The IdealBB error.asp page is prone to a cross-site scripting vulnerability due to a lack of sufficient sanitization performed by functions in the error.asp script on user-influenced URI parameters. This vulnerability may be exploited to permit the theft of cookie authentication credentials if a malicious link is followed.
Debian has reported two vulnerabilities in the Postfix mail transfer agent. The first vulnerability, CAN-2003-0468, can allow an adversary to 'bounce-scan' a private network. It has also been reported that this vulnerability can be exploited to use the server as a distributed denial of service tool. These attacks are reportedly possible through forcing the server to connect to an arbitrary port on an arbitrary host. The second vulnerability, CAN-2003-0540, is another denial of service. It can be triggered by a malformed envelope address and can cause the queue manager to lock up until the message is removed manually from the queue. It is also reportedly possible to lock the SMTP listener, also resulting in a denial of service.
Under certain configurations, UniVerse allows the 'uvadm' user to perform certain administration tasks for the software. It has been reported that the uvadmsh binary does not perform bounds checking when parsing command-line arguments. Because access to the vulnerable option is restricted to the uvadm user, other users may not be able to exploit this vulnerability. While this vulnerability was reported in UniVerse version 10.0.0.9, previous versions are likely vulnerable as well.
The Exceed server and client have been reported prone to a remotely triggered buffer overflow vulnerability. An attacker may trigger this vulnerability by sending excessive data as a font name to the server via a malicious XLoadQueryFont() request, or by passing a malicious font name from the server to the client in a manner sufficient to trigger the overflow. When the vulnerable software handles this request it will crash.
This exploit is for xsoldier version 0.96 on Red Hat Linux release 6.2 (Zoot). It uses a buffer overflow vulnerability to overwrite the return address on the stack and execute arbitrary code. The exploit code contains a NOP sled followed by the shellcode and the return address.
It has been reported that there is a buffer overflow condition present in gopherd that may be exploited remotely to execute arbitrary code. The affected component is said to be used for determining view-types for gopher objects. An example exploit would look like this: "g+<long string>1<shellcode(256 character max)>". To exploit this, the request must start with h, 0, 4, 5, 9, s, I, or g. The server must be running Linux/BSD/Solaris, and must have the gopherd binary compiled with debugging symbols.
phpForum is vulnerable to a remote file inclusion vulnerability, which allows an attacker to include and execute malicious PHP scripts. This can be exploited by sending a specially crafted HTTP request to the vulnerable server, containing a malicious URL in the MAIN_PATH parameter.
A vulnerability has been reported for the RDS service that may allow an attacker to obtain unauthorized access to data residing on a ColdFusion MX server. The vulnerability is due to the way that authentication is done when communicating with a ColdFusion MX server. It is possible for a remote user to configure their web site properties to access files residing on the vulnerable server. Any information obtained in this manner may be used by an attacker to launch further attacks against a vulnerable system.
A cross-site scripting vulnerability has been reported for ProductCart. The vulnerability exists due to insufficient sanitization of some user-supplied values. Exploitation could permit an attacker to steal cookie-based authentication credentials or launch other attacks.
It has been reported that the permissions set by default on the files and directories comprising InterSystems Cache are insecure. The permissions on directories allegedly allow for any user to overwrite any file. This creates many opportunities for local attackers to obtain root privileges. A snippet from an strace of the cuxs binary shows that it is possible to execute the cache binary, which is set to be +s. An attacker can use this to copy the ash binary to the cache directory and execute it, allowing them to gain root privileges.