SecurityFocus
28. Util-Linux Login Program Information Leakage Vulnerability
BugTraq ID: 9558
Remote: Yes
Date Published: Feb 03 2004
Relevant URL:
http://www.securityfocus.com/bid/9558
Summary:
Login is a component of the util-linux package. It is available for the
Linux platform.
A problem has been identified in the handling of information by the login
component of the util-linux package. Because of this, an attacker may be
able to gain access to sensitive information.
The problem is an issue in the handling of pointers within the program.
In some situations, a function within the program may attempt to use a
pointer in system memory that has already been freed and reallocated by
another function. Under these circumstances, it would be possible for an
attacker to gain access to potentially sensitive information.
It is conjectured that this issue requires specific circumstances and
numerous attempts to glean useful information. However, no
proof-of-concept exists upon which further analysis can be made.
29. PHP-Nuke GBook Module HTML Injection Vulnerability
BugTraq ID: 9559
Remote: Yes
Date Published: Feb 03 2004
Relevant URL:
http://www.securityfocus.com/bid/9559
Summary:
PHP-Nuke is web portal software. GBook is a guestbook module for
PHP-Nuke.
A vulnerability has been reported to exist in the software that may allow
a remote attacker to carry out HTML injection attacks in order to steal
sensitive data such as authentication credentials.
It has been reported that due to insufficient sanitization of
user-supplied data, various parameters passed to the GBook module are
vulnerable to HTML injection. Some of the affected parameters include
'name', 'email', 'city', and 'message'. As a result, users may include
malicious HTML and script code inside of guestbook entries. The
attacker-supplied code will be rendered in the web client of the user who
views a malicious guestbook entry, and will be executed in the security
context of the site hosting the guestbook software.
It has been noted that GBook employs HTTP POST requests to communicate
with the server and that HTTP POST requests are filtered by PHP-Nuke. Due
to this, an attacker may not be able to directly inject HTML code into the
site; however, an attacker may pass malicious HTML code via the '$_COOKIE'
array, which is reportedly not filtered by PHP-Nuke. If administrative
access is enabled in the software, this may allow the attacker to steal
cookie-based authentication credentials from the administrative guestbook
user. Other attacks may be possible as well.
The GBook script for PHP-Nuke version 1.0 has been tested for this issue;
however, it is likely that other versions of PHP-Nuke are vulnerable as
well.
30. Qualiteam X-Cart Remote Command Execution Vulnerability
BugTraq ID: 9560
Remote: Yes
Date Published: Feb 03 2004
Relevant URL:
http://www.securityfocus.com/bid/9560
Summary:
X-Cart is a web based shopping cart application implemented in PHP and
integrated with a MySQL database backend.
X-Cart has been reported to be prone to an issue that may allow remote
attackers to execute arbitrary commands on the affected system. The issue
is caused by a failure of the application to sanitize values specified by
parameters in the URI. This issue has been reported to affect the
'upgrade.php' and 'general.php' scripts which reside in the 'admin'
directory of the application.
The upgrade.php script expects the parameter 'perl_binary' to be specified
via the URI. The 'perl_binary' parameter is used by the application to
execute Perl scripts for upgrading the software. Due to insufficient
sanitization of the value passed through this parameter, it is possible to
specify any executable file that is readable by the web server.
The general.php script expects the parameter 'config[General][perl_binary]'
to be specified via the URI. Insufficient sanitization of this value may
also allow remote execution of any application that is readable by the
web server.
This issue is reported to affect X-Cart version 3.4.3; however, other
versions of the software may also be vulnerable.
31. Sun ONE/iPlanet Web Server HTTP TRACE Credential Theft Vulne...
BugTraq ID: 9561
Remote: Yes
Date Published: Feb 02 2004
Relevant URL:
http://www.securityfocus.com/bid/9561
Summary:
Sun ONE Web Server is a web server implementation that is maintained by
Sun Microsystems. It has been rebranded from iPlanet.
A vulnerability has been reported to exist in the software that may allow
a remote attacker to steal sensitive information such as cookie-based
authentication credentials.
It has been reported that Sun ONE/iPlanet Web Server responds to the HTTP
TRACE request by default. The HTTP TRACE request used for debugging
purposes allows a web server to echo the contents of the request back to
the client. The complete request, including HTTP headers, is returned in
the entity-body of a TRACE response. This request also allows web sites to
cause user browsers to issue TRACE requests.
Enabling HTTP TRACE functionality by default may allow an attacker to
compromise user accounts by gaining access to sensitive header
information. This issue may be combined with other attacks such as
cross-site scripting, to steal cookie-based authentication credentials.
32. Cisco IOS MSFC2 Malformed Layer 2 Frame Denial Of Service Vu...
BugTraq ID: 9562
Remote: Yes
Date Published: Feb 03 2004
Relevant URL:
http://www.securityfocus.com/bid/9562
Summary:
IOS is the device operating system available for the Cisco hardware
platform. It is maintained and distributed by Cisco.
A problem has been identified in the handling of specific types of traffic
by Cisco 6000, 6500, and 7600 routers with the MSFC2 device. Because of
this, an attacker could potentially crash a vulnerable system.
The problem is in the handling of malformed layer 2 frames. When a layer
2 frame encapsulating a layer 3 packet is sent to a Cisco device running an
affected version of IOS, and the layer 2 frame length is inconsistent with
the encapsulated layer 3 packet, the device becomes unstable and crashes
on receiving it.
It should be noted that this vulnerability presents a risk only under two
specific circumstances. The first is that a system on a network segment
local to the affected router can send a packet directly to the router
without intermediary hops that strip the layer 1 and layer 2 framing. The
second is that a tunnel carrying layer 2 frames between network segments
exists, so that a system on one segment can send a malicious packet
through the tunnel to a vulnerable router on another segment.
33. Qualiteam X-Cart Multiple Remote Information Disclosure Vuln...
BugTraq ID: 9563
Remote: Yes
Date Published: Feb 03 2004
Relevant URL:
http://www.securityfocus.com/bid/9563
Summary:
X-Cart is a web based shopping cart application implemented in PHP and
integrated with a MySQL database backend.
X-Cart has been reported to be prone to an issue that may allow remote
attackers to view any web server readable files on the affected system.
The issue is caused by a failure of the application to sanitize values
specified by parameters in the URI. This issue has been reported to affect
the 'auth.php' script.
The auth.php script expects the 'shop_closed_file' parameter to be
specified via the URI. The 'shop_closed_file' parameter is used by the
application to select the file to be viewed. Due to insufficient
sanitization of the value passed through this parameter, it is possible to
specify any file that is readable by the web server.
It has been reported that there is also an information disclosure issue
with the 'general.php' script that resides in the 'admin' directory of the
application. The 'mode' URI parameter can be set to request information
on the current PHP and Perl software versions, allowing potential
attackers to gain access to sensitive system details.
This issue is reported to affect X-Cart version 3.4.3; however, other
versions of the software may also be vulnerable.
34. phpMyAdmin Export.PHP File Disclosure Vulnerability
BugTraq ID: 9564
Remote: Yes
Date Published: Feb 03 2004
Relevant URL:
http://www.securityfocus.com/bid/9564
Summary:
phpMyAdmin is a freely available tool that provides a web interface for
handling MySQL administrative tasks.
phpMyAdmin is prone to a vulnerability that may permit remote attackers to
gain access to files that are readable by the hosting web server. These
files may exist outside of the server root. The issue is reported to exist
in the 'export.php' script and may be exploited by providing directory
traversal sequences and the absolute path to a system file as an argument
for the 'what' URI parameter.
This could expose sensitive information that may be useful in further
attacks against the host.
35. Tunez Multiple Remote SQL Injection Vulnerabilities
BugTraq ID: 9565
Remote: Yes
Date Published: Feb 03 2004
Relevant URL:
http://www.securityfocus.com/bid/9565
Summary:
Tunez is a freely available, open source web MP3 jukebox. It is available
for the Unix and Linux platforms.
Several problems in the handling of user-supplied input have been
identified in Tunez. Because of this, an attacker may be able to gain
unauthorized access to the backend database.
Specific details concerning these issues are not currently available.
However, it has been disclosed by the project maintainers that numerous
SQL injection issues exist that can permit an attacker to submit SQL
directly to the database, potentially allowing an attacker to perform
unauthorized database functions.
36. Linley Henzell Dungeon Crawl Unspecified Local Buffer Overfl...
BugTraq ID: 9566
Remote: No
Date Published: Feb 03 2004
Relevant URL:
http://www.securityfocus.com/bid/9566
Summary:
Linley Henzell Dungeon Crawl is a console based game.
Dungeon Crawl has been reported to be prone to an unspecified local buffer
overflow vulnerability. The condition is present due to insufficient
boundary checking.
It has been reported that the software copies various environment
variables into a fixed size buffer without proper bounds checking. An
attacker may pass excessive data to the vulnerable application via an
affected environment variable. Immediate consequences of an attack may
result in a denial of service condition.
A local attacker may leverage the issue by exploiting an unbounded memory
copy operation to overwrite the saved return address/base pointer, causing
the affected procedures to return to an address of their choice.
Successful exploitation may allow an attacker to ultimately execute
arbitrary code in the context of the affected application. Although
unconfirmed, Crawl is likely installed with setgid games privileges on
most systems.
Crawl 4.0.0 beta 26 and prior may be prone to this issue.
39. PHPX Multiple Vulnerabilities
BugTraq ID: 9569
Remote: Yes
Date Published: Feb 03 2004
Relevant URL:
http://www.securityfocus.com/bid/9569
Summary:
PHPX is a PHP-based content management system.
Multiple vulnerabilities were reported in PHPX. The specific issues
include cross-site scripting, HTML injection and account hijacking via
specially crafted cookies.
Two cross-site scripting issues exist in the main.inc.php and help.inc.php
scripts. These are due to insufficient sanitization of input supplied via
URI parameters. In particular, main.inc.php does not sanitize input
supplied to the 'keywords' parameter while help.inc.php does not sanitize
input supplied to the 'body' parameter. An attacker could exploit these
issues by enticing a victim user to follow a malicious link that includes
embedded HTML and script code. This would most likely result in cookie
theft, though other attacks are also possible.
HTML injection issues exist in the 'Subject' field for Personal Messages
and the Forum. This could permit a user of the software to persistently
inject hostile HTML and script code into the content management system.
The attacker could exploit this to steal cookies but it would also be
possible to influence site content.
An account hijacking vulnerability was reported due to insufficient
validation of values embedded in user-supplied cookies. Specifically, the
PXL cookie value corresponds to the userID and may be changed to an
arbitrary value, resulting in hijacking of other user and administrative
accounts.
These issues were reported to exist in PHPX 3.2.3. Earlier versions are
also likely affected.
40. Linux Kernel R128 Device Driver Unspecified Privilege Escala...
BugTraq ID: 9570
Remote: No
Date Published: Feb 03 2004
Relevant URL:
http://www.securityfocus.com/bid/9570
Summary:
The Linux Kernel supports numerous driver modules; one such is the R128
ATI Rage 128 bit video card driver module.
It has been reported that the Linux Kernel is prone to an unspecified
local privilege escalation vulnerability. The issue is reportedly due to
an R128 DRI limits checking issue and may lead to privilege escalation on
affected systems.
This BID will be updated with further technical details if more
information is made available.
41. Apache mod_digest Client-Supplied Nonce Verification Vulnera...
BugTraq ID: 9571
Remote: Yes
Date Published: Feb 03 2004
Relevant URL:
http://www.securityfocus.com/bid/9571
Summary:
mod_digest is a digest authentication module that is included in Apache
HTTPD.
Patches have been released for the Apache mod_digest module to include
digest replay protection. The module reportedly did not adequately verify
client-supplied nonces against the server issued nonce. The nonce is a
random server generated value that is sent for session verification
purposes during digest authentication. This vulnerability could permit a
remote attacker to replay the response of another website or section of
the same website under some circumstances, potentially allowing
unauthorized access to sessions.
It should be noted that this issue does not exist in mod_auth_digest
module.
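As an added illustration of the check the advisory says was missing (this is constructed example code, not Apache's mod_digest or its fix), the server below remembers every nonce it issued together with the protection space it was issued for, and accepts an Authorization header only if the client's nonce was issued by this server for that realm, is not expired, and carries a strictly increasing nonce count. The table size, the TTL and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_NONCES 16      /* assumed table size for the illustration */
#define NONCE_TTL  300     /* assumed lifetime of a nonce, in seconds */

struct issued_nonce {
    char nonce[33];        /* opaque value the server put in WWW-Authenticate */
    char realm[32];        /* protection space the nonce was issued for */
    time_t issued;         /* when it was handed out */
    unsigned long last_nc; /* highest nonce-count accepted so far; 0 = unused */
    int in_use;
};

static struct issued_nonce table[MAX_NONCES];

/* Record a nonce the server just issued for `realm`. The caller supplies a
 * random nonce value. Returns 0 on success, -1 when the table is full. */
int nonce_issue(const char *nonce, const char *realm, time_t now)
{
    for (int i = 0; i < MAX_NONCES; i++) {
        if (!table[i].in_use) {
            snprintf(table[i].nonce, sizeof table[i].nonce, "%s", nonce);
            snprintf(table[i].realm, sizeof table[i].realm, "%s", realm);
            table[i].issued = now;
            table[i].last_nc = 0;
            table[i].in_use = 1;
            return 0;
        }
    }
    return -1;
}

/* Validate the nonce and nc fields from a client's Authorization header.
 *  1 = accept, 0 = nonce never issued by this server (forged or foreign),
 * -1 = issued for another realm, -2 = stale, -3 = replayed nonce count. */
int nonce_verify(const char *nonce, const char *realm, unsigned long nc, time_t now)
{
    for (int i = 0; i < MAX_NONCES; i++) {
        if (!table[i].in_use || strcmp(table[i].nonce, nonce) != 0)
            continue;
        if (strcmp(table[i].realm, realm) != 0)
            return -1;     /* response from another section of the site */
        if (now - table[i].issued > NONCE_TTL)
            return -2;     /* client must re-authenticate with a fresh nonce */
        if (nc <= table[i].last_nc)
            return -3;     /* replay: nc must strictly increase per nonce */
        table[i].last_nc = nc;
        return 1;
    }
    return 0;              /* never issued here: reject rather than trust it */
}

int main(void)
{
    time_t t0 = 1000000;   /* constructed clock value */
    nonce_issue("a1b2c3d4e5f6", "site-admin", t0);
    printf("first use:   %d\n", nonce_verify("a1b2c3d4e5f6", "site-admin", 1, t0 + 1));
    printf("replayed nc: %d\n", nonce_verify("a1b2c3d4e5f6", "site-admin", 1, t0 + 2));
    printf("other realm: %d\n", nonce_verify("a1b2c3d4e5f6", "site-public", 2, t0 + 3));
    printf("forged:      %d\n", nonce_verify("ffffffffffff", "site-admin", 1, t0 + 4));
    return 0;
}
```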
42. FreeBSD NetINet TCP Maximum Segment Size Remote Denial Of Se...
BugTraq ID: 9572
Remote: Yes
Date Published: Feb 03 2004
Relevant URL:
http://www.securityfocus.com/bid/9572
Summary:
The FreeBSD netinet implementation has been reported prone to a
vulnerability that may allow remote attackers to deny service to affected
servers.
The issue presents itself due to a lack of restrictions placed on TCP MSS
(Maximum Segment Size) values. When a TCP connection is negotiated, the MSS
values are exchanged between the connected hosts. This may provide a
remote attacker an opportunity to set the Maximum Segment Size to a low
value (>64 octets). This will result in data transmission that consists of
large amounts of small packets. As the server attempts to commit to the
transmission, processing and receiving of this malicious traffic,
resources may be exhausted. Ultimately the affected server may cease to
serve legitimate traffic.
A remote attacker may exploit this condition to deny service to legitimate
users.
43. TYPSoft FTP Server Remote Denial Of Service Vulnerability
BugTraq ID: 9573
Remote: Yes
Date Published: Feb 04 2004
Relevant URL:
http://www.securityfocus.com/bid/9573
Summary:
TYPSoft FTP Server is a freely available FTP server implemented for the
Windows platform.
TYPSoft FTP Server has been reported to be prone to a remote denial of
service vulnerability. A malevolent user may leverage this issue to cause
the FTP server to crash, denying service to legitimate users.
This issue can be leveraged by first authenticating with the server, and
then initiating the login sequence without supplying a user name. The
software attempts to carry out operations on an uninitialized buffer,
causing a dereference of unallocated memory and inevitably forcing the
server to crash.
This issue has been reported to affect version 1.10 of the software,
however previous versions may also be affected.
44. All Enthusiast ReviewPost PHP Pro Multiple SQL Injection Vul...
BugTraq ID: 9574
Remote: Yes
Date Published: Feb 04 2004
Relevant URL:
http://www.securityfocus.com/bid/9574
Summary:
ReviewPost PHP Pro is a web based bulletin board application written in
PHP.
Multiple vulnerabilities have been reported to exist in the software that
may allow an attacker to influence SQL query logic. This issue could be
exploited to disclose sensitive information that may be used to gain
unauthorized access.
The issues exist due to insufficient sanitization of user-supplied data
via the 'product' parameter of 'showproduct.php' script and the 'cat'
parameter of 'showcat.php' script. It has been reported that a malicious
user may influence database queries in order to view or modify sensitive
information potentially compromising the software or the underlying
database.
Although unconfirmed, ReviewPost PHP Pro 2.5.1 and prior may be prone to
these issues.
45. RXGoogle.CGI Cross Site Scripting Vulnerability.
BugTraq ID: 9575
Remote: Yes
Date Published: Feb 04 2004
Relevant URL:
http://www.securityfocus.com/bid/9575
Summary:
RXGoogle.CGI is a free search script implemented in Perl that facilitates
Internet-wide searching from a local web site.
It has been reported that the rxgoogle.cgi search script is prone to a
cross-site scripting vulnerability. This issue is reportedly due to a
failure to sanitize user input, which allows various meta-characters that
may facilitate cross-site scripting attacks.
This could permit a remote attacker to create a malicious link to the web
server that includes hostile HTML and script code. If this link were
followed, the hostile code may be rendered in the web browser of the
victim user. This would occur in the security context of the web server
and may allow for theft of cookie-based authentication credentials or
other attacks.
46. Web Crossing Web Server Component Remote Denial Of Service V...
BugTraq ID: 9576
Remote: Yes
Date Published: Feb 04 2004
Relevant URL:
http://www.securityfocus.com/bid/9576
Summary:
Web Crossing is a collaboration server platform. Web Crossing ships with a
Web Server component.
The Web Crossing Web Server component has been reported prone to a remote
denial of service vulnerability. It has been reported that the issue will
present itself when the affected web server receives a malicious HTTP POST
request that contains negative or excessive values for the Content-Length
field in the HTTP header. When such a request is processed, an integer
divide-by-zero operation will occur, causing the affected server to crash.
A remote attacker may exploit this issue to deny service to the Web
Crossing Web Server.
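The defensive counterpart to the parsing failure described above, as an added example that is not Web Crossing code: a Content-Length parser that rejects negative, oversized and malformed values before any arithmetic uses them, plus a guarded division standing in for the kind of computation the advisory says faulted. The body cap, the status codes and the function names are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_BODY_BYTES (16L * 1024 * 1024)   /* assumed per-request body cap */

enum cl_status { CL_OK = 0, CL_MISSING, CL_MALFORMED, CL_NEGATIVE, CL_TOO_LARGE };

/* Parse a Content-Length header value into *out. RFC 2616 defines the field
 * as 1*DIGIT, so a sign, hex, inner whitespace or trailing garbage is
 * malformed. Overflow and values above the cap are rejected here, before
 * the caller allocates, loops or divides using the number. */
enum cl_status parse_content_length(const char *value, long *out)
{
    if (value == NULL || *value == '\0')
        return CL_MISSING;
    while (*value == ' ' || *value == '\t')  /* tolerate surrounding LWS */
        value++;
    if (*value == '-')
        return CL_NEGATIVE;       /* "-1" must never reach signed arithmetic */
    if (!isdigit((unsigned char)*value))
        return CL_MALFORMED;
    errno = 0;
    char *end;
    long n = strtol(value, &end, 10);
    if (errno == ERANGE || n > MAX_BODY_BYTES)
        return CL_TOO_LARGE;      /* excessive value: refuse the request */
    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')
        return CL_MALFORMED;      /* e.g. "12abc" or "1 2" */
    *out = n;
    return CL_OK;
}

/* Buffer-count arithmetic guarded so that a zero or negative operand can
 * never become a divisor. Returns -1 for invalid input. */
long chunks_needed(long content_length, long chunk_size)
{
    if (chunk_size <= 0 || content_length < 0)
        return -1;
    return (content_length + chunk_size - 1) / chunk_size;
}

int main(void)
{
    /* Constructed header values, including the negative and excessive cases. */
    const char *samples[] = { "512", "-1", "99999999999999999999", "12abc", " 0 ", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long len = 0;
        enum cl_status st = parse_content_length(samples[i], &len);
        printf("%-24s -> status %d, length %ld\n", samples[i], st, st == CL_OK ? len : -1L);
    }
    return 0;
}
```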
47. OpenBSD ICMPV6 Handling Routines Remote Denial Of Service Vu...
BugTraq ID: 9577
Remote: Yes
Date Published: Feb 04 2004
Relevant URL:
http://www.securityfocus.com/bid/9577
Summary:
OpenBSD has been reported prone to a remote denial of service attack when
configured to process IPv6 traffic. The issue occurs when an affected host
handles ICMPv6 traffic that advertises an arbitrarily low MTU
size. It has been reported that when traffic of the aforementioned type is
handled, an unspecified kernel error occurs, denying service to the
affected system.
A remote attacker may exploit this vulnerability to deny service to
legitimate users.
FreeBSD does not appear to be affected. It is undetermined if NetBSD is
similarly affected. This BID will be updated as further information
relating to this issue is disclosed.
48. GNU Radius Remote Denial Of Service Vulnerability
BugTraq ID: 9578
Remote: Yes
Date Published: Feb 04 2004
Relevant URL:
http://www.securityfocus.com/bid/9578
Summary:
GNU Radius is a server used primarily by Internet service providers as a
solution for authentication and accounting.
GNU Radius has been reported prone to a remote denial of service
vulnerability. The issue presents itself when a single UDP datagram is
processed that contains an Acct-Status-Type attribute without any other
data. When the affected server handles this datagram, the server will
segfault due to a NULL pointer dereference.
Specifically, when the Acct-Status-Type attribute is encountered the
following operation is processed:
avl_find(req->request, DA_ACCT_STATUS_TYPE);
Because the datagram contains no other data the following operation will
result in a null value for the *sid_pair pointer:
VALUE_PAIR *sid_pair = avl_find(req->request, DA_ACCT_SESSION_ID);
Finally, when a member of the sid_pair structure is referenced via the
following operation:
snprintf(nbuf, sizeof nbuf, "%ld", sid_pair->avp_lvalue);
the NULL pointer dereference will cause the service process to fail.
It should be noted that although this issue has been reported to affect
GNU Radius version 1.1, previous versions might also be affected.
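The sequence quoted above, reconstructed as an added example with the missing guard in place. This is constructed illustration code, not GNU Radius source: the VALUE_PAIR layout, avl_find over a linked list, the attribute numbers and the handler are assumptions; only the names avl_find, VALUE_PAIR, DA_ACCT_STATUS_TYPE, DA_ACCT_SESSION_ID, sid_pair and avp_lvalue come from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Attribute numbers are assumed; only the two names come from the advisory. */
#define DA_ACCT_STATUS_TYPE 40
#define DA_ACCT_SESSION_ID  44

/* Constructed stand-in for the VALUE_PAIR list quoted in the advisory. */
typedef struct value_pair {
    int attribute;             /* RADIUS attribute number */
    long avp_lvalue;           /* integer value of the attribute */
    struct value_pair *next;
} VALUE_PAIR;

/* Lookup by attribute number; returns NULL when the request lacks it. */
VALUE_PAIR *avl_find(VALUE_PAIR *list, int attribute)
{
    for (; list != NULL; list = list->next)
        if (list->attribute == attribute)
            return list;
    return NULL;
}

/* Hardened accounting handler: returns 1 and formats the session id into
 * nbuf, or 0 when the datagram is rejected. The sid_pair NULL check is the
 * guard whose absence the advisory describes. */
int handle_accounting(VALUE_PAIR *request, char *nbuf, size_t nlen)
{
    if (avl_find(request, DA_ACCT_STATUS_TYPE) == NULL)
        return 0;              /* not an accounting request */
    VALUE_PAIR *sid_pair = avl_find(request, DA_ACCT_SESSION_ID);
    if (sid_pair == NULL) {
        /* Acct-Status-Type with no Acct-Session-Id: log and drop. Reading
         * sid_pair->avp_lvalue here unguarded is the reported segfault. */
        fprintf(stderr, "drop: Acct-Status-Type without Acct-Session-Id\n");
        return 0;
    }
    snprintf(nbuf, nlen, "%ld", sid_pair->avp_lvalue);
    return 1;
}

/* Builders for constructed request lists (demo and test input). */
VALUE_PAIR *make_pair(int attribute, long lvalue, VALUE_PAIR *next)
{
    VALUE_PAIR *p = calloc(1, sizeof *p);
    if (p == NULL) abort();
    p->attribute = attribute;
    p->avp_lvalue = lvalue;
    p->next = next;
    return p;
}

void free_pairs(VALUE_PAIR *p)
{
    while (p != NULL) { VALUE_PAIR *n = p->next; free(p); p = n; }
}

int main(void)
{
    char nbuf[32];
    VALUE_PAIR *bad = make_pair(DA_ACCT_STATUS_TYPE, 1, NULL);  /* crash case */
    printf("status-only datagram accepted: %d\n", handle_accounting(bad, nbuf, sizeof nbuf));
    VALUE_PAIR *good = make_pair(DA_ACCT_STATUS_TYPE, 1, make_pair(DA_ACCT_SESSION_ID, 4242, NULL));
    printf("complete datagram accepted: %d (session %s)\n", handle_accounting(good, nbuf, sizeof nbuf), nbuf);
    free_pairs(bad);
    free_pairs(good);
    return 0;
}
```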
49. Multiple RealPlayer/RealOne Player Supported File Type Buffe...
BugTraq ID: 9579
Remote: Yes
Date Published: Feb 04 2004
Relevant URL:
http://www.securityfocus.com/bid/9579
Summary:
RealPlayer/RealOne Player are media players that are available for various
operating systems, including Microsoft Windows and Mac OS.
It has been reported that various RealPlayer/RealOne Player releases are
prone to multiple exploitable stack and heap overrun vulnerabilities.
This is due to insufficient bounds checking when handling malformed files
of various supported file types (.RP, .RT, .RAM, .RPM and .SMIL). When
the player loads such a file, stack or heap memory may be corrupted with
embedded data in the file, possibly allowing for sensitive variables in
memory to be overwritten. In this manner, it would be possible to execute
arbitrary code on the client system in the context of the user invoking
the vulnerable player.
This issue could be exploited by forcing a user to visit a malicious
website that is hosting the file, causing it to be automatically invoked.
File attachments also provide an attack vector, but would require the user
to interactively open the malformed file (with the exception of .RPM
files, which may open automatically).
50. RealPlayer/RealOne Player RMP File Handler Unspecified Code ...
BugTraq ID: 9580
Remote: Yes
Date Published: Feb 04 2004
Relevant URL:
http://www.securityfocus.com/bid/9580
Summary:
RealPlayer/RealOne Player are media players that are available for various
operating systems, including Microsoft Windows and Mac OS.
RealPlayer/RealOne Players have been reported prone to an unspecified code
execution vulnerability. The issue occurs within the RMP file processing
routines of affected versions of the player.
Although unconfirmed, it has been conjectured that arbitrary code execution
may occur when a malicious RMP file is processed. This will reportedly
cause malicious code to be downloaded and executed. Code execution would
occur in the context of the user who is running the affected player.
This BID will be updated as further details regarding this vulnerability
are disclosed.