EmuMail is an open source web mail application available for the Unix, Linux, and Microsoft Windows operating systems. It has been reported that EmuMail does not properly sanitize input. Under some conditions, it is possible to pass an email containing script or html code through the EmuMail web mail interface. This would result in execution of the script code in the security context of the EmuMail site. Entering the string '<script>alert(document.cookie)</script>' into the email address field on the main form will cause the script to be executed when the email is viewed.
An attacker may be able to put malicious code in the %%PageOrder: portion of a file. When this malicious file is opened with gv, the code would be executed in the security context of the user opening the file.
The gds_lock_mgr program within Interbase is typically installed setuid. This program does not properly handle user-supplied umasks, and may allow the creation of files with insecure permissions as a privileged user. This exploit is written to work on a raq550 using xinetd.
A remotely exploitable heap overflow has been discovered in Null httpd. By passing a negative content length value to the server, it is possible to modify the allocation size of the read buffer, resulting in a heap overflow. An attacker may exploit this condition to overwrite arbitrary words in memory through the free() function. This may allow for the execution of arbitrary code.
This exploit is a buffer overflow vulnerability in the expect program. It was tested on versions 5.31.8 and 5.28.1 of expect, running on Slackware 7.x. The exploit uses a NOP sled and shellcode to overwrite the return address of the stack frame, allowing the attacker to execute arbitrary code.
Sun has released an advisory warning that it is possible for local users to escalate priveleges on Sun/Cobalt RaQ or Qube systems, by exploiting a vulnerability located in /usr/lib/authenticate. The vulnerability is due to the open() function in the authenticate program, which allows a local user to create a file with world-writable permissions in the current working directory. This can be exploited by a local user to create a malicious cron job, which will be executed with root privileges.
When a Microsoft Internet Explorer (MSIE) window opens another window, security checks should prevent the parent from accessing the child if the latter is of another domain or Security Zone. It has been reported that such checks fails to occur against attempts to access the frames of child window documents. It is possible for a parent window to set the URL of frames or iframes within a child window regardless of the domain or Security Zone. This has serious security implications as the parent can cause script code to be executed within the context of the child domain by setting the URL to the 'javascript' protocol, followed by the desired code. Attackers may also execute script code within the 'My Computer' Zone. This may have more severe consequences.
In cases where users of Webmin do not have root access on the underlying host, it may be possible to mount privilege escalation attacks on the underlying host. This normally occurs in configurations where multiple Webmin client systems have access to a centralized Webmin server. Webmin allows commands to be executed remotely on the underlying host from other Webmin client systems via the RPC module. However, the script that provides this facility does not sufficiently check the permissions of the source of the remote commands. As a result, it is possible for remote authenticated Webmin users to abuse this facility to execute commands (as root) on the underlying host. This may be exploited to gain root access to a system hosting the vulnerable software.
Microsoft Internet Explorer includes support for dialog windows through script calls to the two functions showModalDialog and showModelessDialog. These functions accept a URL location for the dialog content, and an option argument parameter to allow data to be passed to the dialog from the calling page. A check is done to ensure that data is only passed to dialogs located in the same domain as the calling page. However, if the URL provided as the dialog source redirects to a second location, only the first is subject to this security check. Exploitation may allow malicious content to be inserted into sensitive dialogs. Execution of arbitrary script within the Local Computer Zone has been demonstrated.
A weak default configuration problem has been reported in the Windows binary release of MySQL. Reportedly, the root user of the database is defined with no password, and granted login privileges from any host.
Services By CQR