VARIoT IoT vulnerabilities database


VAR-200505-1087 CVE-2005-0974 Apple Mac OS X Kernel NFS Mount Denial Of Service Vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Unknown vulnerability in the nfs_mount call in Mac OS X 10.3.9 and earlier allows local users to gain privileges via crafted arguments. This issue exists in the kernel NFS mount functionality and may permit a local attacker to crash the vulnerable computer. It should be noted that this issue was previously reported in BID 13203 (Apple Mac OS X Kernel Multiple Local Privilege Escalation And Denial Of Service Vulnerabilities); it has been assigned its own BID.
VAR-200505-0526 CVE-2005-0969 Apple Mac OS X Kernel Syscall Emulation Buffer Overflow Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Heap-based buffer overflow in the syscall emulation functionality in Mac OS X before 10.3.9 allows local users to cause a denial of service (kernel panic) and possibly execute arbitrary code via crafted parameters. A heap-based buffer overflow vulnerability affects Apple Mac OS X. This issue is due to a failure of the application to securely manage user-supplied data when copying it into sensitive memory space while handling syscall emulation functionality. An attacker may leverage this issue to cause a denial of service condition and potentially execute code with kernel-level privileges. It should be noted that this issue was previously reported in BID 13203 (Apple Mac OS X Kernel Multiple Local Privilege Escalation And Denial Of Service Vulnerabilities); it has been assigned its own BID.
VAR-200505-1086 CVE-2005-0973 Apple Mac OS X Kernel Setsockopt Local Denial Of Service Vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Unknown vulnerability in the setsockopt system call in Mac OS X 10.3.9 and earlier allows local users to cause a denial of service (memory exhaustion) via crafted arguments. The vendor reports that the kernel 'setsockopt()' function fails to properly validate user-supplied arguments. This issue may allow a local attacker to exhaust computer memory and ultimately trigger a denial of service condition.
VAR-200505-1084 CVE-2005-0971 Apple Mac OS X Kernel Semop Local Stack Buffer Overflow Vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Stack-based buffer overflow in the semop system call in Mac OS X 10.3.9 and earlier allows local users to gain privileges via crafted arguments. A kernel stack overflow exists in the 'semop()' system call of the Apple Mac OS X kernel. This is due to a failure of the affected function to properly handle certain user-supplied arguments. Exploitation of this issue will facilitate code execution with kernel-level (ring 0) privileges. It should be noted that this issue was previously reported in BID 13203 (Apple Mac OS X Kernel Multiple Local Privilege Escalation And Denial Of Service Vulnerabilities); it has been assigned its own BID.
VAR-200504-0063 CVE-2005-1043 PHP exif.c EXIF Header Denial of Service (DoS) Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
exif.c in PHP before 4.3.11 allows remote attackers to cause a denial of service (memory consumption and crash) via an EXIF header with a large IFD nesting level, which causes significant stack recursion.

------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------

PHP 4 and later, when compiled with the --enable-exif option, supports EXIF (an image file standard for digital cameras). With it, PHP can read the IFD (Image File Directory) tags contained in the EXIF header of JPEG/TIFF images produced by digital cameras (information such as image size and type, compression method, color information and copyright). The EXIF module (exif.c) included in PHP 4.3.10 and earlier and in PHP 5.0.3 and earlier has security issues due to inadequate handling of specific IFD tags contained in an image file. Note that EXIF support is not enabled by default in the PHP distributed by the PHP Group, but some Linux distributions, such as Red Hat Enterprise Linux, ship a PHP package with EXIF support enabled. In addition to the above issues, PHP 4.3.11/5.0.4 fix multiple other security issues (such as CAN-2005-0524 and CAN-2005-0525) and bugs, and the PHP Group strongly recommends updating to PHP 4.3.11/5.0.4. Please refer to the "Overview" for the impact of this vulnerability.

PHP is prone to a denial of service vulnerability. This issue could manifest itself in Web applications that allow users to upload images. PHP is a server-side scripting language designed to be embedded in HTML files and can run on Windows, Linux and many Unix operating systems.
VAR-200504-0129 No CVE Multiple Debugger Malicious Code Execution Vulnerabilities CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Microsoft Visual C++, Microsoft WinDbg, and OllyDbg are very popular debuggers. An access validation vulnerability exists in the implementation of these debuggers, which allows the user of the debugger to execute arbitrary code on the host. The cause is that the affected application cannot ensure that the code being examined runs in a restricted environment. If an unsuspecting user attempts to debug an attacker-provided executable, the malicious code in a library it contains is run in an uncontrolled manner in the debugger's environment. This vulnerability allows a remote attacker to execute arbitrary code in the environment of the user running the debugger. Because users expect a debugger to contain the code it inspects, even very careful users can be affected. Other debuggers are also likely affected, as the underlying operating system design makes it very difficult to avoid this vulnerability.
VAR-200505-0999 CVE-2005-1059 Linksys WET11 Password Update Remote Authentication Bypass Vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Linksys WET11 1.5.4 allows remote attackers to change the password without providing the original password via the data parameter to changepw.html.

A remote authentication bypass vulnerability affects Linksys WET11. This issue is due to a failure of the application to validate authentication credentials when processing password change requests. An attacker may leverage this issue to arbitrarily change the administration password of an affected device, facilitating a complete compromise of the device.

----------------------------------------------------------------------
Want a new IT Security job?
Vacant positions at Secunia: http://secunia.com/secunia_vacancies/
----------------------------------------------------------------------

TITLE: Linksys WET11 Password Change Security Bypass Vulnerability
SECUNIA ADVISORY ID: SA14871
VERIFY ADVISORY: http://secunia.com/advisories/14871/
CRITICAL: Moderately critical
IMPACT: Security Bypass
WHERE: From local network
OPERATING SYSTEM: Linksys WET11 http://secunia.com/product/645/

DESCRIPTION: Kristian Hermansen has reported a vulnerability in Linksys WET11, which can be exploited by malicious people to bypass certain security restrictions. This can be exploited to set a blank password and gain access to the device.

Example: http://[victim]/changepw.html?data=........................

NOTE: In version 1.5.4, successful exploitation requires that a user has logged in recently. The vulnerability has been reported in version 1.5.4. Other versions may also be affected.

SOLUTION: Restrict access to the administrative web interface.

PROVIDED AND/OR DISCOVERED BY: Kristian Hermansen

----------------------------------------------------------------------
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200505-1047 CVE-2005-0996 PHP-Nuke Downloads SQL Injection vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Multiple SQL injection vulnerabilities in the Downloads module for PHP-Nuke 7.6 allow remote attackers to inject arbitrary web script or HTML via (1) the email or url parameters in the Add function, (2) the min parameter in the viewsdownload function, or (3) the min parameter in the search function. The PHP-Nuke Downloads module is reportedly affected by multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation. These issues are reported to affect PHP-Nuke version 7.6; earlier versions may also be affected.
VAR-200505-1048 CVE-2005-0997 PHP-Nuke Web_Links Multiple SQL Injection vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Multiple SQL injection vulnerabilities in the Web_Links module for PHP-Nuke 7.6 allow remote attackers to execute arbitrary SQL commands via (1) the email or url parameters in the Add function, (2) the url parameter in the modifylinkrequestS function, (3) the orderby or min parameters in the viewlink function, (4) the orderby, min, or show parameters in the search function, or (5) the ratenum parameter in the MostPopular function. The Web_Links module of PHP-Nuke is affected by multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation. These issues are reported to affect PHP-Nuke version 7.6; earlier versions may also be affected.
VAR-200505-0997 CVE-2005-1057 Cisco IOS Easy VPN Server fails to properly process ISAKMP profile attributes

Related entries in the VARIoT exploits database: VAR-E-200504-0453
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco IOS 12.2T, 12.3 and 12.3T, when using Easy VPN Server XAUTH version 6 authentication, allows remote attackers to bypass authentication via a "malformed packet".

------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------

XAUTH (eXtended authentication), an extension of IKE (Internet Key Exchange), is used for authentication with VPN clients. To take advantage of the XAUTH authentication bypass issue (BID 13031), however, the attacker needs to know the shared group key in order to complete the IKE Phase 1 negotiation. 2) If a specific ISAKMP profile attribute is set but not processed properly, a deadlock condition occurs in the communication between the VPN server and its clients. (BID 13033) The deadlock condition usually clears over time, but if a malicious client initiates a Phase 2 negotiation during this time, an IPSec SA (Security Association) may be established. Note that only ISAKMP profiles that use certificate map matching are affected. A remote attacker who exploits these issues could gain unauthorized access to network resources. Please refer to the "Overview" for the impact of this vulnerability.

Cisco IOS is the Internet operating system used by Cisco network equipment.

TITLE: Cisco IOS IKE XAUTH Implementation Security Bypass Vulnerabilities
SECUNIA ADVISORY ID: SA14853
VERIFY ADVISORY: http://secunia.com/advisories/14853/
CRITICAL: Moderately critical
IMPACT: Security Bypass
WHERE: From remote
OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/product/50/ ; Cisco IOS 12.x http://secunia.com/product/182/

DESCRIPTION: Two vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to bypass certain security restrictions.

SOLUTION: See patch matrix in the vendor advisory for information about fixes. http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml#software

PROVIDED AND/OR DISCOVERED BY: Reported by vendor.

ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml
VAR-200505-1050 CVE-2005-0999 PHP-Nuke Top SQL Injection vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
SQL injection vulnerability in the Top module for PHP-Nuke 6.x through 7.6 allows remote attackers to execute arbitrary SQL commands via the querylang parameter. PHP-Nuke is prone to an SQL injection vulnerability. This issue arises due to insufficient sanitization of user-supplied input. This issue may allow a remote attacker to manipulate query logic, potentially leading to unauthorized access to sensitive information such as the administrator password hash or corruption of database data. SQL injection attacks may also potentially be used to exploit latent vulnerabilities in the underlying database implementation.
VAR-200505-1071 CVE-2005-1020 Cisco IOS Secure Shell Server V2 Remote Denial Of Service Vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Secure Shell (SSH) 2 in Cisco IOS 12.0 through 12.3 allows remote attackers to cause a denial of service (device reload) (1) via a username that contains a domain name when using a TACACS+ server to authenticate, (2) when a new SSH session is in the login phase and a currently logged in user issues a send command, or (3) when IOS is logging messages and an SSH session is terminated while the server is sending data.

------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------

SSH (Secure Shell) is a protocol that allows a secure remote connection to a device. SSH protocol versions 1 and 2 exist, and the SSH protocol version supported differs between Cisco IOS versions. TACACS (Terminal Access Controller Access Control System), an authentication protocol used for remote login authentication, and its extension TACACS+ are supported as AAA (Authentication, Authorization and Accounting) methods. The SSH server included in Cisco IOS 12.0/12.1/12.2/12.3-based releases has two problems that may prevent it from providing service under certain circumstances. 1) When an IOS device is configured as an SSH server with SSH version 2 support, the device reloads when any of the following events occur. This problem affects both SSH version 1 and 2, and in the case of version 2 the memory leak occurs even if login is successful. (BID 13042) A remote attacker who exploits these issues can put the target device into a denial of service condition by intentionally repeating the above events. Note that problems 1-1) and 2) may not apply if RADIUS is used as the authentication method or users are authenticated against a local user database. This has been reported by Cisco Systems. Please refer to the "Overview" for the impact of this vulnerability.

Cisco IOS is reported prone to a remote denial of service vulnerability. It is noted that the vulnerability only affects SSHv2; SSHv1 is not affected.

1) An error when acting as an SSH v2 server for remote management and authenticating against a TACACS+ server can be exploited to cause a vulnerable device to reload.

SOLUTION: See patch matrix in the vendor advisory for information about fixes. http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml#software

PROVIDED AND/OR DISCOVERED BY: Reported by vendor.

ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml
VAR-200505-1072 CVE-2005-1021 Cisco IOS Secure Shell Server Memory Leak Denial Of Service Vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Memory leak in Secure Shell (SSH) in Cisco IOS 12.0 through 12.3, when authenticating against a TACACS+ server, allows remote attackers to cause a denial of service (memory consumption) via an incorrect username or password.

------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------

SSH (Secure Shell) is a protocol that allows a secure remote connection to a device. SSH protocol versions 1 and 2 exist, and the SSH protocol version supported differs between Cisco IOS versions. TACACS (Terminal Access Controller Access Control System), an authentication protocol used for remote login authentication, and its extension TACACS+ are supported as AAA (Authentication, Authorization and Accounting) methods. The SSH server included in Cisco IOS 12.0/12.1/12.2/12.3-based releases has two problems that may prevent it from providing service under certain circumstances.

1) When an IOS device is configured as an SSH server with SSH version 2 support, the device reloads when any of the following events occur (BID 13043):
1-1) when configured to authenticate users with a TACACS+ server, a login is attempted with a user name that includes a domain name;
1-2) while a new SSH session is in the authentication phase, another logged-in user uses the send command;
1-3) message logging is directed to an already established SSH session, and the SSH session to that IOS device ends while the SSH server is sending data to the client.
2) When configured to authenticate users with a TACACS+ server, a memory leak occurs if login fails due to an incorrect username or password. This problem affects both SSH version 1 and 2, and in the case of version 2 the memory leak occurs even if login is successful. (BID 13042)

A remote attacker who exploits these issues can put the target device into a denial of service condition by intentionally repeating the above events. Note that problems 1-1) and 2) may not apply if RADIUS is used as the authentication method or users are authenticated against a local user database. This has been reported by Cisco Systems. Please refer to the "Overview" for the impact of this vulnerability.

This condition is the result of a memory leak that may be triggered by remote clients under some circumstances. If the memory leak is triggered repeatedly, this could exhaust resources on the device, resulting in a reload of the device and persistent denial of service.

1) An error when acting as an SSH v2 server for remote management and authenticating against a TACACS+ server can be exploited to cause a vulnerable device to reload.

SOLUTION: See patch matrix in the vendor advisory for information about fixes. http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml#software

PROVIDED AND/OR DISCOVERED BY: Reported by vendor.

ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml
VAR-200505-0998 CVE-2005-1058 Cisco IOS Easy VPN Server fails to properly process ISAKMP profile attributes

Related entries in the VARIoT exploits database: VAR-E-200504-0253
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco IOS 12.2T, 12.3 and 12.3T, when processing an ISAKMP profile that specifies XAUTH authentication after Phase 1 negotiation, may not process certain attributes in the ISAKMP profile that specifies XAUTH, which allows remote attackers to bypass XAUTH and move to Phase 2 negotiations.

------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------

Cisco IOS implements Easy VPN Server, software that enables remote users to communicate securely with a Cisco IOS VPN gateway using IPSec. XAUTH (eXtended authentication), an extension of IKE (Internet Key Exchange), is used for authentication with VPN clients. The Easy VPN Server implemented in Cisco IOS 12.2/12.3-based releases has several security issues: 1) A specific Internet Key Exchange (IKE) XAUTH message sent to UDP port 500 allows the wrong client to pass XAUTH authentication. (BID 13031) To take advantage of this issue, however, the attacker needs to know the shared group key in order to complete the IKE Phase 1 negotiation. 2) If a specific ISAKMP profile attribute is set but not processed properly, a deadlock condition occurs in the communication between the VPN server and its clients. (BID 13033) The deadlock condition usually clears over time, but if a malicious client initiates a Phase 2 negotiation during this time, an IPSec SA (Security Association) may be established. Note that only ISAKMP profiles that use certificate map matching are affected. A remote attacker who exploits these issues could gain unauthorized access to network resources. Please refer to the "Overview" for the impact of this vulnerability.

The vulnerability occurs in a case where attributes in an ISAKMP profile that have been assigned to a remote peer are not processed.

Cisco IOS is the Internet operating system used by Cisco network equipment.

TITLE: Cisco IOS IKE XAUTH Implementation Security Bypass Vulnerabilities
SECUNIA ADVISORY ID: SA14853
VERIFY ADVISORY: http://secunia.com/advisories/14853/
CRITICAL: Moderately critical
IMPACT: Security Bypass
WHERE: From remote
OPERATING SYSTEM: Cisco IOS R12.x http://secunia.com/product/50/ ; Cisco IOS 12.x http://secunia.com/product/182/

DESCRIPTION: Two vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to bypass certain security restrictions.

SOLUTION: See patch matrix in the vendor advisory for information about fixes. http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml#software

PROVIDED AND/OR DISCOVERED BY: Reported by vendor.

ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml
VAR-200505-1053 CVE-2005-1002 Logics Software LOG-FT Remote File Leak Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
logwebftbs2000.exe in Logics Software File Transfer (LOG-FT) allows remote attackers to read arbitrary files via modified (1) VAR_FT_LANG and (2) VAR_FT_TMPL parameters.

Logics Software LOG-FT is the PC-side component that corresponds to the Siemens BS2000 mainframe and is used to manage the transmission and processing of files. There is an input validation vulnerability in the way LOG-FT processes user requests; remote attackers may use this vulnerability to gain unauthorized access to system files. LOG-FT's logwebftbs2000.exe program does not properly check and filter user parameters in HTTP GET requests.

LOG-FT is reported prone to an arbitrary file disclosure vulnerability. It is reported that an attacker can simply issue a specially crafted HTTP GET request to disclose sensitive files in the context of the affected Web server. Information disclosed through this attack may expose sensitive data that may be used to carry out further attacks against a computer. It is not confirmed whether this issue may also allow an attacker to upload arbitrary files.

Example: http://[host]/logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=c:\&VAR_FT_TMPL=[file]

SOLUTION: Restrict access to the "logwebcgi" directory. This may affect functionality.

PROVIDED AND/OR DISCOVERED BY: Pedro Viñuales and Román Ramírez
VAR-200505-1051 CVE-2005-1000 PHP-Nuke Your_Account Username Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 7.6 allow remote attackers to inject arbitrary web script or HTML via (1) the bid parameter to the EmailStats op in banners.pgp, (2) the ratenum parameter in the TopRated and MostPopular actions in the Web_Links module, (3) the ttitle parameter in the viewlinkdetails, viewlinkeditorial, viewlinkcomments, and ratelink actions in the Web_Links module, or (4) the username parameter in the Your_Account module. It is reported that the PHP-Nuke 'Your_Account' module is affected by a cross-site scripting vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied URI input. This issue could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials. This vulnerability is reported to affect PHP-Nuke version 7.6 and previous versions.
VAR-200504-0293 CVE-2005-0988 gzip gunzip Race Condition Vulnerability CVSS V2: 3.7
CVSS V3: -
Severity: LOW
Race condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Note that the information below the title covers all of them. ------------ GNU zip (gzip) is a utility that compresses and decompresses files. It is packaged together with zgrep, which runs grep over compressed files, and gunzip, which decompresses them. gzip 1.2.4 and earlier have several security issues: 1) The zgrep script shipped with gzip 1.2.4 and earlier does not properly sanitize its arguments (CAN-2005-0758). Details are currently unknown, but a local attacker who passes a crafted file name to zgrep may be able to execute arbitrary commands. 2) The race condition described above (CAN-2005-0988): gzip sets the permissions of the output file by path name after the decompressed data has been written, so a local user who replaces that path with a hard link in the meantime can have the permission change applied to an arbitrary file. 3) gunzip in gzip 1.2.4 and earlier does not properly validate the stored file name when decompressing with the -N flag (CAN-2005-1228). A remote attacker can send the target user a compressed file whose stored name contains a crafted ".." string and induce them to unpack it with gzip, resulting in a directory traversal. Please refer to the "Overview" for the impact of this vulnerability. The gzip utility is reported prone to a security weakness; the issue occurs only when an archive is extracted into a world- or group-writable directory. This weakness is reported to affect gzip 1.2.4, 1.3.3, and previous versions.
----------------------------------------------------------------------
TITLE: gzip Directory Traversal Vulnerability
SECUNIA ADVISORY ID: SA15047
VERIFY ADVISORY: http://secunia.com/advisories/15047/
CRITICAL: Less critical
IMPACT: System access
WHERE: From remote
SOFTWARE: gzip 1.x http://secunia.com/product/4220/
DESCRIPTION: Ulf Härnhammar has reported a vulnerability in gzip, which potentially can be exploited by malicious people to compromise a user's system. The vulnerability is caused by insufficient validation of the file name stored in the archive when it is extracted with the "-N" flag. This makes it possible to have a file extracted to an arbitrary location outside the current directory via directory traversal attacks. The vulnerability has been reported in versions 1.2.4, 1.2.4a, 1.3.3, 1.3.4 and 1.3.5. Other versions may also be affected.
SOLUTION: Do not extract untrusted ".gz" files with the "-N" flag.
PROVIDED AND/OR DISCOVERED BY: Ulf Härnhammar
----------------------------------------------------------------------
About: This Advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
----------------------------------------------------------------------
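The "-N" handling above is where the traversal is decided: gunzip reads the original file name from the FNAME field of the gzip member header (RFC 1952) and, with -N, reuses it as the output path. The C code below is an added example and is not code from gzip or from either advisory. It embeds a constructed header whose stored name is "../../etc/cron.d/x" (no deflate payload, since only the header matters here), extracts the FNAME field the way the header lays it out, and applies a simple policy before the name could be used as a path: keep only the final component and refuse ".", ".." and empty names. That policy is this example's own choice, not a statement of what the gzip fix does.

```c
#include <stdio.h>
#include <string.h>

/* gzip member header flag bits (RFC 1952) */
#define GZ_FHCRC    0x02
#define GZ_FEXTRA   0x04
#define GZ_FNAME    0x08
#define GZ_FCOMMENT 0x10

/* Constructed for this example: a header for a member whose stored
 * name is "../../etc/cron.d/x". The deflate stream that would follow
 * is omitted; only the header is parsed. */
static const unsigned char evil_header[] = {
    0x1f, 0x8b,             /* ID1, ID2 */
    0x08,                   /* CM = deflate */
    GZ_FNAME,               /* FLG: only FNAME set */
    0x00, 0x00, 0x00, 0x00, /* MTIME */
    0x00,                   /* XFL */
    0x03,                   /* OS = Unix */
    '.', '.', '/', '.', '.', '/', 'e', 't', 'c', '/',
    'c', 'r', 'o', 'n', '.', 'd', '/', 'x', 0x00,
};

/* Copy the NUL-terminated FNAME field of a gzip header into out.
 * FNAME precedes FCOMMENT and FHCRC, so only FEXTRA has to be skipped.
 * Returns 1 on success, 0 if the buffer is not a gzip header, carries
 * no FNAME, is truncated, or the name does not fit in out. */
int gzip_header_name(const unsigned char *buf, size_t len,
                     char *out, size_t outsz)
{
    size_t pos = 10, n = 0;
    unsigned flg;

    if (len < 10 || buf[0] != 0x1f || buf[1] != 0x8b || buf[2] != 0x08)
        return 0;
    flg = buf[3];
    if (flg & GZ_FEXTRA) {              /* skip XLEN + extra field */
        if (pos + 2 > len) return 0;
        pos += 2 + (size_t)(buf[pos] | (buf[pos + 1] << 8));
        if (pos > len) return 0;
    }
    if (!(flg & GZ_FNAME)) return 0;
    while (pos < len && buf[pos] != 0) {
        if (n + 1 >= outsz) return 0;   /* name too long for caller */
        out[n++] = (char)buf[pos++];
    }
    if (pos >= len) return 0;           /* no terminating NUL */
    out[n] = '\0';
    return 1;
}

/* Example policy before a stored name is used as an output path:
 * keep only the final path component and refuse "", "." and "..".
 * Assumed policy for this example; check the shipped gzip for the
 * exact behaviour of the real fix. */
int gzip_safe_name(const char *name, char *out, size_t outsz)
{
    const char *base = strrchr(name, '/');
    base = base ? base + 1 : name;
    if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return 0;
    if (strlen(base) + 1 > outsz) return 0;
    strcpy(out, base);
    return 1;
}

/* Run both steps on the constructed header: raw receives the stored
 * name, safe the name that would actually be written. Returns 1 when
 * both steps succeed, 0 otherwise. */
int demo_evil_header(char *raw, size_t rawsz, char *safe, size_t safesz)
{
    if (!gzip_header_name(evil_header, sizeof evil_header, raw, rawsz))
        return 0;
    return gzip_safe_name(raw, safe, safesz);
}

int main(void)
{
    char raw[64], safe[64];
    if (demo_evil_header(raw, sizeof raw, safe, sizeof safe))
        printf("stored name %s -> written as %s\n", raw, safe);
    return 0;
}
```

A decompressor that only rejects names beginning with "/" or "../" is still exposed through embedded "/../" segments; taking the base name sidesteps the whole class, at the cost of never recreating directory structure from the header, which gunzip has no business doing anyway.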
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200505-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: gzip: Multiple vulnerabilities
Date: May 09, 2005
Bugs: #89946, #90626
ID: 200505-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========
gzip contains multiple vulnerabilities potentially allowing an attacker to execute arbitrary commands.

The zgrep utility improperly sanitizes arguments, which may come from an untrusted source (CAN-2005-0758).

Impact
======
These vulnerabilities could allow arbitrary command execution, changing the permissions of arbitrary files, and installation of files to an arbitrary location in the filesystem.

Workaround
==========
There is no known workaround at this time.

Resolution
==========
All gzip users should upgrade to the latest stable version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-arch/gzip-1.3.5-r6"

References
==========
[ 1 ] CAN-2005-0758 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0758
[ 2 ] CAN-2005-0988 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0988
[ 3 ] CAN-2005-1228 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200505-05.xml

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======
Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0
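For CAN-2005-0988 the weakness is the order of operations in the decompressor: the output file is written first and its permissions are set afterwards by path name, so in a group- or world-writable directory another local user can replace the output path with a hard link to a file of their choosing in between, and the permission change lands on that file. The C program below is an added example, not gzip's code. It reproduces that sequence in a private temporary directory and contrasts restoring the mode with chmod(path) against fchmod(fd) on the descriptor the program actually wrote to. That the vulnerable versions restore the mode by path is assumed from the advisory text, not verified against the gzip source.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Simulates the CAN-2005-0988 race in a private temp directory.
 *
 * victim:  a 0600 file we own, standing in for a file the attacker
 *          must not be able to change.
 * out:     the file gunzip writes. Assumption for this example: the
 *          archived file's mode is restored after the data is written.
 * attack:  between the write and the mode restore, unlink out and
 *          replace it with a hard link to victim.
 *
 * restore_by_fd == 0: restore mode with chmod(path)  (vulnerable)
 * restore_by_fd == 1: restore mode with fchmod(fd)   (hardened)
 *
 * Returns victim's permission bits afterwards, or -1 on error.
 */
int gzip_race_demo(int restore_by_fd)
{
    char dir[] = "/tmp/gzrace.XXXXXX";
    char victim[64], out[64];
    struct stat st;
    int fd, vfd, result = -1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(out, sizeof out, "%s/out", dir);

    /* victim: private file, mode 0600 regardless of umask */
    vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0) goto cleanup;
    close(vfd);
    if (chmod(victim, 0600) != 0) goto cleanup;

    /* "gunzip" creates its output and writes the decompressed data */
    fd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) goto cleanup;
    if (write(fd, "data\n", 5) != 5) { close(fd); goto cleanup; }

    /* attacker wins the race: the output path now names the victim */
    if (unlink(out) != 0 || link(victim, out) != 0) { close(fd); goto cleanup; }

    /* "gunzip" restores the archived file's world-readable mode 0644 */
    if (restore_by_fd)
        fchmod(fd, 0644);   /* applies to the inode we opened */
    else
        chmod(out, 0644);   /* follows the path: the victim inode */
    close(fd);

    if (stat(victim, &st) == 0)
        result = (int)(st.st_mode & 0777);

cleanup:
    unlink(out);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("chmod(path): victim mode now %04o\n", (unsigned)gzip_race_demo(0));
    printf("fchmod(fd):  victim mode now %04o\n", (unsigned)gzip_race_demo(1));
    return 0;
}
```

Run on Linux with a writable /tmp; creating a hard link to a file you own is permitted under the default fs.protected_hardlinks setting. The same reasoning applies to ownership and timestamps: fchown and futimens on the open descriptor close the window that chown and utimes by path leave open.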
VAR-200505-1057 CVE-2005-1006 SonicWALL SOHO Web Remote Input Validation Error Vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in SonicWALL SOHO 5.1.7.0 allow remote attackers to inject arbitrary web script or HTML via (1) the URL or (2) the user login name, which is not filtered when the administrator views the log file. Multiple remote input validation vulnerabilities affect SonicWALL SOHO. These issues are due to a failure of the application to properly sanitize user-supplied input prior to including it in dynamically generated Web content. Specifically, a reflected cross-site scripting issue (via the URL) and an HTML injection issue (via the login name, which is stored and later rendered in the administrator's log view) affect the vulnerable device. An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks, potentially leading to a compromise of the affected device. SonicWALL Pro 230 firmware 6.5.0.3 is reported vulnerable to these issues as well. SonicWALL SOHO is a network security appliance that provides a firewalled Internet connection.
----------------------------------------------------------------------
TITLE: SonicWALL SOHO series Cross-Site Scripting and Script Injection
SECUNIA ADVISORY ID: SA14823
VERIFY ADVISORY: http://secunia.com/advisories/14823/
CRITICAL: Less critical
IMPACT: Cross Site Scripting
WHERE: From remote
OPERATING SYSTEM: SonicWALL SOHO series http://secunia.com/product/223/
DESCRIPTION: Oliver Karow has reported two vulnerabilities in SonicWALL SOHO series, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.
1) Input passed in the URL path is not properly sanitised before being returned to the user. Example: http://[host]/[code]
2) Input passed to the username in the login page is not properly sanitised before being used in the log that the administrator views.
The vulnerabilities have been reported in firmware version 5.1.7.0. Other versions may also be affected.
SOLUTION: Restrict access to the web interface to prevent the script insertion vulnerability.
PROVIDED AND/OR DISCOVERED BY: Oliver Karow
ORIGINAL ADVISORY: http://www.oliverkarow.de/research/SonicWall.txt
----------------------------------------------------------------------
VAR-200505-1003 CVE-2005-1023 PHPNuke Multiple Module Cross-Site Scripting Vulnerabilities CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 6.x to 7.6 allow remote attackers to inject arbitrary web script or HTML via the (1) min parameter to the Search module, (2) the categories parameter to the FAQ module, or (3) the ltr parameter to the Encyclopedia module. NOTE: the bid parameter issue in banners.php is already an item in CVE-2005-1000. PHPNuke is reported prone to multiple cross-site scripting vulnerabilities affecting various modules. The affected modules include 'Search', 'FAQ', and 'Encyclopedia'. The 'banners.php' script is also affected. An attacker can exploit these issues by creating a malicious link containing HTML and script code and sending this link to a vulnerable user. This can allow for theft of cookie-based authentication credentials and other attacks. PHPNuke 7.6 and prior versions are reportedly affected by these issues
VAR-200505-1004 CVE-2005-1024 PHPNuke Multiple Module Cross-Site Scripting Vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
modules.php in PHP-Nuke 6.x to 7.6 allows remote attackers to obtain sensitive information via a direct request to (1) my_headlines, (2) userinfo, or (3) search, which reveals the path in a PHP error message. PHPNuke is reported prone to a path disclosure weakness affecting the 'my_headlines', 'userinfo' and 'search' modules. Requesting one of these modules directly through 'modules.php' triggers a PHP error message that reveals the installation path of the application. An attacker may use this information to aid further attacks against the host. PHPNuke 6.x through 7.6 are reportedly affected by this issue