
Network Computing Security Express #027


Subject: Network Computing Security Express #027
From: Network Computing Express (expresslist.nwc.com)
Date: Thu Jan 13 2000 - 09:01:50 CST


Network Computing Security Express #027
1/13/00
-- Number 027 (00.02) ----------------------------------------------------

Welcome to the latest edition of Security Express! Below you'll
find only the information pertaining to the categories you requested.
Please bear in mind that there may be little or no information in
particular categories--this means no security problems pertaining to
those categories were found this week. If you have any problems or
questions, please e-mail us at expressnwc.com.

Enjoy Security Express!

--------------------------------------------------------------------------

Many services have been taking a beating this week. Hotmail,
WebTV and First Telecom are among those that have been dealing
with various security problems. Hotmail, in particular, has a daunting
task--filtering all possible methods by which an HTML document may
contain JavaScript. Georgi Guninski released the first problem, which
Microsoft promptly patched. He then released two more that were very
similar, showing that Microsoft is fixing individual cases and not proactively
working toward a better solution.

For those of you who feel your Palm Pilot was a lousy investment,
Noncon may have a fix: The company has released PalmCrack, a Unix,
NT and Cisco dictionary-based password cracker for the PalmOS.
You can download it at http://www.noncon.org/noncon/pc-1.1-dist.zip.

Until next week,
-Security Express Team

--------------------------------------------------------------------------

---------------------------------------------------------

Key Area: Windows
Key Element: Messaging

{00.02.004} MS00-001: "Malformed IMAP Request" patch
Microsoft has released MS00-001, a patch for the "Malformed IMAP
Request" vulnerability. A buffer overflow in the IMAP service of
Microsoft Commercial Internet System (MCIS) versions 2.0 and 2.5
allows the execution of arbitrary code.

-FAQ and patch:

http://www.microsoft.com/security/bulletins/00/MS00-001faq.asp
Source: Microsoft
http://www.security-express.com/archives/vendor/2000-q1/0001.html

----

{00.02.007} IMail IMonitor server DoS
A denial of service has been found in IMail IMonitor 5.08. A remote attacker can make successive calls to status.cgi on port 8181 of a server running IMonitor, which could cause it to crash.

-No patches have been made available. Product home page:

http://www.ipswitch.com/Products/IMail_Server/index.asp
Source: Technotronic
http://www.security-express.com/archives/technotronic/2000-q1/0005.html

---------------------------------------------------------

Key Area: Windows
Key Element: Information Publishing

{00.02.009} Multiple vulnerabilities in WarFTPd
War FTP Daemon versions 1.7 and 1.67b2 contain various vulnerabilities that let remote attackers view any file. Further, version 1.7 allows the execution of commands as administrator via a previously reported ODBC bug. Version 1.7 also lets a remote attacker gather various system information.

-Patches are available at:

ftp://ftp.no.jgaa.com/pub/
Source: Bugtraq
http://www.security-express.com/archives/bugtraq/2000-01/0078.html

---------------------------------------------------------

Key Area: Windows
Key Element: Applications

{00.02.012} Buffer overflow in Winamp
Winamp 2.10 contains a buffer overflow in its processing of .pls (playlist) files that allows for the execution of arbitrary code. Internet Explorer will download and open .pls files without user interaction if Winamp is installed.

-Reports indicate Winamp version 2.5E is not vulnerable.

Source: Bugtraq
http://www.security-express.com/archives/bugtraq/2000-01/0113.html

----

{00.02.015} IE security restriction delay
Internet Explorer 5 has a vulnerability that lets a new Web document access the previous document until the new document is fully loaded. This means malicious Web sites can read files from the user's hard drive and bypass other cross-document restrictions.

-No patches have been made available.

Source: Bugtraq
http://www.security-express.com/archives/bugtraq/2000-01/0089.html

---------------------------------------------------------

Key Area: Solaris
Key Element: Applications

{00.02.008} Solstice Backup lets users recover files
Sun's Solstice Backup 5.1 has a flaw that lets local users employ the recover application to retrieve system files, including /etc/shadow.

-No patches have been made available. We suggest you remove world-execute permissions from the recover application.

Source: Bugtraq
http://www.security-express.com/archives/bugtraq/2000-01/0073.html

----

{00.02.010} Possible local buffer overflow in chkperm
/usr/vmsys/bin/chkperm shipped with Solaris 7 and prior contains a buffer overflow in the argument supplied to the -n option. It is unknown if exploitation is possible.

-No patches have been released. We recommend you remove the suid bit from /usr/vmsys/bin/chkperm.

Source: Bugtraq
http://www.security-express.com/archives/bugtraq/2000-01/0087.html
http://www.security-express.com/archives/bugtraq/2000-01/0091.html
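Both Solaris items above are mitigated by a mode change rather than a patch: dropping world-execute on the Solstice Backup recover program and dropping the setuid bit on /usr/vmsys/bin/chkperm. The following is an added example, not code from the newsletter or from Sun, showing how to express those two mitigations as a policy over stat(2) mode bits so they can be audited or applied consistently. The chkperm path is the one the advisory names; the recover path is a placeholder because the advisory does not give it, and the sample modes are constructed.

```python
"""Audit and harden setuid / world-execute bits against a small policy."""
import os
import stat
from typing import Dict, List, Tuple

# Policy derived from the two advisories: path -> bits that must NOT be set.
POLICY: Dict[str, int] = {
    "/usr/vmsys/bin/chkperm": stat.S_ISUID,       # {00.02.010}: remove the suid bit
    "/path/to/solstice/recover": stat.S_IXOTH,    # {00.02.008}: placeholder path, drop world-execute
}

# Human-readable names for the bits the policy can forbid.
BIT_NAMES = {
    stat.S_ISUID: "setuid",
    stat.S_ISGID: "setgid",
    stat.S_IXOTH: "world-execute",
}


def violations(mode: int, forbidden: int) -> List[str]:
    """Return the names of forbidden bits that are actually set in `mode`."""
    return [name for bit, name in BIT_NAMES.items() if (forbidden & bit) and (mode & bit)]


def hardened_mode(mode: int, forbidden: int) -> int:
    """Clear the forbidden bits; leave every other permission bit untouched."""
    return mode & ~forbidden


def audit(observed: Dict[str, int], policy: Dict[str, int] = POLICY) -> Dict[str, List[str]]:
    """Compare observed modes (as from `stat -c %a`) with the policy; keep only findings."""
    report: Dict[str, List[str]] = {}
    for path, mode in observed.items():
        found = violations(mode, policy.get(path, 0))
        if found:
            report[path] = found
    return report


def apply_to_filesystem(policy: Dict[str, int] = POLICY) -> Dict[str, Tuple[int, int]]:
    """Live variant: lstat each policy path that exists and chmod it if it violates policy.

    Returns {path: (mode_before, mode_after)} for every file that was changed.
    Paths that do not exist on this host are skipped, so the function is safe
    to run on a machine that has neither product installed.
    """
    changed: Dict[str, Tuple[int, int]] = {}
    for path, forbidden in policy.items():
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue
        before = stat.S_IMODE(st.st_mode)
        after = hardened_mode(before, forbidden)
        if after != before:
            os.chmod(path, after)
            changed[path] = (before, after)
    return changed


# Constructed observations: chkperm shipped setuid root, recover world-executable.
SAMPLE_MODES = {
    "/usr/vmsys/bin/chkperm": 0o4755,
    "/path/to/solstice/recover": 0o755,
}

if __name__ == "__main__":
    for path, found in audit(SAMPLE_MODES).items():
        fixed = hardened_mode(SAMPLE_MODES[path], POLICY[path])
        print(f"{path}: {', '.join(found)} -> chmod {fixed:o}")
```

Running the block prints one line per finding with the mode to apply; `apply_to_filesystem()` performs the change on a real host and is deliberately separate from `audit()` so the same policy can be reviewed before it is enforced.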

---------------------------------------------------------

Key Area: Linux and BSD
Key Element: Applications

{00.02.003} 3c509 NICs crash Linux kernels
The Linux kernel version 2.2.x ships with a generic 3Com NIC driver that may cause the kernel to lock up during periods of high network congestion (80 Mbps to 90 Mbps) with a 3c905 or 3c905B NIC.

-3Com has released updated drivers for the 3c905B and 3c905C network cards:

http://support.3com.com/infodeli/tools/nic/linux.htm
Source: Bugtraq
http://www.security-express.com/archives/bugtraq/2000-01/0086.html

----

{00.02.011} Debian has released new nvi package
Debian has released nvi version 1.79-9.1, which fixes a vulnerability where upon boot the /etc/init.d/nviboot script could be used to delete various files by placing files with particular file names in /var/tmp/vi.recover.

-Download the new package:

http://security.debian.org/dists/stable/updates/binary-alpha/nvi_1.79-9.1_alpha.deb
http://security.debian.org/dists/stable/updates/binary-i386/nvi_1.79-9.1_i386.deb
http://security.debian.org/dists/stable/updates/binary-m68k/nvi_1.79-9.1_m68k.deb
http://security.debian.org/dists/stable/updates/binary-sparc/nvi_1.79-9.1_sparc.deb

Source: Debian
http://www.security-express.com/archives/vendor/2000-q1/0004.html

----

{00.02.017} Multiple vulnerabilities in lpr/lpd
The lpd service in Linux suffers from two vulnerabilities:
-Host names were not properly checked, therefore anyone who has control of the reverse DNS for his or her IP can gain print access to the service.
-Remote attackers can use the print service to submit alternate sendmail configuration files, which can be used to run arbitrary commands.

-Red Hat and Debian have released new packages.

Red Hat Linux 6.x:
ftp://updates.redhat.com/6.1/i386/lpr-0.48-1.i386.rpm
ftp://updates.redhat.com/6.1/alpha/lpr-0.48-1.alpha.rpm
ftp://updates.redhat.com/6.1/sparc/lpr-0.48-1.sparc.rpm

Red Hat Linux 5.x:
ftp://updates.redhat.com/5.2/i386/lpr-0.48-0.5.2.i386.rpm
ftp://updates.redhat.com/5.2/alpha/lpr-0.48-0.5.2.alpha.rpm
ftp://updates.redhat.com/5.2/sparc/lpr-0.48-0.5.2.sparc.rpm

Red Hat Linux 4.x:
ftp://updates.redhat.com/4.2/i386/lpr-0.48-0.4.2.i386.rpm
ftp://updates.redhat.com/4.2/alpha/lpr-0.48-0.4.2.alpha.rpm
ftp://updates.redhat.com/4.2/sparc/lpr-0.48-0.4.2.sparc.rpm

Debian:
http://security.debian.org/dists/stable/updates/binary-alpha/lpr_0.48-0.slink1_alpha.deb
http://security.debian.org/dists/stable/updates/binary-i386/lpr_0.48-0.slink1_i386.deb
http://security.debian.org/dists/stable/updates/binary-m68k/lpr_0.48-0.slink1_m68k.deb
http://security.debian.org/dists/stable/updates/binary-sparc/lpr_0.48-0.slink1_sparc.deb

Source: Bugtraq
http://www.security-express.com/archives/bugtraq/2000-01/0112.html
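The first lpd weakness above is a general one: a host name learned only from a reverse (PTR) lookup is chosen by whoever controls the reverse zone for the client's address, so an access list keyed on host names must require that the name also resolves forward to the connecting address (forward-confirmed reverse DNS). The following is an added example, not code from the newsletter or from the lpr/lpd project, contrasting the weak PTR-only check with a forward-confirmed one. The resolver is a constructed in-memory stand-in for the DNS so the example runs offline; the names and addresses in it are sample data.

```python
"""PTR-only host check versus forward-confirmed reverse DNS (FCrDNS)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class FakeResolver:
    """Constructed DNS data: PTR records keyed by IP, A records keyed by name."""
    ptr: Dict[str, List[str]] = field(default_factory=dict)
    a: Dict[str, List[str]] = field(default_factory=dict)

    def reverse(self, ip: str) -> List[str]:
        return list(self.ptr.get(ip, []))

    def forward(self, name: str) -> List[str]:
        return list(self.a.get(_canon(name), []))


def _canon(name: str) -> str:
    """Normalise a DNS name for comparison: lowercase, no trailing dot."""
    return name.lower().rstrip(".")


def naive_allowed(ip: str, allowed_hosts: Iterable[str], resolver: FakeResolver) -> bool:
    """The weak check the advisory describes: trusts whatever name the PTR returns."""
    allowed = {_canon(h) for h in allowed_hosts}
    return any(_canon(n) in allowed for n in resolver.reverse(ip))


def fcrdns_names(ip: str, resolver: FakeResolver) -> List[str]:
    """Return only those PTR names for `ip` whose forward (A) records include `ip`."""
    return [_canon(n) for n in resolver.reverse(ip) if ip in resolver.forward(n)]


def fcrdns_allowed(ip: str, allowed_hosts: Iterable[str], resolver: FakeResolver) -> bool:
    """Hardened check: the name must be forward-confirmed before it is matched."""
    allowed = {_canon(h) for h in allowed_hosts}
    return any(n in allowed for n in fcrdns_names(ip, resolver))


# Constructed zone data. 192.0.2.10 is the real print client; 198.51.100.7 is a
# host whose operator controls its reverse zone and has pointed the PTR at the
# client's name, but cannot make the client's A record point back at them.
RESOLVER = FakeResolver(
    ptr={
        "192.0.2.10": ["printclient.example.net."],
        "198.51.100.7": ["printclient.example.net."],
    },
    a={
        "printclient.example.net": ["192.0.2.10"],
    },
)
ALLOWED_HOSTS = ["printclient.example.net"]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(f"{ip:14} ptr-only={naive_allowed(ip, ALLOWED_HOSTS, RESOLVER)!s:5} "
              f"fcrdns={fcrdns_allowed(ip, ALLOWED_HOSTS, RESOLVER)}")
```

The forward lookup is the whole fix: the second address passes the PTR-only check and fails the forward-confirmed one, because the only record the attacker cannot alter is the A record in the legitimate client's own zone.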

----

{00.02.018} Local root access in Red Hat user helper
A vulnerability in the user helper application lets a local user specify an alternate application to execute (other than the proper PAM module), allowing the execution of binaries as root.

-Red Hat has released new usermode and PAM packages:

ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm
ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm
ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm
ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm
ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm
ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm

Source: Bugtraq
http://www.security-express.com/archives/bugtraq/2000-01/0044.html

---------------------------------------------------------

Key Area: Other
Key Element: Messaging

{00.02.002} Patch available for local majordomo privilege elevation
A patch has been released for {00.01.015}, a local user privilege elevation with majordomo (version 1.94.4). The vulnerability lets local users elevate their privileges to match the majordomo wrapper, which in some cases is root.

-Patch available at:

http://www.security-express.com/archives/bugtraq/2000-01/0019.html
Source: Bugtraq
http://www.security-express.com/archives/bugtraq/2000-01/0019.html

---------------------------------------------------------

Key Area: Other
Key Element: Information Publishing

{00.02.001} PHP safe_mode allows unrestricted popen()
PHP 3.0.13 (and earlier versions) has a bug in its safe_mode configuration. Normally when safe_mode is active, scripts are allowed to execute only those binaries located in a special safe_mode_exec_dir. However, with safe_mode enabled, it is possible to execute arbitrary binaries via popen().

-Version 3.0.14 has been released, which includes a fix.

http://www.php.net/download-php.php3
Source: Bugtraq
http://www.security-express.com/archives/bugtraq/2000-01/0013.html

----

{00.02.005} Vulnerabilities in Allaire Spectra
Allaire has released two security advisories for Spectra version 1.0.

ASB00-01: Enhancing authenticated Webtop user security in Allaire Spectra 1.0: Because of a missing configuration line, users with access to any portion of the Webtop can access any other portion of the Webtop, regardless of restrictions.

ASB00-02: Addressing potential denial of service problems with installation files in Allaire Spectra 1.0: A portion of the Spectra install is Web-based, and the installation files are left on the system after the install. An attacker can access the setup components and cause the system to re-index various document collections, causing a high system load that can lead to a denial of service attack.

-ASB00-01: Add the following line to your /Allaire/spectra/webtop/application.cfm:

<cfset request.cfa.security.bIsSecure = 1>

The line needs to appear after the <cfa_applicationInitialize> tag.

ASB00-02: Remove the /allaire/spectra/install directory and contents once Spectra has been successfully installed.

Source: Allaire
http://www.security-express.com/archives/vendor/2000-q1/0002.html

----

{00.02.006} Cold Fusion CFCACHE tag exposes system information
Allaire has released ASB00-03, making a patch available for potential information exposure by the CFCACHE tag. The vulnerability applies to Cold Fusion version 4.x. When CFCACHE is used, a cfcache.map file is created in the Web-accessible directory of the corresponding template. Cfcache.map contains physical path information, URL parameters and time-stamp information for all cached templates.

-A patch is available at:

http://download.allaire.com/AllaireSecurityBulletin(ASB00-03)New4.0xCfcache.zip
Source: Allaire
http://www.security-express.com/archives/vendor/2000-q1/0002.html

----

{00.02.013} Directory browsing via SolutionScripts.com's Home Free CGI package
SolutionScripts.com's Home Free CGI package lets a remote attacker view the contents of directories on the server via search.cgi.

-No patches have been made available. Product home page:

http://solutionscripts.com/vault/homefree/index.shtml
Source: Bugtraq
http://www.security-express.com/archives/bugtraq/2000-01/0025.html

---------------------------------------------------------

Key Area: Other
Key Element: Applications

{00.02.016} Network access to Palm Pilot files via Hotsync
Handspring Visor and 3Com Palm Pilot ship with "Hotsync" software to manage the data on the PDA. When network access is enabled, a remote attacker can download the PDA's files, provided the attacker knows the name used on the PDA.

-No patches have been released.

Source: Bugtraq
http://www.security-express.com/archives/bugtraq/2000-01/0085.html

----

{00.02.019} Users with grant privilege can change MySQL passwords
MySQL versions 3.22.27, 3.22.29, 3.23.8 (and possibly prior) improperly handle the grant privilege, letting any user with the privilege change any other user's password, including the administrator's. To worsen matters, MySQL ships with test accounts that have this privilege.

-A patch has been posted at:

http://www.security-express.com/archives/bugtraq/2000-01/0126.html
Source: Bugtraq
http://www.security-express.com/archives/bugtraq/2000-01/0126.html
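Until the patch above is applied, the practical exposure is the set of accounts that hold the grant privilege, and in particular the shipped test accounts. The following is an added example, not code from the newsletter or from MySQL, that audits rows shaped like the `mysql.user` table (User, Host, Grant_priv columns) and emits the clean-up statements a DBA would review. The rows are constructed sample data; on a live server the same three columns come from `SELECT User, Host, Grant_priv FROM mysql.user`, and the generated SQL is an assumption about what the server accepts and should be checked against the version in use before it is run.

```python
"""Audit mysql.user rows for grant-privilege and test-account exposure."""
from typing import Dict, Iterable, List

Row = Dict[str, str]

# Constructed sample rows in the shape of `SELECT User, Host, Grant_priv FROM mysql.user`.
SAMPLE_USERS: List[Row] = [
    {"User": "root",   "Host": "localhost", "Grant_priv": "Y"},
    {"User": "",       "Host": "localhost", "Grant_priv": "Y"},  # anonymous test account
    {"User": "",       "Host": "%",         "Grant_priv": "Y"},  # anonymous, any host
    {"User": "webapp", "Host": "10.0.0.5",  "Grant_priv": "N"},
    {"User": "report", "Host": "%",         "Grant_priv": "N"},
]

# Accounts that are expected to hold the grant privilege (assumption: only root@localhost).
EXPECTED_GRANTERS = {("root", "localhost")}


def account(row: Row) -> str:
    """Render a row as the 'user'@'host' form MySQL uses."""
    return f"'{row['User']}'@'{row['Host']}'"


def findings(rows: Iterable[Row]) -> Dict[str, List[str]]:
    """Return {account: [issues]} for every row with at least one issue."""
    report: Dict[str, List[str]] = {}
    for row in rows:
        issues = []
        if row["Grant_priv"].upper() == "Y":
            issues.append("grant-priv")           # can change other users' passwords on affected versions
        if row["User"] == "":
            issues.append("anonymous")            # shipped test account
        if row["Host"] == "%":
            issues.append("any-host")             # reachable from anywhere
        if issues:
            report[account(row)] = issues
    return report


def remediation_sql(rows: Iterable[Row]) -> List[str]:
    """Statements a DBA would review: drop anonymous accounts, revoke unexpected GRANT OPTION."""
    stmts: List[str] = []
    rows = list(rows)
    if any(r["User"] == "" for r in rows):
        stmts.append("DELETE FROM mysql.user WHERE User = '';")
    for r in rows:
        if r["Grant_priv"].upper() == "Y" and r["User"] != "" \
                and (r["User"], r["Host"]) not in EXPECTED_GRANTERS:
            stmts.append(f"REVOKE GRANT OPTION ON *.* FROM {account(r)};")
    if stmts:
        stmts.append("FLUSH PRIVILEGES;")
    return stmts


if __name__ == "__main__":
    for acct, issues in findings(SAMPLE_USERS).items():
        print(f"{acct:24} {', '.join(issues)}")
    print("\n".join(remediation_sql(SAMPLE_USERS)))
```

The audit separates detection from change: `findings()` is safe to run against an export at any time, while `remediation_sql()` only produces text, so the DELETE and REVOKE statements pass through human review before they touch the privilege tables.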

---------------------------------------------------------

Key Area: Network Hardware
Key Element: Applications

{00.02.014} Multiple vulnerabilities in Intel InBusiness E-mail Station
Intel InBusiness E-mail Station 1.04 (and earlier) lets a remote attacker issue various administrative commands to an admin service running on port 244. An attacker can delete files, make directories and reset configuration information.

-Intel has indicated the problem will be corrected in a future version.

Source: Bugtraq
http://www.security-express.com/archives/bugtraq/2000-01/0036.html

---------------------------------------------------------

If this e-mail was passed to you and you would like to begin receiving our e-mail newsletter on a weekly basis, we invite you to subscribe today. Just go to http://www.networkcomputing.com/express/ to become a Security Express member.

We'd like to know what you think about the newsletter and what information you'd like to see in future editions. E-mail your comments to mailto:expressnwc.com.

If you'd like to change your account information for this newsletter please go to http://www.0mm.com/express/login.html.

To unsubscribe, reply to this message and include REMOVE or UNSUBSCRIBE in the subject line.

Copyright 2000 CMP Media Inc. A service of Network Computing. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Network Computing, is prohibited.

Distributed by MessageMedia, Inc. -- http://www.messagemedia.com/



This archive was generated by hypermail 2b27 : Thu Jan 13 2000 - 09:03:27 CST