iDEFENSE Security Advisory 06.16.03: The pam_wheel module of Linux-PAM uses getlogin() in an insecure manner, thereby allowing attackers to bypass certain restrictions. The pam_wheel module is often used with the su command to allow users belonging to a trusted group to utilize the command without supplying a password. The module utilizes the getlogin() function to determine the name of the currently logged in user. This name is then compared against a list of members of a trusted group as specified in the configuration file. If the trust option is enabled in the pam_wheel configuration file and the use_uid option is disabled, any local user may spoof the username returned by getlogin() and gain access to a super-user account without supplying a password.
c65f3b99c2e44aca0273c3c270501fa89200aeeec261693c53ac01a45de16c3e
The product Mailtraq suffers from multiple vulnerabilities, ranging from access to files that reside outside the bounding HTML root directory, through decryption of locally stored passwords, to a cross-site scripting vulnerability in the webmail interface.
0fccaf9934ee9baa9e271e3755695428f4343300ad90ccad092c5010d7861a0e
The ntdll.dll remote exploit through WebDAV that was originally written by kralor. This version is ported to Linux by Dotcom.
2c2a25135d00b80b6afe08a65594cfb418ba630c1c156a70363d9fcc3f00201e
It is possible to evade the BlackICE PC Protection IDS logging of cross-site scripting attempts because it does not check HEAD, PUT, DELETE, and TRACE requests for the <script> pattern.
ea50d43db68e3d4aeaaf1d9927e9cd734abfff473651ddcbc8ce4ef1fed187ae
Secure Network Operations, Inc. Advisory SRT2003-06-13-1009: Progress Database dbagent makes use of several helper .dll and .so binaries. When looking for shared object files, _dbagent looks at the argument passed to the command line option "-installdir". No verification is performed on the object that is located, so local non-superusers can make themselves root.
8b6fdcc0365bbcfd0d2a95fd0575bd8ddea798ae6c1a17fcde6e9e197f0d13af
Local exploit for E-term that escalates privileges to gid utmp via insufficient bounds checking performed on an environment variable that is copied into an internal memory buffer.
f237a0eba9a4f56b1498cd561335e4be5638015d0d619676b960dacd3044a6bd
Local root exploit for XaoS that makes use of a specially crafted command line -language argument to cause it to execute arbitrary code.
69d8770f8159a752b55a03fa0726456bce230f5b5d5be8647880d72636ed92d3
Remote format string exploit for Magic Winmail Server version 2.3. By sending a format string in the USER field during the authentication process, a remote attacker can cause the server to execute arbitrary code.
3500425cf62ca44b00af89fefa96dcebeb90a65e3253fbf1c84596b3df100aeb
Proof of concept remote root exploit for atftpd version 0.6. Makes use of the filename overflow found by Rick Patel. Tested against Debian 3.0.
9f6808a16e0468c6d54152cfeec1e9d9af5e7c3678ec1fac83789785f111fae5
Proof of concept exploit for mnoGoSearch 3.2.10 that spawns a shell as the webserver user id by overflowing the tmplt variable.
c15d5316bdf16f81657526878c11a47b32fd6928f4c75148f179c287d6f99817
Proof of concept exploit for mnoGoSearch 3.1.20 that performs remote command execution as the webserver user id.
168a6ae597d201173eb31793c1ca63cc6a43809ec5bbf130f10d5b38f5213886
Local root exploit for the diagrpt command on AIX 5.x and 4.x.
ea76fd0e38b7dc4fdbc4ca8ecf5110ed81045a414cff5c409777afa873f01ad8
Local root exploit for the errpt command on AIX5L.
e3ea043de54e16662166f004a6421bfbc615b1dae74eb7573d3e48d6a8e56cda
Local root exploit for the command lsmcode on AIX 4.3.3.
2fe67fa839a51b0dec7666b43d6df49f44ba93f7e2fa676f1864caf575b06a7b
THCsql exploits the vulnerability in the MSSQL OpenDataSource function found by David Litchfield in June of 2002. Tested on Windows 2000 Server SP2 with SQL Server SP0 and SP2.
8ec23baef348542a74bd1eb310301df8044857c91c1e8d7544218a18b67a034a
D-Link routers with firmware 2.70 and below are vulnerable to a denial of service, provided the attacker is able to reach the internal interface of the router. Sending a malformed URL to the syslog script will cause a DNS query. Many such queries can result in a DoS and other odd behavior.
802c81b31a6ec34d42defd9d16029f1790493faf92d67f06228dcf953950b333
Boss 3.2.1 with Jetty is vulnerable to full JSP source code disclosure when using a null byte.
5fa351f9ce58e57f2eea703a4be52cd1c81ec605244c7ecb9a5c8efb1cfdf9cf