A sample Active Server Page (ASP) script installed by default on Microsoft's Internet Information Server (IIS) 4.0 gives remote users access to view any file on the same volume as the web server that is readable by the web server. The script does not perform sufficent checks and allows files outside the sample directory to be requested. Similar vulnerabilities have been noted in ViewCode.asp, CodeBrws.asp and Winmsdp.exe.
A buffer overflow condition has been found in sdtcm_convert which may be exploited to obtain root access.
The vulnerability exists in Sun's power management software under Solaris versions 2.4-2.6. The sys-suspend program is initiated when a user runs the program, or presses the power key on a sun keyboard. This program moves the contents of memory to the disk, and powers down the system. As part of this shutdown procedure, it runs xlock to prevent a user from resuming the machine and accessing the logged in account. The vulnerability that exists is due to the order in which sys-suspend performs its operations. As xlock is run by this program, it executes after the suspension begins. Upon a resume, there is a window of time during which any data typed at the keyboard is passed to whatever X application last had focus. If this was an xterm, arbitrary commands can be issued. In the even the user who was logged in was root, system security can be entirely subverted.
Two vulnerabilities exist in Verity's Search`97 web interface to the Verity search engine. The first vulnerability is due to cgi-bin scripts, s97_cgi and s97r_cgi failing to check for the existence of certain shell meta characters. This allows an attacker to access any file on the file system. The second vulnerability is due to a lack of authentication being used to access the Verity administrative program. Any user can telnet to the appropriate port, and issue a command to shut the Verity software down.
Oracle8 is an enterprise level database. As part of the Internet Agent option installation process it installs the file $ORACLE_HOME/bin/oratclsh as suid root. oratclsh is a TCL application that provides full access to TCL. oratclsh gives anyone the ability to execute arbitrary TCL commands as root. The suid root bit gets set when the post install script 'root.sh' is executed as root as directed in the installation instructions. If the 'root.sh' script is not executed as root after installing the Intelligent Agent the oratclsh will be owned by the installation user (typically oracle). Although not as degerous as suid root, a suid oracle oratclsh script would allow a malicious user to obtain full acess to the database.
HP's JetAdmin Rev. D.01.09 software fails to check if it is following a symbolic link, allowing an attacker to create a link from /tmp/jetadmin.log to anywhere on the filesystem, with permissions for reading and writing by everyone on the system. This can be used to gain root access.
A buffer overflow exists in the pop server shipped with Santa Cruz Operation, Inc's (SCO) Open Server. By presenting a buffer of sufficient length to the pop server, an attacker can overwrite the return address on the stack, and execute arbitrary code upon a return. SCO's pop server is based on Qualcomm's pop daemon, and this vulnerability is similar to others present in Qualcomm's server.
Due to the way /bin/login behaves when a /etc/group file is not present under Slackware's version of the password shadowing suite, users who log in while this file is not present will be given uid and gid 0. This will allow them unrestricted access to the machine. If the call to initgroups() fails in setup_uid_gid(), the function immediately returns value of -1. However, the call to setup_uid_gid() in login.c fails to check this return value. Since the uid and gid were not checked, their value is still 0, and the user will be logged in with 0 as their uid and gid. Remove /etc/group and log in as a valid user. /etc/group must entirely not exist -- mode 000 is not sufficient.
The WWW Authorization Gateway program written by Ray Chan fails to eliminate characters with special meaning to the shell prior to executing a command. This allows an attacker to execute arbitrary commands on a system remotely, as whatever user invoked the cgi-bin, by placing a command in the username field.
ePerl is vulnerable to command injection when an ISINDEX query is passed on the command line by the web server. This allows an attacker to execute arbitrary code via the ePerl interpreter, with none of the restrictions enforced normally. In addition, this allows for the execution of any code on the file system. An attacker can place perl code on the file system, determine or guess the path to the code, and then execute it via an appropriate cgi-bin program.