Strengthening Network Security: FREE Guide Network security is a
constantly moving target - even proven solutions lose their punch over
time. Find out how to get COMPLETE PROTECTION against ever-growing
security threats with our FREE new Guide.
Get your copy today at: https://www.qualys.com/forms/nsguideh_376.php
I. FRONT AND CENTER
1. Securing Outlook, Part One: Initial Configuration
2. Rooting Out Corrupted Code
3. Drop that E-Book or I'll Shoot!
4. A Year-end Mailbag
5. SecurityFocus DPP Program
6. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. BUGTRAQ SUMMARY
1. Sapio WebReflex Directory Traversal Vulnerability
2. OpenLDAP Multiple Buffer Overflow Vulnerabilities
3. SuSE GNUPlot French Documentation Buffer Overflow Vulnerability
4. APBoard Unauthorized Thread Reading Vulnerability
5. Apple Mac OS X Directory Kernel Panic Denial Of Service...
6. Ultimate PHP Board Add.PHP Path Disclosure Vulnerability
7. Ultimate PHP Board ViewTopic.PHP Directory Contents Browsing...
8. Ultimate PHP Board ViewTopic.PHP Cross Site Scripting...
9. vBulletin HTML Injection Vulnerability
10. Mollensoft Software Enceladus Server Suite Directory Traversal...
11. apt-www-proxy NULL HTTP Request Denial Of Service Vulnerability
12. apt-www-proxy Format String Vulnerability
13. ProFTPD STAT Command Denial Of Service Vulnerability
14. Ikonboard User Profile Photo URI HTML Injection Vulnerability
15. Ikonboard X-Forwarded-For: Proxy Header Field HTML Injection...
16. Xoops Private Message System Font Attributes HTML Injection...
17. Mollensoft Software Enceladus Server Suite CD Buffer Overflow...
18. Cyrus SASL Library Username Heap Corruption Vulnerability
19. Cyrus SASL Library LDAP Heap Corruption Vulnerability
20. Cyrus SASL Library Logging Memory Corruption Vulnerability
21. Trend Micro PC-cillin Mail Scanner Buffer Overflow Vulnerability
22. Canna Server Local Buffer Overflow Vulnerability
23. Canna Server Denial Of Service Vulnerability
24. WGet NLST Client Side File Overwriting Vulnerability
25. Kunani FTP File Disclosure Vulnerability
III. SECURITYFOCUS NEWS ARTICLES
1. Senate Closes Accidental Anonymizer
2. Fences go up as Net outgrows its innocence
3. All bugs are created equal
4. Trend Micro squashes buffer overflow bug
IV. SECURITYFOCUS TOP 6 TOOLS
1. ssh-keyinstall v1.0.0
2. Smart Card ToolKit v0.3.2
3. xferlogDB v0.3.3
4. Pixilate v0.1
5. Iptables Script Generator v0.1
6. Java Log analyzer 1.0 v1.0
V. SECURITYJOBS LIST SUMMARY
1. Senior Sales Engineer (Thread)
2. Seeking security opportunities (Thread)
3. Chief Technology Officer (Thread)
4. Network Security Analyst - Mechanicsburg, PA (Thread)
5. Information Security Manager, HIPAA - Reno/NV (Thread)
6. Penetration Testers / Team Leader- UK, South East - CHECK...
7. Security Engineer - NY Metro (Thread)
8. Software Engineers - Calgary AB, Canada (Thread)
9. Security Compliance and Reporting Lead-Cleveland, Ohio (Thread)
10. Senior Security Project Manager (Thread)
11. Need Security Consultants in Boston Area (Thread)
12. Australian Security Businesses (Thread)
13. Stop me before I consult again (Thread)
14. Seeking Indianapolis-based Ethical Hacker (NOT an oxymoron)...
VI. INCIDENTS LIST SUMMARY
1. DNS help (Thread)
2. Odd entries in my Security Router logs (Thread)
3. EBay Fraud Attempt (Thread)
4. strange attractors or weaknesses in Nimda's prng (Thread)
5. what else you can do with worm networks...fun, profit, etc...
6. Spam via proxy (Thread)
7. netbios vuln (Thread)
8. A small quandary (Thread)
9. Fwd: EBay Fraud Attempt (Thread)
10. Does W2k issue an NBNS query automatically following each...
11. high activity on port 3061 udp/tcp (Thread)
12. Incident tracking database (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
1. Web single sign-on (Thread)
2. Homeland Def. Trng Conference - Jan 14-16, 2003 - New Speakers...
3. RES: RES: IIS Vulnerability Content-Type overflow [DH-7XC4RA3]...
VIII. MICROSOFT FOCUS LIST SUMMARY
1. IIS 4 Security (Thread)
2. ISM Permissions? (Thread)
3. FW: /Rpc virtual directory in IIS - How did it get there? (Thread)
4. SecurityFocus Microsoft Newsletter #116 (Thread)
5. /Rpc virtual directory in IIS - How did it get there? (Thread)
6. issues with syskey in NT 4.0 (Thread)
IX. SUN FOCUS LIST SUMMARY
1. NO NEW POSTS FOR THE WEEK ENDING 12.13.02
X. LINUX FOCUS LIST SUMMARY
1. NO NEW POSTS FOR THE WEEK ENDING 12.13.02
XI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Securing Outlook, Part One: Initial Configuration
By Scott Granneman
Millions of Outlook users around the world, in homes, organizations, and
businesses, have had to face the insecurities inherent in their email
program, sometimes painfully. This article is the first of a two-part
series that will examine ways that Outlook users can secure their email
client.
http://online.securityfocus.com/infocus/1648
2. Rooting Out Corrupted Code
By Jon Lasser
Is there a backdoor on your system? A flawed but timely project from the
Shmoo Group could help network administrators spot altered programs.
http://online.securityfocus.com/columnists/129
3. Drop that E-Book or I'll Shoot!
By Mark Rasch
Last Thursday federal prosecutors wrapped up their direct case against
Russian software company ElcomSoft for creating and distributing software
that would "crack" Adobe's proprietary software designed to prevent
copying of electronic books - the defense will argue their side this week.
http://online.securityfocus.com/columnists/128
4. A Year-end Mailbag
By George Smith
"Why are you rambling?," and other feedback received by your anti-virus
columnist.
http://online.securityfocus.com/columnists/130
5. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
6. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11
Solutions to today's security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!
Go to: http://www.misti.com/10/os03nl37inf.html
II. BUGTRAQ SUMMARY
-------------------
1. Sapio WebReflex Directory Traversal Vulnerability
BugTraq ID: 6327
Remote: Yes
Date Published: Dec 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6327
Summary:
WebReflex is a software package designed to run an HTTP server from a
CD-ROM, providing web hosting on Microsoft Windows systems such as
Windows 95 and Windows 98. It is written and maintained by Sapio Design
Ltd.
It has been reported that WebReflex fails to properly sanitize web
requests. By sending a malicious web request to the vulnerable server,
using directory traversal sequences, it is possible for a remote attacker
to access sensitive resources located outside of the web root.
An attacker is able to traverse outside of the established web root by
using dot-dot-slash (../) directory traversal sequences. An attacker may
be able to obtain any web server readable files from outside of the web
root directory.
Disclosure of sensitive system files may aid the attacker in launching
further attacks against the target system.
This vulnerability was reported for WebReflex 1.53. It is not known
whether other versions are affected.
2. OpenLDAP Multiple Buffer Overflow Vulnerabilities
OpenLDAP is an open-source implementation of the LDAP protocol.
Several buffer overflow vulnerabilities have been reported for OpenLDAP.
Precise technical details about the nature of the vulnerabilities are
currently unknown. This BID will be updated as more information becomes
available.
An attacker may be able to exploit these vulnerabilities to gain control
over the execution of the vulnerable OpenLDAP process. Although
unconfirmed, an attacker may be able to execute malicious
attacker-supplied code with the privileges of the OpenLDAP process.
3. SuSE GNUPlot French Documentation Buffer Overflow Vulnerability
BugTraq ID: 6329
Remote: No
Date Published: Dec 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6329
Summary:
GNUPlot is an interactive function plotting program. It is used to plot
data and functions in a graphical format.
A buffer overflow vulnerability has been reported for GNUPlot shipped with
SuSE Linux. Reportedly, the vulnerability exists in the French
documentation and may allow an attacker to gain control over the execution
of the gnuplot process.
This vulnerability is exacerbated by the fact that gnuplot is installed
setuid root on some SuSE releases.
Precise technical details about the nature of the vulnerability are
currently unknown. This BID will be updated as more information becomes
available.
4. APBoard Unauthorized Thread Reading Vulnerability
APBoard is a web-based bulletin board package based on PHP and MySQL from
Another PHP Product.
A vulnerability has been reported for APBoard that may allow unauthorized
users to read postings in internal forums. The vulnerability is a result
of the 'useraction.php' script failing to properly check user credentials.
An attacker can exploit this vulnerability to subscribe to a thread in an
internal forum. This may expose sensitive information not intended to be
viewed by the attacker.
This vulnerability was reported for APBoard 2.02. It is not known whether
other versions are affected.
5. Apple Mac OS X Directory Kernel Panic Denial Of Service Vulnerability
BugTraq ID: 6331
Remote: No
Date Published: Dec 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6331
Summary:
Mac OS X is the BSD-derived operating system distributed and maintained by
Apple Software.
A problem with Mac OS X may make possible a local denial of service
attack.
It has been reported that OS X may crash under some conditions. When a
user creates a directory, descends it, creates another directory of the
same name, then attempts to move the directory up one level in the
hierarchy, the system reacts unpredictably. It has been reported that
this can cause a crash of the system.
This vulnerability could be exploited by a local user to deny service to
legitimate users of the host. This vulnerability requires that an
attacker have the ability to execute the command in a Terminal
application.
6. Ultimate PHP Board Add.PHP Path Disclosure Vulnerability
Ultimate PHP Board (UPB) is a freely available, open source PHP Bulletin
Board. It is available for the Unix and Linux operating systems.
A problem has been discovered in UPB that could lead to the disclosure of
potentially sensitive information.
Under some circumstances, it may be possible to gain access to sensitive
information, such as the installation path of UPB. By passing an
erroneous request to the add.php script, UPB may return the full path to
the installation. This could lead to the disclosure of sensitive
information, and potentially lead to further attack.
7. Ultimate PHP Board ViewTopic.PHP Directory Contents Browsing...
Ultimate PHP Board (UPB) is a freely available, open source PHP Bulletin
Board. It is available for the Unix and Linux operating systems.
A problem has been discovered in UPB that could lead to the disclosure of
the contents of directories.
Under some circumstances, it may be possible to disclose the contents of
directories. By passing a malicious request to the viewtopic.php script,
UPB may return a listing of the directory. This could be further refined
to disclose the contents of selected files.
This could lead to the disclosure of sensitive information, and
potentially lead to further attack. It should be noted that the ability
of the attacker to read information is limited to the privileges of the
web server. Additionally, it is thought that an attacker may not read
directories above the data_dir directory used by UPB.
8. Ultimate PHP Board ViewTopic.PHP Cross Site Scripting Vulnerability
BugTraq ID: 6335
Remote: Yes
Date Published: Dec 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6335
Summary:
Ultimate PHP Board (UPB) is a freely available, open source PHP Bulletin
Board. It is available for the Unix and Linux operating systems.
A problem has been discovered in UPB that could lead to cross site
scripting attacks.
By passing a malicious script code to the viewtopic.php script, UPB may
return the script code to the browser of the user visiting the malicious
URL. This could lead to the execution of HTML and script code in the
security context of the UPB site.
9. vBulletin HTML Injection Vulnerability
BugTraq ID: 6337
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6337
Summary:
vBulletin is commercial web forum software written in PHP and back-ended
by a MySQL database. It will run on most Linux and Unix variants, as well
as Microsoft operating systems.
Problems with vBulletin could make it possible for an attacker to inject
arbitrary HTML in vBulletin forum messages.
vBulletin does not sufficiently filter potentially malicious HTML code
from posted messages. As a result, when a user chooses to view a message
posting that contains malicious HTML code, the code contained in the
message would be executed in the browser of the vulnerable user. This will
occur in the context of the site hosting the vBulletin forum software.
Attackers may potentially exploit this issue to manipulate web content or
to steal cookie-based authentication credentials. It may be possible to
take arbitrary actions as the victim user.
This vulnerability was reported for vBulletin 2.2.7 and 2.2.8. It is not
known whether other versions are affected.
10. Mollensoft Software Enceladus Server Suite Directory Traversal Vulnerability
BugTraq ID: 6338
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6338
Summary:
Enceladus Server Suite is a Web and FTP server designed for use with
Microsoft Windows operating systems.
It has been reported that Enceladus fails to properly sanitize web
requests. By sending a malicious web request to the vulnerable server,
using directory traversal sequences, it is possible for a remote attacker
to view and download sensitive resources located outside of the web root.
An attacker is able to traverse outside of the established web root by
using dot-dot-slash (../) directory traversal sequences. An attacker may
be able to obtain any web server readable files from outside of the web
root directory.
Disclosure of sensitive system files may aid the attacker in launching
further attacks against the target system.
This vulnerability was reported for Enceladus Server Suite 2.6.1. It is
not known whether other versions are affected.
11. apt-www-proxy NULL HTTP Request Denial Of Service Vulnerability
BugTraq ID: 6339
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6339
Summary:
apt-www-proxy is a proxy server designed for use with web-based apt-get
repositories.
A denial of service vulnerability has been reported for apt-www-proxy. The
'parse_get()' function in 'utils.c' fails when asked to parse an empty
(NULL) HTTP request. This causes the process to crash, resulting in a
denial of service condition.
To restore functionality, the apt-www-proxy service must be restarted.
This vulnerability has been reported for apt-www-proxy 0.1.
12. apt-www-proxy Format String Vulnerability
BugTraq ID: 6340
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6340
Summary:
apt-www-proxy is a proxy server designed for use with web-based apt-get
repositories.
apt-www-proxy is prone to a format string vulnerability. This problem is
due to incorrect use of the 'syslog()' function to log error messages. It
is possible to corrupt memory by passing format strings through the
vulnerable logging function. This may potentially be exploited to
overwrite arbitrary locations in memory with attacker-specified values.
The vulnerability exists due to inadequate checks performed in the
'awp_log()' function in the 'utils.c' source file.
Successful exploitation of this issue may allow the attacker to execute
arbitrary instructions with the privileges of the vulnerable process.
This vulnerability has been reported for apt-www-proxy 0.1.
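The two logging shapes at issue in this entry, as an added example that is not apt-www-proxy's code: a hypothetical awp_log-style wrapper that uses the untrusted request text as the format string, beside the fixed form that uses a constant format. snprintf() into a buffer stands in for syslog() (an assumption made so the result can be inspected); the function names and the directive-check helper are likewise assumptions for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Most recent log line. A buffer stands in for syslog() here (an
 * assumption for the example) so the result can be inspected. */
static char last_entry[256];

/* A logging wrapper of the usual shape: whatever the caller passes as
 * fmt is handed to the formatting function unchanged. */
static void vlog_entry(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_entry, sizeof last_entry, fmt, ap);
    va_end(ap);
}

/* VULNERABLE shape (hypothetical, modelled on the bug class, not on the
 * real awp_log()): attacker-controlled text becomes the format string.
 * "%x%x%x" then reads whatever sits in the variadic argument area, and
 * "%n" writes the number of characters emitted so far through a pointer
 * taken from it, which is how a format string bug becomes a write to an
 * attacker-chosen address. Do not call this with hostile input; the
 * behaviour is undefined. */
void awp_log_vulnerable(const char *untrusted)
{
    vlog_entry(untrusted);
}

/* FIXED shape: a constant format; the untrusted text only ever fills
 * %s and is copied verbatim, '%' characters included. */
void awp_log_fixed(const char *untrusted)
{
    vlog_entry("%s", untrusted);
}

/* Defensive check for a trust boundary: does the string contain a
 * conversion directive ('%' followed by anything but another '%')?
 * Returns 1 if so, 0 otherwise. Useful for detection or for rejecting
 * input; the actual fix is the constant format above. */
int contains_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {          /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        if (s[1] == '\0')
            return 0;               /* lone trailing '%' */
        return 1;
    }
    return 0;
}

const char *last_log_entry(void)
{
    return last_entry;
}

int main(void)
{
    /* constructed request line of the kind a client could send */
    const char *req = "GET /%n%n%n%n HTTP/1.0";
    awp_log_fixed(req);
    printf("logged verbatim: %s\n", last_log_entry());
    printf("contains directive: %d\n", contains_format_directive(req));
    return 0;
}
```

The check function is a detection aid only; code that reaches awp_log_fixed() is safe regardless of what the request contains, because the format is a compile-time constant.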
13. ProFTPD STAT Command Denial Of Service Vulnerability
BugTraq ID: 6341
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6341
Summary:
ProFTPD is a popular FTP server that ships with numerous Unix and Linux
variants.
A denial of service vulnerability has been reported for ProFTPD. It is
possible to prevent ProFTPD from responding to legitimate requests for
service by issuing specially crafted STAT commands. This will result in a
denial of service condition.
An attacker can exploit this vulnerability by logging on to a vulnerable
FTP server and issuing a STAT command whose argument consists of several
'/*' sequences. When the FTP server processes this command, a denial of
service condition results.
This vulnerability has been reported to affect ProFTPD 1.2.7rc3 and
earlier.
** This issue is closely related to the vulnerability described in BID
2496.
14. Ikonboard User Profile Photo URI HTML Injection Vulnerability
BugTraq ID: 6342
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6342
Summary:
Ikonboard is a web-based bulletin board system implemented in Perl. It may
be installed under Linux, Windows, or many Unix platforms.
Ikonboard is prone to a vulnerability which may enable an attacker to
cause arbitrary HTML and script code to be interpreted by the web client
of other Ikonboard users.
Ikonboard allows users to post a link in their user profile to an external
picture. Ikonboard does not sufficiently sanitize HTML from these photo
URIs in user profiles. An attacker may take advantage of this issue to
embed malicious script code into their user profile. When the profile is
viewed by other users, the attacker-supplied script code will execute in
the security context of the site hosting the Ikonboard software.
Exploitation may allow an attacker to steal cookie-based authentication
credentials or to manipulate web content.
This issue was reported in Ikonboard 3.1.1. Other versions may also be
affected.
15. Ikonboard X-Forwarded-For: Proxy Header Field HTML Injection Vulnerability
BugTraq ID: 6343
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6343
Summary:
Ikonboard is a web-based bulletin board system implemented in Perl. It may
be installed under Linux, Windows, or many Unix platforms.
Ikonboard is prone to HTML injection attacks via X-Forwarded-For: HTTP
header fields for proxies. The HTTP X-Forwarded-For: header field is used
by many proxy server implementations to indicate the original source of a
request that has been forwarded by the proxy. When Ikonboard is accessed
via a proxy, it will log the user's IP address as the address that appears
in the X-Forwarded-For: HTTP header field. HTML will not be sanitized
when this information in the HTTP header field is logged. When an
administrator views the logged IP address, script code supplied via a
malicious X-Forwarded-For: HTTP header field will be executed in the web
client of the administrator.
While the data in the header field is limited to 16 characters, it may be
possible to embed malicious script code or HTML over multiple requests.
Successful exploitation may enable a remote attacker to steal cookie-based
authentication credentials from an administrative user.
This issue was reported in Ikonboard 3.1.1. Other versions may also be
affected.
16. Xoops Private Message System Font Attributes HTML Injection Vulnerability
BugTraq ID: 6344
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6344
Summary:
Xoops is open-source, freely available web portal software written in
object-oriented PHP. It is back-ended by a MySQL database and will run on
most Unix and Linux distributions.
Xoops includes a Private Message System for users, so that they may send
messages to one another. The tags used for font attributes in messages
(bold, italic and underline) are not sufficiently filtered, so an attacker
can place arbitrary script code inside these tags. When another user
receives the attacker's private message, the malicious script code will be
executed in that user's browser in the context of the site running Xoops.
This issue may be exploited by an attacker to steal a legitimate user's
cookie-based authentication credentials, potentially making it possible to
hijack the users session.
This vulnerability has been reported for Xoops 1.3.5.
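Output encoding and header validation for the HTML injection entries above (UPB viewtopic.php, vBulletin, the Ikonboard profile URI and X-Forwarded-For issues, and the Xoops font tags), as an added example that is not code from any of those projects. html_escape() is the fix common to all of them: encode stored text at the point where it is rendered. parse_ipv4_strict() and forwarded_for_is_ipv4() address the X-Forwarded-For case in particular: a proxy header is client-supplied, so it is either validated as an address or discarded, never stored and displayed as received. The function names and the IPv4-only, single-address assumption are choices made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replace the characters that can end an HTML text node or attribute
 * value with entity references. Returns a malloc'd string (caller frees)
 * or NULL on allocation failure. This is output encoding: apply it at
 * render time to every stored value, whether it came from a post body,
 * a profile URI, a private message, or a logged request header. */
char *html_escape(const char *in)
{
    size_t extra = 0;
    for (const char *p = in; *p; p++) {
        switch (*p) {
        case '&':  extra += 4; break;   /* &amp;  */
        case '<':
        case '>':  extra += 3; break;   /* &lt; &gt; */
        case '"':  extra += 5; break;   /* &quot; */
        case '\'': extra += 4; break;   /* &#39;  */
        default:   break;
        }
    }
    char *out = malloc(strlen(in) + extra + 1);
    if (!out)
        return NULL;
    char *o = out;
    for (const char *p = in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        if (rep) {
            size_t n = strlen(rep);
            memcpy(o, rep, n);
            o += n;
        } else {
            *o++ = *p;
        }
    }
    *o = '\0';
    return out;
}

/* X-Forwarded-For is written by whoever talks to the server, so it is
 * input, not an address. Accept only a strict IPv4 dotted quad (four
 * octets, no leading zeros, nothing else); reject anything else and have
 * the caller record the socket peer instead. Returns 1 on success with
 * the octets filled in, 0 otherwise. Assumption: IPv4 only and a single
 * address; a comma-separated chain must be split by the caller. */
int parse_ipv4_strict(const char *s, unsigned char octets[4])
{
    for (int i = 0; i < 4; i++) {
        if (*s < '0' || *s > '9')
            return 0;
        int v = 0, digits = 0;
        while (*s >= '0' && *s <= '9') {
            v = v * 10 + (*s - '0');
            if (++digits > 3 || v > 255)
                return 0;
            s++;
        }
        if (digits > 1 && s[-digits] == '0')
            return 0;                       /* "01" style octets */
        octets[i] = (unsigned char)v;
        if (i < 3) {
            if (*s != '.')
                return 0;
            s++;
        }
    }
    return *s == '\0';
}

/* Convenience wrapper: is this header value usable as a client address? */
int forwarded_for_is_ipv4(const char *s)
{
    unsigned char octets[4];
    return parse_ipv4_strict(s, octets);
}

int main(void)
{
    /* constructed header value of the kind the Ikonboard entry describes */
    const char *xff = "<img src=x onerror=alert(1)>";
    char *safe = html_escape(xff);
    printf("usable as address: %d\n", forwarded_for_is_ipv4(xff));
    printf("rendered as: %s\n", safe);
    free(safe);
    return 0;
}
```

Escaping on output rather than on input is the design choice here: the stored value stays intact for logging and comparison, and every rendering path, including an administrator's log viewer, gets the same protection.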
17. Mollensoft Software Enceladus Server Suite CD Buffer Overflow Vulnerability
BugTraq ID: 6345
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6345
Summary:
Enceladus Server Suite is a Web and FTP server designed for use with
Microsoft Windows operating systems.
Enceladus Server Suite is prone to a remotely exploitable buffer overflow
vulnerability. It is possible to trigger this condition by supplying an
overly long value for the FTP change directory (CD) command. The issue is
due to insufficient bounds checking of the vulnerable FTP command. By
triggering this condition an attacker may corrupt process memory,
including stack variables such as the return address, with
attacker-supplied data. Given the ability to corrupt memory with
attacker-supplied data, it is possible for an attacker to cause the
execution of arbitrary code.
To exploit this issue, the attacker must be able to authenticate to the
FTP server included in Enceladus and issue a maliciously crafted CD
command.
Successful exploitation will enable a remote attacker to execute arbitrary
code with the privileges of the Enceladus Server Suite software, which
will most likely run with SYSTEM (or equivalent) privileges. This
vulnerability may also be used to cause a denial of service.
This issue has been reported for Enceladus Server Suite 3.9. Other
versions may also be affected.
18. Cyrus SASL Library Username Heap Corruption Vulnerability
BugTraq ID: 6347
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6347
Summary:
SASL is the Simple Authentication and Security Layer, a method for adding
authentication support to connection-based protocols.
A heap corruption vulnerability has been discovered in Cyrus SASL library.
The overflow occurs in the 'user_buf' and 'authid_buf' buffers while
sanitizing usernames. It is possible to trigger this condition by passing
an overly long string as the 'myhostname' parameter.
Exploiting this vulnerability will give an attacker the ability to
overflow a sensitive buffer in heap memory by 19 bytes. This may allow the
corruption of malloc headers, which could later result in an arbitrary
location in memory being overwritten.
It should be noted that this issue only exists if the default realm is
set.
It should also be noted that although this vulnerability was discovered in
Cyrus, it may also affect other programs that utilize the SASL library.
19. Cyrus SASL Library LDAP Heap Corruption Vulnerability
BugTraq ID: 6348
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6348
Summary:
SASL is the Simple Authentication and Security Layer, a method for adding
authentication support to connection-based protocols.
A heap corruption vulnerability has been discovered in Cyrus SASL library.
It has been discovered that the saslauthd utility fails to allocate
sufficient memory when required to escape various characters, including
'*', '(', ')', '\' and '\0'. By passing a malicious string as a 'username'
or 'realm' value, an attacker may cause the escaped result to be written
into a buffer that is too small for it.
Exploiting this issue may allow an attacker to corrupt malloc headers,
which could later result in an arbitrary location in memory being
overwritten. Successful exploitation of this vulnerability would result in
the execution of arbitrary code with the privileges of the vulnerable
application.
It should be noted that although this vulnerability was discovered in
Cyrus, it may also affect other programs that utilize the SASL library.
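An escaper sized the way the saslauthd LDAP issue requires, as an added example that is not Cyrus SASL's code (the function names are assumptions): each of the special characters named in the entry expands to three bytes in the RFC 2254 filter encoding, and the output buffer is sized from the escaped length rather than from the input length, which is the mistake the entry describes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes the escaped form of src[0..len) will occupy, NUL not counted.
 * Each special byte becomes three bytes ("\2a" for '*', and so on), so
 * allocating from this value is what keeps the escaper in bounds. The
 * bug described above is sizing from len (the unescaped length) instead. */
size_t ldap_escaped_len(const char *src, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        switch (src[i]) {
        case '*': case '(': case ')': case '\\': case '\0':
            n += 3;
            break;
        default:
            n += 1;
            break;
        }
    }
    return n;
}

/* Escape src[0..len) for use inside an LDAP search filter, encoding each
 * special byte as a backslash and two hex digits (the filter encoding of
 * RFC 2254). len is explicit so an embedded NUL is escaped rather than
 * silently truncating the value. Returns a NUL-terminated malloc'd
 * string sized from ldap_escaped_len(), or NULL on allocation failure. */
char *ldap_filter_escape(const char *src, size_t len)
{
    static const char hex[] = "0123456789abcdef";
    size_t need = ldap_escaped_len(src, len);
    char *out = malloc(need + 1);
    if (!out)
        return NULL;
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        switch (c) {
        case '*': case '(': case ')': case '\\': case '\0':
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
            break;
        default:
            out[o++] = (char)c;
            break;
        }
    }
    out[o] = '\0';
    return out;
}

/* Invariant worth asserting in a test: the escaper writes exactly the
 * number of bytes the sizing function promised, for any input. */
int escape_matches_size(const char *src, size_t len)
{
    char *e = ldap_filter_escape(src, len);
    if (!e)
        return 0;
    int ok = strlen(e) == ldap_escaped_len(src, len);
    free(e);
    return ok;
}

int main(void)
{
    /* constructed sample: a username an attacker might submit to saslauthd */
    const char *user = "admin*)(uid=*";
    char *e = ldap_filter_escape(user, strlen(user));
    printf("(uid=%s)\n", e);   /* (uid=admin\2a\29\28uid=\2a) */
    free(e);
    return 0;
}
```

Keeping the sizing and the writing in two functions that walk the input the same way makes the relationship checkable: if escape_matches_size() ever returns 0, one of the two has drifted and the heap is at risk.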
20. Cyrus SASL Library Logging Memory Corruption Vulnerability
BugTraq ID: 6349
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6349
Summary:
SASL is the Simple Authentication and Security Layer, a method for adding
authentication support to connection-based protocols.
A memory corruption vulnerability has been discovered in SASL when
generating logs files. It has been reported that under some circumstances
SASL fails to allocate sufficient memory for the '\0' character for a
string used in log entries. By causing Cyrus to generate a malicious log
it may be possible for an attacker to write the '\0' character to a
sensitive location in memory.
This could potentially be exploited to overwrite the least significant byte
(LSB) of a sensitive variable, or possibly to cause inaccurate logs to be
created.
It should be noted that under rare circumstances a string that is not NULL
terminated can cause a situation that may be exploited to execute
arbitrary code. It is not known whether this situation occurs in the SASL
library.
It should also be noted that although this vulnerability was discovered in
Cyrus, it may also affect other programs that utilize the SASL library.
21. Trend Micro PC-cillin Mail Scanner Buffer Overflow Vulnerability
BugTraq ID: 6350
Remote: No
Date Published: Dec 10 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6350
Summary:
Trend Micro is a provider of desktop and network antivirus products.
A buffer overflow vulnerability has been reported for PC-cillin's mail
scanning utility. The mail scanning utility is a service that acts as a
proxy to mail clients and runs as 'pop3trap.exe'.
An attacker can exploit this vulnerability by connecting to a vulnerable
pop3trap.exe service and sending an overly long string of at least 1100
characters. This crashes the process and may allow the attacker to gain
control over its execution. Any code so executed will run with the
privileges of the pop3trap.exe process.
This vulnerability affects PC-cillin 2000, 2002, 2003 and OfficeScan
Corporate Edition 5.02.
22. Canna Server Local Buffer Overflow Vulnerability
BugTraq ID: 6351
Remote: No
Date Published: Dec 10 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6351
Summary:
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input. It is available for the Linux operating system.
A buffer overflow vulnerability has been discovered in Canna. Exploiting
this issue may allow an attacker to overwrite sensitive locations in
memory. It may be possible to run arbitrary system commands, with 'bin'
level privileges, by redirecting program flow to execute attacker-supplied
instructions.
It should be noted that Canna is typically installed only when Japanese
language support is enabled.
Precise technical details regarding this vulnerability are not yet known.
This BID will be updated as more information becomes available.
23. Canna Server Denial Of Service Vulnerability
BugTraq ID: 6354
Remote: Yes
Date Published: Dec 10 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6354
Summary:
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input. It is available for the Linux operating system.
A vulnerability has been discovered in Canna. It has been reported that
due to insufficient request validation it is possible for a remote
attacker to crash the Canna server. Under some circumstances it may also
be possible to cause information leakage.
It should be noted that Canna is typically installed only when Japanese
language support is enabled.
Precise technical details regarding this vulnerability are not yet known.
This BID will be updated as more information becomes available.
24. WGet NLST Client Side File Overwriting Vulnerability
BugTraq ID: 6352
Remote: Yes
Date Published: Dec 10 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6352
Summary:
wget is a freely available, open source HTTP and FTP retrieval utility.
It is included with many Unix and Linux operating systems.
A problem with wget may result in the overwriting of arbitrary files.
wget does not properly handle some types of FTP server responses. When an
NLST response is received from an FTP server, the FTP RFC requires that
clients check whether the returned names contain directory information.
wget does not perform this check, so a malicious FTP server may return
names containing path components and cause wget to overwrite files on the
client system.
It should be noted that this vulnerability requires an FTP server to know
the path to the file to be overwritten. Additionally, this vulnerability
may be exploited to overwrite only those files which are write-permissible
by the FTP client user.
25. Kunani FTP File Disclosure Vulnerability
Kunani FTP is a publicly available server which uses any ODBC compatible
data source to authenticate users/passwords. It is available for the
Microsoft Windows operating system.
A vulnerability has been discovered in Kunani FTP server. By passing a
malicious request containing dot-dot-slash (../) directory traversal
sequences, it is possible for a remote attacker to access arbitrary system
files outside of FTP directories. Information gathered through successful
exploitation of this vulnerability may aid an attacker in launching
further attacks against a target system.
This issue was discovered in Kunani FTP server 1.0.10. It is not known
whether other versions are affected.
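Path confinement for both directions of the traversal problem in this issue, as an added example that is not code from WebReflex, Enceladus, Kunani or wget (function names, the depth limit and the buffer sizes are assumptions): normalize_under_root() is the server-side check that a decoded request path cannot climb above the document root, treating both '/' and '\' as separators because the affected servers run on Windows; listing_name_is_safe() is the client-side check wget lacked for NLST entries, which must be bare filenames.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 64   /* assumption: no request path nests deeper than this */

/* Server side (the WebReflex, Enceladus and Kunani class of bug): walk a
 * decoded request path component by component and refuse any path that
 * would climb above the document root. Both '/' and '\\' are separators
 * because these servers run on Windows. The caller must percent-decode
 * first, so "%2e%2e%2f" is seen here as "../". On success returns 1 and
 * writes the normalized root-relative path ("" for the root itself) to
 * out; returns 0 if the path escapes, nests too deep, or does not fit. */
int normalize_under_root(const char *req, char *out, size_t outsz)
{
    size_t starts[MAX_DEPTH];   /* offset in out where each component begins */
    int depth = 0;
    size_t o = 0;
    const char *p = req;

    while (*p) {
        while (*p == '/' || *p == '\\')
            p++;                                /* collapse separators */
        if (!*p)
            break;
        const char *q = p;
        while (*q && *q != '/' && *q != '\\')
            q++;
        size_t n = (size_t)(q - p);

        if (n == 1 && p[0] == '.') {
            /* "." : stay where we are */
        } else if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return 0;                       /* would leave the root */
            o = starts[--depth];                /* drop the last component */
        } else {
            if (depth == MAX_DEPTH || o + n + 2 > outsz)
                return 0;
            starts[depth++] = o;
            if (o)
                out[o++] = '/';
            memcpy(out + o, p, n);
            o += n;
        }
        p = q;
    }
    out[o] = '\0';
    return 1;
}

/* Client side (the wget NLST class of bug): a name from a directory
 * listing must be a bare filename. Anything carrying a separator, or the
 * "." / ".." names, is refused so a hostile server cannot steer the
 * download into a parent directory or an absolute path. Returns 1 if the
 * name is safe to create in the current directory, 0 otherwise. */
int listing_name_is_safe(const char *name)
{
    if (!*name || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (const char *p = name; *p; p++)
        if (*p == '/' || *p == '\\')
            return 0;
    return 1;
}

/* Convenience wrapper: returns the normalized path in a static buffer,
 * or NULL if the request is refused. */
const char *normalized(const char *req)
{
    static char buf[512];
    return normalize_under_root(req, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* constructed requests of the kind the traversal reports describe */
    const char *reqs[] = { "/docs/./index.html", "/docs/../../../boot.ini",
                           "docs\\..\\..\\win.ini", "/a/b/../c" };
    for (size_t i = 0; i < 4; i++) {
        const char *r = normalized(reqs[i]);
        printf("%-28s -> %s\n", reqs[i], r ? r : "REFUSED");
    }
    printf("NLST entry \"../../.profile\" safe: %d\n",
           listing_name_is_safe("../../.profile"));
    return 0;
}
```

Normalizing by component instead of searching the string for "../" is what makes the server-side check robust: a path such as "/a/b/../c" is accepted and resolved to "a/c", while any sequence that would pop past the root is refused outright, whichever separator or mix of separators is used.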
III. SECURITYFOCUS NEWS AND COMMENTARY
--------------------------------------
1. Senate Closes Accidental Anonymizer
By Kevin Poulsen Dec 10 2002
Misconfigured servers spawn an undocumented feature at Senate.gov.
http://online.securityfocus.com/news/1780
2. Fences go up as Net outgrows its innocence
By Anick Jesdanun, The Associated Press
On the Internet, you can learn about virtually anything. You can seek
comfort from others similarly afflicted by a rare disease or explore such
sensitive topics as birth control.
http://online.securityfocus.com/news/1803
3. All bugs are created equal
By John Leyden, The Register
Security tools vendor ISS has promised to handle security vulnerabilities
affecting open source and Windows platforms the same way following
criticism of its premature disclosure of open source security problems.
http://online.securityfocus.com/news/1800
4. Trend Micro squashes buffer overflow bug
By John Leyden, The Register
Trend Micro has issued a fix to address buffer overflow vulnerabilities
within popular versions of its anti-virus software packages.
http://online.securityfocus.com/news/1799
IV. SECURITYFOCUS TOP 6 TOOLS
-----------------------------
1. ssh-keyinstall v1.0.0
by William Stearns
Relevant URL:
http://www.stearns.org/ssh-keyinstall/
Platforms: Linux, POSIX
Summary:
ssh-keyinstall is a script that helps an ssh user set up the keys at both
ends of an ssh connection. It creates an rsa or dsa key if needed and
copies the public half to the server. Once the process is done, you'll be
able to log in with the passphrase and key instead of a password.
2. Smart Card ToolKit v0.3.2
Smart Card ToolKit provides a library and associated tools for smart
cards. Phoenix and Smartmouse protocols are supported for ISO7816
asynchronous smart card access and debugging. JDM is supported for
programming PIC-based smart cards like piccard, goldwafer (goldcard), and
silvercard. SPI is supported for programming AVR based smart cards
(funcard). PIC and AVR loaders provide access to external i2c EEPROM. I2c
memory smart cards are also supported. All tools use Intel hex file format
to store data. An Intel hex to binary and vice-versa converting tool is
also provided.
3. xferlogDB v0.3.3
by Brian Christensen brian (at) jordhulen (dot) dk
Relevant URL:
http://www.jordhulen.dk/xferlogDB
Platforms: Os Independent
Summary:
xferlogDB is a tool for analyzing xferlogs from glFTPd.
4. Pixilate v0.1
Summary:
Pixilate is a packet generation tool based on Libnet 1.1.0 (older
Libnet 1.0.x versions will not work). Pixilate generates packets by
parsing a file that contains ACLs in either Cisco IOS format (using the -r
option) or in Cisco PIX 6.2x format. Currently TCP, UDP, IGMP, and various
types of ICMP packets are built with the appropriate source and
destination for each rule. "any" as a source generates a random source
address and "any" as a destination will send the packet to the user
supplied destination (-d option). For more information, see the pixilate
manpage.
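The ACL-to-packet step described above, as an added example that is not Pixilate's own code: a parser for Cisco IOS extended access-list lines (the format Pixilate reads with -r) that turns each rule into the source, destination and ports of one probe packet, applying the "any" conventions the summary describes. The sample ACL, the 40000 default port and the choice of a network's first host address are assumptions of this example, not Pixilate's behaviour.

```python
"""Parse Cisco IOS extended access-list lines into probe-packet specs.

Added example, not Pixilate's code. Each rule yields the addresses/ports of
one packet, with 'any' handled as the summary describes (random source,
user-supplied destination). Common extended-ACL syntax only; anything else
is rejected rather than guessed at.
"""
import ipaddress
import random

PORT_OPS = {"eq", "gt", "lt", "neq", "range"}
DEFAULT_PORT = 40000  # assumption: port used when a rule does not constrain one

def _parse_endpoint(tokens, i):
    """One address spec at tokens[i] -> (spec, next_index).

    spec is 'any', ('host', IPv4Address) or ('net', IPv4Network); a network
    comes from 'ADDR WILDCARD', the wildcard being an inverted netmask.
    """
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return ("host", ipaddress.IPv4Address(tokens[i + 1])), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ("net", ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)), i + 2

def _parse_ports(tokens, i):
    """Optional port operator after an endpoint -> (spec or None, next_index)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        op = tokens[i]
        if op == "range":
            return (op, int(tokens[i + 1]), int(tokens[i + 2])), i + 3
        return (op, int(tokens[i + 1])), i + 2
    return None, i

def parse_acl_line(line):
    """'access-list N permit|deny PROTO SRC [ports] DST [ports] [options]'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended access-list entry: {line!r}")
    rule = {"acl": t[1], "action": t[2], "proto": t[3].lower()}
    i = 4
    rule["src"], i = _parse_endpoint(t, i)
    rule["sport"], i = _parse_ports(t, i)
    rule["dst"], i = _parse_endpoint(t, i)
    rule["dport"], i = _parse_ports(t, i)
    rule["options"] = t[i:]  # e.g. 'established', 'log'
    return rule

def parse_acl(text):
    """Parse a whole ACL, skipping blank lines and '!' comment lines."""
    return [parse_acl_line(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]

def _pick_port(spec):
    """One concrete port satisfying a port operator (DEFAULT_PORT if none)."""
    if spec is None:
        return DEFAULT_PORT
    op, first = spec[0], spec[1]
    if op in ("eq", "range"):
        return first
    return first + 1 if op in ("gt", "neq") else first - 1  # 'lt'

def packet_for_rule(rule, user_dst, rng=random):
    """Addresses and ports for one packet exercising `rule`.

    'any' source -> random address; 'any' destination -> user_dst (the -d
    option in the summary); a network -> its first host address (assumption).
    Ports are only meaningful for tcp/udp and are None otherwise.
    """
    def concrete(spec, fallback):
        if spec == "any":
            return fallback
        kind, value = spec
        if kind == "host":
            return str(value)
        return str(next(iter(value.hosts()), value.network_address))

    random_src = str(ipaddress.IPv4Address(rng.getrandbits(32)))
    ports = rule["proto"] in ("tcp", "udp")
    return {
        "proto": rule["proto"],
        "src": concrete(rule["src"], random_src),
        "dst": concrete(rule["dst"], user_dst),
        "sport": _pick_port(rule["sport"]) if ports else None,
        "dport": _pick_port(rule["dport"]) if ports else None,
    }

# Constructed sample ACL (not from the page); addresses are documentation ranges.
SAMPLE_ACL = """\
! web and dns in, drop the rest
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit udp 10.0.0.0 0.0.0.255 host 192.0.2.53 eq 53
access-list 101 deny ip any any log
"""
```

Running `packet_for_rule` over `parse_acl(SAMPLE_ACL)` with a destination of your own gives one packet per rule; a non-contiguous wildcard mask raises rather than producing a packet that matches nothing.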
5. Iptables Script Generator v0.1
Summary:
The iptables Script Generator is a set of PHP scripts that makes it easy
to generate a custom iptables script for router and/or firewall use. It
also makes it possible for computers on your LAN to surf on the Internet
6. Java Log analyzer 1.0 v1.0
by Antonio Da Silva
Relevant URL:
http://jxla.novadeck.org/en/index.xml
Platforms: Java
Summary:
JXLA is a http log analyzer written in Java. Reports are created in XML.
You can fully configure the output by using your own XSL stylesheet.
V. SECURITY JOBS SUMMARY
------------------------
1. Senor Sales Engineer (Thread)
Relevant URL:
VIII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. IIS 4 Security (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/303276
2. ISM Permissions? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/302989
3. FW: /Rpc virtual directory in IIS - How did it get there? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/302613
4. SecurityFocus Microsoft Newsletter #116 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/302608
5. /Rpc virtual directory in IIS - How did it get there? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/302565
6. issues with syskey in NT 4.0 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/302385
IX. SUN FOCUS LIST SUMMARY
----------------------------
1. NO NEW POSTS FOR THE WEEK ENDING 12.13.02
X. LINUX FOCUS LIST SUMMARY
---------------------------
1. NO NEW POSTS FOR THE WEEK ENDING 12.13.02
XI. SPONSOR INFORMATION
-----------------------
This issue is sponsored by: Qualys
SecurityFocus Newsletter #175
-----------------------------
I. FRONT AND CENTER
-------------------
1. Securing Outlook, Part One: Initial Configuration
By Scott Granneman
Millions of Outlook users around the world, in homes, organizations, and
businesses, have had to face the insecurities inherent in their email
program, sometimes painfully. This article is the first of a two-part
series examining ways that Outlook users can secure their email client.
http://online.securityfocus.com/infocus/1648
2. Rooting Out Corrupted Code
By Jon Lasser
Is there a backdoor on your system? A flawed but timely project from the
Shmoo Group could help network administrators spot altered programs.
http://online.securityfocus.com/columnists/129
3. Drop that E-Book or I'll Shoot!
By Mark Rasch
Last Thursday federal prosecutors wrapped up their direct case against
Russian software company ElcomSoft for creating and distributing software
that would "crack" Adobe's proprietary software designed to prevent
copying of electronic books - the defense will argue their side this week.
http://online.securityfocus.com/columnists/128
4. A Year-end Mailbag
By George Smith
"Why are you rambling?," and other feedback received by your anti-virus
columnist.
http://online.securityfocus.com/columnists/130
5. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
6. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11
Solutions to today's security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!
Go to: http://www.misti.com/10/os03nl37inf.html
II. BUGTRAQ SUMMARY
-------------------
1. Sapio WebReflex Directory Traversal Vulnerability
BugTraq ID: 6327
Remote: Yes
Date Published: Dec 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6327
Summary:
WebReflex is a software package designed to run an HTTP server from a
CD-ROM, providing web hosting on Microsoft Windows systems. This web server
is intended for use on systems such as Windows 95 and Windows 98. It is
written and maintained by Sapio Design Ltd.
It has been reported that WebReflex fails to properly sanitize web
requests. By sending a malicious web request to the vulnerable server,
using directory traversal sequences, it is possible for a remote attacker
to access sensitive resources located outside of the web root.
An attacker is able to traverse outside of the established web root by
using dot-dot-slash (../) directory traversal sequences. An attacker may
be able to obtain any web server readable files from outside of the web
root directory.
Disclosure of sensitive system files may aid the attacker in launching
further attacks against the target system.
This vulnerability was reported for WebReflex 1.53. It is not known
whether other versions are affected.
2. OpenLDAP Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 6328
Remote: Yes
Date Published: Dec 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6328
Summary:
OpenLDAP is an open-source implementation of the LDAP protocol.
Several buffer overflow vulnerabilities have been reported for OpenLDAP.
Precise technical details about the nature of the vulnerabilities are
currently unknown. This BID will be updated as more information becomes
available.
An attacker may be able to exploit these vulnerabilities to gain control
over the execution of the vulnerable OpenLDAP process. Although
unconfirmed, an attacker may be able to execute malicious
attacker-supplied code with the privileges of the OpenLDAP process.
3. SuSE GNUPlot French Documentation Buffer Overflow Vulnerability
BugTraq ID: 6329
Remote: No
Date Published: Dec 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6329
Summary:
GNUPlot is an interactive function plotting program. It is used to plot
data and functions in a graphical format.
A buffer overflow vulnerability has been reported for GNUPlot shipped with
SuSE Linux. Reportedly, the vulnerability exists in the French
documentation and may allow an attacker to gain control over the execution
of the gnuplot process.
This vulnerability is exacerbated by the fact that gnuplot is installed
setuid root by default on some SuSE distributions.
Precise technical details about the nature of the vulnerability are
currently unknown. This BID will be updated as more information becomes
available.
4. APBoard Unauthorized Thread Reading Vulnerability
BugTraq ID: 6330
Remote: Yes
Date Published: Dec 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6330
Summary:
APBoard is a web-based bulletin board package based on PHP and MySQL from
Another PHP Product.
A vulnerability has been reported for APBoard that may allow unauthorized
users to read postings in internal forums. The vulnerability is a result
of the 'useraction.php' script failing to properly check user credentials.
An attacker can exploit this vulnerability to subscribe to a thread in an
internal forum. This may expose sensitive information not intended to be
viewed by the attacker.
This vulnerability was reported for APBoard 2.02. It is not known whether
other versions are affected.
5. Apple Mac OS X Directory Kernel Panic Denial Of Service Vulnerability
BugTraq ID: 6331
Remote: No
Date Published: Dec 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6331
Summary:
Mac OS X is the BSD-derived operating system distributed and maintained by
Apple Software.
A problem with Mac OS X may make possible a local denial of service
attack.
It has been reported that OS X may crash under some conditions. When a
user creates a directory, descends it, creates another directory of the
same name, then attempts to move the directory up one level in the
hierarchy, the system reacts unpredictably. It has been reported that
this can cause a crash of the system.
This vulnerability could be exploited by a local user to deny service to
legitimate users of the host. This vulnerability requires that an
attacker have the ability to execute the command in a Terminal
application.
6. Ultimate PHP Board Add.PHP Path Disclosure Vulnerability
BugTraq ID: 6333
Remote: Yes
Date Published: Dec 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6333
Summary:
Ultimate PHP Board (UPB) is a freely available, open source PHP Bulletin
Board. It is available for the Unix and Linux operating systems.
A problem has been discovered in UPB that could lead to the disclosure of
potentially sensitive information.
Under some circumstances, it may be possible to gain access to sensitive
information, such as the installation path of UPB. By passing an
erroneous request to the add.php script, UPB may return the full path to
the installation. This could lead to the disclosure of sensitive
information, and potentially lead to further attack.
7. Ultimate PHP Board ViewTopic.PHP Directory Contents Browsing Vulnerability
BugTraq ID: 6334
Remote: Yes
Date Published: Dec 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6334
Summary:
Ultimate PHP Board (UPB) is a freely available, open source PHP Bulletin
Board. It is available for the Unix and Linux operating systems.
A problem has been discovered in UPB that could lead to the disclosure of
the contents of directories.
Under some circumstances, it may be possible to disclose the contents of
directories. By passing a malicious request to the viewtopic.php script,
UPB may return a listing of the directory. This could be further refined
to disclose the contents of selected files.
This could lead to the disclosure of sensitive information, and
potentially lead to further attack. It should be noted that the ability
of the attacker to read information is limited to the privileges of the
web server. Additionally, it is thought that an attacker may not read
directories above the data_dir directory used by UPB.
8. Ultimate PHP Board ViewTopic.PHP Cross Site Scripting Vulnerability
BugTraq ID: 6335
Remote: Yes
Date Published: Dec 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6335
Summary:
Ultimate PHP Board (UPB) is a freely available, open source PHP Bulletin
Board. It is available for the Unix and Linux operating systems.
A problem has been discovered in UPB that could lead to cross site
scripting attacks.
By passing a malicious script code to the viewtopic.php script, UPB may
return the script code to the browser of the user visiting the malicious
URL. This could lead to the execution of HTML and script code in the
security context of the UPB site.
9. vBulletin HTML Injection Vulnerability
BugTraq ID: 6337
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6337
Summary:
vBulletin is commercial web forum software written in PHP and back-ended
by a MySQL database. It will run on most Linux and Unix variants, as well
as Microsoft operating systems.
Problems with vBulletin could make it possible for an attacker to inject
arbitrary HTML in vBulletin forum messages.
vBulletin does not sufficiently filter potentially malicious HTML code
from posted messages. As a result, when a user chooses to view a message
posting that contains malicious HTML code, the code contained in the
message would be executed in the browser of the vulnerable user. This will
occur in the context of the site hosting the vBulletin forum software.
Attackers may potentially exploit this issue to manipulate web content or
to steal cookie-based authentication credentials. It may be possible to
take arbitrary actions as the victim user.
This vulnerability was reported for vBulletin 2.2.7 and 2.2.8. It is not
known whether other versions are affected.
10. Mollensoft Software Enceladus Server Suite Directory Traversal Vulnerability
BugTraq ID: 6338
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6338
Summary:
Enceladus Server Suite is a Web and FTP server designed for use with
Microsoft Windows operating systems.
It has been reported that Enceladus fails to properly sanitize web
requests. By sending a malicious web request to the vulnerable server,
using directory traversal sequences, it is possible for a remote attacker
to view and download sensitive resources located outside of the web root.
An attacker is able to traverse outside of the established web root by
using dot-dot-slash (../) directory traversal sequences. An attacker may
be able to obtain any web server readable files from outside of the web
root directory.
Disclosure of sensitive system files may aid the attacker in launching
further attacks against the target system.
This vulnerability was reported for Enceladus Server Suite 2.6.1. It is
not known whether other versions are affected.
11. apt-www-proxy NULL HTTP Request Denial Of Service Vulnerability
BugTraq ID: 6339
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6339
Summary:
apt-www-proxy is a proxy server designed for use with web-based apt-get
repositories.
A denial of service vulnerability has been reported for apt-www-proxy. The
'parse_get()' function in 'utils.c' will fail when attempting to parse a
NULL HTTP request. This will cause the process to crash, resulting in a
denial of service condition.
To restore functionality, the apt-www-proxy service must be restarted.
This vulnerability has been reported for apt-www-proxy 0.1.
12. apt-www-proxy Format String Vulnerability
BugTraq ID: 6340
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6340
Summary:
apt-www-proxy is a proxy server designed for use with web-based apt-get
repositories.
apt-www-proxy is prone to a format string vulnerability. This problem is
due to incorrect use of the 'syslog()' function to log error messages. It
is possible to corrupt memory by passing format strings through the
vulnerable logging function. This may potentially be exploited to
overwrite arbitrary locations in memory with attacker-specified values.
The vulnerability exists due to inadequate checks performed in the
'awp_log()' function in the 'utils.c' source file.
Successful exploitation of this issue may allow the attacker to execute
arbitrary instructions with the privileges of the vulnerable process.
This vulnerability has been reported for apt-www-proxy 0.1.
13. ProFTPD STAT Command Denial Of Service Vulnerability
BugTraq ID: 6341
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6341
Summary:
ProFTPD is a popular FTP server that ships with numerous Unix and Linux
variants.
A denial of service vulnerability has been reported for ProFTPD. It is
possible to prevent ProFTPD from responding to legitimate requests for
service by issuing specially crafted STAT commands. This will result in a
denial of service condition.
An attacker can exploit this vulnerability by logging on to a vulnerable
FTP server and issuing a STAT command composed of several '/*' characters.
When the FTP server receives this command, it will result in a denial of
service condition.
This vulnerability has been reported to affect ProFTPD 1.2.7rc3 and
earlier.
** This issue is closely related to the vulnerability described in BID
2496.
14. Ikonboard User Profile Photo URI HTML Injection Vulnerability
BugTraq ID: 6342
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6342
Summary:
Ikonboard is a web-based bulletin board system implemented in Perl. It may
be installed under Linux, Windows, or many Unix platforms.
Ikonboard is prone to a vulnerability which may enable an attacker to
cause arbitrary HTML and script code to be interpreted by the web client
of other Ikonboard users.
Ikonboard allows users to post a link in their user profile to an external
picture. Ikonboard does not sufficiently sanitize HTML from these photo
URIs in user profiles. An attacker may take advantage of this issue to
embed malicious script code into their user profile. When the profile is
viewed by other users, the attacker-supplied script code will execute in
the security context of the site hosting the Ikonboard software.
Exploitation may allow an attacker to steal cookie-based authentication
credentials or to manipulate web content.
This issue was reported in Ikonboard 3.1.1. Other versions may also be
affected.
15. Ikonboard X-Forwarded-For: Proxy Header Field HTML Injection Vulnerability
BugTraq ID: 6343
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6343
Summary:
Ikonboard is a web-based bulletin board system implemented in Perl. It may
be installed under Linux, Windows, or many Unix platforms.
Ikonboard is prone to HTML injection attacks via X-Forwarded-For: HTTP
header fields for proxies. The HTTP X-Forwarded-For: header field is used
by many proxy server implementations to indicate the original source of a
request that has been forwarded by the proxy. When Ikonboard is accessed
via a proxy, it will log the user's IP address as the address that appears
in the X-Forwarded-For: HTTP header field. HTML will not be sanitized
when this information in the HTTP header field is logged. When an
administrator views the logged IP address, script code supplied via a
malicious X-Forwarded-For: HTTP header field will be executed in the web
client of the administrator.
While the data in the header field is limited to 16 characters, it may be
possible to embed malicious script code or HTML over multiple requests.
Successful exploitation may enable a remote attacker to steal cookie-based
authentication credentials from an administrative user.
This issue was reported in Ikonboard 3.1.1. Other versions may also be
affected.
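One way to handle the header the summary describes, as an added example that is not Ikonboard's code: validate the X-Forwarded-For value as an IP address (and honour it only when the TCP peer is one of your own proxies) before it is logged, and HTML-escape logged values when the administrator's page is rendered. The trusted-proxy address, the table markup and the three constructed header fragments are assumptions of this example; the fragments also show why the 16-character cap mentioned above is not a defence on its own.

```python
"""Logging a client address taken from X-Forwarded-For, safely.

Added example, not Ikonboard's code. A header value is attacker text until
it has been validated as an address; a short length cap is no defence,
since fragments from several requests reassemble in the log view; and
whatever is logged must be HTML-escaped when an administrator views it.
"""
import html
import ipaddress

# Constructed (assumption): addresses of proxies you operate. Only they may
# assert a forwarded client address; anyone else's header is ignored.
TRUSTED_PROXIES = {"10.0.0.5"}

def client_ip_for_log(remote_addr, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Return the address to record for this request.

    X-Forwarded-For is 'client, proxy1, proxy2, ...'; the first entry is the
    original client. It is used only if the TCP peer is a trusted proxy and
    the value parses as an IP address. Otherwise the peer address is logged
    and the header text never reaches the log at all.
    """
    if remote_addr in trusted_proxies and xff_header:
        candidate = xff_header.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # not an address: do not store attacker text as one
    return remote_addr

def vulnerable_ip_cell(value):
    """The pattern the summary describes: raw header text, capped at 16
    characters, dropped straight into the admin page (kept here to show
    the failure; do not use)."""
    return f"<td>{value[:16]}</td>"

def safe_ip_cell(value):
    """Same cell with output encoding; correct even for text that slipped in."""
    return f"<td>{html.escape(value, quote=True)}</td>"

def render_log_table(entries, cell):
    """Render one row per logged request with the given cell renderer."""
    rows = "".join(f"<tr>{cell(ip)}</tr>" for ip in entries)
    return f"<table>{rows}</table>"

# Constructed: three requests whose header fragments each fit the 16-byte
# cap but together spell out a script tag once they sit in adjacent rows.
CHUNKED_XFF = ["<script>alert(1)", ";document.title=", "'x';</script>"]

if __name__ == "__main__":
    print(render_log_table(CHUNKED_XFF, vulnerable_ip_cell))
    print(render_log_table(CHUNKED_XFF, safe_ip_cell))
    print(client_ip_for_log("10.0.0.5", "203.0.113.9, 10.0.0.5"))
```

With the validation in place the fragments never reach the log at all; the escaping renderer is the second line of defence for anything already stored.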
16. Xoops Private Message System Font Attributes HTML Injection Vulnerability
BugTraq ID: 6344
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6344
Summary:
Xoops is open-source, freely available web portal software written in
object-oriented PHP. It is back-ended by a MySQL database and will run on
most Unix and Linux distributions.
Xoops includes a Private Message System so that users may send messages
to one another. The bold, italic and underline tags permitted for font
formatting in these messages are not sufficiently filtered, so an attacker
can place arbitrary script code inside these tags. When another user
receives the attacker's private message, the malicious script code will be
executed in that user's browser in the context of the site running Xoops.
This issue may be exploited by an attacker to steal a legitimate user's
cookie-based authentication credentials, potentially making it possible to
hijack the user's session.
This vulnerability has been reported for Xoops 1.3.5.
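A sanitiser of the kind the Xoops issue (and the Ikonboard photo URI issue above) calls for, as an added example that is not Xoops or Ikonboard code: only <b>, <i> and <u> survive, every attribute on them is dropped, all other markup is escaped to text, and a profile-image URL is accepted only with an http or https scheme. The tag list, the behaviour on mis-nested tags and the URL check are this example's choices, not the projects' own.

```python
"""Allow-list sanitiser for user-supplied font markup, plus an image-URL check.

Added example, not Xoops or Ikonboard code. Keeps <b>, <i>, <u> with no
attributes (the attribute is where onmouseover= and friends would hide),
escapes every other tag and all text, and closes tags in proper nesting.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"b", "i", "u"}  # assumption: the formatting the board permits

class FontTagSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []  # stack of allowed tags currently open

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes deliberately dropped
            self.open.append(tag)
        else:
            self.out.append(html.escape(self.get_starttag_text() or "", quote=True))

    def handle_startendtag(self, tag, attrs):
        self.out.append(html.escape(self.get_starttag_text() or "", quote=True))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag in self.open:
            # close anything opened after it so the output stays well nested
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break
        else:
            self.out.append(html.escape(f"</{tag}>", quote=True))

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

    def handle_comment(self, data):
        pass  # comments are dropped rather than passed through

    def result(self):
        self.out.extend(f"</{t}>" for t in reversed(self.open))
        return "".join(self.out)

def sanitize_font_markup(text):
    """Return HTML safe to embed in a page: allowed tags only, all else escaped."""
    p = FontTagSanitizer()
    p.feed(text)
    p.close()
    return p.result()

def safe_image_url(url):
    """Accept only absolute http(s) URLs for a profile photo, else None.

    Rejects javascript: and data: schemes; the returned value is attribute-
    escaped so a quote inside the path cannot break out of src="...".
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return html.escape(parts.geturl(), quote=True)
```

The sanitiser is a parser, not a regular expression: a filter that merely looks for "<script" is exactly what an event-handler attribute on an otherwise allowed <b> tag slips past.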
17. Mollensoft Software Enceladus Server Suite CD Buffer Overflow Vulnerability
BugTraq ID: 6345
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6345
Summary:
Enceladus Server Suite is a Web and FTP server designed for use with
Microsoft Windows operating systems.
Enceladus Server Suite is prone to a remotely exploitable buffer overflow
vulnerability. It is possible to trigger this condition by supplying an
overly long value for the FTP change directory (CD) command. The issue is
due to insufficient bounds checking of the vulnerable FTP command. By
triggering this condition an attacker may corrupt process memory,
including stack variables such as the return address, with
attacker-supplied data. Given the ability to corrupt memory with
attacker-supplied data, it is possible for an attacker to cause the
execution of arbitrary code.
To exploit this issue, the attacker must be able to authenticate to the
FTP server included in Enceladus and issue a maliciously crafted CD
command.
Successful exploitation will enable a remote attacker to execute arbitrary
code with the privileges of the Enceladus Server Suite software, which
will most likely run with SYSTEM (or equivalent) privileges. This
vulnerability may also be used to cause a denial of service.
This issue has been reported for Enceladus Server Suite 3.9. Other
versions may also be affected.
18. Cyrus SASL Library Username Heap Corruption Vulnerability
BugTraq ID: 6347
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6347
Summary:
SASL is the Simple Authentication and Security Layer, a method for adding
authentication support to connection-based protocols.
A heap corruption vulnerability has been discovered in the Cyrus SASL library.
The overflow occurs in the 'user_buf' and 'authid_buf' buffers while
sanitizing usernames. It is possible to trigger this condition by passing
an overly long string as the 'myhostname' parameter.
Exploiting this vulnerability will give an attacker the ability to
overflow a sensitive buffer in heap memory by 19 bytes. This may allow the
corruption of malloc headers, which could later result in an arbitrary
location in memory being overwritten.
It should be noted that this issue only exists if the default realm is
set.
It should also be noted that although this vulnerability was discovered in
Cyrus, it may also affect other programs that utilize the SASL library.
19. Cyrus SASL Library LDAP Heap Corruption Vulnerability
BugTraq ID: 6348
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6348
Summary:
SASL is the Simple Authentication and Security Layer, a method for adding
authentication support to connection-based protocols.
A heap corruption vulnerability has been discovered in the Cyrus SASL library.
It has been discovered that the saslauthd utility fails to allocate sufficient
memory when required to escape various characters, including '*', '(',
')', '\' and '\0'. By passing a malicious string as a 'username' or
'realm' value, it may be possible for an attacker to cause insufficient
memory to be allocated for user-supplied input.
Exploiting this issue may allow an attacker to corrupt malloc headers,
which could later result in an arbitrary location in memory being
overwritten. Successful exploitation of this vulnerability would result in
the execution of arbitrary code with the privileges of the vulnerable
application.
It should be noted that although this vulnerability was discovered in
Cyrus, it may also affect other programs that utilize the SASL library.
20. Cyrus SASL Library Logging Memory Corruption Vulnerability
BugTraq ID: 6349
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6349
Summary:
SASL is the Simple Authentication and Security Layer, a method for adding
authentication support to connection-based protocols.
A memory corruption vulnerability has been discovered in SASL when
generating logs files. It has been reported that under some circumstances
SASL fails to allocate sufficient memory for the '\0' character for a
string used in log entries. By causing Cyrus to generate a malicious log
it may be possible for an attacker to write the '\0' character to a
sensitive location in memory.
This could potentially be exploited to overwrite the LSB of a sensitive
variable or possibly cause inaccurate logs to be created.
It should be noted that under rare circumstances a string that is not NULL
terminated can cause a situation that may be exploited to execute
arbitrary code. It is not known whether this situation occurs in the SASL
library.
It should also be noted that although this vulnerability was discovered in
Cyrus, it may also affect other programs that utilize the SASL library.
21. Trend Micro PC-cillin Mail Scanner Buffer Overflow Vulnerability
BugTraq ID: 6350
Remote: No
Date Published: Dec 10 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6350
Summary:
Trend Micro is a provider of desktop and network antivirus products.
A buffer overflow vulnerability has been reported for PC-cillin's mail
scanning utility. The mail scanning utility is a service that acts as a
proxy to mail clients and runs as 'pop3trap.exe'.
An attacker can exploit this vulnerability by connecting to a vulnerable
pop3trap.exe service and sending an overly long string, consisting of at
least 1100 characters. This will result in the process crashing and
allowing the attacker to gain control over the execution of the process.
Any code to be executed will run with the privileges of the pop3trap.exe
process.
This vulnerability affects PC-cillin 2000, 2002, 2003 and OfficeScan
Corporate Edition 5.02.
22. Canna Server Local Buffer Overflow Vulnerability
BugTraq ID: 6351
Remote: No
Date Published: Dec 10 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6351
Summary:
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input. It is available for the Linux operating system.
A buffer overflow vulnerability has been discovered in Canna. Exploiting
this issue may allow an attacker to overwrite sensitive locations in
memory. It may be possible to run arbitrary system commands, with 'bin'
level privileges, by redirecting program flow to execute attacker-supplied
instructions.
It should be noted that Canna is typically installed only when Japanese
language support is enabled.
Precise technical details regarding this vulnerability are not yet known.
This BID will be updated as more information becomes available.
23. Canna Server Denial Of Service Vulnerability
BugTraq ID: 6354
Remote: Yes
Date Published: Dec 10 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6354
Summary:
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input. It is available for the Linux operating system.
A vulnerability has been discovered in Canna. It has been reported that
due to insufficient request validation it is possible for a remote
attacker to crash the Canna server. Under some circumstances it may also
be possible to cause information leakage.
It should be noted that Canna is typically installed only when Japanese
language support is enabled.
Precise technical details regarding this vulnerability are not yet known.
This BID will be updated as more information becomes available.
24. WGet NLST Client Side File Overwriting Vulnerability
BugTraq ID: 6352
Remote: Yes
Date Published: Dec 10 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6352
Summary:
wget is a freely available, open source FTP utility. It is included with
many Unix and Linux operating systems.
A problem with wget may result in the overwriting of arbitrary files.
wget does not properly handle some types of server responses. When an NLST
response is received from an FTP server, RFC specifications require that
clients check the input to see if it contains directory information.
wget does not properly check this information, which may allow a remote
FTP server to overwrite files on the client system.
It should be noted that this vulnerability requires an FTP server to know
the path to the file to be overwritten. Additionally, this vulnerability
may be exploited to overwrite only those files which are write-permissible
by the FTP client user.
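As an added illustration (not wget's code, nor the project's fix), the client-side check the summary describes: a Python filter that accepts only NLST entries that are bare file names, beside the naive join that lets a server-supplied name resolve outside the download directory. The function names and the sample listing are constructed for this example.

```python
import posixpath

# Constructed sample NLST reply (not a real capture): two legitimate names plus
# entries carrying directory information that a hostile server might send.
SAMPLE_NLST = (b"report.txt\r\n../../.bashrc\r\n/etc/crontab\r\n"
               b"notes.md\r\n..\r\nsub\\dir.txt\r\n")


def is_safe_nlst_entry(entry):
    """True only for a bare file name: no separators, no '.'/'..', no controls."""
    if not entry or any(ord(c) < 0x20 for c in entry):
        return False
    if "/" in entry or "\\" in entry:
        return False
    return entry not in (".", "..")


def filter_nlst_listing(raw):
    """Split a raw CRLF-terminated NLST reply into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for line in raw.decode("latin-1").split("\r\n"):
        if line:
            (accepted if is_safe_nlst_entry(line) else rejected).append(line)
    return accepted, rejected


def naive_target(dest_dir, entry):
    """The unchecked behaviour: join whatever the server sent onto dest_dir.
    An entry containing '..' resolves to a path outside the download directory."""
    return posixpath.normpath(posixpath.join(dest_dir, entry))


def safe_target(dest_dir, entry):
    """Hardened form: reject entries with directory information, then verify
    the resolved path is a direct child of dest_dir before any write happens."""
    if not is_safe_nlst_entry(entry):
        raise ValueError("NLST entry contains directory information: %r" % entry)
    dest = posixpath.normpath(dest_dir)
    target = posixpath.normpath(posixpath.join(dest, entry))
    if posixpath.dirname(target) != dest:
        raise ValueError("resolved path escapes %s: %s" % (dest, target))
    return target
```

The second check in safe_target is deliberately redundant with the first; a client that only normalises paths, without the entry filter, is the behaviour the advisory warns about.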
25. Kunani FTP File Disclosure Vulnerability
BugTraq ID: 6355
Remote: Yes
Date Published: Dec 10 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6355
Summary:
Kunani FTP is a publicly available server which uses any ODBC compatible
datasource to authenticate users/passwords. It is available for the
Microsoft Windows operating system.
A vulnerability has been discovered in Kunani FTP server. By passing a
malicious request containing dot-dot-slash (../) directory traversal
sequences, it is possible for a remote attacker to access arbitrary system
files outside of FTP directories. Information gathered through successful
exploitation of this vulnerability may aid an attacker in launching
further attacks against a target system.
This issue was discovered in Kunani FTP server 1.0.10. It is not known
whether other versions are affected.
III. SECURITYFOCUS NEWS AND COMMENTARY
--------------------------------------
1. Senate Closes Accidental Anonymizer
By Kevin Poulsen Dec 10 2002
Misconfigured servers spawn an undocumented feature at Senate.gov.
http://online.securityfocus.com/news/1780
2. Fences go up as Net outgrows its innocence
By Anick Jesdanun, The Associated Press
On the Internet, you can learn about virtually anything. You can seek
comfort from others similarly afflicted by a rare disease or explore such
sensitive topics as birth control.
http://online.securityfocus.com/news/1803
3. All bugs are created equal
By John Leyden, The Register
Security tools vendor ISS has promised to handle security vulnerabilities
affecting open source and Windows platforms the same way following
criticism of its premature disclosure of open source security problems.
http://online.securityfocus.com/news/1800
4. Trend Micro squashes buffer overflow bug
By John Leyden, The Register
Trend Micro has issued a fix to address buffer overflow vulnerabilities
within popular versions of its anti-virus software packages.
http://online.securityfocus.com/news/1799
IV. SECURITYFOCUS TOP 6 TOOLS
-----------------------------
1. ssh-keyinstall v1.0.0
by William Stearns
Relevant URL:
http://www.stearns.org/ssh-keyinstall/
Platforms: Linux, POSIX
Summary:
ssh-keyinstall is a script that helps an ssh user set up the keys at both
ends of an ssh connection. It creates an RSA or DSA key if needed and
copies the public half to the server. Once the process is done, you'll be
able to log in with the passphrase and key instead of a password.
2. Smart Card ToolKit v0.3.2
by Alexandre Becoulet
Relevant URL:
http://etud.epita.fr/~becoul_a/sctk
Platforms: Linux, POSIX
Summary:
Smart Card ToolKit provides a library and associated tools for smart
cards. Phoenix and Smartmouse protocols are supported for ISO7816
asynchronous smart card access and debugging. JDM is supported for
programming PIC-based smart cards like piccard, goldwafer (goldcard), and
silvercard. SPI is supported for programming AVR based smart cards
(funcard). PIC and AVR loaders provide access to external I2C EEPROM. I2C
memory smart cards are also supported. All tools use Intel hex file format
to store data. An Intel hex to binary and vice-versa converting tool is
also provided.
3. xferlogDB v0.3.3
by Brian Christensen brian (at) jordhulen (dot) dk
Relevant URL:
http://www.jordhulen.dk/xferlogDB
Platforms: OS Independent
Summary:
xferlogDB is a tool for analyzing xferlogs from glFTPd.
4. Pixilate v0.1
by Kirby Kuehl vacuum (at) users.sourceforge (dot) net
Relevant URL:
http://winfingerprint.sourceforge.net/pixilate.php
Platforms: FreeBSD, Linux, NetBSD, OpenBSD
Summary:
Pixilate is a packet generation tool based on Libnet 1.1.0 (older
Libnet 1.0.x versions will not work). Pixilate generates packets by
parsing a file that contains ACLs in either Cisco IOS format (using the -r
option) or in Cisco PIX 6.2x format. Currently TCP, UDP, IGMP, and various
types of ICMP packets are built with the appropriate source and
destination for each rule. "any" as a source generates a random source
address and "any" as a destination will send the packet to the user
supplied destination (-d option). For more information, see the pixilate
manpage.
5. Iptables Script Generator v0.1
by zac
Relevant URL:
http://iptables.linux.dk/
Platforms: N/A
Summary:
The iptables Script Generator is a set of PHP scripts that makes it easy
to generate a custom iptables script for router and/or firewall use. It
also makes it possible for computers on your LAN to surf on the Internet
6. Java Log analyzer 1.0 v1.0
by Antonio Da Silva
Relevant URL:
http://jxla.novadeck.org/en/index.xml
Platforms: Java
Summary:
JXLA is an HTTP log analyzer written in Java. Reports are created in XML.
You can fully configure the output by using your own XSL stylesheet.
V. SECURITY JOBS SUMMARY
------------------------
1. Senior Sales Engineer (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/303160
2. Seeking security opportunities (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/303204
3. Chief Technology Officer (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/303203
4. Network Security Analyst - Mechanicsburg, PA (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/303175
5. Information Security Manager, HIPAA - Reno/NV (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/303197
6. Penetration Testers / Team Leader- UK, South East - CHECK Certified... (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/303191
7. Security Engineer - NY Metro (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/303192
8. Software Engineers - Calgary AB, Canada (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/303010
9. Security Compliance and Reporting Lead-Cleveland, Ohio (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/303009
10. Senior Security Project Manager (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/303018
11. Need Security Consultants in Boston Area (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/302943
12. Australian Security Businesses (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/302766
13. Stop me before I consult again (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/302775
14. Seeking Indianapolis-based Ethical Hacker (NOT an oxymoron) (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/302781
VI. INCIDENTS LIST SUMMARY
-------------------------
1. DNS help (Thread)
Relevant URL:
http://online.securityfocus.com/archive/75/303217
2. Odd entries in my Security Router logs (Thread)
Relevant URL:
http://online.securityfocus.com/archive/75/303199
3. EBay Fraud Attempt (Thread)
Relevant URL:
http://online.securityfocus.com/archive/75/302971
4. strange attractors or weaknesses in Nimda's prng (Thread)
Relevant URL:
http://online.securityfocus.com/archive/75/302982
5. what else you can do with worm networks...fun, profit, etc (Thread)
Relevant URL:
http://online.securityfocus.com/archive/75/302691
6. Spam via proxy (Thread)
Relevant URL:
http://online.securityfocus.com/archive/75/302681
7. netbios vuln (Thread)
Relevant URL:
http://online.securityfocus.com/archive/75/302682
8. A small quandary (Thread)
Relevant URL:
http://online.securityfocus.com/archive/75/302697
9. Fwd: EBay Fraud Attempt (Thread)
Relevant URL:
http://online.securityfocus.com/archive/75/302687
10. Does W2k issue an NBNS query automatically following each unsuccessful reverse DNS query? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/75/302499
11. high activity on port 3061 udp/tcp (Thread)
Relevant URL:
http://online.securityfocus.com/archive/75/302501
12. Incident tracking database (Thread)
Relevant URL:
http://online.securityfocus.com/archive/75/302494
VII. VULN-DEV RESEARCH LIST SUMMARY
----------------------------------
1. Web single sign-on (Thread)
Relevant URL:
http://online.securityfocus.com/archive/82/302802
2. Homeland Def. Trng Conference - Jan 14-16, 2003 - New Speakers Added-Colo Sprngs (Thread)
Relevant URL:
http://online.securityfocus.com/archive/82/302436
3. RES: RES: IIS Vulnerability Content-Type overflow [DH-7XC4RA3] (Thread)
Relevant URL:
http://online.securityfocus.com/archive/82/302381
VIII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. IIS 4 Security (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/303276
2. ISM Permissions? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/302989
3. FW: /Rpc virtual directory in IIS - How did it get there? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/302613
4. SecurityFocus Microsoft Newsletter #116 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/302608
5. /Rpc virtual directory in IIS - How did it get there? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/302565
6. issues with syskey in NT 4.0 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/302385
IX. SUN FOCUS LIST SUMMARY
----------------------------
1. NO NEW POSTS FOR THE WEEK ENDING 12.13.02
X. LINUX FOCUS LIST SUMMARY
---------------------------
1. NO NEW POSTS FOR THE WEEK ENDING 12.13.02
XI. SPONSOR INFORMATION
-----------------------
This issue is sponsored by: Qualys