SecurityFocus News
SecurityFocus Newsletter #233 Jan 26 2004 09:27PM
John Boletta (jboletta securityfocus com)


SecurityFocus Newsletter #233
------------------------------

This Issue Sponsored by: Qualys

Test the Security of Your Network! Scan Your Perimeter for
the SANS Top 20 Vulnerabilities - FREE.

http://www.securityfocus.com/sponsor/Qualys_sf-news_040126

Qualys FreeScan enables the enterprise to immediately identify the
prevalent and critical security vulnerabilities most likely to be
exploited on the network perimeter. With the largest vulnerability testing
database in the industry, QualysGuard enables you to assess, prioritize,
and remediate the vulnerabilities in heterogeneous networks of any size.
Our Web service provides you with the ability to run immediate assessments
without installation of hardware or software.

Click on the link below to scan your network perimeter.
http://www.securityfocus.com/sponsor/Qualys_sf-news_040126
------------------------------------------------------------------------

I. FRONT AND CENTER
1. A Visit from the FBI
2. The Giant Wooden Horse Did It!
II. BUGTRAQ SUMMARY
1. QMail-SMTPD Long SMTP Session Integer Overflow Denial of Ser...
2. Rit Research Labs The Bat! PGP Message Memory Writing Vulner...
3. SuSE 3Ddiag Insecure Temporary File Handling Symbolic Link V...
4. OpenCA Crypto-Utils.Lib Signature Verification Vulnerability
5. OpenBSD 3.4 Crypto Card Handlers File Descriptor Leak Vulner...
6. PHPShop Project Multiple Vulnerabilities
7. XtremeASP PhotoGallery Adminlogin.ASP SQL Injection Vulnerab...
8. MetaDot Corporation MetaDot Portal Server Multiple Vulnerabi...
9. Ultr@VNC ShellExecute() Local Privilege Escalation Vulnerabi...
10. Agnitum Outpost Firewall Local Privilege Escalation Vulnerab...
11. Netpbm Temporary File Vulnerabilities
12. Pablos FTP Server Unauthorized File Existence Disclosure Vul...
13. Multiple JDBC Database Insecure Default Policy Vulnerabiliti...
14. Mambo Open Source mod_mainmenu.php Remote File Include Vulne...
15. Legato NetWorker NSR_Shutdown Script Temporary File Symlink ...
16. Invision Power Board Index.php Cross-Site Scripting Vulnerab...
17. Veritas Net Backup Professional Open Transaction Manager Rem...
18. YABB SE SSI.PHP ID_MEMBER SQL Injection Vulnerability
19. GoAhead WebServer Directory Management Policy Bypass Vulnera...
20. GetWare Web Server Component Content-Length Value Remote Den...
21. GoAhead WebServer Post Content-Length Remote Resource Consum...
22. Multiple Liquid War Undisclosed Buffer Overflow Vulnerabilit...
23. NetScreen Security Manager Insecure Default Remote Communica...
24. AIPTEK NETCam Webserver Directory Traversal Vulnerability
25. SuSE Multiple Scripts Insecure Temporary File Handling Symbo...
26. PHPix Remote Arbitrary Command Execution Vulnerability
27. WebTrends Reporting Center Management Interface Path Disclos...
28. Anteco Visual Technologies OwnServer Directory Traversal Vul...
29. DUware Software Multiple Vulnerabilities
30. 2Wire HomePortal Series Directory Traversal Vulnerability
31. Honeyd Remote Virtual Host Detection Vulnerability
32. Darkwet Network WebcamXP Cross-Site Scripting Vulnerability
33. Microsoft Windows Samba File Sharing Resource Exhaustion Vul...
34. Cisco Voice Product IBM Director Agent Unauthorized Remote A...
35. Cisco Voice Product IBM Director Agent Port Scan Denial Of S...
36. Mephistoles HTTPD Cross-Site Scripting Vulnerability
37. Apache mod_perl Module File Descriptor Leakage Vulnerability
38. Native Solutions TBE Banner Engine Server Side Script Execut...
39. EA Black Box Need For Speed Hot Pursuit 2 Game Client Remote...
40. Acme thttpd CGI Test Script Cross-Site Scripting Vulnerabili...
41. Netbus Directory Listings Disclosure and File Upload Vulnera...
42. McAfee ePolicy Orchestrator Agent HTTP POST Buffer Mismanage...
III. SECURITYFOCUS NEWS ARTICLES
1. Online fraud, I.D. theft soars
2. Prison time for unlucky phisher
3. Feds seek input on spammer sentencing
4. The voodoo that Dumaru doesn't do too well
5. We'll kill spam in two years - Gates
6. Chip and PIN hits 8 million cards
IV. SECURITYFOCUS TOP 6 TOOLS
1. Brcontrol v0.02
2. op v1.1.9
3. weedlog v1.0.1
4. phpOpenTracker v1.4.0
5. PeerProtect v0.5
6. m0n0wall vpb26r614
V. SECURITYJOBS LIST SUMMARY
1. Dead Threads (Thread)
2. Network Security Federal Account Executive- DOD, DC (Thread)
3. Network Security Sales Engineer, UK (Thread)
4. Getting a cleared INFOSEC job <was---RE: No Security... (Thread)
5. No Security clearance = No INFOSEC Job? (Thread)
6. Network/UNIX Security Application (Thread)
7. Security Consulting Engineer-Professional Services-P... (Thread)
8. Two week giving notice/no notice when being terminat... (Thread)
9. RE: Getting a cleared INFOSEC job <was---RE: No Secu... (Thread)
10. Getting a cleared INFOSEC job <was---RE: No Security... (Thread)
11. Does one have to be a US citizen to get Secret Clear... (Thread)
12. experience vs. cert/degree - trade vs. profession (Thread)
13. Network Security Regional Sales Manager/Senior Terri... (Thread)
14. Network Security- INSIDE/TELESALES REP - OUTBOUND, S... (Thread)
15. Validation of Clearance?? WAS: No Security clearan... (Thread)
16. Application Security Consultant (Thread)
17. Getting a cleared INFOSEC job (Thread)
18. Clearances within the US -- ISM Reference (Thread)
19. Getting a cleared INFOSEC job <was---RE: No Security... (Thread)
20. Unix Security Engineer needed for Contract to Hire N... (Thread)
21. No Security clearance = No INFOSEC Job? - > Then wha... (Thread)
22. Security Software Channel Sales Job opening - Chicag... (Thread)
23. Current threads - dropped messages (Thread)
24. Sr. Security Engineer -- NYC (Thread)
25. Information Security Consultant, Commercial Sector, ... (Thread)
26. BMC Patrol Consultant Dubai and Middle East States (Thread)
27. Systems Security Analyst positions (Level I, II, III... (Thread)
28. Positions for cleared software developers in Boston ... (Thread)
29. I'm looking for work in the Washington DC Metro Area (Thread)
30. Getting a cleared INFOSEC job <was---RE: No Security... (Thread)
31. CISA Banking Experience -Bahrain (Thread)
32. VA/MD/DC Federal Account Executive (Thread)
33. Two week giving notice/no notice when being terminat... (Thread)
34. Two week giving notice/no notice when being terminat... (Thread)
35. Two week giving notice/no notice when being terminat... (Thread)
36. Two week giving notice/no notice when being terminat... (Thread)
37. Two week giving notice/no notice when being terminat... (Thread)
38. Two week giving notice/no notice when being terminat... (Thread)
39. Two week giving notice/no notice when being terminat... (Thread)
40. AMS - C&A Consultants needed - Herndon, VA (Thread)
41. Senior Security Consultant - Michigan (Thread)
42. Zone Labs-California-Bay Area only (Thread)
43. National Sales Director - NY (Thread)
44. Zone Labs- Software Engineer- Security Researcher-Sa... (Thread)
45. Sales Engineer- California (Bay Area), Atlanta, Bost... (Thread)
46. Information assurance engineer (w/ C&A) seeking empl... (Thread)
47. Senior Advisor, Homeland Security & Intelligence, Mi... (Thread)
48. Enterprise Account Manager-West Coast (Thread)
49. Security Engineers, DC Metro Area (Thread)
50. Security Consultants, New York & DC Metro Area (Thread)
51. Security Candidate (Thread)
52. Application Security Architect/Consultant NYC $100-... (Thread)
53. Security Analysts/Engineers - Washington DC (Thread)
54. NYC Area (Thread)
55. Northeast U.S. positions with Guardent (Thread)
56. Chicago area - Senior System Engineer, Enterprise So... (Thread)
57. 2 Positions, F/T, northern NJ-Security Engineer and ... (Thread)
VI. INCIDENTS LIST SUMMARY
1. Dameware scans, worm? (Thread)
2. Jump in Telnet and Auth scans (Thread)
3. Dameware scans, worm? (Thread)
4. Dameware intrusion (was Increase in TCP 6129 (Damewa... (Thread)
5. Increase in TCP 6129 (Dameware) scans? (Thread)
6. [Securityfocus-incidents] Dameware scans, worm? (Thread)
7. Issue of AIM; was -> UDP Port 5140 (Thread)
8. UDP Port 5140 (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
1. Hacking USB Thumbdrives, Thumbprint authentication (Thread)
2. --== Fragmentation Attacks ==-- (Thread)
3. vBulletin Security Vulnerability - POC (Thread)
4. vBulletin Security Vulnerability (Thread)
5. Password Setup (Thread)
6. a method for bypassing cookie restrictions in web br... (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
1. Encrypt data - SQL Server 2000 (Thread)
2. Microsoft Security (...how to reassure customers of) (Thread)
3. Local Account Vs Domain Account (Thread)
4. SecurityFocus Microsoft Newsletter #172 (Thread)
5. About MS-Networking security. (Thread)
IX. SUN FOCUS LIST SUMMARY
1. SPARC assembly training courses? (Thread)
2. Regarding #52465 "Solaris System may Panic While Ret... (Thread)
X. LINUX FOCUS LIST SUMMARY
NO NEW POSTS FOR THE WEEK 2004-01-19 to 2004-01-26.
XI. UNSUBSCRIBE INSTRUCTIONS
XII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. A Visit from the FBI
By Scott Granneman

I had a little visit from the FBI recently,
in response to one of my SecurityFocus columns.

http://www.securityfocus.com/columnists/215

2. The Giant Wooden Horse Did It!
By Mark Rasch

Introducing a new legal defense to computer crime
charges -- one that's all the more frightening because it could be true.

http://www.securityfocus.com/columnists/208

II. BUGTRAQ SUMMARY
-------------------
1. QMail-SMTPD Long SMTP Session Integer Overflow Denial of Ser...
BugTraq ID: 9432
Remote: Yes
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9432
Summary:
qmail is a popular Mail Transfer Agent (MTA).

A vulnerability has been reported in qmail-smtpd that may allow a remote
attacker to cause a denial of service condition. An attacker can reportedly
crash the current qmail-smtpd session by sending an excessively long SMTP
request. The problem is reported to stem from an integer-handling bug: the
volume of SMTP session data causes a signed integer counter to wrap to a
negative value, and that negative value is then used as an array subscript.
The subsequent out-of-bounds access triggers a segmentation fault in the
qmail-smtpd process handling the session.

A remote attacker may exploit this vulnerability to crash or hang a qmail
SMTP session and thereby deny service to legitimate users.

qmail 1.03 running on a Linux platform has been reported to be prone to
this issue, however, other versions may be affected as well.

2. Rit Research Labs The Bat! PGP Message Memory Writing Vulner...
BugTraq ID: 9433
Remote: Yes
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9433
Summary:
The Bat! is a commercially-available mail user agent, distributed and
maintained by Rit Research Labs. It is available for the Microsoft Windows
platform.

It has been reported that there is an issue with the way The Bat! handles
certain malformed PGP signed messages. PGP support is configured by
default.

The issue exists when The Bat! processes email messages containing PGP
signatures with multiple recursively included parts. Specially
constructed malformed signatures could allow The Bat! to read and write to
unallocated regions of memory. This could potentially allow for execution
of arbitrary attacker-supplied code.

It is important to note that since The Bat! contains its own exception
handler, the application will not crash when processing messages
containing these malformed PGP signatures.

This issue was reported to affect The Bat! 2.01. The vendor has reported
that the issue could not be reproduced on The Bat! 2.03 beta and that 2.02
CE is probably not vulnerable. The Bat! versions 1.x are not vulnerable
to this issue.

3. SuSE 3Ddiag Insecure Temporary File Handling Symbolic Link V...
BugTraq ID: 9434
Remote: No
Date Published: Jan 15 2004
Relevant URL: http://www.securityfocus.com/bid/9434
Summary:
3Ddiag is a 3D diagnosis tool designed to evaluate the 3D hardware,
software libraries and hardware driver configuration on SuSE Linux 7.3 and
greater.

A vulnerability has been found in the handling of temporary files by the
3Ddiag tool in the SuSE Linux distribution. This issue may allow local
destruction of data on affected systems potentially leading to a loss of
sensitive data or denial of service.

This issue is due to the 3Ddiag tool failing to handle the creation and
state of temporary files securely in the /usr/bin/switch2nv,
/usr/bin/switch2nvidia and /usr/bin/3Ddiag.ignoredb scripts.

The switch2nv and switch2nvidia scripts, which are used by the 3Ddiag
utility, create a file named XF86Config in the /tmp directory. An attacker
can remove that file and replace it with a symbolic link pointing to a
target file. When either script is run it writes to the link with root
privileges without verifying that the path is a regular file it created
itself, so the target file is overwritten.

The 3Ddiag.ignoredb script creates a temporary file named 3Ddiag.ignoredb
in the /tmp directory. An attacker can create a symbolic link with that
name in advance. When 3Ddiag is run, the link's target is overwritten with
root privileges, causing loss of sensitive data or a denial of service on
the vulnerable system.

This issue is likely to affect only personal desktop machines and poorly
configured servers, since the tool exists to check 3D software libraries
and hardware configuration and is not intended for use by remote users.
The tool ships only with SuSE Linux 7.3 and later.

4. OpenCA Crypto-Utils.Lib Signature Verification Vulnerability
BugTraq ID: 9435
Remote: Yes
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9435
Summary:
OpenCA is an Open Source Certification Authority solution. OpenCA includes
a library to support Crypto procedures, this library is named
crypto-utils.lib.

OpenCA has reported a vulnerability in the crypto-utils.lib library,
specifically in the libCheckSignature() function. This function loads a
signature from the OpenCA database and is meant to ensure that the signer's
certificate matches. The flaw is that libCheckSignature() compares only the
serial number of the associated certificate. Serial numbers are unique only
within a single issuer, so a different certificate carrying the same serial
number may be accepted in place of the expected one.

The vendor has reported that if the signature's certificate chain can be
made to chain to a certificate in OpenCA's chain directory, and a valid
certificate with the same serial number already exists in the PKI in use,
then the malicious certificate may be accepted.

As a result, a malicious party holding a certificate crafted to trigger this
condition could sign data that OpenCA will then verify as valid. This can
be abused to establish a false sense of trust, leading to a variety of
other attacks.

This issue has been reported to affect all versions of OpenCA up to and
including OpenCA version 0.9.1.6.

5. OpenBSD 3.4 Crypto Card Handlers File Descriptor Leak Vulner...
BugTraq ID: 9436
Remote: No
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9436
Summary:
OpenBSD 3.4 has been reported prone to an undisclosed file descriptor leak
vulnerability. The vendor has reported that this vulnerability may present
problems when a crypto card is installed in the affected system.

Although unconfirmed, it has been conjectured that a local attacker may
exploit this issue to gain access to a privileged I/O channel, and so
become privy to sensitive data related to cryptographic operations. This
has not been confirmed.

This issue does not affect OpenBSD 3.3.

This BID will be updated as further details regarding this vulnerability
are disclosed.

6. PHPShop Project Multiple Vulnerabilities
BugTraq ID: 9437
Remote: Yes
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9437
Summary:
phpShop is a web-based application development platform written in PHP.

Multiple vulnerabilities have been reported to exist in the software that
may allow an attacker to carry out attacks against the database, disclose
sensitive information, and execute HTML or script code in a user's
browser.

The following specific issues were outlined:

Multiple vulnerabilities have been reported to exist in the software that
may allow a remote user to inject malicious SQL syntax into database
queries. The issues may be exploited via the 'page', 'offset' and
'product_id' variables of the software. The problems exist due to
insufficient sanitization of user-supplied data. A remote attacker may
exploit these issues to influence SQL query logic to disclose sensitive
information that could be used to gain unauthorized access.

An information disclosure issue has been identified in the software as
well. It has been reported that a user with valid credentials is able to
view sensitive information about any customer such as Nickname, Company
Name, Last Name, First Name, Middle Name, Address including City, State,
Zip Code, Country, Telephone, Fax Number via the account/shipto module.
Furthermore, it has been reported that the information is fairly easy to
gather as user IDs usually start with numbers ranging from 18 to 20. An
attacker may also be able to gather information about the administrator.

An HTML injection vulnerability is reported to exist in the software that
may allow an attacker to include malicious HTML code in one or many fields
of shipping information page. The injected code could then be interpreted
by the browser of a user visiting the vulnerable site.

Finally, multiple cross-site scripting vulnerabilities have been reported
in the software. Various parameters are reportedly prone to these attacks
via HTTP GET requests, and an attacker may reportedly carry them out even
without access to the page in question. Several proofs of concept naming
the vulnerable parameters have been provided in the report. The cause of
these vulnerabilities is improper sanitization of user-supplied data.

phpShop versions 0.6.1-b and prior are reported to be vulnerable to these
issues.

7. XtremeASP PhotoGallery Adminlogin.ASP SQL Injection Vulnerab...
BugTraq ID: 9438
Remote: Yes
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9438
Summary:
XtremeASP PhotoGallery is a web-based picture gallery script. It is
implemented in ASP and available for Microsoft Windows platforms.
XtremeASP PhotoGallery is back-ended by a MySQL database.

XtremeASP PhotoGallery is prone to an SQL injection vulnerability. The
issue is reported to exist in 'adminlogin.asp', which does not
sufficiently sanitize user-supplied input for username and password values
before including it in SQL queries. This could permit remote attackers to
pass malicious input to database queries, resulting in modification of
query logic or other attacks.

Successful exploitation could result in compromise of the photo gallery,
disclosure or modification of data or may permit an attacker to exploit
vulnerabilities in the underlying database implementation.

8. MetaDot Corporation MetaDot Portal Server Multiple Vulnerabi...
BugTraq ID: 9439
Remote: Yes
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9439
Summary:
MetaDot Portal Server is an open source portal software which provides
content management, portal, and online database applications. It is used
to create web portals and websites.

A number of vulnerabilities have been found in MetaDot Corporation's
MetaDot Portal Server. Because the software fails to validate user input,
an attacker may be able to carry out SQL injection attacks that lead to
data corruption or force the server to disclose system configuration
information. Cross-site scripting vulnerabilities with the same root cause
have also been identified.

MetaDot Portal Server is prone to an SQL injection vulnerability that may
allow an attacker to destroy or corrupt data on vulnerable systems and has
also been reported to disclose server configuration information. An
attacker may exploit it by issuing a specially crafted URI to the MetaDot
server, since the software fails to validate the values assigned to URL
variables.

The values of the 'key', 'id' and 'iid' URI variables are used in an SQL
statement and may allow a user to inject SQL commands. The same issue also
produces a cross-site scripting vulnerability: the error message for the
failed query echoes the variable's value back to the browser, so script
supplied in the variable is rendered and executed. That error message also
reveals a significant amount of information to the attacker, including
system configuration details such as the current Perl version and the web
server path.

Aside from the above-mentioned cross-site scripting vulnerabilities, there
are a number of other URIs that will produce similar effects. These
issues are also due to improper validation of variables specified in the
URI.

MetaDot Portal Server versions 5.6.5.4 b5 and prior have been reported to
be vulnerable to these issues.

These issues are currently undergoing further analysis. This cumulative
BID will be separated into individual entries when analysis is complete.

9. Ultr@VNC ShellExecute() Local Privilege Escalation Vulnerabi...
BugTraq ID: 9440
Remote: No
Date Published: Jan 17 2004
Relevant URL: http://www.securityfocus.com/bid/9440
Summary:
Ultr@VNC is a client/server remote access suite that allows for a remote
user to access their desktop as though they are a local user.

When Ultr@VNC is in use, part of the application runs with SYSTEM
privileges. It has been reported that it is possible for attackers with
desktop access to elevate to these privileges through an access validation
error in Ultr@VNC.

The vulnerability is due to the use of the Win32 API call ShellExecute()
to open a browser window when the user selects either "Online Help" or
"Home Page" from within the Ultr@VNC console. Privileges are not lowered
before the IEXPLORE.EXE process is created, so the browser window inherits
the SYSTEM privileges of the service. A malicious user may then use the
SYSTEM-level instance of Internet Explorer to navigate the local filesystem
and execute arbitrary programs.

10. Agnitum Outpost Firewall Local Privilege Escalation Vulnerab...
BugTraq ID: 9441
Remote: No
Date Published: Jan 18 2004
Relevant URL: http://www.securityfocus.com/bid/9441
Summary:
Outpost Firewall is a Win32 personal firewall suite developed by Agnitum.

When Outpost Firewall is in use, the desktop console runs with SYSTEM
privileges. It has been reported that it is possible for attackers with
desktop access to elevate to these privileges through access validation
errors.

There are allegedly two instances where the console invokes, without
dropping privileges first, commands or programs not under its control that
can be hijacked by malicious users. One of the instances is through the
addition of plug-ins: a user can specify an arbitrary executable as a
plug-in. The chosen file will promptly be run by the console, inheriting
SYSTEM privileges. The other instance is through the HTML-based help
subsystem. It is possible for attackers to, in the help window, spawn a
privileged instance of NOTEPAD.EXE through a "View Source" option. From
Notepad the attacker can then spawn a command-shell, also as SYSTEM.

11. Netpbm Temporary File Vulnerabilities
BugTraq ID: 9442
Remote: No
Date Published: Jan 18 2004
Relevant URL: http://www.securityfocus.com/bid/9442
Summary:
Netpbm is a collection of utilities for the manipulation of graphic
images.

Debian has announced that Netpbm is affected by numerous vulnerabilities
related to its use of temporary files. These vulnerabilities may allow
for a malicious local user to cause the corruption of files owned by other
users. It is likely that the attacker must wait for the target user to
run one of the Netpbm utilities before any of the vulnerabilities can be
exploited. The attacker may also be required to successfully guess the
filename of the temporary file, though it may be trivial to do so. Any
file overwrites most likely occur with the privilege level of the victim
user who is running Netpbm.

12. Pablos FTP Server Unauthorized File Existence Disclosure Vul...
BugTraq ID: 9443
Remote: Yes
Date Published: Jan 19 2004
Relevant URL: http://www.securityfocus.com/bid/9443
Summary:
Pablos FTP Server is a multi-threaded Win32 FTP server.

A vulnerability reportedly affects Pablos FTP Server that can allow a
remote attacker to determine whether files outside of the FTP root
directory exist.

This behavior is exhibited when a client attempts to delete a file outside
of the FTP root directory using a relative path composed of ".." sequences.
The file is never deleted, but the error message returned differs
depending on whether or not the file exists. If the file exists, the
server responds with:

550 Permission denied.

If not:

550 File not found.

An attacker can then detect the presence of specific files and, to a
limited extent, map the filesystem by repeatedly issuing such requests and
observing the server response.
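The oracle described above, reconstructed as an added example (not code from Pablos FTP Server, whose source is not on this page): a DELE handler that checks existence before confinement and answers differently in each case, beside a hardened handler that confines the path first and gives one reply for every failure. The directory layout, file names and reply strings below are constructed for the demonstration; only the two 550 texts come from the report.

```python
import os
import tempfile

NOT_FOUND = "550 File not found."
DENIED = "550 Permission denied."
DELETED = "250 DELE command successful."


def handle_dele_vulnerable(ftp_root, argument):
    """Behaviour the report describes, reconstructed: existence is checked
    before confinement, and the two failures get different replies, so the
    presence of a file outside the root leaks through the error text."""
    target = os.path.normpath(os.path.join(ftp_root, argument))
    if not os.path.exists(target):
        return NOT_FOUND
    if not target.startswith(ftp_root + os.sep):
        return DENIED          # file exists but is outside the root
    os.unlink(target)
    return DELETED


def handle_dele_fixed(ftp_root, argument):
    """Confinement first, one reply for every failure: resolve the path
    (realpath collapses '..' and symlinks), treat anything outside the root
    exactly like a missing file, and touch the filesystem only for paths
    that passed the check."""
    root = os.path.realpath(ftp_root)
    target = os.path.realpath(os.path.join(root, argument.lstrip("/\\")))
    inside = target.startswith(root + os.sep)
    if not inside or not os.path.isfile(target):
        return NOT_FOUND
    os.unlink(target)
    return DELETED


def demo():
    """Constructed layout: <base>/ftproot is served, <base>/secret.txt sits
    outside it, <base>/ftproot/public.txt is a legitimate target.  Returns
    the replies each handler gives for an existing and a non-existent file
    outside the root, plus the fixed handler's reply for the in-root file."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "ftproot")
    os.mkdir(root)
    secret = os.path.join(base, "secret.txt")
    public = os.path.join(root, "public.txt")
    for p in (secret, public):
        with open(p, "w") as fh:
            fh.write("x")
    try:
        return {
            "vulnerable": (handle_dele_vulnerable(root, "../secret.txt"),
                           handle_dele_vulnerable(root, "../nothere.txt")),
            "fixed": (handle_dele_fixed(root, "../secret.txt"),
                      handle_dele_fixed(root, "../nothere.txt")),
            "fixed_inside": handle_dele_fixed(root, "public.txt"),
        }
    finally:
        for p in (secret, public):
            if os.path.exists(p):
                os.unlink(p)
        os.rmdir(root)
        os.rmdir(base)
```

The order of the checks is the whole fix: once the server has decided the path is outside the root it must not consult the filesystem at all, and it must answer exactly as it would for a missing file, otherwise the timing or the text of the reply becomes the oracle.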

13. Multiple JDBC Database Insecure Default Policy Vulnerabiliti...
BugTraq ID: 9444
Remote: Yes
Date Published: Jan 19 2004
Relevant URL: http://www.securityfocus.com/bid/9444
Summary:
It has been reported that multiple JDBC database implementations include
insecure default security policies. The source of these issues is that
the security policy included with vulnerable implementations does not
sufficiently restrict access to certain JDK facilities, such as
sun.misc.MessageUtils.toStderr. This could expose vulnerable databases to
denial of service attacks. This could also permit remote attackers to
execute arbitrary commands on systems hosting vulnerable implementations
in some circumstances. It appears as though a remote attacker would need
to authenticate to exploit these issues.

Proof-of-concept code has been released for J2EE/RI Pointbase Database to
demonstrate potential attacks that could result from insecure default
security policies. Further technical details regarding other specific
database implementations are pending release by the researcher who
discovered these issues. This BID will be updated when more details are
made available.

These issues are reportedly similar in nature to BIDs 9230 and 8773.

14. Mambo Open Source mod_mainmenu.php Remote File Include Vulne...
BugTraq ID: 9445
Remote: Yes
Date Published: Jan 19 2004
Relevant URL: http://www.securityfocus.com/bid/9445
Summary:
Mambo Open Source is a web based content management system.

A vulnerability has been reported to exist in the software that may allow
an attacker to include malicious external files containing arbitrary PHP
code to be executed on a vulnerable system. This vulnerability is
reported to exist because remote users can influence the
'mosConfig_absolute_path' variable in the 'mod_mainmenu.php' script to
specify an arbitrary include path.

Remote attackers could potentially exploit this issue via the vulnerable
variable to include a remote malicious script, which will be executed in
the context of the web server hosting the vulnerable software.

Mambo Open Source versions 4.5 and 4.6 have been reported to be prone to
this issue, however other versions could be affected as well.

15. Legato NetWorker NSR_Shutdown Script Temporary File Symlink ...
BugTraq ID: 9446
Remote: No
Date Published: Jan 19 2004
Relevant URL: http://www.securityfocus.com/bid/9446
Summary:
Legato NetWorker is a server package designed to help share data, media
and backup processes across a heterogeneous network. The Legato NetWorker
server will run on a number of Unix variants, as well as Microsoft Windows
NT/2000 systems.

Legato NetWorker has been reported prone to a symbolic link vulnerability.
The issue arises because the NetWorker script "nsr_shutdown" creates
temporary files in an insecure manner. Specifically, when "nsr_shutdown" is
invoked it creates a temporary file named "nsrsh$$", where "$$" is the
process ID of the running script. Because process IDs are drawn from a
small, sequentially assigned range, a local attacker can exploit this by
creating many symbolic links in the "tmp" directory, one for each likely
value of "$$", each pointing to a file the attacker wishes to target. When
the vulnerable script is invoked, the operations intended for the temporary
file are carried out on the file the symbolic link points to.

An attacker may exploit this issue to corrupt arbitrary files. This
corruption may potentially result in the elevation of privileges, or in a
system wide denial of service.

It has been reported that root privileges are required to invoke the
affected script; the resulting file operations therefore occur as root,
which magnifies the impact of this vulnerability.

It should be noted that although this vulnerability has been reported to
affect NetWorker version 6.0, other versions might also be affected.
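The temporary-file symlink attack common to items 3 (SuSE 3Ddiag), 11 (Netpbm) and 15 (Legato NetWorker), as an added example that is not code from any of those packages: a writer that uses a fixed name with a plain open() beside one that opens with O_CREAT|O_EXCL (and O_NOFOLLOW where available), and the conventional fix of letting mkstemp() choose the name. The working directory, victim file and the name "XF86Config" (taken from item 3) are constructed for the demonstration; the helper names are assumptions.

```python
import errno
import os
import tempfile


def unsafe_tmp_write(path, data):
    """Insecure pattern described in the advisories: a fixed, predictable
    name under /tmp opened for writing with plain open().  If an attacker
    has already planted a symbolic link at that path, open() follows it and
    the data lands on the link's target with the caller's privileges."""
    with open(path, "w") as fh:
        fh.write(data)


def safe_tmp_write(path, data):
    """Hardened open: O_CREAT|O_EXCL makes open() fail if anything, including
    a dangling symlink, already exists at the path, and O_NOFOLLOW (where the
    platform provides it) refuses a link in the final component.  Raises
    OSError (EEXIST or ELOOP) instead of writing through the link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def mkstemp_write(directory, data):
    """The usual fix: let mkstemp() pick an unpredictable name and create it
    with O_EXCL, so there is no fixed path for the attacker to pre-create.
    Returns the path it created."""
    fd, path = tempfile.mkstemp(prefix="nsrsh", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo_symlink_attack():
    """Constructed scenario (not from the advisories): the attacker plants
    '<dir>/XF86Config', the name the 3Ddiag report gives, as a link to a
    victim file before the privileged script runs.  Returns
    (victim_clobbered, safe_refused, mkstemp_made_regular_file)."""
    workdir = tempfile.mkdtemp()
    victim = os.path.join(workdir, "victim")
    planted = os.path.join(workdir, "XF86Config")
    made = None
    try:
        with open(victim, "w") as fh:
            fh.write("original\n")
        os.symlink(victim, planted)               # attacker's move
        unsafe_tmp_write(planted, "clobbered\n")  # privileged script's move
        with open(victim) as fh:
            clobbered = fh.read() == "clobbered\n"
        try:
            safe_tmp_write(planted, "x\n")
            refused = False
        except OSError as exc:
            refused = exc.errno in (errno.EEXIST, errno.ELOOP)
        made = mkstemp_write(workdir, "x\n")
        regular = os.path.isfile(made) and not os.path.islink(made)
        return clobbered, refused, regular
    finally:
        for p in (planted, victim, made):
            if p and os.path.lexists(p):
                os.unlink(p)
        os.rmdir(workdir)
```

The demonstration uses a private directory created by mkdtemp() rather than /tmp itself so that it runs the same way everywhere; in the real attack the link sits in a world-writable, sticky /tmp, where modern Linux kernels with fs.protected_symlinks enabled refuse to follow a link owned by a different user, which blunts (but does not replace the fix for) this class of bug.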

16. Invision Power Board Index.php Cross-Site Scripting Vulnerab...
BugTraq ID: 9447
Remote: Yes
Date Published: Jan 19 2004
Relevant URL: http://www.securityfocus.com/bid/9447
Summary:
Invision Power Board is web forum software. It is implemented in PHP and
is available for Unix and Linux variants and Microsoft Windows operating
systems.

A vulnerability has been reported to exist in Invision Power Board that
may allow a remote user to launch cross-site scripting attacks.

The issue is reported to exist due to improper sanitizing of user-supplied
data. It has been reported that HTML and script code may be parsed via the
'act' URI parameter of 'Index.php' script. This vulnerability makes it
possible for an attacker to construct a malicious link containing HTML or
script code that may be rendered in a user's browser upon visiting that
link. This attack would occur in the security context of the site.

Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials. Other attacks are also possible.

All versions of Invision Power Board have been reported to be vulnerable
to this issue.

17. Veritas Net Backup Professional Open Transaction Manager Rem...
BugTraq ID: 9448
Remote: Yes
Date Published: Jan 19 2004
Relevant URL: http://www.securityfocus.com/bid/9448
Summary:
Veritas Net Backup Professional is a backup utility.

A vulnerability has been reported to exist in the software that may allow
an attacker to gain full access to certain resources of a targeted system.
It has been reported that Veritas Net Backup Open Transaction Manager
(OTM) creates a shared drive on the system during a client backup. This
share is reportedly available to anyone on the network and is created with
default 'Everyone/Full Control' permissions. This vulnerability does not
compromise local folder permissions on a client machine.

Successful exploitation of this issue may allow a remote attacker to gain
access to files on a targeted system drive during a backup operation.

18. YABB SE SSI.PHP ID_MEMBER SQL Injection Vulnerability
BugTraq ID: 9449
Remote: Yes
Date Published: Jan 19 2004
Relevant URL: http://www.securityfocus.com/bid/9449
Summary:
YaBB SE is a freely available, open source port of Yet Another Bulletin
Board (YaBB). It is available for Unix, Linux, and Microsoft Operating
Systems.

A problem with YaBB SE could make it possible for a remote user to launch
SQL injection attacks.

It has been reported that a problem exists in the SSI.php script
distributed as part of YaBB SE. Due to insufficient sanitizing of the
user-supplied ID_MEMBER URI parameter, it is possible for a remote user to
inject arbitrary SQL queries into the database used by YaBB SE. This could
permit remote attackers to pass malicious input to database queries,
resulting in modification of query logic or other attacks.

Successful exploitation could result in compromise of the YaBB SE,
disclosure or modification of data or may permit an attacker to exploit
vulnerabilities in the underlying database implementation.

19. GoAhead WebServer Directory Management Policy Bypass Vulnera...
BugTraq ID: 9450
Remote: Yes
Date Published: Jan 19 2004
Relevant URL: http://www.securityfocus.com/bid/9450
Summary:
GoAhead WebServer is an embedded web server implementation that is
available for a number of operating systems, including Microsoft Windows
and Unix/Linux derivatives.

GoAhead WebServer allows users to configure a policy for how requests for
resources in certain directories are handled, such as defining default
actions for resources in cgi-bin or other directories. This is handled
internally via the websUrlHandlerRequest() server function. GoAhead
WebServer is prone to a vulnerability that may permit remote attackers to
bypass directory management policy.

It is reported that certain syntax may be used in HTTP GET requests to
bypass the policy for how certain requests should be handled, for example,
a script that should be interpreted may be downloaded by the attacker
instead. The following example requests are reported to reproduce this
behavior:

GET cgi-bin/cgitest.c HTTP/1.0
GET \cgi-bin/cgitest.c HTTP/1.0
GET %5ccgi-bin/cgitest.c HTTP/1.0

By omitting the initial forward-slash (/) or substituting a back-slash (\)
for the initial forward-slash, it is possible to bypass directory
management policy. A URL-encoded back-slash (%5c) at the beginning of the
request may also bypass the policy. Other variations also exist.

This could allow for unauthorized access to resources hosted on the
server, likely resulting in disclosure of sensitive information such as
script source code. The exact consequences will depend on what sort of
directory management policy is in place and also the nature of information
included in scripts or other sensitive resources hosted on the server.
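The defensive counterpart to the three request variants listed above, as an added example that is not GoAhead's own code: the request target is canonicalised (percent-decoding, backslash-to-slash, missing leading slash, dot segments) before the directory policy is looked up, so every spelling of the path hits the same policy entry. The POLICY table and lookup_policy() are hypothetical.

```python
# Added example, not from GoAhead WebServer: canonicalise a request target
# before consulting the per-directory handling policy.
import posixpath
from urllib.parse import unquote

# Hypothetical policy table: the longest matching directory prefix wins.
POLICY = {
    "/cgi-bin/": "execute",   # scripts here must be run, never served as files
    "/": "serve",
}


def canonical_path(target: str) -> str:
    """Return one normalised, absolute URL path for a raw request target."""
    path = target.split("?", 1)[0]            # policy applies to the path only
    # Decode until stable so that %255c -> %5c -> \ cannot slip through.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("too many layers of percent-encoding")
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    path = path.replace("\\", "/")            # a backslash is a separator too
    if not path.startswith("/"):
        path = "/" + path                      # the target must be absolute
    # Collapse "//", resolve "." and "..", and (for an absolute path)
    # drop any leading ".." so the result can never leave the root.
    return posixpath.normpath(path)


def lookup_policy(target: str):
    """Return (canonical_path, policy_action) for a request target."""
    path = canonical_path(target)
    # Treat "/cgi-bin" (the directory itself) like "/cgi-bin/".
    prefix = max((p for p in POLICY if (path + "/").startswith(p)), key=len)
    return path, POLICY[prefix]
```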

20. GetWare Web Server Component Content-Length Value Remote Den...
BugTraq ID: 9451
Remote: Yes
Date Published: Jan 19 2004
Relevant URL: http://www.securityfocus.com/bid/9451
Summary:
GetWare develops and maintains two products, WebCam Live and PhotoHost.
These products ship with a common Web Server component.

The GetWare Web Server component has been reported prone to a remote
denial of service vulnerability. It has been reported that the issue will
present itself when the affected web server receives malicious HTTP
requests that contain negative values for the Content-Length field in the
HTTP header. After 300 of these malicious requests, the GetWare Web Server
component will supposedly crash, effectively denying service to legitimate
users.

A remote attacker may exploit this issue to deny service to the GetWare
Web Server.

It should be noted that this vulnerability has been reported to affect
WebCam Live versions up to and including version 2.01 and PhotoHost up to
and including version 4.0. This is because both of these products ship
with the GetWare Web Server component.

21. GoAhead WebServer Post Content-Length Remote Resource Consum...
BugTraq ID: 9452
Remote: Yes
Date Published: Jan 19 2004
Relevant URL: http://www.securityfocus.com/bid/9452
Summary:
GoAhead WebServer is an embedded web server implementation that is
available for a number of operating systems, including Microsoft Windows
and Unix/Linux derivatives.

A vulnerability in the handling of unusual HTTP requests and
content-length sizes may cause a vulnerable GoAhead WebServer to become
unstable. Because of this, a remote attacker may be able to consume
excessive resources on the underlying host, resulting in a denial of
service condition.

The problem is in the handling of remote POST requests. By specifying a
content-length of a specific size in a POST request, and sending data of a
lesser size then breaking the connection, it is possible to send the
service into an infinite loop. The program does not sufficiently handle
the condition of a broken connection, and can consume excessive system
resources, potentially taking down the system with the service.

22. Multiple Liquid War Undisclosed Buffer Overflow Vulnerabilit...
BugTraq ID: 9453
Remote: Yes
Date Published: Jan 19 2004
Relevant URL: http://www.securityfocus.com/bid/9453
Summary:
Liquid War is a multiplayer computer game available for multiple
platforms.

Liquid War has been reported prone to multiple buffer overrun
vulnerabilities. These issues are reported to exist due to a lack of
sufficient bounds checking performed by sprintf-like functions on
user-supplied data before it is copied into reserved buffers in memory.
Additionally, a potential buffer overflow has been reported in network flow
handler procedures of Liquid War.

Although unconfirmed, it has been conjectured that an attacker may exploit
these conditions to corrupt sensitive process memory with attacker
supplied values.

This BID will be updated as further analysis of these issues is completed.

23. NetScreen Security Manager Insecure Default Remote Communica...
BugTraq ID: 9455
Remote: Yes
Date Published: Jan 20 2004
Relevant URL: http://www.securityfocus.com/bid/9455
Summary:
NetScreen-Security Manager is the firewall and security management product
distributed and maintained by NetScreen.

A problem in the handling of default communications has been identified in
NetScreen-Security Manager. Because of this, an attacker may be able to
gain access to potentially sensitive information.

The problem is in the default use of encryption. When NetScreen-Security
Manager is used to communicate with remote ScreenOS 5.0 devices, the
device does not use encryption by default. Information sent between the
ScreenOS devices and NetScreen-Security Manager may transit in plain text,
making it possible for an intermediary network to capture potentially
sensitive data while traveling between end-points.

24. AIPTEK NETCam Webserver Directory Traversal Vulnerability
BugTraq ID: 9456
Remote: Yes
Date Published: Jan 20 2004
Relevant URL: http://www.securityfocus.com/bid/9456
Summary:
AIPTEK NETCam Viewer is a webcam server. It also has a built-in web
server called NETCam webserver.

A vulnerability has been reported to exist in the NETCam webserver of
NETCam Viewer that may allow a remote attacker to access information
outside the server root directory. The problem exists due to insufficient
sanitization of user-supplied data. The issue may allow a remote attacker
to traverse outside the server root directory by using '../' character
sequences.

Successful exploitation of this vulnerability may allow a remote attacker
to gain access to sensitive information that may be used to launch further
attacks against a vulnerable system.

AIPTEK NETCam Viewer versions 1.0.0.28 and prior are reported to be prone
to this issue, however, other versions could be affected as well.

**It has been reported that NETCam Viewer employs the Boa web server
(0.93.15) and possibly other versions. Therefore, this issue may be
related to Boa Webserver File Disclosure Vulnerability (BID 7544) and Boa
Webserver 0.94.2.x File Disclosure Vulnerability (BID 1770).

25. SuSE Multiple Scripts Insecure Temporary File Handling Symbo...
BugTraq ID: 9457
Remote: No
Date Published: Jan 20 2004
Relevant URL: http://www.securityfocus.com/bid/9457
Summary:
fvwmbug is a helper shell script to allow a user to compose and email
bug-reports that concern FVWM. wm-oldmenu2new is used to convert from an
old-style WindowMaker menu file to the new PropertyList style. x11perfcomp
is a script that merges and formats the output of x11perf. xf86debug is a
script used to debug the X server; it must be invoked by the root user.
winpopup-send.sh is a script that is shipped as a part of the kopete
package. lvmcreate_initrd is used to create a new compressed initial
ramdisk.

Multiple scripts that are shipped with SuSE 9.0 have been reported prone
to insecure temporary file creation and symbolic link vulnerabilities. The
following scripts have been reported vulnerable:
/usr/X11R6/bin/fvwm-bug
/usr/X11R6/bin/wm-oldmenu2new
/usr/X11R6/bin/x11perfcomp
/usr/X11R6/bin/xf86debug
/opt/kde3/bin/winpopup-send.sh
/sbin/lvmcreate_initrd

The issues are present because the vulnerable scripts create temporary
files in an insecure manner. Specifically, when a script is invoked a
predictable temporary file is created. To exploit this issue, a local
attacker may create many symbolic links in the "tmp" directory with
incremental values representing the variable part of the vulnerable
temporary filename. Each of these links will point to an arbitrary file
that the attacker wishes to target. When the vulnerable script is invoked,
operations that were intended for the temporary file will be carried out
on the file that is linked by the malicious symbolic link.

An attacker may exploit these issues to corrupt arbitrary files. This
corruption may potentially result in the elevation of privileges, or in a
system wide denial of service.
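Two defensive pieces for the class of issue described above, as an added example that is not part of the SuSE scripts: safe_tempfile() creates the file atomically with O_EXCL so a link planted under a guessed name makes the call fail rather than being followed, and audit_tmp_usage() flags the guessable "/tmp/<name>.$$" pattern in a script's text. The sample script and the "fvwm-bug." prefix are constructed.

```python
# Added example, not from the SuSE scripts: safe temp-file creation plus a
# heuristic audit for the predictable-name pattern the advisory describes.
import os
import re
import stat
import tempfile

# Constructed sample script modelled on the vulnerable pattern.
SAMPLE_SCRIPT = """#!/bin/sh
# constructed sample for the audit below
TMP=/tmp/fvwm-bug.$$
echo "report" > $TMP
SAFE=$(mktemp /tmp/fvwm-bug.XXXXXX)
echo "report" > $SAFE
"""


def safe_tempfile(prefix: str = "fvwm-bug.") -> str:
    """Create a private temporary file atomically and return its path.

    mkstemp() opens with O_CREAT|O_EXCL and mode 0600 and retries with a
    fresh random suffix, so a pre-planted symlink of the same name is never
    followed: the open of that name simply fails and another name is tried.
    """
    fd, path = tempfile.mkstemp(prefix=prefix)
    st = os.fstat(fd)
    # Belt and braces: what we opened must be a regular file owned by us.
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
        os.close(fd)
        os.unlink(path)
        raise RuntimeError("temporary file is not a private regular file")
    os.close(fd)
    return path


def tempfile_is_private(path: str) -> bool:
    """True if path is a regular file (not a symlink) with mode 0600."""
    st = os.lstat(path)                       # lstat: do not follow links
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600


def demo_safe_tempfile() -> bool:
    """Create, check and remove a temp file; return the check result."""
    path = safe_tempfile()
    try:
        return tempfile_is_private(path)
    finally:
        os.unlink(path)


def audit_tmp_usage(script_text: str) -> list:
    """Return (line_no, line) for lines that build a guessable /tmp path.

    Heuristic: a literal "/tmp/" that is neither produced by mktemp nor a
    mktemp template (XXXXXX) is a fixed or PID-derived name, which a local
    user can predict. Text after '#' is ignored as a comment.
    """
    findings = []
    for no, line in enumerate(script_text.splitlines(), 1):
        code = line.split("#", 1)[0]
        if "/tmp/" in code and "mktemp" not in code and "XXXXXX" not in code:
            findings.append((no, line.strip()))
    return findings
```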

Each issue described in this BID will be given an individual BID once
further analysis is complete.

26. PHPix Remote Arbitrary Command Execution Vulnerability
BugTraq ID: 9458
Remote: Yes
Date Published: Jan 20 2004
Relevant URL: http://www.securityfocus.com/bid/9458
Summary:
PHPix is a Web-based photo album viewer written in PHP. It facilitates
image displays at various sizes as specified by the user.

It has been reported that PHPix is vulnerable to a remote command
execution vulnerability due to poor handling of externally supplied data.
This issue may allow unauthorized access to the affected system with the
privileges of the web server hosting the vulnerable program.

The source of the problem is that PHPix makes insecure calls to the PHP
system() function. The system() function passes user-supplied input to the
shell for execution without properly escaping shell metacharacters. An
attacker could specify the values of the non-validated variables that are
passed to the system() function using a specially crafted URI. In this
way, the attacker could use shell metacharacters to append commands to be
executed in the context of the hosting server process when system() is
called.
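The hardened counterpart to passing request parameters straight into system(), as an added example that is not PHPix's own code: each parameter is validated against an allowlist, and the external tool is invoked with an argument vector rather than a shell command string, so shell metacharacters in the input are never interpreted. The tool name ("convert"), the album layout and the parameter names are assumptions.

```python
# Added example, not from PHPix: validate URI parameters and invoke the
# resizer without a shell, so metacharacters cannot append commands.
import os
import re
import subprocess

ALBUM_ROOT = "/var/www/albums"      # assumed location of the photo albums
_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
_IMAGE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)$", re.IGNORECASE)


class BadParameter(ValueError):
    """Raised when a request parameter fails allowlist validation."""


def resize_argv(album: str, image: str, width: str) -> list:
    """Validate the three request parameters and return a safe argv list."""
    if not _NAME.match(album):
        raise BadParameter("album")
    if not _IMAGE.match(image):
        raise BadParameter("image")
    if not re.fullmatch(r"[0-9]{2,4}", width) or not 16 <= int(width) <= 2048:
        raise BadParameter("width")
    src = os.path.join(ALBUM_ROOT, album, image)
    dst = os.path.join(ALBUM_ROOT, album, f".cache_{int(width)}_{image}")
    # Each element reaches execve() verbatim; "; id" or "`id`" inside a
    # value would simply be part of a (non-existent) file name.
    return ["convert", src, "-resize", str(int(width)), dst]


def is_valid(album: str, image: str, width: str) -> bool:
    """True if the parameters would be accepted by resize_argv()."""
    try:
        resize_argv(album, image, width)
    except BadParameter:
        return False
    return True


def resize(album: str, image: str, width: str) -> None:
    """Run the resizer for validated input. shell=False is the default."""
    subprocess.run(resize_argv(album, image, width), check=True)
```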

This issue is known to affect PHPix version 2.0.3, however it most likely
affects earlier versions as well.

27. WebTrends Reporting Center Management Interface Path Disclos...
BugTraq ID: 9460
Remote: Yes
Date Published: Jan 20 2004
Relevant URL: http://www.securityfocus.com/bid/9460
Summary:
WebTrends Reporting Center is used to organize and present usage
information for multiple server web environments. Reporting Center is
available for Microsoft Windows, Linux and Solaris.

The WebTrends Reporting Center management interface discloses installation
path information when a non-existent resource is requested. The
management interface is accessible via HTTP on TCP port 1099. This issue
exists in the 'viewreport.pl' script included with the interface and may
be triggered by specifying a non-existent ID for the 'profileid'
parameter. The absolute physical path of the software installation will
be disclosed in the error response to such a request. This information
may permit an attacker to enumerate the layout of the underlying file
system of the host.

This issue was reported for version 6.1a of the software running on
Microsoft Windows. Other platforms and versions may also be affected.

28. Anteco Visual Technologies OwnServer Directory Traversal Vul...
BugTraq ID: 9461
Remote: Yes
Date Published: Jan 20 2004
Relevant URL: http://www.securityfocus.com/bid/9461
Summary:
OwnServer is a web server used for remotely monitoring security cameras.
This facilitates streaming of live video that is viewable via the
Internet.

A vulnerability in OwnServer 1.0 and earlier has been reported that may
allow a remote attacker to view files residing outside of the web server
root directory on the affected system. This problem exists due to a
failure to validate user specified URI data.

It has been reported that the OwnServer fails to properly sanitize the
user supplied URI, allowing an attacker to use the '../' character
sequence to break out of the web server root directory.

An attacker may exploit this condition to disclose the contents of Web
server readable files. Information harvested in this manner may be used to
aid in further attacks targeted against the vulnerable system.

29. DUware Software Multiple Vulnerabilities
BugTraq ID: 9462
Remote: Yes
Date Published: Jan 20 2004
Relevant URL: http://www.securityfocus.com/bid/9462
Summary:
DUware makes various web-based software products including DUcalendar,
DUclassified, DUdirectory, DUdownload, DUgallery, DUpics, DUportal,
DUarticle, DUclassmate, DUpoll, DUnews, DUamazon, DUpaypal, DUfaq, and
DUforum.

Multiple vulnerabilities have been identified in the software that may
allow a remote attacker to gain administrative access and upload arbitrary
files.

An authentication bypass vulnerability has been identified in various
DUware products. It has been reported that an attacker may gain
unauthorized access to various scripts with administrative privileges. An
attacker may be able to access various files directly via a URI parameter
and bypass authentication.

The following products are prone to the authentication bypass issue:
DUamazon
DUarticle
DUcalendar
DUclassified
DUclassmate
DUdirectory
DUdownload
DUfaq
DUforum
DUgallery
DUnews
DUpaypal
DUpics
DUpoll
DUportal

DUpics has been reported to be prone to a remote file upload
vulnerability. This issue reportedly exists in the 'inc_add.asp' script.
Remote attackers may upload arbitrary files to a location writeable by the
web server.

Successful exploitation of these issues may allow an attacker to gain
unauthorized access to sensitive resources and upload arbitrary files to
the host. An attacker can exploit this vulnerability to upload malicious
applications to the vulnerable system.

Some of these issues may be related to one or more of the issues described
in DUware DUportal Multiple Vulnerabilities (BID 9246).

30. 2Wire HomePortal Series Directory Traversal Vulnerability
BugTraq ID: 9463
Remote: Yes
Date Published: Jan 20 2004
Relevant URL: http://www.securityfocus.com/bid/9463
Summary:
2Wire HomePortal Series is a set of gateway servers designed for home
users. HomePortal Series supports Microsoft Windows and Apple Mac OS
operating systems.

A vulnerability has been alleged to exist in the software that may allow a
remote attacker to access information outside the server root directory.
The problem exists due to insufficient sanitization of user-supplied data
through the 'return' parameter in the 'wralogin' authentication form that
is accessed through the HTTPS (SSL) interface. The issue may allow a
remote attacker to traverse outside the server root directory by using
'../' character sequences.

Successful exploitation of this vulnerability may allow a remote attacker
to gain access to sensitive information that may be used to launch further
attacks against a vulnerable system.

All versions of 2Wire HomePortal Series have been reported to be
vulnerable to this issue.

31. Honeyd Remote Virtual Host Detection Vulnerability
BugTraq ID: 9464
Remote: Yes
Date Published: Jan 18 2004
Relevant URL: http://www.securityfocus.com/bid/9464
Summary:
Honeyd is honeypot software that simulates virtual hosts on IP addresses
that are not in use. It is available for various Unix/Linux derivatives.

Honeyd is prone to a vulnerability that may permit remote users to detect
the presence of the server. This is due to a flaw in how Honeyd responds
to certain TCP SYN packets, effectively allowing a remote user to
determine if a scanned address is a virtual Honeyd host. Upon receipt of
such a packet, the daemon will respond with a packet that has the SYN and
RST flags set. The consequence is that a remote attacker could enumerate
the existence of simulated Honeyd hosts and then either target specific
attacks against these hosts or avoid them altogether.

32. Darkwet Network WebcamXP Cross-Site Scripting Vulnerability
BugTraq ID: 9465
Remote: Yes
Date Published: Jan 21 2004
Relevant URL: http://www.securityfocus.com/bid/9465
Summary:
WebcamXP is a webcam utility with an integrated HTTP server designed to
operate on Windows platforms.

A vulnerability has been reported to exist in Webcam XP that may allow a
remote attacker to execute HTML or script code in a user's browser.

The issue is reported to exist due to improper sanitizing of user-supplied
data. It has been reported that HTML and script code may be parsed via a
malicious URI. This vulnerability makes it possible for an attacker to
construct a malicious link containing HTML or script code that may be
rendered in a user's browser upon visiting that link. This attack would
occur in the security context of the site.

Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials. Other attacks are also possible.

WebcamXP version 1.06.945 has been identified as vulnerable, however,
other versions could be affected as well.

33. Microsoft Windows Samba File Sharing Resource Exhaustion Vul...
BugTraq ID: 9467
Remote: Yes
Date Published: Jan 21 2004
Relevant URL: http://www.securityfocus.com/bid/9467
Summary:
A vulnerability has been identified in Microsoft Windows when file sharing
with a Unix client is enabled. It has been reported that this issue
presents itself if a system has enabled file sharing with a Unix client
running Samba. An attacker on a Unix client with write/create permissions
to the mounted share can cause a resource exhaustion condition in the
Windows system. This attack may lead to a denial of service condition,
preventing Windows from sharing files.

The issue may be exploited by creating and deleting up to 1000 directories
on a share. Reportedly, every time a directory is created, Windows
allocates paged pool memory for the directory. Paged pool memory is
limited to 343MB on a Windows System. The allocated memory is not freed
when the directory is deleted. The resource exhaustion occurs when a
large number of directories (from 3.5 million to 5.8 million) have been
deleted and created. Successful exploitation of this attack may cause a
Windows system to discontinue file sharing due to memory exhaustion. A
system reboot is reported to restart the services in a working order.

Microsoft Windows XP Professional Service Pack 1 and Microsoft Windows
Server 2003 are reported to be vulnerable to this issue. This issue does
not affect Microsoft Windows 2000 Professional and prior.

34. Cisco Voice Product IBM Director Agent Unauthorized Remote A...
BugTraq ID: 9468
Remote: Yes
Date Published: Jan 21 2004
Relevant URL: http://www.securityfocus.com/bid/9468
Summary:
IBM Director agents installed with Cisco voice products on IBM servers are
prone to a vulnerability that could permit remote attackers to gain
unauthorized administrative access. This could be exploited by any
Director Server/Console agent that can connect to the administrative port
(14247). The remote attacker can gain unauthorized administrative access
via this port without being required to supply authentication credentials.

The source of this vulnerability is that the default installation of an
IBM Director agent leaves TCP/UDP port 14247 open, allowing connections
from arbitrary Director Server/Console agents. Administrative access will
permit the attacker to perform various actions, including transferring
files, stopping/starting services, creating Windows 2000 user accounts and
modifying configuration.

35. Cisco Voice Product IBM Director Agent Port Scan Denial Of S...
BugTraq ID: 9469
Remote: Yes
Date Published: Jan 21 2004
Relevant URL: http://www.securityfocus.com/bid/9469
Summary:
IBM Director installed with Cisco voice products on IBM servers has been
reported prone to a remote denial of service vulnerability. The issue is
reported to present itself when port 14247, which is associated with the
affected software, is scanned with a port scanner. This will cause the
executable "twgipc.exe" to exponentially consume CPU resources until the
server becomes unresponsive.

A remote attacker may exploit this vulnerability to render a target Cisco
voice server inoperative until the affected server is rebooted. This
denial of service may additionally have a system wide impact.

36. Mephistoles HTTPD Cross-Site Scripting Vulnerability
BugTraq ID: 9470
Remote: Yes
Date Published: Jan 21 2004
Relevant URL: http://www.securityfocus.com/bid/9470
Summary:
Mephistoles httpd is a simple web server implemented in Perl.

It has been discovered that Mephistoles httpd daemon fails to sanitize
user-supplied input, making it vulnerable to cross-site scripting attacks.
This vulnerability makes it possible for an attacker to construct a
malicious link containing HTML or script code that may be rendered in a
user's browser upon visiting that link. This attack would occur in the
security context of the affected server.

Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials. Other attacks are also possible.

37. Apache mod_perl Module File Descriptor Leakage Vulnerability
BugTraq ID: 9471
Remote: No
Date Published: Jan 21 2004
Relevant URL: http://www.securityfocus.com/bid/9471
Summary:
Apache is a freely available, open source web server software package. It
is distributed and maintained by the Apache Group. mod_perl is an Apache
module that provides for Perl functionality in websites.

A vulnerability has been reported to exist in the Apache mod_perl module
that may allow local attackers to gain access to privileged file
descriptors. This issue could be exploited by an attacker to hijack a
vulnerable server daemon.

It has been reported that multiple file descriptors, including those
associated with the sockets listening on ports 443 and 80, are leaked to
the mod_perl module and any processes it creates. Additionally file
descriptors associated with logging functionality are also leaked. This
allows for Perl scripts and any processes they spawn to access the
privileged I/O streams.

This issue may allow an attacker to pose as a legitimate server to
clients. An attacker may also steal sensitive information, or read and
write to a privileged I/O stream.

It should be noted that this issue appears to be distinct from the
vulnerability described in BID 7255 (and patched in Apache 2.0.45).
Versions later than Apache 2.0.45 reportedly still leak descriptors.

Additionally, it is not recommended that mod_perl be run in a shared user
environment, as mod_perl is not intended to run untrusted Perl code. This
BID will be updated as further information becomes available.
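An added example, not mod_perl or Apache code, of how a defender can verify the leak described above: a socket whose close-on-exec flag is clear survives exec() into any process the server spawns, while one with the flag set does not. The probe script is a stand-in for a spawned Perl script; socketpair() stands in for the listening sockets on ports 80 and 443, since the inheritance rule is the same for any descriptor.

```python
# Added example, not from mod_perl: check which descriptors a spawned child
# inherits, and show that FD_CLOEXEC (Python: set_inheritable(False)) is
# what keeps a server socket from leaking into child processes.
import socket
import subprocess
import sys

# Child-side probe: report every descriptor above stderr that is open.
PROBE = r"""
import os
seen = []
for fd in range(3, 1024):
    try:
        os.fstat(fd)
    except OSError:
        continue
    seen.append(str(fd))
print(" ".join(seen))
"""


def fds_seen_by_child() -> set:
    """Spawn a child without explicitly closing fds; return the fds it can see.

    close_fds=False mirrors a server that does nothing special before exec:
    only descriptors carrying FD_CLOEXEC are closed by the kernel.
    """
    out = subprocess.run([sys.executable, "-c", PROBE], capture_output=True,
                         text=True, close_fds=False, check=True)
    return {int(x) for x in out.stdout.split()}


def make_socket(inheritable: bool) -> socket.socket:
    """Create a socket (stand-in for a listener) with the given inheritance."""
    a, b = socket.socketpair()
    b.close()
    a.set_inheritable(inheritable)   # True clears FD_CLOEXEC, False sets it
    return a


def leaks_to_child(inheritable: bool) -> bool:
    """True if a socket created with this setting is visible in a child."""
    s = make_socket(inheritable)
    try:
        return s.fileno() in fds_seen_by_child()
    finally:
        s.close()
```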

38. Native Solutions TBE Banner Engine Server Side Script Execut...
BugTraq ID: 9472
Remote: Yes
Date Published: Jan 22 2004
Relevant URL: http://www.securityfocus.com/bid/9472
Summary:
Native Solutions TBE Banner Engine is software written in PHP. It is
used to create banners.

A vulnerability has been reported to exist in the software that may allow
a remote attacker to execute malicious scripts on a vulnerable server.

User-supplied banners are stored in the 'tbe-$user_id-$banner_id.html'
file on the server. It has been reported that due to improper
sanitization of user-supplied banner data, an attacker may be able to
embed malicious PHP script code in this file to be executed on the server.
It may also be possible to embed code from other server-side scripting
languages that are supported by the underlying server, such as Server Side
Includes.

Successful exploitation of this issue may allow an attacker to execute
malicious script code on a vulnerable server whenever the malicious banner
is interpreted by the server. This attack would occur in the context of
the vulnerable server.

TBE Banner Engine versions 4.0 and 5.0 may be prone to this vulnerability.

39. EA Black Box Need For Speed Hot Pursuit 2 Game Client Remote...
BugTraq ID: 9473
Remote: Yes
Date Published: Jan 22 2004
Relevant URL: http://www.securityfocus.com/bid/9473
Summary:
Electronic Arts Black Box Need for Speed Hot Pursuit 2 is a game
distributed by Electronic Arts and maintained/developed by Electronic Arts
Black Box. It includes features that allow users to game locally or across
a network.

Need for Speed Hot Pursuit 2 game client has been reported prone to a
remotely exploitable buffer overflow condition.

The issue presents itself in the client network connection routines used
by the client to negotiate a connection to a Need for Speed Hot Pursuit 2
game server. Due to a lack of sufficient bounds checking performed on the
parameters gamename, gamever, hostname, gametype, mapname and gamemode, a
malicious server may potentially corrupt sensitive process memory in the
affected game client and ultimately execute arbitrary code with the
privileges of the user who invoked the game.

The impact of the issue may be magnified by the procedures used to
connect to a remote game server. It has been reported that when the
Multiplayer screen is launched in the game, the client will transmit a
query packet to all of the game servers that are listed in the Master
Server's list. The client will then await a reply from each of the
servers. If a remote attacker can manage to place a malicious server into
the Master Server's list then every client that launches a multi-player
game may potentially be exploited.

It should be noted that this issue has been reported to affect Need for
Speed Hot Pursuit 2 version 242 and all previous versions.

40. Acme thttpd CGI Test Script Cross-Site Scripting Vulnerabili...
BugTraq ID: 9474
Remote: Yes
Date Published: Jan 22 2004
Relevant URL: http://www.securityfocus.com/bid/9474
Summary:
thttpd is an HTTP server implementation that is maintained by Acme. It is
intended to run on Unix/Linux variants.

thttpd is prone to a cross-site scripting vulnerability in the CGI test
script. This could permit a remote attacker to create a malicious link to
the web server that includes hostile HTML and script code. If this link
were followed, the hostile code may be rendered in the web browser of the
victim user. This would occur in the security context of the web server
and may allow for theft of cookie-based authentication credentials or
other attacks.

It should be noted that FREESCO includes an embedded version of thttpd and
is also prone to this vulnerability due to their inclusion of the
vulnerable component.

41. Netbus Directory Listings Disclosure and File Upload Vulnera...
BugTraq ID: 9475
Remote: Yes
Date Published: Jan 22 2004
Relevant URL: http://www.securityfocus.com/bid/9475
Summary:
Netbus is a backdoor program that allows remote administration of a
compromised system. It is available for Microsoft Windows operating
systems. Netbus can be configured to require a password for backdoor
server access. The software is also shipped with a built in web server.

A vulnerability has been reported in the web server software that may
allow a remote user to disclose root directory listings. Furthermore,
it has been reported that a remote attacker may upload a malicious file to
an attacker-specified location via a URI parameter. Successful
exploitation may provide for possible disclosure of sensitive information
and the possibility of corrupting files by uploading malicious files onto
the affected system.

Netbus Pro has been reported to be vulnerable to this issue.

42. McAfee ePolicy Orchestrator Agent HTTP POST Buffer Mismanage...
BugTraq ID: 9476
Remote: Yes
Date Published: Jan 22 2004
Relevant URL: http://www.securityfocus.com/bid/9476
Summary:
McAfee ePolicy Orchestrator (ePO) is a product designed to remotely manage
various policies and antivirus products. It is available for the Microsoft
Windows operating system.

The McAfee ePolicy agent has been reported prone to a buffer management
vulnerability that may be exploited to crash the affected agent. Although
unconfirmed, it has been reported that the issue may also allow a remote
attacker to trigger a buffer overflow vulnerability, ultimately providing
for the execution of arbitrary code.

The issue reportedly presents itself because the "Content-Length" values
in HTTP POST headers processed by the ePolicy Orchestrator are not
sufficiently sanitized. A remote attacker may exploit this issue to
trigger the allocation of 4GB of data, causing the agent to crash. It has
also been reported that the attacker may create a buffer overflow
condition, by specifying a content length size that is not sufficient to
store attacker-supplied data.
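One bounded body reader that covers the three Content-Length failure modes in this digest, as an added example that is none of the affected vendors' code: the negative values reported against the GetWare Web Server component (item 20), the announced-but-never-sent body on which GoAhead WebServer loops (item 21), and the oversized allocation and length/data mismatch reported against the ePolicy Orchestrator agent (item 22). The 1 MiB limit and the request samples are constructed.

```python
# Added example, not vendor code: parse Content-Length strictly, cap the
# allocation, read exactly that many bytes, and fail (rather than loop) if
# the peer disconnects early.
import io
import re

MAX_BODY = 1 << 20          # assumed per-request body limit: 1 MiB
CHUNK = 8192


class BadRequest(Exception):
    """A request the server refuses to process further."""


def parse_content_length(value: str, limit: int = MAX_BODY) -> int:
    """Return a validated body length; only plain ASCII digits are accepted."""
    v = value.strip()
    if not re.fullmatch(r"[0-9]+", v):       # rejects "-1", "+5", "", "0x10"
        raise BadRequest("Content-Length must be a non-negative integer")
    n = int(v)
    if n > limit:                            # refuse the allocation up front
        raise BadRequest(f"Content-Length {n} exceeds limit {limit}")
    return n


def read_body(stream, headers: dict, limit: int = MAX_BODY) -> bytes:
    """Read exactly Content-Length bytes from stream, never more, never forever."""
    n = parse_content_length(headers.get("Content-Length", "0"), limit)
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(min(CHUNK, n - len(buf)))   # bounded by n
        if not chunk:                        # EOF before n bytes: give up
            raise BadRequest(f"connection closed after {len(buf)} of {n} bytes")
        buf += chunk
    return bytes(buf)                        # len(buf) == n exactly


def parse_request(raw: bytes, limit: int = MAX_BODY):
    """Split a raw request into (request_line, body) for the tests below."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete header block")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().title()] = val.strip()
    # io.BytesIO stands in for the socket; read() returns b"" at EOF.
    return lines[0], read_body(io.BytesIO(rest), headers, limit)


def rejection_reason(raw: bytes, limit: int = MAX_BODY):
    """Return the BadRequest message for raw, or None if it is acceptable."""
    try:
        parse_request(raw, limit)
    except BadRequest as exc:
        return str(exc)
    return None
```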

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Online fraud, I.D. theft soars
By: Kevin Poulsen

A U.S. government report counts half-a-million fraud complaints in 2003,
most of them Internet-related.

http://www.securityfocus.com/news/7897

2. Prison time for unlucky phisher
By: Kevin Poulsen

Fraudster who unwittingly spammed the FBI is sentenced to nearly four
years in custody.

http://www.securityfocus.com/news/7871

3. Feds seek input on spammer sentencing
By: Kevin Poulsen

Should deceptive spammers get extra prison time for harvesting e-mail
addresses from websites? Should their punishment be tied to the number of
messages they send? The commission charged with establishing sentences for
CAN-SPAM Act violators wants your input.

http://www.securityfocus.com/news/7846

4. The voodoo that Dumaru doesn't do too well...
By: Mike Kemp, The Register

http://www.securityfocus.com/news/7903

5. We'll kill spam in two years - Gates
By: John Leyden, The Register

http://www.securityfocus.com/news/7902

6. Chip and PIN hits 8 million cards
By: John Leyden, The Register

http://www.securityfocus.com/news/7901

IV. SECURITYFOCUS TOP 6 TOOLS
-----------------------------
1. Brcontrol v0.02
By: tascon
Relevant URL: http://sourceforge.net/proje
