From: Network Computing and The SANS Institute (sans+ZZ39321938441343775_at_sans.org)
Date: Thu Oct 10 2002 - 13:45:50 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 040 (02.40)
Thursday, October 10, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus_at_nwc.com>.
************************* Begin Advertisement ************************
This issue sponsored by SPI Dynamics
ALERT! - Cross-Site Scripting Attacks on Web Applications
Cross-site scripting vulnerabilities in web applications allow hackers to
compromise confidential information, manipulate or steal cookies, and
create requests that can be mistaken for those of a valid user!! All
undetectable by IDS! Download this *FREE* white paper from SPI Dynamics
for a complete guide to protection!
http://www.spidynamics.com/mktg/xss11
************************** End Advertisement *************************
Between Sept. 28 and Oct. 6 the official Sendmail FTP site
(ftp.sendmail.org) was found to be hosting trojaned copies of the
sendmail.8.12.6.tar.(gz/Z) files. The trojan is only triggered during
the compilation process. If you downloaded Sendmail source code during
that time frame, you should verify that you are not using a trojaned copy.
http://archives.neohapsis.com/archives/cc/2002-q4/0000.html
In an attempt to decrease the amount of "unrelated" alerts most
people receive, we are now going to avoid reporting cross-site
scripting vulnerabilities in anything but the major software packages.
Cross-site scripting vulnerabilities are a class of bugs where an
unwary CGI application or Web server echoes the HTML/JavaScript it
receives in a parameter straight back into the page. The exploitation
involves tricking a user into clicking a link (on a Web site or in an
e-mail) that points at your site and carries malicious JavaScript in a
parameter; your CGI prints it back, and the JavaScript executes in the
user's browser in the context of your site. The vulnerability preys on
unsuspecting users and does not affect the overall security of the
server (unless you run CGI apps that toss around administrative HTTP
cookies).
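As an added illustration (not from the newsletter), a minimal Python rendering of the bug class just described: a handler that echoes a query parameter verbatim beside the escaped version, plus a screen over request-log lines for parameters that decode to HTML metacharacters. The script name, parameter name, sample link and log lines are all constructed.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample link of the kind described above: the attacker-chosen
# value arrives in the 'name' query parameter of a hypothetical greet.cgi.
SAMPLE_LINK = "/greet.cgi?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def _param(url: str, key: str) -> str:
    """Return the first value of query parameter `key`, percent-decoded."""
    return parse_qs(urlsplit(url).query).get(key, [""])[0]


def render_vulnerable(url: str) -> str:
    """The bug class the newsletter describes: the parameter is written into
    the page unchanged, so any markup in it becomes part of the response."""
    return f"<html><body>Hello, {_param(url, 'name')}!</body></html>"


def render_fixed(url: str) -> str:
    """Hardened form: untrusted values are HTML-escaped (quotes included)
    at the point where they are written into the document."""
    safe = html.escape(_param(url, "name"), quote=True)
    return f"<html><body>Hello, {safe}!</body></html>"


def flag_markup_in_requests(log_lines: list[str]) -> list[str]:
    """Screen common-log-style request lines for query parameters that
    decode to '<' or '>'. A cheap review-time check over access logs, not a
    substitute for escaping on output."""
    hits = []
    for line in log_lines:
        try:
            url = line.split('"')[1].split(" ")[1]   # request-line target
        except IndexError:
            continue                                  # not a request line
        query = parse_qs(urlsplit(url).query)
        if any("<" in v or ">" in v for vals in query.values() for v in vals):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_LINK))   # markup reaches the browser
    print(render_fixed(SAMPLE_LINK))        # markup rendered as text
```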
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{02.40.014} Win - MS02-054: Compressed folders filename buffer overflow
{02.40.015} Win - MS02-055: Windows help control buffer overflow
{02.40.016} Win - MS02-056: SQL Server cumulative patch
{02.40.017} Win - MS02-057: Services for Unix Interix SDK vulns
{02.40.020} Win - PowerFTP USER overflow
{02.40.025} Win - MySQL my.ini datadir overflow
{02.40.026} Win - SuperScout Web Reports server multiple vulns
{02.40.027} Win - Jetty CGIServlet arbitrary command exec
{02.40.001} Linux - Update {02.37.002}: Multiple Postgres function
buffer overflows
{02.40.002} Linux - Update {02.39.006}: Fetchmail multiple vulns
{02.40.003} Linux - Update {02.31.009}: RPC XDR array decoding overflow
{02.40.004} Linux - Update {02.38.003}: xfree86 libX11.so LD_PRELOAD
vuln
{02.40.005} Linux - Update {02.21.023}: pam_ldap logging function
format string vuln
{02.40.006} Linux - Update {02.38.025}: Tomcat JSP disclosure via
DefaultServlet
{02.40.007} Linux - Update {02.39.013}: gv sscanf() overflow
{02.40.008} Linux - Update {02.30.031}: HylaFAX faxgetty TSI DoS
{02.40.009} Linux - Update {02.37.005}: PHP mail() command may bypass
safe_mode
{02.40.021} Linux - tkmail insecure temp file handling
{02.40.010} BSD - talkd message overflow
{02.40.011} BSD - rogue saved game file overflow
{02.40.012} BSD - Update {01.33.006}: groff/pic format vulnerability
circumvents -S
{02.40.018} HPUX - Update {02.30.001}: OpenSSL multiple overflows and
ASN1 parse vulns
{02.40.019} Other - Cisco Unity does not restrict international operator
{02.40.022} Other - WASD OpenVMS Webserver multiple vulns
{02.40.023} Other - OpenVMS POP server file access
{02.40.013} Cross - Apache hostname CSS, ab overflow, and shared mem
vulns
{02.40.024} Cross - Sendmail smrsh exec restriction bypass
{02.40.028} Cross - CoolForum CGI avatar.php img param file read
{02.40.029} Cross - Bugzilla multiple vulns
{02.40.030} Cross - Multiple vendor long ZIP filename vuln
--- Windows News ---------------------------------------------------------
*** {02.40.014} Win - MS02-054: Compressed folders filename buffer
overflow
Microsoft has released MS02-054 ("Compressed folders filename buffer
overflow"). The "compressed folders" feature included with Windows
ME and XP, as well as with the Win 98 Plus! Pack, has been found to
contain a buffer overflow in the handling of malicious .ZIP files,
letting the .ZIP file execute arbitrary code on the user's system.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-054.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q4/0000.html
*** {02.40.015} Win - MS02-055: Windows help control buffer overflow
Microsoft has released MS02-055 ("Windows help control buffer
overflow"). An ActiveX control included with the HTML Help suite
packaged with Windows (98 through XP) contains a buffer overflow in
the handling of a parameter that would let a malicious e-mail or Web
site execute arbitrary code on the user's system.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-055.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q4/0002.html
*** {02.40.016} Win - MS02-056: SQL Server cumulative patch
Microsoft has released MS02-056 ("SQL Server cumulative patch"). This
cumulative patch contains all prior SQL Server patches as well as
fixes for new vulnerabilities: a buffer overflow in the handling of
authentication, a buffer overflow in the DBCCs, and the ability for a
nonprivileged user to use scheduled SQL jobs to overwrite system files.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-056.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q4/0001.html
*** {02.40.017} Win - MS02-057: Services for Unix Interix SDK vulns
Microsoft has released MS02-057 ("Services for Unix Interix SDK
vulns"). Services for Unix version 3.0 included the Interix SDK for
developing RPC services. These libraries have been found to contain
various buffer overflows and denial of service attack vectors.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-057.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q4/0003.html
*** {02.40.020} Win - PowerFTP USER overflow
PowerFTP server has been reported to contain a buffer overflow in the
handling of large USER strings. It is unknown at this time whether
arbitrary code execution is possible.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0075.html
*** {02.40.025} Win - MySQL my.ini datadir overflow
The Windows version of MySQL 3.23.49 has been found to contain a buffer
overflow in handling the datadir variable contained in the my.ini file.
The permissions on this file allow local users to modify the contents,
so local users may be able to execute arbitrary code with local
system privileges.
The advisory indicates confirmation by the vendor, which has released
updated versions.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0004.html
*** {02.40.026} Win - SuperScout Web Reports server multiple vulns
SuperScout Web Reports server has been reported to contain multiple
vulnerabilities: recovery of application usernames and passwords,
access to files outside the Webroot, weak password encryption, denial
of service attack vectors, and SQL injection.
The advisory indicates vendor confirmation. No patches have been
made available.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0005.html
*** {02.40.027} Win - Jetty CGIServlet arbitrary command exec
The Jetty HTTP server prior to version 4.1.0 has been reported to
contain a bug in the CGIServlet handler that lets a remote attacker
execute arbitrary commandline commands on the system.
The advisory indicates confirmation by the vendor, which has released
version 4.1.0.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0006.html
--- Linux News -----------------------------------------------------------
*** {02.40.001} Linux - Update {02.37.002}: Multiple Postgres function
buffer overflows
Mandrake and Conectiva have released updated postgresql packages,
which fix the vulnerability discussed in {02.37.002} ("Multiple
Postgres function buffer overflows").
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0000.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0000.html
Source: Mandrake, Conectiva
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0000.html
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0000.html
*** {02.40.002} Linux - Update {02.39.006}: Fetchmail multiple vulns
Mandrake and EnGarde have released updated fetchmail packages,
which fix the vulnerability discussed in {02.39.006} ("Fetchmail
multiple vulns").
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0001.html
Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0001.html
Source: Mandrake, EnGarde
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0001.html
http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0001.html
*** {02.40.003} Linux - Update {02.31.009}: RPC XDR array decoding
overflow
EnGarde has released updated glibc packages, which fix the
vulnerability discussed in {02.31.009} ("RPC XDR array decoding
overflow").
Updated RPMs are listed at the reference URL below.
Source: EnGarde
http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0000.html
*** {02.40.004} Linux - Update {02.38.003}: xfree86 libX11.so
LD_PRELOAD vuln
Conectiva has released updated Xfree86 packages, which fix the
vulnerability discussed in {02.38.003} ("xfree86 libX11.so LD_PRELOAD
vuln").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0001.html
*** {02.40.005} Linux - Update {02.21.023}: pam_ldap logging function
format string vuln
Red Hat has re-released updated pam_ldap packages, which fix the
vulnerability discussed in {02.21.023} ("pam_ldap logging function
format string vuln").
Updated RPMs are listed at the reference URL below.
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0004.html
*** {02.40.006} Linux - Update {02.38.025}: Tomcat JSP disclosure via
DefaultServlet
Debian has released updated Apache Tomcat packages, which fix the
vulnerability discussed in {02.38.025} ("Tomcat JSP disclosure via
DefaultServlet").
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0068.html
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0068.html
*** {02.40.007} Linux - Update {02.39.013}: gv sscanf() overflow
Red Hat has released updated ggv packages, which fix the vulnerability
discussed in {02.39.013} ("gv sscanf() overflow").
Updated RPMs are listed at the reference URL below.
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0011.html
*** {02.40.008} Linux - Update {02.30.031}: HylaFAX faxgetty TSI DoS
SuSE has released updated hylafax packages, which fix the vulnerability
discussed in {02.30.031} ("HylaFAX faxgetty TSI DoS").
Updated RPMs are listed at the reference URL below.
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2002-q4/0054.html
*** {02.40.009} Linux - Update {02.37.005}: PHP mail() command may
bypass safe_mode
SuSE has released updated php packages, which fix the vulnerability
discussed in {02.37.005} ("PHP mail() command may bypass safe_mode").
Updated RPMs are listed at the reference URL below.
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2002-q4/0055.html
*** {02.40.021} Linux - tkmail insecure temp file handling
Debian has released an advisory that indicates the tkmail application
has been found to insecurely handle temporary files, letting a local
attacker perform a symlink attack.
Updated Debian DEBs are listed at the URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0110.html
--- BSD News -------------------------------------------------------------
*** {02.40.010} BSD - talkd message overflow
NetBSD has released an advisory indicating that the talkd daemon has
a buffer overflow in the handling of incoming messages, which could
result in the execution of arbitrary code.
NetBSD-current and -1.5 as of Sept. 20, 2002, and -1.6 as of Oct. 3,
2002, contain the fixes.
Source: NetBSD
http://archives.neohapsis.com/archives/netbsd/2002-q4/0027.html
*** {02.40.011} BSD - rogue saved game file overflow
NetBSD has released an advisory indicating that the rogue game does
not properly handle saved game files, letting a malicious saved
game file overflow a buffer and execute arbitrary code under group
"games" privileges.
NetBSD-current, -1.5, and -1.6 as of Oct. 3, 2002, contain a fix.
FreeBSD is also reported as vulnerable.
Source: NetBSD
http://archives.neohapsis.com/archives/netbsd/2002-q4/0028.html
*** {02.40.012} BSD - Update {01.33.006}: groff/pic format
vulnerability circumvents -S
NetBSD has released updates, which fix the vulnerability discussed
in {01.33.006} ("groff/pic format vulnerability circumvents -S").
NetBSD-current and -1.5 as of Sept. 28, 2002, and -1.6 as of Oct. 3,
2002, contain the fixes.
Source: NetBSD
http://archives.neohapsis.com/archives/netbsd/2002-q4/0029.html
--- HP-UX News -----------------------------------------------------------
*** {02.40.018} HPUX - Update {02.30.001}: OpenSSL multiple overflows
and ASN1 parse vulns
HP has released patches for VVOS, which fix the vulnerability discussed
in {02.30.001} ("OpenSSL multiple overflows and ASN1 parse vulns").
A full listing of patches for VVOS and WebProxy is available at the
reference URL below.
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q4/0000.html
--- Other News -----------------------------------------------------------
*** {02.40.019} Other - Cisco Unity does not restrict international
operator
Cisco has released an advisory indicating its Unity call-management
suite does not properly restrict access to international operators
under the predefined restriction tables. Unity versions 2.x and 3.x
are affected.
The official fix involves a configuration change; details are at the
URL below.
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2002-q4/0000.html
*** {02.40.022} Other - WASD OpenVMS Webserver multiple vulns
WASD version 8.0 has been reported to contain multiple vulnerabilities
that allow a remote attacker to access files outside the Webroot or
recover system configuration information.
These vulnerabilities have been confirmed by the vendor, which has
released versions 8.0.1 and 7.2.4.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-09/0323.html
*** {02.40.023} Other - OpenVMS POP server file access
HP/Compaq has released an advisory indicating that the POP server
included with TCP/IP Services for OpenVMS version 5.3 and prior may
allow an authorized POP user to access files that would normally be
inaccessible.
This vulnerability has been confirmed; fix information is at the
URL below.
Source: HP/Compaq
http://archives.neohapsis.com/archives/compaq/2002-q4/0000.html
--- Cross-Platform News --------------------------------------------------
*** {02.40.013} Cross - Apache hostname CSS, ab overflow, and shared
mem vulns
Apache versions 1.3.27 and 2.0.43 have been released. They both fix a
cross-site scripting problem in the handling of error messages under
certain configurations. They also fix a buffer overflow in the ab
(apache bench) utility program. Apache version 1.3.27 also fixes a
bug that lets any Apache child (including CGIs) send SIGUSR1 signals
to root processes because of improper handling of the shared memory
scoreboard.
New source tarballs can be downloaded from:
http://httpd.apache.org/
Updated EnGarde RPMs are listed at:
http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0002.html
Updated Conectiva RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0002.html
Source: Apache, EnGarde, Conectiva
http://archives.neohapsis.com/archives/apache/2002/0019.html
http://archives.neohapsis.com/archives/apache/2002/0020.html
http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0002.html
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0002.html
*** {02.40.024} Cross - Sendmail smrsh exec restriction bypass
The Sendmail restricted shell (smrsh) has been found to contain
a parsing vulnerability that allows a local attacker to execute
arbitrary commands. The vulnerability requires malformed entries in
the user's .forward file.
This vulnerability has been confirmed by the vendor, which has released
a patch available at:
http://www.sendmail.org/patches/smrsh-20020924.patch
NetBSD-current, -1.5, and -1.6 as of Oct. 4, 2002, contain the fix.
Source: VulnWatch, NetBSD
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0000.html
http://archives.neohapsis.com/archives/netbsd/2002-q4/0035.html
*** {02.40.028} Cross - CoolForum CGI avatar.php img param file read
The CoolForum CGI suite version 0.5 beta has been reported to contain
a bug in the avatar.php page, allowing a remote attacker to view
arbitrary files readable by the Webserver by manipulating the 'img'
URL parameter.
The advisory indicates confirmation by the vendor, which has released
version 0.5.1, available at:
http://www.coolforum.net/index.php?p=dlcoolforum
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0001.html
*** {02.40.029} Cross - Bugzilla multiple vulns
The Bugzilla CGI suite prior to version 2.16.1 has been reported to
contain three vulnerabilities: improper enforcement of group
permissions, SQL injection during account creation, and a bug in
bugzilla_e-mail_append.pl that may allow command execution.
These vulnerabilities have been confirmed by the vendor, which has
released version 2.16.1, available at:
http://www.bugzilla.org/download.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0008.html
*** {02.40.030} Cross - Multiple vendor long ZIP filename vuln
Various .ZIP handling applications have been found to crash or
otherwise exhibit buffer overflow conditions when attempting to unzip
a malicious .ZIP file containing long filenames. Affected programs
reported include Lotus Notes, Aladdin Systems StuffIt Expander and
Verity KeyView SDK. WinRAR, WinZip, and the zlib library are said
not to be vulnerable. Microsoft Windows versions are vulnerable,
but they are reported separately in this issue ({02.40.014}).
The appropriate vendor should be contacted for a fix.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0009.html
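The filename-length field is what these extractors mishandle, so an added Python pre-screen (not from any vendor advisory; it serves both this item and {02.40.014}) walks an archive's central directory and reports entries whose stored name length exceeds a policy threshold, before any extractor touches the file. The 255-byte threshold and the in-memory sample archive are constructed for the demonstration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header
# Assumed policy threshold: names longer than this are refused before
# extraction. The on-disk field is 16 bits, so a name can be up to 65535
# bytes, far beyond what a fixed-size buffer in an extractor may expect.
MAX_NAME_LEN = 255


def scan_zip_filenames(data: bytes, max_name_len: int = MAX_NAME_LEN) -> list[dict]:
    """Walk the central directory of a ZIP image and return the entries whose
    stored filename length exceeds max_name_len. Raises ValueError when the
    directory structure itself is inconsistent (also a reason to refuse)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, disk no, cd disk, entries on disk, total entries,
    #       cd size, cd offset, comment length
    _, _, _, _, total, cd_size, cd_off, _ = struct.unpack(
        "<4sHHHHIIH", data[eocd:eocd + 22])
    if cd_off + cd_size > eocd:
        raise ValueError("central directory extends past its own end record")
    flagged = []
    pos = cd_off
    for _ in range(total):
        if pos + 46 > len(data) or data[pos:pos + 4] != CDIR_SIG:
            raise ValueError(f"bad central directory header at offset {pos}")
        fields = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        name = data[pos + 46:pos + 46 + name_len]
        if name_len > max_name_len:
            flagged.append({"offset": pos, "name_len": name_len,
                            "name_prefix": name[:32].decode("latin-1")})
        pos += 46 + name_len + extra_len + comment_len
    return flagged


def build_sample_zip(long_name_len: int = 300) -> bytes:
    """Constructed sample archive: one benign entry and one whose name is
    long_name_len 'a' characters plus '.txt'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("a" * long_name_len + ".txt", "filler")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip_filenames(build_sample_zip()):
        print(f"refuse: entry at {hit['offset']} has a {hit['name_len']}-byte name")
```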
************************************************************************
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus_at_nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus_at_nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info_at_neohapsis.com | http://www.neohapsis.com/).