Phorum is a PHP-based web forums package. Due to an error in the implementation of forum selection in administrative scripts, any user can view any PHP script on the target host. This is due to user-supplied input being referenced as a filename in two locations in the file common.php. For example, any value can be submitted as $f and the corresponding PHP file will be displayed to the browser. This could lead to disclosure of sensitive information, including the MySQL server, database name, userid and password, which are kept in master.php.
Windows Media Player is an application used for viewing digital audio and video content. An unsafe buffer copy involving remotely-obtained data exists in the Active Stream Redirector (ASX) component in Windows Media Player. ASX enables a user to play streaming media residing on an intranet or external site. .ASX files are metafiles that redirect streaming media content from a browser to Windows Media Player. The contents of ASX files, when being interpreted by Windows Media Player, are copied into memory buffers for run-time use. When this data is copied, it is not ensured that the amount of data copied is within the predefined size limits. As a result, any extraneous data will be copied over memory boundaries and can overwrite neighbouring memory on the program's stack. Depending on the data that is copied, a denial of service attack could be launched or arbitrary code could be executed on the target host. Windows Media Player runs in the security context of the user currently logged on; therefore arbitrary code would be run at the privilege level of that particular user. If random data were entered into the buffer, the application would crash and restarting the application would be required in order to regain normal functionality. If a user were misled into downloading a hostile .ASX file to the local machine, they would only have to single-click the file within Windows Explorer to activate the code. This is due to the 'Web View' option that is used by Windows Explorer to preview web documents automatically while browsing (this feature is enabled by default). In addition, a malformed .ASX file could be embedded into an HTML document and be configured to execute when opened via a browser or HTML-compliant email client.
IE 5.5 (and possibly other versions) stores recently visited URLs and cache folder names in a local file called index.dat. This file is kept in the following known locations: Windows 9x: C:/WINDOWS/Temporary Internet Files/Content.IE5/ Windows 2000: C:/Documents and Settings/USERNAME/Local Settings/Temporary Internet Files/Content.IE5/. This file will register as local content in IE's security mechanism, but arbitrary code can be written to it by including scripting commands in a URL. Therefore, although the code may not execute when the URL itself is visited, it will be trusted in the local index.dat file. To execute code in that file, it must be parsed by IE. Microsoft has released a security bulletin about parsing non-HTML files (see Microsoft Security Bulletin MS00-055 in the credit section); however, it is still possible to force IE to render non-HTML files via an object tag defining the TYPE as text/html and specifying the file in the DATA field. Therefore, remote code can be injected into a trusted file and successfully executed. This vulnerability can be used for many purposes, including determining the names of the cache folders. With that information, an attacker could cause the target to execute files previously downloaded by the victim.
CyberPatrol is popular web access restriction software by Microsys. A vulnerability exists in the way CyberPatrol submits registration information from its client software to Microsys' backend (cybercentral.microsys.com) that could allow a remote attacker to gather confidential information including credit card details. The client software claims that all information, including credit card details, is 'scrambled' before being sent to Microsys' backend. Installation of a sniffer has shown that all information, with the exception of the credit card number, is actually sent in clear text to Microsys. A remote attacker could place a sniffer upstream from the sending client and gather confidential registration information in addition to the credit card number, which is only protected by a substitution cipher.
GFI, developer of email content checking and network security software, has recently discovered a security flaw within Windows Media Player which allows a malicious user to run arbitrary code on a target machine as it attempts to view a website or an HTML e-mail. The problem is exploited by embedding a JavaScript (.js) file within a Media Player skin file (.wmz), which can also be embedded in a Windows Media Download file (.wmd). This does not require the user to run any attachments, since the Media Player file is automatically executed using an iframe tag or a window.open() within a <script> tag.
Campas is a sample CGI script shipped with some older versions of NCSA HTTPd, an obsolete web server package. The script fails to properly filter user-supplied variables, and as a result can be used to execute commands on the host with the privileges of the web server. Commands can be passed as a variable to the script, separated by %0a (linefeed) characters. Successful exploitation of this vulnerability could be used to deface the web site, read any files the server process has access to, get directory listings, and execute anything else the web server has access to.
Big Brother Network Monitor is a robust, feature-rich network monitoring package produced by BB4 Technologies. A problem exists that can allow remote account guessing. The problem occurs in the Common Gateway Interface package included with Big Brother, which runs on the Big Brother Display Server. The CGI is responsible for statistical posting of network operations on the Big Brother Display Server, an interface which is accessible via web browser. Due to insufficient handling of input, it is possible to verify the existence of sensitive files and valid user accounts through the CGI of the Display Server. Yielding this information to a malicious user could result in a targeted brute-force password cracking attack.
Unify eWave ServletExec is a Java/Java Servlet engine plug-in for major web servers such as Microsoft IIS, Apache, Netscape Enterprise Server, etc. ServletExec will return the source code of JSP files when an HTTP request is appended with one of the following characters: ., %2E, +, %2B, %5C, %20, %00. Successful exploitation could lead to the disclosure of sensitive information contained within JSP pages.
A vulnerability exists in cmctl, part of the Oracle 8i installation, that can allow elevation of privileges. The problem occurs in the way cmctl handles user-supplied command-line arguments. The string representing argv[1] (the first user-supplied command-line argument) is copied into a buffer of predefined length without being checked to ensure that its length does not exceed the size of the destination buffer. As a result, the excessive data that is written to the buffer will write past its boundaries and overwrite other values on the stack (such as the return address). This can lead to the user executing supplied shellcode with the effective privileges of cmctl, egid dba and euid oracle.
Koules is an original, arcade-style game authored by Jan Hubicka. The version using svgalib is usually installed setuid root so that it may access video hardware when being run at the console by regular users. This version contains a buffer overflow vulnerability that may allow a user to gain higher privileges. The vulnerability exists in the handling of user-supplied command-line arguments. Successful exploitation of this vulnerability leads to root compromise.