VARIoT IoT vulnerabilities database

Unspecified vulnerability in Juniper Networks JUNOSe E-series routers before 7-1-1 has unknown impact and remote attack vectors related to the DNS "client code," as demonstrated by the OUSPG PROTOS DNS test suite. Numerous vulnerabilities have been reported in various Domain Name System (DNS) implementations. The impacts of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or cause a DNS implementation to behave in an unstable/unpredictable manner. Juniper JUNOSe is prone to a remote denial-of-service vulnerability. This issue is due to a failure in the application to properly handle DNS datagrams. An attacker can exploit this issue to crash the affected DNS client service, effectively denying service to legitimate users. Juniper Networks JunosE is an operating system of Juniper Networks (Juniper Networks) running on E series IP edge and broadband service routers. The PROTOS DNS test component developed by OUSPG for DNS implementation found in the test that if a specially crafted message is sent, JUNOSe will have a denial of service when responding to DNS. The vulnerability is caused due to unspecified errors within the handling of DNS responses. SOLUTION: The vulnerability has been fixed in JUNOSe versions 5-3-5p0-2, 6-0-3p0-6, 6-0-4, 6-1-3p0-1, 7-0-1p0-7, 7-0-2, 7-1-0p0-1, and 7-1-1. PROVIDED AND/OR DISCOVERED BY: Reported by vendor based on DNS Test Tool created by Oulu University Secure Programming Group. ORIGINAL ADVISORY: NISCC: http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Apple Mac OS X Safari 2.0.3, 1.3.1, and possibly other versions allows remote attackers to cause a denial of service (CPU consumption and crash) via a TD element with a large number in the rowspan attribute. Apple Mac OS X of Safari There is a service disruption (DoS) There are vulnerabilities that are put into a state.Service disruption by a third party (DoS) There is a possibility of being put into a state. Apple Safari web browser is prone to a denial-of-service vulnerability. An attacker can exploit this issue to consume excessive system resources and eventually crash an affected browser. Safari opening malicious HTML files may cause the operating system to slow down SRCOD (Spinning Rainbow Cursor Of Death), so that no application can be launched to kill the process. Safari will crash after a few minutes. TITLE: Safari "rowspan" Attribute Denial of Service Vulnerability SECUNIA ADVISORY ID: SA19763 VERIFY ADVISORY: http://secunia.com/advisories/19763/ CRITICAL: Not critical IMPACT: DoS WHERE: >From remote SOFTWARE: Safari 1.x http://secunia.com/product/1543/ Safari 2.x http://secunia.com/product/5289/ DESCRIPTION: Yannick von Arx has discovered a vulnerability in Safari, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the processing of "td" HTML tags with overly large values for the "rowspan" attribute. This can be exploited to consume a large amount of CPU and memory resources on a vulnerable system by tricking a user into visiting a malicious web site. Successful exploitation causes a vulnerable system to become unresponsive. The vulnerability has been confirmed in version 2.0.3 (417.9.2) and has also been reported in version 1.3.1 (312.3.1). Other versions may also be affected. SOLUTION: Do not visit untrusted web sites while working with unsaved sensitive information. PROVIDED AND/OR DISCOVERED BY: Yannick von Arx ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2006-April/045472.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Dnsmasq 2.29 allows remote attackers to cause a denial of service (application crash) via a DHCP client broadcast reply request. Dnsmasq is prone to a remote denial-of-service vulnerability. TITLE: Dnsmasq DHCP Broadcast Reply Denial of Service SECUNIA ADVISORY ID: SA19760 VERIFY ADVISORY: http://secunia.com/advisories/19760/ CRITICAL: Less critical IMPACT: DoS WHERE: >From local network SOFTWARE: Dnsmasq 2.x http://secunia.com/product/4837/ DESCRIPTION: A vulnerability has been reported in Dnsmasq, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the handling of certain requests from a DHCP client. The vulnerability has been reported in version 2.29. SOLUTION: Update to version 2.30. http://thekelleys.org.uk/dnsmasq/ PROVIDED AND/OR DISCOVERED BY: The vendor credits Sandra Dekkers. ORIGINAL ADVISORY: http://thekelleys.org.uk/dnsmasq/CHANGELOG ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Java InputMethods on Mac OS X 10.4.5 may cause InputMethods to send input events for secure fields to the wrong text field, which might reveal the password to others who can view the screen. Mac OS X is prone to a local security vulnerability

An unspecified Fortinet product, possibly Fortinet28, allows remote attackers to cause a denial of service via a "small synflood" to the SMTP port (TCP port 25), as demonstrated by a 10-microsecond wait between sending packets. NOTE: this issue has been disputed in followup posts that suggest that a protection feature is triggering a RST. Unspecified Fortinet Product has a service disruption (DoS) There are vulnerabilities that are put into a state.Service disruption by a third party (DoS) There is a possibility of being put into a state. Fortinet28 is prone to a denial-of-service vulnerability

Cisco IOS XR, when configured for Multi Protocol Label Switching (MPLS) and running on Cisco CRS-1 routers, allows remote attackers to cause a denial of service (Modular Services Cards (MSC) crash or "MPLS packet handling problems") via certain MPLS packets, as identified by Cisco bug IDs (1) CSCsd15970 and (2) CSCsd55531. Cisco IOS XR The denial of service (DoS) There is a vulnerability that can be exploited.Denial of service by third party (DoS) May be in a state. A successful attack results in a denial-of-service condition for traffic that is being switched on an affected Modular Services Card (MSC) or line card. A sustained denial-of-service condition can also arise from repeated attacks. Cisco IOS XR Software, a member of the Cisco IOS Software family, uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR runs on Cisco CRS-1 and Cisco 12000 series routers. MPLS packets are forwarded through the MPLS network, so the packets that trigger this vulnerability can be sent from remote systems in the MPLS network. Such packets cannot be received on interfaces that are not configured with MPLS. Successful exploitation requires that MPLS has been configured on the network device. SOLUTION: Apply patches (see patch matrix in vendor advisory). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20060419-xr.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple unspecified vulnerabilities in Linksys RT31P2 VoIP router allow remote attackers to cause a denial of service via malformed Session Initiation Protocol (SIP) messages. Linksys RT31P2 is a broadband router that supports VoIP phone functions. This issue allows remote attackers to crash affected devices, denying service to legitimate users. SOLUTION: The product has reportedly been discontinued. Filter traffic or use another product. PROVIDED AND/OR DISCOVERED BY: Peter Thermos and Guy Hadsall, Telcordia. ORIGINAL ADVISORY: US-CERT VU#621566: http://www.kb.cert.org/vuls/id/621566 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco CiscoWorks Wireless LAN Solution Engine (WLSE) and WLSE Express before 2.13, Hosting Solution Engine (HSE) and User Registration Tool (URT) before 20060419, and all versions of Ethernet Subscriber Solution Engine (ESSE) and CiscoWorks2000 Service Management Solution (SMS) allow local users to gain Linux shell access via shell metacharacters in arguments to the "show" command in the application's command line interface (CLI), aka bug ID CSCsd21502 (WLSE), CSCsd22861 (URT), and CSCsd22859 (HSE). NOTE: other issues might be addressed by the Cisco advisory. plural Cisco The product includes Linux A vulnerability exists that allows shell access to be obtained.By local users Linux Shell access may be obtained. Multiple Linux-based Cisco products are prone to a local privilege-escalation vulnerability. The applications fail to properly sanitize user-supplied input. This issue allows attackers with telnet or SSH access to affected devices to execute arbitrary shell commands with superuser privileges. This facilitates the complete compromise of affected devices. CiscoWorks WLSE is the centralized system-level application for managing and controlling the entire autonomous Cisco WLAN infrastructure. There is a vulnerability in the implementation of the CiscoWorks WLSE configuration management script. Attackers may exploit this vulnerability to obtain sensitive information. The \"displayMsg\" parameter in /wlse/configure/archive/archiveApplyDisplay.jsp in WLSE devices can lead to a cross-site scripting vulnerability. Attackers can exploit this vulnerability to steal JSP session cookies, and then combine it with other vulnerabilities to gain administrative-level access to the system. This is related to vulnerability #2 in: SA19736 SOLUTION: Apply fixes. Cisco URT: Update to version 2.5.5(A1) for the URT appliance. http://www.cisco.com/pcgi-bin/tablebuild.pl/urt-3des Cisco HSE: Apply HSE-PSIRT1 patch. However, Cisco encourages customers requiring a fix to open a service request through the Technical Support organization. TITLE: Cisco WLSE Privilege Escalation and Cross-Site Scripting SECUNIA ADVISORY ID: SA19736 VERIFY ADVISORY: http://secunia.com/advisories/19736/ CRITICAL: Less critical IMPACT: Cross Site Scripting, Privilege escalation WHERE: >From remote OPERATING SYSTEM: CiscoWorks Wireless LAN Solution Engine 2.x http://secunia.com/product/2187/ DESCRIPTION: Adam Pointon has reported two vulnerabilities in CiscoWorks Wireless LAN Solution Engine (WLSE), which can be exploited by malicious, local users to gain escalated privileges or by malicious people to conduct cross-site scripting attacks. 1) Input passed to the "displayMsg" parameter in "/wlse/configure/archive/archiveApplyDisplay.jsp" in the WLSE appliance web interface is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site. 2) Several errors in the "show" CLI application can be exploited to gain a shell account with root privileges from the command line interface. SOLUTION: Update to version 2.13 or later. http://www.cisco.com/pcgi-bin/tablebuild.pl/wlan-sol-eng PROVIDED AND/OR DISCOVERED BY: Adam Pointon, Assurance. The vendor also credits Mathieu Pepin for reporting the second vulnerability. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml http://www.cisco.com/warp/public/707/cisco-sr-20060419-priv.shtml Assurance: http://www.assurance.com.au/advisories/200604-cisco.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco IOS XR, when configured for Multi Protocol Label Switching (MPLS) and running on Cisco CRS-1 or Cisco 12000 series routers, allows remote attackers to cause a denial of service (Line card crash) via certain MPLS packets, as identified by Cisco bug ID CSCsc77475. Cisco IOS XR There is a service disruption (Line Card crash ) There are vulnerabilities that are put into a state.Service disruption by a third party (Line Card crash ) There is a possibility of being put into a state. A successful attack results in a denial-of-service condition for traffic that is being switched on an affected Modular Services Card (MSC) or line card. A sustained denial-of-service condition can also arise from repeated attacks. Cisco IOS XR Software, a member of the Cisco IOS Software family, uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR runs on Cisco CRS-1 and Cisco 12000 series routers. MPLS packets are forwarded through the MPLS network, so the packets that trigger this vulnerability can be sent from remote systems in the MPLS network. Such packets cannot be received on interfaces that are not configured with MPLS. Successful exploitation requires that MPLS has been configured on the network device. SOLUTION: Apply patches (see patch matrix in vendor advisory). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20060419-xr.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in the appliance web user interface in Cisco CiscoWorks Wireless LAN Solution Engine (WLSE) and WLSE Express before 2.13 allows remote attackers to inject arbitrary web script or HTML, possibly via the displayMsg parameter to archiveApplyDisplay.jsp, aka bug ID CSCsc01095. CiscoWorks Wireless LAN Solution Engine (WLSE) is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal JSP session cookie-based authentication credentials and launch other attacks. CiscoWorks WLSE is the centralized system-level application for managing and controlling the entire autonomous Cisco WLAN infrastructure. There is a vulnerability in the implementation of the CiscoWorks WLSE configuration management script. Attackers may exploit this vulnerability to obtain sensitive information. The "displayMsg" parameter in /wlse/configure/archive/archiveApplyDisplay.jsp in WLSE devices can lead to a cross-site scripting vulnerability. This is related to vulnerability #2 in: SA19736 SOLUTION: Apply fixes. Cisco URT: Update to version 2.5.5(A1) for the URT appliance. http://www.cisco.com/pcgi-bin/tablebuild.pl/urt-3des Cisco HSE: Apply HSE-PSIRT1 patch. 1) Input passed to the "displayMsg" parameter in "/wlse/configure/archive/archiveApplyDisplay.jsp" in the WLSE appliance web interface is not properly sanitised before being returned to users. 2) Several errors in the "show" CLI application can be exploited to gain a shell account with root privileges from the command line interface. SOLUTION: Update to version 2.13 or later. http://www.cisco.com/pcgi-bin/tablebuild.pl/wlan-sol-eng PROVIDED AND/OR DISCOVERED BY: Adam Pointon, Assurance. The vendor also credits Mathieu Pepin for reporting the second vulnerability. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml http://www.cisco.com/warp/public/707/cisco-sr-20060419-priv.shtml Assurance: http://www.assurance.com.au/advisories/200604-cisco.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Untrusted search path vulnerability in unspecified components in Symantec LiveUpdate for Macintosh 3.0.0 through 3.5.0 do not set the execution path, which allows local users to gain privileges via a Trojan horse program. Symantec LiveUpdate for Macintosh is prone to a local privilege-escalation vulnerability. This issue is due to the application's failure to properly use the PATH environment variable in some of its components. A successful exploit allows local attackers to gain superuser privileges, leading to a complete compromise of the affected computer. TITLE: Symantec LiveUpdate for Machintosh Privilege Escalation SECUNIA ADVISORY ID: SA19682 VERIFY ADVISORY: http://secunia.com/advisories/19682/ CRITICAL: Less critical IMPACT: Privilege escalation WHERE: Local system SOFTWARE: Symantec Norton Utilities for Macintosh 8.x http://secunia.com/product/5953/ Symantec Norton SystemWorks for Macintosh 3.x http://secunia.com/product/5952/ Symantec Norton Personal Firewall for Macintosh 3.x http://secunia.com/product/5950/ Symantec Norton Internet Security for Macintosh 3.x http://secunia.com/product/5951/ Symantec Norton AntiVirus for Macintosh 9.x http://secunia.com/product/5948/ Symantec Norton AntiVirus for Macintosh 10.x http://secunia.com/product/5949/ Symantec LiveUpdate for Macintosh 3.x http://secunia.com/product/5954/ DESCRIPTION: A vulnerability has been reported in Symantec LiveUpdate for Machintosh, which can be exploited by malicious, local users to gain escalated privileges. SOLUTION: Apply latest LiveUpdate patch. PROVIDED AND/OR DISCOVERED BY: The vendor credits DigitalMunition.com. ORIGINAL ADVISORY: http://securityresponse.symantec.com/avcenter/security/Content/2006.04.17b.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Microsoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626. Microsoft Internet Explorer is prone to address-bar spoofing. Attackers may exploit this via a malicious web page to spoof the contents of a page that the victim may trust. This vulnerability may be useful in phishing or other attacks that rely on content spoofing. TITLE: Internet Explorer Multiple Vulnerabilities SECUNIA ADVISORY ID: SA18957 VERIFY ADVISORY: http://secunia.com/advisories/18957/ CRITICAL: Highly critical IMPACT: Spoofing, System access, Cross Site Scripting WHERE: >From remote SOFTWARE: Microsoft Internet Explorer 5.5 http://secunia.com/product/10/ Microsoft Internet Explorer 5.01 http://secunia.com/product/9/ Microsoft Internet Explorer 6.x http://secunia.com/product/11/ DESCRIPTION: Multiple vulnerabilities have been reported in Internet Explorer, which can be exploited by malicious people to conduct cross-site scripting attacks, conduct phishing attacks, or compromise a user's system. 1) An error in the cross-domain restriction when accessing properties of certain dynamically created objects can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site via a JavaScript URI handler applied on a dynamically created "object" tag. 2) An error within the handling of multiple event handlers (e.g. onLoad) in an HTML element can be exploited to corrupt memory in a way that may allow execution of arbitrary code. 3) An error within the parsing of specially crafted, non-valid HTML can be exploited to corrupt memory in a way that allows execution of arbitrary code when a malicious HTML document is viewed. 4) An error within the instantiation of COM objects that are not intended to be instantiated in Internet Explorer can be exploited to corrupt memory in a way that allows execution of arbitrary code. 5) An error within the handling of HTML elements containing a specially crafted tag can be exploited to corrupt memory in a way that allows execution of arbitrary code. 6) An error within the handling of double-byte characters in specially crafted URLs can be exploited to corrupt memory in a way that allows execution of arbitrary code. Successful exploitation requires that the system uses double-byte character sets. 7) An error in the way IOleClientSite information is returned when an embedded object is dynamically created can be exploited to execute arbitrary code in context of another site or security zone. 8) An unspecified error can be exploited to spoof information displayed in the address bar and other parts of the trust UI. 9) Some unspecified vulnerabilities exist in the two ActiveX controls included with Danim.dll and Dxtmsft.dll. SOLUTION: Apply patches. Internet Explorer 5.01 SP4 on Windows 2000 SP4: http://www.microsoft.com/downloa...7B87-AF8F-4346-9164-596E3E5C22B1 Internet Explorer 6 SP1 on Windows 2000 SP4 or Windows XP SP1: http://www.microsoft.com/downloa...41E1-2B36-4696-987A-099FC57E0129 Internet Explorer 6 for Windows XP SP2: http://www.microsoft.com/downloa...FB31-E6B4-4771-81F1-4ACCEBF72133 Internet Explorer 6 for Windows Server 2003 and Windows Server 2003 SP1: http://www.microsoft.com/downloa...6871-D217-41D3-BECC-B27FAFA00054 Internet Explorer 6 for Windows Server 2003 for Itanium-based systems and Windows Server 2003 with SP1 for Itanium-based systems: http://www.microsoft.com/downloa...957C-0ABE-4129-ABAF-AA2852AD62A3 Internet Explorer 6 for Windows Server 2003 x64 Edition: http://www.microsoft.com/downloa...8BE3-39EE-4937-9BD1-280FC35125C6 Internet Explorer 6 for Windows XP Professional x64 Edition: http://www.microsoft.com/downloa...FE3E-620A-4BBC-868B-CA2D9EFF7AC3 Internet Explorer 6 SP1 on Windows 98, Windows 98 SE, or Windows ME: Patches are available via the Microsoft Update Web site or the Windows Update Web site. PROVIDED AND/OR DISCOVERED BY: 1) Discovered by anonymous person. 2) Michal Zalewski 3) The vendor credits Jan P. Monsch, Compass Security Network Computing. 4) The vendor credits Richard M. Smith, Boston Software Forensics. 5) The vendor credits Thomas Waldegger. 6) The vendor credits Sowhat, Nevis Labs. 7) The vendor credits Heiko Schultze, SAP. 9) The vendor credits Will Dormann, CERT/CC. ORIGINAL ADVISORY: MS06-013 (KB912812): http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in _vti_bin/_vti_adm/fpadmdll.dll in Microsoft FrontPage Server Extensions 2002 and SharePoint Team Services allows remote attackers to inject arbitrary web script or HTML, then leverage the attack to execute arbitrary programs or create new accounts, via the (1) operation, (2) command, and (3) name parameters. Microsoft FrontPage Server Extensions are prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before it is rendered to other users. An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user, with the privileges of the victim userâ??s account. This may help the attacker steal cookie-based authentication credentials and launch other attacks. SOLUTION: Apply patches. FrontPage Server Extensions 2002 (Windows Server 2003 and Windows Server 2003 SP1): http://www.microsoft.com/downloads/details.aspx?FamilyId=5C03F85A-5228-47FB-A338-90FA23818E08 FrontPage Server Extensions 2002 (Windows Server 2003 for Itanium-based systems and Windows Server 2003 with SP1 for Itanium-based systems): http://www.microsoft.com/downloads/details.aspx?FamilyId=59F15A6B-CC1B-43D5-A007-BFC9ABB63486 FrontPage Server Extensions 2002 (x64 Edition) downloaded and installed on Windows Server 2003 x64 Edition and Windows XP Pro x64 Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=F453530D-7063-49AB-B304-9C455DE6D8DA FrontPage Server Extensions 2002 (x86 Editions) downloaded and installed on Windows Server 2000 SP4, Windows XP SP1, and Windows XP SP2: http://www.microsoft.com/downloads/details.aspx?FamilyId=F453530D-7063-49AB-B304-9C455DE6D8DA Microsoft SharePoint Team Services: http://www.microsoft.com/downloads/details.aspx?FamilyId=EEE40662-39E6-4C07-8241-1AC4F5D24FFC PROVIDED AND/OR DISCOVERED BY: The vendor credits Esteban Mart\xednez Fay\xf3. ORIGINAL ADVISORY: MS06-017 (KB917627): http://www.microsoft.com/technet/security/Bulletin/MS06-017.mspx ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Control cards for Cisco Optical Networking System (ONS) 15000 series nodes before 20060405 allow remote attackers to cause a denial of service (memory exhaustion and possibly card reset) by sending an invalid response when the final ACK is expected, aka bug ID CSCei45910. Cisco Optical Networking System (ONS) The denial of service (DoS) There is a vulnerability that can be exploited.Denial of service by third party (DoS) May be in a state. The response, which is also known as bug ID CSCei45910. Cisco Optical Networking System and Transport Controller are prone to multiple vulnerabilities. Cisco Optical Networking System 15000 series are affected by multiple denial-of-service vulnerabilities. Cisco Transport Controller is prone to an arbitrary code-execution vulnerability. 1) Multiple services are vulnerable to ACK DoS attacks where an invalid response is sent instead of the final ACK packet during the 3-way handshake. This can be exploited to cause the control cards to exhaust memory resources, not respond to further connections, or reset by establishing multiple of these connections. Successful exploitation requires that IP is configured on the LAN interface (enabled by default). 2) An error within the processing of IP packets can be exploited to reset the control cards by sending a specially crafted IP packet. Successful exploitation requires that IP is configured on the LAN interface (enabled by default) and secure mode for element management system (EMS)-to-network-element access is enabled (disabled by default). 3) Another error within the processing of IP packets can be exploited to reset the control cards by sending a specially crafted IP packet. Successful exploitation requires that IP is configured on the LAN interface (enabled by default). 4) An error within the processing of OSPF (Open Shortest Path First) packets can be exploited to reset the control cards by sending a specially crafted OSPF packet. Successful exploitation requires that the OSPF routing protocol is configured on the LAN interface (disabled by default). Successful exploitation of the above vulnerabilities (#1 through #4) requires that the Optical node has the Common Control Card connected to a DCN (Data Communication Network) and is enabled for IPv4. The above vulnerabilities (#1 through #4) affect the following Cisco ONS 15000 series platforms: * Cisco ONS 15310-CL Series * Cisco ONS 15327 Series * Cisco ONS 15454 MSPP * Cisco ONS 15454 MSTP * Cisco ONS 15600 Series The following Cisco ONS 15000 series platforms are not affected by the vulnerabilities: * Cisco ONS 15100 Series * Cisco ONS 15200 Series * Cisco ONS 15302, ONS 15305, and ONS 15310-MA platforms * Cisco ONS 15500 Series * Cisco ONS 15800 Series 5) A vulnerability exists within the Cisco Transport Controller (CTC) applet launcher, which is downloaded each time a management connection is made to the Optical node. The vulnerability is caused due to the java.policy permissions being to broad by granting all permissions to any software originating from the codeBase or source at http://*/fs/LAUNCHER.jar. This can be exploited to execute arbitrary code on the CTC workstation if it is used to connect to a malicious web site running Java code from the "/fs/LAUNCHER.jar" location. The vulnerability affects versions 4.0.x and prior. SOLUTION: 1-4) Updated versions are available (see patch matrix in vendor advisory). PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060405-ons.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the HTTP compression functionality in Cisco CSS 11500 Series Content Services switches allows remote attackers to cause a denial of service (device reload) via (1) "valid, but obsolete" or (2) "specially crafted" HTTP requests. The Cisco CSS 11500 Content Services Switch is a load balancing device that provides robust and scalable network services (Layer 4-7) for data centers.  The Cisco CSS 11500 has a vulnerability in processing HTTP packets. Successful exploitation of this vulnerability can lead to device reloads and repeated attacks can lead to persistent denial of service. A successful attack can allow an attacker to trigger a reload on the device. A sustained denial-of-service condition can also arise due to repeated attacks. Successful exploitation requires that the network device has been configured for HTTP compression. SOLUTION: Update to version 8.10.1.6. http://www.cisco.com/pcgi-bin/tablebuild.pl/css11500-maint?psrtdcat20e2 Disable HTTP compression. PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060405-css.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The installation of Cisco Transport Controller (CTC) for Cisco Optical Networking System (ONS) 15000 series nodes adds a Java policy file entry with a wildcard that grants the java.security.AllPermission permission to any http URL containing "fs/LAUNCHER.jar", which allows remote attackers to execute arbitrary code on a CTC workstation, aka bug ID CSCea25049. Cisco Optical Networking System and Transport Controller are prone to multiple vulnerabilities. Cisco Optical Networking System 15000 series are affected by multiple denial-of-service vulnerabilities. Cisco Transport Controller is prone to an arbitrary code-execution vulnerability. This java file has java. 1) Multiple services are vulnerable to ACK DoS attacks where an invalid response is sent instead of the final ACK packet during the 3-way handshake. This can be exploited to cause the control cards to exhaust memory resources, not respond to further connections, or reset by establishing multiple of these connections. Successful exploitation requires that IP is configured on the LAN interface (enabled by default). 2) An error within the processing of IP packets can be exploited to reset the control cards by sending a specially crafted IP packet. Successful exploitation requires that IP is configured on the LAN interface (enabled by default) and secure mode for element management system (EMS)-to-network-element access is enabled (disabled by default). 3) Another error within the processing of IP packets can be exploited to reset the control cards by sending a specially crafted IP packet. Successful exploitation requires that IP is configured on the LAN interface (enabled by default). 4) An error within the processing of OSPF (Open Shortest Path First) packets can be exploited to reset the control cards by sending a specially crafted OSPF packet. Successful exploitation requires that the OSPF routing protocol is configured on the LAN interface (disabled by default). Successful exploitation of the above vulnerabilities (#1 through #4) requires that the Optical node has the Common Control Card connected to a DCN (Data Communication Network) and is enabled for IPv4. The above vulnerabilities (#1 through #4) affect the following Cisco ONS 15000 series platforms: * Cisco ONS 15310-CL Series * Cisco ONS 15327 Series * Cisco ONS 15454 MSPP * Cisco ONS 15454 MSTP * Cisco ONS 15600 Series The following Cisco ONS 15000 series platforms are not affected by the vulnerabilities: * Cisco ONS 15100 Series * Cisco ONS 15200 Series * Cisco ONS 15302, ONS 15305, and ONS 15310-MA platforms * Cisco ONS 15500 Series * Cisco ONS 15800 Series 5) A vulnerability exists within the Cisco Transport Controller (CTC) applet launcher, which is downloaded each time a management connection is made to the Optical node. The vulnerability is caused due to the java.policy permissions being to broad by granting all permissions to any software originating from the codeBase or source at http://*/fs/LAUNCHER.jar. The vulnerability affects versions 4.0.x and prior. SOLUTION: 1-4) Updated versions are available (see patch matrix in vendor advisory). PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060405-ons.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Control cards for Cisco Optical Networking System (ONS) 15000 series nodes before 20060405 allow remote attackers to cause a denial of service (card reset) via (1) a "crafted" IP packet to a device with secure mode EMS-to-network-element access, aka bug ID CSCsc51390; (2) a "crafted" IP packet to a device with IP on the LAN interface, aka bug ID CSCsd04168; and (3) a "malformed" OSPF packet, aka bug ID CSCsc54558. Cisco Optical Networking System (ONS) In Denial of service ( Card reset ) There is a vulnerability that can be exploited.Denial of service by third party ( Card reset ) May be in a state. Cisco Optical Networking System and Transport Controller are prone to multiple vulnerabilities. Cisco Optical Networking System 15000 series are affected by multiple denial-of-service vulnerabilities. Cisco Transport Controller is prone to an arbitrary code-execution vulnerability. 1) Multiple services are vulnerable to ACK DoS attacks where an invalid response is sent instead of the final ACK packet during the 3-way handshake. This can be exploited to cause the control cards to exhaust memory resources, not respond to further connections, or reset by establishing multiple of these connections. Successful exploitation requires that IP is configured on the LAN interface (enabled by default). 2) An error within the processing of IP packets can be exploited to reset the control cards by sending a specially crafted IP packet. Successful exploitation requires that IP is configured on the LAN interface (enabled by default) and secure mode for element management system (EMS)-to-network-element access is enabled (disabled by default). 3) Another error within the processing of IP packets can be exploited to reset the control cards by sending a specially crafted IP packet. Successful exploitation requires that IP is configured on the LAN interface (enabled by default). 4) An error within the processing of OSPF (Open Shortest Path First) packets can be exploited to reset the control cards by sending a specially crafted OSPF packet. Successful exploitation requires that the OSPF routing protocol is configured on the LAN interface (disabled by default). Successful exploitation of the above vulnerabilities (#1 through #4) requires that the Optical node has the Common Control Card connected to a DCN (Data Communication Network) and is enabled for IPv4. The above vulnerabilities (#1 through #4) affect the following Cisco ONS 15000 series platforms: * Cisco ONS 15310-CL Series * Cisco ONS 15327 Series * Cisco ONS 15454 MSPP * Cisco ONS 15454 MSTP * Cisco ONS 15600 Series The following Cisco ONS 15000 series platforms are not affected by the vulnerabilities: * Cisco ONS 15100 Series * Cisco ONS 15200 Series * Cisco ONS 15302, ONS 15305, and ONS 15310-MA platforms * Cisco ONS 15500 Series * Cisco ONS 15800 Series 5) A vulnerability exists within the Cisco Transport Controller (CTC) applet launcher, which is downloaded each time a management connection is made to the Optical node. The vulnerability is caused due to the java.policy permissions being to broad by granting all permissions to any software originating from the codeBase or source at http://*/fs/LAUNCHER.jar. This can be exploited to execute arbitrary code on the CTC workstation if it is used to connect to a malicious web site running Java code from the "/fs/LAUNCHER.jar" location. The vulnerability affects versions 4.0.x and prior. SOLUTION: 1-4) Updated versions are available (see patch matrix in vendor advisory). PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060405-ons.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Directory traversal vulnerability in the HP Color LaserJet 2500 Toolbox and Color LaserJet 4600 Toolbox on Microsoft Windows before 20060402 allows remote attackers to read arbitrary files via a .. (dot dot) in an HTTP GET request to TCP port 5225. This issue is due to a failure in the application to properly sanitize user-supplied input. An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the affected application. Information obtained may aid attackers in further attacks. The vulnerability is caused due to an input validation error in the built-in HTTP server. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks. Example: http://[host]:5225/../../../[file] SOLUTION: Update to version 3.1. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Mac OS X before 10.4.6, when running on an Intel-based computer, allows attackers with physical access to bypass the firmware password and log on in Single User Mode via unspecified vectors. Mac OS X running on Intel-based Macintosh computers is prone to an authentication-bypass vulnerability. SOLUTION: Update to version 10.4.6. http://www.apple.com/support/downloads/ PROVIDED AND/OR DISCOVERED BY: The vendor credits David Pugh, University of Michigan. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=303567 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Hitachi XFIT/S, XFIT/S/JCA, XFIT/S/ZGN, and XFIT/S ZENGIN TCP/IP Procedure allows remote attackers to cause a denial of service (server process and transfer control process stop) when the products "receive data unexpectedly". There are unknown vulnerabilities in Hitachi XFIT / S, XFIT / S / JCA, XFIT / S / ZGN, and XFIT / S ZENGIN TCP / IP. (The server process and the transmission control process stop). XFIT/S is prone to a denial-of-service vulnerability. The vulnerability presents itself when the application receives data unexpectedly. Due to a lack of details, further information cannot be provided at the moment. This BID will be updated when more details become available