Security Alert Consensus #019
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu May 15 2003 - 18:08:46 CDT
-- Security Alert Consensus --
Number 019 (03.19)
Thursday, May 15, 2003
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
Information on how to manage your subscription can be found at the
bottom of the newsletter. If you have any problems or questions, please
e-mail us at <consensus@nwc.com>.
************************* Begin Advertisement ************************
This issue sponsored by Sygate Technologies.
FREE GUIDE: STOP INSTANT MESSAGING, MP3s AND MORE. Learn how
"endpoint security" technology helps you put an end to unwanted
instant messaging, eliminate MP3s and other downloads, enforce
anti-virus, firewalls, patches and other updates. Click here:
http://www.sygate.connectthe.com/ssac.2
************************** End Advertisement *************************
Windows Update is a crucial tool in the management of Windows patches
and updates. However, it recently has been the topic of heated debate:
What if Windows Update fails? What if it misses a patch? It turns out
this may be the case more than you think. A good summary NTBugtraq post
by Russ Cooper is available at:
http://archives.neohapsis.com/archives/ntbugtraq/2003-q2/0081.html
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{03.19.005} Win - SLMail and SLWebMail multiple vulns
{03.19.006} Win - MS03-017: Windows Media Player skin download vuln
{03.19.008} Win - CMailServer large parameter overflow
{03.19.009} Win - Snitz Forum CGI register.asp SQL tampering
{03.19.017} Win - IP Messenger long file name overflow
{03.19.001} Linux - Updated patches for previous vulnerabilities
{03.19.010} HP-UX - wall local vuln
{03.19.004} NetDev - Cisco VPN 3000 multiple vulns
{03.19.015} NetDev - PowerLink WAN Aggregator remote file reading
{03.19.018} NetDev - Neoteris IVE cross-site scripting
{03.19.002} Cross - fuzz insecure temp file handling
{03.19.003} Cross - Vulnerable PHP applications 05/13
{03.19.007} Cross - HappyMall CGI file param command exec
{03.19.011} Cross - kopete gpg message command exec
{03.19.012} Cross - Firebird DB env var overflows
{03.19.013} Cross - cdrecord scsiopen.c format vuln
{03.19.014} Cross - Listproc catmail ULISTPROC_UMASK overflow
{03.19.016} Cross - unzip directory traversal vuln #2
--- Windows News -------------------------------------------------------
*** {03.19.005} Win - SLMail and SLWebMail multiple vulns
SLMail version 5.1.0.4420 suffers from multiple vulnerabilities: a
buffer overflow in the SMTP ETRN and XTRN commands; a buffer overflow
in the handling of large strings sent to the POPPASSWD service; and a
buffer overflow in the handling of large user passwords by the POP3
service. SLWebMail version 3 contains numerous buffer overflows in the
various ISAPI DLL files. It also allows the reading of arbitrary files
on the system.
The vendor confirmed these problems and released a patch.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0054.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0055.html
*** {03.19.006} Win - MS03-017: Windows Media Player skin download vuln
Microsoft released MS03-017 ("Windows Media Player skin download
vulnerability"). Windows Media Player 7.1 and Windows Media Player for
Windows XP download skin files to known locations, which allows an
attacker to potentially execute arbitrary programs on the user's system.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-017.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q2/0010.html
*** {03.19.008} Win - CMailServer large parameter overflow
CMailServer version 4.0.2003.03.27 contains a buffer overflow in the
handling of large parameters passed to the 'MAIL FROM' or 'RCPT TO' SMTP
commands, which allows a remote attacker to execute arbitrary code on
the system.
This vulnerability is confirmed and fixed in version 4.0.2003.03.30.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0062.html
*** {03.19.009} Win - Snitz Forum CGI register.asp SQL tampering
The Snitz Forum CGI suite prior to version 3.4.03 does not properly
filter the 'e-mail' parameter passed to the register.asp page, which
allows a remote attacker to execute arbitrary SQL queries on the backend
database.
This vulnerability is confirmed and fixed in version 3.4.03.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0067.html
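The Snitz entry above describes the classic shape of SQL tampering: a request parameter spliced into query text. The following is an added illustration, not code from the advisory or from Snitz (which is ASP, not Python); it uses an in-memory SQLite table and made-up member rows to show how a quote in the 'e-mail' value rewrites a concatenated query, and how a bound parameter plus an input-shape check stops it. The table, rows and function names are constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory table standing in for a forum's member store.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO members (id, email) VALUES (?, ?)",
        [(1, "alice@example.invalid"), (2, "bob@example.invalid")],
    )
    return conn

def lookup_unsafe(conn, email):
    """Vulnerable pattern: the request parameter is spliced into the SQL
    text, so a quote inside the value rewrites the WHERE clause."""
    sql = "SELECT id FROM members WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, email):
    """Hardened pattern: the value travels as a bound parameter and is
    never parsed as SQL, whatever characters it contains."""
    rows = conn.execute("SELECT id FROM members WHERE email = ?", (email,))
    return [row[0] for row in rows]

# Deliberately simple address shape; the point is to reject SQL metacharacters
# early, not to validate RFC 5322 in full.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def plausible_email(value):
    """Defence in depth: reject values that cannot be an address before
    they reach the database layer at all."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None

if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"      # constructed hostile value
    print("unsafe:", lookup_unsafe(db, crafted))   # every member id
    print("safe:  ", lookup_safe(db, crafted))     # no match
    print("shape: ", plausible_email(crafted))     # False
```

The parameterized form is the fix; the shape check is only a second line of defence and would not be enough on its own.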
*** {03.19.017} Win - IP Messenger long file name overflow
IP Messenger for Windows versions 2.02 and prior contain a buffer
overflow in the handling of long file names sent by a malicious attacker
during file transfers.
The advisory indicates confirmation by the vendor, which released
version 2.03.
Source: VulnWatch
http://archives.neohapsis.com/archives/bugtraq/2003-05/0131.html
--- Linux News ---------------------------------------------------------
*** {03.19.001} Linux - Updated patches for previous vulnerabilities
The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
--- Red Hat:
RHSA-2003:002-01: KDE
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0054.html
RHSA-2003:160-01: xinetd
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0055.html
--- Mandrake:
MDKSA-2003:053-1: mgetty
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0102.html
--- Debian:
DSA-301-1: libgtop
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0516.html
--- Conectiva:
CLA-2003:643: slocate
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0031.html
--- Caldera:
CSSA-2003-020.0: kernel
http://archives.neohapsis.com/archives/linux/caldera/2003-q2/0005.html
CSSA-2003-021.0: mgetty
http://archives.neohapsis.com/archives/linux/caldera/2003-q2/0006.html
Source: Red Hat, Mandrake, Debian, Conectiva, Caldera
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0054.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0055.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0102.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0516.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0031.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q2/0005.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q2/0006.html
--- HP-UX News ---------------------------------------------------------
*** {03.19.010} HP-UX - wall local vuln
The wall utility contains a locally exploitable vulnerability that could
allow an attacker to gain elevated privileges. Further details were not
released.
Source: HP
http://archives.neohapsis.com/archives/hp/2003-q2/0033.html
--- Network Devices News -----------------------------------------------
*** {03.19.004} NetDev - Cisco VPN 3000 multiple vulns
The Cisco VPN 3000 Concentrator contains three vulnerabilities: TCP
packets can be routed to the internal network if IPSec over TCP is
enabled; a malformed SSH packet can cause the device to reload; and
malformed ICMP traffic can cause a denial of service.
Cisco confirmed these vulnerabilities. Update information is available
at the reference URL below.
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2003-q2/0005.html
*** {03.19.015} NetDev - PowerLink WAN Aggregator remote file reading
AstroCorp's PowerLink WAN Aggregator includes a vulnerable version of
the Boa Web server, which allows remote attackers to read arbitrary
files on the system that are readable by the Web server. This could
expose device configuration information.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-05/0106.html
*** {03.19.018} NetDev - Neoteris IVE cross-site scripting
An advisory has surfaced indicating that the Neoteris IVE version 3.01
is vulnerable to a cross-site scripting attack, which could allow an
attacker to hijack a user's connection and gain VPN access to the
internal network.
This vulnerability is confirmed and fixed in version 3.1.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-05/0130.html
--- Cross-Platform News ------------------------------------------------
*** {03.19.002} Cross - fuzz insecure temp file handling
The fuzz software-testing tool insecurely handles temporary files, which
allows a local attacker to gain the privileges of the user running fuzz.
Debian confirmed this vulnerability and released updated DEBs, listed
at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0517.html
*** {03.19.003} Cross - Vulnerable PHP applications 05/13
The following is a list of reportedly vulnerable third-party PHP CGI
applications. These vulnerabilities are not confirmed.
miniPortal 2.2 and prior: admin access
http://archives.neohapsis.com/archives/bugtraq/2003-05/0094.html
ttCMS 2.2: remote file include command execution; SQL injection
http://archives.neohapsis.com/archives/bugtraq/2003-05/0104.html
ttForum: remote file include command execution; SQL injection
http://archives.neohapsis.com/archives/bugtraq/2003-05/0104.html
Phorum 3.4.1: cross-site scripting
http://archives.neohapsis.com/archives/bugtraq/2003-05/0107.html
PHP-Nuke 6.5: SQL injection; cross-site scripting
http://archives.neohapsis.com/archives/bugtraq/2003-05/0122.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0140.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0147.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-05/0094.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0104.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0107.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0122.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0140.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0147.html
*** {03.19.007} Cross - HappyMall CGI file param command exec
The HappyMall CGI suite does not properly filter the 'file' URL
parameter, which allows a remote attacker to execute arbitrary
command-line commands under the privileges of the Web server. The flaw
also allows the reading of arbitrary files that are readable by the Web
server.
The advisory indicates confirmation by the vendor as well as a fix.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0058.html
*** {03.19.011} Cross - kopete gpg message command exec
kopete prior to version 0.6.2 insecurely invokes gpg to handle encrypted
incoming messages, which potentially allows a malicious message to
execute arbitrary command-line commands.
This vulnerability is confirmed and fixed in version 0.6.2.
Updated Mandrake RPMs are listed at the reference URL below.
Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0103.html
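The HappyMall 'file' parameter item and the kopete gpg item share one root cause: untrusted text reaching a command line that a shell parses. The following is an added example, not code from either project or advisory; it uses Python's shlex to show what a POSIX shell would make of a pasted-in value, and contrasts that with an argv list, where the value reaches the child program verbatim. The gpg command line is an assumed stand-in for whatever the affected programs actually ran, and the child process used to prove the point is Python itself so the example runs without gpg installed.

```python
import shlex
import subprocess
import sys

# Tokens a POSIX shell treats as command separators.
SHELL_SEPARATORS = {";", ";;", "&", "&&", "|", "||"}

def unsafe_command_line(message_path):
    """Vulnerable pattern: an attacker-influenced value is pasted into a
    command string that a shell will parse (assumed gpg invocation)."""
    return "gpg --decrypt " + message_path

def quoted_command_line(message_path):
    """If a shell really is unavoidable, shlex.quote wraps the value so the
    shell sees it as a single word."""
    return "gpg --decrypt " + shlex.quote(message_path)

def safe_argv(message_path):
    """Hardened pattern: an argv list. No shell tokenizes it, and '--'
    stops option parsing so a value starting with '-' is not read as a
    gpg flag."""
    return ["gpg", "--decrypt", "--", message_path]

def shell_tokens(command_line):
    """Tokenize the way a POSIX shell would, keeping metacharacters as
    separate tokens, so we can see what the shell would actually run."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return list(lexer)

def command_count(command_line):
    """Number of commands the shell would run for this line."""
    return 1 + sum(1 for t in shell_tokens(command_line) if t in SHELL_SEPARATORS)

def echo_via_argv(value):
    """Pass a hostile-looking value through an argv list to a child process
    and return exactly what the child received."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout

if __name__ == "__main__":
    hostile = "msg.asc; id"   # constructed value with a shell separator in it
    print(shell_tokens(unsafe_command_line(hostile)))   # separator becomes its own token
    print(command_count(unsafe_command_line(hostile)))  # 2
    print(command_count(quoted_command_line(hostile)))  # 1
    print(repr(echo_via_argv(hostile)))                 # value arrives intact
```

The argv form is the one to reach for; quoting is a fallback for code that cannot avoid a shell, and it only helps if every interpolated value is quoted.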
*** {03.19.012} Cross - Firebird DB env var overflows
The Firebird database versions 1.0.2 and prior include binaries that
are vulnerable to various overflows of the environment variables. This
allows a local attacker to gain 'firebird' user privileges, which then
could be potentially elevated to root.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0061.html
*** {03.19.013} Cross - cdrecord scsiopen.c format vuln
The cdrecord utility version 2.0 contains a format string vulnerability
that could allow a local attacker to execute arbitrary code with
elevated privileges.
The vulnerability is fixed in versions 2.01a14 and later.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-05/0144.html
*** {03.19.014} Cross - Listproc catmail ULISTPROC_UMASK overflow
The catmail utility included in the Listproc suite contains a buffer
overflow in the handling of the ULISTPROC_UMASK environment variable,
which allows a local attacker to execute arbitrary code with root
privileges.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0060.html
*** {03.19.016} Cross - unzip directory traversal vuln #2
The open-source unzip utility version 5.50 reportedly contains a bug
whereby a malicious zip file can overwrite files outside the intended
unzip location via a malformed '..' style attack.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-05/0113.html
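The unzip item above names the mechanism (a '..' component in a member name escaping the extraction directory) without showing what a defender-side check looks like. The following is an added example in Python, not unzip's code or anything from the advisory; it builds a small archive in memory with one benign member and two escaping ones (relative '..' and an absolute path), flags every member whose resolved path would land outside the target directory, and refuses the archive rather than silently rewriting names. The member names and helper names are constructed for the example.

```python
import io
import os
import tempfile
import zipfile

def build_sample_zip():
    """Constructed archive: one benign entry plus two that try to land
    outside the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        zf.writestr("../../escaped.txt", "would land above the target dir\n")
        zf.writestr("/abs/escaped.txt", "absolute path\n")
    return buf.getvalue()

def escaping_entries(zip_bytes, dest):
    """Return member names whose resolved path falls outside dest.
    Backslashes are treated as separators too, since some archivers emit
    them and a check that only looks for '../' would miss '..\\..'."""
    dest_real = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            candidate = os.path.join(dest_real, name.replace("\\", "/"))
            target = os.path.realpath(candidate)   # collapses '..' and symlinks
            if os.path.commonpath([dest_real, target]) != dest_real:
                bad.append(name)
    return bad

def extract_clean_only(zip_bytes, dest):
    """Extract only if every member stays inside dest; otherwise refuse the
    whole archive so the event is visible instead of quietly repaired."""
    bad = escaping_entries(zip_bytes, dest)
    if bad:
        raise ValueError("archive contains escaping entries: %r" % (bad,))
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()

def demo():
    """Run the check on the constructed archive in a scratch directory and
    return (escaping names, whether extraction was refused)."""
    with tempfile.TemporaryDirectory() as dest:
        bad = escaping_entries(build_sample_zip(), dest)
        try:
            extract_clean_only(build_sample_zip(), dest)
            refused = False
        except ValueError:
            refused = True
        return bad, refused

if __name__ == "__main__":
    print(demo())   # (['../../escaped.txt', '/abs/escaped.txt'], True)
```

Current versions of Python's zipfile strip such components on extraction by themselves; the explicit pass is still worth having because it lets you log and reject a hostile archive instead of extracting a renamed file and moving on.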
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE+xAHH+LUG5KFpTkYRAmm9AJ0fq20sEDD21C8qRDD58lfq17rqnwCaAyCE
Zlp0XqRP8hmCiCBDxh9Q+tY=
=XPYC
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://portal.sans.org
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
To unsubscribe from this newsletter, or to edit your subscription
information, please go to: http://portal.sans.org
Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2003 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).