VARIoT IoT vulnerabilities database
| VAR-200204-0025 | CVE-2002-0160 | Cisco Secure Access Control Server (ACS) Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The administration function in Cisco Secure Access Control Server (ACS) for Windows, 2.6.x and earlier and 3.x through 3.01 (build 40), allows remote attackers to read HTML, Java class, and image files outside the web root via a ..\.. (modified ..) in the URL to port 2002
| VAR-200208-0113 | CVE-2002-0748 | LabVIEW Web Server Service denial vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
LabVIEW Web Server 5.1.1 through 6.1 allows remote attackers to cause a denial of service (crash) via an HTTP GET request that ends in two newline characters, instead of the expected carriage return/newline combinations. A vulnerability has been reported in some versions of National Instruments LabVIEW for Linux and Microsoft Windows.
LabVIEW includes an integrated HTTP server. If a malformed HTTP request is received, it is possible to crash the LabVIEW Web Server and LabVIEW itself. This condition occurs when an HTTP GET request is received and terminated with two new line characters, as opposed to the compliant carriage return / new line combination
| VAR-200207-0082 | CVE-2002-0538 | Symantec Raptor / Enterprise Firewall FTP bounce attack vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
FTP proxy in Symantec Raptor Firewall 6.5.3 and Enterprise 7.0 rewrites an FTP server's "FTP PORT" responses in a way that allows remote attackers to redirect FTP data connections to arbitrary ports, a variant of the "FTP bounce" vulnerability. Raptor Firewall is an enterprise level firewall originally developed by Axent Technologies and is maintained and distributed by Symantec. Symantec Enterprise Firewall is formerly known as Raptor firewall. It is available for Microsoft Windows and Unix operating systems. As a result, if the attacker can authenticate with the FTP server (anonymously or otherwise), then it is possible to cause the FTP server to make a connection to an arbitrary host.
It should be noted that affected firewall implementations disable FTP PORT connections to ports below 1024.
Symantec has reported that Enterprise Firewall V7.0 for Solaris is also vulnerable to this issue
| VAR-200212-0450 | CVE-2002-1779 | Symantec Norton Personal Firewall 2002 Packet fragmentation vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The "block fragmented IP Packets" option in Symantec Norton Personal Firewall 2002 (NPW) does not properly protect against certain attacks on Windows vulnerabilities such as jolt2 (CVE-2000-0305).
It has been reported that NPW may not adequately filter packet fragments. In particular, denial of service attacks based on fragmented packets have been reported to work effectively against systems protected by NPW. This may happen even if the attacking address is entirely blocked from the system.
These issues have not been confirmed
| VAR-200212-0449 | CVE-2002-1778 | Symantec Norton Personal Firewall 2002 Security hole |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Symantec Norton Personal Firewall 2002 allows remote attackers to bypass the portscan protection by using a (1) SYN/FIN, (2) SYN/FIN/URG, (3) SYN/FIN/PUSH, or (4) SYN/FIN/URG/PUSH scan. Symantec Norton Personal Firewall 2002 (NPW) is a firewall solution for home and small office machines based on some versions of the Microsoft Windows operating systems. It has a variety of features, including the ability to detect and dynamically block portscans.
An issue has been reported with the manner in which Personal Firewall 2002 handles portscans. Reportedly, only SYN scans are detected. An attacker may scan with a variety of other methods, including SYN/FIN packets and evade the protective features of NPW.
This issue may affect Norton Internet Security 2002; however, this has not been confirmed
| VAR-200212-0467 | CVE-2002-1744 | Microsoft IIS CodeBrws.asp directory traversal vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in CodeBrws.asp in Microsoft IIS 5.0 allows remote attackers to view source code and determine the existence of arbitrary files via a hex-encoded "%c0%ae%c0%ae" string, which is the Unicode representation for ".." (dot dot). ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that it also contains information about vulnerabilities other than the one in the title. ------------ Microsoft IIS 5.0 has a problem that discloses the source of files. Microsoft IIS 5.0 contains sample files for demonstration purposes. These demonstration sample files (.asp, .inc, .htm, .html and so on) exist under the web root directory. One of the sample programs used by the IIS 5.0 Internet Service Manager is a file called codebrws.asp. Because codebrws.asp has a flaw in its handling of Unicode characters in the URL, an attacker may be able to use this file to obtain the source of files that exist under the web root directory. The source that can be obtained is limited to files with the extensions .html, .htm, .asp and .inc. In the default IIS 5.0 configuration codebrws.asp cannot be accessed remotely, so only local attacks will succeed unless the setting is intentionally changed. Please refer to the "Overview" for the impact of this vulnerability. However, this script (CodeBrws.asp) does not adequately filter Unicode representations of directory traversals. For example, an attacker can break out of the sample script directory by substituting '%c0%ae%c0%ae' for '..' in a dot-dot-slash directory traversal attack.
It has been demonstrated that this issue may be exploited to map out the directory structure of the filesystem on a host running the vulnerable script. This may allow an attacker to view, for example, .aspx files used by the .NET architecture.
If used in conjunction with the issues discussed in BID 4525, this may expose files outside of the sample script directory
| VAR-200212-0468 | CVE-2002-1745 | Microsoft IIS CodeBrws.asp off-by-one error vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Off-by-one error in the CodeBrws.asp sample script in Microsoft IIS 5.0 allows remote attackers to view the source code for files with extensions containing one additional character after .html, .htm, .asp, or .inc, such as .aspx files. ------------ This vulnerability information is a comprehensive explanation of multiple vulnerabilities that were published at the same time. Please note that it also contains information about vulnerabilities other than the one in the title. ------------ Microsoft IIS 5.0 has a problem that discloses the source of files. Microsoft IIS 5.0 has sample files installed for demonstration purposes. One of the sample programs used by the IIS 5.0 Internet Service Manager is a file called codebrws.asp. Due to a flaw in the handling of Unicode characters in this file, an attacker could potentially use it to obtain the source of files located under the web root directory. In the default IIS 5.0 configuration codebrws.asp cannot be accessed remotely, so only local attacks will succeed unless the settings are intentionally changed. Please refer to the "Overview" for the impact of this vulnerability. However, this script (CodeBrws.asp) does not adequately filter Unicode representations of directory traversals. For example, an attacker can break out of the sample script directory by substituting '%c0%ae%c0%ae' for '..' in a dot-dot-slash directory traversal attack.
It has been demonstrated that this issue may be exploited to map out the directory structure of the filesystem on a host running the vulnerable script. However, a flaw exists which will allow an additional character to be added to the file extension. This may allow an attacker to view, for example, .aspx files used by the .NET architecture.
If used in conjunction with the issues discussed in BID 4525, this may expose files outside of the sample script directory
| VAR-200207-0084 | CVE-2002-0540 | Nortel Networks CVX 1800 discloses privileged information |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Nortel CVX 1800 is installed with a default "public" community string, which allows remote attackers to read usernames and passwords and modify the CVX configuration. The Nortel Networks CVX 1800 Multi-Service Access Switch discloses privileged information.
The device contains a default SNMP community string of "public", which may allow a remote attacker to gain access to sensitive information such as authentication credentials for local accounts on the device, network infrastructure information, etc. The Nortel CVX 1800 multi-service access gateway device has a default SNMP community string of "public". Remote attackers can use this community string to obtain sensitive system information such as passwords and network structure. According to the test, the attacker can obtain the username and password information for accessing the Telnet service. An attacker can use the route command or view the gateway to obtain the IP address of the Nortel CVX 1800 multi-service access gateway
| VAR-200208-0171 | CVE-2002-0528 | WatchGuard SOHO Firewall IP restriction rule loss vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Watchguard SOHO firewall 5.0.35 unpredictably disables certain IP restrictions for customized services that were set before the administrator upgrades to 5.0.35, which could allow remote attackers to bypass the intended access control rules. SoHo firewall is a hardware firewall solution distributed and maintained by WatchGuard.
A problem introduced into the 5.0.35 firmware causes the dropping of arbitrary firewall rules. When a user configures IP restrictions on certain IP addresses, the firewall may drop restriction entries arbitrarily. This could allow a remote user unintended access to a supposedly secure network
| VAR-200204-0012 | CVE-2002-0079 | Microsoft Internet Information Server (IIS) 4.0 and 5.0 buffer overflow in chunked encoding transfer mechanism for ASP |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code.
This condition affects IIS 4.0 and IIS 5.0. Exploitation of this vulnerability may result in a denial of service or allow for a remote attacker to execute arbitrary instructions on the victim host.
Microsoft IIS 5.0 is reported to ship with a default script (iisstart.asp) which may be sufficient for a remote attacker to exploit. Other sample scripts may also be exploitable.
A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves
| VAR-200204-0009 | CVE-2002-0073 | Microsoft Internet Information Server (IIS) vulnerable to DoS via malformed FTP connection status request |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters. A vulnerability in IIS could allow an intruder to disrupt ordinary operations of both FTP and Web services on vulnerable IIS servers.
The condition is present when a request for the FTP transfer status is made via the STAT command. A client issuing this command with a large number of file globbing characters as the argument may cause the service to crash.
On IIS 4.0 servers, the service must be manually restarted. On IIS 5.0 and 5.1 servers, the service will restart itself automatically.
A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves
| VAR-200204-0011 | CVE-2002-0075 | Microsoft Internet Information Server (IIS) contains cross-site scripting vulnerability in IIS Help Files search facility |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect ("302 Object Moved") message. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that it also contains information about vulnerabilities other than the one in the title. ------------ Microsoft IIS 4.0/5.0/5.1 has problems that can lead to cross-site scripting. There are the following three problems. * The search results page of the IIS help file does not properly convert the metacharacters contained in the request sent by the client. * As part of the "404 not found" error page, the metacharacters included in the request from the client are sent back to the client without conversion. * If a browser other than Internet Explorer is used, the metacharacters contained in the request from the client are sent back to the client without conversion as part of the "302 Object Moved" error page. A cross-site scripting issue exists in some versions of IIS. The HTTP error page created by IIS may, under some circumstances, contain HTML content which includes unsanitized user-supplied input.
An attacker may construct a link to a vulnerable server such that it exploits this vulnerability. When an innocent user follows this link, the script code will be reproduced by the server, and execute within the context of the vulnerable site. This may result in the exposure of sensitive data and cookie information, or allow the attacker to subvert the content and functionality of the site.
It has been reported that this issue may be exploited to steal cookie-based authentication credentials from users of a number of Microsoft domains/services (such as hotmail, passport, etc.).
A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves
| VAR-200204-0010 | CVE-2002-0074 | Microsoft Internet Information Server (IIS) contains cross-site scripting vulnerability in IIS Help Files search facility |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cross-site scripting vulnerability in Help File search facility for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to embed scripts into another user's session. Visitors to web sites that use Microsoft IIS and also issue redirect response messages are vulnerable to cross-site scripting attacks. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that it also contains information about vulnerabilities other than the one in the title. ------------ Microsoft IIS 4.0/5.0/5.1 has problems that can lead to cross-site scripting. There are the following three problems. * The search results page of the IIS help file does not properly convert the metacharacters contained in the request sent by the client. * As part of the "404 not found" error page, the metacharacters included in the request from the client are sent back to the client without conversion. * If a browser other than Internet Explorer is used, the metacharacters contained in the request from the client are sent back to the client without conversion as part of the "302 Object Moved" error page. A cross-site scripting issue exists in some versions of IIS. The HTTP error page created by IIS may, under some circumstances, contain HTML content which includes unsanitized user-supplied input.
An attacker may construct a link to a vulnerable server such that it exploits this vulnerability. When an innocent user follows this link, the script code will be reproduced by the server, and execute within the context of the vulnerable site. This may result in the exposure of sensitive data and cookie information, or allow the attacker to subvert the content and functionality of the site.
It has been reported that this issue may be exploited to steal cookie-based authentication credentials from users of a number of Microsoft domains/services (such as hotmail, passport, etc.).
A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves
| VAR-200204-0019 | CVE-2002-0150 | Microsoft Internet Information Server (IIS) vulnerable to buffer overflow via inaccurate checking of delimiters in HTTP header fields |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values. A buffer overflow in IIS could allow an intruder to execute arbitrary code with the privileges of the ASP ISAPI extension. A buffer overflow related to the processing of request header fields has been reported for Microsoft IIS (Internet Information Services).
This problem is related to the interpretation of HTTP header field delimiters. This vulnerability affects IIS 4.0, IIS 5.0 and IIS 5.1.
Exploitation of this vulnerability may result in a denial of service or allow for a remote attacker to execute arbitrary instructions on the victim host.
A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves
| VAR-200204-0018 | CVE-2002-0149 | Microsoft Internet Information Server (IIS) buffer overflow in server-side includes (SSI) containing long invalid file name |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names.
A condition exists that may allow for an existing bounds check on potentially user-supplied input to be bypassed, resulting in a potential buffer overflow. This condition affects IIS 4.0, IIS 5.0 and IIS 5.1. Exploitation requires that the attacker can influence when and how the file is included.
Exploitation of this vulnerability may result in a denial of service or allow for a remote attacker to execute arbitrary instructions on the victim host.
A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves
| VAR-200204-0016 | CVE-2002-0147 | Microsoft Internet Information Server (IIS) 4.0 and 5.0 buffer overflow in chunked encoding transfer mechanism for ASP |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun".
This condition affects IIS 4.0 and IIS 5.0. Exploitation of this vulnerability may result in a denial of service or allow for a remote attacker to execute arbitrary instructions on the victim host.
Microsoft IIS 5.0 is reported to ship with a default script (iisstart.asp) which may be sufficient for a remote attacker to exploit. Other sample scripts may also be exploitable.
A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves
| VAR-200204-0007 | CVE-2002-0071 | Microsoft Internet Information Server (IIS) vulnerable to heap overflow during processing of crafted ".htr" request by "ISM.DLL" ISAPI filter |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names. Microsoft IIS processes HTR requests incorrectly, and there is a vulnerability in which receiving an invalid HTR request causes an overflow in the heap area. Arbitrary code may be executed with the execution privileges of ISM.DLL.
This condition affects IIS 4.0, IIS 5.0 and may be effectively mitigated by disabling the extension.
Exploitation of this vulnerability may result in a denial of service or allow for a remote attacker to execute arbitrary instructions on the victim host.
A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves
| VAR-200204-0008 | CVE-2002-0072 | Microsoft Internet Information Server (IIS) vulnerable to DoS when URL request exceeds maximum allowed length |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The w3svc.dll ISAPI filter in Front Page Server Extensions and ASP.NET for Internet Information Server (IIS) 4.0, 5.0, and 5.1 does not properly handle the error condition when a long URL is provided, which allows remote attackers to cause a denial of service (crash) when the URL parser accesses a null pointer. Intruders may be able to cause the IIS service to fail by sending a particular kind of overly-long URL. A vulnerability has been identified in the way Microsoft Internet Information Server handles URL errors. The ISAPI filter involved in this vulnerability is installed by Front Page Server Extensions and ASP.NET.
On IIS 4.0 servers, the service must be manually restarted. On IIS 5.0 and 5.1 servers, the service will restart itself automatically.
Custom ISAPI filters may also be affected by this condition.
A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves
| VAR-200204-0017 | CVE-2002-0148 | Microsoft Internet Information Server (IIS) contains cross-site scripting vulnerability in IIS Help Files search facility |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page. Visitors to web sites that use Microsoft IIS and also issue redirect response messages are vulnerable to cross-site scripting attacks. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that it also contains information about vulnerabilities other than the one in the title. ------------ Microsoft IIS 4.0/5.0/5.1 has problems that can lead to cross-site scripting. There are the following three problems. * The search results page of the IIS help file does not properly convert the metacharacters contained in the request sent by the client. * As part of the "404 not found" error page, the metacharacters included in the request from the client are sent back to the client without conversion. * If a browser other than Internet Explorer is used, the metacharacters contained in the request from the client are sent back to the client without conversion as part of the "302 Object Moved" error page. A cross-site scripting issue exists in some versions of IIS. The HTTP error page created by IIS may, under some circumstances, contain HTML content which includes unsanitized user-supplied input.
An attacker may construct a link to a vulnerable server such that it exploits this vulnerability. When an innocent user follows this link, the script code will be reproduced by the server, and execute within the context of the vulnerable site. This may result in the exposure of sensitive data and cookie information, or allow the attacker to subvert the content and functionality of the site.
It has been reported that this issue may be exploited to steal cookie-based authentication credentials from users of a number of Microsoft domains/services (such as hotmail, passport, etc.).
A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves
| VAR-200207-0089 | CVE-2002-0545 | Cisco Aironet Telnet authentication denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Aironet before 11.21 with Telnet enabled allows remote attackers to cause a denial of service (reboot) via a series of login attempts with invalid usernames and passwords. The Cisco Aironet product family provides wireless LAN (WLAN) support for a wide range of applications.
A vulnerability has been reported in some Aironet products. If telnet access to the device is enabled, an attacker is able to cause the device to reboot. Authentication is not required, although it must be supported. This vulnerability cannot be triggered through the web interface