Microsoft Security News
SecurityFocus Microsoft Newsletter #143 Jun 30 2003 04:22PM
jboletta securityfocus com


SecurityFocus Microsoft Newsletter #143

---------------------------------------

This Issue is Sponsored by: Tenable

Tenable Network Security offers a Vulnerability Management Product.

"Lightning 1.1 is a next-generation security software solution that

thoughtfully combines relevant security data from vulnerability scans and

intrusion detection devices to help enterprises reduce network exposure.

Its design is definitely unique and highly scalable when compared to

others in our industry," says Ron Gula, President and CTO of Tenable.

Please visit: http://www.securityfocus.com/TenableSecurity-ms-secnews

------------------------------------------------------------------------

I. FRONT AND CENTER

1. IDS Correlation of VA Data and IDS Alerts

2. RFID Chips Are Here

3. The SecurityFocus 4th Anniversary Contest

II. MICROSOFT VULNERABILITY SUMMARY

1. Tutos File_Select.PHP Cross-Site Scripting Vulnerability

2. Power Server FTP Addon Remote USER/PASS Command Denial of...

3. phpBB Viewtopic.PHP SQL Injection Vulnerability

4. Power Server Remote GET Request Denial of Service Vulnerability

5. Power Server FTP Addon Plaintext Password Storage Weakness

6. Power Server FTP Addon Failure To Authenticate Vulnerability

7. MyServer Remote Denial Of Service Vulnerability

8. Tutos File_New Arbitrary File Upload Vulnerability

9. SurfControl Web Filter File Disclosure Vulnerability

10. Compaq Web-Based Management Agent Remote Stack Overflow Denia...

11. Compaq Web-Based Management Agent Access Violation Denial of...

12. Microsoft Internet Explorer HR Align Buffer Overflow...

13. Zope Invalid Query Information Disclosure Vulnerability

14. WebJeff Filemanager File Disclosure Vulnerability

15. WebJeff Filemanager Plain Text Password Storage Vulnerability

16. Zope Empty Upload Information Disclosure Vulnerability

17. Power Server FTP Addon Directory Traversal Vulnerability

18. Zope addItems Script Information Disclosure Vulnerability

19. Armida Databased Web Server Remote GET Request Denial Of...

20. Compaq Web-Based Management Agent Remote File Verification...

21. Zope ExampledbBrowseReport Description Field HTML Injection...

22. Microsoft Media Player 9 Unauthorized Media Library Access...

23. IndigoSTAR Software PerlEdit Denial Of Service Vulnerability

24. Compaq Web-Based Management Agent Multiple Remote Vulnerabilities

25. Microsoft Windows Media Services NSIISlog.DLL Remote Buffer...

III. MICROSOFT FOCUS LIST SUMMARY

1. How to block users from installing other apps (Thread)

2. SP4 instalation failure (Thread)

3. Xp Home (Thread)

4. security auditing under windows 2000 server (Thread)

5. Windows NLB (Thread)

6. AW: Question about windows service (Thread)

7. Question about windows service (Thread)

8. Please read. Post containing BugBear.B (Thread)

9. Search for files and folders fails (Thread)

10. additional Windows 2000 password policy questions (Thread)

11. Windows 2000 password policy (Thread)

12. Managing Windows Event Logs (Thread)

13. Filtering DHCP Assignments by MAC Address (Thread)

14. Microsoft Baseline Security Analyzer (Thread)

15. SecurityFocus Microsoft Newsletter #142 (Thread)

16. adding new service to system services list (Thread)

17. Netreg for Windows (Thread)

18. Windows Event Logs (Thread)

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS

1. AbsoluteShield Internet Eraser Pro

2. Akonix L7 Enterprise

3. Online Recorder 5.3

V. NEW TOOLS FOR MICROSOFT PLATFORMS

1. Securepoint Firewall and VPN Server v3.13 (S3)

2. Enigmail v0.80.0

3. beecrypt v3.0.0

VI. SPONSOR INFORMATION

I. FRONT AND CENTER

-------------------

1. IDS Correlation of VA Data and IDS Alerts

By Neil Desai

This article discusses the correlation of VA data and IDS alerts to help

prioritize events and reduce the time it takes to sift through events.

http://wwwdev.securityfocus.com/infocus/1708

2. RFID Chips Are Here

By Scott Granneman

RFID chips are being embedded in everything from jeans to paper money, and

your privacy is at stake.

http://www.securityfocus.com/columnists/169

3. The SecurityFocus 4th Anniversary Contest

Enter to win two passes to the Black Hat Briefings.

Please visit the contest page here:

http://www.securityfocus.com/contest

II. BUGTRAQ SUMMARY

-------------------

1. Tutos File_Select.PHP Cross-Site Scripting Vulnerability

BugTraq ID: 8011

Remote: Yes

Date Published: Jun 20 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/8011

Summary:

Tutos is a freely available, open source team organization software

package. It is available for the Unix, Linux, and Microsoft Windows

platforms.

A problem in the software may make the execution of arbitrary code

possible.

It has been reported that Tutos does not properly handle input to the

file_select script. Because of this, an attacker may be able to execute

code in the browser of another user with the privileges of the vulnerable

site.

The problem is in the rendering of arbitrary HTML and script code by

Tutos. An attacker may supply code as an argument to the file_select

script that, when loaded in the browser of another user, is executed in

the security context of the site hosting Tutos. This could permit the

theft of cookie authentication credentials. Other attacks may also be

possible.

2. Power Server FTP Addon Remote USER/PASS Command Denial of Service

Vulnerability

BugTraq ID: 7976

Remote: Yes

Date Published: Jun 19 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/7976

Summary:

Power Server is an open source web server available for the Microsoft

Windows operating system. Power Server supports various addon programs

designed to extend the functionality of the server, such as the FTP Addon.

Power Server FTP Addon is reportedly prone to a remote denial of service

when processing malformed USER and PASS commands. The problem occurs when

processing command parameters containing approximately 50,000 characters.

Exploitation of this vulnerability would result in a target system's CPU

usage rising to approximately 88 to 95 percent. This could result in other

services becoming unusable or potentially cause the system to behave

unpredictably.

Although unconfirmed, the affected server may be required to be manually

rebooted to restore expected functionality.

3. phpBB Viewtopic.PHP SQL Injection Vulnerability

BugTraq ID: 7979

Remote: Yes

Date Published: Jun 19 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/7979

Summary:

phpBB is an open-source web forum application that is written in PHP and

supported by a number of database products. It will run on most Unix and

Linux variants, as well as Microsoft Windows operating systems.

A SQL injection vulnerability has been reported for phpBB systems that may

result in the disclosure of user password hashes; other attacks may also

be possible.

phpBB, in some cases, does not sufficiently sanitize user-supplied input,

which is used when constructing SQL queries to execute on the underlying

database. As a result, it is possible to manipulate SQL queries. This may

allow a remote attacker to modify query logic or potentially corrupt the

database.

This vulnerability was reported to exist in the viewtopic.php script file.

A remote attacker can exploit this vulnerability by manipulating the

$topic_id URI parameter to modify SQL query logic.

SQL injection attacks may also potentially be used to exploit latent

vulnerabilities in the underlying database implementation.

4. Power Server Remote GET Request Denial of Service Vulnerability

BugTraq ID: 7983

Remote: Yes

Date Published: Jun 19 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/7983

Summary:

Power Server is an open source web server available for the Microsoft

Windows operating system.

Power Server is reportedly prone to a remote denial of service when

processing malformed GET requests. The problem occurs when processing

requests containing approximately 500,000 forward-slash '/' characters.

Exploitation of this vulnerability would result in a target system's CPU

usage rising to approximately 88 to 95 percent. This could result in other

services becoming unusable or potentially cause the system to behave

unpredictably.

Although unconfirmed, the affected server may be required to be manually

rebooted to restore expected functionality.

5. Power Server FTP Addon Plaintext Password Storage Weakness

BugTraq ID: 7984

Remote: No

Date Published: Jun 19 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/7984

Summary:

Power Server is an open source web server available for the Microsoft

Windows operating system. Power Server supports various addon programs

designed to extend the functionality of the server, such as the FTP Addon.

Power Server FTP Addon stores usernames and associated passwords using

plaintext format, in the 'FTPUsers' directory. As a result, these

credentials could be exposed to other local users who have the permissions

to access and read that file.

It should be noted that although this issue has been reported to affect

Power Server 1.0, other versions are likely to be affected.

6. Power Server FTP Addon Failure To Authenticate Vulnerability

BugTraq ID: 7986

Remote: Yes

Date Published: Jun 19 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/7986

Summary:

Power Server is an open source web server available for the Microsoft

Windows operating system. Power Server supports various addon programs

designed to extend the functionality of the server, such as the FTP Addon.

A vulnerability has been reported in Power Server FTP Addon that could

allow an attacker to gain unauthorized access. Specifically, Power Server

will accept an arbitrary password when a valid username has been supplied.

Although unconfirmed, this may be the result of a design error while

carrying out string matching of legitimate passwords.

This will effectively grant an unauthorized attacker access to a target

FTP server.

7. MyServer Remote Denial Of Service Vulnerability

BugTraq ID: 8010

Remote: Yes

Date Published: Jun 23 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/8010

Summary:

MyServer is an application and web server for Microsoft Windows and Linux

operating systems.

MyServer HTTP server has been reported prone to a remote denial of service

attack.

The issue likely stems from insufficient bounds checking on arguments

supplied via malicious HTTP GET requests. It has been reported that a

remote attacker may send an HTTP GET request containing 100 '/'

characters; this will supposedly trigger a segmentation fault in the

server executable and the software will fail. It has been reported that

no details of this attack are logged.

Due to the nature of this vulnerability it has been conjectured that this

issue may be exploited to execute arbitrary code. This however has not

been confirmed.

It should be noted that although this issue has been reported to affect

MyServer version 0.4.1, other versions might also be affected.

8. Tutos File_New Arbitrary File Upload Vulnerability

BugTraq ID: 8012

Remote: Yes

Date Published: Jun 20 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/8012

Summary:

Tutos is a freely available, open source team organization software

package. It is available for the Unix, Linux, and Microsoft Windows

platforms.

A problem in the software may make the uploading of arbitrary files

possible.

It has been reported that Tutos does not properly handle input to the

file_new script. Because of this, an attacker may be able to upload

arbitrary files to a vulnerable site.

It is not clear where the specific vulnerable component of Tutos lies.

However, because of the problem, it may be possible for an attacker to

upload and overwrite files with the privileges of the web server process.

This could result in data corruption, or other potentially malicious

activities.

9. SurfControl Web Filter File Disclosure Vulnerability

BugTraq ID: 7978

Remote: Yes

Date Published: Jun 19 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/7978

Summary:

SurfControl is a series of products designed to filter out harmful or

questionable Internet content. Web Filter is available as a plugin for

Microsoft ISA Server.

A problem with Web Filter may allow attackers to obtain access to

sensitive files. The vulnerability occurs due to insufficient sanitization

of '.../' directory traversal sequences.

A determined attacker is able to obtain access to files on the host server

with the privileges of the web server process.

This vulnerability was reported for Web Filter 4.2.0.1. It is likely that

earlier versions are affected.

10. Compaq Web-Based Management Agent Remote Stack Overflow Denial of

Service Vulnerability

BugTraq ID: 8014

Remote: Yes

Date Published: Jun 23 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/8014

Summary:

Web-Based Management Agent is the remote system management software

package distributed by Compaq. It is available for the Microsoft Windows

platform.

Compaq Web-Based Management Agent has been reported prone to a remote

denial of service vulnerability. The problem occurs when making malformed

requests to the service. Specifically, requests which contain an

exclamation mark within angle brackets (<!>), optionally followed by an

argument.

The following requests are reported to trigger the exception:

http://www.example.com:2301/survey/<!>

http://www.example.com:2301/<!.StringRedirecturl>

http://www.example.com:2301/<!.StringHttpRequest=Url>

http://www.example.com:2301/survey/<!.StringHttpRequest=Url>

http://www.example.com:2301/<!.ObjectIsapiECB>

http://www.example.com:2301/<!.StringIsapiECB=lpszPathInfo>

The root of this problem may be due to the agent failing to handle

unexpected or unsupported protocol behavior, such as these requests. This

however has not been confirmed.

The returned error from such a request reports that a stack overflow

occurred, however it has not been confirmed whether this issue is

exploitable to corrupt memory. The problem may in fact be the result of a

NULL pointer dereference.

It should be noted that this BID was previously part of BID 8009, which

addressed multiple issues.

11. Compaq Web-Based Management Agent Access Violation Denial of Service

Vulnerability

BugTraq ID: 8015

Remote: Yes

Date Published: Jun 23 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/8015

Summary:

Web-Based Management Agent is the remote system management software

package distributed by Compaq. It is available for the Microsoft Windows

platform.

Compaq Web-Based Management Agent has been reported prone to a remote

denial of service vulnerability. The problem occurs when handling

malformed GET requests to the service. Specifically, requests which

contain "<!.FunctionContentType=" followed by approximately 250 bytes of

data and appended with a ">".

The returned error from such a request reports an access violation.

The problem likely occurs due to the program attempting to write to an

invalid memory page, causing the service to crash.

It should be noted that this BID was previously part of BID 8009, which

addressed multiple issues.

12. Microsoft Internet Explorer HR Align Buffer Overflow Vulnerability

BugTraq ID: 8016

Remote: Yes

Date Published: Jun 23 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/8016

Summary:

Internet Explorer is reportedly prone to a boundary condition error.

This problem exists due to insufficient bounds checking on the 'Align'

attribute of the 'HR' (horizontal rule) HTML tag.

If the 'Align' attribute is given an unusually large value, a buffer

within the iexplore process will be overrun, causing Internet Explorer to

fail. It may also be possible to cause arbitrary code to be executed,

though this has not been confirmed. The overflow occurs in 'HTML32.cnv',

which is an HTML converter used by Internet Explorer.

This vulnerability was reported for Internet Explorer version 5 and above.

Earlier versions may also be vulnerable.

13. Zope Invalid Query Information Disclosure Vulnerability

BugTraq ID: 8000

Remote: Yes

Date Published: Jun 20 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/8000

Summary:

Zope is an open source web application server, maintained by the Zope

Project. Zope is available for Linux, Unix, and Microsoft Windows based

systems.

Reportedly, Zope will disclose path information if a user invokes an

invalid query operation using Shopping cart example scripts. An error will

be triggered and traceback information containing possible sensitive path

information will be returned to the browser of the attacker.

If an attacker can gain information about the details of the filesystem,

this information may be useful in further attacks against the host.

14. WebJeff Filemanager File Disclosure Vulnerability

BugTraq ID: 7995

Remote: Yes

Date Published: Jun 20 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/7995

Summary:

WebJeff Filemanager is a file management system implemented in PHP. It is

available for a variety of platforms including Microsoft Windows and Linux

and Unix variant operating environments.

A vulnerability has been reported for Filemanager that may result in the

disclosure of arbitrary files. The vulnerability exists due to

insufficient sanitization of user-supplied values for URI parameters.

Specifically, the 'ficher' URI parameter of the index.php3 script file is

not properly sanitized.

A malicious attacker can specify arbitrary absolute paths as the value of

the 'ficher' URI parameter. This will result in the requested file being

disclosed to the attacker.

This vulnerability affects Filemanager 1.6.

15. WebJeff Filemanager Plain Text Password Storage Vulnerability

BugTraq ID: 7996

Remote: Yes

Date Published: Jun 20 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/7996

Summary:

WebJeff Filemanager is a file management system implemented in PHP. It is

available for a variety of platforms including Microsoft Windows and Linux

and Unix variant operating environments.

A vulnerability has been reported for Filemanager that may result in an

attacker obtaining authentication credentials. The vulnerability exists

due to the way usernames and passwords are stored. Specifically,

authentication credentials are stored in plain text format in the

'prive/users.txt' file.

An attacker can exploit this vulnerability by making a request for the

desired resource.

Any information obtained in this manner may be used to launch further

attacks against a vulnerable system.

This vulnerability was reported for Filemanager 1.6.

16. Zope Empty Upload Information Disclosure Vulnerability

BugTraq ID: 7998

Remote: Yes

Date Published: Jun 20 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/7998

Summary:

Zope is an open source web application server, maintained by the Zope

Project. Zope is available for Linux, Unix, and Microsoft Windows based

systems.

Reportedly, Zope will disclose path information if a user invokes an

upload operation via the 'addFile' script when a target file does not

exist as a URI parameter. An error will be triggered and traceback

information containing possible sensitive path information will be

returned to the browser of the attacker.

If an attacker can gain information about the details of the filesystem,

this information may be useful in further attacks against the host.

17. Power Server FTP Addon Directory Traversal Vulnerability

BugTraq ID: 7985

Remote: Yes

Date Published: Jun 19 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/7985

Summary:

Power Server is an open source web server available for the Microsoft

Windows operating system. Power Server supports various addon programs

designed to extend the functionality of the server, such as the FTP Addon.

A problem with the server may make it possible to gain unauthorized access

to system resources.

It has been reported that Power Server FTP Addon does not properly handle

some types of requests. This may make it possible for a remote user to

gain access to resources outside of the FTP root directory.

Access to this information could potentially aid an attacker in launching

further attacks against the target system or its users.

18. Zope addItems Script Information Disclosure Vulnerability

BugTraq ID: 7999

Remote: Yes

Date Published: Jun 20 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/7999

Summary:

Zope is an open source web application server, maintained by the Zope

Project. Zope is available for Linux, Unix, and Microsoft Windows based

systems.

A vulnerability has been discovered in Zope which may result in the

disclosure of sensitive information to a remote attacker. The problem

occurs when a value greater than 11 is passed as the records URI parameter

to the addItems script. When this occurs, an exception will be triggered

causing the server to return an error page containing sensitive system

information.

Information disclosed may include session identification, the script

installation paths, the application installation path, etc.

Access to this information could potentially aid an attacker in launching

further attacks against the system.

19. Armida Databased Web Server Remote GET Request Denial Of Service

Vulnerability

BugTraq ID: 8017

Remote: Yes

Date Published: Jun 23 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/8017

Summary:

Armida Databased Web Server is a web server available for the Microsoft

Windows operating systems.

Armida Databased Web Server is reportedly prone to a remote denial of

service when processing malicious GET requests. The problem occurs when

processing requests containing approximately 5000 bytes of data.

Exploitation of this vulnerability would result in the remote service

crashing. Although unconfirmed, due to the nature of this vulnerability

it may be possible to supply and execute arbitrary code.

This vulnerability has been reported to affect Armida Web Server version

1.0.

20. Compaq Web-Based Management Agent Remote File Verification

Vulnerability

BugTraq ID: 8019

Remote: Yes

Date Published: Jun 23 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/8019

Summary:

Web-Based Management Agent is the remote system management software

package distributed by Compaq. It is available for the Microsoft Windows

platform.

Compaq Web-Based Management Agent has been reported vulnerable to a remote

file verification vulnerability. This information leak could be exploited

by an attacker to verify the existence of sensitive files on a vulnerable

system.

The problem is in the handling of input when passed via the following

means:

http://www.example.com:2301/<!.DebugSearchPaths>?Url=%2F..%2F..%2F..%2F..%2Fboot.ini

As can be ascertained from the above URL, passing directory traversal

strings in the dot-dot-slash form (../) with encoded slashes can permit

the attacker to access a file on the vulnerable system. If the file

exists, the Web-Based Management Agent returns a response that validates

the existence of the file.

It should be noted that this BID was previously part of BID 8009, which

addressed multiple issues.
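
The request shapes described in the Compaq Web-Based Management Agent entries (BIDs 8014, 8015 and 8019) can be looked for in web server access logs. The following is an added example, not part of the original newsletter or any vendor tooling: it percent-decodes each request target before matching, and the log format, the sample lines, the decode bound and the argument-size threshold are all assumptions.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3   # assumption: bound on nested percent-encoding
TAG_ARG_LIMIT = 128     # assumption: conservative cap, below the ~250 bytes reported

# "<!" opens the agent's server-side tags, e.g. <!.DebugSearchPaths>
TAG_RE = re.compile(r"<!(?P<body>[^>]*)>?")
# A path segment made only of two or more dots ("../" and ".../" forms)
DOTS_RE = re.compile(r"(?:^|[\\/])\.{2,}(?:[\\/]|$)")
# Common Log Format request field: "METHOD target HTTP/x.y"
LOG_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"'
)


def fully_decode(value):
    """Percent-decode repeatedly so %2F and %252F both end up as '/'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return a list of findings for one request target (path plus query)."""
    decoded = fully_decode(target)
    findings = []
    for match in TAG_RE.finditer(decoded):
        if "server-side-tag" not in findings:
            findings.append("server-side-tag")
        # Text after '=' inside the tag is the tag's argument.
        argument = match.group("body").partition("=")[2]
        if (len(argument) >= TAG_ARG_LIMIT
                and "oversized-tag-argument" not in findings):
            findings.append("oversized-tag-argument")
    # Matching on the decoded form catches traversal hidden behind %2F.
    if DOTS_RE.search(decoded):
        findings.append("path-traversal")
    return findings


def scan_log(lines):
    """Return (client, target, findings) for every log line with findings."""
    flagged = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line in the assumed format
        findings = classify_request(match.group("target"))
        if findings:
            flagged.append((match.group("client"), match.group("target"), findings))
    return flagged


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jun/2003:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.11 - - [23/Jun/2003:10:01:07 +0000] "GET /survey/<!> HTTP/1.0" 500 0',
    '192.0.2.11 - - [23/Jun/2003:10:01:09 +0000] '
    '"GET /<!.DebugSearchPaths>?Url=%2F..%2F..%2F..%2F..%2Fboot.ini HTTP/1.0" 200 64',
    '192.0.2.12 - - [23/Jun/2003:10:02:30 +0000] '
    '"GET /<!.FunctionContentType=' + "A" * 250 + '> HTTP/1.0" 500 0',
]

if __name__ == "__main__":
    for client, target, findings in scan_log(SAMPLE_LOG):
        print(client, ",".join(findings), target[:60])
```
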

21. Zope ExampledbBrowseReport Description Field HTML Injection

Vulnerability

BugTraq ID: 8001

Remote: Yes

Date Published: Jun 20 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/8001

Summary:

Zope is an open source web application server, maintained by the Zope

Project. Zope is available for Linux, Unix, and Microsoft Windows based

systems.

It has been reported that Zope ExampledbBrowseReport example script

suffers from an HTML injection vulnerability. The problem is said to occur

due to insufficient input validation of user-supplied form data.

Specifically, it is possible to embed HTML code within the 'Description'

field of the Zope ExampledbBrowseReport example script.

All script code will be interpreted by the browsers of other Zope users,

who view the affected page, within the context of the site hosting the

affected script.

The successful exploitation of this issue could ultimately result in the

attacker obtaining cookie-based authentication credentials or other

sensitive information, which could be used to impersonate the other user.

22. Microsoft Media Player 9 Unauthorized Media Library Access

Vulnerability

BugTraq ID: 8034

Remote: Yes

Date Published: Jun 25 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/8034

Summary:

Windows Media Player 9 Series is prone to an issue that may result in an

attacker obtaining unauthorized access to a compromised user's media

library.

Windows Media Player 9 uses an ActiveX control to control access to a

user's Media Library. The ActiveX control is a scriptable component and

can be invoked through the use of script code. The vulnerability exists

due to insufficient validation of requests made to the ActiveX control to

access the Media Library.

An attacker can exploit this vulnerability by enticing a victim user to

visit a site that hosts malicious script code to invoke the Media Player

ActiveX control. Successful exploitation will result in the attacker

obtaining access to a user's Media Library.

Information obtained in this manner may be used by an attacker to launch

other attacks against a vulnerable system, such as modifying contents of

Media Library entries.

23. IndigoSTAR Software PerlEdit Denial Of Service Vulnerability

BugTraq ID: 8006

Remote: Yes

Date Published: Jun 21 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/8006

Summary:

PerlEdit is an IDE (Integrated Development Environment) for developing Perl

scripts. It is maintained and distributed by IndigoSTAR Software. It is

available for Linux variant and Microsoft Windows operating systems.

A denial of service vulnerability has been reported for PerlEdit. The

vulnerability exists when a connection is made to TCP port 1956.

When PerlEdit is executed, it will bind to TCP port 1956. If an attempt is

made to connect to that port while PerlEdit is running, it will cause

PerlEdit to crash.

An attacker can exploit this vulnerability by connecting to a vulnerable host

on port 1956. This will cause the vulnerable PerlEdit application to

crash.

This vulnerability was reported to affect PerlEdit 1.07.

24. Compaq Web-Based Management Agent Multiple Remote Vulnerabilities

BugTraq ID: 8009

Remote: Yes

Date Published: Jun 23 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/8009

Summary:

Web-Based Management Agent is the remote system management software

package distributed by Compaq. It is available for the Microsoft Windows

platform.

It may be possible for a remote attacker to gain unauthorized access to a

host using the vulnerable software.

The Compaq Web-Based Management Agent may permit an attacker to create one

of the following scenarios:

Numerous stack overflows are reported to exist in the management agent.

By passing one of several combinations of tags to the web server for

server-side command interpreting, it is possible for an attacker to crash

the agent, resulting in a denial of service. It is not clear whether or

not these issues may be exploited to execute code with the privileges of

the web server process.

Another reported issue appears to be a boundary condition error that may

be exploitable. By supplying a request with a length of at least 250

bytes to the FunctionContentType function, it is possible to cause an

"Access violation," which may be a memory corruption issue.

A final reported issue is the ability of a remote user to validate files

on a system. By passing a maliciously crafted request to the

DebugSearchPaths function, an attacker may be able to validate the

existence of certain files on the system, potentially resulting in

information disclosure.

This vulnerability alert is a preliminary analysis. These vulnerabilities

will be broken into specific entries as more detailed analysis is

performed.

25. Microsoft Windows Media Services NSIISlog.DLL Remote Buffer Overflow

Vulnerability

BugTraq ID: 8035

Remote: Yes

Date Published: Jun 25 2003 12:00AM

Relevant URL:

http://www.securityfocus.com/bid/8035

Summary:

Microsoft Media Services provides functionality for providing streaming

media content to clients from IIS. It ships with a number of Microsoft

Windows 2000 server releases and is also available for download for

Windows NT.

Microsoft has reported a buffer overflow vulnerability in Windows Media

Services. This is due to a problem with how the logging ISAPI extension

(nsiislog.dll) handles incoming client requests. The logging facility may

attempt to write excessive data to an undersized buffer when handling a

malformed HTTP client request. This could trigger a denial of service or

remote arbitrary code execution in IIS, which is exploitable through Media

Services. The issue would occur in servers that are configured to provide

logging of media requests.

It is possible to exploit this issue by sending an overly long HTTP POST

request to the vulnerable component. This may permit a remote attacker to

corrupt sensitive stack variables with attacker-supplied values, allowing

the attacker to control process execution flow and execute malicious

instructions. Any attacker-supplied code will be executed in the security

context of the underlying IIS server.

It has been reported that Windows Media Services is not installed by

default on Windows 2000.

It should be noted that this vulnerability is similar to the issue

described in BID 7727. This issue was reported independently from BID 7727

and was not addressed in the vendor fixes associated with that BID.

III. MICROSOFT FOCUS LIST SUMMARY

---------------------------------

1. How to block users from installing other apps (Thread)

Relevant URL:

http://www.securityfocus.com/archive/88/326971

2. SP4 instalation failure (Thread)

Relevant URL:

http://www.securityfocus.com/archive/88/326977

3. Xp Home (Thread)

Relevant URL:

http://www.securityfocus.com/archive/88/326976

4. security auditing under windows 2000 server (Thread)

Relevant URL:

http://www.securityfocus.com/archive/88/326899

5. Windows NLB (Thread)

Relevant URL:

http://www.securityfocus.com/archive/88/326900

6. AW: Question about windows service (Thread)

Relevant URL:

http://www.securityfocus.com/archive/88/326898

7. Question about windows service (Thread)

Relevant URL:

http://www.securityfocus.com/archive/88/326890

8. Please read. Post containing BugBear.B (Thread)

Relevant URL:

http://www.securityfocus.com/archive/88/326715

9. Search for files and folders fails (Thread)

Relevant URL:

http://www.securityfocus.com/archive/88/326671

10. additional Windows 2000 password policy questions (Thread)

Relevant URL:

http://www.securityfocus.com/archive/88/326673

11. Windows 2000 password policy (Thread)

Relevant URL:

http://www.securityfocus.com/archive/88/326524

12. Managing Windows Event Logs (Thread)

Relevant URL:

http://www.securityfocus.com/archive/88/326522

13. Filtering DHCP Assignments by MAC Address (Thread)

Relevant URL:

http://www.securityfocus.com/archive/88/326479

14. Microsoft Baseline Security Analyzer (Thread)

Relevant URL:

http://www.securityfocus.com/archive/88/326418

15. SecurityFocus Microsoft Newsletter #142 (Thread)

Relevant URL:

http://www.securityfocus.com/archive/88/326385

16. adding new service to system services list (Thread)

Relevant URL:

http://www.securityfocus.com/archive/88/326386

17. Netreg for Windows (Thread)

Relevant URL:

http://www.securityfocus.com/archive/88/326294

18. Windows Event Logs (Thread)

Relevant URL:

http://www.securityfocus.com/archive/88/326289

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS

----------------------------------------

1. AbsoluteShield Internet Eraser Pro

by SysShield Consulting, Inc

Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP

Relevant URL:

http://www.internet-track-eraser.com/

Summary:

AbsoluteShield Internet Eraser protects your privacy by cleaning up all

the tracks of your Internet and computer activities. The tool is

integrated with IE and it can erase the browser cache, history, cookies,

typed URLs, autocomplete list and so on in one click. You can also set the

tool to automatically erase those tracks when you quit IE or quit Windows.

The tool can also erase free disk space and has open

plugin support. With plugin support, AbsoluteShield Internet Eraser

can now erase the tracks left by any application. We currently

offer more than 20 plugins, which support the most popular programs such

as MS Office, WinZip, UltraEdit, RealPlayer, Media Player... Besides the

ability to erase the tracks of your Internet and computer activities, the

tool also has an integrated, small, configurable and intelligent ad window

and popup blocker.

2. Akonix L7 Enterprise v2.0

by Akonix Systems, Inc.

Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP

Relevant URL:

http://www.akonix.com/products/l7.asp

Summary:

Akonix L7 Enterprise v2.0 allows organizations to secure their networks

from the threats of unmanaged Public Instant Messaging, while continuing

to gain its benefits. Akonix L7 Enterprise v2.0 addresses critical

business drivers such as Security, Control and Management, Compliance and

Liability, and Reporting.

3. Online Recorder 5.3

by Spy Software Solutions

Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP

Relevant URL:

http://www.spysoftware.net/onlinerecorder/

Summary:

Are you worried about what your spouse or children are doing on the

Internet? Do they hide windows when you look over their shoulder? If you

want to know exactly what they're typing and where they're going, this

program is for you. The Online Recorder secretly runs under Windows when

your computer starts up and extracts text from Internet applications. It

also records every keystroke on your computer without slowing it down or

changing its performance. Complete satisfaction is guaranteed.

V. NEW TOOLS FOR MICROSOFT PLATFORMS

-------------------------------------

1. Securepoint Firewall and VPN Server v3.13 (S3)

by Lutz Hausmann

Relevant URL:

http://www.securepoint.cc/

Platforms: Linux, Windows 2000, Windows 95/98, Windows NT

Summary:

Securepoint Firewall and VPN Server is a high-performance application

designed to offer full protection for network assets. The Security Manager

offers a graphical user interface with many features, different

configurations, and advanced reporting functions. The Securepoint server

is a complete firewall and VPN software system with an operating system

based on a secure Linux. VPN operation supports PPTP and IPSec (X.509

certificates, preshared, RSA signature). You can use the firewall on a

standard PC with 2 to 16 network cards (including Ethernet, ADSL, ISDN).

It is very easy to install and administer. The Securepoint Security

Manager is available in English, German, and Spanish, and works in online

and offline mode.

2. Enigmail v0.80.0

by Patrick

Relevant URL:

http://enigmail.mozdev.org/thunderbird.html

Platforms: Linux, MacOS, POSIX, UNIX, Windows 2000, Windows 3.x, Windows

95/98, Windows CE, Windows NT, Windows XP

Summary:

Enigmail is a "plugin" for the mail client of Mozilla and Netscape 7.x

which allows users to access the authentication and encryption features

provided by the popular GnuPG software. Enigmail can encrypt/sign mail

when sending, and can decrypt/authenticate received mail. It can also

import/export public keys. Enigmail supports both the inline PGP format

and the PGP/MIME format, which can be used to encrypt attachments.

Enigmail is cross-platform, although binaries are supplied only for a

limited number of platforms. Enigmail uses inter-process communication to

execute GPG to carry out encryption/authentication.

3. beecrypt v3.0.0

by Bob Deblier, bob.deblier (at) pandora (dot) be

Relevant URL:

http://sourceforge.net/projects/beecrypt/

Platforms: Linux, Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT

Summary:

BeeCrypt is an ongoing project to provide strong and fast cryptography in

the form of a toolkit usable by commercial and open source projects.

Included in the library are entropy sources, random generators, block

ciphers, hash functions, message authentication codes, multiprecision

integer routines, and public key primitives.

VI. SPONSOR INFORMATION

-----------------------

This Issue is Sponsored by: Tenable

Tenable Network Security offers a Vulnerability Management Product.

"Lightning 1.1 is a next-generation security software solution that

thoughtfully combines relevant security data from vulnerability scans and

intrusion detection devices to help enterprises reduce network exposure.

Its design is definitely unique and highly scalable when compared to

others in our industry," says Ron Gula, President and CTO of Tenable.

Please visit: http://www.securityfocus.com/TenableSecurity-ms-secnews

--------------------------------------------------------------------------
