From: Network Computing and The SANS Institute (sans+ZZ39768773208024832_at_sans.org)
Date: Thu Jan 16 2003 - 14:13:38 CST


    Re: Your personalized newsletter

                     -- Security Alert Consensus --
                           Number 002 (03.02)
                      Thursday, January 16, 2003
                           Created for you by
                Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ************************* Begin Advertisement ************************

    This issue sponsored by Internet Security Systems.

    Are IM and P2P Technologies Undermining Your Security?
    Instant Messaging and peer-to-peer (P2P) technologies are great
    communication tools. But do you know who, or what, these clients might
    be letting into your network? And why they are popular targets for
    attacks against corporate networks?
    Download this Internet Security Systems white paper and learn how to
    balance the benefits of instant messaging and P2P against the risk of
    attack. Click here:
    http://www.iss.net/ad/p2p_cmpnetcompsans011603

    ************************** End Advertisement *************************

    An interesting, recently released advisory details how, on some
    operating systems using certain network card drivers, very small
    Ethernet packets may 'leak' data from prior packets. The bug stems
    from the way the driver reuses internal data buffers and the way it
    may send a larger packet to meet a minimum packet size. Those of you
    interested in this phenomenon can read more at:
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0008.html
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0016.html
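    A defender-side check for the padding problem described above, added here as an example and not part of the newsletter or the advisories it links: it parses IPv4-over-Ethernet frames, locates the end of the datagram from the IP total-length field, and flags any frame whose trailing pad bytes are not all zero. The sample frames, MAC and IP addresses are constructed for the example.

```python
import struct

ETH_HDR_LEN = 14
IPV4_MIN_HDR_LEN = 20
MIN_FRAME_LEN = 60          # Ethernet minimum frame size without the 4-byte FCS
ETHERTYPE_IPV4 = 0x0800


def padding_bytes(frame: bytes) -> bytes:
    """Return the trailer that follows the IPv4 datagram in an Ethernet frame.

    The IP total-length field says where the datagram ends; anything after it
    is padding the sender added to reach the minimum frame size. Non-IPv4,
    truncated or malformed frames yield b'' because there is nothing to judge.
    """
    if len(frame) < ETH_HDR_LEN + IPV4_MIN_HDR_LEN:
        return b""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return b""
    ip = frame[ETH_HDR_LEN:]
    if ip[0] >> 4 != 4:
        return b""
    (total_length,) = struct.unpack("!H", ip[2:4])
    if total_length < IPV4_MIN_HDR_LEN or total_length > len(ip):
        return b""
    return ip[total_length:]


def padding_is_clean(frame: bytes) -> bool:
    """True when every pad byte is zero, as a correctly behaving driver sends."""
    return not any(padding_bytes(frame))


def scan_frames(frames) -> list:
    """Return (index, trailer) for every frame whose padding is not all zero."""
    return [(i, padding_bytes(f)) for i, f in enumerate(frames)
            if not padding_is_clean(f)]


def build_frame(ip_payload: bytes, trailer: bytes) -> bytes:
    """Constructed test frame (not a real capture): Ethernet + minimal IPv4
    header + payload, then whatever trailer the caller supplies, standing in
    for the bytes a driver appends to reach MIN_FRAME_LEN."""
    total_length = IPV4_MIN_HDR_LEN + len(ip_payload)
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, total_length, 0, 0, 64, 1, 0,
                            bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth_header = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                  + struct.pack("!H", ETHERTYPE_IPV4))
    return eth_header + ip_header + ip_payload + trailer


# Constructed sample: an 8-byte ICMP echo request gives a 42-byte frame,
# so 18 pad bytes are needed to reach the 60-byte minimum.
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
PAD_LEN = MIN_FRAME_LEN - (ETH_HDR_LEN + IPV4_MIN_HDR_LEN + len(ICMP_ECHO))
CLEAN_FRAME = build_frame(ICMP_ECHO, b"\x00" * PAD_LEN)
LEAKY_FRAME = build_frame(ICMP_ECHO, b"LEAKED-SECRET-DATA"[:PAD_LEN])

if __name__ == "__main__":
    for idx, trailer in scan_frames([CLEAN_FRAME, LEAKY_FRAME]):
        print(f"frame {idx}: non-zero padding {trailer!r}")
```

    Run against frames pulled from a capture, a non-zero trailer does not prove a leak of sensitive data by itself, but it does show the sending driver is not zero-filling its pad and warrants a closer look at that host.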

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {03.02.022} Win - CuteFTP large banner overflow
    {03.02.001} Linux - Update {02.35.003}: Ethereal ISIS decode overflow
    {03.02.002} Linux - Update {02.29.004}: libpng progressive image
                loading overflows
    {03.02.003} Linux - Update {03.01.010}: CUPS multiple vulnerabilities
    {03.02.004} Linux - Update {02.49.008}: OpenLDAP2 multiple
                vulnerabilities
    {03.02.005} Linux - Update {03.01.028}: libmcrypt buffer overflows and
                memory leak
    {03.02.006} Linux - Update {03.01.033}: xpdf/pdftops integer overflow
    {03.02.007} Linux - Update {02.46.014}: dhcpcd response command
                execution
    {03.02.008} Linux - Update {02.49.013}: Canna two local vulnerabilities
    {03.02.010} Linux - Update {02.50.024}: Fetchmail local address
                creation vulnerability
    {03.02.013} SCO - ps command-line overflow
    {03.02.018} NetDev - Efficient Networks 5861 DSL router portscan DoS
    {03.02.009} Cross - GeneWeb HTTP server arbitrary file reading
    {03.02.011} Cross - Multiple Half-Life client/server vulnerabilities
    {03.02.012} Cross - mpg123 large frame overflow
    {03.02.014} Cross - IMP CGI various SQL injection
    {03.02.015} Cross - ColdFusion MX file includes sandbox bypass
    {03.02.016} Cross - Bugzilla backup configuration password disclosure
    {03.02.017} Cross - Multiple PHP script vulnerabilities 01/15
    {03.02.019} Cross - BitKeeper daemon remote command execution
    {03.02.020} Cross - KDE parameter mishandling on shell commands
    {03.02.021} Cross - leafnode message cross-posting DoS
    {03.02.023} Cross - HSphere WebShell boundary overflow
    {03.02.024} Cross - Tomcat direct invoker request reveals source

    --- Windows News -------------------------------------------------------

    *** {03.02.022} Win - CuteFTP large banner overflow

    The CuteFTP client version 1.4.x crashes when handling a large server
    FTP banner. It's unclear at this time if the execution of arbitrary
    code is possible.

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0001.html

    --- Linux News ---------------------------------------------------------

    *** {03.02.001} Linux - Update {02.35.003}: Ethereal ISIS decode
                    overflow

    Red Hat released updated Ethereal packages, which fix the vulnerability
    discussed in {02.35.003} ("Ethereal ISIS decode overflow").

    Updated RPMs are listed at the reference URL below.

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0004.html

    *** {03.02.002} Linux - Update {02.29.004}: libpng progressive image
                    loading overflows

    Multiple vendors released updated libpng packages, which fix the
    vulnerability discussed in {02.29.004} ("libpng progressive image
    loading overflows").

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0006.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2003-q1/0096.html

    Source: Red Hat, SuSE
    http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0006.html
    http://archives.neohapsis.com/archives/linux/suse/2003-q1/0096.html

    *** {03.02.003} Linux - Update {03.01.010}: CUPS multiple
                    vulnerabilities

    Multiple vendors released updated CUPS packages, which fix
    the vulnerability discussed in {03.01.010} ("CUPS multiple
    vulnerabilities").

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0008.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0016.html

    Source: Red Hat, Mandrake
    http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0008.html
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0016.html

    *** {03.02.004} Linux - Update {02.49.008}: OpenLDAP2 multiple
                    vulnerabilities

    Multiple vendors released updated OpenLDAP packages, which fix
    the vulnerabilities discussed in {02.49.008} ("OpenLDAP2 multiple
    vulnerabilities").

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2003-q1/0014.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0027.html

    Source: Debian, Mandrake
    http://archives.neohapsis.com/archives/vendor/2003-q1/0014.html
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0027.html

    *** {03.02.005} Linux - Update {03.01.028}: libmcrypt buffer overflows
                    and memory leak

    Debian released updated libmcrypt packages, which fix the vulnerability
    discussed in {03.01.028} ("libmcrypt buffer overflows and memory
    leak").

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2003-q1/0016.html

    *** {03.02.006} Linux - Update {03.01.033}: xpdf/pdftops integer
                    overflow

    Multiple vendors released updated xpdf packages, which fix the
    vulnerability discussed in {03.01.033} ("xpdf/pdftops integer
    overflow").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0017.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2003-q1/0012.html

    Source: Mandrake, Debian
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0017.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0012.html

    *** {03.02.007} Linux - Update {02.46.014}: dhcpcd response command
                    execution

    Mandrake released updated dhcpcd packages, which fix the vulnerability
    discussed in {02.46.014} ("dhcpcd response command execution").

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0018.html

    *** {03.02.008} Linux - Update {02.49.013}: Canna two local
                    vulnerabilities

    Debian released updated Canna packages, which fix the vulnerabilities
    discussed in {02.49.013} ("Canna two local vulnerabilities").

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2003-q1/0010.html

    *** {03.02.010} Linux - Update {02.50.024}: Fetchmail local address
                    creation vulnerability

    Caldera released updated Fetchmail packages, which fix the
    vulnerability discussed in {02.50.024} ("Fetchmail local address
    creation vulnerability").

    Updated RPMs are listed at the reference URL below.

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2003-q1/0000.html

    --- SCO News -----------------------------------------------------------

    *** {03.02.013} SCO - ps command-line overflow

    A SCO advisory indicates the 'ps' command-line utility contains a
    buffer overflow in the handling of command-line arguments. Exploitation
    allows the running of arbitrary code with elevated privileges.

    Updated binaries are available at:
    ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2003-SCO.1

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2003-q1/0002.html

    --- Network Devices News -----------------------------------------------

    *** {03.02.018} NetDev - Efficient Networks 5861 DSL router portscan DoS

    The Efficient Networks 5861 DSL router becomes unresponsive
    after receiving a portscan. This bug only manifests under certain
    configurations.

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0015.html

    --- Cross-Platform News ------------------------------------------------

    *** {03.02.009} Cross - GeneWeb HTTP server arbitrary file reading

    The GeneWeb genealogical package contains a vulnerability in the
    included HTTP server that allows a remote attacker to access files
    outside the Web root.

    Debian confirmed this vulnerability and released updated DEBs,
    listed below.

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2003-q1/0008.html

    *** {03.02.011} Cross - Multiple Half-Life client/server vulnerabilities

    Multiple advisories detail various vulnerabilities in many Half-Life
    client and server add-on modules. The list of vulnerabilities includes:

    Clanmod: format string vulnerability
    Adminmod: format string vulnerability
    HLTV: denial of service
    Statsme: buffer overflow and format string vulnerability
    Amx: format string vulnerability

    Another post indicates some of the format string vulnerabilities are
    within the Half-Life client itself and affect all modules loaded.

    These vulnerabilities are not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0072.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0073.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0074.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0076.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0077.html

    *** {03.02.012} Cross - mpg123 large frame overflow

    The mpg123 MP3 player version 0.59s contains a buffer overflow in
    the handling of malicious MP3 files, which allows the execution of
    arbitrary code.

    This vulnerability is not confirmed. Prior versions do not appear to
    be vulnerable.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0019.html

    *** {03.02.014} Cross - IMP CGI various SQL injection

    The IMP PHP CGI suite version 2.x is reportedly vulnerable to SQL
    injection in various areas, thereby allowing a remote attacker to
    manipulate the database and log in to IMP without proper credentials.

    These vulnerabilities are not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0012.html

    *** {03.02.015} Cross - ColdFusion MX file includes sandbox bypass

    A Macromedia/Allaire advisory indicates that it's possible for
    ColdFusion MX CFM templates to bypass sandbox security restrictions
    by including other arbitrary files.

    The vendor confirmed this vulnerability.

    Source: Macromedia/Allaire
    http://archives.neohapsis.com/archives/vendor/2003-q1/0013.html

    *** {03.02.016} Cross - Bugzilla backup configuration password
                    disclosure

    New versions of Bugzilla were released. These fix a file system
    permissions problem and contain changes to the .htaccess file to keep
    remote attackers from downloading backup configuration files produced
    by various text editors.

    Versions 2.14.5 and 2.16.2 fix the problem.

    Source: Bugzilla (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0009.html

    *** {03.02.017} Cross - Multiple PHP script vulnerabilities 01/15

    Various PHP scripts reportedly contain vulnerabilities. Rather than
    make individual entries for each, we are grouping them as one entry. If
    your site uses third-party PHP scripts, then you should review the
    list below.

    N/X 2000pre1: remote file include/code execution
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0005.html

    S8 Forum 3.0: remote code execution
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0004.html

    E-theni: remote file include/code execution
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0009.html

    Bookmark4U 1.8.3: remote file include/code execution
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0049.html

    Active PHP Bookmarks 1.1.01: remote file include/code execution
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0049.html

    Versatile BulletinBoard 0.9.6: privilege elevation
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0017.html

    SPGpartenaires 3.0.1: SQL tampering
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0214.html

    W-Agora forum: remote file include/code execution, XSS
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0225.html

    Gallery 1.3.2: remote file include/code execution
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0260.html

    Mambo Site Server 4.0.12: file upload/code execution, XSS
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0075.html

    Source: SecurityFocus Bugtraq, VulnWatch
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0005.html
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0004.html
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0009.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0049.html
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0017.html
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0214.html
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0225.html
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0260.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0075.html

    *** {03.02.019} Cross - BitKeeper daemon remote command execution

    When running in daemon mode, the BitKeeper project management suite
    version 3.0.x contains a vulnerability that allows a remote attacker
    to execute arbitrary command-line commands.

    The advisory indicates vendor confirmation.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0018.html

    *** {03.02.020} Cross - KDE parameter mishandling on shell commands

    KDE versions 2.x and 3.0.x up to 3.0.5 do not properly quote shell
    metacharacters before passing data to a local shell, thereby allowing
    certain instances of command-line command execution.

    KDE confirmed this vulnerability. Version 3.0.5a and after contain
    the fixes.

    Mandrake also released updated RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0025.html

    Source: SecurityFocus Bugtraq, Mandrake
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0226.html
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0025.html

    *** {03.02.021} Cross - leafnode message cross-posting DoS

    The leafnode NNTP proxy versions 1.9.20 through 1.9.29 go into an
    infinite loop when handling a particular set of cross-posted messages,
    which leads to a denial of service.

    This vulnerability is confirmed and fixed in version 1.9.30.

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0028.html

    Source: VulnWatch, Mandrake
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0123.html
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0028.html

    *** {03.02.023} Cross - HSphere WebShell boundary overflow

    HSphere WebShell version 20020224 contains a remotely exploitable
    buffer overflow in the handling of large boundary strings, thereby
    allowing the execution of arbitrary code.

    The advisory indicates vendor confirmation and the release of an
    update, available at:
    http://www.hsphere.com/WebShell-2.4.tar.gz

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0028.html

    *** {03.02.024} Cross - Tomcat direct invoker request reveals source

    Apache Tomcat versions 4.x contain a vulnerability that allows a remote
    attacker to gain access to JSP source and otherwise protected static
    files by directly requesting the Apache static file handling servlet.

    This vulnerability is confirmed and fixed in the latest Tomcat version.

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2003-q1/0011.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2003-q1/0011.html

    ************************************************************************

    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).