VARIoT IoT vulnerabilities database

Safari version 2.0 (412) does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability.". An attacker may exploit this vulnerability to spoof an interface of a trusted web site. This issue may allow a remote attacker to carry out phishing style attacks. Safari is Apple's answer to browser software. TITLE: Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA17813 VERIFY ADVISORY: http://secunia.com/advisories/17813/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Spoofing, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes 13 vulnerabilities. 1) An error in the handling of HTTP headers in the Apache 2 web server can be exploited by malicious people to conduct HTTP request smuggling attacks when Apache is used in conjunction with certain proxy servers, caching servers, or web application firewalls. For more information: SA14530 2) An error in the Apache web server's "mod_ssl" module may be exploited by malicious people to bypass certain security restrictions. For more information: SA16700 3) A boundary error exists in CoreFoundation when resolving certain URL. This can be exploited to cause a heap-based buffer overflow and may allow arbitrary code execution via a specially-crafted URL. CoreFoundation is used by Safari and other applications. 4) An error in curl when handling NTLM authentication can be exploited by malicious people to compromise a user's system. For more information: SA17193 5) An error exists in the ODBC Administrator utility helper tool "iodbcadmintoo". This can be exploited by malicious, local users to execute commands with escalated privileges. 6) An error in OpenSSL when handling certain compatibility options can potentially be exploited by malicious people to perform protocol rollback attacks. For more information: SA17151 7) An error in the passwordserver when handling the creation of an Open Directory master server may cause certain credentials to be disclosed. This can be exploited by unprivileged local users to gain elevated privileges on the server. 8) An integer overflow error exists in the PCRE library that is used by Safari's JavaScript engine. This can potentially be exploited by malicious people to compromise a user's system. For more information: SA16502 9) An error exists in Safari when saving a downloaded file with an overly long filename. This can be exploited to cause the download file to be saved outside of the designated download directory. 10) JavaScript dialog boxes in Safari do not indicate the web site that created them. For more information: SA15474 11) A boundary error exists in WebKit when handling certain specially crafted content. This can be exploited to cause a heap-based buffer overflow via content downloaded from malicious web sites in applications that use WebKit such as Safari. 12) An error in sudo can be exploited by malicious, local users to execute arbitrary commands with escalated privileges. For more information: SA15744 13) The syslog server does not properly sanitise messages before recording them. This can be exploited to forge log entries and mislead the system administrator by supplying messages certaining control characters, such as the newline character, to the syslog server. SOLUTION: Apply Security Update 2005-009. Mac OS X 10.3.9 Client (Panther): http://www.apple.com/support/downloads/securityupdate2005009pantherclient.html Mac OS X 10.3.9 Server (Panther): http://www.apple.com/support/downloads/securityupdate2005009pantherserver.html Mac OS X 10.4.3 Client (Tiger): http://www.apple.com/support/downloads/securityupdate2005009tigerclient.html Mac OS X 10.4.3 Server (Tiger): http://www.apple.com/support/downloads/securityupdate2005009tigerserver.html PROVIDED AND/OR DISCOVERED BY: 10) Jakob Balle, Secunia Research. 11) Neil Archibald, Suresec LTD and Marco Mella. 13) HELIOS Software GmbH. ORIGINAL ADVISORY: http://docs.info.apple.com/article.html?artnum=302847 OTHER REFERENCES: SA14530: http://secunia.com/advisories/14530/ SA16700: http://secunia.com/advisories/16700/ SA17193: http://secunia.com/advisories/17193/ SA17151: http://secunia.com/advisories/17151/ SA16502: http://secunia.com/advisories/16502/ SA15474: http://secunia.com/advisories/15474/ SA15744: http://secunia.com/advisories/15744/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Safari Dialog Origin Spoofing Vulnerability SECUNIA ADVISORY ID: SA15474 VERIFY ADVISORY: http://secunia.com/advisories/15474/ CRITICAL: Less critical IMPACT: Spoofing WHERE: >From remote SOFTWARE: Safari 1.x http://secunia.com/product/1543/ DESCRIPTION: Secunia Research has discovered a vulnerability in Safari, which can be exploited by malicious web sites to spoof dialog boxes. The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open e.g. Secunia has constructed a test, which can be used to check if your browser is affected by this issue: http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/ The vulnerability has been confirmed in version 2.0 (412). Prior versions may also be affected. SOLUTION: Do not browse untrusted web sites while browsing trusted sites

Cisco VPN 3000 Concentrator before 4.1.7.F allows remote attackers to determine valid groupnames by sending an IKE Aggressive Mode packet with the groupname in the ID field, which generates a response if the groupname is valid, but does not generate a response for an invalid groupname. Cisco IOS and Cisco PIX Firewall In IKE Valid group names in aggressive mode messages / There are vulnerabilities whose responses differ depending on the invalidity. In addition, there is a vulnerability that can analyze the hash value from the response when requesting a valid group name.A valid group name and password hash may be obtained. Cisco VPN Concentrator is affected by a remote groupname enumeration weakness. This issue is due to a design error that could assist a remote attacker in enumerating groupnames. Reportedly, once the attacker has verified a groupname they can obtain a password hash from an affected device and carry out bruteforce attacks against the password hash. A valid groupname and password pair can allow the attacker to complete IKE Phase-1 authentication and carry out man-in-the-middle attacks against other users. This may ultimately allow the attacker to gain unauthorized access to the network. All Cisco VPN Concentrator 3000 series products running groupname authentication are considered vulnerable to this issue. This issue is tracked by the following Cisco BUG IDs: CSCeg00323, CSCsb38075, and CSCsf25725 - for the Cisco VPN 3000 Series Concentrators CSCei29901 - for the Cisco PIX 500 Series Security Appliances running code version 7.x CSCei51783 - for the Cisco ASA 5500 Series Adaptive Security Appliances running code version 7.x CSCsb26495 and CSCsb33172 - for Cisco IOS® software. Cisco VPN series hubs consist of a general-purpose remote access virtual private network (VPN) platform and client software that combines high availability, performance, and scalability with today's most advanced encryption and authentication technologies, providing professional operators with or enterprise users to provide services. A remote group name enumeration vulnerability exists in Cisco VPN hubs that could allow an attacker to use a dictionary program to determine valid group names on the hub

Cisco switches that support 802.1x security allow remote attackers to bypass port security and gain access to the VLAN via spoofed Cisco Discovery Protocol (CDP) messages. Catalyst is prone to a security bypass vulnerability

GIPTables Firewall 1.1 and earlier allows local users to overwrite arbitrary files via a symlink attack on the temp.ip.addresses temporary file. Giptables Firewall is prone to a local security vulnerability. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: GIPTables Firewall Insecure Temporary File Creation SECUNIA ADVISORY ID: SA15604 VERIFY ADVISORY: http://secunia.com/advisories/15604/ CRITICAL: Not critical IMPACT: Privilege escalation WHERE: Local system SOFTWARE: GIPTables Firewall 1.x http://secunia.com/product/5214/ DESCRIPTION: Eric Romang has reported a vulnerability in GIPTables Firewall, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. The vulnerability is caused due to temporary files being created insecurely. The vulnerability has been reported in version 1.1 and prior. SOLUTION: Grant only trusted users access to affected systems. PROVIDED AND/OR DISCOVERED BY: Eric Romang, ZATAZ Audit ORIGINAL ADVISORY: http://www.zataz.net/adviso/giptables-05222005.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

IEEE 802.1X is a standard for authenticating network clients (or ports) based on user IDs or devices. An authentication bypass vulnerability exists in Cisco switches that allows an attacker to anonymously access a voice VLAN. An attacker can spoof CDP packets, play Cisco IP phones, and join voice VLANs anonymously. This may allow an attacker to access network resources without the expected 802.1x authentication. Because network administrators may think that switch port access is limited to authenticated users, it can lead to erroneous security awareness. Once an attacker gains access to a voice VLAN, they can launch further attacks on the server or host, or eavesdrop on VOIP sessions. Further network attacks are also possible at this point

Unspecified vulnerability in the Apple Mac OS X kernel before 10.4.2 allows remote attackers to cause a denial of service (kernel panic) via a crafted TCP packet, possibly related to source routing or loose source routing. Apple Mac OS X Tiger Dashboard executes arbitrary widgets with the same "bundle identifier" as a system widget. This can allow a user-installed widget to override a system-installed one. Apple Mac OS X is prone to a remote denial of service vulnerability. The issue exists due to a NULL pointer dereference that manifests in the kernel when specially crafted TCP/IP packets of an unspecified type are processed. A remote attacker may exploit this condition to trigger a kernel panic on a target computer, effectively denying service for legitimate users. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Two Vulnerabilities SECUNIA ADVISORY ID: SA16047 VERIFY ADVISORY: http://secunia.com/advisories/16047/ CRITICAL: Moderately critical IMPACT: Manipulation of data, DoS WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Two vulnerabilities have been reported in Mac OS X, which can be exploited by malicious people to cause a DoS (Denial of Service) or replace system widgets on a user's system. 2) An error in the Dashboard can be exploited to install widgets with the same internal identifier (CFBundleIdentifier) as an Apple-supplied widgets thereby replacing it. SOLUTION: Apply patches. Mac OS X Server 10.4.2 Combo: http://www.apple.com/support/downloads/macosxserver1042combo.html Mac OS X Update 10.4.2: http://www.apple.com/support/downloads/macosxupdate1042.html Mac OS X Update 10.4.2 Combo: http://www.apple.com/support/downloads/macosxupdate1042combo.html PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Julian Y. Koh. 2) mithras.the.prophet ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=301948 mithras.the.prophet: http://www1.cs.columbia.edu/~aaron/files/widgets/ OTHER REFERENCES: US-CERT VU#983429: http://www.kb.cert.org/vuls/id/983429 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The CoreGraphics Window Server in Mac OS X 10.4.1 allows local users with console access to gain privileges by "launching commands into root sessions.". Apple has released Security Update 2005-006 to address multiple local and remote Mac OS X vulnerabilities. The following new vulnerabilities were addressed by the security update: - A buffer overflow (CAN-2005-1721) in the AFP (Apple File Protocol) Server. - A vulnerability (CAN-2005-1720) in AFP Server related to temporary ACLs. - A denial of service vulnerability (CAN-2005-1722) in the CoreGraphics component. - A local privilege escalation (CAN-2005-1726) in the CoreGraphics component. - A local race condition vulnerability (CAN-2005-1727) related to permissions on the system cache and Dashboard folders. - A local privilege escalation vulnerability (CAN-2005-1725) in the launch daemon (launchd). - A vulnerability in Launch Services (CAN-2005-1723) could allow files to bypass "safe download" checks. - A vulnerability (CAN-2005-1728) in the MCX Client that may allow local attackers to gain access to Portable Home Directory credentials. - A vulnerability in NFS (CAN-2005-1724) could allow unauthorized access to exported filesystems. These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. Successful exploitation allows execution of arbitrary code. 2) A bug in AFP Server when using an ACL-enabled storage volume may in certain situations result in an ACL remaining attached when a file with POSIX-only permissions is copied. 3) An input validation error can be exploited to access arbitrary files on a Bluetooth-enabled system using directory traversal attacks via the Bluetooth file and object exchange services. 4) A weakness in CoreGraphics can be exploited via a specially crafted PDF document to crash an application using either PDFKit or CoreGraphics to rendor PDF documents. 7) A race condition in the temporary file creation of launchd can be exploited by malicious, local users to take ownership of arbitrary files on the system. 8) An error in LaunchServices can result in file extensions and MIME types marked as unsafe to bypass download safety checks if they're not mapped to an Apple UTI (Uniform Type Identifier). 10) A security issue in NFS causes a NFS export restricted using "-network" and "-mask" to be exported to "everyone". 11) Multiple vulnerabilities in PHP can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. For more information: SA14792 12) A boundary error in vpnd can be exploited by malicious, local users to cause a buffer overflow via an overly long Server_id parameter and execute arbitrary code with escalated privileges on systems configured as a VPN server. SOLUTION: Apply Security Update 2005-006. Mac OS X 10.3.9: http://www.apple.com/support/downloads/securityupdate2005006macosx1039.html Mac OS X 10.4.1: http://www.apple.com/support/downloads/securityupdate2005006macosx1041.html PROVIDED AND/OR DISCOVERED BY: 3) Kevin Finisterre, digitalmunition.com. 4) Chris Evans 6) Michael Haller 7) Neil Archibald 12) Pieter de Boer ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=301742 OTHER REFERENCES: SA14792: http://secunia.com/advisories/14792/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

MCX Client for Apple Mac OS X 10.4.x up to 10.4.1 insecurely logs Portable Home Directory credentials, which allows local users to obtain the credentials. The following new vulnerabilities were addressed by the security update: - A buffer overflow (CAN-2005-1721) in the AFP (Apple File Protocol) Server. - A vulnerability (CAN-2005-1720) in AFP Server related to temporary ACLs. - A denial of service vulnerability (CAN-2005-1722) in the CoreGraphics component. - A local privilege escalation (CAN-2005-1726) in the CoreGraphics component. - A local race condition vulnerability (CAN-2005-1727) related to permissions on the system cache and Dashboard folders. - A local privilege escalation vulnerability (CAN-2005-1725) in the launch daemon (launchd). - A vulnerability in Launch Services (CAN-2005-1723) could allow files to bypass "safe download" checks. - A vulnerability in NFS (CAN-2005-1724) could allow unauthorized access to exported filesystems. These vulnerabilities will be separated into individual BIDs upon further analysis of the issues

Apple Mac OS X 10.4.x up to 10.4.1 sets insecure world- and group-writable permissions for the (1) system cache folder and (2) Dashboard system widgets, which allows local users to conduct unauthorized file operations via "file race conditions.". Apple has released Security Update 2005-006 to address multiple local and remote Mac OS X vulnerabilities. The following new vulnerabilities were addressed by the security update: - A buffer overflow (CAN-2005-1721) in the AFP (Apple File Protocol) Server. - A vulnerability (CAN-2005-1720) in AFP Server related to temporary ACLs. - A denial of service vulnerability (CAN-2005-1722) in the CoreGraphics component. - A local privilege escalation (CAN-2005-1726) in the CoreGraphics component. - A local race condition vulnerability (CAN-2005-1727) related to permissions on the system cache and Dashboard folders. - A local privilege escalation vulnerability (CAN-2005-1725) in the launch daemon (launchd). - A vulnerability in Launch Services (CAN-2005-1723) could allow files to bypass "safe download" checks. - A vulnerability (CAN-2005-1728) in the MCX Client that may allow local attackers to gain access to Portable Home Directory credentials. - A vulnerability in NFS (CAN-2005-1724) could allow unauthorized access to exported filesystems. These vulnerabilities will be separated into individual BIDs upon further analysis of the issues

launchd 106 in Apple Mac OS X 10.4.x up to 10.4.1 allows local users to overwrite arbitrary files via a symlink attack on the socket file in an insecure temporary directory. Apple has released Security Update 2005-006 to address multiple local and remote Mac OS X vulnerabilities. The following new vulnerabilities were addressed by the security update: - A buffer overflow (CAN-2005-1721) in the AFP (Apple File Protocol) Server. - A vulnerability (CAN-2005-1720) in AFP Server related to temporary ACLs. - A denial of service vulnerability (CAN-2005-1722) in the CoreGraphics component. - A local privilege escalation (CAN-2005-1726) in the CoreGraphics component. - A local race condition vulnerability (CAN-2005-1727) related to permissions on the system cache and Dashboard folders. - A local privilege escalation vulnerability (CAN-2005-1725) in the launch daemon (launchd). - A vulnerability in Launch Services (CAN-2005-1723) could allow files to bypass "safe download" checks. - A vulnerability (CAN-2005-1728) in the MCX Client that may allow local attackers to gain access to Portable Home Directory credentials. - A vulnerability in NFS (CAN-2005-1724) could allow unauthorized access to exported filesystems. These vulnerabilities will be separated into individual BIDs upon further analysis of the issues

NFS on Apple Mac OS X 10.4.x up to 10.4.1 does not properly obey the -network or -mask flags for a filesystem and exports it to everyone, which allows remote attackers to bypass intended access restrictions. Apple has released Security Update 2005-006 to address multiple local and remote Mac OS X vulnerabilities. The following new vulnerabilities were addressed by the security update: - A buffer overflow (CAN-2005-1721) in the AFP (Apple File Protocol) Server. - A vulnerability (CAN-2005-1720) in AFP Server related to temporary ACLs. - A denial of service vulnerability (CAN-2005-1722) in the CoreGraphics component. - A local privilege escalation (CAN-2005-1726) in the CoreGraphics component. - A local race condition vulnerability (CAN-2005-1727) related to permissions on the system cache and Dashboard folders. - A local privilege escalation vulnerability (CAN-2005-1725) in the launch daemon (launchd). - A vulnerability in Launch Services (CAN-2005-1723) could allow files to bypass "safe download" checks. - A vulnerability (CAN-2005-1728) in the MCX Client that may allow local attackers to gain access to Portable Home Directory credentials. - A vulnerability in NFS (CAN-2005-1724) could allow unauthorized access to exported filesystems. These vulnerabilities will be separated into individual BIDs upon further analysis of the issues

LaunchServices in Apple Mac OS X 10.4.x up to 10.4.1 does not properly mark file extensions and MIME types as unsafe if an Apple Uniform Type Identifier (UTI) is not created when the type is added to the database of unsafe types, which could allow attackers to bypass intended restrictions. Apple has released Security Update 2005-006 to address multiple local and remote Mac OS X vulnerabilities. The following new vulnerabilities were addressed by the security update: - A buffer overflow (CAN-2005-1721) in the AFP (Apple File Protocol) Server. - A vulnerability (CAN-2005-1720) in AFP Server related to temporary ACLs. - A denial of service vulnerability (CAN-2005-1722) in the CoreGraphics component. - A local privilege escalation (CAN-2005-1726) in the CoreGraphics component. - A local race condition vulnerability (CAN-2005-1727) related to permissions on the system cache and Dashboard folders. - A local privilege escalation vulnerability (CAN-2005-1725) in the launch daemon (launchd). - A vulnerability in Launch Services (CAN-2005-1723) could allow files to bypass "safe download" checks. - A vulnerability (CAN-2005-1728) in the MCX Client that may allow local attackers to gain access to Portable Home Directory credentials. - A vulnerability in NFS (CAN-2005-1724) could allow unauthorized access to exported filesystems. These vulnerabilities will be separated into individual BIDs upon further analysis of the issues. If the ? The MIME type is marked as unsafe

Unknown vulnerability in the CoreGraphics Window Server for Mac OS X 10.4.x up to 10.4.1 allows local users to inject arbitrary commands into root sessions. Apple has released Security Update 2005-006 to address multiple local and remote Mac OS X vulnerabilities. The following new vulnerabilities were addressed by the security update: - A buffer overflow (CAN-2005-1721) in the AFP (Apple File Protocol) Server. - A vulnerability (CAN-2005-1720) in AFP Server related to temporary ACLs. - A denial of service vulnerability (CAN-2005-1722) in the CoreGraphics component. - A local privilege escalation (CAN-2005-1726) in the CoreGraphics component. - A local race condition vulnerability (CAN-2005-1727) related to permissions on the system cache and Dashboard folders. - A local privilege escalation vulnerability (CAN-2005-1725) in the launch daemon (launchd). - A vulnerability in Launch Services (CAN-2005-1723) could allow files to bypass "safe download" checks. - A vulnerability (CAN-2005-1728) in the MCX Client that may allow local attackers to gain access to Portable Home Directory credentials. - A vulnerability in NFS (CAN-2005-1724) could allow unauthorized access to exported filesystems. These vulnerabilities will be separated into individual BIDs upon further analysis of the issues

Buffer overflow in the legacy client support for AFP Server for Mac OS X 10.4.1 allows attackers to execute arbitrary code. Apple has released Security Update 2005-006 to address multiple local and remote Mac OS X vulnerabilities. The following new vulnerabilities were addressed by the security update: - A buffer overflow (CAN-2005-1721) in the AFP (Apple File Protocol) Server. - A vulnerability (CAN-2005-1720) in AFP Server related to temporary ACLs. - A denial of service vulnerability (CAN-2005-1722) in the CoreGraphics component. - A local privilege escalation (CAN-2005-1726) in the CoreGraphics component. - A local race condition vulnerability (CAN-2005-1727) related to permissions on the system cache and Dashboard folders. - A local privilege escalation vulnerability (CAN-2005-1725) in the launch daemon (launchd). - A vulnerability in Launch Services (CAN-2005-1723) could allow files to bypass "safe download" checks. - A vulnerability (CAN-2005-1728) in the MCX Client that may allow local attackers to gain access to Portable Home Directory credentials. - A vulnerability in NFS (CAN-2005-1724) could allow unauthorized access to exported filesystems. These vulnerabilities will be separated into individual BIDs upon further analysis of the issues

AFP Server for Mac OS X 10.4.1, when using an ACL enabled volume, does not properly remove an ACL when a file is copied to a directory that does not use ACLs, which will override the POSIX file permissions for that ACL. Apple has released Security Update 2005-006 to address multiple local and remote Mac OS X vulnerabilities. The following new vulnerabilities were addressed by the security update: - A buffer overflow (CAN-2005-1721) in the AFP (Apple File Protocol) Server. - A vulnerability (CAN-2005-1720) in AFP Server related to temporary ACLs. - A denial of service vulnerability (CAN-2005-1722) in the CoreGraphics component. - A local privilege escalation (CAN-2005-1726) in the CoreGraphics component. - A local race condition vulnerability (CAN-2005-1727) related to permissions on the system cache and Dashboard folders. - A local privilege escalation vulnerability (CAN-2005-1725) in the launch daemon (launchd). - A vulnerability in Launch Services (CAN-2005-1723) could allow files to bypass "safe download" checks. - A vulnerability (CAN-2005-1728) in the MCX Client that may allow local attackers to gain access to Portable Home Directory credentials. - A vulnerability in NFS (CAN-2005-1724) could allow unauthorized access to exported filesystems. These vulnerabilities will be separated into individual BIDs upon further analysis of the issues

Dashboard in Apple Mac OS X Tiger 10.4 allows attackers to execute arbitrary commands by overriding the behavior of system widgets via a user widget with the same bundle identifier (CFBundleIdentifier), a different vulnerability than CVE-2005-1474. This can allow a user-installed widget to override a system-installed one. Mac OS X is prone to a remote security vulnerability. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Two Vulnerabilities SECUNIA ADVISORY ID: SA16047 VERIFY ADVISORY: http://secunia.com/advisories/16047/ CRITICAL: Moderately critical IMPACT: Manipulation of data, DoS WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Two vulnerabilities have been reported in Mac OS X, which can be exploited by malicious people to cause a DoS (Denial of Service) or replace system widgets on a user's system. 1) A NULL pointer dereference error in the TCP/IP implementation can be exploited to crash the kernel via a specially crafted TCP/IP packet. 2) An error in the Dashboard can be exploited to install widgets with the same internal identifier (CFBundleIdentifier) as an Apple-supplied widgets thereby replacing it. SOLUTION: Apply patches. Koh. 2) mithras.the.prophet ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=301948 mithras.the.prophet: http://www1.cs.columbia.edu/~aaron/files/widgets/ OTHER REFERENCES: US-CERT VU#983429: http://www.kb.cert.org/vuls/id/983429 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Tomcat to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling.". A vulnerability in a common PHP extension module could allow a remote attacker to execute code on a vulnerable system. Multiple vendors' products are prone to HTTP-request-smuggling issues. Attackers can piggyback an HTTP request inside of another HTTP request. By leveraging failures to implement the HTTP/1.1 RFC properly, attackers can launch cache-poisoning, cross-site scripting, session-hijacking, and other attacks. Title: CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities CA Advisory Reference: CA20090123-01 CA Advisory Date: 2009-01-23 Reported By: n/a Impact: Refer to the CVE identifiers for details. Summary: Multiple security risks exist in Apache Tomcat as included with CA Cohesion Application Configuration Manager. CA has issued an update to address the vulnerabilities. Refer to the References section for the full list of resolved issues by CVE identifier. Mitigating Factors: None Severity: CA has given these vulnerabilities a Medium risk rating. Affected Products: CA Cohesion Application Configuration Manager 4.5 Non-Affected Products CA Cohesion Application Configuration Manager 4.5 SP1 Affected Platforms: Windows Status and Recommendation: CA has issued the following update to address the vulnerabilities. CA Cohesion Application Configuration Manager 4.5: RO04648 https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=search &searchID=RO04648 How to determine if you are affected: 1. Using Windows Explorer, locate the file "RELEASE-NOTES". 2. By default, the file is located in the "C:\Program Files\CA\Cohesion\Server\server\" directory. 3. Open the file with a text editor. 4. If the version is less than 5.5.25, the installation is vulnerable. Workaround: None References (URLs may wrap): CA Support: http://support.ca.com/ CA20090123-01: Security Notice for Cohesion Tomcat https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=1975 40 Solution Document Reference APARs: RO04648 CA Security Response Blog posting: CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx Reported By: n/a CVE References: CVE-2005-2090 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090 CVE-2005-3510 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510 CVE-2006-3835 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835 CVE-2006-7195 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7195 CVE-2006-7196 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7196 CVE-2007-0450 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450 CVE-2007-1355 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355 CVE-2007-1358 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358 CVE-2007-1858 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858 CVE-2007-2449 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449 CVE-2007-2450 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450 CVE-2007-3382 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382 CVE-2007-3385 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385 CVE-2007-3386 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386 CVE-2008-0128 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128 *Note: the issue was not completely fixed by Tomcat maintainers. OSVDB References: Pending http://osvdb.org/ Changelog for this advisory: v1.0 - Initial Release v1.1 - Updated Impact, Summary, Affected Products Customers who require additional information should contact CA Technical Support at http://support.ca.com. For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com. If you discover a vulnerability in CA products, please report your findings to the CA Product Vulnerability Response Team. https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=1777 82 Regards, Ken Williams, Director ; 0xE2941985 CA Product Vulnerability Response Team CA, 1 CA Plaza, Islandia, NY 11749 Contact http://www.ca.com/us/contact/ Legal Notice http://www.ca.com/us/legal/ Privacy Policy http://www.ca.com/us/privacy/ Copyright (c) 2009 CA. All rights reserved. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Nucleus XML-RPC PHP Code Execution Vulnerability SECUNIA ADVISORY ID: SA15895 VERIFY ADVISORY: http://secunia.com/advisories/15895/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: Nucleus 3.x http://secunia.com/product/3699/ DESCRIPTION: A vulnerability has been reported in Nucleus, which can be exploited by malicious people to compromise a vulnerable system. For more information: SA15852 SOLUTION: Update to version 3.21. http://sourceforge.net/project/showfiles.php?group_id=66479 OTHER REFERENCES: SA15852: http://secunia.com/advisories/15852/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01178795 Version: 1 HPSBUX02262 SSRT071447 rev. 1 - HP-UX running Apache, Remote Arbitrary Code Execution, Cross Site Scripting (XSS) NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2007-10-02 Last Updated: 2007-10-02 Potential Security Impact: Remote arbitrary code execution, cross site scripting (XSS) Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with Apache running on HP-UX. The vulnerabilities could be exploited remotely via Cross Site Scripting (XSS) to execute arbitrary code. References: CVE-2005-2090, CVE-2006-5752, CVE-2007-0450, CVE-2007-0774, CVE-2007-1355, CVE-2007-1358, CVE-2007-1860, CVE-2007-1863, CVE-2007-1887, CVE-2007-1900, CVE-2007-2449, CVE-2007-2450, CVE-2007-2756, CVE-2007-2872, CVE-2007-3382, CVE-2007-3385, CVE-2007-3386. SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.11, B.11.23, B.11.31 running Apache BACKGROUND To determine if a system has an affected version, search the output of "swlist -a revision -l fileset" for an affected fileset. Then determine if the recommended patch or update is installed. AFFECTED VERSIONS For IPv4: HP-UX B.11.11 ============= hpuxwsAPACHE action: install revision A.2.0.59.00 or subsequent restart Apache URL: https://www.hp.com/go/softwaredepot/ For IPv6: HP-UX B.11.11 HP-UX B.11.23 HP-UX B.11.31 ============= hpuxwsAPACHE,revision=B.1.0.00.01 hpuxwsAPACHE,revision=B.1.0.07.01 hpuxwsAPACHE,revision=B.1.0.08.01 hpuxwsAPACHE,revision=B.1.0.09.01 hpuxwsAPACHE,revision=B.1.0.10.01 hpuxwsAPACHE,revision=B.2.0.48.00 hpuxwsAPACHE,revision=B.2.0.49.00 hpuxwsAPACHE,revision=B.2.0.50.00 hpuxwsAPACHE,revision=B.2.0.51.00 hpuxwsAPACHE,revision=B.2.0.52.00 hpuxwsAPACHE,revision=B.2.0.53.00 hpuxwsAPACHE,revision=B.2.0.54.00 hpuxwsAPACHE,revision=B.2.0.55.00 hpuxwsAPACHE,revision=B.2.0.56.00 hpuxwsAPACHE,revision=B.2.0.58.00 hpuxwsAPACHE,revision=B.2.0.58.01 action: install revision B.2.0.59.00 or subsequent restart Apache URL: https://www.hp.com/go/softwaredepot/ END AFFECTED VERSIONS RESOLUTION HP has made the following available to resolve the vulnerability. HP-UX Apache-based Web Server v.2.18 powered by Apache Tomcat Webmin or subsequent. The update is available on https://www.hp.com/go/softwaredepot/ Note: HP-UX Apache-based Web Server v.2.18 powered by Apache Tomcat Webmin contains HP-UX Apache-based Web Server v.2.0.59.00. MANUAL ACTIONS: Yes - Update Install HP-UX Apache-based Web Server v.2.18 powered by Apache Tomcat Webmin or subsequent. PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all HP-issued Security Bulletins and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa HISTORY Revision: 1 (rev.1) - 02 October 2007 Initial release Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems - verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." \xa9Copyright 2007 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQA/AwUBRwVCruAfOvwtKn1ZEQK1YgCfavU7x1Hs59uLdP26lpZFwMxKofIAn3gJ HHoe3AY1sc6hrW3Xk+B1hcbr =+E1W -----END PGP SIGNATURE----- . Summary: Updated Tomcat and Java JRE packages for VirtualCenter 2.0.2, ESX Server 3.0.2, and ESX 3.0.1. Relevant releases: VirtualCenter Management Server 2 ESX Server 3.0.2 without patch ESX-1002434 ESX Server 3.0.1 without patch ESX-1003176 3. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-2090, CVE-2006-7195, and CVE-2007-0450 to these issues. JRE Security Update This release of VirtualCenter Server updates the JRE package from 1.5.0_7 to 1.5.0_12, which addresses a security issue that existed in the earlier release of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-3004 to this issue. Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. Solution: Please review the Patch notes for your product and version and verify the md5sum of your downloaded file. VMware VirtualCenter 2.0.2 Update 2 Release Notes http://www.vmware.com/support/vi3/doc/releasenotes_vc202u2.html VirtualCenter CD image md5sum d7d98a5d7f8afff32cee848f860d3ba7 VirtualCenter as Zip md5sum 3b42ec350121659e10352ca2d76e212b ESX Server 3.0.2 http://kb.vmware.com/kb/1002434 md5sum: 2f52251f6ace3d50934344ef313539d5 ESX Server 3.0.1 http://kb.vmware.com/kb/1003176 md5sum: 5674ca0dcfac90726014cc316444996e 5. Contact: E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce@lists.vmware.com * bugtraq@securityfocus.com * full-disclosure@lists.grok.org.uk E-mail: security@vmware.com Security web site http://www.vmware.com/security VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2008 VMware Inc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2013-4286 Incomplete fix for CVE-2005-2090 (Information disclosure) Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 8.0.0-RC1 - - Apache Tomcat 7.0.0 to 7.0.42 - - Apache Tomcat 6.0.0 to 6.0.37 Description: The fix for CVE-2005-2090 was not complete. It did not cover the following cases: - - content-length header with chunked encoding over any HTTP connector - - multiple content-length headers over any AJP connector Requests with multiple content-length headers or with a content-length header when chunked encoding is being used should be rejected as invalid. When multiple components (firewalls, caches, proxies and Tomcat) process a sequence of requests where one or more requests contain either multiple content-length headers or a content-length header when chunked encoding is being used and several components do not reject the request and make different decisions as to which content-length header to use an attacker can poison a web-cache, perform an XSS attack and obtain sensitive information from requests other then their own. Tomcat now rejects requests with multiple content-length headers or with a content-length header when chunked encoding is being used. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 8.0.0-RC3 or later (8.0.0-RC2 contains the fix but was not released) - - Upgrade to Apache Tomcat 7.0.47 or later (7.0.43 to 7.0.46 contain the fix but were not released) - - Upgrade to Apache Tomcat 6.0.39 or later (6.0.38 contains the fix but was not released) Credit: This issue was identified by the Apache Tomcat security team while investigating an invalid report related to CVE-2005-2090

Fortinet firewall running FortiOS 2.x contains a hardcoded username with the password set to the serial number, which allows local users with console access to gain privileges. Fortinet Firewall is prone to a remote security vulnerability. A local user with console access could exploit this vulnerability to gain privileges

Nortel VPN Router (aka Contivity) allows remote attackers to cause a denial of service (crash) via an IPsec IKE packet with a malformed ISAKMP header. Multiple Nortel Networks products are prone to a remote denial of service vulnerability. The issue manifests when the affected appliance processes an IKE main packet (ISAKMP) header of a certain type. When the packet is processed, the vulnerability is triggered and the device crashes, effectively denying service for legitimate users. Nortel VPN routers provide routing, VPN, firewall, bandwidth management, encryption, authentication, and data integrity functions for secure connections over IP networks and the Internet. A denial of service vulnerability exists in the Nortel VPN router product (formerly known as Nortel Contivity) when performing VPN security tests on users

D-Link DSL-504T stores usernames and passwords in cleartext in the router configuration file, which allows remote attackers to obtain sensitive information. DSL-504T is prone to a information disclosure vulnerability