The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

computer vulnerability announce 11347

Clearswift Email, Web Gateway: denial of service via iWork

Synthesis of the vulnerability

An attacker can use an iWork document containing an empty Zip64 header, in order to create an infinite loop in Clearswift products.
Impacted products: Clearswift Email Gateway, Clearswift Web Gateway.
Severity: 3/4.
Consequences: denial of service on service.
Provenance: document.
Creation date: 08/02/2012.
Identifiers: VIGILANCE-VUL-11347.

Description of the vulnerability

The Apple iWork office suite saves documents as Zip archives, which can use the Zip64 extensions of the format.

Clearswift products decode iWork archives in order to analyze their content. However, if a Zip64 header is empty, the decoder never advances past it and enters an infinite loop.

An attacker can therefore send an iWork document containing an empty Zip64 header through the gateway, in order to create an infinite loop in Clearswift products, which stalls content analysis.
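The failure class above is a decoder loop that steps through records by a length the record itself declares, with no guarantee of progress. The following added example (not Clearswift's code; the record layout, names and sample stream are constructed for the demonstration) models it: an unguarded walker stalls forever on a record that declares a zero length, while a walker that enforces a progress invariant rejects the record instead.

```python
import struct
from typing import Optional, Tuple

# Constructed record stream for this example (not a real Zip64 archive):
# each record is a 4-byte signature, a 2-byte declared total length that
# includes the header, and a payload. A declared length of zero is the
# "empty header" case.
SIG = b"Z64H"
HEADER_LEN = 6

def build_record(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    total = HEADER_LEN + len(payload) if declared_len is None else declared_len
    return SIG + struct.pack("<H", total) + payload

def walk_unguarded(blob: bytes, step_limit: int = 100_000) -> Tuple[int, bool]:
    """Vulnerable walker: advances by the record's own declared length.
    Returns (records_seen, stalled). step_limit exists only so the demo
    terminates; the real decoder has no cap and spins forever."""
    off = seen = 0
    for _ in range(step_limit):
        if off + HEADER_LEN > len(blob) or blob[off:off + 4] != SIG:
            return seen, False
        (total,) = struct.unpack_from("<H", blob, off + 4)
        seen += 1
        off += total          # total == 0: off never changes, loop never ends
    return seen, True

def walk_guarded(blob: bytes) -> Tuple[int, str]:
    """Hardened walker: every record must cover at least its own header and
    stay inside the input, which guarantees the offset strictly increases."""
    off = seen = 0
    while off + HEADER_LEN <= len(blob):
        if blob[off:off + 4] != SIG:
            return seen, f"bad signature at offset {off}"
        (total,) = struct.unpack_from("<H", blob, off + 4)
        if total < HEADER_LEN or off + total > len(blob):
            return seen, f"rejected record at offset {off}: declared length {total}"
        seen += 1
        off += total
    return seen, "ok"

if __name__ == "__main__":
    stream = build_record(b"abc") + build_record(b"", declared_len=0)
    print("unguarded:", walk_unguarded(stream, step_limit=1000))
    print("guarded:  ", walk_guarded(stream))
```

The guarded walker's two conditions (`total >= HEADER_LEN`, `off + total <= len(blob)`) are the whole fix: together they make the loop variable strictly increase, so termination no longer depends on the input being well formed.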

computer vulnerability alert CVE-2012-1051

XnView: buffer overflow via JPEG2000

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious JPEG2000 image with XnView, in order to stop it or to execute code.
Impacted products: XnView.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 08/02/2012.
Identifiers: BID-51896, CVE-2012-1051, SA47352, VIGILANCE-VUL-11346.

Description of the vulnerability

The XnView software displays and converts images in various formats.

The JPEG 2000 standard (extension .JP2) defines a wavelet-based compressed image format, designed as the successor of JPEG.

The quantization stage of JPEG 2000 compression discards fine detail (small variations in the high-frequency subbands); the quantization parameters for each subband are carried in the QCD (Quantization Default) marker segment.

When an image contains a QCD segment with too many entries, a buffer overflow occurs in Xjp2.dll. This vulnerability may have the same origin as VIGILANCE-VUL-11345.

An attacker can therefore invite the victim to open a malicious JPEG2000 image with XnView, in order to stop it or to execute code.

computer vulnerability 11345

JasPer: buffer overflow via Quantization

Synthesis of the vulnerability

An attacker can create a JPEG 2000 image, and invite the victim to open it with an application linked to JasPer, in order to create a buffer overflow, which leads to a denial of service or to code execution.
Impacted products: Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights, client access/rights.
Provenance: document.
Creation date: 08/02/2012.
Identifiers: SA47175, VIGILANCE-VUL-11345.

Description of the vulnerability

The JasPer library implements the processing of JPEG-2000 Part-1 images.

The quantization stage of JPEG 2000 compression discards fine detail (small variations in the high-frequency subbands); the quantization step size of each subband is carried in the QCD (Quantization Default) marker segment.

The jpc_dec_cp_setfromqcx() function of the src/libjasper/jpc/jpc_dec.c file copies the quantization step sizes into the decoder's per-component parameters. However, the number of entries taken from the marker segment is not bounded by the size of the destination table, so the copy can overflow.

An attacker can therefore create a JPEG 2000 image, and invite the victim to open it with an application linked to JasPer, in order to create a buffer overflow, which leads to a denial of service or to code execution.
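The XnView and JasPer bulletins above both come down to the same parsing decision: how many quantization entries a QCD marker segment may carry. The following added example (not JasPer's or XnView's code; the helper names and sample segments are constructed for the demonstration) parses a QCD segment as laid out in the JPEG 2000 Part 1 codestream syntax and bounds the entry count by the number of subbands the image geometry allows (3 * NL + 1 for NL decomposition levels) instead of trusting the segment length alone, which is the check that stops an oversized segment from overflowing a fixed-size per-band table.

```python
import struct
from typing import Dict, List

QCD_MARKER = 0xFF5C
MAX_DECOMP_LEVELS = 32                    # largest NL a COD segment can encode
MAX_SUBBANDS = 3 * MAX_DECOMP_LEVELS + 1  # 97: upper bound on per-band entries

def build_qcd(style: int, guard_bits: int, values: List[int]) -> bytes:
    """Constructed QCD marker segment: marker, Lqcd, Sqcd, then SPqcd entries
    (8-bit for style 0, 16-bit for styles 1 and 2)."""
    body = bytes(values) if style == 0 else b"".join(struct.pack(">H", v) for v in values)
    lqcd = 2 + 1 + len(body)              # Lqcd counts itself and Sqcd
    return struct.pack(">HHB", QCD_MARKER, lqcd, (guard_bits << 5) | style) + body

def parse_qcd(seg: bytes, decomp_levels: int) -> Dict[str, object]:
    """Parse a QCD segment, bounding the entry count by the number of
    subbands the image geometry allows instead of trusting Lqcd alone."""
    if not 0 <= decomp_levels <= MAX_DECOMP_LEVELS:
        raise ValueError("decomposition levels out of range")
    if len(seg) < 5:
        raise ValueError("segment too short")
    marker, lqcd, sqcd = struct.unpack_from(">HHB", seg, 0)
    if marker != QCD_MARKER:
        raise ValueError("not a QCD segment")
    if lqcd != len(seg) - 2:
        raise ValueError("Lqcd does not match the segment size")
    style, guard_bits = sqcd & 0x1F, sqcd >> 5
    body = seg[5:]
    if style == 0:
        width, expected = 1, 3 * decomp_levels + 1   # no quantization: one entry per subband
    elif style == 1:
        width, expected = 2, 1                        # scalar derived: a single entry
    elif style == 2:
        width, expected = 2, 3 * decomp_levels + 1   # scalar expounded: one entry per subband
    else:
        raise ValueError(f"unknown quantization style {style}")
    if len(body) % width:
        raise ValueError("truncated SPqcd entry")
    count = len(body) // width
    # The check a decoder must make before copying into a fixed-size table:
    # never more entries than subbands, whatever length the segment claims.
    if count != expected or count > MAX_SUBBANDS:
        raise ValueError(f"{count} step-size entries, expected {expected}")
    if width == 1:
        entries = [(v >> 3, 0) for v in body]                                   # (exponent, mantissa)
    else:
        entries = [(v >> 11, v & 0x7FF) for (v,) in struct.iter_unpack(">H", body)]
    return {"style": style, "guard_bits": guard_bits, "step_sizes": entries}

if __name__ == "__main__":
    print(parse_qcd(build_qcd(2, 2, [0x1234] * 4), decomp_levels=1))
    try:
        parse_qcd(build_qcd(2, 2, [0x1234] * 200), decomp_levels=1)
    except ValueError as err:
        print("rejected:", err)
```

The decomposition-level count has to come from the COD segment parsed earlier in the codestream; a decoder that sizes its quantization table from Lqcd without that cross-check is exactly the pattern the two bulletins describe.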

vulnerability note CVE-2012-1033 CVE-2012-1191 CVE-2012-1192

DNS, ISC BIND: no expiry of revoked names

Synthesis of the vulnerability

When a domain name was revoked, an attacker can periodically query a recursive DNS server, in order to continuously renew data in the cache, which never expire.
Impacted products: BIG-IP Hardware, TMOS, Fedora, HP-UX, BIND, McAfee Email and Web Security, Windows 2008 R0, openSUSE, DNS protocol, RHEL, Slackware, Unix (platform) ~ not comprehensive, ESX.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 6.
Creation date: 08/02/2012.
Revision date: 09/02/2012.
Identifiers: BID-51898, BID-52558, c03577598, CERTA-2012-AVI-663, CVE-2012-1033, CVE-2012-1191, CVE-2012-1192, CVE-2012-1193, CVE-2012-1194, CVE-2012-1570, ESX410-201211001, ESX410-201211401-SG, ESX410-201211402-SG, ESX410-201211405-SG, ESX410-201211407-SG, FEDORA-2013-1176, FEDORA-2013-1204, FEDORA-2013-1301, FEDORA-2013-6279, FEDORA-2013-6316, openSUSE-SU-2012:0863-1, openSUSE-SU-2012:0864-1, RHSA-2012:0716-01, RHSA-2012:0717-01, SOL15481, SSA:2012-166-01, VIGILANCE-VUL-11344, VMSA-2012-0016, VU#542123.

Description of the vulnerability

A DNS recursive server keeps previous replies in its cache. For example, if a user requests "www.phishing.com":
 - the user's recursive server queries a server which is authoritative for ".com": which servers are authoritative for "phishing.com"?
 - it receives the reply "ns.phishing.com" with the IP address 10.0.0.1, and a TTL (time to live) of one day
 - it keeps this delegation in its cache
 - it queries 10.0.0.1: what is the address of "www.phishing.com"?
 - it receives the reply, keeps it in its cache, and then returns it to the user
When another user queries "www.phishing.com" within that day, the cached values are returned.

If the registry revokes "phishing.com", the cached delegation is still used until its TTL expires. After that, the recursive server queries an authoritative server for ".com" again, which replies that the domain does not exist.

However, an attacker can ensure that the "phishing.com" delegation never expires from the cache of the recursive server. To do so, before the TTL expires, the attacker:
 - adds to his own DNS server (ns.phishing.com) a reverse resolution for 10.0.0.1, pointing for example to "ns1.phishing.com", which is also an authoritative DNS server for "phishing.com"
 - queries the victim's recursive server for the reverse resolution of 10.0.0.1; the reply (ns1.phishing.com) is cached as the new DNS server of "phishing.com", with a fresh TTL of one day
The "phishing.com" delegation thus remains valid for one more day, and the operation can be repeated indefinitely.

When a domain name has been revoked, an attacker can therefore periodically query a recursive DNS server, in order to continuously renew data in the cache, which never expires.

This vulnerability is due to a design flaw in the DNS protocol: data learned from the delegated zone's own servers can refresh the cached delegation, so the revoked domain is never checked again against the parent zone.
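The cache behaviour described above can be checked with a small model. The following added example (not BIND's code; the class names, the one-hour-free timeline and the polling interval are constructed for the demonstration) simulates a resolver cache in both modes: one that lets NS data received from the delegated zone's own server replace the cached delegation with a fresh TTL, and one that keeps the expiry granted by the parent. The registry is assumed to revoke phishing.com right after the delegation is cached, and the attacker queries twice a day.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

DAY = 86_400

@dataclass
class Entry:
    rdata: str
    expiry: int   # absolute time (seconds) at which the record leaves the cache

@dataclass
class ResolverCache:
    # True models the vulnerable behaviour: NS data carried in a reply from the
    # delegated zone's own server replaces the cached delegation with a fresh TTL.
    refresh_from_child: bool
    cache: Dict[str, Entry] = field(default_factory=dict)

    def lookup(self, name: str, now: int) -> Optional[str]:
        entry = self.cache.get(name)
        if entry is None:
            return None
        if entry.expiry <= now:
            del self.cache[name]
            return None
        return entry.rdata

    def learn_delegation(self, name: str, rdata: str, ttl: int, now: int) -> None:
        """NS data received from the parent zone (".com")."""
        self.cache[name] = Entry(rdata, now + ttl)

    def learn_from_child(self, name: str, rdata: str, ttl: int, now: int) -> None:
        """NS data received from the domain's own servers (ns.phishing.com)."""
        if self.lookup(name, now) is None:
            return                      # unknown delegation: the child is never asked
        if self.refresh_from_child:
            self.cache[name] = Entry(rdata, now + ttl)   # vulnerable: lifetime extended
        # hardened: keep the expiry granted by the parent; child data cannot outlive it

def simulate(refresh_from_child: bool, days: int = 5, ttl: int = DAY, poll: int = DAY // 2) -> int:
    """The delegation is cached at t=0 and the registry revokes phishing.com
    immediately afterwards. The attacker queries the resolver every `poll`
    seconds. Returns the last time the revoked delegation was still served."""
    resolver = ResolverCache(refresh_from_child)
    resolver.learn_delegation("phishing.com", "ns.phishing.com", ttl, now=0)
    last_served = -1
    for now in range(0, days * DAY + 1, poll):
        if resolver.lookup("phishing.com", now) is None:
            continue   # the resolver would ask ".com", which now answers NXDOMAIN
        last_served = now
        # the attacker's query reaches ns.phishing.com, whose reply carries the
        # zone's NS data once more
        resolver.learn_from_child("phishing.com", "ns.phishing.com", ttl, now)
    return last_served

if __name__ == "__main__":
    print("vulnerable resolver: still served at day", simulate(True) / DAY)
    print("hardened resolver:   last served at day", simulate(False) / DAY)
```

With the vulnerable policy the revoked delegation is still served on day five and would be for as long as the attacker keeps polling; with the hardened policy it disappears at the end of the parent's original TTL, after which the resolver goes back to ".com" and learns that the domain no longer exists.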

vulnerability bulletin CVE-2012-0194

AIX: denial of service via TCP Large Send Offload

Synthesis of the vulnerability

When TCP Large Send Offload is enabled on a network interface, an attacker can send a sequence of TCP packets, in order to stop the system.
Impacted products: AIX.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: internet client.
Creation date: 06/02/2012.
Identifiers: BID-51864, CERTA-2012-AVI-062, CVE-2012-0194, IV13751, IV13820, IV13827, IV14209, IV14210, IV14211, VIGILANCE-VUL-11343.

Description of the vulnerability

With TCP Large Send Offload, the kernel hands TCP segments larger than the MTU to the network interface, which splits them into MTU-sized packets itself instead of the kernel doing so.

However, when the kernel builds its reply to certain sequences of TCP packets through the offload path, it panics.

When TCP Large Send Offload is enabled on a network interface, an attacker can therefore send a sequence of TCP packets, in order to stop the system.

vulnerability announce CVE-2012-0835 CVE-2012-0836 CVE-2012-0837

Joomla: information disclosure

Synthesis of the vulnerability

An attacker can use three Joomla vulnerabilities, in order to obtain information.
Impacted products: Joomla! Core.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 03/02/2012.
Identifiers: BID-51857, CVE-2012-0835, CVE-2012-0836, CVE-2012-0837, VIGILANCE-VUL-11342.

Description of the vulnerability

Several vulnerabilities were announced in Joomla.

An attacker can obtain information. [severity:2/4; CVE-2012-0835]

A local attacker can read error logs. [severity:1/4; CVE-2012-0836]

An attacker can obtain the name of a path. [severity:1/4; CVE-2012-0837]

vulnerability alert CVE-2012-0830

PHP: code execution via max_input_vars

Synthesis of the vulnerability

An attacker can use an url with several parameters of type array, in order to corrupt the PHP memory, which leads to a denial of service or to code execution.
Impacted products: Debian, Fedora, HP-UX, Mandriva Linux, openSUSE, PHP, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 4/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 03/02/2012.
Identifiers: BID-51830, c03368475, CERTA-2012-AVI-055, CVE-2012-0830, DSA-2403-1, DSA-2403-2, FEDORA-2012-1262, FEDORA-2012-1301, HPSBUX02791, MDVSA-2012:065, MDVSA-2012:071, openSUSE-SU-2012:0426-1, RHSA-2012:0092-01, RHSA-2012:0093-01, SSA:2012-041-02, SSRT100856, SUSE-SU-2012:0411-1, SUSE-SU-2012:0496-1, VIGILANCE-VUL-11341.

Description of the vulnerability

In order to correct the VIGILANCE-VUL-11379 (hash collision) vulnerability, a new configuration directive was added to PHP: max_input_vars. This directive limits the number of input variables accepted from a request (GET, POST and cookie data). For example, the following url contains three parameters:
  http://server/page.php?p1=a&p2=b&p3=c
If max_input_vars is set to 2, the "p3" parameter is ignored. By default max_input_vars is set to 1000.

The php_register_variable_ex() function of the main/php_variables.c file stores variables, limiting their number to max_input_vars. However, if the variables are of type array ("p1[]=a&p2[]=b&p3[]=c"), the limit is not honored, and the registration loop keeps writing into memory past the point where it should have stopped.

An attacker can therefore use an url with several parameters of type array, in order to corrupt the PHP memory, which leads to a denial of service or to code execution.
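The counting rule that matters here is that an array element is an input variable like any other. The following added example (not PHP's code; names, limits and sample query strings are constructed for the demonstration) is a Python model of a request parser that honours an input-variable limit for scalar and array parameters alike: "p1[]=a&p2[]=b&p3[]=c" consumes three slots against the limit exactly as three scalar parameters do, and anything beyond the limit is dropped rather than registered.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

_NAME = re.compile(r"^([^\[]+)((?:\[[^\]]*\])*)$")

def _split_name(name: str) -> List[str]:
    """'p1' -> ['p1'], 'p1[]' -> ['p1', ''], 'x[y][z]' -> ['x', 'y', 'z']."""
    match = _NAME.match(name)
    if match is None:
        return [name]
    base, brackets = match.groups()
    return [base] + re.findall(r"\[([^\]]*)\]", brackets)

def _insert(container: Dict[str, object], keys: List[str], value: str) -> None:
    key = keys[0]
    if key == "":   # "[]": append at the next integer index, as PHP does
        key = str(max((int(k) for k in container if k.isdigit()), default=-1) + 1)
    if len(keys) == 1:
        container[key] = value
        return
    child = container.get(key)
    if not isinstance(child, dict):
        child = {}
        container[key] = child
    _insert(child, keys[1:], value)

def count_input_vars(query: str) -> int:
    """Every name=value pair is one input variable, array element or not."""
    return sum(1 for part in query.split("&") if part)

def parse_query_limited(query: str, max_input_vars: int) -> Tuple[Dict[str, object], int]:
    """Register at most max_input_vars variables; the rest are dropped.
    Returns (variables, dropped_count). The counter is incremented for array
    elements too, which is the accounting the vulnerable loop skipped."""
    variables: Dict[str, object] = {}
    registered = dropped = 0
    for part in query.split("&"):
        if not part:
            continue
        if registered >= max_input_vars:
            dropped += 1
            continue
        registered += 1
        raw_name, _, raw_value = part.partition("=")
        _insert(variables, _split_name(unquote_plus(raw_name)), unquote_plus(raw_value))
    return variables, dropped

if __name__ == "__main__":
    print(parse_query_limited("p1=a&p2=b&p3=c", max_input_vars=2))
    print(parse_query_limited("p1[]=a&p2[]=b&p3[]=c", max_input_vars=2))
```

The same counter is also what a reverse proxy or WAF rule needs if it wants to reject oversized requests before they reach an unpatched PHP: count name=value pairs, not distinct base names.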

vulnerability CVE-2011-3464

libpng: memory corruption via PNG

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious PNG image with an application linked to libpng, in order to create an overflow of one byte, which stops the application, and could lead to code execution.
Impacted products: Fedora, libpng.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 02/02/2012.
Identifiers: BID-51823, CVE-2011-3464, FEDORA-2012-15613, VIGILANCE-VUL-11340.

Description of the vulnerability

The libpng library processes PNG images. It is used by several applications.

When an image is malformed, the png_formatted_warning() function of the pngerror.c file builds a warning message in a fixed-size buffer. However, if the formatted message is too long, it is not truncated correctly, and one byte is written past the end of the buffer.

An attacker can therefore invite the victim to open a malicious PNG image with an application linked to libpng, in order to create an overflow of one byte, which stops the application, and could lead to code execution.

computer vulnerability bulletin CVE-2011-4194

Novell Open Enterprise Server: buffer overflow via iPrint

Synthesis of the vulnerability

A remote attacker can generate a buffer overflow in Novell iPrint Server, in order to execute code.
Impacted products: OES.
Severity: 3/4.
Consequences: user access/rights.
Provenance: intranet client.
Creation date: 02/02/2012.
Identifiers: 7010084, BID-51791, CVE-2011-4194, VIGILANCE-VUL-11338, ZDI-12-031.

Description of the vulnerability

IPP (Internet Printing Protocol) is used to submit print jobs to remote printers and to manage them.

The IPP Print-Job and Create-Job operations print a file, or create a print job. A Print-Job or Create-Job request carries operation attributes such as:
 - attributes-charset
 - attributes-natural-language
 - printer-uri
 - etc.

However, if an IPP query uses a long "attributes-natural-language" attribute, an overflow occurs in Novell iPrint Server.

A remote attacker can therefore generate a buffer overflow in Novell iPrint Server, in order to execute code.

computer vulnerability announce CVE-2012-1070 CVE-2012-1071 CVE-2012-1072

TYPO3: vulnerabilities of extensions

Synthesis of the vulnerability

An attacker can use several vulnerabilities of TYPO3 extensions, in order to perform Cross Site Scripting or SQL injection, to obtain information, or to execute code.
Impacted products: TYPO3 Extensions ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights, client access/rights, data reading, data creation/edition, data deletion.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 15.
Creation date: 02/02/2012.
Identifiers: BID-51825, BID-51834, BID-51837, BID-51838, BID-51843, BID-51844, BID-51845, BID-51846, BID-51848, BID-51849, BID-51850, BID-51851, BID-51852, BID-51854, BID-51855, CVE-2012-1070, CVE-2012-1071, CVE-2012-1072, CVE-2012-1073, CVE-2012-1074, CVE-2012-1075, CVE-2012-1076, CVE-2012-1077, CVE-2012-1078, CVE-2012-1079, CVE-2012-1080, CVE-2012-1081, CVE-2012-1082, CVE-2012-1083, CVE-2012-1084, CVE-2012-1085, CVE-2012-1086, CVE-2012-1087, TYPO3-EXT-SA-2012-001, VIGILANCE-VUL-11337.

Description of the vulnerability

Several vulnerabilities were announced in TYPO3 extensions.

An attacker can use a SQL injection in the Kitchen recipe (mv_cooking) extension. [severity:2/4; BID-51825, CVE-2012-1071]

An attacker can use a SQL injection and a Cross Site Scripting in the Category-System (toi_category) extension. [severity:2/4; BID-51834, CVE-2012-1072, CVE-2012-1073]

An attacker can use a SQL injection in the White Papers (mm_whtppr) extension. [severity:2/4; BID-51837, CVE-2012-1074]

An attacker can use a SQL injection and a Cross Site Scripting in the Documents download (rtg_files) extension. [severity:2/4; BID-51838, CVE-2012-1075, CVE-2012-1076]

An attacker can use a SQL injection and a Cross Site Scripting in the Post data records to facebook (bc_post2facebook) extension. [severity:2/4; BID-51846, CVE-2012-1077, CVE-2012-1087]

An attacker can obtain information via the System Utilities (sysutils) extension. [severity:1/4; BID-51844, CVE-2012-1078]

An attacker can execute code via the Webservices for TYPO3 (typo3_webservice) extension. [severity:3/4; BID-51843, CVE-2012-1079]

An attacker can use a Cross Site Scripting in the CSS styled Filelinks (css_filelinks) extension. [severity:2/4; BID-51850]

An attacker can use a Cross Site Scripting in the Modern FAQ (irfaq) extension. [severity:2/4; BID-51845, CVE-2012-1070]

An attacker can use a Cross Site Scripting in the Euro Calculator (skt_eurocalc) extension. [severity:2/4; BID-51848, CVE-2012-1080]

An attacker can use a Cross Site Scripting in the Yet another Google search (ya_googlesearch) extension. [severity:2/4; BID-51851, CVE-2012-1081]

An attacker can use a Cross Site Scripting and a Cross Site Request Forgery in the Terminal PHP Shell (terminal) extension. [severity:2/4; BID-51849, CVE-2012-1082, CVE-2012-1083]

An attacker can use a Cross Site Scripting and obtain information via the BE User Switch (beuserswitch) extension. [severity:2/4; BID-51852, CVE-2012-1084, CVE-2012-1085]

An attacker can use a Cross Site Scripting in the Additional TCA Forms (jftcaforms) extension. [severity:2/4; BID-51854]

An attacker can use a Cross Site Scripting in the UrlTool (aeurltool) extension. [severity:2/4; BID-51855, CVE-2012-1086]
