RISK: The Consensus Security Vulnerability Alert Vol. 3 No. 37
From: The SANS Institute (ConsensusSecurityVulnerabilityAlert@sans.org)
Date: Sun Sep 19 2004 - 21:07:56 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A very tough week for security staff in most sites that rely on
Microsoft Office products. Trying to persuade Microsoft Office users
to jump through hoops to patch their systems appears to be thankless
and, at least partially, unproductive.
Good news on the "minimum security configuration" benchmarks front. The
Center for Internet Security just released four more benchmarks (and
free testing tools): Windows Server 2003 and FreeBSD operating systems,
and Pix Firewall and Apache Web Server. The Solaris benchmark update was
also released this week. Get them at http://www.cisecurity.org
Alan
*************************************************************************
RISK: The Consensus Security Vulnerability Alert
September 20, 2004 Vol. 3. Week 37
*************************************************************************
Summary of the vulnerabilities reported this week:
Category # of Updates & Vulnerabilities
***********************************************************************
Windows 1 (#1)
Microsoft Office 1 (#3)
Third Party Windows Apps 5
Mac Os 2
Unix 6 (#5)
Cross Platform 14 (#2, #4, #6)
Web Application 9
Network Device 5
************************************************************************
**************** Sponsored This Week by FaceTime ************************
Secure IM and P2P
IM and P2P create serious corporate and security risks for the enterprise,
and traditional security tools provide an inadequate defense. Learn how to
protect your network from security threats and violations.
Download a free white paper from Osterman Research,
Managing IM and P2P Threats in the Enterprise.
http://www.facetime.com/secure
*************************************************************************
Table of Contents:
Part I -- Critical Vulnerabilities
from TippingPoint (www.tippingpoint.com)
Widely Deployed Software
(1) HIGH: Microsoft JPEG Image Processing Overflow
(2) HIGH: Mozilla Application Suite Multiple Vulnerabilities
(3) MODERATE: Microsoft WordPerfect Converter Buffer Overflow
(4) MODERATE: Apache apr-util Library Buffer Overflow
(5) MODERATE: Multiple XPM File Parsers Buffer Overflow Vulnerabilities
Other Software
(6) MODERATE: Multiple Vendor MIME Content Check Bypass
Part II -- Comprehensive List of Newly Discovered Vulnerabilities
from Qualys (www.qualys.com)
-- Windows
04.37.1 - Microsoft JPEG Processing Buffer Overrun
-- Microsoft Office
04.37.2 - Microsoft WordPerfect Converter Remote Buffer Overflow
-- Third Party Windows Apps
04.37.3 - F-Secure Content Scanner Server Remote Denial of Service
04.37.4 - Gadu-Gadu Image Send Feature Remote Heap Overflow
04.37.5 - Serv-U FTP Server Remote Denial of Service
04.37.6 - TwinFTP Server Directory Traversal
04.37.7 - Tech-Noel Pigeon Server Remote Denial of Service
-- Mac Os
04.37.8 - Apple iChat Remote Link Application Execution
04.37.9 - Multiple Mac OS X Vulnerabilities
-- Unix
04.37.10 - Samba Remote Denial of Service
04.37.11 - Foomatic-rip Privilege Escalation
04.37.12 - CUPS UDP Packet Remote Denial of Service
04.37.13 - GDK-Pixbuf Multiple Vulnerabilities
04.37.14 - LibXpm Image Decoding Multiple Buffer Overflows
04.37.15 - Xine-lib VideoCD And Text Subtitle Stack Overflow Vulnerabilities
-- Cross Platform
04.37.16 - Mod_cplusplus Buffer Overflow Vulnerability
04.37.17 - Apache mod_ssl Remote Denial of Service
04.37.18 - Multiple Vendor MIME Encapsulation Vulnerabilities
04.37.19 - Multiple BEA Systems WebLogic Vulnerabilities
04.37.20 - Mozilla Multiple URI Processing Heap Overflow
04.37.21 - Mozilla Browser Vcard Handling Remote Buffer Overflow
04.37.22 - Mozilla Browser BMP Image Decoding Multiple Integer Overflows
04.37.23 - Mozilla Browser Non-ASCII Hostname Heap Overflow
04.37.24 - Mozilla/Firefox Browsers URL Cross-Domain Scripting Issue
04.37.25 - Mozilla/Firefox Browsers Unauthorized Clipboard Contents Disclosure
04.37.26 - Apache mod_dav LOCK Denial of Service
04.37.27 - MyServer Directory Traversal Vulnerability
04.37.28 - Apache Web Server Remote IPv6 Buffer Overflow
04.37.29 - GNU Radius SNMP String Length Remote Denial of Service
-- Web Application
04.37.30 - getSolutions getInternet Multiple SQL Injection Vulnerabilities
04.37.31 - PostNuke Subjects Module SQL Injection
04.37.32 - PerlDesk Arbitrary File Inclusion
04.37.33 - Turbo Seek Information Disclosure Vulnerability
04.37.34 - SnipSnap HTTP Response Splitting Vulnerability
04.37.35 - vBulletin SQL Injection Vulnerability
04.37.36 - BBS E-Market Professional Multiple File Disclosure
04.37.37 - Snitz Forums Down.ASP HTTP Response Splitting
04.37.38 - WebIntelligence Arbitrary File Deletion
-- Network Device
04.37.39 - Xpressa Handset Remote Denial of Service
04.37.40 - ZyXEL Prestige 681 ARP Request Information Disclosure
04.37.41 - Inkra 1504GX Remote Denial of Service
04.37.42 - HP Web Jetadmin Unspecified Arbitrary Command Execution
04.37.43 - SMC Router Authentication Bypass Vulnerability
************************** SPONSORED LINKS ******************************
Privacy notice: Sponsored links redirect to non-SANS web pages.
(1) Radware DefensePro secures networked applications against viruses,
malicious intrusions and Denial of Service at 3-Gbps. FREE Whitepaper.
http://www.sans.org/info.php?id=588
*************************************************************************
Featured Training program of the Week: SANS Cyber Defense Initiative CDI
is in two parts: CDI South in New Orleans November 1-4
(http://www.sans.org/cdisouth04) and CDI East in Washington, DC,
December 7-14 (http://www.sans.org/cdieast04)
New Orleans offers a whole new type of program that many people have
asked us to provide: 18 one and two day courses on issues shaping the
future of information security, from the newest hacker tools to changes
in legal issues surrounding security. Perfect for people who have taken
SANS courses and want updates and for people who just don't have time
to attend a full class. On the other hand, Washington offers 13 full
length immersion courses and a few short courses.
*************************************************************************
*************************************************************************
PART I Critical Vulnerabilities
Part I is compiled by the security team at TippingPoint
(www.tippingpoint.com) as a by-product of that company's continuous
effort to ensure that its intrusion prevention products effectively
block exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/
****************************
Widely Deployed Software
****************************
(1) HIGH: Microsoft JPEG Image Processing Overflow
Affected:
Windows XP/2003
Internet Explorer version 6.0 SP1
Outlook 2002/2003
Microsoft .NET Framework version 1.0 (SP2) and version 1.1
Microsoft Office XP/2003
Other Microsoft and third party applications that use GDIplus.dll.
Description: Windows XP/2003 and many Windows applications use
GDIPlus.dll to render graphics on screen and to printers. This DLL
contains a heap-based buffer overflow that can be triggered by a
specially crafted JPEG image. The overflow arises because the DLL does
not validate the declared length of the "comment" (COM) segment in a
JPEG file. That length field counts its own two bytes, so a declared
length of 0 or 1 is never valid; the DLL subtracts 2 from it without
checking, the result wraps to a very large unsigned value, and the copy
that follows overflows the heap. The flaw may be exploited to execute
arbitrary code with the privileges of the application that opens the
crafted JPEG. To exploit the flaw, an attacker can either (a) send the
JPEG in an HTML email or as an email attachment, or (b) host the JPEG
on a web server or a shared folder and entice a user to view it via a
link in an email or on another web page. Note that the JPEG may also be
embedded in a Word, PowerPoint or other document. A proof-of-concept
JPEG file has been publicly posted.
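The comment-length check described above, as an added example that is not part of the SANS alert and is not Microsoft's GDI+ code: a C routine that walks the marker segments of a JPEG and rejects any segment whose declared length is below 2, which is the shape of the MS04-028 trigger. The two sample byte strings are constructed for this demonstration, and the unsafe_payload_len helper exists only to show the unsigned "length minus 2" arithmetic that goes wrong.

```c
/*
 * Added example, not code from the SANS alert or from Microsoft's GDI+.
 * Walks the marker segments of a JPEG and flags any segment whose
 * declared length is below 2. In JPEG, the 16-bit length that follows a
 * marker counts its own two bytes, so 0 and 1 are never valid; a decoder
 * that computes "payload = length - 2" in an unsigned type underflows to
 * roughly 64 KB and copies far past the real comment data.
 * The sample byte strings below are constructed for this demonstration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Big-endian 16-bit read (JPEG segment lengths are big-endian). */
static unsigned be16(const uint8_t *p) {
    return ((unsigned)p[0] << 8) | p[1];
}

/* The bug class, shown only for illustration: an unsigned "length - 2"
 * turns a declared length of 0 or 1 into 65534 or 65535. */
unsigned unsafe_payload_len(unsigned declared16) {
    return (unsigned)(uint16_t)(declared16 - 2);
}

/*
 * Scan buf[0..n) and return the number of malformed findings: a segment
 * length below 2, a segment that overruns the buffer, or lost marker
 * sync. Returns -1 if the data does not begin with SOI (FF D8).
 * Scanning stops at SOS (FF DA), where entropy-coded data begins, or
 * at EOI (FF D9). A hardened decoder rejects the file at the first
 * finding instead of continuing.
 */
int jpeg_scan_segments(const uint8_t *buf, size_t n) {
    size_t pos = 2;
    int findings = 0;

    if (n < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return -1;

    while (pos + 1 < n) {
        uint8_t marker;
        unsigned len;

        if (buf[pos] != 0xFF) { findings++; break; }      /* lost sync */
        marker = buf[pos + 1];
        if (marker == 0xFF) { pos++; continue; }          /* fill byte */
        if (marker == 0xD9 || marker == 0xDA) break;      /* EOI / SOS */
        if ((marker >= 0xD0 && marker <= 0xD7) || marker == 0x01) {
            pos += 2;                                     /* RSTn / TEM: no length */
            continue;
        }
        if (pos + 4 > n) { findings++; break; }           /* truncated length */
        len = be16(buf + pos + 2);
        if (len < 2) {
            printf("segment FF%02X at offset %lu: invalid length %u "
                   "(unsigned len-2 would be %u)\n",
                   marker, (unsigned long)pos, len, unsafe_payload_len(len));
            findings++;
            break;
        }
        if (pos + 2 + len > n) { findings++; break; }     /* overruns data */
        pos += 2 + len;
    }
    return findings;
}

/* Constructed sample: SOI, a well-formed COM carrying "hello", SOS, EOI. */
const uint8_t good_jpeg[] = {
    0xFF, 0xD8,
    0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o',
    0xFF, 0xDA,
    0xFF, 0xD9
};

/* Constructed sample in the shape of the MS04-028 trigger: a COM
 * segment whose declared length is 1. */
const uint8_t bad_jpeg[] = {
    0xFF, 0xD8,
    0xFF, 0xFE, 0x00, 0x01,
    0xFF, 0xD9
};

int main(void) {
    printf("good sample: %d finding(s)\n",
           jpeg_scan_segments(good_jpeg, sizeof good_jpeg));
    printf("bad sample:  %d finding(s)\n",
           jpeg_scan_segments(bad_jpeg, sizeof bad_jpeg));
    return 0;
}
```

The same walk can be run over attachments at a mail gateway or over files on a share: any segment with a declared length below 2 is malformed regardless of which decoder later opens it, so it is a safe thing to quarantine on.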
Status: Microsoft released the MS04-028 security bulletin on September
14, 2004. Apply the updates for the operating system and for each
affected application as described in the bulletin. Note that
third-party applications that ship their own copy of GDIPlus.dll may
not be detected by Windows Update or by the GDI+ detection tool, and
remain vulnerable until their vendors update them.
Council Site Actions: All reporting council sites are responding to
this vulnerability. Several sites have already started the patch
deployment process. One site said they are only deploying the patches
that are available via SUS and will rely on anti-virus products to
reduce the threat from other affected applications. Another site
commented that the great majority of their systems have obtained the
Internet Explorer or Windows update through the public Windows Update
site, or through their local SUS server. A very small number of their
systems have obtained the Microsoft Office update. Their central IT
department has some prominent web pages that advise users to go to the
Office Update site and select "Check for Updates".
References:
Microsoft Advisory
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
Posting by Nick DeBaggis (Discovered the flaw)
http://www.securityfocus.com/archive/1/375204/2004-09-13/2004-09-19/0
PoC JPEG Images
http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0498.html
http://archives.neohapsis.com/archives/bugtraq/2004-09/0188.html
JPEG Image File Layout
http://www.funducode.com/freec/Fileformats/format3/format3b.htm
GDI+ Overview
http://msdn.microsoft.com/library/en-us/gdicpp/GDIPlus/AboutGDIPlus/IntroductiontoGDIPlus/OverviewofGDIPlus.asp
Patch Installation Issues
http://archives.neohapsis.com/archives/ntbugtraq/2004-q3/0190.html
SecurityFocus BID
http://www.securityfocus.com/bid/11173
****************************************************************
(2) HIGH: Mozilla Application Suite Multiple Vulnerabilities
Affected:
Mozilla versions prior to 1.7.3
Thunderbird mail client versions prior to 0.8
Firefox version 0.9.3 and prior
Netscape version 7.x
Description: The Mozilla, Firefox and Netscape web browsers and the
Thunderbird email client contain multiple buffer overflow
vulnerabilities. The flaws may be exploited by a malicious web page or
email to execute arbitrary code on the client system. They include (a)
a stack-based overflow triggered by a specially crafted vCard
(electronic business card); (b) a heap-based overflow triggered by a
BMP image with a very large declared width; and (c) a heap-based
overflow triggered by non-ASCII characters in a link. Proof-of-concept
exploits have been posted in Mozilla's bug repository.
Status: Mozilla has confirmed the flaws. Upgrade to the Firefox 1.0
Preview Release, Mozilla 1.7.3 or Thunderbird 0.8. These releases also
fix a number of less critical flaws in these products.
Council Site Actions: Only two of the reporting council sites are
responding to this issue. One site commented the vulnerable products
have a very limited usage, and they will apply the patch during their
next system update process. Another site sent the alert to their web
group for further review and investigation.
References:
Mozilla Security Page
http://www.mozilla.org/projects/security/known-vulnerabilities.html
CERT Advisory
http://www.us-cert.gov/cas/techalerts/TA04-261A.html
Bugzilla Entries for buffer overflow vulnerabilities
http://bugzilla.mozilla.org/show_bug.cgi?id=257314
http://bugzilla.mozilla.org/show_bug.cgi?id=255067
http://bugzilla.mozilla.org/show_bug.cgi?id=256316
SecurityFocus BIDs
http://www.securityfocus.com/bid/11169
http://www.securityfocus.com/bid/11170
http://www.securityfocus.com/bid/11171
http://www.securityfocus.com/bid/11174
http://www.securityfocus.com/bid/11177
**************************************************************************
(3) MODERATE: Microsoft WordPerfect Converter Buffer Overflow
Affected Products:
Microsoft Office 2000/XP/2003
Microsoft Works Suites 2001/2002/2003/2004
Microsoft WordPerfect 5.x Converter
Description:
The Microsoft WordPerfect converter converts WordPerfect documents to
the Microsoft Word format. This converter contains a heap-based buffer
overflow vulnerability that can be exploited by a malicious WordPerfect
document to execute arbitrary code. The flaw can be exploited when any
application that uses the WordPerfect converter opens a malicious
document. The attacker could exploit the overflow by sending a malicious
WordPerfect document as an email attachment, which would be opened by
the user. Alternatively, the malicious file could also be hosted on a
website, and a user could be enticed (via another web page or email) to
view the file. If the malicious WordPerfect file is named with a ".doc"
extension, Internet Explorer would automatically invoke Word as a helper
application (which would trigger the overflow). Very limited technical
details have been publicly posted.
Status: Microsoft released the MS04-027 security bulletin on September
14, 2004. Apply the updates described in this bulletin. A workaround is
to uninstall the WordPerfect Converter. Note that the converter is
installed by default with Microsoft Office and is also available
separately as part of the Microsoft Office Converter Pack.
Council Site Actions: Two of the reporting council sites are already
in the process of distributing the patch. A third site will deploy the
patch during their next regularly scheduled system update process.
Another site plans to rely on the Microsoft AUTO UPDATE process to patch
their systems. One site does not plan to take any action at this time,
but rather rely on anti-virus for protection and are anxiously awaiting
Windows Update Service (WUS) that will support automatic deployment of
Office updates.
References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/bulletin/MS04-027.mspx
NGSSoftware Advisory
http://www.nextgenss.com/advisories/wordperconv.txt
SecurityFocus BID
http://www.securityfocus.com/bid/11172
**************************************************************************
(4) MODERATE: Apache apr-util Library Buffer Overflow
Affected:
Apache version 2.0.35 up to and including 2.0.50
Description: The Apache Portable Runtime (APR) library provides APIs
that give applications consistent behaviour across platforms; apr-util
is a companion library, and both are used by the Apache HTTP server.
The apr-util library contains a buffer overflow in the "apr_uri_parse"
function that can be triggered by a specially crafted IPv6 address in
the request URI or in the "Host" header of an HTTP request. On some
platforms, such as BSD, the flaw may be exploitable to execute
arbitrary code.
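An added example, not apr-util's apr_uri_parse: the alert says the function can be overflowed by a crafted IPv6 address but does not describe the missing check. The example below assumes the hazard is the bracketed "[...]" form of an IPv6 host literal (unterminated, empty or followed by junk) and shows a hostinfo splitter that validates the literal and the port before it computes any length or copies anything. The inputs in main are constructed; HOST_MAX is this example's own limit.

```c
/*
 * Added example, not apr-util's apr_uri_parse. Splits the "hostinfo"
 * part of a URI or Host header ("host", "host:port", "[v6]", "[v6]:port")
 * into a host string and a port, rejecting malformed IPv6 literals before
 * any length is computed or copied. Assumption for this demonstration:
 * the dangerous input is a bracketed IPv6 literal that is unterminated or
 * empty; a parser that does "hostlen = close_bracket - hostinfo - 2"
 * without first checking that the bracket was found gets a huge length.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 256   /* this example's limit on a host string */

/*
 * Returns 0 and fills host/port (port 0 if absent) on success, -1 on any
 * malformed input. 'host' must hold at least hostsz bytes.
 */
int split_hostinfo(const char *hostinfo, char *host, size_t hostsz,
                   unsigned *port) {
    size_t n = strlen(hostinfo), hlen;
    const char *hstart, *rest;

    *port = 0;
    if (n == 0 || hostsz == 0) return -1;

    if (hostinfo[0] == '[') {
        /* IPv6 literal: everything between '[' and the first ']'. */
        const char *close = memchr(hostinfo, ']', n);
        if (close == NULL) return -1;              /* "[::1" : unterminated */
        hstart = hostinfo + 1;
        hlen = (size_t)(close - hstart);
        rest = close + 1;
        if (hlen == 0) return -1;                  /* "[]" : empty literal */
        /* Only hex digits, ':' and '.' (v4-mapped forms) may appear. */
        if (strspn(hstart, "0123456789abcdefABCDEF:.") < hlen) return -1;
    } else {
        const char *colon = strchr(hostinfo, ':');
        hstart = hostinfo;
        hlen = colon ? (size_t)(colon - hostinfo) : n;
        rest = hostinfo + hlen;
        if (hlen == 0) return -1;                  /* ":80" : no host */
    }

    if (hlen >= hostsz) return -1;                 /* would not fit */
    memcpy(host, hstart, hlen);
    host[hlen] = '\0';

    if (*rest == '\0') return 0;                   /* no port */
    if (*rest != ':') return -1;                   /* "[::1]x" : junk */
    if (*++rest == '\0') return -1;                /* "host:" : empty port */
    {
        unsigned long p = 0;
        for (; *rest != '\0'; rest++) {
            if (*rest < '0' || *rest > '9') return -1;
            p = p * 10 + (unsigned long)(*rest - '0');
            if (p > 65535) return -1;
        }
        *port = (unsigned)p;
    }
    return 0;
}

/* Accepted, with the expected host and port? */
int hostinfo_matches(const char *in, const char *want_host, unsigned want_port) {
    char host[HOST_MAX];
    unsigned port;
    if (split_hostinfo(in, host, sizeof host, &port) != 0) return 0;
    return strcmp(host, want_host) == 0 && port == want_port;
}

/* Rejected outright? */
int hostinfo_rejected(const char *in) {
    char host[HOST_MAX];
    unsigned port;
    return split_hostinfo(in, host, sizeof host, &port) == -1;
}

int main(void) {
    /* Constructed inputs: two well-formed, four malformed. */
    const char *inputs[] = { "[::1]:8080", "example.org:80",
                             "[::1", "[]", "[::1]x", "[::1]:70000" };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char host[HOST_MAX];
        unsigned port;
        int rc = split_hostinfo(inputs[i], host, sizeof host, &port);
        printf("%-16s -> %s", inputs[i], rc == 0 ? "ok  host=" : "rejected\n");
        if (rc == 0) printf("%s port=%u\n", host, port);
    }
    return 0;
}
```

The design point is ordering: every test that can fail (bracket present, literal non-empty, fits the destination) runs before the subtraction and the memcpy, so a malformed Host header is rejected rather than turned into a length.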
Status: Apache has released version 2.0.51 that fixes this flaw. Many
other denial-of-service vulnerabilities have also been fixed in this
version.
Council Site Actions: Most of the reporting council sites are responding
to this vulnerability, but in different ways. One site will deploy the
patch as a required fix for their small number of Apache-2.0.x systems.
Another site plans to deploy during their next regularly scheduled system
update process. A third site is still investigating if they have the
software in use and will treat this as a moderate problem if found.
Another site commented they have very few systems running the affected
version (none of which are critical servers). Those that are running
the affected version are primarily running Red Hat Enterprise Linux or
Debian GNU/Linux and are configured to retrieve all vendor updates.
Systems for which administrator intervention is needed to trigger
patching will most likely be updated later this month.
References:
Apache Advisory
http://www.apacheweek.com/features/security-20
NISCC Advisory
http://www.uniras.gov.uk/l1/l2/l3/alerts2004/alert-3404.txt
apr_uri_parse Function
http://lxr.webperf.org/source.cgi/srclib/apr-util/uri/apr_uri.c#260
APR Homepage
http://apr.apache.org/
SecurityFocus BID
Not yet available.
**************************************************************************************
(5) MODERATE: Multiple XPM File Parsers Buffer Overflow Vulnerabilities
Affected:
X11R6 version prior to 6.8.1
gtk+ version 2.4.4 and prior
XFree86 versions 4.x
Description: X PixMap (XPM) is an ASCII image format widely used by
the X Window System on UNIX systems. The libXpm library and the
GdkPixBuf library (shipped with gtk+ 2.x) provide functions to read and
write XPM files. Both contain multiple stack-based buffer overflows and
integer overflows that can be triggered by specially crafted XPM files.
The flaws can be exploited to execute arbitrary code. To exploit them,
an attacker has to entice a user (via email or a web page) to view a
malicious XPM file. Multiple proof-of-concept exploits have been
posted.
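The header checks an XPM decoder needs, as an added example that is not libXpm or gdk-pixbuf code: the XPM "values" line declares width, height, colour count and characters per pixel, and a decoder sizes its pixel buffer and colour table from those numbers and copies each colour key into a fixed buffer. The example parses that line, refuses products that would wrap in size_t, and bounds the key length before the copy. The XPM text is constructed for this demonstration, and XPM_MAX_CPP is this example's own limit, not a value from either library.

```c
/*
 * Added example, not libXpm or gdk-pixbuf code. Reads the "values" line
 * of an XPM image and applies the checks a decoder needs before it
 * allocates or copies anything. That line is
 *     "<width> <height> <ncolors> <chars_per_pixel> [x_hot y_hot]"
 * and a decoder typically allocates width*height pixels and ncolors
 * colour entries of chars_per_pixel characters each. Checked here:
 * (a) a product that wraps in size_t, so a small allocation is followed
 * by a large write, and (b) chars_per_pixel larger than the key buffer.
 * The XPM text is constructed; XPM_MAX_CPP is this example's own limit.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XPM_MAX_CPP 8

typedef struct {
    unsigned long width, height, ncolors, cpp;
    size_t npixels;      /* width * height, overflow-checked */
    size_t colorbytes;   /* ncolors * (cpp + 1), overflow-checked */
} xpm_values;

/* size_t multiply; returns 0 (and leaves *out alone) if it would wrap. */
static int mul_ok(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* One unsigned decimal field. Rejects signs, junk and out-of-range values. */
static int parse_field(const char **p, unsigned long *out) {
    char *end;
    while (**p == ' ' || **p == '\t') (*p)++;
    if (**p < '0' || **p > '9') return 0;
    errno = 0;
    *out = strtoul(*p, &end, 10);
    if (errno == ERANGE) return 0;
    *p = end;
    return 1;
}

/* 0 on success; -1 malformed, -2 zero dimension or colour count,
 * -3 chars_per_pixel outside 1..XPM_MAX_CPP, -4 a size product wraps. */
int xpm_parse_values(const char *line, xpm_values *v) {
    const char *p = line;
    unsigned long w, h, nc, cpp;

    if (!parse_field(&p, &w) || !parse_field(&p, &h) ||
        !parse_field(&p, &nc) || !parse_field(&p, &cpp))
        return -1;
    if (w == 0 || h == 0 || nc == 0) return -2;
    if (cpp == 0 || cpp > XPM_MAX_CPP) return -3;
    if (!mul_ok((size_t)w, (size_t)h, &v->npixels)) return -4;
    if (!mul_ok((size_t)nc, (size_t)cpp + 1, &v->colorbytes)) return -4;
    v->width = w; v->height = h; v->ncolors = nc; v->cpp = cpp;
    return 0;
}

/* Copy the colour key (first cpp chars of a line such as "x c #FF0000")
 * into key[]. Safe only because cpp was bounded above; a decoder that
 * trusted cpp from the file would overflow 'key' here. */
int xpm_read_color_key(const xpm_values *v, const char *color_line,
                       char key[XPM_MAX_CPP + 1]) {
    if (v->cpp > XPM_MAX_CPP) return -1;            /* defence in depth */
    if (strlen(color_line) < v->cpp) return -1;     /* line shorter than key */
    memcpy(key, color_line, v->cpp);
    key[v->cpp] = '\0';
    return 0;
}

/* Small wrappers used by main(). */
int xpm_values_status(const char *line) {
    xpm_values v; return xpm_parse_values(line, &v);
}
size_t xpm_values_npixels(const char *line) {
    xpm_values v; return xpm_parse_values(line, &v) == 0 ? v.npixels : 0;
}
int xpm_color_key_matches(const char *values_line, const char *color_line,
                          const char *want) {
    xpm_values v; char key[XPM_MAX_CPP + 1];
    if (xpm_parse_values(values_line, &v) != 0) return 0;
    if (xpm_read_color_key(&v, color_line, key) != 0) return 0;
    return strcmp(key, want) == 0;
}

int main(void) {
    /* Constructed values lines: one sane, the rest hostile. */
    const char *lines[] = { "16 16 3 1", "4294967296 4294967296 1 1",
                            "4 4 1 64", "-4 4 1 1", "0 4 1 1" };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-28s -> status %d, pixels %lu\n", lines[i],
               xpm_values_status(lines[i]),
               (unsigned long)xpm_values_npixels(lines[i]));
    return 0;
}
```

The overflow test in mul_ok is the one that matters for the integer-overflow class: a width and height that each fit comfortably in a 32-bit field can still multiply past what the allocator is asked for, and the decoder then writes the full image into the short buffer.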
Status: X.org has released version 6.8.1 of X11R6 that fixes the flaws.
Multiple Linux vendors such as RedHat, Mandrake and Debian have released
patches for the affected products.
Council Site Actions: Several council sites are responding to this
vulnerability. Two sites are running RedHat and/or Debian and as such,
they are configured to retrieve the vendor updates. Another site has
very limited usage of the software and plans to deploy the patch during
their next regularly scheduled system update process. A final site is
still investigating if they are using the software, and if so, will
treat this as a moderate priority.
References:
Posting by Chris Evans
http://scary.beasts.org/security/CESA-2004-005.txt
http://scary.beasts.org/security/CESA-2004-003.txt
PoC XPM Image Files
http://scary.beasts.org/misc/gdk1.xpm
http://scary.beasts.org/misc/gdk2.xpm
http://scary.beasts.org/misc/doom.xpm
http://scary.beasts.org/misc/doom2.xpm
XPM File Format
http://koala.ilog.fr/lehors/xpm.html
SecurityFocus BIDs
http://www.securityfocus.com/bid/11195
http://www.securityfocus.com/bid/11196
*******************
Other Software
*******************
(6) MODERATE: Multiple Vendor MIME Content Check Bypass
Affected:
ripMIME versions prior to 1.4.0.0
F-Secure Internet Gatekeeper, all versions
Description: Multipurpose Internet Mail Extensions (MIME) is the set of
standards for encoding email attachments and files transferred over
HTTP. Security products such as anti-virus scanners and email and web
content checkers must parse MIME-encoded messages to determine whether
the content is malicious. An array of techniques has been published
that can be used to bypass the security scan of a MIME-encoded message;
virus and other malware writers may use these evasion techniques to
avoid detection. Full technical details of the evasion techniques have
been posted.
Status: Multiple vendors like Sun, HP, Apple and Mozilla have reported
that they are not vulnerable. F-Secure's Gatekeeper version 6.4.1 will
fix the flaws. Upgrade to ripMIME version 1.4.0.0. For status on other
vendors, please refer to the NISCC advisory.
Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.
References:
NISCC Advisory
http://www.uniras.gov.uk/vuls/2004/380375/mime.htm
Corsaire Security Advisories
http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0043.html
http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0044.html
http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0045.html
http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0046.html
http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0047.html
http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0048.html
http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0049.html
http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0050.html
SecurityFocus BID
http://www.securityfocus.com/bid/11157
*****************************************************************************************
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 37, 2004
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 3718 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.
______________________________________________________________________
04.37.1 CVE: CAN-2004-0200
Platform: Windows
Title: Microsoft JPEG Processing Buffer Overrun
Description: The Microsoft GDI+ (Graphics Device Interface) library
JPEG handler is vulnerable to a buffer overrun when processing JPEG
images. An attacker could create a specially crafted JPEG image to
execute arbitrary code when the picture is rendered by a Windows
application using the vulnerable library. Microsoft has released the
security bulletin MS04-028 to address this issue.
Ref: http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
______________________________________________________________________
04.37.2 CVE: CAN-2004-0573
Platform: Microsoft Office
Title: Microsoft WordPerfect Converter Remote Buffer Overflow
Description: The Microsoft WordPerfect Converter is vulnerable to a
remote buffer overflow condition due to insufficient boundary checks
while handling certain malformed files. This could be exploited to
execute arbitrary code on the vulnerable host. All current versions
other than the one bundled with Microsoft Office 2003 Service Pack 1
are reported to be vulnerable to this issue.
Ref: http://www.microsoft.com/technet/security/bulletin/ms04-027.mspx
______________________________________________________________________
04.37.3 CVE: CAN-2004-0830
Platform: Third Party Windows Apps
Title: F-Secure Content Scanner Server Remote Denial of Service
Description: F-Secure anti-virus for Microsoft Exchange and F-Secure
Internet Gatekeeper are vulnerable to a remote denial of service while
handling certain malformed packets. F-Secure Anti-Virus for Microsoft
Exchange versions 6.21 and earlier as well as F-Secure Internet
Gatekeeper versions 6.32 and earlier are vulnerable.
Ref: http://www.f-secure.com/security/fsc-2004-2.shtml
______________________________________________________________________
04.37.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: Gadu-Gadu Image Send Feature Remote Heap Overflow
Description: Gadu-Gadu is an instant messaging application. It is
reported to be vulnerable to a remote heap overflow issue. The issue
exists due to improper sanitization of "GG_MSG_IMAGE_REPLY" packets
for image transfer. Gadu-Gadu version 6.0 build 149 is reported to be
vulnerable.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-09/0100.html
______________________________________________________________________
04.37.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: Serv-U FTP Server Remote Denial of Service
Description: The RhinoSoft Serv-U FTP server is reportedly vulnerable
to a denial of service condition due to its failure to handle certain
software exceptions gracefully. This causes the server to eventually
crash thus denying service to FTP clients. All versions of Serv-U are
reportedly affected by this vulnerability.
Ref: http://www.securityfocus.com/archive/1/374888
______________________________________________________________________
04.37.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: TwinFTP Server Directory Traversal
Description: Jigunet TwinFTP is an FTP server application. It is
reported to be vulnerable to a directory traversal issue. The
vulnerability exists due to improper sanitization of "CWD", "STOR" and
"RETR" commands. TwinFTP Enterprise and Standard version 1.0.3 R2 are
reported to be vulnerable.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-09/0106.html
______________________________________________________________________
04.37.7 CVE: Not Available
Platform: Third Party Windows Apps
Title: Tech-Noel Pigeon Server Remote Denial of Service
Description: The Tech-Noel Pigeon Server is reported to be vulnerable
to a remote denial of service issue. The issue is triggered when a
"login" field longer than 8180 characters is sent to port 3180.
Version 3.03.146 was released to fix this issue.
Ref: http://aluigi.altervista.org/adv/pigeonx-adv.txt
______________________________________________________________________
04.37.8 CVE: CAN-2004-0873
Platform: Mac Os
Title: Apple iChat Remote Link Application Execution
Description: The Apple iChat instant messaging client is reportedly
vulnerable to a remote link application execution vulnerability. Using
this, an attacker can specify an application to be activated when a
link sent in an instant message is followed by a target user. This
could allow the attacker to execute arbitrary applications on the
vulnerable host. This issue was reported in Apple iChat versions 1 and
2.
Ref: http://secunia.com/advisories/12575/
______________________________________________________________________
04.37.9 CVE: Not Available
Platform: Mac Os
Title: Multiple Mac OS X Vulnerabilities
Description: Apple released a security update addressing
vulnerabilities in multiple components of Mac OS X. All Mac users are
advised to apply the update.
Ref: http://www.apple.com/support/downloads/securityupdate_2004-09-07_v_1_1_(10_2_8_Client).html
______________________________________________________________________
04.37.10 CVE: CAN-2004-0807, CAN-2004-0808
Platform: Unix
Title: Samba Remote Denial of Service
Description: The Samba file and printer sharing server is reportedly
affected by multiple remote denial of service issues. These issues are
due to a failure to properly parse ASN.1 and MailSlot packets. An
attacker could exploit these conditions to deny service to other
legitimate users of the service. These issues were reported for
versions 3.0.x of Samba.
Ref: http://www.securityfocus.com/archive/1/374980
______________________________________________________________________
04.37.11 CVE: CAN-2004-0801
Platform: Unix
Title: Foomatic-rip Privilege Escalation
Description: Foomatic integrates various print spoolers with freely
available printer drivers. Foomatic-rip is affected by an arbitrary
command execution vulnerability due to insufficient sanitization of
command lines and environment variables. Foomatic 3.0.2 has been
released to fix this issue.
Ref: http://www.linuxprinting.org/pipermail/foomatic-devel/2004q3/001996.html
______________________________________________________________________
04.37.12 CVE: CAN-2004-0558
Platform: Unix
Title: CUPS UDP Packet Remote Denial of Service
Description: CUPS (Common UNIX Printing System) is reported to be
vulnerable to a remote denial of service issue. The issue exists due
to improper sanitization of certain UDP packets on port 631. Debian
and RedHat have both released a patch for this issue.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-09/0162.html
______________________________________________________________________
04.37.13 CVE: CAN-2004-0753, CAN-2004-0782, CAN-2004-0783,
CAN-2004-0788
Platform: Unix
Title: GDK-Pixbuf Multiple Vulnerabilities
Description: gdk-pixbuf is a GNOME multiple-format imaging library. It
is reportedly vulnerable to multiple security issues. These include
two denial of service conditions while decoding certain BMP and ICO
image files, and two memory corruption conditions while decoding
certain XPM images. These could be exploited to cause a denial of
service condition or execute arbitrary code on the vulnerable host.
All current gdk-pixbuf versions 0.x are reported to be vulnerable.
Ref: http://scary.beasts.org/security/CESA-2004-005.txt
______________________________________________________________________
04.37.14 CVE: Not Available
Platform: Unix
Title: LibXpm Image Decoding Multiple Buffer Overflows
Description: libXpm is a graphics library that decodes the X Pixmap
(XPM) image format. It is reportedly vulnerable to multiple buffer
overflow issues. These are due to insufficient boundary checks while
handling certain maliciously crafted XPM images. These could be
exploited to execute arbitrary code on the vulnerable host. The LibXpm
version that shipped with X.org X11R6 6.8.0 is reported vulnerable to
this issue.
Ref: http://scary.beasts.org/security/CESA-2004-003.txt
______________________________________________________________________
04.37.15 CVE: Not Available
Platform: Unix
Title: Xine-lib VideoCD And Text Subtitle Stack Overflow
Vulnerabilities
Description: Xine is a multimedia player. Xine-lib contains two buffer
overflows that could be exploited through malicious video cds or
subtitles in order to execute arbitrary code. Xine-lib versions 1-rc2
through 1-rc5 are known to be vulnerable.
Ref: http://www.open-security.org/advisories/6
______________________________________________________________________
04.37.16 CVE: Not Available
Platform: Cross Platform
Title: Mod_cplusplus Buffer Overflow Vulnerability
Description: John Sterling's mod_cplusplus is a module used to
implement Apache 2.0 handlers as C++ objects. mod_cplusplus is
vulnerable to a buffer overflow issue due to a failure to perform
boundary checks for a buffer size in the "ApacheRequestRec::istring()"
function. This issue could lead to remote arbitrary code execution.
mod_cplusplus versions 1.4.1 and earlier are reported to be
vulnerable.
Ref: https://sourceforge.net/project/shownotes.php?group_id=26896&release_id=266645
______________________________________________________________________
04.37.17 CVE: CAN-2004-0751
Platform: Cross Platform
Title: Apache mod_ssl Remote Denial of Service
Description: Apache 2.x mod_ssl is reported to be vulnerable to a
remote denial of service issue. The issue exists due to improper
exception handling in the "char_buffer_read()" function of the
"ssl_engine_io.c" file. Apache version 2.0.50 is reported to be
affected by this issue.
Ref: http://issues.apache.org/bugzilla/show_bug.cgi?id=30134
______________________________________________________________________
04.37.18 CVE: CAN-2003-1014, CAN-2003-1015, CAN-2003-1016,
CAN-2004-0051, CAN-2004-0052, CAN-2004-0053, CAN-2004-0161,
CAN-2004-0162
Platform: Cross Platform
Title: Multiple Vendor MIME Encapsulation Vulnerabilities
Description: MIME is a standard for encoding attachments to emails.
MIME is also used as an encoding method for transfer of files in the
HTTP protocol. Multiple vulnerabilities including content checking
bypass, remote code execution and denial of service were reported in
numerous software implementations.
Ref: http://www.uniras.gov.uk/vuls/2004/380375/mime.htm
______________________________________________________________________
04.37.19 CVE: Not Available
Platform: Cross Platform
Title: Multiple BEA Systems WebLogic Vulnerabilities
Description: BEA Systems has released advisories to address multiple
vulnerabilities in WebLogic Server and Express. These issues may allow
unauthorized access and information disclosure, or pose threats to
role and policy security. BEA has released BEA Systems WebLogic
Express 8.1 SP 3 to address these issues.
Ref: http://www.securityfocus.com/bid/11168/credit/
______________________________________________________________________
04.37.20 CVE: Not Available
Platform: Cross Platform
Title: Mozilla Multiple URI Processing Heap Overflow
Description: Mozilla is vulnerable to multiple heap overflow issues
when processing URLs in emails. Mozilla versions 1.7.2 and earlier are
known to be vulnerable.
Ref: http://bugzilla.mozilla.org/show_bug.cgi?id=258005
______________________________________________________________________
04.37.21 CVE: Not Available
Platform: Cross Platform
Title: Mozilla Browser Vcard Handling Remote Buffer Overflow
Description: The Mozilla Browser is reportedly vulnerable to a remote
buffer overflow issue. This is exposed while handling certain
maliciously crafted "vcard" files due to insufficient boundary checks
in the parsing routine. Versions prior to Mozilla Browser 1.7.3 and
Mozilla Thunderbird 0.8 are reported to be vulnerable.
Ref: http://bugzilla.mozilla.org/show_bug.cgi?id=257314#c1
______________________________________________________________________
04.37.22 CVE: Not Available
Platform: Cross Platform
Title: Mozilla Browser BMP Image Decoding Multiple Integer Overflows
Description: Mozilla Browser is reportedly vulnerable to multiple
integer overflow issues in the image parsing routines. These issues
exist due to improper boundary checks in "nsBMPDecoder.cpp" and
"nsImageWin.cpp" files. Mozilla 1.7 is reported to be vulnerable.
Ref: http://bugzilla.mozilla.org/show_bug.cgi?id=255067
______________________________________________________________________
04.37.23 CVE: Not Available
Platform: Cross Platform
Title: Mozilla Browser Non-ASCII Hostname Heap Overflow
Description: The Mozilla browser is reportedly vulnerable to a
remotely exploitable heap overflow. This issue is exposed when the
browser handles non-ASCII characters in certain maliciously crafted
URLs. Successful exploitation would permit remote compromise in the
context of the client user. All versions prior to Mozilla Browser
1.7.3 and Mozilla Thunderbird 0.8 are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/11169/credit/
______________________________________________________________________
04.37.24 CVE: Not Available
Platform: Cross Platform
Title: Mozilla/Firefox Browsers URL Cross-Domain Scripting Issue
Description: Mozilla and Firefox are cross platform web browsers. They
are reported to be vulnerable to a cross-domain scripting issue.
Mozilla Browser versions prior to 1.7.3 and Mozilla Firefox version
0.10 are reported to be vulnerable.
Ref: http://bugzilla.mozilla.org/show_bug.cgi?id=250862
______________________________________________________________________
04.37.25 CVE: Not Available
Platform: Cross Platform
Title: Mozilla/Firefox Browsers Unauthorized Clipboard Contents
Disclosure
Description: Mozilla and Firefox are cross-platform browsers. They are
reported to be vulnerable to unauthorized clipboard contents
disclosure. This vulnerability exists due to improper sanitization of
unsafe key events such as "CTRL-Insert" and "SHIFT-Insert". Mozilla has
released Browser 1.7.3 and Firefox Preview Release to fix this issue.
Ref: http://bugzilla.mozilla.org/show_bug.cgi?id=257523
______________________________________________________________________
04.37.26 CVE: CAN-2004-0809
Platform: Cross Platform
Title: Apache mod_dav LOCK Denial of Service
Description: The Apache web server's "mod_dav" module is reportedly
vulnerable to a denial of service condition. This issue is exposed
when the server receives a specific sequence of "LOCK" commands from
an authorized user. This allows an attacker to crash the Apache
thread/process, making a denial of service attack against other
legitimate clients possible. All versions of Apache 2.0 prior to
2.0.51 are reported vulnerable.
Ref: http://secunia.com/advisories/12527/
______________________________________________________________________
04.37.27 CVE: Not Available
Platform: Cross Platform
Title: MyServer Directory Traversal Vulnerability
Description: MyServer is an application and web server. It is reported
to be vulnerable to a directory traversal attack due to a lack of URL
sanitization. MyServer version 0.7 is known to be vulnerable.
Ref: http://www.securiteinfo.com/attaques/hacking/myServer0_7.shtml
______________________________________________________________________
04.37.28 CVE: CAN-2004-0786
Platform: Cross Platform
Title: Apache Web Server Remote IPv6 Buffer Overflow
Description: Apache web server is reported to be vulnerable to a
remote buffer overflow issue. The issue presents itself when a
malformed URL is used with IPv6. The issue exists due to improper
sanitization in the "apr_uri_parse()" function of the affected server.
Ref: http://www.apache.org/dist/httpd/Announcement2.html
______________________________________________________________________
04.37.29 CVE: CAN-2004-0849
Platform: Cross Platform
Title: GNU Radius SNMP String Length Remote Denial of Service
Description: GNU Radius is a server used primarily by Internet Service
Providers (ISPs) as a solution for authentication and accounting. GNU
Radius is reported to be vulnerable to a denial of service issue. This
issue exists due to improper sanitization of SNMP input in the
"asn1.c" file. GNU Radius version 1.2 is reported to be vulnerable.
Ref: http://www.idefense.com/application/poi/display?id=141&type=vulnerabilities&flashstatus=true
______________________________________________________________________
04.37.30 CVE: Not Available
Platform: Web Application
Title: getSolutions getInternet Multiple SQL Injection
Vulnerabilities
Description: getSolutions getInternet is a content management system
implemented in ASP. It is reported to be vulnerable to multiple remote
SQL injection issues. These issues exist due to improper sanitization
of URL parameters in multiple scripts.
Ref: http://www.securityfocus.com/bid/11150
______________________________________________________________________
04.37.31 CVE: Not Available
Platform: Web Application
Title: PostNuke Subjects Module SQL Injection
Description: The PostNuke "Subjects" Module is a module for the
PostNuke application. It is reported to be vulnerable to an SQL injection
issue. The issue exists due to improper sanitization of "pageid",
"subid" and "catid" parameters. PostNuke "Subjects" Module version 2.0
is reported to be vulnerable.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-09/0098.html
______________________________________________________________________
04.37.32 CVE: Not Available
Platform: Web Application
Title: PerlDesk Arbitrary File Inclusion
Description: PerlDesk is a web-based help desk and email management
application. PerlDesk is vulnerable to an arbitrary file inclusion
issue due to insufficient user-data sanitization of the "lang"
parameter in the "pdesk.cgi" script.
Ref: http://nikyt0x.webcindario.com/
______________________________________________________________________
04.37.33 CVE: Not Available
Platform: Web Application
Title: Turbo Seek Information Disclosure Vulnerability
Description: FocalMedia.net Turbo Seek is a web-based search
application. It is reported to be vulnerable to an information
disclosure issue due to improper sanitization of the "location"
argument in the "tseekdir.cgi" script. Turbo Seek versions prior to
1.7.2 are reported to be vulnerable.
Ref: http://secunia.com/advisories/12500/
______________________________________________________________________
04.37.34 CVE: Not Available
Platform: Web Application
Title: SnipSnap HTTP Response Splitting Vulnerability
Description: SnipSnap is a web-based blog and wiki application. It is
reportedly vulnerable to an HTTP response splitting attack. Through
the "referer" parameter, an attacker could inject "CR/LF" sequences
into the HTTP response headers. This could trick a browser into
misinterpreting served content and could be used towards information
theft or other attacks. This issue was identified in SnipSnap versions
0.5.2a and prior.
Ref: http://www.securityfocus.com/advisories/7217
______________________________________________________________________
04.37.35 CVE: Not Available
Platform: Web Application
Title: vBulletin SQL Injection Vulnerability
Description: The vBulletin bulletin board is reportedly vulnerable to
a remote SQL injection issue due to insufficient sanitization of
user-supplied input via the "x_invoice_num" parameter. This allows
attackers to compromise the remote backend database. vBulletin
versions 3.0 through 3.0.3 are reported to be vulnerable.
Ref: http://www.vbulletin.com/forum/showthread.php?p=734250#post734250
______________________________________________________________________
04.37.36 CVE: Not Available
Platform: Web Application
Title: BBS E-Market Professional Multiple File Disclosure
Description: BBS E-Market Professional is a web-based e-commerce
application implemented in PHP. It is reported to be vulnerable to
multiple file disclosure issues. These issues exist due to improper
sanitization of the "filename" and the "dn_path" parameters. BBS
E-Market patch level bf_130 (v1.3.0) and prior are reported to be
vulnerable.
Ref: http://secunia.com/advisories/12509/
______________________________________________________________________
04.37.37 CVE: Not Available
Platform: Web Application
Title: Snitz Forums Down.ASP HTTP Response Splitting
Description: Snitz Forums is reportedly vulnerable to an HTTP response
splitting attack. The "down.asp" script allows an attacker to inject
"CR/LF" sequences into the HTTP response headers. This could trick a
browser into misinterpreting served content and could be used towards
information theft or other attacks. Snitz Forums 2000 version 3.4.04
is reported to be vulnerable.
Ref: http://www.securityfocus.com/archive/1/375430
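Added illustration (not from the advisories or either vendor) of the CR/LF injection that the two response-splitting entries above (SnipSnap 04.37.34 and Snitz 04.37.37) describe: a guard that refuses CR/LF in a header value about to be emitted, and a check over constructed access-log lines for request parameters that decode to CR/LF. Paths, parameter names and log lines are assumed for the sample.

```python
import re
from urllib.parse import unquote

# A CR or LF inside a header value ends the header line, so an injected
# pair lets the request author append headers (or a second response) to
# whatever the server writes next. Reject them outright.
_CRLF = re.compile(r"[\r\n]")

def has_crlf(value: str) -> bool:
    """True if value contains a carriage return or line feed."""
    return _CRLF.search(value) is not None

def safe_header_value(value: str) -> str:
    """Return value unchanged if it is safe to place in a response header
    (e.g. a Location or Referer echo); raise ValueError otherwise."""
    if has_crlf(value):
        raise ValueError("CR/LF not allowed in header value")
    return value

# Constructed sample access-log lines (assumed format; not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2004:21:07:56] "GET /space/start?referer=http%3A%2F%2Fexample.test%2F HTTP/1.1" 200 512
10.0.0.9 - - [19/Sep/2004:21:08:01] "GET /space/start?referer=x%0d%0aX-Injected%3A+1 HTTP/1.1" 302 0
10.0.0.9 - - [19/Sep/2004:21:08:02] "GET /forum/down.asp?url=y%0D%0A%0D%0A HTTP/1.1" 302 0
10.0.0.7 - - [19/Sep/2004:21:08:05] "GET /forum/down.asp?url=ok HTTP/1.1" 302 0
"""

_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def find_crlf_requests(log_text: str) -> list:
    """Return (line_no, request_target) for each request whose target,
    after URL decoding, contains CR or LF. Decoding twice also catches
    a single extra layer of %25-encoding (e.g. %250d%250a)."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = _REQUEST.search(line)
        if not match:
            continue
        target = match.group(1)
        if has_crlf(unquote(unquote(target))):
            hits.append((line_no, target))
    return hits

if __name__ == "__main__":
    for line_no, target in find_crlf_requests(SAMPLE_LOG):
        print(f"line {line_no}: CR/LF in request target {target}")
```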
______________________________________________________________________
04.37.38 CVE: CAN-2004-0533
Platform: Web Application
Title: WebIntelligence Arbitrary File Deletion
Description: Business Objects WebIntelligence is a web query,
reporting, and analysis application. A vulnerability in the
application allows an authenticated user to bypass the access controls
and delete arbitrary documents from the application. WebIntelligence
version 2.7 with Business Objects 5.1 is reported to be vulnerable.
The vendor has released a patch to fix the issue.
Ref: http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0056.html
______________________________________________________________________
04.37.39 CVE: Not Available
Platform: Network Device
Title: Xpressa Handset Remote Denial of Service
Description: Pingtel Xpressa is a Voice-over-IP (VoIP) phone. Its web
interface is reportedly vulnerable to a remote denial of service
condition due to insufficient boundary checks on the HTTP "GET"
request arguments. This issue is reported to affect the Xpressa Model
PX-1 handset.
Ref: http://www.securityfocus.com/archive/1/375054
______________________________________________________________________
04.37.40 CVE: Not Available
Platform: Network Device
Title: ZyXEL Prestige 681 ARP Request Information Disclosure
Description: ZyXEL Prestige 681 SDSL router is an Internet broadband
router. The device sends ARP requests containing a memory dump that
could leak sensitive information. ZyNOS version Vt020225a is known to
be vulnerable.
Ref: http://www.securityfocus.com/archive/1/375025
______________________________________________________________________
04.37.41 CVE: Not Available
Platform: Network Device
Title: Inkra 1504GX Remote Denial of Service
Description: The Inkra 1504GX is a hardware device designed for load
balancing, SSL acceleration, and intrusion prevention. It is reported
to be vulnerable to a denial of service issue. The issue presents
itself when the switch receives a malicious packet. Inkra 1504GX
routers with VSM release 2.1.4.b003 are reported to be vulnerable.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-09/0136.html
______________________________________________________________________
04.37.42 CVE: Not Available
Platform: Network Device
Title: HP Web Jetadmin Unspecified Arbitrary Command Execution
Description: HP Web Jetadmin is a web-based interface for remote
management of network peripheral devices. It is reported to be
vulnerable to an arbitrary command execution issue. HP Web Jetadmin
version 7.5 is reported to be vulnerable.
Ref: http://xforce.iss.net/xforce/xfdb/15607
______________________________________________________________________
04.37.43 CVE: Not Available
Platform: Network Device
Title: SMC Router Authentication Bypass Vulnerability
Description: SMC 7004VWBR and 7008ABR devices are Internet broadband
routers. They are reported to be vulnerable to an authentication
bypass issue in their web administration interface.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-09/0150.html
______________________________________________________________________
(c) 2004. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.
==end==
Subscriptions:
RISK is distributed free of charge to people
responsible for managing and securing information systems and networks.
You may forward this newsletter to others with such responsibility
inside or outside your organization.
To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.
To change your subscription, address, or other information, visit
http://portal.sans.org
Copyright 2004. All rights reserved. No posting or reuse allowed,
other than listed above, without prior written permission.