Security Alert Consensus #027
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Jul 10 2003 - 18:22:41 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 027 (03.27)
Thursday, July 10, 2003
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
Information on how to manage your subscription can be found at the
bottom of the newsletter. If you have any problems or questions, please
e-mail us at <consensus@nwc.com>.
************************* Begin Advertisement ************************
This issue is sponsored by Sygate.
Focus on... Network Vulnerability
Want to learn more about Network Vulnerability?
Check out these sponsored links from Sygate.
Sygate in leader quadrant of new Gartner Personal Firewall MQ:
http://sygate.com/solutions/request/gartner_firewall_mq.htm
Download FREE Enterprise Personal Firewall Technology Guide:
http://www.sygate.com/products/ms/cmpwkout.htm
************************** End Advertisement *************************
This past weekend's Web site defacement challenge, touting the goal of
defacing 6,000 Web sites on July 6th, created a lot of hype. A handful
of security companies felt it urgent enough to issue alerts and press
releases, which caused not only a little confusion but also scrambling
by many to ensure their systems were updated.
Folks, Web site defacements are an ongoing thing. The threat is just as
real today as it was on July 6th. Your security program should be
vigilant enough to counter Web defacement attacks without needing prior
warning of 'coordinated hacking contests.' Whatever you did to increase
your security posture for the supposed July 6th attack should be done
regardless. Only then will you have a security defense that isn't merely
a last minute reaction to the latest security alert that comes across
the newswire.
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{03.27.007} Win - QShop CGI file uploading/script exec
{03.27.009} Win - VPASP CGI SQL tampering
{03.27.010} Win - IglooFTP client buffer overflows
{03.27.011} Win - Billing Explorer multiple vulns
{03.27.012} Win - ICQ 2003a password login bypass
{03.27.013} Win - MS03-023: HTML converter clipboard buffer overflow
{03.27.014} Win - MS03-024: SMB packet overflow
{03.27.015} Win - MS03-025: Utility Manager callback privilege exec
{03.27.003} Linux - x-face-el insecure temp file handling
{03.27.005} Linux - mozart insecure Oz program exec
{03.27.006} Linux - liece insecure temp file handling
{03.27.008} Linux - Updated patches for previous vulnerabilities
{03.27.020} Linux - skk/ddskk insecure temp file handling
{03.27.019} HP-UX - Updated patches for previous vulnerabilities
{03.27.021} NetDev - Cisco CatOS TCP services eight packet DoS
{03.27.002} Cross - wemi/semi insecure temp file handling
{03.27.004} Cross - ProductCart CGI multiple vulns
{03.27.016} Cross - Apache 2.0.47 released, with security fixes
{03.27.017} Cross - ColdFusion/JRun Apache source code disclosure
{03.27.018} Cross - Mailsite Express CGI attachment retrieval
{03.27.022} Cross - Vulnerable PHP applications, 07/10
{03.27.023} Cross - teapop user name SQL tampering
{03.27.024} Cross - TerminatorX env var overflows
{03.27.025} Cross - Coda lib various RPC2 DoS
{03.27.001} MacOS - MacOS X secure screen saver bypass
- --- Windows News -------------------------------------------------------
*** {03.27.007} Win - QShop CGI file uploading/script exec
The QShop ASP CGI suite version 2.5 does not require authentication on
the /qshop/admin/upload.htm page, thereby allowing a remote attacker to
upload arbitrary ASP pages.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0103.html
*** {03.27.009} Win - VPASP CGI SQL tampering
The VPASP ASP CGI suite is vulnerable to SQL tampering in the
shopexd.asp page, thereby allowing a remote attacker to manipulate the
backend database.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0031.html
*** {03.27.010} Win - IglooFTP client buffer overflows
The IglooFTP PRO client version 3.8 reportedly contains various buffer
overflows in the handling of large strings, thereby allowing a malicious
FTP server to execute arbitrary code on the user's system.
The advisory indicates confirmation by the vendor, which released
version 3.9.
Source: Vulnwatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0010.html
*** {03.27.011} Win - Billing Explorer multiple vulns
The Billing Explorer application allows a remote attacker to spoof
administrative packets, thereby allowing various manipulations of the
Billing Explorer application and accounting functionality.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0049.html
*** {03.27.012} Win - ICQ 2003a password login bypass
The ICQ 2003a client potentially allows a local attacker to log in under
a user's saved user name without needing the appropriate password.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0058.html
*** {03.27.013} Win - MS03-023: HTML converter clipboard buffer overflow
Microsoft released MS03-023 ("HTML converter clipboard buffer
overflow"). The native HTML converter functionality (used by Internet
Explorer, Outlook and other applications) contains a buffer overflow in
the handling of cut-and-paste operations, potentially allowing a
malicious Web site or e-mail to execute arbitrary code.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-023.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q3/0001.html
*** {03.27.014} Win - MS03-024: SMB packet overflow
Microsoft released MS03-024 ("SMB packet overflow"). Windows NT, 2000
and XP contain a buffer overflow in the handling of a certain malicious
SMB packet, thereby allowing a remote authenticated attacker to
potentially execute arbitrary code or cause the SMB/RPC service to fail.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-024.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q3/0003.html
*** {03.27.015} Win - MS03-025: Utility Manager callback privilege exec
Microsoft released MS03-025 ("Utility Manager callback privilege exec").
The Utility Manager service, which is a part of the Windows 2000
Accessibility suite, allows a local desktop user to send a particular
Windows message containing a callback address, which is then executed
with local system privileges.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-025.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q3/0002.html
- --- Linux News ---------------------------------------------------------
*** {03.27.003} Linux - x-face-el insecure temp file handling
Debian released an advisory indicating the x-face-el application
insecurely uses temporary files, thereby allowing a local attacker to
perform a symlink attack.
Updated Debian DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0066.html
*** {03.27.005} Linux - mozart insecure Oz program exec
The MIME entries configured with the mozart package insecurely cause
the program interpreter to be called, potentially allowing
malicious/trojaned Oz programs (viewed/downloaded by MIME-aware
applications) to execute arbitrary commands.
Updated Debian DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0077.html
*** {03.27.006} Linux - liece insecure temp file handling
The liece IRC client insecurely handles temporary files, thereby allowing
a local attacker to perform a symlink attack.
Updated Debian DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0076.html
*** {03.27.008} Linux - Updated patches for previous vulnerabilities
The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
- --- Red Hat:
RHSA-2003:203-01: Ethereal
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0004.html
- --- Mandrake:
MDKSA-2003:073: unzip
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0008.html
- --- Conectiva:
CLA-2003:674: xpdf
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0004.html
CLA-2003:675: ml85p
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0005.html
CLA-2003:685: openldap
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0008.html
CLA-2003:690: imp
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0010.html
CLA-2003:691: php4
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0011.html
- --- Immunix:
IMNX-2003-7+-017-01: unzip
http://archives.neohapsis.com/archives/linux/immunix/2003-q3/0001.html
- --- Debian:
DSA-344-1: unzip
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0083.html
DSA-345-1: xbl
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0084.html
Source: Red Hat, Mandrake, Conectiva, Immunix, Debian
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0004.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0008.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0004.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0005.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0008.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0010.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0011.html
http://archives.neohapsis.com/archives/linux/immunix/2003-q3/0001.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0083.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0084.html
*** {03.27.020} Linux - skk/ddskk insecure temp file handling
The skk and ddskk utilities insecurely handle temporary files, thereby
allowing a local attacker to perform a symlink attack.
Updated Debian DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0082.html
- --- HP-UX News ---------------------------------------------------------
*** {03.27.019} HP-UX - Updated patches for previous vulnerabilities
The following is a list of HP-UX vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
HPSBUX0305-261: network drivers
http://archives.neohapsis.com/archives/hp/2003-q3/0006.html
Source: HP
http://archives.neohapsis.com/archives/hp/2003-q3/0006.html
- --- Network Devices News -----------------------------------------------
*** {03.27.021} NetDev - Cisco CatOS TCP services eight packet DoS
Cisco released an advisory indicating that certain versions of the CatOS
software used on Catalyst switches contain a denial of service vulnerability
whereby eight particularly malformed packets sent to a CatOS TCP service
will cause the service to fail until the switch is rebooted.
The URL referenced below contains fix information.
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2003-q3/0001.html
- --- Cross-Platform News ------------------------------------------------
*** {03.27.002} Cross - wemi/semi insecure temp file handling
The wemi and semi MIME libraries insecurely handle temporary files,
thereby allowing a local attacker to potentially perform a symlink
attack.
Updated Debian DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0064.html
*** {03.27.004} Cross - ProductCart CGI multiple vulns
The ProductCart ASP CGI suite versions 2.0 and prior contain multiple
vulnerabilities: remote download of the configuration database;
cross-site scripting; and SQL tampering on the admin login page.
The vendor confirmed these vulnerabilities. Fix information is available
at:
http://archives.neohapsis.com/archives/bugtraq/2003-07/0057.html
Source: Full Disclosure, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/fulldisclosure/2003-q3/0081.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0030.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0064.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0057.html
*** {03.27.016} Cross - Apache 2.0.47 released, with security fixes
Apache version 2.0.47 was released. This version fixes multiple
vulnerabilities: weak ciphersuite algorithm chosen during some
renegotiations; accept() error return DoS; IPv6 FTP server proxy DoS;
and local infinite loop DoS.
Source: Apache (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2003-07/0098.html
*** {03.27.017} Cross - ColdFusion/JRun Apache source code disclosure
Macromedia released a security bulletin indicating that both ColdFusion
MX and JRun running on Apache 1.x and 2.0 could potentially display the
source code to JSP or CFM files if a remote attacker appends an encoded
space character to the URL.
Source: Macromedia/Allaire
http://archives.neohapsis.com/archives/vendor/2003-q3/0008.html
*** {03.27.018} Cross - Mailsite Express CGI attachment retrieval
Rockliffe Mailsite Express version 5.3.4 reportedly allows remote
attackers to retrieve e-mail attachments via the Web interface.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0073.html
*** {03.27.022} Cross - Vulnerable PHP applications, 07/10
The following is a list of reported vulnerable third-party PHP CGI
applications. These vulnerabilities are not necessarily confirmed.
board51/news51/forum51 v2.0: password file retrieval
http://archives.neohapsis.com/archives/bugtraq/2003-07/0078.html
bitboard2: password file retrieval
http://archives.neohapsis.com/archives/bugtraq/2003-07/0114.html
phpsysinfo: local file reading, script execution
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0085.html
Source: SecurityFocus Bugtraq, Debian
http://archives.neohapsis.com/archives/bugtraq/2003-07/0078.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0114.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0085.html
*** {03.27.023} Cross - teapop user name SQL tampering
The teapop POP3 server does not properly filter user names before
passing them into a SQL query, thereby allowing a remote attacker to
perform a SQL tampering attack.
Updated Debian DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0086.html
*** {03.27.024} Cross - TerminatorX env var overflows
TerminatorX version 3.80 reportedly does not properly handle large
environment variable strings, resulting in a buffer overflow that could
allow local attackers to execute arbitrary code with elevated
privileges.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0093.html
*** {03.27.025} Cross - Coda lib various RPC2 DoS
The Coda RPC2 library contains various places where a malformed RPC2
packet can cause the application using the library to crash.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0099.html
- --- Mac OS News --------------------------------------------------------
*** {03.27.001} MacOS - MacOS X secure screen saver bypass
An advisory released last week indicates the possibility of bypassing
the password-protected screen saver in MacOS X simply by holding down
a key for a long time and then pressing Enter.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0009.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE/DdKy+LUG5KFpTkYRAobAAKCIRIl05FH+py3S/Z+BY+/jYhBJBACfQRNX
+7o/wJHalVor7BWI9v/fKg0=
=yYvR
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://portal.sans.org
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
To unsubscribe from this newsletter, or to edit your subscription
information, please go to: http://portal.sans.org
Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2003 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).