VARIoT IoT vulnerabilities database


VAR-200212-0468 CVE-2002-1745 Microsoft IIS CodeBrws.asp off-by-one error vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Off-by-one error in the CodeBrws.asp sample script in Microsoft IIS 5.0 allows remote attackers to view the source code for files with extensions containing one additional character after .html, .htm, .asp, or .inc, such as .aspx files. ------------ This vulnerability information is a comprehensive explanation of multiple vulnerabilities that were published at the same time. Please note that this document contains vulnerability information other than the title. ------------ Microsoft IIS 5.0 has a problem that discloses the source of files. Microsoft IIS 5.0 has sample files installed for demonstration purposes. One of the sample programs used by the IIS 5.0 Internet Service Manager is a file called codebrws.asp. Due to a flaw in the handling of Unicode characters in this file, an attacker could potentially use this file to obtain the source of files located under the webroot directory. With default settings, unless the IIS 5.0 configuration is intentionally changed to expose codebrws.asp remotely, only local attacks will be successful. Please refer to the "Overview" for the impact of this vulnerability. However, this script (CodeBrws.asp) does not adequately filter Unicode representations of directory traversals. For example, an attacker can break out of the sample script directory by substituting '%c0%ae%c0%ae' for '..' in a dot-dot-slash directory traversal attack. It has been demonstrated that this issue may be exploited to map out the directory structure of the filesystem on a host running the vulnerable script. However, a flaw exists which will allow an additional character to be added to the file extension. This may allow an attacker to view, for example, .aspx files used by the .NET architecture. If used in conjunction with the issues discussed in BID 4525, this may expose files outside of the sample script directory.
VAR-200207-0084 CVE-2002-0540 Nortel Networks CVX 1800 discloses privileged information CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Nortel CVX 1800 is installed with a default "public" community string, which allows remote attackers to read usernames and passwords and modify the CVX configuration. The Nortel Networks CVX 1800 Multi-Service Access Switch discloses privileged information. The device contains a default SNMP community string of "public", which may enable a remote attacker to gain access to sensitive information such as authentication credentials for local accounts on the device, network infrastructure info, etc. The Nortel CVX 1800 multi-service access gateway device has a default SNMP community string, "public". Remote attackers can use this string to obtain sensitive system information such as passwords and network structure. According to testing, the attacker can obtain the username and password information for accessing the Telnet service. An attacker can use the route command or view gateway to obtain the IP address of the Nortel CVX 1800 multi-service access gateway.
VAR-200208-0171 CVE-2002-0528 WatchGuard SOHO Firewall IP restriction rule loss vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Watchguard SOHO firewall 5.0.35 unpredictably disables certain IP restrictions for customized services that were set before the administrator upgrades to 5.0.35, which could allow remote attackers to bypass the intended access control rules. SoHo firewall is a hardware firewall solution distributed and maintained by WatchGuard. A problem introduced into the 5.0.35 firmware causes the dropping of arbitrary firewall rules. When a user configures IP restrictions on certain IP addresses, the firewall may drop restriction entries arbitrarily. This could allow a remote user unintended access to a supposedly secure network
VAR-200204-0012 CVE-2002-0079 Microsoft Internet Information Server (IIS) 4.0 and 5.0 buffer overflow in chunked encoding transfer mechanism for ASP CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code. This condition affects IIS 4.0 and IIS 5.0. Exploitation of this vulnerability may result in a denial of service or allow for a remote attacker to execute arbitrary instructions on the victim host. Microsoft IIS 5.0 is reported to ship with a default script (iisstart.asp) which may be sufficient for a remote attacker to exploit. Other sample scripts may also be exploitable. A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves
VAR-200204-0009 CVE-2002-0073 Microsoft Internet Information Server (IIS) vulnerable to DoS via malformed FTP connection status request CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters. A vulnerability in IIS could allow an intruder to disrupt ordinary operations of both FTP and Web services on vulnerable IIS servers. The condition is present when a request for the FTP transfer status is made via the STAT command. A client issuing this command with a large number of file globbing characters as the argument may cause the service to crash. On IIS 4.0 servers, the service must be manually restarted. On IIS 5.0 and 5.1 servers, the service will restart itself automatically. A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves.
VAR-200204-0011 CVE-2002-0075 Microsoft Internet Information Server (IIS) contains cross-site scripting vulnerability in IIS Help Files search facility CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect ("302 Object Moved") message. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ Microsoft IIS 4.0/5.0/5.1 has problems that can lead to cross-site scripting. The following 3 problems exist. * The search results page of the IIS help file does not properly convert the metacharacters contained in the request sent by the client. * As part of the "404 not found" error page, the metacharacters included in the request from the client are sent to the client without conversion. * If a browser other than Internet Explorer is used, the metacharacters contained in the request from the client are sent to the client without conversion as part of the "302 Object Moved" error page. A Cross Site Scripting issue exists in some versions of IIS. The HTTP Error Page created by IIS may, under some circumstances, contain HTML content which includes unsanitized user supplied input. An attacker may construct a link to a vulnerable server such that it exploits this vulnerability. When an innocent user follows this link, the script code will be reproduced by the server, and execute within the context of the vulnerable site. This may result in the exposure of sensitive data and cookie information, or allow the attacker to subvert the content and functionality of the site. It has been reported that this issue may be exploited to steal cookie-based authentication credentials from users of a number of Microsoft domains/services (such as hotmail, passport, etc.). A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves.
VAR-200204-0010 CVE-2002-0074 Microsoft Internet Information Server (IIS) contains cross-site scripting vulnerability in IIS Help Files search facility CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cross-site scripting vulnerability in Help File search facility for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to embed scripts into another user's session. Visitors to web sites that use Microsoft IIS and also issue redirect response messages are vulnerable to cross-site scripting attacks. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ Microsoft IIS 4.0/5.0/5.1 has problems that can lead to cross-site scripting. The following 3 problems exist. * The search results page of the IIS help file does not properly convert the metacharacters contained in the request sent by the client. * As part of the "404 not found" error page, the metacharacters included in the request from the client are sent to the client without conversion. * If a browser other than Internet Explorer is used, the metacharacters contained in the request from the client are sent to the client without conversion as part of the "302 Object Moved" error page. A Cross Site Scripting issue exists in some versions of IIS. The HTTP Error Page created by IIS may, under some circumstances, contain HTML content which includes unsanitized user supplied input. An attacker may construct a link to a vulnerable server such that it exploits this vulnerability. When an innocent user follows this link, the script code will be reproduced by the server, and execute within the context of the vulnerable site. This may result in the exposure of sensitive data and cookie information, or allow the attacker to subvert the content and functionality of the site. It has been reported that this issue may be exploited to steal cookie-based authentication credentials from users of a number of Microsoft domains/services (such as hotmail, passport, etc.). A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves.
VAR-200204-0019 CVE-2002-0150 Microsoft Internet Information Server (IIS) vulnerable to buffer overflow via inaccurate checking of delimiters in HTTP header fields CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values. A buffer overflow in IIS could allow an intruder to execute arbitrary code with the privileges of the ASP ISAPI extension. A buffer overflow related to the processing of request header fields has been reported for Microsoft IIS (Internet Information Services). This problem is related to the interpretation of HTTP header field delimiters. This vulnerability affects IIS 4.0, IIS 5.0 and IIS 5.1. Exploitation of this vulnerability may result in a denial of service or allow for a remote attacker to execute arbitrary instructions on the victim host. A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves.
VAR-200204-0018 CVE-2002-0149 Microsoft Internet Information Server (IIS) buffer overflow in server-side includes (SSI) containing long invalid file name CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names. A condition exists that may allow for an existing bounds check on potentially user-supplied input to be bypassed, resulting in a potential buffer overflow. This condition affects IIS 4.0, IIS 5.0 and IIS 5.1. Exploitation requires that the attacker can influence when and how the file is included. Exploitation of this vulnerability may result in a denial of service or allow for a remote attacker to execute arbitrary instructions on the victim host. A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves
VAR-200204-0016 CVE-2002-0147 Microsoft Internet Information Server (IIS) 4.0 and 5.0 buffer overflow in chunked encoding transfer mechanism for ASP CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun." This condition affects IIS 4.0 and IIS 5.0. Exploitation of this vulnerability may result in a denial of service or allow for a remote attacker to execute arbitrary instructions on the victim host. Microsoft IIS 5.0 is reported to ship with a default script (iisstart.asp) which may be sufficient for a remote attacker to exploit. Other sample scripts may also be exploitable. A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves.
VAR-200204-0007 CVE-2002-0071 Microsoft Internet Information Server (IIS) vulnerable to heap overflow during processing of crafted ".htr" request by "ISM.DLL" ISAPI filter CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names. Microsoft IIS processes HTR requests incorrectly, and there is a vulnerability in which receiving an invalid HTR request causes an overflow in the heap area. Arbitrary code may be executed with the execution privileges of ISM.DLL. This condition affects IIS 4.0, IIS 5.0 and may be effectively mitigated by disabling the extension. Exploitation of this vulnerability may result in a denial of service or allow for a remote attacker to execute arbitrary instructions on the victim host. A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves.
VAR-200204-0008 CVE-2002-0072 Microsoft Internet Information Server (IIS) vulnerable to DoS when URL request exceeds maximum allowed length CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The w3svc.dll ISAPI filter in Front Page Server Extensions and ASP.NET for Internet Information Server (IIS) 4.0, 5.0, and 5.1 does not properly handle the error condition when a long URL is provided, which allows remote attackers to cause a denial of service (crash) when the URL parser accesses a null pointer. Intruders may be able to cause the IIS service to fail by sending a particular kind of overly-long URL. A vulnerability has been identified in the way Microsoft Internet Information Server handles URL errors. The ISAPI filter involved in this vulnerability is installed by Front Page Server Extensions and ASP.NET. On IIS 4.0 servers, the service must be manually restarted. On IIS 5.0 and 5.1 servers, the service will restart itself automatically. Custom ISAPI filters may also be affected by this condition. A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves
VAR-200204-0017 CVE-2002-0148 Microsoft Internet Information Server (IIS) contains cross-site scripting vulnerability in IIS Help Files search facility CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page. Visitors to web sites that use Microsoft IIS and also issue redirect response messages are vulnerable to cross-site scripting attacks. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ Microsoft IIS 4.0/5.0/5.1 has problems that can lead to cross-site scripting. The following 3 problems exist. * The search results page of the IIS help file does not properly convert the metacharacters contained in the request sent by the client. * As part of the "404 not found" error page, the metacharacters included in the request from the client are sent to the client without conversion. * If a browser other than Internet Explorer is used, the metacharacters contained in the request from the client are sent to the client without conversion as part of the "302 Object Moved" error page. A Cross Site Scripting issue exists in some versions of IIS. The HTTP Error Page created by IIS may, under some circumstances, contain HTML content which includes unsanitized user supplied input. An attacker may construct a link to a vulnerable server such that it exploits this vulnerability. When an innocent user follows this link, the script code will be reproduced by the server, and execute within the context of the vulnerable site. This may result in the exposure of sensitive data and cookie information, or allow the attacker to subvert the content and functionality of the site. It has been reported that this issue may be exploited to steal cookie-based authentication credentials from users of a number of Microsoft domains/services (such as hotmail, passport, etc.). A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves.
VAR-200207-0089 CVE-2002-0545 Cisco Aironet Telnet authentication denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco Aironet before 11.21 with Telnet enabled allows remote attackers to cause a denial of service (reboot) via a series of login attempts with invalid usernames and passwords. The Cisco Aironet product family provides wireless LAN (WLAN) support for a wide range of applications. A vulnerability has been reported in some Aironet products. If telnet access to the device is enabled, an attacker is able to cause the device to reboot. Authentication is not required, although it must be supported. This vulnerability cannot be triggered through the WEB interface
VAR-200208-0236 CVE-2002-0527 WatchGuard SOHO malformed TCP packet denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Watchguard SOHO firewall before 5.0.35 allows remote attackers to cause a denial of service (crash and reboot) when SOHO forwards a packet with bad IP options. WatchGuard SOHO Firewall is a firewall appliance intended for use by Home Office/Small Office users. It offers built-in VPN capabilities. WatchGuard SOHO Firewall crashes when handling certain types of malformed TCP packets. All current connections will drop when this occurs. It should be noted that this is only an issue for packets that are forwarded by the firewall appliance. It runs under the Windows operating system platform. The firewall may crash and restart due to improper parsing. This vulnerability exists only when the packet forwarding function is enabled on the firewall. For example, WEB services behind the firewall may be affected by this vulnerability.
VAR-200204-0024 CVE-2002-0159 CiscoSecure ACS For Windows Remote format string overflow vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Format string vulnerability in the administration function in Cisco Secure Access Control Server (ACS) for Windows, 2.6.x and earlier and 3.x through 3.01 (build 40), allows remote attackers to crash the CSADMIN module only (denial of service of administration function) or execute arbitrary code via format strings in the URL to port 2002. ACS is the commercial access control server distributed and maintained by Cisco Systems. This problem affects CiscoSecure ACS on the Microsoft Windows platform. ACS does not properly handle user-supplied input. ACS is vulnerable to a format string attack which could allow the execution of arbitrary code. By sending a custom-crafted URL to port 2002 of a vulnerable server, it is possible to execute user-supplied code with the privileges of the ACS server. There is a flaw in the implementation of CiscoSecure ACS software under the Microsoft Windows platform, and a remote attacker may use this flaw to execute arbitrary commands on the host. There is a format string overflow vulnerability when ACS processes user input.
VAR-200204-0046 No CVE CNVD-2002-0655 CVSS V2: -
CVSS V3: -
Severity: -
Siemens mobile phones receive short messages in PDU format. The S3569i mobile phone fails when displaying specially formatted characters, which causes the phone to shut down immediately, and the short message cannot be deleted. A malicious intruder can use this vulnerability to send the target phone enough such messages to fill its short message capacity, after which the phone user cannot process any other short messages.
VAR-200204-0036 CVE-2001-1171 Check Point Firewall Vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Check Point Firewall-1 3.0b through 4.0 SP1 follows symlinks and creates a world-writable temporary .cpp file when compiling Policy rules, which could allow local users to gain privileges or modify the firewall policy. Firewall-1 is prone to a local security vulnerability. Local users can escalate privileges or modify firewall policies.
VAR-200212-0198 CVE-2002-2110 RCA Digital Cable Modem Default SNMP public Password vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The RCA Digital Cable Modems DCM225 and DCM225E allow remote attackers to cause a denial of service (modem device reset) by connecting to port 80 on the 10.0.0.0/8 device. The RCA Digital Cable Modem provides a bridge between a computer and cable internet access. Remote users can use the public password to view and modify the modem configuration data through the 10.0.0.0/8 address space monitored by the SNMP interface
VAR-200212-0200 CVE-2002-2112 RCA Digital Cable Modem public SNMP Management vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
RCA Digital Cable Modem DCM225 and DCM225E, and other modems that must conform to the Data-over-Cable Service Interface Specifications DOCSIS standard, uses the "public" community string for SNMP access, which allows remote attackers to read or write MIB information. The RCA Digital Cable Modem provides a bridge between a computer and cable internet access. SNMP access is granted to the public community. Remote users may connect, view, and modify modem configuration data through the SNMP interface listening on the 10.0.0.0/8 address space