From: Network Computing and The SANS Institute (sans+ZZ31461565651524379@sans.org)
Date: Thu Mar 28 2002 - 15:07:22 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 012 (02.12)
Thursday, March 28, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
This issue sponsored by Vericept Corporation. Are you able to IDENTIFY
a pending ATTACK? Can you STOP corporate secrets from LEAKING through
IM or Chat? Keep HACKERS out and CONFIDENTIAL info in with Vericept
VIEW, The Network Computing Editor's Choice for Content Monitoring.
http://www.vericept.com/special/confidence_NL1
----------------------------------------------------------------------
An interesting and controversial research paper released a few weeks
ago discusses a new way to potentially factor 1024-bit RSA and DH
keys. At first, much of the security community was skeptical. But
lately, many notable researchers have agreed that the theory is
sound. While the reality of implementing the hardware discussed
in the paper in a typical commercial environment is limited (costs
can range upward of $1 billion), the potential for large government
organizations (local and foreign) isn't. The security implications
are that key sizes of 1024 bits and less can be considered weak and
inappropriate for extremely sensitive data; the down side is that many
SSL certificates and commercial applications use 1024-bit keys. In
general, our recommendation is to have all future-generated keys
be larger than 1024 bits and to look at updating current keys when
time and resources permit. A PostScript copy of the original paper
is available at: http://cr.yp.to/papers/nfscircuit.ps
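As a practical follow-up to that recommendation, the added example below (not from the newsletter or the paper) audits RSA public keys for modulus sizes at or below 1024 bits; it parses the PKCS#1 RSAPublicKey DER structure by hand so it needs no third-party library, and the sample moduli are constructed random integers, not real RSA keys.

```python
import secrets

WEAK_MAX_BITS = 1024  # the newsletter's threshold: 1024 bits and below is weak

def _der_len(data, i):
    """Decode a DER length at data[i]; return (length, index after it)."""
    first = data[i]
    if first < 0x80:                     # short form
        return first, i + 1
    n = first & 0x7F                     # long form: n length bytes follow
    return int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_integer(value):
    # One extra bit of room keeps the sign bit clear, as DER requires.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_encode_len(len(body)) + body

def encode_rsa_public_key(n, e):
    """Build a PKCS#1 RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e }."""
    body = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_encode_len(len(body)) + body

def rsa_modulus_bits(der):
    """Return the bit length of the modulus in an RSAPublicKey DER blob."""
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, i = _der_len(der, 1)
    if der[i] != 0x02:
        raise ValueError("expected INTEGER modulus")
    length, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + length], "big").bit_length()

def is_weak_key(der, threshold=WEAK_MAX_BITS):
    return rsa_modulus_bits(der) <= threshold

def audit(keys):
    """Map label -> (modulus bits, weak?) for a dict of label -> DER key."""
    return {label: (rsa_modulus_bits(d), is_weak_key(d)) for label, d in keys.items()}

def fake_modulus(bits):
    """Constructed odd integer with the top bit set; NOT a real RSA modulus."""
    return (1 << (bits - 1)) | secrets.randbits(bits - 1) | 1

if __name__ == "__main__":
    samples = {label: encode_rsa_public_key(fake_modulus(b), 65537)
               for label, b in [("legacy-512", 512), ("web-cert-1024", 1024), ("new-2048", 2048)]}
    for label, (bits, weak) in audit(samples).items():
        print(f"{label}: {bits} bits {'WEAK' if weak else 'ok'}")
```

For real certificates the same modulus check applies once the RSAPublicKey is extracted from the SubjectPublicKeyInfo; the threshold is the one the newsletter gives, so raise it as guidance changes.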
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{02.12.001} Win - Update {02.08.020}: LilHTTP server protected file
access
{02.12.012} Win - Xpede password exposures
{02.12.014} Win - Gravity Storm SP manager SPM2000c$ share
{02.12.015} Win - PCI NetSupport Manager HTTP server file retrieval
{02.12.025} Win - Update {02.08.012}: Squid multiple vulnerabilities
{02.12.027} Win - SouthWest telnet BBS HTTP DoS
{02.12.010} Linux - Mandrake kdm configuration allows XDMCP connections
{02.12.021} Linux - Update {02.10.012}: mtr MTR_OPTIONS environment
variable overflow
{02.12.024} Linux - Linux kernel d_path file path truncation
{02.12.011} HPUX - HP Web proxy forwards unauthorized requests
{02.12.004} SCO - Update {99.03.007}: Patches released for rpc.cmsd
{02.12.003} NApps - Nokia ISS RealSecure KeyManager default
user/machine names
{02.12.002} Cross - libsafe printf token and argument bypass
{02.12.005} Cross - Webmin local privilege escalation
{02.12.006} Cross - Ikonboard IMG tag CSS vulnerability
{02.12.007} Cross - vBulletin IMG tag CSS vulnerability
{02.12.008} Cross - imlib library multiple overflows
{02.12.009} Cross - Apache 1.3.24 available (with security fixes)
{02.12.013} Cross - Progress sqlcpp argument overflow
{02.12.016} Cross - vBulletin memberlist.php letterbits CSS
vulnerability
{02.12.017} Cross - PostNuke multiple CSS vulnerabilities
{02.12.018} Cross - DCShop CGI .setup file deletion
{02.12.019} Cross - Alguest CGI arbitrary administrator access
{02.12.020} Cross - WebSight CGI CSS vulnerability in link submission
{02.12.022} Cross - Instant Web Mail CGI embedded CRLF vulnerabilities
{02.12.023} Cross - Etnus Totalview incorrect file uid/gid
{02.12.026} Cross - csSearch.cgi arbitrary Perl execution/setup.cgi
overwrite
{02.12.028} Cross - Logwatch tmp file race condition
--- Windows News -------------------------------------------------------
*** {02.12.001} Win - Update {02.08.020}: LilHTTP server protected file
access
The vendor released updated LilHTTP packages, which fix the
vulnerability discussed in {02.08.020} ("LilHTTP server protected
file access").
Version 2.2 is available at:
http://www.summitcn.com/downloads/lilhtv22.zip
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0069.html
*** {02.12.012} Win - Xpede password exposures
Intellisol Xpede version 4.1 reportedly embeds a user's password
using a weak, reversible obfuscation technique inside a cookie sent
to the user. The password is also embedded in plain text within HTML
returned to the user during reauthentication.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0281.html
*** {02.12.014} Win - Gravity Storm SP manager SPM2000c$ share
The Gravity Storm service pack manager 2000 creates a Windows file
share named 'SPM2000c$' that allows direct access to the C drive by
everyone. This could allow a remote attacker to read and write files.
The advisory indicates vendor confirmation and a fix.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0284.html
*** {02.12.015} Win - PCI NetSupport Manager HTTP server file retrieval
PCI's NetSupport Manager prior to version 7 ships with an internal
Web server that, when enabled, allows remote attackers to download
arbitrary files by using '..' notation in URL requests.
The vendor confirmed this problem and fixed it in version 7.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0285.html
*** {02.12.025} Win - Update {02.08.012}: Squid multiple vulnerabilities
FreeBSD updated the squid port, which fixes the vulnerability discussed
in {02.08.012} ("Squid multiple vulnerabilities").
The ports collection as of Mar. 22, 2002, contains the corrected
version.
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2002-03/0354.html
*** {02.12.027} Win - SouthWest telnet BBS HTTP DoS
Scott Lloyd's SouthWest telnet BBS version 1.0.0 is vulnerable to a
denial of service whereby a remote attacker submits a malformed URL
to the included Web service, causing the entire application to crash.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0326.html
--- Linux News ---------------------------------------------------------
*** {02.12.010} Linux - Mandrake kdm configuration allows XDMCP
connections
Mandrake released an advisory indicating that the configuration of
kdm shipped with Mandrake Linux versions 7.1, 7.2 and 8.0 allows
remote attackers to use XDMCP to gain a list of local user names and,
potentially, circumvent configured access restrictions.
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2002-03/0271.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-03/0271.html
*** {02.12.021} Linux - Update {02.10.012}: mtr MTR_OPTIONS environment
variable overflow
Debian released updated mtr packages, which fix the vulnerability
discussed in {02.10.012} ("mtr MTR_OPTIONS environment variable
overflow").
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2002-q1/0070.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q1/0070.html
*** {02.12.024} Linux - Linux kernel d_path file path truncation
In certain situations, it is possible for the d_path() function of
Linux kernels prior to 2.2.20 and 2.4.18 to return only a partial path,
thus potentially allowing a local attacker to trick the (privileged)
application into working with an unsafe file path.
This vulnerability is confirmed and fixed in Linux kernels 2.2.20
and 2.4.18.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0074.html
--- HP-UX News ---------------------------------------------------------
*** {02.12.011} HPUX - HP Web proxy forwards unauthorized requests
The Web proxy software shipped with HP-UX version 11.04 (VVOS) contains
a bug that could allow malformed HTTP requests received from outside
networks to be forwarded to internal networks.
HP released patch PHSS_26478 to fix this problem.
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q1/0092.html
--- SCO News -----------------------------------------------------------
*** {02.12.004} SCO - Update {99.03.007}: Patches released for rpc.cmsd
Caldera/SCO released updated rpc.cmsd packages, which fix the
vulnerability discussed in {99.03.007} ("Patches released for
rpc.cmsd").
Updated binaries are available at:
ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.12/
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0020.html
--- Network Appliances News --------------------------------------------
*** {02.12.003} NApps - Nokia ISS RealSecure KeyManager default
user/machine names
There is some debate about potential default machine and user names
included with the RealSecure version 6.0 build 6.0.2001.141 for Nokia
IPSO. The report indicates that an attacker with the machine name
starscream can log in as user skank and administer keys.
The advisory states that the vendor confirmed a default account was
left in builds prior to IPSO build 6.0.2001.141d, but other vendor
reports attribute the behavior to a 'first time connection' feature
that is meant to ease administration.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0071.html
--- Cross-Platform News ------------------------------------------------
*** {02.12.002} Cross - libsafe printf token and argument bypass
The libsafe security library 2.0-11 and prior contain bugs that could
still allow an attacker to bypass libsafe handling, leading to a
false sense of security. Libsafe does not implement all the printf
format tokens, nor does it properly count supplied arguments.
These bugs are confirmed and fixed in version 2.0-12.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0070.html
*** {02.12.005} Cross - Webmin local privilege escalation
The Webmin administrative CGI suite version 0.92-1 distributed in
various RPMs incorrectly sets permissions on the /var/webmin directory,
thereby allowing a local attacker to recover session IDs and log in
with root status.
This vulnerability is confirmed and fixed in version 0.93.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0245.html
*** {02.12.006} Cross - Ikonboard IMG tag CSS vulnerability
The Ikonboard CGI suite versions 3.0.3 and prior allow cross-site
scripting embedded in IMG tags of posts.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0255.html
*** {02.12.007} Cross - vBulletin IMG tag CSS vulnerability
The vBulletin CGI suite versions 2.2.2 and prior allow cross-site
scripting embedded in IMG tags of posts.
The vendor confirmed this vulnerability and released version 2.2.4.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0261.html
*** {02.12.008} Cross - imlib library multiple overflows
The imlib library prior to version 1.9.13 contains multiple
vulnerabilities. Programs using the imlib library to read untrusted
graphics could be exploited to execute arbitrary code.
Updated RedHat RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0125.html
Source: RedHat
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0125.html
*** {02.12.009} Cross - Apache 1.3.24 available (with security fixes)
Apache 1.3.24 was released. This version fixes a vulnerability that
allows attackers to trick Apache on Windows platforms into executing
arbitrary command-line commands via batch file (.bat) CGIs.
Updated versions are available at:
http://www.apache.org/
Source: Apache
http://archives.neohapsis.com/archives/apache/2002/0004.html
*** {02.12.013} Cross - Progress sqlcpp argument overflow
Progress Software's Progress suite version 9.1C is reportedly
vulnerable to a buffer overflow in the handling of large command-line
arguments, thereby allowing a local attacker to execute arbitrary
code with root privileges.
This vulnerability is not confirmed.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2002-q1/1017.html
*** {02.12.016} Cross - vBulletin memberlist.php letterbits CSS
vulnerability
The vBulletin CGI suite is vulnerable to cross-site scripting in the
handling of the 'letterbits' URL parameter.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0287.html
*** {02.12.017} Cross - PostNuke multiple CSS vulnerabilities
A released advisory indicates that many cross-site scripting bugs
exist in PostNuke's handling of various URL parameters. Versions
7.0.3 and prior are indicated as vulnerable.
These bugs are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0288.html
*** {02.12.018} Cross - DCShop CGI .setup file deletion
The DCShop CGI suite does not properly filter the database URL
parameter, potentially allowing a remote attacker to delete arbitrary
*.setup files.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0302.html
*** {02.12.019} Cross - Alguest CGI arbitrary administrator access
The Alguest guestbook CGI insecurely checks for administrative
privileges, thereby allowing a remote attacker to create a fake cookie
and become an administrator to the CGI.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0303.html
*** {02.12.020} Cross - WebSight CGI CSS vulnerability in link
submission
WebSight directory/portal CGI version 0.1 does not filter submitted
links for HTML characters, thereby allowing an attacker to embed
cross-site scripting in a link submission.
This vulnerability is confirmed and fixed in version 0.1.1.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0304.html
*** {02.12.022} Cross - Instant Web Mail CGI embedded CRLF
vulnerabilities
The Instant Web Mail CGI suite version 0.59 allows an attacker to
insert various CRLF characters in the user input, thereby allowing
the attacker to send additional POP commands to the server or include
extra arbitrary headers in outgoing e-mail.
These vulnerabilities are confirmed and fixed in version 0.60.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0316.html
*** {02.12.023} Cross - Etnus Totalview incorrect file uid/gid
Etnus's Totalview suite version 5.0.0-4 reportedly installs files and
directories and makes them owned by uid 5039 and gid 59. Attackers
who can access this uid or gid can potentially trojan the files.
The advisory indicates vendor confirmation and an available fix.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0319.html
*** {02.12.026} Cross - csSearch.cgi arbitrary Perl execution/setup.cgi
overwrite
The csSearch.cgi CGI search engine version 2.3 allows a remote attacker
to overwrite the contents of the setup.cgi file, which can then be
executed in order to run arbitrary Perl code on the Web server.
The vendor confirmed this vulnerability and released version 2.5.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0323.html
*** {02.12.028} Cross - Logwatch tmp file race condition
The logwatch application version 2.1.1 insecurely handles temporary
files, thereby allowing a local attacker to perform a symlink attack.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/vuln-dev/2002-q1/1088.html
************************************************************************
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).