SecurityFocus News
SecurityFocus Newsletter #190 Mar 31 2003 04:39PM
John Boletta (jboletta securityfocus com)

SecurityFocus Newsletter #190
-----------------------------

This Issue is Sponsored by: CipherTrust

CHOKING ON SPAM?

Stop spam! -- Learn the TOP 10 Techniques To Control Spam.

Reclaim your mail server(s).  PROTECT YOUR EMAIL SYSTEM against spam and
other threats before they reach the mail infrastructure.  White Paper
shows you how!

http://www.ciphertrust.com/article/securityfocus_0331_01.htm
-------------------------------------------------------------------------------

I. FRONT AND CENTER
1. Incident Response Tools For Unix, Part One: System Tools
2. Virus Hoaxes and the Real Dangers They Pose
3. Too Cool For Secure Code
4. Uncle Roger's Folly
5. SecurityFocus DPP Program
II. BUGTRAQ SUMMARY
1. Check Point FW-1 Syslog Daemon Unfiltered Escape Sequence...
2. Mozilla Bonsai Parameters Page Unauthenticated Access Weakness
3. Mozilla Bonsai Remote Command Execution Vulnerability
4. eDonkey Clients Multiple Chat Dialog Resource Consumption...
5. Netgear ProSafe VPN Firewall Web Interface Login Denial Of...
6. Planetmoon Guestbook Clear Text Password Retrieval Vulnerability
7. ProtWare HTML Guardian Encryption Weakness
8. Simple Chat User Information Disclosure Vulnerability
9. PHPNuke Banners.PHP Banner Manager Password Disclosure...
10. Advanced Poll Remote Information Disclosure Vulnerability
11. PHPNuke News Module Article.PHP SQL Injection Vulnerability
12. PHPNuke News Module Index.PHP SQL Injection Vulnerability
13. Adobe Acrobat Plug-In Forged Digital Signature Vulnerability
14. 3Com SuperStack II RAS 1500 Malicious IP Header Denial of...
15. 3Com SuperStack II RAS 1500 Unauthorized Access Vulnerability
16. PAFileDB PAFileDB.PHP SQL Injection Vulnerability
17. PHP socket_iovec_alloc() Integer Overflow Vulnerability
18. Emule Empty Nickname Chat Request Denial Of Service...
19. Web Chat Manager HTML Code Injection Vulnerability
20. VChat Message Disclosure Vulnerability
21. VChat Long Message Denial Of Service Vulnerability
22. PHPNuke Viewpage.PHP File Disclosure Vulnerability
23. Joel Palmius Mod_Survey Data Injection Vulnerability
24. PHPNuke Forum Module Viewtopic.php SQL Injection Vulnerability
25. PHPNuke Forum Module Viewforum.PHP SQL Injection Vulnerability
26. Symantec Enterprise Firewall HTTP Pattern Matching Evasion...
27. PHP socket_recv() Signed Integer Memory Corruption Vulnerability
28. PHP socket_recvfrom() Signed Integer Memory Corruption...
29. PHP emalloc() Unspecified Integer Overflow Memory Corruption...
III. SECURITYFOCUS NEWS ARTICLES
1. FBI seeks Internet telephony surveillance
2. States Seen As Lax on Database Security
3. Wartime Internet Security Is 'Business as Usual'
4. Hackers replace Al-Jazeera Web site with American flag
IV. SECURITYFOCUS TOP 6 TOOLS
1. Web of Trust Statistics and Pathfinder v0.5
2. FTimes v3.2.1
3. Glub Tech Secure FTP v2.0.3
4. screen-scraper v0.8.6b
5. qmail-masq v0.6
6. ShoStats v1.1.1
V. SECURITYJOBS LIST SUMMARY
1. Senior Software/Security Engineer (White Hat Hacker) Redwood...
2. Security Infrastructure/ Architect needed in Northern, VA...
3. AEs and SEs needed in DC and Chicago (Thread)
4. Senior Software/Security Engineer (Redwood City, California)...
5. U.S. Navy Network Analyst with Focas on Security - looking for...
6. V.P of Engineering needed for netForensics (Thread)
7. Computer Forensics Investigation Manager, Hamburg, Germany...
8. Information Security Analyst (Thread)
9. Tivoli Access Manager Expert needed for contract in Florida...
10. IT Auditor: Atlanta, GA (Thread)
11. Pre-Sales Enterprise Management/Security Consultant for...
12. Sunny Florida - Software Security Architect (Thread)
13. Senior Fraud Investigation Consultant, London UK (Thread)
14. IT Auditor - Perm Post in Toronto w/ Travel (Thread)
15. Sr. Security Compliance and Reporting Consultant - Cleveland...
16. Information Security Manager - Cleveland, Ohio (Thread)
17. Resume to work as Network Security Analyst (Brazil) (Thread)
18. 20 Year Global Veteran Seeks Leadership Role (Thread)
19. Administrator skilled in Tivoli Access Manager (Thread)
20. Risk Assessment Professional - 1yr contract in Chicago (Thread)
21. Secure Network Operations, Inc. Seeking Sales Rep (Thread)
22. Business Development Manager - New York, NY (Thread)
23. Business Practice, Business Development Manager-UK (Thread)
24. Sr Security Engineer (Thread)
25. PKI Systems Engineer San Antonio Texas (Thread)
26. Intermediate-Senior Security Consultant, Southern California...
27. Bloomington, IL Unix Security Analyst opportunity (Thread)
28. IT Security Lead Consultant, London, UK (Thread)
VI. INCIDENTS LIST SUMMARY
1. SecurityFocus Article Announcement: Incident Response Tools...
2. strange DNS behavior over the last 2 days (Thread)
3. FTimes 3.2.1 Release (Includes Dig, HashDig, and Map Tools)...
4. Dead Thread: California State Bill SB1386 (Thread)
5. [Fwd: FW: California State Bill SB1386] (Thread)
6. California State Bill SB1386 (Thread)
7. AW: Chinese source: some web attack tool (Thread)
8. Trojan attacking our switches (Thread)
9. Chinese source: some web attack tool (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
1. TLS timing attack on OpenSSL [can-2003-78] [bid 6884] exploit...
2. Entercept - detection of return-to-libc (Thread)
3. Automatic discovery of shellcode address (Thread)
4. Backup Agents (Thread)
5. ptrace in linux kernel (Thread)
6. Article Announcement: Why the Dogs of Cyberwar Stay Leashed...
7. library/executable image (Thread)
8. Detecting abnormal behaviour (Thread)
9. NSLOOKUP.EXE (Thread)
10. Vulnerability (critical): Digital signature for Adobe...
11. mpg123 segfault (Thread)
12. RES: NSLOOKUP.EXE (Thread)
13. DEF CON Announcement: CFP, Media now on line! (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
1. USB Tokens (Thread)
2. Expire accounts from Active Directory after a period of...
3. SMB Brute Force (Thread)
4. MS03-007 Round-up (Thread)
5. SecurityFocus Microsoft Newsletter #130 (Thread)
6. Article Announcement: Why the Dogs of Cyberwar Stay Leashed...
7. Anyone have hard evidence of problems with Windows Automatic...
8. Anyone have hard evidence of problems with WindowsAutomatic...
9. Anyone have hard evidence of problems with Windows Automatic...
10. Anyone have hard evidence of problems with Windows Automatic...
IX. SUN FOCUS LIST SUMMARY
1. SecurityFocus Article Announcement (Thread)
2. Better Syslog server (Thread)
3. PAM authentication problem (Thread)
X. LINUX FOCUS LIST SUMMARY
1. SecurityFocus Article Announcement (Thread)
2. Live Upgrade for Linux (Thread)
3. Seeing who has su-ed (Thread)
4. latest ptrace hole patch? (Thread)
5. How to custom sulog? (Thread)
XI. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Incident Response Tools For Unix, Part One: System Tools
By Holt Sorenson

This article is the first in a three-part series on tools that are useful
during incident response and investigation after a compromise has occurred
on an OpenBSD, Linux, or Solaris system. This installment will focus on
system tools, the second part will discuss file-system tools, and the
concluding article will look at network tools.

http://www.securityfocus.com/infocus/1679

2. Virus Hoaxes and the Real Dangers They Pose
by Scott Granneman

Jerry Bryan immediately knew there was something wrong at his church. He
knew it the second he opened up the email from the pastor. As a highly
respected member of his church and a known technophile, Jerry was often
consulted by the pastor concerning technical matters. In this case,
however, the pastor was passing along a serious warning.

http://www.securityfocus.com/infocus/1678

3. Too Cool For Secure Code
By Jon Lasser

Until Unix and Linux programmers get over their macho love for low-level
programming languages, the security holes will continue to flow freely.

http://www.securityfocus.com/columnists/150

4. Uncle Roger's Folly
By George Smith

The Ganda virus shows why the Internet isn't the best source for reliable
war news, and malicious code isn't a good medium for anything.

http://www.securityfocus.com/columnists/151

5. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

II. BUGTRAQ SUMMARY
-------------------
1. Check Point FW-1 Syslog Daemon Unfiltered Escape Sequence Vulnerability
BugTraq ID: 7161
Remote: Yes
Date Published: Mar 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7161
Summary:

Check Point Firewall-1 is a popular firewall package available from
Checkpoint Software Technologies.

An issue has been discovered in Check Point FW-1 syslog daemon when
attempting to process a malicious, remotely supplied, syslog message.
Specifically, the syslog service does not properly filter out messages
that include escape sequences.

This issue may be exploitable by a remote attacker to cause the Check
Point syslog service to behave in an unpredictable manner. As well,
exploitation of this vulnerability will result in a remote attacker being
able to arbitrarily add syslog entries. This will ensure that any Check
Point syslog entries on the firewall host would be suspect.

It should be noted that this issue exists only when an administrator
attempts to view Check Point syslog messages via the console.

The technical details regarding this issue are currently unknown. This BID
will be updated when further information becomes available.
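The weakness described above (terminal escape sequences and line breaks passing unfiltered into a log that an administrator views on a console) is a general one, so the following added illustration shows the defensive side: flagging log messages that carry control characters and rendering them harmlessly before display. This is example code written for this newsletter, not Check Point's code; the sample messages and the field layout are constructed.

```python
import re

# Constructed sample messages (not from the advisory). The second one carries
# ANSI escape sequences and a carriage return that a terminal would interpret
# rather than print, letting the message overwrite what the viewer sees.
SAMPLE_MESSAGES = [
    "<134>Mar 21 12:00:00 fw1 accept src=10.0.0.5 dst=10.0.0.9 service=http",
    "<134>Mar 21 12:00:01 fw1 \x1b[2J\x1b[H\rdrop src=10.0.0.7 dst=10.0.0.9",
]

# Characters a terminal acts on instead of printing: C0 controls (TAB excepted),
# DEL, and the C1 range used by 8-bit escape sequences. Newline (0x0a) is
# included because an embedded newline is how a forged extra log entry is made.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f\x80-\x9f]")


def contains_control_chars(msg: str) -> bool:
    """True if the message would be interpreted, not merely printed, by a terminal."""
    return _CONTROL_RE.search(msg) is not None


def sanitize_for_console(msg: str) -> str:
    """Replace every control character with a visible \\xNN escape."""
    return _CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), msg)


def flag_and_sanitize(messages):
    """Return (sanitized_message, was_suspicious) for each input message."""
    results = []
    for msg in messages:
        results.append((sanitize_for_console(msg), contains_control_chars(msg)))
    return results


if __name__ == "__main__":
    for text, suspicious in flag_and_sanitize(SAMPLE_MESSAGES):
        print(("SUSPECT " if suspicious else "ok      ") + text)
```

The sanitized form keeps the evidence (the escape bytes are still readable as `\x1b[2J`) while removing the terminal's ability to act on them, and the `was_suspicious` flag is the hook for alerting on a source that emits such messages at all.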

2. Mozilla Bonsai Parameters Page Unauthenticated Access Weakness
BugTraq ID: 7163
Remote: Yes
Date Published: Mar 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7163
Summary:

Mozilla Bonsai is a tool that allows a user to perform queries on the
contents of a CVS archive.

A weakness has been reported for Bonsai that may allow remote attackers to
obtain unauthorized access to the parameters page. This page is accessed
through the editparams.cgi.

The parameters page is used by Bonsai to set several options for the tool.
Users by default are able to view this page but are unable to change any
parameters unless a password is entered.

Any information obtained in this manner may be used by an attacker to
launch further attacks against a system using Bonsai.

This vulnerability has been reported for Mozilla Bonsai 1.3 (including all
current and CVS versions).

3. Mozilla Bonsai Remote Command Execution Vulnerability
BugTraq ID: 7162
Remote: Yes
Date Published: Mar 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7162
Summary:

Mozilla Bonsai is a tool that allows a user to perform queries on the
contents of a CVS archive.

A vulnerability has been discovered in Mozilla Bonsai. This issue is
reported to affect all current and CVS versions of the utility.

Exploitation of this issue may allow an attacker to remotely execute
arbitrary commands with 'www-data' privileges.

The details regarding this vulnerability are currently unknown. This BID
will be updated as further information becomes available.

4. eDonkey Clients Multiple Chat Dialog Resource Consumption Vulnerability
BugTraq ID: 7164
Remote: Yes
Date Published: Mar 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7164
Summary:

eDonkey 2000 is a peer to peer file sharing network. It is similar to
KaZaa and Morpheus. Clients of eDonkey 2000 are built for Windows, Mac and
Linux operating systems.

A vulnerability has been reported for eDonkey clients for Windows that
will result in a denial of service condition.

The vulnerability occurs when numerous chat dialog boxes are opened by the
eDonkey or Overnet clients. Every open chat dialog box will consume a
small amount of memory and CPU cycles.

An attacker can exploit this vulnerability by connecting to a vulnerable
eDonkey user and issuing numerous chat requests. This will cause the
victim user's system to consume all available memory and CPU cycles thus
resulting in a denial of service condition.

This vulnerability was reported for eDonkey and Overnet clients prior to
0.46.

5. Netgear ProSafe VPN Firewall Web Interface Login Denial Of Service Vulnerability
BugTraq ID: 7166
Remote: Yes
Date Published: Mar 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7166
Summary:

The ProSafe VPN Firewall is a home and small office firewall and virtual
private network device distributed by Netgear.

A problem with the device could make it possible for a remote user to deny
service.

It has been reported that some ProSafe VPN Firewall devices do not
properly handle some types of input. Because of this, a remote user could
potentially send malicious input to the device that would result in a
crash, and potential denial of service.

The problem is in the handling of authentication information of excessive
length. When a user passes both a username and password to the web
administration interface of the device, the system can be caused to crash.

It is likely that this issue is a memory corruption vulnerability, and
potentially an exploitable boundary condition error. There is no
confirmation of this. However, if this issue does prove to be an
exploitable boundary condition error, an attacker could potentially
execute arbitrary code on the vulnerable device with the privileges of the
web interface.

It should also be noted that this vulnerability is likely only exploitable
via the internal interface of the device, though this also is not
confirmed.

6. Planetmoon Guestbook Clear Text Password Retrieval Vulnerability
BugTraq ID: 7167
Remote: Yes
Date Published: Mar 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7167
Summary:

A vulnerability has been reported in Planetmoon Guestbook. It has been
reported that remote users may be able to retrieve clear text password
lists. The file can be obtained by making a request for the 'passwd.txt'
file located in the 'files' directory.

Access to this data may allow an attacker to carry out further attacks
against a target user.

7. ProtWare HTML Guardian Encryption Weakness
BugTraq ID: 7169
Remote: Yes
Date Published: Mar 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7169
Summary:

ProtWare HTML Guardian is an application designed to encrypt sensitive
HTML and script code. Its functionality also includes image protection
and various other web based security procedures. It is available for the
Microsoft Windows operating system.

A weakness has been reported in the encryption scheme used by ProtWare
HTML Guardian.

Specifically, the encryption scheme merely obfuscates data using a simple
bit shifting technique. This may make it trivial for attackers to reverse
the protected data. As an example, supplying HTML Guardian with "abcdefgh"
will return "acegbdfh" as the encrypted text.

Administrators may be relying on a false sense of security by implementing
the protection supplied by HTML Guardian.

Although it has not been confirmed, it is possible that this issue affects
the latest release of HTML Guardian. Earlier versions may also be
affected.
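To make concrete why the scheme above is obfuscation rather than encryption, here is an added illustration (not ProtWare's code) that models the transform consistent with the advisory's sample: the characters at even positions are written out first, then those at odd positions, so "abcdefgh" becomes "acegbdfh". The model is inferred from that single sample and may not match the product exactly; the point it demonstrates is that a fixed permutation involves no key, so anyone holding the output can invert it, and every character of the original survives unchanged.

```python
def guardian_style_scramble(text: str) -> str:
    """Model of the transform inferred from the advisory: even positions, then odd."""
    return text[0::2] + text[1::2]


def guardian_style_unscramble(scrambled: str) -> str:
    """Invert the permutation. No key is needed: the layout alone determines it."""
    half = (len(scrambled) + 1) // 2          # even positions make up the first half
    evens, odds = scrambled[:half], scrambled[half:]
    return "".join(evens[i // 2] if i % 2 == 0 else odds[i // 2]
                   for i in range(len(scrambled)))


def preserves_character_counts(plain: str) -> bool:
    """A permutation never changes which characters appear, only their order,
    so frequency analysis of the 'protected' text equals that of the original."""
    return sorted(plain) == sorted(guardian_style_scramble(plain))


if __name__ == "__main__":
    sample = "abcdefgh"
    out = guardian_style_scramble(sample)
    print(sample, "->", out, "->", guardian_style_unscramble(out))
```

Compare this with a real cipher: decryption there depends on a secret the attacker lacks, while here the inverse function is the whole secret.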

8. Simple Chat User Information Disclosure Vulnerability
BugTraq ID: 7168
Remote: Yes
Date Published: Mar 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7168
Summary:

Simple Chat! is a freely available, open source chat board written in PHP.

A problem with the script could make it possible for a remote user to gain
access to sensitive information.

Simple Chat! does not restrict access to sensitive information by default.
An attacker could use this information to launch attacks against other
users.

The problem is in the configuration of the data directory. A remote user
can gain access to the directory via the web, which may reveal sensitive
details about chat users.

9. PHPNuke Banners.PHP Banner Manager Password Disclosure Vulnerability
BugTraq ID: 7170
Remote: Yes
Date Published: Mar 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7170
Summary:

PHPNuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.

A problem with the software could allow a remote user to gain access to
sensitive information.

It has been reported that an input validation error exists in the
banners.php file included with PHPNuke. Because of this, an attacker
could send a malicious string through PHPNuke that would allow the
attacker to manipulate the database, and potentially access sensitive
information, then download it via the web.

This problem requires that the configuration variable magic_quotes_gpc be
turned off. Once this has been done, an attacker can inject limited SQL
statements into the database through the banners.php file. Doing so
permits the attacker to gain access to credentials for the banner manager.

10. Advanced Poll Remote Information Disclosure Vulnerability
BugTraq ID: 7171
Remote: Yes
Date Published: Mar 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7171
Summary:

Advanced Poll is a freely available, open source PHP script. It is
available for the UNIX, Linux, and Microsoft Operating Systems.

A problem with the program could reveal sensitive information.

It has been reported that an information disclosure vulnerability exists
in Advanced Poll. Because of this, a remote user could potentially access
privileged information that could lead to further attacks against the host
and its users.

The problem is in the default installation. By installing the program
according to specifications, it is possible for a remote user to traverse
the installation directory, and potentially gain access to sensitive
information about the Advanced Poll implementation.

11. PHPNuke News Module Article.PHP SQL Injection Vulnerability
BugTraq ID: 7172
Remote: Yes
Date Published: Mar 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7172
Summary:

PHPNuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.

A problem with the software could allow a remote user to change user
credentials.

It has been reported that an input validation error exists in the
article.php file included with PHPNuke as part of the News module. Because
of this, an attacker could send a malicious string through PHPNuke that
would allow the attacker to manipulate the database, and gain unauthorized
access to user accounts.

This problem requires that the configuration variable magic_quotes_gpc be
turned off. Once this has been done, an attacker can inject limited SQL
statements into the database through the article.php file. Doing so
permits the attacker to submit information into the nuke_users table which
could be used to gain unauthorized access to the PHPNuke board.

An attacker could use this attack to modify a user's password or user
level.

12. PHPNuke News Module Index.PHP SQL Injection Vulnerability
BugTraq ID: 7173
Remote: Yes
Date Published: Mar 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7173
Summary:

PHPNuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.

A problem with the software could allow a remote user to change article
information.

It has been reported that an input validation error exists in the
index.php file included with PHPNuke as part of the News module. Because
of this, an attacker could send a malicious string through PHPNuke that
would allow the attacker to manipulate the database and alter information
on articles posted on the site.

This problem requires that the configuration variable magic_quotes_gpc be
turned off, although it may also be present with limited impact when the
variable is turned on. Once this has been done, an attacker can inject
limited SQL statements into the database through the index.php file. Doing
so permits the attacker to submit information into the nuke_stories table,
which could be used to alter the title, intro, article, and author
information.

13. Adobe Acrobat Plug-In Forged Digital Signature Vulnerability
BugTraq ID: 7174
Remote: No
Date Published: Mar 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7174
Summary:

Adobe Acrobat and Acrobat Reader are applications that allow .pdf
documents to be viewed.

Both Acrobat and Acrobat Reader allow the installation of various plug-in
modules to extend functionality. Plug-ins can only be loaded if they are
signed with the "Reader Integration Key", or, in some cases, only if they
are certified as trusted. In order to be certified as trusted, the
plug-in must be signed by Adobe.

The certificate validating algorithm used by Acrobat only verifies
information contained within the portable executable header of the
plug-in. This could allow changes to be made to the plug-in that do not
affect the PE header to retain a valid signature.

This could allow blocks of code within the plug-in to be modified to
perform malicious actions, or the plug-in could be modified to call
another untrusted plug-in and pass control to it.
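The flaw described above is a coverage problem: the signature attests to the header but not to the code it governs. The following added illustration (not Adobe's verification code) models a plug-in as a fixed-size header followed by a body and compares a header-only check with a whole-image check. An HMAC stands in for the vendor's signature so the example runs offline; the header length, key and image contents are all constructed.

```python
import hashlib
import hmac

# Constructed model of a plug-in image: a 64-byte "header" region followed by
# the code body. Real PE images are parsed from their section table; only the
# header/body split matters for this demonstration.
HEADER_LEN = 64
SIGNING_KEY = b"constructed-demo-key"   # stands in for the signer's private key


def make_plugin(body: bytes) -> bytes:
    header = b"MZ" + b"\x00" * (HEADER_LEN - 2)
    return header + body


def sign_header_only(image: bytes) -> bytes:
    """The flawed scheme: only the header bytes are covered by the signature."""
    return hmac.new(SIGNING_KEY, image[:HEADER_LEN], hashlib.sha256).digest()


def sign_whole_image(image: bytes) -> bytes:
    """The sound scheme: every byte that will execute is covered."""
    return hmac.new(SIGNING_KEY, image, hashlib.sha256).digest()


def verify(image: bytes, signature: bytes, scheme) -> bool:
    """Constant-time comparison of the recomputed value against the stored one."""
    return hmac.compare_digest(scheme(image), signature)


def patch_body(image: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Overwrite bytes inside the body, leaving the header untouched."""
    pos = HEADER_LEN + offset
    return image[:pos] + new_bytes + image[pos + len(new_bytes):]


if __name__ == "__main__":
    original = make_plugin(b"benign code" * 4)
    tampered = patch_body(original, 0, b"PATCHED!!!!")
    sig = sign_header_only(original)
    print("header-only check accepts tampered body:",
          verify(tampered, sig, sign_header_only))
    print("whole-image check accepts tampered body:",
          verify(tampered, sign_whole_image(original), sign_whole_image))
```

The practitioner's check is simply: whatever the signature covers must include every byte that will be mapped and executed, and anything the loader reads outside that range must not be trusted.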

14. 3Com SuperStack II RAS 1500 Malicious IP Header Denial of Service Vulnerability
BugTraq ID: 7175
Remote: Yes
Date Published: Mar 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7175
Summary:

3Com SuperStack II Remote Access System (RAS) 1500 is a routing device
designed to service dialup users.

It has been reported that RAS 1500 routers are prone to a vulnerability
that may cause a denial of service. The problem occurs when processing
packets with malformed IP headers. Specifically, an IP header with a 'len'
field of 0 may crash an affected device, causing it to reboot.

An attacker could exploit this vulnerability to deny service to legitimate
users of the device.
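A header whose length field contradicts the rest of the header is exactly what input validation at the packet parser should reject before anything downstream trusts the value. The following added illustration (not 3Com code) parses the fixed part of an IPv4 header with Python's struct module and refuses a total-length field smaller than the header itself, including the zero-length case described above. The packets are constructed and the checksum is not verified.

```python
import struct

IPV4_MIN_HEADER = 20


def build_ipv4_header(total_length: int, ihl: int = 5) -> bytes:
    """Construct a minimal IPv4 header with an arbitrary total-length field (test data)."""
    ver_ihl = (4 << 4) | ihl
    return struct.pack("!BBHHHBBH4s4s",
                       ver_ihl, 0, total_length,  # version/IHL, TOS, total length
                       0, 0,                      # identification, flags/fragment offset
                       64, 6, 0,                  # TTL, protocol (TCP), checksum (unverified)
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def validate_ipv4_header(packet: bytes):
    """Return (ok, reason). Length fields must agree with each other and with the data."""
    if len(packet) < IPV4_MIN_HEADER:
        return False, "truncated header"
    ver_ihl, _tos, total_length = struct.unpack("!BBH", packet[:4])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        return False, "not IPv4"
    header_len = ihl * 4
    if header_len < IPV4_MIN_HEADER:
        return False, "IHL below minimum"
    if total_length < header_len:
        # The advisory's case: total length 0 can never hold a 20-byte header.
        return False, "total length %d shorter than header %d" % (total_length, header_len)
    if total_length > len(packet):
        return False, "total length exceeds bytes received"
    return True, "ok"


if __name__ == "__main__":
    for pkt in (build_ipv4_header(20), build_ipv4_header(0)):
        print(validate_ipv4_header(pkt))
```

A device that trusts the total-length field (for instance by subtracting the header length from it to size the payload) ends up with a huge unsigned value when the field is 0; rejecting the packet at this point avoids every later consequence.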

15. 3Com SuperStack II RAS 1500 Unauthorized Access Vulnerability
BugTraq ID: 7176
Remote: Yes
Date Published: Mar 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7176
Summary:

3Com SuperStack II Remote Access System (RAS) 1500 is a routing device
designed to service dialup users.

A vulnerability has been reported in 3Com RAS 1500 router that may allow
attackers to access sensitive data. Specifically, RAS 1500 devices do not
carry out sufficient authentication of users requesting files via the web
interface.

Successful exploitation of this vulnerability may allow an attacker to
obtain sensitive configuration files. Access to this information may make
it possible for an attacker to carry out further attacks on a target
system or device.

16. PAFileDB PAFileDB.PHP SQL Injection Vulnerability
BugTraq ID: 7183
Remote: Yes
Date Published: Mar 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7183
Summary:

PHP Arena paFileDB is a web-based application implemented using PHP and
designed to allow webmasters to have a database of files for download on
their site.

PHP Arena's paFileDB has been reported prone to an SQL injection
vulnerability.

This vulnerability is reportedly caused by a lack of sufficient
sanitization of user-supplied data contained in URI parameters supplied to
paFileDB. Specifically an attacker may inject SQL database commands by
embedding malicious SQL commands within either the 'id' or 'rating' URI
parameters, supplied to the paFileDB.php script.

Successful exploitation may allow for modification of the structure of SQL
queries, resulting in information disclosure, or database corruption. The
consequences depend on the nature of specific queries. This issue may
allow the attacker to exploit latent vulnerabilities in the underlying
database.

17. PHP socket_iovec_alloc() Integer Overflow Vulnerability
BugTraq ID: 7187
Remote: No
Date Published: Mar 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7187
Summary:

PHP is a freely available, open source web scripting language package. It
is available for Microsoft Windows, Linux, and Unix operating systems.

A vulnerability has been reported in PHP version 4.3.1 and earlier. The
problem occurs in the socket_iovec_alloc() function and may allow an
attacker to corrupt memory.

The affected function fails to carry out sanity checks on values passed as
the 'sockets' argument. As a result, an attacker capable of passing a
large integer as an argument may cause an integer used in a later
calculation to overflow.

If this integer overflows and is later used for memory allocation or data
writing, the procedure could occur at an unanticipated location. This
could be exploited to corrupt sensitive locations in process memory.

This may make it possible for an attacker to trigger a denial of service.
Although it has not been confirmed, it may also be possible to exploit
this issue to execute arbitrary code.

It should be noted that socket functionality is only included in PHP if
compiled with the "--enable-sockets" option.
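The allocation-size arithmetic at issue here (and in the socket_recv() and socket_recvfrom() entries later in this summary, where the problem value is a negative length) follows one pattern: an element count or length is multiplied or reinterpreted in 32-bit C arithmetic with no range check, so a large or negative input yields a small allocation. The following added illustration (not PHP's code) emulates the 32-bit wraparound in Python and shows the check that prevents it. The element size of 8 bytes assumes sizeof(struct iovec) on a 32-bit platform; that and the argument names are assumptions of the example.

```python
UINT32_MAX = 0xFFFFFFFF
INT32_MAX = 0x7FFFFFFF
IOVEC_SIZE = 8   # assumed sizeof(struct iovec) on a 32-bit platform (two 4-byte fields)


def alloc_size_unchecked(count: int) -> int:
    """Mirrors an unchecked 32-bit C multiplication: the product silently wraps."""
    return (count * IOVEC_SIZE) & UINT32_MAX


def alloc_size_checked(count: int) -> int:
    """Rejects negative counts and counts whose product cannot fit in 32 bits."""
    if count < 0:
        raise ValueError("negative element count")
    if count > UINT32_MAX // IOVEC_SIZE:
        raise ValueError("element count overflows the allocation size")
    return count * IOVEC_SIZE


def checked_rejects(count: int) -> bool:
    """Convenience wrapper: True if the checked version refuses the count."""
    try:
        alloc_size_checked(count)
    except ValueError:
        return False if False else True
    return False


def to_int32(value: int) -> int:
    """Reinterpret a 32-bit pattern as a signed int, as C does for an 'int' argument.
    This is how a caller-supplied value that looks huge as unsigned becomes a
    negative length, or a negative length becomes a huge unsigned size."""
    value &= UINT32_MAX
    return value - (1 << 32) if value > INT32_MAX else value


if __name__ == "__main__":
    big = 0x20000001
    print("unchecked: %d elements -> %d bytes allocated" % (big, alloc_size_unchecked(big)))
    print("checked rejects %d: %s" % (big, checked_rejects(big)))
    print("len -1 reinterpreted as unsigned: %d" % (to_int32(-1) & UINT32_MAX))
```

With 0x20000001 elements the unchecked product is 0x100000008, which a 32-bit size_t stores as 8: an 8-byte buffer that the code then treats as holding over half a billion entries. The check is cheap because the bound `UINT32_MAX // IOVEC_SIZE` is a compile-time constant in C.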

18. Emule Empty Nickname Chat Request Denial Of Service Vulnerability
BugTraq ID: 7189
Remote: Yes
Date Published: Mar 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7189
Summary:

Emule is a freely available open source peer-to-peer file sharing
application. Emule uses the eDonkey file sharing protocol.

A denial of service vulnerability has been reported for Emule. The
vulnerability occurs when an Emule client receives a chat request without a
nickname. This will cause the vulnerable Emule client to crash when it
attempts to reference a NULL nickname.

This vulnerability was reported for Emule clients prior to 0.27c.

19. Web Chat Manager HTML Code Injection Vulnerability
BugTraq ID: 7190
Remote: Yes
Date Published: Mar 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7190
Summary:

The PHP Web Chat Manager is a web-based chat system implemented in PHP.

It has been reported that Web Chat Manager is prone to HTML injection
attacks. This problem occurs due to insufficient sanitization of
user-supplied input.

An attacker may inject HTML code using the 'email' form field or URI
parameter of the Web Chat Manager user registration page 'register.php'.

The HTML code will be executed whenever a page containing the malicious
e-mail address is displayed, specifically when the user profile is viewed
('profile.php') or when password retrieval is attempted ('login.php'). When
another user views one of these pages, the attacker-supplied code will be
interpreted in their web browser in the security context of the site
hosting the software.

It may be possible to steal the unsuspecting user's cookie-based
authentication credentials, as well as other sensitive information. Other
attacks are also possible.

This vulnerability was reported for Web Chat 2.0. It is not known whether
other versions are affected.

20. VChat Message Disclosure Vulnerability
BugTraq ID: 7186
Remote: Yes
Date Published: Mar 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7186
Summary:

VChat is a web-based chat system. It is implemented in PHP.

VChat fails to protect chat session logs from being disclosed to remote
users. A remote web-based attacker may request the chat session logs,
which are stored in an ordinary text file in a web-accessible directory in
the default installation.

This could lead to disclosure of private or confidential information
contained in chat session logs.

21. VChat Long Message Denial Of Service Vulnerability
BugTraq ID: 7188
Remote: Yes
Date Published: Mar 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7188
Summary:

VChat is a web-based chat system. It is implemented in PHP.

VChat will fail to reload if a message of 326 kilobytes or more is sent.
This may be exploited to deny availability of the chat service to chat
users. The message will be logged to 'msg.txt', and if it is too large,
VChat will not be able to reload the chat window.

22. PHPNuke Viewpage.PHP File Disclosure Vulnerability
BugTraq ID: 7191
Remote: Yes
Date Published: Mar 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7191
Summary:

PHPNuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.

PHPNuke has been reported prone to a file disclosure vulnerability.

It has been reported that PHPNuke may disclose arbitrary web server
readable files if the requested file is supplied as the 'file' URI
parameter to the 'viewpage.php' script.

This may allow an attacker to obtain sensitive system information which
may aid in launching future attacks.

It should be noted that this issue reportedly affects PHPNuke version 6.5
when running a specific configuration, however other versions may also be
affected.
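When a script takes a file name from a request parameter, as 'viewpage.php' does with 'file', the defensive requirement is that the resolved path stay inside the directory of pages the script is meant to serve. The following added illustration (not PHPNuke code) shows that containment check in Python: both the base directory and the candidate are canonicalized with realpath, so "..", symlinks and absolute paths are all resolved before the comparison. The directory layout it builds is constructed for the example.

```python
import os
import tempfile


def resolve_page_path(base_dir: str, requested: str) -> str:
    """Return the canonical path of the requested page, or raise if it escapes base_dir."""
    base_real = os.path.realpath(base_dir)
    # os.path.join discards base_real if 'requested' is absolute; realpath then
    # collapses any '..' components and follows symlinks, so the comparison below
    # sees the file that would actually be opened.
    candidate = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError("requested file lies outside the pages directory")
    return candidate


def is_request_allowed(base_dir: str, requested: str) -> bool:
    try:
        resolve_page_path(base_dir, requested)
        return True
    except PermissionError:
        return False


def build_demo_tree() -> str:
    """Construct a throwaway tree: <root>/pages/about.html and <root>/config.php.
    Returns the pages directory, the only place the viewer should read from."""
    root = tempfile.mkdtemp(prefix="viewpage-demo-")
    pages = os.path.join(root, "pages")
    os.makedirs(pages)
    with open(os.path.join(pages, "about.html"), "w") as fh:
        fh.write("<h1>About</h1>\n")
    with open(os.path.join(root, "config.php"), "w") as fh:
        fh.write("<?php $dbpass = 'constructed-value'; ?>\n")
    return pages


if __name__ == "__main__":
    pages = build_demo_tree()
    for name in ("about.html", "../config.php", "/etc/passwd"):
        print("%-16s allowed=%s" % (name, is_request_allowed(pages, name)))
```

A prefix test on the raw string ("does it start with /var/www/pages") is not equivalent: it accepts "/var/www/pages/../config.php" and "/var/www/pages-private/x", which is why both sides are canonicalized and compared with commonpath.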

23. Joel Palmius Mod_Survey Data Injection Vulnerability
BugTraq ID: 7192
Remote: Yes
Date Published: Mar 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7192
Summary:

Mod_Survey is a mod_perl module for Apache which allows web users to
create online questionnaires. It is maintained by Joel Palmius and will
run on Linux and Unix variants as well as Microsoft Windows.

Mod_Survey does not sufficiently sanitize data supplied via ENV tags.
ENV tags are a feature included with Mod_Survey to import values supplied
from environment variables into the data repository.

It has been reported by the vendor that this may allow for injection of
malicious data, including delimiter characters, into the data repository.
Exploitation may allow for manipulation of environment variables or the
possibility of executing database commands through injection of SQL
syntax. Other attacks may also be possible.

This is only an issue with surveys that use ENV tags. This issue occurs
with ENV tags which import data from environment variables that may be
potentially specified or influenced by a remote user (such as
'HTTP_USER_AGENT').

The consequences of exploitation could depend on the underlying database
implementation and configuration or other factors.

24. PHPNuke Forum Module Viewtopic.php SQL Injection Vulnerability
BugTraq ID: 7193
Remote: Yes
Date Published: Mar 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7193
Summary:

PHPNuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.

A problem with PHPNuke could allow a remote user to change article
information.

It has been reported that an input validation error exists in the
'viewtopic.php' file included with PHPNuke as part of the Forum module.
Because of this, an attacker could send a malicious string through PHPNuke
that would allow the attacker to inject SQL commands and queries into the
SQL database used by PHPNuke.

Successful exploitation may allow for modification of the structure of SQL
queries, resulting in information disclosure, or database corruption. The
consequences depend on the nature of specific queries. This issue may
allow the attacker to exploit latent vulnerabilities in the underlying
database.

25. PHPNuke Forum Module Viewforum.PHP SQL Injection Vulnerability
BugTraq ID: 7194
Remote: Yes
Date Published: Mar 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7194
Summary:

PHPNuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.

A problem with PHPNuke could allow a remote user to alter the database
queries issued by the Forum module.

It has been reported that 'viewforum.php', included with PHPNuke as part of
the Forum module, fails to validate a request parameter before incorporating
it into a database query. Because of this, a remote attacker could supply a
crafted string that injects SQL commands into the queries PHPNuke issues
against its database.

Successful exploitation may allow the structure of SQL queries to be
modified, resulting in information disclosure or database corruption. The
exact consequences depend on the queries affected. This issue may also
allow the attacker to reach latent vulnerabilities in the underlying
database.
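
The two Forum module entries above describe the same defect: a request
parameter spliced into a query string so that its content is parsed as SQL.
The Python script below is added here as an illustration and is not PHPNuke's
own code. It shows the vulnerable construction next to two fixes, a bound
parameter and strict integer validation, against a constructed in-memory
SQLite table. The table, column and parameter names (forum_topics, topic_id,
title, is_private, and the 't' request parameter) are assumptions made for
the demonstration; the advisory does not name the affected parameter.

```python
import sqlite3

# Constructed stand-in for the PHPNuke database. Table and column names are
# assumptions for this demonstration, not the real Forum module schema.
TOPICS = [
    (1, "Welcome", 0),
    (2, "Release notes", 0),
    (3, "Admin-only planning", 1),   # is_private = 1: must never be listed
]


def make_db():
    """Builds the in-memory database the handlers below query."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE forum_topics (topic_id INTEGER, title TEXT, is_private INTEGER)"
    )
    db.executemany("INSERT INTO forum_topics VALUES (?, ?, ?)", TOPICS)
    return db


def view_topic_vulnerable(db, t):
    """The pattern the advisory describes: the request parameter is pasted
    into the SQL text, so whatever the client sends is parsed as SQL."""
    sql = (
        "SELECT title FROM forum_topics "
        f"WHERE topic_id = {t} AND is_private = 0"
    )
    return [row[0] for row in db.execute(sql)]


def view_topic_parameterized(db, t):
    """Bound parameter: the driver hands t to the engine as data, so the
    query's structure is fixed no matter what t contains."""
    sql = "SELECT title FROM forum_topics WHERE topic_id = ? AND is_private = 0"
    return [row[0] for row in db.execute(sql, (t,))]


def view_topic_validated(db, t):
    """Defence in depth: a topic id is a non-negative decimal integer, so
    anything else is rejected at the boundary before a query is built
    (the PHP equivalent is intval() plus a check that the input was numeric)."""
    if not (isinstance(t, str) and t.isascii() and t.isdigit()):
        raise ValueError("topic id must be a non-negative integer")
    return view_topic_parameterized(db, int(t))


if __name__ == "__main__":
    db = make_db()
    # The comment marker discards the rest of the WHERE clause, including
    # the is_private restriction, so private topics are listed too.
    payload = "0 OR 1=1 --"
    print("vulnerable   :", view_topic_vulnerable(db, payload))
    print("parameterized:", view_topic_parameterized(db, payload))
```

Run stand-alone, the script lists all three titles for the vulnerable handler
and nothing for the parameterized one: bound as a value, the string
'0 OR 1=1 --' is compared against an integer column and matches no row, while
in the concatenated form it rewrites the query. The validation step is still
worth having, since it rejects the value before any query is built and
states the intent (a topic id is a number) explicitly.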

26. Symantec Enterprise Firewall HTTP Pattern Matching Evasion Weakness
BugTraq ID: 7196
Remote: Yes
Date Published: Mar 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7196
Summary:

Symantec Enterprise Firewall, formerly known as Raptor Firewall, is an
enterprise-level firewall originally developed by Axent Technologies and now
maintained and distributed by Symantec. It is available for Microsoft Windows
and Unix operating systems.

The Symantec Enterprise Firewall can block HTTP requests whose URLs contain
certain patterns. When a user inside the network protected by the firewall
makes an HTTP request containing a pattern that matches a 'urlpattern' rule,
the request is blocked and the user receives a "403 Forbidden" error.

An internal user can bypass the URL pattern blocking simply by encoding the
blocked pattern using escaped characters, Unicode, or UTF-8 encoding, which
indicates that the pattern is matched against the URL as sent rather than
against its decoded form. A request that would normally be blocked by the
Enterprise Firewall's pattern rule therefore passes through successfully.
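
To make the evasion concrete, the Python below, added here as an example and
not Symantec's code, contrasts a matcher that inspects the request path
exactly as sent with one that canonicalizes first: %XX escapes, IIS-style
%uXXXX escapes, a bounded number of decoding rounds to collapse double
encoding, and UTF-8 decoding that also accepts overlong sequences such as
%C0%AF for '/'. The blocklist and the request paths are constructed for the
demonstration; the advisory names no specific 'urlpattern' rule.

```python
import re
import urllib.parse

# Constructed blocklist standing in for 'urlpattern' rules (assumption; the
# advisory names no particular pattern).
BLOCKED_PATTERNS = ["/cgi-bin/", "admin.php"]


def naive_blocked(path):
    """Matches the request path exactly as the client sent it. This is the
    behaviour the advisory describes: any encoding of the pattern slips by."""
    return any(p in path.lower() for p in BLOCKED_PATTERNS)


def _fold_u_escapes(s):
    """Rewrite %uXXXX escapes as the %XX UTF-8 encoding of the same code
    point, so the percent-decoding step handles both forms uniformly."""
    def repl(m):
        cp = int(m.group(1), 16)
        if 0xD800 <= cp <= 0xDFFF:      # lone surrogate: leave untouched
            return m.group(0)
        return urllib.parse.quote(chr(cp), safe="")
    return re.sub(r"%u([0-9a-fA-F]{4})", repl, s)


def _lenient_utf8(data):
    """Decode UTF-8 while also accepting overlong forms such as C0 AF for
    '/', which a strict decoder rejects but a permissive consumer may not.
    Bytes that form no valid sequence are mapped one-to-one so nothing
    is dropped from the path."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b < 0xE0:
            n, cp = 1, b & 0x1F
        elif 0xE0 <= b < 0xF0:
            n, cp = 2, b & 0x0F
        elif 0xF0 <= b < 0xF8:
            n, cp = 3, b & 0x07
        else:
            out.append(chr(b))
            i += 1
            continue
        tail = data[i + 1:i + 1 + n]
        if len(tail) == n and all(0x80 <= t < 0xC0 for t in tail):
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            if cp <= 0x10FFFF and not 0xD800 <= cp <= 0xDFFF:
                out.append(chr(cp))
                i += 1 + n
                continue
        out.append(chr(b))   # not a decodable sequence: keep the lead byte
        i += 1
    return "".join(out)


def canonicalize(path, max_rounds=3):
    """Decode until the path stops changing (bounded), so single, double
    and %u-encoded spellings all collapse to one representation."""
    prev, cur, rounds = None, path, 0
    while cur != prev and rounds < max_rounds:
        prev = cur
        cur = _lenient_utf8(urllib.parse.unquote_to_bytes(_fold_u_escapes(cur)))
        rounds += 1
    return cur.lower()


def canonical_blocked(path):
    """Match the blocklist against the canonical form, not the wire form."""
    canon = canonicalize(path)
    return any(p in canon for p in BLOCKED_PATTERNS)
```

Decoding more aggressively than the origin server would can only produce
false positives for a blocklist, which is the safe direction for this
control; a filter that decodes less than the server does is exactly the
condition the advisory describes.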

27. PHP socket_recv() Signed Integer Memory Corruption Vulnerability
BugTraq ID: 7197
Remote: No
Date Published: Mar 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7197
Summary:

PHP is a freely available, open source web scripting language package. It
is available for Microsoft Windows, Linux, and Unix operating systems.

A vulnerability has been reported in PHP version 4.3.1 and earlier. The
problem occurs in the socket_recv() function and may allow an attacker to
corrupt memory.

The affected function fails to carry out sanity checks on the value passed
as its 'len' argument. As a result, an attacker able to pass a negative
integer as this argument can cause an integer used in a later calculation to
overflow.

If that integer is later used to size a memory allocation or to bound a
write, the allocation may be smaller than intended or the write may land at
an unanticipated location. This could be exploited to corrupt sensitive
locations in process memory.

This may make it possible for an attacker to trigger a denial of service.
Although it has not been confirmed, it may also be possible to exploit
this issue to execute arbitrary code.

It should be noted that socket functionality is only included in PHP if
compiled with the "--enable-sockets" option.

28. PHP socket_recvfrom() Signed Integer Memory Corruption Vulnerability
BugTraq ID: 7198
Remote: No
Date Published: Mar 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7198
Summary:

PHP is a freely available, open source web scripting language package. It
is available for Microsoft Windows, Linux, and Unix operating systems.

A vulnerability has been reported in PHP version 4.3.1 and earlier. The
problem occurs in the socket_recvfrom() function and may allow an attacker
to corrupt memory.

The affected function fails to carry out sanity checks on the value passed
as its 'len' argument. As a result, an attacker able to pass a negative
integer as this argument can cause an integer used in a later calculation to
overflow.

If that integer is later used to size a memory allocation or to bound a
write, the allocation may be smaller than intended or the write may land at
an unanticipated location. This could be exploited to corrupt sensitive
locations in process memory.

This may make it possible for an attacker to trigger a denial of service.
Although it has not been confirmed, it may also be possible to exploit
this issue to execute arbitrary code.

It should be noted that socket functionality is only included in PHP if
compiled with the "--enable-sockets" option.
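
Entries 27 and 28 describe one bug class: a signed 'len' that reaches
size_t-typed allocation and copy routines without a range check. The Python
below is written for this summary and is not taken from PHP's ext/sockets
source. It models the arithmetic with a 32-bit size_t, the common build
target at the time, and shows the check that should precede it. The assumed
sequence, allocate len + 1 bytes and then receive up to len bytes into that
buffer, is used only to make the conversion visible; the advisory does not
give the real calculation.

```python
# 32-bit size_t (assumption made explicit so the arithmetic is deterministic).
SIZE_T_BITS = 32
SIZE_T_MASK = (1 << SIZE_T_BITS) - 1


def as_size_t(value):
    """The implicit conversion C performs when a signed value is passed
    where size_t is expected: reduction modulo 2**SIZE_T_BITS."""
    return value & SIZE_T_MASK


def plan_recv_unchecked(length):
    """Models the bug class: a caller-controlled signed 'len' flows, without
    any sanity check, into an allocation of len + 1 bytes and then into a
    receive of up to len bytes (an assumed sequence, not PHP's source).
    Returns (bytes allocated, bytes the receive may write)."""
    allocated = as_size_t(length + 1)   # e.g. emalloc(len + 1)
    writable = as_size_t(length)        # e.g. recv(sock, buf, len, flags)
    return allocated, writable


def plan_recv_checked(length, max_len=65536):
    """The missing sanity check: reject the value before any arithmetic or
    conversion happens. The upper bound is an assumption for this example;
    a real implementation would pick its own limit."""
    if not isinstance(length, int) or length <= 0 or length > max_len:
        raise ValueError("len must be an integer between 1 and %d" % max_len)
    return length + 1, length


def overflow_bytes(length, received):
    """How many bytes a receive delivering 'received' bytes would write
    past the end of the buffer the unchecked path allocated (0 = none)."""
    allocated, writable = plan_recv_unchecked(length)
    written = min(writable, received)
    return max(0, written - allocated)


if __name__ == "__main__":
    for n in (1024, -1, -5):
        print("len=%6d -> allocated %10d, recv bound %10d"
              % (n, *plan_recv_unchecked(n)))
    print("bytes written past a len=-1 buffer by a 4096-byte datagram:",
          overflow_bytes(-1, 4096))
```

A length of -1 produces a zero-byte allocation and a receive bound of
4294967295 bytes, so whatever the peer sends is written past the end of the
buffer. Other negative values turn into allocation requests of several
gigabytes that fail outright, which is the denial of service the summaries
mention. Either way the defence is the same: reject the value before it is
used in any arithmetic.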

29. PHP emalloc() Unspecified Integer Overflow Memory Corruption Vulnerability
BugTraq ID: 7199
Remote: No
Date Published: Mar 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7199
Summary:

PHP is a freely available, open source web scripting language package. It
is available for Microsoft Windows, Linux, and Unix operating systems.

A vulnerability has been reported in PHP version 4.3.1 and earlier. The
problem occurs in the emalloc() function and may allow an attacker to
corrupt memory.

The affected function reportedly fails to ensure that proper boundary
checks are performed on values supplied by a malicious user. This may
result in an integer overflow when emalloc() attempts to allocate memory.

This may make it possible for an attacker to trigger a condition which
could cause the PHP interpreter to crash.

Further details of this vulnerability are currently unknown. This BID will
be updated as more information becomes available.

III. SECURITYFOCUS NEWS AND COMMENTARY
------------------------------------------
1. FBI seeks Internet telephony surveillance
By Kevin Poulsen

The Justice Department and the FBI ask regulators for expanded technical
capabilities to intercept Voice Over IP communications... and anything
else that uses broadband.

http://www.securityfocus.com/news/3466

2. States Seen As Lax on Database Security
By Jonathan Krim, Washington Post

An overwhelming majority of states have failed to require insurance
companies to protect their computerized data from hacking and other
attacks, according to a study that raises questions about how aggressively
states are tackling cybersecurity overall.

http://www.securityfocus.com/news/3512

3. Wartime Internet Security Is 'Business as Usual'
By Robert MacMillan, Washington Post

Federal officials last week warned that the Iraq war may prompt hackers to
attack data systems and critical networks. But for the most part, Internet
security firms aren't changing their standard procedures to accommodate
the higher threat level -- because for them, vigilance is par for the
course.

http://www.securityfocus.com/news/3511

4. Hackers replace Al-Jazeera Web site with American flag
By Ted Bridis, The Associated Press

Hackers on Thursday replaced the English-language Web site for Arab
satellite television network Al-Jazeera with a U.S. flag and the message
"Let Freedom Ring."

http://www.securityfocus.com/news/3487

IV. SECURITYFOCUS TOP 6 TOOLS
-----------------------------
1. Web of Trust Statistics and Pathfinder v0.5
by Jörgen Cederlöf
Relevant URL:
http://www.lysator.liu.se/~jc/wotsap/
Platforms: Python
Summary:

Web of Trust Statistics and Pathfinder (Wotsap) is a program for graphing
all the shortest paths between two keys in the OpenPGP Web of Trust. These
paths can be presented as text or as PNG images. Additionally, it can
generate statistics about keys and the whole strongly-connected set.

2. FTimes v3.2.1
by Klayton Monroe
Relevant URL:
http://ftimes.sourceforge.net/FTimes/
Platforms: AIX, FreeBSD, Linux, MacOS, POSIX, Solaris, SunOS, Windows
2000, Windows NT
Summary:

FTimes is a system baselining and evidence collection tool. Its primary
purpose is to gather and/or develop information about specified
directories and files in a manner conducive to intrusion analysis. It was
designed to support the following initiatives: content integrity
monitoring, incident response, intrusion analysis, and computer forensics.

3. Glub Tech Secure FTP v2.0.3
by glub
Relevant URL:
http://secureftp.glub.com
Platforms: MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows
XP
Summary:

Glub Tech Secure FTP is a command-line utility that allows FTP connections
to be made using SSL.

4. screen-scraper v0.8.6b
by ekiwi
Relevant URL:
http://www.screen-scraper.com/screen-scraper/
Platforms: OS Independent
Summary:

screen-scraper is a tool for extracting data from Web sites. It consists
of a proxy server that allows the contents of HTTP and HTTPS requests to
be viewed, and an engine that can be configured to extract information
from Web sites using special patterns and regular expressions. It handles
authentication, redirects, and cookies, and contains an embedded scripting
engine that allows extracted data to be manipulated, written out to a
file, or inserted into a database. It can be used with PHP, Java, or any
COM-friendly language such as Visual Basic or Active Server Pages.

5. qmail-masq v0.6
by Davide Giunchi
Relevant URL:
http://www.folug.linux.it/qmail-masq.html
Platforms: UNIX
Summary:

qmail-masq is a Perl program that works with qmail. It masquerades the
internal mail user's address as an external one when sending email from
local users to the outside world.

6. ShoStats v1.1.1
by yikiru
Relevant URL:
http://www.gnodde.org/projects/shostats.php
Platforms: Linux, OpenBSD, POSIX
Summary:

ShoStats is a reimplementation of phpSysInfo in Perl, useful for running
from crontab and outputting the stats to a PHP include file, which can
then be displayed on a hosting account. It is also more modular and
configurable, including modules to support both Linux and OpenBSD, an
output module for PHP include files, and transfer modules for output to
stdout (which can be redirected or piped) and uploading to an FTP server.

V. SECURITY JOBS SUMMARY
------------------------
1. Senior Software/Security Engineer (White Hat Hacker) Redwood City, California (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316570

2. Security Infrastructure/ Architect needed in Northern, VA (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316569

3. AEs and SEs needed in DC and Chicago (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316548

4. Senior Software/Security Engineer (Redwood City, California) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316544

5. U.S. Navy Network Analyst with Focus on Security - looking for full time position. (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316543

6. V.P of Engineering needed for netForensics (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316503

7. Computer Forensics Investigation Manager, Hamburg, Germany. (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316505

8. Information Security Analyst (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316412

9. Tivoli Access Manager Expert needed for contract in Florida (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316400

10. IT Auditor: Atlanta, GA (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316352

11. Pre-Sales Enterprise Management/Security Consultant for Dublin , Ireland (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316315

12. Sunny Florida - Software Security Architect (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316322

13. Senior Fraud Investigation Consultant, London UK (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316313

14. IT Auditor - Perm Post in Toronto w/ Travel (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316314

15. Sr. Security Compliance and Reporting Consultant - Cleveland, Ohio (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316238

16. Information Security Manager - Cleveland, Ohio (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316239

17. Resume to work as Network Security Analyst (Brazil) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316188

18. 20 Year Global Veteran Seeks Leadership Role (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316132

19. Administrator skilled in Tivoli Access Manager (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316046

20. Risk Assessment Professional - 1yr contract in Chicago (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316045

21. Secure Network Operations, Inc. Seeking Sales Rep (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316039

22. Business Development Manager - New York, NY (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/316042

23. Business Practice, Business Development Manager-UK (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/315977

24. Sr Security Engineer (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/315970

25. PKI Systems Engineer San Antonio Texas (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/315969

26. Intermediate-Senior Security Consultant, Southern California (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/315930

27. Bloomington, IL Unix Security Analyst opportunity (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/315929

28. IT Security Lead Consultant, London, UK (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/315837

VI. INCIDENTS LIST SUMMARY
-------------------------
1. SecurityFocus Article Announcement: Incident Response Tools For Unix, Part One: System Tools (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/316598

2. strange DNS behavior over the last 2 days (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/316597

3. FTimes 3.2.1 Release (Includes Dig, HashDig, and Map Tools) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/316599

4. Dead Thread: California State Bill SB1386 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/316435

5. [Fwd: FW: California State Bill SB1386] (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/316434

6. California State Bill SB1386 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/316423

7. AW: Chinese source: some web attack tool (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/315984

8. Trojan attacking our switches (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/315973

9. Chinese source: some web attack tool (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/315976

VII. VULN-DEV RESEARCH LIST SUMMARY
----------------------------------
1. TLS timing attack on OpenSSL [can-2003-78] [bid 6884] exploit (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/316310

2. Entercept - detection of return-to-libc (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/316264

3. Automatic discovery of shellcode address (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/316155

4. Backup Agents (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/316265

5. ptrace in linux kernel (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/316134

6. Article Announcement: Why the Dogs of Cyberwar Stay Leashed (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/316118

7. library/executable image (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/316069

8. Detecting abnormal behaviour (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/316068

9. NSLOOKUP.EXE (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/316073

10. Vulnerability (critical): Digital signature for Adobe Acrobat/Reader plug-in can be forged (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/316075

11. mpg123 segfault (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/315902

12. RES: NSLOOKUP.EXE (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/315942

13. DEF CON Announcement: CFP, Media now on line! (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/315896

VIII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. USB Tokens (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/316522

2. Expire accounts from Active Directory after a period of inactivity (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/316377

3. SMB Brute Force (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/316373

4. MS03-007 Round-up (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/316197

5. SecurityFocus Microsoft Newsletter #130 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/316129

6. Article Announcement: Why the Dogs of Cyberwar Stay Leashed (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/316126

7. Anyone have hard evidence of problems with Windows Automatic Updates? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/316025

8. Anyone have hard evidence of problems with Windows Automatic Updates? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/315933

9. Anyone have hard evidence of problems with Windows Automatic Updates? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/315917

10. Anyone have hard evidence of problems with Windows Automatic Updates? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/315916

IX. SUN FOCUS LIST SUMMARY
----------------------------
1. SecurityFocus Article Announcement (Thread)
Relevant URL:

http://online.securityfocus.com/archive/92/316520

2. Better Syslog server (Thread)
Relevant URL:

http://online.securityfocus.com/archive/92/316177

3. PAM authentication problem (Thread)
Relevant URL:

http://online.securityfocus.com/archive/92/316143

X. LINUX FOCUS LIST SUMMARY
---------------------------
1. SecurityFocus Article Announcement (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/316564

2. Live Upgrade for Linux (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/316563

3. Seeing who has su-ed (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/316220

4. latest ptrace hole patch? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/316217

5. How to custom sulog? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/315843

XI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored by: CipherTrust

CHOKING ON SPAM?

Stop spam! -- Learn the TOP 10 Techniques To Control Spam.

Reclaim your mail server(s).  PROTECT YOUR EMAIL SYSTEM against spam and
other threats before they reach the mail infrastructure.  White Paper
shows you how!

http://www.ciphertrust.com/article/securityfocus_0331_01.htm
------------------------------------------------------------------------
-------

Copyright 2010, SecurityFocus