Older versions of Microsoft Windows (Windows 95, Windows for Workgroups 3.11, and Windows NT up to and including 4.0), as well as SCO OpenServer 5.0, have a vulnerability relating to the way they handle TCP "Out of Band" data. According to Microsoft: "A sender specifies 'Out of Band' data by setting the URGENT bit flag in the TCP header. The receiver uses the URGENT POINTER to determine where in the segment the urgent data ends. Windows NT bugchecks when the URGENT POINTER points to the end of the frame and no normal data follows. Windows NT expects normal data to follow." When this assumption is not met, Windows displays a "blue screen of death" and stops responding. Port 139 (NetBIOS Session Service) is the most common target for this attack, although other listening TCP services may be affected as well. Rebooting the affected machine is required to restore normal operation.
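The condition Microsoft describes can be checked on the wire: URG is set and the urgent pointer marks the end of the data, so no normal data follows. The following detector is an added example, not part of the original advisory or any vendor code; it parses raw TCP segments and flags that condition, using constructed sample segments (not a real capture) so it runs offline.

```python
import struct

TCP_URG = 0x20  # URG bit in the TCP flags field


def build_tcp_segment(src_port: int, dst_port: int, flags: int,
                      urg_ptr: int, payload: bytes) -> bytes:
    """Build a TCP segment with a bare 20-byte header (no options, checksum 0)."""
    off_flags = (5 << 12) | (flags & 0x01FF)  # data offset = 5 words
    header = struct.pack("!HHIIHHHH", src_port, dst_port,
                         1, 0, off_flags, 8192, 0, urg_ptr)
    return header + payload


def parse_tcp_segment(segment: bytes) -> dict:
    """Parse a raw TCP segment (header plus payload) into its fields."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    (src_port, dst_port, _seq, _ack, off_flags,
     _window, _checksum, urg_ptr) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "flags": off_flags & 0x01FF,
        "urg_ptr": urg_ptr,
        "payload": segment[data_offset:],
    }


def is_oob_nuke(seg: dict) -> bool:
    """URG set and the urgent pointer at the end of the data: nothing normal follows.

    RFC 793 stacks point one past the last urgent byte (urg_ptr == len),
    RFC 1122 stacks point at the last urgent byte (urg_ptr == len - 1);
    both mean "this whole payload is urgent", so accept either reading.
    """
    payload_len = len(seg["payload"])
    if not seg["flags"] & TCP_URG or payload_len == 0:
        return False
    return seg["urg_ptr"] >= payload_len - 1


def scan_segments(segments: list[bytes]) -> list[str]:
    """One verdict line per segment, e.g. for a capture replayed offline."""
    verdicts = []
    for raw in segments:
        seg = parse_tcp_segment(raw)
        tag = "OOB-NUKE" if is_oob_nuke(seg) else "ok"
        verdicts.append(
            f"{seg['src_port']}->{seg['dst_port']} urg_ptr={seg['urg_ptr']} {tag}")
    return verdicts


# Constructed sample traffic, not a real capture:
SAMPLES = [
    # URG|PSH|ACK with the urgent pointer at the end of an 8-byte payload.
    build_tcp_segment(40000, 139, TCP_URG | 0x18, 8, b"A" * 8),
    # URG set but the pointer lands inside the payload: normal data follows.
    build_tcp_segment(40001, 139, TCP_URG | 0x18, 4, b"A" * 8),
    # Plain PSH|ACK segment with no urgent data at all.
    build_tcp_segment(40002, 139, 0x18, 0, b"A" * 8),
]

if __name__ == "__main__":
    for line in scan_segments(SAMPLES):
        print(line)
```

Fed real traffic, the same check applied to segments destined for 139/tcp (or any listening port) gives a cheap IDS signature for this attack; the parser ignores IP headers, so strip those first when reading from a capture.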
A vulnerability has been discovered in a number of Unix shells that may allow a local attacker to corrupt files or potentially elevate privileges. Scripts and command-line operations that use << (a "here document") as a redirection operator cause the shell to create a temporary file in /tmp with a predictable name. Additionally, the file is created without first checking whether a file already exists at that path. A local attacker who pre-creates a symbolic link with the predicted name can therefore cause the shell to write the here-document body over any file the owner of the redirecting shell has write access to; if the redirection is performed by a privileged user or script, this extends to privilege escalation.
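The attack and the fix side by side, as an added example (not code from the advisory or from any shell): a "victim" file and a pre-planted symlink are staged in a private sandbox directory. The predictable temp name used here (`sh12345.1`) is a made-up stand-in for whatever scheme a given shell used; the point is that the name is guessable.

```python
import errno
import os
import shutil
import tempfile


def naive_heredoc_tmp(path: str, body: bytes) -> None:
    """The vulnerable pattern: open the predictable temp name for writing.
    open() follows an existing symlink, so a pre-planted link redirects
    the write to whatever file the link points at."""
    with open(path, "wb") as f:
        f.write(body)


def safe_heredoc_tmp(path: str, body: bytes) -> None:
    """Hardened: O_CREAT|O_EXCL fails if anything (even a dangling symlink)
    already exists at path, O_NOFOLLOW refuses to follow a symlink, and
    mode 0o600 keeps the file private to its owner."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(body)


def unpredictable_heredoc_tmp(tmp_dir: str, body: bytes) -> str:
    """What a fixed shell does: a random name created atomically (mkstemp)."""
    fd, path = tempfile.mkstemp(prefix="sh", dir=tmp_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(body)
    return path


def demo() -> dict:
    """Stage the symlink attack in a sandbox and report what happened."""
    sandbox = tempfile.mkdtemp()
    try:
        victim = os.path.join(sandbox, "victim.txt")
        original = b"original contents\n"
        with open(victim, "wb") as f:
            f.write(original)

        # Attacker guesses the predictable name (hypothetical scheme) and
        # plants a symlink there before the shell creates its temp file.
        planted = os.path.join(sandbox, "sh12345.1")
        os.symlink(victim, planted)

        # Vulnerable shell: the here-document body lands in victim.txt.
        naive_heredoc_tmp(planted, b"here-doc body\n")
        with open(victim, "rb") as f:
            clobbered = f.read() != original

        # Hardened open: the planted link makes creation fail instead.
        try:
            safe_heredoc_tmp(planted, b"here-doc body\n")
            refused = False
        except OSError as e:
            refused = e.errno in (errno.EEXIST, errno.ELOOP)

        # Random name: nothing for the attacker to pre-plant.
        random_path = unpredictable_heredoc_tmp(sandbox, b"here-doc body\n")
        random_ok = os.path.isfile(random_path) and not os.path.islink(random_path)

        return {"victim_clobbered": clobbered,
                "safe_open_refused": refused,
                "mkstemp_file_created": random_ok}
    finally:
        shutil.rmtree(sandbox, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The two ingredients of the fix are independent: O_EXCL (or mkstemp, which uses it) stops the race, and an unpredictable name stops the attacker from knowing where to plant the link in the first place.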
NCSA HTTPd comes with a sample CGI shell script, test-cgi, installed by default in /cgi-bin. This script does not enclose the argument of an 'echo' command in quotes, so under some configurations the shell performs 'glob expansion' of the * character in user-supplied input. A remote attacker can thus obtain file listings by passing *, /*, /usr/* and so on as query variables: the unquoted echo expands * into a listing of the specified directory. The information gained could be used to facilitate further attacks.
Miva's htmlscript CGI program provides a scripting language built from HTML-style tags. Versions of the htmlscript interpreter (a CGI script) prior to 2.9932 are vulnerable to a directory traversal attack that discloses files via relative paths (e.g., "../../../../../../etc/passwd"). An attacker need only append such a path as a variable passed to the script in a URL. The contents of any file the web server process has read access to can be retrieved this way.
Whois scripts provide InterNIC lookup services via HTTP. The vulnerable scripts include older versions of Matt's Whois and CGI City Whois. These versions fail to filter shell metacharacters, allowing execution of arbitrary commands by embedding them in the domain name to be looked up; specifically, the UNIX command separator ';' can be used to chain commands. Successful exploitation allows an attacker to execute commands with the privileges of the web server process, which could result in retrieval of sensitive information, web defacement, etc. Depending on the specific script, the following syntaxes (appended to the domain name) have been shown to allow intrusion:
1) ;command
2) ";command
3) ;command;
4) %3Bcommand%3B (the same as 3, with ';' URL-encoded)
Phorum is a PHP-based web forum package. Due to an error in the handling of user input in its scripts, any user can view any file readable by the web server on the target host. The cause is that user-supplied input is used as a filename in two places in common.php. The ForumLang variable, which selects the language in which the forum is displayed, is not checked for "../" character sequences. A user can therefore supply a path consisting of "../" sequences followed by an arbitrary file on the filesystem, which the script will open and display.
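Both the htmlscript and the Phorum entries above are the same defect: a request parameter is used as a filename without confining it to the directory it is meant to address. The following is an added example (not code from either product) of the two controls that close it: resolving the joined path and checking it stays under the base directory, and, for a selector such as ForumLang, allowlisting the value before it ever reaches the filesystem. The docroot and language directory paths are made up for illustration and need not exist.

```python
import os
import re

# Allowlist for a language selector like Phorum's ForumLang: a short token
# with no separators and no dots, so "../" can never appear in it.
LANG_TOKEN = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def resolve_under(base_dir: str, user_path: str) -> str:
    """Join user_path onto base_dir and return the resolved absolute path,
    or raise ValueError if it escapes base_dir (via ../, absolute paths or
    symlinks) or contains a NUL byte."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    base = os.path.realpath(base_dir)
    # lstrip stops an absolute user path from discarding base in os.path.join;
    # it is treated as relative to the docroot, as a web server would.
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return candidate


def is_valid_lang(forum_lang: str) -> bool:
    """Allowlist check for a ForumLang-style value."""
    return LANG_TOKEN.match(forum_lang) is not None


def language_file(lang_dir: str, forum_lang: str) -> str:
    """Phorum-style include: validate the token, then confine the path anyway."""
    if not is_valid_lang(forum_lang):
        raise ValueError(f"bad ForumLang value: {forum_lang!r}")
    return resolve_under(lang_dir, forum_lang + ".php")


def classify(base_dir: str, requests: list[str]) -> dict[str, str]:
    """Report 'allowed' or 'denied' per requested path."""
    out = {}
    for req in requests:
        try:
            resolve_under(base_dir, req)
            out[req] = "allowed"
        except ValueError:
            out[req] = "denied"
    return out


# Constructed inputs: the advisory's traversal string plus benign requests.
DOCROOT = "/var/www/htdocs"  # hypothetical docroot
REQUESTS = [
    "docs/index.html",
    "../../../../../../etc/passwd",
    "docs/../../etc/passwd",
    "docs/../docs/faq.html",
]

if __name__ == "__main__":
    for req, verdict in classify(DOCROOT, REQUESTS).items():
        print(f"{verdict:8s} {req}")
    for lang in ("english", "../../../../etc/passwd"):
        print(lang, "->", "valid" if is_valid_lang(lang) else "rejected")
```

realpath() also follows symlinks inside the docroot, so a link planted under it that points outside is denied as well; the allowlist is the stronger control where the set of legitimate values is small and known.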
The info2www CGI script provides HTTP access to information stored in GNU Emacs Info nodes. It fails to properly sanitize its input and can be used to execute commands on the server with the permissions of the web server process, by passing shell commands as part of a variable. The consequences of successful exploitation include anything the web server process has permission to do, including web site defacement.
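The whois and info2www entries above share one root cause: a request parameter is spliced into a command string that a shell interprets. As an added example (not code from any of those scripts), the handler below shows the vulnerable construction next to the hardened one, which rejects the four syntaxes listed for the whois scripts and only ever builds an argv list for `subprocess.run(argv)` with `shell=False`, so no shell sees the value. The query strings and the placeholder command `uname` are constructed test inputs; nothing is executed.

```python
import re
from urllib.parse import unquote, unquote_plus

# Domain-name allowlist: dot-separated labels of letters, digits and hyphens.
# Anything outside it (';', '"', '|', spaces, '%3B', ...) is rejected.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
    r"[A-Za-z]{2,63}\.?$"
)
SHELL_META = set(';|&`$<>(){}[]!*?"\'\\\n\r ')


def vulnerable_command(domain: str) -> str:
    """The affected scripts' pattern: the raw value is spliced into a string
    destined for /bin/sh, so ';' ends the whois command and starts another.
    Returned for inspection here, never executed."""
    return f"whois {domain}"


def parse_query(query_string: str) -> dict[str, str]:
    """Minimal QUERY_STRING parser: split on '&' only, percent-decode values."""
    params = {}
    for pair in query_string.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def has_shell_metachars(value: str) -> bool:
    """Detect metacharacters, including ones hidden behind a second layer of
    URL encoding (%253B). A value that is already decoded is unaffected."""
    decoded = unquote(value)
    return any(ch in SHELL_META for ch in decoded)


def safe_whois_argv(domain: str) -> list[str]:
    """Allowlist the value and return an argv list for subprocess.run(argv)."""
    if not DOMAIN_RE.match(domain):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return ["whois", domain]


def handle_whois_request(query_string: str) -> dict:
    """CGI-style entry point: QUERY_STRING in, decision out."""
    domain = parse_query(query_string).get("domain", "")
    if has_shell_metachars(domain):
        return {"status": "rejected", "reason": "shell metacharacters", "input": domain}
    try:
        argv = safe_whois_argv(domain)
    except ValueError as e:
        return {"status": "rejected", "reason": str(e), "input": domain}
    return {"status": "ok", "argv": argv}


# Constructed requests: the four syntaxes from the whois entry plus a benign one.
SAMPLE_QUERIES = [
    "domain=example.com",
    "domain=example.com;uname",
    'domain="example.com";uname',
    "domain=example.com;uname;",
    "domain=example.com%3Buname%3B",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        raw = parse_query(q)["domain"]
        print(f"{q:35s} shell would see: {vulnerable_command(raw)!r:40s} "
              f"-> {handle_whois_request(q)['status']}")
```

The allowlist does the real work; the metacharacter scan is belt-and-braces that also gives a clear rejection reason for logging.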
ServletExec and Resin will return the source code of JSP files when certain characters are appended to the requested filename. The exact trigger depends on the JSP engine and on the web server and platform in front of it. Successful exploitation discloses sensitive information contained within JSP pages. The following requests have been shown to work:
Apache (Win32): ..%2e..%81%82   Example: http://target/filename.jsp%81
Resin Web Server: ../   Example: http://target/filename.jsp../
IIS 5: request the URL with the '.' in the extension encoded as '%2e'   Example: http://target/filename%2ejsp
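All three requests above exploit a mismatch between layers: the front end decides which handler a request gets by matching the extension on the raw path, while the engine or the filesystem later resolves the path to filename.jsp and serves it as a plain file. The following is an added illustration, not the vendors' fix: a naive router that matches on the raw path beside a hardened one that percent-decodes, rejects control and high-bit bytes, insists on a canonical path, and only then routes by extension. The URL paths are the advisory's three examples plus a few benign ones, constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote_to_bytes

JSP_EXT = ".jsp"


def naive_route(url_path: str) -> str:
    """Extension match on the raw request path. Anything not ending in
    '.jsp' goes to the static file handler, which is how the encoded
    variants end up served as text."""
    return "jsp" if url_path.endswith(JSP_EXT) else "static"


def hardened_route(url_path: str) -> str:
    """Decode, reject anything non-canonical, then route on the canonical
    path so the front end and the engine agree on what is being served."""
    raw = unquote_to_bytes(url_path)
    # Control bytes, space, NUL and high-bit bytes (%81, %82) have no place in a path.
    if any(b <= 0x20 or b > 0x7E for b in raw):
        return "reject"
    decoded = raw.decode("ascii")
    if not decoded.startswith("/"):
        return "reject"
    is_dir = decoded.endswith("/")
    canonical = posixpath.normpath(decoded)
    # normpath collapses '.', '..', '//' and a trailing '/'; if that changed
    # anything other than a single trailing slash, the request was not canonical.
    expected = decoded if decoded == "/" else decoded.rstrip("/")
    if canonical != expected:
        return "reject"
    # Windows strips trailing dots when opening files, so 'filename.jsp..'
    # would reach the disk as 'filename.jsp' while looking like a non-JSP name.
    if any(part.endswith(".") for part in canonical.split("/") if part):
        return "reject"
    if is_dir:
        return "directory"
    return "jsp" if canonical.endswith(JSP_EXT) else "static"


def compare(paths: list[str]) -> dict[str, tuple[str, str]]:
    """(naive, hardened) verdict for each path."""
    return {p: (naive_route(p), hardened_route(p)) for p in paths}


# Constructed request paths: the advisory's three examples plus benign ones.
PATHS = [
    "/filename.jsp%81",   # Apache (Win32) variant
    "/filename.jsp../",   # Resin variant
    "/filename%2ejsp",    # IIS 5 variant
    "/filename.jsp",
    "/index.html",
    "/docs/",
    "/a/../b.jsp",
]

if __name__ == "__main__":
    for path, (naive, hardened) in compare(PATHS).items():
        print(f"{path:20s} naive={naive:8s} hardened={hardened}")
```

Under the naive router every one of the three advisory requests is classed "static", which is the leak; the hardened router serves the %2e form as a JSP (the decoded path is canonical and ends in .jsp) and refuses the other two outright rather than guessing what the platform will do with them.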