RISK: The Consensus Security Vulnerability Alert Vol. 3 No. 3

From: The SANS Institute (ConsensusSecurityVulnerabilityAlertsans.org)
Date: Thu Jan 22 2004 - 07:23:09 CST



This week, there is only one high risk vulnerability in a widely
deployed system. It affects Cisco CallManager and related products when
they are implemented on IBM servers with older operating systems. This
type of problem is not limited to Cisco. It arises whenever product
developers ignore the need to verify that their installation scripts do
not leave vulnerabilities in either their software or in the underlying
operating system. It's an easy mistake to make and it often causes
problems beyond the application that created the vulnerability. Let's
work cooperatively to highlight the packages that cause such problems.

Please let us know of any popular software products that have an
installation script that creates one or more vulnerabilities in the
underlying operating system that can be exploited remotely to gain
unauthorized access. The problem may be caused by the automated script
or it may be caused by a requirement that the vendor places upon the
installer to eliminate a safe security setting in order to install and
use the product. Send your submissions to infosans.org with the
subject "Installation-caused vulnerabilities."

The best ones will get nice rewards.

                                  Alan

***********************************************************************
           RISK: The Consensus Security Vulnerability Alert
January 22, 2004 Vol. 3. Week 3
***********************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

-----------------------------------------------------------------------
Summary of the vulnerabilities reported this week
Category - # of Updates & Vulnerabilities
                             (Found in Part I or Part II)
-----------------------------------------------------------------------

Third Party Windows Apps - 10 (Parts I and II)
Tru64 - 1 (Parts I and II)
Unix - 5 (Parts I and II)
Novell - 1 (Part II)
Cross Platform - 9 (Parts I and II)
Web Application - 9 (Parts I and II)
Network Device - 1 (Part II)

-----------------------------------------------------------------------

Part I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint
(www.tippingpoint.com) as a by-product of that company's continuous
effort to ensure that its intrusion prevention products effectively
block exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed
description of the process may be found at
http://www.sans.org/newsletters/cva/#process
Archives: http://www.sans.org/newsletters/

******************
Contents of Part I

Widely Deployed Software
(1) HIGH: Cisco Voice IBM Director Agent Vulnerabilities
(2) LOW: qmail Long SMTP Session Handling Vulnerability
(3) LOW: HP Tru64 Unix IPsec and SSH Vulnerabilities

Other Software
(4) HIGH: Multiple Vendor PHP Remote File Include Vulnerabilities
(5) MODERATE: Multiple Vendor SQL Injection Vulnerabilities
(6) MODERATE: Mabry FTPServer/X Format String Vulnerability
(7) MODERATE: tcpdump RADIUS and ISAKMP Decoding Vulnerabilities
(8) MODERATE: Sun J2EE PointBase Remote Command Injection
(9) LOW: Vicomsoft RapidCache WebServer Host Field Buffer Overflow
(10) LOW: RitLabs Bat! Email Client Memory Overwrite Vulnerability

Exploit Code Update
(11) SSL/TLS ASN.1 Parsing Vulnerabilities
(12) lftp Client Buffer Overflow Exploit

********************** SPONSORED LINKS ********************************
Note, unless otherwise noted, these links take you to non-SANS sites.

(1) Instantly stop network security threats and optimize bandwidth
     utilization. Hands-on, online demo.
http://www.sans.org/cgi-bin/sanspromo/CVA120

(2) How to upgrade and simplify security? ***Free White Paper ***
     'The Secret to Simplified Firewall and VPN Security'
http://www.sans.org/cgi-bin/sanspromo/CVA121

(3) Simplify secure file transfer! Download a white paper and
     free evaluation software from VanDyke Software.
http://www.sans.org/cgi-bin/sanspromo/CVA122

***********************************************************************
Featured Security Training Program: By choosing among San Diego,
Washington, Atlanta and New Orleans, you may attend any of SANS eight
most popular training tracks in the next six weeks - all in smaller
venues that give you lots of time with the instructor and the other
students. Auditors and security managers and system administrators (both
Windows and Linux/UNIX) and intrusion detection analysts and firewall
wizards each will find courses designed exactly for their needs.
On the other hand, if you want a mega-conference with a big product
exposition, great evening sessions, lots of advanced one-day
programs and much more, come to Orlando for SANS 2004.
For detailed schedule information see http://www.sans.org/
***********************************************************************

****************************
Widely Deployed Software
****************************

(1) HIGH: Cisco Voice IBM Director Agent Vulnerabilities
Affected: The following Cisco products are potentially vulnerable when
installed on IBM Servers with OS versions prior to 2000.2.6:
Cisco CallManager
Cisco IP Interactive Voice Response
Cisco IP Call Center Express
Cisco Personal Assistant
Cisco Emergency Responder
Cisco Conference Connection
Cisco Internet Service Node

Description: Multiple voice-related Cisco products contain two
vulnerabilities when installed on IBM servers and running in the default
configuration. Both problems arise because the Cisco software installs
the IBM Director Agent insecurely, leaving the agent's management ports
(14247 udp and tcp) exposed to the network. The first vulnerability
allows a remote attacker to gain administrative access without
authentication by connecting to either exposed port with any Director
Server/Console agent. The second flaw allows an attacker to cause a
denial-of-service by forcing the server to consume 100% CPU until
rebooted. The DoS problem can reportedly be triggered by running a
security scanner against a Director Agent port. No special exploit code
is required to take advantage of either vulnerability.

Status: Vendor confirmed, a repair script is available for download.
The script will close the hole without requiring a software update.

Council Site Actions: Due to the late breaking nature of this issue, we
were unable to solicit input from the council members. The council site
actions taken in response to these vulnerabilities will be provided in
next week's newsletter.

References:
Cisco Advisory
   http://www.cisco.com/warp/public/707/cisco-sa-20040121-voice.shtml
SecurityFocus BIDs
   http://www.securityfocus.com/bid/9468
   http://www.securityfocus.com/bid/9469
   
***********************************************************

(2) LOW: qmail Long SMTP Session Handling Vulnerability
Affected: qmail version 1.03 running on Linux

Description: qmail is the second most popular SMTP server (after
sendmail) used on the Internet. qmail reportedly contains a
vulnerability in its handling of long SMTP sessions. The flaw may be
exploited to overwrite qmail process memory with user-supplied data. By
manipulating the user-supplied data, it is possible to crash the active
SMTP session and it may be possible to execute arbitrary code.
Researchers investigating the problem currently believe the flaw is not
exploitable for code execution purposes however. A proof-of-concept
program that causes the memory overwrite has been publicly posted.

Status: Vendor has been notified. No updates are available.

Council Site Actions: The affected software is in use (on internal
networks) at only two of the reporting council sites. These sites plan
to deploy the patches once they are available. One site plans to do a
more extensive assessment of their qmail deployment if evidence surfaces
that indicates that the problem can be remotely exploited.

References:
Posting by Georgi Guninski (discovered the flaw)
  http://archives.neohapsis.com/archives/fulldisclosure/2004-01/0452.html
  http://www.guninski.com/qmailcrash.html
Posting by Gregory Steuck
  http://archives.neohapsis.com/archives/fulldisclosure/2004-01/0730.html
Secunia Advisory
  http://www.secunia.com/advisories/10649
qmail Homepage
  http://www.qmail.org
SecurityFocus BID
  http://www.securityfocus.com/bid/9432

***********************************************************

(3) LOW: HP Tru64 Unix IPsec and SSH Vulnerabilities
Affected: HP Tru64 Unix 5.1x systems running IPsec software prior to
version 2.1.1 and SSH software prior to version 3.2.2
           
Description: HP has issued updates for the Tru64 SSH and IPsec packages.
These updates reportedly fix vulnerabilities that can lead to remote
compromise of Tru64 Unix systems. No further technical details regarding
the vulnerabilities have been made public by HP. Currently it is
speculated that the updates fix previously reported vulnerabilities
related to OpenSSL ASN.1 parsing and Client_Master_Key message handling.

Status: Vendor confirmed. Updated packages are available.

Council Site Actions: Only one of the reporting council sites is using
the affected software. They reported very limited use of this package.
If additional information is released that indicates a higher
probability of exploitation, they will scan for all possible machines
running the affected software and ensure they are updated.

References:
HP Advisory
  http://archives.neohapsis.com/archives/tru64/2004-q1/0001.html
SecurityFocus BID
  http://www.securityfocus.com/bid/9414
  

**********************
Other Software
**********************

(4) HIGH: Multiple Vendor PHP Remote File Include Vulnerabilities
Affected:
PhpDig search engine, version 1.6.x
Mambo web content management system, versions 4.5 and 4.6

Description: The following open source software packages reportedly
contain PHP remote file include vulnerabilities: PhpDig and Mambo. These
flaws can be exploited by a remote attacker to run arbitrary PHP code
on the web server hosting the vulnerable software package(s). The
postings contain the technical details required to craft the malicious
HTTP requests needed to exploit the flaws.

Status:
PhpDig - Vendor confirmed, a patch is available.
Mambo - Unknown. The posted advisory contains a link to an unofficial
patch.

Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.

References:
PhpDig Search Engine
Posting by FraMe (discovered the flaw)
  http://archives.neohapsis.com/archives/bugtraq/2004-01/0112.html
Secunia Advisory
  http://www.secunia.com/advisories/10638
Vendor supplied patch
http://www.phpdig.net/showthread.php?s=b54df0e08025175457e4033438760b4c&threadid=393
Vendor Homepage
  http://www.phpdig.net
SecurityFocus BID
   http://www.securityfocus.com/bid/9424

Mambo Web Content Management System
Posting by FraMe (discovered the flaw)
  http://archives.neohapsis.com/archives/bugtraq/2004-01/0141.html
Vendor Homepage
  http://www.mamboserver.com
SecurityFocus BID
  Not yet available.

**************************************************************

(5) MODERATE: Multiple Vendor SQL Injection Vulnerabilities
Affected:
PhpGedView genealogy viewer software, versions 2.65 beta and prior
phpShop e-commerce software, version 0.6.1-b and possibly prior
Metadot portal software, version 5.6.5.4b5 and prior
Xtreme ASP photo-gallery software, version 2.0
YaBBSE bulletin board software, versions 1.5.4, 1.5.3 and possibly prior

Description: The following web-based software packages reportedly
contain SQL injection vulnerabilities: PhpGedView, phpShop, Metadot,
Xtreme photo gallery and YaBBSE. These flaws can be exploited to
manipulate SQL queries issued against the backend databases, potentially
leading to compromise of the affected application. In all cases, the
technical details required for exploitation have been posted.

Status:
PhpGedView - Vendor confirmed. Upgrade to version 2.65.
phpShop - Vendor has been contacted. No updates available at present.
Metadot - Vendor confirmed. Upgrade to version 5.6.5.4 or higher.
Xtreme Photo-gallery - Vendor has been contacted. No updates available
at present.
YaBBSE - Vendor confirmed. Upgrade to version 1.5.5.

Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.

References:
PhpGedView Genealogy Viewer Software
Posting by JeiAr (discovered the flaws)
  http://archives.neohapsis.com/archives/bugtraq/2004-01/0089.html
Secunia Advisory
  http://www.secunia.com/advisories/10602
Project Homepage
  http://phpgedview.sourceforge.net/
SecurityFocus BID
  Not yet available.

phpShop e-commerce Software
Posting by JeiAr (discovered the flaws)
  http://archives.neohapsis.com/archives/bugtraq/2004-01/0130.html
Vendor Homepage
  http://www.phpshop.org
SecurityFocus BID
  http://www.securityfocus.com/bid/9437

Metadot Portal Software
Posting by JeiAr (discovered the flaws)
  http://archives.neohapsis.com/archives/bugtraq/2004-01/0129.html
Secunia Advisory
  http://www.secunia.com/advisories/10656
Vendor Homepage
  http://www.metadot.com
SecurityFocus BID
  http://www.securityfocus.com/bid/9439

Xtreme ASP Photo-gallery Software
Posting by posidron (discovered the flaw)
  http://archives.neohapsis.com/archives/bugtraq/2004-01/0128.html
Product Page
  http://www.pensacolawebdesigns.com/xtremeasp
SecurityFocus BID
  http://www.securityfocus.com/bid/9438

YaBBSE Bulletin Board Software
Posting by backspace (discovered the flaw)
  http://archives.neohapsis.com/archives/bugtraq/2004-01/0150.html
Vendor Homepage
  http://www.yabbse.org/
SecurityFocus BID
  http://www.securityfocus.com/bid/9449

**********************************************************

(6) MODERATE: Mabry FTPServer/X Format String Vulnerability
Affected: Mabry FTPServer/X version 1.00.050 on Windows

Description: The Mabry FTPServer/X software can be used as a stand-alone
FTP server, or its ActiveX/COM component can be integrated with
arbitrary Windows programs to provide an FTP service. The software
reportedly contains a format string vulnerability which can be triggered
by specially crafted user data. For example, an unauthenticated user
can send "%s%s%s" or "%999d" as username to crash the FTP server. The
vulnerability can be exploited to cause a denial of service and possibly
to execute arbitrary code with the FTP server's privileges. Note that
any Windows application that has integrated a vulnerable version of
FTPServer/X may be affected. The technical details required to exploit
the flaws have been posted.
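The bug class above, shown as an added example that is not from the advisory or from Mabry's code: a login-logging routine that passes the USER argument as the format string (the mistake the report describes), the corrected form that keeps a literal format and passes the name as a `%s` argument, and a small check a server can run to flag login names carrying conversion specifications. The function names and the banner text are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (assumed shape of the bug, not Mabry's source): the
 * attacker-controlled username becomes the format string. "%s%s%s" makes
 * snprintf read pointers that were never passed; "%999d" expands to far
 * more output than the caller planned for. The pragmas only silence the
 * compiler warning that would otherwise flag this line; the function is
 * here for comparison and must never be called with untrusted input. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int log_login_vulnerable(char *out, size_t outlen, const char *user)
{
    char line[256];
    snprintf(line, sizeof line, user);  /* BUG: user is the format string */
    return snprintf(out, outlen, "Login from user: %s", line);
}
#pragma GCC diagnostic pop

/* Hardened form: the format string is a literal and the username is an
 * argument, so every '%' in it is copied verbatim. Returns what snprintf
 * returns (characters needed), so the caller can detect truncation. */
int log_login_safe(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, "Login from user: %s", user);
}

/* Detection aid: count printf conversion specifications in untrusted text.
 * "%%" is a literal percent sign and is not counted. A non-zero result for
 * a login name is worth alerting on; real usernames do not need them. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample USER arguments, the two from the report included. */
    const char *samples[] = { "alice", "%s%s%s", "%999d", "100%% legit" };
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        log_login_safe(buf, sizeof buf, samples[i]);
        printf("%-12s directives=%d -> %s\n", samples[i],
               count_format_directives(samples[i]), buf);
    }
    return 0;
}
```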

Status: Vendor confirmed, upgrade to version 1.00.051.

Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.

References:
Posting by Securma Massine (discovered the flaw)
  http://www.securitytracker.com/alerts/2004/Jan/1008667.html
Secunia Advisory
  http://www.secunia.com/advisories/10608/
Product Homepage
  http://www.mabry.com/ftpserv/index.htm
SecurityFocus BIDs
  http://www.securityfocus.com/bid/9402
  http://www.securityfocus.com/bid/9403

******************************************************************

(7) MODERATE: tcpdump RADIUS and ISAKMP Decoding Vulnerabilities
Affected: tcpdump version 3.8.1 and prior

Description: tcpdump is a popular open source network sniffer which can
decode multiple protocols. The tcpdump parsing routines for the RADIUS
and ISAKMP protocols contain vulnerabilities that can be exploited to
crash the tcpdump program, and possibly to execute arbitrary code with
the privileges of the user running the sniffer. To successfully exploit
the flaws, an attacker would need to inject specially crafted RADIUS or
ISAKMP packets into the network traffic being processed by tcpdump, or
entice a victim to open a malicious traffic capture file. Note that any
application based on tcpdump or its source code may also be affected.
The technical details required to exploit the flaws have been posted.

Status: Vendor (tcpdump.org) has not confirmed the vulnerability. RedHat
Linux has released updated packages for tcpdump and libpcap.

Council Site Actions: Most of the reporting council sites are running
the affected software. However, they all commented they have very
limited deployments and in most cases are not running the specific
configuration that is vulnerable. Many sites notified their system
support group and are allowing those groups to determine the appropriate
action. Some sites plan to deploy the patches during their regularly
scheduled system update process. One site plans to remove the tcpdump
program from systems where it is not needed.

References:
CERT Vulnerability Notes
  http://www.kb.cert.org/vuls/id/955526 (RADIUS)
  http://www.kb.cert.org/vuls/id/174086 (ISAKMP)
  http://www.kb.cert.org/vuls/id/738518 (ISAKMP)
Secunia Advisory
  http://www.secunia.com/advisories/10636
RedHat Security Advisory
  http://rhn.redhat.com/errata/RHSA-2004-007.html
SecurityFocus BID
  http://www.securityfocus.com/bid/6974 (ISAKMP)
  http://www.securityfocus.com/bid/7090 (RADIUS)

******************************************************************

(8) MODERATE: Sun J2EE PointBase Remote Command Injection
Affected: Sun J2EE Reference Implementation 1.4 with PointBase database
version 4.6

Description: PointBase is a relational database management system
included in Sun's J2EE reference implementation. It is reported that
due to improper permission settings in the J2EE's PointBase
installation, a remote attacker can execute arbitrary commands on the
Pointbase server. The flaw can also be exploited to crash the Java
virtual machine running PointBase. Technical details and a
proof-of-concept exploit have been publicly posted.

Status: Unknown. Neither the Sun nor the PointBase websites mention this
security issue.

Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.

References:
Posting by Marc Schoenefeld (discovered the flaw)
  http://archives.neohapsis.com/archives/bugtraq/2004-01/0148.html
PointBase Developer's Guide
  http://www.pointbase.com/support/docs/pbdeveloper.pdf
SecurityFocus BID
  Not yet available.

***************************************************************

(9) LOW: Vicomsoft RapidCache WebServer Host Field Buffer Overflow
Affected: Vicomsoft RapidCache Webserver version 2.2.6 and prior

Description: RapidCache, a web-caching server, is reportedly vulnerable
to a buffer overflow that can be triggered by an HTTP request with an
overlong "Host" field. The flaw can be exploited to crash the server
and potentially to execute arbitrary code with the server's privileges
(unconfirmed). Technical details have been posted.

Status: Unknown. The vendor website does not mention the vulnerability.

Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.

References:
Posting by Peter Winter-Smith (discovered the flaw)
  http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0014.html
Posting by Dave Aitel
  http://archives.neohapsis.com/archives/vulndiscuss/2004-q1/0001.html
Secunia Advisory
  http://www.secunia.com/advisories/10650
Product Homepage
  http://www.vicomsoft.com/rapidcache/rapidcache.main.html
SecurityFocus BID
  http://www.securityfocus.com/bid/9427

***************************************************************

(10) LOW: RitLabs Bat! Email Client Memory Overwrite Vulnerability
Affected: The Bat! email client version 2.01

Description: Ritlab's "The Bat!" email client, version 2.01, contains
a memory overwrite vulnerability. The problem occurs when the software
processes specially crafted PGP-signed email messages. The flaw can
potentially be exploited to execute arbitrary code. The discoverer of
the vulnerability has posted an example malicious email attachment that
causes the vulnerable client to throw an exception.

Status: Reportedly the vendor has investigated the issue and has
concluded that version 2.03 Beta is not vulnerable. The latest stable
release, 2.02, is also believed immune but that fact has not been
confirmed.

Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.

References:
Posting by 3APA3A
  http://archives.neohapsis.com/archives/bugtraq/2004-01/0124.html
Product Homepage
  http://www.ritlabs.com/en/products/thebat/
SecurityFocus BID
  http://www.securityfocus.com/bid/9433

***********************
Exploit Code Update
***********************

(11) SSL/TLS ASN.1 Parsing Vulnerabilities
A proof-of-concept tool has been released that will trigger various
ASN.1 parsing vulnerabilities in SSL implementations. These
vulnerabilities were reported in a previous issue of the CVA newsletter
(the predecessor to RISK). The tool works by brute force, sending many
various malformed client certificates to a target SSL server.

Council Site Actions: Two of the reporting council sites may use the
exploit code to assess their level of vulnerability. As of yet they have
not taken any action. Another site reported they have already patched
the affected systems. The remaining council sites are not using the
affected software.

References:
Posting by Bram Matthys
  http://archives.neohapsis.com/archives/bugtraq/2004-01/0122.html
Previous CVA Posting
  http://www.sans.org/newsletters/cva/vol2_39.php (Item #1)

***************************************************************

(12) lftp Client Buffer Overflow Exploit
Exploit code has been released for the lftp client vulnerabilities
discussed in a previous issue of the RISK newsletter.

Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.

References:
Exploit Code by Li0n7
  http://www.securiteam.com/exploits/5GP0B0UBPS.html
Previous RISK Posting
  http://www.sans.org/newsletters/risk/vol2_52.php (Item #1)

______________________________________________________________________

Weekly Comprehensive List of Newly Discovered Vulnerabilities

                       Week 3 2004

______________________________________________________________________

This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 3183 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that can not be scanned remotely.
______________________________________________________________________

Summary of Updates and Vulnerabilities in this Consensus

Platform                   Number of Updates and Vulnerabilities
------------------------   -------------------------------------
Third Party Windows Apps   10
Tru64                       1
Unix                        5
Novell                      1
Cross Platform              9
Web Application             9
Network Device              1

______________________________________________________________________

04.3.1 - Third Party Windows Apps - LionMax Software WWW File Share
Pro Multiple Vulnerabilities
04.3.2 - Third Party Windows Apps - Whale Communications e-Gap
Security Appliance Login Page Vulnerability
04.3.3 - Third Party Windows Apps - The Bat! PGP Message Memory
Writing Vulnerability
04.3.4 - Third Party Windows Apps - Pablo's FTP Server File Existence
Checking
04.3.5 - Third Party Windows Apps - Veritas Net Backup Remote Drive
Access Vulnerability
04.3.6 - Third Party Windows Apps - GetWare Web Server Component
Denial Of Service Vulnerability
04.3.7 - Third Party Windows Apps - DUpics File Upload Vulnerability
04.3.8 - Third Party Windows Apps - DUware Software Unauthorised Admin
Access Vulnerabilities
04.3.9 - Third Party Windows Apps - Cisco Voice Product IBM Director
Agent Unauthorized Access Vulnerability
04.3.10 - Third Party Windows Apps - Cisco Voice Product IBM Director
Denial Of Service Vulnerability
04.3.11 - Tru64 - Tru64 UNIX Unspecified Remote Buffer Overflow
Vulnerabilities
04.3.12 - Unix - Snort_Inline Rule 2077 Failure Vulnerability
04.3.13 - Unix - KDE Personal Information Management Suite VCF File
Remote Buffer Overflow Vulnerability
04.3.14 - Unix - ELM frm Command Remote Buffer Overflow
Vulnerability
04.3.15 - Unix - QMail-SMTPD Long SMTP Session Denial of Service
Vulnerability
04.3.16 - Unix - HoneyD Virtual Host Detection Vulnerability
04.3.17 - Novell - Novell iChain Web Server Failed Login Page
Cross-Site Scripting Vulnerability
04.3.18 - Cross Platform - Symantec Web Security Block Page Message
Cross-Site Scripting Vulnerability
04.3.19 - Cross Platform - Real Networks Helix Server/Gateway
Administration Service Denial Of Service Vulnerability
04.3.20 - Cross Platform - TCPDump Multiple Remote Buffer Overflow
Vulnerabilities
04.3.21 - Cross Platform - Vicomsoft RapidCache DoS Vulnerability
04.3.22 - Cross Platform - Vicomsoft RapidCache Directory Traversal
Vulnerability
04.3.23 - Cross Platform - OpenCA Crypto-Utils.Lib Signature
Verification Vulnerability
04.3.24 - Cross Platform - GoAhead WebServer Directory Management
Policy Bypass Vulnerability
04.3.25 - Cross Platform - Mephistoles Cross-Site Scripting
Vulnerability
04.3.26 - Cross Platform - GoAhead WebServer Excessive Resource
Consumption Vulnerability
04.3.27 - Web Application - nCipher payShield SPP Library Bad Request
Verification Vulnerability
04.3.28 - Web Application - PHPDig Config.PHP Remote Command
Execution Vulnerability
04.3.29 - Web Application - FishCart Rounding Function Wraparound
Vulnerability
04.3.30 - Web Application - PHPShop Project Multiple Vulnerabilities
04.3.31 - Web Application - XtremeASP PhotoGallery SQL Injection
Vulnerability
04.3.32 - Web Application - MetaDot Portal Server Multiple
Vulnerabilities
04.3.33 - Web Application - Mambo mod_mainmenu.php Remote File
Include Vulnerability
04.3.34 - Web Application - YaBB SE SQL Injection Vulnerability
04.3.35 - Web Application - WebTrends Reporting Center Path
Disclosure Vulnerability
04.3.36 - Network Device - NetScreen Security Manager Insecure
Default Remote Communication Vulnerability
______________________________________________________________________

04.3.1 CVE: Not Available
Platform: Third Party Windows Apps
Title: LionMax Software WWW File Share Pro Multiple Vulnerabilities
Description: LionMax Software WWW File Share Pro is an HTTP server that
has been found to be affected by multiple vulnerabilities. These
vulnerabilities may result in information disclosure, denial of
service and loss of information integrity; all of these issues are
exploitable through HTTP requests.
Ref: http://aluigi.altervista.org/adv/wfshare-adv.txt
______________________________________________________________________

04.3.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: Whale Communications e-Gap Security Appliance Login Page
Vulnerability
Description: Whale Communications e-Gap is an appliance providing a
secure remote web access platform. A source code disclosure
vulnerability has been discovered which may reveal the login script.
This information could be used to aid further attacks. The security
hole was found in version 2.5; other versions might also be affected.
Ref: http://www.procheckup.com/security_info/vuln_pr0307.html
______________________________________________________________________

04.3.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: The Bat! PGP Message Memory Writing Vulnerability
Description: The Bat! is a commercially available mail user agent for
Microsoft Windows, distributed and maintained by Rit Research Labs. It
has been found that this software is prone to memory corruption, which
could potentially lead to execution of arbitrary attacker-supplied
code. This issue was reported to affect The Bat! 2.01. The vendor has
reported that the issue could not be reproduced on The Bat! 2.03 beta
and that 2.02 CE is probably not vulnerable.
Ref: http://www.securityfocus.com/archive/1/349989
______________________________________________________________________

04.3.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: Pablo's FTP Server File Existence Checking
Description: Pablo's FTP server is a multi-threaded FTP server for
Windows. A problem with the DEL command allows logged-in users to test
for the existence of any file on the host. This problem has been fixed
in version 1.8 of the software.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-01/0149.html
______________________________________________________________________

04.3.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: Veritas Net Backup Remote Drive Access Vulnerability
Description: Veritas Net Backup Professional is a backup utility. It
has been discovered that the Open Transaction Manager component
creates a shared drive on the host during client backup operations.
This share is created without any access controls, allowing anyone
on the network full access to files on a system during backup.
Ref: http://seer.support.veritas.com/docs/264538.htm
______________________________________________________________________

04.3.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: GetWare Web Server Component Denial Of Service Vulnerability
Description: The GetWare Web Server component has a denial of service
vulnerability. When repeated HTTP requests are made with negative
values for the Content-Length field, the server reportedly crashes.
This was reported to affect WebCam Live versions up to and including
2.01 and PhotoHost versions up to and including version 4.0 .
Ref: http://www.securityfocus.com/archive/1/350236
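The failure mode in this entry, a server accepting a negative Content-Length, is usually a header value parsed straight into a signed integer. Below is an added example, not GetWare's code, of a strict parser that rejects signed, malformed and oversized values before they reach any buffer sizing; the MAX_BODY_BYTES cap and the function name are assumptions for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Largest request body this hypothetical server will buffer (assumption). */
#define MAX_BODY_BYTES (16UL * 1024 * 1024)

/* Parse a Content-Length header value into *out.
 * Returns 1 on success, 0 if the value is not a plain non-negative decimal
 * integer no larger than MAX_BODY_BYTES. Rejects empty values, a leading
 * '-' or '+', non-digits, whitespace inside the number, and overflow. Only
 * the optional leading/trailing spaces and tabs that HTTP permits around a
 * header value are tolerated. Never stores into a signed type, so "-1" can
 * never become a huge or negative allocation size. */
int parse_content_length(const char *value, size_t *out)
{
    if (value == NULL || out == NULL)
        return 0;
    while (*value == ' ' || *value == '\t')      /* leading optional whitespace */
        value++;
    if (!isdigit((unsigned char)*value))          /* empty, '-', '+', or junk */
        return 0;

    size_t n = 0;
    for (; *value; value++) {
        if (*value == ' ' || *value == '\t') {
            /* trailing whitespace is fine, but nothing may follow it */
            for (; *value; value++)
                if (*value != ' ' && *value != '\t')
                    return 0;
            break;
        }
        if (!isdigit((unsigned char)*value))
            return 0;
        unsigned d = (unsigned)(*value - '0');
        /* n*10 + d would exceed the cap; this also rules out size_t wrap */
        if (n > (MAX_BODY_BYTES - d) / 10)
            return 0;
        n = n * 10 + d;
    }
    *out = n;
    return 1;
}

int main(void)
{
    /* Constructed header values, including the negative case from the report. */
    const char *samples[] = { "512", " 42 ", "-1", "+5", "", "4 2",
                              "99999999999999999999" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = 0;
        int ok = parse_content_length(samples[i], &len);
        printf("%-22s -> %s%s%zu\n", samples[i], ok ? "accept " : "reject",
               ok ? "" : " ", ok ? len : (size_t)0);
    }
    return 0;
}
```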
______________________________________________________________________

04.3.7 CVE: Not Available
Platform: Third Party Windows Apps
Title: DUpics File Upload Vulnerability
Description: DUpics is a web-based application from DUware software.
It has been found to be affected by an issue which permits attackers
to upload potentially malicious files to the web server.
Ref: http://www.security-corporation.com/advisories-026.html
______________________________________________________________________

04.3.8 CVE: Not Available
Platform: Third Party Windows Apps
Title: DUware Software Unauthorised Admin Access Vulnerabilities
Description: DUware makes various web-based software products, all of
which have been found to be vulnerable to unauthorised admin access
due to a weakness in the inc_menu.asp script.
Ref: http://www.security-corporation.com/advisories-026.html
______________________________________________________________________

04.3.9 CVE: Not Available
Platform: Third Party Windows Apps
Title: Cisco Voice Product IBM Director Agent Unauthorized Access
Vulnerability
Description: IBM Director installed with Cisco voice products has been
reported to permit attackers to gain remote administrative access via
the administrative port (14247). The default installation of the
software leaves this port open to connections from arbitrary
addresses, thus giving remote users full access to the system.
Ref:
http://www.cisco.com/warp/public/707/cisco-sa-20040121-voice.shtml
______________________________________________________________________

04.3.10 CVE: Not Available
Platform: Third Party Windows Apps
Title: Cisco Voice Product IBM Director Denial Of Service
Vulnerability
Description: IBM Director installed with Cisco voice products has been
reported prone to a remote denial of service vulnerability. When port
14247 is scanned with a port scanner, the service begins to consume
excessive resources and the server becomes unresponsive.
Ref:
http://www.cisco.com/warp/public/707/cisco-sa-20040121-voice.shtml
______________________________________________________________________

04.3.11 CVE: Not Available
Platform: Tru64
Title: Tru64 UNIX Unspecified Remote Buffer Overflow Vulnerabilities
Description: HP has reported multiple local and remote buffer overflow
vulnerabilities in Tru64 UNIX running IPsec and SSH software. These
could lead to execution of arbitrary code or denial of service. HP
Tru64 UNIX versions 5.1B PK2 (BL22), PK3 (BL24) and V5.1A running
IPsec and SSH software kits prior to IPsec 2.1.1 and SSH 3.2.2 are
vulnerable to these issues.
Ref: http://www.tru64.org/stories.php?story=04/01/13/1256295
______________________________________________________________________

04.3.12 CVE: Not Available
Platform: Unix
Title: Snort_Inline Rule 2077 Failure Vulnerability
Description: Snort-inline is designed to work with iptables to analyse
packets based on a Snort rule set. The issue occurs when snort_inline
is configured so that the action for rule 2077 (Mambo Site Server
Arbitrary File Upload Vulnerability) is to drop the packets; however,
it will still permit the attacker's requests. This may lull an
administrator into a false sense of security.
Ref: http://sourceforge.net/tracker/index.php?func=detail&aid=876404&group_id=78497&atid=553467
______________________________________________________________________

04.3.13 CVE: CAN-2003-0988
Platform: Unix
Title: KDE Personal Information Management Suite VCF File Remote
Buffer Overflow Vulnerability
Description: KDE Personal Information Management Suite (kdepim) helps
users organize mail, tasks, appointments, contacts etc. A buffer
overflow vulnerability has been found in kdepim that may allow remote
attackers to execute arbitrary code in the context of the user. This
vulnerability is due to insufficient boundary checking of the VCF file.
Ref: http://www.kde.org/info/security/advisory-20040114-1.txt
______________________________________________________________________

04.3.14 CVE: CAN-2003-0966
Platform: Unix
Title: ELM frm Command Remote Buffer Overflow Vulnerability
Description: ELM is a mail user agent for Unix. A buffer overrun has
been discovered in the 'frm' command that may allow a remote attacker
to execute arbitrary code as the user. This issue was found in the
HEADER field of version 2.5.6; prior versions might also be affected.
Ref: http://www.securitytracker.com/alerts/2004/Jan/1008720.html
______________________________________________________________________

04.3.15 CVE: Not Available
Platform: Unix
Title: QMail-SMTPD Long SMTP Session Denial of Service Vulnerability
Description: qmail is a popular Mail Transfer Agent, which is prone to
a denial of service within the qmail-smtpd process. The vulnerability
causes memory corruption that could be leveraged to allow arbitrary
code execution. This issue was found on qmail 1.03 on Linux; other
versions and platforms might be affected as well.
Ref: http://www.guninski.com/qmailcrash.html
______________________________________________________________________

04.3.16 CVE: Not Available
Platform: Unix
Title: HoneyD Virtual Host Detection Vulnerability
Description: HoneyD incorrectly handles some IP packets and may
respond to specially crafted packets in a manner which permits the
identification of virtual hosts. This permits attackers to identify
HoneyD hosts and either ignore them from future attacks or to
specifically target the HoneyD software with appropriate exploits.
Ref:
http://archives.neohapsis.com/archives/fulldisclosure/2004-01/0851.html
______________________________________________________________________

04.3.17 CVE: Not Available
Platform: Novell
Title: Novell iChain Web Server Failed Login Page Cross-Site Scripting
Vulnerability
Description: Novell iChain Server is a web-based security product
designed to implement and maintain various network-based access
controls. A vulnerability has been found in the software that may
allow a remote user to perform cross-site scripting attacks.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials.
Ref:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080762.htm
______________________________________________________________________

04.3.18 CVE: Not Available
Platform: Cross Platform
Title: Symantec Web Security Block Page Message Cross-Site Scripting
Vulnerability
Description: A vulnerability has been found in Symantec Web Security
that may allow a remote user to launch cross-site scripting attacks.
This is due to improper sanitization of user-supplied data.
Exploitation of this vulnerability may allow an attacker to steal
cookie-based authentication credentials. Symantec Web Security
versions 2.5, 3.0.0, and 3.0.1 have been reported to be vulnerable to
this issue.
Ref: http://www.sarc.com/avcenter/security/Content/2004.01.13.html
______________________________________________________________________

04.3.19 CVE: Not Available
Platform: Cross Platform
Title: Real Networks Helix Server/Gateway Administration Service
Denial Of Service Vulnerability
Description: Helix Universal Server is a media delivery server
distributed and maintained by Real Networks. This server is prone to
a vulnerability in the handling of HTTP POST requests that may cause
a denial of service. Currently, to exploit this vulnerability, the
attacker needs legitimate administrative login credentials. This
problem is also known to affect the Helix Universal Gateway, Helix
Universal Mobile Server, and Helix Universal Mobile Gateway.
Ref: http://www.service.real.com/help/faq/security/040112_dos/
______________________________________________________________________

04.3.20 CVE: CAN-2004-0057,CAN-2004-0055,CAN-2003-0989
Platform: Cross Platform
Title: TCPDump Multiple Remote Buffer Overflow Vulnerabilities
Description: tcpdump is a freely available open source network
monitoring tool. Many buffer overflow vulnerabilities have been found
in tcpdump and may allow a remote attacker to gain unauthorized
access. The conditions are present due to insufficient boundary
checking. Some issues reportedly affect all versions up to and
including tcpdump 3.8.1.
Ref: http://www.secunia.com/advisories/10636/
______________________________________________________________________

04.3.21 CVE: Not Available
Platform: Cross Platform
Title: Vicomsoft RapidCache DoS Vulnerability
Description: Vicomsoft RapidCache is a web caching server that runs on
Apple MacOS and Microsoft Windows platforms. A remote DoS has been
found in versions 2.2.6 and prior of this software; the issue resides
in the host argument of a GET request. This issue could be leveraged
using specially crafted requests to allow the execution of arbitrary
code within the context of the web server process.
Ref: http://www.securityfocus.com/archive/1/349464
______________________________________________________________________

04.3.22 CVE: Not Available
Platform: Cross Platform
Title: Vicomsoft RapidCache Directory Traversal Vulnerability
Description: Vicomsoft RapidCache is a web-caching server that runs on
Apple MacOS and Microsoft Windows platforms. It is possible for an
attacker to access information outside the root directory due to
insufficient sanitization of user input; this vulnerability may allow
an attacker to access sensitive information. RapidCache versions 2.2.6
and prior are vulnerable.
Ref: http://www.securityfocus.com/archive/1/349464
______________________________________________________________________

04.3.23 CVE: CAN-2004-0004
Platform: Cross Platform
Title: OpenCA Crypto-Utils.Lib Signature Verification Vulnerability
Description: OpenCA is an Open Source Certification Authority
solution. OpenCA includes a library to support cryptographic
operations; this library is named crypto-utils.lib. The developers
have found a vulnerability in the crypto-utils.lib library that may
inadvertently lead to the acceptance of a malicious certificate, which
could be abused to establish a false trust relationship. This issue
has been reported to affect all versions of OpenCA up to and including
OpenCA version 0.9.1.6.
Ref: http://www.openca.org/news/CAN-2004-0004.txt
______________________________________________________________________

04.3.24 CVE: Not Available
Platform: Cross Platform
Title: GoAhead WebServer Directory Management Policy Bypass
Vulnerability
Description: GoAhead WebServer allows users to configure a policy for
how requests are handled on a per directory basis. GoAhead WebServer
is vulnerable to an issue that may allow remote attackers to bypass
this directory management policy. GoAhead versions up to and including
2.1.8 are affected.
Ref: http://www.securityfocus.com/archive/1/350231
______________________________________________________________________

04.3.25 CVE: Not Available
Platform: Cross Platform
Title: Mephistoles Cross-Site Scripting Vulnerability
Description: Mephistoles is a simple web server written in Perl. Due
to insufficient sanitization of user input, the server is vulnerable to
cross-site scripting attacks via the server error pages.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-01/0184.html
______________________________________________________________________

04.3.26 CVE: Not Available
Platform: Cross Platform
Title: GoAhead WebServer Excessive Resource Consumption Vulnerability
Description: GoAhead WebServer has a vulnerability in the handling of
specially crafted HTTP requests with unusual content-length sizes.
Using this, a remote attacker may be able to consume excessive
resources on the underlying host, resulting in a denial of service
condition. This was reported to affect all versions up to and
including 2.1.8.
Ref: http://www.securityfocus.com/archive/1/350235
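Both the GetWare entry (04.3.6) and this GoAhead entry describe servers that pass an unchecked Content-Length value on to their body handling. The following added example, written for this bulletin and not code from either vendor, shows the strict validation a server or reverse proxy should apply before reserving a body buffer: the Content-Length grammar admits only digits, duplicates must agree, and an assumed per-server size limit is enforced. The request lines are constructed samples.

```python
# Added example, not from the RISK bulletin or from GetWare/GoAhead.
import re

MAX_BODY = 8 * 1024 * 1024  # assumed per-server limit on a request body
# RFC 7230: Content-Length = 1*DIGIT. Capping the digit count keeps int()
# from being asked to build an arbitrarily large number.
_DIGITS = re.compile(r"[0-9]{1,19}")


class BadRequest(ValueError):
    """Raised for any request head that must be rejected with 400."""


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a request head into (name, value) pairs; accepts CRLF or LF."""
    text = raw.decode("latin-1")
    lines = text.split("\r\n") if "\r\n" in text else text.split("\n")
    if not lines or not lines[0]:
        raise BadRequest("missing request line")
    headers = []
    for line in lines[1:]:
        if line == "":  # blank line ends the head
            break
        if ":" not in line:
            raise BadRequest(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def content_length(raw: bytes) -> int:
    """Return the declared body size, or raise BadRequest on anything
    unsafe. A missing header means no body and yields 0."""
    values = [v for n, v in parse_headers(raw) if n == "content-length"]
    if not values:
        return 0
    # Duplicate headers are tolerable only if they all agree.
    if len(set(values)) != 1:
        raise BadRequest("conflicting Content-Length values")
    value = values[0]
    # Digits only: '-1', '+5', '0x10' and '' all fail here, so a negative or
    # non-numeric size never reaches int() or a buffer allocation.
    if not _DIGITS.fullmatch(value):
        raise BadRequest(f"invalid Content-Length {value!r}")
    size = int(value)
    if size > MAX_BODY:
        raise BadRequest(f"Content-Length {size} exceeds limit {MAX_BODY}")
    return size


def check_request(raw: bytes) -> tuple[bool, str]:
    """Wrapper returning (accepted, reason), convenient for access logging."""
    try:
        return True, f"body={content_length(raw)}"
    except BadRequest as e:
        return False, str(e)


if __name__ == "__main__":
    for req in (b"POST /upload HTTP/1.0\r\nContent-Length: 12\r\n\r\n",
                b"POST /upload HTTP/1.0\r\nContent-Length: -1\r\n\r\n"):
        print(check_request(req))
```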
______________________________________________________________________

04.3.27 CVE: Not Available
Platform: Web Application
Title: nCipher payShield SPP Library Bad Request Verification
Vulnerability
Description: nCipher payShield is a software/appliance solution for
an e-payment security infrastructure. A vulnerability was found in the
payShield SPP Library that may result in bad requests being verified.
An attacker may exploit this issue by flooding the affected software
with invalid requests until eventually a "Status_OK" response is
returned.
Ref:
http://www.ncipher.com/support/advisories/advisory8_payshield.html
______________________________________________________________________

04.3.28 CVE: Not Available
Platform: Web Application
Title: PHPDig Config.PHP Remote Command Execution Vulnerability
Description: PhpDig is a freely available, open source search engine
written in PHP. A defect has been found in the handling of includes in
PhpDig. A remote attacker may supply a $relative_script_path variable
to the config.php script, making it possible to include a script from
a remote system to be executed in the context of the web server
process.
Ref: http://www.secunia.com/advisories/10638/
______________________________________________________________________

04.3.29 CVE: Not Available
Platform: Web Application
Title: FishCart Rounding Function Wraparound Vulnerability
Description: FishCart is a commercially available, open source
shopping cart software package. A defect in the handling of number
rounding has been discovered in FishNet FishCart which could be used
by an attacker to interrupt operation and create other security issues.
Ref: http://www.securityfocus.com/archive/1/349695
______________________________________________________________________

04.3.30 CVE: Not Available
Platform: Web Application
Title: PHPShop Project Multiple Vulnerabilities
Description: phpShop Project is a web-based application development
platform written in PHP.
Many vulnerabilities have been found in the software that allow an
attacker to carry out attacks against the database, disclose sensitive
information, and execute HTML or script code in a user's browser.
phpShop versions 0.6.1-b and prior are reported to be vulnerable to
these issues.
Ref: http://www.gulftech.org/01152004.php
______________________________________________________________________

04.3.31 CVE: Not Available
Platform: Web Application
Title: XtremeASP PhotoGallery SQL Injection Vulnerability
Description: XtremeASP PhotoGallery is a web-based picture gallery
script written in ASP.
A vulnerability was found in the script adminlogin.asp that allows
SQL injection. This issue is due to improper sanitization of user
input. Exploitation could compromise access to the photo gallery or
may permit an attacker to exploit vulnerabilities in the underlying
database implementation.
Ref: http://www.securityfocus.com/archive/1/350028
______________________________________________________________________

04.3.32 CVE: Not Available
Platform: Web Application
Title: MetaDot Portal Server Multiple Vulnerabilities
Description: MetaDot Portal Server is open source portal software. A
number of vulnerabilities have been found, primarily the result of a
failure to properly validate user input. An attacker may be able to
carry out SQL injection attacks in addition to cross-site scripting
exploits. MetaDot versions 5.6.5.4 b5 and prior have been reported as
vulnerable.
Ref: http://www.gulftech.org/01122004.php
______________________________________________________________________

04.3.33 CVE: Not Available
Platform: Web Application
Title: Mambo mod_mainmenu.php Remote File Include Vulnerability
Description: Mambo Open Source is a web-based content management
system. A vulnerability exists in versions 4.5 and 4.6 which allows a
remote attacker to execute arbitrary PHP code in the context of the
web server. The vulnerability exists in the mod_mainmenu.php script.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-01/0141.html
______________________________________________________________________

04.3.34 CVE: Not Available
Platform: Web Application
Title: YaBB SE SQL Injection Vulnerability
Description: YaBB SE is an open source port of Yet Another Bulletin
Board (YaBB). The SSI.php script in the package reportedly has a SQL
injection vulnerability. Versions prior to 1.5.5 are affected by this
issue.
Ref: http://www.securityfocus.com/archive/1/350244
______________________________________________________________________

04.3.35 CVE: Not Available
Platform: Web Application
Title: WebTrends Reporting Center Path Disclosure Vulnerability
Description: WebTrends Reporting Center is a web interface used to
display usage information over multiple web server environments. The
web interface discloses the installation path when a non-existent
resource is requested. This information may be helpful to an attacker
in launching further attacks against the host. The issue affects
version 6.1a on Microsoft Windows; other versions and platforms are
likely to be affected.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-01/0180.html
______________________________________________________________________

04.3.36 CVE: Not Available
Platform: Network Device
Title: NetScreen Security Manager Insecure Default Remote
Communication Vulnerability
Description: NetScreen-Security Manager is used to communicate with
remote ScreenOS 5.0 devices; by default no encryption is enabled.
Information sent between the ScreenOS devices and NetScreen-Security
Manager will be transferred in plain text, enabling sniffing and
interception.
Ref:
http://www.netscreen.com/services/security/alerts/1_19_04_58290.jsp
______________________________________________________________________

(c) 2004. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.

==END OF PART II==

Subscriptions: RISK is distributed free of charge to people
responsible for managing and securing information systems and networks.
You may forward this newsletter to others with such responsibility
inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit
http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed,
other than listed above, without prior written permission.
