LinuxQuestions.org

Linux - Security: LQ security report - Feb 13th 2004
http://www.linuxquestions.org/questions/linux-security-4/lq-security-report-feb-13th-2004-a-145674/

unSpawn 02-13-2004 11:29 AM

LQ security report - Feb 13th 2004
 
Feb 9th 2004
48 of 56 issues handled (SF)
1. PhpGedView Editconfig_gedcom.php Directory Traversal Vulnera...
2. GNU LibTool Local Insecure Temporary Directory Creation Vuln...
3. PhpGedView [GED_File]_conf.php Remote File Include Vulnerabi...
4. ChatterBox Remote Denial of Service Vulnerability
5. FreeBSD mksnap_ffs File System Option Reset Vulnerability
6. Sun Solaris PFExec Custom Profile Arbitrary Privileges Vulne...
7. JBrowser Browser.PHP Directory Traversal Vulnerability
8. Laurent Adda Les Commentaires PHP Script Multiple Module Fil...
9. JBrowser Unauthorized Admin Access Vulnerability
10. Leif M. Wright Web Blog Remote Command Execution Vulnerabili...
11. Aprox Portal File Disclosure Vulnerability
12. SqWebMail Authentication Response Information Leakage Weakne...
13. BugPort Unauthorized Configuration File Viewing Vulnerabilit...
14. Suidperl Unspecified Information Disclosure Vulnerability
15. PHP-Nuke Multiple Module SQL Injection Vulnerabilities
18. SGI IRIX Libdesktopicon.so Local Buffer Overflow Vulnerabili...
19. Sun Solaris TCSetAttr System Hang Denial Of Service Vulnerab...
20. Crob FTP Server Denial Of Service Vulnerability
21. 0verkill Game Client Multiple Local Buffer Overflow Vulnerab...
23. GNU Chess '-s' Local Buffer Overflow Vulnerability
24. SurgeFTP Surgeftpmgr.CGI Denial Of Service Vulnerability
26. Clearswift MAILsweeper For SMTP RAR Archive Denial Of Servic...
27. All Enthusiast Photopost PHP Pro SQL Injection Vulnerability
28. Util-Linux Login Program Information Leakage Vulnerability
29. PHP-Nuke GBook Module HTML Injection Vulnerability
30. Qualiteam X-Cart Remote Command Execution Vulnerability
31. Sun ONE/iPlanet Web Server HTTP TRACE Credential Theft Vulne...
32. Cisco IOS MSFC2 Malformed Layer 2 Frame Denial Of Service Vu...
33. Qualiteam X-Cart Multiple Remote Information Disclosure Vuln...
34. phpMyAdmin Export.PHP File Disclosure Vulnerability
35. Tunez Multiple Remote SQL Injection Vulnerabilities
36. Linley Henzell Dungeon Crawl Unspecified Local Buffer Overfl...
39. PHPX Multiple Vulnerabilities
40. Linux Kernel R128 Device Driver Unspecified Privilege Escala...
41. Apache mod_digest Client-Supplied Nonce Verification Vulnera...
42. FreeBSD NetINet TCP Maximum Segment Size Remote Denial Of Se...
43. TYPSoft FTP Server Remote Denial Of Service Vulnerability
44. All Enthusiast ReviewPost PHP Pro Multiple SQL Injection Vul...
45. RXGoogle.CGI Cross Site Scripting Vulnerability.
46. Web Crossing Web Server Component Remote Denial Of Service V...
47. OpenBSD ICMPV6 Handling Routines Remote Denial Of Service Vu...
48. GNU Radius Remote Denial Of Service Vulnerability
49. Multiple RealPlayer/RealOne Player Supported File Type Buffe...
50. RealPlayer/RealOne Player RMP File Handler Unspecified Code ...
51. Multiple Check Point Firewall-1 HTTP Security Server Remote ...
52. Check Point VPN-1/SecuRemote ISAKMP Large Certificate Reques...
54. Crossday Discuz! Cross Site Scripting Vulnerability
56. BSD Kernel SHMAT System Call Privilege Escalation Vulnerabil...

Feb 09th 2004
39 of 55 issues handled (ISS)
Overkill client has multiple buffer overflows
Overkill server parse_command_line buffer overflow
SurgeFTP Web interface denial of service
Caravan Business Server sample_showcode directory traversal
FreeBSD mksnap_ffs security bypass
PhotoPost PHP Pro SQL injection
iSearch isearch.inc.php script PHP file include
ChatterBox denial of service
suidperl information disclosure
Aprox PHP portal index.php script directory traversal
Apache httpd server httpd.conf could allow a local user to bypass restrictions
util-linux information leak
GNU Libtool creates insecure temporary directory
Web Blog file parameter command execution
Tunez multiple SQL injection
phpMyAdmin "dot dot" Directory Traversal
Web Crossing Content-Length header denial of service
Gbook message HTML injection
BugPort sensitive information exposure
Linley's Dungeon Crawl long environment variable buffer overflow
X-Cart "dot dot" directory traversal
X-Cart perl_binary variable command execution
ReviewPost PHP Pro showproduct.php and showcat.php script SQL injection
X-Cart general.php information disclosure
RealOne Player multiple file buffer overflows
RxGoogle query cross-site scripting
OpenBSD IPv6 packet denial of service
Linux kernel 2.4.x ixj telephony card driver buffer overflow
GNU Radius rad_print_request denial of service
PHPX subject HTML injection
PHPX main.inc.php and help.inc.php cross-site scripting
PHPX could allow an attacker to modify cookie to hijack another user's account
SqWebMail login error information disclosure
Oracle Database Server multiple functions buffer overflow
Multiple vendor BSD platforms allows elevated privileges
Mambo Itemid parameter cross-site scripting
Apache-SSL has a default password
Discuz! Board image tag cross-site scripting
OpenJournal uid could allow an attacker administrative access

Feb 6th 2004
12 issues, 5 distros: (LAW)
crawl
cvs
ethereal
gaim
kernel
mc
mksnap_ffs
netpbm
perl
tcpdump
util-linux

unSpawn 02-13-2004 11:30 AM

Feb 6th 2004 (LAW)
 
Linux Advisory Watch
Distribution: Debian

2/2/2004 - perl
Information leak

An attacker could abuse suidperl to discover information about
files that should not be accessible to unprivileged users.
http://www.linuxsecurity.com/advisor...sory-3986.html

2/3/2004 - crawl
Buffer overflow vulnerability

The program copies an environment variable of unchecked length into
a fixed-size buffer.
http://www.linuxsecurity.com/advisor...sory-3994.html

2/4/2004 - kernel
Privilege escalation (MIPS patch)

Integer overflow in the do_brk() function of the Linux kernel
allows local users to gain root privileges.
http://www.linuxsecurity.com/advisor...sory-3996.html


Distribution: Fedora

2/2/2004 - cvs
Multiple vulnerabilities

Vulnerabilities allow cvs to write to the root filesystem and retain
root privileges.
http://www.linuxsecurity.com/advisor...sory-3987.html

2/3/2004 - tcpdump
Malformed packet vulnerability

If the victim uses tcpdump, an attack could result in a denial of
service, or possibly execute arbitrary code as the 'pcap' user.
http://www.linuxsecurity.com/advisor...sory-3992.html

2/3/2004 - ethereal
Denial of service vulnerability

Multiple security vulnerabilities may allow attackers to make
Ethereal crash using intentionally malformed packets.
http://www.linuxsecurity.com/advisor...sory-3993.html


Distribution: FreeBSD

1/30/2004 - mksnap_ffs
Improper option clearing

Possible consequences include disabling extended access control
lists or enabling the use of setuid executables stored on an
untrusted filesystem.
http://www.linuxsecurity.com/advisor...sory-3985.html


Distribution: Mandrake

2/2/2004 - gaim
Multiple vulnerabilities

Multiple buffer overflows exist in gaim 0.75 and earlier.
http://www.linuxsecurity.com/advisor...sory-3988.html


Distribution: Red Hat

2/3/2004 - NetPBM
Temporary file vulnerabilities

A number of temporary file bugs have been found in versions of
NetPBM.
http://www.linuxsecurity.com/advisor...sory-3989.html

2/3/2004 - mc
Buffer overflow vulnerability

A buffer overflow allows remote attackers to execute arbitrary
code during symlink conversion.
http://www.linuxsecurity.com/advisor...sory-3990.html

2/3/2004 - util-linux Login data leakage
Buffer overflow vulnerability

In some situations, the login program could use a pointer that had
been freed and reallocated.
http://www.linuxsecurity.com/advisor...sory-3991.html

2/3/2004 - kernel
Multiple vulnerabilities

Updated kernel packages are now available that fix a few security
issues.
http://www.linuxsecurity.com/advisor...sory-3995.html

unSpawn 02-13-2004 11:31 AM

Feb 09th 2004 (ISS)
 
Internet Security Systems


Date Reported: 02/01/2004
Brief Description: Overkill client has multiple buffer overflows
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, OS/2 Any version, Overkill
0.15pre3 and earlier, Windows Any version
Vulnerability: overkill-client-multiple-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/14999

Date Reported: 02/01/2004
Brief Description: Overkill server parse_command_line buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, OS/2 Any version, Overkill
0.15pre3 and earlier, Windows Any version
Vulnerability: overkill-server-parsecommandline-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15000

Date Reported: 02/02/2004
Brief Description: SurgeFTP Web interface denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Any operating system Any version, SurgeFTP Server
2.2k1
Vulnerability: surgeftp-web-interface-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15001

Date Reported: 02/02/2004
Brief Description: Caravan Business Server sample_showcode directory
traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: Caravan 2.00/03d, Linux Any version, OS/2 Any
version, Windows Any version
Vulnerability: caravan-dotdot-directory-traveral
X-Force URL: http://xforce.iss.net/xforce/xfdb/15004

Date Reported: 01/30/2004
Brief Description: FreeBSD mksnap_ffs security bypass
Risk Factor: Medium
Attack Type: Host Based
Platforms: FreeBSD 5.1-RELEASE, FreeBSD 5.2-RELEASE
Vulnerability: freebsd-mksnapffs-bypass-security
X-Force URL: http://xforce.iss.net/xforce/xfdb/15005

Date Reported: 02/03/2004
Brief Description: PhotoPost PHP Pro SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, PhotoPost PHP Pro
4.6 and earlier
Vulnerability: photopostphp-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15008

Date Reported: 02/02/2004
Brief Description: iSearch isearch.inc.php script PHP file include
Risk Factor: Medium
Attack Type: Network Based
Platforms: iSearch Any version, Linux Any version, Unix Any
version, Windows Any version
Vulnerability: isearch-isearchincphp-file-include
X-Force URL: http://xforce.iss.net/xforce/xfdb/15009

Date Reported: 01/30/2004
Brief Description: ChatterBox denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Any operating system Any version, ChatterBox 2.0
Vulnerability: chatterbox-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15011

Date Reported: 02/01/2004
Brief Description: suidperl information disclosure
Risk Factor: Medium
Attack Type: Host Based
Platforms: Debian Linux 3.0, Linux Any version, suidperl Any
version, Unix Any version
Vulnerability: suidperl-obtain-information
X-Force URL: http://xforce.iss.net/xforce/xfdb/15012

Date Reported: 01/31/2004
Brief Description: Aprox PHP portal index.php script directory
traversal
Risk Factor: Low
Attack Type: Network Based
Platforms: Any operating system Any version, Aprox PHP Portal
Any version
Vulnerability: aproxphpportal-index-directory-traversal
X-Force URL: http://xforce.iss.net/xforce/xfdb/15014

Date Reported: 01/31/2004
Brief Description: Apache httpd server httpd.conf could allow a local
user to bypass restrictions
Risk Factor: Medium
Attack Type: Host Based
Platforms: Apache HTTP Server 2.0.47 and earlier, Red Hat
Linux Any version, Windows XP Any version
Vulnerability: apache-httpd-bypass-restriction
X-Force URL: http://xforce.iss.net/xforce/xfdb/15015

Date Reported: 02/03/2004
Brief Description: util-linux information leak
Risk Factor: Medium
Attack Type: Host Based
Platforms: Red Hat Advanced Workstation 2.1, Red Hat
Enterprise Linux 2.1AS, Red Hat Enterprise Linux
2.1ES, Red Hat Enterprise Linux 2.1WS
Vulnerability: utillinux-information-leak
X-Force URL: http://xforce.iss.net/xforce/xfdb/15016

Date Reported: 02/03/2004
Brief Description: GNU Libtool creates insecure temporary directory
Risk Factor: Medium
Attack Type: Host Based
Platforms: Conectiva Linux 8.0, Conectiva Linux 9.0, GNU
Libtool prior to 1.5.2, Linux Any version
Vulnerability: libtool-insecure-temp-directory
X-Force URL: http://xforce.iss.net/xforce/xfdb/15017

Date Reported: 02/03/2004
Brief Description: Web Blog file parameter command execution
Risk Factor: High
Attack Type: Network Based
Platforms: Any operating system Any version, Web Blog 1.1.5
Vulnerability: webblog-file-command-execution
X-Force URL: http://xforce.iss.net/xforce/xfdb/15019

Date Reported: 02/03/2004
Brief Description: Tunez multiple SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Tunez prior to 1.20-pre2, Unix
Any version
Vulnerability: tunez-multiple-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15020

Date Reported: 02/03/2004
Brief Description: phpMyAdmin "dot dot" Directory Traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, phpMyAdmin 2.5.5-pl1 and prior,
Unix Any version, Windows Any version
Vulnerability: phpmyadmin-dotdot-directory-traversal
X-Force URL: http://xforce.iss.net/xforce/xfdb/15021

Date Reported: 02/03/2004
Brief Description: Web Crossing Content-Length header denial of
service
Risk Factor: Low
Attack Type: Network Based
Platforms: Any operating system Any version, Web Crossing 4.0,
Web Crossing 5.0
Vulnerability: webcrossing-contentlength-post-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15022

Date Reported: 02/02/2004
Brief Description: Gbook message HTML injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: GBook 1.0, Linux Any version, Unix Any version,
Windows Any version
Vulnerability: gbook-message-html-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15027

Date Reported: 01/30/2004
Brief Description: BugPort sensitive information exposure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, BugPort prior to
1.099
Vulnerability: bugport-obtain-information
X-Force URL: http://xforce.iss.net/xforce/xfdb/15030

Brief Description: Linley's Dungeon Crawl long environment variable
buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Debian Linux 3.0, Linley's Dungeon Crawl prior to
4.0.0 b23
Vulnerability: crawl-long-environment-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15032

Date Reported: 02/03/2004
Brief Description: X-Cart "dot dot" directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Windows Any
version, X-Cart 3.4.3
Vulnerability: xcart-dotdot-directory-traversal
X-Force URL: http://xforce.iss.net/xforce/xfdb/15033

Date Reported: 02/03/2004
Brief Description: X-Cart perl_binary variable command execution
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Windows Any
version, X-Cart 3.4.3
Vulnerability: xcart-perlbinary-execute-commands
X-Force URL: http://xforce.iss.net/xforce/xfdb/15034

Date Reported: 02/04/2004
Brief Description: ReviewPost PHP Pro showproduct.php and showcat.php
script SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, ReviewPost Pro
Any version
Vulnerability: reviewpostpro-showproduct-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15035

Date Reported: 02/04/2004
Brief Description: X-Cart general.php information disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Windows Any
version, X-Cart 3.4.3
Vulnerability: xcart-generalphp-obtain-information
X-Force URL: http://xforce.iss.net/xforce/xfdb/15036

Date Reported: 02/04/2004
Brief Description: RealOne Player multiple file buffer overflows
Risk Factor: High
Attack Type: Network Based
Platforms: Any operating system Any version, RealOne
Enterprise Desktop Any version, RealOne Player 1.0,
RealOne Player 2.0
Vulnerability: realoneplayer-multiple-file-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15040

Date Reported: 02/04/2004
Brief Description: RxGoogle query cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: RxGoogle Any version, Unix Any version
Vulnerability: rxgoogle-query-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15043

Date Reported: 02/04/2004
Brief Description: OpenBSD IPv6 packet denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: OpenBSD 3.4
Vulnerability: openbsd-ipv6-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15044

Date Reported: 02/04/2004
Brief Description: Linux kernel 2.4.x ixj telephony card driver buffer
overflow
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux kernel prior to 2.4.20, Red Hat Enterprise
Linux 2.1AS, Red Hat Enterprise Linux 2.1ES, Red
Hat Enterprise Linux 2.1WS
Vulnerability: linux-ixj-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15045

Date Reported: 02/04/2004
Brief Description: GNU Radius rad_print_request denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, GNU Radius 1.1
Vulnerability: radius-radprintrequest-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15046

Date Reported: 02/03/2004
Brief Description: PHPX subject HTML injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: BSD Any version, Linux Any version, PHPX 3.2.3,
Solaris Any version
Vulnerability: phpx-subject-html-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15050

Date Reported: 02/03/2004
Brief Description: PHPX main.inc.php and help.inc.php cross-site
scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: BSD Any version, Linux Any version, PHPX 3.2.3,
Solaris Any version
Vulnerability: phpx-main-help-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15051

Date Reported: 02/03/2004
Brief Description: PHPX could allow an attacker to modify cookie to
hijack another user's account
Risk Factor: Medium
Attack Type: Network Based
Platforms: BSD Any version, Linux Any version, PHPX 3.2.3,
Solaris Any version
Vulnerability: phpx-cookie-account-hijacking
X-Force URL: http://xforce.iss.net/xforce/xfdb/15052

Date Reported: 01/31/2004
Brief Description: SqWebMail login error information disclosure
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, SqWebMail Any version, Unix Any
version
Vulnerability: sqwebmail-login-info-disclosure
X-Force URL: http://xforce.iss.net/xforce/xfdb/15058

Date Reported: 02/05/2004
Brief Description: Oracle Database Server multiple functions buffer
overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Oracle9i Database Server Release 2 prior to
9.2.0.3, Unix Any version, Windows Any version
Vulnerability: oracle-multiple-function-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15060

Date Reported: 02/05/2004
Brief Description: Multiple vendor BSD platforms allows elevated
privileges
Risk Factor: High
Attack Type: Host Based
Platforms: FreeBSD Any version, NetBSD Any version, OpenBSD
3.x
Vulnerability: bsd-shmat-gain-privileges
X-Force URL: http://xforce.iss.net/xforce/xfdb/15061

Date Reported: 02/05/2004
Brief Description: Mambo Itemid parameter cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Mambo Open Source 4.5, Mambo Open Source 4.6, Unix
Any version, Windows 2000 Any version, Windows XP
Any version
Vulnerability: mambo-itemid-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15062

Date Reported: 02/06/2004
Brief Description: Apache-SSL has a default password
Risk Factor: Medium
Attack Type: Network Based
Platforms: Apache-SSL 1.3.28+1.52 and earlier, Linux Any version,
Windows Any version
Vulnerability: apachessl-default-password
X-Force URL: http://xforce.iss.net/xforce/xfdb/15065

Date Reported: 02/05/2004
Brief Description: Discuz! Board image tag cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Discuz! Board 2.x, Discuz! Board 3.x, Linux Any
version, Unix Any version, Windows Any version
Vulnerability: discuzboard-image-tag-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15066

Brief Description: OpenJournal uid could allow an attacker
administrative access
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, OpenJournal prior
to 2.06
Vulnerability: openjournal-uid-admin-access
X-Force URL: http://xforce.iss.net/xforce/xfdb/15069

unSpawn 02-13-2004 11:33 AM

Thread title: Feb 9th 2004 (SF) pt. 1/3
 
SecurityFocus


1. PhpGedView Editconfig_gedcom.php Directory Traversal Vulnera...
BugTraq ID: 9529
Remote: Yes
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9529
Summary:
PhpGedView is web-based genealogy software that is implemented in PHP.

A vulnerability has been reported to exist in PhpGedView that may allow a
remote attacker to access information outside the server root directory.
The problem exists due to insufficient sanitization of user-supplied data
via the 'gedcom_config' parameter of the 'editconfig_gedcom.php' script.
The issue may allow a remote attacker to traverse outside the server root
directory by using '../' character sequences.

Successful exploitation of this vulnerability may allow a remote attacker
to gain access to sensitive information that may be used to launch further
attacks against a vulnerable system.

PhpGedView versions 2.65.1 and prior have been reported to be prone to
this issue.

2. GNU LibTool Local Insecure Temporary Directory Creation Vuln...
BugTraq ID: 9530
Remote: No
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9530
Summary:
libtool is a freely available, open source library management script. It
is available for the Unix and Linux platforms.

A problem has been identified in the creation of temporary directories by
the libtool script. Because of this, an attacker may be able to corrupt
arbitrary files on a system.

libtool does not securely create temporary directories. When the script
is executed during compilation of a program, it creates a situation where
an attacker can potentially overwrite target files using predicted
symbolic links, potentially destroying data.

It should be noted that this issue only affects programs that use libtool
during compilation time. Additionally, resolution of this issue only
limits scope to programs that use the system libtool, and does not resolve
the issue in programs that package their own version of libtool.

3. PhpGedView [GED_File]_conf.php Remote File Include Vulnerabi...
BugTraq ID: 9531
Remote: Yes
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9531
Summary:
PhpGedView is web-based genealogy software that is implemented in PHP.

A vulnerability has been reported to exist in the software that may allow
an attacker to include malicious files containing arbitrary code to be
executed on a vulnerable system. The problem reportedly exists because
remote users may influence the 'PGV_BASE_DIRECTORY' variable in the
[GED_File]_conf.php module, which specifies an include path that is used
as an argument to the PHP require() function.

Remote attackers could potentially exploit this issue by influencing
the include path to specify a remote malicious PHP script, which will be
executed in the context of the web server hosting the vulnerable software.

PhpGedView versions 2.65.1 and prior have been reported to be prone to
this issue.

This issue may be related to PhpGedView Multiple PHP Remote File Include
Vulnerabilities BID 9368.

4. ChatterBox Remote Denial of Service Vulnerability
BugTraq ID: 9532
Remote: Yes
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9532
Summary:
ChatterBox is a multiple client, single server graphical chat program
implemented using Java with Swing user interface components. ChatterBox is
designed to run on any platform with a Java 2 runtime environment.

ChatterBox has been reported to be prone to a remote denial of service
vulnerability. This issue may be exploited by issuing irregular commands
to the chat server and is caused by a failure of the server to validate
input.

Successful exploitation will cause a denial of service condition in the
server application, forcing the affected process to crash and deny service
to legitimate users.

5. FreeBSD mksnap_ffs File System Option Reset Vulnerability
BugTraq ID: 9533
Remote: No
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9533
Summary:
FreeBSD 5.0-RELEASE and later includes a tool called mksnap_ffs to
facilitate taking snapshots of file systems. This utility is only
accessible to administrative users by default.

A vulnerability has been reported in the FreeBSD mksnap_ffs utility that
could cause file system security properties to be reset. When the utility
is run, it does not preserve various file system flags. If the file
system is restored from the snapshot, these settings will have their
default values, which may impact security if file system security settings
were enabled on the file system prior to the utility being run to take a
snapshot of the file system.

This could impact any extended access control lists that are enabled on
the file system or re-enable the use of setuid executables. The exact
consequences will depend on the security configuration that was in place
prior to the snapshot being taken and the file system being restored from
the snapshot.

6. Sun Solaris PFExec Custom Profile Arbitrary Privileges Vulne...
BugTraq ID: 9534
Remote: No
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9534
Summary:
Solaris is the Unix operating system distributed and maintained by Sun
Microsystems.

A problem in pfexec included with Sun Solaris has been identified.
Because of this issue, it may be possible for a local user to gain
elevated privileges.

pfexec is the profile execution command, used by the Role-Based Access
Control infrastructure to permit an attacker to execute certain commands
as a member of a specific group profile. This infrastructure can permit a
local user to execute certain commands that require privileges while
limiting or preventing access to other system commands.

It is possible for a system user that is a member of a specific custom
rights profile to abuse the rights profile to potentially execute
additional commands outside of the profile authorization. Specifics of
this vulnerability are not currently available. However, it is
conjectured that this issue could permit an attacker to gain access to
additional system authorizations.

7. JBrowser Browser.PHP Directory Traversal Vulnerability
BugTraq ID: 9535
Remote: Yes
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9535
Summary:
JBrowser is a web-based image gallery application implemented using PHP.

JBrowser has been reported to be prone to a directory traversal
vulnerability that may allow a remote attacker to gain access to files
readable by the web-server that reside outside of the server root
directory. The problem exists due to insufficient sanitization of
user-supplied data via the 'directory' parameter of the 'browser.php'
script.

Successful exploitation of this vulnerability may allow a remote attacker
to gain access to sensitive information that may be used to launch further
attacks against a vulnerable system.

8. Laurent Adda Les Commentaires PHP Script Multiple Module Fil...
BugTraq ID: 9536
Remote: Yes
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9536
Summary:
Laurent Adda Les Commentaires is a web based message board application
written in PHP.

A vulnerability has been reported to exist in the software that may allow
an attacker to include malicious external files containing arbitrary PHP
code to be executed on a vulnerable system. This vulnerability is reported
to exist because remote users can influence the 'rep' variable in the
'derniers_commentaires.php', 'admin.php', and 'fonctions.lib.php' modules
to specify an arbitrary include path.

Remote attackers could potentially exploit this issue via the vulnerable
variable to include a remote malicious script, which will be executed in
the context of the web server hosting the vulnerable software.

All versions of Les Commentaires have been reported to be prone to this
issue.

9. JBrowser Unauthorized Admin Access Vulnerability
BugTraq ID: 9537
Remote: Yes
Date Published: Jan 30 2004
Relevant URL: http://www.securityfocus.com/bid/9537
Summary:
JBrowser is a web-based image gallery application implemented using PHP.

Due to a lack of access validation to the '_admin' directory, malevolent
users may be able to execute arbitrary admin scripts. Potentially
exploitable scripts located in the '_admin' directory include
'upload.php3', 'upload_ftp.php3' and 'list_all.php'.

Using the 'upload.php3' and 'upload_ftp.php3' scripts a malevolent user
may be able to upload arbitrary files to any location on the system
accessible by the webserver. By specifying the file location an attacker
could save malicious files to the system or potentially overwrite
sensitive files.

Using the 'list_all.php' script a malevolent user may be able to traverse
outside of the web-server root directory by manipulating the 'folder'
parameter.

Exploitation of these issues could lead to disclosure of sensitive
information, which may facilitate further attacks against the affected
system. Furthermore these issues could allow an attacker to upload or
overwrite arbitrary files on the system. There may also be other
consequences associated with this vulnerability.

10. Leif M. Wright Web Blog Remote Command Execution Vulnerabili...
BugTraq ID: 9539
Remote: Yes
Date Published: Jan 31 2004
Relevant URL: http://www.securityfocus.com/bid/9539
Summary:
Web Blog is a web application, written by Leif M. Wright.

Web Blog has been reported to be prone to a vulnerability that may permit
remote attackers to execute arbitrary commands in the context of the
hosting web server. This is due to insufficient sanitization of shell
metacharacters from variables which will be used as an argument to a
function that invokes the shell directly.

This issue exists in the blog.cgi script and is exposed via the 'file' URI
parameter when submitting a 'ViewFile' request to the script.
Exploitation could permit a remote attacker to gain interactive access to
the underlying operating system of the host.

11. Aprox Portal File Disclosure Vulnerability
BugTraq ID: 9540
Remote: Yes
Date Published: Jan 31 2004
Relevant URL: http://www.securityfocus.com/bid/9540
Summary:
Aprox Portal is web portal software that is written in PHP.

Aprox Portal is prone to a vulnerability that may permit remote attackers
to gain access to files that are readable by the hosting web server.
These files may exist outside of the server root. The issue is reported
to exist in the 'index.php' script and may be exploited by providing the
absolute path to a system file as an argument for the 'show' parameter.

This could expose sensitive information that may be useful in further
attacks against the host.

12. SqWebMail Authentication Response Information Leakage Weakne...
BugTraq ID: 9541
Remote: Yes
Date Published: Jan 31 2004
Relevant URL: http://www.securityfocus.com/bid/9541
Summary:
SqWebMail is a web-based e-mail application.

SqWebMail leaks sensitive information in authentication responses that may
aid an attacker in brute forcing the root password on the
underlying operating system. The software reportedly issues different
responses when the user authenticates successfully as the root user than
when a failed attempt occurs.

For example, when an authentication attempt fails, the web interface will
issue the following response:
"invalid user or password"

When authentication succeeds for the root user, the interface reportedly
issues this response instead:
"maildir doesn't exist or has incorrect ownership or permission"

It should be noted that this may depend on there not being a Maildir for
the root user on the underlying operating system. This type of response
could also be issued for other users on the system that do not have a
Maildir.

This vulnerability may provide a covert means of brute-forcing the root
password via the SqWebMail interface.

This issue reportedly exists when SqWebMail is run with qmail, qmailadmin,
vpopmail with vchkpw-auth. Other reports specify that this issue exists
solely in SqWebMail.

13. BugPort Unauthorized Configuration File Viewing Vulnerabilit...
BugTraq ID: 9542
Remote: Yes
Date Published: Jan 31 2004
Relevant URL: http://www.securityfocus.com/bid/9542
Summary:
BugPort is a web-based bug tracking and development application that is
written in PHP.

A vulnerability has been reported in BugPort that has the potential to
disclose sensitive information to remote attackers. The contents of the
BugReport configuration file will be served to remote users who request
the file. The source of the vulnerability is that the configuration file
(conf/config.conf) will be served as opposed to interpreted due to the
file extension.

This could disclose sensitive configuration information that may be useful
when mounting further attacks.

14. Suidperl Unspecified Information Disclosure Vulnerability
BugTraq ID: 9543
Remote: No
Date Published: Feb 01 2004
Relevant URL: http://www.securityfocus.com/bid/9543
Summary:
SuidPerl is the Perl interpreter for setuid Perl scripts. It is included
with distributions of the Perl package and is available for Linux and Unix
variant operating environments.

A vulnerability has been reported in Suidperl that may cause sensitive
information to be disclosed to unauthorized users. This could potentially
permit users to enumerate the existence of files or determine other
attributes that should not be accessible to unprivileged users.

This issue may be exploited by a malicious local user.

15. PHP-Nuke Multiple Module SQL Injection Vulnerabilities
BugTraq ID: 9544
Remote: Yes
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9544
Summary:
PHP-Nuke is web portal software.

Multiple SQL injection vulnerabilities have been reported in various
modules included in PHP-Nuke versions 6.9 and earlier. These issues could
permit remote attackers to compromise PHP-Nuke user and administrative
accounts. The source of the problem is that affected modules do not
adequately sanitize user-supplied HTTP GET/POST data before including this
input in a database query. As a result, an attacker could modify the
logic and structure of database queries. Other attacks may also be
possible, such as gaining access to sensitive information.

These vulnerabilities were reported in the Web_Links, Downloads, Reviews,
Sections and Stories_Archive modules. Some of these issues may overlap
with previously reported SQL injection vulnerabilities in PHP-Nuke, but
have all been reportedly addressed in PHP-Nuke 7.0.

18. SGI IRIX Libdesktopicon.so Local Buffer Overflow Vulnerabili...
BugTraq ID: 9547
Remote: No
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9547
Summary:
A vulnerability has been reported in SGI IRIX that may allow an attacker
to execute arbitrary code on a vulnerable system in order to gain
unauthorized access.

The problem is reported to exist in libdesktopicon.so library. It has
been reported that the issue presents itself due to improper bounds
checking of the HOME environment variable. The HOME environment variable
is set to a long string. A buffer overflow condition may be caused by
supplying excessive data via this variable and invoking the
'/usr/sbin/printers' binary linked to the Libdesktopicon.so library. An
attacker may leverage the issues by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing the
affected procedures to return to an address of their choice.

Successful exploitation may allow a local attacker to ultimately execute
arbitrary code in order to gain unauthorized access to a system.

SGI IRIX versions 6.5.22 and prior may be prone to this issue.

19. Sun Solaris TCSetAttr System Hang Denial Of Service Vulnerab...
BugTraq ID: 9548
Remote: No
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9548
Summary:
Solaris is a freely available UNIX operating system distributed and
maintained by Sun Microsystems.

A vulnerability has been identified in the tcsetattr library call
available in default versions of Sun Solaris. Because of this, it may be
possible for an unprivileged local user to deny service to legitimate
users.

The problem is in invocation of the library call. Under some
circumstances, it may be possible to invoke the library in a method that
causes the system to hang for a period of time. This could potentially
result in a denial of service to legitimate users of the system, and could
potentially result in an extended denial of service.

20. Crob FTP Server Denial Of Service Vulnerability
BugTraq ID: 9549
Remote: Yes
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9549
Summary:
Crob FTP server is a file transfer utility developed for the Windows
platform.

A vulnerability has been reported in the Crob FTP server, which occurs due
to a lack of validation of input from the user. By issuing a malformed
request a malevolent user may be able to force the server to crash,
denying service to legitimate users.

This vulnerability was reported for Crob FTP Server 3.5.1, however earlier
versions may also be affected.

21. 0verkill Game Client Multiple Local Buffer Overflow Vulnerab...
BugTraq ID: 9550
Remote: Yes
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9550
Summary:
0verkill is a client-server game. It is available for the Linux, OS/2 and
Windows operating systems.

The 0verkill game client has been reported prone to multiple instances of
exploitable buffer overrun vulnerabilities. The functions that have been
reported to be affected are load_cfg(), save_cfg() and send_message().
These functions are implemented in client.c. It has been reported that due
to a lack of sufficient boundary checks performed on data contained in
HOME environment variables, a local attacker may overrun a 256-byte
stack-based buffer. Additionally, excessive data supplied as values for the
player's name and the hostname may also be used to corrupt sensitive
process memory. Finally, the potential buffer overflow reported to exist
in the network 'chat' routines may be exploited to overwrite 2 bytes of
data beyond the affected buffer.

An attacker may exploit any one of these issues to potentially execute
arbitrary instructions in the security context of the 0verkill game
client.

23. GNU Chess '-s' Local Buffer Overflow Vulnerability
BugTraq ID: 9553
Remote: No
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9553
Summary:
GNU Chess is a chess game developed for Linux and Unix based systems.

It has been reported that GNU Chess is prone to a buffer overflow issue
that may allow an attacker to gain elevated privileges.

The problem is present due to improper handling of user-supplied data from
'-s' command line parameters. A buffer overflow condition may be caused by
supplying more than 652 bytes of data as a value for this parameter. The
condition is present due to insufficient boundary checking. A local
attacker may leverage the issue by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing the
affected procedures to return to an address of their choice.

Successful exploitation may allow an attacker to ultimately execute
arbitrary code in the context of the affected application. Although
unconfirmed, GNU Chess is likely installed with setgid games privileges on
most systems.

24. SurgeFTP Surgeftpmgr.CGI Denial Of Service Vulnerability
BugTraq ID: 9554
Remote: Yes
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9554
Summary:
SurgeFTP server is a file transfer server. SurgeFTP server ships with an
administrative web interface.

A vulnerability has been reported in the administrative interface
(surgeftpmgr.cgi) of the SurgeFTP server. The issue occurs due to a lack
of validation of input supplied as a value for URI parameters to the
affected script. By issuing a malformed request a malevolent user may be
able to force the server to crash.

Although unconfirmed, this vulnerability may potentially exist as a result
of a format string handling issue.

A remote attacker may exploit this vulnerability by supplying URI
parameters that contain "%%" symbols to the affected script. It has been
reported that this will result in the server failing, effectively denying
service to legitimate users.

26. Clearswift MAILsweeper For SMTP RAR Archive Denial Of Servic...
BugTraq ID: 9556
Remote: Yes
Date Published: Jan 29 2004
Relevant URL: http://www.securityfocus.com/bid/9556
Summary:
MAILsweeper for SMTP is a commercial application for filtering e-mail
content at the gateway level.

MAILsweeper has been reported prone to a remote denial of service
vulnerability. The issue presents itself when MAILsweeper encounters an
email that has a malicious RAR archive attached. A properly constructed
RAR archive will trigger an infinite loop causing the affected software to
consume CPU system resources in an exponential manner.

A remote attacker may exploit this condition in order to deny service to
legitimate users of the targeted SMTP server.

27. All Enthusiast Photopost PHP Pro SQL Injection Vulnerability
BugTraq ID: 9557
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9557
Summary:
Photopost PHP Pro is a web based gallery application written in PHP.

A vulnerability has been reported to exist in the software that may allow
an attacker to influence SQL query logic to disclose sensitive information
that could be used to gain unauthorized access.

The issue exists due to insufficient sanitization of user-supplied data
via the 'photo' parameter of 'showphoto.php' script. It has been reported
that a malicious user may influence database queries in order to view or
modify sensitive information potentially compromising the software or the
underlying database.

Photopost PHP Pro versions 4.6 and prior have been reported to be prone to
this vulnerability.

unSpawn 02-13-2004 11:34 AM

Feb 9th 2004 (SF) pt. 2/3
 
SecurityFocus


28. Util-Linux Login Program Information Leakage Vulnerability
BugTraq ID: 9558
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9558
Summary:
Login is a component of the util-linux package. It is available for the
Linux platform.

A problem has been identified in the handling of information by the login
component of the util-linux package. Because of this, an attacker may be
able to gain access to sensitive information.

The problem is an issue in the handling of pointers within the program.
In some situations, a function within the program may attempt to use a
pointer in system memory that has already been freed and reallocated by
another function. Under these circumstances, it would be possible for an
attacker to gain access to potentially sensitive information.

It is conjectured that this issue requires specific circumstances and
numerous attempts to glean useful information. However, no
proof-of-concept exists upon which further analysis can be made.

29. PHP-Nuke GBook Module HTML Injection Vulnerability
BugTraq ID: 9559
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9559
Summary:
PHP-Nuke is web portal software. GBook is a guestbook module for
PHP-Nuke.

A vulnerability has been reported to exist in the software that may allow
a remote attacker to carry out HTML injection attacks in order to steal
sensitive data such as authentication credentials.

It has been reported that due to insufficient sanitization of
user-supplied data, various parameters passed to the GBook module are
vulnerable to HTML injection. Some of the affected parameters include
'name', 'email', 'city', and 'message'. As a result, users may include
malicious HTML and script code inside of guestbook entries. The
attacker-supplied code will be rendered in the web client of the user who
views a malicious guestbook entry, and will be executed in the security
context of the site hosting the guestbook software.

It has been noted that GBook employs HTTP POST requests to communicate
with the server and HTTP POST requests are filtered by PHP-Nuke. Due to
this, an attacker may not be able to directly inject HTML code into the
site; however, an attacker may pass malicious HTML code via a '$_COOKIE'
array. '$_COOKIE' arrays are reportedly not filtered by PHP-Nuke. If
administrative access is enabled in the software, this may allow the
attacker to steal cookie-based authentication credentials from the
administrative guestbook user. Other attacks may be possible as well.

Gbook script for PHP-Nuke version 1.0 has been tested for this issue,
however, it is likely that other versions of PHP-Nuke are vulnerable as
well.

30. Qualiteam X-Cart Remote Command Execution Vulnerability
BugTraq ID: 9560
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9560
Summary:
X-Cart is a web based shopping cart application implemented in PHP and
integrated with a MySQL database backend.

X-Cart has been reported to be prone to an issue that may allow remote
attackers to execute arbitrary commands on the affected system. The issue
is caused by a failure of the application to sanitize values specified by
parameters in the URI. This issue has been reported to affect the
'upgrade.php' and 'general.php' scripts which reside in the 'admin'
directory of the application.

The upgrade.php script expects the parameter 'perl_binary' to be specified
via the URI. The 'perl_binary' parameter is used by the application to
execute Perl scripts for upgrading the software. Due to insufficient
sanitization of the value passed through this parameter, it is possible to
specify any executable file that is readable by the web server.

The general.php expects the parameter 'config[General][perl_binary]' to be
specified via the URI. Insufficient sanitization of this value may also
allow remote command execution of applications that are readable by the
web server.

This issue is reported to affect X-Cart version 3.4.3, however other
versions of the software may also be vulnerable.

31. Sun ONE/iPlanet Web Server HTTP TRACE Credential Theft Vulne...
BugTraq ID: 9561
Remote: Yes
Date Published: Feb 02 2004
Relevant URL: http://www.securityfocus.com/bid/9561
Summary:
Sun ONE Web Server is a web server implementation that is maintained by
Sun Microsystems. It has been rebranded from iPlanet.

A vulnerability has been reported to exist in the software that may allow
a remote attacker to steal sensitive information such as cookie-based
authentication credentials.

It has been reported that Sun ONE/iPlanet Web Server responds to the HTTP
TRACE request by default. The HTTP TRACE request used for debugging
purposes allows a web server to echo the contents of the request back to
the client. The complete request, including HTTP headers, is returned in
the entity-body of a TRACE response. This request also allows web sites to
cause user browsers to issue TRACE requests.

Enabling HTTP TRACE functionality by default may allow an attacker to
compromise user accounts by gaining access to sensitive header
information. This issue may be combined with other attacks such as
cross-site scripting, to steal cookie-based authentication credentials.

32. Cisco IOS MSFC2 Malformed Layer 2 Frame Denial Of Service Vu...
BugTraq ID: 9562
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9562
Summary:
IOS is the device operating system available for the Cisco hardware
platform. It is maintained and distributed by Cisco.

A problem has been identified in the handling of specific types of traffic
by Cisco 6000, 6500, and 7600 routers with the MSFC2 device. Because of
this, an attacker could potentially crash a vulnerable system.

The problem is in the handling of malformed layer 2 frames, where a layer
2 frame encapsulating a layer 3 frame is sent to a Cisco device using an
affected version of IOS and the layer 2 frame length is inconsistent with
the encapsulated layer 3 packet. When an affected device receives such a
packet, it becomes unstable and crashes.

It should be noted that this vulnerability presents a risk under very
specific circumstances. The first circumstance is that a system on a
network segment local to the affected router can send a packet directly to
the router without intermediary hops that remove the layers 1 and 2
frames. The other is the circumstance that a tunnel to carry layer 2
frames between segments of networks exists, and a system on one segment of
network can send a malicious packet through the tunnel to a vulnerable
router on another segment of network.

33. Qualiteam X-Cart Multiple Remote Information Disclosure Vuln...
BugTraq ID: 9563
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9563
Summary:
X-Cart is a web based shopping cart application implemented in PHP and
integrated with a MySQL database backend.

X-Cart has been reported to be prone to an issue that may allow remote
attackers to view any web server readable files on the affected system.
The issue is caused by a failure of the application to sanitize values
specified by parameters in the URI. This issue has been reported to affect
the 'auth.php' script.

The auth.php script expects the parameters and 'shop_closed_file' to be
specified via the URI. The 'shop_closed_file' parameter is used by the
application to select the specified file to be viewed. Due to insufficient
sanitization of the value passed through this parameter, it is possible to
specify any file that is readable by the web server.

It has been reported that there is also an information disclosure issue
with the 'general.php' script that resides in the 'admin' directory of the
application. The 'mode' URI parameter can be set to request information
on the current PHP and Perl software versions, allowing potential
attackers to gain access to sensitive system details.

This issue is reported to affect X-Cart version 3.4.3, however other
versions of the software may also be vulnerable.

34. phpMyAdmin Export.PHP File Disclosure Vulnerability
BugTraq ID: 9564
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9564
Summary:
phpMyAdmin is a freely available tool that provides a web interface for
handling MySQL administrative tasks.

phpMyAdmin is prone to a vulnerability that may permit remote attackers to
gain access to files that are readable by the hosting web server. These
files may exist outside of the server root. The issue is reported to exist
in the 'export.php' script and may be exploited by providing directory
traversal sequences and the absolute path to a system file as an argument
for the 'what' URI parameter.

This could expose sensitive information that may be useful in further
attacks against the host.

35. Tunez Multiple Remote SQL Injection Vulnerabilities
BugTraq ID: 9565
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9565
Summary:
Tunez is a freely available, open source web MP3 jukebox. It is available
for the Unix and Linux platforms.

Several problems in the handling of user-supplied input have been
identified in Tunez. Because of this, an attacker may be able to gain
unauthorized access to the backend database.

Specific details concerning these issues are not currently available.
However, it has been disclosed by the project maintainers that numerous
SQL injection issues exist that can permit an attacker to submit SQL
directly to the database, potentially allowing an attacker to perform
unauthorized database functions.

36. Linley Henzell Dungeon Crawl Unspecified Local Buffer Overfl...
BugTraq ID: 9566
Remote: No
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9566
Summary:
Linley Henzell Dungeon Crawl is a console based game.

Dungeon Crawl has been reported to be prone to an unspecified local buffer
overflow vulnerability. The condition is present due to insufficient
boundary checking.

It has been reported that the software copies various environment
variables into a fixed size buffer without proper bounds checking. An
attacker may pass excessive data to the vulnerable application via an
affected environment variable. Immediate consequences of an attack may
result in a denial of service condition.

A local attacker may leverage the issue by exploiting an unbounded memory
copy operation to overwrite the saved return address/base pointer, causing
the affected procedures to return to an address of their choice.

Successful exploitation may allow an attacker to ultimately execute
arbitrary code in the context of the affected application. Although
unconfirmed, Crawl is likely installed with setgid games privileges on
most systems.

Crawl 4.0.0 beta 26 and prior may be prone to this issue.

39. PHPX Multiple Vulnerabilities
BugTraq ID: 9569
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9569
Summary:
PHPX is a PHP-based content management system.

Multiple vulnerabilities were reported in PHPX. The specific issues
include cross-site scripting, HTML injection and account hijacking via
specially crafted cookies.

Two cross-site scripting issues exist in the main.inc.php and help.inc.php
scripts. These are due to insufficient sanitization of input supplied via
URI parameters. In particular, main.inc.php does not sanitize input
supplied to the 'keywords' parameter while help.inc.php does not sanitize
input supplied to the 'body' parameter. An attacker could exploit these
issues by enticing a victim user to follow a malicious link that includes
embedded HTML and script code. This would most likely result in cookie
theft though other attacks are also possible.

HTML injection issues exist in the 'Subject' field for Personal Messages
and the Forum. This could permit a user of the software to persistently
inject hostile HTML and script code into the content management system.
The attacker could exploit this to steal cookies but it would also be
possible to influence site content.

An account hijacking vulnerability was reported due to insufficient
validation of values embedded in user-supplied cookies. Specifically, the
PXL cookie value corresponds to the userID and may be changed to an
arbitrary value, resulting in hijacking of other user and administrative
accounts.

These issues were reported to exist in PHPX 3.2.3. Earlier versions are
also likely affected.

40. Linux Kernel R128 Device Driver Unspecified Privilege Escala...
BugTraq ID: 9570
Remote: No
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9570
Summary:
The Linux Kernel supports numerous driver modules; one such is the R128
ATI Rage 128 bit video card driver module.

It has been reported that the Linux Kernel is prone to an unspecified
local privilege escalation vulnerability. The issue is reportedly due to
an R128 DRI limits checking issue and may lead to privilege escalation on
affected systems.

This BID will be updated with further technical details if more
information is made available.

41. Apache mod_digest Client-Supplied Nonce Verification Vulnera...
BugTraq ID: 9571
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9571
Summary:
mod_digest is a digest authentication module that is included in Apache
HTTPD.

Patches have been released for the Apache mod_digest module to include
digest replay protection. The module reportedly did not adequately verify
client-supplied nonces against the server issued nonce. The nonce is a
random server generated value that is sent for session verification
purposes during digest authentication. This vulnerability could permit a
remote attacker to replay the response of another website or section of
the same website under some circumstances, potentially allowing
unauthorized access to sessions.

It should be noted that this issue does not exist in mod_auth_digest
module.

42. FreeBSD NetINet TCP Maximum Segment Size Remote Denial Of Se...
BugTraq ID: 9572
Remote: Yes
Date Published: Feb 03 2004
Relevant URL: http://www.securityfocus.com/bid/9572
Summary:
The FreeBSD netinet implementation has been reported prone to a
vulnerability that may allow remote attackers to deny service to affected
servers.

The issue presents itself due to a lack of restrictions placed on TCP MSS
(Maximum Segment Size) values. When a TCP connection is negotiated the MSS
values are exchanged between the connected hosts. This may provide a
remote attacker an opportunity to set the Maximum Segment Size to a low
value (>64 octets). This will result in data transmission that consists of
large amounts of small packets. As the server attempts to commit to the
transmission, processing and receiving of this malicious traffic,
resources may be exhausted. Ultimately the affected server may cease to
serve legitimate traffic.

A remote attacker may exploit this condition to deny service to legitimate
users.

43. TYPSoft FTP Server Remote Denial Of Service Vulnerability
BugTraq ID: 9573
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9573
Summary:
TYPSoft FTP Server is a freely available ftp server implemented for the
Windows platform.

TYPSoft FTP server has been reported to be prone to a remote denial of
service vulnerability. A malevolent user may leverage this issue to cause
the ftp server to crash, denying service to legitimate users.

This issue can be leveraged by first authenticating with the server, and
then initiating the login sequence without supplying a user name. The
software attempts to carry out operations on an un-initialized buffer,
causing a dereference of unallocated memory and inevitably forcing the
server to crash.

This issue has been reported to affect version 1.10 of the software,
however previous versions may also be affected.

44. All Enthusiast ReviewPost PHP Pro Multiple SQL Injection Vul...
BugTraq ID: 9574
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9574
Summary:
ReviewPost PHP Pro is a web based bulletin board application written in
PHP.

Multiple vulnerabilities have been reported to exist in the software that
may allow an attacker to influence SQL query logic. This issue could be
exploited to disclose sensitive information that may be used to gain
unauthorized access.

The issues exist due to insufficient sanitization of user-supplied data
via the 'product' parameter of 'showproduct.php' script and the 'cat'
parameter of 'showcat.php' script. It has been reported that a malicious
user may influence database queries in order to view or modify sensitive
information potentially compromising the software or the underlying
database.

Although unconfirmed, ReviewPost PHP Pro 2.5.1 and prior may be prone to
these issues.

45. RXGoogle.CGI Cross Site Scripting Vulnerability.
BugTraq ID: 9575
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9575
Summary:
RXGoogle.CGI is a free search script implemented in perl that facilitates
internet wide searching from a local web site.

It has been reported that the rxgoogle.cgi search script is prone to a
cross site scripting vulnerability. This issue is reportedly due to a
failure to sanitize user input and so allows various meta-characters that
may facilitate cross site scripting attacks.

This could permit a remote attacker to create a malicious link to the web
server that includes hostile HTML and script code. If this link were
followed, the hostile code may be rendered in the web browser of the
victim user. This would occur in the security context of the web server
and may allow for theft of cookie-based authentication credentials or
other attacks.

46. Web Crossing Web Server Component Remote Denial Of Service V...
BugTraq ID: 9576
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9576
Summary:
Web Crossing is a collaboration server platform. Web Crossing ships with a
Web Server component.

The Web Crossing Web Server component has been reported prone to a remote
denial of service vulnerability. It has been reported that the issue will
present itself when the affected web server receives a malicious HTTP POST
request that contains negative or excessive values for the Content-Length
field in the HTTP header. When such a request is processed an integer
divide by zero operation will occur causing the affected server to crash.

A remote attacker may exploit this issue to deny service to the Web
Crossing Web Server.

47. OpenBSD ICMPV6 Handling Routines Remote Denial Of Service Vu...
BugTraq ID: 9577
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9577
Summary:
OpenBSD has been reported prone to a remote denial of service attack when
configured to process IPV6 traffic. The issue occurs when an affected host
handles ICMPV6 traffic that is configured with an arbitrarily low MTU
size. It has been reported that when traffic of the aforementioned type is
handled an unspecified kernel error occurs, denying service to the
affected system.

A remote attacker may exploit this vulnerability to deny service to
legitimate users.

FreeBSD does not appear to be affected. It is undetermined if NetBSD is
similarly affected. This BID will be updated as further information
relating to this issue is disclosed.

48. GNU Radius Remote Denial Of Service Vulnerability
BugTraq ID: 9578
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9578
Summary:
GNU Radius is a server used primarily by Internet service providers as a
solution for authentication and accounting.

GNU Radius has been reported prone to a remote denial of service
vulnerability. The issue presents itself when a single UDP datagram is
processed that contains an Acct-Status-Type attribute without any other
data. When the affected server handles this datagram, the server will
segfault due to a NULL Pointer dereference.

Specifically, when the Acct-Status-Type attribute is encountered the
following operation is processed:
avl_find(req->request, DA_ACCT_STATUS_TYPE);

Because the datagram contains no other data the following operation will
result in a null value for the *sid_pair pointer:
VALUE_PAIR *sid_pair = avl_find(req->request, DA_ACCT_SESSION_ID);

Finally when a member is referenced in the sid_pair structure, via the
following operation:
snprintf(nbuf, sizeof nbuf, "%ld", sid_pair->avp_lvalue);
The NULL pointer dereference operation will cause the service process to
fail.

It should be noted that although this issue has been reported to affect
GNU Radius version 1.1, previous versions might also be affected.

49. Multiple RealPlayer/RealOne Player Supported File Type Buffe...
BugTraq ID: 9579
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9579
Summary:
RealPlayer/RealOne Player are media players that are available for various
operating systems, including Microsoft Windows and Mac OS.

It has been reported that various RealPlayer/RealOne Player releases are
prone to multiple exploitable stack and heap overrun vulnerabilities.
This is due to insufficient bounds checking when handling malformed files
of various supported file types (.RP, .RT, .RAM, .RPM and .SMIL). When
the player loads such a file, stack or heap memory may be corrupted with
embedded data in the file, possibly allowing for sensitive variables in
memory to be overwritten. In this manner, it would be possible to execute
arbitrary code on the client system in the context of the user invoking
the vulnerable player.

This issue could be exploited by forcing a user to visit a malicious
website that is hosting the file, causing it to be automatically invoked.
File attachments also provide an attack vector, but would require the user
to interactively open the malformed file (with the exception of .RPM
files, which may automatically open).

50. RealPlayer/RealOne Player RMP File Handler Unspecified Code ...
BugTraq ID: 9580
Remote: Yes
Date Published: Feb 04 2004
Relevant URL: http://www.securityfocus.com/bid/9580
Summary:
RealPlayer/RealOne Player are media players that are available for various
operating systems, including Microsoft Windows and Mac OS.

RealPlayer/RealOne Players have been reported prone to an unspecified code
execution vulnerability. The issue occurs within the RMP file processing
routines of affected versions of the player.

Although unconfirmed it has been conjectured that arbitrary code execution
may occur when a malicious RMP file is processed. This will reportedly
cause malicious code to be downloaded and executed. Code execution would
occur in the context of the user who is running the affected player.

This BID will be updated as further details regarding this vulnerability
are disclosed.

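Added example for item 48, not part of the post above and not the GNU Radius source: a small C model of the accounting path whose three operations are quoted in the summary. The VALUE_PAIR layout, avl_find(), avl_free() and the datagram decoder are assumed stand-ins; the attribute numbers (40 for Acct-Status-Type, 44 for Acct-Session-Id) are the RFC 2866 values; both datagrams are constructed here, not captured. The vulnerable handler is kept for reading only, the hardened one rejects a record whose Acct-Session-Id lookup comes back NULL.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 2866 attribute numbers, named the way GNU Radius names them */
#define DA_ACCT_STATUS_TYPE 40
#define DA_ACCT_SESSION_ID  44
#define RAD_HDR_LEN         20   /* code, id, length (2), authenticator (16) */

/* Assumed stand-in for GNU Radius's VALUE_PAIR list, not the project's struct */
typedef struct value_pair {
    int attribute;
    long avp_lvalue;                 /* filled for 4-byte integer values */
    char avp_strvalue[254];          /* everything else, NUL-terminated */
    struct value_pair *next;
} VALUE_PAIR;

/* Linear lookup: NULL when the attribute is absent, which is the whole bug */
static VALUE_PAIR *avl_find(VALUE_PAIR *list, int attribute) {
    for (; list != NULL; list = list->next)
        if (list->attribute == attribute)
            return list;
    return NULL;
}

static void avl_free(VALUE_PAIR *list) {
    while (list != NULL) {
        VALUE_PAIR *next = list->next;
        free(list);
        list = next;
    }
}

/* Decode the TLV attribute section of one RADIUS datagram.  Returns NULL for
 * an empty or malformed section, so callers must check every lookup result. */
static VALUE_PAIR *rad_decode_attrs(const uint8_t *pkt, size_t len) {
    VALUE_PAIR *head = NULL, **tail = &head;
    if (len < RAD_HDR_LEN)
        return NULL;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];         /* Length field */
    if (total < RAD_HDR_LEN || total > len)
        return NULL;
    for (size_t off = RAD_HDR_LEN; off + 2 <= total; ) {
        uint8_t type = pkt[off], alen = pkt[off + 1];
        if (alen < 2 || off + alen > total) {               /* truncated attribute */
            avl_free(head);
            return NULL;
        }
        VALUE_PAIR *vp = calloc(1, sizeof *vp);
        if (vp == NULL) { avl_free(head); return NULL; }
        vp->attribute = type;
        size_t vlen = alen - 2;
        if (vlen == 4)
            vp->avp_lvalue = ((long)pkt[off + 2] << 24) | ((long)pkt[off + 3] << 16)
                           | ((long)pkt[off + 4] << 8)  |  (long)pkt[off + 5];
        else
            memcpy(vp->avp_strvalue, pkt + off + 2, vlen < 253 ? vlen : 253);
        *tail = vp;
        tail = &vp->next;
        off += alen;
    }
    return head;
}

/* The three operations quoted in the summary, in order.  Do not call this on a
 * datagram without Acct-Session-Id: the snprintf line dereferences NULL. */
int rad_acct_vulnerable(VALUE_PAIR *request, char *nbuf, size_t n) {
    if (avl_find(request, DA_ACCT_STATUS_TYPE) == NULL)
        return 0;                                           /* not an accounting record */
    VALUE_PAIR *sid_pair = avl_find(request, DA_ACCT_SESSION_ID);
    snprintf(nbuf, n, "%ld", sid_pair->avp_lvalue);         /* NULL deref -> segfault */
    return 1;
}

/* Hardened handler: Acct-Status-Type without Acct-Session-Id is rejected (-1) */
int rad_acct_fixed(VALUE_PAIR *request, char *nbuf, size_t n) {
    nbuf[0] = '\0';
    if (avl_find(request, DA_ACCT_STATUS_TYPE) == NULL)
        return 0;
    VALUE_PAIR *sid_pair = avl_find(request, DA_ACCT_SESSION_ID);
    if (sid_pair == NULL)
        return -1;                                          /* log and drop the datagram */
    snprintf(nbuf, n, "%ld", sid_pair->avp_lvalue);
    return 1;
}

/* Constructed datagrams (not captured traffic): Accounting-Request, code 4 */
static const uint8_t CRAFTED_PKT[] = {
    0x04, 0x01, 0x00, 0x1a,                                 /* code, id, length = 26 */
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,                     /* authenticator */
    0x28, 0x06, 0x00, 0x00, 0x00, 0x01                      /* Acct-Status-Type = Start, nothing else */
};
static const uint8_t GOOD_PKT[] = {
    0x04, 0x02, 0x00, 0x20,                                 /* length = 32 */
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x28, 0x06, 0x00, 0x00, 0x00, 0x01,                     /* Acct-Status-Type = Start */
    0x2c, 0x06, 0x00, 0x00, 0x00, 0x2a                      /* Acct-Session-Id = 42 (4-byte form) */
};

int datagram_has_attr(const uint8_t *pkt, size_t len, int attribute) {
    VALUE_PAIR *req = rad_decode_attrs(pkt, len);
    int found = avl_find(req, attribute) != NULL;
    avl_free(req);
    return found;
}

/* Hardened path end to end: -1 = rejected, 0 = not accounting, else the session number */
long process_acct_datagram(const uint8_t *pkt, size_t len) {
    char nbuf[32];
    VALUE_PAIR *req = rad_decode_attrs(pkt, len);
    int rc = rad_acct_fixed(req, nbuf, sizeof nbuf);
    avl_free(req);
    return rc <= 0 ? rc : strtol(nbuf, NULL, 10);
}

int main(void) {
    printf("crafted: has Session-Id=%d, fixed handler -> %ld\n",
           datagram_has_attr(CRAFTED_PKT, sizeof CRAFTED_PKT, DA_ACCT_SESSION_ID),
           process_acct_datagram(CRAFTED_PKT, sizeof CRAFTED_PKT));
    printf("good:    fixed handler -> %ld\n", process_acct_datagram(GOOD_PKT, sizeof GOOD_PKT));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. The crafted datagram decodes to a single Acct-Status-Type pair, the Session-Id lookup returns NULL, and the hardened handler returns -1 where the quoted code would have dereferenced sid_pair.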
unSpawn 02-13-2004 11:36 AM

Feb 9th 2004 (SF) pt. 3/3
 
SecurityFocus


51. Multiple Check Point Firewall-1 HTTP Security Server Remote ...
BugTraq ID: 9581
Remote: Yes
Date Published: Feb 05 2004
Relevant URL: http://www.securityfocus.com/bid/9581
Summary:
Firewall-1 is a commercially available enterprise firewall software
package. It is distributed by Check Point, and available for the Unix,
Linux, and Microsoft Windows platforms.

Problems in the handling of some types of HTTP requests from remote users
have been identified in Check Point Firewall-1 HTTP Application
Intelligence and HTTP Security Server. Because of this, it is possible
for a remote attacker to gain unauthorized access to a vulnerable system
with administrative privileges.

It has been reported that several occurrences of format string
vulnerabilities exist in the HTTP Application Intelligence and HTTP
Security Server components of Firewall-1. One disclosed example cites
placing an invalid scheme in a URI and submitting it to the vulnerable
component, resulting in an attacker passing an arbitrary format string to an
sprintf() call.

Other format string issues may result in heap corruption attacks. Since
the Firewall-1 software is most often executed as the administrative user
on systems, this issue has the potential to result in complete compromise
of an affected host.

52. Check Point VPN-1/SecuRemote ISAKMP Large Certificate Reques...
BugTraq ID: 9582
Remote: Yes
Date Published: Feb 05 2004
Relevant URL: http://www.securityfocus.com/bid/9582
Summary:
VPN-1, SecuRemote, and SecureClient are secure remote access components
distributed and maintained by Check Point Software. They are available
for the Unix, Linux, and Microsoft Windows platforms.

A problem has been identified in the handling of large Certificate Request
payload exchanges in Check Point VPN-1, SecuRemote, and SecureClient.
Because of this, it is possible for a remote attacker to gain unauthorized
access to vulnerable systems.

During the establishing of an ISAKMP session, it is possible for one
system to send to another a Certificate Request payload to solicit
credentials. However, bounds checking is not adequately performed on
received Certificate Request payload packets by clients or servers in the
Check Point implementations.

An attacker could take advantage of this issue to exploit a buffer
overflow in the client and server implementations, resulting in the
execution of attacker-supplied code with the privileges of the software,
run as the administrative user in typical configurations.

54. Crossday Discuz! Cross Site Scripting Vulnerability
BugTraq ID: 9584
Remote: Yes
Date Published: Feb 05 2004
Relevant URL: http://www.securityfocus.com/bid/9584
Summary:
Discuz! is web based message board software implemented in PHP.

It has been reported that Discuz! is prone to a Cross Site Scripting
vulnerability. This issue is caused by the application failing to
properly sanitize links embedded within user messages.

The software allows users to post images by enclosing the URL of an image
within [img]..[/img] tags. The application displays a thumbnail view of
the specified image as a link to the full size version. The URL of the
file that is specified between the image tags is not properly sanitized,
allowing a user to enter malicious script. This issue arises due to the
user specified URL being included inside JavaScript tags used to open the
image in a new browser window. This may allow the user to craft malicious
script and have it executed when an unsuspecting user follows the link.

An attacker may exploit this vulnerability to execute arbitrary HTML and
script code in the browser of an unsuspecting user who views the malicious
post. Code execution will occur in the context of the vulnerable site.
This issue may be exploited to steal cookie based credentials. Other
attacks are also possible.

56. BSD Kernel SHMAT System Call Privilege Escalation Vulnerabil...
BugTraq ID: 9586
Remote: No
Date Published: Feb 05 2004
Relevant URL: http://www.securityfocus.com/bid/9586
Summary:
A vulnerability has been reported to exist in the shmat system call used
in the BSD kernel. This may allow a local attacker to inject instructions
into the memory of a privileged process.

BSD systems support the System V Shared Memory interface that provides
primitives for sharing memory segments between separate processes. The
shmat(2) system call allows a shared memory segment that is created with
the shmget(2) function to be mapped to the calling process's address
space. The issue presents itself due to an error in the shmat(2) system
call which is included with the System V Shared Memory interface.
shmat(2) is implemented in the sysv_shm.c file.

The vulnerability occurs when shmat(2) does not decrement the reference
count of a shared memory segment when an error occurs. Reportedly,
shmat(2) increments a count prior to attempting to reference a virtual
memory object, but fails to decrement the count when an error occurs. An
attacker could create two shared memory segments, then abuse the shmat
system call with invalid calls (the reported amount is 2^32-2 calls, or
4,294,967,294) to force a wrapping of the count in memory. Upon
dereferencing one of the shared memory segments and executing a privileged
program, the attacker could force the privileged program to reuse the
section of shared memory still under control of the attacker.

The attacker could use this as a means of modifying the memory of the
running process, executing arbitrary attacker-supplied instructions
injected into the running process memory, granting privilege escalation to
the attacker.

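Added example for item 51, not part of the post above and not Check Point's code: the format-string pattern the summary describes, in C, with the check a practitioner would put in front of it. The message text, the emit() logging wrapper, the scheme validator and the probe URI are assumptions for illustration; the scheme grammar is the one from RFC 3986.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Logging wrapper of the kind such bugs usually hide behind: the format comes
 * from the caller, so the compiler cannot check what ends up in it. */
static void emit(char *out, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsprintf(out, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape: the rejected URI (attacker data) becomes the format string.
 * A scheme such as "%x%x%n" would then read and write the stack.  Shown for
 * the pattern only; never call it on untrusted input. */
void log_bad_scheme_vuln(char *out, const char *uri) {
    char msg[256];
    snprintf(msg, sizeof msg, "unsupported scheme in request: %s", uri);
    emit(out, msg);                          /* BUG: msg is used as the format */
}

/* Fixed shape: constant format, data only ever through %s, bounded output */
int log_bad_scheme_fixed(char *out, size_t n, const char *uri) {
    return snprintf(out, n, "unsupported scheme in request: %s", uri);
}

/* RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), ended by ':'.
 * Check this before the URI reaches any error or log path; '%' is never legal. */
int uri_scheme_is_valid(const char *uri) {
    const char *p = uri;
    if (!isalpha((unsigned char)*p))
        return 0;
    for (p++; *p != '\0' && *p != ':'; p++)
        if (!isalnum((unsigned char)*p) && *p != '+' && *p != '-' && *p != '.')
            return 0;
    return *p == ':';
}

/* Number of printf conversions in a string ("%%" is a literal, not a conversion);
 * handy when reviewing logged request lines for probes of this kind. */
int count_format_directives(const char *s) {
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* 1 if the fixed path renders the attacker's directives as literal text */
int fixed_keeps_literal(const char *uri) {
    char out[128];
    log_bad_scheme_fixed(out, sizeof out, uri);
    return strstr(out, uri) != NULL;
}

int main(void) {
    const char *probe = "%x%x%n://example.test/";    /* constructed probe URI */
    printf("scheme valid: %d, directives: %d, literal after fix: %d\n",
           uri_scheme_is_valid(probe), count_format_directives(probe),
           fixed_keeps_literal(probe));
    return 0;
}
```

The validator rejects the probe before any message is built, and even if it is built, the fixed path writes the `%x%x%n` characters out as text rather than interpreting them.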

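Added example for item 56, not part of the post above and not the sysv_shm.c code: a user-space C model of the reference-count leak and of what a wrapped count lets an attacker do. Everything here is a simplification: the count is 8 bits wide so the wrap takes 255 failing calls rather than the ~2^32 the summary cites, the "allocator" has a single slot so a freed object is handed straight back out, and the mapping is a plain pointer into that object. The fixed variant only differs in dropping its reference on the error path.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a shared memory segment's backing object.  The kernel count is
 * 32 bits wide; 8 bits here so the wrap takes 255 failing calls, not ~2^32. */
typedef struct {
    uint8_t refcnt;
    int     in_use;
    char    data[32];
} shm_object;

enum { SHMAT_OK = 0, SHMAT_EINVAL = -1 };

/* One-slot "kernel allocator": a freed slot is handed straight back out,
 * which is what lets a later segment land on the attacker's stale mapping. */
static shm_object g_slot;

static shm_object *shm_alloc(void) {
    if (g_slot.in_use)
        return NULL;
    memset(&g_slot, 0, sizeof g_slot);
    g_slot.in_use = 1;
    g_slot.refcnt = 1;                   /* reference held by the segment itself (shmget) */
    return &g_slot;
}

static void shm_unref(shm_object *o) {
    if (--o->refcnt == 0)
        o->in_use = 0;                   /* object freed */
}

/* Vulnerable attach: reference taken before the mapping is validated and
 * never released on the error path. */
static int shmat_vuln(shm_object *o, int mapping_valid) {
    o->refcnt++;
    if (!mapping_valid)
        return SHMAT_EINVAL;             /* BUG: leaked reference */
    return SHMAT_OK;
}

/* Fixed attach: the early return undoes the reference it took */
static int shmat_fixed(shm_object *o, int mapping_valid) {
    o->refcnt++;
    if (!mapping_valid) {
        o->refcnt--;
        return SHMAT_EINVAL;
    }
    return SHMAT_OK;
}

/* Play the attack against one attach implementation.  Returns 1 if the
 * attacker's stale mapping ends up aliasing the privileged program's new
 * segment, i.e. bytes written through it are what the privileged side reads. */
int run_attack(int (*shmat_impl)(shm_object *, int)) {
    g_slot.in_use = 0;
    shm_object *seg = shm_alloc();       /* attacker: shmget() -> refcnt 1 */
    shmat_impl(seg, 1);                  /* attacker: valid shmat() -> refcnt 2 */
    char *stale_map = seg->data;         /* the mapping the attacker keeps */
    for (int i = 0; i < 255; i++)        /* 255 failing calls: 2 + 255 wraps to 1 */
        shmat_impl(seg, 0);
    shm_unref(seg);                      /* attacker: shmctl(IPC_RMID) */
    int freed_while_mapped = !seg->in_use;
    shm_object *priv = shm_alloc();      /* privileged program: shmget() */
    if (priv == NULL)
        return 0;                        /* slot still live, nothing to alias */
    strcpy(priv->data, "trusted");
    memcpy(stale_map, "pwned", 6);       /* attacker writes through the dangling mapping */
    return freed_while_mapped && strcmp(priv->data, "pwned") == 0;
}

int main(void) {
    printf("leaky shmat: privileged segment hijacked = %d\n", run_attack(shmat_vuln));
    printf("fixed shmat: privileged segment hijacked = %d\n", run_attack(shmat_fixed));
    return 0;
}
```

With the leaky attach the count reads 1 while two holders exist, so the attacker's IPC_RMID frees the object under its own live mapping and the next segment reuses it; with the fixed attach the count is still 2 after the failing calls, the RMID only brings it to 1, and the allocator has nothing to hand out.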