Info

Disclosure

Apr 13, 2005

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

JunkBuster contains a flaw that may allow a malicious user to modify the configuration setting. The issue is due to a heap corruption error in the filtering of URLs. When JunkBuster is configured to run in single-threaded mode, an attacker can modify the referrer setting with a specially crafted URL, resulting in a loss of confidentiality and integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified, Vendor Verified

Solution

Upgrade to version 2.0.2-r3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Gentoo Foundation, Inc.

JunkBuster

2.0.2-r2

References

Bugtraq ID: 13146
Secunia Advisory ID: 14932 14955 15053
Related OSVDB ID: 15502
CVE ID: 2005-1109 (see also: NVD)
ISS X-Force ID: 20094
Vendor Specific News/Changelog Entry: http://bugs.gentoo.org/show_bug.cgi?id=88537
Vendor Specific Advisory URL: http://security.gentoo.org/glsa/glsa-200504-11.xml
Other Advisory URL: http://www.debian.org/security/2005/dsa-713

Credit

James Ranson -

Direct URL: http://osvdb.org/15503