From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Jan 25 2001 - 13:49:55 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 081 (00.57)
Thursday, January 25, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
If you have any problems or questions, please e-mail us at
<consensus@nwc.com>.
----------------------------------------------------------------------
*** Sponsored by Tripwire, Inc. ***
Can you trust the integrity of your data and network?
With Tripwire software you can! Attend a FREE online seminar from
Tripwire, Inc. and receive a FREE copy of Richard Power's book, "Tangled
Web: Tales of Digital Crime from the Shadows of Cyberspace."
Sign up today! http://www.tripwire.com/products/register.cfml?semID=37
----------------------------------------------------------------------
An interesting report surfaced this week that detailed the inherent
problems of DHTML when used in combination with Web applications,
particularly Web-based e-mail. It's possible to construct an HTML page
that uses dynamic divisions and layers to place an invisible layer over
elements within the Web browser. This means, for example, a malicious
e-mail read in a Web-based e-mail viewer could actually 'capture' the
clicks of a user when he or she clicks on the various Web e-mail
controls (note: the controls do not have to be located in the actual
e-mail message body). This allows for various social engineering and
misrepresentation attacks to occur. Unfortunately, there is no easy
solution.
http://archives.neohapsis.com/archives/bugtraq/2001-01/0366.html
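The item above says there is no easy solution; one partial mitigation on the webmail side is to strip from the message body the DHTML features the overlay trick depends on (layers, absolute positioning, transparency, scripts) before the body is rendered next to the mail client's own controls. The sanitizer below is an added example, not code from this newsletter or from the Bugtraq report; it assumes the webmail front end renders the message inline in the same document as its controls and can afford to lose positioning CSS in e-mail markup. The sample message it is exercised on is constructed for the example.

```python
# Added example (not from the Security Alert Consensus issue or the Bugtraq
# report it summarizes): a webmail-side sanitizer that removes the DHTML
# features the overlay trick relies on before a message body is rendered.
# Assumptions: the webmail front end renders the message body inline in the
# same document as its own controls, and can afford to drop positioning CSS,
# layers and scripts from e-mail markup.
from html.parser import HTMLParser
import html

# Elements that can create a layer over the mail client's own controls, or run code.
DROP_ELEMENTS = {"script", "layer", "ilayer", "iframe", "object", "embed", "style"}
# CSS properties that let message markup position an element over something else.
DROP_CSS = {"position", "z-index", "opacity", "visibility", "top", "left",
            "right", "bottom", "clip"}

# Constructed sample: an invisible full-size layer placed over the page, plus script.
SAMPLE_MESSAGE = (
    '<p>Hi</p>'
    '<div style="position:absolute;top:0;left:0;opacity:0;z-index:99;'
    'width:100%;height:100%" onclick="steal()">Click</div>'
    '<script>evil()</script>'
    '<a href="http://example.com">link</a>'
)


def clean_style(style):
    """Drop the positioning/visibility declarations from an inline style attribute."""
    kept = []
    for decl in style.split(";"):
        prop, sep, value = decl.partition(":")
        if not sep or prop.strip().lower() in DROP_CSS:
            continue
        kept.append(f"{prop.strip()}:{value.strip()}")
    return ";".join(kept)


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives decoded
        self.out = []
        self.skip_depth = 0         # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self.skip_depth += 1    # swallow the element and everything inside it
            return
        if self.skip_depth:
            return
        parts = [tag]
        for name, value in attrs:
            if name.startswith("on"):           # inline event handlers
                continue
            if name == "style":
                value = clean_style(value or "")
                if not value:
                    continue
            if value is None:
                parts.append(name)
            else:
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_ELEMENTS:    # e.g. <script/>: nothing to skip, nothing to emit
            return
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize_mail_html(body):
    """Return the message body with layering, positioning and script removed."""
    p = MailSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    print(sanitize_mail_html(SAMPLE_MESSAGE))
```

The trade-off is visible in the property list: dropping `position`, `top` and `left` also breaks legitimate layout in HTML mail, which is why the newsletter's "no easy solution" still stands; HTML comments are dropped as well, since `html.parser` does not pass them to this subclass.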
An interesting thread also spawned on the use of Windows 2000 EFS
(Encrypted File System). EFS seemingly will make a backup copy of a file
before encrypting the original. Upon successful encryption, the backup
file is merely deleted. However, the forensic experts in the crowd will
know that deleting a file does not actually delete the contents of the
file, which are still readable on the disk by a low-level sector editor.
Microsoft has documented this phenomenon already, and it is part of EFS
design. The company recommends using encrypted directories (as opposed
to single encrypted files). Ironically, Microsoft says EFS can be used
to secure temporary files created by applications such as Microsoft
Word. We suppose the company didn't say anything about the temporary
files created when encrypting those temporary files created by Word.
http://archives.neohapsis.com/archives/bugtraq/2001-01/0324.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0358.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0365.html
Until next week,
- Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{00.57.011} Win - MS01-002: PowerPoint file-parsing vulnerability
{00.57.012} Win - Malformed packet causes eEye Iris to crash
{00.57.019} Win - Netscape Fasttrack server caching DoS
{00.57.020} Win - LocalWeb2000 directory traversal vulnerability
{00.57.030} Win - FastStream FTP++ server multiple vulnerabilities
{00.57.031} Win - Goodtech Systems FTP server connection DoS
{00.57.001} Linux - Update {00.56.034}: glibc incorrectly loads
libraries from ld.so.cache for suid/sgid applications
{00.57.002} Linux - Update {00.56.005}: PHP Apache module OPTIONS
directory configuration vulnerability
{00.57.008} Linux - Update {00.56.014}: jaZip DISPLAY environment
variable buffer overflow
{00.57.009} Linux - Update {00.56.031}: Multiple vulnerabilities in
splitvt
{00.57.021} Linux - Update {00.56.044}: SuSE rctab insecure temp file
handling
{00.57.033} Linux - Update {00.56.019}: wu-ftpd privatepw temp file
race condition
{00.57.005} Sol - /usr/bin/cu program name buffer overflow
{00.57.004} HPUX - DoS in Support Tools Manager
{00.57.027} NApps - Watchguard Firebox allows users with read access to
get read-write access
{00.57.035} NApps - Easycom/Safecom print server multiple
vulnerabilities
{00.57.006} Cross - Postaci arbitrary SQL execution
{00.57.007} Cross - FireWall-1 limited IP license DoS
{00.57.010} Cross - bing reverse DNS lookup buffer overflow
{00.57.013} Cross - Three vulnerabilities in MySQL
{00.57.014} Cross - Lotus SMTP server "mail to" buffer overflow when
policies enabled
{00.57.015} Cross - Multiple vulnerabilities in micq
{00.57.016} Cross - Update {00.53.036}: Oracle oidldapd multiple
vulnerabilities
{00.57.017} Cross - Update {00.48.026}: Oracle Connection Manager
Control buffer overflow
{00.57.018} Cross - Update {00.56.045}: Oracle XSQL Servlet
client-supplied style-sheet vulnerability
{00.57.022} Cross - SSH secure-rpc support exposes SSH 'magic phrases'
{00.57.023} Cross - Shoutcast server description buffer overflow/DoS
{00.57.024} Cross - Webmin insecure temp file handling
{00.57.025} Cross - icecast server fd_write() format string
vulnerability
{00.57.026} Cross - tinyproxy httperr() buffer overflow
{00.57.028} Cross - Oracle JSP/SQLJSP handlers allow arbitrary file
reading and .jsp execution
{00.57.029} Cross - wwwais query_string buffer overflow
{00.57.032} Cross - sash leaves /etc/shadow world-readable
{00.57.034} Cross - VNC authentication vulnerabilities
{00.57.003} Tools - Bind 9.1.0 now available
--- Windows News -------------------------------------------------------
*** {00.57.011} Win - MS01-002: PowerPoint file-parsing vulnerability
Microsoft has released MS01-002 ("PowerPoint file-parsing
vulnerability"). A maliciously crafted PowerPoint presentation can
trigger a buffer overflow when PowerPoint opens the file. This can be
used to execute arbitrary code under the user's privileges.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/ms01-002.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q1/0011.html
*** {00.57.012} Win - Malformed packet causes eEye Iris to crash
eEye's Iris network analyzer (version 1.1) has been found to crash when
a particular malformed packet is captured and viewed. This results in
a denial of service against the Iris application.
This vulnerability has been confirmed by the vendor and has been fixed
in Iris version 2.0.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0343.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0352.html
*** {00.57.019} Win - Netscape Fasttrack server caching DoS
A vulnerability was reported in Netscape's Fasttrack server version 4.1
whereby a remote attacker can abuse the caching feature of the server
by requesting many unique URLs, degrading performance on the server.
The report indicates that the vendor confirmed the problem; however,
since Fasttrack was not meant to be used in production environments, it
will not be fixed immediately. A possible workaround is available at:
http://help.netscape.com/kb/corporate/20000313-1.html
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0031.html
*** {00.57.020} Win - LocalWeb2000 directory traversal vulnerability
LocalWeb2000 version 1.1.0 is vulnerable to a directory traversal
attack, whereby a remote attacker uses '../' URL notation to access
arbitrary files outside the Web root on the target server.
The report indicates confirmation of the vulnerability from the vendor,
which should fix it in a future release.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0346.html
*** {00.57.030} Win - FastStream FTP++ server multiple vulnerabilities
FastStream's FTP++ server (version 2 beta 10 build 2) contains multiple
vulnerabilities. A remote attacker can cause the service to be
unresponsive by sending an overly long user name upon login. Remote
users can also view arbitrary files on any drive (even logged in as
anonymous). Lastly, the password authentication has been reported to
have problems.
The report indicates vendor confirmation of these vulnerabilities; the
vendor has released version 2 beta 10 build 3, which is available at:
http://www.fastream.com/
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0027.html
*** {00.57.031} Win - Goodtech Systems FTP server connection DoS
Goodtech Systems' FTP server version 3.0.1.2.1.0 has been found to be
vulnerable to a denial of service that causes the service to become
unresponsive or crash when many consecutive connections are made by a
remote attacker.
The report indicates vendor confirmation; the vendor has an updated
version available for download from:
http://www.goodtechsys.com/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0350.html
--- Linux News ---------------------------------------------------------
*** {00.57.001} Linux - Update {00.56.034}: glibc incorrectly loads
libraries from ld.so.cache for suid/sgid applications
Immunix, Trustix and Mandrake have released updated glibc packages that
fix the vulnerability discussed in {00.56.034} ("glibc incorrectly loads
libraries from ld.so.cache for suid/sgid apps").
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0032.html
Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0349.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0001.html
Source: Immunix, Mandrake, Trustix (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0032.html
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0001.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0349.html
*** {00.57.002} Linux - Update {00.56.005}: PHP Apache module OPTIONS
directory configuration vulnerability
Mandrake and Conectiva have released updated php packages that fix the
vulnerability discussed in {00.56.005} ("PHP Apache module OPTIONS
directory configuration vulnerability").
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0002.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0004.html
Source: Mandrake, Conectiva
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0002.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0004.html
*** {00.57.008} Linux - Update {00.56.014}: jaZip DISPLAY environment
variable buffer overflow
Debian has released updated jazip packages that fix the vulnerability
discussed in {00.56.014} ("jaZip DISPLAY environment variable buffer
overflow").
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0009.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0009.html
*** {00.57.009} Linux - Update {00.56.031}: Multiple vulnerabilities in
splitvt
Debian has released updated splitvt packages that fix the vulnerability
discussed in {00.56.031} ("Multiple vulnerabilities in splitvt").
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0010.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0010.html
*** {00.57.021} Linux - Update {00.56.044}: SuSE rctab insecure temp
file handling
SuSE has confirmed the vulnerability discussed in {00.56.044} ("SuSE
rctab insecure temp file handling").
Rctab will be removed from future SuSE distributions; current users
should replace the 'mkdir -p ${tmpdir}' line with 'mkdir ${tmpdir}' in
/sbin/rctab.
Source: SuSE (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-01/0272.html
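The rctab fix above (replace `mkdir -p ${tmpdir}` with `mkdir ${tmpdir}`) is a one-word change, so it is worth seeing why it matters: `mkdir -p` succeeds silently when the directory already exists, so whoever created it first (with whatever permissions, or as a symlink of that name) controls it, while plain `mkdir` fails on a pre-existing name. The Python below is an added example, not SuSE's script; it models the two behaviours with `os.makedirs(exist_ok=True)` and `os.mkdir`, shows the usual preferred form (`tempfile.mkdtemp`, unpredictable name and mode 0700), and includes the check a practitioner would run on a work directory before trusting it. The same pattern applies to the other insecure-temp-file items in this issue.

```python
# Added example (not from the newsletter or from SuSE's rctab): why
# 'mkdir -p' is the wrong call for a temporary work directory, and what to
# use instead. Assumed names: make_workdir_* and is_private_dir are this
# example's own.
import os
import stat
import tempfile


def make_workdir_mkdir_p(path):
    """Equivalent of 'mkdir -p': succeeds even if someone else created path first."""
    os.makedirs(path, exist_ok=True)
    return path


def make_workdir_mkdir(path):
    """Equivalent of plain 'mkdir': refuses a pre-existing name (including a symlink)."""
    os.mkdir(path, 0o700)   # raises FileExistsError if path already exists
    return path


def make_workdir_safe(prefix="rctab-"):
    """Preferred: unpredictable name, mode 0700, created atomically."""
    return tempfile.mkdtemp(prefix=prefix)


def is_private_dir(path):
    """True if path is a real directory (not a symlink) owned by us with no
    group/world permission bits: the state a work directory should be in."""
    st = os.lstat(path)                     # lstat: do not follow a planted symlink
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == os.getuid()
            and (st.st_mode & 0o077) == 0)


if __name__ == "__main__":
    # Constructed scenario: a local user pre-creates the predictable name.
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "work")
    os.mkdir(victim, 0o777)
    print("mkdir -p accepted it:", make_workdir_mkdir_p(victim), is_private_dir(victim))
    try:
        make_workdir_mkdir(victim)
    except FileExistsError:
        print("plain mkdir refused the pre-created directory")
    safe = make_workdir_safe()
    print("mkdtemp gave", safe, "private:", is_private_dir(safe))
    os.rmdir(safe)
    os.rmdir(victim)
    os.rmdir(base)
```

Plain `mkdir` only turns the race into a denial of service (the script fails instead of being hijacked), which is why SuSE removes rctab entirely rather than keeping the patched form.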
*** {00.57.033} Linux - Update {00.56.019}: wu-ftpd privatepw temp file
race condition
Debian has released an updated wu-ftpd package, which fixes the
vulnerability discussed in {00.56.019} ("wu-ftpd privatepw temp file
race condition").
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0013.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0013.html
--- Solaris News -------------------------------------------------------
*** {00.57.005} Sol - /usr/bin/cu program name buffer overflow
A buffer overflow has been reported in /usr/bin/cu that is triggered
when cu attempts to make a copy of the program name (argv[0]). The
vulnerability would allow a local attacker to gain euid uucp, which then
could possibly be leveraged to gain other privileges by installing
Trojaned versions of uuencode and uudecode.
This vulnerability has been confirmed by the vendor, which is in the
process of producing patches. You can reduce your risk in the meantime
by changing all uucp user-owned files (except those that are setuid) to
be owned by root instead, thus not allowing an attacker who gains uid
uucp to substitute a Trojan.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0289.html
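The interim workaround above asks an administrator to find every file owned by the uucp user that is not setuid and chown it to root, so that euid uucp no longer buys the ability to replace uuencode or uudecode. The audit below is an added example, not Sun's or the reporter's code; it walks a tree and lists exactly those files so the chown can be reviewed before it is applied. Function names are this example's own, and it reports rather than changes ownership.

```python
# Added example (not from the newsletter or the Bugtraq report): list regular
# files owned by a given user that are NOT setuid, i.e. the files the cu
# workaround says to re-own to root. Names (find_chown_candidates etc.) are
# this example's own; it only reports, it does not chown anything.
import os
import pwd
import stat
import sys


def owned_but_not_setuid(mode, uid, target_uid):
    """True for a regular file owned by target_uid without the setuid bit."""
    return (stat.S_ISREG(mode)
            and uid == target_uid
            and not (mode & stat.S_ISUID))


def find_chown_candidates(root, target_uid):
    """Walk root and return the sorted paths that owned_but_not_setuid selects."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: judge the link itself, not its target
            except OSError:
                continue                     # vanished or unreadable entry: skip
            if owned_but_not_setuid(st.st_mode, st.st_uid, target_uid):
                hits.append(path)
    return sorted(hits)


def uid_of(username):
    return pwd.getpwnam(username).pw_uid


if __name__ == "__main__":
    # Usage: python audit.py /usr/lib/uucp uucp
    root, user = sys.argv[1], sys.argv[2]
    for p in find_chown_candidates(root, uid_of(user)):
        print(p)
```

Setuid files are deliberately left out of the listing because re-owning a setuid binary to root would change which uid it runs as; those need a separate decision.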
--- HP-UX News ---------------------------------------------------------
*** {00.57.004} HPUX - DoS in Support Tools Manager
HP has released patches that fix a denial of service found in the
Support Tools Manager package. No supporting information was provided
by HP.
This vulnerability is confirmed by vendor patch.
Patches available for download:
HP-UX 11.11: PHSS_23067
HP-UX 11.00: PHSS_23066
HP-UX 10.20/800: PHSS_23065
HP-UX 10.20/700: PHSS_23064
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q1/0016.html
--- Network Appliances News --------------------------------------------
*** {00.57.027} NApps - Watchguard Firebox allows users with read
access to get read-write access
A vulnerability has been found in Watchguard's Firebox II with firmware
versions 4.0 through 4.5 that would allow a user with read-only access
to gain read-write access to the Firebox, thus elevating his or her
privileges. This is due to the Firebox's allowing read-only users to
download a file that contains the read-write password hash, which is
then supplied to gain read-write access (no need to crack the password).
The vendor has confirmed the vulnerability and has released Hotfix
010107 to fix the vulnerability, available at:
https://www.watchguard.com/esupport.htm
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0342.html
*** {00.57.035} NApps - Easycom/Safecom print server multiple
vulnerabilities
Easycom/Safecom's print server, with firmware version 404.590, is
vulnerable to multiple denial-of-service attacks. A remote attacker can
make malformed connections and requests to the myriad services provided
by the print server.
The vendor has not confirmed the problem.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0375.html
--- Cross-Platform News ------------------------------------------------
*** {00.57.006} Cross - Postaci arbitrary SQL execution
The Postaci Web mail software has been found to incorrectly filter user
input before passing the data to SQL queries. This allows remote
attackers to modify and execute arbitrary SQL queries, which could lead
to them tampering with the database and possible system interaction.
This vulnerability has not been confirmed by the vendor.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0287.html
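The Postaci item is the standard failure to filter input before it reaches SQL. The example below is added here, not Postaci's code: a login lookup written the way the report describes (user input concatenated into the query), alongside the parameterized form that makes the same input harmless. It uses an in-memory SQLite table constructed for the example; the table and rows are not from the page.

```python
# Added example (not Postaci's code): the same lookup with and without
# parameterized queries. The users table and its rows are constructed here.
import sqlite3


def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, username, password):
    """Input is spliced straight into the SQL text, so quotes in it change the query."""
    q = (f"SELECT username FROM users WHERE username = '{username}' "
         f"AND password = '{password}'")
    return [row[0] for row in db.execute(q)]


def login_safe(db, username, password):
    """Placeholders: the driver passes the values separately from the SQL text,
    so a quote in the password is just a character in the comparison."""
    q = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(q, (username, password))]


if __name__ == "__main__":
    db = setup_db()
    bad = "' OR '1'='1"          # constructed input containing a quote
    print("vulnerable:", login_vulnerable(db, "alice", bad))   # every user
    print("safe:      ", login_safe(db, "alice", bad))         # nobody
```

Note that the vulnerable version returns rows for both users because `AND` binds tighter than `OR`: the predicate becomes `(username = 'alice' AND password = '') OR '1'='1'`. Escaping quotes by hand is the weaker fix; binding parameters removes the problem for every input.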
*** {00.57.007} Cross - FireWall-1 limited IP license DoS
A denial of service has been reported for Checkpoint FireWall-1 version
4.1, using a limited IP license. A remote attacker can send packets with
spoofed source addresses to an internal FireWall-1 interface (such as
a DMZ), which would cause FireWall-1 to exceed its IP limit. For every
packet that exceeds the IP limit, the firewall will print a warning
indicating the condition, along with a listing of currently valid IPs.
By sending many packets, the attacker causes the console messages to
backlog, causing the firewall to stay at 100 percent CPU utilization.
Note that you cannot stop this attack with firewall rule sets, since
the IP-limit counting happens before rule sets are processed.
The report indicated vendor confirmation, and the suggested workaround
(until an appropriate fix is available) is to run 'fw ctl debug -buf'
on the target machine.
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0298.html
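Because the license count is taken before the rule base runs, the only things a defender can see are the symptoms: source addresses on an internal interface that do not belong to that interface's network, and the number of distinct addresses creeping toward the license limit. The script below is an added example, not a Check Point tool or the reporter's code: it runs both checks over a few constructed log lines, using an assumed interface-to-network topology. Field names (`iface=`, `src=`) and the topology are this example's own, not FireWall-1's log format.

```python
# Added example (not a Check Point tool, not from the Bugtraq report): flag
# packets whose source address cannot legitimately appear on the interface
# that received them, and count how many distinct legitimate addresses are
# consuming the IP license. Log format and topology are constructed here.
import ipaddress

# Assumed topology: which networks may source traffic on each interface.
INTERFACE_NETS = {
    "dmz":      [ipaddress.ip_network("192.0.2.0/24")],
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
}

# Constructed sample log: three of the five packets carry spoofed sources.
SAMPLE_LOG = """\
iface=dmz src=192.0.2.10
iface=dmz src=198.51.100.5
iface=dmz src=198.51.100.6
iface=internal src=10.1.2.3
iface=internal src=203.0.113.9
"""


def parse_line(line):
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["iface"], fields["src"]


def is_spoofed(iface, src):
    """True unless src falls inside a network configured for iface."""
    nets = INTERFACE_NETS.get(iface)
    if nets is None:
        return True                          # unknown interface: treat as suspect
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in nets)


def audit_log(text, license_limit):
    """Return (spoofed packets, distinct legitimate sources, over-limit flag)."""
    spoofed = []
    legit = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        iface, src = parse_line(line)
        if is_spoofed(iface, src):
            spoofed.append((iface, src))
        else:
            legit.add(src)
    return spoofed, len(legit), len(legit) > license_limit


if __name__ == "__main__":
    spoofed, count, over = audit_log(SAMPLE_LOG, license_limit=3)
    for iface, src in spoofed:
        print(f"spoofed source {src} on {iface}")
    print(f"{count} legitimate addresses in use, over limit: {over}")
```

In the sample the spoofed packets never count toward the license figure, which is the point of the separation: the alert on spoofed sources fires long before the address count does.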
*** {00.57.010} Cross - bing reverse DNS lookup buffer overflow
A buffer overflow has been found in bing. An attacker can construct a
particular DNS name that is returned on a reverse DNS query by bing,
which results in a buffer overflow. Since bing runs as setuid root, a
remote attacker can execute arbitrary code. A local attacker could also
use it to elevate his or her privileges.
This vulnerability has been confirmed by the FreeBSD development group.
FreeBSD's patch for the vulnerability can be found at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0333.html
Note: FreeBSD has been patched since 3/5/2000.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0330.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0333.html
*** {00.57.013} Cross - Three vulnerabilities in MySQL
Three vulnerabilities have been found in MySQL prior to version 3.23.31.
One buffer overflow exists in the sql_print_error() function, which is
only vulnerable if MySQL was compiled with debug support. Another buffer
overflow exists in the find_field_in_tables() function and would let an
attacker who is capable of connecting to the database execute arbitrary
code under the UID of the database. Lastly, a problem with the 'SHOW
GRANTS' parsing would allow an attacker who is capable of connecting to
the database to retrieve the password hashes of all users, which could
then be brute-forced offline.
These vulnerabilities have been confirmed by the vendor. The latest
version of MySQL is 3.23.32, which has been recently declared stable.
New versions can be downloaded from:
http://www.mysql.com/
Mandrake, Red Hat and Debian have also released updates.
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0012.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q1/0005.html
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0019.html
Source: Mandrake, Debian, RedHat
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0012.html
http://archives.neohapsis.com/archives/vendor/2001-q1/0005.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0019.html
*** {00.57.014} Cross - Lotus SMTP server "mail to" buffer overflow
when policies enabled
The Lotus Domino/Notes SMTP server version 5.0.5 and before contains a
buffer overflow in the checking of allowed incoming mail domains ("mail
to") when used in conjunction with mail relay policies. The report
indicates that the attacker may be able to execute arbitrary code;
however, Lotus believes it to be only a denial of service.
This vulnerability has been confirmed by the vendor and is fixed in
version 5.0.6.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0360.html
*** {00.57.015} Cross - Multiple vulnerabilities in micq
Micq versions 0.4.6 (and possibly prior) contain multiple buffer
overflows that may allow a remote attacker to execute arbitrary code on
the user's system under the uid of the user.
This vulnerability has been confirmed by Debian, which has released an
updated version.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q1/0004.html
Source: SecurityFocus Bugtraq, Debian
http://archives.neohapsis.com/archives/bugtraq/2001-01/0307.html
http://archives.neohapsis.com/archives/vendor/2001-q1/0004.html
*** {00.57.016} Cross - Update {00.53.036}: Oracle oidldapd multiple
vulnerabilities
Oracle has confirmed and provided patches for the vulnerability
discussed in {00.53.036} ("Oracle oidldapd multiple vulnerabilities").
Oracle has released OID version 2.0, release 2.0.6.3 for Solaris. Other
platforms are forthcoming; in the meantime, Oracle recommends changing
the permissions on oidldap and oidmon to 710.
Patches are available through Oracle's support site:
http://metalink.oracle.com/
Source: Oracle (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-01/0325.html
*** {00.57.017} Cross - Update {00.48.026}: Oracle Connection Manager
Control buffer overflow
Oracle has confirmed and released patches for the vulnerability
discussed in {00.48.026} ("Oracle Connection Manager Control buffer
overflow").
Oracle has released patch sets for Oracle 8i releases 8.1.6 and 8.1.5,
as well as Oracle 8 releases 8.0.5, 8.0.4, and 8.0.3. The patch sets
are available on Oracle's support site: http://metalink.oracle.com/
Source: Oracle (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-01/0316.html
*** {00.57.018} Cross - Update {00.56.045}: Oracle XSQL Servlet
client-supplied style-sheet vulnerability
Oracle has confirmed and released updates for the vulnerability
discussed in {00.56.045} ("Oracle XSQL Servlet client-supplied
style-sheet vulnerability").
The problem is found in the XSQL Servlet (release 1.0.0.0), which is
included in the Oracle Internet Application Server, release 1.0.0.0.
XSQL releases 1.0.1.0 through 1.0.3.0 on all platforms are also
affected. Oracle has released an updated version of the XSQL Servlet
(release 1.0.4.0), which can be downloaded from:
http://otn.oracle.com/tech/xml/xsql_servlet
Patch sets for Oracle 8i are forthcoming.
Source: Oracle (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-01/0364.html
*** {00.57.022} Cross - SSH secure-rpc support exposes SSH 'magic
phrases'
SSH version 1.2.30 (and possibly prior) contains a vulnerability when
used in conjunction with secure-rpc support (which is typically only
found on Solaris systems). If a user generates an SSH key using
'SUN-DES-1' encryption for the magic phrase, it may be possible for
attackers to recover the magic phrase, allowing them to gain access to
a user's private SSH key.
This vulnerability has been confirmed by the vendor; a patch is
available at:
http://www.ipsec.com/products/ssh/patches.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0262.html
*** {00.57.023} Cross - Shoutcast server description buffer overflow/DoS
A vulnerability has been found in the Shoutcast Linux server version
1.7.1 (other versions and platforms may be affected). It is possible
for a remote attacker to crash the server by sending an overly long
description string to a server that is not already broadcasting a music
stream. It is unknown at this time if it is possible to execute
arbitrary code or if the vulnerability is limited to a denial of
service.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0305.html
*** {00.57.024} Cross - Webmin insecure temp file handling
Caldera has released an updated Webmin package that fixes a
vulnerability in Webmin that allows local attackers to possibly elevate
their privileges because of improper temporary file handling.
This vulnerability has been confirmed by a patch from Caldera.
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0344.html
Source: Caldera (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-01/0344.html
*** {00.57.025} Cross - icecast server fd_write() format string
vulnerability
Icecast server version 1.3.8beta2 and prior contain a format bug in the
fd_write() function, which could result in a remote attacker executing
arbitrary code under the privileges of the icecast server.
This vulnerability has not been confirmed; however, a third-party patch
is available at:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0348.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0348.html
*** {00.57.026} Cross - tinyproxy httperr() buffer overflow
A buffer overflow was found in tinyproxy versions 1.3.2 and 1.3.3, which
allows a remote attacker to execute arbitrary code on the server under
the privileges of the tinyproxy service.
The vulnerability has been confirmed by the vendor, which has released
version 1.3.3a:
http://tinyproxy.sourceforge.net/tinyproxy-1.3.3a.tar.gz
Debian has also released updated DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q1/0012.html
Source: SecurityFocus Bugtraq, Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0012.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0280.html
*** {00.57.028} Cross - Oracle JSP/SQLJSP handlers allow arbitrary file
reading and .jsp execution
Oracle's JSP/SQLJSP handlers shipped with Oracle release 8.1.7 (Windows
2000 was the tested platform; others may be vulnerable as well) are
vulnerable to reverse directory traversal ('../') URL notation, thus
allowing the execution of .jsp files outside the Webroot. In addition,
because of the way the JSP handler caches Java source files, it is
possible to read arbitrary files on the same drive as the Webroot.
This vulnerability has not been confirmed; however, it has been reported
by a notable researcher.
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0028.html
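Both the LocalWeb2000 item and the Oracle JSP item above come down to the same missing check: a request path containing `../` is joined to the Web root and served without confirming the result is still inside it. The function below is an added example, not either vendor's code, and is somewhat more general than the two reports: it decodes URL encoding (repeatedly, so a double-encoded `..` does not slip through one pass), accepts backslashes as separators the way Windows servers do, and then joins and normalizes before comparing against the root. The Web root and request paths in the usage are constructed.

```python
# Added example (not LocalWeb2000's or Oracle's code): resolve a URL path
# under a Web root and refuse anything that ends up outside it. The root and
# request paths used below are constructed for the example.
import os
import posixpath
from urllib.parse import unquote


def resolve_under_root(web_root, url_path, max_decode=3):
    """Return the filesystem path for url_path, or None if it escapes web_root."""
    decoded = url_path.split("?", 1)[0]          # query string is not part of the path
    for _ in range(max_decode):                  # decode until stable: %252e%252e -> ..
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:                        # NUL would truncate the path in C code
        return None
    decoded = decoded.replace("\\", "/")         # Windows servers accept either separator
    rel = posixpath.normpath("/" + decoded).lstrip("/")  # collapse '.', '//' but keep '..'
    root = os.path.abspath(web_root)
    candidate = os.path.normpath(os.path.join(root, decoded.lstrip("/")))
    # The actual check: the candidate is the root itself or a descendant of it.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    for req in ["/docs/index.html", "/../../etc/passwd",
                "/..%2f..%2fetc/passwd", "/%252e%252e/secret.jsp"]:
        print(f"{req:28} -> {resolve_under_root('/var/www', req)}")
```

This is a lexical check: if the Web root contains symlinks pointing outside it, resolve the candidate with `os.path.realpath` and compare that against the realpath of the root as well. Note that the request `/../../etc/passwd` is rejected rather than silently clamped to the root, so the attempt can be logged.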
*** {00.57.029} Cross - wwwais query_string buffer overflow
A buffer overflow has been reported in the wwwais Web front end to WAIS.
The buffer overflow may allow a remote attacker to execute arbitrary
code under the uid of the Web server.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-01/0297.html
*** {00.57.032} Cross - sash leaves /etc/shadow world-readable
A bug in sash version 3.4 causes it not to clone /etc/shadow properly,
leaving the resulting copy world-readable.
This vulnerability has been confirmed by Debian, which has produced a
fix in version 3.4-4.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q1/0007.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0007.html
*** {00.57.034} Cross - VNC authentication vulnerabilities
AT&T's VNC application (version 3.3.3 and prior) has weaknesses in its
authentication mechanism that could allow an attacker to mount a
man-in-the-middle attack, and possibly to predict the challenge provided
by the server.
This vulnerability has not been confirmed by the vendor; however, the
vulnerability is reported by a well-known researcher. A suggested
workaround is to tunnel VNC authentication through cryptographic
channels such as SSH.
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0039.html
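The two weaknesses named above, man-in-the-middle and challenge prediction, are properties of plain challenge-response authentication rather than of VNC's specific cipher, which is why the suggested fix is to wrap the exchange in an authenticated channel. The example below is added here and is not VNC's protocol: it uses HMAC-SHA256 as a stand-in for VNC's DES-based response, shows why an unbound response can be relayed by a party that never learns the password, and then binds the response to a channel identity (the kind of identity an SSH tunnel provides) so the relayed response no longer verifies. All names and the channel identifiers are this example's own.

```python
# Added example (not VNC's protocol): challenge-response with an HMAC-SHA256
# stand-in for VNC's DES response. Shows the relay weakness of an unbound
# response and the effect of binding the response to the channel identity.
import hashlib
import hmac
import os


class Server:
    def __init__(self, password):
        self.password = password.encode()
        self.pending = None

    def challenge(self):
        self.pending = os.urandom(16)   # unpredictable; a counter or clock here is the
        return self.pending             # other weakness the report mentions

    def verify(self, response):
        expected = hmac.new(self.password, self.pending, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, password):
        self.password = password.encode()

    def respond(self, challenge):
        return hmac.new(self.password, challenge, hashlib.sha256).digest()


def relay_attack(server, client):
    """A party between client and server opens its own session to the server,
    forwards the server's challenge to the real client, and replays the
    client's answer. It authenticates without ever knowing the password."""
    c = server.challenge()
    r = client.respond(c)
    return server.verify(r)


# Hardened form: mix the identity of the channel the response travels over
# into the MAC. With the exchange tunnelled, client and server share that
# identity; a relay sits on two different channels and the MACs differ.
def respond_bound(password, challenge, channel_id):
    return hmac.new(password.encode(), challenge + channel_id, hashlib.sha256).digest()


def verify_bound(password, challenge, channel_id, response):
    return hmac.compare_digest(respond_bound(password, challenge, channel_id), response)


def relay_attack_bound(password):
    """Same relay against the bound form: the client answers on its channel to
    the relay, the server checks on its channel to the relay."""
    challenge = os.urandom(16)
    answer = respond_bound(password, challenge, b"client<->relay")
    return verify_bound(password, challenge, b"relay<->server", answer)


if __name__ == "__main__":
    print("relay succeeds, unbound:", relay_attack(Server("pw"), Client("pw")))
    print("relay succeeds, bound:  ", relay_attack_bound("pw"))
```

The channel binding is what the SSH tunnel workaround supplies in practice: the VNC exchange itself is unchanged, but it can only be reached over a channel whose endpoints have already authenticated each other.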
--- Tool Announcements News --------------------------------------------
*** {00.57.003} Tools - Bind 9.1.0 now available
Bind version 9.1.0 has been released. The new version contains bug fixes
as well as additional backwards-compatibility with Bind 8.x.
You can download the source at:
ftp://ftp.isc.org/isc/bind9/9.1.0/bind-9.1.0.tar.gz
Source: BIND
http://archives.neohapsis.com/archives/bind/2001/0002.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE6cIBW+LUG5KFpTkYRAkAWAJ9KbcmBFtNYUy6GQb7ILDBcRVw7IgCZAW0v
MSe8Qqm9i8bmt/nmSqEfwwo=
=xMco
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
----------------------------------------------------------------------
If this e-mail was passed to you and you would like to begin receiving
our security e-mail newsletter on a weekly basis, we invite you to
subscribe today at http://www.networkcomputing.com/consensus/. Become
a Security Alert Consensus member!
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at
(http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46)
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note:
To better secure your confidential information, we will no longer
include personal URLs in our Consensus newsletter mailings. Instead, we
have created a new form, located at http://www.sans.org/sansurl. There,
you can enter the SD number located near your name at the top of the
newsletter. When you submit this form, an e-mail containing a URL will
be sent to you at the e-mail address on record. With this URL, you can
make changes to your account (edit the content of your Consensus
mailing, for example) without endangering the security of your personal
URL. If you'd like to change your e-mail address or other information
or unsubscribe to this newsletter, please visit your new URL as
described above. If you have any problems or questions, e-mail us at
<consensus@nwc.com>.
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at
http://archives.neohapsis.com/.
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
Rights Reserved.
Distributed by Network Computing (http://www.networkcomputing.com) and
The SANS Institute (http://www.sans.org).
Powered by Neohapsis Inc., a Chicago-based security assessment and
integration services consulting group. info@neohapsis.com
http://www.neohapsis.com/