| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 15 Jul 2005 15:31:11 -0400 From: "SPI Labs" <spilabs@...dynamics.com> To: <pen-test@...urityfocus.com>, <bugtraq@...urityfocus.com>, <vuln-dev@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>, <webappsec@...urityfocus.com> Subject: Stack-Based Buffer Overflow in Sybase EAServer 4.2.5 to 5.2 Stack-Based Buffer Overflow in Sybase EAServer 4.2.5 to 5.2 ----------------------------------------------------------- Release Date: July 15 2005 Severity: Medium A vulnerability has been discovered in Sybase EAServer. If exploited, this can result in user-specified code being executed under the security context of the jagsrv.exe process. To complete this attack, you must be authenticated to /WebConsole/. By default, the jagadmin user password is set to blank so getting access might be trivial. After authenticating to /WebConsole/ if an attacker sets the value of the JavaScript parameter in TreeAction.do to a large value a return address can be overwritten due to a stack-based buffer overflow. For more information about this advisory, please visit our advisory page located at http://www.spidynamics.com/spilabs/advisories/sybaseEAserverOverflow.htm [Remediation] For a complete list of version affected and patch required, please visit the complete advisory page http://www.spidynamics.com/spilabs/advisories/sybaseEAserverOverflow.htm Vendor Information: Sybase was contacted on 05/05/2005. For more information about this advisory Please visited Sybase alert page http://www.sybase.com/detail?id=1036742 Contact Information spilabs@...dynamics.com SPI Dynamics, Inc. 115 Perimeter Center Place N.E. suite 1100 Atlanta, GA. 30346 Toll-Free Phone: (866) 774-2700 SPI Dynamics was founded in 2000 by a team of accomplished Web security specialists; SPI Dynamics is the leader in Web application security technology. With such signature products as WebInspect, SPI Dynamics is dedicated to protecting companies' most valuable assets. SPI Dynamics has created a new breed of Internet security products for the Web application, the most vulnerable yet least secure component of online business infrastructure. Copyright (c) 2005 SPI Dynamics, Inc. All rights reserved worldwide.
Powered by blists - more mailing lists