From: Network Computing and The SANS Institute (sans+ZZ62377059047564832@sans.org)
Date: Thu Feb 07 2002 - 14:24:43 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 005 (02.05)
Thursday, February 7, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
Five-Minute Workout: Securing Content
To fully protect your corporate data from foes, both internal and
external, you must be prepared to monitor and filter your content at
the gateway, on the server and at the client. To help you on your way
to safe content, Bradley F. Shimmin and Sean Doherty have created a
multimedia how-to on setting up a monitoring system, sponsored by
SurfControl.
http://www.nwc.com/go/fivemin.html
----------------------------------------------------------------------
An interesting post to this week's SecurityFocus Bugtraq list relates
to a 'situation' that can occur when you intermix NDS configurations on
Novell and Windows NT systems. Basically, certain (nonrecommended)
configurations can lead to a normal user being able to access NT domain
systems with 'domain admin' privileges. The exact configuration is a
little in-depth, so if you're running NDS you should review the post,
which is available at:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0392.html
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{02.05.004} Win - MIRC server response buffer overflow
{02.05.006} Win - BlackIce Defender large ping flood DoS
{02.05.007} Win - MS02-001: Domain trust fake SID vulnerability
{02.05.010} Win - Lotus Domino DOS device name DoS
{02.05.020} Win - Eshare Expressions server '..' file retrieval
{02.05.022} Win - EServ FTP server PASV DoS and bounce attack
{02.05.024} Win - Castelle Faxpress authentication information exposure
{02.05.001} Linux - Update {02.02.043}: LPRng/groff overflow
{02.05.002} Linux - Update {02.02.041}: Gzip long file name potential
overflow
{02.05.008} Linux - Update {02.02.008}: Pine metacharacter URL passed
via command line
{02.05.016} Linux - KICQ service malformed data DoS
{02.05.011} NApps - NetScreen trusted interface port timeout DoS
{02.05.023} NApps - Update {02.02.020}: Cacheflow CacheOS memory
fragment leaking via HTTP
{02.05.005} Cross - Mrtg/RRD CGI multiple vulnerabilities
{02.05.009} Cross - Portix PHP CGI multiple vulnerabilities
{02.05.012} Cross - Lotus Domino Web ACL bypass
{02.05.013} Cross - Lotus Domino user name enumeration via mailboxes
{02.05.014} Cross - Cisco tac_plus local file permission vulnerability
{02.05.015} Cross - DCForum CGI reset password predictable
{02.05.017} Cross - WWWThreads/UBBThreads file upload extension
restriction bypass
{02.05.018} Cross - Faq-O-Matic CGI command parameter CSS vulnerability
{02.05.019} Cross - WWWebBB CGI forum file disclosure
{02.05.021} Cross - PhpSmsSend PHP CGI command execution
{02.05.003} Tools - BIND 8.3.1 available
- --- Windows News -------------------------------------------------------
*** {02.05.004} Win - MIRC server response buffer overflow
The MIRC IRC client prior to version 6.0 contains a buffer overflow
in the handling of malformed server responses. This could allow a
malicious IRC server to execute arbitrary code on the user's system.
This vulnerability has been confirmed. Version 6.0 contains a fix;
it's available at:
http://www.mirc.com/
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0322.html
*** {02.05.006} Win - BlackIce Defender large ping flood DoS
BlackIce Defender version 2.9 crashes when a flood of overly large
ping packets is sent to the protected system. This results in a denial
of service attack.
ISS has confirmed this problem and is working on a fix.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0423.html
*** {02.05.007} Win - MS02-001: Domain trust fake SID vulnerability
Microsoft has released MS02-001 ("Domain trust fake SID
vulnerability"). A bug was found in the way that domain trust
works. It's potentially possible for an attacker, who's able to take
over a resource domain, to gain domain administrator access in other
domains trusting the compromised domain.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-001.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q1/0019.html
*** {02.05.010} Win - Lotus Domino DOS device name DoS
Lotus Domino prior to version 5.0.9a becomes unresponsive if
an attacker requests URLs with Windows DOS device names ('NUL',
'PRN', etc). This is apparently different from the same denial of
service attack discussed in {01.16.020} ("Multiple DoS attacks in
Lotus Domino").
Lotus has confirmed this problem and released version 5.0.9a.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0037.html
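The DoS above is triggered by URLs naming Windows DOS devices. As an added example (not code from the newsletter, from Lotus or from the advisory), the filter below shows what a front-end check for such requests has to handle: the check is case-insensitive, an extension does not help ('nul.txt' still maps to the device), trailing dots and spaces are ignored by Windows, the name can appear in any path segment, and the path may be URL-encoded. The device list and sample request paths are constructed for this example.

```python
import re
from urllib.parse import unquote

# Reserved DOS device names (constructed list for this example). On Windows,
# "NUL", "nul.txt" and "NUL." all resolve to the same device, so the check
# ignores case, any extension and trailing dots or spaces.
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})


def reserved_device_name(segment: str) -> bool:
    """True if a single path segment would be mapped to a DOS device."""
    # Only the part before the first dot matters to the Win32 namespace.
    base = segment.split(".", 1)[0]
    base = base.rstrip(" .")
    return base.upper() in _RESERVED


def is_unsafe_url_path(path: str) -> bool:
    """Decode the path (a few rounds, to catch double-encoding) and inspect
    every segment, treating both '/' and '\\' as separators."""
    decoded = path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    for seg in re.split(r"[\\/]+", decoded):
        if seg and reserved_device_name(seg):
            return True
    return False


# Constructed sample request paths, in the style of a Web server access log.
SAMPLE_PATHS = [
    "/names.nsf?Open",        # normal Domino request
    "/nul",                   # bare device name
    "/cgi-bin/PRN.nsf",       # device name with an extension
    "/%6eul.txt",             # URL-encoded 'n' in 'nul.txt'
    "/docs/com1/index.html",  # device name as a directory segment
    "/nulls.nsf",             # not a device: the base name is 'nulls'
]


def flag_requests(paths):
    """Return the subset of request paths a front end should reject."""
    return [p for p in paths if is_unsafe_url_path(p)]


if __name__ == "__main__":
    for p in flag_requests(SAMPLE_PATHS):
        print("reject:", p)
```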
*** {02.05.020} Win - Eshare Expressions server '..' file retrieval
Eshare Expressions HTTP server version 4 allows a remote attacker to
request arbitrary files from the system by using reverse directory
traversal notation ('..') in a URL request.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0443.html
*** {02.05.022} Win - EServ FTP server PASV DoS and bounce attack
The EServ FTP server version 2.97 closes sockets opened with the PASV
command, thereby allowing a remote attacker to consume all available
sockets and render passive transfers unavailable to other users. It
is also possible to use the server to perform an FTP bounce attack,
which is common in indirect port scanning.
The advisory indicates vendor confirmation. A patch is available at:
ftp://ftp.eserv.ru/pub/beta/2.98/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0354.html
*** {02.05.024} Win - Castelle Faxpress authentication information
exposure
Castelle's Faxpress fax software reportedly logs the authentication
information used to print to a remote printer into a user-accessible
file, which means the auth info can be retrieved.
The advisory indicates confirmation by the vendor, which will fix
the problem in the next release.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0448.html
- --- Linux News ---------------------------------------------------------
*** {02.05.001} Linux - Update {02.02.043}: LPRng/groff overflow
Debian has released updated jgroff packages, which fix the
vulnerability discussed in {02.02.043} ("LPRng/groff overflow").
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2002-q1/0018.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q1/0018.html
*** {02.05.002} Linux - Update {02.02.041}: Gzip long file name
potential overflow
Mandrake has released updated gzip packages, which fix the
vulnerability discussed in {02.02.041} ("Gzip long file name potential
overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0389.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-01/0389.html
*** {02.05.008} Linux - Update {02.02.008}: Pine metacharacter URL
passed via command line
Conectiva has released updated pine packages, which fix the
vulnerability discussed in {02.02.008} ("Pine metacharacter URL passed
via command line").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0013.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0013.html
*** {02.05.016} Linux - KICQ service malformed data DoS
KICQ, an ICQ client for KDE, crashes when a remote attacker connects
to the listening KICQ client's port and sends random data.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0400.html
- --- Network Appliances News --------------------------------------------
*** {02.05.011} NApps - NetScreen trusted interface port timeout DoS
NetScreen ScreenOS version 2.6.1 contains a denial of service
vulnerability in the handling of port scans received on the internal
trusted interface. Under particular configurations, it's possible for
the device's session table to fill up, causing a denial of service.
NetScreen has confirmed this problem and offered workarounds and
solutions, which are listed at:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0454.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0395.html
http://archives.neohapsis.com/archives/bugtraq/2002-01/0454.html
*** {02.05.023} NApps - Update {02.02.020}: Cacheflow CacheOS memory
fragment leaking via HTTP
CacheFlow has released CacheOS version 4.0.14, which fixes the
vulnerability discussed in {02.02.020} ("Cacheflow CacheOS memory
fragment leaking via HTTP").
The updated version can be downloaded from:
http://download.cacheflow.com/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0444.html
- --- Cross-Platform News ------------------------------------------------
*** {02.05.005} Cross - Mrtg/RRD CGI multiple vulnerabilities
The Mrtg/RRD CGI script, which allows graphical Web access to MRTG
data, contains multiple vulnerabilities. These include physical file
path disclosure, reading the first line of files readable by the Web
server and cross-site scripting attacks. Version 1.1p15 reportedly
is vulnerable.
These vulnerabilities have not been confirmed.
Source: VulnWatch, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0038.html
http://archives.neohapsis.com/archives/bugtraq/2002-01/0421.html
*** {02.05.009} Cross - Portix PHP CGI multiple vulnerabilities
The Portix PHP portal CGI suite version 0.4.0 contains two bugs. One
allows a remote attacker to read files readable by the Web server
by tampering with certain URL parameters. The other allows a remote
attacker to gain administrative access to the Portix CGI with a
malformed cookie.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0279.html
*** {02.05.012} Cross - Lotus Domino Web ACL bypass
A posted advisory indicates that it's possible to bypass
authentication-required ACLs on .NSF documents by requesting a
particular malformed URL of a certain size.
This vulnerability has not been confirmed.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0328.html
*** {02.05.013} Cross - Lotus Domino user name enumeration via mailboxes
A bug found in Lotus Domino version 5.0.8a (and possibly prior)
allows a remote attacker to submit a URL that will indicate whether
or not a user name is valid. This could serve as a user name oracle
used in brute forcing valid logins.
Third parties have confirmed this vulnerability.
Source: Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0258.html
*** {02.05.014} Cross - Cisco tac_plus local file permission
vulnerability
Cisco's tac_plus TACACS+ application version F4.0.4 reportedly creates
local files with insecure file permissions, thereby allowing a local
user to modify the contents.
Cisco's implementation of tac_plus is unsupported, so a fix timeline
is unknown.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0374.html
*** {02.05.015} Cross - DCForum CGI reset password predictable
DCScripts.com's DCForum CGI suite contains a bug in the resetting of
a user's password, which makes it possible for a remote attacker to
gain access to any DCForum account.
The vendor has confirmed this vulnerability. A patch is available at:
http://www.dcscripts.com/bugtrac/DCForumID7/3.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0396.html
*** {02.05.017} Cross - WWWThreads/UBBThreads file upload extension
restriction bypass
A bug in InfoPop's WWWThreads/UBBThreads CGI suite versions 5.5dev11
and prior allows a remote attacker to upload files with extensions that
are not explicitly listed in the 'allowfiles' configuration option.
The vendor has confirmed this vulnerability and released version 5.5.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0364.html
*** {02.05.018} Cross - Faq-O-Matic CGI command parameter CSS
vulnerability
The Faq-O-Matic CGI script version 2.712 contains a cross-site
scripting vulnerability in the handling of the command URL parameter.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0418.html
*** {02.05.019} Cross - WWWebBB CGI forum file disclosure
The WWWebBB CGI forum suite version 3.82beta discloses the file
contents of files readable by the Web server when an attacker uses
reverse directory traversal notation ('..') in the value passed as
a URL parameter.
This vulnerability has not been confirmed.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0369.html
*** {02.05.021} Cross - PhpSmsSend PHP CGI command execution
The PhpSmsSend PHP CGI script passes unfiltered user data to a command
line execute call, which allows a remote attacker to execute arbitrary
command line commands under the privileges of the Web server.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0353.html
- --- Tool Announcements News --------------------------------------------
*** {02.05.003} Tools - BIND 8.3.1 available
BIND version 8.3.1 was released. It contains a critical bug fix that
helps counter the 'DNS storms' that were possible in version 8.3.0.
Updated source available at:
ftp://ftp.isc.org/isc/bind/src/8.3.1/bind-src.tar.gz
Source: BIND
http://archives.neohapsis.com/archives/bind/2002/0002.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE8YuDK+LUG5KFpTkYRAr3sAJsH6dje5EWOaJGuQ7to/HfIwWF4zwCfRCa2
N017sHbRxuazf68nPMRMJT8=
=6LYp
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
to this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).