From: Network Computing and The SANS Institute (sans+ZZ25477673999235587@sans.org)
Date: Thu Apr 25 2002 - 14:11:10 CDT
Subject: Re: Your personalized newsletter
-- Security Alert Consensus --
Number 016 (02.16)
Thursday, April 25, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
Rate Your Application Performance Needs
Together with Greenwich Technology Partners, we've constructed an
interactive Decision Tree to help you assess your application
performance needs. Fill out our 22-point questionnaire, and we'll tell
you whether your company is a thought-leader or a laggard when it comes
to building scalable applications. Along the way, learn a thing or two
on forecasting, monitoring and integrating a performance framework.
http://www.nwc.com/go/dtree-apps.html
----------------------------------------------------------------------
It wasn't until one subscriber wrote in to us that we realized last
week's SAC issue didn't have any items in the Windows category. No,
this was not an error, there just weren't any Windows-exclusive bugs
reported last week. However, there were items in the Cross-Platform
section that did affect Windows users. If you're not subscribed to
the Cross-Platform category, we strongly suggest you add it to your
subscription options. Information on how to change your subscription
options is at the bottom of this e-mail.
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{02.16.006} Win - AIM direct connection file creation
{02.16.010} Win - ColdFusion DOS device path disclosure
{02.16.013} Win - WebTrends Reporting Center long URL overflow
{02.16.014} Win - Back Office Web administrator auth bypass
{02.16.015} Win - Talentsoft Webplus CGI cookie overflow
{02.16.016} Win - MS02-020: SQL extended procedure overflows
{02.16.017} Win - Microsoft-ds service malformed packet stream DoS
{02.16.018} Win - Sambar Web server CGI script source disclosure
{02.16.019} Win - Foundstone FScan server banner format string
vulnerability
{02.16.020} Win - IE img/onload can detect presence of files
{02.16.024} Win - Xpede CGIs multiple vulnerabilities
{02.16.025} Win - Snitz forums CGI SQL injection
{02.16.029} Win - codebrws.asp et al CGI source code disclosure via
unicode URL
{02.16.036} Win - Matu FTP client long server response overflow
{02.16.011} BSD - FreeBSD routing table memory leak via ICMP echo
packets
{02.16.023} NApps - Update {02.15.015}: Nortel CVX 1800 exposes user
names/passwords via SNMP
{02.16.030} Other - MPE/iX malformed packet DoS
{02.16.001} Cross - Fileseek.cgi CGI command execution and file viewing
{02.16.002} Cross - xpilot server buffer overflow
{02.16.003} Cross - Update {02.15.017}: Demarc CGI user login bypass
{02.16.004} Cross - PostBoard CGI CSS and DoS vulnerabilities
{02.16.005} Cross - AOLServer DB Proxy Daemon format string
vulnerability
{02.16.007} Cross - thttpd 404 URL error CSS vulnerability
{02.16.008} Cross - Update {02.15.006}: Tivoli TSM long URL overflow
{02.16.009} Cross - Update {02.15.016}: Raptor firewall allows FTP
bouncing
{02.16.012} Cross - Oracle9i 'outer join' query can access restricted
data
{02.16.021} Cross - PVote CGI multiple vulnerabilities
{02.16.022} Cross - IcrediBB CGI title/body CSS vulnerabilities
{02.16.026} Cross - Stdin/stdout/stderr closed file descriptor
vulnerability
{02.16.027} Cross - OpenSSH AFS/Kerberos support overflow
{02.16.028} Cross - Update {02.15.013}: Webalizer reverse DNS lookup
overflow
{02.16.031} Cross - MHonArc multiple CSS vulnerabilities
{02.16.032} Cross - Faq-O-Matic fom.cgi CGI file parameter CSS
{02.16.033} Cross - PostCalendar CGI suite entry CSS vuln
{02.16.034} Cross - slrnpull -d parameter overflow
{02.16.035} Cross - psyBNC long password connection DoS
{02.16.037} Cross - LabView Web server malformed HTTP request DoS
{02.16.038} Cross - csMailto CGI multiple vulnerabilities
--- Windows News -------------------------------------------------------
*** {02.16.006} Win - AIM direct connection file creation
AOL Instant Messenger version 4.8 beta has a direct connection feature
that is used to transfer multimedia files directly between users. It's
possible for a malicious AIM user to send a particular wave file that
could be written to arbitrary locations on the receiver's computer
and potentially execute shell or VBS scripts. The receiver would have
to confirm the direct connection first, however.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0203.html
*** {02.16.010} Win - ColdFusion DOS device path disclosure
ColdFusion version 5.0 displays the physical Web root paths when a
remote attacker submits a URL request that contains a DOS device name
such as 'nul'.
Macromedia/Allaire confirmed this problem and suggested a workaround
of enabling "Check if file exists" for both the .cfm and .dbm IIS
file handlers.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0028.html
*** {02.16.013} Win - WebTrends Reporting Center long URL overflow
WebTrends Reporting Center version 4.0d includes a built-in Web server
to serve reports to users. Users who are allowed to view reports can
submit a long URL request, which results in a buffer overflow as well
as the potential to execute arbitrary code.
The advisory indicates confirmation by the vendor, which will fix
the bug in a future version.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0207.html
*** {02.16.014} Win - Back Office Web administrator auth bypass
The administrative ASP pages for the BackOffice server do not properly
check to see if users have authenticated themselves, thus allowing
remote attackers to access the administrative pages.
Microsoft confirmed this vulnerability and released an update, which
is available at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316838
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0208.html
*** {02.16.015} Win - Talentsoft Webplus CGI cookie overflow
Talentsoft's Webplus CGI addon version 5.0 contains a buffer overflow
in the handling of large HTTP cookies, thereby allowing a remote
attacker to execute arbitrary code.
The vendor confirmed this vulnerability and released a patch, which
is available at:
http://www.talentsoft.com/download/download.en.wml
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0210.html
*** {02.16.016} Win - MS02-020: SQL extended procedure overflows
Microsoft released MS02-020 ("SQL extended procedure overflows"). SQL
server 7.0 and 2000 contain buffer overflows in various extended
procedures, thereby allowing an attacker who can submit queries to
the database to execute arbitrary code on the SQL server.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-020.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q2/0013.html
*** {02.16.017} Win - Microsoft-ds service malformed packet stream DoS
Windows 2000 is vulnerable to a denial of service attack against the
Microsoft-ds service listening on port 445. A remote attacker can send
a particular malformed stream of data to the service, thereby causing
it to consume all available CPU time and kernel memory and eventually
resulting in a system crash.
Microsoft confirmed this problem and issued a workaround, which is
available at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320751
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0025.html
*** {02.16.018} Win - Sambar Web server CGI script source disclosure
Sambar Web server version 5.1p discloses the source code of server-side
scripts rather than executing the scripts when an attacker appends
particular characters to the URL request.
The vendor confirmed this vulnerability and released a patch, which
is available at:
http://sambar.dnsalias.org/win32-preview.tar.gz
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0026.html
*** {02.16.019} Win - Foundstone FScan server banner format string
vulnerability
Foundstone's FScan network scanner version 1.12 contains a format
string vulnerability in the handling of server banners that could allow
a malicious server to execute arbitrary code on the user's system.
The vendor confirmed this vulnerability and released an update,
which is available at:
http://www.foundstone.com/knowledge/proddesc/fscan.html
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0030.html
*** {02.16.020} Win - IE img/onload can detect presence of files
A report surfaced indicating that Internet Explorer 6.0 contains a bug
which lets a malicious Web site use the onload JavaScript event handler
of the IMG tag to determine whether particular files exist on the client
computer.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0032.html
*** {02.16.024} Win - Xpede CGIs multiple vulnerabilities
Intellisol Xpede version 4.1 contains multiple vulnerabilities:
configuration information exposure; SQL injection; unrestricted
administrative access; and sensitive data exposure.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0273.html
*** {02.16.025} Win - Snitz forums CGI SQL injection
Snitz forums versions 3.3.03 and prior allow a remote attacker to
inject arbitrary SQL commands into the logic processing, thereby
allowing the attacker to read and potentially modify data within the
database. This is done via the M_NAME parameter to the members.asp
page.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0279.html
*** {02.16.029} Win - codebrws.asp et al CGI source code disclosure via
unicode URL
The various codebrws.asp/viewcode.asp sample CGI scripts included
with IIS and various Microsoft products allow a remote attacker
to view the source of arbitrary ASP pages if the URL query uses
unicode/utf-8 encoding.
This vulnerability is not confirmed. An appropriate fix would be to
remove the sample scripts, which is a standard security best practice.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0024.html
*** {02.16.036} Win - Matu FTP client long server response overflow
The Matu FTP client version 1.74 contains a buffer overflow in the
handling of large server responses. This allows a malicious FTP server
to execute arbitrary code on the client system.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0310.html
--- BSD News -----------------------------------------------------------
*** {02.16.011} BSD - FreeBSD routing table memory leak via ICMP echo
packets
FreeBSD released an advisory indicating that a denial of service
via ICMP echo packets could cause the routing table to consume all
available memory.
FreeBSD 4.5-STABLE as of April 15, 2002, contains a fix.
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2002-04/0230.html
--- Network Appliances News --------------------------------------------
*** {02.16.023} NApps - Update {02.15.015}: Nortel CVX 1800 exposes
user names/passwords via SNMP
Nortel released patch DB022002-1, which fixes the vulnerability
discussed in {02.15.015} ("Nortel CVX 1800 exposes user names/passwords
via SNMP").
The patch is available via Nortel.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0272.html
--- Other News ---------------------------------------------------------
*** {02.16.030} Other - MPE/iX malformed packet DoS
HP released patch NSTGDB2 to fix a denial of service in the handling
of malformed IP packets by MPE/iX.
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q2/0016.html
--- Cross-Platform News ------------------------------------------------
*** {02.16.001} Cross - Fileseek.cgi CGI command execution and file
viewing
The fileseek.cgi CGI script by Craig Patchett allows remote attackers
to execute arbitrary command-line commands and to view files readable
by the Web server.
These vulnerabilities are not confirmed.
Source: SecurityFocus VulnDev
http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0132.html
*** {02.16.002} Cross - xpilot server buffer overflow
Debian released an advisory indicating that a buffer overflow in the
xpilot server could allow a remote attacker to execute arbitrary code
on the system.
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2002-q2/0011.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q2/0011.html
*** {02.16.003} Cross - Update {02.15.017}: Demarc CGI user login bypass
Demarc released updated Demarc packages, which fix the vulnerability
discussed in {02.15.017} ("Demarc CGI user login bypass").
Version 1.6 fixes the bug and is available from the vendor.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0187.html
*** {02.16.004} Cross - PostBoard CGI CSS and DoS vulnerabilities
The PostBoard CGI version 2.0.1, which is an add-on for the PostNuke
CGI suite, contains multiple vulnerabilities: cross-site scripting
in the handling of IMG tags and topic titles, and a denial of service
in handling nested bbcode tags.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0194.html
*** {02.16.005} Cross - AOLServer DB Proxy Daemon format string
vulnerability
The DB Proxy Daemon API included with AOLServer versions 3.4.2 and
prior contains a format string vulnerability that could allow a remote
attacker to execute arbitrary code on particular DB Proxy Daemons.
This vulnerability is confirmed, and a fix has been committed to CVS.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0195.html
*** {02.16.007} Cross - thttpd 404 URL error CSS vulnerability
thttpd Web server version 2.20b is vulnerable to cross-site scripting
in the handling of nonexistent page requests.
The SAC staff confirmed this vulnerability.
Source: SecurityFocus VulnDev
http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0155.html
*** {02.16.008} Cross - Update {02.15.006}: Tivoli TSM long URL overflow
IBM released updated packages, which fix the vulnerability discussed
in {02.15.006} ("Tivoli TSM long URL overflow").
The fix is available as IBM Tivoli Policy Director WebSEAL 3.8
Fixpack 1.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0223.html
*** {02.16.009} Cross - Update {02.15.016}: Raptor firewall allows FTP
bouncing
Symantec released a hotfix for the vulnerability discussed in
{02.15.016} ("Raptor firewall allows FTP bouncing").
The hotfix is available via the Symantec support site.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0224.html
*** {02.16.012} Cross - Oracle9i 'outer join' query can access
restricted data
Oracle9i version 9.0.1.x allows a user with minimal privileges to
access restricted/privileged data by using outer join queries.
Oracle confirmed this problem. More information is available at:
http://otn.oracle.com/deploy/security/pdf/sql_joins_alert.pdf
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0175.html
*** {02.16.021} Cross - PVote CGI multiple vulnerabilities
The PVote CGI voting suite allows remote attackers to add and
delete polls, as well as change the administrative password, without
authentication.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0230.html
*** {02.16.022} Cross - IcrediBB CGI title/body CSS vulnerabilities
The IcrediBB CGI suite version 1.1 is vulnerable to cross-site
scripting in the handling of text submitted in the title and body
of posts.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0263.html
*** {02.16.026} Cross - Stdin/stdout/stderr closed file descriptor
vulnerability
FreeBSD is vulnerable to a file descriptor manipulation attack whereby a
local attacker can potentially gain root access by running a setuid
program with the 'assumed to be open' descriptors for stdin, stdout and
stderr closed. The first file such a program opens is assigned one of
those descriptor numbers, so whatever the program later writes to what
it believes is stdout or stderr (or reads from stdin) goes to, or comes
from, that file instead. It's possible that other Unix vendors are
vulnerable to this problem, as well.
FreeBSD as of April 21, 2002, contains the proper fixes.
Source: VulnWatch, FreeBSD
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0033.html
http://archives.neohapsis.com/archives/freebsd/2002-04/0350.html
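The descriptor-reuse problem behind {02.16.026}, shown as an added example. This is not code from the FreeBSD advisory or from this newsletter; it simulates the attack inside one unprivileged process (no setuid binary is needed to see the effect) and pairs it with the application-side defence of pointing any closed standard descriptor at /dev/null before the program opens anything sensitive. The scratch path /tmp/sac_fd_demo.txt and the function names are this example's own assumptions.

```c
/* Added example, not from the advisory: why a setuid program must not
 * assume descriptors 0, 1 and 2 are open, and one way to defend. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if fd is an open descriptor, 0 if it is closed (EBADF). */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/* Hardening: call this first thing in a privileged program. Any of
 * 0/1/2 that the caller left closed is pointed at /dev/null, so a later
 * open() of a sensitive file cannot land on a "standard" descriptor.
 * Returns how many descriptors were repaired, or -1 on failure. */
int ensure_std_fds(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {            /* lowest free slot was not fd: move it */
            if (dup2(nfd, fd) == -1) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        repaired++;
    }
    return repaired;
}

/* Simulates the attack in this process. fd 2 is closed the way an
 * attacker's parent process would close it before exec'ing the setuid
 * target; the target then opens a file it is privileged to write (here
 * a scratch file at path) and emits a diagnostic on fd 2. Without
 * hardening the scratch file is assigned fd 2, so the diagnostic is
 * written INTO the file. Returns the descriptor the file was given. */
int demo_fd_reuse(const char *path, int harden)
{
    int saved = dup(2);             /* keep our real stderr */
    if (saved == -1)
        return -1;
    close(2);

    if (harden)
        ensure_std_fds();

    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    int assigned = fd;

    /* The program believes this goes to the terminal. */
    static const char msg[] = "warning: attacker-controlled text\n";
    (void)write(2, msg, sizeof msg - 1);

    if (fd != -1)
        close(fd);
    dup2(saved, 2);                 /* restore stderr (replaces /dev/null too) */
    close(saved);
    return assigned;
}

/* Bytes now stored at path, or -1: shows whether the file was corrupted. */
long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == -1 ? -1 : (long)st.st_size;
}

int main(void)
{
    const char *path = "/tmp/sac_fd_demo.txt";   /* assumed writable */
    int fd = demo_fd_reuse(path, 0);
    printf("unhardened: file got fd %d, %ld bytes written into it\n",
           fd, file_size(path));
    fd = demo_fd_reuse(path, 1);
    printf("hardened:   file got fd %d, %ld bytes written into it\n",
           fd, file_size(path));
    return 0;
}
```

In the unhardened run the scratch file receives descriptor 2 and ends up containing the "diagnostic"; in a real setuid program that file could be a privileged configuration or password file and the text could be attacker-influenced. With ensure_std_fds() the file lands on a higher descriptor and the message is discarded. The system-level fix the advisory refers to is a separate defence and is not shown here.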
*** {02.16.027} Cross - OpenSSH AFS/Kerberos support overflow
OpenSSH versions prior to 3.3 and 2.9.9 contain a buffer overflow
in the handling of Kerberos ticket passing and AFS token passing
routines. The 2.x branch allows remote execution of arbitrary code,
and the 3.x branch only allows local execution of arbitrary code.
Update/patch instructions are listed in the reference URL below.
Source: OpenSSH/OpenBSD
http://archives.neohapsis.com/archives/bugtraq/2002-04/0298.html
*** {02.16.028} Cross - Update {02.15.013}: Webalizer reverse DNS
lookup overflow
EnGarde released updated webalizer packages, which fix the
vulnerability discussed in {02.15.013} ("Webalizer reverse DNS lookup
overflow"). The vendor also released version 2.01-10, which fixes
the bug. It is available from: http://www.webalizer.org/
Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2002-q2/0000.html
Source: EnGarde
http://archives.neohapsis.com/archives/linux/engarde/2002-q2/0000.html
*** {02.16.031} Cross - MHonArc multiple CSS vulnerabilities
MHonArc version 2.5.2 does not filter certain forms of embedded
JavaScript from e-mail messages, so an e-mail containing malicious
JavaScript can be archived and the script served to anyone who views
the archived message.
This vulnerability is confirmed and fixed in version 2.5.3.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0260.html
*** {02.16.032} Cross - Faq-O-Matic fom.cgi CGI file parameter CSS
The Faq-O-Matic fom.cgi version 2.712 is vulnerable to cross-site
scripting in the handling of the 'file' URL parameter.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0287.html
*** {02.16.033} Cross - PostCalendar CGI suite entry CSS vuln
The PostCalendar CGI addon for PostNuke version 3.02 is vulnerable
to cross-site scripting in the handling of calendar entries.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0288.html
*** {02.16.034} Cross - slrnpull -d parameter overflow
The slrnpull application contains a locally exploitable buffer overflow
in the handling of the '-d' command-line parameter, which lets an
attacker execute arbitrary code. Installations that have setuid/setgid
permissions on slrnpull are vulnerable to a privilege elevation attack.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0302.html
*** {02.16.035} Cross - psyBNC long password connection DoS
psyBNC version 2.3 contains a denial of service whereby a remote
attacker can cause the service to stop accepting connections by
sending long passwords and immediately closing the connection.
The vendor confirmed this problem and fixed it in the upcoming 2.3.1
version.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0303.html
http://archives.neohapsis.com/archives/bugtraq/2002-04/0322.html
*** {02.16.037} Cross - LabView Web server malformed HTTP request DoS
The LabView Web server versions 6.5 and prior crash when logging
is enabled and a remote attacker submits a particular malformed URL
request. This results in a denial of service.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0323.html
*** {02.16.038} Cross - csMailto CGI multiple vulnerabilities
Cgiscript.net's csMailto CGI contains multiple vulnerabilities that
allow a remote attacker to execute command-line commands, read local
files and e-mail their contents out, and access configuration
information via URL parameter tampering.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0326.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE8yFLi+LUG5KFpTkYRAltyAJ4+KKWVEFdq8JrYLOJUwkVzbpmMngCfXGa9
WviIYxqaN7KO4/fPp3b5M2g=
=qkgI
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).