Owl v0.71, the multi-user document repository, fails to actually authenticate the login name it is given. If a completely fake login name is passed, an attacker can get in without any valid session id.
03f9bd851bb279e45b8bb81e862206499d29b6ff1c7a2b6bf67e4d7c8450af8f
Poster version.two, the PHP news posting system, suffers from a vulnerability in the index.php file that allows a user to edit their account. Since the user is allowed to change the embedded information in the code, they can achieve privilege escalation to an administrative level.
dc71044533eb04ee5b535377f6bf7916a5d9ffba89345827b2c427c81a5b49dc
Remote exploit for PuTTY v0.52 and below which poses as an SSH daemon and binds cmd.exe on port 31337 of the victim that connects to it. Tested against Windows XP and 98SE.
eafb21d90b54269b8a8b5aba1dbea160f82668e29aadfa66c25daf5443e53fc9
Local root exploit for Cdrecord versions 2.0 and below under Linux. Version 1.10 is not vulnerable.
914dac976a698edcc4171c58949751d969d9fb21519d7ad028595eb0ff3c9047
Microsoft's Windows Script Engine within the Windows operating system has a flaw in its implementation of jscript.dll. When a malicious web page is loaded with code that points to self.window(), random errors and lock-ups occur in Internet Explorer. Tested against IE versions: 5.01 (Win2000), 5.5 (Win98SE), 6.0 (WinXP). Vulnerable jscript.dll versions: 5.1.0.8513 (Win2000), 5.5.0.8513 (Win98SE), 5.6.0.6626 (WinXP Pro), 5.6.0.8513 (Win2000).
47ac1d606f466452571ac90777b13a37b24d69838cf1609016f6c7dfe9905845
Atstake Security Advisory A051203-1 - The Apple AirPort XORs a password with a fixed maximum of 32 bytes against a predefined key. If a password is set to one character, a simple sniff of the 32 byte block will reveal 31 bytes of the XOR key. The final byte can be obtained by XORing the obfuscated first byte against the first character of the plaintext password.
72c9a3c6b408f1e2bd344bc4e089fb5e6fd14d01b2497ba07065546cd0280432
Secunia Research Advisory - Opera browser versions 7.10 and 7.03 suffer from denial of service and possible remote code execution vulnerabilities due to incorrect handling of long filename extensions.
6813e2fb04422a621b2923b0573f448627a664e0e64d5de3ab7ba2ce8d64ae00
Snitz Forums v3.3.3 has an SQL injection vulnerability in its register.asp page with its Email variable. Because register.asp does not check user input, remote users can execute stored procedures, such as xp_cmdshell, to arbitrarily run non-interactive commands on the system.
88e2db0c77773604dc8879db1c1af96995d5144b910b58b58ca6716c337beb02
Linux x86 shellcode (48 bytes) which does setreuid(0,0); execve("/bin/bash", NULL); exit(0);
9b5c6592a60521c7b883d20faff2a3b2f672c2706732bafb65e60fe26cd543f8
Local root exploit for Leksbot binary KATAXWR that was accidentally packaged setuid. Tested against Debian Linux 3.0.
ccefd74ac440c99d2929476f1ac0e07bf8e39606aab167acff5334c8834e26e8
Firebird has 3 binaries: gds_inet_server, gds_drop, and gds_lock_mgr, which all use insufficient bounds checking in conjunction with getenv(), making each one susceptible to local exploitation. Enclosed are two local root exploits tested against versions 1.0.0 and 1.0.2 on FreeBSD.
7841bcf9369b0cfc917765429ceb7118d676bfc4a650b097f57716bfab790d9a
eServ's connection handling routine contains a memory leak that may be exploited to cause the eServ daemon to become unavailable. After several thousand successful connections, memory use on the system becomes exceedingly high, resulting in a denial of service.
d2f4390109435ee36d5dc375522685bfd5454f284c2857c2ce225b3a35457ead
Snuffi v0.1 is a Linux kernel module that adds a hook to the incoming and outgoing queues of netfilter. Currently this module only supports IPv4 TCP traffic.
6e6f24562877cbfa3f9ec480e172b0a06585a614fbf1ae92d4b99776ec86193e
A buffer overflow exists in the ESMTP CMailServer 4.0.2002.11.24 SMTP Service, resulting in a denial of service attack. It is possible to overwrite the exception handler on the stack allowing a system compromise with code execution running as SYSTEM.
5b6c7e29cda4b4895c96fe3a992e7e4f08e616bb0355e42816d8f3195bf180b9
Logo for Rosiello Security.
0bfed6f5caae43af3e38e2ad5f5837e643c5bcfeee1d3d1070ce7bbe8ae7d868
Secure Network Operations, Inc. Advisory SRT2003-05-08-1137: A problem appears to be created by a series of strcat(), sprintf(), and strcpy() functions in ListProc <= 8.2.09 enabling an attacker to gain root privileges through a buffer overflow.
6f50fd0f97d230ad3274da01950442528af3f72db94c34f4def4b44e8d943785
This utility removes LKM rootkits that are normally undetectable, with the help of vmalloc, which manages the memory for a kernel module. Tested against Adore, Knark, Sinapse, Heroin, and others.
1a65bc5b515606ae0a738c74395b3b5abac289826e46616fd86d68bcd4dc0908
Kerio Personal Firewall <= 2.1.4 and Tiny Personal Firewall <= 2.0.15 remote exploit that makes use of a buffer overflow condition discovered in the PFEngine used for both products.
e09529ee95b595d74fd8ddc93ccb3d46340c18332d5c962f794898dac30815bb
Microsoft's Hotmail and Passport .NET accounts are vulnerable to having their password reset by a remote attacker due to lack of input validation for a secondary email address.
da7c4583da30ce3f7f9b4d3258dccc122a3632f5231b1b2da644115ac2f10a3d
The Intuity Audix voicemail system by default is maintained over port 23 (telnet) in a restricted command interface. If an attacker has a known account/password, they can circumvent this interface and get an unrestricted shell using rexec.
4fcde277b065ccb6ef5420098a7767fb530e514f5b5d5d99c34c266efcaab54a
Happymall E-Commerce software versions 4.3 and 4.4 are vulnerable to remote command execution due to a lack of input validation in the normal_html.cgi script.
eab0754ef30dce301af456ecddca51b467284212d77cc05906c7a6f626e4b8b0
Windows Media Player versions 7 and 8 are vulnerable to a directory traversal attack when skin files are downloaded from the Internet. The vulnerability allows malicious users to upload an arbitrary file to an arbitrary location when a victim user views a web page.
6830f8477260f63dd614d39ad9542f854621edd6549ee5f678a0dddd09b987a6
NGSSoftware Insight Security Research Advisory #NISR07052003B - SLWebMail 3 is vulnerable to various buffer overflows in many of its ISAPI DLL applications including showlogin.dll, recman.dll, admin.dll, and globallogin.dll. It is also vulnerable to arbitrary file access via ShowGodLog.dll which does not even force authentication prior to use. Physical paths can also be determined by making invalid requests to certain DLLs.
54067ee210fce9b8f593df9b701aad1f9b7f8d14e93cc22925ce3b332df7bdb6
NGSSoftware Insight Security Research Advisory #NISR07052003A - SLMail 5.1.0.4420 suffers from multiple remotely exploitable buffer overflows in its SMTP engine, poppasswd and pop3 server.
f1596ac171952997d68b570e48c7d33e603793b70bb773d5a05f225bd2eec995
Cisco Security Advisory: Multiple vulnerabilities have been found in the Cisco VPN 3000 Concentrator series which includes models 3005, 3015, 3030, 3060, 3080 and the Cisco VPN 3002 Hardware Client. The enabling IPSec over TCP, malformed SSH initialization packet, and malformed ICMP traffic vulnerabilities are discussed.
af88958829ec7097e77e47c07920a93812b55c63f638f0ac556a6c8a32743dc5