AeroMail Server File Disclosure Vulnerability
AeroMail JavaScript Execution Vulnerability
BugTraq ID: 4214
BugTraq ID: 4215
Remote: Yes
Date Published: Mar 01 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4214
http://www.securityfocus.com/bid/4215
Summary:
AeroMail is a web-based email program maintained by Mark Cushman. AeroMail is designed for Windows and Unix systems. An issue exists in versions of AeroMail which could allow a user to include files residing in the host's web root as an attachment to email messages. In addition, if a maliciously constructed email message is received by an AeroMail user, JavaScript included in the message will execute.

CFS Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 4219
Remote: Yes
Date Published: Mar 02 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4219
Summary:
Cryptographic File System (CFS) for Unix is a file system encryption package. Versions prior to 1.3.3-8.1 are vulnerable to a number of buffer overflow issues. Whether or not these are exploitable to obtain privileges on the host is unknown at the present time. They can, however, be used to initiate a denial of service condition against the encrypted file system.

ReBB Image Tag Cross-Site Scripting Vulnerability
BugTraq ID: 4220
Remote: Yes
Date Published: Mar 04 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4220
Summary:
ReBB is web forum software which will run on most Unix and Linux variants, as well as Microsoft Windows operating systems. It is written in PHP and may be back-ended by a number of databases. HTML tags are not adequately filtered from within the image tags. It is possible to inject arbitrary script code into forum messages via these image tags. As a result, ReBB is prone to cross-site scripting attacks. Script code will be executed in the browser of the user viewing the forum message and may allow an attacker to steal cookie-based authentication credentials or perform actions as the victim user.

Endymion Sake Mail Null Character File Disclosure Vulnerability
BugTraq ID: 4223
Remote: Yes
Date Published: Mar 04 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4223
Summary:
Endymion Sake Mail is a webmail servlet, written in Java. It will run on most Unix and Linux variants, in addition to Microsoft Windows operating systems. It is prone to directory traversal attacks, potentially disclosing arbitrary web-readable files to remote attackers. Successful exploitation entails crafting a malicious web request targeting an arbitrary web-readable file. The malicious request will include dot-dot-slash (../) sequences and a trailing null character (%00), causing the attacker's request to break out of wwwroot to disclose the contents of the targeted file.

Endymion MailMan Alternate Templates File Disclosure Vulnerability
BugTraq ID: 4222
Remote: Yes
Date Published: Mar 04 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4222
Summary:
Endymion MailMan is a webmail application written in Perl. It will run on most Linux and Unix variants, in addition to Microsoft Windows operating systems. Due to insufficient validation of input supplied to the ALTERNATE_TEMPLATES CGI variable, Endymion MailMan is prone to directory traversal attacks. An attacker may view arbitrary web-readable files by crafting a malicious web request containing dot-dot-slash (../) sequences, followed by the name of the requested file, followed by a trailing null character (%00).

Real Networks RealPlayer Directory Traversal Vulnerability
BugTraq ID: 4221
Remote: Yes
Date Published: Mar 02 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4221
Summary:
RealPlayer is a media player for Windows, Macintosh, Linux and Solaris. It has been reported that it is possible to traverse the directory structure of a host, leading to a potential disclosure of sensitive data. It has been reported that RealPlayer uses a web server when playing streaming media files off the local system. Allegedly, submitting an HTTP GET request to the port RealPlayer listens on, along with '../' character sequences and a known file, could disclose the requested resource.
[ not open source, but fairly widespread ]

Kame-Derived Stack Non-ESP IPV4 Forwarded Packets Policy Bypassing Vulnerability
BugTraq ID: 4224
Remote: Yes
Date Published: Mar 04 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4224
Summary:
KAME is a freely available, open source IPv6 and IPSec implementation. It is distributed and maintained by the KAME Project. A problem with policy-based filtering may make it possible to pass unauthorized traffic through a router. The problem is in the filtering of specific types of traffic. When an IPv4 network is using Encapsulating Security Payload (ESP) between a system and router endpoints, with non-ESP traffic blocked at the Security Gateway (SG), non-ESP IPv4 traffic sent to the SG would be forwarded by the SG. This could allow an attacker with arbitrary access to the network to pass traffic out of the network via the SG. It should be noted that traffic through the SG for the arbitrary host would be blocked, as the router implementation handles this traffic type correctly.

Phorum User Information Disclosure Vulnerability
BugTraq ID: 4226
Remote: Yes
Date Published: Mar 02 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4226
Summary:
Phorum is a PHP-based web forums package. Due to an error in an administrative script, any user can view the most active users' information. The admin directory contains a script called 'stats.php'; there are no privilege restrictions on this file and it is accessible by any user. Upon obtaining this file, a user could obtain a list of the most active users and their email addresses.

Zope Proxy Role Elevated Object Access Vulnerability
BugTraq ID: 4229
Remote: Yes
Date Published: Mar 01 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4229
Summary:
Zope is an open source web application server, maintained by the Zope Project. Zope is available for Linux, Solaris and Windows based systems. Under some circumstances, a user with sufficient privileges who is defined in a subfolder of a site will be able to access objects at a higher level in the site.

Multiple Vendor Radius Short Vendor-Length Field Denial Of Service Vulnerability
BugTraq ID: 4230
Remote: Yes
Date Published: Mar 04 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4230
Summary:
A problem has been discovered in the handling of vendor-specific options. When a RADIUS packet is passed to a client or server, neither the client nor the server validates the contents of the vendor-length field. When a RADIUS packet with a vendor-length specification of less than 2 is sent, the contents of the vendor-length field are interpreted as a negative number. This number may be passed to other functions of the RADIUS server or client, resulting in an unpredictable reaction and a likely crash of the server or client.

Multiple Vendor Java Virtual Machine Session Hijacking Vulnerability
BugTraq ID: 4228
Remote: Yes
Date Published: Mar 04 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4228
Summary:
Various Java virtual machine implementations contain a vulnerability that may allow for interception and hijacking of web requests. The vulnerability is present when a client system is configured to use an HTTP proxy server. It is possible for malicious Java code to redirect requests meant for the proxy server to an arbitrary host. This occurs transparently, without any client consent or knowledge. This vulnerability can be exploited with a maliciously crafted Java applet, possibly embedded in a web page. The victim must run the applet in a vulnerable virtual machine. As a result, a user's session information could be captured and examined for sensitive information. Man-in-the-middle attacks may also be possible, as the response to any request may be crafted by the attacker.

CVS Server Global Variable Denial Of Service Vulnerability
BugTraq ID: 4234
Remote: Yes
Date Published: Mar 05 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4234
Summary:
Due to a programming error, a global variable used by the CVS Server program is improperly initialized. Because of this, a remote user may be able to create a set of circumstances that use the improperly initialized variable. This could result in the server reacting unpredictably and crashing.

HP ProCurve Switch Denial of Service Vulnerability
BugTraq ID: 4212
Remote: Yes
Date Published: Mar 01 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4212
Summary:
A ProCurve switch could be led to deny telnet users service of the switch. When the switch is port-scanned by a tool such as nmap, which is capable of producing a high number of TCP connect() requests in a short period of time, the switch will no longer accept new telnet connections. Reportedly, this issue does not affect ICMP or SNMP management of the device, nor are existing telnet sessions disconnected. Rebooting the switch may be required in order to regain normal functionality. HP ProCurve 4000M switches with firmware version C.09.09 or C.08.22 are reported to be susceptible to this issue.
[ hardware ]

- To post an announcement: [EMAIL PROTECTED]
