From: Network Computing and The SANS Institute (sans+ZZ59490908233764077@sans.org)
Date: Thu Feb 21 2002 - 15:27:49 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 007 (02.07)
Thursday, February 21, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
** Request your FREE Internet Security Handbook **
It's more important than ever to protect your information assets, avoid
business interruption, and prevent revenue loss. Request your *FREE*
copy of "Securing the Internet Economy: An Executive Guide to Managing
Online Risk" from Internet Security Systems (ISS). Click here:
http://www.iss.net/mktg/securitysolutions3/
----------------------------------------------------------------------
Many vendors have released patches for the SNMP problem discussed last
week. The full patch list is in this issue under Cross-Platform item
{02.07.001}. If you're not signed up for the Cross-Platform category,
you can view it in the online archive at:
http://archives.neohapsis.com/archives/sac/2002/
Microsoft this week also released a critical Internet Explorer
patch, which fixes six new problems as well as all known problems to
date. It's discussed under item {02.07.013}.
Lastly, last week's item {02.06.010} in the Windows category forgot
a digit in the MS advisory title, which should have been 'MS02-003.'
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{02.07.007} Win - Apple QuickTime player Content-Type overflow
{02.07.009} Win - PowerFTP multiple vulnerabilities
{02.07.010} Win - Identix BioLogon GINA bypass
{02.07.012} Win - NetWin CWMail CGI item parameter overflow
{02.07.013} Win - MS02-005: Cumulative security patch for IE
{02.07.021} Win - Falcon HTTP virtual directory authentication bypass
{02.07.022} Win - Dino's Web Server long request DoS
{02.07.024} Win - ScriptEase MiniWeb Server long URL DoS
{02.07.025} Win - MS SQL Server OpenRowSet/OpenQuery() overflow
{02.07.027} Win - Phusion Web server multiple vulnerabilities
{02.07.028} Win - Avirt telnet proxy prompt overflow
{02.07.029} Win - NetWin Webnews CGI utoken parameter overflow
{02.07.002} Linux - Update {02.05.018}: Faq-O-Matic CGI command
parameter CSS vulnerability
{02.07.005} Linux - Update {02.06.007}: hanterm long parameter overflow
{02.07.006} Linux - Update {02.03.025}: uuxqt --config vulnerability
{02.07.031} Linux - ncurses large window overflow
{02.07.008} HPUX - setrlimit() parameter DoS
{02.07.015} SCO - Update {01.48.028}: wu-ftpd unclosed glob heap
overflow
{02.07.019} SCO - World-readable sensitive files
{02.07.003} NApps - Update {02.06.014}: HP AdvanceStack password change
via HTTP service
{02.07.001} Cross - Update {02.06.011}: Multiple vendor SNMP problems
{02.07.004} Cross - CUPS attribute name buffer overflow
{02.07.011} Cross - Update {02.04.027}: NetInventory/NetRC hostcfg.ini
recovery
{02.07.014} Cross - Add2It mailman CGI parameter command execution
{02.07.016} Cross - DCP-Portal CGI path disclosure/CSS
{02.07.017} Cross - SiteNews CGI administrative authorization bypass
{02.07.018} Cross - pforum CGI user name SQL injection
{02.07.020} Cross - Ettercap decoders memcpy() overflow
{02.07.023} Cross - Slashcode CSS vuln
{02.07.026} Cross - GNUJSP servlet multiple vulnerabilities
{02.07.030} Cross - SIPS CGI admin privilege elevation
--- Windows News -------------------------------------------------------
*** {02.07.007} Win - Apple QuickTime player Content-Type overflow
Apple's QuickTime player version 5.02 for Windows has a buffer overflow
in the handling of large Content-Type headers. This could allow a
malicious Web server to execute arbitrary code on the user's system.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0072.html
*** {02.07.009} Win - PowerFTP multiple vulnerabilities
The PowerFTP server contains three vulnerabilities: access to files
outside the ftp root by using '..' notation in file requests; display
of full physical paths for working directories; and a buffer overflow
in the handling of long FTP commands.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0122.html
*** {02.07.010} Win - Identix BioLogon GINA bypass
The Identix BioLogon replacement GINA, which allows a local user to
authenticate via a biometrics device, allows a local attacker (with
physical access to the system) to have administrative access on the
system without having to log in. The vulnerability lies in the use
of the standard Windows 'browse' window available in the submenus of
the log-in page.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0136.html
*** {02.07.012} Win - NetWin CWMail CGI item parameter overflow
The NetWin CWMail CGI contains a buffer overflow in the handling of
the 'item' URL parameter, thereby allowing a remote attacker with a
valid Webmail account to execute arbitrary code on the server.
The vendor has confirmed this vulnerability and released a patch,
which is available at:
http://netwinsite.com/dmailweb/download2.htm
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0126.html
*** {02.07.013} Win - MS02-005: Cumulative security patch for IE
Microsoft released MS02-005 ("Cumulative security patch for IE"). The
patch is a cumulative patch that fixes all problems known to date
with Internet Explorer. It also fixes many new vulnerabilities,
including a buffer overflow and the ability to execute JavaScript
even if active scripting is disabled.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-005.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q1/0031.html
*** {02.07.021} Win - Falcon HTTP virtual directory authentication
bypass
The Falcon HTTP server prior to version 2.0.0.1021 allows a remote
attacker to access a virtual directory without authentication
when the directory is otherwise configured to require a valid user
name/password.
The vendor has confirmed this vulnerability and released version
2.0.0.1021.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0131.html
*** {02.07.022} Win - Dino's Web Server long request DoS
Dino's Web Server version 1.2 is vulnerable to a denial of service
attack whereby a remote attacker sends multiple large URL requests
and causes the service to consume all available CPU cycles.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0196.html
*** {02.07.024} Win - ScriptEase MiniWeb Server long URL DoS
Nombas' ScriptEase MiniWeb Server version 0.95 crashes when a remote
attacker submits a long URL request, thus causing a denial of service
attack.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0203.html
*** {02.07.025} Win - MS SQL Server OpenRowSet/OpenQuery() overflow
A released advisory indicates that the MS SQL Server OpenRowSet() and
OpenQuery() functions are vulnerable to a buffer overflow in the handling
of long provider names. This amounts to at least a denial of service
attack and possibly the execution of arbitrary code.
This vulnerability has not been confirmed.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0588.html
*** {02.07.027} Win - Phusion Web server multiple vulnerabilities
BBSoftware.com's Phusion HTTP server version 1.0 reportedly has
multiple vulnerabilities, including remotely exploitable buffer
overflows, arbitrary file retrieval and a denial of service attack.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0180.html
*** {02.07.028} Win - Avirt telnet proxy prompt overflow
The telnet proxy included with Avirt Gateway version 4.2 contains
a buffer overflow in the handling of large commands sent to the
telnet proxy prompt. This could allow a remote attacker to execute
arbitrary code.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0141.html
*** {02.07.029} Win - NetWin Webnews CGI utoken parameter overflow
NetWin's Webnews CGI contains a buffer overflow in the handling of a
malformed utoken URL parameter, which could allow a remote attacker
to execute arbitrary code on the server.
The vendor has confirmed this vulnerability and released a patch,
which is available at:
ftp://netwinsite.com/pub/webnews/beta/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0186.html
--- Linux News ---------------------------------------------------------
*** {02.07.002} Linux - Update {02.05.018}: Faq-O-Matic CGI command
parameter CSS vulnerability
Debian has released updated faq-o-matic packages, which fix the
vulnerability discussed in {02.05.018} ("Faq-O-Matic CGI command
parameter CSS vulnerability").
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2002-q1/0028.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q1/0028.html
*** {02.07.005} Linux - Update {02.06.007}: hanterm long parameter
overflow
Debian released updated hanterm packages, which fix the vulnerability
discussed in {02.06.007} ("hanterm long parameter overflow").
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2002-q1/0034.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q1/0034.html
*** {02.07.006} Linux - Update {02.03.025}: uuxqt --config vulnerability
Conectiva released updated uucp packages, which fix the vulnerability
discussed in {02.03.025} ("uuxqt --config vulnerability").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0016.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0016.html
*** {02.07.031} Linux - ncurses large window overflow
Debian released an advisory indicating that there is a buffer overflow
in the ncurses library, which has to do with large windows. The
advisory indicates this is not a Debian-exclusive problem.
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2002-q1/0035.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q1/0035.html
--- HP-UX News ---------------------------------------------------------
*** {02.07.008} HPUX - setrlimit() parameter DoS
HP released an advisory indicating that a local denial of service
(kernel panic) can be triggered by a local attacker passing malformed
arguments to a setrlimit() call.
Only HPUX 11.11 is affected; apply patch PHKL_26233.
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q1/0051.html
--- SCO News -----------------------------------------------------------
*** {02.07.015} SCO - Update {01.48.028}: wu-ftpd unclosed glob heap
overflow
Caldera/SCO rereleased updated ftpd packages, which fix the
vulnerability discussed in {01.48.028} ("wu-ftpd unclosed glob heap
overflow").
Updated binaries are available at:
ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.36.2/
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0010.html
*** {02.07.019} SCO - World-readable sensitive files
Caldera/SCO released an advisory indicating that various world-readable
files exist on OpenUnix/OpenServer and UnixWare systems. These files
contain sensitive data, including administrative passwords.
For a full list of which files on which platforms, please see the
reference URL below.
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0011.html
--- Network Appliances News --------------------------------------------
*** {02.07.003} NApps - Update {02.06.014}: HP AdvanceStack password
change via HTTP service
HP has released a workaround for the vulnerability discussed in
{02.06.014} ("HP AdvanceStack password change via HTTP service").
Detailed information is available at the reference URL below.
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q1/0051.html
--- Cross-Platform News ------------------------------------------------
*** {02.07.001} Cross - Update {02.06.011}: Multiple vendor SNMP
problems
Many vendors have released updated SNMP packages, which fix the
vulnerability discussed in {02.06.011} ("Multiple vendor SNMP
problems").
Microsoft Windows patches:
http://archives.neohapsis.com/archives/vendor/2002-q1/0032.html
HP updates for HPUX, HP Procurve switches and HP JetDirect servers:
http://archives.neohapsis.com/archives/hp/2002-q1/0053.html
Sun patches:
http://sunsolve.sun.com/pub-cgi/show.pl?target=home
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0015.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2002-q1/0030.html
Updated Cisco firmware for various Cisco devices:
http://archives.neohapsis.com/archives/cisco/2002-q1/0003.html
http://archives.neohapsis.com/archives/cisco/2002-q1/0004.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-02/0165.html
Updates for Compaq Tru64, SANWorks Management Appliance and OpenVMS:
http://archives.neohapsis.com/archives/compaq/2002-q1/0053.html
Source: Microsoft, HP, Sun, Conectiva, Debian, Cisco, Mandrake, Compaq
(SF Bugtraq)
http://archives.neohapsis.com/archives/vendor/2002-q1/0032.html
http://archives.neohapsis.com/archives/hp/2002-q1/0053.html
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/215&type=0&nav=sec.sbl&ttl=sec.sbl
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0015.html
http://archives.neohapsis.com/archives/vendor/2002-q1/0030.html
http://archives.neohapsis.com/archives/cisco/2002-q1/0003.html
http://archives.neohapsis.com/archives/cisco/2002-q1/0004.html
http://archives.neohapsis.com/archives/bugtraq/2002-02/0165.html
http://archives.neohapsis.com/archives/compaq/2002-q1/0053.html
*** {02.07.004} Cross - CUPS attribute name buffer overflow
The CUPS package contains a buffer overflow in the handling of
attribute names. Versions prior to 1.1.14 are affected.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2002-q1/0029.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-02/0166.html
Source: Debian, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/vendor/2002-q1/0029.html
http://archives.neohapsis.com/archives/bugtraq/2002-02/0166.html
*** {02.07.011} Cross - Update {02.04.027}: NetInventory/NetRC
hostcfg.ini recovery
BindView released updated NETrc packages, which fix the vulnerability
discussed in {02.04.027} ("NetInventory/NetRC hostcfg.ini recovery").
A patch is available at:
ftp://ftp.bindview.com/Products/NETrc/NETinventory_NETrc_HotFix.zip
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0132.html
*** {02.07.014} Cross - Add2It mailman CGI parameter command execution
Add2it.com's mailman CGI does not properly filter URL parameters
before passing them to an open() call, thereby allowing a remote
attacker to execute arbitrary command line commands.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0153.html
*** {02.07.016} Cross - DCP-Portal CGI path disclosure/CSS
The DCP-Portal CGI suite version 4.2 reportedly contains
vulnerabilities that will disclose the full physical path of the CGIs
as well as a cross-site scripting problem.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0163.html
http://archives.neohapsis.com/archives/bugtraq/2002-02/0164.html
*** {02.07.017} Cross - SiteNews CGI administrative authorization bypass
Linuxnetwork.nl's SiteNews CGI version 0.11 allows a remote attacker
to gain administrative access to the news system by supplying an
empty user ID and a known MD5 value.
This vulnerability has been confirmed. Version 0.12 has been released.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0171.html
*** {02.07.018} Cross - pforum CGI user name SQL injection
The pforum CGI suite version 1.14 does not properly filter out
malicious characters from user-submitted data, thereby allowing a
remote attacker to execute arbitrary SQL commands on the backend
database. This vulnerability also allows the attacker to log into
the forum application with administrative privileges.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0173.html
*** {02.07.020} Cross - Ettercap decoders memcpy() overflow
Ettercap versions 0.6.3.1 and prior reportedly contain a vulnerability
in the various protocol decoders, which could allow a remote attacker
to execute arbitrary code on the system running ettercap. The exploit
requires a network topology that has an MTU >= 2000, which would
exclude common Ethernet.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0048.html
*** {02.07.023} Cross - Slashcode CSS vuln
Slashcode CGI prior to version 2.2.5 has a cross-site scripting
vulnerability that could expose a user's authentication
information. Details were not given.
Version 2.2.5 fixes the problem.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0189.html
*** {02.07.026} Cross - GNUJSP servlet multiple vulnerabilities
The GNUJSP servlet contains multiple vulnerabilities that could allow a
remote attacker to access otherwise-restricted Web directories as well
as gain access to script source code and directory content listings.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0201.html
*** {02.07.030} Cross - SIPS CGI admin privilege elevation
The SIPS CGI suite prior to version 0.3.1 contains a vulnerability in
the handling of user-submitted data that allows normal users to elevate
their status to admin level, and thus compromise the application.
The vendor has confirmed this vulnerability and released version 0.3.1.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0129.html
************************************************************************
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
to this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).