Summary.

Info2www CGI Input Handling Vulnerability
BugTraq ID: 1995
Remote: Yes
Date Published: 1998-03-03
Relevant URL: http://www.securityfocus.com/bid/1995
Summary: The info2www script allows HTTP access to information stored in GNU EMACS Info Nodes. This script fails to properly parse input and can be used to execute commands on the server with the permissions of the web server, by passing commands as part of a variable. Potential consequences of a successful exploitation involve anything the web server process has permissions to do, including possibly web site defacement.

Twig Remote Arbitrary Script Execution Vulnerability
BugTraq ID: 1998
Remote: Yes
Date Published: 2000-11-25
Relevant URL: http://www.securityfocus.com/bid/1998
Summary: Twig is a popular web-based email system written in PHP3. Version 2.5.1 and possibly earlier versions of Twig contain a vulnerability that may allow a remote attacker to gain local access to the webserver on which it is installed with httpd privileges.

Bourne Shell /tmp File Vulnerability
BugTraq ID: 2006
Remote: No
Date Published: 2000-11-23
Relevant URL: http://www.securityfocus.com/bid/2006
Summary: Bourne Shell is part of the standard system utilities distributed with all UNIX and UNIX clone operating systems. A vulnerability exists that could allow arbitrary writing to files. The problem exists in the insecure creation of files in the /tmp directory. When using redirection, files are created in the /tmp directory without first checking for the existence of the file. This could result in a symbolic link attack that could be used to corrupt any file that the owner of the redirecting shell has access to write to.

[ I think this is about HERE documents, i.e. <<EOF ]

S.u.S.E. in.identd Denial of Service Vulnerability
BugTraq ID: 2015
Remote: Yes
Date Published: 2000-11-29
Relevant URL: http://www.securityfocus.com/bid/2015
Summary: The in.identd service is used to provide remote systems with usernames associated with TCP connection port pairs. The version of in.identd that ships with S.u.S.E. Linux contains a remotely exploitable denial of service vulnerability that may result in the service crashing. Though the denial of service is the result of oversized input received by the server, it is not an overflow. What happens is that the identd server realizes that the input is too long and changes the value of some pointer to NULL. The server then attempts to dereference this pointer and terminates due to a segmentation violation. The S.u.S.E. ident daemon is multithreaded and is not spawned via inetd. There is only one in.identd process started, usually by init. As a result, if it is terminated it is not restarted. A denial of the identd service occurs until it is manually restarted.

Midnight Commander Directory Viewing Command Execution Vulnerability
BugTraq ID: 2016
Remote: No
Date Published: 2000-11-28
Relevant URL: http://www.securityfocus.com/bid/2016
Summary: Midnight Commander is a popular file management tool for Unix systems. Among many other features, Midnight Commander allows users to traverse their filesystem using a menu-style console interface. There exists a vulnerability in the way Midnight Commander handles directories that may allow for arbitrary commands to be executed when maliciously created directories are opened. Attackers can embed commands into directory names after certain byte values (0x03 and 0x14) that will be executed when a user running Midnight Commander opens them. Because Midnight Commander doesn't list entire directory names in the filesystem window if they are long, this sequence of (nonprintable) characters and the commands can be hidden from the user if enough printable/normal-looking characters precede them. This vulnerability requires direct user interaction (the user must open the malicious directory with Midnight Commander) to be exploited. If exploited, this vulnerability can result in an elevation of privileges for the attacker.

GlimpseHTTP and WebGlimpse Piped Command Vulnerability
BugTraq ID: 2026
Remote: Yes
Date Published: 1996-07-03
Relevant URL: http://www.securityfocus.com/bid/2026
Summary: WebGlimpse and GlimpseHTTP are web indexing and search engine programs with some associated management scripts. GlimpseHTTP up to and including 2.0, and WebGlimpse prior to version 1.5, suffer from a common vulnerability involving the component "aglimpse". This script fails to filter the pipe metacharacter, allowing arbitrary command execution. The demonstration exploit for this vulnerability includes the Unix shell "IFS" (Internal Field Separator) variable for situations where the web server filters space characters: by setting this to an acceptable character ("5" in the example exploit) it is possible to use commands with more than one field (e.g., "mail [EMAIL PROTECTED]").

Majordomo Config-file admin_password Configuration Vulnerability
BugTraq ID: 2028
Remote: Yes
Date Published: 2000-12-01
Relevant URL: http://www.securityfocus.com/bid/2028
Summary: Majordomo is a popular open-source e-mail list server written in Perl. There exists a common configuration error in Majordomo's authentication system that may allow remote attackers to execute administrative commands. Majordomo authenticates list administrators using passwords each time an administrative command is issued. During authentication, the supplied password is first compared to the value of the admin_password option in the list configuration file. If the two match, the administrator is authenticated and the command is executed. If not, Majordomo attempts to open a file in the lists directory with a filename in the format "listname.passwd", where "listname" is the name of the current list. The password is then read from that file. Many Majordomo setup/installation guides instruct the user configuring Majordomo not to set a real password as the value of admin_password, but rather to assign the option the value of the filename to be opened containing the password (in the list.passwd filename format). If this is done, the filename specified as the value for admin_passwd effectively becomes a valid password and can be used to authenticate an administrator. If a system has been configured this way, a remote attacker can guess the name of the file (listname.passwd) and use it as the password to successfully execute administrator commands.

[ no point trying it here :) ]

- To post an announcement: [EMAIL PROTECTED]
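To make the Majordomo two-step check concrete, here is an added Python model (not Majordomo's own code) of the authentication flow the advisory describes, together with an audit function that flags list configurations where admin_password holds the passwd filename instead of a secret. The "key = value" config layout, the key spellings admin_password/admin_passwd, and all sample configs are assumptions constructed for this example.

```python
import re
from pathlib import Path

# Assumed config layout: "#" comment lines and "key = value" lines; the
# advisory names the key both admin_password and admin_passwd, so accept both.
KEY_RE = re.compile(r"^\s*(admin_passw(?:or)?d)\s*=\s*(.*?)\s*$")


def parse_admin_password(config_text):
    """Return the admin_password value from a list config, or None if unset."""
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            return m.group(2)
    return None


def authenticate(supplied, listname, config_text, passwd_files):
    """Model of the advisory's flow: compare against admin_password first,
    then fall back to the contents of <listname>.passwd in the lists directory.
    passwd_files maps filename -> file contents (stands in for that directory)."""
    value = parse_admin_password(config_text)
    if value is not None and supplied == value:
        return True  # step 1: literal match on the config value
    stored = passwd_files.get(f"{listname}.passwd")
    if stored is None:
        return False
    return supplied == stored.strip()  # step 2: match on the file contents


def is_misconfigured(listname, config_text):
    """True when admin_password names the passwd file (bare or as a path):
    step 1 above then accepts that predictable filename as the password."""
    value = parse_admin_password(config_text)
    return value is not None and Path(value).name == f"{listname}.passwd"


def audit(configs):
    """Given {listname: config_text}, return the misconfigured list names."""
    return sorted(n for n, c in configs.items() if is_misconfigured(n, c))


# Constructed sample data, not taken from any real installation.
BAD_CONFIG = "# list config\nadmin_password = mylist.passwd\n"
BAD_PATH_CONFIG = "admin_passwd = /var/lib/majordomo/lists/mylist.passwd\n"
GOOD_CONFIG = "# list config\nadmin_password = Tr0ub4dor&3\n"
PASSWD_FILES = {"mylist.passwd": "realsecret\n"}
```

Run against the real lists directory by reading each listname.config into the dict that audit() takes; any name it returns should have admin_password replaced with an actual secret.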
