Computer Security
[EN] securityvulns.ru no-pyccku


Postfix mail server hardlinks privilege escalation
updated since 14.08.2008
Published:02.09.2008
Source:
SecurityVulns ID:9222
Type:local
Threat Level:
4/10
Description:It's possible to cause Postfix to deliver mail to system file by using hardlinks to symlink (available against standard in Linux, IRIX, Solaris).
Affected:POSTFIX : Postfix 2.3
 POSTFIX : Postfix 2.4
 POSTFIX : postfix 2.5
 POSTFIX : postfix 2.6
CVE:CVE-2008-2937 (Postfix 2.5 before 2.5.4 and 2.6 before 2.6-20080814 delivers to a mailbox file even when this file is not owned by the recipient, which allows local users to read e-mail messages by creating a mailbox file corresponding to another user's account name.)
 CVE-2008-2936 (Postfix before 2.3.15, 2.4 before 2.4.8, 2.5 before 2.5.4, and 2.6 before 2.6-20080814, when the operating system supports hard links to symlinks, allows local users to append e-mail messages to a file to which a root-owned symlink points, by creating a hard link to this symlink and then sending a message. NOTE: this can be leveraged to gain privileges if there is a symlink to an init script.)
Original documentdocumentRoman Medina, PoCfix (PoC for Postfix local root vuln - CVE-2008-2936) (02.09.2008)
 documentWietse Venema, Postfix local privilege escalation via hardlinked symlinks (14.08.2008)
Files:PoC for Postfix local root vuln - CVE-2008-2936

Postfix DoS
Published:02.09.2008
Source:
SecurityVulns ID:9252
Type:local
Threat Level:
4/10
Description:File descriptor leaks under Linux.
Affected:POSTFIX : Postfix 2.4
 POSTFIX : postfix 2.5
 POSTFIX : postfix 2.6
Original documentdocumentWietse Venema, Postfix Linux-only local denial of service (02.09.2008)

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:02.09.2008
Source:
SecurityVulns ID:9253
Type:remote
Threat Level:
5/10
Description:PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc. myPHPNuke: SQL injection.
Affected:MYPHPNUKE : myPHPNuke 1.8
 VTIGER : vtigerCRM 5.0
 PLESK : Plesk 8.6
CVE:CVE-2008-3101 (Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an Authenticate action to the Users module, as reachable through index.php; or (3) the query_string parameter in a UnifiedSearch action to the Home module, as reachable through index.php.)
 CVE-2008-2553 (Cross-site scripting (XSS) vulnerability in Slashdot Like Automated Storytelling Homepage (Slash) (aka Slashcode) R_2_5_0_94 and earlier allows remote attackers to inject arbitrary web script or HTML via the userfield parameter.)
 CVE-2008-2231
Original documentdocumentDEBIAN, [SECURITY] [DSA 1633-1] New slash packages fix multiple vulnerabilities (02.09.2008)
 documentFelix Buenemann, Plesk 8.6.0 authentication flaw allows to gain virtual user priviledges (02.09.2008)
 documentFabian Fingerle, Multiple Cross Site Scripting (XSS) Vulnerabilities in vtigerCRM 5.0.4, CVE-2008-3101 (02.09.2008)
 documentMustLive, SQL Injection vulnerability in myPHPNuke (02.09.2008)

Dreambox DM500 DoS
Published:02.09.2008
Source:
SecurityVulns ID:9254
Type:remote
Threat Level:
4/10
Description:Device crashes on oversized HTTP request.
Affected:DREAMMULTIMEDIAT : Dreambox DM500
Original documentdocumentMarc Ruef, [scip_Advisory 3807] Dreambox DM500 webserver long URL request denial of service (02.09.2008)

VMWare multiple applications security vulnerabilities
Published:02.09.2008
Source:
SecurityVulns ID:9255
Type:remote
Threat Level:
5/10
Description:Multiple ActiveX vulnerabilities, privilege escalation, ISAPI filters DoS, third party components updates.
Affected:VMWARE : VMware Workstation 5.5
 VMWARE : VMware Player 1.0
 VMWARE : VMware Server 1.0
 VMWARE : VMware ACE 1.0
 VMWARE : VMWare Workstation 6.0
 VMWARE : VMware Player 2.0
 VMWARE : VMWare ACE 2.0
 VMWARE : VMware ESX 3.0
CVE:CVE-2008-3698 (Unspecified vulnerability in the OpenProcess function in VMware Workstation 5.5.x before 5.5.8 build 108000, VMware Workstation 6.0.x before 6.0.5 build 109488, VMware Player 1.x before 1.0.8 build 108000, VMware Player 2.x before 2.0.5 build 109488, VMware ACE 1.x before 1.0.7 build 108880, VMware ACE 2.x before 2.0.5 build 109488, and VMware Server before 1.0.7 build 108231 on Windows allows local host OS users to gain privileges on the host OS via unknown vectors.)
 CVE-2008-3697 (An unspecified ISAPI extension in VMware Server before 1.0.7 build 108231 allows remote attackers to cause a denial of service (IIS crash) via a malformed request.)
 CVE-2008-3696 (Unspecified vulnerability in a certain ActiveX control in VMware Workstation 5.5.x before 5.5.8 build 108000, VMware Workstation 6.0.x before 6.0.5 build 109488, VMware Player 1.x before 1.0.8 build 108000, VMware Player 2.x before 2.0.5 build 109488, VMware ACE 1.x before 1.0.7 build 108880, VMware ACE 2.x before 2.0.5 build 109488, and VMware Server before 1.0.7 build 108231 has unknown impact and remote attack vectors, a different vulnerability than CVE-2008-3691, CVE-2008-3692, CVE-2008-3693, CVE-2008-3694, and CVE-2008-3695.)
 CVE-2008-3695 (Unspecified vulnerability in a certain ActiveX control in VMware Workstation 5.5.x before 5.5.8 build 108000, VMware Workstation 6.0.x before 6.0.5 build 109488, VMware Player 1.x before 1.0.8 build 108000, VMware Player 2.x before 2.0.5 build 109488, VMware ACE 1.x before 1.0.7 build 108880, VMware ACE 2.x before 2.0.5 build 109488, and VMware Server before 1.0.7 build 108231 has unknown impact and remote attack vectors, a different vulnerability than CVE-2008-3691, CVE-2008-3692, CVE-2008-3693, CVE-2008-3694, and CVE-2008-3696.)
 CVE-2008-3694 (Unspecified vulnerability in a certain ActiveX control in VMware Workstation 5.5.x before 5.5.8 build 108000, VMware Workstation 6.0.x before 6.0.5 build 109488, VMware Player 1.x before 1.0.8 build 108000, VMware Player 2.x before 2.0.5 build 109488, VMware ACE 1.x before 1.0.7 build 108880, VMware ACE 2.x before 2.0.5 build 109488, and VMware Server before 1.0.7 build 108231 has unknown impact and remote attack vectors, a different vulnerability than CVE-2008-3691, CVE-2008-3692, CVE-2008-3693, CVE-2008-3695, and CVE-2008-3696.)
 CVE-2008-3693 (Unspecified vulnerability in a certain ActiveX control in VMware Workstation 5.5.x before 5.5.8 build 108000, VMware Workstation 6.0.x before 6.0.5 build 109488, VMware Player 1.x before 1.0.8 build 108000, VMware Player 2.x before 2.0.5 build 109488, VMware ACE 1.x before 1.0.7 build 108880, VMware ACE 2.x before 2.0.5 build 109488, and VMware Server before 1.0.7 build 108231 has unknown impact and remote attack vectors, a different vulnerability than CVE-2008-3691, CVE-2008-3692, CVE-2008-3694, CVE-2008-3695, and CVE-2008-3696.)
 CVE-2008-3692 (Unspecified vulnerability in a certain ActiveX control in VMware Workstation 5.5.x before 5.5.8 build 108000, VMware Workstation 6.0.x before 6.0.5 build 109488, VMware Player 1.x before 1.0.8 build 108000, VMware Player 2.x before 2.0.5 build 109488, VMware ACE 1.x before 1.0.7 build 108880, VMware ACE 2.x before 2.0.5 build 109488, and VMware Server before 1.0.7 build 108231 has unknown impact and remote attack vectors, a different vulnerability than CVE-2008-3691, CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, and CVE-2008-3696.)
 CVE-2008-3691 (Unspecified vulnerability in a certain ActiveX control in VMware Workstation 5.5.x before 5.5.8 build 108000, VMware Workstation 6.0.x before 6.0.5 build 109488, VMware Player 1.x before 1.0.8 build 108000, VMware Player 2.x before 2.0.5 build 109488, VMware ACE 1.x before 1.0.7 build 108880, VMware ACE 2.x before 2.0.5 build 109488, and VMware Server before 1.0.7 build 108231 has unknown impact and remote attack vectors, a different vulnerability than CVE-2008-3692, CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, and CVE-2008-3696.)
 CVE-2008-2101 (The VMware Consolidated Backup (VCB) command-line utilities in VMware ESX 3.0.1 through 3.0.3 and ESX 3.5 place a password on the command line, which allows local users to obtain sensitive information by listing the process.)
 CVE-2008-1808 (Multiple off-by-one errors in FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via (1) a crafted table in a Printer Font Binary (PFB) file or (2) a crafted SHC instruction in a TrueType Font (TTF) file, which triggers a heap-based buffer overflow.)
 CVE-2008-1807 (FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via an invalid "number of axes" field in a Printer Font Binary (PFB) file, which triggers a free of arbitrary memory locations, leading to memory corruption.)
 CVE-2008-1806 (Integer overflow in FreeType2 before 2.3.6 allows context-dependent attackers to execute arbitrary code via a crafted set of 16-bit length values within the Private dictionary table in a Printer Font Binary (PFB) file, which triggers a heap-based buffer overflow.)
 CVE-2008-1447 (The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug.")
 CVE-2007-5503 (Multiple integer overflows in Cairo before 1.4.12 might allow remote attackers to execute arbitrary code, as demonstrated using a crafted PNG image with large width and height values, which is not properly handled by the read_png function.)
 CVE-2007-5438 (Unspecified vulnerability in a certain ActiveX control in Reconfig.DLL in EMC VMware Player might allow local users to cause a denial of service to the Virtual Disk Mount Service (vmount2.exe), related to the ConnectPopulatedDiskEx function.)
 CVE-2007-5269 (Certain chunk handlers in libpng before 1.0.29 and 1.2.x before 1.2.21 allow remote attackers to cause a denial of service (crash) via crafted (1) pCAL (png_handle_pCAL), (2) sCAL (png_handle_sCAL), (3) tEXt (png_push_read_tEXt), (4) iTXt (png_handle_iTXt), and (5) ztXT (png_handle_ztXt) chunking in PNG images, which trigger out-of-bounds read operations.)
Original documentdocumentVMWARE, VMSA-2008-0014 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues. (02.09.2008)

WordNet library multiple buffer overflows
Published:02.09.2008
Source:
SecurityVulns ID:9256
Type:library
Threat Level:
5/10
Affected:WORDNET : WordNet 3.0
CVE:CVE-2008-3908 (Multiple buffer overflows in Princeton WordNet (wn) 3.0 allow context-dependent attackers to execute arbitrary code via (1) a long argument on the command line; a long (2) WNSEARCHDIR, (3) WNHOME, or (4) WNDBVERSION environment variable; or (5) a user-supplied dictionary (aka data file). NOTE: since WordNet itself does not run with special privileges, this issue only crosses privilege boundaries when WordNet is invoked as a third party component.)
 CVE-2008-2149 (Stack-based buffer overflow in the searchwn function in Wordnet 2.0, 2.1, and 3.0 might allow context-dependent attackers to execute arbitrary code via a long command line option. NOTE: this issue probably does not cross privilege boundaries except in cases in which Wordnet is used as a back end.)
Original documentdocumentRob Holland, [oCERT-2008-014] WordNet stack and heap overflows (02.09.2008)

Netscape / RedHat Directory Server multiple security vulnerabilities
Published:02.09.2008
Source:
SecurityVulns ID:9257
Type:remote
Threat Level:
6/10
Description:DoS, Crossite scripting.
CVE:CVE-2008-2932 (Heap-based buffer overflow in Red Hat adminutil 1.1.6 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via % (percent) encoded HTTP input to unspecified CGI scripts in Fedora Directory Server. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-2929.)
 CVE-2008-2930 (Red Hat Directory Server 7.1 before SP7, Red Hat Directory Server 8, and Fedora Directory Server 1.1.1 allow remote attackers to cause a denial of service (CPU consumption and search outage) via crafted LDAP search requests with patterns, related to a single-threaded regular-expression subsystem.)
 CVE-2008-2929 (Multiple cross-site scripting (XSS) vulnerabilities in the adminutil library in the Directory Server Administration Express and Directory Server Gateway (DSGW) web interface in Red Hat Directory Server 7.1 before SP7 and 8 EL4 and EL5, and Fedora Directory Server, allow remote attackers to inject arbitrary web script or HTML via input values that use % (percent) escaping.)
 CVE-2008-2928 (Multiple buffer overflows in the adminutil library in CGI applications in Red Hat Directory Server 7.1 before SP7 allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted Accept-Language HTTP header.)
Original documentdocumentHP, HPSBUX02354 SSRT080113 rev.1 - HP-UX Running Netscape / Red Hat Directory Server, Remote Cross Site Scripting (XSS) or Remote Denial of Service (DoS) (02.09.2008)

Softalk IMAP Server DoS
Published:02.09.2008
Source:
SecurityVulns ID:9259
Type:remote
Threat Level:
5/10
Description:IMAP APPEND command handling vulnerability.
Affected:SOFTALK : Softalk IMAP Server 8.5
Original documentdocumentJoгo Antunes, [AJECT] Softalk IMAP Server 8.5.1 DoS vulnerability (02.09.2008)

HP OpenView Network Node Manager DoS
updated since 02.09.2008
Published:27.10.2008
Source:
SecurityVulns ID:9258
Type:remote
Threat Level:
5/10
Affected:HP : OpenView Network Node Manager 7.01
 HP : OpenView Network Node Manager 7.51
 HP : OpenView Network Node Manager 7.53
 HP : OpenView Report 3.70
 HP : HP Performance Agent 4.70
CVE:CVE-2008-3545 (Unspecified vulnerability in ovtopmd in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to cause a denial of service via unknown vectors, a different vulnerability than CVE-2008-3536, CVE-2008-3537, and CVE-2008-3544. NOTE: due to insufficient details from the vendor, it is not clear whether this is the same as CVE-2008-1853.)
 CVE-2008-3537 (Unspecified vulnerability in ovalarmsrv in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to cause a denial of service via unknown vectors, a different vulnerability than CVE-2008-3536.)
 CVE-2008-3536\7
 CVE-2008-3536 (Unspecified vulnerability in ovalarmsrv in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to cause a denial of service via unknown vectors, a different vulnerability than CVE-2008-3537.)
 CVE-2007-4349 (The Shared Trace Service (aka OVTrace) in HP Performance Agent C.04.70 (aka 4.70), HP OpenView Performance Agent C.04.60 and C.04.61, HP Reporter 3.8, and HP OpenView Reporter 3.7 (aka Report 3.70) allows remote attackers to cause a denial of service via an unspecified series of RPC requests (aka Trace Event Messages) that triggers an out-of-bounds memory access, related to an erroneous object reference.)
Original documentdocumentSECUNIA, Secunia Research: HP OpenView Products Shared Trace Service Denial of Service (27.10.2008)
 documentHP, [security bulletin] HPSBMA02374 SSRT080046 rev.1 - HP OpenView Network Node Manager (OV NNM), Remote Denial of Service (DoS) (09.10.2008)
 documentHP, [security bulletin] HPSBMA02362 SSRT080044, SSRT080045, SSRT080042 rev.2 - HP OpenView Network Node Manager (OV NNM), Remote Denial of Service (DoS), Execute Arbitrary Code (09.10.2008)
 documentHP, [security bulletin] HPSBMA02362 SSRT080044, SSRT080045 rev.1 - HP OpenView Network Node Manager (OV NNM), Remote Denial of Service (DoS) (02.09.2008)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod