VARIoT IoT vulnerabilities database

VAR-200607-0353 | CVE-2006-3592 | CUCM CLI arbitrary command execution vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the command line interface (CLI) in Cisco Unified CallManager (CUCM) 5.0(1) through 5.0(3a) allows local users to execute arbitrary commands with elevated privileges via unspecified vectors, involving "certain CLI commands," aka bug CSCse11005. Cisco Unified CallManager is susceptible to multiple remote vulnerabilities. These specific issues are identified:
- A local privilege-escalation vulnerability, documented as Cisco bug CSCse11005
- A local file-overwrite vulnerability, documented as Cisco bug CSCse31704
- A remote buffer-overflow vulnerability, documented as Cisco bug CSCsd96542
These issues allow local attackers to completely compromise affected devices, and remote attackers to execute arbitrary machine code in the context of the affected service. Cisco Unified CallManager is the software-based call-processing component of the Cisco IP telephony solution. The CallManager CLI provides an alternate management interface to the system for diagnosing and troubleshooting the primary HTTPS-based management interface. The vulnerabilities allow command output to be redirected to a file or folder specified on the command line. Cisco Unified CallManager supports both SCCP and SIP telephony, which allows migration to SIP while still protecting investments in existing equipment.
----------------------------------------------------------------------
Hardcore Disassembler / Reverse Engineer Wanted!
Want to work with IDA and BinDiff?
Want to write PoC's and Exploits?
Your nationality is not important.
We will get you a work permit, find an apartment, and offer a
relocation compensation package.
http://secunia.com/hardcore_disassembler_and_reverse_engineer/
----------------------------------------------------------------------
TITLE:
Cisco Unified CallManager Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA21030
VERIFY ADVISORY:
http://secunia.com/advisories/21030/
CRITICAL:
Highly critical
IMPACT:
Privilege escalation, DoS, System access
WHERE:
From remote
SOFTWARE:
Cisco Unified CallManager 5.x
http://secunia.com/product/11019/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Unified CallManager,
which can be exploited by malicious, local users to gain escalated
privileges or by malicious people to cause a DoS (Denial of Service)
or compromise a vulnerable system.
2) An unspecified error makes it possible for an authenticated
administrator to overwrite arbitrary files or folders with output of
CLI commands.
3) A boundary error within the processing of SIP requests can be
exploited to cause a buffer overflow via an overly long hostname
string in a malicious SIP request.
Successful exploitation causes a DoS or allows execution of arbitrary
code.
The vulnerabilities have been reported in versions 5.0(1), 5.0(2),
5.0(3), and 5.0(3a).
SOLUTION:
Update to version 5.0(4) or later.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20060712-cucm.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200607-0354 | CVE-2006-3593 | CUCM CLI arbitrary file overwrite vulnerability |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
The command line interface (CLI) in Cisco Unified CallManager (CUCM) 5.0(1) through 5.0(3a) allows local users to overwrite arbitrary files by redirecting a command's output to a file or folder, aka bug CSCse31704. Cisco Unified CallManager is susceptible to multiple remote vulnerabilities. These specific issues are identified:
- A local privilege-escalation vulnerability, documented as Cisco bug CSCse11005
- A local file-overwrite vulnerability, documented as Cisco bug CSCse31704
- A remote buffer-overflow vulnerability, documented as Cisco bug CSCsd96542
These issues allow local attackers to completely compromise affected devices, and remote attackers to execute arbitrary machine code in the context of the affected service. Cisco Unified CallManager is the software-based call-processing component of the Cisco IP telephony solution. The CallManager CLI provides an alternate management interface to the system for diagnosing and troubleshooting the primary HTTPS-based management interface. Cisco Unified CallManager supports both SCCP and SIP telephony, which allows migration to SIP while still protecting investments in existing equipment.
----------------------------------------------------------------------
TITLE:
Cisco Unified CallManager Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA21030
VERIFY ADVISORY:
http://secunia.com/advisories/21030/
CRITICAL:
Highly critical
IMPACT:
Privilege escalation, DoS, System access
WHERE:
From remote
SOFTWARE:
Cisco Unified CallManager 5.x
http://secunia.com/product/11019/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Unified CallManager,
which can be exploited by malicious, local users to gain escalated
privileges or by malicious people to cause a DoS (Denial of Service)
or compromise a vulnerable system.
1) Errors in various CLI commands can be exploited by an
authenticated administrator to break out of the CLI environment and
execute arbitrary Linux commands with root privileges.
3) A boundary error within the processing of SIP requests can be
exploited to cause a buffer overflow via an overly long hostname
string in a malicious SIP request.
Successful exploitation causes a DoS or allows execution of arbitrary
code.
The vulnerabilities have been reported in versions 5.0(1), 5.0(2),
5.0(3), and 5.0(3a).
SOLUTION:
Update to version 5.0(4) or later.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20060712-cucm.shtml
----------------------------------------------------------------------
VAR-200607-0355 | CVE-2006-3594 | CUCM Vulnerable to buffer overflow |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in Cisco Unified CallManager (CUCM) 5.0(1) through 5.0(3a) allows remote attackers to execute arbitrary code via a long hostname in a SIP request, aka bug CSCsd96542. Cisco Unified CallManager is susceptible to multiple remote vulnerabilities. Cisco Unified CallManager is the software-based call-processing component of the Cisco IP telephony solution. Cisco Unified CallManager supports both SCCP and SIP telephony, which allows migration to SIP while still protecting investments in existing equipment.
----------------------------------------------------------------------
TITLE:
Cisco Unified CallManager Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA21030
VERIFY ADVISORY:
http://secunia.com/advisories/21030/
CRITICAL:
Highly critical
IMPACT:
Privilege escalation, DoS, System access
WHERE:
From remote
SOFTWARE:
Cisco Unified CallManager 5.x
http://secunia.com/product/11019/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Unified CallManager,
which can be exploited by malicious, local users to gain escalated
privileges or by malicious people to cause a DoS (Denial of Service)
or compromise a vulnerable system.
1) Errors in various CLI commands can be exploited by an
authenticated administrator to break out of the CLI environment and
execute arbitrary Linux commands with root privileges.
2) An unspecified error makes it possible for an authenticated
administrator to overwrite arbitrary files or folders with output of
CLI commands.
Successful exploitation causes a DoS or allows execution of arbitrary
code.
The vulnerabilities have been reported in versions 5.0(1), 5.0(2),
5.0(3), and 5.0(3a).
SOLUTION:
Update to version 5.0(4) or later.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20060712-cucm.shtml
----------------------------------------------------------------------
VAR-200607-0356 | CVE-2006-3595 | Cisco Router Web Setup (CRWS) contains an insecure default IOS configuration |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The default configuration of IOS HTTP server in Cisco Router Web Setup (CRWS) before 3.3.0 build 31 does not require credentials, which allows remote attackers to access the server with arbitrary privilege levels, aka bug CSCsa78190. This issue is due to the application's failure to ensure that remote web-based users are properly authenticated.
This issue allows remote attackers to gain administrative access to affected routers. This may aid them in further attacks.
This vulnerability is documented in Cisco Bug ID CSCsa78190. Other authentication mechanisms can also be configured, including using a local user database, an external RADIUS, or an external TACACS+ server. Privilege level 15 is the highest privilege level in Cisco IOS devices.
----------------------------------------------------------------------
The problem is caused due to the application shipping with an
insecure default Cisco IOS configuration. This can be exploited to
execute arbitrary commands with privilege level 15 via the web
interface.
SOLUTION:
Update to version 3.3.0 build 31.
http://www.cisco.com/pcgi-bin/tablebuild.pl/crws
NOTE: Users upgrading from a previous version, who wish to keep their
existing configuration, should apply the workarounds described in the
vendor advisory.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20060712-crws.shtml
----------------------------------------------------------------------
VAR-200607-0446 | CVE-2006-3561 | BT Voyager 2091 Wireless firmware authentication bypass vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
BT Voyager 2091 Wireless firmware 2.21.05.08m_A2pB018c1.d16d and earlier, and 3.01m and earlier, allow remote attackers to bypass the authentication process and gain sensitive information, such as configuration information via (1) /btvoyager_getconfig.sh, PPP credentials via (2) btvoyager_getpppcreds.sh, and decode configuration credentials via (3) btvoyager_decoder.c. BT Voyager is prone to authentication-bypass vulnerabilities. These issues are due to a flaw in the authentication process of the affected application.
Exploiting these issues may allow attackers to gain unauthorized, remote access to the application's administrative functions.
BT Voyager 2091 Wireless ADSL, Firmware 2.21.05.08m_A2pB018c1.d16d, and Firmware 3.01m are reported vulnerable; other versions may also be affected. NOTE: Other precise reports have related to the "psiBackupInfo" and "connect.html" files, but these vectors were not clear in the original disclosure.
----------------------------------------------------------------------
Hardcore Disassembler / Reverse Engineer
Reversing must be a passion as your skills will be challenged
on a daily basis and you will be working several hours
everyday in IDA, Ollydbg, and with BinDiff. Often, it is also
required that you write a PoC or even a working exploit to
prove that an issue is exploitable.
The problem is caused due to missing authentication checks when
accessing the "psiBackupInfo" and "connect.html" files. Other versions may also be
affected.
SOLUTION:
Filter traffic to affected devices.
PROVIDED AND/OR DISCOVERED BY:
pagvac
ORIGINAL ADVISORY:
http://ikwt.dyndns.org/projects/btvoyager-getconfig.txt
----------------------------------------------------------------------
VAR-200607-0486 | CVE-2006-3603 | FlexWATCH Network Camera of index.php Vulnerable to cross-site scripting |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in index.php in FlexWATCH Network Camera 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the URL. This issue is due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
FlexWATCH 3.0 and prior versions are affected.
----------------------------------------------------------------------
TITLE:
FlexWATCH Network Camera FW-3400 Two Vulnerabilities
SECUNIA ADVISORY ID:
SA20994
VERIFY ADVISORY:
http://secunia.com/advisories/20994/
CRITICAL:
Less critical
IMPACT:
Security Bypass, Cross Site Scripting
WHERE:
From remote
OPERATING SYSTEM:
FlexWATCH Network Camera FW-3400
http://secunia.com/product/10980/
DESCRIPTION:
Jaime Blasco has reported two vulnerabilities in FlexWATCH Network
Camera FW-3400, which can be exploited by malicious people to conduct
cross-site scripting attacks and bypass certain security
restrictions.
Example:
http://[host]/[code]
2) An input validation error in the HTTP request handling can be
exploited to access the administration section without being
authenticated via the "..%2f" directory traversal sequence.
SOLUTION:
Filter malicious characters and character sequences in a proxy server
or firewall with URL filtering capabilities.
PROVIDED AND/OR DISCOVERED BY:
Jaime Blasco
ORIGINAL ADVISORY:
Digital Armaments:
http://www.digitalarmaments.com/2006300687985463.html
----------------------------------------------------------------------
VAR-200607-0333 | CVE-2006-3567 | Juniper Networks DX System log Cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the web administration interface logging feature in Juniper Networks (Redline) DX 5.1.x, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the username login field. Juniper Networks DX is prone to an HTML-injection vulnerability. This vulnerability exists because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would execute in the context of the affected website, potentially allowing the attacker to steal cookie-based authentication credentials, to control how the site is rendered to the user, and to launch other attacks.
Version 5.1 is vulnerable; other versions may also be affected. Juniper's DX application acceleration platform is a solution for improving the performance of Web applications. Because the syslog content in the web administration interface is not properly filtered, a malicious user can inject content into the username login field, resulting in the execution of the injected content if the administrative user browses the syslog.
----------------------------------------------------------------------
TITLE:
Juniper Networks DX System Log Script Insertion
SECUNIA ADVISORY ID:
SA20990
VERIFY ADVISORY:
http://secunia.com/advisories/20990/
CRITICAL:
Moderately critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
SOFTWARE:
Juniper Networks DX 5.x
http://secunia.com/product/10978/
DESCRIPTION:
Darren Bounds has reported a vulnerability for Juniper DX, which can
be exploited by malicious people to conduct script insertion
attacks.
The vulnerability is caused due to insufficient filtering of the
system log when displaying it in the web administration interface.
This can be exploited to insert arbitrary HTML and script code via
e.g. the username login field, which will be executed in a user's
browser session in context of an affected site when malicious data is
viewed.
SOLUTION:
Restrict access to the web administration console to trusted users
only.
PROVIDED AND/OR DISCOVERED BY:
Darren Bounds
ORIGINAL ADVISORY:
http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047772.html
----------------------------------------------------------------------
VAR-200607-0225 | CVE-2006-3529 | Juniper JUNOS IPv6 denial-of-service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Memory leak in Juniper JUNOS 6.4 through 8.0, built before May 10, 2006, allows remote attackers to cause a denial of service (kernel packet memory consumption and crash) via crafted IPv6 packets whose buffers are not released after they are processed. Juniper JUNOS is the routing operating system provided by Juniper Networks. As a result, a remote third party could disrupt service (DoS). JUNOS is prone to a remote denial-of-service vulnerability. This issue arises when the application handles specially crafted IPv6 packets.
All versions of JUNOS Internet Software built prior to May 10, 2006 running on M-series, T-series, and J-series routers are vulnerable. The operating system provides a secure programming interface and Junos SDK. There is a vulnerability in the processing of specific malformed IPv6 packets in JUNOS. Remote attackers may use this vulnerability to perform denial of service attacks on routers.
----------------------------------------------------------------------
TITLE:
Juniper Networks JUNOS IPv6 Packet Handling Denial of Service
SECUNIA ADVISORY ID:
SA21003
VERIFY ADVISORY:
http://secunia.com/advisories/21003/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
From remote
OPERATING SYSTEM:
JUNOS 6.x
http://secunia.com/product/3418/
JUNOS 7.x
http://secunia.com/product/5158/
JUNOS 8.x
http://secunia.com/product/10974/
DESCRIPTION:
A vulnerability has been reported in the M-series, T-series, and
J-Series routers, which can be exploited by malicious people to cause
a DoS (Denial of Service).
Successful exploitation crashes the router.
SOLUTION:
Apply an updated version of the JUNOS software.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.juniper.net/support/security/alerts/IPv6_bug.txt
http://www.juniper.net/support/security/alerts/EXT-PSN-2006-06-017.txt
----------------------------------------------------------------------
VAR-200607-0040 | CVE-2006-3470 | Dell Openmanage CD launches unauthenticated services |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Dell Openmanage CD launches X11 and SSH daemons that do not require authentication, which allows remote attackers to gain privileges
VAR-200607-0095 | CVE-2006-3356 | Apple OS X ImageIO TIFFFetchAnyArray function denial of service vulnerability |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
The TIFFFetchAnyArray function in ImageIO in Apple OS X 10.4.7 and earlier allows remote user-assisted attackers to cause a denial of service (application crash) via an invalid tag value in a TIFF image, possibly triggering a null dereference. NOTE: This is a different issue than CVE-2006-1469. Mac OS X is prone to a denial-of-service vulnerability
VAR-200607-0340 | CVE-2006-3574 | Cross-site scripting vulnerability in Hitachi Groupmax Collaboration Portal and related products |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Hitachi Groupmax Collaboration Portal and Web Client before 07-20-/D, and uCosminexus Collaboration Portal and Forum/File Sharing before 06-20-/C, allow remote attackers to "execute malicious scripts" via unknown vectors (aka HS06-014-01).
An attacker may leverage these issues to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
----------------------------------------------------------------------
Reverse Engineer Wanted
Secunia offers a Security Specialist position with emphasis on
reverse engineering of software and exploit code, auditing of
source code, and analysis of vulnerability reports.
Input passed to unspecified parameters is not properly sanitised
before being returned to the user.
SOLUTION:
Fixes are available (see patch matrix in the vendor's advisory).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Hitachi:
http://www.hitachi-support.com/security_e/vuls_e/HS06-014_e/index-e.html
----------------------------------------------------------------------
VAR-200607-0111 | CVE-2006-3372 | Apple Safari denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Apple Safari 2.0.4/419.3 allows remote attackers to cause a denial of service (application crash) via a DHTML setAttributeNode function call with zero arguments, which triggers a null dereference. Apple Safari contains a denial-of-service (DoS) vulnerability; a third party could exploit it to put the browser into a denial-of-service state. Apple Safari web browser is prone to a denial-of-service vulnerability when parsing certain malformed DHTML elements.
An attacker can exploit this issue to crash an affected browser
VAR-200607-0435 | CVE-2006-3550 | F5 Firepass 4100 SSL VPN Multiple Unknown Cross-Site Scripting Vulnerabilities |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
Multiple cross-site scripting (XSS) vulnerabilities in F5 Networks FirePass 4100 5.x allow remote attackers to inject arbitrary web script or HTML via unspecified "writable form fields and hidden fields," including "authentication frontends." F5 Firepass 4100 SSL VPN is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage these issues to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks
VAR-200607-0093 | CVE-2006-3354 | Microsoft Internet Explorer ADODB.Recordset Null pointer reference denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Microsoft Internet Explorer 6 allows remote attackers to cause a denial of service (crash) by setting the Filter property of an ADODB.Recordset ActiveX object to certain values multiple times, which triggers a null dereference. Microsoft Internet Explorer is prone to a denial-of-service condition when processing the 'ADODB.Recordset Filter Property' COM object.
A successful attack may cause the browser to fail due to a null-pointer dereference. Microsoft Internet Explorer is a very popular web browser released by Microsoft. When the Filter property of the ADODB.Recordset ActiveX object is assigned different values three times, a null-pointer dereference is triggered. If a user is tricked into visiting a malicious web page containing malformed ActiveX reference code, IE crashes, causing a denial of service
VAR-200607-0137 | CVE-2006-3398 | Taskjitsu form field password hash sensitive information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The "change password forms" in Taskjitsu before 2.0.1 include password hashes in hidden form fields, which allows remote attackers to obtain sensitive information from the (1) Category Editor and (2) User Information editor. Taskjitsu is prone to multiple information-disclosure vulnerabilities.
VAR-200606-0398 | CVE-2006-1467 | Apple iTunes AAC File Parsing Integer Overflow Vulnerability |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Integer overflow in the AAC file parsing code in Apple iTunes before 6.0.5 on Mac OS X 10.2.8 or later, and Windows XP and 2000, allows remote user-assisted attackers to execute arbitrary code via an AAC (M4P, M4A, or M4B) file with a sample table size (STSZ) atom with a "malformed" sample_size_table value. Apple iTunes does not properly parse AAC files. This vulnerability may allow a remote attacker to execute arbitrary code. Exploitation requires an attacker to convince a target user to open a malicious playlist file. The specific flaw exists during the processing of malicious AAC media files such as those with extensions .M4A and .M4P. During the parsing of the sample table size atom (STSZ), a malformed 'sample_size_table' value can trigger an integer overflow leading to an exploitable memory corruption. iTunes is prone to an integer-overflow vulnerability. This may help the attacker gain unauthorized access or escalate privileges. Apple iTunes is a media player program. ZDI-06-020: Apple iTunes AAC File Parsing Integer Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-020.html
June 29, 2006
-- CVE ID:
CVE-2006-1467
-- Affected Vendor:
Apple
-- Affected Products:
iTunes
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since April 3, 2006 by Digital Vaccine protection
filter ID 4282.
-- Vendor Response:
Apple has addressed this issue in the latest release of iTunes, version
6.0.5. More information is available from the vendor web site at:
http://docs.info.apple.com/article.html?artnum=303952
-- Disclosure Timeline:
2006.04.03 - Digital Vaccine released to TippingPoint customers
2006.04.07 - Vulnerability reported to vendor
2006.06.29 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by ATmaCA.
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product
VAR-200607-0032 | CVE-2006-3489 | F-Secure Anti-Virus/ Internet Security/Service Platform for Service Providers Special file name evades scanning vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
F-Secure Anti-Virus 2003 through 2006 and other versions, Internet Security 2003 through 2006, and Service Platform for Service Providers 6.x and earlier allow remote attackers to bypass anti-virus scanning via a crafted filename. Multiple products by F-Secure are prone to scan-evasion vulnerabilities.
Exploitation of these vulnerabilities may result in a false sense of security and in the execution of malicious applications. This could potentially lead to a malicious code infection.
----------------------------------------------------------------------
1) An unspecified error within the handling of executable programs
where the name has been manipulated in a certain way can be exploited
to bypass the anti-virus scanning functionality.
2) An error causes files on removable media to not be scanned when
the "Scan network devices" option has been disabled.
SOLUTION:
Apply patches (see patch matrix in the vendor's advisory).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
F-Secure:
http://www.f-secure.com/security/fsc-2006-4.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200607-0083 | CVE-2006-3344 | Siemens SpeedStream Wireless Router Universal Plug and Play UPnP Authentication Bypass Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Siemens Speedstream Wireless Router 2624 allows local users to bypass authentication and access protected files by using the Universal Plug and Play UPnP/1.0 component. The Siemens SpeedStream wireless router contains a vulnerability related to authorization, privileges, and access control. A third party may obtain or tamper with information, or cause a denial-of-service (DoS) condition. The Siemens SpeedStream Wireless Router web interface is prone to an authentication-bypass vulnerability.
This may permit an attacker to bypass the authentication mechanism and gain access to the web interface.
Version 2624 is vulnerable; other versions may be affected.
VAR-200606-0246 | CVE-2006-3286 | Cisco Wireless control system unknown WCS file Input validation vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The internal database in Cisco Wireless Control System (WCS) for Linux and Windows before 3.2(63) stores a hard-coded username and password in plaintext within unspecified files, which allows remote authenticated users to access the database (aka bug CSCsd15951). Cisco Wireless Control System is prone to multiple security vulnerabilities.
The following issues have been disclosed:
- Authorization-bypass vulnerability due to multiple hardcoded username and password pairs
- Arbitrary file access vulnerability
- Cross-site scripting vulnerability
- Information-disclosure vulnerability
An attacker can exploit these issues to retrieve potentially sensitive information, overwrite files, perform cross-site scripting attacks, and gain unauthorized access; other attacks are also possible.
----------------------------------------------------------------------
TITLE:
Cisco Wireless Control System Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA20870
VERIFY ADVISORY:
http://secunia.com/advisories/20870/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass, Cross Site Scripting, Exposure of system
information, Exposure of sensitive information, System access
WHERE:
From remote
SOFTWARE:
Cisco Wireless Control System (WCS) 1.x
http://secunia.com/product/6332/
DESCRIPTION:
Some vulnerabilities and a security issue have been reported in Cisco
Wireless Control System (WCS), which can be exploited by malicious,
local users to gain knowledge of sensitive information, and by
malicious people to gain knowledge of sensitive information, conduct
cross-site scripting attacks, bypass certain security restrictions
and potentially compromise a vulnerable system.
1) An undocumented username and hard-coded password exists in the
WCS. This can be exploited to connect to the WCS internal database
and to gain access to the configuration information of managed
wireless access points.
The security issue has been reported in WCS for Linux and Windows
3.2(40) and prior.
2) Undocumented database username and password are stored in clear
text in several WCS files. This can potentially be exploited by local
users to gain knowledge of the user credentials and to gain access to
the database.
The vulnerability has been reported in WCS for Linux and Windows
3.2(51) and prior.
3) An error within the internal TFTP server allows reading from or
writing to arbitrary locations in the filesystem of a WCS system.
Successful exploitation requires that the configured root directory
of the TFTP server contains a space character.
The vulnerability has been reported in WCS for Linux and Windows
3.2(51) and prior.
4) Input passed to an unspecified parameter in the login page is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.
The vulnerability has been reported in WCS for Linux and Windows
3.2(51) and prior.
5) An access control error within the WCS HTTP server can be
exploited to gain access to certain directories, which may contain
sensitive information like WCS usernames and directory paths.
The vulnerability has been reported in WCS for Linux and Windows
3.2(51) and prior.
Note: It has also been reported that WCS for Linux and Windows 4.0(1)
and prior are installed with a default administrator username root,
with a default password of public.
SOLUTION:
Update to WCS for Linux and Windows 3.2(63) or later.
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Default administrator passwords should be changed after installation.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml
----------------------------------------------------------------------
VAR-200606-0247 | CVE-2006-3287 | Cisco Wireless Control System for Linux and Windows 4.0(1) vulnerability that allows access to be gained |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco Wireless Control System (WCS) for Linux and Windows 4.0(1) and earlier uses a default administrator username "root" and password "public," which allows remote attackers to gain access (aka bug CSCse21391). The vendor has confirmed this vulnerability and released it as Bug ID CSCse21391. Access may be obtained by a third party. Cisco Wireless Control System is prone to multiple security vulnerabilities.
The following issues have been disclosed:
- Authorization-bypass vulnerability due to multiple hardcoded username and password pairs
- Arbitrary file access vulnerability
- Cross-site scripting vulnerability
- Information-disclosure vulnerability
An attacker can exploit these issues to retrieve potentially sensitive information, overwrite files, perform cross-site scripting attacks, and gain unauthorized access; other attacks are also possible.
----------------------------------------------------------------------
TITLE:
Cisco Wireless Control System Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA20870
VERIFY ADVISORY:
http://secunia.com/advisories/20870/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass, Cross Site Scripting, Exposure of system
information, Exposure of sensitive information, System access
WHERE:
From remote
SOFTWARE:
Cisco Wireless Control System (WCS) 1.x
http://secunia.com/product/6332/
DESCRIPTION:
Some vulnerabilities and a security issue have been reported in Cisco
Wireless Control System (WCS), which can be exploited by malicious,
local users to gain knowledge of sensitive information, and by
malicious people to gain knowledge of sensitive information, conduct
cross-site scripting attacks, bypass certain security restrictions
and potentially compromise a vulnerable system.
1) An undocumented username and hard-coded password exists in the
WCS. This can be exploited to connect to the WCS internal database
and to gain access to the configuration information of managed
wireless access points.
The security issue has been reported in WCS for Linux and Windows
3.2(40) and prior.
2) Undocumented database username and password are stored in clear
text in several WCS files. This can potentially be exploited by local
users to gain knowledge of the user credentials and to gain access to
the database.
3) An error within the internal TFTP server allows reading from or
writing to arbitrary locations in the filesystem of a WCS system.
Successful exploitation requires that the configured root directory
of the TFTP server contains a space character.
4) Input passed to an unspecified parameter in the login page is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.
5) An access control error within the WCS HTTP server can be
exploited to gain access to certain directories, which may contain
sensitive information like WCS usernames and directory paths.
SOLUTION:
Update to WCS for Linux and Windows 3.2(63) or later.
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Default administrator passwords should be changed after installation.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml
----------------------------------------------------------------------