VARIoT IoT vulnerabilities database


VAR-200607-0200 CVE-2006-3688 Francisco Charrua Photo-Gallery Room.php SQL injection vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
SQL injection vulnerability in Room.php in Francisco Charrua Photo-Gallery 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. Photo-Gallery is prone to an SQL-injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation. Photo-Gallery version 1.0 is vulnerable to this issue; other versions may also be affected.
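The id-parameter injection described above, shown as an added example that is not code from Photo-Gallery (its PHP source is not on this page): a lookup that concatenates the parameter into the query text, beside a version that parses the parameter as the integer it is meant to be and binds it. The table layout and sample rows are constructed stand-ins for the gallery's data.

```python
import sqlite3

# Constructed sample data standing in for Photo-Gallery's room/photo records
# (hypothetical schema; the real table layout is not on the page).
SAMPLE_ROWS = [
    (1, "Lobby", "lobby.jpg"),
    (2, "Garden", "garden.jpg"),
    (3, "Staff only", "staff.jpg"),
]


def make_db():
    """In-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rooms (id INTEGER PRIMARY KEY, name TEXT, photo TEXT)")
    conn.executemany("INSERT INTO rooms VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_room_vulnerable(conn, id_param):
    """Flaw class of Room.php: the id parameter is pasted into the query text,
    so SQL syntax inside the parameter becomes part of the statement."""
    sql = "SELECT id, name, photo FROM rooms WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def lookup_room_hardened(conn, id_param):
    """Parse the parameter as an integer, then bind it.  The value travels
    separately from the query text and cannot change the statement."""
    try:
        room_id = int(id_param)
    except ValueError:
        return []          # not a room id at all; serve nothing
    sql = "SELECT id, name, photo FROM rooms WHERE id = ?"
    return conn.execute(sql, (room_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    injected = "2 OR 1=1"   # tautology: "WHERE id = 2 OR 1=1" matches every row
    print(lookup_room_vulnerable(conn, "2"))       # one row
    print(lookup_room_vulnerable(conn, injected))  # all three rows: the injection worked
    print(lookup_room_hardened(conn, injected))    # []: int("2 OR 1=1") fails, no query runs
    print(lookup_room_hardened(conn, "3"))         # the intended single row
```

The hardened lookup rejects the tautology before any SQL is built; a parameter that is meant to be a number should be converted to one and bound, never interpolated.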
VAR-200607-0531 No CVE CNVD-2006-5393 D-Link router UPnP M-SEARCH stack overflow vulnerability CVSS V2: -
CVSS V3: -
Severity: -
D-Link router devices contain a stack overflow in the UPnP service that can be used to cause a denial of service or to execute arbitrary instructions with the privileges of the UPnP process. The problem lies in the handling of SSDP M-SEARCH requests: an M-SEARCH request carrying an over-length parameter (more than 800 bytes) overflows a stack buffer. The attack can be carried out without affecting network connectivity and without leaving any attack signature.
VAR-200607-0199 CVE-2006-3687 Multiple D-Link routers fail to properly process UPnP M-SEARCH requests CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Stack-based buffer overflow in the Universal Plug and Play (UPnP) service in D-Link DI-524, DI-604 Broadband Router, DI-624, DI-784, WBR-1310 Wireless G Router, WBR-2310 RangeBooster G Router, and EBR-2310 Ethernet Broadband Router allows remote attackers to execute arbitrary code via a long M-SEARCH request to UDP port 1900. A buffer overflow vulnerability in the software that operates certain models of D-Link routers could allow a remote attacker to execute arbitrary code on the affected device. An attacker who can send an M-SEARCH request with an excessively long parameter (about 800 bytes) to the LAN interface of a vulnerable D-Link device triggers a stack overflow that allows reliable execution of arbitrary instructions. The attack does not affect network connectivity and shows no outward signs; in some cases a soft restart of the device may be required afterwards, causing a temporary loss of connectivity. D-Link wired and wireless routers are prone to this buffer-overflow vulnerability because the devices fail to bounds-check user-supplied input before copying it into an insufficiently sized memory buffer. D-Link is a Taiwan-based network equipment vendor whose products include a range of router devices.
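Both D-Link entries above say the overflow is triggered by an over-long M-SEARCH parameter (more than 800 bytes) and that the attack leaves no signature. The one thing a passive sensor can still see is size: ordinary SSDP discovery requests are a few short header lines. The following is an added example, not vendor or eEye code, that builds a normal M-SEARCH (showing what legitimate traffic looks like) and inspects SSDP datagrams for header values past the threshold the advisory cites. The 800-byte limit is taken from the text; the sample datagrams are constructed here, not captured.

```python
# Added example: length-based detection of anomalous SSDP M-SEARCH requests.
# Standard SSDP multicast group and UDP port used by UPnP discovery.
SSDP_ADDR = ("239.255.255.250", 1900)
# Threshold taken from the advisory text above (over-long parameter > 800 bytes).
OVERLONG_LIMIT = 800


def build_msearch(search_target="ssdp:all", mx=3):
    """Build a well-formed SSDP M-SEARCH, i.e. what a legitimate control
    point multicasts to discover UPnP devices on the LAN."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("latin-1")


def parse_ssdp(datagram):
    """Split an SSDP datagram into (request_line, {HEADER: value}).
    Raises ValueError for anything not shaped like HTTP-over-UDP."""
    head = datagram.decode("latin-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if len(lines[0].split()) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def inspect_ssdp(datagram, limit=OVERLONG_LIMIT):
    """Return a list of findings for one datagram; [] means it looks like
    ordinary discovery traffic.  Both the whole datagram and every header
    value are checked, since the advisory only says 'over-long parameter'."""
    findings = []
    if len(datagram) > limit:
        findings.append(f"datagram is {len(datagram)} bytes (> {limit})")
    try:
        request_line, headers = parse_ssdp(datagram)
    except ValueError as exc:
        return findings + [f"unparseable SSDP: {exc}"]
    if request_line.split()[0] != "M-SEARCH":
        return findings          # NOTIFY and search responses are out of scope here
    for name, value in headers.items():
        if len(value) > limit:
            findings.append(f"M-SEARCH header {name} is {len(value)} bytes (> {limit})")
    if headers.get("MAN") != '"ssdp:discover"':
        findings.append('M-SEARCH without the mandatory MAN: "ssdp:discover" header')
    return findings


# Constructed samples (not captured traffic): a normal discovery request and
# one whose ST value is padded far past the 800-byte mark.
BENIGN_MSEARCH = build_msearch()
OVERLONG_MSEARCH = build_msearch(search_target="A" * 900)

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN_MSEARCH), ("overlong", OVERLONG_MSEARCH)):
        print(label, len(pkt), "bytes ->", inspect_ssdp(pkt) or "no findings")
```

Fed the UDP/1900 traffic seen on the LAN segment, the check is cheap and has essentially no false positives: a legitimate ST or HOST value is tens of bytes, so anything approaching the limit is worth an alert regardless of what the payload contains.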
VAR-200607-0236 CVE-2006-3696 Outpost Firewall filtnt.sys denial of service (DoS) vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
filtnt.sys in Outpost Firewall Pro before 3.51.759.6511 (462) allows local users to cause a denial of service (crash) via long arguments to mshta.exe. Outpost Firewall is prone to a local denial-of-service vulnerability. An attacker can exploit this issue to crash the application, effectively denying service. Outpost Firewall Pro version 3.5.631 is affected by this issue; other versions may also be vulnerable. Secunia: The vulnerability is caused by an unspecified error in the Virtual Firewall driver (filtnt.sys) and can be exploited to crash the system by e.g. passing an overly long string as a command-line argument to mshta.exe. The vulnerability has been reported in version 3.5.631; other versions may also be affected. SOLUTION: Update to version 3.51.759.6511 (462) or later. PROVIDED AND/OR DISCOVERED BY: Bipin Gautam.
VAR-200607-0237 CVE-2006-3697 Agnitum Outpost Firewall Pro privilege escalation vulnerability (as used in Lavasoft Personal Firewall and Novell Client Firewall) CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Agnitum Outpost Firewall Pro 3.51.759.6511 (462), as used in (1) Lavasoft Personal Firewall 1.0.543.5722 (433) and (2) Novell BorderManager Novell Client Firewall 2.0, does not properly restrict user activities in application windows that run in a LocalSystem context, which allows local users to gain privileges and execute commands (a) via the "open folder" option when no instance of explorer.exe is running, possibly related to the ShellExecute API function; or (b) by overwriting a batch file through the "Save Configuration As" option. NOTE: this might be a vulnerability in Microsoft Windows and explorer.exe instead of the firewall. Lavasoft Personal Firewall allows local attackers to gain elevated privileges, which may lead to a complete compromise. Version 1.0.543.5722 (433) is reported vulnerable; other versions may be affected as well. Reports indicate that this issue may be related to BID 19024. Secunia: The vulnerability is caused by the application windows running with SYSTEM privileges and the application not checking whether explorer.exe is running. This can be exploited to launch explorer.exe with SYSTEM privileges by terminating it and then using the "open folder" option in e.g. the "Shared Components" window. SOLUTION: Enable password protection. PROVIDED AND/OR DISCOVERED BY: Ben Goulding. ORIGINAL ADVISORY: http://www.ben.goulding.com.au/secad.html
VAR-200607-0265 CVE-2006-3725 Norton Personal Firewall denial of service (DoS) vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Norton Personal Firewall 2006 9.1.0.33 allows local users to cause a denial of service (crash) via certain RegSaveKey, RegRestoreKey and RegDeleteKey operations on the (1) HKLM\SYSTEM\CurrentControlSet\Services\SNDSrvc and (2) HKLM\SYSTEM\CurrentControlSet\Services\SymEvent registry keys. Microsoft Windows is prone to a denial-of-service vulnerability. This issue occurs when a program makes certain API calls that manipulate Windows registry keys, and may crash the affected computer. NOTE: This BID has been revised (July 3, 2007); the issue was originally thought to be a vulnerability in Symantec Norton Personal Firewall, but further investigation reveals a problem in an underlying OS API. Attackers can exploit this issue to crash the affected application, denying service to legitimate users. According to the original report, Norton Personal Firewall does not properly handle calls to the standard Windows API functions RegSaveKey, RegRestoreKey, and RegDeleteKey: a combination of these calls on the registry key HKLM\SYSTEM\CurrentControlSet\Services\SNDSrvc or HKLM\SYSTEM\CurrentControlSet\Services\SymEvent triggers an error in the Norton driver, resulting in a system crash.
VAR-200607-0364 CVE-2006-3787 Sunbelt Kerio Personal Firewall kpf4ss.exe denial of service (DoS) vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
kpf4ss.exe in Sunbelt Kerio Personal Firewall 4.3.x before 4.3.268 does not properly hook the CreateRemoteThread API function, which allows local users to cause a denial of service (crash) and bypass protection mechanisms by calling CreateRemoteThread. Sunbelt Kerio Personal Firewall is prone to a denial-of-service vulnerability. This issue can occur when a program calls the 'CreateRemoteThread' Windows API function. Exploitation of this vulnerability could cause the firewall application to crash, which could expose the computer to further attacks. The individual who discovered this vulnerability claims to have tested it on Sunbelt Kerio Personal Firewall versions 4.3.246 and 4.2.3.912, and was unable to reproduce it on version 4.2.3.912, the older release. The vulnerable functionality may have been introduced at some point after the 4.2.3.912 release, but this has not been confirmed.
VAR-200607-0357 CVE-2006-3596 Cisco Intrusion Prevention System Malformed Packet Denial Of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The device driver for Intel-based gigabit network adapters in Cisco Intrusion Prevention System (IPS) 5.1(1) through 5.1(p1), as installed on various Cisco Intrusion Prevention System 42xx appliances, allows remote attackers to cause a denial of service (kernel panic and possibly network outage) via a crafted IP packet. Cisco Intrusion Prevention System is prone to a denial-of-service vulnerability. An attacker can exploit this issue to crash an affected device, effectively denying service. This issue is documented in Cisco bug ID CSCsd36590 and affects 42xx IPS appliances running affected versions of the IPS software. The flaw is in the network adapter device driver of the IPS sensor; an IPS deployed inline with automatic bypass configured will also stop forwarding packets. Secunia: This can be exploited to cause a DoS via a specially crafted packet received on an Intel-based gigabit network adapter configured as a sensing interface. Successful exploitation causes the device to stop processing packets and become inaccessible both remotely and via the console. SOLUTION: Update to version 5.1(2). http://www.cisco.com/pcgi-bin/tablebuild.pl/ips5 PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060712-ips.shtml
VAR-200607-0487 CVE-2006-3604 FlexWATCH Network Camera directory traversal vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Directory traversal vulnerability in FlexWATCH Network Camera 3.0 and earlier allows remote attackers to bypass access restrictions for (1) admin/aindex.asp or (2) admin/aindex.html via a .. (dot dot) and encoded / (%2f) sequence in the URL. FlexWatch is prone to an authorization-bypass vulnerability. This issue is due to a failure in the application to properly verify user-supplied input before using it to decide whether a request needs authentication. An attacker can exploit this issue to bypass the authorization mechanism and gain unauthorized access to the surveillance system. Versions 3.0 and prior are affected. The Secunia advisory covering this device also reports that input passed via the URL isn't properly sanitised before being returned to the user, which can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected site (see CVE-2006-3603). SOLUTION: Filter malicious characters and character sequences in a proxy server or firewall with URL filtering capabilities. PROVIDED AND/OR DISCOVERED BY: Jaime Blasco. ORIGINAL ADVISORY: Digital Armaments: http://www.digitalarmaments.com/2006300687985463.html
VAR-200607-0437 CVE-2006-3552 Ipswitch IMail Secure Server .dat file spam relay vulnerability CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
Premium Anti-Spam in Ipswitch IMail Secure Server 2006 and Collaboration Suite 2006 Premium, when using a certain .dat file in the StarEngine /data directory from 20060630 or earlier, does not properly receive and implement bullet signature updates, which allows context-dependent attackers to use the server for spam transmission. Attackers can use the server to relay spam.
VAR-200607-0353 CVE-2006-3592 Cisco Unified CallManager (CUCM) CLI arbitrary command execution vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in the command line interface (CLI) in Cisco Unified CallManager (CUCM) 5.0(1) through 5.0(3a) allows local users to execute arbitrary commands with elevated privileges via unspecified vectors, involving "certain CLI commands," aka bug CSCse11005. Cisco Unified CallManager is susceptible to multiple vulnerabilities. These specific issues are identified: a local privilege-escalation vulnerability, documented as Cisco bug CSCse11005; a local file-overwrite vulnerability, documented as Cisco bug CSCse31704; and a remote buffer-overflow vulnerability, documented as Cisco bug CSCsd96542. These issues allow local attackers to completely compromise affected devices, and remote attackers to execute arbitrary machine code in the context of the affected service. Cisco Unified CallManager is the software-based call-processing component of the Cisco IP telephony solution. The CallManager CLI provides an alternate management interface to the system for diagnosing and troubleshooting the primary HTTPS-based management interface; the CLI vulnerabilities allow command output to be redirected to a file or folder specified on the command line. Cisco Unified CallManager supports both SCCP and SIP telephony, which allows migration to SIP while still protecting investments in existing equipment. Secunia advisory SA21030 (http://secunia.com/advisories/21030/), "Cisco Unified CallManager Multiple Vulnerabilities", rated Highly critical, impact: privilege escalation, DoS, system access, from remote, software: Cisco Unified CallManager 5.x (http://secunia.com/product/11019/). DESCRIPTION: Some vulnerabilities have been reported in Cisco Unified CallManager, which can be exploited by malicious, local users to gain escalated privileges or by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. 1) Errors in various CLI commands can be exploited by an authenticated administrator to break out of the CLI environment and execute arbitrary Linux commands with root privileges. 2) An unspecified error makes it possible for an authenticated administrator to overwrite arbitrary files or folders with the output of CLI commands. 3) A boundary error within the processing of SIP requests can be exploited to cause a buffer overflow via an overly long hostname string in a malicious SIP request. Successful exploitation causes a DoS or allows execution of arbitrary code. The vulnerabilities have been reported in versions 5.0(1), 5.0(2), 5.0(3), and 5.0(3a). SOLUTION: Update to version 5.0(4) or later. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060712-cucm.shtml
VAR-200607-0354 CVE-2006-3593 Cisco Unified CallManager (CUCM) CLI arbitrary file overwrite vulnerability CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
The command line interface (CLI) in Cisco Unified CallManager (CUCM) 5.0(1) through 5.0(3a) allows local users to overwrite arbitrary files by redirecting a command's output to a file or folder, aka bug CSCse31704. Cisco Unified CallManager is susceptible to multiple vulnerabilities. These specific issues are identified: a local privilege-escalation vulnerability, documented as Cisco bug CSCse11005; a local file-overwrite vulnerability, documented as Cisco bug CSCse31704; and a remote buffer-overflow vulnerability, documented as Cisco bug CSCsd96542. These issues allow local attackers to completely compromise affected devices, and remote attackers to execute arbitrary machine code in the context of the affected service. Cisco Unified CallManager is the software-based call-processing component of the Cisco IP telephony solution. The CallManager CLI provides an alternate management interface to the system for diagnosing and troubleshooting the primary HTTPS-based management interface. Cisco Unified CallManager supports both SCCP and SIP telephony, which allows migration to SIP while still protecting investments in existing equipment. Secunia advisory SA21030 (http://secunia.com/advisories/21030/), "Cisco Unified CallManager Multiple Vulnerabilities", rated Highly critical, impact: privilege escalation, DoS, system access, from remote, software: Cisco Unified CallManager 5.x (http://secunia.com/product/11019/). DESCRIPTION: Some vulnerabilities have been reported in Cisco Unified CallManager, which can be exploited by malicious, local users to gain escalated privileges or by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. 1) Errors in various CLI commands can be exploited by an authenticated administrator to break out of the CLI environment and execute arbitrary Linux commands with root privileges. 2) An unspecified error makes it possible for an authenticated administrator to overwrite arbitrary files or folders with the output of CLI commands. 3) A boundary error within the processing of SIP requests can be exploited to cause a buffer overflow via an overly long hostname string in a malicious SIP request. Successful exploitation causes a DoS or allows execution of arbitrary code. The vulnerabilities have been reported in versions 5.0(1), 5.0(2), 5.0(3), and 5.0(3a). SOLUTION: Update to version 5.0(4) or later. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060712-cucm.shtml
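Items 1 and 2 of the CUCM advisory (bugs CSCse11005 and CSCse31704) are the two failure modes of a restricted administrative CLI: the operator's line reaching a real shell, and command output redirected to a path the CLI never checked. The block below is an added, generic illustration of that class and its fix, not CUCM's code (which the page does not reproduce); the command allow-list, the /bin/echo stand-ins for the real diagnostic binaries and the /var/log/cli-output directory are hypothetical.

```python
import os
import shlex
import subprocess

# Hypothetical restricted-CLI policy for illustration only.
ALLOWED_COMMANDS = {
    "show": ["/bin/echo", "show"],      # stand-ins for the real diagnostic binaries
    "utils": ["/bin/echo", "utils"],
}
OUTPUT_ROOT = "/var/log/cli-output"     # only directory redirected output may land in


class CliPolicyError(Exception):
    """Raised when an operator line violates the CLI policy."""


def build_shell_command_vulnerable(line):
    """The flaw class behind CSCse11005/CSCse31704: the operator's line goes
    to a shell verbatim.  ';', '&&' and backticks escape the CLI, and '>'
    writes wherever the CLI process (root) can write."""
    return "/bin/sh -c " + shlex.quote(line)


def build_argv_hardened(line, output_root=OUTPUT_ROOT):
    """Tokenise without a shell, allow-list the command word, and confine any
    redirect target to output_root.  Returns (argv, resolved_output_path or None)."""
    tokens = shlex.split(line)            # no shell: ';', '`', '$(' are plain characters
    if not tokens:
        raise CliPolicyError("empty command")
    output_path = None
    if ">" in tokens:
        idx = tokens.index(">")
        if idx != len(tokens) - 2:
            raise CliPolicyError("redirect must be the final 'command > file' pair")
        target, tokens = tokens[idx + 1], tokens[:idx]
        if not tokens:
            raise CliPolicyError("no command before redirect")
        # Resolve '..' and symlinks first, then require the result to sit
        # under output_root; an absolute target replaces the join and fails too.
        resolved = os.path.realpath(os.path.join(output_root, target))
        root = os.path.realpath(output_root)
        if os.path.commonpath([root, resolved]) != root:
            raise CliPolicyError(f"redirect target escapes {output_root}: {target}")
        output_path = resolved
    if tokens[0] not in ALLOWED_COMMANDS:
        raise CliPolicyError(f"command not permitted: {tokens[0]}")
    for tok in tokens[1:]:
        # Harmless without a shell, but rejected anyway so a later change to
        # shell=True cannot silently reopen the hole.
        if any(ch in tok for ch in ";&|`$<>\n"):
            raise CliPolicyError(f"shell metacharacter in argument: {tok!r}")
    return ALLOWED_COMMANDS[tokens[0]] + tokens[1:], output_path


if __name__ == "__main__":
    for line in ("show status", "show status > today.txt",
                 "show status; id", "show status > /etc/passwd"):
        try:
            argv, out = build_argv_hardened(line)
        except CliPolicyError as exc:
            print(f"REJECTED {line!r}: {exc}")
            continue
        # Execute without a shell; the CLI itself opens `out` (inside OUTPUT_ROOT)
        # rather than letting a shell interpret the redirect.
        result = subprocess.run(argv, capture_output=True, text=True, check=False)
        print(f"OK {line!r} -> {result.stdout.strip()!r} (output file: {out})")
```

The two checks map onto the two bugs: tokenising with shlex and executing an argv list (never shell=True) is what stops break-out to arbitrary root commands, and realpath-plus-commonpath on the redirect target is what stops output landing on an arbitrary file.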
VAR-200607-0355 CVE-2006-3594 Cisco Unified CallManager (CUCM) SIP buffer overflow vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in Cisco Unified CallManager (CUCM) 5.0(1) through 5.0(3a) allows remote attackers to execute arbitrary code via a long hostname in a SIP request, aka bug CSCsd96542. Cisco Unified CallManager is susceptible to multiple vulnerabilities. Cisco Unified CallManager is the software-based call-processing component of the Cisco IP telephony solution. Cisco Unified CallManager supports both SCCP and SIP telephony, which allows migration to SIP while still protecting investments in existing equipment. Secunia advisory SA21030 (http://secunia.com/advisories/21030/), "Cisco Unified CallManager Multiple Vulnerabilities", rated Highly critical, impact: privilege escalation, DoS, system access, from remote, software: Cisco Unified CallManager 5.x (http://secunia.com/product/11019/). DESCRIPTION: Some vulnerabilities have been reported in Cisco Unified CallManager, which can be exploited by malicious, local users to gain escalated privileges or by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. 1) Errors in various CLI commands can be exploited by an authenticated administrator to break out of the CLI environment and execute arbitrary Linux commands with root privileges. 2) An unspecified error makes it possible for an authenticated administrator to overwrite arbitrary files or folders with the output of CLI commands. 3) A boundary error within the processing of SIP requests can be exploited to cause a buffer overflow via an overly long hostname string in a malicious SIP request. Successful exploitation causes a DoS or allows execution of arbitrary code. The vulnerabilities have been reported in versions 5.0(1), 5.0(2), 5.0(3), and 5.0(3a). SOLUTION: Update to version 5.0(4) or later. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060712-cucm.shtml
VAR-200607-0356 CVE-2006-3595 Cisco Router Web Setup (CRWS) contains an insecure default IOS configuration CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The default configuration of IOS HTTP server in Cisco Router Web Setup (CRWS) before 3.3.0 build 31 does not require credentials, which allows remote attackers to access the server with arbitrary privilege levels, aka bug CSCsa78190. This issue is due to the application's failure to ensure that remote web-based users are properly authenticated, and allows remote attackers to gain administrative access to affected routers, which may aid them in further attacks. This vulnerability is documented in Cisco Bug ID CSCsa78190. The IOS HTTP server can be configured to authenticate against other mechanisms, including a local user database, an external RADIUS server, or an external TACACS+ server. Privilege level 15 is the highest privilege level on Cisco IOS devices. Secunia: The problem is caused by the application shipping with an insecure default Cisco IOS configuration. This can be exploited to execute arbitrary commands with privilege level 15 via the web interface. SOLUTION: Update to version 3.3.0 build 31. http://www.cisco.com/pcgi-bin/tablebuild.pl/crws NOTE: Users upgrading from a previous version who wish to keep their existing configuration should apply the workarounds described in the vendor advisory. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20060712-crws.shtml
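The CRWS issue is an insecure IOS default: the HTTP server is enabled but has no credentials to check, so a web request lands at privilege level 15. As an added illustration (not the CRWS configuration file, which the page does not reproduce, and not the vendor's workaround text), here is that weak state beside a hardened one built from standard IOS commands; the account name, access-list number and management subnet are placeholders.

```text
! Weak state (illustrative of the class described above): the IOS HTTP server
! is on, but nothing is configured for it to authenticate against, so a
! request to the web interface is served at privilege level 15 unchallenged.
ip http server

! Hardened state, standard IOS commands.  Account name, access-list number and
! management subnet are placeholders, not values from the advisory.
username crws-admin privilege 15 secret <strong-password>
ip http authentication local
access-list 10 permit 192.168.1.0 0.0.0.255
ip http access-class 10
!
! If the web setup tool is not needed at all, remove the exposure instead:
no ip http server
```

The point of `ip http authentication local` is that it names an explicit credential store (the entry above also lists RADIUS and TACACS+ as alternatives); `ip http access-class` then limits who can even reach the login. Upgrading CRWS while keeping an old configuration, as the NOTE above warns, does not fix the configuration by itself.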
VAR-200607-0446 CVE-2006-3561 BT Voyager 2091 Wireless firmware authentication bypass vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
BT Voyager 2091 Wireless firmware 2.21.05.08m_A2pB018c1.d16d and earlier, and 3.01m and earlier, allow remote attackers to bypass the authentication process and gain sensitive information, such as configuration information via (1) /btvoyager_getconfig.sh, PPP credentials via (2) btvoyager_getpppcreds.sh, and decode configuration credentials via (3) btvoyager_decoder.c. BT Voyager is prone to authentication-bypass vulnerabilities. These issues are due to a flaw in the authentication process of the affected application. Exploiting these issues may allow attackers to gain unauthorized, remote access to the application's administrative functions. BT Voyager 2091 Wireless ADSL, Firmware 2.21.05.08m_A2pB018c1.d16d, and Firmware 3.01m are reported vulnerable; other versions may also be affected. NOTE: Other reports have related this issue to the "psiBackupInfo" and "connect.html" files, but these vectors were not clear in the original disclosure. Secunia: The problem is caused by missing authentication checks when accessing the "psiBackupInfo" and "connect.html" files. Other versions may also be affected. SOLUTION: Filter traffic to affected devices. PROVIDED AND/OR DISCOVERED BY: pagvac. ORIGINAL ADVISORY: http://ikwt.dyndns.org/projects/btvoyager-getconfig.txt
VAR-200607-0486 CVE-2006-3603 FlexWATCH Network Camera index.php cross-site scripting vulnerability CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in index.php in FlexWATCH Network Camera 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the URL. This issue is due to a failure in the application to properly sanitize user-supplied input. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. FlexWATCH 3.0 and prior versions are affected.
----------------------------------------------------------------------
TITLE: FlexWATCH Network Camera FW-3400 Two Vulnerabilities
SECUNIA ADVISORY ID: SA20994
VERIFY ADVISORY: http://secunia.com/advisories/20994/
CRITICAL: Less critical
IMPACT: Security Bypass, Cross Site Scripting
WHERE: From remote
OPERATING SYSTEM: FlexWATCH Network Camera FW-3400 http://secunia.com/product/10980/
DESCRIPTION: Jaime Blasco has reported two vulnerabilities in FlexWATCH Network Camera FW-3400, which can be exploited by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions. Example: http://[host]/[code] 2) An input validation error in the HTTP request handling can be exploited to access the administration section without being authenticated via the "..%2f" directory traversal sequence.
SOLUTION: Filter malicious characters and character sequences in a proxy server or firewall with URL filtering capabilities.
PROVIDED AND/OR DISCOVERED BY: Jaime Blasco
ORIGINAL ADVISORY: Digital Armaments: http://www.digitalarmaments.com/2006300687985463.html
----------------------------------------------------------------------
VAR-200607-0333 CVE-2006-3567 Juniper Networks DX System log Cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the web administration interface logging feature in Juniper Networks (Redline) DX 5.1.x, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the username login field. Juniper Networks DX is prone to an HTML-injection vulnerability. This vulnerability exists because the application fails to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would execute in the context of the affected website, potentially allowing the attacker to steal cookie-based authentication credentials, to control how the site is rendered to the user, and to launch other attacks. Version 5.1 is vulnerable; other versions may also be affected. Juniper's DX application acceleration platform is a solution for improving the performance of Web applications. Because the syslog content in the web administration interface is not properly filtered, a malicious user can inject content into the username login field, resulting in the execution of the injected content if the administrative user browses the syslog.
----------------------------------------------------------------------
TITLE: Juniper Networks DX System Log Script Insertion
SECUNIA ADVISORY ID: SA20990
VERIFY ADVISORY: http://secunia.com/advisories/20990/
CRITICAL: Moderately critical
IMPACT: Cross Site Scripting
WHERE: From remote
SOFTWARE: Juniper Networks DX 5.x http://secunia.com/product/10978/
DESCRIPTION: Darren Bounds has reported a vulnerability for Juniper DX, which can be exploited by malicious people to conduct script insertion attacks. The vulnerability is caused due to insufficient filtering of the system log when displaying it in the web administration interface. This can be exploited to insert arbitrary HTML and script code via e.g. the username login field, which will be executed in a user's browser session in context of an affected site when malicious data is viewed.
SOLUTION: Restrict access to the web administration console to trusted users only.
PROVIDED AND/OR DISCOVERED BY: Darren Bounds
ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047772.html
----------------------------------------------------------------------
VAR-200607-0225 CVE-2006-3529 Juniper JUNOS IPv6 denial-of-service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Memory leak in Juniper JUNOS 6.4 through 8.0, built before May 10, 2006, allows remote attackers to cause a denial of service (kernel packet memory consumption and crash) via crafted IPv6 packets whose buffers are not released after they are processed. Juniper JUNOS is a routing OS provided by Juniper Networks. As a result, a remote third party could disrupt service operation, i.e. a denial-of-service (DoS) attack is possible. JUNOS is prone to a remote denial-of-service vulnerability. This issue arises when the application consistently handles specially crafted IPv6 packets. All versions of JUNOS Internet Software built prior to May 10, 2006 running on M-series, T-series, and J-series routers are vulnerable. The operating system provides a secure programming interface and Junos SDK. There is a flaw in JUNOS's processing of specific malformed IPv6 packets. Remote attackers may exploit this flaw to perform denial-of-service attacks on routers.
----------------------------------------------------------------------
TITLE: Juniper Networks JUNOS IPv6 Packet Handling Denial of Service
SECUNIA ADVISORY ID: SA21003
VERIFY ADVISORY: http://secunia.com/advisories/21003/
CRITICAL: Moderately critical
IMPACT: DoS
WHERE: From remote
OPERATING SYSTEM: JUNOS 6.x http://secunia.com/product/3418/ JUNOS 7.x http://secunia.com/product/5158/ JUNOS 8.x http://secunia.com/product/10974/
DESCRIPTION: A vulnerability has been reported in the M-series, T-series, and J-Series routers, which can be exploited by malicious people to cause a DoS (Denial of Service). Successful exploitation crashes the router.
SOLUTION: Apply an updated version of the JUNOS software.
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: http://www.juniper.net/support/security/alerts/IPv6_bug.txt http://www.juniper.net/support/security/alerts/EXT-PSN-2006-06-017.txt
----------------------------------------------------------------------
VAR-200607-0040 CVE-2006-3470 Dell Openmanage CD launches unauthenticated services CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The Dell Openmanage CD launches X11 and SSH daemons that do not require authentication, which allows remote attackers to gain privileges
VAR-200607-0095 CVE-2006-3356 Apple OS X ImageIO TIFFFetchAnyArray function denial-of-service vulnerability CVSS V2: 2.6
CVSS V3: -
Severity: LOW
The TIFFFetchAnyArray function in ImageIO in Apple OS X 10.4.7 and earlier allows remote user-assisted attackers to cause a denial of service (application crash) via an invalid tag value in a TIFF image, possibly triggering a null dereference. NOTE: This is a different issue than CVE-2006-1469. Mac OS X is prone to a denial-of-service vulnerability