From: Network Computing and The SANS Institute (sans+ZZ05790209463523322sans.org)
Date: Thu Jun 06 2002 - 14:09:57 CDT

    Re: Your personalized newsletter

                        -- Security Alert Consensus --
                              Number 022 (02.22)
                           Thursday, June 6, 2002
                              Created for you by
                    Network Computing and the SANS Institute
                              Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    *** Sponsored by Rainbow Technologies ***

    Five-Minute Workout: Authentication
    If you find yourself suddenly thrust into the role of security manager,
    don't worry. Use our streaming media workout to learn the ins and outs
    of securing access to your network resources. Along the way, you'll
    learn some techniques for effectively managing differing identities,
    such as user name/password, security tokens and, of course, biometric
    measurements.
    http://www.nwc.com/out/fivemin/03june02fmw.html

    ----------------------------------------------------------------------

    There has been a lot of activity this week. BIND (9.x), Sendmail,
    and Exchange 2000 have been updated because of denial of service
    vulnerabilities. Both SCO and Tru64 had a cluster of security
    patches released. But the worst bug is a buffer overflow in Internet
    Explorer's handling of gopher URLs (item {02.22.041}). Microsoft is
    still working on a patch, so hopefully it will be ready by next
    week's issue.

    Until next week,
    - Security Alert Consensus Team

    ************************************************************************

    TABLE OF CONTENTS:

    {02.22.011} Win - CMailServer home dir overflow
    {02.22.029} Win - BadBlue Web server unicode % dir browsing
    {02.22.033} Win - MS02-025: Malformed mail attribute Exchange 2000 DoS
    {02.22.034} Win - JRun ISAPI Host header overflow
    {02.22.037} Win - Yahoo instant messenger multiple vulns
    {02.22.038} Win - Shambala Web/ftp server dir browsing/file retrieval
    {02.22.041} Win - IE gopher support buffer overflow
    {02.22.042} Win - Hawk-I/Logisense CGI login form SQL tampering
    {02.22.047} Win - CFXImage showtemp.cfm file reading
    {02.22.002} Linux - Update {02.09.020}: Bad SNMP packet crashes ethereal
    {02.22.003} Linux - Update {02.19.005}: ISC DHCPD nsupdate format
                string vuln
    {02.22.009} Linux - Update {02.19.012}: (uw-)imapd BODY command overflow
    {02.22.017} Linux - Debian netstd utilities DNS response overflows
    {02.22.026} Linux - Update {02.18.023}: Mozilla XMLHttpRequest file
                disclosure
    {02.22.030} Linux - Volution Manager stores password in clear
    {02.22.035} Linux - Update {01.30.001}: tcpdump AFS parsing overflow (2)
    {02.22.036} Linux - Debian in.uucp input string overflow
    {02.22.044} Linux - Ghostscript arbitrary command exec
    {02.22.048} Linux - Xandros linux autorun -c displays file contents
    {02.22.022} BSD - FreeBSD accept filter DoS
    {02.22.024} BSD - FreeBSD /etc/rc insecure file deletion
    {02.22.050} Sol - snmpdx/mibiisa vulnerabilities
    {02.22.007} HP-UX - swinstall local file viewing
    {02.22.051} SGI - rpc.passwd vulnerability
    {02.22.005} SCO - Update {01.05.025}: sort insecure temp file handling
    {02.22.006} SCO - scoadmin insecure temp file use
    {02.22.008} SCO - FTP PASV connection hijacking
    {02.22.016} SCO - popper large string DoS
    {02.22.045} SCO - crontab command-line param format string vuln
    {02.22.018} NApps - Netscreen Web interface large username DoS
    {02.22.027} NApps - Quantum SnapServer TCP vulnerabilities
    {02.22.012} Other - Tru64 libc LANG and LOCPATH env varb overflow
    {02.22.013} Other - Tru64 ypbind dumps core during portscan
    {02.22.014} Other - Tru64 multiple CDE overflows
    {02.22.015} Other - Tru64 NFS packet flood DoS
    {02.22.046} Other - QNX4 suid app file overwriting vuln
    {02.22.001} Cross - xchat dns query command exec
    {02.22.004} Cross - BIND 9 internal consistency check DoS
    {02.22.010} Cross - Swatch throttle code can 'lose' events
    {02.22.019} Cross - wbbboard new user registration hijacking
    {02.22.020} Cross - Ethereal multiple vulnerabilities
    {02.22.021} Cross - kismet saytext() command exec and overflow
    {02.22.023} Cross - Apache Tomcat source.jsp directory browsing
    {02.22.025} Cross - sqlexec INFORMIXDIR env varb overflow
    {02.22.028} Cross - Sendmail 8.12.4 released, with security fix
    {02.22.031} Cross - Shoutcast server DJ login overflow
    {02.22.032} Cross - Cisco IDS device manager HTTP file reading
    {02.22.039} Cross - mnews multiple overflows
    {02.22.040} Cross - Squid msntauth module multiple vulnerabilities
    {02.22.043} Cross - slurp log_doit() format string vuln
    {02.22.049} Cross - courier e-mail client year DoS

    --- Windows News -------------------------------------------------------

    *** {02.22.011} Win - CMailServer home dir overflow

    CMailServer version 3.30 contains a bug in the formation of the user's
    home directory string, which could lead to a buffer overflow.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0191.html

    *** {02.22.029} Win - BadBlue Web server unicode % dir browsing

    BadBlue Web server versions 1.7.0 and prior have been reported to
    contain a bug that lets remote attackers browse directories within
    the Webroot by appending a unicode encoded '%' character to the
    URL request.

    The advisory indicates confirmation by the vendor, which has released
    version 1.7.1.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0003.html

    *** {02.22.033} Win - MS02-025: Malformed mail attribute Exchange 2000
                    DoS

    Microsoft has released MS02-025 ("Malformed mail attribute Exchange
    2000 DoS"). A remote attacker can send a malformed mail message to
    the target Exchange 2000 server, which would result in a temporary
    CPU usage of 100%. Repeatedly sending malformed messages can result
    in a denial of service attack.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-025.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q2/0039.html

    *** {02.22.034} Win - JRun ISAPI Host header overflow

    The IIS ISAPI application shipped with Macromedia JRun versions 3.0
    and 3.1 has been found to contain a buffer overflow in the handling of
    large HTTP Host headers, letting a remote attacker execute arbitrary
    code on the system.

    This vulnerability has been confirmed by Macromedia, which has released
    a patch available at:
    http://download.allaire.com/publicdl/en/jrun/31/jrun-31-win-upgrade-us_26414.exe

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0085.html

    *** {02.22.037} Win - Yahoo instant messenger multiple vulns

    Yahoo instant messenger version 5.0.0.1061 has been found to contain
    multiple vulnerabilities: buffer overflows in the various functions
    called by 'ymsgr' URLs, and the capability to execute arbitrary
    javascript/vbscript on the user's system.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0228.html

    *** {02.22.038} Win - Shambala Web/ftp server dir browsing/file
                    retrieval

    Shambala Web/ftp server version 4.5 has been found to contain a bug
    in the FTP service that lets a remote attacker (capable of logging in,
    including as anonymous) access files outside the FTP root directory.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0282.html

    *** {02.22.041} Win - IE gopher support buffer overflow

    A report was released indicating that Internet Explorer versions 5.5
    and 6.0 are vulnerable to a buffer overflow in the handling of gopher
    URLs, letting a malicious Web site or e-mail execute arbitrary code
    on the user's system.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0008.html

    *** {02.22.042} Win - Hawk-I/Logisense CGI login form SQL tampering

    Various Hawk-I/Logisense CGI applications have been found to be
    vulnerable to SQL tampering in the Web login forms. The affected
    applications include Hawk-i Billing, Hawk-i ASP and DNS Manager.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0010.html

    *** {02.22.047} Win - CFXImage showtemp.cfm file reading

    The showtemp.cfm file shipped with Gafware's CFXImage ColdFusion tag
    version 1.6.6 has been found to let a remote attacker view arbitrary
    files on the system by specifying the absolute file location in the
    FILE URL parameter.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0256.html

    --- Linux News ---------------------------------------------------------

    *** {02.22.002} Linux - Update {02.09.020}: Bad SNMP packet crashes
                    ethereal

    Debian has released updated ethereal packages that fix the
    vulnerability discussed in {02.09.020} ("Bad SNMP packet crashes
    ethereal").

    Updated DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2002-q2/0043.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q2/0043.html

    *** {02.22.003} Linux - Update {02.19.005}: ISC DHCPD nsupdate format
                    string vuln

    Mandrake has released updated dhcpd packages that fix the vulnerability
    discussed in {02.19.005} ("ISC DHCPD nsupdate format string vuln").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0280.html

    Source: Mandrake
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0280.html

    *** {02.22.009} Linux - Update {02.19.012}: (uw-)imapd BODY command
                    overflow

    Mandrake has released updated imap packages that fix the vulnerability
    discussed in {02.19.012} ("(uw-)imapd BODY command overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0275.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0275.html

    *** {02.22.017} Linux - Debian netstd utilities DNS response overflows

    An advisory was released indicating the utilities included in the
    Debian netstd package are vulnerable to buffer overflows in the
    handling of malicious DNS responses.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0207.html

    *** {02.22.026} Linux - Update {02.18.023}: Mozilla XMLHttpRequest file
                    disclosure

    Conectiva has released updated mozilla packages that fix the
    vulnerability discussed in {02.18.023} ("Mozilla XMLHttpRequest
    file disclosure").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0021.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0021.html

    *** {02.22.030} Linux - Volution Manager stores password in clear

    Caldera has released an advisory indicating the Volution Manager
    stores the directory administrator's password in cleartext in
    /etc/ldap/slapd.conf.

    This vulnerability has been confirmed and will be fixed in the next
    Volution Manager release.

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0021.html

    *** {02.22.035} Linux - Update {01.30.001}: tcpdump AFS parsing
                    overflow (2)

    SuSE and Red Hat have released updated tcpdump packages that fix the
    vulnerability discussed in {01.30.001} ("tcpdump AFS parsing overflow
    (2)").

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2002-q2/0818.html

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0274.html

    Source: SuSE, Red Hat
    http://archives.neohapsis.com/archives/linux/suse/2002-q2/0818.html
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0274.html

    *** {02.22.036} Linux - Debian in.uucp input string overflow

    Debian has released an advisory indicating that the in.uucp
    authentication agent contains a buffer overflow in the handling of
    large input strings.

    Updated DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2002-q2/0042.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q2/0042.html

    *** {02.22.044} Linux - Ghostscript arbitrary command exec

    Red Hat has released an advisory that indicates it's possible for an
    untrusted postscript file to cause ghostscript to execute arbitrary
    command-line commands under user 'lp' privileges.

    Updated Red Hat RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0018.html

    Source: Red Hat (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0018.html

    *** {02.22.048} Linux - Xandros linux autorun -c displays file contents

    The autorun application shipped with various Xandros-based Linux
    distributions has been found to display the first line of any file
    passed to the '-c' commandline parameter. This could let a local
    attacker read the (encrypted) root password from /etc/shadow.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0260.html

    --- BSD News -----------------------------------------------------------

    *** {02.22.022} BSD - FreeBSD accept filter DoS

    FreeBSD has released an advisory indicating that a bug in the accept
    filter code lets a remote attacker open a small number (approx. 190)
    of connections to the filtered service, which causes it to reject
    any additional incoming connections.

    RELENG_4 and RELENG_4_5 as of May 28, 2002, contain the fixes.

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2002-05/0349.html

    *** {02.22.024} BSD - FreeBSD /etc/rc insecure file deletion

    FreeBSD has released an advisory that indicates the /etc/rc script
    insecurely deletes files in /tmp/, potentially letting a local attacker
    perform a symlink attack and remove files from an arbitrary directory
    the next time the system is rebooted.

    The 4, 4.4, and 4.5 RELENG branches as of May 9, 2002, contain the
    fixed code.

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2002-05/0350.html

    --- Solaris News -------------------------------------------------------

    *** {02.22.050} Sol - snmpdx/mibiisa vulnerabilities

    Sun has released an advisory indicating that the snmpdx service
    contains a remotely exploitable format string vulnerability, and that
    the mibiisa agent contains a remotely exploitable buffer overflow.

    A full list of patches is available at:
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0020.html

    Source: Sun (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0020.html

    --- HP-UX News ---------------------------------------------------------

    *** {02.22.007} HP-UX - swinstall local file viewing

    HP has released a security advisory indicating that the swinstall
    utility lets local users view files they normally do not have
    permission to read. This vulnerability is limited to HP-UX 11.00
    and 11.11.

    Available patches:
    HP-UX 11.00: PHCO_25875
    HP-UX 11.11: PHCO_25887

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q2/0059.html

    --- SGI News -----------------------------------------------------------

    *** {02.22.051} SGI - rpc.passwd vulnerability

    SGI has released an advisory that indicates a vulnerability exists
    in the rpc.passwd application, letting a user gain root access.
    Further details have not been released. IRIX versions 6.5.0 through
    6.5.15 are vulnerable if the optional nfs.sw.nis package is installed.

    The solution is to upgrade to IRIX 6.5.16 or install one of the
    patches listed at:
    http://archives.neohapsis.com/archives/vendor/2002-q2/0044.html

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q2/0044.html

    --- SCO News -----------------------------------------------------------

    *** {02.22.005} SCO - Update {01.05.025}: sort insecure temp file
                    handling

    Caldera has released updated sort packages that fix the vulnerability
    discussed in {01.05.025} ("sort insecure temp file handling").

    Updated binaries are available at:
    ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.21

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0018.html

    *** {02.22.006} SCO - scoadmin insecure temp file use

    Caldera/SCO has released an advisory indicating that the scoadmin
    utility insecurely uses temporary files, letting a local attacker
    perform a symlink attack.

    Updated binaries are available at:
    ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.22

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0019.html

    *** {02.22.008} SCO - FTP PASV connection hijacking

    Caldera/SCO has released an updated FTP daemon that contains a fix to
    prevent a remote attacker from hijacking a passive FTP data connection
    before the legitimate client is able to connect to it.

    Updated binaries are available at:
    ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.23

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0020.html

    *** {02.22.016} SCO - popper large string DoS

    Caldera/SCO has released an advisory that indicates the popper service
    will enter into a loop if it is sent a large (2,048+ characters)
    string, causing a denial of service.

    Updated binaries are available at:
    ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.20

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0017.html

    *** {02.22.045} SCO - crontab command-line param format string vuln

    An advisory was released that indicates the crontab utility shipped
    with OpenServer version 5.0.6 is vulnerable to a format string
    vulnerability in the handling of any command-line parameters. This
    lets a local attacker execute arbitrary code with elevated privileges.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0019.html

    --- Network Appliances News --------------------------------------------

    *** {02.22.018} NApps - Netscreen Web interface large username DoS

    An advisory was released that indicates the Netscreen 25 (other models
    may be affected as well) prior to ScreenOS version 3.0.1r2 contains
    a denial of service whereby a large username submitted to the login
    of the Web interface causes the device to reboot.

    This vulnerability has been confirmed and fixed in ScreenOS version
    3.0.1r2.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0231.html

    *** {02.22.027} NApps - Quantum SnapServer TCP vulnerabilities

    An advisory has surfaced indicating that the Quantum SnapServer
    contains two vulnerabilities in the TCP/IP stack: predictable TCP
    sequence numbers (allowing for request hijacking) and a denial of
    service caused by sending packet fragments.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0268.html

    --- Other News ---------------------------------------------------------

    *** {02.22.012} Other - Tru64 libc LANG and LOCPATH env varb overflow

    Compaq has released SSRT0771U, which details buffer overflows in
    the libc library's handling of the LANG and LOCPATH environment
    variables, letting a local attacker execute arbitrary code with
    elevated privileges.

    Patches and download locations are listed at:
    http://archives.neohapsis.com/archives/tru64/2002-q2/0039.html

    Source: Compaq
    http://archives.neohapsis.com/archives/tru64/2002-q2/0039.html

    *** {02.22.013} Other - Tru64 ypbind dumps core during portscan

    Compaq has released an advisory that indicates the ypbind service will
    core dump when portscanned, resulting in a denial of service attack.

    Patches and download locations are listed at:
    http://archives.neohapsis.com/archives/tru64/2002-q2/0039.html

    Source: Compaq
    http://archives.neohapsis.com/archives/tru64/2002-q2/0039.html

    *** {02.22.014} Other - Tru64 multiple CDE overflows

    Compaq has released an advisory that indicates buffer overflows exist
    in the following CDE components: dtaction, ttsession, dtprintinfo
    and dtspcd. These overflows allow the execution of arbitrary code
    with elevated privileges.

    Patches and download locations are listed at:
    http://archives.neohapsis.com/archives/tru64/2002-q2/0039.html

    Source: Compaq
    http://archives.neohapsis.com/archives/tru64/2002-q2/0039.html

    *** {02.22.015} Other - Tru64 NFS packet flood DoS

    Compaq has released SSRT1-26, which indicates a denial of service
    exists in the NFS/portmap daemon, letting a remote attacker affect
    the availability of NFS services.

    Patches and download locations are listed at:
    http://archives.neohapsis.com/archives/tru64/2002-q2/0039.html

    Source: Compaq
    http://archives.neohapsis.com/archives/tru64/2002-q2/0039.html

    *** {02.22.046} Other - QNX4 suid app file overwriting vuln

    An advisory has surfaced that details a particular bug in QNX4 systems
    whereby a local attacker can use setuid applications to overwrite and
    gain control of arbitrary files on the system. This would allow for
    a local root compromise.

    The confirmation of this vulnerability indicates that it is fixed in
    the QNX6 series, and also that the QNX4 series is retired.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0292.html
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0293.html

    --- Cross-Platform News ------------------------------------------------

    *** {02.22.001} Cross - xchat dns query command exec

    Xchat prior to version 1.8.9 has been found to let a malicious IRC
    server execute arbitrary command-line commands when a user submits
    a DNS query to the server.

    This vulnerability has been confirmed. Updated Red Hat RPMs are
    listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0078.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0078.html

    *** {02.22.004} Cross - BIND 9 internal consistency check DoS

    BIND 9 prior to version 9.2.1 contains a denial of service attack
    whereby a remote attacker sends a malformed DNS packet, which
    causes BIND to fail an internal consistency check and stop serving
    DNS requests.

    Version 9.2.1 fixes the problem. It is available at:
    http://www.isc.org/products/BIND/bind9.html

    Updated Red Hat RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0017.html

    Source: CERT, Red Hat
    http://archives.neohapsis.com/archives/cc/2002-q2/0007.html
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0017.html

    *** {02.22.010} Cross - Swatch throttle code can 'lose' events

    The swatch log file watching utility has been found to contain bugs
    in the throttling code which, under certain conditions, could result
    in swatch ignoring some events indefinitely.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0119.html

    *** {02.22.019} Cross - wbbboard new user registration hijacking

    wbbboard version 1.1.1 has been reported to contain a bug in the
    generation of unique new user registration tokens, letting an attacker
    brute-force all possible values in a short period of time and thus
    take control of newly registered accounts.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0236.html

    *** {02.22.020} Cross - Ethereal multiple vulnerabilities

    Ethereal prior to version 0.9.4 has been found to contain multiple
    vulnerabilities: denial of service attacks in the DNS, GIOP and SMB
    dissectors; a buffer overflow in the X11 dissector.

    These vulnerabilities have been confirmed by the vendor, which has
    released version 0.9.4.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0250.html

    *** {02.22.021} Cross - kismet saytext() command exec and overflow

    Kismet versions 2.2.1 and prior contain two vulnerabilities: a
    command-line overflow in kismet_server that lets local attackers
    execute arbitrary code with elevated privileges; and a bug in
    saytext() that lets a malicious ESSID be passed to the command line,
    potentially causing arbitrary commands to be executed.

    These vulnerabilities have been confirmed and fixed in version 2.2.2.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0259.html

    *** {02.22.023} Cross - Apache Tomcat source.jsp directory browsing

    Apache Tomcat versions 3.24 and prior include the sample source.jsp
    CGI, which has been found to let a remote attacker browse directories
    on the target server.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0265.html

    *** {02.22.025} Cross - sqlexec INFORMIXDIR env varb overflow

    Informix version SE-7.25 has been found to contain a buffer overflow in
    sqlexec's handling of the INFORMIXDIR environment variable, letting
    a local attacker execute arbitrary code with root privileges.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0270.html

    *** {02.22.028} Cross - Sendmail 8.12.4 released, with security fix

    Sendmail version 8.12.4 has been released. Besides the usual bug
    fixes, it includes a security fix that prevents local users from
    performing a denial of service attack against sendmail by exclusively
    locking various sendmail data files.

    The latest sendmail source code is located at:
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.4.tar.Z

    Source: Sendmail
    http://archives.neohapsis.com/archives/sendmail/2002-q2/0002.html

    *** {02.22.031} Cross - Shoutcast server DJ login overflow

    Shoutcast server version 1.8.9 has been reported to contain a buffer
    overflow in the handling of data sent to the DJ service, letting a
    malicious attacker (who has the proper DJ password) execute arbitrary
    code on the system.

    The advisory indicates confirmation by the vendor, which has fixed
    the bug in the upcoming 1.8.12 version.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0016.html

    *** {02.22.032} Cross - Cisco IDS device manager HTTP file reading

    Cisco IDS device manager prior to version 3.1.2 has been reported
    to let a remote attacker read arbitrary files on the sensor
    system by making an HTTP request using reverse directory traversal
    ('..') notation.

    The advisory indicates confirmation by the vendor, which has fixed
    the problem in version 3.1.2.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0214.html

    *** {02.22.039} Cross - mnews multiple overflows

    Mnews version 1.22 has been found to contain many buffer overflows.
    A large handful of the command-line parameters are vulnerable to
    overflowing and may let local attackers execute code with elevated
    privileges. There is also one vulnerability that lets a malicious
    news server execute arbitrary code on the client's system.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0287.html

    *** {02.22.040} Cross - Squid msntauth module multiple vulnerabilities

    The msntauth squid add-on authentication module has been reported to
    contain multiple buffer overflows and format string vulnerabilities
    that would let a remote attacker execute arbitrary code on the
    squid system.

    These vulnerabilities have not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0087.html

    *** {02.22.043} Cross - slurp log_doit() format string vuln

    The slurp NNTP news readers have been found to contain a remotely
    exploitable format string vulnerability in the log_doit() function,
    letting a malicious news server execute arbitrary code on the client
    system.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0014.html

    *** {02.22.049} Cross - courier e-mail client year DoS

    The courier e-mail client version 0.38.1 has been found to contain a
    denial of service in the handling of large dates, which could let a
    malicious e-mail consume abnormal amounts of CPU processing time on
    the client's system.

    The advisory indicates confirmation by the vendor, which has committed
    a fix to CVS.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0295.html

    ************************************************************************

    ----------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).