VARIoT IoT vulnerabilities database

Format string vulnerability in the CF_syslog function launchd in Apple Mac OS X 10.4 up to 10.4.6 allows local users to execute arbitrary code via format string specifiers that are not properly handled in a syslog call in the logging facility, as demonstrated by using a crafted plist file. Apple Mac OS X 'launchd' is prone to a local format-string vulnerability. A local attacker can exploit this issue through a malicious 'plist' file that includes externally supplied format specifiers that will be passed to the vulnerable code. A successful attack may crash the application or lead to arbitrary code execution. This issue was initially discussed in BID 18686 (Apple Mac OS X Multiple Security Vulnerabilities). The vulnerability exists specifically in the logging tool of launchd. ---------------------------------------------------------------------- Reverse Engineer Wanted Secunia offers a Security Specialist position with emphasis on reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. 1) An error in the AFP server within the handling of users' search results can be exploited by malicious users to gain knowledge of the names of files and folders for which the user performing the search has no access to. 2) A vulnerability within the Freshclam command line utility in ClamAV can potentially be exploited to compromise a vulnerable system. For more information: SA19880 3) A boundary error in ImageIO within the handling of TIFF images can be exploited to cause a stack-based buffer overflow. 5) An error within "slapd" of the OpenLDAP server when handling an anonymous bind operation can be exploited to crash the service via a malformed ldap-bind message. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

OpenLDAP in Apple Mac OS X 10.4 up to 10.4.6 allows remote attackers to cause a denial of service (crash) via an invalid LDAP request that triggers an assert error. Apple has reported a vulnerability in their version of OpenLDAP that is included in Apple Mac OS X and Mac OS X Server versions 10.4 to 10.4.6. If successfully exploited, this vulnerability would allow an attacker to create a denial-of-service condition. An attacker can exploit this issue to cause a crash in the LDAP server, effectively denying service to legitimate users. This issue was initially discussed in BID 18686 (Apple Mac OS X Multiple Security Vulnerabilities), which has been split into individual BIDs to discuss each issue separately. ---------------------------------------------------------------------- Reverse Engineer Wanted Secunia offers a Security Specialist position with emphasis on reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. 1) An error in the AFP server within the handling of users' search results can be exploited by malicious users to gain knowledge of the names of files and folders for which the user performing the search has no access to. 2) A vulnerability within the Freshclam command line utility in ClamAV can potentially be exploited to compromise a vulnerable system. For more information: SA19880 3) A boundary error in ImageIO within the handling of TIFF images can be exploited to cause a stack-based buffer overflow. This crashes an affected application and may allow arbitrary code execution when a specially crafted TIFF image is viewed. 4) A format string error within the logging functionality of the setuid program "launchd" can be exploited by local users to execute arbitrary code with system privileges. 5) An error within "slapd" of the OpenLDAP server when handling an anonymous bind operation can be exploited to crash the service via a malformed ldap-bind message. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack-based buffer overflow in ImageIO in Apple Mac OS X 10.4 up to 10.4.6 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image. Mac OS X is prone to a buffer-overflow vulnerability. This issue is due to a stack-based buffer-overflow that results in a buffer being overrun with attacker-supplied data. This issue allows remote attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely crash the application, denying service to legitimate users. This issue was initially discussed in BID 18686 (Apple Mac OS X Multiple Security Vulnerabilities), which has been split into individual BIDs to discuss each issue separately. ---------------------------------------------------------------------- Reverse Engineer Wanted Secunia offers a Security Specialist position with emphasis on reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. 1) An error in the AFP server within the handling of users' search results can be exploited by malicious users to gain knowledge of the names of files and folders for which the user performing the search has no access to. 2) A vulnerability within the Freshclam command line utility in ClamAV can potentially be exploited to compromise a vulnerable system. For more information: SA19880 3) A boundary error in ImageIO within the handling of TIFF images can be exploited to cause a stack-based buffer overflow. 4) A format string error within the logging functionality of the setuid program "launchd" can be exploited by local users to execute arbitrary code with system privileges. 5) An error within "slapd" of the OpenLDAP server when handling an anonymous bind operation can be exploited to crash the service via a malformed ldap-bind message. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Apple File Protocol (AFP) server in Apple Mac OS X 10.4 up to 10.4.6 includes the names of restricted files and folders within search results, which might allow remote attackers to obtain sensitive information. Mac OS X is prone to an information-disclosure vulnerability. This issue is due to a failure in the application to properly secure potentially sensitive information. An attacker can exploit this issue to retrieve potentially sensitive information that may aid in further attacks. This issue was initially discussed in BID 18686 (Apple Mac OS X Multiple Security Vulnerabilities), which has been split into individual BIDs to discuss each issue separately. ---------------------------------------------------------------------- Reverse Engineer Wanted Secunia offers a Security Specialist position with emphasis on reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. 2) A vulnerability within the Freshclam command line utility in ClamAV can potentially be exploited to compromise a vulnerable system. For more information: SA19880 3) A boundary error in ImageIO within the handling of TIFF images can be exploited to cause a stack-based buffer overflow. This crashes an affected application and may allow arbitrary code execution when a specially crafted TIFF image is viewed. 4) A format string error within the logging functionality of the setuid program "launchd" can be exploited by local users to execute arbitrary code with system privileges. 5) An error within "slapd" of the OpenLDAP server when handling an anonymous bind operation can be exploited to crash the service via a malformed ldap-bind message. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Buffer overflow in the Online Registration Facility for Algorithmic Research PrivateWire VPN software up to 3.7 allows remote attackers to execute arbitrary code via a long GET request. PrivateWire online registration is prone to a remote buffer-overflow vulnerability. The application fails to properly check boundary conditions when handling GET requests. PrivateWire 3.7 is vulnerable to this issue; previous versions may also be affected. Algorithmic Research PrivateWire is a security suite that protects communications between clients and servers. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: PrivateWire Registration Functionality Buffer Overflow SECUNIA ADVISORY ID: SA20812 VERIFY ADVISORY: http://secunia.com/advisories/20812/ CRITICAL: Highly critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: PrivateWire 3.x http://secunia.com/product/10656/ DESCRIPTION: Michael Thumann has reported a vulnerability in PrivateWire, which can be exploited by malicious people to cause a DoS and potentially compromise a vulnerable system. The vulnerability is caused due to a boundary error within the Online Registration functionality when handling an overly long URL. This can be exploited to cause a buffer overflow via an overly long GET request. The vulnerability has been reported in PrivateWire Gateway version 3.7. SOLUTION: The vendor has reportedly issued a patch. Users can contract the vendor to obtain the patch. PROVIDED AND/OR DISCOVERED BY: Michael Thumann ORIGINAL ADVISORY: http://www.ernw.de/security_advisories.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Apple Safari 2.0.3 (417.9.3) on Mac OS X 10.4.6 allows remote attackers to cause a denial of service (CPU consumption) via Javascript with an infinite for loop. NOTE: it could be argued that this is not a vulnerability, unless it interferes with the operation of the system outside of the scope of Safari itself

Cisco Secure Access Control Server (ACS) 4.x for Windows uses the client's IP address and the server's port number to grant access to an HTTP server port for an administration session, which allows remote attackers to bypass authentication via various methods, aka "ACS Weak Session Management Vulnerability.". This issue is due to the application's failure to properly ensure that remote web-based users are properly authenticated. This issue allows remote attackers to gain administrative access to the web-based administrative interface of the affected application. Cisco Secure ACS for Windows versions in the 4.x series were identified as vulnerable to this issue; other versions and platforms may also be affected. This issue is being tracked by Cisco Bug IDs CSCse26754 and CSCse26719. This helps attackers to hijack management sessions because port numbers are assigned in a sequential fashion without using strong authentication. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: Cisco Secure ACS Session Management Security Issue SECUNIA ADVISORY ID: SA20816 VERIFY ADVISORY: http://secunia.com/advisories/20816/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From local network SOFTWARE: Cisco Secure ACS 4.x http://secunia.com/product/10635/ DESCRIPTION: Darren Bounds has reported a security issue in Cisco Secure ACS, which can be exploited by malicious people to bypass certain security restrictions. The problem is caused due to the web-based management interface handling session management in an insecure way based on the assigned service port and the client's IP address. Successful exploitation requires that the attacker uses the same IP address as the logged in administrative user. The security issue has been reported in version 4.0 for Windows. Other versions may also be affected. SOLUTION: Only connect to the web-based management interface from dedicated management systems. PROVIDED AND/OR DISCOVERED BY: Darren Bounds ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20060623-acs.shtml Darren Bounds: http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047301.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The FTP proxy module in Fortinet FortiOS (FortiGate) before 2.80 MR12 and 3.0 MR2 allows remote attackers to bypass anti-virus scanning via the Enhanced Passive (EPSV) FTP mode. Fortinet FortiGate is prone to a vulnerability that allows an attacker to bypass antivirus protection. This issue occurs when files are transferred using the FTP protocol under certain conditions. Fortinet FortiOS versions prior to 2.80 MR12 and 3.0 MR2 are vulnerable to this issue if the FTP antivirus gateway-scanning service is used. Fortinet FortiGate is a network security platform developed by Fortinet. The platform provides functions such as firewall, antivirus and intrusion prevention (IPS), application control, antispam, wireless controller and WAN acceleration. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: FortiGate FTP Anti-Virus Scanning Bypass Vulnerability SECUNIA ADVISORY ID: SA20720 VERIFY ADVISORY: http://secunia.com/advisories/20720/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From remote OPERATING SYSTEM: Fortinet FortiOS (FortiGate) 3.x http://secunia.com/product/6802/ Fortinet FortiOS (FortiGate) 2.x http://secunia.com/product/2289/ DESCRIPTION: A vulnerability has been reported in FortiGate, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an error within the FortiGate FTP proxy when handling the ESPV command. SOLUTION: Update to FortiOS 2.80 MR12 release or FortiOS 3.0 MR2 release. Users can contact Fortinet Tech Support to obtain the updated firmware. PROVIDED AND/OR DISCOVERED BY: The vendor credits a recent magazine test review article. ORIGINAL ADVISORY: http://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-15.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The TOSRFBD.SYS driver for Toshiba Bluetooth Stack 4.00.29 and earlier on Windows allows remote attackers to cause a denial of service (reboot) via a L2CAP echo request that triggers an out-of-bounds memory access, similar to "Ping o' Death" and as demonstrated by BlueSmack. NOTE: this issue was originally reported for 4.00.23. Toshiba Bluetooth Stack is prone to a remote denial-of-service vulnerability. Reports indicate that a successful attack can corrupt memory and restart a vulnerable computer. Toshiba Bluetooth Stack for Windows versions 4.0.23 and prior are reported to be affected

Cross-site scripting (XSS) vulnerability in Cisco CallManager 3.3 before 3.3(5)SR3, 4.1 before 4.1(3)SR4, 4.2 before 4.2(3), and 4.3 before 4.3(1), allows remote attackers to inject arbitrary web script or HTML via the (1) pattern parameter in ccmadmin/phonelist.asp and (2) arbitrary parameters in ccmuser/logon.asp, aka bugid CSCsb68657. This issue is due to a failure in the web-interface to properly sanitize user-supplied input. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting administrative user in the context of the affected site. This may help the attacker launch other attacks

Buffer overflow in Microsoft Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows local and possibly remote attackers to execute arbitrary code via crafted Active Server Pages (ASP). Microsoft DHCP Client service contains a buffer overflow. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system. Microsoft Office applications fail to properly handle PNG images. To exploit this issue, attackers must be able to place and execute malicious ASP pages on computers running the affected ASP server software. This may be an issue in shared-hosting environments. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-192A Microsoft Windows, Office, and IIS Vulnerabilities Original release date: July 11, 2006 Last revised: -- Source: US-CERT Systems Affected * Microsoft Windows * Microsoft Internet Information Services (IIS) * Microsoft Office * Microsoft Office for Mac * Microsoft Access * Microsoft Excel and Excel Viewer * Microsoft FrontPage * Microsoft InfoPath * Microsoft OneNote * Microsoft Outlook * Microsoft PowerPoint * Microsoft Project * Microsoft Publisher * Microsoft Visio * Microsoft Word and Word Viewer Overview Microsoft has released updates that address critical vulnerabilities in Microsoft Windows, IIS, and Office. I. Description Microsoft Security Bulletin Summary for July 2006 addresses vulnerabilities in Microsoft products including Windows, IIS, and Office. (CVE-2006-0007) In MS06-037, Microsoft has released updates for the Excel vulnerability (VU#802324) described in Technical Cyber Security Alert TA06-167A. II. An attacker may also be able to cause a denial of service. III. Solution Apply a patch from your vendor Microsoft has provided updates for these vulnerabilities in the Security Bulletins. Updates for Microsoft Windows and Microsoft Office XP and later are available on the Microsoft Update site. Apple Mac OS X users should obtain updates from the Mactopia web site. System administrators may wish to consider using Windows Server Update Services (WSUS). Workaround Please see the following Vulnerability Notes for workarounds. Appendix A. References * Microsoft Security Bulletin Summary for July 2006 - <http://www.microsoft.com/technet/security/bulletin/ms06-jul.mspx> * Technical Cyber Security Alert TA06-167A - <http://www.us-cert.gov/cas/techalerts/TA06-167A.html> * US-CERT Vulnerability Notes for Microsoft July 2006 updates - <http://www.kb.cert.org/vuls/byid?searchview&query=ms06-jul> * US-CERT Vulnerability Note VU#395588 - <http://www.kb.cert.org/vuls/id/395588> * US-CERT Vulnerability Note VU#189140 - <http://www.kb.cert.org/vuls/id/189140> * US-CERT Vulnerability Note VU#257164 - <http://www.kb.cert.org/vuls/id/257164> * US-CERT Vulnerability Note VU#802324 - <http://www.kb.cert.org/vuls/id/802324> * US-CERT Vulnerability Note VU#580036 - <http://www.kb.cert.org/vuls/id/580036> * US-CERT Vulnerability Note VU#609868 - <http://www.kb.cert.org/vuls/id/609868> * US-CERT Vulnerability Note VU#409316 - <http://www.kb.cert.org/vuls/id/409316> * US-CERT Vulnerability Note VU#459388 - <http://www.kb.cert.org/vuls/id/459388> * US-CERT Vulnerability Note VU#668564 - <http://www.kb.cert.org/vuls/id/668564> * CVE-2006-0026 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0026> * CVE-2006-1314 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1314> * CVE-2006-2372 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2372> * CVE-2006-3059 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3059> * CVE-2006-1316 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1316> * CVE-2006-1540 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1540> * CVE-2006-2389 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2389> * CVE-2006-0033 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0033> * CVE-2006-0007 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0007> * Microsoft Update - <https://update.microsoft.com/microsoftupdate> * Microsoft Office Update - <http://officeupdate.microsoft.com> * Mactopia - <http://www.microsoft.com/mac> * Windows Server Update Services - <http://www.microsoft.com/windowsserversystem/updateservices/default.mspx> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-192A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-192A Feedback VU#802324" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History July 11, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRLQsLn0pj593lg50AQLyjQf/blQM+kdtxI5/dQ/Njj99QuR3yBT9ERwJ QfZgOr8yN4rUhOU1xkXq6go7E1W4kfwuKVwwobLuYXk9Cq6xP4aVpt0/ws53wNHI iAvJ1rURSFcVwDAXKvbiv7mmjORA36R5M37JiwR0ny76f20yZaz8LTjMbhwSLyFR Cj7kPE0o6Fu0uUwI7ETskfcK4iF0PVoVW2mava1YG8zFuby/A+Ps7ddQvu/EcaxP Y12QXtCP1jsB3+iJKAh7aQAh9h8aV6nuq4NZyFAHmao8iQo7qd9BMG451xTPDxn3 PoM2y5R0bXko+E4hWudpjel/JABm+nIV3R9il1QDantUI0aCqTDS9A== =7GPc -----END PGP SIGNATURE----- . Other versions of Excel, and other Office programs may be affected or act as attack vectors. Opening a specially crafted Excel document, including documents hosted on web sites or attached to email messages, could trigger the vulnerability. Office documents can contain embedded objects. For example, a malicious Excel document could be embedded in an Word or PowerPoint document. Office documents other than Excel documents could be used as attack vectors. If the user has administrative privileges, the attacker could gain complete control of the system. Solution At the time of writing, there is no complete solution available. Consider the following workarounds: Do not open untrusted Excel documents Do not open unfamiliar or unexpected Excel or other Office documents, including those received as email attachments or hosted on a web site. Please see Cyber Security Tip ST04-010 for more information. Do not rely on file extension filtering In most cases, Windows will call Excel to open a document even if the document has an unknown file extension. For example, if document.x1s (note the digit "1") contains the correct file header information, Windows will open document.x1s with Excel. ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-167A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff

Cross-site scripting (XSS) vulnerability in LogonProxy.cgi in Cisco Secure ACS for UNIX 2.3 allows remote attackers to inject arbitrary web script or HTML via the (1) error, (2) SSL, and (3) Ok parameters. This issue is due to a failure in the application to properly sanitize user-supplied input. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. This issue affects Cisco Secure ACS version 2.3 for UNIX; other versions may also be vulnerable. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. Input passed to specified parameters in LogonProxy.cgi is not properly sanitised before being returned to the user. SOLUTION: Apply patch. http://www.cisco.com/pcgi-bin/tablebuild.pl/cspatchunix-3des PROVIDED AND/OR DISCOVERED BY: The vendor credits Thomas Liam Romanis and Fujitsu Services Limited. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20060615-acs.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple cross-site scripting (XSS) vulnerabilities in the WebVPN feature in the Cisco VPN 3000 Series Concentrators and Cisco ASA 5500 Series Adaptive Security Appliances (ASA), when in WebVPN clientless mode, allow remote attackers to inject arbitrary web script or HTML via the domain parameter in (1) dnserror.html and (2) connecterror.html, aka bugid CSCsd81095 (VPN3k) and CSCse48193 (ASA). NOTE: the vendor states that "WebVPN full-network-access mode" is not affected, despite the claims by the original researcher. The issue is due to insufficient sanitization of HTML and script code from error messages that are displayed to users. This vulnerability could result in the execution of attacker-supplied HTML and script code in the session of a victim user. In the worst-case scenario, the attacker could gain unauthorized access to the VPN by stealing the WebVPN session cookie. Cisco tracks this issue as Bug IDs CSCsd81095 and CSCse48193. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. Input passed in the URL isn't properly sanitised before being returned to the user in the "dnserror.html" and the "connecterror.html" pages. Successful exploitation requires that clientless mode of the WebVPN feature is enabled. SOLUTION: Filter malicious characters and character sequences in a proxy or firewall with URL filtering capabilities. PROVIDED AND/OR DISCOVERED BY: The vendor credits Michal Zalewski and two other users. ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046708.html Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20060613-webvpn-xss.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

OpenBase SQL 10.0 and earlier, as used in Apple Xcode 2.2 2.2 and earlier and possibly other products, allows local users to create arbitrary files via a symlink attack on the simulation.sql file. Apple Xcode Used in etc. The OpenBase application shipped with Apple Xcode is prone to multiple privilege-escalation issues because the application fails to handle exceptional conditions when executing setuid programs. A local attacker can exploit these issues to gain superuser privileges. A successful exploit would lead to the complete compromise of affected computers. This issue affects Apple Xcode 2.2 and earlier versions. Xcode is the development tool used on Apple machines. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. The vulnerabilities are caused due to the inclusion of vulnerable versions of Binutils and OpenBase SQL. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: SpamAssassin "spamd" Shell Command Injection Vulnerability SECUNIA ADVISORY ID: SA20430 VERIFY ADVISORY: http://secunia.com/advisories/20430/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From local network SOFTWARE: SpamAssassin 3.x http://secunia.com/product/4506/ DESCRIPTION: A vulnerability has been reported in SpamAssassin, which can be exploited by malicious people to compromise a vulnerable system. Some unspecified input is not properly sanitised before being used. This can be exploited to inject arbitrary shell commands. Successful exploitation requires that spamd is used with the "--vpopmail" and "--paranoid" switches. The vulnerability has been reported in version 3.0.3. Other versions may also be affected. SOLUTION: Update to version 3.0.6 or 3.1.3. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Untrusted search path vulnerability in OpenBase SQL 10.0 and earlier, as used in Apple Xcode 2.2 2.2 and earlier and possibly other products, allows local users to execute arbitrary code via a modified PATH that references a malicious gzip program, which is executed by gnutar with certain TAR_OPTIONS environment variable settings, when gnutar is invoked by OpenBase. Apple Xcode Used in etc. The OpenBase application shipped with Apple Xcode is prone to multiple privilege-escalation issues because the application fails to handle exceptional conditions when executing setuid programs. A local attacker can exploit these issues to gain superuser privileges. A successful exploit would lead to the complete compromise of affected computers. This issue affects Apple Xcode 2.2 and earlier versions. Xcode is the development tool used on Apple machines. By using the TAR_OPTIONS environment variable, gnutar can be forced to call gzip without specifying the path, and the attacker can gain root privileges by controlling the PATH variable. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. For more information: SA22390 SOLUTION: Download the latest J2SE 5.0-compliant OpenBase JDBC drivers from http://www.openbase.com. Alternatively, remove the "setuid" flags from the OpenBase binaries. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: SpamAssassin "spamd" Shell Command Injection Vulnerability SECUNIA ADVISORY ID: SA20430 VERIFY ADVISORY: http://secunia.com/advisories/20430/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From local network SOFTWARE: SpamAssassin 3.x http://secunia.com/product/4506/ DESCRIPTION: A vulnerability has been reported in SpamAssassin, which can be exploited by malicious people to compromise a vulnerable system. Some unspecified input is not properly sanitised before being used. This can be exploited to inject arbitrary shell commands. Successful exploitation requires that spamd is used with the "--vpopmail" and "--paranoid" switches. The vulnerability has been reported in version 3.0.3. Other versions may also be affected. SOLUTION: Update to version 3.0.6 or 3.1.3. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in the web interface in Ingate Firewall before 4.4.1 and SIParator before 4.4.1 allows remote attackers to inject arbitrary web script or HTML, and steal cookies, via unspecified vectors related to "XSS exploits" in administrator functionality. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: Ingate Firewall and SIParator Two Vulnerabilities SECUNIA ADVISORY ID: SA20479 VERIFY ADVISORY: http://secunia.com/advisories/20479/ CRITICAL: Moderately critical IMPACT: Cross Site Scripting, DoS WHERE: >From remote OPERATING SYSTEM: Ingate SIParator 4.x http://secunia.com/product/5687/ Ingate Firewall 4.x http://secunia.com/product/4050/ DESCRIPTION: Two vulnerabilities have been reported in Ingate Firewall and SIParator, which can be exploited by malicious people to conduct cross-site scripting attacks and to cause a DoS (Denial of Service). 1) An error exists within the handling of SSL/TLS handshake in the SIP module and in the web server. This can be exploited to cause the modules to crash via a specially-crafted handshake. Successful exploitation requires that SSL/TLS is enabled. 2) Input passed to unspecified parameters in the web interface isn't properly sanitised before being returned to the user. SOLUTION: Update to version 4.4.1. http://www.ingate.com/upgrades.php PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://www.ingate.com/relnote-441.php ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Ingate Firewall in the SIP module before 4.4.1 and SIParator before 4.4.1, when TLS is enabled or when SSL/TLS is enabled in the web server, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake. Ingate Firewall and SIParator products are prone to a remote denial-of-service vulnerability. This vulnerability is exploitable only if SSL/TLS has been enabled in the SIP module or in the webserver. Versions of Ingate Firewall and SIParator prior to 4.4.1 are vulnerable to this issue. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: Ingate Firewall and SIParator Two Vulnerabilities SECUNIA ADVISORY ID: SA20479 VERIFY ADVISORY: http://secunia.com/advisories/20479/ CRITICAL: Moderately critical IMPACT: Cross Site Scripting, DoS WHERE: >From remote OPERATING SYSTEM: Ingate SIParator 4.x http://secunia.com/product/5687/ Ingate Firewall 4.x http://secunia.com/product/4050/ DESCRIPTION: Two vulnerabilities have been reported in Ingate Firewall and SIParator, which can be exploited by malicious people to conduct cross-site scripting attacks and to cause a DoS (Denial of Service). 1) An error exists within the handling of SSL/TLS handshake in the SIP module and in the web server. This can be exploited to cause the modules to crash via a specially-crafted handshake. Successful exploitation requires that SSL/TLS is enabled. 2) Input passed to unspecified parameters in the web interface isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in an administrator's browser session in context of the web interface. SOLUTION: Update to version 4.4.1. http://www.ingate.com/upgrades.php PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://www.ingate.com/relnote-441.php ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Internet Explorer 6 allows user-assisted remote attackers to read arbitrary files by tricking a user into typing the characters of the target filename in a text box and using the OnKeyDown, OnKeyPress, and OnKeyUp Javascript keystroke events to change the focus and cause those characters to be inserted into a file upload input control, which can then upload the file when the user submits the form. Mozilla Firefox allows cross-domain access to an iframe. This vulnerability could allow an attacker to interact with a web site in a different domain. The attacker could read content and cookies, capture keystrokes, and modify content. Mozilla Firefox does not filter input when sending certain URIs to registered protocol handlers. This may allow a remote, authenticated attacker to use Firefox as a vector for executing commands on a vulnerable system. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. SOLUTION: Disable Active Scripting support. Do not enter suspicious text when visiting untrusted web sites. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. ---------------------------------------------------------------------- TITLE: Mozilla Firefox Multiple Vulnerabilities SECUNIA ADVISORY ID: SA26095 VERIFY ADVISORY: http://secunia.com/advisories/26095/ CRITICAL: Highly critical IMPACT: Cross Site Scripting, Spoofing, DoS, System access WHERE: >From remote SOFTWARE: Mozilla Firefox 2.0.x http://secunia.com/product/12434/ DESCRIPTION: Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to conduct spoofing and cross-site scripting attacks and potentially to compromise a user's system. 1) Various errors in the browser engine can be exploited to cause memory corruption and potentially to execute arbitrary code. 2) Various errors in the Javascript engine can be exploited to cause memory corruption and potentially to execute arbitrary code. 3) An error in the "addEventListener" and "setTimeout" methods can be exploited to inject script into another site's context, circumventing the browser's same-origin policy. 4) An error in the cross-domain handling can be exploited to inject arbitrary HTML and script code in a sub-frame of another web site. This is related to vulnerability #5 in: SA21906 5) An unspecified error in the handling of elements outside of documents allows an attacker to call an event handler and execute arbitrary code with chrome privileges. 6) An unspecified error in the handling of "XPCNativeWrapper" can lead to execution of user-supplied code. SOLUTION: Update to version 2.0.0.5. PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Bernd Mielke, Boris Zbarsky, David Baron, Daniel Veditz, Jesse Ruderman, Lukas Loehrer, Martijn Wargers, Mats Palmgren, Olli Pettay, Paul Nickerson, and Vladimir Sukhoy. 2) The vendor credits Asaf Romano, Jesse Ruderman, and Igor Bukanov. 3, 5) The vendor credits moz_bug_r_a4 4) Ronen Zilberman and Michal Zalewski 6) The vendor credits shutdown and moz_bug_r_a4. ORIGINAL ADVISORY: http://www.mozilla.org/security/announce/2007/mfsa2007-18.html http://www.mozilla.org/security/announce/2007/mfsa2007-19.html http://www.mozilla.org/security/announce/2007/mfsa2007-20.html http://www.mozilla.org/security/announce/2007/mfsa2007-21.html http://www.mozilla.org/security/announce/2007/mfsa2007-25.html OTHER REFERENCES: SA21906: http://secunia.com/advisories/21906/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ---------------------------------------------------------------------- BETA test the new Secunia Personal Software Inspector! The Secunia PSI detects installed software on your computer and categorises it as either Insecure, End-of-Life, or Up-To-Date. Effectively enabling you to focus your attention on software installations where more secure versions are available from the vendors. The vulnerability is caused due to an error within the handling of "about:blank" pages loaded by chrome in an addon. This can be exploited to execute script code under chrome privileges by e.g. clicking on a link opened in an "about:blank" window created and populated in a certain ways by an addon. Successful exploitation requires that certain addons are installed. http://www.mozilla.com/en-US/firefox/ Thunderbird: Fixed in the upcoming version 2.0.0.6. http://www.mozilla.com/en-US/thunderbird/ SeaMonkey: Fixed in the upcoming version 1.1.4. For more information: SA26201 PROVIDED AND/OR DISCOVERED BY: moz_bug_r_a4 CHANGELOG: 2007-07-31: Updated "Description". Added link to vendor advisory. "mailto", "news", "nntp", "snews", "telnet"). using Firefox visits a malicious website with a specially crafted "mailto" URI containing a "%" character and ends in a certain extension (e.g. The vulnerability is confirmed on a fully patched Windows XP SP2 and Windows Server 2003 SP2 system using Firefox version 2.0.0.5 and Netscape Navigator version 9.0b2. Other versions and browsers may also be affected. SOLUTION: Do not browse untrusted websites or follow untrusted links. PROVIDED AND/OR DISCOVERED BY: Vulnerability discovered by: * Billy (BK) Rios Firefox not escaping quotes originally discussed by: * Jesper Johansson Additional research by Secunia Research. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA07-297B Adobe Updates for Microsoft Windows URI Vulnerability Original release date: October 24, 2007 Last revised: -- Source: US-CERT Systems Affected Microsoft Windows XP and Windows Server 2003 systems with Internet Explorer 7 and any of the following Adobe products: * Adobe Reader 8.1 and earlier * Adobe Acrobat Professional, 3D, and Standard 8.1 and earlier * Adobe Reader 7.0.9 and earlier * Adobe Acrobat Professional, 3D, Standard, and Elements 7.0.9 and earlier Overview Adobe has released updates for the Adobe Reader and Adobe Acrobat product families. The update addresses a URI handling vulnerability in Microsoft Windows XP and Server 2003 systems with Internet Explorer 7. I. Description Installing Microsoft Internet Explorer (IE) 7 on Windows XP or Server 2003 changes the way Windows handles Uniform Resource Identifiers (URIs). This change has introduced a flaw that can cause Windows to incorrectly determine the appropriate handler for the protocol specified in a URI. More information about this vulnerability is available in US-CERT Vulnerability Note VU#403150. Public reports indicate that this vulnerability is being actively exploited with malicious PDF files. Adobe has released Adobe Reader 8.1.1 and Adobe Acrobat 8.1.1, which mitigate this vulnerability. II. III. Solution Apply an update Adobe has released Adobe Reader 8.1.1 and Adobe Acrobat 8.1.1 to address this issue. These Adobe products handle URIs in a way that mitigates the vulnerability in Microsoft Windows. Disable the mailto: URI in Adobe Reader and Adobe Acrobat If you are unable to install an updated version of the software, this vulnerability can be mitigated by disabling the mailto: URI handler in Adobe Reader and Adobe Acrobat. Please see Adobe Security Bulletin APSB07-18 for details. Appendix A. Vendor Information Adobe For information about updating affected Adobe products, see Adobe Security Bulletin APSB07-18. Appendix B. References * Adobe Security Bulletin APSB07-18 - <http://www.adobe.com/support/security/bulletins/apsb07-18.htm> * Microsoft Security Advisory (943521) - <http://www.microsoft.com/technet/security/advisory/943521.mspx> * US-CERT Vulnerability Note VU#403150 - <http://www.kb.cert.org/vuls/id/403150> _________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA07-297B.html> _________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA07-297B Feedback VU#403150" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ Revision History October 24, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRx+8WPRFkHkM87XOAQIrOQf/USsBbfDmKZ4GCi8W2466mI+kZoEHoe/H 3l3p4/1cuFGoPHFfeDLbG+alXiHSAdXoX7Db34InEUKMs7kRUVPEdW9LggI9VaTJ lKnZJxM3dXL+zPCWcDkNqrmmzyJuXwN5FmSXhlcnN4+FRzNrZYwDe1UcOk3q6m1s VNPIBTrqfSuFRllNt+chV1vQ876LLweS+Xh1DIQ/VIyduqvTogoYZO4p2A0YJD57 4y0obNuk+IhgzyhZHtSsR0ql7rGrFr4S97XUQGbKOAZWcDzNGiXJ5FkrMTaP25OI LazBVDofVz8ydUcEkb4belgv5REpfYUJc9hRbRZ+IpbAay2j42m8NQ== =PgB9 -----END PGP SIGNATURE-----

The web server for D-Link Wireless Access-Point (DWL-2100ap) firmware 2.10na and earlier allows remote attackers to obtain sensitive system information via a request to an arbitrary .cfg file, which returns configuration information including passwords. D-Link DWL-2100ap is a popular wireless access point. Harm to remote attackers can use vulnerabilities to obtain sensitive information. Conditions Required for Attack An attacker must access D-Link DWL-2100AP. Vulnerability Information D-Link DWL-2100AP is a wireless router device. Test method http: //dlink-DWL-2100ap/cgi-bin/Intruders.cfg Vendor solutions can use the following third-party patches: http://www.dlinkbrasil.com.br/internet/downloads/Wireless/DWL-2100AP /DWL2100AP-firmware-v210na-r0343.tfp. D-Link DWL-2100AP devices are susceptible to a remote information-disclosure vulnerability. The devices fail to properly secure configuration information. This may aid them in further attacks. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. http://secunia.com/secunia_security_specialist/ ---------------------------------------------------------------------- TITLE: D-Link DWL-2100AP Exposure of Configuration Files SECUNIA ADVISORY ID: SA20474 VERIFY ADVISORY: http://secunia.com/advisories/20474/ CRITICAL: Less critical IMPACT: Exposure of sensitive information WHERE: >From local network OPERATING SYSTEM: D-Link DWL-2100AP http://secunia.com/product/4116/ DESCRIPTION: A security issue has been reported in D-Link DWL-2100AP, which can be exploited by malicious people to disclose sensitive information. The problem is caused due to configuration files being stored insecurely inside the "cgi-bin" directory. Example: http://[host]/cgi-bin/[file].cfg The security issue has been reported in firmware version 2.10na. Other versions may also be affected. SOLUTION: Filter traffic to the web interface of an affected device. PROVIDED AND/OR DISCOVERED BY: Wendel Guglielmetti Henrique and Intruders Tiger Team Security. ORIGINAL ADVISORY: http://www.intruders.org.br/adv0206en.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Buffer overflow in the web console in F-Secure Anti-Virus for Microsoft Exchange 6.40, and Internet Gatekeeper 6.40 through 6.42 and 6.50 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown attack vectors. NOTE: By default, the connections are only allowed from the local host. F-Secure Anti-Virus is prone to a denial-of-service vulnerability. ---------------------------------------------------------------------- Want to join the Secunia Security Team? Secunia offers a position as a security specialist, where your daily work involves reverse engineering of software and exploit code, auditing of source code, and analysis of vulnerability reports. The vulnerability is caused due to an unspecified boundary error within the web console prior to authentication and can be exploited to cause a buffer overflow. Successful exploitation crashes the web console process and may potentially allow execution of arbitrary code. The criticality of the vulnerability therefore depends on how the web console has been configured to accept connections. SOLUTION: Update to a fixed version or apply hotfix. -- F-Secure Anti-Virus for Microsoft Exchange -- Apply hotfix for version 6.40: ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse640-05.zip -- F-Secure Internet Gatekeeper -- Update to version 6.60 or apply hotfix (for version 6.50): ftp://ftp.f-secure.com/support/hotfix/fsig/fsigk650-01.zip PROVIDED AND/OR DISCOVERED BY: The vendor credits Mikko Korppi. ORIGINAL ADVISORY: http://www.f-secure.com/security/fsc-2006-3.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------