Computer Security

getPlus ActiveX code execution
updated since 25.02.2010
SecurityVulns ID: 10654
Threat Level:
Description: Insufficient validation of domain name.
CVE: CVE-2010-0189 (A certain ActiveX control in NOS Microsystems getPlus Download Manager (aka DLM or Downloader), as used in Adobe Download Manager, improperly validates requests involving web sites that are not in subdomains, which allows remote attackers to force the download and installation of arbitrary programs via a crafted name for a download site.)
Original document: Akita Software Security, getPlus insufficient domain name validation vulnerability (01.03.2010)
Original document: IDEFENSE, iDefense Security Advisory 02.23.10: Multiple Vendor NOS Microsystems getPlus Downloader Input Validation Vulnerability (25.02.2010)

Apache mod_security multiple security vulnerabilities
SecurityVulns ID: 10656
Threat Level:
Description: DoS, protection bypass.
Affected: APACHE : mod_security 2.5
Original document: MANDRIVA, [ MDVSA-2010:050 ] apache-mod_security (01.03.2010)

Asterisk invalid ACL processing
SecurityVulns ID: 10657
Threat Level:
Description: /0 CIDR in ACL is processed in an unpredictable way.
Affected: ASTERISK : Asterisk 1.2
 DIGIUM : Asterisk 1.4
 ASTERISK : Asterisk 1.6
Original document: ASTERISK, AST-2010-003: Invalid parsing of ACL rules can compromise security (01.03.2010)

sudo protection bypass
updated since 01.03.2010
SecurityVulns ID: 10655
Threat Level:
Description: When a pseudo-command is enabled, it is possible to create an executable file with the same name; it will be executed by relative name with escalated privileges.
CVE: CVE-2010-1163 (The command matching functionality in sudo 1.6.8 through 1.7.2p5 does not properly handle when a file in the current working directory has the same name as a pseudo-command in the sudoers file and the PATH contains an entry for ".", which allows local users to execute arbitrary commands via a Trojan horse executable, as demonstrated using sudoedit, a different vulnerability than CVE-2010-0426.)
 CVE-2010-0426 (sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command is enabled, permits a match between the name of the pseudo-command and the name of an executable file in an arbitrary directory, which allows local users to gain privileges via a crafted executable file, as demonstrated by a file named sudoedit in a user's home directory.)
Original document: Agazzini Maurizio, sudoedit local privilege escalation through PATH manipulation (22.04.2010)
Original document: UBUNTU, [USN-928-1] Sudo vulnerability (19.04.2010)
Original document: Kingcope Kingcope, Todd Miller Sudo local root exploit discovered by Slouching (02.03.2010)
Original document: MANDRIVA, [ MDVSA-2010:049 ] sudo (01.03.2010)
Files: Todd Miller Sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod