February 2nd 2004 (SF)
1. Gaim Multiple Remote Boundary Condition Error Vulnerabilitie...
BugTraq ID: 9489
Date Published: Jan 26 2004
Relevant URL: http://www.securityfocus.com/bid/9489
Gaim is an instant messaging client that supports numerous protocols.
It is available for the Unix and Linux platforms.
Several vulnerabilities have been identified in the handling of the YMSG
protocol, the Oscar protocol, proxy connections, and Gaim utilities.
Because of these issues, it may be possible for a remote attacker
to gain unauthorized access to hosts using the vulnerable software.
Reports indicate the following 12 problems:
Due to two errors in the handling of octal decoding code used for
e-mail notification, it is possible to create a condition suitable for
heap-based overflow attacks.
An overflow in the parsing of Yahoo Web cookies in HTTP headers
exists when handling a specially prepared cookie. Initial reports indicate
a low possibility of exploitation due to circumstances in memory
management of various platforms.
There is insufficient bounds checking of data returned from the Yahoo!
Login page. Name and Value strings returned to the client from a
system purporting to be the Yahoo! Login page could potentially
result in the execution of arbitrary code on the client side.
The YMSG protocol handler is vulnerable to a buffer overflow when
handling keynames of excessive sizes, usually greater than 64 bytes.
Remote communications with maliciously crafted keynames can be
forwarded through the Yahoo! server.
An integer overflow exists in the DirectIM handling by Gaim. A remote
user who sends a vulnerable Gaim client a value with a payload length of
UINT_MAX will cause an overflow in the calloc function.
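As an added illustration (not Gaim's code), the length wrap behind the DirectIM issue beside the check that prevents it; the 4-byte big-endian length header and the MAX_PAYLOAD cap are assumptions, not the real frame format or Gaim's limits.

```c
/* Added example, not Gaim's code. A 32-bit payload length from the peer
 * sizes a heap allocation: len + 1 wraps to 0 when len == UINT_MAX, so
 * calloc() returns a zero-byte block that the following copy overruns.
 * The 4-byte big-endian length header is a constructed layout, not the
 * real DirectIM frame format, and MAX_PAYLOAD is an assumed sanity cap. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PAYLOAD (1u << 20)

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: the size is computed in the same 32-bit type as
 * the length, so UINT_MAX yields 0 and calloc(0, 1) "succeeds". */
uint32_t unchecked_alloc_size(uint32_t len) { return len + 1; }

/* Hardened pattern: reject lengths that would wrap or exceed the cap.
 * Returns 1 and stores the byte count on success, 0 on rejection. */
int checked_alloc_size(uint32_t len, size_t *out)
{
    if (len == UINT32_MAX || len > MAX_PAYLOAD) return 0;
    *out = (size_t)len + 1;            /* payload plus NUL terminator */
    return 1;
}

/* Parse one constructed frame; NULL if the header is unsafe or short. */
unsigned char *parse_frame(const unsigned char *frame, size_t frame_len)
{
    size_t need;
    if (frame_len < 4) return NULL;
    uint32_t len = read_be32(frame);
    if (!checked_alloc_size(len, &need) || frame_len - 4 < len) return NULL;
    unsigned char *buf = calloc(need, 1);
    if (buf) memcpy(buf, frame + 4, len);   /* buf[len] stays 0 */
    return buf;
}

int main(void)
{
    const unsigned char evil[4] = {0xff, 0xff, 0xff, 0xff};  /* constructed */
    printf("unchecked size for UINT_MAX: %u\n", unchecked_alloc_size(UINT32_MAX));
    printf("checked parse: %s\n", parse_frame(evil, 4) ? "accepted" : "rejected");
    return 0;
}
```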
Due to two errors in the handling of Quoted Printable decoding code
used for e-mail notification, it is possible to create conditions suitable
for heap-based overflow attacks.
The URI parsing utility contains an overflow in the handling of specially
crafted URIs. An attacker could pass along a URI of excessive length to
create an exploitable stack overflow.
The Get User Info utility performs inadequate bounds checking on data
received from the YMSG and MSN protocol handlers. Because of this,
it is possible for a remote attacker to exploit a stack overflow in the
utility to execute arbitrary code.
A client-side overflow in the handling of HTTP proxy connections
exists in Gaim. A remote proxy sending a string of data in excess of 8192
bytes could potentially create an exploitable stack overflow on the client
These issues are undergoing further analysis and will be separated
into individual BIDs when analysis is complete.
*Update: Ultramagnetic, a concurrent fork of the Gaim instant
messaging software, has also been reported to be affected by the issues
listed under CAN-2004-0006, CAN-2004-0007 and CAN-2004-0008.
2. Antologic Antolinux Administrative Interface NDCR Parameter ...
BugTraq ID: 9495
Date Published: Jan 26 2004
Relevant URL: http://www.securityfocus.com/bid/9495
Antologic Antolinux is a Linux-based server product. The server is shipped
with an administrative interface written in PHP.
A vulnerability has been reported to exist in the administration interface of
the product that may allow a remote attacker to execute arbitrary
commands on vulnerable systems. The issue reportedly exists in
the 'NDCR' parameter of the software. Due to insufficient sanitization of
user-supplied input, data supplied to this variable will be interpreted in
the shell. An attacker can exploit this vulnerability by passing malicious
shell metacharacters to the software in order to execute arbitrary
commands with the privileges of the server hosting the vulnerable
software. It has been demonstrated that an attacker may gain access to
the password file by carrying out a 'cat' command. An attacker may need
to spoof the HTTP REFERER to carry out successful exploitation.
Antologic Antolinux 1.0 has been reported to be prone to this issue,
however, other versions may be affected as well.
3. Cherokee Error Page Cross Site Scripting Vulnerability
BugTraq ID: 9496
Date Published: Jan 26 2004
Relevant URL: http://www.securityfocus.com/bid/9496
Cherokee is a web server distributed under the GNU public license.
It is available for numerous platforms, including Microsoft Windows and
Cherokee has been reported to contain a cross-site scripting vulnerability.
This issue is due to the server failing to check and filter user-supplied
strings issued to the server in a web request, which are then included
directly in error output.
An attacker can exploit this issue by crafting a URI link containing the
malevolent HTML or script code, and enticing a user to follow it. If this link
were followed, the hostile code may be rendered in the web browser of
the victim user. This would occur in the security context of the affected
web server and may allow for theft of cookie-based authentication
credentials or other attacks.
4. Xoops Viewtopic.php Cross-Site Scripting Vulnerability
BugTraq ID: 9497
Date Published: Jan 26 2004
Relevant URL: http://www.securityfocus.com/bid/9497
Xoops is open-source, freely available web portal software written in
object-oriented PHP. It is back-ended by a MySQL database and will run on
most Unix and Linux distributions.
A vulnerability has been reported to exist in Xoops that may allow a
remote user to execute HTML or script code in a user's browser.
The issue is reported to exist due to improper sanitizing of user-supplied
data. It has been reported that HTML and script code may be parsed via
the 'topic_id' and 'forum' URI parameters of 'newbb/viewtopic.php' script.
This vulnerability makes it possible for an attacker to construct a malicious
link containing HTML or script code that may be rendered in a user's
browser upon visiting that link. This attack would occur in the security
context of the site.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials. Other attacks are also possible.
Xoops versions 2.x have been reported to be prone to this issue.
5. TCPDump ISAKMP Decoding Routines Denial Of Service Vulnerabi...
BugTraq ID: 9507
Date Published: Jan 27 2004
Relevant URL: http://www.securityfocus.com/bid/9507
tcpdump is a freely available, open source network monitoring tool.
It is available for the Unix, Linux, and Microsoft Windows operating
A vulnerability has been identified in the software that may allow a
remote attacker to cause a denial of service condition in the software.
The issue occurs due to the way tcpdump decodes Internet Security
Association and Key Management Protocol (ISAKMP) packets. A remote
attacker may cause the software to enter an infinite loop by sending
malformed ISAKMP packets, resulting in a crash or hang.
Although unconfirmed, due to the nature of this issue, an attacker may
leverage the issue by exploiting an unbounded memory copy operation to
overwrite the saved return address/base pointer, causing an affected
procedure to return to an address of their choice. Successful exploitation
of this issue may allow an attacker to execute arbitrary code with the
privileges of the tcpdump process in order to gain unauthorized access.
tcpdump versions prior to 3.8.1 have been reported to be prone to this
6. Macromedia ColdFusion MX Security Sandbox Circumvention Vuln...
BugTraq ID: 9521
Date Published: Jan 28 2004
Relevant URL: http://www.securityfocus.com/bid/9521
ColdFusion MX is an application server for developing and hosting
applications, distributed by Macromedia. It is available as a
standalone product for Unix, Linux, and Microsoft operating systems.
ColdFusion MX has been reported prone to a security sandbox
circumvention vulnerability. The issue is reported to exist because
programmers have the ability to create instances of classes without using
"CreateObject()" or "<cfobject>" tags. It has been reported that the
security sandbox does not prevent this behavior.
This issue cannot be exploited remotely, but the vulnerability may present
a danger in a shared hosted environment.
An attacker may exploit this issue to circumvent the security sandbox of
This issue has been reported to affect ColdFusion MX 6.1.
7. Third-party CVSup Binary Insecure ELF RPATH Library Replacem...
BugTraq ID: 9523
Date Published: Jan 29 2004
Relevant URL: http://www.securityfocus.com/bid/9523
CVSup is a network file distribution utility that is intended to be used with
CVS repositories. It is available for various Unix/Linux derivatives.
It has been reported that some third-party vendor-supplied CVSup
binaries may have an insecure ELF RPATH that includes world-writeable
directories in the path. This variable is used to specify the run-time search
path for ELF objects. A local attacker could exploit this issue by placing
malicious libraries in these directories, which would be dynamically linked
against at run-time when the cvsup, cvsupd or cvpasswd programs are
executed. This would result in execution of arbitrary code with elevated
This issue was reported to affect CVSup RPMs that ship with SuSE
Linux. Other distributions may also be affected. In the instance of SuSE,
the /home/anthon and /usr/src/packages directories included in the search
path may be world-writeable, depending on the value of the
PERMISSIONS_SECURITY setting in the /etc/sysconfig/security configuration
file. Statically linked versions of the software should not be affected by