From: Network Computing and The SANS Institute (sans+ZZ71299191643265738_at_sans.org)
Date: Thu Sep 12 2002 - 15:33:16 CDT


    Re: Your personalized newsletter

                     -- Security Alert Consensus --
                           Number 036 (02.36)
                     Thursday, September 12, 2002
                           Created for you by
                Network Computing and the SANS Institute
                         Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to SANS' distribution of the Security Alert Consensus.

    ----------------------------------------------------------------------

    Gold Standard Training for Securing Windows 2000 using
    the new consensus standards and free testing tools - 38
    cities. http://www.sans.org/Win2KWorldTour/

    SANS Network Security 2002 in October: Largest security conference &
    expo: http://www.sans.org/NS2002
    For security managers in military sites: click on the National
    Information Assurance Leadership Conference.

    ----------------------------------------------------------------------

    This week, a security researcher released an updated version of a
    report that uses various graphs (phase-space "attractor" plots of
    successive ISN values) to analyze how predictable the TCP initial
    sequence numbers generated by different operating systems are. After
    being warned about the problem a year ago, surprisingly, many vendors
    still ship weak generators. More information is available at:
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0110.html
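    The analysis such a report performs, as an added example (this is not
    the report's code): successive ISN deltas are embedded as
    three-dimensional points, the "attractor" behind the graphs, and the
    attractor is then used to guess the next ISN of a connection from the
    previous three. The weak and strong generators are constructed for
    illustration and are not any real stack's code; the 256-unit search
    radius and the 1000-sample training window are arbitrary choices.

```python
import random

MOD = 1 << 32      # TCP sequence numbers are 32-bit
HALF = 1 << 31


def delta(b, a):
    """Signed difference b - a modulo 2^32, in [-2^31, 2^31)."""
    return ((b - a + HALF) % MOD) - HALF


def attractor(isns):
    """Delayed-coordinate embedding: ISN s[n] becomes the point
    (s[n]-s[n-1], s[n-1]-s[n-2], s[n-2]-s[n-3])."""
    return [(delta(isns[n], isns[n - 1]),
             delta(isns[n - 1], isns[n - 2]),
             delta(isns[n - 2], isns[n - 3]))
            for n in range(3, len(isns))]


def candidate_isns(history, points, radius):
    """Guess the next ISN from the last three observed ones.  The next
    attractor point must have (y, z) equal to the current (x, y); every
    stored point within `radius` of that position contributes its own x
    (the next delta) as a candidate."""
    y_now = delta(history[-1], history[-2])
    z_now = delta(history[-2], history[-3])
    cands = set()
    for x, y, z in points:
        if abs(y - y_now) <= radius and abs(z - z_now) <= radius:
            cands.add((history[-1] + x) % MOD)
    return cands


def spoofing_rate(isns, train, radius=256):
    """Build the attractor from the first `train` ISNs, then try to guess
    each later ISN.  Returns (fraction guessed, mean candidate-set size):
    a high fraction with a small set means blind spoofing is practical."""
    points = attractor(isns[:train])
    hits = total = 0
    trials = len(isns) - train
    for n in range(train, len(isns)):
        cands = candidate_isns(isns[:n], points, radius)
        total += len(cands)
        hits += (isns[n] in cands)
    return hits / trials, total / trials


def weak_isns(count, seed=1):
    """Constructed 'classic' generator: a fixed per-connection bump plus a
    little clock jitter.  Illustration only, not any real stack's code."""
    rng = random.Random(seed)
    s = rng.getrandbits(32)
    out = []
    for _ in range(count):
        s = (s + 64000 + rng.randint(0, 100)) % MOD
        out.append(s)
    return out


def strong_isns(count, seed=1):
    """Constructed generator: a fresh 32-bit random ISN per connection."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]


if __name__ == "__main__":
    for name, gen in (("weak", weak_isns), ("strong", strong_isns)):
        rate, size = spoofing_rate(gen(1200), train=1000)
        print(f"{name:6} guessed {rate:.0%} of ISNs, {size:.0f} candidates per try")
```

    A guess rate near 100% with roughly a hundred candidates per connection
    means an attacker can blind-spoof a connection with a few hundred
    packets; a rate near zero means the stream is not predictable by this
    particular method, which says nothing about other weaknesses.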

    Other notable vulnerabilities this week include a buffer overflow in
    PGP Corporate Desktop (item {02.36.017}); multiple bugs in the Cisco
    3000 series VPN concentrators (item {02.36.010}); and a patch for all
    versions of Windows to remove the SSL certificate basic constraints
    bug, which affects Internet Explorer, IIS and other applications using
    the MS CryptoAPI SSL functions (item {02.36.014}).

    Coverage reminder: If you're missing an item in your issue, it's
    because you did not subscribe to the applicable category in which
    it's covered. SAC is a customizable newsletter, and you only get the
    OS types requested during the subscription process. You can change
    your subscription preferences by following the instructions at the
    bottom of this (and every) newsletter. Or, you can view the full
    issue online at: http://archives.neohapsis.com/archives/sac/

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.36.013} Win - MS02-049: IE can auto-execute Visual FoxPro
                applications
    {02.36.014} Win - MS02-050: SSL certificate constraint validation patch
    {02.36.017} Win - PGP long file name overflow
    {02.36.018} Win - WebServer 4 Everyone HTTP server Webroot escaping
    {02.36.022} Win - QuickTime control plugins page overflow
    {02.36.002} Linux - Update {02.35.003}: Ethereal ISIS decode overflow
    {02.36.003} Linux - Update {02.31.018}: GAIM Jabber plugin buffer
                overflow
    {02.36.005} Linux - Update {02.30.024}: Mailman ml-name CGI CSS
                vulnerability
    {02.36.006} Linux - Update {02.34.016}: Mantis CGI private bug viewing
    {02.36.009} Linux - Update {02.33.043}: KDE Konqueror ignores SSL
                certificate basic constraints
    {02.36.012} Linux - Update {02.35.017}: Python insecure temporary file
                handling
    {02.36.010} NApps - Cisco VPN 3000 series multiple vulnerabilities
    {02.36.016} Other - Polycom Viewstation multiple vulnerabilities
    {02.36.001} Cross - cacti CGI title string command execution
    {02.36.004} Cross - MHonarc HTML mail CSS vulnerability
    {02.36.007} Cross - wordtrans CGI command execution and CSS
    {02.36.008} Cross - Update {02.31.009}: RPC XDR array decoding overflow
    {02.36.011} Cross - AFD workdir buffer overflow
    {02.36.015} Cross - phpGB CGI multiple vulnerabilities
    {02.36.019} Cross - Various PHP CRLF injection
    {02.36.020} Cross - ZMerge grants Manager access
    {02.36.021} Cross - Woltlab Burning Board CGI SQL tampering
    {02.36.023} Cross - Aestiva HTML/OS CSS vulnerabilities
    {02.36.024} Cross - Zero-width GIF browser overflow
    {02.36.025} Cross - Amavis malformed tar file DoS

    - --- Windows News -------------------------------------------------------

    *** {02.36.013} Win - MS02-049: IE can auto-execute Visual FoxPro
                    applications

    Microsoft released MS02-049 ("IE can auto-execute Visual FoxPro
    applications"). Visual FoxPro 6.0 does not properly register its
    various file types with Internet Explorer, potentially allowing
    a malicious Web site to automatically execute a Visual FoxPro
    application.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-049.asp

    Source: Microsoft (NTBugtraq)
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0121.html

    *** {02.36.014} Win - MS02-050: SSL certificate constraint validation
                    patch

    Microsoft released MS02-050 ("SSL certificate constraint validation
    patch"). The CryptoAPI functions that validate SSL certificate chains
    do not check the Basic Constraints extension of intermediate
    certificates, so the holder of any valid end-entity certificate (one
    not marked as a CA) could use it to sign certificates for arbitrary
    names that IE, IIS and other CryptoAPI-based software would accept as
    valid. This vulnerability was previously reported as item {02.33.041}.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-050.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/microsoft/2002-q3/0000.html
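    The chain-validation step this patch (and the Konqueror update in item
    {02.36.009}) adds, as an added example that is not Microsoft's or KDE's
    code: a small certificate model in which a signature is a SHA-256 tag
    under the signer's key identifier (standing in for the real RSA
    verification, which is assumed correct), a chain builder, and a
    validator run once without and once with the Basic Constraints check.
    Names, key identifiers and the CA hierarchy are all constructed for
    the illustration.

```python
import hashlib

# Constructed certificate model: a dict with subject, issuer, ca flag,
# optional pathlen, a key identifier and a signature.  The signature is a
# SHA-256 tag over the to-be-signed fields under the signer's key id; it
# stands in for the real RSA check, which is assumed correct here because
# the bug is in the constraint logic, not in the signature math.


def tbs(cert):
    return "|".join([cert["subject"], cert["issuer"], str(cert["ca"]),
                     str(cert.get("pathlen")), cert["key"]])


def sign(cert, signer_key):
    cert["sig"] = hashlib.sha256((signer_key + "\0" + tbs(cert)).encode()).hexdigest()
    return cert


def signature_ok(cert, issuer):
    expected = hashlib.sha256((issuer["key"] + "\0" + tbs(cert)).encode()).hexdigest()
    return cert["sig"] == expected


def build_chain(leaf, intermediates, roots):
    """Follow issuer names from the leaf until a trusted root is reached.
    Returns [leaf, ..., root] or None."""
    inter = {c["subject"]: c for c in intermediates}
    trust = {c["subject"]: c for c in roots}
    chain, seen = [leaf], {leaf["subject"]}
    while True:
        issuer = chain[-1]["issuer"]
        if issuer in trust:
            return chain + [trust[issuer]]
        if issuer not in inter or issuer in seen:
            return None
        chain.append(inter[issuer])
        seen.add(issuer)


def validate(hostname, leaf, intermediates, roots, check_constraints=True):
    """Validate `leaf` for `hostname`.  With check_constraints=False this is
    the MS02-050 / Konqueror behaviour: signatures and names chain, but
    nobody asks whether each issuer is actually allowed to be a CA."""
    chain = build_chain(leaf, intermediates, roots)
    if chain is None or chain[0]["subject"] != hostname:   # exact match; no wildcards modelled
        return False
    for depth in range(len(chain) - 1):
        cert, issuer = chain[depth], chain[depth + 1]
        if not signature_ok(cert, issuer):
            return False
        if check_constraints:
            # Basic Constraints: the issuer must be marked as a CA, and its
            # pathLenConstraint must allow the number of intermediate CAs
            # that sit between it and the leaf (`depth` of them).
            if not issuer["ca"]:
                return False
            if issuer.get("pathlen") is not None and depth > issuer["pathlen"]:
                return False
    return True


def demo():
    """Attacker holds a valid end-entity cert for attacker.example and uses
    it to 'issue' a cert for www.bank.example.  Returns (vulnerable verdict,
    fixed verdict, verdict on the attacker's own legitimate cert)."""
    root = sign({"subject": "Example Root CA", "issuer": "Example Root CA",
                 "ca": True, "pathlen": 1, "key": "root-key"}, "root-key")
    issuing = sign({"subject": "Example Issuing CA", "issuer": "Example Root CA",
                    "ca": True, "pathlen": 0, "key": "issuing-key"}, "root-key")
    attacker = sign({"subject": "attacker.example", "issuer": "Example Issuing CA",
                     "ca": False, "key": "attacker-key"}, "issuing-key")
    forged = sign({"subject": "www.bank.example", "issuer": "attacker.example",
                   "ca": False, "key": "forged-key"}, "attacker-key")
    presented = [attacker, issuing]          # the attacker's server sends these along
    return (validate("www.bank.example", forged, presented, [root], check_constraints=False),
            validate("www.bank.example", forged, presented, [root]),
            validate("attacker.example", attacker, [issuing], [root]))


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

    The whole fix is the `issuer["ca"]` test: without it, any certificate
    that chains to a trusted root can sign another certificate. Hostname
    matching is reduced to an exact string comparison here.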

    *** {02.36.017} Win - PGP long file name overflow

    PGP Corporate Desktop version 7.1.1 contains a buffer overflow in
    the handling of long file names within encrypted files. This allows
    a malicious encrypted file to execute arbitrary code on the user's
    system when the user attempts to decrypt the file.

    The vendor confirmed this vulnerability and released a patch, which
    is available at:
    http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0106.html

    *** {02.36.018} Win - WebServer 4 Everyone HTTP server Webroot escaping

    The WebServer 4 Everyone HTTP server version 1.22 reportedly contains
    a directory traversal vulnerability: a remote attacker can request
    files outside the Web root by submitting an HTTP request whose URL
    contains '..' path components.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0045.html

    *** {02.36.022} Win - QuickTime control plugins page overflow

    The Apple QuickTime ActiveX control used for viewing QuickTime media
    within Internet Explorer contains a buffer overflow in the handling
    of the plugins page parameter. This allows a malicious Web site or
    e-mail to execute arbitrary code on the user's system.

    The vendor confirmed this vulnerability and released an update,
    which is available at:
    http://www.apple.com/quicktime/

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0111.html

    - --- Linux News ---------------------------------------------------------

    *** {02.36.002} Linux - Update {02.35.003}: Ethereal ISIS decode
                    overflow

    Debian released updated ethereal packages that fix the vulnerability
    discussed in {02.35.003} ("Ethereal ISIS decode overflow").

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q3/0055.html

    *** {02.36.003} Linux - Update {02.31.018}: GAIM Jabber plugin buffer
                    overflow

    Mandrake released updated GAIM packages that fix the vulnerability
    discussed in {02.31.018} ("GAIM Jabber plugin buffer overflow").

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0058.html

    *** {02.36.005} Linux - Update {02.30.024}: Mailman ml-name CGI CSS
                    vulnerability

    Conectiva released updated mailman packages that fix the vulnerability
    discussed in {02.30.024} ("Mailman ml-name CGI CSS vulnerability").

    Updated RPMs are listed at the reference URL below.

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0019.html

    *** {02.36.006} Linux - Update {02.34.016}: Mantis CGI private bug
                    viewing

    Debian released updated mantis packages that fix the vulnerability
    discussed in {02.34.016} ("Mantis CGI private bug viewing").

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q3/0054.html

    *** {02.36.009} Linux - Update {02.33.043}: KDE Konqueror ignores SSL
                    certificate basic constraints

    Mandrake released updated kdelibs packages that fix the vulnerability
    discussed in {02.33.043} ("KDE Konqueror ignores SSL certificate
    basic constraints").

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q3/0164.html

    *** {02.36.012} Linux - Update {02.35.017}: Python insecure temporary
                    file handling

    Debian rereleased updated python packages that fix the vulnerability
    discussed in {02.35.017} ("Python insecure temporary file
    handling"). The prior updates introduced an instability.

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q3/0057.html

    - --- Network Appliances News --------------------------------------------

    *** {02.36.010} NApps - Cisco VPN 3000 series multiple vulnerabilities

    A Cisco advisory indicates that the VPN 3000 series concentrators
    contain multiple vulnerabilities, including information disclosure and
    authentication bypass. Software versions prior to 3.6.1 are vulnerable.

    An updated patch matrix is available at the reference URL below.

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2002-q3/0006.html

    - --- Other News ---------------------------------------------------------

    *** {02.36.016} Other - Polycom Viewstation multiple vulnerabilities

    A released advisory indicates that multiple vulnerabilities exist
    in the Polycom Viewstation series of products, including: a default
    (empty) administrative password; escape from the Web root by using
    Unicode-encoded HTTP requests; retrieval of the administrative
    password; use of the telnet service to mount a password brute-force
    attack; and various denial-of-service attacks.

    The advisory indicates vendor confirmation.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0104.html
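    The Polycom Web-root escape and the WebServer 4 Everyone item
    ({02.36.018}) are the same bug class, so one added example covers both
    (this is not either vendor's code): a naive resolver that hunts for
    '..' in the raw request, beside one that decodes, resolves and only
    then checks containment. The document root and the request strings
    are constructed; the exact Unicode encoding in the Polycom report is
    not given on this page, so the %uXXXX and backslash cases below are
    assumptions about typical variants.

```python
import os
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root, illustration only


def fully_decode(raw, rounds=3):
    """Decode the URL path the way the file system will eventually see it:
    repeat percent-decoding until it stops changing (defeats double
    encoding such as %252e) and expand the non-standard %uXXXX form."""
    s = raw
    for _ in range(rounds):
        t = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
        t = unquote(t)
        if t == s:
            break
        s = t
    return s


def naive_resolve(root, raw):
    """Vulnerable: looks for a literal '..' in the undecoded request, then
    decodes and concatenates.  Encoded dots walk straight past the check."""
    if ".." in raw:
        return None
    return os.path.normpath(root + unquote(raw))


def safe_resolve(root, raw):
    """Fixed: decode completely, normalise separators, resolve the
    candidate on the real file system, and only then check that it is
    still under the document root.  The check is on the resolved path,
    never on the request text."""
    path = fully_decode(raw).replace("\\", "/")
    if "\0" in path:
        return None
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, path.lstrip("/")))
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target


if __name__ == "__main__":
    for req in ("/index.html",
                "/../../../etc/passwd",
                "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",                 # encoded dots
                "/%252e%252e/%252e%252e/%252e%252e/etc/passwd",     # double-encoded
                "/..%5c..%5c..%5cetc/passwd"):                      # backslash separators
        print(f"{req:48} naive={naive_resolve(WEB_ROOT, req)} safe={safe_resolve(WEB_ROOT, req)}")
```

    The naive check also passes the double-encoded form unchanged into the
    file system; a server that decodes a second time (as several of that
    era did) would then serve the file.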

    - --- Cross-Platform News ------------------------------------------------

    *** {02.36.001} Cross - cacti CGI title string command execution

    The cacti CGI Web interface prior to version 0.6.8a allows a remote
    attacker to execute arbitrary shell commands because it does not
    properly filter shell metacharacters from the title string before
    passing it to the command line. The attacker needs administrative
    access to the CGI to perform the attack.

    The vendor confirmed this vulnerability.

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/linux/debian/2002-q3/0019.html

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2002-q3/0019.html
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0028.html

    *** {02.36.004} Cross - MHonarc HTML mail CSS vulnerability

    The MHonarc e-mail archiver contains a cross-site scripting
    vulnerability in the handling of HTML e-mail.

    Debian confirmed this vulnerability and released updated DEBs, which
    are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q3/0058.html

    *** {02.36.007} Cross - wordtrans CGI command execution and CSS

    The wordtrans CGI suite version 1.1pre8 does not properly filter
    URL parameters, which allows cross-site scripting attacks as well as
    remote execution of arbitrary commands.

    This vulnerability is confirmed.

    Updated Red Hat RPMS are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0073.html

    Source: Red Hat, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0070.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0073.html
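    The cacti item ({02.36.001}) and the wordtrans item above describe the
    same defect, untrusted text spliced into a shell command line, so one
    added example serves both (it is not either project's code): the
    concatenating call beside two safe variants and an allow-list check.
    `echo` stands in for the graphing or translation program the CGI would
    run; the title value is constructed.

```python
import re
import shlex
import subprocess

# `echo` stands in for the program the CGI really calls; the injection
# works the same way whatever that program is.

SAFE_TITLE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")


def title_is_safe(title):
    """Allow-list check for a title: letters, digits, space, dot, underscore
    and hyphen only, so shell metacharacters such as ; | ` $ < > never
    reach the command line."""
    return bool(SAFE_TITLE.match(title))


def run_vulnerable(title):
    """Builds a command line by concatenation and hands it to /bin/sh, the
    pattern behind the cacti and wordtrans reports."""
    return subprocess.run("echo " + title, shell=True,
                          capture_output=True, text=True).stdout


def run_fixed(title):
    """No shell: the title is one argv element no matter what it contains."""
    return subprocess.run(["echo", title], capture_output=True, text=True).stdout


def run_quoted(title):
    """If a shell is unavoidable, quote every untrusted value with
    shlex.quote so the shell treats it as a single word."""
    return subprocess.run("echo " + shlex.quote(title), shell=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    hostile = "Traffic in; echo INJECTED"        # constructed title value
    print("allow-list accepts:", title_is_safe(hostile))
    print("vulnerable:", repr(run_vulnerable(hostile)))
    print("fixed:     ", repr(run_fixed(hostile)))
    print("quoted:    ", repr(run_quoted(hostile)))
```

    The argv-list form is the one to reach for; quoting is a fallback for
    code that must go through a shell, and the allow-list is a second
    layer, not a replacement for either.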

    *** {02.36.008} Cross - Update {02.31.009}: RPC XDR array decoding
                    overflow

    Mandrake and HP released updated packages that fix the vulnerability
    discussed in {02.31.009} ("RPC XDR array decoding overflow").

    Updated Mandrake krb5 RPMS are listed at:
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q3/0162.html

    Updated libraries for HPUX are listed at:
    http://archives.neohapsis.com/archives/hp/2002-q3/0077.html

    Source: Mandrake, HP
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q3/0162.html
    http://archives.neohapsis.com/archives/hp/2002-q3/0077.html

    *** {02.36.011} Cross - AFD workdir buffer overflow

    The Automatic File Distributor (AFD) version 1.2.14 reportedly
    contains a local buffer overflow in the code that constructs the
    workdir variable, which may let a local attacker execute arbitrary
    code with elevated privileges.

    The advisory indicates vendor confirmation and the release of version
    1.2.15, which is available at:
    ftp://ftp.dwd.de/pub/afd/src-1.2.15.tar.bz2

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0029.html

    *** {02.36.015} Cross - phpGB CGI multiple vulnerabilities

    The phpGB CGI suite version 1.20 contains multiple vulnerabilities:
    savesettings.php allows arbitrary configuration settings to be changed,
    which can lead to a denial of service or execution of arbitrary
    commands; cross-site scripting in the handling of guestbook elements;
    and SQL injection via the login interface.

    The advisory indicates vendor confirmation and the release of an
    updated version, which is available at:
    http://www.walzl.net/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0069.html
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0076.html
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0084.html

    *** {02.36.019} Cross - Various PHP CRLF injection

    PHP's header() function, and fopen() when it opens an HTTP URL, do
    not strip carriage-return/line-feed characters from their arguments.
    An application that passes unfiltered user input to either lets an
    attacker terminate the current header or request line and inject
    additional headers (or a body) into the Web response or request,
    which can alter the logic flow of the application or of the peer.
    This is not a direct problem in PHP itself, but it affects specific
    applications that are not aware of this 'feature.'

    Source: VulnWatch, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0109.html
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0086.html
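    How the injection works and what an application has to do about it,
    as an added example (not PHP's code and not taken from the advisory):
    a redirect built from an unchecked Location value, the equivalent
    request-side splice, and a parser that shows what the receiving peer
    actually sees. The hostile inputs are constructed.

```python
def has_crlf(value):
    """A CR or LF inside a header value or request line ends that line
    early; whatever follows is parsed as the next header."""
    return "\r" in value or "\n" in value


def redirect_vulnerable(location):
    """Models header('Location: ' . $_GET['url']) with the value unchecked."""
    return "HTTP/1.0 302 Found\r\nLocation: " + location + "\r\n\r\n"


def redirect_fixed(location):
    """Refuse values that would terminate the header line; None means the
    caller must answer with an error instead of emitting the header."""
    if has_crlf(location):
        return None
    return "HTTP/1.0 302 Found\r\nLocation: " + location + "\r\n\r\n"


def request_vulnerable(path, host="example.test"):
    """Models fopen('http://' . $host . $path): the path lands in the
    request line unchecked, so CRLF in it adds request headers."""
    return "GET " + path + " HTTP/1.0\r\nHost: " + host + "\r\n\r\n"


def parse_message(raw):
    """Split an HTTP message the way the receiving peer does: start line,
    headers up to the first blank line, then body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


if __name__ == "__main__":
    # Constructed hostile inputs.
    evil_url = ("http://example.test/\r\nSet-Cookie: session=attacker\r\n\r\n"
                "<html>fake page</html>")
    start, headers, body = parse_message(redirect_vulnerable(evil_url))
    print("injected header:", headers.get("set-cookie"), "| injected body:", body[:22])
    print("fixed refuses:", redirect_fixed(evil_url) is None)
    evil_path = "/index.php HTTP/1.0\r\nX-Forwarded-For: 127.0.0.1\r\nX-Ignored:"
    print(parse_message(request_vulnerable(evil_path))[1])
```

    Rejecting the value is preferable to silently stripping the CR and LF:
    a stripped value still reaches the peer, only now with a meaning the
    user never intended.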

    *** {02.36.020} Cross - ZMerge grants Manager access

    Granite Software's ZMerge version 5.x grants Manager access to
    anonymous Web users, potentially allowing remote attackers to modify
    the Notes import/export scripts, which then could be run by an
    unsuspecting administrator.

    The advisory indicates vendor confirmation. The suggested workaround
    is to restrict the ACLs on the zm50adm.nsf and zmevladm.nsf databases.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0107.html

    *** {02.36.021} Cross - Woltlab Burning Board CGI SQL tampering

    Woltlab Burning Board CGI suite versions 2.0 RC 1 and prior do not
    properly filter user parameters passed to the board.php file. This
    allows a remote attacker to execute arbitrary SQL queries.

    The advisory indicates confirmation by the vendor, which released
    version 2.0 RC 2.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0083.html
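    The Burning Board board.php item above and the phpGB login item
    ({02.36.015}) are both SQL injection through string-built queries, so
    one added example covers both (constructed schema and data, not the
    projects' code): the vulnerable login and thread-listing queries beside
    their parameterised versions, run against an in-memory SQLite database.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the forum/guestbook."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE posts (thread INTEGER, body TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret-constructed"), ("guest", "guest")])
    conn.executemany("INSERT INTO posts VALUES (?, ?)",
                     [(1, "hello"), (1, "world"), (2, "private thread")])
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string formatting.  A username such as
    "admin' --" closes the string and comments out the password test."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Same query with bound parameters: quotes and comment markers in the
    input stay inside the value."""
    row = conn.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


def posts_vulnerable(conn, thread_id):
    """Numeric parameter spliced in unquoted; a UNION turns the post
    listing into a dump of any other table."""
    sql = "SELECT body FROM posts WHERE thread = %s" % thread_id
    return [r[0] for r in conn.execute(sql)]


def posts_fixed(conn, thread_id):
    """Validate the type first, then bind the value."""
    try:
        tid = int(thread_id)
    except ValueError:
        return []
    return [r[0] for r in conn.execute(
        "SELECT body FROM posts WHERE thread = ? ORDER BY rowid", (tid,))]


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "admin' --", "anything"))   # admin
    print(login_fixed(conn, "admin' --", "anything"))        # None
    print(posts_vulnerable(conn, "0 UNION SELECT password FROM users"))
    print(posts_fixed(conn, "0 UNION SELECT password FROM users"))  # []
```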

    *** {02.36.023} Cross - Aestiva HTML/OS CSS vulnerabilities

    Aestiva's HTML/OS reportedly contains a cross-site scripting bug in
    the handling of path info parameters passed to the error page.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0026.html

    *** {02.36.024} Cross - Zero-width GIF browser overflow

    A released advisory indicates multiple browsers are vulnerable to
    a zero-width GIF graphic file overflow, which could lead to the
    execution of arbitrary code. Netscape version 6.2.3 was specifically
    named as vulnerable. Mozilla and Opera also were mentioned as affected
    in some way.

    The advisory indicates vendor confirmation; the latest versions of
    Netscape and Mozilla are reportedly fixed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0050.html

    *** {02.36.025} Cross - Amavis malformed tar file DoS

    Amavis versions 0.2.x and prior contain a denial-of-service
    vulnerability that is triggered when it scans a particularly malformed
    tar file.

    The vendor confirmed this vulnerability.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0040.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9gPM++LUG5KFpTkYRAsaSAJ44jULl5KT3YGJJ2M/do4CEEmYnmQCfeaia
    ttSnmnECBWKdS0Ugibgk/5M=
    =LV2z
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------


    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.sans.org/sansnews/

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).