From: Network Computing and The SANS Institute (sans+ZZ39321938441343775_at_sans.org)
Date: Thu Oct 10 2002 - 13:45:50 CDT


    Re: Your personalized newsletter

                     -- Security Alert Consensus --
                           Number 040 (02.40)
                      Thursday, October 10, 2002
                           Created for you by
                Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensusnwc.com>.

    ************************* Begin Advertisement ************************

    This issue sponsored by SPI Dynamics

    ALERT! - Cross-Site Scripting Attacks on Web Applications

    Cross-site scripting vulnerabilities in web applications allow hackers
    to compromise confidential information, manipulate or steal cookies,
    and create requests that can be mistaken for those of a valid user!!
    All undetectable by IDS! Download this *FREE* white paper from SPI
    Dynamics for a complete guide to protection!
    http://www.spidynamics.com/mktg/xss11

    ************************** End Advertisement *************************

    Between Sept. 28 and Oct. 6 the official Sendmail FTP site
    (ftp.sendmail.org) was found to be hosting trojaned copies of the
    sendmail.8.12.6.tar.(gz/Z) files. The trojan is only triggered during
    the compilation process. If you downloaded Sendmail source code during
    that time frame, you should verify you are not using a trojan copy.
    http://archives.neohapsis.com/archives/cc/2002-q4/0000.html

    In an attempt to decrease the amount of "unrelated" alerts most
    people receive, we are now going to avoid reporting cross-site
    scripting vulnerabilities in anything but the major software packages.
    Cross-site scripting vulnerabilities are a class of bugs where an
    unwary CGI application or Web server echoes back the parameters it
    receives without escaping the HTML/JavaScript they contain. The
    exploitation involves tricking a user into clicking a link on a Web
    site or in an e-mail, which will then go to your site and feed your
    CGI malicious JavaScript, causing the JavaScript to execute in the
    user's browser in the context of your site. The vulnerability preys
    on unsuspecting users and does not affect the overall security of the
    server (unless you run CGI apps that toss around administrative HTTP
    cookies).
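    The bug class described above, as an added example that is not code from
    the newsletter: a minimal CGI-style handler that reflects a query
    parameter, first verbatim (the defect) and then HTML-escaped (the fix),
    plus a check that tells the two apart. The parameter name 'name' and the
    sample request are constructed for this illustration.

```python
# Added example, not from the newsletter: reflected parameter handling in a
# CGI-style page, vulnerable form beside the escaped form. The parameter
# name 'name' and SAMPLE_QUERY below are constructed for illustration.
import html
from urllib.parse import parse_qs


def first_param(query_string: str, key: str) -> str:
    """Return the first value of `key` from a raw query string ('' if absent).
    parse_qs also URL-decodes, which is where %3C turns back into '<'."""
    return parse_qs(query_string, keep_blank_values=True).get(key, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """The unwary CGI: the 'name' parameter is printed straight into the
    page, so any markup it carries is interpreted by the user's browser in
    this site's context."""
    name = first_param(query_string, "name")
    return f"<html><body><h1>Hello, {name}</h1></body></html>"


def render_safe(query_string: str) -> str:
    """Same page, but the parameter is HTML-escaped (including quotes, so
    it is also safe inside an attribute) before being reflected; the
    browser then renders it as text rather than as markup."""
    name = first_param(query_string, "name")
    safe_name = html.escape(name, quote=True)
    return f"<html><body><h1>Hello, {safe_name}</h1></body></html>"


def reflects_markup(page: str, param_value: str) -> bool:
    """Check used when reviewing a CGI: does a parameter containing markup
    come back unchanged in the response body? True means live markup was
    reflected, i.e. the page is exploitable in the way described above."""
    return "<" in param_value and param_value in page


# Constructed sample request: a URL-encoded script tag in 'name', the kind
# of value a crafted link in an e-mail would carry to the target site.
SAMPLE_QUERY = "name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"

if __name__ == "__main__":
    payload = first_param(SAMPLE_QUERY, "name")
    for label, render in (("vulnerable", render_vulnerable), ("escaped", render_safe)):
        print(f"{label:10s} reflects markup: {reflects_markup(render(SAMPLE_QUERY), payload)}")
```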

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.40.014} Win - MS02-054: Compressed folders filename buffer overflow
    {02.40.015} Win - MS02-055: Windows help control buffer overflow
    {02.40.016} Win - MS02-056: SQL Server cumulative patch
    {02.40.017} Win - MS02-057: Services for Unix Interix SDK vulns
    {02.40.020} Win - PowerFTP USER overflow
    {02.40.025} Win - MySQL my.ini datadir overflow
    {02.40.026} Win - SuperScout Web Reports server multiple vulns
    {02.40.027} Win - Jetty CGIServlet arbitrary command exec
    {02.40.001} Linux - Update {02.37.002}: Multiple Postgres function
                buffer overflows
    {02.40.002} Linux - Update {02.39.006}: Fetchmail multiple vulns
    {02.40.003} Linux - Update {02.31.009}: RPC XDR array decoding overflow
    {02.40.004} Linux - Update {02.38.003}: xfree86 libX11.so LD_PRELOAD
                vuln
    {02.40.005} Linux - Update {02.21.023}: pam_ldap logging function
                format string vuln
    {02.40.006} Linux - Update {02.38.025}: Tomcat JSP disclosure via
                DefaultServlet
    {02.40.007} Linux - Update {02.39.013}: gv sscanf() overflow
    {02.40.008} Linux - Update {02.30.031}: HylaFAX faxgetty TSI DoS
    {02.40.009} Linux - Update {02.37.005}: PHP mail() command may bypass
                safe_mode
    {02.40.021} Linux - tkmail insecure temp file handling
    {02.40.010} BSD - talkd message overflow
    {02.40.011} BSD - rogue saved game file overflow
    {02.40.012} BSD - Update {01.33.006}: groff/pic format vulnerability
                circumvents -S
    {02.40.018} HPUX - Update {02.30.001}: OpenSSL multiple overflows and
                ASN1 parse vulns
    {02.40.019} Other - Cisco Unity does not restrict international operator
    {02.40.022} Other - WASD OpenVMS Webserver multiple vulns
    {02.40.023} Other - OpenVMS POP server file access
    {02.40.013} Cross - Apache hostname CSS, ab overflow, and shared mem
                vulns
    {02.40.024} Cross - Sendmail smrsh exec restriction bypass
    {02.40.028} Cross - CoolForum CGI avatar.php img param file read
    {02.40.029} Cross - Bugzilla multiple vulns
    {02.40.030} Cross - Multiple vendor long ZIP filename vuln

    - --- Windows News -------------------------------------------------------

    *** {02.40.014} Win - MS02-054: Compressed folders filename buffer
                    overflow

    Microsoft has released MS02-054 ("Compressed folders filename buffer
    overflow"). The "compressed folders" feature included with Windows
    ME and XP, as well as with the Win 98 Plus! Pack, has been found to
    contain a buffer overflow in the handling of malicious .ZIP files,
    letting the .ZIP file execute arbitrary code on the user's system.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-054.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/microsoft/2002-q4/0000.html

    *** {02.40.015} Win - MS02-055: Windows help control buffer overflow

    Microsoft has released MS02-055 ("Windows help control buffer
    overflow"). An ActiveX control included with the HTML Help suite
    packaged with Windows (98 through XP) contains a buffer overflow in
    the handling of a parameter that would let a malicious e-mail or Web
    site execute arbitrary code on the user's system.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-055.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/microsoft/2002-q4/0002.html

    *** {02.40.016} Win - MS02-056: SQL Server cumulative patch

    Microsoft has released MS02-056 ("SQL Server cumulative patch"). This
    cumulative patch contains all prior SQL Server patches as well as
    fixes for new vulnerabilities: a buffer overflow in the handling of
    authentication, a buffer overflow in the DBCCs, and the ability for a
    nonprivileged user to use scheduled SQL jobs to overwrite system files.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-056.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/microsoft/2002-q4/0001.html

    *** {02.40.017} Win - MS02-057: Services for Unix Interix SDK vulns

    Microsoft has released MS02-057 ("Services for Unix Interix SDK
    vulns"). Services for Unix version 3.0 included the Interix SDK for
    developing RPC services. These libraries have been found to contain
    various buffer overflows and denial of service attack vectors.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-057.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/microsoft/2002-q4/0003.html

    *** {02.40.020} Win - PowerFTP USER overflow

    PowerFTP server has been reported to contain a buffer overflow in the
    handling of large USER strings. It is unknown at this time whether
    arbitrary code execution is possible.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0075.html

    *** {02.40.025} Win - MySQL my.ini datadir overflow

    The Windows version of MySQL 3.23.49 has been found to contain a buffer
    overflow in handling the datadir variable contained in the my.ini file.
    The permissions on this file allow local users to modify the contents,
    so local users may be able to execute arbitrary code with local
    system privileges.

    The advisory indicates confirmation by the vendor, which has released
    updated versions.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0004.html

    *** {02.40.026} Win - SuperScout Web Reports server multiple vulns

    SuperScout Web Reports server has been reported to contain multiple
    vulnerabilities: recovery of application usernames and passwords,
    access to files outside the Webroot, weak password encryption, denial
    of service attack vectors, and SQL injection.

    The advisory indicates vendor confirmation. No patches have been
    made available.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0005.html

    *** {02.40.027} Win - Jetty CGIServlet arbitrary command exec

    The Jetty HTTP server prior to version 4.1.0 has been reported to
    contain a bug in the CGIServlet handler that lets a remote attacker
    execute arbitrary commandline commands on the system.

    The advisory indicates confirmation by the vendor, which has released
    version 4.1.0.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0006.html

    - --- Linux News ---------------------------------------------------------

    *** {02.40.001} Linux - Update {02.37.002}: Multiple Postgres function
                    buffer overflows

    Mandrake and Conectiva have released updated postgresql packages,
    which fix the vulnerability discussed in {02.37.002} ("Multiple
    Postgres function buffer overflows").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0000.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0000.html

    Source: Mandrake, Conectiva
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0000.html
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0000.html

    *** {02.40.002} Linux - Update {02.39.006}: Fetchmail multiple vulns

    Mandrake and EnGarde have released updated fetchmail packages,
    which fix the vulnerability discussed in {02.39.006} ("Fetchmail
    multiple vulns").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0001.html

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0001.html

    Source: Mandrake, EnGarde
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0001.html
    http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0001.html

    *** {02.40.003} Linux - Update {02.31.009}: RPC XDR array decoding
                    overflow

    EnGarde has released updated glibc packages, which fix the
    vulnerability discussed in {02.31.009} ("RPC XDR array decoding
    overflow").

    Updated RPMs are listed at the reference URL below.

    Source: EnGarde
    http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0000.html

    *** {02.40.004} Linux - Update {02.38.003}: xfree86 libX11.so
                    LD_PRELOAD vuln

    Conectiva has released updated Xfree86 packages, which fix the
    vulnerability discussed in {02.38.003} ("xfree86 libX11.so LD_PRELOAD
    vuln").

    Updated RPMs are listed at the reference URL below.

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0001.html

    *** {02.40.005} Linux - Update {02.21.023}: pam_ldap logging function
                    format string vuln

    Red Hat has re-released updated pam_ldap packages, which fix the
    vulnerability discussed in {02.21.023} ("pam_ldap logging function
    format string vuln").

    Updated RPMs are listed at the reference URL below.

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0004.html

    *** {02.40.006} Linux - Update {02.38.025}: Tomcat JSP disclosure via
                    DefaultServlet

    Debian has released updated Apache Tomcat packages, which fix the
    vulnerability discussed in {02.38.025} ("Tomcat JSP disclosure via
    DefaultServlet").

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0068.html

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0068.html

    *** {02.40.007} Linux - Update {02.39.013}: gv sscanf() overflow

    Red Hat has released updated ggv packages, which fix the vulnerability
    discussed in {02.39.013} ("gv sscanf() overflow").

    Updated RPMs are listed at the reference URL below.

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0011.html

    *** {02.40.008} Linux - Update {02.30.031}: HylaFAX faxgetty TSI DoS

    SuSE has released updated hylafax packages, which fix the vulnerability
    discussed in {02.30.031} ("HylaFAX faxgetty TSI DoS").

    Updated RPMs are listed at the reference URL below.

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/0054.html

    *** {02.40.009} Linux - Update {02.37.005}: PHP mail() command may
                    bypass safe_mode

    SuSE has released updated php packages, which fix the vulnerability
    discussed in {02.37.005} ("PHP mail() command may bypass safe_mode").

    Updated RPMs are listed at the reference URL below.

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/0055.html

    *** {02.40.021} Linux - tkmail insecure temp file handling

    Debian has released an advisory that indicates the tkmail application
    has been found to insecurely handle temporary files, letting a local
    attacker perform a symlink attack.

    Updated Debian DEBs are listed at the URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0110.html

    - --- BSD News -----------------------------------------------------------

    *** {02.40.010} BSD - talkd message overflow

    NetBSD has released an advisory indicating that the talkd daemon has
    a buffer overflow in the handling of incoming messages, which could
    result in the execution of arbitrary code.

    NetBSD-current and -1.5 as of Sept. 20, 2002, and -1.6 as of Oct. 3,
    2002, contain the fixes.

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2002-q4/0027.html

    *** {02.40.011} BSD - rogue saved game file overflow

    NetBSD has released an advisory indicating that the rogue game does
    not properly handle saved game files, letting a malicious saved
    game file overflow a buffer and execute arbitrary code under group
    "games" privileges.

    NetBSD-current, -1.5, and -1.6 as of Oct. 3, 2002, contain a fix.
    FreeBSD is also reported as vulnerable.

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2002-q4/0028.html

    *** {02.40.012} BSD - Update {01.33.006}: groff/pic format
                    vulnerability circumvents -S

    NetBSD has released updates, which fix the vulnerability discussed
    in {01.33.006} ("groff/pic format vulnerability circumvents -S").

    NetBSD-current and -1.5 as of Sept. 28, 2002, and -1.6 as of Oct. 3,
    2002, contain the fixes.

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2002-q4/0029.html

    - --- HP-UX News ---------------------------------------------------------

    *** {02.40.018} HPUX - Update {02.30.001}: OpenSSL multiple overflows
                    and ASN1 parse vulns

    HP has released patches for VVOS, which fix the vulnerability discussed
    in {02.30.001} ("OpenSSL multiple overflows and ASN1 parse vulns").

    A full listing of patches for VVOS and WebProxy is given at the
    reference URL below.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q4/0000.html

    - --- Other News ---------------------------------------------------------

    *** {02.40.019} Other - Cisco Unity does not restrict international
                    operator

    Cisco has released an advisory indicating its Unity call-management
    suite does not properly restrict access to international operators
    under the predefined restriction tables. Unity versions 2.x and 3.x
    are affected.

    The official fix involves a configuration change; details are at the
    URL below.

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2002-q4/0000.html

    *** {02.40.022} Other - WASD OpenVMS Webserver multiple vulns

    WASD version 8.0 has been reported to contain multiple vulnerabilities
    that allow a remote attacker to access files outside the Webroot or
    recover system configuration information.

    These vulnerabilities have been confirmed by the vendor, which has
    released versions 8.0.1 and 7.2.4.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0323.html

    *** {02.40.023} Other - OpenVMS POP server file access

    HP/Compaq has released an advisory indicating that the POP server
    included with the TCP/IP Services for OpenVMS version 5.3 and prior may
    allow an authorized POP user to access files that are normally
    inaccessible.

    This vulnerability has been confirmed; fix information is at the
    URL below.

    Source: HP/Compaq
    http://archives.neohapsis.com/archives/compaq/2002-q4/0000.html

    - --- Cross-Platform News ------------------------------------------------

    *** {02.40.013} Cross - Apache hostname CSS, ab overflow, and shared
                    mem vulns

    Apache versions 1.3.27 and 2.0.43 have been released. They both fix a
    cross-site scripting problem in the handling of error messages under
    certain configurations. They also fix a buffer overflow in the ab
    (apache bench) utility program. Apache version 1.3.27 also fixes a
    bug that lets any Apache child (including CGIs) send SIGUSR1 signals
    to root processes because of improper handling of the shared memory
    scoreboard.

    New source tarballs can be downloaded from:
    http://httpd.apache.org/

    Updated EnGarde RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0002.html

    Updated Conectiva RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0002.html

    Source: Apache, EnGarde, Conectiva
    http://archives.neohapsis.com/archives/apache/2002/0019.html
    http://archives.neohapsis.com/archives/apache/2002/0020.html
    http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0002.html
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0002.html

    *** {02.40.024} Cross - Sendmail smrsh exec restriction bypass

    The Sendmail restricted shell (smrsh) has been found to contain
    a parsing vulnerability that allows a local attacker to execute
    arbitrary commands. The vulnerability requires malformed entries in
    the user's .forward file.

    This vulnerability has been confirmed by the vendor, which has released
    a patch available at:
    http://www.sendmail.org/patches/smrsh-20020924.patch

    NetBSD-current, -1.5, and -1.6 as of Oct. 4, 2002, contain the fix.

    Source: VulnWatch, NetBSD
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0000.html
    http://archives.neohapsis.com/archives/netbsd/2002-q4/0035.html

    *** {02.40.028} Cross - CoolForum CGI avatar.php img param file read

    The CoolForum CGI suite version 0.5 beta has been reported to contain
    a bug in the avatar.php page, allowing a remote attacker to view
    arbitrary files readable by the Webserver by manipulating the 'img'
    URL parameter.

    The advisory indicates confirmation by the vendor, which has released
    version 0.5.1, available at:
    http://www.coolforum.net/index.php?p=dlcoolforum

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0001.html

    *** {02.40.029} Cross - Bugzilla multiple vulns

    The Bugzilla CGI suite prior to version 2.16.1 has been reported to
    contain three vulnerabilities: improper enforcement of group
    permissions, SQL injection during account creation, and a flaw in
    bugzilla_e-mail_append.pl that may allow command execution.

    These vulnerabilities have been confirmed by the vendor, which has
    released version 2.16.1, available at:
    http://www.bugzilla.org/download.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0008.html

    *** {02.40.030} Cross - Multiple vendor long ZIP filename vuln

    Various .ZIP handling applications have been found to crash or
    otherwise exhibit buffer overflow conditions when attempting to unzip
    a malicious .ZIP file containing long filenames. Affected programs
    reported include Lotus Notes, Aladdin Systems StuffIt Expander and
    Verity KeyView SDK. WinRAR, WinZip, and the zlib library are said
    to be not vulnerable. Microsoft Windows versions are vulnerable,
    but they are reported separately in this issue.

    The appropriate vendor should be contacted for a fix.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0009.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9pcjt+LUG5KFpTkYRAk2UAJ9JP1TNu32RhWjXYhmeBVypalHEmwCfRQ8/
    qAaOhIfdBkPFRQMdZftN060=
    =3ens
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensusnwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensusnwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (infoneohapsis.com | http://www.neohapsis.com/).