VARIoT IoT vulnerabilities database
| VAR-200210-0222 | CVE-2002-1068 | D-Link Print Server Long Denial of Service POST Request Remote Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The web server for D-Link DP-300 print server allows remote attackers to cause a denial of service (hang) via a large HTTP POST request. The DP-303 print server is a hardware device developed by D-LINK that shares attached printers over Ethernet. It has a built-in web interface for management.
The DP-303 print server's web interface does not correctly check the length of POST requests it processes. A remote attacker can exploit this to cause a denial of service.
| VAR-200212-0098 | CVE-2002-2149 | Lucent Access Point IP Service router is very long HTTP Request service denial vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Buffer overflow in Lucent Access Point 300, 600, and 1500 Service Routers allows remote attackers to cause a denial of service (reboot) via a long HTTP request to the administrative interface. An error has been reported in the embedded HTTP server.
It has been reported that sending an HTTP request consisting of approximately 4000 characters of data will cause the device to reboot. This may result in an interruption of service for legitimate users of the device.
| VAR-200210-0221 | CVE-2002-1067 | SEH IC9 Pocket print server WEB Management Interface Handling Password Fields Improper Remote Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Administrative web interface for IC9 Pocket Print Server Firmware 7.1.30 and 7.1.36f allows remote attackers to cause a denial of service (reboot and reset) via a long password, possibly due to a buffer overflow. IC9 is the Pocket Print Server distributed by SEH. It provides network capability to parallel port printers.
A user accessing the web administration interface of a vulnerable device may be able to reboot the print server and the attached printer. This results in a denial of service, as the print server and printer are unavailable during the reboot process. If an attacker can access the web management interface and submit a password field containing more than 300 bytes to the management program, the printer will crash and the device will restart.
| VAR-200208-0031 | CVE-2002-0813 | Cisco IOS TFTP Service Long File Name Remote Buffer Overflow Vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in the TFTP server capability in Cisco IOS 11.1, 11.2, and 11.3 allows remote attackers to cause a denial of service (reset) or modify configuration via a long filename. A problem has been discovered in Cisco IOS and MGX switches that could result in a denial of service, and potential code execution. This overflow results from insufficient bounds checking on requested file names. A request for a file name of 700 or more bytes will result in a crash of the router, and a reboot of the device.
On Cisco MGX switches, the TFTP service will fail but the device will continue to function.
Cisco IOS versions 12.0 and later are not prone to this issue. Cisco has assigned Cisco Bug ID CSCdy03429 to this vulnerability.
Cisco has announced that some MGX switches are also affected by this issue. Cisco routers are widely used Internet routers developed by CISCO, running the Cisco IOS operating system.
| VAR-200212-0097 | CVE-2002-2148 | Lucent router UDP port 9 Information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Lucent Ascend MAX Router 5.0 and earlier, Lucent Ascend Pipeline Router 6.0.2 and earlier and Lucent DSLTerminator allow remote attackers to obtain sensitive information such as hostname, MAC, and IP address of the Ethernet interface via a discard (UDP port 9) packet, which causes the device to leak the information in the response. Several Lucent Router product lines include support for a configuration tool which communicates over UDP on port 9.
If a specially crafted packet is sent to some of these devices on UDP port 9, a response is issued which contains sensitive information. This information may be of aid in further attacks against the network or device.
| VAR-200304-0096 | CVE-2002-1426 | HP ProCurve Switch write specific SNMP Branch Remote Denial of Service Attack Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
HP ProCurve Switch 4000M C.07.23 allows remote attackers to cause a denial of service (crash) via an SNMP write request containing 85 characters, possibly triggering a buffer overflow. HP ProCurve 4000M Switch is a high-performance switch issued by HP.
The HP ProCurve 4000M switch has a problem handling a write to a certain SNMP variable. A remote attacker can use this vulnerability to conduct a denial of service attack against the switch.
| VAR-200210-0229 | CVE-2002-1076 | IPSwitch IMail Web Messaging Daemon HTTP GET Remote buffer overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in the Web Messaging daemon for Ipswitch IMail before 7.12 allows remote attackers to execute arbitrary code via a long HTTP GET request for HTTP/1.0. IMail is a commercial email server software package distributed and maintained by Ipswitch, Incorporated. IMail is available for Microsoft Operating Systems.
The web messaging server is vulnerable to a buffer overflow. When the server receives a request for HTTP version 1.0, and the total request is 96 bytes or greater, a buffer overflow occurs. This could result in the execution of attacker-supplied instructions, and potentially allow an attacker to gain local access.
** Ipswitch has reported they are unable to reproduce this issue. In addition, Ipswitch has stated that the supplied, third party patch may in fact open additional vulnerabilities in the product. Ipswitch suggests that users do not apply the supplied patch. IMail's Web Messaging daemon lacks proper parameter checks when processing HTTP/1.0 GET requests. Remote attackers can exploit this vulnerability to perform buffer overflow attacks.
| VAR-200212-0801 | CVE-2002-2326 | Apple MacOS iDisk Mail.APP Default configuration password leak vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The default configuration of Mail.app in Mac OS X 10.0 through 10.0.4 and 10.1 through 10.1.5 sends iDisk authentication credentials in cleartext when connecting to Mac.com, which could allow remote attackers to obtain passwords by sniffing network traffic.
The iDisk service password is also used by the Mac.com service. Users of both services can use Mail.app to retrieve mail from Mac.com. Authentication credentials for the iDisk service are sent using HTTPS over WebDAV, which ensures that the communications between client and server are encrypted. However, Mail.app does not appear to use the same security measure by default when communicating with Mac.com. While Mail.app can be configured to communicate with mail servers using SSL, this option does not appear to be enabled in the default Mail.app configuration. STARTTLS is supported on the server-side by Mac.com.
An attacker may potentially take advantage of this exposure to gain unauthorized access to both Mac.com and iDisk, since the credentials are shared between the two services.
| VAR-200207-0043 | CVE-2002-0680 | GoAhead Web Server Directory traversal vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in GoAhead Web Server 2.1 allows remote attackers to read arbitrary files via a URL with an encoded / (%5C) in a .. (dot dot) sequence. NOTE: it is highly likely that this candidate will be REJECTED because it has been reported to be a duplicate of CVE-2001-0228. GoAhead WebServer is prone to a directory traversal vulnerability.
| VAR-200207-0051 | CVE-2002-0663 | Symantec Norton Personal Firewall/Internet Security 2001 Remote buffer overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in HTTP Proxy for Symantec Norton Personal Internet Firewall 3.0.4.91 and Norton Internet Security 2001 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large outgoing HTTP request. The condition is reportedly due to an inability to handle large requests.
The overflow occurs in kernel memory. It may be possible to execute arbitrary code in this context to compromise the system. The HTTP proxy component included in NPIF lacks correct buffer boundary checks when handling very long hostnames. Remote attackers can exploit this vulnerability to perform buffer overflow attacks. An attacker could reach the vulnerable code by sending requests to NPIF's HTTP proxy over an internal connection, by sending a malicious email attachment, or by inducing the user to connect to a malicious web site that delivers the code.
| VAR-200207-0044 | CVE-2002-0681 | GoAhead WebServer Error page bypassing site scripting vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cross-site scripting vulnerability in GoAhead Web Server 2.1 allows remote attackers to execute script as other web users via script in a URL that generates a "404 not found" message, which does not quote the script. A vulnerability has been reported for GoAhead WebServer 2.1. Reportedly, it is possible for attackers to launch cross site scripting attacks against vulnerable systems.
GoAhead WebServer includes the unsanitized requested URL when displaying a 404 error page. An attacker may be able to trick a user into following a link which includes malicious script code, which then executes in the user's browser.
| VAR-200210-0124 | CVE-2002-1046 | WatchGuard Firebox Dynamic VPN Configuration Protocol Remote Denial of Service Attack Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Dynamic VPN Configuration Protocol service (DVCP) in Watchguard Firebox firmware 5.x.x allows remote attackers to cause a denial of service (crash) via a malformed packet containing tab characters to TCP port 4110. A denial of service vulnerability has been reported for WatchGuard Firebox firmware versions 5.x.x. The vulnerability occurs in the DVCP service. WatchGuard Firebox is a firewall for small and medium-sized business offices produced by WatchGuard in the United States. The DVCP protocol is used by the WatchGuard Firebox system to transmit IPSec VPN configuration information between client and server. The firewall must be restarted before the DVCP service can be used again.
| VAR-200207-0061 | CVE-2002-0676 | MacOS X SoftwareUpdate Any package installation vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SoftwareUpdate for MacOS 10.1.x does not use authentication when downloading a software update, which could allow remote attackers to execute arbitrary code by posing as the Apple update server via techniques such as DNS spoofing or cache poisoning, and supplying Trojan Horse updates. A vulnerability has been reported for MacOS X where an attacker may use SoftwareUpdate to install malicious software on the vulnerable system. SoftwareUpdate uses HTTP, without any authentication, to obtain updates from Apple. Any updated packages are installed on the system as the root user.
In order to exploit this vulnerability, the attacker must control the machine located at swquery.apple.com, from the perspective of the vulnerable client. It may be possible to create this condition through some known techniques, including DNS cache poisoning and DNS spoofing.
| VAR-200312-0020 | CVE-2003-1320 | Multiple vendors' Internet Key Exchange (IKE) implementations do not properly handle IKE response packets |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
SonicWALL firmware before 6.4.0.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted Internet Key Exchange (IKE) response packets, possibly including (1) a large Security Parameter Index (SPI) field, (2) a large number of payloads, or (3) a long payload. Internet Key Exchange (IKE) implementations from several vendors contain buffer overflows and denial-of-service conditions. The buffer overflow vulnerabilities could permit an attacker to execute arbitrary code on a vulnerable system. SonicWALL Firmware is prone to a denial-of-service vulnerability. This is reported to cause the daemon to crash.
This issue may be related to the multiple IKE implementation vulnerabilities described in CERT/CC Vulnerability Note VU#287771.
Other vendor products are reported to be affected by similar issues. There are currently not enough details available to determine if PGPFreeware is affected by any of these specific issues.
This issue was reported in PGPFreeware 7.03 running on Windows NT 4.0 SP6. The Cisco VPN Client is prone to a remotely exploitable buffer overflow condition. It is possible to trigger this condition by sending malformed IKE packets to the client. The overflow occurs when the Security Parameter Index payload of the IKE packet is longer than 16 bytes in length. It is possible that exploitation of this vulnerability may affect availability of the client, resulting in a denial of service condition.
This issue is reported to be exploitable when the client software is operating in Aggressive Mode during a phase 1 IKE exchange.
This vulnerability affects versions of the client on all platforms.
When vulnerable clients receive a specific IKE packet with a zero length payload, the VPN client will consume all available processor time. Previous versions of SonicWALL firmware were vulnerable.
| VAR-200209-0033 | CVE-2002-0853 | Multiple vendors' Internet Key Exchange (IKE) implementations do not properly handle IKE response packets |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Virtual Private Network (VPN) Client 3.5.4 and earlier allows remote attackers to cause a denial of service (CPU consumption) via a packet with a zero-length payload. Internet Key Exchange (IKE) implementations from several vendors contain buffer overflows and denial-of-service conditions. The buffer overflow vulnerabilities could permit an attacker to execute arbitrary code on a vulnerable system. This is reported to cause the daemon to crash.
This issue may be related to the multiple IKE implementation vulnerabilities described in CERT/CC Vulnerability Note VU#287771.
Other vendor products are reported to be affected by similar issues. There are currently not enough details available to determine if PGPFreeware is affected by any of these specific issues.
This issue was reported in PGPFreeware 7.03 running on Windows NT 4.0 SP6. The Cisco VPN Client is prone to a remotely exploitable buffer overflow condition. It is possible to trigger this condition by sending malformed IKE packets to the client. The overflow occurs when the Security Parameter Index payload of the IKE packet is longer than 16 bytes in length. It is possible that exploitation of this vulnerability may affect availability of the client, resulting in a denial of service condition.
This issue is reported to be exploitable when the client software is operating in Aggressive Mode during a phase 1 IKE exchange.
This vulnerability affects versions of the client on all platforms.
When vulnerable clients receive a specific IKE packet with a zero length payload, the VPN client will consume all available processor time. The Cisco bug ID for these vulnerabilities is CSCdy26045.
| VAR-200212-0850 | CVE-2002-2223 | Multiple vendors' Internet Key Exchange (IKE) implementations do not properly handle IKE response packets |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Buffer overflow in NetScreen-Remote 8.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted Internet Key Exchange (IKE) response packets, possibly including (1) a large Security Parameter Index (SPI) field, (2) large number of payloads, or (3) a long payload. Internet Key Exchange (IKE) implementations from several vendors contain buffer overflows and denial-of-service conditions. The buffer overflow vulnerabilities could permit an attacker to execute arbitrary code on a vulnerable system. This is reported to cause the daemon to crash.
This issue may be related to the multiple IKE implementation vulnerabilities described in CERT/CC Vulnerability Note VU#287771.
Other vendor products are reported to be affected by similar issues. There are currently not enough details available to determine if PGPFreeware is affected by any of these specific issues.
This issue was reported in PGPFreeware 7.03 running on Windows NT 4.0 SP6. The Cisco VPN Client is prone to a remotely exploitable buffer overflow condition. It is possible to trigger this condition by sending malformed IKE packets to the client. The overflow occurs when the Security Parameter Index payload of the IKE packet is longer than 16 bytes in length. It is possible that exploitation of this vulnerability may affect availability of the client, resulting in a denial of service condition.
This issue is reported to be exploitable when the client software is operating in Aggressive Mode during a phase 1 IKE exchange.
This vulnerability affects versions of the client on all platforms.
When vulnerable clients receive a specific IKE packet with a zero length payload, the VPN client will consume all available processor time. Link: http://www.netscreen.com/support/alerts/9_6_02.htm
| VAR-200210-0084 | CVE-2002-0952 | Sun Solaris rcp Command Line Parameter Local Buffer Overflow Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco ONS15454 optical transport platform running ONS 3.1.0 to 3.2.0 allows remote attackers to cause a denial of service (reset) by sending IP packets with non-zero Type of Service (TOS) bits to the Timing Control Card (TCC) LAN interface. The ONS15454 is an optical network platform manufactured and distributed by Cisco.
Under some circumstances, it may be possible to stop the ONS15454 from handling traffic. The receipt of this type of packet via the TCC interface causes the reset of the TCC interface. Solaris 9 is a UNIX operating system developed by Sun, which includes the rcp program for remote copying between hosts. The rcp program does not perform correct boundary checks when processing argument data submitted by users. Local attackers can exploit this vulnerability to carry out buffer overflow attacks. rcp does not correctly handle very long command-line arguments: passing a file name of more than 10,000 bytes, together with the destination host name and destination file name, as arguments to rcp may cause a buffer overflow. Because rcp is installed setuid root, carefully constructed argument data may allow an attacker to execute arbitrary instructions on the system with root privileges.
| VAR-200212-0581 | CVE-2002-1706 | Cable Modem Termination System Vulnerability where configuration files with invalid parameters are applied |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Cisco IOS software 11.3 through 12.2 running on Cisco uBR7200 and uBR7100 series Universal Broadband Routers allows remote attackers to modify Data Over Cable Service Interface Specification (DOCSIS) settings via a DOCSIS file without a Message Integrity Check (MIC) signature, which is approved by the router. Because of a deficiency in the CMTS implementation running on Cisco IOS, the Cisco uBR7100 and uBR7200 may apply a configuration file containing invalid parameters. A vulnerability has been announced which affects Cisco uBR7200 series and uBR7100 series Universal Broadband Routers under some versions of IOS.
Invalid DOCSIS files without an MIC signature may be accepted by a vulnerable router, even if MIC signatures are required. Exploitation of this vulnerability may allow arbitrary configuration files to be accepted by the network. Even if the router configuration requires MIC signatures, it may incorrectly accept illegal DOCSIS configuration files; an attacker could exploit this to reconfigure the router, remove bandwidth restrictions, or perform other unauthorized operations.
| VAR-200212-0249 | CVE-2002-2020 | NetGear RP114 manages access vulnerability through external interface |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Netgear RP114 Cable/DSL Web Safe Router Firmware 3.26 uses a default administrator password and accepts admin logins on the external interface, which allows remote attackers to gain privileges if the password is not changed. The NetGear RP114 router can be managed through TELNET and HTTP.
The NetGear RP114 router has a vulnerability in how it restricts access to the management interface. A remote attacker could use this vulnerability to reach the management services from the external interface.
The NetGear RP114 router uses 192.168.0.1 as its local management address, and access to the management tools is intended to be limited to that address. However, the router accepts management connections from any source address in the 192.168.x.x range. An attacker who has the authentication information can therefore access the management tool from the external interface to reconfigure the device or carry out illegal activities such as denial of service attacks.
| VAR-200212-0577 | CVE-2002-1702 | PHP Classifieds Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting vulnerability (XSS) in DeltaScripts PHP Classifieds 6.0.5 allows remote attackers to execute arbitrary script as other users via the URL parameter. PHP Classifieds is a web-based directory classification program written in PHP.
PHP Classifieds lacks proper and sufficient filtering of the parameters submitted by users. An attacker can construct a link whose URL parameter contains malicious code; when a user views this link, the embedded script executes in the user's browser, which can leak cookie-based authentication information.