VARIoT IoT vulnerabilities database

VAR-200212-0570 | CVE-2002-1694 | Microsoft IIS Vulnerability Allowing Log File Modification in Default Settings |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Microsoft Internet Information Server (IIS) 4.0 opens log files with FILE_SHARE_READ and FILE_SHARE_WRITE permissions, which could allow remote attackers to modify the log file contents while IIS is running. Unprivileged users could modify the log file using a File Open dialog through a Win32 API call.
The following are the default permissions on the log files folder:
Administrators: Full Control
Everyone: Change (RWXD)
IUSR_ComputerName: Full Control
System: Full Control
VAR-200203-0075 | CVE-2002-0127 | NetGear RP114 Router WAN Interface Remote Denial of Service Attack Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Netgear RP114 Cable/DSL Web Safe Router Firmware 3.26, when configured to block traffic below port 1024, allows remote attackers to cause a denial of service (hang) via a port scan of the WAN port. The Netgear RP114 Cable/DSL Web Safe router allows some users to share cable/DSL connections and provides address translation capabilities. The same condition may occur in other configurations, and it may affect all routers with firmware versions earlier than 3.26. All incoming/outgoing communication across the WAN port will cease for the duration of the port scan.
This condition has reportedly also been reproduced with other configurations. This issue may affect firmware releases other than v3.26. Link: http://archives.neohapsis.com/archives/bugtraq/2002-01/0183.html
VAR-200203-0070 | CVE-2002-0122 | Siemens Mobile Phone Short Message Denial of Service Attack Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Siemens 3568i WAP mobile phones allow remote attackers to cause a denial of service (crash) via an SMS message containing unusual characters. Siemens has a certain number of user groups for the production of various types of mobile phone products.
Some models of Siemens phones have problems with the short message processing function. Malicious attackers can use this vulnerability to make the phone unable to receive short messages.
When the phone receives SMS messages that contain certain illegal characters, it shuts down unexpectedly when the user tries to view them. Because on some models a message can only be deleted after it has been viewed, these malicious messages cannot be deleted. When the phone's receive queue is filled with malicious messages, the phone cannot receive further short messages. If enough messages are sent, SMS functionality may be completely denied.
VAR-200201-0020 | CVE-2002-1595 | Cisco SN 5420 Storage Router Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco SN 5420 Storage Router 1.1(5) and earlier allows attackers to read configuration files without authorization. This can lead to an intruder gaining access to the storage space on the router. The attacker must be able to guess the name of the configuration file.
Cisco has identified this issue as bug number CSCdv24925.
VAR-200201-0021 | CVE-2002-1596 | Cisco SN 5420 Storage Router vulnerable to DoS via HTTP request containing long headers |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco SN 5420 Storage Router 1.1(5) and earlier allows remote attackers to cause a denial of service (router crash) via an HTTP request with large headers.
The router must be restarted to regain normal functionality.
Cisco has identified this issue as bug number CSCdu32533.
VAR-200201-0022 | CVE-2002-1597 | Cisco SN 5420 Storage Router vulnerable to DoS via fragmented packet sent over Gigabit interface |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco SN 5420 Storage Router 1.1(5) and earlier allows remote attackers to cause a denial of service (halt) via a fragmented packet to the Gigabit interface.
The router must be restarted to regain normal functionality.
Cisco has identified this issue as bug number CSCdu45417.
VAR-200203-0057 | CVE-2002-0109 | Linksys DSL Router Arbitrarily Sets SNMP Trap System Vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Linksys EtherFast BEFN2PS4, BEFSR41, and BEFSR81 Routers, and possibly other products, allow remote attackers to gain sensitive information and cause a denial of service via an SNMP query for the default community string "public," which causes the router to change its configuration and send SNMP trap information back to the system that initiated the query. Linksys DSL router is a high-speed internet access solution provided by Linksys Group. Linksys DSL routers provide features including high-speed internet access, built-in switching capabilities in the router, and Voice-over-IP.
Linksys routers send SNMP traps to arbitrary addresses. This will leak network traffic information handled by the router. Because SNMP uses UDP as a means of transmitting information, this may result in a number of routers being used to create a network of distributed denial of service attacks. The problem is in the use of a default community string. The problem affects Linksys routers which may work with either Microsoft or Unix and Linux systems.
VAR-200112-0166 | CVE-2001-1211 | Ipswitch IMail Domain Management Authority Boost Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Ipswitch IMail 7.0.4 and earlier allows attackers with administrator privileges to read and modify user alias and mailing list information for other domains hosted by the same server via the (1) aliasadmin or (2) listadm1 CGI programs, which do not properly verify that an administrator is the administrator for the target domain. Ipswitch IMail is an email server that serves clients their mail via a web interface. IMail supports most common email protocols such as SMTP, POP3, IMAP4, and LDAP etc. IMail also includes support for multiple domains, and web based administration. It runs on Microsoft Windows platforms.
There is a vulnerability with the authentication process for this web administration tool. Any valid administrator account may make changes to any domain on the server. Ipswitch IMail is a popular web-based mail retrieval program used by many ISPs. Attackers can list, view, add, and delete other domains arbitrarily. User aliases and mailing lists for
VAR-200112-0175 | CVE-2001-1522 | IMessenger Cross-site Scripting (XSS) Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in im.php in IMessenger for PHP-Nuke allows remote attackers to inject arbitrary web script or HTML via a message. PHP-Nuke is prone to a cross-site scripting vulnerability.
VAR-200112-0176 | CVE-2001-1523 | PHP-Nuke DMOZGateway Module Cross-site Scripting (XSS) Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the DMOZGateway module for PHP-Nuke allows remote attackers to inject arbitrary web script or HTML via the topic parameter. DMOZGateway is prone to a cross-site scripting vulnerability.
VAR-200112-0193 | CVE-2001-1540 | IPRoute Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IPRoute 0.973, 0.974 and 1.18 allows remote attackers to cause a denial of service via fragmented IP packets that split the TCP header. IPRoute is prone to a denial-of-service vulnerability. Versions 0.973, 0.974 and 1.18 of IPRoute are vulnerable.
VAR-200112-0110 | CVE-2001-1568 | Wap Gateway CVE-2001-1568 Remote Security Vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
CMG WAP gateway does not verify the fully qualified domain name URL with X.509 certificates from root certificate authorities, which allows remote attackers to spoof SSL certificates via a man-in-the-middle attack. Wap Gateway is prone to a remote security vulnerability.
VAR-200112-0111 | CVE-2001-1569 | Openwave Wap Gateway CVE-2001-1569 Remote Security Vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Openwave WAP gateway does not verify the fully qualified domain name URL with X.509 certificates from root certificate authorities, which allows remote attackers to spoof SSL certificates via a man-in-the-middle attack. Openwave Wap Gateway is prone to a remote security vulnerability.
VAR-200112-0165 | CVE-2001-1210 | Cisco Cable Access Router MIB Community Default password vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Cisco ubr900 series routers that conform to the Data-over-Cable Service Interface Specifications (DOCSIS) standard must ship without SNMP access restrictions, which can allow remote attackers to read and write information to the MIB using arbitrary community strings. The ubr900 series routers are a Cable Access solution manufactured and maintained by Cisco Systems. They are designed to route traffic over cable networks. The MIB supports default community strings xyzzy, agent_steal, freekevin, and fubar. This problem has been confirmed in models ubr920, ubr924, and ubr925.
VAR-200112-0107 | CVE-2001-1565 | Apple Mac OS X PPP Certificate Disclosure Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Point to Point Protocol daemon (pppd) in Mac OS X 10.0 and 10.1 through 10.1.5 provides the username and password on the command line, which allows local users to obtain authentication information via the ps command. An issue has been reported in Mac OS X which could disclose the authentication information for a PPP connection.
If a user has established a PPP connection, executing a ps command will not only display information about the currently running processes, but will also disclose the PPP username and password for Internet Connect.
VAR-200112-0139 | CVE-2001-1221 | D-Link DWL-1000AP Wireless LAN Access Point 'public' Password Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
D-Link DWL-1000AP Firmware 3.2.28 #483 Wireless LAN Access Point uses a default SNMP community string of 'public' which allows remote attackers to gain sensitive information. D-Link DWL-1000AP is an 11Mbps wireless LAN access point product for home users. It supports WEP, MAC address control and user authentication.
The product has a security issue that could cause remote attackers to obtain sensitive information.
The device ships with a default read-only SNMP community string named 'public'. This community string cannot be disabled through configuration, so a malicious attacker can use an SNMP client to browse sensitive information in the 'public' MIB. This community string is hard-coded into the product and cannot be changed with the configuration interface.
This issue has been confirmed with the 3.2.28 #483 (Aug 23, 2001) firmware. Other versions of the firmware may also be affected.
VAR-200112-0138 | CVE-2001-1220 | D-Link DWL-1000AP WLAN Access Point Plain Text Password Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
D-Link DWL-1000AP Firmware 3.2.28 #483 Wireless LAN Access Point stores the administrative password in plaintext in the default Management Information Base (MIB), which allows remote attackers to gain administrative privileges. D-Link DWL-1000AP is an 11Mbps wireless LAN access point product for home users. It supports WEP, MAC address control and user authentication.
The product has a security issue that could cause a remote attacker to hijack the access point.
This is because the administrator password is stored in plain text in the default 'public' MIB (OID 1.3.6.1.4.1.937.2.1.2.2.0). An attacker who has access to this MIB may obtain the password with an SNMP client, then access the wireless network, modify the configuration, or launch a denial of service attack. Any attacker within range, using an SNMP client, can reveal the administrative password by browsing the "public" MIB.
This issue has been confirmed with the 3.2.28 #483 (Aug 23, 2001) firmware. Other versions of the firmware may also be affected.
VAR-200112-0017 | CVE-2001-0888 | Atmel SNMP Non-'public' Password or Unknown OID Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Atmel Firmware 1.3 Wireless Access Point (WAP) allows remote attackers to cause a denial of service via an SNMP request with (1) a community string other than "public" or (2) an unknown OID, which causes the WAP to deny subsequent SNMP requests. Atmel is a chip designer and manufacturer that offers a variety of RF-based products. Atmel manufactures firmware for various wireless access systems. This firmware supports SNMP for network management.
Some of these versions of the firmware have security issues that can cause a denial of service attack.
If an SNMP read request is sent using a non-public password or an unknown OID, the device will stop responding, and only a restart will restore normal operation. The device will not respond to further communication, and a restart is required to regain normal functionality.
VAR-200112-0132 | CVE-2001-1186 | Microsoft IIS Denial of Service Vulnerability Caused by Failure to Handle Forged "Content-Length" |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Microsoft IIS 5.0 allows remote attackers to cause a denial of service via an HTTP request with a content-length value that is larger than the size of the request, which prevents IIS from timing out the connection.
If an IIS 5.0 web server is sent a crafted HTTP GET request which contains a falsified and excessive "Content-Length" field, it behaves in an unusual manner. The server keeps the connection open and does not time out, but does not respond otherwise. It is possible that this may be used to cause a denial of service to the web server.
VAR-200112-0261 | No CVE | CNVD-2001-3118 |
CVSS V2: - CVSS V3: - Severity: - |
DeltaThree Pc-To-Phone 3.0.3 stores sensitive data in world-readable locations in the installation directory, which allows local users to read the information in temp.html, the log folder, and the PhoneBook folder.