Explore all Exploits:

RealServer Buffer Overflow Vulnerability

A vulnerability exists in all versions of RealServer 7 and below that could allow a remote attacker to gain administrative rights and to access server information and data belonging to other users' sessions. In response to a specific URL request, RealServer returns arbitrary fragments of the server process's runtime memory, which may contain data from previous sessions, including cookies, usernames, passwords and the port number on which the administration server listens.

CGIForum Arbitrary File Access Vulnerability

CGIForum is a commercial cgi script from Markus Triska which is designed to facilitate web-based threaded discussion forums. The script improperly validates user-supplied input to the 'thesection' parameter. If an attacker supplies a carefully formed URL containing '/../' sequences as the argument to this parameter, the script traverses out of the application's normal directory structure to open the specified file. As a result, it is possible to remotely view arbitrary files on the host that are readable by the user 'nobody'.

DC Forum Vulnerability

DCForum is a commercial cgi script from DCScripts which is designed to facilitate web-based threaded discussion forums. The script improperly validates user-supplied input, which allows the remote viewing of arbitrary files on the host that are readable by the user 'nobody' or whichever user the web server runs as. Additionally, it has been reported that dcforum.cgi can be made to delete itself if an attacker attempts to read its own source code using this method, effectively permitting a denial-of-service attack.
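The traversal that the CGIForum and DCForum entries describe, as an added example that is not code from either product: a CGI handler that splices the URL-decoded 'thesection' value straight into a file path, beside a hardened version that treats the value as an opaque identifier and accepts only [A-Za-z0-9_-]. The section layout under SECTION_ROOT, the function names and the request strings are assumptions made for this demonstration; the page does not describe the scripts' real file layout.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (hypothetical, not CGIForum's or DCForum's real one):
 * each section is a file directly under SECTION_ROOT. */
#define SECTION_ROOT "/usr/local/forum/sections"

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes and '+' as a CGI parameter arrives in the query string.
 * Any check must run on the decoded value: a test on the raw string would
 * miss "%2e%2e%2f".  A decoded NUL is rejected outright, since it would
 * silently truncate the path in the C library's file calls. */
static int url_decode(const char *in, char *out, size_t n) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return 0;          /* malformed escape */
            c = hi * 16 + lo;
            i += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (c == 0 || o + 1 >= n) return 0;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}

/* The pattern both advisories describe: the decoded parameter is spliced
 * straight into a path, so "../../../../etc/passwd" walks out of the root. */
int vulnerable_section_path(const char *thesection, char *out, size_t n) {
    char decoded[256];
    if (!url_decode(thesection, decoded, sizeof decoded)) return 0;
    return snprintf(out, n, "%s/%s", SECTION_ROOT, decoded) < (int)n;
}

/* Hardened lookup: a section name is an opaque identifier, so accept only
 * [A-Za-z0-9_-] and refuse everything else.  An allow-list is safer than
 * stripping "../": a single-pass strip turns "....//" into "../". */
int safe_section_path(const char *thesection, char *out, size_t n) {
    char decoded[256];
    if (!url_decode(thesection, decoded, sizeof decoded)) return 0;
    if (decoded[0] == '\0' || strlen(decoded) > 64) return 0;
    for (const char *p = decoded; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '-') return 0;
    return snprintf(out, n, "%s/%s", SECTION_ROOT, decoded) < (int)n;
}

/* Wrappers returning the resolved path, or NULL when the name is rejected. */
const char *vulnerable_lookup(const char *thesection) {
    static char buf[512];
    return vulnerable_section_path(thesection, buf, sizeof buf) ? buf : NULL;
}
const char *safe_lookup(const char *thesection) {
    static char buf[512];
    return safe_section_path(thesection, buf, sizeof buf) ? buf : NULL;
}

int main(void) {
    const char *attack = "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd";  /* constructed */
    printf("vulnerable: %s\n", vulnerable_lookup(attack));
    printf("hardened:   %s\n", safe_lookup(attack) ? "accepted" : "rejected");
    printf("hardened:   %s\n", safe_lookup("general"));
    return 0;
}
```

The same allow-list applies to dcforum.cgi's parameter. Where a parameter legitimately has to name a path rather than an identifier, the alternative is to canonicalize the joined path with realpath() and require that the result still begins with the data directory, which also catches symbolic links pointing outside it.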

Improper Bounds Checking in RobinHood Web Server

Improper bounds checking exists in the code that handles requests (RHCWindow.cpp and RHLogger.cpp). The RHConsole and RHDaemon components crash upon receiving a request of more than 4078 bytes. If RobinHood encounters such requests repeatedly, a prolonged denial of service results; restarting the application is required in order to regain normal functionality.

Small HTTP Server Denial of Service Vulnerability

Small HTTP Server is subject to a denial of service. When it receives an HTTP request with no filename specified, the server attempts to locate index.html in the requested directory; if index.html does not exist, the server consumes a large amount of system memory. By sending numerous such requests, an attacker could cause the server to exhaust all system memory. A restart of the application is required in order to regain normal functionality.

RedHat 7.0 modutils exploit

Modutils is a component of many Linux systems that includes tools for working with loadable kernel modules. One of these tools, modprobe, automatically loads the set of modules corresponding to a 'name' passed on the command line. Modprobe version 2.3.9, and possibly neighbouring versions, contains a vulnerability (present since March 12, 1999) that can lead to a local root compromise. The problem is that modprobe uses popen() to execute the 'echo' program with user input as its argument. Because popen() relies on /bin/sh to parse the command string and execute 'echo', unescaped shell metacharacters in the user input cause other commands to be executed as well. Although modprobe is not installed setuid root, this vulnerability can be exploited to gain root access provided the target system is using kmod. Kmod is a kernel facility that automatically executes the program 'modprobe', as root, when a module is requested via request_module(). One program that triggers this is the version of ping that ships with Red Hat Linux 7.0: when a device that doesn't exist is specified on the command line, request_module() is called with the user-supplied argument, and the kernel then executes modprobe with that argument. Arbitrary commands included in the module name (the device name given to ping) are therefore executed as root when popen() is called. Successful exploitation yields root access for the attacker.

InoculateIT 4.52 Vulnerability

A vulnerability exists in the InoculateIT Agent for MS Exchange that can allow a local attacker to pass a virus through both the agent and MS Exchange Server. There are reportedly numerous methods by which this can be accomplished; one is to remove the "From:" field from an infected message (MIME attachment included) and submit the message to the Exchange server. The InoculateIT Agent will not detect the infected file when it is submitted in this manner. Where different organizations are using MS Exchange Server with InoculateIT Agents (and MS IMC is used to send the messages), the following additional bypasses exist: if a message is sent with only an infected file in the body and no text, the InoculateIT Agent will not detect the virus; if a message contains embedded characters and an infected attachment, InoculateIT will not open the attachment for scanning; and because InoculateIT only scans messages destined for an Inbox folder, a server-side rule that directs messages to another mailbox allows an infected file to bypass virus scanning.

Demo – IE 5.x Win2000 Indexing service vulnerability

A malicious website operator may verify the existence of files residing on a Windows 2000 system with Indexing Services enabled. The website operator is capable of searching for specific files by using the Indexing Services via specially malformed HTML containing the ActiveX Object 'ixsso.query'. Query results will display the full physical path of the file and will only be retrieved from directories that have been explicitly configured as searchable directories within the Indexing Service.

Cart32 Information Disclosure Vulnerability

Cart32 is a shopping cart application for e-commerce enabled sites. It contains a vulnerability that reveals server information: requesting a specially crafted URL through the CGI application reveals the physical path to the web root as well as the Windows and Program Files directories. Successful exploitation of this vulnerability could assist in further attacks against the victim host.

HP-UX aserver.sh

Aserver is a server program that ships with HP-UX versions 10.x and above and is used to interface client applications with the audio hardware. During normal execution, Aserver executes "ps" via the system() library call, relying on the PATH environment variable to locate it. As a result, a user can modify their PATH environment variable so that it includes an arbitrary program called 'ps' before executing Aserver. When Aserver is run with the -f argument, the offending system() call is made and the attacker's version of ps is executed as root.
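The modprobe entry above (popen() handing user input to /bin/sh) and this Aserver entry (system() resolving "ps" through the caller's PATH) are the same class of mistake: letting a shell interpret a command string on behalf of a privileged program. The added example below is not modutils' or HP-UX code; it reproduces both failures in an unprivileged process and contrasts them with a replacement that execve()s an absolute path with a fixed argv and a scrubbed environment. The "module name", the planted program (uname stands in for ps, which not every system ships), the temporary directory under /tmp and the function names are all constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Read a child's stdout into out (NUL-terminated), draining any excess so the
 * child never blocks on a full pipe.  Returns -1 on a read error. */
static int read_all(int fd, char *out, size_t n) {
    size_t got = 0;
    char scratch[256];
    for (;;) {
        ssize_t r = got < n - 1 ? read(fd, out + got, n - 1 - got)
                                : read(fd, scratch, sizeof scratch);
        if (r < 0) return -1;
        if (r == 0) break;
        if (got < n - 1) got += (size_t)r;
    }
    out[got] = '\0';
    return 0;
}

/* Safe pattern: execve() an absolute path with a fixed argv and a minimal
 * environment.  No shell parses anything, argv[1] reaches the program intact
 * whatever characters it holds, and there is no PATH lookup to hijack. */
int run_capture(const char *abs_path, char *const argv[], char *out, size_t n) {
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int fds[2], status;
    if (abs_path[0] != '/' || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                  /* child */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execve(abs_path, argv, clean_env);
        _exit(127);
    }
    close(fds[1]);
    int rc = read_all(fds[0], out, n);
    close(fds[0]);
    waitpid(pid, &status, 0);
    return (rc == 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Vulnerable pattern from both advisories: a command line handed to /bin/sh
 * (popen/system), which honours metacharacters and resolves names via PATH. */
int run_shell_capture(const char *cmdline, char *out, size_t n) {
    FILE *fp = popen(cmdline, "r");
    if (fp == NULL) return -1;
    size_t got = fread(out, 1, n - 1, fp);
    out[got] = '\0';
    while (fgetc(fp) != EOF) { }                     /* drain before reaping */
    return pclose(fp) == 0 ? 0 : -1;
}

/* modprobe case: a constructed "module name" spliced into "echo <name>".
 * Returns 1 when the shell ran the injected command and execve() did not. */
int demo_popen_injection(void) {
    const char *name = "eth0; echo INJECTED";       /* constructed input */
    char cmd[128], via_shell[256], via_exec[256];
    snprintf(cmd, sizeof cmd, "echo %s", name);      /* what modprobe built */
    if (run_shell_capture(cmd, via_shell, sizeof via_shell) != 0) return -1;
    char *const argv[] = { "echo", (char *)name, NULL };
    if (run_capture("/bin/echo", argv, via_exec, sizeof via_exec) != 0) return -1;
    return strcmp(via_shell, "eth0\nINJECTED\n") == 0 &&
           strcmp(via_exec, "eth0; echo INJECTED\n") == 0;
}

/* Aserver case: plant an executable "uname" in a fresh directory, put that
 * directory first in PATH, then compare a PATH-relative shell invocation with
 * an absolute-path execve().  Returns 1 when only the shell ran the plant. */
int demo_path_hijack(void) {
    char dir[] = "/tmp/hijackXXXXXX", fake[64], newpath[1024];
    char via_shell[256], via_exec[256];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(fake, sizeof fake, "%s/uname", dir);
    FILE *f = fopen(fake, "w");
    if (f == NULL) return -1;
    fputs("#!/bin/sh\necho HIJACKED\n", f);          /* the planted program */
    fclose(f);
    chmod(fake, 0755);
    const char *old = getenv("PATH");
    snprintf(newpath, sizeof newpath, "%s:%s", dir, old ? old : "/usr/bin:/bin");
    setenv("PATH", newpath, 1);
    int shell_rc = run_shell_capture("uname", via_shell, sizeof via_shell);
    char *const argv[] = { "uname", NULL };
    int exec_rc = run_capture("/bin/uname", argv, via_exec, sizeof via_exec);
    if (exec_rc != 0)                                /* /usr-only layouts */
        exec_rc = run_capture("/usr/bin/uname", argv, via_exec, sizeof via_exec);
    unlink(fake);
    rmdir(dir);
    if (shell_rc != 0 || exec_rc != 0) return -1;
    return strcmp(via_shell, "HIJACKED\n") == 0 &&
           via_exec[0] != '\0' && strcmp(via_exec, "HIJACKED\n") != 0;
}

int main(void) {
    printf("popen injection demonstrated: %d\n", demo_popen_injection());
    printf("PATH hijack demonstrated:     %d\n", demo_path_hijack());
    return 0;
}
```

The demonstration runs as the invoking user; in the advisories the same two calls run as root (kmod executes modprobe as root, and Aserver is privileged), which is what turns a harmless extra echo or a planted ps into a root compromise. Setting a fixed PATH in the scrubbed environment matters even with an absolute path, because the invoked program may itself run helpers by name.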
