Explore Vulnerabilities
Avirt Mail Remote Denial of Service Vulnerability

Due to insufficient bounds checking in the code that handles the 'MAIL FROM:' and 'RCPT TO:' fields, it is possible to remotely crash Avirt Mail. Entering over 272 characters into the 'RCPT TO:' field crashes the application when the session is terminated, and no further connections can be initiated until Avirt Mail is restarted. The same applies to the 'MAIL FROM:' field, except that over 556 characters must be entered.

Microsoft IIS 3.0 Remote File Creation

Microsoft IIS 3.0 shipped with a sample program, newdsn.exe, installed by default in the directory wwwroot/scripts/tools/. Invoking this program with a suitably crafted URL could allow remote file creation. The file created is a Microsoft Access database, but it can be given any extension, including .html.

Samba Remote Buffer Overflow Vulnerability

Samba is an open source software suite that provides seamless file and print services to SMB/CIFS clients. Certain older versions of Samba contained a remotely exploitable buffer overflow. The flaw lay in the password-handling function of the authentication mechanism: a user could supply an overly long password to the Samba server and trigger a buffer overflow.

Hilgraeve HyperTerminal Buffer Overflow Vulnerability

A buffer overflow occurs when a user attempts to open a telnet address more than 153 characters long. Depending on the data supplied, a malicious third party could cause a denial of service or execute arbitrary code. A specially malformed telnet address could be delivered to a remote system by embedding it in an HTML page or email message.

Demo – IE 5.5/Outlook Java security vulnerability – reading arbitrary local files and URLs

An attacker may gain read access to files on remote systems by specifying a custom codebase in a Java applet and delivering it to the victim(s) via HTML email or a website. In Microsoft Internet Explorer and Outlook/Outlook Express, a Java applet loaded through an <OBJECT> tag in conjunction with a jar file can reference any arbitrary codebase. This makes it possible for a remote attacker to read any file whose location is known.

Microsoft Site Server Remote File Upload Vulnerability

Microsoft Site Server is an intranet server designed for NT Server with IIS. Site Server enables users to locate and view information stored in various locations through personalized web pages and emails. The 'Users' directory, if not already present, is created automatically once the first successful upload has completed. By default, the 'Everyone' group is given NTFS Change privileges on the 'Users' directory, and IIS additionally assigns Scripting and Write permissions to it. Because of these combined factors, a user can create and upload arbitrary content, including ASP pages, to the web server through the Anonymous Internet Account (IUSR_machinename). Even without a password for the Site Server services, a user could telnet to port 80 on the web server and issue a specially crafted PUT request. Once the file is created, a specially formed GET request will execute it. Successful exploitation of this vulnerability may allow a remote user to upload malicious content to the web site.

Mail-File Arbitrary File Retrieval Vulnerability

OatMeal Studios' Mail-File is a CGI application that sends certain files to user-specified email addresses via a web interface. A vulnerability in this script can be used to send the contents of any readable, user-specified file to an email address. In normal use, the web interface lets the user select from files that have been pre-configured in the script. The values of the form variables associated with each "pre-configured file" are the actual filenames used when the files are opened. As a result, the user can manipulate the filename value so that the script, instead of opening one of the "normal" options, opens whatever path has been supplied (e.g. "../../../../../../../../../etc/passwd"). The script checks the value of the referrer when accepting submitted form input, but this check does not prevent the attack. If exploited, an attacker can read arbitrary files on the filesystem with the privileges of the web server, which may lead to further compromise.

A vulnerability exists in xlib, the C language interface to the X Window System protocol.

When applications linked against the Xlib library are run, user-supplied values for the DISPLAY environment variable (and the -display command-line argument) are stored in buffers of predefined length. The amount of data is not verified to be within the predefined size limits before it is copied onto the stack during function calls. Consequently, users can overwrite stack variables, such as the calling function's return address, with arbitrary values that alter the program's flow of execution. Although this vulnerability permits only numeric characters to be written to the stack, successful exploitation can still partially overwrite addresses and local variables.

Curl Remote Exploit

Curl's error-logging feature fails to properly check the size of error messages received from a remote host. A malicious remote server could send a specially formed response to a request from curl, designed to exceed the maximum length of the error buffer. When this oversized data is copied onto the stack, it can overwrite the calling function's return address, altering the program's flow of execution and allowing arbitrary code to run on the client host.
