VARIoT IoT vulnerabilities database
| VAR-200605-0543 | CVE-2006-2166 | Cisco Unity Express User Authentication Local privilege escalation vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Unspecified vulnerability in the HTTP management interface in Cisco Unity Express (CUE) 2.2(2) and earlier, when running on any CUE Advanced Integration Module (AIM) or Network Module (NM), allows remote authenticated attackers to reset the password for any user with an expired password. Cisco Unity Express (CUE) is prone to a privilege-escalation vulnerability. An attacker could reset the password of a privileged account that has an expired password. Cisco Unity is an advanced unified communications solution for enterprise-level organizations that provides messaging services and intelligent voice messaging services. Cisco Unity's handling of user authentication contains a flaw; local attackers may use it to elevate their privileges. The problem lies in the authentication process of the HTTP-based management interface. If the targeted user is an administrator, an attacker could gain administrator privileges on the device.
TITLE:
Cisco Unity Express Expired Password Change Vulnerability
SECUNIA ADVISORY ID:
SA19881
VERIFY ADVISORY:
http://secunia.com/advisories/19881/
CRITICAL:
Less critical
IMPACT:
Security Bypass, Manipulation of data
WHERE:
From local network
SOFTWARE:
Cisco Unity Express 2.x
http://secunia.com/product/5151/
DESCRIPTION:
A vulnerability has been reported in Cisco Unity Express (CUE), which
can be exploited by malicious users to manipulate certain
information.
The vulnerability is caused due to missing restrictions in the HTTP
management interface during password changes. This makes it possible
for an authenticated user to change the password for another user
with an expired password (including newly created users with
blank/randomly selected passwords).
Successful exploitation may e.g. grant administrative privileges on a
CUE module, if the changed expired password belongs to an
administrative user.
SOLUTION:
Update to version 2.3(1) or later.
http://www.cisco.com/pcgi-bin/tablebuild.pl/cue-231?psrtdcat20e2
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Xu He and Keith Vaughan, Bank of America
Application Assessment Team.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20060501-cue.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200605-0505 | CVE-2006-2129 | Pro Publish set_inc.php Direct Static Code Injection Vulnerability |
CVSS V2: 5.5 CVSS V3: - Severity: MEDIUM |
Direct static code injection vulnerability in Pro Publish 2.0 allows remote authenticated administrators to execute arbitrary PHP code by editing certain settings, which are stored in set_inc.php. Harm: remote attackers can use these vulnerabilities to obtain sensitive information. Conditions required for the attack: an attacker must be able to access DeltaScripts PHP Pro Publish. Vulnerability information: DeltaScripts PHP Pro Publish is a PHP-based article management program. The problem is that multiple scripts do not filter the web parameters submitted by users; submitting malicious SQL data can change the original SQL logic, resulting in the disclosure of sensitive information. A vendor solution is currently not available: http://www.deltascripts.com/propublish. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.
1) Input passed to the "email" and "password" parameters in
admin/login.php, to the "find_str" parameter in search.php, and to
the "catid" parameter in cat.php isn't properly sanitised before
being used in a SQL query. This can be exploited to manipulate SQL
queries by injecting arbitrary SQL code.
Successful exploitation of certain parameters requires that
"magic_quotes_gpc" is disabled.
Successful exploitation requires that "magic_quotes_gpc" is
disabled.
The vulnerabilities have been confirmed in version 2.0. Other
versions may also be affected.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY:
Aliaksandr Hartsuyeu
ORIGINAL ADVISORY:
http://evuln.com/vulns/131/summary.html
| VAR-200605-0504 | CVE-2006-2128 | CNVD-2006-2796 |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Harm: remote attackers can use these vulnerabilities to obtain sensitive information. Conditions required for the attack: an attacker must be able to access DeltaScripts PHP Pro Publish. Vulnerability information: DeltaScripts PHP Pro Publish is a PHP-based article management program. DeltaScripts PHP Pro Publish incorrectly filters URI data submitted by users, and remote attackers can use the vulnerability to obtain sensitive information. The problem is that multiple scripts do not filter the web parameters submitted by users; submitting malicious SQL data can change the original SQL logic, resulting in the disclosure of sensitive information. A vendor solution is currently not available: http://www.deltascripts.com/propublish. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.
1) Input passed to the "email" and "password" parameters in
admin/login.php, to the "find_str" parameter in search.php, and to
the "catid" parameter in cat.php isn't properly sanitised before
being used in a SQL query. This can be exploited to manipulate SQL
queries by injecting arbitrary SQL code.
Successful exploitation of certain parameters requires that
"magic_quotes_gpc" is disabled.
2) It is possible for the administrative user to inject arbitrary PHP
code into the set_inc.php file via specially-crafted input in the
"Settings" page.
Successful exploitation requires that "magic_quotes_gpc" is
disabled.
The vulnerabilities have been confirmed in version 2.0. Other
versions may also be affected.
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
PROVIDED AND/OR DISCOVERED BY:
Aliaksandr Hartsuyeu
ORIGINAL ADVISORY:
http://evuln.com/vulns/131/summary.html
| VAR-200605-0019 | CVE-2006-2277 | Apple Mac OS X ImageIO OpenEXR Image File Remote Denial Of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Multiple Apple Mac OS X 10.4 applications might allow context-dependent attackers to cause a denial of service (application crash) via a crafted OpenEXR (.exr) image file, which triggers the crash when opening a folder using Finder, displaying the image in Safari, or using Preview to open the file. ImageIO is susceptible to a remote denial-of-service vulnerability. This issue is due to a failure to properly process malicious OpenEXR image files.
This issue allows remote users to crash applications that use the ImageIO API, denying further service to users.
| VAR-200604-0560 | CVE-2006-2087 | Gmax Mail client in Hitachi Groupmax Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Gmax Mail client in Hitachi Groupmax before 20060426 allows remote attackers to cause a denial of service (application hang or erroneous behavior) via an attachment with an MS-DOS device filename. Some email clients contain a vulnerability that may cause them to crash because they do not properly handle an attached file with a particular file name. The actual impact differs depending on the email client, but email clients may crash when handling an attached file with a particular file name. Other possible impacts include an attached file not being saved, the client hanging during the saving process, or an error message being displayed by the application related to the attached file. Groupmax Integrated Desktop is prone to a denial-of-service vulnerability.
TITLE:
Groupmax Mail Client Attachment Filename Handling Weakness
SECUNIA ADVISORY ID:
SA19840
VERIFY ADVISORY:
http://secunia.com/advisories/19840/
CRITICAL:
Not critical
IMPACT:
DoS
WHERE:
From remote
SOFTWARE:
Groupmax World Wide Web Desktop 5.x
http://secunia.com/product/4333/
Groupmax World Wide Web 3.x
http://secunia.com/product/4332/
Groupmax World Wide Web 2.x
http://secunia.com/product/4331/
Groupmax Mail 7.x
http://secunia.com/product/6160/
Groupmax Mail 6.x
http://secunia.com/product/6159/
Groupmax Integrated Desktop Version 7.x
http://secunia.com/product/9565/
Groupmax Integrated Desktop Version 6.x
http://secunia.com/product/9564/
Groupmax Integrated Desktop Version 5.x
http://secunia.com/product/9563/
Groupmax Integrated Desktop Version 3.x
http://secunia.com/product/9562/
Groupmax Integrated Desktop Version 2.x
http://secunia.com/product/9561/
Groupmax World Wide Web Desktop 6.x
http://secunia.com/product/4334/
Groupmax World Wide Web Desktop for Jichitai 6.x
http://secunia.com/product/4335/
DESCRIPTION:
A weakness has been reported in Groupmax Mail Client, which
potentially can be exploited by malicious people to cause a DoS
(Denial of Service).
The weakness is caused due to an error within the handling of email
attachments.
The weakness has been reported in the following products:
* Groupmax Integrated Desktop version 3, 5, 6, 7.
* Mail Client version 02-00 through 02-31-/E.
* GroupMail/Client(DOS/V) version 01-21-/C through 01-21-/D.
* GroupMail/Client version 01-01 through 01-21-/G.
* Groupmax World Wide Web Desktop Version 2, 3, 5, 6.
SOLUTION:
Apply patches (see patch matrix in the vendor advisory).
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.hitachi-support.com/security_e/vuls_e/HS06-006_e/index-e.html
| VAR-200604-0523 | CVE-2006-2108 | Oce 3121/3122 parser.exe Printer Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
parser.exe in Océ (OCE) 3121/3122 Printer allows remote attackers to cause a denial of service (crash or reboot) via a long request, possibly triggering a buffer overflow. The Oce 2121/3122 printer is prone to a remote denial-of-service vulnerability. This issue is due to a failure in the device to properly handle user-supplied data.
An attacker can exploit this issue to crash the device, effectively denying service to legitimate users.
TITLE:
Océ 3121/3122 Printer Long URL Denial of Service
SECUNIA ADVISORY ID:
SA19847
VERIFY ADVISORY:
http://secunia.com/advisories/19847/
CRITICAL:
Less critical
IMPACT:
DoS
WHERE:
From local network
OPERATING SYSTEM:
OCE 3121/3122
http://secunia.com/product/9606/
DESCRIPTION:
Herman Groeneveld has reported a vulnerability in Océ 3121/3122
Printer, which can be exploited by malicious people to cause a DoS
(Denial of Service).
The vulnerability is caused due to an error in the built-in webserver
when handling a user-supplied URL. This can be exploited to cause the
printer to stop printing until it is restarted.
SOLUTION:
Restrict access of the printer to trusted users only.
PROVIDED AND/OR DISCOVERED BY:
Herman Groeneveld
ORIGINAL ADVISORY:
http://milw0rm.com/exploits/1718
| VAR-200604-0570 | CVE-2006-2068 | Hitachi JP1 Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Hitachi JP1 products allows remote attackers to cause a denial of service (application stop or fail) via unexpected requests or data. Unknown vulnerability in Hitachi JP1 products. Multiple JP1 products are prone to a denial-of-service vulnerability.
This issue affects multiple models and versions of Hitachi JP1 products. Specific models and versions will be listed in future revisions of this BID.
TITLE:
Hitachi Multiple JP1 Products Denial of Service
SECUNIA ADVISORY ID:
SA19841
VERIFY ADVISORY:
http://secunia.com/advisories/19841/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
From remote
SOFTWARE:
Hitachi JP1/Server Conductor/Server Manager
http://secunia.com/product/9572/
Hitachi JP1/Server Conductor/Blade Server Manager
http://secunia.com/product/9571/
Hitachi JP1/Security Integrated Manager
http://secunia.com/product/9574/
Hitachi JP1/PFM/SNMP System Observer (SSO)
http://secunia.com/product/9566/
Hitachi JP1/Performance Management (PFM)
http://secunia.com/product/9568/
Hitachi JP1/File Access Control
http://secunia.com/product/9573/
Hitachi JP1/Cm2/Network Node Manager
http://secunia.com/product/9570/
Hitachi JP1/Automatic Job Management System 2 (AJS2)
http://secunia.com/product/9567/
DESCRIPTION:
A vulnerability has been reported in multiple JP1 products, which can
be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error when handling certain
specially crafted data or requests. This can be exploited to cause
the products to stop responding.
The vulnerability has been reported in the following products:
* JP1/PFM/SNMP System Observer
* JP1/Server System Observer
* JP1/Automatic Job Management System 2
* JP1/Performance Management
* Cm2/Network Node Manager Enterprise/Unlimited/250,
* JP1/Cm2/Network Node Manager Enterprise/250
* JP1/Server Conductor/Blade Server Manager
* JP1/Server Conductor/Server Manager
* Server Conductor/Blade Server Manager
* Server Conductor/Server Manager
* System Manager - Management Console
* JP1/File Access Control
* JP1/Security Integrated Manager
SOLUTION:
Apply patches (see patch matrix in the vendor advisory).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.hitachi-support.com/security_e/vuls_e/HS06-007_e/index-e.html
| VAR-200604-0552 | CVE-2006-2078 | Multiple vulnerabilities in DNS implementations |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Multiple unspecified vulnerabilities in multiple FITELnet products, including FITELnet-F40, F80, F100, F120, F1000, and E20/E30, allow remote attackers to cause a denial of service via crafted DNS messages that trigger errors in (1) ProxyDNS or (2) PKI-Resolver, as demonstrated by the OUSPG PROTOS DNS test suite. Numerous vulnerabilities have been reported in various Domain Name System (DNS) implementations. The impacts of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or cause a DNS implementation to behave in an unstable/unpredictable manner. There are unspecified vulnerabilities in multiple FITELnet products, including FITELnet-F40, F80, F100, F120, F1000 and E20/E30.
Consequences of these vulnerabilities are currently unknown, but remote code execution or denial-of-service attacks may be possible.
This BID will be updated as further information is disclosed.
TITLE:
FITELnet Products DNS Handling Vulnerability
SECUNIA ADVISORY ID:
SA19820
VERIFY ADVISORY:
http://secunia.com/advisories/19820/
CRITICAL:
Moderately critical
IMPACT:
Unknown
WHERE:
From remote
OPERATING SYSTEM:
FITELnet-E Series
http://secunia.com/product/9600/
FITELnet-F Series
http://secunia.com/product/9599/
MUCHO-EV/PK
http://secunia.com/product/9601/
DESCRIPTION:
A vulnerability with unknown impact has been reported in various
FITELnet products.
The vulnerability is caused due to unspecified errors in ProxyDNS and
PKI-Resolver when handling certain malformed DNS packets.
The vulnerability has been reported in the following products:
FITELnet-F40
FITELnet-F80
FITELnet-F100
FITELnet-F120
FITELnet-F1000
FITELnet-E20/E30
MUCHO-EV/PK
SOLUTION:
The vendor is reportedly working on a fix.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor based on DNS Test Tool created by Oulu University
Secure Programming Group.
ORIGINAL ADVISORY:
http://www.furukawa.co.jp/fitelnet/topic/dns2_attacks.html
NISCC:
http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en
| VAR-200604-0559 | CVE-2006-2086 | Juniper Networks IVE client ActiveX control buffer overflow |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in JuniperSetupDLL.dll, loaded from JuniperSetup.ocx by the Juniper SSL-VPN Client when accessing a Juniper NetScreen IVE device running IVE OS before 4.2r8.1, 5.0 before 5.0r6.1, 5.1 before 5.1r8, 5.2 before 5.2r4.1, or 5.3 before 5.3r2.1, allows remote attackers to execute arbitrary code via a long argument in the ProductName parameter. Juniper SSL-VPN Client ActiveX control is prone to a buffer-overflow vulnerability. The software fails to perform sufficient bounds-checking of user-supplied input before copying it to an insufficiently sized memory buffer.
Invoking the object from a malicious website may trigger the condition. If the vulnerability were successfully exploited, this would corrupt process memory, resulting in arbitrary code execution. Juniper's SSL VPN series products can provide users with secure remote access services. JuniperSetupDLL.dll is loaded from the JuniperSetup.ocx ActiveX control. If an overly long string is specified in the ProductName parameter, a stack overflow is triggered in a JuniperSetupDLL.dll function:
---
object classid="clsid:E5F5D008-DD2C-4D32-977D-1A0ADF03058B" id=NeoterisSetup codebase="path_to_JuniperSetup.cab#version=1,0,0,3" >
.....
PARAM NAME="ProductName" VALUE="AAAAAAA (long 'A')" >
.....
script language=javascript
NeoterisSetup.startSession();
end script
---
The vulnerable function is as follows:
.text:04F15783 ; int __stdcall sub_4F15783_ilvdlp(char *szProductName, LPCSTR lpValueName, LPBYTE lpData, LPDWORD lpcbData)
.text:04F15783 sub_4F15783_ilvdlp proc near
.text:04F15783
.text:04F15783 SubKey = byte ptr -10Ch
.text:04F15783 Type = dword ptr -8
.text:04F15783 hKey = dword ptr -4
...
This can be exploited to cause a stack-based buffer overflow when the
control is instantiated with an overly long "ProductName" parameter. tricked into visiting a malicious web site.
The vulnerability has been reported in versions 1.x through 5.x.
SOLUTION:
Update to IVE software version 5.3r2.1, 5.2r4.1, 5.1r8, 5.0r6.1, or
4.2r8.1.
PROVIDED AND/OR DISCOVERED BY:
Yuji Ukai, eEye Digital Security.
ORIGINAL ADVISORY:
eEye Digital Security:
http://www.eeye.com/html/research/advisories/AD20060424.html
Juniper Networks:
http://www.juniper.net/support/security/alerts/PSN-2006-03-013.txt
| VAR-200604-0487 | CVE-2006-2043 | IP3 Networks NetAccess NA75 Multiple Local Vulnerabilities |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 allows local users to gain Unix shell access via "`" (backtick) characters in the appliance's command line interface (CLI). IP3 Networks NetAccess NA75 devices are susceptible to multiple local vulnerabilities:
- A command-injection vulnerability due to insufficient input-sanitization of user-supplied commands. This issue allows attackers to execute arbitrary shell commands in the underlying UNIX-based operating system.
- An encrypted-password information-disclosure vulnerability. This issue may aid attackers in brute-force password-guessing attacks.
- An insecure default-permissions vulnerability. This issue allows attackers to access or corrupt potentially sensitive information.
These issues are present in version 4.0.34 of the device's firmware; other versions may also be affected.
TITLE:
IP3 Networks NA75 SQL Injection Vulnerability and Weaknesses
SECUNIA ADVISORY ID:
SA19818
VERIFY ADVISORY:
http://secunia.com/advisories/19818/
CRITICAL:
Less critical
IMPACT:
Security Bypass, Manipulation of data, Exposure of sensitive
information, Privilege escalation
WHERE:
From local network
OPERATING SYSTEM:
IP3 Networks NA75
http://secunia.com/product/9602/
DESCRIPTION:
Ralph Moonen has reported a vulnerability and some weaknesses in IP3
Networks NA75, which can be exploited by malicious, local users to
potentially gain escalated privileges and disclose or manipulate
sensitive information, or by malicious people to conduct SQL
injection attacks.
1) Some input passed in the web interface is not properly sanitised
before being used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
Example:
* The password field during login.
3) The shadow password file has world-readable permissions, which can
be exploited to disclose other users' encrypted passwords.
4) The database file is stored with world-readable and world-writable
permissions.
SOLUTION:
Apply patch available from the vendor.
http://www.ip3.com/supportoverview.htm
PROVIDED AND/OR DISCOVERED BY:
Ralph Moonen
| VAR-200604-0574 | CVE-2006-2072 | DeleGate DNS Response Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Multiple unspecified vulnerabilities in DeleGate 9.x before 9.0.6 and 8.x before 8.11.6 allow remote attackers to cause a denial of service via crafted DNS response messages that cause (1) a buffer over-read or (2) infinite recursion, which can trigger a segmentation fault or invalid memory access, as demonstrated by the OUSPG PROTOS DNS test suite. Numerous vulnerabilities have been reported in various Domain Name System (DNS) implementations. The impacts of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or cause a DNS implementation to behave in an unstable/unpredictable manner. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of the vulnerability information other than the title are shared across those entries. ------------ The DNS protocol implementations of multiple products contain deficiencies arising from the protocol specifications, and processing certain DNS packets causes memory corruption and buffer overflows. The impact varies with the product implementation, but if exploited by a remote attacker, a service or application that processes DNS packets may go out of service. The discoverer also suggests the possibility of arbitrary code execution. Please refer to the "Overview" for the impact of this vulnerability. There are several unspecified vulnerabilities in the 9.x series prior to DeleGate 9.0.6 and the 8.x series prior to 8.11.6.
The vendor has addressed this issue in versions 8.11.6 and 9.0.6; earlier versions are vulnerable. ISC BIND is prone to a remote denial-of-service vulnerability. This issue is due to a failure in the application to properly handle malformed TSIG (Secret Key Transaction Authentication for DNS) replies.
To exploit this issue, attackers must be able to send messages with a correct TSIG during a zone transfer. This limits the potential for remote exploits significantly.
An attacker can exploit this issue to crash the affected service, effectively denying service to legitimate users.
TITLE:
DeleGate DNS Query Handling Denial of Service
SECUNIA ADVISORY ID:
SA19750
VERIFY ADVISORY:
http://secunia.com/advisories/19750/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
From remote
SOFTWARE:
DeleGate 8.x
http://secunia.com/product/1237/
DESCRIPTION:
A vulnerability has been reported in DeleGate, which can be exploited
by malicious people to cause a DoS (Denial of Service). This can lead to out-of-bounds memory
accesses and infinite recursive function calls, which causes the
process to stop responding to requests.
The vulnerability has been reported in version 8.11.5 and prior
(stable), and in version 9.0.5 and prior (development).
SOLUTION:
Update to version 8.11.6 or later.
http://www.delegate.org/delegate/download/
The vulnerability has also been fixed in development version 9.0.6.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor based on DNS Test Tool created by Oulu University
Secure Programming Group.
ORIGINAL ADVISORY:
NISCC:
http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en
| VAR-200604-0489 | CVE-2006-2045 | IP3 Networks NetAccess NA75 Information disclosure vulnerability |
CVSS V2: 3.6 CVSS V3: - Severity: LOW |
The (1) shadow password file in na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 has world readable permissions, which allows local users to view encrypted passwords; and the (2) NetAccess database file has world readable and writable permissions, which allows local users to view sensitive information and modify data. IP3 Networks NetAccess NA75 devices are susceptible to multiple local vulnerabilities:
- A command-injection vulnerability due to insufficient input-sanitization of user-supplied commands. This issue allows attackers to execute arbitrary shell commands in the underlying UNIX-based operating system.
- An encrypted-password information-disclosure vulnerability. This issue may aid attackers in brute-force password-guessing attacks.
- An insecure default-permissions vulnerability. This issue allows attackers to access or corrupt potentially sensitive information.
These issues are present in version 4.0.34 of the device's firmware; other versions may also be affected.
TITLE:
IP3 Networks NA75 SQL Injection Vulnerability and Weaknesses
SECUNIA ADVISORY ID:
SA19818
VERIFY ADVISORY:
http://secunia.com/advisories/19818/
CRITICAL:
Less critical
IMPACT:
Security Bypass, Manipulation of data, Exposure of sensitive
information, Privilege escalation
WHERE:
From local network
OPERATING SYSTEM:
IP3 Networks NA75
http://secunia.com/product/9602/
DESCRIPTION:
Ralph Moonen has reported a vulnerability and some weaknesses in IP3
Networks NA75, which can be exploited by malicious, local users to
potentially gain escalated privileges and disclose or manipulate
sensitive information, or by malicious people to conduct SQL
injection attacks.
1) Some input passed in the web interface is not properly sanitised
before being used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
Example:
* The password field during login.
2) Some input validation errors in the command line interface can be
exploited to inject arbitrary shell commands via the "`" backtick
character.
3) The shadow password file has world-readable permissions, which can
be exploited to disclose other users' encrypted passwords.
4) The database file is stored with world-readable and world-writable
permissions.
SOLUTION:
Apply patch available from the vendor.
http://www.ip3.com/supportoverview.htm
PROVIDED AND/OR DISCOVERED BY:
Ralph Moonen
| VAR-200604-0488 | CVE-2006-2044 | IP3 Networks NetAccess NA75 Multiple Local Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
na-img-4.0.34.bin for the IP3 Networks NetAccess NA75 has a default username of admin and a default password of admin. IP3 Networks NetAccess NA75 devices are susceptible to multiple local vulnerabilities:
- A command-injection vulnerability due to insufficient input-sanitization of user-supplied commands. This issue allows attackers to execute arbitrary shell commands in the underlying UNIX-based operating system.
- An encrypted-password information-disclosure vulnerability. This issue may aid attackers in brute-force password-guessing attacks.
- An insecure default-permissions vulnerability. This issue allows attackers to access or corrupt potentially sensitive information.
These issues are present in version 4.0.34 of the device's firmware; other versions may also be affected.
TITLE:
IP3 Networks NA75 SQL Injection Vulnerability and Weaknesses
SECUNIA ADVISORY ID:
SA19818
VERIFY ADVISORY:
http://secunia.com/advisories/19818/
CRITICAL:
Less critical
IMPACT:
Security Bypass, Manipulation of data, Exposure of sensitive
information, Privilege escalation
WHERE:
From local network
OPERATING SYSTEM:
IP3 Networks NA75
http://secunia.com/product/9602/
DESCRIPTION:
Ralph Moonen has reported a vulnerability and some weaknesses in IP3
Networks NA75, which can be exploited by malicious, local users to
potentially gain escalated privileges and disclose or manipulate
sensitive information, or by malicious people to conduct SQL
injection attacks.
1) Some input passed in the web interface is not properly sanitised
before being used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
Example:
* The password field during login.
2) Some input validation errors in the command line interface can be
exploited to inject arbitrary shell commands via the "`" backtick
character.
3) The shadow password file has world-readable permissions, which can
be exploited to disclose other users' encrypted passwords.
4) The database file is stored with world-readable and world-writable
permissions.
SOLUTION:
Apply patch available from the vendor.
http://www.ip3.com/supportoverview.htm
PROVIDED AND/OR DISCOVERED BY:
Ralph Moonen
| VAR-200604-0576 | CVE-2006-2074 | Multiple vulnerabilities in DNS implementations |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Juniper Networks JUNOSe E-series routers before 7-1-1 has unknown impact and remote attack vectors related to the DNS "client code," as demonstrated by the OUSPG PROTOS DNS test suite. Numerous vulnerabilities have been reported in various Domain Name System (DNS) implementations. The impacts of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or cause a DNS implementation to behave in an unstable/unpredictable manner. Juniper JUNOSe is prone to a remote denial-of-service vulnerability. This issue is due to a failure in the application to properly handle DNS datagrams.
An attacker can exploit this issue to crash the affected DNS client service, effectively denying service to legitimate users. Juniper Networks JUNOSe is the operating system that runs on Juniper Networks E-series IP edge and broadband services routers. Testing with the PROTOS DNS test suite, developed by OUSPG for DNS implementations, found that a specially crafted message causes JUNOSe to suffer a denial of service while handling the DNS response.
The vulnerability is caused due to unspecified errors within the
handling of DNS responses.
SOLUTION:
The vulnerability has been fixed in JUNOSe versions 5-3-5p0-2,
6-0-3p0-6, 6-0-4, 6-1-3p0-1, 7-0-1p0-7, 7-0-2, 7-1-0p0-1, and 7-1-1.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor based on DNS Test Tool created by Oulu University
Secure Programming Group.
ORIGINAL ADVISORY:
NISCC:
http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en
| VAR-200604-0537 | CVE-2006-2019 | Apple Safari Web Browser Rowspan Denial Of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Apple Mac OS X Safari 2.0.3, 1.3.1, and possibly other versions allows remote attackers to cause a denial of service (CPU consumption and crash) via a TD element with a large number in the rowspan attribute. Safari on Apple Mac OS X contains a denial of service (DoS) vulnerability; a third party may be able to put the browser into a denial of service (DoS) state. Apple Safari web browser is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to consume excessive system resources and eventually crash an affected browser. Opening a malicious HTML file in Safari may slow the operating system down to the SRCOD (Spinning Rainbow Cursor Of Death), so that no application can be launched to kill the process. Safari crashes after a few minutes.
TITLE:
Safari "rowspan" Attribute Denial of Service Vulnerability
SECUNIA ADVISORY ID:
SA19763
VERIFY ADVISORY:
http://secunia.com/advisories/19763/
CRITICAL:
Not critical
IMPACT:
DoS
WHERE:
From remote
SOFTWARE:
Safari 1.x
http://secunia.com/product/1543/
Safari 2.x
http://secunia.com/product/5289/
DESCRIPTION:
Yannick von Arx has discovered a vulnerability in Safari, which can
be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error in the processing of "td"
HTML tags with overly large values for the "rowspan" attribute. This
can be exploited to consume a large amount of CPU and memory
resources on a vulnerable system by tricking a user into visiting a
malicious web site.
Successful exploitation causes a vulnerable system to become
unresponsive.
The vulnerability has been confirmed in version 2.0.3 (417.9.2) and
has also been reported in version 1.3.1 (312.3.1). Other versions may
also be affected.
SOLUTION:
Do not visit untrusted web sites while working with unsaved sensitive
information.
PROVIDED AND/OR DISCOVERED BY:
Yannick von Arx
ORIGINAL ADVISORY:
http://lists.grok.org.uk/pipermail/full-disclosure/2006-April/045472.html
| VAR-200604-0535 | CVE-2006-2017 | DNSmasq Broadcast Reply Denial Of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Dnsmasq 2.29 allows remote attackers to cause a denial of service (application crash) via a DHCP client broadcast reply request. Dnsmasq is prone to a remote denial-of-service vulnerability.
TITLE:
Dnsmasq DHCP Broadcast Reply Denial of Service
SECUNIA ADVISORY ID:
SA19760
VERIFY ADVISORY:
http://secunia.com/advisories/19760/
CRITICAL:
Less critical
IMPACT:
DoS
WHERE:
From local network
SOFTWARE:
Dnsmasq 2.x
http://secunia.com/product/4837/
DESCRIPTION:
A vulnerability has been reported in Dnsmasq, which potentially can
be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error within the handling of
certain requests from a DHCP client.
The vulnerability has been reported in version 2.29.
SOLUTION:
Update to version 2.30.
http://thekelleys.org.uk/dnsmasq/
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Sandra Dekkers.
ORIGINAL ADVISORY:
http://thekelleys.org.uk/dnsmasq/CHANGELOG
| VAR-200604-0347 | CVE-2006-1981 | Mac OS X Java InputMethods Unknown vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Unspecified vulnerability in Java InputMethods on Mac OS X 10.4.5 may cause InputMethods to send input events for secure fields to the wrong text field, which might reveal the password to others who can view the screen. Mac OS X is prone to a local security vulnerability.
| VAR-200604-0332 | CVE-2006-1966 | Unspecified Fortinet Service disruption in products (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
An unspecified Fortinet product, possibly Fortinet28, allows remote attackers to cause a denial of service via a "small synflood" to the SMTP port (TCP port 25), as demonstrated by a 10-microsecond wait between sending packets. NOTE: this issue has been disputed in followup posts that suggest that a protection feature is triggering a RST. The unspecified Fortinet product contains a denial of service (DoS) vulnerability; a third party may be able to put it into a denial of service (DoS) state. Fortinet28 is prone to a denial-of-service vulnerability.
| VAR-200604-0324 | CVE-2006-1928 | Cisco IOS XR MPLS Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS XR, when configured for Multi Protocol Label Switching (MPLS) and running on Cisco CRS-1 routers, allows remote attackers to cause a denial of service (Modular Services Cards (MSC) crash or "MPLS packet handling problems") via certain MPLS packets, as identified by Cisco bug IDs (1) CSCsd15970 and (2) CSCsd55531. Cisco IOS XR contains an exploitable denial of service (DoS) vulnerability; a third party may be able to put the device into a denial of service (DoS) state.
A successful attack results in a denial-of-service condition for traffic that is being switched on an affected Modular Services Card (MSC) or line card.
A sustained denial-of-service condition can also arise from repeated attacks. Cisco IOS XR Software, a member of the Cisco IOS Software family, uses a microkernel-based distributed operating system infrastructure. Cisco IOS XR runs on Cisco CRS-1 and Cisco 12000 series routers. MPLS packets are forwarded through the MPLS network, so the packets that trigger this vulnerability can be sent from remote systems in the MPLS network. Such packets cannot be received on interfaces that are not configured with MPLS.
Successful exploitation requires that MPLS has been configured on the
network device.
SOLUTION:
Apply patches (see patch matrix in vendor advisory).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20060419-xr.shtml
| VAR-200604-0339 | CVE-2006-1973 | Linksys RT31P2 VoIP router denial of service vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Multiple unspecified vulnerabilities in Linksys RT31P2 VoIP router allow remote attackers to cause a denial of service via malformed Session Initiation Protocol (SIP) messages. Linksys RT31P2 is a broadband router that supports VoIP phone functions.
This issue allows remote attackers to crash affected devices, denying service to legitimate users.
SOLUTION:
The product has reportedly been discontinued.
Filter traffic or use another product.
PROVIDED AND/OR DISCOVERED BY:
Peter Thermos and Guy Hadsall, Telcordia.
ORIGINAL ADVISORY:
US-CERT VU#621566:
http://www.kb.cert.org/vuls/id/621566