Explore all Exploits:

Ultraseek Server 3.0 Source Disclosure Vulnerability

Due to a failure to properly validate user-supplied input, a URL submitted by a remote user of the form http://target:8765/somefile.html/ (note the trailing slash) will return the source of 'somefile.html'. As a result, an attacker can obtain the source code of any Ultraseek script, which could be used to support further attacks.

Apache Web Server PHP3 Script Disclosure

Apache Web Server is vulnerable to a file disclosure vulnerability when used in conjunction with the PHP3 scripting language. By requesting a specially crafted URL by way of PHP, a remote user can gain read access to a known file that resides on the target host.

Port Scanning using a Misconfigured Squid

The 'cachemgr.cgi' module is a management interface for the Squid proxy service. It was installed by default in '/cgi-bin' by Red Hat Linux 5.2 and 6.0 installed with Squid. This script prompts for a host and port, which it then tries to connect to. If a webserver such as Apache is running, this can be used to connect to arbitrary hosts and ports, allowing for potential use as an intermediary in denial-of-service attacks, proxied port scans, etc. Interpreting the output of the script can allow the attacker to determine whether or not a connection was established.

Hylafax Insecure Script Vulnerability

Hylafax is a popular fax server software package designed to run on multiple UNIX operating systems. Unpatched versions of Hylafax ship with an insecure script, faxsurvey, which allows remote command execution with the privileges of the web server process. This can be exploited simply by passing the command as a parameter to the script - see exploit. Consequences could include web site defacement, exploitation of locally accessible vulnerabilities to gain further privileges, etc.

FTP Serv-U Directory Traversal

Authenticated users can gain access to the ftproot of the drive where Serv-U FTP has been installed. Users that have read, write, execute and list access in the home directory will have the same permissions on any file which resides on the same partition as the ftproot. Once a user is in the home directory, they can successfully transfer any such file using specially crafted GET requests. All hidden files will be revealed even if the 'Hide hidden files' feature is on. Successful exploitation of this vulnerability could enable a remote user to gain access to system files, password files, etc. This could lead to a complete compromise of the host.

Buffer Overflow Vulnerability in Phone Book Service of IIS 4 and IIS 5

A buffer overflow vulnerability was discovered in the URL processing routines of the Phone Book Service on IIS 4 and IIS 5. If exploited, this vulnerability allows an attacker to execute arbitrary code and obtain a remote command shell with the privileges of the IUSR_machinename account (IIS 4) or the IWAM_machinename account (IIS 5). The vulnerability can be exploited by sending a request of the following form: GET /pbserver/pbserver.dll?&&&&&&pb=AAAAAA... (less than 980 chars) HTTP/1.0

Input Type File Vulnerability

Due to a design error in the implementation of the INPUT TYPE=FILE form element, it is possible for a website operator to specify a known filename on the visitor's machine for upload to the website. This vulnerability is exploitable only under certain circumstances: the filename would have to be known by the website operator, the number of characters in the filename would have to equal the number of characters the user typed into the form field, and the visiting user would need to have at least read access to the known file. This vulnerability does not allow the website operator to delete or modify any files on the visitor's machine. Successful exploitation of this vulnerability could lead to the disclosure of sensitive information and possibly assist in further attacks against the victim.

Ptrace Vulnerability in Linux 2.2.x Kernels

The Linux implementation of ptrace in 2.2.x kernels (and possibly earlier versions) contains a vulnerability that may allow an attacker to obtain sensitive information from non-readable, non-setuid executable files. When ptrace is called to trace a child process, it does not properly check that the executable's disk image is readable by the tracing user. As a result, the process can be traced and its memory examined. Information compiled into the binary that was meant to be hidden by making the file non-readable may be disclosed to an attacker.

Buffer Overflow in Microsoft SQL Server and Data Engine

The API Srv_paraminfo(), which is used by Extended Stored Procedures (XPs) in Microsoft SQL Server and Data Engine, is susceptible to a buffer overflow vulnerability which may cause the application to fail or arbitrary code to be executed on the target system, depending on the data placed in the buffer. The vulnerability lies in the fact that Srv_paraminfo() does not check the length of the parameter string that an XP passes to it. If an attacker can pass an overly long string to the XP xp_showcolv, a buffer overflow can occur due to an unsafe memory copy. This can cause SQL Server to crash. It may also be possible for attackers to execute arbitrary code on the host running SQL Server.

AIX enq Program Privilege Escalation Vulnerability

A problem exists in the enq program of AIX, a variant of the UNIX operating system distributed by IBM. An overflow exists in the command line argument parsing, which could lead to the overwriting of variables on the stack. This creates the potential for a malicious user to execute arbitrary code and possibly gain administrative access.
