From: Network Computing and The SANS Institute (sans+ZZ46804860396475436sans.org)
Date: Thu Mar 21 2002 - 13:51:43 CST



    Re: Your personalized newsletter

                      -- Security Alert Consensus --
                            Number 011 (02.11)
                         Thursday, March 21, 2002
                            Created for you by
                 Network Computing and the SANS Institute
                            Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    This issue is sponsored by Crossbeam Systems, developers of the
    Crossbeam(TM) X40(TM)S, the first "open security" appliance, built for
    today's most challenging network security needs. The X40S runs
    complementary best-of-breed security applications, slashing your cost
    of ownership. Visit our special Web site at
    http://www.crossbeamsystems.com/reply/nwkcompnl.asp today!

    ----------------------------------------------------------------------

    More vulnerabilities in third-party PHP-based applications were
    reported this week. Among the wide range of applications affected
    is the popular PHP-based forums package, PHPNuke. Details are in the
    cross-platform section.

    In other news, the team working on the Internet-Draft for a
    "Responsible Vulnerability Disclosure Process" withdrew its document
    from IETF consideration citing criticism received for not dealing
    with a technical protocol. Whether the IETF is a proper forum for
    this effort is debatable. However, we hope that this document finds
    a suitable home and receives the attention it deserves. Responsible
    disclosure practices are sorely needed in our industry, and without
    a consensus amongst information security community members, we run
    the risk of falling victim to misguided lawmakers.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.11.008} Win - BitVise WinSSH connection exhaustion DoS
    {02.11.020} Win - Update {02.10.010}: JavaScript.nu Xerver file
                browsing and DoS
    {02.11.022} Win - MS SQL Server stored procedure overflows
    {02.11.019} Linux - Update {02.08.035}: mod_ssl session serializing
                overflow
    {02.11.021} Linux - Update {02.07.004}: CUPS attribute name buffer
                overflow
    {02.11.014} BSD - Update {02.10.007}: mod_frontpage fpexec overflow
    {02.11.015} BSD - Update {02.09.010}: Cyrus SASL logging format string
                vulnerability
    {02.11.016} BSD - Update {02.02.041}: Gzip long file name potential
                overflow
    {02.11.017} BSD - Update {02.09.028}: KAME IPSEC IPv4 forwarding SPD
                bypass
    {02.11.018} SCO - Update {02.10.001}: OpenSSH channels off-by-one
                vulnerability
    {02.11.001} NApps - ZyWall10 spoofed ARP DoS
    {02.11.002} Cross - Directory.php CGI command execution
    {02.11.003} Cross - Phprojekt CGI filemanager module lib_path tampering
    {02.11.004} Cross - rsync inherits group privileges in daemon mode
    {02.11.005} Cross - Oblix NetPoint account lockout bypass
    {02.11.006} Cross - phpBB2 CGI phpbb_root_path command execution
    {02.11.007} Cross - PHPNuke/PostNuke account hijacking
    {02.11.009} Cross - PHP Net Toolpack CGI command execution
    {02.11.010} Cross - News-TNK and Board-TNK CGI CSS vulnerabilities
    {02.11.011} Cross - BG Guestbook CGI CSS vulnerability
    {02.11.012} Cross - Java Web Start JNLP access to restricted resources
    {02.11.013} Cross - Update {02.10.014}: zlib double free decompression
                bug

    --- Windows News -------------------------------------------------------

    *** {02.11.008} Win - BitVise WinSSH connection exhaustion DoS

    BitVise WinSSH versions prior to build 2002-03-16 are vulnerable to
    a denial of service attack whereby a remote attacker can make many
    incomplete connections to the SSH service and cause it to not accept
    any other incoming connections.

    This vulnerability is confirmed and fixed in build 2002-03-16.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0068.html

    *** {02.11.020} Win - Update {02.10.010}: JavaScript.nu Xerver file
                    browsing and DoS

    The vendor released an updated Xerver version, which fixes the
    vulnerability discussed in {02.10.010} ("JavaScript.nu Xerver file
    browsing and DoS").

    Updates are available at:
    http://www.JavaScript.nu/xerver/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0155.html

    *** {02.11.022} Win - MS SQL Server stored procedure overflows

    A released advisory indicates that several stored procedures included
    with MS SQL Server versions 7 and 2000 contain buffer overflows that
    could allow a malicious SQL query to execute arbitrary code on the
    local SQL server system.

    These vulnerabilities are not confirmed.

    Source: SecurityFocus Vuln-Dev
    http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0839.html

    --- Linux News ---------------------------------------------------------

    *** {02.11.019} Linux - Update {02.08.035}: mod_ssl session serializing
                    overflow

    RedHat released updated secureWeb packages, which fix the vulnerability
    discussed in {02.08.035} ("mod_ssl session serializing overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0116.html

    Source: RedHat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0116.html

    *** {02.11.021} Linux - Update {02.07.004}: CUPS attribute name buffer
                    overflow

    RedHat released updated CUPS packages, which fix the vulnerability
    discussed in {02.07.004} ("CUPS attribute name buffer overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0114.html

    Source: RedHat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0114.html

    --- BSD News -----------------------------------------------------------

    *** {02.11.014} BSD - Update {02.10.007}: mod_frontpage fpexec overflow

    FreeBSD committed changes for the mod_frontpage port, which fix
    the vulnerability discussed in {02.10.007} ("mod_frontpage fpexec
    overflow").

    The ports collection as of Feb. 5, 2002, contains the update.

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2002-03/0148.html

    *** {02.11.015} BSD - Update {02.09.010}: Cyrus SASL logging format
                    string vulnerability

    FreeBSD committed updated Cyrus/SASL ports, which fix the
    vulnerability discussed in {02.09.010} ("Cyrus SASL logging format
    string vulnerability").

    The ports collection as of Dec. 9, 2001, contains the update.

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2002-03/0146.html

    *** {02.11.016} BSD - Update {02.02.041}: Gzip long file name potential
                    overflow

    NetBSD committed updated gzip binaries, which fix the vulnerability
    discussed in {02.02.041} ("Gzip long file name potential overflow").

    NetBSD-1.4, -1.5 and -current as of Jan. 16, 2002, contain the fixes.

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2002-q1/0169.html

    *** {02.11.017} BSD - Update {02.09.028}: KAME IPSEC IPv4 forwarding
                    SPD bypass

    NetBSD committed updates, which fix the vulnerability discussed in
    {02.09.028} ("KAME IPSEC IPv4 forwarding SPD bypass").

    NetBSD-current as of Feb. 26, 2002, contains the fix.

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2002-q1/0169.html

    --- SCO News -----------------------------------------------------------

    *** {02.11.018} SCO - Update {02.10.001}: OpenSSH channels off-by-one
                    vulnerability

    Caldera/SCO released updated SSH packages, which fix the vulnerability
    discussed in {02.10.001} ("OpenSSH channels off-by-one vulnerability").

    Updated binaries are available at:
    ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.10/
    ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.11/

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0018.html

    --- Network Appliances News --------------------------------------------

    *** {02.11.001} NApps - ZyWall10 spoofed ARP DoS

    ZyXEL's ZyWall10 home firewall device stops forwarding packets when
    a particular malformed ARP request is received on the firewall
    interface. The device requires a reboot and a reconfiguration to
    restore it to working order.

    The advisory indicates vendor confirmation; firmware released on
    Jan. 10, 2002, fixes the problem.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0067.html

    --- Cross-Platform News ------------------------------------------------

    *** {02.11.002} Cross - Directory.php CGI command execution

    The directory.php CGI script by Marcus S. Xenakis allows a remote
    attacker to execute arbitrary command-line commands by modifying the
    'dir' URL parameter.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0131.html

    *** {02.11.003} Cross - Phprojekt CGI filemanager module lib_path
                    tampering

    PHProjekt version 3.1a contains a bug in the filemanager_forms.php
    script that would allow an attacker to redefine the lib_path variable
    and thus include arbitrary PHP scripts for execution.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0146.html

    *** {02.11.004} Cross - rsync inherits group privileges in daemon mode

    The rsync application does not properly drop group privileges when
    it's run in daemon mode. Since rsync is typically started by root,
    this could allow unauthorized file access.

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0168.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0168.html

    *** {02.11.005} Cross - Oblix NetPoint account lockout bypass

    Oblix NetPoint versions prior to 5.2 do not properly lock out
    an account after the account has gone through an initial lockout
    period. This allows an attacker to mount a brute-force attack against
    the account in an attempt to find the correct password even if lockout
    is enabled.

    This vulnerability is confirmed and fixed in version 5.2.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0176.html
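    The defect described above is a lockout whose counters reset once the first lockout period expires, so an attacker simply waits it out and resumes. The tracker below is an added example written for this entry, not Oblix code: the failure count survives expiry and each successive lockout lasts longer. The class name, thresholds and durations are assumptions made for the example.

```python
"""Account lockout that does not reset after the first lockout period.

Added example for the Oblix NetPoint entry above; this is not Oblix code.
The failure counter survives lockout expiry and lockouts escalate, so waiting
out the initial lockout does not hand an attacker a fresh set of attempts.
All names (LockoutPolicy, thresholds, durations) are assumptions.
"""
import time
from dataclasses import dataclass


@dataclass
class LoginState:
    failures: int = 0          # consecutive failed logins, kept across lockouts
    locked_until: float = 0.0  # clock value at which the current lockout ends
    lockouts: int = 0          # lockout periods served since the last success


class LockoutPolicy:
    """Per-account failed-login tracking with escalating, persistent lockout."""

    def __init__(self, threshold=5, base_lockout=60.0, max_lockout=3600.0,
                 clock=time.monotonic):
        self.threshold = threshold        # failures before the first lockout
        self.base_lockout = base_lockout  # seconds; doubles on each lockout
        self.max_lockout = max_lockout    # cap on the escalated duration
        self.clock = clock                # injectable for testing
        self.state = {}

    def _get(self, account):
        return self.state.setdefault(account, LoginState())

    def is_locked(self, account):
        return self.clock() < self._get(account).locked_until

    def remaining_lockout(self, account):
        """Seconds until the account unlocks (0.0 if it is not locked)."""
        return max(0.0, self._get(account).locked_until - self.clock())

    def record_failure(self, account):
        """Count a wrong password. Returns True if the account is locked afterwards."""
        st = self._get(account)
        if self.is_locked(account):
            return True  # attempts during a lockout are refused, not counted
        st.failures += 1
        if st.failures >= self.threshold:
            # The counter is deliberately NOT reset here. Once the threshold has
            # been crossed, the first failure after expiry re-locks the account,
            # for twice as long as before (up to max_lockout).
            duration = min(self.base_lockout * (2 ** st.lockouts), self.max_lockout)
            st.locked_until = self.clock() + duration
            st.lockouts += 1
            return True
        return False

    def record_success(self, account):
        """A correct password clears the counters, but only outside a lockout."""
        if self.is_locked(account):
            return False
        self.state[account] = LoginState()
        return True


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, base_lockout=60.0)
    for _ in range(3):
        policy.record_failure("demo")
    print("locked:", policy.is_locked("demo"),
          "seconds left:", round(policy.remaining_lockout("demo")))
```

    The `is_locked` check in `record_success` matters: a correct guess that arrives during a lockout is still refused, otherwise the lockout only slows the attacker rather than stopping the guess from being confirmed. The state here lives in memory; a real deployment keeps it in a store shared by all authentication front ends so the count cannot be evaded by switching servers.
    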

    *** {02.11.006} Cross - phpBB2 CGI phpbb_root_path command execution

    The phpBB2 CGI version 2.0 allows a remote attacker to execute
    arbitrary commands by tampering with the phpbb_root_path URL parameter.

    This vulnerability is confirmed. A fix is available at:
    http://phpbb.sourceforge.net/phpBB2/viewtopic.php?t=9105

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0229.html
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0221.html

    *** {02.11.007} Cross - PHPNuke/PostNuke account hijacking

    The PHPNuke and PostNuke CGI suites allow remote attackers to hijack
    accounts by submitting a particular malformed cookie to the article.php
    script. This results in SQL tampering.

    This vulnerability is confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0199.html

    *** {02.11.009} Cross - PHP Net Toolpack CGI command execution

    The PHP Net Toolpack CGI suite version 0.1 does not properly filter
    incoming user data before passing it to a command shell, thereby
    allowing a remote attacker to execute arbitrary command-line commands
    under the Web server's privileges.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0200.html

    *** {02.11.010} Cross - News-TNK and Board-TNK CGI CSS vulnerabilities

    The News-TNK CGI suite version 1.2.1 and the Board-TNK CGI suite
    version 1.3.0 are vulnerable to cross-site scripting in the 'Web'
    parameter. This could allow an attacker to embed malicious JavaScript
    into news items.

    These vulnerabilities are confirmed and fixed in News-TNK version
    1.2.2 and Board-TNK version 1.3.1.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0206.html
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0209.html

    *** {02.11.011} Cross - BG Guestbook CGI CSS vulnerability

    BG Guestbook CGI version 1.0 is vulnerable to cross-site scripting
    attacks in most of the URL parameters.

    This vulnerability is confirmed and fixed in version 1.1.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0207.html

    *** {02.11.012} Cross - Java Web Start JNLP access to restricted
                    resources

    A bug in versions of the Java Web Start suite prior to 1.0.1_02 allows
    an unsigned applet to use JNLP to access restricted resources.

    This vulnerability is confirmed.

    Updated Sun Solaris package is available at:
    http://java.sun.com/products/javawebstart/index.html

    Updated HP, HP-UX packages are available at:
    http://www.hp.com/go/java

    Source: HP, Sun (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0217.html
    http://archives.neohapsis.com/archives/hp/2002-q1/0084.html

    *** {02.11.013} Cross - Update {02.10.014}: zlib double free
                    decompression bug

    Multiple vendors released updated zlib libraries, which fix the
    vulnerability discussed in {02.10.014} ("zlib double free decompression
    bug").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0127.html
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0157.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0115.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0024.html

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0203.html

    FreeBSD branches as of Feb. 22, 2002, contain an updated version.

    Source: RedHat, Conectiva, Trustix, FreeBSD, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0127.html
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0157.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0115.html
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0024.html
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0203.html
    http://archives.neohapsis.com/archives/freebsd/2002-03/0248.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8mjgb+LUG5KFpTkYRAjA+AKCcmLvn68KKcxNHCOe7V4HvLea+RACfdbis
    rm792PchY4aH8yH9UyZ5u4c=
    =mict
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------


    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).