From: Network Computing and The SANS Institute (sans+ZZ90303768192504379@sans.org)
Date: Thu Feb 28 2002 - 14:20:24 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 008 (02.08)
Thursday, February 28, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
RSA Conference 2002 Report: On-Site Report
What's bad about the RSA security conference this year? So many
interesting sessions are packed into such a short amount of time that
it's hard to decide which one to attend.
Day One: http://www.nwc.com/1304/1304colfratto_rsa.html
Day Two: http://www.nwc.com/1304/1304colfratto_rsa2.html
----------------------------------------------------------------------
This week has definitely been 'rumor central' on the Vuln-Dev
mailing list. While we don't normally like to perpetuate rumors,
there are enough of them that their validity could potentially be
true. Because of this possibility, we decided we should at least
alert you to potential problems so you can be on the lookout.
First, there was the rumor of a vulnerability in PHP's handling of
file uploads, which has been confirmed (and reported in this issue as
{02.08.034}). Then there was the rumor of a bug in the processing of
client certificates in mod_ssl prior to 2.8.7, which also has been
confirmed (and reported in this issue as {02.08.035}). And finally,
there was a claim of problems in qmail, bind9, Apache and various
SSH agents.
http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0660.html
http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0665.html
http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0678.html
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{02.08.007} Win - Update {02.07.025}: MS SQL Server
OpenRowSet/OpenQuery() overflow
{02.08.008} Win - MS02-008: XMLHTTP control local file reading
{02.08.009} Win - MS02-009: Another IE cross-frame VBScript problem
{02.08.010} Win - MS02-010: Commerce Server 2000 AuthFilter ISAPI
buffer overflow
{02.08.011} Win - Essentia Web server file retrieval and DoS
{02.08.016} Win - AdMentor CGI authentication SQL tampering
{02.08.019} Win - Netwin WebNews CGI backdoor accounts
{02.08.020} Win - LilHTTP server protected file access
{02.08.021} Win - Gator GAIN installer remote setup.ex_ execution
{02.08.025} Win - Norton AV LiveUpdate authentication information in
registry
{02.08.026} Win - BadBlue file sharing CSS and file retrieval
{02.08.032} Win - CNet catchup RVP template trojan execution
{02.08.006} Linux - Update {02.06.011}: Multiple vendor SNMP problems
{02.08.018} Linux - Update {02.07.031}: ncurses large window overflow
{02.08.024} Linux - Update {02.07.004}: CUPS attribute name buffer
overflow
{02.08.001} AIX - diagnostics library DIAGNOSTICS environment variable
overflow
{02.08.002} AIX - Obscure cu overflow
{02.08.003} AIX - Obscure lscfg overflow
{02.08.004} AIX - Login cannot handle 100+ environment variables
{02.08.005} AIX - vague AIX 'security issue'
{02.08.033} NW - Groupwise authentication bypass
{02.08.013} SCO - Webtop CGIs allow root access
{02.08.030} Other - OpenVMS ACMS process privilege vulnerability
{02.08.012} Cross - Squid multiple vulnerabilities
{02.08.014} Cross - ScriptEase MiniWeb server multiple DoS
vulnerabilities
{02.08.015} Cross - Update {02.07.026}: GNUJSP servlet multiple
vulnerabilities
{02.08.017} Cross - Avenger's News System CGI command execution
{02.08.022} Cross - pforum CGI user name CSS
{02.08.023} Cross - OpenBB CGI img tag CSS vulnerability
{02.08.027} Cross - XMB CGI img tag CSS vulnerability
{02.08.028} Cross - CHAP weaknesses
{02.08.029} Cross - Greymatter CGI authentication information exposure
{02.08.031} Cross - ScriptEase comment2.jse file reading
{02.08.034} Cross - PHP file upload vulnerabilities
{02.08.035} Cross - mod_ssl session serializing overflow
- --- Windows News -------------------------------------------------------
*** {02.08.007} Win - Update {02.07.025}: MS SQL Server
OpenRowSet/OpenQuery() overflow
Microsoft released patches, which fix the vulnerability discussed in
{02.07.025} ("MS SQL Server OpenRowSet/OpenQuery() overflow").
The full MS advisory can be seen at:
http://www.microsoft.com/technet/security/bulletin/MS02-007.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q1/0036.html
*** {02.08.008} Win - MS02-008: XMLHTTP control local file reading
Microsoft released MS02-008 ("XMLHTTP control local file reading"). The
MSXML IE ActiveX control allows a malicious Web site to read the
contents of local files and potentially send them back to the Web site.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-008.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q1/0038.html
*** {02.08.009} Win - MS02-009: Another IE cross-frame VBScript problem
Microsoft released MS02-009 ("Another IE cross-frame VBScript
problem"). Normally, VBScript from one site in a frame is disallowed
from interacting with frames in other sites. However, a bug allows
a malicious Web site to tamper with other framed content, thereby
allowing a malicious Web site to read the contents of local files.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-009.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q1/0040.html
*** {02.08.010} Win - MS02-010: Commerce Server 2000 AuthFilter ISAPI
buffer overflow
Microsoft released MS02-010 ("Commerce Server 2000 AuthFilter ISAPI
buffer overflow"). The AuthFilter ISAPI contains a remotely exploitable
buffer overflow in its handling of certain authentication information,
which could lead to the execution of arbitrary code.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-010.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q1/0039.html
*** {02.08.011} Win - Essentia Web server file retrieval and DoS
The Essentia Web server from www.essencomp.com contains two
vulnerabilities: access to files outside the Web root by using '..' URL
requests and a denial of service in handling large URL requests.
The vendor confirmed both these vulnerabilities and released an update,
which is available at:
http://www.essencomp.com/Products/Essentia/Essentia.exe
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0051.html
*** {02.08.016} Win - AdMentor CGI authentication SQL tampering
The AdMentor ASP CGI is vulnerable to SQL tampering while handling
user authentication information, thereby allowing a remote attacker
to gain administrative access to the CGI suite.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0227.html
*** {02.08.019} Win - Netwin WebNews CGI backdoor accounts
Netwin WebNews CGI suite version 1.1k has four hard-coded accounts
embedded into the application. This would allow an attacker to access
the application without proper authentication information.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0234.html
*** {02.08.020} Win - LilHTTP server protected file access
Sumitcn.com's LilHTTP Web server version 2.1 allows a remote attacker
to bypass any configuration file/folder protection.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0051.html
*** {02.08.021} Win - Gator GAIN installer remote setup.ex_ execution
The Gator GAIN plugin for Internet Explorer allows a remote Web site
to execute arbitrary applications downloaded from the Web that bear
the name 'setup.ex_'.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0050.html
*** {02.08.025} Win - Norton AV LiveUpdate authentication information
in registry
The LiveUpdate application shipped with Norton AntiVirus stores the
user's user name and password in the registry in clear text, which
allows for easy recovery by an attacker who has access to the machine
(either local or remote access to the registry).
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0276.html
*** {02.08.026} Win - BadBlue file sharing CSS and file retrieval
The BadBlue file sharing engine prior to version 1.6.1, which is
reused in various products (like Deerfield's D2Gfx) is vulnerable
to cross-site scripting as well as a file retrieval via the usual
'..' URL request notation.
The vendor confirmed these vulnerabilities and released version 1.6.1.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0287.html
http://archives.neohapsis.com/archives/bugtraq/2002-02/0286.html
*** {02.08.032} Win - CNet catchup RVP template trojan execution
CNet's catchup application prior to version 1.3.1 allows trojan RVP
files to execute arbitrary programs on the user's system.
The vendor confirmed this vulnerability and released version 1.3.1.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0243.html
- --- Linux News ---------------------------------------------------------
*** {02.08.006} Linux - Update {02.06.011}: Multiple vendor SNMP
problems
Caldera released updated ucd-snmp packages, which fix the vulnerability
discussed in {02.06.011} ("Multiple vendor SNMP problems").
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0012.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0012.html
*** {02.08.018} Linux - Update {02.07.031}: ncurses large window
overflow
RedHat released updated ncurses packages, which fix the vulnerability
discussed in {02.07.031} ("ncurses large window overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0077.html
Source: RedHat
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0077.html
*** {02.08.024} Linux - Update {02.07.004}: CUPS attribute name buffer
overflow
SuSE released updated cups packages, which fix the vulnerability
discussed in {02.07.004} ("CUPS attribute name buffer overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/suse/2002-q1/1320.html
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2002-q1/1320.html
- --- AIX News -----------------------------------------------------------
*** {02.08.001} AIX - diagnostics library DIAGNOSTICS environment
variable overflow
IBM released APAR IY27740, which fixes a buffer overflow in the
handling of the DIAGNOSTICS environment variable used by various
diagnostic libraries. It appears that a local attacker could execute
arbitrary code with elevated privileges.
Source: IBM
http://archives.neohapsis.com/archives/aix/2002-q1/0005.html
*** {02.08.002} AIX - Obscure cu overflow
IBM released APAR IY27773, which fixes an overflow in the /usr/bin/cu
utility. Further details were not given, but it was flagged as a
security problem.
Source: IBM
http://archives.neohapsis.com/archives/aix/2002-q1/0005.html
*** {02.08.003} AIX - Obscure lscfg overflow
IBM released APAR IY27855, which indicates a buffer overflow in lscfg's
handling of input strings. More details were not made available.
Source: IBM
http://archives.neohapsis.com/archives/aix/2002-q1/0005.html
*** {02.08.004} AIX - Login cannot handle 100+ environment variables
IBM released APAR IY27778, which fixes a bug in the login program
that causes it to crash when a remote user provides more than 99
environment variables. The fix has been flagged as a security problem,
but actual security implications (beyond a possible denial of service)
were not specified.
Source: IBM
http://archives.neohapsis.com/archives/aix/2002-q1/0005.html
*** {02.08.005} AIX - vague AIX 'security issue'
IBM released APAR IY28225, which fixes a 'security issue.' If you're
wondering what that entails, then join the club.
Source: IBM
http://archives.neohapsis.com/archives/aix/2002-q1/0005.html
- --- NetWare News -------------------------------------------------------
*** {02.08.033} NW - Groupwise authentication bypass
A configuration bug surfaced in how GroupWise 6 authenticates users
against the LDAP database. Basically, under certain configurations,
a user can log in without supplying a password (the LDAP server sees
this as an anonymous LDAP connection and GroupWise mistakes it for
a successful user authentication).
Novell confirmed this problem and released both workarounds and field
patches. More information is available at the reference URL below.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0223.html
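The GroupWise failure mode above (an empty password turns into an anonymous LDAP bind, which the application then treats as a successful login) is the classic LDAP "unauthenticated bind" pitfall. The following is an added example, not code from the newsletter or from Novell, with a constructed stand-in for the directory server; it shows the weak check beside the corrected one.

```python
from dataclasses import dataclass


@dataclass
class BindResult:
    success: bool
    identity: str  # "anonymous" or the DN that actually authenticated


class FakeLdapServer:
    """Constructed stand-in for an LDAP directory (hypothetical, not a real client).

    Mirrors LDAP simple-bind semantics: a DN with an EMPTY password is an
    unauthenticated (anonymous) bind, which the server reports as success
    even though no user was authenticated.
    """

    def __init__(self, users: dict[str, str]) -> None:
        self.users = users  # DN -> password, constructed sample data

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if password == "":
            return BindResult(success=True, identity="anonymous")
        if self.users.get(dn) == password:
            return BindResult(success=True, identity=dn)
        return BindResult(success=False, identity="")


def login_weak(server: FakeLdapServer, dn: str, password: str) -> bool:
    # The flawed pattern: any successful bind is taken as proof of identity.
    return server.simple_bind(dn, password).success


def login_fixed(server: FakeLdapServer, dn: str, password: str) -> bool:
    # Refuse empty credentials before contacting the directory, then insist
    # that the identity the server bound is the DN the user claimed.
    if not dn or not password:
        return False
    result = server.simple_bind(dn, password)
    return result.success and result.identity == dn


if __name__ == "__main__":
    directory = FakeLdapServer({"cn=alice,o=example": "s3cret"})  # constructed
    print("weak, empty password :", login_weak(directory, "cn=alice,o=example", ""))
    print("fixed, empty password:", login_fixed(directory, "cn=alice,o=example", ""))
    print("fixed, right password:", login_fixed(directory, "cn=alice,o=example", "s3cret"))
```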
- --- SCO News -----------------------------------------------------------
*** {02.08.013} SCO - Webtop CGIs allow root access
The setuid Webtop CGIs included with UnixWare 7.1.1 and Open Unix
8.0 allow an attacker to execute commands with root privileges.
Caldera/SCO confirmed this problem and released updated binaries,
which are available at:
ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.6/
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0013.html
- --- Other News ---------------------------------------------------------
*** {02.08.030} Other - OpenVMS ACMS process privilege vulnerability
Compaq released a patch for ACMS versions 4.3 and 4.4 running on
OpenVMS Alpha versions 7.2 or 7.3. Beyond stating that OpenVMS
insecurely utilizes ACMS' process privileges, specific details of
the problem were not included.
Full patch information is available at the reference URL below.
Source: Compaq
http://archives.neohapsis.com/archives/compaq/2002-q1/0078.html
- --- Cross-Platform News ------------------------------------------------
*** {02.08.012} Cross - Squid multiple vulnerabilities
The squid caching proxy contains three vulnerabilities: a memory leak
in the SNMP code, which can lead to a denial of service; a buffer
overflow in the handling of FTP URLs, which can lead to a denial
of service; and HTCP continues to run even when it is disabled in the
configuration file.
Updated source tarballs:
http://www.squid-cache.org/Versions/v2/2.4/
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0080.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-02/0301.html
Updated Trustix RPMs:
Source: Mandrake, Redhat, Trustix, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0080.html
http://archives.neohapsis.com/archives/bugtraq/2002-02/0301.html
http://archives.neohapsis.com/archives/bugtraq/2002-02/0251.html
http://archives.neohapsis.com/archives/bugtraq/2002-02/0257.html
*** {02.08.014} Cross - ScriptEase MiniWeb server multiple DoS
vulnerabilities
The ScriptEase MiniWeb server version 0.95 is vulnerable to four
separate DoS attacks, all of which involve different malformed URL
requests sent to the server.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0216.html
*** {02.08.015} Cross - Update {02.07.026}: GNUJSP servlet multiple
vulnerabilities
Debian released updated gnujsp packages, which fix the vulnerability
discussed in {02.07.026} ("GNUJSP servlet multiple vulnerabilities").
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2002-q1/0037.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q1/0037.html
*** {02.08.017} Cross - Avenger's News System CGI command execution
Avenger's News System CGI does not properly filter the 'p' URL
parameter, thereby allowing a remote attacker to execute arbitrary
command line commands under the Web server's privileges.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0229.html
*** {02.08.022} Cross - pforum CGI user name CSS
The pforum CGI suite version 1.14 does not properly filter the user
name URL parameter, thereby allowing for a cross-site scripting attack.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0260.html
*** {02.08.023} Cross - OpenBB CGI img tag CSS vulnerability
The OpenBB CGI suite version 1.0 allows a user to embed arbitrary
JavaScript in an img tag, which makes it possible to perform a
cross-site scripting attack against users who view the particular
trojaned message.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0272.html
*** {02.08.027} Cross - XMB CGI img tag CSS vulnerability
The XMB CGI forum suite version 1.6 allows a user to embed arbitrary
JavaScript in an img tag, which makes it possible to perform a
cross-site scripting attack against users who view the particular
trojaned message.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0266.html
*** {02.08.028} Cross - CHAP weaknesses
A published analysis paper indicates various weaknesses in the CHAP
authentication protocol typically used in PPP/PPTP connections.
The paper is available at:
http://stealth.7350.org/chap.pdf
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0052.html
*** {02.08.029} Cross - Greymatter CGI authentication information
exposure
Greymatter CGI suite versions 1.21c and prior allow a remote
attacker to recover user authentication information that is stored
in HTTP-accessible temporary files.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0053.html
*** {02.08.031} Cross - ScriptEase comment2.jse file reading
The comment2.jse sample script shipped with Nombas ScriptEase allows
a remote attacker to read arbitrary files on the system by using
'..' notation in URL parameters.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0270.html
*** {02.08.034} Cross - PHP file upload vulnerabilities
PHP versions 3.x and 4.x prior to version 4.1.2 contain various
remotely exploitable buffer overflows in the file uploading functions.
These vulnerabilities have been confirmed, and version 4.1.2 has
been released.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0054.html
*** {02.08.035} Cross - mod_ssl session serializing overflow
The Apache mod_ssl module prior to version 2.8.7 contains a buffer
overflow in the handling of SSL session data.
Version 2.8.7 has been released, which is available at:
http://www.modssl.org/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html
************************************************************************
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
to this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).