SecurityFocus Linux Newsletter #132
-----------------------------------
This Issue is Sponsored By: SpiDynamics
FREE White Paper: "How A Hacker Launches A Web App Attack!" Learn why 70%
of today's successful hacks involve Web Application attacks such as: SQL
Injection, XSS, Cookie Manipulation, and Parameter Manipulation.
All undetectable by Firewalls and IDS!
Download *FREE* white paper from SPI Dynamics for a complete guide to
protection!
Visit us at: http://www.spidynamics.com/mktg/webappsecurity103
------------------------------------------------------------------------
-------
I. FRONT AND CENTER
1. Security Tools: From Mermaids to Suckling Pigs
2. Malware Myths and Misinformation, Part One
3. Securing Apache: Step-by-Step
4. U.S. Information Security Law, Part 3
5. Relax, It Was a Honeypot
II. LINUX VULNERABILITY SUMMARY
1. Lgames LTris Local Memory Corruption Vulnerability
2. BitchX Mode Change Denial Of Service Vulnerability
3. PHPNuke Web_Links Module Remote SQL Injection Vulnerability
4. Boa Webserver File Disclosure Vulnerability
5. KDE Kopete GPG Plugin Remote Command Execution Vulnerability
6. Firebird GDS_Inet_Server Interbase Environment Variable Buffe...
7. Best Practical Solutions RT HTML Injection Vulnerability
8. PHP-Nuke Modules.PHP Username URI Parameter Cross Site...
9. PHP-Nuke Multiple Downloads Module SQL Injection Vulnerabilities
10. AIX Sendmail Open Relay Default Configuration Weakness...
11. Netscape Navigator False URL Information Vulnerability
12. vBulletin Private Message HTML Injection Vulnerability
13. Inktomi Traffic Server Cross-Site Scripting Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. AW: IPChains Question (compatibility mode on kernel 2.4.x)...
2. IPChains Question (compatibility mode on kernel 2.4.x) (Thread)
3. how to check current backlog queue size(against synflood)...
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. EncrLib ECC Cryptographic Library
2. SelectAccess
3. SSP XBoard-440
V. NEW TOOLS FOR LINUX PLATFORMS
1. WifiScanner v0.9.0
2. Ginsu Chat Client v0.4.7
3. phpBandwidth Monitor v1.5
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Security Tools: From Mermaids to Suckling Pigs
By Scott Granneman
The recent Nmap-hackers survey provides a glimpse of what security
professionals are packing in their tool-belts these days.
2. Malware Myths and Misinformation, Part One
By David Harley
This article is the first of a three-part series looking at some of the
myths and misconceptions that undermine anti-virus protection. The
fallacies we address here tend to begin with the words "I'm safe from
viruses because..."
http://www.securityfocus.com/infocus/1695
3. Securing Apache: Step-by-Step
By Artur Maj
This article shows in a step-by-step fashion, how to install and configure
the Apache 1.3.x Web server in order to mitigate or avoid successful
break-in when new vulnerabilities in this software are found.
4. U.S. Information Security Law, Part 3
By Steven Robinson
This is the third part of a four-part series looking at U.S. information
security laws and the way those laws affect security professionals. In
this installment, we will look at the basics of the criminal information
security law.
http://www.securityfocus.com/infocus/1693
5. Relax, It Was a Honeypot
By Tim Mullen
A security company cleverly tricks hackers into compromising one of its
distribution sites. Really.
http://www.securityfocus.com/columnists/162
II. BUGTRAQ SUMMARY
-------------------
1. Lgames LTris Local Memory Corruption Vulnerability
BugTraq ID: 7537
Remote: No
Date Published: May 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7537
Summary:
LTris is a Tetris clone written for Linux variant and BSD operating
systems. It is maintained by LGames.
A memory corruption vulnerability has been reported for LTris that may
result in a local attacker obtaining elevated privileges.
An attacker can exploit this vulnerability by creating an overly long
$HOME environment variable, consisting of at least 520 bytes. The attacker
then invokes /usr/local/share/ltris and the vulnerability is triggered
resulting in the corruption of sensitive memory and the execution of
attacker-supplied code. Any code to be executed will be executed with
group 'games' privileges.
This vulnerability was reported to affect LTris installed on FreeBSD
systems. It is likely that other systems are also affected.
2. BitchX Mode Change Denial Of Service Vulnerability
BugTraq ID: 7551
Remote: Yes
Date Published: May 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7551
Summary:
BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.
A denial of service vulnerability has been reported for BitchX. It is
possible to cause BitchX to crash when certain mode changes are made.
The vulnerability exists in the names.c source file where a check is not
made for any arguments provided with a mode change.
The precise details of this vulnerability are currently unknown. This BID
will be updated as more information becomes available.
This vulnerability affects BitchX cvs versions prior to 05/09/2003.
PHPNuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.
It has been reported that multiple input validation bugs exist in the
Web_Links module used by PHPNuke.
The problem is in the sanitizing of data passed to construct database
queries. Insufficient sanity checks are performed by the Web_Links
module, making it possible to inject SQL code into the database behind
PHPNuke. This issue could be exploited to gain access to potentially
sensitive information contained in the database with the privileges of the
web application. Compromise of the web forums may also be possible.
Consequences could vary depending on the the queries involved and the
capabilities of the underlying database implementation.
These issues could be especially dangerous for databases that support the
UNION function, allowing for execution of multiple queries. It should
also be noted that an additional 20 instances of SQL injection
vulnerabilities exist in this module.
Boa is a single-tasking a high performance web server for Unix based
systems.
Boa webserver has been reported prone to a file disclosure vulnerability.
The issue presents itself due to a lack of sufficient sanitization
performed on user supplied HTTP requests.
Reportedly an attacker may exploit this vulnerability by submitting a HTTP
request that contains dot-dot (../..) directory traversal sequences
designed to break out of the web root and access a webserver readable file
on the vulnerable system. Reportedly the file contents will be displayed
in the attacker's browser.
It should be noted that Boa webserver version '0.92r' on the 'PowerLinkT
WAN Aggregator' appliance has been reported vulnerable. It is not yet
confirmed if other platforms are vulnerable; this issue was not
reproducible on Boa webserver version '0.92r' compiled and installed on
Red Hat Linux 6.2.
This issue may be related to the vulnerability reported in BID 1770.
5. KDE Kopete GPG Plugin Remote Command Execution Vulnerability
BugTraq ID: 7536
Remote: Yes
Date Published: May 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7536
Summary:
Kopete is a freely available, open source instant messaging client. It is
available for the Linux Operating Systems.
A problem with kopete may make unauthorized command execution possible.
It has been reported that kopete does not properly sanitize input from
remote users under some circumstances. Because of this, an attacker may
be able to execute arbitrary commands on a vulnerable version of the
client.
The problem is in the handling of GPG signed messages. When the kopete
client is used with the GPG plugin, the plugin does not properly sanitize
messages from remote users. This input will be passed as command line
parameters to the GPG program. This could result in the execution of
commands with the privileges of the kopete user.
It should be noted that the kopete plugin is not enabled by default.
6. Firebird GDS_Inet_Server Interbase Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 7546
Remote: No
Date Published: May 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7546
Summary:
Interbase is a database distributed and maintained by Borland. It is
available for Unix and Linux operating systems. As Firebird is based on
Borland/Inprise Interbase source code, it is very likely that Interbase is
prone to this issue also.
A problem with Firebird could make it possible for a local user to gain
elevated privileges.
A buffer overflow has been discovered in the setuid root program
gds_inet_server, packaged with Firebird. This problem could allow a local
user to execute the program with strings of arbitrary length. By using a
custom crafted string, the attacker could overwrite stack memory,
including the return address of a function, and potentially execute
arbitrary code as root.
The vulnerability occurs in the INTERBASE environment variable. When the
gds_inet_server program is executed with a string of arbitrary length
(typically 500 or more bytes) in the INTERBASE environment variable, the
result in an exploitable buffer overflow.
This could make it possible for a local user to gain administrative
access.
7. Best Practical Solutions RT HTML Injection Vulnerability
BugTraq ID: 7509
Remote: Yes
Date Published: May 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7509
Summary:
RT (Request Tracker) is a ticketing system implemented in Perl. It is
distributed by Best Practical Solutions and is available for a variety of
platforms including Microsoft Windows and Linux variant systems.
A vulnerability has been discovered in RT which may make it prone to HTML
injection attacks.
The vulnerability exists due to insufficient sanitization of user-supplied
values. Specifically, the content included in message bodies is not
properly sanitized of malicious HTML code.
This lack of sanitization provides an opportunity for an attacker to
launch HTML injection attacks against the vulnerable site hosting RT. It
is possible for a remote attacker to create a malicious ticket containing
script code that will be executed in the browser of a legitimate user.
Any attacker-supplied code will be executed within the context of the
website running RT.
This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software. The attacker may hijack the session of the legitimate by using
cookie-based authentication credentials. Other attacks are also possible.
This vulnerability was reported for RT 1.0.7 and earlier.
8. PHP-Nuke Modules.PHP Username URI Parameter Cross Site Scripting Vulnerability
BugTraq ID: 7570
Remote: Yes
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7570
Summary:
PHP-Nuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.
A cross site scripting vulnerability has been reported for PHP-Nuke.
Specifically, PHP-Nuke does not sufficiently sanitize user-supplied input
for the 'username' URI parameter to the modules.php script.
As a result of this deficiency, it is possible for a remote attacker to
create a malicious link containing script code that will be executed in
the browser of a legitimate user. Specifically the attacker can pass
malicious HTML code as a value for the 'username' URI parameter supplied
to the 'modules.php' page. All code will be executed within the context of
the website running PHP-Nuke.
This may allow for theft of cookie-based authentication credentials and
other attacks.
This vulnerability was reported to affect PHP-Nuke version 6.5.
PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.
PHP-Nuke is reportedly prone to multiple SQL injection vulnerabilities in
the Downloads. User-supplied input is included in SQL queries made by the
module without being sanitized.
Exploitation could allow for injection of malicious SQL syntax, resulting
in modification of SQL query logic or other attacks. Consequences will
vary depending on the specific queries and the capabilities of the
underlying database implementation. At the very minimum it may be
possible to gain access to sensitive information that is stored in the
database.
10. AIX Sendmail Open Relay Default Configuration Weakness
BugTraq ID: 7580
Remote: Yes
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7580
Summary:
Sendmail is a freely available, open source mail transport agent. It is
available for various UNIX and Linux operating systems.
A problem with the default sendmail implementation on AIX systems may lead
to violations in security policy.
It has been reported that the default sendmail configuration on AIX
systems enables promiscuous e-mail relaying options. Because of this, a
remote attacker may be able to use the e-mail server to obscure the
origins of e-mail.
The problem is in the default sendmail.cf deployed with AIX. The
sendmail.cf enables options that can allow anonymous remote users to relay
e-mail through AIX systems. This could be used for spam, e-mail attacks,
or other nefarious purposes.
11. Netscape Navigator False URL Information Vulnerability
BugTraq ID: 7564
Remote: Yes
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7564
Summary:
Netscape is a web browser that is available for a number of platforms,
including Microsoft Windows and Unix and Linux variants.
An issue has been reported for Netscape Navigator that may result in a
false sense of security for a user.
Due to the way Netscape handles the history.back() function, the URL
displayed on the 'location bar' will not correspond to the actual URL of
the site displayed in the browser window. As a result, a malicious
attacker can exploit this issue to entice a user to visit a web site and
make them believe they are at known or trusted page.
This vulnerability was reported for Netscape Navigator 7.02 for Windows
operating systems.
12. vBulletin Private Message HTML Injection Vulnerability
BugTraq ID: 7594
Remote: Yes
Date Published: May 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7594
Summary:
vBulletin is commercial web forum software written in PHP and back-ended
by a MySQL database. It will run on most Linux and Unix variants, as well
as Microsoft operating systems.
A vulnerability has been reported for vBulletin 3.0.0. beta 2 which may
make it prone to HTML injection attacks. The problem is said to occur
while previewing private messages.
Specifically, private messages may not be sufficiently sanitized of
malicious content. This may make it possible for an attacker to place HTML
or script code within a private message for another user. When the
legitimate forum user attempts to preview the message the malicious code
will be interpreted by their browser.
Attackers may potentially exploit this issue to manipulate web content or
to steal cookie-based authentication credentials. It may be possible to
take arbitrary actions as the victim user.
13. Inktomi Traffic Server Cross-Site Scripting Vulnerability
BugTraq ID: 7596
Remote: Yes
Date Published: May 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7596
Summary:
Inktomi Traffic Server is a transparent web caching application. It is
designed for use with Unix and Linux variants as well as Microsoft Windows
operating environments.
Inktomi Traffic Server is prone to a cross-site scripting vulnerability.
This is due to insufficient sanitization of input passed to the proxy,
which will be echoed back in error pages under some circumstances.
It has been reported that Inktomi Traffic Server will generate errors when
an open port other than 80/http is requested. The connection will time
out when the request port on the remote system is closed, which will not
generate an error. There is one reported exception to this. The proxy
server will generate an error for requests to port 443/https regardless of
whether the port is open or whether the requested host exists.
A malicious attacker could exploit this issue by creating a link which
contains hostile HTML and script code and then enticing users of the proxy
to visit the link. When the link is visited via the proxy,
attacker-supplied script may be interpreted in the user's browser.
Exploitation could permit HTML and script code to access properties of the
domain that is requested through the proxy. This could permit theft of
cookie-based authentication credentials from arbitrary domains or other
attacks.
III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. AW: IPChains Question (compatibility mode on kernel 2.4.x) (Thread)
Relevant URL:
3. how to check current backlog queue size(against synflood) (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/321212
IV. NEW PRODUCTS FOR LINUX PLATFORMS
-------------------------------------
1. EncrLib ECC Cryptographic Library
by Encryption Software
Platforms: Linux, UNIX, Windows 2000, Windows 95/98, Windows NT
Relevant URL:
http://www.encrsoft.com/products/encrlib.html
Summary:
EncrLib ECC Cryptographic Library is a C++, secure, powerful, portable,
easy-to-use, and extremely fast public-key encryption and digital
signature solution, based on the most exciting public-key development in
the cryptographic community of the last decade -- Elliptic Curve
Cryptography (ECC).
2. SelectAccess
by Baltimore Technologies
Platforms: Linux, Solaris, SunOS, UNIX, Windows 2000, Windows NT
Relevant URL:
http://www.baltimoretechnologies.com/selectaccess/index.asp
Summary:
SelectAccess enables businesses to capitalize on the potential of
extranets, intranets and portals by providing web-based single sign-on for
a seamless user experience. SelectAccess greatly reduces administration
cost and complexity by providing a unified approach to defining
authorization policies and securely managing role-based access to on-line
resources.
3. SSP XBoard-440
by SSP Solutions
Platforms: Linux, Windows 2000
Relevant URL:
http://www.sspsolutions.com/products/sspxboard440/
Summary:
The SSP XBoard-440 is a 32-bit PCI bus interface board designed to
maximize the performance of secure webservers by eliminating the processor
bottlenecks incurred by SSL. As a direct result, the customer enjoys a
faster connection, experiences immediate server response, and receives the
full security benefits of the encryption process, from fewer servers. The
SSP XBoard-440 eliminates the need to purchase additional servers to
handle the increased burden of secure connections. The SSP XBoard-440
provides the speed and security needed to authenticate and securely pass
information between client and server. By consolidating server resources,
organizations can reduce operating, maintenance, and acquisition costs.
V. NEW TOOLS FOR LINUX PLATFORMS
---------------------------------
1. WifiScanner v0.9.0
by Jerome Poggi jerome.poggi (at) hsc-labs (dot) fr [email concealed]
Relevant URL:
http://wifiscanner.sourceforge.net/
Platforms: Linux, POSIX
Summary:
WifiScanner is an analyzer and detector of 802.11b stations and access
points. It can listen alternatively on all the 14 channels, write packet
information in real time, can search access points and associated client
stations, and can generate a graphic of the architecture using GraphViz.
All network traffic can be saved in the libpcap format for post analysis.
It works under Linux with a PrismII card and with the linux-wlan driver.
2. Ginsu Chat Client v0.4.7
by John Meacham
Relevant URL:
http://repetae.net/john/computer/ginsu/
Platforms: POSIX
Summary:
Ginsu is a client for the Gale chat system. It is designed to be powerful
and above all stable, as well as having a quick learning curve.
3. phpBandwidth Monitor v1.5
by Eric Binger
Relevant URL:
http://www.phpBandwidth.com
Platforms: Linux
Summary:
phpBandwidth monitors a particular network interface (eth0, eth1, ppp0,
etc.) and provides a realtime graph showing bandwidth consumption on a
server.
VI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored By: SpiDynamics
FREE White Paper: "How A Hacker Launches A Web App Attack!" Learn why 70%
of today's successful hacks involve Web Application attacks such as: SQL
Injection, XSS, Cookie Manipulation, and Parameter Manipulation.
All undetectable by Firewalls and IDS!
Download *FREE* white paper from SPI Dynamics for a complete guide to
protection!
Visit us at: http://www.spidynamics.com/mktg/webappsecurity103
------------------------------------------------------------------------
-------
-----------------------------------
This Issue is Sponsored By: SpiDynamics
FREE White Paper: "How A Hacker Launches A Web App Attack!" Learn why 70%
of today's successful hacks involve Web Application attacks such as: SQL
Injection, XSS, Cookie Manipulation, and Parameter Manipulation.
All undetectable by Firewalls and IDS!
Download *FREE* white paper from SPI Dynamics for a complete guide to
protection!
Visit us at: http://www.spidynamics.com/mktg/webappsecurity103
------------------------------------------------------------------------
-------
I. FRONT AND CENTER
1. Security Tools: From Mermaids to Suckling Pigs
2. Malware Myths and Misinformation, Part One
3. Securing Apache: Step-by-Step
4. U.S. Information Security Law, Part 3
5. Relax, It Was a Honeypot
II. LINUX VULNERABILITY SUMMARY
1. Lgames LTris Local Memory Corruption Vulnerability
2. BitchX Mode Change Denial Of Service Vulnerability
3. PHPNuke Web_Links Module Remote SQL Injection Vulnerability
4. Boa Webserver File Disclosure Vulnerability
5. KDE Kopete GPG Plugin Remote Command Execution Vulnerability
6. Firebird GDS_Inet_Server Interbase Environment Variable Buffe...
7. Best Practical Solutions RT HTML Injection Vulnerability
8. PHP-Nuke Modules.PHP Username URI Parameter Cross Site...
9. PHP-Nuke Multiple Downloads Module SQL Injection Vulnerabilities
10. AIX Sendmail Open Relay Default Configuration Weakness...
11. Netscape Navigator False URL Information Vulnerability
12. vBulletin Private Message HTML Injection Vulnerability
13. Inktomi Traffic Server Cross-Site Scripting Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. AW: IPChains Question (compatibility mode on kernel 2.4.x)...
2. IPChains Question (compatibility mode on kernel 2.4.x) (Thread)
3. how to check current backlog queue size(against synflood)...
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. EncrLib ECC Cryptographic Library
2. SelectAccess
3. SSP XBoard-440
V. NEW TOOLS FOR LINUX PLATFORMS
1. WifiScanner v0.9.0
2. Ginsu Chat Client v0.4.7
3. phpBandwidth Monitor v1.5
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Security Tools: From Mermaids to Suckling Pigs
By Scott Granneman
The recent Nmap-hackers survey provides a glimpse of what security
professionals are packing in their tool-belts these days.
2. Malware Myths and Misinformation, Part One
By David Harley
This article is the first of a three-part series looking at some of the
myths and misconceptions that undermine anti-virus protection. The
fallacies we address here tend to begin with the words "I'm safe from
viruses because..."
http://www.securityfocus.com/infocus/1695
3. Securing Apache: Step-by-Step
By Artur Maj
This article shows in a step-by-step fashion, how to install and configure
the Apache 1.3.x Web server in order to mitigate or avoid successful
break-in when new vulnerabilities in this software are found.
4. U.S. Information Security Law, Part 3
By Steven Robinson
This is the third part of a four-part series looking at U.S. information
security laws and the way those laws affect security professionals. In
this installment, we will look at the basics of the criminal information
security law.
http://www.securityfocus.com/infocus/1693
5. Relax, It Was a Honeypot
By Tim Mullen
A security company cleverly tricks hackers into compromising one of its
distribution sites. Really.
http://www.securityfocus.com/columnists/162
II. BUGTRAQ SUMMARY
-------------------
1. Lgames LTris Local Memory Corruption Vulnerability
BugTraq ID: 7537
Remote: No
Date Published: May 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7537
Summary:
LTris is a Tetris clone written for Linux variant and BSD operating
systems. It is maintained by LGames.
A memory corruption vulnerability has been reported for LTris that may
result in a local attacker obtaining elevated privileges.
An attacker can exploit this vulnerability by creating an overly long
$HOME environment variable, consisting of at least 520 bytes. The attacker
then invokes /usr/local/share/ltris and the vulnerability is triggered
resulting in the corruption of sensitive memory and the execution of
attacker-supplied code. Any code to be executed will be executed with
group 'games' privileges.
This vulnerability was reported to affect LTris installed on FreeBSD
systems. It is likely that other systems are also affected.
2. BitchX Mode Change Denial Of Service Vulnerability
BugTraq ID: 7551
Remote: Yes
Date Published: May 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7551
Summary:
BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.
A denial of service vulnerability has been reported for BitchX. It is
possible to cause BitchX to crash when certain mode changes are made.
The vulnerability exists in the names.c source file where a check is not
made for any arguments provided with a mode change.
The precise details of this vulnerability are currently unknown. This BID
will be updated as more information becomes available.
This vulnerability affects BitchX cvs versions prior to 05/09/2003.
3. PHPNuke Web_Links Module Remote SQL Injection Vulnerability
BugTraq ID: 7558
Remote: Yes
Date Published: May 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7558
Summary:
PHPNuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.
It has been reported that multiple input validation bugs exist in the
Web_Links module used by PHPNuke.
The problem is in the sanitizing of data passed to construct database
queries. Insufficient sanity checks are performed by the Web_Links
module, making it possible to inject SQL code into the database behind
PHPNuke. This issue could be exploited to gain access to potentially
sensitive information contained in the database with the privileges of the
web application. Compromise of the web forums may also be possible.
Consequences could vary depending on the the queries involved and the
capabilities of the underlying database implementation.
These issues could be especially dangerous for databases that support the
UNION function, allowing for execution of multiple queries. It should
also be noted that an additional 20 instances of SQL injection
vulnerabilities exist in this module.
4. Boa Webserver File Disclosure Vulnerability
BugTraq ID: 7544
Remote: Yes
Date Published: May 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7544
Summary:
Boa is a single-tasking a high performance web server for Unix based
systems.
Boa webserver has been reported prone to a file disclosure vulnerability.
The issue presents itself due to a lack of sufficient sanitization
performed on user supplied HTTP requests.
Reportedly an attacker may exploit this vulnerability by submitting a HTTP
request that contains dot-dot (../..) directory traversal sequences
designed to break out of the web root and access a webserver readable file
on the vulnerable system. Reportedly the file contents will be displayed
in the attacker's browser.
It should be noted that Boa webserver version '0.92r' on the 'PowerLinkT
WAN Aggregator' appliance has been reported vulnerable. It is not yet
confirmed if other platforms are vulnerable; this issue was not
reproducible on Boa webserver version '0.92r' compiled and installed on
Red Hat Linux 6.2.
This issue may be related to the vulnerability reported in BID 1770.
5. KDE Kopete GPG Plugin Remote Command Execution Vulnerability
BugTraq ID: 7536
Remote: Yes
Date Published: May 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7536
Summary:
Kopete is a freely available, open source instant messaging client. It is
available for the Linux Operating Systems.
A problem with kopete may make unauthorized command execution possible.
It has been reported that kopete does not properly sanitize input from
remote users under some circumstances. Because of this, an attacker may
be able to execute arbitrary commands on a vulnerable version of the
client.
The problem is in the handling of GPG signed messages. When the kopete
client is used with the GPG plugin, the plugin does not properly sanitize
messages from remote users. This input will be passed as command line
parameters to the GPG program. This could result in the execution of
commands with the privileges of the kopete user.
It should be noted that the kopete plugin is not enabled by default.
6. Firebird GDS_Inet_Server Interbase Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 7546
Remote: No
Date Published: May 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7546
Summary:
Interbase is a database distributed and maintained by Borland. It is
available for Unix and Linux operating systems. As Firebird is based on
Borland/Inprise Interbase source code, it is very likely that Interbase is
prone to this issue also.
A problem with Firebird could make it possible for a local user to gain
elevated privileges.
A buffer overflow has been discovered in the setuid root program
gds_inet_server, packaged with Firebird. This problem could allow a local
user to execute the program with strings of arbitrary length. By using a
custom crafted string, the attacker could overwrite stack memory,
including the return address of a function, and potentially execute
arbitrary code as root.
The vulnerability occurs in the INTERBASE environment variable. When the
gds_inet_server program is executed with a string of arbitrary length
(typically 500 or more bytes) in the INTERBASE environment variable, the
result in an exploitable buffer overflow.
This could make it possible for a local user to gain administrative
access.
7. Best Practical Solutions RT HTML Injection Vulnerability
BugTraq ID: 7509
Remote: Yes
Date Published: May 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7509
Summary:
RT (Request Tracker) is a ticketing system implemented in Perl. It is
distributed by Best Practical Solutions and is available for a variety of
platforms including Microsoft Windows and Linux variant systems.
A vulnerability has been discovered in RT which may make it prone to HTML
injection attacks.
The vulnerability exists due to insufficient sanitization of user-supplied
values. Specifically, the content included in message bodies is not
properly sanitized of malicious HTML code.
This lack of sanitization provides an opportunity for an attacker to
launch HTML injection attacks against the vulnerable site hosting RT. It
is possible for a remote attacker to create a malicious ticket containing
script code that will be executed in the browser of a legitimate user.
Any attacker-supplied code will be executed within the context of the
website running RT.
This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software. The attacker may hijack the session of the legitimate by using
cookie-based authentication credentials. Other attacks are also possible.
This vulnerability was reported for RT 1.0.7 and earlier.
8. PHP-Nuke Modules.PHP Username URI Parameter Cross Site Scripting Vulnerability
BugTraq ID: 7570
Remote: Yes
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7570
Summary:
PHP-Nuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.
A cross site scripting vulnerability has been reported for PHP-Nuke.
Specifically, PHP-Nuke does not sufficiently sanitize user-supplied input
for the 'username' URI parameter to the modules.php script.
As a result of this deficiency, it is possible for a remote attacker to
create a malicious link containing script code that will be executed in
the browser of a legitimate user. Specifically the attacker can pass
malicious HTML code as a value for the 'username' URI parameter supplied
to the 'modules.php' page. All code will be executed within the context of
the website running PHP-Nuke.
This may allow for theft of cookie-based authentication credentials and
other attacks.
This vulnerability was reported to affect PHP-Nuke version 6.5.
9. PHP-Nuke Multiple Downloads Module SQL Injection Vulnerabilities
BugTraq ID: 7588
Remote: Yes
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7588
Summary:
PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.
PHP-Nuke is reportedly prone to multiple SQL injection vulnerabilities in
the Downloads. User-supplied input is included in SQL queries made by the
module without being sanitized.
Exploitation could allow for injection of malicious SQL syntax, resulting
in modification of SQL query logic or other attacks. Consequences will
vary depending on the specific queries and the capabilities of the
underlying database implementation. At the very minimum it may be
possible to gain access to sensitive information that is stored in the
database.
10. AIX Sendmail Open Relay Default Configuration Weakness
BugTraq ID: 7580
Remote: Yes
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7580
Summary:
Sendmail is a freely available, open source mail transport agent. It is
available for various UNIX and Linux operating systems.
A problem with the default sendmail implementation on AIX systems may lead
to violations in security policy.
It has been reported that the default sendmail configuration on AIX
systems enables promiscuous e-mail relaying options. Because of this, a
remote attacker may be able to use the e-mail server to obscure the
origins of e-mail.
The problem is in the default sendmail.cf deployed with AIX. The
sendmail.cf enables options that can allow anonymous remote users to relay
e-mail through AIX systems. This could be used for spam, e-mail attacks,
or other nefarious purposes.
11. Netscape Navigator False URL Information Vulnerability
BugTraq ID: 7564
Remote: Yes
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7564
Summary:
Netscape is a web browser that is available for a number of platforms,
including Microsoft Windows and Unix and Linux variants.
An issue has been reported for Netscape Navigator that may result in a
false sense of security for a user.
Due to the way Netscape handles the history.back() function, the URL
displayed on the 'location bar' will not correspond to the actual URL of
the site displayed in the browser window. As a result, a malicious
attacker can exploit this issue to entice a user to visit a web site and
make them believe they are at known or trusted page.
This vulnerability was reported for Netscape Navigator 7.02 for Windows
operating systems.
12. vBulletin Private Message HTML Injection Vulnerability
BugTraq ID: 7594
Remote: Yes
Date Published: May 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7594
Summary:
vBulletin is commercial web forum software written in PHP and back-ended
by a MySQL database. It will run on most Linux and Unix variants, as well
as Microsoft operating systems.
A vulnerability has been reported for vBulletin 3.0.0. beta 2 which may
make it prone to HTML injection attacks. The problem is said to occur
while previewing private messages.
Specifically, private messages may not be sufficiently sanitized of
malicious content. This may make it possible for an attacker to place HTML
or script code within a private message for another user. When the
legitimate forum user attempts to preview the message the malicious code
will be interpreted by their browser.
Attackers may potentially exploit this issue to manipulate web content or
to steal cookie-based authentication credentials. It may be possible to
take arbitrary actions as the victim user.
13. Inktomi Traffic Server Cross-Site Scripting Vulnerability
BugTraq ID: 7596
Remote: Yes
Date Published: May 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7596
Summary:
Inktomi Traffic Server is a transparent web caching application. It is
designed for use with Unix and Linux variants as well as Microsoft Windows
operating environments.
Inktomi Traffic Server is prone to a cross-site scripting vulnerability.
This is due to insufficient sanitization of input passed to the proxy,
which will be echoed back in error pages under some circumstances.
It has been reported that Inktomi Traffic Server will generate errors when
an open port other than 80/http is requested. The connection will time
out when the request port on the remote system is closed, which will not
generate an error. There is one reported exception to this. The proxy
server will generate an error for requests to port 443/https regardless of
whether the port is open or whether the requested host exists.
A malicious attacker could exploit this issue by creating a link which
contains hostile HTML and script code and then enticing users of the proxy
to visit the link. When the link is visited via the proxy,
attacker-supplied script may be interpreted in the user's browser.
Exploitation could permit HTML and script code to access properties of the
domain that is requested through the proxy. This could permit theft of
cookie-based authentication credentials from arbitrary domains or other
attacks.
III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. AW: IPChains Question (compatibility mode on kernel 2.4.x) (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/321455
2. IPChains Question (compatibility mode on kernel 2.4.x) (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/321453
3. how to check current backlog queue size(against synflood) (Thread)
Relevant URL:
http://www.securityfocus.com/archive/91/321212
IV. NEW PRODUCTS FOR LINUX PLATFORMS
-------------------------------------
1. EncrLib ECC Cryptographic Library
by Encryption Software
Platforms: Linux, UNIX, Windows 2000, Windows 95/98, Windows NT
Relevant URL:
http://www.encrsoft.com/products/encrlib.html
Summary:
EncrLib ECC Cryptographic Library is a C++, secure, powerful, portable,
easy-to-use, and extremely fast public-key encryption and digital
signature solution, based on the most exciting public-key development in
the cryptographic community of the last decade -- Elliptic Curve
Cryptography (ECC).
2. SelectAccess
by Baltimore Technologies
Platforms: Linux, Solaris, SunOS, UNIX, Windows 2000, Windows NT
Relevant URL:
http://www.baltimoretechnologies.com/selectaccess/index.asp
Summary:
SelectAccess enables businesses to capitalize on the potential of
extranets, intranets and portals by providing web-based single sign-on for
a seamless user experience. SelectAccess greatly reduces administration
cost and complexity by providing a unified approach to defining
authorization policies and securely managing role-based access to on-line
resources.
3. SSP XBoard-440
by SSP Solutions
Platforms: Linux, Windows 2000
Relevant URL:
http://www.sspsolutions.com/products/sspxboard440/
Summary:
The SSP XBoard-440 is a 32-bit PCI bus interface board designed to
maximize the performance of secure webservers by eliminating the processor
bottlenecks incurred by SSL. As a direct result, the customer enjoys a
faster connection, experiences immediate server response, and receives the
full security benefits of the encryption process, from fewer servers. The
SSP XBoard-440 eliminates the need to purchase additional servers to
handle the increased burden of secure connections. The SSP XBoard-440
provides the speed and security needed to authenticate and securely pass
information between client and server. By consolidating server resources,
organizations can reduce operating, maintenance, and acquisition costs.
V. NEW TOOLS FOR LINUX PLATFORMS
---------------------------------
1. WifiScanner v0.9.0
by Jerome Poggi jerome.poggi (at) hsc-labs (dot) fr [email concealed]
Relevant URL:
http://wifiscanner.sourceforge.net/
Platforms: Linux, POSIX
Summary:
WifiScanner is an analyzer and detector of 802.11b stations and access
points. It can listen alternatively on all the 14 channels, write packet
information in real time, can search access points and associated client
stations, and can generate a graphic of the architecture using GraphViz.
All network traffic can be saved in the libpcap format for post analysis.
It works under Linux with a PrismII card and with the linux-wlan driver.
2. Ginsu Chat Client v0.4.7
by John Meacham
Relevant URL:
http://repetae.net/john/computer/ginsu/
Platforms: POSIX
Summary:
Ginsu is a client for the Gale chat system. It is designed to be powerful
and above all stable, as well as having a quick learning curve.
3. phpBandwidth Monitor v1.5
by Eric Binger
Relevant URL:
http://www.phpBandwidth.com
Platforms: Linux
Summary:
phpBandwidth monitors a particular network interface (eth0, eth1, ppp0,
etc.) and provides a realtime graph showing bandwidth consumption on a
server.
VI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored By: SpiDynamics
FREE White Paper: "How A Hacker Launches A Web App Attack!" Learn why 70%
of today's successful hacks involve Web Application attacks such as: SQL
Injection, XSS, Cookie Manipulation, and Parameter Manipulation.
All undetectable by Firewalls and IDS!
Download *FREE* white paper from SPI Dynamics for a complete guide to
protection!
Visit us at: http://www.spidynamics.com/mktg/webappsecurity103
------------------------------------------------------------------------
-------
[ reply ]