Subject: Security Alert Consensus #053
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Jul 13 2000 - 16:07:59 CDT



Re: Your personalized newsletter

                      -- Security Alert Consensus --
                            Number 053 (00.29)
                         Thursday, July 13, 2000
                            Created for you by
                  Network Computing and the SANS Institute

------------------------------------------------------------------------
                
Welcome to the latest edition of Security Alert Consensus! Below you
should find only the information pertaining to the categories you
requested. If you have any problems or questions, please e-mail us at
<consensus@nwc.com>.

------------------------------------------------------------------------

This issue sponsored by Symantec Corp.

On 6/20/00, Symantec introduced the Symantec Enterprise Security (SES)
solution during its Global Webcast. If you did not have an opportunity
to participate in the Webcast, it is available for viewing online at:
http://www.symantec.com/specprog/sym/101300.html

------------------------------------------------------------------------

This week saw many vendors releasing patched versions of ftpds. As it
turns out, the type of vulnerability that plagued WU-FTPD last week was
also found in OpenBSD ftpd and FreeBSD ftpd, as well as Opieftpd. The
original vulnerability was described as {00.27.007} and this week as
{00.29.002}. You will need to be a subscriber to the "Cross-Platform"
category to receive those alerts.

Keep in mind that SAC is archived, and the archives feature all
categories, so if you would like to see items not in your subscribed
category, you can view the issue at:

http://archives.neohapsis.com/archives/

Until next week,
- Security Alert Consensus Team

------------------------------------------------------------------------

TABLE OF CONTENTS:

--> {00.29.015} MS00-048: Microsoft SQL Stored Procedure Permission
                vulnerability
--> {00.29.018} Blackboard CourseInfo stores admin passwords in registry
--> {00.29.023} Buffer overflow in Savant Web server
--> {00.29.025} WircSrv remote DoS
--> {00.29.007} Update to {00.24.006}: Innd control cancel request
                buffer overflow
--> {00.29.017} Local imwheel vulnerabilities
--> {00.29.003} Update to {00.28.003}: Canna remote buffer overflow in
                SR_INIT command
--> {00.29.008} Update to {00.25.006}: OpenSSH "Uselogin" allows
                commands to be run as root
--> {00.29.020} Update to {00.23.004}: QPop euidl buffer overflow
--> {00.29.022} XFree86 4.0 local buffer overflow
--> {00.29.016} Encoded URLs bypass BorderManager URL filtering
--> {00.29.010} PIX TCP reset DoS
--> {00.29.005} DoS in Oracle Web Listener
--> {00.29.001} BitchX /invite DoS and remote exploit
--> {00.29.002} Update to {00.27.007}: Wu-ftpd site exec remote buffer
                overflow
--> {00.29.004} Update to {00.27.010}: Remote command execution in ISC
                DHCP client
--> {00.29.006} Setproctitle() vulnerabilities in various ftpds
--> {00.29.009} Tnef remote root compromise
--> {00.29.011} Makewhatis /tmp symlink vulnerability
--> {00.29.012} Poll_It CGI file retrieval
--> {00.29.013} Update to {00.28.017}: Multiple Sawmill vulnerabilities
--> {00.29.014} Possible remote DoS in Checkpoint FW-1
--> {00.29.019} Update to {00.24.032}: Multiple vulnerabilities in
                TACACS+ protocol/implementations
--> {00.29.021} Libedit local config file override
--> {00.29.024} LPRng should not be setuid root

--- Windows News -------------------------------------------------------

--> {00.29.015} MS00-048: Microsoft SQL Stored Procedure Permission
                vulnerability

Microsoft has released MS00-048 ("Patch Available for Stored Procedure
Permissions Vulnerability"). The vulnerability lets Microsoft SQL Server
version 7.0 database users call stored procedures they would otherwise
not have permission to use. This could be used to compromise the entire
database system and databases themselves.

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/fq00-048.asp

Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2000-q3/0000.html

--> {00.29.018} Blackboard CourseInfo stores admin passwords in registry

Blackboard's CourseInfo version 4.0 has been found to store the SQL
administrator user name and password in the registry under the key
HKEY_LOCAL_MACHINE\SOFTWARE\Blackboard, Inc.\CourseInfo40.

The vendor recommends setting registry permissions to restrict
unwarranted users from viewing the entry; however, users that must
access the software will still be able to gain access to the database
user name and password.

Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0020.html

--> {00.29.023} Buffer overflow in Savant Web server

A remotely exploitable buffer overflow has been found in Savant Web
server. An attacker can submit an overly long URL, which could lead to
the execution of arbitrary code.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-07/0114.html

--> {00.29.025} WircSrv remote DoS

A remote denial of service has been found in WircSrv IRC Server version
5.07s. By sending malformed data to the WircSrv service, a remote
attacker can cause the service to stop responding.

No patches have been made available. Product home page:
http://www.wircsrv.com/

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-07/0120.html

--- Linux News ---------------------------------------------------------

--> {00.29.007} Update to {00.24.006}: Innd control cancel request
                buffer overflow

Mandrake has released updated packages that correct the vulnerability
discussed in {00.24.006} ("Innd control cancel request buffer
overflow").

Updated RPMs:

http://www.rpmfind.net/linux/Mandrake/updates/6.0/RPMS/inews-2.2-13mdk.i586.rpm
http://www.rpmfind.net/linux/Mandrake/updates/6.0/RPMS/inn-2.2-13mdk.i586.rpm
http://www.rpmfind.net/linux/Mandrake/updates/6.0/RPMS/inn-devel-2.2-13mdk.i586.rpm
http://www.rpmfind.net/linux/Mandrake/updates/6.1/RPMS/inews-2.2-13mdk.i586.rpm
http://www.rpmfind.net/linux/Mandrake/updates/6.1/RPMS/inn-2.2-13mdk.i586.rpm
http://www.rpmfind.net/linux/Mandrake/updates/6.1/RPMS/inn-devel-2.2-13mdk.i586.rpm
http://www.rpmfind.net/linux/Mandrake/updates/7.0/RPMS/inews-2.2.2-6mdk.i586.rpm
http://www.rpmfind.net/linux/Mandrake/updates/7.0/RPMS/inn-2.2.2-6mdk.i586.rpm
http://www.rpmfind.net/linux/Mandrake/updates/7.0/RPMS/inn-devel-2.2.2-6mdk.i586.rpm
http://www.rpmfind.net/linux/Mandrake/updates/7.1/RPMS/inews-2.2.2-6mdk.i586.rpm
http://www.rpmfind.net/linux/Mandrake/updates/7.1/RPMS/inn-2.2.2-6mdk.i586.rpm
http://www.rpmfind.net/linux/Mandrake/updates/7.1/RPMS/inn-devel-2.2.2-6mdk.i586.rpm
                
Source: Mandrake (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-07/0097.html

--> {00.29.017} Local imwheel vulnerabilities

Red Hat has released an advisory detailing two vulnerabilities with
imwheel: a symlink attack on input files and the possibility of a local
user killing the process.

Red Hat's official solution is to stop using imwheel.

Source: Red Hat (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-07/0035.html

--- BSD News -----------------------------------------------------------

--> {00.29.003} Update to {00.28.003}: Canna remote buffer overflow in
                SR_INIT command

FreeBSD has released updated packages that fix the vulnerability
described in {00.28.003} ("Canna remote buffer overflow in SR_INIT
command").

FreeBSD packages:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/japanese/ja-Canna-3.2.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/japanese/ja-Canna-3.2.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/japanese/ja-Canna-3.2.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/japanese/ja-Canna-3.2.2.tgz
                
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-07/0041.html

--> {00.29.008} Update to {00.25.006}: OpenSSH "Uselogin" allows
                commands to be run as root

FreeBSD has released a patch that corrects the vulnerability discussed
in {00.25.006} ("OpenSSH 'Uselogin' allows commands to be run as root").

Patch:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:30/sshd.patch

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-07/0040.html

--> {00.29.020} Update to {00.23.004}: QPop euidl buffer overflow

FreeBSD has released updated packages that correct the vulnerability
discussed in {00.23.004} ("QPop euidl buffer overflow").

Download updated packages:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/qpopper-2.53.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/qpopper-2.53.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/mail/qpopper-2.53.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/qpopper-2.53.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/mail/qpopper-2.53.tgz
                
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-07/0036.html

--> {00.29.022} XFree86 4.0 local buffer overflow

FreeBSD has released updated packages that address a local buffer
overflow in XFree86 version 4.0. The vulnerability lets a local attacker
gain root privileges.

Updated FreeBSD packages:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/x11/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/x11/

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-07/0037.html

--- NetWare News -------------------------------------------------------

--> {00.29.016} Encoded URLs bypass BorderManager URL filtering

Novell has confirmed in BorderManager versions 3.0 and 3.5 a
vulnerability that lets a user bypass URL filtering by using URL
encoding.

An update will be available shortly.

Source: Novell, Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-07/0038.html
http://archives.neohapsis.com/archives/bugtraq/2000-07/0075.html

--- Network Appliances News --------------------------------------------

--> {00.29.010} PIX TCP reset DoS

Cisco Systems has released an advisory detailing a denial-of-service
attack in the PIX, whereby a remote attacker can flood the PIX with
spoofed RST packets, which will cause the PIX to keep closing
connections.

Cisco has updated software, which is available by contacting
Cisco.

Source: Cisco (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-07/0134.html

--- AIX News -----------------------------------------------------------

--> {00.29.005} DoS in Oracle Web Listener

A report has surfaced that indicates a remotely exploitable denial of
service in Oracle's Web Listener versions 4.0.7.0.0 and 4.0.8.1.0. By
submitting various malformed requests, an attacker can cause the
service to stop responding.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-07/0027.html

--- Cross-Platform News ------------------------------------------------

--> {00.29.001} BitchX /invite DoS and remote exploit

A bug has been found in the channel parsing code of BitchX that lets a
malicious user remotely execute arbitrary code by inviting a victim to
a channel that contains malicious characters in the name.

Official patches can be found at:
ftp://ftp.bitchx.org/pub/BitchX/source/1.0c16-format.patch
ftp://ftp.bitchx.org/pub/BitchX/source/75p3-format.patch

Red Hat RPMs:
ftp://updates.redhat.com/powertools/6.2/sparc/BitchX-1.0c16-1.sparc.rpm
ftp://updates.redhat.com/powertools/6.2/alpha/BitchX-1.0c16-1.alpha.rpm
ftp://updates.redhat.com/powertools/6.2/i386/BitchX-1.0c16-1.i386.rpm

Mandrake RPMs:
http://www.rpmfind.net/linux/Mandrake/updates/6.1/RPMS/BitchX-75p3-12mdk.i586.rpm
http://www.rpmfind.net/linux/Mandrake/updates/7.0/RPMS/BitchX-75p3-12mdk.i586.rpm
http://www.rpmfind.net/linux/Mandrake/updates/7.1/RPMS/BitchX-75p3-12mdk.i586.rpm

FreeBSD packages:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/irc/BitchX-1.0c16.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/irc/BitchX-1.0c16.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/irc/BitchX-1.0c16.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/irc/BitchX-1.0c16.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/irc/BitchX-1.0c16.tgz

Caldera RPMs:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/irc-BX-75p3-5.i386.rpm

Conectiva RPMs:
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/BitchX-75p3-9cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/wserv-1.13-2cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/i386/BitchX-75p3-9cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/i386/wserv-1.13-2cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/BitchX-75p3-9cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/wserv-1.13-2cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/BitchX-75p3-9cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/wserv-1.13-2cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/BitchX-75p3-9cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/wserv-1.13-2cl.i386.rpm

Source: Vuln-Dev, Bugtraq, Red Hat, Mandrake, FreeBSD, Caldera, Conectiva
http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0018.html
http://archives.neohapsis.com/archives/bugtraq/2000-07/0063.html
http://archives.neohapsis.com/archives/bugtraq/2000-07/0071.html
http://archives.neohapsis.com/archives/bugtraq/2000-07/0105.html
http://archives.neohapsis.com/archives/freebsd/2000-07/0042.html
http://archives.neohapsis.com/archives/bugtraq/2000-07/0107.html
http://archives.neohapsis.com/archives/bugtraq/2000-07/0098.html

--> {00.29.002} Update to {00.27.007}: Wu-ftpd site exec remote buffer
                overflow

Multiple vendors have released updated packages that correct the
vulnerability discussed in {00.27.007} ("Wu-ftpd site exec remote buffer
overflow").

FreeBSD packages:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/ftp/wu-ftpd-2.6.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/ftp/wu-ftpd-2.6.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/ftp/wu-ftpd-2.6.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/ftp/wu-ftpd-2.6.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/ftp/wu-ftpd-2.6.0.tgz

Mandrake RPMs:
http://www.rpmfind.net/linux/Mandrake/updates/6.0/RPMS/wu-ftpd-2.6.0-7mdk.i586.rpm
http://www.rpmfind.net/linux/Mandrake/updates/6.1/RPMS/wu-ftpd-2.6.0-7mdk.i586.rpm
http://www.rpmfind.net/linux/Mandrake/updates/7.0/RPMS/wu-ftpd-2.6.0-7mdk.i586.rpm
http://www.rpmfind.net/linux/Mandrake/updates/7.1/RPMS/wu-ftpd-2.6.0-7mdk.i586.rpm
                
NetBSD has an updated package available at:
ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/net/wu-ftpd/

Source: FreeBSD, Mandrake, NetBSD
http://archives.neohapsis.com/archives/freebsd/2000-07/0039.html
http://archives.neohapsis.com/archives/bugtraq/2000-07/0017.html
http://archives.neohapsis.com/archives/bugtraq/2000-07/0130.html

--> {00.29.004} Update to {00.27.010}: Remote command execution in ISC
                DHCP client

SuSE and NetBSD have released updated packages that correct the
vulnerability discussed in {00.27.010} ("Remote command execution in
ISC DHCP client").

SuSE RPMs:
ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/dhclient-2.0pl2-3.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/dhclient-2.0pl2-3.alpha.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/n1/dhclient-2.0pl2-3.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/dhclient-2.0pl2-3.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/dhclient-2.0pl2-3.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/dhclient-2.0pl2-3.i386.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.3/n1/dhclient-2.0pl2-3.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/dhclient-2.0pl2-3.ppc.rpm

NetBSD:
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000708-dhclient

Source: SuSE, NetBSD (Bugtraq)
http://archives.neohapsis.com/archives/vendor/2000-q3/0003.html
http://archives.neohapsis.com/archives/bugtraq/2000-07/0133.html

--> {00.29.006} Setproctitle() vulnerabilities in various ftpds

OpenBSD ftpd, NetBSD ftpd, ProFTPd and Opieftpd have all been found
vulnerable to the setproctitle()-type of vulnerability that has recently
caused security problems in wu-ftpd.

OpenBSD patch:
http://www.openbsd.org/errata.html#ftpd

ProFTPd patch:
http://archives.neohapsis.com/archives/bugtraq/2000-07/0066.html

Opieftpd patch:
http://archives.neohapsis.com/archives/bugtraq/2000-07/0121.html

NetBSD patch:
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000708-ftpd

Source: Bugtraq, OpenBSD, NetBSD
http://archives.neohapsis.com/archives/bugtraq/2000-07/0061.html
http://archives.neohapsis.com/archives/bugtraq/2000-07/0066.html
http://archives.neohapsis.com/archives/bugtraq/2000-07/0121.html
http://archives.neohapsis.com/archives/bugtraq/2000-07/0129.html

--> {00.29.009} Tnef remote root compromise

Tnef versions before 0-124 contain a vulnerability that would let a
remote attacker overwrite arbitrary files on the system by sending
compressed attachments with absolute path names, encoded in TNEF
(Microsoft Outlook) encoding.

SuSE has released updated RPMs:

ftp://ftp.suse.com/pub/suse/axp/update/6.3/ap1/tnef-0-124.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/ap1/tnef-0-124.alpha.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/ap1/tnef-0-124.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/ap1/tnef-0-124.i386.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.3/ap1/tnef-0-124.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/ap1/tnef-0-124.ppc.rpm

Source: SuSE
http://archives.neohapsis.com/archives/vendor/2000-q3/0002.html

--> {00.29.011} Makewhatis /tmp symlink vulnerability

The makewhatis script, which compiles keyword databases for "man," uses
predictable temporary file names in /tmp, letting local users reset file
permissions on arbitrary system files and elevate privilege.

RedHat RPMs:
ftp://updates.redhat.com/5.2/i386/man-1.5h1-2.5.x.i386.rpm
ftp://updates.redhat.com/5.2/alpha/man-1.5h1-2.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/sparc/man-1.5h1-2.5.x.sparc.rpm
ftp://updates.redhat.com/6.2/alpha/man-1.5h1-2.6.x.alpha.rpm
ftp://updates.redhat.com/6.2/i386/man-1.5h1-2.6.x.i386.rpm
ftp://updates.redhat.com/6.2/sparc/man-1.5h1-2.6.x.sparc.rpm

Mandrake RPMs:
http://www.rpmfind.net/linux/Mandrake/updates/6.0/RPMS/man-1.5g-15mdk.i586.rpm
http://www.rpmfind.net/linux/Mandrake/updates/6.1/RPMS/man-1.5g-15mdk.i586.rpm
http://www.rpmfind.net/linux/Mandrake/updates/7.0/RPMS/man-1.5g-15mdk.i586.rpm
http://www.rpmfind.net/linux/Mandrake/updates/7.1/RPMS/man-1.5g-15mdk.i586.rpm

SuSE:
Claims to not be vulnerable.

Caldera RPMs:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/man-1.5f-6.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/man-1.5f-6.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/PMS/man-1.5g-2.i386.rpm
                
Source: Red Hat, Mandrake, SuSE, Caldera
http://archives.neohapsis.com/archives/bugtraq/2000-07/0050.html
http://archives.neohapsis.com/archives/bugtraq/2000-07/0086.html
http://archives.neohapsis.com/archives/bugtraq/2000-07/0126.html
http://archives.neohapsis.com/archives/bugtraq/2000-07/0110.html

--> {00.29.012} Poll_It CGI file retrieval

Poll_It CGI version 2.0 contains a vulnerability that lets a remote
attacker read arbitrary system files that are readable by the HTTPd
process.

No patches have been made available. Product home page:
http://www.cgi-world.com/pollit.html

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-07/0076.html

--> {00.29.013} Update to {00.28.017}: Multiple Sawmill vulnerabilities

FlowerFire has released Sawmill version 5.0.22, which corrects the
vulnerabilities discussed in {00.28.017}.

Download updated version from:
http://www.flowerfire.com/sawmill/

Source: FlowerFire (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-07/0080.html

--> {00.29.014} Possible remote DoS in Checkpoint FW-1

Reports have surfaced that indicate (another) remotely exploitable
denial of service in Checkpoint Firewall-1. Sending large amounts of
bogus traffic to port 264 drives system utilization to 100 percent, and
the GUI (both remote and local) becomes unresponsive. This has not
been widely confirmed, but we alert you so that you may be aware of
potential problems.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-07/0085.html

--> {00.29.019} Update to {00.24.032}: Multiple vulnerabilities in
                TACACS+ protocol/implementations

Cisco has released an updated version of its TACACS+ server, which was
found to be vulnerable, as discussed in {00.24.032} ("Multiple
vulnerabilities in TACACS+ protocol/implementations").

Download version F4.0.4alpha from:
ftp://ftp-eng.cisco.com/pub/tacacs

Source: Cisco (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-07/0122.html

--> {00.29.021} Libedit local config file override

The libedit library has been found to read in configuration files
(.editrc) from the local directory, regardless of location and
ownership. This leads to the possibility of a user processing a
Trojaned .editrc left by a local attacker. Depending on the program
using libedit, it may be possible to run arbitrary programs as the user
(as in the case of ftp).

FreeBSD has made a patch available:
fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:24/libedit.patch

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-07/0046.html

--> {00.29.024} LPRng should not be setuid root

A note from the LPRng maintainer: LPRng should not be installed setuid
root. Having LPRng setuid root lets local attackers append lpr trace
messages to any file on the system.

You should check to see if your lpd (shipped with LPRng) is setuid root,
and if so, chmod -s lpd.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-07/0117.html

------------------------------------------------------------------------

Copyright (c) 2000 CMP Media Inc. A service of Network Computing. All
Rights Reserved.

Distributed by Network Computing (http://www.networkcomputing.com) and
The SANS Institute (http://www.sans.org).