LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
Cross-site scripting attacks
Two weeks ago, this page examined SQL injection attacks on web applications. Another well-known attack is cross-site scripting, often abbreviated as "XSS." Cross-site scripting is, perhaps, a more subtle way of breaking web applications, but its effects can be just as damaging as SQL Injection.The basic vector for XSS is user input into a website that is not filtered to remove dangerous content. One of the more obvious ways this can occur is with sites that allow users to add comments to stories, without removing or altering HTML tags that they enter. For example, if one adds a comment that contains:
<script>alert("howdy")</script>
and someone else, when looking at that comment, gets the alert,
the site is vulnerable to XSS. Obviously, a javascript popup is not
particularly dangerous and would be a clear sign that something odd is
going on. This kind of 'attack' is only used as a proof of concept.
The key thing to note
is that one user can run javascript in the context of another user's
browser, with all of the information and privileges of the targeted user
(or, at least, the subset granted to javascript).
There are other mechanisms to inject this kind of malicious content, either as HTML links or by causing error messages that display the content. Essentially any place that a web application displays user input can be exploited if the input or output is not filtered correctly. When XSS attacks appear in links, they are often encoded in hex using the '%xx' or '&#xx;' so that it is not immediately apparent that the link contains malicious content.
A wide variety of actions can be triggered by an XSS exploit, including cookie theft, account hijacking, and denial of service. A clever attacker could make a page that looks exactly like the login page of a popular website (Google for example) and an unwary user could be fooled into entering their username and password into this page after following a link. By exploiting an XSS hole recently reported and discussed on the Bugtraq mailing list, the link would not obviously be malicious and could start with http://www.google.com.
Another common attack is to hijack a session by using an XSS exploit to capture a cookie value that stores a session ID. An attacker can then use that session ID to take over a currently logged-in session at the web site and for all intents and purposes, become that user. This attack is especially nasty if that user happens to be an administrative user - or is logged into, say, a financial site.
Avoiding XSS in a web application requires diligence in filtering user input (a common theme in nearly all web application vulnerabilities). Any user input that is sent back to browser for any reason needs to have certain characters converted to strings that will display properly, but not be interpreted as HTML by the browser. An XSS FAQ recommends replacing the following characters: < > ( ) & and # with <, >, (, etc.
XSS vulnerabilities are one of the most commonly reported security issues with web applications today. New XSS techniques are discovered regularly that find new ways to evade various security measures implemented by the browser scripting languages and new ways to fool users into falling into an XSS trap. Any technique that allows attackers to run code in your browser with your permissions is obviously cause for worry. Website users can only take some fairly drastic measures to avoid XSS (turning off javascript, not following links, etc.). This is clearly something that website owners must handle to protect their users.
Security news
Anti-virus to protect against anti-virus vulnerabilities
Users of the ClamAV free anti-virus system should be aware of the recent vulnerabilities in that package. No need to fear, however: SonicWALL has announced that its (proprietary) anti-virus system is now equipped to shield your network from attempts to exploit one of those vulnerabilities. So ClamAV users need not actually apply the update - just layer another anti-virus package on top of it instead.
New vulnerabilities
clamav: multiple vulnerabilities
| Package(s): | clamav | CVE #(s): | CVE-2006-1614 CVE-2006-1615 CVE-2006-1630 | |||||||||||||||
| Created: | April 6, 2006 | Updated: | April 12, 2006 | |||||||||||||||
| Description: | The ClamAV anti-virus toolkit has three vulnerabilities. the PE header parser has an integer overflow problem, the logging code has format string vulnerabilities that may lead to the execution of arbitrary code, and the cli_bitset_set() function can be used to create a denial of service. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
doomsday: format string vulnerability
| Package(s): | doomsday | CVE #(s): | CVE-2006-1618 | |||
| Created: | April 6, 2006 | Updated: | April 12, 2006 | |||
| Description: | The doomsday gaming engine has a format string vulnerability that may be utilized by a remote attacker for the execution of arbitrary code. | |||||
| Alerts: |
| |||||
libimager-perl: denial of service
| Package(s): | libimager-perl | CVE #(s): | CVE-2006-0053 | |||
| Created: | April 9, 2006 | Updated: | April 12, 2006 | |||
| Description: | The libimager-perl Perl extension has a vulnerability in which maliciously created 4-channel JPEG images can cause a segmentation fault and cause a denial of service. | |||||
| Alerts: |
| |||||
mplayer: integer overflows
| Package(s): | mplayer | CVE #(s): | CVE-2006-1502 | ||||||
| Created: | April 9, 2006 | Updated: | May 1, 2006 | ||||||
| Description: | MPlayer 1.0pre7try2 has multiple integer overflow vulnerabilities. Remote attackers can maliciously craft an ASF file or an AVI file in order to cause a denial of service. | ||||||||
| Alerts: |
| ||||||||
openvpn: arbitrary code execution
| Package(s): | openvpn | CVE #(s): | CVE-2006-1629 | ||||||
| Created: | April 11, 2006 | Updated: | April 27, 2006 | ||||||
| Description: | OpenVPN 2.0 through 2.0.5 allows remote malicious servers to execute arbitrary code on the client by using setenv with the LD_PRELOAD environment variable. | ||||||||
| Alerts: |
| ||||||||
plone: unauthorized access
| Package(s): | plone | CVE #(s): | CVE-2006-1711 | |||
| Created: | April 12, 2006 | Updated: | April 12, 2006 | |||
| Description: | From the Debian advisory: "It was discovered that the Plone content management system lacks security declarations for three internal classes. This allows manipulation of user portraits by unprivileged users." | |||||
| Alerts: |
| |||||
xscreensaver: possible password exposure
| Package(s): | xscreensaver | CVE #(s): | CVE-2004-2655 | ||||||
| Created: | April 11, 2006 | Updated: | May 24, 2006 | ||||||
| Description: | In some cases, xscreensaver did not properly grab the keyboard when reading the password for unlocking the screen, so that the password was typed into the currently active application window. The only known vulnerable case was when xscreensaver activated while an rdesktop session was currently active. | ||||||||
| Alerts: |
| ||||||||
Updated vulnerabilities
Py2Play: remote execution of arbitrary Python code
| Package(s): | Py2Play | CVE #(s): | CAN-2005-2875 | |||||||||
| Created: | September 19, 2005 | Updated: | September 6, 2006 | |||||||||
| Description: | Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client. | |||||||||||
| Alerts: |
| |||||||||||
ADOdb: PostgresSQL command injection
| Package(s): | adodb | CVE #(s): | CVE-2006-0410 | |||||||||||||||
| Created: | February 6, 2006 | Updated: | April 17, 2006 | |||||||||||||||
| Description: | Andy Staudacher discovered that ADOdb does not properly sanitize all parameters. By sending specifically crafted requests to an application that uses ADOdb and a PostgreSQL backend, an attacker might exploit the flaw to execute arbitrary SQL queries on the host. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
apache: cross-site scripting
| Package(s): | apache | CVE #(s): | CVE-2005-3352 | |||||||||||||||||||||||||||||||||
| Created: | December 14, 2005 | Updated: | May 10, 2006 | |||||||||||||||||||||||||||||||||
| Description: | Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
blender: integer overflow
| Package(s): | blender | CVE #(s): | CVE-2005-4470 | |||||||||||||||
| Created: | January 6, 2006 | Updated: | June 15, 2006 | |||||||||||||||
| Description: | Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
bzip2: race condition and infinite loop
| Package(s): | bzip2 | CVE #(s): | CAN-2005-0953 CAN-2005-1260 | ||||||||||||||||||||||||
| Created: | May 17, 2005 | Updated: | January 10, 2007 | ||||||||||||||||||||||||
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
ktools: buffer overflow
| Package(s): | centericq | CVE #(s): | CVE-2005-3863 | |||||||||||||||
| Created: | December 7, 2005 | Updated: | August 29, 2006 | |||||||||||||||
| Description: | From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
cpio: arbitrary code execution
| Package(s): | cpio | CVE #(s): | CVE-2005-4268 | |||||||||
| Created: | January 2, 2006 | Updated: | May 8, 2007 | |||||||||
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). | |||||||||||
| Alerts: |
| |||||||||||
crossfire: arbitrary code execution
| Package(s): | crossfire | CVE #(s): | CVE-2006-1010 | ||||||
| Created: | March 14, 2006 | Updated: | April 24, 2006 | ||||||
| Description: | It was discovered that Crossfire, a multiplayer adventure game, performs insufficient bounds checking on network packets when run in "oldsocketmode", which may possibly lead to the execution of arbitrary code. | ||||||||
| Alerts: |
| ||||||||
curl: heap-based buffer overflow
| Package(s): | curl | CVE #(s): | CVE-2006-1061 | ||||||||||||
| Created: | March 21, 2006 | Updated: | June 28, 2006 | ||||||||||||
| Description: | Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path. | ||||||||||||||
| Alerts: |
| ||||||||||||||
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd | CVE #(s): | CAN-2005-0546 | |||||||||||||||||||||||||||
| Created: | February 23, 2005 | Updated: | April 9, 2006 | |||||||||||||||||||||||||||
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
dia: missing input sanitizing
| Package(s): | dia | CVE #(s): | CAN-2005-2966 | ||||||||||||||||||
| Created: | October 4, 2005 | Updated: | April 6, 2006 | ||||||||||||||||||
| Description: | Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking an user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
dia: buffer overflows
| Package(s): | dia | CVE #(s): | CVE-2006-1550 | |||||||||||||||
| Created: | April 3, 2006 | Updated: | May 3, 2006 | |||||||||||||||
| Description: | Three buffer overflows were discovered in the Xfig file format importer. By tricking a user into opening a specially crafted .fig file with dia, an attacker could exploit this to execute arbitrary code with the user's privileges. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 | CVE #(s): | CAN-2005-0100 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | February 7, 2005 | Updated: | May 15, 2006 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
enscript: arbitrary code execution
| Package(s): | enscript | CVE #(s): | CAN-2004-1184 CAN-2004-1185 CAN-2004-1186 | |||||||||||||||||||||||||||||||||||||||
| Created: | January 21, 2005 | Updated: | May 27, 2006 | |||||||||||||||||||||||||||||||||||||||
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
fetchmail: multidrop bug
| Package(s): | fetchmail | CVE #(s): | CVE-2005-4348 | ||||||||||||||||||||||||
| Created: | December 20, 2005 | Updated: | May 27, 2006 | ||||||||||||||||||||||||
| Description: | Fetchmail contains a bug which allows a malicious mail server to crash the client by sending a message without headers. This occurs when running in multidrop mode. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic | CVE #(s): | CAN-2004-0801 | |||||||||||||||
| Created: | September 20, 2004 | Updated: | May 31, 2006 | |||||||||||||||
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
freeradius: authentication bypass
| Package(s): | freeradius | CVE #(s): | CVE-2006-1354 | ||||||||||||||||||
| Created: | March 24, 2006 | Updated: | June 5, 2006 | ||||||||||||||||||
| Description: | An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
gdb: multiple vulnerabilities
| Package(s): | gdb | CVE #(s): | CAN-2005-1704 CAN-2005-1705 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 20, 2005 | Updated: | August 11, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
gnupg: incorrect signature verification
| Package(s): | gnupg | CVE #(s): | CVE-2006-0049 | ||||||||||||||||||||||||||||||
| Created: | March 13, 2006 | Updated: | May 15, 2006 | ||||||||||||||||||||||||||||||
| Description: | Another vulnerability has been found in GnuPG. "Signature verification of non-detached signatures may give a positive result but when extracting the signed data, this data may be prepended or appended with extra data not covered by the signature. Thus it is possible for an attacker to take any signed message and inject extra arbitrary data." | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
gzip: arbitrary command execution
| Package(s): | gzip | CVE #(s): | CAN-2005-0758 | |||||||||||||||||||||
| Created: | August 1, 2005 | Updated: | January 9, 2007 | |||||||||||||||||||||
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
horde: two remotely exploitable vulnerabilities
| Package(s): | horde | CVE #(s): | CVE-2006-1491 CVE-2006-1260 | |||||||||
| Created: | April 5, 2006 | Updated: | April 14, 2006 | |||||||||
| Description: | Versions of horde prior to 3.1.1 have two vulnerabilities, both of which are remotely exploitable: code execution in the help viewer and an input validation error which could allow read access to arbitrary files. | |||||||||||
| Alerts: |
| |||||||||||
imap: buffer overflow in c-client
| Package(s): | imap | CVE #(s): | CAN-2003-0297 | |||||||||
| Created: | February 18, 2005 | Updated: | April 9, 2006 | |||||||||
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine. | |||||||||||
| Alerts: |
| |||||||||||
ipsec-tools: denial of service
| Package(s): | ipsec-tools | CVE #(s): | CVE-2005-3732 | |||||||||||||||||||||
| Created: | December 1, 2005 | Updated: | June 8, 2006 | |||||||||||||||||||||
| Description: | ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during When the daemon the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kaffeine: buffer overflow
| Package(s): | kaffeine | CVE #(s): | CVE-2006-0051 | ||||||||||||
| Created: | April 5, 2006 | Updated: | April 6, 2006 | ||||||||||||
| Description: | Marcus Meissner discovered that kaffeine, a media player for KDE 3, contains an unchecked buffer that can be overwritten remotely when fetching remote RAM playlists which can cause the execution of arbitrary code. | ||||||||||||||
| Alerts: |
| ||||||||||||||
kdebase: local root vulnerability
| Package(s): | kdebase | CVE #(s): | CAN-2005-2494 | |||||||||||||||
| Created: | September 7, 2005 | Updated: | August 11, 2006 | |||||||||||||||
| Description: | The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite | CVE #(s): | CAN-2005-1920 | |||||||||||||||||||||
| Created: | July 19, 2005 | Updated: | November 27, 2006 | |||||||||||||||||||||
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CAN-2005-0449 CAN-2005-0209 CAN-2005-0529 CAN-2005-0530 CAN-2005-0532 CAN-2005-0384 CAN-2005-0210 CAN-2005-0504 CAN-2005-0003 | |||||||||||||||||||||
| Created: | March 24, 2005 | Updated: | May 31, 2006 | |||||||||||||||||||||
| Description: | A number of vulnerabilities have been found in the Linux kernel, including a PPP-related denial of service problem, an integer overflow in the epoll() code, memory corruption in the ELF loader, and exploitable overflows in the ISO9660 code. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kernel multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2005-3527 CVE-2005-3783 CVE-2005-3784 CVE-2005-3805 CVE-2005-3806 CVE-2005-3808 | ||||||||||||||||||||||||||||||||||||
| Created: | January 20, 2006 | Updated: | April 18, 2006 | ||||||||||||||||||||||||||||||||||||
| Description: | Here's another set of vulnerabilities in the Linux kernel:
| ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
libapreq2: algorithm weakness
| Package(s): | libapreq2-perl apache2 | CVE #(s): | CVE-2006-0042 | |||||||||
| Created: | March 14, 2006 | Updated: | April 18, 2006 | |||||||||
| Description: | An algorithm weakness has been discovered in Apache2::Request, the generic request library for Apache2 which can be exploited remotely and cause a denial of service via CPU consumption. | |||||||||||
| Alerts: |
| |||||||||||
libgadu: memory alignment bug
| Package(s): | libgadu | CVE #(s): | CAN-2005-2370 | |||||||||
| Created: | July 29, 2005 | Updated: | June 25, 2007 | |||||||||
| Description: | Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service. | |||||||||||
| Alerts: |
| |||||||||||
libgd2: buffer overflows in PNG handling
| Package(s): | libgd2 | CVE #(s): | CAN-2004-0990 CAN-2004-0941 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | October 29, 2004 | Updated: | June 28, 2006 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges. Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function. | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap | CVE #(s): | CAN-2005-2641 | ||||||||||||
| Created: | August 25, 2005 | Updated: | October 6, 2006 | ||||||||||||
| Description: | libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate with an LDAP server which is not configured properly, allowing an authentication bypass. | ||||||||||||||
| Alerts: |
| ||||||||||||||
mailman: denial of service
| Package(s): | mailman | CVE #(s): | CVE-2006-0052 | |||||||||||||||
| Created: | March 30, 2006 | Updated: | June 9, 2006 | |||||||||||||||
| Description: | Mailman 2.1.5 and below have a denial of service vulnerability in the Scrubber.py script. If a maliciously created message with a mime multi part format is received, mailman delivery can be stopped. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
mod_python: remote access vulnerability
| Package(s): | mod_python | CVE #(s): | CAN-2005-0088 | ||||||||||||||||||||||||||||||
| Created: | February 10, 2005 | Updated: | April 9, 2006 | ||||||||||||||||||||||||||||||
| Description: | mod_python has a vulnerability in the publisher handler that may allow a remote user to use a specially crafted URL to allow access to objects that should be protected. An information leak can result. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
mozilla: multiple vulnerabilities
| Package(s): | mozilla | CVE #(s): | CVE-2005-4134 CVE-2006-0292 CVE-2006-0296 | |||||||||||||||||||||||||||
| Created: | February 2, 2006 | Updated: | May 4, 2006 | |||||||||||||||||||||||||||
| Description: | Mozilla has three new vulnerabilities.
The Javascript interpreter has a problem with
dereferencing objects. A user can visit a specially crafted web page
which can crash the browser or cause it to execute arbitrary code. The XULDocument.persist() function has a bug that can be triggered by viewing specially crafted web sites, RDF data can be injected into the localstore.rdf file, allowing arbitrary javascript code to be executed. The Mozilla history saving mechanism is vulnerable to a denial of service attack, visiting sites with extra-long titles can cause a crash or very slow startup the next time the browser is run. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
Mozilla Thunderbird: remote code execution and DoS
| Package(s): | mozilla-thunderbird | CVE #(s): | CVE-2006-0884 | ||||||
| Created: | March 3, 2006 | Updated: | May 4, 2006 | ||||||
| Description: | The WYSIWYG rendering engine in Mozilla Thunderbird 1.0.7 and earlier allows user-complicit attackers to bypass javascript security settings and obtain sensitive information or cause a crash via an e-mail containing a javascript URI in the SRC attribute of an IFRAME tag, which is executed when the user edits the e-mail. | ||||||||
| Alerts: |
| ||||||||
MySQL: logging bypass
| Package(s): | mysql | CVE #(s): | CVE-2006-0903 | ||||||||||||
| Created: | April 4, 2006 | Updated: | May 21, 2008 | ||||||||||||
| Description: | MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query. | ||||||||||||||
| Alerts: |
| ||||||||||||||
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs | CVE #(s): | CAN-2005-0013 CAN-2005-0014 | |||||||||||||||
| Created: | January 31, 2005 | Updated: | May 15, 2006 | |||||||||||||||
| Description: | Erik Sjolund discovered two vulnerabilities in the programs bundled with ncpfs: there is a potentially exploitable buffer overflow in ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities using the NetWare client functions insecurely access files with elevated privileges (CAN-2005-0013). | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
ntp: uses wrong gid
| Package(s): | ntp | CVE #(s): | CAN-2005-2496 | |||||||||||||||
| Created: | August 26, 2005 | Updated: | August 11, 2006 | |||||||||||||||
| Description: | When starting xntpd with the -u option and specifying the group by using a string not a numeric gid the daemon uses the gid of the user not the group. This problem is now fixed by this update. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
openmotif: buffer overflows
| Package(s): | openmotif | CVE #(s): | CVE-2005-3964 | |||||||||
| Created: | December 29, 2005 | Updated: | July 27, 2006 | |||||||||
| Description: | The libUil component of the OpenMotif toolkit has a pair of buffer overflow vulnerabilities that can possibly be used for the execution of arbitrary code. | |||||||||||
| Alerts: |
| |||||||||||
OpenSSH: double shell expansion
| Package(s): | openssh | CVE #(s): | CVE-2006-0225 | ||||||||||||||||||||||||||||||
| Created: | January 23, 2006 | Updated: | July 20, 2006 | ||||||||||||||||||||||||||||||
| Description: | OpenSSH has a double shell expansion vulnerability in local to local and remote to remote copy with scp. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
perl: setuid vulnerabilities
| Package(s): | perl | CVE #(s): | CAN-2005-0155 CAN-2005-0156 | ||||||||||||||||||||||||
| Created: | February 2, 2005 | Updated: | August 11, 2006 | ||||||||||||||||||||||||
| Description: | There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
phpbb2: multiple vulnerabilities
| Package(s): | phpbb2 | CVE #(s): | CVE-2005-3310 CVE-2005-3415 CVE-2005-3416 CVE-2005-3417 CVE-2005-3418 CVE-2005-3419 CVE-2005-3420 CVE-2005-3536 CVE-2005-3537 | |||
| Created: | December 22, 2005 | Updated: | February 11, 2008 | |||
| Description: | The phpbb2 web forum has a number of vulnerabilities including: a web script injection problem, a protection mechanism bypass, a security check bypass, a remote global variable bypass, cross site scripting vulnerabilities, an SQL injection vulnerability, a remote regular expression modification problem, missing input sanitizing, and a missing request validation problem. | |||||
| Alerts: |
| |||||
phpMyAdmin: multiple vulnerabilities
| Package(s): | phpmyadmin | CVE #(s): | CVE-2005-4079 CVE-2005-3665 | ||||||||||||
| Created: | December 12, 2005 | Updated: | November 20, 2006 | ||||||||||||
| Description: | Stefan Esser reported multiple vulnerabilities found in phpMyAdmin. The $GLOBALS variable allows modifying the global variable import_blacklist to open phpMyAdmin to local and remote file inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9). Furthermore, it is also possible to conduct an XSS attack via the $HTTP_HOST variable and a local and remote file inclusion because the contents of the variable are under total control of the attacker (CVE-2005-3665, PMASA-2005-8). | ||||||||||||||
| Alerts: |
| ||||||||||||||
pound: HTTP Request Smuggling Attack
| Package(s): | pound | CVE #(s): | CVE-2005-3751 | ||||||
| Created: | January 10, 2006 | Updated: | June 8, 2006 | ||||||
| Description: | HTTP requests with conflicting Content-Length and Transfer-Encoding headers could lead to HTTP Request Smuggling Attack, which can be exploited to bypass packet filters or poison web caches. | ||||||||
| Alerts: |
| ||||||||
scorched3d: multiple vulnerabilities
| Package(s): | scorched3d | CVE #(s): | |||||||
| Created: | November 15, 2005 | Updated: | August 11, 2006 | ||||||
| Description: | Luigi Auriemma discovered multiple flaws in the Scorched 3D game server, including a format string vulnerability and several buffer overflows. A remote attacker could exploit these vulnerabilities to crash a game server or execute arbitrary code with the rights of the game server user. | ||||||||
| Alerts: |
| ||||||||
squirrelmail: multiple vulnerabilities
| Package(s): | squirrelmail | CVE #(s): | CVE-2006-0188 CVE-2006-0195 CVE-2006-0377 | ||||||||||
| Created: | February 28, 2006 | Updated: | June 8, 2006 | ||||||||||
| Description: | Webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to
inject arbitrary web pages into the right frame via a URL in the
right_frame parameter. NOTE: this has been called a cross-site scripting
(XSS) issue, but it is different than what is normally identified as
XSS. (CVE-2006-0188)
Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) a newline in a "url" specifier, which is processed by certain web browsers including Internet Explorer. (CVE-2006-0195) CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary IMAP commands via newline characters in the mailbox parameter of the sqimap_mailbox_select command, aka "IMAP injection." (CVE-2006-0377) | ||||||||||||
| Alerts: |
| ||||||||||||