The variable $header is not sanitized. When register_globals=on, an attacker can exploit this vulnerability with a simple PHP injection script.
Microsoft has made available fixes for the JET/ODBC and RDS vulnerabilities. These fixes implement specific Registry Key values to restrict 'malicious activity'. The Security Permissions over these Registry Keys are set to 'Everyone:Special Access'. Special Access, in these instances, includes 'Set Value'. This permission allows members of the Everyone group (Domain Users, Users, Guests, etc.) to modify the value of these keys, including the ability to disable the security features which may have been enabled by the administrator. Disabling the DataFactory\HandlerInfo setting ('handlerRequired DWORD=0') may open the host to exploit via the MDAC RDS exploit as described in Bugtraq ID 529 (https://www.securityfocus.com/bid/529.html).
cfingerd is vulnerable to a local root (or nobody) buffer overflow. By setting a carefully designed GECOS field, it is possible to execute arbitrary code with root (or nobody) privileges.
The libtt.so shared library under certain versions of CDE handles a user-defined variable titled TT_SESSION. The code which handles this variable does not place a restriction on its size. At least one of the CDE programs which rely on this variable does not have sufficient bounds checking in place for it, which can result in a buffer overflow. The program in question is dtsession. Because dtsession runs setuid root and does not drop the root privilege (at least as tested on Solaris), the overflow can lead to local root compromise.
A local user can modify DCOM registry entries to escalate their privilege level. By editing the registry keys associated with DCOM server applications, they can change which services are started to handle specific events. By overwriting the service's EXE file and triggering the event, the user's code can run as SYSTEM.
A denial of service attack exists that affects FreeBSD, NetBSD, and OpenBSD, and potentially other operating systems based in some part on BSD. It is believed that all versions of these operating systems are vulnerable. The vulnerability is related to setting socket options regarding the size of the send and receive buffers on a socketpair. By setting them to certain values and performing a write of the same size as the configured buffer value, FreeBSD can be made to panic. NetBSD and OpenBSD do not panic, but network applications will stop responding.
The vulnerability in ProFTPD versions 1.2pre1, 1.2pre3, and 1.2pre3 is a remotely exploitable buffer overflow. It is caused by a sprintf() function in the log_xfer() routine in src/log.c. The vulnerability in ProFTPD version 1.2pre4 is a mkdir overflow, where the name of the created path cannot exceed 255 characters. ProFTPD version 1.2pre6 limits the command buffer size to 512 characters in src/main.c and modifies the fix from version 1.2pre4.
A user can add any group to the local Administrators group on Windows NT hosts running IBM's GINA replacement. By creating a specific Registry key under HKLM\System\CurrentControlSet\Services\IBMNeTNT, non-administrators can modify the GroupMapping key to include a group name that will be added to the Administrators group upon the next reboot.
The version of Vixie cron that ships with RedHat versions 4.2, 5.2 and 6.0 is vulnerable to a local buffer overflow attack. By utilizing the MAILTO environment variable, a buffer can be overflowed in the cron_popen() function, allowing an attacker to execute arbitrary code. The Vixie cron daemon is installed setuid root by default, allowing for a local root compromise.
The in.identd daemon in SuSE Linux is vulnerable to a remote denial of service attack. By sending a large number of ident requests in a short period of time, an attacker can force the target machine to start multiple daemons, eventually causing the machine to run out of memory and halt.