From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Feb 15 2001 - 15:19:18 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 084 (00.60)
Thursday, February 15, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
If you have any problems or questions, please e-mail us at
<consensus@nwc.com>.
----------------------------------------------------------------------
*** This issue sponsored by Foundstone, Inc. ***
INTERNET SECURITY IS A MOVING TARGET.
Foundstone, the leader in security assessments, introduces a managed
approach to meet today's security challenges. Our FoundScan - Managed
Security Service continuously assesses your environment for
vulnerabilities and actively monitors your enterprise.
Take the FoundScan Virtual Tour at http://www.foundstone.com/mss/1/
----------------------------------------------------------------------
Many issues were reported this week dealing with vulnerabilities in SSH
programs that implement the SSH 1 protocol. Among them is the ability
of an attacker to execute arbitrary code remotely via a vulnerability
in the CRC attack detection code. Another possible scenario is the
ability of attackers to derive the session key used by a server,
allowing them to decrypt traffic that uses the found session key. (Both
issues are reported in the Cross-Platform category in this issue.)
This is a good time to review what versions of SSH servers you are
running and to patch/upgrade them appropriately. Note that SSH servers
using the SSH 2 protocol (exclusively) are not vulnerable; however, some
SSH 2 servers allow backward-compatible SSH 1 access, which may contain
the vulnerability.
Until next week,
- Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.07.004} Win - MS01-008: NTLMSSP privilege elevation vulnerability
{01.07.024} Win - MS01-009: Malformed PPTP packet stream vulnerability
{01.07.026} Win - PcAnywhere large data stream DoS/buffer overflow
{01.07.035} Win - ServerWorx reverse directory traversal/file retrieval
{01.07.005} Linux - Kernel memory read via negative sysctl() parameter
value
{01.07.006} Linux - Kernel allows ptrace() of suid/sgid applications
{01.07.009} Linux - Update {01.06.022}: gnuserv/xemacs remote buffer
overflow/code execution
{01.07.014} Linux - Update {00.49.027}: Slocate user supplied database
buffer overflow
{01.07.037} Linux - Update {00.49.032}: Updated Netscape packages
{01.07.038} Linux - Update {01.06.024}: man -l format string
vulnerability
{01.07.003} BSD - Update {01.05.029}: mars_nwe syslog format string
vulnerability
{01.07.015} HPUX - Update {00.57.004}: DoS in support tools manager
{01.07.001} Cross - elvrec (ja-elvis/ko-helvis) buffer overflow
{01.07.002} Cross - ja-xklock buffer overflow
{01.07.007} Cross - Update {00.56.042}: ProFTPD various memory leaks
{01.07.008} Cross - ProFTPD format string buffer overflows
{01.07.010} Cross - Update {01.06.023}: XMail CTRLServer multiple
buffer overflows
{01.07.011} Cross - Multiple XFree86 vulnerabilities
{01.07.012} Cross - Update {01.05.001}: Multiple Bind buffer overflows
(TSIG/infoleak)
{01.07.016} Cross - Lotus Domino/Notes HTML attachment font tag buffer
overflow
{01.07.017} Cross - Lotus Notes stored form vulnerability
{01.07.018} Cross - Way-board CGI file disclosure via database parameter
{01.07.019} Cross - ROADS search CGI file disclosure via form parameter
{01.07.020} Cross - Muscat Empower CGI full path disclosure via
database parameter
{01.07.021} Cross - WebSPIRS CGI file disclosure via sp.netform
parameter
{01.07.022} Cross - HIS Auktion CGI file disclosure via menu parameter
{01.07.023} Cross - PALS/Webpals CGI file disclosure/command execution
via document name parameter
{01.07.025} Cross - PHP-Nuke file disclosure/script execution via
opendir script
{01.07.027} Cross - Multivendor SSH1 CRC attack detect code
vulnerability
{01.07.028} Cross - SSH1 Bleichenbacher session key attack
{01.07.029} Cross - OpenSSH RSA auth bypass
{01.07.030} Cross - Merant Microfocus Cobol insecure file
permissions/temp file handling
{01.07.031} Cross - Commerce-cgi.com CGI file disclosure via page
parameter
{01.07.032} Cross - QNX RTP ftp server stat command buffer overflow
{01.07.033} Cross - Chili!Soft ASP inherits root group permissions
{01.07.034} Cross - Infobot fortran math command execution
{01.07.036} Cross - dc20ctrl buffer overflow yields gid dialer
{01.07.039} Cross - MySQL multiple vulnerabilities
{01.07.040} Cross - FreSSH weak PRNG when there is no /dev/urandom
{01.07.041} Cross - Update {00.57.028}: Oracle JSP/SQLJSP handlers
allow arbitrary file reading and .jsp execution
{01.07.042} Cross - Oracle JVM 'all files' policy allows file retrieval
outside Web root
{01.07.013} Tools - Bind 9.1.1rc2 available (fixes possible DoS)
- --- Windows News -------------------------------------------------------
*** {01.07.004} Win - MS01-008: NTLMSSP privilege elevation
vulnerability
Microsoft has released MS01-008 ("NTLMSSP privilege elevation
vulnerability"). The vulnerability allows an attacker, who can execute
arbitrary programs on the system locally, to execute code under local
system privileges.
Windows NT 4.0 platforms, including Terminal Server, are affected.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/ms01-008.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q1/0034.html
*** {01.07.024} Win - MS01-009: Malformed PPTP packet stream
vulnerability
Microsoft has released MS01-009 ("Malformed PPTP packet stream
vulnerability"). It is possible for an attacker to crash a system via
PPTP by sending malformed PPTP packets, which will cause the server to
leak memory. Note that a valid PPTP session must first be established.
Windows NT 4.0 using PPTP service is affected.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-009.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q1/0040.html
*** {01.07.026} Win - PcAnywhere large data stream DoS/buffer overflow
PcAnywhere version 9.0 has been reported to contain a buffer overflow
that is triggered by sending a large stream of data (130K+) to the
listening PcAnywhere service. Currently, this is deemed a denial of
service attack (as the application crashed), but it may be possible to
execute arbitrary code. The vendor has not confirmed the problem.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2001-q1/0331.html
*** {01.07.035} Win - ServerWorx reverse directory traversal/file
retrieval
Soft Lite's ServerWorx HTTP server, version 3.0, allows a remote
attacker to retrieve arbitrary files from the system by using reverse
directory traversal ('..') notation in a URL request.
Please note that version 5.0 is the current version, and it may not be
vulnerable.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0137.html
- --- Linux News ---------------------------------------------------------
*** {01.07.005} Linux - Kernel memory read via negative sysctl()
parameter value
A bug has been found in the 2.2.x and 2.4.x series of Linux kernels that
allows a local attacker to read portions of kernel memory by passing a
negative parameter length. Linux kernel developers have confirmed this
vulnerability.
A patch, which is to be included in 2.2.18-pre9, is listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-02/0191.html
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0052.html
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0040.html
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2001-q1/0009.html
Source: Immunix, RedHat, Caldera
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0052.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0040.html
http://archives.neohapsis.com/archives/linux/caldera/2001-q1/0009.html
*** {01.07.006} Linux - Kernel allows ptrace() of suid/sgid applications
A bug was found in the 2.2.x series of Linux kernels that would allow
a local user to potentially ptrace() a suid/sgid application. In turn,
the user would be allowed to elevate his or her privileges (possibly to
root). A rare condition causes this vulnerability, which has been
confirmed, although it has not been confirmed whether the bug exists
also in the 2.4.x series.
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0052.html
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0040.html
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2001-q1/0009.html
Source: Caldera, RedHat, Immunix
http://archives.neohapsis.com/archives/linux/caldera/2001-q1/0009.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0040.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0052.html
*** {01.07.009} Linux - Update {01.06.022}: gnuserv/xemacs remote
buffer overflow/code execution
RedHat has released updated xemacs packages to fix the vulnerability
discussed in {01.06.022} ("gnuserv/xemacs remote buffer overflow/code
execution").
Updated RedHat RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0042.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0043.html
Source: RedHat
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0042.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0043.html
*** {01.07.014} Linux - Update {00.49.027}: Slocate user supplied
database buffer overflow
TurboLinux has released an updated slocate package to fix the
vulnerability discussed in {00.49.027} ("Slocate user supplied database
buffer overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q1/0002.html
Source: TurboLinux
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q1/0002.html
*** {01.07.037} Linux - Update {00.49.032}: Updated Netscape packages
TurboLinux has released updated Netscape packages that fix the
vulnerability discussed in {00.49.032} ("Updated Netscape packages").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q1/0003.html
Source: TurboLinux
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q1/0003.html
*** {01.07.038} Linux - Update {01.06.024}: man -l format string
vulnerability
Debian has released updated man packages that fix the vulnerability
discussed in {01.06.024} ("man -l format string vulnerability").
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0036.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0036.html
- --- BSD News -----------------------------------------------------------
*** {01.07.003} BSD - Update {01.05.029}: mars_nwe syslog format string
vulnerability
FreeBSD has released updated mars_nwe ports to fix the vulnerability
discussed in {01.05.029} ("mars_nwe syslog format string
vulnerability").
The ports collection as of January 30, 2001, contains the updated
versions. Individual packages are available for download and are listed
at: http://archives.neohapsis.com/archives/freebsd/2001-02/0081.html
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-02/0081.html
- --- HP-UX News ---------------------------------------------------------
*** {01.07.015} HPUX - Update {00.57.004}: DoS in support tools manager
HP has released its advisory concerning the vulnerability discussed in
{00.57.004} ("DoS in support tools manager"). The company has updated
the available patch listing; you can view it at the URL listed below.
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q1/0040.html
- --- Cross-Platform News ------------------------------------------------
*** {01.07.001} Cross - elvrec (ja-elvis/ko-helvis) buffer overflow
FreeBSD has found a buffer overflow in the elvrec utility included in
the ja-elvis and ko-helvis packages. A local attacker can exploit the
buffer overflow to gain root privileges. FreeBSD has confirmed this
vulnerability.
The FreeBSD ports collection as of January 28, 2001, contains the
updated versions. Individual packages for download are listed at:
http://archives.neohapsis.com/archives/freebsd/2001-02/0082.html
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-02/0082.html
*** {01.07.002} Cross - ja-xklock buffer overflow
FreeBSD has found a buffer overflow in ja-xklock. The buffer overflow
allows a local attacker to gain root privileges. FreeBSD has confirmed
this vulnerability.
The official fix is to discontinue use of ja-xklock and use xlock or
xlockmore.
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-02/0079.html
*** {01.07.007} Cross - Update {00.56.042}: ProFTPD various memory leaks
ProFTPD has released an updated ProFTPD package that fixes the
vulnerability discussed in {00.56.042} ("ProFTPd various memory leaks").
ProFTPD has confirmed the problem and released an updated version:
ftp://ftp.proftpd.org/distrib/proftpd-1.2.0rc3.tar.gz
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0048.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q1/0038.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0011.html
Source: Mandrake, Debian
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0048.html
http://archives.neohapsis.com/archives/vendor/2001-q1/0038.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0011.html
*** {01.07.008} Cross - ProFTPD format string buffer overflows
ProFTPD has released an updated version of ProFTPD that fixes multiple
format string buffer overflows. The vulnerabilities could allow a remote
attacker to execute arbitrary code on the system.
Updated ProFTPD package:
ftp://ftp.proftpd.org/distrib/proftpd-1.2.0rc3.tar.gz
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q1/0038.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0048.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0011.html
Source: Mandrake, Debian, Conectiva, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0048.html
http://archives.neohapsis.com/archives/vendor/2001-q1/0038.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0011.html
http://archives.neohapsis.com/archives/bugtraq/2001-02/0117.html
*** {01.07.010} Cross - Update {01.06.023}: XMail CTRLServer multiple
buffer overflows
The vendor has confirmed the vulnerability discussed in {01.06.023}
("XMail CTRLServer multiple buffer overflows"). The vulnerability will
be corrected in XMail version 0.68.
Product homepage:
http://www.mycio.com/davidel/xmail
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0163.html
*** {01.07.011} Cross - Multiple XFree86 vulnerabilities
Debian has released an advisory detailing many buffer overflow and
temporary file handling vulnerabilities in various XFree86 components.
For a complete list, view the Debian advisory URL listed below.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q1/0039.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0039.html
*** {01.07.012} Cross - Update {01.05.001}: Multiple Bind buffer
overflows (TSIG/infoleak)
NetBSD and IBM have released BIND updates that fix the vulnerability
discussed in {01.05.001} ("Multiple Bind buffer overflows
(TSIG/infoleak)").
The current, 1.4, and 1.5 branches of NetBSD were all updated as of
January 28, 2001.
IBM has released an emergency fix (multiple_bind_vulns_efix.tar.Z),
which can be downloaded at:
ftp://ftp.software.ibm.com/aix/efixes/security
Source: NetBSD, IBM
http://archives.neohapsis.com/archives/netbsd/2001-q1/0069.html
http://archives.neohapsis.com/archives/aix/2001-q1/0008.html
*** {01.07.016} Cross - Lotus Domino/Notes HTML attachment font tag
buffer overflow
Lotus Domino Server versions 5.04 up to, but not including, 5.06 contain
a buffer overflow in the handling of particular HTML font tags in HTML
mail attachments. It's possible for a malicious e-mail to execute
arbitrary code on the server when a Notes client attempts to view an
attachment. Lotus has confirmed the vulnerability.
Lotus Domino Server version 5.06 is not vulnerable.
Source: Symantec
http://archives.neohapsis.com/archives/axent/2001-q1/0001.html
*** {01.07.017} Cross - Lotus Notes stored form vulnerability
A report has surfaced indicating a potential avenue for attack via Lotus
Notes. In a Notes environment, it is possible to include alternate
e-mail forms within an e-mail message, which are then used when viewing
the message. This could result in the execution of malicious
LotusScript code. This vulnerability has not been confirmed by the
vendor; however, third parties have confirmed it.
The suggested fix is to disable the 'Allowed Stored Forms' option in
the mailbox database properties. Proper configuration of ECLs (Execution
Control Lists) has also been mentioned.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0175.html
http://archives.neohapsis.com/archives/bugtraq/2001-02/0188.html
*** {01.07.018} Cross - Way-board CGI file disclosure via database
parameter
The way-board bulletin board CGI application allows a remote attacker
to see the contents of files viewable by the Web server. No patches have
been made available.
Product homepage:
http://way.co.kr/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0212.html
*** {01.07.019} Cross - ROADS search CGI file disclosure via form
parameter
The ROADS search system CGI has been found to allow a remote attacker
to view the contents of files on the system that are readable by the
Web server. No patches have been made available.
Product homepage:
http://www.roads.lut.ac.uk/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0213.html
*** {01.07.020} Cross - Muscat Empower CGI full path disclosure via
database parameter
Muscat's Empower CGI has been found to print the full local path when
a request is made with an invalid database URL parameter. No patches
have been made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0216.html
*** {01.07.021} Cross - WebSPIRS CGI file disclosure via sp.netform
parameter
Silver Platter's WebSPIRS CGI allows a remote attacker to see the
contents of files viewable by the Web server. No patches have been made
available. A third party confirms that version 3.1 is vulnerable and
that version 4.2 is not vulnerable.
Vendor homepage:
http://www.silverplatter.com/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0217.html
http://archives.neohapsis.com/archives/bugtraq/2001-02/0254.html
*** {01.07.022} Cross - HIS Auktion CGI file disclosure via menu
parameter
HIS' Auktion CGI version 1.62 allows a remote attacker to view the
contents of files readable by the Web server. No patches have been made
available.
Vendor homepage:
http://www.his-software.de/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0218.html
*** {01.07.023} Cross - PALS/Webpals CGI file disclosure/command
execution via document name parameter
The PALS CGI application (pals-cgi), which serves as an interface to
the PALS library system, allows a remote attacker to view files readable
by the Web server. It also allows attackers to execute command line
commands. No patches have been made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0220.html
*** {01.07.025} Cross - PHP-Nuke file disclosure/script execution via
opendir script
PHP-Nuke version 4.4 contains a vulnerability in the handling of the
requesturl URL parameter when passed to the opendir.php script. It is
possible for a remote attacker to view the contents of files readable
by the Web server. It is also possible for the attacker to submit a URL
to an external PHP script (on another host), which would be retrieved
and included/executed. The vendor has confirmed the vulnerability, but
has not issued any patches.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0214.html
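The Way-board, ROADS, WebSPIRS, Auktion, PALS, Commerce-cgi and ServerWorx
items above share one defect: a request parameter is joined to a filesystem
path without checking that the result stays inside the Web root, and the
PHP-Nuke item adds the variant where the parameter is a remote URL that gets
fetched and included. The following is an added example, not code from any
of those products or from the newsletter, showing the check a CGI handler
should apply before opening a file named by the client. The web root and
request paths in it are constructed sample values.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote


def resolve_under_root(web_root: str, requested: str) -> Optional[str]:
    """Map a client-supplied path onto web_root.

    Returns the normalized absolute path, or None when the request would
    leave the root (directory traversal), contains a NUL byte, or names a
    remote resource instead of a local file.
    """
    # A scheme://host reference is never a local document. Handlers that
    # fetch and include it are the PHP-Nuke opendir.php failure mode.
    if "://" in requested:
        return None
    # Decode twice so double-encoded sequences such as %252e%252e are seen
    # by the traversal check instead of reaching the filesystem layer.
    decoded = unquote(unquote(requested))
    # NUL bytes truncate C strings; rejecting them closes extension-check
    # bypasses like "page.html%00.cgi".
    if "\x00" in decoded:
        return None
    # Windows servers (ServerWorx) accept either separator, so normalize.
    decoded = decoded.replace("\\", "/")
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # The prefix test must include the trailing slash; otherwise a sibling
    # directory such as /var/www/html2 would pass for root /var/www/html.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed sample requests, not taken from any advisory.
SAMPLE_REQUESTS = [
    "docs/index.html",
    "../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "..\\..\\boot.ini",
    "http://attacker.example/include.php",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:40} -> {resolve_under_root('/var/www/html', req)}")
```

In production, apply `os.path.realpath` to the candidate and to the root
before the prefix comparison as well, so a symbolic link inside the document
tree cannot point the resolved path back outside it; `posixpath.normpath`
is used here only so the example runs without touching the filesystem.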
*** {01.07.027} Cross - Multivendor SSH1 CRC attack detect code
vulnerability
A vulnerability has been found in the CRC attack detection routine of
various SSH implementations. The vulnerability would allow a remote
attacker to execute arbitrary code on the system with root privileges.
This vulnerability has been confirmed.
OpenSSH prior to version 2.3.0, SSH versions 1.2.24 through 1.2.31
(inclusive) from SSH Communications, F-Secure SSH versions 1.3.X and
OSSH versions 1.5.7 and prior are all vulnerable.
OpenSSH versions 2.3.0 and after are not vulnerable. OSSH version 1.5.8
fixes the vulnerability. SSH Communications has deprecated the 1.2.X
line; use SSH 2.x. A third-party patch is available at:
http://archives.neohapsis.com/archives/bugtraq/2001-02/0158.html
Smoothwall has also released an updated SSH version (2.3.0):
ftp://146.101.126.9/pub/updates/smoothwall-openssh-2.3.0p1.tar.gz
FreeBSD has released an updated OpenSSH port. Details can be found at:
http://archives.neohapsis.com/archives/freebsd/2001-02/0207.html
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0035.html
Source: SecurityFocus Bugtraq, FreeBSD, Debian
http://archives.neohapsis.com/archives/bugtraq/2001-02/0158.html
http://archives.neohapsis.com/archives/bugtraq/2001-02/0168.html
http://archives.neohapsis.com/archives/freebsd/2001-02/0207.html
http://archives.neohapsis.com/archives/vendor/2001-q1/0035.html
*** {01.07.028} Cross - SSH1 Bleichenbacher session key attack
A vulnerability in the SSH version 1 protocol allows a remote attacker,
who is able to capture all SSH traffic while making many connections to
the SSH server, to derive the session key used for the captured SSH
traffic and thus decrypt it. This is due to the server acting as an
'oracle', providing bits of information that are used to derive the key.
All SSH servers supporting SSH version 1.5 key exchange are vulnerable.
OpenSSH has released version 2.3.1.
FreeBSD has released updated SSH ports:
http://archives.neohapsis.com/archives/freebsd/2001-02/0207.html
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0035.html
Source: FreeBSD, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/freebsd/2001-02/0207.html
http://archives.neohapsis.com/archives/bugtraq/2001-02/0128.html
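The editorial at the top of this issue asks readers to review which SSH
server versions they run; the two items above give the version ranges. The
following added example (not code from the newsletter, OpenSSH or any
vendor) turns those ranges into a check over SSH identification strings
("SSH-<protocol>-<software>", where protocol "1.99" means the server
offers both SSH 1 and SSH 2). The software-version formats it matches are
assumptions: "OpenSSH_x.y.z" is the real OpenSSH form, while the "OSSH_",
bare "1.2.x" and bare "1.3.x" forms are assumed here for OSSH, SSH
Communications and F-Secure respectively. The sample banners are
constructed, not captured from real hosts.

```python
import re
from typing import List, NamedTuple, Tuple

# Standard SSH identification string: "SSH-<protocol>-<software>[ comment]".
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<sw>[^\s]+)")


class Assessment(NamedTuple):
    banner: str
    speaks_ssh1: bool          # protocol 1.x (1.99 = SSH 1 and SSH 2 both offered)
    issues: Tuple[str, ...]    # newsletter items that apply to this server


def version_tuple(text: str) -> Tuple[int, ...]:
    """'2.3.0p1' -> (2, 3, 0); portability suffixes such as 'p1' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def assess_banner(banner: str) -> Assessment:
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    proto, sw = m.group("proto"), m.group("sw")
    speaks_ssh1 = proto.startswith("1.")
    if not speaks_ssh1:
        # SSH 2 only: neither item in this issue applies.
        return Assessment(banner, False, ())
    issues: List[str] = []
    # Any server still offering SSH 1.5 key exchange is subject to the
    # session-key oracle attack ({01.07.028}), whichever vendor wrote it.
    issues.append("{01.07.028}: SSH1 key exchange enabled")
    # The CRC attack detection flaw ({01.07.027}) is vendor/version specific.
    if sw.startswith("OpenSSH_"):
        if version_tuple(sw[len("OpenSSH_"):]) < (2, 3, 0):
            issues.append("{01.07.027}: OpenSSH prior to 2.3.0")
    elif sw.startswith("OSSH_"):                      # assumed banner form
        if version_tuple(sw[len("OSSH_"):]) <= (1, 5, 7):
            issues.append("{01.07.027}: OSSH 1.5.7 or earlier")
    elif re.match(r"1\.2\.\d+", sw):                  # assumed: SSH Communications
        if (1, 2, 24) <= version_tuple(sw) <= (1, 2, 31):
            issues.append("{01.07.027}: SSH Communications 1.2.24-1.2.31")
    elif re.match(r"1\.3\.\d+", sw):                  # assumed: F-Secure 1.3.X
        issues.append("{01.07.027}: F-Secure SSH 1.3.X")
    return Assessment(banner, True, tuple(issues))


def assess_all(banners: List[str]) -> List[Assessment]:
    return [assess_banner(b) for b in banners]


# Constructed sample banners for the inventory; not from real hosts.
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_2.2.0p1",
    "SSH-1.99-OpenSSH_2.3.0p1",
    "SSH-2.0-OpenSSH_2.3.1",
    "SSH-1.5-1.2.27",
]

if __name__ == "__main__":
    for a in assess_all(SAMPLE_BANNERS):
        mode = "SSH1 offered" if a.speaks_ssh1 else "SSH2 only"
        print(f"{a.banner:28} {mode:13} {list(a.issues)}")
```

The banner is what the server sends as its first line on port 22, so the
inventory can be built from existing scan output without any further
interaction. Note that an OpenSSH 2.3.0 server with protocol "1.99" clears
the CRC item but still appears under {01.07.028}, which is exactly the
backward-compatibility caveat in the editorial.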
*** {01.07.029} Cross - OpenSSH RSA auth bypass
Development copies of OpenSSH version 2.3.1 downloaded between January
18, 2001, and February 8, 2001, contain a vulnerability in the RSA
authentication routine that grants access to a remote attacker without
the appropriate RSA private key. The vendor has confirmed this
vulnerability.
Versions outside the dates mentioned above are not vulnerable.
Source: OpenBSD
http://archives.neohapsis.com/archives/openbsd/2001-02/0808.html
*** {01.07.030} Cross - Merant Microfocus Cobol insecure file
permissions/temp file handling
The Apptrack feature of Merant's Microfocus Cobol version 4.1 has been
found to insecurely set file permissions on various directories and
scripts. This allows local attackers to modify the contents to
potentially run commands under root privileges. There also is an issue
with the creation of temporary files, which allows a local symlink
attack. This vulnerability has not been confirmed, and no patches have
been released.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0205.html
*** {01.07.031} Cross - Commerce-cgi.com CGI file disclosure via page
parameter
Commerce-cgi.com's shopping cart CGI application allows a remote
attacker to view the contents of files readable by the Web server. The
vendor has confirmed this vulnerability and released an updated version.
Vendor homepage:
http://www.commerce-cgi.com/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0208.html
*** {01.07.032} Cross - QNX RTP ftp server stat command buffer overflow
The QNX RTP ftp server contains a buffer overflow in the handling of
the stat command, which could allow a remote attacker with proper
authentication credentials to execute arbitrary code on the system. No
patches have been made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0031.html
*** {01.07.033} Cross - Chili!Soft ASP inherits root group permissions
Chili!Soft's ASP application for Unix systems has been found to not
properly drop group 'root' privileges when configured for inherited
security mode. The vendor has confirmed this problem, and it will be
fixed in the upcoming version, 3.6.
Vendor homepage:
http://www.chilisoft.com/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0112.html
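The Chili!Soft item is an instance of a common mistake in daemons that start
as root and then switch to a service account: the effective uid is changed
but group 0 survives, either as the gid or in the supplementary group list.
The following added example (not Chili!Soft's code or anything from the
newsletter) shows the order in which privileges must be dropped on Unix and
a verification routine that reports what is left over. The `drop_privileges`
function only does anything when run as root; `check_privileges_dropped`
can be run by any user and is what the example exercises.

```python
import os
from typing import Iterable, List, Tuple


def current_identity() -> Tuple[int, int, List[int]]:
    """(uid, gid, supplementary groups) of the running process."""
    return os.getuid(), os.getgid(), os.getgroups()


def check_privileges_dropped(uid: int, gid: int,
                             supplementary: Iterable[int] = ()) -> List[str]:
    """Return a list of problems; empty means the drop is complete."""
    problems: List[str] = []
    if (os.getuid(), os.geteuid()) != (uid, uid):
        problems.append("uid not dropped")
    if (os.getgid(), os.getegid()) != (gid, gid):
        problems.append("gid not dropped")
    # The inherited supplementary list is the part most often forgotten:
    # setuid()/setgid() do not touch it, so group 0 stays unless cleared.
    if 0 in os.getgroups() and 0 not in set(supplementary):
        problems.append("group 0 still in supplementary groups")
    if uid != 0:
        # After a real (non-saved-uid) drop, regaining root must fail.
        try:
            os.setuid(0)
            problems.append("setuid(0) still succeeds")
        except PermissionError:
            pass
    return problems


def drop_privileges(uid: int, gid: int, supplementary: Iterable[int] = ()) -> None:
    """Permanently drop from root to uid/gid.

    Order matters: supplementary groups first, then gid, then uid. Once the
    uid is unprivileged, setgroups() and setgid() are no longer permitted,
    which is how a daemon ends up running as a normal user with gid 0.
    """
    if os.geteuid() != 0:
        raise PermissionError("must start as root to drop privileges")
    groups = list(supplementary)
    os.setgroups(groups)      # clears inherited groups, including gid 0
    os.setgid(gid)
    os.setuid(uid)
    problems = check_privileges_dropped(uid, gid, groups)
    if problems:
        raise RuntimeError("privilege drop incomplete: " + ", ".join(problems))


if __name__ == "__main__":
    uid, gid, groups = current_identity()
    print("current identity:", uid, gid, groups)
    print("problems relative to current identity:",
          check_privileges_dropped(uid, gid, groups))
```

A service that must keep root and run user code (the "inherited security"
mode the item describes) is better off forking a child, calling
`drop_privileges` in the child before executing anything untrusted, and
treating a non-empty problem list as fatal rather than as a warning.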
*** {01.07.034} Cross - Infobot fortran math command execution
The Infobot IRC bot version 0.44.5.3 contains a vulnerability in the
fortran math feature that would allow a remote attacker (via IRC) to
execute commands on the Infobot system under the privileges of the
Infobot service. This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0127.html
*** {01.07.036} Cross - dc20ctrl buffer overflow yields gid dialer
The dc20ctrl Kodak DC20 interface program, version 0.4_1, has been found
to contain a locally exploitable buffer overflow that gives an attacker
group 'dialer' privileges. FreeBSD has confirmed this vulnerability.
The FreeBSD ports collection as of February 7, 2001, contains an updated
version. Individual packages available for download are listed at:
http://archives.neohapsis.com/archives/freebsd/2001-02/0083.html
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-02/0083.html
*** {01.07.039} Cross - MySQL multiple vulnerabilities
MySQL version 3.23.33 has been released, which fixes multiple buffer
overflows that may allow a local user to execute arbitrary code under
the privileges of the MySQL server.
Updates are available at:
http://www.mysql.com/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0183.html
http://archives.neohapsis.com/archives/bugtraq/2001-02/0242.html
*** {01.07.040} Cross - FreSSH weak PRNG when there is no /dev/urandom
FreSSH has been found to fall back on a weakly seeded PRNG (pseudo-random
number generator) when the /dev/urandom device doesn't exist.
This results in the weak generation of keys, which compromises secure
communication channels. This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0248.html
*** {01.07.041} Cross - Update {00.57.028}: Oracle JSP/SQLJSP handlers
allow arbitrary file reading and .jsp execution
Oracle has released an updated version of OJSP that fixes the
vulnerability discussed in {00.57.028} ("Oracle JSP/SQLJSP handlers
allow arbitrary file reading and .jsp execution").
OJSP version 1.1.2.0.0 is available on the Oracle Technology Network
Web site.
Source: Oracle (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-02/0239.html
http://archives.neohapsis.com/archives/bugtraq/2001-02/0240.html
*** {01.07.042} Cross - Oracle JVM 'all files' policy allows file
retrieval outside Web root
The JVM shipped with Oracle8i version 8.1.7 and Oracle 9 iAS release
1.0.2.0.1 contains a vulnerability that could allow a remote attacker to
retrieve files outside of the defined Web root if the service is
configured with the '<<ALL FILES>>' file system permission grant.
Oracle's recommended fix is to grant permission specifically to the
document root path and not to the '<<ALL FILES>>' wildcard.
Source: Oracle (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-02/0255.html
- --- Tool Announcements News --------------------------------------------
*** {01.07.013} Tools - Bind 9.1.1rc2 available (fixes possible DoS)
Bind 9.1.1rc2 has been released. This new version fixes multiple bugs
that could possibly allow a remote attacker to cause the service to
crash. There have also been reports of portscans causing Bind version
9.1.0 to crash. Version 9.1.1rc2 includes a workaround for this anomaly,
which is due to a bug in the Linux kernel.
The source package can be downloaded at:
ftp://ftp.isc.org/isc/bind9/9.1.1rc2/bind-9.1.1rc2.tar.gz
Source: ISC BIND
http://archives.neohapsis.com/archives/bind/2001/0011.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE6jEUz+LUG5KFpTkYRAvT0AJ47PrrK0D+hGIsnOGqgcAARp293KACfQD96
t6ygdxX4hOFcCBRyITcW6dM=
=01qU
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
If this e-mail was passed to you and you would like to begin receiving
our security e-mail newsletter on a weekly basis, we invite you to
subscribe today at http://www.networkcomputing.com/consensus/. Become
a Security Alert Consensus member!
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at
(http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46)
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information, we will
no longer include personal URLs in our Consensus newsletter mailings.
Instead, we have created a new form, located at
http://www.sans.org/sansurl, where you can enter the SD number located
near your name at the top of the newsletter. When you submit this form,
an e-mail containing a URL will be sent to you at the e-mail address on
record. With this URL you can make changes to your account (edit the
content of your Consensus mailing, for example) without endangering the
security of your personal URL. If you'd like to change your e-mail
address or other information, or unsubscribe to this newsletter, please
visit your new URL as described above. If you have any problems or
questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at
http://archives.neohapsis.com/.
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group.
info@neohapsis.com | http://www.neohapsis.com/