Gustavo Noronha Silva reports:
The patches to fix the following CVEs are included with help from Huzaifa Sidhpurwala from the Red Hat security team.
Django project reports:
Today the Django team is issuing multiple releases -- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 -- to remedy two security issues reported to us. All users of affected versions of Django are urged to upgrade immediately.
Information leakage in Django administrative interface
The Django administrative interface, django.contrib.admin supports filtering of displayed lists of objects by fields on the corresponding models, including across database-level relationships. This is implemented by passing lookup arguments in the querystring portion of the URL, and options on the ModelAdmin class allow developers to specify particular fields or relationships which will generate automatic links for filtering.
Denial-of-service attack in password-reset mechanism
Django's bundled authentication framework, django.contrib.auth, offers views which allow users to reset a forgotten password. The reset mechanism involves generating a one-time token composed from the user's ID, the timestamp of the reset request converted to a base36 integer, and a hash derived from the user's current password hash (which will change once the reset is complete, thus invalidating the token).
Drupal security team reports:
The Views module provides a flexible method for Drupal site designers to control how lists and tables of content are presented. Under certain circumstances, Views could display parts of the page path without escaping, resulting in a reflected Cross Site Scripting (XSS) vulnerability. An attacker could exploit this to gain full administrative access.
Mitigating factors: This vulnerability only occurs with a specific combination of configuration options for a specific View, but this combination is used in the default Views provided by some additional modules. A malicious user would need to get an authenticated administrative user to visit a specially crafted URL.
Jean-Philippe Lang reports:
This release also fixes 3 security issues reported by joernchen of Phenoelit:
- logged in users may be able to access private data (affected versions: 1.0.x)
- persistent XSS vulnerability in textile formatter (affected versions: all previous releases)
- remote command execution in bazaar repository adapter (affected versions: 0.9.x, 1.0.x)
The Tor Project reports:
Remotely exploitable bug that could be used to crash instances of Tor remotely by overflowing on the heap. Remote-code execution hasn't been confirmed, but can't be ruled out. Everyone should upgrade.
The YUI team reports:
A security-related defect was introduced in the YUI 2 Flash component infrastructure beginning with the YUI 2.4.0 release. This defect allows JavaScript injection exploits to be created against domains that host affected YUI .swf files.
The following DoS conditions in Zip extension were fixed in PHP 5.3.4 and PHP 5.2.15:
Fixed crash in zip extract method (possible CWE-170).
The ZipArchive::getArchiveComment function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ZIP archive.
The following DoS condition in filter extension was fixed in PHP 5.3.4 and PHP 5.2.15:
Stack consumption vulnerability in the filter_var function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3, when FILTER_VALIDATE_EMAIL mode is used, allows remote attackers to cause a denial of service (memory consumption and application crash) via a long e-mail address string.
The following DoS condition in IMAP extension was fixed in PHP 5.3.4 and PHP 5.2.15:
A remote user can send specially crafted IMAP user name or password data to trigger a double free memory error in 'ext/imap/php_imap.c' and cause the target service to crash.
It may be possible to execute arbitrary code. However, code execution was not confirmed.
Entry for CVE-2010-2094 says:
Multiple format string vulnerabilities in the phar extension in PHP 5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the (1) phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or (4) phar_wrapper_open_url functions in ext/phar/stream.c; and the (5) phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers errors in the php_stream_wrapper_log_error function.
PECL source code for PHAR extension shares the same code, so it is vulnerable too.
PHP-specific version of NULL-byte poisoning was briefly described by ShAnKaR:
Poison NULL byte vulnerability for perl CGI applications was described in [1]. ShAnKaR noted, that same vulnerability also affects different PHP applications.
PHP developers report that branch 5.3 received a fix:
Paths with NULL in them (foo\0bar.txt) are now considered as invalid (CVE-2006-7243).
MITRE reports:
fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow remote attackers to bypass open_basedir restrictions via vectors related to the length of a filename.
Off-by-one error in the sanity validator for the extract() method allowed attackers to replace the values of $GLOBALS and $this when mode EXTR_OVERWRITE was used.
The Mozilla Project reports:
MFSA 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)
MFSA 2010-75 Buffer overflow while line breaking after document.write with long string
MFSA 2010-76 Chrome privilege escalation with window.open and isindex element
MFSA 2010-77 Crash and remote code execution using HTML tags inside a XUL tree
MFSA 2010-78 Add support for OTS font sanitizer
MFSA 2010-79 Java security bypass from LiveConnect loaded via data: URL meta refresh
MFSA 2010-80 Use-after-free error with nsDOMAttribute MutationObserver
MFSA 2010-81 Integer overflow vulnerability in NewIdArray
MFSA 2010-82 Incomplete fix for CVE-2010-0179
MFSA 2010-83 Location bar SSL spoofing using network error page
MFSA 2010-84 XSS hazard in multiple character encodings
The MIT Kerberos team reports:
MIT krb5 KDC may issue tickets not requested by a client, based on an attacker-chosen KrbFastArmoredReq.
An authenticated remote attacker that controls a legitimate service principal could obtain a valid service ticket to itself containing valid KDC-generated authorization data for a client whose TGS-REQ it has intercepted. The attacker could then use this ticket for S4U2Proxy to impersonate the targeted client even if the client never authenticated to the subverted service. The vulnerable configuration is believed to be rare.
The MIT Kerberos team reports:
MIT krb5 (releases incorrectly accepts RFC 3961 key-derivation checksums using RC4 keys when verifying AD-SIGNEDPATH and AD-KDC-ISSUED authorization data.
An authenticated remote attacker that controls a legitimate service principal has a 1/256 chance of forging the AD-SIGNEDPATH signature if the TGT key is RC4, allowing it to use self-generated "evidence" tickets for S4U2Proxy, instead of tickets obtained from the user or with S4U2Self. Configurations using RC4 for the TGT key are believed to be rare.
An authenticated remote attacker has a 1/256 chance of forging AD-KDC-ISSUED signatures on authdata elements in tickets having an RC4 service key, resulting in privilege escalation against a service that relies on these signatures. There are no known uses of the KDC-ISSUED authdata container at this time.
The MIT Kerberos team reports:
MIT krb5 incorrectly accepts an unkeyed checksum for PAC signatures.
An authenticated remote attacker can forge PACs if using a KDC that does not filter client-provided PAC data. This can result in privilege escalation against a service that relies on PAC contents to make authorization decisions.
The MIT Kerberos team reports:
MIT krb incorrectly accepts an unkeyed checksum with DES session keys for version 2 (RFC 4121) of the GSS-API krb5 mechanism.
An unauthenticated remote attacker can forge GSS tokens that are intended to be integrity-protected but unencrypted, if the targeted pre-existing application session uses a DES session key.
MIT krb5 KDC incorrectly accepts RFC 3961 key-derivation checksums using RC4 keys when verifying the req-checksum in a KrbFastArmoredReq.
An unauthenticated remote attacker has a 1/256 chance of swapping a client-issued KrbFastReq into a different KDC-REQ, if the armor key is RC4. The consequences are believed to be minor.
The MIT Kerberos team reports:
MIT krb5 clients incorrectly accept unkeyed checksums in the SAM-2 preauthentication challenge.
An unauthenticated remote attacker could alter a SAM-2 challenge, affecting the prompt text seen by the user or the kind of response sent to the KDC. Under some circumstances, this can negate the incremental security benefit of using a single-use authentication mechanism token.
MIT krb5 incorrectly accepts RFC 3961 key-derivation checksums using RC4 keys when verifying KRB-SAFE messages.
An unauthenticated remote attacker has a 1/256 chance of forging KRB-SAFE messages in an application protocol if the targeted pre-existing session uses an RC4 session key. Few application protocols use KRB-SAFE messages.
The ProFTPD Project team reports:
The security issue is caused due to the distribution of compromised ProFTPD 1.3.3c source code packages via the project's main FTP server and all of the mirror servers, which contain a backdoor allowing remote root access.
phpMyAdmin team reports:
It was possible to conduct an XSS attack using a spoofed request on the db search script.
ISC reports:
If the server receives a DHCPv6 packet containing one or more Relay-Forward messages, and none of them supply an address in the Relay-Forward link-address field, then the server will crash. This can be used as a single packet crash attack vector.
The OpenTTD Team reports:
When a client disconnects, without sending the "quit" or "client error" message, the server has a chance of reading and writing a just freed piece of memory. The writing can only happen while the server is sending the map. Depending on what happens directly after freeing the memory there is a chance of segmentation fault, and thus a denial of service.
The Horde team reports:
The major changes compared to Horde version 3.3.10 are:
* Fixed XSS vulnerability when viewing details of a vCard.
Tippingpoint reports:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ProFTPD. Authentication is not required to exploit this vulnerability.
The flaw exists within the proftpd server component which listens by default on TCP port 21. When reading user input, if a TELNET_IAC escape sequence is encountered, the process miscalculates a buffer length counter value, allowing a user controlled copy of data to a stack buffer. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the proftpd process.
OpenSSL Team reports:
Rob Hulswit has found a flaw in the OpenSSL TLS server extension code parsing which on affected servers can be exploited in a buffer overrun attack.
Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism. Servers that are multi-process and/or disable internal session caching are NOT affected.
In particular the Apache HTTP server (which never uses OpenSSL internal caching) and Stunnel (which includes its own workaround) are NOT affected.
Adobe Product Security Incident Response Team reports:
Critical vulnerabilities have been identified in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.1.95.1 for Android. These vulnerabilities, including CVE-2010-3654 referenced in Security Advisory APSA10-05, could cause the application to crash and could potentially allow an attacker to take control of the affected system.
Secunia reports:
A vulnerability has been discovered in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an infinite recursion error in the "dissect_unknown_ber()" function in epan/dissectors/packet-ber.c and can be exploited to cause a stack overflow e.g. via a specially crafted SNMP packet.
The vulnerability is confirmed in version 1.4.0 and reported in version 1.2.11 and prior and version 1.4.0 and prior.
Secunia reports:
Two vulnerabilities have been reported in Mailman, which can be exploited by malicious users to conduct script insertion attacks.
Certain input passed via the list descriptions is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.
Successful exploitation requires "list owner" permissions.
OTRS Security Advisory reports:
- Multiple Cross Site Scripting issues: Missing HTML quoting allows authenticated agents or customers to inject HTML tags. This vulnerability allows an attacker to inject script code into the OTRS web-interface which will be loaded and executed in the browsers of system users.
- Possible Denial of Service Attack: Perl's regular expressions consume 100% CPU time on the server if an agent or customer views an affected article. To exploit this vulnerability the malicious user needs to send extremely large HTML emails to your system address.
AgentTicketZoom is vulnerable to XSS attacks from HTML e-mails:
Whenever a customer sends an HTML e-mail and RichText is enabled in OTRS, javascript contained in the email can do everything in the OTRS agent interface that the agent himself could do.
Most relevant is that this type of exploit can be used in such a way that the agent won't even detect he is being exploited.
The Mozilla Project reports:
MFSA 2010-73 Heap buffer overflow mixing document.write and DOM insertion
The Opera Desktop Team reports:
- Fixed an issue that allowed cross-domain checks to be bypassed, allowing limited data theft using CSS, as reported by Isaac Dawson.
- Fixed an issue where manipulating the window could be used to spoof the page address.
- Fixed an issue with reloads and redirects that could allow spoofing and cross-site scripting.
- Fixed an issue that allowed private video streams to be intercepted, as reported by Nirankush Panchbhai of Microsoft Vulnerability Research.
- Fixed an issue that caused JavaScript to run in the wrong security context after manual interaction.
Secunia reports:
A vulnerability has been reported in bzip2, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
The vulnerability is caused due to an integer overflow in the "BZ2_decompress()" function in decompress.c and can be exploited to cause a crash or potentially execute arbitrary code.
When decompressing data, the run-length encoded values are not adequately sanity-checked, allowing for an integer overflow.
The read-only flag is not correctly copied when a mbuf buffer reference is duplicated. When the sendfile(2) system call is used to transmit data over the loopback interface, this can result in the backing pages for the transmitted file being modified, causing data corruption.
The NFS client subsystem fails to correctly validate the length of a parameter provided by the user when a filesystem is mounted.
A programming error in the OPIE library could allow an off-by-one buffer overflow to write a single zero byte beyond the end of an on-stack buffer.
The jail(8) utility does not change the current working directory while imprisoning. The current working directory can be accessed by its descendants.
When replaying setattr transaction, the replay code would set the attributes with certain insecure defaults, when the logged transaction did not touch these attributes.
If ntpd receives a mode 7 (MODE_PRIVATE) request or error response from a source address not listed in either a 'restrict ... noquery' or a 'restrict ... ignore' section it will log the event and send a mode 7 error response.
If a client requests DNSSEC records with the Checking Disabled (CD) flag set, BIND may cache the unvalidated responses. These responses may later be returned to another client that has not set the CD flag.
When downloading updates to FreeBSD via 'freebsd-update fetch' or 'freebsd-update upgrade', the freebsd-update(8) utility copies currently installed files into its working directory (/var/db/freebsd-update by default) both for the purpose of merging changes to configuration files and in order to be able to roll back installed updates.
The default working directory used by freebsd-update(8) is normally created during the installation of FreeBSD with permissions which allow all local users to see its contents, and freebsd-update(8) does not take any steps to restrict access to files stored in said directory.
When running setuid programs rtld will normally remove potentially dangerous environment variables. Due to recent changes in FreeBSD environment variable handling code, a corrupt environment may result in attempts to unset environment variables failing.
The SSL version 3 and TLS protocols support session renegotiation without cryptographically tying the new session parameters to the old parameters.
The monotone developers report:
Running "mtn ''" or "mtn ls ''" doesn't cause an internal error anymore. In monotone 0.48 and earlier this behavior could be used to crash a server remotely (but only if it was configured to allow execution of remote commands).
The Mozilla Project reports:
MFSA 2010-64 Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14)
MFSA 2010-65 Buffer overflow and memory corruption using document.write
MFSA 2010-66 Use-after-free error in nsBarProp
MFSA 2010-67 Dangling pointer vulnerability in LookupGetterOrSetter
MFSA 2010-68 XSS in gopher parser when parsing hrefs
MFSA 2010-69 Cross-site information disclosure via modal calls
MFSA 2010-70 SSL wildcard certificate matching IP addresses
MFSA 2010-71 Unsafe library loading vulnerabilities
MFSA 2010-72 Insecure Diffie-Hellman key exchange
Gustavo Noronha Silva reports:
The patches to fix the following CVEs are included with help from Vincent Danen and other members of the Red Hat security team:
Secunia reports:
Multiple vulnerabilities have been reported in APR-util, which can be exploited by malicious people to cause a DoS (Denial of Service).
Two XML parsing vulnerabilities exist in the bundled version of expat.
An error within the "apr_brigade_split_line()" function in buckets/apr_brigade.c can be exploited to cause high memory consumption.
The phpMyFAQ project reports:
The phpMyFAQ Team has learned of a security issue that has been discovered in phpMyFAQ 2.6.x: phpMyFAQ doesn't sanitize some variables in different pages correctly. With a properly crafted URL it is e.g. possible to inject JavaScript code into the output of a page, which could result in the leakage of domain cookies (e.g. session identifiers).
The Horde team reports:
The major changes compared to Gollem version H3 (1.1.1) are:
* Fixed an XSS vulnerability in the file viewer.
The Horde team reports:
Thanks to Naumann IT Security Consulting for reporting the XSS vulnerability.
The major changes compared to IMP version H3 (4.3.7) are:
* Fixed an XSS vulnerability in the Fetchmail configuration.
The Horde team reports:
Thanks to Naumann IT Security Consulting for reporting the XSS vulnerability.
Thanks to Secunia for releasing an advisory for the new CSRF protection in the preference interface.
The major changes compared to Horde version 3.3.8 are:
* Fixed XSS vulnerability in util/icon_browser.php.
* Protected preference forms against CSRF attacks.
The OpenX project reported:
It has been brought to our attention that there is a vulnerability in the 2.8 downloadable version of OpenX that can result in a server running the downloaded version of OpenX being compromised.
This vulnerability exists in the file upload functionality and allows attackers to upload and execute PHP code of their choice.
Squid security advisory 2010:3 reports:
Due to an internal error in string handling Squid is vulnerable to a denial of service attack when processing specially crafted requests.
This problem allows any trusted client to perform a denial of service attack on the Squid service.
Adobe Product Security Incident Response Team reports:
A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.
Django project reports:
The provided template tag for inserting the CSRF token into forms -- {% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is. Thus, an attacker who is able to tamper with the value of the CSRF cookie can cause arbitrary content to be inserted, unescaped, into the outgoing HTML of the form, enabling cross-site scripting (XSS) attacks.
Gustavo Noronha Silva reports:
With help from Vincent Danen and other members of the Red Hat security team, the following CVEs were fixed.
Description for CVE-2008-3432 says:
Heap-based buffer overflow in the mch_expand_wildcards function in os_unix.c in Vim 6.2 and 6.3 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames, as demonstrated by the netrw.v3 test case.
The Mozilla Project reports:
MFSA 2010-49 Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)
MFSA 2010-50 Frameset integer overflow vulnerability
MFSA 2010-51 Dangling pointer vulnerability using DOM plugin array
MFSA 2010-52 Windows XP DLL loading vulnerability
MFSA 2010-53 Heap buffer overflow in nsTextFrameUtils::TransformText
MFSA 2010-54 Dangling pointer vulnerability in nsTreeSelection
MFSA 2010-55 XUL tree removal crash and remote code execution
MFSA 2010-56 Dangling pointer vulnerability in nsTreeContentView
MFSA 2010-57 Crash and remote code execution in normalizeDocument
MFSA 2010-58 Crash on Mac using fuzzed font in data: URL
MFSA 2010-59 SJOW creates scope chains ending in outer object
MFSA 2010-60 XSS using SJOW scripted function
MFSA 2010-61 UTF-7 XSS by overriding document charset using object type attribute
MFSA 2010-62 Copy-and-paste or drag-and-drop into designMode document allows XSS
MFSA 2010-63 Information leak via XMLHttpRequest statusText
Todd Miller reports:
Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo -g option (run as group). A flaw exists in the logic that matches Runas groups in the sudoers file when the -u option is also specified (run as user). This flaw results in a positive match for the user specified via -u so long as the group specified via -g is allowed by the sudoers file.
Exploitation of the flaw requires that Sudo be configured with sudoers entries that contain a Runas group. Entries that do not contain a Runas group, or only contain a Runas user are not affected.
The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
GNU Wget version 1.12 and earlier uses a server-provided filename instead of the original URL to determine the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a 3xx redirect to a URL with a .wgetrc filename followed by a 3xx redirect to a URL with a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a `.' (dot) character, which allows remote servers to create or overwrite files via a 3xx redirect to a URL with a crafted filename or a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
The Red Hat security team reported two vulnerabilities:
A stack buffer overflow flaw was found in the way Quagga's bgpd daemon processed Route-Refresh messages. A configured Border Gateway Protocol (BGP) peer could send a Route-Refresh message with specially-crafted Outbound Route Filtering (ORF) record, which would cause the master BGP daemon (bgpd) to crash or, possibly, execute arbitrary code with the privileges of the user running bgpd.
A NULL pointer dereference flaw was found in the way Quagga's bgpd daemon parsed paths of autonomous systems (AS). A configured BGP peer could send a BGP update AS path request with unknown AS type, which could lead to denial of service (bgpd daemon crash).
A Bugzilla Security Advisory reports:
- Remote Information Disclosure: An unprivileged user is normally not allowed to view other users' group membership. But boolean charts let the user use group-based pronouns, indirectly disclosing group membership. This security fix restricts the use of pronouns to groups the user belongs to.
- Notification Bypass: Normally, when a user is impersonated, he receives an email informing him that he is being impersonated, containing the identity of the impersonator. However, it was possible to impersonate a user without this notification being sent.
- Remote Information Disclosure: An error message thrown by the "Reports" and "Duplicates" page confirmed the non-existence of products, thus allowing users to guess confidential product names. (Note that the "Duplicates" page was not vulnerable in Bugzilla 3.6rc1 and above though.)
- Denial of Service: If a comment contained the phrases "bug X" or "attachment X", where X was an integer larger than the maximum 32-bit signed integer size, PostgreSQL would throw an error, and any page containing that comment would not be viewable. On most Bugzillas, any user can enter a comment on any bug, so any user could have used this to deny access to one or all bugs. Bugzillas running on databases other than PostgreSQL are not affected.
The OpenTTD Team reports:
When multiple commands are queued (at the server) for execution in the next game tick and a client joins, the server can get into an infinite loop. With the default settings triggering this bug is difficult (if not impossible); however, the larger the value of the "frame_freq" setting, the easier it is to trigger the bug.
The affected corkscrew versions use sscanf calls without proper bounds checking. In the authentication file parsing routine this can cause an exploitable buffer overflow condition. A similar issue exists in the server response code but appears to be non-exploitable.
phpMyAdmin Team reports:
It was possible to conduct an XSS attack using crafted URLs or POST parameters on several pages.
SLiM assigns logged on users a PATH in which the current working directory ("./") is included. This PATH can allow unintentional code execution through planted binaries and has therefore been fixed in SLiM version 1.3.2.
The official ruby site reports:
WEBrick has had a cross-site scripting vulnerability that allows an attacker to inject arbitrary script or HTML via a crafted URI. This does not affect user agents that strictly implement HTTP/1.1; however, some user agents do not.
Isolate currently suffers from some bad security bugs! These are local root privilege escalation bugs. Thanks to the helpful person who reported them (email Chris if you want credit!). We're working to fix them ASAP, but until then, isolate is unsafe and you should uninstall it. Sorry!
VideoLAN project reports:
VLC fails to perform sufficient input validation when trying to extract some meta-information about input media through ID3v2 tags. In the failure case, VLC attempts to dereference an invalid memory address, and a crash will ensue.
Adobe Product Security Incident Response Team reports:
Critical vulnerabilities have been identified in Adobe Flash Player version 10.1.53.64 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.
The Opera Desktop Team reports:
- Fixed an issue where heap buffer overflow in HTML5 canvas could be used to execute arbitrary code, as reported by Kuzzcc.
- Fixed an issue where unexpected changes in tab focus could be used to run programs from the Internet, as reported by Jakob Balle and Sven Krewitt of Secunia.
- Fixed an issue where news feed preview could subscribe to feeds without interaction, as reported by Alexios Fakos.
The Mozilla Project reports:
MFSA 2010-48 Dangling pointer crash regression from plugin parameter array fix
Piwik versions 0.6 through 0.6.3 are vulnerable to arbitrary, remote file inclusion using a directory traversal pattern in a crafted request for a data renderer.
A vulnerability has been reported in Piwik, which can be exploited by malicious people to disclose potentially sensitive information. Input passed to unspecified parameters when requesting a data renderer is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks.
There is a denial of service vulnerability in libmspack. The libmspack code is built into cabextract, so it is also vulnerable.
Secunia reports:
The vulnerability is caused due to an error when copying data from an uncompressed block (block type 0) and can be exploited to trigger an infinite loop by tricking an application using the library into processing specially crafted MS-ZIP archives.
Apache ChangeLog reports:
mod_dav, mod_cache: Fix Handling of requests without a path segment.
Greg Brockman reports:
If an attacker were to create a crafted working copy where the user runs any git command, the attacker could force execution of arbitrary code.
Derek Jones reports:
A fix has been implemented for a security flaw in CodeIgniter 1.7.2. All applications using the File Upload class should install the patch to ensure that their application is not subject to a vulnerability.
The Mozilla Project reports:
MFSA 2010-34 Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11)
MFSA 2010-35 DOM attribute cloning remote code execution vulnerability
MFSA 2010-36 Use-after-free error in NodeIterator
MFSA 2010-37 Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability
MFSA 2010-38 Arbitrary code execution using SJOW and fast native function
MFSA 2010-39 nsCSSValue::Array index integer overflow
MFSA 2010-40 nsTreeSelection dangling pointer remote code execution vulnerability
MFSA 2010-41 Remote code execution using malformed PNG image
MFSA 2010-42 Cross-origin data disclosure via Web Workers and importScripts
MFSA 2010-43 Same-origin bypass using canvas context
MFSA 2010-44 Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanish
MFSA 2010-45 Multiple location bar spoofing vulnerabilities
MFSA 2010-46 Cross-domain data theft using CSS
MFSA 2010-47 Cross-origin data leakage from script filename in error messages
Kees Cook reports:
Janne Snabb discovered that applications using VTE, such as gnome-terminal, did not correctly filter window and icon title request escape codes. If a user were tricked into viewing specially crafted output in their terminal, a remote attacker could execute arbitrary commands with user privileges.
Gustavo Noronha reports:
Debian's Michael Gilbert has done a great job going through all CVEs released about WebKit, and including patches in the Debian package. 1.2.3 includes all of the commits from trunk to fix those, too.
Eric Davis reports:
This security release addresses some security vulnerabilities found in the advanced subversion integration module (Redmine.pm perl script).
Julius Plenz reports:
I found a bug in the base64_decode function which may cause memory corruption when the function is executed on a malformed base64 encoded string.
If a string starting with an equal-sign is passed to the base64_decode function it triggers a memory corruption that in some cases makes bogofilter crash.
A Bugzilla Security Advisory reports:
- Normally, information about time-tracking (estimated hours, actual hours, hours worked, and deadlines) is restricted to users in the "time-tracking group". However, any user was able, by crafting their own search URL, to search for bugs using those fields as criteria, thus possibly exposing sensitive time-tracking information by a user seeing that a bug matched their search.
- If $use_suexec was set to "1" in the localconfig file, then the localconfig file's permissions were set as world-readable by checksetup.pl. This allowed any user with local shell access to see the contents of the file, including the database password and the site_wide_secret variable used for CSRF protection.
Two security vulnerabilities have been discovered:
Multiple format string vulnerabilities in the DCC functionality in KVIrc 3.4 and 4.0 have unspecified impact and remote attack vectors.
Directory traversal vulnerability in the DCC functionality in KVIrc 3.4 and 4.0 allows remote attackers to overwrite arbitrary files via unknown vectors.
The PNG project describes the problem in an advisory:
Several versions of libpng through 1.4.2 (and through 1.2.43 in the older series) contain a bug whereby progressive applications such as web browsers (or the rpng2 demo app included in libpng) could receive an extra row of image data beyond the height reported in the header, potentially leading to an out-of-bounds write to memory (depending on how the application is written) and the possibility of execution of an attacker's code with the privileges of the libpng user (including remote compromise in the case of a libpng-based browser visiting a hostile web site).
The Moodle release notes report multiple vulnerabilities which could allow cross-site scripting (XSS) attacks and, in some instances, unauthorised deletion of attempts.
Juli Mallett reports:
mdnsd will crash on some systems with a corrupt stack and once that's fixed it will still leak a file descriptor when parsing resolv.conf. The crash is because scanf is used with %10s for a buffer that is only 10 chars long. The buffer size needs to be increased to 11 chars to hold the trailing NUL. To fix the leak, an fclose needs to be added.
The Opera Desktop Team reports:
Data URIs are allowed to run scripts that manipulate pages from the site that directly opened them. In some cases, the opening site is not correctly detected. In these cases, Data URIs may erroneously be able to run scripts so that they interact with sites that did not directly cause them to be opened.
Multiple vulnerabilities have been reported to exist in older versions of Cacti. The release notes of Cacti 0.8.7f summarize the problems as follows:
- SQL injection and shell escaping issues
- Cross-site scripting issues
- Cacti Graph Viewer SQL injection vulnerability
Mozilla Project reports:
MFSA 2010-33 User tracking across sites using Math.random()
MFSA 2010-32 Content-Disposition: attachment ignored if Content-Type: multipart also present
MFSA 2010-31 focus() behavior can be used to inject or steal keystrokes
MFSA 2010-30 Integer Overflow in XSLT Node Sorting
MFSA 2010-29 Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
MFSA 2010-28 Freed object reuse across plugin instances
MFSA 2010-27 Use-after-free error in nsCycleCollector::MarkRoots()
MFSA 2010-26 Crashes with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10)
MFSA 2010-25 Re-use of freed object due to scope confusion
Daniel Mealha Cabrita reports:
Fixed security vulnerability (heap-related) in PNG decoder. (new bug from 3.1.0)
Tielei Wang reports:
Multiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.
Adobe Product Security Incident Response Team reports:
Critical vulnerabilities have been identified in Adobe Flash Player version 10.0.45.2 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.
Kevin Finisterre reports:
Multiple integer overflows in the handling of TIFF files may result in a heap buffer overflow. Opening a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution. The issues are addressed through improved bounds checking. Credit to Kevin Finisterre of digitalmunition.com for reporting these issues.
Todd Miller reports:
Most versions of the C library function getenv() return the first instance of an environment variable to the caller. However, some programs, notably the GNU Bourne Again SHell (bash), do their own environment parsing and may choose the last instance of a variable rather than the first one.
An attacker may manipulate the environment of the process that executes Sudo such that a second PATH variable is present. When Sudo runs a bash script, it is this second PATH variable that is used by bash, regardless of whether or not Sudo has overwritten the first instance of PATH. This may allow an attacker to subvert the program being run under Sudo and execute commands he/she would not otherwise be allowed to run.
Ziproxy 3.0.1 release fixes a security vulnerability related to atypical huge picture files (>4GB of size once expanded).
Two security vulnerabilities were discovered:
Noncompliant CSS parsing behaviour in Internet Explorer allows attackers to construct CSS strings which are treated as safe by previous versions of MediaWiki, but are decoded to unsafe strings by Internet Explorer.
A CSRF vulnerability was discovered in our login interface. Although regular logins are protected as of 1.15.3, it was discovered that the account creation and password reset features were not protected from CSRF. This could lead to unauthorised access to private wikis.
The Redmine release announcement reports that several cross-site scripting vulnerabilities and a potential data disclosure vulnerability have been fixed in the latest release.
A vulnerability found in the DOCSIS dissector can cause Wireshark to crash when a malformed packet trace file is opened. This means that an attacker will have to trick a victim into opening such a trace file before being able to crash the application.
The Piwik security advisory reports:
A non-persistent, cross-site scripting vulnerability (XSS) was found in Piwik's Login form that reflected the form_url parameter without being properly escaped or filtered.
The spamassassin milter plugin contains a vulnerability that can allow remote attackers to execute commands on affected systems.
The vulnerability can be exploited through a specially crafted email header when the plugin was started with the '-x' (expand) flag.
A MediaWiki security announcement reports:
MediaWiki was found to be vulnerable to login CSRF. An attacker who controls a user account on the target wiki can force the victim to log in as the attacker, via a script on an external website.
If the wiki is configured to allow user scripts, say with "$wgAllowUserJs = true" in LocalSettings.php, then the attacker can proceed to mount a phishing-style attack against the victim to obtain their password.
Dan Rosenberg reports:
There are several cross-site scripting vulnerabilities in LXR. These vulnerabilities could allow an attacker to execute scripts in a user's browser, steal cookies associated with vulnerable domains, redirect the user to malicious websites, etc.
VideoLAN project reports:
VLC media player suffers from various vulnerabilities when attempting to parse malformatted or overly long byte streams.
Joomla! reported the following vulnerabilities:
If a user entered a URL with a negative query limit or offset, a PHP notice would display revealing information about the system.
The migration script in the Joomla! installer does not check the file type being uploaded. If the installation application is present, an attacker could use it to upload malicious files to a server.
Session id doesn't get modified when user logs in. A remote site may be able to forward a visitor to the Joomla! site and set a specific cookie. If the user then logs in, the remote site can use that cookie to authenticate as that user.
When a user requests a password reset, the reset tokens were stored in plain text in the database. While this is not a vulnerability in itself, it allows user accounts to be compromised if there is an extension on the site with an SQL injection vulnerability.
Bonsai information security reports:
A vulnerability has been discovered in Cacti, which can be exploited by any user to conduct SQL Injection attacks. Input passed via the "export_item_id" parameter to "templates_export.php" script is not properly sanitized before being used in a SQL query.
The same source also reported a command execution vulnerability. This second issue can be exploited by Cacti users who have the rights to modify device or graph configurations.
The Moodle release notes report multiple vulnerabilities which could allow remote attackers to perform, amongst others, cross site scripting, user enumeration and SQL injection attacks.
The Apache software foundation reports:
The "WWW-Authenticate" header for BASIC and DIGEST authentication includes a realm name. If a <realm-name> element is specified for the application in web.xml it will be used. However, if a <realm-name> is not specified then Tomcat will generate one.
In some circumstances this can expose the local hostname or IP address of the machine running Tomcat.
The MIT Kerberos team reports:
An authenticated remote attacker can crash the KDC by inducing the KDC to perform a double free. Under some circumstances on some platforms, this could also allow malicious code execution.
Secunia Research reported two vulnerabilities in e107:
The first problem affects installations that have the Content Manager plugin enabled. This plugin does not sanitize the "content_heading" parameter correctly and is therefore vulnerable to a cross site scripting attack.
The second vulnerability is related to the avatar upload functionality. Images containing PHP code can be uploaded and executed.
Fetchmail developer Matthias Andree reported a vulnerability that allows remote attackers to crash the application when it runs in verbose mode.
Fetchmail before release 6.3.17 did not properly sanitize external input (mail headers and UID). When a multi-character locale (such as UTF-8) was in use, this could cause memory exhaustion and thus a denial of service.
Three denial of service vulnerabilities were found in pidgin and allow remote attackers to crash the application. The developers summarized these problems as follows:
Pidgin can become unresponsive when displaying large numbers of smileys
Certain nicknames in group chat rooms can trigger a crash in Finch
Failure to validate all fields of an incoming message can trigger a crash
A vulnerability in libpng can result in denial of service conditions when a remote attacker tricks a victim to open a specially-crafted PNG file.
The PNG project describes the problem in an advisory:
Because of the efficient compression method used in Portable Network Graphics (PNG) files, a small PNG file can expand tremendously, acting as a "decompression bomb".
Malformed PNG chunks can consume a large amount of CPU and wall-clock time and large amounts of memory, up to all memory available on a system.
The cURL project reports in a security advisory:
Using the affected libcurl version to download compressed content over HTTP, an application can ask libcurl to automatically uncompress data. When doing so, libcurl can wrongly send data up to 64K in size to the callback which thus is much larger than the documented maximum size.
An application that blindly trusts libcurl's max limit for a fixed buffer size or similar is then a possible target for a buffer overflow vulnerability.
The Red Hat security response team reports:
A remotely exploitable DoS from XMPP client to ejabberd server via too many "client2server" messages (causing the message queue on the server to get overloaded, leading to server crash) has been found.
Two vulnerabilities have been found in irssi. The first issue could allow man-in-the-middle attacks due to a missing comparison of SSL server hostnames and the certificate domain names (e.g. CN).
A second vulnerability, related to the nick matching code, could be triggered by remote attackers in order to crash an irssi client when leaving a channel.
An authenticated remote attacker can cause a denial of service by using a newer version of the kadmin protocol than the server supports.
The MIT Kerberos team also reports the cause:
The Kerberos administration daemon (kadmind) can crash due to referencing freed memory.
Two vulnerabilities in krb5 can be used by remote attackers in denial of service attacks. The MIT security advisories report this as follows:
An unauthenticated remote attacker can send an invalid request to a KDC process that will cause it to crash due to an assertion failure, creating a denial of service.
An unauthenticated remote attacker could cause a GSS-API application, including the Kerberos administration daemon (kadmind), to crash.
The Debian security team reports:
It was discovered that mahara, an electronic portfolio, weblog, and resume builder, is not properly escaping input when generating a unique username based on a remote user name from a single sign-on application. An attacker can use this to compromise the mahara database via crafted user names.
Todd Miller reports:
Sudo's command matching routine expects actual commands to include one or more slash ('/') characters. The flaw is that sudo's path resolution code did not add a "./" prefix to commands found in the current working directory. This creates an ambiguity between a "sudoedit" command found in the cwd and the "sudoedit" pseudo-command in the sudoers file. As a result, a user may be able to run an arbitrary command named "sudoedit" in the current working directory. For the attack to be successful, the PATH environment variable must include "." and may not include any other directory that contains a "sudoedit" command.
KDE Security Advisory reports:
KDM contains a race condition that allows local attackers to make arbitrary files on the system world-writeable. This can happen while KDM tries to create its control socket during user login. A local attacker with a valid local account can under certain circumstances make use of this vulnerability to execute arbitrary code as root.
The Dojo Toolkit team reports:
Some PHP files did not properly escape input.
Some files could operate like "open redirects". A bad actor could form a URL that looks like it came from a trusted site, but the user would be redirected or load content from the bad actor's site.
A file exposed a more serious cross-site scripting vulnerability with the possibility of executing code on the domain where the file exists.
The Dojo build process defaulted to copying over tests and demos, which are normally not needed and just increased the number of files that could be targets of attacks.
The Zend Framework team reports:
Several files in the bundled Dojo library were identified as having potential exploits, and the Dojo team also advised disabling or removing any PHP scripts in the Dojo library tree when deploying to production.
Mozilla Project reports:
MFSA 2009-25 Re-use of freed object due to scope confusion
Mozilla Project reports:
MFSA 2010-24 XMLDocument::load() doesn't check nsIContentPolicy
MFSA 2010-23 Image src redirect to mailto: URL opens email editor
MFSA 2010-22 Update NSS to support TLS renegotiation indication
MFSA 2010-21 Arbitrary code execution with Firebug XMLHttpRequestSpy
MFSA 2010-20 Chrome privilege escalation via forced URL drag and drop
MFSA 2010-19 Dangling pointer vulnerability in nsPluginArray
MFSA 2010-18 Dangling pointer vulnerability in nsTreeContentView
MFSA 2010-17 Remote code execution with use-after-free in nsTreeSelection
MFSA 2010-16 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)
BugTraq reports:
PostgreSQL is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
Attackers can exploit this issue to execute arbitrary code with elevated privileges or crash the affected application.
Jakob Lell reports:
The rmt client implementation of GNU Tar/Cpio contains a heap-based buffer overflow which possibly allows arbitrary code execution.
The problem can be exploited when using an untrusted/compromised rmt server.
Mozilla Project reports:
MFSA 2010-08 WOFF heap corruption due to integer overflow
Mozilla Project reports:
MFSA 2010-07 Fixes for potentially exploitable crashes ported to the legacy branch
MFSA 2010-06 Scriptable plugin execution in SeaMonkey mail
MFSA 2009-68 NTLM reflection vulnerability
MFSA 2009-62 Download filename spoofing with RTL override
MFSA 2009-59 Heap buffer overflow in string to number conversion
MFSA 2009-49 TreeColumns dangling pointer vulnerability
EGroupware Team reports:
Nahuel Grisolia from CYBSEC S.A. Security Systems found two security problems in EGroupware:
Serious remote command execution (allowing arbitrary commands to be run on the web server by simply issuing an HTTP request!).
A reflected cross-site scripting (XSS).
Both require NO valid EGroupware account and work without being logged in!
Drupal Team reports:
A user-supplied value is directly output during installation allowing a malicious user to craft a URL and perform a cross-site scripting attack. The exploit can only be conducted on sites not yet installed.
The API function drupal_goto() is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the Drupal site to send the user to an arbitrarily provided URL. No user submitted data will be sent to that URL.
Locale module and dependent contributed modules do not sanitize the display of language codes, native and English language names properly. While these usually come from a preselected list, arbitrary administrator input is allowed. This vulnerability is mitigated by the fact that the attacker must have a role with the 'administer languages' permission.
Under certain circumstances, a user with an open session that is blocked can maintain his/her session on the Drupal site, despite being blocked.
Todd Miller reports:
When sudo performs its command matching, there is a special case for pseudo-commands in the sudoers file (currently, the only pseudo-command is sudoedit). Unlike a regular command, pseudo-commands do not begin with a slash ('/'). The flaw is that sudo's matching code would only check against the list of pseudo-commands if the user-specified command also contained no slashes. As a result, if the user ran "sudo ./sudoedit" the normal matching code path was followed, which uses stat(2) to verify that the user-specified command matches the one in sudoers. In this case, it would compare the "./sudoedit" specified by the user with "sudoedit" from the sudoers file, resulting in a positive match.
OpenOffice.org Security Team reports:
Fixed in OpenOffice.org 3.2
CVE-2006-4339: Potential vulnerability from 3rd party libxml2 libraries
CVE-2009-0217: Potential vulnerability from 3rd party libxmlsec libraries
CVE-2009-2493: OpenOffice.org 3 for Windows bundles a vulnerable version of MSVC Runtime
CVE-2009-2949: Potential vulnerability related to XPM file processing
CVE-2009-2950: Potential vulnerability related to GIF file processing
CVE-2009-3301/2: Potential vulnerability related to MS-Word document processing
Mozilla Project reports:
MFSA 2010-05 XSS hazard using SVG document and binary Content-Type
MFSA 2010-04 XSS due to window.dialogArguments being readable cross-domain
MFSA 2010-03 Use-after-free crash in HTML parser
MFSA 2010-02 Web Worker Array Handling Heap Corruption Vulnerability
MFSA 2010-01 Crashes with evidence of memory corruption (rv:1.9.1.8/ 1.9.0.18)
Lighttpd security advisory reports:
If you send the request data very slow (e.g. sleep 0.01 after each byte), lighttpd will easily use all available memory and die (especially for parallel requests), allowing a DoS within minutes.
Squid security advisory 2010:2 reports:
Due to incorrect processing Squid is vulnerable to a denial of service attack when receiving specially crafted HTCP packets.
This problem allows any machine to perform a denial of service attack on the Squid service when its HTCP port is open.
Adobe Product Security Incident Response Team reports:
A critical vulnerability has been identified in Adobe Flash Player version 10.0.42.34 and earlier. This vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. This update also resolves a potential Denial of Service issue (CVE-2010-0187).
Ray Strode reports:
Under certain circumstances it is possible to circumvent the security of the screen locking functionality of gnome-screensaver by changing the system's physical monitor configuration.
gnome-screensaver can lose its keyboard grab when locked, exposing the system to intrusion by adding and removing monitors.
Matthias Andree reports:
In verbose mode, fetchmail prints X.509 certificate subject and issuer information to the user, and counts and allocates a malloc() buffer for that purpose.
If the material to be displayed contains characters with high bit set and the platform treats the "char" type as signed, this can cause a heap buffer overrun because non-printing characters are escaped as \xFF..FFnn, where nn is 80..FF in hex.
Wireshark project reports:
Babi discovered several buffer overflows in the LWRES dissector.
It may be possible to make Wireshark crash remotely or by convincing someone to read a malformed packet trace file.
OTRS Security Advisory reports:
Missing security quoting for SQL statements allows agents and customers to manipulate SQL queries. So it's possible for authenticated users to inject SQL queries via string manipulation of statements.
A malicious user may be able to manipulate SQL queries to read or modify records in the database. This way it could also be possible to get access to more permissions (e. g. administrator permissions).
To use this vulnerability the malicious user needs to have a valid Agent- or Customer-session.
Apache ChangeLog reports:
Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow.
Squid security advisory 2010:1 reports:
Due to incorrect data validation Squid is vulnerable to a denial of service attack when processing specially crafted DNS packets.
This problem allows any trusted client or external server who can determine the squid receiving port to perform a short-term denial of service attack on the Squid service.
A Bugzilla Security Advisory reports:
When moving a bug from one product to another, an intermediate page is displayed letting you select the groups the bug should be restricted to in the new product. However, a regression in the 3.4.x series made it ignore all groups which are not available in both products. As a workaround, you had to move the bug to the new product first and then restrict it to the desired groups, in two distinct steps, which could make the bug temporarily public.
SecurityFocus reports:
The first affects the /quote HELP module and allows a user to trigger an IRCD crash on some platforms.
The second affects the /links processing module when the flatten_links configuration option is not enabled.
Dokuwiki reports:
The plugin does no checks against cross-site request forgeries (CSRF) which can be exploited to e.g. change the access control rules by tricking a logged in administrator into visiting a malicious web site.
The bug allows listing the names of arbitrary files on the webserver - not their contents. This could leak private information about wiki pages and server structure.
The Zend Framework team reports:
Potential XSS or HTML Injection vector in Zend_Json.
Potential XSS vector in Zend_Service_ReCaptcha_MailHide.
Potential MIME-type Injection in Zend_File_Transfer Executive Summary.
Potential XSS vector in Zend_Filter_StripTags when comments allowed.
Potential XSS vector in Zend_Dojo_View_Helper_Editor.
Potential XSS vectors due to inconsistent encodings.
XSS vector in Zend_Filter_StripTags.
LFI vector in Zend_View::setScriptPath() and render().
PowerDNS Security Advisory reports:
PowerDNS Recursor up to and including 3.1.7.1 can be brought down and probably exploited.
PowerDNS Recursor up to and including 3.1.7.1 can be spoofed into accepting bogus data.
PEAR Security Advisory reports:
Multiple remote arbitrary command injections have been found in Net_Ping and Net_Traceroute.
When input from forms is used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections.