When processing the location field in a NOTIFY directive, UPnP server process memory can be overwritten by data that originated in the packet. If the IP address, port and filename components are of excessive length, access violations will occur when the server attempts to dereference pointers overwritten with data from the packet.
ActivePerl is an implementation of the Perl scripting language for Microsoft Windows systems developed by ActiveState. ActivePerl allows for high-performance integration with IIS using a DLL called 'perlIIS.dll' to handle a '.plx' ISAPI extension. perlIIS.dll contains a remotely exploitable buffer overflow vulnerability in its handling of the URL string, caused by an unbounded string copy operation. All versions of ActivePerl prior to build 630 of ActivePerl 5.6.1 are believed to be vulnerable. This vulnerability requires that the option 'Check that file exists' be disabled; this option is enabled by default. Exploitation of this vulnerability may allow remote attackers to gain access to the target server.
A problem has been discovered in 6tunnel that could allow remote users to deny service to legitimate users of the service. The problem is due to the way 6tunnel manages sockets. When a client disconnects from the 6tunnel server, the socket previously used by the client enters the CLOSE state and does not time out. Once a large number of such sockets accumulates, the service crashes.
This program is an exploit for a buffer overflow vulnerability in the phf program on Linux-ix86 systems. It sends a malicious HTTP request to the vulnerable program, which contains a bundle of no-op instructions and a shellcode that will be executed when the buffer is overflowed.
Microsoft Outlook Express 6 contains a new security feature which prevents users from opening potentially harmful file attachments. A vulnerability exists which allows a file embedded within an HTML frame in an email message to bypass the dangerous file attachment type security feature. When a message containing an attachment embedded in this way is opened or previewed, the user is automatically prompted to open or save the attachment. If the user attempts to open the file immediately, the action will fail. However, an assembler-coded .exe attachment which has had its extension changed to .bat will execute immediately. Regardless of the extension type, the user is able to save the attachment to disk.
A malicious user can remotely crash a Quake 3 Server by sending a specially crafted packet to the server. The packet contains the string 'connectre' preceded by four bytes of 255. This packet can be sent using the netcat utility. Execution of arbitrary code may be possible as well.
The version of lpd that ships with Linux systems invokes groff to process documents that are to be printed. The groff utility used to process images, 'pic', contains a vulnerability that can be exploited to execute arbitrary commands on the victim system.
Snapstream Personal Video Station is an application for Microsoft Windows which allows users to record video output on their PC and view it at a later time, locally or via an HTTP interface. The Snapstream PVS web interface runs on port 8129. The PVS service stores passwords and user information in plaintext format. Additional information is also contained in the same file which stores passwords, such as the location of the base directory for the service. This would normally only be a local issue but in combination with other known vulnerabilities the file which stores passwords and user information is easily obtained. Due to the issue discussed as Bugtraq ID 3100, the passwords can be disclosed to remote attackers.
At least two SMTP gateway products have been identified which contain flaws in the handling of restricted filetypes as attachments. An attacker can insert extraneous characters in the filename extension of a hostile attachment. The affected gateway will fail to detect the modified extension. Since Microsoft Outlook removes illegal characters in extensions, the executable attachment is delivered to the recipient user with its normal, working extension intact.
Squid servers, when configured as an 'HTTP accelerator only', may allow remote attackers to use them as port scanners. There is also a potential that they will grant proxied access to the malicious user. To exploit this vulnerability, an attacker would set squid to HTTPD_accel mode, with a particular host and strict ACLs, export httpd_proxy='HTTP://squid-server:port', and use lynx HTTP://victim:port/. If the port is open, the attacker will get an HTTP 200 code and sometimes a response from services such as SSH, SMTP, etc. The expected result should be access denied (403).