From: Network Computing and The SANS Institute (sans sans.org)
Date: Thu Apr 19 2001 - 13:05:40 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 093 (01.16)
Thursday, April 19, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
If you have any problems or questions, please e-mail us at
<consensus nwc.com>.
----------------------------------------------------------------------
*** Sponsored by PKWare, Inc. ***
Concerned about Email viruses? Do you use X.509v.3-based Public Key
Certificates and want to authenticate and detect changes to any data
file type? Use PKZIP Explorer to Compress and Digitally Sign one or
thousands of files. TRY IT NOW!
http://www.pkware.com/catalog/pkzipe11.html
----------------------------------------------------------------------
Due to the recent barrage of e-mails we've received, I once again would
like to give my periodic explanation of how Security Alert Consensus
(SAC) works.
First off, SAC is an unbiased publication -- we report on as many
plausible security vulnerabilities as we can get our hands on. Due to
those fun things known as 'deadlines,' all vulnerabilities released
during a Wednesday through the following Tuesday period are compiled
into one issue. That means issues that come out Wednesday or early
Thursday will not appear in that immediate Thursday's issue, but rather
the following Thursday's issue. This was witnessed with the recent
Microsoft/VeriSign certificate issue.
SAC is a category-centric publication, meaning that you can pick which
categories of information you wish to receive. This allows you to
minimize the content of your newsletter and personalize it according to
your interests. But this personalization can be a double-edged sword:
If you do it incorrectly -- that is, you do not subscribe to the right
categories -- you may miss information you want. Once again, I would
like to draw everyone's attention to the 'Cross-Platform' category. Many
vulnerabilities fall under this heading, and odds are it will contain
items of interest (at times) to just about any administrator.
Many people also are concerned about the fact that we lack specific
categories for particular platforms, which results in us not reporting
issues for that platform. This is why we have the wonderful catch-all
category of 'Other.' If the vulnerability doesn't naturally fall into
'Cross-Platform' and we have no specific category to place it in, it
will be found in 'Other.' However, we are evaluating the addition of
more categories for future issues.
Don't worry if you haven't picked the correct category selections.
Instructions on changing your category selections are included at the
end of this and every other SAC newsletter. You also can catch missed
items by viewing the archived versions of the newsletter, which contain
every item. They are viewable at:
http://archives.neohapsis.com/archives/sac/
Until next week,
- Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.16.008} Win - MS01-021: Invalid Web request crashes ISA Web proxy
service
{01.16.012} Win - Xitami Web server DOS device request causes server to
crash
{01.16.013} Win - SimpleServer:WWW Web server DOS device request causes
server to crash
{01.16.014} Win - GoAhead Web server DOS device request causes server
to crash
{01.16.019} Win - Symantec Ghost configuration server DoS
{01.16.029} Win - QPC QVT/Net popd server authentication buffer overflow
{01.16.001} Linux - Update {01.15.012}: Netscape GIF comment may
contain malicious JavaScript
{01.16.003} Linux - Update {01.13.004}: Malicious embedded VIM control
codes
{01.16.005} Linux - Update {01.13.019}: Multiple OpenSSH vulnerabilities
{01.16.009} Linux - Update {01.13.018}: Linux kernel 2.2.19 released
{01.16.032} Linux - IPTables FTP RELATED connections bypass filters
{01.16.015} BSD - Update {01.15.006}: IPFilter fragmented packet bypass
vulnerability
{01.16.016} Sol - ipcs TZ environment variable buffer overflow
{01.16.017} Sol - Xsun HOME environment variable buffer overflow
{01.16.025} Sol - kcsSUNWIOsolf.so KCMS_PROFILES environment variable
buffer overflow
{01.16.026} Sol - dtsession LANG environment variable buffer overflow
{01.16.007} HPUX - Another unauthorized user access to OmniBack client
{01.16.018} SCO - Massive SCO buffer overflow fixes
{01.16.021} NApps - Cisco VPN3000 concentrator IP options DoS
{01.16.022} NApps - Cisco Catalyst 802.1x network DoS
{01.16.023} NApps - Lightwave ConsoleServer authentication concern
{01.16.002} Cross - Pine/pico insecure temp file handling
{01.16.004} Cross - Update {01.15.001}: ntpd/xntpd control request
parsing buffer overflow
{01.16.006} Cross - exuberant-ctags insecure temp file handling
{01.16.010} Cross - iPlanet Web server redirect header vulnerability
{01.16.011} Cross - Netscape SmartDownload plugin long URL buffer
overflow
{01.16.020} Cross - Multiple DoS attacks in Lotus Domino
{01.16.024} Cross - cfingerd syslog format string buffer overflows
{01.16.027} Cross - IBM NetCommerce/Net.Data long URL DoS
{01.16.028} Cross - TrendMicro Interscan Viruswall Web server CGI
vulnerabilities
{01.16.030} Cross - Hylafax hfaxd -q parameter format string
vulnerability
{01.16.031} Cross - DCScripts.com DCForum CGI az parameter
vulnerabilities
{01.16.033} Cross - Marketrends.net nph-maillist.pl CGI arbitrary
command execution
--- Windows News -------------------------------------------------------
*** {01.16.008} Win - MS01-021: Invalid Web request crashes ISA Web
proxy service
Microsoft has released MS01-021 ("Invalid Web request crashes ISA Web
proxy service"). Sending long URLs to the Web proxy service included
with ISA server version 1.0 causes the Web proxy service to crash.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-021.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q2/0007.html
*** {01.16.012} Win - Xitami Web server DOS device request causes
server to crash
Xitami Web server version 2.54d (and possibly prior versions) contains
a denial of service whereby a remote attacker can make a request for a
DOS device (con, aux and so on). This request will cause the server to
either become unresponsive or crash.
This vulnerability has not been confirmed. No patches have been made
available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0277.html
*** {01.16.013} Win - SimpleServer:WWW Web server DOS device request
causes server to crash
SimpleServer:WWW Web server version 1.08 (and possibly prior versions)
contains a denial of service whereby a remote attacker can make a
request for a DOS device (con, aux and so on). This request will cause
the server to either become unresponsive or crash.
The vendor has confirmed this vulnerability and released version 1.13.
Vendor homepage:
http://www.analogx.com/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0279.html
*** {01.16.014} Win - GoAhead Web server DOS device request causes
server to crash
GoAhead Web server version 2.1 (and possibly prior versions) contains
a denial of service whereby a remote attacker can make a request for a
DOS device (con, aux and so on). This request will cause the server to
either become unresponsive or crash.
This vulnerability has not been confirmed. No patches have been made
available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0281.html
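The three items above ({01.16.012}, {01.16.013}, {01.16.014}), and the Domino item later in this issue, share one root cause: the server opens a requested file name that Windows resolves to a device rather than a file. As an added illustration (not code from any of those products), the following Python shows the check a Windows Web server should apply to each path segment, including the cases where Windows still treats a name as a device (extension added, trailing dots or spaces, mixed case, percent-encoding). The sample request lines are constructed.

```python
import re
from urllib.parse import unquote

# Names Windows reserves for devices.  A request that resolves to one of these
# is handed to the device driver instead of the filesystem, which is what made
# the Web servers above hang or crash.  COM10 and LPT10 are NOT reserved.
RESERVED_DEVICES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{base}{n}" for base in ("COM", "LPT") for n in range(1, 10)
}


def is_reserved_device(segment: str) -> bool:
    """Return True if one path segment names a DOS/Windows device.

    Windows ignores case, ignores everything after the first dot, and strips
    trailing dots and spaces when it matches device names, so "con",
    "CON.txt", "aux." and "lpt1 .html" all reach the device.
    """
    name = segment.rstrip(" .")      # drop trailing dots/spaces: "aux." -> "aux"
    name = name.split(".", 1)[0]     # drop any extension: "con.txt" -> "con"
    name = name.rstrip(" .")         # and spaces left before the dot
    return name.upper() in RESERVED_DEVICES


def request_path_is_safe(raw_path: str) -> bool:
    """Reject an HTTP request path if any segment names a reserved device.

    The query string is dropped, the path is percent-decoded so "/%63on"
    cannot slip past the check, and both "/" and "\\" count as separators
    because Windows accepts either.
    """
    decoded = unquote(raw_path.split("?", 1)[0])
    segments = re.split(r"[\\/]+", decoded)
    return not any(is_reserved_device(seg) for seg in segments if seg)


# Constructed sample request lines for the demonstration; they are not taken
# from the advisories above.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /con HTTP/1.0",
    "GET /cgi-bin/aux.tar.gz HTTP/1.0",
    "GET /images/%6cpt1 HTTP/1.0",
    "GET /docs/console.html HTTP/1.0",
    "GET /prn. HTTP/1.0",
]


def triage(request_lines):
    """Map each request line to 'ok' or 'reserved-device'."""
    verdicts = {}
    for line in request_lines:
        parts = line.split()
        path = parts[1] if len(parts) >= 2 else ""
        safe = request_path_is_safe(path)
        verdicts[line] = "ok" if safe else "reserved-device"
    return verdicts


if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_REQUESTS).items():
        print(f"{verdict:16} {line}")
```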
*** {01.16.019} Win - Symantec Ghost configuration server DoS
Symantec Ghost version 6.5 comes with a configuration server that
listens on the network for remote configuration requests. It's possible
for a remote attacker to send a large amount of data, thereby causing
the configuration server to crash.
Symantec has confirmed the problem, which has been fixed in Ghost 7.0.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0175.html
*** {01.16.029} Win - QPC QVT/Net popd server authentication buffer
overflow
QPC's pop server version 4.20, which is included in its QVT/Net suite,
contains a buffer overflow in the handling of long user names. This
could allow a remote attacker to execute arbitrary code on the server.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0227.html
--- Linux News ---------------------------------------------------------
*** {01.16.001} Linux - Update {01.15.012}: Netscape GIF comment may
contain malicious JavaScript
RedHat, Immunix and Conectiva have released updated Netscape packages
to fix the vulnerability discussed in {01.15.012} ("Netscape GIF comment
may contain malicious JavaScript").
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0028.html
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0007.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0001.html
Source: RedHat, Immunix, Conectiva
http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0028.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0007.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0001.html
*** {01.16.003} Linux - Update {01.13.004}: Malicious embedded VIM
control codes
Caldera has released updated VIM packages to fix the vulnerability
discussed in {01.13.004} ("Malicious embedded VIM control codes").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0003.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0003.html
*** {01.16.005} Linux - Update {01.13.019}: Multiple OpenSSH
vulnerabilities
Progeny has released updated OpenSSH packages to fix the vulnerability
discussed in {01.13.019} ("Multiple OpenSSH vulnerabilities").
Updated Progeny DEBs:
http://archives.neohapsis.com/archives/bugtraq/2001-04/0208.html
Source: Progeny (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-04/0208.html
*** {01.16.009} Linux - Update {01.13.018}: Linux kernel 2.2.19 released
RedHat and Debian have released updated kernel packages to fix the
vulnerability discussed in {01.13.018} ("Linux kernel 2.2.19 released").
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0027.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q2/0006.html
Source: RedHat, Debian
http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0027.html
http://archives.neohapsis.com/archives/vendor/2001-q2/0006.html
*** {01.16.032} Linux - IPTables FTP RELATED connections bypass filters
A vulnerability in the ip_conntrack_ftp module, which is responsible
for tracking incoming FTP connections, has been found. This
vulnerability could be used to bypass IPTables firewall rules if
IPTables is configured to allow RELATED connections to pass unhindered,
which is a standard configuration used with FTP servers. An attacker
can trick the ip_conntrack_ftp module into creating RELATED connections,
thus allowing various outbound connections to the network of the
firewall itself.
The vendor has confirmed this vulnerability and released a patch, which
is available at:
http://netfilter.samba.org/security-fix/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0271.html
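As an added illustration (not code from the advisory or from the netfilter project), the Python below models how an FTP connection-tracking helper turns a client's PORT command into a RELATED expectation, and the check that the advertised address must match the client's own address on the control connection. strict=False stands in for the behaviour described above, where a forged PORT line lets a RELATED rule pass a connection to an unrelated host; the addresses and PORT lines are constructed.

```python
import re

# "PORT h1,h2,h3,h4,p1,p2": the client asks the server to connect back to
# h1.h2.h3.h4 on port p1*256+p2 for the data transfer.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)


def parse_port_command(line: str):
    """Parse an FTP PORT command into (ip, port) or return None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port == 0:
        return None
    return ip, port


def build_expectation(control_src: str, control_dst: str, port_line: str,
                      strict: bool = True):
    """Model the helper's decision to register a RELATED data connection.

    control_src is the FTP client, control_dst the FTP server.  On a valid
    PORT command the helper records that a future server -> ip:port TCP
    connection is RELATED, so a rule accepting RELATED traffic will pass it.
    With strict=True the advertised ip must be the client's own address;
    with strict=False (the flawed behaviour modelled here) a client can make
    any third host the destination of an expectation.
    """
    parsed = parse_port_command(port_line)
    if parsed is None:
        return None
    data_ip, data_port = parsed
    if strict and data_ip != control_src:
        return None   # mismatch: no expectation, so no RELATED match later
    return {"src": control_dst, "dst": data_ip, "dport": data_port,
            "proto": "tcp", "state": "RELATED"}


def firewall_allows(expectations, src: str, dst: str, dport: int) -> bool:
    """A 'RELATED -j ACCEPT' rule passes a packet only if an expectation matches."""
    return any(e["src"] == src and e["dst"] == dst and e["dport"] == dport
               for e in expectations)


# Constructed scenario: FTP server 192.0.2.10 behind the firewall, an outside
# client 203.0.113.5, and an unrelated internal host 192.0.2.20.
CLIENT, SERVER, INTERNAL = "203.0.113.5", "192.0.2.10", "192.0.2.20"
HONEST_PORT = "PORT 203,0,113,5,4,1"     # client's own address, port 1025
FORGED_PORT = "PORT 192,0,2,20,0,22"     # someone else's address, port 22


def scenario(strict: bool):
    """Report which data connections the RELATED rule would pass."""
    exps = [e for e in (build_expectation(CLIENT, SERVER, HONEST_PORT, strict),
                        build_expectation(CLIENT, SERVER, FORGED_PORT, strict))
            if e is not None]
    return {
        "honest_data_conn": firewall_allows(exps, SERVER, CLIENT, 1025),
        "forged_data_conn": firewall_allows(exps, SERVER, INTERNAL, 22),
    }


if __name__ == "__main__":
    print("loose  :", scenario(strict=False))
    print("strict :", scenario(strict=True))
```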
--- BSD News -----------------------------------------------------------
*** {01.16.015} BSD - Update {01.15.006}: IPFilter fragmented packet
bypass vulnerability
FreeBSD has released an updated IPFilter package to fix the
vulnerability discussed in {01.15.006} ("IPFilter fragmented packet
bypass vulnerability").
FreeBSD 3.5-STABLE and 4.2-STABLE as of April 7, 2001, contain the fixed
versions. A patch for 4.2-STABLE is available at:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/ipfilter.patch
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-04/0338.html
--- Solaris News -------------------------------------------------------
*** {01.16.016} Sol - ipcs TZ environment variable buffer overflow
The ipcs binary shipped with Solaris 7 and 8 (possibly other versions,
as well) contains a buffer overflow in the handling of the TZ
environment variable. This could allow a local attacker to execute
arbitrary code under elevated privileges ('sys' group).
Sun has confirmed the vulnerability and is currently producing patches.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0217.html
*** {01.16.017} Sol - Xsun HOME environment variable buffer overflow
The Xsun binary shipped with Solaris 7 and 9 contains a buffer overflow
in the handling of the HOME environment variable. This could allow a
local attacker to execute arbitrary code under uid root (on Solaris x86)
or gid root (on Solaris Sparc).
Sun has confirmed the vulnerability and currently is producing patches.
Sun guru Casper Dik indicates that you can remove the setuid/setgid
permissions from Xsun safely if you run Xsun through dtlogin or xdm.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0158.html
http://archives.neohapsis.com/archives/bugtraq/2001-04/0213.html
*** {01.16.025} Sol - kcsSUNWIOsolf.so KCMS_PROFILES environment
variable buffer overflow
The kcsSUNWIOsolf.so library has been reported vulnerable to a buffer
overflow in the handling of the KCMS_PROFILES environment variable. When
used in conjunction with a suid application (particularly
kcms_configure), this could allow local attackers to elevate their
privileges.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
*** {01.16.026} Sol - dtsession LANG environment variable buffer
overflow
The dtsession binary has been reported vulnerable to a buffer overflow
in the handling of the LANG environment variable. Potentially, this
could allow a local attacker to execute arbitrary code with elevated
privileges.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
--- HP-UX News ---------------------------------------------------------
*** {01.16.007} HPUX - Another unauthorized user access to OmniBack
client
HP has released another vague-as-sin description for a patch that fixes
a problem where a "user can gain an unauthorized access to an OmniBack
client." Keep in mind this is a completely different patch than the one
discussed in {01.05.021} ("Unauthorized user access to OmniBack
client").
HP has released the following patches:
HP-UX 10.xx: PHSS_23107
HP-UX 11.00: PHSS_23108
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q2/0006.html
http://archives.neohapsis.com/archives/hp/2001-q2/0007.html
--- SCO News -----------------------------------------------------------
*** {01.16.018} SCO - Massive SCO buffer overflow fixes
SCO has released a patch that fixes buffer overflows in the following
applications:
/usr/bin/accept
/usr/bin/cancel
/usr/mmdf/bin/deliver
/usr/bin/disable
/usr/bin/enable
/usr/lib/libcurses.a
/usr/bin/lp
/usr/lib/lpadmin
/usr/lib/lpfilter
/usr/lib/lpforms
/usr/lib/lpmove
/usr/lib/lpshut
/usr/bin/lpstat
/usr/lib/lpusers
/usr/bin/recon
/usr/bin/reject
/usr/bin/rmail
/usr/lib/sendmail
/usr/bin/tput
A few of the listed applications were previously reported ({01.14.001},
{01.14.002}, {01.14.003}, {01.14.004}, {01.14.005} and {01.14.006}).
The mega patch SSE072B can be downloaded at:
ftp://ftp.sco.com/SSE/sse072b.tar.Z
Source: SCO (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-04/0196.html
--- Network Appliances News --------------------------------------------
*** {01.16.021} NApps - Cisco VPN3000 concentrator IP options DoS
Cisco has released an advisory indicating a denial of service in the
VPN3000 concentrator with software versions prior to 2.5.2F. It's
possible for remote attackers to cause the device to hang when they send
a particular packet with an invalid IP option.
Cisco has confirmed the problem; version 2.5.2F fixes the vulnerability.
Source: Cisco (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-04/0185.html
*** {01.16.022} NApps - Cisco Catalyst 802.1x network DoS
Cisco has released an advisory detailing a denial of service situation
in the Catalyst 5000 series switch whereby a particular 802.1x frame
could be forwarded into a VLAN, even if it was received on a STP blocked
port. As a result, a network packet storm could ensue between vulnerable
Catalyst switches, creating a denial of service.
Cisco has confirmed the problem and released updated software images.
For a complete listing of vulnerable and nonvulnerable configurations,
consult the reference URL below.
Source: Cisco (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-04/0243.html
*** {01.16.023} NApps - Lightwave ConsoleServer authentication concern
A report was released recently concerning the Lightwave ConsoleServer
3200. If a remote attacker can connect to the administrative service
listening on port 5000, he or she can obtain a list of currently
logged-in users without any authentication information. The list of
obtained users then can be used in a brute-force attack to the telnet
service. The telnet service neither limits, logs nor imposes any
repercussions on invalid login attempts.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0170.html
--- Cross-Platform News ------------------------------------------------
*** {01.16.002} Cross - Pine/pico insecure temp file handling
Pine (and the included pico editor) have been found to handle temporary
files insecurely. Potentially, this allows a local attacker to overwrite
files writable by a user when that user uses pine or pico.
Various Linux vendors have confirmed this vulnerability.
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0018.html
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0008.html
Source: RedHat, Immunix
http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0018.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0008.html
*** {01.16.004} Cross - Update {01.15.001}: ntpd/xntpd control request
parsing buffer overflow
Multiple vendors have released updates for the vulnerability discussed
in {01.15.001} ("ntpd/xntpd control request parsing buffer overflow").
Updated source code for all platforms is available at:
ftp://ftp.udel.edu/pub/ntp/ntp4/ntp-4.0.99k23.tar.gz
SCO has released a patch for OpenServer release 5.0.6 at:
http://archives.neohapsis.com/archives/bugtraq/2001-04/0186.html
SCO also has released a patch for UnixWare 7 at:
http://archives.neohapsis.com/archives/bugtraq/2001-04/0270.html
Although we already reported last week on FreeBSD's fixes, the official
FreeBSD advisory can be viewed at:
http://archives.neohapsis.com/archives/freebsd/2001-04/0260.html
A post to Bugtraq also indicates that Cisco IOS 11.x may be vulnerable.
See:
http://archives.neohapsis.com/archives/bugtraq/2001-04/0179.html
Progeny Linux also has rereleased its update. It seems the prior update
introduced a denial of service. See:
http://archives.neohapsis.com/archives/bugtraq/2001-04/0225.html
Source: FreeBSD, SCO, Progeny, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/freebsd/2001-04/0260.html
http://archives.neohapsis.com/archives/bugtraq/2001-04/0179.html
http://archives.neohapsis.com/archives/bugtraq/2001-04/0186.html
http://archives.neohapsis.com/archives/bugtraq/2001-04/0225.html
http://archives.neohapsis.com/archives/bugtraq/2001-04/0270.html
*** {01.16.006} Cross - exuberant-ctags insecure temp file handling
The exuberant-ctags application has been found to handle temporary files
insecurely. Potentially, this would allow a local attacker to overwrite
files writable by a user when that user uses the ctags application.
Debian has confirmed this vulnerability.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q2/0005.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q2/0005.html
*** {01.16.010} Cross - iPlanet Web server redirect header vulnerability
Versions 4.1 and prior of the iPlanet Web server contain a vulnerability
that allows remote attackers to view portions of the Web server memory
when they submit a particular malformed 'Host' header. The server will
incorrectly use this header when constructing a redirect 'Location'
header.
iPlanet has confirmed this vulnerability and suggests upgrading to
iPlanet Web Server version 4.1sp7. Patches are available at:
http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16.html
Source: iPlanet (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-04/0278.html
*** {01.16.011} Cross - Netscape SmartDownload plugin long URL buffer
overflow
Versions 1.3 and prior of the Netscape SmartDownload plugin for Netscape
and other browsers contain a buffer overflow in the handling of large
URLs. This buffer overflow could allow a remote Web site to execute
arbitrary code on a user's system.
Netscape has confirmed this vulnerability and released SmartDownload
version 1.4, which is available at:
http://home.netscape.com/download/smartdownload.html
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q2/0024.html
*** {01.16.020} Cross - Multiple DoS attacks in Lotus Domino
Lotus Domino R5 prior to 5.0.7 contains multiple denial of service
attacks that could result in the Domino service crashing or consuming
large amounts of memory and CPU time. An attacker can trigger the
vulnerabilities by sending particular malformed HTTP headers in a
request, by sending a large amount of Unicode or URL encoded characters
in an HTTP request, by requesting a DOS device file name or by sending
large amounts of data to the listening CORBA service.
Lotus has confirmed all of the problems; Domino version 5.0.7 contains
the appropriate fixes.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0174.html
*** {01.16.024} Cross - cfingerd syslog format string buffer overflows
cfingerd versions 1.4.3 and prior contain multiple remotely exploitable
format string buffer overflows that could allow a remote attacker to
execute arbitrary code under the uid of the cfingerd service (typically
root).
This vulnerability has not been confirmed. A third-party patch is
available at:
http://archives.neohapsis.com/archives/bugtraq/2001-04/0202.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0202.html
*** {01.16.027} Cross - IBM NetCommerce/Net.Data long URL DoS
IBM's NetCommerce/Net.Data platform has been reported vulnerable to a
denial of service situation in which a long URL composed of '%0d' could
cause the server to crash.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0200.html
*** {01.16.028} Cross - TrendMicro Interscan Viruswall Web server CGI
vulnerabilities
TrendMicro's Interscan Viruswall version 3.01 (and possibly prior
versions) contains a vulnerability in the included Web administration
server (which is available if remote administration is enabled).
Potentially, a remote attacker could use various buffer overflows in
the included CGI applications to execute arbitrary code on the server.
The report indicates that TrendMicro has confirmed the problem, which
is fixed in version 3.6.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0218.html
*** {01.16.030} Cross - Hylafax hfaxd -q parameter format string
vulnerability
Hylafax server version 4.1beta2 has been found to contain a format
string vulnerability in the handling of the '-q' command line parameter.
This could allow a local attacker to execute arbitrary code under uid
'uucp'.
The vendor has confirmed this vulnerability and released the following
patch:
http://www.hylafax.org/patches/hfaxd-vulnerability.patch
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0236.html
*** {01.16.031} Cross - DCScripts.com DCForum CGI az parameter
vulnerabilities
DCScripts.com's DCForum 2000 CGI application has been found to contain
a vulnerability in the handling of the az URL parameter. It's possible
for an attacker to read (and potentially execute) files on the system.
When combined with the ability to place files on the server (DCForum
includes file upload functionality, as well), this could result in the
execution of Perl code under the Web server's privileges.
This vulnerability has not been confirmed. No patches have been made
available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0269.html
*** {01.16.033} Cross - Marketrends.net nph-maillist.pl CGI arbitrary
command execution
The nph-maillist.pl CGI script from marketrends.net contains a
vulnerability in the handling of user-supplied e-mail addresses. It's
possible for a remote attacker to embed particular shell metacharacters
in the e-mail address, which results in the execution of command line
commands when the e-mail address is parsed by the program.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-04/0163.html
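Added illustration, not the marketrends.net script or a patch for it: a Python version of the address handling that closes the class of hole described above, validating the recipient against a deliberately narrow grammar and passing it to sendmail as its own argv element instead of through a shell. The sendmail path and the sample addresses are assumptions constructed for the demonstration.

```python
import re
import subprocess

# A deliberately conservative grammar: local part of letters, digits and a few
# punctuation characters, exactly one '@', and dot-separated DNS labels.  It is
# narrower than RFC 5322 allows, by design: quotes, ';', '|', '`', '$',
# parentheses and whitespace never get near a command line.  The local part
# must start with a letter or digit, so it can never look like an option.
LOCAL_PART = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._%+-]{0,63}$")
DNS_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_email(addr: str):
    """Return (ok, reason).  ok is True only if addr fits the safe grammar."""
    if not isinstance(addr, str) or not 3 <= len(addr) <= 254:
        return False, "length"
    if addr.count("@") != 1:
        return False, "exactly one '@' required"
    local, domain = addr.split("@")
    if not LOCAL_PART.match(local) or ".." in local or local.endswith("."):
        return False, "bad local part"
    labels = domain.split(".")
    if len(labels) < 2 or not all(DNS_LABEL.match(lab) for lab in labels):
        return False, "bad domain"
    return True, "ok"


def sendmail_argv(addr: str, sendmail="/usr/lib/sendmail"):
    """Build the argv for handing a message to sendmail for one recipient.

    The recipient is its own argv element and no shell is involved, so even
    if a metacharacter survived validation it would travel as part of the
    address string rather than being interpreted.  The sendmail path is an
    assumption; adjust it for the local MTA.
    """
    ok, reason = validate_email(addr)
    if not ok:
        raise ValueError(f"refusing recipient {addr!r}: {reason}")
    return [sendmail, "-oi", addr]


def deliver(addr: str, message: bytes) -> int:
    """Pipe message to sendmail without a shell; returns the exit status."""
    proc = subprocess.run(sendmail_argv(addr), input=message, check=False)
    return proc.returncode


# Constructed inputs for the demonstration; the last three are the kind of
# value a subscribe form must refuse.
SAMPLE_ADDRESSES = [
    "alice@example.com",
    "bob.smith+news@mail.example.org",
    "carol@example.com;id",
    "dave@example.com|ls",
    "`whoami`@example.com",
]


def triage(addresses):
    """Map each candidate address to 'accept' or 'reject: <reason>'."""
    out = {}
    for a in addresses:
        ok, reason = validate_email(a)
        out[a] = "accept" if ok else f"reject: {reason}"
    return out


if __name__ == "__main__":
    for addr, verdict in triage(SAMPLE_ADDRESSES).items():
        print(f"{verdict:24} {addr}")
    print(sendmail_argv("alice@example.com"))
```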
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (BSD/OS)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today at:
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
can be accessed from the SANS Web site: http://www.sans.org.
Special Note: To better secure your confidential information, we will
no longer include personal URLs in our Consensus newsletter mailings.
Instead, we have created a new form, located at:
http://www.sans.org/sansurl. On this form you can enter the SD number
located near your name at the top of the newsletter. When you submit
this form, an e-mail containing a URL will be sent to you at the e-mail
address on record. With this URL you can make changes to your account
(edit the content of your Consensus mailing, for example) without
endangering the security of your personal URL. If you'd like to change
your e-mail address or other information, or unsubscribe from this
newsletter, please visit your new URL as described above. If you have
any problems or questions, e-mail us at <consensus nwc.com>.
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at:
http://archives.neohapsis.com/.
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus nwc.com>.
Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info neohapsis.com | http://www.neohapsis.com/).