VARIoT IoT vulnerabilities database


VAR-200405-0015 CVE-2004-0383 apple's Apple Mac OS X Vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Unknown vulnerability in Mail for Mac OS X 10.3.3 and 10.2.8, with unknown impact, related to "the handling of HTML-formatted email." Apple Mac OS X contains an unspecified vulnerability. Apple Mail has been reported prone to an undisclosed vulnerability. The issue is reported to present itself in the HTML-formatted e-mail processing routines. This BID will be updated as further pertinent details about this vulnerability are released
VAR-200405-0014 CVE-2004-0382 apple's Apple Mac OS X Vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Unknown vulnerability in the CUPS printing system in Mac OS X 10.3.3 and Mac OS X 10.2.8 with unknown impact, possibly related to a configuration file setting. It has been reported that CUPS is prone to an unspecified configuration file vulnerability. Currently details surrounding this issue are insufficient to provide more information. This BID will be updated when new information becomes available
VAR-200404-0076 CVE-2004-1986 Coppermine Photo Gallery Multiple Input Validation Vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in modules.php in Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers with administrative privileges to read arbitrary files via a .. (dot dot) in the startdir parameter. Coppermine Photo Gallery is reported prone to multiple input-validation vulnerabilities, some of which may lead to arbitrary command execution. These issues occur because the application fails to properly sanitize and validate user-supplied input before using it in dynamic content and in function calls that execute system commands. Attackers may exploit these issues to steal cookie-based authentication credentials, map the application root directory of the affected application, execute arbitrary commands, and include arbitrary files. Other attacks are also possible. Coppermine Photo Gallery is a web-based image gallery management program. Coppermine Photo Gallery does not fully filter user-submitted input in many places. The specific issues are as follows: 1. Path disclosure: by directly accessing some configuration scripts, sensitive path information can be obtained. 2. Cross-site scripting: coppermine/docs/menu.inc.php lacks filtering of user-submitted URIs, and attackers can use this vulnerability to obtain sensitive information. 3. Arbitrary directory browsing: a user with PHP-Nuke administrator privileges can bypass directory restrictions and access other files through the coppermine module. 4. Arbitrary command execution: a user with PHP-Nuke administrator privileges who accesses the coppermine module can enter shell commands in some parameters of the coppermine configuration panel, and they are executed with the privileges of the web server process
VAR-201708-0984 CVE-2017-11392 Trend Micro InterScan Messaging Security Virtual Appliance Command injection vulnerability CVSS V2: 6.5
CVSS V3: 8.8
Severity: HIGH
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the "T" parameter within modTMCSS Proxy. Formerly ZDI-CAN-4745. The Zero Day Initiative assigned this vulnerability the identifier ZDI-CAN-4745. Information may be obtained or altered, and service operation may be disrupted (DoS). An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the modTMCSS Proxy functionality. An attacker can leverage this vulnerability to execute arbitrary code under the context of the imss user. that integrates anti-virus, anti-spyware and anti-phishing technologies to provide comprehensive protection for email applications. The issue presents itself when the 'VirusEvent' directive in the 'clamav.conf' configuration file has been enabled and the 'Dazuko' module is used with the antivirus software. Although unconfirmed, all versions of the application are assumed to be vulnerable at the moment. This information will be updated as more details become available. Failed exploit attempts will result in a denial-of-service condition
VAR-201708-0983 CVE-2017-11391 Trend Micro InterScan Messaging Security Virtual Appliance Command Injection Vulnerability CVSS V2: 6.5
CVSS V3: 8.8
Severity: HIGH
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the "t" parameter within modTMCSS Proxy. Formerly ZDI-CAN-4744. The Zero Day Initiative assigned this vulnerability the identifier ZDI-CAN-4744. Information may be obtained or altered, and service operation may be disrupted (DoS). An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the modTMCSS Proxy functionality. An attacker can leverage this vulnerability to execute arbitrary code under the context of the imss user. that integrates anti-virus, anti-spyware and anti-phishing technologies to provide comprehensive protection for email applications. The issue presents itself when the 'VirusEvent' directive in the 'clamav.conf' configuration file has been enabled and the 'Dazuko' module is used with the antivirus software. Although unconfirmed, all versions of the application are assumed to be vulnerable at the moment. This information will be updated as more details become available. Failed exploit attempts will result in a denial-of-service condition
VAR-200403-0151 No CVE Cisco IOS RST-ACK Packet Access Control Bypass Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
Cisco IOS 11.2 has been reported prone to an access control bypass vulnerability. The issue is reported to present itself on C2500-F2IN-L appliances, but may also affect other Cisco devices that are running IOS 11.2. It has been reported that an attacker who resides on a blocked network segment may bypass the access controls by transmitting TCP packets to target hosts that have both the RST and ACK flags set.
VAR-200403-0082 CVE-2003-1008 Mac OS X Unknown vulnerability CVSS V2: 4.6
CVSS V3: -
Severity: MEDIUM
Unknown vulnerability in Mac OS X 10.2.8 and 10.3.2 allows local users to bypass the screen saver login window and write a text clipping to the desktop or another application. Mac OS X Server is prone to a local security vulnerability
VAR-200403-0145 No CVE HP Web Jetadmin Remote Arbitrary Command Execution Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
HP Web JetAdmin includes an integrated and modified Apache web server. Some scripts included in HP Web Jetadmin lack sufficient filtering of parameters, and remote attackers can use these scripts to execute arbitrary commands with the privileges of the web server. The wja_update_product.hts script and 'plugins/framework/script/tree.xms' allow remote attackers to execute arbitrary commands with web server privileges. This issue is due to a failure of the application to properly validate and sanitize user-supplied input. This issue has been tested with an authenticated account on HP Web Jetadmin version 7.5.2546 running on a Windows platform
VAR-200412-1229 CVE-2004-1848 Progress Software Ipswitch WS_FTP Server Security hole CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Ipswitch WS_FTP Server 4.0.2 allows remote attackers to cause a denial of service (disk consumption) and bypass file size restrictions via a REST command with a large size argument, followed by a STOR of a smaller file. Multiple vulnerabilities have been identified in the WS_FTP Server and client applications. The issues include two remote buffer overflow vulnerabilities in the client, a denial of service vulnerability in the server and an access validation issue in the server leading to remote command execution with SYSTEM privileges. These issues are undergoing further analysis. This BID will be divided into separate issues as analysis is completed. Progress Software Ipswitch WS_FTP Server is a set of FTP server software developed by Progress Software Company in the United States. It provides functions such as file transfer control and transfer encryption. A resource management error vulnerability exists in Progress Software Ipswitch WS_FTP Server version 4.0.2. This vulnerability stems from improper management of system resources (such as memory, disk space, files, etc.) by network systems or products
VAR-200412-1140 CVE-2004-1885 Progress Software Ipswitch WS_FTP Server Security hole CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Ipswitch WS_FTP Server 4.0.2 allows remote authenticated users to execute arbitrary programs as SYSTEM by using the SITE command to modify certain iFtpSvc options that are handled by iftpmgr.exe. Multiple vulnerabilities have been identified in the WS_FTP Server and client applications. These vulnerabilities may allow remote attackers to execute arbitrary code, cause denial of service attacks and gain administrative level access to a server. The issues include two remote buffer overflow vulnerabilities in the client, a denial of service vulnerability in the server and an access validation issue in the server leading to remote command execution with SYSTEM privileges. These issues are undergoing further analysis. This BID will be divided into separate issues as analysis is completed. Progress Software Ipswitch WS_FTP Server is a set of FTP server software developed by Progress Software Company in the United States. It provides functions such as file transfer control and transfer encryption. A security vulnerability exists in Progress Software Ipswitch WS_FTP Server version 4.0.2
VAR-200412-1139 CVE-2004-1883 Progress Software Ipswitch WS_FTP Server Buffer error vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Multiple buffer overflows in Ipswitch WS_FTP Server 4.0.2 (1) allow remote authenticated users to execute arbitrary code by causing a large error string to be generated by the ALLO handler, or (2) may allow remote FTP administrators to execute arbitrary code by causing a long hostname or username to be inserted into a reply to a STAT command while a file is being transferred. Multiple vulnerabilities have been identified in the WS_FTP Server and client applications. The issues include two remote buffer overflow vulnerabilities in the client, a denial of service vulnerability in the server and an access validation issue in the server leading to remote command execution with SYSTEM privileges. These issues are undergoing further analysis. This BID will be divided into separate issues as analysis is completed. Progress Software Ipswitch WS_FTP Server is a set of FTP server software developed by Progress Software Company in the United States. It provides functions such as file transfer control and transfer encryption. A buffer error vulnerability exists in Progress Software Ipswitch WS_FTP Server version 4.0.2
VAR-200403-0095 CVE-2004-1884 Progress Software Ipswitch WS_FTP Server Security hole CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Ipswitch WS_FTP Server 4.0.2 has a backdoor XXSESS_MGRYY username with a default password, which allows remote attackers to gain access. Multiple vulnerabilities have been identified in the WS_FTP Server and client applications. The issues include two remote buffer overflow vulnerabilities in the client, a denial of service vulnerability in the server and an access validation issue in the server leading to remote command execution with SYSTEM privileges. These issues are undergoing further analysis. This BID will be divided into separate issues as analysis is completed. Progress Software Ipswitch WS_FTP Server is a set of FTP server software developed by Progress Software Company in the United States. It provides functions such as file transfer control and transfer encryption
VAR-200403-0128 CVE-2004-1839 PHP-Nuke MS-Analysis Module Multiple Remote Path Disclosure Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
MS Analysis module 2.0 for PHP-Nuke allows remote attackers to obtain sensitive information via a direct request to (1) browsers.php, (2) mstrack.php, or (3) title.php, which reveal the full path in a PHP error message. Reportedly MS-Analysis is prone to a remote information disclosure vulnerability. This issue is due to a design error that displays sensitive system information when certain errors are triggered. The problem presents itself when an error condition is triggered in all scripts residing in the 'scripts' directory of the MS-Analysis directory. It has also been reported that this issue affects the 'mstrack.php' and 'title.php' scripts in the MS-Analysis root directory. These issues may be leveraged to gain sensitive information about the affected system potentially aiding an attacker in mounting further attacks. Version 2.0 of the MS Analysis module of PHP-Nuke is vulnerable. This vulnerability discloses the full path in the PHP error message
VAR-200403-0129 CVE-2004-1840 PHP-Nuke MS-Analysis Module Multiple Cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in MS Analysis module 2.0 for PHP-Nuke allow remote attackers to inject arbitrary web script or HTML via the (1) screen parameter to modules.php, (2) module_name parameter to title.php, (3) sortby parameter to modules.php, or (4) overview parameter to modules.php. It has been reported that MS-Analysis is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure of the application to properly sanitize user-supplied URI parameters. These issues could permit a remote attacker to create a malicious link to the vulnerable application that includes hostile HTML and script code. If this link were followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials or other attacks
VAR-200412-1177 CVE-2004-1832 Apple Mac OS X Server Management Service Unknown Remote Buffer Overflow Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Buffer overflow in the GUI admin service in Mac OS X Server 10.3 allows remote attackers to cause a denial of service (crash and restart) via a large amount of data to TCP port 660. This service has been reported to be exclusively associated with port 660. The reports indicate that when this service handles a request that is 2056 bytes long the service will crash and restart. This BID will be updated as further details regarding this issue are disclosed. Mac OS X is an operating system used on Mac machines, based on the BSD system. Remote attackers can use this vulnerability to send 2057 characters to perform remote buffer overflow attacks, and may execute arbitrary instructions on the system with process privileges. There are currently no detailed vulnerability details
VAR-200412-1211 CVE-2004-1762 F-Secure Anti-Virus for Linux fails to properly detect Sober.D virus CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Unknown vulnerability in F-Secure Anti-Virus (FSAV) 4.52 for Linux before Hotfix 3 allows the Sober.D worm to bypass FSAV. A hotfix for this vulnerability has been released. F-Secure Anti-Virus is prone to a remote security vulnerability
VAR-200408-0170 CVE-2004-0375 Vulnerabilities in multiple Symantec products CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
SYMNDIS.SYS in Symantec Norton Internet Security 2003 and 2004, Norton Personal Firewall 2003 and 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 and 1.1 allows remote attackers to cause a denial of service (infinite loop) via a TCP packet with a (1) SACK option or (2) Alternate Checksum Data option followed by a length of zero. The issue is reported to present itself in the TCP packet processing routines of the affected software. It is reported that this vulnerability has a system-wide impact, causing the Windows GUI and peripherals attached to the host to become unresponsive. A hard reset is reported to be required to restore normal functionality to the system. The information in this BID was consolidated from BID 10204 as both of these BIDs represented the same issue. BID 10204 is being retired. According to the report, this vulnerability cannot be exploited to execute arbitrary commands, and no detailed vulnerability details are currently available. The vulnerability allows a remote attacker to reliably render a system inoperative with one single packet. Physical access is required in order to bring an affected system out of this "frozen" state. This specific flaw exists within the component that performs low-level processing of TCP packets.

Technical Description: The vulnerability exists in SYMNDIS.SYS when parsing the TCP Options in a TCP packet. The only way to bring the system back online is to hard boot the system, which requires physical access to the system. The attacker only needs to send a single packet to any port on the system, regardless of whether or not the port is open. This flaw is still reachable whether the firewall or IDS are enabled or disabled. Below is a portion of a TCP SYN packet (total length of 44 bytes) with a bad SACK TCP option.

Sample Packet:

  40 00   57 4B   00 00   01 01 05 00
  |___|   |___|   |___|   |_________|
    |       |       |          |
    |       |       |      TCP Options
    |       |   Urgent Pointer
    |   Checksum
  Window Size

The vulnerable code maintains an offset into the TCP option bytes and attempts to advance past a variable-length option by adding the option's length to the offset. If the option's length field is zero, the offset never advances, the parsing loop never terminates, and the machine halts completely.

Protection: Retina Network Security Scanner has been updated to identify this vulnerability.

Vendor Status: Symantec has released a patch for this vulnerability. The patch is available via the Symantec LiveUpdate service. This vulnerability has been assigned the CVE identifier CAN-2004-0375.

Credit: Discovery: Karl Lynn

Related Links: Retina Network Security Scanner - Free 15 Day Trial http://www.eeye.com/html/Products/Retina/download.html

Copyright (c) 1998-2004 eEye Digital Security
VAR-200404-0032 CVE-2004-0362 Internet Security Systems Protocol Analysis Module (PAM) does not properly handle ICQ server response messages CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Multiple stack-based buffer overflows in the ICQ parsing routines of the ISS Protocol Analysis Module (PAM) component, as used in various RealSecure, Proventia, and BlackICE products, allow remote attackers to execute arbitrary code via a SRV_MULTI response containing a SRV_USER_ONLINE response packet and a SRV_META_USER response packet with long (1) nickname, (2) firstname, (3) lastname, or (4) email address fields, as exploited by the Witty worm. The Protocol Analysis Module (PAM) used by Internet Security Systems (ISS) intrusion detection and prevention products does not properly handle ICQ server response messages. An unauthenticated, remote attacker could execute arbitrary code by sending a specially crafted UDP packet. This issue exists due to insufficient bounds checking performed on certain unspecified ICQ protocol fields supplied in ICQ response data. This attack would occur in the context of the vulnerable process. This module is used to parse network protocols and is included in a number of products provided by ISS, including various RealSecure and BlackICE releases. To call these affected functions, an attacker simply needs to construct an SRV_USER_ONLINE reply containing two nested reply packets. Attackers can forge data frames and send them to networks, devices, and hosts protected by ISS products
VAR-200403-0109 CVE-2004-1830 PHP-Nuke Error Manager Multiple security holes in the module CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
error.php in Error Manager 2.1 for PHP-Nuke 6.0 allows remote attackers to obtain sensitive information via an invalid (1) language, (2) newlang, or (3) lang parameter, which leaks the pathname in a PHP error message. It has been reported that Error Manager is prone to multiple vulnerabilities. These issues are due to failure to validate user input, failure to handle exceptional conditions and simple design errors. These issues may be leveraged to carry out cross-site scripting attacks, reveal information about the application configuration and initiate HTML injection attacks against the affected system. PHP-Nuke is a popular website creation and management tool; it can use many database products as a backend, such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc. 1) A path disclosure problem exists in the error.php file. Submitting any value for the 'newlang' parameter can return sensitive information, including the application installation path. 2) A cross-site scripting problem exists in the error.php file. Due to insufficient filtering of the 'pagetitle' and 'error' parameters, a link can be constructed that contains malicious script code; when the target user follows this link, sensitive information can be disclosed. 3) Script injection into the error log: when logging errors, Error Manager records the referrer, request URI and other information, but performs no filtering of HTML tags, so attackers can inject malicious script code into the error log. When the administrator views the log, cookie data can be stolen or an administrator account can be created
VAR-200403-0166 CAN-2004-0079 OpenSSL Denial of Service Vulnerabilities CVSS V2: -
CVSS V3: -
Severity: -
Three security vulnerabilities have been reported to affect OpenSSL. Each of these remotely exploitable issues may result in a denial of service in applications which use OpenSSL. For the first issue, a NULL-pointer assignment can be triggered by attackers during SSL/TLS handshake exchanges. The CVE candidate name for this vulnerability is CAN-2004-0079. Versions 0.9.6c to 0.9.6k (inclusive) and from 0.9.7a to 0.9.7c (inclusive) are vulnerable. The second issue is also exploited during the SSL/TLS handshake, but only when Kerberos ciphersuites are in use. The vendor has reported that this vulnerability may not be a threat to many, because it occurs only when Kerberos ciphersuites are in use, an uncommon configuration. The CVE candidate name for this vulnerability is CAN-2004-0112. Versions 0.9.7a, 0.9.7b, and 0.9.7c are affected. This entry will be retired when individual BID records are created for each issue. *Note: A third denial-of-service vulnerability included in the announcement was discovered affecting 0.9.6 and fixed in 0.9.6d. The CVE candidate name for this vulnerability is CAN-2004-0081.

Null-pointer assignment during SSL handshake
===============================================

Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application this could lead to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0079 to this issue. Any application that makes use of OpenSSL's SSL/TLS library may be affected. Please contact your application vendor for details.

2. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0112 to this issue. Any application that makes use of OpenSSL's SSL/TLS library may be affected. Please contact your application vendor for details.

Recommendations
---------------

Upgrade to OpenSSL 0.9.7d or 0.9.6m. Recompile any OpenSSL applications statically linked to OpenSSL libraries. OpenSSL 0.9.7d and OpenSSL 0.9.6m are available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): ftp://ftp.openssl.org/source/

The distribution file names are:

  o openssl-0.9.7d.tar.gz
    MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5
  o openssl-0.9.6m.tar.gz [normal]
    MD5 checksum: 1b63bfdca1c37837dddde9f1623498f9
  o openssl-engine-0.9.6m.tar.gz [engine]
    MD5 checksum: 4c39d2524bd466180f9077f8efddac8c

The checksums were calculated using the following command: openssl md5 openssl-0.9*.tar.gz

Credits
-------

Patches for these issues were created by Dr Stephen Henson (steve@openssl.org) of the OpenSSL core team. The OpenSSL team would like to thank Codenomicon for supplying the TLS Test Tool which was used to discover these vulnerabilities, and Joe Orton of Red Hat for performing the majority of the testing.

References
----------

http://www.codenomicon.com/testtools/tls/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112

URL for this Security Advisory: http://www.openssl.org/news/secadv_20040317.txt