Network Security
FW: SecurityFocus Newsletter #235
- From: Howell, Paul
- Date: Tue Feb 10 07:18:49 2004
-----Original Message-----
From: sf-news-return-150-grue=merit.edu@securityfocus.com
[mailto:sf-news-return-150-grue=merit.edu@securityfocus.com] On Behalf Of
John Boletta
Sent: Monday, February 09, 2004 3:56 PM
To: sf-news@securityfocus.com
Subject: SecurityFocus Newsletter #235
SecurityFocus Newsletter #235
------------------------------
This issue sponsored by: Astaro
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO. Firewall - Virus
protection - Spam protection - URL blocking - VPN - Wireless security.
Download 30-day evaluation at:
http://www.securityfocus.com/sponsor/Astaro_sf-news_040209
------------------------------------------------------------------------
I. FRONT AND CENTER
1. Nessus, Part 3: Analysing Reports
2. We are pleased to announce a new search engine on SecurityFocus.
II. BUGTRAQ SUMMARY
1. PhpGedView Editconfig_gedcom.php Directory Traversal Vulnera...
2. GNU LibTool Local Insecure Temporary Directory Creation Vuln...
3. PhpGedView [GED_File]_conf.php Remote File Include Vulnerabi...
4. ChatterBox Remote Denial of Service Vulnerability
5. FreeBSD mksnap_ffs File System Option Reset Vulnerability
6. Sun Solaris PFExec Custom Profile Arbitrary Privileges Vulne...
7. JBrowser Browser.PHP Directory Traversal Vulnerability
8. Laurent Adda Les Commentaires PHP Script Multiple Module Fil...
9. JBrowser Unauthorized Admin Access Vulnerability
10. Leif M. Wright Web Blog Remote Command Execution Vulnerabili...
11. Aprox Portal File Disclosure Vulnerability
12. SqWebMail Authentication Response Information Leakage Weakne...
13. BugPort Unauthorized Configuration File Viewing Vulnerabilit...
14. Suidperl Unspecified Information Disclosure Vulnerability
15. PHP-Nuke Multiple Module SQL Injection Vulnerabilities
16. MiniHTTPServer WebForums Forum HTML Injection Vulnerability
17. Crob FTP Server Remote Information Disclosure Vulnerability
18. SGI IRIX Libdesktopicon.so Local Buffer Overflow Vulnerabili...
19. Sun Solaris TCSetAttr System Hang Denial Of Service Vulnerab...
20. Crob FTP Server Denial Of Service Vulnerability
21. 0verkill Game Client Multiple Local Buffer Overflow Vulnerab...
22. Open Text Corporation FirstClass Malicious File Execution Vu...
23. GNU Chess '-s' Local Buffer Overflow Vulnerability
24. SurgeFTP Surgeftpmgr.CGI Denial Of Service Vulnerability
25. Niti Telecom Caravan Business Server Remote Directory Traver...
26. Clearswift MAILsweeper For SMTP RAR Archive Denial Of Servic...
27. All Enthusiast Photopost PHP Pro SQL Injection Vulnerability
28. Util-Linux Login Program Information Leakage Vulnerability
29. PHP-Nuke GBook Module HTML Injection Vulnerability
30. Qualiteam X-Cart Remote Command Execution Vulnerability
31. Sun ONE/iPlanet Web Server HTTP TRACE Credential Theft Vulne...
32. Cisco IOS MSFC2 Malformed Layer 2 Frame Denial Of Service Vu...
33. Qualiteam X-Cart Multiple Remote Information Disclosure Vuln...
34. phpMyAdmin Export.PHP File Disclosure Vulnerability
35. Tunez Multiple Remote SQL Injection Vulnerabilities
36. Linley Henzell Dungeon Crawl Unspecified Local Buffer Overfl...
37. Cauldron Chaser Remote Denial Of Service Vulnerability
38. Microsoft Internet Explorer NavigateAndFind() Cross-Zone Pol...
39. PHPX Multiple Vulnerabilities
40. Linux Kernel R128 Device Driver Unspecified Privilege Escala...
41. Apache mod_digest Client-Supplied Nonce Verification Vulnera...
42. FreeBSD NetINet TCP Maximum Segment Size Remote Denial Of Se...
43. TYPSoft FTP Server Remote Denial Of Service Vulnerability
44. All Enthusiast ReviewPost PHP Pro Multiple SQL Injection Vul...
45. RXGoogle.CGI Cross Site Scripting Vulnerability.
46. Web Crossing Web Server Component Remote Denial Of Service V...
47. OpenBSD ICMPV6 Handling Routines Remote Denial Of Service Vu...
48. GNU Radius Remote Denial Of Service Vulnerability
49. Multiple RealPlayer/RealOne Player Supported File Type Buffe...
50. RealPlayer/RealOne Player RMP File Handler Unspecified Code ...
51. Multiple Check Point Firewall-1 HTTP Security Server Remote ...
52. Check Point VPN-1/SecuRemote ISAKMP Large Certificate Reques...
53. IBM Cloudscape Database Remote Command Execution Vulnerabili...
54. Crossday Discuz! Cross Site Scripting Vulnerability
55. XLight FTP Server Long Directory Request Remote Denial Of Se...
56. BSD Kernel SHMAT System Call Privilege Escalation Vulnerabil...
III. SECURITYFOCUS NEWS ARTICLES
1. Cable modem hackers conquer the co-ax
2. Heckenkamp Pleads Guilty
3. DARPA-funded Linux security hub withers
4. Unholy trio of RealOne Player holes unearthed
5. Clueless office workers help spread computer viruses
6. NetScreen takes on the mid-market
IV. SECURITYFOCUS TOP 6 TOOLS
1. RFC v2.0.0
2. Enigmail v0.83.2
3. Revelation v0.1.2
4. Dazuko v2.0.0
5. cosign v1.5
6. CVS-SSH2 Plug-in for Eclipse v0.1.2
V. SECURITYJOBS LIST SUMMARY
1. Looking for an Information Security Engineer positio... (Thread)
2. I need a multi platform AS 400 CISSP for a client in... (Thread)
3. Recent CISSP seeking in GA or NC. (Thread)
4. CISSP, Looking for assignment in Research Triangle P... (Thread)
5. Senior Account Executives - Amherst, NY (Thread)
6. Seeking network security position (Thread)
7. CISSP in Akron/Cleveland area looking for work (Thread)
8. Enterprise Security Integration Consultant - NY, DC... (Thread)
9. Contract work for Security Standards expert (Thread)
10. Dallas Area (Thread)
11. AOL Incident Response in Northern VA (Thread)
12. Secure Software Inc. seeks Auditors, and VP of Profe... (Thread)
13. ArcSight is looking for a Security Sales Engineer, S... (Thread)
14. Vulnerability Research Engineer Atlanta GA $75K-$100... (Thread)
15. JOB: US-NY-NYC: Security Service Support (Thread)
16. IT Security Manager role in the North of England (Thread)
17. UK application pen testers (Thread)
18. Pre Sales Engineer Manager (Atlanta) (Thread)
19. Network Security Manager role in Thames Valley , UK (Thread)
20. Position: Network Security Engineer Job#Soft147 (Thread)
21. Vulnerability Specialist - Helsinki, Finland (Thread)
22. Looking for an INFORMATION SECURITY / SYSTEM ADMINIS... (Thread)
23. Seeking Employment: Security Product Management/Mar... (Thread)
24. Security Consultant needed in NYC area. (Thread)
25. Seeking: Business Continuity / Information Security ... (Thread)
26. X-Force Engineering Manager Position Available - Int... (Thread)
27. Sales Representatives New York (Thread)
28. Security Technical Support Engineer, Silicon Valley (Thread)
29. IT Security Consultant - PKI Specialist, London, UK ... (Thread)
30. IT Security Consultant - Computer Forensics, UK (man... (Thread)
31. (security) SATCOM Technician I, II, & III - Location... (Thread)
32. LDAP Security Analyst (Thread)
VI. INCIDENTS LIST SUMMARY
1. Possible new Bugbear (Thread)
2. Type od DDoS in MyDoom???? (Thread)
3. Blaster Recurrence (Thread)
4. ezmlm warning (Thread)
5. Type od DDoS in MyDoom???? (Thread)
6. Scanned on 16 TCP ports, anyone seen this before? (Thread)
7. Yet another Visa scam scheme (Thread)
8. new IIS exploit? (Thread)
9. Good Advice Re: Anti-Virus Companies had a Virus Upd... (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
1. Sambar 6.0 stack overflow (Thread)
2. Hacking USB Thumbdrives, Thumprint authentication (Thread)
3. R-SIP Protocol (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
1. Looking for SQL security details (Thread)
2. Tightening up security for quarantine script (Thread)
3. Encrypt data - SQL Server 2000 (Thread)
4. Need free app for viewing metadata in Word documents (Thread)
5. MS 2000 DUN Connection Name issue (Thread)
6. Controlling Admin Access (Thread)
7. SecurityFocus Microsoft Newsletter #174 (Thread)
8. SMTP Service in private DMZ OK? (Thread)
9. Article Announcement: Faith No More (Thread)
IX. SUN FOCUS LIST SUMMARY
NO NEW POSTS FOR THE WEEK 2004-02-02 to 2004-02-09.
X. LINUX FOCUS LIST SUMMARY
1. exporting sudoers, good pratcice ? (Thread)
XI. UNSUBSCRIBE INSTRUCTIONS
XII. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Nessus, Part 3: Analysing Reports
By Harry Anderson
This article, the last in the series about Nessus, will endeavor to explain
a Nessus report and how to analyze it. Nessus is a vulnerability scanner, a
program that looks for security bugs in software.
http://www.securityfocus.com/infocus/1759
2. We are pleased to announce a new search engine on SecurityFocus, offering
faster and more intuitive results. Features include site wide or section
specific searching by author, headline or entire document and sorting by
date, headline or URL. We have also added "email a friend" functionality to
allow users to share content that they feel is relevant to others.
II. BUGTRAQ SUMMARY
-------------------
1. PhpGedView Editconfig_gedcom.php Directory Traversal Vulnera...
BugTraq ID: 9529
Remote: Yes
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9529
Summary:
PhpGedView is web-based genealogy software that is implemented in PHP.
A vulnerability has been reported to exist in PhpGedView that may allow a
remote attacker to access information outside the server root directory. The
problem exists due to insufficient sanitization of user-supplied data via
the 'gedcom_config' parameter of the 'editconfig_gedcom.php' script. The
issue may allow a remote attacker to traverse outside the server root
directory by using '../' character sequences.
Successful exploitation of this vulnerability may allow a remote attacker to
gain access to sensitive information that may be used to launch further
attacks against a vulnerable system.
PhpGedView versions 2.65.1 and prior have been reported to be prone to this
issue.
2. GNU LibTool Local Insecure Temporary Directory Creation Vuln...
BugTraq ID: 9530
Remote: No
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9530
Summary:
libtool is a freely available, open source library management script. It is
available for the Unix and Linux platforms.
A problem has been identified in the creation of temporary directories by
the libtool script. Because of this, an attacker may be able to corrupt
arbitrary files on a system.
libtool does not securely create temporary directories. When the script is
executed during compilation of a program, it creates a situation where an
attacker can potentially overwrite target files using predicted symbolic
links, potentially destroying data.
It should be noted that this issue only affects programs that use libtool
during compilation time. Additionally, resolution of this issue only limits
scope to programs that use the system libtool, and does not resolve the
issue in programs that package their own version of libtool.
3. PhpGedView [GED_File]_conf.php Remote File Include Vulnerabi...
BugTraq ID: 9531
Remote: Yes
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9531
Summary:
PhpGedView is web-based genealogy software that is implemented in PHP.
A vulnerability has been reported to exist in the software that may allow an
attacker to include malicious files containing arbitrary code to be executed
on a vulnerable system. The problem reportedly exists because remote users
may influence the 'PGV_BASE_DIRECTORY' variable in the [GED_File]_conf.php
module, which specifies an include path that is used as an argument to the
PHP require() function.
Remote attackers could potentially exploit this issue by influencing the
include path to specify a remote malicious PHP script, which will be
executed in the context of the web server hosting the vulnerable software.
PhpGedView versions 2.65.1 and prior have been reported to be prone to this
issue.
This issue may be related to PhpGedView Multiple PHP Remote File Include
Vulnerabilities BID 9368.
4. ChatterBox Remote Denial of Service Vulnerability
BugTraq ID: 9532
Remote: Yes
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9532
Summary:
ChatterBox is a multiple client, single server graphical chat program
implemented using Java with Swing user interface components. ChatterBox is
designed to run on any platform with a Java 2 runtime environment.
ChatterBox has been reported to be prone to a remote denial of service
vulnerability. This issue may be exploited by issuing irregular commands to
the chat server and is caused by a failure of the server to validate input.
Successful exploitation will cause a denial of service condition in the
server application, forcing the affected process to crash and deny service
to legitimate users.
5. FreeBSD mksnap_ffs File System Option Reset Vulnerability
BugTraq ID: 9533
Remote: No
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9533
Summary:
FreeBSD 5.0-RELEASE and later includes a tool called mksnap_ffs to
facilitate taking snapshots of file systems. This utility is only
accessible to administrative users by default.
A vulnerability has been reported in the FreeBSD mksnap_ffs utility that
could cause file system security properties to be reset. When the utility
is run, it does not preserve various file system flags. If the file system
is restored from the snapshot, these settings will have their default
values, which may impact security if file system security settings were
enabled on the file system prior to the utility being run to take a snapshot
of the file system.
This could impact any extended access control lists that are enabled on the
file system or re-enable the use of setuid executables. The exact
consequences will depend on the security configuration that was in place
prior to the snapshot being taken and the file system being restored from
the snapshot.
6. Sun Solaris PFExec Custom Profile Arbitrary Privileges Vulne...
BugTraq ID: 9534
Remote: No
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9534
Summary:
Solaris is the Unix operating system distributed and maintained by Sun
Microsystems.
A problem in pfexec included with Sun Solaris has been identified. Because
of this issue, it may be possible for a local user to gain elevated
privileges.
pfexec is the profile execution command, used by the Role-Based Access
Control infrastructure to permit a user to execute certain commands as
a member of a specific group profile. This infrastructure can permit a
local user to execute certain commands that require privileges while
limiting or preventing access to other system commands.
It is possible for a system user that is a member of a specific custom
rights profile to abuse the rights profile to potentially execute additional
commands outside of the profile authorization. Specifics of this
vulnerability are not currently available. However, it is conjectured that
this issue could permit an attacker to gain access to additional system
authorizations.
7. JBrowser Browser.PHP Directory Traversal Vulnerability
BugTraq ID: 9535
Remote: Yes
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9535
Summary:
JBrowser is a web-based image gallery application implemented using PHP.
JBrowser has been reported to be vulnerable to directory traversal
vulnerability that may allow a remote attacker to gain access to files
readable by the web-server that reside outside of the server root directory.
The problem exists due to insufficient sanitization of user-supplied data
via the 'directory' parameter of the 'browser.php' script.
Successful exploitation of this vulnerability may allow a remote attacker to
gain access to sensitive information that may be used to launch further
attacks against a vulnerable system.
8. Laurent Adda Les Commentaires PHP Script Multiple Module Fil...
BugTraq ID: 9536
Remote: Yes
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9536
Summary:
Laurent Adda Les Commentaires is a web based message board application
written in PHP.
A vulnerability has been reported to exist in the software that may allow an
attacker to include malicious external files containing arbitrary PHP code
to be executed on a vulnerable system. This vulnerability is reported to
exist because remote users can influence the 'rep' variable in the
'derniers_commentaires.php', 'admin.php', and 'fonctions.lib.php' modules to
specify an arbitrary include path.
Remote attackers could potentially exploit this issue via the vulnerable
variable to include a remote malicious script, which will be executed in the
context of the web server hosting the vulnerable software.
All versions of Les Commentaires have been reported to be prone to this
issue.
9. JBrowser Unauthorized Admin Access Vulnerability
BugTraq ID: 9537
Remote: Yes
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9537
Summary:
JBrowser is a web-based image gallery application implemented using PHP.
Due to a lack of access validation to the '_admin' directory, malevolent
users may be able to execute arbitrary admin scripts. Potentially
exploitable scripts located in the '_admin' directory include 'upload.php3',
'upload_ftp.php3' and 'list_all.php'.
Using the 'upload.php3' and 'upload_ftp.php3' scripts a malevolent user may
be able to upload arbitrary files to any location on the system accessible
by the webserver. By specifying the file location an attacker could save
malicious files to the system or potentially overwrite sensitive files.
Using the 'list_all.php' script a malevolent user may be able to traverse
outside of the web-server root directory by manipulating the 'folder'
parameter.
Exploitation of these issues could lead to disclosure of sensitive
information, which may facilitate further attacks against the affected
system. Furthermore these issues could allow an attacker to upload or
overwrite arbitrary files on the system. There may also be other
consequences associated with this vulnerability.
10. Leif M. Wright Web Blog Remote Command Execution Vulnerabili...
BugTraq ID: 9539
Remote: Yes
Date Published: Jan 31 2004
Relevant URL: http://www.securityfocus.com/bid/9539
Summary:
Web Blog is a web application, written by Leif M. Wright.
Web Blog has been reported to be prone to a vulnerability that may permit
remote attackers to execute arbitrary commands in the context of the hosting
web server. This is due to insufficient sanitization of shell
metacharacters from variables which will be used as an argument to a
function that invokes the shell directly.
This issue exists in the blog.cgi script and is exposed via the 'file' URI
parameter when submitting a 'ViewFile' request to the script. Exploitation
could permit a remote attacker to gain interactive access to the underlying
operating system of the host.
11. Aprox Portal File Disclosure Vulnerability
BugTraq ID: 9540
Remote: Yes
Date Published: Jan 31 2004
Relevant URL: http://www.securityfocus.com/bid/9540
Summary:
Aprox Portal is web portal software that is written in PHP.
Aprox Portal is prone to a vulnerability that may permit remote attackers to
gain access to files that are readable by the hosting web server. These
files may exist outside of the server root. The issue is reported to exist
in the 'index.php' script and may be exploited by providing the absolute
path to a system file as an argument for the 'show' parameter.
This could expose sensitive information that may be useful in further
attacks against the host.
12. SqWebMail Authentication Response Information Leakage Weakne...
BugTraq ID: 9541
Remote: Yes
Date Published: Jan 31 2004
Relevant URL: http://www.securityfocus.com/bid/9541
Summary:
SqWebMail is a web-based e-mail application.
SqWebMail leaks sensitive information in authentication responses that may
aid an attacker in brute forcing the root password on the underlying
operating system. The software reportedly issues different responses when
the user authenticates successfully as the root user than when a failed
attempt occurs.
For example, when an authentication attempt fails, the web interface will
issue the following response: "invalid user or password"
When authentication succeeds for the root user, the interface reportedly
issues this response instead: "maildir doesn't exist or has incorrect
ownership or permission"
It should be noted that this may depend on there not being a Maildir for the
root user on the underlying operating system. This type of response could
also be issued for other users on the system that do not have a Maildir.
This vulnerability may provide a covert means of brute-forcing the root
password via the SqWebMail interface.
This issue reportedly exists when SqWebMail is run with qmail, qmailadmin,
vpopmail with vchkpw-auth. Other reports specify that this issue exists
solely in SqWebMail.
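The response oracle described in the SqWebMail entry, as an added illustration (not SqWebMail's own code): a login handler that checks the password first and the Maildir second, with a different message for each failure, beside a hardened version that evaluates every precondition, logs the real reason server-side, and returns one fixed message. The account table, salt and passwords are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample data (not real SqWebMail accounts): a shared salt and a
# small user table; 'root' has a valid password but no Maildir, mirroring the
# situation the advisory describes.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 10_000

def _hash(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)

ACCOUNTS = {
    "root":  {"hash": _hash("correct horse"), "maildir": False},
    "alice": {"hash": _hash("alice-pass"),    "maildir": True},
}

GENERIC_FAILURE = "invalid user or password"
MAILDIR_FAILURE = "maildir doesn't exist or has incorrect ownership or permission"

def login_vulnerable(user: str, password: str):
    """Mimics the reported behaviour: the password is verified first and the
    Maildir is checked second, each with its own message. The Maildir message
    is only ever reached when the password was right, so the response text
    tells a remote client whether a guessed password is correct."""
    acct = ACCOUNTS.get(user)
    if acct is None or not hmac.compare_digest(acct["hash"], _hash(password)):
        return (False, GENERIC_FAILURE)
    if not acct["maildir"]:
        return (False, MAILDIR_FAILURE)
    return (True, "ok")

def login_hardened(user: str, password: str, audit_log=None):
    """Evaluates both preconditions, keeps the specific reason in a
    server-side audit log, and returns a single message for every failure so
    the client learns nothing beyond 'login failed'."""
    acct = ACCOUNTS.get(user)
    supplied = _hash(password)  # always computed: unknown users cost the same
    pw_ok = acct is not None and hmac.compare_digest(acct["hash"], supplied)
    mail_ok = acct is not None and acct["maildir"]
    if pw_ok and mail_ok:
        return (True, "ok")
    reason = "bad password" if not pw_ok else "no maildir"
    if audit_log is not None:
        audit_log.append(f"login failed user={user!r} reason={reason}")
    return (False, GENERIC_FAILURE)

def responses_distinguish(login_fn, user: str, good_pw: str, bad_pw: str) -> bool:
    """True if the response text alone separates a correct password from a
    wrong one, i.e. the handler is usable as a password-guessing oracle."""
    return login_fn(user, good_pw)[1] != login_fn(user, bad_pw)[1]

if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        leaks = responses_distinguish(fn, "root", "correct horse", "wrong")
        print(f"{name}: response reveals correct root password -> {leaks}")
```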
13. BugPort Unauthorized Configuration File Viewing Vulnerabilit...
BugTraq ID: 9542
Remote: Yes
Date Published: Jan 31 2004
Relevant URL: http://www.securityfocus.com/bid/9542
Summary:
BugPort is a web-based bug tracking and development application that is
written in PHP.
A vulnerability has been reported in BugPort that has the potential to
disclose sensitive information to remote attackers. The contents of the
BugPort configuration file will be served to remote users who request the
file. The source of the vulnerability is that the configuration file
(conf/config.conf) will be served as opposed to interpreted due to the file
extension.
This could disclose sensitive configuration information that may be useful
when mounting further attacks.
14. Suidperl Unspecified Information Disclosure Vulnerability
BugTraq ID: 9543
Remote: No
Date Published: Feb 01 2004
Relevant URL: http://www.securityfocus.com/bid/9543
Summary:
SuidPerl is the Perl interpreter for setuid Perl scripts. It is included
with distributions of the Perl package and is available for Linux and Unix
variant operating environments.
A vulnerability has been reported in Suidperl that may cause sensitive
information to be disclosed to unauthorized users. This could potentially
permit users to enumerate the existence of files or determine other
attributes that should not be accessible to unprivileged users.
This issue may be exploited by a malicious local user.
15. PHP-Nuke Multiple Module SQL Injection Vulnerabilities
BugTraq ID: 9544
Remote: Yes
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9544
Summary:
PHP-Nuke is web portal software.
Multiple SQL injection vulnerabilities have been reported in various modules
included in PHP-Nuke versions 6.9 and earlier. These issues could permit
remote attackers to compromise PHP-Nuke user and administrative accounts.
The source of the problem is that affected modules do not adequately
sanitize user-supplied HTTP GET/POST data before including this input in a
database query. As a result, an attacker could modify the logic and
structure of database queries. Other attacks may also be possible, such as
gaining access to sensitive information.
These vulnerabilities were reported in the Web_Links, Downloads, Reviews,
Sections and Stories_Archive modules. Some of these issues may overlap with
previously reported SQL injection vulnerabilities in PHP-Nuke, but have all
been reportedly addressed in PHP-Nuke 7.0.
16. MiniHTTPServer WebForums Forum HTML Injection Vulnerability
BugTraq ID: 9545
Remote: Yes
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9545
Summary:
MiniHTTPServer WebForums Server is a commercially-available HTTP server. It
is available for the Microsoft Windows platform.
MiniHTTPServer WebForums Forum has been reported prone to a HTML Injection
Vulnerability. A malicious remote attacker may use the "File Description:"
field when posting a file to the forum to inject arbitrary HTML into
dynamically generated content. This issue is due to a lack of sufficient
sanitization performed on the affected form field.
An attacker may exploit this vulnerability to execute arbitrary HTML and
script code in the browser of an unsuspecting user who views the malicious
forum post. Code execution will occur in the context of the vulnerable site.
This issue may be exploited to steal cookie based credentials. Other attacks
are also possible. It has been reported that this issue can be successfully
exploited to gain access to login/password and session IDs of any user.
MiniHTTPServer WebForums Forum versions 1.6 and prior have been reported to
be affected by this issue.
17. Crob FTP Server Remote Information Disclosure Vulnerability
BugTraq ID: 9546
Remote: Yes
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9546
Summary:
Crob FTP server is a file transfer utility developed for the Windows
platform.
A vulnerability has been reported in the Crob FTP server, which occurs due
to a lack of validation of input from the user. By issuing a request
for a file containing '../' strings, a malevolent user may be able to break
out of the ftp root directory.
This issue may allow a malevolent user to access files outside of the ftp
root directory, which may give an attacker access to sensitive system
information. Such information may be used to perpetrate further attacks
against the affected host.
This vulnerability was reported for Crob FTP Server 3.5.1, however earlier
versions may also be affected.
18. SGI IRIX Libdesktopicon.so Local Buffer Overflow Vulnerabili...
BugTraq ID: 9547
Remote: No
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9547
Summary:
A vulnerability has been reported in SGI IRIX that may allow an attacker to
execute arbitrary code on a vulnerable system in order to gain unauthorized
access.
The problem is reported to exist in libdesktopicon.so library. It has been
reported that the issue presents itself due to improper bounds checking of
the HOME environment variable. The HOME environment variable is set to a
long string. A buffer overflow condition may be caused by supplying
excessive data via this variable and invoking the '/usr/sbin/printers'
binary linked to the Libdesktopicon.so library. An attacker may leverage
the issues by exploiting an unbounded memory copy operation to overwrite the
saved return address/base pointer, causing the affected procedures to return
to an address of their choice.
Successful exploitation may allow a local attacker to ultimately execute
arbitrary code in order to gain unauthorized access to a system.
SGI IRIX versions 6.5.22 and prior may be prone to this issue.
19. Sun Solaris TCSetAttr System Hang Denial Of Service Vulnerab...
BugTraq ID: 9548
Remote: No
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9548
Summary:
Solaris is a freely available UNIX operating system distributed and
maintained by Sun Microsystems.
A vulnerability has been identified in the tcsetattr library call available
in default versions of Sun Solaris. Because of this, it may be possible for
an unprivileged local user to deny service to legitimate users.
The problem is in invocation of the library call. Under some circumstances,
it may be possible to invoke the library in a method that causes the system
to hang for a period of time. This could potentially result in a denial of
service to legitimate users of the system, and could potentially result in
an extended denial of service.
20. Crob FTP Server Denial Of Service Vulnerability
BugTraq ID: 9549
Remote: Yes
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9549
Summary:
Crob FTP server is a file transfer utility developed for the Windows
platform.
A vulnerability has been reported in the Crob FTP server, which occurs due
to a lack of validation of input from the user. By issuing a malformed
request a malevolent user may be able to force the server to crash, denying
service to legitimate users.
This vulnerability was reported for Crob FTP Server 3.5.1, however earlier
versions may also be affected.
21. 0verkill Game Client Multiple Local Buffer Overflow Vulnerab...
BugTraq ID: 9550
Remote: Yes
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9550
Summary:
0verkill is a client-server game. It is available for the Linux, OS/2 and
Windows operating systems.
The 0verkill game client has been reported prone to multiple instances of
exploitable buffer overrun vulnerabilities. The functions that have been
reported to be affected are load_cfg(), save_cfg() and send_message(). These
functions are implemented in client.c. It has been reported that due to a
lack of sufficient boundary checks performed on data contained in HOME
environment variables, a local attacker may overrun a 256-byte stack-based
buffer. Additionally, excessive data supplied as values for the player's name
and also the hostname may be used to corrupt sensitive process memory.
Finally, the potential buffer overflow reported to exist in the network
'chat' routines may be exploited to overwrite 2 bytes of data beyond the
affected buffer.
An attacker may exploit any one of these issues to potentially execute
arbitrary instructions in the security context of the 0verkill game client.
22. Open Text Corporation FirstClass Malicious File Execution Vu...
BugTraq ID: 9551
Remote: Yes
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9551
Summary:
FirstClass is a mail user agent distributed and maintained by the Open Text
Corporation. It is available for the Microsoft Windows platform.
A vulnerability has been reported to exist in the software that may allow an
attacker to execute arbitrary applications on a vulnerable system.
FirstClass client displays a warning prompt before a file is executed. It
has been reported due to improper sanitization of user-supplied file names,
malicious files with specially crafted names may be executed without a
warning prompt being displayed. This issue may be exploited by placing
special characters such as <>\/?*" at the end of the file extension such as:
test.exe<
Reportedly, the file is then downloaded and executed on the vulnerable
system. This issue may allow an attacker to execute arbitrary files on a
vulnerable system in the context of the user.
FirstClass version 7.1 has been reported to be prone to this issue.
23. GNU Chess '-s' Local Buffer Overflow Vulnerability
BugTraq ID: 9553
Remote: No
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9553
Summary:
GNU Chess is a chess game developed for Linux and Unix based systems.
It has been reported that GNU Chess is prone to a buffer overflow issue that
may allow an attacker to gain elevated privileges.
The problem is present due to improper handling of user-supplied data from
'-s' command line parameters. A buffer overflow condition may be caused by
supplying more than 652 bytes of data as a value for this parameter. The
condition is present due to insufficient boundary checking. A local attacker
may leverage the issue by exploiting an unbounded memory copy operation to
overwrite the saved return address/base pointer, causing the affected
procedures to return to an address of their choice.
Successful exploitation may allow an attacker to ultimately execute
arbitrary code in the context of the affected application; although
unconfirmed, GNU Chess is likely installed with setgid 'games' privileges on
most systems.
24. SurgeFTP Surgeftpmgr.CGI Denial Of Service Vulnerability
BugTraq ID: 9554
Remote: Yes
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9554
Summary:
SurgeFTP server is a file transfer server. SurgeFTP server ships with an
administrative web interface.
A vulnerability has been reported in the administrative interface
(surgeftpmgr.cgi) of the SurgeFTP server. The issue occurs due to a lack of
validation of input supplied as a value for URI parameters to the affected
script. By issuing a malformed request, a malevolent user may be able to
force the server to crash.
Although unconfirmed, this vulnerability may potentially exist as a result
of a format string handling issue.
A remote attacker may exploit this vulnerability by supplying URI parameters
that contain "%%" symbols to the affected script. It has been reported that
this will result in the server failing, effectively denying service to
legitimate users.
25. Niti Telecom Caravan Business Server Remote Directory Traver...
BugTraq ID: 9555
Remote: Yes
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9555
Summary:
Caravan Business Server is a collection of web site development tools,
including a web server, database engine, application server and scripting
language. It is designed for Unix based systems, Linux and Windows.
Caravan Business Server by default contains a collection of sample script
files. One such sample script is Sample_showcode.html, which is designed to
display web based script text to remote users.
This sample activates the 'showcode.asp' script, which does not adequately
sanitize user input. The script accepts a single value passed via a URL
parameter called 'fname', which specifies the file to be displayed. A
malicious user may be able to specify and view any file readable by the web
server using '../' character sequences.
Furthermore, the script fails to properly check for the existence of
requested files. This could potentially allow a malevolent user to create
arbitrary files on a system by requesting to view a file that does not
exist.
This issue has been reported to affect Caravan Business Server version
2.00/03D, however it may affect previous versions as well.
26. Clearswift MAILsweeper For SMTP RAR Archive Denial Of Servic...
BugTraq ID: 9556
Remote: Yes
Date Published: Jan 29 2004
Relevant URL: http://www.securityfocus.com/bid/9556
Summary:
MAILsweeper for SMTP is a commercial application for filtering e-mail
content at the gateway level.
MAILsweeper has been reported prone to a remote denial of service
vulnerability. The issue presents itself when MAILsweeper encounters an
email that has a malicious RAR archive attached. A properly constructed RAR
archive will trigger an infinite loop causing the affected software to
consume CPU system resources in an exponential manner.
A remote attacker may exploit this condition in order to deny service to
legitimate users of the targeted SMTP server.
27. All Enthusiast Photopost PHP Pro SQL Injection Vulnerability
BugTraq ID: 9557
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9557
Summary:
Photopost PHP Pro is a web based gallery application written in PHP.
A vulnerability has been reported to exist in the software that may allow an
attacker to influence SQL query logic to disclose sensitive information that
could be used to gain unauthorized access.
The issue exists due to insufficient sanitization of user-supplied data via
the 'photo' parameter of the 'showphoto.php' script. It has been reported that
a malicious user may influence database queries in order to view or modify
sensitive information potentially compromising the software or the
underlying database.
Photopost PHP Pro versions 4.6 and prior have been reported to be prone to
this vulnerability.
28. Util-Linux Login Program Information Leakage Vulnerability
BugTraq ID: 9558
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9558
Summary:
Login is a component of the util-linux package. It is available for the
Linux platform.
A problem has been identified in the handling of information by the login
component of the util-linux package. Because of this, an attacker may be
able to gain access to sensitive information.
The problem is an issue in the handling of pointers within the program. In
some situations, a function within the program may attempt to use a pointer
in system memory that has already been freed and reallocated by another
function. Under these circumstances, it would be possible for an attacker
to gain access to potentially sensitive information.
It is conjectured that this issue requires specific circumstances and
numerous attempts to glean useful information. However, no
proof-of-concept exists upon which further analysis can be made.
29. PHP-Nuke GBook Module HTML Injection Vulnerability
BugTraq ID: 9559
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9559
Summary:
PHP-Nuke is web portal software. GBook is a guestbook module for PHP-Nuke.
A vulnerability has been reported to exist in the software that may allow a
remote attacker to carry out HTML injection attacks in order to steal
sensitive data such as authentication credentials.
It has been reported that due to insufficient sanitization of user-supplied
data, various parameters passed to the GBook module are vulnerable to HTML
injection. Some of the affected parameters include 'name', 'email', 'city',
and 'message'. As a result, users may include malicious HTML and script
code inside of guestbook entries. The attacker-supplied code will be
rendered in the web client of the user who views a malicious guestbook
entry, and will be executed in the security context of the site hosting the
guestbook software.
It has been noted that GBook employs HTTP POST requests to communicate with
the server and HTTP POST requests are filtered by PHP-Nuke. Due to this, an
attacker may not be able to directly inject HTML code into the site,
however, an attacker may pass malicious HTML code via a '$_COOKIE' array.
'$_COOKIE' arrays are reportedly not filtered by PHP-Nuke. If
administrative access is enabled in the software, this may allow the
attacker to steal cookie-based authentication credentials from the
administrative guestbook user. Other attacks may be possible as well.
Gbook script for PHP-Nuke version 1.0 has been tested for this issue,
however, it is likely that other versions of PHP-Nuke are vulnerable as
well.
30. Qualiteam X-Cart Remote Command Execution Vulnerability
BugTraq ID: 9560
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9560
Summary:
X-Cart is a web based shopping cart application implemented in PHP and
integrated with a MySQL database backend.
X-Cart has been reported to be prone to an issue that may allow remote
attackers to execute arbitrary commands on the affected system. The issue
is caused by a failure of the application to sanitize values specified by
parameters in the URI. This issue has been reported to affect the
'upgrade.php' and 'general.php' scripts which reside in the 'admin'
directory of the application.
The upgrade.php script expects the parameter 'perl_binary' to be specified
via the URI. The 'perl_binary' parameter is used by the application to
execute Perl scripts for upgrading the software. Due to insufficient
sanitization of the value passed through this parameter, it is possible to
specify any executable file that is readable by the web server.
The general.php script expects the parameter 'config[General][perl_binary]'
to be specified via the URI. Insufficient sanitization of this value may also
allow remote command execution of applications that are readable by the web
server.
This issue is reported to affect X-Cart version 3.4.3, however other versions
of the software may also be vulnerable.
31. Sun ONE/iPlanet Web Server HTTP TRACE Credential Theft Vulne...
BugTraq ID: 9561
Remote: Yes
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9561
Summary:
Sun ONE Web Server is a web server implementation that is maintained by Sun
Microsystems. It has been rebranded from iPlanet.
A vulnerability has been reported to exist in the software that may allow a
remote attacker to steal sensitive information such as cookie-based
authentication credentials.
It has been reported that Sun ONE/iPlanet Web Server responds to the HTTP
TRACE request by default. The HTTP TRACE request used for debugging purposes
allows a web server to echo the contents of the request back to the client.
The complete request, including HTTP headers, is returned in the entity-body
of a TRACE response. This request also allows web sites to cause user
browsers to issue TRACE requests.
Enabling HTTP TRACE functionality by default may allow an attacker to
compromise user accounts by gaining access to sensitive header information.
This issue may be combined with other attacks such as cross-site scripting,
to steal cookie-based authentication credentials.
32. Cisco IOS MSFC2 Malformed Layer 2 Frame Denial Of Service Vu...
BugTraq ID: 9562
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9562
Summary:
IOS is the device operating system available for the Cisco hardware
platform. It is maintained and distributed by Cisco.
A problem has been identified in the handling of specific types of traffic
by Cisco 6000, 6500, and 7600 routers with the MSFC2 device. Because of
this, an attacker could potentially crash a vulnerable system.
The problem is in the handling of malformed layer 2 frames. It occurs when
a layer 2 frame encapsulating a layer 3 packet is sent to a Cisco device
running an affected version of IOS and the layer 2 frame length is
inconsistent with the encapsulated layer 3 packet. When an affected device
receives such a frame, it becomes unstable and crashes.
It should be noted that this vulnerability presents a risk under very
specific circumstances. The first circumstance is that a system on a
network segment local to the affected router can send a packet directly to
the router without intermediary hops that remove the layers 1 and 2 frames.
The other is the circumstance that a tunnel to carry layer 2 frames between
segments of networks exists, and a system on one segment of network can send
a malicious packet through the tunnel to a vulnerable router on another
segment of network.
33. Qualiteam X-Cart Multiple Remote Information Disclosure Vuln...
BugTraq ID: 9563
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9563
Summary:
X-Cart is a web based shopping cart application implemented in PHP and
integrated with a MySQL database backend.
X-Cart has been reported to be prone to an issue that may allow remote
attackers to view any web server readable files on the affected system. The
issue is caused by a failure of the application to sanitize values specified
by parameters in the URI. This issue has been reported to affect the
'auth.php' script.
The auth.php script expects the 'shop_closed_file' parameter to be
specified via the URI. The 'shop_closed_file' parameter is used by the
application to select the file to be viewed. Due to insufficient
sanitization of the value passed through this parameter, it is possible to
specify any file that is readable by the web server.
It has been reported that there is also an information disclosure issue with
the 'general.php' script that resides in the 'admin' directory of the
application. The 'mode' URI parameter can be set to request information on
the current PHP and Perl software versions, allowing potential attackers to
gain access to sensitive system details.
This issue is reported to affect X-Cart version 3.4.3, however other versions
of the software may also be vulnerable.
34. phpMyAdmin Export.PHP File Disclosure Vulnerability
BugTraq ID: 9564
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9564
Summary:
phpMyAdmin is a freely available tool that provides a web interface for
handling MySQL administrative tasks.
phpMyAdmin is prone to a vulnerability that may permit remote attackers to
gain access to files that are readable by the hosting web server. These
files may exist outside of the server root. The issue is reported to exist
in the 'export.php' script and may be exploited by providing directory
traversal sequences and the absolute path to a system file as an argument
for the 'what' URI parameter.
This could expose sensitive information that may be useful in further
attacks against the host.
35. Tunez Multiple Remote SQL Injection Vulnerabilities
BugTraq ID: 9565
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9565
Summary:
Tunez is a freely available, open source web MP3 jukebox. It is available
for the Unix and Linux platforms.
Several problems in the handling of user-supplied input have been identified
in Tunez. Because of this, an attacker may be able to gain unauthorized
access to the backend database.
Specific details concerning these issues are not currently available.
However, it has been disclosed by the project maintainers that numerous SQL
injection issues exist that can permit an attacker to submit SQL directly to
the database, potentially allowing an attacker to perform unauthorized
database functions.
36. Linley Henzell Dungeon Crawl Unspecified Local Buffer Overfl...
BugTraq ID: 9566
Remote: No
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9566
Summary:
Linley Henzell Dungeon Crawl is a console based game.
Dungeon Crawl has been reported to be prone to an unspecified local buffer
overflow vulnerability. The condition is present due to insufficient
boundary checking.
It has been reported that the software copies various environment variables
into a fixed size buffer without proper bounds checking. An attacker may
pass excessive data to the vulnerable application via an affected
environment variable. Immediate consequences of an attack may result in a
denial of service condition.
A local attacker may leverage the issue by exploiting an unbounded memory
copy operation to overwrite the saved return address/base pointer, causing
the affected procedures to return to an address of their choice.
Successful exploitation may allow an attacker to ultimately execute
arbitrary code in the context of the affected application. Although
unconfirmed, Crawl is likely installed with setgid games privileges on most
systems.
Crawl 4.0.0 beta 26 and prior may be prone to this issue.
37. Cauldron Chaser Remote Denial Of Service Vulnerability
BugTraq ID: 9567
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9567
Summary:
Chaser is a client-server, first person shooter computer game. It is
available for the Windows operating system.
Chaser has been reported to be prone to a denial of service vulnerability.
This issue is caused by a lack of input validation of a size parameter
specified in UDP network communication packets. The process will attempt to
read the amount of data specified by the packet, without regard to the
amount of memory allocated. This will cause an attempt by the application to
dereference unallocated memory, producing an exception and causing the
process to crash.
The structure of the UDP packet is as follows:
Packet Layout: 00 00 00 00 00 ff 00 00 00 00 00 00 00 00
The bytes in the 7th and 8th position specify the size of the data to be
copied.
When the value stored in the size parameter exceeds that which is allocated
by the process, the exception occurs. This issue affects both the Chaser
client and server.
Although it has been reported that this issue produces a denial of service
vulnerability, it may be theoretically possible to leverage this issue to
gain escalated privileges on the affected system.
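As an added example that is not part of the advisory or the game's own code, a receive-side check for the layout above that validates the size field against both the datagram length and the destination buffer before copying; the little-endian byte order of the size field, the 14-byte header length and the buffer sizes are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_LEN     14    /* length of the header layout shown in the advisory (assumed fixed) */
#define MAX_PAYLOAD 4096  /* constructed: the receive buffer the process allocates */

/* Hypothetical parse result; not the game's own structures. */
typedef struct {
    uint16_t declared_size; /* size field taken from the 7th and 8th bytes */
    size_t   copied;        /* bytes actually copied into the destination */
} chaser_pkt;

/* Parse one UDP datagram. Returns 0 on success and -1 when the packet is
 * truncated or the declared size exceeds either the data present in the
 * datagram or the space available in dst. The reported bug is that the
 * process trusted the size field and read that many bytes regardless of
 * the memory it had allocated; both bounds are enforced here. */
int parse_chaser_packet(const uint8_t *pkt, size_t pkt_len,
                        uint8_t *dst, size_t dst_len, chaser_pkt *out)
{
    if (pkt == NULL || dst == NULL || out == NULL || pkt_len < HDR_LEN)
        return -1;

    /* 7th and 8th position in the layout = 0-based indices 6 and 7.
     * Assumption: little-endian, as is common for Windows game protocols. */
    uint16_t size = (uint16_t)(pkt[6] | (pkt[7] << 8));
    out->declared_size = size;
    out->copied = 0;

    if (size > pkt_len - HDR_LEN)   /* claims more data than the datagram carries */
        return -1;
    if (size > dst_len)             /* claims more data than the destination holds */
        return -1;

    memcpy(dst, pkt + HDR_LEN, size);
    out->copied = size;
    return 0;
}

int main(void)
{
    uint8_t dst[MAX_PAYLOAD];
    chaser_pkt p;

    /* Constructed: the layout from the advisory with a size field of 0. */
    uint8_t benign[HDR_LEN] = {0,0,0,0,0,0xff,0,0,0,0,0,0,0,0};
    printf("benign packet: rc=%d copied=%zu\n",
           parse_chaser_packet(benign, sizeof benign, dst, sizeof dst, &p), p.copied);

    /* Constructed: size field 0xff00 (65280) on a 14-byte datagram, the
     * condition the advisory describes; rejected instead of over-read. */
    uint8_t oversized[HDR_LEN] = {0,0,0,0,0,0xff,0x00,0xff,0,0,0,0,0,0};
    printf("oversized packet: rc=%d declared=%u\n",
           parse_chaser_packet(oversized, sizeof oversized, dst, sizeof dst, &p),
           p.declared_size);
    return 0;
}
```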
38. Microsoft Internet Explorer NavigateAndFind() Cross-Zone Pol...
BugTraq ID: 9568
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9568
Summary:
A vulnerability has been reported in Microsoft Internet Explorer. Because of
this, an attacker may be able to violate cross-zone policy.
It has been reported that the issue presents itself due to a failure by
Internet Explorer to remove JavaScript URIs from the browser history list in
some circumstances.
It has been demonstrated that a JavaScript URI consisting of the following
method can be embedded in the Browser history list:
external.NavigateAndFind('res:','','')
(where the "res:" URI is a redirect to the Local Machine security zone)
This could be further employed by an attacker to have malicious Active
Content executed in the context of the Local Machine security zone. Code
execution will occur if the "Back Button" on the affected browser is
selected.
This issue is similar in nature to the vulnerability described in BID 9109.
39. PHPX Multiple Vulnerabilities
BugTraq ID: 9569
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9569
Summary:
PHPX is a PHP-based content management system.
Multiple vulnerabilities were reported in PHPX. The specific issues include
cross-site scripting, HTML injection and account hijacking via specially
crafted cookies.
Two cross-site scripting issues exist in the main.inc.php and help.inc.php
scripts. These are due to insufficient sanitization of input supplied via
URI parameters. In particular, main.inc.php does not sanitize input
supplied to the 'keywords' parameter while help.inc.php does not sanitize
input supplied to the 'body' parameter. An attacker could exploit these
issues by enticing a victim user to follow a malicious link that includes
embedded HTML and script code. This would most likely result in cookie
theft, though other attacks are also possible.
HTML injection issues exist in the 'Subject' field for Personal Messages and
the Forum. This could permit a user of the software to persistently inject
hostile HTML and script code into the content management system. The
attacker could exploit this to steal cookies but it would also be possible
to influence site content.
An account hijacking vulnerability was reported due to insufficient
validation of values embedded in user-supplied cookies. Specifically, the
PXL cookie value corresponds to the userID and may be changed to an
arbitrary value, resulting in hijacking of other user and administrative
accounts.
These issues were reported to exist in PHPX 3.2.3. Earlier versions are
also likely affected.
40. Linux Kernel R128 Device Driver Unspecified Privilege Escala...
BugTraq ID: 9570
Remote: No
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9570
Summary:
The Linux Kernel supports numerous driver modules; one such is the R128
(ATI Rage 128) video card driver module.
It has been reported that the Linux Kernel is prone to an unspecified local
privilege escalation vulnerability. The issue is reportedly due to an R128
DRI limits checking issue and may lead to privilege escalation on affected
systems.
This BID will be updated with further technical details if more information
is made available.
41. Apache mod_digest Client-Supplied Nonce Verification Vulnera...
BugTraq ID: 9571
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9571
Summary:
mod_digest is a digest authentication module that is included in Apache
HTTPD.
Patches have been released for the Apache mod_digest module to include
digest replay protection. The module reportedly did not adequately verify
client-supplied nonces against the server issued nonce. The nonce is a
random server generated value that is sent for session verification purposes
during digest authentication. This vulnerability could permit a remote
attacker to replay the response of another website or section of the same
website under some circumstances, potentially allowing unauthorized access
to sessions.
It should be noted that this issue does not exist in the mod_auth_digest module.
42. FreeBSD NetINet TCP Maximum Segment Size Remote Denial Of Se...
BugTraq ID: 9572
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9572
Summary:
The FreeBSD netinet implementation has been reported prone to a
vulnerability that may allow remote attackers to deny service to affected
servers.
The issue presents itself due to a lack of restrictions placed on TCP MSS
(Maximum Segment Size) values. When a TCP connection is negotiated, the MSS
values are exchanged between the connected hosts. This may provide a remote
attacker an opportunity to set the Maximum Segment Size to a low value (>64
octets). This will result in data transmission that consists of large
numbers of small packets. As the server attempts to commit to the
transmission, processing and receiving of this malicious traffic, resources
may be exhausted. Ultimately the affected server may cease to serve
legitimate traffic.
A remote attacker may exploit this condition to deny service to legitimate
users.
43. TYPSoft FTP Server Remote Denial Of Service Vulnerability
BugTraq ID: 9573
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9573
Summary:
TYPSoft FTP Server is a freely available ftp server implemented for the
Windows platform.
TYPSoft FTP server has been reported to be prone to a remote denial of
service vulnerability. A malevolent user may leverage this issue to cause
the ftp server to crash, denying service to legitimate users.
This issue can be leveraged by first authenticating with the server, and
then initiating the login sequence without supplying a user name. The
software attempts to carry out operations on an uninitialized buffer,
causing a dereference of unallocated memory and inevitably forcing the
server to crash.
This issue has been reported to affect version 1.10 of the software, however
previous versions may also be affected.
44. All Enthusiast ReviewPost PHP Pro Multiple SQL Injection Vul...
BugTraq ID: 9574
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9574
Summary:
ReviewPost PHP Pro is a web based bulletin board application written in PHP.
Multiple vulnerabilities have been reported to exist in the software that
may allow an attacker to influence SQL query logic. This issue could be
exploited to disclose sensitive information that may be used to gain
unauthorized access.
The issues exist due to insufficient sanitization of user-supplied data via
the 'product' parameter of 'showproduct.php' script and the 'cat' parameter
of 'showcat.php' script. It has been reported that a malicious user may
influence database queries in order to view or modify sensitive information
potentially compromising the software or the underlying database.
Although unconfirmed, ReviewPost PHP Pro 2.5.1 and prior may be prone to
these issues.
45. RXGoogle.CGI Cross Site Scripting Vulnerability
BugTraq ID: 9575
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9575
Summary:
RXGoogle.CGI is a free search script implemented in Perl that facilitates
internet-wide searching from a local web site.
It has been reported that the rxgoogle.cgi search script is prone to a cross
site scripting vulnerability. This issue is reportedly due to a failure to
sanitize user input and so allows various meta-characters that may
facilitate cross site scripting attacks.
This could permit a remote attacker to create a malicious link to the web
server that includes hostile HTML and script code. If this link were
followed, the hostile code may be rendered in the web browser of the victim
user. This would occur in the security context of the web server and may
allow for theft of cookie-based authentication credentials or other attacks.
46. Web Crossing Web Server Component Remote Denial Of Service V...
BugTraq ID: 9576
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9576
Summary:
Web Crossing is a collaboration server platform. Web Crossing ships with a
Web Server component.
The Web Crossing Web Server component has been reported prone to a remote
denial of service vulnerability. It has been reported that the issue will
present itself when the affected web server receives a malicious HTTP POST
request that contains negative or excessive values for the Content-Length
field in the HTTP header. When such a request is processed, an integer
divide by zero operation will occur, causing the affected server to crash.
A remote attacker may exploit this issue to deny service to the Web Crossing
Web Server.
47. OpenBSD ICMPV6 Handling Routines Remote Denial Of Service Vu...
BugTraq ID: 9577
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9577
Summary:
OpenBSD has been reported prone to a remote denial of service attack when
configured to process IPV6 traffic. The issue occurs when an affected host
handles ICMPV6 traffic that is configured with an arbitrarily low MTU size.
It has been reported that when traffic of the aforementioned type is handled
an unspecified kernel error occurs, denying service to the affected system.
A remote attacker may exploit this vulnerability to deny service to
legitimate users.
FreeBSD does not appear to be affected. It is undetermined if NetBSD is
similarly affected. This BID will be updated as further information
relating to this issue is disclosed.
48. GNU Radius Remote Denial Of Service Vulnerability
BugTraq ID: 9578
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9578
Summary:
GNU Radius is a server used primarily by Internet service providers as a
solution for authentication and accounting.
GNU Radius has been reported prone to a remote denial of service
vulnerability. The issue presents itself when a single UDP datagram is
processed that contains an Acct-Status-Type attribute without any other
data. When the affected server handles this datagram, the server will
segfault due to a NULL Pointer dereference.
Specifically, when the Acct-Status-Type attribute is encountered the
following operation is processed:
avl_find(req->request, DA_ACCT_STATUS_TYPE);
Because the datagram contains no other data, the following operation will
result in a NULL value for the *sid_pair pointer:
VALUE_PAIR *sid_pair = avl_find(req->request, DA_ACCT_SESSION_ID);
Finally, when a member of the sid_pair structure is referenced via the
following operation:
snprintf(nbuf, sizeof nbuf, "%ld", sid_pair->avp_lvalue);
the NULL pointer dereference will cause the service process to fail.
It should be noted that although this issue has been reported to affect GNU
Radius version 1.1, previous versions might also be affected.
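As an added illustration that is not GNU Radius's own source and not part of the advisory, the sequence of operations above written out with the missing NULL check beside the unchecked form; VALUE_PAIR, avl_find, RADIUS_REQ and the DA_* codes are constructed stand-ins for the names the advisory uses.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the names the advisory uses; not GNU Radius's
 * own definitions. The attribute numbers are the RFC 2866 values for
 * Acct-Status-Type (40) and Acct-Session-Id (44). */
#define DA_ACCT_STATUS_TYPE 40
#define DA_ACCT_SESSION_ID  44

typedef struct value_pair {
    int attribute;
    long avp_lvalue;
    struct value_pair *next;
} VALUE_PAIR;

typedef struct {
    VALUE_PAIR *request; /* attribute list decoded from one datagram */
} RADIUS_REQ;

/* Look up an attribute in the request; NULL when the datagram lacks it.
 * Stand-in for avl_find: a linear search over a singly linked list. */
VALUE_PAIR *avl_find(VALUE_PAIR *list, int attribute)
{
    for (; list != NULL; list = list->next)
        if (list->attribute == attribute)
            return list;
    return NULL;
}

/* The shape the advisory describes: sid_pair is used without a NULL check,
 * so a datagram carrying only Acct-Status-Type crashes the process here. */
void format_session_id_unchecked(RADIUS_REQ *req, char *nbuf, size_t nbuf_len)
{
    VALUE_PAIR *sid_pair = avl_find(req->request, DA_ACCT_SESSION_ID);
    snprintf(nbuf, nbuf_len, "%ld", sid_pair->avp_lvalue); /* NULL dereference */
}

/* Hardened handler: an accounting request that carries Acct-Status-Type but
 * no Acct-Session-Id is malformed and is rejected instead of dereferenced.
 * Returns 1 when nbuf was filled, 0 when the request was rejected. */
int handle_accounting(RADIUS_REQ *req, char *nbuf, size_t nbuf_len)
{
    if (avl_find(req->request, DA_ACCT_STATUS_TYPE) == NULL)
        return 0; /* not an accounting request at all */

    VALUE_PAIR *sid_pair = avl_find(req->request, DA_ACCT_SESSION_ID);
    if (sid_pair == NULL) {
        fprintf(stderr, "accounting request without Acct-Session-Id: rejected\n");
        return 0;
    }
    snprintf(nbuf, nbuf_len, "%ld", sid_pair->avp_lvalue);
    return 1;
}

int main(void)
{
    char nbuf[32];

    /* Constructed: the datagram from the advisory, one attribute and nothing else. */
    VALUE_PAIR only_status = { DA_ACCT_STATUS_TYPE, 1, NULL };
    RADIUS_REQ bad = { &only_status };
    printf("single-attribute datagram handled: %d\n",
           handle_accounting(&bad, nbuf, sizeof nbuf));

    /* Constructed: a well-formed accounting request with a session id. */
    VALUE_PAIR sid = { DA_ACCT_SESSION_ID, 12345L, NULL };
    VALUE_PAIR status = { DA_ACCT_STATUS_TYPE, 1, &sid };
    RADIUS_REQ good = { &status };
    if (handle_accounting(&good, nbuf, sizeof nbuf))
        printf("session id: %s\n", nbuf);
    return 0;
}
```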
49. Multiple RealPlayer/RealOne Player Supported File Type Buffe...
BugTraq ID: 9579
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9579
Summary:
RealPlayer/RealOne Player are media players that are available for various
operating systems, including Microsoft Windows and Mac OS.
It has been reported that various RealPlayer/RealOne Player releases are
prone to multiple exploitable stack and heap overrun vulnerabilities. This
is due to insufficient bounds checking when handling malformed files of
various supported file types (.RP, .RT, .RAM, .RPM and .SMIL). When the
player loads such a file, stack or heap memory may be corrupted with
embedded data in the file, possibly allowing for sensitive variables in
memory to be overwritten. In this manner, it would be possible to execute
arbitrary code on the client system in the context of the user invoking the
vulnerable player.
This issue could be exploited by forcing a user to visit a malicious website
that is hosting the file, causing it to be automatically invoked. File
attachments also provide an attack vector, but would require the user to
interactively open the malformed file (with the exception of .RPM files,
which may open automatically).
50. RealPlayer/RealOne Player RMP File Handler Unspecified Code ...
BugTraq ID: 9580
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9580
Summary:
RealPlayer/RealOne Player are media players that are available for various
operating systems, including Microsoft Windows and Mac OS.
RealPlayer/RealOne Players have been reported prone to an unspecified code
execution vulnerability. The issue occurs within the RMP file processing
routines of affected versions of the player.
Although unconfirmed it has been conjectured that arbitrary code execution
may occur when a malicious RMP file is processed. This will reportedly
cause malicious code to be downloaded and executed. Code execution would
occur in the context of the user who is running the affected player.
This BID will be updated as further details regarding this vulnerability are
disclosed.
51. Multiple Check Point Firewall-1 HTTP Security Server Remote ...
BugTraq ID: 9581
Remote: Yes
Date Published: Feb 05 2004
Relevant URL: http://www.securityfocus.com/bid/9581
Summary:
Firewall-1 is a commercially available enterprise firewall software package.
It is distributed by Check Point, and available for the Unix, Linux, and
Microsoft Windows platforms.
Problems in the handling of some types of HTTP requests from remote users
have been identified in Check Point Firewall-1 HTTP Application Intelligence
and HTTP Security Server. Because of this, it is possible for a remote
attacker to gain unauthorized access to a vulnerable system with
administrative privileges.
It has been reported that several occurrences of format string
vulnerabilities exist in the HTTP Application Intelligence and HTTP Security
Server components of Firewall-1. One disclosed example cites placing an
invalid scheme in a URI and submitting it to the vulnerable component,
resulting in an attacker passing an arbitrary format string to an
sprintf() call.
Other format string issues may result in heap corruption attacks. Since the
Firewall-1 software is most often executed as the administrative user on
systems, this issue has the potential to result in complete compromise of an
affected host.
52. Check Point VPN-1/SecuRemote ISAKMP Large Certificate Reques...
BugTraq ID: 9582
Remote: Yes
Date Published: Feb 05 2004
Relevant URL: http://www.securityfocus.com/bid/9582
Summary:
VPN-1, SecuRemote, and SecureClient are secure remote access components
distributed and maintained by Check Point Software. They are available for
the Unix, Linux, and Microsoft Windows platforms.
A problem has been identified in the handling of large Certificate Request
payload exchanges in Check Point VPN-1, SecuRemote, and SecureClient.
Because of this, it is possible for a remote attacker to gain unauthorized
access to vulnerable systems.
During the establishment of an ISAKMP session, it is possible for one system
to send to another a Certificate Request payload to solicit credentials.
However, bounds checking is not adequately performed on received Certificate
Request payload packets by clients or servers in the Check Point
implementations.
An attacker could take advantage of this issue to exploit a buffer overflow
in the client and server implementations, resulting in the execution of
attacker-supplied code with the privileges of the software, which runs as the
administrative user in typical configurations.
53. IBM Cloudscape Database Remote Command Execution Vulnerabili...
BugTraq ID: 9583
Remote: Yes
Date Published: Feb 05 2004
Relevant URL: http://www.securityfocus.com/bid/9583
Summary:
IBM Cloudscape is a Java based SQL database solution.
A vulnerability has been reported in the Cloudscape database that could
permit remote attackers to execute arbitrary commands on a system hosting
the software. The source of this issue is reportedly insecure security
settings and library bugs in sun.* and org.apache.* packages that are
further complicated if Cloudscape is not run with a properly secured
Security Manager policy.
This issue may reportedly be exploited through a malicious SQL statement
that will cause an executable on the host file system to be run. Denial of
service attacks and exposure of sensitive information may also be the result
of successful exploitation.
It should be noted that although this vulnerability has been reported to
affect IBM Cloudscape version 5.1 when installed in conjunction with Sun JDK
1.4.2_03, other versions might also be affected.
54. Crossday Discuz! Cross Site Scripting Vulnerability
BugTraq ID: 9584
Remote: Yes
Date Published: Feb 05 2004
Relevant URL: http://www.securityfocus.com/bid/9584
Summary:
Discuz! is web based message board software implemented in PHP.
It has been reported that Discuz! is prone to a Cross Site Scripting
vulnerability. This issue is caused by the application failing to properly
sanitize links embedded within user messages.
The software allows users to post images by enclosing the URL of an image
within [img]..[/img] tags. The application displays a thumbnail view of the
specified image as a link to the full size version. The URL of the file
that is specified between the image tags is not properly sanitized, allowing
a user to enter malicious script. This issue arises due to the user
specified URL being included inside JavaScript tags used to open the image
in a new browser window. This may allow the user to craft malicious script
and have it executed when an unsuspecting user follows the link.
An attacker may exploit this vulnerability to execute arbitrary HTML and
script code in the browser of an unsuspecting user who views the malicious
post. Code execution will occur in the context of the vulnerable site. This
issue may be exploited to steal cookie based credentials. Other attacks are
also possible.
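The context mismatch described above (a user-controlled URL dropped into the JavaScript that opens the image window) can be shown in a few lines. The following is an added example written for this summary, not Discuz! source: the markup, function names and the sample post are constructed. It renders the same [img]...[/img] tag two ways: verbatim concatenation, where a quote in the URL terminates the JavaScript string, and a hardened version that allow-lists the URL scheme and then escapes the URL once for each context it lands in (JavaScript string literal, then HTML attribute).

```python
"""Added example (not Discuz! code): rendering a user-supplied [img] URL into a
thumbnail link whose click handler opens the image in a new window, contrasting
the flawed pattern the advisory describes (raw URL concatenated into the
JavaScript string) with a version that validates the URL and escapes it for
each context it is placed in. Names, markup and sample inputs are constructed."""
import html
import json
import re
from typing import Optional
from urllib.parse import urlsplit

# [img]...[/img] BBCode as used by many PHP message boards
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def render_unsafe(message: str) -> str:
    """Flawed rendering: the user's URL is dropped verbatim into an onclick
    JavaScript string, so a quote character in the URL ends the string and the
    rest of the URL is parsed as script (the issue the advisory describes)."""
    def repl(m):
        url = m.group(1)
        return ("<a href=\"#\" onclick=\"window.open('" + url + "')\">"
                "<img src=\"" + url + "\"></a>")
    return IMG_TAG.sub(repl, message)


def safe_image_url(url: str) -> Optional[str]:
    """Accept only absolute http(s) URLs with a host and no control or
    whitespace characters; anything else is rejected (returns None)."""
    url = url.strip()
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return None
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return url


def render_safe(message: str) -> str:
    """Hardened rendering: allow-list the scheme, then escape the URL once for
    each context. json.dumps turns it into a JavaScript string literal (quotes
    and backslashes escaped); html.escape then protects the attribute value
    that the script lives in, and the href/src attributes separately."""
    def repl(m):
        url = safe_image_url(m.group(1))
        if url is None:
            # Show the tag as plain text rather than emitting any link.
            return html.escape(m.group(0))
        attr_url = html.escape(url, quote=True)
        js_literal = json.dumps(url)          # "..." with \" and \\ escaped
        onclick = html.escape("window.open(" + js_literal + ")", quote=True)
        return ('<a href="%s" onclick="%s"><img src="%s" alt=""></a>'
                % (attr_url, onclick, attr_url))
    return IMG_TAG.sub(repl, message)


# Constructed sample post: the URL closes the single-quoted JS string early.
SAMPLE_POST = "Look: [img]http://pics.example.test/a.png');untrusted();('[/img]"

if __name__ == "__main__":
    print(render_unsafe(SAMPLE_POST))
    print(render_safe(SAMPLE_POST))
```

Running the module prints both renderings of the constructed post: in the first, the URL's `');` ends the `window.open('...')` argument and the remainder becomes script; in the second, every quote is carried as `&#x27;` or `&quot;` inside a JSON-encoded literal, so the browser decodes the attribute back into a single, harmless string argument. Rejecting non-http(s) schemes in `safe_image_url` also keeps `javascript:` URLs out of the `href` and `src` attributes, which escaping alone would not prevent.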
55. XLight FTP Server Long Directory Request Remote Denial Of Se...
BugTraq ID: 9585
Remote: Yes
Date Published: Feb 05 2004
Relevant URL: http://www.securityfocus.com/bid/9585
Summary:
XLight FTP Server is a commercially available FTP server. It is available
for the Microsoft Windows platform.
A problem in the handling of large requests has been reported to result in
service instability in XLight FTP Server under some circumstances. Because
of this, it may be possible for a remote attacker to deny service to
legitimate users of the software.
The problem is in the handling of requests by authenticated users that are
of excessive length. When the "Enable Log To Screen" option is enabled on a
vulnerable server (not the default configuration), and a server
administrator attempts to look at an FTP log in the main FTP server window,
the server crashes.
It is conjectured that this could be a boundary condition error with the
potential for exploitation. However, no conclusive proof exists.
56. BSD Kernel SHMAT System Call Privilege Escalation Vulnerabil...
BugTraq ID: 9586
Remote: No
Date Published: Feb 05 2004
Relevant URL: http://www.securityfocus.com/bid/9586
Summary:
A vulnerability has been reported to exist in the shmat system call used in
the BSD kernel. This may allow a local attacker to inject instructions into
the memory of a privileged process.
BSD systems support the System V Shared Memory interface that provides
primitives for sharing memory segments between separate processes. The
shmat(2) system call allows a shared memory segment that is created with the
shmget(2) function to be mapped into the calling process's address space.
The issue presents itself due to an error in the shmat(2) system call which
is included with the System V Shared Memory interface.
shmat(2) is implemented in the sysv_shm.c file.
The vulnerability occurs when shmat(2) does not decrement the reference
count of a shared memory segment when an error occurs. Reportedly,
shmat(2) increments a count prior to attempting to reference a virtual
memory object, but fails to decrement the count when an error occurs. An
attacker could create two shared memory segments, then abuse the shmat
system call with invalid calls (the reported amount is 2^32-2 calls, or
4,294,967,294) to force a wrapping of the count in memory. Upon dereferencing
one of the shared memory segments and executing a privileged program, the
attacker could force the privileged program to reuse the section of shared
memory still under control of the attacker.
The attacker could use this as a means of modifying the memory of the
running process, executing arbitrary attacker-supplied instructions injected
into the running process memory, granting privilege escalation to the
attacker.
III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Cable modem hackers conquer the co-ax
By: Kevin Poulsen
A cunning international group of renegade coders raise cable modem hacking
to a whole new level by tinkering with firmware. But all members really want
is a steady job.
http://www.securityfocus.com/news/7977
2. Heckenkamp Pleads Guilty
By: Kevin Poulsen
Accused eBay, Qualcomm hacker wasn't framed after all.
http://www.securityfocus.com/news/7959
3. DARPA-funded Linux security hub withers
By: Kevin Poulsen
System to reward auditors with karma points dies on the vine.
http://www.securityfocus.com/news/7947
4. Unholy trio of RealOne Player holes unearthed
By: John Leyden, The Register
http://www.securityfocus.com/news/7987
5. Clueless office workers help spread computer viruses
By: John Leyden, The Register
http://www.securityfocus.com/news/7986
6. NetScreen takes on the mid-market
By: John Leyden, The Register
http://www.securityfocus.com/news/7978
IV. SECURITYFOCUS TOP 6 TOOLS
-----------------------------
1. RFC v2.0.0
By: Claudio "sekko" Panichi <claudio.panichi@roma2.infn.it>
Relevant URL:
http://rfc.sourceforge.net/
Platforms: POSIX
Summary:
RFC (Remote Filesystem Checker) is a set of scripts that aims to help system
administrators run a filesystem checker (like tripwire, aide, etc.) from a
"master-node" on several "slave-nodes" using ssh, scp, sudo, and a few other
common shell commands.
2. Enigmail v0.83.2
By: Patrick
Relevant URL: http://enigmail.mozdev.org/thunderbird.html
Platforms: Linux, MacOS, POSIX, UNIX, Windows 2000, Windows 3.x, Windows
95/98, Windows CE, Windows NT, Windows XP
Summary:
Enigmail is a "plugin" for the mail client of Mozilla and Netscape 7.x which
allows users to access the authentication and encryption features provided
by the popular GnuPG software. Enigmail can encrypt/sign mail when sending,
and can decrypt/authenticate received mail. It can also import/export public
keys. Enigmail supports both the inline PGP format and the PGP/MIME format,
which can be used to encrypt attachments. Enigmail is cross-platform,
although binaries are supplied only for a limited number of platforms.
Enigmail uses inter-process communication to execute GPG to carry out
encryption/authentication.
3. Revelation v0.1.2
By: SnadBoy Software
Relevant URL: http://oss.wired-networks.net/revelation/
Platforms:
Summary:
Revelation enables you to obtain passwords that have been cached on your
computer. It essentially decodes those asterisks that automatically appear
in some log-in dialog boxes such as in Windows Dial-Up networking. With the
utility running, you drag an icon onto the password field you can't remember
and the software divulges the text.
4. Dazuko v2.0.0
By: John Ogness
Relevant URL: http://www.dazuko.org/
Platforms: FreeBSD, Linux
Summary:
This project provides a kernel module which provides 3rd-party applications
with an interface for file access control. It was originally developed for
on-access virus scanning. Other uses include a file-access monitor/logger or
external security implementations. It operates by intercepting file-access
calls and passing the file information to a 3rd-party application. The
3rd-party application then has the opportunity to tell the kernel module to
allow or deny the file-access. The 3rd-party application also receives
information about the file, such as type of access, process ID, user ID,
etc.
5. cosign v1.5
By: UMich Web Team
Relevant URL: http://weblogin.org/
Platforms: UNIX, Windows 2000, Windows NT
Summary:
cosign is a Web single sign on system that allows users to authenticate once
per session and access any protected Web resources at the institution. If
used, passwords are sent only to a single, central URL. Sessions have both
idle and hard timeouts, and users can logout of all protected services by
visiting a single URL. The use of public key cryptography ensures that a
compromise of a protected Web server has no impact on the security of other
participating servers.
6. CVS-SSH2 Plug-in for Eclipse v0.1.2
By: ymnk <ymnk@jcraft.com>
Relevant URL: http://www.jcraft.com/eclipse-cvsssh2/
Platforms: OS Independent
Summary:
CVS-SSH2 Plug-in for Eclipse is an Eclipse plug-in to allow CVS access on an
encrypted session by SSH2 protocol.
V. SECURITYJOBS LIST SUMMARY
----------------------------
1. Looking for an Information Security Engineer positio... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/353077
2. I need a multi platform AS 400 CISSP for a client in... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/353076
3. Recent CISSP seeking in GA or NC. (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/353074
4. CISSP, Looking for assignment in Research Triangle P... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/353072
5. Senior Account Executives - Amherst, NY (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/353071
6. Seeking network security position (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352984
7. CISSP in Akron/Cleveland area looking for work (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352889
8. Enterprise Security Integration Consultant - NY, DC... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352858
9. Contract work for Security Standards expert (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352837
10. Dallas Area (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352801
11. AOL Incident Response in Northern VA (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352793
12. Secure Software Inc. seeks Auditors, and VP of Profe... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352792
13. ArcSight is looking for a Security Sales Engineer, S... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352790
14. Vulnerability Research Engineer Atlanta GA $75K-$100... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352715
15. JOB: US-NY-NYC: Security Service Support (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352699
16. IT Security Manager role in the North of England (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352696
17. UK application pen testers (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352695
18. Pre Sales Engineer Manager (Atlanta) (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352694
19. Network Security Manager role in Thames Valley , UK (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352691
20. Position: Network Security Engineer Job#Soft147 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352687
21. Vulnerability Specialist - Helsinki, Finland (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352686
22. Looking for an INFORMATION SECURITY / SYSTEM ADMINIS... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352685
23. Seeking Employment: Security Product Management/Mar... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352338
24. Security Consultant needed in NYC area. (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352313
25. Seeking: Business Continuity / Information Security ... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352312
26. X-Force Engineering Manager Position Available - Int... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352311
27. Sales Representatives New York (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352309
28. Security Technical Support Engineer, Silicon Valley (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352306
29. IT Security Consultant - PKI Specialist, London, UK ... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352301
30. IT Security Consultant - Computer Forensics, UK (man... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352299
31. (security) SATCOM Technician I, II, & III - Location... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352291
32. LDAP Security Analyst (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/352284
VI. INCIDENTS LIST SUMMARY
--------------------------
1. Possible new Bugbear (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/352769
2. Type od DDoS in MyDoom???? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/352588
3. Blaster Recurrence (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/352479
4. ezmlm warning (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/352459
5. Type od DDoS in MyDoom???? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/352405
6. Scanned on 16 TCP ports, anyone seen this before? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/352404
7. Yet another Visa scam scheme (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/352401
8. new IIS exploit? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/352396
9. Good Advice Re: Anti-Virus Companies had a Virus Upd... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/352180
VII. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
1. Sambar 6.0 stack overflow (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/353087
2. Hacking USB Thumbdrives, Thumprint authentication (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/352893
3. R-SIP Protocol (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/352617
VIII. MICROSOFT FOCUS LIST SUMMARY
----------------------------------
1. Looking for SQL security details (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/353139
2. Tightening up security for quarantine script (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/353138
3. Encrypt data - SQL Server 2000 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/353137
4. Need free app for viewing metadata in Word documents (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/353136
5. MS 2000 DUN Connection Name issue (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/352885
6. Controlling Admin Access (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/352834
7. SecurityFocus Microsoft Newsletter #174 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/352808
8. SMTP Service in private DMZ OK? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/352581
9. Article Announcement: Faith No More (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/352240
IX. SUN FOCUS LIST SUMMARY
--------------------------
NO NEW POSTS FOR THE WEEK 2004-02-02 to 2004-02-09.
X. LINUX FOCUS LIST SUMMARY
---------------------------
1. exporting sudoers, good pratcice ? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/353133
XI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe send an e-mail message to
sf-news-unsubscribe@securityfocus.com from the subscribed address. The
contents of the subject or message body do not matter. You will receive a
confirmation request message to which you will have to answer. Alternatively
you can also visit http://www.securityfocus.com/newsletters
and unsubscribe via the website.
If your email address has changed email listadmin@securityfocus.com and ask
to be manually removed.
XII. SPONSOR INFORMATION
------------------------
This issue sponsored by: Astaro
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO. Firewall - Virus
protection - Spam protection - URL blocking - VPN - Wireless security.
Download 30-day evaluation at:
http://www.securityfocus.com/sponsor/Astaro_sf-news_040209
------------------------------------------------------------------------
------------------------------------------------------------------------
To unsubscribe from netsec, send mail to majordomo@merit.edu
with a body consisting of the words "unsubscribe netsec" --
without the quotes. For more help, send a message to majordomo@merit.edu
with the word "help" as the body.
------------------------------------------------------------------------