From: Network Computing and The SANS Institute (sans+ZZ02618915924205889@sans.org)
Date: Thu Jul 05 2001 - 19:51:13 CDT
To: Security Express (SD397643)
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 104 (01.27)
Thursday, July 5, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to SANS' distribution of the Security Alert Consensus.
----------------------------------------------------------------------
Need to bone up on building wireless infrastructure or provide better
support for your mobile users? While at N+I 2001 in Atlanta, spend some
time at the Network Computing Real-World Labs(R) LIVE, where we'll be
demonstrating Mobile Computing and Wireless Connectivity products,
technologies and solutions.
WHERE: Georgia World Congress Center, Atlanta, GA
WHEN: September 9 - 14, 2001
http://www.networkcomputing.com/marketing/mediakit/events.html
----------------------------------------------------------------------
Cisco was bitten by two bugs this week: a problem with its SSH
{01.27.001} implementation and another bug with its on-board HTTP
servers {01.27.008}. These vulnerabilities should serve as a reminder
that not only do operating systems need patching and lock-down attention
but infrastructure equipment does, as well. Security-savvy network
administrators who have already shut down the HTTP services on their
Cisco devices proactively avoided this latest round of HTTP-based
vulnerabilities.
While organizations should still upgrade their vulnerable IOS and CatOS
images, proactive lock-down efforts can definitely reduce potential
risks. It's time to re-embrace some age-old wisdom: "If you aren't using
it, turn it off."
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.27.006} Win - Update {01.24.016}: WatchGuard firebox SMTP proxy
allows files through filter
{01.27.010} Win - ArGoSoft FTP Server trojan LNK file access
{01.27.018} Win - TrendMicro InterScan VirusWall multiple overflows
{01.27.020} Win - Broker FTP Server trojan LNK file access
{01.27.021} Win - CesarFTP HELP command overflow
{01.27.025} Win - vWebServer multiple vulnerabilities
{01.27.026} Win - SmallHTTP server long URL overflow
{01.27.029} Win - WFTP server trojan LNK file access
{01.27.030} Win - GHTTP server long URL overflow
{01.27.032} Win - NFuse full path disclosure
{01.27.007} Linux - Update {01.26.024}: Samba malicious NetBIOS name
file overwrite
{01.27.009} Linux - Update {01.25.017}: rxvt command line buffer
overflow
{01.27.012} Linux - Update {01.23.002}: gpg file name format string
vulnerability
{01.27.013} Linux - Update {01.24.020}: Potential buffer overflow in
xinetd svc_logprint function
{01.27.019} Linux - Update {01.18.017}: kdesu creates world-readable
temp file to hold authentication info
{01.27.022} Linux - GnatsWeb allows escalated access to files
{01.27.028} Linux - Update {01.19.014}: Zope ZClasses permission
remapping
{01.27.034} Linux - Update {01.24.021}: Scotty ntping host name buffer
overflow
{01.27.023} HPUX - CIFS/9000 file overwrite during printing
{01.27.033} HPUX - setrlimit() does not honor core file restrictions on
suid/sgid apps
{01.27.014} SCO - su command line buffer overflow
{01.27.015} SCO - cron command line buffer overflow
{01.27.016} SCO - uucp utilities command line buffer overflow
{01.27.027} SCO - Package tools can display arbitrary files
{01.27.001} NApps - Multiple IOS SSH vulnerabilities
{01.27.008} NApps - Cisco IOS HTTP authorization vulnerability
{01.27.002} Cross - JRun CSS vulnerability
{01.27.003} Cross - JRun-controlled Web authentication bypass
{01.27.004} Cross - JRun forward slash/Java regeneration DoS
{01.27.005} Cross - JRun URL encoding file disclosure
{01.27.011} Cross - Oracle 8i SQLNet remote DoS
{01.27.017} Cross - Oracle 8i TNS listener NSPTCN packet overflow
{01.27.024} Cross - Active Web Classifieds CGI authentication
bypass/configuration modification
{01.27.031} Cross - phpMyAdmin file disclosure
{01.27.035} Cross - Tomcat CSS vulnerability
{01.27.036} Cross - Resin CSS vulnerability
{01.27.037} Cross - WebSphere/VisualAge CSS vulnerability
{01.27.038} Cross - Lotus Domino CSS vulnerability
{01.27.039} Cross - PHP mail() command may bypass safe_mode
{01.27.040} Cross - xvt command line buffer overflow
- --- Windows News -------------------------------------------------------
*** {01.27.006} Win - Update {01.24.016}: WatchGuard firebox SMTP proxy
allows files through filter
WatchGuard has released a patch for the vulnerability discussed in
{01.24.016} ("WatchGuard firebox SMTP proxy allows files through
filter").
This bug has been fixed for the latest version of the code (4.61), which
is available from WatchGuard.
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0401.html
*** {01.27.010} Win - ArGoSoft FTP Server trojan LNK file access
ArGoSoft FTP server version 1.2.2.2 has been found to allow remote
attackers with write permission to access files outside the FTP root
directory by uploading a trojan .LNK file.
This vulnerability has not been confirmed.
Source: Win2k Security Advice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q3/0002.html
*** {01.27.018} Win - TrendMicro InterScan VirusWall multiple overflows
Two buffer overflow vulnerabilities exist in InterScan VirusWall for
Windows NT. These allow a remote attacker to execute an arbitrary
command with local system privileges.
The overflows exist in the HttpSaveC*P.dll and smtpscan.dll libraries
and are vulnerable to attack when combined with a previously disclosed
vulnerability.
To get the patch, send e-mail to support@support.trendmicro.com or
search for this issue on:
http://solutionbank.antivirus.com/solutions/solutionSearch.asp
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0387.html
http://archives.neohapsis.com/archives/bugtraq/2001-06/0388.html
*** {01.27.020} Win - Broker FTP Server trojan LNK file access
Broker FTP Server version 5.9.5.0 has been found to allow remote
attackers with write permission to access files outside the FTP root
directory by uploading a trojan .LNK file.
This vulnerability has not been confirmed.
Source: Win2k Security Advice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q3/0001.html
*** {01.27.021} Win - CesarFTP HELP command overflow
CesarFTP version 0.98 has been found to allow remote attackers to obtain
elevated privileges by exploiting a buffer overflow in the handling of
the HELP FTP command.
This vulnerability has not been verified.
Source: Win2k Security Advice
http://archives.neohapsis.com/archives/bugtraq/2001-07/0001.html
*** {01.27.025} Win - vWebServer multiple vulnerabilities
vWebServer version 1.2.0 has been found to contain three remotely
exploitable vulnerabilities: ASP file source disclosure when an attacker
appends a URL encoded space to the HTTP request; a denial of service if
an attacker requests a DOS device name; and a buffer overflow in the
long URL requests, which causes a denial of service and could
potentially be used to execute arbitrary code.
The advisory indicates vendor confirmation; no patches have been made
available.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2001-q2/0723.html
*** {01.27.026} Win - SmallHTTP server long URL overflow
SmallHTTP server versions 2.x and 3.x contain an overflow in the
handling of long URL requests, eventually causing the server to crash.
This allows a remote attacker to perform a denial of service against
the system.
The advisory indicates vendor confirmation; no patches have been made
available.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2001-q2/0723.html
*** {01.27.029} Win - WFTP server trojan LNK file access
WFTP server version 3.0R5 has been found to allow remote attackers with
write permission to access files outside the FTP root directory by
uploading a trojan .LNK file. Note that WFTP normally limits a user's
manipulation of files ending in '.LNK'; however, by using the extension
'.LNK.' an attacker can bypass WFTP's restrictions.
This vulnerability has not been confirmed.
Source: Win2K Security Advice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q3/0000.html
*** {01.27.030} Win - GHTTP server long URL overflow
GHTTP server version 1.4 has recently been reported to contain a buffer
overflow in the handling of long URL requests. This could allow a remote
attacker to execute arbitrary code.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0011.html
*** {01.27.032} Win - NFuse full path disclosure
The NFuse Web application platform has been found to display the full
physical path information of a virtual Web script within error messages.
This may give an attacker information that could be used to reconstruct
a layout of your virtual directories.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0018.html
- --- Linux News ---------------------------------------------------------
*** {01.27.007} Linux - Update {01.26.024}: Samba malicious NetBIOS
name file overwrite
Multiple Linux vendors have issued patches addressing the vulnerability
discussed in {01.26.024} ("Samba malicious NetBIOS name file
overwrite").
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0138.html
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0016.html
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0137.html
Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-06/0360.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2001-q2/1581.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-07/0002.html
Source: RedHat, SuSE, Caldera, Immunix, Trustix, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0138.html
http://archives.neohapsis.com/archives/linux/suse/2001-q2/1581.html
http://archives.neohapsis.com/archives/bugtraq/2001-06/0360.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0137.html
http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0016.html
http://archives.neohapsis.com/archives/bugtraq/2001-07/0002.html
*** {01.27.009} Linux - Update {01.25.017}: rxvt command line buffer
overflow
Immunix has officially reported that it is not vulnerable to the
vulnerability discussed in {01.25.017} ("rxvt command line buffer
overflow"), because the company does not ship rxvt setuid or setgid by
default.
For Immunix rxvt binary and source update information see:
http://archives.neohapsis.com/archives/bugtraq/2001-06/0378.html
Source: Immunix
http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0138.html
*** {01.27.012} Linux - Update {01.23.002}: gpg file name format string
vulnerability
Caldera has released updated gnupg packages to fix the vulnerability
discussed in {01.23.002} ("gpg file name format string vulnerability").
Updated Caldera packages are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0011.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0011.html
*** {01.27.013} Linux - Update {01.24.020}: Potential buffer overflow
in xinetd svc_logprint function
Multiple Linux vendors have released updated xinetd packages to fix the
vulnerability discussed in {01.24.020} ("Potential buffer overflow in
xinetd svc_logprint function").
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2001-q2/1582.html
Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-06/0412.html
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0142.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0016.html
Source: SuSE, EnGarde, Immunix, Conectiva
http://archives.neohapsis.com/archives/linux/suse/2001-q2/1582.html
http://archives.neohapsis.com/archives/linux/engarde/2001-q2/0010.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0142.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0016.html
*** {01.27.019} Linux - Update {01.18.017}: kdesu creates
world-readable temp file to hold authentication info
Mandrake has released updated kdelib packages to fix the vulnerability
discussed in {01.18.017} ("kdesu creates world-readable temp file to
hold authentication info").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-06/0382.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-06/0382.html
*** {01.27.022} Linux - GnatsWeb allows escalated access to files
GnatsWeb versions 2.7, 2.8.0, 2.8.1, 3.95 and 4.0 contain a
vulnerability in the new help file system that allows a remote attacker
to read or execute files accessible by the Web server. Files can be
executed because a file name value provided in a request URL is used
without the file name being checked.
RedHat/GNATS has confirmed the problem and released a patch:
http://sources.redhat.com/gnats/gnatsWeb/advisory-jun-26-2001.html
Source: Redhat / GNATSWeb Security Advisory
http://archives.neohapsis.com/archives/bugtraq/2001-06/0365.html
*** {01.27.028} Linux - Update {01.19.014}: Zope ZClasses permission
remapping
Conectiva has released updated Zope packages to fix the vulnerability
discussed in {01.19.014} ("Zope ZClasses permission remapping").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0017.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0017.html
*** {01.27.034} Linux - Update {01.24.021}: Scotty ntping host name
buffer overflow
SuSE has released updated Scotty packages to fix the vulnerability
discussed in {01.24.021} ("Scotty ntping host name buffer overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/suse/2001-q3/0011.html
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2001-q3/0011.html
- --- HP-UX News ---------------------------------------------------------
*** {01.27.023} HPUX - CIFS/9000 file overwrite during printing
HP has released an advisory indicating that it's possible, under a
certain configuration, for a remote attacker to overwrite arbitrary
files via various print operations. It is unclear if this vulnerability
is related to the recently discovered vulnerability discussed in
{01.26.024} ("Samba malicious NetBIOS name file overwrite").
HP9000 servers running CIFS/9000 A.01.06 or prior should install patch
PHNE_24164.
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q2/0074.html
*** {01.27.033} HPUX - setrlimit() does not honor core file
restrictions on suid/sgid apps
HP has released a patch to fix a bug in setrlimit() that would not
properly limit the creation of core files, regardless of resource limit
configurations, if an application was previously setuid or setgid.
For a full list of available patches, view:
http://archives.neohapsis.com/archives/hp/2001-q3/0000.html
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q3/0000.html
- --- SCO News -----------------------------------------------------------
*** {01.27.014} SCO - su command line buffer overflow
The su commands that shipped with all versions of UnixWare 7 are
vulnerable to a command line buffer overflow that allows a local
attacker to obtain root privileges.
SCO has released fixed su binaries and related libraries at:
ftp://ftp.sco.com/pub/security/unixware/sr847407
Source: SCO (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-06/0359.html
*** {01.27.015} SCO - cron command line buffer overflow
The cron command is vulnerable to a command line argument buffer
overflow that could allow a local attacker to gain elevated privileges.
This vulnerability has been confirmed by SCO/Caldera. Updated binaries
are available from SCO at:
ftp://ftp.sco.com/pub/security/unixware/sr847406/
Source: SCO (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-06/0384.html
*** {01.27.016} SCO - uucp utilities command line buffer overflow
The uucp utilities shipped with UnixWare version 7 contain a command
line parameter buffer overflow that could allow a local attacker to
execute arbitrary code with elevated privileges.
SCO/Caldera has confirmed this problem and released updated binaries,
which are available at:
ftp://ftp.sco.com/pub/security/unixware/sr847405
Source: SCO (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-06/0385.html
*** {01.27.027} SCO - Package tools can display arbitrary files
Caldera has released an advisory indicating that the various packaging
tools shipped with UnixWare version 7 may allow a local attacker to view
arbitrary files on the system.
Caldera has released a patch to fix this problem:
ftp://ftp.sco.com/pub/security/unixware/sr847997/
Source: Caldera/SCO
http://archives.neohapsis.com/archives/bugtraq/2001-07/0007.html
- --- Network Appliances News --------------------------------------------
*** {01.27.001} NApps - Multiple IOS SSH vulnerabilities
Three different Cisco product lines are susceptible to multiple
vulnerabilities in the Secure Shell (SSH) protocol. By exploiting a
weakness in the SSH protocol, it is possible to insert arbitrary
commands into an established SSH session, collect information that may
help in brute-force key recovery, or brute-force a session key.
All devices running Cisco IOS software supporting SSH are affected.
FAQ and patch:
http://www.cisco.com/warp/public/707/SSH-multiple-pub.html
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2001-q2/0007.html
*** {01.27.008} NApps - Cisco IOS HTTP authorization vulnerability
A remote attacker can bypass the Cisco IOS built-in administration HTTP
server's authentication, thereby allowing the execution of any command
with "enable" level access when local authorization is used. All
versions of IOS that support the HTTP server (starting with 11.3) are
vulnerable.
See full advisory for details:
http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0362.html
- --- Cross-Platform News ------------------------------------------------
*** {01.27.002} Cross - JRun CSS vulnerability
JRun versions 2.3.3 and 3.0 have been found vulnerable to a Cross-Site
Scripting attack. This problem potentially allows a malicious e-mail or
Web site to execute active scripting in a user's browser via the
vulnerable JRun site.
Allaire has released a patch:
http://www.allaire.com/handlers/index.cfm?ID=21498&Method=Full
Source: Allaire
http://archives.neohapsis.com/archives/vendor/2001-q2/0070.html
*** {01.27.003} Cross - JRun-controlled Web authentication bypass
JRun version 3.0 contains a vulnerability in the handling of
JRun-controlled Web authentication. By using upper/lowercase characters
different from those specified in Web.xml, a remote attacker can access
a directory mapping and completely bypass the authentication mechanism.
This problem occurs with the native Web server that comes with JRun
(JWS), but it does not occur when using IIS.
Macromedia/Allaire has confirmed the problem and released a patch, which
is available at:
http://www.allaire.com/handlers/index.cfm?ID=21497&Method=Full
Source: Macromedia/Allaire
http://archives.neohapsis.com/archives/vendor/2001-q2/0070.html
*** {01.27.004} Cross - JRun forward slash/Java regeneration DoS
Macromedia/Allaire has released a security advisory detailing a denial
of service vulnerability in JRun version 3.0. If a remote attacker
submits a particular URL request with extra slashes, the JRun server
will regenerate an additional set of supporting Java .class and .inf
files. The attacker can continue submitting various requests, causing
the server to continuously generate additional files until the file
system has no more free space.
For Macromedia/Allaire's patch, view:
http://www.allaire.com/handlers/index.cfm?ID=21496&Method=Full
Source: Macromedia/Allaire
http://archives.neohapsis.com/archives/vendor/2001-q2/0070.html
*** {01.27.005} Cross - JRun URL encoding file disclosure
JRun versions 2.3.3, 3.0 and 3.1 contain a vulnerability in the handling
of URL encoded requests. It's possible for a remote attacker to gain
access to a JSP file's source code, instead of the server processing
it, if the attacker URL encodes portions of the file name. This problem
occurs using the native Web server that comes with JRun (JWS) or IIS
(4.0 and 5.0).
Macromedia/Allaire has confirmed the problem and released a patch:
http://www.allaire.com/handlers/index.cfm?ID=21495&Method=Full
Source: Macromedia/Allaire
http://archives.neohapsis.com/archives/vendor/2001-q2/0070.html
*** {01.27.011} Cross - Oracle 8i SQLNet remote DoS
Oracle 8i Standard and Enterprise Editions versions 8.1.5, 8.1.6 and
8.1.7 as well as all previous versions for Windows, Linux, Solaris, AIX,
HP-UX and Tru64 Unix are vulnerable to a remote denial of service attack
against the TNS libraries that handle the various Oracle TNS services.
The attacker does not need valid authentication credentials to mount an
attack.
Oracle has confirmed this problem and produced a patch (under bug number
1656431), which is available at:
http://metalink.oracle.com/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0380.html
*** {01.27.017} Cross - Oracle 8i TNS listener NSPTCN packet overflow
The Oracle TNS listener is vulnerable to a buffer overflow in the
handling of NSPTCN packets. Exploitation could allow a remote attacker
to gain elevated privileges (uid 'oracle' on Unix or local system on
Windows). Authentication is not necessary to trigger the overflow.
Oracle 8i Standard and Enterprise Editions versions 8.1.5, 8.1.6 and
8.1.7 as well as previous versions for Windows, Linux, Solaris, AIX,
HP-UX and Tru64 Unix are vulnerable.
Oracle has released patches under bug number 1489683 at:
http://metalink.oracle.com
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0381.html
*** {01.27.024} Cross - Active Web Classifieds CGI authentication
bypass/configuration modification
An advisory was recently posted indicating that it's possible to bypass
various authentication methods used by the Active Web Classifieds CGI
application version 1.0. This would potentially allow a remote attacker
to modify various configuration values, which could then be leveraged
into accessing local files or running command line commands.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0386.html
*** {01.27.031} Cross - phpMyAdmin file disclosure
Versions 2.1.0 and prior of the phpMyAdmin CGI application have been
found to contain a vulnerability that could allow a remote attacker to
read files readable by the Web server. This could potentially be
combined with a trick to embed valid PHP in the Web server log files,
thus allowing the attacker to execute arbitrary PHP code on the server.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0016.html
*** {01.27.035} Cross - Tomcat CSS vulnerability
Tomcat versions 3.2.1, 3.2.2 and 4.0 have been found vulnerable to a
Cross-Site Scripting attack. This potentially allows a malicious e-mail
or Web site to execute active scripting in a user's browser via the
vulnerable Tomcat site.
The advisory indicates vendor confirmation. A fix is available at:
http://jakarta.apache.org/tomcat/news.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0021.html
*** {01.27.036} Cross - Resin CSS vulnerability
Resin Java servlet server version 1.2.2 has been found vulnerable to a
Cross-Site Scripting attack. This potentially allows a malicious e-mail
or Web site to execute active scripting in a user's browser via the
vulnerable Resin site.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0021.html
*** {01.27.037} Cross - WebSphere/VisualAge CSS vulnerability
IBM WebSphere versions 3.5 and 3.02, as well as IBM VisualAge version
3.5, have been found vulnerable to a Cross-Site Scripting attack. This
potentially allows a malicious e-mail or Web site to execute active
scripting in a user's browser via the vulnerable WebSphere site.
The advisory indicates vendor confirmation. A fix is available at:
http://www-4.ibm.com/software/Webservers/appserv/efix.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0021.html
*** {01.27.038} Cross - Lotus Domino CSS vulnerability
Lotus Domino server version 5.0.6 has been found vulnerable to a
Cross-Site Scripting attack. This potentially allows a malicious e-mail
or Web site to execute active scripting in a user's browser via the
vulnerable Domino site.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0022.html
*** {01.27.039} Cross - PHP mail() command may bypass safe_mode
An advisory indicates that a new feature in the mail() command as of
PHP 4.0.5 may allow an attacker, who has Web page authoring permissions,
to bypass PHP's safe mode and execute arbitrary command line commands.
This is a concern for ISPs and virtual Web hosting providers.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0003.html
*** {01.27.040} Cross - xvt command line buffer overflow
xvt version 2.1 contains a buffer overflow in the handling of various
command line arguments. Exploitation of the overflow could allow a
local attacker to execute arbitrary code with elevated privileges if
xvt is setuid/setgid, which it is in some cases.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0024.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE7RQI/+LUG5KFpTkYRAsM9AJ0SMEPXNbgOfg+V/byyB7U3w5NJJgCfTnTM
thYUSHh796EiWqjNKCV3J+k=
=0Luu
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://www.sans.org/sansnews/.
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information, we will
no longer include personal URLs in our Consensus newsletter mailings.
Instead, we have created a new form (http://www.sans.org/sansurl). On
this form you can enter the SD number located near your name at the top
of the newsletter. When you submit this form, an e-mail containing a
URL will be sent to you at the e-mail address on record. With this URL
you can make changes to your account (edit the content of your Consensus
mailing, for example) without endangering the security of your personal
URL. If you'd like to change your e-mail address or other information,
or unsubscribe to this newsletter, please visit your new URL as
described above. If you have any problems or questions, e-mail us at
<consensus@nwc.com>.
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online. http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).