vqSoft vqServer for Windows is vulnerable to a directory traversal attack, which allows an attacker to access files outside of the web directory structure by appending a variable number of "../" and a known filename to an HTTP GET request.
A vulnerability exists in the gpm-root program, part of the gpm package. This package is used to enable mice on the consoles of many popular Linux distributions. The problem is a design error: the programmer attempted to revert to the invoking user's groups after having already called setuid to that user's ID. Because the process no longer has root privileges at that point, the setgid call fails, and the process keeps the group that gpm-root is running as, which is usually the 'root' group. This vulnerability requires that the user have console access. Reproduction as given in the original report: copy /bin/sh to /tmp; create a .gpm-root file in ~ containing: button 1 { name "create a setgid shell" "setgid shell" f.bgcmd "chgrp root /tmp/sh; chmod 2755 /tmp/sh" }; click the control-left mouse button and select "setgid shell"; then execute /tmp/sh.
Netscape Enterprise Server 3.x includes a poorly documented feature that will allow remote users to view directory listings by appending various instructional tags to the URL. Although it can be disabled, Netscape Enterprise Server is shipped with the 'Directory Indexing' feature enabled by default.
Kreatecd is a graphical front end to the cdrecord program, and is installed setuid root. This program will blindly trust the configuration of the path to cdrecord, as specified by the user. This means that arbitrary programs can be executed as root by an attacker using kreatecd. It appears that graphical interaction is required to exploit this program.
A vulnerability exists in the 'imwheel' package for Linux. This package is known to be vulnerable to a buffer overrun in its handling of the HOME environment variable. By supplying a sufficiently long string containing machine executable code, the imwheel program can be caused to run arbitrary commands as root. This is due to a setuid root perl script named 'imwheel-solo' which invokes the imwheel program with effective UID 0.
WebView WebMail-Client is an add-on for the Mercur SMTP/POP3/IMAP4 Mail Server which allows a user to access email through a web browser. Insufficient boundary checking exists in the code which handles GET requests, specifically on port 1080. Issuing a GET request containing a string of over 1000 characters on port 1080 will cause the WebView WebMail-Client application to crash.
Oracle Web Listener for NT makes use of various batch files as CGI scripts, which are stored in the /ows-bin/ directory by default. Any of these batch files can be used to run arbitrary commands on the server, simply by appending '?&' and a command to the filename. The command will be run at the SYSTEM level. The name of a batch file is not even necessary, as the server will expand the '*' character and apply the appended string to every batch file in the directory. Moreover, UNC paths can be used to cause the server to download and execute remote code.
A vulnerability in the Sojourn search engine allows an attacker to read any file that the webserver has read access to. This is done by making a request for a URL like http://target/cgi-bin/sojourn.cgi?cat=categoryname, where the program appends the .txt extension onto the contents of the 'cat' variable. However, the program will accept and follow the '../' string in the variable contents, allowing read access to any .txt file the webserver can read. This restriction can be bypassed by appending %00 to the end of the requested file, which will prevent the .txt extension from being used in the filename.
Atrium Software Mercur is an SMTP, POP3, and IMAP mail server. Insufficient boundary checking exists in the code that handles the SMTP "mail from" command, the POP3 "user" command and the IMAP "login" command. The application will crash if an overly long string is used as an argument to any of these commands.