VARIoT IoT vulnerabilities database
| VAR-200306-0007 | CVE-2003-0279 | PHP-Nuke Web_Links Module remote SQL Injection code vulnerability |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
Multiple SQL injection vulnerabilities in the Web_Links module for PHP-Nuke 5.x through 6.5 allow remote attackers to steal sensitive information via numeric fields, as demonstrated using (1) the viewlink function and cid parameter, or (2) index.php. PHP-Nuke is reportedly prone to multiple SQL injection vulnerabilities in the Downloads module. Exploitation could allow for injection of malicious SQL syntax, resulting in modification of SQL query logic or other attacks. It has been reported that multiple input validation bugs exist in the Web_Links module used by PHP-Nuke. Because of this, a remote user may be able to access the database and potentially gain access to sensitive information. Successful exploitation could result in compromise of the web forums or more severe consequences. PHP-Nuke is a popular website creation and management tool that can use many database systems as its back end, such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc. If the SQL back end allows users to use the UNION syntax, any information inside the database can be exposed through the Web_Links module, including passwords and personal data. If the UNION syntax cannot be used, the attacker cannot access SQL tables other than those managed through Web_Links, so only some click-through rate and voting information can be obtained
| VAR-200306-0053 | CVE-2003-0370 | KDE Konqueror In SSL Unchecked vulnerability for certificates |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Konqueror Embedded and KDE 2.2.2 and earlier do not validate the Common Name (CN) field for X.509 Certificates, which could allow remote attackers to spoof certificates via a man-in-the-middle attack. Konqueror, the file manager and web browser included with KDE, has an incomplete SSL implementation: the check against the certificate is done with the IP address rather than the host name, so a user may accept a forged SSL certificate without realizing it is forged. The user may then connect to an untrusted, malicious web site over SSL. The browser fails to detect cases where the CN doesn't match the hostname of the server. This could lead to a variety of attacks, including the possibility of allowing a malicious server to masquerade as a trusted server.
The non-embedded Konqueror distribution is reportedly not affected by this issue
| VAR-200312-0465 | CVE-2003-1464 | Siemens Mobile Phones %IMG_NAME Remote Denial of Service Attack Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Buffer overflow in Siemens 45 series mobile phones allows remote attackers to cause a denial of service (disconnect and unavailable inbox) via a Short Message Service (SMS) message with a long image name. There are vulnerabilities in Siemens 45 series phones. This is reportedly due to a boundary condition error that occurs when an overly large image name is included in an SMS message
| VAR-200305-0033 | CVE-2003-0216 | Cisco Catalyst switches allow access to "enable mode" without password |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Unknown vulnerability in Cisco Catalyst 7.5(1) allows local users to bypass authentication and gain access to the enable mode without a password. Cisco Catalyst version 7.5(1) has an unknown vulnerability
| VAR-200312-0483 | CVE-2003-1482 | Microsoft MN-500 Clear text password disclosure vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
The backup configuration file for Microsoft MN-500 wireless base station stores administrative passwords in plaintext, which allows local users to gain access. A weakness has been reported for the MN-500 device that may result in the disclosure of administrative credentials to remote attackers. Microsoft MN-500 is a wireless access device that supports 802.11b wireless networking. According to the report, the problem is that the backup configuration file stores the administrator password in clear text, and an attacker can control the entire device by querying the backup file to obtain authentication information
| VAR-200305-0082 | No CVE | Cisco Optical Transport Platform illegal telnet request remote denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Cisco ONS 15454, ONS 15327, ONS 15454 SDH, and ONS 15600 hardware are managed by TCC+, XTC, TCCi, and TSC control cards, which are typically used in internal customer environments to connect to the external Internet. The telnet service of the Cisco Optical Transport Platform system handles illegal requests incorrectly. A remote attacker can exploit this vulnerability to perform a denial of service attack on the device, which can cause network interruption. By submitting an illegal telnet request, an attacker can cause a TCC+, XTC, TCCi, and TSC control card to be reset. Repeating an illegal request can cause the device to interrupt normal communication and generate a denial of service. This vulnerability was reproduced by the Nessus scanner, CISCO BUG number: CSCdz83519
| VAR-200305-0063 | CVE-2003-0190 | OpenSSH of PAM Vulnerability to timing attack in authentication |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. When the portable edition of OpenSSH is configured to work with a PAM implementation, the time it takes to return the authentication result "Permission denied, please try again." after a failed authentication differs between existing and non-existing usernames. It may therefore be possible to guess whether a username exists. The portable version of OpenSSH is reported prone to an information-disclosure vulnerability. The portable version is distributed for operating systems other than its native OpenBSD platform.
This issue is related to BID 7467. Reportedly, the previous fix for BID 7467 didn't completely fix the issue. This current issue may involve differing code paths in PAM, resulting in a new vulnerability, but this has not been confirmed.
Exploiting this vulnerability allows remote attackers to test for the presence of valid usernames. Knowledge of usernames may aid them in further attacks
| VAR-200305-0035 | CVE-2003-0219 | Kerio Personal Firewall Replay Attack Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute administrator commands by sniffing packets from a valid session and replaying them against the remote administration server
| VAR-200305-0036 | CVE-2003-0220 | Kerio Personal Firewall vulnerable to buffer overflow |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in the administrator authentication process for Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute arbitrary code via a handshake packet. An exploit for this vulnerability is publicly available. A buffer-overflow vulnerability has been discovered in Kerio Personal Firewall. The problem occurs during the administration authentication process. An attacker could exploit this vulnerability by forging a malicious packet containing an excessive data size. The application then reads this data into a static memory buffer without first performing sufficient bounds checking.
Note that this vulnerability affects Kerio Personal Firewall 2.1.4 and earlier. When the administrator connects to the firewall, a handshake is performed to establish an encrypted session. The fourth packet of the handshake (the first packet is sent by the administrator) contains 4 bytes of data with the fixed value 0x40 (64), which indicates the size of the follow-up packet containing the admin key. When the firewall side uses recv() to process this data, it does not check the buffer boundary
| VAR-200312-0440 | CVE-2003-1491 | Kerio Personal Firewall Firewall Filter Bypass Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Kerio Personal Firewall (KPF) 2.1.4 has a default rule to accept incoming packets from DNS (UDP port 53), which allows remote attackers to bypass the firewall filters via packets with a source port of 53. Reportedly, KPF suffers from a vulnerability whereby the existing firewall filters may be bypassed. This vulnerability exists due to the fact that UDP traffic to and from port 53 is allowed.
Allegedly, an attacker may craft a special packet with a source port of 53 and send this packet to a vulnerable system. KPF will allow this packet to proceed thus bypassing the firewall filters
| VAR-200312-0439 | CVE-2003-1490 | SonicWALL Pro HTTP POST Remote denial of service vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
SonicWall Pro running firmware 6.4.0.1 allows remote attackers to cause a denial of service (device reset) via a long HTTP POST to the internal interface, possibly due to a buffer overflow. The firewall device will reset, resulting in a loss of availability while it goes through this cycle. This may be the result of a buffer being overrun, however, this has not been confirmed. SonicWALL PRO is a full-featured Internet security appliance designed specifically for large networks with ever-growing VPN needs
| VAR-200304-0180 | No CVE | Cisco Catalyst CatOS Authentication Bypass Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
A vulnerability has been reported for Cisco Catalyst switches that may result in unauthorized access to the enable level.
The vulnerability exists due to the way the 'enable' mode is accessed through the switch.
An attacker who is able to obtain command line access to a vulnerable switch is able to access 'enable' mode without a password.
| VAR-200304-0141 | No CVE | HP JetDirect Printer FTP Service File Print Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The HP JetDirect printer is a printer with integrated network capabilities developed by Hewlett-Packard. The FTP directory in the HP JetDirect printer is writable, and a remote attacker can exploit this vulnerability to perform a denial of service attack on the print service. Since the HP JetDirect printer's directory permissions for its FTP service are not set correctly, any files sent to the JetDirect FTP service can be printed, and an attacker can send a large number of requests for a denial of service attack. It has been reported that HP JetDirect Printers accept documents from any source without access control limitations. This could lead to a denial of service or abuse of printing services
| VAR-200305-0056 | CVE-2003-0210 | Cisco Secure ACS for Windows CSAdmin vulnerable to buffer overflow via login requests |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in the administration service (CSAdmin) for Cisco Secure ACS before 3.1.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long user parameter to port 2002. It has been reported that some versions of the Cisco Secure ACS software do not properly handle input supplied during authentication. Because of this, it may be possible for a remote attacker to gain unauthorized access to a host using the vulnerable software. The management service of Cisco Secure ACS listens on TCP port 2002 and provides web-based management. When CSAdmin processes a login request, a buffer overflow can occur. If an overlong user parameter is sent to the service, the service can be suspended and must be restarted to resume normal service. Arbitrary commands may also be executed with system privileges. The bug ID of this vulnerability is: CSCea51366
| VAR-200404-0022 | CVE-2003-1033 | SAP database development tool INSTLSERVER INSTROOT environment variable vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The (1) instdbmsrv and (2) instlserver programs in SAP DB Development Tools 7.x trust the user-provided INSTROOT environment variable as a path when assigning setuid permissions to the lserver program, which allows local users to gain root privileges via a modified INSTROOT that points to a malicious dbmsrv or lserver program. SAP is an integrated enterprise resource planning system based on client/server architecture and open systems, including database open tools when installed. The SAP database program instlserver has problems handling environment variables. Local attackers can exploit this vulnerability for privilege escalation attacks and gain root user privileges. The instlserver program uses user-supplied data while still running with root privileges when it runs chmod and chown on some files. When the 'DevTool/bin/instlserver' program is run, the file specified according to the environment variable 'INSTROOT' is chowned and chmoded. The attacker builds a malicious file, stores it in the location specified by the environment variable, and obtains a program with setuid root properties, thereby escalating privileges
| VAR-200305-0066 | CVE-2003-0171 | Apple MacOS X DirectoryService Privilege Escalation Vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
DirectoryServices in MacOS X trusts the PATH environment variable to locate and execute the touch command, which allows local users to execute arbitrary commands by modifying the PATH to point to a directory containing a malicious touch program. Apple MacOS X DirectoryService is prone to an issue which may allow local attackers to gain elevated privileges. This issue is due to usage of the libc system() function to execute commands. Attackers may potentially set a PATH environment variable that causes an arbitrary file to be executed with elevated privileges. Exploitation may require the attacker to abuse other known issues (BID 7323) to crash the service. DirectoryServices is the MacOS X information and authentication subsystem, which is started during the startup phase and installed with the default setuid root attribute. To exploit this vulnerability, you must first stop the DirectoryServices service, which can be done by repeatedly connecting to port 625
| VAR-200305-0065 | CVE-2003-0198 | Apple MacOS X DropBox Folder Remote Information Disclosure Vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Mac OS X before 10.2.5 allows guest users to modify the permissions of the DropBox folder and read unauthorized files. A vulnerability has been discovered in Apple MacOS X 10.2.4 and earlier. The problem occurs when various file sharing services are enabled. The issue occurs in the privileges granted to 'guest' users, when accessing shared folders. Due to a design error, it may be possible for an unprivileged user to change the permissions of a write-only directory, effectively revealing its contents.
Information obtained through exploiting this vulnerability could aid an attacker in launching further attacks against a target system. Mac OS X is an operating system used on Mac machines, based on the BSD system. An issue in the way Mac OS X handles file-sharing services could allow remote attackers to gain access to sensitive file information. Using this information can help attackers further attack the system
| VAR-200304-0137 | No CVE | Linksys BEFVP41 SNMP Default Community String Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Linksys BEFVP41 is a VPN-enabled router. The Linksys BEFVP41 has a default community string that can be exploited by remote attackers to obtain a large amount of sensitive information on the target network. The external interface of the Linksys VPN router uses the default globally readable 'public' community string. Using this community string, you can obtain sensitive information such as routers and host hardware addresses in the internal network. This information can be used to further attack the network. The Linksys BEFVP41 VPN router has been reported prone to a sensitive information disclosure vulnerability.
It should be noted that this issue has also been reported to affect the Linksys BEFSR81 appliance
| VAR-200304-0140 | No CVE | Buffalo WBRG54 Wireless Broadband Router Remote Denial of Service Attack Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Buffalo WBRG54 is a router for wireless broadband. The Buffalo WBRG54 has problems handling large numbers of ICMP packets, which can be exploited by remote attackers to perform denial of service attacks on devices. According to the vulnerability discoverer's test, two WBR-g54 broadband routers were used (the first is g54-01, the second is g54-02), connected in peer-to-peer mode: [attacker PC]--[g54-01]-.-.-peer-to-peer-.-.-[g54-02]--[victim PC]. If a large number of ICMP packets are submitted to the device (ping -f <victim IP> can be used in Linux), the connection can be broken. A vulnerability has been reported for the WBRG54 device that may result in a denial of service. The vulnerability occurs when a vulnerable device receives numerous ICMP packets. In some cases, this will result in the device behaving unpredictably and denying service
| VAR-200304-0139 | No CVE | Netgear FM114P ProSafe Wireless Router Rules Can Be Vulnerable |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Netgear FM114P ProSafe is a wireless network router. The Netgear FM114P ProSafe wireless network router has a port-blocking rule vulnerability when the UPnP feature is used, which can be exploited by remote attackers to bypass access restrictions on restricted ports. The Netgear FM114P allows blocking of some ports, restricting external users from accessing the internal network or restricting internal users from connecting to the WAN. If remote access and UPnP functions are enabled in the device, remote users can submit UPnP SOAP requests to bypass rule access restrictions. port,