SecurityFocus News
SecurityFocus Newsletter #172 Nov 25 2002 04:57PM
John Boletta (jboletta securityfocus com)

SecurityFocus Newsletter #172
-----------------------------

This Issue is Sponsored by: SPI Dynamics

ALERT! "Outsmart Web Application Attackers"- Learn why 70% of today's
successful hacks involve Web Application attacks such as: SQL Injection,
XSS and Cookie Manipulation. All undetectable by Firewalls and IDS! FREE
15 Day Product Trial, which delivers a Comprehensive Vulnerability Report
http://www.spidynamics.com/mktg/freewebinspect19

------------------------------------------------------------------------

I. FRONT AND CENTER
1. SQL Injection and Oracle
2. Complete Snort-based IDS Architecture, Part Two
3. Caught in a BIND
4. SecurityFocus DPP Program
5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. BUGTRAQ SUMMARY
1. Courier SqWebMail File Disclosure Vulnerability
2. Lonerunner Zeroo HTTP Server Remote Buffer Overflow Vulnerability
3. NeoSoft NeoBook 4 ActiveX Control Arbitrary File Type Inclusion...
4. Perception LiteServe Malformed GET Request Buffer Overflow...
5. Nullmailer Invalid User Denial Of Service Vulnerability
6. AOL Instant Messenger Screen Name Buffer Overflow Vulnerability
7. PHPBB2 ViewTopic.PHP Cross Site Scripting Vulnerability
8. Macromedia Flash SWRemote Heap Corruption Vulnerability
9. MailEnable Email Server Buffer Overflow Vulnerability
10. TFTPD32 Arbitrary File Download/Upload Vulnerability
11. TFTPD32 Long Filename Buffer Overflow Vulnerability
12. DHCPCD Character Expansion Remote Command Execution Vulnerability
13. Linksys Router Unauthorized Management Access Vulnerability
14. iPlanet Admin Server Cross Site Scripting Vulnerability
15. iPlanet Admin Server Insecure Open Call Vulnerability
16. Microsoft Internet Explorer IFRAME dialogArguments Cross-Zone...
17. QNX Multiple Program Insecure Default Permissions Vulnerability
18. Mhonarc Mail Header HTML Injection Vulnerability
19. QNX Photon MicroGUI Clipboard Insecure Data Storage Vulnerability
III. SECURITYFOCUS NEWS ARTICLES
1. Comdex's Secure Side
2. Lawyers Fear Misuse of Cyber Murder Law
3. On the Microsoft FTP server leak
4. Internet Provisions in Homeland Security Bill
5. Sex, Text, Revenge, Hacking and Friends Reunited
IV. SECURITYFOCUS TOP 6 TOOLS
1. guard bash v1.0
2. Paketto Keiretsu v1.0
3. mod_authenticache v2.0.6
4. SNMP Trap Translator v0.4
5. slurm v0.0.7
6. irclog-xml v0.07a
V. SECURITYJOBS LIST SUMMARY
1. NO NEW POSTS FOR THE WEEK ENDING 11.25.02
VI. INCIDENTS LIST SUMMARY
1. Port 1080 (Thread)
2. Compromised FBSD/Apache (Thread)
3. FTP and Win2K changed security policy (Thread)
4. Proxy server hit... Any ideas? (Thread)
5. More info about found Win2K "rootkit" (Thread)
6. New scanner? (Thread)
7. Fraudulent use of ebay's name (Thread)
8. DeepSight Analyzer 4.0 Announcement (Thread)
9. Strange apache logs: CONNECT maila.microsoft.com:25 (Thread)
10. Help - a possible bot (Thread)
11. 030 igetnet ignkeywords (Thread)
12. Spoofed RFC1918 Network Source Addresses... (Thread)
13. Unicode Attack (Thread)
14. Strange Apache logs - maybe DDOS? (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
1. PHP (Thread)
2. shell script cgi (summary?) (Thread)
3. Remote service shutdown in mailenable (newest) Follow up (Thread)
4. Remote service shutdown in mailenable (newest) (Thread)
5. Paketto Keiretsu 1.0 Released (Thread)
6. shell script cgi (Thread)
7. ColdFusion Heap Overflow -continued (Thread)
8. [Division 7 Security Systems]-Multiple Vulnerabilities Found in...
VIII. MICROSOFT FOCUS LIST SUMMARY
1. outlook 2000 vs latest outlook express deployment (Thread)
2. How to secure Internet Explorer (Thread)
3. SecurityFocus Microsoft Newsletter #113 (Thread)
4. re: Unknown Workgroup in Network Neighborhood (Thread)
5. Active Directory network security (Thread)
IX. SUN FOCUS LIST SUMMARY
1. Anti Virus on Sun Solaris (Thread)
2. Anti Virus on Sun Solaris (Pre-summary) (Thread)
X. LINUX FOCUS LIST SUMMARY
1. iptables REJECT types for UDP (if any) (Thread)
2. DeepSight Analyzer 4.0 Announcement (Thread)
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. SQL Injection and Oracle
By Pete Finnigan

This is the first article in a two-part series that will examine SQL
injection attacks against Oracle databases. The objective of this series
is to introduce Oracle users to some of the dangers of SQL injection and
to suggest some simple ways of protecting against these types of attack.

http://online.securityfocus.com/infocus/1644

2. Complete Snort-based IDS Architecture, Part Two
by Anton Chuvakin, Ph.D. and Vladislav V. Myasnyankin

Many companies find it hard to justify acquiring IDS systems due to
their perceived high cost of ownership. However, not all IDS systems are
prohibitively expensive. This is the second part of a two-part article that
will provide a set of detailed directions to build an affordable intrusion
detection architecture from hardware and freely available software. In
this installment we shall discuss Web interface configuration, summaries
and daily reporting, automated attack response, sensor installation,
installation of the central station, and big distributed IDS systems.

http://online.securityfocus.com/infocus/1643

3. Caught in a BIND
By Jon Lasser

How did one of the Internet's most ubiquitous software packages grow up to
be chronically insecure? History offers a lesson.

http://online.securityfocus.com/columnists/125

4. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11

Solutions to today's security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY
-------------------
1. Courier SqWebMail File Disclosure Vulnerability
BugTraq ID: 6189
Remote: Yes
Date Published: Nov 15 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6189
Summary:

Courier SqWebMail is a CGI application used to send and receive email
using 'Maildir' mailboxes.

An information disclosure vulnerability has been reported for SqWebMail.
In some circumstances, it has been reported that SqWebMail does not drop
privileges fast enough upon startup.

An attacker can exploit this vulnerability to execute SqWebMail and obtain
access to potentially sensitive files.

Precise technical details regarding this vulnerability are not yet known.
This BID will be updated as more information becomes available.

2. Lonerunner Zeroo HTTP Server Remote Buffer Overflow Vulnerability
BugTraq ID: 6190
Remote: Yes
Date Published: Nov 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6190
Summary:

Zeroo HTTP server is a freely available, open source web server. It is
available for the Linux and Microsoft Windows platforms.

A problem with Zeroo HTTP server could lead to remote code execution.

It has been reported that Zeroo HTTP server does not sufficiently check
bounds on some requests. This occurs when a string of excessive length is
received by the server. This can result in the overwriting of stack
memory, and potential code execution.

It is not required that this data be sent in HTTP request format.
Sending a string of 1024 bytes or greater to the server without structure
has been reported to reproduce this issue.

Previous versions of the software may also be affected.

3. NeoSoft NeoBook 4 ActiveX Control Arbitrary File Type Inclusion Vulnerability
BugTraq ID: 6191
Remote: Yes
Date Published: Nov 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6191
Summary:

NeoBook is a commercially available multimedia authoring software package.
It is available for Microsoft Windows.

A problem with NeoBook 4 could lead to arbitrary file inclusion, and
command execution.

It has been reported that the ActiveX control used by NeoBook does not
sufficiently filter types of files that are included in NeoBook content.
This may allow the packaging of malicious files in NeoBook content. When
interpreted by the ActiveX control, the placement and execution of files
could occur.

This vulnerability requires the NeoBook ActiveX control. This control is
not distributed with default implementations of web browsers.

4. Perception LiteServe Malformed GET Request Buffer Overflow Vulnerability
BugTraq ID: 6192
Remote: Yes
Date Published: Nov 18 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6192
Summary:

Perception LiteServe provides web, email, and ftp server functionality. It
is available for the Microsoft Windows operating system.

A buffer overflow vulnerability has been reported for Perception LiteServe
HTTP server. The vulnerability occurs when the web server attempts to
process malformed GET requests. Reportedly, when processing overly long
GET requests consisting of illegal '%' sequences, the web server will
crash.

An attacker can exploit this vulnerability by issuing a long, malformed
GET request consisting of at least 290,759 '%' characters. This will cause
the LiteServe HTTP server to crash.

Although unconfirmed, it may be possible to cause the web server to
execute malicious attacker-supplied code.

5. Nullmailer Invalid User Denial Of Service Vulnerability
BugTraq ID: 6193
Remote: Yes
Date Published: Nov 18 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6193
Summary:

Nullmailer is a simple relay-only mail transport agent. It is available
for the Unix and Linux operating systems.

A denial of service vulnerability has been discovered in nullmailer.

When attempting to deliver an email message to a non-existent user, an
unknown user error will occur. Upon processing this error nullmailer will
cease to deliver any pending mail in the mail queue.

By crafting a malicious email to a non-existent user on a vulnerable
system, it is possible for an attacker to exploit this issue. This will
result in a denial of service as nullmailer will fail to deliver any
email.

This issue was reported in v1.00RC5 of nullmailer. It is not yet known
whether earlier versions are affected.

6. AOL Instant Messenger Screen Name Buffer Overflow Vulnerability
BugTraq ID: 6194
Remote: Yes
Date Published: Nov 18 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6194
Summary:

AOL Instant Messenger (AIM) is an instant messaging client for Microsoft
Windows, MacOS, and other platforms.

AIM contains an unchecked buffer which could result in a denial of service
or arbitrary code execution.

When viewing the information for a user with a screen name containing 88
characters or more, a buffer in AIM will be overrun, causing the client to
terminate with an error reading memory. Although not yet confirmed,
arbitrary code execution may be possible.

This vulnerability was discovered in AIM v5.1.3036. It is not yet known
whether other versions are affected.

** There have been conflicting reports as to the existence of this
vulnerability. See the Reference section for details.

7. PHPBB2 ViewTopic.PHP Cross Site Scripting Vulnerability
BugTraq ID: 6195
Remote: Yes
Date Published: Nov 18 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6195
Summary:

phpBB2 is an open-source web forum application that is written in PHP and
supported by a number of database products. It will run on most Unix and
Linux variants, as well as Microsoft Windows operating systems.

A cross site scripting vulnerability has been discovered in the
'viewtopic.php' script included with phpBB2.

An attacker may exploit this vulnerability by enticing a victim user to
follow a malicious link. Attacker-supplied HTML and script code may be
executed on a web client in the context of the site hosting the web forum.

This may allow for theft of cookie-based authentication credentials and
other attacks.

This vulnerability was reported for phpBB 2.0.3. Other versions may also
be affected.

8. Macromedia Flash SWRemote Heap Corruption Vulnerability
BugTraq ID: 6196
Remote: Yes
Date Published: Nov 18 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6196
Summary:

Macromedia Flash is a modular package designed to enhance web browsing and
enables users to view various multimedia web content.

Macromedia Flash is prone to a buffer overrun condition. The issue exists
in the SWRemote parameter, used by Flash objects. By entering an excessive
amount of data into the SWRemote parameter, it is possible to overrun a
buffer in a vulnerable flash player.

By exploiting this issue to modify sensitive heap values, it may be
possible to execute arbitrary attacker supplied code, with the privileges
of the vulnerable browser.

This vulnerability was discovered in Macromedia Flash ActiveX 6.0.47. It
is not yet known if earlier versions are affected.

9. MailEnable Email Server Buffer Overflow Vulnerability
BugTraq ID: 6197
Remote: Yes
Date Published: Nov 18 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6197
Summary:

MailEnable is a commercially available POP3 and SMTP server available for
the Microsoft Windows operating systems.

A buffer overflow vulnerability has been reported for MailEnable's POP3
server. The vulnerability is due to insufficient bounds checking of the
USER login field.

An attacker can exploit this vulnerability by connecting to a vulnerable
MailEnable server and sending an overly long string, consisting of more
than 512 characters, as the value for the USER login prompt. This will
trigger the buffer overflow condition.

Although unconfirmed, an attacker may be able to exploit this
vulnerability to cause MailEnable to execute malicious attacker-supplied
code.

10. TFTPD32 Arbitrary File Download/Upload Vulnerability
BugTraq ID: 6198
Remote: Yes
Date Published: Nov 18 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6198
Summary:

Tftpd32 is a freely available TFTP (Trivial FTP) server designed for use
with Microsoft Windows operating systems.

A vulnerability has been discovered in Tftpd32, which allows a remote
attacker to download and/or upload files. By exploiting this vulnerability
it is possible for an attacker to disclose arbitrary system files, by
using the GET command, which may contain sensitive user credentials. It
may also be possible for an attacker to replace key system files with
trojaned copies, using the PUT command, which could be used to open
backdoors into a target system.

This vulnerability affects Tftpd32 2.50.2 and earlier.

11. TFTPD32 Long Filename Buffer Overflow Vulnerability
BugTraq ID: 6199
Remote: Yes
Date Published: Nov 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6199
Summary:

Tftpd32 is a freely available TFTP (Trivial FTP) server available for use
on Microsoft Windows operating systems.

A buffer overflow vulnerability has been reported for Tftpd32. The
vulnerability is due to insufficient checks on user supplied input.
Specifically, proper bounds checking is not implemented on requested
filenames.

A remote attacker is able to exploit this vulnerability by supplying a
long string, consisting of at least 116 characters, as a name of the file
to retrieve. This will trigger the buffer overflow condition. Successful
exploitation of this issue will result in the execution of
attacker-supplied code, with the privileges of the Tftpd32 process.

This vulnerability affects Tftpd32 2.50.2 and earlier.

12. DHCPCD Character Expansion Remote Command Execution Vulnerability
BugTraq ID: 6200
Remote: Yes
Date Published: Nov 18 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6200
Summary:

dhcpcd is an RFC2131 and RFC1541 compliant DHCP client daemon. It is
available for the Linux operating system. dhcpcd must be run with root
privileges.

When assigning an IP address to a network interface, dhcpcd may execute an
external script, '/sbin/dhcpcd-<interface>.exe'. This is an optional
configuration that must be set up manually on Conectiva systems (others are
not confirmed) by copying the script into /sbin/.

The script 'dhcpcd-<interface>.exe' uses values from
'/var/lib/dhcpcd/dhcpcd-<interface>.info', which originate from the DHCP
server. A lack of input validation on this data may make it possible for
commands injected by a malicious DHCP server to be executed through the
use of shell metacharacters such as ';' and '|'. These commands may run
with root privileges.

This issue was discovered in dhcpcd-1.3.22-pl1.
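
A defensive check for the dhcpcd issue described above, as an added example that is not part of the newsletter or of dhcpcd: an allowlist validator that a hook script could run over the '.info' file before using any value from it. The KEY=value layout, the key names, the function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: validate a dhcpcd-<interface>.info file before a hook script
# sources or interpolates its values. The KEY=value layout and key names are
# assumptions about the file format; sample data below is constructed.
LC_ALL=C; export LC_ALL   # make bracket ranges byte-exact

# is_safe_value VALUE: succeed only if VALUE consists solely of characters
# with no special meaning to the shell (allowlist, not a metacharacter denylist).
is_safe_value() {
    case "$1" in
        *[!A-Za-z0-9.:_,/-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# reject LINE: record and report one rejected line.
reject() {
    bad=$((bad + 1))
    echo "rejected: $1" >&2
}

# check_info_file FILE: succeed only if every non-empty line is KEY=VALUE
# with an upper-case key and a safe value.
check_info_file() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        case "$line" in
            *=*) ;;
            *) reject "$line"; continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        case "$key" in
            ''|*[!A-Z0-9_]*) reject "$line"; continue ;;
        esac
        # Accept one pair of surrounding single quotes, then validate the rest.
        case "$value" in
            \'*\') value=${value#\'}; value=${value%\'} ;;
        esac
        is_safe_value "$value" || reject "$line"
    done < "$1"
    [ "$bad" -eq 0 ]
}

# write_samples DIR: create one clean and one hostile constructed info file.
write_samples() {
    cat > "$1/good.info" <<'EOF'
IPADDR=192.0.2.10
NETMASK=255.255.255.0
GATEWAY=192.0.2.1
DOMAIN='example.test'
DNS=192.0.2.53,192.0.2.54
EOF
    cat > "$1/bad.info" <<'EOF'
IPADDR=192.0.2.10
DOMAIN=example.test;echo INJECTED
HOSTNAME=client|echo INJECTED
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp/good.info" "$tmp/bad.info"; do
    if check_info_file "$f"; then
        echo "$f: ok to use"
    else
        echo "$f: refused, do not source"
    fi
done
rm -rf "$tmp"
```

A hook script would call check_info_file first and exit without touching the interface configuration when it fails.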

13. Linksys Router Unauthorized Management Access Vulnerability
BugTraq ID: 6201
Remote: Yes
Date Published: Nov 18 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6201
Summary:

Linksys DSL routers are high-speed internet access solutions distributed
by the Linksys Group. Linksys DSL routers offer features such as
high-speed internet access, switching built into some routers, and
Voice-over-IP.

A vulnerability has been reported in various Linksys routers, during the
initial negotiation stage. It has been reported that the vulnerable
routers fail to handle XML-related data transmitted by clients during
initialization of a session with the management server (on TCP port 8080
of the internal interface). According to the report, authentication is
bypassed completely when the browser Lynx is used to connect to the
management interface and a mailcap entry exists for "application/foo.xml".
It is not clear why or how this occurs and the details have not been
verified by Linksys.

It should be noted that this issue must be exploited within an internal
network, unless the remote management feature is enabled on the router.

14. iPlanet Admin Server Cross Site Scripting Vulnerability
BugTraq ID: 6202
Remote: Yes
Date Published: Nov 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6202
Summary:

A cross-site scripting vulnerability has been discovered in iPlanet web
servers.

The vulnerability exists when an administrator views error logs in the
iPlanet Admin Server.

An attacker may exploit this vulnerability by enticing a victim user to
follow a malicious link. Attacker-supplied HTML and script code may be
executed on a web client in the context of the Admin Server site.

This may allow for theft of cookie-based authentication credentials and
other attacks.

This vulnerability, when used in conjunction with the vulnerability
described in BID 6203, may be used to execute malicious attacker-supplied
commands with elevated privileges on a vulnerable system.

This vulnerability affects iPlanet Web Server 4.1 SP11 and earlier.

15. iPlanet Admin Server Insecure Open Call Vulnerability
BugTraq ID: 6203
Remote: Yes
Date Published: Nov 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6203
Summary:

iPlanet web server is prone to a command execution vulnerability due to
insecure calls to the open() function.

The vulnerability exists in the Admin Server's PERL pages used for
administrative tasks. Specifically, the 'importInfo' script is vulnerable
to this issue. It is possible to manipulate the value for the 'dir'
parameter to include malicious system commands.

This vulnerability may be exploited to execute arbitrary commands on the
vulnerable system with, potentially, elevated privileges.

This vulnerability has been reported for iPlanet Web Server 4.1 SP11 and
earlier.

16. Microsoft Internet Explorer IFRAME dialogArguments Cross-Zone Access Vulnerability
BugTraq ID: 6205
Remote: Yes
Date Published: Nov 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6205
Summary:

Microsoft Internet Explorer includes support for dialog windows through
script calls to the two functions showModalDialog and showModelessDialog.
These functions accept a URL location for the dialog content, and an
optional argument parameter to allow data to be passed to the dialog from
the calling page.

A vulnerability has been reported in Explorer that may allow for script
code to be executed in the Local Zone. When an IFRAME in a dialog changes
its location or Zone, the dialogArguments object provided by the calling
content should not be accessible. It has been reported that this is not
the case. The dialogArguments object is accessible despite the fact that
its originating location/Zone is different from the parent.

In some circumstances, this may result in code being executed in the Local
Zone. One method of accomplishing this is by exploiting the local
"res://shdoclc.dll/privacypolicy.dlg", which happens to write the
dialogArguments property "cookieUrl" to the document body. If the value
of this property is set to script code, the code will execute when the
document is rendered. This technique is demonstrated by the discoverer of
this vulnerability.

Using the method developed by Andreas Sandblad, attackers may also exploit
this vulnerability to execute commands on victim hosts.

17. QNX Multiple Program Insecure Default Permissions Vulnerability
BugTraq ID: 6206
Remote: No
Date Published: Nov 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6206
Summary:

QNX is a real-time operating system available both freely and for
commercial use. It is distributed and maintained by QNX Software Systems
Limited.

A problem with some versions of QNX could allow a local user to perform
unauthorized local actions.

QNX is distributed with several programs that have insecure default
permissions. These programs may be written to by any user of the system
in a typical implementation.

/sbin/io-audio
/bin/shutdown
/sbin/fs-pkg
/usr/photon/bin/phshutdown
/usr/photon/bin/cpim
/usr/photon/bin/vpim
/usr/photon/bin/phrelaycfg
/usr/photon/bin/columns
/usr/photon/bin/othello
/usr/photon/bin/peg
/usr/photon/bin/solitaire
/usr/photon/bin/vpoker

Some of these programs may not be insecure by default, but become affected
after patches to resolve other security issues are applied. Information on
these issues is unconfirmed, but reports indicate the io-audio, shutdown,
fs-pkg, and phshutdown programs are affected.

18. Mhonarc Mail Header HTML Injection Vulnerability
BugTraq ID: 6204
Remote: Yes
Date Published: Nov 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6204
Summary:

MHonArc is a Perl program designed to automatically parse email into a
HTML based archive format.

A vulnerability has been discovered in MHonArc when configured to display
full message headers in HTML format.

It may be possible for an attacker to trigger this vulnerability by
constructing a malicious email containing malicious HTML code in a message
header. When messages are converted, by MHonArc, to HTML and displayed via
the web, arbitrary attacker-supplied HTML code will be executed within the
context of the displayed web page.

19. QNX Photon MicroGUI Clipboard Insecure Data Storage Vulnerability
BugTraq ID: 6207
Remote: No
Date Published: Nov 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6207
Summary:

QNX Photon microGUI is a graphical interface for real-time operating
systems (RTOS), as well as other operating systems. It is distributed and
maintained by QNX Software Systems Limited.

A problem with microGUI could make it possible for local users to gain
access to potentially sensitive information.

Photon does not securely store data when it is copied to the clipboard.
When data is copied to the clipboard, it is insecurely stored on the local
file system. This could allow local users to view the contents of another
user's clipboard.

When data is copied to the clipboard while using the microGUI system, this
data is stored in the file /var/clipboard/localhost/0/1.TEXT where the
number zero represents the executing user's userid in hex. The problem is
due to directory permissions, and may be resolved by changing the default
directory permissions for the respective user.

III. SECURITYFOCUS NEWS AND COMMENTARY
------------------------------------------
1. Comdex's Secure Side
By Michael Fitzgerald

A sampling of the information security products on the menu at Comdex.

http://online.securityfocus.com/news/1713

2. Lawyers Fear Misuse of Cyber Murder Law
By Kevin Poulsen

Defense attorneys say the new threat of life imprisonment for hackers who
try to "cause death" by computer will be used to squeeze quick guilty
pleas from even non-lethal cyberpunks.

http://online.securityfocus.com/news/1702

3. On the Microsoft FTP server leak
By John Leyden, The Register

Microsoft made customer details - along with numerous confidential
internal documents - freely available from a deeply insecure FTP server
earlier this month.

http://online.securityfocus.com/news/1714

4. Internet Provisions in Homeland Security Bill
By Ted Bridis, The Associated Press

Internet providers such as America Online could give the government more
information about subscribers and police would gain new Internet wiretap
powers under legislation creating the new Department of Homeland Security.

http://online.securityfocus.com/news/1701

5. Sex, Text, Revenge, Hacking and Friends Reunited
By Drew Cullen, The Register

Sometimes, you come across a court case that is simply perfect. And this
one, a tale of two-timing, intercepted text messages, computer hacking,
and publication of sex pictures on Friends Reunited, scores a big fat nine
out of 10.

http://online.securityfocus.com/news/1700

IV. SECURITYFOCUS TOP 6 TOOLS
-----------------------------
1. guard bash v1.0
by Alboaie Sînicã
Relevant URL:
http://www.iprogrammers.ro/guard/
Platforms: Linux, POSIX
Summary:

guard bash is a shell wrapper that will execute an authentication phase
before any command is executed. It uses a secret (user owned) algorithm
method, and has a per user customizable procedure. If you need to connect
to your computer from outside of your safe environment, even if you use
SSH, you are vulnerable to simple attacks like key sniffing or to more
complex attacks against SSH. If you have more than just one authentication
method, you can more safely log in to your account from an insecure Internet
host.

2. Paketto Keiretsu v1.0
by Effugas
Relevant URL:
http://www.doxpara.com
Platforms: POSIX
Summary:

The Paketto Keiretsu is a collection of tools that use new and unusual
strategies for manipulating TCP/IP networks. They tap functionality within
existing infrastructure and stretch protocols beyond what they were
originally intended for. It includes Scanrand, an unusually fast network
service and topology discovery system, Minewt, a user space NAT/MAT
router, linkcat, which presents an Ethernet link to stdio, Paratrace, which
traces network paths without spawning new connections, and Phentropy,
which uses OpenQVIS to render arbitrary amounts of entropy from data
sources in three dimensional phase space.

3. mod_authenticache v2.0.6
by anthonyu
Relevant URL:
http://original.killa.net/infosec/mod_authenticache/
Platforms: UNIX
Summary:

mod_authenticache provides a simple and generic method for caching
authentication information on the client side in order to enhance
performance. It has been tested with several Basic HTTP authentication
modules, and has an Apache 2.0.x optional function exporter for caching
credentials from any custom authentication module.

4. SNMP Trap Translator v0.4
by Alex Burger
Relevant URL:
http://snmptt.sourceforge.net
Platforms: Os Independent
Summary:

SNMPTT is an SNMP trap handler written in Perl for use with the
NET-SNMP/UCD-SNMP snmptrapd program. Received traps are translated into
friendly messages using variable substitution. Output can be to STDOUT,
text log file, syslog, MySQL (Linux/Windows), or a Windows ODBC database.
User defined programs can also be executed.

5. slurm v0.0.7
by Hendrik Scholz
Relevant URL:
http://www.raisdorf.net/slurm/
Platforms: FreeBSD
Summary:

slurm started as a port of pppstatus to FreeBSD and now is a generic
network load monitor. It features three different modes with real-time
ASCII graphs and interface statistics for all kinds of network interfaces
on FreeBSD, NetBSD, OpenBSD, and Linux.

6. irclog-xml v0.07a
by Ruf
Relevant URL:
http://sourceforge.net/projects/irclog-xml/
Platforms: Os Independent
Summary:

irclog-xml parses IRC logs, and converts those logs into XML and HTML.
Currently supported formats include BitchX, mIRC, XChat, and Eggdrop (via
Mel).

V. SECURITY JOBS SUMMARY
------------------------
1. NO NEW POSTS FOR THE WEEK ENDING 11.25.02

VI. INCIDENTS LIST SUMMARY
-------------------------
1. Port 1080 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/300693

2. Compromised FBSD/Apache (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/300700

3. FTP and Win2K changed security policy (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/300667

4. Proxy server hit... Any ideas? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/300651

5. More info about found Win2K "rootkit" (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/300711

6. New scanner? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/300662

7. Fraudulent use of ebay's name (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/300527

8. DeepSight Analyzer 4.0 Announcement (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/300517

9. Strange apache logs: CONNECT maila.microsoft.com:25 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/300593

10. Help - a possible bot (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/300484

11. 030 igetnet ignkeywords (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/300201

12. Spoofed RFC1918 Network Source Addresses... (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/300035

13. Unicode Attack (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/299977

14. Strange Apache logs - maybe DDOS? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/300149

VII. VULN-DEV RESEARCH LIST SUMMARY
----------------------------------
1. PHP (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/300598

2. shell script cgi (summary?) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/300487

3. Remote service shutdown in mailenable (newest) Follow up (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/300481

4. Remote service shutdown in mailenable (newest) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/300330

5. Paketto Keiretsu 1.0 Released (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/300292

6. shell script cgi (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/300298

7. ColdFusion Heap Overflow -continued (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/300264

8. [Division 7 Security Systems]-Multiple Vulnerabilities Found in Redhat 8.0 and FreeBSD 4.7-Stable (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/300170

VIII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. outlook 2000 vs latest outlook express deployment (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/300601

2. How to secure Internet Explorer (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/300604

3. SecurityFocus Microsoft Newsletter #113 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/300590

4. re: Unknown Workgroup in Network Neighborhood (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/300406

5. Active Directory network security (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/300357

IX. SUN FOCUS LIST SUMMARY
----------------------------
1. Anti Virus on Sun Solaris (Thread)
Relevant URL:

http://online.securityfocus.com/archive/92/300694

2. Anti Virus on Sun Solaris (Pre-summary) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/92/300675

X. LINUX FOCUS LIST SUMMARY
---------------------------
1. iptables REJECT types for UDP (if any) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/300664

2. DeepSight Analyzer 4.0 Announcement (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/300492

XI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored by: SPI Dynamics

ALERT! "Outsmart Web Application Attackers"- Learn why 70% of today's
successful hacks involve Web Application attacks such as: SQL Injection,
XSS and Cookie Manipulation. All undetectable by Firewalls and IDS! FREE
15 Day Product Trial, which delivers a Comprehensive Vulnerability Report
http://www.spidynamics.com/mktg/freewebinspect19

------------------------------------------------------------------------
