dump-0.4b15x.c

The dump-0.4b15 exploit targets a privilege escalation vulnerability in the Red Hat 6.2 dump command which allows an attacker to execute an external program with SUID privileges. The bug was found by mat@hacksware.com and the exploit was coded by md0claes@mdstud.chalmers.se.

NCSA httpd and Apache Web Server ScriptAlias Function Vulnerability

NCSA httpd up to and including 1.5 and Apache Web Server prior to 1.0 contain a bug in the ScriptAlias function that allows remote users to view the source of CGI programs on the web server if a ScriptAlias directory is defined under DocumentRoot. If indexing is turned on, a full listing of the CGI-BIN directory can be obtained as well. This is accomplished by adding multiple forward slashes in the URL. When this syntax is used, the web server fails to recognize that the ScriptAlias directory is actually redirected to a CGI directory, and returns the text of the script instead of executing it. This may allow an attacker to audit scripts for vulnerabilities, retrieve proprietary information, etc.

WebMaster ConferenceRoom Developer Edition Denial of Service

ConferenceRoom is a chat package which enables a large community of users to chat together. It is possible to cause a denial of service in ConferenceRoom by making duplicate connections and executing special server commands in both sessions. For ConferenceRoom 1.8.1, the commands are "/ns buddy on" on the second connection and "/ns buddy add <clone client nickname>" on the first connection, followed by "/ns auth accept 1" on the second connection. For ConferenceRoom 1.8.2, the commands are "/ns set authorize chanlists on", "/cs aop <#ChannelName> add <NickName>", and "/ns auth accept 1". Executing these commands will cause the service to crash and refuse any new connections.

bbs_forum.cgi Directory Traversal Vulnerability

bbs_forum.cgi is a popular Perl cgi script from eXtropia.com. It fails to properly validate user-supplied, URL-encoded input to the read environment variable. Maliciously-formed URLs submitted to the script may contain references to files on the host's filesystem, as well as shell commands which will be run with the privilege level of the webserver. As a result, unpatched affected versions of the script permit an attacker to execute arbitrary code and to read arbitrary files on the vulnerable system.

Directory Traversal Vulnerability in Lotus Domino Server 5.0.6 and Previous

It is possible for a remote user to gain access to any known file residing on Lotus Domino Server 5.0.6 and earlier. A specially crafted HTTP request consisting of '.nsf' and '../' along with the known filename will display the contents of that file, provided it is readable.

Exploiting SUID Privileges on RCP

This exploit takes advantage of the SUID privileges of the rcp command to gain root access. It creates a shell script in the /tmp directory and then uses rcp to copy it to the localhost. The shell script is then compiled and given root privileges, and finally executed to gain root access.

Endymion MailMan Webmail 3.x Insecure open() Vulnerability

A vulnerability exists in 3.x versions of Endymion MailMan Webmail prior to release 3.0.26. This widely-used Perl script provides a web-based email interface. Affected versions make insecure use of the Perl open() function: attackers can influence how open() is invoked and thereby execute arbitrary commands. These commands run with the privilege level of the CGI script (commonly user 'nobody'). This vulnerability may allow remote attackers to gain interactive 'local' access on the target server. The exploit demonstrates this by executing a command that echoes back the uid.

Postaci Webmail Database Access Vulnerability

PostACI contains a vulnerability in its default configuration that may allow a remote attacker to gain access to the underlying database. The webmail application stores the database username and password in a file called global.inc. This file is world-readable and stored in a directory accessible by a web browser over the internet. As a result, an attacker can retrieve the global.inc file with a web browser on a typical system (default configuration). Once obtained, the attacker may be able to access the system's database.

Older versions of Microsoft Windows Out of Band Data Vulnerability

Older versions of Microsoft Windows (95, Windows for Workgroups 3.11, Windows NT up to and including 4.0), as well as SCO Open Server 5.0, have a vulnerability relating to the way they handle TCP/IP "Out of Band" data. This vulnerability can be exploited by sending a malicious packet with the URG (urgent) flag set in the TCP header, which causes the affected system to crash and display a "blue screen of death". The attack is most effective against port 139 (NetBIOS), but other services may be affected as well.