Security Alert Consensus #016
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Apr 24 2003 - 17:26:30 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 016 (03.16)
Thursday, April 24, 2003
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
************************* Begin Advertisement ************************
This issue sponsored by Citadel Security Software - Hercules AVR
*ALERT* * Automated Vulnerability Remediation (AVR) gives IT
administrators new control. The vulnerabilities on your network
extend beyond what patches alone will resolve. Download a *FREE*
Hercules eval & experience how AVR quickly reduces your exposure!
http://www.networkcomputing.com/sans/citadel/042403
************************** End Advertisement *************************
The largest vulnerability this week is a Windows kernel overflow in
debug message handling, which allows users with an interactive logon
to gain administrative privileges. This poses a significant threat
to MS Terminal Servers and workstations. Full information is reported
in this issue as item {03.16.004}.
Nessus 2.0.4 was released last week. The new version fixes a bug
when scanning a large number of hosts and adds support for Red Hat
9. If you haven't yet used this open-source vulnerability scanner,
you should definitely give it a try. It can be downloaded for free at:
http://ftp.nessus.org/nessus/nessus-2.0.4/
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{03.16.004} Win - MS03-013: Kernel debug message handler overflow
{03.16.005} Win - EZ Server Web root escaping
{03.16.006} Win - Web Wiz Forums CGI password recovery
{03.16.012} Win - BadBlue server ext.dll file name vuln
{03.16.014} Win - MPCSoftWeb GuestBook CGI password recovery
{03.16.016} Win - ANHTTPd count.pl file overwriting
{03.16.001} Linux - Updated patches for previous vulnerabilities
{03.16.013} Linux - Monkey HTTPd POST body overflow
{03.16.002} Cross - rinetd connection list overflow
{03.16.003} Cross - mime-support utilities multiple vulns
{03.16.007} Cross - WebC CGI multiple vulns
{03.16.008} Cross - xinetd denied connection mem leak DoS
{03.16.009} Cross - Apache mod_ntlm log() vulns
{03.16.011} Cross - Vulnerable PHP applications, 04/22
{03.16.015} Cross - SAPDB devtools INSTPATH utility vulns
{03.16.010} Tru64 - Updated patches for previous vulnerabilities
- --- Windows News -------------------------------------------------------
*** {03.16.004} Win - MS03-013: Kernel debug message handler overflow
Microsoft released MS03-013 ("Kernel debug message handler
overflow"). The Windows kernel contains a buffer overflow in
the handling of error messages destined for a debugger, which
allows a local attacker to execute arbitrary code with local system
privileges. Windows NT, 2000 and XP are affected (including Terminal
Services).
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-013.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q2/0004.html
*** {03.16.005} Win - EZ Server Web root escaping
EZ Server version 1.0 allows a remote attacker to access files outside
the Web root using '..' type HTTP requests.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0224.html
*** {03.16.006} Win - Web Wiz Forums CGI password recovery
The Web Wiz Forums ASP CGI suite stores all passwords in the
wwforum.mdb within the Web root, possibly allowing remote recovery.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0234.html
*** {03.16.012} Win - BadBlue server ext.dll file name vuln
The ext.dll ISAPI component included with BadBlue server version 2.15
does not properly parse file names with extra characters, which allows
a remote attacker to invoke arbitrary .HTS files and leads to server
administrative access.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0247.html
*** {03.16.014} Win - MPCSoftWeb GuestBook CGI password recovery
MPCSoftWeb GuestBook CGI suite stores the administrative password
in the mpcsoftweb_guestdata.mdb file located within the Web root,
which allows for possible remote recovery.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0250.html
*** {03.16.016} Win - ANHTTPd count.pl file overwriting
The ANHTTPd Web server version 1.42h comes with various sample scripts,
one of which--count.pl--allows the overwriting of arbitrary files on
the system by using '..' notation in the file name parameter.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0255.html
- --- Linux News ---------------------------------------------------------
*** {03.16.001} Linux - Updated patches for previous vulnerabilities
The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
- --- Red Hat:
RHSA-2003:089-00: glibc
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0029.html
- --- Debian:
DSA 288-1: OpenSSL
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0199.html
DSA 290-1: sendmail-wide
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0202.html
DSA 291-1: ircII
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0235.html
- --- Mandrake:
MDKSA-2003:048: eog
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0055.html
MDKSA-2003:049: kde3
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0057.html
MDKSA-2003:030-1: file
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0058.html
MDKSA-2003:047: xfsdump
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0054.html
- --- Conectiva:
CLA-2003:627: ethereal
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0013.html
CLA-2003:628: vixie-cron
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0014.html
CLA-2003:629: tcpdump
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0015.html
CLA-2003:630: balsa
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0016.html
Source: Red Hat, Debian, Mandrake, Conectiva
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0029.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0199.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0202.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0235.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0055.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0057.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0058.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0054.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0013.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0014.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0015.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0016.html
*** {03.16.013} Linux - Monkey HTTPd POST body overflow
The Monkey HTTP server contains a buffer overflow in the handling of
large POST body content, which allows a remote attacker to execute
arbitrary code on the system.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0248.html
- --- Cross-Platform News ------------------------------------------------
*** {03.16.002} Cross - rinetd connection list overflow
The rinetd IP redirection server prior to version 0.62 contains
a buffer overflow in the handling of incoming connections, which
causes the service to crash or execute arbitrary code when more than
64 connections are active.
This vulnerability is confirmed and fixed in version 0.62.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0201.html
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0201.html
*** {03.16.003} Cross - mime-support utilities multiple vulns
The various mime-support utilities used to manipulate the mime.types
and mailcap files contain two vulnerabilities: insecure shell character
escaping and insecure temporary file handling. Both could allow a local
attacker to take advantage of a user using the mime-support utilities.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0241.html
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0241.html
*** {03.16.007} Cross - WebC CGI multiple vulns
Automated Shops' WebC CGI suite contains multiple vulnerabilities:
remote buffer overflow in the handling of script names; insecure
configuration file loading; local buffer overflow via long environment
variables; and local webc.emf format string overflow.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0051.html
*** {03.16.008} Cross - xinetd denied connection mem leak DoS
xinetd versions prior to 2.3.11 leak memory when a connection is
explicitly denied by configuration. It's possible for a remote attacker
to take advantage of this bug and cause a denial of service situation.
This vulnerability is confirmed and fixed in version 2.3.11.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0241.html
*** {03.16.009} Cross - Apache mod_ntlm log() vulns
The log() function in mod_ntlm contains two vulnerabilities: a
heap-based buffer overflow and a format string vulnerability. These
bugs could allow a remote attacker to execute arbitrary code.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0251.html
*** {03.16.011} Cross - Vulnerable PHP applications, 04/22
The following is a list of reported vulnerable third-party PHP CGI
applications. These vulnerabilities are not confirmed.
PTNews 1.7.7: access to administrative functionality
http://archives.neohapsis.com/archives/bugtraq/2003-04/0253.html
XMB 1.8: SQL injection
http://archives.neohapsis.com/archives/bugtraq/2003-04/0264.html
YABB SE 1.5.1: arbitrary script execution
http://archives.neohapsis.com/archives/bugtraq/2003-04/0257.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0253.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0264.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0257.html
*** {03.16.015} Cross - SAPDB devtools INSTPATH utility vulns
The instdbmsrv and instlserver utilities included in the SAP DB
development tools suite insecurely use the INSTPATH environment
variable, which allows a local attacker to grant setuid root privileges
to arbitrary files.
The vendor confirmed this vulnerability and released an update.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0263.html
- --- Tru64 News ---------------------------------------------------------
*** {03.16.010} Tru64 - Updated patches for previous vulnerabilities
The following is a list of Compaq vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
SSRT3533: TruCluster alias/NFS
http://archives.neohapsis.com/archives/tru64/2003-q2/0004.html
SSRT3498: screend
http://archives.neohapsis.com/archives/tru64/2003-q2/0004.html
Source: Compaq/HP
http://archives.neohapsis.com/archives/tru64/2003-q2/0004.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE+qEk5+LUG5KFpTkYRAh9qAJsG8uK+BpRchBwNZtgKXuApDLx3XQCfQPZf
MKfVQYq7ta7mRXbcAmtTBd0=
=o43t
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://portal.sans.org
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
To unsubscribe from this newsletter, or to edit your subscription
information, please go to: http://portal.sans.org
Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2003 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).