LQ security report - Feb 13th 2004
Feb 9th 2004
48 of 56 issues handled (SF)

1. PhpGedView Editconfig_gedcom.php Directory Traversal Vulnera...
2. GNU LibTool Local Insecure Temporary Directory Creation Vuln...
3. PhpGedView [GED_File]_conf.php Remote File Include Vulnerabi...
4. ChatterBox Remote Denial of Service Vulnerability
5. FreeBSD mksnap_ffs File System Option Reset Vulnerability
6. Sun Solaris PFExec Custom Profile Arbitrary Privileges Vulne...
7. JBrowser Browser.PHP Directory Traversal Vulnerability
8. Laurent Adda Les Commentaires PHP Script Multiple Module Fil...
9. JBrowser Unauthorized Admin Access Vulnerability
10. Leif M. Wright Web Blog Remote Command Execution Vulnerabili...
11. Aprox Portal File Disclosure Vulnerability
12. SqWebMail Authentication Response Information Leakage Weakne...
13. BugPort Unauthorized Configuration File Viewing Vulnerabilit...
14. Suidperl Unspecified Information Disclosure Vulnerability
15. PHP-Nuke Multiple Module SQL Injection Vulnerabilities
18. SGI IRIX Libdesktopicon.so Local Buffer Overflow Vulnerabili...
19. Sun Solaris TCSetAttr System Hang Denial Of Service Vulnerab...
20. Crob FTP Server Denial Of Service Vulnerability
21. 0verkill Game Client Multiple Local Buffer Overflow Vulnerab...
23. GNU Chess '-s' Local Buffer Overflow Vulnerability
24. SurgeFTP Surgeftpmgr.CGI Denial Of Service Vulnerability
26. Clearswift MAILsweeper For SMTP RAR Archive Denial Of Servic...
27. All Enthusiast Photopost PHP Pro SQL Injection Vulnerability
28. Util-Linux Login Program Information Leakage Vulnerability
29. PHP-Nuke GBook Module HTML Injection Vulnerability
30. Qualiteam X-Cart Remote Command Execution Vulnerability
31. Sun ONE/iPlanet Web Server HTTP TRACE Credential Theft Vulne...
32. Cisco IOS MSFC2 Malformed Layer 2 Frame Denial Of Service Vu...
33. Qualiteam X-Cart Multiple Remote Information Disclosure Vuln...
34. phpMyAdmin Export.PHP File Disclosure Vulnerability
35. Tunez Multiple Remote SQL Injection Vulnerabilities
36. Linley Henzell Dungeon Crawl Unspecified Local Buffer Overfl...
39. PHPX Multiple Vulnerabilities
40. Linux Kernel R128 Device Driver Unspecified Privilege Escala...
41. Apache mod_digest Client-Supplied Nonce Verification Vulnera...
42. FreeBSD NetINet TCP Maximum Segment Size Remote Denial Of Se...
43. TYPSoft FTP Server Remote Denial Of Service Vulnerability
44. All Enthusiast ReviewPost PHP Pro Multiple SQL Injection Vul...
45. RXGoogle.CGI Cross Site Scripting Vulnerability
46. Web Crossing Web Server Component Remote Denial Of Service V...
47. OpenBSD ICMPV6 Handling Routines Remote Denial Of Service Vu...
48. GNU Radius Remote Denial Of Service Vulnerability
49. Multiple RealPlayer/RealOne Player Supported File Type Buffe...
50. RealPlayer/RealOne Player RMP File Handler Unspecified Code ...
51. Multiple Check Point Firewall-1 HTTP Security Server Remote ...
52. Check Point VPN-1/SecuRemote ISAKMP Large Certificate Reques...
54. Crossday Discuz! Cross Site Scripting Vulnerability
56. BSD Kernel SHMAT System Call Privilege Escalation Vulnerabil...
Feb 09th 2004 39 of 55 issues handled (ISS)

Overkill client has multiple buffer overflows
Overkill server parse_command_line buffer overflow
SurgeFTP Web interface denial of service
Caravan Business Server sample_showcode directory
FreeBSD mksnap_ffs security bypass
PhotoPost PHP Pro SQL injection
iSearch isearch.inc.php script PHP file include
ChatterBox denial of service
suidperl information disclosure
Aprox PHP portal index.php script directory
Apache httpd server httpd.conf could allow a local
util-linux information leak
GNU Libtool creates insecure temporary directory
Web Blog file parameter command execution
Tunez multiple SQL injection
phpMyAdmin "dot dot" Directory Traversal
Web Crossing Content-Length header denial of
Gbook message HTML injection
BugPort sensitive information exposure
Linley's Dungeon Crawl long environment variable
X-Cart "dot dot" directory traversal
X-Cart perl_binary variable command execution
ReviewPost PHP Pro showproduct.php and showcat.php
X-Cart general.php information disclosure
RealOne Player multiple file buffer overflows
RxGoogle query cross-site scripting
OpenBSD IPv6 packet denial of service
Linux kernel 2.4.x ixj telephony card driver buffer
GNU Radius rad_print_request denial of service
PHPX subject HTML injection
PHPX main.inc.php and help.inc.php cross-site
PHPX could allow an attacker to modify cookie to
SqWebMail login error information disclosure
Oracle Database Server multiple functions buffer
Multiple vendor BSD platforms allows elevated
Mambo Itemid parameter cross-site scripting
Apache-SSL has a default password
Discuz! Board image tag cross-site scripting
OpenJournal uid could allow an attacker

Feb 6th 2004 12 issues, 5 distros: (LAW)
crawl cvs ethereal gaim kernel mc mksnap_ffs netpbm perl tcpdump util-linux
Feb 6th 2004 (LAW)
Linux Advisory Watch
Distribution: Debian

2/2/2004 - perl
Information leak
An attacker could abuse suidperl to discover information about files that should not be accessible to unprivileged users.
http://www.linuxsecurity.com/advisor...sory-3986.html

2/3/2004 - crawl
Buffer overflow vulnerability
The program applies an unchecked-length environment variable into a fixed size buffer.
http://www.linuxsecurity.com/advisor...sory-3994.html

2/4/2004 - kernel
Privilege escalation MIPS patch
Integer overflow in the do_brk() function of the Linux kernel allows local users to gain root privileges.
http://www.linuxsecurity.com/advisor...sory-3996.html

Distribution: Fedora

2/2/2004 - cvs
Multiple vulnerabilities
Vulnerabilities allow cvs to write to the root filesystem and retain root privileges.
http://www.linuxsecurity.com/advisor...sory-3987.html

2/3/2004 - tcpdump
Malformed packet vulnerability
If the victim uses tcpdump, an attack could result in a denial of service, or possibly execute arbitrary code as the 'pcap' user.
http://www.linuxsecurity.com/advisor...sory-3992.html

2/3/2004 - ethereal
Denial of service vulnerability
Multiple security vulnerabilities may allow attackers to make Ethereal crash using intentionally malformed packets.
http://www.linuxsecurity.com/advisor...sory-3993.html

Distribution: FreeBSD

1/30/2004 - mksnap_ffs
Improper option clearing
Possible consequences include disabling extended access control lists or enabling the use of setuid executables stored on an untrusted filesystem.
http://www.linuxsecurity.com/advisor...sory-3985.html

Distribution: Mandrake

2/2/2004 - gaim
Multiple vulnerabilities
Multiple buffer overflows exist in gaim 0.75 and earlier.
http://www.linuxsecurity.com/advisor...sory-3988.html

Distribution: Red Hat

2/3/2004 - NetPBM
Temporary file vulnerabilities
A number of temporary file bugs have been found in versions of NetPBM.
http://www.linuxsecurity.com/advisor...sory-3989.html

2/3/2004 - mc
Buffer overflow vulnerability
A buffer overflow allows remote attackers to execute arbitrary code during symlink conversion.
http://www.linuxsecurity.com/advisor...sory-3990.html

2/3/2004 - util-linux
Login data leakage / Buffer overflow vulnerability
In some situations, the login program could use a pointer that had been freed and reallocated.
http://www.linuxsecurity.com/advisor...sory-3991.html

2/3/2004 - kernel
Multiple vulnerabilities
Updated kernel packages are now available that fix a few security issues.
http://www.linuxsecurity.com/advisor...sory-3995.html
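The NetPBM entry above ("temporary file bugs") and the libtool item in this week's list are the same bug class: a program writes to a guessable name in a shared directory, and whoever guesses it first plants a symlink there. The following is an added example, not code from Linux Advisory Watch or from the NetPBM, libtool or util-linux projects. It replays the race in a throw-away sandbox; the "libtool-<pid>" name pattern and the PID 4242 are assumptions chosen for illustration.

```python
"""Predictable temporary-file names and the symlink race behind them.

Added example (not from the advisory watch or any of the projects named
above). The sandbox stands in for a world-writable /tmp.
"""
import errno
import os
import shutil
import tempfile


def predictable_temp_path(shared_dir, pid):
    # The bug class: a name in a shared directory that anyone can guess.
    # (Assumed pattern for illustration; libtool's real name differs.)
    return os.path.join(shared_dir, "libtool-%d" % pid)


def naive_write(path, data):
    # open(path, "w") follows whatever symlink already sits at path and
    # truncates its target: the attacker chooses which file gets clobbered.
    with open(path, "w") as fh:
        fh.write(data)


def safe_write(path, data):
    # O_CREAT|O_EXCL refuses if anything (a symlink included) already exists
    # at path; O_NOFOLLOW is a second guard where the platform provides it.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def demo():
    """Run the race in a private sandbox; return what each variant did."""
    sandbox = tempfile.mkdtemp()
    try:
        shared = os.path.join(sandbox, "tmp")      # stands in for /tmp
        os.mkdir(shared)
        victim = os.path.join(sandbox, "victim.txt")
        with open(victim, "w") as fh:
            fh.write("original contents\n")

        # Attacker step: guess the name and plant a symlink to the victim.
        target = predictable_temp_path(shared, pid=4242)
        os.symlink(victim, target)

        # Vulnerable program: the write lands on the victim file.
        naive_write(target, "attacker-controlled\n")
        with open(victim) as fh:
            victim_after_naive = fh.read()

        # Hardened write: the pre-planted symlink makes open() fail.
        try:
            safe_write(target, "never written\n")
            safe_refused = False
        except OSError as exc:
            safe_refused = exc.errno in (errno.EEXIST, errno.ELOOP)

        # The real fix: an unpredictable, mode-0700 directory of our own.
        private = tempfile.mkdtemp(prefix="libtool-", dir=shared)
        private_mode = os.stat(private).st_mode & 0o777
        return {"victim_after_naive": victim_after_naive,
                "safe_write_refused": safe_refused,
                "private_dir_mode": private_mode}
    finally:
        shutil.rmtree(sandbox)


if __name__ == "__main__":
    print(demo())
```

The O_EXCL variant only refuses; it still has to pick a new name on failure, which is why mkdtemp (random name, mode 0700, retried on collision) is the fix the libtool 1.5.2 release took rather than just adding a flag.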
Feb 09th 2004 (ISS)
Internet Security Systems
Date Reported: 02/01/2004
Brief Description: Overkill client has multiple buffer overflows
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, OS/2 Any version, Overkill 0.15pre3 and earlier, Windows Any version
Vulnerability: overkill-client-multiple-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/14999

Date Reported: 02/01/2004
Brief Description: Overkill server parse_command_line buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, OS/2 Any version, Overkill 0.15pre3 and earlier, Windows Any version
Vulnerability: overkill-server-parsecommandline-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15000

Date Reported: 02/02/2004
Brief Description: SurgeFTP Web interface denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Any operating system Any version, SurgeFTP Server 2.2k1
Vulnerability: surgeftp-web-interface-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15001

Date Reported: 02/02/2004
Brief Description: Caravan Business Server sample_showcode directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: Caravan 2.00/03d, Linux Any version, OS/2 Any version, Windows Any version
Vulnerability: caravan-dotdot-directory-traveral
X-Force URL: http://xforce.iss.net/xforce/xfdb/15004

Date Reported: 01/30/2004
Brief Description: FreeBSD mksnap_ffs security bypass
Risk Factor: Medium
Attack Type: Host Based
Platforms: FreeBSD 5.1-RELEASE, FreeBSD 5.2-RELEASE
Vulnerability: freebsd-mksnapffs-bypass-security
X-Force URL: http://xforce.iss.net/xforce/xfdb/15005

Date Reported: 02/03/2004
Brief Description: PhotoPost PHP Pro SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, PhotoPost PHP Pro 4.6 and earlier
Vulnerability: photopostphp-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15008

Date Reported: 02/02/2004
Brief Description: iSearch isearch.inc.php script PHP file include
Risk Factor: Medium
Attack Type: Network Based
Platforms: iSearch Any version, Linux Any version, Unix Any version, Windows Any version
Vulnerability: isearch-isearchincphp-file-include
X-Force URL: http://xforce.iss.net/xforce/xfdb/15009

Date Reported: 01/30/2004
Brief Description: ChatterBox denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Any operating system Any version, ChatterBox 2.0
Vulnerability: chatterbox-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15011

Date Reported: 02/01/2004
Brief Description: suidperl information disclosure
Risk Factor: Medium
Attack Type: Host Based
Platforms: Debian Linux 3.0, Linux Any version, suidperl Any version, Unix Any version
Vulnerability: suidperl-obtain-information
X-Force URL: http://xforce.iss.net/xforce/xfdb/15012

Date Reported: 01/31/2004
Brief Description: Aprox PHP portal index.php script directory traversal
Risk Factor: Low
Attack Type: Network Based
Platforms: Any operating system Any version, Aprox PHP Portal Any version
Vulnerability: aproxphpportal-index-directory-traversal
X-Force URL: http://xforce.iss.net/xforce/xfdb/15014

Date Reported: 01/31/2004
Brief Description: Apache httpd server httpd.conf could allow a local user to bypass restrictions
Risk Factor: Medium
Attack Type: Host Based
Platforms: Apache HTTP Server 2.0.47 and earlier, Red Hat Linux Any version, Windows XP Any version
Vulnerability: apache-httpd-bypass-restriction
X-Force URL: http://xforce.iss.net/xforce/xfdb/15015

Date Reported: 02/03/2004
Brief Description: util-linux information leak
Risk Factor: Medium
Attack Type: Host Based
Platforms: Red Hat Advanced Workstation 2.1, Red Hat Enterprise Linux 2.1AS, Red Hat Enterprise Linux 2.1ES, Red Hat Enterprise Linux 2.1WS
Vulnerability: utillinux-information-leak
X-Force URL: http://xforce.iss.net/xforce/xfdb/15016

Date Reported: 02/03/2004
Brief Description: GNU Libtool creates insecure temporary directory
Risk Factor: Medium
Attack Type: Host Based
Platforms: Conectiva Linux 8.0, Conectiva Linux 9.0, GNU Libtool prior to 1.5.2, Linux Any version
Vulnerability: libtool-insecure-temp-directory
X-Force URL: http://xforce.iss.net/xforce/xfdb/15017

Date Reported: 02/03/2004
Brief Description: Web Blog file parameter command execution
Risk Factor: High
Attack Type: Network Based
Platforms: Any operating system Any version, Web Blog 1.1.5
Vulnerability: webblog-file-command-execution
X-Force URL: http://xforce.iss.net/xforce/xfdb/15019

Date Reported: 02/03/2004
Brief Description: Tunez multiple SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Tunez prior to 1.20-pre2, Unix Any version
Vulnerability: tunez-multiple-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15020

Date Reported: 02/03/2004
Brief Description: phpMyAdmin "dot dot" Directory Traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, phpMyAdmin 2.5.5-pl1 and prior, Unix Any version, Windows Any version
Vulnerability: phpmyadmin-dotdot-directory-traversal
X-Force URL: http://xforce.iss.net/xforce/xfdb/15021

Date Reported: 02/03/2004
Brief Description: Web Crossing Content-Length header denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Any operating system Any version, Web Crossing 4.0, Web Crossing 5.0
Vulnerability: webcrossing-contentlength-post-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15022

Date Reported: 02/02/2004
Brief Description: Gbook message HTML injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: GBook 1.0, Linux Any version, Unix Any version, Windows Any version
Vulnerability: gbook-message-html-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15027

Date Reported: 01/30/2004
Brief Description: BugPort sensitive information exposure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, BugPort prior to 1.099
Vulnerability: bugport-obtain-information
X-Force URL: http://xforce.iss.net/xforce/xfdb/15030

Brief Description: Linley's Dungeon Crawl long environment variable buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Debian Linux 3.0, Linley's Dungeon Crawl prior to 4.0.0 b23
Vulnerability: crawl-long-environment-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15032

Date Reported: 02/03/2004
Brief Description: X-Cart "dot dot" directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Windows Any version, X-Cart 3.4.3
Vulnerability: xcart-dotdot-directory-traversal
X-Force URL: http://xforce.iss.net/xforce/xfdb/15033

Date Reported: 02/03/2004
Brief Description: X-Cart perl_binary variable command execution
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Windows Any version, X-Cart 3.4.3
Vulnerability: xcart-perlbinary-execute-commands
X-Force URL: http://xforce.iss.net/xforce/xfdb/15034

Date Reported: 02/04/2004
Brief Description: ReviewPost PHP Pro showproduct.php and showcat.php script SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, ReviewPost Pro Any version
Vulnerability: reviewpostpro-showproduct-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15035

Date Reported: 02/04/2004
Brief Description: X-Cart general.php information disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Windows Any version, X-Cart 3.4.3
Vulnerability: xcart-generalphp-obtain-information
X-Force URL: http://xforce.iss.net/xforce/xfdb/15036

Date Reported: 02/04/2004
Brief Description: RealOne Player multiple file buffer overflows
Risk Factor: High
Attack Type: Network Based
Platforms: Any operating system Any version, RealOne Enterprise Desktop Any version, RealOne Player 1.0, RealOne Player 2.0
Vulnerability: realoneplayer-multiple-file-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15040

Date Reported: 02/04/2004
Brief Description: RxGoogle query cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: RxGoogle Any version, Unix Any version
Vulnerability: rxgoogle-query-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15043

Date Reported: 02/04/2004
Brief Description: OpenBSD IPv6 packet denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: OpenBSD 3.4
Vulnerability: openbsd-ipv6-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15044

Date Reported: 02/04/2004
Brief Description: Linux kernel 2.4.x ixj telephony card driver buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux kernel prior to 2.4.20, Red Hat Enterprise Linux 2.1AS, Red Hat Enterprise Linux 2.1ES, Red Hat Enterprise Linux 2.1WS
Vulnerability: linux-ixj-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15045

Date Reported: 02/04/2004
Brief Description: GNU Radius rad_print_request denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, GNU Radius 1.1
Vulnerability: radius-radprintrequest-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15046

Date Reported: 02/03/2004
Brief Description: PHPX subject HTML injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: BSD Any version, Linux Any version, PHPX 3.2.3, Solaris Any version
Vulnerability: phpx-subject-html-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15050

Date Reported: 02/03/2004
Brief Description: PHPX main.inc.php and help.inc.php cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: BSD Any version, Linux Any version, PHPX 3.2.3, Solaris Any version
Vulnerability: phpx-main-help-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15051

Date Reported: 02/03/2004
Brief Description: PHPX could allow an attacker to modify cookie to hijack another user's account
Risk Factor: Medium
Attack Type: Network Based
Platforms: BSD Any version, Linux Any version, PHPX 3.2.3, Solaris Any version
Vulnerability: phpx-cookie-account-hijacking
X-Force URL: http://xforce.iss.net/xforce/xfdb/15052

Date Reported: 01/31/2004
Brief Description: SqWebMail login error information disclosure
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, SqWebMail Any version, Unix Any version
Vulnerability: sqwebmail-login-info-disclosure
X-Force URL: http://xforce.iss.net/xforce/xfdb/15058

Date Reported: 02/05/2004
Brief Description: Oracle Database Server multiple functions buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Oracle9i Database Server Release 2 prior to 9.2.0.3, Unix Any version, Windows Any version
Vulnerability: oracle-multiple-function-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15060

Date Reported: 02/05/2004
Brief Description: Multiple vendor BSD platforms allows elevated privileges
Risk Factor: High
Attack Type: Host Based
Platforms: FreeBSD Any version, NetBSD Any version, OpenBSD 3.x
Vulnerability: bsd-shmat-gain-privileges
X-Force URL: http://xforce.iss.net/xforce/xfdb/15061

Date Reported: 02/05/2004
Brief Description: Mambo Itemid parameter cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Mambo Open Source 4.5, Mambo Open Source 4.6, Unix Any version, Windows 2000 Any version, Windows XP Any version
Vulnerability: mambo-itemid-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15062

Date Reported: 02/06/2004
Brief Description: Apache-SSL has a default password
Risk Factor: Medium
Attack Type: Network Based
Platforms: Apache-SSL 1.3.28+1.52 and earlier, Linux Any version, Windows Any version
Vulnerability: apachessl-default-password
X-Force URL: http://xforce.iss.net/xforce/xfdb/15065

Date Reported: 02/05/2004
Brief Description: Discuz! Board image tag cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Discuz! Board 2.x, Discuz! Board 3.x, Linux Any version, Unix Any version, Windows Any version
Vulnerability: discuzboard-image-tag-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15066

Brief Description: OpenJournal uid could allow an attacker administrative access
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, OpenJournal prior to 2.06
Vulnerability: openjournal-uid-admin-access
X-Force URL: http://xforce.iss.net/xforce/xfdb/15069
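The X-Force records above arrive as one run-together string of "Label: value" pairs, which is awkward to triage by hand once you have 39 of them. Below is an added example, not code from this post or from ISS, that parses that exact format back into records and pulls out the ones worth acting on first. SAMPLE is a constructed subset of four records copied from the list above; one of them (the Dungeon Crawl entry) has no "Date Reported" field, which the parser has to tolerate, as do two entries in the real list.

```python
"""Parser for the flattened ISS X-Force advisory records quoted above.

Added example, not part of the original post or of any ISS tooling.
SAMPLE is a constructed subset of the records in the post.
"""
import re

# The seven labels ISS used; every record ends with the X-Force URL.
FIELDS = ("Date Reported", "Brief Description", "Risk Factor",
          "Attack Type", "Platforms", "Vulnerability", "X-Force URL")

# re.split keeps the label in the output because of the capture group.
_LABEL = re.compile(r"(%s):\s*" % "|".join(re.escape(f) for f in FIELDS))

SAMPLE = ("Date Reported: 02/01/2004 Brief Description: Overkill client has "
          "multiple buffer overflows Risk Factor: High Attack Type: Host Based "
          "Platforms: Linux Any version, OS/2 Any version, Overkill 0.15pre3 and "
          "earlier, Windows Any version Vulnerability: overkill-client-multiple-bo "
          "X-Force URL: http://xforce.iss.net/xforce/xfdb/14999 "
          "Date Reported: 02/03/2004 Brief Description: Web Blog file parameter "
          "command execution Risk Factor: High Attack Type: Network Based "
          "Platforms: Any operating system Any version, Web Blog 1.1.5 "
          "Vulnerability: webblog-file-command-execution "
          "X-Force URL: http://xforce.iss.net/xforce/xfdb/15019 "
          "Brief Description: Linley's Dungeon Crawl long environment variable "
          "buffer overflow Risk Factor: High Attack Type: Host Based "
          "Platforms: Debian Linux 3.0, Linley's Dungeon Crawl prior to 4.0.0 b23 "
          "Vulnerability: crawl-long-environment-bo "
          "X-Force URL: http://xforce.iss.net/xforce/xfdb/15032 "
          "Date Reported: 02/04/2004 Brief Description: OpenBSD IPv6 packet "
          "denial of service Risk Factor: Low Attack Type: Network Based "
          "Platforms: OpenBSD 3.4 Vulnerability: openbsd-ipv6-dos "
          "X-Force URL: http://xforce.iss.net/xforce/xfdb/15044")


def parse_xforce_records(text):
    """Split run-together records into dicts keyed by the ISS labels."""
    parts = _LABEL.split(text)          # [junk, label, value, label, value, ...]
    records, current = [], {}
    for label, value in zip(parts[1::2], parts[2::2]):
        current[label] = value.strip()
        if label == "X-Force URL":      # last field of every record
            records.append(current)
            current = {}
    if current:                         # input cut off before its URL
        records.append(current)
    return records


def xfdb_id(record):
    """Numeric XFDB identifier taken from the record's URL, or None."""
    match = re.search(r"/xfdb/(\d+)$", record.get("X-Force URL", ""))
    return int(match.group(1)) if match else None


def platforms(record):
    """ISS comma-separates the platform list; return it as a Python list."""
    raw = record.get("Platforms", "")
    return [p.strip() for p in raw.split(",") if p.strip()]


def triage(records, risk="High", attack_type="Network Based"):
    """Vulnerability tags matching the given risk and exposure, sorted."""
    return sorted(r["Vulnerability"] for r in records
                  if r.get("Risk Factor") == risk
                  and r.get("Attack Type") == attack_type)


if __name__ == "__main__":
    recs = parse_xforce_records(SAMPLE)
    for tag in triage(recs):
        print("remotely exploitable, high:", tag)
```

The default triage() filter (High risk, Network Based) is the "patch this week" cut; flipping attack_type to "Host Based" gives the local-privilege set, which on multi-user boxes is the other list worth reading first.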
Thread title: Feb 9th 2004 (SF) pt. 1/3
SecurityFocus
1. PhpGedView Editconfig_gedcom.php Directory Traversal Vulnera... BugTraq ID: 9529 Remote: Yes Date Published: Jan 30 2004 Relevant URL: http://www.securityfocus.com/bid/9529 Summary: PhpGedView is web-based geneology software that is implemented in PHP. A vulnerability has been reported to exist in PhpGedView that may allow a remote attacker to access information outside the server root directory. The problem exists due to insufficient sanitization of user-supplied data via the 'gedcom_config' parameter of the 'editconfig_gedcom.php' script. The issue may allow a remote attacker to traverse outside the server root directory by using '../' character sequences. Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive information that may be used to launch further attacks against a vulnerable system. PhpGedView versions 2.65.1 and prior have been reported to be prone to this issue. 2. GNU LibTool Local Insecure Temporary Directory Creation Vuln... BugTraq ID: 9530 Remote: No Date Published: Jan 30 2004 Relevant URL: http://www.securityfocus.com/bid/9530 Summary: libtool is a freely available, open source library management script. It is available for the Unix and Linux platforms. A problem has been identified in the creation of temporary directories by the libtool script. Because of this, an attacker may be able to corrupt arbitrary files on a system. libtool does not securely create temporary directories. When the script is executed during compilation of a program, it creates a situation where an attacker can potentially overwrite target files using predicted symbolic links, potentially destroying data. It should be noted that this issue only affects programs that use libtool during compilation time. Additionally, resolution of this issue only limits scope to programs that use the system libtool, and does not resolve the issue in programs that package their own version of libtool. 3. 
PhpGedView [GED_File]_conf.php Remote File Include Vulnerabi... BugTraq ID: 9531 Remote: Yes Date Published: Jan 30 2004 Relevant URL: http://www.securityfocus.com/bid/9531 Summary: PhpGedView is web-based geneology software that is implemented in PHP. A vulnerability has been reported to exist in the software that may allow an attacker to include malicious files containing arbitrary code to be executed on a vulnerable system. The problem reportedly exists because remote users may influence the 'PGV_BASE_DIRECTORY' variable in the [GED_File]_conf.php module, which specifies an include path that is used as an argument to the PHP require() function. Remote attackers could potentially exploit this issue via by influencing the include path to specify a remote malicious PHP script, which will be executed in the context of the web server hosting the vulnerable software. PhpGedView versions 2.65.1 and prior have been reported to be prone to this issue. This issue may be related to PhpGedView Multiple PHP Remote File Include Vulnerabilities BID 9368. 4. ChatterBox Remote Denial of Service Vulnerability BugTraq ID: 9532 Remote: Yes Date Published: Jan 30 2004 Relevant URL: http://www.securityfocus.com/bid/9532 Summary: ChatterBox is a multiple client, single server graphical chat program implemented using Java with Swing user interface components. ChatterBox is designed to run on any platform with a Java 2 runtime environment. ChatterBox has been reported to be prone to a remote denial of service vulnerability. This issue may be exploited by issuing irregular commands to the chat server and is caused by a failure of the server to validate input. Successful exploitation will cause a denial of service condition in the server application, forcing the affected process to crash and deny service to legitimate users. 5. 
FreeBSD mksnap_ffs File System Option Reset Vulnerability BugTraq ID: 9533 Remote: No Date Published: Jan 30 2004 Relevant URL: http://www.securityfocus.com/bid/9533 Summary: FreeBSD 5.0-RELEASE and later includes a tool called mksnap_ffs to facilitate taking snapsnots of file systems. This utility is only accessible to administrative users by default. A vulnerability has been reported in the FreeBSD mksnap_ffs utility that could cause file system security properties to be reset. When the utility is run, it does not preserve various file system flags. If the file system is restored from the snapshot, these settings will have their default values, which may impact security if file system security settings were enabled on the file system prior to the utility being run to take a snapsnot of the file system. This could impact any extended access control lists that are enabled on the file system or re-enable the use of setuid executables. The exact consequences will depend on the security configuration that was in place prior to the snapshot being taken and the file system being restored from the snapshot. 6. Sun Solaris PFExec Custom Profile Arbitrary Privileges Vulne... BugTraq ID: 9534 Remote: No Date Published: Jan 30 2004 Relevant URL: http://www.securityfocus.com/bid/9534 Summary: Solaris is the Unix operating system distributed and maintained by Sun Microsystems. A problem in pfexec included with Sun Solaris has been identified. Because of this issue, it may be possible for a local user to gain elevated privileges. pfexec is the profile execution command, used by the Role-Based Access Control infrastructure to permit an attacker to execute certain commands as a member of a specific group profile. This infrastructure can permit a local user to execute certain commands that require privileges while limiting or preventing access to other system commands. 
It is possible for a system user that is a member of a specific custom rights profile to abuse the rights profile to potentially execute additional commands outside of the profile authorization. Specifics of this vulnerability are not currently available. However, it is conjectured that this issue could permit an attacker to gain access to additional system authorizations. 7. JBrowser Browser.PHP Directory Traversal Vulnerability BugTraq ID: 9535 Remote: Yes Date Published: Jan 30 2004 Relevant URL: http://www.securityfocus.com/bid/9535 Summary: JBrowser is a web-based image gallery application implemented using PHP. JBrowser has been reported to be vulnerable to directory traversal vulnerability that may allow a remote attacker to gain access to files readable by the web-server that reside outside of the server root directory. The problem exists due to insufficient sanitization of user-supplied data via the 'directory' parameter of the 'browser.php' script. Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive information that may be used to launch further attacks against a vulnerable system. 8. Laurent Adda Les Commentaires PHP Script Multiple Module Fil... BugTraq ID: 9536 Remote: Yes Date Published: Jan 30 2004 Relevant URL: http://www.securityfocus.com/bid/9536 Summary: Laurent Adda Les Commentaires is a web based message board application written in PHP. A vulnerability has been reported to exist in the software that may allow an attacker to include malicious external files containing arbitrary PHP code to be executed on a vulnerable system. This vulnerability is reported to exist because remote users can influence the 'rep' variable in the 'derniers_commentaires.php', 'admin.php', and 'fonctions.lib.php' modules to specify an arbitrary include path. 
Remote attackers could potentially exploit this issue via the vulnerable variable to include a remote malicious script, which will be executed in the context of the web server hosting the vulnerable software. All versions of Les Commentaires have been reported to be prone to this issue. 9. JBrowser Unauthorized Admin Access Vulnerability BugTraq ID: 9537 Remote: Yes Date Published: Jan 30 2004 Relevant URL: http://www.securityfocus.com/bid/9537 Summary: JBrowser is a web-based image gallery application implemented using PHP. Due to a lack of access validation to the '_admin' directory, malevolent users may be able to execute arbitrary admin scripts. Potentially exploitable scripts located in the '_admin' directory include 'upload.php3', 'upload_ftp.php3' and 'list_all.php'. Using the 'upload.php3' and 'upload_ftp.php3' scripts a malevolent user may be able to upload arbitrary files to any location on the system accessible by the webserver. By specifying the file location an attacker could save malicious files to the system or potentially overwrite sensitive files. Using the 'list_all.php' script a malevolent user may be able to traverse outside of the web-server root directory by manipulating the 'folder' parameter. Exploitation of these issues could lead to disclosure of sensitive information, which may facilitate further attacks against the affected system. Furthermore these issues could allow an attacker to upload or overwrite arbitrary files on the system. There may also be other consequences associated with this vulnerability. 10. Leif M. Wright Web Blog Remote Command Execution Vulnerabili... BugTraq ID: 9539 Remote: Yes Date Published: Jan 31 2004 Relevant URL: http://www.securityfocus.com/bid/9539 Summary: Web Blog is a web application, written by Leif M. Wright. Web Blog has been reported to be prone to a vulnerability that may permit remote attackers to execute arbitrary commands in the context of the hosting web server. 
This is due to insufficient sanitization of shell metacharacters from variables which will be used as an argument to a function that invokes the shell directly. This issue exists in the blog.cgi script and is exposed via the 'file' URI parameter when submitting a 'ViewFile' request to the script. Exploitation could permit a remote attacker to gain interactive access to the underlying operating system of the host. 11. Aprox Portal File Disclosure Vulnerability BugTraq ID: 9540 Remote: Yes Date Published: Jan 31 2004 Relevant URL: http://www.securityfocus.com/bid/9540 Summary: Aprox Portal is web portal software that is written in PHP. Aprox Portal is prone to a vulnerability that may permit remote attackers to gain access to files that are readable by the hosting web server. These files may exist outside of the server root. The issue is reported to exist in the 'index.php' script and may be exploited by providing the absolute path to a system file as an argument for the 'show' parameter. This could expose sensitive information that may be useful in further attacks against the host. 12. SqWebMail Authentication Response Information Leakage Weakne... BugTraq ID: 9541 Remote: Yes Date Published: Jan 31 2004 Relevant URL: http://www.securityfocus.com/bid/9541 Summary: SqWebMail is a web-based e-mail application. SqWebMail leaks sensitive information in authentication responses that may permit aid an attacker in brute forcing the root password on the underlying operating system. The software reportedly issues different responses when the user authenticates successfully as the root user then when a failed attempt occurs. 
For example, when an authentication attempt fails, the web interface will issue the following response: "invalid user or password" When authentication succeeds for the root user, the interface reportedly issues this response instead: "maildir doesn't exist or has incorrect ownership or permission" It should be noted that this may depend on there not being a Maildir for the root user on the underlying operating system. This type of response could also be issued for other users on the system that do not have a Maildir. This vulnerability may provide a covert means of brute-forcing the root password via the SqWebMail interface. This issue reportedly exists when SqWebMail is run with qmail, qmailadmin, vpopmail with vchkpw-auth. Other reports specify that this issue exists solely in SqWebMail. 13. BugPort Unauthorized Configuration File Viewing Vulnerabilit... BugTraq ID: 9542 Remote: Yes Date Published: Jan 31 2004 Relevant URL: http://www.securityfocus.com/bid/9542 Summary: BugPort is a web-based bug tracking and development application that is written in PHP. A vulnerability has been reported in BugPort that has the potential to disclose sensitive information to remote attackers. The contents of the BugReport configuration file will be served to remote users who request the file. The source of the vulnerability is that the configuration file (conf/config.conf) will be served as opposed to interpreted due to the file extension. This could disclose sensitive configuration information that may be useful when mounting further attacks. 14. Suidperl Unspecified Information Disclosure Vulnerability BugTraq ID: 9543 Remote: No Date Published: Feb 01 2004 Relevant URL: http://www.securityfocus.com/bid/9543 Summary: SuidPerl is the Perl interpreter for setuid Perl scripts. It is included with distributions of the Perl package and is available for Linux and Unix variant operating environments. 
A vulnerability has been reported in Suidperl that may cause sensitive information to be disclosed to unauthorized users. This could potentially permit users to enumerate the existence of files or determine other attributes that should not be accessible to unprivileged users. This issue may be exploited by a malicious local user.

15. PHP-Nuke Multiple Module SQL Injection Vulnerabilities
BugTraq ID: 9544
Remote: Yes
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9544
Summary:
PHP-Nuke is web portal software. Multiple SQL injection vulnerabilities have been reported in various modules included in PHP-Nuke versions 6.9 and earlier. These issues could permit remote attackers to compromise PHP-Nuke user and administrative accounts. The source of the problem is that the affected modules do not adequately sanitize user-supplied HTTP GET/POST data before including this input in a database query. As a result, an attacker could modify the logic and structure of database queries. Other attacks may also be possible, such as gaining access to sensitive information. These vulnerabilities were reported in the Web_Links, Downloads, Reviews, Sections and Stories_Archive modules. Some of these issues may overlap with previously reported SQL injection vulnerabilities in PHP-Nuke, but all have reportedly been addressed in PHP-Nuke 7.0.

18. SGI IRIX Libdesktopicon.so Local Buffer Overflow Vulnerabili...
BugTraq ID: 9547
Remote: No
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9547
Summary:
A vulnerability has been reported in SGI IRIX that may allow an attacker to execute arbitrary code on a vulnerable system in order to gain unauthorized access. The problem is reported to exist in the libdesktopicon.so library. It has been reported that the issue presents itself due to improper bounds checking of the HOME environment variable when that variable is set to a long string.
A buffer overflow condition may be caused by supplying excessive data via this variable and then invoking the '/usr/sbin/printers' binary, which is linked against the libdesktopicon.so library. An attacker may leverage the issue by exploiting an unbounded memory copy operation to overwrite the saved return address/base pointer, causing the affected procedure to return to an address of their choice. Successful exploitation may allow a local attacker to ultimately execute arbitrary code in order to gain unauthorized access to a system. SGI IRIX versions 6.5.22 and prior may be prone to this issue.

19. Sun Solaris TCSetAttr System Hang Denial Of Service Vulnerab...
BugTraq ID: 9548
Remote: No
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9548
Summary:
Solaris is a freely available UNIX operating system distributed and maintained by Sun Microsystems. A vulnerability has been identified in the tcsetattr library call available in default versions of Sun Solaris. Because of this, it may be possible for an unprivileged local user to deny service to legitimate users. The problem lies in the invocation of the library call: under some circumstances, it may be possible to invoke the library in a manner that causes the system to hang for a period of time. This could result in a denial of service to legitimate users of the system, and could potentially result in an extended denial of service.

20. Crob FTP Server Denial Of Service Vulnerability
BugTraq ID: 9549
Remote: Yes
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9549
Summary:
Crob FTP Server is a file transfer utility developed for the Windows platform. A vulnerability has been reported in the Crob FTP Server that occurs due to a lack of validation of input from the user. By issuing a malformed request, a malicious user may be able to force the server to crash, denying service to legitimate users.
This vulnerability was reported for Crob FTP Server 3.5.1; however, earlier versions may also be affected.

21. 0verkill Game Client Multiple Local Buffer Overflow Vulnerab...
BugTraq ID: 9550
Remote: Yes
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9550
Summary:
0verkill is a client-server game. It is available for the Linux, OS/2 and Windows operating systems. The 0verkill game client has been reported prone to multiple exploitable buffer overrun vulnerabilities. The functions reported to be affected are load_cfg(), save_cfg() and send_message(), all implemented in client.c. It has been reported that due to a lack of sufficient boundary checks on data contained in the HOME environment variable, a local attacker may overrun a 256-byte stack-based buffer. Additionally, excessive data supplied as the player name and as the hostname may also be used to corrupt sensitive process memory. Finally, a potential buffer overflow reported to exist in the network 'chat' routines may be exploited to overwrite 2 bytes of data beyond the affected buffer. An attacker may exploit any one of these issues to potentially execute arbitrary instructions in the security context of the 0verkill game client.

23. GNU Chess '-s' Local Buffer Overflow Vulnerability
BugTraq ID: 9553
Remote: No
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9553
Summary:
GNU Chess is a chess game developed for Linux and Unix based systems. It has been reported that GNU Chess is prone to a buffer overflow issue that may allow an attacker to gain elevated privileges. The problem is present due to improper handling of user-supplied data from the '-s' command line parameter. A buffer overflow condition may be caused by supplying more than 652 bytes of data as a value for this parameter. The condition is present due to insufficient boundary checking.
A local attacker may leverage the issue by exploiting an unbounded memory copy operation to overwrite the saved return address/base pointer, causing the affected procedure to return to an address of their choice. Successful exploitation may allow an attacker to ultimately execute arbitrary code in the context of the affected application; although unconfirmed, GNU Chess is likely installed with setgid 'games' privileges on most systems.

24. SurgeFTP Surgeftpmgr.CGI Denial Of Service Vulnerability
BugTraq ID: 9554
Remote: Yes
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9554
Summary:
SurgeFTP is a file transfer server that ships with an administrative web interface. A vulnerability has been reported in that administrative interface (surgeftpmgr.cgi). The issue occurs due to a lack of validation of input supplied as values for URI parameters to the affected script. By issuing a malformed request, a malicious user may be able to force the server to crash. Although unconfirmed, this vulnerability may exist as a result of a format string handling issue: a remote attacker may exploit it by supplying URI parameters that contain "%%" sequences to the affected script. It has been reported that this will cause the server to fail, effectively denying service to legitimate users.

26. Clearswift MAILsweeper For SMTP RAR Archive Denial Of Servic...
BugTraq ID: 9556
Remote: Yes
Date Published: Jan 29 2004
Relevant URL: http://www.securityfocus.com/bid/9556
Summary:
MAILsweeper for SMTP is a commercial application for filtering e-mail content at the gateway level. MAILsweeper has been reported prone to a remote denial of service vulnerability. The issue presents itself when MAILsweeper encounters an e-mail that has a malicious RAR archive attached.
A specially constructed RAR archive will trigger an infinite loop, causing the affected software to consume CPU resources in an exponential manner. A remote attacker may exploit this condition in order to deny service to legitimate users of the targeted SMTP server.

27. All Enthusiast Photopost PHP Pro SQL Injection Vulnerability
BugTraq ID: 9557
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9557
Summary:
Photopost PHP Pro is a web based gallery application written in PHP. A vulnerability has been reported to exist in the software that may allow an attacker to influence SQL query logic to disclose sensitive information that could be used to gain unauthorized access. The issue exists due to insufficient sanitization of user-supplied data passed via the 'photo' parameter of the 'showphoto.php' script. It has been reported that a malicious user may influence database queries in order to view or modify sensitive information, potentially compromising the software or the underlying database. Photopost PHP Pro versions 4.6 and prior have been reported to be prone to this vulnerability.
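The local overflows in items 18 (libdesktopicon.so reading HOME), 21 (0verkill's 256-byte stack buffer filled from HOME) and 23 (GNU Chess and the '-s' argument) all come from one pattern: an unbounded copy of attacker-controlled input into a fixed-size stack buffer; item 36 later in this digest describes the same pattern in Dungeon Crawl. The program below is an added example written for this page, not code from any of those projects. It shows the unbounded form next to a bounded one that fails closed. The function names, the ".0verkillrc" file name and the 256-byte buffer size are assumptions for illustration.

```c
/*
 * Added example (not 0verkill, IRIX or GNU Chess code): building a config
 * path from the HOME environment variable, unbounded versus bounded.
 * Names, file name and buffer size are assumptions for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CFG_BUF  256              /* same size as the 0verkill stack buffer */
#define CFG_NAME "/.0verkillrc"   /* assumed config file name */

/* Vulnerable pattern: sprintf() with no bound. A HOME longer than
 * CFG_BUF - strlen(CFG_NAME) - 1 writes past 'path' on the stack and
 * reaches the saved frame pointer / return address. Kept only for
 * contrast; never call it with untrusted input. */
void build_cfg_path_vuln(char *path, const char *home)
{
    sprintf(path, "%s%s", home, CFG_NAME);
}

/* Hardened version: bounded formatting plus an explicit length check.
 * Returns 0 on success, -1 if the result would not fit. The caller must
 * treat -1 as an error, not as a truncated-but-usable path. */
int build_cfg_path_safe(char *path, size_t pathlen, const char *home)
{
    if (home == NULL || path == NULL || pathlen == 0)
        return -1;
    int n = snprintf(path, pathlen, "%s%s", home, CFG_NAME);
    if (n < 0 || (size_t)n >= pathlen) {
        path[0] = '\0';           /* do not leave a half-written path */
        return -1;
    }
    return 0;
}

/* The same check applied to the HOME variable of the running process:
 * returns 0 and fills 'path' only when HOME exists and is short enough. */
int load_cfg_path(char *path, size_t pathlen)
{
    return build_cfg_path_safe(path, pathlen, getenv("HOME"));
}

int main(void)
{
    char path[CFG_BUF];
    /* Constructed input: a HOME value long enough to overrun the 256-byte
     * buffer in the unbounded version above. */
    char longhome[600];
    memset(longhome, 'A', sizeof longhome - 1);
    longhome[sizeof longhome - 1] = '\0';

    if (build_cfg_path_safe(path, sizeof path, "/home/player") == 0)
        printf("ok: %s\n", path);
    if (build_cfg_path_safe(path, sizeof path, longhome) != 0)
        printf("rejected: HOME is %zu bytes, buffer holds %d\n",
               strlen(longhome), CFG_BUF);
    if (load_cfg_path(path, sizeof path) == 0)
        printf("from environment: %s\n", path);
    return 0;
}
```

The bounded version rejects rather than truncates: a silently shortened path would still point at a file the user did not intend, so the length check is an authorization decision, not just a memory-safety one.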
Feb 9th 2004 (SF) pt. 2/3
28. Util-Linux Login Program Information Leakage Vulnerability
BugTraq ID: 9558
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9558
Summary:
Login is a component of the util-linux package. It is available for the Linux platform. A problem has been identified in the handling of information by the login component of the util-linux package. Because of this, an attacker may be able to gain access to sensitive information. The problem is an issue in the handling of pointers within the program. In some situations, a function within the program may attempt to use a pointer to memory that has already been freed and reallocated by another function. Under these circumstances, it would be possible for an attacker to gain access to potentially sensitive information. It is conjectured that this issue requires specific circumstances and numerous attempts to glean useful information. However, no proof-of-concept exists upon which further analysis can be made.

29. PHP-Nuke GBook Module HTML Injection Vulnerability
BugTraq ID: 9559
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9559
Summary:
PHP-Nuke is web portal software. GBook is a guestbook module for PHP-Nuke. A vulnerability has been reported to exist in the software that may allow a remote attacker to carry out HTML injection attacks in order to steal sensitive data such as authentication credentials. It has been reported that due to insufficient sanitization of user-supplied data, various parameters passed to the GBook module are vulnerable to HTML injection. Some of the affected parameters include 'name', 'email', 'city' and 'message'. As a result, users may include malicious HTML and script code inside guestbook entries. The attacker-supplied code will be rendered in the web client of the user who views a malicious guestbook entry, and will execute in the security context of the site hosting the guestbook software.
It has been noted that GBook uses HTTP POST requests to communicate with the server, and HTTP POST data is filtered by PHP-Nuke. Because of this an attacker may not be able to inject HTML directly; however, an attacker may pass malicious HTML code via the '$_COOKIE' array, which is reportedly not filtered by PHP-Nuke. If administrative access is enabled in the software, this may allow the attacker to steal cookie-based authentication credentials from the administrative guestbook user. Other attacks may be possible as well. The GBook script for PHP-Nuke version 1.0 has been tested for this issue; however, it is likely that other versions of PHP-Nuke are vulnerable as well.

30. Qualiteam X-Cart Remote Command Execution Vulnerability
BugTraq ID: 9560
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9560
Summary:
X-Cart is a web based shopping cart application implemented in PHP and integrated with a MySQL database backend. X-Cart has been reported to be prone to an issue that may allow remote attackers to execute arbitrary commands on the affected system. The issue is caused by a failure of the application to sanitize values specified by parameters in the URI. This issue has been reported to affect the 'upgrade.php' and 'general.php' scripts, which reside in the 'admin' directory of the application. The upgrade.php script expects the parameter 'perl_binary' to be specified via the URI. The 'perl_binary' parameter is used by the application to execute Perl scripts for upgrading the software. Due to insufficient sanitization of the value passed through this parameter, it is possible to specify any executable file that is readable by the web server. The general.php script expects the parameter 'config[General][perl_binary]' to be specified via the URI. Insufficient sanitization of this value may likewise allow remote execution of any program that is readable by the web server.
This issue is reported to affect X-Cart version 3.4.3; however, other versions of the software may also be vulnerable.

31. Sun ONE/iPlanet Web Server HTTP TRACE Credential Theft Vulne...
BugTraq ID: 9561
Remote: Yes
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9561
Summary:
Sun ONE Web Server is a web server implementation maintained by Sun Microsystems. It has been rebranded from iPlanet. A vulnerability has been reported to exist in the software that may allow a remote attacker to steal sensitive information such as cookie-based authentication credentials. It has been reported that Sun ONE/iPlanet Web Server responds to the HTTP TRACE request by default. The HTTP TRACE method, intended for debugging, causes a web server to echo the contents of the request back to the client: the complete request, including HTTP headers, is returned in the entity-body of the TRACE response. A malicious web site can also cause a user's browser to issue TRACE requests. Enabling HTTP TRACE functionality by default may therefore allow an attacker to compromise user accounts by gaining access to sensitive header information. This issue may be combined with other attacks, such as cross-site scripting, to steal cookie-based authentication credentials.

32. Cisco IOS MSFC2 Malformed Layer 2 Frame Denial Of Service Vu...
BugTraq ID: 9562
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9562
Summary:
IOS is the device operating system for the Cisco hardware platform. It is maintained and distributed by Cisco. A problem has been identified in the handling of specific types of traffic by Cisco 6000, 6500 and 7600 routers equipped with the MSFC2 card. Because of this, an attacker could potentially crash a vulnerable system. The problem is in the handling of malformed layer 2 frames.
The issue is triggered when a layer 2 frame encapsulating a layer 3 packet is sent to a Cisco device running an affected version of IOS and the layer 2 frame length is inconsistent with the length of the encapsulated layer 3 packet. When an affected device receives such a frame, it becomes unstable and crashes. It should be noted that this vulnerability presents a risk only under specific circumstances. The first is that a system on a network segment local to the affected router can send a frame directly to the router without intermediary hops that strip the layer 1 and layer 2 framing. The other is that a tunnel carrying layer 2 frames between network segments exists, and a system on one segment can send a malicious frame through the tunnel to a vulnerable router on another segment.

33. Qualiteam X-Cart Multiple Remote Information Disclosure Vuln...
BugTraq ID: 9563
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9563
Summary:
X-Cart is a web based shopping cart application implemented in PHP and integrated with a MySQL database backend. X-Cart has been reported to be prone to an issue that may allow remote attackers to view any file on the affected system that is readable by the web server. The issue is caused by a failure of the application to sanitize values specified by parameters in the URI. This issue has been reported to affect the 'auth.php' script, which expects the 'shop_closed_file' parameter to be specified via the URI. The 'shop_closed_file' parameter is used by the application to select the file to be displayed. Due to insufficient sanitization of the value passed through this parameter, it is possible to specify any file that is readable by the web server. It has been reported that there is also an information disclosure issue with the 'general.php' script, which resides in the 'admin' directory of the application.
The 'mode' URI parameter can be set to request information on the current PHP and Perl software versions, allowing potential attackers to gain access to sensitive system details. This issue is reported to affect X-Cart version 3.4.3; however, other versions of the software may also be vulnerable.

34. phpMyAdmin Export.PHP File Disclosure Vulnerability
BugTraq ID: 9564
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9564
Summary:
phpMyAdmin is a freely available tool that provides a web interface for handling MySQL administrative tasks. phpMyAdmin is prone to a vulnerability that may permit remote attackers to gain access to files that are readable by the hosting web server. These files may exist outside of the server root. The issue is reported to exist in the 'export.php' script and may be exploited by providing directory traversal sequences and the absolute path to a system file as the value of the 'what' URI parameter. This could expose sensitive information that may be useful in further attacks against the host.

35. Tunez Multiple Remote SQL Injection Vulnerabilities
BugTraq ID: 9565
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9565
Summary:
Tunez is a freely available, open source web MP3 jukebox. It is available for the Unix and Linux platforms. Several problems in the handling of user-supplied input have been identified in Tunez. Because of this, an attacker may be able to gain unauthorized access to the backend database. Specific details concerning these issues are not currently available. However, the project maintainers have disclosed that numerous SQL injection issues exist that can permit an attacker to submit SQL directly to the database, potentially allowing an attacker to perform unauthorized database functions.

36. Linley Henzell Dungeon Crawl Unspecified Local Buffer Overfl...
BugTraq ID: 9566
Remote: No
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9566
Summary:
Linley Henzell Dungeon Crawl is a console based game. Dungeon Crawl has been reported to be prone to an unspecified local buffer overflow vulnerability. The condition is present due to insufficient boundary checking: it has been reported that the software copies various environment variables into a fixed size buffer without proper bounds checking. An attacker may pass excessive data to the vulnerable application via an affected environment variable. The immediate consequence of an attack may be a denial of service condition. A local attacker may leverage the issue by exploiting an unbounded memory copy operation to overwrite the saved return address/base pointer, causing the affected procedure to return to an address of their choice. Successful exploitation may allow an attacker to ultimately execute arbitrary code in the context of the affected application. Although unconfirmed, Crawl is likely installed with setgid 'games' privileges on most systems. Crawl 4.0.0 beta 26 and prior may be prone to this issue.

39. PHPX Multiple Vulnerabilities
BugTraq ID: 9569
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9569
Summary:
PHPX is a PHP-based content management system. Multiple vulnerabilities were reported in PHPX. The specific issues include cross-site scripting, HTML injection and account hijacking via specially crafted cookies. Two cross-site scripting issues exist in the main.inc.php and help.inc.php scripts. These are due to insufficient sanitization of input supplied via URI parameters. In particular, main.inc.php does not sanitize input supplied to the 'keywords' parameter, while help.inc.php does not sanitize input supplied to the 'body' parameter. An attacker could exploit these issues by enticing a victim user to follow a malicious link that includes embedded HTML and script code.
This would most likely result in cookie theft, though other attacks are also possible. HTML injection issues exist in the 'Subject' field for Personal Messages and the Forum. This could permit a user of the software to persistently inject hostile HTML and script code into the content management system. The attacker could exploit this to steal cookies, but it would also be possible to influence site content. An account hijacking vulnerability was reported due to insufficient validation of values embedded in user-supplied cookies. Specifically, the PXL cookie value corresponds to the user ID and may be changed to an arbitrary value, resulting in hijacking of other user and administrative accounts. These issues were reported to exist in PHPX 3.2.3. Earlier versions are also likely affected.

40. Linux Kernel R128 Device Driver Unspecified Privilege Escala...
BugTraq ID: 9570
Remote: No
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9570
Summary:
The Linux kernel supports numerous driver modules; one such is the R128 driver module for the ATI Rage 128 video card. It has been reported that the Linux kernel is prone to an unspecified local privilege escalation vulnerability. The issue is reportedly due to an R128 DRI limits checking issue and may lead to privilege escalation on affected systems. This BID will be updated with further technical details if more information is made available.

41. Apache mod_digest Client-Supplied Nonce Verification Vulnera...
BugTraq ID: 9571
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9571
Summary:
mod_digest is a digest authentication module included in Apache HTTPD. Patches have been released for the Apache mod_digest module to add digest replay protection. The module reportedly did not adequately verify client-supplied nonces against the server-issued nonce.
The nonce is a random server-generated value that is sent for session verification purposes during digest authentication. This vulnerability could permit a remote attacker to replay the response of another website, or of another section of the same website, under some circumstances, potentially allowing unauthorized access to sessions. It should be noted that this issue does not exist in the mod_auth_digest module.

42. FreeBSD NetINet TCP Maximum Segment Size Remote Denial Of Se...
BugTraq ID: 9572
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9572
Summary:
The FreeBSD netinet implementation has been reported prone to a vulnerability that may allow remote attackers to deny service to affected servers. The issue presents itself due to a lack of restrictions on TCP MSS (Maximum Segment Size) values. When a TCP connection is negotiated, MSS values are exchanged between the connected hosts. This gives a remote attacker an opportunity to set the Maximum Segment Size to a very low value (such as fewer than 64 octets), which forces the server to transmit its data as a large number of tiny packets. As the server commits resources to transmitting, processing and receiving this malicious traffic, those resources may be exhausted and the affected server may ultimately cease to serve legitimate traffic. A remote attacker may exploit this condition to deny service to legitimate users.

43. TYPSoft FTP Server Remote Denial Of Service Vulnerability
BugTraq ID: 9573
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9573
Summary:
TYPSoft FTP Server is a freely available FTP server for the Windows platform. TYPSoft FTP Server has been reported to be prone to a remote denial of service vulnerability. A malicious user may leverage this issue to cause the FTP server to crash, denying service to legitimate users.
This issue can be triggered by first authenticating with the server and then initiating the login sequence again without supplying a user name. The software attempts to carry out operations on an uninitialized buffer, causing a dereference of unallocated memory and inevitably forcing the server to crash. This issue has been reported to affect version 1.10 of the software; however, previous versions may also be affected.

44. All Enthusiast ReviewPost PHP Pro Multiple SQL Injection Vul...
BugTraq ID: 9574
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9574
Summary:
ReviewPost PHP Pro is a web based bulletin board application written in PHP. Multiple vulnerabilities have been reported to exist in the software that may allow an attacker to influence SQL query logic. These issues could be exploited to disclose sensitive information that may be used to gain unauthorized access. The issues exist due to insufficient sanitization of user-supplied data passed via the 'product' parameter of the 'showproduct.php' script and the 'cat' parameter of the 'showcat.php' script. It has been reported that a malicious user may influence database queries in order to view or modify sensitive information, potentially compromising the software or the underlying database. Although unconfirmed, ReviewPost PHP Pro 2.5.1 and prior may be prone to these issues.

45. RXGoogle.CGI Cross Site Scripting Vulnerability
BugTraq ID: 9575
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9575
Summary:
RXGoogle.CGI is a free search script implemented in Perl that facilitates Internet-wide searching from a local web site. It has been reported that the rxgoogle.cgi search script is prone to a cross site scripting vulnerability. This issue is reportedly due to a failure to sanitize user input, which allows various meta-characters that may facilitate cross site scripting attacks.
This could permit a remote attacker to create a malicious link to the web server that includes hostile HTML and script code. If this link were followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the web server and may allow for theft of cookie-based authentication credentials or other attacks.

46. Web Crossing Web Server Component Remote Denial Of Service V...
BugTraq ID: 9576
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9576
Summary:
Web Crossing is a collaboration server platform that ships with a web server component. The Web Crossing web server component has been reported prone to a remote denial of service vulnerability. It has been reported that the issue presents itself when the affected web server receives a malicious HTTP POST request that contains a negative or excessively large value in the Content-Length header. When such a request is processed, an integer divide-by-zero operation occurs, causing the affected server to crash. A remote attacker may exploit this issue to deny service to the Web Crossing web server.

47. OpenBSD ICMPV6 Handling Routines Remote Denial Of Service Vu...
BugTraq ID: 9577
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9577
Summary:
OpenBSD has been reported prone to a remote denial of service attack when configured to process IPv6 traffic. The issue occurs when an affected host handles ICMPv6 traffic that carries an arbitrarily low MTU size. It has been reported that when traffic of the aforementioned type is handled, an unspecified kernel error occurs, denying service to the affected system. A remote attacker may exploit this vulnerability to deny service to legitimate users. FreeBSD does not appear to be affected. It is undetermined whether NetBSD is similarly affected.
This BID will be updated as further information relating to this issue is disclosed.

48. GNU Radius Remote Denial Of Service Vulnerability
BugTraq ID: 9578
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9578
Summary:
GNU Radius is a server used primarily by Internet service providers as a solution for authentication and accounting. GNU Radius has been reported prone to a remote denial of service vulnerability. The issue presents itself when a single UDP datagram is processed that contains an Acct-Status-Type attribute and no other data. When the affected server handles this datagram, the server will segfault due to a NULL pointer dereference. Specifically, when the Acct-Status-Type attribute is encountered the following operation is performed:

avl_find(req->request, DA_ACCT_STATUS_TYPE);

Because the datagram contains no other attributes, the following operation then yields a NULL value for the sid_pair pointer:

VALUE_PAIR *sid_pair = avl_find(req->request, DA_ACCT_SESSION_ID);

Finally, when a member of the sid_pair structure is referenced via the following operation:

snprintf(nbuf, sizeof nbuf, "%ld", sid_pair->avp_lvalue);

the NULL pointer dereference causes the service process to fail. It should be noted that although this issue has been reported to affect GNU Radius version 1.1, previous versions might also be affected.

49. Multiple RealPlayer/RealOne Player Supported File Type Buffe...
BugTraq ID: 9579
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9579
Summary:
RealPlayer/RealOne Player are media players that are available for various operating systems, including Microsoft Windows and Mac OS. It has been reported that various RealPlayer/RealOne Player releases are prone to multiple exploitable stack and heap overrun vulnerabilities.
This is due to insufficient bounds checking when handling malformed files of various supported types (.RP, .RT, .RAM, .RPM and .SMIL). When the player loads such a file, stack or heap memory may be corrupted with data embedded in the file, possibly allowing sensitive variables in memory to be overwritten. In this manner, it would be possible to execute arbitrary code on the client system in the context of the user invoking the vulnerable player. This issue could be exploited by enticing a user to visit a malicious website that hosts the file, causing it to be automatically invoked. File attachments also provide an attack vector, but would require the user to interactively open the malformed file (with the exception of .RPM files, which may open automatically).

50. RealPlayer/RealOne Player RMP File Handler Unspecified Code ...
BugTraq ID: 9580
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9580
Summary:
RealPlayer/RealOne Player are media players that are available for various operating systems, including Microsoft Windows and Mac OS. RealPlayer/RealOne Player has been reported prone to an unspecified code execution vulnerability. The issue occurs within the RMP file processing routines of affected versions of the player. Although unconfirmed, it has been conjectured that arbitrary code execution may occur when a malicious RMP file is processed; this will reportedly cause malicious code to be downloaded and executed. Code execution would occur in the context of the user who is running the affected player. This BID will be updated as further details regarding this vulnerability are disclosed.
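Item 48 above quotes the three GNU Radius operations that lead from a datagram carrying only Acct-Status-Type to a NULL dereference. The following C program is an added example for this page, not GNU Radius source: it models that lookup with a minimal attribute list and places the unchecked handler beside a hardened one that rejects the malformed datagram instead. VALUE_PAIR, avl_find() and the DA_* names follow the identifiers quoted in the advisory text; the struct layout, the list representation, the attribute numbers and the handle_acct_request_* functions are assumptions.

```c
/*
 * Added example (not GNU Radius code): a model of the Acct-Status-Type /
 * Acct-Session-Id lookup from item 48. Only the names quoted in the
 * advisory are real; layout and handler functions are assumptions.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DA_ACCT_STATUS_TYPE 40   /* RADIUS accounting attribute numbers */
#define DA_ACCT_SESSION_ID  44   /* (RFC 2866); assumed to match GNU Radius */

typedef struct value_pair {
    int attribute;
    long avp_lvalue;             /* numeric value, as used by the quoted snprintf */
    struct value_pair *next;
} VALUE_PAIR;

typedef struct { VALUE_PAIR *request; } REQUEST;

/* Linear search for an attribute; NULL when the datagram lacks it. */
VALUE_PAIR *avl_find(VALUE_PAIR *list, int attribute)
{
    for (; list != NULL; list = list->next)
        if (list->attribute == attribute)
            return list;
    return NULL;
}

/* Vulnerable pattern, as described for GNU Radius 1.1: the Session-Id
 * lookup result is dereferenced without a NULL check. Crashes on a
 * datagram that carries only Acct-Status-Type. Kept for contrast only. */
int handle_acct_request_vuln(REQUEST *req, char *nbuf, size_t nbuflen)
{
    if (avl_find(req->request, DA_ACCT_STATUS_TYPE) == NULL)
        return -1;
    VALUE_PAIR *sid_pair = avl_find(req->request, DA_ACCT_SESSION_ID);
    return snprintf(nbuf, nbuflen, "%ld", sid_pair->avp_lvalue); /* NULL deref */
}

/* Hardened handler: an accounting request with Acct-Status-Type but no
 * Acct-Session-Id is malformed, so it is rejected before any dereference.
 * Returns 0 on success, -1 on a malformed request. */
int handle_acct_request_safe(REQUEST *req, char *nbuf, size_t nbuflen)
{
    if (avl_find(req->request, DA_ACCT_STATUS_TYPE) == NULL)
        return -1;
    VALUE_PAIR *sid_pair = avl_find(req->request, DA_ACCT_SESSION_ID);
    if (sid_pair == NULL)
        return -1;                       /* the missing check */
    if (snprintf(nbuf, nbuflen, "%ld", sid_pair->avp_lvalue) < 0)
        return -1;
    return 0;
}

int main(void)
{
    char nbuf[32];
    /* Constructed datagrams: one carrying only Acct-Status-Type (the crash
     * case from the advisory) and one that also carries Acct-Session-Id. */
    VALUE_PAIR only_status = { DA_ACCT_STATUS_TYPE, 1, NULL };
    VALUE_PAIR sid  = { DA_ACCT_SESSION_ID, 4242, NULL };
    VALUE_PAIR full = { DA_ACCT_STATUS_TYPE, 1, &sid };
    REQUEST bad = { &only_status }, good = { &full };

    printf("status-only datagram: %d (rejected)\n",
           handle_acct_request_safe(&bad, nbuf, sizeof nbuf));
    if (handle_acct_request_safe(&good, nbuf, sizeof nbuf) == 0)
        printf("complete datagram: session id %s\n", nbuf);
    return 0;
}
```

Every avl_find() result is a lookup that can legitimately miss, so each one needs a check at the point of use; the fix is not specific to Acct-Session-Id but to any attribute the server treats as mandatory without verifying it arrived.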
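Item 46 above describes a Content-Length value that is negative or excessively large reaching integer arithmetic in the Web Crossing web server. The program below is an added example written for this page, not Web Crossing code: it shows a strict Content-Length parser that refuses signs, non-decimal input, overflow and out-of-policy sizes, next to the atoi()-style pattern that lets such values through. The function names and the 16 MiB body limit are assumptions for illustration; nothing here reproduces the server's own arithmetic.

```c
/*
 * Added example (not Web Crossing code): strict parsing of the HTTP
 * Content-Length header for the failure mode in item 46. The function
 * names and MAX_BODY_LEN are assumptions for illustration.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_BODY_LEN (16u * 1024u * 1024u)   /* assumed policy limit */

/* Naive pattern: atoi() returns negative values for "-1", silently stops
 * at the first non-digit and has undefined behaviour on overflow, so any
 * later arithmetic on the result starts from an untrusted number. */
long content_length_naive(const char *value)
{
    return atoi(value);
}

/* Strict parser. Returns 0 and stores the length on success, -1 when the
 * header is not a plain decimal number of acceptable size. Signs, hex,
 * trailing junk, overflow and values above MAX_BODY_LEN are all rejected.
 * Surrounding spaces and tabs (legal header whitespace) are tolerated. */
int parse_content_length(const char *value, uint32_t *out)
{
    if (value == NULL || out == NULL)
        return -1;
    while (*value == ' ' || *value == '\t')
        value++;
    if (*value < '0' || *value > '9')      /* rejects "", "-5", "+5", "abc" */
        return -1;
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(value, &end, 10);
    if (errno == ERANGE)                   /* e.g. 20 or more digits */
        return -1;
    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')                      /* trailing junk such as "10abc" */
        return -1;
    if (v > MAX_BODY_LEN)                  /* well-formed but excessive */
        return -1;
    *out = (uint32_t)v;
    return 0;
}

int main(void)
{
    /* Constructed header values, including the negative and oversized
     * forms named in the advisory. */
    const char *samples[] = {
        "1024", " 42 ", "-1", "99999999999999999999", "0x10", "10abc", ""
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t len;
        if (parse_content_length(samples[i], &len) == 0)
            printf("\"%s\" -> accepted, %u bytes\n", samples[i], len);
        else
            printf("\"%s\" -> rejected\n", samples[i]);
    }
    printf("atoi(\"-1\") would have given %ld\n", content_length_naive("-1"));
    return 0;
}
```

The parser stores into an unsigned type only after the range check, so downstream code can never see a negative body length and any divisor derived from the length is bounded by a value the operator chose.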
Feb 9th 2004 (SF) pt. 3/3
51. Multiple Check Point Firewall-1 HTTP Security Server Remote ...
BugTraq ID: 9581
Remote: Yes
Date Published: Feb 05 2004
Relevant URL: http://www.securityfocus.com/bid/9581
Summary:
Firewall-1 is a commercially available enterprise firewall software package. It is distributed by Check Point and available for the Unix, Linux and Microsoft Windows platforms. Problems in the handling of some types of HTTP requests from remote users have been identified in the Check Point Firewall-1 HTTP Application Intelligence and HTTP Security Server components. Because of this, it is possible for a remote attacker to gain unauthorized access to a vulnerable system with administrative privileges. It has been reported that several format string vulnerabilities exist in the HTTP Application Intelligence and HTTP Security Server components of Firewall-1. One disclosed example cites placing an invalid scheme in a URI and submitting it to the vulnerable component, resulting in an attacker-controlled format string being passed to an sprintf() call. Other format string issues may result in heap corruption. Since the Firewall-1 software is most often executed as the administrative user, this issue has the potential to result in complete compromise of an affected host.

52. Check Point VPN-1/SecuRemote ISAKMP Large Certificate Reques...
BugTraq ID: 9582
Remote: Yes
Date Published: Feb 05 2004
Relevant URL: http://www.securityfocus.com/bid/9582
Summary:
VPN-1, SecuRemote and SecureClient are secure remote access components distributed and maintained by Check Point Software. They are available for the Unix, Linux and Microsoft Windows platforms. A problem has been identified in the handling of large Certificate Request payloads in Check Point VPN-1, SecuRemote and SecureClient. Because of this, it is possible for a remote attacker to gain unauthorized access to vulnerable systems.
During the establishing of an ISAKMP session, it is possible for one system to send to another a Certificate Request payload to solicit credentials. However, bounds checking is not adequately performed on received Certificate Request payload packets by clients or servers in the Check Point implementations. An attacker could take advantage of this issue to exploit a buffer overflow in the client and server implementations, resulting in the execution of attacker-supplied code with the privileges of the software, run as the administrative user it typical configurations. 54. Crossday Discuz! Cross Site Scripting Vulnerability BugTraq ID: 9584 Remote: Yes Date Published: Feb 05 2004 Relevant URL: http://www.securityfocus.com/bid/9584 Summary: Discuz! is web based message board software implemented in PHP. It has been reported that Discuz! is prone to an Cross Site Scripting vulnerability. This issue is caused by the application failing to properly sanitize links embedded within user messages. The software allows users to post images by enclosing the URL of an image within [img]..[/img] tags. The application displays a thumbnail view of the specified image as a link to the full size version. The URL of the file that is specified between the image tags is not properly sanitized, allowing a user to enter malicious script. This issue arises due to the user specified URL being included inside JavaScript tags used to open the image in a new browser window. This may allow the user to craft malicious script and have it executed when an unsuspecting user follows the link. An attacker may exploit this vulnerability to execute arbitrary HTML and script code in the browser of an unsuspecting user who views the malicious post. Code execution will occur in the context of the vulnerable site. This issue may be exploited to steal cookie based credentials. Other attacks are also possible. 56. BSD Kernel SHMAT System Call Privilege Escalation Vulnerabil... 
BugTraq ID: 9586 Remote: No Date Published: Feb 05 2004 Relevant URL: http://www.securityfocus.com/bid/9586 Summary: A vulnerability has been reported to exist in the shmat system call used in the BSD kernel. This may allow a local attacker to inject instructions into the memory of a privileged process. BSD systems support the System V Shared Memory interface that provides primitives for sharing memory segments between separate processes. The shmat(2) system call allows a shared memory segment that is created with the the shmget(2) function to be mapped to the calling process's address space. The issue presents itself due to an error in the shmat(2) system call which is included with the System V Shared Memory interface. shmat(2) is implemented in the sysv_shm.c file. The vulnerability occurs when shmat(2) does not decrement the reference count of a shared memory segment when an error occurs. Reportedly, shmat(2) increments a count prior to attempting to reference a virtual memory object, but fails to decrement the count when an error occurs. An attacker could create two shared memory segments, then abuse the shmat system call with invalid calls (the reported amount is 2^32-2 calls, or 4,294,967,294) to force a wrapping of the count in memory. Upon deferencing one of the shared memory segments and executing a privileged program, the attacker could force the privileged program to reuse the section of shared memory still under control of the attacker. The attacker could use this as a means of modifying the memory of the running process, executing arbitrary attacker-supplied instructions injected into the running process memory, granting privilege escalation to the attacker. |
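The shmat(2) entry above is a reference-count leak on an error path: each failed call leaves the count one higher than it should be, and a 32-bit count that is only ever incremented eventually wraps to zero, at which point the kernel treats a still-mapped segment as unreferenced. The block below is an added model written for this digest; it is not the BSD sysv_shm.c code and makes no claim about the real segment structure. It assumes a plain 32-bit count with one reference per mapping, shows the flawed attach path next to one that restores the count on error and refuses to wrap, and derives how many leaked increments carry a count from a given starting value around to zero:

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of a shared-memory segment (hypothetical, not the
 * BSD sysv_shm.c layout): a 32-bit count, one reference per mapping. */
struct shm_segment {
    uint32_t refcount;
};

/* Flawed attach path as the advisory describes it: the count is raised
 * before the mapping is attempted and is not lowered again when the
 * attempt fails, so every failed call leaks one reference. */
int attach_flawed(struct shm_segment *seg, bool mapping_fails)
{
    seg->refcount++;
    if (mapping_fails)
        return -1;                     /* defect: no decrement on error */
    return 0;
}

/* Corrected path: the increment is undone on the error path, and an
 * increment that would wrap the count is refused outright. */
int attach_fixed(struct shm_segment *seg, bool mapping_fails)
{
    if (seg->refcount == UINT32_MAX)
        return -1;                     /* refuse rather than wrap to 0 */
    seg->refcount++;
    if (mapping_fails) {
        seg->refcount--;               /* restore the count */
        return -1;
    }
    return 0;
}

/* Run n failed attach attempts through the given path, starting from
 * `initial`, and report the resulting count. */
uint32_t refcount_after_failures(int (*attach)(struct shm_segment *, bool),
                                 uint32_t initial, unsigned n)
{
    struct shm_segment seg = { initial };
    for (unsigned i = 0; i < n; i++)
        attach(&seg, true);
    return seg.refcount;
}

/* Number of leaked increments needed to carry a 32-bit count from
 * `initial` around to 0, the state in which a segment that is still
 * mapped looks unreferenced and can be released. Computed from the
 * width of the count; far too many to loop through here. */
uint64_t failures_to_wrap(uint32_t initial)
{
    return (uint64_t)UINT32_MAX - initial + 1;
}
```

In this model a count that starts at 2 wraps after 2^32-2 leaked increments, which is the figure the advisory quotes; the advisory does not say what the real count starts at, so that correspondence is an observation about the model, not a claim about the kernel. The two defensive changes in attach_fixed are independent: the decrement on the error path removes the leak, and the UINT32_MAX check turns any remaining wrap into a hard failure instead of a silent reset to zero.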