Full Disclosure mailing list archives
Re: DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple localvulnerabilities'
From: solemn <sohlow () gmail com>
Date: Mon, 2 May 2005 11:20:25 -0400
If you think that's funny, check out ArcIMS for Windows and some of the permissions that are given to the files during the install. At least it was pretty entertaining with earlier versions of ArcIMS; wonder if they fixed it in 9. Don't forget the humor with certain tags when making custom XML queries to the server as well. ;-)

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of KF (lists)
Sent: Saturday, April 30, 2005 4:47 PM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple localvulnerabilities'

DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple local vulnerabilities'

Author: Kevin Finisterre
Vendor: http://www.esri.com/, http://www.esri.com/software/arcgis/arcinfo/index.html
Product: 'ArcInfo Workstation for UNIX'
References: http://www.digitalmunition.com/DMA[2005-0425a].txt

Description:
On any given day, more than 1,000,000 people around the world use ESRI's GIS to improve the way their organizations conduct business. ESRI software is used by more than 300,000 organizations worldwide including most U.S. federal agencies and national mapping agencies, 45 of the top 50 petroleum companies, all 50 U.S. state health departments, most forestry companies, and many others in dozens of industries. ESRI software is the standard in state and local government and is used by more than 24,000 state and local governments including Paris, France; Los Angeles, California, USA; Beijing, China; and Kuwait City, Kuwait.

ESRI ArcGIS is an integrated collection of GIS software products for building a complete GIS. ArcGIS enables users to deploy GIS functionality wherever it is needed in desktops, servers, or custom applications; over the Web; or in the field.

Several local overflows and format string conditions have been found in the Unix versions of ESRI ArcGIS products.

ESRI Staff has promptly responded to and fixed the issues mentioned below. Patches for ArcGIS 9.x will be available at the time this advisory is published. (http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=14&MetaID=1015)

Our testing was performed against ARCInfo Workstation 9 on two of ESRI's supported UNIX platforms. We have currently only tested IRIX 6.5 and Solaris 10 (beta). All UNIX ArcInfo installs are believed to be impacted by these vulnerabilities.

It is currently unknown how older versions of ArcGIS are affected by these bugs. ESRI has stated that fixes for 8.x are forthcoming so I can only assume exploitation is similar for this particular version.