LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
Capturing web attacks with open proxy honeypots
Honeypots, hosts specifically set up to attract abuse, have been around since at least 1990. Typically, they have been used to detect attacks against various network services, such as SMTP or SSH, but have not been very successful at detecting a wide range of web application attacks. Open proxy honeypots provide a more attractive target for malicious web traffic. Combining several open proxies leads to the Distributed Open Proxy Honeypots (DOPH) project which centralizes the monitoring of open proxies installed all over the globe.
Standard honeypot techniques do not provide much of interest to a web attacker, there is no high profile website to deface or high value information stored there. The honeypot is unlikely to be able to respond correctly to attempts to probe for vulnerable web applications. This makes it difficult to gather information on the variety of web attacks that are being used "in the wild". What is needed is a way to listen in on malicious traffic, which is exactly what a proxy can do.
A proxy is simply a program that forwards traffic for a client. It sits in the middle of the conversation, sending the client requests to the server and forwarding the server replies back to the client. As far as the server can see, it is only talking to the proxy system, it cannot tell that there is a client elsewhere actually making the requests. Proxies exist for a number of reasons, SOCKS is used to traverse firewalls, whereas anonymizers are used to obscure the origin of web traffic. There are also less visible proxies for load balancing or to get around the "same origin" policy of the XmlHttpRequest Javascript call. Most proxies have rules that govern who can use them and what destinations are legitimate, without those rules, it becomes an open proxy.
Probably the most famous open proxy was the default configuration of sendmail (before version 8.9.0 in 1998) which would forward email to and from any destination. Before the explosion of spam, it was considered neighborly to relay mail for anyone who asked.
A system configured as an open proxy for web traffic can record information about what it sees, with luck some portion of it will be malicious. But there is a subtle problem with this approach, the proxy host may be facilitating attacks on vulnerable web servers, attacks which appear to originate with the proxy. There is also concern that recording the "conversation" could run afoul of wiretapping laws. These problems require an open proxy honeypot, at least one that wants to avoid legal trouble, to take some steps to minimize them.
Informing someone that you are recording is typically enough to avoid wiretapping violations, so the DOPH project uses two separate warnings. The first is on the proxy host's webpage, but since most malicious users will never see that page, an additional warning was added to the HTTP headers returned by the host. Typically only programs see those headers, but it is, at least, an attempt to inform the recorded party.
A much more difficult problem is to stop "bad" traffic while proxying "good" traffic. The proxy must seem to function correctly or it will never be used, but honeypot operators are interested in stopping web abuse, so they want to minimize the chances of being used in a real attack. It is a very fine line, they want the bad traffic to study, but not to pass on.
The DOPH project uses the ModSecurity module for the Apache webserver to filter content based on a set of rules maintained by Got Root. The rules specify the signature of various attacks which causes ModSecurity to flag them as it inspects the website traffic. To try to fool attackers and/or their programs, a HTTP 200 (OK) status is returned when an attack is detected. The ModEvasive Apache module is also used to detect and stop the proxy being used in a denial of service attack.
Fully configured versions of the proxy are available from the project as VMware images that can be run using the "free as in beer" VMware server software. The DOPH proxy communicates back to a central data collection server, sending the ModSecurity audit log information. This allows the project to aggregate the information to determine what kinds of attacks are currently ongoing. A Web Security Threat Report (PDF), covering the first few months of the project, was released in April. Seven, geographically diverse, hosts participated during the first reporting period and the project is always looking for more people, willing to run proxy hosts, to increase their data gathering abilities.
Open proxies are used by attackers to mask their true location. It is not uncommon for a chain of proxies to be used, as it makes it more difficult to track back to the originator. If the chain crosses borders, using proxy servers in different countries, each with its own set of laws and procedures to access the server log files, it makes it that much harder. The DOPH project does not specify how they publicize their proxies, that might be giving too much information to attackers, but during the first four months of 2007, their servers handled around a million web requests of which roughly 20% was malicious or suspicious.
Attackers are likely to get more sophisticated over time and their tools will get better at recognizing these kinds of techniques, but there is still value in gathering the data. The proxy techniques will evolve as well which will allow statistics to be gathered and new attacks to be spotted. As the attackers recognize the threat, they will be more inclined to use proxies in an attempt to mask their location, which provides a kind of feedback loop driving more traffic to the honeypots. Open proxy honeypots cannot and will not fool all of the attacks, but they provide a way to study some of them.
New vulnerabilities
avahi: denial of service
| Package(s): | avahi | CVE #(s): | CVE-2007-3372 | ||||||
| Created: | June 28, 2007 | Updated: | September 18, 2007 | ||||||
| Description: | Avahi is vulnerable to a local denial of service that can be caused by making an erroneous call to the assert() function. | ||||||||
| Alerts: |
| ||||||||
c-ares: DNS cache poisoning
| Package(s): | c-ares | CVE #(s): | CVE-2007-3152 CVE-2007-3153 | |||
| Created: | June 28, 2007 | Updated: | July 3, 2007 | |||
| Description: | Versions of the c-ares DNS library below 1.4.0 are vulnerable to application DNS cache poisoning caused by a predictable DNS "Transaction ID" field in a DNS query. | |||||
| Alerts: |
| |||||
firebird: buffer overflow
| Package(s): | firebird | CVE #(s): | CVE-2007-3181 | ||||||
| Created: | July 2, 2007 | Updated: | March 27, 2008 | ||||||
| Description: | The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user. | ||||||||
| Alerts: |
| ||||||||
fireflier-server: unsafe temp file
| Package(s): | fireflier-server | CVE #(s): | CVE-2007-2837 | |||
| Created: | July 2, 2007 | Updated: | July 3, 2007 | |||
| Description: | The fireflier-server interactive firewall rule creation tool has a vulnerability in the way that it uses temporary files. The vulnerability may be used locally to remove arbitrary files from the system. | |||||
| Alerts: |
| |||||
gimp: multiple vulnerabilities
| Package(s): | gimp | CVE #(s): | CVE-2007-2949 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 28, 2007 | Updated: | February 27, 2008 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | The gimp image editor has several vulnerabilities, including a problem where it can open PSD files with excessive dimensions and a possible stack overflow in the Sunras loader. | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
glibc: integer overflow
| Package(s): | glibc | CVE #(s): | CVE-2007-3508 | |||
| Created: | July 4, 2007 | Updated: | July 4, 2007 | |||
| Description: | The GNU C library (prior to version 2.5-r4) suffers from an integer overflow vulnerability in the dynamic linker which could, maybe, be exploited to run code with root privileges. | |||||
| Alerts: |
| |||||
gsambad: insecure temp files
| Package(s): | gsambad | CVE #(s): | CVE-2007-2838 | |||
| Created: | July 2, 2007 | Updated: | July 3, 2007 | |||
| Description: | The gsambad GTK+ configuration tool for samba uses temporary files unsafely. A local attacker can use this vulnerability to truncate arbitrary files. | |||||
| Alerts: |
| |||||
hiki: missing input sanitizing
| Package(s): | hiki | CVE #(s): | CVE-2007-2836 | |||
| Created: | June 29, 2007 | Updated: | July 3, 2007 | |||
| Description: | Kazuhiro Nishiyama found a vulnerability in hiki, a Wiki engine written in Ruby, which could allow a remote attacker to delete arbitrary files which are writable to the Hiki user, via a specially crafted session parameter. | |||||
| Alerts: |
| |||||
unicon-imc2: buffer overflow
| Package(s): | unicon-imc2 | CVE #(s): | CVE-2007-2835 | |||
| Created: | July 2, 2007 | Updated: | July 3, 2007 | |||
| Description: | The unicon-imc2 Chinese input method library does not safely use an environment variable. It is possible to use this to cause a buffer overflow and execute arbitrary code. | |||||
| Alerts: |
| |||||
wireshark: multiple vulnerabilities
| Package(s): | wireshark | CVE #(s): | CVE-2007-3390 CVE-2007-3392 CVE-2007-3393 | ||||||||||||||||||||||||||||||
| Created: | June 28, 2007 | Updated: | February 27, 2008 | ||||||||||||||||||||||||||||||
| Description: | The wireshark network traffic analyzer has three vulnerabilities that can be used to create a denial of service. These include off-by-one overflows in the iSeries dissector, vulnerabilities in the MMS and SSL dissectors that can cause an infinite loop and an off-by-one overflow in the DHCP/BOOTP dissector. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
Updated vulnerabilities
Asterisk: two SIP denial of service vulnerabilities
| Package(s): | Asterisk | CVE #(s): | CVE-2007-1561 CVE-2007-1594 | |||||||||
| Created: | April 3, 2007 | Updated: | August 27, 2007 | |||||||||
| Description: | The Madynes research team at INRIA has discovered that Asterisk contains a null pointer dereferencing error in the SIP channel when handling INVITE messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to properly handle SIP responses with return code 0. A remote attacker could cause an Asterisk server listening for SIP messages to crash by sending a specially crafted SIP message or answering with a 0 return code. | |||||||||||
| Alerts: |
| |||||||||||
HelixPlayer: arbitrary code execution
| Package(s): | HelixPlayer | CVE #(s): | CVE-2007-3410 | ||||||||||||
| Created: | June 27, 2007 | Updated: | September 17, 2007 | ||||||||||||
| Description: | A buffer overflow flaw was found in the way HelixPlayer processed Synchronized Multimedia Integration Language (SMIL) files. It was possible for a malformed SMIL file to execute arbitrary code with the permissions of the user running HelixPlayer. (CVE-2007-3410) | ||||||||||||||
| Alerts: |
| ||||||||||||||
Sun JDK/JRE: multiple vulnerabilities
| Package(s): | Sun JDK/JRE | CVE #(s): | CVE-2007-2435 CVE-2007-2788 CVE-2007-2789 | ||||||||||||||||||
| Created: | June 1, 2007 | Updated: | April 18, 2008 | ||||||||||||||||||
| Description: | An unspecified vulnerability involving an "incorrect use of system classes" was reported by the Fujitsu security team. Additionally, Chris Evans from the Google Security Team reported an integer overflow resulting in a buffer overflow in the ICC parser used with JPG or BMP files, and an incorrect open() call to /dev/tty when processing certain BMP files. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
apache2: information disclosure
| Package(s): | apache | CVE #(s): | CVE-2007-1862 | |||||||||
| Created: | June 20, 2007 | Updated: | February 18, 2008 | |||||||||
| Description: | From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users." | |||||||||||
| Alerts: |
| |||||||||||
apache: multiple vulnerabilities
| Package(s): | apache | CVE #(s): | CVE-2007-3304 CVE-2006-5752 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 27, 2007 | Updated: | February 18, 2008 | |||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The Apache HTTP Server did not verify that a process was an Apache child
process before sending it signals. A local attacker who has the ability to
run scripts on the Apache HTTP Server could manipulate the scoreboard and
cause arbitrary processes to be terminated, which could lead to a denial of
service. (CVE-2007-3304)
A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752) | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||
apache: cross-site scripting
| Package(s): | apache | CVE #(s): | CVE-2006-3918 | ||||||||||||||||||
| Created: | August 9, 2006 | Updated: | April 4, 2008 | ||||||||||||||||||
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla | CVE #(s): | CVE-2006-5453 CVE-2006-5454 CVE-2006-5455 | ||||||
| Created: | November 10, 2006 | Updated: | August 28, 2007 | ||||||
| Description: | Bugzilla has the following vulnerabilities:
Input data passed to various fields is not properly sanitized before being passed back to users. Users can gain unauthorized access to read attachment descriptions while using diff mode. HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification. Input that is passed to showdependencygraph.cgi is not properly sanitized before being returned to users. | ||||||||
| Alerts: |
| ||||||||
clamav: denial of service
| Package(s): | clamav | CVE #(s): | CVE-2007-2650 | ||||||||||||||||||
| Created: | June 5, 2007 | Updated: | July 20, 2007 | ||||||||||||||||||
| Description: | A vulnerability in the OLE2 parser in ClamAV was found that could allow a remote attacker to cause a denial of service via resource consumption with a carefully crafted OLE2 file. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
cups: denial of service
| Package(s): | cups | CVE #(s): | CVE-2007-0720 | |||||||||||||||
| Created: | March 26, 2007 | Updated: | February 7, 2008 | |||||||||||||||
| Description: | Previous versions of the cups package could be forced to hang via a client "partially negotiating" an ssl connection. In this state, cups would not allow other connections to be made, a denial of service. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl | CVE #(s): | CVE-2006-1721 | ||||||||||||||||||||||||
| Created: | April 21, 2006 | Updated: | September 4, 2007 | ||||||||||||||||||||||||
| Description: | Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
denyhosts: denial of service
| Package(s): | denyhosts | CVE #(s): | ||||
| Created: | June 21, 2007 | Updated: | June 27, 2007 | |||
| Description: | Version 2.6 of Denyhosts has a problem in the way it scans for "User from .." messages in the log. The message is detected anywhere in the log, not just in the middle of the "bad protocol version" log where it belongs. This can be used to cause a denial of service. | |||||
| Alerts: |
| |||||
dovecot: directory traversal
| Package(s): | dovecot | CVE #(s): | CVE-2007-2231 | ||||||||||||
| Created: | May 8, 2007 | Updated: | May 21, 2008 | ||||||||||||
| Description: | Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name. | ||||||||||||||
| Alerts: |
| ||||||||||||||
ekg: several vulnerabilities
| Package(s): | ekg | CVE #(s): | CVE-2005-2448 CVE-2007-1663 CVE-2007-1664 CVE-2007-1665 | ||||||
| Created: | June 25, 2007 | Updated: | July 2, 2007 | ||||||
| Description: | Several endianess errors may allow remote attackers to cause a denial of service. A memory leak in handling image messages may lead to denial of service. A null pointer deference in the token OCR code may lead to denial of service. A memory leak in the token OCR code may lead to denial of service. | ||||||||
| Alerts: |
| ||||||||
emacs21: denial of service
| Package(s): | emacs21 | CVE #(s): | CVE-2007-2833 | ||||||||||||
| Created: | June 21, 2007 | Updated: | August 29, 2007 | ||||||||||||
| Description: | The emacs21 editor has a denial of service vulnerability. emacs21 can be made to crash by viewing "certain types of images". | ||||||||||||||
| Alerts: |
| ||||||||||||||
evolution: format string error
| Package(s): | evolution | CVE #(s): | CVE-2007-1002 | |||||||||||||||||||||
| Created: | March 27, 2007 | Updated: | February 27, 2008 | |||||||||||||||||||||
| Description: | A format string error in the "write_html()" function in calendar/gui/ e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
pop mail man-in-the-middle attacks
| Package(s): | evolution thunderbird mutt fetchmail | CVE #(s): | CVE-2007-1558 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 8, 2007 | Updated: | August 7, 2007 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird, (2) Evolution, (3) mutt, and (4) fetchmail. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
evolution-data-server: malicious server arbitrary code execution
| Package(s): | evolution-data-server | CVE #(s): | CVE-2007-3257 | ||||||||||||||||||||||||||||||||||||
| Created: | June 18, 2007 | Updated: | November 7, 2007 | ||||||||||||||||||||||||||||||||||||
| Description: | From the GNOME bugzilla: "The "SEQUENCE" value in the GData of the IMAP code (camel-imap-folder.c) is converted from a string using strtol. This allows for negative values. The imap_rescan uses this value as an int. It checks for !seq and seq>summary.length. It doesn't check for seq < 0. Although seq is used as the index of an array." | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
fail2ban: log injection vulnerability
| Package(s): | fail2ban | CVE #(s): | |||||||
| Created: | June 22, 2007 | Updated: | July 30, 2007 | ||||||
| Description: | fail2ban 0.8 is susceptible to a log injection vulnerability. See this ossec.net entry for more information. | ||||||||
| Alerts: |
| ||||||||
fail2ban: denial of service
| Package(s): | fail2ban | CVE #(s): | CVE-2006-6302 | |||
| Created: | February 16, 2007 | Updated: | July 30, 2007 | |||
| Description: | fail2ban 0.7.4 and earlier does not properly parse sshd logs file, which allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file and cause a denial of service by adding arbitrary IP addresses to the sshd log file, as demonstrated by logging in to ssh using a login name containing certain strings with an IP address. | |||||
| Alerts: |
| |||||
file: integer overflow
| Package(s): | file | CVE #(s): | CVE-2007-2799 | ||||||||||||||||||||||||||||||
| Created: | June 1, 2007 | Updated: | October 19, 2007 | ||||||||||||||||||||||||||||||
| Description: | Colin Percival from FreeBSD reported that the previous fix for the file_printf() buffer overflow introduced a new integer overflow. A remote attacker could entice a user to run the file program on an overly large file (more than 1Gb) that would trigger an integer overflow on 32-bit systems, possibly leading to the execution of arbitrary code with the rights of the user running file. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox mozilla seamonkey thunderbird | CVE #(s): | CVE-2007-1362 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869 CVE-2007-2870 CVE-2007-2871 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 4, 2007 | Updated: | August 29, 2007 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Various flaws were discovered in the layout and JavaScript engines. By
tricking a user into opening a malicious web page, an attacker could
execute arbitrary code with the user's privileges. (CVE-2007-2867,
CVE-2007-2868)
A flaw was discovered in the form autocomplete feature. By tricking a user into opening a malicious web page, an attacker could cause a persistent denial of service. (CVE-2007-2869) Nicolas Derouet discovered flaws in cookie handling. By tricking a user into opening a malicious web page, an attacker could force the browser to consume large quantities of disk or memory while processing long cookie paths. (CVE-2007-1362) A flaw was discovered in the same-origin policy handling of the addEventListener JavaScript method. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-2870) Chris Thomas discovered a flaw in XUL popups. A malicious web site could exploit this to spoof or obscure portions of the browser UI, such as the location bar. (CVE-2007-2871) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
freetype: arbitrary code execution
| Package(s): | freetype | CVE #(s): | CVE-2007-2754 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | May 24, 2007 | Updated: | July 19, 2007 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | The Freetype font rendering library versions 2.3.4 and below has an integer sign error. Remote attackers may be able to create a specially crafted TrueType Font file with a negative n_points value that will cause an integer overflow and heap-based buffer overflow, allowing the execution of arbitrary code. | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
freetype: integer overflows
| Package(s): | freetype | CVE #(s): | CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | June 8, 2006 | Updated: | October 10, 2007 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
gcc: file overwrite vulnerability
| Package(s): | gcc | CVE #(s): | CVE-2006-3619 | ||||||||||||
| Created: | September 6, 2006 | Updated: | March 14, 2008 | ||||||||||||
| Description: | The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. | ||||||||||||||
| Alerts: |
| ||||||||||||||
gd: buffer overflow
| Package(s): | gd | CVE #(s): | CVE-2007-0455 | ||||||||||||||||||||||||||||||
| Created: | February 7, 2007 | Updated: | February 28, 2008 | ||||||||||||||||||||||||||||||
| Description: | The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable. | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
gd: denial of service
| Package(s): | gd | CVE #(s): | CVE-2007-2756 | ||||||||||||||||||
| Created: | June 14, 2007 | Updated: | February 28, 2008 | ||||||||||||||||||
| Description: | Libgd2 has a denial of service vulnerability involving the incorrect validation of PNG callback results. If an application that is linked against libgd2 is used to process a specially-crafted PNG file, a denial of service involving CPU resource consumption can be caused. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
horde-kronolith: local file inclusion
| Package(s): | horde-kronolith | CVE #(s): | CVE-2006-6175 | |||
| Created: | January 17, 2007 | Updated: | March 7, 2008 | |||
| Description: | Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered string is used instead of a sanitized string to view local files. An authenticated attacker could craft an HTTP GET request that uses directory traversal techniques to execute any file on the web server as PHP code, which could allow information disclosure or arbitrary code execution with the rights of the user running the PHP application (usually the webserver user). | |||||
| Alerts: |
| |||||
ImageMagick: integer overflows
| Package(s): | imagemagick | CVE #(s): | CVE-2007-1797 | |||||||||||||||||||||||||||
| Created: | April 4, 2007 | Updated: | April 17, 2008 | |||||||||||||||||||||||||||
| Description: | Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers to execute arbitrary code via (1) a crafted DCM image, which results in a heap-based overflow in the ReadDCMImage function, or (2) the (a) colors or (b) comments field in a crafted XWD image, which results in a heap-based overflow in the ReadXWDImage function, different issues than CVE-2007-1667. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
imlib2: arbitrary code execution
| Package(s): | imlib2 | CVE #(s): | CVE-2006-4806 CVE-2006-4807 CVE-2006-4808 CVE-2006-4809 | |||||||||||||||||||||
| Created: | November 6, 2006 | Updated: | August 13, 2007 | |||||||||||||||||||||
| Description: | M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
ipsec-tools: denial of service
| Package(s): | ipsec-tools | CVE #(s): | CVE-2007-1841 | |||||||||||||||||||||
| Created: | April 10, 2007 | Updated: | August 28, 2007 | |||||||||||||||||||||
| Description: | A flaw was discovered in the IPSec key exchange server "racoon". Remote attackers could send a specially crafted packet and disrupt established IPSec tunnels, leading to a denial of service. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
jasper: denial of service
| Package(s): | jasper | CVE #(s): | CVE-2007-2721 | ||||||||||||||||||
| Created: | June 1, 2007 | Updated: | November 6, 2007 | ||||||||||||||||||
| Description: | The jpc_qcx_getcompparms function in jpc/jpc_cs.c could allow remote user-assisted attackers to cause a denial of service (crash) and possibly corrupt the heap via malformed image files. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
kdebase: information leak
| Package(s): | kdebase | CVE #(s): | CVE-2007-2022 | |||||||||
| Created: | June 13, 2007 | Updated: | September 19, 2007 | |||||||||
| Description: | A problem with the interaction between the Flash Player and the Konqueror web browser was found. The problem could lead to key presses leaking to the Flash Player applet instead of the browser. NOTE: CVE number may be incorrect, see CVE entry | |||||||||||
| Alerts: |
| |||||||||||
kdelibs: cross-site scripting
| Package(s): | kdelibs konqeror | CVE #(s): | CVE-2007-0537 | |||||||||||||||
| Created: | February 5, 2007 | Updated: | August 13, 2007 | |||||||||||||||
| Description: | Konqueror 3.5.5 does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within a comment, a related issue to CVE-2007-0478. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2007-1357 | |||||||||||||||||||||
| Created: | April 16, 2007 | Updated: | November 14, 2007 | |||||||||||||||||||||
| Description: | The atalk_sum_skb function in AppleTalk for Linux kernel 2.6.x before 2.6.21, and possibly 2.4.x, allows remote attackers to cause a denial of service (crash) via an AppleTalk frame that is shorter than the specified length, which triggers a BUG_ON call when an attempt is made to perform a checksum. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2006-5749 CVE-2006-4814 CVE-2006-6106 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | January 5, 2007 | Updated: | May 7, 2008 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | A security issue has been reported in Linux kernel due to an error in
drivers/isdn/i4l/isdn_ppp.c as the "isdn_ppp_ccp_reset_alloc_state()"
function never initializes an event timer before scheduling it with the
"add_timer()" function.
The mincore function in the kernel does not properly lock access to user space, which has unspecified impact and attack vectors, possibly related to a deadlock. Another vulnerability has been reported in Linux kernel caused by a boundary error within the handling of incoming CAPI messages in net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain Kernel data structures. | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2006-4623 | ||||||
| Created: | October 18, 2006 | Updated: | November 14, 2007 | ||||||
| Description: | The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data. | ||||||||
| Alerts: |
| ||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2007-0005 CVE-2007-1000 | ||||||||||||||||||||||||
| Created: | March 15, 2007 | Updated: | November 14, 2007 | ||||||||||||||||||||||||
| Description: | The Linux kernel has a boundary error problem with the
Omnikey CardMan 4040 driver read and write functions. This can be used
to cause a buffer overflow and possible execution or arbitrary code with
kernel privileges.
The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c is vulnerable to a NULL pointer dereference. Local users can use this to crash the kernel or to disclose kernel memory. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2006-0007 CVE-2007-0006 | |||||||||||||||||||||
| Created: | February 15, 2007 | Updated: | November 14, 2007 | |||||||||||||||||||||
| Description: | Linux kernel versions from 2.6.9 to 2.6.20 have a denial of service vulnerability. A remote attacker can cause the key_alloc_serial function's key serial number collision avoidance code to have a null dereference, resulting in a crash. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2006-4535 CVE-2006-4538 | |||||||||||||||||||||
| Created: | September 18, 2006 | Updated: | December 3, 2007 | |||||||||||||||||||||
| Description: | Sridhar Samudrala discovered a local denial of service vulnerability
in the handling of SCTP sockets. By opening such a socket with a
special SO_LINGER value, a local attacker could exploit this to crash
the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel. (CVE-2006-4538) | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2007-1861 CVE-2007-2242 | |||||||||||||||||||||||||||||||||||||||
| Created: | May 1, 2007 | Updated: | February 8, 2008 | |||||||||||||||||||||||||||||||||||||||
| Description: | The netlink protocol has an infinite recursion bug that allows users to cause a kernel crash. Also the IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
kernel: denial of service by memory consumption
| Package(s): | kernel | CVE #(s): | CVE-2006-2936 |
| Created: | July 17, 2006 | Updated: | November 14, 2007 |
| Description: |