Explore Vulnerabilities

Fingerd Version 1.19 Vulnerability

Fingerd version 1.19 is vulnerable to an information disclosure issue that allows a remote user to determine whether a given username exists on the system. Normally, if a user has declined to be open to finger requests, a finger attempt elicits the response 'That user does not want to be fingered'. However, if a remote user attempts to finger a nonexistent username, the attempt returns the default message 'That user does not want to be fingered.' The extra '.' at the end of the second message reveals that it was generated by an attempt to finger a nonexistent user, as opposed to one who simply does not wish to be fingered. As a result, an attacker familiar with the discrepancy between the two failure strings is able to test the validity of usernames.

Directory Traversal in Netscape Directory Server

Acquiring access to known files outside of the web root is possible through directory traversal techniques in Netscape Directory Server. This is made possible through the use of "../" in an HTTP request. The following services are affected by this vulnerability: the Agent services server on port 8100/tcp; the End Entity services server on port 443/tcp (accessible through SSL); and the Administrator services server on a random port configured during installation.

Directory Traversal in iPlanet Certificate Management System (CMS)

Acquiring access to known files outside of the web root is possible through directory traversal techniques in iPlanet Certificate Management System (CMS). This is made possible through the use of "../" in an HTTP request. The following services are affected by this vulnerability: the Agent services server on port 8100/tcp; the End Entity services server on port 443/tcp (accessible through SSL); and the Administrator services server on a random port configured during installation.

Cisco IOS Denial of Service Vulnerability

Cisco devices running IOS software may be prone to a denial of service attack if a URL containing a question mark followed by a slash (?/) is requested. The device enters an infinite loop when supplied with a URL containing '?/' together with an enable password. The router then crashes two minutes later, once the watchdog timer has expired, and reloads. In certain cases the device does not reload, and a manual restart is required to regain normal functionality.

HotJava Browser 3.0 JavaScript security vulnerability

A malicious website operator may be able to obtain cookies from a target system browsing with Sun HotJava Browser. The Document Object Model (DOM) of arbitrary URLs can be accessed if specially crafted JavaScript is launched from a named window. Cookies that may contain sensitive information can be acquired through this method.

lpr Vulnerability in RedHat Linux 6.2

The vulnerability lies in the processing of troff files, specifically their conversion into PostScript for printing on a PostScript printer. During this processing, certain commands embedded in the troff file being processed can be executed with the privileges of the setgid lpr program. This is the result of formatting programs being executed by the print filter in an unsafe manner.

Allaire JRun Directory Traversal Vulnerability

Allaire JRun is a web application development suite with JSP and Java Servlets. It contains a vulnerability that allows a user to access documents outside of the web root. By requesting a malformed URL using the SSIFilter servlet, a remote user gains read access to any file on the host's filesystem. This is due to improper checking of where "../" paths lead (e.g., outside of the web root). In addition to disclosing the contents of arbitrary files, this vulnerability could allow a user to gain access to the source code of any file within the web document root of the web server.

Jrun Arbitrary File Access Vulnerability

JRun contains a vulnerability that allows a user to compile and execute JSP code from an arbitrary file on the web server's filesystem. This bug stems from the way JSP execution is invoked: it is triggered whenever a requested filename/path is prefixed with '/servlet/'. If a user specifies "../" paths as part of a "/servlet/" request, it is possible to access documents outside of the web root. The document specified (the attacker must know its complete path) is then compiled and executed as a JSP script. This can be a serious vulnerability if an attacker is able to get user-supplied input written to a file on the filesystem.

Allaire JRun WEB-INF Directory Disclosure Vulnerability

Allaire JRun is a web application development suite with JSP and Java Servlets. Each web application directory contains a WEB-INF directory, which holds information on web application classes, pre-compiled JSP files, server-side libraries, session information, and files such as web.xml and webapp.properties. JRun contains a vulnerability that allows a remote user to view the contents of the WEB-INF directory. By requesting a malformed URL containing an additional '/', all of the directories below the WEB-INF directory are revealed. Successful exploitation of this vulnerability could lead to a remote attacker gaining read access to any file within the WEB-INF directory. While this issue was addressed in earlier patches, it remains a problem if the attacker sends a raw, specially crafted HTTP GET request through a Microsoft IIS connector using a utility such as netcat or telnet.

Oracle Internet Directory 2.0.6 Buffer Overflow

A buffer overflow exists in the oidldap binary, which is setuid oracle. When executed on the command line, the oidldap binary performs an unsafe check of the ORACLE_HOME environment variable. It is possible for a malicious user to execute shellcode supplied through the ORACLE_HOME environment variable, allowing the user to obtain an effective UID of oracle. In a stock installation of Oracle 8.1.6, this could allow a local user to compromise the integrity of a database.
