From: Network Computing and The SANS Institute (sans+ZZ46804860396475436@sans.org)
Date: Thu Mar 21 2002 - 13:51:43 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 011 (02.11)
Thursday, March 21, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
This issue is sponsored by Crossbeam Systems, developers of the
Crossbeam(TM) X40(TM)S, the first "open security" appliance, built for
today's most challenging network security needs. The X40S runs
complementary best-of-breed security applications, slashing your cost
of ownership. Visit our special Web site at
http://www.crossbeamsystems.com/reply/nwkcompnl.asp today!
----------------------------------------------------------------------
More vulnerabilities in third-party PHP-based applications were
reported this week. Among the wide range of applications affected
is the popular PHP-based forums package, PHPNuke. Details are in the
cross-platform section.
In other news, the team working on the Internet-Draft for a
"Responsible Vulnerability Disclosure Process" withdrew its document
from IETF consideration citing criticism received for not dealing
with a technical protocol. Whether the IETF is a proper forum for
this effort is debatable. However, we hope that this document finds
a suitable home and receives the attention it deserves. Responsible
disclosure practices are sorely needed in our industry, and without
a consensus amongst information security community members, we run
the risk of falling victim to misguided lawmakers.
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{02.11.008} Win - BitVise WinSSH connection exhaustion DoS
{02.11.020} Win - Update {02.10.010}: JavaScript.nu Xerver file
browsing and DoS
{02.11.022} Win - MS SQL Server stored procedure overflows
{02.11.019} Linux - Update {02.08.035}: mod_ssl session serializing
overflow
{02.11.021} Linux - Update {02.07.004}: CUPS attribute name buffer
overflow
{02.11.014} BSD - Update {02.10.007}: mod_frontpage fpexec overflow
{02.11.015} BSD - Update {02.09.010}: Cyrus SASL logging format string
vulnerability
{02.11.016} BSD - Update {02.02.041}: Gzip long file name potential
overflow
{02.11.017} BSD - Update {02.09.028}: KAME IPSEC IPv4 forwarding SPD
bypass
{02.11.018} SCO - Update {02.10.001}: OpenSSH channels off-by-one
vulnerability
{02.11.001} NApps - ZyWall10 spoofed ARP DoS
{02.11.002} Cross - Directory.php CGI command execution
{02.11.003} Cross - Phprojekt CGI filemanager module lib_path tampering
{02.11.004} Cross - rsync inherits group privileges in daemon mode
{02.11.005} Cross - Oblix NetPoint account lockout bypass
{02.11.006} Cross - phpBB2 CGI phpbb_root_path command execution
{02.11.007} Cross - PHPNuke/PostNuke account hijacking
{02.11.009} Cross - PHP Net Toolpack CGI command execution
{02.11.010} Cross - News-TNK and Board-TNK CGI CSS vulnerabilities
{02.11.011} Cross - BG Guestbook CGI CSS vulnerability
{02.11.012} Cross - Java Web Start JNLP access to restricted resources
{02.11.013} Cross - Update {02.10.014}: zlib double free decompression
bug
- --- Windows News -------------------------------------------------------
*** {02.11.008} Win - BitVise WinSSH connection exhaustion DoS
BitVise WinSSH versions prior to build 2002-03-16 are vulnerable to
a denial of service attack whereby a remote attacker can make many
incomplete connections to the SSH service and cause it to not accept
any other incoming connections.
This vulnerability is confirmed and fixed in build 2002-03-16.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0068.html
*** {02.11.020} Win - Update {02.10.010}: JavaScript.nu Xerver file
browsing and DoS
The vendor released an updated Xerver version, which fixes the
vulnerability discussed in {02.10.010} ("JavaScript.nu Xerver file
browsing and DoS").
Updates are available at:
http://www.JavaScript.nu/xerver/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0155.html
*** {02.11.022} Win - MS SQL Server stored procedure overflows
A released advisory indicates that several stored procedures included
with MS SQL Server versions 7 and 2000 contain buffer overflows that
could allow a malicious SQL query to execute arbitrary code on the
local SQL server system.
These vulnerabilities are not confirmed.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0839.html
- --- Linux News ---------------------------------------------------------
*** {02.11.019} Linux - Update {02.08.035}: mod_ssl session serializing
overflow
RedHat released updated secureWeb packages, which fix the vulnerability
discussed in {02.08.035} ("mod_ssl session serializing overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0116.html
Source: RedHat
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0116.html
*** {02.11.021} Linux - Update {02.07.004}: CUPS attribute name buffer
overflow
RedHat released updated CUPS packages, which fix the vulnerability
discussed in {02.07.004} ("CUPS attribute name buffer overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0114.html
Source: RedHat
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0114.html
- --- BSD News -----------------------------------------------------------
*** {02.11.014} BSD - Update {02.10.007}: mod_frontpage fpexec overflow
FreeBSD committed changes for the mod_frontpage port, which fix
the vulnerability discussed in {02.10.007} ("mod_frontpage fpexec
overflow").
The ports collection as of Feb. 5, 2002, contains the update.
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2002-03/0148.html
*** {02.11.015} BSD - Update {02.09.010}: Cyrus SASL logging format
string vulnerability
FreeBSD committed updated Cyrus/SASL ports, which fix the
vulnerability discussed in {02.09.010} ("Cyrus SASL logging format
string vulnerability").
The ports collection as of Dec. 9, 2001, contains the update.
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2002-03/0146.html
*** {02.11.016} BSD - Update {02.02.041}: Gzip long file name potential
overflow
NetBSD committed updated gzip binaries, which fix the vulnerability
discussed in {02.02.041} ("Gzip long file name potential overflow").
NetBSD-1.4, -1.5 and -current as of Jan. 16, 2002, contain the fixes.
Source: NetBSD
http://archives.neohapsis.com/archives/netbsd/2002-q1/0169.html
*** {02.11.017} BSD - Update {02.09.028}: KAME IPSEC IPv4 forwarding
SPD bypass
NetBSD committed updates, which fix the vulnerability discussed in
{02.09.028} ("KAME IPSEC IPv4 forwarding SPD bypass").
NetBSD-current as of Feb. 26, 2002, contains the fix.
Source: NetBSD
http://archives.neohapsis.com/archives/netbsd/2002-q1/0169.html
- --- SCO News -----------------------------------------------------------
*** {02.11.018} SCO - Update {02.10.001}: OpenSSH channels off-by-one
vulnerability
Caldera/SCO released updated SSH packages, which fix the vulnerability
discussed in {02.10.001} ("OpenSSH channels off-by-one vulnerability").
Updated binaries are available at:
ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.10/
ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.11/
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0018.html
- --- Network Appliances News --------------------------------------------
*** {02.11.001} NApps - ZyWall10 spoofed ARP DoS
ZyXEL's ZyWall10 home firewall device stops forwarding packets when
a particular malformed ARP request is received on the firewall
interface. The device requires a reboot and a reconfiguration to
restore it to working order.
The advisory indicates vendor confirmation; firmware released on
Jan. 10, 2002, fixes the problem.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0067.html
- --- Cross-Platform News ------------------------------------------------
*** {02.11.002} Cross - Directory.php CGI command execution
The directory.php CGI script by Marcus S. Xenakis allows a remote
attacker to execute arbitrary command-line commands by modifying the
'dir' URL parameter.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0131.html
*** {02.11.003} Cross - Phprojekt CGI filemanager module lib_path
tampering
PHProjekt version 3.1a contains a bug in the filemanger_forms.php
script that would allow an attacker to redefine the lib_path variable
and thus include arbitrary PHP scripts for execution.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0146.html
*** {02.11.004} Cross - rsync inherits group privileges in daemon mode
The rsync application does not properly drop group privileges when
it's run in daemon mode. Since rsync is typically started by root,
this could allow unauthorized file access.
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-03/0168.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-03/0168.html
*** {02.11.005} Cross - Oblix NetPoint account lockout bypass
Oblix NetPoint versions prior to 5.2 do not properly lock out
an account after the account has gone through an initial lockout
period. This allows an attacker to mount a brute-force attack against
the account in an attempt to find the correct password even if lockout
is enabled.
This vulnerability is confirmed and fixed in version 5.2.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0176.html
*** {02.11.006} Cross - phpBB2 CGI phpbb_root_path command execution
The phpBB2 CGI version 2.0 allows a remote attacker to execute
arbitrary commands by tampering with the phpbb_root_path URL parameter.
This vulnerability is confirmed. A fix is available at:
http://phpbb.sourceforge.net/phpBB2/viewtopic.php?t=9105
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0229.html
http://archives.neohapsis.com/archives/bugtraq/2002-03/0221.html
*** {02.11.007} Cross - PHPNuke/PostNuke account hijacking
The PHPNuke and PostNuke CGI suites allow remote attackers to hijack
accounts by submitting a particular malformed cookie to the article.php
script. This results in SQL tampering.
This vulnerability is confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0199.html
*** {02.11.009} Cross - PHP Net Toolpack CGI command execution
The PHP Net Toolpack CGI suite version 0.1 does not properly filter
incoming user data before passing it to a command shell, thereby
allowing a remote attacker to execute arbitrary command-line commands
under the Web server's privileges.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0200.html
*** {02.11.010} Cross - News-TNK and Board-TNK CGI CSS vulnerabilities
The News-TNK CGI suite version 1.2.1 and the Board-TNK CGI suite
version 1.3.0 are vulnerable to cross-site scripting in the 'Web'
parameter. This could allow an attacker to embed malicious JavaScript
into news items.
These vulnerabilities are confirmed and fixed in News-TNK version
1.2.2 and Board-TNK version 1.3.1.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0206.html
http://archives.neohapsis.com/archives/bugtraq/2002-03/0209.html
*** {02.11.011} Cross - BG Guestbook CGI CSS vulnerability
BG Guestbook CGI version 1.0 is vulnerable to cross-site scripting
attacks in most of the URL parameters.
This vulnerability is confirmed and fixed in version 1.1.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0207.html
*** {02.11.012} Cross - Java Web Start JNLP access to restricted
resources
A bug in versions of Java Web Start suite prior to 1.0.1_02 allows
an unsigned applet to use JNLP to access restricted resources.
This vulnerability is confirmed.
Updated Sun Solaris package is available at:
http://java.sun.com/products/javawebstart/index.html
Updated HP, HP-UX packages are available at:
http://www.hp.com/go/java
Source: HP, Sun (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-03/0217.html
http://archives.neohapsis.com/archives/hp/2002-q1/0084.html
*** {02.11.013} Cross - Update {02.10.014}: zlib double free
decompression bug
Multiple vendors released updated zlib libraries, which fix the
vulnerability discussed in {02.10.014} ("zlib double free decompression
bug").
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-03/0127.html
http://archives.neohapsis.com/archives/bugtraq/2002-03/0157.html
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0115.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0024.html
Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-03/0203.html
FreeBSD branches as of Feb. 22, 2002, contain an updated version.
Source: RedHat, Conectiva, Trustix, FreeBSD, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-03/0127.html
http://archives.neohapsis.com/archives/bugtraq/2002-03/0157.html
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0115.html
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0024.html
http://archives.neohapsis.com/archives/bugtraq/2002-03/0203.html
http://archives.neohapsis.com/archives/freebsd/2002-03/0248.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE8mjgb+LUG5KFpTkYRAjA+AKCcmLvn68KKcxNHCOe7V4HvLea+RACfdbis
rm792PchY4aH8yH9UyZ5u4c=
=mict
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).