Security Alert Consensus #38

From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Sep 25 2003 - 17:30:51 CDT


Re: Your personalized newsletter

                 -- Security Alert Consensus --
                       Number 038 (03.38)
                  Thursday, September 25, 2003
                       Created for you by
            Network Computing and the SANS Institute
                      Powered by Neohapsis

----------------------------------------------------------------------

Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
Information on how to manage your subscription can be found at the
bottom of the newsletter. If you have any problems or questions, please
e-mail us at <consensus@nwc.com>.

************************* Begin Advertisement ************************

This issue is sponsored by Microsoft Winserver.
What are the top considerations when determining the best of
breed servers for your need? Our server resource center houses
industry news articles and reviews, spotlighting the latest and
most reputable servers and server-related news in today's market.
http://www.techweb.com/cha/serverresources

************************** End Advertisement *************************

A lot of vendors scrambled this week to release patches for the recent
OpenSSH and Sendmail bugs. Another set of bugs was found in the portable
OpenSSH releases of last week, this time in the PAM code, so if you
recently upgraded, you'll need to upgrade again (more information is in
item {03.38.005}). A heap overflow also was found in LSH, an alternative
to OpenSSH (reported in item {03.38.002}). NetBSD has a few local
problems with sysctl() (reported as item {03.38.008}), and the Arkeia
back-up daemon reportedly contains a remotely exploitable buffer overflow
(reported as item {03.38.025}).

And as a reminder, all the items mentioned above are reported in this
issue. If you're missing one of these items from your newsletter, it is
because it was reported in an OS platform category to which you are not
subscribed. Follow the directions at the bottom of the e-mail to update
your subscription preferences.

Until next week,
--Security Alert Consensus Team

************************************************************************

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TABLE OF CONTENTS:

{03.38.006} Win - Plug and Play Web Server Web root escaping and DoS
{03.38.010} Win - Powerslave URL rewriting vulns
{03.38.011} Win - Community Wizard CGI suite SQL tampering
{03.38.021} Win - BizTalk Server Web dirs allow write
{03.38.001} Linux - Updated patches for previous vulnerabilities
{03.38.012} Linux - ipmasq generates insecure filter rules
{03.38.008} BSD - NetBSD sysctl() vulns
{03.38.009} BSD - Updated patches for previous vulnerabilities
{03.38.022} HP-UX - Updated patches for previous vulnerabilities
{03.38.020} NetDev - Cisco product SSH updates
{03.38.002} Cross - LSH heap overflow
{03.38.003} Cross - mpg123 network stream overflow #2
{03.38.004} Cross - Netup UTM CGI multiple vulns
{03.38.005} Cross - OpenSSH PAM vulnerabilities
{03.38.007} Cross - ProFTPD ASCII mode file transfer overflow
{03.38.013} Cross - Vulnerable PHP applications, 09/23
{03.38.014} Cross - Xitami SHTML handler large header DoS
{03.38.015} Cross - Perl Mail::Mailer insecure use of external programs
{03.38.016} Cross - wu_ftpd status e-mail overflow
{03.38.017} Cross - ColdFusion MX error/missing page XSS
{03.38.018} Cross - SpeakFreely multiple DoS vulns
{03.38.019} Cross - IBM DB2 support utilities various overflows
{03.38.023} Cross - IkonBoard CGI arbitrary Perl code exec
{03.38.024} Cross - hztty multiple overflows
{03.38.025} Cross - Arkeia daemon overflow

--- Windows News -------------------------------------------------------

*** {03.38.006} Win - Plug and Play Web Server Web root escaping and DoS

The Plug and Play Web Server version 1.0002c reportedly contains two
vulnerabilities: the ability for a remote attacker to access files
outside the Web root via parent directory references in the URL request
and a denial of service vulnerability caused by long parameters given
to various FTP commands.

These vulnerabilities are not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0275.html
http://archives.neohapsis.com/archives/bugtraq/2003-09/0297.html
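The first of the two is a textbook directory traversal: the server builds a
filesystem path by appending the request path to the Web root without
collapsing ".." components or checking that the result still lies under the
root. The Python below is an added illustration by the editor, not code from
the advisory or from the Plug and Play Web Server, and the document root and
request strings in it are made up for the example. It shows the reported
pattern next to a containment check that also handles the cases a reviewer
should look for: percent-encoded dots, backslashes (which Windows treats as
path separators), NUL bytes, and a request path that is itself absolute.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/htdocs"   # hypothetical document root, chosen for the example


def vulnerable_resolve(url_path, web_root=WEB_ROOT):
    """The pattern reported against the server: decode, glue onto the root, open.
    "/../../../etc/passwd" becomes "<root>/../../../etc/passwd", which the
    operating system resolves to /etc/passwd when the file is opened."""
    return web_root + "/" + unquote(url_path).lstrip("/")


def safe_resolve(url_path, web_root=WEB_ROOT):
    """Map a request path onto the filesystem; return None when it must be refused."""
    decoded = unquote(url_path)            # "%2e%2e" -> ".." before any checks run
    if "\x00" in decoded:                  # C servers truncate at NUL; refuse outright
        return None
    decoded = decoded.replace("\\", "/")   # Windows accepts "\" as a separator too
    root = posixpath.normpath(web_root)
    # lstrip("/") matters: join(root, "/etc/passwd") would discard the root entirely.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Compare against "root/" rather than "root", so "/var/www/htdocs2" cannot pass.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests of the kind the advisory describes.
    for req in ("/index.html", "/../../../etc/passwd",
                "/%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/images/..\\..\\..\\boot.ini",
                "/index.html%00.jpg"):
        print(f"{req:40} vulnerable -> {vulnerable_resolve(req)}")
        print(f"{'':40} safe       -> {safe_resolve(req)}")
```

The check works on the normalized string rather than on the presence of
"..", so "/docs/../index.html" is still served (it stays inside the root)
while every form of escape is rejected by the same two lines.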

*** {03.38.010} Win - Powerslave URL rewriting vulns

Powerslave prior to version 4.4.3pl3 allows an attacker to gain access
to configuration information and potentially execute a SQL tampering
attack by manipulating various URL parameters.

The advisory indicates confirmation by the vendor, which released
version 4.4.3pl3.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0324.html

*** {03.38.011} Win - Community Wizard CGI suite SQL tampering

The Community Wizard ASP CGI suite version 5.1 is reportedly vulnerable
to SQL tampering in the handling of the password sent to the login.asp
page.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0325.html

*** {03.38.021} Win - BizTalk Server Web dirs allow write

Microsoft BizTalk Server versions 2000 and 2002 create two IIS virtual
directories with write permissions that allow remote attackers to upload
arbitrary content to the server and possibly manipulate existing content
already in those directories.

The advisory indicates vendor confirmation.

Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2003-q3/0288.html

--- Linux News ---------------------------------------------------------

*** {03.38.001} Linux - Updated patches for previous vulnerabilities

The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.

--- Red Hat:

RHSA-2003:243-01: Apache
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0039.html

RHSA-2003:256-01: Perl
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0040.html

RHSA-2003:279-02: OpenSSH
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0037.html

RHSA-2003:283-01: Sendmail
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0038.html

--- Conectiva:

CLA-2003:741: OpenSSH
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0043.html

CLA-2003:742: Sendmail
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0044.html

CLA-2003:743: MySQL
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0045.html

CLA-2003:747: kde
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0046.html

CLA-2003:748: wu-ftpd
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0047.html

--- Debian:

DSA-382-3: OpenSSH
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0660.html

DSA-384-1: Sendmail
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0577.html

DSA-387-1: gopherd
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0616.html

DSA-388-1: kdebase
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0637.html

--- Mandrake:

MDKSA-2003:090-1: OpenSSH
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0170.html

MDKSA-2003:091: kdebase
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0165.html

MDKSA-2003:092: Sendmail
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0173.html

MDKSA-2003:093: gtkhtml
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0188.html

MDKSA-2003:094: MySQL
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0189.html

--- Trustix:

TSLSA-2003-0033: OpenSSH
http://archives.neohapsis.com/archives/bugtraq/2003-09/0262.html

TSLSA-2003-0034: MySQL
http://archives.neohapsis.com/archives/bugtraq/2003-09/0263.html

--- Slackware:

SSA:2003-260-01: OpenSSH
http://archives.neohapsis.com/archives/bugtraq/2003-09/0270.html

SSA:2003-260-02: Sendmail
http://archives.neohapsis.com/archives/bugtraq/2003-09/0271.html

--- EnGarde:

ESA-20030918-024: OpenSSH
http://archives.neohapsis.com/archives/linux/engarde/2003-q3/0007.html

ESA-20030918-025: MySQL
http://archives.neohapsis.com/archives/linux/engarde/2003-q3/0008.html

--- Immunix:

IMNX-2003-7+-020-01: OpenSSH
http://archives.neohapsis.com/archives/linux/immunix/2003-q3/0019.html

IMNX-2003-7+-021-01: Sendmail
http://archives.neohapsis.com/archives/linux/immunix/2003-q3/0033.html

--- SuSE:

SuSE-SA:2003:039: OpenSSH
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0800.html

SuSE-SA:2003:040: Sendmail
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0826.html

Source: Red Hat, Conectiva, Debian, Mandrake, Trustix, Slackware,
EnGarde, Immunix, SuSE
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0039.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0040.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0037.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0038.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0043.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0044.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0046.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0047.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0660.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0616.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0637.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0170.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0165.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0173.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0188.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0189.html
http://archives.neohapsis.com/archives/bugtraq/2003-09/0262.html
http://archives.neohapsis.com/archives/bugtraq/2003-09/0263.html
http://archives.neohapsis.com/archives/bugtraq/2003-09/0270.html
http://archives.neohapsis.com/archives/bugtraq/2003-09/0271.html
http://archives.neohapsis.com/archives/linux/engarde/2003-q3/0007.html
http://archives.neohapsis.com/archives/linux/engarde/2003-q3/0008.html
http://archives.neohapsis.com/archives/linux/immunix/2003-q3/0019.html
http://archives.neohapsis.com/archives/linux/immunix/2003-q3/0033.html
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0800.html
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0826.html

*** {03.38.012} Linux - ipmasq generates insecure filter rules

The ipmasq utility generates packet filtering rules that are too
permissive, which could allow an external attacker to forward traffic
through the firewall.

Debian confirmed this vulnerability and released updated DEBs, included
at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0649.html

--- BSD News -----------------------------------------------------------

*** {03.38.008} BSD - NetBSD sysctl() vulns

A NetBSD advisory indicates that the sysctl(2) system call does not
properly validate its arguments, potentially allowing a local attacker to
panic the kernel or read arbitrary portions of kernel memory.

This vulnerability is confirmed and fixed in CVS as of Aug. 28, 2003.

Source: NetBSD
http://archives.neohapsis.com/archives/netbsd/2003-q3/0273.html

*** {03.38.009} BSD - Updated patches for previous vulnerabilities

The following is a list of BSD vendor patches for vulnerabilities
previously reported in Security Alert Consensus.

--- OpenBSD:

Sendmail:
http://archives.neohapsis.com/archives/openbsd/2003-09/1386.html

--- FreeBSD:

FreeBSD-SA-03:12: OpenSSH
http://archives.neohapsis.com/archives/freebsd/2003-09/0068.html

FreeBSD-SA-03:13: Sendmail
http://archives.neohapsis.com/archives/freebsd/2003-09/0120.html

--- NetBSD:

2003-012: OpenSSH
http://archives.neohapsis.com/archives/netbsd/2003-q3/0274.html

2003-013: ibcs
http://archives.neohapsis.com/archives/netbsd/2003-q3/0271.html

Source: OpenBSD, FreeBSD, NetBSD
http://archives.neohapsis.com/archives/openbsd/2003-09/1386.html
http://archives.neohapsis.com/archives/freebsd/2003-09/0068.html
http://archives.neohapsis.com/archives/freebsd/2003-09/0120.html
http://archives.neohapsis.com/archives/netbsd/2003-q3/0274.html
http://archives.neohapsis.com/archives/netbsd/2003-q3/0271.html

--- HP-UX News ---------------------------------------------------------

*** {03.38.022} HP-UX - Updated patches for previous vulnerabilities

The following is a list of HP-UX vendor patches for vulnerabilities
previously reported in Security Alert Consensus.

HPSBUX0309-282: HP-UX secure shell
http://archives.neohapsis.com/archives/hp/2003-q3/0060.html

HPSBUX0309-281: Sendmail
http://archives.neohapsis.com/archives/hp/2003-q3/0060.html

Source: HP
http://archives.neohapsis.com/archives/hp/2003-q3/0060.html

--- Network Devices News -----------------------------------------------

*** {03.38.020} NetDev - Cisco product SSH updates

Cisco released updates for various Cisco network devices that contain
vulnerabilities related to the recent OpenSSH buffer management
overflow.

Further information is available at the reference URL below.

Source: Cisco
http://archives.neohapsis.com/archives/cisco/2003-q3/0012.html

--- Cross-Platform News ------------------------------------------------

*** {03.38.002} Cross - LSH heap overflow

The LSH SSH daemon prior to version 1.5.3 contains a heap-based buffer
overflow that allows a remote attacker to execute arbitrary code with
root privileges.

The vendor confirmed this vulnerability and released fixed versions
1.5.3 and 1.4.3. An exploit was published.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0326.html

*** {03.38.003} Cross - mpg123 network stream overflow #2

The mpg123 MP3 player versions 0.59s and prior contain a buffer overflow
in the handling of HTTP music streams that could allow a malicious
server to execute arbitrary code on the user's system.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0357.html

*** {03.38.004} Cross - Netup UTM CGI multiple vulns

The Netup UserTraffManager suite version 4.0 reportedly contains
multiple vulnerabilities that allow a remote attacker to perform SQL
tampering attacks as well as execute arbitrary commands with root
privileges.

These vulnerabilities are not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0345.html

*** {03.38.005} Cross - OpenSSH PAM vulnerabilities

The portable OpenSSH releases 3.7p1 and 3.7.1p1 contain several bugs in
the new PAM handling code. According to the OpenSSH advisory, at least one
of them is remotely exploitable, but only under a non-default
configuration with privilege separation disabled. The OpenBSD version of
OpenSSH does not contain the PAM code and is not affected.

Version 3.7.1p2 was released to fix these issues.

Source: OpenSSH
http://archives.neohapsis.com/archives/openbsd/2003-09/1820.html
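For anyone re-checking a fleet after this second round of OpenSSH releases
(see the introduction, this item, and the Cisco item {03.38.020}), the
version string sshd sends on connect is the quickest first pass. The Python
below is an added triage helper by the editor, not an OpenSSH or Cisco tool;
the banners it tests are constructed. It encodes the two rules from the
OpenSSH advisories: the buffer management errors affect every sshd before
3.7.1, and the PAM bugs affect only the portable releases 3.7p1 and 3.7.1p1,
fixed in 3.7.1p2.

```python
import re

# sshd's identification line as seen on connecting to port 22. Text after the
# version is free-form; Debian and FreeBSD put their package revision there.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?P<portable>p\d+)?"
)


def parse_openssh_banner(banner):
    """Return ((major, minor[, patch]), portable_release_or_None), or None when the
    banner is not an OpenSSH one (version hidden, or a different implementation)."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    version = tuple(int(part) for part in m.group("ver").split("."))
    portable = m.group("portable")
    return version, (int(portable[1:]) if portable else None)


def openssh_findings(banner):
    """List the issues from this week's advisories that the advertised version falls
    under, judged by the version number alone."""
    parsed = parse_openssh_banner(banner)
    if parsed is None:
        return ["not an OpenSSH banner: identify the implementation and check it separately"]
    version, p_release = parsed
    findings = []
    # Buffer management errors: every sshd before 3.7.1 (3.7 fixed the first
    # instance, 3.7.1 the remaining ones). Tuple comparison makes (3, 7) < (3, 7, 1).
    if version < (3, 7, 1):
        findings.append("buffer management errors: needs 3.7.1 or later")
    # PAM bugs: only the portable releases 3.7p1 and 3.7.1p1. The OpenBSD tree
    # (no "pN" suffix) has no PAM code at all.
    if (version, p_release) in {((3, 7), 1), ((3, 7, 1), 1)}:
        findings.append("PAM handling bugs in portable 3.7p1/3.7.1p1: needs 3.7.1p2")
    return findings


if __name__ == "__main__":
    # Constructed banners; none was captured from a real host.
    for b in ("SSH-1.99-OpenSSH_3.6.1p2", "SSH-2.0-OpenSSH_3.7p1",
              "SSH-2.0-OpenSSH_3.7.1p1 Debian 1:3.7.1p1-1", "SSH-2.0-OpenSSH_3.7.1p2",
              "SSH-2.0-OpenSSH_3.7.1", "SSH-1.5-SomeOtherImplementation-1.0"):
        print(f"{b:45} {openssh_findings(b) or ['ok by version']}")
```

Treat a hit as a reason to confirm against the installed package, not as
proof: the vendor updates listed under Linux and BSD above backport the fix
while keeping the base release's version string in the banner, so a banner
check over-reports on patched hosts, and a vendor suffix such as "Debian
1:3.7.1p1-1" is packaging detail, not the upstream version. Conversely, a
clean 3.7.1p2 says nothing about whether the configuration-dependent PAM
exposure ever applied to that host.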

*** {03.38.007} Cross - ProFTPD ASCII mode file transfer overflow

ProFTPD versions 1.2.9rc2 and prior contain a buffer overflow in the
handling of ASCII mode file transfers (the translation of newline
characters) that allows a remote attacker to execute arbitrary code on the
target system.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0367.html

*** {03.38.013} Cross - Vulnerable PHP applications, 09/23

The following is a list of reported vulnerable third-party PHP CGI
applications. These vulnerabilities are not necessarily confirmed.

myPHPNuke 1.8.8: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2003-09/0327.html

Mambo 4.0.14: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2003-09/0303.html

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0327.html
http://archives.neohapsis.com/archives/bugtraq/2003-09/0303.html
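Items {03.38.010}, {03.38.011}, {03.38.004} and the two PHP applications
above all describe the same defect, SQL tampering (now more commonly called
SQL injection): a request field is pasted into the text of a query, so a
quote in the field ends the string literal and the remainder is parsed as
SQL. The Python below is an added illustration by the editor, not code from
any of the applications named; the user table and the attack strings are
constructed for the example. It uses a login check of the login.asp kind from
{03.38.011}, with the vulnerable query next to the parameterized one.

```python
import sqlite3


def make_db():
    """In-memory table standing in for the application's user store. The single
    row is constructed for this example (a real store would hold a password hash;
    the point here is the query, not the storage)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    return db


DB = make_db()


def login_vulnerable(username, password, db=DB):
    """The pattern behind the reports above: request fields spliced into the query
    text. A quote in either field closes the literal and the rest becomes SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None


def login_fixed(username, password, db=DB):
    """Bound parameters: the statement text is fixed and the values travel
    separately, so quotes, comment markers and keywords in them stay data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


# Constructed attack inputs of the kind these reports describe.
OR_TRUE_PASSWORD = "' OR '1'='1"   # ... AND password = '' OR '1'='1'  -> always true
COMMENT_USERNAME = "admin'--"      # ... username = 'admin'-- (password clause commented out)


if __name__ == "__main__":
    for fn in (login_vulnerable, login_fixed):
        print(fn.__name__,
              "or-true:", fn("anyone", OR_TRUE_PASSWORD),
              "comment:", fn(COMMENT_USERNAME, "wrong"),
              "genuine:", fn("admin", "correct horse"))
```

Note that neither attack needs a valid username against the vulnerable
form: the OR clause matches every row and the comment variant drops the
password test entirely. The parameterized form returns True only for the
genuine credentials.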

*** {03.38.014} Cross - Xitami SHTML handler large header DoS

The Xitami Web server versions 2.5B4 and prior crash when a request for
an .SHTML document contains a large header name.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0336.html

*** {03.38.015} Cross - Perl Mail::Mailer insecure use of external
                programs

The Mail::Mailer Perl module invokes and drives external mail programs
such as mailx insecurely, which could allow attacker-supplied message data
to make the external program execute arbitrary commands or perform other
unwanted operations.

Debian confirmed this vulnerability and released updated DEBs, listed
at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0615.html

*** {03.38.016} Cross - wu_ftpd status e-mail overflow

Wu_ftpd contains a feature that can send a notification e-mail for all
uploaded files. The functions handling this notification contain a
buffer overflow that could allow remote attackers with upload privileges
to execute arbitrary code on the system.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0348.html

*** {03.38.017} Cross - ColdFusion MX error/missing page XSS

The site-wide error and missing template pages included with ColdFusion
MX contain a cross-site scripting vulnerability.

The vendor confirmed the vulnerability and released an update.

Source: Macromedia
http://archives.neohapsis.com/archives/vendor/2003-q3/0089.html

*** {03.38.018} Cross - SpeakFreely multiple DoS vulns

SpeakFreely versions 7.6a and prior reportedly crash when receiving
either spoofed UDP traffic or a malformed GIF/BMP file.

These vulnerabilities are not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0346.html
http://archives.neohapsis.com/archives/bugtraq/2003-09/0350.html

*** {03.38.019} Cross - IBM DB2 support utilities various overflows

The db2licm and db2dart utilities shipped with IBM DB2 version 7.2
contain buffer overflows that allow local users who are members of the
db2iadm1 or db2asgrp group to execute arbitrary code with root privileges.

These vulnerabilities are confirmed and fixed in Fixpak 10a.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0114.html

*** {03.38.023} Cross - IkonBoard CGI arbitrary Perl code exec

IkonBoard CGI versions 3.1.2a and prior allow a remote attacker to
execute arbitrary Perl code embedded in the 'lang' cookie value.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0102.html

*** {03.38.024} Cross - hztty multiple overflows

Debian reported that the hztty program contains multiple buffer
overflows that allow a local attacker to execute arbitrary code with
root privileges.

These vulnerabilities are confirmed. Updated Debian DEBs are listed at
the reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0614.html

*** {03.38.025} Cross - Arkeia daemon overflow

The Knox Arkeia daemon version 5.1.12 reportedly contains a remotely
exploitable buffer overflow that allows an attacker to execute arbitrary
code with root privileges.

This vulnerability is not confirmed. An exploit was published.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-09/0318.html

************************************************************************

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/cz/L+LUG5KFpTkYRAvbRAJ9YoQZE/eZQ8x3imzKIII91/ZZQlgCeOjJR
Jj/Gw/TJtHXJdMYmP2zkIcM=
=ha03
-----END PGP SIGNATURE-----
------------------------------------------------------------------------

Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://portal.sans.org

We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).

To unsubscribe from this newsletter, or to edit your subscription
information, please go to: http://portal.sans.org

Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.

Copyright (c) 2003 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).