Default Servlet Source Code Disclosure

WebLogic Server and WebLogic Express register four main Java servlets to serve different types of files. If the path of an HTTP request contains "/file/", the request is handed to the default (file-serving) servlet, which returns the raw source of the requested page to the browser instead of the page's rendered output.

gpm Denial of Service Vulnerability

gpm is the program that lets Linux users use the mouse in virtual consoles. It talks to its control device, /dev/gpmctl, over Unix domain stream sockets and is vulnerable to a locally exploitable denial of service: a malicious user who opens too many connections to the device causes gpm to hang and stop functioning. Red Hat 6.1 is confirmed vulnerable; it is not known which other Linux distributions are also affected.

Denial of Service Attack in NFS Lock Daemon

A denial of service exists in the NFS lock daemon shipped with Linux. Connecting to the port rpc.lockd listens on and sending random input causes lockd to exit with an error. The socket rpc.lockd was using is also not released properly, so the port cannot be rebound without a reboot.

KON (Kanji On Console) Buffer Overflow Vulnerability

KON (Kanji On Console) is a package for displaying Kanji text under Linux and ships with two setuid binaries that contain buffer overflows. 'fld', one of the vulnerable programs, reads options from a text file; an overlong value placed there overflows a stack buffer, so arbitrary code can be put on the stack and a root shell spawned. The other binary, kon, has a buffer overflow as well. The overflow in kon is reachable through the -StartupMessage command line option, and the one in fld through the command line options -t bdf <file to be read>.

Red Hat Piranha Password Change Vulnerability

Red Hat Piranha's password change is implemented insecurely. When a user submits a password change, the new password is sent as a parameter of a GET request, so it travels in the request line. The new password can therefore be recovered from the httpd access log or by sniffing the network traffic.
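The practical consequence of the GET-based change is that the credential lands in whatever stores request lines, the access log first of all. The C program below is an added example, not Red Hat or Piranha code: it scans constructed common-log-format lines (hosts, paths and values are made up) and flags GET requests whose query string carries a password-like parameter. The parameter names checked are an assumption, since the page does not give the field name Piranha uses.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parameter names that would carry a new password in a query string.
 * Assumption: the actual field name used by the Piranha form is not given
 * above, so extend this list to match the application being checked. */
static const char *const secret_params[] = {
    "password=", "passwd=", "pass=", "newpassword=", "new_password="
};

/* Returns 1 if this access-log line records a GET whose request-target has a
 * query string in which one of secret_params appears as a parameter name,
 * i.e. a credential that is now sitting in the log (and was on the wire in
 * the request line). Returns 0 otherwise. Only the request field is looked at:
 * POST bodies are not logged, so a POST line cannot be judged from the log. */
int get_request_leaks_password(const char *line)
{
    const char *req = strstr(line, "\"GET ");
    if (!req)
        return 0;
    req += 5;
    const char *end = strchr(req, ' ');  /* request-target ends before the version */
    if (!end)
        end = req + strlen(req);
    const char *q = memchr(req, '?', (size_t)(end - req));
    if (!q)
        return 0;                        /* no query string at all */

    for (size_t i = 0; i < sizeof secret_params / sizeof secret_params[0]; i++) {
        size_t n = strlen(secret_params[i]);
        for (const char *p = q + 1; p + n <= end; p++) {
            /* a parameter name starts right after '?' or right after '&' */
            if ((p == q + 1 || p[-1] == '&') && strncmp(p, secret_params[i], n) == 0)
                return 1;
        }
    }
    return 0;
}

/* Constructed log lines; nothing here is taken from a real Piranha install. */
static const char *const sample_log[] = {
    "10.0.0.5 - - [12/Apr/2000:10:01:02 -0400] \"GET /cgi-bin/chpass?user=admin&passwd=hunter2&passwd2=hunter2 HTTP/1.0\" 200 512",
    "10.0.0.5 - - [12/Apr/2000:10:01:30 -0400] \"GET /cgi-bin/status?host=lvs1 HTTP/1.0\" 200 2048",
    "10.0.0.7 - - [12/Apr/2000:10:02:11 -0400] \"POST /cgi-bin/chpass HTTP/1.0\" 302 0",
    "10.0.0.9 - - [12/Apr/2000:10:03:44 -0400] \"GET /docs/compass=1.html HTTP/1.0\" 404 0",
};

/* Scan the sample and return how many lines expose a password (1 here). */
int count_password_leaks(void)
{
    int leaks = 0;
    for (size_t i = 0; i < sizeof sample_log / sizeof sample_log[0]; i++)
        leaks += get_request_leaks_password(sample_log[i]);
    return leaks;
}

int main(void)
{
    for (size_t i = 0; i < sizeof sample_log / sizeof sample_log[0]; i++)
        if (get_request_leaks_password(sample_log[i]))
            printf("password in request line: %s\n", sample_log[i]);
    printf("%d of %zu lines leak a password\n", count_password_leaks(),
           sizeof sample_log / sizeof sample_log[0]);
    return 0;
}
```

The fourth sample line is there to show that an "=" in the path without a query string is not flagged; only parameter names after "?" or "&" count. Run over a real log, any hit means the password must be considered compromised and rotated, since the log is usually readable by more people than the application's user database.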

Denial of Service Vulnerability in libICE

A remotely triggerable denial of service exists in libICE, part of the X11 windowing system. Any libICE application that creates inet listening sockets can be crashed remotely. The cause is a bug in the handling of the SKIP_STRING macro, which advances a buffer pointer by a length taken from the peer's message: supplying a large skip value moves the pointer past the end of the message data into uninitialized memory, and the following access segfaults.
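The bug class is a length field that is trusted without being compared against the end of the message. The C program below is an added illustration and is not the libICE source: it models an ICE-style string field with an assumed layout (2-byte little-endian length, string bytes, padding to an 8-byte boundary) and puts the unchecked skip next to a bounds-checked one, driven by two constructed messages.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of an ICE-style string field (assumed layout, not the
 * libICE code): a 2-byte little-endian length, the string bytes, then
 * padding to an 8-byte boundary. The length is read straight from the peer. */

static size_t pad8(size_t n)
{
    return (8 - (n % 8)) % 8;
}

static uint16_t read_len(const uint8_t *buf, size_t off)
{
    return (uint16_t)(buf[off] | (buf[off + 1] << 8));
}

/* Unchecked skip, the shape of the bug described above: the cursor advances
 * by the peer-supplied length with no comparison against the end of the
 * message. A bogus length leaves the cursor far outside the data the message
 * actually carries, so the next field read touches memory the message never
 * covered. Offsets are used instead of raw pointers so the demo itself stays
 * well-defined. */
size_t skip_string_unchecked(const uint8_t *buf, size_t off)
{
    size_t total = 2 + (size_t)read_len(buf, off);
    return off + total + pad8(total);
}

/* Checked skip: refuses to advance unless the whole field (length header,
 * bytes and padding) fits inside buf_len. Returns 0 and updates *off, or -1
 * to tell the caller to bail out of parsing. */
int skip_string_checked(const uint8_t *buf, size_t buf_len, size_t *off)
{
    if (*off > buf_len || buf_len - *off < 2)
        return -1;
    size_t total = 2 + (size_t)read_len(buf, *off);
    total += pad8(total);
    if (buf_len - *off < total)
        return -1;
    *off += total;
    return 0;
}

/* Constructed messages: a well-formed 5-byte string, and one whose length
 * field claims 65535 bytes while only 14 follow it. */
static const uint8_t good_msg[8] = { 5, 0, 'h', 'e', 'l', 'l', 'o', 0 };
static const uint8_t evil_msg[16] = { 0xff, 0xff, 'A', 'A', 'A', 'A', 'A', 'A',
                                      'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' };

/* Where the unchecked skip leaves the cursor for evil_msg: offset 65544 into
 * a 16-byte buffer. */
size_t demo_unchecked_cursor(void)
{
    return skip_string_unchecked(evil_msg, 0);
}

/* The checked version bails out on evil_msg (-1) ... */
int demo_checked_evil(void)
{
    size_t off = 0;
    return skip_string_checked(evil_msg, sizeof evil_msg, &off);
}

/* ... and accepts good_msg, landing the cursor exactly at its end (8). */
size_t demo_checked_good(void)
{
    size_t off = 0;
    if (skip_string_checked(good_msg, sizeof good_msg, &off) != 0)
        return (size_t)-1;
    return off;
}

int main(void)
{
    printf("unchecked cursor for evil_msg: %zu (buffer is %zu bytes)\n",
           demo_unchecked_cursor(), sizeof evil_msg);
    printf("checked result for evil_msg: %d\n", demo_checked_evil());
    printf("checked cursor for good_msg: %zu\n", demo_checked_good());
    return 0;
}
```

The check is done on the padded total rather than on the raw length because the padding is also part of what the cursor skips; comparing only the length would still let the cursor step past the end by up to seven bytes.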

Alt-N MDaemon 2.8.5.0 Remote Crash

A remote user can crash Alt-N MDaemon 2.8.5.0 by sending the POP3 PASS command, then UIDL, and then quitting before the server has answered the UIDL; the sequence must be sent before the server has presented its POP3 login banner. The application has to be restarted to regain normal functionality.

Cart32.exe Debugging Page Access

By appending the string "/expdate" to a request for the cart32.exe executable (http://target/cgi-bin/cart32.exe/expdate), an attacker is shown an error message followed by a debugging page containing the server variables, the Cart32 administration directory and possibly a listing of the cgi-bin directory.

Veritas Volume Manager 3.0.x Local Root Exploit

A vulnerability exists in versions 3.0.x of Volume Manager, a popular disk management package from Veritas Software. Installations on Solaris releases prior to Solaris 8 are affected. At startup the /etc/rc2.d/S96vmsa-server script is executed. It never sets a umask explicitly and so inherits the parent's umask, which during boot is 000. When the server starts it creates the file .server_pids in /var/opt/vmsa/logs; with no umask in effect that file gets mode 0666 (readable and writable by owner, group and everyone else). The control script for the Storage Administrator server (/opt/VRTSvmsa/bin/vmsa_server), when asked to stop the server, executes the contents of .server_pids. Since any user can alter that file, a local attacker can execute arbitrary commands by placing them in .server_pids and waiting for an administrator to invoke the stop routine of the control script. The commands run as the user running the script, which in most cases is root.
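Two things combine here: a pid file created under an inherited umask of 000, and a stop routine that executes whatever the file contains. The C program below is an added example, not Veritas code: it creates a scratch file the way a daemon typically creates its pid file (requested mode 0666, leaving the umask to trim it; that the real server does exactly this is an assumption) and reports the mode that results under umask 000 versus an explicit umask 022, then shows the check a stop routine should apply before acting on the file's text. The /tmp scratch path and the digits-only rule are assumptions of the example.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Per-process scratch path (assumption: /tmp is writable here). */
static const char *scratch_path(void)
{
    static char path[64];
    snprintf(path, sizeof path, "/tmp/.server_pids.demo.%ld", (long)getpid());
    return path;
}

/* Create the scratch file the way a daemon typically creates its pid file
 * (requested mode 0666, relying on the umask to trim it) under `mask`, and
 * return the permission bits the file actually received. The file is removed
 * again. Returns (mode_t)-1 on error. */
mode_t pidfile_mode_under_umask(mode_t mask)
{
    struct stat st;
    const char *path = scratch_path();
    mode_t saved = umask(mask);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    umask(saved);
    if (fd < 0)
        return (mode_t)-1;
    close(fd);
    if (stat(path, &st) != 0)
        return (mode_t)-1;
    unlink(path);
    return st.st_mode & 0777;
}

/* What S96vmsa-server gets: no umask set, the boot-time umask of 000 applies,
 * and the file comes out 0666, writable by every local user. */
mode_t demo_inherited_umask(void)
{
    return pidfile_mode_under_umask(0);
}

/* What an explicit `umask 022` at the top of the rc script would give: 0644. */
mode_t demo_explicit_umask(void)
{
    return pidfile_mode_under_umask(022);
}

/* The other half of the problem is that the stop routine treats the file's
 * text as something to execute. Treat it as data instead: accept only
 * whitespace-separated decimal PIDs. Returns the number of PIDs found, or -1
 * if anything else is present, in which case the file has been tampered with
 * and must not reach a shell. */
int pidfile_contents_sane(const char *text)
{
    int count = 0;
    const char *p = text;
    while (*p) {
        while (isspace((unsigned char)*p))
            p++;
        if (!*p)
            break;
        if (!isdigit((unsigned char)*p))
            return -1;
        while (isdigit((unsigned char)*p))
            p++;
        if (*p && !isspace((unsigned char)*p))
            return -1;
        count++;
    }
    return count;
}

int main(void)
{
    printf("pid file mode with inherited umask 000: %04o\n", (unsigned)demo_inherited_umask());
    printf("pid file mode with explicit umask 022:  %04o\n", (unsigned)demo_explicit_umask());
    printf("\"1234 5678\" -> %d pids\n", pidfile_contents_sane("1234 5678\n"));
    printf("\"1234; /bin/sh\" -> %d\n", pidfile_contents_sane("1234; /bin/sh\n"));
    return 0;
}
```

Setting the umask in the rc script closes the write hole; validating the file before use closes the execution hole even if the permissions ever regress again. Both belong in the fix, since the second is what turns a world-writable file from a nuisance into local root.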

Small HTTP Server DoS Proof of Concept Code

Certain versions of Small HTTP Server contain a buffer overflow triggered by an overlong (65,000 or more characters) malformed HTTP GET request. Connecting to port 80 (HTTP) on a system running Small HTTP Server and issuing a GET command followed by 65,000 bytes crashes the service.
