LQ Security Report - June 27 2004
June 22nd 2004
20 issues handled (ISS)
1. Multiple vendor antivirus scanners archive file
2. Chora diff utility command execution
3. VICE memory dump command format string attack
4. PHP-Nuke Faq and Encyclopedia modules allow cross-site scripting
5. PHP-Nuke Reviews allows SQL injection
6. PHP-Nuke Reviews path disclosure
7. PHP-Nuke Reviews denial of service
8. cPanel passwd allows password modification
9. Linux Kernel fsave and frstor denial of service
10. Racoon and IPsec-Tools eay_check_x509cert
11. Pivot module_db.php PHP file include
12. BEA WebLogic Server and Express SSL denial of service
13. BEA WebLogic Server and Express allows unexpected user identity
14. Thy NULL pointer denial of service
15. Linux Kernel i2c integer overflow
16. singapore adminusers.csv file disclosure
17. webAuction allows deletion of items
18. phpMyChat bypass authentication
19. phpMyChat message cross-site scripting
20. phpMyChat SQL injection

June 22nd 2004
12 issues handled (SF)
1. Horde Chora Viewer Remote Command Execution Vulnerability
2. Multiple Vendor Anti-Virus Scanner Remote Denial Of Service ...
3. Linux Kernel Assembler Inline Function Local Denial Of Servi...
4. Invision Power Board SSI.PHP Cross-Site Scripting Vulnerabil...
5. KAME Racoon IKE Daemon X.509 Improper Certificate Verificati...
6. Check Point Firewall-1 Internet Key Exchange Information Dis...
7. Invision Power Board Potential IP Address Spoofing Vulnerabi..
8. Linux Kernel Inter Integrated Circuit Bus Driver Integer Ov...
9. Linux Kernel Multiple Device Driver Vulnerabilities
10. Nmap Potential Insecure File Creation Vulnerability
11. MoinMoin Group Name Privilege Escalation Vulnerability
12. Asterisk PBX Multiple Logging Format String Vulnerabilities

June 25th 2004
7 issues handled across 8 distros (LAW)
sup
super
www-sql Buffer overflow vulnerability
rlpr
Multiple 'kernel' vulnerabilities
libpng
Usermin
June 22nd 2004 (ISS)
Internet Security Systems
1. Date Reported: 06/14/2004
   Brief Description: Multiple vendor antivirus scanners archive file scan denial of service
   Risk Factor: Low
   Attack Type: Host Based
   Platforms: F-Prot for Linux 4.4.2, McAfee VirusScan 6, McAfee VirusScan Enterprise 7.1, Norton AntiVirus 2002, Norton AntiVirus 2003, RAV AntiVirus Online Virus Scan Any version, Windows Any version
   Vulnerability: antivirus-archive-file-dos
   X-Force URL: http://xforce.iss.net/xforce/xfdb/16399

2. Date Reported: 06/13/2004
   Brief Description: Chora diff utility command execution
   Risk Factor: High
   Attack Type: Network Based
   Platforms: Chora prior to 1.2.2, Gentoo Linux Any version, Unix Any version
   Vulnerability: chora-diff-command-execution
   X-Force URL: http://xforce.iss.net/xforce/xfdb/16401

3. Date Reported: 06/14/2004
   Brief Description: VICE memory dump command format string attack
   Risk Factor: High
   Attack Type: Host Based
   Platforms: Any operating system Any version, VICE 1.6 through 1.14
   Vulnerability: vice-memory-dump-format-string
   X-Force URL: http://xforce.iss.net/xforce/xfdb/16404

4. Date Reported: 06/11/2004
   Brief Description: PHP-Nuke Faq and Encyclopedia modules allow cross-site scripting
   Risk Factor: Medium
   Attack Type: Network Based
   Platforms: Any operating system Any version, PHP-Nuke 6.x through 7.3
   Vulnerability: phpnuke-faq-encyclopedia-xss
   X-Force URL: http://xforce.iss.net/xforce/xfdb/16406

5. Date Reported: 06/11/2004
   Brief Description: PHP-Nuke Reviews allows SQL injection
   Risk Factor: Medium
   Attack Type: Network Based
   Platforms: Any operating system Any version, PHP-Nuke 6.x through 7.3
   Vulnerability: phpnuke-reviews-sql-injection
   X-Force URL: http://xforce.iss.net/xforce/xfdb/16407

6. Date Reported: 06/11/2004
   Brief Description: PHP-Nuke Reviews path disclosure
   Risk Factor: Low
   Attack Type: Network Based
   Platforms: Any operating system Any version, PHP-Nuke 6.x through 7.3
   Vulnerability: phpnuke-reviews-path-disclosure
   X-Force URL: http://xforce.iss.net/xforce/xfdb/16408

7. Date Reported: 06/11/2004
   Brief Description: PHP-Nuke Reviews denial of service
   Risk Factor: Low
   Attack Type: Network Based
   Platforms: Any operating system Any version, PHP-Nuke 6.x through 7.3
   Vulnerability: phpnuke-reviews-dos
   X-Force URL: http://xforce.iss.net/xforce/xfdb/16409

8. Date Reported: 06/14/2004
   Brief Description: cPanel passwd allows password modification
   Risk Factor: Medium
   Attack Type: Network Based
   Platforms: cPanel any version, Linux Any version, Unix Any version
   Vulnerability: cpanel-passwd-password-modify
   X-Force URL: http://xforce.iss.net/xforce/xfdb/16410

9. Date Reported: 06/14/2004
   Brief Description: Linux Kernel fsave and frstor denial of service
   Risk Factor: Low
   Attack Type: Host Based
   Platforms: Linux kernel 2.4.2x, Linux kernel 2.6.x, Red Hat Enterprise Linux 3AS, Red Hat Enterprise Linux 3ES, Red Hat Enterprise Linux 3WS, Red Hat Linux 3.0, Slackware Linux 8.1, Slackware Linux 9.0, Slackware Linux 9.1, Slackware Linux current, SuSE Linux 8.0, SuSE Linux 8.1, SuSE Linux 8.2, SuSE Linux 9.0, SuSE Linux 9.1, Turbolinux 10 Desktop, Turbolinux 7 Server, Turbolinux 7 Workstation, Turbolinux 8 Server, Turbolinux 8 Workstation, Turbolinux Appliance Server 1.0
   Vulnerability: linux-fsave-frstor-dos
   X-Force URL: http://xforce.iss.net/xforce/xfdb/16412

10. Date Reported: 06/14/2004
    Brief Description: Racoon and IPsec-Tools eay_check_x509cert authentication bypass
    Risk Factor: Medium
    Attack Type: Network Based
    Platforms: IPsec-Tools prior to 0.3.3, Linux Any version, Racoon Any version
    Vulnerability: racoon-eaycheckx509cert-auth-bypass
    X-Force URL: http://xforce.iss.net/xforce/xfdb/16414

11. Date Reported: 06/14/2004
    Brief Description: Pivot module_db.php PHP file include
    Risk Factor: Medium
    Attack Type: Network Based
    Platforms: Any operating system Any version, Pivot Any version
    Vulnerability: pivot-moduledbphp-file-include
    X-Force URL: http://xforce.iss.net/xforce/xfdb/16418

12. Date Reported: 06/14/2004
    Brief Description: BEA WebLogic Server and Express SSL denial of service
    Risk Factor: Low
    Attack Type: Network Based
    Platforms: Linux Any version, Unix Any version, WebLogic Server and Express 8.1 through 8.1 SP2, Windows 2000 Any version, Windows NT Any version
    Vulnerability: weblogic-ssl-dos
    X-Force URL: http://xforce.iss.net/xforce/xfdb/16419

13. Date Reported: 06/14/2004
    Brief Description: BEA WebLogic Server and Express allows unexpected user identity
    Risk Factor: Medium
    Attack Type: Network Based
    Platforms: Any operating system Any version, WebLogic Server and Express 6.1, WebLogic Server and Express 7.0, WebLogic Server and Express 8.1
    Vulnerability: weblogic-unexpected-user-identity
    X-Force URL: http://xforce.iss.net/xforce/xfdb/16421

14. Date Reported: 06/15/2004
    Brief Description: Thy NULL pointer denial of service
    Risk Factor: Low
    Attack Type: Network Based
    Platforms: Linux Any version, Thy prior to 0.9.2, Unix Any version
    Vulnerability: thy-daemon-null-pointer-dos
    X-Force URL: http://xforce.iss.net/xforce/xfdb/16425

15. Date Reported: 06/16/2004
    Brief Description: Linux Kernel i2c integer overflow
    Risk Factor: High
    Attack Type: Host Based
    Platforms: Linux kernel 2.4.x
    Vulnerability: linux-i2c-integer-bo
    X-Force URL: http://xforce.iss.net/xforce/xfdb/16435

16. Date Reported: 06/17/2004
    Brief Description: singapore adminusers.csv file disclosure
    Risk Factor: Medium
    Attack Type: Network Based
    Platforms: Any operating system Any version, singapore Any version
    Vulnerability: singapore-adminusers-file-disclosure
    X-Force URL: http://xforce.iss.net/xforce/xfdb/16438

17. Date Reported: 06/17/2004
    Brief Description: webAuction allows deletion of items
    Risk Factor: Medium
    Attack Type: Network Based
    Platforms: Linux Any version, Unix Any version, webAuction 2.1, Windows Any version
    Vulnerability: webauction-item-deletion
    X-Force URL: http://xforce.iss.net/xforce/xfdb/16439

18. Date Reported: 06/16/2004
    Brief Description: phpMyChat bypass authentication
    Risk Factor: Medium
    Attack Type: Network Based
    Platforms: Any operating system Any version, phpMyChat 0.14.5
    Vulnerability: phpmychat-auth-bypass
    X-Force URL: http://xforce.iss.net/xforce/xfdb/16440

19. Date Reported: 06/16/2004
    Brief Description: phpMyChat message cross-site scripting
    Risk Factor: Medium
    Attack Type: Network Based
    Platforms: Any operating system Any version, phpMyChat 0.14.5
    Vulnerability: phpmychat-message-xss
    X-Force URL: http://xforce.iss.net/xforce/xfdb/16441

20. Date Reported: 06/16/2004
    Brief Description: phpMyChat SQL injection
    Risk Factor: Medium
    Attack Type: Network Based
    Platforms: Any operating system Any version, phpMyChat 0.14.5
    Vulnerability: phpmychat-sql-injection
    X-Force URL: http://xforce.iss.net/xforce/xfdb/16442
June 22nd 2004 (SF)
Security Focus
1. Horde Chora Viewer Remote Command Execution Vulnerability
   BugTraq ID: 10531
   Remote: Yes
   Date Published: Jun 13 2004
   Relevant URL: http://www.securityfocus.com/bid/10531
   Summary: Horde Chora Viewer is reported to be prone to a remote command execution vulnerability. The vulnerability is reported to exist due to a lack of sanitization performed on values that may be user-supplied. Shell metacharacters that are included as a value for the affected URI parameter may result in attacker-specified shell commands being executed in an exec() call. Command execution will occur in the context of the affected web server. Chora versions up to and including version 1.2.1 are reported to be affected by this vulnerability.

2. Multiple Vendor Anti-Virus Scanner Remote Denial Of Service ...
   BugTraq ID: 10537
   Remote: Yes
   Date Published: Jun 14 2004
   Relevant URL: http://www.securityfocus.com/bid/10537
   Summary: Multiple vendor anti-virus scanning software is reported prone to a remote denial of service vulnerability. The issue is reported to present itself when certain malicious archives containing large quantities of data are scanned. In the supplied example approximately 300 Gigabytes of data is archived in many different archive types. This archive may be transmitted to a client or submitted to an online anti-virus scanning service in order to crash the anti-virus software.

3. Linux Kernel Assembler Inline Function Local Denial Of Servi...
   BugTraq ID: 10538
   Remote: No
   Date Published: Jun 14 2004
   Relevant URL: http://www.securityfocus.com/bid/10538
   Summary: The Linux Kernel is reportedly affected by a local denial of service vulnerability surrounding inline assembly functions. This issue is due to a design error that causes the application to fail to properly handle stack frame management. This issue may be leveraged by an attacker to cause the affected system to crash, denying service to legitimate users. Although only select Linux kernels are reported to be affected, it is likely that various other versions are vulnerable as well.

4. Invision Power Board SSI.PHP Cross-Site Scripting Vulnerabil...
   BugTraq ID: 10539
   Remote: Yes
   Date Published: Jun 14 2004
   Relevant URL: http://www.securityfocus.com/bid/10539
   Summary: The Invision Power Board 'ssi.php' script is reported prone to a cross-site scripting vulnerability. The issue presents itself due to a lack of sufficient sanitization performed by functions in the 'ssi.php' script on the user-influenced 'f' parameter. This can permit the theft of cookie-based authentication credentials; other attacks may also be possible.

5. KAME Racoon IKE Daemon X.509 Improper Certificate Verificati...
   BugTraq ID: 10546
   Remote: Yes
   Date Published: Jun 14 2004
   Relevant URL: http://www.securityfocus.com/bid/10546
   Summary: It is reported that racoon improperly validates X.509 certificates when negotiating IPSec connections. When checking certificate validity, racoon ignores many errors from OpenSSL and grants access to invalid certificates. When ignoring these errors, racoon would allow improper certificates to be used when authenticating connections. This vulnerability would allow attackers to forge certificates and potentially gain access to IPSec VPNs. This would also effectively make all certificates permanent. The exact versions of racoon that are vulnerable are unknown at this time.

6. Check Point Firewall-1 Internet Key Exchange Information Dis...
   BugTraq ID: 10558
   Remote: Yes
   Date Published: Jun 16 2004
   Relevant URL: http://www.securityfocus.com/bid/10558
   Summary: Check Point Firewall-1 is affected by an information disclosure vulnerability during an Internet Key Exchange (IKE) phase. This issue is due to a design error that may present sensitive information to an attacker. An attacker can leverage this issue to disclose information about the affected firewall product, including the version number and various details about the firewall's capabilities. Furthermore, this issue would facilitate fingerprinting or identifying a firewall by carrying out active scans.

7. Invision Power Board Potential IP Address Spoofing Vulnerabi...
   BugTraq ID: 10559
   Remote: Yes
   Date Published: Jun 16 2004
   Relevant URL: http://www.securityfocus.com/bid/10559
   Summary: It is reported that Invision Power Board is prone to an IP address spoofing vulnerability. If an attacker is using a proxy to access a remote forum, the application logs the attacker's internal IP address on the LAN, instead of the real IP address of the proxy. This issue is reported to affect Invision Power Board version 1.3; however, it is likely that other versions are affected as well.

8. Linux Kernel Inter Integrated Circuit Bus Driver Integer Ov...
   BugTraq ID: 10563
   Remote: No
   Date Published: Jun 17 2004
   Relevant URL: http://www.securityfocus.com/bid/10563
   Summary: The Linux kernel has been reported to be vulnerable to an integer overflow in the inter integrated circuit (I2C) bus driver. This issue is due to a failure of the offending driver to properly validate user-reported size values. This issue could be leveraged by an attacker to execute machine code with the privileges of the affected driver, potentially leading to privilege escalation and ring 0 access. It should be noted that in most cases I2C device files are by default only readable and writable by superusers; in such a case an attacker would have to have superuser privileges.

9. Linux Kernel Multiple Device Driver Vulnerabilities
   BugTraq ID: 10566
   Remote: No
   Date Published: Jun 18 2004
   Relevant URL: http://www.securityfocus.com/bid/10566
   Summary: It has been reported that the Linux kernel is vulnerable to multiple device driver issues. These issues were found during a recent audit of the Linux kernel source. Drivers reportedly affected by these issues are: aironet, asus_acpi, decnet, mpu401, msnd, and pss. These issues may reportedly allow attackers to gain access to kernel memory or gain escalated privileges on the affected computer.

10. Nmap Potential Insecure File Creation Vulnerability
    BugTraq ID: 10567
    Remote: No
    Date Published: Jun 18 2004
    Relevant URL: http://www.securityfocus.com/bid/10567
    Summary: Nmap is reportedly prone to a potential insecure file creation vulnerability. A local user may exploit this vulnerability to cause files to be overwritten with the privileges of the user running Nmap. This issue occurs when Nmap is launched with the '-oN' option. All versions of Nmap are considered to be vulnerable to this issue. Further analysis has shown that this issue is not a vulnerability. This BID is being retired.

11. MoinMoin Group Name Privilege Escalation Vulnerability
    BugTraq ID: 10568
    Remote: Yes
    Date Published: Jun 18 2004
    Relevant URL: http://www.securityfocus.com/bid/10568
    Summary: It is reported that MoinMoin contains a privilege escalation vulnerability whereby regular users can gain administrative privileges. MoinMoin allows remote web clients to create their own user accounts without administrative intervention or approval. It is reported that if a user creates an account with the same name as an administrative group, the user will inherit the privileges of that same administrative group. An attacker would use this vulnerability to gain complete access to the MoinMoin Wiki, and could gain access to sensitive information, or destroy information. Versions before 1.2.2 are reported vulnerable.

12. Asterisk PBX Multiple Logging Format String Vulnerabilities
    BugTraq ID: 10569
    Remote: Yes
    Date Published: Jun 18 2004
    Relevant URL: http://www.securityfocus.com/bid/10569
    Summary: It is reported that Asterisk is susceptible to format string vulnerabilities in its logging functions. An attacker may use these vulnerabilities to corrupt memory, and read or write arbitrary memory. Remote code execution is likely possible. Due to the nature of these vulnerabilities, there may exist many different avenues of attack. Anything that can potentially call the logging functions with user-supplied data is vulnerable. Versions 0.7.0 through 0.7.2 are reported vulnerable.
June 25th 2004 (LAW)
Linux Advisory Watch
Distribution: Debian

6/19/2004 - sup
Format string vulnerability
By exploiting this, a remote attacker could potentially cause arbitrary code to be executed with the privileges of the supfilesrv process.
http://www.linuxsecurity.com/advisor...sory-4494.html

6/19/2004 - super
Format string vulnerability
This vulnerability could potentially be exploited by a local user to execute arbitrary code with root privileges.
http://www.linuxsecurity.com/advisor...sory-4500.html

6/19/2004 - www-sql
Buffer overflow vulnerability
Format string vulnerability. Exploiting this vulnerability, a local user could cause the execution of arbitrary code by creating a web page and processing it with www-sql.
http://www.linuxsecurity.com/advisor...sory-4501.html

6/21/2004 - rlpr
Format string vulnerabilities
By exploiting one of these vulnerabilities, a local or remote user could potentially cause arbitrary code to be executed with the privileges of 1) the rlprd process (remote), or 2) root (local).
http://www.linuxsecurity.com/advisor...sory-4508.html

Distribution: EnGarde

6/21/2004 - Multiple 'kernel' vulnerabilities
This update fixes several security vulnerabilities in the Linux Kernel shipped with EnGarde Secure Linux.
http://www.linuxsecurity.com/advisor...sory-4509.html

6/21/2004 - kernel 2.4
Multiple vulnerabilities
This update fixes several security vulnerabilities, including the famous "fsave/frstor" vulnerability and an information leak in the e1000 driver.
http://www.linuxsecurity.com/advisor...sory-4510.html

Distribution: Fedora

6/21/2004 - libpng 1.2
Denial of service vulnerability
An attacker could carefully craft a PNG file in such a way that it would cause an application linked to libpng to crash or potentially execute arbitrary code.
http://www.linuxsecurity.com/advisor...sory-4506.html

6/21/2004 - libpng 1.0
Denial of service vulnerability
An attacker could carefully craft a PNG file in such a way that it would cause an application linked to libpng to crash or potentially execute arbitrary code when opened by a victim.
http://www.linuxsecurity.com/advisor...sory-4507.html

Distribution: Gentoo

6/18/2004 - Usermin
Multiple vulnerabilities
Usermin contains two security vulnerabilities which could lead to a Denial of Service attack and information disclosure.
http://www.linuxsecurity.com/advisor...sory-4485.html

Distribution: Openwall

6/21/2004 - kernel
Multiple vulnerabilities
This update fixes multiple security-related bugs in the Linux kernel as well as two non-security bugs in the patch itself. This includes the now-famous DoS bug.
http://www.linuxsecurity.com/advisor...sory-4504.html

Distribution: Red Hat

6/18/2004 - libpng
Buffer overflow vulnerability
Updated libpng packages that fix a possible buffer overflow are now available.
http://www.linuxsecurity.com/advisor...sory-4486.html

6/21/2004 - kernel
Multiple vulnerabilities
This contains two similar advisories, one set fixing RHEL 3, and the other RHEL 2.1. The patch addresses two DoS attacks and several vulnerable drivers.
http://www.linuxsecurity.com/advisor...sory-4503.html

Distribution: Trustix

6/21/2004 - kernel
Multiple vulnerabilities
During checks of the Linux 2.6 source using an automated tool called sparse, several issues were discovered. Some of these were discovered to also apply to the 2.4 series of the Linux kernel.
http://www.linuxsecurity.com/advisor...sory-4502.html

Distribution: Turbolinux

6/19/2004 - kernel
Denial of service vulnerability
The vulnerability allows an attacker to cause a denial of service of the kernel.
http://www.linuxsecurity.com/advisor...sory-4493.html