Wowza Streaming Engine suffers from an elevation of privileges vulnerability that lets a simple authenticated user replace the executable file with a binary of choice. The vulnerability exists due to improper permissions, with the ‘F’ (Full) flag set for the ‘Everyone’ group. In combination with the insecure file permissions, the application suffers from an unquoted search path issue impacting the services ‘WowzaStreamingEngine450’ and ‘WowzaStreamingEngineManager450’ for Windows, deployed as part of Wowza Streaming software. Version 4.5.0 build 18676 is affected.
Monthly Archives: July 2016
GLSA 201607-16: arpwatch: Privilege escalation
GLSA 201607-11: Bugzilla: Multiple vulnerabilities
GLSA 201607-13: libbsd: Arbitrary code execution
GLSA 201607-15: NTP: Multiple vulnerabilities
GLSA 201607-12: Exim: Arbitrary code execution
GLSA 201607-14: Ansible: Privilege escalation
DSA-3623 apache2 – security update
Scott Geary of VendHQ discovered that the Apache HTTPD server used the
value of the Proxy header from HTTP requests to initialize the
HTTP_PROXY environment variable for CGI scripts, which in turn was
incorrectly used by certain HTTP client implementations to configure the
proxy for outgoing HTTP requests. A remote attacker could possibly use
this flaw to redirect HTTP requests performed by a CGI script to an
attacker-controlled proxy via a malicious HTTP request.
Vuln: Libxml2 CVE-2016-4448 Remote Format String Vulnerability
Vuln: Libxml2 'xmlLoadEntityContent()' Function CVE-2016-4449 Security Bypass Vulnerability