From: Network Computing and The SANS Institute (sans+ZZ02618915924205889sans.org)
Date: Thu Jul 05 2001 - 19:51:13 CDT

    To: Security Express (SD397643)
    Re: Your personalized newsletter

                          -- Security Alert Consensus --
                                Number 104 (01.27)
                              Thursday, July 5, 2001
                                Created for you by
                     Network Computing and the SANS Institute
                               Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to SANS' distribution of the Security Alert Consensus.

    ----------------------------------------------------------------------

    Need to bone up on building wireless infrastructure or provide better
    support for your mobile users? While at N+I 2001 in Atlanta, spend some
    time at the Network Computing Real-World Labs(R) LIVE, where we'll be
    demonstrating Mobile Computing and Wireless Connectivity products,
    technologies and solutions.

    WHERE: Georgia World Congress Center, Atlanta, GA
    WHEN: September 9 - 14, 2001
    http://www.networkcomputing.com/marketing/mediakit/events.html

    ----------------------------------------------------------------------

    Cisco was bitten by two bugs this week: a problem with its SSH
    {01.27.001} implementation and another bug with its on-board HTTP
    servers {01.27.008}. These vulnerabilities should serve as a reminder
    that not only do operating systems need patching and lock-down attention
    but infrastructure equipment does, as well. Security-savvy network
    administrators who have already shut down the HTTP services on their
    Cisco devices proactively avoided this latest round of HTTP-based
    vulnerabilities.

    While organizations should still upgrade their vulnerable IOS and CatOS
    images, proactive lock-down efforts can definitely reduce potential
    risks. It's time to re-embrace some age-old wisdom: "If you aren't using
    it, turn it off."

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {01.27.006} Win - Update {01.24.016}: WatchGuard firebox SMTP proxy
                allows files through filter
    {01.27.010} Win - ArGoSoft FTP Server trojan LNK file access
    {01.27.018} Win - TrendMicro InterScan VirusWall multiple overflows
    {01.27.020} Win - Broker FTP Server trojan LNK file access
    {01.27.021} Win - CesarFTP HELP command overflow
    {01.27.025} Win - vWebServer multiple vulnerabilities
    {01.27.026} Win - SmallHTTP server long URL overflow
    {01.27.029} Win - WFTP server trojan LNK file access
    {01.27.030} Win - GHTTP server long URL overflow
    {01.27.032} Win - NFuse full path disclosure
    {01.27.007} Linux - Update {01.26.024}: Samba malicious NetBIOS name
                file overwrite
    {01.27.009} Linux - Update {01.25.017}: rxvt command line buffer
                overflow
    {01.27.012} Linux - Update {01.23.002}: gpg file name format string
                vulnerability
    {01.27.013} Linux - Update {01.24.020}: Potential buffer overflow in
                xinetd svc_logprint function
    {01.27.019} Linux - Update {01.18.017}: kdesu creates world-readable
                temp file to hold authentication info
    {01.27.022} Linux - GnatsWeb allows escalated access to files
    {01.27.028} Linux - Update {01.19.014}: Zope ZClasses permission
                remapping
    {01.27.034} Linux - Update {01.24.021}: Scotty ntping host name buffer
                overflow
    {01.27.023} HPUX - CIFS/9000 file overwrite during printing
    {01.27.033} HPUX - setrlimit() does not honor core file restrictions on
                suid/sgid apps
    {01.27.014} SCO - su command line buffer overflow
    {01.27.015} SCO - cron command line buffer overflow
    {01.27.016} SCO - uucp utilities command line buffer overflow
    {01.27.027} SCO - Package tools can display arbitrary files
    {01.27.001} NApps - Multiple IOS SSH vulnerabilities
    {01.27.008} NApps - Cisco IOS HTTP authorization vulnerability
    {01.27.002} Cross - JRun CSS vulnerability
    {01.27.003} Cross - JRun-controlled Web authentication bypass
    {01.27.004} Cross - JRun forward slash/Java regeneration DoS
    {01.27.005} Cross - JRun URL encoding file disclosure
    {01.27.011} Cross - Oracle 8i SQLNet remote DoS
    {01.27.017} Cross - Oracle 8i TNS listener NSPTCN packet overflow
    {01.27.024} Cross - Active Web Classifieds CGI authentication
                bypass/configuration modification
    {01.27.031} Cross - phpMyAdmin file disclosure
    {01.27.035} Cross - Tomcat CSS vulnerability
    {01.27.036} Cross - Resin CSS vulnerability
    {01.27.037} Cross - WebSphere/VisualAge CSS vulnerability
    {01.27.038} Cross - Lotus Domino CSS vulnerability
    {01.27.039} Cross - PHP mail() command may bypass safe_mode
    {01.27.040} Cross - xvt command line buffer overflow

    - --- Windows News -------------------------------------------------------

    *** {01.27.006} Win - Update {01.24.016}: WatchGuard firebox SMTP proxy
                    allows files through filter

    WatchGuard has released a patch for the vulnerability discussed in
    {01.24.016} ("WatchGuard firebox SMTP proxy allows files through
    filter").

    This bug has been fixed for the latest version of the code (4.61), which
    is available from WatchGuard.

    Source: Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0401.html

    *** {01.27.010} Win - ArGoSoft FTP Server trojan LNK file access

    ArGoSoft FTP server version 1.2.2.2 has been found to allow remote
    attackers with write permission to access files outside the FTP root
    directory by uploading a trojan .LNK file.

    This vulnerability has not been confirmed.

    Source: Win2k Security Advice
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q3/0002.html

    *** {01.27.018} Win - TrendMicro InterScan VirusWall multiple overflows

    Two buffer overflow vulnerabilities exist in InterScan VirusWall for
    Windows NT. These allow a remote attacker to execute an arbitrary
    command with local system privileges.

    The overflows exist in the HttpSaveC*P.dll and smtpscan.dll libraries
    and are vulnerable to attack when combined with a previously disclosed
    vulnerability.

    To get the patch, send e-mail to supportsupport.trendmicro.com or
    search for this issue on:
    http://solutionbank.antivirus.com/solutions/solutionSearch.asp

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0387.html
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0388.html

    *** {01.27.020} Win - Broker FTP Server trojan LNK file access

    Broker FTP Server version 5.9.5.0 has been found to allow remote
    attackers with write permission to access files outside the FTP root
    directory by uploading a trojan .LNK file.

    This vulnerability has not been confirmed.

    Source: Win2k Security Advice
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q3/0001.html

    *** {01.27.021} Win - CesarFTP HELP command overflow

    CesarFTP version 0.98 has been found to allow remote attackers to obtain
    elevated privileges by exploiting a buffer overflow in the handling of
    the HELP FTP command.

    This vulnerability has not been verified.

    Source: Win2k Security Advice
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0001.html

    *** {01.27.025} Win - vWebServer multiple vulnerabilities

    vWebServer version 1.2.0 has been found to contain three remotely
    exploitable vulnerabilities: ASP file source disclosure when an attacker
    appends a URL encoded space to the HTTP request; a denial of service if
    an attacker requests a DOS device name; and a buffer overflow in the
    long URL requests, which causes a denial of service and could
    potentially be used to execute arbitrary code.

    The advisory indicates vendor confirmation; no patches have been made
    available.

    Source: SecurityFocus Vuln-Dev
    http://archives.neohapsis.com/archives/vuln-dev/2001-q2/0723.html

    *** {01.27.026} Win - SmallHTTP server long URL overflow

    SmallHTTP server versions 2.x and 3.x contain an overflow in the
    handling of long URL requests, eventually causing the server to crash.
    This allows a remote attacker to perform a denial of service against
    the system.

    The advisory indicates vendor confirmation; no patches have been made
    available.

    Source: SecurityFocus Vuln-Dev
    http://archives.neohapsis.com/archives/vuln-dev/2001-q2/0723.html

    *** {01.27.029} Win - WFTP server trojan LNK file access

    WFTP server version 3.0R5 has been found to allow remote attackers with
    write permission to access files outside the FTP root directory by
    uploading a trojan .LNK file. Note that WFTP normally limits a user's
    manipulation of files ending in '.LNK'; however, by using the extension
    '.LNK.' an attacker can bypass WFTP's restrictions.

    This vulnerability has not been confirmed.

    Source: Win2K Security Advice
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q3/0000.html

    *** {01.27.030} Win - GHTTP server long URL overflow

    GHTTP server version 1.4 has recently been reported to contain a buffer
    overflow in the handling of long URL requests. This could allow a remote
    attacker to execute arbitrary code.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0011.html

    *** {01.27.032} Win - NFuse full path disclosure

    The NFuse Web application platform has been found to display the full
    physical path information of a virtual Web script within error messages.
    This may give an attacker information that could be used to reconstruct
    a layout of your virtual directories.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0018.html

    - --- Linux News ---------------------------------------------------------

    *** {01.27.007} Linux - Update {01.26.024}: Samba malicious NetBIOS
                    name file overwrite

    Multiple Linux vendors have issued patches addressing the vulnerability
    discussed in {01.26.024} ("Samba malicious NetBIOS name file
    overwrite").

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0138.html

    Updated Caldera RPMs:
    http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0016.html

    Updated Immunix RPMs:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0137.html

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0360.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2001-q2/1581.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0002.html

    Source: RedHat, SuSE, Caldera, Immunix, Trustix, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0138.html
    http://archives.neohapsis.com/archives/linux/suse/2001-q2/1581.html
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0360.html
    http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0137.html
    http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0016.html
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0002.html

    *** {01.27.009} Linux - Update {01.25.017}: rxvt command line buffer
                    overflow

    Immunix has officially reported that it is not vulnerable to the
    vulnerability discussed in {01.25.017} ("rxvt command line buffer
    overflow"), because the company does not ship rxvt setuid or setgid by
    default.

    For Immunix rxvt binary and source update information see:
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0378.html

    Source: Immunix
    http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0138.html

    *** {01.27.012} Linux - Update {01.23.002}: gpg file name format string
                    vulnerability

    Caldera has released updated gnupg packages to fix the vulnerability
    discussed in {01.23.002} ("gpg file name format string vulnerability").

    Updated Caldera packages are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0011.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0011.html

    *** {01.27.013} Linux - Update {01.24.020}: Potential buffer overflow
                    in xinetd svc_logprint function

    Multiple Linux vendors have released updated xinetd packages to fix the
    vulnerability discussed in {01.24.020} ("Potential buffer overflow in
    xinetd svc_logprint function").

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2001-q2/1582.html

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0412.html

    Updated Immunix RPMs:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0142.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0016.html

    Source: SuSE, EnGarde, Immunix, Conectiva
    http://archives.neohapsis.com/archives/linux/suse/2001-q2/1582.html
    http://archives.neohapsis.com/archives/linux/engarde/2001-q2/0010.html
    http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0142.html
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0016.html

    *** {01.27.019} Linux - Update {01.18.017}: kdesu creates
                    world-readable temp file to hold authentication info

    Mandrake has released updated kdelib packages to fix the vulnerability
    discussed in {01.18.017} ("kdesu creates world-readable temp file to
    hold authentication info").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0382.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0382.html

    *** {01.27.022} Linux - GnatsWeb allows escalated access to files

    GnatsWeb versions 2.7, 2.8.0, 2.8.1, 3.95 and 4.0 contain a
    vulnerability in the new help file system that allows a remote attacker
    to read or execute files accessible by the Web server. File execution
    is possible because a file name value provided in a request URL is used
    without being checked.

    RedHat/GNATS has confirmed the problem and released a patch:
    http://sources.redhat.com/gnats/gnatsWeb/advisory-jun-26-2001.html

    Source: Redhat / GNATSWeb Security Advisory
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0365.html

    *** {01.27.028} Linux - Update {01.19.014}: Zope ZClasses permission
                    remapping

    Conectiva has released updated Zope packages to fix the vulnerability
    discussed in {01.19.014} ("Zope ZClasses permission remapping").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0017.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0017.html

    *** {01.27.034} Linux - Update {01.24.021}: Scotty ntping host name
                    buffer overflow

    SuSE has released updated Scotty packages to fix the vulnerability
    discussed in {01.24.021} ("Scotty ntping host name buffer overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/suse/2001-q3/0011.html

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2001-q3/0011.html

    - --- HP-UX News ---------------------------------------------------------

    *** {01.27.023} HPUX - CIFS/9000 file overwrite during printing

    HP has released an advisory indicating that it's possible, given a
    certain configuration, for a remote attacker to overwrite arbitrary
    files via various print operations. It is unclear if this vulnerability
    is related to the recently discovered vulnerability discussed in
    {01.26.024} ("Samba malicious NetBIOS name file overwrite").

    HP9000 servers running CIFS/9000 A.01.06 or prior should install patch
    PHNE_24164.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q2/0074.html

    *** {01.27.033} HPUX - setrlimit() does not honor core file
                    restrictions on suid/sgid apps

    HP has released a patch to fix a bug in setrlimit() that would not
    properly limit the creation of core files, regardless of resource limit
    configurations, if an application was previously setuid or setgid.

    For a full list of available patches, view:
    http://archives.neohapsis.com/archives/hp/2001-q3/0000.html

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q3/0000.html

    - --- SCO News -----------------------------------------------------------

    *** {01.27.014} SCO - su command line buffer overflow

    The su commands that shipped with all versions of UnixWare 7 are
    vulnerable to a command line buffer overflow that allows a local
    attacker to obtain root privileges.

    SCO has released fixed su binaries and related libraries at:
    ftp://ftp.sco.com/pub/security/unixware/sr847407

    Source: SCO (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0359.html

    *** {01.27.015} SCO - cron command line buffer overflow

    The cron command is vulnerable to a command line argument buffer
    overflow that could allow a local attacker to gain elevated privileges.

    This vulnerability has been confirmed by SCO/Caldera. Updated binaries
    are available from SCO at:
    ftp://ftp.sco.com/pub/security/unixware/sr847406/

    Source: SCO (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0384.html

    *** {01.27.016} SCO - uucp utilities command line buffer overflow

    The uucp utilities shipped with UnixWare version 7 contain a command
    line parameter buffer overflow that could allow a local attacker to
    execute arbitrary code with elevated privileges.

    SCO/Caldera has confirmed this problem and released updated binaries,
    which are available at:
    ftp://ftp.sco.com/pub/security/unixware/sr847405

    Source: SCO (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0385.html

    *** {01.27.027} SCO - Package tools can display arbitrary files

    Caldera has released an advisory indicating that the various packaging
    tools shipped with UnixWare version 7 may allow a local attacker to view
    arbitrary files on the system.

    Caldera has released a patch to fix this problem:
    ftp://ftp.sco.com/pub/security/unixware/sr847997/

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0007.html

    - --- Network Appliances News --------------------------------------------

    *** {01.27.001} NApps - Multiple IOS SSH vulnerabilities

    Three different Cisco product lines are susceptible to multiple
    vulnerabilities in the Secure Shell (SSH) protocol. By exploiting a
    weakness in the SSH protocol, it is possible to insert arbitrary
    commands into an established SSH session, collect information that may
    help in brute force key recovery or brute force a session key.

    All devices running Cisco IOS software supporting SSH are affected.

    FAQ and patch:
    http://www.cisco.com/warp/public/707/SSH-multiple-pub.html

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2001-q2/0007.html

    *** {01.27.008} NApps - Cisco IOS HTTP authorization vulnerability

    A remote attacker can bypass the Cisco IOS built-in administration HTTP
    server's authentication, thereby allowing the execution of any command
    with "enable" level access when local authorization is used. All
    versions of IOS that support the HTTP server (starting with 11.3) are
    vulnerable.

    See full advisory for details:
    http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0362.html

    - --- Cross-Platform News ------------------------------------------------

    *** {01.27.002} Cross - JRun CSS vulnerability

    JRun versions 2.3.3 and 3.0 have been found vulnerable to a Cross-Site
    Scripting attack. This problem potentially allows a malicious e-mail or
    Web site to execute active scripting in a user's browser via the
    vulnerable JRun site.

    Allaire has released a patch:
    http://www.allaire.com/handlers/index.cfm?ID=21498&Method=Full

    Source: Allaire
    http://archives.neohapsis.com/archives/vendor/2001-q2/0070.html

    *** {01.27.003} Cross - JRun-controlled Web authentication bypass

    JRun version 3.0 contains a vulnerability in the handling of
    JRun-controlled Web authentication. By using upper/lowercase characters
    different from those specified in Web.xml, a remote attacker can access
    a directory mapping and completely bypass the authentication mechanism.
    This problem occurs with the native Web server that comes with JRun
    (JWS), but it does not occur when using IIS.

    Macromedia/Allaire has confirmed the problem and released a patch, which
    is available at:
    http://www.allaire.com/handlers/index.cfm?ID=21497&Method=Full

    Source: Macromedia/Allaire
    http://archives.neohapsis.com/archives/vendor/2001-q2/0070.html

    *** {01.27.004} Cross - JRun forward slash/Java regeneration DoS

    Macromedia/Allaire has released a security advisory detailing a denial
    of service vulnerability in JRun version 3.0. If a remote attacker
    submits a particular URL request with extra slashes, the JRun server
    will regenerate an additional set of supporting Java .class and .inf
    files. The attacker can continue submitting various requests, causing
    the server to continuously generate additional files until the file
    system has no more free space.

    For Macromedia/Allaire's patch, view:
    http://www.allaire.com/handlers/index.cfm?ID=21496&Method=Full

    Source: Macromedia/Allaire
    http://archives.neohapsis.com/archives/vendor/2001-q2/0070.html

    *** {01.27.005} Cross - JRun URL encoding file disclosure

    JRun versions 2.3.3, 3.0 and 3.1 contain a vulnerability in the handling
    of URL encoded requests. It's possible for a remote attacker to gain
    access to a JSP file's source code, instead of the server processing
    it, if the attacker URL encodes portions of the file name. This problem
    occurs using the native Web server that comes with JRun (JWS) or IIS
    (4.0 and 5.0).

    Macromedia/Allaire has confirmed the problem and released a patch:
    http://www.allaire.com/handlers/index.cfm?ID=21495&Method=Full

    Source: Macromedia/Allaire
    http://archives.neohapsis.com/archives/vendor/2001-q2/0070.html

    *** {01.27.011} Cross - Oracle 8i SQLNet remote DoS

    Oracle 8i Standard and Enterprise Editions versions 8.1.5, 8.1.6 and
    8.1.7 as well as all previous versions for Windows, Linux, Solaris, AIX,
    HP-UX and Tru64 Unix are vulnerable to a remote denial of service attack
    against the TNS libraries that handle the various Oracle TNS services.
    The attacker does not need valid authentication credentials to mount an
    attack.

    Oracle has confirmed this problem and produced a patch (under bug number
    1656431), which is available at:
    http://metalink.oracle.com/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0380.html

    *** {01.27.017} Cross - Oracle 8i TNS listener NSPTCN packet overflow

    The Oracle TNS listener is vulnerable to a buffer overflow in the
    handling of NSPTCN packets. Exploitation could allow a remote attacker
    to gain elevated privileges (uid 'oracle' on Unix or local system on
    Windows). Authentication is not necessary to trigger the overflow.

    Oracle 8i Standard and Enterprise Editions versions 8.1.5, 8.1.6 and
    8.1.7 as well as previous versions for Windows, Linux, Solaris, AIX,
    HP-UX and Tru64 Unix are vulnerable.

    Oracle has released patches under bug number 1489683 at:
    http://metalink.oracle.com

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0381.html

    *** {01.27.024} Cross - Active Web Classifieds CGI authentication
                    bypass/configuration modification

    An advisory was recently posted indicating that it's possible to bypass
    various authentication methods used by the Active Web Classifieds CGI
    application version 1.0. This would potentially allow a remote attacker
    to modify various configuration values, which could then be leveraged
    into accessing local files or running command line commands.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0386.html

    *** {01.27.031} Cross - phpMyAdmin file disclosure

    Versions 2.1.0 and prior of the phpMyAdmin CGI application have been
    found to contain a vulnerability that could allow a remote attacker to
    read files readable by the Web server. This could potentially be
    combined with a trick to embed valid PHP in the Web server log files,
    thus allowing the attacker to execute arbitrary PHP code on the server.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0016.html

    *** {01.27.035} Cross - Tomcat CSS vulnerability

    Tomcat versions 3.2.1, 3.2.2 and 4.0 have been found vulnerable to a
    Cross-Site Scripting attack. This potentially allows a malicious e-mail
    or Web site to execute active scripting in a user's browser via the
    vulnerable Tomcat site.

    The advisory indicates vendor confirmation. A fix is available at:
    http://jakarta.apache.org/tomcat/news.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0021.html

    *** {01.27.036} Cross - Resin CSS vulnerability

    Resin Java servlet server version 1.2.2 has been found vulnerable to a
    Cross-Site Scripting attack. This potentially allows a malicious e-mail
    or Web site to execute active scripting in a user's browser via the
    vulnerable Resin site.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0021.html

    *** {01.27.037} Cross - WebSphere/VisualAge CSS vulnerability

    IBM WebSphere versions 3.5 and 3.02, as well as IBM VisualAge version
    3.5, have been found vulnerable to a Cross-Site Scripting attack. This
    potentially allows a malicious e-mail or Web site to execute active
    scripting in a user's browser via the vulnerable WebSphere site.

    The advisory indicates vendor confirmation. A fix is available at:
    http://www-4.ibm.com/software/Webservers/appserv/efix.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0021.html

    *** {01.27.038} Cross - Lotus Domino CSS vulnerability

    Lotus Domino server version 5.0.6 has been found vulnerable to a
    Cross-Site Scripting attack. This potentially allows a malicious e-mail
    or Web site to execute active scripting in a user's browser via the
    vulnerable Domino site.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0022.html

    *** {01.27.039} Cross - PHP mail() command may bypass safe_mode

    An advisory indicates that a new feature in the mail() command as of
    PHP 4.0.5 may allow an attacker, who has Web page authoring permissions,
    to bypass PHP's safe mode and execute arbitrary command line commands.
    This is a concern for ISPs and virtual Web hosting providers.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0003.html

    *** {01.27.040} Cross - xvt command line buffer overflow

    xvt version 2.1 contains a buffer overflow in the handling of various
    command line arguments. Exploitation of the overflow could allow a
    local attacker to execute arbitrary code with elevated privileges if
    xvt is setuid/setgid, which it is in some cases.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0024.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE7RQI/+LUG5KFpTkYRAsM9AJ0SMEPXNbgOfg+V/byyB7U3w5NJJgCfTnTM
    thYUSHh796EiWqjNKCV3J+k=
    =0Luu
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed to
    you and you would like to begin receiving our security e-mail newsletter
    on a weekly basis, we invite you to subscribe today.
    http://www.sans.org/sansnews/.

    We are signing the Consensus newsletter with PGP. The new SANS PGP key
    is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
    can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information, we will
    no longer include personal URLs in our Consensus newsletter mailings.
    Instead, we have created a new form (http://www.sans.org/sansurl). On
    this form you can enter the SD number located near your name at the top
    of the newsletter. When you submit this form, an e-mail containing a
    URL will be sent to you at the e-mail address on record. With this URL
    you can make changes to your account (edit the content of your Consensus
    mailing, for example) without endangering the security of your personal
    URL. If you'd like to change your e-mail address or other information,
    or unsubscribe to this newsletter, please visit your new URL as
    described above. If you have any problems or questions, e-mail us at
    <consensusnwc.com>.

    Missed an issue? You can find all back issues of Security Alert
    Consensus (and Security Express) online. http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensusnwc.com>.

    Copyright (c) 2001 Network Computing, a CMP Media LLC publication. All
    Rights Reserved. Distributed by Network Computing
    (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (infoneohapsis.com | http://www.neohapsis.com/).