Red Hat Security Advisory 2016-1420-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.
7cede861a05dabf8a87aa3760a62b71b991e7fc3605adcc358f10a01192a48e5Ubuntu Security Notice 3038-1 - It was discovered that the Apache HTTP Server would set the HTTP_PROXY environment variable based on the contents of the Proxy header from HTTP requests. A remote attacker could possibly use this issue in combination with CGI scripts that honour the HTTP_PROXY variable to redirect outgoing HTTP requests.
74e95b5addef4fc8153088ab09870ab4f82e6df17b22f4b1bc874aa554309f32Red Hat Security Advisory 2016-1421-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.
436fc4e839cc2887a759542674a0dc2989aec34c7b74fe6ed4b9921e48d2096dRed Hat Security Advisory 2016-1422-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.
87acaf1ab290cbcda124e1031ca7e28dc94b6eaedf153777e3ce2d06a749ae8bIPFire, a free linux based open source firewall distribution, versions prior to 2.19 Update Core 101 contain a remote command execution vulnerability in the proxy.cgi page.
4455d8714ad0f2e393232ebc31503bf395db118a9964e731f57356a841e46f2aUbuntu Security Notice 2995-1 - Yuriy M. Kaminskiy discovered that the Squid pinger utility incorrectly handled certain ICMPv6 packets. A remote attacker could use this issue to cause Squid to crash, resulting in a denial of service, or possibly cause Squid to leak information into log files. Yuriy M. Kaminskiy discovered that the Squid cachemgr.cgi tool incorrectly handled certain crafted data. A remote attacker could use this issue to cause Squid to crash, resulting in a denial of service, or possibly execute arbitrary code. Various other issues were also addressed.
19d45016c93c515ab0067629562c37bd5711e3322bb091870d52f61616af52a2Red Hat Security Advisory 2016-1140-01 - The "squid34" packages provide version 3.4 of Squid, a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Note that apart from "squid34", this version of Red Hat Enterprise Linux also includes the "squid" packages which provide Squid version 3.1. Security Fix: A buffer overflow flaw was found in the way the Squid cachemgr.cgi utility processed remotely relayed Squid input. When the CGI interface utility is used, a remote attacker could possibly use this flaw to execute arbitrary code.
4ddd25072f9b7bdc9d460f29a486fcdf22fc646b8001810de74d8404286f2dfbRed Hat Security Advisory 2016-1139-01 - Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fix: A buffer overflow flaw was found in the way the Squid cachemgr.cgi utility processed remotely relayed Squid input. When the CGI interface utility is used, a remote attacker could possibly use this flaw to execute arbitrary code. Buffer overflow and input validation flaws were found in the way Squid processed ESI responses. If Squid was used as a reverse proxy, or for TLS/HTTPS interception, a remote attacker able to control ESI components on an HTTP server could use these flaws to crash Squid, disclose parts of the stack memory, or possibly execute arbitrary code as the user running Squid.
68a695fb82d9a9d930f969e15232aa6c79c5983c8c4aadcb320c3f086f496e89Red Hat Security Advisory 2016-1138-01 - Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fix: A buffer overflow flaw was found in the way the Squid cachemgr.cgi utility processed remotely relayed Squid input. When the CGI interface utility is used, a remote attacker could possibly use this flaw to execute arbitrary code. Buffer overflow and input validation flaws were found in the way Squid processed ESI responses. If Squid was used as a reverse proxy, or for TLS/HTTPS interception, a remote attacker able to control ESI components on an HTTP server could use these flaws to crash Squid, disclose parts of the stack memory, or possibly execute arbitrary code as the user running Squid.
1b45107a7d5870831ac496e28e1912accc9d20214d4ac341cdeaae582ad76b51The TP-Link SC2020n Network Video Camera is vulnerable to OS Command Injection via the web interface. By firing up the telnet daemon, it is possible to gain root on the device. The vulnerability exists at /cgi-bin/admin/servetest, which is accessible with credentials.
6d9bcf28b50744ae1b54ed55f4fdaa3d592c14f7b0231ff8fe3e82e0cf7640caCisco Security Advisory - A vulnerability in a CGI script in the Cisco UCS Manager and the Cisco Firepower 9000 Series appliance could allow an unauthenticated, remote attacker to execute arbitrary commands on the Cisco Unified Computing System (UCS) Manager or the Cisco Firepower 9000 Series appliance. The vulnerability is due to unprotecting calling of shell commands in the CGI script. An attacker could exploit this vulnerability by sending a crafted HTTP request to the Cisco UCS Manager or the Cisco Firepower 9000 Series appliance. An exploit could allow the attacker to execute arbitrary commands on the Cisco UCS Manager or the Cisco Firepower 9000 Series appliance. Cisco has released software updates that address this vulnerability.
9c8fe5c6f50edaa9c3f0047fc7cc1967a178d3b69c2eb01ef7ae36795f502b11Stanford's CGI subdomain suffers from a cross site scripting vulnerability.
b828d5f3b9d6e3d8a71e219a8d7e4af37707c72dd459f17ab0df4a06df946b7dThis Metasploit module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This Metasploit module targets the 'ping.sh' CGI script, accessible through the Boa web server on Advantech switches. This Metasploit module was tested against firmware version 1322_D1.98.
2d07c4e5c3e954a7d9efc2a4e7d397f7e69058ab0c07cd400854d45c65db2f07Debian Linux Security Advisory 3405-1 - Tero Marttila discovered that the Debian packaging for smokeping installed it in such a way that the CGI implementation of Apache httpd (mod_cgi) passed additional arguments to the smokeping_cgi program, potentially leading to arbitrary code execution in response to crafted HTTP requests.
093436dd8877007cc38f10a273809c83511466a1c55d6c0914d14c87e2b9cf4cThis Metasploit module exploits an OS command injection vulnerability in a web-accessible CGI script used to change passwords for locally-defined proxy user accounts. Valid credentials for such an account are required. Command execution will be in the context of the "nobody" account, but this account had broad sudo permissions, including to run the script /usr/local/bin/chrootpasswd (which changes the password for the Linux root account on the system to the value specified by console input once it is executed). The password for the proxy user account specified will *not* be changed by the use of this module, as long as the target system is vulnerable to the exploit. Very early versions of Endian Firewall (e.g. 1.1 RC5) require HTTP basic auth credentials as well to exploit this vulnerability. Use the USERNAME and PASSWORD advanced options to specify these values if required. Versions >= 3.0.0 still contain the vulnerable code, but it appears to never be executed due to a bug in the vulnerable CGI script which also prevents normal use (http://jira.endian.com/browse/UTM-1002). Versions 2.3.x and 2.4.0 are not vulnerable because of a similar bug (http://bugs.endian.com/print_bug_page.php?bug_id=3083). Tested successfully against the following versions of EFW Community: 1.1 RC5, 2.0, 2.1, 2.2, 2.5.1, 2.5.2. Should function against any version from 1.1 RC5 to 2.2.x, as well as 2.4.1 and 2.5.x.
93595333575588a0761fd710896979bd064097e42ff0603d14d9ecebcedd6cffNikto is an Open Source web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers.
c1731ae4133d3879718bb7605a8d395b2036668505effbcbbcaa4dae4e9f27f2Core Security Technologies Advisory - The AirLink101 SkyIPCam1620W Wireless N MPEG4 3GPP network camera is vulnerable to an OS command injection vulnerability in the snwrite.cgi binary.
21c2101703c779b440b5b09b966619ab442997dafefe43dda29ce74298fae4b6Core Security Technologies Advisory - AirLive MD-3025, BU-3026, BU-2015, WL-2000CAM, and POE-200CAM are IP cameras designed for professional surveillance and security applications. The built-in IR LEDs provide high quality nighttime monitoring. These AirLive devices are vulnerable to an OS Command Injection Vulnerability. In the case of the MD-3025, BU-3026 and BU-2015 cameras, the vulnerability lies in the cgi_test.cgi binary file. In the case of the WL-2000CAM and POE-200CAM cameras, the command injection can be performed using the vulnerable wireless_mft.cgi binary file.
4f5dfe0ba3159b241b97dd31fdce3b6857722610dfebf00e92c39d6677ccf2b6The CGI script used in the iBall 150M Wireless-N ADSL2+ router does not validate credentials. Hence any page in the router can be directly accessed by replacing page extension with .cgi.
4f6130f32632281e0a685611d0f071ae4329ca63096fc5c385e01cbcf5abc5fcThis Metasploit module exploits a remote buffer overflow vulnerability on several Airties routers. The vulnerability exists in the handling of HTTP queries to the login cgi with long redirect parameters. The vulnerability doesn't require authentication. This Metasploit module has been tested successfully on the AirTies_Air5650v3TT_FW_1.0.2.0.bin firmware with emulation. Other versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453, Air5444TT, Air5443, Air5442, Air5343, Air5342, Air5341, Air5021 are also reported as vulnerable.
e3284b80df8a49e84fe10eeeefb856090ee5b49ba6f62e629a9763e62071ed9aCore Security Technologies Advisory - The InFocus IN3128HD Projector is vulnerable to an authentication bypass in its web interface login page, and is missing authentication for the "webctrl.cgi.elf" CGI file, which allows several actions to be performed or configured inside the device. Firmware 0.26 is verified vulnerable.
43fb2590b9fc435e2c9ebe21968f5729e87d0846d203db8e44a8e274d09e864cMandriva Linux Security Advisory 2015-076 - Updated python3 packages fix security vulnerabilities. ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips. A vulnerability was reported in Python's socket module, due to a boundary error within the sock_recvfrom_into() function, which could be exploited to cause a buffer overflow. This could be used to crash a Python application that uses the socket.recvfrom_info() function or, possibly, execute arbitrary code with the permissions of the user running vulnerable Python code. It was reported that a patch added to Python 3.2 caused a race condition where a file created could be created with world read/write permissions instead of the permissions dictated by the original umask of the process. This could allow a local attacker that could win the race to view and edit files created by a program using this call. Note that prior versions of Python, including 2.x, do not include the vulnerable _get_masked_mode() function that is used by os.makedirs() when exist_ok is set to True. Python are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking. The bug is caused by allowing the user to supply a negative value that is used an an array index, causing the scanstring function to access process memory outside of the string it is intended to access. The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs. This may enable attackers to disclose a CGI script's source code or execute arbitrary scripts in the server's document root.
ab76b20f26c250158d7fa23532b4b88bd262202a2dbe4ad2a031d1e8a96c39ebMandriva Linux Security Advisory 2015-075 - A vulnerability was reported in Python's socket module, due to a boundary error within the sock_recvfrom_into() function, which could be exploited to cause a buffer overflow. This could be used to crash a Python application that uses the socket.recvfrom_info() function or, possibly, execute arbitrary code with the permissions of the user running vulnerable Python code. This updates the python package to version 2.7.6, which fixes several other bugs, including denial of service flaws due to unbound readline() calls in the ftplib and nntplib modules. Denial of service flaws due to unbound readline() calls in the imaplib, poplib, and smtplib modules. A gzip bomb and unbound read denial of service flaw in python XMLRPC library. Python are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking. The bug is caused by allowing the user to supply a negative value that is used an an array index, causing the scanstring function to access process memory outside of the string it is intended to access. The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs. This may enable attackers to disclose a CGI script's source code or execute arbitrary scripts in the server's document root. Python before 2.7.8 is vulnerable to an integer overflow in the buffer type. When Python's standard library HTTP clients (httplib, urllib, urllib2, xmlrpclib) are used to access resources with HTTPS, by default the certificate is not checked against any trust store, nor is the hostname in the certificate checked against the requested host. It was possible to configure a trust root to be checked against, however there were no faculties for hostname checking. The python-pip and tix packages was added due to missing build dependencies.
3b0a1e39fae22b4d6476806ca1197785de85b0ad0d0836ae88ff10eef9f34bcfThis Metasploit module exploits a remote buffer overflow vulnerability on Belkin Play N750 DB Wireless Dual-Band N+ Router N750 routers. The vulnerability exists in the handling of HTTP queries with long 'jump' parameters addressed to the /login.cgi URL, allowing remote unauthenticated attackers to execute arbitrary code. This Metasploit module was tested in an emulated environment, using the version 1.10.16.m of the firmware.
164f73d50b085d0c2335092e7f16da683c66b3f7e546e57619eee75d165cbf97Ubuntu Security Notice 2501-1 - Stefan Esser discovered that PHP incorrectly handled unserializing objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. CVE-2015-0231) Brian Carpenter discovered that the PHP CGI component incorrectly handled invalid files. A local attacker could use this issue to obtain sensitive information, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. Various other issues were also addressed.
87581be317b7551f9d11aa00fc90c8ccbf8b821794084bfafde6b9df107ac894
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed