
Explore Vulnerabilities


Explore all Exploits:

NetWin DMail Server Buffer Overflow Vulnerability

There is a buffer overflow vulnerability in the server daemon of NetWin's DMail mail-server solution for Unix and NT servers. This vulnerability could allow remote attackers to execute arbitrary commands as root or cause a denial of service. The overflow occurs when a large buffer is sent as the argument to the ETRN command: if over 260 characters are sent, the stack is corrupted and the mail server will crash.

Buffer Overflow in Windows

Windows 95, 98, NT and 2000 suffer from a number of related buffer overflows that can result in a crash if a filename with an extension longer than 128 characters is accessed. Although arbitrary code could be executed in this manner, it would have to be composed of valid filename character values only. File extensions of this size cannot be created within Windows 95, 98 or NT. A batch file executed from the command interpreter can accomplish this in a manner similar to the example in Securax advisory SA-02, linked to in the credit section. In Windows 2000, long extensions can be created with Explorer. The file will display properly; however, if a cut and paste operation is attempted, Explorer crashes and EIP is overwritten, making arbitrary code executable at the security level of the user.

Carello Shopping Cart Software Remote File Read and Write Access

A remote user can gain read and write access on a target machine running Carello shopping cart software. By creating a duplicate of a known file in a known directory on the target host through add.exe in /scripts/Carello, the user can generate a duplicate file with a "1" appended to the filename. The remote user can then perform an HTTP request of the newly created duplicate file and view its contents. This vulnerability requires the anonymous internet account to have write access to the relevant directories.

Web Shopping Cart Hidden Form Field Vulnerability

Various shopping cart applications use hidden form fields within the HTML source code with preset parameters which contain product information. If a remote user saves the web page of a particular item to their machine, it is possible for them to edit the HTML source, consequently allowing them to alter the parameters of the product. The modified web page can then be submitted to the shopping cart application. It is also possible in some circumstances to exploit this vulnerability via any regular browser's address bar.

Buffer Overrun in XDMCP Handling Code in gdm

A buffer overrun exists in the XDMCP handling code used in 'gdm', an xdm replacement, shipped as part of the GNOME desktop. By sending a maliciously crafted XDMCP message, it is possible for a remote attacker to execute arbitrary commands as root on the susceptible machine. The problem lies in the handling of the display information sent as part of an XDMCP 'FORWARD_QUERY' request.

DocumentComplete() function in IE origin domain validation vulnerability

The DocumentComplete() function in IE does not properly validate origin domains. It is therefore possible for a remote web server to gain read access to local files on the machine of any website visitor or email recipient by accessing the browser object of a frame containing local content. Only files that can be opened by a browser window (e.g. *.htm, *.js, *.txt) are viewable, and the path and name of the file must be known by the attacker.

Recent Exploits: