VARIoT IoT vulnerabilities database


VAR-200704-0237 CVE-2007-2175 Apple QuickTime for Java QTPointerRef heap memory corruption vulnerability CVSS V2: 7.6
CVSS V3: -
Severity: HIGH
Apple QuickTime Java extensions (QTJava.dll), as used in Safari and other browsers, and when Java is enabled, allows remote attackers to execute arbitrary code via parameters to the toQTPointer method in quicktime.util.QTHandleRef, which can be used to modify arbitrary memory when creating QTPointerRef objects, as demonstrated during the "PWN 2 0WN" contest at CanSecWest 2007. QTJava is used by Safari and other browsers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The flaw exists within the QuickTime Java extensions (QTJava.dll), specifically the routine toQTPointer() exposed through quicktime.util.QTHandleRef. A lack of sanity checking on the parameters passed to this routine, through the Java Virtual Machine (JVM), allows an attacker to write arbitrary values to memory. This can be leveraged to execute arbitrary code under the context of the current user. Example code execution vectors include Microsoft Internet Explorer, Mozilla Firefox and Apple Safari. This vulnerability affects the latest versions of both the MacOS and Windows operating systems, including MacOS 10.4.9 and Windows Vista. QuickTime is prone to a vulnerability that may aid in the remote compromise of a vulnerable computer. The issue occurs when a Java-enabled browser is used to view a malicious website. QuickTime must also be installed. Failed exploit attempts will likely result in denial-of-service conditions. This issue is exploitable through both Safari and Mozilla Firefox running on Mac OS X. Reports indicate that Firefox on Windows platforms may also be an exploit vector. Reports also indicate that Internet Explorer 6 and 7 running on Windows XP may be an exploit vector, but that a sandboxing feature may interfere with successful exploits. Neither of these points has been confirmed. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats.
ZDI-07-023: Apple QTJava toQTPointer() Pointer Arithmetic Memory Overwrite Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-023.html
May 1, 2007

-- CVE ID:
CVE-2007-2175

-- Affected Vendor:
Apple

-- Affected Products:
Quicktime

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since April 23, 2007 by Digital Vaccine protection filter ID 5310, 5311.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can be found at:
http://docs.info.apple.com/article.html?artnum=305446

-- Disclosure Timeline:
2007.04.23 - Vulnerability reported to vendor
2007.04.23 - Digital Vaccine released to TippingPoint customers
2007.05.01 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Dino A. Dai Zovi.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
----------------------------------------------------------------------
Secunia customers receive relevant and filtered advisories. Delivery is done via different channels including SMS, Email, Web, and https based XML feed.
http://corporate.secunia.com/trial/38/request/
----------------------------------------------------------------------

TITLE:
Apple QuickTime Java Handling Unspecified Code Execution

SECUNIA ADVISORY ID:
SA25011

VERIFY ADVISORY:
http://secunia.com/advisories/25011/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/product/5090/
Apple Quicktime 6.x
http://secunia.com/product/810/
Apple Quicktime 5.x
http://secunia.com/product/215/
Apple Quicktime 4.x
http://secunia.com/product/7923/
Apple Quicktime 3.x
http://secunia.com/product/10883/

DESCRIPTION:
A vulnerability has been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system. Other browsers and platforms may also be affected.

SOLUTION:
Disable Java support. Do not browse untrusted websites.

PROVIDED AND/OR DISCOVERED BY:
Dino Dai Zovi

ORIGINAL ADVISORY:
Matasano:
http://www.matasano.com/log/812/breaking-macbook-vuln-in-quicktime-affects-win32-apple-code/

----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200704-0302 CVE-2007-2163 Apple Safari denial-of-service (DoS) vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Apple Safari allows remote attackers to cause a denial of service (browser crash) via JavaScript that matches a regular expression against a long string, as demonstrated using /(.)*/. Safari is prone to a denial-of-service vulnerability. Apple Safari is a web browser. The crash is triggered by JavaScript that matches a regular expression against a long string.
VAR-200704-0275 CVE-2007-2213 WS_FTP 2007 NetscapeFTPHandler Initialize function denial-of-service (DoS) vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the Initialize function in NetscapeFTPHandler in WS_FTP Home and Professional 2007 allows remote attackers to cause a denial of service (NULL dereference and application crash) via unspecified vectors related to "improper arguments." WS_FTP is prone to a remote denial-of-service vulnerability. WS_FTP Home is a fast, powerful FTP client program. The NetscapeFTPHandler function of WS_FTP Home dereferences a NULL pointer when processing user input. Local attackers may use this vulnerability to cause denial of service to the server program. The crash occurs at the instruction MOVZX EAX,WORD PTR [ESI] (address 75DC3E09) with ESI = 00000000; calling the function int Initialize(char *str1, char *str2) with incorrect parameters may trigger this vulnerability, resulting in denial of service.
VAR-200708-0097 CVE-2007-4216 Check Point Zone Labs ZoneAlarm vsdatant.sys privilege escalation vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
vsdatant.sys 6.5.737.0 in Check Point Zone Labs ZoneAlarm before 7.0.362 allows local users to gain privileges via a crafted Interrupt Request Packet (Irp) in a METHOD_NEITHER (1) IOCTL 0x8400000F or (2) IOCTL 0x84000013 request, which can be used to overwrite arbitrary memory locations. Multiple Check Point ZoneAlarm products are prone to local privilege-escalation vulnerabilities. An attacker can exploit these issues to gain elevated privileges and completely compromise an affected computer. These issues have been confirmed in: ZoneAlarm 6.5.737, ZoneAlarm Security Suite 5.5.062.004 and 6.5.737. Other versions are likely vulnerable as well. NOTE: This BID is being retired because it is a duplicate of BID 25365 (Check Point Zone Labs Multiple Products Local Privilege Escalation Vulnerabilities). The following are vulnerable: - Versions prior to ZoneAlarm 7.0.362 - Zone Labs products that include 'vsdatant.sys' 6.5.737.0. ZoneAlarm is a personal computer firewall that protects personal data and privacy. There are multiple security vulnerabilities in the implementation and installation of ZoneAlarm; local attackers may use these vulnerabilities to elevate their own privileges. Since some programs run as system services, attackers can replace the installed ZoneAlarm files with their own code, which will then be executed with system-level privileges.

----------------------------------------------------------------------
BETA test the new Secunia Personal Software Inspector!

The Secunia PSI detects installed software on your computer and categorises it as either Insecure, End-of-Life, or Up-To-Date. Effectively enabling you to focus your attention on software installations where more secure versions are available from the vendors.

Download the free PSI BETA from the Secunia website:
https://psi.secunia.com/
----------------------------------------------------------------------

TITLE:
ZoneAlarm Products Insecure Directory Permissions and IOCTL Handler Privilege Escalation

SECUNIA ADVISORY ID:
SA26513

VERIFY ADVISORY:
http://secunia.com/advisories/26513/

CRITICAL:
Less critical

IMPACT:
Privilege escalation

WHERE:
Local system

SOFTWARE:
ZoneAlarm 6.x
http://secunia.com/product/5806/
ZoneAlarm 7.x
http://secunia.com/product/13889/
ZoneAlarm 5.x
http://secunia.com/product/4647/
ZoneAlarm Pro 5.x
http://secunia.com/product/4280/
ZoneAlarm Pro 6.x
http://secunia.com/product/6071/
ZoneAlarm Security Suite 5.x
http://secunia.com/product/4272/
ZoneAlarm 2.x
http://secunia.com/product/3056/
ZoneAlarm 3.x
http://secunia.com/product/153/
ZoneAlarm 4.x
http://secunia.com/product/150/
ZoneAlarm Anti-Spyware 6.x
http://secunia.com/product/6073/
ZoneAlarm Antivirus 5.x
http://secunia.com/product/4271/
ZoneAlarm Antivirus 6.x
http://secunia.com/product/6074/
ZoneAlarm Internet Security Suite 6.x
http://secunia.com/product/6072/
ZoneAlarm Plus 3.x
http://secunia.com/product/3057/
ZoneAlarm Plus 4.x
http://secunia.com/product/151/
ZoneAlarm Pro 2.x
http://secunia.com/product/152/
ZoneAlarm Pro 3.x
http://secunia.com/product/1960/
ZoneAlarm Pro 4.x
http://secunia.com/product/1961/
ZoneAlarm Wireless Security 5.x
http://secunia.com/product/4648/

DESCRIPTION:
Some vulnerabilities and a security issue have been reported in ZoneAlarm products, which can be exploited by malicious, local users to gain escalated privileges.

1) Insufficient address space verification within the 0x8400000F and 0x84000013 IOCTL handlers of vsdatant.sys and insecure permissions on the "\\.\vsdatant" device interface can be exploited to e.g. access the said IOCTL handlers and overwrite arbitrary memory and execute code with kernel privileges.

2) Insecure default Access Control List (ACL) settings when ZoneAlarm tools are installed can be exploited to gain escalated privileges by replacing certain files.

SOLUTION:
Update to version 7.0.362.

2) Discovered by an anonymous person and reported via iDefense Labs.

ORIGINAL ADVISORY:
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=584
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=585

Reversemode:
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=53

----------------------------------------------------------------------

I. BACKGROUND

Zone Alarm products provide security solutions such as anti-virus, firewall, spy-ware, and ad-ware protection. The vsdatant.sys driver, also known as the TrueVector Device Driver, is the core firewall driver in ZoneAlarm products.
http://www.zonelabs.com/

II.

The problems specifically exist within the IOCTL handling code in the vsdatant.sys device driver. The device driver fails to validate user-land supplied addresses passed to IOCTL 0x8400000F and IOCTL 0x84000013. Since the Irp parameters are not correctly validated, an attacker could utilize these IOCTLs to overwrite arbitrary memory with the constant double-word value of 0x60001 or the contents of a buffer returned from ZwQuerySystemInformation. This includes kernel memory as well as the code segments of running processes.

III.

The access control mechanisms under a default installation allow restricted accounts to access the affected device drivers.

IV.

V. WORKAROUND

Changing the access control mechanisms for the affected device drivers will prevent exploitation by restricted accounts.

VI.

http://www.zonealarm.com/store/content/catalog/products/trial_zaFamily/trial_zaFamily.jsp

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4216 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

12/19/2006 Initial vendor notification
12/20/2006 Initial vendor response
08/20/2007 Coordinated public disclosure

IX. CREDIT

These vulnerabilities were reported to iDefense by Ruben Santamarta of reversemode.com.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
VAR-200704-0313 CVE-2007-2174 Check Point ZoneAlarm SRE arbitrary file execution vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
The IOCTL handling in srescan.sys in the ZoneAlarm Spyware Removal Engine (SRE) in Check Point ZoneAlarm before 5.0.156.0 allows local users to execute arbitrary code via certain IOCTL Irp parameter addresses. Check Point ZoneAlarm is prone to multiple local privilege-escalation vulnerabilities. On a default installation, only certain restricted accounts can access the vulnerable sections of the application. An attacker can exploit these issues to execute arbitrary code with SYSTEM-level privileges. A successful exploit will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition. ZoneAlarm is a personal computer firewall that protects personal data and privacy. There is a vulnerability in ZoneAlarm's srescan.sys driver implementation. Local attackers may use this vulnerability to elevate their privileges in the system. The IOCTL handling code of the srescan.sys device driver does not correctly handle userland addresses passed to IOCTL 0x22208F and IOCTL 0x2220CF. In the case of IOCTL 0x2220CF, the attacker can write the constant double word value 0x30000; in the case of IOCTL 0x22208F, the attacker can write the contents of the ZwQuerySystemInformation return buffer.

----------------------------------------------------------------------

TITLE:
ZoneAlarm Products SRESCAN.SYS IOCTL Handler Privilege Escalation

SECUNIA ADVISORY ID:
SA24986

VERIFY ADVISORY:
http://secunia.com/advisories/24986/

CRITICAL:
Less critical

IMPACT:
Privilege escalation

WHERE:
Local system

SOFTWARE:
ZoneAlarm 4.x
http://secunia.com/product/150/
ZoneAlarm 3.x
http://secunia.com/product/153/
ZoneAlarm 2.x
http://secunia.com/product/3056/
ZoneAlarm 5.x
http://secunia.com/product/4647/
ZoneAlarm 6.x
http://secunia.com/product/5806/
ZoneAlarm 7.x
http://secunia.com/product/13889/
ZoneAlarm Anti-Spyware 6.x
http://secunia.com/product/6073/
ZoneAlarm Antivirus 5.x
http://secunia.com/product/4271/
ZoneAlarm Antivirus 6.x
http://secunia.com/product/6074/
ZoneAlarm Internet Security Suite 6.x
http://secunia.com/product/6072/
ZoneAlarm Plus 3.x
http://secunia.com/product/3057/
ZoneAlarm Plus 4.x
http://secunia.com/product/151/
ZoneAlarm Pro 2.x
http://secunia.com/product/152/
ZoneAlarm Pro 3.x
http://secunia.com/product/1960/
ZoneAlarm Pro 4.x
http://secunia.com/product/1961/
ZoneAlarm Pro 5.x
http://secunia.com/product/4280/
ZoneAlarm Pro 6.x
http://secunia.com/product/6071/
ZoneAlarm Security Suite 5.x
http://secunia.com/product/4272/
ZoneAlarm Wireless Security 5.x
http://secunia.com/product/4648/

DESCRIPTION:
Some vulnerabilities have been reported in ZoneAlarm products, which can be exploited by malicious, local users to gain escalated privileges.

Insufficient address space verification within the 0x22208F and 0x2220CF IOCTL handlers of SRESCAN.SYS and insecure permissions on the \\.\SreScan DOS device interface can be exploited to e.g.

The vulnerabilities are reported in SRESCAN.SYS version 5.0.63.0 included in the free version of ZoneAlarm. Other versions may also be affected.

SOLUTION:
Update to version 5.0.156.0 or higher of the ZoneAlarm Spyware Removal Engine (current deployed version is 5.0.162.0).
http://www.zonealarm.com/store/content/catalog/download_buy.jsp?dc=12bms&ctry=US&lang=en

PROVIDED AND/OR DISCOVERED BY:
Discovered by Ruben Santamarta and reported via iDefense Labs.

ORIGINAL ADVISORY:
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=517

Reversemode:
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=48

----------------------------------------------------------------------
VAR-200704-0456 CVE-2007-2332 Nortel VPN Router password acquisition vulnerability CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
Nortel VPN Router (aka Contivity) 1000, 2000, 4000, and 5000 before 6_05.140 uses a fixed DES key to encrypt passwords, which allows remote authenticated users to obtain a password via a brute force attack on a hash from the LDAP store. Nortel VPN routers are prone to multiple remote unauthorized-access vulnerabilities due to design errors. Successful exploits will allow attackers to access administrative functionality and completely compromise vulnerable devices or gain direct access to the private network. This issue affects all model numbers for Nortel VPN Routers 1000, 2000, 4000, 5000. Nortel VPN routers were formerly known as Contivity. Nortel VPN routers provide routing, VPN, firewall, bandwidth management, encryption, authentication, and data integrity functions for secure connections over IP networks and the Internet.

----------------------------------------------------------------------

TITLE:
Nortel VPN Router Default User Accounts and Missing Authentication Checks

SECUNIA ADVISORY ID:
SA24962

VERIFY ADVISORY:
http://secunia.com/advisories/24962/

CRITICAL:
Moderately critical

IMPACT:
Security Bypass, Manipulation of data

WHERE:
From remote

OPERATING SYSTEM:
Nortel Contivity VPN Switches
http://secunia.com/product/2425/
Nortel VPN Routers
http://secunia.com/product/2426/

DESCRIPTION:
A vulnerability and a security issue have been reported in Nortel VPN Routers, which can be exploited by malicious people to bypass certain security restrictions or manipulate certain data.

1) Two default user accounts ("FIPSecryptedtest1219" and "FIPSunecryptedtest1219") are configured on the VPN Router, which are not readily visible to the system manager.

2) Missing authentication checks within two template files of the web management tool can be exploited to e.g. modify certain router configurations.

The vulnerability and security issue reportedly affect the following products:
* Contivity 1000 VPN Switch
* Contivity 2000 VPN Switch
* Contivity 4000 VPN Switch
* VPN Router 5000
* VPN Router Portfolio

SOLUTION:
Update to versions 6_05.140, 5_05.304, or 5_05.149.

PROVIDED AND/OR DISCOVERED BY:
The vendor credits Detack GmbH.

ORIGINAL ADVISORY:
Nortel:
http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=567877&RenditionID=&poid=null

----------------------------------------------------------------------
VAR-200704-0314 CVE-2007-2333 Nortel VPN Router private network access vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Nortel VPN Router (aka Contivity) 1000, 2000, 4000, and 5000 before 5_05.149, 5_05.3xx before 5_05.304, and 6.x before 6_05.140 includes the FIPSecryptedtest1219 and FIPSunecryptedtest1219 default accounts in the LDAP template, which might allow remote attackers to access the private network. Nortel VPN routers are prone to multiple remote unauthorized-access vulnerabilities due to design errors. This issue affects all model numbers for Nortel VPN Routers 1000, 2000, 4000, 5000. Nortel VPN routers were formerly known as Contivity. Nortel VPN routers provide routing, VPN, firewall, bandwidth management, encryption, authentication, and data integrity functions for secure connections over IP networks and the Internet. An issue regarding same DES keys used to encrypt user's passwords has also been reported, which can facilitate brute-force attacks on user's passwords if the attacker were to gain access to the LDAP store.
VAR-200704-0315 CVE-2007-2334 Nortel VPN Router management interface access vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Nortel VPN Router (aka Contivity) 1000, 2000, 4000, and 5000 before 5_05.149, 5_05.3xx before 5_05.304, and 6.x before 6_05.140 has two template HTML files lacking certain verification tags, which allows remote attackers to access the administration interface and change the device configuration via certain requests. Nortel VPN routers are prone to multiple remote unauthorized-access vulnerabilities due to design errors. Successful exploits will allow attackers to access administrative functionality and completely compromise vulnerable devices or gain direct access to the private network. This issue affects all model numbers for Nortel VPN Routers 1000, 2000, 4000, 5000. Nortel VPN routers were formerly known as Contivity. Nortel VPN routers provide routing, VPN, firewall, bandwidth management, encryption, authentication, and data integrity functions for secure connections over IP networks and the Internet.
VAR-200705-0404 CVE-2007-2680 Canon Network Camera Server VB100 Series vulnerable to cross-site scripting CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the management interface in Canon Network Camera Server VB100 and VB101 with firmware 3.0 R69 and earlier, and VB150 with firmware 1.1 R39 and earlier, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Exploiting this issue may help the attacker steal cookie-based authentication credentials and launch other attacks. ---------------------------------------------------------------------- Secunia customers receive relevant and filtered advisories. Delivery is done via different channels including SMS, Email, Web, and https based XML feed. Input passed to certain parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. SOLUTION: Update to the latest firmware versions. VB100 V3.0 R71: http://cweb.canon.jp/drv-upd/webview/vb100farm.html VB101 V3.0 R71: http://cweb.canon.jp/drv-upd/webview/vb101farm.html VB150 V1.1 R41: http://cweb.canon.jp/drv-upd/webview/vb150farm.html PROVIDED AND/OR DISCOVERED BY: Reported in a JVN repository. ORIGINAL ADVISORY: Canon: http://cweb.canon.jp/drv-upd/webview/notification.html OTHER REFERENCES: JVN#06735665: http://jvn.jp/jp/JVN%2306735665/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. 
VAR-200704-0020 CVE-2007-2036 Cisco WLC SNMP implementation SNMP variable modification vulnerability

Related entries in the VARIoT exploits database: VAR-E-200704-0339
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The SNMP implementation in the Cisco Wireless LAN Controller (WLC) before 20070419 uses the default read-only community public, and the default read-write community private, which allows remote attackers to read and modify SNMP variables, aka Bug ID CSCse02384. Cisco Wireless LAN Controller (WLC) is prone to multiple remote vulnerabilities, including an unauthorized-access vulnerability, an information-disclosure vulnerability, and a vulnerability that prevents the WLAN's ACLs from being installed. An attacker can exploit these issues to completely compromise the affected device, cause a denial-of-service condition, obtain potentially sensitive information, and gain unauthorized access to the affected device. Cisco Wireless LAN Controllers (WLCs) manage Cisco Aironet access points using the Lightweight Access Point Protocol (LWAPP). This vulnerability is documented as Cisco Bug ID CSCse02384.
VAR-200704-0021 CVE-2007-2037 Cisco WLC denial of service (DoS) vulnerability

Related entries in the VARIoT exploits database: VAR-E-200704-0339
CVSS V2: 2.9
CVSS V3: -
Severity: LOW
Cisco Wireless LAN Controller (WLC) before 3.2.116.21, and 4.0.x before 4.0.155.0, allows remote attackers on a local network to cause a denial of service (device crash) via malformed Ethernet traffic. An attacker can exploit these issues to completely compromise the affected device, cause a denial-of-service condition, obtain potentially sensitive information, and gain unauthorized access to the affected device. Cisco Wireless LAN Controllers (WLCs) manage Cisco Aironet access points using the Lightweight Access Point Protocol (LWAPP). There are multiple security vulnerabilities in the WLC implementation:
Default SNMP community strings: WLC uses the default values public and private as its read-only and read-write SNMP community strings. This vulnerability is documented as Cisco Bug ID CSCse02384.
Malformed Ethernet traffic crash: WLC may crash when processing malformed Ethernet traffic. This vulnerability is documented as Cisco Bug ID CSCsc90179.
Multiple NPU lock-up vulnerabilities: The Network Processing Unit (NPU) is responsible for handling traffic in the WLC. One or more NPUs may lock up if certain types of traffic are sent to the affected WLC, including specially crafted SNAP packets, malformed 802.11 traffic, and packets with unexpected length values in certain headers. Each NPU operates independently, servicing two physical ports on the WLC, and a lock-up of one NPU does not affect the others, so the number of NPUs available and the device configuration determine whether these vulnerabilities result in a partial or complete inability to forward traffic. Clearing an NPU lock-up requires restarting the WLC; if the lock-up prevents access to the management interface, the restart must be performed through the console port or the service port. These vulnerabilities are documented as Cisco Bug IDs CSCsg36361, CSCsg15901, and CSCsh10841.
Hard-coded service password in lightweight APs: Cisco Aironet 1000 Series and 1500 Series Lightweight Access Points include a hard-coded service password for debugging. This service account is only accessible through a physical connection to the console port, but the password is the same for all devices in these families. This vulnerability is documented as Cisco Bug ID CSCsg15192.
WLAN ACLs not loaded after restart: WLC has a flaw in processing WLAN ACLs that causes the WLAN ACL configuration to be saved with an invalid checksum. When the configuration is later reloaded at boot time, the checksum fails validation and the WLAN ACLs are not installed. This vulnerability is documented as Cisco Bug ID CSCse58195.
VAR-200704-0022 CVE-2007-2038 Cisco WLC NPU denial of service (DoS) vulnerability

Related entries in the VARIoT exploits database: VAR-E-200704-0339
CVSS V2: 6.1
CVSS V3: -
Severity: MEDIUM
The Network Processing Unit (NPU) in the Cisco Wireless LAN Controller (WLC) before 3.2.193.5, 4.0.x before 4.0.206.0, and 4.1.x allows remote attackers on a local wireless network to cause a denial of service (loss of packet forwarding) via (1) crafted SNAP packets, (2) malformed 802.11 traffic, or (3) packets with certain header length values, aka Bug ID CSCsg36361. Cisco Wireless LAN Controller (WLC) is prone to multiple remote vulnerabilities, including an unauthorized-access vulnerability, an information-disclosure vulnerability, and a vulnerability that prevents the WLAN's ACLs from being installed. An attacker can exploit these issues to completely compromise the affected device, cause a denial-of-service condition, obtain potentially sensitive information, and gain unauthorized access to the affected device. Cisco Wireless LAN Controllers (WLCs) manage Cisco Aironet access points using the Lightweight Access Point Protocol (LWAPP).
Multiple NPU lock-up vulnerabilities: The Network Processing Unit (NPU) is responsible for handling traffic in the WLC. One or more NPUs may lock up if certain types of traffic are sent to the affected WLC, including specially crafted SNAP packets, malformed 802.11 traffic, and packets with unexpected length values in certain headers. Each NPU operates independently, servicing two physical ports on the WLC, and a lock-up of one NPU does not affect the others, so the number of NPUs available and the device configuration determine whether these vulnerabilities result in a partial or complete inability to forward traffic. Clearing an NPU lock-up requires restarting the WLC; if the lock-up prevents access to the management interface, the restart must be performed through the console port or the service port. These vulnerabilities are documented as Cisco Bug IDs CSCsg36361, CSCsg15901, and CSCsh10841.
VAR-200704-0023 CVE-2007-2039 Cisco WLC NPU denial of service (DoS) vulnerability

Related entries in the VARIoT exploits database: VAR-E-200704-0339
CVSS V2: 6.1
CVSS V3: -
Severity: MEDIUM
The Network Processing Unit (NPU) in the Cisco Wireless LAN Controller (WLC) before 3.2.171.5, 4.0.x before 4.0.206.0, and 4.1.x allows remote attackers on a local wireless network to cause a denial of service (loss of packet forwarding) via (1) crafted SNAP packets, (2) malformed 802.11 traffic, or (3) packets with certain header length values, aka Bug IDs CSCsg15901 and CSCsh10841. Cisco Wireless LAN Controller (WLC) is prone to multiple remote vulnerabilities, including an unauthorized-access vulnerability, an information-disclosure vulnerability, and a vulnerability that prevents the WLAN's ACLs from being installed. An attacker can exploit these issues to completely compromise the affected device, cause a denial-of-service condition, obtain potentially sensitive information, and gain unauthorized access to the affected device. Cisco Wireless LAN Controllers (WLCs) manage Cisco Aironet access points using the Lightweight Access Point Protocol (LWAPP).
Multiple NPU lock-up vulnerabilities: The Network Processing Unit (NPU) is responsible for handling traffic in the WLC. One or more NPUs may lock up if certain types of traffic are sent to the affected WLC, including specially crafted SNAP packets, malformed 802.11 traffic, and packets with unexpected length values in certain headers. Each NPU operates independently, servicing two physical ports on the WLC, and a lock-up of one NPU does not affect the others, so the number of NPUs available and the device configuration determine whether these vulnerabilities result in a partial or complete inability to forward traffic. Clearing an NPU lock-up requires restarting the WLC; if the lock-up prevents access to the management interface, the restart must be performed through the console port or the service port. These vulnerabilities are documented as Cisco Bug IDs CSCsg36361, CSCsg15901, and CSCsh10841.
VAR-200704-0024 CVE-2007-2040 Cisco Aironet Vulnerable to arbitrary operations on devices

Related entries in the VARIoT exploits database: VAR-E-200704-0339
CVSS V2: 6.2
CVSS V3: -
Severity: MEDIUM
Cisco Aironet 1000 Series and 1500 Series Lightweight Access Points before 3.2.185.0, and 4.0.x before 4.0.206.0, have a hard-coded password, which allows attackers with physical access to perform arbitrary actions on the device, aka Bug ID CSCsg15192. Cisco Wireless LAN Controller (WLC) is prone to multiple remote vulnerabilities, including an unauthorized-access vulnerability, an information-disclosure vulnerability, and a vulnerability that prevents the WLAN's ACLs from being installed. An attacker can exploit these issues to completely compromise the affected device, cause a denial-of-service condition, obtain potentially sensitive information, and gain unauthorized access to the affected device. Cisco Wireless LAN Controllers (WLCs) manage Cisco Aironet access points using the Lightweight Access Point Protocol (LWAPP). The service account protected by this hard-coded password is only accessible through a physical connection to the console port, but the password is the same for all devices in these families. This vulnerability is documented as Cisco Bug ID CSCsg15192.
VAR-200704-0025 CVE-2007-2041 Cisco WLC access restriction bypass vulnerability

Related entries in the VARIoT exploits database: VAR-E-200704-0339
CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
Cisco Wireless LAN Controller (WLC) before 4.0.206.0 saves the WLAN ACL configuration with an invalid checksum, which prevents WLAN ACLs from being loaded at boot time, and might allow remote attackers to bypass intended access restrictions, aka Bug ID CSCse58195. Cisco Wireless LAN Controller (WLC) is prone to multiple remote vulnerabilities, including an unauthorized-access vulnerability, an information-disclosure vulnerability, and a vulnerability that prevents the WLAN's ACLs from being installed. An attacker can exploit these issues to completely compromise the affected device, cause a denial-of-service condition, obtain potentially sensitive information, and gain unauthorized access to the affected device. Cisco Wireless LAN Controllers (WLCs) manage Cisco Aironet access points using the Lightweight Access Point Protocol (LWAPP). WLAN ACLs not loaded after restart: WLC has a flaw in processing WLAN ACLs that causes the WLAN ACL configuration to be saved with an invalid checksum, so the ACLs are not installed when the configuration is reloaded at boot time. This vulnerability is documented as Cisco Bug ID CSCse58195.
VAR-200704-0016 CVE-2007-2032 Cisco WCS Vulnerable to arbitrary file modification CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cisco Wireless Control System (WCS) before 4.0.96.0 has a hard-coded FTP username and password for backup operations, which allows remote attackers to read and modify arbitrary files via unspecified vectors related to "properties of the FTP server," aka Bug ID CSCse93014. Cisco Wireless Control System is prone to multiple vulnerabilities, including an unauthorized-access issue, a privilege-escalation issue, and an information-disclosure issue. An attacker can exploit these issues to obtain sensitive information, gain unauthorized access, and elevate privileges, which will compromise affected devices and aid in further attacks. Versions prior to 4.0.96.0 are vulnerable. These issues are being tracked by Cisco Bug IDs CSCse93014, CSCse78596, CSCsg05190, and CSCsg04301. Cisco Wireless Control System (WCS) provides wireless LAN planning and design, system configuration, location tracking, security monitoring and wireless LAN management tools. In some cases, this can lead to modification of system files and compromise of the server.
TITLE: Cisco Wireless Control System Vulnerability and Security Issues
SECUNIA ADVISORY ID: SA24865
VERIFY ADVISORY: http://secunia.com/advisories/24865/
CRITICAL: Moderately critical
IMPACT: Security Bypass, Exposure of system information, Exposure of sensitive information, Privilege escalation, System access
WHERE: From remote
SOFTWARE: Cisco Wireless Control System (WCS) http://secunia.com/product/6332/
DESCRIPTION: A vulnerability and two security issues have been reported in Cisco Wireless Control System (WCS), which can be exploited by malicious users to gain escalated privileges, and by malicious people to disclose sensitive information, bypass certain security restrictions, or potentially compromise a vulnerable system.
1) WCS includes a fixed username and password for backup operations via FTP. This can be exploited to read from and write to arbitrary files on affected systems. Successful exploitation potentially allows the server to be compromised, but requires knowledge of other properties of the FTP server. The security issue has been reported in WCS prior to version 4.0.96.0.
2) An unspecified error exists in the authentication system, which can be exploited by an authenticated user to change his account group membership. Successful exploitation can allow full administrative control of WCS, but requires a valid username and password. The vulnerability is reported in WCS prior to version 4.0.87.0.
3) Certain directories in WCS are not password protected. This can be exploited to disclose certain system information, e.g. organization of the network including access point locations. The security issue is reported in WCS prior to version 4.0.66.0.
SOLUTION: Update to version 4.0.96.0 or later.
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20070412-wcs.shtml
VAR-200704-0019 CVE-2007-2035 Cisco WCS Vulnerability in obtaining network configuration data CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco Wireless Control System (WCS) before 4.0.66.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain network organization data via a direct request for files in certain directories, aka Bug ID CSCsg04301. Cisco Wireless Control System is prone to multiple vulnerabilities, including an unauthorized-access issue, a privilege-escalation issue, and an information-disclosure issue. An attacker can exploit these issues to obtain sensitive information, gain unauthorized access, and elevate privileges, which will compromise affected devices and aid in further attacks. Versions prior to 4.0.96.0 are vulnerable. These issues are being tracked by Cisco Bug IDs CSCse93014, CSCse78596, CSCsg05190, and CSCsg04301. Cisco Wireless Control System (WCS) provides wireless LAN planning and design, system configuration, location tracking, security monitoring and wireless LAN management tools.
1) WCS includes a fixed username and password for backup operations via FTP. This can be exploited to read from and write to arbitrary files on affected systems. Successful exploitation potentially allows the server to be compromised, but requires knowledge of other properties of the FTP server. The security issue has been reported in WCS prior to version 4.0.96.0.
2) An unspecified error exists in the authentication system, which can be exploited by an authenticated user to change his account group membership. Successful exploitation can allow full administrative control of WCS, but requires a valid username and password. The vulnerability is reported in WCS prior to version 4.0.87.0.
3) Certain directories in WCS are not password protected. This can be exploited to disclose certain system information, e.g. organization of the network including access point locations. The security issue is reported in WCS prior to version 4.0.66.0.
SOLUTION: Update to version 4.0.96.0 or later.
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20070412-wcs.shtml
VAR-200704-0018 CVE-2007-2034 Cisco WCS Vulnerabilities in managing applications and networks CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in Cisco Wireless Control System (WCS) before 4.0.87.0 allows remote authenticated users to gain the privileges of the SuperUsers group, and manage the application and its networks, related to the group membership of user accounts, aka Bug ID CSCsg05190. Cisco Wireless Control System is prone to multiple vulnerabilities, including an unauthorized-access issue, a privilege-escalation issue, and an information-disclosure issue. An attacker can exploit these issues to obtain sensitive information, gain unauthorized access, and elevate privileges, which will compromise affected devices and aid in further attacks. Versions prior to 4.0.96.0 are vulnerable. These issues are being tracked by Cisco Bug IDs CSCse93014, CSCse78596, CSCsg05190, and CSCsg04301. Cisco Wireless Control System (WCS) provides wireless LAN planning and design, system configuration, location tracking, security monitoring and wireless LAN management tools. For example, a user in the LobbyAmbassador group can be added to the SuperUsers group.
TITLE: Cisco Wireless Control System Vulnerability and Security Issues
SECUNIA ADVISORY ID: SA24865
VERIFY ADVISORY: http://secunia.com/advisories/24865/
CRITICAL: Moderately critical
IMPACT: Security Bypass, Exposure of system information, Exposure of sensitive information, Privilege escalation, System access
WHERE: From remote
SOFTWARE: Cisco Wireless Control System (WCS) http://secunia.com/product/6332/
DESCRIPTION: A vulnerability and two security issues have been reported in Cisco Wireless Control System (WCS), which can be exploited by malicious users to gain escalated privileges, and by malicious people to disclose sensitive information, bypass certain security restrictions, or potentially compromise a vulnerable system.
1) WCS includes a fixed username and password for backup operations via FTP. This can be exploited to read from and write to arbitrary files on affected systems. Successful exploitation potentially allows the server to be compromised, but requires knowledge of other properties of the FTP server. The security issue has been reported in WCS prior to version 4.0.96.0.
2) An unspecified error exists in the authentication system, which can be exploited by an authenticated user to change his account group membership. Successful exploitation can allow full administrative control of WCS, but requires a valid username and password. The vulnerability is reported in WCS prior to version 4.0.87.0.
3) Certain directories in WCS are not password protected. This can be exploited to disclose certain system information, e.g. organization of the network including access point locations. The security issue is reported in WCS prior to version 4.0.66.0.
SOLUTION: Update to version 4.0.96.0 or later.
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20070412-wcs.shtml
VAR-200704-0017 CVE-2007-2033 Cisco WCS Vulnerability in reading configuration page CVSS V2: 6.5
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in Cisco Wireless Control System (WCS) before 4.0.81.0 allows remote authenticated users to read any configuration page by changing the group membership of user accounts, aka Bug ID CSCse78596. Cisco Wireless Control System is prone to multiple vulnerabilities, including an unauthorized-access issue, a privilege-escalation issue, and an information-disclosure issue. An attacker can exploit these issues to obtain sensitive information, gain unauthorized access, and elevate privileges, which will compromise affected devices and aid in further attacks. Versions prior to 4.0.96.0 are vulnerable. These issues are being tracked by Cisco Bug IDs CSCse93014, CSCse78596, CSCsg05190, and CSCsg04301. Cisco Wireless Control System (WCS) provides wireless LAN planning and design, system configuration, location tracking, security monitoring and wireless LAN management tools. For example, a user in the LobbyAmbassador group can be added to the SuperUsers group.
TITLE: Cisco Wireless Control System Vulnerability and Security Issues
SECUNIA ADVISORY ID: SA24865
VERIFY ADVISORY: http://secunia.com/advisories/24865/
CRITICAL: Moderately critical
IMPACT: Security Bypass, Exposure of system information, Exposure of sensitive information, Privilege escalation, System access
WHERE: From remote
SOFTWARE: Cisco Wireless Control System (WCS) http://secunia.com/product/6332/
DESCRIPTION: A vulnerability and two security issues have been reported in Cisco Wireless Control System (WCS), which can be exploited by malicious users to gain escalated privileges, and by malicious people to disclose sensitive information, bypass certain security restrictions, or potentially compromise a vulnerable system.
1) WCS includes a fixed username and password for backup operations via FTP. This can be exploited to read from and write to arbitrary files on affected systems. Successful exploitation potentially allows the server to be compromised, but requires knowledge of other properties of the FTP server. The security issue has been reported in WCS prior to version 4.0.96.0.
2) An unspecified error exists in the authentication system, which can be exploited by an authenticated user to change his account group membership. Successful exploitation can allow full administrative control of WCS, but requires a valid username and password. The vulnerability is reported in WCS prior to version 4.0.87.0.
3) Certain directories in WCS are not password protected. This can be exploited to disclose certain system information, e.g. organization of the network including access point locations. The security issue is reported in WCS prior to version 4.0.66.0.
SOLUTION: Update to version 4.0.96.0 or later.
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20070412-wcs.shtml
VAR-200704-0695 No CVE Miniwebsvr Server Directory Traversal Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
Miniwebsvr is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the affected application. Information obtained may aid in further attacks. Note that the attacker can traverse to only one directory above the current working directory of the webserver application. Miniwebsvr 0.0.7 is vulnerable to this issue; other versions may also be affected. UPDATE (March 4, 2008): Miniwebsvr 0.0.9a is also reported vulnerable.