 
From: Network Computing and The SANS Institute (sans+ZZ93131681247185285_at_sans.org)
Date: Thu Feb 27 2003 - 14:44:40 CST


    Re: Your personalized newsletter

                     -- Security Alert Consensus --
                           Number 008 (03.08)
                      Thursday, February 27, 2003
                           Created for you by
                Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ************************* Begin Advertisement ************************

    This issue sponsored by SPI Dynamics.

    ALERT: How a Hacker Launches a Web Application Attack Step-by-Step
    Learn why 70% of today's successful hacks involve Web Application
    attacks such as: SQL Injection, XSS, Cookie Manipulation, Session
    Hijacking and Parameter Manipulation.
    All undetectable by Firewalls and IDS!
    Download a *FREE* white paper from SPI Dynamics for a complete guide to
    protection!
    http://www.spidynamics.com/mktg/webappsecurity55

    ************************** End Advertisement *************************

    A small report surfaced this week detailing how various
    online game servers can be used to amplify denial of service
    attacks. Basically, a single, small, spoofed UDP packet to a master
    server results in a larger list of server IPs being returned
    to the victim. This list can be quite big for some of the more
    popular games (like Quake III). More information is online at:
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0230.html
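    The pattern described above (a small spoofed UDP query that draws a much
    larger server-list reply onto the victim) can be spotted from flow data
    on either side of the reflector. The following is an added example, not
    code from the newsletter or the referenced Bugtraq post; the flow records,
    field names and the sample port are constructed assumptions.

```python
"""Flag UDP reflection/amplification patterns in request/response flow records.

Added illustration; record layout (src, dst, dport, req, resp) is an assumption,
not a real collector's schema.
"""
from collections import defaultdict
from statistics import median

# Constructed sample flows as a reflector's edge would see them. Sizes are in
# bytes. 27950 stands in for a game master-server port; the addresses are
# documentation ranges, not real hosts.
FLOWS = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "dport": 27950, "req": 60, "resp": 1400},
    {"src": "198.51.100.7", "dst": "203.0.113.11", "dport": 27950, "req": 60, "resp": 1360},
    {"src": "198.51.100.7", "dst": "203.0.113.12", "dport": 27950, "req": 60, "resp": 1420},
    {"src": "192.0.2.33",   "dst": "203.0.113.10", "dport": 27950, "req": 60, "resp": 1400},
    {"src": "192.0.2.34",   "dst": "203.0.113.20", "dport": 27950, "req": 60, "resp": 90},
    {"src": "192.0.2.35",   "dst": "203.0.113.30", "dport": 123,   "req": 48, "resp": 48},
]


def amplification(flow):
    """Bytes returned per byte sent: the amplification factor of one exchange."""
    return flow["resp"] / flow["req"]


def find_amplifiers(flows, min_ratio=10.0):
    """Group flows by (responder, port) and report services whose median
    response/request ratio reaches min_ratio. A master server that answers a
    60-byte query with a kilobyte-plus server list shows up here; a small
    answer (few servers listed) or an NTP-style symmetric reply does not."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["dst"], f["dport"])].append(f)
    report = {}
    for key, fs in groups.items():
        ratio = median(amplification(f) for f in fs)
        if ratio >= min_ratio:
            report[key] = {"ratio": round(ratio, 2),
                           "sources": sorted({f["src"] for f in fs})}
    return report


def find_suspected_victims(flows, min_reflectors=3):
    """A spoofed victim address appears as the 'requester' towards many
    distinct reflectors in a short window. Return sources that queried at
    least min_reflectors different responders, sorted for stable output."""
    reflectors = defaultdict(set)
    for f in flows:
        reflectors[f["src"]].add((f["dst"], f["dport"]))
    return sorted(src for src, rs in reflectors.items() if len(rs) >= min_reflectors)


if __name__ == "__main__":
    for key, info in find_amplifiers(FLOWS).items():
        print("amplifier %s:%d ratio=%.1f sources=%s" % (key[0], key[1], info["ratio"], info["sources"]))
    print("suspected spoofed victims:", find_suspected_victims(FLOWS))
```

    Real deployments would window the flows by time; the constructed sample
    treats all records as one window.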

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************


    TABLE OF CONTENTS:

    {03.08.020} Win - Platinum FTP server ftproot escaping
    {03.08.022} Win - nCipher utilities generate keyfile copies
    {03.08.003} Linux - Update {03.04.013}: slocate -r/-c parameter overflow
    {03.08.004} Linux - Update {03.05.008}: Kerberos FTP client shell
                execution
    {03.08.005} Linux - Update {03.01.029}: PHP 4.3.0 released, with
                security fixes
    {03.08.008} Linux - Update {03.02.020}: KDE parameter mishandling on
                shell commands
    {03.08.013} Linux - Update {03.01.009}: Lynx CRLF header injection
    {03.08.015} Linux - Red Hat useradd incorrect mail spool permissions
    {03.08.024} Linux - ClarkConnect daemon information exposure
    {03.08.010} BSD - FreeBSD weak SYN cookie generation
    {03.08.001} Cross - OpenSSL timing attack information leak
    {03.08.002} Cross - Vulnerable PHP applications 02/25
    {03.08.007} Cross - VNC insecure X cookies
    {03.08.009} Cross - webmin/usermin session ID spoofing
    {03.08.012} Cross - moxftp server banner overflow
    {03.08.014} Cross - SIP (VoIP) vulnerabilities in multiple products
    {03.08.016} Cross - MySQL mysql_change_user() double free vulnerability
    {03.08.017} Cross - Terminal escape sequence vulnerabilities
    {03.08.019} Cross - glftpd multiple vulnerabilities
    {03.08.021} Cross - sircd DNS lookup host name overflow
    {03.08.023} Cross - QuickTime/Darwin streaming admin server multiple
                vulnerabilities
    {03.08.025} Cross - CPanel CGI multiple vulnerabilities
    {03.08.006} Tools - Nessus 2.0 released
    {03.08.011} Tru64 - Update {02.45.007}: BIND SIG cached RR overflow + 2
                DoS
    {03.08.018} Mobile - Nokia 6210 malformed SMS DoS

    --- Windows News -------------------------------------------------------

    *** {03.08.020} Win - Platinum FTP server ftproot escaping

    The Platinum FTP server version 1.0.11 allows anonymous attackers to
    access and replace files outside the Web root.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0299.html

    *** {03.08.022} Win - nCipher utilities generate keyfile copies

    The generatekey and KeySafe utilities shipped with the nCipher support
    software CD prior to version 7.00 leave copies of imported keys in
    temporary files on the system. This could potentially expose the keys
    to recovery.

    nCipher released appropriate workaround procedures, detailed at the
    reference URL below.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0321.html

    --- Linux News ---------------------------------------------------------

    *** {03.08.003} Linux - Update {03.04.013}: slocate -r/-c parameter
                    overflow

    Debian released updated slocate packages, which fix the vulnerability
    discussed in {03.04.013} ("slocate -r/-c parameter overflow").

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2003-q1/0433.html

    *** {03.08.004} Linux - Update {03.05.008}: Kerberos FTP client shell
                    execution

    Mandrake released updated krb5 packages, which fix the vulnerability
    discussed in {03.05.008} ("Kerberos FTP client shell execution").

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0207.html

    *** {03.08.005} Linux - Update {03.01.029}: PHP 4.3.0 released, with
                    security fixes

    EnGarde and Mandrake released updated PHP packages, which fix the
    vulnerability discussed in {03.01.029} ("PHP 4.3.0 released, with
    security fixes").

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0003.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0206.html

    Source: EnGarde, Mandrake
    http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0003.html
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0206.html

    *** {03.08.008} Linux - Update {03.02.020}: KDE parameter mishandling
                    on shell commands

    Conectiva released updated KDE packages, which fix the vulnerability
    discussed in {03.02.020} ("KDE parameter mishandling on shell
    commands").

    Updated RPMs are listed at the reference URL below.

    Source: Conectiva (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0247.html

    *** {03.08.013} Linux - Update {03.01.009}: Lynx CRLF header injection

    Mandrake released updated Lynx packages, which fix the vulnerability
    discussed in {03.01.009} ("Lynx CRLF header injection").

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0208.html

    *** {03.08.015} Linux - Red Hat useradd incorrect mail spool permissions

    A Red Hat advisory indicates the useradd utility included in the
    shadow-utils package of Red Hat 7.2, 7.3 and 8.0 incorrectly sets the
    group permissions of a user's mail spool file. This may allow other
    users in the same primary group to read a user's e-mail.

    Updated RPMs are listed at the reference URL below.

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0048.html

    *** {03.08.024} Linux - ClarkConnect daemon information exposure

    The clarkconnectd service included with the ClarkConnect Linux
    distribution version 1.2 provides potentially sensitive log files to
    remote attackers.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0318.html

    --- BSD News -----------------------------------------------------------

    *** {03.08.010} BSD - FreeBSD weak SYN cookie generation

    A FreeBSD advisory indicates the possibility for a remote attacker
    to brute-force the secret key used to generate SYN cookies.

    This vulnerability is confirmed and fixed in the RELENG branches of
    4.6, 4.7 and 5.0 as of Feb. 24, 2003.

    Source: FreeBSD (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0287.html

    --- Cross-Platform News ------------------------------------------------

    *** {03.08.001} Cross - OpenSSL timing attack information leak

    OpenSSL versions prior to 0.9.6i and 0.9.7a are susceptible to a
    man-in-the-middle timing attack in the ssl3_get_record function that
    could help an attacker recover encrypted data.

    OpenSSL versions 0.9.6i and 0.9.7a were released.

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0006.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0259.html

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0261.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/linux/debian/2003-q1/0458.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0312.html

    Source: SecurityFocus Bugtraq, EnGarde, Mandrake, Trustix, Debian,
    Conectiva
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0226.html
    http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0006.html
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0259.html
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0261.html
    http://archives.neohapsis.com/archives/linux/debian/2003-q1/0458.html
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0312.html

    *** {03.08.002} Cross - Vulnerable PHP applications 02/25

    The following third-party PHP CGI applications are reportedly
    vulnerable. These vulnerabilities are not confirmed.

    WWWBoard 2.1: XSS
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0274.html

    Nuked-Klan 1.3beta: XSS and phpinfo() exposures
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0276.html

    WihPhoto 0.86-dev: local file access via e-mail attachments
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0092.html

    Cutenews 0.88: remote file include code execution
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0320.html

    Myguestbook 3.0: XSS and possible admin access
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0089.html

    Sage 1.0b3: XSS and path disclosure
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0236.html

    Myphpnuke: XSS in links.php
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0231.html

    phpBB 2.02 and prior: SQL tampering, password retrieval and file
    viewing
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0245.html

    PHPNuke 6.0 and 5.6: SQL tampering in search module
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0246.html

    Mambo Siteserver 4.0.12 RC: admin login bypass
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0302.html

    Source: SecurityFocus Bugtraq, VulnWatch
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0274.html
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0276.html
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0092.html
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0320.html
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0089.html
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0236.html
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0231.html
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0245.html
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0246.html
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0302.html

    *** {03.08.007} Cross - VNC insecure X cookies

    The VNC server generates weak random X authentication cookies,
    possibly allowing an attacker to hijack an X session.

    This vulnerability is confirmed.

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0209.html

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0255.html

    Source: Mandrake, Red Hat
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0209.html
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0255.html

    *** {03.08.009} Cross - webmin/usermin session ID spoofing

    The Web server (miniserv.pl) included with webmin and usermin is
    susceptible to session ID spoofing. As a result, a user who has a
    valid webmin/usermin login can gain admin login privileges. This
    typically can result in a root compromise.

    These vulnerabilities are confirmed and fixed in webmin version 1.070
    and usermin version 1.000. An exploit was published.

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0008.html

    Source: EnGarde
    http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0008.html

    *** {03.08.012} Cross - moxftp server banner overflow

    The moxftp FTP client version 2.2 contains a buffer overflow in the
    handling of large server banners, potentially allowing a malicious
    FTP server to execute arbitrary code on the user's system.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0285.html

    *** {03.08.014} Cross - SIP (VoIP) vulnerabilities in multiple products

    Multiple vulnerabilities were found in various vendor implementations
    of the SIP protocol commonly used in VoIP applications. Nortel,
    IPtel and Cisco products are vulnerable.

    We suggest reviewing the reference URLs below to determine risk and
    mitigation procedures.

    Source: CERT, Cisco
    http://archives.neohapsis.com/archives/cc/2003-q1/0005.html
    http://archives.neohapsis.com/archives/cisco/2003-q1/0003.html

    *** {03.08.016} Cross - MySQL mysql_change_user() double free
                    vulnerability

    MySQL prior to version 3.23.55 contains a double-free vulnerability
    in the mysql_change_user() function, which lets a user capable of
    running SQL queries crash the MySQL service.

    This vulnerability is confirmed and fixed in version 3.23.55.

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0007.html

    Source: EnGarde
    http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0007.html

    *** {03.08.017} Cross - Terminal escape sequence vulnerabilities

    A released paper indicates how the use of escape sequences in terminal
    emulators (like rxvt, eterm, vte, etc.) could possibly be used to trick
    a user into executing arbitrary commands supplied by an attacker. For
    full details, please review the VulnWatch posting referenced below.

    Red Hat also has released updated RPMs for vte:
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0319.html

    Source: VulnWatch, Red Hat (SF Bugtraq)
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0319.html

    *** {03.08.019} Cross - glftpd multiple vulnerabilities

    The glftpd FTP daemon allows valid FTP users to append data to
    arbitrary files and potentially execute arbitrary code with root
    privileges.

    These vulnerabilities are not confirmed. An exploit was published.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0297.html

    *** {03.08.021} Cross - sircd DNS lookup host name overflow

    The sircd IRC server version 0.4.4 is vulnerable to a buffer overflow
    in the handling of long DNS lookup host names. This allows a remote
    attacker to execute arbitrary code.

    The advisory indicates confirmation by the vendor, which committed
    a patch into CVS on Feb. 4, 2003.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0293.html

    *** {03.08.023} Cross - QuickTime/Darwin streaming admin server
                    multiple vulnerabilities

    Version 4.1.2 of the Apple QuickTime and Darwin streaming media
    administration servers contains multiple vulnerabilities: arbitrary
    code execution via buffer overflow; cross-site scripting; access to
    files outside the Web root; and local system configuration information
    exposure.

    The vendor confirmed these vulnerabilities and released update
    instructions, available at:
    http://www.info.apple.com/kbnum/n70171
    http://www.info.apple.com/kbnum/n70172

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0094.html

    *** {03.08.025} Cross - CPanel CGI multiple vulnerabilities

    The CPanel CGI suite version 5 contains two vulnerabilities: remote
    command execution via guestbook.cgi and local root privilege elevation
    via the oom openwebmail script.

    These vulnerabilities are not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0087.html

    --- Tool Announcements News --------------------------------------------

    *** {03.08.006} Tools - Nessus 2.0 released

    Nessus 2.0 was officially released. For those of you not familiar with
    Nessus, it is an open-source vulnerability scanning tool. The new
    version boasts speed improvements, lots of plugin/NASL enhancements
    and better HTML reporting.

    The latest version can be downloaded from:
    http://www.nessus.org/

    Source: Nessus
    http://archives.neohapsis.com/archives/apps/nessus/2003-q1/0288.html

    --- Tru64 News ---------------------------------------------------------

    *** {03.08.011} Tru64 - Update {02.45.007}: BIND SIG cached RR overflow
                    + 2 DoS

    Compaq/HP released ERPs for BIND, which fix the vulnerabilities
    discussed in {02.45.007} ("BIND SIG cached RR overflow + 2 DoS").

    ERP download locations are listed at the reference URL below.

    Source: Compaq/HP
    http://archives.neohapsis.com/archives/tru64/2003-q1/0000.html

    --- Mobile Devices News ------------------------------------------------

    *** {03.08.018} Mobile - Nokia 6210 malformed SMS DoS

    The Nokia 6210 phone crashes or otherwise becomes unusable when it
    receives a particular SMS message that has a malformed, multipart
    vcard attachment.

    Nokia's official solution is to remove the battery from the phone to
    reset it.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0095.html

    ************************************************************************



    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2003 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).