VARIoT IoT vulnerabilities database
VAR-200604-0552 | CVE-2006-2078 | Multiple vulnerabilities in DNS implementations |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Multiple unspecified vulnerabilities in multiple FITELnet products, including FITELnet-F40, F80, F100, F120, F1000, and E20/E30, allow remote attackers to cause a denial of service via crafted DNS messages that trigger errors in (1) ProxyDNS or (2) PKI-Resolver, as demonstrated by the OUSPG PROTOS DNS test suite. Numerous vulnerabilities have been reported in various Domain Name System (DNS) implementations. The impacts of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or cause a DNS implementation to behave in an unstable/unpredictable manner. There are unexplained vulnerabilities in multiple FITELnet products, including FITELnet-F40, F80, F100, F120, F1000 and E20/E30.
Consequences of these vulnerabilities are currently unknown, but remote code execution or denial-of-service attacks may be possible.
This BID will be updated as further information is disclosed.
TITLE:
FITELnet Products DNS Handling Vulnerability
SECUNIA ADVISORY ID:
SA19820
VERIFY ADVISORY:
http://secunia.com/advisories/19820/
CRITICAL:
Moderately critical
IMPACT:
Unknown
WHERE:
>From remote
OPERATING SYSTEM:
FITELnet-E Series
http://secunia.com/product/9600/
FITELnet-F Series
http://secunia.com/product/9599/
MUCHO-EV/PK
http://secunia.com/product/9601/
DESCRIPTION:
A vulnerability with unknown impact has been reported in various
FITELnet products.
The vulnerability is caused due to unspecified errors in ProxyDNS and
PKI-Resolver when handling certain malformed DNS packets.
The vulnerability has been reported in the following products:
FITELnet-F40
FITELnet-F80
FITELnet-F100
FITELnet-F120
FITELnet-F1000
FITELnet-E20/E30
MUCHO-EV/PK
SOLUTION:
The vendor is reportedly working on a fix.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor based on DNS Test Tool created by Oulu University
Secure Programming Group.
ORIGINAL ADVISORY:
http://www.furukawa.co.jp/fitelnet/topic/dns2_attacks.html
NISCC:
http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0559 | CVE-2006-2086 | Juniper Networks IVE client ActiveX control buffer overflow |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in JuniperSetupDLL.dll, loaded from JuniperSetup.ocx by the Juniper SSL-VPN Client when accessing a Juniper NetScreen IVE device running IVE OS before 4.2r8.1, 5.0 before 5.0r6.1, 5.1 before 5.1r8, 5.2 before 5.2r4.1, or 5.3 before 5.3r2.1, allows remote attackers to execute arbitrary code via a long argument in the ProductName parameter. Juniper SSL-VPN Client ActiveX control is prone to a buffer-overflow vulnerability. The software fails to perform sufficient bounds-checking of user-supplied input before copying it to an insufficiently sized memory buffer.
Invoking the object from a malicious website may trigger the condition. If the vulnerability were successfully exploited, this would corrupt process memory, resulting in arbitrary code execution. Juniper's SSL VPN series products can provide users with secure remote access services. JuniperSetupDLL.dll is loaded from the JuniperSetup.ocx ActiveX control. If the following super long string is specified in the ProductName parameter, a stack overflow will be triggered in the JuniperSetupDLL.dll function: --- object classid=\"clsid: E5F5D008-DD2C-4D32-977D-1A0ADF03058B\" id= NeoterisSetup codebase=\"path_to_JuniperSetup.cab#version=1,0,0,3\" > ..... ---PARAM NAME=\"ProductName\" VALUE=\"AAAAAAA (long \'\'A\ '\')\" > ..... script language=javascript NeoterisSetup.startSession(); end script The vulnerable function is as follows: .text: 04F15783 ; int __stdcall sub_4F15783_ilvdlp(char *szProductName, LPCSTR lpValueName, LPBYTE lpData, LPDWORD lpcbData) .text: 04F15783 sub_4F15783_ilvdlp proc near .text: 04F15783 .text: 04F15783 SubKey = byte ptr -10Ch .text: 04F15783 Type = dword ptr -8 .text: 04F15783 hKey = dword ptr -4 ... This
can be exploited to cause a stack-based buffer overflow when the
control is instantiated with an overly long "ProductName" parameter. tricked into visiting a malicious web site.
The vulnerability has been reported in versions 1.x through 5.x.
SOLUTION:
Update to IVE software version 5.3r2.1, 5.2r4.1, 5.1r8, 5.0r6.1, or
4.2r8.1.
PROVIDED AND/OR DISCOVERED BY:
Yuji Ukai, eEye Digital Security.
ORIGINAL ADVISORY:
eEye Digital Security:
http://www.eeye.com/html/research/advisories/AD20060424.html
Juniper Networks:
http://www.juniper.net/support/security/alerts/PSN-2006-03-013.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0487 | CVE-2006-2043 | IP3 Networks NetAccess NA75 Multiple Local Vulnerabilities |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 allows local users to gain Unix shell access via "`" (backtick) characters in the appliance's command line interface (CLI). IP3 Networks NetAccess NA75 devices are susceptible to multiple local vulnerabilities:
- A command-injection vulnerability due to insufficient input-sanitization of user-supplied commands. This issue allows attackers to execute arbitrary shell commands in the underlying UNIX-based operating system.
- An encrypted-password information-disclosure vulnerability. This issue may aid attackers in brute-force password-guessing attacks.
- An insecure default-permissions vulnerability. This issue allows attackers to access or corrupt potentially sensitive information.
These issues are present in version 4.0.34 of the device's firmware; other versions may also be affected.
TITLE:
IP3 Networks NA75 SQL Injection Vulnerability and Weaknesses
SECUNIA ADVISORY ID:
SA19818
VERIFY ADVISORY:
http://secunia.com/advisories/19818/
CRITICAL:
Less critical
IMPACT:
Security Bypass, Manipulation of data, Exposure of sensitive
information, Privilege escalation
WHERE:
>From local network
OPERATING SYSTEM:
IP3 Networks NA75
http://secunia.com/product/9602/
DESCRIPTION:
Ralph Moonen has reported a vulnerability and some weaknesses in IP3
Networks NA75, which can be exploited by malicious, local users to
potentially gain escalated privileges and disclose or manipulate
sensitive information, or by malicious people to conduct SQL
injection attacks.
1) Some input passed in the web interface is not properly sanitised
before being used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
Example:
* The password field during login.
3) The shadow password file has world-readable permissions, which can
be exploited to disclose other users' encrypted passwords.
4) The database file is stored with world-readable and world-writable
permissions.
SOLUTION:
Apply patch available from the vendor.
http://www.ip3.com/supportoverview.htm
PROVIDED AND/OR DISCOVERED BY:
Ralph Moonen
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0574 | CVE-2006-2072 | DeleGate DNS Response Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Multiple unspecified vulnerabilities in DeleGate 9.x before 9.0.6 and 8.x before 8.11.6 allow remote attackers to cause a denial of service via crafted DNS responses messages that cause (1) a buffer over-read or (2) infinite recursion, which can trigger a segmentation fault or invalid memory access, as demonstrated by the OUSPG PROTOS DNS test suite. Numerous vulnerabilities have been reported in various Domain Name System (DNS) implementations. The impacts of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or cause a DNS implementation to behave in an unstable/unpredictable manner. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ In multiple products DNS For protocol implementation, DNS There are deficiencies due to protocol specifications, and certain DNS There are problems that cause memory area corruption and buffer overflow when packets are processed. Depending on the product implementation, the impact will vary, but if exploited by a remote attacker, DNS A service that processes packets or an application may go out of service. The discoverer also suggests the possibility of arbitrary code execution.Please refer to the “Overview” for the impact of this vulnerability. There are several unexplained vulnerabilities in the 9.x series prior to DeleGate 9.0.6 and the 8.x series prior to 8.11.6.
The vendor has addressed this issue in versions 8.11.6 and 9.0.6; earlier versions are vulnerable. ISC BIND is prone to a remote denial-of-service vulnerability. This issue is due to a failure in the application to properly handle malformed TSIG (Secret Key Transaction Authentication for DNS) replies.
To exploit this issue, attackers must be able to send messages with a correct TSIG during a zone transfer. This limits the potential for remote exploits significantly.
An attacker can exploit this issue to crash the affected service, effectively denying service to legitimate users.
TITLE:
DeleGate DNS Query Handling Denial of Service
SECUNIA ADVISORY ID:
SA19750
VERIFY ADVISORY:
http://secunia.com/advisories/19750/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
>From remote
SOFTWARE:
DeleGate 8.x
http://secunia.com/product/1237/
DESCRIPTION:
A vulnerability has been reported in DeleGate, which can be exploited
by malicious people to cause a DoS (Denial of Service). This can lead to out-of-bounds memory
accesses and infinite recursive function calls, which causes the
process to stop responding to requests.
The vulnerability has been reported in version 8.11.5 and prior
(stable), and in version 9.0.5 and prior (development).
SOLUTION:
Update to version 8.11.6 or later.
http://www.delegate.org/delegate/download/
The vulnerability has also been fixed in development version 9.0.6.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor based on DNS Test Tool created by Oulu University
Secure Programming Group.
ORIGINAL ADVISORY:
NISCC:
http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0489 | CVE-2006-2045 | IP3 Networks NetAccess NA75 Information disclosure vulnerability |
CVSS V2: 3.6 CVSS V3: - Severity: LOW |
The (1) shadow password file in na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 has world readable permissions, which allows local users to view encrypted passwords; and the (2) NetAccess database file has world readable and writable permissions, which allows local users to view sensitive information and modify data. IP3 Networks NetAccess NA75 devices are susceptible to multiple local vulnerabilities:
- A command-injection vulnerability due to insufficient input-sanitization of user-supplied commands. This issue allows attackers to execute arbitrary shell commands in the underlying UNIX-based operating system.
- An encrypted-password information-disclosure vulnerability. This issue may aid attackers in brute-force password-guessing attacks.
- An insecure default-permissions vulnerability. This issue allows attackers to access or corrupt potentially sensitive information.
These issues are present in version 4.0.34 of the device's firmware; other versions may also be affected.
TITLE:
IP3 Networks NA75 SQL Injection Vulnerability and Weaknesses
SECUNIA ADVISORY ID:
SA19818
VERIFY ADVISORY:
http://secunia.com/advisories/19818/
CRITICAL:
Less critical
IMPACT:
Security Bypass, Manipulation of data, Exposure of sensitive
information, Privilege escalation
WHERE:
>From local network
OPERATING SYSTEM:
IP3 Networks NA75
http://secunia.com/product/9602/
DESCRIPTION:
Ralph Moonen has reported a vulnerability and some weaknesses in IP3
Networks NA75, which can be exploited by malicious, local users to
potentially gain escalated privileges and disclose or manipulate
sensitive information, or by malicious people to conduct SQL
injection attacks.
1) Some input passed in the web interface is not properly sanitised
before being used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
Example:
* The password field during login.
2) Some input validation errors in the command line interface can be
exploited to inject arbitrary shell commands via the "`" backtick
character.
4) The database file is stored with world-readable and world-writable
permissions.
SOLUTION:
Apply patch available from the vendor.
http://www.ip3.com/supportoverview.htm
PROVIDED AND/OR DISCOVERED BY:
Ralph Moonen
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0488 | CVE-2006-2044 | IP3 Networks NetAccess NA75 Multiple Local Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 has a default username of admin and a default password of admin. IP3 Networks NetAccess NA75 devices are susceptible to multiple local vulnerabilities:
- A command-injection vulnerability due to insufficient input-sanitization of user-supplied commands. This issue allows attackers to execute arbitrary shell commands in the underlying UNIX-based operating system.
- An encrypted-password information-disclosure vulnerability. This issue may aid attackers in brute-force password-guessing attacks.
- An insecure default-permissions vulnerability. This issue allows attackers to access or corrupt potentially sensitive information.
These issues are present in version 4.0.34 of the device's firmware; other versions may also be affected.
TITLE:
IP3 Networks NA75 SQL Injection Vulnerability and Weaknesses
SECUNIA ADVISORY ID:
SA19818
VERIFY ADVISORY:
http://secunia.com/advisories/19818/
CRITICAL:
Less critical
IMPACT:
Security Bypass, Manipulation of data, Exposure of sensitive
information, Privilege escalation
WHERE:
>From local network
OPERATING SYSTEM:
IP3 Networks NA75
http://secunia.com/product/9602/
DESCRIPTION:
Ralph Moonen has reported a vulnerability and some weaknesses in IP3
Networks NA75, which can be exploited by malicious, local users to
potentially gain escalated privileges and disclose or manipulate
sensitive information, or by malicious people to conduct SQL
injection attacks.
1) Some input passed in the web interface is not properly sanitised
before being used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
Example:
* The password field during login.
2) Some input validation errors in the command line interface can be
exploited to inject arbitrary shell commands via the "`" backtick
character.
3) The shadow password file has world-readable permissions, which can
be exploited to disclose other users' encrypted passwords.
4) The database file is stored with world-readable and world-writable
permissions.
SOLUTION:
Apply patch available from the vendor.
http://www.ip3.com/supportoverview.htm
PROVIDED AND/OR DISCOVERED BY:
Ralph Moonen
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0576 | CVE-2006-2074 | Multiple vulnerabilities in DNS implementations |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Juniper Networks JUNOSe E-series routers before 7-1-1 has unknown impact and remote attack vectors related to the DNS "client code," as demonstrated by the OUSPG PROTOS DNS test suite. Numerous vulnerabilities have been reported in various Domain Name System (DNS) implementations. The impacts of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or cause a DNS implementation to behave in an unstable/unpredictable manner. Juniper JUNOSe is prone to a remote denial-of-service vulnerability. This issue is due to a failure in the application to properly handle DNS datagrams.
An attacker can exploit this issue to crash the affected DNS client service, effectively denying service to legitimate users. Juniper Networks JunosE is an operating system of Juniper Networks (Juniper Networks) running on E series IP edge and broadband service routers. The PROTOS DNS test component developed by OUSPG for DNS implementation found in the test that if a specially crafted message is sent, JUNOSe will have a denial of service when responding to DNS.
The vulnerability is caused due to unspecified errors within the
handling of DNS responses.
SOLUTION:
The vulnerability has been fixed in JUNOSe versions 5-3-5p0-2,
6-0-3p0-6, 6-0-4, 6-1-3p0-1, 7-0-1p0-7, 7-0-2, 7-1-0p0-1, and 7-1-1.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor based on DNS Test Tool created by Oulu University
Secure Programming Group.
ORIGINAL ADVISORY:
NISCC:
http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0537 | CVE-2006-2019 | Apple Safari Web Browser Rowspan Denial Of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Apple Mac OS X Safari 2.0.3, 1.3.1, and possibly other versions allows remote attackers to cause a denial of service (CPU consumption and crash) via a TD element with a large number in the rowspan attribute. Apple Mac OS X of Safari There is a service disruption (DoS) There are vulnerabilities that are put into a state.Service disruption by a third party (DoS) There is a possibility of being put into a state. Apple Safari web browser is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to consume excessive system resources and eventually crash an affected browser. Safari opening malicious HTML files may cause the operating system to slow down SRCOD (Spinning Rainbow Cursor Of Death), so that no application can be launched to kill the process. Safari will crash after a few minutes.
TITLE:
Safari "rowspan" Attribute Denial of Service Vulnerability
SECUNIA ADVISORY ID:
SA19763
VERIFY ADVISORY:
http://secunia.com/advisories/19763/
CRITICAL:
Not critical
IMPACT:
DoS
WHERE:
>From remote
SOFTWARE:
Safari 1.x
http://secunia.com/product/1543/
Safari 2.x
http://secunia.com/product/5289/
DESCRIPTION:
Yannick von Arx has discovered a vulnerability in Safari, which can
be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error in the processing of "td"
HTML tags with overly large values for the "rowspan" attribute. This
can be exploited to consume a large amount of CPU and memory
resources on a vulnerable system by tricking a user into visiting a
malicious web site.
Successful exploitation causes a vulnerable system to become
unresponsive.
The vulnerability has been confirmed in version 2.0.3 (417.9.2) and
has also been reported in version 1.3.1 (312.3.1). Other versions may
also be affected.
SOLUTION:
Do not visit untrusted web sites while working with unsaved sensitive
information.
PROVIDED AND/OR DISCOVERED BY:
Yannick von Arx
ORIGINAL ADVISORY:
http://lists.grok.org.uk/pipermail/full-disclosure/2006-April/045472.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0535 | CVE-2006-2017 | DNSmasq Broadcast Reply Denial Of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Dnsmasq 2.29 allows remote attackers to cause a denial of service (application crash) via a DHCP client broadcast reply request. Dnsmasq is prone to a remote denial-of-service vulnerability.
TITLE:
Dnsmasq DHCP Broadcast Reply Denial of Service
SECUNIA ADVISORY ID:
SA19760
VERIFY ADVISORY:
http://secunia.com/advisories/19760/
CRITICAL:
Less critical
IMPACT:
DoS
WHERE:
>From local network
SOFTWARE:
Dnsmasq 2.x
http://secunia.com/product/4837/
DESCRIPTION:
A vulnerability has been reported in Dnsmasq, which potentially can
be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error within the handling of
certain requests from a DHCP client.
The vulnerability has been reported in version 2.29.
SOLUTION:
Update to version 2.30.
http://thekelleys.org.uk/dnsmasq/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Sandra Dekkers.
ORIGINAL ADVISORY:
http://thekelleys.org.uk/dnsmasq/CHANGELOG
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0347 | CVE-2006-1981 | Mac OS X Java InputMethods Unknown vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Unspecified vulnerability in Java InputMethods on Mac OS X 10.4.5 may cause InputMethods to send input events for secure fields to the wrong text field, which might reveal the password to others who can view the screen. Mac OS X is prone to a local security vulnerability
VAR-200604-0332 | CVE-2006-1966 | Unspecified Fortinet Service disruption in products (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
An unspecified Fortinet product, possibly Fortinet28, allows remote attackers to cause a denial of service via a "small synflood" to the SMTP port (TCP port 25), as demonstrated by a 10-microsecond wait between sending packets. NOTE: this issue has been disputed in followup posts that suggest that a protection feature is triggering a RST. Unspecified Fortinet Product has a service disruption (DoS) There are vulnerabilities that are put into a state.Service disruption by a third party (DoS) There is a possibility of being put into a state. Fortinet28 is prone to a denial-of-service vulnerability
VAR-200604-0324 | CVE-2006-1928 | Cisco IOS XR MPLS Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS XR, when configured for Multi Protocol Label Switching (MPLS) and running on Cisco CRS-1 routers, allows remote attackers to cause a denial of service (Modular Services Cards (MSC) crash or "MPLS packet handling problems") via certain MPLS packets, as identified by Cisco bug IDs (1) CSCsd15970 and (2) CSCsd55531. Cisco IOS XR The denial of service (DoS) There is a vulnerability that can be exploited.Denial of service by third party (DoS) May be in a state.
A successful attack results in a denial-of-service condition for traffic that is being switched on an affected Modular Services Card (MSC) or line card.
A sustained denial-of-service condition can also arise from repeated attacks. Cisco IOS XR Software, a member of the Cisco IOS Software family, uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR runs on Cisco CRS-1 and Cisco 12000 series routers. MPLS packets are forwarded through the MPLS network, so the packets that trigger this vulnerability can be sent from remote systems in the MPLS network. Such packets cannot be received on interfaces that are not configured with MPLS.
Successful exploitation requires that MPLS has been configured on the
network device.
SOLUTION:
Apply patches (see patch matrix in vendor advisory).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20060419-xr.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0339 | CVE-2006-1973 | Linksys RT31P2 VoIP router denial of service vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Multiple unspecified vulnerabilities in Linksys RT31P2 VoIP router allow remote attackers to cause a denial of service via malformed Session Initiation Protocol (SIP) messages. Linksys RT31P2 is a broadband router that supports VoIP phone functions.
This issue allows remote attackers to crash affected devices, denying service to legitimate users.
SOLUTION:
The product has reportedly been discontinued.
Filter traffic or use another product.
PROVIDED AND/OR DISCOVERED BY:
Peter Thermos and Guy Hadsall, Telcordia.
ORIGINAL ADVISORY:
US-CERT VU#621566:
http://www.kb.cert.org/vuls/id/621566
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0267 | CVE-2006-1961 | plural Cisco In product Linux Vulnerability gained shell access |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco CiscoWorks Wireless LAN Solution Engine (WLSE) and WLSE Express before 2.13, Hosting Solution Engine (HSE) and User Registration Tool (URT) before 20060419, and all versions of Ethernet Subscriber Solution Engine (ESSE) and CiscoWorks2000 Service Management Solution (SMS) allow local users to gain Linux shell access via shell metacharacters in arguments to the "show" command in the application's command line interface (CLI), aka bug ID CSCsd21502 (WLSE), CSCsd22861 (URT), and CSCsd22859 (HSE). NOTE: other issues might be addressed by the Cisco advisory. plural Cisco The product includes Linux A vulnerability exists that allows shell access to be obtained.By local users Linux Shell access may be obtained. Multiple Linux-based Cisco products are prone to a local privilege-escalation vulnerability. The applications fail to properly sanitize user-supplied input.
This issue allows attackers with telnet or SSH access to affected devices to execute arbitrary shell commands with superuser privileges. This facilitates the complete compromise of affected devices. CiscoWorks WLSE is the centralized system-level application for managing and controlling the entire autonomous Cisco WLAN infrastructure. There is a vulnerability in the implementation of the CiscoWorks WLSE configuration management script. Attackers may exploit this vulnerability to obtain sensitive information. The \"displayMsg\" parameter in /wlse/configure/archive/archiveApplyDisplay.jsp in WLSE devices can lead to a cross-site scripting vulnerability. Attackers can exploit this vulnerability to steal JSP session cookies, and then combine it with other vulnerabilities to gain administrative-level access to the system.
This is related to vulnerability #2 in:
SA19736
SOLUTION:
Apply fixes.
Cisco URT:
Update to version 2.5.5(A1) for the URT appliance.
http://www.cisco.com/pcgi-bin/tablebuild.pl/urt-3des
Cisco HSE:
Apply HSE-PSIRT1 patch. However, Cisco encourages customers requiring a
fix to open a service request through the Technical Support
organization.
TITLE:
Cisco WLSE Privilege Escalation and Cross-Site Scripting
SECUNIA ADVISORY ID:
SA19736
VERIFY ADVISORY:
http://secunia.com/advisories/19736/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting, Privilege escalation
WHERE:
>From remote
OPERATING SYSTEM:
CiscoWorks Wireless LAN Solution Engine 2.x
http://secunia.com/product/2187/
DESCRIPTION:
Adam Pointon has reported two vulnerabilities in CiscoWorks Wireless
LAN Solution Engine (WLSE), which can be exploited by malicious,
local users to gain escalated privileges or by malicious people to
conduct cross-site scripting attacks.
1) Input passed to the "displayMsg" parameter in
"/wlse/configure/archive/archiveApplyDisplay.jsp" in the WLSE
appliance web interface is not properly sanitised before being
returned to users. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of a
vulnerable site.
2) Several errors in the "show" CLI application can be exploited to
gain a shell account with root privileges from the command line
interface.
SOLUTION:
Update to version 2.13 or later.
http://www.cisco.com/pcgi-bin/tablebuild.pl/wlan-sol-eng
PROVIDED AND/OR DISCOVERED BY:
Adam Pointon, Assurance.
The vendor also credits Mathieu Pepin for reporting the second
vulnerability.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml
http://www.cisco.com/warp/public/707/cisco-sr-20060419-priv.shtml
Assurance:
http://www.assurance.com.au/advisories/200604-cisco.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0323 | CVE-2006-1927 | Cisco IOS XR MPLS Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS XR, when configured for Multi Protocol Label Switching (MPLS) and running on Cisco CRS-1 or Cisco 12000 series routers, allows remote attackers to cause a denial of service (Line card crash) via certain MPLS packets, as identified by Cisco bug ID CSCsc77475. Cisco IOS XR There is a service disruption (Line Card crash ) There are vulnerabilities that are put into a state.Service disruption by a third party (Line Card crash ) There is a possibility of being put into a state.
A successful attack results in a denial-of-service condition for traffic that is being switched on an affected Modular Services Card (MSC) or line card.
A sustained denial-of-service condition can also arise from repeated attacks. Cisco IOS XR Software, a member of the Cisco IOS Software family, uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR runs on Cisco CRS-1 and Cisco 12000 series routers. MPLS packets are forwarded through the MPLS network, so the packets that trigger this vulnerability can be sent from remote systems in the MPLS network. Such packets cannot be received on interfaces that are not configured with MPLS.
Successful exploitation requires that MPLS has been configured on the
network device.
SOLUTION:
Apply patches (see patch matrix in vendor advisory).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20060419-xr.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0266 | CVE-2006-1960 | Cisco WLSE archiveApplyDisplay.jsp Cross-site scripting vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the appliance web user interface in Cisco CiscoWorks Wireless LAN Solution Engine (WLSE) and WLSE Express before 2.13 allows remote attackers to inject arbitrary web script or HTML, possibly via the displayMsg parameter to archiveApplyDisplay.jsp, aka bug ID CSCsc01095. CiscoWorks Wireless LAN Solution Engine (WLSE) is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal JSP session cookie-based authentication credentials and launch other attacks. CiscoWorks WLSE is the centralized system-level application for managing and controlling the entire autonomous Cisco WLAN infrastructure. There is a vulnerability in the implementation of the CiscoWorks WLSE configuration management script. Attackers may exploit this vulnerability to obtain sensitive information. The "displayMsg" parameter in /wlse/configure/archive/archiveApplyDisplay.jsp in WLSE devices can lead to a cross-site scripting vulnerability.
This is related to vulnerability #2 in:
SA19736
SOLUTION:
Apply fixes.
Cisco URT:
Update to version 2.5.5(A1) for the URT appliance.
http://www.cisco.com/pcgi-bin/tablebuild.pl/urt-3des
Cisco HSE:
Apply HSE-PSIRT1 patch.
1) Input passed to the "displayMsg" parameter in
"/wlse/configure/archive/archiveApplyDisplay.jsp" in the WLSE
appliance web interface is not properly sanitised before being
returned to users.
2) Several errors in the "show" CLI application can be exploited to
gain a shell account with root privileges from the command line
interface.
SOLUTION:
Update to version 2.13 or later.
http://www.cisco.com/pcgi-bin/tablebuild.pl/wlan-sol-eng
PROVIDED AND/OR DISCOVERED BY:
Adam Pointon, Assurance.
The vendor also credits Mathieu Pepin for reporting the second
vulnerability.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml
http://www.cisco.com/warp/public/707/cisco-sr-20060419-priv.shtml
Assurance:
http://www.assurance.com.au/advisories/200604-cisco.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0363 | CVE-2006-1836 | Symantec LiveUpdate for Macintosh Local privilege elevation vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Untrusted search path vulnerability in unspecified components in Symantec LiveUpdate for Macintosh 3.0.0 through 3.5.0 do not set the execution path, which allows local users to gain privileges via a Trojan horse program. Symantec LiveUpdate for Macintosh is prone to a local privilege-escalation vulnerability. This issue is due to the application's failure to properly use the PATH environment variable in some of its components.
A successful exploit allows local attackers to gain superuser privileges, leading to a complete compromise of the affected computer.
TITLE:
Symantec LiveUpdate for Machintosh Privilege Escalation
SECUNIA ADVISORY ID:
SA19682
VERIFY ADVISORY:
http://secunia.com/advisories/19682/
CRITICAL:
Less critical
IMPACT:
Privilege escalation
WHERE:
Local system
SOFTWARE:
Symantec Norton Utilities for Macintosh 8.x
http://secunia.com/product/5953/
Symantec Norton SystemWorks for Macintosh 3.x
http://secunia.com/product/5952/
Symantec Norton Personal Firewall for Macintosh 3.x
http://secunia.com/product/5950/
Symantec Norton Internet Security for Macintosh 3.x
http://secunia.com/product/5951/
Symantec Norton AntiVirus for Macintosh 9.x
http://secunia.com/product/5948/
Symantec Norton AntiVirus for Macintosh 10.x
http://secunia.com/product/5949/
Symantec LiveUpdate for Macintosh 3.x
http://secunia.com/product/5954/
DESCRIPTION:
A vulnerability has been reported in Symantec LiveUpdate for
Machintosh, which can be exploited by malicious, local users to gain
escalated privileges.
SOLUTION:
Apply latest LiveUpdate patch.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits DigitalMunition.com.
ORIGINAL ADVISORY:
http://securityresponse.symantec.com/avcenter/security/Content/2006.04.17b.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0205 | CVE-2006-1192 | Microsoft Internet Explorer Vulnerable to address bar spoofing |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
Microsoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626. Microsoft Internet Explorer is prone to address-bar spoofing. Attackers may exploit this via a malicious web page to spoof the contents of a page that the victim may trust. This vulnerability may be useful in phishing or other attacks that rely on content spoofing.
TITLE:
Internet Explorer Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA18957
VERIFY ADVISORY:
http://secunia.com/advisories/18957/
CRITICAL:
Highly critical
IMPACT:
Spoofing, System access, Cross Site Scripting
WHERE:
>From remote
SOFTWARE:
Microsoft Internet Explorer 5.5
http://secunia.com/product/10/
Microsoft Internet Explorer 5.01
http://secunia.com/product/9/
Microsoft Internet Explorer 6.x
http://secunia.com/product/11/
DESCRIPTION:
Multiple vulnerabilities have been reported in Internet Explorer,
which can be exploited by malicious people to conduct cross-site
scripting attacks, conduct phishing attacks, or compromise a user's
system.
1) An error in the cross-domain restriction when accessing properties
of certain dynamically created objects can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an arbitrary site via a JavaScript URI handler applied on a
dynamically created "object" tag.
2) An error within the handling of multiple event handlers (e.g.
onLoad) in an HTML element can be exploited to corrupt memory in a
way that may allow execution of arbitrary code.
3) An error within the parsing of specially crafted, non-valid HTML
can be exploited to corrupt memory in a way that allows execution of
arbitrary code when a malicious HTML document is viewed.
4) An error within the instantiation of COM objects that are not
intended to be instantiated in Internet Explorer can be exploited to
corrupt memory in a way that allows execution of arbitrary code.
5) An error within the handling of HTML elements containing a
specially crafted tag can be exploited to corrupt memory in a way
that allows execution of arbitrary code.
6) An error within the handling of double-byte characters in
specially crafted URLs can be exploited to corrupt memory in a way
that allows execution of arbitrary code.
Successful exploitation requires that the system uses double-byte
character sets.
7) An error in the way IOleClientSite information is returned when an
embedded object is dynamically created can be exploited to execute
arbitrary code in context of another site or security zone.
8) An unspecified error can be exploited to spoof information
displayed in the address bar and other parts of the trust UI.
9) Some unspecified vulnerabilities exist in the two ActiveX controls
included with Danim.dll and Dxtmsft.dll.
SOLUTION:
Apply patches.
Internet Explorer 5.01 SP4 on Windows 2000 SP4:
http://www.microsoft.com/downloa...7B87-AF8F-4346-9164-596E3E5C22B1
Internet Explorer 6 SP1 on Windows 2000 SP4 or Windows XP SP1:
http://www.microsoft.com/downloa...41E1-2B36-4696-987A-099FC57E0129
Internet Explorer 6 for Windows XP SP2:
http://www.microsoft.com/downloa...FB31-E6B4-4771-81F1-4ACCEBF72133
Internet Explorer 6 for Windows Server 2003 and Windows Server 2003
SP1:
http://www.microsoft.com/downloa...6871-D217-41D3-BECC-B27FAFA00054
Internet Explorer 6 for Windows Server 2003 for Itanium-based systems
and Windows Server 2003 with SP1 for Itanium-based systems:
http://www.microsoft.com/downloa...957C-0ABE-4129-ABAF-AA2852AD62A3
Internet Explorer 6 for Windows Server 2003 x64 Edition:
http://www.microsoft.com/downloa...8BE3-39EE-4937-9BD1-280FC35125C6
Internet Explorer 6 for Windows XP Professional x64 Edition:
http://www.microsoft.com/downloa...FE3E-620A-4BBC-868B-CA2D9EFF7AC3
Internet Explorer 6 SP1 on Windows 98, Windows 98 SE, or Windows ME:
Patches are available via the Microsoft Update Web site or the
Windows Update Web site.
PROVIDED AND/OR DISCOVERED BY:
1) Discovered by anonymous person.
2) Michal Zalewski
3) The vendor credits Jan P. Monsch, Compass Security Network
Computing.
4) The vendor credits Richard M. Smith, Boston Software Forensics.
5) The vendor credits Thomas Waldegger.
6) The vendor credits Sowhat, Nevis Labs.
7) The vendor credits Heiko Schultze, SAP.
9) The vendor credits Will Dormann, CERT/CC.
ORIGINAL ADVISORY:
MS06-013 (KB912812):
http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0199 | CVE-2006-0015 | Microsoft Internet Information Services of FPSE Vulnerable to cross-site scripting |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in _vti_bin/_vti_adm/fpadmdll.dll in Microsoft FrontPage Server Extensions 2002 and SharePoint Team Services allows remote attackers to inject arbitrary web script or HTML, then leverage the attack to execute arbitrary programs or create new accounts, via the (1) operation, (2) command, and (3) name parameters. Microsoft FrontPage Server Extensions are prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before it is rendered to other users.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user, with the privileges of the victim userâ??s account. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
SOLUTION:
Apply patches.
FrontPage Server Extensions 2002 (Windows Server 2003 and Windows
Server 2003 SP1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=5C03F85A-5228-47FB-A338-90FA23818E08
FrontPage Server Extensions 2002 (Windows Server 2003 for
Itanium-based systems and Windows Server 2003 with SP1 for
Itanium-based systems):
http://www.microsoft.com/downloads/details.aspx?FamilyId=59F15A6B-CC1B-43D5-A007-BFC9ABB63486
FrontPage Server Extensions 2002 (x64 Edition) downloaded and
installed on Windows Server 2003 x64 Edition and Windows XP Pro x64
Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=F453530D-7063-49AB-B304-9C455DE6D8DA
FrontPage Server Extensions 2002 (x86 Editions) downloaded and
installed on Windows Server 2000 SP4, Windows XP SP1, and Windows XP
SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=F453530D-7063-49AB-B304-9C455DE6D8DA
Microsoft SharePoint Team Services:
http://www.microsoft.com/downloads/details.aspx?FamilyId=EEE40662-39E6-4C07-8241-1AC4F5D24FFC
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Esteban Mart\xednez Fay\xf3.
ORIGINAL ADVISORY:
MS06-017 (KB917627):
http://www.microsoft.com/technet/security/Bulletin/MS06-017.mspx
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200604-0097 | CVE-2006-1670 | Cisco Optical Networking System Denial of service in Japan (DoS) Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Control cards for Cisco Optical Networking System (ONS) 15000 series nodes before 20060405 allow remote attackers to cause a denial of service (memory exhaustion and possibly card reset) by sending an invalid response when the final ACK is expected, aka bug ID CSCei45910. Cisco Optical Networking System (ONS) The denial of service (DoS) There is a vulnerability that can be exploited.Denial of service by third party (DoS) May be in a state. The response, which is also known as bug ID CSCei45910. Cisco Optical Networking System and Transport Controller are prone to multiple vulnerabilities.
Cisco Optical Networking System 15000 series are affected by multiple denial-of-service vulnerabilities.
Cisco Transport Controller is prone to an arbitrary code-execution vulnerability.
1) Multiple services are vulnerable to ACK DoS attacks where an
invalid response is sent instead of the final ACK packet during the
3-way handshake. This can be exploited to cause the control cards to
exhaust memory resources, not respond to further connections, or
reset by establishing multiple of these connections.
Successful exploitation requires that IP is configured on the LAN
interface (enabled by default).
2) An error within the processing of IP packets can be exploited to
reset the control cards by sending a specially crafted IP packet.
Successful exploitation requires that IP is configured on the LAN
interface (enabled by default) and secure mode for element management
system (EMS)-to-network-element access is enabled (disabled by
default).
3) Another error within the processing of IP packets can be exploited
to reset the control cards by sending a specially crafted IP packet.
Successful exploitation requires that IP is configured on the LAN
interface (enabled by default).
4) An error within the processing of OSPF (Open Shortest Path First)
packets can be exploited to reset the control cards by sending a
specially crafted OSPF packet.
Successful exploitation requires that the OSPF routing protocol is
configured on the LAN interface (disabled by default).
Successful exploitation of the above vulnerabilities (#1 through #4)
requires that the Optical node has the Common Control Card connected
to a DCN (Data Communication Network) and is enabled for IPv4.
The above vulnerabilities (#1 through #4) affect the following Cisco
ONS 15000 series platforms:
* Cisco ONS 15310-CL Series
* Cisco ONS 15327 Series
* Cisco ONS 15454 MSPP
* Cisco ONS 15454 MSTP
* Cisco ONS 15600 Series
The following Cisco ONS 15000 series platforms are not affected by
the vulnerabilities:
* Cisco ONS 15100 Series
* Cisco ONS 15200 Series
* Cisco ONS 15302, ONS 15305, and ONS 15310-MA platforms
* Cisco ONS 15500 Series
* Cisco ONS 15800 Series
5) A vulnerability exists within the Cisco Transport Controller (CTC)
applet launcher, which is downloaded each time a management connection
is made to the Optical node. The vulnerability is caused due to the
java.policy permissions being to broad by granting all permissions to
any software originating from the codeBase or source at
http://*/fs/LAUNCHER.jar.
This can be exploited to execute arbitrary code on the CTC
workstation if it is used to connect to a malicious web site running
Java code from the "/fs/LAUNCHER.jar" location.
The vulnerability affects versions 4.0.x and prior.
SOLUTION:
1-4) Updated versions are available (see patch matrix in vendor
advisory).
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20060405-ons.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------