17. My Postcards MagicCard.CGI Arbitrary File Disclosure Vulnerability
BugTraq ID: 5029
Remote: Yes
Date Published: Jun 15 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5029
Summary:
My Postcards is a commercially available electronic postcard system. It is
available for Unix and Linux operating systems.
A problem with My Postcards could make it possible for a remote attacker
to disclose the contents of arbitrary files.
The magiccard.cgi script does not properly handle some types of input.
As a result, it may be possible for a remote user to specify the location
of a specific file on the system hosting the My Postcards software. Upon
specifying the location of a file that is readable by the web server
process, the user could disclose the contents of the specified file.
This problem could lead to a remote user gaining access to sensitive
information on a system. This could include information such as access
control passwords, or other information stored on the server not meant for
public access.
18. Caucho Technology Resin Server View_Source.JSP Arbitrary File Disclosure Vulnerability
BugTraq ID: 5031
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5031
Summary:
Caucho Technology Resin is a servlet and JSP (Java Server Pages) engine
that supports Java and JavaScript. It is built for Unix and Linux variants
as well as Microsoft Windows operating environments.
A vulnerability has been reported in Resin Server 2.1.2, deployed on a
Microsoft Windows platform, that may allow remote attackers to view
contents of arbitrary files.
The 'view_source.jsp' script, found in an example folder as part of the
Resin Server installation, may allow remote attackers access to files
readable by the web server.
The vulnerability lies in how requests are checked for directory traversal.
The 'view_source.jsp' script prevents directory traversal via '/../'
sequences. However, an attacker attempting directory traversal via '\..\'
sequences will succeed. This may allow an attacker to request any files on
the vulnerable system readable by the web server.
This problem could lead to a remote user gaining access to sensitive
information on a system. This could include information such as access
control passwords, or other information stored on the server not meant for
public access.
19. Caucho Technology Resin Server Denial Of Service Vulnerability
BugTraq ID: 5032
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5032
Summary:
Caucho Technology Resin is a servlet and JSP (Java Server Pages) engine
that supports Java and JavaScript. It is built for Unix and Linux variants
as well as Microsoft Windows operating environments.
A vulnerability has been reported in Resin Server 2.1.1, deployed on a
Microsoft Windows platform, that may cause Resin Server to cease
functioning properly leading to a denial of service condition.
The vulnerability occurs when a client accesses non-existent resources.
If large variables are defined for such requests, parts (if not all) of
Resin will cease to be fully operational. A denial of service condition
may result.
An attacker may take advantage of this vulnerability to deny service to
legitimate users.
20. Apache Chunked-Encoding Memory Corruption Vulnerability
BugTraq ID: 5033
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5033
Summary:
Apache is a freely available webserver for Unix and Linux variants, as
well as Microsoft operating systems.
The HTTP protocol specifies a method of data coding called 'Chunked
Encoding', designed to facilitate fragmentation of HTTP requests in
transit. A vulnerability has been discovered in the Apache implementation
of 'Chunked Encoding'.
When processing requests coded with the 'Chunked Encoding' mechanism,
Apache fails to properly calculate required buffer sizes. This may be due
to improper (signed) interpretation of an unsigned integer value.
Consequently, several conditions may occur that have security
implications. It has been reported that a buffer overrun and signal race
condition occur. Exploitation of these conditions may result in the
execution of arbitrary code.
On Windows and Netware platforms, Apache uses threads within a single
server process to handle concurrent connections. Causing the server
process to crash on these platforms may result in a denial of service.
It has been confirmed that this vulnerability may be exploited to execute
arbitrary code on both Win32 and UNIX platforms.
Note: Products which use or bundle Apache such as Oracle 9iAS or IBM
Websphere may also be affected.
21. Wolfram Research webMathematica File Disclosure Vulnerability
BugTraq ID: 5035
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5035
Summary:
Wolfram Research's webMathematica is a Java based product which allows the
inclusion of Mathematica content in a web environment. It includes CGI
programs which generate image content based on user supplied input.
A file disclosure vulnerability has been reported with the MSP CGI
program. MSP is capable of redirecting an HTTP request to a dynamically
generated image, and accepts the filename as a CGI parameter. The user
supplied file name is not properly validated before the file is displayed.
An attacker may include "../" characters in the specified filename, and
escape the specified web root. Arbitrary system files may be disclosed to
the remote user. The disclosure of sensitive system information may aid in
further attacks against the vulnerable system.
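
The gap between a '/../'-only filter (item 18) and a canonicalise-then-contain check, which also covers the "../" case in item 21, shown as an added Python example that is not code from Resin or webMathematica. ROOT and the file names are constructed, the input is assumed to be URL-decoded already, and ntpath is used so that Windows path rules apply on any platform.

```python
import ntpath  # Windows path rules, usable on any OS
from typing import Optional

# Hypothetical directory the source viewer is allowed to serve from.
ROOT = r"C:\srv\examples"


def naive_filter_allows(rel_path: str) -> bool:
    """Filter in the style described in item 18: only '/../' is rejected."""
    return "/../" not in rel_path


def resolve_inside_root(rel_path: str, root: str = ROOT) -> Optional[str]:
    """Canonicalise first, then test containment.

    Returns the resolved path, or None when it would leave root.
    """
    if "\x00" in rel_path or ntpath.splitdrive(rel_path)[0]:
        return None  # NUL byte, drive letter or UNC prefix
    # normpath treats '/' and '\' alike and collapses every '..' segment.
    candidate = ntpath.normpath(ntpath.join(root, rel_path))
    root_cmp = ntpath.normcase(ntpath.normpath(root))
    cand_cmp = ntpath.normcase(candidate)
    # Compare with a trailing separator so 'examples-old' is not
    # mistaken for a path inside 'examples'.
    if cand_cmp != root_cmp and not cand_cmp.startswith(root_cmp + "\\"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request values.
    for value in ("basic/hello.jsp",
                  "a/../../secret.txt",
                  r"a\..\..\secret.txt",
                  r"..\examples-old\x.jsp"):
        print(f"{value!r}: naive filter allows={naive_filter_allows(value)}, "
              f"resolved={resolve_inside_root(value)}")
```

The check is lexical only; a deployment would also resolve links on the real file system before comparing.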
22. Zyxel Prestige 642R Malformed Packet Denial Of Service Vulnerability
BugTraq ID: 5034
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5034
Summary:
ZyXEL 642R routers have difficulties handling packets with certain TCP
options enabled. In particular, it is possible to deny services by
sending a vulnerable router a SYN-ACK packet. This type of malformed
packet will create a denial of service which can only be remedied by
restarting the device. To a lesser degree, the router also encounters
difficulties when handling SYN-FIN packets. SYN-FIN packets have been
reported to deny service for the duration of a few minutes. This issue
has also been reproduced with other types of malformed packets.
In both instances, some services provided by the router (telnet, FTP and
DHCP) will be denied; however, the device will continue to route network
traffic.
ZyXEL 642R-11 routers are reportedly affected by this vulnerability. It
is possible that other ZyNOS-based routers are also affected by this
vulnerability. ZyXEL 643 ADSL routers do not appear to be prone to this
issue.
This issue may be exploited in combination with the vulnerability
described in Bugtraq ID 3346.
23. NetGear RP114 Administrative Access Via External Interface Vulnerability
BugTraq ID: 5036
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5036
Summary:
The NetGear RP114 router includes administrative support through a variety
of mechanisms, including telnet and HTTP. Access to administration tools
is granted to systems with the address 192.168.0.1, reserved for use on
internal networks.
Reportedly, the RP114 router will accept traffic from addresses in the
192.168.x.x range on its external interface. An attacker external to the
router may be able to connect to the device from this IP, and access the
administrative interface. An attacker may be able to gain access to
sensitive information, or to create a denial of service condition for
legitimate users of the router.
Authentication is still required; however, the device has a commonly known
default username of 'admin' with the password '1234'.
Other related devices may share this vulnerability, although this has not
been confirmed.
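
An ingress check for the condition described in item 23, run over firewall records, as an added Python example that is not NetGear code. The key=value log format, the interface names and all addresses are constructed, and the RFC 1918 and loopback ranges beyond 192.168.0.0/16 are an addition to what the advisory names.

```python
import ipaddress

# Source ranges that should never arrive on an Internet-facing interface.
# 192.168.0.0/16 is the range named in item 23; the other blocks are added.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "127.0.0.0/8")]
ADMIN_PORTS = {23: "telnet", 80: "http"}

# Constructed log lines in a hypothetical key=value firewall format.
SAMPLE_LOG = """\
in=wan src=192.168.0.1 dst=203.0.113.10 proto=tcp dport=23
in=lan src=192.168.0.1 dst=192.168.0.254 proto=tcp dport=80
in=wan src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=80
in=wan src=10.1.2.3 dst=203.0.113.10 proto=tcp dport=443
in=wan src=not-an-ip dst=203.0.113.10 proto=tcp dport=23
"""


def spoofed_ingress(log, external_iface="wan"):
    """Return (line number, source, admin service or None) for each record
    that arrived on the external interface with a non-routable source."""
    findings = []
    for lineno, line in enumerate(log.splitlines(), 1):
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if fields.get("in") != external_iface:
            continue
        try:
            src = ipaddress.ip_address(fields.get("src", ""))
        except ValueError:
            continue  # malformed record: skip rather than guess
        if any(src in net for net in NON_ROUTABLE):
            dport = fields.get("dport", "")
            service = ADMIN_PORTS.get(int(dport)) if dport.isdigit() else None
            findings.append((lineno, str(src), service))
    return findings


if __name__ == "__main__":
    for hit in spoofed_ingress(SAMPLE_LOG):
        print(hit)
```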
24. PHPBB2 Install.PHP Remote File Include Vulnerability
BugTraq ID: 5038
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5038
Summary:
phpBB2 is an open-source web forum application that is written in PHP and
backed by a number of database products. It will run on most Unix and
Linux variants, as well as Microsoft Windows operating systems.
A problem has been discovered in phpBB2 which may enable an attacker to
include an arbitrary attacker-supplied file which is located on a remote
host.
The problem is that an arbitrary path can be specified as a value for the
'phpbb_root_path' URL parameter. This issue exists in the 'install.php'
script. An attacker may exploit this vulnerability by supplying the
location of a remote file as the value for the 'phpbb_root_path' URL
parameter.
In the case that the remote file is a PHP script, this may allow commands
to be executed remotely with the privileges of the webserver. Successful
exploitation will allow a remote attacker to gain local, interactive
access to a host running the vulnerable software. This is especially a
concern for hosts running Microsoft Windows operating systems, as
webservers are generally run with SYSTEM privileges on these platforms.
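
A log review for the request pattern described in item 24, as an added Python example that is not phpBB code. The access-log lines, client addresses and host names are constructed, and the check only reports requests to 'install.php' whose 'phpbb_root_path' value is a URL rather than a local path.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format); all hosts are made up.
SAMPLE_LOG = [
    '198.51.100.23 - - [17/Jun/2002:10:00:01 +0000] "GET /phpBB2/install.php'
    '?phpbb_root_path=http://files.example/ HTTP/1.0" 200 512',
    '192.0.2.8 - - [17/Jun/2002:10:00:05 +0000] "GET /phpBB2/install.php'
    ' HTTP/1.0" 200 4096',
    '192.0.2.9 - - [17/Jun/2002:10:00:09 +0000] "GET /phpBB2/install.php'
    '?phpbb_root_path=ftp%3A%2F%2Ffiles.example%2Fx HTTP/1.0" 200 100',
    '192.0.2.10 - - [17/Jun/2002:10:00:12 +0000] "GET /phpBB2/viewtopic.php'
    '?t=5 HTTP/1.0" 200 900',
    '192.0.2.11 - - [17/Jun/2002:10:00:15 +0000] "GET /phpBB2/install.php'
    '?phpbb_root_path=./ HTTP/1.0" 200 4096',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A value that begins with "scheme://" names a remote location.
REMOTE_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def suspicious_includes(lines, script="install.php", param="phpbb_root_path"):
    """Return (client, decoded value) for requests to `script` whose `param`
    carries a URL instead of a local path."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/" + script):
            continue
        # parse_qs percent-decodes, so encoded values are compared decoded.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if REMOTE_RE.match(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_includes(SAMPLE_LOG):
        print(client, value)
```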