From: Network Computing and The SANS Institute (sans+ZZ19534265656674077_at_sans.org)
Date: Thu Sep 26 2002 - 15:34:22 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 038 (02.38)
Thursday, September 26, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
This issue sponsored by SPI Dynamics
ALERT! - Cross-site scripting vulnerabilities in Web applications allow
hackers to compromise confidential information, manipulate or steal
cookies, and create requests that can be mistaken for those of a valid
user!! All via port 80 and 443! Download this *FREE* white paper from
SPI Dynamics for a complete guide to protection!
http://www.spidynamics.com/mktg/xss6
----------------------------------------------------------------------
The Linux OpenSSL 'slapper' worm is continuing to make its rounds,
and new variants have been reported. Please keep in mind that
while some variants of the worm check the HTTP server banner,
other scanner tools can identify a server as vulnerable even
if the HTTP server banner is modified or obfuscated to defeat the
worm. For those of you hoping for a quick workaround, be forewarned:
changing the banner does not remove the underlying vulnerability.
http://archives.neohapsis.com/archives/bugtraq/2002-09/0287.html
Among this week's top vulnerabilities are multiple problems in the
Trillian chat client (item {02.38.001} in the Windows category),
a library loading vulnerability in setuid/setgid X applications
(item {02.38.003} in the cross-platform category) and Microsoft
Java VM vulnerabilities in all versions of Windows (item {02.38.019}
in the Windows category).
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{02.38.001} Win - Multiple Trillian vulnerabilities
{02.38.005} Win - Dino's Web server Web root escaping
{02.38.008} Win - MS02-051: RDP protocol information disclosure
{02.38.010} Win - ISS Scanner HTTP response overflow
{02.38.018} Win - IBM WebSphere large header DoS
{02.38.019} Win - MS02-052: Multiple Java VM JDBC vulnerabilities
{02.38.002} Linux - Update {02.37.007}: Cross - Konqueror subframe CSS
and insecure cookie vulnerabilities
{02.38.004} Linux - Update {02.22.001}: xchat DNS query command
execution
{02.38.007} Linux - Update {02.37.002}: Linux - Update {02.33.024}:
Multiple Postgres function buffer overflows
{02.38.011} Linux - Update {02.37.005}: Linux - Update {01.27.039}: PHP
mail() command may bypass safe_mode
{02.38.015} SGI - Root umask leaves readable core files
{02.38.017} NApps - HP printer/print server/digital sender DNS
vulnerability
{02.38.003} Cross - xfree86 libX11.so LD_PRELOAD vulnerability
{02.38.006} Cross - SquirrelMail CGI multiple CSS vulnerabilities
{02.38.009} Cross - Apache 2.0.42 released, mod_dav DoS
{02.38.012} Cross - Multiple Cisco VPN 5000 client vulnerabilities
{02.38.013} Cross - Multiple Mozilla 1.0 vulnerabilities
{02.38.014} Cross - DB4Web db4Web_c CGI file download
{02.38.016} Cross - Lycos HTMLGear guestbook address CSS
{02.38.020} Cross - Compaq WebES file access
{02.38.021} Cross - JAWmail CGI multiple CSS vulnerabilities
{02.38.022} Cross - phpWebSite CGI inc_prefix code execution
{02.38.023} Cross - Null HTTP server content-length overflow
{02.38.024} Cross - Xoops CGI img tag CSS
{02.38.025} Cross - Tomcat JSP disclosure via DefaultServlet
--- Windows News -------------------------------------------------------
*** {02.38.001} Win - Multiple Trillian vulnerabilities
Trillian versions 0.74 and prior reportedly contain multiple
vulnerabilities: a PRIVMSG nick buffer overflow; an embedded ident
service buffer overflow; a JOIN channel topic buffer overflow; a
'raw 221' packet buffer overflow; IRC raw message buffer overflows;
and a crash on malformed HTML. The buffer overflows may allow
remote execution of arbitrary code.
These vulnerabilities are not confirmed.
Source: NTBugtraq, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0140.html
http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0139.html
http://archives.neohapsis.com/archives/bugtraq/2002-09/0258.html
http://archives.neohapsis.com/archives/bugtraq/2002-09/0266.html
http://archives.neohapsis.com/archives/bugtraq/2002-09/0268.html
http://archives.neohapsis.com/archives/bugtraq/2002-09/0282.html
*** {02.38.005} Win - Dino's Web server Web root escaping
Dino's Web server version 1.2 is vulnerable to an encoded directory
traversal attack, thereby allowing remote attackers to access files
outside the Web root.
The advisory indicates confirmation by the vendor, which discontinued
the software.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0127.html
*** {02.38.008} Win - MS02-051: RDP protocol information disclosure
Microsoft released MS02-051 ("RDP protocol information
disclosure"). The patch addresses two remote desktop/terminal services
bugs: improper encryption of packets in Windows XP and 2000 could
allow an attacker to recover encrypted data, and certain malformed
RDP packets will crash the Windows XP remote desktop service.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-051.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q3/0001.html
*** {02.38.010} Win - ISS Scanner HTTP response overflow
ISS Scanner version 6.2.1 contains a buffer overflow in the handling
of a particular HTTP response. This potentially allows a malicious
Web server to execute arbitrary code on the system running the scanner.
The vendor confirmed this vulnerability and included a patch in
X-Press update 6.17.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0119.html
*** {02.38.018} Win - IBM WebSphere large header DoS
IBM WebSphere version 4.0.3 reportedly crashes when a request for
a .jsp file containing a large Host header is received. Whether
this denial of service can lead to the execution of arbitrary code
is uncertain.
The advisory indicates confirmation by the vendor, which released
a patch.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0123.html
*** {02.38.019} Win - MS02-052: Multiple Java VM JDBC vulnerabilities
Microsoft released MS02-052 ("Multiple Java VM JDBC
vulnerabilities"). The Microsoft Java VM (virtual machine) shipped
with virtually all versions of Windows and Internet Explorer contains
three different vulnerabilities in the JDBC and other classes that
potentially let a malicious e-mail or Web site execute arbitrary code
on the user's system or crash the browser/VM.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-052.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q3/0002.html
--- Linux News ---------------------------------------------------------
*** {02.38.002} Linux - Update {02.37.007}: Cross - Konqueror subframe
CSS and insecure cookie vulnerabilities
Debian and Conectiva released updated kdelibs packages that fix the
vulnerability discussed in {02.37.007} ("Cross - Konqueror subframe
CSS and insecure cookie vulnerabilities").
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2002-q3/0105.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0022.html
Source: Debian, Conectiva
http://archives.neohapsis.com/archives/linux/debian/2002-q3/0105.html
http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0022.html
*** {02.38.004} Linux - Update {02.22.001}: xchat DNS query command
execution
Conectiva released updated xchat packages that fix the vulnerability
discussed in {02.22.001} ("xchat DNS query command execution").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0023.html
*** {02.38.007} Linux - Update {02.37.002}: Linux - Update {02.33.024}:
Multiple Postgres function buffer overflows
Conectiva released updated postgresql packages that fix the
vulnerability discussed in {02.37.002} ("Linux - Update {02.33.024}:
Multiple Postgres function buffer overflows").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0021.html
*** {02.38.011} Linux - Update {02.37.005}: Linux - Update {01.27.039}:
PHP mail() command may bypass safe_mode
Debian released updated PHP packages that fix the vulnerability
discussed in {02.37.005} ("Linux - Update {01.27.039}: PHP mail()
command may bypass safe_mode").
Updated DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2002-q3/0163.html
--- SGI News -----------------------------------------------------------
*** {02.38.015} SGI - Root umask leaves readable core files
An SGI advisory indicates the default root umask of 022 may result in
the generation of world-readable core files. These core files could
contain sensitive information.
Patches and workarounds are detailed in the reference advisory
listed below.
Source: SGI
http://archives.neohapsis.com/archives/vendor/2002-q3/0068.html
--- Network Appliances News --------------------------------------------
*** {02.38.017} NApps - HP printer/print server/digital sender DNS
vulnerability
An HP advisory indicates that various printer, print server and
digital sender network devices are vulnerable to the DNS resolver
library overflow previously reported in SAC.
These vulnerabilities are confirmed. For a complete list of solutions,
please see the reference URL below.
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q3/0087.html
--- Cross-Platform News ------------------------------------------------
*** {02.38.003} Cross - xfree86 libX11.so LD_PRELOAD vulnerability
The libX11 library included with xfree86 honors the LD_PRELOAD
environment variable, thereby allowing a local attacker to potentially
execute arbitrary code with elevated privileges via available
setuid/setgid X-based applications.
This vulnerability is confirmed. Updated SuSE RPMs are listed at:
http://archives.neohapsis.com/archives/linux/suse/2002-q3/1116.html
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2002-q3/1116.html
*** {02.38.006} Cross - SquirrelMail CGI multiple CSS vulnerabilities
SquirrelMail version 1.2.7 reportedly contains multiple cross-site
scripting problems in its various PHP pages.
The vendor confirmed these vulnerabilities and indicated they are
fixed in version 1.2.8.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-09/0246.html
http://archives.neohapsis.com/archives/bugtraq/2002-09/0248.html
*** {02.38.009} Cross - Apache 2.0.42 released, mod_dav DoS
Apache version 2.0.42 was released. In addition to the usual bug fixes,
this version fixes a denial of service vulnerability in mod_dav.
The latest source code can be downloaded from:
http://httpd.apache.org/
Source: Apache
http://archives.neohapsis.com/archives/apache/2002/0017.html
*** {02.38.012} Cross - Multiple Cisco VPN 5000 client vulnerabilities
A Cisco advisory indicates the VPN 5000 clients on MacOS, Solaris
and Linux contain various security vulnerabilities: the MacOS client
incorrectly saves the login password in plain text, and the Solaris
and Linux clients contain buffer overflows in various included setuid
applications that let a local attacker gain root privileges.
The vendor confirmed these vulnerabilities and released updates.
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2002-q3/0009.html
*** {02.38.013} Cross - Multiple Mozilla 1.0 vulnerabilities
This is a general entry to point out that the various security bugs
in Mozilla 1.0 were fixed in version 1.0.1. The vulnerabilities were a
mix of local and remote issues, and some were previously reported. This
item is really just to raise awareness of the various problems that
exist in Mozilla 1.0.
These vulnerabilities were fixed in Mozilla version 1.0.1.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-09/0228.html
*** {02.38.014} Cross - DB4Web db4Web_c CGI file download
The db4Web_c CGI included with the DB4Web server allows remote
attackers to download arbitrary files outside the Web root by
submitting a particular URL request. Another bug in DB4Web allows a
remote attacker to proxy port scans through the db4Web_c CGI.
The vendor confirmed this vulnerability and released a patch, which
is available at:
http://www.db4Web.de/DB4Web/home/DB4Web/hotfix_e.html
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0124.html
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0125.html
*** {02.38.016} Cross - Lycos HTMLGear guestbook address CSS
The Lycos HTMLGear guestbook application contains a cross-site
scripting vulnerability in its handling of e-mail and Web addresses.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-09/0198.html
*** {02.38.020} Cross - Compaq WebES file access
An HP/Compaq advisory indicates that the WebES Compaq Analyze service
suite on all platforms contains a vulnerability that allows local
and remote attackers to access arbitrary files on the system.
The vendor confirmed this vulnerability and is currently working on
a patch.
Source: HP/Compaq
http://archives.neohapsis.com/archives/compaq/2002-q3/0013.html
*** {02.38.021} Cross - JAWmail CGI multiple CSS vulnerabilities
The JAWmail CGI suite version 1.0-rc1 reportedly contains multiple
cross-site scripting errors in the display of various e-mail
elements.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-09/0270.html
*** {02.38.022} Cross - phpWebSite CGI inc_prefix code execution
phpWebSite version 0.8.2 reportedly does not properly handle the
inc_prefix URL parameter. This allows a remote attacker to trick the
application into executing arbitrary PHP code located on a malicious
Web server.
The advisory indicates confirmation by the vendor, which released
version 0.8.3.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-09/0275.html
*** {02.38.023} Cross - Null HTTP server content-length overflow
The Null HTTP Server version 0.5.0 incorrectly handles negative
content-length HTTP header values. This causes a heap buffer overflow
to occur and allows a remote attacker to execute arbitrary code.
The vendor confirmed this vulnerability and released version 0.5.1,
which is available at:
http://prdownloads.sourceforge.net/nullhttpd/nullhttpd-0.5.1.tar.gz
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-09/0284.html
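The negative Content-Length bug class described in the item above, as an added example that is not Null httpd's code: a constructed signed-integer parse that shrinks the heap allocation next to a hardened parser that accepts only a bounded, unsigned decimal value. MAX_BODY_LEN and all function names are assumptions.

```c
#include <assert.h>
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Largest request body this server is willing to buffer (constructed policy value). */
#define MAX_BODY_LEN (1024UL * 1024UL)

/*
 * Pattern of the defect (constructed illustration, not Null httpd's code):
 * atoi() happily returns a negative number, and a signed length is then
 * used in the size arithmetic for a heap buffer.
 */
static long naive_content_length(const char *value) {
    return atoi(value);                      /* "-800" -> -800, no validation */
}

/* Buffer size a naive server would compute: "-800" yields only 224 bytes. */
static size_t naive_buffer_size(const char *value) {
    return (size_t)(atoi(value) + 1024);     /* small buffer, unbounded client body */
}

/*
 * Hardened parser. Returns the length on success, or -1 when the header must
 * be rejected: empty, signed, non-numeric, trailing garbage, or over the limit.
 */
long parse_content_length(const char *value) {
    if (value == NULL) return -1;
    while (*value == ' ' || *value == '\t') value++;   /* skip leading whitespace */
    if (!isdigit((unsigned char)*value)) return -1;    /* rejects "", "-800", "+5" */
    errno = 0;
    char *end;
    unsigned long long n = strtoull(value, &end, 10);
    if (errno == ERANGE) return -1;                    /* absurdly long digit string */
    while (*end == ' ' || *end == '\t') end++;
    if (*end != '\0' && *end != '\r' && *end != '\n') return -1;   /* "512abc" */
    if (n > MAX_BODY_LEN) return -1;                   /* enforce the policy bound */
    return (long)n;
}

/* Allocates the body buffer only from a validated length; NULL means reject the request. */
char *alloc_body_buffer(const char *content_length_hdr) {
    long len = parse_content_length(content_length_hdr);
    if (len < 0) return NULL;
    return calloc((size_t)len + 1, 1);
}

int main(void) {
    const char *hostile = "-800";                      /* constructed header value */
    printf("naive: len=%ld buffer=%zu bytes\n",
           naive_content_length(hostile), naive_buffer_size(hostile));
    printf("hardened: %s\n", alloc_body_buffer(hostile) ? "accepted" : "rejected");
    return 0;
}
```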
*** {02.38.024} Cross - Xoops CGI img tag CSS
The Xoops CGI suite version RC3.0.4 does not properly handle image
tags, thereby leading to a cross-site scripting vulnerability.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-09/0286.html
*** {02.38.025} Cross - Tomcat JSP disclosure via DefaultServlet
Apache Tomcat versions 4.0.4 and 4.1.10 display the source code to JSP
pages when invoked via the org.apache.catalina.servlets.DefaultServlet
servlet included by default with Tomcat.
The vendor confirmed this vulnerability and released versions 4.0.5
and 4.1.12.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-09/0288.html
************************************************************************
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).