From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Jan 11 2001 - 14:06:13 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 079 (00.55)
Thursday, January 11, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
If you have any problems or questions, please e-mail us at
<consensus@nwc.com>.
----------------------------------------------------------------------
World-class training for those who must secure systems and networks.
Firewalls, Intrusion Detection, SANS Security Essentials and more.
----------------------------------------------------------------------
Think it's a no-brainer to be aware of what an application does to your
system when you install it, as well as how it is initially configured?
Sure it makes sense, but you'd be surprised what many admins don't know.
A large number of Web defacements are due to improper configuration of
publishing systems (such as FrontPage) or default CGI applications
(sample scripts and the like).
This week many people were debating the "security threat" of a default
Informix Webdriver install. The installation and manual indicate how to
configure the system properly so that it's secure; yet some admins may
not take the necessary steps. Those interested in the discussion can
read the "Vulnerabilities in Informix Webdriver" thread at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/
Security problems also can be introduced when a software vendor requires
you to make a configuration change. This has happened with the Exact
Dental application by Infocure. Infocure requires that a full-access,
non-password-protected file share be created for the software to work.
All admins should cringe at this requirement.
http://archives.neohapsis.com/archives/bugtraq/2001-01/0089.html
Lastly, there are times when the software makes modifications that are
hard to detect. For example, WinRoute Pro disables memory write
protection in Windows 2000. This is to allow the software to function
correctly, but it impacts the overall security of the system.
http://archives.neohapsis.com/archives/bugtraq/2001-01/0008.html
Security can be a tough battle, but a security-conscious admin should
be highly aware of the applications present on his or her systems, and
the associated impact of these apps. This is why proper use of staging
servers and change control is a vital aspect of security.
Until next week,
- Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{00.55.009} Win - The Bat! attachment directory override vulnerability
{00.55.015} Win - ImageCast Control Center DoS
{00.55.018} Win - IIS %3f+.htr file retrieval
{00.55.002} Linux - Update {00.54.012}: GTK+ arbitrary code execution
via GTK_MODULES environment variable
{00.55.007} Linux - Update {00.49.027}: Slocate user supplied database
buffer overflow
{00.55.003} NW - BorderManager mail proxy hangs when passing a large
attachment
{00.55.013} HPUX - Inetd swait DoS
{00.55.001} Cross - Emacs improper permissions on slave PTYs
{00.55.004} Cross - Exmh exmhErrorMsg symlink vulnerability
{00.55.005} Cross - IBM WebSphere ApfaCache memory leak DoS
{00.55.006} Cross - IBM WebSphere insecure configuration file
permissions
{00.55.008} Cross - Fastgraf whois/ping/traceroute/finger CGI command
execution
{00.55.010} Cross - Lotus Domino /.nsf/ arbitrary file reading
{00.55.011} Cross - Update {00.54.002}: Macromedia Shockwave Flash
plugin buffer overflow
{00.55.012} Cross - Extropia.com bbs_forum CGI arbitrary file reading
{00.55.014} Cross - News Desk CGI arbitrary file retrieval
{00.55.016} Cross - PGP 7 does not warn on tampered/changed signed
exported key blocks
{00.55.017} Cross - Lotus Domino incorrect user mailbox access
vulnerability
- --- Windows News -------------------------------------------------------
*** {00.55.009} Win - The Bat! attachment directory override
vulnerability
Ritlab's The Bat! version 1.48f and prior contain a vulnerability that
lets a malicious e-mail place an attachment in an arbitrary location on
the drive where The Bat! normally places attachments.
Version 1.49 fixes the problem, and is available from:
http://www.thebat.net/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0060.html
*** {00.55.015} Win - ImageCast Control Center DoS
StorageSoft's ImageCast version 4.1.0 contains a denial of service
vulnerability against the Control Center service. A remote attacker can
cause all system memory to be consumed or cause a crash by sending
malformed data packets to the service.
The vulnerability will be fixed in the next version of ImageCast.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0071.html
*** {00.55.018} Win - IIS %3f+.htr file retrieval
An advisory was released that indicates it is possible to retrieve the
source to files by appending "%3f+.htr" to the end of the request URL.
This problem is an extension of the "File Fragment" vulnerability
(previously reported in {00.21.005}, "MS00-031: Undelimited .HTR Request
and File Fragment Reading via .HTR patch").
No patches have been made available. Only IIS 5.0 is reported
vulnerable.
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0011.html
- --- Linux News ---------------------------------------------------------
*** {00.55.002} Linux - Update {00.54.012}: GTK+ arbitrary code
execution via GTK_MODULES environment variable
We wanted to provide closure for the vulnerability discussed in
{00.54.012} ("GTK+ arbitrary code execution via GTK_MODULES environment
variable"). The GTK+ development team has reported that GTK+ was not
intended for setuid/setgid operation, therefore any applications that
use GTK+ should not be setuid/setgid.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0027.html
*** {00.55.007} Linux - Update {00.49.027}: Slocate user supplied
database buffer overflow
Conectiva has released updated slocate packages, which fix the
vulnerability discussed in {00.49.027} ("Slocate user supplied database
buffer overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0000.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0000.html
- --- NetWare News -------------------------------------------------------
*** {00.55.003} NW - BorderManager mail proxy hangs when passing a
large attachment
Novell has released a patch for BorderManager that corrects a problem
when an incoming e-mail has an attachment that is larger than the
configured spool directory or maximum message size. This causes the
mail proxy to hang or crash (abend).
Novell has released bm35c10.exe.
Source: Novell
http://10.9.200.13/archives/novell-technews/2001-q1/0000.html
- --- HP-UX News ---------------------------------------------------------
*** {00.55.013} HPUX - Inetd swait DoS
HP has released patches to fix a denial of service in inetd that is
enabled if inetd is configured with the "swait" parameter. Note that
by default HP-UX does not use the swait parameter.
HP-UX patches:
HP-UX 10.20: PHNE_20747
HP-UX 10.24: PHNE_21699
HP-UX 11.00: PHNE_21835
HP-UX 11.04: PHNE_23068
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q1/0009.html
- --- Cross-Platform News ------------------------------------------------
*** {00.55.001} Cross - Emacs improper permissions on slave PTYs
Mandrake has released a security bulletin indicating that Emacs does
not set permissions on slave PTYs properly, letting a local attacker
eavesdrop on, or send data to, a local user's Emacs client. Emacs
version 20.6 and prior are vulnerable.
Mandrake has released updated RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0001.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-01/0001.html
*** {00.55.004} Cross - Exmh exmhErrorMsg symlink vulnerability
Exmh has been found to write an error log file to /tmp/exmhErrorMsg
whenever the user chooses to send an error report to the maintainer.
Since exmh will follow symlinks, a malicious local attacker could
perform a symlink attack, causing arbitrary files to be overwritten.
No patches have been made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0009.html
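The symlink-following write described above, beside its hardened counterpart, as an added Python example that is not part of the newsletter or of exmh itself; the /tmp path is replaced by a private temporary directory and all file names are constructed.

```python
import os
import tempfile

def unsafe_write_report(path, text):
    """Pattern the advisory describes: write to a fixed, predictable path with a
    plain open(), which happily follows a symlink planted there by another user."""
    with open(path, "w") as f:
        f.write(text)

def safe_write_report(path, text):
    """Hardened form: never follow a symlink and never reuse an existing file, so a
    planted link cannot redirect the write onto some other file. The file is also
    created with 0600 so other local users cannot read the report."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)

def demo():
    """Constructed scenario: 'victim' stands in for any file the attacker wants
    overwritten, 'exmhErrorMsg' is a symlink pointing at it (the /tmp link)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")
        link = os.path.join(d, "exmhErrorMsg")
        with open(victim, "w") as f:
            f.write("original\n")
        os.symlink(victim, link)
        unsafe_write_report(link, "error report\n")
        with open(victim) as f:
            clobbered = f.read() == "error report\n"   # the link was followed
        with open(victim, "w") as f:
            f.write("original\n")                      # restore for the second run
        try:
            safe_write_report(link, "error report\n")
            blocked = False
        except OSError:   # EEXIST (O_EXCL) or ELOOP (O_NOFOLLOW): link refused
            blocked = True
        with open(victim) as f:
            intact = f.read() == "original\n"
    return clobbered, blocked, intact
```

demo() returns (True, True, True): the naive write clobbers the target, the hardened write is refused and the target is untouched.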
*** {00.55.005} Cross - IBM WebSphere ApfaCache memory leak DoS
IBM WebSphere version 3.52 for Windows NT contains a memory leak in the
ApfaCache that may result in a remote attacker consuming all the
system's memory. The attacker can trigger the memory leak by sending a
malformed URL. This only affects WebSphere installations using Apache.
IBM recommends disabling the ApfaCache module until a fix is available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0079.html
*** {00.55.006} Cross - IBM WebSphere insecure configuration file
permissions
A report has recently surfaced that indicates IBM WebSphere does not
properly restrict access to the admin.config file, which contains user
IDs and passwords for database connections. This lets a local attacker
gain access to this information, and possibly leverage it to tamper with
the database(s).
No patches have been made available. We suggest you limit read access
to only the Web server's UID; however, if local users are allowed to
place dynamic Web content on the server (CGIs, PHP, ASP and so on), they
can still read the file.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0021.html
*** {00.55.008} Cross - Fastgraf whois/ping/traceroute/finger CGI
command execution
Fastgraf.com publishes various CGI utilities, including whois, ping,
traceroute and finger. All four contain vulnerabilities that let a
remote attacker execute command-line instructions under the UID of the
Web server.
No patches have been made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0055.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0059.html
*** {00.55.010} Cross - Lotus Domino /.nsf/ arbitrary file reading
A vulnerability has been found in Lotus Domino version 5.0.5 and prior
that lets a remote attacker read arbitrary files on the drive that
contains the Web content served by Lotus Domino.
Lotus has confirmed the problem and is working on a fix.
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0007.html
*** {00.55.011} Cross - Update {00.54.002}: Macromedia Shockwave Flash
plugin buffer overflow
Macromedia has looked into the vulnerability discussed in {00.54.002}
("Macromedia Shockwave Flash plugin buffer overflow"). The company
claims there is no way to execute arbitrary code, limiting the problem
to a denial of service (malicious Web sites can still crash the user's
Web browser).
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0099.html
*** {00.55.012} Cross - Extropia.com bbs_forum CGI arbitrary file
reading
The bbs_forum CGI from Extropia.com contains a vulnerability in the
handling of the read URL parameter that results in a remote attacker
viewing arbitrary files readable by the Web server's UID.
A vendor patch is available at:
http://www.extropia.com/hacks/bbs_security.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0097.html
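Detection logic for two of the Web-request issues in this issue, {00.55.018} (IIS "%3f+.htr" appended to a URL) and {00.55.012} (bbs_forum's "read" parameter), run over constructed access-log lines. This is an added example, not code from the newsletter or any vendor; the rule names and the assumption that an abusive "read" value looks like a path escaping its directory are mine.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common log format); not from the newsletter.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Jan/2001:14:06:13 -0600] "GET /default.asp HTTP/1.0" 200 1432
192.0.2.11 - - [11/Jan/2001:14:07:01 -0600] "GET /global.asa%3f+.htr HTTP/1.0" 200 2210
192.0.2.12 - - [11/Jan/2001:14:08:45 -0600] "GET /cgi-bin/bbs_forum.cgi?read=../../../../etc/passwd HTTP/1.0" 200 987
192.0.2.13 - - [11/Jan/2001:14:09:02 -0600] "GET /cgi-bin/bbs_forum.cgi?read=12 HTTP/1.0" 200 540
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')

def leaves_tree(value):
    """True when a file-name parameter points outside its directory (assumed shape)."""
    v = unquote(value).replace("\\", "/")
    return v.startswith("/") or ".." in v.split("/")

def classify(url):
    """Return the names of the rules this request URL matches."""
    hits = []
    # {00.55.018}: "%3f+.htr" appended to the request URL (IIS 5.0 source retrieval).
    if url.lower().endswith("%3f+.htr"):
        hits.append("iis-htr-source-disclosure")
    # {00.55.012}: bbs_forum's "read" parameter. The newsletter only says the
    # parameter lets arbitrary files be read; the traversal shape is an assumption.
    parts = urlsplit(url)
    if parts.path.lower().endswith("bbs_forum.cgi"):
        for value in parse_qs(parts.query).get("read", []):
            if leaves_tree(value):
                hits.append("bbs_forum-read-traversal")
                break
    return hits

def scan_log(text):
    """Return (client ip, url, rule names) for each log line that trips a rule."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip lines that are not in common log format
        hits = classify(m.group("url"))
        if hits:
            findings.append((m.group("ip"), m.group("url"), hits))
    return findings
```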
*** {00.55.014} Cross - News Desk CGI arbitrary file retrieval
The News Desk CGI application by Ibrow.com contains a vulnerability that
lets a remote attacker view arbitrary files on the Web server that are
readable by the Web server's UID. It also may be possible to execute
command-line instructions.
A fix is intended for the next version.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0042.html
*** {00.55.016} Cross - PGP 7 does not warn on tampered/changed signed
exported key blocks
A vulnerability in PGP version 7 has been found where PGP will ignore
the signature on a signed exported key block. If an attacker can gain
write access to the exported key block, he or she can change the
contained key and PGP will not warn of the change (even though the key
block is signed).
All Windows platforms have been reported as vulnerable; however, we
wanted to make other platforms aware of the problem.
NAI has been contacted but has not released any patches.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0072.html
*** {00.55.017} Cross - Lotus Domino incorrect user mailbox access
vulnerability
A report was released detailing a problem in Lotus Domino that would
let an authenticated user access any other user's mailbox by modifying
the returned value for the mailbox storage location.
No patches have been made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0077.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE6Xg+A+LUG5KFpTkYRAnCIAKCQMyVhKq0+c7noFmlVS09ou4nMoQCeOPrA
sPEGa/HiYFib/2u5VStHnfs=
=zOXR
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
If this e-mail was passed to you and you would like to begin receiving
our security e-mail newsletter on a weekly basis, we invite you to
subscribe today at http://www.networkcomputing.com/consensus/. Become
a Security Alert Consensus member!
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at
(http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46)
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note:
To better secure your confidential information, we will no longer
include personal URLs in our Consensus newsletter mailings. Instead, we
have created a new form, located at http://www.sans.org/sansurl. There,
you can enter the SD number located near your name at the top of the
newsletter. When you submit this form, an e-mail containing a URL will
be sent to you at the e-mail address on record. With this URL, you can
make changes to your account (edit the content of your Consensus
mailing, for example) without endangering the security of your personal
URL. If you'd like to change your e-mail address or other information
or unsubscribe from this newsletter, please visit your new URL as
described above. If you have any problems or questions, e-mail us at
<consensus@nwc.com>.
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at
http://archives.neohapsis.com/.
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
Rights Reserved.
Distributed by Network Computing (http://www.networkcomputing.com) and
The SANS Institute (http://www.sans.org).
Powered by Neohapsis, Inc., a Chicago-based security assessment and
integration services consulting group. info@neohapsis.com
http://www.neohapsis.com/