LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 02-18-2004, 05:26 PM   #1
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,718
Blog Entries: 54

Rep: Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967
LQ security report - Feb 18th 2004


WARNING: please upgrade your kernel. A second mremap vuln has been found.
Please see thread 147599 for more info.


Feb 17th 2004
36 of 60 issues handled (SF)
1. Multiple Oracle Database Parameter/Statement Buffer Overflow...
2. Mambo Open Source Itemid Parameter Cross-Site Scripting Vuln...
4. Apache-SSL Client Certificate Forging Vulnerability
5. Joe Lumbroso Jack's Formmail.php Unauthorized Remote File Up...
6. Linux VServer Project CHRoot Breakout Vulnerability
7. OpenJournal Authentication Bypassing Vulnerability
8. Apache mod_php Global Variables Information Disclosure Weakn...
10. Brad Fears PHPCodeCabinet comments.php HTML Injection Vulner...
11. The Palace Graphical Chat Client Remote Buffer Overflow Vuln...
13. Nadeo Game Engine Remote Denial of Service Vulnerability
14. PHP-Nuke 'News' Module Cross-Site Scripting Vulnerability
15. Eggdrop Share Module Arbitrary Share Bot Add Vulnerability
18. JShop E-Commerce Suite xSearch Cross-Site Scripting Vulnerab...
19. ClamAV Daemon Malformed UUEncoded Message Denial Of Service ...
21. PHP-Nuke 'Reviews' Module Cross-Site Scripting Vulnerability
23. PHP-Nuke Public Message SQL Injection Vulnerability
24. Computer Associates eTrust InoculateIT For Linux Vulnerabili...
26. Multiple Red-M Red-Alert Remote Vulnerabilities
27. Linux Kernel Samba Share Local Privilege Elevation Vulnerabi...
28. GNU Mailman Malformed Message Remote Denial Of Service Vulne...
35. PHPNuke Category Parameter SQL Injection Vulnerability
41. XFree86 Font Information File Buffer Overflow Vulnerability
42. Samba Mksmbpasswd.sh Insecure User Account Creation Vulnerab...
43. VisualShapers ezContents Multiple Module File Include Vulner...
44. BosDev BosDates SQL Injection Vulnerability
46. Mutt Menu Drawing Remote Buffer Overflow Vulnerability
47. Monkey HTTP Daemon Missing Host Field Denial Of Service Vuln...
50. PHPCodeCabinet Multiple Cross-Site Scripting Vulnerabilities
52. SandSurfer Unspecified User Authentication Vulnerability
53. Sophos Anti-Virus MIME Header Handling Denial Of Service Vul...
54. JelSoft VBulletin Cross-Site Scripting Vulnerability
55. Sophos Anti-Virus Delivery Status Notification Handling Scan...
57. XFree86 CopyISOLatin1Lowered Font_Name Buffer Overflow Vulne...
58. AIM Sniff Temporary File Symlink Attack Vulnerability
59. Mailmgr Insecure Temporary File Creation Vulnerabilities
60. XFree86 Unspecified Vulnerability


Feb 16th 2004
39 of 56 issues handled (ISS)
Sambar Server HTTP POST request buffer overflow
Linux-VServer allows elevated privileges
Palace long server address buffer overflow
Matrix FTP Server login and issue FTP LIST denial
PHP-Nuke News and Reviews modules cross-site
Clam AntiVirus uuencoded message denial of service
Jack's FormMail.php PHP file upload
PHP-Nuke public message feature SQL injection
TrackMania denial of service
Eggdrop share.mod module allows unauthorized access
Red-Alert long request denial of service
Red-Alert allows unauthorized access
Red-Alert security bypass
JShop Server search.php cross-site scripting
eTrust InoculateIT for Linux symlink attack
eTrust InoculateIT for Linux directories have
GNU Mailman command handler denial of service
Linux rsync open_socket_out function buffer
PHP-Nuke Search and Web_links modules SQL injection
MaxWebPortal dl_showall.asp, Personal Messages, and
MaxWebPortal Personal Messages SQL injection
MaxWebPortal register form cross-site scripting
RealOne Player .RMP "dot dot" directory traversal
XFree86 font.alias file buffer overflow
Samba smbmnt allows elevated privileges
Samba mksmbpasswd.sh could allow an attacker to
BosDates calendar SQL injection
Mutt index menu buffer overflow
ezContents multiple .php arbitrary PHP file
ezContents login bypass
Monkey httpd get_real_string denial of service
phpCodeCabinet multiple scripts cross-site
Sophos Anti-Virus incomplete MIME header denial of
Sophos Anti-Virus email virus may not be detected
SandSurfer undisclosed user authentication
AIM Sniff symlink attack
XFree86 CopyISOLatin1Lowered buffer overflow
PWLib message denial of service
Mailmgr insecure temporary directory
 
Old 02-18-2004, 05:28 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,718
Blog Entries: 54

Original Poster
Rep: Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967
Feb 16th 2004 (ISS)

Internet Security Systems


Date Reported: 02/06/2004
Brief Description: Sambar Server HTTP POST request buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Sambar Server 6.0, Windows Any
version
Vulnerability: sambar-http-post-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15071

Date Reported: 02/06/2004
Brief Description: Linux-VServer allows elevated privileges
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Linux-VServer prior to 1.25
Vulnerability: linux-vserver-gain-privileges
X-Force URL: http://xforce.iss.net/xforce/xfdb/15073

Date Reported: 02/07/2004
Brief Description: Palace long server address buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Macintosh Any version, Palace
3.5 and earlier, Unix Any version, Windows Any
version
Vulnerability: palace-server-address-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15074

Date Reported: 02/06/2004
Brief Description: Matrix FTP Server login and issue FTP LIST denial
of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Matrix FTP Server Any version,
Windows Any version
Vulnerability: matrixftp-login-list-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15075

Date Reported: 02/08/2004
Brief Description: PHP-Nuke News and Reviews modules cross-site
scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, PHP-Nuke 6.x though 7.1.0, Unix
Any version, Windows Any version
Vulnerability: phpnuke-mulitple-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15076

Date Reported: 02/09/2004
Brief Description: Clam AntiVirus uuencoded message denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Clam AntiVirus 0.65, Linux Any version, Unix Any
version
Vulnerability: clam-antivirus-uuencoded-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15077

Date Reported: 02/06/2004
Brief Description: Jack's FormMail.php PHP file upload
Risk Factor: Medium
Attack Type: Network Based
Platforms: Jack's FormMail.php Any version, Linux Any version,
Unix Any version, Windows Any version
Vulnerability: jack-formmail-file-upload
X-Force URL: http://xforce.iss.net/xforce/xfdb/15079

Date Reported: 02/09/2004
Brief Description: PHP-Nuke public message feature SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, PHP-Nuke 6.x though 7.1.0, Unix
Any version, Windows Any version
Vulnerability: phpnuke-publicmessage-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15080

Date Reported: 02/08/2004
Brief Description: TrackMania denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Any operating system Any version, TrackMania Demo
version
Vulnerability: trackmania-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15081

Date Reported: 02/08/2004
Brief Description: Eggdrop share.mod module allows unauthorized access
Risk Factor: Medium
Attack Type: Network Based
Platforms: Eggdrop 1.6.x - 1.6.15, Linux Any version, Unix Any
version, Windows Any version
Vulnerability: eggdrop-sharemod-gain-access
X-Force URL: http://xforce.iss.net/xforce/xfdb/15084

Date Reported: 02/09/2004
Brief Description: Red-Alert long request denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Red-Alert 2.7.5, Red-Alert version 3.1 build 24
Vulnerability: redalert-long-request-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15086

Date Reported: 02/09/2004
Brief Description: Red-Alert allows unauthorized access
Risk Factor: High
Attack Type: Network Based
Platforms: Red-Alert 2.7.5, Red-Alert version 3.1 build 24
Vulnerability: redalert-gain-access
X-Force URL: http://xforce.iss.net/xforce/xfdb/15088

Date Reported: 02/09/2004
Brief Description: Red-Alert security bypass
Risk Factor: Medium
Attack Type: Network Based
Platforms: Red-Alert 2.7.5, Red-Alert version 3.1 build 24
Vulnerability: redalert-bypass-security
X-Force URL: http://xforce.iss.net/xforce/xfdb/15089

Date Reported: 02/09/2004
Brief Description: JShop Server search.php cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: JShop Server Any version, Linux Any version, Unix
Any version, Windows Any version
Vulnerability: jshop-searchphp-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15100

Date Reported: 02/09/2004
Brief Description: eTrust InoculateIT for Linux symlink attack
Risk Factor: High
Attack Type: Host Based
Platforms: eTrust InoculateIT for Linux 6.0, Linux Any version
Vulnerability: etrust-inoculateit-symlink
X-Force URL: http://xforce.iss.net/xforce/xfdb/15102

Date Reported: 02/10/2004
Brief Description: eTrust InoculateIT for Linux directories have
insecure permissions
Risk Factor: High
Attack Type: Host Based
Platforms: eTrust InoculateIT for Linux 6.0, Linux Any version
Vulnerability: etrust-inoculateit-insecure-permissions
X-Force URL: http://xforce.iss.net/xforce/xfdb/15103

Date Reported: 02/08/2004
Brief Description: GNU Mailman command handler denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: GNU Mailman prior to 2.0.14, Linux Any version, Red
Hat Advanced Workstation 2.1, Red Hat Enterprise
Linux 2.1AS, Red Hat Enterprise Linux 2.1ES, Unix
Any version
Vulnerability: mailman-command-handler-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15106

Date Reported: 02/09/2004
Brief Description: Linux rsync open_socket_out function buffer
overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, rsync 2.5.7 and earlier
Vulnerability: linux-rsync-opensocketout-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15108

Brief Description: PHP-Nuke Search and Web_links modules SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, PHP-Nuke 6.9 and earlier, Unix
Any version, Windows Any version
Vulnerability: phpnuke-modules-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15115

Date Reported: 02/10/2004
Brief Description: MaxWebPortal dl_showall.asp, Personal Messages, and
down.asp cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, MaxWebPortal prior to 1.32,
Windows Any version
Vulnerability: maxwebportal-multiple-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15120

Date Reported: 02/10/2004
Brief Description: MaxWebPortal Personal Messages SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, MaxWebPortal prior to 1.32,
Windows Any version
Vulnerability: maxwebportal-personalmesssages-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15121

Date Reported: 02/10/2004
Brief Description: MaxWebPortal register form cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, MaxWebPortal prior to 1.32,
Windows Any version
Vulnerability: maxwebportal-register-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15122

Date Reported: 02/10/2004
Brief Description: RealOne Player .RMP "dot dot" directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, RealOne
Enterprise Desktop Any version, RealOne Player 1.0,
RealOne Player 2.0
Vulnerability: realoneplayer-rmp-directory-traversal
X-Force URL: http://xforce.iss.net/xforce/xfdb/15123

Brief Description: XFree86 font.alias file buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Gentoo Linux Any version, Immunix OS 7.3, Red Hat
Linux 9, Slackware Linux 8.1, Slackware Linux 9.0,
Slackware Linux 9.1, Slackware Linux current,
XFree86 4.1.0 through 4.3.0
Vulnerability: xfree86-fontalias-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15130

Date Reported: 02/10/2004
Brief Description: Samba smbmnt allows elevated privileges
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Samba 3.x
Vulnerability: samba-smbmnt-gain-privileges
X-Force URL: http://xforce.iss.net/xforce/xfdb/15131

Date Reported: 02/09/2004
Brief Description: Samba mksmbpasswd.sh could allow an attacker to
gain access to user's account
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Samba 3.0, Samba 3.0.1
Vulnerability: samba-mksmbpasswd-gain-access
X-Force URL: http://xforce.iss.net/xforce/xfdb/15132

Date Reported: 02/11/2004
Brief Description: BosDates calendar SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: BosDates 3.2 and earlier, Linux Any version, Unix
Any version, Windows Any version
Vulnerability: bosdates-calendar-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15133

Date Reported: 02/11/2004
Brief Description: Mutt index menu buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Mandrake Linux 9.1, Mandrake Linux 9.2, Mandrake
Linux Corporate Server 2.1, Mutt prior to 1.4.2,
Red Hat Linux 9, Slackware Linux 8.1, Slackware
Linux 9.0, Slackware Linux 9.1, Slackware Linux
current, Trustix Secure Linux 2.0
Vulnerability: mutt-index-menu-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15134

Date Reported: 02/11/2004
Brief Description: ezContents multiple .php arbitrary PHP file
inclusion
Risk Factor: Medium
Attack Type: Network Based
Platforms: ezContents 2.02 and earlier, Linux Any version
Vulnerability: ezcontents-multiple-file-include
X-Force URL: http://xforce.iss.net/xforce/xfdb/15135

Date Reported: 02/11/2004
Brief Description: ezContents login bypass
Risk Factor: Medium
Attack Type: Network Based
Platforms: ezContents 2.02 and earlier, Linux Any version
Vulnerability: ezcontents-login-bypass
X-Force URL: http://xforce.iss.net/xforce/xfdb/15136

Brief Description: Monkey httpd get_real_string denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Monkey HTTP Daemon 0.8.1 and
earlier
Vulnerability: monkey-getrealstring-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15187

Date Reported: 02/12/2004
Brief Description: phpCodeCabinet multiple scripts cross-site
scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, phpCodeCabinet
0.4
Vulnerability: phpcodecabinet-multiple-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15190

Date Reported: 02/12/2004
Brief Description: Sophos Anti-Virus incomplete MIME header denial of
service
Risk Factor: Low
Attack Type: Network Based
Platforms: AIX Any version, FreeBSD 3.0 and later, HP-UX Any
version, Linux Any version, Solaris Any version,
Sophos Anti-Virus 3.78, Windows 2000 Any version,
Windows 2003 Any version, Windows NT Any version,
Windows XP Any version
Vulnerability: sophos-mime-header-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15191

Date Reported: 02/12/2004
Brief Description: Sophos Anti-Virus email virus may not be detected
Risk Factor: Medium
Attack Type: Network Based
Platforms: AIX Any version, FreeBSD 3.0 and later, HP-UX Any
version, Linux Any version, Solaris Any version,
Sophos Anti-Virus 3.78, Windows 2000 Any version,
Windows 2003 Any version, Windows NT Any version,
Windows XP Any version
Vulnerability: sophos-email-virus-undetected
X-Force URL: http://xforce.iss.net/xforce/xfdb/15192

Date Reported: 02/12/2004
Brief Description: SandSurfer undisclosed user authentication
unauthorized access
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, SandSurfer prior to 1.7.0
Vulnerability: sandsurfer-undisclosed-gain-access
X-Force URL: http://xforce.iss.net/xforce/xfdb/15193

Date Reported: 02/12/2004
Brief Description: AIM Sniff symlink attack
Risk Factor: Medium
Attack Type: Host Based
Platforms: AIM Sniff 0.9b, Linux Any version
Vulnerability: aim-sniff-symlink
X-Force URL: http://xforce.iss.net/xforce/xfdb/15199

Date Reported: 02/12/2004
Brief Description: XFree86 CopyISOLatin1Lowered buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Immunix OS 7.3, Linux Any version, Red Hat Linux 9,
Slackware Linux 8.0, Slackware Linux 9.0, Slackware
Linux 9.1, Slackware Linux current, XFree86 4.1.0
through 4.3.0
Vulnerability: xfree86-copyisolatin1lLowered-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15200

Date Reported: 02/13/2004
Brief Description: PWLib message denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: PWLib prior to 1.6.0, Red Hat Linux 9
Vulnerability: pwlib-message-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15202

Date Reported: 02/13/2004
Brief Description: Mailmgr insecure temporary directory
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Mailmgr prior to 1.2.3, Unix Any
version
Vulnerability: mailmgr-insecure-temp-directory
X-Force URL: http://xforce.iss.net/xforce/xfdb/15203
 
Old 02-18-2004, 05:30 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,718
Blog Entries: 54

Original Poster
Rep: Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967
Feb 17th 2004 (SF) pt. 1/2

SecurityFocus


1. Multiple Oracle Database Parameter/Statement Buffer Overflow...
BugTraq ID: 9587
Remote: Yes
Date Published: Feb 05 2004
Relevant URL: http://www.securityfocus.com/bid/9587
Summary:
Oracle is a commercial database product, which is available for a number
of platforms including Microsoft Windows and Unix and Linux variants.

Oracle database has been reported prone to multiple buffer overflow
vulnerabilities when processing certain parameters and functions.
Specifically the TIME_ZONE parameter lacks sufficient boundary checks.
Therefore an excessive value assigned to TIME_ZONE may potentially overrun
the bounds of a buffer in stack-based memory. This may result in the
corruption of memory adjacent to the affected buffer, and ultimately may
provide for arbitrary code execution.

Additionally the NUMTOYMINTERVAL function has been reported prone to a
buffer overflow vulnerability. The issue presents itself due to a lack of
sufficient boundary checks performed on char_expr parameters passed as an
argument to the function. Again this issue may be exploited by passing
excessive data as the second argument to a NUMTOYMINTERVAL statement call.

The NUMTODSINTERVAL function has also been reported prone to a buffer
overflow vulnerability. The issue again presents itself due to a lack of
sufficient boundary checks performed on char_expr parameters passed as an
argument to the function. This issue may be exploited in a similar manner
to the NUMTOYMINTERVAL issue, by passing excessive data as the second
argument to a NUMTODSINTERVAL statement call.

Finally the FROM_TZ function has been reported prone to a buffer overflow
vulnerability. The issue will present itself when excessive data is passed
as the third parameter of a properly formatted FROM_TZ statement call.

Any one of these issues may be exploited to execute arbitrary code with
elevated privileges.

2. Mambo Open Source Itemid Parameter Cross-Site Scripting Vuln...
BugTraq ID: 9588
Remote: Yes
Date Published: Feb 05 2004
Relevant URL: http://www.securityfocus.com/bid/9588
Summary:
Mambo Open Source is a web based content management system.

A vulnerability has been reported to exist in the server that may allow a
remote attacker to execute arbitrary HTML or script code in a user's
browser. The issue occurs due to insufficient sanitization of
user-supplied data via the 'Itemid' parameter of 'index.php' script. An
attacker may exploit this vulnerability by creating a specially crafted
URL that includes malicious HTML code as URI parameters for the server
'index.php' page. The malicious script code may be rendered in a user's
browser upon visiting the link. This attack would occur in the security
context of the site.

Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials. Other attacks are also possible.

Mambo Open Source version 4.6 has been reported to be prone to this issue,
however, other versions may be affected has well.

4. Apache-SSL Client Certificate Forging Vulnerability
BugTraq ID: 9590
Remote: Yes
Date Published: Feb 06 2004
Relevant URL: http://www.securityfocus.com/bid/9590
Summary:
Apache-SSL is an implementation of SSL (Secure Socket Layer) for the
Apache webserver.

Apache-SSL has been reported to be prone to a vulnerability. The issue
exists when Apache-SSL is configured with SSLVerifyClient set to 1 or 3
and SSLFakeBasicAuth active. It has been reported that a server possessing
the aforementioned configuration may provide a conduit that will allow a
remote attacker to forge a valid client certificate.

The attacker may exploit this issue by connecting to the affected service
and supplying a one-line DN of a valid user along with the password
"password". This will result in the issue of a valid client certificate.

This issue is reported to affect Apache-SSL 1.3.28+1.52 and all earlier
versions.

5. Joe Lumbroso Jack's Formmail.php Unauthorized Remote File Up...
BugTraq ID: 9591
Remote: Yes
Date Published: Feb 06 2004
Relevant URL: http://www.securityfocus.com/bid/9591
Summary:
Jack's Formmail.php is a web based form to e-mail gateway. The
application is written in PHP, however, a Perl version is available as
well.

A vulnerability has been reported to exist in the software that may allow
a remote attacker to gain unauthorized access to a vulnerable server and
upload arbitrary files.

It has been reported that the software verifies the origin of a request
via HTTP referer. Due to improper validation performed in the
'check_referer()' function, an attacker can bypass the checks by supplying
an empty value for HTTP referer. This issue may then allow an attacker to
upload a file via the 'css' variable of 'file.php' script.

Successful exploitation of this issue may allow an attacker to save
malicious files to the system or potentially overwrite sensitive files.

Although unconfirmed, Formmail.php versions 5.0 and prior may be affected
by this issue.

6. Linux VServer Project CHRoot Breakout Vulnerability
BugTraq ID: 9596
Remote: No
Date Published: Feb 06 2004
Relevant URL: http://www.securityfocus.com/bid/9596
Summary:
The Linux VServer Project is implemented with a linux kernel patch and a
group of tools that facilitate the partition of a single linux server into
multiple virtual servers. It is implemented with a combination of
"security contexts", chroot, segmented routing, extended quotas and other
standard tools.

It has been reported that VServer is prone to a breakout vulnerability
that would allow a malicious user to escape from the context of the
virtual server. This issue is due to the VServer application failing to
secure itself against a "chroot-again" style vulnerability. Successful
exploitation of this issue may allow an attacker to gain access to the
file system outside of the chrooted root directory.

This issue is leveraged when processes running in the context of the
virtual server utilize the chroot function. The process would change its
current directory to the root directory of the virtual server. It would
then create a temporary directory and chroot itself to the temporary
directory. The process, however still resides in the directory that is
outside of the one that it has chrooted itself to, and so, by making
multiple calls to chdir( ".." ) it is able to move to the true root
directory of the vulnerable system.

This problem makes it possible for a local user with superuser access in
the virtual server environment to execute commands outside of the VServer
context, and possibly gain unrestricted access to the system.

7. OpenJournal Authentication Bypassing Vulnerability
BugTraq ID: 9598
Remote: Yes
Date Published: Feb 06 2004
Relevant URL: http://www.securityfocus.com/bid/9598
Summary:
OpenJournal is a web-based application implemented using PERL that
features automated file creation, automated index updating, editing of
files through a Web-based interface and automated archiving.

It has been reported that OpenJournal is prone to an authentication bypass
vulnerability. This issue is caused by the application failing to
properly sanitize URI specified parameters. Successful exploitation of
this issue may lead to remote attackers gaining unauthorized access to
online journal files associated with the application, adding new users to
the database as well as a number of other possibilities.

The issue is due to the URI parameter 'uid'. A malevolent user may gain
access to the OpenJournal control panel by assigning a specially crafted
value to the 'uid' parameter in a URI and submitting it to the
application.

8. Apache mod_php Global Variables Information Disclosure Weakn...
BugTraq ID: 9599
Remote: Yes
Date Published: Feb 07 2004
Relevant URL: http://www.securityfocus.com/bid/9599
Summary:
Apache is a freely available, open source web server software package. It
is distributed and maintained by the Apache Group. Mod_PHP is an Apache
module which allows for PHP functionality in websites.

A weakness has been reported to exist in Apache mod_php module that may
allow remote attackers to disclose sensitive information via influencing
global variables.

The issue reportedly presents itself when the php.ini configuration file
has the parameter setting 'register_globals = on'. If a request is made
to a virtual host which has the setting 'php_admin_flag register_globals
off' and another request is made to a different virtual host which does
not have "php_admin_flag register_globals off", the original setting may
continue to exist. This issue could lead to other vulnerabilities such as
php file include, due to an attacker's ability to influence global
variables. An attacker may also be able to disclose sensitive information
in order to gain unauthorized access.

10. Brad Fears PHPCodeCabinet comments.php HTML Injection Vulner...
BugTraq ID: 9601
Remote: Yes
Date Published: Feb 07 2004
Relevant URL: http://www.securityfocus.com/bid/9601
Summary:
PHPCodeCabinet is a web based application that allows software developers
to store code snippets from any language.

A vulnerability has been reported in the software that may allow a remote
attacker to execute HTML and script code in a user's browser. The problem
is reported to exist due to improper sanitizing of user-supplied data via
the 'sid' parameter of 'comments.php' script. It may be possible for an
attacker to include malicious HTML code in the vulnerable parameter. The
injected code could then be interpreted by the browser of a user visiting
the vulnerable site. This attack would occur in the security context of
the affected site.

Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials. Other attacks are also possible.

PHPCodeCabinet versions 0.4 and prior have been reported to be vulnerable
to this issue.

11. The Palace Graphical Chat Client Remote Buffer Overflow Vuln...
BugTraq ID: 9602
Remote: Yes
Date Published: Feb 07 2004
Relevant URL: http://www.securityfocus.com/bid/9602
Summary:
The Palace is a graphical chat client application.

A vulnerability has been reported to exist in the software that may allow
a remote attacker to execute arbitrary code on a vulnerable system in
order to gain unauthorized access. The condition is present due to
insufficient boundary checking.

It has been reported that The Palace chat client allows users to join a
chat server via specially crafted hyperlinks that automatically load the
application and connect to a server:

palace://example:9998/

The issue presents itself when a user attempts to follow a link that is
excessively long such as:

palace://('a'x118)('BBBB')('XXXX')

Immediate consequences of an attack may result in a denial of service
condition. An attacker may leverage the issue by exploiting an unbounded
memory copy operation to overwrite the saved return address/base pointer,
causing an affected procedure to return to an address of their choice.
Successful exploitation of this issue may allow an attacker to execute
arbitrary code in the context of the vulnerable user in order to gain
unauthorized access, however, this has not been confirmed at the moment.

The Palace chat client versions 3.5 and prior have been reported to be
prone to this issue.

13. Nadeo Game Engine Remote Denial of Service Vulnerability
BugTraq ID: 9604
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9604
Summary:
Nadeo Game Engine is a multiplayer game engine used in several Nadeo
titles.

A vulnerability has been reported to exist in the software that may allow
a remote attacker to cause a denial of service condition. It has been
reported that Trackmania uses TCP port 2350 for communication. A denial
of service condition may be caused by sending arbitrary data on this port.

Successful exploitation may allow an attacker to cause the software to
crash or hang affectively denying server to users.

14. PHP-Nuke 'News' Module Cross-Site Scripting Vulnerability
BugTraq ID: 9605
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9605
Summary:
PHP-Nuke is a freeware content management system. Implemented in PHP, it
is available for a range of systems, including Unix, Linux, and Microsoft
Windows.

It has been reported that the PHP-Nuke 'News' module is prone to a
cross-site scripting vulnerability. The issue arises due to the module
failing to properly sanitize user-supplied information. The URI parameter
'title' is not properly sanitized of HTML tags. This could allow for
execution of hostile HTML and script code in the web client of a user who
visits a vulnerable web page. This would occur in the security context of
the site hosting the software.

Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.

It has been reported that this issue affects versions 6.x - 7.x of the
software, however earlier versions may also be vulnerable.

15. Eggdrop Share Module Arbitrary Share Bot Add Vulnerability
BugTraq ID: 9606
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9606
Summary:
Eggdrop is an Open Source multi-platform IRC (Internet Relay Chat) robot,
designed for IRC channel administration and maintenance. Eggdrop may be
configured as a share Bot, which means that two or more Bots share user
records.

Share.mod, a component of Eggdrop, has been reported prone to a
vulnerability that may result in the compromise of an entire Bot Network.
The issue presents itself due to a programming error in the
check_expired_tbufs() function that results in a failure to implement
intended program logic. This failure will result in every Bot that is
processed by check_expired_tbufs() receiving STAT_OFFERED status. The
attacker may further leverage this issue by employing the share_ufyes()
function, which only checks the STAT_OFFERED status of a prospective Bot,
before granting STAT_SHARE status to a malicious Bot.

If the aforementioned status is obtained, the malicious Bot will be
recognized as a Share Bot and will therefore have the ability to perform
administrative tasks, for example adduser, deluser, chattr, that will be
distributed through the entire Bot network.

An attacker may exploit this condition to gain control of an Eggdrop Bot
network.


18. JShop E-Commerce Suite xSearch Cross-Site Scripting Vulnerab...
BugTraq ID: 9609
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9609
Summary:
JShop E-Commerce Suite is a web based E-Commerce system implemented in
PHP. It is back-ended by a MySQL database.

A vulnerability has been reported to exist in JShop E-Commerce that may
allow a remote user to execute HTML or script code in a user's browser.

The issue is reported to exist due to improper sanitizing of user-supplied
data. It has been reported that HTML and script code may be parsed via the
'xSearch' URI parameter of the 'search.php' script. This vulnerability
makes it possible for an attacker to construct a malicious link containing
HTML or script code that may be rendered in a user's browser upon visiting
that link. This attack would occur in the security context of the site.

Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials. Other attacks are also possible.

19. ClamAV Daemon Malformed UUEncoded Message Denial Of Service ...
BugTraq ID: 9610
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9610
Summary:
ClamAV is a freely available, open source virus scanning utility. It is
available for the Unix and Linux platforms.

A problem in the handling of specially crafted UUEncoded messages has been
identified in ClamAV. Because of this, an attacker may prevent the
delivery of e-mail to users.

The problem is in the handling of malformed UUEncoded messages. When an
attacker sends an e-mail containing UUEncoded content and the line length
is a value that does not conform to UUEncoding conventions, the ClamAV
program terminates. Because of this, mail delivered to the system that
is routed through the scanner will not arrive at its destination,
resulting in a denial of service.

It should be noted that earlier versions of the software may also be
affected, though no information concerning the scope of the issue is
available.

21. PHP-Nuke 'Reviews' Module Cross-Site Scripting Vulnerability
BugTraq ID: 9613
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9613
Summary:
PHP-Nuke is a freeware content management system. Implemented in PHP, it
is available for a range of systems, including Unix, Linux, and Microsoft
Windows.

It has been reported that the PHP-Nuke 'Reviews' module is prone to a
cross-site scripting vulnerability. The issue arises due to the module
failing to properly sanitize user-supplied information. The URI parameter
'title' is not properly sanitized of HTML tags. This could allow for
execution of hostile HTML and script code in the web client of a user who
visits a vulnerable web page. This would occur in the security context of
the site hosting the software.

Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.

It has been reported that this issue affects versions 6.x - 7.x of the
software, however earlier versions may also be vulnerable.

23. PHP-Nuke Public Message SQL Injection Vulnerability
BugTraq ID: 9615
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9615
Summary:
PHP-Nuke is a freeware content management system. Implemented in PHP, it
is available for a range of systems, including Unix, Linux, and Microsoft
Windows.

It has been reported that the 'public message' feature of PHP-Nuke is
vulnerable to an SQL injection vulnerability. The issue is due to a
failure to properly sanitize the '$p_msg' parameter in the
'public_message()' function of the '/mainfile.php' script.

As PHP-Nuke forces all variables to be global within the context of the
application, the '$p_msg' parameter may be specified in either POST, GET
or COOKIE data. Within the 'public_message()' function, the '$p_msg'
parameter is decoded into the '$c_mid' parameter, which is directly used
in the generation of the SQL query. An attacker could use an SQL Union
command passed via the '$p_msg' parameter to mine data from the database.

As a result of this issue an attacker could modify the logic and structure
of database queries. Other attacks may also be possible, such as gaining
access to sensitive information.

It has been reported that this issue affects versions 6.x - 7.x of the
software, however earlier versions may also be vulnerable.

24. Computer Associates eTrust InoculateIT For Linux Vulnerabili...
BugTraq ID: 9616
Remote: No
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9616
Summary:
Multiple vulnerabilities have been reported in eTrust InoculateIT for
Linux operating systems, including issues with temporary files that could
allow for symbolic link attacks and permissions problems that could permit
local attackers to modify sensitive information.

The following specific vulnerabilities were reported:

The insecure temporary file issues are reported to exist in the following
scripts:
ino/scripts/inoregupdate
scripts/uniftest
scripts/unimove

Due to the way in which these scripts create temporary files, it will be
possible to for a remote attacker to create a symbolic link in the
location that temporary files will be created. This will cause operations
that are intended to be performed on temporary files to be performed on
files pointed to by the malicious symbolic link. The most likely
consequences will be destruction of sensitive files, though in some
circumstances, if the attacker can control the data written in the attack,
it may be possible to gain elevated privileges.

There are insecure permissions on the eTrustAE.lnx/tmp/.caipcs/.sem
directory, allowing local attackers to modify sensitive configuration
files for the software.

The software installs several registry files that contain various software
settings. These registry files are included to simulate software settings
in the Windows Registry on Linux installations of the software. Some of
these files are reported to allow modification by unprivileged local
users, which could be exploited to lower security settings for the
software, such as removing scanned file types from the current user's
registry setting. Hard-coded search paths for executables may also be
embedded in user-modifiable registry files, allowing for execution of
arbitrary code with elevated privileges in some circumstances.
 
Old 02-18-2004, 05:32 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,718
Blog Entries: 54

Original Poster
Rep: Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967Reputation: 2967
Feb 17th 2004 (SF) pt. 2/2

SecurityFocus

26. Multiple Red-M Red-Alert Remote Vulnerabilities
BugTraq ID: 9618
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9618
Summary:
Red-Alert is an airspace monitor for unauthorized wireless network
activity. It is distributed and maintained by Red-M.

Problems in various features have been identified in the Red-M Red-Alert
network monitors. Because of this issues, an attacker may be able to
crash a vulnerable device and eliminate logs, gain unauthorized access to
the administrative interface, or partially evade detection by an affected
device.

The first problem makes it possible for a remote attacker to crash the
device. By requesting an URI from the device web server with a length of
1230 or greater bytes, an attacker could force the host to become unstable
and crash. During the reboot process, the system is not able to log any
activity. Additionally, the reboot results in the loss of any locally
stored logs.

The second problem makes it possible for an unauthorized user to gain
access to the Red-Alert administration interface. Red-Alert does not
properly handle authentication, restricting administrative access solely
on the basis of IP address. In circumstances where network address
translation is performed, a user behind the NAT interface could
potentially gain unauthorized access to the device.

The third problem is in the parsing of Server Set IDs (SSIDs). Systems
with SSIDs that contain one or more space characters (ASCII character 32)
in the name are logged as a single space character. This problem could
allow an attacker to evade location through misrepresentation in log
files.

27. Linux Kernel Samba Share Local Privilege Elevation Vulnerabi...
BugTraq ID: 9619
Remote: No
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9619
Summary:
A local privilege escalation vulnerability has been reported to affect the
2.6 Linux kernel.

The issue appears to exist due to a lack of sufficient sanity checks
performed when executing a file that is hosted on a remote Samba share.
This issue has been reported to occur when a setuid or setgid file is made
available as a shared network resource through the samba service. An
attacker, who has local interactive access to an affected host, may mount
the remote share and execute the remote setuid/setgid application. This
will reportedly result in elevated privileges, as the setuid/setgid bit of
the remote file is honored on the local system. The problem exist because
smb file system is not mounted using mount and ignores the setuid/setgid
permissions from smbmnt.

It should be noted that although this vulnerability has been reported to
affect 2.6 versions of the Linux kernel, other versions might also be
affected.

Conflicting reports suggest that this is expected behavior that results
from the smbmnt utility being setuid root.

It has been reported that the attacker does not have to mount the file
system as a local user. The vulnerability still exists if root mounts the
file system and the attacker can execute a setuid binary on the server.
Unix extensions have to be enabled on both the client and the server for
this issue to occur.

28. GNU Mailman Malformed Message Remote Denial Of Service Vulne...
BugTraq ID: 9620
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9620
Summary:
GNU Mailman is a web integrated software package used for managing
electronic mail discussion and e-newsletter lists. It is freely
distributed under the GNU Public License.

It has been reported that GNU Mailman is prone to a denial of service
vulnerability. An attacker could send a carefully crafted message that
would cause the Mailman process to crash.

Successful exploitation of this issue could deny service to legitimate
users.

35. PHPNuke Category Parameter SQL Injection Vulnerability
BugTraq ID: 9630
Remote: Yes
Date Published: Feb 10 2004
Relevant URL: http://www.securityfocus.com/bid/9630
Summary:
PHPNuke is a freely available, open source web content management system.
It is maintained by Francisco Burzi, and available for the Unix, Linux,
and Microsoft Operating Systems.

A vulnerability has been reported to exist in PHPNuke that may allow a
remote attacker to inject malicious SQL syntax into database queries. The
source of this issue is insufficient sanitization of user-supplied input.

The problem is reported to exist in the $category variable contained
within the 'index.php' page. It has been reported that $category is not
sanitized for user-supplied input before it is included in SQL queries
that are later executed by the database. A remote attacker may exploit
this issue while performing a search in 'index.php' to influence SQL query
logic.

A malicious user may influence database queries in order to view or modify
sensitive information, potentially compromising the software or the
database. It has been reported that an attacker may be able to disclose
the administrator password hash by exploiting this issue.

PHPNuke versions 6.9 and prior have been reported to be prone to this
issue, however other versions may be affected as well.

41. XFree86 Font Information File Buffer Overflow Vulnerability
BugTraq ID: 9636
Remote: No
Date Published: Feb 10 2004
Relevant URL: http://www.securityfocus.com/bid/9636
Summary:
XFree86 is a freely available open-source implementation of the X Window
System.

It has been reported that the XFree86 X Windows system is prone to a local
buffer overflow vulnerability. The issue arises from improper bounds
checking when parsing the font.alias file.

The issue occurs in the 'ReadFontAlias()' function in the 'dirfile.c' file
and surrounds the 'alias[1024]' buffer. The function reads arbitrary
length tokens from the 'font.alias' file without performing any bounds
checking. The function stops reading the file once white spaces are
reached. It then uses the 'strcpy()' function to copy the input into the
'alias[1024]' buffer. An attacker may exploit this issue to execute
arbitrary code within the context of the XFree86 process, potentially
gaining root privileges on the affected system.

This issue has been reported to affect version 4.1.0 through 4.3.0
inclusive, it is likely however that this issue affects earlier versions
of the software as well.

42. Samba Mksmbpasswd.sh Insecure User Account Creation Vulnerab...
BugTraq ID: 9637
Remote: Yes
Date Published: Feb 10 2004
Relevant URL: http://www.securityfocus.com/bid/9637
Summary:
Samba is a freely available file and printer sharing application
maintained and developed by the Samba Development Team. Samba allows file
and printer sharing between operating systems on the Unix and Microsoft
platforms. Samba ships with several helper scripts, one of these scripts
is mksmbpasswd.sh, which is used to aid in user account creation.

The mksmbpasswd.sh shell script is reported prone to a vulnerability. The
issue results in the creation of insecure user accounts. Specifically it
has been reported that a password initialization problem in the
mksmbpasswd.sh shell script results in user accounts being created with
insecure passwords.

The issue surrounds the passwords for disabled user accounts. In some
cases the affected script may overwrite these passwords with uninitialized
memory. If an attacker were able to ascertain the contents of memory used
to overwrite disabled account passwords they may be able to gain
unauthorized access.

A remote attacker may exploit this issue by accessing a Samba share using
an insecure account that was created using the affected script.

43. VisualShapers ezContents Multiple Module File Include Vulner...
BugTraq ID: 9638
Remote: Yes
Date Published: Feb 11 2004
Relevant URL: http://www.securityfocus.com/bid/9638
Summary:
VisualShapers ezContents is a website content management system based on
PHP and MySQL. It allows multiple users to update and maintain a website.

A vulnerability has been reported to exist in the software that may allow
an attacker to include malicious files containing arbitrary code to be
executed on a vulnerable system. The problem reportedly exists because
remote users may influence the 'GLOBALS[rootdp]' and
'GLOBALS[language_home]' variables in the 'db.php' and 'archivednews.php'
modules.

Remote attackers could potentially exploit this issue via by influencing
the include path to specify a remote malicious PHP script, which will be
executed in the context of the web server hosting the vulnerable software.

This vulnerability is reported to affect ezContents 2.0.2 and prior
running on PHP 4.3.0 or above.

44. BosDev BosDates SQL Injection Vulnerability
BugTraq ID: 9639
Remote: Yes
Date Published: Feb 11 2004
Relevant URL: http://www.securityfocus.com/bid/9639
Summary:
BosDates is a commercially available web based event calendar organization
system. It is implemented using PHP with a MySQL database backend for
Unix and Unix like operating systems as well as Windows.

An SQL injection vulnerability has been reported to affect BosDates
calendar system. The issue arises due to insufficient sanitization of
user-supplied data.

The vulnerability surrounds the 'calendar' parameter passed via the URI of
the 'calendar_download.php' script. The 'calendar' parameter is used in
an SQL statement without being properly sanitized. A malevolent user may
craft an SQL statement and assign it to the improperly sanitized
parameter.

As a result of this issue an attacker may be able to modify the logic and
structure of database queries. This may provide for other attacks, such as
gaining access to sensitive information.

46. Mutt Menu Drawing Remote Buffer Overflow Vulnerability
BugTraq ID: 9641
Remote: Yes
Date Published: Feb 11 2004
Relevant URL: http://www.securityfocus.com/bid/9641
Summary:
Mutt is a freely available, open source mail user agent (MUA). It is
available for the Unix and Linux platforms.

A problem in the handling of some types of input has been identified in
Mutt. Because of this, a remote attacker may be able to crash a
vulnerable client.

The problem is in the handling of specially-crafted strings. Upon
embedding particular strings of arbitrary length in an e-mail, a remote
user can force a buffer overflow in the menu drawing function of mutt.
This problem could potentially also be exploited to overwrite arbitrary
structures in process memory, and potentially execute code with the
privileges of the mutt user.

Specifics concerning the mechanics of this bug are not currently
available.

47. Monkey HTTP Daemon Missing Host Field Denial Of Service Vuln...
BugTraq ID: 9642
Remote: Yes
Date Published: Feb 11 2004
Relevant URL: http://www.securityfocus.com/bid/9642
Summary:
Monkey is an open source Web server written in C, based on the HTTP/1.1
protocol. It is available for Linux platforms.

Monkey HTTP Daemon is prone to a denial of service attacks. HTTP GET
requests, which do not include a ?Host? header field, will trigger this
condition. This issue is reportedly due a programming error in the
get_real_string() function.

The server will need to be restarted to regain normal functionality.

50. PHPCodeCabinet Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 9645
Remote: Yes
Date Published: Feb 11 2004
Relevant URL: http://www.securityfocus.com/bid/9645
Summary:
The phpCodeCabinet scripts are designed to be a reference library for
personal and professional use. They are implemented in PHP and are freely
distributable under the GNU Public License.

It has been reported that a number of phpCodeCabinet scripts are prone to
cross site scripting vulnerabilities. These issues are reportedly due to a
failure to sanitize user input and so allow HTML and script code that may
facilitate cross-site scripting attacks.

These issue are reported to affect the 'sid' parameter of the
'comments.php' script, the 'cid' parameter of the 'input.php' script, the
'cid' parameter of the 'browser.php' script and the 'cid', 'cf', and 'rfd'
parameters of the 'category.php' script.

This could permit a remote attacker to create a malicious link to the
vulnerable application that includes hostile HTML and script code. If this
link were followed, the hostile code may be rendered in the web browser of
the victim user. This would occur in the security context of the web
server and may allow for theft of cookie-based authentication credentials
or other attacks.

52. SandSurfer Unspecified User Authentication Vulnerability
BugTraq ID: 9647
Remote: Yes
Date Published: Feb 08 2004
Relevant URL: http://www.securityfocus.com/bid/9647
Summary:
SandSurfer is a web-based time keeping application. It is available for
Unix/Linux variants.

An unspecified vulnerability related to user authentication was reported
in SandSurfer that may allow remote attackers to gain unauthorized access
to the software.

There are no further technical details at the time of writing.

53. Sophos Anti-Virus MIME Header Handling Denial Of Service Vul...
BugTraq ID: 9648
Remote: Yes
Date Published: Feb 12 2004
Relevant URL: http://www.securityfocus.com/bid/9648
Summary:
Sophos Anti-Virus is multi platform computer virus detection software.

Sophos Anti-Virus has been reported prone to a remote denial of service
vulnerability. The issue presents itself when a malicious MIME header that
is terminated at the end of the file in an unexpected manner is
encountered. Because the virus detection engine erroneously continues to
read beyond the end of the file, it will fall into an infinite loop. It
has been conjectured that this will result in a denial of service to the
affected Sophos virus detection software.

This issue has been reported to affect SAVI-compliant Sophos products.

It should be noted that although this issue has been reported to affect
Sophos Anti-Virus version 3.78, other versions might also be affected.

54. JelSoft VBulletin Cross-Site Scripting Vulnerability
BugTraq ID: 9649
Remote: Yes
Date Published: Feb 12 2004
Relevant URL: http://www.securityfocus.com/bid/9649
Summary:
VBulletin is a commercially available web based bulletin board
application. It is implemented in PHP and may be run on Unix and Unix
like operating systems as well as Windows.

It has been reported that VBulletin is prone to a cross-site scripting
vulnerability. This issue is reportedly due to a failure to sanitize user
input and so allow HTML and script code that may facilitate cross-site
scripting attacks.

This issue is reported to affect the 'url' parameter of the 'register.php'
script, which is passed through a URI.

This could permit a remote attacker to create a malicious link to the
vulnerable application that includes hostile HTML and script code. If this
link were followed, the hostile code may be rendered in the web browser of
the victim user. This would occur in the security context of the web
server and may allow for theft of cookie-based authentication credentials
or other attacks.

55. Sophos Anti-Virus Delivery Status Notification Handling Scan...
BugTraq ID: 9650
Remote: Yes
Date Published: Feb 12 2004
Relevant URL: http://www.securityfocus.com/bid/9650
Summary:
Sophos Anti-Virus is multi platform computer virus detection software.

Sophos Anti-Virus has been reported prone to a scanner bypass
vulnerability. The issue presents itself when certain types of Delivery
Status Notification (DSN) are encountered. The vendor has reported that
qmail servers generate this DSN type when they are configured to include
the original email message in a bounce notification. It is reported that
the vulnerability results because the aforementioned DSN will not include
MIME boundary definitions.

An attacker may exploit this condition, to bypass virus scans. This may
result in a false sense of security and malicious code completely
bypassing detection.

It should be noted that although this issue has been reported to affect
Sophos Anti-Virus version 3.78, other versions might also be affected.

57. XFree86 CopyISOLatin1Lowered Font_Name Buffer Overflow Vulne...
BugTraq ID: 9652
Remote: No
Date Published: Feb 12 2004
Relevant URL: http://www.securityfocus.com/bid/9652
Summary:
XFree86 is a freely available open-source implementation of the X Window
System.

It has been reported that the XFree86 X Windows system is prone to a local
buffer overflow vulnerability. The issue arises from improper bounds
checking performed in the CopyISOLatin1Lowered() function on data before
it is copied into a 1024 byte buffer. Specifically, the size of data that
is permitted to be copied is taken from the size of the user-supplied
string, rather than the size of the intended buffer.

It has been reported that excessive data (2048 bytes) read from the
font.alias file, as a value for the lexToken argument of
CopyISOLatin1Lowered(), will overrun the bounds of the font_name buffer.
An attacker may exploit this issue to execute arbitrary code within the
context of the XFree86 process, potentially gaining root privileges on the
affected system.

This issue has been reported to affect version 4.1.0 through 4.3.0
inclusive; it is likely however that this issue affects earlier versions
of the software as well.

58. AIM Sniff Temporary File Symlink Attack Vulnerability
BugTraq ID: 9653
Remote: No
Date Published: Feb 12 2004
Relevant URL: http://www.securityfocus.com/bid/9653
Summary:
AIM Sniff is a network reconnaissance tool that is used to specifically
target AIM traffic.

AIM Sniff has been reported prone to a Symbolic link vulnerability. The
issue presents itself, because the aimSniff.pl script creates temporary
files in an insecure manner. Specifically, when the aimSniff.pl script is
invoked (And debugging mode is enabled) a temporary file "/tmp/AS.log" is
created. To exploit this issue, a local attacker may create a symbolic
link in the "tmp" directory in place of the "/tmp/AS.log" file. The link
will point to an arbitrary file that the attacker wishes to target. When
the vulnerable script is invoked, operations that were supposed for the
temporary file will be carried out on the file that is linked by the
malicious symbolic link.

An attacker may exploit this issue to corrupt arbitrary files. This
corruption may potentially result in the elevation of privileges, or in a
system wide denial of service.

It has been reported that a user will require root privileges to invoke
the affected script; this may magnify the impact of this vulnerability.

59. Mailmgr Insecure Temporary File Creation Vulnerabilities
BugTraq ID: 9654
Remote: No
Date Published: Feb 12 2004
Relevant URL: http://www.securityfocus.com/bid/9654
Summary:
Mailmgr is an application for analyzing Sendmail logs and generating
reports in HTML. It is available for Unix/Linux variants.

Mailmgr is reportedly to be prone to a vulnerability related to temporary
file handling. The specific issue is that a number of temporary files are
created in an insecure manner, potentially providing malicious local users
with an opportunity to launch symbolic link attacks and cause files to be
corrupted.

The following temporary files are created in an insecure manner:
/tmp/mailmgr.unsort
/tmp/mailmgr.tmp
/tmp/mailmgr.sort

It is possible to create a symbolic link that is named after one of these
files. When the program is run by another user, any operations that were
intended to be performed on these files (such as creating them or
appending to them), would actually be performed on the file pointed to by
the symbolic link. The only caveat is that the user running the
application must have permission to write to the file pointed to by the
symbolic link. This would most likely result in a denial of service or
destruction of data as critical or sensitive files may be corrupted, but
under some circumstances this type of vulnerability could lead to elevated
privileges. The possibility of exploiting these particular issues to gain
elevated privileges has not been confirmed.

This issue was reported to exist in Mailmgr 1.2.3. Other versions are
also likely affected.

60. XFree86 Unspecified Vulnerability
BugTraq ID: 9655
Remote: Unknown
Date Published: Feb 12 2004
Relevant URL: http://www.securityfocus.com/bid/9655
Summary:
XFree86 is a freely available open-source implementation of the X Window
System.

XFree86 has been reported prone to an unspecified vulnerability
(CAN-2004-0106). It is likely that this issue is related to BID 9652
(XFree86 CopyISOLatin1Lowered Font_Name Buffer Overflow Vulnerability) and
BID 9636 (XFree86 Font Information File Buffer Overflow Vulnerability),
although this has not been confirmed. The issue is reported to present
itself due to programming flaws in procedures used to parse or read font
files.

It is believed that this issue affects version 4.1.0 through 4.3.0
inclusive, just like BIDs 9652 and 9636; it is likely however that this
issue also affects earlier versions of the software as well.

This BID will be updated as further details regarding this issue are
disclosed.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LQ Security Report - April 18th 2005 Capt_Caveman Linux - Security 4 04-19-2005 12:10 AM
LQ Security Report - September 18th 2004 unSpawn Linux - Security 2 09-18-2004 08:55 AM
LQ Security Report - June 27 2004 Capt_Caveman Linux - Security 3 06-27-2004 02:37 AM
LQ security report - Feb 24th 2004 unSpawn Linux - Security 2 02-24-2004 05:13 PM
LQ security report - Feb 13th 2004 unSpawn Linux - Security 5 02-13-2004 12:36 PM


All times are GMT -5. The time now is 08:10 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration