From: Network Computing and The SANS Institute (sans+ZZ22427415383876644_at_sans.org)
Date: Thu Feb 06 2003 - 15:25:24 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 005 (03.05)
Thursday, February 6, 2003
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to SANS' distribution of the Security Alert Consensus.
************************* Begin Advertisement ************************
SECURITY TRAINING UPDATE
Looking for CISSP training? SANS Track 1 covers both CISSP and GIAC GSEC
topics and earns much higher teacher ratings than simple CISSP courses.
And Track 9 gives you both Security+ and GIAC GISO training. Two for
the price and time of one - and great teachers, too. Both are available
for groups in house, as are our other training tracks. They are also
being held in San Diego, Baltimore and many other cities.
See: http://www.sans.org
************************** End Advertisement *************************
Many significant vulnerabilities were found in the Opera Web browser
this past week. Anyone using Opera should read item {03.05.001} in the
cross-platform section. If you don't receive that item, you can always
view it online at http://archives.neohapsis.com/archives/sac/. You
also can add the cross-platform category to your subscription by
following the instructions at the bottom of this newsletter.
Last week's vote for consolidated PHP items resulted in a 30:1 ratio
in support of it. Thank you to everyone who voted; your opinion helps
us make SAC a more efficient resource.
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{03.05.007} Win - Coldfusion MX NTLM authentication vulnerability
{03.05.009} Win - 32bit FTP client/server banner overflow
{03.05.010} Win - ByteCatcher FTP client banner overflow
{03.05.013} Win - Kazaa Media Desktop ad overflow
{03.05.002} Linux - Update {03.03.020}: VIM comments command execution
{03.05.003} Linux - Update {03.03.008}: MySQL multiple vulnerabilities
01/21
{03.05.006} Linux - Update {03.03.003}: CVS directory double-free
vulnerability
{03.05.015} Linux - Linux O_DIRECT
{03.05.001} Cross - Multiple Opera browser vulnerabilities
{03.05.004} Cross - Apache Tomcat path parsing vulnerability
{03.05.005} Cross - Courier CGI PostgreSQL authentication SQL tampering
{03.05.008} Cross - Kerberos FTP client shell execution
{03.05.011} Cross - noffle possible buffer overflow
{03.05.012} Cross - Compaq Web agent authentication reuse
{03.05.014} Cross - Majordomo address exposure
{03.05.016} Cross - qt-dcgui directory parser vulnerability
{03.05.017} Cross - http_fetcher lib overflow
{03.05.018} Cross - WebIntelligence predictable session IDs
{03.05.019} Cross - fnord CGI overflow
- --- Windows News -------------------------------------------------------
*** {03.05.007} Win - Coldfusion MX NTLM authentication vulnerability
Coldfusion MX contains a bug that may allow requests using NTLM
authentication in IIS to access files otherwise not normally accessible
to that user.
The vendor confirmed this vulnerability and released an update.
Source: Macromedia
http://archives.neohapsis.com/archives/vendor/2003-q1/0043.html
*** {03.05.009} Win - 32bit FTP client/server banner overflow
The 32bit FTP client (32bit is the proper name) version p9.49.01
reportedly contains a buffer overflow in the handling of large server
banners, thereby potentially allowing the execution of arbitrary code.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0054.html
*** {03.05.010} Win - ByteCatcher FTP client banner overflow
ByteCatcher FTP client version 1.04b reportedly contains a buffer
overflow in the handling of large server banners, thereby potentially
allowing the execution of arbitrary code.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0054.html
*** {03.05.013} Win - Kazaa Media Desktop ad overflow
The Kazaa Media Desktop version 2.0 contains a buffer overflow in the
handling of downloaded ads. Attackers able to intercept and inject
data into a user's network stream (by DNS redirection or compromise
of an upstream host/router) may be able to overflow a buffer and
execute arbitrary code.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-02/0008.html
- --- Linux News ---------------------------------------------------------
*** {03.05.002} Linux - Update {03.03.020}: VIM comments command
execution
Mandrake released updated VIM packages, which fix the vulnerability
discussed in {03.03.020} ("VIM comments command execution").
Updated RPMs are listed at the reference URL below.
Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0069.html
*** {03.05.003} Linux - Update {03.03.008}: MySQL multiple
vulnerabilities 01/21
Mandrake released updated MySQL packages, which fix the vulnerabilities
discussed in {03.03.008} ("MySQL multiple vulnerabilities 01/21").
Updated RPMs are listed at the reference URL below.
Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0070.html
*** {03.05.006} Linux - Update {03.03.003}: CVS directory double-free
vulnerability
Caldera released updated CVS packages, which fix the vulnerability
discussed in {03.03.003} ("CVS directory double-free vulnerability").
Updated RPMs are listed at the reference URL below.
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2003-q1/0007.html
*** {03.05.015} Linux - Linux O_DIRECT
Linux 2.4.10 and later contain a vulnerability in the O_DIRECT file
system access option that could lead to a possible information leakage
and file system corruption.
This vulnerability is confirmed.
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/bugtraq/2003-02/0031.html
Source: Red Hat (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2003-02/0031.html
- --- Cross-Platform News ------------------------------------------------
*** {03.05.001} Cross - Multiple Opera browser vulnerabilities
The Opera Web browser contains multiple vulnerabilities, including
cross-domain access flaws, access to local files, local image
references that allow cross-site scripting (CSS), and access to a
user's browsing history. A malicious Web site can use these
vulnerabilities to execute arbitrary JavaScript code, read local
files and access sensitive user information.
These vulnerabilities are not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0055.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0056.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0057.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0058.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0059.html
*** {03.05.004} Cross - Apache Tomcat path parsing vulnerability
Apache Tomcat 3.x prior to 3.3.1a contains two bugs in the parsing
of null characters and backslashes that allow a remote attacker to
enumerate directory contents and access restricted files inside the
Web root.
This vulnerability is confirmed and fixed in version 3.3.1a.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2003-q1/0040.html
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0051.html
http://archives.neohapsis.com/archives/vendor/2003-q1/0040.html
*** {03.05.005} Cross - Courier CGI PostgreSQL authentication SQL
tampering
The Courier CGI suite contains an error in the PostgreSQL
authentication module that allows a remote attacker to execute
arbitrary SQL commands. Other SQL authentication modules are not
affected.
This vulnerability is confirmed. Updated Debian DEBs are listed at
the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/vendor/2003-q1/0041.html
*** {03.05.008} Cross - Kerberos FTP client shell execution
The Kerberos FTP client passes FTP file names to a command shell,
thereby allowing a malicious FTP server to execute arbitrary commands
on the user's system.
This vulnerability is confirmed.
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0025.html
Source: Red Hat, VulnWatch
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0025.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0047.html
*** {03.05.011} Cross - noffle possible buffer overflow
A Debian advisory indicates that a buffer overflow in the noffle
news utility could possibly allow a malicious news server to execute
arbitrary code on the user's system.
Updated DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/vendor/2003-q1/0038.html
*** {03.05.012} Cross - Compaq Web agent authentication reuse
The Compaq Web agent reportedly contains a bug that could potentially
allow a user to resume a previous Compaq Web agent session that had
not been terminated.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-01/0362.html
*** {03.05.014} Cross - Majordomo address exposure
An advisory indicates that, under certain configurations, it's possible
for a remote user to gain a list of e-mail addresses subscribed to
a mailing list.
The vendor confirmed this vulnerability and released updates.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-02/0030.html
*** {03.05.016} Cross - qt-dcgui directory parser vulnerability
Qt-dcgui prior to version 0.2.2 contains a bug in the directory
parser that allows a remote attacker to download files outside the
document root.
This vulnerability is confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-02/0041.html
*** {03.05.017} Cross - http_fetcher lib overflow
Multiple buffer overflows were reported in the http_fetcher
library. The implications of these vulnerabilities depend on the
application that uses the library.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-01/0034.html
*** {03.05.018} Cross - WebIntelligence predictable session IDs
Business Objects' WebIntelligence version 2.7.1 reportedly uses
predictable session IDs, thereby allowing a remote attacker to hijack
user sessions.
The vendor confirmed this vulnerability and released a patch.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0014.html
*** {03.05.019} Cross - fnord CGI overflow
The fnord CGI utility contains a buffer overflow of some sort; however,
exploitation may not be possible.
This bug is confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-01/0162.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE+QsyT+LUG5KFpTkYRAqMSAJ9a4Y364KZIyO4OuDEYqUgjPfFgMwCff9Rc
HqXTLd6lgk+DTrQaINEG3rM=
=X1h3
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.sans.org/sansnews
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <sans@sans.org>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2003 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).