Evaluating SSL VPNs? Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
Visit us at: http://www.securityfocus.com/Neoteris-sf-news
-------------------------------------------------------------------------------
I. FRONT AND CENTER
1. The Enemy Within: Firewalls and Backdoors
2. Adding Security to the Cert
3. Learning to Love Big Brother
4. Welcome to the SecurityFocus Firewalls Focus Area
5. Welcome to the SecurityFocus Pen-Test Focus Area
II. BUGTRAQ SUMMARY
1. cPanel/Formail-Clone E-Mail Restriction Bypass Vulnerability
2. Desktop Orbiter Resource Exhaustion Denial Of Service...
3. Linux /bin/mail Carbon Copy Field Buffer Overrun Vulnerability
4. PHP-Nuke User/Admin Cookie SQL Injection Vulnerability
5. Microsoft Internet Explorer False URL Information Vulnerability
6. PHP Transparent Session ID Cross Site Scripting Vulnerability
7. JBoss Null Byte Request JSP Source Disclosure Vulnerability
8. iisCart2000 Arbitrary File Upload Vulnerability
9. WebCortex WebStores2000 SQL Injection Vulnerability
10. Microsoft URLScan Information Disclosure Weakness
11. Apache Tomcat Insecure Directory Permissions Vulnerability
12. Multiple Mod_Gzip Debug Mode Vulnerabilities
13. Webfroot Shoutbox Expanded.PHP Remote Command Execution...
14. WinMX Plaintext Password Storage Weakness
15. myServer HTTP GET Argument Buffer Overflow Vulnerability
16. XMame Lang Local Buffer Overflow Vulnerability
17. Webchat Module Path Disclosure Weakness
18. Webfroot Shoutbox Expanded.PHP Remote Directory Traversal...
19. WebChat Users.PHP Database Username Disclosure Weakness
20. WebChat Users.PHP Cross-Site Scripting Vulnerability
21. Gator EWallet Information Encoding Weakness
22. Crob FTP Server Remote Username Format String Vulnerability
23. Sun Management Center Change Manager PamVerifier Buffer...
24. SPChat Module Remote File Include Vulnerability
25. Cafelog b2 B2Functions Script B2INC Variable Include...
26. CafeLog b2 Blog.Header Script SQL Injection Vulnerability
27. Wordpress Posts SQL Injection Vulnerability
28. Cafelog b2 B2MenuTop Script B2INC Variable Include Vulnerability
29. Wordpress Remote PHP File Include Vulnerability
30. Pi3Web SortName Buffer Overflow Vulnerability
31. Microsoft Windows XP Nested Directory Denial of Service...
32. Microsoft Windows 2000/XP/2003 IPV6 ICMP Flood Denial Of...
33. Multiple Vendor kon2 Local Buffer Overflow Vulnerability
34. IRCXpro Server Settings.INI Plaintext Password Storage...
35. Red Hat Linux TTY Layer Kernel Panic Denial Of Service...
36. Red Hat Linux Kernel MXCSR Handler Unspecified Vulnerability
37. Red Hat Linux EXT3 Filesystem Data Corruption Vulnerability
38. Sun Solaris Telnet Daemon Remote Denial Of Service Vulnerability
39. HP-UX UUCP Unspecified Buffer Overflow Vulnerability
40. Linux Kernel Fragment Reassembly Remote Denial Of Service...
41. HP-UX UUSUB Unspecified Buffer Overflow Vulnerability
42. Pablo Software Solutions FTP Server Anonymous Users Privileges...
III. SECURITYFOCUS NEWS ARTICLES
1. Group Releases Anti-Disclosure Plan
2. Holy Grail of crypto to arrive in three years, say UK boffins
3. Cisco builds WLAN security framework
4. U.S. reviewing old, secret surveillance files in terrorism...
IV. SECURITYFOCUS TOP 6 TOOLS
1. Passcheck v2.99
2. LibTomCrypt v0.76
3. OpenSSH SecurID patch v3.6.1p2 v1
4. Logdog v2.0-RC3
5. KisMAC v0.05a
6. A Joint Monitoring System (AJMS) v1.8
V. SECURITYJOBS LIST SUMMARY
1. Looking for an infosec position in Calgary, AB (Thread)
2. SR. IT MANAGER WITH SECURITY BACKGROUND LOOKING IN MINNESOTA...
3. PWC - Threat & Vulnerability Management (Senior Associate )...
4. LOOKING FOR A SR. IDS MANAGER - BETHESDA, MD (Thread)
5. Newport News, VA - MS Exchange SW Development Manager (Thread)
6. Networking and Security Engineer Available. Travel OK. (Thread)
7. Recent CISSP seeking in GA or NC. (Thread)
8. Metro DC - junior to midlevel security position sought (Thread)
9. Corporate Security Analyst - San Jose, CA (Thread)
10. Seeking infosec employment (Thread)
11. 20-yr International IT & Internet Security Veteran (Thread)
12. New Focus Areas on SecurityFocus.com X-POST (Thread)
13. Tivoli Security Specialist needed (Thread)
14. Looking for a sales position (Thread)
15. Neoteris is hiring!!! - Regional Sales Manager - Benelux (Thread)
16. Neoteris is hiring!!! - Regional Sales Manager - Japan (Thread)
17. Neoteris is hiring!!! - Federal Sales Manager - VA/MD/DC (Thread)
18. Neoteris is hiring!!! - Senior Technical Support Engineer...
19. CISSP, Looking for assignment in Research Triangle Park, NC...
20. Very Experienced British Expat Returning (Thread)
21. Security professional looking for work. (willing to relocate)...
22. CISSP & CISA Available Nationwide for Contract Consulting...
23. Credit Card Fraud Analyst/Project Manager - Chicago (Thread)
24. IT PROFESSIONALS WANTED (Thread)
25. Java / Web Developer - Senior - 8 - 12 month contract (Thread)
26. Position In Jacksonville, FL (Thread)
27. Systems Security Engineer, TiVo, Inc., Alviso, CA (Thread)
28. Rocky Mtn. CISSP for hire (Thread)
29. Security Engineer/Santa Monica, CA (Thread)
30. systems administrator looking for work - NW Ohio (Thread)
31. Need Security Evangelist in Dallas (Thread)
32. Verisign - number in the UK (Thread)
33. Security Sales Engineers and Account Executives/Seattle (Thread)
VI. INCIDENTS LIST SUMMARY
1. FW: File Folders Own Changed (Thread)
2. Help with an odd log file... (Thread)
3. strange cmd.exe access (Thread)
4. strange traffic on UDP port 53 (Thread)
5. Dameware Malcode? Is anyone aware of it? (Thread)
6. KazaaLite 2.0.2 Build 1 (Thread)
7. FW: KazaaLite 2.0.2 Build 1 (Thread)
8. Dubious e-mail: [Fwd: Dell.com (Password Request)] (Thread)
9. Hmm....901 (Thread)
10. Announcement: SecurityFocus Pen-Test and Firewalls Focus Areas...
11. FW: Hmm....901 (Thread)
12. A question for the list... (Thread)
13. Whois updates, Was: [ Possible Intrusion Attempt?] (Thread)
14. Weird Traffic from www.eyeblaster-bs.com (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
1. Decision (Thread)
2. win32 shellcoding (Thread)
3. Shellcode questions (Thread)
4. win32 command line overflows: (ex: ollydbg.exe) (Thread)
5. strcpy bug (Thread)
6. Exploiting new IE Object Type Overflow (Thread)
7. New Security Vulnerabilities (Thread)
8. possible remote buffer overflow in atftpd (Thread)
9. Frame pointer overwriting and FreeBSD (Thread)
10. man[v1.5l]: format string exploit / POC. (Thread)
11. [Vuln-dev Challenge] Challenge #2 (New technique maybe?) (Thread)
12. Announcement: SecurityFocus Pen-Test and Firewalls Focus Areas...
13. Windows XP mmc.exe Crash (Thread)
14. Gera's Insecure Programing abo7 (Thread)
15. Windows XP SP1 gethostbyaddr() flow (Re[3]: mirc32 6.0x crash...
16. xmame gain root exploit (Thread)
17. netstrings example vulnerable (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
1. Announcement: SecurityFocus Pen-Test and Firewalls Focus Areas...
2. SecurityFocus Microsoft Newsletter #139 (Thread)
3. Internet Explorer URL Spoofing Threat (Thread)
IX. SUN FOCUS LIST SUMMARY
1. New Focus Areas on SecurityFocus.com (Thread)
X. LINUX FOCUS LIST SUMMARY
1. deny deleting a file for users (Thread)
2. Linux firewall/IDS/NAT suggestions (Thread)
3. deny deleting a file for users.. trying a solution (Thread)
4. New Focus Areas on SecurityFocus.com (Thread)
5. process accounting (Thread)
XI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. The Enemy Within: Firewalls and Backdoors
by Bob Rudis, CISSP, and Phil Kostenbade, CISSP
This article presents an overview of modern backdoor techniques, discusses
how they can be used to bypass the security infrastructure that exists in
most network deployments and issues a wake-up call for those relying on
current technologies to safeguard their systems/networks.
http://www.securityfocus.com/infocus/1701
2. Adding Security to the Cert
By Tim Mullen
Shiftless third-party prep courses have made MCSE certification less
valuable. Is Microsoft's new security cert doomed to the same fate?
http://www.securityfocus.com/columnists/166
3. Learning to Love Big Brother
By Scott Granneman
Microsoft's digital rights management (DRM) may have implications for
security professionals.
http://www.securityfocus.com/columnists/165
4. Welcome to the SecurityFocus Firewalls Focus Area
By Marcus Ranum
SecurityFocus is very pleased to announce the roll-out of the new
Firewalls focus area.
http://www.securityfocus.com/infocus/1700
5. Welcome to the SecurityFocus Pen-Test Focus Area
By Ivan Arce
The new SecurityFocus Pen-Test focus area offers a unique forum for the
exchange of pen-test information.
http://www.securityfocus.com/infocus/1699
II. BUGTRAQ SUMMARY
-------------------
1. cPanel/Formail-Clone E-Mail Restriction Bypass Vulnerability
BugTraq ID: 7758
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7758
Summary:
cPanel is a multi-platform web hosting control panel that allows a user to
manage their hosted account through a web-based interface.
cPanel ships a Formail-clone script for handling web form submissions.
It has been reported that cPanel is prone to an issue where a remote
attacker may bypass the Formail-clone local domain checks and have
untrusted e-mail delivered in the context of the vulnerable host.
The issue is reportedly due to a lack of input sanitization performed on
the recipient field used by the Formail-clone.
Reportedly, an attacker can append a reference to the local domain in
parentheses, e.g. 'recipient@example.(localdomain)com', as part of an
e-mail address passed to the script. The local domain check sees the
parenthesized text and accepts the address. When the cPanel mailer then
invokes sendmail to handle the address, sendmail treats the parenthesized
text as an RFC 822 comment, strips it, and sends the e-mail to the
attacker-supplied address.
This issue may be exploited by an attacker to use the vulnerable host as
an open relay.
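The bypass above is a parser differential: the check inspects the raw
recipient string, while sendmail delivers to the address left after RFC 822
comments are removed. The following is an added example, not cPanel's code.
It models the bypassed check as a plain substring test (a hypothetical
assumption; the advisory does not say how the check is written), uses a
made-up local domain and attacker address, and shows a check that strips
comments first and then compares the whole delivered domain.

```python
"""Added example, not cPanel's code: a recipient check that looks at the
raw string (modelled here as a substring test, which is an assumption)
beside one that canonicalizes the address the way the MTA will before
deciding.  LOCAL_DOMAIN and ATTACK are constructed values."""

LOCAL_DOMAIN = "victim.example"                      # hypothetical hosting domain
ATTACK = "spam-target@evil.(victim.example)net"      # constructed attacker input


def naive_local_check(recipient: str, local_domain: str = LOCAL_DOMAIN) -> bool:
    """Model of the bypassed check: the local domain appears somewhere in the
    raw recipient string, comments included."""
    return local_domain in recipient


def strip_comments(addr: str) -> str:
    """Remove RFC 822 comments, i.e. parenthesized text (nesting allowed),
    which is what sendmail does before it resolves the address."""
    out, depth = [], 0
    for ch in addr:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def delivered_domain(addr: str) -> str:
    """Domain the MTA will actually deliver to, after comment removal."""
    return strip_comments(addr).rsplit("@", 1)[-1].strip().lower()


def strict_local_check(recipient: str, local_domain: str = LOCAL_DOMAIN) -> bool:
    """Hardened check: canonicalize first, then compare the whole domain
    (exact match or a subdomain), never a substring."""
    dom = delivered_domain(recipient)
    return dom == local_domain or dom.endswith("." + local_domain)


if __name__ == "__main__":
    print("naive accepts:", naive_local_check(ATTACK))        # True
    print("delivered to:", delivered_domain(ATTACK))          # evil.net
    print("strict accepts:", strict_local_check(ATTACK))      # False
```

The general rule the example illustrates: validate the value in the form the
downstream consumer will see, not the form the user typed. For real address
handling, `email.utils.parseaddr` performs the same comment removal, but the
comparison still has to be against the full domain rather than a substring.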
2. Desktop Orbiter Resource Exhaustion Denial Of Service Vulnerability
BugTraq ID: 7759
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7759
Summary:
Desktop Orbiter is designed to be a desktop security solution. It is
maintained by Anfibia and is available for the Microsoft Windows operating
system.
A denial of service vulnerability has been reported for Desktop Orbiter.
The vulnerability exists due to the way the application handles
connections. Specifically, for every open connection, a snapshot preview
of the desktop is loaded into memory. Thus, numerous connections would
result in a consumption of all available memory resources.
An attacker can exploit this vulnerability by making numerous connections
to a Desktop Orbiter server on TCP port 51054. For every connection, the
vulnerable service creates a snapshot of the desktop that is subsequently
loaded into memory. This will eventually result in the service consuming
all available memory and causing the system to behave unpredictably.
This vulnerability affects Desktop Orbiter 2.01. It is not known whether
earlier versions are affected.
3. Linux /bin/mail Carbon Copy Field Buffer Overrun Vulnerability
BugTraq ID: 7760
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7760
Summary:
The /bin/mail utility is a mail processing system which can be used to
send and receive e-mail messages. It is available for the Unix and Linux
operating systems.
A vulnerability has been discovered in /bin/mail on the Linux operating
system. The problem occurs when processing the 'CC:' field within an
e-mail message. Due to insufficient bounds checking, handling
approximately 8824 bytes of data will trigger a buffer overrun.
Successful exploitation of this issue could allow an attacker to execute
arbitrary commands with the privileges of /bin/mail. It should be noted
that local exploitation of this vulnerability may be inconsequential.
However, a malicious e-mail message processed by the vulnerable utility,
or a remote CGI interface that invokes it, may each be a sufficient
conduit for remote exploitation.
4. PHP-Nuke User/Admin Cookie SQL Injection Vulnerability
PHP-Nuke is a popular web based Portal system. It allows users to create
accounts and contribute content to the site.
PHP-Nuke is reported to be prone to SQL injection attacks during
authentication. This is due to insufficient sanitization of cookie values,
which will be used in database queries. This could permit an attacker to
inject SQL code.
It has been demonstrated that this vulnerability may allow a remote
attacker to modify query logic and disclose administrator and user
password hashes through a sequential brute force method. Although
unconfirmed, it may also be possible, depending on the database
implementation and other factors, to launch attacks against the database.
This may result in the disclosure of sensitive information.
Having the Web_Links module installed and one link active, is a
prerequisite for exploitation of the admin password hash recovery issue.
It should be noted that although this vulnerability has been reported to
affect PHP-Nuke versions 5.6 and 6.5, other versions may potentially be
affected.
5. Microsoft Internet Explorer False URL Information Vulnerability
BugTraq ID: 7763
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7763
Summary:
An issue has been reported for Microsoft Internet Explorer that may result
in a false sense of security for a user.
Due to the way IE handles certain functions, the URL displayed in the
location bar will not correspond to the actual URL of the site displayed
in the browser window. As a result, an attacker can exploit this issue to
entice a user to visit a malicious web site while leading them to believe
they are at a known or trusted page.
6. PHP Transparent Session ID Cross Site Scripting Vulnerability
BugTraq ID: 7761
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7761
Summary:
PHP is a freely available, open source web scripting language package. It
is available for Microsoft Windows, Linux, and Unix operating systems.
PHP contains an option known as transparent session IDs. This feature
allows session IDs to be embedded in URLs rather than carried in a cookie.
A cross-site scripting vulnerability has been discovered in PHP version
4.3.1 and earlier. The problem occurs when the 'session.use_trans_sid'
global parameter has been enabled.
Due to insufficient sanitization of the PHPSESSID URI parameter, it is
possible for an attacker to embed malicious script code within a link. By
embedding malicious code in such a way that an HTML tag will be
prematurely terminated, it may be possible to execute arbitrary script
code.
Successful exploitation of this issue would allow an attacker to execute
arbitrary script code in a victim's browser within the context of the
visited website. This may allow for the theft of sensitive information,
such as session ID's, or possibly other attacks.
It should be noted that PHP versions prior to release 4.2.0 do not support
transparent session IDs by default. Support must be specified during
initial compilation.
7. JBoss Null Byte Request JSP Source Disclosure Vulnerability
JBoss is a freely available, open source Java application server. It is
distributed and maintained by JBoss Group.
A problem has been reported in the handling of unexpected characters in
requests to JBoss that may allow an attacker to gain access to potentially
sensitive information.
The problem is in the handling of null characters in some requests. By
submitting a valid request for a JSP and appending a null byte to the end
of the request, it is possible to retrieve the source of the Java Server
Page (JSP) rather than its output. The JSP source could contain sensitive
information such as database passwords.
It should be noted that this problem occurs when JBoss is used with Jetty.
It is not known what effect this problem has on JBoss with other servers.
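The mechanism behind this class of bug is that the request path is compared
as a whole (so '/index.jsp' followed by a null byte no longer matches the JSP
handler) but the file is then opened through a C-style, NUL-terminated API
that stops at the null byte and opens index.jsp as a static file. The
following is an added toy model of that differential, not JBoss or Jetty
code; the web root, the JSP file and the two file-layer behaviours are
constructed here.

```python
"""Added example, not JBoss/Jetty code: a toy model of the null-byte
differential.  The dispatcher matches on the whole decoded request path
(which may contain a NUL, arriving on the wire as %00), while the file is
opened through a NUL-terminated C-style API that stops at the first NUL.
The web root and the JSP file are constructed in a scratch directory."""
import os
import shutil
import tempfile
from urllib.parse import unquote

JSP_SOURCE = "<%= dbPassword %>"     # constructed stand-in for a real page


def c_string(s: str) -> str:
    """What a NUL-terminated C API sees of a Java/Python string."""
    return s.split("\x00", 1)[0]


def dispatch(request_path: str, webroot: str, truncates: bool) -> str:
    """Serve one request.  '*.jsp' goes to the JSP engine (a marker is
    returned instead of running it); anything else is read from disk as a
    static file.  truncates=True models a file layer that silently cuts the
    name at the NUL; False models one that refuses embedded NULs."""
    path = unquote(request_path)            # '%00' becomes '\x00' here
    if path.endswith(".jsp"):
        return "EXECUTED"                   # the JSP's output, never its source
    name = path.lstrip("/")
    if truncates:
        name = c_string(name)               # 'index.jsp\x00' -> 'index.jsp'
    elif "\x00" in name:
        raise ValueError("embedded NUL in request path")
    with open(os.path.join(webroot, name)) as f:
        return f.read()                     # static file: raw contents


def demo() -> dict:
    """Run the interesting requests against a throwaway web root."""
    webroot = tempfile.mkdtemp()
    try:
        with open(os.path.join(webroot, "index.jsp"), "w") as f:
            f.write(JSP_SOURCE)
        out = {
            "normal": dispatch("/index.jsp", webroot, truncates=True),
            "null_byte_truncating": dispatch("/index.jsp%00", webroot, truncates=True),
        }
        try:
            dispatch("/index.jsp%00", webroot, truncates=False)
            out["null_byte_strict"] = "served"
        except ValueError:
            out["null_byte_strict"] = "rejected"
        return out
    finally:
        shutil.rmtree(webroot)


if __name__ == "__main__":
    print(demo())
```

The fix in the model is the strict branch: reject any path containing a NUL
before it reaches a layer with different string semantics. The same
differential applies to any check performed on a counted string (Java, PHP,
Python) that is later handed to a NUL-terminated API.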
8. iisCart2000 Arbitrary File Upload Vulnerability
iisCart2000 is web-based shopping cart software implemented in ASP. It is
available for the Microsoft Windows operating system.
A vulnerability has been reported for iisCart2000 that may allow an
attacker to upload arbitrary files to a vulnerable server. The
vulnerability exists in the upload.asp script. Specifically, the script
does not verify that a user is authorized to upload files.
An attacker can exploit this vulnerability by issuing a request for the
vulnerable script (residing in 'admin/' or './') and uploading arbitrary
files to the server. If the uploaded file is an ASP script, it may be
possible for the attacker to request it and have it executed.
Successful exploitation may result in the execution of attacker-supplied
code.
9. WebCortex WebStores2000 SQL Injection Vulnerability
WebCortex WebStores2000 is shopping cart software implemented in ASP. It
is available for Microsoft Windows operating environments.
WebStores2000 has been reported to be prone to SQL injection attacks.
This vulnerability is reportedly caused by a lack of sufficient
sanitization of user-supplied data contained in URI parameters supplied to
WebStores2000. Specifically, an attacker may inject SQL commands by
embedding them in the 'Item_ID' URI parameter supplied to the
browse_item_details.asp script.
Successful exploitation may allow for modification of the structure of SQL
queries, resulting in information disclosure, or database corruption. The
consequences depend on the nature of specific queries. This issue may
allow the attacker to exploit latent vulnerabilities in the underlying
database.
10. Microsoft URLScan Information Disclosure Weakness
BugTraq ID: 7767
Remote: Yes
Date Published: May 31 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7767
Summary:
Microsoft URLScan is a tool that prevents certain types of specific HTTP
requests from reaching a IIS (Internet Information Services) server.
A weakness has been reported for URLScan that may result in the disclosure
of sensitive information.
The weakness exists because of the way URLScan handles HEAD requests.
Specifically, when URLScan rejects a HEAD request, it converts it to a GET
request and passes it to the underlying IIS server so that the configured
reject page is delivered to the requesting client. A HEAD response is not
supposed to carry a body, so the page returned in reply to a rejected HEAD
request may allow an attacker to identify systems that use URLScan.
11. Apache Tomcat Insecure Directory Permissions Vulnerability
BugTraq ID: 7768
Remote: No
Date Published: Jun 01 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7768
Summary:
Tomcat is a web server and JSP/Servlet container that is developed by
Apache as part of the Jakarta project.
Apache Tomcat may be installed with world-readable permissions for the
/opt/tomcat/ directory. Files in this directory may contain sensitive
information, such as authentication credentials. Local users may
potentially gain unauthorized access to these files as a result.
This issue was reported for Apache Tomcat versions prior to 4.1.24 on
Gentoo Linux. It is not known if other distributions are similarly
affected.
12. Multiple Mod_Gzip Debug Mode Vulnerabilities
Mod_gzip is an Apache web server module that compresses web content before
sending it to the client. Mod_gzip is not a standard module for Apache.
Multiple vulnerabilities were reported in Mod_gzip. The following issues
exist when the software is run in debug mode:
Insufficient bounds checking of request data may lead to a stack overflow.
If a remote user passes an excessive request for a file type (such as
gzip) handled by the module, it may be possible to corrupt stack variables
with specific values. This could lead to execution of malicious
attacker-supplied instructions.
Mod_gzip is prone to a format string vulnerability when Apache logging
facilities are used. This is due to missing format specifiers in the code
responsible for logging requests for file types handled by the module.
Exploitation could permit a remote attacker to overwrite arbitrary
locations in memory with malicious data, potentially allowing for code
execution.
Mod_gzip logs debugging information in files using predictable names.
The following naming scheme is used when log files are created:
/tmp/t<PID>.log
By anticipating the value of the process ID, a local attacker could launch
symlink attacks against other system files. It has been reported that
some debugging information is logged as the superuser. This could allow
for corruption of arbitrary files. If these files can be corrupted with
custom data, then it will be possible to gain elevated privileges.
Exploitation of these issues could result in execution of malicious
instructions or corruption of critical or sensitive files.
This record will be divided into multiple BIDs when further analysis of
these issues is complete.
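The symlink issue above is the classic predictable-temp-file race: a local
user who can guess the PID plants a symlink at /tmp/t<PID>.log, and a
privileged writer that opens the path with plain create-or-truncate
semantics follows the link and clobbers the target. The following is an
added example, not mod_gzip code. It recreates the naming scheme from the
advisory in a scratch directory (not /tmp), uses a made-up PID and victim
file, and shows the naive open beside an open that refuses a pre-existing
path or symlink. It assumes a POSIX system, since it relies on O_NOFOLLOW
and symlinks.

```python
"""Added example, not mod_gzip code: why a predictable /tmp/t<PID>.log is
unsafe and how to open such a file so a pre-planted symlink cannot redirect
the write.  Runs in a scratch directory instead of /tmp; the PID and the
victim file are constructed.  Assumes a POSIX system (O_NOFOLLOW, symlinks)."""
import os
import shutil
import tempfile


def predictable_log_path(tmpdir: str, pid: int) -> str:
    """Mirrors the naming scheme in the advisory: <tmp>/t<PID>.log."""
    return os.path.join(tmpdir, f"t{pid}.log")


def write_naively(path: str, data: str) -> None:
    """open(path, 'w') follows a symlink and truncates whatever it points at."""
    with open(path, "w") as f:
        f.write(data)


def write_safely(path: str, data: str) -> None:
    """O_CREAT|O_EXCL fails if anything (file or symlink) already exists at
    the path; O_NOFOLLOW additionally refuses a symlink at the last
    component.  Mode 0600 keeps other users from reading the debug output."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def simulate(symlink_planted: bool, safe: bool) -> dict:
    """Play the race out once.  Returns the victim file's contents afterwards
    and whether the writer refused to proceed."""
    tmpdir = tempfile.mkdtemp()
    try:
        victim = os.path.join(tmpdir, "victim.conf")   # stands in for a root-owned file
        with open(victim, "w") as f:
            f.write("original\n")
        log = predictable_log_path(tmpdir, pid=4242)   # attacker guessed the PID
        if symlink_planted:
            os.symlink(victim, log)                     # attacker's move, before the write
        refused = False
        try:
            (write_safely if safe else write_naively)(log, "debug output\n")
        except FileExistsError:
            refused = True
        with open(victim) as f:
            return {"victim": f.read(), "refused": refused}
    finally:
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    print("naive, symlink planted:", simulate(True, False))   # victim clobbered
    print("safe,  symlink planted:", simulate(True, True))    # write refused
    print("safe,  no symlink:     ", simulate(False, True))   # normal write
```

In production code the name should not be predictable at all
(`tempfile.mkstemp` applies the same O_CREAT|O_EXCL pattern to a random
name), and a process running as root should write its logs to a directory
that other users cannot create entries in rather than to a shared /tmp.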
13. Webfroot Shoutbox Expanded.PHP Remote Command Execution...
Webfroot Shoutbox is a web application designed to allow web site visitors
a chance to leave messages. It is implemented in PHP and is available for
the Unix, Linux, and Microsoft Windows platforms.
Shoutbox is prone to an issue that may result in the execution of
attacker-supplied code. The vulnerability exists due to insufficient
sanitization of input into the expanded.php script.
An attacker can exploit this vulnerability to insert malicious PHP code
into the web server logs which can then be executed by the PHP interpreter
when the logs are requested. This will allow an attacker to execute
arbitrary commands on a vulnerable system in the context of the web
server.
This vulnerability was reported to affect Webfroot Shoutbox 2.32 and
earlier.
14. WinMX Plaintext Password Storage Weakness
BugTraq ID: 7771
Remote: No
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7771
Summary:
WinMX is a P2P file sharing application for Microsoft Windows operating
systems. It supports the OpenNap protocol and is compatible with a number
of P2P servers.
WinMX stores P2P server passwords in plaintext. As a result, these
credentials could be exposed to other local users. Passwords are stored in
the 'nservers.dat' file and are also accessible via the server editing
feature of the WinMX interface.
This issue has been reported in WinMX 2.6. It is thought that the issue
may have been addressed in later versions, though no vendor confirmation
is available.
15. myServer HTTP GET Argument Buffer Overflow Vulnerability
BugTraq ID: 7770
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7770
Summary:
myServer is an application and web server for Microsoft Windows and Linux
operating systems.
myServer has been reported prone to a remote buffer overflow
vulnerability. The vulnerability exists when the web server attempts to
process HTTP requests of excessive length. Specifically, when the web
server processes an argument passed in a malicious HTTP GET request that
is more than 4100 bytes long, the web server will crash. This will
result in a denial of service condition.
It is possible that this vulnerability may also allow the execution of
arbitrary instructions. Any instructions carried out through this
vulnerability would run with the privileges of the web server process.
However, the possibility of code execution has not been confirmed.
This vulnerability was reported for myServer version 0.4.1. It is likely
that other versions are also affected.
16. XMame Lang Local Buffer Overflow Vulnerability
BugTraq ID: 7773
Remote: No
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7773
Summary:
Xmame is a port of the MAME arcade emulator. It is available for Linux
and Unix systems.
Xmame is prone to a locally exploitable buffer overflow. The issue exists
in the xmame.x11 executable. This is due to insufficient bounds checking
of the command line parameter used to specify language settings (--lang).
By specifying an excessively long language parameter, it is possible to
corrupt stack memory with attacker-supplied values. This could be
exploited to control execution flow and cause execution of malicious
instructions.
Some builds of Xmame require setuid root privileges to operate properly,
particularly those builds with svgalib/xf86_dga support enabled.
Successful exploitation on some systems could result in execution of
arbitrary code with elevated privileges.
17. Webchat Module Path Disclosure Weakness
Webchat is a web based chat module designed for use with PHP-Nuke.
Webchat has been reported prone to a path disclosure weakness.
Reportedly an attacker may make a malicious HTTP request for the 'out.php'
script to trigger the condition; alternatively the attacker may pass a
non-numeric 'roomid' URI parameter to the Webchat module. Under some
circumstances either request will trigger an exception, causing Webchat to
display an error message containing the path to an internal PHP include
file embedded in the source of the error.
An attacker may use the information gathered in this manner to aid in
further attacks launched against the host.
This weakness was reported to affect Webchat version 2.0; other versions
may also be affected.
18. Webfroot Shoutbox Expanded.PHP Remote Directory Traversal...
Webfroot Shoutbox is a web application designed to allow web site visitors
a chance to leave messages. It is implemented in PHP and is available for
the Unix, Linux, and Microsoft Windows platforms.
A problem in Shoutbox may result in traversal attacks. The vulnerability
exists due to insufficient sanitization of user-supplied values to the
expanded.php script, and could allow the viewing of potentially sensitive
files by attackers.
An attacker can exploit this vulnerability by manipulating the value of
the 'conf' URI parameter submitted to the expanded.php script to obtain
any files readable by the web server.
Information obtained in this manner may allow an attacker to launch
further, potentially destructive attacks against a vulnerable system.
This vulnerability was reported to affect Webfroot Shoutbox 2.32 and
earlier.
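The traversal above comes from joining a user-controlled file name such as
the 'conf' parameter onto a base directory and opening the result. The
following is an added example, not Shoutbox code. It shows that pattern
beside a resolver that canonicalizes the path and refuses anything that
does not stay inside the intended directory; the base directory, the
configuration file, the out-of-tree secret and the symlink are all
constructed in a scratch directory. It goes a little beyond the advisory by
also covering absolute paths and a symlink planted inside the directory.

```python
"""Added example, not Shoutbox code: a 'conf'-style file parameter joined
onto a base directory without a containment check, beside a resolver that
confines the result to that directory.  The directory layout, secret file
and symlink are constructed in a scratch directory."""
import os
import shutil
import tempfile


def resolve_unsafe(base: str, conf: str) -> str:
    """Vulnerable pattern: join and open.  '../' walks out of base, and an
    absolute 'conf' makes os.path.join discard base entirely."""
    return os.path.join(base, conf)


def resolve_safe(base: str, conf: str) -> str:
    """Canonicalize both sides (resolving '..' and symlinks) and require the
    target to be base itself or something below it."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, conf))
    if os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError(f"traversal attempt: {conf!r}")
    return target


def demo() -> dict:
    """Exercise both resolvers against a constructed layout:
       <root>/secret.txt                (outside the conf directory)
       <root>/shoutbox/conf/default.conf
       <root>/shoutbox/conf/link.conf -> <root>/secret.txt"""
    root = tempfile.mkdtemp()
    try:
        base = os.path.join(root, "shoutbox", "conf")
        os.makedirs(base)
        secret = os.path.join(root, "secret.txt")
        with open(os.path.join(base, "default.conf"), "w") as f:
            f.write("theme=blue\n")
        with open(secret, "w") as f:
            f.write("db_pass=hunter2\n")          # constructed sample secret
        os.symlink(secret, os.path.join(base, "link.conf"))

        def read(resolver, conf):
            try:
                with open(resolver(base, conf)) as f:
                    return f.read()
            except PermissionError:
                return "REJECTED"

        return {
            "unsafe_traversal": read(resolve_unsafe, "../../secret.txt"),
            "safe_traversal": read(resolve_safe, "../../secret.txt"),
            "safe_legit": read(resolve_safe, "default.conf"),
            "safe_symlink": read(resolve_safe, "link.conf"),
            "safe_absolute": read(resolve_safe, secret),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} {v!r}")
```

The containment test is done on the canonical path, which is why the
planted symlink is caught: comparing the unresolved string would pass it.
Where the set of valid files is small, a whitelist of names (or an index
into a fixed list) removes the need for path arithmetic altogether.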
19. WebChat Users.PHP Database Username Disclosure Weakness
WebChat is a web based chat module designed for use with PHP-Nuke.
WebChat has been reported prone to a database username disclosure
weakness.
The issue presents itself when a malicious request is made for the WebChat
'users.php' page. An attacker may pass a guessed username as the
'username' URI parameter to the affected page. Although unconfirmed, it is
likely that this action will return some indication of whether the
submitted username exists or not. An attacker may exploit this weakness to
enumerate valid usernames, which could then be used in password guessing
attacks.
An attacker may use the information gathered in this manner to aid in
further attacks launched against the host.
This weakness was reported to affect WebChat version 2.0; other versions
may also be affected.
20. WebChat Users.PHP Cross-Site Scripting Vulnerability
WebChat is a web based chat module designed for use with PHP-Nuke.
WebChat has been reported prone to a cross-site scripting vulnerability.
WebChat does not adequately filter script code from URI parameters, making
it prone to cross-site scripting attacks. Attacker-supplied script code
may be included in a malicious link to the WebChat 'users.php' script. The
code contained in the 'username' URI parameter will be executed in the
browser of the web user who visits the link, in the security context of
the site running the WebChat module.
This may enable a remote attacker to steal cookie-based authentication
credentials from legitimate users. Other attacks are also possible.
This vulnerability was reported to affect WebChat version 2.0; other
versions may also be affected.
21. Gator EWallet Information Encoding Weakness
BugTraq ID: 7778
Remote: No
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7778
Summary:
Gator eWallet is software for managing personal data such as passwords and
credit card information. It is available for Microsoft Windows operating
systems.
Gator eWallet fails to adequately protect sensitive information stored by
users.
Gator eWallet uses Base64 encoding to protect sensitive information.
This information is stored in the following data files in the program
folder:
Local users with access to these files may gain access to a plethora of
personal information. Base64 encoded data may be trivially reversed to
obtain plaintext.
22. Crob FTP Server Remote Username Format String Vulnerability
BugTraq ID: 7776
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7776
Summary:
Crob FTP Server is a typical file transfer server available for the
Windows operating system.
A vulnerability has been reported for Crob FTP Server. The problem occurs
due to the lack of format specifiers supplied to a printf()-like function.
The vulnerability specifically occurs when displaying the 'user' parameter
while prompting for a password. As a result, an attacker may be capable of
exploiting this issue by embedding malicious format specifiers designed to
write to memory, such as %hn.
Successful exploitation of this vulnerability would allow an attacker to
overwrite arbitrary locations in memory, ultimately allowing for the
execution of arbitrary code. All commands executed in this manner would be
run with the privileges of the Crob FTP Server.
This vulnerability was reported for Crob FTP Server 2.50.4, however
earlier versions may also be affected.
23. Sun Management Center Change Manager PamVerifier Buffer Overflow Vulnerability
BugTraq ID: 7781
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7781
Summary:
Sun Management Center Change Manager is a software package available for
the Sun Solaris operating system. It is distributed and maintained by
Sun.
A problem with Sun Management Center Change Manager may give a remote user
unauthorized access to the system.
It has been reported that Sun Management Center (SunMC) Change Manager is
vulnerable to a remote boundary condition error. Because of this, it may
be possible for an attacker to gain administrative access to a system
remotely.
The problem is in the pamverifier program. A buffer overrun in this
program can result in the execution of code with the privileges of the
administrative user. Because of this, an attacker could exploit this
issue to compromise the administrative integrity of a vulnerable system.
It should be noted that SunMC Change Manager is an add-on component of
SunMC, and is not installed with SunMC or on Solaris by default.
24. SPChat Module Remote File Include Vulnerability
BugTraq ID: 7780
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7780
Summary:
SPChat is a web based chat module designed for use with PHP-Nuke.
SPChat has been reported prone to a remote file include vulnerability.
The issue presents itself due to insufficient sanitization performed on
the user-supplied URI variable 'statussess' by the SPChat module. An
attacker may exploit this by supplying a path to a maliciously created
file, located on an attacker-controlled host as a value for the
'statussess' URI parameter.
If the remote file is a malicious script, this may allow for execution of
attacker-supplied code in the context of the affected SPChat module.
This vulnerability was reported to affect SPChat version 0.8; other
versions may also be affected.
25. Cafelog b2 B2Functions Script B2INC Variable Include Vulnerability
BugTraq ID: 7782
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7782
Summary:
CafeLog b2 WebLog Tool allows users to generate news pages and weblogs
dynamically. It is implemented in PHP and is available for the Unix,
Linux, and Microsoft Windows platforms.
A remote file include vulnerability has been reported in Cafelog b2. Due
to insufficient sanitization of user-supplied values by the
b2functions.php script, it is possible for a remote attacker to influence
the location of included files.
An attacker may exploit this by supplying a path to a maliciously created
file, located on an attacker-controlled host as a value for the '$b2inc'
parameter.
If the remote file is a malicious PHP script, this may allow for execution
of attacker-supplied PHP code with the privileges of the web server.
Successful exploitation may provide local access to the attacker.
This vulnerability was reported for Cafelog 0.6.1.
26. CafeLog b2 Blog.Header Script SQL Injection Vulnerability
Cafelog b2 WebLog Tool allows users to generate news pages and weblogs
dynamically. It is implemented in PHP and is available for the Unix,
Linux, and Microsoft Windows platforms.
The Cafelog b2 tool does not properly sanitize user input sent to the
blog.header.php script. Because of this, it is possible for an attacker
to pass malicious SQL code to the underlying database.
The problem is in the checking of the $posts variable of the script.
SQL code may be inserted into the variable, and will in turn be executed
by the database server. Requests could include adding, deleting, and
modifying data. Additionally, this may allow a remote attacker to exploit
vulnerabilities that exist in the underlying database.
27. Wordpress Posts SQL Injection Vulnerability
Wordpress allows users to generate news pages and weblogs dynamically. It
uses PHP and a MySQL database to generate dynamic pages.
Wordpress has been reported prone to an SQL injection vulnerability.
Wordpress does not properly sanitize user input that is passed to the
'posts' variable. Specifically, data contained in the 'posts' variable is
not converted to an integer before it is passed to an SQL query. An
attacker may exploit this vulnerability to insert SQL code into requests
and have the SQL code executed by the underlying database server. These
requests could include adding, deleting, and modifying data. Additionally,
this may allow a remote attacker to exploit vulnerabilities that exist in
the underlying database.
It should be noted that although this vulnerability has been reported to
affect Wordpress version 0.7, other versions might also be affected.
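The defect the Cafelog b2 blog.header.php and Wordpress entries above describe, a 'posts' value reaching the query without first being converted to an integer, as an added PHP illustration that is not code from either project; the table name, sample rows and in-memory SQLite store are constructed here so the script runs offline.

```php
<?php
// Added illustration, not Cafelog b2 or Wordpress code. The 'posts' request
// parameter is the number of entries to display; the BIDs report that it
// reaches the SQL query without being converted to an integer.
// Hypothetical table name, constructed sample rows, SQLite held in memory so
// the script runs offline (needs the pdo_sqlite extension).

// Vulnerable shape: the raw request value is concatenated into the query
// text, so anything after the leading digits becomes part of the SQL.
function build_query_vulnerable(string $posts): string
{
    return "SELECT ID, post_title FROM b2posts ORDER BY ID DESC LIMIT $posts";
}

// Hardened shape: coerce to int (the conversion the BID says is missing),
// clamp to a sane range, and bind the value as an integer parameter so the
// database only ever receives a number.
function fetch_posts(PDO $db, string $posts, int $max = 50): array
{
    $n = (int) $posts;        // '2 OR 1=1' -> 2, 'abc' -> 0
    if ($n < 1 || $n > $max) {
        $n = $max;            // zero, negative or oversized: fall back
    }
    $stmt = $db->prepare(
        'SELECT ID, post_title FROM b2posts ORDER BY ID DESC LIMIT :n'
    );
    $stmt->bindValue(':n', $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE b2posts (ID INTEGER PRIMARY KEY, post_title TEXT)');
foreach (['First post', 'Second post', 'Third post'] as $title) {
    $ins = $db->prepare('INSERT INTO b2posts (post_title) VALUES (:t)');
    $ins->execute([':t' => $title]);
}

// A request value that carries more than a number (constructed sample).
$tainted = '2 OR 1=1';

// The vulnerable builder embeds the whole string into the statement text.
echo "Vulnerable query text: ", build_query_vulnerable($tainted), "\n";

// The hardened path only ever sees the integer 2 and returns two rows.
foreach (fetch_posts($db, $tainted) as $row) {
    printf("%d: %s\n", $row['ID'], $row['post_title']);
}
```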
28. Cafelog b2 B2MenuTop Script B2INC Variable Include Vulnerability
BugTraq ID: 7786
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7786
Summary:
CafeLog b2 allows users to generate news pages and weblogs dynamically. It
is implemented in PHP and is available for the Unix, Linux, and Microsoft
Windows platforms.
A remote file include vulnerability has been reported in Cafelog b2. Due
to insufficient sanitization of user-supplied values in the b2menutop.php
script, it is possible for a remote attacker to influence the location of
included files.
An attacker may exploit this by supplying a path to a maliciously created
file, located on an attacker-controlled host as a value for the '$b2inc'
parameter.
If the remote file is a malicious PHP script, this may allow for execution
of attacker-supplied PHP code with the privileges of the web server.
Successful exploitation may provide local access to the attacker.
This vulnerability was reported for Cafelog 0.6.2.
29. Wordpress Remote PHP File Include Vulnerability
BugTraq ID: 7785
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7785
Summary:
Wordpress allows users to generate news pages and weblogs dynamically. It
uses PHP and a MySQL database to generate dynamic pages.
A vulnerability has been reported for Wordpress. The problem is said to
occur due to insufficient sanitization of user-supplied URI parameters.
Specifically, the '$abspath' variable, which is used as an argument to the
PHP require() function, is not sufficiently sanitized of malicious input.
As a result, an attacker may be capable of including a malicious
'blog.header.php' from a controlled web server. This may result in the
execution of PHP commands located within the script.
Successful exploitation of this vulnerability would allow an attacker to
execute arbitrary PHP commands on a target server, with the privileges of
Wordpress.
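The include defect the SPChat, Cafelog b2 and Wordpress entries above share, a request-controlled value such as '$b2inc' or '$abspath' used as the directory of a require(), shown as an added PHP illustration that is not code from any of those projects; the application root, directory names and allow-list are hypothetical.

```php
<?php
// Added illustration, not SPChat, Cafelog b2 or Wordpress code.
// Under register_globals (on by default in the PHP of the day) a request
// parameter named b2inc becomes the variable $b2inc. If that variable forms
// the directory of a require() and allow_url_fopen is enabled (on PHP 5.2
// and later, allow_url_include as well), a value naming a remote host makes
// PHP fetch and execute the remote file. Turning both php.ini directives
// off is the configuration-side mitigation; the code-side fix is below.
// File and directory names here are hypothetical.

// Vulnerable shape: the include root is whatever the request supplied.
function include_path_vulnerable(array $request): string
{
    $b2inc = $request['b2inc'] ?? 'b2-include';   // attacker-influenced
    return $b2inc . '/b2functions.php';
}

// Hardened shape: the include root is fixed relative to the application
// root and never derived from request data. If a choice must be offered,
// accept only a bare directory name that appears on an allow-list, which
// rules out URL schemes, separators and '..' traversal.
function include_path_hardened(string $appRoot, ?string $candidate, array $allowed): string
{
    $default = $appRoot . '/b2-include/b2functions.php';
    if ($candidate === null) {
        return $default;
    }
    // Bare directory names only: letters, digits, '_' and '-'.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $candidate)) {
        return $default;
    }
    if (!in_array($candidate, $allowed, true)) {
        return $default;
    }
    return $appRoot . '/' . $candidate . '/b2functions.php';
}

$appRoot = '/var/www/blog';                    // hypothetical root
$allowed = ['b2-include', 'b2-include-alt'];  // hypothetical allow-list

// Constructed sample requests.
$samples = [
    ['b2inc' => 'http://attacker.example/'],   // remote host
    ['b2inc' => '../../etc'],                  // traversal
    ['b2inc' => 'b2-include-alt'],             // legitimate alternative
    [],                                        // parameter absent
];
foreach ($samples as $request) {
    $value = $request['b2inc'] ?? null;
    printf("%-30s vulnerable: %s\n", var_export($value, true),
        include_path_vulnerable($request));
    printf("%-30s hardened:   %s\n", '',
        include_path_hardened($appRoot, $value, $allowed));
}
```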
30. Pi3Web SortName Buffer Overflow Vulnerability
Pi3Web is a free, multi-platform, configurable HTTP server and development
environment. It is available for Unix/Linux variants and Microsoft
Windows operating systems.
Pi3Web is prone to a buffer overflow vulnerability. This is due to
insufficient bounds checking of URI parameters. It is possible to trigger
this condition by specifying a 'SortName' URI parameter of excessive
length. Excess data will overrun adjacent regions of memory. This
condition could be exploited to cause a denial of service or possibly to
execute malicious instructions in the context of the server.
This issue was reported for Pi3Web 2.0.2 Beta 1 on Windows platforms.
It was originally believed that this condition only existed with certain
indexing configurations, but additional reports indicate that this is not
the case.
31. Microsoft Windows XP Nested Directory Denial of Service Vulnerability
BugTraq ID: 7789
Remote: No
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7789
Summary:
A vulnerability has been reported for all versions of Microsoft Windows
XP. The problem occurs while handling the options menu of the last folder
within 122 nested directories. The nested directories must all use names
of strictly one character, such as 'a' or 'b'.
By moving the cursor over the menu for the 122nd folder, it may be possible
for an unprivileged local user to crash a target system.
32. Microsoft Windows 2000/XP/2003 IPV6 ICMP Flood Denial Of Service Vulnerability
BugTraq ID: 7788
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7788
Summary:
Microsoft Windows 2000/XP/2003 has been reported prone to a remote denial
of service vulnerability.
Reportedly, an attacker may trigger this vulnerability under certain
configurations; specifically, IPv6 must be enabled on the target server.
Under these conditions an attacker may launch an ICMP flood attack (an
ICMP flood attack, by nature, sends more ICMP echo request packets than
the vulnerable protocol implementation can handle), which could effectively
deny network services to valid users.
Reportedly, this issue is exacerbated by BID 7666.
33. Multiple Vendor kon2 Local Buffer Overflow Vulnerability
BugTraq ID: 7790
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7790
Summary:
kon2 is a Kanji emulator for the Linux console.
A buffer overflow vulnerability has been reported for the kon2 utility
shipped with various Linux distributions. Exploitation of this
vulnerability may result in a local attacker obtaining elevated privileges
on a vulnerable system.
The vulnerability exists due to insufficient bounds checking performed on
some commandline options passed to the vulnerable utility.
A local attacker can exploit this vulnerability by invoking kon2 with
overly long commandline options. This will trigger the overflow condition
and may result in an attacker obtaining root privileges.
This vulnerability was reported for kon2 0.3.9b and earlier.
34. IRCXpro Server Settings.INI Plaintext Password Storage Vulnerability
BugTraq ID: 7792
Remote: Yes
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7792
Summary:
IRCXpro Server is an IRC server that is designed for use with Microsoft
Windows operating systems.
A problem with the IRCXpro Server could make unauthorized access to
credentials possible.
It has been reported that a problem exists in the method used for the
storage of passwords by IRCXpro. This could lead to local users gaining
unauthorized access to passwords, and potentially unauthorized access to
the vulnerable IRC server.
Specifically, IRCXpro Server stores user credentials in the "settings.ini"
configuration file, using plain text format by default. A local user with
sufficient privileges to read this file may obtain the usernames and
passwords contained within.
Information gathered in this way may be used to aid in further attacks
launched against the vulnerable system.
This vulnerability was reported for IRCXpro Server 1.0.
35. Red Hat Linux TTY Layer Kernel Panic Denial Of Service Vulnerability
BugTraq ID: 7791
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7791
Summary:
The TTY layer is used to process input and output supplied to and from the
console.
A vulnerability has been reported in the TTY layer that may result in a
kernel panic.
The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.
36. Red Hat Linux Kernel MXCSR Handler Unspecified Vulnerability
BugTraq ID: 7793
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7793
Summary:
The Intel MXCSR register contains control/status information for the SSE
registers.
The Red Hat Linux Kernel MXCSR handler code has been reported prone to an
unspecified vulnerability.
The issue presents itself when low-level MXCSR kernel code encounters a
malformed address. It has been reported that the MXCSR code fails to
sufficiently handle malformed address data and will leave garbage in the
CPU state registers.
Although speculative, it has been conjectured that this issue may allow an
attacker to corrupt CPU state registers and trigger a denial of service
condition if the kernel relies on current register contents. Although
unconfirmed, other attacks may also be possible.
It should be noted that this vulnerability will only affect systems
running on the Intel architectures.
This BID will be updated as further technical details are released.
37. Red Hat Linux EXT3 Filesystem Data Corruption Vulnerability
BugTraq ID: 7795
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7795
Summary:
A potential data corruption vulnerability has been identified in the Red
Hat Linux kernel.
The potential issue may be exploitable under very restrictive
circumstances. In an ext3 file-system environment where the system is
processing heavy complex memory mapped file I/O loads, if the mapped
writes are to a partial page at the end of a file, a file may be
simultaneously unlinked and the corresponding mapped file blocks
reallocated. This action may potentially cause the corruption of arbitrary
files.
If an attacker can recreate the necessary environment, it may be possible
to create a condition where arbitrary files are corrupted.
38. Sun Solaris Telnet Daemon Remote Denial Of Service Vulnerability
BugTraq ID: 7794
Remote: Yes
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7794
Summary:
Solaris is the UNIX variant operating system distributed and maintained by
Sun Microsystems.
A problem with Solaris may make it possible for a remote user to deny
service to legitimate users of the system.
It has been reported that a vulnerability exists in the telnet daemon of
Solaris systems. An attacker may be able to exploit this issue to consume
system resources, making the system unusable by legitimate users.
Specific technical details of the vulnerability are not known. However,
it is known that the vulnerable daemon can be forced into a loop in
execution. When the daemon enters the loop, considerable resources are
consumed by the process. Multiple instances of the software entering a
loop can cause excessive consumption of system resources, leading to
denial of service.
39. HP-UX UUCP Unspecified Buffer Overflow Vulnerability
UUCP is the Unix-to-Unix Copy Protocol infrastructure, implemented on
numerous Unix and Unix-clone operating systems.
A vulnerability has been discovered in the HP-UX implementation of UUCP.
The problem is likely due to insufficient bounds checking of user-supplied
data. By passing a sufficiently large amount of data to uucp it is possible
to trigger a buffer overflow. An attacker may exploit this issue to
overwrite sensitive locations in memory; it may be possible for an
attacker to execute arbitrary code.
As UUCP is installed setuid root this would result in the execution of
attacker-supplied commands with the privileges of the superuser.
40. Linux Kernel Fragment Reassembly Remote Denial Of Service Vulnerability
BugTraq ID: 7797
Remote: Yes
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7797
Summary:
The Linux kernel is the core of all Linux operating systems. It is
community-maintained.
A problem in the kernel network code could make a remote denial of service
possible.
It has been reported that the Linux kernel does not properly handle some
specific types of network traffic. Because of this, an attacker may be
able to cause excessive consumption of resources with malicious TCP/IP
packets, resulting in a denial of service.
The problem is in the handling of packet reassembly. By sending maliciously
crafted packet fragments to a system using the vulnerable kernel, it would
be possible to consume an excessive amount of resources during the packet
reassembly phase. This could cause the system to become unstable.
This vulnerability has been reported to be similar to the issue described
in BID 7601.
41. HP-UX UUSUB Unspecified Buffer Overflow Vulnerability
UUSUB is an application that is designed to define a UUCP subnetwork and
subsequently monitor connections and traffic among the members of the
subnetwork.
A vulnerability has been discovered in the HP-UX implementation of UUSUB.
The problem is likely due to insufficient bounds checking of user-supplied
data. By passing a sufficiently large amount of data to UUSUB it is
possible to trigger a buffer overflow. An attacker may exploit this issue
to overwrite sensitive locations in memory; it may be possible for an
attacker to execute arbitrary code.
42. Pablo Software Solutions FTP Server Anonymous Users Privileges Vulnerability
BugTraq ID: 7799
Remote: Yes
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7799
Summary:
Pablo Software Solutions FTP Server is freely available software for
Microsoft Windows operating systems.
An issue in Pablo FTP Service may make it possible for remote users to
perform unauthorized actions.
It has been reported that Pablo FTP Service does not sufficiently restrict
the anonymous user account, which is active by default. Because of this, a
default configuration may provide a conduit for the disclosure of
potentially sensitive information.
The problem is in the permission scheme implemented with a default
installation. Reports indicate that the default anonymous account does not
restrict the user from downloading files from any FTP server readable
location on the affected system. By default the drive on which the
software is installed is mapped readable from the root directory, e.g. 'C:\'.
An attacker may exploit this vulnerability to access arbitrary files on
the underlying system and potentially disclose sensitive information.
Information gathered in this way may be harnessed in further attacks
launched against the affected system.
It should be noted that while this vulnerability has been reported to
affect Pablo FTP service version 1.2, other versions might also be
affected.
43. Pablo Software Solutions FTP Server Plaintext Password Weakness
BugTraq ID: 7801
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7801
Summary:
Pablo Software Solutions FTP Server is freely available software for
Microsoft Windows operating systems.
An issue in Pablo FTP Service may make it possible for a user to access
FTP account credentials.
It has been reported that Pablo FTP Service stores FTP User account
passwords in plaintext format. As a result, these credentials could be
exposed to other users. Passwords are stored in the 'users.dat' file. Any
user who has read access to this file may retrieve Pablo FTP Service user
account credentials.
This issue may be exacerbated by BID 7799.
It should be noted that while this weakness has been reported to affect
Pablo FTP service version 1.2, other versions might also be affected.
III. SECURITYFOCUS NEWS AND COMMENTARY
--------------------------------------
1. Group Releases Anti-Disclosure Plan
By Kevin Poulsen
Security companies and software-makers want your opinion on a proposal to
voluntarily limit discussion of security holes.
http://www.securityfocus.com/news/5458
2. Holy Grail of crypto to arrive in three years, say UK boffins
By John Leyden, The Register
UK boffins have demonstrated unbreakable quantum cryptography over fibre
links longer than 100km for the first time.
http://www.securityfocus.com/news/5519
3. Cisco builds WLAN security framework
By John Leyden, The Register
Cisco Systems this week introduced an architecture designed to make
wireless LANs easier to manage and more secure.
http://www.securityfocus.com/news/5480
4. U.S. reviewing old, secret surveillance files in terrorism
investigations
By Ted Bridis, The Associated Press
Government prosecutors are reviewing years worth of sensitive telephone
and e-mail wiretaps and results from secret searches to decide whether
they can file criminal charges against suspected terrorists in the United
States.
http://www.securityfocus.com/news/5452
IV. SECURITYFOCUS TOP 6 TOOLS
------------------------------
1. Passcheck v2.99
by merlin262
Relevant URL:
http://savannah.nongnu.org/projects/passcheck/
Platforms: Linux
Summary:
Passcheck is a drop-in replacement or rewrite of the original cracklib,
and shares no code with the original. It features an enhanced dictionary
check, and the ability to use the standard system wordlist.
2. LibTomCrypt v0.76
by Tom St Denis tomstdenis (at) iahu (dot) ca
Relevant URL:
http://www.libtomcrypt.org
Platforms: Linux, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows
XP
Summary:
LibTomCrypt is a comprehensive, modular, and portable cryptographic
toolkit that provides developers with a vast array of well known published
block ciphers, one-way hash functions, chaining modes, pseudo-random
number generators, public key cryptography, and a plethora of other
routines. It has been designed from the ground up to be very simple to
use. It has a modular and standard API that allows new ciphers, hashes,
and PRNGs to be added or removed without change to the overall end
application. It features easy to use functions and a complete user manual
which has many source snippet examples.
3. OpenSSH SecurID patch v3.6.1p2 v1
by Theo Schlossnagle
Relevant URL:
http://www.omniti.com/~jesus/projects/
Platforms: N/A
Summary:
This patch integrates SecurID authentication services directly into the
OpenSSH daemon, allowing users to use SecurID tokens directly as their
passwords instead of relying on the clunky sdshell.
4. Logdog v2.0-RC3
by Brandon Zehm
Relevant URL:
http://caspian.dotconf.net/menu/Software/LogDog/
Platforms: Linux
Summary:
LogDog monitors messages passing through syslogd and takes actions based
on key words and phrases (which can be regular expressions). It has a
configuration file which allows you to specify a list of key words or
phrases to alert on and a list of commands that can be run when those
words are encountered.
5. KisMAC v0.05a
KisMAC is a stumbler application for Mac OS X that puts your card into
monitor mode. Unlike most other applications for OS X, it is completely
invisible and sends no probe requests.
6. A Joint Monitoring System (AJMS) v1.8
by Andrew Gray
Relevant URL:
http://www.argray.org/ams/
Platforms: Java, Perl (any system supporting perl)
Summary:
AJMS (AKA "AMS") displays syslog messages in realtime via a browser or
standalone Java client. It also supports searches of any SQL database. It
offers straightforward configuration and integrates easily into any
existing syslog environment.
V. SECURITY JOBS SUMMARY
------------------------
1. Looking for an infosec position in Calgary, AB (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323916
2. SR. IT MANAGER WITH SECURITY BACKGROUND LOOKING IN MINNESOTA (Thread)
Relevant URL:
I. FRONT AND CENTER
-------------------
1. The Enemy Within: Firewalls and Backdoors
by Bob Rudis, CISSP, and Phil Kostenbade, CISSP
This article presents an overview of modern backdoor techniques, discusses
how they can be used to bypass the security infrastructure that exists in
most network deployments and issues a wake-up call for those relying on
current technologies to safeguard their systems/networks.
http://www.securityfocus.com/infocus/1701
2. Adding Security to the Cert
By Tim Mullen
Shiftless third-party prep courses have made MCSE certification less
valuable. Is Microsoft's new security cert doomed to the same fate?
http://www.securityfocus.com/columnists/166
3. Learning to Love Big Brother
By Scott Granneman
Microsoft's digital rights management (DRM) may have implications for
security professionals.
http://www.securityfocus.com/columnists/165
4. Welcome to the SecurityFocus Firewalls Focus Area
By Marcus Ranum
SecurityFocus is very pleased to announce the roll-out of the new
Firewalls focus area.
http://www.securityfocus.com/infocus/1700
5. Welcome to the SecurityFocus Pen-Test Focus Area
By Ivan Arce
The new SecurityFocus Pen-Test focus area offers a unique forum for the
exchange of pen-test information.
http://www.securityfocus.com/infocus/1699
II. BUGTRAQ SUMMARY
-------------------
1. cPanel/Formail-Clone E-Mail Restriction Bypass Vulnerability
BugTraq ID: 7758
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7758
Summary:
cPanel is a multi-platform web hosting control panel that allows a user to
manage their hosted account through a web-based interface.
cPanel includes a Formail-clone/scripts.
It has been reported that cPanel is prone to an issue where a remote
attacker may bypass cPanel Formail-clone local domain checks and have
untrusted e-mail delivered in the context of the vulnerable host.
The issue is reportedly due to a lack of input sanitization performed on
the cPanel recipient field, used by the cPanel Formmail-clone.
Reportedly, if an attacker appends a reference to the local domain in
parenthesis, e.g. 'recipient@example.(localdomain)com' as a part of an
e-mail address passed to cPanel. When the cPanel mailer invokes sendmail
to handle this address sendmail will strip out the parenthesis and the
data contained therein and send the e-mail to the attacker-supplied
address.
This issue may be exploited by an attacker to use the vulnerable host as
an open relay.
2. Desktop Orbiter Resource Exhaustion Denial Of Service Vulnerability
BugTraq ID: 7759
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7759
Summary:
Desktop Orbiter is designed to be a desktop security solution. It is
maintained by Anfibia and is available for the Microsoft Windows operating
system.
A denial of service vulnerability has been reported for Desktop Orbiter.
The vulnerability exists due to the way the application handles
connections. Specifically, for every open connection, a snapshot preview
of the desktop is loaded into memory. Thus, numerous connections would
result in a consumption of all available memory resources.
An attacker can exploit this vulnerability by making numerous connections
to a Desktop Orbiter server on TCP port 51054. For every connection, the
vulnerable service creates a snapshot of the desktop that is subsequently
loaded into memory. This will eventually result in the service consuming
all available memory and causing the system to behave unpredictably.
This vulnerability affects Desktop Orbiter 2.01. It is not known whether
earlier versions are affected.
3. Linux /bin/mail Carbon Copy Field Buffer Overrun Vulnerability
BugTraq ID: 7760
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7760
Summary:
The /bin/mail utility is a mail processing system which can be used to
send and receive e-mail messages. It is available for the Unix and Linux
operating systems.
A vulnerability has been discovered in /bin/mail on the Linux operating
system. The problem occurs when processing the 'CC:' field within an
e-mail message. Due to insufficient bounds checking, handling
approximately 8824 bytes of data will trigger a buffer overrun.
Successful exploitation of this issue could allow an attacker to execute
arbitrary commands with the privileges of /bin/mail. It should be noted
that local exploitation of this vulnerability may be inconsequential.
However, a malicious e-mail message processed by the vulnerable utility, or
a remote CGI interface that invokes it, may both be sufficient conduits for
remote exploitation.
4. PHP-Nuke User/Admin Cookie SQL Injection Vulnerability
BugTraq ID: 7762
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7762
Summary:
PHP-Nuke is a popular web based Portal system. It allows users to create
accounts and contribute content to the site.
PHP-Nuke is reported to be prone to SQL injection attacks during
authentication. This is due to insufficient sanitization of cookie values,
which will be used in database queries. This could permit an attacker to
inject SQL code.
It has been demonstrated that this vulnerability may allow a remote
attacker to modify query logic and disclose administrator and user
password hashes through a sequential brute force method. Although
unconfirmed, it may also be possible, depending on the database
implementation and other factors, to launch attacks against the database.
This may result in the disclosure of sensitive information.
Having the Web_Links module installed with at least one link active is a
prerequisite for exploitation of the admin password hash recovery issue.
It should be noted that although this vulnerability has been reported to
affect PHP-Nuke versions 5.6 and 6.5, all other versions may potentially be
affected.
5. Microsoft Internet Explorer False URL Information Vulnerability
BugTraq ID: 7763
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7763
Summary:
An issue has been reported for Microsoft Internet Explorer that may result
in a false sense of security for a user.
Due to the way IE handles certain functions, the URL displayed on the
'location bar' will not correspond to the actual URL of the site displayed
in the browser window. As a result, a malicious attacker can exploit this
issue to entice a user to visit a web site and make them believe they are
at a known or trusted page.
6. PHP Transparent Session ID Cross Site Scripting Vulnerability
BugTraq ID: 7761
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7761
Summary:
PHP is a freely available, open source web scripting language package. It
is available for Microsoft Windows, Linux, and Unix operating systems.
PHP contains an option known as transparent session IDs. This feature
allows session IDs to be embedded within a URL.
A cross-site scripting vulnerability has been discovered in PHP version
4.3.1 and earlier. The problem occurs when the 'session.use_trans_sid'
global parameter has been enabled.
Due to insufficient sanitization of the PHPSESSID URI parameter, it is
possible for an attacker to embed malicious script code within a link. By
embedding malicious code in such a way that an HTML tag will be
prematurely terminated, it may be possible to execute arbitrary script
code.
Successful exploitation of this issue would allow an attacker to execute
arbitrary script code in a victim's browser within the context of the
visited website. This may allow for the theft of sensitive information,
such as session IDs, or possibly other attacks.
It should be noted that PHP versions prior to release 4.2.0 do not support
transparent session IDs by default. Support must be specified during
initial compilation.
7. JBoss Null Byte Request JSP Source Disclosure Vulnerability
BugTraq ID: 7764
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7764
Summary:
JBoss is a freely available, open source Java Application server. It is
distributed and maintained by JBoss Group.
A problem in the software may make it possible to gain unauthorized access
to potentially sensitive information.
A problem has been reported in the handling of unexpected characters by
the JBoss program. Because of this, an attacker may gain access to
potentially sensitive information.
The problem is in the input of null characters with some requests. By
placing a valid request, and appending a null byte to the end of the
request, it is possible to see the source of the Java Server Page (JSP)
requested from JBoss. This could yield potentially sensitive information
such as passwords.
It should be noted that this problem occurs when JBoss is used with Jetty.
It is not known what effect this problem has on JBoss with other servers.
8. iisCart2000 Arbitrary File Upload Vulnerability
BugTraq ID: 7765
Remote: Yes
Date Published: May 31 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7765
Summary:
iisCart2000 is web-based shopping cart software implemented in ASP. It is
available for the Microsoft Windows operating system.
A vulnerability has been reported for iisCart2000 that may result in an
attacker uploading arbitrary files to a vulnerable server. The
vulnerability exists in the upload.asp script. Specifically, the script
does not properly verify that a user is authorized to upload files.
An attacker can exploit this vulnerability by issuing a request for the
vulnerable script (residing in 'admin/' or './'). This will allow an
attacker to upload arbitrary files to the vulnerable server. If the
uploaded file is an ASP script file, it may be possible for an attacker to
execute the uploaded script.
Successful exploitation may result in the execution of attacker-supplied
code.
9. WebCortex WebStores2000 SQL Injection Vulnerability
BugTraq ID: 7766
Remote: Yes
Date Published: May 31 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7766
Summary:
WebCortex WebStores2000 is shopping cart software implemented in ASP. It
is available for Microsoft Windows operating environments.
WebStores2000 has been reported to be prone to SQL injection attacks.
This vulnerability is reportedly caused by a lack of sufficient
sanitization of user-supplied data contained in URI parameters supplied to
WebStores2000. Specifically, an attacker may inject SQL database commands
by embedding malicious SQL commands within the 'Item_ID' URI parameter
supplied to the browse_item_details.asp script.
Successful exploitation may allow for modification of the structure of SQL
queries, resulting in information disclosure, or database corruption. The
consequences depend on the nature of specific queries. This issue may
allow the attacker to exploit latent vulnerabilities in the underlying
database.
10. Microsoft URLScan Information Disclosure Weakness
BugTraq ID: 7767
Remote: Yes
Date Published: May 31 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7767
Summary:
Microsoft URLScan is a tool that prevents certain types of specific HTTP
requests from reaching an IIS (Internet Information Services) server.
A weakness has been reported for URLScan that may result in the disclosure
of sensitive information.
The weakness exists because of the way URLScan handles HEAD HTTP requests.
Specifically, when URLScan receives a HEAD request that is subsequently
rejected, it is automatically converted to a GET request and sent to the
underlying IIS server. This is so that the appropriate reject page is
delivered to a requesting client.
The information returned may allow an attacker to identify systems that
incorporate the use of URLScan.
11. Apache Tomcat Insecure Directory Permissions Vulnerability
BugTraq ID: 7768
Remote: No
Date Published: Jun 01 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7768
Summary:
Tomcat is a web server and JSP/Servlet container that is developed by
Apache as part of the Jakarta project.
Apache Tomcat may be installed with world-readable permissions for the
/opt/tomcat/ directory. Files in this directory may contain sensitive
information, such as authentication credentials. Local users may
potentially gain unauthorized access to these files as a result.
This issue was reported for Apache Tomcat versions prior to 4.1.24 on
Gentoo Linux. It is not known if other distributions are similarly
affected.
12. Multiple Mod_Gzip Debug Mode Vulnerabilities
BugTraq ID: 7769
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7769
Summary:
Mod_gzip is an Apache web server module that compresses web content before
sending it to the client. Mod_gzip is not a standard module for Apache.
Multiple vulnerabilities were reported in Mod_gzip. The following issues
exist when the software is run in debug mode:
Insufficient bounds checking of request data may lead to a stack overflow.
If a remote user passes an excessive request for a file type (such as
gzip) handled by the module, it may be possible to corrupt stack variables
with specific values. This could lead to execution of malicious
attacker-supplied instructions.
Mod_gzip is prone to a format string vulnerability when Apache logging
facilities are used. This is due to missing format specifiers in the code
responsible for logging requests for file types handled by the module.
Exploitation could permit a remote attacker to overwrite arbitrary
locations in memory with malicious data, potentially allowing for code
execution.
Mod_gzip logs debugging information in files using predictable names.
The following naming scheme is used when log files are created:
/tmp/t<PID>.log
By anticipating the value of the process ID, a local attacker could launch
symlink attacks against other system files. It has been reported that
some debugging information is logged as the superuser. This could allow
for corruption of arbitrary files. If these files can be corrupted with
custom data, then it will be possible to gain elevated privileges.
Exploitation of these issues could result in execution of malicious
instructions or corruption of critical or sensitive files.
This record will be divided into multiple BIDs when further analysis of
these issues is complete.
13. Webfroot Shoutbox Expanded.PHP Remote Command Execution Vulnerability
BugTraq ID: 7772
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7772
Summary:
Webfroot Shoutbox is a web application designed to allow web site visitors
a chance to leave messages. It is implemented in PHP and is available for
the Unix, Linux, and Microsoft Windows platforms.
Shoutbox is prone to an issue that may result in the execution of
attacker-supplied code. The vulnerability exists due to insufficient
sanitization of input into the expanded.php script.
An attacker can exploit this vulnerability to insert malicious PHP code
into the web server logs which can then be executed by the PHP interpreter
when the logs are requested. This will allow an attacker to execute
arbitrary commands on a vulnerable system in the context of the web
server.
This vulnerability was reported to affect Webfroot Shoutbox 2.32 and
earlier.
14. WinMX Plaintext Password Storage Weakness
BugTraq ID: 7771
Remote: No
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7771
Summary:
WinMX is a P2P file sharing application for Microsoft Windows operating
systems. It supports the OpenNap protocol and is compatible with a number
of P2P servers.
WinMX stores P2P passwords in plaintext. As a result, these credentials
could be exposed to other local users. Passwords are stored in the
'nservers.dat' file and are also accessible to users via the server
editing feature of the WinMX interface.
This issue has been reported in WinMX 2.6. It is thought that the issue
may have been addressed in later versions, though no vendor confirmation
is available.
15. myServer HTTP GET Argument Buffer Overflow Vulnerability
BugTraq ID: 7770
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7770
Summary:
myServer is an application and web server for Microsoft Windows and Linux
operating systems.
myServer has been reported prone to a remote buffer overflow
vulnerability. The vulnerability exists when the web server attempts to
process HTTP requests of excessive length. Specifically, when the web
server processes an argument passed to a malicious HTTP GET request that
consists of more than 4100 bytes, the web server will crash. This will
result in a denial of service condition.
It is possible that this vulnerability may also allow the execution of
arbitrary instructions. Any instructions carried out through this
vulnerability would be with the privileges of the web server process.
However, the possibility of code execution has not been confirmed.
This vulnerability was reported for myServer version 0.4.1. It is likely
that other versions are also affected.
16. XMame Lang Local Buffer Overflow Vulnerability
BugTraq ID: 7773
Remote: No
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7773
Summary:
Xmame is a port of the MAME arcade emulator. It is available for Linux
and Unix systems.
Xmame is prone to a locally exploitable buffer overflow. The issue exists
in the xmame.x11 executable. This is due to insufficient bounds checking
of the command line parameter used to specify language settings (--lang).
By specifying an excessively long language parameter, it is possible to
corrupt stack memory with attacker-supplied values. This could be
exploited to control execution flow and cause execution of malicious
instructions.
Some builds of Xmame require setuid root privileges to operate properly,
particularly those builds with svgalib/xf86_dga support enabled.
Successful exploitation on some systems could result in execution of
arbitrary code with elevated privileges.
17. Webchat Module Path Disclosure Weakness
BugTraq ID: 7774
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7774
Summary:
Webchat is a web based chat module designed for use with PHP-Nuke.
Webchat has been reported prone to a path disclosure weakness.
Reportedly an attacker may make a malicious HTTP request for the 'out.php'
script to trigger the condition; alternatively the attacker may pass a
non-numeric 'roomid' URI parameter to the Webchat module. Under some
circumstances either request will trigger an exception, causing Webchat to
display an error message containing the path to an internal PHP include
file embedded in the source of the error.
An attacker may use the information gathered in this manner to aid in
further attacks launched against the host.
This weakness was reported to affect Webchat version 2.0; other versions
may also be affected.
18. Webfroot Shoutbox Expanded.PHP Remote Directory Traversal Vulnerability
BugTraq ID: 7775
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7775
Summary:
Webfroot Shoutbox is a web application designed to allow web site visitors
a chance to leave messages. It is implemented in PHP and is available for
the Unix, Linux, and Microsoft Windows platforms.
A problem in Shoutbox may result in traversal attacks. The vulnerability
exists due to insufficient sanitization of user-supplied values to the
expanded.php script, and could allow the viewing of potentially sensitive
files by attackers.
An attacker can exploit this vulnerability by manipulating the value of
the 'conf' URI parameter submitted to the expanded.php script to obtain
any files readable by the web server.
Information obtained in this manner may allow an attacker to launch
further, potentially destructive attacks against a vulnerable system.
This vulnerability was reported to affect Webfroot Shoutbox 2.32 and
earlier.
19. WebChat Users.PHP Database Username Disclosure Weakness
BugTraq ID: 7777
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7777
Summary:
WebChat is a web based chat module designed for use with PHP-Nuke.
WebChat has been reported prone to a database username disclosure
weakness.
The issue presents itself when a malicious request is made for the WebChat
'users.php' page. An attacker may pass a guessed username as the
'username' URI parameter to the affected page. Although unconfirmed, it is
likely that this action will return some indication of whether the
submitted username exists or not. An attacker may exploit this weakness to
enumerate database passwords.
An attacker may use the information gathered in this manner to aid in
further attacks launched against the host.
This weakness was reported to affect Webchat version 2.0; other versions
may also be affected.
20. WebChat Users.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 7779
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7779
Summary:
WebChat is a web based chat module designed for use with PHP-Nuke.
WebChat has been reported prone to a cross-site scripting vulnerability.
WebChat does not adequately filter script code from URI parameters, making
it prone to cross-site scripting attacks. Attacker-supplied script code
may be included in a malicious link to the WebChat 'users.php' script. The
code contained in the 'username' URI parameter may be executed in the
browser of the web user who visits the link. Code will be executed in the
security context of the system running the WebChat Module.
This may enable a remote attacker to steal cookie-based authentication
credentials from legitimate users. Other attacks are also possible.
This vulnerability was reported to affect WebChat version 2.0; other
versions may also be affected.
21. Gator EWallet Information Encoding Weakness
BugTraq ID: 7778
Remote: No
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7778
Summary:
Gator eWallet is software for managing personal data such as passwords and
credit card information. It is available for Microsoft Windows operating
systems.
Gator eWallet fails to adequately protect sensitive information stored by
users.
Gator eWallet uses Base64 encoding to protect sensitive information.
This information is stored in the following data files in the program
folder:
mepgh.dat
mepcme.dat
meprca.dat
mepcmeft.dat
GMT.exe.manifest
meperr.dat
mepgus.dat
mepoem.dat
mepsnd-gs.dat
mepsnd-ksa.dat
mepcat.dat
sitehash4.dat
Local users with access to these files may gain access to a plethora of
personal information. Base64 encoded data may be trivially reversed to
obtain plaintext.
22. Crob FTP Server Remote Username Format String Vulnerability
BugTraq ID: 7776
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7776
Summary:
Crob FTP Server is a typical file transfer server available for the
Windows operating system.
A vulnerability has been reported for Crob FTP Server. The problem occurs
due to the lack of format specifiers supplied to a printf()-like function.
The vulnerability specifically occurs when displaying the 'user' parameter
while prompting for a password. As a result, an attacker may be capable of
exploiting this issue by embedding malicious format specifiers designed to
write to memory, such as %hn.
Successful exploitation of this vulnerability would allow an attacker to
overwrite arbitrary locations in memory, ultimately allowing for the
execution of arbitrary code. All commands executed in this manner would be
run with the privileges of the Crob FTP Server.
This vulnerability was reported for Crob FTP Server 2.50.4; however,
earlier versions may also be affected.
23. Sun Management Center Change Manager PamVerifier Buffer Overflow Vulnerability
BugTraq ID: 7781
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7781
Summary:
Sun Management Center Change Manager is a software package available for
the Sun Solaris operating system. It is distributed and maintained by
Sun.
A problem with Sun Management Center Change Manager may give a remote user
unauthorized access to the system.
It has been reported that Sun Management Center (SunMC) Change Manager is
vulnerable to a remote boundary condition error. Because of this, it may
be possible for an attacker to gain administrative access to a system
remotely.
The problem is in the pamverifier program. A buffer overrun in this
program can result in the execution of code with the privileges of the
administrative user. Because of this, an attacker could exploit this
issue to compromise the administrative integrity of a vulnerable system.
It should be noted that SunMC Change Manager is an add-on component of
SunMC, and is not installed with SunMC or on Solaris by default.
24. SPChat Module Remote File Include Vulnerability
BugTraq ID: 7780
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7780
Summary:
SPChat is a web based chat module designed for use with PHP-Nuke.
SPChat has been reported prone to a remote file include vulnerability.
The issue presents itself due to insufficient sanitization performed on
the user-supplied URI variable 'statussess' by the SPChat module. An
attacker may exploit this by supplying a path to a maliciously created
file, located on an attacker-controlled host as a value for the
'statussess' URI parameter.
If the remote file is a malicious script, this may allow for execution of
attacker-supplied code in the context of the affected SPChat module.
This vulnerability was reported to affect SPChat version 0.8; other
versions may also be affected.
25. Cafelog b2 B2Functions Script B2INC Variable Include Vulnerability
BugTraq ID: 7782
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7782
Summary:
CafeLog b2 WebLog Tool allows users to generate news pages and weblogs
dynamically. It is implemented in PHP and is available for the Unix,
Linux, and Microsoft Windows platforms.
A remote file include vulnerability has been reported in Cafelog b2. Due
to insufficient sanitization of user-supplied values by the
b2functions.php script, it is possible for a remote attacker to influence
the location of included files.
An attacker may exploit this by supplying a path to a maliciously created
file, located on an attacker-controlled host as a value for the '$b2inc'
parameter.
If the remote file is a malicious PHP script, this may allow for execution
of attacker-supplied PHP code with the privileges of the web server.
Successful exploitation may provide local access to the attacker.
This vulnerability was reported for Cafelog 0.6.1.
26. CafeLog b2 Blog.Header Script SQL Injection Vulnerability
BugTraq ID: 7783
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7783
Summary:
Cafelog b2 WebLog Tool allows users to generate news pages and weblogs
dynamically. It is implemented in PHP and is available for the Unix,
Linux, and Microsoft Windows platforms.
The Cafelog b2 tool does not properly sanitize user input sent to the
blog.header.php script. Because of this, it is possible for an attacker
to pass malicious SQL code to the underlying database.
The problem is in the checking of the $posts variable of the script.
SQL code may be inserted into the variable, and will in turn be executed
by the database server. Requests could include adding, deleting, and
modifying data. Additionally, this may allow a remote attacker to exploit
vulnerabilities that exist in the underlying database.
27. Wordpress Posts SQL Injection Vulnerability
BugTraq ID: 7784
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7784
Summary:
Wordpress allows users to generate news pages and weblogs dynamically. It
uses PHP and a MySQL database to generate dynamic pages.
Wordpress has been reported prone to an SQL injection vulnerability.
Wordpress does not properly sanitize user input that is passed to the
'posts' variable. Specifically, data contained in the 'posts' variable is
not converted to an integer before it is passed to an SQL query. An
attacker may exploit this vulnerability to insert SQL code into requests
and have the SQL code executed by the underlying database server. These
requests could include adding, deleting, and modifying data. Additionally,
this may allow a remote attacker to exploit vulnerabilities that exist in
the underlying database.
It should be noted that although this vulnerability has been reported to
affect Wordpress version 0.7, other versions might also be affected.
28. Cafelog b2 B2MenuTop Script B2INC Variable Include Vulnerability
BugTraq ID: 7786
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7786
Summary:
CafeLog b2 allows users to generate news pages and weblogs dynamically. It
is implemented in PHP and is available for the Unix, Linux, and Microsoft
Windows platforms.
A remote file include vulnerability has been reported in Cafelog b2. Due
to insufficient sanitization of user-supplied values in the b2menutop.php
script, it is possible for a remote attacker to influence the location of
included files.
An attacker may exploit this by supplying a path to a maliciously created
file, located on an attacker-controlled host as a value for the '$b2inc'
parameter.
If the remote file is a malicious PHP script, this may allow for execution
of attacker-supplied PHP code with the privileges of the web server.
Successful exploitation may provide local access to the attacker.
This vulnerability was reported for Cafelog 0.6.2.
29. Wordpress Remote PHP File Include Vulnerability
BugTraq ID: 7785
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7785
Summary:
Wordpress allows users to generate news pages and weblogs dynamically. It
uses PHP and a MySQL database to generate dynamic pages.
A vulnerability has been reported for Wordpress. The problem is said to
occur due to insufficient sanitization of user-supplied URI parameters.
Specifically the '$abspath' variable, which is used as an argument to the
PHP require() function, is not sufficiently sanitized of malicious input.
As a result, an attacker may be capable of including a malicious
'blog.header.php' from a controlled web server. This may result in the
execution of PHP commands located within the script.
Successful exploitation of this vulnerability would allow an attacker to
execute arbitrary PHP commands on a target server, with the privileges of
Wordpress.
30. Pi3Web SortName Buffer Overflow Vulnerability
BugTraq ID: 7787
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7787
Summary:
Pi3Web is a free, multi platform, configurable HTTP server and development
environment. It is available for Unix/Linux variants and Microsoft
Windows operating systems.
Pi3Web is prone to a buffer overflow vulnerability. This is due to
insufficient bounds checking of URI parameters. It is possible to trigger
this condition by specifying a 'SortName' URI parameter of excessive
length. Excess data will overrun adjacent regions of memory. This
condition could be exploited to cause a denial of service or possibly to
execute malicious instructions in the context of the server.
This issue was reported for Pi3Web 2.0.2 Beta 1 on Windows platforms.
It was originally believed that this condition only existed with certain
indexing configurations but additional reports indicate that this is not
the case.
31. Microsoft Windows XP Nested Directory Denial of Service Vulnerability
BugTraq ID: 7789
Remote: No
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7789
Summary:
A vulnerability has been reported for all versions of Microsoft Windows
XP. The problem occurs while handling the options menu of the last folder
within 122 nested directories. The nested directories must all use a naming
scheme of strictly one character, such as 'a' or 'b'.
By moving the cursor over the menu for the 122nd folder it may be possible
for an unprivileged local user to crash a target system.
32. Microsoft Windows 2000/XP/2003 IPV6 ICMP Flood Denial Of Service Vulnerability
BugTraq ID: 7788
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7788
Summary:
Microsoft Windows 2000/XP/2003 has been reported prone to a remote denial
of service vulnerability.
Reportedly, an attacker may trigger this vulnerability under certain
configurations. Specifically, IPV6 must be enabled on the target server.
Under these conditions an attacker may launch an ICMP flood attack (an
ICMP flood attack, by nature, sends a greater number of ICMP echo request
packets than the vulnerable protocol implementation can handle), which
could effectively deny network services to valid users.
Reportedly this issue is further exacerbated by BID 7666.
33. Multiple Vendor kon2 Local Buffer Overflow Vulnerability
BugTraq ID: 7790
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7790
Summary:
kon2 is a Kanji emulator for the Linux console.
A buffer overflow vulnerability has been reported for the kon2 utility
shipped with various Linux distributions. Exploitation of this
vulnerability may result in a local attacker obtaining elevated privileges
on a vulnerable system.
The vulnerability exists due to insufficient bounds checking performed on
some commandline options passed to the vulnerable utility.
A local attacker can exploit this vulnerability by invoking kon2 with
overly long commandline options. This will trigger the overflow condition
and may result in an attacker obtaining root privileges.
This vulnerability was reported for kon2 0.3.9b and earlier.
34. IRCXpro Server Settings.INI Plaintext Password Storage Vulnerability
BugTraq ID: 7792
Remote: Yes
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7792
Summary:
IRCXpro Server is an IRC server that is designed for use with Microsoft
Windows operating systems.
A problem with the IRCXpro Server could make unauthorized access to
credentials possible.
It has been reported that a problem exists in the method used for the
storage of passwords by IRCXpro. This could lead to local users gaining
unauthorized access to passwords, and potentially unauthorized access to
the vulnerable IRC server.
Specifically, IRCXpro Server stores user credentials in the "settings.ini"
configuration file, using plain text format by default. A local user with
sufficient privileges to read this file may obtain the usernames and
passwords contained within.
Information gathered in this way may be used to aid in further attacks
launched against the vulnerable system.
This vulnerability was reported for IRCXpro Server 1.0.
35. Red Hat Linux TTY Layer Kernel Panic Denial Of Service Vulnerability
BugTraq ID: 7791
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7791
Summary:
The TTY layer is used to process input and output supplied to and from the
console.
A vulnerability has been reported in the TTY layer that may result in a
kernel panic.
The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.
36. Red Hat Linux Kernel MXCSR Handler Unspecified Vulnerability
BugTraq ID: 7793
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7793
Summary:
The Intel MXCSR register contains control/status information for the SSE
registers.
The Red Hat Linux Kernel MXCSR handler code has been reported prone to an
unspecified vulnerability.
The issue presents itself when low-level MXCSR kernel code encounters a
malformed address. It has been reported that the MXCSR code fails to
sufficiently handle malformed address data and will leave garbage in the
CPU state registers.
Although speculative, it has been conjectured that this issue may allow an
attacker to corrupt CPU state registers and trigger a denial of service
condition if the kernel relies on current register contents. Although
unconfirmed other attacks may also be possible.
It should be noted that this vulnerability will only affect systems
running on the Intel architectures.
This BID will be updated as further technical details are released.
37. Red Hat Linux EXT3 Filesystem Data Corruption Vulnerability
BugTraq ID: 7795
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7795
Summary:
A potential data corruption vulnerability has been identified in the Red
Hat Linux kernel.
The potential issue may be exploitable only under very restrictive
circumstances. In an ext3 file-system environment where the system is
processing heavy, complex memory-mapped file I/O loads, if the mapped
writes are to a partial page at the end of a file, the file may be
simultaneously unlinked and the corresponding mapped file blocks
reallocated. This action may potentially cause the corruption of arbitrary
files.
If an attacker can recreate the necessary environment, it may be possible
to create a condition where arbitrary files are corrupted.
38. Sun Solaris Telnet Daemon Remote Denial Of Service Vulnerability
BugTraq ID: 7794
Remote: Yes
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7794
Summary:
Solaris is the UNIX variant operating system distributed and maintained by
Sun Microsystems.
A problem with Solaris may make it possible for a remote user to deny
service to legitimate users of the system.
It has been reported that a vulnerability exists in the telnet daemon of
Solaris systems. An attacker may be able to exploit this issue to consume
system resources, making the system unusable by legitimate users.
Specific technical details of the vulnerability are not known. However,
it is known that the vulnerable daemon can be forced into a loop in
execution. When the daemon enters the loop, considerable resources are
consumed by the process. Multiple instances of the software entering a
loop can cause excessive consumption of system resources, leading to
denial of service.
39. HP-UX UUCP Unspecified Buffer Overflow Vulnerability
BugTraq ID: 7796
Remote: Unknown
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7796
Summary:
UUCP is the Unix-to-Unix Copy Protocol infrastructure, implemented on
numerous Unix and Unix clone operating systems.
A vulnerability has been discovered in the HP-UX implementation of UUCP.
The problem is likely due to insufficient bounds checking of user-supplied
data. By passing an excessive amount of data to uucp, it is possible to
trigger a buffer overflow. An attacker may exploit this issue to overwrite
sensitive locations in memory; it may be possible for an attacker to
execute arbitrary code.
As UUCP is installed setuid root, this would result in the execution of
attacker-supplied commands with the privileges of the superuser.
40. Linux Kernel Fragment Reassembly Remote Denial Of Service Vulnerability
BugTraq ID: 7797
Remote: Yes
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7797
Summary:
The Linux kernel is the core of all Linux operating systems. It is
community-maintained.
A problem in the kernel network code could make a remote denial of service
possible.
It has been reported that the Linux kernel does not properly handle some
specific types of network traffic. Because of this, an attacker may be
able to cause excessive consumption of resources with malicious TCP/IP
packets, resulting in a denial of service.
The problem is in the handling of packet reassembly. By sending maliciously
crafted packet fragments to a system using the vulnerable kernel, it would
be possible to consume an excessive amount of resources during the packet
reassembly phase. This could cause the system to become unstable.
This vulnerability has been reported to be similar to the issue described
in BID 7601.
41. HP-UX UUSUB Unspecified Buffer Overflow Vulnerability
BugTraq ID: 7798
Remote: Unknown
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7798
Summary:
UUSUB is an application that is designed to define a UUCP subnetwork and
subsequently monitor connections and traffic among the members of the
subnetwork.
A vulnerability has been discovered in the HP-UX implementation of UUSUB.
The problem is likely due to insufficient bounds checking of user-supplied
data. By passing an excessive amount of data to UUSUB, it is possible to
trigger a buffer overflow. An attacker may exploit this issue to overwrite
sensitive locations in memory; it may be possible for an attacker to
execute arbitrary code.
42. Pablo Software Solutions FTP Server Anonymous Users Privileges Vulnerability
BugTraq ID: 7799
Remote: Yes
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7799
Summary:
Pablo Software Solutions FTP Server is freely available software for
Microsoft Windows operating systems.
An issue in Pablo FTP Service may make it possible for remote users to
perform unauthorized actions.
It has been reported that Pablo FTP Service does not sufficiently restrict
the anonymous user account, which is active by default. Because of this, a
default configuration may provide a conduit for the disclosure of
potentially sensitive information.
The problem is in the permission scheme implemented with a default
installation. Reports indicate that the default anonymous account is not
restricted from downloading files from any location on the affected system
that is readable by the FTP server. By default, the drive on which the
software is installed is mapped readable from the root directory, e.g. 'C:\'.
An attacker may exploit this vulnerability to access arbitrary files on
the underlying system and potentially disclose sensitive information.
Information gathered in this way may be harnessed in further attacks
launched against the affected system.
It should be noted that while this vulnerability has been reported to
affect Pablo FTP service version 1.2, other versions might also be
affected.
43. Pablo Software Solutions FTP Server Plaintext Password Weakness
BugTraq ID: 7801
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7801
Summary:
Pablo Software Solutions FTP Server is freely available software for
Microsoft Windows operating systems.
An issue in Pablo FTP Service may make it possible for a user to access
FTP account credentials.
It has been reported that Pablo FTP Service stores FTP User account
passwords in plaintext format. As a result, these credentials could be
exposed to other users. Passwords are stored in the 'users.dat' file. Any
user who has read access to this file may retrieve Pablo FTP Service user
account credentials.
This issue may be further exacerbated by BID 7799.
It should be noted that while this weakness has been reported to affect
Pablo FTP service version 1.2, other versions might also be affected.
III. SECURITYFOCUS NEWS AND COMMENTARY
--------------------------------------
1. Group Releases Anti-Disclosure Plan
By Kevin Poulsen
Security companies and software-makers want your opinion on a proposal to
voluntarily limit discussion of security holes.
http://www.securityfocus.com/news/5458
2. Holy Grail of crypto to arrive in three years, say UK boffins
By John Leyden, The Register
UK boffins have demonstrated unbreakable quantum cryptography over fibre
links longer than 100km for the first time.
http://www.securityfocus.com/news/5519
3. Cisco builds WLAN security framework
By John Leyden, The Register
Cisco Systems this week introduced an architecture designed to make
wireless LANs easier to manage and more secure.
http://www.securityfocus.com/news/5480
4. U.S. reviewing old, secret surveillance files in terrorism
investigations
By Ted Bridis, The Associated Press
Government prosecutors are reviewing years worth of sensitive telephone
and e-mail wiretaps and results from secret searches to decide whether
they can file criminal charges against suspected terrorists in the United
States.
http://www.securityfocus.com/news/5452
IV. SECURITYFOCUS TOP 6 TOOLS
------------------------------
1. Passcheck v2.99
by merlin262
Relevant URL:
http://savannah.nongnu.org/projects/passcheck/
Platforms: Linux
Summary:
Passcheck is a drop-in replacement or rewrite of the original cracklib,
and shares no code with the original. It features an enhanced dictionary
check, and the ability to use the standard system wordlist.
2. LibTomCrypt v0.76
by Tom St Denis
Relevant URL:
http://www.libtomcrypt.org
Platforms: Linux, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows
XP
Summary:
LibTomCrypt is a comprehensive, modular, and portable cryptographic
toolkit that provides developers with a vast array of well known published
block ciphers, one-way hash functions, chaining modes, pseudo-random
number generators, public key cryptography, and a plethora of other
routines. It has been designed from the ground up to be very simple to
use. It has a modular and standard API that allows new ciphers, hashes,
and PRNGs to be added or removed without change to the overall end
application. It features easy to use functions and a complete user manual
which has many source snippet examples.
3. OpenSSH SecurID patch v3.6.1p2 v1
by Theo Schlossnagle
Relevant URL:
http://www.omniti.com/~jesus/projects/
Platforms: N/A
Summary:
This patch integrates SecurID authentication services directly into the
OpenSSH daemon, allowing users to use SecurID tokens directly as their
passwords instead of relying on the clunky sdshell.
4. Logdog v2.0-RC3
by Brandon Zehm
Relevant URL:
http://caspian.dotconf.net/menu/Software/LogDog/
Platforms: Linux
Summary:
LogDog monitors messages passing through syslogd and takes actions based
on key words and phrases (which can be regular expressions). It has a
configuration file which allows you to specify a list of key words or
phrases to alert on and a list of commands that can be run when those
words are encountered.
5. KisMAC v0.05a
by mick
Relevant URL:
http://kismac.binaervarianz.de/
Platforms: MacOS
Summary:
KisMAC is a stumbler application for Mac OS X that puts your card into
monitor mode. Unlike most other applications for OS X, it is completely
invisible and sends no probe requests.
6. A Joint Monitoring System (AJMS) v1.8
by Andrew Gray
Relevant URL:
http://www.argray.org/ams/
Platforms: Java, Perl (any system supporting perl)
Summary:
AJMS (AKA "AMS") displays syslog messages in realtime via a browser or
standalone Java client. It also supports searches of any SQL database. It
offers straightforward configuration and integrates easily into any
existing syslog environment.
V. SECURITY JOBS SUMMARY
------------------------
1. Looking for an infosec position in Calgary, AB (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323916
2. SR. IT MANAGER WITH SECURITY BACKGROUND LOOKING IN MINNESOTA (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323914
3. PWC - Threat & Vulnerability Management (Senior Associate ) (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323875
4. LOOKING FOR A SR. IDS MANAGER - BETHESDA, MD (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323874
5. Newport News, VA - MS Exchange SW Development Manager (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323873
6. Networking and Security Engineer Available. Travel OK. (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323872
7. Recent CISSP seeking in GA or NC. (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323871
8. Metro DC - junior to midlevel security position sought (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323546
9. Corporate Security Analyst - San Jose, CA (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323870
10. Seeking infosec employment (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323747
11. 20-yr International IT & Internet Security Veteran (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323772
12. New Focus Areas on SecurityFocus.com X-POST (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323702
13. Tivoli Security Specialist needed (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323701
14. Looking for a sales position (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323654
15. Neoteris is hiring!!! - Regional Sales Manager - Benelux (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323652
16. Neoteris is hiring!!! - Regional Sales Manager - Japan (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323650
17. Neoteris is hiring!!! - Federal Sales Manager - VA/MD/DC (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323649
18. Neoteris is hiring!!! - Senior Technical Support Engineer - Silicon Valley (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323648
19. CISSP, Looking for assignment in Research Triangle Park, NC (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323570
20. Very Experienced British Expat Returning (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323545
21. Security professional looking for work. (willing to relocate) (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323527
22. CISSP & CISA Available Nationwide for Contract Consulting (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323526
23. Credit Card Fraud Analyst/Project Manager - Chicago (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323502
24. IT PROFESSIONALS WANTED (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323488
25. Java / Web Developer - Senior - 8 - 12 month contract (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323489
26. Position In Jacksonville, FL (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323328
27. Systems Security Engineer, TiVo, Inc., Alviso, CA (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323327
28. Rocky Mtn. CISSP for hire (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323311
29. Security Engineer/Santa Monica, CA (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323309
30. systems administrator looking for work - NW Ohio (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323257
31. Need Security Evangelist in Dallas (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323258
32. Verisign - number in the UK (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323243
33. Security Sales Engineers and Account Executives/Seattle (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/323242
VI. INCIDENTS LIST SUMMARY
-------------------------
1. FW: File Folders Own Changed (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/323990
2. Help with an odd log file... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/323987
3. strange cmd.exe access (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/323984
4. strange traffic on UDP port 53 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/323986
5. Dameware Malcode? Is anyone aware of it? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/323982
6. KazaaLite 2.0.2 Build 1 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/323985
7. FW: KazaaLite 2.0.2 Build 1 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/323803
8. Dubious e-mail: [Fwd: Dell.com (Password Request)] (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/323758
9. Hmm....901 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/323756
10. Announcement: SecurityFocus Pen-Test and Firewalls Focus Areas (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/323771
11. FW: Hmm....901 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/323722
12. A question for the list... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/323574
13. Whois updates, Was: [ Possible Intrusion Attempt?] (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/323341
14. Weird Traffic from www.eyeblaster-bs.com (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/323344
VII. VULN-DEV RESEARCH LIST SUMMARY
----------------------------------
1. Decision (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/324034
2. win32 shellcoding (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/324031
3. Shellcode questions (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/324018
4. win32 command line overflows: (ex: ollydbg.exe) (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/324027
5. strcpy bug (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/324025
6. Exploiting new IE Object Type Overflow (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/324026
7. New Secuity Vulnerabilities (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/324023
8. possible remote buffer overflow in atftpd (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/323886
9. Frame pointer overwriting and FreeBSD (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/323840
10. man[v1.5l]: format string exploit / POC. (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/324011
11. [Vuln-dev Challenge] Challenge #2 (New technique maybe?) (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/323814
12. Announcement: SecurityFocus Pen-Test and Firewalls Focus Areas (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/323696
13. Windows XP mmc.exe Crash (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/323700
14. Gera's Insecure Programing abo7 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/323725
15. Windows XP SP1 gethostbyaddr() flow (Re[3]: mirc32 6.0x crash when resolving dns.) (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/323699
16. xmame gain root exploit (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/323736
17. netstrings example vulnerable (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/323440
VIII. MICROSOFT FO