From: Network Computing and The SANS Institute (sans+ZZ59856442007416191sans.org)
Date: Thu Jan 17 2002 - 16:53:19 CST

    To: Security Express (SD397643)
    Re: Your personalized newsletter

                       -- Security Alert Consensus --
                              Number 002 (02.02)
                         Thursday, January 17, 2002
                              Created for you by
                   Network Computing and the SANS Institute
                             Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to SANS' distribution of the Security Alert Consensus.

    ----------------------------------------------------------------------

    ** Penetration Tests - FREE White Paper **
    Do you need evidence that vulnerabilities exist on your network?
    Penetration Tests provide the basis for an action plan to minimize
    potential threats. Download this **FREE** white paper from Internet
    Security Systems to discover how Penetration Tests provide critical
    reporting about possible vulnerabilities in your network!
    ** Click here:
    http://www.iss.net/mktg/pentestwp4

    ----------------------------------------------------------------------

    A recent post to the VulnWatch mailing list points out notable security
    researcher David Litchfield has found seven new vulnerabilities in
    Oracle 9i. Unfortunately, we do not have any details beyond the subject
    of the advisories. We will report the details properly in SAC when
    they are officially released. Until then, Oracle users should keep
    an eye out for Oracle updates. So much for Oracle's "Unbreakable"
    marketing campaign!
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0011.html

    As a side note, this week's issue of SAC is the largest in our two-plus
    year history, sporting 52 items. Bugs in Linux LIDS ({02.02.024})
    and sudo ({02.02.007}) rank as the more widespread vulnerabilities
    this week.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    TABLE OF CONTENTS:

    {02.02.012} Win - Web Server 4D multiple vulnerabilities
    {02.02.017} Win - ZBServer large URL DoS
    {02.02.021} Win - iPlanet/Netscape ?wp-html-rend DoS
    {02.02.023} Win - AOLServer file restriction bypass
    {02.02.026} Win - EServ file restriction bypass
    {02.02.027} Win - Dino's Web Server '..' file retrieval
    {02.02.028} Win - Nevrona MiraMail stores authentication information in
                plain text
    {02.02.034} Win - Novell client help file login bypass
    {02.02.039} Win - Sambar large CGI URL DoS
    {02.02.040} Win - BlackMoon FTP server command overflow
    {02.02.044} Win - Flash standalone player vulnerability
    {02.02.047} Win - IIS 4 log file modification
    {02.02.052} Win - CDONTS.Newmail e-mail spoofing
    {02.02.001} Linux - Mandrake bind9 insecure configuration file
                permission
    {02.02.002} Linux - Update {02.01.003}: Cross - Mutt e-mail address
                handling overflow
    {02.02.003} Linux - Update {01.51.024}: glibc glob()/globfree()
                vulnerability
    {02.02.004} Linux - Update {02.01.002}: Cross - stunnel format string
                vulnerability
    {02.02.006} Linux - Update {01.46.007}: IMP Webmail CSS vulnerability
    {02.02.009} Linux - CIPE short packet DoS
    {02.02.011} Linux - xchat IRC session hijacking
    {02.02.024} Linux - LIDS LD_PRELOAD passes capabilities
    {02.02.035} Linux - cdrdao insecure file handling
    {02.02.036} Linux - Update {02.01.028}: Multiple Bugzilla
                vulnerabilities
    {02.02.041} Linux - Gzip long file name potential overflow
    {02.02.049} Linux - Update {01.36.007}: Multiple xinetd vulnerabilities
    {02.02.050} Sol - Update {01.45.019}: Overflow in dtspcd via DCE SPC
                library
    {02.02.019} SGI - Update {01.49.014}: UNICOS NQSD job schedule format
                string vulnerability
    {02.02.046} SGI - nsd cache fill up DoS
    {02.02.025} SCO - dtterm/xterm xrm parameter overflow
    {02.02.031} SCO - Update {01.48.028}: wu-ftpd unclosed glob heap
                overflow
    {02.02.010} NApps - Cisco SN5420 multiple vulnerabilities
    {02.02.020} NApps - Cacheflow CacheOS memory fragment leaking via HTTP
    {02.02.038} NApps - Netgear RP-114 nmap scan DoS when filtering
    {02.02.051} NApps - Alcatel SpeedTouch modem DoS
    {02.02.032} Other - Handspring Visor nmap DoS
    {02.02.048} Other - Siemens invalid SMS message DoS
    {02.02.007} Cross - sudo passes unclean environment to MTA
    {02.02.008} Cross - Pine metacharacter URL passed via command line
    {02.02.014} Cross - Pi3Web large CGI URL DoS
    {02.02.015} Cross - Eterm HOME environment variable overflow
    {02.02.016} Cross - Possible local PHP session ID leakage
    {02.02.018} Cross - FAQManager CGI toc parameter file reading
    {02.02.022} Cross - iPlanet/Netscape ?wp-force-auth brute force
    {02.02.029} Cross - Vtund crypto weaknesses
    {02.02.030} Cross - Slashcode user login privilege elevation
    {02.02.033} Cross - Legato Networker daemon.log plain text
                authentication information
    {02.02.037} Cross - Clanlib HOME environment variable overflow
    {02.02.042} Cross - ProFTPD ACL bypass and DoS
    {02.02.043} Cross - LPRng/groff overflow
    {02.02.045} Cross - Geeklog CGI UID tampering changes users
    {02.02.005} Tools - Bind 8.3.0 released
    {02.02.013} Tools - Sendmail 8.12.2 released

    --- Windows News -------------------------------------------------------

    *** {02.02.012} Win - Web Server 4D multiple vulnerabilities

    Two vulnerabilities were found in mdg.com's Web Server 4D HTTP server
    version 3.5.3. The first is a denial of service, which causes the
    server to crash when an attacker sends a very large URL request. It's
    also possible to access files outside the Web root by using URL
    encoded reverse directory traversal notation in a URL request.

    These vulnerabilities have not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0017.html
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0018.html

    *** {02.02.017} Win - ZBServer large URL DoS

    ZBServer Pro Web server version 1.50-r13 has been found to crash after
    receiving a few HTTP requests with very long URLs. This results in
    a denial of service situation.

    This vulnerability has not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0020.html

    *** {02.02.021} Win - iPlanet/Netscape ?wp-html-rend DoS

    The iPlanet/Netscape Web server has been found vulnerable to a denial
    of service whereby a remote attacker makes requests containing the
    '?wp-html-rend' URL parameter. If Web publishing is enabled, this
    results in an eventual server crash.

    This vulnerability has been confirmed. Netscape has released a
    'disrend.dll' module, which needs to be loaded into the server. See
    the reference URL below for more details.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0007.html

    *** {02.02.023} Win - AOLServer file restriction bypass

    An advisory has surfaced indicating it's possible to gain access to
    an AOLServer URL that is otherwise normally restricted (requires
    authentication) by appending a '.' character to the URL. This is
    limited to AOLServer version 3.4.2 on Windows platforms.

    This vulnerability has not been confirmed.

    Source: NTBugtraq
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q1/0006.html

    *** {02.02.026} Win - EServ file restriction bypass

    The EServ HTTP server version 2.97 has been found to allow a remote
    attacker access to restricted files (requiring authentication) by
    requesting them with a particular malformed URL request.

    This vulnerability has not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0010.html

    *** {02.02.027} Win - Dino's Web Server '..' file retrieval

    Dino's Web Server version 1.x has been found to not properly filter
    out reverse directory traversal notation ('..') from URL requests.
    This means a remote attacker can access files outside the Web root.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0110.html
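    The Web Server 4D ({02.02.012}) and Dino's Web Server ({02.02.027}) items
    both come down to the same missing check. The following Python function is
    an added example, not code from either advisory or product: it
    percent-decodes the request path first (so '%2e%2e%2f' is seen as '../'),
    normalises the '..' segments, and rejects anything that would resolve above
    the document root. The document root and the sample requests are
    constructed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root; constructed for this example.
WEB_ROOT = "/var/www/htdocs"


def resolve_under_root(web_root: str, request_path: str) -> Optional[str]:
    """Map an HTTP request path onto the filesystem, or return None if it escapes.

    Percent-decoding happens before normalisation, so '%2e%2e%2f' is treated
    as '../' rather than as a harmless literal. A second decode catches the
    double-encoded form ('%252e%252e').
    """
    path = request_path.split("?", 1)[0]   # the query string never names a file
    path = unquote(path)
    if "%" in path:                         # still encoded: decode once more
        path = unquote(path)
    if "\x00" in path:                      # a NUL would truncate the path in C
        return None
    path = path.replace("\\", "/")          # Windows servers accept '\' as well

    # Normalise relative to the root. normpath collapses 'docs/../x' to 'x'
    # but deliberately keeps a leading '..' that would climb above the root.
    rel = posixpath.normpath(path.lstrip("/"))
    if rel == ".":                          # request for the root itself
        return posixpath.normpath(web_root)
    if rel == ".." or rel.startswith("../"):
        return None                         # traversal attempt: reject, do not "repair"
    return posixpath.join(posixpath.normpath(web_root), rel)


if __name__ == "__main__":
    # Constructed sample requests: the first two are legitimate, the rest are
    # the plain, encoded and double-encoded traversal forms the items describe.
    for req in ["/index.html", "/docs/../index.html", "/../etc/passwd",
                "/%2e%2e/%2e%2e/etc/passwd", "/%252e%252e/etc/passwd",
                "/..\\..\\boot.ini"]:
        print(f"{req!r:34} -> {resolve_under_root(WEB_ROOT, req)}")
```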

    *** {02.02.028} Win - Nevrona MiraMail stores authentication
                    information in plain text

    Nevrona's MiraMail version 1.04 has been found to store POP user
    credentials unencrypted in a plain text file. This would allow a
    local attacker to recover the authentication information used for
    every POP user.

    The advisory indicates confirmation by the vendor, which will add
    stronger password storage to the next version.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0115.html

    *** {02.02.034} Win - Novell client help file login bypass

    A bug has been found in the Novell login client for Windows. It's
    possible for an attacker (with physical access to the system) to
    execute arbitrary programs by following the 'Help' link on the main
    login screen and then using the help reader to open and execute any
    files on the system.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0151.html

    *** {02.02.039} Win - Sambar large CGI URL DoS

    Sambar Web server version 5.1 has been found to crash when a remote
    attacker submits a very large URL request to a CGI. This results in
    a denial of service situation.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0188.html

    *** {02.02.040} Win - BlackMoon FTP server command overflow

    BlackMoon FTP server version 1.5 has been found to incorrectly handle
    large FTP commands. This results in a buffer overflow that can lead
    to arbitrary code execution.

    The vendor has confirmed this vulnerability and released version 1.5
    release 2 (build 1550), which is available at:
    http://www.blackmoon.filetap.com

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0190.html

    *** {02.02.044} Win - Flash standalone player vulnerability

    A security advisory issued by Macromedia indicates a potential
    security problem within the standalone Flash player distributed with
    the Macromedia Flash suite. Apparently, a Flash-based virus is on the
    loose, and it will infect other Flash files. Flash content embedded
    on Web sites is not capable of transporting the virus -- only content
    embedded in e-mail or viewed locally.

    More information and a fix are available at:
    http://www.macromedia.com/support/flash/ts/documents/swf_clear.htm

    Source: Macromedia (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0138.html

    *** {02.02.047} Win - IIS 4 log file modification

    An advisory was released that discusses a particular situation in
    which Windows applications create and open files in such a manner
    that allows other applications to modify those files.

    One such application is IIS 4.0, which opens its log files in a shared
    manner. Because of the permissions on the log file, it's possible for
    any program to modify the log file in place. This could allow local
    attackers with no privileges to cover their tracks.

    The advisory indicates confirmation by the vendor, which has released
    KB Q315986 to address the problem.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0019.html

    *** {02.02.052} Win - CDONTS.Newmail e-mail spoofing

    According to an analysis paper that was released, it's possible for an
    attacker to trick an ASP page using the CDONTS.Newmail component into
    sending spoofed e-mail.

    Full details are available at:
    http://www.nextgenss.com/papers/aspmail.pdf

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0152.html

    --- Linux News ---------------------------------------------------------

    *** {02.02.001} Linux - Mandrake bind9 insecure configuration file
                    permission

    Mandrake has released updated bind9 packages, which fix permission
    problems on some of the bind configuration files. This vulnerability
    is limited to Mandrake Linux versions 8.0 and 8.1.

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0096.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0096.html

    *** {02.02.002} Linux - Update {02.01.003}: Cross - Mutt e-mail address
                    handling overflow

    RedHat and Mandrake have released updated mutt packages, which fix
    the vulnerability discussed in {02.01.003} ("Cross - Mutt e-mail
    address handling overflow").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0105.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0007.html

    Source: RedHat, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0105.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0007.html

    *** {02.02.003} Linux - Update {01.51.024}: glibc glob()/globfree()
                    vulnerability

    Mandrake and Debian have released updated glibc packages, which fix the
    vulnerability discussed in {02.01.015} ("Linux - Update {01.51.024}:
    glibc glob()/globfree() vulnerability").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0134.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q1/0003.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0134.html
    http://archives.neohapsis.com/archives/vendor/2002-q1/0003.html

    *** {02.02.004} Linux - Update {02.01.002}: Cross - stunnel format
                    string vulnerability

    EnGarde has released updated stunnel packages, which fix the
    vulnerability discussed in {02.01.002} ("Cross - stunnel format
    string vulnerability").

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0001.html

    Source: EnGarde
    http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0001.html

    *** {02.02.006} Linux - Update {01.46.007}: IMP Webmail CSS
                    vulnerability

    Caldera has released updated imp packages, which fix the vulnerability
    discussed in {01.46.007} ("IMP Webmail CSS vulnerability").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0143.html

    Source: Caldera (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0143.html

    *** {02.02.009} Linux - CIPE short packet DoS

    The CIPE VPN software has been found to contain a bug that causes the
    service to crash if a particularly crafted short packet is received.

    Debian has confirmed this vulnerability and released updated DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q1/0005.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q1/0005.html

    *** {02.02.011} Linux - xchat IRC session hijacking

    A vulnerability in the xchat IRC client allows another IRC user to
    cause the vulnerable xchat client to execute IRC commands via the
    CTCP PING command, thus hijacking that client's session.

    This vulnerability has been confirmed.

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q1/0001.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0019.html

    Source: Debian, RedHat
    http://archives.neohapsis.com/archives/vendor/2002-q1/0001.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0019.html

    *** {02.02.024} Linux - LIDS LD_PRELOAD passes capabilities

    A bug was found in the LIDS Linux kernel capabilities system whereby
    a local attacker can use the LD_PRELOAD environment variable to pass
    control to a trojan library, which will inherit the capabilities
    normally given to the target program.

    This vulnerability has been confirmed. For updated source tarballs
    for 2.4 kernel:
    http://www.lids.org/download/lids-1.1.1pre2-2.4.16.tar.gz

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0004.html

    Source: EnGarde, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0107.html
    http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0004.html

    *** {02.02.035} Linux - cdrdao insecure file handling

    The cdrdao package has been found to not drop suid privileges before
    reading and writing files specified by the user. This could allow a
    local attacker to gain root access by performing a symlink attack.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0156.html

    *** {02.02.036} Linux - Update {02.01.028}: Multiple Bugzilla
                    vulnerabilities

    RedHat has released updated Bugzilla packages, which fix the
    vulnerabilities discussed in {02.01.028} ("Multiple Bugzilla
    vulnerabilities").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0016.html

    Source: RedHat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0016.html

    *** {02.02.041} Linux - Gzip long file name potential overflow

    A potential buffer overflow has been found in gzip's handling of
    large file names. While this bug has not been deemed exploitable,
    Debian has released updated gzip packages "just in case."

    Updated DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2002-q1/0002.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q1/0002.html

    *** {02.02.049} Linux - Update {01.36.007}: Multiple xinetd
                    vulnerabilities

    HP has released updated xinetd packages for HP Secure OS software
    for Linux that fix the vulnerabilities discussed in {01.36.007}
    ("Multiple xinetd vulnerabilities").

    Users should install patch HPTL_00008, which is available at:
    http://itrc.hp.com/

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q1/0007.html

    --- Solaris News -------------------------------------------------------

    *** {02.02.050} Sol - Update {01.45.019}: Overflow in dtspcd via DCE
                    SPC library

    Sun has released updated CDE patches, which fix the vulnerability
    discussed in {01.45.019} ("Overflow in dtspcd via DCE SPC library").

    Apply the applicable patch:
    SunOS 5.8: 108949-07
    SunOS 5.8_x86: 108950-07
    SunOS 5.7: 106934-04
    SunOS 5.7_x86: 106935-04
    SunOS 5.6: 105669-11
    SunOS 5.6_x86: 105670-10
    SunOS 5.5.1: 108363-02
    SunOS 5.5.1_x86: 108364-02

    Source: Sun (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0112.html

    --- SGI News -----------------------------------------------------------

    *** {02.02.019} SGI - Update {01.49.014}: UNICOS NQSD job schedule
                    format string vulnerability

    IRIX has released updated NQE packages, which fix the vulnerability
    discussed in {01.49.014} ("UNICOS NQSD job schedule format string
    vulnerability"). It appears that SGI shipped Cray's NQS under the title
    "Network Queuing Environment."

    SGI's official solution is to uninstall this product, since it has
    been retired.

    Source: SGI
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0073.html

    *** {02.02.046} SGI - nsd cache fill up DoS

    An advisory released by SGI indicates that a bug in the name service
    daemon (nsd) could allow a remote attacker to consume all the disk
    space, thereby causing a denial of service situation. IRIX 6.5.4
    through 6.5.11 are vulnerable.

    The official fix is to upgrade to IRIX 6.5.12 or later.

    Source: SGI (VulnWatch)
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0024.html

    --- SCO News -----------------------------------------------------------

    *** {02.02.025} SCO - dtterm/xterm xrm parameter overflow

    The xterm and dtterm commands shipped with Unixware version 7.0.1
    reportedly have a buffer overflow in the handling of the 'xrm'
    command line parameter. This may allow a local attacker to execute
    arbitrary code.

    This vulnerability has not been confirmed. An exploit has been
    published.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0099.html
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0104.html

    *** {02.02.031} SCO - Update {01.48.028}: wu-ftpd unclosed glob heap
                    overflow

    Caldera/SCO has released updated wu-ftpd packages, which fix the
    vulnerability discussed in {01.48.028} ("wu-ftpd unclosed glob heap
    overflow").

    Fixed binaries are available at:
    ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.1/

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0000.html

    --- Network Appliances News --------------------------------------------

    *** {02.02.010} NApps - Cisco SN5420 multiple vulnerabilities

    Cisco SN5420 storage routers running versions 1.1(5) and prior have
    been found to contain multiple vulnerabilities. These include a buffer
    overflow in the HTTP service, which results in a denial of service
    attack; halting of the system when forwarding a fragmented packet over
    the gigabit interface, which results in a denial of service attack;
    and access by unauthorized users to the stored configuration file.

    Cisco has confirmed these vulnerabilities, which have been fixed in
    version 1.1(7) and are available from Cisco.

    Source: Cisco
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0106.html

    *** {02.02.020} NApps - Cacheflow CacheOS memory fragment leaking via
                    HTTP

    The administrative HTTP server included with the Cacheflow CacheOS
    has been found to leak data from other HTTP sessions when it receives
    a particular invalid HTTP request. This could potentially expose
    sensitive HTTP data to a remote attacker.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0089.html

    *** {02.02.038} NApps - Netgear RP-114 nmap scan DoS when filtering

    The Netgear RP-114 router has been found to lock up during a port scan
    (such as that exhibited by nmap) if port filtering is enabled. The
    end result is a denial of service against the device.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0183.html

    *** {02.02.051} NApps - Alcatel SpeedTouch modem DoS

    The Alcatel SpeedTouch ADSL modem has been found to reboot when a
    remote attacker performs an nmap OS identification scan against it.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0150.html

    --- Other News ---------------------------------------------------------

    *** {02.02.032} Other - Handspring Visor nmap DoS

    A released report indicates that the Handspring Visor, which is
    equipped with a Xircom wireless Ethernet card, crashes when it is
    scanned with the popular nmap port-scanning tool. This can lead to
    a denial of service.

    Third parties have confirmed this vulnerability.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0127.html

    *** {02.02.048} Other - Siemens invalid SMS message DoS

    The Siemens mobile phone model 3568i has been found to crash when a
    particular SMS message containing extended characters is received. The
    phone will not operate until the SMS message is deleted from the SIM
    using a computer or other device.

    This vulnerability has not been confirmed. An exploit has been
    published.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0163.html

    --- Cross-Platform News ------------------------------------------------

    *** {02.02.007} Cross - sudo passes unclean environment to MTA

    Sudo versions prior to 1.6.4 have been found to not properly clean
    up the environment before invoking the local mail transport agent to
    send out an e-mail notification of an unauthorized sudo attempt.

    Many Linux vendors have released patches.

    Source download:
    http://www.sudo.ws/sudo/dist/

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0015.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q1/0006.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2002-q1/0245.html

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0002.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0004.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0194.html

    Source: Conectiva, Mandrake, Debian, RedHat, SuSE, EnGarde
    http://archives.neohapsis.com/archives/vendor/2002-q1/0006.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0015.html
    http://archives.neohapsis.com/archives/linux/suse/2002-q1/0245.html
    http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0002.html
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0004.html
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0194.html

    *** {02.02.008} Cross - Pine metacharacter URL passed via command line

    The Pine e-mail reader can be configured to shell out and run an
    external Web browser (such as Lynx) for URLs embedded in e-mails. It's
    been found that Pine will pass any embedded shell metacharacters to
    the command line, thus allowing a malicious e-mail to potentially
    execute arbitrary commands under the user's privileges.

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0003.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0017.html

    Source: EnGarde, RedHat
    http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0003.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0017.html
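    The Pine item above is the classic shell-metacharacter problem: a URL taken
    from untrusted mail is interpolated into a command line that a shell parses.
    As an added example (not Pine's code and not from the advisory), the Python
    below contrasts the vulnerable string-building pattern with launching the
    browser through an argument vector, where a ';' or '$(...)' in the URL is
    just bytes inside one argument. Using lynx as the browser and the sample
    URLs are assumptions.

```python
import shlex
import subprocess
from typing import List
from urllib.parse import urlsplit

BROWSER = "lynx"  # assumed external browser, as in the item's Lynx example


def unsafe_shell_line(url: str) -> str:
    """The vulnerable pattern: the URL is pasted into a string a shell will parse.

    Returned rather than executed so the effect is visible: with
    'http://example.com/;id' the shell would run lynx and then 'id'.
    Never hand this string to os.system() or to subprocess with shell=True.
    """
    return f"{BROWSER} {url}"


def browser_argv(url: str) -> List[str]:
    """Hardened form: validate the URL, then pass it as a single argv element.

    Only http/https URLs are accepted, which also guarantees the argument
    cannot start with '-' and be mistaken for a browser option. Whitespace and
    control characters are rejected outright rather than quoted around.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"refusing non-web URL: {url!r}")
    if any(c.isspace() or ord(c) < 0x20 for c in url):
        raise ValueError("control characters or whitespace in URL")
    return [BROWSER, url]


def launch(url: str) -> int:
    """Run the browser without a shell; metacharacters in url stay inert."""
    return subprocess.run(browser_argv(url), check=False).returncode


def shell_safe_line(url: str) -> str:
    """If a shell is unavoidable, quote the validated URL. Shown for contrast."""
    return " ".join(shlex.quote(a) for a in browser_argv(url))


if __name__ == "__main__":
    # Constructed URL carrying an embedded shell metacharacter.
    hostile = "http://example.com/;id"
    print("vulnerable:", unsafe_shell_line(hostile))
    print("argv      :", browser_argv(hostile))
    print("quoted    :", shell_safe_line(hostile))
```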

    *** {02.02.014} Cross - Pi3Web large CGI URL DoS

    Pi3Web Web server version 2.0 has been found to crash when a remote
    attacker submits a very large URL request to a CGI. This results in
    a denial of service situation.

    This vulnerability has not been confirmed. Only the Windows version
    was tested.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0015.html

    *** {02.02.015} Cross - Eterm HOME environment variable overflow

    A report has surfaced that indicates eterm version 0.9.1-2 is
    vulnerable to a buffer overflow in the handling of the HOME environment
    variable. This could lead to a local attacker gaining elevated
    privileges if eterm is suid/sgid, which the advisory indicates it is.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Vuln-Dev
    http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0151.html

    *** {02.02.016} Cross - Possible local PHP session ID leakage

    The session mechanism used by PHP 4.x uses temporary files in /tmp/
    to store session information. The problem is that the file name
    contains the session ID. This means a local attacker can list the
    contents of /tmp/ and possibly gain a list of active session IDs,
    which then can be used to hijack the sessions.

    No official workarounds or fixes have been released.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0170.html
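    Since no official fix exists for the PHP session item, the practical
    mitigation is to point session.save_path at a directory that only the web
    server user can read. The Python below is an added audit helper, not part
    of PHP or of the advisory, that reports who can list a session directory
    and how many session files are currently visible there; the /tmp default
    and the 'sess_' file prefix are assumptions about PHP 4's files handler.

```python
import os
import stat
from typing import Dict, List

# Assumed PHP 4 defaults: the session save path and the session file prefix.
DEFAULT_SAVE_PATH = "/tmp"
SESSION_PREFIX = "sess_"


def mode_findings(mode: int) -> List[str]:
    """Describe who can enumerate session IDs given a directory's st_mode bits.

    Listing a directory needs its 'r' bit for the caller. /tmp is normally mode
    1777, so every sess_<id> file name in it is visible to every local user,
    which is exactly the leak the item describes. A 0700 directory owned by
    the web server user yields no findings.
    """
    findings: List[str] = []
    if mode & stat.S_IROTH:
        findings.append("world-listable: any local user can read session IDs")
    elif mode & stat.S_IRGRP:
        findings.append("group-listable: group members can read session IDs")
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append("world-writable without sticky bit: session files can be replaced")
    return findings


def audit_session_dir(path: str = DEFAULT_SAVE_PATH) -> Dict[str, object]:
    """Report the exposure of one session directory on this host."""
    st = os.stat(path)
    visible = [name for name in os.listdir(path) if name.startswith(SESSION_PREFIX)]
    return {
        "path": path,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "findings": mode_findings(st.st_mode),
        "exposed_session_files": len(visible),
    }


if __name__ == "__main__":
    for key, value in audit_session_dir().items():
        print(f"{key}: {value}")
```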

    *** {02.02.018} Cross - FAQManager CGI toc parameter file reading

    The FAQManager CGI Perl script prior to version 2.2.6 has been found
    to allow a remote attacker to view files readable by the Web server
    by specifying the absolute path to the file in the 'toc' URL parameter.

    The vendor has confirmed this vulnerability and released version
    2.2.6 to fix the problem. It can be downloaded from:
    http://www.fourteenminutes.com/code/faqmanager/FAQmanager_2.2.6.zip

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0065.html

    *** {02.02.022} Cross - iPlanet/Netscape ?wp-force-auth brute force

    An advisory was released indicating that a remote attacker can
    force an iPlanet/Netscape Web server into requiring authentication
    (if Web publishing is enabled) by using the '?wp-force-auth' URL
    parameter. This allows the attacker to mount a brute force attack to
    guess valid user name/password combinations.

    This vulnerability has been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0008.html

    *** {02.02.029} Cross - Vtund crypto weaknesses

    A paper was released indicating some weaknesses in the cryptography
    used in vtund. The vulnerabilities include packet modification and
    replay, as well as potential password guessing. Full details of the
    analysis are available at the reference URL below.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0119.html

    *** {02.02.030} Cross - Slashcode user login privilege elevation

    The Slash(code) portal suite has been found to contain a vulnerability
    whereby it's possible for a user to log in as any other user,
    including administrators.

    This vulnerability has been confirmed and fixed in version 2.2.3, which
    is available at:
    http://slashcode.com/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0121.html

    *** {02.02.033} Cross - Legato Networker daemon.log plain text
                    authentication information

    Legato Networker prior to version 6.1.1 has been found to write
    sensitive NetApp authentication information in the world-readable
    daemon.log file in /nsr/logs. This means it's possible for a local
    user to recover the information needed to log into the NetApp daemon
    remotely.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0128.html
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0130.html

    *** {02.02.037} Cross - Clanlib HOME environment variable overflow

    The Clanlib library used by various apps, including the Super Methane
    Brothers game and kwirk, has been found to not properly handle the
    HOME environment variable, which leads to a buffer overflow. It is
    unclear if the overflow is exploitable at this point in time.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0187.html

    *** {02.02.042} Cross - ProFTPD ACL bypass and DoS

    Two bugs have been found in ProFTPD. The first allows a remote attacker
    to bypass any configured access control lists because ProFTPD does
    not properly forward-resolve the hostnames of connecting clients. The
    second bug is a denial of service, accomplished by sending a particular
    malformed LIST command.

    These vulnerabilities have been confirmed.

    Conectiva Linux has released updated RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0003.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0003.html
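    The ACL bypass above is the classic hostname-ACL pitfall: a reverse (PTR)
    lookup alone is controlled by whoever runs the reverse zone for the
    client's address, so a hostname-based allow rule must also confirm that
    the name resolves forward to the connecting IP. The following is an
    added illustration, not ProFTPD's code, and it does not describe the
    exact bug beyond what the summary states. The DNS data is constructed
    and the resolver functions are injected so the check runs offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) for hostname-based ACLs.

Added example, not code from ProFTPD or the advisory. The PTR/A data
below is constructed; the resolver functions are hypothetical stand-ins
for real DNS lookups so the logic can be exercised offline.
"""
from typing import Callable, Dict, List, Optional, Set

# Constructed PTR records (IP -> name). 203.0.113.7 models a client whose
# operator controls the reverse zone and points it at a trusted name.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "trusted.example.com",
    "203.0.113.7": "trusted.example.com",
}

# Constructed A records (name -> IPs). Only 192.0.2.10 is really that host.
A_RECORDS: Dict[str, List[str]] = {
    "trusted.example.com": ["192.0.2.10"],
}


def reverse_lookup(ip: str) -> Optional[str]:
    """Hypothetical PTR lookup backed by the constructed table."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str) -> List[str]:
    """Hypothetical A lookup backed by the constructed table."""
    return A_RECORDS.get(name, [])


def resolve_client_name(
    ip: str,
    reverse: Callable[[str], Optional[str]] = reverse_lookup,
    forward: Callable[[str], List[str]] = forward_lookup,
    confirm: bool = True,
) -> Optional[str]:
    """Return the hostname an ACL may trust for this IP, or None.

    confirm=False is the weak pattern: the PTR name is used as-is.
    confirm=True additionally requires the name to resolve back to ip.
    """
    name = reverse(ip)
    if name is None:
        return None
    if not confirm:
        return name
    # Forward confirmation: the claimed name must map back to the same IP.
    if ip in forward(name):
        return name
    return None


def acl_allows(ip: str, allowed_hosts: Set[str], confirm: bool = True) -> bool:
    """Hostname allow-list decision; unconfirmed names never match."""
    name = resolve_client_name(ip, confirm=confirm)
    return name is not None and name in allowed_hosts


if __name__ == "__main__":
    allowed = {"trusted.example.com"}
    for ip in ("192.0.2.10", "203.0.113.7", "198.51.100.1"):
        print(ip, "reverse-only:", acl_allows(ip, allowed, confirm=False),
              "confirmed:", acl_allows(ip, allowed))
```

    With `confirm=False` the spoofed reverse record for 203.0.113.7 passes
    the allow-list; with forward confirmation it is rejected, and an IP with
    no PTR record is rejected either way. Address-based rules remain the
    more robust choice where the client population allows it.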

    *** {02.02.043} Cross - LPRng/groff overflow

    A buffer overflow found in the groff command can be exploited via
    LPRng. If a remote attacker is allowed to submit print jobs, it's
    possible to remotely exploit this bug to execute arbitrary code.

    RedHat has released updated RPMs, listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0014.html

    Source: RedHat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0014.html

    *** {02.02.045} Cross - Geeklog CGI UID tampering changes users

    The Geeklog Weblog CGI has been found vulnerable to cookie
    tampering. A remote attacker can assume the identity of other users
    by guessing/changing the UID value stored in the cookie.

    This vulnerability has been confirmed, and a fix is available at:
    http://www.geeklog.org

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-01/0125.html
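    The Geeklog issue is the general problem of a login cookie that carries
    a guessable user identifier the server then believes. The usual fixes
    are an opaque random session token looked up server-side, or, if the
    UID must travel in the cookie, a keyed MAC over it so any edited value
    fails verification. The block below is an added example, not Geeklog's
    code; the cookie layout, key and expiry handling are assumptions.

```python
"""Tamper-evident login cookie versus a bare UID cookie.

Added example, not Geeklog's code. Cookie format "uid:expiry:hmac-sha256"
and the key handling are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Per-deployment secret; generated at startup here for the demo.
SECRET_KEY = secrets.token_bytes(32)


def unsigned_uid(cookie: str) -> Optional[int]:
    """The weak pattern: the server trusts whatever UID the client sends."""
    try:
        return int(cookie)
    except ValueError:
        return None


def issue_cookie(uid: int, key: bytes = SECRET_KEY, ttl: int = 3600,
                 now: Optional[int] = None) -> str:
    """Build "uid:expiry:tag" where tag = HMAC-SHA256(key, "uid:expiry")."""
    issued = int(time.time()) if now is None else now
    payload = f"{uid}:{issued + ttl}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY,
                  now: Optional[int] = None) -> Optional[int]:
    """Return the UID only if the tag matches and the cookie is unexpired."""
    try:
        uid_s, exp_s, tag = cookie.split(":")
        uid, exp = int(uid_s), int(exp_s)
    except ValueError:
        return None
    expected = hmac.new(key, f"{uid}:{exp}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    current = int(time.time()) if now is None else now
    if current >= exp:
        return None
    return uid


def edit_uid_field(cookie: str, new_uid: int) -> str:
    """Simulate the client changing the UID field without knowing the key."""
    parts = cookie.split(":")
    parts[0] = str(new_uid)
    return ":".join(parts)


if __name__ == "__main__":
    good = issue_cookie(42)
    print("valid cookie ->", verify_cookie(good))
    print("edited cookie ->", verify_cookie(edit_uid_field(good, 1)))
    print("bare uid cookie '1' ->", unsigned_uid("1"))
```

    The bare-UID cookie maps directly to a user, which is exactly what the
    advisory describes. With the signed form, changing the UID field
    invalidates the tag, and the expiry limits how long a stolen cookie
    stays useful; rotating the key logs everyone out at once, which is the
    expected trade-off of this design.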

    --- Tool Announcements News ----------------------------------------------

    *** {02.02.005} Tools - Bind 8.3.0 released

    Bind version 8.3.0 has been released. It contains new features not
    found in version 8.2.5, including: minor bug fixes and portability
    changes; some new resolver API elements; improved operational
    reporting; IPv6 transport support in the resolver (from KAME); and
    EDNS0 support. It also can now AXFR unknown RR types (in, out or
    both). The new version does not contain any security-related fixes.

    Source: BIND
    http://archives.neohapsis.com/archives/bind/2002/0001.html

    *** {02.02.013} Tools - Sendmail 8.12.2 released

    Sendmail version 8.12.2 has been released. It features many bug
    fixes over version 8.12.1, although none is security-related. A full
    changelog is available at the reference URL below.

    The source can be downloaded from:
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.2.tar.gz

    Source: Sendmail
    http://archives.neohapsis.com/archives/sendmail/2002-q1/0000.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8R01y+LUG5KFpTkYRAlzAAJ41OfkMQtEKwTrbnGCy/IVGSWgVkwCgoX9U
    Sy99iE70VefJSvEugz8cPYc=
    =piR6
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.sans.org/sansnews/

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, or unsubscribe
    to this newsletter, please visit your new URL as described above. If
    you have any problems or questions, e-mail us at <consensus@nwc.com>.

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).