The truncate() system call on a number of versions of the IRIX operating system (with the xfs file system) does not properly check permissions before truncating a file, making it possible for unprivileged users to damage files to which they would otherwise not have write access.
Network Associates Inc.'s Net Tools PKI (Public Key Infrastructure) server is vulnerable to a directory traversal attack. This vulnerability allows an attacker to read any file on the system on which the PKI server resides, such as autoexec.bat, backup SAM files, etc. This is due to the failure of the web server to enforce a web root directory, allowing a user to move backward in the directory tree.
A directory traversal vulnerability exists in SimpleServer 1.06 and possibly earlier versions. By sending the vulnerable server a specially formed URL containing URL encoding (%2E), a remote user can gain read access to known files above the SimpleServer directory.
This exploit targets a vulnerability in the WUFTPD 2.6.0 FTP server. It allows an attacker to gain root access to the server. The exploit is written in C and uses Lam3rZ chroot() code for Linux and FreeBSD.
The servlet sunexamples.RealmDumpServlet, which is packaged by default with Sun's Java Web Server, can be used to discover ACLs and local users on the server. It can be accessed by sending a request to http://javawebserver/servlet/sunexamples.RealmDumpServlet or http://javawebserver:8080/servlet/sunexamples.RealmDumpServlet#Realm-NT. This will reveal the list of users and their home directories on the server.
The Razor Configuration Management program stores passwords in an insecure manner. A local attacker can obtain the Razor passwords, and either seize control of the software and relevant databases or use those passwords to access other users' accounts on the network.
An exploit which causes a Denial of Service to Sybergen's Sygate when run from an internal machine has been released. The exploit sends a UDP packet to port 53 of the gateway.
CheckPoint IP Firewall is vulnerable to a Denial of Service attack when it receives a number of spoofed UDP packets with Source IP = Destination IP. This causes the firewall (and likely the machine hosting it) to crash.
A specially crafted request can disclose the first line of any world-readable file for which the full pathname is known, for example /etc/passwd. The output of the request is similar to the following: 'Unknown configuration command "root:x:0:0:root:/root:/bin/sh" in "/etc/passwd"'. The following request will display the first line of /etc/passwd: http://target:port/sawmill?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1,1,1,1,1,1+3. If sawmill is run as a CGI script, the following can be used instead: http://target/cgi-bin/sawmill5?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1,1,1,1,1,1+3.
The Washington University FTP daemon (wu-ftpd) is vulnerable to a very serious remote attack in the SITE EXEC implementation. Because user input is passed directly into a format string for a *printf function, it is possible to overwrite important data, such as a return address, on the stack. When this is accomplished, the function can jump into shellcode pointed to by the overwritten EIP and execute arbitrary commands as root. It should be noted that the SITE INDEX command is affected as well.