Allen.Wilson@guardent.com
Date: Sun Sep 08 2002 - 11:45:41 CDT


    Guardent Client Advisory
    Multiple wordtrans-web Vulnerabilities

    September 6th, 2002

    Summary:

    Guardent has discovered vulnerabilities in the wordtrans-web package. The
    vulnerabilities allow remote execution of arbitrary code with the
    privileges of the user running the web server, and also permit cross-site
    scripting.

    Scope:

    Guardent has verified that all versions prior to and including the current
    development version of wordtrans-1.1pre9 are vulnerable.

    The current distribution of Red Hat Linux 7.3 is vulnerable.
    Earlier versions of Red Hat Linux do not contain the vulnerable package.

    The Debian wordtrans-web package version 1.0beta-2-2.4 in unstable is
    vulnerable. Note that this package is not present in the stable release,
    Debian 3.0 (woody).

    Description:

    The wordtrans-web package provides an interface to query multilingual
    dictionaries via a web browser. Improper input validation allows for the
    execution of arbitrary code or injection of cross-site scripting code by
    passing in unexpected parameters to the wordtrans.php script. The
    wordtrans.php script in turn executes the "wordtrans" binary unsafely with
    the unexpected parameters.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2002-0837 to this issue.

    Detection:

    Red Hat Linux administrators are encouraged to verify the presence and
    version of their wordtrans-web package using the command:

         rpm -qi wordtrans-web

    Guardent has provided the following Snort signature to assist users in
    detecting accesses to the vulnerable wordtrans-web component.

    alert tcp $EXTERNAL_NET any -> $WEB_SERVERS 80 (msg:"WEB-MISC wordtrans-web access"; flags:A+; uricontent:"/wordtrans.php"; nocase; classtype:attempted-recon; sid:1082322; rev:1;)
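    The Snort rule above only reports that wordtrans.php was touched. As an added example (not from the advisory or the wordtrans project), the following Python mirrors the whitelist the advisory's patch applies to $dict and runs it over constructed Apache access-log lines, flagging wordtrans.php requests whose parameters that filter would have altered, that begin with a hyphen, or that carry HTML metacharacters. The log lines, hosts, times and helper names are all assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format; only the quoted request line matters here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')

# Same whitelist the patch applies: ereg_replace("[^[:alnum:]-]", "", $dict)
DISALLOWED = re.compile(r'[^A-Za-z0-9-]')

# Constructed sample log lines (not real traffic); hosts and times are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Sep/2002:11:45:41 -0500] "GET /wordtrans.php?word=hello&dict=en-es HTTP/1.0" 200 1532',
    '10.0.0.9 - - [08/Sep/2002:11:46:02 -0500] "GET /cgi-bin/WordTrans.php?word=hola&dict=es-en.txt%20x HTTP/1.1" 200 2101',
    '10.0.0.7 - - [08/Sep/2002:11:46:30 -0500] "GET /index.html HTTP/1.0" 200 871',
    '10.0.0.9 - - [08/Sep/2002:11:47:10 -0500] "GET /wordtrans.php?word=%3Cscript%3E&dict=en-es HTTP/1.1" 200 2050',
    '10.0.0.9 - - [08/Sep/2002:11:48:00 -0500] "GET /wordtrans.php?word=x&dict=-es HTTP/1.1" 200 1990',
]

def sanitize_dict(value):
    """Python equivalent of the patch's filter on $dict."""
    return DISALLOWED.sub('', value)

def classify(line):
    """Return None for lines that are not wordtrans.php requests; otherwise a
    summary of the request with the reasons (if any) it looks like abuse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('uri'))
    if not parts.path.lower().endswith('/wordtrans.php'):  # nocase, as in the Snort rule
        return None
    findings = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for v in values:  # parse_qs has already percent-decoded the values
            if name == 'dict' and sanitize_dict(v) != v:
                findings.append('dict contains characters the patch strips: %r' % v)
            if v.startswith('-'):
                findings.append('%s begins with "-" (reaches the binary looking like an option)' % name)
            if re.search(r'[<>"\']', v):
                findings.append('%s carries HTML metacharacters (possible XSS): %r' % (name, v))
    return {'ip': m.group('ip'), 'uri': m.group('uri'),
            'suspicious': bool(findings), 'findings': findings}

def scan(lines):
    """Return the classified records for every suspicious wordtrans.php request."""
    hits = [classify(l) for l in lines]
    return [h for h in hits if h and h['suspicious']]
```

    Calling `scan(SAMPLE_LOG)` returns three records, one per flagged request, each listing the reasons it was flagged.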

    Clients of Guardent's Security Defense Appliance for Managed Intrusion
    Detection Security Services are already being monitored for abuses of this
    vulnerability.

    Recommendations:

    Users of the Red Hat Network can update their systems using the 'up2date'
    tool.

    Users of Debian can download the fixed wordtrans-web package version
    1.0beta2-2.5 from http://packages.debian.org/wordtrans-web

    Guardent has provided the following workarounds for popular versions of the
    wordtrans-web package. These workarounds are not meant to be a substitute
    for recommended vendor packages.

    The following patch is for version wordtrans-1.1pre8.php:

    *** wordtrans-1.1pre8.php.old
    - --- wordtrans-1.1pre8.php
    ***************
    *** 15,20 ****
    - --- 15,21 ----
      <head>
      <title>
      <?
    + $dict=ereg_replace("[^[:alnum:]-]","",$dict);
      if ($word == "") {
            if ($lang == "es")
                    echo "Interfaz Web de Wordtrans";
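    Review bot: the added ereg_replace() line filters only $dict, while the visible context shows $word and $lang are also request-controlled (and, with no explicit assignment from $HTTP_GET_VARS, depend on register_globals); since the advisory describes both command execution and cross-site scripting, confirm that every parameter handed to the "wordtrans" binary is wrapped in escapeshellarg() and every value echoed back into the page passes through htmlspecialchars(), because this one-line whitelist does not cover them.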

    The following patch is for version wordtrans-1.1pre9.php:

    *** wordtrans-1.1pre9.php.old
    - --- wordtrans-1.1pre9.php
    ***************
    *** 20,25 ****
    - --- 20,26 ----
      <head>
      <title>
      <?
    + $dict=ereg_replace("[^[:alnum:]-]","",$dict);
      if ($word == "") {
            if ($lang == "es")
                    echo "Interfaz Web de Wordtrans";
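    Review bot: the character class "[^[:alnum:]-]" keeps "-" anywhere in the value, so a $dict that begins with a hyphen survives the filter and reaches the "wordtrans" binary looking like a command-line option; either drop the hyphen from the allowed set or additionally reject values whose first character is "-" (for example `if (ereg("^-", $dict)) $dict = "";` immediately after the added line), and apply the same change to the identical pre8 patch above so the two workarounds stay consistent.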

    References:

    Guardent Client Advisory - Multiple wordtrans-web Vulnerabilities
         http://www.guardent.com/comp_news_advisories.html

    Red Hat Errata RHSA-2002-188
         http://rhn.redhat.com/errata/RHSA-2002-188.html

    Debian wordtrans-web package
         http://packages.debian.org/wordtrans-web

    The Common Vulnerabilities and Exposures project - CAN-2002-0837
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0837

    Credits:

    This vulnerability was discovered and researched by Allen Wilson of
    Guardent, Inc. Guardent would like to thank Mark J. Cox and the entire Red
    Hat Security Response Team as well as Matt Zimmerman of Debian GNU/Linux for
    their response and handling of this vulnerability.

    About Guardent:

    Guardent provides security and privacy programs for Global 2000
    organizations. Integrating consulting and managed services, Guardent helps
    financial services, life sciences, manufacturing, government and technology
    clients achieve their business objectives through the use of appropriate
    security and privacy measures. Guardent can assist your organization with
    Vulnerability Assessment Services, Managed Intrusion Detection and Firewall
    Services. Guardent can also provide assistance in developing an Incident
    Response Plan.

    For clients requiring support for these issues, please contact the Guardent
    Operations Center at (888) 456-3210 ext. 4 or by e-mailing
    clientcare@guardent.com.

    All media inquiries should be directed to:

    Dan McCall
    (617) 577-6500
    dan.mccall@guardent.com

    (C) Copyright 2002 Guardent, Inc.

    Permission is hereby granted for the electronic redistribution of this
    document. It is not to be edited or altered in any way without the express
    written consent of Guardent, Inc.

    Disclaimer: The information within this document may change without notice.
    Guardent will keep an updated version of this advisory on its web site at
    www.guardent.com for a limited period of time. Use of this information
    constitutes acceptance for use in an AS IS condition. There are NO
    warranties, implied or otherwise, with regard to this information or its
    use. ANY USE OF THIS INFORMATION IS AT THE USER'S RISK. In no event shall
    Guardent be liable for any damages whatsoever arising out of or in
    connection with the use or spread of this information.
