From: Network Computing and The SANS Institute (sans+ZZ31507018350924832_at_sans.org)
Date: Thu Sep 12 2002 - 13:53:48 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 036 (02.36)
Thursday, September 12, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
This issue sponsored by SPI Dynamics
ALERT: SQL Injection Attacks via Port 80 and 443! It's as simple as
placing additional SQL commands into a Web Form input box giving hackers
complete access to your backend systems! Firewalls, Access Controls and
IDS don't stop such attacks because SQL Injections are NOT seen as
intruders. Download this *FREE* white paper from SPI Dynamics!
http://www.spidynamics.com/mktg/sqlinjection17
----------------------------------------------------------------------
This week, a security researcher released an updated version of a
report that uses various graphs to analyze the randomness of TCP ISN
numbers. Surprisingly, a year after vendors were warned about these
problems, many still have issues. More information is available at:
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0110.html
Other notable vulnerabilities this week include a buffer overflow in
PGP Corporate Desktop (item {02.36.017}); multiple bugs in the Cisco
3000 series VPN concentrators (item {02.36.010}); and a patch for all
versions of Windows to remove the SSL constraints bug, which affects
Internet Explorer, IIS and other applications using the MS CryptoAPI
SSL functions (item {02.36.013}).
Coverage reminder: If you're missing an item in your issue, it's
because you did not subscribe to the applicable category in which
it's covered. SAC is a customizable newsletter, and you only get the
OS types requested during the subscription process. You can change
your subscription preferences by following the instructions at the
bottom of this (and every) newsletter. Or, you can view the full
issue online at: http://archives.neohapsis.com/archives/sac/
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{02.36.013} Win - MS02-049: IE can auto-execute Visual FoxPro
applications
{02.36.014} Win - MS02-050: SSL certificate constraint validation patch
{02.36.017} Win - PGP long file name overflow
{02.36.018} Win - WebServer 4 Everyone HTTP server Webroot escaping
{02.36.022} Win - QuickTime control plugins page overflow
{02.36.002} Linux - Update {02.35.003}: Ethereal ISIS decode overflow
{02.36.003} Linux - Update {02.31.018}: GAIM Jabber plugin buffer
overflow
{02.36.005} Linux - Update {02.30.024}: Mailman ml-name CGI CSS
vulnerability
{02.36.006} Linux - Update {02.34.016}: Mantis CGI private bug viewing
{02.36.009} Linux - Update {02.33.043}: KDE Konqueror ignores SSL
certificate basic constraints
{02.36.012} Linux - Update {02.35.017}: Python insecure temporary file
handling
{02.36.010} NApps - Cisco VPN 3000 series multiple vulnerabilities
{02.36.016} Other - Polycom Viewstation multiple vulnerabilities
{02.36.001} Cross - cacti CGI title string command execution
{02.36.004} Cross - MHonarc HTML mail CSS vulnerability
{02.36.007} Cross - wordtrans CGI command execution and CSS
{02.36.008} Cross - Update {02.31.009}: RPC XDR array decoding overflow
{02.36.011} Cross - AFD workdir buffer overflow
{02.36.015} Cross - phpGB CGI multiple vulnerabilities
{02.36.019} Cross - Various PHP CRLF injection
{02.36.020} Cross - ZMerge grants Manager access
{02.36.021} Cross - Woltlab Burning Board CGI SQL tampering
{02.36.023} Cross - Aestiva HTML/OS CSS vulnerabilities
{02.36.024} Cross - Zero-width GIF browser overflow
{02.36.025} Cross - Amavis malformed tar file DoS
--- Windows News -------------------------------------------------------
*** {02.36.013} Win - MS02-049: IE can auto-execute Visual FoxPro
applications
Microsoft released MS02-049 ("IE can auto-execute Visual FoxPro
applications"). Visual FoxPro 6.0 does not properly register its
various file types with Internet Explorer, potentially allowing
a malicious Web site to automatically execute a Visual FoxPro
application.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-049.asp
Source: Microsoft (NTBugtraq)
http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0121.html
*** {02.36.014} Win - MS02-050: SSL certificate constraint validation
patch
Microsoft released MS02-050 ("SSL certificate constraint validation
patch"). The CryptoAPI functions that validate SSL certificates do
not properly account for SSL constraints, which would let an attacker
create arbitrary valid SSL certificates. This vulnerability was
previously reported as item {02.33.041}.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-050.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q3/0000.html
*** {02.36.017} Win - PGP long file name overflow
PGP Corporate Desktop version 7.1.1 contains a buffer overflow in
the handling of long file names within encrypted files. This allows
a malicious encrypted file to execute arbitrary code on the user's
system when the user attempts to decrypt the file.
The vendor confirmed this vulnerability and released a patch, which
is available at:
http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0106.html
*** {02.36.018} Win - WebServer 4 Everyone HTTP server Webroot escaping
The WebServer 4 Everyone HTTP server version 1.22 reportedly contains
a vulnerability that allows a remote attacker to request files outside
the Webroot by submitting an HTTP request that uses '..' notation in
the URL name.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-09/0045.html
*** {02.36.022} Win - QuickTime control plugins page overflow
The Apple QuickTime ActiveX control used for viewing QuickTime media
within Internet Explorer contains a buffer overflow in the handling
of the plugins page parameter. This allows a malicious Web site or
e-mail to execute arbitrary code on the user's system.
The vendor confirmed this vulnerability and released an update,
which is available at:
http://www.apple.com/quicktime/
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0111.html
--- Linux News ---------------------------------------------------------
*** {02.36.002} Linux - Update {02.35.003}: Ethereal ISIS decode
overflow
Debian released updated ethereal packages that fix the vulnerability
discussed in {02.35.003} ("Ethereal ISIS decode overflow").
Updated DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q3/0055.html
*** {02.36.003} Linux - Update {02.31.018}: GAIM Jabber plugin buffer
overflow
Mandrake released updated GAIM packages that fix the vulnerability
discussed in {02.31.018} ("GAIM Jabber plugin buffer overflow").
Updated RPMs are listed at the reference URL below.
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-09/0058.html
*** {02.36.005} Linux - Update {02.30.024}: Mailman ml-name CGI CSS
vulnerability
Conectiva released updated mailman packages that fix the vulnerability
discussed in {02.30.024} ("Mailman ml-name CGI CSS vulnerability").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0019.html
*** {02.36.006} Linux - Update {02.34.016}: Mantis CGI private bug
viewing
Debian released updated mantis packages that fix the vulnerability
discussed in {02.34.016} ("Mantis CGI private bug viewing").
Updated DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q3/0054.html
*** {02.36.009} Linux - Update {02.33.043}: KDE Konqueror ignores SSL
certificate basic constraints
Mandrake released updated kdelibs packages that fix the vulnerability
discussed in {02.33.043} ("KDE Konqueror ignores SSL certificate
basic constraints").
Updated RPMs are listed at the reference URL below.
Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2002-q3/0164.html
*** {02.36.012} Linux - Update {02.35.017}: Python insecure temporary
file handling
Debian rereleased updated python packages that fix the vulnerability
discussed in {02.35.017} ("Python insecure temporary file
handling"). The prior updates introduced an instability.
Updated DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q3/0057.html
--- Network Appliances News --------------------------------------------
*** {02.36.010} NApps - Cisco VPN 3000 series multiple vulnerabilities
A Cisco advisory indicates that the VPN 3000 series concentrators
contain multiple vulnerabilities, including information disclosure and
authentication bypass. Software versions prior to 3.6.1 are vulnerable.
An updated patch matrix is available at the reference URL below.
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2002-q3/0006.html
--- Other News ---------------------------------------------------------
*** {02.36.016} Other - Polycom Viewstation multiple vulnerabilities
A released advisory indicates that multiple vulnerabilities exist
in the Polycom Viewstation series of products, including: a default
(empty) administrative password; escape from the Webroot by using
Unicode-encoded HTTP requests; retrieval of the administrative
password; use of the telnet service to mount a password brute-force
attack; and various denial of service attacks.
The advisory indicates vendor confirmation.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0104.html
--- Cross-Platform News ------------------------------------------------
*** {02.36.001} Cross - cacti CGI title string command execution
The cacti CGI Web interface prior to version 0.6.8a allows a remote
attacker to execute arbitrary command-line commands because it
does not properly filter shell metacharacters from the title
string. The attacker needs administrative access to the CGI to
perform the attack.
The vendor confirmed this vulnerability.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2002-q3/0019.html
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2002-q3/0019.html
http://archives.neohapsis.com/archives/bugtraq/2002-09/0028.html
*** {02.36.004} Cross - MHonarc HTML mail CSS vulnerability
The MHonarc e-mail archiver contains a cross-site scripting
vulnerability in the handling of HTML e-mail.
Debian confirmed this vulnerability and released updated DEBs, which
are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q3/0058.html
*** {02.36.007} Cross - wordtrans CGI command execution and CSS
The wordtrans CGI suite version 1.1pre8 does not properly filter out
URL parameters, which allows cross-site scripting attacks as well as
remote execution of arbitrary command-line commands.
This vulnerability is confirmed.
Updated Red Hat RPMS are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0073.html
Source: Red Hat, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-09/0070.html
http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0073.html
*** {02.36.008} Cross - Update {02.31.009}: RPC XDR array decoding
overflow
Mandrake and HP released updated packages that fix the vulnerability
discussed in {02.31.009} ("RPC XDR array decoding overflow").
Updated Mandrake krb5 RPMS are listed at:
http://archives.neohapsis.com/archives/linux/mandrake/2002-q3/0162.html
Updated libraries for HPUX are listed at:
http://archives.neohapsis.com/archives/hp/2002-q3/0077.html
Source: Mandrake, HP
http://archives.neohapsis.com/archives/linux/mandrake/2002-q3/0162.html
http://archives.neohapsis.com/archives/hp/2002-q3/0077.html
*** {02.36.011} Cross - AFD workdir buffer overflow
The Automatic File Distributor version 1.2.14 reportedly contains a
buffer overflow in the construction of the workdir variable. The
overflow is locally exploitable and may let an attacker execute
arbitrary code with elevated privileges.
The advisory indicates vendor confirmation and the release of version
1.2.15, which is available at:
ftp://ftp.dwd.de/pub/afd/src-1.2.15.tar.bz2
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-09/0029.html
*** {02.36.015} Cross - phpGB CGI multiple vulnerabilities
The phpGB CGI suite version 1.20 contains multiple vulnerabilities:
savesettings.php allows arbitrary configuration settings to be changed,
thereby leading to a denial of service or execution of arbitrary
commands; cross-site scripting in the handling of guestbook elements;
and SQL injection via the login interface.
The advisory indicates vendor confirmation and the release of version
1.20, which is available at:
http://www.walzl.net/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-09/0069.html
http://archives.neohapsis.com/archives/bugtraq/2002-09/0076.html
http://archives.neohapsis.com/archives/bugtraq/2002-09/0084.html
*** {02.36.019} Cross - Various PHP CRLF injection
The header() and fopen() functions within PHP pass along additional
headers embedded (via CRLF sequences) in their arguments when issuing
Web requests/responses, which could alter the logic flow. This is not
a direct problem in PHP itself, but it may affect specific
applications that are not aware of this 'feature.'
Source: VulnWatch, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0109.html
http://archives.neohapsis.com/archives/bugtraq/2002-09/0086.html
*** {02.36.020} Cross - ZMerge grants Manager access
Granite Software's ZMerge version 5.x grants Manager access to
anonymous Web users, potentially allowing remote attackers to modify
the Notes import/export scripts, which then could be run by an
unsuspecting administrator.
The advisory indicates vendor confirmation. The suggested workaround
is to restrict the ACLs on the zm50adm.nsf and zmevladm.nsf databases.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0107.html
*** {02.36.021} Cross - Woltlab Burning Board CGI SQL tampering
Woltlab Burning Board CGI suite versions 2.0 RC 1 and prior do not
properly filter user parameters passed to the board.php file. This
allows a remote attacker to execute arbitrary SQL queries.
The advisory indicates confirmation by the vendor, which released
version 2.0 RC 2.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-09/0083.html
*** {02.36.023} Cross - Aestiva HTML/OS CSS vulnerabilities
Aestiva's HTML/OS reportedly contains a cross-site scripting bug in
the handling of path info parameters passed to the error page.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-09/0026.html
*** {02.36.024} Cross - Zero-width GIF browser overflow
A released advisory indicates that multiple browsers are vulnerable to
an overflow triggered by a zero-width GIF graphic file, which could lead
to the execution of arbitrary code. Netscape version 6.2.3 was
specifically named as vulnerable. Mozilla and Opera were also mentioned
as affected in some way.
The advisory indicates vendor confirmation; the latest versions of
Netscape and Mozilla are reportedly fixed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-09/0050.html
*** {02.36.025} Cross - Amavis malformed tar file DoS
Amavis versions 0.2.x and prior contain a denial of service
vulnerability when trying to search through a particularly malformed
tar file.
The vendor confirmed this vulnerability.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-09/0040.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE9gODk+LUG5KFpTkYRAoSxAJ4nwApcCm+8k03spRvSlXBGZraQfgCeKId/
YeDXhYjogC5PA7UK8iMmUNQ=
=P+eL
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).