VARIoT IoT vulnerabilities database

VAR-200307-0025 | CVE-2003-0379 | Apple AFP Server Arbitrary file destruction vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unknown vulnerability in Apple File Service (AFP Server) for Mac OS X Server, when sharing files on a UFS or re-shared NFS volume, allows remote attackers to overwrite arbitrary files. A vulnerability has been discovered in Apple AFP Server. The problem presents itself when the application is serving files on a specific filesystem type. A remote attacker is said to be able to exploit this vulnerability to corrupt arbitrary files on the local system. Mac OS X is an operating system used on Mac machines, based on the BSD system. The included Apple Filing Protocol (AFP) is used for communication between the server and client machines in an AppleShare network. No detailed vulnerability details are currently available
VAR-200306-0044 | CVE-2003-0355 | Safari 1.0 Beta 2 (v73) certificate spoofing vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Safari 1.0 Beta 2 (v73) and earlier does not validate the Common Name (CN) field for X.509 Certificates, which could allow remote attackers to spoof certificates
VAR-200308-0094 | CVE-2003-0462 | Linux Kernel execve system call race condition vulnerability |
CVSS V2: 1.2 CVSS V3: - Severity: LOW |
A race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash). ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that it contains content about vulnerabilities other than the one in the title. Therefore, by changing the owner, it is possible to create, as a new executable file, a copy of a setuid executable that could not originally be read. As a result, a local attacker who exploits this issue can read a setuid executable file that could not originally be read. At this time, it has been reported that this issue could potentially be used to execute arbitrary code with elevated privileges. Please refer to the "Overview" for the impact of this vulnerability. The problem lies in the atomicity of placing the target executable's file descriptor within the current process descriptor and executing the file. Linux is an open source operating system. The execve() path contains the following code (fs/binfmt_elf.c):

    static int load_elf_binary(struct linux_binprm * bprm, struct pt_regs * regs)
    {
        struct file *interpreter = NULL; /* to shut gcc up */
        [...]
        retval = kernel_read(bprm->file, elf_ex.e_phoff, (char *) elf_phdata, size);
        if (retval < 0)
            goto out_free_ph;
        /* allocate a descriptor in the calling process's file table */
        retval = get_unused_fd();
        if (retval < 0)
            goto out_free_ph;
        get_file(bprm->file);
        /* install the open executable as a descriptor of the current process */
        fd_install(elf_exec_fileno = retval, bprm->file);

When executing a new binary program, the kernel installs the open executable's file descriptor into the file table of the current process (the execve() caller) and then executes it. This allows an attacker to read the contents of the suid program (even if the attacker does not have permission to read it)
VAR-200306-0042 | CVE-2003-0344 | OpenSSH contains buffer management errors |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to execute arbitrary code via / (slash) characters in the Type property of an Object tag in a web page. Versions of the OpenSSH server prior to 3.7.1 contain buffer management errors. While the full impact of these vulnerabilities is unclear, they may lead to memory corruption and a denial-of-service situation. A vulnerability exists in Microsoft's Remote Procedure Call (RPC) implementation. A remote attacker could exploit this vulnerability to cause a denial of service. An exploit for this vulnerability is publicly available. A Microsoft Windows DirectX library, quartz.dll, does not properly validate certain parameters in Musical Instrument Digital Interface (MIDI) files. A remotely exploitable vulnerability has been discovered in Internet Explorer. A remote attacker could execute arbitrary code with the privileges of the user running IE. When a web page containing an OBJECT tag using a parameter containing excessive data is encountered by a vulnerable client, an internal memory buffer will be overrun.
Description
Microsoft Windows operating systems include multimedia technologies
called DirectX and DirectShow. From Microsoft Security Bulletin
MS03-030, "DirectX consists of a set of low-level Application
Programming Interfaces (APIs) that are used by Windows programs for
multimedia support.
Any application that uses DirectX/DirectShow to process MIDI files may
be affected by this vulnerability. Of particular concern, Internet
Explorer (IE) uses the Windows Media Player ActiveX control and
quartz.dll to handle MIDI files embedded in HTML documents. An
attacker could therefore exploit this vulnerability by convincing a
victim to view an HTML document, such as a web page or an HTML email
message, that contains an embedded MIDI file. Note that in addition to
IE, a number of applications, including Outlook, Outlook Express,
Eudora, AOL, Lotus Notes, and Adobe PhotoDeluxe, use the WebBrowser
ActiveX control to interpret HTML documents.
Further technical details are available in eEye Digital Security
advisory AD20030723. Common Vulnerabilities and Exposures (CVE) refers
to these vulnerabilities as CAN-2003-0346.
Disable embedded MIDI files
Change the Run ActiveX controls and plug-ins security setting to
Disable in the Internet zone and the zone(s) used by Outlook, Outlook
Express, and any other application that uses the WebBrowser ActiveX
control to render HTML. This modification will prevent MIDI files from
being automatically loaded from HTML documents. This workaround is not
a complete solution and will not prevent attacks that attempt to load
MIDI files directly.
Instructions for modifying IE security zone settings can be found in
the CERT/CC Malicious Web Scripts FAQ.
References
* CERT/CC Vulnerability Note VU#561284 -
http://www.kb.cert.org/vuls/id/561284
* CERT/CC Vulnerability Note VU#265232 -
http://www.kb.cert.org/vuls/id/265232
* eEye Digital Security advisory AD20030723 -
http://www.eeye.com/html/Research/Advisories/AD20030723.html
* Microsoft Security Bulletin MS03-030 -
http://microsoft.com/technet/security/bulletin/MS03-030.asp
* Microsoft Knowledge Base article 819696 -
http://support.microsoft.com/default.aspx?scid=kb;en-us;819696
_________________________________________________________________
These vulnerabilities were researched and reported by eEye Digital
Security.
_________________________________________________________________
Feedback can be directed to the author, Art Manion.
CERT Summary CS-2003-04
November 24, 2003
Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
Summary to draw attention to the types of attacks reported to our
incident response team, as well as other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.
Past CERT summaries are available from:
CERT Summaries
http://www.cert.org/summaries/
______________________________________________________________________
Recent Activity
Since the last regularly scheduled CERT summary, issued in September
2003 (CS-2003-03), we have documented vulnerabilities in the Microsoft
Windows Workstation Service, RPCSS Service, and Exchange.
For more current information on activity being reported to the
CERT/CC, please visit the CERT/CC Current Activity page. The Current
Activity page is a regularly updated summary of the most frequent,
high-impact types of security incidents and vulnerabilities being
reported to the CERT/CC. The information on the Current Activity page
is reviewed and updated as reporting trends change.
CERT/CC Current Activity
http://www.cert.org/current/current_activity.html
1. W32/Mimail Variants
The CERT/CC has received reports of several new variants of the
'Mimail' worm. The most recent variant of the worm (W32/Mimail.J)
arrives as an email message alleging to be from the Paypal
financial service. The message requests that the recipient
'verify' their account information to prevent the suspension of
their Paypal account. Attached to the email is an executable file
which captures this information (if entered), and sends it to a
number of email addresses.
Current Activity - November 19, 2003
http://www.cert.org/current/archive/2003/11/19/archive.html#mimaili
2.
CERT Advisory CA-2003-28
Buffer Overflow in Windows Workstation Service
http://www.cert.org/advisories/CA-2003-28.html
Vulnerability Note VU#567620
Microsoft Windows Workstation service vulnerable to
buffer overflow when sent specially crafted network
message
http://www.kb.cert.org/vuls/id/567620
3.
CERT Advisory CA-2003-27
Multiple Vulnerabilities in Microsoft Windows and
Exchange
http://www.cert.org/advisories/CA-2003-27.html
Vulnerability Note VU#575892
Buffer overflow in Microsoft Windows Messenger Service
http://www.kb.cert.org/vuls/id/575892
Vulnerability Note VU#422156
Microsoft Exchange Server fails to properly handle
specially crafted SMTP extended verb requests
http://www.kb.cert.org/vuls/id/422156
Vulnerability Note VU#467036
Microsoft Windows Help and support Center contains buffer
overflow in code used to handle HCP protocol
http://www.kb.cert.org/vuls/id/467036
Vulnerability Note VU#989932
Microsoft Windows contains buffer overflow in Local
Troubleshooter ActiveX control (Tshoot.ocx)
http://www.kb.cert.org/vuls/id/989932
Vulnerability Note VU#838572
Microsoft Windows Authenticode mechanism installs ActiveX
controls without prompting user
http://www.kb.cert.org/vuls/id/838572
Vulnerability Note VU#435444
Microsoft Outlook Web Access (OWA) contains cross-site
scripting vulnerability in the "Compose New Message" form
http://www.kb.cert.org/vuls/id/435444
Vulnerability Note VU#967668
Microsoft Windows ListBox and ComboBox controls vulnerable
to buffer overflow when supplied crafted Windows message
http://www.kb.cert.org/vuls/id/967668
4. Multiple Vulnerabilities in SSL/TLS Implementations
Multiple vulnerabilities exist in the Secure Sockets Layer (SSL)
and Transport Layer Security (TLS) protocols allowing an attacker
to execute arbitrary code or cause a denial-of-service condition.
CERT Advisory CA-2003-26
Multiple Vulnerabilities in SSL/TLS Implementations
http://www.cert.org/advisories/CA-2003-26.html
Vulnerability Note VU#935264
OpenSSL ASN.1 parser insecure memory deallocation
http://www.kb.cert.org/vuls/id/935264
Vulnerability Note VU#255484
OpenSSL contains integer overflow handling ASN.1 tags (1)
http://www.kb.cert.org/vuls/id/255484
Vulnerability Note VU#380864
OpenSSL contains integer overflow handling ASN.1 tags (2)
http://www.kb.cert.org/vuls/id/380864
Vulnerability Note VU#686224
OpenSSL does not securely handle invalid public key when
configured to ignore errors
http://www.kb.cert.org/vuls/id/686224
Vulnerability Note VU#732952
OpenSSL accepts unsolicited client certificate messages
http://www.kb.cert.org/vuls/id/732952
Vulnerability Note VU#104280
Multiple vulnerabilities in SSL/TLS implementations
http://www.kb.cert.org/vuls/id/104280
Vulnerability Note VU#412478
OpenSSL 0.9.6k does not properly handle ASN.1 sequences
http://www.kb.cert.org/vuls/id/412478
5. These attacks include the
installation of tools for launching distributed denial-of-service
(DDoS) attacks, providing generic proxy services, reading
sensitive information from the Windows registry, and using a
victim system's modem to dial pay-per-minute services. The
vulnerability described in VU#865940 exists due to an interaction
between IE's MIME type processing and the way it handles HTML
application (HTA) files embedded in OBJECT tags.
6. W32/Swen.A Worm
On September 19, the CERT/CC began receiving a large volume of
reports of a mass mailing worm, referred to as W32/Swen.A,
spreading on the Internet. Similar to W32/Gibe.B in function, this
worm arrives as an attachment claiming to be a Microsoft Internet
Explorer Update or a delivery failure notice from qmail. The
W32/Swen.A worm requires a user to execute the attachment either
manually or by using an email client that will open the attachment
automatically. Upon opening the attachment, the worm attempts to
mail itself to all email addresses it finds on the system. The
CERT/CC updated the current activity page to contain further
information on this worm.
Current Activity - September 19, 2003
http://www.cert.org/current/archive/2003/09/19/archive.html#swena
7. Buffer Overflow in Sendmail
Sendmail, a widely deployed mail transfer agent (MTA), contains a
vulnerability that could allow an attacker to execute arbitrary
code with the privileges of the sendmail daemon, typically root.
CERT Advisory CA-2003-25
Buffer Overflow in Sendmail
http://www.cert.org/advisories/CA-2003-25.html
Vulnerability Note VU#784980
Sendmail prescan() buffer overflow vulnerability
http://www.kb.cert.org/vuls/id/784980
8. RPCSS Vulnerabilities in Microsoft Windows
On September 10, the CERT/CC reported on three vulnerabilities
that affect numerous versions of Microsoft Windows, two of which
are remotely exploitable buffer overflows that may allow an
attacker to execute code with system privileges.
CERT Advisory CA-2003-23
RPCSS Vulnerabilities in Microsoft Windows
http://www.cert.org/advisories/CA-2003-23.html
Vulnerability Note VU#483492
Microsoft Windows RPCSS Service contains heap overflow in
DCOM activation routines
http://www.kb.cert.org/vuls/id/483492
Vulnerability Note VU#254236
Microsoft Windows RPCSS Service contains heap overflow in
DCOM request filename handling
http://www.kb.cert.org/vuls/id/254236
Vulnerability Note VU#326746
Microsoft Windows RPC service vulnerable to
denial of service
http://www.kb.cert.org/vuls/id/326746
______________________________________________________________________
New CERT Coordination Center (CERT/CC) PGP Key
On October 15, the CERT/CC issued a new PGP key, which should be used
when sending sensitive information to the CERT/CC.
CERT/CC PGP Public Key
https://www.cert.org/pgp/cert_pgp_key.asc
Sending Sensitive Information to the CERT/CC
https://www.cert.org/contact_cert/encryptmail.html
______________________________________________________________________
What's New and Updated
Since the last CERT Summary, we have published new and updated
* Advisories
http://www.cert.org/advisories/
* Vulnerability Notes
http://www.kb.cert.org/vuls
* CERT/CC Statistics
http://www.cert.org/stats/cert_stats.html
* Congressional Testimony
http://www.cert.org/congressional_testimony
* Training Schedule
http://www.cert.org/training/
* CSIRT Development
http://www.cert.org/csirts/
______________________________________________________________________
This document is available from:
http://www.cert.org/summaries/CS-2003-04.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
______________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright © 2003 Carnegie Mellon University.
CERT Advisory CA-2003-19 Exploitation of Vulnerabilities in Microsoft RPC
Interface
Original issue date: July 31, 2003
Last revised: -
Source: CERT/CC
A complete revision history is at the end of this file.
I. Known exploits target TCP port 135 and create a
privileged backdoor command shell on successfully compromised hosts.
Some versions of the exploit use TCP port 4444 for the backdoor, and
other versions use a TCP port number specified by the intruder at
run-time. We have also received reports of scanning activity for
common backdoor ports such as 4444/TCP. In some cases, due to the RPC
service terminating, a compromised system may reboot after the
backdoor is accessed by an intruder. Based on
current information, we believe this vulnerability is separate and
independent from the RPC vulnerability addressed in MS03-026. The
CERT/CC is tracking this additional vulnerability as VU#326746 and is
continuing to work to understand the issue and mitigation strategies.
In both of the attacks described above, a TCP session to port 135 is
used to execute the attack. However, access to TCP ports 139 and 445
may also provide attack vectors and should be considered when applying
mitigation strategies.
II.
III. Solutions
Apply patches
All users are encouraged to apply the patches referred to in Microsoft
Security Bulletin MS03-026 as soon as possible in order to mitigate
the vulnerability described in VU#568148. These patches are also
available via Microsoft's Windows Update service.
Systems running Windows 2000 may still be vulnerable to at least a
denial of service attack via VU#326746 if their DCOM RPC service is
available via the network. Therefore, sites are encouraged to use the
packet filtering tips below in addition to applying the patches
supplied in MS03-026.
Filter network traffic
Sites are encouraged to block network access to the RPC service at
network borders. This can minimize the potential of denial-of-service
attacks originating from outside the perimeter. The specific services
that should be blocked include
* 135/TCP
* 135/UDP
* 139/TCP
* 139/UDP
* 445/TCP
* 445/UDP
If access cannot be blocked for all external hosts, the CERT/CC
recommends limiting access to only those hosts that require it for
normal operation. As a general rule, the CERT/CC recommends filtering
all types of network traffic that are not required for normal
operation.
Because current exploits for VU#568148 create a backdoor, which is in
some cases 4444/TCP, blocking inbound TCP sessions to ports on which
no legitimate services are provided may limit intruder access to
compromised hosts.
Recovering from a system compromise
If you believe a system under your administrative control has been
compromised, please follow the steps outlined in
Steps for Recovering from a UNIX or NT System Compromise
Reporting
The CERT/CC is tracking activity related to exploitation of the first
vulnerability (VU#568148) as CERT#27479 and the second vulnerability
(VU#326746) as CERT#24523. Relevant artifacts or activity can be sent
to cert@cert.org with the appropriate CERT# in the subject line.
Appendix A. Vendor Information
This appendix contains information provided by vendors. If a vendor is not listed below, we
have not received their comments.
Microsoft
Please see Microsoft Security Bulletin MS03-026.
Appendix B
VAR-200306-0061 | CVE-2003-0378 | Mac OS X LDAP plugins transmit user credentials in clear text |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Kerberos login authentication feature in Mac OS X, when used with an LDAPv3 server and LDAP bind authentication, may send cleartext passwords to the LDAP server when the AuthenticationAuthority attribute is not set. Versions 10.2 and later of Apple's Mac OS X operating system include support for the Lightweight Directory Access Protocol (LDAP). A vulnerability in the way some of these versions of Mac OS X handle authentication in certain environments could expose users' passwords in plaintext as they are transmitted across the network. It has been reported that Mac OS X may leak plain text passwords in a network that uses Kerberos. This could allow an attacker to gain unauthorized access to systems. Mac OS X is an operating system used on Mac machines, based on the BSD system. After authenticating the user with an encrypted password, the login window returns and attempts a simple bind to the server that transmits the account password in clear text
VAR-200305-0024 | CVE-2003-0258 | Cisco VPN 3000 Concentrator may allow access to internal hosts when IPsec over TCP is enabled |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco VPN 3000 series concentrators and Cisco VPN 3002 Hardware Client 3.5.x through 4.0.REL, when enabling IPSec over TCP for a port on the concentrator, allow remote attackers to reach the private network without authentication
VAR-200305-0025 | CVE-2003-0259 | Cisco VPN 3000 Concentrator forces device to reload when processing malformed SSH initialization packet |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco VPN 3000 series concentrators and Cisco VPN 3002 Hardware Client 2.x.x through 3.6.7 allow remote attackers to cause a denial of service (reload) via a malformed SSH initialization packet. The Cisco VPN 3000 series concentrator provides services to business or enterprise users. No detailed vulnerability details are available at present; the Cisco bug ID is CSCdz15393
VAR-200305-0026 | CVE-2003-0260 | Cisco VPN 3000 Concentrator vulnerable to DoS via large number of malformed ICMP packets |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco VPN 3000 series concentrators and Cisco VPN 3002 Hardware Client 2.x.x through 3.6.7A allow remote attackers to cause a denial of service (slowdown and possibly reload) via a flood of malformed ICMP packets
VAR-200306-0099 | CVE-2003-0225 | Microsoft IIS denial of service (DoS) vulnerability in processing malicious ASP files |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The ASP function Response.AddHeader in Microsoft Internet Information Server (IIS) 4.0 and 5.0 does not limit memory requests when constructing headers, which allows remote attackers to generate a large header to cause a denial of service (memory consumption) with an ASP page.
This vulnerability was initially described in BID 7728 and is now being assigned its own BID
VAR-200306-0100 | CVE-2003-0226 | Microsoft IIS WebDAV request processing denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Microsoft Internet Information Services (IIS) 5.0 and 5.1 allows remote attackers to cause a denial of service via a long WebDAV request with a (1) PROPFIND or (2) SEARCH method, which generates an error condition that is not properly handled. All current web, FTP, and email sessions will be terminated.
IIS will automatically restart and normal service will resume.
** It has been reported that if a WebDAV request with a certain number of bytes is received, the Inetinfo service will remain alive but cease serving requests. This will cause the IIS server to stop serving requests until the service is manually restarted.
This vulnerability was initially described in BID 7728 and is now being assigned its own BID
VAR-200306-0097 | CVE-2003-0223 | Microsoft IIS cross-site scripting vulnerability in URL redirect handling |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site scripting vulnerability (XSS) in the ASP function responsible for redirection in Microsoft Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to embed a URL containing script in a redirection message. An attacker could exploit this issue by enticing a web user to a malicious link which contains hostile HTML or script code. This code may be rendered in the user's browser when the redirection error page is displayed
VAR-200306-0098 | CVE-2003-0224 | Microsoft IIS buffer overflow vulnerability in SSI page requests |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in ssinc.dll for Microsoft Internet Information Services (IIS) 5.0 allows local users to execute arbitrary code via a web page with a Server Side Include (SSI) directive with a long filename, aka "Server Side Include Web Pages Buffer Overrun". Microsoft IIS ssinc.dll has been reported prone to a buffer overflow vulnerability.
The issue presents itself due to insufficient bounds checking performed on requests for server side includes.
This vulnerability was initially described in BID 7728 and is now being assigned its own BID
VAR-200305-0084 | No CVE | D-Link DI-704P Syslog.HTM Remote Denial of Service Attack Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The D-Link DI-704P is a 4-port broadband router. The syslog.htm page in the DI-704P's web interface incorrectly handles long input submitted by the user. A remote attacker can exploit this vulnerability to perform a denial of service attack on the router. The attacker submits a syslog.htm request containing a very long string to the web interface, such as the following URL sent to the internal interface: http://192.168.0.1/syslog.htm?D=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA The above URL causes the router to perform the following DNS query: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@xxxx.xx.comcast.net Since this hostname does not exist, the router finally answers "no such name". Because the DNS reply packet is much larger than the request packet, an attacker who submits multiple similar requests can cause the router to suffer a denial of service.
The issue presents itself in a D-Link web interface page. It has been reported that when excessive data is passed in a URI parameter in a request for the vulnerable page, the device behaves in an unstable manner.
Subsequent malicious requests may result in a complete denial of service condition requiring a device reboot, or in corruption of device logs.
Although unconfirmed, it should be noted that other D-Link devices that use related firmware might also be affected
VAR-200307-0036 | CVE-2003-0393 | Privatefirewall FIN/XMas Scanning communication processing vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Privacyware Privatefirewall 3.0 does not block certain incoming packets when in "Filter Internet Traffic" or "Deny Internet Traffic" modes, which allows remote attackers to identify running services via FIN scans or Xmas scans. It has been reported that Privatefirewall does not properly handle TCP traffic with certain flag settings. This may allow an attacker to circumvent firewall filtering. Privatefirewall is a firewall package that integrates a personal firewall and an intrusion detection system. Privatefirewall does not properly handle packets with certain flag combinations. Remote attackers can exploit this vulnerability to bypass filtering restrictions and access protected resources. The filtering rules of Privatefirewall cannot detect FIN and Xmas scans, so attackers can use scanning tools such as NMAP to scan protected resources and obtain sensitive information
VAR-200306-0102 | CVE-2003-0240 | Various Axis products allow unauthorized remote privileged access |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The web-based administration capability for various Axis Network Camera products allows remote attackers to bypass access restrictions and modify configuration via an HTTP request to the admin/admin.shtml containing a leading // (double slash). A vulnerability in various Axis Communications products may allow unauthorized remote privileged access. By making a request for a specially formatted URL, it may be possible for remote users to access the administrative configuration interface without being prompted for authentication. Axis network video products can transmit and capture on-site images directly over an IP network, allowing users to view and manage the camera system with a web browser. The management tool of the Axis network video system does not properly enforce user access restrictions. Once the Axis network video system is set up, a web-based management tool is provided for users to configure and manage the camera system, accessed by requesting the following URL: http://camera-ip/admin/admin.shtml This URL requires a user name and password, but due to the incorrect design of the access restrictions, an attacker can access the management interface without a password by submitting the following URL: http://camera-ip//admin/admin.shtml The attacker can then reset the root password, modify the configuration file through the telnet service, and execute arbitrary commands on the system with root privileges through non-interactive access
VAR-200312-0193 | CVE-2003-1091 | Apple QuickTime/Darwin Streaming Server integer overflow in MP3Broadcaster utility |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Integer overflow in MP3Broadcaster for Apple QuickTime/Darwin Streaming Server 4.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via malformed ID3 tags in MP3 files. Apple's QuickTime and Darwin Streaming Server (DSS) package includes a utility called MP3Broadcaster. This utility contains an integer overflow which may be exploited to cause a denial of service.
MP3Broadcaster has been reported prone to a vulnerability when processing malicious ID3 tags. This is likely due to insufficient sanity checks performed when handling signed integer values contained within MP3 file ID3 tags. MP3Broadcaster is an MP3 broadcasting program included in the Darwin streaming service program. MP3Broadcaster does not correctly process the ID3 tag. Remote attackers can use this vulnerability to construct malicious MP3 files, trigger integer-based buffer overflows, and perform denial-of-service attacks on service programs. Malicious MP3 files can cause MP3Broadcaster to segfault
VAR-200305-0089 | No CVE | Cisco IOS Service Assurance Agent Malformed Packet Denial Of Service Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
It has been reported that Cisco IOS is vulnerable to an issue in handling Service Assurance Agent (previously called Response Time Reporter, or RTR) packets. Because of this, a remote user may be able to cause the router to become unstable and crash.
VAR-200305-0083 | No CVE | Cisco IOS Crypto Engine Accelerator Access Control List Bypass Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Internet Operating System (IOS) is an operating system used on Cisco routers. When a Cisco router enables the crypto engine accelerator, the use of an access control list allows unauthorized types of traffic through, which a remote attacker can exploit to bypass the access control list and reach the protected network. The problem occurs if the Cisco router has the following configuration:

    crypto engine accelerator
    PPPoE dialer
    ip route-cache

together with an access control list on the external interface that allows only inbound ISAKMP and IPsec traffic, such as:

    ip access-list extended Block-Inbound-unwanted-Trafic
     permit udp 100.100.100.0 0.0.0.255 host 102.168.1.2 eq isakmp
     permit esp 100.100.100.0 0.0.0.255 host 102.168.1.2
     deny ip any any log

Because the IPsec traffic is parsed twice by the inbound access control list, unauthorized traffic can reach the protected network. For example, the ACL allows an attacker to inject forged packets into the internal network. However, if a static crypto map is used, this problem does not exist, because unencrypted traffic is discarded when it is parsed by the ACL. In the case of a dynamic crypto map, for a forged packet to bypass the access list and reach the network, the attacker must control the neighbor router connected to the ACL interface in order to complete the attack
VAR-200505-1007 | CVE-2005-1027 | PHP-Nuke Your_Account Cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 6.x through 7.6 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter in the Your_Account module, (2) avatarcategory parameter in the Your_Account module, or (3) lid parameter in the Downloads module. It is reported that the PHP-Nuke 'Your_Account' module is affected by a cross-site scripting vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied URI input.
This issue could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials.
This vulnerability is reported to affect PHP-Nuke version 7.6 and previous versions
VAR-200312-0469 | CVE-2003-1468 | PHP-Nuke Web_Links Module path leak vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The Web_Links module in PHP-Nuke 6.0 through 6.5 final allows remote attackers to obtain the full web server path via an invalid cid parameter that is non-numeric or null, which leaks the pathname in an error message. The Web_Links module for PHP-Nuke has been reported prone to a vulnerability which, when exploited, may disclose sensitive path information to a remote attacker.
An attacker may use the information gathered in this manner to mount further attacks against the host.
It should be noted that although PHP-Nuke version 6.x has been reported vulnerable, other versions might also be affected. There is a vulnerability in the Web_Links module of PHP-Nuke versions 6.0 through 6.5 final