RISK: The Consensus Security Vulnerability Alert Vol. 3 No. 8

From: The SANS Institute (ConsensusSecurityVulnerabilityAlertsans.org)
Date: Thu Feb 26 2004 - 10:10:04 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This week, several Council sites focused their patching efforts on their
Cisco optical storage devices. TFTP was turned on by default and allows
GET and PUT actions without requiring authentication.

                             Alan

***********************************************************************
           RISK: The Consensus Security Vulnerability Alert
February 26, 2004 Vol. 3. Week 8
***********************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

- -----------------------------------------------------------------------
Summary of the vulnerabilities reported this week
Category - # of Updates & Vulnerabilities
                             (Found in Part I(Item #) or Part II)
- -----------------------------------------------------------------------
Windows - 2 (Parts I(#2) and II)
Other Microsoft Products - 1 (Part II)
Third Party Windows Apps -12 (Parts I(#3,#7) and II)
Linux - 1 (Part I(#1))
UNIX - 3 (Part II)
Mac OS - 1 (Part II)
Cross Platform - 8 (Part II)
Web Application - 8 (Parts I(#4) and II)
Network Device - 2 (Parts I(#5,#6) and II)

- -----------------------------------------------------------------------
Part I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint
(www.tippingpoint.com) as a by-product of that company's continuous
effort to ensure that its intrusion prevention products effectively
block exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed
description of the process may be found at
http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/

******************
Contents of Part I
Widely Deployed Software
(1) MODERATE: metamail Multiple Buffer Overflow Vulnerabilities
(2) LOW: Windows XP Explorer Multiple Buffer Overflows
 
Other Software
(3) HIGH: Infopulse Proxy-Pro GateKeeper Buffer Overflow
(4) MODERATE: Multiple Vendor SQL Injection Vulnerabilities
(5) MODERATE: Cisco ONS Platform Multiple Vulnerabilities
(6) MODERATE: APC SmartSlot Web/SNMP Management Card Default Password

Exploit Code Release
(7) Ipswitch IMail LDAP Daemon Buffer Overflow

********************** SPONSORED LINK *********************************
Note, this link takes you to a non-SANS site.

How much is employee Internet abuse costing your organization? Click
here to find out! http://www.sans.org/click.php?id=335

***********************************************************************

This Week's Featured Security Training Program:
Security managers and analysts, system and network administrators,
auditors and forensic analysts will each find immersion training focused
on their special needs, and all taught by the highest-rated instructors
in the US. And it is all in Orlando Florida, in early April.
http://www.sans.org/sans2004

***********************************************************************

************************************
Widely Deployed Software
************************************

(1) MODERATE: metamail Multiple Buffer Overflow Vulnerabilities
Affected: metamail version 2.7 and prior

Description: metamail, a popular implementation of Multipurpose Internet
Mail Extensions (MIME), contains multiple format-string and buffer
overflow vulnerabilities. The metamail package ships by default with
many flavours of Linux, and is used by several mail handling
applications and news clients for processing MIME encoded attachments.
A malicious email can exploit the flaws to execute arbitrary code on a
client system. Proof-of-concept attachments, which can trigger the
flaws, have been posted.

Status: Multiple Linux vendors, including Red Hat, Mandrake, Slackware
and Debian, have issued updates. The discoverer of the flaws has also
posted an unofficial patch.

Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.

References:
Posting by Ulf Harnhammar
  http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0041.html
CERT Vulnerability Notes
  http://www.kb.cert.org/vuls/id/513062
  http://www.kb.cert.org/vuls/id/518518
Proof-of-Concept Exploits and Unofficial Patch
  http://labben.abm.uu.se/~ulha9485/metamail.advisory-data.tar.gz
metamail Man page
  http://www.die.net/doc/linux/man/man1/metamail.1.html
Secunia Advisory
  http://secunia.com/advisories/10908
SecurityFocus BID
  http://www.securityfocus.com/bid/9692

****************************************************************

(2) LOW: Windows XP Explorer Multiple Buffer Overflows
Affected: Windows XP

Description: Windows XP Explorer reportedly contains integer and
heap-based buffer overflows, which can be triggered by specially crafted
enhanced metafiles. Enhanced metafiles, typically named with a ".emf"
extension, are used to store graphics in a device independent format.
The overflows may be exploited to possibly execute arbitrary code on a
client system. Technical details required to exploit the flaws have been
posted. Note that Internet Explorer and Microsoft Outlook automatically
open enhanced metafiles, so these products may also be vulnerable if
they share the relevant code with Windows Explorer.
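The integer and heap overflows described above belong to the class of bugs where a parser trusts size fields carried inside the metafile itself. The following Python is an added illustration of the checks such a parser needs; it is not code from the posting or from Microsoft, and it does not reproduce the specific Windows Explorer flaw, whose exact trigger is not described here. It walks the ENHMETAHEADER and the record stream of an EMF blob and refuses any nBytes, nRecords or record nSize that disagrees with the bytes actually present. The EMF built by build_sample_emf() is constructed for this example.

```python
import struct

# ENHMETAHEADER field layout (little-endian) as published by Microsoft:
#   0 iType(4)  4 nSize(4)  8 rclBounds(16)  24 rclFrame(16)  40 dSignature(4)
#  44 nVersion(4)  48 nBytes(4)  52 nRecords(4)  56 nHandles(2)  58 sReserved(2)
#  60 nDescription(4)  64 offDescription(4)  68 nPalEntries(4)  72 szlDevice(8)
#  80 szlMillimeters(8)  -> 88 bytes before any optional trailing fields
EMF_SIGNATURE = 0x464D4520   # " EMF"
EMR_HEADER = 1
EMR_EOF = 14
HEADER_MIN_SIZE = 88


class MetafileError(ValueError):
    pass


def walk_emf_records(data: bytes):
    """Return [(iType, nSize, offset), ...] for every record, or raise MetafileError.

    Every size taken from the file is compared with len(data) before it is used
    as an index or an allocation size; that comparison is what an integer/heap
    overflow in a metafile parser is missing.
    """
    n = len(data)
    if n < HEADER_MIN_SIZE:
        raise MetafileError("file shorter than ENHMETAHEADER")
    itype, nsize = struct.unpack_from("<II", data, 0)
    signature, _version, nbytes, nrecords = struct.unpack_from("<IIII", data, 40)
    if itype != EMR_HEADER or signature != EMF_SIGNATURE:
        raise MetafileError("not an EMF header")
    if nsize < HEADER_MIN_SIZE or nsize > n or nsize % 4:
        raise MetafileError("bad header nSize")
    if nbytes != n:
        raise MetafileError("nBytes disagrees with actual file length")

    records = []
    off = 0
    while off < n:
        if n - off < 8:
            raise MetafileError("truncated record header")
        rtype, rsize = struct.unpack_from("<II", data, off)
        # rsize is a 32-bit value chosen by whoever wrote the file: too small would
        # loop or under-allocate, unaligned is invalid, too large reads past the buffer
        if rsize < 8 or rsize % 4 or rsize > n - off:
            raise MetafileError(f"bad record size {rsize} at offset {off}")
        records.append((rtype, rsize, off))
        off += rsize
        if rtype == EMR_EOF:
            break
    if not records or records[-1][0] != EMR_EOF:
        raise MetafileError("missing EMR_EOF record")
    if len(records) != nrecords:
        raise MetafileError("nRecords disagrees with records present")
    return records


def build_sample_emf(eof_size=20, nbytes=None):
    """Constructed sample: the smallest valid EMF (header + EMR_EOF).

    eof_size and nbytes can be forged to exercise the checks above.
    """
    eof = struct.pack("<IIIII", EMR_EOF, eof_size, 0, 0, 20)   # EMR_EOF is 20 bytes
    total = HEADER_MIN_SIZE + len(eof)
    header = struct.pack("<II", EMR_HEADER, HEADER_MIN_SIZE)
    header += b"\0" * 32                                        # rclBounds + rclFrame
    header += struct.pack("<IIIIHH" + "I" * 7,
                          EMF_SIGNATURE, 0x10000,
                          total if nbytes is None else nbytes, 2,
                          0, 0, 0, 0, 0, 0, 0, 0, 0)
    return header + eof


if __name__ == "__main__":
    print(walk_emf_records(build_sample_emf()))
    for forged in (build_sample_emf(eof_size=0xFFFFFFF0), build_sample_emf(nbytes=0x7FFFFFFF)):
        try:
            walk_emf_records(forged)
        except MetafileError as e:
            print("rejected:", e)
```

The 0xFFFFFFF0 record size is the kind of value that passes an unsigned "is it aligned" test and then wraps an allocation or a pointer addition; checking it against the bytes remaining before any arithmetic is the point.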

Status: Microsoft has not confirmed, no patches available.

Council Site Actions: Five of the reporting council sites plan to deploy
the patch or hotfix roll-up when it becomes available. A sixth site has
a limited use of XP and does not plan any action.

References:
Posting by sunglasses
  http://www.securityfocus.com/archive/1/354783/2004-02-21/2004-02-27/2
Posting by Chris Calabrese
  http://www.securityfocus.com/archive/1/354824/2004-02-21/2004-02-27/0
Information on Metafiles
  http://msdn.microsoft.com/library/en-us/gdi/metafile_8xpq.asp
  http://www.companionsoftware.com/PR/WMRC/WindowsMetafileFaq.html
SecurityFocus BID
  http://www.securityfocus.com/bid/9707

***********************************
Other Software
***********************************

(3) HIGH: Infopulse Proxy-Pro GateKeeper Buffer Overflow
Affected: GateKeeper Professional version 4.7

Description: Proxy-Pro Gatekeeper's web proxy component reportedly
contains a buffer overflow that can be triggered by an overlong HTTP
request (over 4100 bytes). The flaw can be exploited to possibly execute
arbitrary code with the privileges of the "GKService.exe" process. An
exploit that leverages the flaw to run arbitrary code has been posted.

Status: Vendor not confirmed, no patches available.

Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.

References:
Posting by Ivan Rodriguez Almuina
http://archives.neohapsis.com/archives/fulldisclosure/2004-02/1149.html
Secunia Advisory
  http://secunia.com/advisories/10947
Product Homepage
  http://www.infopulse.ro/eng/products/Gatekeeper.html
SecurityFocus BID
  Not yet available.

****************************************************************

(4) MODERATE: Multiple Vendor SQL Injection Vulnerabilities
Affected:
Ecommerce Online Store Kit, a shopping cart software, version 3.0
WebCortex WebStores2000, an online-store software, version 6.0
XMB Partagium, a message board software, version 1.8 Final SP2

Description: The following web-based software packages reportedly
contain one or more SQL injection vulnerabilities: Online Store Kit,
WebStores2000 and XMB Partagium. These flaws can be exploited to
manipulate SQL queries issued against the backend databases, potentially
leading to compromise of the affected application. The posted advisories
contain technical details and/or show how to craft malicious HTTP
requests to exploit the flaws.
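All three flaws share one shape: a request parameter concatenated into a query string. The Python/sqlite3 example below is added here to illustrate that shape and its fix; it is not code from any of the affected products, and the product and admin tables are constructed for the example. product_vulnerable() builds the query the way the advisories describe, so a crafted id can drop the visibility filter or UNION in another table; product_safe() binds the value as a parameter and enforces its type at the boundary.

```python
import sqlite3


def make_store_db():
    """Constructed sample database standing in for a shop's back end."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, visible INTEGER);
        CREATE TABLE admin_users (username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'Widget', 9.99, 1);
        INSERT INTO products VALUES (2, 'Unlisted gadget', 1.0, 0);
        INSERT INTO admin_users VALUES ('admin', 'a1b2c3');
    """)
    return con


def product_vulnerable(con, product_id: str):
    """The pattern behind the advisories: the request parameter is pasted into SQL."""
    sql = f"SELECT name, price FROM products WHERE id = {product_id} AND visible = 1"
    return con.execute(sql).fetchall()


def product_safe(con, product_id: str):
    """Bound parameter plus type check: the value can never alter the query's structure."""
    try:
        pid = int(product_id)
    except ValueError:
        return []
    sql = "SELECT name, price FROM products WHERE id = ? AND visible = 1"
    return con.execute(sql, (pid,)).fetchall()


if __name__ == "__main__":
    con = make_store_db()
    print(product_vulnerable(con, "1"))                       # the intended result
    print(product_vulnerable(con, "1 OR 1=1 --"))             # filter bypass: hidden rows too
    print(product_vulnerable(con,
          "0 UNION SELECT username, password_hash FROM admin_users --"))  # reads another table
    print(product_safe(con, "1 OR 1=1 --"))                   # rejected: []
```

The trailing `--` in the payloads comments out the `AND visible = 1` clause that the developer relied on; with a bound parameter the whole string is compared against id as data and matches nothing.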

Status:
Online Store Kit - Vendor notified, no patches available yet.
WebStores2000 - Vendor confirmed, patches available.
XMB Partagium - Unknown.

Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.

References:
Ecommerce Online Store Kit
Posting by Zetalabs
  http://www.securityfocus.com/archive/1/354290/2004-02-13/2004-02-19/0
Posting by David Sopas Ferreira
  http://www.systemsecure.org/advisories/ssadvisory16022004.php
Vendor Homepage
  http://www.ecommerce.com
SecurityFocus BIDs
  http://www.securityfocus.com/bid/9687
  http://www.securityfocus.com/bid/9676

WebCortex WebStores2000
Posting by Nick Gudov
  http://archives.neohapsis.com/archives/bugtraq/2004-02/0487.html
Secunia Advisory
  http://secunia.com/advisories/10920
Product Homepage
  http://www.webcortex.com/site2000/products.asp
SecurityFocus BID
  http://www.securityfocus.com/bid/7766

XMB Partagium
Posting by Janek Vind
  http://www.securityfocus.com/archive/1/354778/2004-02-21/2004-02-27/0
Vendor Homepage
  http://www.xmbforum.com
SecurityFocus BID
  Not yet available.

****************************************************************

(5) MODERATE: Cisco ONS Platform Multiple Vulnerabilities
Affected:
Cisco ONS 15327 Edge Optical Transport Platform
Cisco ONS 15454 Optical Transport Platform
Cisco ONS 15454 SDH Multiplexer Platform
Cisco ONS 15600 Multiservice Switching Platform

Description: Multiple Cisco platforms contain a vulnerability in the
TFTP service. The service is enabled by default and allows an attacker
to execute the TFTP "GET" and "PUT" commands without any authentication.
This can be exploited to upload arbitrary device configuration files,
which may result in a denial-of-service to the device. In addition, an
invalid 3-way handshake on port 1080/tcp may also result in a
denial-of-service to the device.
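TFTP (RFC 1350) has no field in its request format for a credential, so "allows GET and PUT without authentication" really means the service is reachable at all, which is why the council sites either patched or blocked the port. The Python below is an added example, not Cisco's code or anything from the advisory: it encodes and decodes the RFC 1350 packet types with length checks, then runs a small detection over constructed UDP flows, flagging write requests (PUTs) aimed at a hypothetical set of management-plane addresses. The addresses and the filename are invented for the example.

```python
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
OPNAMES = {RRQ: "RRQ", WRQ: "WRQ", DATA: "DATA", ACK: "ACK", ERROR: "ERROR"}


def encode_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """RFC 1350 read/write request: opcode, filename, 0, mode, 0. No credential field exists."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("only RRQ/WRQ are request packets")
    return struct.pack("!H", opcode) + filename.encode("ascii") + b"\0" + mode.encode("ascii") + b"\0"


def decode(packet: bytes) -> dict:
    """Decode one TFTP packet, checking lengths before indexing into it."""
    if len(packet) < 4:
        raise ValueError("runt TFTP packet")
    (op,) = struct.unpack_from("!H", packet, 0)
    if op in (RRQ, WRQ):
        fields = packet[2:].split(b"\0")
        if len(fields) < 3 or fields[-1] != b"":
            raise ValueError("malformed request: missing NUL terminators")
        return {"op": OPNAMES[op],
                "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace").lower()}
    if op == DATA:
        (block,) = struct.unpack_from("!H", packet, 2)
        return {"op": "DATA", "block": block, "data": packet[4:]}
    if op == ACK:
        (block,) = struct.unpack_from("!H", packet, 2)
        return {"op": "ACK", "block": block}
    if op == ERROR:
        (code,) = struct.unpack_from("!H", packet, 2)
        msg = packet[4:].split(b"\0", 1)[0]
        return {"op": "ERROR", "code": code, "message": msg.decode("ascii", "replace")}
    raise ValueError(f"unknown opcode {op}")


def flag_tftp_to_management(flows, management_hosts, ops=("WRQ",)):
    """flows: iterable of (src, dst, dport, payload). Return TFTP requests of the
    given types (default: writes, i.e. PUTs) sent to hosts in management_hosts."""
    hits = []
    for src, dst, dport, payload in flows:
        if dport != 69 or dst not in management_hosts:
            continue
        try:
            msg = decode(payload)
        except ValueError:
            continue
        if msg["op"] in ops:
            hits.append((src, dst, msg["op"], msg["filename"]))
    return hits


def sample_flows():
    """Constructed UDP flows (src, dst, dport, payload); addresses and filename are invented."""
    return [
        ("10.0.0.5", "10.1.1.1", 69, encode_request(WRQ, "node-config.bin")),  # PUT to a management host
        ("10.0.0.5", "10.1.1.1", 69, encode_request(RRQ, "node-config.bin")),  # GET of the same file
        ("10.0.0.7", "10.2.2.2", 69, encode_request(WRQ, "firmware.img")),    # PUT, but not a management host
        ("10.0.0.9", "10.1.1.1", 69, b"\x00\x02"),                              # runt packet: decoder rejects it
        ("10.0.0.9", "10.1.1.1", 69, b"\x00\x05\x00\x01File not found\x00"),   # ERROR reply, not a request
    ]


if __name__ == "__main__":
    mgmt = {"10.1.1.1"}
    print(flag_tftp_to_management(sample_flows(), mgmt))                      # writes only
    print(flag_tftp_to_management(sample_flows(), mgmt, ops=("RRQ", "WRQ")))  # reads too
```

Flag reads as well when the device's configuration files are sensitive; an unauthenticated GET of a configuration is a disclosure problem even where it is not the denial-of-service the advisory describes.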

Status: Vendor confirmed, patches available.

Council Site Actions: Four of the reporting council sites are using the
affected software. Two of these sites have already patched the affected
systems. The third site is still investigating if they are running the
affected version, if so, they will deploy the patches. The final site
blocks the ports at the perimeter. They do not plan any further action
at this time.

References:
Cisco Advisory
  http://www.cisco.com/warp/public/707/cisco-sa-20040219-ONS.shtml
SecurityFocus BID
  http://www.securityfocus.com/bid/9699

****************************************************************

(6) MODERATE: APC SmartSlot Web/SNMP Management Card Default Password
Affected: AP9606 running AOS version 3.2.1 or 3.0.3

Description: APC SmartSwitch and UPS products have a Web and SNMP
management card, which ships with a default undocumented password. An
attacker can exploit this flaw to obtain unauthorized access to the
devices. Technical details required to leverage the vulnerability have
been posted.

Status: Vendor confirmed, patches available. It is reported that the
workaround of disabling the telnet service does not work.

Council Site Actions: The affected software is only in use at two of
the reporting council sites. One site is still investigating if their
APC devices are running the affected software. The second site blocks
external access to their APC devices; thus, no action is required on
their part.

References:
Posting by Dave Tarbatt
  http://www.securityfocus.com/archive/1/354169/2004-02-13/2004-02-19/0
Posting by thiago
  http://www.securityfocus.com/archive/1/354230/2004-02-13/2004-02-19/0
Vendor Homepage
  http://www.apc.com/index.cfm?ISOCountryCode=us
SecurityFocus BID
  http://www.securityfocus.com/bid/9681

****************************************************************

****************************
Exploit Code Release
****************************

(7) Ipswitch IMail LDAP Daemon Buffer Overflow
An exploit is available for the Ipswitch IMail LDAP service buffer
overflow described in the last issue of the RISK newsletter. An
increase in scanning activity for the LDAP port (389/tcp) has been
reported since the exploit was released.

References:
Exploit Code
  http://www.coromputer.net/files/ldaped.c
Previous RISK Posting
  http://www.sans.org/newsletters/risk/vol3_7.php (Item #1)

Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.

***********************************************************************

______________________________________________________________________

Weekly Comprehensive List of Newly Discovered Vulnerabilities

                       Week 8 2004

______________________________________________________________________

This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 3278 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that can not be scanned remotely.
______________________________________________________________________

Summary of Updates and Vulnerabilities in this Consensus

Platform                   Number of Updates and Vulnerabilities

- ------------------------ -------------------------------------

Windows                    2
Other Microsoft Products   1
Third Party Windows Apps   12
Mac Os                     1
Unix                       3
Cross Platform             8
Web Application            8
Network Device             2

______________________________________________________________________

04.8.1 - Windows - Microsoft Windows Help And Support Center Interface Spoofing Weakness
04.8.2 - Windows - Microsoft ASN.1 Library Multiple Stack-Based Buffer Overflow Vulnerabilities
04.8.3 - Other Microsoft Products - Multiple Outlook/Outlook Express Predictable File Location Weaknesses
04.8.4 - Third Party Windows Apps - Avirt Voice HTTP GET Remote Buffer Overrun
04.8.5 - Third Party Windows Apps - Avirt Soho Web Service Buffer Overrun
04.8.6 - Third Party Windows Apps - SmallFTPD Remote Denial Of Service Vulnerability
04.8.7 - Third Party Windows Apps - Zone Labs ZoneAlarm SMTP Remote Buffer Overflow
04.8.8 - Third Party Windows Apps - AIM Stores Buddy Icons In Predictable Location
04.8.9 - Third Party Windows Apps - TYPSoft FTP Server Remote Denial Of Service
04.8.10 - Third Party Windows Apps - Team Factor Memory Corruption Vulnerability
04.8.11 - Third Party Windows Apps - GateKeeper Pro Buffer Overflow Vulnerability
04.8.12 - Third Party Windows Apps - Apache Cygwin Directory Traversal Vulnerability
04.8.13 - Third Party Windows Apps - BadBlue Server phptest.php Path Disclosure
04.8.14 - Third Party Windows Apps - Ghost Recon Game Engine Denial Of Service Vulnerability
04.8.15 - Third Party Windows Apps - Gamespy SDK Remote Denial Of Service
04.8.16 - Mac Os - Apple Security Update 2004-02-23
04.8.17 - Unix - Confirm E-Mail Header Remote Command Execution
04.8.18 - Unix - Multiple XFree86 Vulnerabilities
04.8.19 - Unix - Jabber Gadu-Gadu Transport Denial Of Service Vulnerabilities
04.8.20 - Cross Platform - Platform LSF EAuth Privilege Escalation Vulnerability
04.8.21 - Cross Platform - Libxml2 Remote URI Parsing Buffer Overrun
04.8.22 - Cross Platform - Platform LSF EAuth Buffer Overflow
04.8.23 - Cross Platform - Metamail Buffer Overflow and Format String Vulnerabilities
04.8.24 - Cross Platform - Oracle 9i Application/Database Server Denial Of Service Vulnerability
04.8.25 - Cross Platform - Oracle9i Lite Multiple Unspecified Vulnerabilities
04.8.26 - Cross Platform - PSOProxy Remote Buffer Overflow Vulnerability
04.8.27 - Cross Platform - Jigsaw Webserver URI Parsing Bug
04.8.28 - Web Application - EZBoard Font Tag HTML Injection
04.8.29 - Web Application - XMB Forum Multiple Input Validation Vulnerabilities
04.8.30 - Web Application - phpNewsManager Arbitrary File Access
04.8.31 - Web Application - OWLS Workshop Multiple Remote File Disclosure Vulnerabilities
04.8.32 - Web Application - WebStores2000 Cross-Site Scripting Vulnerability
04.8.33 - Web Application - PunkBuster Database Remote SQL Injection Vulnerability
04.8.34 - Web Application - LiveJournal HTML Injection
04.8.35 - Web Application - Opt-X Remote PHP File Include
04.8.36 - Network Device - Cisco ONS Vulnerabilities
04.8.37 - Network Device - nCipher Hardware Security Module Firmware Secrets Disclosure Vulnerability
______________________________________________________________________

04.8.1 CVE: CAN-2003-0711
Platform: Windows
Title: Microsoft Windows Help And Support Center Interface Spoofing
Weakness
Description: A weakness has been identified in Microsoft Windows that
could reportedly allow aspects of the Help and Support Center
interface to be spoofed via a malicious link. This weakness employs
the connection.htm error page to present attacker-specified web pages
in the interface with various misleading properties, such as an
arbitrary title and instructional text.
Ref: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-044.asp
______________________________________________________________________

04.8.2 CVE: Not Available
Platform: Windows
Title: Microsoft ASN.1 Library Multiple Stack-Based Buffer Overflow
Vulnerabilities
Description: The Microsoft Windows Abstract Syntax Notation 1 (ASN.1)
handling Library (MSASN1.dll) is reportedly vulnerable to multiple
stack overflow issues. These boundary errors reportedly occur while
handling specific externally supplied length fields in the ASN1 BER
Decoding process.
Ref: http://www.securityfocus.com/archive/1/355135
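The bug class here is a BER length field that the decoder trusts without comparing it to the bytes that remain. As an added example (not Microsoft's code, and not a reproduction of the specific MSASN1.dll defect), the Python below decodes short-form and long-form BER lengths with those comparisons in place and walks a run of TLVs, recursing into constructed types. The byte strings in the usage block are constructed for the example.

```python
def read_ber_length(buf: bytes, pos: int):
    """Decode the BER length at buf[pos:]; return (length, position of content).

    Rejects indefinite form (not allowed in DER), length-of-length fields that
    run off the buffer, unreasonably wide length fields, and any content length
    longer than the bytes remaining.  The last check is the one this bug class
    leaves out, letting a 32-bit length drive a copy past a fixed-size buffer.
    """
    if pos >= len(buf):
        raise ValueError("missing length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:                                  # short form: one octet, 0..127
        length = first
    else:
        nlen = first & 0x7F
        if nlen == 0:
            raise ValueError("indefinite length not allowed in DER")
        if nlen == 0x7F:
            raise ValueError("reserved length-of-length 0xFF")
        if nlen > 4:
            raise ValueError(f"{nlen}-octet length field is unreasonable")
        if pos + nlen > len(buf):
            raise ValueError("length-of-length runs past end of buffer")
        length = int.from_bytes(buf[pos:pos + nlen], "big")
        pos += nlen
    remaining = len(buf) - pos
    if length > remaining:
        raise ValueError(f"content length {length} exceeds {remaining} remaining bytes")
    return length, pos


def parse_tlvs(buf: bytes):
    """Parse a run of single-octet-tag, definite-length TLVs into nested (tag, value) lists."""
    out = []
    pos = 0
    while pos < len(buf):
        tag = buf[pos]
        pos += 1
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-octet tag numbers are not handled in this example")
        length, pos = read_ber_length(buf, pos)
        value = buf[pos:pos + length]
        pos += length
        if tag & 0x20:                                # constructed: contents are TLVs themselves
            out.append((tag, parse_tlvs(value)))
        else:
            out.append((tag, value))
    return out


if __name__ == "__main__":
    # SEQUENCE { INTEGER 5, OCTET STRING "A" }
    print(parse_tlvs(bytes.fromhex("30 06 02 01 05 04 01 41")))
    # OCTET STRING claiming 0xFFFFFFFF content bytes with one byte present
    try:
        parse_tlvs(bytes.fromhex("04 84 ff ff ff ff 41"))
    except ValueError as e:
        print("rejected:", e)
```

The cap on the length-of-length (four octets here) is a policy choice rather than part of BER; without it, a decoder that computes `pos + nlen` or sums lengths in a 32-bit integer can be wrapped before the remaining-bytes comparison ever runs.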
______________________________________________________________________

04.8.3 CVE: Not Available
Platform: Other Microsoft Products
Title: Multiple Outlook/Outlook Express Predictable File Location
Weaknesses
Description: Microsoft Outlook and Outlook Express are reported to be
prone to store various files which may contain attacker-supplied
content in predictable locations, aiding in exploitation of other
possible security vulnerabilities. Outlook Express stores a temporary
copy of embedded sound files in a predictable location
(<profile>\Local Settings\Temp\[filename].[ext]).
Ref: http://www.securityfocus.com/archive/1/354622
______________________________________________________________________

04.8.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: Avirt Voice HTTP GET Remote Buffer Overrun
Description: Avirt Voice is an H.323 gateway product for Microsoft
Windows operating systems. It is prone to a remotely exploitable
buffer overrun when handling HTTP GET requests of excessive length via
the embedded server component listening on TCP port 1080. This issue
was reported in Avirt Voice 4.0.
Ref: http://www.autistici.org/fdonato/advisory/avirtVoice4.0-adv.txt
______________________________________________________________________

04.8.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: Avirt Soho Web Service Buffer Overrun
Description: Avirt Soho provides Internet sharing for Windows. It is
susceptible to a buffer overrun when handling long HTTP GET requests
on ports 1080 and 8080. Exploitation may corrupt process memory,
crashing the server, and could potentially lead to arbitrary code
execution on the server.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-02/0597.html
______________________________________________________________________

04.8.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: SmallFTPD Remote Denial Of Service Vulnerability
Description: SmallFTPD is reportedly vulnerable to a remote denial of
service condition while handling excessively long directory request
strings. This issue was reported for the 1.0.3 version of the
software.
Ref: http://www.securityfocus.com/archive/1/354378
______________________________________________________________________

04.8.7 CVE: Not Available
Platform: Third Party Windows Apps
Title: Zone Labs ZoneAlarm SMTP Remote Buffer Overflow
Description: ZoneAlarm is a firewall software package designed for
Microsoft Windows operating systems. The issue is caused by an
unchecked buffer in SMTP processing, and presents itself when the
target is operating as an SMTP server on TCP port 25. An attack may
result in a denial of service condition. The ZoneAlarm family of
products and Integrity client versions 4.0 and above are prone to this
issue.
Ref: http://download.zonelabs.com/bin/free/securityAlert/8.html
______________________________________________________________________

04.8.8 CVE: Not Available
Platform: Third Party Windows Apps
Title: AIM Stores Buddy Icons In Predictable Location
Description: AOL Instant Messenger stores Buddy Icons in a predictable
filesystem location, "c:\documents and settings\username\application
data\aim\bart\cache"; attackers may use this to place content on the
host which may then be executed via Internet Explorer. Versions 4.3 to
5.5 are known to be affected; other versions may also have this flaw.
Ref: http://www.michaelevanchik.com/security/microsoft/ie/aim/aim.txt
______________________________________________________________________

04.8.9 CVE: Not Available
Platform: Third Party Windows Apps
Title: TYPSoft FTP Server Remote Denial Of Service
Description: TYPSoft FTP Server is available for the Windows platform.
It has been discovered that the FTP server can be crashed by issuing
FTP commands with '//../qwerty' as a parameter. Version 1.10 of the
software is affected.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-02/0115.html
______________________________________________________________________

04.8.10 CVE: Not Available
Platform: Third Party Windows Apps
Title: Team Factor Memory Corruption Vulnerability
Description: Singularity Software's Team Factor game is reportedly
vulnerable to an integer handling related memory corruption issue.
This could potentially be used to cause a denial of service or even
remote command execution on the target host. This was reported for
versions 1.25 and prior.
Ref: http://aluigi.altervista.org/adv/tfboom-adv.txt
______________________________________________________________________

04.8.11 CVE: Not Available
Platform: Third Party Windows Apps
Title: GateKeeper Pro Buffer Overflow Vulnerability
Description: GateKeeper Pro is a proxy/firewall system for Windows.
The software is vulnerable to a remotely exploitable buffer overflow
in the handling of HTTP GET requests of excessive length. Attackers
may leverage this to execute arbitrary code on the vulnerable server.
Ref: http://www.coromputer.net/index?m=articles&s=5&id=32&l=2
______________________________________________________________________

04.8.12 CVE: Not Available
Platform: Third Party Windows Apps
Title: Apache Cygwin Directory Traversal Vulnerability
Description: The Apache web server running under Cygwin is reportedly
vulnerable to a directory traversal vulnerability when '..' sequences
are used in the HTTP requests.
Ref: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26152
______________________________________________________________________

04.8.13 CVE: Not Available
Platform: Third Party Windows Apps
Title: BadBlue Server phptest.php Path Disclosure
Description: BadBlue is a P2P sharing application for Windows. Remote
users may exploit a flaw in the software to determine the installation
path: an attacker may request the 'phptest.php' script, which
discloses the installation path of the software.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-02/0640.html
______________________________________________________________________

04.8.14 CVE: Not Available
Platform: Third Party Windows Apps
Title: Ghost Recon Game Engine Denial Of Service Vulnerability
Description: Ghost Recon Game Engine, a computer game engine, is
reportedly vulnerable to a denial of service condition while handling
certain types of text strings.
Ref: http://www.securityfocus.com/archive/1/355051
______________________________________________________________________

04.8.15 CVE: Not Available
Platform: Third Party Windows Apps
Title: Gamespy SDK Remote Denial Of Service
Description: The GameSpy SDK is used to develop network components for
a number of video games including Battlefield 1942, Halo, Haegemonia
and others. A problem has been discovered in the core libraries which
can be exploited remotely to cause a denial of service in the affected
servers.
Ref: http://aluigi.altervista.org/adv/gshboom-adv.txt
______________________________________________________________________

04.8.16 CVE:
CAN-2003-0989,CAN-2004-0165,CAN-2004-0055,CAN-2004-0057,CAN-2004-0164,
CAN-2004-0166,CAN-2004-0167,CAN-2004-0168,CAN-2004-0169
Platform: Mac Os
Title: Apple Security Update 2004-02-23
Description: Apple has released Security Update 2004-02-23 to fix
multiple vulnerabilities in Safari, QuickTime server, tcpdump, the
IPsec key exchange mechanism and pppd.
Ref: http://docs.info.apple.com/article.html?artnum=61798
______________________________________________________________________

04.8.17 CVE: Not Available
Platform: Unix
Title: Confirm E-Mail Header Remote Command Execution
Description: Confirm, a Procmail spam-filtering script, is reportedly
vulnerable to a remote command execution due to improper handling of
metacharacters in email headers.
Ref: http://secunia.com/advisories/10966/
______________________________________________________________________

04.8.18 CVE: CAN-2003-0690 CAN-2004-0083 CAN-2004-0084 CAN-2004-0106
CAN-2004-0093 CAN-2004-0094
Platform: Unix
Title: Multiple XFree86 Vulnerabilities
Description: XFree86 is a freely available implementation of the X
Window System. XFree86 is vulnerable to several denial of service and
buffer overflow vulnerabilities. XFree86 versions prior to 4.3.99.903
(release candidate) are vulnerable.
Ref: http://www.xfree.org/security/
______________________________________________________________________

04.8.19 CVE: Not Available
Platform: Unix
Title: Jabber Gadu-Gadu Transport Denial Of Service Vulnerabilities
Description: Jabber Gadu-Gadu Transport is a gateway between Jabber
and Gadu-Gadu. Jabber-gg-transport versions prior to 2.0.8 are
vulnerable to multiple remote denial of service vulnerabilities that
may cause the server to crash and therefore deny service to legitimate
users.
Ref: http://jabber-gg-transport.jabberstudio.org/NEWS
______________________________________________________________________

04.8.20 CVE: Not Available
Platform: Cross Platform
Title: Platform LSF EAuth Privilege Escalation Vulnerability
Description: Load Sharing Facility, a load balancing software package,
is reported vulnerable to a privilege escalation issue due to its
reliance on an environment variable to determine the UID of a user
invoking the binary.
Ref: http://secunia.com/advisories/10969/
______________________________________________________________________

04.8.21 CVE: Not Available
Platform: Cross Platform
Title: Libxml2 Remote URI Parsing Buffer Overrun
Description: Libxml2 is an XML parser and toolkit that is implemented
in C. It is reported that the software is vulnerable to a buffer
overrun issue due to insufficient bounds checking in the URI parsing
code in the nanohttp and nanoftp modules. It is conjectured that
exploitation of this vulnerability may lead to arbitrary code
execution.
Ref: http://secunia.com/advisories/10958/
______________________________________________________________________

04.8.22 CVE: Not Available
Platform: Cross Platform
Title: Platform LSF EAuth Buffer Overflow
Description: Load Sharing Facility (LSF) is high availability load
balancing software. EAuth is the component within LSF which controls
authentication. A specially crafted data string can cause a failure of
the EAuth binary and allow remote code execution. Every host in the
LSF cluster running versions 4.x, 5.x, 6.x is vulnerable.
Ref: http://www.securityfocus.com/archive/1/354782/2004-02-21/2004-02-27/0
______________________________________________________________________

04.8.23 CVE: CAN-2004-0104, CAN-2004-0105
Platform: Cross Platform
Title: Metamail Buffer Overflow and Format String Vulnerabilities
Description: Metamail is a multi-platform utility developed by
Bellcore that parses and decodes MIME encoded email. Two buffer
overflow vulnerabilities have been identified which exist due to a
lack of sufficient boundary checks being performed on user-supplied
data. Additionally, two format string-handling vulnerabilities have
been reported. Any one of these issues may be exploited by a remote
attacker to execute arbitrary code.
Ref: http://www.securityfocus.com/archive/1/354362/2004-02-15/2004-02-21/0
______________________________________________________________________

04.8.24 CVE: Not Available
Platform: Cross Platform
Title: Oracle 9i Application/Database Server Denial Of Service
Vulnerability
Description: Oracle 9i Application and Database services are
reportedly vulnerable to a denial of service condition when malformed
DTDs are passed via XML inside SOAP messages to an Oracle HTTP Server.
If the SOAP interface does not require authentication, this could be
used for remote denial of service attacks on the service.
Ref: http://otn.oracle.com/deploy/security/pdf/2004alert65.pdf
______________________________________________________________________

04.8.25 CVE: Not Available
Platform: Cross Platform
Title: Oracle9i Lite Multiple Unspecified Vulnerabilities
Description: Oracle has reported multiple unspecified vulnerabilities
existing in Oracle 9i Lite. It has been reported that user
authentication to Oracle9i Lite Mobile Server is required in order to
carry out a successful attack. Successful exploitation of these
vulnerabilities may result in unauthorized access to a connected
Oracle database server. Oracle9i Lite versions 5.0.0.0.0 to 5.0.2.9.0
have been reported to be vulnerable.
Ref: http://otn.oracle.com/deploy/security/pdf/2004alert63.pdf
______________________________________________________________________

04.8.26 CVE: Not Available
Platform: Cross Platform
Title: PSOProxy Remote Buffer Overflow Vulnerability
Description: PSOProxy is an application designed to facilitate the
loading of content onto Nintendo's Gamecube Console. The server is
reported to be vulnerable to a remote buffer overrun which may be
exploited by remote users to corrupt process memory and potentially
execute arbitrary code on the server.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-02/0569.html
______________________________________________________________________

04.8.27 CVE: Not Available
Platform: Cross Platform
Title: Jigsaw Webserver URI Parsing Bug
Description: Jigsaw is a web server produced by the W3C and
implemented in Java. A bug in the URI parsing has been reported by
developers. The exact nature and consequences of the issue are
unavailable but it is conjectured that crafted URIs may lead to the
disclosure of content outside of the webserver root.
Ref: http://www.w3.org/Jigsaw/RelNotes.html#2.2.4
______________________________________________________________________

04.8.28 CVE: Not Available
Platform: Web Application
Title: EZBoard Font Tag HTML Injection
Description: EZBoard is a web based bulletin board system. It is
reportedly vulnerable to HTML injection: an attacker may include
hostile HTML and script code encapsulated in [font] tags of posts to
the bulletin board. This vulnerability has been reported to affect
EZBoard version 7.3u.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-02/0605.html
______________________________________________________________________

04.8.29 CVE: Not Available
Platform: Web Application
Title: XMB Forum Multiple Input Validation Vulnerabilities
Description: XMB Forum is a web-based discussion forum. Version 1.8
SP2 is known to be vulnerable to multiple cross-site scripting, HTML
injection and SQL injection vulnerabilities.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-02/0595.html
______________________________________________________________________

04.8.30 CVE: Not Available
Platform: Web Application
Title: phpNewsManager Arbitrary File Access
Description: phpNewsManager is a web-based content management
application. It is reported that the software is vulnerable to
directory traversal attacks via the 'functions.php' script. Remote
attackers can exploit this issue to read files outside the web server
root directory.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-02/0627.html
______________________________________________________________________

04.8.31 CVE: Not Available
Platform: Web Application
Title: OWLS Workshop Multiple Remote File Disclosure Vulnerabilities
Description: OWLS Workshop has been reported to suffer from
insufficient validation of user-supplied input that can be exploited
to retrieve arbitrary files from the remote filesystem. This issue was
reported for OWLS version 1.0 of the software.
Ref: http://www.securityfocus.com/archive/1/354289
______________________________________________________________________

04.8.32 CVE: Not Available
Platform: Web Application
Title: WebStores2000 Cross-Site Scripting Vulnerability
Description: WebCortex WebStores2000 is an ASP application which
implements shopping cart functionality. The error.asp script is
reported to be vulnerable to a cross-site scripting issue which would
permit attackers to inject arbitrary HTML code into a victim's
browser.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-02/0487.html
______________________________________________________________________

04.8.33 CVE: Not Available
Platform: Web Application
Title: PunkBuster Database Remote SQL Injection Vulnerability
Description: PunkBuster, a screenshot management system, is reported
to be vulnerable to SQL injection attacks due to insufficient
sanitization of input parameters.
Ref: http://www.securityfocus.com/archive/1/354453
______________________________________________________________________

04.8.34 CVE: Not Available
Platform: Web Application
Title: LiveJournal HTML Injection
Description: LiveJournal is a freely available web-based personal
journal application. The application filters HTML tags but it fails to
filter semicolons and parentheses. This may allow a user to inject
malicious script code, either via the BODY tag or via a malicious
style sheet.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-02/0546.html
______________________________________________________________________

04.8.35 CVE: Not Available
Platform: Web Application
Title: Opt-X Remote PHP File Include
Description: Opt-X is a network monitoring tool implemented in PHP.
Remote attackers may exploit a vulnerability in the 'header.php'
script to execute arbitrary PHP code on the vulnerable server. This
vulnerability has been reported to affect Opt-X version 0.7.2.
Ref: http://www.zone-h.org/en/advisories/read/id=4036/
______________________________________________________________________

04.8.36 CVE: Not Available
Platform: Network Device
Title: Cisco ONS Vulnerabilities
Description: Multiple vulnerabilities exist in the Cisco ONS 15327
Edge Optical Transport Platform, the Cisco ONS 15454 Optical Transport
Platform, the Cisco ONS 15454 SDH Multiplexer Platform, and the Cisco
ONS 15600 Multiservice Switching Platform that allow unauthorized
access and denial of service attacks.
Ref: http://www.cisco.com/warp/public/707/cisco-sa-20040219-ONS.shtml
______________________________________________________________________

04.8.37 CVE: Not Available
Platform: Network Device
Title: nCipher Hardware Security Module Firmware Secrets Disclosure
Vulnerability
Description: nCipher HSM firmware has been reported to be vulnerable
to disclosure of infrastructure and application keys if the GeneralSEE
feature has been enabled.
Ref: http://www.securityfocus.com/archive/1/354763
______________________________________________________________________

(c) 2004. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a
party other than Qualys (as indicated herein) and permission to use
such material must be requested from the copyright owner.

==END OF PART II==

Subscriptions: RISK is distributed free of charge to people
responsible for managing and securing information systems and networks.
You may forward this newsletter to others with such responsibility
inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit
http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed,
other than listed above, without prior written permission.
