Drupal Team reports:
The Contact module does not correctly handle certain user input when displaying category information. Users privileged to create contact categories can insert arbitrary HTML and script code into the contact module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access.
The Menu module does not correctly handle certain user input when displaying the menu administration overview. Users privileged to create new menus can insert arbitrary HTML and script code into the menu module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access.
Denis Barov reports:
sysutils/fuser allows a user to send any signal to any process when installed with the suid bit.
Census Labs reports:
We have discovered a remotely exploitable "improper input validation" vulnerability in the Monkey web server that allows an attacker to perform denial of service attacks by repeatedly crashing worker threads that process HTTP requests.
PHP developers report:
This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release.
Security Enhancements and Fixes in PHP 5.2.12:
- Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (CVE-2009-3557, Rasmus)
- Fixed an open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus)
- Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion, identified by Bogdan Calin. (CVE-2009-4017, Ilia)
- Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check, identified by Stefan Esser. (CVE-2009-4143, Stas)
- Fixed bug #49785 (insufficient input string validation of htmlspecialchars()). (CVE-2009-4142, Moriyoshi, hello at iwamot dot com)
PostgreSQL project reports:
PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based PostgreSQL servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended client-hostname restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly manage session-local state during execution of an index function by a database superuser, which allows remote authenticated users to gain privileges via a table with crafted index functions, as demonstrated by functions that modify (1) search_path or (2) a prepared statement, a related issue to CVE-2007-6600 and CVE-2009-3230.
SecurityFocus reports:
TPTEST is prone to a remote stack-based buffer-overflow vulnerability. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
Mozilla Project reports:
MFSA 2009-71 GeckoActiveXObject exception messages can be used to enumerate installed COM objects
MFSA 2009-70 Privilege escalation via chrome window.opener
MFSA 2009-69 Location bar spoofing vulnerabilities
MFSA 2009-68 NTLM reflection vulnerability
MFSA 2009-67 Integer overflow, crash in libtheora video library
MFSA 2009-66 Memory safety fixes in liboggplay media library
MFSA 2009-65 Crashes with evidence of memory corruption (rv:1.9.1.6/ 1.9.0.16)
freeRADIUS Vulnerability Notifications reports:
2009.09.09 v1.1.7 - Anyone who can send packets to the server can crash it by sending a Tunnel-Password attribute in an Access-Request packet. This vulnerability is not otherwise exploitable. We have released 1.1.8 to correct this vulnerability.
This issue is similar to the previous Tunnel-Password issue noted below. The vulnerable versions are 1.1.3 through 1.1.7. Version 2.x is not affected.
Secunia reports:
Russ McRee has discovered some vulnerabilities in Pligg, which can be exploited by malicious people to conduct cross-site scripting and request forgery attacks.
Input passed via the "Referer" HTTP header to various scripts (e.g. admin/admin_config.php, admin/admin_modules.php, delete.php, editlink.php, submit.php, submit_groups.php, user_add_remove_links.php, and user_settings.php) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. create an arbitrary user with administrative privileges if a logged-in administrative user visits a malicious web site.
Secunia reports:
Stefan Esser has reported a vulnerability in Piwik, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to the core/Cookie.php script using "unserialize()" with user controlled input. This can be exploited to e.g. execute arbitrary PHP code via the "__wakeup()" or "__destruct()" methods of a serialized object passed via an HTTP cookie.
Dovecot author reports:
Dovecot v1.2.x had been creating base_dir (and its parents if necessary) with 0777 permissions. The base_dir's permissions get changed to 0755 automatically at startup, but you may need to chmod the parent directories manually.
Adobe Product Security Incident Response Team reports:
Critical vulnerabilities have been identified in Adobe Flash Player version 10.0.32.18 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.
The official ruby site reports:
There is a heap overflow vulnerability in String#ljust, String#center and String#rjust. This has allowed an attacker to run arbitrary code in some rare cases.
Secunia reports:
A vulnerability has been reported in RT, which can be exploited by malicious people to conduct session fixation attacks. The vulnerability is caused due to an error in the handling of sessions and can be exploited to hijack another user's session by tricking the user into logging in after following a specially crafted link.
CVE reports:
The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read.
CVE reports:
The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c.
Opera Team reports:
- Fixed a heap buffer overflow in string to number conversion
- Fixed an issue where error messages could leak onto unrelated sites
- Fixed a moderately severe issue, as reported by Chris Evans of the Google Security Team; details will be disclosed at a later date.
Secunia.com
Do not attempt to load an unqualified module.la file from the current directory (by default) since doing so is insecure and is not compliant with the documentation.
The Ubuntu security team reports:
It was discovered that libvorbis did not correctly handle certain malformed vorbis files. If a user were tricked into opening a specially crafted vorbis file with an application that uses libvorbis, an attacker could cause a denial of service or possibly execute arbitrary code with the user's privileges.
A Bugzilla Security Advisory reports:
When a bug is in a group, none of its information (other than its status and resolution) should be visible to users outside that group. It was discovered that as of 3.3.2, Bugzilla was showing the alias of the bug (a very short string used as a shortcut for looking up the bug) to users outside of the group, if the protected bug ended up in the "Depends On" or "Blocks" list of any other bug.
The cacti development team reports:
The Cross-Site Scripting patch has been posted.
This patch addresses cross-site scripting issues reported by Moritz Naumann.
Secunia reports:
The security issue is caused due to the wp_check_filetype() function in /wp-includes/functions.php improperly validating uploaded files. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script with multiple extensions.
Successful exploitation of this vulnerability requires that Apache is not configured to handle the mime-type for media files with an e.g. "gif", "jpg", "png", "tif", "wmv" extension.
Input passed via certain parameters to press-this.php is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.
CVE reports:
The decode_entities function in util.c in HTML-Parser before 3.63 allows context-dependent attackers to cause a denial of service (infinite loop) via an incomplete SGML numeric character reference, which triggers generation of an invalid UTF-8 character.
CVE reports:
The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293.
TYPO3 development team reports:
Affected versions: TYPO3 versions 4.0.13 and below, 4.1.12 and below, 4.2.9 and below, 4.3.0beta1 and below.
SQL injection, Cross-site scripting (XSS), Information disclosure, Frame hijacking, Remote shell command execution and Insecure Install Tool authentication/session handling.
VideoLAN reports:
When parsing an MP4, ASF or AVI file with an overly deep box structure, a stack overflow might occur. It would overwrite the return address and thus redirect the execution flow.
If successful, a malicious third party could trigger execution of arbitrary code within the context of the VLC media player.
oCERT reports:
Ark input sanitization errors: The KDE archiving tool, Ark, performs insufficient validation, which leads to specially crafted archive files, using unknown MIME types, being rendered using a KHTML instance; this can trigger uncontrolled XMLHTTPRequests to remote sites.
IO Slaves input sanitization errors: KDE protocol handlers perform insufficient input validation; an attacker can craft a malicious URI that would trigger JavaScript execution. Additionally, the 'help://' protocol handler suffers from directory traversal. It should be noted that the scope of this issue is limited, as the malicious URIs cannot be embedded in Internet hosted content.
KMail input sanitization errors: The KDE mail client, KMail, performs insufficient validation, which leads to specially crafted email attachments, using unknown MIME types, being rendered using a KHTML instance; this can trigger uncontrolled XMLHTTPRequests to remote sites.
The exploitation of these vulnerabilities is unlikely according to Portcullis and KDE but the execution of active content is nonetheless unexpected and might pose a threat.
Opera Team reports:
- Fixed an issue where certain domain names could allow execution of arbitrary code, as reported by Chris Weber of Casaba Security
- Fixed an issue where scripts can run on the feed subscription page, as reported by Inferno
SecurityFocus reports:
cTorrent and dTorrent are prone to a remote buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
Successful exploits allow remote attackers to execute arbitrary machine code in the context of a vulnerable application. Failed exploit attempts will likely result in denial-of-service conditions.
Mozilla Foundation reports:
MFSA 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15)
MFSA 2009-63 Upgrade media libraries to fix memory safety bugs
MFSA 2009-62 Download filename spoofing with RTL override
MFSA 2009-61 Cross-origin data theft through document.getSelection()
MFSA 2009-59 Heap buffer overflow in string to number conversion
MFSA 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()
MFSA 2009-56 Heap buffer overflow in GIF color map parser
MFSA 2009-55 Crash in proxy auto-configuration regexp parsing
MFSA 2009-54 Crash with recursive web-worker calls
MFSA 2009-53 Local downloaded file tampering
MFSA 2009-52 Form history vulnerable to stealing
SecurityFocus reports:
ELinks is prone to an off-by-one buffer-overflow vulnerability because the application fails to accurately reference the last element of a buffer.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
SquidGuard website reports:
Patch 20091015 fixes one buffer overflow problem in sgLog.c when overlong URLs are requested. SquidGuard will then go into emergency mode where no blocking occurs. This is not required in this situation.
Patch 20091019 fixes two bypass problems with URLs whose length is close to the limit defined by MAX_BUF (default: 4096) in squidGuard and MAX_URL (default: 4096 in squid 2.x and 8192 in squid 3.x) in squid. For this kind of URL the proxy request exceeds MAX_BUF, causing squidGuard to complain about not being able to parse the squid request. Increasing the buffer limit to be higher than the one defined in MAX_URL solves the issue.
SecurityFocus reports:
Some vulnerabilities have been reported in Xpdf, which can be exploited by malicious people to potentially compromise a user's system.
1) Multiple integer overflows in "SplashBitmap::SplashBitmap()" can be exploited to cause heap-based buffer overflows.
2) An integer overflow error in "ObjectStream::ObjectStream()" can be exploited to cause a heap-based buffer overflow.
3) Multiple integer overflows in "Splash::drawImage()" can be exploited to cause heap-based buffer overflows.
4) An integer overflow error in "PSOutputDev::doImageL1Sep()" can be exploited to cause a heap-based buffer overflow when converting a PDF document to a PS file.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code by tricking a user into opening a specially crafted PDF file.
Django project reports:
Django's forms library includes field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in these regular expressions, resulting in the server process/thread becoming unresponsive and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack.
phpMyAdmin Team reports:
Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted MySQL table name.
SQL injection vulnerability allows remote attackers to inject SQL via various interface parameters of the PDF schema generator feature.
Vendor reports:
Security Enhancements and Fixes in PHP 5.2.11:
- Fixed certificate validation inside php_openssl_apply_verification_policy.
- Fixed sanity check for the color index in imagecolortransparent.
- Added missing sanity checks around exif processing.
- Fixed bug #44683 (popen crashes when an invalid mode is passed).
Sun reports:
A security vulnerability in the VBoxNetAdpCtl configuration tool for certain Sun VirtualBox 3.0 packages may allow local unprivileged users who are authorized to run VirtualBox to execute arbitrary commands with root privileges.
Due to the interaction between devfs and VFS, a race condition exists where the kernel might dereference a NULL pointer.
Successful exploitation of the race condition can lead to local kernel privilege escalation, kernel data corruption and/or crash.
To exploit this vulnerability, an attacker must be able to run code with user privileges on the target system.
An errata notice, FreeBSD-EN-09:05.null, has been released simultaneously to this advisory, and contains a kernel patch implementing a workaround for a broader class of vulnerabilities. However, prior to those changes, no workaround is available.
A race condition exists in the pipe close() code relating to kqueues, causing use-after-free for kernel memory, which may lead to an exploitable NULL pointer vulnerability in the kernel, kernel memory corruption, and other unpredictable results.
Successful exploitation of the race condition can lead to local kernel privilege escalation, kernel data corruption and/or crash.
To exploit this vulnerability, an attacker must be able to run code on the target system.
An errata notice, FreeBSD-EN-09:05.null, has been released simultaneously to this advisory, and contains a kernel patch implementing a workaround for a broader class of vulnerabilities. However, prior to those changes, no workaround is available.
MyBB team reports:
Input passed via avatar extensions is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by uploading specially named avatars.
The script allows users to sign up with usernames containing zero width space characters, which can be exploited to e.g. conduct spoofing attacks.
Drupal Team reports:
The core OpenID module does not correctly implement Form API for the form that allows one to link user accounts with OpenID identifiers. A malicious user is therefore able to use cross site request forgeries to add attacker controlled OpenID identities to existing accounts. These OpenID identities can then be used to gain access to the affected accounts.
The OpenID module is not a compliant implementation of the OpenID Authentication 2.0 specification. An implementation error allows a user to access the account of another user when they share the same OpenID 2.0 provider.
File uploads with certain extensions are not correctly processed by the File API. This may lead to the creation of files that are executable by Apache. The .htaccess that is saved into the files directory by Drupal should normally prevent execution. The files are only executable when the server is configured to ignore the directives in the .htaccess file.
Drupal doesn't regenerate the session ID when an anonymous user follows the one time login link used to confirm email addresses and reset forgotten passwords. This enables a malicious user to fix and reuse the session id of a victim under certain circumstances.
Firewall Builder release notes report:
Vadim Kurland (vadim.kurland@fwbuilder.org) reports:
Fwbuilder and libfwbuilder 3.0.4 through to 3.0.6 generate iptables scripts with a security issue when also used to generate static routing configurations.
A Bugzilla Security Advisory reports:
- It is possible to inject raw SQL into the Bugzilla database via the "Bug.create" and "Bug.search" WebService functions.
- When a user would change his password, his new password would be exposed in the URL field of the browser if he logged in right after changing his password.
The Horde team reports:
An error within the form library when handling image form fields can be exploited to overwrite arbitrary local files.
An error exists within the MIME Viewer library when rendering unknown text parts. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site if malicious data is viewed.
The preferences system does not properly sanitise numeric preference types. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
nginx development team reports:
A segmentation fault might occur in a worker process while handling a specially crafted request.
The IkiWiki development team reports:
IkiWiki's teximg plugin's blacklisting of insecure TeX commands is insufficient; it can be bypassed and used to read arbitrary files.
Olly Betts reports:
There's a cross-site scripting issue in Omega - exception messages don't currently get HTML entities escaped, but can contain CGI parameter values in some cases.
Mozilla Foundation reports:
MFSA 2009-51 Chrome privilege escalation with FeedWriter
MFSA 2009-50 Location bar spoofing via tall line-height Unicode characters
MFSA 2009-49 TreeColumns dangling pointer vulnerability
MFSA 2009-48 Insufficient warning for PKCS11 module installation and removal
MFSA 2009-47 Crashes with evidence of memory corruption (rv:1.9.1.3/1.9.0.14)
The Cyrus IMAP Server ChangeLog states:
Fixed CERT VU#336053 - Potential buffer overflow in Sieve.
SILC ChangeLog reports:
An unspecified format string vulnerability exists in silc-toolkit.
Opera Team reports:
- Issue where sites using revoked intermediate certificates might be shown as secure
- Issue where the collapsed address bar didn't show the current domain
- Issue where pages could trick users into uploading files
- Some IDNA characters not correctly displaying in the address bar
- Issue where Opera accepts nulls and invalid wild-cards in certificates
Simon Kelley reports:
Fix a security problem which allowed any host permitted to do TFTP to possibly compromise dnsmasq by remote buffer overflow when TFTP is enabled.
Fix a problem which allowed a malicious TFTP client to crash dnsmasq.
Apache ChangeLog reports:
CVE-2009-1891: Fix a potential Denial-of-Service attack against mod_deflate or other modules.
CVE-2009-1195: Prevent the "Includes" Option from being enabled in an .htaccess file if the AllowOverride restrictions do not permit it.
CVE-2009-1890: Fix a potential Denial-of-Service attack against mod_proxy in a reverse proxy configuration.
CVE-2009-1191: mod_proxy_ajp: Avoid delivering content from a previous request which failed to send a request body.
CVE-2009-0023, CVE-2009-1955, CVE-2009-1956: The bundled copy of the APR-util library has been updated, fixing three different security issues which may affect particular configurations and third-party modules (was already fixed in 2.2.11_5).
Secunia reports:
A vulnerability has been reported in Pidgin, which can be exploited by malicious people to potentially compromise a user's system.
The vulnerability is caused due to an error in the "msn_slplink_process_msg()" function when processing MSN SLP messages and can be exploited to corrupt memory.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in versions 2.5.8 and prior. Other versions may also be affected.
SecurityFocus reports:
GnuTLS is prone to multiple remote vulnerabilities:
- A remote code-execution vulnerability.
- A denial-of-service vulnerability.
- A signature-generation vulnerability.
- A signature-verification vulnerability.
An attacker can exploit these issues to potentially execute arbitrary code, trigger denial-of-service conditions, carry out attacks against data signed with weak signatures, and cause clients to accept expired or invalid certificates from servers.
GnuTLS reports:
By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS into 1) not printing the entire CN/SAN field value when printing a certificate and 2) cause incorrect positive matches when matching a hostname against a certificate.
Secunia reports:
A weakness has been reported in memcached, which can be exploited by malicious people to disclose system information.
The weakness is caused due to the application disclosing the content of /proc/self/maps if a stats maps command is received. This can be exploited to disclose e.g. the addresses of allocated memory regions.
WordPress reports:
A specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner.
Matthias Andree reports:
Moxie Marlinspike demonstrated in July 2009 that some CAs would sign certificates that contain embedded NUL characters in the Common Name or subjectAltName fields of ITU-T X.509 certificates.
Applications that would treat such X.509 strings as NUL-terminated C strings (rather than strings that contain an explicit length field) would only check the part up to and excluding the NUL character, so that certificate names such as www.good.example\0www.bad.example.com would be mistaken for a certificate name for www.good.example. fetchmail also had this design and implementation flaw.
Joomla! Security Center reports:
In com_mailto, it was possible to bypass timeout protection against sending automated emails.
A Subversion Security Advisory reports:
Subversion clients and servers have multiple heap overflow issues in the parsing of binary deltas. This is related to an allocation vulnerability in the APR library used by Subversion.
Clients with commit access to a vulnerable server can cause a remote heap overflow; servers can cause a heap overflow on vulnerable clients that try to do a checkout or update.
This can lead to a DoS (an exploit has been tested) and to arbitrary code execution (no exploit tested, but the possibility is clear).
A Bugzilla Security Advisory reports:
Normally, users are only supposed to see products that they can file bugs against in the "Product" drop-down on the bug-editing page. Instead, users were being shown all products, even those that they normally could not see. Any user who could edit any bug could see all product names.
Mozilla Project reports:
MFSA 2009-38: Data corruption with SOCKS5 reply containing DNS name longer than 15 characters
MFSA 2009-42: Compromise of SSL-protected communication
MFSA 2009-43: Heap overflow in certificate regexp parsing
MFSA 2009-44: Location bar and SSL indicator spoofing via window.open() on invalid URL
MFSA 2009-45: Crashes with evidence of memory corruption (rv:1.9.1.2/1.9.0.13)
MFSA 2009-46: Chrome privilege escalation due to incorrectly cached wrapper
SILC changelog reports:
An unspecified format string vulnerability exists in silc-client.
The SquirrelMail Web Server has been compromised, and three plugins are affected.
The port of squirrelmail-sasql-plugin is safe (right MD5), and change_pass is not in the FreeBSD ports tree, but multilogin has a wrong MD5.
When named(8) receives a specially crafted dynamic update message an internal assertion check is triggered which causes named(8) to exit.
To trigger the problem, the dynamic update message must contain a record of type "ANY" and at least one resource record set (RRset) for this fully qualified domain name (FQDN) must exist on the server.
An attacker who can send DNS requests to a nameserver can cause it to exit, thus creating a Denial of Service situation.
No generally applicable workaround is available, but some firewalls may be able to prevent nsupdate DNS packets from reaching the nameserver.
NOTE WELL: Merely configuring named(8) to ignore dynamic updates is NOT sufficient to protect it from this vulnerability.
Secunia reports:
A security issue has been reported in Mono, which can be exploited by malicious people to conduct spoofing attacks.
The security issue is caused due to an error when processing certain XML signatures.
Squid security advisory 2009:2 reports:
Due to incorrect buffer limits and related bound checks Squid is vulnerable to a denial of service attack when processing specially crafted requests or responses.
Due to incorrect data validation Squid is vulnerable to a denial of service attack when processing specially crafted responses.
These problems allow any trusted client or external server to perform a denial of service attack on the Squid service.
Squid-2.x releases are not affected.
Mozilla Project reports:
Firefox user zbyte reported a crash that we determined could result in an exploitable memory corruption problem. In certain cases after a return from a native function, such as escape(), the Just-in-Time (JIT) compiler could get into a corrupt state. This could be exploited by an attacker to run arbitrary code such as installing malware.
This vulnerability does not affect earlier versions of Firefox which do not support the JIT feature.
US-CERT reports:
The ISC DHCP dhclient application contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code with root privileges.
The Drupal Security Team reports:
Cross-site scripting
The Forum module does not correctly handle certain arguments obtained from the URL. By enticing a suitably privileged user to visit a specially crafted URL, a malicious user is able to insert arbitrary HTML and script code into forum pages. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS).
User signatures have no separate input format; they use the format of the comment with which they are displayed. A user will no longer be able to edit a comment when an administrator changes the comment's input format to a format that is not accessible to the user. However, they will still be able to modify their signature, which will then be processed by the new input format.
If the new format is very permissive, via their signature, the user may be able to insert arbitrary HTML and script code into pages or, when the PHP filter is enabled for the new format, execute PHP code. This issue affects Drupal 6.x only.
When an anonymous user fails to login due to mistyping his username or password, and the page he is on contains a sortable table, the (incorrect) username and password are included in links on the table. If the user visits these links the password may then be leaked to external sites via the HTTP referer.
In addition, if the anonymous user is enticed to visit the site via a specially crafted URL while the Drupal page cache is enabled, a malicious user might be able to retrieve the (incorrect) username and password from the page cache.
nfsen reports:
Due to double input checking, a remote command execution security bug exists in all NfSen versions 1.3 and 1.3.1. Users are requested to update to nfsen-1.3.2.
The phpMyAdmin project reports:
It was possible to conduct an XSS attack via a crafted SQL bookmark.
All 3.x releases on which the "bookmarks" feature is active are affected, previous versions are not.
Secunia reports:
A vulnerability has been reported in Nagios, which can be exploited by malicious users to potentially compromise a vulnerable system.
Input passed to the "ping" parameter in statuswml.cgi is not properly sanitised before being used to invoke the ping command. This can be exploited to inject and execute arbitrary shell commands.
Successful exploitation requires access to the ping feature of the WAP interface.
The Tor Project reports:
A malicious exit relay could convince a controller that the client's DNS question resolves to an internal IP address.
Secunia reports:
Some vulnerabilities have been reported in Cscope, which potentially can be exploited by malicious people to compromise a user's system.
The vulnerabilities are caused due to various boundary errors, which can be exploited to cause buffer overflows when parsing specially crafted files or directories.
SecurityFocus reports:
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
Secunia reports:
Some vulnerabilities have been reported in Joomla!, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks.
Certain unspecified input is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious data is displayed.
Certain unspecified input passed to the user view of the com_users core component is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Input passed via certain parameters to the "JA_Purity" template is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Secunia reports:
Some vulnerabilities and weaknesses have been reported in Pidgin, which can be exploited by malicious people to cause a DoS or to potentially compromise a user's system.
A truncation error in the processing of MSN SLP messages can be exploited to cause a buffer overflow.
A boundary error in the XMPP SOCKS5 "bytestream" server when initiating an outgoing file transfer can be exploited to cause a buffer overflow.
A boundary error exists in the implementation of the "PurpleCircBuffer" structure. This can be exploited to corrupt memory and cause a crash via specially crafted XMPP or Sametime packets.
A boundary error in the "decrypt_out()" function can be exploited to cause a stack-based buffer overflow with 8 bytes and crash the application via a specially crafted QQ packet.
SecurityFocus reports:
Git is prone to a denial-of-service vulnerability because it fails to properly handle some client requests.
Attackers can exploit this issue to cause a daemon process to enter an infinite loop. Repeated exploits may consume excessive system resources, resulting in a denial of service condition.
The official ruby site reports:
A denial of service (DoS) vulnerability was found on the BigDecimal standard library of Ruby. Conversion from BigDecimal objects into Float numbers had a problem which enables attackers to effectively cause segmentation faults.
An attacker can cause a denial of service by causing BigDecimal to parse an insanely large number, such as:
BigDecimal("9E69999999").to_s("F")
Mozilla Foundation reports:
MFSA 2009-32 JavaScript chrome privilege escalation
MFSA 2009-31 XUL scripts bypass content-policy checks
MFSA 2009-30 Incorrect principal set for file: resources loaded via location bar
MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null
MFSA 2009-28 Race condition while accessing the private data of a NPObject JS wrapper class object
MFSA 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests
MFSA 2009-26 Arbitrary domain cookie access by local file: resources
MFSA 2009-25 URL spoofing with invalid unicode characters
MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11)
Secunia reports:
Some vulnerabilities have been reported in APR-util, which can be exploited by malicious users and malicious people to cause a DoS (Denial of Service).
A vulnerability is caused due to an error in the processing of XML files and can be exploited to exhaust all available memory via a specially crafted XML file containing a predefined entity inside an entity definition.
A vulnerability is caused due to an error within the "apr_strmatch_precompile()" function in strmatch/apr_strmatch.c, which can be exploited to crash an application using the library.
RedHat reports:
A single NULL byte buffer overflow flaw was found in apr-util's apr_brigade_vprintf() function.
DokuWiki reports:
A security hole was discovered which allows an attacker to include arbitrary files located on the attacked DokuWiki installation. The included file is executed in the PHP context. This can be escalated by introducing malicious code through uploading a file via the media manager or placing PHP code in editable pages.
Secunia reports:
Some vulnerabilities have been reported in OpenSSL, which can be exploited by malicious people to cause a DoS.
The library does not limit the number of buffered DTLS records with a future epoch. This can be exploited to exhaust all available memory via specially crafted DTLS packets.
An error when processing DTLS messages can be exploited to exhaust all available memory by sending a large number of out of sequence handshake messages.
Secunia reports:
The vulnerability is caused due to an error in the processing of private messages within the server module (/mod/server.mod/servrmsg.c). This can be exploited to cause a crash by sending a specially crafted message to the bot.
Secunia reports:
A vulnerability has been reported in Wireshark, which can be exploited by malicious people to cause a DoS.
The vulnerability is caused due to an error in the PCNFSD dissector and can be exploited to cause a crash via a specially crafted PCNFSD packet.
Secunia reports:
Two vulnerabilities have been reported in libsndfile, which can be exploited by malicious people to compromise an application using the library.
A boundary error exists within the "voc_read_header()" function in src/voc.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted VOC file.
A boundary error exists within the "aiff_read_header()" function in src/aiff.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted AIFF file.
Secunia reports:
A security issue has been reported in SLiM, which can be exploited by malicious, local users to disclose sensitive information.
The security issue is caused due to the application generating the X authority file by passing the X authority cookie via the command line to "xauth". This can be exploited to disclose the X authority cookie by consulting the process list and e.g. gain access to the user's display.
US-CERT reports:
ntpd contains a stack buffer overflow which may allow a remote unauthenticated attacker to execute arbitrary code on a vulnerable system or create a denial of service.
SecurityFocus reports:
University of Washington IMAP c-client is prone to a remote format-string vulnerability because the software fails to adequately sanitize user-supplied input before passing it as the format-specifier to a formatted-printing function.
NLnet Labs:
A one-byte buffer overflow has been reported in NSD. The problem affects all versions 2.0.0 to 3.2.1. The bug allows a carefully crafted exploit to bring down your DNS server. It is highly unlikely that this one byte overflow can lead to other (system) exploits.
xine developers report:
- Fix another possible int overflow in the 4XM demuxer. (ref. TKADV2009-004, CVE-2009-0385)
- Fix an integer overflow in the Quicktime demuxer.
Multiple vulnerabilities were fixed in libxine 1.1.16.2.
Tobias Klein reports:
FFmpeg contains a type conversion vulnerability while parsing malformed 4X movie files. The vulnerability may be exploited by a (remote) attacker to execute arbitrary code in the context of FFmpeg or an application using the FFmpeg library.
Note: A similar issue also affects xine-lib < version 1.1.16.2.
xine developers report:
- Fix broken size checks in various input plugins (ref. CVE-2008-5239).
- More malloc checking (ref. CVE-2008-5240).
securityfocus research reports:
A bug that leads to the emptying of the INI file contents if the database key was not found exists in the PHP dba extension in versions 5.2.6, 4.4.9 and earlier.
The dba_replace() function does not filter the key and value strings. There is a possibility of destruction of the file.
Secunia reports:
A vulnerability has been reported in libwmf, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise an application using the library.
The vulnerability is caused due to a use-after-free error within the embedded GD library, which can be exploited to cause a crash or potentially to execute arbitrary code via a specially crafted WMF file.
Secunia reports:
infamous41md has reported a vulnerability in libwmf, which potentially can be exploited by malicious people to compromise an application using the vulnerable library.
The vulnerability is caused due to an integer overflow error when allocating memory based on a value taken directly from a WMF file without performing any checks. This can be exploited to cause a heap-based buffer overflow when a specially crafted WMF file is processed.
Secunia reports:
Input passed via multiple parameters to action/AttachFile.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Secunia reports:
Certain input passed to the "Apache::Status" and "Apache2::Status" modules is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected website.
The Drupal Security Team reports:
When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.
Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the <meta http-equiv="Content-Type" /> tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This enables attackers to execute cross site scripting attacks with UTF-7. SA-CORE-2009-005 - Drupal core - Cross site scripting contained an incomplete fix for the issue. HTML exports of books are still vulnerable, which means that anyone with edit permissions for pages in outlines is able to insert arbitrary HTML and script code in these exports.
Additionally, the taxonomy module allows users with the 'administer taxonomy' permission to inject arbitrary HTML and script code in the help text of any vocabulary.
US-CERT reports:
The sasl_encode64() function converts a string into base64. The Cyrus SASL library contains buffer overflows that occur because of unsafe use of the sasl_encode64() function.
Secunia reports:
Some vulnerabilities have been reported in MoinMoin, which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed to multiple parameters in action/AttachFile.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Certain input passed to security/antispam.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
SecurityFocus reports:
Ghostscript is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before copying it into a finite-sized buffer.
Exploiting this issue allows remote attackers to overwrite a sensitive memory buffer with arbitrary data, potentially allowing them to execute malicious machine code in the context of the affected application. This vulnerability may facilitate the compromise of affected computers.
oCERT reports:
Pango suffers from a multiplicative integer overflow which may lead to a potentially exploitable heap overflow depending on the calling conditions.
For example, this vulnerability is remotely reachable in Firefox by creating an overly large document.location value but only results in a process-terminating allocation error (denial of service).
The affected function is pango_glyph_string_set_size. An overflow check when doubling the size neglects the overflow possible on the subsequent allocation.
Wireshark team reports:
Wireshark 1.0.7 fixes the following vulnerabilities:
- The PROFINET dissector was vulnerable to a format string overflow. (Bug 3382) Versions affected: 0.99.6 to 1.0.6, CVE-2009-1210.
- The Check Point High-Availability Protocol (CPHAP) dissector could crash. (Bug 3269) Versions affected: 0.9.6 to 1.0.6; CVE-2009-1268.
- Wireshark could crash while loading a Tektronix .rf5 file. (Bug 3366) Versions affected: 0.99.6 to 1.0.6, CVE-2009-1269.
Gentoo security team summarizes:
The following issues were reported in CUPS:
- iDefense reported an integer overflow in the _cupsImageReadTIFF() function in the "imagetops" filter, leading to a heap-based buffer overflow (CVE-2009-0163).
- Aaron Siegel of Apple Product Security reported that the CUPS web interface does not verify the content of the "Host" HTTP header properly (CVE-2009-0164).
- Braden Thomas and Drew Yao of Apple Product Security reported that CUPS is vulnerable to CVE-2009-0146, CVE-2009-0147 and CVE-2009-0166, found earlier in xpdf and poppler.
A remote attacker might send or entice a user to send a specially crafted print job to CUPS, possibly resulting in the execution of arbitrary code with the privileges of the configured CUPS user -- by default this is "lp", or a Denial of Service. Furthermore, the web interface could be used to conduct DNS rebinding attacks.
The function ASN1_STRING_print_ex does not properly validate the lengths of BMPString or UniversalString objects before attempting to print them.
An application which attempts to print a BMPString or UniversalString which has an invalid length will crash as a result of OpenSSL accessing invalid memory locations. This could be used by an attacker to crash a remote application.
No workaround is available, but applications which do not use the ASN1_STRING_print_ex function (either directly or indirectly) are not affected.
Debian Security Team reports:
It was discovered that Quagga, an IP routing daemon, could no longer process the Internet routing table due to broken handling of multiple 4-byte AS numbers in an AS path. If such a prefix is received, the BGP daemon crashes with an assert failure leading to a denial of service.
Secunia reports:
A vulnerability has been reported in Openfire which can be exploited by malicious users to bypass certain security restrictions. The vulnerability is caused due to Openfire not properly respecting the no password changes setting which can be exploited to change passwords by sending jabber:iq:auth passwd_change requests to the server.
Drupal Security Team reports:
When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.
Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the meta http-equiv="Content-Type" tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This behaviour enables malicious users to insert and execute Javascript in the context of the website if site visitors are allowed to post content.
In addition, Drupal core also has a very limited information disclosure vulnerability under very specific conditions. If a user is tricked into visiting the site via a specially crafted URL and then submits a form (such as the search box) from that page, the information in their form submission may be directed to a third-party site determined by the URL and thus disclosed to the third party. The third party site may then execute a CSRF attack against the submitted form.
Mozilla Foundation reports:
MFSA 2009-22: Firefox allows Refresh header to redirect to javascript: URIs
MFSA 2009-21: POST data sent to wrong site when saving web page with embedded frame
MFSA 2009-20: Malicious search plugins can inject code into arbitrary sites
MFSA 2009-19: Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString
MFSA 2009-18: XSS hazard using third-party stylesheets and XBL bindings
MFSA 2009-17: Same-origin violations when Adobe Flash loaded via view-source: scheme
MFSA 2009-16: jar: scheme ignores the content-disposition: header on the inner URI
MFSA 2009-15: URL spoofing with box drawing character
MFSA 2009-14: Crashes with evidence of memory corruption (rv:1.9.0.9)
Secunia reports:
Some vulnerabilities have been reported in Poppler which can be exploited by malicious people to potentially compromise an application using the library.
Secunia reports:
Some vulnerabilities have been reported in Xpdf, which can be exploited by malicious people to potentially compromise a user's system.
A boundary error exists when decoding JBIG2 symbol dictionary segments. This can be exploited to cause a heap-based buffer overflow and potentially execute arbitrary code.
Multiple integer overflows in the JBIG2 decoder can be exploited to potentially execute arbitrary code.
Multiple boundary errors in the JBIG2 decoder can be exploited to cause buffer overflows and potentially execute arbitrary code.
Multiple errors in the JBIG2 decoder can be exploited to free arbitrary memory and potentially execute arbitrary code.
Multiple unspecified input validation errors in the JBIG2 decoder can be exploited to potentially execute arbitrary code.
Secunia reports:
Some vulnerabilities have been reported in FreeType, which can be exploited by malicious people to potentially compromise an application using the library.
An integer overflow error within the "cff_charset_compute_cids()" function in cff/cffload.c can be exploited to potentially cause a heap-based buffer overflow via a specially crafted font.
Multiple integer overflow errors within validation functions in sfnt/ttcmap.c can be exploited to bypass length validations and potentially cause buffer overflows via specially crafted fonts.
An integer overflow error within the "ft_smooth_render_generic()" function in smooth/ftsmooth.c can be exploited to potentially cause a heap-based buffer overflow via a specially crafted font.
SecurityFocus reports:
The ejabberd application is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
Ziproxy Developers report:
Multiple HTTP proxy implementations are prone to an information-disclosure vulnerability related to the interpretation of the 'Host' HTTP header. Specifically, this issue occurs when the proxy makes a forwarding decision based on the 'Host' HTTP header instead of the destination IP address.
Attackers may exploit this issue to obtain sensitive information such as internal intranet webpages. Additional attacks may also be possible.
phpMyAdmin Team reports:
Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file. Combined with ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code. This issue is on different parameters than PMASA-2009-3 and it was missed by our radar because it did not exist in the 2.11.x branch.
Drupal CCK plugin developer reports:
The Node reference and User reference sub-modules, which are part of the Content Construction Kit (CCK) project, let administrators define node fields that are references to other nodes or to users. When displaying a node edit form, the titles of candidate referenced nodes or names of candidate referenced users are not properly filtered, allowing malicious users to inject arbitrary code on those pages. Such a cross site scripting (XSS) attack may lead to a malicious user gaining full administrative access.
Secunia reports:
A vulnerability has been discovered in Pivot, which can be exploited by malicious people to delete certain files.
Input passed to the "refkey" parameter in extensions/bbclone_tools/count.php is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server via directory traversal sequences passed within the "refkey" parameter.
NOTE: Users with the "Advanced" user level are able to include and execute uploaded PHP code via the "pivot_path" parameter in extensions/bbclone_tools/getkey.php when extensions/bbclone_tools/hr_conf.php can be deleted.
phpMyAdmin reports:
Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file.
Secunia reports:
Tobias Klein has reported some vulnerabilities in Amarok, which potentially can be exploited by malicious people to compromise a user's system.
Two integer overflow errors exist within the "Audible::Tag::readTag()" function in src/metadata/audible/audibletag.cpp. These can be exploited to cause heap-based buffer overflows via specially crafted Audible Audio files.
Two errors within the "Audible::Tag::readTag()" function in src/metadata/audible/audibletag.cpp can be exploited to corrupt arbitrary memory via specially crafted Audible Audio files.
Vendor reports:
On non-Windows systems Wireshark could crash if the HOME environment variable contained sprintf-style string formatting characters. Wireshark could crash while reading a malformed NetScreen snoop file. Wireshark could crash while reading a Tektronix K12 text capture file.
Secunia reports:
A vulnerability has been reported in Netatalk, which potentially can be exploited by malicious users to compromise a vulnerable system.
The vulnerability is caused due to the papd daemon improperly sanitising several received parameters before passing them in a call to popen(). This can be exploited to execute arbitrary commands via a specially crafted printing request.
Successful exploitation requires that a printer is configured to pass arbitrary values as parameters to a piped command.
Secunia reports:
Tobias Klein has reported some vulnerabilities in GStreamer Good Plug-ins, which can potentially be exploited by malicious people to compromise a vulnerable system.
A boundary error occurs within the "qtdemux_parse_samples()" function in gst/gtdemux/qtdemux.c when performing QuickTime "ctts" Atom parsing. This can be exploited to cause a heap-based buffer overflow via a specially crafted QuickTime media file.
An array indexing error exists in the "qtdemux_parse_samples()" function in gst/gtdemux/qtdemux.c when performing QuickTime "stss" Atom parsing. This can be exploited to corrupt memory via a specially crafted QuickTime media file.
A boundary error occurs within the "qtdemux_parse_samples()" function in gst/gtdemux/qtdemux.c when performing QuickTime "stts" Atom parsing. This can be exploited to cause a heap-based buffer overflow via a specially crafted QuickTime media file.
Secunia reports:
The vulnerability is caused due to an integer overflow error in the processing of CAF description chunks. This can be exploited to cause a heap-based buffer overflow by tricking the user into processing a specially crafted CAF audio file.
Secunia reports:
Tobias Klein has reported a vulnerability in FFmpeg, which potentially can be exploited by malicious people to compromise an application using the library.
The vulnerability is caused due to a signedness error within the "fourxm_read_header()" function in libavformat/4xm.c. This can be exploited to corrupt arbitrary memory via a specially crafted 4xm file.
Secunia reports:
Some vulnerabilities have been reported in RoundCube Webmail, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to conduct script insertion attacks and compromise a vulnerable system.
The HTML "background" attribute within e.g. HTML emails is not properly sanitised before being used. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site if a malicious email is viewed.
Input passed via a vCard is not properly sanitised before being used in a call to "preg_replace()" with the "e" modifier in program/include/rcube_vcard.php. This can be exploited to inject and execute arbitrary PHP code by e.g. tricking a user into importing a malicious vCard file.
Secunia reports:
Some vulnerabilities have been reported in ProFTPD, which can be exploited by malicious people to conduct SQL injection attacks.
The application improperly sets the character encoding prior to performing SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code in an environment using a multi-byte character encoding.
An error exists in the "mod_sql" module when processing e.g. user names containing '%' characters. This can be exploited to bypass input sanitation routines and manipulate SQL queries by injecting arbitrary SQL code.
Secunia reports:
Some vulnerabilities have been reported in the ZABBIX PHP frontend, which can be exploited by malicious people to conduct cross-site request forgery attacks and by malicious users to disclose sensitive information and compromise a vulnerable system.
Input appended to and passed via the "extlang" parameter to the "calc_exp2()" function in include/validate.inc.php is not properly sanitised before being used. This can be exploited to inject and execute arbitrary PHP code.
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. create users by enticing a logged-in administrator to visit a malicious web page.
Input passed to the "srclang" parameter in locales.php (when "next" is set to a non-NULL value) is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.
SecurityFocus reports:
PHP is prone to a buffer-overflow vulnerability because it fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers. The issue affects the 'mbstring' extension included in the standard distribution.
An attacker can exploit this issue to execute arbitrary machine code in the context of the affected webserver. Failed exploit attempts will likely crash the webserver, denying service to legitimate users.
Secunia reports:
Dun has discovered a vulnerability in phpPgAdmin, which can be exploited by malicious people to disclose sensitive information.
Input passed via the "_language" parameter to libraries/lib.inc.php is not properly sanitised before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.
Opera Team reports:
An unspecified error in the processing of JPEG images can be exploited to trigger a memory corruption.
An error can be exploited to execute arbitrary script code in a different domain via unspecified plugins.
An unspecified error has a "moderately severe" impact. No further information is available.
CVE Mitre reports:
Untrusted search path vulnerability in the Python interface in Epiphany 2.22.3, and possibly other versions, allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983).
CVE Mitre reports:
Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.
Secunia reports:
A vulnerability has been reported in Pngcrush, which can be exploited by malicious people to potentially compromise a user's system.
The vulnerability is caused due to the use of vulnerable libpng code.
Secunia reports:
The security issue is caused due to cURL following HTTP Location: redirects to e.g. scp:// or file:// URLs which can be exploited by a malicious HTTP server to overwrite or disclose the content of arbitrary local files and potentially execute arbitrary commands via specially crafted redirect URLs.
Matthew Weier O'Phinney reports:
A potential Local File Inclusion (LFI) vulnerability exists in the Zend_View::render() method. If user input is used to specify the script path, then it is possible to trigger the LFI.
Note that Zend Framework applications that never call the Zend_View::render() method with a user-supplied parameter are not affected by this vulnerability.
Security Focus reports:
An attacker could exploit this issue by enticing an unsuspecting victim to execute the vulnerable application in a directory containing a malicious Python file. A successful exploit will allow arbitrary Python commands to run within the privileges of the currently logged-in user.
Dwayne C. Litzenberger reports:
pycrypto is exposed to a buffer overflow issue because it fails to adequately verify user-supplied input. This issue resides in the ARC2 module. This issue can be triggered with specially crafted ARC2 keys in excess of 128 bytes.
SecurityFocus reports:
Varnish is prone to a remote denial-of-service vulnerability because the application fails to handle certain HTTP requests.
Successfully exploiting this issue allows remote attackers to crash the affected application denying further service to legitimate users.
Secunia reports:
Some vulnerabilities have been reported in Tor, where one has an unknown impact and others can be exploited by malicious people to cause a DoS.
An error when running Tor as a directory authority can be exploited to trigger the execution of an infinite loop.
An unspecified error exists when running on Windows systems prior to Windows XP. No further information is currently available.
Mozilla Foundation reports:
MFSA 2009-06: Directives to not cache pages ignored
MFSA 2009-05: XMLHttpRequest allows reading HTTPOnly cookies
MFSA 2009-04: Chrome privilege escalation via local .desktop files
MFSA 2009-03: Local file stealing with SessionStore
MFSA 2009-02: XSS using a chrome XBL method and window.eval
MFSA 2009-01: Crashes with evidence of memory corruption (rv:1.9.0.6)
znirkel reports:
The eval() function in _reset_post_array crashes when posting certain data. By passing in carefully-crafted input data, the eval() function could also execute malicious PHP code.
Note that CodeIgniter applications that either do not use the new Form Validation class or use the old Validation class are not affected by this vulnerability.
Security Focus reports:
PyBlosxom is prone to multiple XML-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied XML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Secunia reports:
Some vulnerabilities have been reported in Typo3, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.
Input passed via unspecified fields to the backend user interface is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
An error in the "jumpUrl" mechanism can be exploited to read arbitrary files from local resources by disclosing a hash secret used to restrict file access.
Secunia reports:
A boundary error when processing "div" HTML tags can be exploited to cause a stack-based buffer overflow via an overly long "id" parameter.
A boundary error exists when processing overly long links. This can be exploited to cause a stack-based buffer overflow by tricking the user into e.g. editing a malicious link.
A boundary error when processing e.g. a "bdo" HTML tag having an overly long "dir" attribute can be exploited to cause a stack-based buffer overflow.
A boundary error when processing "input" HTML tags can be exploited to cause a stack-based buffer overflow via an overly long e.g. "type" attribute.
Secunia reports:
Some vulnerabilities have been reported in WebSVN, which can be exploited by malicious users to disclose sensitive information, and by malicious people to conduct cross-site scripting attacks and manipulate data.
Input passed in the URL to index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Input passed to the "rev" parameter in rss.php is not properly sanitised before being used. This can be exploited to overwrite arbitrary files via directory traversal attacks.
Access to restricted repositories is not properly enforced, which can be exploited to disclose potentially sensitive information by accessing the repository via "listing.php" and using the "compare with previous" and "show changed files" links.
Secunia reports:
Input passed to the "_SERVER[ConfigFile]" parameter in admin/index.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources.
Squid security advisory 2009:1 reports:
Due to an internal error Squid is vulnerable to a denial of service attack when processing specially crafted requests.
This problem allows any client to perform a denial of service attack on the Squid service.
Secunia reports:
Some vulnerabilities have been reported in Typo3, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and session fixation attacks, and compromise a vulnerable system.
The "Install tool" system extension uses insufficiently random entropy sources to generate an encryption key, resulting in weak security.
The authentication library does not properly invalidate supplied session tokens, which can be exploited to hijack a user's session.
Certain unspecified input passed to the "Indexed Search Engine" system extension is not properly sanitised before being used to invoke commands. This can be exploited to inject and execute arbitrary shell commands.
Input passed via the name and content of files to the "Indexed Search Engine" system extension is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Certain unspecified input passed to the Workspace module is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Note: It is also reported that certain unspecified input passed to test scripts of the "ADOdb" system extension is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected website.
Todd Miller reports:
A bug was introduced in Sudo's group matching code in version 1.6.9 when support for matching based on the supplemental group vector was added. This bug may allow certain users listed in the sudoers file to run a command as a different user than their access rule specifies.
Drupal Team reports:
The Content Translation module for Drupal 6.x enables users to make a translation of an existing item of content (a node). In that process the existing node's content is copied into the new node's submission form.
The module contains a flaw that allows a user with the 'translate content' permission to potentially bypass normal viewing access restrictions, for example allowing the user to see the content of unpublished nodes even if they do not have permission to view unpublished nodes.
When user profile pictures are enabled, the default user profile validation function will be bypassed, possibly allowing invalid user names or e-mail addresses to be submitted.
Secunia reports:
Paul Szabo has reported a vulnerability in Perl File::Path::rmtree, which potentially can be exploited by malicious, local users to gain escalated privileges.
The vulnerability is caused due to a race condition in the way File::Path::rmtree handles directory permissions when cleaning up directories. This can be exploited by replacing an existing sub directory in the directory tree with a symbolic link to an arbitrary file.
Successful exploitation may allow changing permissions of arbitrary files, if root uses an application using the vulnerable code to delete files in a directory having a world-writable sub directory.
Secunia reports:
Input passed to multiple parameters in action/AttachFile.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Certain input passed to security/antispam.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Secunia reports:
Spike Spiegel has discovered a vulnerability in Ganglia which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error within the process_path function in gmetad/server.c. This can be exploited to cause a stack-based buffer overflow by e.g. sending a specially crafted message to the gmetad service.
The vulnerability is confirmed in version 3.1.1. Other versions may also be affected.
Secunia reports:
A vulnerability with an unknown impact has been reported in Tor.
The vulnerability is caused due to an unspecified error and can be exploited to trigger a heap corruption. No further information is currently available.
The GLPI project reports:
Input passed via unspecified parameters is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Core Security Technologies reports:
Multiple cross-site scripting vulnerabilities have been found which may lead to arbitrary remote code execution on the server running the application due to unauthorized upload of Java plugin code.
SecurityFocus reports:
IPsec-Tools is affected by multiple remote denial-of-service vulnerabilities because the software fails to properly handle certain network packets.
A successful attack allows a remote attacker to crash the software, denying further service to legitimate users.
SecurityFocus reports:
TeamSpeak is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data. Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks.
Secunia reports:
A vulnerability has been reported in OptiPNG, which potentially can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error in the BMP reader and can be exploited to cause a buffer overflow by tricking a user into processing a specially crafted file.
Successful exploitation may allow execution of arbitrary code.
Git maintainers report:
gitweb has a possible local privilege escalation bug that allows a malicious repository owner to run a command of his choice by specifying diff.external configuration variable in his repository and running a crafted gitweb query.
SecurityFocus reports:
GNU's tar and cpio utilities are prone to a denial-of-service vulnerability because of insecure use of the alloca() function.
Successfully exploiting this issue allows attackers to crash the affected utilities and possibly to execute code but this has not been confirmed.
Secunia reports:
The vulnerability is caused due to a boundary error within the "str_read_packet()" function in libavformat/psxstr.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted STR file.
Secunia reports:
A vulnerability has been reported in CGIWrap, which can be exploited by malicious people to conduct cross-site scripting attacks.
The vulnerability is caused due to the application generating error messages without specifying a charset. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Successful exploitation may require that the victim uses Internet Explorer or a browser based on Internet Explorer components.
securityfocus reports:
An attacker with low-level privileges may exploit this issue to bypass authorization and cause arbitrary commands to run within the context of the Nagios server. This may aid in further attacks.
Secunia reports:
Some security issues have been reported in PDFjam, which can be exploited by malicious, local users to perform certain actions with escalated privileges.
The security issues are caused due to the "pdf90", "pdfjoin", and "pdfnup" scripts using temporary files in an insecure manner. This can be exploited to overwrite arbitrary files via symlink attacks.
securityfocus reports:
An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.
Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.
Verlihub is prone to a remote command-execution vulnerability because it fails to sufficiently validate user input.
Successfully exploiting this issue would allow an attacker to execute arbitrary commands on an affected computer in the context of the affected application.
MySQL reports:
The vulnerability is caused due to an error when processing an empty bit-string literal and can be exploited to crash the server via a specially crafted SQL statement.
MySQL reports:
Using RENAME TABLE against a table with explicit DATA DIRECTORY and INDEX DIRECTORY options can be used to overwrite system table information by replacing the file to which the symlink points.
MySQL reports:
A malformed password packet in the connection protocol could cause the server to crash.
MySQL reports:
The requirement of the DROP privilege for RENAME TABLE was not enforced.
SANS reports:
The University of Washington IMAP library is a library implementing the IMAP mail protocol. University of Washington IMAP is exposed to a buffer overflow issue that occurs due to a boundary error within the rfc822_output_char function in the c-client library. The University of Washington IMAP library versions prior to 2007e are affected.
SANS reports:
University of Washington "tmail" and "dmail" are mail delivery agents. "tmail" and "dmail" are exposed to local buffer overflow issues because they fail to perform adequate boundary checks on user-supplied data.
securityfocus reports:
The 'libcdaudio' library is prone to a remote heap code in the context of an application that uses the library. Failed attacks will cause denial-of-service conditions.
A buffer-overflow in Grip occurs when the software processes a response to a CDDB query that has more than 16 matches.
To exploit this issue, an attacker must be able to influence the response to a CDDB query, either by controlling a malicious CDDB server or through some other means. Successful exploits will allow arbitrary code to run.
Some function pointers for netgraph and bluetooth sockets are not properly initialized.
A local user can cause the FreeBSD kernel to execute arbitrary code. This could be used by an attacker directly; or it could be used to gain root privilege or to escape from a jail.
No workaround is available, but systems without local untrusted users are not vulnerable. Furthermore, systems are not vulnerable if they have neither the ng_socket nor ng_bluetooth kernel modules loaded or compiled into the kernel.
Systems with the security.jail.socket_unixiproute_only sysctl set to 1 (the default) are only vulnerable if they have local untrusted users outside of jails.
If the command
# kldstat -v | grep ng_
produces no output, the system is not vulnerable.
The ftpd(8) server splits long commands into several requests. This may result in the server executing a command which is hidden inside another very long command.
This could, with a specifically crafted command, be used in a cross-site request forgery attack.
FreeBSD systems running ftpd(8) server could act as a point of privilege escalation in an attack against users using web browser to access trusted FTP sites.
No workaround is available, but systems not running FTP servers are not vulnerable. Systems not running the FreeBSD ftp(8) server are not affected, but users of other ftp daemons are advised to take care since several other ftp daemons are known to have related bugs.
IPv6 routers may allow "on-link" IPv6 nodes to create and update the router's neighbor cache and forwarding information. A malicious IPv6 node sharing a common router but on a different physical segment from another node may be able to spoof Neighbor Discovery messages, allowing it to update router information for the victim node.
An attacker on a different physical network connected to the same IPv6 router as another node could redirect IPv6 traffic intended for that node. This could lead to denial of service or improper access to private network traffic.
Firewall packet filters can be used to filter incoming Neighbor Solicitation messages but may interfere with normal IPv6 operation if not configured carefully.
Reverse path forwarding checks could be used to make gateways, such as routers or firewalls, drop Neighbor Solicitation messages from nodes with unexpected source addresses on a particular interface.
IPv6 router administrators are encouraged to read RFC 3756 for further discussion of Neighbor Discovery security implications.
When the arc4random(9) random number generator is initialized, there may be inadequate entropy to meet the needs of kernel systems which rely on arc4random(9); and it may take up to 5 minutes before arc4random(9) is reseeded with secure entropy from the Yarrow random number generator.
All security-related kernel subsystems that rely on a quality random number generator are subject to a wide range of possible attacks for the 300 seconds after boot or until 64k of random data is consumed. The list includes:
* GEOM ELI providers with onetime keys. When a provider is configured in a way so that it gets attached at the same time during boot (e.g. it uses the rc subsystem to initialize) it might be possible for an attacker to recover the encrypted data.
* GEOM shsec providers. The GEOM shsec subsystem is used to split a shared secret between two providers so that it can be recovered when both of them are present. This is done by writing the random sequence to one of the providers while appending the result of the random sequence on the other host to the original data. If the provider was created within the first 300 seconds after booting, it might be possible for an attacker to extract the original data with access to only one of the two providers between which the secret data is split.
* System processes started early after boot may receive predictable IDs.
* The 802.11 network stack uses arc4random(9) to generate initial vectors (IV) for WEP encryption when operating in client mode and WEP authentication challenges when operating in hostap mode, which may be insecure.
* The IPv4, IPv6 and TCP/UDP protocol implementations rely on a quality random number generator to produce unpredictable IP packet identifiers, initial TCP sequence numbers and outgoing port numbers. During the first 300 seconds after booting, it may be easier for an attacker to execute IP session hijacking, OS fingerprinting, idle scanning, or in some cases DNS cache poisoning and blind TCP data injection attacks.
* The kernel RPC code uses arc4random(9) to retrieve transaction identifiers, which might make RPC clients vulnerable to hijacking attacks.
No workaround is available for affected systems.
SecurityFocus reports:
The xterm program is prone to a remote command-execution vulnerability because it fails to sufficiently validate user input.
Successfully exploiting this issue would allow an attacker to execute arbitrary commands on an affected computer in the context of the affected application.
According to CVE-2008-5498 entry:
Array index error in the "imageRotate" function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument (aka the "bgd_color" or "clrBack" argument) for an indexed image.
Secunia reports:
Morgan Todd has discovered a vulnerability in AWStats, which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed in the URL to awstats.pl is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Successful exploitation requires that the application is running as a CGI script.
Jan Lieskovsky reports:
perl-File-Path rmtree race condition (CVE-2005-0448 was assigned to address this)
This vulnerability was fixed in 5.8.4-7 but re-introduced in 5.8.8-1. It's also present in File::Path 2.xx, up to and including 2.07 which has only a partial fix.
Jan Minar reports:
Applying the ``D'' to a file with a crafted file name, or inside a directory with a crafted directory name, can lead to arbitrary code execution.
Lack of sanitization throughout Netrw can lead to arbitrary code execution upon opening a directory with a crafted name.
The Vim Netrw Plugin shares the FTP user name and password across all FTP sessions. Every time Vim makes a new FTP connection, it sends the user name and password of the previous FTP session to the FTP server.