The Vigil@nce team tracks public vulnerabilities affecting your systems, and provides security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

computer vulnerability note CVE-2006-1857 CVE-2006-1858

Linux kernel: two memory corruptions of SCTP

Synthesis of the vulnerability

An attacker can crash the kernel, and possibly run code, by sending SCTP packets.
Impacted products: Debian, Fedora, Linux, Mandriva Linux, Mandriva NF, OES, openSUSE, RHEL, SLES.
Severity: 2/4.
Consequences: administrator access/rights, data flow.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 22/05/2006.
Identifiers: BID-18085, CERTA-2002-AVI-035, CVE-2006-1857, CVE-2006-1858, DSA-1097-1, DSA-1103-1, FEDORA-2006-572, FEDORA-2006-573, MDKSA-2006:123, MDKSA-2006:150, RHSA-2006:057, RHSA-2006:0575-01, RHSA-2006:0617-01, SUSE-SA:2006:042, SUSE-SA:2006:047, VIGILANCE-VUL-5849.

Description of the vulnerability

SCTP (Stream Control Transmission Protocol) establishes associations over which several streams are carried. Its Linux kernel implementation has two new vulnerabilities.

An overflow can be triggered with an SCTP packet containing a HEARTBEAT ACK (HB-ACK) chunk (CVE-2006-1857).

The size of chunks can be incorrectly computed, leading to memory corruption (CVE-2006-1858).

An attacker can therefore cause two denials of service, and possibly run code, on hosts where SCTP is enabled.
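As an added illustration (my own user-space code, not the Linux kernel's SCTP implementation, and not a reproduction of either CVE), the following C walker shows the checks a chunk parser needs so that a malformed chunk length can neither push the read past the end of the packet nor wrap when it is rounded up to the 4-byte boundary. The common header and chunk layout and the HEARTBEAT ACK type value follow RFC 4960; the sample packets are constructed, their HB-ACK payload bytes are placeholders, and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wire layout from RFC 4960: a 12-byte common header (ports, verification tag,
 * checksum) followed by chunks, each starting with type(1) flags(1) length(2).
 * The length field counts the 4-byte chunk header but not the padding that
 * aligns the next chunk to 4 bytes. Chunk type 5 is HEARTBEAT ACK (HB-ACK). */
#define SCTP_COMMON_HDR_LEN    12
#define SCTP_CHUNK_HDR_LEN      4
#define SCTP_CID_HEARTBEAT_ACK  5

/* Walk the chunk list and return the number of well-formed chunks, or -1 at
 * the first malformed one (its index is stored in *bad_index). Hypothetical
 * name and user-space shape; this is not the kernel's SCTP code. */
int sctp_count_chunks(const uint8_t *pkt, size_t pkt_len, int *bad_index)
{
    int n = 0;
    size_t off = SCTP_COMMON_HDR_LEN;

    if (bad_index) *bad_index = -1;
    if (pkt_len < SCTP_COMMON_HDR_LEN) return -1;

    while (off < pkt_len) {
        size_t remaining = pkt_len - off;
        uint16_t len;
        size_t padded;

        /* Not even a full chunk header left: trailing garbage, reject. */
        if (remaining < SCTP_CHUNK_HDR_LEN) goto bad;

        len = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);

        /* The declared length includes the header, so anything below 4 is
         * invalid; a walker that trusted it would advance by 0 (spin forever)
         * or step back into the header it just parsed. */
        if (len < SCTP_CHUNK_HDR_LEN) goto bad;

        /* The declared length must fit in what is actually left of the
         * packet, otherwise later code reads or copies past the buffer. */
        if (len > remaining) goto bad;

        /* Round up in size_t, not in uint16_t: 0xFFFD..0xFFFF plus 3 would
         * wrap to a tiny value in 16-bit arithmetic. */
        padded = ((size_t)len + 3) & ~(size_t)3;

        n++;
        /* Final chunk: tolerate absent trailing padding, as RFC 4960
         * section 3.2 asks robust receivers to do. */
        if (padded >= remaining) break;
        off += padded;
    }
    return n;

bad:
    if (bad_index) *bad_index = n;
    return -1;
}

/* Index of the first malformed chunk, or -1 if the packet is well-formed. */
int first_bad_chunk(const uint8_t *pkt, size_t pkt_len)
{
    int bad;
    return sctp_count_chunks(pkt, pkt_len, &bad) < 0 ? bad : -1;
}

/* Constructed sample packets: arbitrary ports, zero tag and checksum, then
 * chunks. HB-ACK payload bytes are placeholders, not real Heartbeat Info. */
#define HDR 0x1f,0x90, 0x1f,0x90, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00

static const uint8_t PKT_OK[] = {
    HDR,
    0x05,0x00, 0x00,0x08, 0xde,0xad,0xbe,0xef,   /* HB-ACK, length 8, no padding */
    0x05,0x00, 0x00,0x05, 0x41, 0x00,0x00,0x00,  /* HB-ACK, length 5 + 3 pad bytes */
};
static const uint8_t PKT_LEN_TOO_SMALL[] = {
    HDR,
    0x05,0x00, 0x00,0x02, 0x00,0x00,0x00,0x00,   /* length 2 < chunk header size */
};
static const uint8_t PKT_LEN_PAST_END[] = {
    HDR,
    0x05,0x00, 0x00,0x40, 0xde,0xad,0xbe,0xef,   /* claims 64 bytes, 8 present */
};
static const uint8_t PKT_SECOND_BAD[] = {
    HDR,
    0x05,0x00, 0x00,0x08, 0xde,0xad,0xbe,0xef,
    0x05,0x00, 0x00,0x03, 0x00,0x00,0x00,0x00,   /* second chunk malformed */
};

int main(void)
{
    printf("PKT_OK: %d chunks\n", sctp_count_chunks(PKT_OK, sizeof PKT_OK, NULL));
    printf("PKT_SECOND_BAD: first bad chunk index %d\n",
           first_bad_chunk(PKT_SECOND_BAD, sizeof PKT_SECOND_BAD));
    return 0;
}
```

The three rejections are independent: a too-small length catches the zero-advance loop, a too-large length catches the over-read, and doing the rounding in `size_t` catches the wrap that a 16-bit intermediate would hide.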
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2006-2492

Word: buffer overflow

Synthesis of the vulnerability

An attacker can create a malicious Word document leading to code execution when it is opened.
Impacted products: Office, Word.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 22/05/2006.
Identifiers: 917336, 919637, BID-18037, CERTA-2006-AVI-239, CVE-2006-2492, MS06-027, VIGILANCE-VUL-5848, VU#446012.

Description of the vulnerability

An attacker can create a malicious Word document leading to code execution when it is opened.

Technical details are currently unknown.

It is a buffer overflow, and the malicious Word document can also be embedded through OLE in another Office document.

This vulnerability is currently exploited by the Ginwui and Mdropper trojan horses, which have no self-replication mechanism and are therefore sent to specific targets. Self-replicating viruses could follow soon.

computer vulnerability announce CVE-2006-2501

Sun Web/Application Server: Cross Site Scripting of error page

Synthesis of the vulnerability

An attacker can use error pages in order to run a Cross Site Scripting attack.
Impacted products: Oracle iPlanet Web Server, Sun AS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 19/05/2006.
Identifiers: 102164, 6217658, 6239342, 6240422, 6240424, BID-18035, CVE-2006-2501, SNS Advisory No.87, VIGILANCE-VUL-5847, VU#114956.

Description of the vulnerability

When an error occurs, the web server returns an HTML error page.

However, these error pages do not correctly escape double quotes ("). An attacker can inject them in order to conduct a Cross Site Scripting attack.

An attacker can therefore execute JavaScript in the security context of the web site hosted on Sun Web/Application Server.

computer vulnerability alert CVE-2006-2237

AWStats: command execution with migrate

Synthesis of the vulnerability

An attacker can use a crafted migrate parameter in order to execute a shell command on the server.
Impacted products: Debian, openSUSE, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights.
Provenance: intranet client.
Creation date: 19/05/2006.
Identifiers: BID-17844, CERTA-2006-AVI-184, CVE-2006-2237, DSA-1058-1, SUSE-SA:2006:033, VIGILANCE-VUL-5846.

Description of the vulnerability

The AWStats program generates web, FTP or mail statistics. It is written in Perl and displays its statistics through a web server.

The value of the "migrate" parameter is passed to Perl's open() function, but the '|' character is not filtered. Since the two-argument form of open() treats a name ending in '|' as a command to run through a pipe, an attacker can run a shell command via open().

This vulnerability therefore permits a remote attacker to execute commands with the rights of AWStats.

computer vulnerability 5845

Sun N1 System Manager: password disclosure

Synthesis of the vulnerability

A local attacker can obtain passwords used by Sun N1 System Manager.
Impacted products: Solaris.
Severity: 2/4.
Consequences: user access/rights, data reading.
Provenance: user shell.
Creation date: 18/05/2006.
Identifiers: 102024, 6332648, BID-18023, VIGILANCE-VUL-5845.

Description of the vulnerability

The Sun N1 System Manager product manages the system infrastructure.

The /cr/hd_jobs_db.sh, /cr/hd_plan_checkin.sh and /cr/oracle_plan_checkin.sh scripts contain a password because they are not run interactively. However, they are readable by all system users.

A local attacker can therefore read this password and use it to administer Sun N1 System Manager.

vulnerability note CVE-2006-2185

NetWare: password logging by PORTAL.NLM/HTTPSTK.NLM

Synthesis of the vulnerability

When an error occurs, the PORTAL.NLM/HTTPSTK.NLM module logs the username and password in clear text.
Impacted products: Netware.
Severity: 1/4.
Consequences: user access/rights, data reading.
Provenance: user shell.
Creation date: 17/05/2006.
Identifiers: 164123, BID-18017, CERTA-2006-AVI-204, CVE-2006-2185, TID10100870, TID2973698, VIGILANCE-VUL-5844.

Description of the vulnerability

The HTTPSTK.NLM module implements an HTTP server for Novell NetWare. The PORTAL.NLM module is the portal built on top of it.

An attacker can trigger an error in PORTAL.NLM. The username and password are then written to the abend.log file, where a local attacker can read them.

A new HTTPSTK.NLM module is provided to correct this problem, which suggests the defect lies in that module; Novell's advisory, however, states that it occurs in PORTAL.NLM.

vulnerability bulletin 5843

Sun Directory Server: password stored during installation

Synthesis of the vulnerability

During some installations of Sun Directory Server, the administrator password is stored in a file which is readable.
Impacted products: Oracle Directory Server.
Severity: 2/4.
Consequences: administrator access/rights, data reading.
Provenance: user shell.
Creation date: 17/05/2006.
Identifiers: 102345, 4927976, BID-18018, VIGILANCE-VUL-5843.

Description of the vulnerability

The Sun Java System Directory Server 5.2 product can be installed natively (from CD-ROM) or from a compressed archive downloaded from Sun's web site (PatchZip).

When the PatchZip version is chosen, the password entered during installation is saved in a file. This file is never deleted, so a local attacker can read it and obtain the administrator's password.

This vulnerability affects installations made from the 5.2 PatchZip, including those to which patches such as Patch4 were later applied. It does not affect the full 5.2 Patch4 PatchZip version currently available for download on Sun's web site.

vulnerability announce CVE-2006-2461 CVE-2006-2462 CVE-2006-2463

Bea WebLogic: several vulnerabilities

Synthesis of the vulnerability

BEA Systems published 11 advisories related to Bea WebLogic Server.
Impacted products: WebLogic.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 13.
Creation date: 16/05/2006.
Identifiers: BEA06-121.00, BEA06-124.00, BEA06-125.00, BEA06-126.00, BEA06-127.00, BEA06-128.00, BEA06-129.00, BEA06-130.00, BEA06-131.00, BEA06-132.00, BEA06-133.00, BID-17982, CVE-2006-2461, CVE-2006-2462, CVE-2006-2463, CVE-2006-2464, CVE-2006-2465, CVE-2006-2466, CVE-2006-2467, CVE-2006-2468, CVE-2006-2469, CVE-2006-2470, CVE-2006-2471, CVE-2006-2472, CVE-2006-2546, VIGILANCE-VUL-5842.

Description of the vulnerability

BEA Systems published 11 new advisories related to Bea WebLogic:

BEA06-121.00: the stopWebLogic.sh script displays the password on Unix
BEA06-124.00: applications deployed on the server can obtain the private keys
BEA06-125.00: internal IP addresses are visible
BEA06-126.00: security policies on JDBC resources can be disabled
BEA06-127.00: on an error, the HTTP server logs the login and password
BEA06-128.00: an attacker can obtain the domain name via the authentication form
BEA06-129.00: the console displays the IP address of the WebLogic server
BEA06-130.00: an attacker can obtain JSP source code
BEA06-131.00: the admin password is stored in clear text on disk when it is changed using the method described in documentation predating 10 October 2005
BEA06-132.00: some transactions are not protected by SSL
BEA06-133.00: JTA transactions are not protected by SSL

vulnerability alert CVE-2006-2489

Nagios: integer overflow of Content-Length

Synthesis of the vulnerability

An attacker can send a malicious HTTP request in order to trigger an overflow in the Nagios CGI scripts.
Impacted products: Debian, Nagios Open Source.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: intranet client.
Creation date: 16/05/2006.
Identifiers: BID-18059, CVE-2006-2489, DSA-1072-1, VIGILANCE-VUL-5841.

Description of the vulnerability

Nagios uses several CGI scripts, located for example in the /usr/lib/cgi-bin/nagios directory and reachable at http://server/nagios/cgi-bin/.

The Content-Length header of the HTTP protocol indicates the size of the body of a request or response.

The VIGILANCE-VUL-5814 bulletin describes a vulnerability related to a negative Content-Length. That fix was incomplete, so a variant of the attack remains possible and leads to an integer overflow in the Nagios CGI scripts.

An attacker can therefore cause a denial of service and possibly execute code.
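Added example, in C, of the bug class described above (my own code, not the Nagios CGI source and not the fix shipped in DSA-1072-1): a Content-Length header parsed with atoi() and fed straight into an allocation size, beside a parser that rejects negative, non-numeric, overflowing and oversized values before any memory is allocated. The body-size cap, the function names and the sample input stream are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound for a CGI request body; not a value taken from Nagios. */
#define MAX_CONTENT_LENGTH (1024UL * 1024UL)

/* The fragile pattern, constructed for illustration (not Nagios' code): the
 * header is parsed with atoi() and the result is used as an allocation size.
 * "-1" yields an int of -1, and (size_t)-1 + 1 wraps to 0, so malloc() is
 * asked for 0 bytes while a following read would still use the huge length. */
size_t unsafe_alloc_size(const char *content_length)
{
    int len = atoi(content_length);
    return (size_t)len + 1;
}

/* Hardened parse: returns 0 and stores the value, or -1 if the header is
 * empty, non-numeric, has trailing junk, is negative, overflows long, or
 * exceeds the application's cap. */
int parse_content_length(const char *s, size_t *out)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0') return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE) return -1;            /* out of range for long */
    if (end == s || *end != '\0') return -1;   /* no digits, or junk ("12abc") */
    if (v < 0) return -1;                      /* negative length */
    if ((unsigned long)v > MAX_CONTENT_LENGTH) return -1;
    *out = (size_t)v;
    return 0;
}

/* Convenience wrapper: the parsed value, or -1 when it is rejected. */
long content_length_or_neg(const char *s)
{
    size_t n;
    return parse_content_length(s, &n) == 0 ? (long)n : -1;
}

/* Copy exactly Content-Length bytes out of `stream` (standing in for stdin).
 * Because the length was validated against MAX_CONTENT_LENGTH, len + 1 cannot
 * wrap, and a stream shorter than the declared length is rejected rather than
 * trusted. Caller frees the result. */
char *read_body(const char *content_length, const char *stream, size_t stream_len)
{
    size_t len;
    char *buf;

    if (parse_content_length(content_length, &len) != 0) return NULL;
    if (stream_len < len) return NULL;
    buf = malloc(len + 1);
    if (buf == NULL) return NULL;
    memcpy(buf, stream, len);
    buf[len] = '\0';
    return buf;
}

/* 1 if the body read from `stream` under `content_length` equals `expected`. */
int body_equals(const char *content_length, const char *stream, const char *expected)
{
    char *body = read_body(content_length, stream, strlen(stream));
    int ok = body != NULL && strcmp(body, expected) == 0;
    free(body);
    return ok;
}

int main(void)
{
    printf("atoi(\"-1\") + 1 as an allocation size: %zu\n", unsafe_alloc_size("-1"));
    printf("strict parse of \"-1\": %ld, of \"42\": %ld\n",
           content_length_or_neg("-1"), content_length_or_neg("42"));
    return 0;
}
```

The point of the cap is not only to bound memory use: it is what makes `len + 1` provably non-wrapping, so the allocation and the copy are sized from the same validated number.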

vulnerability CVE-2006-2016

phpLDAPadmin: several Cross Site Scripting

Synthesis of the vulnerability

Several Cross Site Scripting attacks against phpLDAPadmin are possible through the "dn" and "scope" parameters.
Impacted products: Debian, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: user account.
Creation date: 15/05/2006.
Identifiers: BID-17643, CVE-2006-2016, DSA-1057-1, VIGILANCE-VUL-5840.

Description of the vulnerability

The phpLDAPadmin program provides a web interface for administering an LDAP server.

It fails to validate:
 - the "dn" parameter of:
     + compare_form.php
     + copy_form.php
     + rename_form.php
     + template_engine.php
     + delete_form.php
 - the "scope" parameter of search.php
 - the "Container DN", "Machine Name", "UID Number" fields of template_engine.php

These vulnerabilities permit an attacker to conduct a Cross Site Scripting attack.
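The two Cross Site Scripting entries on this page (the Sun Web/Application Server error pages, CVE-2006-2501, and phpLDAPadmin, CVE-2006-2016) share one root cause: a user-controlled value is written into HTML without escaping the characters that matter in its context. The following C code is an added example, not the vendors' code, showing why escaping only < > & is insufficient once the value lands inside a double-quoted attribute, which is the gap the Sun error-page bug describes. The error-page template, the attacker string and the function names are constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append s to out[] at *pos, refusing to overflow out_size. */
static int append(char *out, size_t out_size, size_t *pos, const char *s)
{
    size_t n = strlen(s);
    if (*pos + n >= out_size) return -1;
    memcpy(out + *pos, s, n);
    *pos += n;
    out[*pos] = '\0';
    return 0;
}

/* HTML-escape `in` into `out`. With escape_quotes == 0 only < > & are
 * encoded, which is enough for text between tags but not for a value placed
 * inside a quoted attribute; with escape_quotes != 0, " and ' are encoded too. */
int html_escape(const char *in, char *out, size_t out_size, int escape_quotes)
{
    size_t pos = 0;
    if (out_size == 0) return -1;
    out[0] = '\0';
    for (; *in != '\0'; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = one;
        switch (*in) {
        case '<':  rep = "&lt;";  break;
        case '>':  rep = "&gt;";  break;
        case '&':  rep = "&amp;"; break;
        case '"':  if (escape_quotes) rep = "&quot;"; break;
        case '\'': if (escape_quotes) rep = "&#39;";  break;
        default:   break;
        }
        if (append(out, out_size, &pos, rep) != 0) return -1;
    }
    return 0;
}

/* Constructed stand-in for an error page that echoes the requested path both
 * as link text and inside the href attribute. */
int render_error_page(const char *requested, char *out, size_t out_size, int escape_quotes)
{
    char esc[512];
    int n;
    if (html_escape(requested, esc, sizeof esc, escape_quotes) != 0) return -1;
    n = snprintf(out, out_size,
                 "<html><body>Not found: <a href=\"%s\">%s</a></body></html>",
                 esc, esc);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

/* Constructed attacker value: the double quote closes the href attribute and
 * the remainder adds an event handler to the link. */
static const char ATTACK[] = "/missing\" onmouseover=\"alert(1)";

/* Number of raw double quotes in the rendered page. The template contributes
 * exactly 2; any more are attribute boundaries the attacker now controls. */
long rendered_quote_count(int escape_quotes)
{
    char page[1024];
    long count = 0;
    const char *p;
    if (render_error_page(ATTACK, page, sizeof page, escape_quotes) != 0) return -1;
    for (p = page; *p != '\0'; p++) if (*p == '"') count++;
    return count;
}

/* 1 if `needle` appears in the rendered page, 0 if not, -1 on render error. */
int rendered_contains(int escape_quotes, const char *needle)
{
    char page[1024];
    if (render_error_page(ATTACK, page, sizeof page, escape_quotes) != 0) return -1;
    return strstr(page, needle) != NULL;
}

int main(void)
{
    printf("naive filter:  %ld raw quotes, breakout %s\n", rendered_quote_count(0),
           rendered_contains(0, "\" onmouseover=\"") ? "yes" : "no");
    printf("full escaping: %ld raw quotes, breakout %s\n", rendered_quote_count(1),
           rendered_contains(1, "\" onmouseover=\"") ? "yes" : "no");
    return 0;
}
```

The naive filter leaves the attacker's two quotes in place, so the rendered anchor gains an `onmouseover` attribute; the full escaping turns them into `&quot;`, which the browser decodes as literal text inside the attribute value and never as an attribute boundary.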
