SecurityFocus News
SecurityFocus Newsletter #185 Feb 24 2003 07:51PM
Stephen Entwisle (se securityfocus com)
SecurityFocus Newsletter #185
-----------------------------
This issue sponsored by Verisign-The Value Of Trust

Secure Your Servers

Secure your servers with 128-bit SSL encryption! Grab your copy of
VeriSign's FREE Guide, "Securing Your Web site for Business," and you'll
learn everything you need to know about using 128-bit SSL to encrypt your
e-commerce transactions, secure your corporate intranets and authenticate
your Web sites. 128-bit SSL is serious security for your online business.
Get it now!

http://www.verisign.com/cgi-bin/go.cgi?a=n09440117580057000
---------------------------------------------------------------------------

I. FRONT AND CENTER
1. Exchange 2000 in the Enterprise: Tips and Tricks Part Three
2. Secure MySQL Database Design
3. Richard Clarke's Legacy of Miscalculation
4. SecurityFocus DPP Program
5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. BUGTRAQ SUMMARY
1. Util-Linux mcookie Cookie Generation Weakness
2. IndyNews delMediaFile() File Deletion Vulnerability
3. IndyNews manageMedia() File Deletion Vulnerability
4. IndyNews HTML Injection Vulnerability
5. Apple MacOS Classic TruBlueEnvironment Environment Variable...
6. Apple File Protocol iDrive Administrator Login Weakness
7. PHP-Board User Password Disclosure Vulnerability
8. Kietu Hit.PHP Remote File Inclusion Vulnerability
9. DotBr PHPInfo Environment Information Disclosure Vulnerability
10. DotBr Config.Inc Information Disclosure Vulnerability
11. DotBr Exec.PHP3 Remote Command Execution Vulnerability
12. DotBr System.PHP3 Remote Command Execution Vulnerability
13. IBM Lotus Domino HTTP Redirect Buffer Overflow Vulnerability
14. IBM Lotus Domino Web Server iNotes s_ViewName/Foldername...
15. IBM Lotus iNotes ActiveX Control Buffer Overflow Vulnerability
16. BisonFTP Long Command Denial of Service Vulnerability
17. BisonFTP Information Disclosure Vulnerability
18. Microsoft Riched20.dll Attribute Buffer Overflow Vulnerability
19. PHP CGI SAPI Code Execution Vulnerability
20. Netcharts Server Chunked Encoding Information Leakage...
21. D-Forum Remote File Include Vulnerability
22. BitchX Malformed RPL_NAMREPLY Denial Of Service Vulnerability
III. SECURITYFOCUS NEWS ARTICLES
1. Airport limo firm allegedly hobbled by revenge hack
2. How to get an ATM PIN number in 15 guesses
3. Crypto attack against SSL outlined
4. States take step toward sharing cyberthreat data
IV. SECURITYFOCUS TOP 6 TOOLS
1. PlexCrypt v3.1
2. Traffik tool Troll v0.7
3. LinuxMagic magic-smtpd v0.7.0
4. snortalog v1.7.0
5. labrea v2.5b1
6. Looper Event / Alert System v0.20
V. SECURITYJOBS LIST SUMMARY
1. Technical security reconciliation (Thread)
2. Internship in São Paulo / Brazil (Thread)
3. Forensic and Information Security Analyst Looking for a home in...
4. Systems Engineer - Application Level Security (Thread)
5. Security Sales Professionals Needed (Thread)
6. Looking for Job in Italy (Thread)
7. Network Security Engineer - NJ (Thread)
8. Needed Penetration Testers (Thread)
9. Senior Security Consultant needed in Washington DC (Thread)
10. looking for Security Professionals in India (Thread)
11. Infrastructure Security Manager- Rhode Island (Thread)
12. Sunny Florida - Application Security Engineer (Thread)
VI. INCIDENTS LIST SUMMARY
1. Scans on TCP port 135 (Thread)
2. Weird Profile in Documents and Settings (Thread)
3. Distributed spam-based DoS in progress (Thread)
4. Dead thread -- Distributed spam-based DoS in progress (Thread)
5. port 17300 probe fingerprint analysis (Thread)
6. Kuang2 strikes again, is it just me? (Thread)
7. www.nopop.net (Thread)
8. Web Defacement (Thread)
9. mIRC Trojan Variant - port 445 worm/Trojan (Thread)
10. ano (at) ano (dot) com ftpd dip.t-dialin.net (Thread)
11. Incidents list administrivia and introductions... (Thread)
12. Spies on Your PC HDrv (Thread)
13. ICMP Destination Unreachable, Administratively Prohibited...
14. S4T4N1C Web Defacement (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
1. Call For Papers Announcement: Black Hat Briefings Amsterdam
2. VisualBasic auditing2 (Thread)
3. VisualBasic auditing (Thread)
4. Is this an off-by-one overflow? (Thread)
5. [argv] BitchX-353 Vulnerability (Thread)
6. A different bash blues (Thread)
7. glibc glob_filename() recurse call stack overflow (Re[2]: Bash...
8. glibc glob_filename() recurse call stack overflow (Re[2]: Bash...
9. Windows 2000 Static arp not static (Thread)
10. Administrivia: Bash Blues (Thread)
11. Bash Blues. (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
1. Windows2000 QuickLaunch (Thread)
2. MS Software Update Service (Thread)
3. AW: MS Software Update Service (Thread)
4. Restricting CmdExec Rights to Sysadmin (Thread)
5. Windows station permissions, remote control programs,lower...
6. AW: Restricting CmdExec Rights to Sysadmin (Thread)
7. [despammed] Defeating password cracking (Thread)
8. Windows station permissions, remote control programs, lower...
9. Defeating password cracking (Thread)
10. Website inside or outside domain (Thread)
11. Ye Olde OWA Topic (Was Website inside or outside domain)...
12. Unhappy face icon on NT 4 workstation (Thread)
13. SecurityFocus Microsoft Newsletter #125 (Thread)
14. website inside or outside the domain? (Thread)
15. Windows 2000 Static arp not static (Thread)
IX. SUN FOCUS LIST SUMMARY
1. NO NEW POSTS FOR THE WEEK ENDING 02.21.03
X. LINUX FOCUS LIST SUMMARY
1. entropy + openSSL question (Thread)
2. LKM Trojan installed (Thread)
3. openSSL Key generation (Thread)
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Exchange 2000 in the Enterprise: Tips and Tricks Part Three
By Timothy M. Mullen

This is the second installment in a two-part series on securing Exchange
2000 in the enterprise. The last segment addressed the security
ramifications of publishing mail content to the Internet via Outlook Web
Access. This installment will discuss configuring IPSec between front-end
and back-end OWA Servers as well as headers.

http://online.securityfocus.com/infocus/1668

2. Secure MySQL Database Design
by Kristy Westphal

When it comes to installing software, secure design is often the last
consideration. The first goal is usually just to get it to work. This is
particularly true of databases. Databases are commonly referred to as the
keys to the kingdom, meaning that once they are compromised, all the
valuable data stored there could fall into the hands of the
attacker. With this in mind, this article will discuss various methods to
secure databases, specifically one of the most popular freeware databases
in use today, MySQL.

http://online.securityfocus.com/infocus/1667

3. Richard Clarke's Legacy of Miscalculation
By George Smith

The outgoing cybersecurity czar will be remembered for his steadfast
belief in the danger of Internet attacks, even while genuine threats
developed elsewhere.

http://online.securityfocus.com/columnists/143

4. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11

Solutions to today's security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY
-------------------
1. Util-Linux mcookie Cookie Generation Weakness
BugTraq ID: 6855
Remote: Yes
Date Published: Feb 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6855
Summary:

util-linux is a freely available, open source software package that
provides some implementations of standard UNIX utilities, such as login.
Included with util-linux is the mcookie utility that is used to generate
random cookies for use with X authentication.

A weakness has been reported for the mcookie utility where cookies may be
generated in a predictable manner. The weakness occurs because mcookie
uses /dev/urandom to generate cookies.

This may be exploited by an attacker to guess cookie values to steal
credentials of users who use X authentication.

Information obtained in this manner may be used by the attacker to launch
further attacks against vulnerable systems and users.

2. IndyNews delMediaFile() File Deletion Vulnerability
BugTraq ID: 6856
Remote: Yes
Date Published: Feb 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6856
Summary:

IndyNews is a module designed for integration with the PHP-Nuke web portal
software.

A vulnerability has been discovered in the IndyNews module available for
PHP-Nuke. The problem occurs in the delMediaFile() function and may allow
an unauthorized attacker to delete media files. The susceptible files are
only those that have been included in an approved article. This issue
could be exploited to obstruct a website's ability to distribute various
files.

The precise technical details regarding this vulnerability are currently
unknown. This BID will be updated accordingly as more information is made
available.

3. IndyNews manageMedia() File Deletion Vulnerability
BugTraq ID: 6857
Remote: Yes
Date Published: Feb 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6857
Summary:

IndyNews is a module designed for integration with the PHP-Nuke web portal
software.

A vulnerability has been discovered in the IndyNews module available for
PHP-Nuke. The problem occurs in the manageMedia() function and may allow
an unauthorized attacker to delete or modify various files.

Exploitation of this issue may allow an attacker to influence the upload
location of remote PHP files, potentially making it possible to execute
arbitrary PHP commands.

The precise technical details regarding this vulnerability are currently
unknown. This BID will be updated accordingly as more information is made
available.

4. IndyNews HTML Injection Vulnerability
BugTraq ID: 6858
Remote: Yes
Date Published: Feb 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6858
Summary:

IndyNews is a module designed for integration with the PHP-Nuke web portal
software.

A vulnerability has been discovered in the IndyNews module available for
PHP-Nuke. Due to insufficient sanitization of HTML tags it is possible to
embed HTML code within the 'alt' tags of a news article. When the news
article is viewed by an unsuspecting user the embedded code will be
executed within the context of the site visited.

This issue could be exploited by taking advantage of a bug found in the
editMediaDescr() and editMediaTempDescr() functions. Through the malicious
use of these functions it is possible for an unauthorized user to modify
the 'alt' tags of a proposed or already displayed news article.

The precise technical details regarding this vulnerability are currently
unknown. This BID will be updated accordingly as more information is made
available.

5. Apple MacOS Classic TruBlueEnvironment Environment Variable Privilege Escalation Vulnerability
BugTraq ID: 6859
Remote: No
Date Published: Feb 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6859
Summary:

Apple MacOS X includes a Classic emulator to support applications written
for Classic versions of the operating system.

Apple has released a client security update which details a vulnerability
in the Apple MacOS Classic environment for MacOS X, which may lead to
elevation of privileges. This issue exists in TruBlueEnvironment, which
is included in the emulator.

It has been reported that an environment variable used by
TruBlueEnvironment may be changed to cause arbitrary local files to be
overwritten or created. The environment variable is used to define a
location to output debugging information to a file.

TruBlueEnvironment will create or overwrite the debugging file with
world-writeable privileges, depending on the umask of the process creating
the file. The file will not be executable when it is created. However, a
facility such as cron may potentially run the file through a shell
interpreter. This may cause the file to run with elevated privileges,
resulting in privilege escalation. A denial of service is also possible
if critical system files are corrupted by the attacker.

6. Apple File Protocol iDrive Administrator Login Weakness
BugTraq ID: 6860
Remote: Yes
Date Published: Feb 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6860
Summary:

Apple File Protocol (AFP) is used with Apple's 'iDisk' feature to allow
systems to store files on Apple's site.

The AFP allows a system administrator to log onto a system as a normal
user using administration credentials. This is the default behaviour. When
authenticating, it is possible for an attacker to obtain the administrator
credentials by intercepting data.

Further details about this issue are not known at this time. This BID will
be updated as further information becomes available.

7. PHP-Board User Password Disclosure Vulnerability
BugTraq ID: 6862
Remote: Yes
Date Published: Feb 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6862
Summary:

php-board is web forum software.

A vulnerability has been reported in php-board which may disclose
sensitive information to remote attackers. This flaw exists in the
'login.php' script.

php-board user information is stored in flat files on the system hosting
the software. Access to the files via the web is not sufficiently
restricted. Remote attackers may request user files and gain access to
php-board user and administrative passwords. The attacker must know the
name of the user whose file they are requesting.

The attacker may use the disclosed credentials to perform actions on the
php-board system as the user.

8. Kietu Hit.PHP Remote File Inclusion Vulnerability
BugTraq ID: 6863
Remote: Yes
Date Published: Feb 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6863
Summary:

Kietu is web-based software for tracking web site usage statistics. It is
implemented in PHP.

A flaw in the Kietu 'hit.php' script may permit remote attackers to
include malicious remote files. Remote users may influence the include
path for the 'config.php' configuration file. An attacker may exploit
this to include a malicious PHP script named 'config.php' from a remote
host, resulting in execution of arbitrary commands with the privileges of
the webserver process.

9. DotBr PHPInfo Environment Information Disclosure Vulnerability
BugTraq ID: 6864
Remote: Yes
Date Published: Feb 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6864
Summary:

DotBr is a web application implemented in PHP. It includes features to
allow websites to host a poll.

DotBr may disclose sensitive information to remote attackers about the
environment of the system hosting the software. This is due to the use of
the PHP phpinfo() function in the 'foo.php3' script. This may disclose
version information and path information to the attacker.

This information may be helpful in mounting further attacks against the
system.

10. DotBr Config.Inc Information Disclosure Vulnerability
BugTraq ID: 6865
Remote: Yes
Date Published: Feb 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6865
Summary:

DotBr is a web application implemented in PHP. It includes features to
allow websites to host polls. DotBr is backended by a MySQL database.

The DotBr configuration file (config.inc) may potentially disclose
sensitive information to remote attackers. This issue occurs because the
configuration file does not have the proper PHP file extension in the
default installation, and may be displayed by the webserver instead of
handled by the PHP interpreter. Database authentication credentials and
other information may be disclosed as a result.

The attacker may use this information in attempts to gain unauthorized
access to other resources.
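The two DotBr entries above (the phpinfo() page and the configuration file served as plain text) are both things an administrator can audit for on a document root. The following PHP CLI script is an added example, not DotBr's or php-board's code: it walks a directory, flags PHP source stored under an extension the web server would serve verbatim, and flags scripts that call phpinfo(). The extension list, the directory layout and the file names are constructed for the example; the sample tree is written to a temporary directory so the script runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not DotBr or php-board code. Directory layout, file names
// and the extension list below are assumptions for illustration.

// Extensions this web server hands to the PHP interpreter (adjust to match
// the AddType/handler configuration of the server being audited).
const PHP_EXTENSIONS = ['php', 'php3', 'phtml'];

// Walk $root and return a sorted list of findings as "relative/path: reason".
function audit_docroot(string $root): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();
        $ext  = strtolower($file->getExtension());
        $body = (string) file_get_contents($path);
        $rel  = substr($path, strlen($root) + 1);
        $isPhp = in_array($ext, PHP_EXTENSIONS, true);

        // The config.inc case: PHP code under an extension the server does not
        // pass to the interpreter is delivered as text, credentials included.
        if (!$isPhp && str_contains($body, '<?')) {
            $findings[] = "$rel: PHP source would be served as plain text";
        }
        // The foo.php3 case: phpinfo() reachable by any visitor discloses
        // versions, paths and environment variables.
        if ($isPhp && preg_match('/\bphpinfo\s*\(/', $body)) {
            $findings[] = "$rel: calls phpinfo()";
        }
    }
    sort($findings);
    return $findings;
}

// Constructed sample tree mirroring the two advisories.
$root = sys_get_temp_dir() . '/audit_' . bin2hex(random_bytes(4));
mkdir("$root/inc", 0700, true);
file_put_contents("$root/inc/config.inc", "<?php \$db_pass = 'example';\n");
file_put_contents("$root/foo.php3", "<?php phpinfo();\n");
file_put_contents("$root/index.php", "<?php echo 'ok';\n");

foreach (audit_docroot($root) as $line) {
    echo $line, "\n";
}

// Remove the sample tree again.
foreach (["$root/inc/config.inc", "$root/foo.php3", "$root/index.php"] as $f) {
    unlink($f);
}
rmdir("$root/inc");
rmdir($root);
```

Run it with `php audit.php`; on the constructed tree it reports foo.php3 and inc/config.inc. The usual remediations are the ones the advisories imply: keep configuration outside the document root or give it an extension the interpreter owns (and guard it with a constant so it cannot be requested directly), and remove phpinfo() pages from production.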

11. DotBr Exec.PHP3 Remote Command Execution Vulnerability
BugTraq ID: 6867
Remote: Yes
Date Published: Feb 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6867
Summary:

DotBr is a web application implemented in PHP. It includes features to
allow websites to host polls.

The DotBr 'exec.php3' script is prone to a remote command execution
vulnerability. This is due to insufficient sanitization of user-supplied
data before it is passed through the PHP passthru() function. If
exploited, the function will invoke the underlying shell with
attacker-supplied parameters.

Exploitation may result in execution of arbitrary shell commands with the
privileges of the webserver process.

12. DotBr System.PHP3 Remote Command Execution Vulnerability
BugTraq ID: 6866
Remote: Yes
Date Published: Feb 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6866
Summary:

DotBr is a web application implemented in PHP. It includes features to
allow websites to host polls.

The DotBr 'system.php3' script is prone to a remote command execution
vulnerability. This is due to insufficient sanitization of user-supplied
data before it is passed through the PHP system() function. If exploited,
the function will invoke the underlying shell with attacker-supplied
parameters.

Exploitation may result in execution of arbitrary shell commands with the
privileges of the webserver process.
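Both DotBr command execution entries (exec.php3 with passthru(), system.php3 with system()) share one root cause: request data is concatenated into a command line that the PHP function hands to /bin/sh. The following PHP is an added example, not DotBr's code; it shows the unsafe construction beside a hardened one, using an invented ping helper so the effect is visible without executing anything. Function names, the hostname pattern and the sample input are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not DotBr code. Names and the sample input are invented.

// VULNERABLE: the request value is spliced straight into the command line.
// passthru()/system() pass that string to /bin/sh, so a value containing
// ";" or "|" is parsed as additional commands, not as a hostname.
function build_command_unsafe(string $host): string
{
    return 'ping -c 1 ' . $host;
}

// HARDENED: first reject anything that is not a plausible hostname, then
// quote the single argument with escapeshellarg() so the shell can only
// ever see it as one word of data.
function build_command_safe(string $host): string
{
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('host rejected: ' . $host);
    }
    return 'ping -c 1 ' . escapeshellarg($host);
}

// Constructed sample input of the kind a hostile request might carry.
$input = 'localhost; echo injected';

echo "unsafe: ", build_command_unsafe($input), "\n";   // two commands
try {
    echo "safe:   ", build_command_safe($input), "\n";
} catch (InvalidArgumentException $e) {
    echo "safe:   ", $e->getMessage(), "\n";           // rejected before any shell call
}

// Only the validated, quoted form should ever reach passthru() or system():
//   passthru(build_command_safe($_GET['host'] ?? ''));
```

Separating command construction from execution, as above, also makes the builder easy to unit test with hostile inputs. Where the shell is not needed at all, calling the program directly (for example via proc_open() with an argument array, available in PHP 7.4 and later) removes the metacharacter problem entirely.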

13. IBM Lotus Domino HTTP Redirect Buffer Overflow Vulnerability
BugTraq ID: 6870
Remote: Yes
Date Published: Feb 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6870
Summary:

Lotus Domino Server is an application framework for web based
collaborative software. It runs on multiple platforms including Microsoft
Windows and Unix.

It has been reported that Lotus Domino 6 is affected by a buffer overflow
vulnerability. The condition occurs when the server constructs a HTTP
redirect response.

According to the report, the client-supplied "HOST" HTTP header field is
copied into a local buffer without bounds checking. Consequently, a
buffer overflow occurs if the HOST parameter is of excessive length.

Attackers may exploit this vulnerability by identifying and then
requesting, with a malicious HOST parameter in the request header, a
specific document that causes the server to respond with a redirect.

Successful exploitation of this vulnerability may result in attackers
gaining control of affected servers.

14. IBM Lotus Domino Web Server iNotes s_ViewName/Foldername Buffer Overflow Vulnerability
BugTraq ID: 6871
Remote: Yes
Date Published: Feb 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6871
Summary:

Lotus Domino Server is an application framework for web based
collaborative software. It runs on multiple platforms including Microsoft
Windows and Unix.

Lotus Domino iNotes Web Server does not perform adequate bounds checking
on the s_ViewName/Foldername options of the PresetFields parameter. A
buffer overflow condition can occur if excessively long strings are
supplied as values for these fields when requesting web based mail
services. This could result in sensitive areas of memory being
overwritten to allow attacker-supplied code to be executed. This code
would be executed in the security context of the account running the
Domino Web Services.

15. IBM Lotus iNotes ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 6872
Remote: Yes
Date Published: Feb 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6872
Summary:

IBM Lotus iNotes is a web based messaging/collaboration application.
Installation of support for iNotes on client systems includes an ActiveX
control, "Lotus Domino Session ActiveX Control".

A buffer overflow vulnerability is reportedly present in this control.
The condition is in the method "InitializeUsingNotesUserName()" and may be
triggered if the method is called with a parameter of excessive length.

Malicious web content may invoke the control and exploit the vulnerability
to execute instructions on target client systems. Furthermore, other
applications which use the MSIE HTML rendering component may also be
vulnerable if ActiveX support is enabled. It should be noted that any
code executed would run with the privileges of the user who started MSIE.

16. BisonFTP Long Command Denial of Service Vulnerability
BugTraq ID: 6869
Remote: Yes
Date Published: Feb 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6869
Summary:

BisonFTP is an FTP daemon available for Windows based systems.

The BisonFTP daemon is prone to a denial of service condition when issued
certain commands by the remote client.

If the client issues an FTP command such as 'cwd' or 'ls' containing 4300
bytes of data or more, the CPU usage on the system will increase to 100%.
This results in the host being unavailable until the connection is closed
by the client.

17. BisonFTP Information Disclosure Vulnerability
BugTraq ID: 6873
Remote: Yes
Date Published: Feb 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6873
Summary:

BisonFTP Server is an FTP daemon that is available for Windows based
systems.

The BisonFTP server does not properly sanitize directory traversal
sequences from user input. This allows users to issue an 'ls' command
using the sequence '@../' in order to gain a file listing outside of the
FTP root. Information obtained could be used to mount further attacks
against the system.

18. Microsoft Riched20.dll Attribute Buffer Overflow Vulnerability
BugTraq ID: 6874
Remote: No
Date Published: Feb 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6874
Summary:

Rich Text Format (RTF) files are parsed by the riched20.dll library on
Windows platforms. This library is included in most versions of Windows
and may also be installed by other applications that are required to parse
.rtf files.

Reportedly, it is possible to overrun a buffer in riched20.dll, causing
the calling application (such as Microsoft Outlook or Word) to fail.
This buffer can be overrun by including more than 65536 bytes of data in
an attribute label contained in the .rtf file. Arbitrary code execution
may be possible.

This vulnerability may be related to BID 807.

** Some reports indicate that this vulnerability could not be reproduced
on riched20.dll v.3.0 (5.30.23.1200) running on Windows NT.

19. PHP CGI SAPI Code Execution Vulnerability
BugTraq ID: 6875
Remote: Yes
Date Published: Feb 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6875
Summary:

PHP is a freely available, open source web scripting language package. It
is available for Microsoft Windows, Linux, and Unix operating systems.

An unspecified vulnerability has been reported in the CGI SAPI of PHP
version 4.3.0.

Direct access to the CGI binary can be prevented by using the
configuration option '--enable-force-cgi-redirect' and the php.ini option
'cgi.force_redirect'.

The report states that an unspecified bug could render these options
useless, allowing a remote user to directly access the CGI binary. This
could allow an attacker to read any file that is readable by the web
server user, or to potentially execute arbitrary PHP code. The attacker
would have to be able to inject the PHP code into a file accessible by the
CGI binary, such as the web server access logs.

20. Netcharts Server Chunked Encoding Information Leakage Vulnerability
BugTraq ID: 6877
Remote: Yes
Date Published: Feb 18 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6877
Summary:

NetCharts Server provides multi-platform data connectivity and combines a
servlet engine, a graphics engine and scheduling features.

It has been reported that Netcharts Server is unable to sufficiently
handle invalid chunked encoded HTTP requests.

Although the timing of the query-response exchange is reportedly difficult
to predict, one scenario is an attacker desynchronizing the Netcharts
Server so that legitimate Netcharts Server users receive an
attacker-chosen response. The attacker may achieve this by flooding the
Netcharts Server communication channels with an attacker-supplied
response.

This may lead to sensitive information leakage or network performance
degradation as a result of the attacker's attempts to exploit this
condition.

21. D-Forum Remote File Include Vulnerability
BugTraq ID: 6879
Remote: Yes
Date Published: Feb 18 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6879
Summary:

D-Forum is a freely available discussion forum written in PHP.

D-Forum is prone to an issue which may allow remote attackers to include
files located on remote servers. This issue is present in the header.php3
and footer.php3 pages existing in the /includes folder.

Under some circumstances, it is possible for remote attackers to influence
the include path for these scripts to point to an external file on a
remote server by manipulating the '$my_header' and '$my_footer' URI
parameters.

If the remote file is a malicious file, this may be exploited to execute
arbitrary system commands in the context of the webserver.
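The D-Forum entry and the Kietu hit.php entry above describe the same pattern: an include path that request data can rewrite, which under register_globals and allow_url_fopen lets include() fetch a file from a remote host. The following PHP is an added example, not D-Forum's or Kietu's code; it shows the unsafe resolution beside a hardened one that maps request data onto a fixed allowlist of local files. The parameter name my_header comes from the advisory; the directory constant, variant names and sample requests are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not D-Forum or Kietu code. Only the parameter name
// my_header is taken from the advisory; everything else is invented.

// VULNERABLE: the include path is whatever the request supplies. With
// register_globals on, a URL parameter overwrites $my_header before the
// script assigns its default, and include() will fetch a remote URL when
// allow_url_fopen (PHP 4) or allow_url_include (PHP 5.2+) permits it.
function resolve_include_unsafe(array $request, string $default): string
{
    return $request['my_header'] ?? $default;
}

// HARDENED: request data selects a key from a fixed allowlist, never a
// path. The result is always an absolute path under a constant directory.
const INCLUDE_BASE    = __DIR__ . '/includes';
const ALLOWED_HEADERS = [
    'default' => 'header.php3',
    'plain'   => 'header_plain.php3',
];

function resolve_include_safe(array $request): string
{
    $key = $request['my_header'] ?? 'default';
    if (!array_key_exists($key, ALLOWED_HEADERS)) {
        throw new InvalidArgumentException('unknown header variant: ' . $key);
    }
    return INCLUDE_BASE . '/' . ALLOWED_HEADERS[$key];
}

// Constructed sample requests: one hostile, one benign.
$hostile = ['my_header' => 'http://attacker.invalid/evil.txt'];
$benign  = ['my_header' => 'plain'];

echo "unsafe: ", resolve_include_unsafe($hostile, 'includes/header.php3'), "\n"; // remote URL reaches include()
echo "safe:   ", resolve_include_safe($benign), "\n";
try {
    resolve_include_safe($hostile);
} catch (InvalidArgumentException $e) {
    echo "safe:   ", $e->getMessage(), "\n";   // rejected, nothing included
}
```

An allowlist keyed by name rather than path is the durable fix; disabling allow_url_include (and register_globals, removed in PHP 5.4) in php.ini removes the remote half of the problem but still leaves local file inclusion possible, so both belong together.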

22. BitchX Malformed RPL_NAMREPLY Denial Of Service Vulnerability
BugTraq ID: 6880
Remote: Yes
Date Published: Feb 18 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6880
Summary:

BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.

A problem with BitchX could make it possible for a malicious IRC server to
crash a vulnerable client.

It has been reported that BitchX does not properly handle some types of
replies contained in the RPL_NAMREPLY numeric. When a malformed reply is
received by the client, the client crashes, resulting in a denial of
service.

The problem occurs through the handling of the 353 IRC numeric. It is
suspected that this vulnerability may also make possible the execution of
arbitrary code. In the event that this is possible, code executed through
this vulnerability would be in the context of the BitchX user. This could
allow a remote attacker access to the system on which the affected client
is running with the privileges of the BitchX user.

III. SECURITYFOCUS NEWS AND COMMENTARY
------------------------------------------
1. Airport limo firm allegedly hobbled by revenge hack
By Kevin Poulsen

Terminated network administrator is charged with a retaliatory strike
against former employer's systems.

http://online.securityfocus.com/news/2567

2. How to get an ATM PIN number in 15 guesses
By John Leyden, The Register

Cambridge researchers have documented a worrying PIN cracking technique
against the hardware security modules commonly used by bank ATMs.

http://online.securityfocus.com/news/2584

3. Crypto attack against SSL outlined
By John Leyden, The Register

Swiss security researchers have discovered an attack against
implementations of the ubiquitous SSL protocol that could potentially
compromise email passwords, though not ecommerce transactions.

http://online.securityfocus.com/news/2583

4. States take step toward sharing cyberthreat data
By William Jackson, TechNews.com

Thirteen states, led by New York, last weekend conducted a communications
exercise that could lead to a new, multistate information sharing and
analysis center.

http://online.securityfocus.com/news/2553

IV. SECURITYFOCUS TOP 6 TOOLS
-----------------------------
1. PlexCrypt v3.1
by plexobject
Relevant URL:
http://www.plexobject.com/software/plexcrypt/index.html
Platforms: AIX, HP-UX, IRIX, Linux, POSIX, Solaris, SunOS, Windows 2000,
Windows 95/98, Windows NT
Summary:

PlexCrypt is a GUI that allows a set of files or folders to be compressed
using the Zip format. In addition, it encrypts and decrypts a set of files
or a set of folders using AES, Blowfish, CAST, DES, ElGamal, IDEA, IES,
RC4, RC6, RSA, Rijndael, Serpent, Skipjack, Twofish, etc. It allows users
to create digital signatures and digests and verify them. It also allows
users to create and manage digital certificates for encryption and signatures.

2. Traffik tool Troll v0.7
by Alexander Newald alexander (at) newald (dot) de
Relevant URL:
http://linux.newald.de/
Platforms: N/A
Summary:

The Traffik Tool Troll is a traffic monitoring and managing script.
Traffic statistics are generated by port, hour, day, month, and year. You
can define a special period for your needs. The script is written in Perl
and uses iptables and MySQL to get and store the traffic.

3. LinuxMagic magic-smtpd v0.7.0
by LinuxMagic Inc. magicsmtpd (at) linuxmagic (dot) com
Relevant URL:
http://www.linuxmagic.com/opensource/magicmail/magic-smtpd/
Platforms: Linux, POSIX
Summary:

MAGIC-SMTPD is a drop-in replacement for Dan Bernstein's qmail-smtpd, and
was originally designed to be part of the LinuxMagic Magic Mail Server.
This opensource version has been released to allow others to benefit from
its anti-spam components, and valid user checking to reduce server loads
and spam volumes. It is designed to support stock qmail installations,
qmail/vpopmail installations, and database connectivity. Designed for ISP
service, this will work for all mail servers large and small.

4. snortalog v1.7.0
by jeremy chartier
Relevant URL:
http://jeremy.chartier.free.fr/snortalog/
Platforms: UNIX
Summary:

Snortalog (formerly known as Snort-ng) is a powerful Perl script that
summarizes Snort logs, making it easy to view any network attacks detected
by Snort. It can generate charts in HTML. It works with all versions of
Snort, and can analyze logs in two formats: syslog alerts and text alerts.
It does not include a database for maximum performance.

5. labrea v2.5b1
by Tom Liston tliston (at) hackbusters (dot) net
Relevant URL:
http://labrea.sourceforge.net/
Platforms: Os Independent
Summary:

labrea is a program that creates a "sticky honeypot" by taking over unused
IP addresses on a network and creating virtual machines that answer to
connection attempts. labrea answers those connection attempts in a way
that causes the machine at the other end to get "stuck", sometimes for a
very long time.

6. Looper Event / Alert System v0.20
by Mohit Muthanna bugs (at) muthanna (dot) com
Relevant URL:
http://looper.sourceforge.net/
Platforms: AIX, FreeBSD, HP-UX, Linux, OpenBSD, Solaris, SunOS
Summary:

Looper is a highly modularized application designed to simplify the event
/ alert model. Primarily used for Network Management, this application can
be used to accomplish a variety of tasks related to logging and alerting
such as listening for SNMP traps and logging to a file or sending
notification to Netcool (a la "trapd probe"), reading a log file for
alerts and sending notification via e-mail, parsing syslogs and sending
notifications to Netcool (a la "syslog probe"), etc. Looper can also be
used as an ad-hoc Netcool probe or Gateway.

V. SECURITY JOBS SUMMARY
------------------------
1. Technical security reconciliation (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312642

2. Internship in São Paulo / Brazil (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312601

3. Forensic and Information Security Analyst Looking for a home in NYC (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312574

4. Systems Engineer - Application Level Security (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312573

5. Security Sales Professionals Needed (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312478

6. Looking for Job in Italy (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312475

7. Network Security Engineer - NJ (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312418

8. Needed Penetration Testers (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312384

9. Senior Security Consultant needed in Washington DC (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312375

10. looking for Security Professionals in India (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312374

11. Infrastructure Security Manager- Rhode Island (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312373

12. Sunny Florida - Application Security Engineer (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/311925

VI. INCIDENTS LIST SUMMARY
-------------------------
1. Scans on TCP port 135 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312587

2. Weird Profile in Documents and Settings (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312586

3. Distributed spam-based DoS in progress (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312469

4. Dead thread -- Distributed spam-based DoS in progress (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312422

5. port 17300 probe fingerprint analysis (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312366

6. Kuang2 strikes again, is it just me? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312277

7. www.nopop.net (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312115

8. Web Defacement (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312088

9. mIRC Trojan Variant - port 445 worm/Trojan (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312086

10. ano (at) ano (dot) com ftpd dip.t-dialin.net (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312000

11. Incidents list administrivia and introductions... (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/311980

12. Spies on Your PC HDrv (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312181

13. ICMP Destination Unreachable, Administratively Prohibited (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/311955

14. S4T4N1C Web Defacement (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/311952

VII. VULN-DEV RESEARCH LIST SUMMARY
----------------------------------
1. Call For Papers Announcement: Black Hat Briefings Amsterdam (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/312492

2. VisualBasic auditing2 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/312496

3. VisualBasic auditing (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/312507

4. Is this an off-by-one overflow? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/312501

5. [argv] BitchX-353 Vulnerability (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/312223

6. A different bash blues (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/311992

7. glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/311991

8. glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues ) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/311990

9. Windows 2000 Static arp not static (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/311931

10. Administrivia: Bash Blues (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/311892

11. Bash Blues. (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/311863

VIII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Windows2000 QuickLaunch (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312594

2. MS Software Update Service (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312595

3. AW: MS Software Update Service (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312591

4. Restricting CmdExec Rights to Sysadmin (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312598

5. Windows station permissions, remote control programs, lower privilege accounts (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312551

6. AW: Restricting CmdExec Rights to Sysadmin (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312547

7. [despammed] Defeating password cracking (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312549

8. Windows station permissions, remote control programs, lower privilege accounts (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312548

9. Defeating password cracking (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312358

10. Website inside or outside domain (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312264

11. Ye Olde OWA Topic (Was Website inside or outside domain) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312267

12. Unhappy face icon on NT 4 workstation (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312266

13. SecurityFocus Microsoft Newsletter #125 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312265

14. website inside or outside the domain? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312248

15. Windows 2000 Static arp not static (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312241

IX. SUN FOCUS LIST SUMMARY
--------------------------
1. NO NEW POSTS FOR THE WEEK ENDING 02.21.03

X. LINUX FOCUS LIST SUMMARY
---------------------------
1. entropy + openSSL question (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/312405

2. LKM Trojan installed (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/312387

3. openSSL Key generation (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/312270

XI. SPONSOR INFORMATION
-----------------------

This issue sponsored by Verisign-The Value Of Trust

http://www.verisign.com/cgi-bin/go.cgi?a=n09440117580057000

Copyright 2010, SecurityFocus