From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Apr 19 2001 - 13:05:40 CDT



    Re: Your personalized newsletter

                      -- Security Alert Consensus --
                            Number 093 (01.16)
                         Thursday, April 19, 2001
                            Created for you by
                 Network Computing and the SANS Institute
                            Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below you
    should find information pertaining only to the categories you requested.
    If you have any problems or questions, please e-mail us at
    <consensus@nwc.com>.

    ----------------------------------------------------------------------

    *** Sponsored by PKWare, Inc. ***

    Concerned about Email viruses? Do you use X.509v.3-based Public Key
    Certificates and want to authenticate and detect changes to any data
    file type? Use PKZIP Explorer to Compress and Digitally Sign one or
    thousands of files. TRY IT NOW!
    http://www.pkware.com/catalog/pkzipe11.html

    ----------------------------------------------------------------------

    Due to the recent barrage of e-mails we've received, I once again would
    like to give my periodic explanation of how Security Alert Consensus
    (SAC) works.

    First off, SAC is an unbiased publication -- we report on as many
    plausible security vulnerabilities as we can get our hands on. Due to
    those fun things known as 'deadlines,' all vulnerabilities released
    during a Wednesday through the following Tuesday period are compiled
    into one issue. That means issues that come out Wednesday or early
    Thursday will not appear in that immediate Thursday's issue, but rather
    the following Thursday's issue. This was witnessed with the recent
    Microsoft/VeriSign certificate issue.

    SAC is a category-centric publication, meaning that you can pick which
    categories of information you wish to receive. This allows you to
    minimize the content of your newsletter and personalize it according to
    your interests. But this personalization can be a double-edged sword:
    If you do it incorrectly -- that is, you do not subscribe to the right
    categories -- you may miss information you want. Once again, I would
    like to draw everyone's attention to the 'Cross-Platform' category. Many
    vulnerabilities fall under this heading, and odds are it will contain
    items of interest (at times) to just about any administrator.

    Many people also are concerned about the fact that we lack specific
    categories for particular platforms, which results in us not reporting
    issues for that platform. This is why we have the wonderful catch-all
    category of 'Other.' If the vulnerability doesn't naturally fall into
    'Cross-Platform' and we have no specific category to place it in, it
    will be found in 'Other.' However, we are evaluating the addition of
    more categories for future issues.

    Don't worry if you haven't picked the correct category selections.
    Instructions on changing your category selections are included at the
    end of this and every other SAC newsletter. You also can catch missed
    items by viewing the archived versions of the newsletter, which contain
    every item. They are viewable at:
    http://archives.neohapsis.com/archives/sac/

    Until next week,
    - Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {01.16.008} Win - MS01-021: Invalid Web request crashes ISA Web proxy
                service
    {01.16.012} Win - Xitami Web server DOS device request causes server to
                crash
    {01.16.013} Win - SimpleServer:WWW Web server DOS device request causes
                server to crash
    {01.16.014} Win - GoAhead Web server DOS device request causes server
                to crash
    {01.16.019} Win - Symantec Ghost configuration server DoS
    {01.16.029} Win - QPC QVT/Net popd server authentication buffer overflow
    {01.16.001} Linux - Update {01.15.012}: Netscape GIF comment may
                contain malicious JavaScript
    {01.16.003} Linux - Update {01.13.004}: Malicious embedded VIM control
                codes
    {01.16.005} Linux - Update {01.13.019}: Multiple OpenSSH vulnerabilities
    {01.16.009} Linux - Update {01.13.018}: Linux kernel 2.2.19 released
    {01.16.032} Linux - IPTables FTP RELATED connections bypass filters
    {01.16.015} BSD - Update {01.15.006}: IPFilter fragmented packet bypass
                vulnerability
    {01.16.016} Sol - ipcs TZ environment variable buffer overflow
    {01.16.017} Sol - Xsun HOME environment variable buffer overflow
    {01.16.025} Sol - kcsSUNWIOsolf.so KCMS_PROFILES environment variable
                buffer overflow
    {01.16.026} Sol - dtsession LANG environment variable buffer overflow
    {01.16.007} HPUX - Another unauthorized user access to OmniBack client
    {01.16.018} SCO - Massive SCO buffer overflow fixes
    {01.16.021} NApps - Cisco VPN3000 concentrator IP options DoS
    {01.16.022} NApps - Cisco Catalyst 802.1x network DoS
    {01.16.023} NApps - Lightwave ConsoleServer authentication concern
    {01.16.002} Cross - Pine/pico insecure temp file handling
    {01.16.004} Cross - Update {01.15.001}: ntpd/xntpd control request
                parsing buffer overflow
    {01.16.006} Cross - exuberant-ctags insecure temp file handling
    {01.16.010} Cross - iPlanet Web server redirect header vulnerability
    {01.16.011} Cross - Netscape SmartDownload plugin long URL buffer
                overflow
    {01.16.020} Cross - Multiple DoS attacks in Lotus Domino
    {01.16.024} Cross - cfingerd syslog format string buffer overflows
    {01.16.027} Cross - IBM NetCommerce/Net.Data long URL DoS
    {01.16.028} Cross - TrendMicro Interscan Viruswall Web server CGI
                vulnerabilities
    {01.16.030} Cross - Hylafax hfaxd -q parameter format string
                vulnerability
    {01.16.031} Cross - DCScripts.com DCForum CGI az parameter
                vulnerabilities
    {01.16.033} Cross - Marketrends.net nph-maillist.pl CGI arbitrary
                command execution

    - --- Windows News -------------------------------------------------------

    *** {01.16.008} Win - MS01-021: Invalid Web request crashes ISA Web
                    proxy service

    Microsoft has released MS01-021 ("Invalid Web request crashes ISA Web
    proxy service"). Sending long URLs to the Web proxy service included
    with ISA server version 1.0 causes the Web proxy service to crash.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-021.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q2/0007.html

    *** {01.16.012} Win - Xitami Web server DOS device request causes
                    server to crash

    Xitami Web server version 2.54d (and possibly prior versions) contains
    a denial of service whereby a remote attacker can make a request for a
    DOS device (con, aux and so on). This request will cause the server to
    either become unresponsive or crash.

    This vulnerability has not been confirmed. No patches have been made
    available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0277.html

    *** {01.16.013} Win - SimpleServer:WWW Web server DOS device request
                    causes server to crash

    SimpleServer:WWW Web server version 1.08 (and possibly prior versions)
    contains a denial of service whereby a remote attacker can make a
    request for a DOS device (con, aux and so on). This request will cause
    the server to either become unresponsive or crash.

    The vendor has confirmed this vulnerability and released version 1.13.
    Vendor homepage:
    http://www.analogx.com/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0279.html

    *** {01.16.014} Win - GoAhead Web server DOS device request causes
                    server to crash

    GoAhead Web server version 2.1 (and possibly prior versions) contains
    a denial of service whereby a remote attacker can make a request for a
    DOS device (con, aux and so on). This request will cause the server to
    either become unresponsive or crash.

    This vulnerability has not been confirmed. No patches have been made
    available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0281.html
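
The three items above ({01.16.012}, {01.16.013}, {01.16.014}) and the Lotus Domino item later in this issue ({01.16.020}) share one root cause: a Web server on Windows hands a request path to the filesystem, and the filesystem resolves a reserved device name before it ever looks for a file. The following is an added example, not code from any of those vendors or from this newsletter. It shows the check a server (or a front-end filter) can apply to a request target before touching the filesystem. The reserved-name list is the Win32 one (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), compared case-insensitively on the base name, so `aux.htm`, `CON.` or `/images/nul` are all rejected; the request lines at the bottom are constructed for this example.

```python
"""Reject HTTP request paths that name a reserved DOS device.

Added example (not Xitami, AnalogX, GoAhead or newsletter code).
"""
import re
from urllib.parse import unquote, urlsplit

RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def names_reserved_device(segment: str) -> bool:
    """True if one path segment would resolve to a device on Win32.

    Win32 looks only at the base name: anything after the first '.' or ':'
    (an extension or a stream name) and trailing spaces/dots are ignored.
    """
    base = re.split(r"[.:]", segment, maxsplit=1)[0].rstrip(" .")
    return base.upper() in RESERVED_DEVICES


def request_path_is_safe(request_target: str) -> bool:
    """Percent-decode the path and check every segment, split on '/' and '\\'."""
    path = unquote(urlsplit(request_target).path)
    return not any(names_reserved_device(seg) for seg in re.split(r"[\\/]", path))


def screen_request_lines(lines):
    """Return [(request_target, safe)] for HTTP request lines."""
    results = []
    for line in lines:
        _method, target, _version = line.split(" ", 2)
        results.append((target, request_path_is_safe(target)))
    return results


SAMPLE_REQUEST_LINES = [  # constructed for this example
    "GET /index.html HTTP/1.0",
    "GET /aux HTTP/1.0",
    "GET /cgi-bin/con.txt HTTP/1.0",
    "GET /%63on HTTP/1.0",          # percent-encoded 'con'
    "GET /console HTTP/1.0",        # a real name that merely starts with CON
    "GET /images\\prn HTTP/1.0",    # backslash is a separator on Windows
]

if __name__ == "__main__":
    for target, safe in screen_request_lines(SAMPLE_REQUEST_LINES):
        print(f"{'allow' if safe else 'REJECT':6} {target}")
```

The decoding step matters: a filter that compares the raw request target would pass `/%63on` and let the filesystem do the decoding. Splitting on both separators covers servers that accept backslashes in paths.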

    *** {01.16.019} Win - Symantec Ghost configuration server DoS

    Symantec Ghost version 6.5 comes with a configuration server that
    listens on the network for remote configuration requests. It's possible
    for a remote attacker to send a large amount of data, thereby causing
    the configuration server to crash.

    Symantec has confirmed the problem, which has been fixed in Ghost 7.0.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0175.html

    *** {01.16.029} Win - QPC QVT/Net popd server authentication buffer
                    overflow

    QPC's pop server version 4.20, which is included in its QVT/Net suite,
    contains a buffer overflow in the handling of long user names. This
    could allow a remote attacker to execute arbitrary code on the server.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0227.html

    - --- Linux News ---------------------------------------------------------

    *** {01.16.001} Linux - Update {01.15.012}: Netscape GIF comment may
                    contain malicious JavaScript

    RedHat, Immunix and Conectiva have released updated Netscape packages
    to fix the vulnerability discussed in {01.15.012} ("Netscape GIF comment
    may contain malicious JavaScript").

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0028.html

    Updated Immunix RPMs:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0007.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0001.html

    Source: RedHat, Immunix, Conectiva
    http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0028.html
    http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0007.html
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0001.html

    *** {01.16.003} Linux - Update {01.13.004}: Malicious embedded VIM
                    control codes

    Caldera has released updated VIM packages to fix the vulnerability
    discussed in {01.13.004} ("Malicious embedded VIM control codes").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0003.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0003.html

    *** {01.16.005} Linux - Update {01.13.019}: Multiple OpenSSH
                    vulnerabilities

    Progeny has released updated OpenSSH packages to fix the vulnerability
    discussed in {01.13.019} ("Multiple OpenSSH vulnerabilities").

    Updated Progeny DEBs:
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0208.html

    Source: Progeny (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0208.html

    *** {01.16.009} Linux - Update {01.13.018}: Linux kernel 2.2.19 released

    RedHat and Debian have released updated kernel packages to fix the
    vulnerability discussed in {01.13.018} ("Linux kernel 2.2.19 released").

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0027.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2001-q2/0006.html

    Source: RedHat, Debian
    http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0027.html
    http://archives.neohapsis.com/archives/vendor/2001-q2/0006.html

    *** {01.16.032} Linux - IPTables FTP RELATED connections bypass filters

    A vulnerability in the ip_conntrack_ftp module, which is responsible
    for tracking incoming FTP connections, has been found. This
    vulnerability could be used to bypass IPTables firewall rules if
    IPTables is configured to allow RELATED connections to pass unhindered,
    which is a standard configuration used with FTP servers. An attacker
    can trick the ip_conntrack_ftp module into creating RELATED connections,
    thus allowing various outbound connections to the network of the
    firewall itself.

    The vendor has confirmed this vulnerability and released a patch, which
    is available at:
    http://netfilter.samba.org/security-fix/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0271.html
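
The item above describes an FTP connection-tracking helper being talked into creating RELATED expectations for connections the firewall policy would otherwise block. The following is an added example, not code from the netfilter project or from this newsletter. It models the decision such a helper has to make for each PORT command on the control channel before it registers an expectation: the address carried in the command must be the client's own address (the peer of the control connection), and, as a policy choice in this example, the port must be unprivileged. A PORT that names any other host is refused, because honouring it would open a data channel to that host through the firewall. The control-channel lines are constructed for this example.

```python
"""Screen FTP PORT commands before opening a RELATED data connection.

Added example (not netfilter or newsletter code).
"""
import re

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line: str):
    """Return (host, port) from 'PORT h1,h2,h3,h4,p1,p2', or None if malformed."""
    match = PORT_RE.match(line.strip())
    if not match:
        return None
    octets = [int(x) for x in match.groups()]
    if any(o > 255 for o in octets):
        return None
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return host, port


def expectation_for(control_peer: str, line: str):
    """Decide whether a PORT line from control_peer may create an expectation.

    Returns (host, port, reason); host and port are None when refused.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return None, None, "not a well-formed PORT command"
    host, port = parsed
    if host != control_peer:
        # The client asked for a data connection to a third host: honouring
        # this is what turns an FTP helper into a firewall bypass.
        return None, None, f"address {host} is not the control peer {control_peer}"
    if port < 1024:
        # Policy choice in this example: never expect a data connection to a
        # privileged service port.
        return None, None, f"port {port} is privileged"
    return host, port, "ok"


def screen_control_session(control_peer: str, lines):
    """Return [(line, host, port, reason)] for each PORT command seen."""
    return [
        (line, *expectation_for(control_peer, line))
        for line in lines
        if line.upper().startswith("PORT")
    ]


SAMPLE_SESSION = [  # constructed: what the client sent on the control channel
    "USER anonymous",
    "PORT 192,168,1,10,4,1",     # 192.168.1.10:1025, matches the peer
    "PORT 10,0,0,5,0,25",        # another host, privileged port
    "PORT 192,168,1,10,0,80",    # right host, privileged port
    "PORT 192,168,1,300,4,2",    # octet out of range
]

if __name__ == "__main__":
    for line, host, port, reason in screen_control_session("192.168.1.10", SAMPLE_SESSION):
        print(f"{line!r:32} -> {reason}")
```

The same address-must-match rule applies on the passive side (the server's 227 reply must name the server the client is talking to); that direction is left out here to keep the example to the case the item describes.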

    - --- BSD News -----------------------------------------------------------

    *** {01.16.015} BSD - Update {01.15.006}: IPFilter fragmented packet
                    bypass vulnerability

    FreeBSD has released an updated IPFilter package to fix the
    vulnerability discussed in {01.15.006} ("IPFilter fragmented packet
    bypass vulnerability").

    FreeBSD 3.5-STABLE and 4.2-STABLE as of April 7, 2001, contain the fixed
    versions. A patch for 4.2-STABLE is available at:
    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/ipfilter.patch

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2001-04/0338.html

    - --- Solaris News -------------------------------------------------------

    *** {01.16.016} Sol - ipcs TZ environment variable buffer overflow

    The ipcs binary shipped with Solaris 7 and 8 (possibly other versions,
    as well) contains a buffer overflow in the handling of the TZ
    environment variable. This could allow a local attacker to execute
    arbitrary code under elevated privileges ('sys' group).

    Sun has confirmed the vulnerability and is currently producing patches.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0217.html

    *** {01.16.017} Sol - Xsun HOME environment variable buffer overflow

    The Xsun binary shipped with Solaris 7 and 9 contains a buffer overflow
    in the handling of the HOME environment variable. This could allow a
    local attacker to execute arbitrary code under uid root (on Solaris x86)
    or gid root (on Solaris Sparc).

    Sun has confirmed the vulnerability and currently is producing patches.
    Sun guru Casper Dik indicates that you can remove the setuid/setgid
    permissions from Xsun safely if you run Xsun through dtlogin or xdm.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0158.html
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0213.html

    *** {01.16.025} Sol - kcsSUNWIOsolf.so KCMS_PROFILES environment
                    variable buffer overflow

    The kcsSUNWIOsolf.so library has been reported vulnerable to a buffer
    overflow in the handling of the KCMS_PROFILES environment variable. When
    used in conjunction with a suid application (particularly
    kcms_configure), this could allow local attackers to elevate their
    privileges.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html

    *** {01.16.026} Sol - dtsession LANG environment variable buffer
                    overflow

    The dtsession binary has been reported vulnerable to a buffer overflow
    in the handling of the LANG environment variable. Potentially, this
    could allow a local attacker to execute arbitrary code with elevated
    privileges.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html

    - --- HP-UX News ---------------------------------------------------------

    *** {01.16.007} HPUX - Another unauthorized user access to OmniBack
                    client

    HP has released another vague-as-sin description for a patch that fixes
    a problem where a "user can gain an unauthorized access to an OmniBack
    client." Keep in mind this is a completely different patch than the one
    discussed in {01.05.021} ("Unauthorized user access to OmniBack
    client").

    HP has released the following patches:
    HP-UX 10.xx: PHSS_23107
    HP-UX 11.00: PHSS_23108

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q2/0006.html
    http://archives.neohapsis.com/archives/hp/2001-q2/0007.html

    - --- SCO News -----------------------------------------------------------

    *** {01.16.018} SCO - Massive SCO buffer overflow fixes

    SCO has released a patch that fixes buffer overflows in the following
    applications:

    /usr/bin/accept
    /usr/bin/cancel
    /usr/mmdf/bin/deliver
    /usr/bin/disable
    /usr/bin/enable
    /usr/lib/libcurses.a
    /usr/bin/lp
    /usr/lib/lpadmin
    /usr/lib/lpfilter
    /usr/lib/lpforms
    /usr/lib/lpmove
    /usr/lib/lpshut
    /usr/bin/lpstat
    /usr/lib/lpusers
    /usr/bin/recon
    /usr/bin/reject
    /usr/bin/rmail
    /usr/lib/sendmail
    /usr/bin/tput

    A few of the listed applications were previously reported ({01.14.001},
    {01.14.002}, {01.14.003}, {01.14.004}, {01.14.005} and {01.14.006}).

    The mega patch SSE072B can be downloaded at:
    ftp://ftp.sco.com/SSE/sse072b.tar.Z

    Source: SCO (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0196.html

    - --- Network Appliances News --------------------------------------------

    *** {01.16.021} NApps - Cisco VPN3000 concentrator IP options DoS

    Cisco has released an advisory indicating a denial of service in the
    VPN3000 concentrator with software versions prior to 2.5.2F. It's
    possible for remote attackers to cause the device to hang when they send
    a particular packet with an invalid IP option.

    Cisco has confirmed the problem; version 2.5.2F fixes the vulnerability.

    Source: Cisco (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0185.html

    *** {01.16.022} NApps - Cisco Catalyst 802.1x network DoS

    Cisco has released an advisory detailing a denial of service situation
    in the Catalyst 5000 series switch whereby a particular 802.1x frame
    could be forwarded into a VLAN, even if it was received on a STP blocked
    port. As a result, a network packet storm could ensue between vulnerable
    Catalyst switches, creating a denial of service.

    Cisco has confirmed the problem and released updated software images.
    For a complete listing of vulnerable and nonvulnerable configurations,
    consult the reference URL below.

    Source: Cisco (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0243.html

    *** {01.16.023} NApps - Lightwave ConsoleServer authentication concern

    A report was released recently concerning the Lightwave ConsoleServer
    3200. If a remote attacker can connect to the administrative service
    listening on port 5000, he or she can obtain a list of currently
    logged-in users without any authentication information. The list of
    obtained users then can be used in a brute-force attack to the telnet
    service. The telnet service neither limits, logs nor imposes any
    repercussions on invalid login attempts.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0170.html

    - --- Cross-Platform News ------------------------------------------------

    *** {01.16.002} Cross - Pine/pico insecure temp file handling

    Pine (and the included pico editor) have been found to handle temporary
    files insecurely. Potentially, this allows a local attacker to overwrite
    files writable by a user when that user uses pine or pico.

    Various Linux vendors have confirmed this vulnerability.

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0018.html

    Updated Immunix RPMs:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0008.html

    Source: RedHat, Immunix
    http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0018.html
    http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0008.html

    *** {01.16.004} Cross - Update {01.15.001}: ntpd/xntpd control request
                    parsing buffer overflow

    Multiple vendors have released updates for the vulnerability discussed
    in {01.15.001} ("ntpd/xntpd control request parsing buffer overflow").

    Updated source code for all platforms is available at:
    ftp://ftp.udel.edu/pub/ntp/ntp4/ntp-4.0.99k23.tar.gz

    SCO has released a patch for OpenServer release 5.0.6 at:
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0186.html

    SCO also has released a patch for UnixWare 7 at:
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0270.html

    Although we already reported last week on FreeBSD's fixes, the official
    FreeBSD advisory can be viewed at:
    http://archives.neohapsis.com/archives/freebsd/2001-04/0260.html

    A post to Bugtraq also indicates that Cisco IOS 11.x may be vulnerable.
    See:
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0179.html

    Progeny Linux also has rereleased its update. It seems the prior update
    introduced a denial of service. See:
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0225.html

    Source: FreeBSD, SCO, Progeny, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/freebsd/2001-04/0260.html
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0179.html
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0186.html
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0225.html
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0270.html

    *** {01.16.006} Cross - exuberant-ctags insecure temp file handling

    The exuberant-ctags application has been found to handle temporary files
    insecurely. Potentially, this would allow a local attacker to overwrite
    files writable by a user when that user uses the ctags application.

    Debian has confirmed this vulnerability.

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2001-q2/0005.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2001-q2/0005.html

    *** {01.16.010} Cross - iPlanet Web server redirect header vulnerability

    Versions 4.1 and prior of the iPlanet Web server contain a vulnerability
    that allows remote attackers to view portions of the Web server memory
    when they submit a particular malformed 'Host' header. The server will
    incorrectly use this header when constructing a redirect 'Location'
    header.

    iPlanet has confirmed this vulnerability and suggests upgrading to
    iPlanet Web Server version 4.1sp7. Patches are available at:
    http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16.html

    Source: iPlanet (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0278.html
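
The iPlanet item above is a reminder that the Host header is client input, and a server that copies it into a redirect Location header is trusting that input. The following is an added example, not iPlanet code or code from this newsletter. It checks the header for the shape a hostname takes (letters, digits, '-', '.', with an optional `:port`), then requires the name to be one the server actually answers for; anything else is replaced with a configured canonical name instead of being echoed back. The allow-list, canonical name and sample headers are constructed for this example.

```python
"""Build a redirect Location without trusting the request's Host header.

Added example (not iPlanet or newsletter code).
"""
import re

# Names this server answers for, and the name used whenever the request's
# Host header cannot be trusted. Both are constructed for this example.
SERVED_HOSTS = frozenset({"www.example.com", "example.com"})
CANONICAL_HOST = "www.example.com"

# hostname (letters, digits, '-', '.'; 1-254 chars) with an optional :port
HOST_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?)(?::(?P<port>\d{1,5}))?$"
)


def normalize_host(host_header, served_hosts=SERVED_HOSTS, canonical_host=CANONICAL_HOST):
    """Return a host[:port] string that is safe to copy into a Location header.

    Anything malformed, naming a host we do not serve, or carrying an
    impossible port is replaced by the canonical name rather than echoed.
    """
    if host_header is None:
        return canonical_host
    match = HOST_RE.match(host_header.strip())
    if match is None:
        return canonical_host
    name = match.group("name").lower()
    if name not in served_hosts:
        return canonical_host
    port = match.group("port")
    if port is None:
        return name
    if not 1 <= int(port) <= 65535:
        return canonical_host
    return f"{name}:{port}"


def redirect_location(host_header, path, scheme="http"):
    """Compose the absolute Location for a 'directory without slash' redirect."""
    host = normalize_host(host_header)
    # A path with CR/LF (or one not rooted at '/') must never reach a header.
    if not path.startswith("/") or "\r" in path or "\n" in path:
        path = "/"
    return f"{scheme}://{host}{path.rstrip('/')}/"


SAMPLE_HOST_HEADERS = [  # constructed request Host headers
    "www.example.com",
    "Example.COM:8080",
    "other.example.net",
    "www.example.com/../",
    None,
]

if __name__ == "__main__":
    for header in SAMPLE_HOST_HEADERS:
        print(f"{header!r:28} -> {redirect_location(header, '/docs')}")
```

Falling back to the canonical name (rather than returning an error) keeps the redirect working for clients behind a misconfigured proxy while ensuring that nothing taken from the request is reflected unchecked.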

    *** {01.16.011} Cross - Netscape SmartDownload plugin long URL buffer
                    overflow

    Versions 1.3 and prior of the Netscape SmartDownload plugin for Netscape
    and other browsers contain a buffer overflow in the handling of large
    URLs. This buffer overflow could allow a remote Web site to execute
    arbitrary code on a user's system.

    Netscape has confirmed this vulnerability and released SmartDownload
    version 1.4, which is available at:
    http://home.netscape.com/download/smartdownload.html

    Source: Win2KSecurityAdvice
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q2/0024.html

    *** {01.16.020} Cross - Multiple DoS attacks in Lotus Domino

    Lotus Domino R5 prior to 5.0.7 contains multiple denial of service
    attacks that could result in the Domino service crashing or consuming
    large amounts of memory and CPU time. An attacker can trigger the
    vulnerabilities by sending particular malformed HTTP headers in a
    request, by sending a large amount of Unicode or URL encoded characters
    in an HTTP request, by requesting a DOS device file name or by sending
    large amounts of data to the listening CORBA service.

    Lotus has confirmed all of the problems; Domino version 5.0.7 contains
    the appropriate fixes.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0174.html

    *** {01.16.024} Cross - cfingerd syslog format string buffer overflows

    cfingerd versions 1.4.3 and prior contain multiple remotely exploitable
    format string buffer overflows that could allow a remote attacker to
    execute arbitrary code under the uid of the cfingerd service (typically
    root).

    This vulnerability has not been confirmed. A third-party patch is
    available at:
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0202.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0202.html

    *** {01.16.027} Cross - IBM NetCommerce/Net.Data long URL DoS

    IBM's NetCommerce/Net.Data platform has been reported vulnerable to a
    denial of service situation in which a long URL composed of '%0d' could
    cause the server to crash.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0200.html

    *** {01.16.028} Cross - TrendMicro Interscan Viruswall Web server CGI
                    vulnerabilities

    TrendMicro's Interscan Viruswall version 3.01 (and possibly prior
    versions) contains a vulnerability in the included Web administration
    server (which is available if remote administration is enabled).
    Potentially, a remote attacker could use various buffer overflows in
    the included CGI applications to execute arbitrary code on the server.

    The report indicates that TrendMicro has confirmed the problem, which
    is fixed in version 3.6.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0218.html

    *** {01.16.030} Cross - Hylafax hfaxd -q parameter format string
                    vulnerability

    Hylafax server version 4.1beta2 has been found to contain a format
    string vulnerability in the handling of the '-q' command line parameter.
    This could allow a local attacker to execute arbitrary code under uid
    'uucp'.

    The vendor has confirmed this vulnerability and released the following
    patch:
    http://www.hylafax.org/patches/hfaxd-vulnerability.patch

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0236.html

    *** {01.16.031} Cross - DCScripts.com DCForum CGI az parameter
                    vulnerabilities

    DCScripts.com's DCForum 2000 CGI application has been found to contain
    a vulnerability in the handling of the az URL parameter. It's possible
    for an attacker to read (and potentially execute) files on the system.
    When combined with the ability to place files on the server (DCForum
    includes file upload functionality, as well), this could result in the
    execution of perl code under the Web server's privileges.

    This vulnerability has not been confirmed. No patches have been made
    available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0269.html

    *** {01.16.033} Cross - Marketrends.net nph-maillist.pl CGI arbitrary
                    command execution

    The nph-maillist.pl CGI script from marketrends.net contains a
    vulnerability in the handling of user-supplied e-mail addresses. It's
    possible for a remote attacker to embed particular shell metacharacters
    in the e-mail address, which results in the execution of command line
    commands when the e-mail address is parsed by the program.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0163.html
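
The nph-maillist.pl item above is the classic CGI mistake: a user-supplied address is interpolated into a command string that is then handed to a shell, so metacharacters in the address become commands. The following is an added example, not the nph-maillist.pl script or any code from this newsletter. It shows the two layers of the fix: the address must match a strict allow-list (no metacharacter survives it, and it cannot begin with '-', so the mailer cannot read it as an option), and the mailer is started from an argv list through `subprocess` with no shell involved. A separate detector flags addresses that carry metacharacters, which is useful when reviewing CGI logs for attempts. The mailer path `/usr/sbin/sendmail` and the sample addresses are assumptions constructed for this example; nothing is sent unless `send_message` is called.

```python
"""Hand a user-supplied address to the mailer without involving a shell.

Added example (not nph-maillist.pl or newsletter code).
"""
import re
import subprocess

SENDMAIL = "/usr/sbin/sendmail"  # assumed path for this example

# Deliberately narrower than RFC 5321: a plain local-part starting with a
# letter or digit, one '@', and a dotted hostname. Anything else is refused
# rather than "cleaned up".
ADDRESS_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$"
)

SHELL_METACHARACTERS = set(";|&`$<>()!\\'\"\n\r \t*?[]{}~#")


def validate_address(address: str) -> bool:
    """True only for addresses that match the allow-list."""
    return bool(ADDRESS_RE.match(address))


def contains_shell_metacharacters(address: str) -> bool:
    """Detection helper: does this input carry characters a shell would act on?"""
    return any(c in SHELL_METACHARACTERS for c in address)


def build_mail_argv(address: str):
    """Return the mailer argv list, or None if the address is refused.

    The address is one argv element, never part of a command string, so
    the shell's parsing rules never apply to it.
    """
    if not validate_address(address):
        return None
    return [SENDMAIL, address]


def send_message(address: str, body: bytes) -> bool:
    """Run the mailer with shell=False (the subprocess default). False if refused."""
    argv = build_mail_argv(address)
    if argv is None:
        return False
    subprocess.run(argv, input=body, check=True)
    return True


def screen_addresses(addresses):
    """Return [(address, accepted, flagged)] for the mailer and for log review."""
    return [(a, validate_address(a), contains_shell_metacharacters(a)) for a in addresses]


SAMPLE_ADDRESSES = [  # constructed inputs, as a CGI form might receive them
    "alice@example.com",
    "bob.smith+news@mail.example.org",
    "dave@example.com; ls",
    "-oops@example.com",
    "`carol`@example.com",
]

if __name__ == "__main__":
    for address, accepted, flagged in screen_addresses(SAMPLE_ADDRESSES):
        print(f"{address!r:36} accepted={accepted!s:5} metacharacters={flagged}")
```

The allow-list is the primary control; the metacharacter check exists for detection and would be the wrong thing to rely on alone, since a denylist is only as complete as its author's knowledge of the shell.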

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE63ybs+LUG5KFpTkYRAtkjAJ9JIZiIwCgIqF9E5h43AN5FR1toiQCfe9aP
    zHMq48BqPXpt4LaNaA0Lrm4=
    =g1Kx
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed to
    you and you would like to begin receiving our security e-mail newsletter
    on a weekly basis, we invite you to subscribe today at:
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter with PGP. The new SANS PGP key
    is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
    can be accessed from the SANS Web site: http://www.sans.org.

    Special Note: To better secure your confidential information, we will
    no longer include personal URLs in our Consensus newsletter mailings.
    Instead, we have created a new form, located at:
    http://www.sans.org/sansurl. On this form you can enter the SD number
    located near your name at the top of the newsletter. When you submit
    this form, an e-mail containing a URL will be sent to you at the e-mail
    address on record. With this URL you can make changes to your account
    (edit the content of your Consensus mailing, for example) without
    endangering the security of your personal URL. If you'd like to change
    your e-mail address or other information, or unsubscribe to this
    newsletter, please visit your new URL as described above. If you have
    any problems or questions, e-mail us at <consensus@nwc.com>.

    Missed an issue? You can find all back issues of Security Alert
    Consensus (and Security Express) online at:
    http://archives.neohapsis.com/.

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
    Rights Reserved. Distributed by Network Computing
    (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).