From: Network Computing and The SANS Institute (sans+ZZ90303768192504379@sans.org)
Date: Thu Feb 28 2002 - 14:20:24 CST



    Re: Your personalized newsletter

                      -- Security Alert Consensus --
                            Number 008 (02.08)
                       Thursday, February 28, 2002
                            Created for you by
                 Network Computing and the SANS Institute
                           Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    RSA Conference 2002 Report: On-Site Report
    What's bad about the RSA security conference this year? So many
    interesting sessions are packed into such a short amount of time that
    it's hard to decide which one to attend.
    Day One: http://www.nwc.com/1304/1304colfratto_rsa.html
    Day Two: http://www.nwc.com/1304/1304colfratto_rsa2.html

    ----------------------------------------------------------------------

    This week has definitely been 'rumor central' on the Vuln-Dev
    mailing list. While we don't normally like to perpetuate rumors,
    there are enough of them this week that some may well turn out to
    be true. Because of this possibility, we decided we should at least
    alert you to the potential problems so you can be on the lookout.

    First, there was the rumor of a vulnerability in PHP's handling of
    file uploads, which has been confirmed (and reported in this issue as
    {02.08.034}). Then there was the rumor of a bug in the processing of
    client certificates in mod_ssl prior to 2.8.7, which also has been
    confirmed (and reported in this issue as {02.08.035}). And finally,
    there was a claim of problems in qmail, bind9, Apache and various
    SSH agents.
    http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0660.html
    http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0665.html
    http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0678.html

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.08.007} Win - Update {02.07.025}: MS SQL Server
                OpenRowSet/OpenQuery() overflow
    {02.08.008} Win - MS02-008: XMLHTTP control local file reading
    {02.08.009} Win - MS02-009: Another IE cross-frame VBScript problem
    {02.08.010} Win - MS02-010: Commerce Server 2000 AuthFilter ISAPI
                buffer overflow
    {02.08.011} Win - Essentia Web server file retrieval and DoS
    {02.08.016} Win - AdMentor CGI authentication SQL tampering
    {02.08.019} Win - Netwin WebNews CGI backdoor accounts
    {02.08.020} Win - LilHTTP server protected file access
    {02.08.021} Win - Gator GAIN installer remote setup.ex_ execution
    {02.08.025} Win - Norton AV LiveUpdate authentication information in
                registry
    {02.08.026} Win - BadBlue file sharing CSS and file retrieval
    {02.08.032} Win - CNet catchup RVP template trojan execution
    {02.08.006} Linux - Update {02.06.011}: Multiple vendor SNMP problems
    {02.08.018} Linux - Update {02.07.031}: ncurses large window overflow
    {02.08.024} Linux - Update {02.07.004}: CUPS attribute name buffer
                overflow
    {02.08.001} AIX - diagnostics library DIAGNOSTICS environment variable
                overflow
    {02.08.002} AIX - Obscure cu overflow
    {02.08.003} AIX - Obscure lscfg overflow
    {02.08.004} AIX - Login cannot handle 100+ environment variables
    {02.08.005} AIX - vague AIX 'security issue'
    {02.08.033} NW - Groupwise authentication bypass
    {02.08.013} SCO - Webtop CGIs allow root access
    {02.08.030} Other - OpenVMS ACMS process privilege vulnerability
    {02.08.012} Cross - Squid multiple vulnerabilities
    {02.08.014} Cross - ScriptEase MiniWeb server multiple DoS
                vulnerabilities
    {02.08.015} Cross - Update {02.07.026}: GNUJSP servlet multiple
                vulnerabilities
    {02.08.017} Cross - Avenger's News System CGI command execution
    {02.08.022} Cross - pforum CGI user name CSS
    {02.08.023} Cross - OpenBB CGI img tag CSS vulnerability
    {02.08.027} Cross - XMB CGI img tag CSS vulnerability
    {02.08.028} Cross - CHAP weaknesses
    {02.08.029} Cross - Greymatter CGI authentication information exposure
    {02.08.031} Cross - ScriptEase comment2.jse file reading
    {02.08.034} Cross - PHP file upload vulnerabilities
    {02.08.035} Cross - mod_ssl session serializing overflow

    --- Windows News ---------------------------------------------------------

    *** {02.08.007} Win - Update {02.07.025}: MS SQL Server
                    OpenRowSet/OpenQuery() overflow

    Microsoft released patches, which fix the vulnerability discussed in
    {02.07.025} ("MS SQL Server OpenRowSet/OpenQuery() overflow").

    The full MS advisory can be seen at:
    http://www.microsoft.com/technet/security/bulletin/MS02-007.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q1/0036.html

    *** {02.08.008} Win - MS02-008: XMLHTTP control local file reading

    Microsoft released MS02-008 ("XMLHTTP control local file reading"). The
    MSXML IE ActiveX control allows a malicious Web site to read the
    contents of local files and potentially send them back to the Web site.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-008.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q1/0038.html

    *** {02.08.009} Win - MS02-009: Another IE cross-frame VBScript problem

    Microsoft released MS02-009 ("Another IE cross-frame VBScript
    problem"). Normally, VBScript from one site in a frame is disallowed
    from interacting with frames in other sites. However, a bug allows
    a malicious Web site to tamper with other framed content, thereby
    allowing a malicious Web site to read the contents of local files.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-009.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q1/0040.html

    *** {02.08.010} Win - MS02-010: Commerce Server 2000 AuthFilter ISAPI
                    buffer overflow

    Microsoft released MS02-010 ("Commerce Server 2000 AuthFilter ISAPI
    buffer overflow"). The AuthFilter ISAPI filter contains a remotely
    exploitable buffer overflow in its handling of certain authentication
    information, which could lead to the execution of arbitrary code.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-010.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q1/0039.html

    *** {02.08.011} Win - Essentia Web server file retrieval and DoS

    The Essentia Web server from www.essencomp.com contains two
    vulnerabilities: access to files outside the Web root by using '..' URL
    requests and a denial of service in handling large URL requests.

    The vendor confirmed both these vulnerabilities and released an update,
    which is available at:
    http://www.essencomp.com/Products/Essentia/Essentia.exe

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0051.html

    *** {02.08.016} Win - AdMentor CGI authentication SQL tampering

    The AdMentor ASP CGI is vulnerable to SQL tampering while handling
    user authentication information, thereby allowing a remote attacker
    to gain administrative access to the CGI suite.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0227.html
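
    The class of bug described above, as an added example that is not
    AdMentor's code: an authentication query assembled by string
    concatenation next to its parameterised replacement, both run against
    an in-memory SQLite table constructed for the demonstration (the
    'admin' account and its password are invented).

```python
"""Added example (not AdMentor code): SQL tampering of a login query and
the parameterised form that prevents it. The admin table is constructed
for the demonstration."""
import sqlite3


def make_db():
    """Build a throwaway admin table; the account is invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into the SQL text, so quotes and comment
    markers in the input become part of the statement."""
    sql = ("SELECT username FROM admins WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Binds the values as parameters: the driver never lets them alter the
    statement's structure. (A real deployment would also store and compare
    a salted password hash rather than the cleartext password.)"""
    sql = "SELECT username FROM admins WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# The payload: the leading quote closes the username literal, OR 1=1 makes
# the WHERE clause true for every row, and '--' comments out the password
# comparison entirely.
PAYLOAD_USERNAME = "' OR 1=1--"


def demo():
    conn = make_db()
    return {
        "vulnerable_with_payload": login_vulnerable(conn, PAYLOAD_USERNAME, "anything"),
        "safe_with_payload": login_safe(conn, PAYLOAD_USERNAME, "anything"),
        "safe_with_real_password": login_safe(conn, "admin", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

    Against the vulnerable function the payload logs in as 'admin' without
    any password; against the parameterised one the same input is just a
    user name that matches nothing.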

    *** {02.08.019} Win - Netwin WebNews CGI backdoor accounts

    Netwin WebNews CGI suite version 1.1k has four hard-coded accounts
    embedded into the application. This would allow an attacker to access
    the application without proper authentication information.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0234.html

    *** {02.08.020} Win - LilHTTP server protected file access

    Sumitcn.com's LilHTTP Web server version 2.1 allows a remote attacker
    to bypass any configuration file/folder protection.

    This vulnerability has not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0051.html

    *** {02.08.021} Win - Gator GAIN installer remote setup.ex_ execution

    The Gator GAIN plugin for Internet Explorer allows a remote Web site
    to execute arbitrary applications downloaded from the Web that bear
    the name 'setup.ex_'.

    This vulnerability has not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0050.html

    *** {02.08.025} Win - Norton AV LiveUpdate authentication information
                    in registry

    The LiveUpdate application shipped with Norton AntiVirus stores the
    user's user name and password in the registry in clear text, which
    allows for easy recovery by an attacker who has access to the machine
    (either local or remote access to the registry).

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0276.html

    *** {02.08.026} Win - BadBlue file sharing CSS and file retrieval

    The BadBlue file sharing engine prior to version 1.6.1, which is
    reused in various products (like Deerfield's D2Gfx) is vulnerable
    to cross-site scripting as well as a file retrieval via the usual
    '..' URL request notation.

    The vendor confirmed these vulnerabilities and released version 1.6.1.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0287.html
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0286.html

    *** {02.08.032} Win - CNet catchup RVP template trojan execution

    CNet's catchup application prior to version 1.3.1 allows trojan RVP
    files to execute arbitrary programs on the user's system.

    The vendor confirmed this vulnerability and released version 1.3.1.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0243.html

    --- Linux News -----------------------------------------------------------

    *** {02.08.006} Linux - Update {02.06.011}: Multiple vendor SNMP
                    problems

    Caldera released updated ucd-snmp packages, which fix the vulnerability
    discussed in {02.06.011} ("Multiple vendor SNMP problems").

    Updated Caldera RPMs:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0012.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0012.html

    *** {02.08.018} Linux - Update {02.07.031}: ncurses large window
                    overflow

    RedHat released updated ncurses packages, which fix the vulnerability
    discussed in {02.07.031} ("ncurses large window overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0077.html

    Source: RedHat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0077.html

    *** {02.08.024} Linux - Update {02.07.004}: CUPS attribute name buffer
                    overflow

    SuSE released updated cups packages, which fix the vulnerability
    discussed in {02.07.004} ("CUPS attribute name buffer overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/suse/2002-q1/1320.html

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2002-q1/1320.html

    --- AIX News -------------------------------------------------------------

    *** {02.08.001} AIX - diagnostics library DIAGNOSTICS environment
                    variable overflow

    IBM released APAR IY27740, which fixes a buffer overflow in the
    handling of the DIAGNOSTICS environment variable used by various
    diagnostic libraries. It appears that a local attacker could execute
    arbitrary code with elevated privileges.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2002-q1/0005.html

    *** {02.08.002} AIX - Obscure cu overflow

    IBM released APAR IY27773, which fixes an overflow in the /usr/bin/cu
    utility. Further details were not given, but it was flagged as a
    security problem.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2002-q1/0005.html

    *** {02.08.003} AIX - Obscure lscfg overflow

    IBM released APAR IY27855, which indicates a buffer overflow in lscfg's
    handling of input strings. More details were not made available.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2002-q1/0005.html

    *** {02.08.004} AIX - Login cannot handle 100+ environment variables

    IBM released APAR IY27778, which fixes a bug in the login program
    that causes it to crash when a remote user provides more than 99
    environment variables. The fix has been flagged as a security problem,
    but actual security implications (beyond a possible denial of service)
    were not specified.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2002-q1/0005.html

    *** {02.08.005} AIX - vague AIX 'security issue'

    IBM released APAR IY28225, which fixes a 'security issue.' If you're
    wondering what that entails, then join the club.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2002-q1/0005.html

    --- NetWare News ---------------------------------------------------------

    *** {02.08.033} NW - Groupwise authentication bypass

    A configuration bug surfaced in how GroupWise 6 authenticates users
    against the LDAP database. Basically, under certain configurations,
    a user can log in without supplying a password (the LDAP server sees
    this as an anonymous LDAP connection and GroupWise mistakes it for
    a successful user authentication).

    Novell confirmed this problem and released both workarounds and field
    patches. More information is available at the reference URL below.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0223.html
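
    The failure mode described above, as an added example that is not
    GroupWise or Novell code and uses no real LDAP library: a stand-in
    directory that answers simple binds the way RFC 4513 section 5.1
    describes (empty DN and password is an anonymous bind; a DN with an
    empty password is an 'unauthenticated' bind that many servers also
    answer with success), an application that mistakes any bind success
    for a login, and the corrected check. The user entry, DN and password
    are constructed; the 'allow_unauthenticated' switch is an assumption
    standing in for whatever server-side setting a given directory offers.

```python
"""Added example (simulated; not GroupWise, Novell or any LDAP library):
a successful LDAP simple bind is not proof of identity when the password
is empty. The directory and its entries are constructed for the example."""

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49
LDAP_UNWILLING_TO_PERFORM = 53


class FakeDirectory:
    """Models simple-bind handling per RFC 4513 section 5.1: empty DN plus
    empty password is an anonymous bind, a non-empty DN plus empty password
    is an 'unauthenticated' bind, and a server that permits the latter
    returns success without checking anything at all."""

    def __init__(self, users, allow_unauthenticated=True):
        self.users = users  # dn -> password; constructed test data
        self.allow_unauthenticated = allow_unauthenticated  # assumed switch

    def simple_bind(self, dn, password):
        if dn == "" and password == "":
            return LDAP_SUCCESS  # anonymous: fine for lookups, never a login
        if password == "":
            if self.allow_unauthenticated:
                return LDAP_SUCCESS  # the dangerous case: success, no check
            return LDAP_UNWILLING_TO_PERFORM
        if self.users.get(dn) == password:
            return LDAP_SUCCESS
        return LDAP_INVALID_CREDENTIALS


def app_login_naive(directory, dn, password):
    """Treats any bind that returns success as an authenticated user."""
    return directory.simple_bind(dn, password) == LDAP_SUCCESS


def app_login_fixed(directory, dn, password):
    """Refuses to turn an anonymous or unauthenticated bind into a login:
    both DN and password must be non-empty before the bind is attempted."""
    if not dn or not password:
        return False
    return directory.simple_bind(dn, password) == LDAP_SUCCESS


USERS = {"cn=alice,o=example": "s3cret-example"}  # constructed entry


def demo():
    permissive = FakeDirectory(USERS)
    hardened = FakeDirectory(USERS, allow_unauthenticated=False)
    dn = "cn=alice,o=example"
    return {
        "naive_empty_password": app_login_naive(permissive, dn, ""),
        "fixed_empty_password": app_login_fixed(permissive, dn, ""),
        "fixed_real_password": app_login_fixed(permissive, dn, "s3cret-example"),
        "naive_against_hardened_server": app_login_naive(hardened, dn, ""),
    }


if __name__ == "__main__":
    print(demo())
```

    Both halves matter: the application must never send an empty password
    as a login attempt, and the directory should refuse unauthenticated
    binds where it can, so that a second application with the same mistake
    does not reopen the hole.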

    --- SCO News -------------------------------------------------------------

    *** {02.08.013} SCO - Webtop CGIs allow root access

    The setuid Webtop CGIs included with UnixWare 7.1.1 and Open Unix
    8.0 allow an attacker to execute commands with root privileges.

    Caldera/SCO confirmed this problem and released updated binaries,
    which are available at:
    ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.6/

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0013.html

    --- Other News -----------------------------------------------------------

    *** {02.08.030} Other - OpenVMS ACMS process privilege vulnerability

    Compaq released a patch for ACMS versions 4.3 and 4.4 running on
    OpenVMS Alpha versions 7.2 or 7.3. Beyond stating that OpenVMS
    insecurely utilizes ACMS' process privileges, specific details of
    the problem were not included.

    Full patch information is available at the reference URL below.

    Source: Compaq
    http://archives.neohapsis.com/archives/compaq/2002-q1/0078.html

    --- Cross-Platform News --------------------------------------------------

    *** {02.08.012} Cross - Squid multiple vulnerabilities

    The squid caching proxy contains three vulnerabilities: a memory leak
    in the SNMP code, which can lead to a denial of service; a buffer
    overflow in the handling of FTP URLs, which can lead to a denial of
    service; and the HTCP listener remaining active even when HTCP is
    disabled in the configuration file.

    Updated source tarballs:
    http://www.squid-cache.org/Versions/v2/2.4/

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0080.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0301.html

    Updated Trustix RPMs:

    Source: Mandrake, Redhat, Trustix, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0080.html
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0301.html
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0251.html
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0257.html

    *** {02.08.014} Cross - ScriptEase MiniWeb server multiple DoS
                    vulnerabilities

    The ScriptEase MiniWeb server version 0.95 is vulnerable to four
    separate DoS attacks, all of which involve different malformed URL
    requests sent to the server.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0216.html

    *** {02.08.015} Cross - Update {02.07.026}: GNUJSP servlet multiple
                    vulnerabilities

    Debian released updated gnujsp packages, which fix the vulnerability
    discussed in {02.07.026} ("GNUJSP servlet multiple vulnerabilities").

    Updated DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2002-q1/0037.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q1/0037.html

    *** {02.08.017} Cross - Avenger's News System CGI command execution

    Avenger's News System CGI does not properly filter the 'p' URL
    parameter, thereby allowing a remote attacker to execute arbitrary
    command line commands under the Web server's privileges.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0229.html

    *** {02.08.022} Cross - pforum CGI user name CSS

    The pforum CGI suite version 1.14 does not properly filter the user
    name URL parameter, thereby allowing for a cross-site scripting attack.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0260.html

    *** {02.08.023} Cross - OpenBB CGI img tag CSS vulnerability

    The OpenBB CGI suite version 1.0 allows a user to embed arbitrary
    JavaScript in an img tag, which makes it possible to perform a
    cross-site scripting attack against users who view the particular
    trojaned message.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0272.html

    *** {02.08.027} Cross - XMB CGI img tag CSS vulnerability

    The XMB CGI forum suite version 1.6 allows a user to embed arbitrary
    JavaScript in an img tag, which makes it possible to perform a
    cross-site scripting attack against users who view the particular
    trojaned message.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0266.html
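
    The img-tag problem in {02.08.023} and {02.08.027} (and the unfiltered
    user name of {02.08.022}, which is the same missing output encoding),
    as an added example that is not pforum, OpenBB or XMB code: a minimal
    BBCode [img] renderer in the vulnerable form and in a hardened form
    that restricts the URL scheme and escapes the attribute value. The
    tag syntax, function names and payloads are constructed for the
    demonstration.

```python
"""Added example (not pforum, OpenBB or XMB code): a BBCode [img] renderer
that lets user-supplied JavaScript into the page, beside a hardened one.
Payloads are constructed for the demonstration."""
import html
import re
from urllib.parse import urlsplit

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def render_img_vulnerable(text):
    """Copies the user's URL straight into the src attribute, so a
    javascript: URL, or a quote that closes the attribute and adds an
    event handler, runs script in every reader's browser."""
    return IMG_TAG.sub(lambda m: '<img src="' + m.group(1) + '">', text)


def _safe_src(url):
    """Return an attribute-safe src for absolute http(s) URLs, else None."""
    # Strip ASCII control characters first: browsers of the era ignored
    # them inside the scheme, so "java\tscript:" still ran as javascript:.
    cleaned = "".join(c for c in url.strip() if ord(c) >= 0x20)
    if urlsplit(cleaned).scheme.lower() not in ("http", "https"):
        return None  # rejects javascript:, vbscript:, data: and relative paths
    # Escape quotes and angle brackets so the URL cannot end the attribute.
    return html.escape(cleaned, quote=True)


def render_img_safe(text):
    """Hardened renderer: scheme allow-list plus attribute escaping."""
    def repl(m):
        src = _safe_src(m.group(1))
        if src is None:
            return html.escape(m.group(0))  # show the rejected tag as text
        return '<img src="' + src + '" alt="">'
    return IMG_TAG.sub(repl, text)


def demo():
    script_url = "[img]javascript:alert(document.cookie)[/img]"
    breakout = '[img]http://example.com/a.gif" onerror="alert(1)[/img]'
    return {
        "vulnerable_script_url": render_img_vulnerable(script_url),
        "safe_script_url": render_img_safe(script_url),
        "vulnerable_breakout": render_img_vulnerable(breakout),
        "safe_breakout": render_img_safe(breakout),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

    Two independent checks are needed: the scheme allow-list stops
    javascript: and similar URLs, and the escaping stops a quote in an
    otherwise acceptable http URL from closing the attribute and adding
    an onerror handler.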

    *** {02.08.028} Cross - CHAP weaknesses

    A published analysis paper indicates various weaknesses in the CHAP
    authentication protocol typically used in PPP/PPTP connections.

    The paper is available at:
    http://stealth.7350.org/chap.pdf

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0052.html
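
    The newsletter does not summarise the paper's findings, so this added
    example demonstrates one weakness that follows directly from CHAP's
    design in RFC 1994 (the MD5 response is computed over the shared
    secret itself, so a single passively captured challenge/response pair
    supports an offline dictionary attack); it is not taken from the paper
    and may not be the weakness it discusses. The secret, identifier,
    challenge and word list are constructed for the demonstration.

```python
"""Added example, not taken from the referenced paper: the RFC 1994 CHAP
response computation and the offline dictionary attack a passive observer
can run against one captured challenge/response pair. All values below
are constructed for the demonstration."""
import hashlib


def chap_response(identifier, secret, challenge):
    """RFC 1994 section 4.1: Response = MD5(Identifier || Secret || Challenge).
    The shared secret enters the hash directly, so anyone holding the
    challenge and response can test candidate secrets offline."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def authenticator_check(identifier, secret, challenge, response):
    """What the PPP authenticator does when the Response packet arrives."""
    return chap_response(identifier, secret, challenge) == response


def offline_dictionary_attack(identifier, challenge, response, candidates):
    """Passive attacker: no packets sent to either peer, one MD5 per guess."""
    for cand in candidates:
        if chap_response(identifier, cand, challenge) == response:
            return cand
    return None


# Constructed 'capture': stands in for the Identifier, Value and Response
# fields a sniffer on the PPP link (or inside a PPTP GRE tunnel) would see.
CAPTURED_ID = 0x2A
CAPTURED_CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
_SECRET_ON_THE_PEER = b"letmein1"  # what the attacker is trying to recover
CAPTURED_RESPONSE = chap_response(CAPTURED_ID, _SECRET_ON_THE_PEER,
                                  CAPTURED_CHALLENGE)

# Constructed word list; a real attack would use a large dictionary.
WORDLIST = [b"password", b"123456", b"letmein", b"qwerty", b"letmein1"]


def demo():
    """Recover the secret from the capture alone."""
    return offline_dictionary_attack(CAPTURED_ID, CAPTURED_CHALLENGE,
                                     CAPTURED_RESPONSE, WORDLIST)


if __name__ == "__main__":
    print(demo())
```

    The practical consequence is that CHAP secrets on a link an attacker
    can observe must be long and random enough to resist offline guessing;
    nothing in the protocol slows the attacker down.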

    *** {02.08.029} Cross - Greymatter CGI authentication information
                    exposure

    Greymatter CGI suite versions 1.21c and prior allow a remote
    attacker to recover user authentication information that is stored
    in HTTP-accessible temporary files.

    This vulnerability has not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0053.html

    *** {02.08.031} Cross - ScriptEase comment2.jse file reading

    The comment2.jse sample script shipped with Nombas ScriptEase allows
    a remote attacker to read arbitrary files on the system by using
    '..' notation in URL parameters.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0270.html
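
    The '..' problem shared by {02.08.011}, {02.08.026} and {02.08.031},
    as an added example that is not code from Essentia, BadBlue or
    ScriptEase: a request path (or, for the comment2.jse case, a URL
    parameter naming a file) mapped onto a document root, first the naive
    way and then with the checks that stop the escape. The document root
    and request paths are constructed for the demonstration.

```python
"""Added example (not Essentia, BadBlue or ScriptEase code): mapping a
request path onto a document root, naively and then with '..' handling.
The document root and the request paths are constructed for the example."""
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www/html"  # assumed document root


def unsafe_resolve(webroot, url_path):
    """Naive join-and-normalise: '..' segments walk out of the root."""
    return posixpath.normpath(posixpath.join(webroot, url_path.lstrip("/")))


def safe_resolve(webroot, url_path):
    """Return the filesystem path for url_path, or None if it must be refused."""
    decoded = unquote(url_path)          # decode exactly once (%2e%2e -> ..)
    if "\x00" in decoded:
        return None                      # NUL would truncate a C string path
    # Backslash is a separator on the Windows servers in this issue.
    segments = decoded.replace("\\", "/").split("/")
    clean = []
    for seg in segments:
        if seg in ("", "."):
            continue                     # empty and '.' segments are no-ops
        if seg == "..":
            return None                  # refuse any parent reference outright
        clean.append(seg)
    root = posixpath.normpath(webroot)
    candidate = posixpath.join(root, *clean)
    # Defence in depth: confirm containment even after the segment filter.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def demo():
    attack = "/../../../etc/passwd"
    return {
        "unsafe": unsafe_resolve(WEBROOT, attack),
        "safe": safe_resolve(WEBROOT, attack),
        "encoded": safe_resolve(WEBROOT, "/%2e%2e/%2e%2e/%2e%2e/etc/passwd"),
        "backslash": safe_resolve(WEBROOT, "/docs\\..\\..\\..\\boot.ini"),
        "normal": safe_resolve(WEBROOT, "/docs/index.html"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

    Rejecting every '..' segment is stricter than normalising and then
    checking the prefix, but it is the choice that does not depend on the
    normalisation code being correct; the prefix check remains as a second
    line of defence.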

    *** {02.08.034} Cross - PHP file upload vulnerabilities

    PHP versions 3.x and 4.x prior to version 4.1.2 contain various
    remotely exploitable buffer overflows in the file uploading functions.

    These vulnerabilities have been confirmed, and version 4.1.2 has
    been released.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0054.html

    *** {02.08.035} Cross - mod_ssl session serializing overflow

    The Apache mod_ssl module prior to version 2.8.7 contains a buffer
    overflow in the handling of SSL session data.

    Version 2.8.7 has been released, which is available at:
    http://www.modssl.org/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8fo8Y+LUG5KFpTkYRAgkOAJ0VP8T/xqeNodmSocp+sBz9l8OSfwCfe5Hi
    Vw4tR77ORr1n9zaQDpAR0Bc=
    =sNrf
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, or unsubscribe
    to this newsletter, please visit your new URL as described above. If
    you have any problems or questions, e-mail us at <consensus@nwc.com>.

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).