| The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them. |
|
 |
|
|
History of vulnerabilities analyzed by Vigil@nce:
Linux kernel: two memory corruptions of SCTP
Synthesis of the vulnerability
An attacker can stop kernel and optionally run code by sending SCTP packets.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 22/05/2006.
Identifiers: BID-18085, CERTA-2002-AVI-035, CVE-2006-1857, CVE-2006-1858, DSA-1097-1, DSA-1103-1, FEDORA-2006-572, FEDORA-2006-573, MDKSA-2006:123, MDKSA-2006:150, RHSA-2006:057, RHSA-2006:0575-01, RHSA-2006:0617-01, SUSE-SA:2006:042, SUSE-SA:2006:047, VIGILANCE-VUL-5849.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The SCTP protocol (Stream Control Transmission Protocol) creates associations to send several streams. Its implementation in kernel has 2 new vulnerabilities.
An overflow can occur using a SCTP packet containing a HB-ACK chunk (CVE-2006-1857).
Size of chunks can be incorrectly computed, leading to a memory corruption (CVE-2006-1858).
An attacker can therefore conduct two denials of service and eventually run code on computers where SCTP is activated.
Full Vigil@nce bulletin... (Free trial) |
Word: buffer overflow
Synthesis of the vulnerability
An attacker can create a malicious Word document leading to code execution when it is opened.
Severity: 3/4.
Creation date: 22/05/2006.
Identifiers: 917336, 919637, BID-18037, CERTA-2006-AVI-239, CVE-2006-2492, MS06-027, VIGILANCE-VUL-5848, VU#446012.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
An attacker can create a malicious Word document leading to code execution when it is opened.
Technical details are currently unknown.
It is a buffer overflow, and the Word document can be included using OLE in another Office document.
This vulnerability is currently exploited by Ginwui and Mdropper trojan horses, which do not have replication method, and are thus sent to specific targets. Viruses could be soon created.
Full Vigil@nce bulletin... (Free trial) |
Sun Web/Application Server: Cross Site Scripting of error page
Synthesis of the vulnerability
An attacker can use error pages in order to run a Cross Site Scripting attack.
Severity: 2/4.
Creation date: 19/05/2006.
Identifiers: 102164, 6217658, 6239342, 6240422, 6240424, BID-18035, CVE-2006-2501, SNS Advisory No.87, VIGILANCE-VUL-5847, VU#114956.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
When an error occurs, the web server returns a HTML error page.
However, these error pages do not correctly manage double quotes ("). An attacker can use them in order to conduct a Cross Site Scripting attack.
An attacker can therefore execute Javascript in security context of the web site hosted on Sun Web/Application Server.
Full Vigil@nce bulletin... (Free trial) |
AWStats: command execution with migrate
Synthesis of the vulnerability
An attacker can use a special migrate parameter in order to execute a shell command on server.
Severity: 3/4.
Creation date: 19/05/2006.
Identifiers: BID-17844, CERTA-2006-AVI-184, CVE-2006-2237, DSA-1058-1, SUSE-SA:2006:033, VIGILANCE-VUL-5846.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The AWStats program generates web, ftp or mail statistics. It is written in PERL, and displays its statistics on a web server.
Data of "migrate" parameter are sent to PERL open() function. However, the '|' character is not filtered. An attacker can therefore run a shell command using the open() function.
This vulnerability therefore permits a remote attacker to execute commands with AWStats rights.
Full Vigil@nce bulletin... (Free trial) |
Sun N1 System Manager: password disclosure
Synthesis of the vulnerability
A local attacker can obtain passwords used by Sun N1 System Manager.
Severity: 2/4.
Creation date: 18/05/2006.
Identifiers: 102024, 6332648, BID-18023, VIGILANCE-VUL-5845.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The Sun N1 System Manager product manages the system infrastructure.
The /cr/hd_jobs_db.sh, /cr/hd_plan_checkin.sh and /cr/oracle_plan_checkin.sh scripts contains a password because they are not executed interactively. However, they are readable by all system users.
A local attacker can therefore obtain this password in order to administer Sun N1 System Manager.
Full Vigil@nce bulletin... (Free trial) |
NetWare: password logging by PORTAL.NLM/HTTPSTK.NLM
Synthesis of the vulnerability
During an error, the PORTAL.NLM/HTTPSTK.NLM module logs username and passwords in clear text.
Severity: 1/4.
Creation date: 17/05/2006.
Identifiers: 164123, BID-18017, CERTA-2006-AVI-204, CVE-2006-2185, TID10100870, TID2973698, VIGILANCE-VUL-5844.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The HTTPSTK.NLM module implements a HTTP server for Novell NetWare. The PORTAL.NLM module is the associated portal.
An attacker can create an error in PORTAL.NLM. In this case, username and password are logged in the abend.log file. A local attacker can thus read this information.
A new HTTPSTK.NLM module is available to correct this problem. So, we could suppose that error is located in this module, but Novell's announce indicates it occurs in PORTAL.NLM.
Full Vigil@nce bulletin... (Free trial) |
Sun Directory Server: password stored during installation
Synthesis of the vulnerability
During some installations of Sun Directory Server, the administrator password is stored in a file which is readable.
Severity: 2/4.
Creation date: 17/05/2006.
Identifiers: 102345, 4927976, BID-18018, VIGILANCE-VUL-5843.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The Sun Java System Directory Server 5.2 product can be installed natively (cdrom) or from a compressed archive downloaded on Sun's web site (PatchZip).
When PatchZip version is chosen, the password used during installation is saved in a file. However, this file is never deleted, so a local attacker can read it and obtain administrator's password.
This vulnerability affects the 5.2 PatchZip version where patches, such as Patch4, were eventually installed. This vulnerability does not affect the full 5.2 Patch4 PatchZip version which can be currently downloaded on Sun's website.
Full Vigil@nce bulletin... (Free trial) |
Bea WebLogic: several vulnérabilités
Synthesis of the vulnerability
BEA Systems wrote 11 announces related to Bea WebLogic Server.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 13.
Creation date: 16/05/2006.
Identifiers: BEA06-121.00, BEA06-124.00, BEA06-125.00, BEA06-126.00, BEA06-127.00, BEA06-128.00, BEA06-129.00, BEA06-130.00, BEA06-131.00, BEA06-132.00, BEA06-133.00, BID-17982, CVE-2006-2461, CVE-2006-2462, CVE-2006-2463, CVE-2006-2464, CVE-2006-2465, CVE-2006-2466, CVE-2006-2467, CVE-2006-2468, CVE-2006-2469, CVE-2006-2470, CVE-2006-2471, CVE-2006-2472, CVE-2006-2546, VIGILANCE-VUL-5842.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
BEA Systems wrote 11 new announces related to Bea WebLogic :
BEA06-121.00 : le script stopWebLogic.sh affiche le mot de passe sous Unix
BEA06-124.00 : les applications installées sur le serveur peuvent obtenir les clés privées
BEA06-125.00 : les adresses IP internes sont visibles
BEA06-126.00 : les politiques de sécurité des ressources JDBC peuvent être désactivées
BEA06-127.00 : lors d'une erreur, le serveur HTTP journalise le login et le mot de passe
BEA06-128.00 : un attaquant peut obtenir le nom du domaine via le formulaire d'authentification
BEA06-129.00 : la console affiche l'adresse IP du serveur WebLogic
BEA06-130.00 : un attaquant peut obtenir le code source JSP
BEA06-131.00 : le mot de passe admin est stocké en clair sur le disque lors de son changement d'après la méthode décrite dans la documentation antérieure au 10 octobre 2005
BEA06-132.00 : certaines transactions ne sont pas protégées par SSL
BEA06-133.00 : les transactions JTA ne sont pas protégées par SSL
Full Vigil@nce bulletin... (Free trial) |
Nagios: integer overflow of Content-Length
Synthesis of the vulnerability
An attacker can use a malicious HTTP request in order to generate an overflow in CGI scripts of Nagios.
Severity: 3/4.
Creation date: 16/05/2006.
Identifiers: BID-18059, CVE-2006-2489, DSA-1072-1, VIGILANCE-VUL-5841.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
Nagios uses several CGI scripts located for example in /usr/lib/cgi-bin/nagios directory, and reachable at http://server/nagios/cgi-bin/.
The Content-Length header of HTTP protocol indicates body size of query or reply.
The VIGILANCE-VUL-5814 bulletin describes a vulnerability related to a negative Content-Length. However, this vulnerability was not correctly corrected, so an attack variant is still possible. It leads to an integer overflow in Nagios CGI scripts.
An attacker can therefore conduct a denial of service and eventually execute code.
Full Vigil@nce bulletin... (Free trial) |
phpLDAPadmin: several Cross Site Scripting
Synthesis of the vulnerability
Several Cross Site Scripting of phpLDAPadmin can be done using "dn" and "scope" parameters.
Severity: 2/4.
Creation date: 15/05/2006.
Identifiers: BID-17643, CVE-2006-2016, DSA-1057-1, VIGILANCE-VUL-5840.
Full Vigil@nce bulletin... (Free trial)
Description of the vulnerability
The phpLDAPadmin program permits to administer a LDAP server using a web server.
It has several missing checks in:
- the "dn" parameter of:
+ compare_form.php
+ copy_form.php
+ rename_form.php
+ template_engine.php
+ delete_form.php
- the "scope" parameter of search.php
- the "Container DN", "Machine Name", "UID Number" fields of template_engine.php
These vulnerabilities permit an attacker to conduct a Cross Site Scripting attack.
Full Vigil@nce bulletin... (Free trial) |
Previous page Next page Direct access to page
1
21
41
61
81
101
121
141
161
181
201
221
241
261
281
301
321
341
361
381
401
421
441
461
481
501
521
541
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
581
601
621
641
661
681
701
721
741
761
781
801
821
841
861
881
901
921
941
961
981
1001
1021
1041
1061
1081
1101
1121
1141
1161
1181
1201
1221
1241
1261
1281
1301
1321
1341
1361
1381
1401
1421
1441
1461
1481
1501
1521
1541
1561
1581
1601
1621
1641
1661
1681
1701
1721
1741
1761
1781
1801
1821
1841
1861
1881
1901
1921
1941
1961
1981
2001
2021
2041
2061
2081
2101
2121
2141
2161
2181
2201
2221
2241
2261
2281
2301
2321
2341
2361
2381
2401
2421
2441
2461
2481
2501
2521
2541
2561
2581
2601
2621
2641
2661
2681
2701
2721
2741
2761
2781
2801
2821
2841
2861
2881
2901
2921
2927
|