From: Network Computing and The SANS Institute (sans+ZZ16457091802394077@sans.org)
Date: Thu Oct 11 2001 - 14:57:04 CDT

    Re: Your personalized newsletter

                          -- Security Alert Consensus --
                                 Number 118 (01.41)
                            Thursday, October 11, 2001
                                 Created for you by
                      Network Computing and the SANS Institute
                                Powered by Neohapsis

    ----------------------------------------------------------------------

    Our thoughts and prayers remain with the victims and families affected
    by the tragic events of September 11th. Our support also goes out to
    all the brave individuals working in the recovery efforts.

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. If you have any problems or questions, please e-mail us
    at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    ** Request your FREE Internet Security Handbook **
    It's more important than ever to protect your information assets, avoid
    business interruption, and prevent revenue loss. Request your *FREE*
    copy of "Securing the Internet Economy: An Executive Guide to Managing
    Online Risk" from Internet Security Systems (ISS). Click here:
    http://www.iss.net/mktg/sac10401/

    ----------------------------------------------------------------------

    Those of you who use any open-source, PHP Web applications may
    be interested in checking out item {01.41.019} in this issue's
    Cross-Platform category. Seventeen different common PHP applications
    were found to contain bugs that would let a user read files off the
    local system.

    Also, due to an overwhelming amount of inquiries in the last two weeks,
    we'd like to reiterate two important points:

    1. SAC is customizable -- you only receive the categories you chose
    upon subscribing. You can always find all categories/items in our
    archive, which is available at:
    http://archives.neohapsis.com/archives/sac/

    2. To unsubscribe or change your category selection(s), follow the
    instructions that are at the bottom of every SAC newsletter.

    Until next week,
    --Security Alert Consensus Team

    ----------------------------------------------------------------------

    A completely new kind of technical security conference is coming in
    the Spring. Be a part of it by submitting a proposed talk.
    http://www.sans.org/SANS2002/cfp.htm

    ************************************************************************

    TABLE OF CONTENTS:

    {01.41.010} Win - AIM HTML comment DoS
    {01.41.013} Win - TYPSoft FTP server STOR/RETR DoS
    {01.41.016} Win - MS01-050: Malformed Excel/PowerPoint document can
                bypass macro security
    {01.41.017} Win - Symantec LiveUpdate DNS redirection problems
    {01.41.005} Linux - devfs security vulnerability
    {01.41.006} Linux - iptables MAC filter short packet bypass
    {01.41.015} Linux - Update {01.33.006}: groff/pic format vulnerability
                circumvents -S
    {01.41.012} BSD - OpenBSD socket owner mixup/SIGIO and SIGURG
                vulnerability
    {01.41.001} AIX - lpd buffer overflows
    {01.41.002} AIX - uuq -r parameter overflow
    {01.41.003} AIX - muxatmd overflow leads to DoS
    {01.41.004} HPUX - Update {01.27.033}: setrlimit() does not honor core
                file restrictions on suid/sgid apps
    {01.41.008} NApps - Cisco CDP broadcast DoS
    {01.41.009} NApps - Cisco PIX local auth DoS
    {01.41.014} Other - Update {01.40.020}: (rpc.)ttdbserver syslog()
                format string attack
    {01.41.007} Cross - htdig/htsearch alternate config file vulnerability
    {01.41.011} Cross - W3Mail Webmail CGI command execution
    {01.41.018} Cross - phpBB bb_memberlist.php sortby SQL injection
    {01.41.019} Cross - Multiple PHP CGI applications include file
                vulnerabilities

    --- Windows News ---------------------------------------------------------

    *** {01.41.010} Win - AIM HTML comment DoS

    The AOL Instant Messenger (AIM) client versions 4.7.2480 and prior,
    as well as possibly others, have been found to contain a denial of
    service. A remote attacker can send a particular message, which
    contains a malformed HTML comment tag, and cause the AIM client
    to crash. It is unknown at this time whether or not execution of
    arbitrary code is possible.

    Several third parties appear to have confirmed this
    vulnerability. Various exploits have been published.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0019.html

    *** {01.41.013} Win - TYPSoft FTP server STOR/RETR DoS

    TYPSoft's FTP server version 0.95 contains a buffer overflow in
    the handling of large arguments passed to the STOR and RETR FTP
    commands. This could allow a remote attacker to consume all CPU
    processing time and crash the service.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0050.html

    *** {01.41.016} Win - MS01-050: Malformed Excel/PowerPoint document can
                    bypass macro security

    Microsoft has released MS01-050 ("Malformed Excel/PowerPoint document
    can bypass macro security"). It's possible for a malicious Excel or
    PowerPoint file to contain embedded macros that are automatically
    executed regardless of the user's security preferences.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-050.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q4/0000.html

    *** {01.41.017} Win - Symantec LiveUpdate DNS redirection problems

    A recently released advisory indicates some potential problems with
    Symantec's LiveUpdate client. Essentially, the client will blindly
    download files from "update.symantec.com." If an attacker can
    redirect the client to a malicious FTP server, via DNS poisoning,
    route modification or other network tricks, it's possible for the
    attacker to cause that client to download and execute arbitrary files.

    LiveUpdate version 1.4 is especially vulnerable. Version 1.6 uses
    a cryptographic signature to prevent this problem, but a denial of
    service attack is still possible.

    The vendor has confirmed the problem. Users of version 1.4 should
    upgrade to the latest 1.6.x version.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0039.html

    --- Linux News -----------------------------------------------------------

    *** {01.41.005} Linux - devfs security vulnerability

    Mandrake has released an advisory indicating that a vulnerability
    exists in the devfs file system. At this point in time we are unaware
    if the vulnerability is limited to Mandrake distributions or if it
    is a general Linux kernel problem.

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0058.html

    *** {01.41.006} Linux - iptables MAC filter short packet bypass

    The MAC address filter included in the Linux kernel netfilter/iptables
    firewall code contains a bug that would allow extremely small IP
    packets to bypass the filter.

    The vendor has confirmed this bug and released a patch, which is
    available at:
    http://netfilter.samba.org/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0057.html

    *** {01.41.015} Linux - Update {01.33.006}: groff/pic format
                    vulnerability circumvents -S

    Conectiva has released updated groff packages, which fix the
    vulnerability discussed in {01.33.006} ("groff/pic format vulnerability
    circumvents -S").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0000.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0000.html

    --- BSD News -------------------------------------------------------------

    *** {01.41.012} BSD - OpenBSD socket owner mixup/SIGIO and SIGURG
                    vulnerability

    A bug in the accept() function causes new socket connections to not
    correctly contain the owner uid/gid. This means it's possible for a
    local attacker to use this bug to send SIGIO and/or SIGURG signals
    to arbitrary processes on the system.

    This vulnerability has been verified. A third-party patch is
    available at:
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0043.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0043.html

    --- AIX News -------------------------------------------------------------

    *** {01.41.001} AIX - lpd buffer overflows

    IBM has released APAR IY23037, which fixes alleged buffer overflows
    in lpd. If we had to venture a guess, we would assume it's related
    to {01.36.018} ("in.lpd job submission/view status overflow").

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2001-q4/0000.html

    *** {01.41.002} AIX - uuq -r parameter overflow

    IBM has released APAR IY23401, which fixes a buffer overflow in uuq's
    handling of the -r command line parameter. This vulnerability could
    allow local attackers to elevate their privileges.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2001-q4/0000.html

    *** {01.41.003} AIX - muxatmd overflow leads to DoS

    IBM has released APAR IY23402, which fixes a denial of service in
    the muxatmd daemon whereby a remote attacker can send large amounts
    of data to the service and cause it to crash.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2001-q4/0000.html

    --- HP-UX News -----------------------------------------------------------

    *** {01.41.004} HPUX - Update {01.27.033}: setrlimit() does not honor
                    core file restrictions on suid/sgid apps

    HP has released patches for HPUX 10.26 that fix the vulnerability
    discussed in {01.27.033} ("setrlimit() does not honor core file
    restrictions on suid/sgid apps").

    An updated patch matrix is available at:
    http://archives.neohapsis.com/archives/hp/2001-q4/0007.html

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q4/0007.html

    --- Network Appliances News ----------------------------------------------

    *** {01.41.008} NApps - Cisco CDP broadcast DoS

    Cisco has released updated IOS images that fix a potential denial of
    service whereby an attacker located on the same segment as the target
    Cisco router can spoof large amounts of CDP traffic. This causes the
    target router to eventually exhaust all memory.

    Cisco has confirmed this vulnerability and fixed the problem in interim
    releases of Cisco IOS 12.x. A workaround for this vulnerability is
    to disable CDP by executing "no cdp run" at an enabled configuration
    prompt within IOS.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0061.html
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0062.html

    *** {01.41.009} NApps - Cisco PIX local auth DoS

    Cisco has released an advisory indicating that a denial of service
    exists in PIX firewalls running various versions of the software. It
    is possible for a remote attacker to consume all available
    authentication resources, preventing other users from remotely
    accessing the device. Normal traffic passed through the device is not
    affected.

    Cisco has confirmed this problem and released updated PIX software. A
    full patch matrix is available at:
    http://archives.neohapsis.com/archives/cisco/2001-q4/0001.html

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2001-q4/0001.html

    --- Other News -----------------------------------------------------------

    *** {01.41.014} Other - Update {01.40.020}: (rpc.)ttdbserver syslog()
                    format string attack

    Compaq has released Tru64 patches for the vulnerability discussed in
    {01.40.020} ("(rpc.)ttdbserver syslog() format string attack").

    Download the appropriate patch from
    http://ftp1.support.compaq.com/public/dunix/:
    DUV40F17-C0056200-11703-ER-20010928.tar
    T64V40G17-C0007000-11704-ER-20010928.tar
    T64V50A17-C0015500-11705-ER-20010928.tar
    T64V5117-C0065200-11706-ER-20010928.tar
    T64V51Assb-C0000800-11707-ER-20010928.tar

    Source: Compaq
    http://archives.neohapsis.com/archives/compaq/2001-q4/0000.html

    --- Cross-Platform News --------------------------------------------------

    *** {01.41.007} Cross - htdig/htsearch alternate config file
                    vulnerability

    The htdig search engine CGI versions 3.1.5, 3.2.0b3 and prior have
    been found to contain a vulnerability whereby a remote attacker, who
    has access to upload a trojan configuration file, could cause htdig
    to use the alternate configuration file. This could potentially allow
    access to other file system areas that are not normally accessible
    to the attacker. A minor denial of service is also possible.

    The vendor has confirmed this vulnerability. Versions 3.1.6 and
    3.2.0b4 contain a fix.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0054.html

    *** {01.41.011} Cross - W3Mail Webmail CGI command execution

    The W3Mail suite of Webmail CGIs has been found to not properly
    filter Unix shell metacharacters from user input. This could possibly
    allow a remote attacker to execute arbitrary commands under the
    privileges of the Web server.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0046.html

    *** {01.41.018} Cross - phpBB bb_memberlist.php sortby SQL injection

    phpBB version 1.4.2 does not properly filter the sortby URL parameter
    passed to the bb_memberlist.php script. This allows a remote attacker
    to execute arbitrary SQL commands in the backend database.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0052.html
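    To make the flaw concrete, here is an added example (not phpBB's code) in Python with an in-memory SQLite table standing in for the member list: the vulnerable function pastes the sortby value into ORDER BY, where bind parameters cannot help because a column name is an identifier rather than a value, and the hardened function maps the request value through an allowlist instead. The table, its rows and the allowed sort keys are constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in for a forum member table; not phpBB's real schema.
MEMBERS = [(1, "alice", 120), (2, "bob", 45), (3, "carol", 300)]

# Request keys the application is willing to sort by, mapped to real columns.
ALLOWED_SORT = {"id": "user_id", "username": "username", "posts": "post_count"}
ALLOWED_DIRECTION = {"asc": "ASC", "desc": "DESC"}


def _member_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (user_id INTEGER, username TEXT, post_count INTEGER)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    return conn


def memberlist_vulnerable(sortby):
    """Flawed pattern: the URL parameter lands verbatim in the ORDER BY clause.

    A '?' placeholder is no fix here, since ORDER BY takes an identifier or
    expression, not a bound value; whatever the client sends is parsed as SQL.
    Returns the query that was actually run and the resulting username order.
    """
    query = "SELECT username FROM members ORDER BY " + sortby
    rows = _member_db().execute(query).fetchall()
    return query, [r[0] for r in rows]


def memberlist_hardened(sortby, direction="asc"):
    """Allowlist fix: the request value selects a column, it never becomes SQL."""
    column = ALLOWED_SORT.get(sortby)
    order = ALLOWED_DIRECTION.get(direction.lower())
    if column is None or order is None:
        raise ValueError("unsupported sort key or direction")
    query = "SELECT username FROM members ORDER BY %s %s" % (column, order)
    rows = _member_db().execute(query).fetchall()
    return query, [r[0] for r in rows]


if __name__ == "__main__":
    # An attacker-chosen SQL expression is executed by the vulnerable version...
    print(memberlist_vulnerable("CASE WHEN username = 'bob' THEN 0 ELSE 1 END"))
    # ...while the hardened version only accepts one of the allowlisted keys.
    print(memberlist_hardened("posts", "desc"))
```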

    *** {01.41.019} Cross - Multiple PHP CGI applications include file
                    vulnerabilities

    A recently released advisory indicates problems in 17 different PHP
    applications. All apps were found to not properly include supporting
    files, thereby allowing a local attacker to view local files readable
    by the Web server.

    Below is the full list of vulnerable PHP applications:
    Actionpoll -- http://sourceforge.net/projects/actionpoll
    AWOL -- http://www.freshmeat.net/projects/awol
    CCC -- http://www.cccsoftware.org
    DarkPortal -- http://sourceforge.net/projects/darkportal
    Empris -- http://empris.sourceforge.net
    Moregroupware -- http://www.moregroupware.org
    Phorecast -- http://phorecast.org
    Phormation -- http://www.peaceworks.ca/phormation.php
    PSlash -- http://www.pslash.com
    The Gallery -- http://sourceforge.net/projects/gallery
    Webodex -- http://homepage.mac.com/ghorwood/Webodex
    Zorbstats -- http://freshmeat.net/projects/zorbstats
    PhpAdsNew -- http://sourceforge.net/projects/phpadsnew
    Myphppagetool -- http://myphppagetool.sourceforge.net
    ActionPoll -- http://sourceforge.net/projects/actionpoll
    SIPS -- http://sips.sourceforge.net
    Thatware -- http://thatware.org

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0012.html
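    Added example, not taken from the advisory or from any of the applications listed above, written in Python rather than PHP to show the pattern behind this class of bug: an include path built from a request value can be pointed at any file the Web server can read, and the fix is to confine the resolved path to a fixed include directory. INCLUDE_ROOT and the file names used are assumptions.

```python
import posixpath

# Assumed location of the application's own include files.
INCLUDE_ROOT = "/srv/webapp/includes"


def include_path_vulnerable(requested):
    """Flawed pattern: a request-controlled value is joined into the include path.

    Nothing stops '../' sequences or an absolute path, so the result can name
    any file the Web server process is allowed to read.
    """
    return posixpath.normpath(posixpath.join(INCLUDE_ROOT, requested))


def include_path_hardened(requested, root=INCLUDE_ROOT):
    """Resolve an include name and refuse anything that leaves the include root."""
    if "\0" in requested:
        # Older PHP truncated file names at a NUL byte, which let an appended
        # ".php" suffix be dropped from the final path.
        raise ValueError("NUL byte in include name")
    if "://" in requested or posixpath.isabs(requested):
        # No URL wrappers and no absolute paths; includes are relative to root.
        raise ValueError("absolute or remote include rejected")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, requested))
    # After normalisation the candidate must still sit below the include root.
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        raise ValueError("include escapes the include root")
    return candidate


if __name__ == "__main__":
    print(include_path_vulnerable("../../../etc/passwd"))   # escapes to /etc/passwd
    print(include_path_hardened("lang/en.php"))             # stays under the root
```

    On a live system resolve the candidate with os.path.realpath before the containment check so that a symlink inside the include directory cannot point outside it.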

    ************************************************************************

    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter with PGP. The new SANS PGP
    key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, or unsubscribe
    to this newsletter, please visit your new URL as described above. If
    you have any problems or questions, e-mail us at <consensus@nwc.com>.

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2001 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).