 
From: Network Computing and The SANS Institute (sans+ZZ73747511099734077_at_sans.org)
Date: Thu Jul 25 2002 - 15:01:02 CDT



    Re: Your personalized newsletter

                      -- Security Alert Consensus --
                            Number 029 (02.29)
                        Thursday, July 25, 2002
                           Created for you by
                  Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    This issue sponsored by SPI Dynamics

    Aberdeen Alert! Using ports 80 and 443 as expressways through network
    firewalls, hackers are free to probe and breach Web applications! How
    can you combat this problem? Get the latest recommendations from
    Aberdeen in this FREE Research Report!
    http://www.spidynamics.com/mktg/aberdeen1

    ----------------------------------------------------------------------

    The security industry was left shaking in its boots last week after
    Symantec announced three notable acquisitions: Recourse Technologies,
    Riptech and SecurityFocus. We are told the information lists hosted
    by SecurityFocus (many of which are used to compose this newsletter)
    will not be affected, so the information flow in the security industry
    hopefully will remain uninterrupted.

    An interesting post surfaced this week detailing the shortcomings of
    Adobe's eBook products. Essentially, a user can override the copy,
    print and lending limitations built into the reader. You have to
    wonder if attempting to control users' interaction with a document is a
    lesson in futility in an environment where users have complete control.
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0228.html

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.29.001} Win - Jigsaw DOS dev request path exposure/DoS
    {02.29.002} Win - Macromedia Sitespring et parameter CSS
    {02.29.003} Win - Resin DOS device physical path disclosure
    {02.29.007} Win - MERCUR Mailserver password field overflow
    {02.29.015} Win - SecureCRT server version string overflow
    {02.29.017} Win - Pablo FTP server file root escape
    {02.29.005} Linux - Update {02.27.004}: Squid 2.4.STABLE7 released,
                with security fixes
    {02.29.009} Linux - Update {02.26.003}: Apache mod_ssl off by one
                configuration directive overflow
    {02.29.006} HPUX - ISEE allows access to restricted files
    {02.29.010} HPUX - Update {02.22.004}: BIND 9 internal consistency
                check DoS
    {02.29.013} SCO - Update {02.22.045}: crontab command-line parameter
                format string vulnerability
    {02.29.004} Cross - libpng progressive image loading overflows
    {02.29.008} Cross - Oracle reports rwcgi60 CGI information disclosure
    {02.29.011} Cross - PHP multipart POST request DoS/overflow
    {02.29.012} Cross - Update {02.23.019}: TrACESroute -T parameter format
                string vulnerability
    {02.29.014} Cross - phpwiki CGI page name parameter CSS vulnerability
    {02.29.016} Cross - wwwoffle negative content len field overflow
    {02.29.018} Cross - MailMax popmax USER arg overflow

    --- Windows News -------------------------------------------------------

    *** {02.29.001} Win - Jigsaw DOS dev request path exposure/DoS

    Jigsaw Webserver prior to version 2.2.1 Dev/2.2/20020711 discloses
    the physical path when a remote attacker makes multiple requests for
    /aux. Multiple requests for /servlet/con will also result in a denial
    of service condition.

    The vendor confirmed this vulnerability and released an update,
    which is available at:
    http://jigsaw.w3.org/Devel/classes-2.2/20020711/

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0028.html
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0031.html

    *** {02.29.002} Win - Macromedia Sitespring et parameter CSS

    Macromedia Sitespring version 1.2.0(277.1) contains a cross-site
    scripting vulnerability in the handling of the 'et' URL parameter
    passed to the 500error.jsp script.

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0029.html

    *** {02.29.003} Win - Resin DOS device physical path disclosure

    Resin Webserver version 2.1.2 displays the physical path of the
    Webroot in error messages generated from URL requests for DOS device
    file names.

    The vendor confirmed this vulnerability and released version
    2.1.s020711.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0030.html

    *** {02.29.007} Win - MERCUR Mailserver password field overflow

    The control service shipped with MERCUR Mailserver version 4.2 contains
    a buffer overflow in the handling of large passwords, which allows
    a remote attacker to execute arbitrary code on the system.

    This vulnerability is not confirmed. An exploit was published.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0195.html

    *** {02.29.015} Win - SecureCRT server version string overflow

    The SecureCRT SSH client contains a buffer overflow in the handling of
    large SSH server version strings, which allows a malicious SSH server
    to execute arbitrary code on the SecureCRT user's system. Versions
    3.4 and 4.0beta are reportedly vulnerable.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0247.html

    *** {02.29.017} Win - Pablo FTP server file root escape

    Pablo FTP server build 9 and prior allows a remote attacker capable of
    logging into the FTP service to browse directories outside the FTP root
    by using reverse directory traversal ('..') notation in FTP commands.

    The advisory indicates confirmation by the vendor, which released
    build 10, available at:
    http://www.pablovandermeer.nl/ftp_server.html

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0035.html
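    The Pablo FTP item above is the classic root-escape pattern: a
    client-supplied path containing '..' is handed to the filesystem
    without first being confined to the FTP root. The routine below is an
    added example, not the Pablo server's own code, of the lexical check
    an FTP server can apply to every path argument before any filesystem
    call. Paths are treated as virtual (the FTP root is "/"), both '/' and
    '\' count as separators because Windows accepts either, and a '..'
    that would climb above the root is refused outright rather than
    silently clamped, so the attempt can be logged. MAX_DEPTH and the
    cwd/argument conventions are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Pablo FTP server code: confine a client-supplied
 * path to the FTP root before any filesystem call. Paths are virtual
 * ("/" is the FTP root), '/' and '\\' are both separators, and a ".."
 * that would climb above the root is rejected outright so the server
 * can log the attempt. MAX_DEPTH is an assumed limit on path components. */
#define MAX_DEPTH 64

/* Returns 1 and writes the normalised virtual path into out (outsz bytes)
 * when the path stays inside the root; returns 0 when it would escape
 * or does not fit. */
int confine_path(const char *cwd, const char *arg, char *out, size_t outsz)
{
    const char *segs[MAX_DEPTH];
    size_t lens[MAX_DEPTH];
    int depth = 0;
    char combined[1024];
    const char *p;
    size_t used = 0;
    int n, i;

    /* An absolute argument replaces the working directory; a relative
     * one is appended to it. Refuse anything that does not fit. */
    if (arg[0] == '/' || arg[0] == '\\')
        n = snprintf(combined, sizeof combined, "%s", arg);
    else
        n = snprintf(combined, sizeof combined, "%s/%s", cwd, arg);
    if (n < 0 || (size_t)n >= sizeof combined)
        return 0;

    /* Walk the components, resolving "." and ".." lexically. */
    for (p = combined; *p != '\0'; ) {
        const char *start;
        size_t len;
        while (*p == '/' || *p == '\\')
            p++;
        if (*p == '\0')
            break;
        start = p;
        while (*p != '\0' && *p != '/' && *p != '\\')
            p++;
        len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return 0;            /* ".." at the root: escape attempt */
            depth--;
            continue;
        }
        if (depth == MAX_DEPTH)
            return 0;
        segs[depth] = start;
        lens[depth] = len;
        depth++;
    }

    /* Rebuild the confined path with '/' separators. */
    if (outsz < 2)
        return 0;
    if (depth == 0) {
        strcpy(out, "/");
        return 1;
    }
    for (i = 0; i < depth; i++) {
        if (used + 1 + lens[i] + 1 > outsz)
            return 0;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 1;
}

/* Convenience wrapper: the confined path in a static buffer, or NULL
 * when the request must be refused. */
const char *resolve_or_null(const char *cwd, const char *arg)
{
    static char resolved[512];
    return confine_path(cwd, arg, resolved, sizeof resolved) ? resolved : NULL;
}

int main(void)
{
    /* Constructed sample FTP path arguments, relative to cwd "/pub". */
    const char *samples[] = { "readme.txt", "docs/../readme.txt", "..",
                              "../../secret.txt", "..\\..\\secret.txt" };
    size_t k;
    for (k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        const char *r = resolve_or_null("/pub", samples[k]);
        printf("%-24s -> %s\n", samples[k], r ? r : "REFUSED (escapes root)");
    }
    return 0;
}
```

    The confined virtual path is what the server should join to the real
    root directory; a second defence is to canonicalise the resulting
    on-disk path (realpath on POSIX, GetFullPathName on Windows) and
    check that it still has the root as a prefix, which also catches
    symbolic-link tricks that a purely lexical check cannot see.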

    --- Linux News ---------------------------------------------------------

    *** {02.29.005} Linux - Update {02.27.004}: Squid 2.4.STABLE7 released,
                    with security fixes

    Mandrake released updated squid packages, which fix the vulnerability
    discussed in {02.27.004} ("Squid 2.4.STABLE7 released, with security
    fixes").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0192.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0192.html

    *** {02.29.009} Linux - Update {02.26.003}: Apache mod_ssl off by one
                    configuration directive overflow

    HP released updated mod_ssl packages, which fix the vulnerability
    discussed in {02.26.003} ("Apache mod_ssl off by one configuration
    directive overflow"). The updates apply to HP's Secure OS software
    for Linux.

    Apply patch HPTL_00024.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q3/0018.html

    --- HP-UX News ---------------------------------------------------------

    *** {02.29.006} HPUX - ISEE allows access to restricted files

    HP released an advisory indicating that the ISEE (Instant Support
    Enterprise Edition) package allows local users to gain access to
    restricted files. HPUX 11.00 and 11.11 are vulnerable.

    HP released patch PHSS27411, which fixes the problem.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q3/0023.html

    *** {02.29.010} HPUX - Update {02.22.004}: BIND 9 internal consistency
                    check DoS

    HP released updated BIND packages, which fix the vulnerability
    discussed in {02.22.004} ("BIND 9 internal consistency check DoS").

    HP released file set BIND920v2. For more information, please see the
    reference URL below.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q3/0022.html

    --- SCO News -----------------------------------------------------------

    *** {02.29.013} SCO - Update {02.22.045}: crontab command-line
                    parameter format string vulnerability

    Caldera/SCO released updated cron packages, which fix the vulnerability
    discussed in {02.22.045} ("crontab command-line parameter format
    string vulnerability").

    Updated binaries are available at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q3/0006.html

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q3/0006.html

    --- Cross-Platform News ------------------------------------------------

    *** {02.29.004} Cross - libpng progressive image loading overflows

    Conectiva released an advisory indicating that the libpng libraries
    contain a buffer overflow in the functions used to handle progressive
    image loading, potentially allowing a malformed PNG graphic to execute
    arbitrary code on the user's system. Other platforms/distributions
    may be vulnerable, too.

    Updated Conectiva RPMs are listed (in Spanish) at:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0009.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0009.html

    *** {02.29.008} Cross - Oracle reports rwcgi60 CGI information
                    disclosure

    The rwcgi60 CGI shipped with Oracle Reports discloses various
    configuration values, including physical paths and environment
    information, to a remote attacker.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0203.html

    *** {02.29.011} Cross - PHP multipart POST request DoS/overflow

    PHP 4.2.x versions prior to 4.2.2 contain a buffer overflow in the
    handling of multipart POST requests, which results in either a denial
    of service or the potential execution of arbitrary code.

    The vendor confirmed this vulnerability and released version 4.2.2.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0034.html

    *** {02.29.012} Cross - Update {02.23.019}: TrACESroute -T parameter
                    format string vulnerability

    The vendor released an updated version of tracesroute/NANOG traceroute,
    which fixes the vulnerability discussed in {02.23.019} ("TrACESroute
    -T parameter format string vulnerability").

    The updated code is available at:
    ftp://ftp.login.com/pub/software/traceroute/beta/traceroute.c

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0254.html

    *** {02.29.014} Cross - phpwiki CGI page name parameter CSS
                    vulnerability

    The PostNuke phpwiki CGI module contains a cross-site scripting
    vulnerability in the handling of the page name URL parameter.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0190.html

    *** {02.29.016} Cross - wwwoffle negative content len field overflow

    Version 2.7b of the wwwoffle (WWW Offline Explorer) application
    incorrectly handles negative content-length HTTP headers, which
    results in a denial of service and a potential overflow that would
    allow a malicious HTTP server to execute arbitrary code.

    This vulnerability is not confirmed. A third-party patch is available
    at the reference URL below.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0194.html
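    The wwwoffle item above is a signed/unsigned confusion: a
    Content-Length header parsed into a signed integer and then used as a
    size, where a negative value becomes an enormous unsigned length when
    it reaches the allocator or read loop. The code below is an added
    example, not wwwoffle's own code, of validating an untrusted
    Content-Length before it is used as a size: negative, empty,
    non-numeric, overflowing and over-policy values are each refused with
    a distinct verdict, and allocation happens only after the check.
    MAX_BODY is an assumed site policy limit.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not wwwoffle code: validate an untrusted Content-Length
 * header value before it is used as a size. A negative value must never
 * reach malloc or a read loop (where it becomes a huge size_t); the
 * header is also rejected if it is empty, non-numeric, does not fit, or
 * exceeds MAX_BODY, an assumed per-site policy limit. */
#define MAX_BODY ((unsigned long long)16 * 1024 * 1024)

enum cl_status { CL_OK = 0, CL_EMPTY, CL_NEGATIVE, CL_NOT_NUMERIC, CL_TOO_LARGE };

enum cl_status parse_content_length(const char *value, size_t *out)
{
    const char *p = value;
    char *end;
    unsigned long long n;

    if (value == NULL)
        return CL_EMPTY;
    while (*p == ' ' || *p == '\t')          /* optional leading whitespace */
        p++;
    if (*p == '\0')
        return CL_EMPTY;
    if (*p == '-')
        return CL_NEGATIVE;                  /* the wwwoffle failure mode */
    if (!isdigit((unsigned char)*p))
        return CL_NOT_NUMERIC;               /* also rejects "+", which strtoull would accept */

    errno = 0;
    n = strtoull(p, &end, 10);
    if (errno == ERANGE)
        return CL_TOO_LARGE;                 /* overflowed unsigned long long */
    while (*end == ' ' || *end == '\t')      /* optional trailing whitespace */
        end++;
    if (*end != '\0')
        return CL_NOT_NUMERIC;               /* junk after the digits */
    if (n > MAX_BODY)
        return CL_TOO_LARGE;

    *out = (size_t)n;                        /* n <= MAX_BODY, so this cannot truncate */
    return CL_OK;
}

/* Verdict only, for callers that do not need the size. */
enum cl_status cl_check(const char *value)
{
    size_t n;
    return parse_content_length(value, &n);
}

/* Parsed size, or 0 when the header is rejected. */
size_t cl_size(const char *value)
{
    size_t n;
    return parse_content_length(value, &n) == CL_OK ? n : 0;
}

/* Allocate the body buffer only after validation; NULL means "refuse
 * the response" and *status says why. */
char *alloc_body(const char *content_length, enum cl_status *status)
{
    size_t len;
    *status = parse_content_length(content_length, &len);
    if (*status != CL_OK)
        return NULL;
    return calloc(len + 1, 1);               /* len <= MAX_BODY, so len + 1 cannot wrap */
}

int main(void)
{
    /* Constructed header values, as a hostile or buggy server might send them. */
    const char *samples[] = { "1234", "  42\t", "-1", "-2147483648", "12abc",
                              "", "99999999999999999999999" };
    static const char *names[] = { "ok", "empty", "negative", "not numeric", "too large" };
    size_t k;
    for (k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("Content-Length: %-26s -> %s\n", samples[k], names[cl_check(samples[k])]);
    return 0;
}
```

    The same shape applies to any length or count field taken from the
    wire: parse into an unsigned type wide enough for the protocol, refuse
    a sign, refuse trailing junk, and bound the result by policy before
    it is ever used for allocation or as a loop limit.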

    *** {02.29.018} Cross - MailMax popmax USER arg overflow

    The popmax POP server included with MailMax version 4.8 contains a
    buffer overflow in the handling of the USER command, which allows a
    remote attacker to execute arbitrary code on the system.

    This vulnerability is not confirmed. An exploit was published.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0245.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9QFbz+LUG5KFpTkYRAlk5AJ0QcRPa+yP7mAor2k3NZlFQYvY10gCfd0GS
    cSJqlXslurAXmbX0f97tMiU=
    =0rag
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------


    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).