Re: Remotely Anywhere 'Accept-Charset' Parameter NULL Pointer

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Remotely Anywhere 'Accept-Charset' Parameter NULL Pointer
From: patrick@xxxxxxxxxxx
Date: Tue, 11 Mar 2008 14:03:56 +1100
In-reply-to: <df4671b50803101957k68896e2fq8480064a81368459@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <df4671b50803101957k68896e2fq8480064a81368459@xxxxxxxxxxxxxx>

Re:

http://www.securityfocus.com/bid/28175

Remotely Anywhere 'Accept-Charset' Parameter NULL Pointer Denial Of Service
Vulnerability

I just thought I'd add (while you're at it) that there are a few other bugs.

1) There is a service 'RAMaint' (a watchdog task). It runs as LocalSystem
(doesn't everything?!) and uses an unsafe (unquoted - c:\program.exe) path
in versions earlier than v8. v8 and onwards uses an absolute path.

2) There is an XSS in the RemotelyAnywhere HTTP service, which you can use
to steal cookies. Of course, you need to entice your target to visit the
address and send the cookie somewhere.

/img/<script>alert(document.cookie);</script>.html

The error is interpreted by the browser as text/html.

-Patrick

Prev by Date: [USN-585-1] Python vulnerabilities
Next by Date: ACROS Security: Session Fixation Vulnerability in WebLogic Administration Console (#2008-03-11-2)
Previous by thread: [USN-585-1] Python vulnerabilities
Next by thread: ACROS Security: Session Fixation Vulnerability in WebLogic Administration Console (#2008-03-11-2)
Index(es):
- Date
- Thread