VARIoT IoT vulnerabilities database

VAR-200607-0333 | CVE-2006-3567 | Juniper Networks DX System log Cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the web administration interface logging feature in Juniper Networks (Redline) DX 5.1.x, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the username login field. Juniper Networks DX is prone to an HTML-injection vulnerability. This vulnerability exists because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would execute in the context of the affected website, potentially allowing the attacker to steal cookie-based authentication credentials, to control how the site is rendered to the user, and to launch other attacks.
Version 5.1 is vulnerable; other versions may also be affected. Juniper's DX application acceleration platform is a solution for improving the performance of Web applications. Because the syslog content in the web administration interface is not properly filtered, a malicious user can inject content into the username login field, resulting in the execution of the injected content if the administrative user browses the syslog.
----------------------------------------------------------------------
Hardcore Disassembler / Reverse Engineer
Reversing must be a passion as your skills will be challenged
on a daily basis and you will be working several hours
everyday in IDA, Ollydbg, and with BinDiff. Often, it is also
required that you write a PoC or even a working exploit to
prove that an issue is exploitable.
http://secunia.com/hardcore_disassembler_and_reverse_engineer/
----------------------------------------------------------------------
TITLE:
Juniper Networks DX System Log Script Insertion
SECUNIA ADVISORY ID:
SA20990
VERIFY ADVISORY:
http://secunia.com/advisories/20990/
CRITICAL:
Moderately critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
SOFTWARE:
Juniper Networks DX 5.x
http://secunia.com/product/10978/
DESCRIPTION:
Darren Bounds has reported a vulnerability for Juniper DX, which can
be exploited by malicious people to conduct script insertion
attacks.
The vulnerability is caused due to insufficient filtering of the
system log when displaying it in the web administration interface.
This can be exploited to insert arbitrary HTML and script code via
e.g. the username login field, which will be executed in a user's
browser session in context of an affected site when malicious data is
viewed.
SOLUTION:
Restrict access to the web administration console to trusted users
only.
PROVIDED AND/OR DISCOVERED BY:
Darren Bounds
ORIGINAL ADVISORY:
http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047772.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200607-0225 | CVE-2006-3529 | Juniper JUNOS IPv6 denial-of-service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Memory leak in Juniper JUNOS 6.4 through 8.0, built before May 10, 2006, allows remote attackers to cause a denial of service (kernel packet memory consumption and crash) via crafted IPv6 packets whose buffers are not released after they are processed. Juniper JUNOS is the operating system for routers provided by Juniper Networks. As a result, a remote third party could cause a denial of service (DoS). JUNOS is prone to a remote denial-of-service vulnerability. This issue arises when the application consistently handles specially crafted IPv6 packets.
All versions of JUNOS Internet Software built prior to May 10, 2006 running on M-series, T-series, and J-series routers are vulnerable. The operating system provides a secure programming interface and Junos SDK. There is a flaw in how JUNOS processes specific malformed IPv6 packets. Remote attackers may use this flaw to perform denial-of-service attacks on routers.
----------------------------------------------------------------------
TITLE:
Juniper Networks JUNOS IPv6 Packet Handling Denial of Service
SECUNIA ADVISORY ID:
SA21003
VERIFY ADVISORY:
http://secunia.com/advisories/21003/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
From remote
OPERATING SYSTEM:
JUNOS 6.x
http://secunia.com/product/3418/
JUNOS 7.x
http://secunia.com/product/5158/
JUNOS 8.x
http://secunia.com/product/10974/
DESCRIPTION:
A vulnerability has been reported in the M-series, T-series, and
J-Series routers, which can be exploited by malicious people to cause
a DoS (Denial of Service).
Successful exploitation crashes the router.
SOLUTION:
Apply an updated version of the JUNOS software.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.juniper.net/support/security/alerts/IPv6_bug.txt
http://www.juniper.net/support/security/alerts/EXT-PSN-2006-06-017.txt
VAR-200607-0040 | CVE-2006-3470 | Dell Openmanage CD launches unauthenticated services |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Dell Openmanage CD launches X11 and SSH daemons that do not require authentication, which allows remote attackers to gain privileges
VAR-200607-0095 | CVE-2006-3356 | Apple OS X ImageIO TIFFFetchAnyArray function denial of service vulnerability |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
The TIFFFetchAnyArray function in ImageIO in Apple OS X 10.4.7 and earlier allows remote user-assisted attackers to cause a denial of service (application crash) via an invalid tag value in a TIFF image, possibly triggering a null dereference. NOTE: This is a different issue than CVE-2006-1469. Mac OS X is prone to a denial-of-service vulnerability
VAR-200607-0340 | CVE-2006-3574 | Cross-site scripting vulnerability in products such as Hitachi Groupmax Collaboration Portal |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Hitachi Groupmax Collaboration Portal and Web Client before 07-20-/D, and uCosminexus Collaboration Portal and Forum/File Sharing before 06-20-/C, allow remote attackers to "execute malicious scripts" via unknown vectors (aka HS06-014-01).
An attacker may leverage these issues to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
----------------------------------------------------------------------
Input passed to unspecified parameters is not properly sanitised
before being returned to the user.
SOLUTION:
Fixes are available (see patch matrix in the vendor's advisory).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Hitachi:
http://www.hitachi-support.com/security_e/vuls_e/HS06-014_e/index-e.html
VAR-200607-0111 | CVE-2006-3372 | Apple Safari denial-of-service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Apple Safari 2.0.4/419.3 allows remote attackers to cause a denial of service (application crash) via a DHTML setAttributeNode function call with zero arguments, which triggers a null dereference. Apple Safari contains a denial-of-service (DoS) vulnerability. A third party may cause a denial of service (DoS). Apple Safari web browser is prone to a denial-of-service vulnerability when parsing certain malformed DHTML elements.
An attacker can exploit this issue to crash an affected browser
VAR-200607-0435 | CVE-2006-3550 | F5 Firepass 4100 SSL VPN Multiple Unknown Cross-Site Scripting Vulnerabilities |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
Multiple cross-site scripting (XSS) vulnerabilities in F5 Networks FirePass 4100 5.x allow remote attackers to inject arbitrary web script or HTML via unspecified "writable form fields and hidden fields," including "authentication frontends." F5 Firepass 4100 SSL VPN is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage these issues to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks
VAR-200607-0093 | CVE-2006-3354 | Microsoft Internet Explorer ADODB.Recordset Null pointer reference denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Microsoft Internet Explorer 6 allows remote attackers to cause a denial of service (crash) by setting the Filter property of an ADODB.Recordset ActiveX object to certain values multiple times, which triggers a null dereference. Microsoft Internet Explorer is prone to a denial-of-service condition when processing the 'ADODB.Recordset Filter Property' COM object.
A successful attack may cause the browser to fail due to a null-pointer dereference. Microsoft Internet Explorer is a very popular web browser released by Microsoft. When the properties of the ADODB.Recordset ActiveX object are assigned different values three times, the null pointer reference problem will be triggered. If the user is tricked into accessing a malicious web page containing malformed ActiveX reference code, it will cause a denial of service in IE
VAR-200607-0137 | CVE-2006-3398 | Taskjitsu form field password hash sensitive information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The "change password forms" in Taskjitsu before 2.0.1 includes password hashes in hidden form fields, which allows remote attackers to obtain sensitive information from the (1) Category Editor and (2) User Information editor. Taskjitsu is prone to multiple information disclosure vulnerabilities
VAR-200606-0398 | CVE-2006-1467 | Apple iTunes AAC File Parsing Integer Overflow Vulnerability |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Integer overflow in the AAC file parsing code in Apple iTunes before 6.0.5 on Mac OS X 10.2.8 or later, and Windows XP and 2000, allows remote user-assisted attackers to execute arbitrary code via an AAC (M4P, M4A, or M4B) file with a sample table size (STSZ) atom with a "malformed" sample_size_table value. Apple iTunes does not properly parse AAC files. This vulnerability may allow a remote attacker to execute arbitrary code. Exploitation requires an attacker to convince a target user into opening a malicious play list file. The specific flaw exists during the processing of malicious AAC media files such as those with extensions .M4A and .M4P. During the parsing of the sample table size atom (STSZ), a malformed 'sample_size_table' value can trigger an integer overflow leading to an exploitable memory corruption. iTunes is prone to an integer-overflow vulnerability. This may help the attacker gain unauthorized access or escalate privileges. Apple iTunes is a media player program.
ZDI-06-020: Apple iTunes AAC File Parsing Integer Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-020.html
June 29, 2006
-- CVE ID:
CVE-2006-1467
-- Affected Vendor:
Apple
-- Affected Products:
iTunes
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since April 3, 2006 by Digital Vaccine protection
filter ID 4282.
-- Vendor Response:
Apple has addressed this issue in the latest release of iTunes, version
6.0.5. More information is available from the vendor web site at:
http://docs.info.apple.com/article.html?artnum=303952
-- Disclosure Timeline:
2006.04.03 - Digital Vaccine released to TippingPoint customers
2006.04.07 - Vulnerability reported to vendor
2006.06.29 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by ATmaCA.
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product
VAR-200607-0032 | CVE-2006-3489 | F-Secure Anti-Virus/ Internet Security/Service Platform for Service Providers Special file name evades scanning vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
F-Secure Anti-Virus 2003 through 2006 and other versions, Internet Security 2003 through 2006, and Service Platform for Service Providers 6.x and earlier allows remote attackers to bypass anti-virus scanning via a crafted filename. Multiple products by F-Secure are prone to scan-evasion vulnerabilities.
Exploitation of these vulnerabilities may result in a false sense of security and in the execution of malicious applications. This could potentially lead to a malicious code infection.
----------------------------------------------------------------------
1) An unspecified error within the handling of executable programs
where the name has been manipulated in a certain way can be exploited
to bypass the anti-virus scanning functionality.
2) An error causes files on removable media to not be scanned when
the "Scan network devices" option has been disabled.
SOLUTION:
Apply patches (see patch matrix in the vendor's advisory).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
F-Secure:
http://www.f-secure.com/security/fsc-2006-4.shtml
VAR-200607-0083 | CVE-2006-3344 | Siemens SpeedStream Wireless Router Universal Plug and Play UPnP Authentication Bypass Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Siemens Speedstream Wireless Router 2624 allows local users to bypass authentication and access protected files by using the Universal Plug and Play UPnP/1.0 component. Siemens' SpeedStream wireless router contains vulnerabilities related to authorization, privileges, and access control. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Siemens SpeedStream Wireless Router web interface is prone to an authentication-bypass vulnerability.
This may permit an attacker to bypass the authentication mechanism and to gain access to the web interface.
Version 2624 is vulnerable; other versions may be affected
VAR-200606-0246 | CVE-2006-3286 | Cisco Wireless control system unknown WCS file Input validation vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The internal database in Cisco Wireless Control System (WCS) for Linux and Windows before 3.2(63) stores a hard-coded username and password in plaintext within unspecified files, which allows remote authenticated users to access the database (aka bug CSCsd15951). Cisco Wireless Control System is prone to multiple security vulnerabilities.
The following issues have been disclosed:
- Authorization-bypass vulnerability due to multiple hardcoded username and password pairs
- Arbitrary file access vulnerability
- Cross-site scripting vulnerability
- Information-disclosure vulnerability
An attacker can exploit these issues to retrieve potentially sensitive information, overwrite files, perform cross-site scripting attacks, and gain unauthorized access; other attacks are also possible.
----------------------------------------------------------------------
TITLE:
Cisco Wireless Control System Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA20870
VERIFY ADVISORY:
http://secunia.com/advisories/20870/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass, Cross Site Scripting, Exposure of system
information, Exposure of sensitive information, System access
WHERE:
From remote
SOFTWARE:
Cisco Wireless Control System (WCS) 1.x
http://secunia.com/product/6332/
DESCRIPTION:
Some vulnerabilities and a security issue have been reported in Cisco
Wireless Control System (WCS), which can be exploited by malicious,
local users to gain knowledge of sensitive information, and by
malicious people to gain knowledge of sensitive information, conduct
cross-site scripting attacks, bypass certain security restrictions
and potentially compromise a vulnerable system.
1) An undocumented username and hard-coded password exists in the
WCS. This can be exploited to connect to the WCS internal database
and to gain access to the configuration information of managed
wireless access points.
The security issue has been reported in WCS for Linux and Windows
3.2(40) and prior.
2) Undocumented database username and password are stored in clear
text in several WCS files. This can potentially be exploited by local
users to gain knowledge of the user credentials and to gain access to
the database.
The vulnerability has been reported in WCS for Linux and Windows
3.2(51) and prior.
3) An error within the internal TFTP server allows reading from or
writing to arbitrary locations in the filesystem of a WCS system.
Successful exploitation requires that the configured root directory
of the TFTP server contains a space character.
The vulnerability has been reported in WCS for Linux and Windows
3.2(51) and prior.
4) Input passed to the unspecified parameter in login page is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.
The vulnerability has been reported in WCS for Linux and Windows
3.2(51) and prior.
5) An access control error within the WCS HTTP server can be
exploited to gain access to certain directories, which may contain
sensitive information like WCS usernames and directory paths.
The vulnerability has been reported in WCS for Linux and Windows
3.2(51) and prior.
Note: It has also been reported that WCS for Linux and Windows 4.0(1)
and prior are installed with a default administrator username root,
with a default password of public.
SOLUTION:
Update to WCS for Linux and Windows 3.2(63) or later.
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Default administrator passwords should be changed after installation.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml
VAR-200606-0247 | CVE-2006-3287 | Vulnerability in Cisco Wireless Control System for Linux and Windows 4.0(1) that allows access to be gained |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco Wireless Control System (WCS) for Linux and Windows 4.0(1) and earlier uses a default administrator username "root" and password "public," which allows remote attackers to gain access (aka bug CSCse21391). The vendor has confirmed this vulnerability and released it as Bug ID CSCse21391. Access may be obtained by a third party. Cisco Wireless Control System is prone to multiple security vulnerabilities.
The following issues have been disclosed:
- Authorization-bypass vulnerability due to multiple hardcoded username and password pairs
- Arbitrary file access vulnerability
- Cross-site scripting vulnerability
- Information-disclosure vulnerability
An attacker can exploit these issues to retrieve potentially sensitive information, overwrite files, perform cross-site scripting attacks, and gain unauthorized access; other attacks are also possible.
----------------------------------------------------------------------
TITLE:
Cisco Wireless Control System Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA20870
VERIFY ADVISORY:
http://secunia.com/advisories/20870/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass, Cross Site Scripting, Exposure of system
information, Exposure of sensitive information, System access
WHERE:
From remote
SOFTWARE:
Cisco Wireless Control System (WCS) 1.x
http://secunia.com/product/6332/
DESCRIPTION:
Some vulnerabilities and a security issue have been reported in Cisco
Wireless Control System (WCS), which can be exploited by malicious,
local users to gain knowledge of sensitive information, and by
malicious people to gain knowledge of sensitive information, conduct
cross-site scripting attacks, bypass certain security restrictions
and potentially compromise a vulnerable system.
1) An undocumented username and hard-coded password exists in the
WCS. This can be exploited to connect to the WCS internal database
and to gain access to the configuration information of managed
wireless access points.
The security issue has been reported in WCS for Linux and Windows
3.2(40) and prior.
2) Undocumented database username and password are stored in clear
text in several WCS files. This can potentially be exploited by local
users to gain knowledge of the user credentials and to gain access to
the database.
3) An error within the internal TFTP server allows reading from or
writing to arbitrary locations in the filesystem of a WCS system.
Successful exploitation requires that the configured root directory
of the TFTP server contains a space character.
4) Input passed to the unspecified parameter in login page is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.
5) An access control error within the WCS HTTP server can be
exploited to gain access to certain directories, which may contain
sensitive information like WCS usernames and directory paths.
SOLUTION:
Update to WCS for Linux and Windows 3.2(63) or later.
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Default administrator passwords should be changed after installation.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml
VAR-200606-0248 | CVE-2006-3288 | Cisco Wireless control system TFTP server Unknown vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the TFTP server in Cisco Wireless Control System (WCS) for Linux and Windows before 3.2(51), when configured to use a directory path name that contains a space character, allows remote authenticated users to read and overwrite arbitrary files via unspecified vectors. Cisco Wireless Control System is prone to multiple security vulnerabilities.
The following issues have been disclosed:
- Authorization-bypass vulnerability due to multiple hardcoded username and password pairs
- Arbitrary file access vulnerability
- Cross-site scripting vulnerability
- Information-disclosure vulnerability
An attacker can exploit these issues to retrieve potentially sensitive information, overwrite files, perform cross-site scripting attacks, and gain unauthorized access; other attacks are also possible.
----------------------------------------------------------------------
TITLE:
Cisco Wireless Control System Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA20870
VERIFY ADVISORY:
http://secunia.com/advisories/20870/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass, Cross Site Scripting, Exposure of system
information, Exposure of sensitive information, System access
WHERE:
From remote
SOFTWARE:
Cisco Wireless Control System (WCS) 1.x
http://secunia.com/product/6332/
DESCRIPTION:
Some vulnerabilities and a security issue have been reported in Cisco
Wireless Control System (WCS), which can be exploited by malicious,
local users to gain knowledge of sensitive information, and by
malicious people to gain knowledge of sensitive information, conduct
cross-site scripting attacks, bypass certain security restrictions
and potentially compromise a vulnerable system.
1) An undocumented username and hard-coded password exists in the
WCS. This can be exploited to connect to the WCS internal database
and to gain access to the configuration information of managed
wireless access points.
The security issue has been reported in WCS for Linux and Windows
3.2(40) and prior.
2) Undocumented database username and password are stored in clear
text in several WCS files. This can potentially be exploited by local
users to gain knowledge of the user credentials and to gain access to
the database.
The vulnerability has been reported in WCS for Linux and Windows
3.2(51) and prior.
3) An error within the internal TFTP server allows reading from or
writing to arbitrary locations in the filesystem of a WCS system.
Successful exploitation requires that the configured root directory
of the TFTP server contains a space character.
The vulnerability has been reported in WCS for Linux and Windows
3.2(51) and prior.
4) Input passed to an unspecified parameter in the login page is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.
The vulnerability has been reported in WCS for Linux and Windows
3.2(51) and prior.
5) An access control error within the WCS HTTP server can be
exploited to gain access to certain directories, which may contain
sensitive information like WCS usernames and directory paths.
The vulnerability has been reported in WCS for Linux and Windows
3.2(51) and prior.
Note: It has also been reported that WCS for Linux and Windows 4.0(1)
and prior are installed with a default administrator username root,
with a default password of public.
SOLUTION:
Update to WCS for Linux and Windows 3.2(63) or later.
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Default administrator passwords should be changed after installation.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
VAR-200606-0249 | CVE-2006-3289 | Cisco Wireless control system HTTP Interface login page Cross-site scripting vulnerability |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
Cross-site scripting (XSS) vulnerability in the login page of the HTTP interface for the Cisco Wireless Control System (WCS) for Linux and Windows before 3.2(51) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a "malicious URL". Cisco Wireless Control System is prone to multiple security vulnerabilities.
The following issues have been disclosed:
- Authorization-bypass vulnerability due to multiple hardcoded username and password pairs
- Arbitrary file access vulnerability
- Cross-site scripting vulnerability
- Information-disclosure vulnerability
An attacker can exploit these issues to retrieve potentially sensitive information, overwrite files, perform cross-site scripting attacks, and gain unauthorized access; other attacks are also possible.
----------------------------------------------------------------------
VAR-200606-0250 | CVE-2006-3290 | Cisco Wireless control system HTTP server Information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
HTTP server in Cisco Wireless Control System (WCS) for Linux and Windows before 3.2(51) stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain usernames and directory paths via a direct URL request. Cisco Wireless Control System is prone to multiple security vulnerabilities.
The following issues have been disclosed:
- Authorization-bypass vulnerability due to multiple hardcoded username and password pairs
- Arbitrary file access vulnerability
- Cross-site scripting vulnerability
- Information-disclosure vulnerability
An attacker can exploit these issues to retrieve potentially sensitive information, overwrite files, perform cross-site scripting attacks, and gain unauthorized access; other attacks are also possible.
----------------------------------------------------------------------
VAR-200606-0251 | CVE-2006-3291 | Cisco Access Point Web Browser Interface contains a vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The web interface on Cisco IOS 12.3(8)JA and 12.3(8)JA1, as used on the Cisco Wireless Access Point and Wireless Bridge, reconfigures itself when it is changed to use the "Local User List Only (Individual Passwords)" setting, which removes all security and password configurations and allows remote attackers to access the system.
This may permit an attacker to bypass the authentication mechanism and gain access to the web interface. Remote attackers may use this loophole to obtain unauthorized access.
----------------------------------------------------------------------
Successful exploitation requires that the web management interface is
enabled.
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20060628-ap.shtml
----------------------------------------------------------------------
VAR-200606-0245 | CVE-2006-3285 | Cisco Wireless control system Internal database Input validation vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The internal database in Cisco Wireless Control System (WCS) for Linux and Windows before 3.2(51) uses an undocumented, hard-coded username and password, which allows remote authenticated users to read, and possibly modify, sensitive configuration data (aka bugs CSCsd15955). Cisco Wireless Control System is prone to multiple security vulnerabilities.
The following issues have been disclosed:
- Authorization-bypass vulnerability due to multiple hardcoded username and password pairs
- Arbitrary file access vulnerability
- Cross-site scripting vulnerability
- Information-disclosure vulnerability
An attacker can exploit these issues to retrieve potentially sensitive information, overwrite files, perform cross-site scripting attacks, and gain unauthorized access; other attacks are also possible.
----------------------------------------------------------------------
VAR-200607-0033 | CVE-2006-3490 | F-Secure Anti-Virus/ Internet Security/Service Platform for Service Providers Escape scanning vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
F-Secure Anti-Virus 2003 through 2006 and other versions, Internet Security 2003 through 2006, and Service Platform for Service Providers 6.x and earlier do not scan files contained on removable media when "Scan network drives" is disabled, which allows remote attackers to bypass anti-virus controls. Multiple products by F-Secure are prone to scan-evasion vulnerabilities.
Exploitation of these vulnerabilities may result in a false sense of security and in the execution of malicious applications. This could potentially lead to a malicious code infection.
----------------------------------------------------------------------
1) An unspecified error within the handling of executable programs
where the name has been manipulated in a certain way can be exploited
to bypass the anti-virus scanning functionality.
2) An error causes files on removable media to not be scanned when
the "Scan network devices" option has been disabled.
SOLUTION:
Apply patches (see patch matrix in the vendor's advisory).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
F-Secure:
http://www.f-secure.com/security/fsc-2006-4.shtml
----------------------------------------------------------------------