Microsoft Excel is prone to a remote code execution vulnerability that can be triggered when a malformed Excel document is opened. The issue is due to an error in Excel's handling of malformed URL strings. Successful exploitation could allow an attacker to execute arbitrary code with the privileges of the user running Excel. Whether the overflow yields code execution rather than a crash depends on the overflow condition, the Excel version, and the host operating system and service pack level.
Sending malformed packets to port 7070 causes RealServer to stop responding. The server must be restarted to restore normal functionality.
Panda Security is a user management application for Windows 9x with which certain functions can be prohibited for specific users. One of the available restrictions is to disable registry editing. However, even with this restriction enabled, any user can still edit the registry, either by executing a *.reg file or by renaming regedit.exe and running the renamed copy, which the restriction does not catch. Because Panda's own restriction settings are stored in the registry, this weakness negates the effectiveness of the rest of the product. In addition, users can uninstall Panda Security through the Add/Remove Programs applet in the Control Panel: an error message appears when the uninstall is attempted, but after a reboot the application has nevertheless been removed.
The Netware Remote Administration utility can be compromised to allow arbitrary code to be run remotely on the server. The Remote Administration server is essentially a simple web server; if it is sent a GET request of between 4 and 8 KB, part of the request data ends up in CPU registers, which is what makes code execution possible. Even without executable code being sent, this can lead to a denial of service: although the server does not crash, the connection is neither aborted nor cleaned up, so such failed requests can be repeated until the TCP/IP subsystem no longer accepts new connection requests.
The htimage.exe and imagemap.exe files included with FrontPage handle server-side image mapping. Under normal operation they are passed a map name and a set of coordinates in the form http://target/path/htimage.exe/mapname?x,y. If the mapname portion of the request is replaced with 741 or more characters, the web server software crashes, although the operating system continues to function normally. Stack dumps reveal that user-supplied data occasionally reaches the EIP register, so remote execution of arbitrary code is potentially possible.
Appending specific variables and values to http://target/cgi-bin/cart.pl? allows remote users to perform certain actions: 'vars' displays the application's configuration settings, which include the username and password used for credit card transactions; 'env' returns the environment settings; and 'db' lists the entire database file containing all items in the shopping cart. In addition, Dansie Shopping Cart allows remote users to modify shopping cart contents by requesting a certain URL with altered variables.
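Both of the web-server issues above (the htimage.exe/imagemap.exe mapname overflow and the cart.pl 'vars', 'env' and 'db' disclosure requests) leave a clear fingerprint in ordinary access logs. The following detector is an added example, not code from FrontPage, Dansie or this advisory database: it extracts the request target from common-log-format lines, flags htimage/imagemap requests whose mapname exceeds 740 bytes (the advisory's 741-character crash threshold), and flags cart.pl requests naming one of the three disclosure parameters. The sample log lines are constructed, and the assumption that 'vars', 'env' and 'db' appear as query parameter names (cart.pl?vars, cart.pl?env=1) is the example's own reading of the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* From the advisory: a mapname of 741 or more characters crashed the server. */
#define HTIMAGE_MAPNAME_MAX 740

enum { REQ_BENIGN = 0, REQ_HTIMAGE_OVERFLOW = 1, REQ_CART_DISCLOSURE = 2 };

/* Case-insensitive substring search (strcasestr is not ISO C). */
static const char *find_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle), i;
    for (; *hay; hay++) {
        for (i = 0; i < n && hay[i] &&
             tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]); i++)
            ;
        if (i == n) return hay;
    }
    return NULL;
}

/* Length in bytes of the mapname path-info segment after htimage.exe/ or
   imagemap.exe/ in a request target, or -1 if it is not such a request. */
static long mapname_length(const char *target) {
    const char *p = find_ci(target, "/htimage.exe/");
    size_t skip = strlen("/htimage.exe/");
    long n = 0;
    if (!p) { p = find_ci(target, "/imagemap.exe/"); skip = strlen("/imagemap.exe/"); }
    if (!p) return -1;
    p += skip;
    while (p[n] && p[n] != '?') n++;
    return n;
}

/* Name of the first disclosure parameter (vars, env, db) in a cart.pl query
   string, or NULL. Assumption: they are sent as parameter names. */
static const char *cart_disclosure_param(const char *target) {
    static const char *keys[] = {"vars", "env", "db"};
    const char *suffix = "/cart.pl", *q = strchr(target, '?');
    size_t slen = strlen(suffix), k;
    if (!q || (size_t)(q - target) < slen || strncmp(q - slen, suffix, slen) != 0)
        return NULL;
    for (q++; *q; ) {
        const char *end = q;
        while (*end && *end != '&' && *end != '=') end++;   /* parameter name */
        for (k = 0; k < 3; k++)
            if ((size_t)(end - q) == strlen(keys[k]) &&
                strncmp(q, keys[k], (size_t)(end - q)) == 0)
                return keys[k];
        while (*end && *end != '&') end++;                  /* skip the value */
        q = *end ? end + 1 : end;
    }
    return NULL;
}

static int classify_target(const char *target) {
    if (mapname_length(target) > HTIMAGE_MAPNAME_MAX) return REQ_HTIMAGE_OVERFLOW;
    if (cart_disclosure_param(target)) return REQ_CART_DISCLOSURE;
    return REQ_BENIGN;
}

/* Pull the request target out of a common-log-format line:
   host ident user [time] "METHOD target proto" status bytes */
static int clf_target(const char *line, char *out, size_t outlen) {
    const char *q = strchr(line, '"'), *start, *end;
    size_t n;
    if (!q || !(start = strchr(q + 1, ' '))) return -1;
    start++;
    if (!(end = strchr(start, ' '))) return -1;
    n = (size_t)(end - start);
    if (n + 1 > outlen) return -1;
    memcpy(out, start, n);
    out[n] = '\0';
    return 0;
}

/* Classify one log line; -1 if it does not parse. */
static int classify_log_line(const char *line) {
    char target[2048];
    if (clf_target(line, target, sizeof target) != 0) return -1;
    return classify_target(target);
}

/* Constructed log line for an htimage.exe request whose mapname is
   mapname_len 'A' bytes, classified; -1 if it would not fit. */
static int classify_constructed_htimage(size_t mapname_len) {
    static char line[4096];
    const char *pre = "192.0.2.10 - - [10/Oct/2000:13:55:36 -0700] \"GET /scripts/htimage.exe/";
    const char *post = "?12,34 HTTP/1.0\" 500 0";
    size_t i = strlen(pre);
    if (i + mapname_len + strlen(post) + 1 > sizeof line) return -1;
    memcpy(line, pre, i);
    memset(line + i, 'A', mapname_len);
    strcpy(line + i + mapname_len, post);
    return classify_log_line(line);
}

int main(void) {
    /* Constructed sample lines, not real traffic. */
    const char *lines[] = {
        "192.0.2.10 - - [10/Oct/2000:13:55:36 -0700] \"GET /scripts/htimage.exe/maps/site.map?12,34 HTTP/1.0\" 200 312",
        "198.51.100.7 - - [10/Oct/2000:13:56:01 -0700] \"GET /cgi-bin/cart.pl?vars HTTP/1.0\" 200 2048",
        "198.51.100.7 - - [10/Oct/2000:13:56:09 -0700] \"GET /cgi-bin/cart.pl?item=3&qty=2 HTTP/1.0\" 200 512",
    };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("line %zu -> class %d\n", i, classify_log_line(lines[i]));
    printf("800-byte mapname -> class %d\n", classify_constructed_htimage(800));
    return 0;
}
```

The mapname length is measured on the raw, still URL-encoded bytes of the request, which is what the server's own parser sees; decoding first would only shrink the count and risk missing a crash-length request.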
A design error in the operation of the crypt(3) function exists in QNX, from QNX System Software, Limited (QSSL). The flaw allows passwords to be recovered from their hashes. On most Unix variants, crypt(3) is based on a variant of the DES encryption algorithm used as a one-way hash, so the password cannot be computed from the stored hash. QNX, however, implements its own hashing algorithm whose output, unlike standard crypt(3), contains all the information required to recover the password directly. Any local user who can read the password file can therefore recover passwords, which in turn can lead to compromise of the root account.
A denial of service exists in the X11 font server (xfs) shipped with Red Hat Linux 6.x. Due to improper input validation, any user can crash the X font server, which prevents the X server from functioning properly. Similar problems exist in the stock xfs: users can crash the font server remotely, and the potential exists for buffer overruns. The root of the problem is that the font server is lax about verifying network input. While no public exploits exist, they are likely to be available in private circles, and a successful exploit could result in a remote root compromise.
A buffer overflow exists in imapd, in the handling of the LIST command. By supplying a long, crafted string as the second argument to LIST, it is possible to execute code on the machine. Executing LIST requires an account on the machine, and imapd drops privileges before the point at which the overrun occurs, so the vulnerability is only useful where a user has an account but no shell-level access; in that case it allows them to gain shell access. Overflows have also been found in the COPY, LSUB, RENAME and FIND commands; like LIST, all of them require a login on the machine.
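The defect class above, a quoted IMAP argument copied into a fixed-size buffer without a length check, is easiest to see next to its fix. The following is an added illustration, not the real imapd source: a toy parser for `<tag> LIST <reference> <mailbox>` in which the unbounded copy (the vulnerable shape) sits beside a bounded version that rejects any argument that does not fit. The buffer size MBOX_MAX and the helper names are this example's own assumptions; the LIST lines it feeds itself are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Fixed mailbox buffer size of this toy server. The real imapd sizes differ;
   this value is an assumption for the demonstration. */
#define MBOX_MAX 128

/* Vulnerable shape of the argument copy the advisory describes (written as an
   illustration, not as the real imapd code): the quoted string is copied with
   no bound, so a mailbox name longer than the caller's buffer overruns the stack. */
static int read_quoted_unbounded(const char **p, char *dst) {
    const char *s = *p;
    size_t n = 0;
    if (*s != '"') return -1;
    s++;
    while (*s && *s != '"') dst[n++] = *s++;   /* no check against MBOX_MAX */
    if (*s != '"') return -1;                  /* unterminated string */
    dst[n] = '\0';
    *p = s + 1;
    return 0;
}

/* Hardened version: same parse, but refuses any string that does not fit in
   dstlen-1 bytes instead of writing past the buffer.
   Returns 0 on success, -1 malformed, -2 argument too long. */
static int read_quoted(const char **p, char *dst, size_t dstlen) {
    const char *s = *p;
    size_t n = 0;
    if (*s != '"') return -1;
    s++;
    while (*s && *s != '"') {
        if (n + 1 >= dstlen) return -2;        /* reject rather than overflow */
        dst[n++] = *s++;
    }
    if (*s != '"') return -1;
    dst[n] = '\0';
    *p = s + 1;
    return 0;
}

/* Parse "<tag> LIST <reference> <mailbox>" with both arguments as quoted
   strings (IMAP {n} literals are not handled here). 0 ok, -1 malformed, -2 too long. */
static int parse_list_line(const char *line, char *ref, size_t reflen,
                           char *mbox, size_t mboxlen) {
    const char *p = line;
    int rc;
    while (*p && *p != ' ') p++;               /* skip the tag */
    if (*p != ' ') return -1;
    p++;
    if (strncmp(p, "LIST ", 5) != 0) return -1;
    p += 5;
    if ((rc = read_quoted(&p, ref, reflen)) != 0) return rc;
    if (*p != ' ') return -1;
    p++;
    if ((rc = read_quoted(&p, mbox, mboxlen)) != 0) return rc;
    if (*p == '\r') p++;
    if (*p == '\n') p++;
    return *p == '\0' ? 0 : -1;                /* trailing garbage */
}

/* Classify a complete LIST line using MBOX_MAX-sized buffers. */
static int classify_list_line(const char *line) {
    char ref[MBOX_MAX], mbox[MBOX_MAX];
    return parse_list_line(line, ref, sizeof ref, mbox, sizeof mbox);
}

/* Build a constructed line  A001 LIST "" "AAAA..."  with mbox_len A's.
   Returns 0, or -1 if out is too small. */
static int build_list_line(char *out, size_t outlen, size_t mbox_len) {
    const char *prefix = "A001 LIST \"\" \"";
    size_t i = strlen(prefix);
    if (i + mbox_len + 4 > outlen) return -1;
    memcpy(out, prefix, i);
    memset(out + i, 'A', mbox_len);
    i += mbox_len;
    out[i++] = '"'; out[i++] = '\r'; out[i++] = '\n'; out[i] = '\0';
    return 0;
}

/* Build a line with the given mailbox length and classify it with the
   hardened parser. */
static int classify_constructed_list(size_t mbox_len) {
    char line[1024];
    if (build_list_line(line, sizeof line, mbox_len) != 0) return -1;
    return classify_list_line(line);
}

int main(void) {
    char line[1024], mbox[MBOX_MAX];
    const char *p;
    build_list_line(line, sizeof line, 16);
    p = line + strlen("A001 LIST \"\" ");     /* points at the mailbox argument */
    printf("unbounded copy of a short argument: rc=%d mbox=%s\n",
           read_quoted_unbounded(&p, mbox), mbox);
    printf("16-byte mailbox: rc=%d\n", classify_constructed_list(16));
    printf("512-byte mailbox: rc=%d (rejected, not overflowed)\n",
           classify_constructed_list(512));
    return 0;
}
```

The unbounded copy is only ever called on a short argument here; with a 512-byte mailbox it would write past the 128-byte buffer, which is precisely the condition the advisory describes. Note also that the bound is enforced where the bytes are written, not by a separate length check that a later code path could skip.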