From: Network Computing and The SANS Institute (sans+ZZ71846533217653926_at_sans.org)
Date: Thu Aug 22 2002 - 15:23:47 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 033 (02.33)
Thursday, August 22, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
This issue sponsored by SPI Dynamics
ALERT: Cyber-Warfare's Weapon of Choice - Web App Attacks. Firewalls, IDS
and Access Controls don't stop these attacks because hackers using the
Web application layer are NOT seen as intruders. Learn why 75% of
today's successful system hacks involve Web App vulnerabilities, not
network security flaws. Download this *FREE* white paper from SPI
Dynamics.
http://www.spidynamics.com/mktg/webappsecurity20
----------------------------------------------------------------------
Many applications, both clients and servers, do not properly check
the basic constraints of SSL certificates. An attacker whose own
certificate was legitimately signed by a trusted CA can use its key to
sign further certificates, in effect acting as a 'quasi-certificate
authority,' even though that certificate is constrained to
end-user/host use. The end result is that attackers can sign arbitrary
certificates and vulnerable applications will accept them as valid.
Vulnerable applications reported in this issue include the Tinyssl
library ({02.33.005}), KDE Konqueror ({02.33.043}) and Microsoft IIS
({02.33.041}).
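To make the mechanism concrete, here is an added Go example; it is not part of the newsletter and is not code from Tinyssl, Konqueror or IIS. It builds three certificates in memory: a trusted root, an end-entity certificate issued by that root with basicConstraints cA=FALSE, and a third certificate signed with the end-entity's private key. A verifier that only checks signatures accepts the third certificate; one that also requires cA=TRUE at every issuer position rejects it, as does Go's own crypto/x509 chain builder. All names (Demo Root CA, end-entity.example, spoofed.example) and keys are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ChainDemo holds three certificates generated in memory (constructed demo data):
//   Root  - trusted CA, basicConstraints present with cA=TRUE
//   Leaf  - end-entity certificate issued by Root, cA=FALSE
//   Rogue - certificate signed with Leaf's private key (the "quasi-CA" trick)
type ChainDemo struct {
	Root, Leaf, Rogue *x509.Certificate
}

// ErrNotCA is returned when a certificate that is not marked as a CA
// appears in an issuer position of the chain.
var ErrNotCA = errors.New("issuer is not a CA: basicConstraints cA flag not asserted")

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails if the system RNG is unavailable
	}
	return k
}

// newTemplate returns a minimal v3 template with the basicConstraints
// extension present and its cA boolean set to isCA.
func newTemplate(serial int64, cn string, isCA bool) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true, // extension is present ...
		IsCA:                  isCA, // ... and this is its cA value
	}
}

// makeCert signs tmpl with signer (the key behind parent) and parses the result.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain generates Root, Leaf and Rogue.
func BuildChain() (*ChainDemo, error) {
	rootKey, leafKey, rogueKey := newKey(), newKey(), newKey()
	rootTmpl := newTemplate(1, "Demo Root CA", true)
	root, err := makeCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, err
	}
	leaf, err := makeCert(newTemplate(2, "end-entity.example", false), root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	// Signed by the end-entity's key: the signature is cryptographically sound,
	// but the signer is not a CA. Only the verifier can refuse this.
	rogue, err := makeCert(newTemplate(3, "spoofed.example", false), leaf, &rogueKey.PublicKey, leafKey)
	if err != nil {
		return nil, err
	}
	return &ChainDemo{Root: root, Leaf: leaf, Rogue: rogue}, nil
}

// walkChain validates target against path (target's issuer first, trusted
// root last). With checkCA=false it behaves like the vulnerable
// implementations: every signature verifies, so the chain is accepted.
func walkChain(target *x509.Certificate, path []*x509.Certificate, checkCA bool) error {
	cur := target
	for _, issuer := range path {
		// RFC 5280 4.2.1.9: a key may verify certificate signatures only if
		// basicConstraints is present AND cA is TRUE. An absent extension
		// leaves BasicConstraintsValid false, so both cases are rejected.
		if checkCA && !(issuer.BasicConstraintsValid && issuer.IsCA) {
			return ErrNotCA
		}
		// CheckSignature is the bare signature check; it applies no
		// basicConstraints or keyUsage policy of its own.
		if err := issuer.CheckSignature(cur.SignatureAlgorithm, cur.RawTBSCertificate, cur.Signature); err != nil {
			return err
		}
		cur = issuer
	}
	return nil
}

// NaiveVerify checks signatures only and therefore accepts the rogue chain.
func NaiveVerify(d *ChainDemo) error {
	return walkChain(d.Rogue, []*x509.Certificate{d.Leaf, d.Root}, false)
}

// StrictVerify adds the cA check at every issuer and rejects the rogue chain.
func StrictVerify(d *ChainDemo) error {
	return walkChain(d.Rogue, []*x509.Certificate{d.Leaf, d.Root}, true)
}

// LegitimateLeaf shows the strict check still accepts a properly issued certificate.
func LegitimateLeaf(d *ChainDemo) error {
	return walkChain(d.Leaf, []*x509.Certificate{d.Root}, true)
}

// StdlibVerify shows that crypto/x509's chain builder enforces the same rule.
func StdlibVerify(d *ChainDemo) error {
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(d.Root)
	intermediates.AddCert(d.Leaf)
	_, err := d.Rogue.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	d, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("legitimate leaf, strict check:  ", LegitimateLeaf(d))
	fmt.Println("rogue cert, signatures only:    ", NaiveVerify(d))
	fmt.Println("rogue cert, with cA check:      ", StrictVerify(d))
	fmt.Println("rogue cert, crypto/x509 Verify: ", StdlibVerify(d))
}
```

The check belongs at every issuer position, not only at the root: the rogue certificate chains cryptographically all the way up to the trusted root, so a verifier that stops after confirming the signatures has no way to tell it apart from a legitimately issued one.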
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{02.33.004} Win - Midicart CGI database exposure
{02.33.019} Win - MS02-042: Network Connection Manager callback code
execution
{02.33.020} Win - MS02-043: SQL Server cumulative patch
{02.33.029} Win - WebEasyMail SMTP and POP vulnerabilities
{02.33.038} Win - IE Help and Support Center protocol file deletion
{02.33.039} Win - NTFS hard links obfuscate file auditing logs
{02.33.041} Win - IIS 5.0 ignores SSL cert basic constraints
{02.33.042} Win - MS SQL Agent file modification
{02.33.045} Win - Kerio Mail Server multiple DoS and CSS vulnerabilities
{02.33.047} Win - Trillian IRC module multiple vulnerabilities
{02.33.050} Win - MyWebServer multiple vulnerabilities
{02.33.051} Win - IE File Transfer Manager control vulnerabilities
{02.33.011} Linux - Update {02.32.017}: xinetd signal pipe descriptor
DoS
{02.33.013} Linux - Update {02.22.004}: BIND 9 internal consistency
check DoS
{02.33.015} Linux - Update {02.22.001}: xchat dns query command
execution
{02.33.016} Linux - Update {02.19.017}: uudecode insecure output file
handling
{02.33.022} Linux - Update {02.29.004}: libpng progressive image
loading overflows
{02.33.030} Linux - Update {01.27.039}: PHP mail() command may bypass
safe_mode
{02.33.033} Linux - Update {02.26.002}: DNS libresolve/resolver buffer
overflow
{02.33.040} BSD - FreeBSD system call signed parameter vulnerabilities
{02.33.026} NW - NetBasic CGI handler multiple vulnerabilities
{02.33.027} NW - Perl CGI handler multiple vulnerabilities
{02.33.001} HPUX - HPUX 11.x ptrace() kernel panic
{02.33.003} HPUX - Update {02.29.011}: PHP multipart POST request
DoS/overflow
{02.33.006} HPUX - HPUX 11.04 passwd vulnerability
{02.33.010} HPUX - TGA daemon buffer overflow
{02.33.012} SGI - Update {01.35.012}: Adobe Acrobat/libCoolType creates
world-writable AdobeFnt.lst file
{02.33.037} SGI - IRIX on Origin 3000 changes MAC
{02.33.049} SGI - IRIX ftpd minor vulnerabilities
{02.33.034} NApps - Gateway GS-400 NAS default password
{02.33.002} Cross - HP EMANATE exposes SNMP community string
{02.33.005} Cross - Tinyssl ignores SSL certificate basic constraints
{02.33.007} Cross - L-Forum CGI search.php SQL injection
{02.33.008} Cross - Update {02.32.029}: rpc.ttdbserverd
_TT_CREATE_FILE() heap overflow
{02.33.009} Cross - Oracle listener control format string vulnerability
{02.33.014} Cross - Web Shop Manager CGI search command execution
{02.33.017} Cross - Update {02.31.009}: RPC XDR array decoding overflow
{02.33.018} Cross - PHP-affiliate CGI details2.php arbitrary user
editing
{02.33.021} Cross - FUDForum CGI file manipulation
{02.33.023} Cross - Steelarrow cookie and chunked overflows
{02.33.024} Cross - Multiple Postgres function buffer overflows
{02.33.025} Cross - Mantis CGI suite multiple vulns
{02.33.028} Cross - Jigsaw proxy server query CSS vulnerability
{02.33.031} Cross - CERN HTTP server query CSS vulnerability
{02.33.032} Cross - l2tpd weak randomness
{02.33.035} Cross - Perl 5.6.x glob() overflows
{02.33.036} Cross - Oracle 9i SQL*NET DoS
{02.33.043} Cross - KDE Konqueror ignores SSL certificate basic
constraints
{02.33.044} Cross - nCipher C_Verify function always returns valid
{02.33.046} Cross - scponly environment circumvents restrictions
{02.33.048} Cross - Shoutcast server administrative password log
retrieval
- --- Windows News -------------------------------------------------------
*** {02.33.004} Win - Midicart CGI database exposure
The Midicart shopping cart CGI suite reportedly uses a database located
in the remotely accessible Web root that allows a remote attacker to
download the database of orders.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-08/0074.html
*** {02.33.019} Win - MS02-042: Network Connection Manager callback
code execution
Microsoft released MS02-042 ("Network Connection Manager callback code
execution"). The Network Connection Manager shipped with Windows 2000
allows the user to specify the execution of a callback function when
a network connection is established. Unfortunately, this function is
executed with local system privileges, thus allowing a local attacker
to gain administrative/system access.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-042.asp
Source: Microsoft
http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0086.html
*** {02.33.020} Win - MS02-043: SQL Server cumulative patch
Microsoft released MS02-043 ("SQL Server cumulative patch"). This
cumulative patch fixes all known problems to date in MS SQL Server
7.0 and 2000 as well as in MSDE 1.0 and 2000. It also fixes a new bug,
whereby an attacker capable of running stored procedures can execute
arbitrary SQL with administrative privileges.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-043.asp
Source: Microsoft (NTBugtraq)
http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0087.html
*** {02.33.029} Win - WebEasyMail SMTP and POP vulnerabilities
The WebEasyMail suite version 3.4.2.2 contains a format string
vulnerability in the handling of SMTP commands. It also contains an
information disclosure bug in the POP service that allows a remote
attacker to brute force valid user names.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-08/0197.html
*** {02.33.038} Win - IE Help and Support Center protocol file deletion
Windows XP running Internet Explorer 6.x comes with a 'Help and
Support Center' software feature that is a suite of help-related
files and functions used both internally by Windows XP and externally
by Web sites. However, a bug allows a malicious Web site (or e-mail)
to delete arbitrary files on the user's system by tricking the user's
browser into making a particular request.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-08/0129.html
*** {02.33.039} Win - NTFS hard links obfuscate file auditing logs
A released advisory indicates it's possible for a local attacker to
use NTFS hard links to obfuscate file auditing logs. Basically, the
logs will contain entries for an arbitrary file name rather than the
actual file name, so it may not be apparent which file is the target
of the various audited events.
The advisory indicates confirmation by the vendor, which released a
fix in Windows 2000 SP3.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0080.html
*** {02.33.041} Win - IIS 5.0 ignores SSL cert basic constraints
IIS 5.0 prior to Windows 2000 SP3 ignores the basic constraints
on client certificates, potentially allowing a remote attacker to
present what appear to be valid, trusted SSL certificates to IIS
for authentication.
The advisory indicates confirmation by the vendor, which included a
fix in Windows 2000 SP3.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-08/0167.html
*** {02.33.042} Win - MS SQL Agent file modification
MS SQL Server versions 7 and 2000 reportedly contain a bug in the way
users can submit jobs to the SQL agent. Basically, they can specify
a file for the output that will overwrite any existing file already
on the file system.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0084.html
*** {02.33.045} Win - Kerio Mail Server multiple DoS and CSS
vulnerabilities
Kerio Mail Server version 5.0 reportedly contains multiple cross-site
scripting and denial of service vulnerabilities. Sending SYNs to all
listening Kerio Mail services triggers the DoS. Multiple Webmail URLs
are vulnerable to the CSS vulnerabilities.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-08/0183.html
*** {02.33.047} Win - Trillian IRC module multiple vulnerabilities
An advisory indicates that Trillian version 0.73 has a buffer
overflow in the handling of the PING response by the IRC module as
well as format string handling errors in IRC invite responses. These
bugs may allow a malicious server to execute arbitrary code on the
user's system.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0479.html
http://archives.neohapsis.com/archives/bugtraq/2002-07/0489.html
*** {02.33.050} Win - MyWebServer multiple vulnerabilities
MyWebServer version 1.0.2 reportedly contains three vulnerabilities:
a buffer overflow in the search functionality, which may allow remote
execution of arbitrary code; a cross-site scripting bug in the handling
of nonexistent URL requests; and disclosure of the physical path.
These vulnerabilities are not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0077.html
*** {02.33.051} Win - IE File Transfer Manager control vulnerabilities
The Microsoft File Transfer Manager ActiveX control is a
Microsoft-signed control used for handling file downloads from premium
Microsoft sites. The control contains a buffer overflow that could
lead to the execution of arbitrary code. It also allows a remote Web
site to schedule file uploads and downloads without user intervention.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-08/0189.html
- --- Linux News ---------------------------------------------------------
*** {02.33.011} Linux - Update {02.32.017}: xinetd signal pipe
descriptor DoS
Gentoo released updated makefiles to fix the vulnerability discussed
in {02.32.017} ("xinetd signal pipe descriptor DoS").
Gentoo users should rebuild the xinetd package ('emerge xinetd').
Source: Gentoo (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-08/0120.html
*** {02.33.013} Linux - Update {02.22.004}: BIND 9 internal consistency
check DoS
Mandrake released updated bind packages to fix the vulnerability
discussed in {02.22.004} ("BIND 9 internal consistency check DoS").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2002-08/0128.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-08/0128.html
*** {02.33.015} Linux - Update {02.22.001}: xchat dns query command
execution
Mandrake released updated xchat packages to fix the vulnerability
discussed in {02.22.001} ("xchat dns query command execution").
Updated RPMs are listed at the reference URL below.
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-08/0136.html
*** {02.33.016} Linux - Update {02.19.017}: uudecode insecure output
file handling
Mandrake released updated shar-util packages to fix the vulnerability
discussed in {02.19.017} ("uudecode insecure output file handling").
Updated RPMs are listed at the reference URL below.
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-08/0137.html
*** {02.33.022} Linux - Update {02.29.004}: libpng progressive image
loading overflows
Red Hat and Mandrake released updated libpng packages to fix the
vulnerability discussed in {02.29.004} ("libpng progressive image
loading overflows").
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0052.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-08/0118.html
Source: Red Hat, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0052.html
http://archives.neohapsis.com/archives/bugtraq/2002-08/0118.html
*** {02.33.030} Linux - Update {01.27.039}: PHP mail() command may
bypass safe_mode
Red Hat rereleased updated PHP packages to fix the vulnerability
discussed in {01.27.039} ("PHP mail() command may bypass safe_mode").
Updated RPMs are listed at the reference URL below.
Source: Red Hat
http://archives.neohapsis.com/archives/bugtraq/2002-08/0198.html
*** {02.33.033} Linux - Update {02.26.002}: DNS libresolve/resolver
buffer overflow
Mandrake and Trustix released updated glibc packages to fix the
vulnerability discussed in {02.26.002} ("DNS libresolve/resolver
buffer overflow").
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-08/0116.html
Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-08/0117.html
Source: Mandrake, Trustix (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-08/0116.html
http://archives.neohapsis.com/archives/bugtraq/2002-08/0117.html
- --- BSD News -----------------------------------------------------------
*** {02.33.040} BSD - FreeBSD system call signed parameter
vulnerabilities
A FreeBSD advisory indicates various system calls, including accept(),
getsockname(), getpeername() and a particular ioctl(), do not properly
handle signed parameters, potentially exposing kernel memory.
CVS branches as of Aug. 13, 2002, contain the fixes.
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2002-08/0094.html
- --- NetWare News -------------------------------------------------------
*** {02.33.026} NW - NetBasic CGI handler multiple vulnerabilities
A Novell advisory indicates the NetBasic handler shipped with various
Web services included with Netware 5.1 and 6.0 contains multiple
vulnerabilities, including a buffer overflow and the ability to
execute arbitrary NSN scripts on the SYS volume.
Patch information is available at:
http://support.novell.com/servlet/tidfinder/2963297
Source: Novell (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-08/0199.html
*** {02.33.027} NW - Perl CGI handler multiple vulnerabilities
A Novell advisory indicates the Perl handler shipped with various
Web services included with Netware 5.1 and 6.0 contains multiple
vulnerabilities, including the ability to execute arbitrary Perl
scripts via an HTTP POST request and to execute Perl scripts outside
the Web root.
A patch is available at:
http://support.novell.com/servlet/tidfinder/2963307
Source: Novell (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-08/0202.html
- --- HP-UX News ---------------------------------------------------------
*** {02.33.001} HPUX - HPUX 11.x ptrace() kernel panic
HP released patches to fix a vulnerability that allows a local attacker
to use ptrace() to cause a system panic, thereby leaving the system
in an unusable state.
Apply the appropriate patch:
HPUX 11.00: PHKL_27180
HPUX 11.04: PHKL_27536
HPUX 11.11: PHKL_27179
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q3/0041.html
*** {02.33.003} HPUX - Update {02.29.011}: PHP multipart POST request
DoS/overflow
HP released updated Apache packages for HPUX 11.x to fix the
vulnerability discussed in {02.29.011} ("PHP multipart POST request
DoS/overflow").
Updated packages are available at:
http://www.software.hp.com/ISS_products_list.html
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q3/0041.html
*** {02.33.006} HPUX - HPUX 11.04 passwd vulnerability
HP released a security patch for HPUX 11.04 to fix a security
vulnerability in the passwd utility. Details were not provided.
HPUX 11.04 users need to apply patch PHCO_27373.
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q3/0049.html
*** {02.33.010} HPUX - TGA daemon buffer overflow
An HP advisory indicates the TGA daemon shipped with HPUX 11.04
contains a buffer overflow that allows an attacker to access system
files. Further details were not provided.
HP released various patches, depending on the installed version of
the VirtualVault package:
VirtualVault A.04.00: PHSS_27499
VirtualVault A.04.50: PHSS_27500
VirtualVault A.04.60: PHSS_27501
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q3/
- --- SGI News -----------------------------------------------------------
*** {02.33.012} SGI - Update {01.35.012}: Adobe Acrobat/libCoolType
creates world-writable AdobeFnt.lst file
SGI released updates to fix the vulnerability discussed in {01.35.012}
("Adobe Acrobat/libCoolType creates world-writable AdobeFnt.lst file").
The proper solution is to update to IRIX version 6.5.19. However, the
reference URL below also has a workaround for earlier IRIX versions.
Source: SGI
http://archives.neohapsis.com/archives/vendor/2002-q3/0040.html
*** {02.33.037} SGI - IRIX on Origin 3000 changes MAC
When a version of IRIX prior to 6.5.13 is upgraded to 6.5.13 or after,
the Ethernet MAC address on Origin 3000 systems changes. This may
affect sites that do filtering/firewalling based on MAC addresses.
SGI confirmed this problem, which is fixed in IRIX 6.5.17.
Source: SGI
http://archives.neohapsis.com/archives/vendor/2002-q3/0039.html
*** {02.33.049} SGI - IRIX ftpd minor vulnerabilities
An SGI advisory indicates the FTP daemon shipped with IRIX prior to
6.5.17 contains two previously reported minor security bugs.
To fix the bugs, SGI recommends upgrading to 6.5.17. Patches for
earlier IRIX versions will not be released.
Source: SGI
http://archives.neohapsis.com/archives/vendor/2002-q3/0037.html
- --- Network Appliances News --------------------------------------------
*** {02.33.034} NApps - Gateway GS-400 NAS default password
The Gateway GS-400 NAS server comes preinstalled with a default
root password and does not offer any method to change it. Thus,
remote attackers can potentially telnet to the device (on port 1023)
and compromise the system.
The advisory indicates the vendor does not support the product; thus,
a fix will not be released.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-08/0126.html
http://archives.neohapsis.com/archives/bugtraq/2002-08/0132.html
- --- Cross-Platform News ------------------------------------------------
*** {02.33.002} Cross - HP EMANATE exposes SNMP community string
An HP advisory indicates EMANATE version 14.2 contains a vulnerability
that allows a remote attacker to recover the SNMP community string,
potentially exposing sensitive information.
HP released patches:
Win NT/2k: NNM_00936
HPUX 10.20: PHSS_27569
HPUX 11.X: PHSS_27570
Solaris 2.6,7,8: PSOV_03193
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q3/0041.html
*** {02.33.005} Cross - Tinyssl ignores SSL certificate basic
constraints
The Tinyssl library prior to version 1.03 ignores the basic constraints
on client certificates, potentially allowing a remote attacker to
present what appear to be valid, trusted SSL certificates to the
application using Tinyssl.
This vulnerability is confirmed and fixed in version 1.03, available
at:
http://www.xwt.org/tinyssl/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-08/0096.html
*** {02.33.007} Cross - L-Forum CGI search.php SQL injection
The L-Forum CGI suite is vulnerable to SQL tampering in the handling
of the search parameter passed to the search.php script. Multiple
cross-site scripting vulnerabilities also are reported.
The vendor confirmed this vulnerability and released an update.
Source: VulnWatch, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0074.html
http://archives.neohapsis.com/archives/bugtraq/2002-08/0115.html
*** {02.33.008} Cross - Update {02.32.029}: rpc.ttdbserverd
_TT_CREATE_FILE() heap overflow
IBM and Caldera/SCO released updates to fix the vulnerability discussed
in {02.32.029} ("rpc.ttdbserverd _TT_CREATE_FILE() heap overflow").
AIX users need to apply the appropriate APAR:
AIX 4.3.3: IY32792
AIX 5.1.0: IY32793
SCO UnixWare and OpenUnix updates are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2002-q3/0011.html
Source: IBM, Caldera/SCO
http://archives.neohapsis.com/archives/aix/2002-q3/0010.html
http://archives.neohapsis.com/archives/linux/caldera/2002-q3/0011.html
*** {02.33.009} Cross - Oracle listener control format string
vulnerability
The Oracle listener control utility is vulnerable to a format string
vulnerability, potentially allowing an attacker to execute arbitrary
code on the administrator's system, which runs the remote listener
control utility.
The vendor confirmed this vulnerability and released more information,
available at:
http://otn.oracle.com/deploy/security/pdf/2002alert40rev1.pdf
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0076.html
*** {02.33.014} Cross - Web Shop Manager CGI search command execution
The Web Shop Manager CGI suite version 1.1 reportedly contains a
vulnerability in the handling of the search parameters that allows
a remote attacker to execute arbitrary command-line commands under
the privileges of the Web server.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-08/0130.html
*** {02.33.017} Cross - Update {02.31.009}: RPC XDR array decoding
overflow
Multiple vendors released updates to fix the vulnerability discussed
in {02.31.009} ("RPC XDR array decoding overflow").
Updated Red Hat RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0050.html
SGI IRIX patches are listed at:
http://archives.neohapsis.com/archives/vendor/2002-q3/0042.html
Source: Red Hat, SGI
http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0050.html
http://archives.neohapsis.com/archives/vendor/2002-q3/0042.html
*** {02.33.018} Cross - PHP-affiliate CGI details2.php arbitrary user
editing
The PHP-affiliate CGI suite version 1.0 reportedly does not correctly
verify hidden parameters passed to the details2.php script. This
allows a remote attacker to edit arbitrary users' information.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-08/0141.html
*** {02.33.021} Cross - FUDForum CGI file manipulation
The FUDForum CGI suite prior to version 2.2.0 contains vulnerabilities
in the tmp_view.php and admbrowse.php scripts that allow a remote
attacker to read and potentially manipulate files outside the Web root.
The vendor confirmed these vulnerabilities and released version 2.2.0.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0082.html
*** {02.33.023} Cross - Steelarrow cookie and chunked overflows
Tomahawk's Steelarrow contains two buffer overflows (one in the
handling of cookies and one in the handling of chunked client
requests) that could allow a remote attacker to execute arbitrary
code on the system.
The advisory indicates vendor confirmation. Fixes are available at:
http://www.steelarrow.com/
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0085.html
*** {02.33.024} Cross - Multiple Postgres function buffer overflows
Multiple advisories indicate that various buffer overflows exist in
the Postgres database version 7.2. The overflows exist in the lpad(),
rpad(), repeat() and cash_words() functions.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-08/0169.html
http://archives.neohapsis.com/archives/bugtraq/2002-08/0204.html
http://archives.neohapsis.com/archives/bugtraq/2002-08/0205.html
*** {02.33.025} Cross - Mantis CGI suite multiple vulns
Advisories from the Mantis developers detail many security
vulnerabilities in the Mantis PHP CGI suite, including SQL tampering,
bypass of the limit_reporters option, viewing of private projects,
arbitrary PHP code execution and arbitrary file reading. Versions
prior to 0.17.4 are vulnerable.
The solution is to update to version 0.17.4.
Debian released updated DEBs, listed at:
http://archives.neohapsis.com/archives/vendor/2002-q3/0043.html
Source: SecurityFocus Bugtraq, Debian
http://archives.neohapsis.com/archives/bugtraq/2002-08/0184.html
http://archives.neohapsis.com/archives/bugtraq/2002-08/0186.html
http://archives.neohapsis.com/archives/bugtraq/2002-08/0177.html
http://archives.neohapsis.com/archives/bugtraq/2002-08/0187.html
http://archives.neohapsis.com/archives/bugtraq/2002-08/0176.html
http://archives.neohapsis.com/archives/vendor/2002-q3/0043.html
*** {02.33.028} Cross - Jigsaw proxy server query CSS vulnerability
The W3C Jigsaw HTTP proxy server prior to version 2.2.1 is vulnerable
to cross-site scripting in the handling of nonexistent URL requests.
This vulnerability is fixed in version 2.2.1.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-08/0190.html
*** {02.33.031} Cross - CERN HTTP server query CSS vulnerability
The CERN HTTP server version 3.0A is vulnerable to cross-site scripting
in the handling of nonexistent URL requests.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-08/0097.html
*** {02.33.032} Cross - l2tpd weak randomness
The l2tpd daemon prior to version 0.68 does not properly generate
random data, thereby causing the randomness to be predictable. This
decreases the security of various cryptographic components, including
the generation of the authentication challenge.
The vendor confirmed this vulnerability and released version
0.68. Updates are available at:
http://www.l2tpd.org/
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2002-q3/0036.html
Source: SecurityFocus Bugtraq, Debian
http://archives.neohapsis.com/archives/bugtraq/2002-08/0102.html
http://archives.neohapsis.com/archives/vendor/2002-q3/0036.html
*** {02.33.035} Cross - Perl 5.6.x glob() overflows
Perl 5.6.0 and 5.6.1 reportedly use a glob() function that is
vulnerable to a buffer overflow. This overflow is similar to the
multivendor FTP glob overflow reported in years past.
This vulnerability is not confirmed. The post indicates the glob()
functionality in version 5.8.0 is corrected.
Source: LSAP
http://archives.neohapsis.com/archives/linux/lsap/2002-q3/0014.html
*** {02.33.036} Cross - Oracle 9i SQL*NET DoS
An ISS advisory indicates it's possible to crash the SQL*NET listener
service by remotely sending a malformed request. Oracle 9.0.x and
9.2 are reported as vulnerable.
These vulnerabilities are not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0072.html
*** {02.33.043} Cross - KDE Konqueror ignores SSL certificate basic
constraints
The KDE Konqueror prior to version 3.0.3 ignores the basic constraints
on client certificates, potentially allowing a remote attacker to
present what appear to be valid, trusted SSL certificates to the
user's browser.
This vulnerability is confirmed and fixed in version 3.0.3.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-08/0170.html
*** {02.33.044} Cross - nCipher C_Verify function always returns valid
The C_Verify function shipped in the nCipher cryptographic library
always indicates that a symmetric signature is valid, even if it is
invalid. Products based on this library using the affected function
are vulnerable.
The vendor confirmed this vulnerability. Updates are available by
contacting nCipher.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-08/0172.html
*** {02.33.046} Cross - scponly environment circumvents restrictions
The scponly utility, used to limit users to only using scp/sftp,
contains a bug that potentially allows a user to upload an environment
file to their .ssh directory and to circumvent the restrictions
scponly is supposed to enforce.
This vulnerability is not confirmed. Third-party workarounds are
explained in the reference URL below.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-08/0200.html
*** {02.33.048} Cross - Shoutcast server administrative password log
retrieval
Nullsoft Shoutcast server version 1.8.9 reportedly logs the
administrative password in clear text in the shoutcast logs. This
may allow a local user to recover the password.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-08/0017.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE9ZUZO+LUG5KFpTkYRAhNtAJ9RRFjHNAI3FxoJJFXDb9dDhEQ2NQCdH7zn
zCT6+tIXn/ZeiKMVOgZwm98=
=DGOB
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).