VARIoT IoT vulnerabilities database
VAR-190001-0481 | No CVE | Sagem F@st 3304 Router PPPoE Credential Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Sagem F@st 3304 is an ADSL device. The Sagem F@st 3304 router does not properly restrict access to sensitive information, and remote attackers can exploit the vulnerability to obtain the router's PPPoE password.
VAR-190001-0137 | No CVE | CiscoKits CCNA TFTP Server Long File Name Remote Denial of Service Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
CiscoKits CCNA TFTP Server is prone to a remote denial-of-service vulnerability.
Successfully exploiting this issue allows remote attackers to crash the affected application, denying service to legitimate users.
CiscoKits CCNA TFTP Server 1.0 is affected; other versions may also be vulnerable.
VAR-190001-0681 | No CVE | Pragyan CMS 'frmupload.html' Arbitrary File Upload Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Pragyan CMS is prone to an arbitrary-file-upload vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
Pragyan CMS 2.6.1 is vulnerable; other versions may also be affected.
VAR-190001-0048 | No CVE | ZTE ZXDSL 831-II Modem Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
ZTE ZXDSL 831-II is an ADSL device issued by ZTE Corporation. Because the application displays authentication credentials in the accessaccount.cgi script, an attacker can obtain sensitive information. A cross-site request forgery vulnerability also exists in the ZTE ZXDSL 831 II modem: because the web interface allows certain operations to be performed through HTTP requests without strict verification of the request, an attacker can construct a malicious link, entice a user to open it, and perform various operations with administrator privileges, such as changing the administrator password. ZTE ZXDSL 831-II is prone to a cross-site request-forgery vulnerability and an information-disclosure vulnerability.
Attackers can exploit the information-disclosure issue to obtain sensitive information that may aid in launching further attacks.
Exploiting the cross-site request-forgery may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application. Other attacks are also possible.
----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
ZTE ZXDSL 831 II Modem Cross-Site Request Forgery and Information
Disclosure Vulnerabilities
SECUNIA ADVISORY ID:
SA46659
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46659/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46659
RELEASE DATE:
2011-11-08
DISCUSS ADVISORY:
http://secunia.com/advisories/46659/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46659/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46659
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in the ZTE ZXDSL 831 II modem,
which can be exploited by malicious people to conduct cross-site
request forgery attacks and to disclose sensitive information. This can be exploited to e.g. change an
administrator's password by tricking a logged in administrator into
visiting a malicious web site.
The vulnerabilities are reported in version 7.5.0a_Z29_OV. Other
versions may also be affected.
SOLUTION:
Restrict access to trusted users only. Do not browse untrusted
websites or follow untrusted links while logged in to the
application.
PROVIDED AND/OR DISCOVERED BY:
Mehdi Boukazoula and Ibrahim Debeche.
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-190001-1102 | No CVE | Trend Micro Control Manager 'module' Parameter directory traversal vulnerability |
CVSS V2: - CVSS V3: - Severity: MEDIUM |
Trend Micro Control Manager (TMCM) is a centralized security management console from Trend Micro that enables unified coordination of Trend Micro products and services. The input passed to the WebApp/widget/proxy_request.php script via the "module" parameter is not validated before being used to read a file, so an attacker can read arbitrary local files by supplying directory traversal sequences. Trend Micro Control Manager is prone to a directory-traversal vulnerability because the application fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain arbitrary local files in the context of the webserver process.
----------------------------------------------------------------------
TITLE:
Trend Micro Control Manager "module" File Disclosure Vulnerability
SECUNIA ADVISORY ID:
SA44970
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44970/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44970
RELEASE DATE:
2011-07-13
DISCUSS ADVISORY:
http://secunia.com/advisories/44970/#comments
DESCRIPTION:
Sow Ching Shiong has discovered a vulnerability in Trend Micro
Control Manager, which can be exploited by malicious users to
disclose sensitive information.
The vulnerability is confirmed in version 5.5 (Build 1250). Other
versions may also be affected.
SOLUTION:
Apply hotfix 1470. Please contact the vendor for details.
PROVIDED AND/OR DISCOVERED BY:
Sow Ching Shiong via Secunia.
----------------------------------------------------------------------
VAR-190001-0949 | No CVE | D-Link DNS-320 ShareCenter Denial of Service Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
The D-Link DNS-320 is a storage device for small business users. The D-Link DNS-320 has multiple security vulnerabilities that can be exploited for denial of service attacks. dsk_mgr.cgi allows a restart to be triggered by a POST request with the cmd=FMT_restart parameter. system_mgr.cgi allows a restart to be triggered by a POST request with the cmd=cgi_restart or cmd=cgi_reboo parameter, and a shutdown by a POST request with the cmd=cgi_shutdown parameter. wizard_mgr.cgi allows the firmware to be executed by a POST request with the cmd=cgi_wizard parameter. D-Link DNS-320 ShareCenter is prone to a denial-of-service vulnerability.
Successful exploits will cause an affected device to reload or shut down, denying service to legitimate users.
VAR-201210-0426 | CVE-2012-5293 |
SAPID CMS In PHP Remote file inclusion vulnerability
Related entries in the VARIoT exploits database: VAR-E-201201-0557 |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple PHP remote file inclusion vulnerabilities in SAPID CMS 1.2.3 Stable allow remote attackers to execute arbitrary PHP code via a URL in the (1) GLOBALS[root_path] parameter to usr/extensions/get_tree.inc.php or (2) root_path parameter to usr/extensions/get_infochannel.inc.php. SAPID CMS is a content management system.
An attacker can exploit these vulnerabilities to obtain potentially sensitive information or to execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
SAPID CMS 1.2.3 is vulnerable; other versions may also be affected.
VAR-190001-1057 | No CVE | Cloupia FlexPod Management and Automation Directory Traversal Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: MEDIUM |
Cloupia provides end-to-end FlexPod configuration, management, and automation solutions. Cloupia End-To-End FlexPod Management has a directory traversal vulnerability in its jQuery File Tree module, a configurable Ajax file browser jQuery plugin. Unauthenticated access to this module allows a remote attacker to browse the entire file system on the host server. FlexPod Management & Automation is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue can allow an attacker to read arbitrary files outside of the server root directory. This may aid in further attacks.
VAR-190001-0887 | No CVE | SAP WebAS 'cachetest' Service denial of service vulnerability |
CVSS V2: - CVSS V3: - Severity: HIGH |
SAP Web Application Server (sometimes called WebAS) is the runtime environment for SAP applications; all mySAP Business Suite solutions (SRM, CRM, SCM, PLM, ERP) run on SAP WebAS. SAP Web Application Server has an input validation vulnerability in the 'cachetest' service. An unauthenticated attacker can exploit the vulnerability to remotely crash the SAP Web Application Server, causing a denial of service. SAP WebAS is prone to a denial-of-service vulnerability.
Attackers may leverage this issue to crash the affected application, denying service to legitimate users.
VAR-201201-0130 | CVE-2012-0902 |
AirTies Air 4450 'cgi-bin/loader' Denial of Service Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201201-0283 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
AirTies Air 4450 1.1.2.18 allows remote attackers to cause a denial of service (reboot) via a direct request to cgi-bin/loader. AirTies Air is a set-top box device. Air 4450 is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to reboot. Repeated attempts will result in a denial-of-service condition.
VAR-190001-1125 | No CVE | Hitachi Multiple Products Cosminexus XML Processor Denial of Service Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Multiple Hitachi products have a security vulnerability that allows malicious users to conduct denial of service attacks against the applications. The problem exists in the Cosminexus XML processor; no further details are currently available.
A remote attacker can leverage this issue to cause a denial-of-service condition.
The following products are vulnerable:
Cosminexus
uCosminexus Application Server
uCosminexus Client
uCosminexus Developer
uCosminexus Operator
uCosminexus Service Architect
uCosminexus Service Platform.
----------------------------------------------------------------------
TITLE:
Hitachi Products Cosminexus XML Processor Denial of Service
Vulnerability
SECUNIA ADVISORY ID:
SA45863
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45863/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45863
RELEASE DATE:
2011-09-05
DISCUSS ADVISORY:
http://secunia.com/advisories/45863/#comments
DESCRIPTION:
A vulnerability has been reported in multiple Hitachi products, which
can be exploited by malicious people to cause a DoS (Denial of
Service). No further information is currently
available.
Please see the vendor's advisory for a list of affected versions.
SOLUTION:
Apply updates. Please see vendor's advisory for details.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Hitachi (Japanese):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS11-018/index.html
----------------------------------------------------------------------
VAR-190001-0617 | No CVE | Hitachi JP1/Cm2/Network Node Manager has multiple unknown vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
Hitachi JP1/Cm2/Network Node Manager has security vulnerabilities that allow a malicious user to conduct a denial of service attack or take control of the application. No detailed information is currently available; exploitation can lead to application crashes or arbitrary code execution.
Successfully exploiting these issues allows remote attackers to cause denial-of-service conditions.
----------------------------------------------------------------------
TITLE:
Hitachi JP1/Cm2/Network Node Manager Multiple Unspecified
Vulnerabilities
SECUNIA ADVISORY ID:
SA45710
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45710/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45710
RELEASE DATE:
2011-08-27
DISCUSS ADVISORY:
http://secunia.com/advisories/45710/#comments
DESCRIPTION:
Multiple vulnerabilities have been reported in Hitachi
JP1/Cm2/Network Node Manager, which can be exploited by malicious
people to cause a DoS (Denial of Service) or potentially compromise a
vulnerable system.
Please see the vendor's advisory for a list of affected products and
versions.
SOLUTION:
Apply updates (Please see vendor's advisory for details). Restrict
access to trusted hosts only.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Hitachi (Japanese):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS11-017/index.html
----------------------------------------------------------------------
VAR-201111-0152 | CVE-2011-4559 |
vTiger CRM Calendar Module SQL Injection Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201110-0032 |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. vtiger CRM is a web-based Customer Relationship Management (CRM) system built around Sales Force Automation (SFA); it provides functions such as management, collection, and analysis of customer information. vtiger CRM is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
vtiger CRM 5.2.1 is vulnerable; prior versions may also be affected.
VAR-190001-0525 | No CVE | Cyclope Internet Filtering Proxy 'user' HTML Injection Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
The Cyclope Internet Filtering Proxy monitors all Internet traffic and blocks access to websites and files based on selected filtering criteria. The web-based management console does not sufficiently filter input and is affected by a cross-site scripting vulnerability. Both whitelist and blacklist modes are affected. Sending malicious script code in the form <user>USER</user><computer>COMPUTER</computer><ip>IP ADDY</ip>\n, in the correct order, to the default record port 8585 results in an XSS attack because no filtering is applied.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
VAR-201111-0308 | CVE-2011-3320 | GE Intelligent Platforms Proficy Historian Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the Web Administrator component in GE Intelligent Platforms Proficy Historian 4.x and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. GE Proficy Historian is an industrial system that collects, archives and distributes very large amounts of real-time data at high speed, improving operational visibility and the bottom line.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
All versions of Proficy Historian, Proficy HMI/SCADA-CIMPLICITY 8.1 and 8.2, and Proficy HMI/SCADA-iFIX 5.0 and 5.1 are vulnerable.
----------------------------------------------------------------------
TITLE:
Proficy Historian Cross-Site Scripting and Buffer Overflow
Vulnerabilities
SECUNIA ADVISORY ID:
SA46699
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46699/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46699
RELEASE DATE:
2011-11-02
DISCUSS ADVISORY:
http://secunia.com/advisories/46699/#comments
DESCRIPTION:
Multiple vulnerabilities have been reported in Proficy Historian,
which can be exploited by malicious people to conduct cross-site
scripting attacks and compromise a vulnerable system.
2) An error in the Data Archiver service (ihDataArchiver.exe or
ihDataArchiver_x64.exe) when processing certain network messages can
be exploited to cause a stack-based buffer overflow via a specially
crafted packet sent to TCP port 14000.
Successful exploitation of this vulnerability may allow execution of
arbitrary code.
Please see the vendor's advisories for a list of affected versions.
SOLUTION:
Apply updates.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Billy Rios and Terry McCorkle via ICS-CERT.
2) Luigi Auriemma via ZDI.
ORIGINAL ADVISORY:
GE (GEIP11-01, GEIP11-03):
http://support.ge-ip.com/support/resources/sites/GE_FANUC_SUPPORT/content/live/KB/14000/KB14493/en_US/GEIP11-03%20Security%20Advisory%20-%20Proficy%20Historian%20Web%20Administrator.pdf
http://support.ge-ip.com/support/resources/sites/GE_FANUC_SUPPORT/content/live/KB/14000/KB14493/en_US/GEIP11-01%20Security%20Advisory%20-%20Proficy%20Historian%20ihDataArchiver.pdf
----------------------------------------------------------------------
VAR-201112-0098 | CVE-2011-5008 |
3S CoDeSys GatewayService Component Integer Overflow Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201111-0008, VAR-E-201111-0006, VAR-E-201111-0009, VAR-E-201111-0007 |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Integer overflow in the GatewayService component in 3S CoDeSys 3.4 SP4 Patch 2 allows remote attackers to execute arbitrary code via a large size value in the packet header, which triggers a heap-based buffer overflow. CoDeSys is a powerful PLC software programming tool that supports the six IEC 61131-3 standard PLC programming languages IL, ST, FBD, LD, CFC and SFC. GatewayService has an integer overflow: it uses the 32-bit value at offset 0x0c of the header as the size of the received data, adds 0x34 to it and allocates that amount of memory, which can cause an integer overflow. CmpWebServer is a component of the 3SRTESrv3 and CoDeSysControlService services that handles connections on port 8080. The function at 0040f480 copies the input URI into a limited stack buffer, which can trigger a buffer overflow. Handling of the Content-Length value in an HTTP POST request can trigger a NULL pointer dereference. An integer overflow vulnerability exists in the GatewayService component in the 3S CoDeSys 3.4 SP4 Patch 2 release. CoDeSys is prone to a stack-based buffer-overflow and an integer-overflow vulnerability.
Attackers can exploit these issues to execute arbitrary code within the context of the application. Failed attacks may cause a denial-of-service condition.
----------------------------------------------------------------------
TITLE:
CoDeSys Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA47018
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/47018/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=47018
RELEASE DATE:
2011-12-01
DISCUSS ADVISORY:
http://secunia.com/advisories/47018/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/47018/
DESCRIPTION:
Luigi Auriemma has discovered multiple vulnerabilities in CoDeSys,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and compromise a vulnerable system.
2) A boundary error in the Control service when processing web
requests can be exploited to cause a stack-based buffer overflow via
an overly long URL sent to TCP port 8080.
3) A NULL pointer dereference error in the CmbWebserver.dll module of
the Control service when processing HTTP POST requests can be
exploited to deny processing further requests via a specially crafted
"Content-Length" header sent to TCP port 8080.
4) A second NULL pointer dereference error in the CmbWebserver.dll
module of the Control service when processing web requests can be
exploited to deny processing further requests by sending a request
with an unknown HTTP method to TCP port 8080.
5) An error in the Control service when processing web requests
containing a non-existent directory can be exploited to create
arbitrary directories within the webroot via requests sent to TCP
port 8080.
The vulnerabilities are confirmed in version 3.4 SP4 Patch 2. Other
versions may also be affected.
SOLUTION:
Restrict access to trusted hosts only.
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma
ORIGINAL ADVISORY:
http://aluigi.altervista.org/adv/codesys_1-adv.txt
VAR-201112-0097 | CVE-2011-5007 |
3S CoDeSys CmpWebServer Component Buffer Overflow Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201111-0008, VAR-E-201111-0006, VAR-E-201111-0009, VAR-E-201111-0007 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in the CmpWebServer component in 3S CoDeSys 3.4 SP4 Patch 2 and earlier, as used on the ABB AC500 PLC and possibly other products, allows remote attackers to execute arbitrary code via a long URI to TCP port 8080. CoDeSys is a PLC software programming tool that supports the six IEC 61131-3 standard languages IL, ST, FBD, LD, CFC and SFC. The GatewayService contains an integer overflow: it reads the 32-bit value at offset 0x0c of the packet header as the size of the received data, adds 0x34 to it and allocates that amount of memory, so a large size value wraps the addition and the allocation is too small for the data that follows. CmpWebServer is the component of the 3SRTESrv3 and CoDeSysControlService services that handles connections on port 8080. The function at 0040f480 copies the request URI into a fixed-size stack buffer, which can trigger a stack-based buffer overflow. 3S CoDeSys also mishandles the Content-Length value of an HTTP POST request, which triggers a NULL pointer dereference. CoDeSys is prone to a stack-based buffer-overflow and an integer-overflow vulnerability. Failed attacks may cause a denial-of-service condition
VAR-201111-0006 | CVE-2011-1919 | GE Proficy Plant Application component remote stack buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple stack-based buffer overflows in GE Intelligent Platforms Proficy Applications before 4.4.1 SIM 101 and 5.x before 5.0 SIM 43 allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via crafted TCP message traffic to (1) PRProficyMgr.exe in Proficy Server Manager, (2) PRGateway.exe in Proficy Server Gateway, (3) PRRDS.exe in Proficy Remote Data Service, or (4) PRLicenseMgr.exe in Proficy Server License Manager. GE Proficy Plant Applications is a smart factory solution that supports business decisions based on real-time plant data. A security vulnerability exists in multiple Proficy services, allowing an attacker to gain control of the system. The GE Proficy Plant Applications component that handles inbound TCP/IP messaging contains a stack-based buffer overflow. The vulnerability affects the following services: (1) Proficy Server Manager (PRProficyMgr.exe), which listens on TCP port 12293 by default; (2) Proficy Service Gateway (PRGateway.exe), which listens on TCP port 12294 by default; (3) Proficy Remote Data Service (PRRDS.exe), which listens on TCP port 12299 by default; (4) Proficy Server License Manager (PRLicenseMgr.exe), which listens on TCP port 12401 by default. GE Proficy Plant Applications is prone to a remote stack buffer-overflow vulnerability.
An attacker could exploit this issue to execute arbitrary code with administrative privileges. Successfully exploiting this issue will result in the complete compromise of the affected computer.
----------------------------------------------------------------------
TITLE:
Proficy Plant Applications Multiple Services Buffer Overflow
Vulnerabilities
SECUNIA ADVISORY ID:
SA46700
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46700/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46700
RELEASE DATE:
2011-11-02
DESCRIPTION:
Multiple vulnerabilities have been reported in Proficy Plant
Applications, which can be exploited by malicious people to
compromise a vulnerable system.
Please see the vendor's advisory for a list of affected versions.
SOLUTION:
Apply updates.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Luigi Auriemma via ZDI.
ORIGINAL ADVISORY:
GE (GEIP-11-02):
http://support.ge-ip.com/support/resources/sites/GE_FANUC_SUPPORT/content/live/KB/14000/KB14493/en_US/GEIP11-02%20Security%20Advisory%20-%20Proficy%20Plant%20Applications%20services.pdf
VAR-190001-1008 | No CVE | Pantech Link Mobile Browser Certificate Verification Security Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Pantech Link is a mobile phone with a 2.4" LCD screen and a full keyboard. The SSL certificate parsing in the Pantech Link/P7040P browser does not correctly check the "Basic Constraints" extension of the certificates in a chain. By using a legitimate end-entity certificate to sign a new certificate, an attacker can obtain a "valid" certificate for any domain. For example: TrustedCA -> somedomain.com (legitimate certificate) -> api.someotherdomain.com (signed by somedomain.com). Using this technique, any SSL communication with a server presenting the api.someotherdomain.com certificate can be transparently intercepted. The browser of Pantech Link phones is prone to a security weakness because it fails to verify SSL certificates presented by a remote server.
An attacker can exploit this weakness to masquerade as a legitimate server using a man-in-the-middle attack or to launch other attacks, such as phishing
VAR-201301-0177 | CVE-2012-6500 | Pragyan CMS of download.lib.php Vulnerable to directory traversal |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in download.lib.php in Pragyan CMS 3.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the fileget parameter in a profile action to index.php. Arbitrary files may be read via a fileget parameter containing a .. (dot dot) sequence. Pragyan CMS is prone to a remote file-disclosure vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to view local files in the context of the webserver process, which may aid in further attacks.
Pragyan CMS 3.0 is vulnerable; other versions may also be affected