The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

Vulnerability note CVE-2006-6305

net-snmp: write access granted to read-only users

Synthesis of the vulnerability

Read-only users or communities configured with the "rocommunity" or "rouser" snmpd.conf tokens are granted write access.
Severity: 2/4.
Creation date: 16/01/2006.
Identifiers: BID-21503, CVE-2006-6305, VIGILANCE-VUL-5520.

Description of the vulnerability

The net-snmp program is used to implement different versions of the SNMP protocol.

A bug in the new version of net-snmp results in write access being granted to read-only users or communities configured with the "rocommunity" or "rouser" snmpd.conf tokens.

This bug allows these users to modify files on the machine running net-snmp.

Vulnerability note CVE-2005-3340

Tuxpaint: symlink attack

Synthesis of the vulnerability

Tuxpaint uses temporary files with predictable names in the "/tmp" folder, which permits a symlink attack.
Severity: 1/4.
Creation date: 16/01/2006.
Identifiers: BID-16250, CVE-2005-3340, DSA-941-1, VIGILANCE-VUL-5519.

Description of the vulnerability

The Tuxpaint program is a drawing tool designed for young children.

The tuxpaint-import script shipped with Tuxpaint creates a temporary file in the "/tmp" folder. The file has a predictable name, and the script does not check whether that name already exists as a symbolic link before writing to it.

An attacker can thus carry out a symlink attack and corrupt files on the system.

Vulnerability note CVE-2005-3655

Open Enterprise Server: heap memory corruption in httpstkd (Novell Remote Manager)

Synthesis of the vulnerability

By sending a huge or negative size in an HTTP request header to httpstkd, it is possible to corrupt heap memory and thus potentially execute code.
Severity: 1/4.
Creation date: 13/01/2006.
Revision date: 16/01/2006.
Identifiers: BID-16226, CERTA-2006-AVI-037, CVE-2005-3655, iDefense Security Advisory 01.13.06, SUSE-SA:2006:002, VIGILANCE-VUL-5518.

Description of the vulnerability

Novell Remote Manager is a browser-based utility that can be used to manage one or more NetWare servers from a remote location.

By sending a huge or negative size in an HTTP request header to httpstkd, it is possible to corrupt heap memory.

An attacker can thus potentially execute code on the machine running Novell Remote Manager.

Vulnerability note CVE-2006-0207 CVE-2006-0208

PHP 5: session extension vulnerable to response splitting attacks and cross-site scripting

Synthesis of the vulnerability

Missing checks in PHP 5 session management allow an attacker to carry out HTTP response splitting and cross-site scripting attacks.
Severity: 1/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 12/01/2006.
Identifiers: 10310, 20060501-01-U, BID-16220, CVE-2006-0207, CVE-2006-0208, DSA-1331-1, FLSA-2006:175040, MDKSA-2006:028, RHSA-2006:027, RHSA-2006:0276-01, RHSA-2006:050, RHSA-2006:0501-02, SOL13519, SUSE-SR:2006:004, TLSA-2006-17, VIGILANCE-VUL-5517.

Description of the vulnerability

PHP 5 uses a new session management system.

This session management system accepts the session ID from a cookie during exchanges with the server. PHP 5 does not validate this value, so the user can send an arbitrary ID to the server.

This missing validation allows an attacker to carry out HTTP response splitting and cross-site scripting attacks.

Vulnerability note CVE-2006-0200

PHP 5: format string vulnerability in the exception handling of mysqli

Synthesis of the vulnerability

The mysqli extension reports errors through exceptions without controlling the format string, which allows an attacker to run code on the machine using mysqli.
Severity: 1/4.
Creation date: 12/01/2006.
Identifiers: BID-16219, CVE-2006-0200, VIGILANCE-VUL-5516.

Description of the vulnerability

PHP 5 provides a new extension, mysqli, to manage connections between PHP and a MySQL server.

This extension includes a new error reporting system based on PHP exceptions.
PHP 5 does not check the format string when an error message received from the MySQL server is reported. By default, the error "reporting" mode is not enabled for mysqli; when it is enabled, the vulnerability can be triggered by sending a particular MySQL query.

An attacker can thus run code on the server using PHP if the MySQL server is not properly configured, or if he has access to the machine and can make PHP run a MySQL query against a malicious server.

Vulnerability note CVE-2006-0190

Solaris: root access gaining and denial of service

Synthesis of the vulnerability

A local unprivileged user may have the ability to gain root access or panic the Solaris operating system.
Severity: 2/4.
Creation date: 12/01/2006.
Identifiers: 102066, 6291662, 6293270, BID-16224, CVE-2006-0190, VIGILANCE-VUL-5513.

Description of the vulnerability

The mm driver is used, among other things, to manage memory under Solaris.

Sun announced that a local attacker could use a vulnerability in this driver to gain root access or to cause a denial of service of the machine.

Vulnerability note CVE-2006-0191

Solaris: denial of service using the find command

Synthesis of the vulnerability

A local user can cause a denial of service of the machine by running a find search on "/proc".
Severity: 1/4.
Creation date: 12/01/2006.
Identifiers: 102066, 102108, 6291662, 6293270, BID-16222, CVE-2006-0191, VIGILANCE-VUL-5512.

Description of the vulnerability

The find command searches a directory hierarchy from the command line.

When an unprivileged user runs a find search on the "/proc" filesystem, it triggers a system panic.

An attacker can thus use find to cause a denial of service.

Vulnerability note CVE-2005-3745

Struts: cross-site scripting in error messages

Synthesis of the vulnerability

The error message generated by Struts is not sufficiently validated, which allows an attacker to have script executed by the user's browser via cross-site scripting.
Severity: 1/4.
Creation date: 12/01/2006.
Identifiers: CVE-2005-3745, RHSA-2006:015, RHSA-2006:0157-01, RHSA-2006:016, RHSA-2006:0161-01, VIGILANCE-VUL-5511.

Description of the vulnerability

The open source Struts framework is used to build web applications.

When a non-existent Struts action URL is requested, the Struts infrastructure generates an error that echoes the path of the requested action. The mechanism generating this error neither validates its input sufficiently nor HTML-encodes its output.

These omissions permit a cross-site scripting attack, allowing an attacker to have script executed by the user's browser.

Vulnerability note CVE-2006-0054

FreeBSD: denial of service of ipfw using ip fragments

Synthesis of the vulnerability

In some ipfw configurations, an attacker can send an IP fragment in order to stop the firewall.
Severity: 3/4.
Creation date: 11/01/2006.
Identifiers: BID-16209, CERTA-2006-AVI-021, CVE-2006-0054, FreeBSD-SA-06:04.ipfw, VIGILANCE-VUL-5509.

Description of the vulnerability

The ipfw firewall allows the administrator to define several actions for a matched packet:
 - deny: discards the packet
 - reject: discards the packet and sends an ICMP host unreachable
 - reset: discards the packet and may send a TCP RST
 - unreach: discards the packet and sends an ICMP unreachable
 - etc.

When the firewall has to send an error packet (reject, reset or unreach), it builds that packet from the received packet. However, if the received packet is a fragment, it does not contain an ICMP/TCP/UDP header, and the data is thus incorrectly initialized. This error causes the firewall to stop.

A network attacker can therefore send a fragmented packet to a system using reject, reset or unreach rules in order to cause a denial of service.

Vulnerability note CVE-2006-0055

FreeBSD: file corruption with ee

Synthesis of the vulnerability

A local attacker can alter a file during ee usage.
Severity: 1/4.
Creation date: 11/01/2006.
Identifiers: BID-16207, CVE-2006-0055, FreeBSD-SA-06:02.ee, VIGILANCE-VUL-5508.

Description of the vulnerability

The ee program is a text editor.

This program uses a temporary file in an insecure manner:
 - the filename is predictable (/tmp/ee._pid_)
 - the file is located in a world-writable directory
 - ee does not check for symbolic links

A local attacker can thus create a symbolic link at that name in order to corrupt a file with the rights of the user running ee.
