LQ security report - Jun 08th 2004
Jun 16th 2004
Kernel Crash-Exploit affects 2.4.2x and 2.6.x kernels on x86 and x86_64

Full report here. A Linux kernel bug allows a simple C program to crash the kernel, effectively locking the whole system. The security hole affects both 2.4.2x and 2.6.x kernels on the x86 and x86_64 architectures. Kernel 2.6.7 is out, and there are patches for the 2.4.2x and 2.6.x kernels on x86 and x86_64. The crash was first reported as gcc bug 15905 on 2004-06-09, and on the same day to the linux-kernel list under the subject "timer + fpu stuff locks my console race". The alert on LQ was posted by lpd on 2004-06-16 (thanks).

Jun 7th 2004 38 of 49 issues handled (ISS)

Kerberos krb5_aname_to_localname library function buffer overflow
jftpgw log function format string
jPortal print.inc.php allows SQL injection
GATOS xatitv program allows elevated privileges
Linksys WRT54G remote administration function security bypass
e107 multiple scripts path disclosure
spamGuard multiple buffer overflows
e107 clock_menu.php cross-site scripting
e107 email to a friend feature cross-site scripting
e107 user settings.php script cross-site scripting
e107 secure_img_render.php PHP file include
e107 content.php news.php SQL injection
Land Down Under BBcode cross-site scripting
SquirrelMail From header cross-site scripting
Sambar show.asp and showperf.asp scripts cross-site scripting
Sambar showlog.asp and showini.asp scripts directory traversal
PHP-Nuke eregi function path disclosure
PHP-Nuke mainfile.php SQL injection
osc2nuke eregi path disclosure
Oscnukelite eregi path disclosure
Nuke Cops eregi path disclosure
Linksys BEFSR41 remote administration function security bypass
Gallery user bypass authentication
Linksys Gozila.cgi denial of service
Linksys DomainName buffer overflow
Opera favicon address spoofing
Isoqlog multiple buffer overflows
Tripwire fprintf format string
Slackware Linux PHP allows elevated privileges
log2mail syslog format string
NETGEAR WG602 default account
UNIX mkdir utility buffer overflow
Multiple IBM products cookie session hijack
InterBase database allows execution of code
Mail Manage EX mmex.php file include
SurgeMail invalid HTTP request path disclosure
SurgeMail username cross-site scripting
Oracle E-Business SQL injection

Jun 7th 2004 26 of 32 issues handled (SF)

2. JPortal Print.php SQL Injection Vulnerability
3. PHPoto Picture_view Script Unauthorized Access Vulnerability
5. Isoqlog Multiple Buffer Overflow Vulnerabilities
6. Spamguard Multiple Buffer Overflow Vulnerabilities
7. Land Down Under BBCode HTML Injection Vulnerability
8. e107 Website System Multiple Vulnerabilities
9. Gatos xatitv Missing Configuration File Privilege Escalation...
10. SquirrelMail Email Header HTML Injection Vulnerability
12. Linksys WRT54G Router World Accessible Remote Administration...
13. RARLAB UnRAR File Name Format String Vulnerability
15. Sambar Server Multiple Vulnerabilities
17. Firebird Remote Pre-Authentication Database Name Buffer Over...
18. PHP-Nuke Direct Script Access Security Bypass Vulnerability
19. MIT Kerberos 5 KRB5_AName_To_Localname Multiple Principal Na...
20. IBM Multiple Product Unspecified Credential Impersonation Vu...
21. Gallery Authentication Bypass Vulnerability
22. Opera Browser Favicon Address Bar Spoofing Weakness
23. Multiple Linksys Routers Gozila.CGI Denial Of Service Vulner...
24. Tripwire Email Reporting Format String Vulnerability
25. Unix and Unix-based select() System Call Overflow Vulnerabil...
27. Mail Manage EX MMEX Script Settings Parameter Remote PHP Fil...
28. Sun Fire B1600 Network Management Port Remote Denial Of Serv...
29. Netgear WG602 Wireless Access Point Default Backdoor Account...
30. Michael Krax log2mail Log File Writing Format String Vulnera...
31. Slackware Linux PHP Packages Insecure Linking Configuration ...
32. Mkdir Buffer Overflow Vulnerability
Jun 7th 2004 (ISS)
Internet Security Systems
Date Reported: 06/01/2004
Brief Description: Kerberos krb5_aname_to_localname library function buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Any operating system Any version, Mandrake Linux 10.0, Mandrake Linux 9.1, Mandrake Linux 9.2, Mandrake Linux Corporate Server 2.1, Mandrake Multi Network Firewall 8.2, MIT Kerberos 5 krb5-1.3.3 and prior
Vulnerability: Kerberos-krb5anametolocalname-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/16268

Date Reported: 05/30/2004
Brief Description: jftpgw log function format string
Risk Factor: High
Attack Type: Network Based
Platforms: Any operating system Any version, Debian Linux 3.0, jftpgw prior to 0.13.4
Vulnerability: jftpgw-log-format-string
X-Force URL: http://xforce.iss.net/xforce/xfdb/16271

Date Reported: 05/27/2004
Brief Description: jPortal print.inc.php allows SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: jPortal Any version, Linux Any version, Unix Any version, Windows Any version
Vulnerability: jportal-printincphp-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/16272

Date Reported: 05/30/2004
Brief Description: GATOS xatitv program allows elevated privileges
Risk Factor: High
Attack Type: Host Based
Platforms: GATOS Any version, Linux Any version
Vulnerability: gatos-xatitv-gain-privileges
X-Force URL: http://xforce.iss.net/xforce/xfdb/16273

Date Reported: 05/31/2004
Brief Description: Linksys WRT54G remote administration function security bypass
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linksys WRT54G 2.02.7
Vulnerability: linksys-remote-bypass-security
X-Force URL: http://xforce.iss.net/xforce/xfdb/16274

Date Reported: 05/29/2004
Brief Description: e107 multiple scripts path disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, e107 prior to 0.616
Vulnerability: e107-multiplescripts-path-disclosure
X-Force URL: http://xforce.iss.net/xforce/xfdb/16277

Date Reported: 05/28/2004
Brief Description: spamGuard multiple buffer overflows
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, spamGuard prior to 1.7-BETA, Unix Any version
Vulnerability: spamguard-multiple-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/16278

Date Reported: 05/29/2004
Brief Description: e107 clock_menu.php cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, e107 prior to 0.616
Vulnerability: e107-clock-menu-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/16279

Date Reported: 05/29/2004
Brief Description: e107 email to a friend feature cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, e107 prior to 0.616
Vulnerability: e107-email-friend-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/16280

Date Reported: 05/29/2004
Brief Description: e107 user settings.php script cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, e107 prior to 0.616
Vulnerability: e107-user-setting-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/16281

Date Reported: 05/29/2004
Brief Description: e107 secure_img_render.php PHP file include
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, e107 prior to 0.616
Vulnerability: e107-secure-img-render-file-include
X-Force URL: http://xforce.iss.net/xforce/xfdb/16282

Date Reported: 05/29/2004
Brief Description: e107 content.php news.php SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, e107 prior to 0.616
Vulnerability: e107-content-news-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/16283

Date Reported: 05/29/2004
Brief Description: Land Down Under BBcode cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, Land Down Under prior to 700-06
Vulnerability: ldu-bbcode-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/16284

Date Reported: 05/30/2004
Brief Description: SquirrelMail From header cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, SquirrelMail prior to 1.4.3, SquirrelMail prior to 1.5.1 dev, Unix Any version
Vulnerability: squirrelmail-from-header-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/16285

Date Reported: 06/01/2004
Brief Description: Sambar show.asp and showperf.asp scripts cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Sambar Server Pro Server 6.1 Beta 2, Windows Any version
Vulnerability: sambar-show-showperf-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/16286

Date Reported: 06/01/2004
Brief Description: Sambar showlog.asp and showini.asp scripts directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Sambar Server Pro Server 6.1 Beta 2, Windows Any version
Vulnerability: sambar-multiple-directory-traversal
X-Force URL: http://xforce.iss.net/xforce/xfdb/16287

Date Reported: 06/01/2004
Brief Description: PHP-Nuke eregi function path disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, PHP-Nuke 7.3 and prior
Vulnerability: phpnuke-eregi-path-disclosure
X-Force URL: http://xforce.iss.net/xforce/xfdb/16294

Date Reported: 05/30/2004
Brief Description: PHP-Nuke mainfile.php SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, PHP-Nuke Any version
Vulnerability: phpnuke-mainfilephp-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/16295

Date Reported: 06/01/2004
Brief Description: osc2nuke eregi path disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, osc2nuke 7.x and prior, Unix Any version, Windows Any version
Vulnerability: osc2nuke-eregi-path-disclosure
X-Force URL: http://xforce.iss.net/xforce/xfdb/16296

Date Reported: 06/01/2004
Brief Description: Oscnukelite eregi path disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Oscnukelite 3.1 and prior, Unix Any version, Windows Any version
Vulnerability: oscnukelite-eregi-path-disclosure
X-Force URL: http://xforce.iss.net/xforce/xfdb/16297

Date Reported: 06/01/2004
Brief Description: Nuke Cops eregi path disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, Nuke Cops betaNC, PHP-Nuke 6.5 and later
Vulnerability: nukecops-ergei-path-disclosure
X-Force URL: http://xforce.iss.net/xforce/xfdb/16298

Date Reported: 06/01/2004
Brief Description: Linksys BEFSR41 remote administration function security bypass
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linksys EtherFast BEFSR41 any version
Vulnerability: linksys-befsr41-remote-bypass-security
X-Force URL: http://xforce.iss.net/xforce/xfdb/16300

Date Reported: 06/02/2004
Brief Description: Gallery user bypass authentication
Risk Factor: High
Attack Type: Network Based
Platforms: Debian Linux 3.0, Gallery 1.2 up to 1.4.3-pl2, Linux Any version
Vulnerability: gallery-user-bypass-authentication
X-Force URL: http://xforce.iss.net/xforce/xfdb/16301

Date Reported: 06/03/2004
Brief Description: Linksys Gozila.cgi denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linksys EtherFast BEFSR11 any version, Linksys EtherFast BEFSR41 3, Linksys EtherFast BEFSR81 2, Linksys EtherFast BEFSR81 3, Linksys EtherFast BEFSRU31 any version, Linksys EtherFast BEFSX41 any version, Linksys EtherFast BEFW11S4 3, Linksys EtherFast BEFW11S4 4
Vulnerability: linksys-gozila-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/16302

Date Reported: 06/03/2004
Brief Description: Linksys DomainName buffer overflow
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linksys EtherFast BEFSR11 any version, Linksys EtherFast BEFSR41 any version, Linksys EtherFast BEFSR81 2, Linksys EtherFast BEFSR81 3, Linksys EtherFast BEFSRU31 any version, Linksys EtherFast BEFSX41 any version, Linksys EtherFast BEFW11S4 3, Linksys EtherFast BEFW11S4 4
Vulnerability: linksys-domainname-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/16305

Date Reported: 06/03/2004
Brief Description: Opera favicon address spoofing
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Opera 7.50 and earlier, Windows Any version
Vulnerability: opera-favicon-spoofing
X-Force URL: http://xforce.iss.net/xforce/xfdb/16307

Date Reported: 05/28/2004
Brief Description: Isoqlog multiple buffer overflows
Risk Factor: High
Attack Type: Network Based
Platforms: Isoqlog 2.2-BETA, Linux Any version, Unix Any version
Vulnerability: isoqlog-multiple-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/16308

Date Reported: 06/02/2004
Brief Description: Tripwire fprintf format string
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Tripwire - Commercial 4.0.1 and earlier, Tripwire - open-source 2.3.1 and prior
Vulnerability: tripwire-fprintf-format-string
X-Force URL: http://xforce.iss.net/xforce/xfdb/16309

Date Reported: 06/03/2004
Brief Description: Slackware Linux PHP allows elevated privileges
Risk Factor: High
Attack Type: Host Based
Platforms: Slackware Linux 8.1, Slackware Linux 9.0, Slackware Linux 9.1
Vulnerability: linux-php-gain-privileges
X-Force URL: http://xforce.iss.net/xforce/xfdb/16310

Date Reported: 06/03/2004
Brief Description: log2mail syslog format string
Risk Factor: High
Attack Type: Host Based
Platforms: Debian Linux 3.0, log2mail prior to 0.2.5.2
Vulnerability: log2mail-syslog-format-string
X-Force URL: http://xforce.iss.net/xforce/xfdb/16311

Date Reported: 06/03/2004
Brief Description: NETGEAR WG602 default account
Risk Factor: High
Attack Type: Host Based / Network Based
Platforms: NETGEAR WG602 Any version
Vulnerability: netgearwg602-default-account
X-Force URL: http://xforce.iss.net/xforce/xfdb/16312

Date Reported: 06/02/2004
Brief Description: UNIX mkdir utility buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Unix Any version, Unix Seventh Edition
Vulnerability: unix-mkdir-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/16313

Date Reported: 06/03/2004
Brief Description: Multiple IBM products cookie session hijack
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, IBM Tivoli Access Manager for e-business 3.9, IBM Tivoli Access Manager for e-business 4.1, IBM Tivoli Access Manager for e-business 5.1, IBM Tivoli Access Manager Identity 5.1, IBM Tivoli Config Manager for AutoTeller 2.1.0, IBM Tivoli Configuration Manager 4.2, IBM WebSphere Everyplace Server 2.1.3, IBM WebSphere Everyplace Server 2.1.4, IBM WebSphere Everyplace Server 2.1.5, Tivoli SecureWay Policy Director 3.8
Vulnerability: ibm-cookie-session-hijack
X-Force URL: http://xforce.iss.net/xforce/xfdb/16315

Date Reported: 06/03/2004
Brief Description: InterBase database allows execution of code
Risk Factor: High
Attack Type: Network Based
Platforms: InterBase 7.1, Linux Any version, Unix Any version
Vulnerability: interbase-database-name-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/16316

Date Reported: 06/03/2004
Brief Description: Mail Manage EX mmex.php file include
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, Mail Manage EX 3.1.8 and prior
Vulnerability: mailmanage-mmex-file-include
X-Force URL: http://xforce.iss.net/xforce/xfdb/16317

Date Reported: 06/03/2004
Brief Description: SurgeMail invalid HTTP request path disclosure
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, SurgeMail 1.9 and earlier, Unix Any version, Windows 2000 Any version, Windows NT Any version
Vulnerability: surgemail-invalid-path-disclosure
X-Force URL: http://xforce.iss.net/xforce/xfdb/16319

Date Reported: 06/03/2004
Brief Description: SurgeMail username cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, SurgeMail 1.9 and earlier, Unix Any version, Windows 2000 Any version, Windows NT Any version
Vulnerability: surgemail-username-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/16320

Date Reported: 06/04/2004
Brief Description: Oracle E-Business SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, Oracle E-Business Suite 11.0.x, Oracle E-Business Suite 11.5.1 - 11.5.8, Oracle E-Business Suite 11i
Vulnerability: oracle-ebusiness-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/16324
Jun 7th 2004 (SF)
SecurityFocus
2. JPortal Print.php SQL Injection Vulnerability
BugTraq ID: 10430
Remote: Yes
Date Published: May 28 2004
Relevant URL: http://www.securityfocus.com/bid/10430
Summary: JPortal is reportedly affected by a remote SQL injection vulnerability in the print.inc.php script. This issue is due to a failure of the application to properly sanitize user-supplied URI input before using it in an SQL query. As a result, a malicious user may influence database queries in order to view or modify sensitive information, potentially compromising the software or the database. It may be possible for an attacker to disclose the administrator password hash by exploiting this issue.

3. PHPoto Picture_view Script Unauthorized Access Vulnerability
BugTraq ID: 10431
Remote: Yes
Date Published: May 28 2004
Relevant URL: http://www.securityfocus.com/bid/10431
Summary: PHPoto is prone to an unauthorized access vulnerability that can allow remote users to view any pictures hosted on a site, regardless of the user's privileges. PHPoto versions 0.4.0-pre-5 and prior are prone to this issue.

5. Isoqlog Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 10433
Remote: Yes
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10433
Summary: Isoqlog is prone to multiple buffer overflow vulnerabilities that span various source files and functions. Some of the vulnerabilities are remotely exploitable and may permit execution of arbitrary code in the context of the process. Others are local in nature but, as the software is not typically installed setuid/setgid, should not present any security risk.

6. Spamguard Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 10434
Remote: Yes
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10434
Summary: Spamguard is prone to multiple buffer overflow vulnerabilities that span various source files and functions. Some of the vulnerabilities are remotely exploitable and may permit execution of arbitrary code in the context of the process. Others are local in nature but, as the software is not typically installed setuid/setgid, should not present any security risk.

7. Land Down Under BBCode HTML Injection Vulnerability
BugTraq ID: 10435
Remote: Yes
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10435
Summary: Land Down Under is prone to an HTML injection vulnerability. This issue is exposed through its BBCode implementation. Exploitation could permit theft of cookie credentials, manipulation of content, or other attacks.

8. e107 Website System Multiple Vulnerabilities
BugTraq ID: 10436
Remote: Yes
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10436
Summary: e107 is prone to multiple cross-site scripting, HTML injection, file inclusion, and SQL injection vulnerabilities. These may compromise various security properties of a Web site running the software, including allowing remote attackers to execute malicious PHP code.

9. Gatos xatitv Missing Configuration File Privilege Escalation...
BugTraq ID: 10437
Remote: No
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10437
Summary: The gatos xatitv utility is prone to a local privilege escalation vulnerability. This issue may occur when the utility, which is installed setuid root, fails to drop privileges due to a missing configuration file. Unsanitized user-supplied environment variables may then be exploited to escalate privileges. It is noted that the software ships with a default configuration file, so exploitation would require that the file was removed at some point.

10. SquirrelMail Email Header HTML Injection Vulnerability
BugTraq ID: 10439
Remote: Yes
Date Published: May 31 2004
Relevant URL: http://www.securityfocus.com/bid/10439
Summary: SquirrelMail is reported to be prone to an email header HTML injection vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied email header strings. An attacker can exploit this issue to gain access to an unsuspecting user's cookie-based authentication credentials; disclosure of personal email is possible. Other attacks are also possible.

12. Linksys WRT54G Router World Accessible Remote Administration...
BugTraq ID: 10441
Remote: Yes
Date Published: May 31 2004
Relevant URL: http://www.securityfocus.com/bid/10441
Summary: A weakness is reported to affect the Linksys WRT54G appliance. It is reported that the web-based administration service is published on the WAN interface of the appliance even when the remote administration functionality is disabled.

13. RARLAB UnRAR File Name Format String Vulnerability
BugTraq ID: 10442
Remote: Yes
Date Published: May 31 2004
Relevant URL: http://www.securityfocus.com/bid/10442
Summary: RARLAB UnRAR is reportedly affected by a file name format string vulnerability. This issue is due to a failure of the affected application to properly implement a formatted string function. This vulnerability will allow for execution of arbitrary code on a system running the affected software. This would occur in the security context of the user invoking the vulnerable application.

15. Sambar Server Multiple Vulnerabilities
BugTraq ID: 10444
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10444
Summary: Sambar Server is reportedly prone to multiple vulnerabilities. These issues may allow an attacker to access sensitive files and carry out directory traversal and cross-site scripting attacks. These issues require an attacker to have administrative privileges; however, it is reported that an administrative password is not set on the server by default. An administrator who is not intended to have certain privileges may also exploit these vulnerabilities. Sambar 6.1 Beta 2 is reported to be prone to these issues; however, it is likely that other versions are affected as well.

17. Firebird Remote Pre-Authentication Database Name Buffer Over...
BugTraq ID: 10446
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10446
Summary: Firebird is reported prone to a remote buffer overrun vulnerability. The issue presents itself due to a lack of sufficient boundary checks performed when the database server is handling database names. A remote attacker may exploit this vulnerability, without requiring valid authentication credentials, to influence the execution flow of the affected Firebird database server. Ultimately this may lead to the execution of attacker-supplied code in the context of the affected software.

18. PHP-Nuke Direct Script Access Security Bypass Vulnerability
BugTraq ID: 10447
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10447
Summary: PHP-Nuke is affected by a direct script access security vulnerability. This issue is due to a failure to properly validate the location and name of the file being accessed. This issue will allow an attacker to gain access to sensitive scripts such as the 'admin.php' script. The attacker may be able to exploit this unauthorized access to carry out attacks against the affected application.

19. MIT Kerberos 5 KRB5_AName_To_Localname Multiple Principal Na...
BugTraq ID: 10448
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10448
Summary: Kerberos 5 is prone to multiple boundary condition errors that exist in the krb5_aname_to_localname() function and its helper functions, due to insufficient bounds checking performed on user-supplied data. An additional boundary condition issue, an off-by-one, is reported in the explicit mapping functionality of krb5_aname_to_localname(). These conditions may theoretically be exploited to execute arbitrary code remotely in the context of the affected service. It is reported that the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname() must be enabled for these vulnerabilities to be present. Additionally, the principal name used by the attacker to exploit the issue must be listed in the explicit mapping list. These vulnerabilities are reported to affect all releases of MIT Kerberos 5, up to and including version krb5-1.3.3.

20. IBM Multiple Product Unspecified Credential Impersonation Vu...
BugTraq ID: 10449
Remote: Yes
Date Published: Jun 02 2004
Relevant URL: http://www.securityfocus.com/bid/10449
Summary: Multiple IBM products are prone to an unspecified credential impersonation vulnerability. According to IBM this vulnerability may allow a remote attacker to gain access to resources and data, or gain control of the compromised application. It is reported that this attack can allow the attacker to exploit the usage of cookies and impersonate a legitimate user to gain unauthorized access. Due to a lack of details, further information is not available at the moment. This BID will be updated as more information becomes available.

21. Gallery Authentication Bypass Vulnerability
BugTraq ID: 10451
Remote: Yes
Date Published: Jun 02 2004
Relevant URL: http://www.securityfocus.com/bid/10451
Summary: It has been disclosed that an attacker can bypass Gallery's authentication process and log in as any user without a password. An attacker can override configuration variables by passing them in GET, POST or cookie arguments. Gallery simulates the 'register_globals' PHP setting by extracting the values of the various $HTTP_ global variables into the global namespace. Therefore, regardless of the 'register_globals' PHP setting, an attacker can override configuration variables. An attacker can change configuration variables and cause Gallery to skip the authentication steps. Versions prior to 1.4.3-pl2 are reported to be vulnerable.

22. Opera Browser Favicon Address Bar Spoofing Weakness
BugTraq ID: 10452
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10452
Summary: Opera Web Browser is prone to a security weakness that may permit malicious web pages to spoof address bar information. It is reported that the 'favicon' feature can be used to spoof the domain of a malicious web page. An attacker can create an icon that includes the text of the desired site and is similar to the way Opera displays information in the address bar. The attacker can then obfuscate the real address with spaces. This issue can be used to spoof information in the address bar, page bar and page/window cycler. The vulnerability reportedly affects Opera 7.23 and 7.50. It is likely that previous versions are affected as well.

23. Multiple Linksys Routers Gozila.CGI Denial Of Service Vulner...
BugTraq ID: 10453
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10453
Summary: Multiple Linksys routers are reported vulnerable to a denial of service condition. The issues present themselves due to a lack of sufficient sanitization performed on parameters that are passed to the Gozila.CGI script. A remote attacker may potentially exploit these conditions to deny service to an affected appliance. It is reported that the device must be reset to the original factory defaults in order to restore normal device functionality.

24. Tripwire Email Reporting Format String Vulnerability
BugTraq ID: 10454
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10454
Summary: Tripwire is affected by an email reporting format string vulnerability. This issue is due to a failure to properly implement a formatted string function. This vulnerability will allow for execution of arbitrary code on a system running the affected software. This would occur in the security context of the user invoking the vulnerable application; typically the superuser.
Update: It is reported that this issue only presents itself when the MAILMETHOD is sendmail.

25. Unix and Unix-based select() System Call Overflow Vulnerabil...
BugTraq ID: 10455
Remote: Unknown
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10455
Summary: The select() system call may be vulnerable to an overflow condition, possibly allowing attackers to write data past the end of a fixed-size buffer. select() uses arguments of type 'fd_set', which is of a fixed size in many Unix variants. fd_set is used to keep track of open file descriptors. If a process raises its rlimit for open files past 1024, it is theoretically possible to cause select to change individual bits past the end of the fixed-size fds_bits structure. In theory, an attacker may be able to use this vulnerability to cause a denial of service condition, or possibly execute arbitrary code. It should be noted that rlimits can only be raised by root, and that only processes with rlimits allowing more than 1024 file descriptors would be affected. This is a theoretical issue, and it has not been confirmed by any vendor. This BID will be updated when further information is released.

27. Mail Manage EX MMEX Script Settings Parameter Remote PHP Fil...
BugTraq ID: 10457
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10457
Summary: Mail Manage EX is reportedly prone to a remote file include vulnerability. This vulnerability results from insufficient sanitization of user-supplied data and may allow remote attackers to include arbitrary PHP files located on remote servers. This issue was discovered in Mail Manage EX 3.1.8. It is possible that previous versions are affected as well.

28. Sun Fire B1600 Network Management Port Remote Denial Of Serv...
BugTraq ID: 10458
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10458
Summary: Sun Fire B1600 is reported prone to a remote denial of service vulnerability. The issue exists because the switch firmware will disable all of the network ports on the switch for a short period when an ARP datagram is received on the Network Management Port.

29. Netgear WG602 Wireless Access Point Default Backdoor Account...
BugTraq ID: 10459
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10459
Summary: Netgear WG602 reportedly contains a default administrative account. This issue can allow a remote attacker to gain administrative access to the device. Netgear WG602 access points with firmware version 1.04.0 are reportedly affected by this issue. It is likely that other versions of the firmware are also vulnerable. It is reported that the new version (1.7.14) of the firmware for the WG602 is vulnerable to this issue as well; however, the username and password for the backdoor account have been changed.

30. Michael Krax log2mail Log File Writing Format String Vulnera...
BugTraq ID: 10460
Remote: No
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10460
Summary: Michael Krax log2mail is reported prone to a log file writing format string vulnerability. This issue is due to a failure of the application to properly implement a formatted string function. This vulnerability will ultimately allow for execution of arbitrary code on a system running the affected software. This would occur in the security context of the user invoking the vulnerable application; typically the 'log2mail' user with group 'adm'.

31. Slackware Linux PHP Packages Insecure Linking Configuration ...
BugTraq ID: 10461
Remote: No
Date Published: Jun 02 2004
Relevant URL: http://www.securityfocus.com/bid/10461
Summary: Slackware Linux PHP packages are reportedly affected by an insecure linking configuration vulnerability. This issue is due to a configuration error that causes PHP to be linked against shared libraries in insecure directories. This issue can be leveraged by an attacker to execute arbitrary code in the security context of the user running the affected PHP process; typically the user 'nobody'.

32. Mkdir Buffer Overflow Vulnerability
BugTraq ID: 10462
Remote: No
Date Published: Jun 02 2004
Relevant URL: http://www.securityfocus.com/bid/10462
Summary: It is reported that mkdir is susceptible to a buffer overflow vulnerability. An attacker with local access passes a long path to mkdir, which overflows a fixed buffer. Mkdir is installed setuid root by default, as the mknod() system call can only be called by root. On the affected (Seventh Edition) Unix there is no mkdir() system call, so the mkdir command must use mknod to create a directory node, then populate the node with "." and ".." itself. A local attacker can exploit this issue to execute arbitrary code as root.
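The select()/fd_set issue in item 25 above comes down to one missing range check: fd_set is a fixed bitmap and FD_SET() on a descriptor at or above FD_SETSIZE writes outside it. The following is an added example, not code from the SecurityFocus entry or from any affected system, showing the guard a caller needs and where the unguarded bit arithmetic lands relative to the end of the structure. Function names and the descriptor lists are constructed for the demonstration; the byte/bit mapping assumes a little-endian host and is emulated on a raw buffer rather than through the real macro, because fortified libc builds abort on an out-of-range FD_SET.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>

/* Set bit fd in *set only if it lies inside the fixed-size bitmap.
 * Returns 0 on success, -1 with errno = EINVAL if fd is out of range.
 * This is the check the advisory's scenario lacks: a descriptor at or
 * above FD_SETSIZE would otherwise be written past the end of fds_bits. */
int safe_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Builds a read set from a caller-supplied descriptor list, refusing the
 * whole request if any descriptor would overflow the bitmap.
 * Returns the highest descriptor added (select()'s nfds is that + 1),
 * or -1 if the list was rejected. */
int build_read_set(const int *fds, size_t count, fd_set *set)
{
    int maxfd = -1;
    FD_ZERO(set);
    for (size_t i = 0; i < count; i++) {
        if (safe_fd_set(fds[i], set) != 0)
            return -1;
        if (fds[i] > maxfd)
            maxfd = fds[i];
    }
    return maxfd;
}

/* Shows where the unguarded bit arithmetic lands. A raw buffer is laid out
 * as [fd_set][16-byte canary]; the byte and bit that a little-endian fd_set
 * bitmap uses for descriptor fd are set without any range check, and the
 * function returns how many canary bytes changed (0 = stayed inside fd_set,
 * -1 = fd negative or beyond even the canary). */
int unguarded_clobbers_canary(int fd)
{
    unsigned char buf[sizeof(fd_set) + 16];
    size_t byte = (size_t)fd / CHAR_BIT;
    int changed = 0;

    memset(buf, 0x00, sizeof(fd_set));
    memset(buf + sizeof(fd_set), 0x55, 16);
    if (fd < 0 || byte >= sizeof buf)
        return -1;
    buf[byte] |= (unsigned char)(1u << (fd % CHAR_BIT));
    for (size_t i = 0; i < 16; i++)
        if (buf[sizeof(fd_set) + i] != 0x55)
            changed++;
    return changed;
}

/* Constructed descriptor lists for the demonstration. */
int demo_accepted_list(void)
{
    fd_set s;
    int fds[] = { 0, 1, 2, 5 };
    return build_read_set(fds, sizeof fds / sizeof fds[0], &s);   /* 5 */
}

int demo_rejected_list(void)
{
    fd_set s;
    int fds[] = { 0, FD_SETSIZE + 7 };   /* second entry is out of range */
    return build_read_set(fds, sizeof fds / sizeof fds[0], &s);   /* -1 */
}

int main(void)
{
    int rc;
    printf("FD_SETSIZE = %d, sizeof(fd_set) = %zu bytes\n",
           FD_SETSIZE, sizeof(fd_set));
    printf("accepted list -> maxfd %d\n", demo_accepted_list());
    rc = demo_rejected_list();
    printf("rejected list -> %d (%s)\n", rc, strerror(errno));
    printf("unguarded fd %d changes %d canary byte(s)\n",
           FD_SETSIZE + 7, unguarded_clobbers_canary(FD_SETSIZE + 7));
    return 0;
}
```

The practical takeaways match the advisory's own caveat: only a process whose open-files rlimit was raised above FD_SETSIZE can ever hold such a descriptor, and any code that reaches that point should either validate against FD_SETSIZE as above or use poll(), which has no fixed-size descriptor bitmap.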
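Items 13 (UnRAR file name), 24 (Tripwire email report) and 30 (log2mail log line) are the same bug class: attacker-influenced text handed to a printf-family or syslog() function as the format argument. The block below is an added example, not code from any of those projects, that shows the pattern on a small logging helper next to the one-token fix, plus an audit check for data that carries conversion directives. The helper names and the sample file name are constructed; the sample deliberately contains only "%%" so that the vulnerable path runs deterministically (a "%n" in real input is a memory write).

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable: the untrusted string IS the format argument. Any "%x", "%s"
 * or "%n" in an archive member name, a report line or a log line is then
 * interpreted, reading the stack or, with "%n", writing to memory.
 * The pragma only silences the compiler warning that would otherwise
 * flag this line; the line itself is the bug under discussion. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int log_line_vulnerable(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, untrusted);
}
#pragma GCC diagnostic pop

/* Fixed: a constant format; the untrusted string is only ever data. */
int log_line_fixed(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "%s", untrusted);
}

/* Audit check: nonzero if s contains a '%' that is not the literal "%%",
 * i.e. a conversion directive a format function would act on. Useful for
 * spotting suspicious names or lines in logs; not a substitute for the fix. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is the escaped percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Constructed sample input: a file name whose only directive is "%%". */
static const char SAMPLE_NAME[] = "report 100%%.txt";

/* Returns 1 if the vulnerable and fixed paths produce different output for
 * SAMPLE_NAME: the vulnerable one collapses "%%" to "%", proving the data
 * was parsed as a format string. */
int outputs_differ(void)
{
    char a[64], b[64];
    log_line_vulnerable(a, sizeof a, SAMPLE_NAME);
    log_line_fixed(b, sizeof b, SAMPLE_NAME);
    return strcmp(a, b) != 0;
}

/* Returns 1 if the fixed path reproduces the input byte for byte. */
int fixed_preserves_input(void)
{
    char b[64];
    log_line_fixed(b, sizeof b, SAMPLE_NAME);
    return strcmp(b, SAMPLE_NAME) == 0;
}

int main(void)
{
    char a[64], b[64];
    log_line_vulnerable(a, sizeof a, SAMPLE_NAME);
    log_line_fixed(b, sizeof b, SAMPLE_NAME);
    printf("input:      %s\n", SAMPLE_NAME);
    printf("vulnerable: %s\n", a);
    printf("fixed:      %s\n", b);
    printf("directive in \"%%x%%x%%n\": %d\n", has_format_directive("%x%x%n"));
    return 0;
}
```

The same shape applies to syslog(): syslog(LOG_INFO, line) is the log2mail-style bug and syslog(LOG_INFO, "%s", line) is the fix. Building with -Wformat -Wformat-security catches the vulnerable call at compile time, which is the cheapest check available for this whole class.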