Message-ID: <F71BB5B89FB0384290F8085CFB84061EACD409@mcbain.spidynamics.com>
Date: Fri, 15 Jul 2005 15:31:11 -0400
From: "SPI Labs" <spilabs@...dynamics.com>
To: <pen-test@...urityfocus.com>, <bugtraq@...urityfocus.com>,
	<vuln-dev@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>,
	<webappsec@...urityfocus.com>
Subject: Stack-Based Buffer Overflow in Sybase EAServer 4.2.5 to 5.2


Stack-Based Buffer Overflow in Sybase EAServer 4.2.5 to 5.2
-----------------------------------------------------------

Release Date: July 15 2005
Severity: Medium

A vulnerability has been discovered in Sybase EAServer. If exploited, it
can result in user-specified code being executed under the security
context of the jagsrv.exe process. To complete this attack, an attacker
must be authenticated to /WebConsole/. By default, the jagadmin user
password is blank, so gaining that access may be trivial.

After authenticating to /WebConsole/, if an attacker sets the value of
the JavaScript parameter in TreeAction.do to a large value, a return
address can be overwritten due to a stack-based buffer overflow.
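As a defensive illustration, the following Python script (added here, not part of the SPI Labs advisory or any Sybase tooling) scans web server access-log lines for requests to /WebConsole/TreeAction.do whose JavaScript parameter is abnormally long, which is the precondition the advisory describes. The log lines are constructed for the example, and the 256-byte threshold is an assumption, since the advisory does not state the buffer size; tune it to the longest legitimate value observed in your own logs.

```python
"""Flag requests to the EAServer WebConsole TreeAction.do endpoint that carry
an oversized 'JavaScript' query parameter.

This is an added example for log review and detection, not code from the
advisory. Log format, sample lines and the length threshold are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed threshold: legitimate values of this parameter are short flags such
# as "true"/"false"; anything far longer is worth an alert.
MAX_JAVASCRIPT_LEN = 256

# Common Log Format with an appended request line; constructed sample data.
LOG_LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one normal request, one oversized parameter,
# one unrelated request.
SAMPLE_LOG = (
    '10.0.0.5 - jagadmin [15/Jul/2005:15:31:11 -0400] '
    '"GET /WebConsole/TreeAction.do?JavaScript=true&node=1 HTTP/1.1" 200 512\n'
    '10.0.0.7 - jagadmin [15/Jul/2005:15:32:02 -0400] '
    '"GET /WebConsole/TreeAction.do?JavaScript=' + 'A' * 600 + ' HTTP/1.1" 500 0\n'
    '10.0.0.9 - - [15/Jul/2005:15:33:40 -0400] '
    '"GET /WebConsole/index.jsp HTTP/1.1" 200 2048\n'
)


def javascript_param_length(url):
    """Return the decoded length of the JavaScript parameter for a request
    to /WebConsole/TreeAction.do, or None if the URL is not that endpoint
    or carries no such parameter."""
    parts = urlsplit(url)
    if not (parts.path.startswith('/WebConsole/')
            and parts.path.endswith('/TreeAction.do')):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    values = params.get('JavaScript')
    if not values:
        return None
    # A repeated parameter counts by its longest value.
    return max(len(v) for v in values)


def flag_oversized_requests(log_text, max_len=MAX_JAVASCRIPT_LEN):
    """Parse access-log text and return one dict per request whose
    JavaScript parameter exceeds max_len bytes."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # unparsable line; skip rather than crash the scan
        length = javascript_param_length(m.group('url'))
        if length is not None and length > max_len:
            findings.append({
                'client': m.group('client'),
                'user': m.group('user'),
                'timestamp': m.group('ts'),
                'status': int(m.group('status')),
                'param_len': length,
            })
    return findings


if __name__ == '__main__':
    for f in flag_oversized_requests(SAMPLE_LOG):
        print('ALERT: %(client)s as %(user)s at %(timestamp)s sent a '
              '%(param_len)d-byte JavaScript parameter (HTTP %(status)d)' % f)
```

Because exploitation requires an authenticated session, pair this with a check that the jagadmin account no longer has a blank password, and treat a hit from an authenticated jagadmin session followed by a 5xx response or a jagsrv.exe crash as a likely exploitation attempt rather than noise.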

For more information about this advisory, please visit our advisory page at
http://www.spidynamics.com/spilabs/advisories/sybaseEAserverOverflow.htm

[Remediation]
For a complete list of affected versions and the required patches, please
visit the complete advisory page at
http://www.spidynamics.com/spilabs/advisories/sybaseEAserverOverflow.htm


Vendor Information:
Sybase was contacted on 05/05/2005. For more information about this
advisory, please visit the Sybase alert page at
http://www.sybase.com/detail?id=1036742


Contact Information
spilabs@...dynamics.com
SPI Dynamics, Inc.
115 Perimeter Center Place N.E.
Suite 1100
Atlanta, GA 30346
Toll-Free Phone: (866) 774-2700



SPI Dynamics was founded in 2000 by a team of accomplished Web security
specialists, and is the leader in Web application security technology.
With signature products such as WebInspect, SPI Dynamics is dedicated to
protecting companies' most valuable assets. SPI Dynamics has created a
new breed of Internet security products for the Web application, the most
vulnerable yet least secure component of online business infrastructure.

Copyright (c) 2005 SPI Dynamics, Inc. All rights reserved worldwide.


