VARIoT IoT vulnerabilities database

VAR-200412-0788 CVE-2004-2606 Linksys WRT54G Router Global Access Management Service Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The Web interface in Linksys WRT54G 2.02.7 and BEFSR41 version 3, with the firewall disabled, allows remote attackers to attempt to log in to an administration web page, even when the configuration specifies that remote administration is disabled. Linksys WRT54G Router is a router device. Even when remote management is turned off, the Linksys WRT54G Router still serves its management web pages on ports 80 and 443 of the WAN interface, so an attacker can reach the management interface. In combination with other vulnerabilities, this may allow the router to be taken over. A weakness is reported to affect the Linksys WRT54G appliance
VAR-200408-0112 CVE-2004-0517 Apple Mac OS X vulnerable to privilege escalation when using Directory Services CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in Mac OS X 10.3.4, related to "handling of process IDs during package installation," a different vulnerability than CVE-2004-0516. A vulnerability in Mac OS X may permit a local authenticated user with physical access to the machine to gain elevated privileges. Apple Mac OS X and Apple Mac OS X Server contain unspecified vulnerabilities. Mac OS X 10.3.4 has been released to address these issues and provide other security enhancements
VAR-200408-0111 CVE-2004-0516 Apple Mac OS X vulnerable to privilege escalation when using Directory Services CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in Mac OS X 10.3.4, related to "package installation scripts," a different vulnerability than CVE-2004-0517. A vulnerability in Mac OS X may permit a local authenticated user with physical access to the machine to gain elevated privileges. Apple Mac OS X and Apple Mac OS X Server contain unspecified vulnerabilities. Mac OS X 10.3.4 has been released to address these issues and provide other security enhancements
VAR-200408-0110 CVE-2004-0515 Apple Mac OS X vulnerable to privilege escalation when using Directory Services CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in LoginWindow for Mac OS X 10.3.4, related to "handling of console log files." A vulnerability in Mac OS X may permit a local authenticated user with physical access to the machine to gain elevated privileges. Apple Mac OS X and Apple Mac OS X Server contain unspecified vulnerabilities
VAR-200408-0109 CVE-2004-0514 Apple Mac OS X vulnerable to privilege escalation when using Directory Services CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Unknown vulnerability in LoginWindow for Mac OS X 10.3.4, related to "handling of directory services lookups." A vulnerability in Mac OS X may permit a local authenticated user with physical access to the machine to gain elevated privileges. Apple Mac OS X and Apple Mac OS X Server contain unspecified vulnerabilities
VAR-200408-0108 CVE-2004-0513 Apple Mac OS X vulnerable to privilege escalation when using Directory Services CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in Mac OS X before 10.3.4 has unknown impact and attack vectors related to "logging when tracing system calls." A vulnerability in Mac OS X may permit a local authenticated user with physical access to the machine to gain elevated privileges. Apple Mac OS X contains unspecified vulnerabilities. Mac OS X 10.3.4 has been released to address these issues and provide other security enhancements. No detailed vulnerability details are currently available
VAR-200405-0069 No CVE Sun Java System Application Server Remote Installation Path Disclosure Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Sun Java System Application Server is an application server that is compatible with the J2EE platform. The Java System Application Server incorrectly filters user-submitted requests, and a remote attacker can exploit this vulnerability to obtain installation path information for the server. When a request similar to the following is submitted to Sun-Java-App-Server PE 8.0: http://127.0.0.1:8080////http://127.0.0.1:8080////CON the server returns an error message containing the installation path. Attackers can use this information to further attack the system. This issue is due to a failure of the application to properly filter user requests. Successful exploitation of this issue may allow an attacker to gain sensitive information about the file system that may aid in launching more direct attacks against the system
VAR-200408-0124 CVE-2004-0525 HP Integrated Lights Out Remote Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
HP Integrated Lights-Out (iLO) 1.10 and other versions before 1.55 allows remote attackers to cause a denial of service (hang) by accessing iLO using the TCP/IP reserved port zero. HPE Integrated Lights-Out firmware contains unspecified vulnerabilities. A successful attack can allow an attacker to cause the iLO service to crash, effectively denying service to legitimate users. iLO firmware versions prior to 1.55 are prone to this vulnerability. Integrated Lights-Out Advanced Package - Upgrades the Integrated Lights-Out processor to full virtual memory and control via a graphical console and virtual media
VAR-200405-0038 CVE-2004-2032 Netgear RP114 content filtering bypasses vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Netgear RP114 allows remote attackers to bypass the keyword based URL filtering by requesting a long URL, as demonstrated using a large number of %20 (hex-encoded space) sequences. The NetGear RP114 router can be managed via TELNET and HTTP. A content filtering problem in the NetGear RP114 router allows remote attackers to access restricted resources. If the URI string requested by the user exceeds 220 bytes, the content filtering function of the NetGear RP114 can be bypassed. This can lead administrators to overlook a security exposure: the vulnerability may give a network administrator a false sense of security, where a malicious website is believed to be unreachable, while in reality any host may contact blacklisted websites.

D-Link DIR-100 long url filter evasion
scip AG Vulnerability ID 3808 (09/08/2008)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3808

I. INTRODUCTION
D-Link DIR-100 is a small and cost-effective router and firewall device for small offices and home users. More details are available at the official product web site (German link): http://www.dlink.de/?go=gNTyP9CgrdFOIC4AStFCF834mptYKO9ZTdvhLPG3yV3oV492gqltbNlwaaFp6DQoHDrpxC5H+40AAdvl

II. DESCRIPTION
Marc Ruef at scip AG found a possibility to evade the url filters of the web proxy that are meant to prevent access to web sites. An attacker might add a very long string to the url to access web resources although their access is forbidden. This problem could be verified in all firmware versions up to v1.12. A similar vulnerability was already detected years ago in a similar device, the Netgear RP114. [1, 2]

III. EXPLOITATION
It is possible to exploit the vulnerability with a common web browser by using a long url (approx. 1'300 chars). You can expand the length of the url by adding an unused http get request parameter. Example url: http://www.scip.ch/?foo=aaa(...)

A video illustrating this issue is available at the following url: http://de.youtube.com/watch?v=WTzPn37XNl4

The Attack Tool Kit (ATK)[3] is able to exploit this vulnerability with the following generic ASL code (expand the long URL request): open|send GET http://www.scip.ch/?foo=aaa(...) HTTP/1.0\n\n|sleep|close|pattern_not_exists *This URL is <font color=red>blocked</font> by administrator !*

IV.

V. DETECTION
Detection of web based attacks requires a specialized web proxy and/or intrusion detection system. Patterns for such a detection are available and easy to implement.

VI. SOLUTION
We have informed D-Link at an early stage. Our technical requests were not answered nor confirmed. Therefore, no official statement, patch or upgrade is available. We suggest the use of another device for filtering forbidden web resources successfully.

VII. VENDOR RESPONSE
D-Link has been informed first via the unhandy web form at http://www.dlink.com (no public mail address for such cases could be found). The first responses claimed that the problem must be within a wrong configuration setting. Further discussions were initiated. The support was not able to understand the problem, not even after several step-by-step guides and examples. They always suggest I have to upgrade to the latest firmware, and they could not verify the problem. Therefore, no official solution, workaround or patch is available.

VIII. SOURCES
scip AG - Security Consulting Information Process (german) http://www.scip.ch/
scip AG Vulnerability Database (german) http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3808
computec.ch document data base (german) http://www.computec.ch/download.php

IX. DISCLOSURE TIMELINE
2008/07/25 Identification of the vulnerability by Marc Ruef
2008/07/28 First information to D-Link via web form
2008/07/28 First reply by D-Link support via support@service.dlink.biz (ticket id 1375981)
2008/07/29 Providing our config for further analysis
2008/08/06 Request for actual status (no reply)
2008/08/29 Another request for actual status
2008/08/29 Response could not verify the problem
2008/09/01 Detailed explanation of the exploitation
2008/09/01 Responder could still not understand the problem
2008/09/08 Public disclosure of the advisory

X. CREDITS
The vulnerability was discovered by Marc Ruef. Marc Ruef, scip AG, Zuerich, Switzerland maru-at-scip.ch http://www.scip.ch/

A1. BIBLIOGRAPHY
[1] http://www.securityfocus.com/bid/10404
[2] http://seclists.org/bugtraq/2004/May/0263.html
[3] http://www.computec.ch/projekte/atk/

A2. LEGAL NOTICES
Copyright (c) 2007-2008 scip AG, Switzerland. Permission is granted for the re-distribution of this alert. It may not be edited in any way without permission of scip AG. The information in the advisory is believed to be accurate at the time of publishing based on currently available information. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage from use of or reliance on this advisory
VAR-200412-0451 CVE-2004-2344 VocalTec VGW120/ VGW480 Telephony Gateway Remotely H.225 Denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in the ASN.1/H.323/H.225 stack of VocalTec VGW120 and VGW480 allows remote attackers to cause a denial of service. The issue is reported to exist in the ASN.1/H.323/H.225 stack. VocalTec VGW120/VGW480 is a telephony gateway system. VocalTec VGW120/VGW480 telephony gateways mishandle some H.323 communications
VAR-200407-0073 CVE-2004-0485 Apple Mac OS X help system may interpret inappropriate local script files CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The default protocol helper for the disk: URI on Mac OS X 10.3.3 and 10.2.8 allows remote attackers to write arbitrary files by causing a disk image file (.dmg) to be mounted as a disk volume. Remote attackers may potentially use this vulnerability to create files on the local system without explicit user consent. We have not independently verified the scope of this vulnerability report. Apple Mac OS X contains unspecified vulnerabilities. Details on the nature of this vulnerability are not known at this time. There are a range of possibilities: from a vulnerability that allows for URLs to be obfuscated to full remote command execution through malicious URLs. This alert will be updated as new information becomes available
VAR-200408-0157 CVE-2004-0487 Symantec Norton AntiVirus ActiveX Control Remote Code Execution Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
A certain ActiveX control in Symantec Norton AntiVirus 2004 allows remote attackers to cause a denial of service (resource consumption) and possibly execute arbitrary programs. Symantec Norton AntiVirus contains unspecified vulnerabilities. Symantec Norton AntiVirus is prone to a remote code execution vulnerability. The ActiveX control contained in Symantec Norton AntiVirus does not properly validate external input. To successfully exploit this vulnerability, the executable must be on the local system, and its location needs to be known to the attacker
VAR-200412-0293 CVE-2004-2397 Blue Coat Systems SGOS Private Key Disclosure Vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
The web-based Management Console in Blue Coat Security Gateway OS 3.0 through 3.1.3.13 and 3.2.1, when importing a private key, stores the key and its passphrase in plaintext in a log file, which allows attackers to steal digital certificates. The issue reportedly occurs when the private key is imported through the web-based administrative interface. This causes the private key and passphrase to be logged in plaintext, potentially exposing them to other local users. It is also reported that certain administrative actions or configurations could expose this information to other unauthorized parties, though specific details have not been publicized at this time. Blue Coat Systems' products are purpose-built appliances optimized for the specific application of Web acceleration and security. Attackers may obtain this sensitive information and control the device
VAR-200412-0931 CVE-2004-2018 PHP-Nuke Modpath Parameter file contains vulnerabilities CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
PHP remote file inclusion vulnerability in index.php in Php-Nuke 6.x through 7.3 allows remote attackers to execute arbitrary PHP code by modifying the modpath parameter to reference a URL on a remote web server that contains the code. PHP-Nuke is prone to a potential file include vulnerability. This issue could allow a remote attacker to include malicious files containing arbitrary code to be executed on a vulnerable system. This issue can be exploited via the 'modpath' parameter. If successful, the malicious script supplied by the attacker will be executed in the context of the web server hosting the vulnerable software. PHP-Nuke is a popular website creation and management tool; it can use many database backends, such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc. There is a file inclusion problem in PHP-Nuke. A remote attacker can use this vulnerability to view the content of any file on the system with the privileges of the web server process. PHP-Nuke lacks filtering for the data submitted by users to the 'modpath' parameter
VAR-200412-0932 CVE-2004-2019 PHP-Nuke Multiple input validation vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The WebLinks module in Php-Nuke 6.x through 7.3 allows remote attackers to obtain sensitive information via an invalid show parameter, which displays the full path in a PHP error message. PHP-Nuke is a popular website creation and management tool; it can use many database backends, such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc. PHP-Nuke incorrectly handles the data submitted by users in many places. Remote attackers can use this vulnerability to conduct cross-site scripting, path disclosure, sensitive information disclosure and other attacks.
A. Path Leakage
The "WebLinks" module lacks filtering for the "show" variable, which can lead to path leaks:
http://localhost/nuke73/modules.php?name=Web_Links&l_op=viewlink&cid=1&show=foobar
Warning: Division by zero in D:\apache_wwwroot\nuke73\modules\Web_Links\index.php on line 774
B. Multiple modules lack adequate filtering of variables, which can lead to cross-site scripting attacks and leak sensitive information of target users:
http://localhost/nuke73/modules.php?name=News&file=article&sid=1&optionbox=[xss code here]
http://localhost/nuke73/modules.php?name=Statistics&op=DailyStats&year=2004&month=5&date=[xss code here]
http://localhost/nuke73/modules.php?name=Stories_Archive&sa=show_month&year=[xss code here]&month=05&month_l=May
http://localhost/nuke73/modules
VAR-200412-0933 CVE-2004-2020 PHP-Nuke Multiple input validation vulnerabilities CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in Php-Nuke 6.x through 7.3 allow remote attackers to inject arbitrary HTML or web script into the (1) optionbox parameter in the News module, (2) date parameter in the Statistics module, (3) year, month, and month_1 parameters in the Stories_Archive module, (4) mode, order, and thold parameters in the Surveys module, or (5) a SQL statement to index.php, as processed by mainfile.php. PHP-Nuke is a popular website creation and management tool; it can use many database backends, such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc. PHP-Nuke incorrectly handles the data submitted by users in many places. Remote attackers can use this vulnerability to conduct cross-site scripting, path disclosure, sensitive information disclosure and other attacks.
A. Path Leakage
The "WebLinks" module lacks filtering for the "show" variable, which can lead to path leaks:
http://localhost/nuke73/modules.php?name=Web_Links&l_op=viewlink&cid=1&show=foobar
Warning: Division by zero in D:\apache_wwwroot\nuke73\modules\Web_Links\index.php on line 774
B. Multiple modules lack adequate filtering of variables, which can lead to cross-site scripting attacks and leak sensitive information of target users:
http://localhost/nuke73/modules.php?name=News&file=article&sid=1&optionbox=[xss code here]
http://localhost/nuke73/modules.php?name=Statistics&op=DailyStats&year=2004&month=5&date=[xss code here]
http://localhost/nuke73/modules.php?name=Stories_Archive&sa=show_month&year=[xss code here]&month=05&month_l=May
http://localhost/nuke73/modules
VAR-200412-0290 CVE-2004-2394 Mandrake Linux passwd Unknown security vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Off-by-one error in passwd 0.68 and earlier, when using the --stdin option, causes passwd to use the first 78 characters of a password instead of the first 79, which results in a small reduction of the search space required for brute force attacks. Two potential security issues reportedly affect the implementation of passwd included with Mandrake Linux, according to Mandrake advisory MDKSA-2004:045. According to the report, passwords supplied to passwd via stdin are incorrectly one character shorter than they should be. It is not known whether this behavior occurs at the interactive prompt or if the implementation allows for passwords to be "piped" to passwd through stdin. This may or may not have security implications, as the user's password will not be stored correctly and the user will not be able to log in. It is conceivable that this could result in a less secure password. The second issue reported by Mandrake is that PAM may not be initialized correctly and "safe and proper" operation may not be ensured. Further technical details are not known. Mandrake Linux is an open source operating system
VAR-200407-0016 CVE-2004-0731 PHP-Nuke Multiple Input Validation Vulnerabilities CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in index.php in the Search module for Php-Nuke allows remote attackers to inject arbitrary script as other users via the input field. PHP-Nuke is prone to multiple vulnerabilities. The issues result from insufficient sanitization of user-supplied data. An attacker can carry out cross-site scripting and path disclosure attacks. PHP-Nuke is a popular website creation and management tool; it can use many database backends, such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc. PHP-Nuke incorrectly handles the data submitted by users in many places.
A. Path Leakage
The "WebLinks" module lacks filtering for the "show" variable, which can lead to path leaks:
http://localhost/nuke73/modules.php?name=Web_Links&l_op=viewlink&cid=1&show=foobar
Warning: Division by zero in D:\apache_wwwroot\nuke73\modules\Web_Links\index.php on line 774
B. Multiple modules lack adequate filtering of variables, which can lead to cross-site scripting attacks and leak sensitive information of target users:
http://localhost/nuke73/modules.php?name=News&file=article&sid=1&optionbox=[xss code here]
http://localhost/nuke73/modules.php?name=Statistics&op=DailyStats&year=2004&month=5&date=[xss code here]
http://localhost/nuke73/modules.php?name=Stories_Archive&sa=show_month&year=[xss code here]&month=05&month_l=May
http://localhost/nuke73/modules
VAR-200412-0292 CVE-2004-2396 Mandrake Linux passwd Unknown security vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
passwd 0.68 does not check the return code for the pam_start function, which has unknown impact and attack vectors that may prevent "safe and proper operation" of PAM. Two potential security issues reportedly affect the implementation of passwd included with Mandrake Linux, according to Mandrake advisory MDKSA-2004:045. According to the report, passwords supplied to passwd via stdin are incorrectly one character shorter than they should be. It is not known whether this behavior occurs at the interactive prompt or if the implementation allows for passwords to be "piped" to passwd through stdin. This may or may not have security implications, as the user's password will not be stored correctly and the user will not be able to log in. It is conceivable that this could result in a less secure password. The second issue reported by Mandrake is that PAM may not be initialized correctly and "safe and proper" operation may not be ensured. Further technical details are not known. Mandrake Linux is an open source operating system
VAR-200412-0291 CVE-2004-2395 Mandrake Linux passwd Unknown security vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Memory leak in passwd 0.68 allows local users to cause a denial of service (memory consumption) via a large number of failed read attempts from the password buffer. Two potential security issues reportedly affect the implementation of passwd included with Mandrake Linux, according to Mandrake advisory MDKSA-2004:045. According to the report, passwords supplied to passwd via stdin are incorrectly one character shorter than they should be. It is not known whether this behavior occurs at the interactive prompt or if the implementation allows for passwords to be "piped" to passwd through stdin. This may or may not have security implications, as the user's password will not be stored correctly and the user will not be able to log in. It is conceivable that this could result in a less secure password. The second issue reported by Mandrake is that PAM may not be initialized correctly and "safe and proper" operation may not be ensured. Further technical details are not known. Mandrake Linux is an open source operating system