Due to insufficient bounds checking on arguments (in this case -C) which are supplied by users, it is possible to overwrite the internal stack space of the lpr program while it is executing. This can allow an intruder to cause lpr to execute arbitrary commands by supplying a carefully designed argument to lpr. These commands will be run with the privileges of the lpr program. When lpr is installed setuid or setgid, it may allow intruders to gain those privileges.
There is a buffer overflow vulnerability in /opt/K/SCO/Unix/5.0.5Eb/.softmgmt/var/usr/bin/cancel. It is important to know that the overflows are not in "/usr/bin/cancel" or "/usr/lpd/remote/cancel". The consequence of this vulnerability being exploited is compromise of effective groupid of group lp.
Novell client versions 3.0 and 3.01 for Windows platforms are vulnerable to a remotely exploitable vulnerability which could cause a denial of service. The client opens a listening tcp socket on port 427, to which if a SYN is sent, results in the machine locking with a 'blue screen' error. The only solution from that point is to reset the affected computer.
Internet Explorer 5 will allow a malicious web page to read the contents of local files through a weakness in the IE5 security model. Normally the document.execCommand method is restricted from reading and returning data on the local machine, however if the method is called from within an IFRAME this restriction can be circumvented.
Hybrid Network's cable modems are vulnerable to several different types of attack due to a lack of authentication for the remote administration/configuration system. The cable modems use a protocol called HSMP, which uses UDP as its transport layer protocol. This makes it trivial to spoof packets and possible for hackers to compromise cable-modem subscribers anonymously. The possible consequences of this problem being exploited are very serious and range from denial of service attacks to running arbitrary code on the modem.
TeamTrack 3.00 has a built-in webserver which does not filter out requested paths containing the ../ sequence. This allows an attacker to specify a file outside of the normal web file structure. An attacker can request the SAM file from the TeamTrack server by using the URL http://target.com/../../../../../winnt/repair/sam._
A security hole exists in the nph-test-cgi script included in most UNIX based World Wide Web daemon distributions. The nph-* scripts exist to allow 'non-parsed headers' to be sent via the HTTP protocol (this is not the cause of this security problem, though). The problem is that nph-test-cgi, which prints out information on the current web environment (just like 'test-cgi' does) does not enclose its arguments to the 'echo' command inside of quotes....shell escapes are not possible (or at least I have not found them to be--yet) but shell *expansion* is.... This means that _any_ remote user can easily browse your filesystem via the WWW.
Due to insufficient bounds checking on user supplied arguments, it is possible to overflow an internal buffer and execute arbitrary code as root.
A buffer overflow vulnerability in the /usr/lib/fs/ufs/ufsdump setuid program allows local users to obtain root and tty group access. The vulnerability is the result of 'ufsdump' not being able to handle device names of a large length.
A buffer overflow vulnerability in the /usr/lib/fs/ufs/ufsdump setuid program allows local users to obtain root and tty group access. The vulnerability is the result of 'ufsdump' not being able to handle device names of a large length.
Services By CQR