
Oops Proxy Server Arbitrary Code Execution Vulnerability

Multiple buffer overflows exist in the Oops Proxy Server package, written by Igor Khasilev. In the first, a request containing numerous quotation marks (") is HTML-escaped by the proxy, and each quotation mark is translated into the six-character entity &quot;. Because the output buffer is not sized for this expansion, the escaped request can overflow it and overwrite the stack, allowing a remote attacker to execute code with the privileges of the user the proxy server runs as. The second is a stack-based overflow in the DNS resolution code: forcing the proxy to resolve an overly long host or domain name overwrites variables on the stack and can likewise lead to execution of arbitrary commands with the privileges of the proxy server process.
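The expansion that makes the first Oops overflow exploitable is easiest to see in code. The following C is an added example, not Oops source: a request string is escaped into a fixed-size stack buffer, and because every `"` grows to the six bytes of `&quot;`, the hardened version computes the expanded length before writing anything. Function names and the 64-byte buffer size are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define QUOT "&quot;"   /* every '"' in the request grows to these 6 bytes */

/* Bytes the escaped form of `in` occupies, not counting the terminator. */
size_t escaped_len(const char *in)
{
    size_t n = 0;
    for (; *in; in++)
        n += (*in == '"') ? strlen(QUOT) : 1;
    return n;
}

/*
 * Vulnerable pattern (shown as a comment, not compiled): the output buffer
 * is sized from the input and the expansion is written unchecked.
 *
 *     char out[strlen(in) + 1];
 *     char *p = out;
 *     for (; *in; in++)
 *         if (*in == '"') { memcpy(p, QUOT, 6); p += 6; } else *p++ = *in;
 *
 * A request of N quotation marks needs 6N bytes, so the loop runs past
 * the end of `out` and over whatever sits above it on the stack.
 */

/* Hardened escaper: refuses to write when the expanded text would not fit
 * in out[outsz].  Returns the number of bytes written, or -1 on overflow. */
int html_escape_quotes(char *out, size_t outsz, const char *in)
{
    size_t need = escaped_len(in);
    if (need + 1 > outsz)            /* the bounds check the vulnerable code lacked */
        return -1;
    char *p = out;
    for (; *in; in++) {
        if (*in == '"') {
            memcpy(p, QUOT, strlen(QUOT));
            p += strlen(QUOT);
        } else {
            *p++ = *in;
        }
    }
    *p = '\0';
    return (int)(p - out);
}

/* Constructed input: a run of n quotation marks, as an attacker would send. */
const char *quote_run(size_t n)
{
    static char buf[256];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, '"', n);
    buf[n] = '\0';
    return buf;
}

/* Escape into a 64-byte stack buffer, as a request handler might.  Returns
 * the escaped text, or NULL when the hardened escaper refused to overflow. */
const char *escape_into_64(const char *in)
{
    char stackbuf[64];
    static char result[64];
    if (html_escape_quotes(stackbuf, sizeof stackbuf, in) < 0)
        return NULL;
    strcpy(result, stackbuf);
    return result;
}

int main(void)
{
    printf("32 quotes on the wire become %zu bytes escaped\n",
           escaped_len(quote_run(32)));
    printf("10 quotes into 64 bytes: %s\n",
           escape_into_64(quote_run(10)) ? "ok" : "refused");
    printf("11 quotes into 64 bytes: %s\n",
           escape_into_64(quote_run(11)) ? "ok" : "refused");
    return 0;
}
```

Ten quotation marks expand to 60 bytes and still fit; the eleventh pushes the escaped text past the buffer, which is exactly where the unchecked version starts writing over the stack frame.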

PPPoE Denial of Service Vulnerability

PPPoE contains a possibly remotely exploitable denial of service vulnerability in its handling of TCP packets when the Clamp_MSS option is in use. If PPPoE receives a malformed TCP packet containing a zero-length option, its option-parsing loop never advances and spins indefinitely. As a result, the PPP connection carried by PPPoE times out and is terminated.
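Why a zero-length option hangs an MSS clamper: the TCP option walker moves its cursor by the option's own length byte, so a length of 0 means no progress. The C below is an added example, not rp-pppoe or any other PPPoE implementation's code; it shows the vulnerable loop as a comment beside a hardened walk that rejects lengths below 2 and can also perform the clamp. The sample option bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCPOPT_EOL 0
#define TCPOPT_NOP 1
#define TCPOPT_MSS 2

/*
 * Vulnerable walk (shown as a comment, not compiled): it trusts the
 * option's own length byte to move the cursor forward.
 *
 *     while (p < end) {
 *         if (*p == TCPOPT_EOL) break;
 *         if (*p == TCPOPT_NOP) { p++; continue; }
 *         if (*p == TCPOPT_MSS) mss = (p[2] << 8) | p[3];
 *         p += p[1];            // a length byte of 0 never advances p
 *     }
 *
 * One crafted segment with a zero-length option pins the clamping code
 * in this loop forever, which is the hang described above.
 */

/* Hardened walk over the TCP options area (the header bytes after the
 * fixed 20).  Returns the MSS value found, 0 if the option is absent, or
 * -1 if the options are malformed.  When clamp_to > 0 and the MSS exceeds
 * it, the option is rewritten in place and the clamped value returned. */
int walk_mss(uint8_t *opts, size_t len, int clamp_to)
{
    uint8_t *p = opts, *end = opts + len;
    int mss = 0;

    while (p < end) {
        uint8_t kind = *p;
        if (kind == TCPOPT_EOL)
            break;
        if (kind == TCPOPT_NOP) {
            p++;
            continue;
        }
        if (end - p < 2)
            return -1;                  /* no room for a length byte */
        uint8_t olen = p[1];
        if (olen < 2 || olen > end - p)
            return -1;                  /* 0 or 1 cannot advance; too long overruns */
        if (kind == TCPOPT_MSS) {
            if (olen != 4)
                return -1;
            mss = (p[2] << 8) | p[3];
            if (clamp_to > 0 && mss > clamp_to) {
                p[2] = (uint8_t)(clamp_to >> 8);
                p[3] = (uint8_t)(clamp_to & 0xff);
                mss = clamp_to;
            }
        }
        p += olen;
    }
    return mss;
}

/* Constructed option areas: a normal SYN (NOP NOP MSS=1460) and the
 * malformed one (MSS=1460 followed by a window-scale option whose length
 * byte is 0). */
uint8_t good_opts[] = { 0x01, 0x01, 0x02, 0x04, 0x05, 0xb4 };
uint8_t bad_opts[]  = { 0x02, 0x04, 0x05, 0xb4, 0x03, 0x00 };

int main(void)
{
    uint8_t pkt[sizeof good_opts];
    memcpy(pkt, good_opts, sizeof pkt);
    printf("good SYN: mss=%d\n", walk_mss(pkt, sizeof pkt, 0));
    printf("clamped to 1452: mss=%d\n", walk_mss(pkt, sizeof pkt, 1452));
    printf("zero-length option: %d (malformed, loop exits)\n",
           walk_mss(bad_opts, sizeof bad_opts, 0));
    return 0;
}
```

The same `olen < 2` check also covers a length of 1, which would advance the cursor by one byte into the option's own length field and misparse everything after it; the `olen > end - p` check stops an oversized length from reading past the header.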

Pico Text Editor Arbitrary File Overwrite Vulnerability

Under very specific circumstances, this version of Pico can be made to overwrite arbitrary files with the privileges of the victim user. If an attacker can correctly predict the name of the editor's temporary file and create a file of that name in advance (typically a symbolic link to the target), the current contents of the editor will be written over key system files or any other data the user has write access to.

ssldump Format String Vulnerability

ssldump is a traffic analyzer for monitoring network traffic in real time, written and maintained by Eric Rescorla. A format string vulnerability in ssldump could allow arbitrary code execution. ssldump requires elevated privileges to capture traffic from the network interface. While monitoring traffic, ssldump passes URLs it observes to a printf-style function as the format string rather than as an argument, so a URL containing conversion specifiers causes a segmentation fault and could potentially be used to overwrite stack variables and execute arbitrary code with the administrative privileges ssldump runs under. An attacker can trigger the crash by running ssldump, opening Netscape Navigator and entering the string "fixme:%s%s%s%s%s%s" in the browser; ssldump captures the traffic and then segfaults.
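The bug class, as an added C example rather than ssldump's own code: the vulnerable call is shown as a comment, the hardened logger passes the captured URL only as a `%s` argument, and a small helper counts the conversion specifiers in untrusted text, which is what each `%s` in "fixme:%s%s%s%s%s%s" would have pulled off the stack. Function names and the sample client address are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable pattern (shown as a comment, not compiled): text taken off
 * the wire becomes the format argument itself.
 *
 *     void log_url(const char *url) { printf(url); }
 *
 * With url = "fixme:%s%s%s%s%s%s", every %s makes printf pull another
 * word off the stack and dereference it as a char *; sooner or later one
 * is not a valid pointer and the process segfaults.  A %n conversion
 * would write to such an address instead of reading it, which is the
 * step from crash to code execution.
 */

/* Hardened: the format is a literal the compiler can check, and the
 * attacker-controlled URL is passed only as a %s argument. */
int format_url_line(char *out, size_t outsz, const char *client, const char *url)
{
    return snprintf(out, outsz, "%s requested %s", client, url);
}

/* Convenience wrapper with a static buffer, for the demonstration below. */
const char *url_line(const char *client, const char *url)
{
    static char line[256];
    if (format_url_line(line, sizeof line, client, url) < 0)
        return NULL;
    return line;
}

/* Count conversion specifiers in untrusted text.  "%%" is a literal
 * percent; anything else after a '%' would consume a stack word if the
 * text ever reached printf as a format. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '%') {
            p++;               /* skip the escaped pair */
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed capture: the URL string from the advisory. */
    const char *url = "fixme:%s%s%s%s%s%s";
    printf("%s\n", url_line("10.0.0.5", url));
    printf("%d conversions would be evaluated if this were a format\n",
           count_conversions(url));
    return 0;
}
```

Compiling with `-Wformat-security` flags the commented vulnerable call; the hardened form prints the specifiers as literal text, which is the behaviour a sniffer should have.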

KTH Kerberos Environment Variable Manipulation

KTH Kerberos contains a vulnerability that may allow or assist in a local or remote root compromise. A remote user can, before authenticating, set the value of the environment variable 'krb4_proxy' on the server and cause the server program to contact a fake Kerberos server. This lets the attacker intercept authentication requests and send false replies to the service being used. For example, an attacker could pass the environment variable through the telnet protocol's environment option to a Kerberos-supporting telnet daemon. An attacker controlling the fake Kerberos server can then send malformed replies that exploit a buffer overflow in the Kerberos shared libraries (see Bugtraq ID 2091). Combined, the two vulnerabilities may provide remote root access.

Keware Technologies HomeSeer Directory Traversal

HomeSeer is a home automation application that lets users control various housewares and appliances locally or remotely through a web interface. A remote user can retrieve any file whose name is known, outside the HomeSeer directory and anywhere on the drive HomeSeer is installed on, by sending a specially crafted HTTP request composed of '../' sequences followed by the known filename. This could lead to a complete compromise of the host.

MetaProducts Offline Explorer Directory Traversal Vulnerability

MetaProducts Offline Explorer is vulnerable to a directory traversal attack that allows a remote attacker to view the full contents of the directory structure of the system it is installed on. By default, Offline Explorer listens on port 800. A remote user can obtain a directory listing and browse its contents with no authorization whatsoever by issuing a GET request whose path is a physical or logical drive letter.
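Both the HomeSeer '../' traversal and the Offline Explorer drive-letter request fail the same check: the requested path must still be inside the document root after it is normalised. The C below is an added example, not code from either product; it treats '/' and '\' alike (Windows servers accept both), resolves '.' and '..' segment by segment, rejects anything that climbs above the root or names a drive, and rebuilds the path beneath a hypothetical root. Percent-decoding is assumed to have happened before this function runs, and the sample requests are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Resolve a request path against a document root.  On success writes
 * "<root>/<normalised path>" to out and returns 0.  Returns -1 if the path
 * would leave the root through "..", names a drive letter (C:, D:\...) or
 * is too long.
 */
int resolve_under_root(const char *root, const char *req, char *out, size_t outsz)
{
    char work[1024];
    const char *segs[128];
    size_t depth = 0;

    if (strlen(req) >= sizeof work)
        return -1;
    strcpy(work, req);
    for (char *c = work; *c; c++)
        if (*c == '\\')
            *c = '/';

    if (strchr(work, ':') != NULL)      /* "GET C:" style drive requests */
        return -1;

    /* Split on '/', resolving "." and ".." as we go. */
    char *s = work;
    while (*s) {
        while (*s == '/')
            s++;
        if (!*s)
            break;
        char *e = s;
        while (*e && *e != '/')
            e++;
        if (*e)
            *e++ = '\0';
        if (strcmp(s, ".") != 0) {
            if (strcmp(s, "..") == 0) {
                if (depth == 0)
                    return -1;          /* would climb above the root */
                depth--;
            } else {
                if (depth == sizeof segs / sizeof segs[0])
                    return -1;
                segs[depth++] = s;
            }
        }
        s = e;
    }

    /* Rebuild the path below the root from the surviving segments. */
    int w = snprintf(out, outsz, "%s", root);
    if (w < 0 || (size_t)w >= outsz)
        return -1;
    size_t used = (size_t)w;
    for (size_t i = 0; i < depth; i++) {
        w = snprintf(out + used, outsz - used, "/%s", segs[i]);
        if (w < 0 || (size_t)w >= outsz - used)
            return -1;
        used += (size_t)w;
    }
    return 0;
}

/* Demonstration wrapper with a hypothetical root; NULL means rejected. */
const char *resolve_demo(const char *req)
{
    static char out[1200];
    if (resolve_under_root("/srv/homeseer/html", req, out, sizeof out) < 0)
        return NULL;
    return out;
}

int main(void)
{
    /* Constructed requests modelled on the two advisories above. */
    const char *reqs[] = {
        "/index.htm",
        "/docs/./../index.htm",
        "/../../../boot.ini",
        "..\\..\\autoexec.bat",
        "C:\\",
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        const char *r = resolve_demo(reqs[i]);
        printf("%-24s -> %s\n", reqs[i], r ? r : "REJECTED");
    }
    return 0;
}
```

Rejecting a '..' at depth zero, rather than silently clamping it to the root, is deliberate: a request that tries to climb out is an attack indicator worth logging, not a path worth serving.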

Watchguard SOHO Denial of Service

A vulnerability exists in Watchguard SOHO 2.2 firewalls with firmware versions 2.2.1 and below that could allow a remote attacker to carry out a denial of service attack and render the firewall inoperable. A remote attacker can issue a large number of HTTP GET requests (70 or more) to the firewall, which depletes its memory resources and causes it either to reboot or to shut down completely.

FormMail Remote Command Execution Vulnerability

FormMail is a widely used web-based e-mail gateway that allows form input to be e-mailed to a specified user. Any web site can use a remote site's FormMail script without authorization, consuming the remote system's resources or exploiting other vulnerabilities in the script; for example, this issue can be combined with BID 2079, 'Matt Wright FormMail Remote Command Execution Vulnerability'. An attacker crafts a malicious HTML page whose form submits to the remote FormMail script and places a command in the recipient field, which is then executed on the remote system.
