Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple localvulnerabilities'
From: solemn <sohlow () gmail com>
Date: Mon, 2 May 2005 11:20:25 -0400

if you think that's funny, check out ArcIMS for windows and some of
the permissions that are given to the files during the install. at
least it was pretty entertaining with earlier versions of ArcIMS
wonder if they fixed it in 9. don't forget the humor with certain tags
when making custom xml queries to the server as well. ;-)

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of KF
(lists)
Sent: Saturday, April 30, 2005 4:47 PM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple
localvulnerabilities'


DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple local vulnerabilities'
Author: Kevin Finisterre
Vendor: http://www.esri.com/,
http://www.esri.com/software/arcgis/arcinfo/index.html
Product: 'ArcInfo Workstation for UNIX'
References:
http://www.digitalmunition.com/DMA[2005-0425a].txt

Description:
On any given day, more than 1,000,000 people around the world use
ESRI's GIS to improve the
way their organizations conduct business.

ESRI software is used by more than 300,000 organizations worldwide
including most U.S. federal
agencies and national mapping agencies, 45 of the top 50 petroleum
companies, all 50 U.S. state
health departments, most forestry companies, and many others in dozens
of industries.

ESRI software is the standard in state and local government and is
used by more than 24,000
state and local governments including Paris, France; Los Angeles,
California, USA; Beijing, China;
and Kuwait City, Kuwait.

ESRI ArcGIS is an integrated collection of GIS software products for
building a complete GIS.
ArcGIS enables users to deploy GIS functionality wherever it is needed
in desktops, servers, or
custom applications; over the Web; or in the field.

Several local overflows and format string conditions have been found
in the Unix versions of ESRI
ArcGIS products. ESRI Staff has promptly responded to and fixed the
issues mentioned below. Patches
for ArcGIS 9.x will be available at the time this advisory is published.

(http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=14&MetaID=1015)

Our testing was performed against ARCInfo Workstation 9 on two of
ESRI's supported UNIX platforms.
We have currently only tested IRIX 6.5 and Solaris 10(beta). All UNIX
ArcInfo installs are believed
to be impacted by these vulnerabilities. It is currently unknown how
older versions of ArcGIS are
affected by these bugs. ESRI has stated that fixes for 8.x are
forthcomming so I can only assume
exploitation is similar for this particlar version.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Re: DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple localvulnerabilities' solemn (May 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault