Security Alert Consensus #010

From: Network Computing and The SANS Institute (sans+ZZ66685723537786795@sans.org)
Date: Thu Mar 13 2003 - 15:35:34 CST


Re: Your personalized newsletter

                 -- Security Alert Consensus --
                       Number 010 (03.10)
                  Thursday, March 13, 2003
                       Created for you by
            Network Computing and the SANS Institute
                      Powered by Neohapsis

----------------------------------------------------------------------

Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.

************************* Begin Advertisement ************************

This issue sponsored by SPI Dynamics.

ALERT! Cross-Site Scripting Attacks on Web Applications Cross-site
scripting vulnerabilities in Web applications allow hackers to
compromise confidential information, steal cookies and create requests
that can be mistaken for those of a valid user!! All undetectable by
IDS! Download a *FREE* white paper from SPI Dynamics for a complete
guide to protection!
http://www.spidynamics.com/mktg/xss25

************************** End Advertisement *************************

A new Code Red variant seems to be worming its way through the
Internet. It exploits the same IIS vulnerability as the original, so if
you patched against the original Code Red you are already safe against
this one; if you did not, the same patch is the fix.
http://archives.neohapsis.com/archives/ntbugtraq/2003-q1/0147.html

CERT also released an advisory reporting a rise in scans for, and
compromises of, unprotected Windows shares. Part of this activity is
the W32.Deloader worm, which spreads over SMB by trying a list of weak
Administrator passwords against hosts it can reach; hosts that expose
file sharing to the Internet and hosts with weak local Administrator
passwords are the ones being picked off.
http://archives.neohapsis.com/archives/cc/2003-q1/0007.html
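Scanning for Windows shares shows up in perimeter logs as one source touching many distinct hosts on TCP 139/445 in a short time. The following is an added example (not from CERT or the newsletter) of a fan-out detector in Python run over a constructed firewall log; the "timestamp src dst dport action" line format, the thresholds and the addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log in a hypothetical
# "timestamp src dst dport action" format (not real traffic).
SAMPLE_LOG = """\
2003-03-13T10:00:01 10.0.0.5 10.0.1.1 445 DROP
2003-03-13T10:00:01 10.0.0.5 10.0.1.2 445 DROP
2003-03-13T10:00:02 10.0.0.5 10.0.1.3 445 DROP
2003-03-13T10:00:02 10.0.0.5 10.0.1.4 139 DROP
2003-03-13T10:00:03 10.0.0.5 10.0.1.5 445 ACCEPT
2003-03-13T10:00:03 10.0.0.5 10.0.1.6 445 DROP
2003-03-13T10:00:04 10.0.0.5 10.0.1.7 445 DROP
2003-03-13T10:00:09 10.0.0.5 10.0.1.8 445 DROP
2003-03-13T10:00:05 10.0.0.9 10.0.1.20 445 ACCEPT
2003-03-13T10:00:06 10.0.0.9 10.0.1.20 445 ACCEPT
2003-03-13T10:00:07 10.0.0.9 10.0.1.21 80 ACCEPT
2003-03-13T10:05:00 10.0.0.5 10.0.1.9 445 DROP
this line is garbage and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?P<dport>\d+)\s+(?P<action>\w+)$"
)
SMB_PORTS = {139, 445}


def parse_lines(text):
    """Yield (timestamp, src, dst, dport) for well-formed lines aimed at
    the NetBIOS/SMB ports; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        dport = int(m.group("dport"))
        if dport not in SMB_PORTS:
            continue
        yield datetime.fromisoformat(m.group("ts")), m.group("src"), m.group("dst"), dport


def find_share_scanners(text, min_targets=5, window_seconds=60):
    """Return {src: max_distinct_targets} for every source that contacted at
    least `min_targets` distinct hosts on 139/445 within any sliding window
    of `window_seconds`. Repeated hits on one host (normal file-server use)
    do not count; breadth across hosts does."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in parse_lines(text):
        by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        start = 0
        for end in range(len(events)):
            # advance the window start until it fits within window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            hits[src] = best
    return hits
```

On the sample, 10.0.0.5 touches eight distinct hosts within nine seconds and is reported; 10.0.0.9 talks to a single file server repeatedly and is not. Tune `min_targets` to the size of your subnets: a worm sweeping a /24 produces far more fan-out than any legitimate client.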

Until next week,
--Security Alert Consensus Team

************************************************************************

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TABLE OF CONTENTS:

{03.10.011} Win - MAILsweeper encapsulated MIME bypass
{03.10.014} Win - Forum Web Server multiple vulnerabilities
{03.10.017} Win - DBTools DBManager insecure configuration information
            storage
{03.10.001} Linux - Update {03.09.018}: file utility local overflow
{03.10.002} Linux - Update {03.09.009}: Snort 1.8 RPC preprocessor
            overflow
{03.10.003} Linux - Update {03.08.001}: OpenSSL timing attack
            information leak
{03.10.008} Linux - Update {03.04.013}: slocate -r/-c parameter overflow
{03.10.015} Linux - IM temporary file handling vulnerability
{03.10.013} BSD - lprm local buffer overflow
{03.10.024} HP-UX - HP-UX VVOS HFS vulnerability
{03.10.007} SCO - Improper permissions on /dev/X
{03.10.022} NetDev - HP JetDirect vulnerability
{03.10.004} Cross - MySQL my.cnf user override
{03.10.005} Cross - Vulnerable PHP applications 03/11
{03.10.006} Cross - Update {03.09.001}: Sendmail address header parsing
            overflow
{03.10.009} Cross - Ethereal SOCKS decoder format string vulnerability
{03.10.010} Cross - PeopleSoft PeopleTools SchedulerTransfer servlet
            vulnerability
{03.10.012} Cross - Shopfactory CGI price manipulation
{03.10.016} Cross - Wordit logbook CGI file parameter command execution
{03.10.018} Cross - Upload Lite CGI script execution
{03.10.019} Cross - LXR CGI v parameter file reading
{03.10.020} Cross - DeleGate robots.txt overflow
{03.10.021} Cross - man 'unsafe' command execution
{03.10.023} Cross - Opera file name download overflow
{03.10.025} Cross - zlib gzprintf overflow

- --- Windows News -------------------------------------------------------

*** {03.10.011} Win - MAILsweeper encapsulated MIME bypass

Clearswift's MAILsweeper version 4.x does not properly filter certain
malformed encapsulated (nested) MIME attachments: an attachment the
policy would block can be wrapped so that MAILsweeper does not see it,
and it is delivered regardless of the configured policy.

This vulnerability is confirmed.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0116.html
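The bug class here is a content filter that does not descend into (or cannot parse) a nested MIME structure and then lets the message through. The following is an added example in Python, not MAILsweeper's code and not the advisory's test case: two constructed messages (the attachment body is a dummy base64 string, not a real executable) are checked once by a scanner that only looks at top-level parts and once by one that walks every nested part with the standard `email` package and fails closed when the parser records a defect.

```python
import email
from email import policy

# Constructed message: the blocked attachment is wrapped inside a
# message/rfc822 part, one level below where a shallow filter looks.
RAW_MESSAGE = b"""\
From: sender@example.test
To: victim@example.test
Subject: forwarded invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

Please see the forwarded message.
--outer
Content-Type: message/rfc822

From: someone@example.test
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: text/plain

Attached.
--inner
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

ZHVtbXkgZGF0YQ==
--inner--
--outer--
"""

# Constructed malformed message: claims multipart but gives no boundary,
# so the parser cannot split it into parts at all.
RAW_BROKEN = b"""\
From: sender@example.test
Subject: broken
MIME-Version: 1.0
Content-Type: multipart/mixed

--x
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"

ZHVtbXk=
--x--
"""

BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com", ".vbs")


def _blocked(filename):
    return filename is not None and filename.lower().endswith(BLOCKED_EXTENSIONS)


def top_level_only_verdict(raw):
    """Shallow filter: inspects only the message's direct children."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = msg.get_payload() if msg.is_multipart() else [msg]
    for part in parts:
        if _blocked(part.get_filename()):
            return "block"
    return "allow"


def recursive_verdict(raw):
    """Deep filter: walks every nested part and fails closed on anything
    the parser could not make sense of."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.defects:
            return "block:unparseable"
        if part.get_content_maintype() == "multipart" and not isinstance(part.get_payload(), list):
            return "block:unparseable"
        if _blocked(part.get_filename()):
            return "block:" + part.get_filename()
    return "allow"
```

The shallow filter allows both messages; the deep filter blocks the first because it finds `invoice.exe` inside the forwarded message, and blocks the second because a multipart body it cannot split is exactly the kind of input a bypass is built from. Failing closed on parser defects is the policy decision that matters.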

*** {03.10.014} Win - Forum Web Server multiple vulnerabilities

Forum Web Server version 1.60 contains multiple vulnerabilities:
cross-site scripting in the subject or message fields; access to files
outside the Web root; and retrieval of forum user names and passwords.

These vulnerabilities are fixed in version 1.61.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0111.html

*** {03.10.017} Win - DBTools DBManager insecure configuration
                information storage

DBTools' DBManager suite insecurely stores database authentication
information in an MDB file readable by all local users, potentially
allowing a database compromise.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-03/0128.html

- --- Linux News ---------------------------------------------------------

*** {03.10.001} Linux - Update {03.09.018}: file utility local overflow

Multiple vendors released updated file-utils packages, which fix the
vulnerability discussed in {03.09.018} ("file utility local overflow").

Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0065.html

Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2003-03/0122.html

Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0011.html

Source: Red Hat, Mandrake, EnGarde (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0065.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0122.html
http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0011.html

*** {03.10.002} Linux - Update {03.09.009}: Snort 1.8 RPC preprocessor
                overflow

Multiple vendors released updated snort packages, which fix the
vulnerability discussed in {03.09.009} ("Snort 1.8 RPC preprocessor
overflow").

Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0010.html

Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2003-03/0149.html

Smoothwall update information:
http://archives.neohapsis.com/archives/bugtraq/2003-03/0139.html

Source: EnGarde, Mandrake, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0010.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0149.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0139.html

*** {03.10.003} Linux - Update {03.08.001}: OpenSSL timing attack
                information leak

Red Hat re-released updated OpenSSL packages, which fix the
vulnerability discussed in {03.08.001} ("OpenSSL timing attack
information leak").

Updated RPMs are listed at the reference URL below.

Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0063.html

*** {03.10.008} Linux - Update {03.04.013}: slocate -r/-c parameter
                overflow

Caldera released updated slocate packages, which fix the vulnerability
discussed in {03.04.013} ("slocate -r/-c parameter overflow").

Updated RPMs are listed at the reference URL below.

Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2003-q1/0013.html

*** {03.10.015} Linux - IM temporary file handling vulnerability

Red Hat released an advisory indicating that the IM mail utility suite
creates temporary files insecurely. A local attacker who wins the race
condition (typically by planting a symbolic link at the predictable
temporary-file name before the utility creates it) can corrupt files
belonging to unsuspecting users.

Updated RPMs are listed at the reference URL below.

Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0062.html
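What "insecure temporary file" means in practice, as an added Python example that is not IM's code and not Red Hat's advisory text: the victim, the predictable `im-<pid>.tmp` naming scheme and the pid are all constructed for the demonstration. The attacker is assumed to have already won the race, so a symlink sits at the name the program is about to open; the insecure writer follows it, the exclusive-create variant refuses, and `mkstemp` avoids the predictable name altogether.

```python
import os
import tempfile


def predictable_name(directory, pid):
    """Hypothetical naming scheme of the kind that makes the race possible."""
    return os.path.join(directory, "im-%d.tmp" % pid)


def write_temp_insecure(directory, pid, data):
    """Plain open() on a predictable name: if an attacker has already placed
    a symlink there, the write (and the truncation) goes wherever it points."""
    path = predictable_name(directory, pid)
    with open(path, "w") as f:
        f.write(data)
    return path


def create_exclusive(path, data):
    """Same name, but O_CREAT|O_EXCL (plus O_NOFOLLOW where available): the
    open fails instead of following a pre-planted link. Returns False when
    refused (EEXIST, or ELOOP on platforms that report O_NOFOLLOW first)."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:
        return False
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return True


def write_temp_secure(directory, data):
    """Preferred fix: mkstemp chooses an unpredictable name and creates it
    exclusively with mode 0600, so there is no name to pre-plant."""
    fd, path = tempfile.mkstemp(prefix="im-", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def run_demo():
    """Simulate the attacker having won the race: a symlink already sits at
    the predictable name and points at a victim file."""
    directory = tempfile.mkdtemp(prefix="race-demo-")
    victim = os.path.join(directory, "victim.txt")
    with open(victim, "w") as f:
        f.write("original contents\n")
    pid = 4242  # constructed; a real attacker guesses or enumerates this
    os.symlink(victim, predictable_name(directory, pid))

    write_temp_insecure(directory, pid, "attacker-chosen garbage\n")
    with open(victim) as f:
        clobbered = f.read() == "attacker-chosen garbage\n"

    refused = not create_exclusive(predictable_name(directory, pid), "scratch\n")
    fresh = write_temp_secure(directory, "scratch\n")
    return {
        "insecure_clobbered_victim": clobbered,
        "exclusive_open_refused": refused,
        "mkstemp_path_is_fresh": fresh != predictable_name(directory, pid),
    }
```

The same applies to any setuid or cron-driven program that writes to a shared directory: the check-then-open window is the attacker's, so the open itself has to be the check.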

- --- BSD News -----------------------------------------------------------

*** {03.10.013} BSD - lprm local buffer overflow

OpenBSD 3.2 and prior contain a buffer overflow in lprm, the
line-printer job-removal utility. On OpenBSD 3.1 and prior a local
attacker can exploit it to gain root privileges; on OpenBSD 3.2
exploitation yields only non-root privileges.

This bug is confirmed and fixed in OpenBSD -current, 3.1 and 3.2 CVS.

Source: OpenBSD
http://archives.neohapsis.com/archives/openbsd/2003-03/0411.html

- --- HP-UX News ---------------------------------------------------------

*** {03.10.024} HP-UX - HP-UX VVOS HFS vulnerability

HP released patches that fix a security vulnerability in the VVOS
(HPUX 11.04) HFS file system driver that could allow local attackers to
gain unauthorized access to files. Further details were not released.

Patch PHKL_28401 contains a fix.

Source: HP
http://archives.neohapsis.com/archives/hp/2003-q1/0057.html

- --- SCO News -----------------------------------------------------------

*** {03.10.007} SCO - Improper permissions on /dev/X

Caldera/SCO released an advisory indicating the permissions on the
/dev/X directory allow local attackers to perform denial of service
attacks and potentially recover X-related data.

This vulnerability is confirmed. The reference URL below contains
updated binary information.

Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2003-q1/0017.html

- --- Network Devices News -----------------------------------------------

*** {03.10.022} NetDev - HP JetDirect vulnerability

HP released an advisory indicating the HP JetDirect firmware versions
prior to version Q.24.09 contain a security vulnerability. Further
details were not provided.

Source: HP
http://archives.neohapsis.com/archives/hp/2003-q1/0058.html

- --- Cross-Platform News ------------------------------------------------

*** {03.10.004} Cross - MySQL my.cnf user override

MySQL versions prior to 3.23.56 (not yet released at press time)
potentially allow an attacker who can run SQL queries with
file-writing privileges (for example SELECT ... INTO OUTFILE, which
needs the FILE privilege) to make the server run as root: the attacker
writes a my.cnf containing user=root into the data directory, which
mysqld reads as an option file on its next start. It may also be
possible to overwrite files using the 'BACKUP TABLE' command.

These vulnerabilities are confirmed and fixed in the upcoming 3.23.56
version.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-03/0143.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0154.html
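Until 3.23.56 ships, the practical check is whether an option file that mysqld will read sits somewhere the database account can write, and what it sets `user` to. The following is an added audit script in Python, not from MySQL AB or the advisory; it assumes, as the advisory describes, that mysqld reads `my.cnf` from its data directory, and the option-group names it looks at and the temporary files it creates are part of the example.

```python
import configparser
import os
import stat
import tempfile

# Option groups mysqld (and its wrapper) read the `user` setting from.
OPTION_GROUPS_READ_BY_MYSQLD = ("mysqld", "server", "mysqld_safe", "safe_mysqld")


def audit_options_file(path, trusted_uids=(0,)):
    """Return findings for one option file: ownership/permission problems
    and any group that sets user=root."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink")
    if st.st_uid not in trusted_uids:
        findings.append("owned-by-uid-%d" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group-or-world-writable")
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, delimiters=("=",))
    try:
        cp.read(path)
    except configparser.Error:
        return findings + ["unparseable"]
    for group in OPTION_GROUPS_READ_BY_MYSQLD:
        if cp.has_section(group) and cp.get(group, "user", fallback=None) == "root":
            findings.append("%s.user=root" % group)
    return findings


def audit_datadir(datadir, trusted_uids=(0,)):
    """A my.cnf inside the data directory is a finding on its own: the
    directory is writable by the account mysqld runs as, so a FILE-privileged
    SQL user can create the file with SELECT ... INTO OUTFILE."""
    report = {}
    path = os.path.join(datadir, "my.cnf")
    if os.path.lexists(path):
        report["my.cnf"] = ["present-in-datadir"] + audit_options_file(path, trusted_uids)
    return report


def run_demo():
    """Constructed scenario: a data directory holding a planted my.cnf,
    beside a properly owned global option file."""
    base = tempfile.mkdtemp(prefix="mysql-audit-")
    datadir = os.path.join(base, "data")
    os.mkdir(datadir)
    planted = os.path.join(datadir, "my.cnf")
    with open(planted, "w") as f:
        f.write("[mysqld]\nuser=root\n")
    os.chmod(planted, 0o666)
    global_cnf = os.path.join(base, "etc-my.cnf")
    with open(global_cnf, "w") as f:
        f.write("[mysqld]\nuser=mysql\nskip-networking\n")
    os.chmod(global_cnf, 0o644)
    me = os.getuid()  # the demo runs unprivileged, so treat our own uid as trusted
    return {
        "datadir": audit_datadir(datadir, trusted_uids=(0, me)),
        "global": audit_options_file(global_cnf, trusted_uids=(0, me)),
    }
```

In production, leave `trusted_uids` at root only: a my.cnf owned by the mysql uid is exactly what a planted file looks like, and the script reports it as `owned-by-uid-N` even when its contents are innocuous.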

*** {03.10.005} Cross - Vulnerable PHP applications 03/11

The following is a list of reportedly vulnerable third-party PHP CGI
applications. These vulnerabilities are not confirmed.

PHP Ping 0.1: command execution
http://archives.neohapsis.com/archives/bugtraq/2003-03/0111.html

SimpleBBS 1.0.6: user information/password retrieval
http://archives.neohapsis.com/archives/bugtraq/2003-03/0135.html

PHP-Nuke 6.0, 6.5RC2: SQL tampering
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0120.html

PostNuke 0.723: SQL tampering
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0117.html

Source: SecurityFocus Bugtraq, VulnWatch
http://archives.neohapsis.com/archives/bugtraq/2003-03/0111.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0135.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0120.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0117.html

*** {03.10.006} Cross - Update {03.09.001}: Sendmail address header
                parsing overflow

Multiple vendors released updated Sendmail packages, which fix the
vulnerability discussed in {03.09.001} ("Sendmail address header
parsing overflow").

Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2003-q1/0015.html

SGI IRIX update information:
http://archives.neohapsis.com/archives/vendor/2003-q1/0071.html

Source: Caldera, SGI
http://archives.neohapsis.com/archives/linux/caldera/2003-q1/0015.html
http://archives.neohapsis.com/archives/vendor/2003-q1/0071.html

*** {03.10.009} Cross - Ethereal SOCKS decoder format string
                vulnerability

The Ethereal network sniffer prior to version 0.9.10 contains a
format string vulnerability in the SOCKS dissector that allows a
malicious packet to potentially execute arbitrary code on the system
running Ethereal.

The vendor confirmed this vulnerability. Version 0.9.10 contains a fix.

Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q1/0601.html

Source: VulnWatch, Debian
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0115.html
http://archives.neohapsis.com/archives/linux/debian/2003-q1/0601.html

*** {03.10.010} Cross - PeopleSoft PeopleTools SchedulerTransfer
                servlet vulnerability

The SchedulerTransfer servlet included with PeopleSoft's PeopleTools
suite versions 8.41 and prior allows a remote attacker to create
arbitrary files on the server, potentially leading to arbitrary
command execution.

This vulnerability is confirmed.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0119.html

*** {03.10.012} Cross - Shopfactory CGI price manipulation

The Shopfactory e-commerce CGI suite version 5.8 allows a remote
attacker to choose arbitrary prices for items purchased via the
Shopfactory-enabled Web site.

The advisory indicates vendor confirmation.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0109.html
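Price manipulation in shopping-cart CGIs almost always comes down to the server trusting a price that round-tripped through the client (a hidden form field or query parameter). The following is an added Python example, not Shopfactory's code and not the advisory's test: a constructed catalog and a constructed tampered order are totalled once by a handler that trusts the client's price and once by one that only trusts the catalog. It also shows, as a separate technique for the case where cart data genuinely has to travel through the client, an HMAC tag over the line so any edit is detected; the key is a placeholder.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed catalog and key for the example only.
CATALOG = {"SKU-100": Decimal("49.95"), "SKU-200": Decimal("12.50")}
SERVER_SECRET = b"constructed-demo-key-not-a-real-secret"


def total_trusting_client(lines):
    """Vulnerable pattern: the price arrives with the order and is used as-is."""
    return sum(Decimal(line["price"]) * int(line["qty"]) for line in lines)


def total_from_catalog(lines):
    """Hardened: the client chooses SKU and quantity only; price is looked up
    server-side, and unknown SKUs or non-positive quantities are rejected."""
    total = Decimal("0")
    for line in lines:
        sku, qty = line["sku"], int(line["qty"])
        if sku not in CATALOG or qty <= 0:
            raise ValueError("bad order line: %r" % (line,))
        total += CATALOG[sku] * qty
    return total


def sign_line(sku, price):
    """If price data must live in the page (stateless cart), bind it to the
    SKU with an HMAC the client cannot forge."""
    msg = ("%s|%s" % (sku, price)).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_line(sku, price, tag):
    """Constant-time comparison; a tampered price or SKU fails."""
    return hmac.compare_digest(sign_line(sku, price), tag)


def run_demo():
    # Constructed tampered order: every item claims to cost one cent.
    tampered = [
        {"sku": "SKU-100", "qty": "1", "price": "0.01"},
        {"sku": "SKU-200", "qty": "2", "price": "0.01"},
    ]
    honest_tag = sign_line("SKU-100", "49.95")
    return {
        "trusting_total": str(total_trusting_client(tampered)),
        "catalog_total": str(total_from_catalog(tampered)),
        "tag_verifies_catalog_price": verify_line("SKU-100", "49.95", honest_tag),
        "tag_rejects_altered_price": verify_line("SKU-100", "0.01", honest_tag),
    }
```

The catalog lookup is the real fix; the HMAC is a fallback for carts that cannot keep state server-side, and it only protects the fields you include in the signed message.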

*** {03.10.016} Cross - Wordit logbook CGI file parameter command
                execution

The Wordit logbook CGI script does not properly handle input to the
'file' URL parameter, thereby allowing a remote attacker to execute
arbitrary commands with the privileges of the Web server.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-03/0123.html

*** {03.10.018} Cross - Upload Lite CGI script execution

PerlScriptsJavaScripts.com's Upload Lite CGI version 3.22 allows a
remote attacker to potentially execute arbitrary uploaded scripts
because the CGI does not properly delete duplicate uploaded files.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-03/0141.html

*** {03.10.019} Cross - LXR CGI v parameter file reading

The Linux Cross-Reference (LXR) CGI suite prior to version 0.9.2 does
not properly filter the 'v' URL parameter, thereby allowing a remote
attacker to read arbitrary files readable by the Web server.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-03/0151.html
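The LXR 'v' parameter (arbitrary file read) and the PeopleSoft SchedulerTransfer servlet (arbitrary file write) in {03.10.010} are two faces of the same missing check: a client-supplied path is never confirmed to resolve inside the directory the application is meant to serve. One containment routine covers both directions. The following is an added Python example, not the code of either product and not the advisories' exploit steps; the web root, the secret file and the symlink are constructed in a temporary directory for the demonstration.

```python
import os
import tempfile


def safe_join(base_dir, user_path):
    """Return the real path of user_path under base_dir, or raise ValueError.
    Symlinks are resolved first, so a link inside the tree that points
    outside it is caught along with '..' and absolute paths."""
    base = os.path.realpath(base_dir)
    if os.path.isabs(user_path) or "\x00" in user_path:
        raise ValueError("absolute path or NUL byte rejected: %r" % user_path)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory: %r" % user_path)
    return target


def read_under(base_dir, user_path):
    """Serve a file only if it resolves inside base_dir (the LXR case)."""
    with open(safe_join(base_dir, user_path), "rb") as f:
        return f.read()


def write_under(base_dir, user_path, data):
    """Create a file only inside base_dir and never overwrite an existing one
    (the SchedulerTransfer case)."""
    target = safe_join(base_dir, user_path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return target


def run_demo():
    """Constructed tree: a web root with one source file and a symlink that
    points outside it, plus a secret file the web root must not expose."""
    root = tempfile.mkdtemp(prefix="containment-")
    base = os.path.join(root, "webroot")
    os.makedirs(os.path.join(base, "source"))
    with open(os.path.join(base, "source", "main.c"), "w") as f:
        f.write("int main(void) { return 0; }\n")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("not for the web\n")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link"))

    def attempt(fn, *args):
        try:
            fn(*args)
            return "allowed"
        except ValueError:
            return "rejected"

    return {
        "legit_read": read_under(base, "source/main.c").startswith(b"int main"),
        "dotdot_read": attempt(read_under, base, "../secret.txt"),
        "absolute_read": attempt(read_under, base, "/etc/passwd"),
        "symlink_read": attempt(read_under, base, "link"),
        "dotdot_write": attempt(write_under, base, "../planted.txt", b"x"),
        "legit_write": attempt(write_under, base, "uploads/report.txt", b"x"),
    }
```

Note that filtering the string for `../` is not enough on its own (encodings, symlinks and absolute paths all slip past it); comparing the resolved path against the resolved base is the check that holds.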

*** {03.10.020} Cross - DeleGate robots.txt overflow

DeleGate versions prior to 8.5.0 do not properly handle large
robots.txt files, thereby allowing a malicious Web site whose
robots.txt DeleGate fetches to execute arbitrary code on the DeleGate
system.

This vulnerability is confirmed and fixed in version 8.5.0.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-03/0160.html

*** {03.10.021} Cross - man 'unsafe' command execution

The my_xsprintf function in the man utility prior to version 1.51
returns the literal string 'unsafe' when it encounters a shell
metacharacter in its input, but the caller then hands that return value
to the shell as a command anyway. Since 'unsafe' is a perfectly valid
command name, a local attacker can craft a man page that triggers the
check and place an executable named 'unsafe' where the shell will find
it, causing man to run it with whatever privileges the man binary holds.

This vulnerability is confirmed and fixed in version 1.51.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-03/0164.html
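Two of this issue's items are the same mistake seen from different angles: the Wordit 'file' parameter ({03.10.016}) reaches a shell unfiltered, and man's sanitizer signals failure in-band with a word the shell will happily execute. The following is an added Python example, not the code of either program: it reproduces both patterns against a throwaway directory (the `notes.txt` file, the attacker's `unsafe` script and the marker files are all constructed) and sets a hardened version beside them that validates, fails loudly, and never goes through a shell at all.

```python
import os
import re
import subprocess
import tempfile

ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def sanitize_in_band(value):
    """The man pattern: on a shell metacharacter the sanitizer returns the
    word 'unsafe' instead of raising. That word is a valid command."""
    return value if ALLOWED_NAME.match(value) else "unsafe"


def build_command_interpolated(user_file):
    """The Wordit pattern: a URL parameter spliced into a shell command."""
    return "cat " + user_file


def run_sentinel_bug(user_cmd, workdir):
    """Runs the sanitizer's output verbatim, as the buggy caller did. The
    attacker only needs a program called 'unsafe' somewhere on PATH."""
    env = {"PATH": workdir + os.pathsep + "/usr/bin:/bin"}
    subprocess.run(sanitize_in_band(user_cmd), shell=True, cwd=workdir,
                   env=env, capture_output=True)


def run_contained(user_file, base_dir):
    """Hardened: strict allow-list, reject instead of substitute, and pass
    the value as one argv element so the shell never parses it."""
    if not ALLOWED_NAME.match(user_file) or user_file.startswith("."):
        raise ValueError("rejected file parameter: %r" % user_file)
    result = subprocess.run(["cat", "--", user_file], cwd=base_dir,
                            capture_output=True, check=False)
    return result.stdout


def run_demo():
    workdir = tempfile.mkdtemp(prefix="inj-demo-")
    with open(os.path.join(workdir, "notes.txt"), "w") as f:
        f.write("hello\n")
    # Attacker-controlled program named after the sanitizer's failure word.
    evil = os.path.join(workdir, "unsafe")
    with open(evil, "w") as f:
        f.write("#!/bin/sh\ntouch sentinel_ran\n")
    os.chmod(evil, 0o755)

    subprocess.run(build_command_interpolated("notes.txt; touch injected"),
                   shell=True, cwd=workdir, capture_output=True)
    run_sentinel_bug("nroff $(id)", workdir)
    try:
        run_contained("notes.txt; touch blocked", workdir)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {
        "interpolation_ran_payload": os.path.exists(os.path.join(workdir, "injected")),
        "sentinel_ran_attacker_program": os.path.exists(os.path.join(workdir, "sentinel_ran")),
        "hardened_rejected": hardened_rejected,
        "hardened_blocked_marker_absent": not os.path.exists(os.path.join(workdir, "blocked")),
        "hardened_legit": run_contained("notes.txt", workdir),
    }
```

The lesson from the man bug is that a sanitizer's failure signal must be out-of-band (an exception, an error return the caller checks), because any string it returns is, by construction, going to be used.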

*** {03.10.023} Cross - Opera file name download overflow

The Opera Web browser versions 7.02 and 6.05 contain a buffer overflow
in the handling of large file names by the download dialog box,
thereby allowing a malicious Web site to execute arbitrary code on
the user's system.

The advisory indicates vendor confirmation.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-03/0173.html

*** {03.10.025} Cross - zlib gzprintf overflow

The gzprintf function included with zlib version 1.1.4 formats its
output into a fixed-size buffer without bounding the length (it uses
vsprintf rather than vsnprintf), so an application that lets
attacker-influenced data reach gzprintf's format arguments can have
that buffer overflowed.

This vulnerability is confirmed.

Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2003-q1/0016.html

Source: Caldera, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/linux/caldera/2003-q1/0016.html
http://archives.neohapsis.com/archives/bugtraq/2003-02/0269.html

************************************************************************

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org

iD8DBQE+cPNk+LUG5KFpTkYRAnCCAJ9ZCe3hM0iyLWac0gGqQo+KMpXeVQCePAKs
h3Gc21S9Ci+UtSAoeZHzCDk=
=Ie+X
-----END PGP SIGNATURE-----
------------------------------------------------------------------------

Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.sans.org/sansnews/

We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).

Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.

If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl

Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters/

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.

Copyright (c) 2003 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).