From: Network Computing and The SANS Institute (sans+ZZ71846533217653926_at_sans.org)
Date: Thu Aug 22 2002 - 15:23:47 CDT



    Re: Your personalized newsletter

                      -- Security Alert Consensus --
                           Number 033 (02.33)
                        Thursday, August 22, 2002
                           Created for you by
                  Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    This issue sponsored by SPI Dynamics

    ALERT: Cyber-Warfare's Weapon of Choice - Web App Attacks. Firewalls, IDS
    and Access Controls don't stop these attacks because hackers using the
    Web application layer are NOT seen as intruders. Learn why 75% of
    today's successful system hacks involve Web App vulnerabilities, not
    network security flaws. Download this *FREE* white paper from SPI
    Dynamics.

    http://www.spidynamics.com/mktg/webappsecurity20

    ----------------------------------------------------------------------

    Many applications, both clients and servers, are not properly checking
    the constraints of SSL certificates. Attackers can use their normally
    signed certificate to sign other certificates, basically acting like a
    'quasi-certificate authority,' even though their original certificates
    are constrained as end-user/host certificates. The end result is that
    attackers can sign arbitrary certificates and vulnerable applications
    will believe them valid. Vulnerable applications reported in this issue
    include the Tinyssl library ({02.33.005}), KDE Konqueror ({02.33.043})
    and Microsoft IIS ({02.33.041}).
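    The check the affected products skipped, as an added example that is not
    part of this newsletter or of any product it mentions: the Go program
    below uses only crypto/x509 and constructed ECDSA test certificates to
    build a trusted root, an end-entity certificate issued by it, and a
    certificate signed by that end-entity key. A signature-only verifier
    accepts the forged chain exactly as described above, while the same walk
    with the basicConstraints check rejects it, as does the standard library's
    Verify. Names and serial numbers are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certTemplate returns a minimal template whose basicConstraints extension is
// present, with cA asserted only when isCA is set (RFC 5280, 4.2.1.9).
func certTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // constructed test names
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mustIssue signs tmpl with parentKey on behalf of parent (nil parent: self-signed).
// CreateCertificate does not refuse a non-CA parent, so an end-entity key can "issue" here.
func mustIssue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// scenario: a trusted root, the end-entity cert it issued, and a cert that the
// end-entity key signed as though it were a CA (the case this issue describes).
type scenario struct{ root, leaf, rogue *x509.Certificate }

func buildScenario() *scenario {
	root, rootKey := mustIssue(certTemplate("Test Root CA", 1, true), nil, nil)
	leaf, leafKey := mustIssue(certTemplate("alice (end entity)", 2, false), root, rootKey)
	rogue, _ := mustIssue(certTemplate("administrator (forged)", 3, false), leaf, leafKey)
	return &scenario{root, leaf, rogue}
}

// Chains are leaf-first, as a peer presents them; the root is trusted out of band.
func (s *scenario) legitChain() []*x509.Certificate { return []*x509.Certificate{s.leaf} }
func (s *scenario) rogueChain() []*x509.Certificate { return []*x509.Certificate{s.rogue, s.leaf} }

// issuerMayCertify is the check the affected products skipped. A complete
// implementation also requires keyCertSign when a keyUsage extension is present.
func issuerMayCertify(c *x509.Certificate) bool { return c.BasicConstraintsValid && c.IsCA }

// chainOK verifies each certificate's signature with its issuer's key. With
// enforceConstraints=false it reproduces the flaw: valid signatures, no CA check.
func chainOK(chain []*x509.Certificate, root *x509.Certificate, enforceConstraints bool) bool {
	issuers := append(append([]*x509.Certificate{}, chain[1:]...), root) // chain[i] signed by issuers[i]
	for i, c := range chain {
		if (enforceConstraints && !issuerMayCertify(issuers[i])) ||
			issuers[i].CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) != nil {
			return false
		}
	}
	return true
}

// libraryChainOK runs crypto/x509's full path validation for comparison.
func libraryChainOK(chain []*x509.Certificate, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

func main() {
	s := buildScenario()
	for name, chain := range map[string][]*x509.Certificate{"legit": s.legitChain(), "rogue": s.rogueChain()} {
		fmt.Printf("%s chain: naive=%v constrained=%v crypto/x509=%v\n", name,
			chainOK(chain, s.root, false), chainOK(chain, s.root, true), libraryChainOK(chain, s.root))
	}
}
```

    The same walk succeeds for the legitimate chain under all three checkers,
    so the constraint check adds no false rejections here.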

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************


    TABLE OF CONTENTS:

    {02.33.004} Win - Midicart CGI database exposure
    {02.33.019} Win - MS02-042: Network Connection Manager callback code
                execution
    {02.33.020} Win - MS02-043: SQL Server cumulative patch
    {02.33.029} Win - WebEasyMail SMTP and POP vulnerabilities
    {02.33.038} Win - IE Help and Support Center protocol file deletion
    {02.33.039} Win - NTFS hard links obfuscate file auditing logs
    {02.33.041} Win - IIS 5.0 ignores SSL cert basic constraints
    {02.33.042} Win - MS SQL Agent file modification
    {02.33.045} Win - Kerio Mail Server multiple DoS and CSS vulnerabilities
    {02.33.047} Win - Trillian IRC module multiple vulnerabilities
    {02.33.050} Win - MyWebServer multiple vulnerabilities
    {02.33.051} Win - IE File Transfer Manager control vulnerabilities
    {02.33.011} Linux - Update {02.32.017}: xinetd signal pipe descriptor
                DoS
    {02.33.013} Linux - Update {02.22.004}: BIND 9 internal consistency
                check DoS
    {02.33.015} Linux - Update {02.22.001}: xchat dns query command
                execution
    {02.33.016} Linux - Update {02.19.017}: uudecode insecure output file
                handling
    {02.33.022} Linux - Update {02.29.004}: libpng progressive image
                loading overflows
    {02.33.030} Linux - Update {01.27.039}: PHP mail() command may bypass
                safe_mode
    {02.33.033} Linux - Update {02.26.002}: DNS libresolve/resolver buffer
                overflow
    {02.33.040} BSD - FreeBSD system call signed parameter vulnerabilities
    {02.33.026} NW - NetBasic CGI handler multiple vulnerabilities
    {02.33.027} NW - Perl CGI handler multiple vulnerabilities
    {02.33.001} HPUX - HPUX 11.x ptrace() kernel panic
    {02.33.003} HPUX - Update {02.29.011}: PHP multipart POST request
                DoS/overflow
    {02.33.006} HPUX - HPUX 11.04 passwd vulnerability
    {02.33.010} HPUX - TGA daemon buffer overflow
    {02.33.012} SGI - Update {01.35.012}: Adobe Acrobat/libCoolType creates
                world-writable AdobeFnt.lst file
    {02.33.037} SGI - IRIX on Origin 3000 changes MAC
    {02.33.049} SGI - IRIX ftpd minor vulnerabilities
    {02.33.034} NApps - Gateway GS-400 NAS default password
    {02.33.002} Cross - HP EMANATE exposes SNMP community string
    {02.33.005} Cross - Tinyssl ignores SSL certificate basic constraints
    {02.33.007} Cross - L-Forum CGI search.php SQL injection
    {02.33.008} Cross - Update {02.32.029}: rpc.ttdbserverd
                _TT_CREATE_FILE() heap overflow
    {02.33.009} Cross - Oracle listener control format string vulnerability
    {02.33.014} Cross - Web Shop Manager CGI search command execution
    {02.33.017} Cross - Update {02.31.009}: RPC XDR array decoding overflow
    {02.33.018} Cross - PHP-affiliate CGI details2.php arbitrary user
                editing
    {02.33.021} Cross - FUDForum CGI file manipulation
    {02.33.023} Cross - Steelarrow cookie and chunked overflows
    {02.33.024} Cross - Multiple Postgres function buffer overflows
    {02.33.025} Cross - Mantis CGI suite multiple vulns
    {02.33.028} Cross - Jigsaw proxy server query CSS vulnerability
    {02.33.031} Cross - CERN HTTP server query CSS vulnerability
    {02.33.032} Cross - l2tpd weak randomness
    {02.33.035} Cross - Perl 5.6.x glob() overflows
    {02.33.036} Cross - Oracle 9i SQL*NET DoS
    {02.33.043} Cross - KDE Konqueror ignores SSL certificate basic
                constraints
    {02.33.044} Cross - nCipher C_Verify function always returns valid
    {02.33.046} Cross - scponly environment circumvents restrictions
    {02.33.048} Cross - Shoutcast server administrative password log
                retrieval

    --- Windows News -------------------------------------------------------

    *** {02.33.004} Win - Midicart CGI database exposure

    The Midicart shopping cart CGI suite reportedly uses a database located
    in the remotely accessible Web root that allows a remote attacker to
    download the database of orders.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0074.html

    *** {02.33.019} Win - MS02-042: Network Connection Manager callback
                    code execution

    Microsoft released MS02-042 ("Network Connection Manager callback code
    execution"). The Network Connection Manager shipped with Windows 2000
    allows the user to specify the execution of a callback function when
    a network connection is established. Unfortunately, this function is
    executed with local system privileges, thus allowing a local attacker
    to gain administrative/system access.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-042.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0086.html

    *** {02.33.020} Win - MS02-043: SQL Server cumulative patch

    Microsoft released MS02-043 ("SQL Server cumulative patch"). This
    cumulative patch fixes all known problems to date in MS SQL Server
    7.0 and 2000 as well as in MSDE 1.0 and 2000. It also fixes a new bug,
    whereby an attacker capable of running stored procedures can execute
    arbitrary SQL with administrative privileges.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-043.asp

    Source: Microsoft (NTBugtraq)
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0087.html

    *** {02.33.029} Win - WebEasyMail SMTP and POP vulnerabilities

    The WebEasyMail suite version 3.4.2.2 contains a format string
    vulnerability in the handling of SMTP commands. It also contains an
    information disclosure bug in the POP service that allows a remote
    attacker to brute force valid user names.

    These vulnerabilities are not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0197.html

    *** {02.33.038} Win - IE Help and Support Center protocol file deletion

    Windows XP running Internet Explorer 6.x comes with a 'Help and
    Support Center' software feature that is a suite of help-related
    files and functions used both internally by Windows XP and externally
    by Web sites. However, a bug allows a malicious Web site (or e-mail)
    to delete arbitrary files on the user's system by tricking the user's
    browser into making a particular request.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0129.html

    *** {02.33.039} Win - NTFS hard links obfuscate file auditing logs

    An advisory indicates it's possible for a local attacker to use NTFS
    hard links to obfuscate file auditing logs. Basically, the
    logs will contain entries for an arbitrary file name rather than the
    actual file name, so it may not be apparent which file is the target
    of the various audited events.

    The advisory indicates confirmation by the vendor, which released a
    fix in Windows 2000 SP3.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0080.html

    *** {02.33.041} Win - IIS 5.0 ignores SSL cert basic constraints

    IIS 5.0 prior to Windows 2000 SP3 ignores the basic constraints
    on client certificates, potentially allowing a remote attacker to
    present what appear to be valid, trusted SSL certificates to IIS
    for authentication.

    The advisory indicates confirmation by the vendor, which included a
    fix in Windows 2000 SP3.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0167.html

    *** {02.33.042} Win - MS SQL Agent file modification

    MS SQL Server versions 7 and 2000 reportedly contain a bug in the way
    users can submit jobs to the SQL agent. Basically, they can specify
    a file for the output that will overwrite any existing file already
    on the file system.

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0084.html

    *** {02.33.045} Win - Kerio Mail Server multiple DoS and CSS
                    vulnerabilities

    Kerio Mail Server version 5.0 reportedly contains multiple cross-site
    scripting and denial of service vulnerabilities. Sending SYNs to all
    listening Kerio Mail services triggers the DoS. Multiple Webmail URLs
    are vulnerable to the CSS vulnerabilities.

    These vulnerabilities are not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0183.html

    *** {02.33.047} Win - Trillian IRC module multiple vulnerabilities

    An advisory indicates that Trillian version 0.73 has a buffer
    overflow in the handling of the PING response by the IRC module as
    well as format string handling errors in IRC invite responses. These
    bugs may allow a malicious server to execute arbitrary code on the
    user's system.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0479.html
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0489.html

    *** {02.33.050} Win - MyWebServer multiple vulnerabilities

    MyWebServer version 1.0.2 reportedly contains three vulnerabilities:
    a buffer overflow in the search functionality, which may allow remote
    execution of arbitrary code; a cross-site scripting bug in the handling
    of nonexistent URL requests; and disclosure of the physical path.

    These vulnerabilities are not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0077.html

    *** {02.33.051} Win - IE File Transfer Manager control vulnerabilities

    The Microsoft File Transfer Manager ActiveX control is a
    Microsoft-signed control used for handling file downloads from premium
    Microsoft sites. The control contains a buffer overflow that could
    lead to the execution of arbitrary code. It also allows a remote Web
    site to schedule file uploads and downloads without user intervention.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0189.html

    --- Linux News ---------------------------------------------------------

    *** {02.33.011} Linux - Update {02.32.017}: xinetd signal pipe
                    descriptor DoS

    Gentoo released updated makefiles to fix the vulnerability discussed
    in {02.32.017} ("xinetd signal pipe descriptor DoS").

    Gentoo users should rebuild the xinetd package ('emerge xinetd').

    Source: Gentoo (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0120.html

    *** {02.33.013} Linux - Update {02.22.004}: BIND 9 internal consistency
                    check DoS

    Mandrake released updated bind packages to fix the vulnerability
    discussed in {02.22.004} ("BIND 9 internal consistency check DoS").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0128.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0128.html

    *** {02.33.015} Linux - Update {02.22.001}: xchat dns query command
                    execution

    Mandrake released updated xchat packages to fix the vulnerability
    discussed in {02.22.001} ("xchat dns query command execution").

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0136.html

    *** {02.33.016} Linux - Update {02.19.017}: uudecode insecure output
                    file handling

    Mandrake released updated shar-util packages to fix the vulnerability
    discussed in {02.19.017} ("uudecode insecure output file handling").

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0137.html

    *** {02.33.022} Linux - Update {02.29.004}: libpng progressive image
                    loading overflows

    Red Hat and Mandrake released updated libpng packages to fix the
    vulnerability discussed in {02.29.004} ("libpng progressive image
    loading overflows").

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0052.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0118.html

    Source: Red Hat, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0052.html
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0118.html

    *** {02.33.030} Linux - Update {01.27.039}: PHP mail() command may
                    bypass safe_mode

    Red Hat rereleased updated PHP packages to fix the vulnerability
    discussed in {01.27.039} ("PHP mail() command may bypass safe_mode").

    Updated RPMs are listed at the reference URL below.

    Source: Red Hat
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0198.html

    *** {02.33.033} Linux - Update {02.26.002}: DNS libresolve/resolver
                    buffer overflow

    Mandrake and Trustix released updated glibc packages to fix the
    vulnerability discussed in {02.26.002} ("DNS libresolve/resolver
    buffer overflow").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0116.html

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0117.html

    Source: Mandrake, Trustix (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0116.html
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0117.html

    --- BSD News -----------------------------------------------------------

    *** {02.33.040} BSD - FreeBSD system call signed parameter
                    vulnerabilities

    A FreeBSD advisory indicates various system calls, including accept(),
    getsockname(), getpeername() and a particular ioctl(), do not properly
    handle signed parameters, potentially exposing kernel memory.

    CVS branches as of Aug. 13, 2002, contain the fixes.

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2002-08/0094.html

    --- NetWare News -------------------------------------------------------

    *** {02.33.026} NW - NetBasic CGI handler multiple vulnerabilities

    A Novell advisory indicates the NetBasic handler shipped with various
    Web services included with Netware 5.1 and 6.0 contains multiple
    vulnerabilities, including a buffer overflow and the ability to
    execute arbitrary NSN scripts on the SYS volume.

    Patch information is available at:
    http://support.novell.com/servlet/tidfinder/2963297

    Source: Novell (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0199.html

    *** {02.33.027} NW - Perl CGI handler multiple vulnerabilities

    A Novell advisory indicates the Perl handler shipped with various
    Web services included with Netware 5.1 and 6.0 contains multiple
    vulnerabilities, including the ability to execute arbitrary Perl
    scripts via an HTTP POST request and to execute Perl scripts outside
    the Web root.

    A patch is available at:
    http://support.novell.com/servlet/tidfinder/2963307

    Source: Novell (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0202.html

    --- HP-UX News ---------------------------------------------------------

    *** {02.33.001} HPUX - HPUX 11.x ptrace() kernel panic

    HP released patches to fix a vulnerability that allows a local attacker
    to use ptrace() to cause a system panic, thereby leaving the system
    in an unusable state.

    Apply the appropriate patch:
    HPUX 11.00: PHKL_27180
    HPUX 11.04: PHKL_27536
    HPUX 11.11: PHKL_27179

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q3/0041.html

    *** {02.33.003} HPUX - Update {02.29.011}: PHP multipart POST request
                    DoS/overflow

    HP released updated Apache packages for HPUX 11.x to fix the
    vulnerability discussed in {02.29.011} ("PHP multipart POST request
    DoS/overflow").

    Updated packages are available at:
    http://www.software.hp.com/ISS_products_list.html

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q3/0041.html

    *** {02.33.006} HPUX - HPUX 11.04 passwd vulnerability

    HP released a security patch for HPUX 11.04 to fix a security
    vulnerability in the passwd utility. Details were not provided.

    HPUX 11.04 users need to apply patch PHCO_27373.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q3/0049.html

    *** {02.33.010} HPUX - TGA daemon buffer overflow

    An HP advisory indicates the TGA daemon shipped with HPUX 11.04
    contains a buffer overflow that allows an attacker to access system
    files. Further details were not provided.

    HP released various patches, depending on the installed version of
    the VirtualVault package:
    VirtualVault A.04.00: PHSS_27499
    VirtualVault A.04.50: PHSS_27500
    VirtualVault A.04.60: PHSS_27501

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q3/

    --- SGI News -----------------------------------------------------------

    *** {02.33.012} SGI - Update {01.35.012}: Adobe Acrobat/libCoolType
                    creates world-writable AdobeFnt.lst file

    SGI released updates to fix the vulnerability discussed in {01.35.012}
    ("Adobe Acrobat/libCoolType creates world-writable AdobeFnt.lst file").

    The proper solution is to update to IRIX version 6.5.19. However, the
    reference URL below also has a workaround for earlier IRIX versions.

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q3/0040.html

    *** {02.33.037} SGI - IRIX on Origin 3000 changes MAC

    When a version of IRIX prior to 6.5.13 is upgraded to 6.5.13 or later,
    the Ethernet MAC address on Origin 3000 systems changes. This may
    affect sites that do filtering/firewalling based on MAC addresses.

    SGI confirmed this problem, which is fixed in IRIX 6.5.17.

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q3/0039.html

    *** {02.33.049} SGI - IRIX ftpd minor vulnerabilities

    An SGI advisory indicates the FTP daemon shipped with IRIX prior to
    6.5.17 contains two previously reported minor security bugs.

    To fix the bugs, SGI recommends upgrading to 6.5.17. Patches for
    earlier IRIX versions will not be released.

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q3/0037.html

    --- Network Appliances News --------------------------------------------

    *** {02.33.034} NApps - Gateway GS-400 NAS default password

    The Gateway GS-400 NAS server comes preinstalled with a default
    root password and does not offer any method to change it. Thus,
    remote attackers can potentially telnet to the device (on port 1023)
    and compromise the system.

    The advisory indicates the vendor does not support the product; thus,
    a fix will not be released.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0126.html
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0132.html

    --- Cross-Platform News ------------------------------------------------

    *** {02.33.002} Cross - HP EMANATE exposes SNMP community string

    An HP advisory indicates EMANATE version 14.2 contains a vulnerability
    that allows a remote attacker to recover the SNMP community string,
    potentially exposing sensitive information.

    HP released patches:
    Win NT/2k: NNM_00936
    HPUX 10.20: PHSS_27569
    HPUX 11.X: PHSS_27570
    Solaris 2.6,7,8: PSOV_03193

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q3/0041.html

    *** {02.33.005} Cross - Tinyssl ignores SSL certificate basic
                    constraints

    The Tinyssl library prior to version 1.03 ignores the basic constraints
    on client certificates, potentially allowing a remote attacker to
    present what appear to be valid, trusted SSL certificates to the
    application using Tinyssl.

    This vulnerability is confirmed and fixed in version 1.03, available
    at:
    http://www.xwt.org/tinyssl/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0096.html

    *** {02.33.007} Cross - L-Forum CGI search.php SQL injection

    The L-Forum CGI suite is vulnerable to SQL tampering in the handling
    of the search parameter passed to the search.php script. Multiple
    cross-site scripting vulnerabilities also are reported.

    The vendor confirmed this vulnerability and released an update.

    Source: VulnWatch, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0074.html
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0115.html

    *** {02.33.008} Cross - Update {02.32.029}: rpc.ttdbserverd
                    _TT_CREATE_FILE() heap overflow

    IBM and Caldera/SCO released updates to fix the vulnerability discussed
    in {02.32.029} ("rpc.ttdbserverd _TT_CREATE_FILE() heap overflow").

    AIX users need to apply the appropriate APAR:
    AIX 4.3.3: IY32792
    AIX 5.1.0: IY32793

    SCO UnixWare and OpenUnix updates are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q3/0011.html

    Source: IBM, Caldera/SCO
    http://archives.neohapsis.com/archives/aix/2002-q3/0010.html
    http://archives.neohapsis.com/archives/linux/caldera/2002-q3/0011.html

    *** {02.33.009} Cross - Oracle listener control format string
                    vulnerability

    The Oracle listener control utility contains a format string
    vulnerability, potentially allowing an attacker to execute arbitrary
    code on the administrator's system, which runs the remote listener
    control utility.

    The vendor confirmed this vulnerability and released more information,
    available at:
    http://otn.oracle.com/deploy/security/pdf/2002alert40rev1.pdf

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0076.html

    *** {02.33.014} Cross - Web Shop Manager CGI search command execution

    The Web Shop Manager CGI suite version 1.1 reportedly contains a
    vulnerability in the handling of the search parameters that allows
    a remote attacker to execute arbitrary command-line commands under
    the privileges of the Web server.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0130.html

    *** {02.33.017} Cross - Update {02.31.009}: RPC XDR array decoding
                    overflow

    Multiple vendors released updates to fix the vulnerability discussed
    in {02.31.009} ("RPC XDR array decoding overflow").

    Updated Red Hat RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0050.html

    SGI IRIX patches are listed at:
    http://archives.neohapsis.com/archives/vendor/2002-q3/0042.html

    Source: Red Hat, SGI
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0050.html
    http://archives.neohapsis.com/archives/vendor/2002-q3/0042.html

    *** {02.33.018} Cross - PHP-affiliate CGI details2.php arbitrary user
                    editing

    The PHP-affiliate CGI suite version 1.0 reportedly does not correctly
    verify hidden parameters passed to the details2.php script. This
    allows a remote attacker to edit arbitrary users' information.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0141.html

    *** {02.33.021} Cross - FUDForum CGI file manipulation

    The FUDForum CGI suite prior to version 2.2.0 contains vulnerabilities
    in the tmp_view.php and admbrowse.php scripts that allow a remote
    attacker to read and potentially manipulate files outside the Web root.

    The vendor confirmed these vulnerabilities and released version 2.2.0.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0082.html

    *** {02.33.023} Cross - Steelarrow cookie and chunked overflows

    Tomahawk's Steelarrow contains two buffer overflows (one in the
    handling of cookies and one in the handling of chunked client
    requests) that could allow a remote attacker to execute arbitrary
    code on the system.

    The advisory indicates vendor confirmation. Fixes are available at:
    http://www.steelarrow.com/

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0085.html

    *** {02.33.024} Cross - Multiple Postgres function buffer overflows

    Multiple advisories indicate that various buffer overflows exist in
    the Postgres database version 7.2. The overflows exist in the lpad(),
    rpad(), repeat() and cash_words() functions.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0169.html
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0204.html
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0205.html

    *** {02.33.025} Cross - Mantis CGI suite multiple vulns

    Advisories from the Mantis developers detail many security
    vulnerabilities in the Mantis PHP CGI suite, including SQL tampering,
    bypassing of the limit_reporters option, viewing of private projects,
    arbitrary PHP code execution and arbitrary file reading. Versions
    prior to 0.17.4 are vulnerable.

    The solution is to update to version 0.17.4.

    Debian released updated DEBs, listed at:
    http://archives.neohapsis.com/archives/vendor/2002-q3/0043.html

    Source: SecurityFocus Bugtraq, Debian
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0184.html
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0186.html
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0177.html
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0187.html
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0176.html
    http://archives.neohapsis.com/archives/vendor/2002-q3/0043.html

    *** {02.33.028} Cross - Jigsaw proxy server query CSS vulnerability

    The W3C Jigsaw HTTP proxy server prior to version 2.2.1 is vulnerable
    to cross-site scripting in the handling of nonexistent URL requests.

    This vulnerability is fixed in version 2.2.1.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0190.html

    *** {02.33.031} Cross - CERN HTTP server query CSS vulnerability

    The CERN HTTP server version 3.0A is vulnerable to cross-site scripting
    in the handling of nonexistent URL requests.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0097.html

    *** {02.33.032} Cross - l2tpd weak randomness

    The l2tpd daemon prior to version 0.68 does not properly generate
    random data, thereby causing the randomness to be predictable. This
    decreases the security of various cryptographic components, including
    the generation of the authentication challenge.

    The vendor confirmed this vulnerability and released version
    0.68. Updates are available at:
    http://www.l2tpd.org/

    Updated Debian DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2002-q3/0036.html

    Source: SecurityFocus Bugtraq, Debian
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0102.html
    http://archives.neohapsis.com/archives/vendor/2002-q3/0036.html

    *** {02.33.035} Cross - Perl 5.6.x glob() overflows

    Perl 5.6.0 and 5.6.1 reportedly use a glob() function that is
    vulnerable to a buffer overflow. This overflow is similar to the
    multivendor FTP glob overflow reported in years past.

    This vulnerability is not confirmed. The post indicates the glob()
    functionality in version 5.8.0 is corrected.

    Source: LSAP
    http://archives.neohapsis.com/archives/linux/lsap/2002-q3/0014.html

    *** {02.33.036} Cross - Oracle 9i SQL*NET DoS

    An ISS advisory indicates it's possible to crash the SQL*NET listener
    service by remotely sending a malformed request. Oracle 9.0.x and
    9.2 are reported as vulnerable.

    These vulnerabilities are not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0072.html

    *** {02.33.043} Cross - KDE Konqueror ignores SSL certificate basic
                    constraints

    The KDE Konqueror prior to version 3.0.3 ignores the basic constraints
    on client certificates, potentially allowing a remote attacker to
    present what appear to be valid, trusted SSL certificates to the
    user's browser.

    This vulnerability is confirmed and fixed in version 3.0.3.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0170.html

    *** {02.33.044} Cross - nCipher C_Verify function always returns valid

    The C_Verify function shipped in the nCipher cryptographic library
    always indicates that a symmetric signature is valid, even if it is
    invalid. Products based on this library using the affected function
    are vulnerable.

    The vendor confirmed this vulnerability. Updates are available by
    contacting nCipher.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0172.html
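
    A defect like the one reported above (a verify routine that reports
    "valid" for every input) is easy to catch with a negative test before a
    library goes into production. The following is an added example, not
    nCipher's code or API: an HMAC-SHA256 "symmetric signature" built from
    the Python standard library, a deliberately broken verifier that models
    the reported behaviour, and a soundness harness that accepts a verifier
    only if it confirms the genuine tag and rejects several forgeries. The
    key and message are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable

Verifier = Callable[[bytes, bytes, bytes], bool]


def hmac_sign(key: bytes, msg: bytes) -> bytes:
    """Symmetric 'signature': HMAC-SHA256 tag over msg under key."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def hmac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Correct verifier: recompute and compare in constant time."""
    return hmac.compare_digest(hmac_sign(key, msg), tag)


def broken_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Models the reported defect: reports 'valid' unconditionally."""
    return True


def verify_is_sound(verify: Verifier, key: bytes, msg: bytes, tag: bytes) -> bool:
    """True only if verify accepts the genuine (msg, tag) pair and rejects
    every forgery in the list below. A verifier that always returns True
    (or always False) fails this harness."""
    if not verify(key, msg, tag):
        return False
    flipped = bytes([tag[0] ^ 0x01]) + tag[1:]   # one bit changed in the tag
    forgeries = [
        (msg, flipped),                  # tampered tag
        (msg, tag[:-1]),                 # truncated tag
        (msg, bytes(len(tag))),          # all-zero tag
        (msg + b"x", tag),               # tampered message, genuine tag
        (b"", tag),                      # tag replayed on a different message
    ]
    return not any(verify(key, m, t) for m, t in forgeries)


def self_test(verify: Verifier) -> bool:
    """Run the harness against a fresh random key and a constructed message."""
    key = secrets.token_bytes(32)
    msg = b"constructed sample message for the verifier self-test"
    return verify_is_sound(verify, key, msg, hmac_sign(key, msg))


if __name__ == "__main__":
    print("hmac_verify sound:", self_test(hmac_verify))
    print("broken_verify sound:", self_test(broken_verify))
```

    The point of the harness is that a verifier is only trusted once it has
    been seen to say "no"; a deployment test that feeds a valid signature
    and checks for "yes" cannot distinguish a working verifier from one that
    has been stubbed out.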

    *** {02.33.046} Cross - scponly environment circumvents restrictions

    The scponly utility, used to limit users to only using scp/sftp,
    contains a bug that potentially allows a user to upload an environment
    file to their .ssh directory and to circumvent the restrictions
    scponly is supposed to enforce.

    This vulnerability is not confirmed. Third-party workarounds are
    explained in the reference URL below.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0200.html

    *** {02.33.048} Cross - Shoutcast server administrative password log
                    retrieval

    Nullsoft Shoutcast server version 1.8.9 reportedly logs the
    administrative password in clear text in the shoutcast logs. This
    may allow a local user to recover the password.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0017.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9ZUZO+LUG5KFpTkYRAhNtAJ9RRFjHNAI3FxoJJFXDb9dDhEQ2NQCdH7zn
    zCT6+tIXn/ZeiKMVOgZwm98=
    =DGOB
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).