The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

computer vulnerability CVE-2005-3525

Shockwave Player: buffer overflow of installer

Synthesis of the vulnerability

An attacker can run code on the user's computer when the user installs the Shockwave Player ActiveX.
Severity: 2/4.
Creation date: 24/02/2006.
Identifiers: APSB06-02, CVE-2005-3525, VIGILANCE-VUL-5643, VU#437212, ZDI-06-002.

Description of the vulnerability

The Shockwave Player ActiveX is used to display video sequences.

During installation of this ActiveX, the installer does not correctly check the size of two of its parameters.

An attacker can therefore invite the user to install Shockwave Player in order to trigger an overflow on the user's computer. This overflow then leads to code execution.

security note CVE-2006-0884

Thunderbird: JavaScript code execution when answering an email

Synthesis of the vulnerability

When the user replies to a malicious HTML email, JavaScript code can be run on the user's computer.
Severity: 2/4.
Creation date: 23/02/2006.
Identifiers: BID-16770, CVE-2006-0884, MDKSA-2006:052, VIGILANCE-VUL-5642.

Description of the vulnerability

The IFRAME tag of the HTML language is used to include a frame in a document.

When the user replies to an email received in HTML, Thunderbird displays this message in editing mode so that the user can compose an HTML reply. Scripts contained in this page are normally blocked.

However, JavaScript code contained in an IFRAME is not blocked. This code is run in the Thunderbird context.

An attacker can therefore send an HTML email containing JavaScript that is run when the user replies to the email.

weakness note CVE-2006-0855 CVE-2006-1269

zoo: buffer overflow via long pathnames

Synthesis of the vulnerability

An attacker can create a ZOO archive containing long directory and file names in order to execute code on the user's computer.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 23/02/2006.
Identifiers: BID-16790, BID-17126, CERTA-2006-AVI-115, CVE-2006-0855, CVE-2006-1269, DSA-991-1, SSA:2006-142-02, SUSE-SR:2006:005, SUSE-SR:2006:006, VIGILANCE-VUL-5641.

Description of the vulnerability

The zoo command supports archives compressed in ZOO format (based on Lempel-Ziv).

The fullpath() function of misc.c concatenates the directory name and the filename to obtain the full path. However, this path is stored in an array that is only half as long.

An attacker can thus create an archive containing long names in order to generate an overflow.

This vulnerability therefore permits an attacker to run code on the computer of a user who opens a malicious ZOO archive.

computer threat announce 5640

PEAR-LiveUser: file deletion

Synthesis of the vulnerability

An attacker can use a malicious cookie in order to delete a file on the server.
Severity: 2/4.
Creation date: 22/02/2006.
Identifiers: BID-16761, VIGILANCE-VUL-5640.

Description of the vulnerability

The PEAR::LiveUser package is used to manage user authentication.

An authentication item can be stored in a cookie. This cookie is then copied into the path used to open or delete a file located in the web server root.

However, the contents of the cookie are not checked, so an attacker can use '../' to access a file located outside the root directory. The attacker can therefore check whether a file exists or delete a file.

vulnerability bulletin 5639

PEAR-Auth: data injection

Synthesis of the vulnerability

An attacker can inject SQL data into the PEAR::Auth package.
Severity: 2/4.
Creation date: 22/02/2006.
Revision date: 23/02/2006.
Identifiers: BID-16758, VIGILANCE-VUL-5639.

Description of the vulnerability

The PEAR::Auth package provides authentication methods. Logins and passwords can, for example, be stored in a database.

An attacker can inject SQL queries into this package when the DB or LDAP containers are used.

When PEAR::Auth is employed to secure access to a service, an attacker can therefore alter the database entries, or bypass the authentication form.

computer weakness alert CVE-2006-0188 CVE-2006-0195 CVE-2006-0377

SquirrelMail: several vulnerabilities

Synthesis of the vulnerability

Three vulnerabilities of SquirrelMail permit an attacker to conduct a Cross Site Scripting attack or to inject IMAP commands.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 22/02/2006.
Revision date: 28/02/2006.
Identifiers: 10310, 20060501-01-U, BID-16756, CERTA-2006-AVI-095, CVE-2006-0188, CVE-2006-0195, CVE-2006-0377, DSA-988-1, FEDORA-2006-133, FEDORA-2006-134, FLSA:190884, FLSA-2006:190884, MDKSA-2006:049, RHSA-2006:028, RHSA-2006:0283-01, SNS Advisory No.86, SUSE-SR:2006:005, VIGILANCE-VUL-5638.

Description of the vulnerability

The SquirrelMail program permits users to read their mailbox using a web browser.

The webmail.php script does not correctly sanitize its right_frame parameter, which leads to a Cross Site Scripting attack (CVE-2006-0188).

The MagicHTML feature can be used to conduct a Cross Site Scripting attack, but only affects Internet Explorer (CVE-2006-0195).

The sqimap_mailbox_select parameter can be used to inject IMAP commands (CVE-2006-0377).

computer weakness bulletin CVE-2006-0736

SuSE: buffer overflow of pam_micasa

Synthesis of the vulnerability

The pam_micasa module contains an overflow permitting a network attacker to run code on the computer.
Severity: 3/4.
Creation date: 22/02/2006.
Identifiers: BID-16779, CVE-2006-0736, SUSE-SA:2006:010, VIGILANCE-VUL-5637.

Description of the vulnerability

The CASA environment (Common Authentication Service Adapter) provides libraries to authenticate on Linux, Novell and Windows products.

The pam_micasa module is added to /etc/pam.d/sshd to use CASA with SSH.

A buffer overflow is present in pam_micasa. Its technical details are unknown.

This vulnerability permits a remote attacker to access the system.

computer vulnerability bulletin CVE-2006-0300

GNU tar: buffer overflow via a pax header

Synthesis of the vulnerability

An attacker can create a malicious tar archive in order to run code on the user's computer.
Severity: 3/4.
Creation date: 22/02/2006.
Identifiers: 241646, 6407045, BID-16764, CERTA-2006-AVI-092, CVE-2006-0300, DSA-987-1, FLSA:183571-2, FLSA-2006:183571-2, MDKSA-2006:046, RHSA-2006:023, RHSA-2006:0232-01, SUSE-SR:2006:005, VIGILANCE-VUL-5636.

Description of the vulnerability

The "tar" archive format has several extensions:
 - ustar: supports devices and names of more than 255 characters (IEEE Std. 1003.1)
 - pax: an additional header is added to ustar in order to support files over 8GB
 - etc.

When a tar archive contains a malicious pax header, an overflow occurs in GNU tar.

This overflow causes tar to stop, and possibly leads to code execution.

vulnerability alert CVE-2006-0709

Metamail: buffer overflow using long boundaries

Synthesis of the vulnerability

An attacker can create an email containing long boundaries in order to run code in Metamail.
Severity: 3/4.
Creation date: 21/02/2006.
Identifiers: 352482, BID-16611, CERTA-2006-AVI-109, CVE-2006-0709, DSA-995-1, MDKSA-2006:047, RHSA-2006:021, RHSA-2006:0217-01, SUSE-SR:2006:005, VIGILANCE-VUL-5635.

Description of the vulnerability

The Metamail program analyzes emails containing multimedia data stored as MIME.

The MIME format is used to group several documents in one email. An email containing a text and an image has the following format (empty lines removed):
 MIME-Version: 1.0
 Content-Type: multipart/Mixed; boundary="BOUNDARY"
 --BOUNDARY
 Content-Type: text/plain; charset="iso-8859-1"
 Content-Transfer-Encoding: 7bit
 HERE TEXT
 --BOUNDARY
 Content-Type: image/gif;
 Content-Transfer-Encoding: base64
 HERE AN IMAGE ENCODED IN BASE64
 --BOUNDARY--

However, Metamail does not check the size of boundaries before storing them in a fixed-size array.

This overflow causes Metamail to stop, and possibly leads to code execution.

security vulnerability CVE-2006-0804

tin: buffer overflow of mail.c

Synthesis of the vulnerability

An attacker who owns a malicious NNTP server can run code on the computers of tin users.
Severity: 2/4.
Creation date: 21/02/2006.
Identifiers: BID-16728, CVE-2006-0804, SUSE-SR:2006:005, VIGILANCE-VUL-5634.

Description of the vulnerability

The tin program is a news reader.

The read_groups_descriptions() function of mail.c analyzes the description of each group. This function stores the group name in an allocated array. However, the size of this array is insufficient to contain the NUL string terminator character.

An attacker can thus use a long group name in order to write one '\0' in memory.

This memory corruption generally causes tin to stop, and could lead to code execution.

   
