• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Cyrus-SASL Syslog Format String Vulnerability

Cyrus-SASL is an open-source implementation of SASL, the "Simple Authentication and Security Layer".

Cyrus SASL contains a format string vulnerability in it's internal logging function. Data that may be externally supplied is passed to syslog() as the format string argument.

This may allow for remote attackers who can inject format specifiers into a log message to execute arbitrary code.