SecurityFocus Microsoft Newsletter #137
---------------------------------------
This Issue is Sponsored By: SpiDynamics
ALERT: Top 10 Web Application Attack Techniques and Methods to Combat them
Learn why 70% of today's successful hacks involve Web Application attacks
such as: SQL Injection, XSS, Cookie Manipulation, and Parameter
Manipulation.
All undetectable by Firewalls and IDS!
Download *FREE* white paper from SPI Dynamics for a complete guide to
protection!
Visit us at: http://www.spidynamics.com/mktg/webappsecurity102
------------------------------------------------------------------------
-------
I. FRONT AND CENTER
1. Security Tools: From Mermaids to Suckling Pigs
2. Malware Myths and Misinformation, Part One
3. Securing Apache: Step-by-Step
4. U.S. Information Security Law, Part 3
5. Relax, It Was a Honeypot
II. MICROSOFT VULNERABILITY SUMMARY
1. BitchX Mode Change Denial Of Service Vulnerability
2. PHPNuke Web_Links Module Remote SQL Injection Vulnerability
3. Microsoft SQL Server Unspecified Vulnerability
4. Netbus Authentication Bypass Vulnerability
5. EType EServ Resource Exhaustion Denial Of Service Vulnerability
6. Cerberus FTP Server Plaintext User Password Weakness
7. Youngzsoft CMailServer MAIL FROM Buffer Overflow Vulnerability
8. Internet Explorer file:// Request Zone Bypass Vulnerability
9. Best Practical Solutions RT HTML Injection Vulnerability
10. Snitz Forums 2000 Register.ASP SQL Injection Vulnerability
11. PHP-Nuke Modules.PHP Username URI Parameter Cross Site...
12. Youngzsoft CMailServer RCPT TO Buffer Overflow Vulnerability
13. PHP-Nuke Multiple Downloads Module SQL Injection Vulnerabilities
14. Netscape Navigator False URL Information Vulnerability
15. vBulletin Private Message HTML Injection Vulnerability
16. Inktomi Traffic Server Cross-Site Scripting Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. Article Announcement: Security Tools: From Mermaids to Suckling...
2. Article Announcement: U.S. Information Security Law, Part 3...
3. Harden ASP.NET Configuration (Thread)
4. Share Point? (Thread)
5. SecurityFocus Microsoft Newsletter #136 (Thread)
6. Timbuktu, etc. (Thread)
7. (prevent + detect Arp spoofing) + Securing Terminal Services...
8. IPSEC through Ms ISA Server (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. Abtrusion Protector
2. Kerio Personal Firewall
3. Symantec's Norton Internet Security 2003
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. NoTrax v1.3
2. RainPortal v1.0
3. Glub Tech Secure FTP v2.0.4
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Security Tools: From Mermaids to Suckling Pigs
By Scott Granneman
The recent Nmap-hackers survey provides a glimpse of what security
professionals are packing in their tool-belts these days.
http://www.securityfocus.com/columnists/161
2. Malware Myths and Misinformation, Part One
By David Harley
This article is the first of a three-part series looking at some of the
myths and misconceptions that undermine anti-virus protection. The
fallacies we address here tend to begin with the words "I'm safe from
viruses because..."
http://www.securityfocus.com/infocus/1695
3. Securing Apache: Step-by-Step
By Artur Maj
This article shows in a step-by-step fashion, how to install and configure
the Apache 1.3.x Web server in order to mitigate or avoid successful
break-in when new vulnerabilities in this software are found.
4. U.S. Information Security Law, Part 3
By Steven Robinson
This is the third part of a four-part series looking at U.S. information
security laws and the way those laws affect security professionals. In
this installment, we will look at the basics of the criminal information
security law.
http://www.securityfocus.com/infocus/1693
5. Relax, It Was a Honeypot
By Tim Mullen
A security company cleverly tricks hackers into compromising one of its
distribution sites. Really.
http://www.securityfocus.com/columnists/162
II. BUGTRAQ SUMMARY
-------------------
1. BitchX Mode Change Denial Of Service Vulnerability
BugTraq ID: 7551
Remote: Yes
Date Published: May 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7551
Summary:
BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.
A denial of service vulnerability has been reported for BitchX. It is
possible to cause BitchX to crash when certain mode changes are made.
The vulnerability exists in the names.c source file where a check is not
made for any arguments provided with a mode change.
The precise details of this vulnerability are currently unknown. This BID
will be updated as more information becomes available.
This vulnerability affects BitchX cvs versions prior to 05/09/2003.
PHPNuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.
It has been reported that multiple input validation bugs exist in the
Web_Links module used by PHPNuke.
The problem is in the sanitizing of data passed to construct database
queries. Insufficient sanity checks are performed by the Web_Links
module, making it possible to inject SQL code into the database behind
PHPNuke. This issue could be exploited to gain access to potentially
sensitive information contained in the database with the privileges of the
web application. Compromise of the web forums may also be possible.
Consequences could vary depending on the the queries involved and the
capabilities of the underlying database implementation.
These issues could be especially dangerous for databases that support the
UNION function, allowing for execution of multiple queries. It should
also be noted that an additional 20 instances of SQL injection
vulnerabilities exist in this module.
3. Microsoft SQL Server Unspecified Vulnerability
BugTraq ID: 7541
Remote: Unknown
Date Published: May 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7541
Summary:
A reliable source has reported an unspecified vulnerability in Microsoft
SQL Server. SQL Server versions 7 and 2000, as well as the MSDE are said
to be affected by this vulnerability.
The report indicates that this vulnerability involves the Microsoft Jet
OLE DB provider. This component is not enabled by default and should be
disabled until a fix is available if it is not needed. Linked servers
using the OLE DB provider are also reported to be vulnerable.
Though unconfirmed, exploitation of this vulnerability by remote attackers
may result in the compromise of affected hosts.
This is a preliminary alert. This record will be updated when further
details become available.
** Reports suggest that this issue may be a variant of the vulnerability
described in BID 5057. This however, has not been confirmed.
4. Netbus Authentication Bypass Vulnerability
BugTraq ID: 7538
Remote: Yes
Date Published: May 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7538
Summary:
Netbus is a backdoor program that allows remote administration of a
compromised system. It is available for Microsoft Windows operating
systems.
Netbus can be configured to require a password for backdoor server access.
A vulnerability in Netbus may permit remote users to bypass
authentication. If a connection is made to a Netbus server from a host,
further connections from that IP address may not need to authenticate with
the server.
This could allow unauthorized access to the Netbus server.
5. EType EServ Resource Exhaustion Denial Of Service Vulnerability
BugTraq ID: 7552
Remote: Yes
Date Published: May 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7552
Summary:
EServ is a proxy software package distributed by EType. It is available
for Microsoft Windows operating systems.
A denial of service vulnerability has been reported for EServ. The
vulnerability exists due to the way the server handles connections.
Specifically, when EServ receives a connection, the server allocates a
specific block of heap memory. Reportedly, when a connection is
disconnected, the allocated memory is not adequately freed.
This vulnerability exists due to a delayed response time, upwards of up to
two minutes, when de-allocating memory from closed connections.
An attacker can exploit this vulnerability by making numerous connections
to the vulnerable server. For every connection, a small amount of memory
is not properly freed from heap memory. Many connections to the vulnerable
server will eventually result in a consumption of all available memory
resources which may cause the system to become unstable.
This vulnerability affects EServ 2.92 to 2.99.
6. Cerberus FTP Server Plaintext User Password Weakness
BugTraq ID: 7556
Remote: No
Date Published: May 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7556
Summary:
Cerberus is an FTP Server for Microsoft Windows operating systems.
Cerberus FTP Server stores authentication credentials for the FTP service
on the local system in plaintext. These credentials are stored in the
'users.pro' file in the program directory. Local users with access to
this file may gain unauthorized access to the server as a result.
Exposure of authentication credentials may also lead to compromise of
other services/resources if the same credentials are commonly used.
7. Youngzsoft CMailServer MAIL FROM Buffer Overflow Vulnerability
BugTraq ID: 7547
Remote: Yes
Date Published: May 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7547
Summary:
CMailServer is a e-mail server designed for use with Microsoft Windows
operating environments.
A buffer overflow vulnerability has been reported for CMailServer. The
vulnerability exists due to insufficient bounds checking when parsing
e-mail headers. Specifically, an overly long MAIL FROM e-mail header will
cause CMailServer to crash and corrupt sensitive memory.
An attacker can exploit this vulnerability by crafting a malicious e-mail
with an overly long MAIL FROM header field, consisting of at least 2000
bytes, to a vulnerable system. This will trigger the buffer overflow
condition when CMailServer is used to process the e-mail and will result
in the corruption of sensitive memory. It may also be possible for an
attacker to cause CMailServer to execute malicious attacker-supplied
instructions.
8. Internet Explorer file:// Request Zone Bypass Vulnerability
BugTraq ID: 7539
Remote: Yes
Date Published: May 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7539
Summary:
Internet Explorer uses zones in order to limit the scope of execution of
code depending on the zone it originates from.
A vulnerability has been reported that could allegedly allow an executable
from the Internet to be run in the Local Computer zone.
It has been alleged that if Internet Explorer attempts to open a web page
containing more than 200 Iframes containing 'file://' requests for the
same executable file, the file will eventually be executed in the Local
Computer zone. This file would have to reside on the remote website
serving the HTML document.
A reliable source has reported that this vulnerability may be due to some
form of resource exhaustion. It is unclear how resource exhaustion would
allow the Iframe to violate the Internet Explorer security zone. This
record will be updated if more information becomes available.
9. Best Practical Solutions RT HTML Injection Vulnerability
BugTraq ID: 7509
Remote: Yes
Date Published: May 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7509
Summary:
RT (Request Tracker) is a ticketing system implemented in Perl. It is
distributed by Best Practical Solutions and is available for a variety of
platforms including Microsoft Windows and Linux variant systems.
A vulnerability has been discovered in RT which may make it prone to HTML
injection attacks.
The vulnerability exists due to insufficient sanitization of user-supplied
values. Specifically, the content included in message bodies is not
properly sanitized of malicious HTML code.
This lack of sanitization provides an opportunity for an attacker to
launch HTML injection attacks against the vulnerable site hosting RT. It
is possible for a remote attacker to create a malicious ticket containing
script code that will be executed in the browser of a legitimate user.
Any attacker-supplied code will be executed within the context of the
website running RT.
This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software. The attacker may hijack the session of the legitimate by using
cookie-based authentication credentials. Other attacks are also possible.
This vulnerability was reported for RT 1.0.7 and earlier.
Snitz Forums 2000 is ASP-based web forum software. It runs on Microsoft
Windows operating systems. Snitz is back-ended by a database and supports
Microsoft Access 97/2000, SQL Server 6.5/7.0/2000 and MySQL.
It is possible for a remote attacker to inject SQL into queries made by
the register.asp script. Specifically, the 'email' variable is not
properly sanitized of malicious SQL instructions.
It is possible for a remote attacker to inject SQL into queries made by
the register.asp script. This may be exploited to manipulate the logic of
a query made by the script.
Depending on the database implementation used, this may possibly result in
sensitive information in the database being disclosed to the attacker or
may enable the attacker to modify data. There is also the possibility
that this issue may be leveraged to exploit vulnerabilities that may exist
in the underlying database.
The attacker would have to pass properly formatted SQL to the vulnerable
script to exploit this issue.
This vulnerability was reported for Snitz Forum 2000 3.3.03. It is likely
that earlier versions are affected.
11. PHP-Nuke Modules.PHP Username URI Parameter Cross Site Scripting Vulnerability
BugTraq ID: 7570
Remote: Yes
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7570
Summary:
PHP-Nuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.
A cross site scripting vulnerability has been reported for PHP-Nuke.
Specifically, PHP-Nuke does not sufficiently sanitize user-supplied input
for the 'username' URI parameter to the modules.php script.
As a result of this deficiency, it is possible for a remote attacker to
create a malicious link containing script code that will be executed in
the browser of a legitimate user. Specifically the attacker can pass
malicious HTML code as a value for the 'username' URI parameter supplied
to the 'modules.php' page. All code will be executed within the context of
the website running PHP-Nuke.
This may allow for theft of cookie-based authentication credentials and
other attacks.
This vulnerability was reported to affect PHP-Nuke version 6.5.
12. Youngzsoft CMailServer RCPT TO Buffer Overflow Vulnerability
BugTraq ID: 7548
Remote: Yes
Date Published: May 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7548
Summary:
CMailServer is a e-mail server designed for use with Microsoft Windows
operating environments.
A buffer overflow vulnerability has been reported for CMailServer. The
vulnerability exists due to insufficient bounds checking when parsing
e-mail headers. Specifically, an overly long RCPT TO e-mail header will
cause CMailServer to crash and corrupt sensitive memory.
An attacker can exploit this vulnerability by crafting a malicious e-mail
with an overly long RCPT TO header field, consisting of at least 2000
bytes, to a vulnerable system. This will trigger the buffer overflow
condition when CMailServer is used to process the e-mail and will result
in the corruption of sensitive memory. It may also be possible for an
attacker to cause CMailServer to execute malicious attacker-supplied
instructions.
PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.
PHP-Nuke is reportedly prone to multiple SQL injection vulnerabilities in
the Downloads. User-supplied input is included in SQL queries made by the
module without being sanitized.
Exploitation could allow for injection of malicious SQL syntax, resulting
in modification of SQL query logic or other attacks. Consequences will
vary depending on the specific queries and the capabilities of the
underlying database implementation. At the very minimum it may be
possible to gain access to sensitive information that is stored in the
database.
14. Netscape Navigator False URL Information Vulnerability
BugTraq ID: 7564
Remote: Yes
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7564
Summary:
Netscape is a web browser that is available for a number of platforms,
including Microsoft Windows and Unix and Linux variants.
An issue has been reported for Netscape Navigator that may result in a
false sense of security for a user.
Due to the way Netscape handles the history.back() function, the URL
displayed on the 'location bar' will not correspond to the actual URL of
the site displayed in the browser window. As a result, a malicious
attacker can exploit this issue to entice a user to visit a web site and
make them believe they are at known or trusted page.
This vulnerability was reported for Netscape Navigator 7.02 for Windows
operating systems.
15. vBulletin Private Message HTML Injection Vulnerability
BugTraq ID: 7594
Remote: Yes
Date Published: May 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7594
Summary:
vBulletin is commercial web forum software written in PHP and back-ended
by a MySQL database. It will run on most Linux and Unix variants, as well
as Microsoft operating systems.
A vulnerability has been reported for vBulletin 3.0.0. beta 2 which may
make it prone to HTML injection attacks. The problem is said to occur
while previewing private messages.
Specifically, private messages may not be sufficiently sanitized of
malicious content. This may make it possible for an attacker to place HTML
or script code within a private message for another user. When the
legitimate forum user attempts to preview the message the malicious code
will be interpreted by their browser.
Attackers may potentially exploit this issue to manipulate web content or
to steal cookie-based authentication credentials. It may be possible to
take arbitrary actions as the victim user.
16. Inktomi Traffic Server Cross-Site Scripting Vulnerability
BugTraq ID: 7596
Remote: Yes
Date Published: May 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7596
Summary:
Inktomi Traffic Server is a transparent web caching application. It is
designed for use with Unix and Linux variants as well as Microsoft Windows
operating environments.
Inktomi Traffic Server is prone to a cross-site scripting vulnerability.
This is due to insufficient sanitization of input passed to the proxy,
which will be echoed back in error pages under some circumstances.
It has been reported that Inktomi Traffic Server will generate errors when
an open port other than 80/http is requested. The connection will time
out when the request port on the remote system is closed, which will not
generate an error. There is one reported exception to this. The proxy
server will generate an error for requests to port 443/https regardless of
whether the port is open or whether the requested host exists.
A malicious attacker could exploit this issue by creating a link which
contains hostile HTML and script code and then enticing users of the proxy
to visit the link. When the link is visited via the proxy,
attacker-supplied script may be interpreted in the user's browser.
Exploitation could permit HTML and script code to access properties of the
domain that is requested through the proxy. This could permit theft of
cookie-based authentication credentials from arbitrary domains or other
attacks.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Article Announcement: Security Tools: From Mermaids to Suckling Pigs (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/321655
2. Article Announcement: U.S. Information Security Law, Part 3 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/321459
3. Harden ASP.NET Configuration (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/321353
4. Share Point? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/321276
5. SecurityFocus Microsoft Newsletter #136 (Thread)
Relevant URL:
8. IPSEC through Ms ISA Server (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320975
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. Abtrusion Protector
by Abtrusion Security AB
Platforms: Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.abtrusion.com/abtrusion_protector_ps.asp
Summary:
Abtrusion Protector prevents Windows from loading unrecognized or unknown
software. Only software that you have safely installed or explicitly
allowed can be loaded into memory. Contrary to typical anti-virus
scanners, Abtrusion Protector is not dependent on frequent virus
definition updates.
2. Kerio Personal Firewall
by Kerio Technologies Inc.
Platforms: Windows 2000, Windows 95/98, Windows NT
Relevant URL:
http://www.kerio.com/us/kpf_home.html
Summary:
Kerio Personal Firewall represents smart, easy-to-use personal security
technology that fully protects personal computers against hackers and
internal misuse.
3. Symantec's Norton Internet Security 2003
by Symantec
Platforms: Windows 2000, Windows 95/98, Windows XP
Relevant URL:
http://www.symantec.com/sabu/nis/nis_pe/
Summary:
Symantec's Norton Internet Security 2003 provides essential protection
from viruses, hackers, and privacy threats. Included are full versions of
Norton AntiVirus and Norton Personal Firewall, which efficiently defend
your PC from the most common Internet dangers. You also get Norton Spam
Alert to block unwanted email, and Norton Parental Control to protect your
children online.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. NoTrax v1.3
by Heidi Computers Ltd
Relevant URL:
http://www.heidi.ie/notrax/
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
Are You Concerned?
- that browsing the Internet has left traces of sites you've visited, all
over your hard drive i.e. in the Registry, Cache etc.
- that a website you are browsing may install Spyware or Viruses on your
PC?
- that your Credit Card details are being tracked by your browser while
purchasing online?
- that eliminator-type programs have not really cleaned your Registry
properly?
- that your laptop is lost or stolen with all the sensitive information
still stored in the history and cache of your browser?
- that unauthorised personnel may take a look at your PC, while you were
not around? Or that Hackers are probing your PC?
- that a company or individual is interested in tracking your online
habits for marketing or other more dangerous purposes?
- NoTrax PREVENTS this.
2. RainPortal v1.0
by Florent DEFONTIS
Relevant URL:
http://www.securesphere.net/html/projects_rainp.php
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
RainPortal was designed to secure your private messages while talking on
IRC networks. As long as you have RainPortal running and the person you
are talking to also, all your private messages will be strongly encrypted
while passing on the server.
3. Glub Tech Secure FTP v2.0.4
by glub
Relevant URL:
http://secureftp.glub.com
Platforms: MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows
XP
Summary:
Glub Tech Secure FTP is a command-line utility that allows FTP connections
to be made using SSL.
VI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored By: SpiDynamics
ALERT: Top 10 Web Application Attack Techniques and Methods to Combat them
Learn why 70% of today's successful hacks involve Web Application attacks
such as: SQL Injection, XSS, Cookie Manipulation, and Parameter
Manipulation.
All undetectable by Firewalls and IDS!
Download *FREE* white paper from SPI Dynamics for a complete guide to
protection!
Visit us at: http://www.spidynamics.com/mktg/webappsecurity102
------------------------------------------------------------------------
-------
------------------------------------------------------------------------
-----
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.
To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-focus-ms
------------------------------------------------------------------------
------
---------------------------------------
This Issue is Sponsored By: SpiDynamics
ALERT: Top 10 Web Application Attack Techniques and Methods to Combat them
Learn why 70% of today's successful hacks involve Web Application attacks
such as: SQL Injection, XSS, Cookie Manipulation, and Parameter
Manipulation.
All undetectable by Firewalls and IDS!
Download *FREE* white paper from SPI Dynamics for a complete guide to
protection!
Visit us at: http://www.spidynamics.com/mktg/webappsecurity102
------------------------------------------------------------------------
-------
I. FRONT AND CENTER
1. Security Tools: From Mermaids to Suckling Pigs
2. Malware Myths and Misinformation, Part One
3. Securing Apache: Step-by-Step
4. U.S. Information Security Law, Part 3
5. Relax, It Was a Honeypot
II. MICROSOFT VULNERABILITY SUMMARY
1. BitchX Mode Change Denial Of Service Vulnerability
2. PHPNuke Web_Links Module Remote SQL Injection Vulnerability
3. Microsoft SQL Server Unspecified Vulnerability
4. Netbus Authentication Bypass Vulnerability
5. EType EServ Resource Exhaustion Denial Of Service Vulnerability
6. Cerberus FTP Server Plaintext User Password Weakness
7. Youngzsoft CMailServer MAIL FROM Buffer Overflow Vulnerability
8. Internet Explorer file:// Request Zone Bypass Vulnerability
9. Best Practical Solutions RT HTML Injection Vulnerability
10. Snitz Forums 2000 Register.ASP SQL Injection Vulnerability
11. PHP-Nuke Modules.PHP Username URI Parameter Cross Site...
12. Youngzsoft CMailServer RCPT TO Buffer Overflow Vulnerability
13. PHP-Nuke Multiple Downloads Module SQL Injection Vulnerabilities
14. Netscape Navigator False URL Information Vulnerability
15. vBulletin Private Message HTML Injection Vulnerability
16. Inktomi Traffic Server Cross-Site Scripting Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. Article Announcement: Security Tools: From Mermaids to Suckling...
2. Article Announcement: U.S. Information Security Law, Part 3...
3. Harden ASP.NET Configuration (Thread)
4. Share Point? (Thread)
5. SecurityFocus Microsoft Newsletter #136 (Thread)
6. Timbuktu, etc. (Thread)
7. (prevent + detect Arp spoofing) + Securing Terminal Services...
8. IPSEC through Ms ISA Server (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. Abtrusion Protector
2. Kerio Personal Firewall
3. Symantec's Norton Internet Security 2003
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. NoTrax v1.3
2. RainPortal v1.0
3. Glub Tech Secure FTP v2.0.4
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Security Tools: From Mermaids to Suckling Pigs
By Scott Granneman
The recent Nmap-hackers survey provides a glimpse of what security
professionals are packing in their tool-belts these days.
http://www.securityfocus.com/columnists/161
2. Malware Myths and Misinformation, Part One
By David Harley
This article is the first of a three-part series looking at some of the
myths and misconceptions that undermine anti-virus protection. The
fallacies we address here tend to begin with the words "I'm safe from
viruses because..."
http://www.securityfocus.com/infocus/1695
3. Securing Apache: Step-by-Step
By Artur Maj
This article shows in a step-by-step fashion, how to install and configure
the Apache 1.3.x Web server in order to mitigate or avoid successful
break-in when new vulnerabilities in this software are found.
4. U.S. Information Security Law, Part 3
By Steven Robinson
This is the third part of a four-part series looking at U.S. information
security laws and the way those laws affect security professionals. In
this installment, we will look at the basics of the criminal information
security law.
http://www.securityfocus.com/infocus/1693
5. Relax, It Was a Honeypot
By Tim Mullen
A security company cleverly tricks hackers into compromising one of its
distribution sites. Really.
http://www.securityfocus.com/columnists/162
II. BUGTRAQ SUMMARY
-------------------
1. BitchX Mode Change Denial Of Service Vulnerability
BugTraq ID: 7551
Remote: Yes
Date Published: May 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7551
Summary:
BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.
A denial of service vulnerability has been reported for BitchX. It is
possible to cause BitchX to crash when certain mode changes are made.
The vulnerability exists in the names.c source file where a check is not
made for any arguments provided with a mode change.
The precise details of this vulnerability are currently unknown. This BID
will be updated as more information becomes available.
This vulnerability affects BitchX cvs versions prior to 05/09/2003.
2. PHPNuke Web_Links Module Remote SQL Injection Vulnerability
BugTraq ID: 7558
Remote: Yes
Date Published: May 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7558
Summary:
PHPNuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.
It has been reported that multiple input validation bugs exist in the
Web_Links module used by PHPNuke.
The problem is in the sanitizing of data passed to construct database
queries. Insufficient sanity checks are performed by the Web_Links
module, making it possible to inject SQL code into the database behind
PHPNuke. This issue could be exploited to gain access to potentially
sensitive information contained in the database with the privileges of the
web application. Compromise of the web forums may also be possible.
Consequences could vary depending on the the queries involved and the
capabilities of the underlying database implementation.
These issues could be especially dangerous for databases that support the
UNION function, allowing for execution of multiple queries. It should
also be noted that an additional 20 instances of SQL injection
vulnerabilities exist in this module.
3. Microsoft SQL Server Unspecified Vulnerability
BugTraq ID: 7541
Remote: Unknown
Date Published: May 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7541
Summary:
A reliable source has reported an unspecified vulnerability in Microsoft
SQL Server. SQL Server versions 7 and 2000, as well as the MSDE are said
to be affected by this vulnerability.
The report indicates that this vulnerability involves the Microsoft Jet
OLE DB provider. This component is not enabled by default and should be
disabled until a fix is available if it is not needed. Linked servers
using the OLE DB provider are also reported to be vulnerable.
Though unconfirmed, exploitation of this vulnerability by remote attackers
may result in the compromise of affected hosts.
This is a preliminary alert. This record will be updated when further
details become available.
** Reports suggest that this issue may be a variant of the vulnerability
described in BID 5057. This however, has not been confirmed.
4. Netbus Authentication Bypass Vulnerability
BugTraq ID: 7538
Remote: Yes
Date Published: May 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7538
Summary:
Netbus is a backdoor program that allows remote administration of a
compromised system. It is available for Microsoft Windows operating
systems.
Netbus can be configured to require a password for backdoor server access.
A vulnerability in Netbus may permit remote users to bypass
authentication. If a connection is made to a Netbus server from a host,
further connections from that IP address may not need to authenticate with
the server.
This could allow unauthorized access to the Netbus server.
5. EType EServ Resource Exhaustion Denial Of Service Vulnerability
BugTraq ID: 7552
Remote: Yes
Date Published: May 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7552
Summary:
EServ is a proxy software package distributed by EType. It is available
for Microsoft Windows operating systems.
A denial of service vulnerability has been reported for EServ. The
vulnerability exists due to the way the server handles connections.
Specifically, when EServ receives a connection, the server allocates a
specific block of heap memory. Reportedly, when a connection is
disconnected, the allocated memory is not adequately freed.
This vulnerability exists due to a delayed response time, upwards of up to
two minutes, when de-allocating memory from closed connections.
An attacker can exploit this vulnerability by making numerous connections
to the vulnerable server. For every connection, a small amount of memory
is not properly freed from heap memory. Many connections to the vulnerable
server will eventually result in a consumption of all available memory
resources which may cause the system to become unstable.
This vulnerability affects EServ 2.92 to 2.99.
6. Cerberus FTP Server Plaintext User Password Weakness
BugTraq ID: 7556
Remote: No
Date Published: May 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7556
Summary:
Cerberus is an FTP Server for Microsoft Windows operating systems.
Cerberus FTP Server stores authentication credentials for the FTP service
on the local system in plaintext. These credentials are stored in the
'users.pro' file in the program directory. Local users with access to
this file may gain unauthorized access to the server as a result.
Exposure of authentication credentials may also lead to compromise of
other services/resources if the same credentials are commonly used.
7. Youngzsoft CMailServer MAIL FROM Buffer Overflow Vulnerability
BugTraq ID: 7547
Remote: Yes
Date Published: May 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7547
Summary:
CMailServer is a e-mail server designed for use with Microsoft Windows
operating environments.
A buffer overflow vulnerability has been reported for CMailServer. The
vulnerability exists due to insufficient bounds checking when parsing
e-mail headers. Specifically, an overly long MAIL FROM e-mail header will
cause CMailServer to crash and corrupt sensitive memory.
An attacker can exploit this vulnerability by crafting a malicious e-mail
with an overly long MAIL FROM header field, consisting of at least 2000
bytes, to a vulnerable system. This will trigger the buffer overflow
condition when CMailServer is used to process the e-mail and will result
in the corruption of sensitive memory. It may also be possible for an
attacker to cause CMailServer to execute malicious attacker-supplied
instructions.
8. Internet Explorer file:// Request Zone Bypass Vulnerability
BugTraq ID: 7539
Remote: Yes
Date Published: May 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7539
Summary:
Internet Explorer uses zones in order to limit the scope of execution of
code depending on the zone it originates from.
A vulnerability has been reported that could allegedly allow an executable
from the Internet to be run in the Local Computer zone.
It has been alleged that if Internet Explorer attempts to open a web page
containing more than 200 Iframes containing 'file://' requests for the
same executable file, the file will eventually be executed in the Local
Computer zone. This file would have to reside on the remote website
serving the HTML document.
A reliable source has reported that this vulnerability may be due to some
form of resource exhaustion. It is unclear how resource exhaustion would
allow the Iframe to violate the Internet Explorer security zone. This
record will be updated if more information becomes available.
9. Best Practical Solutions RT HTML Injection Vulnerability
BugTraq ID: 7509
Remote: Yes
Date Published: May 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7509
Summary:
RT (Request Tracker) is a ticketing system implemented in Perl. It is
distributed by Best Practical Solutions and is available for a variety of
platforms including Microsoft Windows and Linux variant systems.
A vulnerability has been discovered in RT which may make it prone to HTML
injection attacks.
The vulnerability exists due to insufficient sanitization of user-supplied
values. Specifically, the content included in message bodies is not
properly sanitized of malicious HTML code.
This lack of sanitization provides an opportunity for an attacker to
launch HTML injection attacks against the vulnerable site hosting RT. It
is possible for a remote attacker to create a malicious ticket containing
script code that will be executed in the browser of a legitimate user.
Any attacker-supplied code will be executed within the context of the
website running RT.
This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software. The attacker may hijack the session of the legitimate by using
cookie-based authentication credentials. Other attacks are also possible.
This vulnerability was reported for RT 1.0.7 and earlier.
10. Snitz Forums 2000 Register.ASP SQL Injection Vulnerability
BugTraq ID: 7549
Remote: Yes
Date Published: May 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7549
Summary:
Snitz Forums 2000 is ASP-based web forum software. It runs on Microsoft
Windows operating systems. Snitz is back-ended by a database and supports
Microsoft Access 97/2000, SQL Server 6.5/7.0/2000 and MySQL.
It is possible for a remote attacker to inject SQL into queries made by
the register.asp script. Specifically, the 'email' variable is not
properly sanitized of malicious SQL instructions.
It is possible for a remote attacker to inject SQL into queries made by
the register.asp script. This may be exploited to manipulate the logic of
a query made by the script.
Depending on the database implementation used, this may possibly result in
sensitive information in the database being disclosed to the attacker or
may enable the attacker to modify data. There is also the possibility
that this issue may be leveraged to exploit vulnerabilities that may exist
in the underlying database.
The attacker would have to pass properly formatted SQL to the vulnerable
script to exploit this issue.
This vulnerability was reported for Snitz Forum 2000 3.3.03. It is likely
that earlier versions are affected.
11. PHP-Nuke Modules.PHP Username URI Parameter Cross Site Scripting Vulnerability
BugTraq ID: 7570
Remote: Yes
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7570
Summary:
PHP-Nuke is a freely available, open source content management system
written in PHP. It is available for Unix, Linux, and Microsoft Operating
Systems.
A cross site scripting vulnerability has been reported for PHP-Nuke.
Specifically, PHP-Nuke does not sufficiently sanitize user-supplied input
for the 'username' URI parameter to the modules.php script.
As a result of this deficiency, it is possible for a remote attacker to
create a malicious link containing script code that will be executed in
the browser of a legitimate user. Specifically the attacker can pass
malicious HTML code as a value for the 'username' URI parameter supplied
to the 'modules.php' page. All code will be executed within the context of
the website running PHP-Nuke.
This may allow for theft of cookie-based authentication credentials and
other attacks.
This vulnerability was reported to affect PHP-Nuke version 6.5.
12. Youngzsoft CMailServer RCPT TO Buffer Overflow Vulnerability
BugTraq ID: 7548
Remote: Yes
Date Published: May 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7548
Summary:
CMailServer is a e-mail server designed for use with Microsoft Windows
operating environments.
A buffer overflow vulnerability has been reported for CMailServer. The
vulnerability exists due to insufficient bounds checking when parsing
e-mail headers. Specifically, an overly long RCPT TO e-mail header will
cause CMailServer to crash and corrupt sensitive memory.
An attacker can exploit this vulnerability by crafting a malicious e-mail
with an overly long RCPT TO header field, consisting of at least 2000
bytes, to a vulnerable system. This will trigger the buffer overflow
condition when CMailServer is used to process the e-mail and will result
in the corruption of sensitive memory. It may also be possible for an
attacker to cause CMailServer to execute malicious attacker-supplied
instructions.
13. PHP-Nuke Multiple Downloads Module SQL Injection Vulnerabilities
BugTraq ID: 7588
Remote: Yes
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7588
Summary:
PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.
PHP-Nuke is reportedly prone to multiple SQL injection vulnerabilities in
the Downloads. User-supplied input is included in SQL queries made by the
module without being sanitized.
Exploitation could allow for injection of malicious SQL syntax, resulting
in modification of SQL query logic or other attacks. Consequences will
vary depending on the specific queries and the capabilities of the
underlying database implementation. At the very minimum it may be
possible to gain access to sensitive information that is stored in the
database.
14. Netscape Navigator False URL Information Vulnerability
BugTraq ID: 7564
Remote: Yes
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7564
Summary:
Netscape is a web browser that is available for a number of platforms,
including Microsoft Windows and Unix and Linux variants.
An issue has been reported for Netscape Navigator that may result in a
false sense of security for a user.
Due to the way Netscape handles the history.back() function, the URL
displayed on the 'location bar' will not correspond to the actual URL of
the site displayed in the browser window. As a result, a malicious
attacker can exploit this issue to entice a user to visit a web site and
make them believe they are at known or trusted page.
This vulnerability was reported for Netscape Navigator 7.02 for Windows
operating systems.
15. vBulletin Private Message HTML Injection Vulnerability
BugTraq ID: 7594
Remote: Yes
Date Published: May 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7594
Summary:
vBulletin is commercial web forum software written in PHP and back-ended
by a MySQL database. It will run on most Linux and Unix variants, as well
as Microsoft operating systems.
A vulnerability has been reported for vBulletin 3.0.0. beta 2 which may
make it prone to HTML injection attacks. The problem is said to occur
while previewing private messages.
Specifically, private messages may not be sufficiently sanitized of
malicious content. This may make it possible for an attacker to place HTML
or script code within a private message for another user. When the
legitimate forum user attempts to preview the message the malicious code
will be interpreted by their browser.
Attackers may potentially exploit this issue to manipulate web content or
to steal cookie-based authentication credentials. It may be possible to
take arbitrary actions as the victim user.
16. Inktomi Traffic Server Cross-Site Scripting Vulnerability
BugTraq ID: 7596
Remote: Yes
Date Published: May 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7596
Summary:
Inktomi Traffic Server is a transparent web caching application. It is
designed for use with Unix and Linux variants as well as Microsoft Windows
operating environments.
Inktomi Traffic Server is prone to a cross-site scripting vulnerability.
This is due to insufficient sanitization of input passed to the proxy,
which will be echoed back in error pages under some circumstances.
It has been reported that Inktomi Traffic Server will generate errors when
an open port other than 80/http is requested. The connection will time
out when the request port on the remote system is closed, which will not
generate an error. There is one reported exception to this. The proxy
server will generate an error for requests to port 443/https regardless of
whether the port is open or whether the requested host exists.
A malicious attacker could exploit this issue by creating a link which
contains hostile HTML and script code and then enticing users of the proxy
to visit the link. When the link is visited via the proxy,
attacker-supplied script may be interpreted in the user's browser.
Exploitation could permit HTML and script code to access properties of the
domain that is requested through the proxy. This could permit theft of
cookie-based authentication credentials from arbitrary domains or other
attacks.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Article Announcement: Security Tools: From Mermaids to Suckling Pigs (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/321655
2. Article Announcement: U.S. Information Security Law, Part 3 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/321459
3. Harden ASP.NET Configuration (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/321353
4. Share Point? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/321276
5. SecurityFocus Microsoft Newsletter #136 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/321196
6. Timbuktu, etc. (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/321050
7. (prevent + detect Arp spoofing) + Securing Terminal Services (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320976
8. IPSEC through Ms ISA Server (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320975
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. Abtrusion Protector
by Abtrusion Security AB
Platforms: Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.abtrusion.com/abtrusion_protector_ps.asp
Summary:
Abtrusion Protector prevents Windows from loading unrecognized or unknown
software. Only software that you have safely installed or explicitly
allowed can be loaded into memory. Contrary to typical anti-virus
scanners, Abtrusion Protector is not dependent on frequent virus
definition updates.
2. Kerio Personal Firewall
by Kerio Technologies Inc.
Platforms: Windows 2000, Windows 95/98, Windows NT
Relevant URL:
http://www.kerio.com/us/kpf_home.html
Summary:
Kerio Personal Firewall represents smart, easy-to-use personal security
technology that fully protects personal computers against hackers and
internal misuse.
3. Symantec's Norton Internet Security 2003
by Symantec
Platforms: Windows 2000, Windows 95/98, Windows XP
Relevant URL:
http://www.symantec.com/sabu/nis/nis_pe/
Summary:
Symantec's Norton Internet Security 2003 provides essential protection
from viruses, hackers, and privacy threats. Included are full versions of
Norton AntiVirus and Norton Personal Firewall, which efficiently defend
your PC from the most common Internet dangers. You also get Norton Spam
Alert to block unwanted email, and Norton Parental Control to protect your
children online.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. NoTrax v1.3
by Heidi Computers Ltd
Relevant URL:
http://www.heidi.ie/notrax/
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
Are You Concerned?
- that browsing the Internet has left traces of sites you've visited, all
over your hard drive i.e. in the Registry, Cache etc.
- that a website you are browsing may install Spyware or Viruses on your
PC?
- that your Credit Card details are being tracked by your browser while
purchasing online?
- that eliminator-type programs have not really cleaned your Registry
properly?
- that your laptop is lost or stolen with all the sensitive information
still stored in the history and cache of your browser?
- that unauthorised personnel may take a look at your PC, while you were
not around? Or that Hackers are probing your PC?
- that a company or individual is interested in tracking your online
habits for marketing or other more dangerous purposes?
- NoTrax PREVENTS this.
2. RainPortal v1.0
by Florent DEFONTIS
Relevant URL:
http://www.securesphere.net/html/projects_rainp.php
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
RainPortal was designed to secure your private messages while talking on
IRC networks. As long as you have RainPortal running and the person you
are talking to also, all your private messages will be strongly encrypted
while passing on the server.
3. Glub Tech Secure FTP v2.0.4
by glub
Relevant URL:
http://secureftp.glub.com
Platforms: MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows
XP
Summary:
Glub Tech Secure FTP is a command-line utility that allows FTP connections
to be made using SSL.
VI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored By: SpiDynamics
ALERT: Top 10 Web Application Attack Techniques and Methods to Combat them
Learn why 70% of today's successful hacks involve Web Application attacks
such as: SQL Injection, XSS, Cookie Manipulation, and Parameter
Manipulation.
All undetectable by Firewalls and IDS!
Download *FREE* white paper from SPI Dynamics for a complete guide to
protection!
Visit us at: http://www.spidynamics.com/mktg/webappsecurity102
------------------------------------------------------------------------
-------
------------------------------------------------------------------------
-----
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.
To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-focus-ms
------------------------------------------------------------------------
------
[ reply ]