SecurityFocus News
SecurityFocus Newsletter #252 Jun 07 2004 07:15PM
Peter Laborge (plaborge securityfocus com)
SecurityFocus Newsletter #252
------------------------------

This Issue is Sponsored By: SPI Dynamics

ALERT: "How Hackers Launch Blind SQL Injection Attacks" - New White Paper
The newest web app vulnerability... Blind SQL Injection!
Even if your web application does not return error messages, it may still
be open to a Blind SQL Injection Attack. Blind SQL Injection can deliver
total control of your server to a hacker giving them the ability to read,
write and manipulate all data stored in your backend systems! Download
this *FREE* white paper from SPI Dynamics for a complete guide to
protection!

http://www.securityfocus.com/sponsor/SPIDynamics_sf-news_040607

------------------------------------------------------------------------

I. FRONT AND CENTER
1. Wireless Attacks and Penetration Testing (part 1 of 3)
2. Catching a Virus Writer
3. Multiple Security Roles With Unix/Linux
II. BUGTRAQ SUMMARY
1. MollenSoft Lightweight FTP Server Remote Buffer Overflow Vul...
2. JPortal Print.php SQL Injection Vulnerability
3. PHPoto Picture_view Script Unauthorized Access Vulnerability
4. Apple Mac OS X Multiple Unspecified Security Vulnerabilities
5. Isoqlog Multiple Buffer Overflow Vulnerabilities
6. Spamguard Multiple Buffer Overflow Vulnerabilities
7. Land Down Under BBCode HTML Injection Vulnerability
8. e107 Website System Multiple Vulnerabilities
9. Gatos xatitv Missing Configuration File Privilege Escalation...
10. SquirrelMail Email Header HTML Injection Vulnerability
11. Microsoft Windows 2000 Domain Expired Account Security Polic...
12. Linksys WRT54G Router World Accessible Remote Administration...
13. RARLAB UnRAR File Name Format String Vulnerability
14. Qualcomm Eudora Internet Mail Server For Mac OS 7 Remote Buf...
15. Sambar Server Multiple Vulnerabilities
16. Rit Research Labs TinyWeb Server Unauthorized Script Disclos...
17. Firebird Remote Pre-Authentication Database Name Buffer Over...
18. PHP-Nuke Direct Script Access Security Bypass Vulnerability
19. MIT Kerberos 5 KRB5_AName_To_Localname Multiple Principal Na...
20. IBM Multiple Product Unspecified Credential Impersonation Vu...
21. Gallery Authentication Bypass Vulnerability
22. Opera Browser Favicon Address Bar Spoofing Weakness
23. Multiple Linksys Routers Gozila.CGI Denial Of Service Vulner...
24. Tripwire Email Reporting Format String Vulnerability
25. Unix and Unix-based select() System Call Overflow Vulnerabil...
26. Trend Micro Scanning Engine Report Generation HTML Injection...
27. Mail Manage EX MMEX Script Settings Parameter Remote PHP Fil...
28. Sun Fire B1600 Network Management Port Remote Denial Of Serv...
29. Netgear WG602 Wireless Access Point Default Backdoor Account...
30. Michael Krax log2mail Log File Writing Format String Vulnera...
31. Slackware Linux PHP Packages Insecure Linking Configuration ...
32. Mkdir Buffer Overflow Vulnerability
III. SECURITYFOCUS NEWS ARTICLES
1. Wardriver pleads guilty in Lowes WiFi hacks
2. Ex-investigator's suit against DirecTV dismissed
3. FDIC faulted for weak security
4. Virus writers deploy bulk mail software
5. 'Potter-mania' fuels spread of NetSky-P
6. Mutant son of MyDoom plans three-pronged attack
IV. SECURITYFOCUS TOP 6 TOOLS
1. XArp 0.1
2. Devil-Linux v1.2 Beta 1
3. GNU Anubis v3.9.94
4. DNSSEC Walker v3.4
5. vthrottle v0.50
6. Honeynet Security Console 1.0
V. SECURITYJOBS LIST SUMMARY
1. Job opportunity (Sercurity Software Developer) Fort ... (Thread)
2. Information Security Engineer Needed Immediately!!! ... (Thread)
3. Senior Security Analyst- Boston Area (Thread)
4. Virus Analysts (Thread)
5. Tempest Engineer needed in Annapolis, MD (Thread)
6. SR. SECURITY SYSTEM ADMINISTRATOR - Redwood City, C... (Thread)
7. Security Engineer, Washington, DC (Thread)
8. Texas CISA Needed (Thread)
9. Multiple Computer Systems Security Analyst positions... (Thread)
10. Security Engineer- Denver, CO (Thread)
11. Position available in WA - IT Internal Audit and Co... (Thread)
12. Penetration Testing and Intrusion Detection Consulta... (Thread)
13. Sr level network security engineer, Richmond, VA: Wa... (Thread)
14. Information Security with Microsoft emphasis - CA, T... (Thread)
15. Need travelling Professional Services Engineer based... (Thread)
16. AE in NYC (Thread)
17. SE in NYC & Atlanta (Thread)
18. Job opening: travelling security programmer (Thread)
19. (job offered) Sr. SMS Consultants with security expe... (Thread)
20. Lead unix system administrator- London - Need Kickst... (Thread)
21. consulting opportunity (Thread)
22. Technical Security Specialist, London, UK - Contract (Thread)
VI. INCIDENTS LIST SUMMARY
1. Incident investigation methodologies (Thread)
2. Incident investigation methodologies, update (Thread)
3. Dead Thread: NKADM rootkit - Something new? (Thread)
4. NKADM rootkit - Something new? (Thread)
5. Increase in MS vuln WebDav scans (Thread)
6. Changing file times, was -> Re: Trojan of somesort -... (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
1. FW: Returned post for vuln-dev (at) securityfocus (dot) com (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
1. Exchange Information Store Security? Send As... (Thread)
2. SecurityFocus Microsoft Newsletter #191 (Thread)
3. Relative Security Provided by Cached Domain Credenti... (Thread)
IX. SUN FOCUS LIST SUMMARY
1. "/etc/vfstab" re-creation (Thread)
2. kernel patch loading but not updating KernelID (Thread)
X. LINUX FOCUS LIST SUMMARY
1. mrtg/snmp/subinterfaces (Thread)
2. OpenVPN? (Thread)
3. Block martians with source address 127.0.0.1 (Thread)
4. Martians? (Thread)
XI. UNSUBSCRIBE INSTRUCTIONS
XII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Wireless Attacks and Penetration Testing (part 1 of 3)
By Jonathan Hassell

This is the first of a three part series on penetration testing for
wireless networks. This installment will detail common styles of attacks
against wireless networks, introduce WEP key-cracking, and then discuss
some recent developments in wireless security.

http://www.securityfocus.com/infocus/1783

2. Catching a Virus Writer
By Kelly Martin

With the consumer WiFi explosion, launching a virus into the wild has
never been easier and more anonymous than it is today.

http://www.securityfocus.com/columnists/246

3. Multiple Security Roles With Unix/Linux
By Daniel Hanson

There are some areas of security where Linux and Unix have some strong
wins, and simply fit in better than anything else.

http://www.securityfocus.com/columnists/247

II. BUGTRAQ SUMMARY
-------------------
1. MollenSoft Lightweight FTP Server Remote Buffer Overflow Vul...
BugTraq ID: 10429
Remote: Yes
Date Published: May 28 2004
Relevant URL: http://www.securityfocus.com/bid/10429
Summary:
Lightweight FTP Server is prone to a remote buffer overflow vulnerability. This vulnerability can potentially allow a remote attacker to execute arbitrary code in the context of the server process. This issue presents itself due to a lack of sufficient boundary checks performed on CD command arguments.

Lightweight FTP Server version 3.6 is prone to this issue.

This issue is likely related to the issue previously described in BID 10409 (MollenSoft Lightweight FTP Server Remote Denial Of Service Vulnerability). This BID will be updated or retired subsequent to further analysis.

2. JPortal Print.php SQL Injection Vulnerability
BugTraq ID: 10430
Remote: Yes
Date Published: May 28 2004
Relevant URL: http://www.securityfocus.com/bid/10430
Summary:
JPortal is reportedly affected by a remote SQL injection vulnerability in the print.inc.php script. This issue is due to a failure of the application to properly sanitize user-supplied URI input before using it in an SQL query.

As a result, a malicious user may influence database queries in order to view or modify sensitive information, potentially compromising the software or the database. It may be possible for an attacker to disclose the administrator password hash by exploiting this issue.

3. PHPoto Picture_view Script Unauthorized Access Vulnerability
BugTraq ID: 10431
Remote: Yes
Date Published: May 28 2004
Relevant URL: http://www.securityfocus.com/bid/10431
Summary:
PHPoto is prone to an unauthorized access vulnerability that can allow remote users to view any pictures hosted on a site, regardless of the user's privileges.

PHPoto versions 0.4.0-pre-5 and prior are prone to this issue.

4. Apple Mac OS X Multiple Unspecified Security Vulnerabilities
BugTraq ID: 10432
Remote: Yes
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10432
Summary:
Multiple unspecified security vulnerabilities were reported in Mac OS X. Mac OS X 10.3.4 has been released to address these issues and provide other security enhancements.

5. Isoqlog Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 10433
Remote: Yes
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10433
Summary:
Isoqlog is prone to multiple buffer overflow vulnerabilities that span various source files and functions. Some of the vulnerabilities are remotely exploitable and may permit execution of arbitrary code in the context of the process. Others are local in nature, but as the software is not typically installed setuid/setgid, should not present any security risk.

6. Spamguard Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 10434
Remote: Yes
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10434
Summary:
Spamguard is prone to multiple buffer overflow vulnerabilities that span various source files and functions. Some of the vulnerabilities are remotely exploitable and may permit execution of arbitrary code in the context of the process. Others are local in nature, but as the software is not typically installed setuid/setgid, should not present any security risk.

7. Land Down Under BBCode HTML Injection Vulnerability
BugTraq ID: 10435
Remote: Yes
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10435
Summary:
Land Down Under is prone to an HTML injection vulnerability. This issue is exposed through its BBCode implementation. Exploitation could permit theft of cookie credentials, manipulation of content, or other attacks.

8. e107 Website System Multiple Vulnerabilities
BugTraq ID: 10436
Remote: Yes
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10436
Summary:
e107 is prone to multiple cross-site scripting, HTML injection, file inclusion, and SQL injection vulnerabilities. This may compromise various security properties of a Web site running the software, including allowing remote attackers to execute malicious PHP code.

9. Gatos xatitv Missing Configuration File Privilege Escalation...
BugTraq ID: 10437
Remote: No
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10437
Summary:
The gatos xatitv utility is prone to a local privilege escalation vulnerability.

This issue may occur when the utility, which is installed setuid root, fails to drop privileges due to a missing configuration file. Unsanitized user-supplied environment variables may then be exploited to escalate privileges.

It is noted that the software ships with a default configuration file, so exploitation would require that the file was removed at some point.

10. SquirrelMail Email Header HTML Injection Vulnerability
BugTraq ID: 10439
Remote: Yes
Date Published: May 31 2004
Relevant URL: http://www.securityfocus.com/bid/10439
Summary:
SquirrelMail is reported to be prone to an email header HTML injection vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied email header strings.

An attacker can exploit this issue to gain access to an unsuspecting user's cookie based authentication credentials; disclosure of personal email is possible. Other attacks are also possible.

11. Microsoft Windows 2000 Domain Expired Account Security Polic...
BugTraq ID: 10440
Remote: Yes
Date Published: May 31 2004
Relevant URL: http://www.securityfocus.com/bid/10440
Summary:
Windows 2000 domain controllers are reported prone to a weakness that may permit user accounts with expired passwords to logon to the domain.

This weakness may lead to a security policy violation. For example, where an administrator expires a user's password to force them to change it, or sets a weak password while creating the account, the user can leave the password unchanged and still log on to the affected domain, while the administrator believes that the password has been changed.

12. Linksys WRT54G Router World Accessible Remote Administration...
BugTraq ID: 10441
Remote: Yes
Date Published: May 31 2004
Relevant URL: http://www.securityfocus.com/bid/10441
Summary:
A weakness is reported to affect the Linksys WRT54G appliance. It is reported that the web based administration service is published to the WAN interface of the appliance, even when the remote administration functionality is disabled.

13. RARLAB UnRAR File Name Format String Vulnerability
BugTraq ID: 10442
Remote: Yes
Date Published: May 31 2004
Relevant URL: http://www.securityfocus.com/bid/10442
Summary:
RARLAB UnRAR is reportedly affected by a file name format string vulnerability. This issue is due to a failure of the affected application to properly implement a formatted string function.

This vulnerability will allow for execution of arbitrary code on a system running the affected software. This would occur in the security context of the user invoking the vulnerable application.

14. Qualcomm Eudora Internet Mail Server For Mac OS 7 Remote Buf...
BugTraq ID: 10443
Remote: Yes
Date Published: May 31 2004
Relevant URL: http://www.securityfocus.com/bid/10443
Summary:
Qualcomm Eudora Internet Mail Server (EIMS) is reported prone to a remote heap-based buffer overrun vulnerability. The issue exists due to a lack of sufficient boundary checks performed on data that is received on port 105. A remote attacker may potentially leverage the condition to corrupt memory management structures.

This vulnerability may ultimately be exploited to execute arbitrary code in the context of the affected software; the immediate consequence of an attack is likely to be a denial of service.

15. Sambar Server Multiple Vulnerabilities
BugTraq ID: 10444
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10444
Summary:
Sambar Server is reportedly prone to multiple vulnerabilities. These issues may allow an attacker to access sensitive files and carry out directory traversal and cross-site scripting attacks.

These issues require an attacker to have administrative privileges, however, it is reported that an administrative password is not set on the server by default. An administrator who is not intended to have certain privileges may also exploit these vulnerabilities.

Sambar 6.1 Beta 2 is reported to be prone to these issues, however, it is likely that other versions are affected as well.

16. Rit Research Labs TinyWeb Server Unauthorized Script Disclos...
BugTraq ID: 10445
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10445
Summary:
TinyWeb Server is affected by an unauthorized script disclosure vulnerability. This issue is due to an input validation error that allows malicious users to bypass standard web server rules.

This issue will allow an attacker to download or view scripts residing in the 'cgi-bin' directory.

This issue is reported to affect TinyWeb 1.92, it is likely that other versions are also vulnerable.

17. Firebird Remote Pre-Authentication Database Name Buffer Over...
BugTraq ID: 10446
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10446
Summary:
Firebird is reported prone to a remote buffer overrun vulnerability. The issue presents itself due to a lack of sufficient boundary checks performed when the database server is handling database names.

A remote attacker may exploit this vulnerability, without requiring valid authentication credentials, to influence execution flow of the affected Firebird database server. Ultimately this may lead to the execution of attacker-supplied code in the context of the affected software.

18. PHP-Nuke Direct Script Access Security Bypass Vulnerability
BugTraq ID: 10447
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10447
Summary:
PHP-Nuke is affected by a direct script access security vulnerability. This issue is due to a failure to properly validate the location and name of the file being accessed.

This issue will allow an attacker to gain access to sensitive scripts such as the 'admin.php' script. The attacker may be able to exploit this unauthorized access to carry out attacks against the affected application.

19. MIT Kerberos 5 KRB5_AName_To_Localname Multiple Principal Na...
BugTraq ID: 10448
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10448
Summary:
Kerberos 5 is prone to multiple boundary condition errors that exist in the krb5_aname_to_localname() and helper functions and are due to insufficient bounds checking performed on user-supplied data.

An additional boundary condition issue also exists in the krb5_aname_to_localname() function. The condition is reported to present itself in the explicit mapping functionality of the krb5_aname_to_localname() as an off-by-one.

These conditions may be theoretically exploitable to execute arbitrary code remotely in the context of the affected service.

It is reported that the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname() must be enabled for these vulnerabilities to be present. Additionally, it is necessary that the principal name used by the attacker to exploit the issue be listed in the explicit mapping list.

These vulnerabilities are reported to affect all releases of MIT Kerberos 5, up to and including version krb5-1.3.3.

20. IBM Multiple Product Unspecified Credential Impersonation Vu...
BugTraq ID: 10449
Remote: Yes
Date Published: Jun 02 2004
Relevant URL: http://www.securityfocus.com/bid/10449
Summary:
Multiple IBM products are prone to an unspecified credential impersonation vulnerability.

According to IBM this vulnerability may allow a remote attacker to gain access to resources and data, or gain control of the compromised application. It is reported that this attack can allow the attacker to exploit the usage of cookies and impersonate a legitimate user to gain unauthorized access.

Due to a lack of details, further information is not available at the moment. This BID will be updated as more information becomes available.

21. Gallery Authentication Bypass Vulnerability
BugTraq ID: 10451
Remote: Yes
Date Published: Jun 02 2004
Relevant URL: http://www.securityfocus.com/bid/10451
Summary:
It has been disclosed that an attacker can bypass Gallery's authentication process, and log in as any user without a password.

An attacker can override configuration variables by passing them in GET, POST or cookie arguments. Gallery simulates the 'register_globals' PHP setting by extracting the values of the various $HTTP_ global variables into the global namespace. Therefore, regardless of the 'register_globals' PHP setting, an attacker can override configuration variables.

An attacker can change configuration variables and cause Gallery to skip the authentication steps.

Versions prior to 1.4.3-pl2 are reported to be vulnerable.

22. Opera Browser Favicon Address Bar Spoofing Weakness
BugTraq ID: 10452
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10452
Summary:
Opera Web Browser is prone to a security weakness that may permit malicious web pages to spoof address bar information. It is reported that the 'favicon' feature can be used to spoof the domain of a malicious web page. An attacker can create an icon that includes the text of the desired site and is similar to the way Opera displays information in the address bar. The attacker can then obfuscate the real address with spaces.

This issue can be used to spoof information in the address bar, page bar and page/window cycler.

The vulnerability reportedly affects Opera 7.23 and 7.50. It is likely that previous versions are affected as well.

23. Multiple Linksys Routers Gozila.CGI Denial Of Service Vulner...
BugTraq ID: 10453
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10453
Summary:
Multiple Linksys routers are reported vulnerable to a denial of service condition. These issues present themselves due to a lack of sufficient sanitization performed on parameters that are passed to the Gozila.CGI script.

A remote attacker may potentially exploit these conditions to deny service to an affected appliance. It is reported that the device must be reset to the original factory defaults in order to restore normal device functionality.

24. Tripwire Email Reporting Format String Vulnerability
BugTraq ID: 10454
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10454
Summary:
Tripwire is affected by an email reporting format string vulnerability. This issue is due to a failure to properly implement a formatted string function.

This vulnerability will allow for execution of arbitrary code on a system running the affected software. This would occur in the security context of the user invoking the vulnerable application; typically the superuser.

**Update - It is reported that this issue only presents itself when the MAILMETHOD is sendmail.

25. Unix and Unix-based select() System Call Overflow Vulnerabil...
BugTraq ID: 10455
Remote: Unknown
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10455
Summary:
The select() system call may be vulnerable to an overflow condition, possibly allowing attackers to write data past the end of a fixed size buffer.

select() uses arguments of type 'fd_set', which is of a fixed size in many Unix variants. fd_set is used to keep track of open file descriptors.

If a process raises its rlimit for open files past 1024, it is theoretically possible to cause select() to change individual bits past the end of the fixed-size fds_bits array. In theory, an attacker may be able to use this vulnerability to cause a denial of service condition, or possibly execute arbitrary code.

It should be noted that rlimits can only be raised by root, and that only processes with rlimits allowing more than 1024 file descriptors would be affected.

This is a theoretical issue, and it has not been confirmed by any vendor. This BID will be updated when further information is released.
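The bound described in this entry can be enforced before FD_SET() ever touches fds_bits. The following C program is an added example, not code from the BID or from any vendor; it wraps FD_SET() in a range check and reports whether the process's soft RLIMIT_NOFILE already exceeds FD_SETSIZE, the condition under which select() stops being safe for high-numbered descriptors. The function names are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>

/* Number of descriptors an fd_set can track. FD_SET(fd, set) with
 * fd >= FD_SETSIZE writes outside set->fds_bits, which is the overflow
 * the advisory describes. */
int fd_set_capacity(void)
{
    return FD_SETSIZE;
}

/* Bounds-checked replacement for FD_SET. Returns 0 and marks the
 * descriptor, or -1 with errno = EINVAL when fd cannot be represented. */
int safe_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Returns 1 if the soft RLIMIT_NOFILE allows more descriptors than an
 * fd_set can hold (so open() may hand back an fd select() cannot track),
 * 0 if it does not, and -1 if the limit cannot be read. */
int nofile_exceeds_fd_set(void)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (rl.rlim_cur == RLIM_INFINITY)
        return 1;
    return rl.rlim_cur > (rlim_t)FD_SETSIZE ? 1 : 0;
}

/* Adds fd to a fresh set through the checked wrapper. Returns 1 when the
 * bit was set, 0 when accepted but not set (should not happen), and -1
 * when the wrapper rejected the descriptor. */
int probe_fd(int fd)
{
    fd_set set;

    FD_ZERO(&set);
    if (safe_fd_set(fd, &set) != 0)
        return -1;
    return FD_ISSET(fd, &set) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample descriptors: two in range, two past the end. */
    int probes[] = { 0, FD_SETSIZE - 1, FD_SETSIZE, 4096 };
    size_t i;

    printf("fd_set holds %d descriptors (%zu bytes)\n",
           fd_set_capacity(), sizeof(fd_set));
    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("fd %5d: %s\n", probes[i],
               probe_fd(probes[i]) == 1 ? "tracked"
                                        : "rejected (out of range)");
    printf("RLIMIT_NOFILE soft limit exceeds FD_SETSIZE: %s\n",
           nofile_exceeds_fd_set() == 1 ? "yes, avoid select() for high fds"
                                        : "no");
    return 0;
}
```

A process whose limit check returns 1 should prefer poll() or a comparable interface over select() for descriptors numbered FD_SETSIZE and above.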

26. Trend Micro Scanning Engine Report Generation HTML Injection...
BugTraq ID: 10456
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10456
Summary:
Trend Micro's scanning engine is reportedly affected by an HTML injection vulnerability in its report generation feature. This issue is due to a failure to properly sanitize user-supplied data before including it in an HTML report.

It has been speculated that the offending HTML alert reports run from the local zone on the affected computer, although this has not been verified.

This issue may be exploited by a remote attacker to execute arbitrary HTML or script code on an affected computer, potentially resulting in unauthorized access. Other attacks are also possible.

27. Mail Manage EX MMEX Script Settings Parameter Remote PHP Fil...
BugTraq ID: 10457
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10457
Summary:
Mail Manage EX is reportedly prone to a remote file include vulnerability. This vulnerability results from insufficient sanitization of user-supplied data and may allow remote attackers to include arbitrary PHP files located on remote servers.

This issue was discovered in Mail Manage EX 3.1.8. It is possible that previous versions are affected as well.

28. Sun Fire B1600 Network Management Port Remote Denial Of Serv...
BugTraq ID: 10458
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10458
Summary:
Sun Fire B1600 is reported prone to a remote denial of service vulnerability. The issue exists because the switch firmware will disable all of the network ports on the switch for a short period when an ARP datagram is received on the Network Management Port.

29. Netgear WG602 Wireless Access Point Default Backdoor Account...
BugTraq ID: 10459
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10459
Summary:
Netgear WG602 reportedly contains a default administrative account. This issue can allow a remote attacker to gain administrative access to the device.

Netgear WG602 access point with firmware version 1.04.0 is reportedly affected by this issue. It is likely that other versions of the firmware are also vulnerable. It is reported that the new version (1.7.14) of the firmware for the WG602 is vulnerable to this issue as well; however, the username and password for the backdoor account have been changed.

30. Michael Krax log2mail Log File Writing Format String Vulnera...
BugTraq ID: 10460
Remote: No
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10460
Summary:
Michael Krax log2mail is reported prone to a log file writing format string vulnerability. This issue is due to a failure of the application to properly implement a formatted string function.

This vulnerability will ultimately allow for execution of arbitrary code on a system running the affected software. This would occur in the security context of the user invoking the vulnerable application; typically the 'log2mail' user with group 'adm'.

31. Slackware Linux PHP Packages Insecure Linking Configuration ...
BugTraq ID: 10461
Remote: No
Date Published: Jun 02 2004
Relevant URL: http://www.securityfocus.com/bid/10461
Summary:
Slackware Linux PHP packages are reportedly affected by an insecure linking configuration vulnerability. This issue is due to a configuration error that causes PHP to be linked against shared libraries in insecure directories.

This issue can be leveraged by an attacker to execute arbitrary code in the security context of the user running the affected PHP process; typically the user 'nobody'.

32. Mkdir Buffer Overflow Vulnerability
BugTraq ID: 10462
Remote: No
Date Published: Jun 02 2004
Relevant URL: http://www.securityfocus.com/bid/10462
Summary:
It is reported that mkdir is susceptible to a buffer overflow vulnerability. An attacker with local access passes a long path to mkdir, which overflows a fixed buffer.

Mkdir is installed setuid root by default, as the mknod() system call can only be called by root. There is no mkdir() system call, so the mkdir command must use mknod to create a directory node, then populate the node with "." and ".." itself.

A local attacker can exploit this issue to execute arbitrary code as root.

III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Wardriver pleads guilty in Lowes WiFi hacks
By: Kevin Poulsen

Hacker agrees to cooperate with prosecutors to reduce a potential 12 to 15 year prison sentence.

http://www.securityfocus.com/news/8835

2. Ex-investigator's suit against DirecTV dismissed
By: Kevin Poulsen

A judge throws out a lawsuit filed by a turncoat insider in DirecTV's war on signal pirates.

http://www.securityfocus.com/news/8815

3. FDIC faulted for weak security
By: Kevin Poulsen

Congressional investigators find vulnerabilities in critical financial systems.

http://www.securityfocus.com/news/8796

4. Virus writers deploy bulk mail software
By: John Leyden, The Register

Hackers have used spamming software to distribute thousands of copies of a new Trojan. Email filtering firm MessageLabs alone has intercepted more than 4,000 copies of the Demonize-T Trojan over the last 24 hours.

http://www.securityfocus.com/news/8846

5. 'Potter-mania' fuels spread of NetSky-P
By: John Leyden, The Register

The frenzy surrounding the latest Harry Potter cinematic offering is helping to keep the prevalent NetSky-P worm alive.

http://www.securityfocus.com/news/8832

6. Mutant son of MyDoom plans three-pronged attack
By: John Leyden, The Register

Virus writers have used code from the infamous Mydoom worm to create a potentially dangerous new Internet worm which uses multiple methods to spread.

http://www.securityfocus.com/news/8823

IV. SECURITYFOCUS TOP 6 TOOLS
-----------------------------
1. XArp 0.1
By: Christoph Mayer
Relevant URL: http://www.chrismc.de
Platforms: Windows 2000, Windows XP
Summary:

XArp is a graphical tool to monitor the ARP cache. It periodically requests the local ARP cache and reports changes in the IP to MAC mapping. Thus it can be used to recognize ARP poisoning which is used to prepare 'man in the middle' attacks on switched networks.

2. Devil-Linux v1.2 Beta 1
By: Heiko Zuerker <heiko (at) devil-linux (dot) org>
Relevant URL: http://www.devil-linux.org/download.htm
Platforms: Linux
Summary:

Devil-Linux is a special Linux distribution which is used for firewalls/routers. The goal of Devil-Linux is to have a small, customizable, and secure Linux system. Configuration is saved on a floppy disk, and it has several optional packages.

3. GNU Anubis v3.9.94
By: Wojciech Polak
Relevant URL: http://www.gnu.org/software/anubis/
Platforms: Linux, POSIX
Summary:

GNU Anubis is an outgoing mail processor. It sits between the MUA (Mail User Agent) and the MTA (Mail Transport Agent), and can perform various sorts of processing and conversion on the fly in accordance with the sender's specified rules, based on a highly configurable regular expression system. It operates as a proxy server, and can edit outgoing mail headers, encrypt or sign mail with GnuPG, build secure SMTP tunnels using TLS/SSL encryption even if your mail user agent doesn't support it, or tunnel a connection through a SOCKS proxy server.

4. DNSSEC Walker v3.4
By: Simon Josefsson
Relevant URL: http://josefsson.org/walker/
Platforms: Linux, UNIX
Summary:

DNSSEC Walker is a tool to recover DNS zonefiles using the DNS protocol. The server does not have to support zonetransfer, but the zone must contain DNSSEC "NXT" records.

5. vthrottle v0.50
By: jose nazario
Relevant URL: http://monkey.org/~jose/software/vthrottle/
Platforms: POSIX
Summary:

vthrottle is an implementation of an SMTP throttling engine for Sendmail servers, based upon M. Williamson's mechanisms, as described in his 2003 Usenix Security paper. It allows the administrator to control how much email users and hosts may send, hindering the rapid spread of viruses, worms, and spam.

6. Honeynet Security Console 1.0
By: Activeworx, Inc.
Relevant URL: http://www.activeworx.org
Platforms: Windows 2000, Windows XP
Summary:

Honeynet Security Console is an analysis tool to view events on your personal honeynet. It gives you the power to view events from Snort, TCPDump, Firewall, Syslog and Sebek logs. It also allows you to correlate events from each of these data types to have a full grasp of the attackers' actions.

V. SECURITYJOBS LIST SUMMARY
----------------------------
1. Job opportunity (Sercurity Software Developer) Fort ... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/365179

2. Information Security Engineer Needed Immediately!!! ... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/365178

3. Senior Security Analyst- Boston Area (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/365172

4. Virus Analysts (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/365158

5. Tempest Engineer needed in Annapolis, MD (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/365155

6. SR. SECURITY SYSTEM ADMINISTRATOR - Redwood City, C... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/365092

7. Security Engineer, Washington, DC (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/365091

8. Texas CISA Needed (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/365090

9. Multiple Computer Systems Security Analyst positions... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/365084

10. Security Engineer- Denver, CO (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/365075

11. Position available in WA - IT Internal Audit and Co... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/365063

12. Penetration Testing and Intrusion Detection Consulta... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/365061

13. Sr level network security engineer, Richmond, VA: Wa... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/365059

14. Information Security with Microsoft emphasis - CA, T... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/365058

15. Need travelling Professional Services Engineer based... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/365056

16. AE in NYC (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/365010

17. SE in NYC & Atlanta (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/365009

18. Job opening: travelling security programmer (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/364981

19. (job offered) Sr. SMS Consultants with security expe... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/364968

20. Lead unix system administrator- London - Need Kickst... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/364958

21. consulting opportunity (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/364949

22. Technical Security Specialist, London, UK - Contract (Thread)
Relevant URL:

http://www.securityfocus.com/archive/77/364867

VI. INCIDENTS LIST SUMMARY
--------------------------
1. Incident investigation methodologies (Thread)
Relevant URL:

http://www.securityfocus.com/archive/75/365273

2. Incident investigation methodologies, update (Thread)
Relevant URL:

http://www.securityfocus.com/archive/75/364997

3. Dead Thread: NKADM rootkit - Something new? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/75/364929

4. NKADM rootkit - Something new? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/75/364926

5. Increase in MS vuln WebDav scans (Thread)
Relevant URL:

http://www.securityfocus.com/archive/75/364921

6. Changing file times, was -> Re: Trojan of somesort -... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/75/364763

VII. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
1. FW: Returned post for vuln-dev@securityfocus.com (Thread)
Relevant URL:

http://www.securityfocus.com/archive/82/364823

VIII. MICROSOFT FOCUS LIST SUMMARY
----------------------------------
1. Exchange Information Store Security? Send As... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/365052

2. SecurityFocus Microsoft Newsletter #191 (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/364918

3. Relative Security Provided by Cached Domain Credenti... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/364873

IX. SUN FOCUS LIST SUMMARY
--------------------------
1. "/etc/vfstab" re-creation (Thread)
Relevant URL:

http://www.securityfocus.com/archive/92/365020

2. kernel patch loading but not updating KernelID (Thread)
Relevant URL:

http://www.securityfocus.com/archive/92/364916

X. LINUX FOCUS LIST SUMMARY
---------------------------
1. mrtg/snmp/subinterfaces (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/365318

2. OpenVPN? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/365209

3. Block martians with source address 127.0.0.1 (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/365207

4. Martians? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/364805

XI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe, send an e-mail message to sf-news-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively, you can visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed, email listadmin@securityfocus.com and ask to be manually removed.

XII. SPONSOR INFORMATION
-----------------------

This Issue is Sponsored By: SPI Dynamics


------------------------------------------------------------------------

Copyright 2010, SecurityFocus