SANS Critical Vulnerability Analysis Vol 2 No 21
From: The SANS Institute (CriticalVulnerabilityAnalysis@sans.org)
Date: Mon Jun 02 2003 - 11:31:06 CDT
***********************************************************************
SANS Critical Vulnerability Analysis
June 2, 2003 Vol. 2. No. 21
***********************************************************************
The weekly CVA prioritizes and summarizes the most important
vulnerabilities and attacks identified during the past week, and
provides guidance on appropriate actions to protect your systems.
Details on the CVA process: http://www.sans.org/newsletters/cva/#process
***********************************************************************
Table of Contents:
Widely Deployed Software:
(1) HIGH: ntdll.dll Vulnerability Revised to Include Windows NT/XP
(2) HIGH: Apache Portable Runtime (APR) Function Vulnerability
(3) MODERATE: IIS Multiple Vulnerabilities
(4) MODERATE: IIS Windows Media ISAPI Extension Buffer Overflow
(5) MODERATE: Vignette Server Multiple Vulnerabilities
(6) LOW: Sun ONE Application Server Multiple Vulnerabilities
Other Software:
(7) HIGH: Axis Network Camera Authentication Bypass
(8) HIGH: WsMP3d Server Multiple Vulnerabilities
(9) HIGH: AnalogX Proxy Long URL Buffer Overflow
(10) MODERATE: iisProtect Password Protection Bypass and SQL Injection
***********************************************************************
*******************************
Widely Deployed Software
*******************************
(1) HIGH: ntdll.dll Vulnerability Revised to Include Windows NT/XP
Affected Products:
Windows NT4/2000/XP
Description:
Microsoft has released an updated advisory, and additional patches for
the Windows 2000 ntdll.dll vulnerability reported in March 2003. This
buffer overflow vulnerability in a core operating system component can
be exploited via many attack vectors, the most popular being through
the IIS WebDAV component. In the course of researching the problem,
Microsoft determined that Windows NT and Windows XP also contain the
vulnerability and has made patches available for these platforms as
well.
Windows NT does not support WebDAV and is therefore not susceptible to
exploitation via that particular approach. Windows XP can be configured
to run IIS and WebDAV (these do not run by default), and thus could be
exploited via the WebDAV attack vector. Like Windows 2000, Windows NT
and XP are vulnerable to attacks via any number of other programs that
rely on the flawed ntdll.dll operating system component.
Council Site Actions:
All reporting council sites are responding to this vulnerability. Many
of them have NT4 or Win2K systems that are Internet facing. These sites
have either already deployed the patches, or are in the process of
deploying the patches to the Internet facing systems. All sites plan to
deploy the patches to their internal systems during their next regularly
scheduled system update. One site reported they have already disabled
WebDAV via the registry.
Risk: Remote SYSTEM-level compromise of computers running Windows
NT4/2000/XP.
Deployment: Widely deployed. This problem affects a core Windows
operating system component, and can potentially be exploited through
many different applications that rely on the faulty component. A
mitigating factor is that most XP/NT systems are unlikely to be
vulnerable to the most popular attack vector (IIS WebDAV).
Ease of Exploitation: Straightforward. Multiple exploits for this
problem on Windows 2000 are publicly available, and could potentially
be adapted to attack Windows XP/NT. SecurityFocus notes that a
proof-of-concept worm using the WebDAV attack vector is available to
the attacker community.
Status: Vendor confirmed, patches available. Questions have been raised
about the order in which this patch should be applied (see links below).
References:
Revised Microsoft Advisory MS03-007:
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
Potential Issues with Applying the Patch:
http://archives.neohapsis.com/archives/ntbugtraq/2003-q2/0106.html
http://archives.neohapsis.com/archives/ntbugtraq/2003-q2/0108.html
Previous SANS CVA Report (Item #2):
http://archives.neohapsis.com/archives/sans/2003/0040.html
SecurityFocus BID
http://www.securityfocus.com/bid/7116
****************************************************************
(2) HIGH: Apache Portable Runtime (APR) Function Vulnerability
Affected Products:
Apache versions 2.0.37 through 2.0.45 (both Windows and Unix)
Other applications relying on older versions of APR
Description:
Apache's Portable Runtime (APR) library contains functions that enable
server portability across many different operating systems. One of these
functions, apr_psprintf, contains a heap memory corruption vulnerability
in handling very long input strings. Any program that accepts user data
and passes it to the vulnerable library function could thus provide an
avenue for attack. One currently known attack vector lies in the mod_dav
module that provides WebDAV support to Apache. Attackers can send a
specially crafted WebDAV request to the server to trigger the bug and
crash Apache. Other attack vectors using different Apache modules and
procedures are currently under investigation. Code execution is also
believed possible but has not yet been proven.
Council Site Actions:
Due to the late-breaking nature of this issue, we were unable to solicit
input from the council site members.
Risk: Remote attackers can crash the Apache server and cause it to stop
servicing client requests, or compromise the server and gain the
privileges of the Apache process (typically a non-privileged user).
Deployment: Very widely deployed.
According to the Netcraft survey, Apache holds the number one position
in the web server market with over 25 million installations worldwide.
Ease of Exploitation:
A) DoS -- Straightforward.
According to the iDefense advisory, a specially crafted WebDAV XML
object request of more than 12,250 bytes (non-Windows platforms) or
20,000 bytes (Windows platforms) crashes the server.
B) Compromise -- Difficult.
To date, researchers have not been able to exploit the flaw successfully
to execute code. iDefense states that it would be difficult to craft a
reliable code execution exploit, but acknowledges that it may be
possible.
Status: Vendor confirmed. The vulnerability is fixed in Apache version
2.0.46. A source code patch has been made available for earlier
versions. Additionally, WebDAV support may be disabled as a workaround
to prevent exploitation via the mod_dav attack vector.
References:
iDefense Security Advisory
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0095.html
Other Applications using Affected Versions of APR
http://apr.apache.org/projects.html#open_source
Other Apache Modules under Investigation for Different Attack Vectors
http://www.securiteam.com/securitynews/5RP130AA0K.html
SecurityFocus BID
http://www.securityfocus.com/bid/7723
Netcraft Web Server Survey
http://news.netcraft.com/archives/web_server_survey.html
****************************************************************
(3) MODERATE: IIS Multiple Vulnerabilities
Affected Products:
Microsoft IIS 4.0, 5.0, and 5.1 running on Windows NT4/2000/XP
Description:
Microsoft has released a cumulative patch for IIS that includes fixes
for four new vulnerabilities:
1) Remote attackers can crash the IIS server by sending an overlong
WebDAV PROPFIND or SEARCH request.
2) Attackers can execute arbitrary code on the IIS server by exploiting
a buffer overflow in the Server Side Include (SSI) file handling code.
Exploitation requires that the attacker be able to upload a file to the
server, and then be able to access the uploaded file via a web request.
3 & 4) The two remaining vulnerabilities are a cross-site scripting bug
and a different denial of service flaw that requires that the attacker
be able to upload files to the server.
Council Site Actions:
All council sites are responding to this vulnerability in a similar way
as item 1 above. Internet facing systems have either already been
patched or are in the process of being patched. Internal systems will
be patched during the next regularly scheduled systems update. One site
commented that they are not affected by the SSI exploit since they do
not allow file uploads on any of their web servers. The other
vulnerabilities are all DoS attacks, which by policy they do not fix
unless the vulnerabilities are being actively exploited.
Risk: Remote attackers can cause IIS to restart (IIS 5.0 and 5.1) or
hang (IIS 4.0) by sending a malformed WebDAV request. The attack can be
repeated multiple times leading to a sustained denial of service.
Servers that allow clients to upload files are additionally at risk of
compromise via a different vulnerability in SSI file handling. Attackers
able to compromise the server in this manner gain SYSTEM-level
privileges.
Deployment: Very widely deployed.
According to the Netcraft survey, IIS holds the number two position in
the web server market with over 11 million installations worldwide.
These vulnerabilities affect most IIS installations. IIS WebDAV support
(needed for the DoS attack) is enabled by default.
Ease of Exploitation:
A) DoS -- Straightforward.
According to the SPI Dynamics advisory, an attacker only needs to send
a WebDAV PROPFIND or SEARCH request with a data payload of more than
49,153 bytes. Exploit code has been posted (said to address the DoS)
that sends a request of the form "SEARCH /[long-buffer]" where
[long-buffer] is 65535 bytes long.
B) Compromise based on SSI handling -- Straightforward.
This is a stack-based overflow that can be triggered by remotely
requesting a SHTML file with an overlong filename. A challenging aspect
of the exploit is that an attacker must be able to create a file on the
web server in order to bypass a security check.
Status: Vendor confirmed, cumulative patch available.
References:
Advisory by SPI Dynamics (PROPFIND/SEARCH DoS)
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0089.html
Advisory by NSFocus (SSI Buffer Overflow)
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0094.html
Microsoft Advisory
http://www.microsoft.com/technet/security/bulletin/MS03-018.asp
SecurityFocus BIDs
http://www.securityfocus.com/bid/7735 (PROPFIND/SEARCH DoS)
http://www.securityfocus.com/bid/7734 (SSI Buffer Overflow)
http://www.securityfocus.com/bid/7733 (ASP Header DoS)
http://www.securityfocus.com/bid/7731 (Cross-Site Scripting)
Exploit Code Posted for the PROPFIND/SEARCH DoS
http://packetstormsecurity.nl/filedesc/ne0.c.html
Netcraft Web Server Survey
http://news.netcraft.com/archives/web_server_survey.html
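
Added example (not part of the original newsletter or of any vendor advisory): a log check for the oversized WebDAV requests described in items 2 and 3, using the byte counts quoted there. The record format, the sample records and all function names are assumptions made for this sketch; the records are assumed to come from a proxy or IDS in front of the web server, since a server that crashes may never write its own log entry.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Size figures quoted in this newsletter, in bytes.
IIS_WEBDAV_LIMIT = 49_153       # item 3: PROPFIND/SEARCH request, IIS
APACHE_DAV_LIMIT_UNIX = 12_250  # item 2: WebDAV XML request, non-Windows Apache
APACHE_DAV_LIMIT_WIN = 20_000   # item 2: WebDAV XML request, Apache on Windows

# RFC 2518 WebDAV methods plus SEARCH; plain GET/POST traffic is out of scope.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}

# Assumed record format (constructed for this example):
#   <client-ip> "<METHOD> <URI> HTTP/x.y" <request-body-bytes>
RECORD_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d" (?P<body>\d+)$'
)


@dataclass(frozen=True)
class Finding:
    client: str
    method: str
    uri_bytes: int
    body_bytes: int

    @property
    def total(self):
        return self.uri_bytes + self.body_bytes


def scan(records, limit):
    """Return a Finding for every WebDAV request whose URI + body exceeds limit."""
    findings = []
    for record in records:
        m = RECORD_RE.match(record.strip())
        if m is None or m["method"] not in WEBDAV_METHODS:
            continue
        # Count the URI as well as the body: the newsletter describes both an
        # oversized data payload and an oversized "SEARCH /[long-buffer]" URI.
        f = Finding(m["client"], m["method"], len(m["uri"]), int(m["body"]))
        if f.total > limit:
            findings.append(f)
    return findings


def repeat_sources(findings, min_hits=2):
    """Clients with several oversized requests: the sustained-DoS pattern."""
    hits = Counter(f.client for f in findings)
    return sorted(client for client, n in hits.items() if n >= min_hits)


# Constructed sample records (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 "GET /index.html HTTP/1.1" 0',
    '192.0.2.11 "PROPFIND /docs/ HTTP/1.1" 312',
    '192.0.2.12 "PROPFIND /docs/ HTTP/1.1" 49154',
    '192.0.2.12 "PROPFIND /docs/ HTTP/1.1" 49154',
    '192.0.2.13 "SEARCH /' + "x" * 65535 + ' HTTP/1.1" 0',
    '192.0.2.14 "PROPFIND /dav/ HTTP/1.1" 15000',
    '192.0.2.15 "POST /upload HTTP/1.1" 900000',
]

if __name__ == "__main__":
    for name, limit in (("IIS", IIS_WEBDAV_LIMIT),
                        ("Apache (non-Windows)", APACHE_DAV_LIMIT_UNIX)):
        found = scan(SAMPLE, limit)
        for f in found:
            print(f"{name}: {f.client} {f.method} {f.total} bytes > {limit}")
        print(f"{name}: repeat sources {repeat_sources(found)}")
```
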
******************************************************************
(4) MODERATE: IIS Windows Media ISAPI Extension Buffer Overflow
Affected Products:
Windows Media Services ISAPI Extension for IIS 4.0/5.0 running on
Windows NT4/2000
Description:
IIS' Windows Media Services ISAPI Extension performs logging for
tracking client participation during streaming audio and video
broadcasts. This feature is provided in Windows 2000 Server, Advanced
Server, and DataCenter Server, and a version can be downloaded for all
Windows NT 4.0 Server-based OSs. In all installations, when streaming
media logging is enabled a buffer overflow vulnerability exists. A
remote attacker can send a malformed request to the logger and cause a
memory fault that hangs the IIS server. Further, Microsoft has
determined that the flaw can be remotely exploited to execute
attacker-supplied code. (Note: The original MS advisory only
acknowledged the DoS problem. An update was released a few days later
acknowledging the potential for code execution.)
Council Site Actions:
Only three of the reporting council sites are running the affected
software and are currently responding to this vulnerability. They all
plan to roll out the patch during the next regularly scheduled system
update and they are either already blocking these types of requests at
the security perimeter or plan to, in the near future. A fourth site
is scanning their systems to determine if any hosts are running this
software, and a fifth site found only a single system with the affected
DLL installed. They are treating this as a low risk and have not taken
any action at this time.
Risk: Remote attackers can disable the IIS server and cause it to stop
servicing client requests, or compromise the server and gain the
privileges of the IIS process (IWAM_machinename account).
Deployment: Moderate.
This vulnerability affects only one specific, non-default configuration
of IIS. The server must have streaming media logging enabled.
Ease of Exploitation: Unknown.
The vulnerable component is named nsiislog.dll, and is installed in the
IIS /scripts directory. An attacker can trigger the overflow by sending
a chunked-encoded POST request to the vulnerable DLL. The discoverer of
the flaw has built a working code execution exploit, but has not
released it to the public.
Status: Vendor confirmed, patch available.
References:
Microsoft Advisory
http://www.microsoft.com/technet/security/bulletin/MS03-019.asp
Posting by Marc Maiffret
http://archives.neohapsis.com/archives/bugtraq/2003-05/0329.html
Posting by Brett Moore (discovered the bug)
http://archives.neohapsis.com/archives/ntbugtraq/2003-q2/0112.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0096.html
SecurityFocus BID
http://www.securityfocus.com/bid/7727
******************************************************************
(5) MODERATE: Vignette Server Multiple Vulnerabilities
Affected Products:
Vignette StoryServer 4, StoryServer 5 and V/5
Description:
Multiple vulnerabilities have been reported in the Vignette family of
server products. Remote unauthenticated attackers can potentially:
1) Execute arbitrary SELECT queries against the backend database by
sending specially crafted web requests.
2) Execute arbitrary TCL code on the server by sending specially crafted
web requests.
3) Execute arbitrary server side include (SSI) code by providing the
code in text data that the server accepts from the user and then
attempts to "show" (requires SSI support to be enabled on the server).
4) Tamper with server licensing information, causing a DoS.
5) Gain sensitive information about the system.
6) Perform cross-site scripting attacks against other users.
Council Site Actions:
The affected software is not in production or widespread use at all but
one of the council sites. They reported that no action was necessary.
At the remaining council site, they do not plan to take any action at
this time since the vulnerabilities are not yet confirmed by the vendor.
Risk: Remote compromise of systems running Vignette server products.
Successful attackers gain the privileges of the server process.
Deployment: Significant.
The Vignette corporate website provides case studies discussing Vignette
server deployments at many high profile organizations.
Ease of Exploitation: Varies, mostly straightforward.
The multiple advisories provide technical details describing how the
different attacks may be accomplished.
Status: These vulnerabilities have not been confirmed, and the technical
accuracy of one of the reports (TCL code injection) has been disputed.
References:
VulnWatch Posting
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0085.html
Vendor Website
http://www.vignette.com/
SSI Script Injection Vulnerability
http://www.s21sec.com/en/avisos/s21sec-016-en.txt
http://www.securityfocus.com/bid/7685
Legacy Tool SQL Access Vulnerability
http://www.s21sec.com/en/avisos/s21sec-017-en.txt
http://www.securityfocus.com/bid/7683
NEEDS and VALID_PATH Command TCL Code Injection
http://www.s21sec.com/en/avisos/s21sec-024-en.txt
http://www.securityfocus.com/bid/7690
http://archives.neohapsis.com/archives/bugtraq/2003-05/0306.html
Memory Disclosure Vulnerability
http://www.s21sec.com/en/avisos/s21sec-018-en.txt
http://www.securityfocus.com/bid/7684
Multiple Cross-Site Scripting Vulnerabilities
http://www.s21sec.com/en/avisos/s21sec-023-en.txt
http://www.securityfocus.com/bid/7687
Style Template Information Leak
http://www.s21sec.com/en/avisos/s21sec-019-en.txt
http://www.securityfocus.com/bid/7688
Login Template Username Information Leak
http://www.s21sec.com/en/avisos/s21sec-020-en.txt
http://www.securityfocus.com/bid/7691
License Template Denial of Service
http://www.s21sec.com/en/avisos/s21sec-021-en.txt
http://www.securityfocus.com/bid/7694
******************************************************************
(6) LOW: Sun ONE Application Server Multiple Vulnerabilities
Affected Products:
Sun ONE Application Server 7.0 for Windows XP/2000
Description:
The Sun ONE server has been reported to contain multiple
vulnerabilities. The most severe problem allows remote attackers to
easily view the source code of JSP files. Additional issues allow
attackers to evade logging mechanisms and perform cross-site scripting
attacks.
Council Site Actions:
The affected software is in use at only one of the reporting council
sites. They are in the process of investigating changing the default
permission settings of sensitive files like C:\Sun\appserver7\statefile.
They are also investigating modifying the server message response files
to prevent the return of user-supplied data.
Risk: Information exposure. Attackers can inspect the source code of JSP
programs in order to discover vulnerabilities.
Deployment: Significant.
According to the Netcraft survey, SunONE holds the number four position
in the web server market with over 400,000 installations worldwide.
Ease of Exploitation: Trivial.
An attacker can obtain JSP source code by manipulating the filename
capitalization in a web request. Example: requesting "file.jsp" as
"file.JSP" causes a vulnerable server to respond with the raw file
contents (source code).
Status: These vulnerabilities have not been confirmed.
References:
Advisory by SPI Dynamics
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0087.html
SecurityFocus BIDs
http://www.securityfocus.com/bid/7709
http://www.securityfocus.com/bid/7710
http://www.securityfocus.com/bid/7711
Netcraft Web Server Survey
http://news.netcraft.com/archives/web_server_survey.html
********************
Other Software
********************
(7) HIGH: Axis Network Camera Authentication Bypass
Affected Products:
Axis 2100/2110/2120/2130/2420 Network Camera
Axis 2460 Network DVR
Axis 2400/2401/2505 Video Server
Description:
Axis network camera platforms provide a web server interface for remote
configuration and management. A vulnerability has been discovered where
a remote attacker can bypass the web server's authentication mechanism
and reconfigure the device without providing a username and password.
This flaw allows a remote attacker to gain complete control (includes
command-line access) over a vulnerable device.
Council Site Actions:
Only one council site has known instances of the affected
hardware/software. They have notified their UNIX support team and
requested that the system firmware be updated as soon as possible since
the ability to bypass the admin/password feature is so trivial. A second
council site suspects they have one or more of these devices deployed
and are currently investigating their location and the urgency to
correct the problem.
Risk: Remote compromise of Axis network camera platforms.
Deployment: Moderate.
According to the vendor website, Axis cameras are number one in the
worldwide network camera market. Cameras are utilized for a variety of
tasks, including security monitoring of physical resources.
Ease of Exploitation: Trivial.
An attacker can access the web-based administrative page directly
(bypasses authentication) by simply adding an extra slash character to
the requested URL. Example: (notice the extra slash after
camera.ip.address)
http://camera.ip.address//admin/admin.shtml
Status: This vulnerability has been confirmed. Software update
information is provided in the Core Advisory.
References:
Security Advisory by Core Security Technologies
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0086.html
Posting about Additional Common Misconfiguration Problem
http://archives.neohapsis.com/archives/bugtraq/2003-05/0301.html
Axis Network Camera Product Page
http://www.axis.com/products/video/camera/index.htm
SecurityFocus BID
http://www.securityfocus.com/bid/7652
******************************************************************
(8) HIGH: WsMP3d Server Multiple Vulnerabilities
Affected Products:
WsMP3d daemon v. 0.0.10 and earlier
web_server (previous name for WsMP3d) v. 0.0.7 and earlier
Description:
WsMP3d is an open source web server for Linux that also
functions as a shoutcast server. The software reportedly contains
several vulnerabilities allowing remote attackers to access files
outside the webroot, execute arbitrary shell commands, and exploit a
heap-based buffer overflow vulnerability to execute attacker-supplied
code.
Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites. They reported that no action was necessary.
Risk: Remote compromise of systems running WsMP3d at the privilege level
of the server process, typically root.
Deployment: Small.
WsMP3d is a sourceforge project that appears to be in the early stages
of development.
Ease of Exploitation: Trivial.
Exploit code and attack details have been posted.
Status: These vulnerabilities have not been confirmed.
References:
INetCop Security Advisory (webroot escaping)
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0077.html
INetCop Security Advisory (heap overflow)
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0078.html
Exploit code for heap overflow by dong-h0un U
http://www.securiteam.com/exploits/5HP0N1PA0K.html
SecurityFocus BIDs
http://www.securityfocus.com/bid/7642
http://www.securityfocus.com/bid/7643
http://www.securityfocus.com/bid/7645
******************************************************************
(9) HIGH: AnalogX Proxy Long URL Buffer Overflow
Affected Products:
AnalogX version 4.13
Description:
AnalogX Proxy is a proxy server for small network environments that
supports multiple communications protocols. The server contains a buffer
overflow vulnerability in handling URLs longer than 340 bytes. An attack
can be accomplished by connecting to the proxy on port 6588/tcp and
supplying an overlong URL. Attackers can exploit the flaw to execute
arbitrary code with the privileges of the AnalogX process, typically
Administrator.
Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites. They reported that no action was necessary.
Risk: Remote compromise of servers running the AnalogX Proxy program.
Successful attackers gain the privileges of the server process,
typically Administrator.
Deployment: Moderate. AnalogX Proxy is a popular freeware program for
Windows.
Ease of Exploitation: Straightforward. According to the advisory,
connecting to port 6588/tcp and sending a URL of 340+ characters will
trigger a stack-based buffer overflow on the server. No exploit code
has yet been published.
Status: This vulnerability has been confirmed and fixed in version 4.14.
References:
Advisory by Network Intelligence India
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0082.html
Vendor Product Page
http://www.analogx.com/contents/download/network/proxy.htm
SecurityFocus BID
http://www.securityfocus.com/bid/7681
******************************************************************
(10) MODERATE: iisProtect Password Protection Bypass and SQL Injection
Affected Products:
iisProtect prior to version 2.2.0.9
Description:
iisProtect is an application that allows fine-grained access controls
to be applied to directories and files served by IIS. Specifically,
iisProtect allows each page to be password protected, but remote
attackers can easily bypass the password check by partially hex-encoding
the HTTP request for a protected file. In addition, input sanitization
problems in the iisProtect web-based administration interface allow
remote attackers to execute arbitrary SQL commands against iisProtect's
backend database. In some configurations the SQL injection can be
further leveraged to execute arbitrary shell commands on the server
(e.g. by invoking MS SQL Server's xp_cmdshell function).
Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites. They reported that no action was necessary.
Risk: Remote compromise of systems running iisProtect and/or
unauthorized exposure of information protected by iisProtect.
Deployment: Moderate.
iisProtect is commercial software that supports enterprise environments
with thousands of users, and is part of the Microsoft Certified Partner
program.
Ease of Exploitation: Simple.
Examples have been posted demonstrating how both types of attacks may
be accomplished.
Status: Vendor confirmed. These vulnerabilities are fixed in the current
version of iisProtect.
References:
iDefense Security Advisory (Password Protection Bypass)
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0080.html
Advisory by Torben 'Gyrniff' Frohn (SQL Injection)
http://archives.neohapsis.com/archives/bugtraq/2003-05/0252.html
Vendor Website
http://www.iisprotect.com/
SecurityFocus BIDs
http://www.securityfocus.com/bid/7661
http://www.securityfocus.com/bid/7675
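
Added example (not part of the original newsletter and not vendor code): items 6, 7 and 10 each describe a check that is defeated by respelling the request path (changed capitalization, an extra slash, partial hex-encoding). The sketch below puts a check on the raw path beside one made on a canonical path. PROTECTED_DIRS, SCRIPT_EXTS, the sample paths and all function names are hypothetical, and treating item 6 as an extension-to-handler lookup is an assumption about the mechanism.

```python
import posixpath
import re
from urllib.parse import unquote

PROTECTED_DIRS = ("/admin",)  # hypothetical policy: these trees require a login
SCRIPT_EXTS = (".jsp",)       # hypothetical: must be executed, never sent as source


def naive_route(raw_path):
    """Decide on the raw request path, as a vulnerable front end might."""
    protected = any(raw_path.startswith(d + "/") for d in PROTECTED_DIRS)
    handler = "execute" if raw_path.endswith(SCRIPT_EXTS) else "static"
    return raw_path, protected, handler


def canonicalize(raw_path, case_insensitive_fs=True):
    """Reduce a request path to the single form the file system will resolve."""
    path = unquote(raw_path)                  # "%61" -> "a"
    if re.search(r"%[0-9A-Fa-f]{2}", path):
        # Still encoded after one pass: refuse instead of guessing.
        raise ValueError("double-encoded path rejected")
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    path = path.replace("\\", "/")            # Windows separators
    # posixpath.normpath() deliberately keeps a leading "//", so collapse
    # runs of slashes before calling it.
    path = re.sub(r"/+", "/", path)
    if not path.startswith("/"):
        raise ValueError("request path must be absolute")
    path = posixpath.normpath(path)           # resolves "." and ".."
    # On a case-insensitive file system "file.JSP" and "file.jsp" are one file.
    return path.lower() if case_insensitive_fs else path


def route(raw_path):
    """Make the access and handler decisions on the canonical path only.

    The caller must also open the file by the returned canonical path, so the
    check and the file access cannot disagree.
    """
    canon = canonicalize(raw_path)
    protected = any(canon == d or canon.startswith(d + "/")
                    for d in PROTECTED_DIRS)
    handler = "execute" if canon.endswith(SCRIPT_EXTS) else "static"
    return canon, protected, handler


# Constructed sample paths.
SAMPLE_PATHS = [
    "/admin/admin.shtml",     # plain request
    "//admin/admin.shtml",    # extra slash (item 7)
    "/%61dmin/admin.shtml",   # partial hex-encoding (item 10)
    "/file.JSP",              # changed capitalization (item 6)
    "/index.html",            # unprotected static page
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:26} naive={naive_route(p)[1:]} canonical={route(p)[1:]}")
```
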
******************************************************************
Subscriptions: The CVA is distributed free of charge to people
responsible for securing information systems and networks. You may
forward this newsletter to any people with such responsibility inside
or outside your organization.
To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.
To change your subscription, address, or other information, visit
http://portal.sans.org
Copyright 2003. All rights reserved. No copying, forwarding, or reuse
allowed, other than those listed in the preceding paragraph, without
written permission from the SANS Institute. Email sansro@sans.org for
permission.