SecurityFocus Linux Newsletter #114
-----------------------------------
This issue is sponsored by: Qualys
Strengthening Network Security: FREE Guide Network security is a
constantly moving target - even proven solutions lose their punch over
time. Find out how to get COMPLETE PROTECTION against ever-growing
security threats with our FREE new Guide.
Get your copy today at: https://www.qualys.com/forms/nsguideh_376.php
------------------------------------------------------------------------
-------
I. FRONT AND CENTER
1. Instant Insecurity: Security Issues of Instant Messaging
2. Intelligence Gathering: Watching a Honeypot at Work
3. Closing the Floodgates: DDoS Mitigation Techniques
4. SecurityFocus DPP Program
5. InfoSec World Conference and Expo/2003 (March 10-12, 2003,Orlando,FL)
II. LINUX VULNERABILITY SUMMARY
1. DCP-Portal Remote File Include Vulnerability
2. CGIHTML Form Data File Corruption Vulnerability
3. Horde IMP Database Files SQL Injection Vulnerabilities
4. HTTP Fetcher Library Multiple Buffer Overflow Vulnerabilities
5. myPHPNuke Information Disclosure Vulnerability
6. CommuniGate Pro Webmail File Disclosure Vulnerability
7. CGIHTML Insecure Form-Data Temporary File Vulnerability
8. H-Sphere Webshell Remote Buffer Overrun Vulnerability
9. AJ's Internet Cafe World-Writeable Files Vulnerability
10. Half-Life HLTV Remote Denial Of Service Vulnerability
11. Active PHP Bookmarks Multiple File Include Vulnerabilities
12. Mambo Site Server Multiple Cross Site Scripting Vulnerabilities
13. Mambo Site Server Arbitrary File Upload Vulnerability
14. Multiple Vendor Network Device Driver Frame Padding...
15. H-Sphere Webshell Command.C Mode URI Parameter Command...
16. H-Sphere Webshell diskusage.cc Buffer Overflow Vulnerability
17. myPHPNuke Default_Theme Cross Site Scripting Vulnerability
18. Macromedia ColdFusion MX CFInclude And CFModule Tag Sandbox...
19. S8Forum Remote Command Execution Vulnerability
20. FormMail Cross-Site Scripting Vulnerability
21. Middleman net_dns() Frame Pointer Overwrite Vulnerability
22. Bea Systems WebLogic ResourceAllocationException System...
23. DCP-Portal Unauthorized Account Access Vulnerability
24. H-Sphere Webshell flist() Buffer Overflow Vulnerability
25. H-Sphere Webshell Command2.CC Zipfile URI Parameter Command...
26. GeneWeb File Disclosure Vulnerability
27. cgihtml Signed Integer Content-Length Memory Corruption...
28. TANne Session Manager SysLog Format String Vulnerability
29. cgihtml Denial Of Service Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. NO NEW POSTS FOR THE WEEK ENDING 01.10.03
IV. NEW PRODUCTS FOR LINUX PLATFORM
1. FireWall Suite
2. NetVigil
3. P-Synch Total Password Management Solution
V. NEW TOOLS FOR LINUX PLATFORMS
1. RSA implementation in Octave v0.01
2. e2undel v0.81
3. RSA encrypting tool v0.11
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Instant Insecurity: Security Issues of Instant Messaging
By Neal Hindocha
Instant messaging services are becoming an increasingly popular form of
communication, both in the personal and the professional spheres. This
paper will describe instant messaging and offer a brief overview of some
of the security threats associated with the service.
http://online.securityfocus.com/infocus/1657
2. Intelligence Gathering: Watching a Honeypot at Work
By Toby Miller
The purpose of this article is share with the security community the data
the author collected from his honeypot. This discussion will include the
attacker's recon, the attack, the attempted cover-up, and the reason for
the attack on the honeypot.
http://online.securityfocus.com/infocus/1656
3. Closing the Floodgates: DDoS Mitigation Techniques
by Matthew Tanase
To be on the receiving end of a distributed denial of service (DDoS)
attack is a nightmare scenario for any network administrator, security
specialist or access provider. It begins instantly, without warning, and
continues relentlessly: machines down, jammed bandwidth, overloaded
routers. An effective, immediate response is often difficult and may
depend on third parties, such as ISPs. With these challenges in mind, this
article will explore some techniques that systems administrators and
security professionals can employ should they ever find themselves in this
rather undesirable situation.
http://online.securityfocus.com/infocus/1655
4. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11
Solutions to today?s security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!
Go to: http://www.misti.com/10/os03nl37inf.html
II. BUGTRAQ SUMMARY
-------------------
1. DCP-Portal Remote File Include Vulnerability
BugTraq ID: 6525
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6525
Summary:
DCP-Portal is a freely available content management system implemented in
PHP. It is available for a variety of platforms including Microsoft
Windows and Linux variants.
DCP-Portal is prone to an issue which may allow remote attackers to
include arbitrary files located on remote servers. This issue is present
in the 'library/editor/editor.php' and 'library/lib.php' scripts included
with DCP-Portal.
An attacker may exploit this by supplying a path to a maliciously created
file, located on an attacker-controlled host as a value for the '$root'
parameter.
If the remote file is a PHP script, this may allow for execution of
attacker-supplied PHP code with the privileges of the webserver.
Successful exploitation may provide local access to the attacker.
This vulnerability was reported for DCP-Portal 5.0.1. It is not known
whether earlier versions are affected.
2. CGIHTML Form Data File Corruption Vulnerability
BugTraq ID: 6550
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6550
Summary:
cgihtml is a series of CGI and HTML routines, implemented in C. It can be
run on a number of platforms, including Unix and Linux variants and
Microsoft Windows.
When handling uploaded form-data, cgihtml creates a temporary file to
store this data in /tmp or another user-specified directory. The software
uses the client supplied filename when creating the temporary file. If
the attacker supplies a malicious filename, such as one pre-pended with
dot-dot-slash (../) directory traversal sequences, it may be possible to
corrupt files outside of the specified temporary directory.
The cause of this issue trust in user-supplied input. The routines use a
client-supplied filenames when creating temporary file. The routines then
do not sufficiently validate that the filename does not contain directory
traversal sequences or has a name that may conflict with existing system
files.
For this attack to be successful, the targetted files must be writeable by
a server process that utilizes the vulnerable cgihtml routines.
IMP is a web-based mail interface/client developed by members of the Horde
project. It is implemented in PHP and runs on a number of operating
systems, including Unix and Linux variants and Microsoft Windows operating
systems.
It has been reported that IMP is prone to multiple SQL injection
vulnerabilities.
IMP, in some cases, does not sufficiently sanitize user-supplied input
which is used when constructing SQL queries to execute on the underlying
database. As a result, it is possible to manipulate SQL queries. This
may allow a remote attacker to modify query logic or potentially corrupt
the database. Consequences will vary depending on the queries used and
the capabilities of the underlying database implementation.
These issues occur throughout the database command files for different
database implementations, for example 'lib/db.pgsql'. These files contain
syntax for constructing queries with using database implementations.
SQL injection attacks may also potentially be used to exploit latent
vulnerabilities in the underlying database implementation.
HTTP Fetcher is a small library used for downloading files via HTTP using
the GET method. It is available for various platforms including the Linux
and Unix operating systems.
Multiple buffer overflows have been discovered in HTTP Fetcher. The
vulnerabilities occur in the http_fetch() function which is used to gather
various HTTP header information. These buffer overflow occurs due to
insufficient bounds checking of user-supplied parameters.
It is possible to trigger these conditions by supplying excessive data as
the 'host', 'referer', or 'userAgent' parameters. By exploiting one of
these issues to overrun 'requestBuf', it may be possible for a remote
attacker to overwrite sensitive memory.
Successful exploitation of one of these vulnerabilities may allow an
attacker to seize control of an application linked to the library. By
overwriting the function's instruction pointer it may be possible to
execute arbitrary commands.
The exploitability of this issue may be an issue only if the client
application were accessible remotely through a proxy server. For instance,
a server which allowed a client to make GET requests from other servers.
5. myPHPNuke Information Disclosure Vulnerability
BugTraq ID: 6541
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6541
Summary:
myPHPNuke is a Web Portal System based on PHP-Nuke 4.4.1a. It is available
for the Linux and Microsoft Windows operatining system.
An information disclosure vulnerability has been reported for myPHPNuke.
The vulnerability exists due to insufficient checks performed in the
system_footer.php script file. Specifically, the system_footer.php script,
found in the 'admin/' subdirectory, calls the phpinfo() function without
checking who the user is.
An attacker can exploit this vulnerability by making a request for the
system_footer.php script. The system will respond by disclosing
information to a remote attacker.
Information obtained in this manner may be used by an attacker to launch
attacks against a vulnerable system.
6. CommuniGate Pro Webmail File Disclosure Vulnerability
BugTraq ID: 6542
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6542
Summary:
CommuniGate Pro is an internet messaging server. CommuniGate Pro includes
a webmail service to allow access to mailboxes via HTTP. It is available
for a number of platforms including Unix and Linux variants and Microsoft
Windows operating systems.
A file disclosure vulnerability has been reported in the CommuniGate Pro
webmail component.
A specially crafted web request containing dot-dot-slash (../) directory
traversal sequences may break out of the document root and disclose
arbitrary web server readable files that exist on the underlying host.
Exploitation of this vulnerability may lead to disclosure of sensitive
information that may be useful in mounting further attacks on the host
system. The impact of this vulnerability is compounded by the fact that
CommuniGate Pro runs as root by default, though may be configured to drop
privileges. This issue was reported for CommuniGate Pro on FreeBSD. It
is likely that the software is affected on other platforms as well.
7. CGIHTML Insecure Form-Data Temporary File Vulnerability
BugTraq ID: 6552
Remote: No
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6552
Summary:
cgihtml is a series of CGI and HTML routines, implemented in C. It can be
run on a number of platforms, including Unix and Linux variants and
Microsoft Windows.
When handling uploaded form-data, cgihtml creates a temporary file to
store this data in /tmp or another user-specified directory. A client
supplied filename is used when the temporary file is created. This
presents a security vulnerability since the name of the temporary file can
be anticipated by the attacker.
A local attacker may take advantage of this condition to create a symbolic
link in place of the temporary file, which points to another file on the
system which is writeable by a server process which utilizes the
vulnerable routines. The vulnerable routines will follow any symbolic
links provided in place of a temporary file. The attacker may then submit
a malicious form-data upload, using the attacker-supplied filename, and
cause local files to be corrupted.
If custom data can be written to files, it is possible to gain elevated
privileges.
H-Sphere is a multiserver web hosting application. H-Sphere ships with
WebShell, a component designed to be a file manager for uploading
downloading files via FTP. H-Sphere is available for the Windows, Linux,
and Unix operating systems.
A vulnerability has been discovered in H-Sphere Webshell. The problem
occurs during the pre-authentication phase. Due to insufficient bounds
checking on user-supplied HTTP parameters, it is possible for a remote
attacker to cause a buffer to be overrun
The vulnerability occurs in the CGI::readFile() function and can be
triggered by passing the target server an HTTP Content-Type 'boundary'
parameter of excessive length.
Successful exploitation of this issue would allow an attacker to overwrite
the vulnerable functions instruction pointer. By causing the program to
return to attacker-supplied instructions, it may be possible to execute
arbitrary code with the privileges of the target process.
It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It
is not yet known whether earlier versions are also vulnerable.
9. AJ's Internet Cafe World-Writeable Files Vulnerability
BugTraq ID: 6560
Remote: No
Date Published: Jan 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6560
Summary:
AJ's Internet Cafe is a freely available internet cafe software package
for use with the Linux Thin Client Project software. A problem with AJ's
Internet Cafe may allow unauthorized write access to files.
It has been reported that AJ's Internet Cafe installs with insecure
permissions. By default, many files installed with the package are
world-writeable. This may allow users to modify the contents to gain free
time on the host, or perform other malicious activities.
10. Half-Life HLTV Remote Denial Of Service Vulnerability
BugTraq ID: 6579
Remote: Yes
Date Published: Jan 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6579
Summary:
Half-Life is commercially available game which may be played over a
network. HLTV is the Half-Life TV component of the Half-Life Dedicated
Server (hlds). It is available for the Linux operating system.
A problem with HLTV could make it possible for a remote user to deny
service to legitimate users.
It has been reported that under some circumstances, a remote user may
cause the service to crash. By sending a specially crafted packet to the
host, the service becomes unstable. The service must be manually
restarted to resume normal operation.
The problem is in the handling of specific types of requests from clients.
When an HLTV server receives a request of the string '\xff\xff\xff\xff\0'
the server crashes. It is not know what impact this has on the operation
of the game server.
Versions other than hlds 3.1.1.0 may also be affected.
11. Active PHP Bookmarks Multiple File Include Vulnerabilities
BugTraq ID: 6545
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6545
Summary:
Active PHP Bookmarks (APB) is a web-based application for managing a
collection of bookmarks. APB is available for Unix and Linux variants as
well as Microsoft Windows operating systems.
APB is prone to multiple issues which may allow a remote attacker to cause
a malicious external file to be included and interpreted.
Attackers may influence include paths for a number of APB scripts. By
specifying a path to a resource (such as a malicious PHP script) on a
remote attacker-controlled server, it is possible to cause arbitrary
commands to be executed with the privileges of the webserver process.
This issue is known to exist in the following scripts:
head.php
apb_common.php
apb_view_class.php
12. Mambo Site Server Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 6571
Remote: Yes
Date Published: Jan 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6571
Summary:
Mambo Site Server is a freely available, open source web content
management tool. It is written in PHP, and available for Unix, Linux, and
Microsoft Windows operating systems.
Mambo Site Server does not adequately filter HTML code thus making it
prone to cross-site scripting attacks. It is possible for a remote
attacker to create a malicious link containing script code which will be
executed in the browser of a legitimate user. All code will be executed
within the context of the website running Mambo Site Server.
The following files were reported to be prone to cross site scripting attacks:
administrator/popups/sectionswindow.php
administrator/gallery/gallery.php
administrator/gallery/navigation.php
administrator/gallery/uploadimage.php
administrator/gallery/view.php
administrator/upload.php
themes/mambosimple.php
upload.php
emailfriend/emailarticle.php
emailfriend/emailfaq.php
emailfriend/emailnews.php
This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software. The attacker may hijack the session of the legitimate by using
cookie-based authentication credentials.
This vulnerability was reported for Mambo Site Server 4.0.12 BETA and
earlier.
13. Mambo Site Server Arbitrary File Upload Vulnerability
BugTraq ID: 6572
Remote: Yes
Date Published: Jan 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6572
Summary:
Mambo Site Server is a freely available, open source web content
management tool. It is written in PHP, and available for Unix, Linux, and
Microsoft Windows operating systems.
A problem with Mambo Site Server may make it possible for remote attackers
to upload files to a vulnerable system.
Due to inadequate security checks performed by some PHP scripts, an attacker is able to upload arbitrary files to the system. The following scripts have been reported to be vulnerable to this issue:
administrator/gallery/uploadimage.php
administrator/upload.php
upload.php
Specifically, the scripts only check to see whether certain image
extensions, such as '.jpg' and '.gif', exist in the filename. As such any
file that includes the allowed extensions may be uploaded. Any uploaded
files will be stored in the 'images/stories' directory on the system.
Given the ability to upload arbitrary files to the host, an attacker can
exploit this vulnerability to upload malicious applications to the
vulnerable system or use the system for the storage of files.
This vulnerability was reported for Mambo Site Server 4.0.12 BETA and
earlier.
14. Multiple Vendor Network Device Driver Frame Padding Information Disclosure Vulnerability
BugTraq ID: 6535
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6535
Summary:
Network device drivers for several vendors have been reported to disclose
potentially sensitive information to attackers.
Frames that are smaller than the minimum frame size should have the unused
portion of the frame buffer padded with null (or other) bytes. Some
device drivers do not do this adequately, leaving the data that was stored
in the memory comprising the buffer prior to its use intact.
Consequently, this data may be transmitted within frames across ethernet
segments. As the ethernet frame buffer is allocated in kernel memory
space, sensitive data may be leaked.
An attacker can exploit this vulnerability by sending a simple ICMP packet
to a vulnerable machine. A response to such a query will involve a packet
that has been padded to a sufficient length. It may be that the
information that is padded is of a sensitive nature. An attacker may use
the information obtained in this manner to launch other attacks against a
vulnerable system.
This vulnerability has been reported to affect the atp.c, axnet_cs.c,
xirc2ps_cs.c and the rtl8139.c network device drivers for Linux variant
systems. Older NetApp systems using the 'Gigabit Ethernet Controller I'
are vulnerable to this issue.
Cisco has stated that the IOS 12.1 and 12.2 trains are not affected.
15. H-Sphere Webshell Command.C Mode URI Parameter Command Execution Vulnerability
BugTraq ID: 6537
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6537
Summary:
H-Sphere is a multiserver web hosting application. H-Sphere ships with
WebShell, a component designed to be a file manager for uploading
downloading files via FTP. H-Sphere is available for the Windows, Linux,
and Unix operating systems.
The H-Sphere Webshell component is prone to a remote command execution
vulnerability.
This issue exists in the 'command.C' source file and is due to
insufficient validation of input supplied via the 'mode' URI parameter.
It is possible for a remote attacker to supply shell commands via this URI
parameter, which will be executed with the privileges of Webshell.
Exploitation of this vulnerability will allow the attacker to gain
interactive and possibly privileged access to the underlying host.
It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It
is not yet known whether earlier versions are also vulnerable.
H-Sphere is a multiserver web hosting application. H-Sphere ships with
WebShell, a component designed to be a file manager for uploading
downloading files via FTP. H-Sphere is available for the Windows, Linux,
and Unix operating systems.
A vulnerability has been discovered in H-Sphere Webshell. The problem
occurs due to insufficient bounds checking on user-supplied values.
The vulnerability occurs in the diskusage.cc file and can be triggered by
passing the target server an value of excessive length, of greater than
1024 characters, for the 'path' variable.
Successful exploitation of this issue may allow an attacker to overwrite
the vulnerable functions instruction pointer. By causing the program to
return to attacker-supplied instructions, it may be possible to execute
arbitrary code with the privileges of the target process.
It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It
is not yet known whether earlier versions are also vulnerable.
17. myPHPNuke Default_Theme Cross Site Scripting Vulnerability
BugTraq ID: 6544
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6544
Summary:
myPHPNuke is a Web Portal System based on PHP-Nuke 4.4.1a. It is available
for the Linux and Microsoft Windows operating systems.
Reportedly, myPHPNuke does not adequately filter HTML code thus making it
prone to cross-site scripting attacks. It is possible for a remote
attacker to create a malicious link containing script code which will be
executed in the browser of a legitimate user. All code will be executed
within the context of the website running myPHPNuke.
The vulnerability exists in the chatheader.php and partner.php script
files included with myPHPNuke. Specifically, malicious HTML code is not
properly sanitized from the value for the 'Default_Theme' URI parameter.
This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software. The attacker may hijack the session of the legitimate by using
cookie-based authentication credentials.
This vulnerability was reported for myPHPNuke 1.8.8_final_7 and earlier.
18. Macromedia ColdFusion MX CFInclude And CFModule Tag Sandbox Escaping Vulnerability
BugTraq ID: 6566
Remote: Yes
Date Published: Jan 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6566
Summary:
ColdFusion MX Enterprise Edition is the application server developing and
hosting infrastructure distributed by Macromedia. It is available as a
standalone product for Unix, Linux, and Microsoft Operating Systems.
A problem with ColdFusion MX Enterprise Edition may allow users to access
restricted files.
A vulnerability in the use of the cfinclude and cfmodule Tags exists in
ColdFusion MX. In environments that are sandboxed, it may be possible for
a script to access files outside of the sandboxed directory. This could
lead to unauthorized access to files on the host.
The problem is in the handling of relative paths. Due to insufficient
checking of input in custom tags, it is possible to upload a file using
custom tags and containing relative paths that will access files outside
of a sandboxed directory. This could allow an attacker to access
unauthorized and potentially sensitive information.
It should be noted that this vulnerability will only reveal the contents
of files to which the ColdFusion server has read access to.
S8Forum is web forum software. It employs a local flat-file database for
storing user information. It is available for Unix and Linux variants as
well as Microsoft Windows operating systems.
S8Forum is prone to a remote command execution vulnerability.
When a user registers with the forum, a file is created locally with the
specified username. The contents of this file will be the data entered by
the user. As a result, a malicious user could create a file with an
arbitrary name and PHP (.php) extension that contains valid PHP code.
The attacker may then cause this file to be executed by requesting it via
HTTP.
This may result in execution of arbitrary commands with the privileges of
the webserver process. An attacker may exploit this condition to gain
local, interactive access to the system hosting the vulnerable software.
20. FormMail Cross-Site Scripting Vulnerability
BugTraq ID: 6570
Remote: Yes
Date Published: Jan 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6570
Summary:
FormMail is a web-based e-mail gateway, which allows form-based input to
be emailed to a specified user. It is written in Perl and will run on most
Linux and Unix variants, in addition to Microsoft Windows operating
systems.
FormMail is allegedly prone to cross-site scripting attacks.
The FormMail script does not sufficiently sanitize HTML tags and script
code from query strings, which in turn are output into pages generated by
the software. As a result, a remote attacker may construct a malicious
link to the script which contains arbitrary script code. If this link is
visited by a web user, the attacker-supplied script code may be
interpreted by their browser in the context of the site hosting the
software.
This may allow an attacker to steal cookie-based authentication
credentials or manipulate web content. Other attacks are also possible.
This issue was reported in FormMail 1.92. Other versions may also be
affected.
Middleman is an HTTP/1.1 proxy server. It is available for the Linux and
Unix operating systems.
A vulnerability has been discovered in Middleman. The problem occurs when
the net_dns() function calls s_strncpy() during a DNS lookup of the
request server hostname. The s_strncpy() function is a wrapper for
strncpy(), designed to NULL terminate all copied strings. When the
s_strncpy() function is called on the requested host name of 128 bytes, a
NULL byte may be written to the least significant byte (LSB) of the
functions frame pointer (EBP). This issue occurs due to an incorrect
length parameter passed to s_strncpy().
Overwriting the least significant bit of EBP with a NULL byte may allow an
attacker to point the variable into user-supplied data. As EBP is copied
to the frames stack pointer (ESP), an attacker may trick the program into
referencing a malicious address as an instruction pointer. This will allow
an attacker to execute arbitrary commands with the privileges of the
vulnerable server, possibly root.
It should be noted that this issue may not occur on all systems. The
existance of this vulnerability may be highly dependant on compiler
optimization.
22. Bea Systems WebLogic ResourceAllocationException System Password Disclosure Vulnerability
BugTraq ID: 6586
Remote: Yes
Date Published: Jan 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6586
Summary:
BEA Systems WebLogic Server is an enterprise level web and wireless
application server for Microsoft Windows and most Unix and Linux
distributions.
A vulnerability in BEA Systems WebLogic Server may, under some
circumstances, result in the disclosure of system passwords if exceptions
are output.
BEA Systems has reported that WebLogic Server will throw an exception when
an application attempts to route a JMS message across a bridge and an
error occurs. This exception will include the supplied system password,
in plaintext.
Applications that output exceptions may inadvertently disclose password
values. This may ultimately result in a remote party gaining access to
affected systems.
DCP-Portal is a freely available content management system implemented in
PHP. It is available for a variety of platforms including Microsoft
Windows and Linux variants.
DCP-Portal does not sufficiently sanitize user-supplied input for URI
parameters.
An attacker can exploit this vulnerability by supplying values for the
'dcp5_member_admin' or 'dcp5_member_id' parameters with the appropriate
values. This will allow an attacker to obtain access to user accounts on
the vulnerable site hosting DCP-Portal.
This vulnerability was reported for DCP-Portal 5.0.1. It is not known
whether earlier versions are affected.
H-Sphere is a multiserver web hosting application. H-Sphere ships with
WebShell, a component designed to be a file manager for uploading
downloading files via FTP. H-Sphere is available for the Windows, Linux,
and Unix operating systems.
A remotely exploitable vulnerability has been discovered in H-Sphere. The
problem occurs in the flist() function used by the WebShell component. By
making a request for a directory name of excessive length, it may be
possible to overrun a buffer.
By exploiting this issue to overwrite sensitive locations in memory a
remote attacker would be able to control the program and possibly execute
arbitrary instructions.
25. H-Sphere Webshell Command2.CC Zipfile URI Parameter Command Execution Vulnerability
BugTraq ID: 6539
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6539
Summary:
H-Sphere is a multiserver web hosting application. H-Sphere ships with
WebShell, a component designed to be a file manager for uploading
downloading files via FTP. H-Sphere is available for the Windows, Linux,
and Unix operating systems.
The H-Sphere Webshell component is prone to a remote command execution
vulnerability.
This issue exists in the 'command2.CC' source file and is due to
insufficient validation of input supplied via the 'zipfile' URI parameter.
It is possible for a remote attacker to supply shell commands via this URI
parameter, which will be executed with the privileges of Webshell.
Exploitation of this vulnerability will allow the attacker to gain
interactive and possibly privileged access to the underlying host.
It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It
is not yet known whether earlier versions are also vulnerable.
26. GeneWeb File Disclosure Vulnerability
BugTraq ID: 6549
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6549
Summary:
GeneWeb is Web based genealogy software. It is available for a variety of
platforms including Linux variant operating systems.
A file disclosure vulnerability has been reported for GeneWeb. Reportedly,
GeneWeb does not adequately sanitize some input.
An attacker can exploit this vulnerability to craft a specially formed URL
that can cause geneweb to disclose the contents of arbitrary files on the
vulnerable system.
Although unconfirmed, it is likely that an attacker can construct a URL
consisting of dot-dot-slash (../) character sequences to obtain access to
files outside of the document root. It should be noted that only files
accessible by the geneweb server will be disclosed to the attacker.
Exploitation of this vulnerability may lead to disclosure of sensitive
information that may be useful in mounting further attacks on the host
system.
This vulnerability affects GeneWeb versions 4.0.8 and earlier.
27. cgihtml Signed Integer Content-Length Memory Corruption Vulnerability
BugTraq ID: 6551
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6551
Summary:
cgihtml is a series of CGI and HTML routines, implemented in C. It can be
run on a number of platforms, including Unix and Linux variants and
Microsoft Windows.
A vulnerability has been discovered in cgihtml which may result in memory
corruption. The problem occurs when reading a user-supplied Content-Length
value for POST data.
An attacker is able to create a situation where memory may be overwritten
by passing a negative length as the Content-Length value in a POST
request. By passing excessive POST data it is possible for the attacker to
overrun the allocated buffer, effectively overwriting heap memory. This
may cause the affected program to crash.
Although not yet confirmed, it may be possible to exploit this
vulnerability to execute arbitrary code. Placing a malicious malloc header
in heap memory may potentially allow an attacker to overwrite a GOT
address to point to shellcode.
28. TANne Session Manager SysLog Format String Vulnerability
BugTraq ID: 6553
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6553
Summary:
TANne is a freely available, open source session management package. It
is available for Unix and Linux operating systems.
A problem with TANne may make it possible to execute arbitrary code.
Due to programming error, it may be possible to exploit a format string
vulnerability. A logging function in the TANne program contains insecure
syslog() calls. This could result in the execution of attacker-supplied
code.
The problem is the in two syslog() calls in the netzio.c source file.
When the program is invoked using the vulnerable function, it may be
possible to exploit a format string vulnerability through the generation
of a malicious log event which contains attacker-supplied format strings.
In the event that this vulnerability is exploited, an attacker could cause
arbitrary locations in memory to be corrupted with attacker-specified data
and execute code with the privileges of the TANne user.
29. cgihtml Denial Of Service Vulnerability
BugTraq ID: 6555
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6555
Summary:
cgihtml is a series of CGI and HTML routines, implemented in C. It can be
run on a number of platforms, including Unix and Linux variants and
Microsoft Windows.
A vulnerability has been discovered in cgihtml when processing Multipart
HTTP headers. It has been reported that, when processing a multipart
header, cgihtml fails to sufficiently verify the sanity of the header
structure. This may result in an affected application reading invalid
values supplied 38 bytes within a malicious header.
If this situation were to occur it may be possible for the attacker to
cause the application to crash. Although it has not yet been confirmed, it
is speculated that cgihtml contains other vulnerabilities similar to this
issue.
III. LINUX FOCUS LIST SUMMARY
---------------------------------
1. NO NEW POSTS FOR THE WEEK ENDING 01.10.03
IV. NEW PRODUCTS FOR LINUX PLATFORM
-----------------------------------
1. FireWall Suite
by Cybernet Systems
Platforms: FreeBSD, Linux, MacOS, Windows NT
http://www.netmax.com/products/secure_prods.html
Summary:
The NetMAX FireWall, FireWall Suite, and FireWall ProSuite simplify Linux
servers by installing a ready-to-configure firewall and router, along with
the Linux operating system.
2. NetVigil
by Fidelia
Platforms: Linux, Solaris, Windows NT
http://www.fidelia.com/products/index.phtml
Summary:
Fidelia NetVigil is a real-time integrated fault and performance
management tool that provides end-to-end business visibility of your
company's IT infrastructure. Fidelia NetVigil's unique architecture will
scale with your organization and allow you to view and correlate data
across your servers, applications and network devices. Fidelia NetVigil's
instant configuration capabilities and multi-level views combine to
expedite isolation and repair of IT problems, minimize downtime and reduce
the cost of labor and implementation. This translates into savings for
your bottom line.
3. P-Synch Total Password Management Solution
by M-TECH
Platforms: AIX, DG-UX, HP-UX, IRIX, Linux, MVS, Netware, Solaris, SunOS,
VMS, Windows NT
http://www.p-synch.com/
Summary:
P-Synch is a total password management solution. It is intended to reduce
the cost of ownership of password systems, and simultaneously improve the
security of password protected systems. This is done through: -Password
Synchronization. -Enforcing an enterprise wide password strength policy.
-Allowing authenticated users to reset their own forgotten passwords and
enable their locked out accounts. -Streamlining help desk call resolution
for password resets. P-Synch is available for both internal use, on the
corporate Intranet, as well as for the Internet deployment in B2B and B2C
applications.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. RSA implementation in Octave v0.01
by xilun
Relevant URL:
http://xilun666.free.fr/rsa.m
Platforms: Os Independent
Summary:
RSA implementation in Octave is a short, dirty, and very slow
implementation of the cryptographic primitives of the RSA public key
algorithm, using GNU Octave. It includes functions to work on big numbers,
modular exponentiation, modular inversion, probabilistic prime numbers
generators, key pair generators, and functions to encrypt and decrypt
files using a rather insecure scheme.
2. e2undel v0.81
by Oliver Diedrich e2undel (at) users.sourceforge (dot) net [email concealed]
Relevant URL:
http://e2undel.sourceforge.net
Platforms: Linux, POSIX
Summary:
e2undel is an interactive console tool that recovers the data of deleted
files on an ext2 file system under Linux. A library that allows you to
recover deleted files by name is included. e2undel does not manipulate any
internal ext2 structures, and it does not require any additional tools. It
should be useable without knowledge of the ext2 interna.
3. RSA encrypting tool v0.11
by Tomasz Pyra
Relevant URL:
http://sedez.iq.pl/~hellfire/rsa/
Platforms: Linux, POSIX
Summary:
This is a simple RSA algorithm implementation.
VI. SPONSOR INFORMATION
-----------------------
This issue is sponsored by: Qualys
Strengthening Network Security: FREE Guide Network security is a
constantly moving target - even proven solutions lose their punch over
time. Find out how to get COMPLETE PROTECTION against ever-growing
security threats with our FREE new Guide.
Get your copy today at: https://www.qualys.com/forms/nsguideh_376.php
------------------------------------------------------------------------
-------
SecurityFocus Linux Newsletter #114
-----------------------------------
This issue is sponsored by: Qualys
Strengthening Network Security: FREE Guide Network security is a
constantly moving target - even proven solutions lose their punch over
time. Find out how to get COMPLETE PROTECTION against ever-growing
security threats with our FREE new Guide.
Get your copy today at: https://www.qualys.com/forms/nsguideh_376.php
------------------------------------------------------------------------
-------
I. FRONT AND CENTER
1. Instant Insecurity: Security Issues of Instant Messaging
2. Intelligence Gathering: Watching a Honeypot at Work
3. Closing the Floodgates: DDoS Mitigation Techniques
4. SecurityFocus DPP Program
5. InfoSec World Conference and Expo/2003 (March 10-12, 2003,Orlando,FL)
II. LINUX VULNERABILITY SUMMARY
1. DCP-Portal Remote File Include Vulnerability
2. CGIHTML Form Data File Corruption Vulnerability
3. Horde IMP Database Files SQL Injection Vulnerabilities
4. HTTP Fetcher Library Multiple Buffer Overflow Vulnerabilities
5. myPHPNuke Information Disclosure Vulnerability
6. CommuniGate Pro Webmail File Disclosure Vulnerability
7. CGIHTML Insecure Form-Data Temporary File Vulnerability
8. H-Sphere Webshell Remote Buffer Overrun Vulnerability
9. AJ's Internet Cafe World-Writeable Files Vulnerability
10. Half-Life HLTV Remote Denial Of Service Vulnerability
11. Active PHP Bookmarks Multiple File Include Vulnerabilities
12. Mambo Site Server Multiple Cross Site Scripting Vulnerabilities
13. Mambo Site Server Arbitrary File Upload Vulnerability
14. Multiple Vendor Network Device Driver Frame Padding...
15. H-Sphere Webshell Command.C Mode URI Parameter Command...
16. H-Sphere Webshell diskusage.cc Buffer Overflow Vulnerability
17. myPHPNuke Default_Theme Cross Site Scripting Vulnerability
18. Macromedia ColdFusion MX CFInclude And CFModule Tag Sandbox...
19. S8Forum Remote Command Execution Vulnerability
20. FormMail Cross-Site Scripting Vulnerability
21. Middleman net_dns() Frame Pointer Overwrite Vulnerability
22. Bea Systems WebLogic ResourceAllocationException System...
23. DCP-Portal Unauthorized Account Access Vulnerability
24. H-Sphere Webshell flist() Buffer Overflow Vulnerability
25. H-Sphere Webshell Command2.CC Zipfile URI Parameter Command...
26. GeneWeb File Disclosure Vulnerability
27. cgihtml Signed Integer Content-Length Memory Corruption...
28. TANne Session Manager SysLog Format String Vulnerability
29. cgihtml Denial Of Service Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. NO NEW POSTS FOR THE WEEK ENDING 01.10.03
IV. NEW PRODUCTS FOR LINUX PLATFORM
1. FireWall Suite
2. NetVigil
3. P-Synch Total Password Management Solution
V. NEW TOOLS FOR LINUX PLATFORMS
1. RSA implementation in Octave v0.01
2. e2undel v0.81
3. RSA encrypting tool v0.11
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Instant Insecurity: Security Issues of Instant Messaging
By Neal Hindocha
Instant messaging services are becoming an increasingly popular form of
communication, both in the personal and the professional spheres. This
paper will describe instant messaging and offer a brief overview of some
of the security threats associated with the service.
http://online.securityfocus.com/infocus/1657
2. Intelligence Gathering: Watching a Honeypot at Work
By Toby Miller
The purpose of this article is share with the security community the data
the author collected from his honeypot. This discussion will include the
attacker's recon, the attack, the attempted cover-up, and the reason for
the attack on the honeypot.
http://online.securityfocus.com/infocus/1656
3. Closing the Floodgates: DDoS Mitigation Techniques
by Matthew Tanase
To be on the receiving end of a distributed denial of service (DDoS)
attack is a nightmare scenario for any network administrator, security
specialist or access provider. It begins instantly, without warning, and
continues relentlessly: machines down, jammed bandwidth, overloaded
routers. An effective, immediate response is often difficult and may
depend on third parties, such as ISPs. With these challenges in mind, this
article will explore some techniques that systems administrators and
security professionals can employ should they ever find themselves in this
rather undesirable situation.
http://online.securityfocus.com/infocus/1655
4. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11
Solutions to today?s security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!
Go to: http://www.misti.com/10/os03nl37inf.html
II. BUGTRAQ SUMMARY
-------------------
1. DCP-Portal Remote File Include Vulnerability
BugTraq ID: 6525
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6525
Summary:
DCP-Portal is a freely available content management system implemented in
PHP. It is available for a variety of platforms including Microsoft
Windows and Linux variants.
DCP-Portal is prone to an issue which may allow remote attackers to
include arbitrary files located on remote servers. This issue is present
in the 'library/editor/editor.php' and 'library/lib.php' scripts included
with DCP-Portal.
An attacker may exploit this by supplying a path to a maliciously created
file, located on an attacker-controlled host as a value for the '$root'
parameter.
If the remote file is a PHP script, this may allow for execution of
attacker-supplied PHP code with the privileges of the webserver.
Successful exploitation may provide local access to the attacker.
This vulnerability was reported for DCP-Portal 5.0.1. It is not known
whether earlier versions are affected.
2. CGIHTML Form Data File Corruption Vulnerability
BugTraq ID: 6550
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6550
Summary:
cgihtml is a series of CGI and HTML routines, implemented in C. It can be
run on a number of platforms, including Unix and Linux variants and
Microsoft Windows.
When handling uploaded form-data, cgihtml creates a temporary file to
store this data in /tmp or another user-specified directory. The software
uses the client supplied filename when creating the temporary file. If
the attacker supplies a malicious filename, such as one pre-pended with
dot-dot-slash (../) directory traversal sequences, it may be possible to
corrupt files outside of the specified temporary directory.
The cause of this issue trust in user-supplied input. The routines use a
client-supplied filenames when creating temporary file. The routines then
do not sufficiently validate that the filename does not contain directory
traversal sequences or has a name that may conflict with existing system
files.
For this attack to be successful, the targetted files must be writeable by
a server process that utilizes the vulnerable cgihtml routines.
3. Horde IMP Database Files SQL Injection Vulnerabilities
BugTraq ID: 6559
Remote: Yes
Date Published: Jan 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6559
Summary:
IMP is a web-based mail interface/client developed by members of the Horde
project. It is implemented in PHP and runs on a number of operating
systems, including Unix and Linux variants and Microsoft Windows operating
systems.
It has been reported that IMP is prone to multiple SQL injection
vulnerabilities.
IMP, in some cases, does not sufficiently sanitize user-supplied input
which is used when constructing SQL queries to execute on the underlying
database. As a result, it is possible to manipulate SQL queries. This
may allow a remote attacker to modify query logic or potentially corrupt
the database. Consequences will vary depending on the queries used and
the capabilities of the underlying database implementation.
These issues occur throughout the database command files for different
database implementations, for example 'lib/db.pgsql'. These files contain
syntax for constructing queries with using database implementations.
SQL injection attacks may also potentially be used to exploit latent
vulnerabilities in the underlying database implementation.
4. HTTP Fetcher Library Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 6531
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6531
Summary:
HTTP Fetcher is a small library used for downloading files via HTTP using
the GET method. It is available for various platforms including the Linux
and Unix operating systems.
Multiple buffer overflows have been discovered in HTTP Fetcher. The
vulnerabilities occur in the http_fetch() function which is used to gather
various HTTP header information. These buffer overflow occurs due to
insufficient bounds checking of user-supplied parameters.
It is possible to trigger these conditions by supplying excessive data as
the 'host', 'referer', or 'userAgent' parameters. By exploiting one of
these issues to overrun 'requestBuf', it may be possible for a remote
attacker to overwrite sensitive memory.
Successful exploitation of one of these vulnerabilities may allow an
attacker to seize control of an application linked to the library. By
overwriting the function's instruction pointer it may be possible to
execute arbitrary commands.
The exploitability of this issue may be an issue only if the client
application were accessible remotely through a proxy server. For instance,
a server which allowed a client to make GET requests from other servers.
5. myPHPNuke Information Disclosure Vulnerability
BugTraq ID: 6541
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6541
Summary:
myPHPNuke is a Web Portal System based on PHP-Nuke 4.4.1a. It is available
for the Linux and Microsoft Windows operatining system.
An information disclosure vulnerability has been reported for myPHPNuke.
The vulnerability exists due to insufficient checks performed in the
system_footer.php script file. Specifically, the system_footer.php script,
found in the 'admin/' subdirectory, calls the phpinfo() function without
checking who the user is.
An attacker can exploit this vulnerability by making a request for the
system_footer.php script. The system will respond by disclosing
information to a remote attacker.
Information obtained in this manner may be used by an attacker to launch
attacks against a vulnerable system.
6. CommuniGate Pro Webmail File Disclosure Vulnerability
BugTraq ID: 6542
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6542
Summary:
CommuniGate Pro is an internet messaging server. CommuniGate Pro includes
a webmail service to allow access to mailboxes via HTTP. It is available
for a number of platforms including Unix and Linux variants and Microsoft
Windows operating systems.
A file disclosure vulnerability has been reported in the CommuniGate Pro
webmail component.
A specially crafted web request containing dot-dot-slash (../) directory
traversal sequences may break out of the document root and disclose
arbitrary web server readable files that exist on the underlying host.
Exploitation of this vulnerability may lead to disclosure of sensitive
information that may be useful in mounting further attacks on the host
system. The impact of this vulnerability is compounded by the fact that
CommuniGate Pro runs as root by default, though may be configured to drop
privileges. This issue was reported for CommuniGate Pro on FreeBSD. It
is likely that the software is affected on other platforms as well.
7. CGIHTML Insecure Form-Data Temporary File Vulnerability
BugTraq ID: 6552
Remote: No
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6552
Summary:
cgihtml is a series of CGI and HTML routines, implemented in C. It can be
run on a number of platforms, including Unix and Linux variants and
Microsoft Windows.
When handling uploaded form-data, cgihtml creates a temporary file to
store this data in /tmp or another user-specified directory. A client
supplied filename is used when the temporary file is created. This
presents a security vulnerability since the name of the temporary file can
be anticipated by the attacker.
A local attacker may take advantage of this condition to create a symbolic
link in place of the temporary file, which points to another file on the
system which is writeable by a server process which utilizes the
vulnerable routines. The vulnerable routines will follow any symbolic
links provided in place of a temporary file. The attacker may then submit
a malicious form-data upload, using the attacker-supplied filename, and
cause local files to be corrupted.
If custom data can be written to files, it is possible to gain elevated
privileges.
8. H-Sphere Webshell Remote Buffer Overrun Vulnerability
BugTraq ID: 6527
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6527
Summary:
H-Sphere is a multiserver web hosting application. H-Sphere ships with
WebShell, a component designed to be a file manager for uploading
downloading files via FTP. H-Sphere is available for the Windows, Linux,
and Unix operating systems.
A vulnerability has been discovered in H-Sphere Webshell. The problem
occurs during the pre-authentication phase. Due to insufficient bounds
checking on user-supplied HTTP parameters, it is possible for a remote
attacker to cause a buffer to be overrun
The vulnerability occurs in the CGI::readFile() function and can be
triggered by passing the target server an HTTP Content-Type 'boundary'
parameter of excessive length.
Successful exploitation of this issue would allow an attacker to overwrite
the vulnerable functions instruction pointer. By causing the program to
return to attacker-supplied instructions, it may be possible to execute
arbitrary code with the privileges of the target process.
It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It
is not yet known whether earlier versions are also vulnerable.
9. AJ's Internet Cafe World-Writeable Files Vulnerability
BugTraq ID: 6560
Remote: No
Date Published: Jan 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6560
Summary:
AJ's Internet Cafe is a freely available internet cafe software package
for use with the Linux Thin Client Project software. A problem with AJ's
Internet Cafe may allow unauthorized write access to files.
It has been reported that AJ's Internet Cafe installs with insecure
permissions. By default, many files installed with the package are
world-writeable. This may allow users to modify the contents to gain free
time on the host, or perform other malicious activities.
10. Half-Life HLTV Remote Denial Of Service Vulnerability
BugTraq ID: 6579
Remote: Yes
Date Published: Jan 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6579
Summary:
Half-Life is commercially available game which may be played over a
network. HLTV is the Half-Life TV component of the Half-Life Dedicated
Server (hlds). It is available for the Linux operating system.
A problem with HLTV could make it possible for a remote user to deny
service to legitimate users.
It has been reported that under some circumstances, a remote user may
cause the service to crash. By sending a specially crafted packet to the
host, the service becomes unstable. The service must be manually
restarted to resume normal operation.
The problem is in the handling of specific types of requests from clients.
When an HLTV server receives a request of the string '\xff\xff\xff\xff\0'
the server crashes. It is not know what impact this has on the operation
of the game server.
Versions other than hlds 3.1.1.0 may also be affected.
11. Active PHP Bookmarks Multiple File Include Vulnerabilities
BugTraq ID: 6545
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6545
Summary:
Active PHP Bookmarks (APB) is a web-based application for managing a
collection of bookmarks. APB is available for Unix and Linux variants as
well as Microsoft Windows operating systems.
APB is prone to multiple issues which may allow a remote attacker to cause
a malicious external file to be included and interpreted.
Attackers may influence include paths for a number of APB scripts. By
specifying a path to a resource (such as a malicious PHP script) on a
remote attacker-controlled server, it is possible to cause arbitrary
commands to be executed with the privileges of the webserver process.
This issue is known to exist in the following scripts:
head.php
apb_common.php
apb_view_class.php
12. Mambo Site Server Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 6571
Remote: Yes
Date Published: Jan 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6571
Summary:
Mambo Site Server is a freely available, open source web content
management tool. It is written in PHP, and available for Unix, Linux, and
Microsoft Windows operating systems.
Mambo Site Server does not adequately filter HTML code thus making it
prone to cross-site scripting attacks. It is possible for a remote
attacker to create a malicious link containing script code which will be
executed in the browser of a legitimate user. All code will be executed
within the context of the website running Mambo Site Server.
The following files were reported to be prone to cross site scripting attacks:
administrator/popups/sectionswindow.php
administrator/gallery/gallery.php
administrator/gallery/navigation.php
administrator/gallery/uploadimage.php
administrator/gallery/view.php
administrator/upload.php
themes/mambosimple.php
upload.php
emailfriend/emailarticle.php
emailfriend/emailfaq.php
emailfriend/emailnews.php
This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software. The attacker may hijack the session of the legitimate by using
cookie-based authentication credentials.
This vulnerability was reported for Mambo Site Server 4.0.12 BETA and
earlier.
13. Mambo Site Server Arbitrary File Upload Vulnerability
BugTraq ID: 6572
Remote: Yes
Date Published: Jan 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6572
Summary:
Mambo Site Server is a freely available, open source web content
management tool. It is written in PHP, and available for Unix, Linux, and
Microsoft Windows operating systems.
A problem with Mambo Site Server may make it possible for remote attackers
to upload files to a vulnerable system.
Due to inadequate security checks performed by some PHP scripts, an attacker is able to upload arbitrary files to the system. The following scripts have been reported to be vulnerable to this issue:
administrator/gallery/uploadimage.php
administrator/upload.php
upload.php
Specifically, the scripts only check to see whether certain image
extensions, such as '.jpg' and '.gif', exist in the filename. As such any
file that includes the allowed extensions may be uploaded. Any uploaded
files will be stored in the 'images/stories' directory on the system.
Given the ability to upload arbitrary files to the host, an attacker can
exploit this vulnerability to upload malicious applications to the
vulnerable system or use the system for the storage of files.
This vulnerability was reported for Mambo Site Server 4.0.12 BETA and
earlier.
14. Multiple Vendor Network Device Driver Frame Padding Information Disclosure Vulnerability
BugTraq ID: 6535
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6535
Summary:
Network device drivers for several vendors have been reported to disclose
potentially sensitive information to attackers.
Frames that are smaller than the minimum frame size should have the unused
portion of the frame buffer padded with null (or other) bytes. Some
device drivers do not do this adequately, leaving the data that was stored
in the memory comprising the buffer prior to its use intact.
Consequently, this data may be transmitted within frames across ethernet
segments. As the ethernet frame buffer is allocated in kernel memory
space, sensitive data may be leaked.
An attacker can exploit this vulnerability by sending a simple ICMP packet
to a vulnerable machine. A response to such a query will involve a packet
that has been padded to a sufficient length. It may be that the
information that is padded is of a sensitive nature. An attacker may use
the information obtained in this manner to launch other attacks against a
vulnerable system.
This vulnerability has been reported to affect the atp.c, axnet_cs.c,
xirc2ps_cs.c and the rtl8139.c network device drivers for Linux variant
systems. Older NetApp systems using the 'Gigabit Ethernet Controller I'
are vulnerable to this issue.
Cisco has stated that the IOS 12.1 and 12.2 trains are not affected.
15. H-Sphere Webshell Command.C Mode URI Parameter Command Execution Vulnerability
BugTraq ID: 6537
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6537
Summary:
H-Sphere is a multiserver web hosting application. H-Sphere ships with
WebShell, a component designed to be a file manager for uploading
downloading files via FTP. H-Sphere is available for the Windows, Linux,
and Unix operating systems.
The H-Sphere Webshell component is prone to a remote command execution
vulnerability.
This issue exists in the 'command.C' source file and is due to
insufficient validation of input supplied via the 'mode' URI parameter.
It is possible for a remote attacker to supply shell commands via this URI
parameter, which will be executed with the privileges of Webshell.
Exploitation of this vulnerability will allow the attacker to gain
interactive and possibly privileged access to the underlying host.
It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It
is not yet known whether earlier versions are also vulnerable.
16. H-Sphere Webshell diskusage.cc Buffer Overflow Vulnerability
BugTraq ID: 6540
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6540
Summary:
H-Sphere is a multiserver web hosting application. H-Sphere ships with
WebShell, a component designed to be a file manager for uploading
downloading files via FTP. H-Sphere is available for the Windows, Linux,
and Unix operating systems.
A vulnerability has been discovered in H-Sphere Webshell. The problem
occurs due to insufficient bounds checking on user-supplied values.
The vulnerability occurs in the diskusage.cc file and can be triggered by
passing the target server an value of excessive length, of greater than
1024 characters, for the 'path' variable.
Successful exploitation of this issue may allow an attacker to overwrite
the vulnerable functions instruction pointer. By causing the program to
return to attacker-supplied instructions, it may be possible to execute
arbitrary code with the privileges of the target process.
It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It
is not yet known whether earlier versions are also vulnerable.
17. myPHPNuke Default_Theme Cross Site Scripting Vulnerability
BugTraq ID: 6544
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6544
Summary:
myPHPNuke is a Web Portal System based on PHP-Nuke 4.4.1a. It is available
for the Linux and Microsoft Windows operating systems.
Reportedly, myPHPNuke does not adequately filter HTML code thus making it
prone to cross-site scripting attacks. It is possible for a remote
attacker to create a malicious link containing script code which will be
executed in the browser of a legitimate user. All code will be executed
within the context of the website running myPHPNuke.
The vulnerability exists in the chatheader.php and partner.php script
files included with myPHPNuke. Specifically, malicious HTML code is not
properly sanitized from the value for the 'Default_Theme' URI parameter.
This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software. The attacker may hijack the session of the legitimate by using
cookie-based authentication credentials.
This vulnerability was reported for myPHPNuke 1.8.8_final_7 and earlier.
18. Macromedia ColdFusion MX CFInclude And CFModule Tag Sandbox Escaping Vulnerability
BugTraq ID: 6566
Remote: Yes
Date Published: Jan 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6566
Summary:
ColdFusion MX Enterprise Edition is the application server developing and
hosting infrastructure distributed by Macromedia. It is available as a
standalone product for Unix, Linux, and Microsoft Operating Systems.
A problem with ColdFusion MX Enterprise Edition may allow users to access
restricted files.
A vulnerability in the use of the cfinclude and cfmodule Tags exists in
ColdFusion MX. In environments that are sandboxed, it may be possible for
a script to access files outside of the sandboxed directory. This could
lead to unauthorized access to files on the host.
The problem is in the handling of relative paths. Due to insufficient
checking of input in custom tags, it is possible to upload a file using
custom tags and containing relative paths that will access files outside
of a sandboxed directory. This could allow an attacker to access
unauthorized and potentially sensitive information.
It should be noted that this vulnerability will only reveal the contents
of files to which the ColdFusion server has read access to.
19. S8Forum Remote Command Execution Vulnerability
BugTraq ID: 6547
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6547
Summary:
S8Forum is web forum software. It employs a local flat-file database for
storing user information. It is available for Unix and Linux variants as
well as Microsoft Windows operating systems.
S8Forum is prone to a remote command execution vulnerability.
When a user registers with the forum, a file is created locally with the
specified username. The contents of this file will be the data entered by
the user. As a result, a malicious user could create a file with an
arbitrary name and PHP (.php) extension that contains valid PHP code.
The attacker may then cause this file to be executed by requesting it via
HTTP.
This may result in execution of arbitrary commands with the privileges of
the webserver process. An attacker may exploit this condition to gain
local, interactive access to the system hosting the vulnerable software.
20. FormMail Cross-Site Scripting Vulnerability
BugTraq ID: 6570
Remote: Yes
Date Published: Jan 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6570
Summary:
FormMail is a web-based e-mail gateway, which allows form-based input to
be emailed to a specified user. It is written in Perl and will run on most
Linux and Unix variants, in addition to Microsoft Windows operating
systems.
FormMail is allegedly prone to cross-site scripting attacks.
The FormMail script does not sufficiently sanitize HTML tags and script
code from query strings, which in turn are output into pages generated by
the software. As a result, a remote attacker may construct a malicious
link to the script which contains arbitrary script code. If this link is
visited by a web user, the attacker-supplied script code may be
interpreted by their browser in the context of the site hosting the
software.
This may allow an attacker to steal cookie-based authentication
credentials or manipulate web content. Other attacks are also possible.
This issue was reported in FormMail 1.92. Other versions may also be
affected.
21. Middleman net_dns() Frame Pointer Overwrite Vulnerability
BugTraq ID: 6584
Remote: Yes
Date Published: Jan 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6584
Summary:
Middleman is an HTTP/1.1 proxy server. It is available for the Linux and
Unix operating systems.
A vulnerability has been discovered in Middleman. The problem occurs when
the net_dns() function calls s_strncpy() during a DNS lookup of the
request server hostname. The s_strncpy() function is a wrapper for
strncpy(), designed to NULL terminate all copied strings. When the
s_strncpy() function is called on the requested host name of 128 bytes, a
NULL byte may be written to the least significant byte (LSB) of the
functions frame pointer (EBP). This issue occurs due to an incorrect
length parameter passed to s_strncpy().
Overwriting the least significant bit of EBP with a NULL byte may allow an
attacker to point the variable into user-supplied data. As EBP is copied
to the frames stack pointer (ESP), an attacker may trick the program into
referencing a malicious address as an instruction pointer. This will allow
an attacker to execute arbitrary commands with the privileges of the
vulnerable server, possibly root.
It should be noted that this issue may not occur on all systems. The
existance of this vulnerability may be highly dependant on compiler
optimization.
22. Bea Systems WebLogic ResourceAllocationException System Password Disclosure Vulnerability
BugTraq ID: 6586
Remote: Yes
Date Published: Jan 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6586
Summary:
BEA Systems WebLogic Server is an enterprise level web and wireless
application server for Microsoft Windows and most Unix and Linux
distributions.
A vulnerability in BEA Systems WebLogic Server may, under some
circumstances, result in the disclosure of system passwords if exceptions
are output.
BEA Systems has reported that WebLogic Server will throw an exception when
an application attempts to route a JMS message across a bridge and an
error occurs. This exception will include the supplied system password,
in plaintext.
Applications that output exceptions may inadvertently disclose password
values. This may ultimately result in a remote party gaining access to
affected systems.
23. DCP-Portal Unauthorized Account Access Vulnerability
BugTraq ID: 6526
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6526
Summary:
DCP-Portal is a freely available content management system implemented in
PHP. It is available for a variety of platforms including Microsoft
Windows and Linux variants.
DCP-Portal does not sufficiently sanitize user-supplied input for URI
parameters.
An attacker can exploit this vulnerability by supplying values for the
'dcp5_member_admin' or 'dcp5_member_id' parameters with the appropriate
values. This will allow an attacker to obtain access to user accounts on
the vulnerable site hosting DCP-Portal.
This vulnerability was reported for DCP-Portal 5.0.1. It is not known
whether earlier versions are affected.
24. H-Sphere Webshell flist() Buffer Overflow Vulnerability
BugTraq ID: 6538
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6538
Summary:
H-Sphere is a multiserver web hosting application. H-Sphere ships with
WebShell, a component designed to be a file manager for uploading
downloading files via FTP. H-Sphere is available for the Windows, Linux,
and Unix operating systems.
A remotely exploitable vulnerability has been discovered in H-Sphere. The
problem occurs in the flist() function used by the WebShell component. By
making a request for a directory name of excessive length, it may be
possible to overrun a buffer.
By exploiting this issue to overwrite sensitive locations in memory a
remote attacker would be able to control the program and possibly execute
arbitrary instructions.
25. H-Sphere Webshell Command2.CC Zipfile URI Parameter Command Execution Vulnerability
BugTraq ID: 6539
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6539
Summary:
H-Sphere is a multiserver web hosting application. H-Sphere ships with
WebShell, a component designed to be a file manager for uploading
downloading files via FTP. H-Sphere is available for the Windows, Linux,
and Unix operating systems.
The H-Sphere Webshell component is prone to a remote command execution
vulnerability.
This issue exists in the 'command2.CC' source file and is due to
insufficient validation of input supplied via the 'zipfile' URI parameter.
It is possible for a remote attacker to supply shell commands via this URI
parameter, which will be executed with the privileges of Webshell.
Exploitation of this vulnerability will allow the attacker to gain
interactive and possibly privileged access to the underlying host.
It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It
is not yet known whether earlier versions are also vulnerable.
26. GeneWeb File Disclosure Vulnerability
BugTraq ID: 6549
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6549
Summary:
GeneWeb is Web based genealogy software. It is available for a variety of
platforms including Linux variant operating systems.
A file disclosure vulnerability has been reported for GeneWeb. Reportedly,
GeneWeb does not adequately sanitize some input.
An attacker can exploit this vulnerability to craft a specially formed URL
that can cause geneweb to disclose the contents of arbitrary files on the
vulnerable system.
Although unconfirmed, it is likely that an attacker can construct a URL
consisting of dot-dot-slash (../) character sequences to obtain access to
files outside of the document root. It should be noted that only files
accessible by the geneweb server will be disclosed to the attacker.
Exploitation of this vulnerability may lead to disclosure of sensitive
information that may be useful in mounting further attacks on the host
system.
This vulnerability affects GeneWeb versions 4.0.8 and earlier.
27. cgihtml Signed Integer Content-Length Memory Corruption Vulnerability
BugTraq ID: 6551
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6551
Summary:
cgihtml is a series of CGI and HTML routines, implemented in C. It can be
run on a number of platforms, including Unix and Linux variants and
Microsoft Windows.
A vulnerability has been discovered in cgihtml which may result in memory
corruption. The problem occurs when reading a user-supplied Content-Length
value for POST data.
An attacker is able to create a situation where memory may be overwritten
by passing a negative length as the Content-Length value in a POST
request. By passing excessive POST data it is possible for the attacker to
overrun the allocated buffer, effectively overwriting heap memory. This
may cause the affected program to crash.
Although not yet confirmed, it may be possible to exploit this
vulnerability to execute arbitrary code. Placing a malicious malloc header
in heap memory may potentially allow an attacker to overwrite a GOT
address to point to shellcode.
28. TANne Session Manager SysLog Format String Vulnerability
BugTraq ID: 6553
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6553
Summary:
TANne is a freely available, open source session management package. It
is available for Unix and Linux operating systems.
A problem with TANne may make it possible to execute arbitrary code.
Due to programming error, it may be possible to exploit a format string
vulnerability. A logging function in the TANne program contains insecure
syslog() calls. This could result in the execution of attacker-supplied
code.
The problem is the in two syslog() calls in the netzio.c source file.
When the program is invoked using the vulnerable function, it may be
possible to exploit a format string vulnerability through the generation
of a malicious log event which contains attacker-supplied format strings.
In the event that this vulnerability is exploited, an attacker could cause
arbitrary locations in memory to be corrupted with attacker-specified data
and execute code with the privileges of the TANne user.
29. cgihtml Denial Of Service Vulnerability
BugTraq ID: 6555
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6555
Summary:
cgihtml is a series of CGI and HTML routines, implemented in C. It can be
run on a number of platforms, including Unix and Linux variants and
Microsoft Windows.
A vulnerability has been discovered in cgihtml when processing Multipart
HTTP headers. It has been reported that, when processing a multipart
header, cgihtml fails to sufficiently verify the sanity of the header
structure. This may result in an affected application reading invalid
values supplied 38 bytes within a malicious header.
If this situation were to occur it may be possible for the attacker to
cause the application to crash. Although it has not yet been confirmed, it
is speculated that cgihtml contains other vulnerabilities similar to this
issue.
III. LINUX FOCUS LIST SUMMARY
---------------------------------
1. NO NEW POSTS FOR THE WEEK ENDING 01.10.03
IV. NEW PRODUCTS FOR LINUX PLATFORM
-----------------------------------
1. FireWall Suite
by Cybernet Systems
Platforms: FreeBSD, Linux, MacOS, Windows NT
http://www.netmax.com/products/secure_prods.html
Summary:
The NetMAX FireWall, FireWall Suite, and FireWall ProSuite simplify Linux
servers by installing a ready-to-configure firewall and router, along with
the Linux operating system.
2. NetVigil
by Fidelia
Platforms: Linux, Solaris, Windows NT
http://www.fidelia.com/products/index.phtml
Summary:
Fidelia NetVigil is a real-time integrated fault and performance
management tool that provides end-to-end business visibility of your
company's IT infrastructure. Fidelia NetVigil's unique architecture will
scale with your organization and allow you to view and correlate data
across your servers, applications and network devices. Fidelia NetVigil's
instant configuration capabilities and multi-level views combine to
expedite isolation and repair of IT problems, minimize downtime and reduce
the cost of labor and implementation. This translates into savings for
your bottom line.
3. P-Synch Total Password Management Solution
by M-TECH
Platforms: AIX, DG-UX, HP-UX, IRIX, Linux, MVS, Netware, Solaris, SunOS,
VMS, Windows NT
http://www.p-synch.com/
Summary:
P-Synch is a total password management solution. It is intended to reduce
the cost of ownership of password systems, and simultaneously improve the
security of password protected systems. This is done through: -Password
Synchronization. -Enforcing an enterprise wide password strength policy.
-Allowing authenticated users to reset their own forgotten passwords and
enable their locked out accounts. -Streamlining help desk call resolution
for password resets. P-Synch is available for both internal use, on the
corporate Intranet, as well as for the Internet deployment in B2B and B2C
applications.
V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. RSA implementation in Octave v0.01
by xilun
Relevant URL:
http://xilun666.free.fr/rsa.m
Platforms: Os Independent
Summary:
RSA implementation in Octave is a short, dirty, and very slow
implementation of the cryptographic primitives of the RSA public key
algorithm, using GNU Octave. It includes functions to work on big numbers,
modular exponentiation, modular inversion, probabilistic prime numbers
generators, key pair generators, and functions to encrypt and decrypt
files using a rather insecure scheme.
2. e2undel v0.81
by Oliver Diedrich e2undel (at) users.sourceforge (dot) net [email concealed]
Relevant URL:
http://e2undel.sourceforge.net
Platforms: Linux, POSIX
Summary:
e2undel is an interactive console tool that recovers the data of deleted
files on an ext2 file system under Linux. A library that allows you to
recover deleted files by name is included. e2undel does not manipulate any
internal ext2 structures, and it does not require any additional tools. It
should be useable without knowledge of the ext2 interna.
3. RSA encrypting tool v0.11
by Tomasz Pyra
Relevant URL:
http://sedez.iq.pl/~hellfire/rsa/
Platforms: Linux, POSIX
Summary:
This is a simple RSA algorithm implementation.
VI. SPONSOR INFORMATION
-----------------------
This issue is sponsored by: Qualys
Strengthening Network Security: FREE Guide Network security is a
constantly moving target - even proven solutions lose their punch over
time. Find out how to get COMPLETE PROTECTION against ever-growing
security threats with our FREE new Guide.
Get your copy today at: https://www.qualys.com/forms/nsguideh_376.php
------------------------------------------------------------------------
-------
[ reply ]