Explore all Exploits:

innd 2.2.2 Remote Buffer Overflow

innd 2.2.2 contains a remotely exploitable buffer overflow in code that is reached when a cancel request is posted to the 'control' newsgroup and the cancel request carries a valid Message-ID but its From/Sender headers differ from those of the article that the Message-ID refers to. The attack only works against INN servers running with 'verifycancels = true'.

EType EServ Heap Buffer Overflow

EType EServ is a combined mail, news, HTTP, FTP and proxy server. Its logging code is vulnerable to a heap buffer overflow that could let a remote attacker execute arbitrary code on the server. The overflow is triggered by sending an MKD command with an unusually long argument to the FTP service port.

Denial of Service in Allaire ColdFusion 4.5.1

Because of a flaw in how the password is parsed in authentication requests, a denial of service can be launched against Allaire ColdFusion 4.5.1 and earlier by submitting a string of more than 40 000 characters in the password field of the Administrator login page. CPU utilization can reach 100%, bringing the server to a halt. The stock login form prevents this in the browser, but a malicious user can save the form locally, edit the HTML form fields, and submit the 40 000-character string to the ColdFusion server directly.

Omitting the HTTP version from a 'GET' request for a CGI script to the Savant Web Server discloses the source code of the script

Omitting the HTTP version from a 'GET' request for a CGI script to the Savant Web Server discloses the source code of the script. An attacker can use telnet to connect to the target and issue a GET request for the CGI script without specifying the HTTP version (an HTTP/0.9 "simple request", which carries no version and no headers). The server then returns the script's source code instead of executing it.

Check Point FireWall-1 Denial of Service Vulnerability

Sending illegally fragmented packets directly to, or routed through, Check Point FireWall-1 forces the firewall to spend 100% of available processor time logging them. The FireWall-1 rulebase cannot block this attack, and it does not appear in the firewall logs.

ICQmailclient Vulnerability

When ICQmailclient is used, it creates a temporary Internet shortcut in the default temporary directory, and that file remains after the user signs out or closes ICQ. Another user can open the link and gain full access to the ICQmail web account, because the username and password are embedded in plaintext in the URL. The shortcut is found in the default temp directory (e.g. c:\temp) and appears as: http://cf.icq.com/cgi-bin/icqmail/write.pl5?uname=username&pwd=12345678
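A cleanup check for this class of leak, as an added example that is not part of the original entry or of ICQ's software: it walks a temp directory, finds any file carrying a write.pl5 link with `uname`/`pwd` in the query string (the parameter names come from the entry above), reports the account name and only the length of the password, and removes the leftover files. The Windows `.url` shortcut layout used for the sample file and the dummy credentials are constructed for this example.

```python
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

# The leftover link described above: username and password travel in the query string.
ICQMAIL_URL_RE = re.compile(rb"""https?://cf\.icq\.com/cgi-bin/icqmail/write\.pl5\?[^\s'"<>]+""")


def extract_credentials(url):
    """Pull uname/pwd out of a write.pl5 URL; both are plaintext in the link."""
    query = parse_qs(urlsplit(url).query)
    return query.get("uname", [None])[0], query.get("pwd", [None])[0]


def scan_for_icqmail_links(root, max_size=1 << 20):
    """Walk a temp directory and report every file holding such a link.
    The password itself is not copied into the report, only its length."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:   # skip large binaries
                    continue
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue
            for m in ICQMAIL_URL_RE.finditer(data):
                url = m.group(0).decode("ascii", "replace")
                uname, pwd = extract_credentials(url)
                hits.append({"file": path, "uname": uname, "pwd_len": len(pwd or "")})
    return hits


def scrub(hits):
    """Delete the leftover files so the link cannot be reopened by another user."""
    removed = []
    for hit in hits:
        try:
            os.remove(hit["file"])
            removed.append(hit["file"])
        except OSError:
            pass
    return removed


def build_sample_tempdir():
    """Constructed sample standing in for c:\\temp: a Windows .url shortcut
    carrying the leaked link (dummy credentials from the entry above) plus an
    unrelated file that must not be reported."""
    root = tempfile.mkdtemp(prefix="icqscan")
    with open(os.path.join(root, "icqmail.url"), "w") as f:
        f.write("[InternetShortcut]\r\nURL=http://cf.icq.com/cgi-bin/icqmail/"
                "write.pl5?uname=username&pwd=12345678\r\n")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("nothing to see here\r\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tempdir()
    found = scan_for_icqmail_links(sample)
    for hit in found:
        print(f"{hit['file']}: account {hit['uname']}, password of {hit['pwd_len']} chars")
    print("removed:", scrub(found))
```

The report deliberately never contains the password, so it can be attached to a ticket without recreating the leak. On a real workstation the fix belongs in the client (delete the shortcut on sign-out), but this scan is what you would run to find accounts that have already been exposed.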

Buffer Overflow in BSD mailx 8.1.1-10

A vulnerability exists in the 'mail' program from the Berkeley mailx package. The program contains a buffer overflow that is triggered when the -c parameter is used on the command line. On systems where 'mail' is installed setgid, the overflow can be exploited to gain the privileges of group 'mail'.

Man Command Vulnerability in HPUX

The 'man' command on various HPUX releases makes several mistakes that together let an attacker trivially set a trap so that an arbitrary file is overwritten when root runs 'man'. Details:

1) man creates temporary files with predictable names in world-writable directories. The two files are named catXXXX and manXXXX, where XXXX is the PID of the man process, which is easy to guess.
2) man blindly follows symlinks.
3) man explicitly opens the temp files with mode 666 and ignores the existing umask.
4) man opens the temp files with O_TRUNC.

To exploit this, create ~65535 catXXXX or manXXXX symlinks in /tmp, all pointing at the file to overwrite (e.g. /etc/passwd), and wait. When root runs man, the formatted manpage contents (cat????) or the unformatted contents (man????) are written through the symlink, and the target file is blindly overwritten.
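The four mistakes above and the trap they enable, reproduced in a private directory standing in for /tmp, as an added example that is not part of the original entry or of HP-UX's man: `vulnerable_open()` is the open() pattern the entry describes (predictable name, O_TRUNC, mode 666, no symlink check), `plant_trap()` is the attacker's symlink spray over a range of guessed PIDs, and the two hardened variants show that O_EXCL alone defeats a pre-planted link and that an unpredictable name plus O_EXCL (`mkstemp`) is the proper fix. The PID value, the prefix "cat" and the victim file name are assumptions of this example.

```python
import os
import tempfile


def vulnerable_open(tmpdir, prefix, pid):
    """The pattern the entry describes: name is prefix + PID, opened with
    O_CREAT|O_TRUNC and mode 666, with no check for a symlink already there."""
    path = os.path.join(tmpdir, f"{prefix}{pid}")
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666), path


def excl_open(tmpdir, prefix, pid):
    """Same predictable name, but O_EXCL (plus O_NOFOLLOW where available):
    a pre-planted link makes open() fail with EEXIST instead of being followed."""
    path = os.path.join(tmpdir, f"{prefix}{pid}")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        return os.open(path, flags, 0o600), path
    except OSError:          # something (here the attacker's symlink) is already there
        return None, path


def hardened_open(tmpdir, prefix):
    """What a temp file should be: unpredictable name, O_CREAT|O_EXCL, mode 600."""
    return tempfile.mkstemp(prefix=prefix, dir=tmpdir)


def plant_trap(tmpdir, prefix, target, pids):
    """Attacker step: one symlink per candidate PID, all pointing at the victim file."""
    planted = []
    for pid in pids:
        link = os.path.join(tmpdir, f"{prefix}{pid}")
        try:
            os.symlink(target, link)
            planted.append(link)
        except FileExistsError:
            pass
    return planted


def demo(victim_pid=4242, tmpdir=None):
    """Run the race in a scratch directory and report what each open() variant
    did to the victim file (which stands in for /etc/passwd)."""
    tmpdir = tmpdir or tempfile.mkdtemp(prefix="manrace")
    victim = os.path.join(tmpdir, "victim")
    with open(victim, "w") as f:
        f.write("original contents\n")
    # The attacker does not know the exact PID, so covers a range around the guess.
    plant_trap(tmpdir, "cat", victim, range(victim_pid - 2, victim_pid + 3))
    result = {}

    fd, _ = vulnerable_open(tmpdir, "cat", victim_pid)   # follows the link, truncates victim
    os.write(fd, b"formatted manpage\n")
    os.close(fd)
    with open(victim) as f:
        result["after_vulnerable"] = f.read()

    with open(victim, "w") as f:                          # restore before the next variant
        f.write("original contents\n")
    fd, _ = excl_open(tmpdir, "cat", victim_pid)
    result["excl_refused"] = fd is None
    if fd is not None:
        os.close(fd)

    fd, path = hardened_open(tmpdir, "cat")
    os.write(fd, b"formatted manpage\n")
    os.close(fd)
    result["hardened_wrote_through_link"] = os.path.islink(path)
    with open(victim) as f:
        result["after_hardened"] = f.read()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that O_NOFOLLOW only protects the final path component; the O_EXCL check is what refuses a name that already exists, whatever it is, which is why the mkstemp variant carries it too. Run the script as an unprivileged user: the victim file lives inside the scratch directory, so nothing outside it is touched.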

PassWd 1.2 Password Management Utility Weak Encoding Algorithm Vulnerability

PassWd 1.2 is a password management utility that stores login information for various URLs. The information (username, password and link location) is kept in the pass.dat file in the PassWD directory. It is protected only by a weak encoding algorithm, and the file includes the key, so any stored password can be decoded. A decoder for PassWD v1.2 pass.dat files was written by Daniel Roethlisberger in 2000 and can be used to recover the stored passwords.

Denial of Service Attack on FreeBSD, NetBSD and OpenBSD

A denial of service attack affects FreeBSD, NetBSD and OpenBSD; all versions of these operating systems are believed to be vulnerable. The problem lies in the socket options that set the send and receive buffer sizes on a socketpair. By setting them to certain values and then performing a write of that size, FreeBSD can be made to panic. NetBSD and OpenBSD do not panic, but network applications stop responding.
