An HTTP request sent with a long header (i.e., over 4.1K) will crash webobjects.exe. This may also permit the attacker to remotely execute code with the privileges of IIS, but this has not been verified.
top contains a format-string vulnerability that may lead to a compromise of the effective group ID kmem on BSD systems (or similar privileges on other systems). The problem occurs in the printing of error messages to a user's terminal. A string partially composed of user input (the error message) is passed to a printf() function as the format string argument, allowing malicious format specifiers in user input to corrupt stack variables and execute arbitrary code.
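As an added illustration of the bug class described above (not code from top or from the advisory), the following shows the unsafe call shape beside its safe counterpart, plus a small check that flags conversion specifiers in text that is about to reach a formatting function. The function names and the sample input are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of user-influenced error text containing format
 * specifiers. With the unsafe pattern these would be interpreted by printf. */
static const char *sample_hostile_message = "%x %x %n";

/* Unsafe pattern (the bug class in the advisory): the caller-supplied text
 * IS the format string, so any %x, %n, ... inside it is interpreted.
 * Compilers warn about this shape; the pragmas only keep the example
 * compiling so the two forms can be compared side by side. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static void report_error_unsafe(FILE *out, const char *msg)
{
    fprintf(out, msg);            /* BUG: msg used as the format string */
}
#pragma GCC diagnostic pop

/* Safe pattern: a fixed format string; the user text is only ever a %s
 * argument, so its contents are printed literally. */
static void report_error_safe(FILE *out, const char *msg)
{
    fprintf(out, "top: %s\n", msg);
}

/* Same safe pattern rendered into a buffer so the result can be checked.
 * Returns the number of characters snprintf would have written. */
int format_error_safe(char *buf, size_t n, const char *msg)
{
    return snprintf(buf, n, "top: %s\n", msg);
}

/* Returns 1 if msg contains a '%' that starts a conversion specifier
 * (any '%' not immediately followed by another '%'), else 0. Handy as a
 * sanity check on strings that must never become a format argument. */
int contains_format_specifier(const char *msg)
{
    for (const char *p = msg; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') {    /* "%%" is a literal percent sign */
                p++;
                continue;
            }
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    char buf[64];

    /* Safe path: the hostile text comes out verbatim, specifiers and all. */
    format_error_safe(buf, sizeof buf, sample_hostile_message);
    fputs(buf, stdout);
    report_error_safe(stdout, sample_hostile_message);
    printf("specifiers present: %d\n",
           contains_format_specifier(sample_hostile_message));

    /* Unsafe path with benign input "looks fine", which is why this bug
     * class survives ordinary testing. */
    report_error_unsafe(stdout, "disk full\n");
    return 0;
}
```

The detector is a belt-and-braces check for code paths where a fixed format string cannot be guaranteed; the real fix is the one `report_error_safe` shows, never letting user-derived text occupy the format argument.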
An attacker capable of forging a pmap_set/pmap_unset UDP packet can cause the remote host to register or unregister arbitrary RPC programs. This can permit an attacker to carry out a denial of service by disabling key services on the target host, including mountd, nfsd and ypserv. Because it allows a malicious local user to register RPC programs on the server, depending on the program the attacker chooses to register, this vulnerability can allow a compromise of root privilege, potentially extending to other systems on the local network.
A vulnerability exists in Sun Microsystems' JavaWebServer for Win32, version 1.1Beta. If a URL is submitted requesting a .jhtml file (an HTML document with embedded Java source) and a '.' or '/' character is appended to the filename, the source for that .jhtml file will be returned to the client, rather than being compiled on the server. As a result, system information which is not intended for disclosure to the client, such as database usernames and passwords, resource locations, website and network structure and business models, may be obtained by the attacker.
The version of cu that ships with HP-UX is vulnerable to a buffer overflow attack that may result in an escalation of privileges if exploited properly. The argument to the -l option (the line) is handled unsafely; if its length exceeds 9777 bytes, it corrupts vital stack variables. This may result in shellcode provided by the user being executed with the privileges of the process (euid 0).
A vulnerability exists in the Cisco Virtual Central Office 4000 (VCO/4K) programmable voice switch running software versions 5.13 and earlier. The usernames and passwords for the device's SNMP administration interface are protected by a simple substitution cipher which can be easily defeated. As a result, if the 'encrypted' passwords are retrieved (for example, through the read-only community string), an attacker can obtain a list of valid usernames and passwords, potentially allowing an elevation of privileges and possibly more serious consequences.
A directory traversal vulnerability exists in Microsoft's implementation of the SMB file and print sharing protocol for Windows 95 build 490.r6 and Windows for Workgroups. smbclient normally rejects '/../' sequences in user-supplied pathnames before submitting them to the server. However, a modified client can be made to accept the restricted '/../' sequences, appending these characters to filenames and submitting them as a request to the server. This can lead to the disclosure of security-related information, leaving the host open to further compromise.
Kootenay Web Inc's Whois (release v.1.9) is vulnerable to command injection due to a failure to properly check user-supplied input to a form variable for shell metacharacters. A malicious remote user can trick the script into executing arbitrary code on the host system, allowing them to gain local shell access to the system with the privileges of the webserver.
It is possible to configure the PIX so that it hides the IP address of internal FTP servers from clients connecting to it. If a client sends a number of requests to enter passive FTP mode (PASV) during an FTP session, the IP address will eventually be disclosed.
Samba ships with a utility titled SWAT (Samba Web Administration Tool) which is used for remote administration of the Samba server and is by default set to run from inetd as root on port 701. Certain versions of this software ship with a vulnerability that local users can use to gain root access. It is a permissions problem: users can take advantage of poor permission settings on SWAT's log files to read the username and password data which SWAT records for every user who logs in to remotely administer the server. If logging is turned on (it is not enabled by default), SWAT logs by default to /tmp/cgi.log, which is world readable and contains usernames and passwords (base64 encoded) that local users may pull from the file.