VARIoT IoT vulnerabilities database

Unspecified vulnerability in SAP Web Application Server 6.40 before patch 136 and 7.00 before patch 66 allows remote attackers to cause a denial of service (enserver.exe crash) via a 0x72F2 sequence on UDP port 64999. Exploiting this issue allows remote attackers to consume excessive system resources until the software becomes unresponsive to further calls, effectively denying service to legitimate users. These versions are affected: - 6.40 patch 135 and prior - 7.00 patch 55 and prior. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. 1) Due to an unspecified error it is possible to read arbitrary files on the system with privileges of the web server. 2) An unspecified error allows crashing the enserver.exe process. The vulnerabilities are reported in version 6.40 and 7.00. PROVIDED AND/OR DISCOVERED BY: Nicob ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Security Agent Management Center (CSAMC) 5.1 before 5.1.0.79 does not properly handle certain LDAP error messages, which allows remote attackers to bypass authentication requirements via an empty password when using an external LDAP server. Exploiting this issue allows remote attackers to gain administrative access to the web-based administrative interface of the affected application. This issue affects Cisco Security Agent Management Center 5.1 prior to 5.1.0.79. This issue is being tracked by Cisco Bug ID CSCsg40822. Cisco Security Agent (CSA) provides threat protection for server and desktop computing systems. There is a loophole in CSA processing LDAP authentication, and remote attackers may use this loophole to obtain unauthorized management rights. If the administrator has the configuration or deployment role, it is possible to change the policies of the managed CSA clients. This can lead to a reduction in the security posture of the managed system and an attack on the managed system. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. The vulnerability is reported in version 5.1 prior to Hotfix 5.1.0.79. SOLUTION: Apply Hotfix 5.1.0.79 PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/en/US/products/products_security_advisory09186a00807726f7.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The \Device\SandBox driver in Outpost Firewall PRO 4.0 (964.582.059) allows local users to cause a denial of service (system crash) via an invalid argument to the DeviceIoControl function that triggers an invalid memory operation. Outpost Firewall PRO is prone to a local denial-of-service vulnerability because the application fails to properly handle unexpected input. Exploiting this issue allows local attackers to crash affected computers, denying service to legitimate users. Outpost Firewall PRO 4.0 (964.582.059) is vulnerable to this issue; other versions may also be affected. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: Outpost Firewall "Sandbox" Driver Denial Of Service Vulnerability SECUNIA ADVISORY ID: SA22673 VERIFY ADVISORY: http://secunia.com/advisories/22673/ CRITICAL: Not critical IMPACT: DoS WHERE: Local system SOFTWARE: Outpost Firewall Pro 4.x http://secunia.com/product/12472/ DESCRIPTION: Matousec has discovered a vulnerability in Outpost Firewall, which can be exploited by malicious, local users to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the handling of data sent to the "Device\Sandbox" device. This can be exploited to crash a vulnerable system by sending arbitrary data to the said device. The vulnerability is confirmed in version 4.0.964.6926 (582). Other versions may be affected as well. SOLUTION: Restrict access to trusted users only. PROVIDED AND/OR DISCOVERED BY: Matousec Transparent Security ORIGINAL ADVISORY: Matousec Transparent Security: http://www.matousec.com/info/advisories/Outpost-Insufficient-validation-of-SandBox-driver-input-buffer.php ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

SQL injection vulnerability in modules/journal/search.php in the Journal module in Francisco Burzi PHP-Nuke 7.9 and earlier allows remote attackers to execute arbitrary SQL commands via the forwhat parameter. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation. PHP-Nuke 7.9 and prior versions are vulnerable. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: PHP-Nuke "forwhat" SQL Injection Vulnerability SECUNIA ADVISORY ID: SA22617 VERIFY ADVISORY: http://secunia.com/advisories/22617/ CRITICAL: Moderately critical IMPACT: Manipulation of data WHERE: >From remote SOFTWARE: PHP-Nuke 7.x http://secunia.com/product/2385/ DESCRIPTION: Paisterist has discovered a vulnerability in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "forwhat" parameter in modules/journal/search.php is not properly sanitised, before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerability is confirmed in version 7.9. SOLUTION: Edit the source code to ensure that input is properly verified. PROVIDED AND/OR DISCOVERED BY: Paisterist ORIGINAL ADVISORY: http://www.neosecurityteam.net/index.php?action=advisories&id=29 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

ECI Telecom B-FOCuS Wireless 802.11b/g ADSL2+ Router allows remote attackers to read arbitrary files via a certain HTTP request, as demonstrated by a request for a router configuration file, related to the /html/defs/ URI. ECI Telecom's B-FOCuS ADSL2+ Combo332+ wireless router is prone to an information-disclosure vulnerability. The router's Web-Based Management interface fails to authenticate users before providing access to sensitive information. Exploiting this issue may allow an unauthenticated remote attacker to retrieve sensitive information from the affected device, which may aid in further attacks. B-Focus ADSL2+ does not properly configure the web management interface, attackers can list directories, read routers and configuration files by sending specially crafted requests. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: ECI B-FOCuS Wireless Router Information Disclosure SECUNIA ADVISORY ID: SA22667 VERIFY ADVISORY: http://secunia.com/advisories/22667/ CRITICAL: Moderately critical IMPACT: Exposure of sensitive information WHERE: >From local network OPERATING SYSTEM: B-FOCuS Router 332+ http://secunia.com/product/12485/ DESCRIPTION: Tal Argoni has reported a vulnerability in B-FOCuS Wireless router, which can be exploited by malicious people to disclose certain sensitive information. The problem is due to improper authentication in the web-based management, which can be exploited by an unauthenticated person to read the router's configuration files. PROVIDED AND/OR DISCOVERED BY: Tal Argoni ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

D-Link DSL-G624T firmware 3.00B01T01.YA-C.20060616 allows remote attackers to list contents of the cgi-bin directory via unspecified vectors, probably a direct request. D-Link DSL-G624T Is cgi-bin A vulnerability exists that lists directory contents.By a third party cgi-bin The contents of the directory may be listed. D-Link DSL-G624T firmware 3.00B01T01.YA-C.20060616 has an unknown information disclosure vulnerability. Dsl-G624t is prone to a remote security vulnerability

Multiple cross-site scripting (XSS) vulnerabilities in cgi-bin/webcm in D-Link DSL-G624T firmware 3.00B01T01.YA-C.20060616 allow remote attackers to inject arbitrary web script or HTML via the (1) upnp:settings/state or (2) upnp:settings/connection parameters. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. Currently the following type of positions are available: http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: D-Link DSL-G624T Directory Traversal and Cross-Site Scripting SECUNIA ADVISORY ID: SA22524 VERIFY ADVISORY: http://secunia.com/advisories/22524/ CRITICAL: Less critical IMPACT: Cross Site Scripting, Exposure of sensitive information WHERE: >From local network SOFTWARE: D-Link DSL-G624T http://secunia.com/product/12420/ DESCRIPTION: Jose Ramon Palanco has reported some vulnerabilities in D-Link DSL-G624T, which can be exploited by malicious people to conduct cross-site scripting attacks or to disclose certain sensitive information. 1) Input passed to the "upnp%3Asettings%2Fstate" and "upnp%3Asettings%2Fconnection" parameters in cgi-bin/webcm is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 2) Input passed to the "getpage" parameter in cgi-bin/webcm is not properly verified before being used. This can be exploited to disclose the content of certain files via directory traversal attacks. The vulnerabilities are reported in firmware version V3.00B01T01.YA-C.20060616. Other versions may also be affected. SOLUTION: Do not visit other web sites while accessing the device and use it only in a trusted network. PROVIDED AND/OR DISCOVERED BY: Jose Ramon Palanco ORIGINAL ADVISORY: http://www.eazel.es/advisory005-D-Link-DSL-G624T-directoy-transversal-xss-cross-site-scripting-directory-listing-vulnerabilities.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Security Agent (CSA) for Linux 4.5 before 4.5.1.657 and 5.0 before 5.0.0.193, as used by Unified CallManager (CUCM) and Unified Presence Server (CUPS), allows remote attackers to cause a denial of service (resource consumption) via a port scan with certain options. Successfully exploiting this issue allows remote attackers to cause the affected software to enter into an unresponsive state, denying further service to legitimate users. This issue does not affect CSA for Windows or Solaris. Cisco Security Agent (CSA) provides threat protection for server and desktop computing systems. Vulnerabilities exist when CSA handles special cases such as port scanning, and remote attackers may exploit this vulnerability to degrade service responsiveness. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. The vulnerability is caused due to an error within the detection of port scans. SOLUTION: Apply Hotfixes. http://www.cisco.com/pcgi-bin/tablebuild.pl/cups-10?psrtdcat20e2 CSA version 4.5 for Linux: Apply Hotfix 4.5.1.657 CSA version 5.0 for Linux: Apply Hotfix 5.0.0.193 CUCM 5.0 version including 5.0(4): Apply COS COP upgrade. CUPS 1.0 version including 1.0(2): Apply COS COP upgrade. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/en/US/products/products_security_advisory09186a00807693c7.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

3Com Switch SS3 4400 switches, firmware 5.11, 6.00 and 6.10 and earlier, allow remote attackers to read the SNMP Read-Write Community string and conduct unauthorized actions via unspecified "normally restricted management packets on the device" that cause the community string to be returned. 3Com SS3 4400 Switch products are prone to an information-disclosure vulnerability. An attacker can exploit this issue to retrieve potentially sensitive information. The impact of successful exploits may allow various operations on the device, including disabling ports and reconfiguring a VLAN. Note that this issue may be exploited only through the management VLAN that the affected device is connected to. Firmware versions 5.11, 6.00, and 6.10 or earlier are vulnerable. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: 3Com SuperStack 3 Switch 4400 Information Disclosure SECUNIA ADVISORY ID: SA22818 VERIFY ADVISORY: http://secunia.com/advisories/22818/ CRITICAL: Less critical IMPACT: Exposure of sensitive information WHERE: >From local network OPERATING SYSTEM: 3Com SuperStack 3 Switch 4400 Family http://secunia.com/product/450/ DESCRIPTION: A security issue has been reported in the 3Com SuperStack 3 Switch 4400 family, which can be exploited by malicious people to gain knowledge of sensitive information. Successful exploitation requires access to the management VLAN. SOLUTION: An update is reportedly available for customers with a software maintenance agreement or via the 3Com Partner Access site. PROVIDED AND/OR DISCOVERED BY: The vendor credits Andrew Brennan. ORIGINAL ADVISORY: http://www.3com.com/securityalert/alerts/3COM-06-004.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Directory traversal vulnerability in /cgi-bin/webcm in INCA IM-204 allows remote attackers to read arbitrary files via a "/./." (modified dot dot) sequences in the getpage parameter. INCA IM-204 devices are prone to a remote information-disclosure vulnerability because the devices fail to properly sanitize user-supplied input. Exploiting this issue allows remote, unauthenticated attackers to gain access to potentially sensitive configuration information from affected devices. This may aid them in further attacks. This BID may be related to BID 20689; the issues are very similar in nature. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: INCA IM-204 "getpage" Parameter Information Disclosure SECUNIA ADVISORY ID: SA22557 VERIFY ADVISORY: http://secunia.com/advisories/22557/ CRITICAL: Less critical IMPACT: Exposure of sensitive information WHERE: >From local network OPERATING SYSTEM: INCA IM-204 http://secunia.com/product/12440/ DESCRIPTION: Crackers_Child has reported a vulnerability in INCA IM-204, which can be exploited by malicious people to disclose potential sensitive information. Input passed to the "getpage" parameter in cgi-bin/webcm is not properly verified before being used. This can be exploited to disclose the content of certain files via directory traversal attacks. SOLUTION: Use the device only in a trusted network. PROVIDED AND/OR DISCOVERED BY: Crackers_Child ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The SAVRT.SYS device driver, as used in Symantec AntiVirus Corporate Edition 8.1 and 9.0.x up to 9.0.3, and Symantec Client Security 1.1 and 2.0.x up to 2.0.3, allows local users to execute arbitrary code via a modified address for the output buffer argument to the DeviceIOControl function. Symantec AntiVirus and Symantec Client Security are prone to a privilege-escalation vulnerability. Local attackers can exploit this issue to corrupt memory and execute arbitrary code with kernel-level privileges. Successful exploits may facilitate a complete system compromise. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. The vulnerability is caused due to an improper validation of the output buffer address space of a "DeviceIOControl()" call in the SAVRT.SYS device driver. PROVIDED AND/OR DISCOVERED BY: The vendor credits Boon Seng Lim. ORIGINAL ADVISORY: Symantec: http://www.symantec.com/avcenter/security/Content/2006.10.23.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Directory traversal vulnerability in cgi-bin/webcm in D-Link DSL-G624T firmware 3.00B01T01.YA-C.20060616 allows remote attackers to read arbitrary files via a .. (dot dot) in the getpage parameter. D-Link DSL-G624T of cgi-bin/webcm Contains a directory traversal vulnerability.By a third party .. A remote attacker can read any file using .. D-Link DSL-G624T devices are prone to a remote information-disclosure vulnerability because the devices fail to properly sanitize user-supplied input. Exploiting this issue allows remote, unauthenticated attackers to gain access to potentially sensitive configuration information from affected devices. This may aid them in further attacks. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. Currently the following type of positions are available: http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: D-Link DSL-G624T Directory Traversal and Cross-Site Scripting SECUNIA ADVISORY ID: SA22524 VERIFY ADVISORY: http://secunia.com/advisories/22524/ CRITICAL: Less critical IMPACT: Cross Site Scripting, Exposure of sensitive information WHERE: >From local network SOFTWARE: D-Link DSL-G624T http://secunia.com/product/12420/ DESCRIPTION: Jose Ramon Palanco has reported some vulnerabilities in D-Link DSL-G624T, which can be exploited by malicious people to conduct cross-site scripting attacks or to disclose certain sensitive information. 1) Input passed to the "upnp%3Asettings%2Fstate" and "upnp%3Asettings%2Fconnection" parameters in cgi-bin/webcm is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 2) Input passed to the "getpage" parameter in cgi-bin/webcm is not properly verified before being used. The vulnerabilities are reported in firmware version V3.00B01T01.YA-C.20060616. Other versions may also be affected. SOLUTION: Do not visit other web sites while accessing the device and use it only in a trusted network. PROVIDED AND/OR DISCOVERED BY: Jose Ramon Palanco ORIGINAL ADVISORY: http://www.eazel.es/advisory005-D-Link-DSL-G624T-directoy-transversal-xss-cross-site-scripting-directory-listing-vulnerabilities.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

PHP remote file inclusion vulnerability in functions.php in DeltaScripts PHP Classifieds 7.1 allows remote attackers to execute arbitrary PHP code via a URL in the set_path parameter. Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible. Version 7.1 is vulnerable; other versions may also be affected. This BID is being retired because further information shows that the application is not vulnerable to this issue

Unspecified vulnerability in Toshiba Bluetooth wireless device driver 3.x and 4 through 4.00.35, as used in multiple products, allows physically proximate attackers to cause a denial of service (crash), corrupt memory, and possibly execute arbitrary code via crafted Bluetooth packets. Bluetooth Wireless Device Driver is prone to a denial-of-service vulnerability. Attackers can exploit this issue to crash the affected application, denying service to legitimate users. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. Currently the following type of positions are available: http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Toshiba Bluetooth Stack Memory Corruption Vulnerability SECUNIA ADVISORY ID: SA22402 VERIFY ADVISORY: http://secunia.com/advisories/22402/ CRITICAL: Moderately critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: Toshiba Bluetooth Stack 4.x http://secunia.com/product/6807/ Toshiba Bluetooth Stack 3.x http://secunia.com/product/6806/ DESCRIPTION: A vulnerability has been reported in Toshiba Bluetooth Stack, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. Successful exploitation requires knowledge of the Bluetooth device address. The vulnerability is reported in version 3.x and versions 4 through 4.00.35. Other versions may also be affected. NOTE: Products from other vendors using the Toshiba Bluetooth Stack may also be affected. The Toshiba Bluetooth Stack running on 64-bit platforms is reportedly not affected. SOLUTION: Update to the latest version. PROVIDED AND/OR DISCOVERED BY: David Maynor, SecureWorks and Jon Ellch. ORIGINAL ADVISORY: http://www.secureworks.com/press/20061011-dell.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

XORP (eXtensible Open Router Platform) 1.2 and 1.3 allows remote attackers to cause a denial of service (application crash) via an Open Shortest Path First (OSPF) Link State Advertisement (LSA) with an invalid LSA length field. Exploiting this issue allows remote, unauthenticated attackers to crash the application, denying further service to legitimate users. eXtensible Open Router Platform versions 1.2 and 1.3 are vulnerable to this issue. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. Currently the following type of positions are available: http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: XORP OSPF Link State Advertisements Denial of Service SECUNIA ADVISORY ID: SA22462 VERIFY ADVISORY: http://secunia.com/advisories/22462/ CRITICAL: Moderately critical IMPACT: DoS WHERE: >From remote SOFTWARE: XORP 1.x http://secunia.com/product/12372/ DESCRIPTION: Mu Security has reported a vulnerability in XORP, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an out of bounds read when processing Link State Advertisements (LSA). This can be exploited to crash the OSPF daemon by sending LSAs with invalid length values. The vulnerability is reported in XORP 1.2 and 1.3. Other versions may also be affected. SOLUTION: Follow vendor instructions to apply patches. http://www.xorp.org/advisories/XORP_SA_06:01.ospf.txt PROVIDED AND/OR DISCOVERED BY: Mu Security ORIGINAL ADVISORY: XORP Project Advisory: http://www.xorp.org/advisories/XORP_SA_06:01.ospf.txt Mu Security Advisory: http://labs.musecurity.com/advisories/MU-200610-01.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Kerio WinRoute Firewall 6.2.2 and earlier allows remote attackers to cause a denial of service (crash) via malformed DNS responses. Kerio WinRoute Firewall is prone to a remote denial-of-service vulnerability. Exploiting this issue may permit an attacker to crash affected devices, denying further network services to legitimate users. Kerio WinRoute Firewall 6.2.2 and prior versions are vulnerable; other versions may also be affected. Kerio WinRoute Firewall is a gateway firewall for small and medium businesses. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: Kerio WinRoute Firewall DNS Response Denial of Service SECUNIA ADVISORY ID: SA22986 VERIFY ADVISORY: http://secunia.com/advisories/22986/ CRITICAL: Moderately critical IMPACT: DoS WHERE: >From remote SOFTWARE: Kerio WinRoute Firewall 6.x http://secunia.com/product/3613/ DESCRIPTION: A vulnerability has been reported in Kerio WinRoute Firewall, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an unspecified error when processing malformed DNS responses. This can be exploited to crash the application. SOLUTION: Update to version 6.2.3. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in my.acctab.php3 in F5 Networks FirePass 1000 SSL VPN 5.5, and possibly earlier, allows remote attackers to inject arbitrary web script or HTML via the sid parameter. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Version 5.5 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. Input passed to the "sid" parameter in my.acctab.php3 is not properly sanitised before being returned to the user. The vulnerability is reported in FirePass 1000 SSL VPN version 5.5. PROVIDED AND/OR DISCOVERED BY: Richard Brain, ProCheckUp ORIGINAL ADVISORY: http://www.procheckup.com/Vulner_PR0603b.php ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

McAfee Network Agent (mcnasvc.exe) 1.0.178.0, as used by multiple McAfee products possibly including Internet Security Suite, Personal Firewall Plus, and VirusScan, allows remote attackers to cause a denial of service (agent crash) via a long packet, possibly because of an invalid string position field value. NOTE: some of these details are obtained from third party information. McAfee Network Agent is prone to a remote denial-of-service vulnerability because the service fails to properly handle excessive network data. Exploiting this issue may cause the affected application to crash, denying service to legitimate users. Version 1.0.178.0 is vulnerable; other versions may also be affected. Remote attackers may use this vulnerability to perform denial of service attacks on services. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. This can be exploited to crash the service by sending a specially crafted message with an invalid value in the string position field. SOLUTION: Restrict access to the service. PROVIDED AND/OR DISCOVERED BY: JAAScois ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco 2700 Series Wireless Location Appliances before 2.1.34.0 have a default administrator username "root" and password "password," which allows remote attackers to obtain administrative privileges, aka Bug ID CSCsb92893. An attacker may use prior knowledge to log into the device to gain access to the device's administrative section. This could aid in further attacks. Cisco 2700 Series Wireless Location Appliance versions prior to 2.1.34.0 are vulnerable

Multiple PHP remote file inclusion vulnerabilities in Vtiger CRM 4.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the calpath parameter to (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, or (3) modules/Calendar/calendar.php. (1) modules/Calendar/admin/update.php To calpath Parameters (2) modules/Calendar/admin/scheme.php To calpath Parameters (3) modules/Calendar/calendar.php To calpath Parameters. vtiger CRM is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. This may allow an attacker to compromise the application and the underlying system; other attacks are also possible. vtiger CRM 4.2 and prior versions are vulnerable; other versions may also be affected