VARIoT IoT vulnerabilities database

Cisco Wireless Control System (WCS) for Linux and Windows 4.0(1) and earlier uses a default administrator username "root" and password "public," which allows remote attackers to gain access (aka bug CSCse21391). Vendors have confirmed this vulnerability Bug ID CSCse21391 It is released as.Access may be obtained by a third party. Cisco Wireless Control System is prone to multiple security vulnerabilities. The following issues have been disclosed: - Authorization-bypass vulnerability due to multiple hardcoded username and password pairs - Arbitrary file access vulnerability - Cross-site scripting vulnerability - Information-disclosure vulnerability An attacker can exploit these issues to retrieve potentially sensitive information, overwrite files, perform cross-site scripting attacks, and gain unauthorized access; other attacks are also possible. ---------------------------------------------------------------------- Reverse Engineer Wanted Secunia offers a Security Specialist position with emphasis on reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: Cisco Wireless Control System Multiple Vulnerabilities SECUNIA ADVISORY ID: SA20870 VERIFY ADVISORY: http://secunia.com/advisories/20870/ CRITICAL: Moderately critical IMPACT: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: Cisco Wireless Control System (WCS) 1.x http://secunia.com/product/6332/ DESCRIPTION: Some vulnerabilities and a security issue have been reported in Cisco Wireless Control System (WCS), which can be exploited by malicious, local users to gain knowledge of sensitive information, and by malicious people to gain knowledge of sensitive information, conduct cross-site scripting attacks, bypass certain security restrictions and potentially compromise a vulnerable system. 1) An undocumented username and hard-coded password exists in the WCS. This can be exploited to connect to the WCS internal database and to gain access to the configuration information of managed wireless access points. The security issue has been reported in WCS for Linux and Windows 3.2(40) and prior. 2) Undocumented database username and password are stored in clear text in several WCS files. This can potentially be exploited by local users to gain knowledge of the user credentials and to gain access to the database. 3) An error within the internal TFTP server allows reading from or writing to arbitrary locations in the filesystem of a WCS system. Successful exploitation requires that the configured root directory of the TFTP server contains a space character. 4) Input passed to the unspecified parameter in login page is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 5) An access control error within the WCS HTTP server can be exploited to gain access to certain directories, which may contain sensitive information like WCS usernames and directory paths. SOLUTION: Update to WCS for Linux and Windows 3.2(63) or later. http://www.cisco.com/public/sw-center/sw-usingswc.shtml Default administrator passwords should be changed after installation. PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the TFTP server in Cisco Wireless Control System (WCS) for Linux and Windows before 3.2(51), when configured to use a directory path name that contains a space character, allows remote authenticated users to read and overwrite arbitrary files via unspecified vectors. Cisco Wireless Control System is prone to multiple security vulnerabilities. The following issues have been disclosed: - Authorization-bypass vulnerability due to multiple hardcoded username and password pairs - Arbitrary file access vulnerability - Cross-site scripting vulnerability - Information-disclosure vulnerability An attacker can exploit these issues to retrieve potentially sensitive information, overwrite files, perform cross-site scripting attacks, and gain unauthorized access; other attacks are also possible. ---------------------------------------------------------------------- Reverse Engineer Wanted Secunia offers a Security Specialist position with emphasis on reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: Cisco Wireless Control System Multiple Vulnerabilities SECUNIA ADVISORY ID: SA20870 VERIFY ADVISORY: http://secunia.com/advisories/20870/ CRITICAL: Moderately critical IMPACT: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: Cisco Wireless Control System (WCS) 1.x http://secunia.com/product/6332/ DESCRIPTION: Some vulnerabilities and a security issue have been reported in Cisco Wireless Control System (WCS), which can be exploited by malicious, local users to gain knowledge of sensitive information, and by malicious people to gain knowledge of sensitive information, conduct cross-site scripting attacks, bypass certain security restrictions and potentially compromise a vulnerable system. 1) An undocumented username and hard-coded password exists in the WCS. This can be exploited to connect to the WCS internal database and to gain access to the configuration information of managed wireless access points. The security issue has been reported in WCS for Linux and Windows 3.2(40) and prior. 2) Undocumented database username and password are stored in clear text in several WCS files. This can potentially be exploited by local users to gain knowledge of the user credentials and to gain access to the database. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior. 3) An error within the internal TFTP server allows reading from or writing to arbitrary locations in the filesystem of a WCS system. Successful exploitation requires that the configured root directory of the TFTP server contains a space character. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior. 4) Input passed to the unspecified parameter in login page is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior. 5) An access control error within the WCS HTTP server can be exploited to gain access to certain directories, which may contain sensitive information like WCS usernames and directory paths. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior. Note: It has also been reported that WCS for Linux and Windows 4.0(1) and prior are installed with a default administrator username root, with a default password of public. SOLUTION: Update to WCS for Linux and Windows 3.2(63) or later. http://www.cisco.com/public/sw-center/sw-usingswc.shtml Default administrator passwords should be changed after installation. PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in the login page of the HTTP interface for the Cisco Wireless Control System (WCS) for Linux and Windows before 3.2(51) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a "malicious URL". Cisco Wireless Control System is prone to multiple security vulnerabilities. The following issues have been disclosed: - Authorization-bypass vulnerability due to multiple hardcoded username and password pairs - Arbitrary file access vulnerability - Cross-site scripting vulnerability - Information-disclosure vulnerability An attacker can exploit these issues to retrieve potentially sensitive information, overwrite files, perform cross-site scripting attacks, and gain unauthorized access; other attacks are also possible. ---------------------------------------------------------------------- Reverse Engineer Wanted Secunia offers a Security Specialist position with emphasis on reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: Cisco Wireless Control System Multiple Vulnerabilities SECUNIA ADVISORY ID: SA20870 VERIFY ADVISORY: http://secunia.com/advisories/20870/ CRITICAL: Moderately critical IMPACT: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: Cisco Wireless Control System (WCS) 1.x http://secunia.com/product/6332/ DESCRIPTION: Some vulnerabilities and a security issue have been reported in Cisco Wireless Control System (WCS), which can be exploited by malicious, local users to gain knowledge of sensitive information, and by malicious people to gain knowledge of sensitive information, conduct cross-site scripting attacks, bypass certain security restrictions and potentially compromise a vulnerable system. 1) An undocumented username and hard-coded password exists in the WCS. This can be exploited to connect to the WCS internal database and to gain access to the configuration information of managed wireless access points. The security issue has been reported in WCS for Linux and Windows 3.2(40) and prior. 2) Undocumented database username and password are stored in clear text in several WCS files. This can potentially be exploited by local users to gain knowledge of the user credentials and to gain access to the database. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior. 3) An error within the internal TFTP server allows reading from or writing to arbitrary locations in the filesystem of a WCS system. Successful exploitation requires that the configured root directory of the TFTP server contains a space character. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior. 4) Input passed to the unspecified parameter in login page is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior. 5) An access control error within the WCS HTTP server can be exploited to gain access to certain directories, which may contain sensitive information like WCS usernames and directory paths. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior. Note: It has also been reported that WCS for Linux and Windows 4.0(1) and prior are installed with a default administrator username root, with a default password of public. SOLUTION: Update to WCS for Linux and Windows 3.2(63) or later. http://www.cisco.com/public/sw-center/sw-usingswc.shtml Default administrator passwords should be changed after installation. PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

HTTP server in Cisco Wireless Control System (WCS) for Linux and Windows before 3.2(51) stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain usernames and directory paths via a direct URL request. Cisco Wireless Control System is prone to multiple security vulnerabilities. The following issues have been disclosed: - Authorization-bypass vulnerability due to multiple hardcoded username and password pairs - Arbitrary file access vulnerability - Cross-site scripting vulnerability - Information-disclosure vulnerability An attacker can exploit these issues to retrieve potentially sensitive information, overwrite files, perform cross-site scripting attacks, and gain unauthorized access; other attacks are also possible. ---------------------------------------------------------------------- Reverse Engineer Wanted Secunia offers a Security Specialist position with emphasis on reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: Cisco Wireless Control System Multiple Vulnerabilities SECUNIA ADVISORY ID: SA20870 VERIFY ADVISORY: http://secunia.com/advisories/20870/ CRITICAL: Moderately critical IMPACT: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: Cisco Wireless Control System (WCS) 1.x http://secunia.com/product/6332/ DESCRIPTION: Some vulnerabilities and a security issue have been reported in Cisco Wireless Control System (WCS), which can be exploited by malicious, local users to gain knowledge of sensitive information, and by malicious people to gain knowledge of sensitive information, conduct cross-site scripting attacks, bypass certain security restrictions and potentially compromise a vulnerable system. 1) An undocumented username and hard-coded password exists in the WCS. This can be exploited to connect to the WCS internal database and to gain access to the configuration information of managed wireless access points. The security issue has been reported in WCS for Linux and Windows 3.2(40) and prior. 2) Undocumented database username and password are stored in clear text in several WCS files. This can potentially be exploited by local users to gain knowledge of the user credentials and to gain access to the database. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior. 3) An error within the internal TFTP server allows reading from or writing to arbitrary locations in the filesystem of a WCS system. Successful exploitation requires that the configured root directory of the TFTP server contains a space character. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior. 4) Input passed to the unspecified parameter in login page is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior. Note: It has also been reported that WCS for Linux and Windows 4.0(1) and prior are installed with a default administrator username root, with a default password of public. SOLUTION: Update to WCS for Linux and Windows 3.2(63) or later. http://www.cisco.com/public/sw-center/sw-usingswc.shtml Default administrator passwords should be changed after installation. PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The web interface on Cisco IOS 12.3(8)JA and 12.3(8)JA1, as used on the Cisco Wireless Access Point and Wireless Bridge, reconfigures itself when it is changed to use the "Local User List Only (Individual Passwords)" setting, which removes all security and password configurations and allows remote attackers to access the system. This may permit an attacker to bypass the authentication mechanism and gain access to the web interface. Remote attackers may use this loophole to obtain unauthorized access. ---------------------------------------------------------------------- Reverse Engineer Wanted Secunia offers a Security Specialist position with emphasis on reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. Successful exploitation requires that the web management interface is enabled. http://www.cisco.com/public/sw-center/sw-usingswc.shtml PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20060628-ap.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The internal database in Cisco Wireless Control System (WCS) for Linux and Windows before 3.2(51) uses an undocumented, hard-coded username and password, which allows remote authenticated users to read, and possibly modify, sensitive configuration data (aka bugs CSCsd15955). Cisco Wireless Control System is prone to multiple security vulnerabilities. The following issues have been disclosed: - Authorization-bypass vulnerability due to multiple hardcoded username and password pairs - Arbitrary file access vulnerability - Cross-site scripting vulnerability - Information-disclosure vulnerability An attacker can exploit these issues to retrieve potentially sensitive information, overwrite files, perform cross-site scripting attacks, and gain unauthorized access; other attacks are also possible. ---------------------------------------------------------------------- Reverse Engineer Wanted Secunia offers a Security Specialist position with emphasis on reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: Cisco Wireless Control System Multiple Vulnerabilities SECUNIA ADVISORY ID: SA20870 VERIFY ADVISORY: http://secunia.com/advisories/20870/ CRITICAL: Moderately critical IMPACT: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: Cisco Wireless Control System (WCS) 1.x http://secunia.com/product/6332/ DESCRIPTION: Some vulnerabilities and a security issue have been reported in Cisco Wireless Control System (WCS), which can be exploited by malicious, local users to gain knowledge of sensitive information, and by malicious people to gain knowledge of sensitive information, conduct cross-site scripting attacks, bypass certain security restrictions and potentially compromise a vulnerable system. 1) An undocumented username and hard-coded password exists in the WCS. This can be exploited to connect to the WCS internal database and to gain access to the configuration information of managed wireless access points. The security issue has been reported in WCS for Linux and Windows 3.2(40) and prior. 2) Undocumented database username and password are stored in clear text in several WCS files. This can potentially be exploited by local users to gain knowledge of the user credentials and to gain access to the database. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior. 3) An error within the internal TFTP server allows reading from or writing to arbitrary locations in the filesystem of a WCS system. Successful exploitation requires that the configured root directory of the TFTP server contains a space character. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior. 4) Input passed to the unspecified parameter in login page is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior. 5) An access control error within the WCS HTTP server can be exploited to gain access to certain directories, which may contain sensitive information like WCS usernames and directory paths. The vulnerability has been reported in WCS for Linux and Windows 3.2(51) and prior. Note: It has also been reported that WCS for Linux and Windows 4.0(1) and prior are installed with a default administrator username root, with a default password of public. SOLUTION: Update to WCS for Linux and Windows 3.2(63) or later. http://www.cisco.com/public/sw-center/sw-usingswc.shtml Default administrator passwords should be changed after installation. PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

F-Secure Anti-Virus 2003 through 2006 and other versions, Internet Security 2003 through 2006, and Service Platform for Service Providers 6.x and earlier does not scan files contained on removable media when "Scan network drives" is disabled, which allows remote attackers to bypass anti-virus controls. Multiple products by F-Secure are prone to scan-evasion vulnerabilities. Exploitation of these vulnerabilities may result in a false sense of security and in the execution of malicious applications. This could potentially lead to a malicious code infection. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. 1) An unspecified error within the handling of executable programs where the name has been manipulated in a certain way can be exploited to bypass the anti-virus scanning functionality. 2) An error causes files on removable media to not be scanned when the "Scan network devices" option has been disabled. SOLUTION: Apply patches (see patch matrix in the vendor's advisory). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: F-Secure: http://www.f-secure.com/security/fsc-2006-4.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Format string vulnerability in the CF_syslog function launchd in Apple Mac OS X 10.4 up to 10.4.6 allows local users to execute arbitrary code via format string specifiers that are not properly handled in a syslog call in the logging facility, as demonstrated by using a crafted plist file. Apple Mac OS X 'launchd' is prone to a local format-string vulnerability. A local attacker can exploit this issue through a malicious 'plist' file that includes externally supplied format specifiers that will be passed to the vulnerable code. A successful attack may crash the application or lead to arbitrary code execution. This issue was initially discussed in BID 18686 (Apple Mac OS X Multiple Security Vulnerabilities). The vulnerability exists specifically in the logging tool of launchd. ---------------------------------------------------------------------- Reverse Engineer Wanted Secunia offers a Security Specialist position with emphasis on reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. 1) An error in the AFP server within the handling of users' search results can be exploited by malicious users to gain knowledge of the names of files and folders for which the user performing the search has no access to. 2) A vulnerability within the Freshclam command line utility in ClamAV can potentially be exploited to compromise a vulnerable system. For more information: SA19880 3) A boundary error in ImageIO within the handling of TIFF images can be exploited to cause a stack-based buffer overflow. 5) An error within "slapd" of the OpenLDAP server when handling an anonymous bind operation can be exploited to crash the service via a malformed ldap-bind message. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

OpenLDAP in Apple Mac OS X 10.4 up to 10.4.6 allows remote attackers to cause a denial of service (crash) via an invalid LDAP request that triggers an assert error. Apple has reported a vulnerability in their version of OpenLDAP that is included in Apple Mac OS X and Mac OS X Server versions 10.4 to 10.4.6. If successfully exploited, this vulnerability would allow an attacker to create a denial-of-service condition. An attacker can exploit this issue to cause a crash in the LDAP server, effectively denying service to legitimate users. This issue was initially discussed in BID 18686 (Apple Mac OS X Multiple Security Vulnerabilities), which has been split into individual BIDs to discuss each issue separately. ---------------------------------------------------------------------- Reverse Engineer Wanted Secunia offers a Security Specialist position with emphasis on reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. 1) An error in the AFP server within the handling of users' search results can be exploited by malicious users to gain knowledge of the names of files and folders for which the user performing the search has no access to. 2) A vulnerability within the Freshclam command line utility in ClamAV can potentially be exploited to compromise a vulnerable system. For more information: SA19880 3) A boundary error in ImageIO within the handling of TIFF images can be exploited to cause a stack-based buffer overflow. This crashes an affected application and may allow arbitrary code execution when a specially crafted TIFF image is viewed. 4) A format string error within the logging functionality of the setuid program "launchd" can be exploited by local users to execute arbitrary code with system privileges. 5) An error within "slapd" of the OpenLDAP server when handling an anonymous bind operation can be exploited to crash the service via a malformed ldap-bind message. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack-based buffer overflow in ImageIO in Apple Mac OS X 10.4 up to 10.4.6 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image. Mac OS X is prone to a buffer-overflow vulnerability. This issue is due to a stack-based buffer-overflow that results in a buffer being overrun with attacker-supplied data. This issue allows remote attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely crash the application, denying service to legitimate users. This issue was initially discussed in BID 18686 (Apple Mac OS X Multiple Security Vulnerabilities), which has been split into individual BIDs to discuss each issue separately. ---------------------------------------------------------------------- Reverse Engineer Wanted Secunia offers a Security Specialist position with emphasis on reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. 1) An error in the AFP server within the handling of users' search results can be exploited by malicious users to gain knowledge of the names of files and folders for which the user performing the search has no access to. 2) A vulnerability within the Freshclam command line utility in ClamAV can potentially be exploited to compromise a vulnerable system. For more information: SA19880 3) A boundary error in ImageIO within the handling of TIFF images can be exploited to cause a stack-based buffer overflow. 4) A format string error within the logging functionality of the setuid program "launchd" can be exploited by local users to execute arbitrary code with system privileges. 5) An error within "slapd" of the OpenLDAP server when handling an anonymous bind operation can be exploited to crash the service via a malformed ldap-bind message. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Apple File Protocol (AFP) server in Apple Mac OS X 10.4 up to 10.4.6 includes the names of restricted files and folders within search results, which might allow remote attackers to obtain sensitive information. Mac OS X is prone to an information-disclosure vulnerability. This issue is due to a failure in the application to properly secure potentially sensitive information. An attacker can exploit this issue to retrieve potentially sensitive information that may aid in further attacks. This issue was initially discussed in BID 18686 (Apple Mac OS X Multiple Security Vulnerabilities), which has been split into individual BIDs to discuss each issue separately. ---------------------------------------------------------------------- Reverse Engineer Wanted Secunia offers a Security Specialist position with emphasis on reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. 2) A vulnerability within the Freshclam command line utility in ClamAV can potentially be exploited to compromise a vulnerable system. For more information: SA19880 3) A boundary error in ImageIO within the handling of TIFF images can be exploited to cause a stack-based buffer overflow. This crashes an affected application and may allow arbitrary code execution when a specially crafted TIFF image is viewed. 4) A format string error within the logging functionality of the setuid program "launchd" can be exploited by local users to execute arbitrary code with system privileges. 5) An error within "slapd" of the OpenLDAP server when handling an anonymous bind operation can be exploited to crash the service via a malformed ldap-bind message. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Buffer overflow in the Online Registration Facility for Algorithmic Research PrivateWire VPN software up to 3.7 allows remote attackers to execute arbitrary code via a long GET request. PrivateWire online registration is prone to a remote buffer-overflow vulnerability. The application fails to properly check boundary conditions when handling GET requests. PrivateWire 3.7 is vulnerable to this issue; previous versions may also be affected. Algorithmic Research PrivateWire is a security suite that protects communications between clients and servers. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: PrivateWire Registration Functionality Buffer Overflow SECUNIA ADVISORY ID: SA20812 VERIFY ADVISORY: http://secunia.com/advisories/20812/ CRITICAL: Highly critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: PrivateWire 3.x http://secunia.com/product/10656/ DESCRIPTION: Michael Thumann has reported a vulnerability in PrivateWire, which can be exploited by malicious people to cause a DoS and potentially compromise a vulnerable system. The vulnerability is caused due to a boundary error within the Online Registration functionality when handling an overly long URL. This can be exploited to cause a buffer overflow via an overly long GET request. The vulnerability has been reported in PrivateWire Gateway version 3.7. SOLUTION: The vendor has reportedly issued a patch. Users can contract the vendor to obtain the patch. PROVIDED AND/OR DISCOVERED BY: Michael Thumann ORIGINAL ADVISORY: http://www.ernw.de/security_advisories.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Apple Safari 2.0.3 (417.9.3) on Mac OS X 10.4.6 allows remote attackers to cause a denial of service (CPU consumption) via Javascript with an infinite for loop. NOTE: it could be argued that this is not a vulnerability, unless it interferes with the operation of the system outside of the scope of Safari itself

Cisco Secure Access Control Server (ACS) 4.x for Windows uses the client's IP address and the server's port number to grant access to an HTTP server port for an administration session, which allows remote attackers to bypass authentication via various methods, aka "ACS Weak Session Management Vulnerability.". This issue is due to the application's failure to properly ensure that remote web-based users are properly authenticated. This issue allows remote attackers to gain administrative access to the web-based administrative interface of the affected application. Cisco Secure ACS for Windows versions in the 4.x series were identified as vulnerable to this issue; other versions and platforms may also be affected. This issue is being tracked by Cisco Bug IDs CSCse26754 and CSCse26719. This helps attackers to hijack management sessions because port numbers are assigned in a sequential fashion without using strong authentication. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: Cisco Secure ACS Session Management Security Issue SECUNIA ADVISORY ID: SA20816 VERIFY ADVISORY: http://secunia.com/advisories/20816/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From local network SOFTWARE: Cisco Secure ACS 4.x http://secunia.com/product/10635/ DESCRIPTION: Darren Bounds has reported a security issue in Cisco Secure ACS, which can be exploited by malicious people to bypass certain security restrictions. The problem is caused due to the web-based management interface handling session management in an insecure way based on the assigned service port and the client's IP address. Successful exploitation requires that the attacker uses the same IP address as the logged in administrative user. The security issue has been reported in version 4.0 for Windows. Other versions may also be affected. SOLUTION: Only connect to the web-based management interface from dedicated management systems. PROVIDED AND/OR DISCOVERED BY: Darren Bounds ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20060623-acs.shtml Darren Bounds: http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047301.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The FTP proxy module in Fortinet FortiOS (FortiGate) before 2.80 MR12 and 3.0 MR2 allows remote attackers to bypass anti-virus scanning via the Enhanced Passive (EPSV) FTP mode. Fortinet FortiGate is prone to a vulnerability that allows an attacker to bypass antivirus protection. This issue occurs when files are transferred using the FTP protocol under certain conditions. Fortinet FortiOS versions prior to 2.80 MR12 and 3.0 MR2 are vulnerable to this issue if the FTP antivirus gateway-scanning service is used. Fortinet FortiGate is a network security platform developed by Fortinet. The platform provides functions such as firewall, antivirus and intrusion prevention (IPS), application control, antispam, wireless controller and WAN acceleration. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: FortiGate FTP Anti-Virus Scanning Bypass Vulnerability SECUNIA ADVISORY ID: SA20720 VERIFY ADVISORY: http://secunia.com/advisories/20720/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From remote OPERATING SYSTEM: Fortinet FortiOS (FortiGate) 3.x http://secunia.com/product/6802/ Fortinet FortiOS (FortiGate) 2.x http://secunia.com/product/2289/ DESCRIPTION: A vulnerability has been reported in FortiGate, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an error within the FortiGate FTP proxy when handling the ESPV command. SOLUTION: Update to FortiOS 2.80 MR12 release or FortiOS 3.0 MR2 release. Users can contact Fortinet Tech Support to obtain the updated firmware. PROVIDED AND/OR DISCOVERED BY: The vendor credits a recent magazine test review article. ORIGINAL ADVISORY: http://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-15.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in Cisco CallManager 3.3 before 3.3(5)SR3, 4.1 before 4.1(3)SR4, 4.2 before 4.2(3), and 4.3 before 4.3(1), allows remote attackers to inject arbitrary web script or HTML via the (1) pattern parameter in ccmadmin/phonelist.asp and (2) arbitrary parameters in ccmuser/logon.asp, aka bugid CSCsb68657. This issue is due to a failure in the web-interface to properly sanitize user-supplied input. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting administrative user in the context of the affected site. This may help the attacker launch other attacks

Buffer overflow in Microsoft Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows local and possibly remote attackers to execute arbitrary code via crafted Active Server Pages (ASP). Microsoft DHCP Client service contains a buffer overflow. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system. Microsoft Office applications fail to properly handle PNG images. To exploit this issue, attackers must be able to place and execute malicious ASP pages on computers running the affected ASP server software. This may be an issue in shared-hosting environments. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-192A Microsoft Windows, Office, and IIS Vulnerabilities Original release date: July 11, 2006 Last revised: -- Source: US-CERT Systems Affected * Microsoft Windows * Microsoft Internet Information Services (IIS) * Microsoft Office * Microsoft Office for Mac * Microsoft Access * Microsoft Excel and Excel Viewer * Microsoft FrontPage * Microsoft InfoPath * Microsoft OneNote * Microsoft Outlook * Microsoft PowerPoint * Microsoft Project * Microsoft Publisher * Microsoft Visio * Microsoft Word and Word Viewer Overview Microsoft has released updates that address critical vulnerabilities in Microsoft Windows, IIS, and Office. I. Description Microsoft Security Bulletin Summary for July 2006 addresses vulnerabilities in Microsoft products including Windows, IIS, and Office. (CVE-2006-0007) In MS06-037, Microsoft has released updates for the Excel vulnerability (VU#802324) described in Technical Cyber Security Alert TA06-167A. II. An attacker may also be able to cause a denial of service. III. Solution Apply a patch from your vendor Microsoft has provided updates for these vulnerabilities in the Security Bulletins. Updates for Microsoft Windows and Microsoft Office XP and later are available on the Microsoft Update site. Apple Mac OS X users should obtain updates from the Mactopia web site. System administrators may wish to consider using Windows Server Update Services (WSUS). Workaround Please see the following Vulnerability Notes for workarounds. Appendix A. References * Microsoft Security Bulletin Summary for July 2006 - <http://www.microsoft.com/technet/security/bulletin/ms06-jul.mspx> * Technical Cyber Security Alert TA06-167A - <http://www.us-cert.gov/cas/techalerts/TA06-167A.html> * US-CERT Vulnerability Notes for Microsoft July 2006 updates - <http://www.kb.cert.org/vuls/byid?searchview&query=ms06-jul> * US-CERT Vulnerability Note VU#395588 - <http://www.kb.cert.org/vuls/id/395588> * US-CERT Vulnerability Note VU#189140 - <http://www.kb.cert.org/vuls/id/189140> * US-CERT Vulnerability Note VU#257164 - <http://www.kb.cert.org/vuls/id/257164> * US-CERT Vulnerability Note VU#802324 - <http://www.kb.cert.org/vuls/id/802324> * US-CERT Vulnerability Note VU#580036 - <http://www.kb.cert.org/vuls/id/580036> * US-CERT Vulnerability Note VU#609868 - <http://www.kb.cert.org/vuls/id/609868> * US-CERT Vulnerability Note VU#409316 - <http://www.kb.cert.org/vuls/id/409316> * US-CERT Vulnerability Note VU#459388 - <http://www.kb.cert.org/vuls/id/459388> * US-CERT Vulnerability Note VU#668564 - <http://www.kb.cert.org/vuls/id/668564> * CVE-2006-0026 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0026> * CVE-2006-1314 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1314> * CVE-2006-2372 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2372> * CVE-2006-3059 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3059> * CVE-2006-1316 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1316> * CVE-2006-1540 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1540> * CVE-2006-2389 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2389> * CVE-2006-0033 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0033> * CVE-2006-0007 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0007> * Microsoft Update - <https://update.microsoft.com/microsoftupdate> * Microsoft Office Update - <http://officeupdate.microsoft.com> * Mactopia - <http://www.microsoft.com/mac> * Windows Server Update Services - <http://www.microsoft.com/windowsserversystem/updateservices/default.mspx> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-192A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-192A Feedback VU#802324" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History July 11, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRLQsLn0pj593lg50AQLyjQf/blQM+kdtxI5/dQ/Njj99QuR3yBT9ERwJ QfZgOr8yN4rUhOU1xkXq6go7E1W4kfwuKVwwobLuYXk9Cq6xP4aVpt0/ws53wNHI iAvJ1rURSFcVwDAXKvbiv7mmjORA36R5M37JiwR0ny76f20yZaz8LTjMbhwSLyFR Cj7kPE0o6Fu0uUwI7ETskfcK4iF0PVoVW2mava1YG8zFuby/A+Ps7ddQvu/EcaxP Y12QXtCP1jsB3+iJKAh7aQAh9h8aV6nuq4NZyFAHmao8iQo7qd9BMG451xTPDxn3 PoM2y5R0bXko+E4hWudpjel/JABm+nIV3R9il1QDantUI0aCqTDS9A== =7GPc -----END PGP SIGNATURE----- . Other versions of Excel, and other Office programs may be affected or act as attack vectors. Opening a specially crafted Excel document, including documents hosted on web sites or attached to email messages, could trigger the vulnerability. Office documents can contain embedded objects. For example, a malicious Excel document could be embedded in an Word or PowerPoint document. Office documents other than Excel documents could be used as attack vectors. If the user has administrative privileges, the attacker could gain complete control of the system. Solution At the time of writing, there is no complete solution available. Consider the following workarounds: Do not open untrusted Excel documents Do not open unfamiliar or unexpected Excel or other Office documents, including those received as email attachments or hosted on a web site. Please see Cyber Security Tip ST04-010 for more information. Do not rely on file extension filtering In most cases, Windows will call Excel to open a document even if the document has an unknown file extension. For example, if document.x1s (note the digit "1") contains the correct file header information, Windows will open document.x1s with Excel. ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-167A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff

Cross-site scripting (XSS) vulnerability in LogonProxy.cgi in Cisco Secure ACS for UNIX 2.3 allows remote attackers to inject arbitrary web script or HTML via the (1) error, (2) SSL, and (3) Ok parameters. This issue is due to a failure in the application to properly sanitize user-supplied input. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. This issue affects Cisco Secure ACS version 2.3 for UNIX; other versions may also be vulnerable. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. Input passed to specified parameters in LogonProxy.cgi is not properly sanitised before being returned to the user. SOLUTION: Apply patch. http://www.cisco.com/pcgi-bin/tablebuild.pl/cspatchunix-3des PROVIDED AND/OR DISCOVERED BY: The vendor credits Thomas Liam Romanis and Fujitsu Services Limited. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20060615-acs.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple cross-site scripting (XSS) vulnerabilities in the WebVPN feature in the Cisco VPN 3000 Series Concentrators and Cisco ASA 5500 Series Adaptive Security Appliances (ASA), when in WebVPN clientless mode, allow remote attackers to inject arbitrary web script or HTML via the domain parameter in (1) dnserror.html and (2) connecterror.html, aka bugid CSCsd81095 (VPN3k) and CSCse48193 (ASA). NOTE: the vendor states that "WebVPN full-network-access mode" is not affected, despite the claims by the original researcher. The issue is due to insufficient sanitization of HTML and script code from error messages that are displayed to users. This vulnerability could result in the execution of attacker-supplied HTML and script code in the session of a victim user. In the worst-case scenario, the attacker could gain unauthorized access to the VPN by stealing the WebVPN session cookie. Cisco tracks this issue as Bug IDs CSCsd81095 and CSCse48193. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. Input passed in the URL isn't properly sanitised before being returned to the user in the "dnserror.html" and the "connecterror.html" pages. Successful exploitation requires that clientless mode of the WebVPN feature is enabled. SOLUTION: Filter malicious characters and character sequences in a proxy or firewall with URL filtering capabilities. PROVIDED AND/OR DISCOVERED BY: The vendor credits Michal Zalewski and two other users. ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046708.html Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20060613-webvpn-xss.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

OpenBase SQL 10.0 and earlier, as used in Apple Xcode 2.2 2.2 and earlier and possibly other products, allows local users to create arbitrary files via a symlink attack on the simulation.sql file. Apple Xcode Used in etc. The OpenBase application shipped with Apple Xcode is prone to multiple privilege-escalation issues because the application fails to handle exceptional conditions when executing setuid programs. A local attacker can exploit these issues to gain superuser privileges. A successful exploit would lead to the complete compromise of affected computers. This issue affects Apple Xcode 2.2 and earlier versions. Xcode is the development tool used on Apple machines. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. The vulnerabilities are caused due to the inclusion of vulnerable versions of Binutils and OpenBase SQL. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: SpamAssassin "spamd" Shell Command Injection Vulnerability SECUNIA ADVISORY ID: SA20430 VERIFY ADVISORY: http://secunia.com/advisories/20430/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From local network SOFTWARE: SpamAssassin 3.x http://secunia.com/product/4506/ DESCRIPTION: A vulnerability has been reported in SpamAssassin, which can be exploited by malicious people to compromise a vulnerable system. Some unspecified input is not properly sanitised before being used. This can be exploited to inject arbitrary shell commands. Successful exploitation requires that spamd is used with the "--vpopmail" and "--paranoid" switches. The vulnerability has been reported in version 3.0.3. Other versions may also be affected. SOLUTION: Update to version 3.0.6 or 3.1.3. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------