RISK: The Consensus Security Vulnerability Alert Vol. 3 No. 23
From: The SANS Institute (ConsensusSecurityVulnerabilityAlert
sans.org)
Date: Sun Jun 13 2004 - 21:59:58 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A rather troubling vulnerability in Internet Explorer (Number 1 below)
is already being exploited while users wait for Microsoft to find a way
to fix it.
Also, today is the deadline for special hotel rates in Monterey - Don't
forget to book your hotel reservation for SANSFire (July 5-13) to
receive the special SANS rate. Wednesday is also the deadline before the
$150 late fee kicks in so make sure to register for the conference and
your hotel room at http://www.sans.org/sansfire2004/
*************************************************************************
RISK: The Consensus Security Vulnerability Alert
June 14, 2004 Vol. 3. Week 23
*************************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I, supported by TippingPoint and Cisco). It also includes a
comprehensive list of all new vulnerabilities discovered in the past
week (PART II, supported by Qualys).
-------------------------------------------------------------------------
Summary of the vulnerabilities reported this week
Category - # of Updates & Vulnerabilities
(Found in Part I(Item #) or Part II)
-------------------------------------------------------------------------
Windows - 1 (#1)
Other Microsoft Products - 6
Third Party Windows Apps - 5 (#4)
MacOS - 2
Linux - 1 (#9)
BSD - 1
Solaris - 1
UNIX - 2 (#3, #6, #8)
Cross Platform -10 (#2)
Web Application -10 (#5, #7)
Network Device - 5
Hardware - 1
-------------------------------------------------------------------------
Part I Critical Vulnerabilities
Part I is compiled by the security team at TippingPoint
(www.tippingpoint.com) as a by-product of that company's continuous
effort to ensure that its intrusion prevention products effectively
block exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed
description of the process may be found at
http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/
******************
Contents of Part I
Widely Deployed Software
(1) HIGH: Internet Explorer Multiple Vulnerabilities
(2) MODERATE: Oracle E-Business Suite SQL Injection Vulnerabilities
(3) MODERATE: CVS Server Remote Code Execution Vulnerabilities
(4) MODERATE: Real Networks RealPlayer Multiple Vulnerabilities
Other Software
(5) HIGH: PHP Shell Escape Functions Remote Command Execution
(6) MODERATE: Squid Web Proxy NTLM Authentication Buffer Overflow
(7) MODERATE: Invision Power Board SQL Injection
(8) LOW: Apache "mod_proxy" Module Buffer Overflow
Exploit Code
(9) Firebird/Borland Interbase Database Buffer Overflow
************************** SPONSORED LINK ***************************
Note: this link takes you to a non-SANS site.
(1) Discover, audit, remediate and report vulnerabilities - increasing
the efficiency of your overall threat reduction strategy. Free Trial:
http://www.sans.org/click.php?id=474
***********************************************************************
This Week's Featured Security Training Program: SANSFIRE 2004
Monterey, CA, July 5-13, 2004
SANSFIRE offers you 14 immersion training tracks in one of the most
beautiful and romantic places in America. Phenomenal training for
auditors who want to master the challenges of security auditors, for
managers who want to build a great security program, for security
beginners who want to get a fast start, and, of course, the only place
to go for technologists who want to master the most current methods for
protecting systems and networks. SANSFIRE also offers lots of evening
programs, extra one-day classes ranging from security business law to
cyberwarrior training, and vendor exhibits, too.
Register soon to get a seat at your choice of courses.
http://www.sans.org/sansfire2004
***********************************************************************
******************************
Widely Deployed Software
******************************
(1) HIGH: Internet Explorer Multiple Vulnerabilities
Affected: IE 6.0 and 6.0 SP1
Description: Fully patched versions of Internet Explorer reportedly
contain the following vulnerabilities that are being exploited in the
wild to compromise client systems. (a) Internet Explorer successfully
processes a webserver response that redirects the location of a resource
to a file on the client system. Note that this file can be accessed in
the security context of the "Local Computer Zone". (b) Internet Explorer
contains a cross-domain vulnerability that can be triggered when
handling a frame, and a "modal dialog box" that is invoked from the
frame. These vulnerabilities can be exploited by a malicious website to
execute arbitrary code on a client system. The technical details and the
exploits have been publicly posted.
Status: Microsoft not confirmed, no patches available.
Council Site Actions: Most of the reporting council sites are awaiting
the vendor patches. Some sites plan to roll out the patch during the
normal system update cycle and others plan to expedite the rollout.
Several sites have already notified their desktop support teams to be
aware of the problem.
References:
Posting by Rafel Ivgi
http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0031.html
Analysis by Jelmer
http://62.131.86.111/analysis.htm
Proof-of-Concept Exploits
http://62.131.86.111/security/idiots/repro/installer.htm
http://62.131.86.111/security/idiots/repro/sp0/installer.htm
CERT Advisory
http://www.kb.cert.org/vuls/id/713878
Modal Dialog Box Reference
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/reference/methods/showmodaldialog.asp
SecurityFocus BIDs
http://www.securityfocus.com/bid/10473
http://www.securityfocus.com/bid/10472
****************************************************************
(2) MODERATE: Oracle E-Business Suite SQL Injection Vulnerabilities
Affected:
Oracle E-Business Suite versions 11i, 11.5.1 to 11.5.8
Oracle Applications version 11.0
Description: Oracle E-Business suite offers a set of applications to
automate business processes such as marketing, customer services,
supply-chain management etc. The pertinent business information is
typically stored in a single database, and accessed via the web
front-end offered by the E-Business suite applications. This suite
contains multiple SQL injection vulnerabilities. These flaws can be
exploited via malicious HTTP requests to execute arbitrary SQL
statements and procedures against the back-end database, possibly
resulting in the compromise of the entire database. Note that the
Internet facing web servers hosting the E-Business suite applications
face the maximum risk. Very limited technical details regarding how to
exploit the flaws have been posted.
Status: Vendor confirmed, updates available.
Council Site Actions: Only one of the reporting council sites is using
the affected software; however their Oracle servers are internal facing
only. They plan to install the patches after regression testing.
References:
Posting by Integrigy Security
http://archives.neohapsis.com/archives/vulnwatch/2004-q2/0032.html
Oracle Security Advisory
http://otn.oracle.com/deploy/security/pdf/2004alert67.pdf
Oracle E-Business Suite Homepage
http://www.oracle.com/applications/index.html
SecurityFocus BID
http://www.securityfocus.com/bid/10465
****************************************************************
(3) MODERATE: CVS Server Remote Code Execution Vulnerabilities
Affected:
CVS feature release version 1.12.8 and prior
CVS stable release version 1.11.16 and prior
Description: CVS, the most popular source code control and versioning
system, contains multiple vulnerabilities. These flaws were found after
an inspection of the CVS source code. Many of the vulnerabilities found
can cause only a DoS, or require CVS commit access for further
exploitation. However, the following vulnerabilities can be exploited
to execute arbitrary code, and require only authentication to the CVS
server: (a) A vulnerability in the implementation of the "Argumentx"
command can be exploited by an authenticated user to execute arbitrary
code on the CVS server. The Argumentx command appends more data to the
current "argument" being saved. The problem arises because the server
fails to check that an argument has already been declared. This results
in freeing the same memory twice (a double-free bug). (b) A vulnerability
in the implementation of the "serve_notify" function can be exploited by
an authenticated user to execute arbitrary code. The problem arises because
this function does not properly handle empty data lines. Note that a CVS
repository configured for "anonymous read-only" access also faces the
risk of getting compromised. The technical details required to leverage
the flaws have been posted. Further information can be obtained by
examining the fixed and the vulnerable version of the software.
Status: Vendor confirmed, fixes available. Upgrade to version 1.12.9 or
1.11.17.
Council Site Actions: Only one of the reporting council sites is using
the affected software on a very small number of systems. Given that
users with CVS write privileges also have login access to their CVS
server machines, they consider this vulnerability to be unimportant.
References:
Posting by Stefan Esser
http://www.securityfocus.com/archive/1/365541/2004-06-07/2004-06-13/0
CVS Client Server Protocol
http://www.cvsnt.org/cvsclient/Requests.html
Vendor Homepage
http://www.cvshome.org
SecurityFocus BID
http://www.securityfocus.com/bid/10499
****************************************************************
(4) MODERATE: Real Networks RealPlayer Multiple Vulnerabilities
Affected:
RealOne Player
RealOne Player v2
RealPlayer 10
RealPlayer 8
RealPlayer Enterprise
Description: RealPlayer is one of the most popular internet media players,
with a reported user base of over 200 million. The player contains the
following vulnerabilities: (a) The "embd3260.dll" is responsible for
handling error messages for the player. This dll contains a heap-based
overflow that can be triggered by a malformed movie embedded in a
webpage. (b) The player contains another overflow that can be triggered
by URLs containing a large number of "." characters. Both these flaws
can be exploited by a malicious webpage to execute arbitrary code on a
client system with the privileges of the media player. The technical
details required to leverage the vulnerabilities have been posted.
Status: Vendor confirmed, patches available.
Council Site Actions: All of the reporting council sites are using the
affected software. However, most sites do not officially support the
software. One site does plan to roll out the patches during their
normal system upgrade process. Another site is investigating if they can
provide the users the patch. The remaining sites will rely on the users
to install the patch if necessary.
References:
eEye Advisory
http://www.securityfocus.com/archive/1/365709/2004-06-07/2004-06-13/0
iDefense Advisory
http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0293.html
Real Networks Advisory
http://service.real.com/help/faq/security/040610_player/EN/
SecurityFocus BIDs
http://www.securityfocus.com/bid/10518
http://www.securityfocus.com/bid/10527
**********************
Other Software
**********************
(5) HIGH: PHP Shell Escape Functions Remote Command Execution
Affected: PHP versions prior to 4.3.7 on Windows platforms
Description: PHP, a widely used web scripting language, contains a
vulnerability in its implementation of "escapeshellcmd()" and
"escapeshellarg()" functions. These functions perform sanitization of
the user-supplied input before it is passed to any command execution PHP
functions such as "system()". However, the functions fail to perform
proper checking for some shell metacharacters on the Windows platform.
Hence, the flaws can possibly be exploited to execute arbitrary commands
on a web server. Note that only PHP scripts that invoke command
execution functions with the user-supplied arguments are vulnerable. The
technical details and proof-of-concept exploits have been posted.
Status: Vendor confirmed, upgrade to version 4.3.7.
Council Site Actions: Only three of the reporting council sites are
using the affected software and they have notified their UNIX support
teams to be aware of the problem. Two of the sites will roll out the
patch during their normal system update process. The third site does
not believe their users would run commands with arguments from an
untrusted site; thus they do not plan any action at this time.
References:
iDefense Advisory
http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0123.html
Posting by Daniel Fabian
http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0100.html
Vendor Homepage
http://www.php.net
SecurityFocus BID
http://www.securityfocus.com/bid/10471
****************************************************************
(6) MODERATE: Squid Web Proxy NTLM Authentication Buffer Overflow
Affected: Squid Proxy version 2.5.x and 3.x
Description: Squid is a widely used open-source web proxy server on
UNIX systems. The Squid proxy can be configured to use the NTLM
authentication scheme for user authentication, if compiled with the NTLM
helper. In such a configuration, the Squid proxy contains a stack-based
buffer overflow in the "ntlm_check_auth" function. The flaw can be
exploited to execute arbitrary code on the server. The posted advisory
contains the technical details required to leverage the vulnerability.
Status: Vendor confirmed, patch available.
Council Site Actions: Three of the reporting council sites are using
the affected software. However two of them are not using NTLM
authentication; thus no action is necessary. The third site was using
NTLM authentication but has reverted to other means until the patches
can be installed. They plan to roll out the patches during their
normal system update process.
References:
iDefense Advisory
http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0191.html
Patch Download
http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch
Squid NTLM Authentication
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html
http://squid.sourceforge.net/ntlm/faq.html
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#winbind
SecurityFocus BID
http://www.securityfocus.com/bid/10500
****************************************************************
(7) MODERATE: Invision Power Board SQL Injection
Affected: Invision Power Board version 1.3.1 Final
Description: Invision Power Board, a forum software, reportedly contains
a SQL injection vulnerability. The problem exists because the "ssi.php"
module does not perform proper sanitization for the user-supplied values
to the HTTP parameters. An attacker can exploit the flaw to execute
arbitrary SQL statements against the forum's database server, and
possibly compromise the forum application. The posting shows how to
craft a malicious HTTP request to leverage the flaw.
Status: Vendor not confirmed, no patches available.
Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.
References:
Postings by JvdR
http://www.securityfocus.com/archive/1/365473/2004-06-07/2004-06-13/0
http://www.securityfocus.com/archive/1/365697/2004-06-07/2004-06-13/0
SecurityTracker Advisory
http://www.securitytracker.com/alerts/2004/Jun/1010448.html
Vendor Homepage
http://www.invisionboard.com
SecurityFocus BID
Not yet available.
****************************************************************
(8) LOW: Apache "mod_proxy" Module Buffer Overflow
Affected: mod_proxy module in Apache version 1.3.31 and earlier
Description: The Apache "mod_proxy" module implements forward and
reverse proxy functionality for FTP, SSL and HTTP protocols. This module
contains a heap-based buffer overflow in its "ap_bread" function. The
flaw can be triggered when a malicious web server sends an HTTP response
with a negative content-length to the Apache proxy. For example, an
attacker can entice a client, whose HTTP requests are being handled by
the Apache proxy, to connect to a malicious web server. The buffer
overflow can possibly be exploited to execute arbitrary code with the
Apache server's privileges (not confirmed). The posted advisory contains
the technical details and a proof-of-concept exploit.
Status: Vendor confirmed, upgrade to Apache version 1.3.32-dev. An
unofficial fix is also included in the posted advisory.
Council Site Actions: Two of the reporting council sites are using the
mod_proxy module. One site will address the issue when Apache 1.3.32
is available for the proxies they have built. They will also start
requesting vendors to include mod_proxy in the proxy appliances they
sell. The other site has a small number of Apache web servers that
support mod_proxy. They are investigating whether any of them are
unpatched and, if so, will notify the system administrators to upgrade.
References:
Posting by Georgi Guninski
http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0276.html
Secunia Advisory
http://secunia.com/advisories/11841
Apache mod_proxy Documentation
http://httpd.apache.org/docs/mod/mod_proxy.html
SecurityFocus BID
http://www.securityfocus.com/bid/10508
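As a defender's illustration of the missing check in item (8), the following added Python (not Apache code) validates an upstream HTTP response's Content-Length before a proxy buffers the body: it rejects signed or non-numeric values such as a negative length, caps the declared size so it cannot drive an unbounded allocation, and, as an extra check beyond what the page describes, refuses duplicate Content-Length headers. The sample responses are constructed for the example.

```python
"""Content-Length validation for a buffering proxy.

Added illustration of the check a proxy needs before trusting an
upstream server's Content-Length; this is not Apache's mod_proxy code.
"""
import re

# RFC 2616 section 14.13: Content-Length = "Content-Length" ":" 1*DIGIT.
# A sign, embedded whitespace or any non-digit makes the header malformed.
_CONTENT_LENGTH_RE = re.compile(rb"^[0-9]+$")


class MalformedResponse(ValueError):
    """Raised when an upstream response must be rejected rather than relayed."""


def parse_content_length(value: bytes, max_body: int) -> int:
    """Return the declared body length, or raise if it cannot be trusted.

    The mod_proxy flaw came from accepting a negative value and using it
    as a buffer size. Refusing anything that is not a plain non-negative
    decimal removes that case; the cap bounds what a server can ask a
    proxy to allocate.
    """
    value = value.strip()
    if not _CONTENT_LENGTH_RE.match(value):
        raise MalformedResponse(f"non-numeric or signed Content-Length: {value!r}")
    length = int(value)
    if length > max_body:
        raise MalformedResponse(f"Content-Length {length} exceeds limit {max_body}")
    return length


def split_head(raw: bytes):
    """Split a raw response into (status_line, headers, body).

    Header names are lower-cased; a repeated header is rejected so that
    two conflicting Content-Length values cannot be silently resolved.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise MalformedResponse("end of headers not found")
    lines = head.split(b"\r\n")
    status_line, header_lines = lines[0], lines[1:]
    headers = {}
    for line in header_lines:
        name, colon, val = line.partition(b":")
        if not colon:
            raise MalformedResponse(f"bad header line: {line!r}")
        key = name.strip().lower()
        if key in headers:
            raise MalformedResponse(f"duplicate header: {key!r}")
        headers[key] = val.strip()
    return status_line, headers, body


def buffer_body(raw: bytes, max_body: int = 1 << 20) -> bytes:
    """Return the body bytes only after Content-Length has been validated."""
    _status, headers, body = split_head(raw)
    if b"content-length" not in headers:
        raise MalformedResponse("Content-Length missing (chunked/close-delimited "
                                "bodies are out of scope for this example)")
    length = parse_content_length(headers[b"content-length"], max_body)
    if len(body) < length:
        raise MalformedResponse(f"body shorter than declared length {length}")
    return body[:length]


def relay_decision(raw: bytes, max_body: int = 1 << 20) -> str:
    """Summarise what the proxy would do with a response: 'relay' or 'reject: <why>'."""
    try:
        buffer_body(raw, max_body)
    except MalformedResponse as exc:
        return f"reject: {exc}"
    return "relay"


# Constructed sample responses from an upstream server (not real captures).
GOOD_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                 b"Content-Length: 5\r\n\r\nhello")
NEGATIVE_LENGTH = b"HTTP/1.1 200 OK\r\nContent-Length: -1\r\n\r\n"
SIGNED_LENGTH = b"HTTP/1.1 200 OK\r\nContent-Length: +5\r\n\r\nhello"
HUGE_LENGTH = b"HTTP/1.1 200 OK\r\nContent-Length: 99999999999\r\n\r\n"
DUPLICATE_LENGTH = (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n"
                    b"Content-Length: 50\r\n\r\nhello")

if __name__ == "__main__":
    for name, sample in [("good", GOOD_RESPONSE), ("negative", NEGATIVE_LENGTH),
                         ("signed", SIGNED_LENGTH), ("huge", HUGE_LENGTH),
                         ("duplicate", DUPLICATE_LENGTH)]:
        print(f"{name:10s} -> {relay_decision(sample)}")
```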
************************
Exploit Code
************************
(9) Firebird/Borland Interbase Database Buffer Overflow
An exploit has been released that targets Borland Interbase database.
This vulnerability was discussed in last week's RISK newsletter.
Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.
References:
Exploit Code by Priv8Security.com
http://www.packetstormsecurity.com/0406-exploits/priv8ibserver.pl
Previous RISK newsletter Posting
http://www.sans.org/newsletters/risk/vol3_22.php (Item #6)
****************************************************************
______________________________________________________________________
Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 23 2004
______________________________________________________________________
This list is compiled by Qualys (www.qualys.com) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 3474 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.
______________________________________________________________________
Summary of Updates and Vulnerabilities in this Consensus
Platform Number of Updates and Vulnerabilities
------------------------ -------------------------------------
Other Microsoft Products 6
Third Party Windows Apps 5
Mac Os 2
Linux 1
BSD 1
Solaris 1
Unix 2
Cross Platform 10
Web Application 10
Network Device 5
Hardware 1
______________________________________________________________________
04.23.1 - Other Microsoft Products - Microsoft Internet Explorer URL
Local Resource Access
04.23.2 - Other Microsoft Products - Microsoft Internet Explorer Dialog
Zone Bypass Vulnerability
04.23.3 - Other Microsoft Products - Microsoft DirectX DirectPlay
Remote Denial of Service
04.23.4 - Other Microsoft Products - Microsoft Internet Explorer File
Installation Vulnerability
04.23.5 - Other Microsoft Products - Microsoft Internet Explorer URL
Obfuscation Weakness
04.23.6 - Other Microsoft Products - Microsoft Crystal Reports
Directory Traversal
04.23.7 - Third Party Windows Apps - FoolProof Security Password
Recovery Vulnerability
04.23.8 - Third Party Windows Apps - PHP Windows Shell Functions
Command Execution
04.23.9 - Third Party Windows Apps - AspDotNetStorefront ReturnURL
Cross-Site Scripting
04.23.10 - Third Party Windows Apps - ignitionServer IRC Server
Authentication Bypass
04.23.11 - Third Party Windows Apps - WinAgents TFTP Server Remote
Buffer Overrun
04.23.12 - Mac Os - Qualcomm Eudora Internet Mail Server Remote Buffer
Overflow
04.23.13 - Mac Os - Apple Mac OS X Multiple Security Vulnerabilities
04.23.14 - Linux - SMTP.Proxy Remote Format String Vulnerability
04.23.15 - BSD - OpenBSD ISAKMPD Denial of Service
04.23.16 - Solaris - Sun Crypto Accelerator 4000 Software OpenSSL
Vulnerabilities
04.23.17 - Unix - Squid Proxy NTLM Authentication Buffer Overflow
04.23.18 - Unix - Webmin Module Configuration Information Disclosure
04.23.19 - Cross Platform - Oracle E-Business Suite Multiple SQL
Injection Vulnerabilities
04.23.20 - Cross Platform - L2TPD BSS Buffer Overflow
04.23.21 - Cross Platform - cPanel Unauthorized DNS Information Deletion
Vulnerability
04.23.22 - Cross Platform - PostgreSQL ODBC Driver Remote Buffer
Overflow
04.23.23 - Cross Platform - IBM GSKit SSL Handshake Denial of Service
04.23.24 - Cross Platform - NetWin SurgeMail/WebMail Input Validation
Weakness
04.23.25 - Cross Platform - jCIFS Invalid Username Authentication
Weakness
04.23.26 - Cross Platform - Apache mod_proxy Remote Buffer Overflow
04.23.27 - Cross Platform - RealNetworks RealPlayer Remote Buffer
Overflows
04.23.28 - Cross Platform - Subversion Remote Heap Overflow
04.23.29 - Web Application - PHP-Nuke Reviews Module Cross-Site Scripting
04.23.30 - Web Application - Crafty Syntax Live Help Multiple HTML
Injection Vulnerabilities
04.23.31 - Web Application - Webmin Multiple Vulnerabilities
04.23.32 - Web Application - Blosxom Writeback Cross-Site Scripting
Vulnerability
04.23.33 - Web Application - Roundup Remote File Disclosure
04.23.34 - Web Application - Horde IMP Input Validation Vulnerability
04.23.35 - Web Application - AspDotNetStorefront Improper Access
Validation
04.23.36 - Web Application - Invision Power Board SSI.PHP SQL Injection
04.23.37 - Web Application - Blackboard Learning System File Download
Vulnerability
04.23.38 - Web Application - Open Webmail Content Injection
04.23.39 - Network Device - Symantec Gateway 360R Wireless VPN Bypass
04.23.40 - Network Device - U.S. Robotics Broadband Router Insecure
Password Vulnerability
04.23.41 - Network Device - Cisco CatOS TCP-ACK Denial of Service
04.23.42 - Network Device - Billion BIPAC-640 AE Administration
Authentication Bypass
04.23.43 - Network Device - Edimax EW7205-APL Default Backdoor Account
04.23.44 - Hardware - Linksys Web Camera File Disclosure
______________________________________________________________________
04.23.1 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer URL Local Resource Access
Description: Microsoft Internet Explorer is vulnerable to a URL
processing weakness that could allow malicious web pages to reference
and load local resources contrary to computer security policy
settings. Internet Explorer 6.0 SP1 is known to be vulnerable.
Ref: http://www.securityfocus.com/archive/1/365293
______________________________________________________________________
04.23.2 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer Dialog Zone Bypass Vulnerability
Description: Microsoft Internet Explorer may permit cross-zone access,
allowing an attacker to execute malicious script code in the context
of the Local Zone. This vulnerability could be exploited in
combination with a number of other types of attacks such as execution
of arbitrary code. Internet Explorer versions 6.0 and 6.0 SP1 are
reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/10473
______________________________________________________________________
04.23.3 CVE: CAN-2004-0202
Platform: Other Microsoft Products
Title: Microsoft DirectX DirectPlay Remote Denial of Service
Description: The Microsoft DirectX DirectPlay service is reportedly
vulnerable to a remote denial of service condition. This issue
manifests itself when the service receives a specifically malformed
network packet. The service fails to validate the malformed data and
enters a denial of service condition. Microsoft has released a patch
to remedy this issue.
Ref: http://www.microsoft.com/technet/security/bulletin/MS04-016.mspx
______________________________________________________________________
04.23.4 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer File Installation Vulnerability
Description: Microsoft Internet Explorer is reportedly vulnerable to
an arbitrary local file creation and overwrite issue. If a user opens
a local HTML file in Internet Explorer, a malicious script embedded in
the HTML file can use the ActiveX "ADODB.Stream" object to create or
overwrite arbitrary files on the local filesystem. For this to occur,
the script must retrieve an external malicious file from an attacker
specified web site using the "XMLHTTP" ActiveX object.
Ref: http://seclists.org/lists/fulldisclosure/2003/Aug/1703.html
______________________________________________________________________
04.23.5 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer URL Obfuscation Weakness
Description: Microsoft Internet Explorer may allow an attacker to
obfuscate the URL of a link. Under certain conditions the true URL of
the site displayed in the browser window may be obfuscated by a
combination of special characters. This exploit works only if the
redirect URL is hosted by IIS 4.0.
Ref: http://secunia.com/advisories/11830/
______________________________________________________________________
04.23.6 CVE: CAN-2004-0204
Platform: Other Microsoft Products
Title: Microsoft Crystal Reports Directory Traversal
Description: Crystal Reports and the Crystal Enterprise Web viewers
are vulnerable to a directory traversal issue. Insufficient
sanitization of HTTP requests exposes this vulnerability. This issue
affects Visual Studio .NET 2003, Outlook 2003 with Business Contact
Manager and Microsoft Business Solutions CRM 1.2.
Ref: http://www.microsoft.com/technet/security/bulletin/ms04-017.mspx
______________________________________________________________________
04.23.7 CVE: Not Available
Platform: Third Party Windows Apps
Title: FoolProof Security Password Recovery Vulnerability
Description: SmartStuff FoolProof is a policy enforcement engine for
managing computer resources. It has been reported that FoolProof is
vulnerable to a password recovery weakness. An unprivileged user could
use this weakness to gain administrative control of the policy engine.
FoolProof versions 3.9.7 for Windows 98/ME and 3.9.4 for Windows 95
are reported to be vulnerable. Later versions are unaffected.
Ref: http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0081.html
______________________________________________________________________
04.23.8 CVE: Not Available
Platform: Third Party Windows Apps
Title: PHP Windows Shell Functions Command Execution
Description: PHP offers shell escape functions that aid a developer in
sanitizing user input. A command execution vulnerability exists in the
shell escape functions on the Windows platform. Insufficient user
input sanitization in the "escapeshellarg()" and "escapeshellcmd()"
functions exposes this issue. PHP versions 4.3.5 and earlier are
affected.
Ref: http://www.idefense.com/application/poi/display?id=108&type=vulnerabilities&flashstatus=true
______________________________________________________________________
04.23.9 CVE: Not Available
Platform: Third Party Windows Apps
Title: AspDotNetStorefront ReturnURL Cross-Site Scripting
Description: AspDotNetStorefront is a web based e-commerce solution.
Insufficient sanitization of the "returnurl" parameter of the
"signin.aspx" script exposes a cross-site scripting issue.
AspDotNetStorefront versions 3.3 and earlier are affected.
Ref: http://seclists.org/lists/bugtraq/2004/Jun/0140.html
______________________________________________________________________
04.23.10 CVE: Not Available
Platform: Third Party Windows Apps
Title: ignitionServer IRC Server Authentication Bypass
Description: ignitionServer is an IRC server package available for
Microsoft Windows. It has been reported that ignitionServer doesn't
authenticate credentials when peer servers link to create an IRC
network. By default linking is turned off, but if turned on any IRC
server that connects can cause a denial of service or inject malicious
content into the IRC network. ignitionServer version 0.3.1 is reported
to be vulnerable.
Ref: http://forums.ignition-project.com/viewtopic.php?t=187
______________________________________________________________________
04.23.11 CVE: Not Available
Platform: Third Party Windows Apps
Title: WinAgents TFTP Server Remote Buffer Overrun
Description: WinAgents TFTP Server is a TFTP server available for the
Windows platform. The server is vulnerable to a remote buffer overrun.
The problem exists when it processes filename requests. A filename
request of 1000 bytes or more will cause the overflow. WinAgents TFTP
Server version 3.0 is reported to be vulnerable.
Ref: http://secunia.com/advisories/11840/
______________________________________________________________________
04.23.12 CVE: Not Available
Platform: Mac Os
Title: Qualcomm Eudora Internet Mail Server Remote Buffer Overflow
Description: Qualcomm Eudora Internet Mail Server (EIMS) for Mac OS 7
is a POP3 and SMTP server. EIMS for Mac OS 7 is reportedly vulnerable
to a remote heap overflow. When at least 588 bytes of data are sent to
port 105 of the target, a heap-based buffer overflows due to lack of
sufficient boundary checks. This memory corruption could be leveraged
to execute arbitrary code, or more likely cause a denial of service
condition on the target.
Ref: http://www.securityfocus.com/bid/10443/
______________________________________________________________________
04.23.13 CVE: CAN-2004-0538, CAN-2004-0539
Platform: Mac Os
Title: Apple Mac OS X Multiple Security Vulnerabilities
Description: Multiple security vulnerabilities exist in Mac OS X.
"LaunchServices", "DiskImageMounter" and "Safari" have several
problems that result in irregular user experiences and could be used
to compromise security. Mac OS X versions 10.2.8 and 10.3 are
affected.
Ref: http://docs.info.apple.com/article.html?artnum=61798
______________________________________________________________________
04.23.14 CVE: Not Available
Platform: Linux
Title: SMTP.Proxy Remote Format String Vulnerability
Description: SMTP.proxy is an SMTP gateway available for UNIX variant
operating systems. SMTP.proxy is subject to a remotely exploitable
format string vulnerability. The issue occurs in routines that log
SMTP headers in email passed through the proxy. The vulnerability has
been reported in versions 1.1.3 and prior. The vendor has released
version 1.3.3 to address this issue.
Ref: http://secunia.com/advisories/11823/
______________________________________________________________________
04.23.15 CVE: Not Available
Platform: BSD
Title: OpenBSD ISAKMPD Denial of Service
Description: OpenBSD isakmpd is an IKE key management daemon.
Insufficient sanitization of malformed UDP isakmp packets exposes a
denial of service issue. A specially crafted packet can cause isakmpd
to drop tunneled connections. All current versions are reported to be
affected.
Ref: http://seclists.org/lists/fulldisclosure/2004/Jun/0191.html
______________________________________________________________________
04.23.16 CVE: CAN-2004-0079, CAN-2004-0081, CAN-2004-0112
Platform: Solaris
Title: Sun Crypto Accelerator 4000 Software OpenSSL Vulnerabilities
Description: Solaris 8 and Solaris 9 systems equipped with Sun Crypto
Accelerator 4000 v1.0 boards which are configured to use the Apache
web server may be vulnerable to denial of service or remote code
execution issues. This is due to buffer overflows in the OpenSSL
library. The vendor has released a patch to remedy this issue.
Ref: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57571
______________________________________________________________________
04.23.17 CVE: CAN-2004-0541
Platform: Unix
Title: Squid Proxy NTLM Authentication Buffer Overflow
Description: Squid Web Proxy Cache is reportedly vulnerable to a
buffer overflow issue. This vulnerability manifests itself while
processing NTLM authentication credentials. This issue was reported
for Squid-Proxy branches 2.5.x-STABLE and 3.x-PRE when Squid-Proxy is
compiled with the NTLM helper enabled.
Ref: www.idefense.com/application/poi/display?id=107&type=vulnerabilities
______________________________________________________________________
04.23.18 CVE: Not Available
Platform: Unix
Title: Webmin Module Configuration Information Disclosure
Description: Webmin is a web-based UNIX system administration tool. It
has been reported that Webmin is vulnerable to configuration
disclosure due to insufficient administration access validation. Given
the configuration of a module, it could be possible to use that
information in escalated attacks against the server.
Ref: http://www.webmin.com/changes-1.150.html
______________________________________________________________________
04.23.19 CVE: Not Available
Platform: Cross Platform
Title: Oracle E-Business Suite Multiple SQL Injection Vulnerabilities
Description: The Oracle E-Business Suite is reportedly affected by
multiple SQL injection issues. These issues could allow an attacker to
corrupt the backend E-Business database. The Oracle E-Business Suite
version 11i 11.5.9 is fixed and not vulnerable.
Ref: http://www.securityfocus.com/archive/1/365173
______________________________________________________________________
04.23.20 CVE: Not Available
Platform: Cross Platform
Title: L2TPD BSS Buffer Overflow
Description: l2tpd is a Layer 2 Tunneling Protocol daemon. l2tpd is
reportedly affected by a Block Started by Symbol (BSS) based buffer
overflow vulnerability. This issue exposes itself due to insufficient
sanitization of the "wbuf" variable inside the "write_packet()"
function of the "control.c" file. All current versions of l2tpd are
affected.
Ref: http://seclists.org/lists/fulldisclosure/2004/Jun/0094.html
______________________________________________________________________
04.23.21 CVE: Not Available
Platform: Cross Platform
Title: cPanel Unauthorized DNS Information Deletion Vulnerability
Description: cPanel is a multi-platform web hosting control panel
which includes web-based account management. cPanel reportedly allows
administrators to delete arbitrary customer DNS settings. This attack
can cause a denial of service condition against the modified web
sites. cPanel versions 5.0 through 9.1 are reported to be vulnerable.
Ref: http://www.securitytracker.com/alerts/2004/Jun/1010398.html
______________________________________________________________________
04.23.22 CVE: Not Available
Platform: Cross Platform
Title: PostgreSQL ODBC Driver Remote Buffer Overflow
Description: The PostgreSQL ODBC driver is reportedly vulnerable to an
unspecified remote buffer overflow. PostgreSQL version 7.2.1 was
reported vulnerable.
Ref: http://www.securityfocus.com/advisories/6819
______________________________________________________________________
04.23.23 CVE: Not Available
Platform: Cross Platform
Title: IBM GSKit SSL Handshake Denial of Service
Description: IBM Global Security Toolkit (GSKit) is a security toolkit
that provides SSL functionality. IBM has reported that during SSL
handshakes, malformed packets can either crash the affected
application, or cause performance degradation. All products using
GSKit versions 3.9, 4.1 and 5.1 are affected.
Ref: http://www-1.ibm.com/support/docview.wss?uid=swg21169222
______________________________________________________________________
04.23.24 CVE: Not Available
Platform: Cross Platform
Title: NetWin SurgeMail/WebMail Input Validation Weakness
Description: SurgeMail and WebMail are mail server applications.
Insufficient sanitization of user-supplied input exposes multiple path
disclosure and cross-site scripting issues. SurgeMail versions 1.9 and
earlier and WebMail 3.1d and earlier are affected.
Ref: http://www.exploitlabs.com/files/advisories/EXPL-A-2004-002-surgmail.txt
______________________________________________________________________
04.23.25 CVE: Not Available
Platform: Cross Platform
Title: jCIFS Invalid Username Authentication Weakness
Description: jCIFS is a Java implementation of the Common Internet
File System (CIFS) protocol. When using jCIFS to authenticate with a
CIFS server that has the "guest" account enabled, jCIFS will fall back
to using the "guest" account if the supplied username is invalid. An
attacker could exploit this issue to gain unauthorized access.
Versions prior to 0.9.1 are reported to be vulnerable to this issue.
Ref: http://www.securityfocus.com/bid/10494/
______________________________________________________________________
04.23.26 CVE: Not Available
Platform: Cross Platform
Title: Apache mod_proxy Remote Buffer Overflow
Description: mod_proxy is a proxy module that ships with the Apache
web server. It has been reported that a remote buffer overflow exists
in mod_proxy. By passing a negative number in the "Content-Length"
header, it is possible to cause a denial of service by crashing the
Apache instance. Apache version 1.3.x has been reported to be
vulnerable.
Ref: http://www.guninski.com/modproxy1.html
______________________________________________________________________
04.23.27 CVE: Not Available
Platform: Cross Platform
Title: RealNetworks RealPlayer Remote Buffer Overflows
Description: RealPlayer is a media player for multiple operating
systems, including Windows, Linux and Mac OS. It has been reported
that multiple buffer overflows exist across multiple RealPlayer
software packages. RealNetworks has released multiple product updates
to remedy this issue.
Ref: http://www.service.real.com/help/faq/security/040610_player/EN/
______________________________________________________________________
04.23.28 CVE: CAN-2004-0413
Platform: Cross Platform
Title: Subversion Remote Heap Overflow
Description: Subversion, a software version control system, is
reportedly vulnerable to a remote heap overflow issue. This issue
manifests itself due to an integer overflow in the "svn" protocol
parser. Subversion versions 1.0.4 and prior are reported to be
vulnerable.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-06/0164.html
______________________________________________________________________
04.23.29 CVE: Not Available
Platform: Web Application
Title: PHP-Nuke Reviews Module Cross-Site Scripting
Description: The "reviews" module written for PHP-Nuke is reportedly
vulnerable to a cross-site scripting issue. This is due to
insufficient user input sanitization on the "id" parameter. This can
allow an attacker to steal cookie-based authentication credentials
from legitimate PHP-Nuke users. PHP-Nuke versions 6.x through 7.3 are
reportedly vulnerable.
Ref: http://www.securityfocus.com/archive/1/365368
______________________________________________________________________
04.23.30 CVE: Not Available
Platform: Web Application
Title: Crafty Syntax Live Help Multiple HTML Injection Vulnerabilities
Description: Crafty Syntax Live Help (CSLH) is a web-based chat
application. Due to insufficient user-input sanitization, it is
vulnerable to multiple HTML injection issues. Crafty Syntax Live Help
versions 2.7.3 and prior are known to be vulnerable.
Ref: http://www.securityfocus.com/archive/1/365137
______________________________________________________________________
04.23.31 CVE: Not Available
Platform: Web Application
Title: Webmin Multiple Vulnerabilities
Description: Webmin is a web-based system administration interface for
Unix systems. The vendor has reported multiple vulnerabilities
including denial of service conditions and information disclosure
issues. Webmin versions 1.140 and prior are vulnerable.
Ref: http://www.webmin.com/changes-1.150.html
______________________________________________________________________
04.23.32 CVE: Not Available
Platform: Web Application
Title: Blosxom Writeback Cross-Site Scripting Vulnerability
Description: Blosxom is a web log management system. It has been
reported that Blosxom contains a cross-site scripting vulnerability in
its comment plug-in. The plug-in performs insufficient user input
sanitization, allowing a malicious user to inject HTML into the web
log. Blosxom version 2.0 is reported to be vulnerable.
Ref: http://kylem.xwell.org/blosxom.cgi/tech/security/km-2004-01.html
______________________________________________________________________
04.23.33 CVE: Not Available
Platform: Web Application
Title: Roundup Remote File Disclosure
Description: Roundup is a utility used to track issues during the
software development cycle. Insufficient sanitization of user-supplied
input exposes a file disclosure issue in the application. A remote
user can disclose files by using "../" directory traversal sequences.
Roundup versions 0.6.11 and earlier are affected.
Ref: http://sourceforge.net/tracker/index.php?func=detail&aid=961511&group_id=31577&atid=402788
______________________________________________________________________
04.23.34 CVE: Not Available
Platform: Web Application
Title: Horde IMP Input Validation Vulnerability
Description: Horde IMP is a web-based IMAP email interface written in
PHP. Insufficient sanitization of email messages that contain
malicious HTML or script code exposes an arbitrary HTML injection and
script execution issue. All current releases in the 3.x branch are
affected.
Ref: http://www.horde.org/imp/3.2/
______________________________________________________________________
04.23.35 CVE: Not Available
Platform: Web Application
Title: AspDotNetStorefront Improper Access Validation
Description: AspDotNetStorefront is a web-based e-commerce package. It
is reportedly vulnerable to an improper access validation issue. This
issue occurs because the "deleteicon.aspx" script in the "/admin"
administrative directory does not validate user credentials. This
allows unauthenticated remote users to delete arbitrary data.
AspDotNetStorefront version 3.3 is reported to be vulnerable.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-06/0127.html
______________________________________________________________________
04.23.36 CVE: Not Available
Platform: Web Application
Title: Invision Power Board SSI.PHP SQL Injection
Description: Invision Power Board is a web forum package. An SQL
injection vulnerability has been identified in its improper
sanitization of the "f" URI parameter in the "ssi.php" script. If
properly utilized, a malicious user could view or inject information
into the database. Invision Power Board versions 1.3.1 Final and
earlier are affected.
Ref: http://seclists.org/lists/bugtraq/2004/Jun/0124.html
______________________________________________________________________
04.23.37 CVE: Not Available
Platform: Web Application
Title: Blackboard Learning System File Download Vulnerability
Description: Blackboard Learning System is web-based educational
software. Insufficient authorization checks in the application allow
unauthorized users to download files intended only for course
administrators. Blackboard Learning System Basic Edition Release 6 and
earlier are affected.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-06/0147.html
______________________________________________________________________
04.23.38 CVE: Not Available
Platform: Web Application
Title: Open Webmail Content Injection
Description: Open WebMail is a web-based e-mail system. It has been
reported that Open WebMail is vulnerable to an HTML/script injection
attack due to improper validation of the "Content-Type:" header. Open
WebMail version 2.32 is reported to be vulnerable.
Ref: http://www.openwebmail.com/openwebmail/doc/changes.txt
______________________________________________________________________
04.23.39 CVE: Not Available
Platform: Network Device
Title: Symantec Gateway 360R Wireless VPN Bypass
Description: Symantec Gateway Security 360R may be vulnerable to a
weakness that could allow a remote attacker to establish an insecure
wireless connection with an internal computer. Symantec Gateway can be
configured to only allow wireless VPN traffic, but due to a design
error the settings will not block unencrypted wireless traffic. This
weakness reportedly affects Symantec Gateway Security 360R firmware
2.1 build 300 and build 415.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-06/0122.html
______________________________________________________________________
04.23.40 CVE: Not Available
Platform: Network Device
Title: U.S. Robotics Broadband Router Insecure Password Vulnerability
Description: U.S. Robotics Broadband Router 8003 is vulnerable to a
web interface insecure password issue. Client authentication is
performed by JavaScript, which contains clear-text credential
information viewable in web page source. Firmware version 1.04.08 is
reported to be vulnerable.
Ref: http://seclists.org/lists/bugtraq/2004/Jun/0116.html
______________________________________________________________________
04.23.41 CVE: Not Available
Platform: Network Device
Title: Cisco CatOS TCP-ACK Denial of Service
Description: CatOS is the operating system used on Cisco Catalyst
switches. Cisco CatOS is vulnerable to a denial of service attack.
This vulnerability can be reproduced by initiating a broken 3-way TCP
handshake causing affected devices to cease functioning or reboot.
Catalyst 6000, 5000, 4500, 4000, 2948G, 2980G, 2980G-A, 4912G, 2901,
2902, 2926[T,F,GS,GL], and 2948 series are vulnerable. Cisco has
released upgrades to remedy this issue.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-06/0124.html
______________________________________________________________________
04.23.42 CVE: Not Available
Platform: Network Device
Title: Billion BIPAC-640 AE Administration Authentication Bypass
Description: Billion BIPAC-640 AE is an appliance firewall and a NAT
network device. It is reportedly vulnerable to an authentication
bypass issue. Specially-crafted HTTP requests can bypass the
authentication on the administrative web interface. This vulnerability
was reported for Billion BIPAC-640 AE firmware version 3.33.
Ref: http://secunia.com/advisories/11813/
______________________________________________________________________
04.23.43 CVE: Not Available
Platform: Network Device
Title: Edimax EW7205-APL Default Backdoor Account
Description: The Edimax 7205APL is an 802.11b wireless access point.
It has been reported that a backdoor account is hard-coded into the
firmware allowing for configuration backups. If malicious users use
this backdoor account, they could download the router configuration
which contains the administrator password. Edimax firmware version
2.40a-00 is reported to be vulnerable.
Ref: http://www.edimax.com.tw/download/manual/EW-7205APL_M.pdf
______________________________________________________________________
04.23.44 CVE: Not Available
Platform: Hardware
Title: Linksys Web Camera File Disclosure
Description: Linksys Web Camera drivers include HTTP serving
capabilities. It has been revealed that the HTTP server is susceptible
to a file disclosure vulnerability. This issue is caused by
insufficient sanitization of URL parameters. Linksys Web Camera
software version 2.10 is known to be vulnerable.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-06/0103.html
______________________________________________________________________
(c) 2004. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a
party other than Qualys (as indicated herein) and permission to use
such material must be requested from the copyright owner.
==end==
Subscriptions:
RISK is distributed free of charge to people
responsible for managing and securing information systems and networks.
You may forward this newsletter to others with such responsibility
inside or outside your organization.
To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.
To change your subscription, address, or other information, visit
http://portal.sans.org
Copyright 2004. All rights reserved. No posting or reuse allowed,
other than listed above, without prior written permission.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFAzP+6+LUG5KFpTkYRAgdUAKCg9T00UObZLVywOM2Pcxarp5lOZgCfR2vI
hY6S4QPezYXSRtfDNfao5Ls=
=QAEA
-----END PGP SIGNATURE-----