Subject: Security Alert Consensus #059
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Aug 24 2000 - 15:11:02 CDT


To: Security Express (SD397643)
Re: Your personalized newsletter

                     -- Security Alert Consensus --
                            Number 059 (00.35)
                         Thursday, August 24, 2000
                            Created for you by
                  Network Computing and the SANS Institute

----------------------------------------------------------------------

Welcome to SANS' distribution of the Security Alert Consensus.

----------------------------------------------------------------------

Tivoli Systems, Inc. has compiled a list of its top 10 recommendations
for companies seeking to align their e-business security policies with
business objectives and practices. Click below and view the top 10
recommendations within our Press Releases section.

http://info.tivoli.com/security/nc34

----------------------------------------------------------------------

This week saw a slight return in vulnerabilities involving cross-site
scripting, discussed at the beginning of this year ({00.07.004}
"Cross-site scripting vulnerability"). Critical Path's Web mail service,
which is used by AltaVista, US West, ICQ and Etrade, has been found to
be vulnerable to various types of JavaScript injection. Another advisory
also detailed how it is possible to induce IIS 5.0 to return various
user-submitted HTML, also making it vulnerable to cross-site scripting.
http://archives.neohapsis.com/archives/bugtraq/2000-08/0268.html
http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0105.html

While on the topic of Web-based e-mail services, a slight privacy
invasion was found in Hotmail. When used in conjunction with its instant
message service, expired accounts seemingly do not have their contact
list deleted. Therefore, if an account expires and is reregistered,
the new registrant will gain the prior user's list of contacts.
http://archives.neohapsis.com/archives/bugtraq/2000-08/0172.html

We are now signing the Consensus newsletter with PGP. The new SANS PGP
key is posted at
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).

Until next week,
Security Alert Consensus Team

************************************************************************

TABLE OF CONTENTS:

*** {00.35.007} MS00-059: IE Java VM Applet Vulnerability
*** {00.35.015} NAI VirusScan insecure application setting registry
                permissions
*** {00.35.017} Ipswitch Imail Web service DoS
*** {00.35.019} Win4U weak password encoding
*** {00.35.022} Webshield SMTP infinite loop DoS
*** {00.35.005} Update to {00.34.005}: Users can give themselves extra
                roles in Zope
*** {00.35.014} Trustix wrong permissions on httpsd binary
*** {00.35.030} Gnome lokkit leaves ports exposed
*** {00.35.001} Update to {00.27.010}: Remote command execution in ISC
                DHCP client
*** {00.35.002} Update to {00.30.001}: Cvsweb can provide shell access
*** {00.35.003} Update to {00.26.012}: Zope exposes insecure method
*** {00.35.004} FreeBSD proftpd port contains remote root compromise
*** {00.35.011} Update to {00.33.007}: Ntop web mode remote file reading
*** {00.35.026} HP-UX net.init /tmp/stcp.conf symlink attack
*** {00.35.010} SGI ProPack for Linux kernel capabilities patch
*** {00.35.031} SGI WorldView Wnn buffer overflow
*** {00.35.009} Watchguard Firebox Authentication DoS
*** {00.35.013} RapidStream VPN "rsadmin" default account
*** {00.35.012} OS/2 Warp FTP server DoS
*** {00.35.006} Xlockmore local root password retrieval
*** {00.35.008} Update to {00.33.010}: Brown Orifice Netscape
                vulnerability
*** {00.35.016} BEA WebLogic server proxy buffer overflows
*** {00.35.018} Netauth CGI directory traversal vulnerability
*** {00.35.020} Htgrep arbitrary file viewing via header/footer
                parameter
*** {00.35.021} Xchat executes commands embedded in URLs
*** {00.35.023} Becky! SMTP content-type buffer overflow
*** {00.35.024} ISS RealSecure SYN fragment DoS
*** {00.35.025} Update to {00.30.017}: Java Web server remote command
                execution
*** {00.35.027} Darxite multiple vulnerabilities
*** {00.35.028} Helix Gnome /tmp/helix-install permission vulnerability
*** {00.35.029} Helix installer system configuration file overwrite
*** {00.35.032} PHP-Nuke authentication bypass

--- Windows News -------------------------------------------------------

*** {00.35.007} MS00-059: IE Java VM Applet Vulnerability

Microsoft has released MS00-059 ("Patch Available for Java VM Applet
Vulnerability"). The vulnerability lets a malicious Web site "proxy"
connections off the user's system.

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/fq00-059.asp

Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2000-q3/0048.html

*** {00.35.015} NAI VirusScan insecure application setting registry
                permissions

A vulnerability has been found in Network Associates' VirusScan version
4.03a. The permissions of the
HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VirusScan\Tasks\Update
registry key allow all authenticated users to have modify access. This
allows a local user to set parameters that will cause VirusScan to
execute a provided command under LOCAL_SYSTEM privilege.

No patches have been made available. We suggest restricting the
permissions on the above-mentioned registry key to give authenticated
users just read-only access.

Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0087.html

*** {00.35.017} Ipswitch Imail Web service DoS

A denial of service has been found in Ipswitch Imail version 6.0. A
remote user can submit a long Host: header, which will cause a thread
to crash; repeatedly done, this will consume all the resources on a
server.

A patch is available at:
http://www.ipswitch.com/support/patches-upgrades.html#IMail

Source: Win2KSecAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2000-q3/0071.html

*** {00.35.019} Win4U weak password encoding

Win4U versions including and before 5.1 use a weak encoding scheme to
store passwords, making them easily retrievable by local users.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0201.html

*** {00.35.022} Webshield SMTP infinite loop DoS

Webshield SMTP server has been found vulnerable to a denial-of-service
attack whereby an e-mail addressed to a user at the local domain that
includes a trailing period will cause the server to recursively send
itself the message, eventually eating many resources on the system.

No patches have been made available. A recommended workaround suggests
adding "your.domain." in addition to "your.domain" to your local domain
list.

Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0101.html
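As an added example (not Webshield's code, nor from the advisory), here is how a gateway's local-domain check can be canonicalised so that "user@your.domain." is treated the same as "user@your.domain", with a Received:-header hop limit as a second guard against the mail loop the advisory describes. The domain names, hop limit and sample message are constructed for the example.

```python
# Local-domain matching and mail-loop guard for an SMTP gateway.
# Added example; not Webshield code. Assumes an MTA that decides
# "deliver locally" vs "relay" from the recipient's domain part.

MAX_HOPS = 30  # assumed hop limit; a count of this order is conventional


def canonical_domain(domain: str) -> str:
    """Canonical form of a mail domain: lowercase, trailing dots removed.

    "example.com." (an absolute DNS name) and "example.com" name the same
    zone, so both must map to the same key in the local-domain table.
    """
    return domain.strip().lower().rstrip(".")


def recipient_domain(address: str) -> str:
    """Domain part of an address; split on the last '@'."""
    local_part, sep, domain = address.strip().rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError("malformed address: %r" % address)
    return domain


def is_local_naive(address: str, local_domains) -> bool:
    """Literal comparison, the behaviour the advisory describes:
    "user@example.com." is not matched by a table entry "example.com"."""
    return recipient_domain(address) in set(local_domains)


def is_local(address: str, local_domains) -> bool:
    """Canonicalised comparison: trailing dot and letter case no longer matter."""
    table = {canonical_domain(d) for d in local_domains}
    return canonical_domain(recipient_domain(address)) in table


def route(address: str, local_domains, naive: bool = False) -> str:
    """'deliver' for a local recipient, 'relay' otherwise.

    With the naive check, mail for user@example.com. is relayed to the MX
    for example.com, which is this very server, and the loop begins.
    """
    check = is_local_naive if naive else is_local
    return "deliver" if check(address, local_domains) else "relay"


def received_hops(raw_message: str) -> int:
    """Count Received: fields in the header block (stops at the blank line).
    Folded continuation lines start with whitespace and are not counted."""
    hops = 0
    for line in raw_message.splitlines():
        if line == "":
            break
        if line.lower().startswith("received:"):
            hops += 1
    return hops


def loop_suspected(raw_message: str, max_hops: int = MAX_HOPS) -> bool:
    """Second line of defence: refuse a message that has been relayed too
    many times, whatever the cause of the loop."""
    return received_hops(raw_message) > max_hops


# Constructed sample: a message that has bounced around the same gateway.
SAMPLE_LOOPING_MESSAGE = (
    "Received: from mail.example.com by mail.example.com; hop\n" * 31
    + "From: sender@elsewhere.test\n"
    + "To: user@example.com.\n"
    + "\n"
    + "body\n"
)

if __name__ == "__main__":
    domains = ["example.com"]
    for addr in ("user@example.com", "user@example.com.", "user@EXAMPLE.COM."):
        print(addr, "naive:", route(addr, domains, naive=True),
              "fixed:", route(addr, domains))
    print("hops:", received_hops(SAMPLE_LOOPING_MESSAGE),
          "loop suspected:", loop_suspected(SAMPLE_LOOPING_MESSAGE))
```

The workaround in the advisory (listing "your.domain." beside "your.domain") is equivalent to pre-populating the table with both spellings; canonicalising at lookup time covers every spelling at once.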

--- Linux News ---------------------------------------------------------

*** {00.35.005} Update to {00.34.005}: Users can give themselves extra
                roles in Zope

Many vendors have released updated packages that correct the
vulnerability discussed in {00.34.005} ("Users can give themselves extra
roles in Zope").

Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-components-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-core-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-pcgi-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-services-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-zpublisher-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/Zope-ztemplates-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-components-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-core-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-pcgi-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-services-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-zpublisher-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/Zope-ztemplates-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-components-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-core-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-pcgi-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-services-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-zpublisher-2.1.7-5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/Zope-ztemplates-2.1.7-5cl.i386.rpm

Mandrake Linux:
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/Zope-2.1.6-2mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/Zope-components-2.1.6-2mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/Zope-core-2.1.6-2mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/Zope-pcgi-2.1.6-2mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/Zope-services-2.1.6-2mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/Zope-zpublisher-2.1.6-2mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/Zope-zserver-2.1.6-2mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/Zope-ztemplates-2.1.6-2mdk.i586.rpm

Red Hat Linux:
ftp://updates.redhat.com/powertools/6.2/noarch/Zope-Hotfix-DTML-08_17_2000-1.noarch.rpm

Debian Linux:
http://security.debian.org/dists/potato/updates/main/binary-alpha/zope_2.1.6-5.2_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/zope_2.1.6-5.2_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/zope_2.1.6-5.2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/zope_2.1.6-5.2_sparc.deb

Source: Debian, Red Hat, Mandrake, Conectiva (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-08/0259.html
http://archives.neohapsis.com/archives/bugtraq/2000-08/0198.html
http://archives.neohapsis.com/archives/bugtraq/2000-08/0231.html
http://archives.neohapsis.com/archives/vendor/2000-q3/0047.html

*** {00.35.014} Trustix wrong permissions on httpsd binary

Trustix has released a note indicating that the Apache-SSL binary ships
with world-writable permissions. This lets a local user potentially
compromise the system.

The immediate fix would be to run:
chmod 755 /usr/sbin/httpsd

Trustix has also released updated RPMs:
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/apache-ssl-1.3.12_1.39-7tr.i586.rpm

Source: Trustix (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-08/0179.html

*** {00.35.030} Gnome lokkit leaves ports exposed

The Gnome lokkit firewall rule-generation utility before version 0.41
may generate rules that leave open ports exposed, even though the user
chose to disallow access to all ports.

Version 0.41 corrects the vulnerability:
ftp://ftp.linux.org.uk/pub/linux/alan/Lokkit/gnome-lokkit-0.41.tar.gz

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0252.html

--- BSD News -----------------------------------------------------------

*** {00.35.001} Update to {00.27.010}: Remote command execution in ISC
                DHCP client

FreeBSD has released an updated dhcp port package to correct the
vulnerability discussed in {00.27.010} ("Remote command execution in
ISC DHCP client").

Download updated packages:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/isc-dhcp3-3.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/isc-dhcp3-3.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/isc-dhcp3-3.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/isc-dhcp3-3.0.b1.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/isc-dhcp3-3.0.b1.17.tgz

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-08/0093.html

*** {00.35.002} Update to {00.30.001}: Cvsweb can provide shell access

FreeBSD has released an updated cvsweb port package to correct the
vulnerability discussed in {00.30.001} ("Cvsweb can provide shell
access").

Download updated packages:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/cvsweb-1.93.1.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/cvsweb-1.93.1.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/cvsweb-1.93.1.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/cvsweb-1.93.1.10.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/cvsweb-1.93.1.10.tgz

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-08/0096.html

*** {00.35.003} Update to {00.26.012}: Zope exposes insecure method

FreeBSD has released updated Zope port packages that correct the
vulnerability discussed in {00.26.012} ("Zope exposes insecure method").

Download updated packages:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/zope-2.2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/zope-2.2.0.tgz

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-08/0099.html

*** {00.35.004} FreeBSD proftpd port contains remote root compromise

FreeBSD has released updated port packages of proftpd to correct the
previously discussed format string vulnerability/remote buffer overflow.

Download updated packages:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/ftp/proftpd-1.2.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/ftp/proftpd-1.2.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/ftp/proftpd-1.2.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/ftp/proftpd-1.2.0rc2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/ftp/proftpd-1.2.0rc2.tgz

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-08/0094.html

*** {00.35.011} Update to {00.33.007}: Ntop web mode remote file reading

FreeBSD has released an updated port package of ntop that corrects the
vulnerability discussed in {00.33.007} ("Ntop web mode directory
traversal/remote file reading").

Download updated packages:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/ntop-1.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/ntop-1.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/ntop-1.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/ntop-1.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/ntop-1.1.tgz

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-08/0095.html

--- HP-UX News ---------------------------------------------------------

*** {00.35.026} HP-UX net.init /tmp/stcp.conf symlink attack

A local symlink attack has been found in HP-UX version 11.00. It is
possible for a local user to create a symlink from /tmp/stcp.conf (if
it doesn't already exist), which will cause the system to
overwrite/create a file (with root permissions) on the next system
reboot.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0261.html

--- SGI News -----------------------------------------------------------

*** {00.35.010} SGI ProPack for Linux kernel capabilities patch

SGI has released ProPack for Linux patches that correct the
vulnerability previously discussed in {00.25.004} ("Linux kernel
setuid/setcap vulnerability").

ProPack for Linux patches are available at:
http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/

Source: SGI
http://archives.neohapsis.com/archives/bugtraq/2000-08/0163.html

*** {00.35.031} SGI WorldView Wnn buffer overflow

A remotely exploitable buffer overflow was found in Omron's WorldView
Wnn server when installed on Irix.

SGI has released a temporary workaround, available at:
http://archives.neohapsis.com/archives/vendor/2000-q3/0046.html

Source: SGI
http://archives.neohapsis.com/archives/vendor/2000-q3/0046.html

--- Network Appliances News --------------------------------------------

*** {00.35.009} Watchguard Firebox Authentication DoS

A denial of service has been found in Watchguard's Firebox II. A remote
attacker can submit a malformed URL to the authentication service
listening on Port 4100, which will cause the device to become
unresponsive.

Watchguard has released an updated service pack, available
at:
http://www.watchguard.com/support

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0162.html

*** {00.35.013} RapidStream VPN "rsadmin" default account

RapidStream VPN appliance models 2000, 4000 and 6000 with firmware
version 2.1 beta ship with a default account (rsadmin, no password)
hardcoded into the SSH server.

Version 2.1 is not affected; RapidStream recommends that users of version
2.1 beta block access to the SSH service.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0216.html

--- Other News ---------------------------------------------------------

*** {00.35.012} OS/2 Warp FTP server DoS

OS/2 Warp 4.5's included FTP server is vulnerable to a denial of service
whereby a remote attacker can send large amounts of data to the FTP
command channel, which will cause the service to stop responding.

IBM has released a patch for version 4.3 of the FTP service, available
at:
ftp://ftp.software.ibm.com/ps/products/tcpip/fixes/v4.3os2/ic27721/

For FTP versions prior to version 4.3, contact IBM support.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0166.html

--- Cross-Platform News ------------------------------------------------

*** {00.35.006} Xlockmore local root password retrieval

A vulnerability has been found in the xlockmore (and xlockmore-gl)
application that lets local users gain read access to /etc/shadow.

A third-party patch is available at:
http://archives.neohapsis.com/archives/bugtraq/2000-08/0191.html

Debian Linux:
http://security.debian.org/dists/slink/updates/binary-alpha/xlockmore-gl_4.12-5_alpha.deb
http://security.debian.org/dists/slink/updates/binary-alpha/xlockmore_4.12-5_alpha.deb
http://security.debian.org/dists/slink/updates/binary-i386/xlockmore-gl_4.12-5_i386.deb
http://security.debian.org/dists/slink/updates/binary-i386/xlockmore_4.12-5_i386.deb
http://security.debian.org/dists/slink/updates/binary-sparc/xlockmore-gl_4.12-5_sparc.deb
http://security.debian.org/dists/slink/updates/binary-sparc/xlockmore_4.12-5_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/xlockmore-gl_4.15-9_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/xlockmore_4.15-9_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/xlockmore-gl_4.15-9_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/xlockmore_4.15-9_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/xlockmore-gl_4.15-9_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/xlockmore_4.15-9_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/xlockmore-gl_4.15-9_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/xlockmore_4.15-9_sparc.deb

Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ecomm/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferrgraf/i386/xlockmore-4.17-1cl.i386.rpm

Source: Debian, Conectiva (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-08/0191.html
http://archives.neohapsis.com/archives/vendor/2000-q3/0045.html
http://archives.neohapsis.com/archives/bugtraq/2000-08/0212.html

*** {00.35.008} Update to {00.33.010}: Brown Orifice Netscape
                vulnerability

Netscape version 4.75 corrects the vulnerability discussed in
{00.33.010} ("Brown Orifice Netscape vulnerability"), which lets a
hostile Java applet view files on a user's computer and make them
available via the network to other users. Various vendors have provided
fixes.

Mandrake Linux:
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.0/RPMS/netscape-common-4.75-2mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.0/RPMS/netscape-communicator-4.75-2mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.0/RPMS/netscape-navigator-4.75-2mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.1/RPMS/netscape-common-4.75-2mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.1/RPMS/netscape-communicator-4.75-2mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.1/RPMS/netscape-navigator-4.75-2mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/netscape-castellano-4.75-1mdk.noarch.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/netscape-common-4.75-2mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/netscape-communicator-4.75-2mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/netscape-francais-4.75-1mdk.noarch.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/netscape-navigator-4.75-2mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/netscape-walon-4.75-1mdk.noarch.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/netscape-castellano-4.75-1mdk.noarch.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/netscape-catalan-4.75-1mdk.noarch.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/netscape-common-4.75-3mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/netscape-communicator-4.75-3mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/netscape-euskara-4.75-1mdk.noarch.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/netscape-francais-4.75-1mdk.noarch.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/netscape-navigator-4.75-3mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/netscape-russian-4.75-1mdk.noarch.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/netscape-walon-4.75-1mdk.noarch.rpm

Red Hat Linux:
ftp://updates.redhat.com/6.2/alpha/netscape-common-4.75-0.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/netscape-communicator-4.75-0.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/netscape-navigator-4.75-0.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/i386/netscape-common-4.75-0.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/netscape-communicator-4.75-0.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/netscape-navigator-4.75-0.6.2.i386.rpm

Caldera Linux:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/communicator-4.75-1OL.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/communicator-4.75-1S.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/communicator-4.75-1.i386.rpm

Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0/i386/netscape-common-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/netscape-communicator-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/netscape-navigator-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/netscape-common-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/netscape-communicator-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/netscape-navigator-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/netscape-common-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/netscape-communicator-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/netscape-navigator-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/netscape-common-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/netscape-communicator-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/netscape-navigator-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/netscape-common-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/netscape-communicator-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/netscape-navigator-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/netscape-common-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/netscape-communicator-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/netscape-navigator-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/netscape-common-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/netscape-communicator-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/netscape-navigator-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/netscape-common-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/netscape-communicator-4.75-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/netscape-navigator-4.75-1cl.i386.rpm

Source: Caldera, Conectiva, Red Hat, Mandrake (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-08/0265.html
http://archives.neohapsis.com/archives/bugtraq/2000-08/0230.html
http://archives.neohapsis.com/archives/bugtraq/2000-08/0236.html
http://archives.neohapsis.com/archives/bugtraq/2000-08/0263.html

*** {00.35.016} BEA WebLogic server proxy buffer overflows

Multiple buffer overflows have been found in all the proxy "plugins"
shipped with BEA's WebLogic server. It is possible for a remote attacker
to execute arbitrary code on the server running the proxy plugins
(available for Netscape Server, IIS, and Apache running on AIX, HP-UX,
Linux, Solaris and Windows).

BEA has released updated proxy plugins:
ftp://ftpna.bea.com/pub/releases/patches/SecurityBEA00-0500.zip

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0186.html

*** {00.35.018} Netauth CGI directory traversal vulnerability

Netauth.cgi from netwinsite.com allows the reading of arbitrary files
by using ".." notation in an HTTP request.

An updated copy of netauth.cgi is available at:
http://netwinsite.com/netauth/

Source: Win2KSecAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2000-q3/0072.html

*** {00.35.020} Htgrep arbitrary file viewing via header/footer
                parameter

The htgrep CGI allows a remote attacker to view arbitrary files on the
system (readable by the Web server's uid) by requesting the file to read
as a header or footer in the HTTP request.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0208.html

*** {00.35.021} Xchat executes commands embedded in URLs

Xchat version 1.3.9 through (and including) 1.4.2 will execute commands
embedded in a URL if a user selects the URL to be opened in Netscape.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0215.html

*** {00.35.023} Becky! SMTP content-type buffer overflow

A buffer overflow has been found in Becky! Internet Mail server version
1.26.03. It is possible for a remote attacker to execute arbitrary code
on the mail server.

Version 1.26.05 corrects the problem. It is available at:
http://www.rimarts.co.jp/index.html

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0234.html

*** {00.35.024} ISS RealSecure SYN fragment DoS

ISS RealSecure versions 3.2.1 and 3.2.2 on NT and Solaris are
vulnerable to various denial-of-service attacks involving fragmented
packets with the SYN flag set. Depending on the platform, this can lead
to the IDS engine crashing or consuming all available CPU time, while
failing to log other network activity during that time.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0267.html

*** {00.35.025} Update to {00.30.017}: Java Web server remote command
                execution

An updated advisory was released concerning the vulnerability discussed
in {00.30.017} ("Java Web server remote command execution"). It is
possible for a remote attacker to execute arbitrary commands on the Web
server by using various included sample applications and servlets
shipped with Sun Java Web server. It is also possible to leverage this
vulnerability through the administration server (Port 9090).

Patches for Java Web server versions 1.1.3 and 2.0 are available at:
http://java.sun.com/products/java-server/jws113patch3.html
http://java.sun.com/products/java-server/jws20patch3.html

Source: Bugtraq

*** {00.35.027} Darxite multiple vulnerabilities

Darxite version 0.4 and prior contain multiple vulnerabilities. A
remotely exploitable buffer overflow is possible if an attacker sends
a long user name or password. The included daemon also defaults to no
password. Finally, various other buffer overflows let a remote site
crash the service upon retrieval.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0256.html

*** {00.35.028} Helix Gnome /tmp/helix-install permission vulnerability

Helix has released an advisory that details problems with the Helix
update, versions 0.1 through 0.5. It is possible for a local user to
create the /tmp/helix-install directory and therefore place RPMs for
installation by root into the directory.

An updated RPM is available:

Caldera OpenLinux eDesktop systems:
http://spidermonkey.helixcode.com/distributions/Caldera-2.4/helix-update-0.6-0_helix_2.i386.rpm

LinuxPPC systems:
http://spidermonkey.helixcode.com/distributions/LinuxPPC/helix-update-0.6.0_helix_2.ppc.rpm

Linux Mandrake systems:
http://spidermonkey.helixcode.com/distributions/Mandrake/helix-update-0.6-0mdk_helix_2.i586.rpm

Red Hat Linux systems:
http://spidermonkey.helixcode.com/distributions/RedHat-6/helix-update-0.6-0_helix_2.i386.rpm

Solaris systems:
http://spidermonkey.helixcode.com/distributions/Solaris/helix-update-0.6-0_helix_1.sparc64.rpm

SuSE 6.3 systems:
http://spidermonkey.helixcode.com/distributions/SuSE/hupdate-0.6-0_helix_2.i386.rpm

SuSE 6.4 systems:
http://spidermonkey.helixcode.com/distributions/SuSE-6.4/hupdate-0.6-0_helix_2.i386.rpm

TurboLinux systems:
http://spidermonkey.helixcode.com/distributions/TurboLinux-6/helix-update-0.6-0_helix_3.i386.rpm

Source: Helix (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-08/0240.html

*** {00.35.029} Helix installer system configuration file overwrite

A vulnerability in the Helix installer versions 0.1 through 0.5 may let
a local attacker cause blank system configuration files
(/etc/config.d/bashrc, /etc/config.d/csh.cshrc, /etc/rc.config, etc) to
be written if they create particular /tmp directories.

Updated installers are available.

Supported i386 systems:
http://spidermonkey.helixcode.com/installer-latest-intel.gz

Supported PPC systems:
http://spidermonkey.helixcode.com/installer-latest-ppc.gz

Supported UltraSparc Solaris systems:
http://spidermonkey.helixcode.com/installer-latest-solaris.Z

Source: Helix (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-08/0251.html

*** {00.35.032} PHP-Nuke authentication bypass

PHP-Nuke versions prior to 3.0 contain a vulnerability that allows a
remote user to gain administrative access by submitting a particular
authentication URL.

Version 3.0 corrects the vulnerability:
http://www.ncc.org.ve/php-nuke.php3

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0243.html

************************************************************************

------------------------------------------------------------------------

If this e-mail was passed to you and you would like to begin receiving
our security e-mail newsletter on a weekly basis, we invite you to
subscribe today at http://www.sans.org/sansnews/. Become a Security
Alert Consensus member!

Special Note:
To better secure your confidential information, we will no longer
include personal URLs in our Consensus newsletter mailings. Instead, we
have created a new form, located at http://www.sans.org/sansurl. There,
you can enter the SD number located near your name at the top of the
newsletter. When you submit this form, an e-mail containing a URL will
be sent to you at the e-mail address on record. With this URL, you can
make changes to your account (edit the content of your Consensus
mailing, for example) without endangering the security of your personal
URL. If you'd like to change your e-mail address or other information
or unsubscribe to this newsletter, please visit your new URL as
described above. If you have any problems or questions, e-mail us at
<consensus@nwc.com>.

Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at
http://archives.neohapsis.com/.

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.

Copyright (c) 2000 CMP Media Inc. A service of Network Computing. All
Rights Reserved.

Distributed by Network Computing (http://www.networkcomputing.com) and
The SANS Institute (http://www.sans.org).