From: The SANS Institute (sans@sans.org)
Date: Tue May 07 2002 - 09:49:50 CDT
To: Security Express (SD397643)
Re: SANS Windows Security Digest Vol. 5 Num. 4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The SANS Windows Security Digest
A Resource for Computer and Network Security Professionals
Volume 5, Number 4
May 6, 2002
Jennifer Kolde, SAIC
Editorial Board:
Phil Cox (SystemExperts Corp.)
Mark T. Edmead (MTE Software, Inc.)
Steve Lewis (PROintelligent)
Dr. Gene Schultz (University of California, Berkeley Lab)
Copyright 2002 The SANS Institute. All Rights Reserved.
You may forward this issue to your co-workers.
We are now signing the Windows Security
Digest with PGP. The new SANS PGP key is posted at
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can also be accessed from the SANS web site (http://www.sans.org)
**********************************************************************
Microsoft released two cumulative security patches last month, one
for Internet Explorer (MS02-015) and one for Internet Information
Server (MS02-018). The patches address critical vulnerabilities,
and users should apply the patches immediately to affected systems.
Also, please note that this will be the final issue of the SANS
Windows Digest. Much of the content of the Digest is addressed
in the SANS Security Alert Consensus, resulting in a fair amount
of duplicate effort. To subscribe to the Security Alert Consensus,
grab your SD number (next to your name at the top of this message)
and visit the URL below. You will be sent a personal URL via E-mail,
from which you can edit your SANS newsletter subscription information.
Change subscription information: http://www.sans.org/sansurl
More information about the weekly Security Alert Consensus can be
found at http://www.sans.org/newlook/digests/SAC.htm. Please use this
URL if you received this newsletter from a friend and do not already
subscribe to SANS newsletters.
The Windows Digest editorial board extends our thanks to all of our
readers for your support of the Digest over the years.
As always, please send comments and feedback to windows@sans.org.
JEK
**********************************************************************
"This is the best course I've taken in nearly 10 years in the IT
industry: best material, best relevance, best instructor."
Austin Troxell, Acclaim, Inc.
"No matter how well you think you know Windows security, there will
be some new, valuable information available in this course."
Gordon Taylor, Royal Bank
Take a SANS Windows security course from Jason Fossen in Boston,
Denver or New York or schedule a full in house class at your facility.
Boston: http://www.sans.org/SANSFIRE02/
Denver: http://www.sans.org/BeyondFirewalls/
New York: http://www.sans.org/BigApple/
**********************************************************************
Table of Contents
Section I: Articles and Features
1. Microsoft Security News
1.1 Microsoft releases security rollup package for Windows NT 4.0,
Terminal Server Edition.
1.2 Microsoft releases new Microsoft Baseline Security Analyzer.
1.3 Microsoft and IBM jointly propose web services security standards.
1.4 Shavlik Technologies offers free version of HfNetChkPro.
Section II: Security Alert Summary
2. Microsoft Security Bulletins
****CRITICAL Risk Bulletins
2.1 MS02-015 28 March 2002 Cumulative Patch for Internet Explorer
2.2 MS02-018 Cumulative Patch for Internet Information Services
(Q319733)
2.3 MS02-019 Unchecked Buffer in Internet Explorer and Office for
Mac Can Cause Code to Execute (Q321309)
*** HIGH Risk Bulletins
There were no HIGH risk bulletins issued this month.
** MODERATE Risk Bulletins
2.4 MS02-016 Q318593: Opening Group Policy Files for Exclusive Read
Blocks Policy Application
2.5 MS02-017 Q311967: Unchecked buffer in the Multiple UNC Provider
Could Enable Code Execution
2.6 MS02-020 SQL Extended Procedure Functions Contain Unchecked Buffers
(Q319507)
2.7 MS02-021 E-mail Editor Flaw Could Lead to Script Execution on
Reply or Forward (Q321804)
* LOW Risk Bulletins
There were no LOW risk bulletins issued this month.
3. Additional Microsoft Software Issues
3.1 Internet Explorer Issues
3.1.1 Microsoft Internet Explorer History List Script Injection
Vulnerability ("Back Button" Vulnerability)
3.1.2 Microsoft Internet Explorer Dialog Same Origin Policy Bypass
Vulnerability
3.2 Microsoft Office Issues
3.2.1 Microsoft Outlook IFrame Embedded URL Vulnerability
3.2.2 Microsoft Outlook IFrame Embedded Media Player File Vulnerability
3.2.3 Microsoft Outlook Javascript Execution Vulnerability
3.2.4 Microsoft Office Web Components Multiple Vulnerabilities
3.3 Other Microsoft Product Issues
3.3.1 Microsoft Temporary Internet File Execution Vulnerability
3.3.2 Microsoft IIS CodeBrws.ASP Sample Script Multiple Vulnerabilities
3.3.3 Microsoft Windows 2000 Lanman Denial of Service Vulnerability
3.3.4 Microsoft BackOffice Server Web Administration Authentication
Bypass Vulnerability
4. Virus Alerts
4.1 New Klez Worm Variant
4.2 Proof-of-concept "rivpas" virus first to affect SAP systems
5. Third-Party Software Issues
5.1 Buffer Overflows
5.1.1 Icecast AVLLib Buffer Overflow Vulnerability
5.1.2 Sambar Server Authentication Buffer Overflow Vulnerability
5.1.3 TalentSoft Web+ WML Request Cookie Buffer Overflow Vulnerability
5.2 Abyss Web Server Multiple Vulnerabilities
5.3 Apache Win32 Batch File Remote Command Execution Vulnerability
5.4 BitVise WinSSHD Numerous Connections DoS Vulnerability
5.5 ColdFusion DOS Device File Request System Information Disclosure
Vulnerability
5.6 CGISCRIPT.NET CGI Scripts Multiple Vulnerabilities
5.7 Demarc PureSecure Authentication Check SQL Injection Vulnerability
5.8 Foundstone FScan Banner Grabbing Format String Vulnerability
5.9 Funk Software Proxy Multiple Vulnerabilities
5.10 Hosting Controller Weak Permissions Checking Vulnerability
5.11 Lotus Domino MS-DOS Device Path Disclosure Vulnerability
5.12 Oracle 9i TNS Denial of Service Vulnerability
5.13 Qualcomm Eudora WebBrowser Control Embedded Media Player File
Vulnerability
5.14 Snitz Forums 2000 Members.ASP SQL Injection Vulnerability
5.15 Symantec Raptor / Enterprise Firewall FTP Bounce Vulnerability
5.16 WorkforceROI XPede Multiple Vulnerabilities
5.17 WWWIsis Multiple Vulnerabilities
5.18 ZoneLabs ZoneAlarm MailSafe Extension Dot Filtering Bypass
Vulnerability
6. Updates
6.1 MS02-006 Updated to include patches for Win98/Win98SE
**********************************************************************
Section I: Articles and Features
1. Microsoft Security News
1.1 Microsoft releases security rollup package for Windows NT 4.0,
Terminal Server Edition.
On April 25, Microsoft released its first Security Rollup Package
(SRP1) for Windows NT 4.0, Terminal Server Edition.
http://www.microsoft.com/technet/security/news/nt4tsesr.asp
++++++++++
1.2 Microsoft releases new Microsoft Baseline Security Analyzer.
On April 4, Microsoft released its new Microsoft Baseline Security
Analyzer (MBSA) tool. The new MBSA runs on Win2K or XP and is designed
to replace the Microsoft Personal Security Analyzer. It will check for
missing hotfixes using the HfNetChk tool, and also scans for common
vulnerabilities on the following systems: Windows NT 4.0, 2000,
and XP; IIS 4.0 and 5.0; SQL Server 7.0 and 2000; IE 5.01 and later;
and Office 2000 and 2002.
http://www.microsoft.com/technet/security/tools/Tools/MBSAhome.asp
++++++++++
1.3 Microsoft and IBM propose web services security standards.
In early April, Microsoft and IBM released a joint whitepaper outlining
their proposal for security standards for web-based services.
The paper emphasizes the use of existing standards such as XML,
SOAP, PKI, and Kerberos to provide vendor-neutral interoperability
and security.
http://msdn.microsoft.com/library/en-us/dnwssecur/html/securitywhitepaper.asp
++++++++++
1.4 Shavlik Technologies offers free version of HfNetChkPro.
Shavlik Technologies is offering a limited version of its HfNetChkPro
software free of charge. The free version is limited to scanning
a single machine at a time (local or remote). The software can be
downloaded from http://www.shavlik.com/security/prod_hffree.asp.
**********************************************************************
Section II: Security Alert Summary
2. Microsoft Security Bulletins
2.1 MS02-015 28 March 2002 Cumulative Patch for Internet Explorer
- released 28 March 2002
- revised 8 April 2002
Risk: ****CRITICAL
- Internet systems: CRITICAL
- Intranet systems: CRITICAL
- Client systems: CRITICAL
Impact: Run code of attacker's choice
Systems Affected:
- Internet Explorer 6.0
- Internet Explorer 5.5
- Internet Explorer 5.01
- Previous versions are no longer supported, were not tested, and
may or may not be vulnerable. Note that Microsoft ONLY supports IE
5.01 at SP2 or higher, and ONLY on NT 4.0 and Windows 2000.
Summary:
Microsoft has released a patch intended to address all known
vulnerabilities in Internet Explorer to date, with the exception of
the VBScript vulnerability addressed in MS00-009 (a separate patch is
available for that vulnerability). In addition, this patch addresses
two new vulnerabilities:
1. Cookie-based script execution. Andreas Sandblad discovered a
vulnerability in the way that IE handles HTML scripts embedded in
cookies. Under normal conditions, scripts should be executed in the
Security Zone of the originating web site (normally the Internet Zone).
Embedding an HTML script in a cookie will cause the script to be
saved to the user's hard drive, such that when the web site opens the
cookie, the script will execute in the Local Computer Zone instead,
with the privileges of the logged-in user. (NOTE: IE 5.01 SP2 is NOT
vulnerable to this issue.)
2. Local executable invocation via object tag. The CODEBASE
HTML tag is used to specify a location for downloading "helper"
applications for displaying web content where those applications may
not be present on the user's system. A flaw in the way IE handles
the CODEBASE tag causes programs invoked using the tag to be run in
the Local Computer Zone instead of the Zone of the originating site
(normally the Internet Zone). As a result, an attacker could use a
malicious web site or HTML email to run an executable located on the
victim's machine. The attacker would need to know the location of
the executable, and would not be able to pass any parameters to the
program. Users running Outlook 2002, Outlook Express 6, or Outlook
98 or 2000 with the email security patch installed are protected from
the email-borne version of this exploit.
Details:
* MS02-015 (including patch information and availability):
http://www.microsoft.com/technet/security/bulletin/ms02-015.asp
* Knowledge Base Articles:
- Q319182: MS02-015: March 28, 2002
Cumulative Patch for Internet Explorer,
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q319182
* CVE Information:
- Cookie-based script execution: CAN-2002-0078,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0078
- Local executable invocation via object tag: CAN-2002-0077,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0077
* Additional references:
- Original bulletin on Object Tag vulnerability:
http://marc.theaimsgroup.com/?l=bugtraq&m=101103188711920&w=2
++++++++++
2.2 MS02-018 Cumulative Patch for Internet Information Services
(Q319733)
- released 10 April 2002
- revised 11 April 2002
- revised 12 April 2002
Risk: ****CRITICAL
- Internet systems: CRITICAL
- Intranet systems: CRITICAL
- Client systems: MODERATE
Impact: Run code of attacker's choice
Systems Affected:
- Internet Information Server (IIS) 4.0
- Internet Information Server (IIS) 5.0
- Internet Information Server (IIS) 5.1 (ships with Windows XP
Professional)
- Internet Information Server (IIS) 6.0 - this affects users running
the BETA version of .NET Server PRIOR to Build 3605.
- Previous versions are no longer supported, were not tested, and
may or may not be vulnerable.
Summary:
Microsoft has released a patch intended to address all known
vulnerabilities in Internet Information Server (IIS) to date, including
several non-security fixes described in Q319733. In addition, this
patch addresses ten new security vulnerabilities. (NOTE: The patch
does NOT address four IIS 4.0 vulnerabilities that must be corrected
by "administrative action," nor does it address vulnerabilities
in add-on products such as Front Page Extensions or Index Server.
See MS02-018 for details.)
1. Buffer overrun in Chunked Encoding mechanism. The HTTP
specification allows clients to transmit large amounts of data to a web
server by encoding them in "chunks" of a size defined by the client.
eEye Digital Security discovered that an arithmetic error in the ISAPI
extension that handles chunks via Active Server Pages causes IIS
to miscalculate the size of the buffer needed to handle the chunk.
This creates a buffer overrun condition where an attacker could cause
the IIS service to crash, or possibly execute code in the context of
the IIS server (by default, SYSTEM on IIS 4.0 and IWAM_machinename on
IIS 5.0). IIS 5.1 is NOT affected by this vulnerability. Users who
have configured IIS to serve static pages only (i.e., by using the
IISLockdown tool) are also not affected. This attack could be blocked
by using Microsoft's URLScan tool.
2. Microsoft-discovered variant of Chunked Encoding buffer overrun.
This vulnerability is similar to the preceding one, but it affects all
versions of IIS (4.0, 5.0, and 5.1) and cannot be blocked by URLScan.
Microsoft did not release any additional details on this vulnerability.
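The chunk-size arithmetic behind items 1 and 2 is the kind of calculation a server must bound before it sizes or fills a buffer. The C example below is added here for illustration; it is not code from the Digest, from IIS or from eEye. It parses chunk-size lines with an overflow check on every hex digit, caps each chunk and the running body total (the limits MAX_CHUNK_SIZE and MAX_BODY_SIZE and all function names are assumed values chosen for the example), and refuses to copy data that either the input or the output buffer cannot hold:

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not IIS code. Limits are assumptions for illustration. */
#define MAX_CHUNK_SIZE (64u * 1024u)    /* assumed per-chunk limit */
#define MAX_BODY_SIZE  (1024u * 1024u)  /* assumed total body limit */

typedef enum {
    CHUNK_OK = 0,
    CHUNK_ERR_SYNTAX,    /* no hex digits or missing CRLF */
    CHUNK_ERR_OVERFLOW   /* size would overflow or exceed a limit */
} chunk_status;

/* Parse one chunk-size line ("<hex>[;ext]\r\n") from line[0..len).
 * The value is checked before every shift so it can never wrap, and it is
 * rejected if it exceeds MAX_CHUNK_SIZE or pushes the body total past
 * MAX_BODY_SIZE. */
chunk_status parse_chunk_size(const char *line, size_t len,
                              size_t total_so_far, size_t *out)
{
    size_t value = 0, i = 0;
    int ndigits = 0;

    while (i < len && isxdigit((unsigned char)line[i])) {
        char c = line[i];
        unsigned d = (c >= '0' && c <= '9') ? (unsigned)(c - '0')
                   : (unsigned)(tolower((unsigned char)c) - 'a' + 10);
        /* value * 16 + d must stay <= MAX_CHUNK_SIZE; test before computing. */
        if (value > (MAX_CHUNK_SIZE - d) / 16)
            return CHUNK_ERR_OVERFLOW;
        value = value * 16 + d;
        ndigits++;
        i++;
    }
    if (ndigits == 0)
        return CHUNK_ERR_SYNTAX;
    while (i < len && line[i] != '\r')      /* skip any chunk-extension */
        i++;
    if (i + 1 >= len || line[i] != '\r' || line[i + 1] != '\n')
        return CHUNK_ERR_SYNTAX;
    if (value > MAX_BODY_SIZE - total_so_far) /* guard the aggregate too */
        return CHUNK_ERR_OVERFLOW;
    *out = value;
    return CHUNK_OK;
}

/* Decode a complete chunked body from in[0..inlen) into out[0..outcap).
 * Each copy is preceded by a check that the input really carries the
 * claimed bytes and that the output has room for them. */
chunk_status decode_chunked(const char *in, size_t inlen,
                            char *out, size_t outcap, size_t *outlen)
{
    size_t pos = 0, written = 0;
    for (;;) {
        const char *lf = memchr(in + pos, '\n', inlen - pos);
        if (!lf)
            return CHUNK_ERR_SYNTAX;
        size_t linelen = (size_t)(lf - (in + pos)) + 1, sz;
        chunk_status st = parse_chunk_size(in + pos, linelen, written, &sz);
        if (st != CHUNK_OK)
            return st;
        pos += linelen;
        if (sz == 0) {                        /* last-chunk; trailers ignored */
            *outlen = written;
            return CHUNK_OK;
        }
        if (inlen - pos < sz + 2 || in[pos + sz] != '\r' || in[pos + sz + 1] != '\n')
            return CHUNK_ERR_SYNTAX;          /* input shorter than claimed */
        if (outcap - written < sz)
            return CHUNK_ERR_OVERFLOW;        /* output cannot hold the chunk */
        memcpy(out + written, in + pos, sz);
        written += sz;
        pos += sz + 2;
    }
}

/* Wrappers returning plain values: decoded length (or -1) and size status. */
long decode_len(const char *body)
{
    char out[256]; size_t n;
    return decode_chunked(body, strlen(body), out, sizeof out, &n) == CHUNK_OK ? (long)n : -1;
}
int size_status(const char *line)
{
    size_t v;
    return (int)parse_chunk_size(line, strlen(line), 0, &v);
}

/* A chunk that really carries 512 bytes, offered a 256-byte output buffer,
 * must be refused; returns 1 when it is. Body is constructed in place. */
int oversize_chunk_rejected(void)
{
    char body[5 + 512 + 7], out[256]; size_t n, pos = 5;
    memcpy(body, "200\r\n", 5);
    memset(body + pos, 'A', 512); pos += 512;
    memcpy(body + pos, "\r\n0\r\n\r\n", 7); pos += 7;
    return decode_chunked(body, pos, out, sizeof out, &n) == CHUNK_ERR_OVERFLOW;
}

int main(void)
{
    printf("roundtrip=%ld oversize_rejected=%d huge_size_status=%d\n",
           decode_len("5\r\nhello\r\n0\r\n\r\n"), oversize_chunk_rejected(),
           size_status("FFFFFFFFFFFFFFFF\r\n"));
    return 0;
}
```

The design point is that the size is never trusted on its own: the hex parse cannot wrap, the chunk and body caps are applied before any allocation, and the copy is gated on both the bytes actually present and the space actually available, which is the check the miscalculation described above bypassed.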
3. Buffer overrun in HTTP header handling. When a client sends a
request to a web server, it includes various parameters in the HTTP
headers. Each header is bounded by delimiting characters, and IIS
normally checks for the existence of those characters to determine
that they are present and that each header is an appropriate length.
Serge Mister of Entrust discovered a vulnerability where it is
possible to spoof the normal checking that IIS performs so that IIS
would consider the headers valid when they were not. An attacker
could exploit this to send excess data to the server within the HTTP
headers, resulting in a buffer overrun that could crash the IIS service
or possibly run code in the context of the IIS server (SYSTEM on IIS
4.0, IWAM_machinename on IIS 5.0/5.1). Users who have configured
IIS to serve static pages only (i.e., using the IISLockdown tool) are
not vulnerable. URLScan can also be used to block this type of attack.
4. Buffer overrun in ASP Server-Side Include function. Microsoft has
discovered a flaw in the way that IIS handles file name requests as
part of Active Server Pages using Server-Side includes. An attacker
could craft a URL that requested an overly long, invalid file name.
When processed as part of a server-side include the file name length
is not checked before it is parsed, allowing an attacker to disrupt
the IIS service or possibly run code in the context of the IIS server
(SYSTEM on IIS 4.0, IWAM_machinename on IIS 5.0/5.1). Users who have
configured IIS to serve static pages only (i.e., using the IISLockdown
tool) are not vulnerable. URLScan can also be used to block this
type of attack.
5. Buffer overrun in HTR ISAPI extension. Dave Aitel of @Stake and
Peter Grundl of KPMG have discovered a vulnerability in the way
that the HTR ISAPI extension calculates the buffer required to handle
requests. Due to the miscalculation, an attacker could send a series
of malformed requests to the server and take advantage of this buffer
overrun condition to crash the IIS server or possibly run code in the
context of the IIS server (SYSTEM on IIS 4.0, IWAM_machinename on IIS
5.0). IIS 5.1 is NOT affected by this vulnerability. HTR extensions
are used primarily to enable web-based password management; Microsoft
recommends that they be disabled.
6. Access violation in URL error handling. Dave Aitel of @Stake has
discovered a flaw in the way IIS handles particular error conditions.
When one of the ISAPI filters installed with Front Page Server
Extensions or Microsoft ASP.NET receives a request for a URL that is
too long, IIS mishandles the error, resulting in an access violation
that will crash the IIS service and cause a denial of service.
7. Denial of service via FTP status request. A flaw in the way that
IIS processes requests for the status of an FTP connection would allow
an attacker to crash the FTP service by sending a specially malformed
request to the server. Because FTP services are provided by IIS,
the attacker could crash the IIS service via this attack as well.
8. - 10. Three cross-site scripting vulnerabilities (in the IIS Help
File search facility, in HTTP error pages, and in the IIS redirect
response message). IIS 4.0 is NOT affected by the vulnerability
in the IIS Help File search facility. Cross-site scripting
vulnerabilities in various IIS components could allow an attacker
to create a malicious web site that would run a script in the user's
browser in the context of a third-party web site. The script would
be able to access information in any cookies from the third-party
site, and might also be able to take other action on the user's
machine, depending on the security context of the third-party site.
These vulnerabilities were discovered by Joe Smith and zenomorph,
Thor Larholm, and Keigo Yamazaki, respectively.
Details:
* MS02-018(including patch information and availability):
http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
* Knowledge Base Articles:
- Q319733: MS02-018: April 2002 Cumulative
Patch for Internet Information Services,
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q319733
* CVE Information:
- Buffer overrun in Chunked Encoding mechanism: CAN-2002-0079,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0079
- Microsoft-discovered variant of Chunked
Encoding buffer overrun: CAN-2002-0147,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0147
- Buffer overrun in HTTP header handling: CAN-2002-0150,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0150
- Buffer overrun in ASP Server-Side Include function: CAN-2002-0149,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0149
- Buffer overrun in HTR ISAPI extension: CAN-2002-0071,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0071
- Access violation in URL error handling: CAN-2002-0072,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0072
- Denial of service via FTP status request: CAN-2002-0073,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0073
- Cross-site scripting in IIS Help File search facility: CAN-2002-0074,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0074
- Cross-site scripting in HTTP error page: CAN-2002-0148,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0148
- Cross-site scripting in Redirect Response message: CAN-2002-0075,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0075
* Additional references:
- CERT Advisory: CA-2002-09 Multiple Vulnerabilities in Microsoft
IIS (includes links to individual CERT Vulnerability Notes),
http://www.cert.org/advisories/CA-2002-09.html
- ISS Alert: Multiple Remote Vulnerabilities in Microsoft IIS,
http://www.iss.net/security_center/alerts/advise114.php
- eEye Security original advisory:
http://www.eeye.com/html/Research/Advisories/AD20020410.html
- Original @Stake advisory:
http://www.atstake.com/research/advisories/2002/a041002-1.txt
- Original KPMG advisories:
http://marc.theaimsgroup.com/?l=bugtraq&m=101854087828265&w=2,
http://marc.theaimsgroup.com/?l=bugtraq&m=101853851025208&w=2
- Thor Larholm's original advisory: http://jscript.dk/adv/TL001/
- Keigo Yamazaki's original advisory:
http://marc.theaimsgroup.com/?l=bugtraq&m=101854677802990&w=2
++++++++++
2.3 MS02-019 Unchecked Buffer in Internet Explorer and Office for
Mac Can Cause Code to Execute (Q321309)
- released 16 April 2002
Risk: ****CRITICAL
- Internet systems: NONE
- Intranet systems: NONE
- Client systems: CRITICAL
Impact: Run code of attacker's choice
Systems Affected:
- Internet Explorer 5.1 for Macintosh OS 8, 9, and X
- Outlook Express 5.0 - 5.0.3 for Macintosh
- Microsoft Entourage 2001 and X for Macintosh
- Microsoft PowerPoint 98, 2001, and X for Macintosh
- Microsoft Excel 2001 and X for Macintosh
- Previous versions are no longer supported, were not tested, and
may or may not be vulnerable.
Summary:
Microsoft has released a patch intended to address all known
vulnerabilities in Internet Explorer 5.1 for Macintosh and Office
98, 2001 and X for Macintosh. In addition, this patch addresses two
new vulnerabilities:
1. Unchecked buffer in HTML element. A buffer overflow exists in the
way that Internet Explorer and Office (which supports HTML) handle a
particular HTML element. An attacker could craft a malicious web page
or HTML email to exploit this buffer overflow, causing the application
to crash or possibly executing code of the attacker's choice on the
victim machine in the context of the currently logged-in user.
2. Local AppleScript invocation. A flaw exists in the way IE handles
HTML elements that invoke AppleScripts. An attacker could craft a
malicious web page or HTML email that invoked a local AppleScript via a
particular HTML element. Invoking the script in this way would cause
IE to execute the script in the (more restrictive) browser context,
allowing the attacker to bypass the stricter security checks that
would normally be run on a locally-executed script. The attacker
would have to know the full path and file name of the AppleScript.
This vulnerability only affects IE 5.1 for Mac OS 8 and 9.
Details:
* MS02-019 (including patch information and availability):
http://www.microsoft.com/technet/security/bulletin/ms02-019.asp
* Knowledge Base Articles:
- Q321309: MS02-019: Security Vulnerabilities in Internet
Explorer and Office for Mac Can Cause Code to Run,
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q321309
* CVE Information:
- Unchecked buffer in HTML element: CAN-2002-0152,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0152
- Local AppleScript invocation: CAN-2002-0153,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0153
* Additional references:
- Original w00w00 advisory:
http://www.w00w00.org/files/advisories/ms_macos.txt
++++++++++
2.4 MS02-016 Q318593: Opening Group Policy Files for Exclusive Read
Blocks Policy Application
- released 4 April 2002
- revised 8 April 2002
Risk: ** MODERATE
- Internet systems: LOW
- Intranet systems: MODERATE
- Client systems: NONE
Impact: Block application of Group Policy
Systems Affected:
- Windows 2000 Server, Advanced Server, and Datacenter Server
Summary:
A malicious user could open the files used to configure and apply
Group Policy for exclusive read access. Because the files are locked
by the exclusive read operation, Group Policy settings would not be
applied to subsequent user or computer logins, as long as the policy
files remained locked. An attacker would need to have a legitimate
user account in order to carry out this attack.
Details:
* MS02-016 (including patch information and availability):
http://www.microsoft.com/technet/security/bulletin/ms02-016.asp
* Knowledge Base Articles:
- Q318593, MS02-016: Opening Group Policy Files
for Exclusive Read Blocks Policy Application,
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q318593
* CVE Information:
- CAN-2002-0051,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0051
* Additional references:
- Original 3APA3A advisory:
http://online.securityfocus.com/archive/1/244329
++++++++++
2.5 MS02-017 Q311967: Unchecked buffer in the Multiple UNC Provider
Could Enable Code Execution
- released 4 April 2002
Risk: ** MODERATE
- Internet systems: LOW
- Intranet systems: MODERATE
- Client systems: MODERATE
Impact: Privilege elevation, run code of attacker's choice
Systems Affected:
- Windows NT 4.0 and NT 4.0 Terminal Server Edition
- Windows 2000 and Windows 2000 Terminal Services
- Windows XP
- Previous versions are no longer supported, were not tested, and
may or may not be vulnerable.
Summary:
NSFocus has discovered a buffer overrun condition in the Multiple
Universal Naming Convention (UNC) Provider. A locally logged on user
could submit a specially malformed request for a resource (such as
a file) using a UNC name, overrunning the buffer to crash the system
or possibly run code of the attacker's choice in the SYSTEM context.
Details:
* MS02-017 (including patch information and availability):
http://www.microsoft.com/technet/security/bulletin/ms02-017.asp
* Knowledge Base Articles:
- Q311967, MS02-017: Unchecked Buffer in the Multiple UNC Provider,
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q311967
* CVE Information:
- CAN-2002-0151,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0151
* Additional references:
- Original NSFocus bulletin:
http://www.nsfocus.com/english/homepage/sa2002-02.htm
++++++++++
2.6 MS02-020 SQL Extended Procedure Functions Contain Unchecked Buffers
(Q319507)
- released 17 April 2002
Risk: ** MODERATE
- Internet systems: MODERATE
- Intranet systems: MODERATE
- Client systems: MODERATE
Impact: Run code of attacker's choice
Systems Affected:
- Microsoft SQL Server 7.0
- Microsoft SQL Server 2000
- Previous versions are no longer supported, have not been tested,
and may or may not be vulnerable.
Summary:
An extended stored procedure is an external routine written in a
programming language such as C. These procedures can be called and
executed by various SQL Server procedures. Several of the external
stored procedures included in SQL Server by default contain unchecked
buffers. An attacker who could call one of the affected procedures,
either locally or through a web page front end, could overrun the
buffer to crash the system or possibly execute code in the context
of the SQL Server (by default, SQL Server runs as a domain user).
Details:
* MS02-020 (including patch information and availability):
http://www.microsoft.com/technet/security/bulletin/ms02-020.asp
* Knowledge Base Articles:
- Q319507, FIX: SQL Extended Procedure
Functions Contain Unchecked Buffers,
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q319507
* CVE Information:
- CAN-2002-0154,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0154
* Additional references:
- Original Cesar Cerrudo advisory:
http://marc.theaimsgroup.com/?l=bugtraq&m=101535353331625&w=2
- Original @Stake advisory:
http://www.atstake.com/research/advisories/2001/a122001-1.txt
++++++++++
2.7 MS02-021 E-mail Editor Flaw Could Lead to Script Execution on
Reply or Forward (Q321804)
- released 25 April 2002
Risk: ** MODERATE
- Internet systems: NONE
- Intranet systems: NONE
- Client systems: MODERATE
Impact: Run code of attacker's choice
Systems Affected:
- Microsoft Outlook 2000
- Microsoft Outlook 2002
- Previous versions are no longer supported, were not tested, and
may or may not be vulnerable.
Summary:
A flaw in the way Outlook 2000 and 2002 apply security settings could
allow an attacker to create a malicious HTML email containing a script
that would be executed in the context of the currently logged on
user if the user replied to or forwarded the message. When a user
reads an HTML email, the HTML is rendered using Internet Explorer
Security Zone settings that prevent script execution. However,
if a user replies to or forwards the message, and the user is using
Microsoft Word as their email editor, the HTML message is opened in
Word for editing and the script is allowed to run.
Details:
* MS02-021 (including patch information and availability):
http://www.microsoft.com/technet/security/bulletin/ms02-021.asp
* Knowledge Base Articles:
- Q321804. Microsoft has listed this KB article as describing the
vulnerability, but it was not available at the time of publication
(27 April 2002).
* CVE Information:
- CAN-2002-1056,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1056
* Additional references:
- Original Georgi Guninski advisory:
http://www.guninski.com/m$oxp-2.html
+-+-+-+-+-+-+-+-+-+-+
3. Additional Microsoft Software Issues
3.1 Internet Explorer Issues
3.1.1 Microsoft Internet Explorer History List Script Injection
Vulnerability ("Back Button" Vulnerability)
* Risk: MODERATE
* Impact: Run code in weaker security context
* Summary: Internet Explorer will store javascript: URLs in the
browser's History list. Javascript: URLs are normally executed in
the security zone of the last viewed page. However, a user could
navigate to a javascript: URL by calling it from the browser history
list (i.e., by clicking the "Back" button). This could result in the
script executing in the security zone of a different page, possibly
with more permissive security settings.
* More Information:
- Bugtraq: http://www.securityfocus.com/bid/4505
- Original Sandblad advisory: http://online.securityfocus.com/archive/1/267561
* Discovered by: Andreas Sandblad
++++++++++
3.1.2 Microsoft Internet Explorer Dialog Same Origin Policy Bypass
Vulnerability
* Risk: MODERATE
* Impact: Run code in weaker security context
* Summary: Internet Explorer uses the showModalDialog and
showModelessDialog methods to display dialog boxes on web pages.
The dialogArguments property enforces security by ensuring that
the information displayed in the dialog box originates from the same
domain as the calling page. However, if the URL that calls the dialog
includes a redirect from the calling page to a secondary page, the
security checks are not performed on the secondary page. This could
allow an attacker to insert executable code from an untrusted site
into the dialog box.
* More Information:
- Bugtraq: http://www.securityfocus.com/bid/4527
- Larholm advisory: http://jscript.dk/adv/TL002/
* Discovered by: Thor Larholm
++++++++++
3.2 Microsoft Office Issues
3.2.1 Microsoft Outlook IFrame Embedded URL Vulnerability
* Risk: LOW
* Impact: Initiate download of unknown files
* Summary: Microsoft Outlook 2002 will automatically attempt to access
URLs embedded in IFrame tags within an HTML email message. If the URL
pointed to a downloadable file, the Outlook user would be prompted
to download the file as soon as he or she opened the email message.
The user would have to actually accept the file download and/or run
or open the malicious file.
* More Information:
- Bugtraq: http://www.securityfocus.com/bid/4334
- Smith advisory: http://online.securityfocus.com/archive/1/263304
* Discovered by: Richard M. Smith
++++++++++
3.2.2 Microsoft Outlook IFrame Embedded Media Player File Vulnerability
* Risk: MODERATE
* Impact: Automatic execution of code
* Summary: Microsoft Outlook 2002 will automatically attempt to access
URLs embedded in IFrame tags within an HTML email message. If the
URL points to a Windows Media Player file, any javascript commands
embedded in the file may execute when the email message is viewed.
* More Information:
- Bugtraq: http://www.securityfocus.com/bid/4340
- Smith advisory: http://online.securityfocus.com/archive/1/263429
* Discovered by: Richard M. Smith
++++++++++
3.2.3 Microsoft Outlook Javascript Execution Vulnerability
* Risk: MODERATE
* Impact: Automatic execution of code
* Summary: Microsoft Outlook will execute Javascript that is
embedded in an about: or javascript: URL of an HREF tag included in
an HTML email, even if scripting is disabled in Internet Explorer.
An attacker could include such a URL in a malicious email and the
script would be executed if the victim clicked on the URL.
* More Information:
- Bugtraq: http://www.securityfocus.com/bid/4337
- Smith advisory: http://online.securityfocus.com/archive/1/263304
* Discovered by: Richard M. Smith
++++++++++
3.2.4 Microsoft Office Web Components Multiple Vulnerabilities
* Risk: MODERATE
* Impact: Information disclosure, execution of code
* Summary: Office Web Components are a series of ActiveX objects that
provide Office functionality to web pages. Various vulnerabilities
that could be used by malicious web pages have been reported with
these ActiveX components. Vulnerabilities include the ability to
verify the existence of local files of a known location; read local
files of a known location; control the clipboard; or execute arbitrary
script even if scripting is disabled.
* More Information:
- Active Script Execution Vulnerability,
http://www.securityfocus.com/bid/4449
- Local File Read Vulnerability, http://www.securityfocus.com/bid/4453
- Chart Local File Existence Disclosure Vulnerability,
http://www.securityfocus.com/bid/4454
- Spreadsheet XMLURL Local File Existence Disclosure Vulnerability,
http://www.securityfocus.com/bid/4455
- DataSourceControl ConnectionFile Local File Existence Disclosure
Vulnerability, http://www.securityfocus.com/bid/4456
- Clipboard Information Disclosure Vulnerability,
http://www.securityfocus.com/bid/4457
- GreyMagic advisories: http://security.greymagic.com/adv/gm005-ie/,
http://security.greymagic.com/adv/gm006-ie/,
http://security.greymagic.com/adv/gm007-ie/,
http://security.greymagic.com/adv/gm008-ie/
* Discovered by: GreyMagic Software
++++++++++
3.3 Other Microsoft Product Issues
3.3.1 Microsoft Temporary Internet File Execution Vulnerability
* Risk: HIGH
* Impact: execution of code
* Summary: Internet Explorer and other HTML-enabled applications
store external files in Temporary Internet Files (TIFs). It may be
possible to encapsulate a set of malicious files using MIME base-64
encoding such that they are transferred to a known location as TIFs
and subsequently executed.
* More Information:
- Bugtraq: http://www.securityfocus.com/bid/4387
- Original advisory: http://online.securityfocus.com/archive/1/264590
++++++++++
3.3.2 Microsoft IIS CodeBrws.ASP Sample Script Multiple Vulnerabilities
* Risk: LOW
* Impact: Information disclosure
* Summary: The CodeBrws.asp sample script included with IIS 5.0
contains multiple vulnerabilities. These include the ability to
display files whose extensions are not among the intended set (.htm,
.html, .asp, or .inc), and the ability to navigate outside the web root using
Unicode representations for directory traversal. Good security
practices dictate that sample scripts should be removed from any
production server.
* More Information:
- Source Code Disclosure Vulnerability,
http://www.securityfocus.com/bid/4525
- File Extension Check Out By One Vulnerability,
http://www.securityfocus.com/bid/4543
* Discovered by: Chris Anley, HD Moore
++++++++++
3.3.3 Microsoft Windows 2000 Lanman Denial of Service Vulnerability
* Risk: LOW
* Impact: Denial of service
* Summary: Sending malformed data packets to TCP port 445 on a
Windows 2000 system can cause the LanMan service to allocate kernel
memory and consume 100% CPU usage, causing a denial of service.
Microsoft has released Q320751 describing a workaround to the problem.
Good security practices dictate blocking TCP port 445 at the perimeter.
* More Information:
- KPMG Advisory: http://online.securityfocus.com/archive/1/268066
- Bugtraq: http://www.securityfocus.com/bid/4532
- Microsoft Knowledge Base:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320751
* Discovered by: Peter Grundl, KPMG
++++++++++
3.3.4 Microsoft BackOffice Server Web Administration Authentication
Bypass Vulnerability
* Risk: MODERATE
* Impact: Bypass authentication
* Summary: It is possible to bypass the authentication page in the
BackOffice Server Web Administrator component by submitting a URL
request directly for the services.asp page. This attack only works
if the server is set for "basic" authentication. Also, by default the
Web Administrator only allows connections from localhost (127.0.0.1).
A patch is available from Microsoft.
* More Information:
- Bugtraq: http://www.securityfocus.com/bid/4528
- Original advisory: http://www.ngssoftware.com/advisories/boa.txt
- Microsoft Knowledge Base (including patch location):
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q316838
* Discovered by: David Litchfield
+-+-+-+-+-+-+-+-+-+-+
4. Virus Alerts
4.1 New Klez Worm Variant
A new variant of the Klez worm (w32.klez) has been circulating in the
wild. The code for the new variant has been sufficiently modified that
it may elude anti-virus software patched against earlier versions of
the worm. The Klez worm arrives as an email with a random subject line
and randomly-named attachment. The worm uses a mass-emailing routine
to propagate, copies itself to local and mapped drives, and attempts
to disable common anti-virus software. During the mass-mailing
process, the worm randomly attaches a file from the local system to
the outbound message, possibly releasing confidential information.
Finally, the worm drops a copy of the Elkern virus (w32.elkern)
for execution, which may crash the computer or destroy all files on
local hard drives based on a date trigger. The virus attempts to
take advantage of the vulnerability described in Microsoft security
bulletin MS01-020, and may execute automatically on systems running
unpatched versions of Internet Explorer.
More information:
- ISS Alert: Outbreak of Klez Family Hybrid Threats,
http://www.iss.net/security_center/alerts/advise115.php
- Symantec Klez writeup:
http://www.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
- McAfee Klez writeup: http://vil.nai.com/vil/content/v_99455.htm
- Symantec Elkern writeup:
http://securityresponse.symantec.com/avcenter/venc/data/w32.elkern.3326.html
- McAfee Elkern writeup: http://vil.nai.com/vil/content/v_99238.htm
- Microsoft Security Bulletin MS01-020:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
++++++++++
4.2 Proof-of-concept "rivpas" virus first to affect SAP systems
Anti-virus vendors received a non-working copy of what appears to be
the first proof-of-concept virus written specifically to affect SAP
R/3 business information systems. The Rivpas (ABAP.rivpas) virus
was written in the Advanced Business Application Programming (ABAP)
More information:
- Symantec writeup:
http://securityresponse.symantec.com/avcenter/venc/data/abap.rivpas.a.html
- McAfee writeup: http://vil.nai.com/vil/content/v_99453.htm
+-+-+-+-+-+-+-+-+-+-+
5. Third-Party Software Issues
5.1 Buffer Overflows
* Risk: HIGH
Buffer overflows can generally be used to execute arbitrary code
on the victim host; as such, they should be considered HIGH risk.
Many buffer overflows are discovered each month. We report the ones
we know about here. In addition, we have tried to give you a little
more information in a concise format. To that end, certain items are
marked with an (F) and/or (E). (E) means that an exploit for this issue
is publicly available. (F) means that a fix is currently available.
++++++++++
5.1.1 Icecast AVLLib Buffer Overflow Vulnerability (E,F)
* Summary: Icecast does not properly validate input received from
a client. A client could submit an overly long string of data
to the Icecast server, possibly allowing execution of code in the
server context. Users should upgrade to the latest version of Icecast
(if available). A workaround is also available.
* More Information:
- Bugtraq: http://www.securityfocus.com/bid/4415
- CVE: CAN-2002-0177,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0177
- Icecast home page: http://www.icecast.org
++++++++++
5.1.2 Sambar Server Authentication Buffer Overflow (F)
* Summary: The Sambar web server contains a buffer overflow in the
code that handles authentication. If an overly long username and/or
password are submitted to the server, it is possible to overwrite
stack memory and execute code in the SYSTEM context. A patch is
available from the vendor.
* More Information:
- Litchfield advisory: http://www.nextgenss.com/advisories/sambar.txt
- Bugtraq: http://www.securityfocus.com/bid/4404
- Sambar Server home page: http://www.sambar.com
* Discovered by: Mark Litchfield
++++++++++
5.1.3 TalentSoft Web+ WML Request Cookie Buffer Overflow Vulnerability
(F)
* Summary: TalentSoft Web+ contains a buffer overflow condition.
By requesting a WML file and providing an overly long cookie, it
is possible to execute arbitrary code in the context of the web
server (by default, SYSTEM if TalentSoft is running on IIS 4.0,
IWAM_machinename if it is running on IIS 5.0).
* More Information:
- Litchfield advisory:
http://www.nextgenss.com/advisories/webplus3.txt
- Bugtraq: http://www.securityfocus.com/bid/4530
- Talentsoft home page: http://www.talentsoft.com
* Discovered by: David Litchfield
++++++++++
5.2 Abyss Web Server Multiple Vulnerabilities
* Risk: MODERATE
* Impact: Information disclosure
* Summary: Abyss Web Server contains two vulnerabilities. First, the
administrative password is stored in plain text in the configuration
file. Second, the server is vulnerable to "dot dot slash" directory
traversal attacks, which could allow an attacker to view a file
(including the configuration file) at a known location.
* More Information:
- Bugtraq: Plaintext Administrative Password Vulnerability,
http://www.securityfocus.com/bid/4467
- Bugtraq: File Disclosure Vulnerability,
http://www.securityfocus.com/bid/4466
- Aprelium Software home page:
http://www.aprelium.com/abyssws/index.html
* Discovered by: Jeremy Roberts
++++++++++
5.3 Apache Win32 Batch File Remote Command Execution Vulnerability
* Risk: MODERATE
* Impact: Execution of code
* Summary: Apache web server for Windows does not properly filter
special characters such as | when calling batch files via the web
interface. This may enable an attacker to execute arbitrary code in
the context of the web server (usually SYSTEM). Users should upgrade
to version 1.3.24.
* More Information:
- Bugtraq: http://www.securityfocus.com/bid/4335
- CVE: CAN-2002-0061,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0061
- Apache home page: http://httpd.apache.org/
* Discovered by: Ory Segal
++++++++++
5.4 BitVise WinSSHD Numerous Connections DoS Vulnerability
* Risk: LOW
* Impact: Denial of service
* Summary: Establishing numerous incomplete connections to a WinSSHD
server may cause the server to stop accepting new connections, causing
a denial of service. Users should upgrade to the latest version of
the software.
* More Information:
- Bugtraq: http://www.securityfocus.com/bid/4300
- BitVise web site: http://www.bitvise.com/existing-users.html
++++++++++
5.5 ColdFusion DOS Device File Request System Information Disclosure
Vulnerability
* Risk: LOW
* Impact: Information disclosure
* Summary: On Windows versions of ColdFusion, submitting a request
for an invalid .cfm or .dbm file will generate an error message that
contains the location of the web root. The problem can be mitigated
by editing the Site-Wide Error Handling template to specify what is
displayed in error messages.
* More Information:
- KPMG Advisory: http://online.securityfocus.com/archive/1/268263
- Bugtraq: http://www.securityfocus.com/bid/4542
- Allaire (Macromedia) home page: http://www.macromedia.com
* Discovered by: Peter Grundl, KPMG
++++++++++
5.6 CGISCRIPT.NET CGI Scripts Multiple Vulnerabilities
* Risk: HIGH
* Impact: Execution of code
* Summary: CGISCRIPT.NET provides multiple CGI scripts to run on
Unix and Windows web servers. Vulnerabilities have been discovered
in numerous scripts. These vulnerabilities could allow an attacker
to run Perl script in the context of the web server. Users should
upgrade to the latest version of the affected script, if available.
* More Information:
- CSSearch Remote Command Execution Vulnerability,
http://www.securityfocus.com/bid/4368
- CSNews Professional Remote Command Execution Vulnerability,
http://www.securityfocus.com/bid/4451
- CSChat-R-Box Remote Command Execution
Vulnerability, http://www.securityfocus.com/bid/4452
- CSLiveSupport Remote Command Execution Vulnerability,
http://www.securityfocus.com/bid/4450
- CGISCRIPT.NET download page:
http://www.cgiscript.net/download/download.htm
* Discovered by: Steve Gustin
++++++++++
5.7 Demarc PureSecure Authentication Check SQL Injection Vulnerability
* Risk: HIGH
* Impact: Privilege elevation
* Summary: Demarc PureSecure provides network monitoring functions
and also runs as a graphical front end to Snort. Demarc will accept
user input to construct SQL statements, which could allow an attacker
to gain administrative privileges on the system. Users should upgrade
to version 1.6.
* More Information:
- Bugtraq: http://www.securityfocus.com/bid/4520
- Demarc home page: http://www.demarc.org
* Discovered by: pokleyzz sakamaniaka
++++++++++
5.8 Foundstone FScan Banner Grabbing Format String Vulnerability
* Risk: MODERATE
* Impact: Execution of code
* Summary: The Windows version of FScan is subject to format
string attacks via the banner grabbing function of the software.
A maliciously malformed banner could be used to overwrite the stack
of a scanning host and execute arbitrary code. Users should upgrade
to FScan 1.14.
* More Information:
- KPMG advisory: http://online.securityfocus.com/archive/1/268581
- Bugtraq: http://www.securityfocus.com/bid/4549
- Foundstone home page: http://www.foundstone.com
* Discovered by: Peter Grundl, KPMG
++++++++++
5.9 Funk Software Proxy Multiple Vulnerabilities
* Risk: MODERATE
* Impact: Information disclosure
* Summary: Funk Software Proxy contains multiple vulnerabilities.
Funk Proxy is available stand-alone, and is also included in BindView
NETrc. The administrator password is stored using weak encryption,
allowing for easy recovery of the password. Further, the program
creates a named pipe upon execution that grants the "Everyone" group
Full Control permissions. Finally, the software is installed with weak
default directory and registry permissions on Windows NT 4.0 and 2000,
allowing the Everyone group excessive access. Users should upgrade
to the latest version of Funk Proxy to address the named pipe issue,
and institute vendor workarounds to tighten permissions on other files.
* More Information:
- BindView Advisory: http://online.securityfocus.com/archive/1/266464
- Weak Password Storage Vulnerability,
http://www.securityfocus.com/bid/4459
- CVE: CAN-2002-0065,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0065
- Named Pipe Weak Permissions Arbitrary Access Vulnerability,
http://www.securityfocus.com/bid/4460
- CVE: CAN-2002-0066,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0066
- Weak Default Installation Permissions Vulnerability,
http://www.securityfocus.com/bid/4458
- CVE: CAN-2002-0064,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0064
- Funk Software home page: http://www.funk.com
* Discovered by: BindView
++++++++++
5.10 Hosting Controller Weak Permissions Checking Vulnerability
* Risk: MODERATE
* Impact: Information disclosure or modification
* Summary: Hosting Controller does not properly check user credentials
when restricted web pages are requested. An attacker could use "dot
dot slash" directory traversal along with requests for certain Active
Server pages to read, modify or delete files outside the web root.
* More Information:
- Bugtraq: http://www.securityfocus.com/bid/4311
- Hosting Controller home page: http://www.hostingcontroller.com
* Discovered by: Phuong Nguyen
++++++++++
5.11 Lotus Domino MS-DOS Device Path Disclosure Vulnerability
* Risk: LOW
* Impact: Information disclosure
* Summary: By issuing a request for a DOS device file name, it is
possible to cause the Domino server to generate an error message that
reveals the path to the web root. Users should upgrade to v5.0.10.
* More Information:
- KPMG Advisory: http://online.securityfocus.com/archive/1/265380
- Bugtraq: http://www.securityfocus.com/bid/4406
- Lotus home page: http://www.lotus.com
* Discovered by: Peter Grundl, KPMG
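The directory traversal and path disclosure items above (3.3.2 CodeBrws.asp,
5.2 Abyss, 5.5 ColdFusion, 5.10 Hosting Controller and 5.11 Domino) all come
down to a handler that maps a request path to a file without first
containing it. The following is an added example written for this digest,
not code from any of those products. It decodes the path strictly (so an
overlong UTF-8 sequence such as %c0%af, the form used by the IIS "Unicode"
traversal bugs, is rejected rather than silently becoming a slash), refuses
any ".." segment, verifies the resolved file is still under the web root,
enforces an exact-match extension allow-list so that "page.asp." or
"page.aspx" are not accepted as ".asp", and refuses reserved DOS device
names before anything tries to open them. The web root and request paths
are constructed for the example.

```python
"""Containing a file-viewer request inside the web root (added example)."""
import os
import posixpath
from urllib.parse import unquote_to_bytes

ALLOWED_EXT = {".htm", ".html", ".asp", ".inc"}          # the CodeBrws.asp list
DOS_DEVICES = ({"CON", "PRN", "AUX", "NUL"}
               | {f"COM{i}" for i in range(1, 10)}
               | {f"LPT{i}" for i in range(1, 10)})


class RequestRejected(ValueError):
    """Carries a short reason; the caller answers 400/404 without any path info."""


def decode_path(raw):
    """Percent-decode exactly once, then decode as strict UTF-8."""
    data = unquote_to_bytes(raw)
    try:
        text = data.decode("utf-8")   # strict: b"\xc0\xaf" raises, it is not mapped to "/"
    except UnicodeDecodeError:
        raise RequestRejected("invalid UTF-8 in path") from None
    if "\x00" in text or "%" in text:  # no NUL bytes, no second layer of encoding
        raise RequestRejected("illegal character in path")
    return text


def is_dos_device(segment):
    """Windows treats CON, NUL, 'aux.asp', 'com1.txt', ... as device names."""
    stem = segment.split(".", 1)[0]
    return stem.upper() in DOS_DEVICES


def resolve_request(webroot, raw_path):
    """Return the absolute file path for raw_path, or raise RequestRejected."""
    text = decode_path(raw_path).replace("\\", "/")
    if ":" in text:                    # no drive letters, no NTFS stream syntax
        raise RequestRejected("illegal character in path")
    segments = [s for s in text.split("/") if s not in ("", ".")]
    if not segments:
        raise RequestRejected("empty path")
    if ".." in segments:
        raise RequestRejected("directory traversal")
    if any(is_dos_device(s) for s in segments):
        raise RequestRejected("DOS device name")
    if posixpath.splitext(segments[-1])[1].lower() not in ALLOWED_EXT:
        raise RequestRejected("extension not allowed")
    root = os.path.realpath(webroot)
    full = os.path.realpath(os.path.join(root, *segments))
    if os.path.commonpath([root, full]) != root:   # containment check after symlinks
        raise RequestRejected("outside web root")
    return full


def classify(webroot, raw_path):
    """Convenience wrapper: 'accepted' or the rejection reason."""
    try:
        resolve_request(webroot, raw_path)
        return "accepted"
    except RequestRejected as exc:
        return str(exc)


if __name__ == "__main__":
    ROOT = "/srv/site"                 # assumed web root for the example
    for req in ("/docs/page.asp", "../../winnt/win.ini",
                "%c0%ae%c0%ae/%c0%ae%c0%ae/boot.ini", "/docs/page.asp.",
                "/docs/nul.asp", "/docs/page%2525.asp"):
        print(f"{req:40} {classify(ROOT, req)}")
```

Two design points: the ".." test runs on the decoded segments, not on the raw
request, so "%2e%2e" and "..%5c" are caught by the same line; and the
extension test uses the final extension only, which is why a trailing dot
fails rather than being stripped (on Windows the file system would strip it
and serve the .asp, so either strip-then-test or reject, never test the
literal string).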
++++++++++
5.12 Oracle 9i TNS Denial of Service Vulnerability
* Risk: LOW
* Impact: Denial of service
* Summary: Sending a malformed packet to the Oracle TNS Listener
on port 1521 will cause the server to consume all available CPU,
resulting in denial of service.
* More Information:
- Bugtraq: http://www.securityfocus.com/bid/4391
- Oracle home page: http://www.oracle.com
* Discovered by: Andrey Gordienko
++++++++++
5.13 Qualcomm Eudora WebBrowser Control Embedded Media Player File
Vulnerability
* Risk: MODERATE
* Impact: Execution of code
* Summary: Qualcomm Eudora uses Microsoft's WebBrowser control, i.e.
Internet Explorer's rendering engine, to display HTML email. If a
<t:video> tag within an HTML email references a Windows Media Player
file, any javascript embedded in the file will automatically execute
when the message is viewed. Users should disable use of Microsoft's
viewer within Eudora.
* More Information:
- Bugtraq: http://www.securityfocus.com/bid/4343
* Discovered by: GreyMagic Software
++++++++++
5.14 Snitz Forums 2000 Members.ASP SQL Injection Vulnerability
* Risk: MODERATE
* Impact: Information disclosure; possible data modification or execution of code
* Summary: The members.asp page of Snitz Forums fails to properly
filter requests made to that page. An attacker could construct a URL
to include a SQL statement, allowing the attacker to view sensitive
information, or possibly modify data or carry out further attacks on
the system. Users should implement the vendor workaround.
* More Information:
- Bugtraq: http://www.securityfocus.com/bid/4558
- Snitz workaround: http://forum.snitz.com/forum/topic.asp?TOPIC_ID=26776
- Snitz homepage: http://forum.snitz.com
* Discovered by: acemi
++++++++++
5.15 Symantec Raptor / Enterprise Firewall FTP Bounce Vulnerability
* Risk: MODERATE
* Impact: Connect to arbitrary server
* Summary: Raptor Firewall/Symantec Enterprise Firewall is susceptible
to FTP bounce attacks. If an attacker is able to connect to an FTP
server behind the firewall, he or she can cause the FTP server to
connect to an arbitrary host, even if the FTP server itself is not
vulnerable to FTP bounce. Users should apply the vendor patch.
* More Information:
- Bugtraq: http://www.securityfocus.com/bid/4522
- Symantec Raptor support page:
http://www.symantec.com/techsupp/enterprise/products/raptor_firewall/files.html
* Discovered by: Roy Hills
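An FTP-aware firewall relays the control channel, so it sees every PORT
command a client sends and can refuse the data connection the bounce
depends on, whether or not the FTP server behind it would honour the PORT.
The check below is an added example for this digest, not Raptor or Symantec
code: a PORT is permitted only if the advertised address is the client that
issued it and the port is not a well-known service port. Client addresses
and the sample session are constructed.

```python
"""PORT-command check for an FTP-aware firewall (added example)."""
import re

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE)


def parse_port(command):
    """'PORT h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256+p2), or None if malformed."""
    m = PORT_RE.match(command.rstrip("\r\n"))
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def port_command_allowed(client_ip, command):
    """Decide whether the data connection described by a client's PORT may be made.

    Returns (allowed, reason). The address must be the client that sent the
    command and the port must be unprivileged (>= 1024), so the FTP server
    cannot be pointed at SMTP, HTTP, etc. on some third host.
    """
    parsed = parse_port(command)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    if ip != client_ip:
        return False, f"PORT address {ip} does not match client {client_ip}"
    if port < 1024:
        return False, f"PORT port {port} is a privileged/service port"
    return True, "ok"


def filter_control_channel(client_ip, lines):
    """Run a client's control-channel lines through the check; other commands pass."""
    decisions = []
    for line in lines:
        if re.match(r"PORT\b", line, re.IGNORECASE):
            allowed, reason = port_command_allowed(client_ip, line)
        else:
            allowed, reason = True, "not a PORT command"
        decisions.append((line.strip(), allowed, reason))
    return decisions


if __name__ == "__main__":
    # Constructed session from client 10.0.0.5: one legitimate PORT, then a
    # bounce attempt aimed at port 25 of an internal host.
    session = ["USER anonymous", "PASS guest@", "PORT 10,0,0,5,4,1", "LIST",
               "PORT 192,168,1,20,0,25", "RETR payload.txt"]
    for line, ok, why in filter_control_channel("10.0.0.5", session):
        print(f"{'ALLOW' if ok else 'DENY':5} {line:26} {why}")
```

The same rule has to be applied to the extended EPRT command (RFC 2428),
which carries the address in a different syntax; PASV is the server's side
of the exchange and is not involved in a bounce.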
++++++++++
5.16 WorkforceROI XPede Multiple Vulnerabilities
* Risk:
* Impact: Information disclosure, elevation of privileges
* Summary: Multiple vulnerabilities have been reported in
WorkforceROI's XPede software. Users are not prompted for credentials
if they attempt to access an administrative script, possibly allowing
regular users to access administrative functions. In addition, the
database user's name may be revealed to unauthenticated web users,
possibly allowing for brute-forcing of the user's password. Sensitive
files are stored in the world-readable /reports/temp directory,
possibly allowing access by unauthorized users. Weak authentication
in the ets_app_process.asp script could allow access to other users'
time sheets. Finally, the sprc.asp script does not properly filter
user input, allowing a malicious user to craft a URL containing
SQL statements that would allow the user to read or possibly modify
information in the underlying database.
* More Information:
- Unprotected Administrative Facilities Vulnerability
http://www.securityfocus.com/bid/4552
- DataSource.ASP Information Disclosure Vulnerability
http://www.securityfocus.com/bid/4553
- Weak File Protection Vulnerability
http://www.securityfocus.com/bid/4554
- Sprc.ASP SQL Injection Vulnerability
http://www.securityfocus.com/bid/4555
- Arbitrary Time Sheet Disclosure Vulnerability
http://www.securityfocus.com/bid/4556
- Original advisory: http://online.securityfocus.com/archive/1/268645
- WorkforceROI home page: http://workforceroi.com/index.shtml
* Discovered by: Cerberus Vulgaris
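Three of this month's items (5.7 Demarc PureSecure, 5.14 Snitz Forums and
the sprc.asp issue in 5.16) are the same bug: request values pasted into the
text of a SQL statement. The following is an added example for this digest,
not code from any of those products; the table, accounts and payloads are
constructed, and SQLite is used only so it runs offline. It shows the two
consequences the advisories describe, an authentication check that can be
commented out of the WHERE clause, and a member lookup that can be extended
with a UNION to read another column, each beside the parameterised form that
closes the hole.

```python
"""SQL built from user input, and the bound-parameter fix (added example)."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
                 "password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (name, password, is_admin) VALUES (?, ?, ?)",
                     [("admin", "s3cr3t", 1), ("guest", "guest", 0)])
    return conn


# --- the pattern the advisories describe: values spliced into statement text
def login_vulnerable(conn, name, password):
    sql = ("SELECT name, is_admin FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()       # (name, is_admin) or None


def member_vulnerable(conn, member_id):
    sql = "SELECT name FROM users WHERE id = " + member_id   # numeric, no quote needed
    return [row[0] for row in conn.execute(sql)]


# --- the fix: statement text is constant, values travel as bound parameters
def login_fixed(conn, name, password):
    return conn.execute(
        "SELECT name, is_admin FROM users WHERE name = ? AND password = ?",
        (name, password)).fetchone()


def member_fixed(conn, member_id):
    try:
        ident = int(member_id)                # validate the type before the query
    except ValueError:
        return []
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE id = ?", (ident,))]


if __name__ == "__main__":
    db = make_db()
    # The password test is commented out: WHERE name = 'admin' --' AND password = ...
    print(login_vulnerable(db, "admin' --", "anything"))    # ('admin', 1)
    print(login_fixed(db, "admin' --", "anything"))         # None
    # A UNION on the member page reads a column the page never meant to show.
    payload = "0 UNION SELECT password FROM users WHERE name = 'admin'"
    print(member_vulnerable(db, payload))                   # ['s3cr3t']
    print(member_fixed(db, payload))                        # []
```

Note that the numeric case needs the type check as well as the parameter:
binding the raw string to "id = ?" would merely fail to match, which is safe,
but converting first also gives the caller a clean error to return.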
++++++++++
5.17 WWWIsis Multiple Vulnerabilities
* Risk: HIGH
* Impact: Information disclosure, execution of code
* Summary: WWWisis does not properly filter user input. It is
possible to craft a malicious URL that would allow an attacker to
read any web-readable file on the system, or to execute arbitrary
code in the context of the web server. Users should upgrade to the
latest version of the software.
* More Information:
- Remote Command Execution Vulnerability
http://www.securityfocus.com/bid/4383
- File Disclosure Vulnerability
http://www.securityfocus.com/bid/4384
- Original advisory: http://online.securityfocus.com/archive/1/264682
- WWWisis home page: http://www.bireme.br/isis/I/wwwi.htm
* Discovered by: Klaus Ripke
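The Apache Win32 item (5.3), the CGISCRIPT.NET scripts (5.6) and WWWisis
(5.17) share one mechanism: a request value ends up in a command line that a
shell parses, so a metacharacter such as | starts a second command. The
following is an added example for this digest, not Apache, CGISCRIPT.NET or
WWWisis code. So that it runs offline on any platform, the batch file is
replaced by the echo command and the shell is the local one (cmd.exe on
Windows, /bin/sh elsewhere), but the behaviour is the one the advisory
describes. The request values are constructed.

```python
"""A request parameter reaching the shell, and the hardened form (added example)."""
import re
import subprocess

# Allow-list for the parameter: letters, digits, space, dot, underscore, dash.
# An allow-list is preferred over a list of "bad" characters, which is what
# the vulnerable servers above were effectively trying to maintain.
ARG_OK = re.compile(r"[A-Za-z0-9 ._-]+")


def argument_allowed(value):
    return ARG_OK.fullmatch(value) is not None


def cgi_vulnerable(arg):
    """One command string handed to the shell: the shell, not the script, sees '|'."""
    return subprocess.run("echo " + arg, shell=True,
                          capture_output=True, text=True).stdout.strip()


def cgi_argv_only(arg):
    """An argv list with no shell: on POSIX the metacharacters are inert."""
    return subprocess.run(["echo", arg],
                          capture_output=True, text=True).stdout.strip()


def cgi_fixed(arg):
    """Validate first, then pass an argv list."""
    if not argument_allowed(arg):
        return "400 rejected: character not permitted in argument"
    return cgi_argv_only(arg)


if __name__ == "__main__":
    benign = "hello world"
    hostile = "ignored | echo INJECTED"      # second command after the pipe
    print(cgi_vulnerable(benign))            # hello world
    print(cgi_vulnerable(hostile))           # INJECTED      (the second echo ran)
    print(cgi_argv_only(hostile))            # ignored | echo INJECTED  (literal)
    print(cgi_fixed(hostile))                # 400 rejected: ...
```

The allow-list is the control that matters on Windows: a .bat or .cmd file is
always executed by cmd.exe, which re-parses the argument string it is given,
so passing an argv list is not by itself enough to keep | or & out of the
shell's hands there.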
++++++++++
5.18 ZoneLabs ZoneAlarm MailSafe Extension Dot Filtering Bypass
Vulnerability
* Risk: MODERATE
* Impact: Failure to block attachments
* Summary: ZoneAlarm's MailSafe feature can be configured to block
certain attachments based on filename extensions. Appending an extra
dot ( . ) to the end of a restricted filename extension will allow
the file to bypass MailSafe's filtering mechanisms.
* More Information:
- Bugtraq: http://www.securityfocus.com/bid/4407
- ZoneLabs home page: http://www.zonelabs.com
* Discovered by: Edvice Security Services
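The MailSafe bypass works because the filter compares the literal extension
of the declared file name while Windows drops trailing dots (and spaces)
when it creates the file, so "evil.exe." is blocked by neither and saved as
evil.exe. The following is an added example for this digest, not ZoneAlarm
code: the naive test beside one that normalises the name the way Win32 will
before testing it, applied to the attachment names of a constructed MIME
message. The blocked-extension list is an assumed policy.

```python
"""Attachment-extension filtering that survives a trailing dot (added example)."""
import email
import posixpath

BLOCKED_EXT = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js"}  # assumed policy


def extension_of(name):
    return posixpath.splitext(name)[1].lower()


def blocked_naive(filename):
    """Literal extension test: 'evil.exe.' has extension '.', so it passes."""
    return extension_of(filename) in BLOCKED_EXT


def windows_effective_name(filename):
    """The name Win32 will actually create: trailing dots and spaces dropped."""
    return filename.rstrip(". ")


def blocked_hardened(filename):
    return extension_of(windows_effective_name(filename)) in BLOCKED_EXT


def attachment_filenames(raw_message):
    msg = email.message_from_string(raw_message)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def scan_message(raw_message, policy=blocked_hardened):
    """Return [(filename, blocked)] for every attachment in the message."""
    return [(name, policy(name)) for name in attachment_filenames(raw_message)]


# Constructed message carrying the bypass: the declared name ends in a dot.
SAMPLE_MESSAGE = """From: sender@example.invalid
To: victim@example.invalid
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

see attached
--XX
Content-Type: application/octet-stream; name="evil.exe."
Content-Disposition: attachment; filename="evil.exe."
Content-Transfer-Encoding: base64

TVo=
--XX--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_MESSAGE, blocked_naive))      # [('evil.exe.', False)]
    print(scan_message(SAMPLE_MESSAGE))                     # [('evil.exe.', True)]
```

The general lesson is to test the name as the target platform will interpret
it, not as the sender spelled it; any other transformation the receiving
system applies to file names (case folding, 8.3 short names) belongs in the
same normalisation step.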
+-+-+-+-+-+-+-+-+-+-+
6. Updates
6.1 MS02-006 Updated to include patches for Win98/Win98SE
Microsoft security bulletin MS02-006 (Unchecked Buffer in SNMP
Service Could Enable Arbitrary Code to be Run) has been updated to
include the availability of patches for Windows 98 / Windows 98 Second
Edition systems.
http://www.microsoft.com/technet/security/bulletin/MS02-006.asp
=======================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE819+Y+LUG5KFpTkYRAvnEAJ4l1hmfl8IYYJBUdJyWgSMP7vew6gCfWU7f
7KANIKGXUvP5WZhFZQbk23E=
=Nj4U
-----END PGP SIGNATURE-----