RISK: The Consensus Security Vulnerability Alert Vol. 3 No. 18
From: The SANS Institute (ConsensusSecurityVulnerabilityAlert at sans.org)
Date: Mon May 10 2004 - 12:44:58 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A quiet week, except for Checkpoint VPN users who are busy transitioning
and re-establishing all of their VPN tunnels. (See Number 4, below.)
*************************************************************************
RISK: The Consensus Security Vulnerability Alert
May 9, 2004 Vol. 3. Week 18
*************************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).
-----------------------------------------------------------------------
Summary of the vulnerabilities reported this week
Category - # of Updates & Vulnerabilities
(Found in Part I (Item #) or Part II)
-----------------------------------------------------------------------
Other Microsoft Products - 1
Third Party Windows Apps - 4 (#8)
MacOS - 1 (#2)
Linux - 2
Solaris - 1
Irix - 1
UNIX - 4 (#3, #7)
Cross Platform - 5 (#1, #4, #6)
Web Application - 15 (#5)
-----------------------------------------------------------------------
Part I Critical Vulnerabilities
Part I is compiled by the security team at TippingPoint
(www.tippingpoint.com) as a by-product of that company's continuous
effort to ensure that its intrusion prevention products effectively
block exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed
description of the process may be found at
http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/
******************
Contents of Part I
Moderate to Widely Deployed Software
(1) MODERATE: Apple QuickTime Player Integer Overflow
(2) MODERATE: AppleFileServer "LoginExt" Buffer Overflow
(3) MODERATE: LHA Multiple Buffer Overflow Vulnerabilities
(4) MODERATE: CheckPoint VPN-1 ISAKMP Buffer Overflow
Other Software
(5) HIGH: Coppermine, PHPX, P4DB, and oMail Remote Command Execution
Vulnerabilities
(6) MODERATE: DeleGate SSL Filter Buffer Overflow
(7) MODERATE: Exim Multiple Buffer Overflow Vulnerabilities
(8) MODERATE: Netwin SurgeLDAP Authentication Bypass
***********************************************************************
This Week's Featured Security Training Program: SANSFIRE 2004
Monterey, CA, July 5-13, 2004
SANSFIRE offers you 14 immersion training tracks in one of the most
beautiful and romantic places in America. Phenomenal training for
auditors who want to master the challenges of security auditing, for
managers who want to build a great security program, for security
beginners who want to get a fast start, and, of course, the only place
to go for technologists who want to master the most current methods for
protecting systems and networks. SANSFIRE also offers lots of evening
programs, extra one-day classes ranging from security business law to
cyberwarrior training, and vendor exhibits, too.
Register soon to get a seat at your choice of courses.
http://www.sans.org/sansfire2004
***********************************************************************
*************************************
Moderate to Widely Deployed Software
*************************************
(1) MODERATE: Apple QuickTime Player Integer Overflow
Affected:
iTunes version 4.2.0.72
QuickTime version 6, 6.1 and 6.5, on Windows and Mac platforms.
Description: Apple's QuickTime and iTunes are very popular digital
multimedia players that have been reportedly downloaded over 275 million
times. The players' "QuickTime.qts" component, which is also used by
many applications such as web browsers to open a QuickTime media file,
contains an integer overflow vulnerability. The problem occurs because
the QuickTime player does not perform a length check on the number of
"entries" declared in a media file's "sample-to-chunk" atom. A malicious
media file can exploit this flaw to overwrite heap memory, and execute
arbitrary code on a client system. An attacker may deliver such a media
file to the client via a web page or an email. The technical details
required to exploit the vulnerability have been posted.
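The integer overflow described above, worked through in code. This is an
added example, not eEye's or Apple's code: a minimal parser for the 'stsc'
atom layout documented in the QuickTime File Format reference, with the
unchecked 32-bit size computation placed beside a version that bounds the
declared entry count by the bytes actually present in the atom. The atom
bytes are constructed inline; the helper names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout of a QuickTime sample-to-chunk ('stsc') atom:
     size(4) type(4)="stsc" version(1) flags(3) entry_count(4)
     entry_count x { first_chunk(4) samples_per_chunk(4) sample_description_id(4) } */
#define ATOM_HDR   8u
#define STSC_FIXED 8u   /* version + flags + entry_count */
#define STSC_ENTRY 12u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  | (uint32_t)p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* The bug class: a 32-bit product of an attacker-chosen count used as an
   allocation size. For entry_count >= 0x15555556 the multiply wraps, so a
   huge declared count yields a tiny heap buffer that a later per-entry copy
   loop runs off the end of. */
uint32_t stsc_table_bytes_unchecked(uint32_t entry_count) {
    return entry_count * STSC_ENTRY;
}

/* Hardened parse: the declared count must be backed by bytes actually present
   inside the atom. Dividing the payload by the entry size instead of
   multiplying the count means no intermediate can overflow.
   Returns 0 and sets *entry_count on success, -1 on any inconsistency. */
int stsc_parse(const uint8_t *atom, size_t atom_len, uint32_t *entry_count) {
    if (atom_len < ATOM_HDR + STSC_FIXED) return -1;
    uint32_t size = be32(atom);
    if (memcmp(atom + 4, "stsc", 4) != 0) return -1;
    if (size < ATOM_HDR + STSC_FIXED || size > atom_len) return -1;
    uint32_t n = be32(atom + ATOM_HDR + 4);
    size_t payload = size - ATOM_HDR - STSC_FIXED;
    if (n > payload / STSC_ENTRY) return -1;   /* declares more entries than it carries */
    *entry_count = n;
    return 0;
}

/* Constructed atom (example input): 'declared' entries announced in the
   header, 'present' entries actually written, so the two can disagree the way
   a malicious file's do. Returns bytes written, 0 if it does not fit. */
size_t build_stsc(uint8_t *buf, size_t cap, uint32_t declared, uint32_t present) {
    size_t total = ATOM_HDR + STSC_FIXED + (size_t)present * STSC_ENTRY;
    if (total > cap || total > UINT32_MAX) return 0;
    put32(buf, (uint32_t)total);
    memcpy(buf + 4, "stsc", 4);
    put32(buf + 8, 0);                  /* version/flags */
    put32(buf + 12, declared);
    for (uint32_t i = 0; i < present; i++) {
        uint8_t *e = buf + ATOM_HDR + STSC_FIXED + i * STSC_ENTRY;
        put32(e, i + 1); put32(e + 4, 1); put32(e + 8, 1);
    }
    return total;
}

/* Build-and-parse in one step: 0 if the atom is accepted with the declared
   count, -1 if the hardened parser rejects it, -99 if it could not be built. */
int stsc_check(uint32_t declared, uint32_t present) {
    uint8_t buf[256];
    uint32_t n;
    size_t len = build_stsc(buf, sizeof buf, declared, present);
    if (len == 0) return -99;
    return (stsc_parse(buf, len, &n) == 0 && n == declared) ? 0 : -1;
}

int main(void) {
    printf("unchecked table size for 0x40000000 entries: %u bytes\n",
           stsc_table_bytes_unchecked(0x40000000u));
    printf("honest atom (2 declared / 2 present): %d\n", stsc_check(2, 2));
    printf("lying atom (0x40000000 declared / 1 present): %d\n",
           stsc_check(0x40000000u, 1));
    return 0;
}
```

The 0x40000000 case is the one that matters: the unchecked product is 0, so
a real player would allocate nothing and then copy a billion entries; the
checked parser rejects the atom before any allocation happens.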
Status: Vendor confirmed. Upgrade to QuickTime version 6.5.1.
Council Site Actions: Most of the council sites reported that the
vulnerable software is in use at most sites, but the software is not
officially supported. Several sites sent out a notification to their
appropriate support groups. A smaller number of sites that do support
the software plan to push the updated version out within 30 days or at
some point in the future.
References:
eEye Advisory
http://www.eeye.com/html/Research/Advisories/AD20040502.html
CERT Advisory
http://www.kb.cert.org/vuls/id/782958
QuickTime Homepage
http://www.apple.com/quicktime/
QuickTime File Format
http://developer.apple.com/documentation/QuickTime/QTFF/index.html
SecurityFocus BID
http://www.securityfocus.com/bid/10257
****************************************************************
(2) MODERATE: AppleFileServer "LoginExt" Buffer Overflow
Affected:
Mac OS X 10.2.8, 10.3.2, 10.3.3
Description: The Apple Filing Protocol (AFP) provides file sharing between
networked Mac OS computers, filling the role SMB plays in Windows
environments. AppleFileServer, the Mac OS X service that implements AFP,
contains a stack-based buffer overflow. The overflow is triggered by a
specially crafted "LoginExt" (authentication) request whose "PathName"
parameter is longer than its declared length. An unauthenticated attacker
can exploit this flaw to execute arbitrary code on the server, possibly
with root privileges. Technical details regarding the vulnerability have
been posted. Note that the AFP service is not enabled by default.
Status: Apple has confirmed the flaw and released security updates for
Mac OS X 10.2.8 and 10.3.3 versions. A workaround is to block traffic
destined to the AFP ports 548/tcp and 548/udp at the network perimeter.
Council Site Actions: Only a few of the reporting council sites are
using and support this application. Two of them plan to push out the
corrected version at some point in the future. Another site plans to
scan for activity on port 548 to estimate the size of the problem. They
said most of their systems would be patched/updated through the Software
Update Facility.
References:
@stake Advisory
http://archives.neohapsis.com/archives/vulnwatch/2004-q2/0023.html
Apple Security Updates
http://docs.info.apple.com/article.html?artnum=61798
CERT Advisory
http://www.kb.cert.org/vuls/id/648406
AFP Protocol Details
http://developer.apple.com/documentation/Networking/Conceptual/AFP/index.html#//apple_ref/doc/uid/TP40000854
ClearText Password Packet Structure
http://developer.apple.com/documentation/Networking/Conceptual/AFP/index.html#//apple_ref/doc/uid/TP40000854
SecurityFocus BID
http://www.securityfocus.com/bid/10271
****************************************************************
(3) MODERATE: LHA Multiple Buffer Overflow Vulnerabilities
Affected:
LHA versions 1.14d through 1.14i and 1.17 on UNIX platforms
Description: LHA is a file compression utility similar to zip and gzip.
It ships with many Linux distributions and has been ported to BSD,
Solaris and other operating systems. The software contains two
stack-based buffer overflows that can be triggered by specially crafted
archives containing overlong file or directory names. The flaws can be
exploited to execute arbitrary code with the privileges of the LHA
process. Note that many virus scanners invoke LHA to unpack LHA archives,
and web browsers may invoke it to automatically uncompress LHA archives
on download, so an attacker can reach the flaw through a specially
crafted email attachment or a malicious web page. The technical details
and an exploit have been posted.
Status: Various Linux vendors like RedHat and Slackware have released
updated packages. Unofficial patches have been included in the
discoverer's posting.
Council Site Actions: Three of the reporting sites are using the
affected software, and they report no special actions are planned at
this time. Two of the sites stated that the affected application will
be updated through their standard, automatic Linux update feature. The
third site is not planning any action until the threat level increases.
References:
Posting by Ulf Harnhammar
http://archives.neohapsis.com/archives/vulnwatch/2004-q2/0021.html
RedHat Advisory
http://archives.neohapsis.com/archives/linux/redhat/2004-q2/0007.html
Exploit Code
http://www.securiteam.com/exploits/5MP010KCVY.html
Vendor Homepages
http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/
http://www2m.biglobe.ne.jp/~dolphin/lha/lha.htm
SecurityFocus BID
http://www.securityfocus.com/bid/10243
****************************************************************
(4) MODERATE: CheckPoint VPN-1 ISAKMP Buffer Overflow
Affected:
Check Point VPN-1/FireWall-1 VSX NG
Check Point VPN-1 SecuRemote
Check Point VPN-1 SecureClient
Check Point VPN-1/FireWall-1 NG with Application Intelligence (AI)
Check Point VPN-1/Firewall-1 NG
Check Point FireWall-1 GX 2.x
Description: The CheckPoint VPN software contains a stack-based buffer
overflow vulnerability. The flaw can be triggered by crafted ISAKMP
packets during negotiation of a VPN tunnel. The overflow can be
exploited to possibly execute arbitrary code. No further technical
details regarding the vulnerability are currently available.
Status: CheckPoint reported the flaw and has issued hotfixes for various
products.
Council Site Actions: Four of the reporting council sites are running
the affected software. All sites are in the process of upgrading to the
corrected version. The upgrade process is somewhat time-consuming since
sites must upgrade to the new NG platform, thus the VPN tunnels must be
transitioned and re-established.
References:
CheckPoint Advisory
http://www.checkpoint.com/techsupport/alerts/ike_vpn.html
Vendor Homepage
http://www.checkpoint.com
SecurityFocus BID
http://www.securityfocus.com/bid/10273
**************************
Other Software
**************************
(5) HIGH: Coppermine, PHPX, P4DB, and oMail Remote Command Execution Vulnerabilities
Affected:
Coppermine, a photo gallery software, version 1.2.0 and 1.2.2b
PHPX, a content management software, version 3.26 and prior
P4DB, a source code repository interface, version 2.01 and prior
oMail, a web mail software, version 0.98.5
Description: The following web-based software packages reportedly
contain one or more remote command execution vulnerabilities:
Coppermine, PHPX, P4DB and oMail. These flaws can be exploited to run
arbitrary commands on the web servers hosting the affected software
packages. The postings contain the technical details required to craft
the malicious HTTP requests to exploit the flaws.
Status:
Coppermine - Vendor confirmed, updates to be available.
PHPX - Vendor confirmed, upgrade to version 3.3.0 or above.
P4DB - Vendor not confirmed, unofficial patch available at:
http://www.weak.org/~jammer/p4db_v2.01_patch_4.txt.
Current users should try to migrate to P4Web from Perforce.
oMail - Vendor not confirmed, posted advisory contains a workaround.
Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.
References:
Coppermine Photo Gallery Software
Posting by Janek Vind
http://archives.neohapsis.com/archives/bugtraq/2004-05/0009.html
Vendor Homepage
http://coppermine.sourceforge.net/
SecurityFocus BID
http://www.securityfocus.com/bid/10253
PHPX Content Management Software
Posting by JeiAr
http://www.securityfocus.com/archive/1/362230/2004-05-03/2004-05-09/0
Vendor Homepage
http://www.phpx.org
SecurityFocus BID
http://www.securityfocus.com/bid/10283
P4DB Source Code Repository Interface
Posting by Jon McClintock
http://www.securityfocus.com/archive/1/362291/2004-05-03/2004-05-09/0
Vendor Homepage
http://www.mydata.se/ftp/P4DB
Perforce Software
http://www.perforce.com
SecurityFocus BID
http://www.securityfocus.com/bid/10286
oMail Web Mail Software
Posting by Thijs Dalhuijsen
http://www.securityfocus.com/archive/1/362226/2004-05-03/2004-05-09/0
Vendor Homepage
http://webmail.omnis.ch/omail.pl?action=about
SecurityFocus BID
http://www.securityfocus.com/bid/10274
****************************************************************
(6) MODERATE: DeleGate SSL Filter Buffer Overflow
Affected: DeleGate version 8.9.2 and prior
Description: DeleGate is a multi-protocol proxy server that runs on a
wide variety of platforms such as Unix, Windows and Mac OS. Its filter
program "sslway" allows any protocol to be wrapped in SSL. This filter
contains a stack-based buffer overflow that can be triggered by a
malformed certificate: an issuer or subject name longer than 256 bytes
overflows a fixed-size buffer and could be exploited to execute
arbitrary code. Reliable code execution is believed to be difficult,
however, because of the restricted set of characters that can appear in
the overflowing field. The technical details and a proof-of-concept
exploit have been posted.
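The AppleFileServer LoginExt flaw (item 2), the LHA overflows (item 3) and
the sslway overflow above share one bug class: a length that comes from the
input (a declared string length, an archive header field, a certificate
name) is trusted when copying into a fixed-size stack buffer. The following
is an added example, not code from any of those projects. It uses a
simplified two-field login request with 2-byte big-endian length prefixes (a
constructed layout for illustration, not the real AFP wire format) and
rejects, before any byte is copied, both a field whose declared length
exceeds the bytes present in the packet and a field that would not fit its
destination buffer. The function and packet names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { FIELD_OK = 0, FIELD_SHORT_PACKET = -1, FIELD_TOO_LONG = -2 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Read one length-prefixed string (2-byte big-endian length, then bytes)
   starting at *pp, copying it NUL-terminated into dst and advancing *pp.
   The vulnerable pattern trusts the prefix: memcpy(dst, *pp + 2, len).
   Here len is checked against both the bytes left in the packet and the
   destination capacity first. */
int read_pstring(const uint8_t **pp, const uint8_t *end, char *dst, size_t dst_cap) {
    const uint8_t *p = *pp;
    if (end - p < 2) return FIELD_SHORT_PACKET;
    size_t len = be16(p);
    p += 2;
    if ((size_t)(end - p) < len) return FIELD_SHORT_PACKET; /* declared length exceeds packet */
    if (len >= dst_cap) return FIELD_TOO_LONG;              /* no room for the terminator */
    memcpy(dst, p, len);
    dst[len] = '\0';
    *pp = p + len;
    return FIELD_OK;
}

/* Simplified login-style request: user name then path name, each as a
   length-prefixed string, parsed into fixed stack buffers. */
struct login_req { char user[64]; char path[256]; };

int parse_login(const uint8_t *pkt, size_t pkt_len, struct login_req *out) {
    const uint8_t *p = pkt, *end = pkt + pkt_len;
    int rc = read_pstring(&p, end, out->user, sizeof out->user);
    if (rc != FIELD_OK) return rc;
    return read_pstring(&p, end, out->path, sizeof out->path);
}

/* Constructed packet: the path field announces 'path_declared' bytes but only
   'path_present' bytes of 'A' follow, so the prefix can lie about the field.
   Returns bytes written, 0 if the buffer is too small. */
size_t build_login(uint8_t *buf, size_t cap, const char *user,
                   uint16_t path_declared, size_t path_present) {
    size_t ul = strlen(user), n = 0;
    if (cap < 2 + ul + 2 + path_present || ul > UINT16_MAX) return 0;
    buf[n++] = (uint8_t)(ul >> 8); buf[n++] = (uint8_t)ul;
    memcpy(buf + n, user, ul); n += ul;
    buf[n++] = (uint8_t)(path_declared >> 8); buf[n++] = (uint8_t)path_declared;
    memset(buf + n, 'A', path_present); n += path_present;
    return n;
}

/* Build-and-parse helper: returns the parse status, -99 if building failed. */
int check_login(const char *user, uint16_t path_declared, size_t path_present) {
    uint8_t pkt[1024];
    struct login_req req;
    size_t n = build_login(pkt, sizeof pkt, user, path_declared, path_present);
    if (n == 0) return -99;
    return parse_login(pkt, n, &req);
}

int main(void) {
    printf("honest 5-byte path:            %d\n", check_login("guest", 5, 5));
    printf("declares 1024, carries 8:      %d\n", check_login("guest", 1024, 8));
    printf("300-byte path into 256 buffer: %d\n", check_login("guest", 300, 300));
    return 0;
}
```

The two rejections map to the two ways the items above go wrong: a prefix
larger than the data (the LoginExt request) reads past the packet, and a
name larger than the buffer (LHA, sslway) writes past the stack buffer.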
Status: Vendor confirmed, upgrade to version 8.9.3
Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.
References:
Posting by Joel Eriksson
http://0xbadc0ded.org/advisories/0401.txt
Vendor Homepage
http://www.delegate.org/delegate/
SecurityFocus BID
http://www.securityfocus.com/bid/10295
****************************************************************
(7) MODERATE: Exim Multiple Buffer Overflow Vulnerabilities
Affected:
Exim version 3.35 and 4.32
Description: Exim is a mail transfer agent (MTA) for Unix systems
similar to sendmail. The MTA contains two stack-based buffer overflows:
(1) if "sender_verify" is set to true in the configuration file, a
specially crafted sender address can trigger a buffer overflow; (2) if
header checking is enabled in the configuration file, malformed email
headers can trigger a buffer overflow. The flaws may be exploited to
execute arbitrary code, possibly with root privileges. The technical
details and proof-of-concept exploits have been posted.
Status: Vendor has been notified. A workaround is to upgrade to version
4.32 and disable the header checking option. Note that version 4.32
contains only the second buffer overflow listed above.
Council Site Actions: Only one of the reporting council sites is running
the affected software. They don't have any special actions planned at
this time and assume their affected Debian GNU/Linux systems will obtain
the update in the near future.
References:
Posting by Georgi Guninski
http://www.guninski.com/exim1.html
Secunia Advisory
http://secunia.com/advisories/11558/
Vendor Homepage
http://www.exim.org/
SecurityFocus BID
Not yet available.
****************************************************************
(8) MODERATE: Netwin SurgeLDAP Authentication Bypass
Affected: SurgeLDAP version 1.0g Build 12 on Windows platform
Description: SurgeLDAP, an LDAP server, contains a vulnerability in its
web administration interface. A remote user can bypass authentication,
and access the administrative functions directly via specially crafted
HTTP requests. The posted advisory shows how to craft such requests.
Status: Vendor not confirmed, no patches available. A workaround is to
restrict traffic to the administrative web interface which runs on port
6680/tcp by default.
Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.
References:
SecurityTracker Advisory
http://www.securitytracker.com/alerts/2004/May/1010068.html
Vendor Homepage
http://netwinsite.com/surgeldap/
SecurityFocus BID
http://www.securityfocus.com/bid/10294
*******************************************************************
______________________________________________________________________
Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 18 2004
______________________________________________________________________
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 3418 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.
______________________________________________________________________
Summary of Updates and Vulnerabilities in this Consensus
Platform Number of Updates and Vulnerabilities
------------------------ -------------------------------------
Other Microsoft Products 1
Third Party Windows Apps 4
Mac Os 1
Linux 2
Solaris 1
Irix 1
Unix 4
Cross Platform 5
Web Application 15
______________________________________________________________________
04.18.1 - Other Microsoft Products - Internet Explorer Meta Data Foreign Domain Spoofing
04.18.2 - Third Party Windows Apps - Citrix MetaFrame XP Client Drive Access
04.18.3 - Third Party Windows Apps - Aweb Sensitive Information Disclosure
04.18.4 - Third Party Windows Apps - Aldo's Web Server Input Validation Vulnerabilities
04.18.5 - Third Party Windows Apps - Titan FTP Server Denial of Service
04.18.6 - Mac Os - OS X Multiple Unspecified Vulnerabilities
04.18.7 - Linux - ipmenu Insecure Temporary File Creation
04.18.8 - Linux - Pam-PGSQL Remote SQL Injection
04.18.9 - Solaris - Solaris Patch Information Disclosure
04.18.10 - Irix - IRIX Unspecified UDP Denial of Service
04.18.11 - Unix - Heimdal k5admind Remote Heap Overflow
04.18.12 - Unix - Exim Multiple Buffer Overflows
04.18.13 - Unix - FLIM Insecure Temporary File Creation Vulnerability
04.18.14 - Unix - Kolab Server OpenLDAP Root Password Disclosure
04.18.15 - Cross Platform - Check Point VPN-1 ISAKMP Remote Buffer Overflow
04.18.16 - Cross Platform - DeleGate SSLway Filter Buffer Overflow
04.18.17 - Cross Platform - SurgeLDAP User Authentication Bypass
04.18.18 - Cross Platform - Eudora URL Handling Buffer Overrun
04.18.19 - Cross Platform - APSIS Pound Remote Format String Vulnerability
04.18.20 - Web Application - PHPNuke Modules.php SQL Injection
04.18.21 - Web Application - Simple Machines Forum Size Tag Cross-Site Scripting
04.18.22 - Web Application - PHPX Multiple Vulnerabilities
04.18.23 - Web Application - OMail Webmail Remote Command Execution
04.18.24 - Web Application - Verity Ultraseek Error Message Path Disclosure
04.18.25 - Web Application - JForum Authorization Bypass Vulnerability
04.18.26 - Web Application - P4DB Multiple Input Validation Vulnerabilities
04.18.27 - Web Application - Message Foundry Denial of Service
04.18.28 - Web Application - Coppermine Photo Gallery Input Validation Vulnerabilities
04.18.29 - Web Application - ReciPants SQL Injection and Cross-Site Scripting
04.18.30 - Web Application - Web Wiz Forum Multiple Vulnerabilities
04.18.31 - Web Application - Moodle Cross-Site Scripting Vulnerability
04.18.32 - Web Application - PROPS Input Validation Vulnerabilities
04.18.33 - Web Application - Crystal Reports Multiple Vulnerabilities
04.18.34 - Web Application - YaBB Bulletin Board Corruption Vulnerability
______________________________________________________________________
04.18.1 CVE: Not Available
Platform: Other Microsoft Products
Title: Internet Explorer Meta Data Foreign Domain Spoofing
Description: A weakness has been reported in Internet Explorer which
could aid certificate spoofing attacks. To spoof a domain which the
user trusts an attacker would embed a certificate and content from a
foreign domain into a web page. The user is prompted to authorize the
certificate, creating the impression that the page is originating from
the real domain. This technique may be combined with web page
scripting to harvest sensitive data from users.
Ref: http://www.securityfocus.com/archive/1/361860
______________________________________________________________________
04.18.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: Citrix MetaFrame XP Client Drive Access
Description: MetaFrame is a remote terminal/desktop software suite.
MetaFrame XP specifically has been reported to have a client drive
access vulnerability. A MetaFrame administrator can freely access the
mapped drives of a client using the client's Independent Computing
Architecture (ICA) method of connection.
Ref: http://support.citrix.com/kb/entry.jspa?entryID=4289&categoryID=118
______________________________________________________________________
04.18.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: Aweb Sensitive Information Disclosure
Description: Aweb is a file sharing HTTP server and proxy. Multiple
vulnerabilities have been reported in the request processing functions
that could allow a user to disclose configuration information, or
browse arbitrary files on the filesystem. Aweb version 1.5 is reported
to be vulnerable.
Ref: http://www.oliverkarow.de/research/AldosWebserverMultipleVulns.txt
______________________________________________________________________
04.18.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: Aldo's Web Server Input Validation Vulnerabilities
Description: Aldo's Web Server is reported to be vulnerable to
information disclosure and directory traversal issues. The directory
traversal issue can be exploited by "../" sequences in the URI while
the information leak issue exposes the server root and full
installation path. Aldo's Web Server versions 1.5 and earlier are
affected.
Ref: http://www.oliverkarow.de/research/AldosWebserverMultipleVulns.txt
______________________________________________________________________
04.18.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: Titan FTP Server Denial of Service
Description: Titan FTP is an FTP server for Microsoft Windows. It has
been revealed that Titan FTP server is subject to a denial of service
attack when given a non-existent socket using the "LIST" command.
Successful exploitation of this vulnerability results in a denial of
service, as the server will crash. Titan FTP version 3.10 build 163 is
reported vulnerable. Titan FTP version 3.10 build 169 has been
released to remedy the issue.
Ref: http://secunia.com/advisories/11547/
______________________________________________________________________
04.18.6 CVE: CAN-2004-0428, CAN-2004-0430
Platform: Mac Os
Title: OS X Multiple Unspecified Vulnerabilities
Description: Apple has released a patch for OS X which fixes a number
of security issues. Buffer overflow vulnerabilities are known to exist
in AppleFileServer and the Apple CoreFoundation libraries.
Ref: http://docs.info.apple.com/article.html?artnum=61798
______________________________________________________________________
04.18.7 CVE: Not Available
Platform: Linux
Title: ipmenu Insecure Temporary File Creation
Description: ipmenu is a user interface for netfilter/iptables and
Linux policy routing. ipmenu writes a log to the fixed path
"/tmp/ipmenu.log" without proper access restrictions. A local user who
plants a symlink at that path can cause the file it points to to be
overwritten when ipmenu is executed. Versions 0.0.3 and earlier are
affected.
Ref: http://www.securitytracker.com/alerts/2004/May/1010064.html
______________________________________________________________________
04.18.8 CVE: CAN-2004-0366
Platform: Linux
Title: Pam-PGSQL Remote SQL Injection
Description: Leon J Breedt's "pam-pgsql" is a PAM module which uses
PostgreSQL. Insufficient sanitization of the password passed via PAM
exposes a SQL injection issue. This problem has been fixed in version
0.5.2-3woody2 ("Woody") and version 0.5.2-7.1 ("Sid").
Ref: http://www.securityfocus.com/advisories/6659
______________________________________________________________________
04.18.9 CVE: Not Available
Platform: Solaris
Title: Solaris Patch Information Disclosure
Description: Patches released for Solaris 9, 113579-02 through
113579-05 for Sparc, and 114342-02 through 114342-05 for x86 have
created vulnerabilities in the NIS services in regard to secure maps.
A local or remote user could gain access to secure maps or encrypted
passwords using command line NIS utilities. The patches have been
withdrawn from distribution and a fix from Sun is pending.
Ref: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57554
______________________________________________________________________
04.18.10 CVE: Not Available
Platform: Irix
Title: IRIX Unspecified UDP Denial of Service
Description: IRIX is reportedly vulnerable to a remotely exploitable
denial of service. The exact nature of the attack has not been
revealed, however it is known to be related to the handling of certain
types of UDP traffic.
Ref: ftp://patches.sgi.com/support/free/security/advisories/20040502-02-P.asc
______________________________________________________________________
04.18.11 CVE: CAN-2004-0434
Platform: Unix
Title: Heimdal k5admind Remote Heap Overflow
Description: The k5admind daemon is an administrative interface to the
Kerberos Key Distribution Center. A problem has been reported in the
Heimdal implementation of this daemon. Insufficient validation of the
length field specified by Kerberos 4 network packets exposes a buffer
overflow issue. All Heimdal versions earlier than 0.6.2 are affected.
Ref: http://www.pdc.kth.se/heimdal/advisory/2004-05-06/
______________________________________________________________________
04.18.12 CVE: Not Available
Platform: Unix
Title: Exim Multiple Buffer Overflows
Description: Exim is a Mail Transfer Agent (MTA) available for UNIX
variants. Exim is reportedly vulnerable to remote buffer overflows.
The vulnerability expresses itself in its email parsing functionality.
A specially crafted email could allow an attacker to execute arbitrary
code. Exim versions 3.35 and 4.32 are both reported vulnerable.
Ref: http://www.guninski.com/exim1.html
______________________________________________________________________
04.18.13 CVE: CAN-2004-0422
Platform: Unix
Title: FLIM Insecure Temporary File Creation Vulnerability
Description: FLIM is an Emacs program for working with Internet
messages. It creates temporary files with insufficient permissions.
This can be exploited by local users via a symlink attack to overwrite
arbitrary files. FLIM versions 1.14.3 and earlier are reported to be
vulnerable.
Ref: http://www.debian.org/security/2004/dsa-500
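ipmenu (04.18.7) and FLIM (04.18.13) are the same local symlink problem: a
fixed, predictable path is opened for writing, and a symlink planted there
by another local user redirects the write to a file of the attacker's
choosing. The following is an added example, not code from either project.
It shows the reported open pattern beside an open() that refuses
pre-existing files and symlinks, plus a small harness that plays the
attacker inside a private mkdtemp() directory (a constructed stand-in for
/tmp) to confirm both behaviours. Path and function names are this
example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The reported pattern: a predictable path opened for writing. open() with
   O_TRUNC (and fopen(path, "w")) follows a symlink at that path, so whatever
   the link points to is truncated and written with the program's privileges. */
int open_log_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_EXCL fails if anything (file or symlink) already exists at the
   path, O_NOFOLLOW refuses a symlink in the final component, and mode 0600
   keeps other users out. A pre-planted link makes the open fail with EEXIST
   or ELOOP instead of redirecting the write. For a real temp file, prefer
   mkstemp() under a private 0700 directory so there is no fixed name at all. */
int open_log_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Demonstration: plant a symlink where the program will write its log, then
   try both opens. Returns 1 if the unsafe open wrote through the link and the
   safe open refused, 0 if either expectation failed, -1 on setup error. */
int symlink_attack_demo(void) {
    char dir[] = "/tmp/ipmenu_demo.XXXXXX";
    char victim[300], link[300];
    struct stat sv, sf;
    int fd, rc = -1, unsafe_followed = 0, safe_refused = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/ipmenu.log", dir);

    /* Victim file with content, standing in for a file the attacker cannot write. */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) goto cleanup;
    if (write(fd, "secret\n", 7) != 7) { close(fd); goto cleanup; }
    close(fd);

    /* The attacker plants the link before the privileged program runs. */
    if (symlink(victim, link) != 0) goto cleanup;

    /* Unsafe open follows the link: the descriptor is the victim, now truncated. */
    fd = open_log_unsafe(link);
    if (fd >= 0) {
        if (stat(victim, &sv) == 0 && fstat(fd, &sf) == 0 &&
            sv.st_ino == sf.st_ino && sf.st_size == 0)
            unsafe_followed = 1;
        close(fd);
    }

    /* Safe open refuses: O_EXCL sees the existing link, O_NOFOLLOW will not cross it. */
    fd = open_log_safe(link);
    safe_refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0) close(fd);

    rc = (unsafe_followed && safe_refused) ? 1 : 0;
cleanup:
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void) {
    int r = symlink_attack_demo();
    printf("unsafe open followed the symlink and safe open refused: %s\n",
           r == 1 ? "yes" : (r == 0 ? "no" : "setup failed"));
    return r == 1 ? 0 : 1;
}
```

Everything the harness creates lives under the mkdtemp() directory and is
removed on the way out, so running it leaves nothing behind in /tmp.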
______________________________________________________________________
04.18.14 CVE: Not Available
Platform: Unix
Title: Kolab Server OpenLDAP Root Password Disclosure
Description: Kolab, a groupware server, is reportedly vulnerable to a
local password disclosure issue. This occurs because the OpenLDAP root
passwords are stored in clear text in the "slapd.conf" file. This was
reported for version 1.x of the server.
Ref: http://www.kolab.org/pipermail/kolab-users/2004-April/000215.html
______________________________________________________________________
04.18.15 CVE: CAN-2004-0040
Platform: Cross Platform
Title: Check Point VPN-1 ISAKMP Remote Buffer Overflow
Description: An ISAKMP vulnerability has been discovered affecting
Check Point VPN-1 products. During negotiations for a VPN tunnel a
buffer overrun could be exploited, potentially compromising the
gateway. The most recent Hotfix Accumulators (HFAs) address this
issue.
Ref: http://www.checkpoint.com/techsupport/alerts/ike_vpn.html
______________________________________________________________________
04.18.16 CVE: Not Available
Platform: Cross Platform
Title: DeleGate SSLway Filter Buffer Overflow
Description: DeleGate is a multi-purpose application level gateway
which runs on many platforms. A boundary checking error exists in the
"SSLway" filter which may be exploited using a specially crafted
certificate. Due to the nature of the problem it is likely that this
may be leveraged to execute arbitrary code on the vulnerable server.
DeleGate versions 8.9.2 and earlier are known to be affected.
Ref: http://0xbadc0ded.org/advisories/0401.txt
______________________________________________________________________
04.18.17 CVE: Not Available
Platform: Cross Platform
Title: SurgeLDAP User Authentication Bypass
Description: SurgeLDAP's administrative web interface is reportedly
vulnerable to an authentication bypass issue. This allows attackers to
gain administrative level access to the resources. This was reported
for version 1.0g Build 12 of the software.
Ref: http://secunia.com/advisories/11549/
______________________________________________________________________
04.18.18 CVE: Not Available
Platform: Cross Platform
Title: Eudora URL Handling Buffer Overrun
Description: Eudora is a multi-platform mail reader application. A
buffer overflow has been discovered in the URL handling functionality
which may be exploited by sending a mail message containing an
excessively long link. Theoretically this overflow could be leveraged
to execute arbitrary code, however exploitation does require the user
to click on the malicious link.
Ref: http://www.maths.usyd.edu.au/u/psz/securepc.html#Eudoraxx
______________________________________________________________________
04.18.19 CVE: Not Available
Platform: Cross Platform
Title: APSIS Pound Remote Format String Vulnerability
Description: Pound is a reverse-proxy and load-balancer. Pound
versions 1.5 and earlier are vulnerable to a format string issue that
may lead to arbitrary code execution.
Ref: http://www.namazu.org/~takesako/pound/errata.html
______________________________________________________________________
04.18.20 CVE: Not Available
Platform: Web Application
Title: PHPNuke Modules.php SQL Injection
Description: PHPNuke is a web-based content management application
implemented in PHP. Reportedly the "modules.php" script is susceptible
to SQL injection attacks due to poor sanitization of user supplied
data. PHPNuke versions 7.2 and prior are reported to be affected by
this issue.
Ref: http://www.waraxe.us/index.php?modname=sa&id=27
______________________________________________________________________
04.18.21 CVE: Not Available
Platform: Web Application
Title: Simple Machines Forum Size Tag Cross-Site Scripting
Description: Simple Machines Forum (SMF) is a web forum application.
Insufficient sanitization of the font attribute "size" exposes a
cross-site scripting issue. Exploitation of this issue could allow for
theft of cookie-based authentication credentials. SMF versions 1.0
Beta 5 public and earlier are affected.
Ref: http://seclists.org/lists/bugtraq/2004/May/0051.html
______________________________________________________________________
04.18.22 CVE: Not Available
Platform: Web Application
Title: PHPX Multiple Vulnerabilities
Description: PHPX is a web-based content management system. It is
reportedly vulnerable to multiple cross-site scripting and
authorization bypass issues due to insufficient user-input
sanitization in various scripts. This problem was reported for version
3.x of PHPX.
Ref: http://secunia.com/advisories/11554/
______________________________________________________________________
04.18.23 CVE: Not Available
Platform: Web Application
Title: OMail Webmail Remote Command Execution
Description: OMail is a webmail application implemented in Perl. An
input validation problem reportedly allows remote attackers to execute
arbitrary commands by submitting specially crafted URI data. OMail
versions 0.98.5 and prior are reported vulnerable.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-05/0032.html
______________________________________________________________________
04.18.24 CVE: CAN-2004-0050
Platform: Web Application
Title: Verity Ultraseek Error Message Path Disclosure
Description: Verity Ultraseek is a web-based search application. The
application discloses the path of the document root when an invalid
request consisting of a standard device name such as NUL, CON, AUX,
COM1, or COM2 is issued. Verity Ultraseek versions 5.2.1 and earlier
are affected.
Ref: http://www.corsaire.co.uk/advisories/c040113-001.txt
______________________________________________________________________
04.18.25 CVE: Not Available
Platform: Web Application
Title: JForum Authorization Bypass Vulnerability
Description: JForum is a web-based bulletin board system. JForum
reportedly has a problem with access management. An unauthorized user
could gain access to a normally restricted message board. The
vulnerability is exercised by modifying URL requests, allowing an
attacker to view and post messages.
Ref: http://www.jforum.net/posts/list/137.page
______________________________________________________________________
04.18.26 CVE: Not Available
Platform: Web Application
Title: P4DB Multiple Input Validation Vulnerabilities
Description: P4DB is a web-based interface to Perforce source code
repositories. It is vulnerable to multiple input validation issues
potentially allowing an attacker to execute system commands or to
perform cross-site scripting attacks. P4DB version 2.x is known to be
vulnerable.
Ref: http://secunia.com/advisories/11559/
______________________________________________________________________
04.18.27 CVE: Not Available
Platform: Web Application
Title: Message Foundry Denial of Service
Description: Message Foundry version 2.75.0003 doesn't handle HTTP GET
requests for reserved DOS device names like COM1. The daemon will
still accept connections, but will not process further requests.
Ref: http://www.oliverkarow.de/research/AppFoundryCOM1_Dos.txt
______________________________________________________________________
04.18.28 CVE: Not Available
Platform: Web Application
Title: Coppermine Photo Gallery Input Validation Vulnerabilities
Description: Coppermine Photo Gallery is a web application implemented
in PHP. The software is afflicted by a number of input validation
issues which result in cross-site scripting, directory traversal and
remote command execution vulnerabilities. These issues are known to
affect the Coppermine version 1.2 standalone implementation.
Ref: http://www.zone.ee/waraxe//index.php?modname=sa&id=26
______________________________________________________________________
04.18.29 CVE: Not Available
Platform: Web Application
Title: ReciPants SQL Injection and Cross-Site Scripting
Description: ReciPants is a web-based recipe management application.
Insufficient sanitization of user supplied input in "user.cgi" and
"recipe_search.cgi" exposes multiple cross-site scripting and SQL
injection issues. ReciPants versions 1.1.1 and earlier are affected.
Ref: http://archives.neohapsis.com/archives/secunia/2004-q2/0261.html
______________________________________________________________________
04.18.30 CVE: Not Available
Platform: Web Application
Title: Web Wiz Forum Multiple Vulnerabilities
Description: Web Wiz Forums is a web-based bulletin-board system for
Microsoft Windows. It has been revealed that Web Wiz Forums is
susceptible to multiple vulnerabilities. The vulnerabilities fall
under the umbrella of improper user input sanitization and include SQL
injection and authentication bypass. Web Wiz Forums versions 7.0 to 7.5
are reported to be vulnerable.
Ref: http://secunia.com/advisories/11525/
______________________________________________________________________
04.18.31 CVE: Not Available
Platform: Web Application
Title: Moodle Cross-Site Scripting Vulnerability
Description: Moodle is a course management system written in PHP. A
cross-site scripting vulnerability has been reported in the "help.php"
script. The "text" parameter can be injected with arbitrary HTML and
script code. Moodle versions 1.3dev and previous are known to be
vulnerable.
Ref: http://secunia.com/advisories/11535/
______________________________________________________________________
04.18.32 CVE: Not Available
Platform: Web Application
Title: PROPS Input Validation Vulnerabilities
Description: PROPS is an internet publishing and content management
system. PROPS is reportedly vulnerable to SQL injection and cross-site
scripting attacks as a result of the application's failure to
correctly sanitize user supplied data. These issues have been fixed in
version 0.6.2 of PROPS. All prior versions are affected.
Ref: http://www.securityfocus.com/archive/1/361906
______________________________________________________________________
04.18.33 CVE: Not Available
Platform: Web Application
Title: Crystal Reports Multiple Vulnerabilities
Description: Crystal Reports is a data management and reporting
application for .Net and Java. Multiple vulnerabilities have been
reported in the web interface which would allow a remote attacker to
access and modify files on the server. Crystal Reports versions up to
and including 10.0 are reported to be affected.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-05/0007.html
______________________________________________________________________
04.18.34 CVE: Not Available
Platform: Web Application
Title: YaBB Bulletin Board Corruption Vulnerability
Description: YaBB is a web-based bulletin board. The non-SQL
implementation of the package is reportedly vulnerable to arbitrary
character injection in the Subject field of a newly created thread.
This corrupts the bulletin board, and could cause a denial of service
condition for legitimate users of the board.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-05/0014.html
______________________________________________________________________
(c) 2004. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a
party other than Qualys (as indicated herein) and permission to use
such material must be requested from the copyright owner.
==end==
Subscriptions:
RISK is distributed free of charge to people
responsible for managing and securing information systems and networks.
You may forward this newsletter to others with such responsibility
inside or outside your organization.
To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS' other free newsletters.
To change your subscription, address, or other information, visit
http://portal.sans.org
Copyright 2004. All rights reserved. No posting or reuse allowed,
other than listed above, without prior written permission.