From: Network Computing and The SANS Institute (sans at sans.org)
Date: Thu Apr 05 2001 - 21:34:37 CDT
To: Security Express (SD397643)
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 091 (01.14)
Thursday, April 5, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to SANS' distribution of the Security Alert Consensus.
----------------------------------------------------------------------
Sponsored by VeriSign - The Internet Trust Company
Do you need to encrypt all your online transactions? Whatever security
your site needs, you'll find the perfect solution in this FREE Guide
from VeriSign, "Securing Your Web site for Business." Get your copy
today! Click here!
http://www.verisign.com/cgi-bin/go.cgi?a=n094530110016000
----------------------------------------------------------------------
A lot of recent talk has surrounded Internet worms. While worms like
"1i0n" and "adore" have made headlines and are problems with which we
should be concerned, we'd like to remind readers that these worms are
based on exploiting KNOWN vulnerabilities (Bind, LPRng and so on).
Organizations that have stayed on top of their patching efforts need
not worry. Organizations that haven't have some work to do! For those
interested, information on the latest worm trends can be found on the
GIAC site:
http://www.sans.org/giac.htm
Those users trying to manage the onslaught of service packs, hot fixes
and patches spewed forth by Microsoft on an almost-daily basis will be
happy to receive three new resources to aid in the battle. First off,
Microsoft has released a searchable tool that allows users to query the
appropriate hot fixes for their system based on installed products and
service packs:
http://archives.neohapsis.com/archives/vendor/2001-q1/0092.html
Next, XATO has taken the time to document and produce tools for users
trying to keep their Windows 2000 IIS servers free of defacements:
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0124.html
Finally, Phil Cox has publicly released his Windows 2000 hardening
guidelines:
http://archives.neohapsis.com/archives/ntbugtraq/2001-q1/0051.html
Until next week,
- Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.14.017} Win - MS01-019: Passwords for compressed folders are
recoverable
{01.14.021} Win - MS01-020: Incorrect MIME header can cause IE to
execute e-mail attachment
{01.14.024} Win - Website Pro HTTP manager service /dyn/ DoS
{01.14.026} Win - Update {01.13.011}: MS01-017: Spoofed MS VeriSign
certificates released
{01.14.030} Win - IE MSScriptControl.ScriptControl local file exposure
{01.14.032} Win - The Bat! attachment cloaking
{01.14.033} Win - Navision Financials Server long request DoS
{01.14.034} Win - Trend Micro ScanMail for Exchange exposes
administrative credentials
{01.14.035} Win - Trend Micro Virus Buster long e-mail header buffer
overflow
{01.14.038} Win - JavaServer Web Dev Kit file retrieval
{01.14.041} Win - Elron Internet Manager HTTP server file retrieval
{01.14.042} Win - 602Pro Lansuite multiple '..' HTTP request DoS
{01.14.043} Win - Internet Publisher OLEDB may act as proxy
{01.14.007} Linux - Update {01.11.011}: ePerl buffer overflows
{01.14.008} Linux - Update {01.10.012}: JOE reads configuration file
from current directory
{01.14.009} Linux - Update {01.13.019}: Multiple OpenSSH vulnerabilities
{01.14.018} Linux - Update {01.13.004}: Malicious embedded VIM control
codes
{01.14.019} Linux - Update {01.11.018}: MIT Kerberos improper temp file
handling
{01.14.028} Linux - Pitbull LX sysctl() can bypass security restrictions
{01.14.036} Sol - tip environment variable buffer overflow
{01.14.011} AIX - lsfs calls lslv/grep via user's PATH
{01.14.012} AIX - Update {01.08.007}: Vixie cron long user name buffer
overflow
{01.14.013} AIX - Obtuse Kerberos-related security problem fixed
{01.14.020} NW - BorderManager VPN connection flood DoS
{01.14.014} HPUX - CDE periodic patch fixes rpc.cmsd buffer overflow
{01.14.001} SCO - lpshut command line argument buffer overflow
{01.14.002} SCO - lpusers -u command line parameter buffer overflow
{01.14.003} SCO - recon command line argument buffer overflow
{01.14.004} SCO - lpforms command line argument buffer overflow
{01.14.005} SCO - Deliver command line argument buffer overflow
{01.14.006} SCO - lpadmin command line argument buffer overflow
{01.14.040} SCO - MMDF sendmail command line argument buffer overflow
{01.14.015} NApps - Cisco VPN3000 concentrator telnet/SSL flood DoS
{01.14.016} NApps - NetScreen allows 'denied' traffic to pass to DMZ
{01.14.010} Cross - Bind 9.1.1 released
{01.14.022} Cross - Silent Runner SMTP HELO command buffer overflow
{01.14.023} Cross - Apache Tomcat source code disclosure
{01.14.025} Cross - Inframail malformed HTTP POST URL DoS
{01.14.027} Cross - BEA Weblogic Server exposes source code (take three)
{01.14.029} Cross - Shareplex qview exposes file contents
{01.14.031} Cross - CrazyWWWBoard ASC cookie buffer overflow
{01.14.037} Cross - Anaconda Clipper HTTP server file retrieval
{01.14.039} Cross - CCC/Harvest weak password authentication mechanism
--- Windows News -------------------------------------------------------
*** {01.14.017} Win - MS01-019: Passwords for compressed folders are
recoverable
Microsoft has released MS01-019 ("Passwords for compressed folders are
recoverable"). The password protection mechanism included with the
folder compression feature in Plus! 98 and Windows ME has been found to
record the passwords into a file. This could allow an attacker, who has
access to the user's hard drive, to retrieve the passwords and thus the
contents in protected compressed folders.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-019.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q1/0090.html
*** {01.14.021} Win - MS01-020: Incorrect MIME header can cause IE to
execute e-mail attachment
Microsoft has released MS01-020 ("Incorrect MIME header can cause IE to
execute e-mail attachment"). Windows Explorer and Internet Explorer have
been found to automatically launch/preview files ending in an .EML
extension (or appropriate MIME type). While not specifically limited to
e-mail, e-mail does offer the easiest route of exploitation. The end
result is that a user may execute a malicious application/e-mail
attachment.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q1/0094.html
*** {01.14.024} Win - Website Pro HTTP manager service /dyn/ DoS
Website Pro version 3.0.37 has been found to contain a denial of service
in the included remote Web manager. It's possible for a remote attacker
to eventually cause the service to crash by making multiple connections
to the /dyn/ directory.
This vulnerability has not been confirmed. No patches have been made
available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0425.html
*** {01.14.026} Win - Update {01.13.011}: MS01-017: Spoofed MS VeriSign
certificates released
Microsoft has released the patch that fixes the vulnerability discussed
in {01.13.011} ("MS01-017: Spoofed MS VeriSign certificates released").
The patch contains a local Certificate Revocation List (CRL), which
includes the two spoofed certificates.
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q1/0091.html
*** {01.14.030} Win - IE MSScriptControl.ScriptControl local file
exposure
The MSScriptControl.ScriptControl ActiveX control shipped with Internet
Explorer 5.5 (tested on Windows 2000) has been found to allow a
malicious Web site to access arbitrary files on the user's system.
This vulnerability has not been confirmed.
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0128.html
*** {01.14.032} Win - The Bat! attachment cloaking
An advisory has surfaced indicating that it's possible to misrepresent,
or 'cloak,' a malicious attachment in an e-mail viewed by The Bat!
e-mail reader version 1.51. The malicious attachment may appear as
another legitimate document type, which may deceive the user into
executing/double-clicking on it.
The advisory indicates vendor confirmation and a forthcoming patch.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0013.html
*** {01.14.033} Win - Navision Financials Server long request DoS
It has been reported that Navision Financials Server versions 2.50 and
2.60 contain a denial of service whereby a remote attacker can send a
particularly large amount of characters to the listening service,
causing it to crash.
Navision has released a patch, which is available at:
http://www.navision.com/com/view.asp?documentID=258
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q2/0002.html
*** {01.14.034} Win - Trend Micro ScanMail for Exchange exposes
administrative credentials
Trend Micro's ScanMail for Exchange has been found to use a weak
encoding scheme to store the administrative credentials used by the
service in the Windows registry. The registry keys allow anyone full
access, which may allow an attacker to gain the encoded credentials,
decode them and use them to log into the specified domain with
administrative privileges.
The advisory indicates that the vendor has confirmed the problem and
recommends changing the ACLs on the appropriate registry keys (list in
advisory below) as a workaround.
Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2001-q1/0049.html
*** {01.14.035} Win - Trend Micro Virus Buster long e-mail header
buffer overflow
Trend Micro's Virus Buster 2001 (Japanese virus scanner) version 8.02
has been found to contain a buffer overflow in the handling of long
e-mail headers -- viewed when a user imports e-mail via POP.
Version 8.03 is not vulnerable and is available (in Japanese) at:
http://www.trendmicro.co.jp/homeuser/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0453.html
*** {01.14.038} Win - JavaServer Web Dev Kit file retrieval
The JavaServer Web Dev Kit (JSWDK) version 1.0.1 (tested on Windows
2000) has been found to allow a remote attacker to access files outside
the Web root by submitting a reverse directory notation ('..') URL
request.
This vulnerability has not been confirmed. No patches have been made
available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0437.html
*** {01.14.041} Win - Elron Internet Manager HTTP server file retrieval
Elron's Internet Manager product suite prior to version 3.0.4 includes
an HTTP server that has been found to allow a remote attacker to access
arbitrary files by using reverse directory notation ('..') in URL
requests.
The vendor has confirmed the problem. Version 3.0.4 is patched.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0345.html
http://archives.neohapsis.com/archives/bugtraq/2001-03/0382.html
*** {01.14.042} Win - 602Pro Lansuite multiple '..' HTTP request DoS
602Software's Lansuite version 1.0.34 has been found to contain a denial
of service whereby a remote attacker can submit a URL request with a
large number of '..' characters. The service crashes as a result.
This vulnerability has not been confirmed. No patches have been made
available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0374.html
*** {01.14.043} Win - Internet Publisher OLEDB may act as proxy
A noted researcher has issued an advisory indicating that it may be
possible for a malicious Web site or e-mail to 'bounce', or proxy, off
a user's system by using the "Microsoft OLE DB Provider for Internet
Publishing" ActiveX scripting control. It also may be possible to read
Web-based Exchange e-mail, if a user's system is set to
auto-authenticate to the Exchange Web server (this may occur if the user
has already authenticated).
No patches have been made available.
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0123.html
--- Linux News ---------------------------------------------------------
*** {01.14.007} Linux - Update {01.11.011}: ePerl buffer overflows
SuSE has released updated ePerl packages that fix the vulnerability
discussed in {01.11.011} ("ePerl buffer overflows").
Updated SuSE RPMs are listed at:
http://archives.neohapsis.com/archives/linux/suse/2001-q1/1542.html
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2001-q1/1542.html
*** {01.14.008} Linux - Update {01.10.012}: JOE reads configuration
file from current directory
SuSE has released updated JOE packages that fix the vulnerability
discussed in {01.10.012} ("JOE reads configuration file from current
directory").
Updated SuSE RPMs are listed at:
http://archives.neohapsis.com/archives/linux/suse/2001-q1/1543.html
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2001-q1/1543.html
*** {01.14.009} Linux - Update {01.13.019}: Multiple OpenSSH
vulnerabilities
Conectiva and Trustix have released updated OpenSSH packages that fix
the vulnerability discussed in {01.13.019} ("Multiple OpenSSH
vulnerabilities").
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0022.html
Updated Trustix RPM information:
http://archives.neohapsis.com/archives/bugtraq/2001-03/0447.html
Source: Conectiva, Trustix (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0022.html
http://archives.neohapsis.com/archives/bugtraq/2001-03/0447.html
*** {01.14.018} Linux - Update {01.13.004}: Malicious embedded VIM
control codes
Immunix has released updated VIM packages to fix the vulnerability
discussed in {01.13.004} ("Malicious embedded VIM control codes").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0092.html
Source: Immunix
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0092.html
*** {01.14.019} Linux - Update {01.11.018}: MIT Kerberos improper temp
file handling
Immunix has released updated Kerberos packages to fix the vulnerability
discussed in {01.11.018} ("MIT Kerberos improper temp file handling").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0093.html
Source: Immunix
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0093.html
*** {01.14.028} Linux - Pitbull LX sysctl() can bypass security
restrictions
Argus' Pitbull LX has been found to not properly restrict calls to the
sysctl() system function, although it does limit access to /proc/sys/.
This allows local users to read system configuration information and
the local root user to bypass the security restrictions and tamper with
the system.
Argus has confirmed the problem and released a patch:
http://archives.neohapsis.com/archives/bugtraq/2001-03/0485.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0475.html
http://archives.neohapsis.com/archives/bugtraq/2001-03/0485.html
--- Solaris News -------------------------------------------------------
*** {01.14.036} Sol - tip environment variable buffer overflow
The tip application shipped with Solaris 2.5 through 8 has been found
vulnerable to a buffer overflow in the handling of environment
variables. This allows a local attacker to gain 'uucp' privileges.
Sun is currently working on a patch. An exploit has been published.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0394.html
--- AIX News -----------------------------------------------------------
*** {01.14.011} AIX - lsfs calls lslv/grep via user's PATH
IBM has released an APAR for lsfs to fix a security vulnerability that
would allow local attackers to place trojaned lslv and grep binaries in
their path, causing lsfs to execute them with elevated privileges.
IBM has released APAR IY16909, which fixes the problem.
Source: IBM
http://archives.neohapsis.com/archives/aix/2001-q2/0000.html
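The lsfs item above is an instance of a general defect: a privileged program locating its helpers through the caller's PATH. The following is an added example, not IBM's code or the APAR fix; it compares that lookup with a hardened one that ignores the environment. The trusted directory list is an assumption, and the fake 'grep' is a constructed placeholder that is located but never executed.

```python
"""Why a privileged program must not locate helpers via the caller's PATH.

Added example (not IBM's code or the lsfs fix). A constructed temporary
directory stands in for an attacker-writable directory placed first in
PATH; the 'grep' inside it is only located, never run.
"""
import os
import shutil
import stat
import tempfile
from typing import Dict, Optional

# Directories a privileged program should trust for its helpers (assumed list).
TRUSTED_DIRS = ["/usr/sbin", "/usr/bin", "/bin"]


def resolve_via_caller_path(name: str, env_path: str) -> Optional[str]:
    """The vulnerable pattern: first match for `name` anywhere in the
    supplied PATH, exactly as a shell or execvp()-style lookup does."""
    return shutil.which(name, path=env_path)


def resolve_trusted(name: str) -> Optional[str]:
    """The hardened pattern: ignore the environment and look only in a
    fixed list of system directories. Only bare helper names are accepted."""
    if "/" in name:
        return None
    return shutil.which(name, path=os.pathsep.join(TRUSTED_DIRS))


def scrubbed_environment(env: Dict[str, str]) -> Dict[str, str]:
    """Environment a setuid program should hand to any helper it runs:
    a fixed PATH and none of the loader or shell variables that can
    redirect program lookup."""
    dangerous = ("LD_", "IFS", "ENV", "BASH_ENV")
    clean = {k: v for k, v in env.items() if not k.startswith(dangerous)}
    clean["PATH"] = os.pathsep.join(TRUSTED_DIRS)
    return clean


def demo() -> Dict[str, bool]:
    """Plant a fake 'grep' in a temp dir, put that dir first in a PATH
    string, and compare both lookups. Returns what each resolved to."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "grep")
        with open(fake, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")  # harmless placeholder, never run
        os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR)
        attacker_path = os.pathsep.join([tmp] + TRUSTED_DIRS)
        naive = resolve_via_caller_path("grep", attacker_path)
        hardened = resolve_trusted("grep")
        return {
            # the PATH-based lookup picks the planted binary first
            "naive_hijacked": naive == fake,
            # the fixed-directory lookup never sees the temp dir
            "hardened_hijacked": hardened == fake,
            "hardened_in_trusted": hardened is None
            or any(hardened.startswith(d + "/") for d in TRUSTED_DIRS),
        }


if __name__ == "__main__":
    print(demo())
```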
*** {01.14.012} AIX - Update {01.08.007}: Vixie cron long user name
buffer overflow
IBM has released APARs IY17048 and IY17261 to fix the vulnerability
discussed in {01.08.007} ("Vixie cron long user name buffer overflow").
Source: IBM
http://archives.neohapsis.com/archives/aix/2001-q2/0000.html
*** {01.14.013} AIX - Obtuse Kerberos-related security problem fixed
IBM has released APAR 17480 to fix a "security issue" in Kerberos 4. If
we had to hazard a guess, we'd say it was related to {01.11.018} ("MIT
Kerberos improper temp file handling"). If anyone from IBM is reading,
please hear our plea for verbosity beyond what you currently provide:
PROBLEM DESCRIPTION:
Kerberos 4 security problem
PROBLEM SUMMARY:
Security issue
PROBLEM CONCLUSION:
Security issue resolved
Source: IBM
http://archives.neohapsis.com/archives/aix/2001-q2/0000.html
--- NetWare News -------------------------------------------------------
*** {01.14.020} NW - BorderManager VPN connection flood DoS
A report has surfaced indicating that BorderManager version 3.5 is
vulnerable to a denial of service attack. Multiple connections to the
VPN key exchange service listening on port 353 will cause the
BorderManager service to no longer accept incoming VPN connections.
This vulnerability has not been confirmed.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2001-q2/0020.html
--- HP-UX News ---------------------------------------------------------
*** {01.14.014} HPUX - CDE periodic patch fixes rpc.cmsd buffer overflow
In our fight against vendors that hide security vulnerabilities with
very vague problem/resolution descriptions, we'd like to mention that
HP has released its periodic CDE update to fix a "buffer overflow in
rpc.cmsd." We have no further information on the vulnerability; we don't
even know for sure if it is a security vulnerability -- although it's
hard to imagine that a buffer overflow in a previously vulnerable
network-accessible RPC service is "not" a security problem.
We believe this is not related to the popular multivendor rpc.cmsd
vulnerability found over a year ago ("{99.11.023} HP-UX update for
rpc.cmsd").
Patches are as follows:
HP-UX 10.10: PHSS_23355
HP-UX 10.20: PHSS_23516
HP-UX 11.00: PHSS_23517
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q1/0102.html
--- SCO News -----------------------------------------------------------
*** {01.14.001} SCO - lpshut command line argument buffer overflow
The lpshut application shipped with SCO OpenServer version 5.0.6 has
been found to contain an exploitable buffer overflow in the handling of
command line arguments. The lpshut app is suid bin, allowing local users
to elevate their privileges.
The advisory indicates vendor confirmation. No patches have been
released.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0404.html
*** {01.14.002} SCO - lpusers -u command line parameter buffer overflow
The lpusers application shipped with SCO OpenServer version 5.0.6 has
been found to contain an exploitable buffer overflow in the handling of
the '-u' command line argument parameter. The lpusers app is suid bin,
allowing local users to elevate their privileges.
The advisory indicates vendor confirmation. No patches have been
released.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0407.html
*** {01.14.003} SCO - recon command line argument buffer overflow
The recon application shipped with SCO OpenServer version 5.0.6 has been
found to contain an exploitable buffer overflow in the handling of
command line arguments. The recon app is suid root, allowing local users
to elevate their privileges.
The advisory indicates vendor confirmation. No patches have been
released.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0410.html
*** {01.14.004} SCO - lpforms command line argument buffer overflow
The lpforms application shipped with SCO OpenServer version 5.0.6 has
been found to contain an exploitable buffer overflow in the handling of
command line arguments. The lpforms app is suid bin, allowing local
users to elevate their privileges.
The advisory indicates vendor confirmation. No patches have been
released.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0416.html
*** {01.14.005} SCO - Deliver command line argument buffer overflow
The Deliver application shipped with the SCO OpenServer version 5.0.6
MMDF package has been found to contain an exploitable buffer overflow
in the handling of command line arguments. The deliver app is suid root,
allowing local users to elevate their privileges.
The advisory indicates vendor confirmation. This vulnerability is
related to {00.09.004} ("SCO SSE062: Patch for MMDF buffer overflow").
No patches have been released.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0418.html
*** {01.14.006} SCO - lpadmin command line argument buffer overflow
The lpadmin application shipped with SCO OpenServer version 5.0.6 has
been found to contain an exploitable buffer overflow in the handling of
command line arguments. The lpadmin app is suid bin, allowing local
users to elevate their privileges.
The advisory indicates vendor confirmation. No patches have been
released.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0421.html
*** {01.14.040} SCO - MMDF sendmail command line argument buffer
overflow
The sendmail application shipped with the SCO OpenServer version 5.0.6
MMDF package has been found to contain an exploitable buffer overflow
in the handling of command line arguments. Sendmail is suid root,
allowing local users to elevate their privileges.
The advisory indicates vendor confirmation. No patches have been
released.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0417.html
--- Network Appliances News --------------------------------------------
*** {01.14.015} NApps - Cisco VPN3000 concentrator telnet/SSL flood DoS
Cisco has released an advisory indicating a denial of service attack
against the VPN3000 concentrator devices. A remote attacker can flood
the telnet and/or SSL ports of the device, causing it to reboot.
Firmware versions prior to 3.0.0 are vulnerable.
Firmware version 3.0.0 is available from Cisco.
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2001-q1/0016.html
*** {01.14.016} NApps - NetScreen allows 'denied' traffic to pass to DMZ
NetScreen has released an advisory indicating a vulnerability that may
allow traffic, which is explicitly denied by the firewall rules, to be
passed to the DMZ segment. NetScreen-10 and NetScreen-100 devices are
affected.
NetScreen has released updated ScreenOS firmware for both NetScreen-10
and NetScreen-100 devices:
1.6x -> 1.66r2
2.0 -> 2.01r8
2.5 -> 2.5.0r6
Source: NetScreen (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-03/0375.html
--- Cross-Platform News ------------------------------------------------
*** {01.14.010} Cross - Bind 9.1.1 released
Bind version 9.1.1 is now available. Version 9.1.1 is a maintenance
release, meaning that its primary purpose is to correct known bugs. A
few of the bugs could be used in denial of service situations;
therefore, we highly recommend upgrading.
Source code is available at:
ftp://ftp.isc.org/isc/bind9/9.1.1/bind-9.1.1.tar.gz
Source: BIND
http://archives.neohapsis.com/archives/bind/2001/0019.html
*** {01.14.022} Cross - Silent Runner SMTP HELO command buffer overflow
Silent Runner Collector (the network 'sniffer' portion of the Silent
Runner suite) version 1.6.1 has been found to contain a buffer overflow
in the handling of SMTP HELO commands that are sniffed from the network.
The vulnerability causes the Collector application to crash, thus
disabling network/IDS monitoring.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0454.html
*** {01.14.023} Cross - Apache Tomcat source code disclosure
Various versions of Apache Tomcat, including 4.0-b2 and prior, contain
multiple malformed URL vulnerabilities that would either expose the
source code of a JSP page or allow directory browsing on the server.
Please note that we are consolidating multiple advisories into one item,
since the exploit mechanism is approximately the same.
The Apache Tomcat team has confirmed some of the vulnerabilities. No
patches have been made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0436.html
http://archives.neohapsis.com/archives/bugtraq/2001-03/0464.html
http://archives.neohapsis.com/archives/bugtraq/2001-03/0492.html
http://archives.neohapsis.com/archives/bugtraq/2001-03/0498.html
http://archives.neohapsis.com/archives/bugtraq/2001-04/0003.html
*** {01.14.025} Cross - Inframail malformed HTTP POST URL DoS
The Inframail Internet service suite has been found vulnerable to a
denial of service in the included HTTP Web and management services. A
remote attacker can cause the entire suite to crash by submitting
particular malformed HTTP POST requests.
This vulnerability has not been confirmed. No patches have been made
available.
Vendor's homepage:
http://www.infradig.com/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0428.html
*** {01.14.027} Cross - BEA Weblogic Server exposes source code (take
three)
An advisory has surfaced indicating a source code exposure vulnerability
in BEA Weblogic version 5.1.0sp6 and possibly prior. By submitting the
request URL with particular URL hex encoding, a remote attacker can gain
access to a page's source code.
This vulnerability has not been confirmed.
Please note that this source code disclosure vulnerability uses a
different mechanism than those previously reported as {00.32.025},
{00.27.014}, and {00.25.023}. Some of the vulnerabilities may be unique
only to the combination of WebLogic and iPlanet servers (WebLogic and
Apache seem to be immune).
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0463.html
*** {01.14.029} Cross - Shareplex qview exposes file contents
A vulnerability in the included qview application of Quest Software's
Shareplex suite prior to version 2.1.3.21 allows a local attacker to
view the contents of arbitrary files on the system.
The vendor has confirmed this vulnerability and released version
2.1.3.21.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0482.html
*** {01.14.031} Cross - CrazyWWWBoard ASC cookie buffer overflow
CrazyWWWBoard versions 2000p4 and 2000LEp5 have been found to contain
a buffer overflow in the handling of the ASC cookie value. This allows
a remote attacker to execute arbitrary code under the privileges of the
Web server.
This vulnerability has not been confirmed. An exploit has been released.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0487.html
*** {01.14.037} Cross - Anaconda Clipper HTTP server file retrieval
Anaconda's Clipper HTTP server version 3.3 has been found to allow a
remote attacker to retrieve arbitrary files from the server (readable
by the Web server UID) by using reverse directory traversal ('..')
notation in the template parameter of a URL request.
This vulnerability has not been confirmed. No patches have been made
available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0395.html
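Several items in this issue share one mechanism: a URL carrying reverse directory notation ('..') that either escapes the Web root ({01.14.038} JSWDK, {01.14.041} Elron Internet Manager, {01.14.037} Anaconda Clipper) or, repeated many times, crashes the server ({01.14.042} 602Pro Lansuite). The following is an added example, not code from the newsletter or from any vendor named in it: it flags such requests in constructed access-log lines and shows the path resolution a server needs to stay inside its document root. The document root and the log lines are constructed samples.

```python
"""Detect '..' directory traversal in request URLs and resolve paths safely.

Added example (not from the newsletter or any vendor it names). Covers the
pattern shared by the JSWDK, Elron, 602Pro Lansuite and Anaconda Clipper
items: a URL with '..' segments that escapes the Web root or, repeated many
times, crashes the server. All paths and log lines are constructed samples.
"""
import posixpath
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed document root; a real server would use its configured root.
WEB_ROOT = "/var/www/htdocs"

# Constructed common-log-format lines: one benign request, three traversal
# attempts (plain, percent-encoded, backslash-separated) and one '..' that
# still resolves inside the root.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Apr/2001:21:34:37 -0500] "GET /index.html HTTP/1.0" 200 1234
10.0.0.9 - - [05/Apr/2001:21:35:02 -0500] "GET /../../../etc/passwd HTTP/1.0" 200 812
10.0.0.9 - - [05/Apr/2001:21:35:10 -0500] "GET /%2e%2e/%2e%2e/winnt/win.ini HTTP/1.0" 200 405
10.0.0.9 - - [05/Apr/2001:21:35:40 -0500] "GET /templates/..\\..\\boot.ini HTTP/1.0" 404 0
10.0.0.7 - - [05/Apr/2001:21:36:00 -0500] "GET /docs/../docs/index.html HTTP/1.0" 200 1234
"""

REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def normalize_url_path(url: str) -> str:
    """Strip the query string, decode percent-encoding twice (to catch
    double encoding) and fold backslashes to slashes, so a '..' segment
    cannot hide behind encoding or Windows-style separators."""
    path = url.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path.replace("\\", "/")


def dotdot_segments(url: str) -> int:
    """Number of '..' segments in the decoded path (a large count is the
    602Pro-style crash pattern; any count is worth logging)."""
    return normalize_url_path(url).split("/").count("..")


def is_traversal(url: str) -> bool:
    """Conservative detector: any '..' segment is flagged, even one that
    would still resolve inside the root, since normal clients do not send
    them."""
    return dotdot_segments(url) > 0


def resolve_under_root(url: str, root: str = WEB_ROOT) -> Optional[str]:
    """Map a URL path onto the document root and refuse anything that
    resolves outside it: the hardened form of the vulnerable servers."""
    path = normalize_url_path(url)
    target = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if target != root and not target.startswith(root + "/"):
        return None
    return target


def scan_log(text: str) -> List[Dict]:
    """One record per request carrying a '..' segment. A 200 status on
    such a request is the signal a defender wants: the traversal may have
    actually served a file."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or not is_traversal(m.group("url")):
            continue
        hits.append({
            "client": line.split(" ", 1)[0],
            "url": m.group("url"),
            "depth": dotdot_segments(m.group("url")),
            "status": int(m.group("status")),
            "served": m.group("status") == "200",
            "escapes_root": resolve_under_root(m.group("url")) is None,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```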
*** {01.14.039} Cross - CCC/Harvest weak password authentication
mechanism
The password authentication mechanism used by Computer Associates'
CCC/Harvest application (version 5.0 tested) has been found to be
trivially crackable. This may allow attackers to decode
captured/retrieved passwords (they are passed in plain text over the
network) and access the CCC/Harvest application with the acquired
credentials.
No patches have been made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0444.html
************************************************************************
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today at:
http://www.sans.org/sansnews/.
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
can be accessed from the SANS Web site: http://www.sans.org.
Special Note: To better secure your confidential information, we will
no longer include personal URLs in our Consensus newsletter mailings.
Instead, we have created a new form, located at:
http://www.sans.org/sansurl. On this form you can enter the SD number
located near your name at the top of the newsletter. When you submit
this form, an e-mail containing a URL will be sent to you at the e-mail
address on record. With this URL you can make changes to your account
(edit the content of your Consensus mailing, for example) without
endangering the security of your personal URL. If you'd like to change
your e-mail address or other information, or unsubscribe to this
newsletter, please visit your new URL as described above. If you have
any problems or questions, e-mail us at <consensus at nwc.com>.
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at:
http://archives.neohapsis.com/.
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus at nwc.com>.
Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info at neohapsis.com | http://www.neohapsis.com/).