Explore Vulnerabilities

Explore all Exploits:

Wnn4.2 / jserver remote buffer overflow exploit for Linux

A remote buffer overflow exists in the Asian language servers portion of a number of different implementations of Wnn. It has been reported that only systems that have WorldView Japanese, Korean, and Chinese installed are vulnerable to this issue. An overflow exists when the server receives a long string with a Wnn command, such as JS_OPEN, JS_MKDIR or JS_FILE_INFO included. By creating a buffer containing machine executable code, it is possible to cause a remote system running the jserver daemon to execute arbitrary commands as the user the daemon is running as.

Command Injection in X-Chat

X-Chat versions 1.4.2 and earlier are vulnerable to command injection attacks. By supplying commands enclosed in backticks (``) in URLs sent to X-Chat, it is possible to execute arbitrary commands should the X-Chat user decide to view the link by clicking on it. This is due to the manner in which X-Chat launches pages for viewing, which does not check for shell metacharacters in the supplied URL, allowing an attacker to exploit shell expansion capabilities to execute commands as the user running Netscape.

HP-UX Local Overwrite Vulnerability

A vulnerability exists in HP-UX, from Hewlett Packard, under certain configurations. Version 11.0 is confirmed to have this problem; other versions may also be susceptible. If the CLEAR_TMP option in /etc/rc.config.d is set to 1, meaning enabled, it is possible for a local user to create a symbolic link in /tmp that will be followed prior to being removed. This will allow the local user to overwrite any file upon reboot. The /sbin/rc2.d/S008net.init file and the /sbin/rc2.d/S204clean_tmps file are run upon reboot. The net.init script is run first, since lower-numbered S scripts are run first. In the net.init file, a temporary file, /tmp/stcp.conf, is used. This file is blindly written to, and is removed by the clean_tmps script. A local user can simply create this file as a symbolic link to any file, and cause the net.init script to overwrite its contents upon reboot.

Minicom Vulnerability

Minicom is a Unix terminal program often used for communication between computers with modems. It is often installed setgid uucp, as this access is required for regular users to use certain devices on the system. By specifying a capture file on the command line, a file can be created with effective gid uucp and thus owned by gid uucp. This is a serious concern on systems using uucp: critical files writeable by group uucp can be overwritten by exploiting this vulnerability, leading to other problems.

PHP-Nuke Authentication Bypass Vulnerability

PHP-Nuke is a website creation/maintenance tool written in PHP3. It is possible to elevate privileges in this system from normal user to administrator due to a flaw in the authentication code. The problem occurs when the code checks to make sure the query passed to mysql_query is legal, but there are no checks to see whether any rows are returned (whether any authors match $aid). Then, the password given is compared to the result of the above query. If the author doesn't match, mysql_fetch_row returns FALSE. This is where the problem occurs. A NULL string is logically equal to FALSE, and thus if an empty string is supplied as the password, the condition tested for above (the if($pass == $pwd)) is met and admintest is set to 1 (TRUE). The user is then able to perform all administrative functions.

Daemon Remote Buffer Overflow

It is possible to either execute arbitrary code or crash a remote system running University of Minnesota's Gopher Daemon, depending on the data entered. An unchecked buffer exists in the 'halidate' function of Gopherd, where the 512 byte buffer can be overwritten with approximately 600 bytes of data.

Netwin Netauth Directory Traversal Vulnerability

A remote user is capable of gaining read access to any known file residing on a host running Netwin Netauth through directory traversal. Appending a series of '../' and the desired file name to the 'page' variable at the end of a request to netauth.cgi will allow a remote user to walk the entire directory tree above the Netauth directory.

Microsoft IIS 5.0 Source Code Disclosure Vulnerability

Microsoft IIS 5.0 has a dedicated scripting engine for advanced file types such as ASP, ASA and HTR files. It is possible to force the server to send back the source of known scriptable files to the client if the HTTP GET request contains a specialized header with 'Translate: f' at the end of it, and if a trailing slash '/' is appended to the end of the URL.

Recent Exploits: