From: Network Computing and The SANS Institute (sans+ZZ96805574218843624@sans.org)
Date: Thu Jun 13 2002 - 13:52:26 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 023 (02.23)
Thursday, June 13, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
Sponsored by Symantec
TechQuiz: Intrusion Detection
Test your expertise when it comes to tracking down crafty hackers by
taking our TechQuiz. This is your last chance to outsmart our technical
editors on this topic, so don't delay! By answering all the questions
correctly, you could win a color Palm handheld from our sponsor,
Symantec.
http://www.nwc.com/techquiz/
----------------------------------------------------------------------
This week's issue leaves a lot of vendors catching up from the large
barrage of problems that surfaced last week. What's interesting is
that this week Windows camps will see their very first .NET security
patch from Microsoft (item {02.23.012}).
We also wanted to take this opportunity to elaborate on last
week's Sendmail DoS vulnerability (item {02.22.028}).
Basically, a general class of denial of service attack has been
pointed out in which a local user takes an exclusive lock on a
critical file that a service needs, so that the service blocks or
fails when it later tries to lock that file itself. Any application
that uses the standard file-locking APIs on files local users are
able to open is potentially subject to this DoS. At this point it is
impossible to enumerate every vulnerable application, so we will
instead report them as they are discovered and patched, much like
other vulnerabilities. Those curious about the technical details
can read the following post:
http://archives.neohapsis.com/archives/bugtraq/2002-05/0212.html
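The locking behaviour behind this class of DoS, shown as an added
example; this is not code from the newsletter or from the Bugtraq post
it references. It assumes Linux/BSD flock() semantics and constructs a
throwaway "service file" under /tmp (falling back to the current
directory). The point it demonstrates: flock() hands out an exclusive
lock to any descriptor, even one opened read-only, so a local user who
can merely read the file can keep the service from locking it, whereas
a POSIX fcntl() write lock is refused on a read-only descriptor.

```c
/* Added demonstration of the file-locking DoS class described above.
 * Hypothetical code; assumes Linux/BSD flock() semantics and creates a
 * constructed, world-readable file to stand in for a service's file. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a world-readable, owner-writable "service file" (think pid file
 * or alias database). Returns a descriptor or -1. */
static int make_service_file(char *path, size_t len)
{
    snprintf(path, len, "/tmp/lockdos-XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0) {                              /* fall back to the cwd */
        snprintf(path, len, "./lockdos-XXXXXX");
        fd = mkstemp(path);
        if (fd < 0) return -1;
    }
    if (fchmod(fd, 0644) != 0 || write(fd, "demo\n", 5) != 5) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* "Local user": open read-only and take an exclusive flock(). The kernel
 * does not check the open mode for flock(), so read access is enough.
 * Returns the descriptor (the lock lives as long as it is open) or -1. */
int attacker_lock_readonly(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (flock(fd, LOCK_EX | LOCK_NB) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* "Service": open for writing and try its usual exclusive lock without
 * blocking. Returns 0 if the lock was obtained, otherwise errno
 * (EWOULDBLOCK when another holder is in the way). A service using a
 * blocking flock() here would simply hang instead. */
int service_try_lock(const char *path)
{
    int fd = open(path, O_RDWR);
    if (fd < 0) return errno;
    if (flock(fd, LOCK_EX | LOCK_NB) != 0) {
        int e = errno;
        close(fd);
        return e;
    }
    close(fd);                                 /* close() releases the lock */
    return 0;
}

/* Contrast: a POSIX write lock (fcntl F_WRLCK) needs a descriptor open for
 * writing; on a read-only descriptor the kernel refuses with EBADF.
 * Returns 0 if the lock was granted, otherwise errno. */
int posix_writelock_readonly(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return errno;
    struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET,
                        .l_start = 0, .l_len = 0 };
    int e = (fcntl(fd, F_SETLK, &fl) == 0) ? 0 : errno;
    close(fd);
    return e;
}

/* Run the scenario end to end. Returns 1 if the read-only attacker lock
 * blocked the service and the service recovered once the attacker closed
 * the file, 0 otherwise, -1 on setup failure. *posix_err receives the
 * fcntl() contrast result (EBADF expected). */
int file_lock_dos_demo(int *posix_err)
{
    char path[64];
    int sfd = make_service_file(path, sizeof path);
    if (sfd < 0) return -1;
    close(sfd);

    int blocked = 0;
    int afd = attacker_lock_readonly(path);
    if (afd >= 0) {
        blocked = (service_try_lock(path) == EWOULDBLOCK);
        close(afd);                            /* attacker releases */
    }
    int recovered = (service_try_lock(path) == 0);
    *posix_err = posix_writelock_readonly(path);
    unlink(path);
    return blocked && recovered;
}

int main(void)
{
    int perr = 0;
    int r = file_lock_dos_demo(&perr);
    printf("read-only flock() blocked the service: %s\n", r == 1 ? "yes" : "no");
    printf("fcntl F_WRLCK on a read-only fd: %s\n",
           perr == EBADF ? "refused (EBADF)" : "allowed");
    return r == 1 ? 0 : 1;
}
```

The practical checks that follow from this: audit which files a daemon
flock()s, make sure those files (or the directory holding a dedicated
lock file) are not readable by untrusted local users, and prefer
non-blocking lock attempts with a timeout so a held lock produces a
logged error rather than a silent hang.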
Until next week,
- Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{02.23.012} Win - MS02-026: ASP.NET worker process overflow DoS
{02.23.015} Win - BlackICE does not reactivate after suspend on laptops
{02.23.016} Win - eDonkey 2000 client large URL overflow
{02.23.023} Win - Seanox DevWex HTTP server '..' file retrieval
{02.23.001} Linux - Update {02.22.020}: Ethereal multiple
vulnerabilities
{02.23.003} Linux - Update {02.22.001}: xchat dns query command exec
{02.23.004} Linux - Update {02.22.044}: Ghostscript arbitrary command
exec
{02.23.005} Linux - Update {02.19.012}: (uw-)imapd BODY command overflow
{02.23.006} Linux - Update {01.30.001}: tcpdump AFS parsing overflow (2)
{02.23.007} Linux - Update {02.21.013}: Mailman multiple CSS vulns
{02.23.008} Linux - Red Hat 7.x accepts remote print jobs by default
{02.23.019} Linux - TrACESroute -T parameter format string vuln
{02.23.010} SGI - IRIX talkd format string vuln
{02.23.011} SGI - Update {02.04.022}: xkas icon file symlink exposure
{02.23.020} SGI - MediaMail can be forced to core dump
{02.23.009} SCO - Update {02.06.011}: Multi-vendor SNMP problems
{02.23.013} NApps - Multiple Red-M 1050 bluetooth AP vulns
{02.23.014} NApps - Telindus 11xx router provides plaintext password
{02.23.002} Cross - Update {02.22.004}: BIND 9 internal consistency
check DoS
{02.23.017} Cross - PHPReactor browse.php CGI CSS vuln
{02.23.018} Cross - Splatt forum CGI IMG tag CSS vuln
{02.23.021} Cross - Voxel CBMS CGI multiple CSS and SQL injection vulns
{02.23.022} Cross - Bugzilla 2.14.1 multiple vulnerabilities
{02.23.024} Cross - MyHelpdesk CGI multiple CSS and SQL injection vulns
{02.23.025} Cross - GeekLog CGI multiple CSS and SQL injection vulns
{02.23.026} Cross - Datalex BookIt! stores passwords in cookies
{02.23.027} Cross - AlienForm2 CGI template path filtering vuln
- --- Windows News -------------------------------------------------------
*** {02.23.012} Win - MS02-026: ASP.NET worker process overflow DoS
Microsoft has released MS02-026 ("ASP.NET worker process overflow
DoS"). The ASP.NET worker process, when session state is kept in
StateServer mode, contains a buffer overflow which a malicious cookie
can trigger to make the process restart, discarding all currently
active sessions (and their associated data).
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-026.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q2/0046.html
*** {02.23.015} Win - BlackICE does not reactivate after suspend on
laptops
BlackICE version 3.1 EAL has been found not to reactivate itself
properly after a laptop comes out of suspend mode, leaving the
system unprotected.
This vulnerability has been confirmed and corrected in version 3.1 EBH,
available from the vendor.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0090.html
*** {02.23.016} Win - eDonkey 2000 client large URL overflow
eDonkey 2000 file sharing application prior to version 35.16.61 has
been found to contain a buffer overflow in the handling of URLs
contained in malicious websites/emails. The buffer overflow may
allow the execution of arbitrary code.
This vulnerability has been confirmed by the vendor, who has released
version 35.16.61.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0032.html
*** {02.23.023} Win - Seanox DevWex HTTP server '..' file retrieval
Seanox DevWex versions prior to 1.2002.0601 have been found to be
vulnerable to URL requests containing '..' notation, allowing a remote
attacker to access files outside the webroot. A denial of service
was also reported.
The advisory indicates the vendor has confirmed the problem and
released version 1.2002.0601.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0056.html
- --- Linux News ---------------------------------------------------------
*** {02.23.001} Linux - Update {02.22.020}: Ethereal multiple
vulnerabilities
Red Hat has released updated ethereal packages, which fix the
vulnerability discussed in {02.22.020} ("Ethereal multiple
vulnerabilities").
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0091.html
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0091.html
*** {02.23.003} Linux - Update {02.22.001}: xchat dns query command exec
Red Hat has released updated xchat packages, which fix the
vulnerability discussed in {02.22.001} ("xchat dns query command
exec").
Updated Red Hat RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0086.html
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0086.html
*** {02.23.004} Linux - Update {02.22.044}: Ghostscript arbitrary
command exec
Red Hat has released updated ghostscript packages, which fix the
vulnerability discussed in {02.22.044} ("Ghostscript arbitrary
command exec").
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0087.html
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0087.html
*** {02.23.005} Linux - Update {02.19.012}: (uw-)imapd BODY command
overflow
EnGarde has released updated imapd packages, which fix the
vulnerability discussed in {02.19.012} ("(uw-)imapd BODY command
overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/engarde/2002-q2/0007.html
Source: EnGarde
http://archives.neohapsis.com/archives/linux/engarde/2002-q2/0007.html
*** {02.23.006} Linux - Update {01.30.001}: tcpdump AFS parsing
overflow (2)
Multiple vendors have released updated tcpdump packages, which fix the
vulnerability discussed in {01.30.001} ("tcpdump AFS parsing overflow
(2)").
Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-06/0038.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0022.html
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0022.html
Source: Caldera, Conectiva, Trustix (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-06/0038.html
http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0022.html
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0022.html
*** {02.23.007} Linux - Update {02.21.013}: Mailman multiple CSS vulns
Red Hat has released updated mailman packages, which fix the
vulnerability discussed in {02.21.013} ("Mailman multiple CSS vulns").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0093.html
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0094.html
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0093.html
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0094.html
*** {02.23.008} Linux - Red Hat 7.x accepts remote print jobs by default
Red Hat has released an advisory which indicates the default
configuration of LPRng shipped with Red Hat 7.x distributions allows
remote users to submit print jobs to the system.
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0095.html
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0095.html
*** {02.23.019} Linux - TrACESroute -T parameter format string vuln
TrACESroute version 6.0 GOLD has been reported to contain a format
string vulnerability in the handling of the -T command line parameter,
potentially allowing a local attacker to execute arbitrary code with
elevated privileges.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0040.html
- --- SGI News -----------------------------------------------------------
*** {02.23.010} SGI - IRIX talkd format string vuln
SGI has released an advisory which indicates the talkd daemon shipped
with IRIX 6.5.0 through 6.5.9 contains a remotely-exploitable format
string vulnerability.
The correct solution is to update to IRIX 6.5.10 or later.
Source: SGI
http://archives.neohapsis.com/archives/vendor/2002-q2/0049.html
*** {02.23.011} SGI - Update {02.04.022}: xkas icon file symlink
exposure
SGI has released a solution, which fixes the vulnerability discussed
in {02.04.022} ("xkas icon file symlink exposure").
SGI recommends manually removing the world write permission from
/var/adm/appletalk/icons.
Source: SGI
http://archives.neohapsis.com/archives/vendor/2002-q2/0050.html
*** {02.23.020} SGI - MediaMail can be forced to core dump
SGI has released an advisory which indicates the MediaMail application
can be forced by a local attacker to core dump, which could have
security implications (probably via a symlink attack).
MediaMail is a retired product, so SGI's solution is to remove it
from the system.
Source: SGI
http://archives.neohapsis.com/archives/vendor/2002-q2/0047.html
- --- SCO News -----------------------------------------------------------
*** {02.23.009} SCO - Update {02.06.011}: Multi-vendor SNMP problems
Caldera/SCO has released updated snmp packages, which fix the
vulnerability discussed in {02.06.011} ("Multi-vendor SNMP problems").
Updated binaries are located at:
ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.25
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0024.html
- --- Network Appliances News --------------------------------------------
*** {02.23.013} NApps - Multiple Red-M 1050 bluetooth AP vulns
An advisory was released that indicates multiple vulnerabilities exist
in the Red-M 1050 bluetooth access point: management web server DoS,
password weaknesses, PPP DoS, session storage weakness, and device
broadcast identification. For details please see the reference
URL below.
The advisory indicates the vendor has confirmed the problems and is
currently working on updated firmware.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0089.html
*** {02.23.014} NApps - Telindus 11xx router provides plaintext password
The Telindus 11xx series of routers has been found to send the
plaintext administrative password in a UDP response to a generic
router probe, potentially allowing attackers to recover the password
and gain access to the router.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0028.html
- --- Cross-Platform News ------------------------------------------------
*** {02.23.002} Cross - Update {02.22.004}: BIND 9 internal consistency
check DoS
Multiple vendors have released updated bind9 packages, which fix the
vulnerability discussed in {02.22.004} ("BIND 9 internal consistency
check DoS").
Updated Caldera/SCO binaries located at:
ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.24
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0085.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0025.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2002-q2/0905.html
Source: Caldera/SCO, Red Hat, Conectiva, SuSE
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0023.html
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0085.html
http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0025.html
http://archives.neohapsis.com/archives/linux/suse/2002-q2/0905.html
*** {02.23.017} Cross - PHPReactor browse.php CGI CSS vuln
The PHPReactor CGI suite version 1.2.7 has been found to contain a
cross-site scripting vulnerability in the browse.php script's handling
of the 'comments' form field.
This vulnerability has been confirmed by the vendor, who has released
version 1.2.7pl1.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0034.html
*** {02.23.018} Cross - Splatt forum CGI IMG tag CSS vuln
Splatt forum CGI suite version 3.0 has been found to contain a
cross-site scripting vulnerability in the handling of the IMG tag.
This vulnerability has been confirmed by the vendor, who has released
version 3.1.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0091.html
*** {02.23.021} Cross - Voxel CBMS CGI multiple CSS and SQL injection
vulns
An advisory was released that indicates Voxel's CBMS CGI suite
contains multiple cross-site scripting and SQL injection holes.
The details of the vulnerabilities were not released.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0043.html
*** {02.23.022} Cross - Bugzilla 2.14.1 multiple vulnerabilities
Bugzilla prior to 2.14.2 and 2.16rc2 contain multiple vulnerabilities,
which include cross-site scripting, potential SQL tampering, and
sensitive data disclosure.
Versions 2.14.2 and 2.16rc2 fix the problems.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html
*** {02.23.024} Cross - MyHelpdesk CGI multiple CSS and SQL injection
vulns
The MyHelpdesk CGI suite has been found to contain multiple
cross-site scripting and SQL injection vulnerabilities. For details
please see the reference URL below.
The advisory indicates the vendor has confirmed the problems.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0057.html
*** {02.23.025} Cross - GeekLog CGI multiple CSS and SQL injection vulns
The GeekLog CGI suite version 1.3.5 and prior has been found to contain
multiple cross-site scripting and SQL injection vulnerabilities.
For details please see the reference URL below.
The advisory indicates the vendor has confirmed the problems.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0058.html
*** {02.23.026} Cross - Datalex BookIt! stores passwords in cookies
Datalex BookIt! prior to version 2.2 has been found to insecurely
store user credentials (username and password) in plaintext cookies
transmitted over normal HTTP. This could potentially allow for the
information to be sniffed/recovered.
The advisory indicates the vendor has confirmed the problem and
released version 2.2.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0063.html
*** {02.23.027} Cross - AlienForm2 CGI template path filtering vuln
The AlienForm2 CGI version 1.5 has been found to incorrectly filter
out bad characters from the template path URL parameter, potentially
allowing a remote attacker to view arbitrary files on the system
(readable by the webserver), and write data out to local files.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0068.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE9COfo+LUG5KFpTkYRAhEsAJwNaVskTGQgLB2R/uRscYqUuXbFhwCcDf3J
BlS+bv2Qsw28aOwIlxdGUlA=
=8mfa
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).