Security Alert Consensus #025
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Jun 26 2003 - 15:31:22 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 025 (03.25)
Thursday, June 26, 2003
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
Information on how to manage your subscription can be found at the
bottom of the newsletter. If you have any problems or questions, please
e-mail us at <consensus@nwc.com>.
************************* Begin Advertisement ************************
This issue sponsored by CMP Media LLC and Cisco Systems.
Get Strategic and Financial Justification for IP Communications.
Learn how to converge your voice and data networks, lower the
total cost of network ownership, increase employee productivity,
and enhance the customer experience. Visit the IP Communications
Pavilion to download the Migration Guide and useful case studies.
http://www.techweb.com/ipc
************************** End Advertisement *************************
In a little bit of irony, Symantec this week indirectly called a
security researcher irresponsible for disclosing a buffer overflow in
a Symantec product without telling Symantec first. The irony is that
Symantec owns SecurityFocus and Bugtraq, the most prominent security
disclosure list in the industry. It makes us wonder what would have
happened if the post was made to Bugtraq. Would SecurityFocus discreetly
withhold the post while informing its parent company? Or would it
release the post without warning and cause Symantec to be unhappy with
a security disclosure list the company itself owns? Maybe Symantec was
just bitter because the vulnerability report showed up on the mailing
list of a Bugtraq rival, the Full-Disclosure list.
http://archives.neohapsis.com/archives/fulldisclosure/2003-q2/1689.html
http://archives.neohapsis.com/archives/bugtraq/2003-06/0185.html
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{03.25.013} Win - IE JavaScript buffer overflow
{03.25.016} Win - Symantec Security Check ActiveX overflow
{03.25.017} Win - WebAdmin long user name logon overflow
{03.25.018} Win - Kerio MailServer Webmail multiple overflows
{03.25.019} Win - SurfControl Web Filter Report Server Web root escaping
{03.25.001} Linux - Updated patches for previous vulnerabilities
{03.25.012} Linux - orville-write multiple overflows
{03.25.015} Linux - tcptraceroute doesn't drop root privs
{03.25.009} HP-UX - Updated patches for previous vulnerabilities
{03.25.002} SGI - MIPSPro compiler insecure temp file handling
{03.25.021} SGI - Various IPv6 bugs and vulnerabilities
{03.25.007} NetDev - Cajun switch port 4000 DoS
{03.25.003} Cross - Various PDF viewers URL link command line exec
{03.25.004} Cross - Vulnerable PHP applications, 06/24
{03.25.005} Cross - eldav insecure temp file handling
{03.25.006} Cross - webfs server long URL overflow
{03.25.008} Cross - RSA SecurID ACE agent XSS vuln
{03.25.010} Cross - More Unix game vulns (xbl and lbreakout)
{03.25.011} Cross - osh restricted shell multiple overflows
{03.25.014} Cross - GNATS multiple overflows
{03.25.020} Cross - Compaq Web agent SSI tag vuln
- --- Windows News -------------------------------------------------------
*** {03.25.013} Win - IE JavaScript buffer overflow
A post this week indicates that Internet Explorer versions 5.0 and later
contain a buffer overflow in the handling of particular JavaScript. A
few reports confirm buffer overflow symptoms, although exploitability
is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0173.html
*** {03.25.016} Win - Symantec Security Check ActiveX overflow
Symantec's Security Check ActiveX component contains a buffer overflow
that would allow a malicious Web site to execute arbitrary code on the
user's system.
The vendor confirmed this vulnerability and released an updated version.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0185.html
*** {03.25.017} Win - WebAdmin long user name logon overflow
Alt-N's WebAdmin server contains a buffer overflow in the handling of
long user names that allows a remote attacker to execute arbitrary code
under local system privileges.
This vulnerability is confirmed. An update is available at:
ftp://ftp.altn.com/WebAdmin/Release/wa205_en.exe
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0118.html
*** {03.25.018} Win - Kerio MailServer Webmail multiple overflows
Kerio MailServer version 5.6.3 contains multiple buffer overflows in
various locations of the Webmail component that allow a remote attacker
(with a valid Webmail account) to potentially execute arbitrary code on
the system. Cross-site scripting problems were also found.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0146.html
*** {03.25.019} Win - SurfControl Web Filter Report Server Web root escaping
The SurfControl plugin for Microsoft ISA server does not properly handle
requests containing parent directory references. This allows a remote
attacker to access arbitrary files outside the Web root.
The advisory indicates confirmation by the vendor, which recommends
shutting down the Web Filter Report Service.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0148.html
- --- Linux News ---------------------------------------------------------
*** {03.25.001} Linux - Updated patches for previous vulnerabilities
The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
- --- Red Hat:
RHSA-2003:026-01: Netscape
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0073.html
- --- Mandrake:
MDKSA-2003:070: ethereal
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0193.html
- --- Debian:
DSA-316-3: jnethack
http://archives.neohapsis.com/archives/linux/debian/2003-q2/1007.html
DSA-324-1: ethereal
http://archives.neohapsis.com/archives/linux/debian/2003-q2/1010.html
- --- Slackware:
SSA:2003-168-01: kernel
http://archives.neohapsis.com/archives/bugtraq/2003-06/0131.html
Source: Red Hat, Mandrake, Debian, Slackware (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0073.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0193.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/1007.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/1010.html
http://archives.neohapsis.com/archives/bugtraq/2003-06/0131.html
*** {03.25.012} Linux - orville-write multiple overflows
The orville-write write(1) replacement utility contains multiple buffer
overflows that could allow a local attacker to execute arbitrary code with
elevated privileges.
This vulnerability is confirmed. Updated Debian DEBs are listed at the
reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q2/1023.html
*** {03.25.015} Linux - tcptraceroute doesn't drop root privs
Debian released an advisory indicating that the tcptraceroute utility
doesn't correctly drop root privileges, potentially allowing a local
attacker to exploit a buffer overflow and regain root privileges.
Updated Debian DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q2/1068.html
- --- HP-UX News ---------------------------------------------------------
*** {03.25.009} HP-UX - Updated patches for previous vulnerabilities
The following is a list of HP-UX vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
HPSBUX0306-266: tftpd
http://archives.neohapsis.com/archives/hp/2003-q2/0069.html
HPSBUX0104-149: pcltotiff
http://archives.neohapsis.com/archives/bugtraq/2003-06/0156.html
HPSBUX0302-242: rpc.yppasswdd
http://archives.neohapsis.com/archives/hp/2003-q2/0074.html
Source: HP
http://archives.neohapsis.com/archives/hp/2003-q2/0069.html
http://archives.neohapsis.com/archives/bugtraq/2003-06/0156.html
http://archives.neohapsis.com/archives/hp/2003-q2/0074.html
- --- SGI News -----------------------------------------------------------
*** {03.25.002} SGI - MIPSPro compiler insecure temp file handling
The MIPSPro compiler insecurely creates temporary files, thereby
allowing a local attacker to perform a symlink attack.
SGI confirmed this vulnerability.
Source: SGI
http://archives.neohapsis.com/archives/vendor/2003-q2/0087.html
*** {03.25.021} SGI - Various IPv6 bugs and vulnerabilities
SGI released patches that fix various bugs and vulnerabilities
introduced with the new IPv6 code.
Patch information is available at the reference URL below.
Source: SGI (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2003-06/0197.html
- --- Network Devices News -----------------------------------------------
*** {03.25.007} NetDev - Cajun switch port 4000 DoS
Lucent/Avaya Cajun P330, P333 and P133 switches temporarily become
nonoperational and then reboot after particular malformed data is sent
to the service listening on port 4000. This leads to a remote denial of
service attack.
The advisory indicates confirmation by the vendor, which released
updated firmware versions at:
http://support.avaya.com
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0128.html
- --- Cross-Platform News ------------------------------------------------
*** {03.25.003} Cross - Various PDF viewers URL link command line exec
Various PDF viewers, including Xpdf and Adobe Acrobat, potentially allow
a malicious PDF document to execute arbitrary command-line commands if
a user clicks a particularly formed URL link contained in the PDF.
This vulnerability is confirmed.
Updated Red Hat Xpdf RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0072.html
Source: Full Disclosure List, Red Hat
http://archives.neohapsis.com/archives/fulldisclosure/2003-q2/1395.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0072.html
*** {03.25.004} Cross - Vulnerable PHP applications, 06/24
The following is a list of reported vulnerable third-party PHP CGI
applications. These vulnerabilities are not confirmed.
phpMyAdmin 2.x: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2003-06/0129.html
phpBB: SQL injection, cross-site scripting
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0113.html
http://archives.neohapsis.com/archives/bugtraq/2003-06/0192.html
Tutos 1.1: cross-site scripting, file uploading
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0117.html
Source: SecurityFocus Bugtraq, VulnWatch
http://archives.neohapsis.com/archives/bugtraq/2003-06/0129.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0113.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0117.html
http://archives.neohapsis.com/archives/bugtraq/2003-06/0192.html
*** {03.25.005} Cross - eldav insecure temp file handling
The eldav Emacs WebDAV client insecurely handles temporary files,
thereby allowing a local attacker to perform a symlink attack.
This vulnerability is confirmed. Updated Debian DEBs are listed at the
reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q2/1024.html
*** {03.25.006} Cross - webfs server long URL overflow
The webfs HTTP server contains a buffer overflow in the handling of
large URL requests that allows a remote attacker to execute arbitrary
code.
This vulnerability is confirmed. Updated Debian DEBs are listed at the
reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q2/1026.html
*** {03.25.008} Cross - RSA SecurID ACE agent XSS vuln
The 5.x versions of the RSA SecurID ACE agents are vulnerable to
cross-site scripting.
This vulnerability is confirmed and fixed in RSA ACE/Agent for Windows
version 5.0.1 and RSA ACE/Agent for Web version 5.1.1.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0112.html
*** {03.25.010} Cross - More Unix game vulns (xbl and lbreakout)
In the past few weeks we've detailed buffer overflows in slashem and
nethack that allow a local attacker to gain gid 'games' on some systems.
This week, xbl was found to contain a similar local buffer overflow,
and lbreakout2server was found to contain a remote format string buffer
overflow.
Updated Debian xbl DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q2/1025.html
Source: Debian, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/linux/debian/2003-q2/1025.html
http://archives.neohapsis.com/archives/bugtraq/2003-06/0182.html
*** {03.25.011} Cross - osh restricted shell multiple overflows
The osh restricted user shell contains buffer overflows in the handling
of various environment variables and file redirection that allow local
users to bypass any restrictions placed by the shell.
This vulnerability is confirmed. Updated Debian DEBs are listed at the
reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q2/1027.html
*** {03.25.014} Cross - GNATS multiple overflows
The GNATS bug tracking system versions 3.113.1 and prior contain various
buffer overflows that could allow a local attacker to execute arbitrary
code with elevated privileges. It may also grant remote access via one
of the various Web-based CGI front-ends.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0115.html
*** {03.25.020} Cross - Compaq Web agent SSI tag vuln
The Compaq Insight Web agents accept user-supplied operation tags that
are similar to server-side includes in function. The various tags can
cause a denial of service situation, expose path information or possibly
trigger a buffer overflow.
This vulnerability is not confirmed.
Source: Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2003-q2/0293.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE++06a+LUG5KFpTkYRAnLYAJ9qbQg/I1xcAUCSS+dKcxOokS8KXACZAeFv
guQpqSwiHuB6heFP0pNZKWY=
=qcqp
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Copyright (c) 2003 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).