From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Apr 05 2001 - 21:34:37 CDT


    To: Security Express (SD397643)
    Re: Your personalized newsletter

                         -- Security Alert Consensus --
                               Number 091 (01.14)
                            Thursday, April 5, 2001
                               Created for you by
                   Network Computing and the SANS Institute
                              Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to SANS' distribution of the Security Alert Consensus.

    ----------------------------------------------------------------------

    Sponsored by VeriSign - The Internet Trust Company

    Do you need to encrypt all your online transactions? Whatever security
    your site needs, you'll find the perfect solution in this FREE Guide
    from VeriSign, "Securing Your Web site for Business." Get your copy
    today! Click here!
    http://www.verisign.com/cgi-bin/go.cgi?a=n094530110016000

    ----------------------------------------------------------------------

    A lot of recent talk has surrounded Internet worms. While worms like
    "1i0n" and "adore" have made headlines and are problems with which we
    should be concerned, we'd like to remind readers that these worms are
    based on exploiting KNOWN vulnerabilities (Bind, LPRng and so on).
    Organizations that have stayed on top of their patching efforts need
    not worry. Organizations that haven't have some work to do! For those
    interested, information on the latest worm trends can be found on the
    GIAC site:
    http://www.sans.org/giac.htm

    Those users trying to manage the onslaught of service packs, hot fixes
    and patches spewed forth by Microsoft on an almost-daily basis will be
    happy to receive three new resources to aid in the battle. First off,
    Microsoft has released a searchable tool that allows users to query the
    appropriate hot fixes for their system based on installed products and
    service packs:
    http://archives.neohapsis.com/archives/vendor/2001-q1/0092.html

    Next, XATO has taken the time to document and produce tools for users
    trying to keep their Windows 2000 IIS servers free of defacements:
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0124.html

    Finally, Phil Cox has publicly released his Windows 2000 hardening
    guidelines:
    http://archives.neohapsis.com/archives/ntbugtraq/2001-q1/0051.html

    Until next week,
    - Security Alert Consensus Team

    ************************************************************************

    TABLE OF CONTENTS:

    {01.14.017} Win - MS01-019: Passwords for compressed folders are
                recoverable
    {01.14.021} Win - MS01-020: Incorrect MIME header can cause IE to
                execute e-mail attachment
    {01.14.024} Win - Website Pro HTTP manager service /dyn/ DoS
    {01.14.026} Win - Update {01.13.011}: MS01-017: Spoofed MS VeriSign
                certificates released
    {01.14.030} Win - IE MSScriptControl.ScriptControl local file exposure
    {01.14.032} Win - The Bat! attachment cloaking
    {01.14.033} Win - Navision Financials Server long request DoS
    {01.14.034} Win - Trend Micro ScanMail for Exchange exposes
                administrative credentials
    {01.14.035} Win - Trend Micro Virus Buster long e-mail header buffer
                overflow
    {01.14.038} Win - JavaServer Web Dev Kit file retrieval
    {01.14.041} Win - Elron Internet Manager HTTP server file retrieval
    {01.14.042} Win - 602Pro Lansuite multiple '..' HTTP request DoS
    {01.14.043} Win - Internet Publisher OLEDB may act as proxy
    {01.14.007} Linux - Update {01.11.011}: ePerl buffer overflows
    {01.14.008} Linux - Update {01.10.012}: JOE reads configuration file
                from current directory
    {01.14.009} Linux - Update {01.13.019}: Multiple OpenSSH vulnerabilities
    {01.14.018} Linux - Update {01.13.004}: Malicious embedded VIM control
                codes
    {01.14.019} Linux - Update {01.11.018}: MIT Kerberos improper temp file
                handling
    {01.14.028} Linux - Pitbull LX sysctl() can bypass security restrictions
    {01.14.036} Sol - tip environment variable buffer overflow
    {01.14.011} AIX - lsfs calls lslv/grep via user's PATH
    {01.14.012} AIX - Update {01.08.007}: Vixie cron long user name buffer
                overflow
    {01.14.013} AIX - Obtuse Kerberos-related security problem fixed
    {01.14.020} NW - BorderManager VPN connection flood DoS
    {01.14.014} HPUX - CDE periodic patch fixes rpc.cmsd buffer overflow
    {01.14.001} SCO - lpshut command line argument buffer overflow
    {01.14.002} SCO - lpusers -u command line parameter buffer overflow
    {01.14.003} SCO - recon command line argument buffer overflow
    {01.14.004} SCO - lpforms command line argument buffer overflow
    {01.14.005} SCO - Deliver command line argument buffer overflow
    {01.14.006} SCO - lpadmin command line argument buffer overflow
    {01.14.040} SCO - MMDF sendmail command line argument buffer overflow
    {01.14.015} NApps - Cisco VPN3000 concentrator telnet/SSL flood DoS
    {01.14.016} NApps - NetScreen allows 'denied' traffic to pass to DMZ
    {01.14.010} Cross - Bind 9.1.1 released
    {01.14.022} Cross - Silent Runner SMTP HELO command buffer overflow
    {01.14.023} Cross - Apache Tomcat source code disclosure
    {01.14.025} Cross - Inframail malformed HTTP POST URL DoS
    {01.14.027} Cross - BEA Weblogic Server exposes source code (take three)
    {01.14.029} Cross - Shareplex qview exposes file contents
    {01.14.031} Cross - CrazyWWWBoard ASC cookie buffer overflow
    {01.14.037} Cross - Anaconda Clipper HTTP server file retrieval
    {01.14.039} Cross - CCC/Harvest weak password authentication mechanism

    --- Windows News -------------------------------------------------------

    *** {01.14.017} Win - MS01-019: Passwords for compressed folders are
                    recoverable

    Microsoft has released MS01-019 ("Passwords for compressed folders are
    recoverable"). The password protection mechanism included with the
    folder compression feature in Plus! 98 and Windows ME has been found to
    record the passwords into a file. This could allow an attacker, who has
    access to the user's hard drive, to retrieve the passwords and thus the
    contents in protected compressed folders.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-019.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q1/0090.html

    *** {01.14.021} Win - MS01-020: Incorrect MIME header can cause IE to
                    execute e-mail attachment

    Microsoft has released MS01-020 ("Incorrect MIME header can cause IE to
    execute e-mail attachment"). Windows Explorer and Internet Explorer have
    been found to automatically launch/preview files ending in an .EML
    extension (or appropriate MIME type). While not specifically limited to
    e-mail, e-mail does offer the easiest route of exploitation. The end
    result is that a user may execute a malicious application/e-mail
    attachment.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q1/0094.html

    *** {01.14.024} Win - Website Pro HTTP manager service /dyn/ DoS

    Website Pro version 3.0.37 has been found to contain a denial of service
    in the included remote Web manager. It's possible for a remote attacker
    to eventually cause the service to crash by making multiple connections
    to the /dyn/ directory.

    This vulnerability has not been confirmed. No patches have been made
    available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0425.html

    *** {01.14.026} Win - Update {01.13.011}: MS01-017: Spoofed MS VeriSign
                    certificates released

    Microsoft has released the patch that fixes the vulnerability discussed
    in {01.13.011} ("MS01-017: Spoofed MS VeriSign certificates released").
    The patch contains a local Certificate Revocation List (CRL), which
    includes the two spoofed certificates.

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q1/0091.html

    *** {01.14.030} Win - IE MSScriptControl.ScriptControl local file
                    exposure

    The MSScriptControl.ScriptControl ActiveX control shipped with Internet
    Explorer 5.5 (tested on Windows 2000) has been found to allow a
    malicious Web site to access arbitrary files on the user's system.

    This vulnerability has not been confirmed.

    Source: Win2KSecurityAdvice
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0128.html

    *** {01.14.032} Win - The Bat! attachment cloaking

    An advisory has surfaced indicating that it's possible to misrepresent,
    or 'cloak,' a malicious attachment in an e-mail viewed by The Bat!
    e-mail reader version 1.51. The malicious attachment may appear as
    another legitimate document type, which may deceive the user into
    executing/double-clicking on it.

    The advisory indicates vendor confirmation and a forthcoming patch.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0013.html

    *** {01.14.033} Win - Navision Financials Server long request DoS

    It has been reported that Navision Financials Server versions 2.50 and
    2.60 contain a denial of service whereby a remote attacker can send a
    particularly large amount of characters to the listening service,
    causing it to crash.

    Navision has released a patch, which is available at:
    http://www.navision.com/com/view.asp?documentID=258

    Source: Win2KSecurityAdvice
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q2/0002.html

    *** {01.14.034} Win - Trend Micro ScanMail for Exchange exposes
                    administrative credentials

    Trend Micro's ScanMail for Exchange has been found to use a weak
    encoding scheme to store the administrative credentials used by the
    service in the Windows registry. The registry keys allow anyone full
    access, which may allow an attacker to gain the encoded credentials,
    decode them and use them to log into the specified domain with
    administrative privileges.

    The advisory indicates that the vendor has confirmed the problem and
    recommends changing the ACLs on the appropriate registry keys (list in
    advisory below) as a workaround.

    Source: NTBugtraq
    http://archives.neohapsis.com/archives/ntbugtraq/2001-q1/0049.html

    *** {01.14.035} Win - Trend Micro Virus Buster long e-mail header
                    buffer overflow

    Trend Micro's Virus Buster 2001 (Japanese virus scanner) version 8.02
    has been found to contain a buffer overflow in the handling of long
    e-mail headers -- viewed when a user imports e-mail via POP.

    Version 8.03 is not vulnerable and is available (in Japanese) at:

    http://www.trendmicro.co.jp/homeuser/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0453.html

    *** {01.14.038} Win - JavaServer Web Dev Kit file retrieval

    The JavaServer Web Dev Kit (JSWDK) version 1.0.1 (tested on Windows
    2000) has been found to allow a remote attacker to access files outside
    the Web root by submitting a reverse directory notation ('..') URL
    request.

    This vulnerability has not been confirmed. No patches have been made
    available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0437.html

    *** {01.14.041} Win - Elron Internet Manager HTTP server file retrieval

    Elron's Internet Manager product suite prior to version 3.0.4 includes
    an HTTP server that has been found to allow a remote attacker to access
    arbitrary files by using reverse directory notation ('..') in URL
    requests.

    The vendor has confirmed the problem. Version 3.0.4 is patched.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0345.html
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0382.html

    *** {01.14.042} Win - 602Pro Lansuite multiple '..' HTTP request DoS

    602Software's Lansuite version 1.0.34 has been found to contain a denial
    of service whereby a remote attacker can submit a URL request with a
    large number of '..' characters. The service crashes as a result.

    This vulnerability has not been confirmed. No patches have been made
    available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0374.html

    *** {01.14.043} Win - Internet Publisher OLEDB may act as proxy

    A noted researcher has issued an advisory indicating that it may be
    possible for a malicious Web site or e-mail to 'bounce', or proxy, off
    a user's system by using the "Microsoft OLE DB Provider for Internet
    Publishing" ActiveX scripting control. It also may be possible to read
    Web-based Exchange e-mail, if a user's system is set to
    auto-authenticate to the Exchange Web server (this may occur if the user
    has already authenticated).

    No patches have been made available.

    Source: Win2KSecurityAdvice
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0123.html

    --- Linux News ---------------------------------------------------------

    *** {01.14.007} Linux - Update {01.11.011}: ePerl buffer overflows

    SuSE has released updated ePerl packages that fix the vulnerability
    discussed in {01.11.011} ("ePerl buffer overflows").

    Updated SuSE RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/suse/2001-q1/1542.html

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2001-q1/1542.html

    *** {01.14.008} Linux - Update {01.10.012}: JOE reads configuration
                    file from current directory

    SuSE has released updated JOE packages that fix the vulnerability
    discussed in {01.10.012} ("JOE reads configuration file from current
    directory").

    Updated SuSE RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/suse/2001-q1/1543.html

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2001-q1/1543.html

    *** {01.14.009} Linux - Update {01.13.019}: Multiple OpenSSH
                    vulnerabilities

    Conectiva and Trustix have released updated OpenSSH packages that fix
    the vulnerability discussed in {01.13.019} ("Multiple OpenSSH
    vulnerabilities").

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0022.html

    Updated Trustix RPM information:
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0447.html

    Source: Conectiva, Trustix (SF Bugtraq)
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0022.html
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0447.html

    *** {01.14.018} Linux - Update {01.13.004}: Malicious embedded VIM
                    control codes

    Immunix has released updated VIM packages to fix the vulnerability
    discussed in {01.13.004} ("Malicious embedded VIM control codes").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0092.html

    Source: Immunix
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0092.html

    *** {01.14.019} Linux - Update {01.11.018}: MIT Kerberos improper temp
                    file handling

    Immunix has released updated Kerberos packages to fix the vulnerability
    discussed in {01.11.018} ("MIT Kerberos improper temp file handling").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0093.html

    Source: Immunix
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0093.html

    *** {01.14.028} Linux - Pitbull LX sysctl() can bypass security
                    restrictions

    Argus' Pitbull LX has been found to not properly restrict calls to the
    sysctl() system function, although it does limit access to /proc/sys/.
    This allows local users to read system configuration information and
    the local root user to bypass the security restrictions and tamper with
    the system.

    Argus has confirmed the problem and released a patch:
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0485.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0475.html
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0485.html

    --- Solaris News -------------------------------------------------------

    *** {01.14.036} Sol - tip environment variable buffer overflow

    The tip application shipped with Solaris 2.5 through 8 has been found
    vulnerable to a buffer overflow in the handling of environment
    variables. This allows a local attacker to gain 'uucp' privileges.

    Sun is currently working on a patch. An exploit has been published.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0394.html

    --- AIX News -----------------------------------------------------------

    *** {01.14.011} AIX - lsfs calls lslv/grep via user's PATH

    IBM has released an APAR for lsfs to fix a security vulnerability that
    would allow local attackers to place trojaned lslv and grep binaries in
    their path, causing lsfs to execute them with elevated privileges.

    IBM has released APAR IY16909, which fixes the problem.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2001-q2/0000.html

    *** {01.14.012} AIX - Update {01.08.007}: Vixie cron long user name
                    buffer overflow

    IBM has released APARs IY17048 and IY17261 to fix the vulnerability
    discussed in {01.08.007} ("Vixie cron long user name buffer overflow").

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2001-q2/0000.html

    *** {01.14.013} AIX - Obtuse Kerberos-related security problem fixed

    IBM has released APAR 17480 to fix a "security issue" in Kerberos 4. If
    we had to hazard a guess, we'd say it was related to {01.11.018} ("MIT
    Kerberos improper temp file handling"). If anyone from IBM is reading,
    please hear our plea for verbosity beyond what you currently provide:

    PROBLEM DESCRIPTION:
    Kerberos 4 security problem

    PROBLEM SUMMARY:
    Security issue

    PROBLEM CONCLUSION:
    Security issue resolved

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2001-q2/0000.html

    --- NetWare News -------------------------------------------------------

    *** {01.14.020} NW - BorderManager VPN connection flood DoS

    A report has surfaced indicating that BorderManager version 3.5 is
    vulnerable to a denial of service attack. Multiple connections to the
    VPN key exchange service listening on port 353 will cause the
    BorderManager service to no longer accept incoming VPN connections.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Vuln-Dev
    http://archives.neohapsis.com/archives/vuln-dev/2001-q2/0020.html

    --- HP-UX News ---------------------------------------------------------

    *** {01.14.014} HPUX - CDE periodic patch fixes rpc.cmsd buffer overflow

    In our fight against vendors that hide security vulnerabilities with
    very vague problem/resolution descriptions, we'd like to mention that
    HP has released its periodic CDE update to fix a "buffer overflow in
    rpc.cmsd." We have no further information on the vulnerability; we don't
    even know for sure if it is a security vulnerability -- although it's
    hard to imagine that a buffer overflow in a previously vulnerable
    network-accessible RPC service is "not" a security problem.

    We believe this is not related to the popular multivendor rpc.cmsd
    vulnerability found over a year ago ("{99.11.023} HP-UX update for
    rpc.cmsd").

    Patches are as follows:
    HP-UX 10.10: PHSS_23355
    HP-UX 10.20: PHSS_23516
    HP-UX 11.00: PHSS_23517

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q1/0102.html

    --- SCO News -----------------------------------------------------------

    *** {01.14.001} SCO - lpshut command line argument buffer overflow

    The lpshut application shipped with SCO OpenServer version 5.0.6 has
    been found to contain an exploitable buffer overflow in the handling of
    command line arguments. The lpshut app is suid bin, allowing local users
    to elevate their privileges.

    The advisory indicates vendor confirmation. No patches have been
    released.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0404.html

    *** {01.14.002} SCO - lpusers -u command line parameter buffer overflow

    The lpusers application shipped with SCO OpenServer version 5.0.6 has
    been found to contain an exploitable buffer overflow in the handling of
    the '-u' command line argument parameter. The lpusers app is suid bin,
    allowing local users to elevate their privileges.

    The advisory indicates vendor confirmation. No patches have been
    released.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0407.html

    *** {01.14.003} SCO - recon command line argument buffer overflow

    The recon application shipped with SCO OpenServer version 5.0.6 has been
    found to contain an exploitable buffer overflow in the handling of
    command line arguments. The recon app is suid root, allowing local users
    to elevate their privileges.

    The advisory indicates vendor confirmation. No patches have been
    released.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0410.html

    *** {01.14.004} SCO - lpforms command line argument buffer overflow

    The lpforms application shipped with SCO OpenServer version 5.0.6 has
    been found to contain an exploitable buffer overflow in the handling of
    command line arguments. The lpforms app is suid bin, allowing local
    users to elevate their privileges.

    The advisory indicates vendor confirmation. No patches have been
    released.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0416.html

    *** {01.14.005} SCO - Deliver command line argument buffer overflow

    The Deliver application shipped with the SCO OpenServer version 5.0.6
    MMDF package has been found to contain an exploitable buffer overflow
    in the handling of command line arguments. The deliver app is suid root,
    allowing local users to elevate their privileges.

    The advisory indicates vendor confirmation. This vulnerability is
    related to {00.09.004} ("SCO SSE062: Patch for MMDF buffer overflow").
    No patches have been released.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0418.html

    *** {01.14.006} SCO - lpadmin command line argument buffer overflow

    The lpadmin application shipped with SCO OpenServer version 5.0.6 has
    been found to contain an exploitable buffer overflow in the handling of
    command line arguments. The lpadmin app is suid bin, allowing local
    users to elevate their privileges.

    The advisory indicates vendor confirmation. No patches have been
    released.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0421.html

    *** {01.14.040} SCO - MMDF sendmail command line argument buffer
                    overflow

    The sendmail application shipped with the SCO OpenServer version 5.0.6
    MMDF package has been found to contain an exploitable buffer overflow
    in the handling of command line arguments. Sendmail is suid root,
    allowing local users to elevate their privileges.

    The advisory indicates vendor confirmation. No patches have been
    released.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0417.html

    --- Network Appliances News --------------------------------------------

    *** {01.14.015} NApps - Cisco VPN3000 concentrator telnet/SSL flood DoS

    Cisco has released an advisory indicating a denial of service attack
    against the VPN3000 concentrator devices. A remote attacker can flood
    the telnet and/or SSL ports of the device, causing it to reboot.
    Firmware versions prior to 3.0.0 are vulnerable.

    Firmware version 3.0.0 is available from Cisco.

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2001-q1/0016.html

    *** {01.14.016} NApps - NetScreen allows 'denied' traffic to pass to DMZ

    NetScreen has released an advisory indicating a vulnerability that may
    allow traffic, which is explicitly denied by the firewall rules, to be
    passed to the DMZ segment. NetScreen-10 and NetScreen-100 devices are
    affected.

    NetScreen has released updated ScreenOS firmware for both NetScreen-10
    and NetScreen-100 devices:
    1.6x -> 1.66r2
    2.0 -> 2.01r8
    2.5 -> 2.5.0r6

    Source: NetScreen (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0375.html

    --- Cross-Platform News ------------------------------------------------

    *** {01.14.010} Cross - Bind 9.1.1 released

    Bind version 9.1.1 is now available. Version 9.1.1 is a maintenance
    release, meaning that its primary purpose is to correct known bugs. A
    few of the bugs could be used in denial of service situations;
    therefore, we highly recommend upgrading.

    Source code is available at:
    ftp://ftp.isc.org/isc/bind9/9.1.1/bind-9.1.1.tar.gz

    Source: BIND
    http://archives.neohapsis.com/archives/bind/2001/0019.html

    *** {01.14.022} Cross - Silent Runner SMTP HELO command buffer overflow

    Silent Runner Collector (the network 'sniffer' portion of the Silent
    Runner suite) version 1.6.1 has been found to contain a buffer overflow
    in the handling of SMTP HELO commands that are sniffed from the network.
    The vulnerability causes the Collector application to crash, thus
    disabling network/IDS monitoring.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0454.html

    *** {01.14.023} Cross - Apache Tomcat source code disclosure

    Various versions of Apache Tomcat, including 4.0-b2 and prior, contain
    multiple malformed URL vulnerabilities that would either expose the
    source code of a JSP page or allow directory browsing on the server.
    Please note that we are consolidating multiple advisories into one item,
    since the exploit mechanism is approximately the same.

    The Apache Tomcat team has confirmed some of the vulnerabilities. No
    patches have been made available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0436.html
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0464.html
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0492.html
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0498.html
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0003.html

    *** {01.14.025} Cross - Inframail malformed HTTP POST URL DoS

    The Inframail Internet service suite has been found vulnerable to a
    denial of service in the included HTTP Web and management services. A
    remote attacker can cause the entire suite to crash by submitting
    particular malformed HTTP POST requests.

    This vulnerability has not been confirmed. No patches have been made
    available.

    Vendor's homepage:
    http://www.infradig.com/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0428.html

    *** {01.14.027} Cross - BEA Weblogic Server exposes source code (take
                    three)

    An advisory has surfaced indicating a source code exposure vulnerability
    in BEA Weblogic version 5.1.0sp6 and possibly prior. By submitting the
    request URL with particular URL hex encoding, a remote attacker can gain
    access to a page's source code.

    This vulnerability has not been confirmed.

    Please note that this source code disclosure vulnerability uses a
    different mechanism than those previously reported as {00.32.025},
    {00.27.014}, and {00.25.023}. Some of the vulnerabilities may be unique
    only to the combination of WebLogic and iPlanet servers (WebLogic and
    Apache seem to be immune).

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0463.html

    *** {01.14.029} Cross - Shareplex qview exposes file contents

    A vulnerability in the included qview application of Quest Software's
    Shareplex suite prior to version 2.1.3.21 allows a local attacker to
    view the contents of arbitrary files on the system.

    The vendor has confirmed this vulnerability and released version
    2.1.3.21.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0482.html

    *** {01.14.031} Cross - CrazyWWWBoard ASC cookie buffer overflow

    CrazyWWWBoard versions 2000p4 and 2000LEp5 have been found to contain
    a buffer overflow in the handling of the ASC cookie value. This allows
    a remote attacker to execute arbitrary code under the privileges of the
    Web server.

    This vulnerability has not been confirmed. An exploit has been released.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0487.html

    *** {01.14.037} Cross - Anaconda Clipper HTTP server file retrieval

    Anaconda's Clipper HTTP server version 3.3 has been found to allow a
    remote attacker to retrieve arbitrary files from the server (readable
    by the Web server UID) by using reverse directory traversal ('..')
    notation in the template parameter of a URL request.

    This vulnerability has not been confirmed. No patches have been made
    available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0395.html
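
Several items in this issue ({01.14.038}, {01.14.041}, {01.14.042} and {01.14.037}) share one bug class: an HTTP server maps a request containing '..' (plain, hex-encoded, repeated thousands of times, or placed in a parameter) onto the file system without confining it to the Web root. The following added example is not code from the newsletter or from any vendor named in it; it shows a defensive resolver that confines a decoded request path under an assumed root of /var/www/htdocs, plus a scanner that runs that check over constructed access-log lines. The root, the 1024-byte length limit, the log lines and the 'template' parameter name are all assumptions.

```python
import re
from pathlib import PurePosixPath
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed document root and request-path length limit (both constructed for
# this example; a real server would take them from its configuration).
WEB_ROOT = PurePosixPath("/var/www/htdocs")
MAX_PATH_LEN = 1024


class TraversalRejected(ValueError):
    """Raised when a request path cannot be safely mapped under the Web root."""


def resolve_under_root(url_path: str, root: PurePosixPath = WEB_ROOT) -> PurePosixPath:
    """Map a URL path (or a file-name parameter) to a file strictly inside root.

    Rejects the traversal patterns described in this issue: plain '..',
    hex-encoded '..' (%2e%2e, including double encoding), backslash
    separators, and floods of thousands of '..' segments (caught by the
    length limit before any per-segment work is done).
    """
    # Decode twice so %252e%252e (double-encoded '..') is seen as '..'.
    decoded = unquote(unquote(url_path))
    if len(decoded) > MAX_PATH_LEN:
        raise TraversalRejected("path too long")
    if "\x00" in decoded:
        raise TraversalRejected("NUL byte in path")
    # Several of the affected servers run on Windows; treat '\' as '/'.
    decoded = decoded.replace("\\", "/")

    parts: List[str] = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                raise TraversalRejected("'..' climbs above web root")
            parts.pop()
            continue
        parts.append(segment)

    candidate = root.joinpath(*parts)
    # Belt and braces: the lexical walk above should already guarantee this.
    if candidate != root and root not in candidate.parents:
        raise TraversalRejected("resolved outside web root")
    return candidate


def is_safe_path(url_path: str, root: PurePosixPath = WEB_ROOT) -> bool:
    """True if url_path maps inside root, False if it would be rejected."""
    try:
        resolve_under_root(url_path, root)
    except TraversalRejected:
        return False
    return True


# Extract the request target from a Common Log Format line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def scan_access_log(lines: List[str], root: PurePosixPath = WEB_ROOT) -> List[Tuple[str, str]]:
    """Return (request_target, reason) for each request that fails the check.

    Both the URL path and every query-string value are checked, because the
    Clipper item above reports the traversal inside a 'template' parameter.
    """
    findings: List[Tuple[str, str]] = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        url = urlsplit(target)
        checks = [("path", url.path)]
        checks += [("param " + key, value)
                   for key, value in parse_qsl(url.query, keep_blank_values=True)]
        for where, value in checks:
            try:
                resolve_under_root(value, root)
            except TraversalRejected as exc:
                findings.append((target, "%s: %s" % (where, exc)))
                break  # one finding per request is enough
    return findings


# Constructed sample log lines (not real traffic): two benign requests, then
# plain, hex-encoded, parameter-based and flood-style traversal attempts.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [05/Apr/2001:21:34:37 -0500] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.5 - - [05/Apr/2001:21:34:38 -0500] "GET /docs/../images/logo.gif HTTP/1.0" 200 1024',
    '10.0.0.9 - - [05/Apr/2001:21:35:01 -0500] "GET /../../../../private/config.ini HTTP/1.0" 404 0',
    '10.0.0.9 - - [05/Apr/2001:21:35:02 -0500] "GET /%2e%2e/%2e%2e/private/config.ini HTTP/1.0" 404 0',
    '10.0.0.9 - - [05/Apr/2001:21:35:03 -0500] "GET /clipper?template=../../private/config.ini HTTP/1.0" 200 300',
    '10.0.0.9 - - [05/Apr/2001:21:35:04 -0500] "GET /' + "../" * 600 + 'x HTTP/1.0" 500 0',
]

if __name__ == "__main__":
    for target, reason in scan_access_log(SAMPLE_ACCESS_LOG):
        print("REJECT %-60.60s %s" % (target, reason))
```

The length limit is what turns the {01.14.042} flood case into a cheap rejection rather than a crash; set it no larger than the longest legitimate path your site serves.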

    *** {01.14.039} Cross - CCC/Harvest weak password authentication
                    mechanism

    The password authentication mechanism used by Computer Associates'
    CCC/Harvest application (version 5.0 tested) has been found to be
    trivially crackable. This may allow attackers to decode
    captured/retrieved passwords (they are passed in plain text over the
    network) and access the CCC/Harvest application with the acquired
    credentials.

    No patches have been made available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0444.html

    ************************************************************************

    Become a Security Alert Consensus member! If this e-mail was passed to
    you and you would like to begin receiving our security e-mail newsletter
    on a weekly basis, we invite you to subscribe today at:
    http://www.sans.org/sansnews/.

    We are signing the Consensus newsletter with PGP. The new SANS PGP key
    is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
    can be accessed from the SANS Web site: http://www.sans.org.

    Special Note: To better secure your confidential information, we will
    no longer include personal URLs in our Consensus newsletter mailings.
    Instead, we have created a new form, located at:
    http://www.sans.org/sansurl. On this form you can enter the SD number
    located near your name at the top of the newsletter. When you submit
    this form, an e-mail containing a URL will be sent to you at the e-mail
    address on record. With this URL you can make changes to your account
    (edit the content of your Consensus mailing, for example) without
    endangering the security of your personal URL. If you'd like to change
    your e-mail address or other information, or unsubscribe to this
    newsletter, please visit your new URL as described above. If you have
    any problems or questions, e-mail us at <consensus@nwc.com>.

    Missed an issue? You can find all back issues of Security Alert
    Consensus (and Security Express) online at:
    http://archives.neohapsis.com/.

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
    Rights Reserved. Distributed by Network Computing
    (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).