Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
|
|
| |
|
| |
Security
Searching for Insecurity
September 27, 2006
This article was contributed by Jake Edge.
Google and other search engines provide an invaluable service for people
looking for web-based information, but, as several automatic teller machine
(ATM) vendors found out recently, search engines can also be useful for
people looking for information that might better stay hidden. Google
searches have recently turned up
operator manuals for several ATM models which include information on how
to enter maintenance mode, along with default administrative passwords.
This information was promptly put to use in ways not intended by the
manufacturers. ATM manufacturers are not the only folks
who should be concerned about this, search engines store a wealth of
sensitive information and for those with malicious intent, they are
a gold mine.
Two weeks ago, a news
report
about someone reprogramming an ATM led a security researcher to see what
information was available about the ATM model shown in a CNN report.
It turns out that it was not difficult to come up with information that
could be used to make the ATM believe that it was handing out $5 bills
when it was really providing $20 bills. Neither the researcher (nor,
presumably, the unknown ATM reprogrammer) confirmed that it was a web
search that led to the information, but a subsequent
report
makes it clear that the manual was available via a simple Google query.
Other ATM vendors' products were then
targeted
with the same results. The major security issue in these cases appears to
be the well known 'default password' vulnerability. The default
administrative passwords were listed in the operator's manual, which is
not unreasonable, but, like default passwords everywhere, they were
not routinely changed as part of the installation.
This kind of vulnerability is not at all specific to ATM machines;
various kinds of hardware (routers, servers, PBX systems, etc.) have been
or are susceptible. Of course, it is not just hardware that suffers from
well known or easily discovered default passwords, many software packages
have exactly the same problem. Finding vulnerable installations of those
packages has been made a great deal easier with search engines, particularly
Google with its rich set of searching operators.
Many software packages, especially web-based packages, show that they have
been installed correctly by displaying a default page. The Apache web
server on many Linux distributions installs a page that indicates its presence
(and its version, which may come in handy the next time an Apache
vulnerability is discovered) and the fact that it has not been completely
configured. Searching for
these default pages, especially for packages (like portals, blogs, picture
galleries, etc.) that have a default administrative password, will generate
a list of sites that may not have done anything more than install the
package. This is a pretty good place to start trying default passwords.
Web searching can also generate lists of sites that are vulnerable to known
exploits simply by looking for sites displaying 'VulnerableApp v0.0.1'. In
many cases, the applications were installed at one point and then orphaned
but not removed and the administrator has completely forgotten about their
presence. It can be difficult to keep up with security updates for an
application that one has forgotten is even installed.
This just scratches the surface of the kinds of information, useful
to those with malicious intent, that can be found via search engines. Johnny
Long has done various conference presentations and written a book,
Google Hacking for
Penetration Testers describing these techniques. His
homepage has a great deal
of information on using Google to find interesting things on the web.
Using these techniques against your own site is one of the best ways to
determine how vulnerable you are. Finding web applications that were
forgotten or were never completely configured is just one step in the right
direction. These techniques could also find directories that provide
indexes or publicly exposed documents that were believed to be secure.
It is almost always an eye opening experience to find out how much
information the search engines have about one's site.
Comments (4 posted)
New vulnerabilities
openssh: remote denial of service
| Package(s): | openssh |
CVE #(s): | CVE-2006-4924
CVE-2006-5051
|
| Created: | September 27, 2006 |
Updated: | November 15, 2006 |
| Description: |
Openssh 4.4 fixes some
security issues, including a pre-authentication denial of service, an
unsafe signal hander and on portable OpenSSH a GSSAPI authentication abort
could be used to determine the validity of usernames on some platforms. |
| Alerts: |
|
Comments (none posted)
TikiWiki: arbitrary command execution
| Package(s): | tikiwiki |
CVE #(s): | CVE-2006-4299
CVE-2006-4602
|
| Created: | September 26, 2006 |
Updated: | September 27, 2006 |
| Description: |
A vulnerability in jhot.php allows for an unrestricted file upload to
the img/wiki/ directory. Additionally, a cross-site scripting vulnerability
exists in the highlight parameter of tiki-searchindex.php. |
| Alerts: |
|
Comments (none posted)
webmin: cross-site scripting
| Package(s): | webmin |
CVE #(s): | CVE-2006-4542
|
| Created: | September 26, 2006 |
Updated: | October 24, 2006 |
| Description: |
Webmin before 1.296 and Usermin before 1.226 does not properly handle a URL
with a null ("%00") character, which allows remote attackers to conduct
cross-site scripting (XSS), read CGI program source code, list directories,
and possibly execute programs. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2006-3918
|
| Created: | August 9, 2006 |
Updated: | April 4, 2008 |
| Description: |
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header." |
| Alerts: |
|
Comments (none posted)
bind: denial of service
| Package(s): | bind |
CVE #(s): | CVE-2006-4095
CVE-2006-4096
|
| Created: | September 7, 2006 |
Updated: | February 1, 2007 |
| Description: |
Bind has two denial of service vulnerabilities.
Recursive servers queries for SIG records will trigger an assertion
failure if more than one RR set is returned.
An INSIST failure can be triggered by sending a large number of
recursive queries. |
| Alerts: |
|
Comments (none posted)
binutils: buffer overflow
| Package(s): | binutils |
CVE #(s): | CVE-2005-4807
|
| Created: | August 17, 2006 |
Updated: | October 19, 2006 |
| Description: |
The GNU assembler (gas) in binutils is vulnerable to a buffer overflow.
If a user can be tricked into assembling a specially crafted file with
gcc or gas, arbitrary code can be executed with the privileges of the user. |
| Alerts: |
|
Comments (3 posted)
bomberclone: information disclosure and denial of service
| Package(s): | bomberclone |
CVE #(s): | CVE-2006-4005
CVE-2006-4006
|
| Created: | September 19, 2006 |
Updated: | September 20, 2006 |
| Description: |
Luigi Auriemma discovered two security related bugs in bomberclone, a free
Bomberman clone. The program copies remotely provided data unchecked which
could lead to a denial of service via an application crash. Bomberclone
uses remotely provided data as length argument which can lead to the
disclosure of private information. |
| Alerts: |
|
Comments (1 posted)
busybox: insecure password generation
| Package(s): | busybox |
CVE #(s): | CVE-2006-1058
|
| Created: | May 5, 2006 |
Updated: | May 2, 2007 |
| Description: |
The BusyBox 1.1.1 passwd command does not use a proper salt when generating
passwords. This would create an instance where a brute force attack could
take very little time. |
| Alerts: |
|
Comments (2 posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
CVE #(s): | CAN-2005-0953
CAN-2005-1260
|
| Created: | May 17, 2005 |
Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
| Alerts: |
|
Comments (2 posted)
capi4hylafax: missing input sanitizing
| Package(s): | capi4hylafax |
CVE #(s): | CVE-2006-3126
|
| Created: | September 1, 2006 |
Updated: | October 18, 2006 |
| Description: |
Lionel Elie Mamane discovered a security vulnerability in capi4hylafax,
tools for faxing over a CAPI 2.0 device, that allows remote attackers to
execute arbitrary commands on the fax receiving system. |
| Alerts: |
|
Comments (none posted)
cheesetracker: buffer overflow
| Package(s): | cheesetracker |
CVE #(s): | CVE-2006-3814
|
| Created: | September 4, 2006 |
Updated: | October 27, 2006 |
| Description: |
Luigi Auriemma discovered a buffer overflow in the loading component
of cheesetracker, a sound module tracking program, which could allow a
maliciously constructed input file to execute arbitrary code. |
| Alerts: |
|
Comments (1 posted)
cpio: arbitrary code execution
| Package(s): | cpio |
CVE #(s): | CVE-2005-4268
|
| Created: | January 2, 2006 |
Updated: | May 8, 2007 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
| Alerts: |
|
Comments (none posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
CVE #(s): | CVE-2006-1721
|
| Created: | April 21, 2006 |
Updated: | September 4, 2007 |
| Description: |
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate. |
| Alerts: |
|
Comments (none posted)
dokuwiki: arbitrary command execution
| Package(s): | dokuwiki |
CVE #(s): | CVE-2006-4674
CVE-2006-4675
CVE-2006-4679
|
| Created: | September 15, 2006 |
Updated: | September 20, 2006 |
| Description: |
"rgod" discovered that DokuWiki doesn't sanitize the X-FORWARDED-FOR
HTTP header, allowing the injection of arbitrary contents - such as PHP
commands - into a file. Additionally, the accessory scripts installed
in the "bin" DokuWiki directory are vulnerable to directory traversal
attacks, allowing to copy and execute the previously injected code. |
| Alerts: |
|
Comments (none posted)
ffmpeg: buffer overflows
| Package(s): | ffmpeg |
CVE #(s): | CVE-2006-4799
CVE-2006-4800
|
| Created: | September 14, 2006 |
Updated: | May 28, 2007 |
| Description: |
the AVI processing code in FFmpeg has a number of buffer overflow
vulnerabilities.
If an attacker can trick a user into loading a specially crafted
crafted AVI, arbitrary code can be executed with the user's privileges. |
| Alerts: |
|
Comments (2 posted)
flash-plugin: arbitrary code execution
| Package(s): | flash-plugin |
CVE #(s): | CVE-2006-3311
CVE-2006-3587
CVE-2006-3588
|
| Created: | September 13, 2006 |
Updated: | October 5, 2006 |
| Description: |
Security issues were discovered in the Adobe Flash Player. It may be
possible to execute arbitrary code on a victim's machine if the victim
opens a malicious Adobe Flash file. |
| Alerts: |
|
Comments (none posted)
freeradius: several vulnerabilities
| Package(s): | freeradius |
CVE #(s): | CVE-2005-4745
CVE-2005-4746
|
| Created: | August 8, 2006 |
Updated: | April 24, 2007 |
| Description: |
Several remote vulnerabilities have been discovered in freeradius, a
high-performance RADIUS server, which may lead to SQL injection or denial
of service. |
| Alerts: |
|
Comments (none posted)
freetype: integer overflows
| Package(s): | freetype |
CVE #(s): | CVE-2006-0747
CVE-2006-1861
CVE-2006-2493
CVE-2006-2661
CVE-2006-3467
|
| Created: | June 8, 2006 |
Updated: | October 10, 2007 |
| Description: |
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user. |
| Alerts: |
|
Comments (none posted)
gcc: file overwrite vulnerability
| Package(s): | gcc |
CVE #(s): | CVE-2006-3619
|
| Created: | September 6, 2006 |
Updated: | March 14, 2008 |
| Description: |
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
| Alerts: |
|
Comments (none posted)
gdb: buffer overflow
| Package(s): | gdb |
CVE #(s): | CVE-2006-4146
|
| Created: | September 15, 2006 |
Updated: | June 12, 2007 |
| Description: |
A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU
Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to
execute arbitrary code via a crafted file with a location block
(DW_FORM_block) that contains a large number of operations. |
| Alerts: |
|
Comments (none posted)
gdm: improper file permissions
| Package(s): | gdm |
CVE #(s): | CVE-2006-1057
|
| Created: | April 19, 2006 |
Updated: | May 2, 2007 |
| Description: |
The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: |
|
Comments (none posted)
gnutls: signature forge vulnerability
| Package(s): | gnutls |
CVE #(s): | CVE-2006-4790
|
| Created: | September 14, 2006 |
Updated: | September 26, 2006 |
| Description: |
GnuTLS has a vulnerability with PKCS #1 v1.5 signatures.
If an RSA key with exponent 3 is used, an attacker may be able to
forge a PKCS #1 v1.5 signature. |
| Alerts: |
|
Comments (none posted)
gzip: multiple vulnerabilities
| Package(s): | gzip |
CVE #(s): | CVE-2006-4334
CVE-2006-4335
CVE-2006-4336
CVE-2006-4337
CVE-2006-4338
|
| Created: | September 19, 2006 |
Updated: | June 1, 2007 |
| Description: |
Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash.
Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code. |
| Alerts: |
|
Comments (1 posted)
gzip: arbitrary command execution
| Package(s): | gzip |
CVE #(s): | CAN-2005-0758
|
| Created: | August 1, 2005 |
Updated: | January 9, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
| Alerts: |
|
Comments (2 posted)
ImageMagick: buffer overflows
| Package(s): | imagemagick |
CVE #(s): | CVE-2006-3743
CVE-2006-3744
|
| Created: | September 6, 2006 |
Updated: | September 26, 2006 |
| Description: |
The latest set of buffer overflow vulnerabilities in ImageMagick can be found in the Sun Raster and XCF decoders. |
| Alerts: |
|
Comments (2 posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | November 27, 2006 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4535
CVE-2006-4538
|
| Created: | September 18, 2006 |
Updated: | December 3, 2007 |
| Description: |
Sridhar Samudrala discovered a local denial of service vulnerability
in the handling of SCTP sockets. By opening such a socket with a
special SO_LINGER value, a local attacker could exploit this to crash
the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc
platforms did not sufficiently verify the memory layout. By attempting
to execute a specially crafted executable, a local user could exploit
this to crash the kernel. (CVE-2006-4538) |
| Alerts: |
|
Comments (none posted)
kernel: denial of service by memory consumption
| Package(s): | kernel |
CVE #(s): | CVE-2006-2936
|
| Created: | July 17, 2006 |
Updated: | November 14, 2007 |
| Description: |
The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
2.6.17, and possibly later versions, allows local users to cause a denial
of service (memory consumption) by writing more data to the serial port
than the driver can handle, which causes the data to be queued. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-2935
CVE-2006-4145
CVE-2006-3745
|
| Created: | September 1, 2006 |
Updated: | July 30, 2008 |
| Description: |
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the system to
crash (denial of service). Malformed CDROM firmware or USB storage devices
(such as USB keys) could cause system crash (denial of service), and if
they were intentionally malformed, can cause arbitrary code to run with
elevated privileges. In addition, the SCTP protocol is subject to a remote
system crash (denial of service) attack. |
| Alerts: |
|
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
|
| Alerts: |
|
Comments (none posted)
libgd2: denial of service
| Package(s): | libgd2 |
CVE #(s): | CVE-2006-2906
|
| Created: | June 14, 2006 |
Updated: | January 16, 2007 |
| Description: |
Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications. |
| Alerts: |
|
Comments (none posted)
libmms: buffer overflows
| Package(s): | libmms |
CVE #(s): | CVE-2006-2200
|
| Created: | July 6, 2006 |
Updated: | December 25, 2006 |
| Description: |
Several buffer overflows were found in libmms. By tricking a user into
opening a specially crafted remote multimedia stream with an application
using libmms, a remote attacker could overwrite an arbitrary memory portion
with zeros, thereby crashing the program. |
| Alerts: |
|
Comments (none posted)
libmusicbrainz: buffer overflows
| Package(s): | libmusicbrainz-2.0 |
CVE #(s): | CVE-2006-4197
|
| Created: | August 30, 2006 |
Updated: | October 23, 2006 |
| Description: |
Several buffer overflows have been discovered in the libmusicbrainz CD index library. |
| Alerts: |
|
Comments (none posted)
libpam-ldap: authentication bypass
| Package(s): | libpam-ldap |
CVE #(s): | CAN-2005-2641
|
| Created: | August 25, 2005 |
Updated: | October 6, 2006 |
| Description: |
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass. |
| Alerts: |
|
Comments (none posted)
libpng: buffer overflow
| Package(s): | libpng |
CVE #(s): | CVE-2006-3334
|
| Created: | July 19, 2006 |
Updated: | November 17, 2006 |
| Description: |
In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow. |
| Alerts: |
|
Comments (none posted)
libtiff: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CVE-2006-2193
|
| Created: | June 15, 2006 |
Updated: | September 1, 2008 |
| Description: |
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
libvncserver: authentication bypass
| Package(s): | libvncserver |
CVE #(s): | CVE-2006-2450
|
| Created: | August 4, 2006 |
Updated: | March 19, 2007 |
| Description: |
LibVNCServer fails to properly validate protocol types effectively
letting users decide what protocol to use, such as "Type 1 - None".
LibVNCServer will accept this security type, even if it is not offered
by the server. |
| Alerts: |
|
Comments (none posted)
libwmf: integer overflow
| Package(s): | libwmf |
CVE #(s): | CVE-2006-3376
|
| Created: | July 13, 2006 |
Updated: | November 6, 2006 |
| Description: |
libwmf, a library that is used for processing Windows MetaFile vector graphics files, has an integer overflow vulnerability. |
| Alerts: |
|
Comments (none posted)
mailman: several vulnerabilities
| Package(s): | mailman |
CVE #(s): | CVE-2006-2941
CVE-2006-3636
|
| Created: | September 8, 2006 |
Updated: | October 23, 2006 |
| Description: |
A flaw was found in the way Mailman handled MIME multipart messages. An
attacker could send a carefully crafted MIME multipart email message to a
mailing list run by Mailman which caused that particular mailing list
to stop working. (CVE-2006-2941)
Several cross-site scripting (XSS) issues were found in Mailman. An
attacker could exploit these issues to perform cross-site scripting attacks
against the Mailman administrator. (CVE-2006-3636) |
| Alerts: |
|
Comments (none posted)
firefox: multiple vulnerabilities
| Package(s): | mozilla firefox thunderbird |
CVE #(s): | CVE-2006-4565
CVE-2006-4566
CVE-2006-4571
CVE-2006-4253
CVE-2006-4567
CVE-2006-4568
CVE-2006-4569
|
| Created: | September 15, 2006 |
Updated: | November 14, 2006 |
| Description: |
Two flaws were found in the way Firefox/Thunderbird processed certain regular
expressions. A malicious web page/HTML email could crash the browser or
possibly execute arbitrary code as the user running
Firefox/Thunderbird. (CVE-2006-4565, CVE-2006-4566)
A number of flaws were found in Firefox/Thunderbird. A malicious web
page/HTML email could crash the browser or possibly execute arbitrary code
as the user running Firefox/Thunderbird. (CVE-2006-4571)
A flaw was found in the handling of JavaScript timed events. A malicious
web page could crash the browser or possibly execute arbitrary code as the
user running Firefox/Thunderbird. (CVE-2006-4253)
A flaw was found in the Firefox/Thunderbird auto-update verification
system. An attacker who has the ability to spoof a victim's DNS could get
Firefox to download and install malicious code. In order to exploit this
issue an attacker would also need to get a victim to previously accept an
unverifiable certificate. (CVE-2006-4567)
Firefox did not properly prevent a frame in one domain from injecting
content into a sub-frame that belongs to another domain, which facilitates
website spoofing and other attacks (CVE-2006-4568)
Firefox did not load manually opened, blocked popups in the right domain
context, which could lead to cross-site scripting attacks. In order to
exploit this issue an attacker would need to find a site which would frame
their malicious page and convince the user to manually open a blocked
popup. (CVE-2006-4569) |
| Alerts: |
|
Comments (none posted)
mutt: IMAP namespace buffer overflow
| Package(s): | mutt |
CVE #(s): | CVE-2006-3242
|
| Created: | June 28, 2006 |
Updated: | October 24, 2006 |
| Description: |
TAKAHASHI Tamotsu discovered that mutt's IMAP backend did not sufficiently
check the validity of namespace strings. If an user connects to a malicious
IMAP server, that server could exploit this to crash mutt or even execute
arbitrary code with the privileges of the mutt user. See this Secunia advisory for more
information. |
| Alerts: |
|
Comments (none posted)
mysql: format string bug
| Package(s): | mysql |
CVE #(s): | CVE-2006-3469
|
| Created: | July 21, 2006 |
Updated: | July 30, 2008 |
| Description: |
Jean-David Maillefer discovered a format string bug in the
date_format() function's error reporting. By calling the function with
invalid arguments, an authenticated user could exploit this to crash
the server. |
| Alerts: |
|
Comments (none posted)
MySQL: privilege violations
| Package(s): | mysql |
CVE #(s): | CVE-2006-4031
CVE-2006-4226
|
| Created: | August 25, 2006 |
Updated: | July 30, 2008 |
| Description: |
MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access
a table through a previously created MERGE table, even after the user's
privileges are revoked for the original table, which might violate intended
security policy (CVE-2006-4031).
MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run
on case-sensitive filesystems, allows remote authenticated users to create
or access a database when the database name differs only in case from a
database for which they have permissions (CVE-2006-4226). |
| Alerts: |
|
Comments (none posted)
MySQL: logging bypass
| Package(s): | mysql |
CVE #(s): | CVE-2006-0903
|
| Created: | April 4, 2006 |
Updated: | May 21, 2008 |
| Description: |
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query. |
| Alerts: |
|
Comments (2 posted)
ncompress: buffer underflow
| Package(s): | ncompress |
CVE #(s): | CVE-2006-1168
|
| Created: | August 10, 2006 |
Updated: | October 9, 2006 |
| Description: |
The ncompress compression utility has a missing boundary check.
A local user can use a maliciously created file to cause a
a .bss buffer underflow. |
| Alerts: |
|
Comments (none posted)
nss: signature forgery vulnerability
| Package(s): | nss |
CVE #(s): | CVE-2006-4340
|
| Created: | September 15, 2006 |
Updated: | October 18, 2006 |
| Description: |
Daniel Bleichenbacher recently described an implementation error in RSA
signature verification. For RSA keys with exponent 3 it is possible for an
attacker to forge a signature that which would be incorrectly verified by
the NSS library. |
| Alerts: |
|
Comments (1 posted)
openoffice.org: several vulnerabilities
| Package(s): | openoffice.org |
CVE #(s): | CVE-2006-2198
CVE-2006-2199
CVE-2006-3117
|
| Created: | June 30, 2006 |
Updated: | January 4, 2007 |
| Description: |
Several vulnerabilities have been discovered in OpenOffice.org, a free
office suite.
- It turned out to be possible to embed arbitrary BASIC macros in
documents in a way that OpenOffice.org does not see them but executes them
anyway without any user interaction. (CVE-2006-2198)
- It is possible to evade the Java sandbox with specially crafted Java
applets. (CVE-2006-2199)
- Loading malformed XML documents can cause buffer overflows and cause a
denial of service or execute arbitrary code. (CVE-2006-3117)
|
| Alerts: |
|
Comments (none posted)
openssl: insufficient signature checking
| Package(s): | openssl |
CVE #(s): | CVE-2006-4339
|
| Created: | September 5, 2006 |
Updated: | November 15, 2006 |
| Description: |
Philip Mackenzie, Marius Schilder, Jason Waddle and Ben Laurie of Google
Security discovered that the OpenSSL library did not sufficiently check the
padding of PKCS #1 v1.5 signatures if the exponent of the public key is 3
(which is widely used for CAs). This could be exploited to forge signatures
without the need of the secret key. |
| Alerts: |
|
Comments (none posted)
php: several vulnerabilities
| Package(s): | php |
CVE #(s): | CVE-2006-4481
CVE-2006-4484
CVE-2006-4485
|
| Created: | September 8, 2006 |
Updated: | June 13, 2008 |
| Description: |
The file_exists and imap_reopen functions in PHP before 5.1.5 do not check
for the safe_mode and open_basedir settings, which allows local users to
bypass the settings (CVE-2006-4481).
A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c
in the GD extension in PHP before 5.1.5 allows remote attackers to have an
unknown impact via a GIF file with input_code_size greater than
MAX_LWZ_BITS, which triggers an overflow when initializing the table array
(CVE-2006-4484).
The stripos function in PHP before 5.1.5 has unknown impact and attack
vectors related to an out-of-bounds read (CVE-2006-4485). |
| Alerts: |
|
Comments (1 posted)
php: arbitrary code execution
| Package(s): | php |
CVE #(s): | CVE-2006-4020
|
| Created: | August 22, 2006 |
Updated: | September 21, 2006 |
| Description: |
A vulnerability was discovered in the sscanf function that could allow
attackers in certain circumstances to execute arbitrary code via argument
swapping which incremented an index past the end of an array and triggered
a buffer over-read. |
| Alerts: |
|
Comments (none posted)
phpbb2: missing input sanitizing
| Package(s): | phpbb2 |
CVE #(s): | CVE-2006-1896
|
| Created: | May 22, 2006 |
Updated: | February 11, 2008 |
| Description: |
It was discovered that phpbb2, a web based bulletin board, insufficiently
sanitizes values passed to the "Font Color 3" setting, which might lead to
the execution of injected code by admin users. |
| Alerts: |
|
Comments (none posted)
phpbb2: multiple vulnerabilities
| Package(s): | phpbb2 |
CVE #(s): | CVE-2005-3310
CVE-2005-3415
CVE-2005-3416
CVE-2005-3417
CVE-2005-3418
CVE-2005-3419
CVE-2005-3420
CVE-2005-3536
CVE-2005-3537
|
| Created: | December 22, 2005 |
Updated: | February 11, 2008 |
| Description: |
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem. |
| Alerts: |
|
Comments (none posted)
phpMyAdmin: multiple vulnerabilities
| Package(s): | phpmyadmin |
CVE #( | |
|