Security Alert Consensus #021
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu May 29 2003 - 17:38:11 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 021 (03.21)
Thursday, May 29, 2003
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
Information on how to manage your subscription can be found at the
bottom of the newsletter. If you have any problems or questions, please
e-mail us at <consensus@nwc.com>.
************************* Begin Advertisement ************************
This issue sponsored by SPI Dynamics.
FREE White Paper: "Outsmart the Top 10 Web Application Attacks!"
Learn why 70% of today's successful hacks involve Web Application
attacks such as: SQL Injection, XSS, Cookie Manipulation,
Session Hijacking and Parameter Manipulation.
All undetectable by Firewalls and IDS! Download *FREE*
white paper from SPI Dynamics for a guide to protection!
http://www.spidynamics.com/mktg/webappsecurity106
************************** End Advertisement *************************
This week brought a large number of Vignette server vulnerabilities,
all of which are consolidated into item {03.21.002} in the
Cross-Platform category.
Those of you looking for some insecure code examples to use as a basis
for auditing code and writing exploits should check out the
SecurityFocus Vuln-Dev Challenges. Every so often, the moderators are
going to post a snippet of insecure code, and it's up to everyone on
the list to discuss the where, why and how of the vulnerability and its
exploitation.
http://archives.neohapsis.com/archives/vuln-dev/2003-q2/
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{03.21.006} Win - Compaq Insight agent allows FTP proxying
{03.21.007} Win - iisProtect auth bypass and SQL tampering
{03.21.008} Win - BRS WebWeaver large request overflow/DoS
{03.21.012} Win - Update {03.20.016}: Cisco VPN client automatic exec
logon bypass
{03.21.015} Win - AnalogX HTTP proxy URL overflow
{03.21.001} Linux - Updated patches for previous vulnerabilities
{03.21.011} Linux - Slackware rc.M quotacheck remount vuln
{03.21.005} HP-UX - Updated patches for previous vulnerabilities
{03.21.009} SCO - Updated patches for previous vulnerabilities
{03.21.014} NetDev - Axis network camera admin auth bypass
{03.21.002} Cross - Vignette server multiple vulns
{03.21.003} Cross - Vulnerable PHP applications, 5/27
{03.21.004} Cross - WsMP3d Web root escaping and overflow
{03.21.010} Cross - LSF lsadmin allows override of LSF_SERVERDIR
{03.21.013} Cross - CUPS IPP seized connection DoS
{03.21.016} Cross - Nessus libnasl malicious plugin vuln
{03.21.017} Cross - Sun ONE app server multiple vulns
- --- Windows News -------------------------------------------------------
*** {03.21.006} Win - Compaq Insight agent allows FTP proxying
A recent report indicates the Compaq Insight Manager agent may act as
a proxy for FTP requests. This is separate from the previous
vulnerability, which allows the agent to proxy HTTP requests (the HTTP
proxy vulnerability was fixed).
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-05/0247.html
*** {03.21.007} Win - iisProtect auth bypass and SQL tampering
The iisProtect application prior to version 2.2.0.9 allows remote
attackers to bypass any authentication requirements by submitting a
partially encoded URL for a protected resource. The administrative Web
interface also allows for SQL tampering.
These vulnerabilities were fixed in version 2.2.0.9.
Source: VulnWatch, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0080.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0252.html
*** {03.21.008} Win - BRS WebWeaver large request overflow/DoS
BRS WebWeaver version 1.04 reportedly crashes because of a buffer
overflow in the handling of large request URLs.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-05/0286.html
*** {03.21.012} Win - Update {03.20.016}: Cisco VPN client automatic
exec logon bypass
The fix for the vulnerability discussed in {03.20.016} ("Cisco VPN
client automatic exec logon bypass") does not completely remove the
vulnerability. Cisco is currently working on a new fix.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2003-q2/0095.html
http://archives.neohapsis.com/archives/ntbugtraq/2003-q2/0096.html
*** {03.21.015} Win - AnalogX HTTP proxy URL overflow
AnalogX version 4.13 contains a buffer overflow in the handling of large
HTTP URLs, thereby allowing a remote attacker to execute arbitrary code
on the system.
This vulnerability is confirmed and fixed in version 4.14.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0082.html
- --- Linux News ---------------------------------------------------------
*** {03.21.001} Linux - Updated patches for previous vulnerabilities
The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
- --- Red Hat:
RHSA-2003:175-01: gnupg
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0059.html
- --- Mandrake:
MDKSA-2003:058-1: cdrecord
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0136.html
MDKSA-2003:059: lpr
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0137.html
MDKSA-2003:060: LPRng
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0138.html
MDKSA-2003:061: gnupg
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0142.html
- --- Conectiva:
CLA-2003:653: bugzilla
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0037.html
CLA-2003:655: BitchX
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0038.html
CLA-2003:656: netpbm
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0039.html
- --- Slackware:
SSA:2003-141-01: Epic
http://archives.neohapsis.com/archives/bugtraq/2003-05/0237.html
SSA:2003-141-02: BitchX
http://archives.neohapsis.com/archives/bugtraq/2003-05/0236.html
SSA:2003-141-03: glibc
http://archives.neohapsis.com/archives/bugtraq/2003-05/0238.html
SSA:2003-141-04: gnupg
http://archives.neohapsis.com/archives/bugtraq/2003-05/0239.html
SSA:2003-141-05: mod_ssl
http://archives.neohapsis.com/archives/bugtraq/2003-05/0235.html
- --- SuSE:
SuSE-SA:2003:027: glibc
http://archives.neohapsis.com/archives/linux/suse/2003-q2/0570.html
Source: Red Hat, Mandrake, Conectiva, Slackware, SuSE
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0059.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0136.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0137.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0138.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0142.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0037.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0038.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0237.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0236.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0238.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0239.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0235.html
http://archives.neohapsis.com/archives/linux/suse/2003-q2/0570.html
*** {03.21.011} Linux - Slackware rc.M quotacheck remount vuln
The rc.M startup script passes incorrect command-line parameters to
quotacheck, potentially causing quotacheck to remount partitions and
discard security-related mount options (such as nosuid, noexec, etc.).
Update information is available at the reference URL below.
Source: Slackware (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2003-05/0249.html
- --- HP-UX News ---------------------------------------------------------
*** {03.21.005} HP-UX - Updated patches for previous vulnerabilities
The following is a list of HP-UX vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
SSRT2439: libc
http://archives.neohapsis.com/archives/hp/2003-q2/0046.html
SSRT3451: network drivers
http://archives.neohapsis.com/archives/hp/2003-q2/0053.html
SSRT3531: sendmail
http://archives.neohapsis.com/archives/hp/2003-q2/0045.html
Source: HP
http://archives.neohapsis.com/archives/hp/2003-q2/0045.html
http://archives.neohapsis.com/archives/hp/2003-q2/0046.html
http://archives.neohapsis.com/archives/hp/2003-q2/0053.html
- --- SCO News -----------------------------------------------------------
*** {03.21.009} SCO - Updated patches for previous vulnerabilities
The following is a list of SCO vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
CSSA-2003-SCO.9: Squid
http://archives.neohapsis.com/archives/linux/caldera/2003-q2/0007.html
Source: SCO
http://archives.neohapsis.com/archives/linux/caldera/2003-q2/0007.html
- --- Network Devices News -----------------------------------------------
*** {03.21.014} NetDev - Axis network camera admin auth bypass
Various Axis network camera platforms allow a remote attacker to bypass
administrator authentication.
This vulnerability is confirmed. Update information is available at the
reference URL below.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0086.html
- --- Cross-Platform News ------------------------------------------------
*** {03.21.002} Cross - Vignette server multiple vulns
Various versions of the Vignette server suite contain multiple
vulnerabilities: potential SSI script execution; SQL tampering; memory
leak denial of service; sample applications disclose server
configuration information; user name enumeration; public access to
license key information; cross-site scripting; and potential TCL script
execution.
These vulnerabilities are not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0083.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0084.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0085.html
*** {03.21.003} Cross - Vulnerable PHP applications, 5/27
The following is a list of reported vulnerable third-party PHP CGI
applications. These vulnerabilities are not confirmed.
XMBforum 1.8.x: cross-site scripting
http://archives.neohapsis.com/archives/bugtraq/2003-05/0242.html
BLNews 2.1.3: remote include code execution
http://archives.neohapsis.com/archives/bugtraq/2003-05/0264.html
Ultimate PHP Board 1.9: PHP code execution
http://archives.neohapsis.com/archives/bugtraq/2003-05/0266.html
P-News 1.16: admin privilege elevation
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0081.html
Source: SecurityFocus Bugtraq, VulnWatch
http://archives.neohapsis.com/archives/bugtraq/2003-05/0242.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0264.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0266.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0081.html
*** {03.21.004} Cross - WsMP3d Web root escaping and overflow
The WsMP3d daemon version 0.0.10 contains multiple vulnerabilities:
access to files outside the Web root; remote execution of arbitrary
commands; and various remote overflows.
These vulnerabilities are not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0077.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0078.html
*** {03.21.010} Cross - LSF lsadmin allows override of LSF_SERVERDIR
The Load Sharing Facility (LSF) version 5.1 allows local attackers to
specify a malicious lsf.conf file, thereby allowing them to specify an
arbitrary LSF_SERVERDIR configuration value and thus execute arbitrary
programs with root privileges.
This vulnerability is confirmed and fixed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-05/0233.html
*** {03.21.013} Cross - CUPS IPP seized connection DoS
The IPP functionality in the CUPS printing suite is vulnerable to a
denial of service whereby remote attackers can hold open their IPP
connections, preventing the handling of any other IPP requests.
This vulnerability is confirmed. Updated Red Hat RPMs are listed at the
reference URL below.
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0062.html
*** {03.21.016} Cross - Nessus libnasl malicious plugin vuln
Nessus versions prior to 2.0.6 contain a vulnerability in the NASL
language library that could allow malicious plugins to execute arbitrary
commands on a nessusd host.
This vulnerability is confirmed and fixed in version 2.0.6.
Source: Nessus
http://archives.neohapsis.com/archives/apps/nessus/2003-q2/0037.html
*** {03.21.017} Cross - Sun ONE app server multiple vulns
Sun ONE application server version 7.0 contains multiple
vulnerabilities: exposure of JSP source code; HTTP log evasion; and
cross-site scripting.
These vulnerabilities are not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0087.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE+1m3o+LUG5KFpTkYRAurzAKCBsobRpyJXO8oSRoYninonpN5vwACdEFow
Siui7TU2V/3aeQTn7giboig=
=7zkY
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://portal.sans.org/
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
To unsubscribe from this newsletter, or to edit your subscription
information, please go to: http://portal.sans.org/
Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2003 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).