Research:

- 2016 ----------------------------

Apple iOS/tvOS/watchOS Remote memory corruption through certificate

Opening a maliciously crafted certificate may lead to arbitrary code execution. A memory corruption issue existed in the handling of certificate profiles.
This issue was addressed through improved input validation.
 

About the security content of iOS 10.2
About the security content of tvOS 10.1
About the security content of watchOS 3.1.1

Apple macOS 10.12.1 and others SecureTransport SSL handshake OCSP MiTM and DoS

A validation issue existed in the handling of OCSP responder URLs. This issue was addressed by verifying OCSP revocation status after CA validation and limiting the number of OCSP requests per certificate.
 

About the security content of macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
About the security content of iOS 10.2
About the security content of tvOS 10.1
About the security content of watchOS 3.1.1

Apple macOS 10.11/10.12 Antivirus bypass (0-day)

GNU glibc catopen() Multiple unbounded stack allocations

An attacker could use this to cause a denial of service (application crash) or possibly execute arbitrary code.
 

USN-2985-2: GNU C Library regression
GNU C Library: Multiple vulnerabilities — GLSA 201602-02

Magento CMS Multiple Man-In-The-Middle

Lack of certificate validation on calls to external services enables man-in-the-middle attacks on those calls. This results in possible disclosure of customer information. The risk is low due to the effort needed to execute such an attack.
 

APPSEC-1106 - Lack of certificate validation enables MitM attacks

- 2015 ----------------------------

Apple libc Heap buffer overflow:
Multiple buffer overflows existed in the C standard library. These issues were addressed through improved bounds checking. Processing a maliciously crafted package may lead to arbitrary code execution.
https://cxsecurity.com/issue/WLB-2015120089
Apple MacOSX - About the security content of OS X El Capitan 10.11.2
https://support.apple.com/en-us/HT205637
Apple iPhone - About the security content of iOS 9.2
https://support.apple.com/en-us/HT205635
Apple Watch - About the security content of watchOS 2.1
https://support.apple.com/en-us/HT205641
Apple TV - About the security content of tvOS 9.1
https://support.apple.com/en-us/HT205640

Avast Antivirus for Mac - USB flash drive Denial of Service
https://cxsecurity.com/issue/WLB-2015100155

Microsoft C++11 'regex_match' function stack exhaustion
https://cxsecurity.com/issue/WLB-2015110105

Apple Mac OS X El Capitan 10.11
A glob-processing issue existed in tnftpd. This issue was addressed through improved glob validation.
https://support.apple.com/en-us/HT205267

phpMyAdmin 4.4.6.1 Man-In-The-Middle
https://www.phpmyadmin.net/security/PMASA-2015-3/

- 2014 ----------------------------

Apple Mac OS X Yosemite 10.10 Security Note
Heap-based buffer overflow in HFS Kernel
http://support.apple.com/kb/HT6535

PHP 5.6.0
PHP 5.6.0 SessionHandler Invalid memory read when create_sid()
https://bugs.php.net/bug.php?id=67972

clang trunk
libcxx C++11 regex cpu resource exhaustion
https://llvm.org/bugs/show_bug.cgi?id=20291
 
gcc 4.9.0
C++11 regex resources exhaustion
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61601
C++11 regex memory corruption
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61582
libobjc - unsafe malloc use instead objc_malloc
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61332

httpd 2.4.9
Improper Neutralization of user input in mod_proxy_balancer (XSS CWE-79)
https://issues.apache.org/bugzilla/show_bug.cgi?id=56532
NULL pointer dereference on non-POSIX systems in strdup() implementation
https://issues.apache.org/bugzilla/show_bug.cgi?id=56385
NULL pointer dereference on Windows system in win32_strftime_extra()
https://issues.apache.org/bugzilla/show_bug.cgi?id=56520

OpenSSH 5.6 remote denial of service
http://lwn.net/Articles/598316/

Mozilla
Firefox YARR regexp Memory exhaustion and crash (New irregexp RE implementation)
https://bugzilla.mozilla.org/show_bug.cgi?id=981446
freebl unix_rand bypass file checking by truncated filename
https://bugzilla.mozilla.org/show_bug.cgi?id=981446

Others
Linux Kernel ft1000-usb null pointer dereference
https://patchwork.kernel.org/patch/4486071
Juniper JunOS Remote Denial of Service (JSA10612 2014-01)
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10612
Kaspersky 2014 Remote Denial of Service 2
http://cxsecurity.com/issue/WLB-2014030144
Kaspersky 2014 Remote Denial of Service
http://cxsecurity.com/issue/WLB-2014030106
STLport c_locale_glibc2 NULL pointer dereference
http://sourceforge.net/p/stlport/bugs/263

- old ----------------------------

filesystems:
Apple MacOSX 10.9 Hard Link Memory Corruption (CVE-2013-6799)
http://cxsecurity.com/issue/WLB-2013110059
MacOS X 10.6.3 filesystem hfs Denial of Service Vulnerability (CVE-2010-0105)
http://cxsecurity.com/issue/WLB-2010040284
libc:fts_*() Multiple Denial of Service PoC2 (CVE-2009-0537)
http://cxsecurity.com/issue/WLB-2009100063
fts_*():multiple vendors, Denial-of-service PoC1 (CVE-2009-0537)
http://cxsecurity.com/issue/WLB-2009030012

ftp:
Apple Web Server notifications (ftp.apple.com)
http://support.apple.com/kb/ht1318
MacOSX 10.8.3 ftpd Resource Exhaustion
http://cxsecurity.com/issue/WLB-2013040082
vsftpd 2.3.2 remote denial-of-service (CVE-2011-0762)
http://cxsecurity.com/issue/WLB-2011030139
multiple vendor ftpd - Cross-site request forgery (CVE-2008-4247 CVE-2008-4242)
http://cxsecurity.com/issue/WLB-2008090066
Multiple FTPD Server GLOB_BRACE|GLOB_LIMIT memory exhaustion (CVE-2011-0418)
http://cxsecurity.com/issue/WLB-2011050004
FreeBSD 9.1 ftpd Remote Denial of Service
http://cxsecurity.com/issue/WLB-2013020003

lib:
Juniper JunOS Remote Denial of Service (JSA10612 2014-01)
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10612
Multiple Vendors libc/fnmatch(3) DoS (incl apache 2.2.17 poc) (CVE-2011-0419)
http://cxsecurity.com/issue/WLB-2011050133
NetBSD 5.1 libc/net multiple functions stack buffer overflow (CVE-2011-1656)
http://cxsecurity.com/issue/WLB-2011070105
Multiple BSD libc/regcomp(3) Multiple Vulnerabilities (CVE-2011-3336)
http://cxsecurity.com/issue/WLB-2011110082
GNU libc/regcomp(3) Multiple Vulnerabilities (CVE-2010-4051 CVE-2010-4052)
http://cxsecurity.com/issue/WLB-2011010121
Multiple Vendors libc/glob(3) remote ftpd resource exhaustion (CVE-2010-2632) (ftp.openbsd.org)
http://cxsecurity.com/issue/WLB-2010100135
Multiple Vendors libc/gdtoa printf(3) Array Overrun (CVE-2009-0689)
http://cxsecurity.com/issue/WLB-2009060067
Multiple BSD printf(1) and multiple dtoa/*printf(3) vulnerabilities
http://cxsecurity.com/issue/WLB-2009100155
MacOS X 10.5/10.6 libc/strtod(3) buffer overflow (CVE-2009-0689)
http://cxsecurity.com/issue/WLB-2010010162
libzip 0.9.3 _zip_name_locate NULL Pointer Dereference (incl PHP 5.3.5)(CVE-2011-0421)
http://cxsecurity.com/issue/WLB-2011030174
libopie __readrec() off-by-one (FreeBSD ftpd remote PoC) (CVE-2010-1938)
http://cxsecurity.com/issue/WLB-2010050285
KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) (CVE-2009-0689)
http://cxsecurity.com/issue/WLB-2009110030
inet_net_pton() integer overflow
http://cxsecurity.com/issue/WLB-2008080064
glibc x<=2.10.1 stdio/strfmon.c Multiple vulnerabilities (CVE-2008-1391)
http://cxsecurity.com/issue/WLB-2009090044
*BSD libc (strfmon) Multiple vulnerabilities (CVE-2008-1391)
http://cxsecurity.com/issue/WLB-2008030063

applications:
Kaspersky AV/IS 2010 (avp.exe) Remote Denial-of-Service (CVE-2009-2966)
http://cxsecurity.com/issue/WLB-2009080044
Apache 2.2.5 Undefined Charset UTF-7 XSS Vulnerability (CVE-2007-4465)
http://cxsecurity.com/issue/WLB-2007090030
Apache Insecure mod_rewrite PCRE Resource Exhaustion
http://cxsecurity.com/issue/WLB-2010120170
FreeBSD 8.1/7.3 vm.pmap kernel local race condition
http://cxsecurity.com/issue/WLB-2010090156
IPFilter (ippool) 4.1.31 lib/load_http.c buffer overflow (CVE-2009-1476)
http://cxsecurity.com/issue/WLB-2009050057
Sun Solaris 10 filesystem rm, find, etc denial of service
http://cxsecurity.com/issue/WLB-2010050128
Sun Solaris 10 libc/*convert (*cvt) buffer overflow
http://cxsecurity.com/issue/WLB-2010050129
Sun Solaris 10 ftpd Cross-site request forgery
http://cxsecurity.com/issue/WLB-2010050127
SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) (CVE-2009-0689)
http://cxsecurity.com/issue/WLB-2009110084
K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) (CVE-2009-0689)
http://cxsecurity.com/issue/WLB-2009110029
Opera 10.01 Remote Array Overrun (Arbitrary code execution) (CVE-2009-0689)
http://cxsecurity.com/issue/WLB-2009110031
Flock 2.5.2 Remote Array Overrun (Arbitrary code execution) (CVE-2009-0689)
http://cxsecurity.com/issue/WLB-2009120034
Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) (CVE-2009-0689)
http://cxsecurity.com/issue/WLB-2009120035
Sunbird 0.9 Array Overrun (code execution) (CVE-2009-0689)
http://cxsecurity.com/issue/WLB-2009120036
Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code execution) (CVE-2009-0689)
http://cxsecurity.com/issue/WLB-2009120037
J 6.02.023 Array Overrun (code execution) (CVE-2009-0689)
http://cxsecurity.com/issue/WLB-2010010160
Matlab R2009b Array Overrun (code execution) (CVE-2009-0689)
http://cxsecurity.com/issue/WLB-2010010161

php:
PHP 5.3.8 Multiple vulnerabilities (CVE-2011-4153)
http://cxsecurity.com/issue/WLB-2012010103
PHP 5.3.5 grapheme_extract() NULL Pointer Dereference (CVE-2011-0420)
http://cxsecurity.com/issue/WLB-2011020155
PHP 5.3.6 ZipArchive invalid use glob(3) (CVE-2011-1657)
http://cxsecurity.com/issue/WLB-2011080235
PHP 5.3.6 multiple null pointer dereference
http://cxsecurity.com/issue/WLB-2011080236
PHP 5.3.3/5.2.14 ZipArchive::getArchiveComment NULL Pointer Dereference (CVE-2010-3709)
http://cxsecurity.com/issue/WLB-2010110140
PHP 5.3.3 NumberFormatter::getSymbol Integer Overflow (CVE-2010-4409)
http://cxsecurity.com/issue/WLB-2010120059
PHP 5.2.10/5.3.0 (zend_ini.c) Memory Disclosure (CVE-2009-2626)
http://cxsecurity.com/issue/WLB-2009080017
PHP 5.3.0 (main.c) open_basedir bypass
http://cxsecurity.com/issue/WLB-2009080016
PHP 5.2.6 (error_log) safe_mode bypass
http://cxsecurity.com/issue/WLB-2008110041
PHP 5.2.6 dba_replace() destroying file (CVE-2008-7068)
http://cxsecurity.com/issue/WLB-2008110058
PHP 5.3.0/5.2.10 ini_restore() related memory information disclosure (CVE-2009-2626)
http://cxsecurity.com/issue/WLB-2009120009
PHP 5.2.12/5.3.1 Multiple Vulnerabilities
http://cxsecurity.com/issue/WLB-2009110068
PHP 5.2.9 curl safe_mode & open_basedir bypass
http://cxsecurity.com/issue/WLB-2009040031
PHP 5.2.6 SAPI php_getuid() overload (CVE-2008-5624)
http://cxsecurity.com/issue/WLB-2008120011
PHP 5.2.6 posix_access() (posix ext) safe_mode bypass (CVE-2008-2665)
http://cxsecurity.com/issue/WLB-2008060053
PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass (CVE-2008-2666)
http://cxsecurity.com/issue/WLB-2008060054
PHP 5.2.5 and prior : *printf() functions Integer Overflow (CVE-2008-1384)
http://cxsecurity.com/issue/WLB-2008030052
PHP 5.2.5 cURL safe_mode bypass (CVE-2007-4850)
http://cxsecurity.com/issue/WLB-2008010060
PHP 5.2.3 PHP 4.4.7 htaccess safemode and open_basedir bypass (CVE-2007-3378)
http://cxsecurity.com/issue/WLB-2007060092
PHP 5.2.4 mail.force_extra_parameters insecure (CVE-2007-3378)
http://cxsecurity.com/issue/WLB-2007110062
PHP 5.2.0 safe_mode bypass (by Writing Mode) (CVE-2007-0448)
http://cxsecurity.com/issue/WLB-2007010090
PHP 5.2.0 session.save_path safe_mode and open_basedir bypass (CVE-2006-6383)
http://cxsecurity.com/issue/WLB-2006120071
PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore() (CVE-2006-4625)
http://cxsecurity.com/issue/WLB-2006090047
PHP 4.4.2 and 5.1.2 tempnam() open_basedir bypass (CVE-2006-1494)
http://cxsecurity.com/issue/WLB-2006040013
PHP 4.4.2 and 5.1.2 function recursion() php/apache crash (CVE-2006-1549)
http://cxsecurity.com/issue/WLB-2006040012
PHP 5.1.2 and 4.4.2 phpinfo() Cross Site Scripting (CVE-2006-0996)
http://cxsecurity.com/issue/WLB-2006040011
PHP 4.4.2 and 5.1.4 cURL Safe Mode Bypass (CVE-2006-2563)
http://cxsecurity.com/issue/WLB-2006050153
PHP 4.4.2 and 5.1.4 cURL Safe Mode Bypass (CVE-2006-2660)
http://cxsecurity.com/issue/WLB-2006060074
PHP 4.4.2 and 5.1.4 error_log() Safe Mode Bypass (CVE-2006-3011)
http://cxsecurity.com/issue/WLB-2006060134
PHP 4.4.2 and 5.1.2 copy() Safe Mode Bypass
http://cxsecurity.com/issue/WLB-2006040014

PHP Scripts:
phpMyAdmin Local file inclusion 2.6.4-pl1 (CVE-2005-3299)
http://cxsecurity.com/issue/WLB-2005100029
phpMyAdmin 2.6.1 Remote file inclusion and XSS (CVE-2005-0567)
http://cxsecurity.com/issue/WLB-2005090049
phpBB 2.0.19 XSS (CVE-2006-0063)
http://cxsecurity.com/issue/WLB-2006010003
phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin (CVE-2006-0437 CVE-2006-0438)
http://cxsecurity.com/issue/WLB-2006020016
phpBB 2.0.18 XSS and Full Path Disclosure (CVE-2005-4358)
http://cxsecurity.com/issue/WLB-2005120049
phpBB 2.0.18 SQL Query problem (CVE-2005-3799)
http://cxsecurity.com/issue/WLB-2005090050
Multiple vulnerabilities in PostNuke <= 0.761 (CVE-2006-0800 CVE-2006-0801 CVE-2006-0802)
http://cxsecurity.com/issue/WLB-2006020060
PostNuke Critical SQL Injection 0.760-RC2=>x (CVE-2005-0615)
http://cxsecurity.com/issue/WLB-2005090033
PostNuke SQL Injection 0.760-RC2=>x (CVE-2005-0617)
http://cxsecurity.com/issue/WLB-2005090034
PostNuke Critical XSS x=>0.760-RC2 (CVE-2005-0616)
http://cxsecurity.com/issue/WLB-2005090035
phpBB 2.0.13 SQL error in session
http://cxsecurity.com/issue/WLB-2005090036
phpAdsNew 2.0.4-pr1 Multiple vulnerabilities (CVE-2005-0790 CVE-2005-0791)
http://cxsecurity.com/issue/WLB-2005090037
phpSysInfo 2.3 Multiple vulnerabilities (CVE-2005-0869 CVE-2005-0870)
http://cxsecurity.com/issue/WLB-2005090038
PhpNuke 7.6=>x Multiple vulnerabilities (CVE-2005-1024 CVE-2005-1023)
http://cxsecurity.com/issue/WLB-2005090039
phpnuke 7.6 Multiple vulnerabilities in Downloads Module
http://cxsecurity.com/issue/WLB-2005090040
phpnuke 7.6 Multiple vulnerabilities in Web_Links Module
http://cxsecurity.com/issue/WLB-2005090041
PostNuke SQL Injection 0.750=>x (CVE-2005-1694)
http://cxsecurity.com/issue/WLB-2005090042
PostNuke XSS 0.760{RC2,RC3} (CVE-2005-1695)
http://cxsecurity.com/issue/WLB-2005090043
PostNuke XSS and Full path disclosure 0.760RC3=>x (CVE-2005-1695 CVE-2005-1696)
http://cxsecurity.com/issue/WLB-2005090044
PostNuke Non Critical SQL Injection and Include 0.760-RC3=>x (CVE-2005-1699)
http://cxsecurity.com/issue/WLB-2005090045
PHPNUKE 7.9=>x Bypass XSS filter
http://cxsecurity.com/issue/WLB-2005090051
PostNuke 0.760-RC4b=>x Multiple vulnerabilities (CVE-2005-2689 CVE-2005-2690)
http://cxsecurity.com/issue/WLB-2005090047
GeSHi 1.0.7.2 Local file inclusion (CVE-2005-3080)
http://cxsecurity.com/issue/WLB-2005090048
phpBB 2.0.20 Full Path Disclosure and SQL Errors (CVE-2006-2219 CVE-2006-2220)
http://cxsecurity.com/issue/WLB-2005090052
phpAdsNew/phpPgAds 2.0.5 Local file inclusion (CVE-2005-2635)
http://cxsecurity.com/issue/WLB-2005090046


Copyright 2015, cert.cx