LinuxQuestions.org
Old 06-27-2004, 12:45 AM   #1
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
LQ Security Report - June 27 2004


June 22nd 2004
20 issues handled (ISS)
1. Multiple vendor antivirus scanners archive file
2. Chora diff utility command execution
3. VICE memory dump command format string attack
4. PHP-Nuke Faq and Encyclopedia modules allow cross-site scripting
5. PHP-Nuke Reviews allows SQL injection
6. PHP-Nuke Reviews path disclosure
7. PHP-Nuke Reviews denial of service
8. cPanel passwd allows password modification
9. Linux Kernel fsave and frstor denial of service
10. Racoon and IPsec-Tools eay_check_x509cert
11. Pivot module_db.php PHP file include
12. BEA WebLogic Server and Express SSL denial of service
13. BEA WebLogic Server and Express allows unexpected user identity
14. Thy NULL pointer denial of service
15. Linux Kernel i2c integer overflow
16. singapore adminusers.csv file disclosure
17. webAuction allows deletion of items
18. phpMyChat bypass authentication
19. phpMyChat message cross-site scripting
20. phpMyChat SQL injection

June 22nd 2004
12 issues handled (SF)
1. Horde Chora Viewer Remote Command Execution Vulnerability
2. Multiple Vendor Anti-Virus Scanner Remote Denial Of Service ...
3. Linux Kernel Assembler Inline Function Local Denial Of Servi...
4. Invision Power Board SSI.PHP Cross-Site Scripting Vulnerabil...
5. KAME Racoon IDE Daemon X.509 Improper Certificate Verificati...
6. Check Point Firewall-1 Internet Key Exchange Information Dis...
7. Invision Power Board Potential IP Address Spoofing Vulnerabi...
8. Linux Kernel Inter Integrated Circuit Bus Driver Integer Ov...
9. Linux Kernel Multiple Device Driver Vulnerabilities
10. Nmap Potential Insecure File Creation Vulnerability
11. MoinMoin Group Name Privilege Escalation Vulnerability
12. Asterisk PBX Multiple Logging Format String Vulnerabilities

June 25th 2004
7 issues handled across 8 distros (LAW)
sup
super
www-sql Buffer overflow vulnerability
rlpr
Multiple 'kernel' vulnerabilities
libpng
Usermin

Last edited by Capt_Caveman; 06-27-2004 at 01:10 AM.
 
Old 06-27-2004, 01:09 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 69
June 22nd 2004 (ISS)

Internet Security Systems

1. Date Reported: 06/14/2004
Brief Description: Multiple vendor antivirus scanners archive file scan denial of service
Risk Factor: Low
Attack Type: Host Based
Platforms: F-Prot for Linux 4.4.2, McAfee VirusScan 6, McAfee VirusScan Enterprise 7.1, Norton AntiVirus 2002, Norton AntiVirus 2003, RAV AntiVirus Online Virus Scan Any version, Windows Any version
Vulnerability: antivirus-archive-file-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/16399

2. Date Reported: 06/13/2004
Brief Description: Chora diff utility command execution
Risk Factor: High
Attack Type: Network Based
Platforms: Chora prior to 1.2.2, Gentoo Linux Any version, Unix Any version
Vulnerability: chora-diff-command-execution
X-Force URL: http://xforce.iss.net/xforce/xfdb/16401

3. Date Reported: 06/14/2004
Brief Description: VICE memory dump command format string attack
Risk Factor: High
Attack Type: Host Based
Platforms: Any operating system Any version, VICE 1.6 through 1.14
Vulnerability: vice-memory-dump-format-string
X-Force URL: http://xforce.iss.net/xforce/xfdb/16404

4. Date Reported: 06/11/2004
Brief Description: PHP-Nuke Faq and Encyclopedia modules allow cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, PHP-Nuke 6.x through 7.3
Vulnerability: phpnuke-faq-encyclopedia-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/16406

5. Date Reported: 06/11/2004
Brief Description: PHP-Nuke Reviews allows SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, PHP-Nuke 6.x through 7.3
Vulnerability: phpnuke-reviews-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/16407

6. Date Reported: 06/11/2004
Brief Description: PHP-Nuke Reviews path disclosure
Risk Factor: Low
Attack Type: Network Based
Platforms: Any operating system Any version, PHP-Nuke 6.x through 7.3
Vulnerability: phpnuke-reviews-path-disclosure
X-Force URL: http://xforce.iss.net/xforce/xfdb/16408

7. Date Reported: 06/11/2004
Brief Description: PHP-Nuke Reviews denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Any operating system Any version, PHP-Nuke 6.x through 7.3
Vulnerability: phpnuke-reviews-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/16409

8. Date Reported: 06/14/2004
Brief Description: cPanel passwd allows password modification
Risk Factor: Medium
Attack Type: Network Based
Platforms: cPanel any version, Linux Any version, Unix Any version
Vulnerability: cpanel-passwd-password-modify
X-Force URL: http://xforce.iss.net/xforce/xfdb/16410

9. Date Reported: 06/14/2004
Brief Description: Linux Kernel fsave and frstor denial of service
Risk Factor: Low
Attack Type: Host Based
Platforms: Linux kernel 2.4.2x, Linux kernel 2.6.x, Red Hat Enterprise Linux 3AS, Red Hat Enterprise Linux 3ES, Red Hat Enterprise Linux 3WS, Red Hat Linux 3.0, Slackware Linux 8.1, Slackware Linux 9.0, Slackware Linux 9.1, Slackware Linux current, SuSE Linux 8.0, SuSE Linux 8.1, SuSE Linux 8.2, SuSE Linux 9.0, SuSE Linux 9.1, Turbolinux 10 Desktop, Turbolinux 7 Server, Turbolinux 7 Workstation, Turbolinux 8 Server, Turbolinux 8 Workstation, Turbolinux Appliance Server 1.0
Vulnerability: linux-fsave-frstor-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/16412

10. Date Reported: 06/14/2004
Brief Description: Racoon and IPsec-Tools eay_check_x509cert authentication bypass
Risk Factor: Medium
Attack Type: Network Based
Platforms: IPsec-Tools prior to 0.3.3, Linux Any version, Racoon Any version
Vulnerability: racoon-eaycheckx509cert-auth-bypass
X-Force URL: http://xforce.iss.net/xforce/xfdb/16414

11. Date Reported: 06/14/2004
Brief Description: Pivot module_db.php PHP file include
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, Pivot Any version
Vulnerability: pivot-moduledbphp-file-include
X-Force URL: http://xforce.iss.net/xforce/xfdb/16418

12. Date Reported: 06/14/2004
Brief Description: BEA WebLogic Server and Express SSL denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, WebLogic Server and Express 8.1 through 8.1 SP2, Windows 2000 Any version, Windows NT Any version
Vulnerability: weblogic-ssl-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/16419

13. Date Reported: 06/14/2004
Brief Description: BEA WebLogic Server and Express allows unexpected user identity
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, WebLogic Server and Express 6.1, WebLogic Server and Express 7.0, WebLogic Server and Express 8.1
Vulnerability: weblogic-unexpected-user-identity
X-Force URL: http://xforce.iss.net/xforce/xfdb/16421

14. Date Reported: 06/15/2004
Brief Description: Thy NULL pointer denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Thy prior to 0.9.2, Unix Any version
Vulnerability: thy-daemon-null-pointer-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/16425

15. Date Reported: 06/16/2004
Brief Description: Linux Kernel i2c integer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux kernel 2.4.x
Vulnerability: linux-i2c-integer-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/16435

16. Date Reported: 06/17/2004
Brief Description: singapore adminusers.csv file disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, singapore Any version
Vulnerability: singapore-adminusers-file-disclosure
X-Force URL: http://xforce.iss.net/xforce/xfdb/16438

17. Date Reported: 06/17/2004
Brief Description: webAuction allows deletion of items
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, webAuction 2.1, Windows Any version
Vulnerability: webauction-item-deletion
X-Force URL: http://xforce.iss.net/xforce/xfdb/16439

18. Date Reported: 06/16/2004
Brief Description: phpMyChat bypass authentication
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, phpMyChat 0.14.5
Vulnerability: phpmychat-auth-bypass
X-Force URL: http://xforce.iss.net/xforce/xfdb/16440

19. Date Reported: 06/16/2004
Brief Description: phpMyChat message cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, phpMyChat 0.14.5
Vulnerability: phpmychat-message-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/16441

20. Date Reported: 06/16/2004
Brief Description: phpMyChat SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, phpMyChat 0.14.5
Vulnerability: phpmychat-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/16442
 
Old 06-27-2004, 01:25 AM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 69
June 22nd 2004 (SF)

Security Focus

1. Horde Chora Viewer Remote Command Execution Vulnerability
BugTraq ID: 10531
Remote: Yes
Date Published: Jun 13 2004
Relevant URL: http://www.securityfocus.com/bid/10531
Summary:
Horde Chora Viewer is reported to be prone to a remote command execution vulnerability. The vulnerability is reported to exist due to a lack of sanitization performed on values that may be user-supplied. Shell metacharacters that are included as a value for the affected URI parameter may result in attacker specified shell commands being executed in an exec() call. Command execution will occur in the context of the affected web server. Chora versions up to and including version 1.2.1 are reported to be affected by this vulnerability.

2. Multiple Vendor Anti-Virus Scanner Remote Denial Of Service ...
BugTraq ID: 10537
Remote: Yes
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10537
Summary:
Multiple vendor anti-virus scanning software is reported prone to a remote denial of service vulnerability. The issue is reported to present itself when certain malicious archives containing large quantities of data are scanned. In the supplied example approximately 300 Gigabytes of data is archived in many different archive types. This archive may be transmitted to a client or submitted to an online anti-virus scanning service in order to crash the anti-virus software.

3. Linux Kernel Assembler Inline Function Local Denial Of Servi...
BugTraq ID: 10538
Remote: No
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10538
Summary:
The Linux Kernel is reported to be affected by a local denial of service vulnerability surrounding inline assembly functions. This issue is due to a design error that causes the application to fail to properly handle stack frame management. This issue may be leveraged by an attacker to cause the affected system to crash, denying service to legitimate users. Although only select Linux kernels are reported to be affected, it is likely that various other versions are vulnerable as well.

4. Invision Power Board SSI.PHP Cross-Site Scripting Vulnerabil...
BugTraq ID: 10539
Remote: Yes
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10539
Summary:
Invision Power Board 'ssi.php' script is reported prone to a cross-site scripting vulnerability. The issue presents itself due to a lack of sufficient sanitization performed by functions in the 'ssi.php' script on the user-influenced 'f' parameter. This can permit the theft of cookie-based authentication credentials; other attacks may also be possible.

5. KAME Racoon IDE Daemon X.509 Improper Certificate Verificati...
BugTraq ID: 10546
Remote: Yes
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10546
Summary:
It is reported that racoon improperly validates X.509 certificates when negotiating IPSec connections. When checking certificate validity, racoon ignores many errors from OpenSSL and grants access to invalid certificates. When ignoring these errors, racoon would allow improper certificates to be used when authenticating connections. This vulnerability would allow attackers to forge certificates and potentially gain access to IPSec VPNs. This would also effectively make all certificates permanent. The exact versions of racoon that are vulnerable are unknown at this time.

6. Check Point Firewall-1 Internet Key Exchange Information Dis...
BugTraq ID: 10558
Remote: Yes
Date Published: Jun 16 2004
Relevant URL: http://www.securityfocus.com/bid/10558
Summary:
Check Point Firewall-1 is affected by an information disclosure vulnerability during an Internet Key Exchange (IKE) phase. This issue is due to a design error that may present sensitive information to an attacker. An attacker can leverage this issue to disclose information about the affected firewall product including the version number and various details about the firewall's capabilities. Furthermore this issue would facilitate fingerprinting or identifying a firewall by carrying out active scans.

7. Invision Power Board Potential IP Address Spoofing Vulnerabi...
BugTraq ID: 10559
Remote: Yes
Date Published: Jun 16 2004
Relevant URL: http://www.securityfocus.com/bid/10559
Summary:
It is reported that Invision Power Board is prone to an IP address spoofing vulnerability. If an attacker is using a proxy to access a remote forum, the application logs the attacker's internal IP address on the LAN, instead of the real IP address of the proxy. This issue is reported to affect Invision Power Board version 1.3, however, it is likely that other versions are affected as well.

8. Linux Kernel Inter Integrated Circuit Bus Driver Integer Ov...
BugTraq ID: 10563
Remote: No
Date Published: Jun 17 2004
Relevant URL: http://www.securityfocus.com/bid/10563
Summary:
The Linux kernel has been reported to be vulnerable to an integer overflow in the inter integrated circuit (I2C) bus driver. This issue is due to a failure of the offending driver to properly validate user-reported size values. This issue could be leveraged by an attacker to execute machine code with the privileges of the affected driver; potentially leading to privilege escalation and ring 0 access. It should be noted that in most cases I2C device files are by default only readable and writable by superusers; in such a case an attacker would have to have superuser privileges.

9. Linux Kernel Multiple Device Driver Vulnerabilities
BugTraq ID: 10566
Remote: No
Date Published: Jun 18 2004
Relevant URL: http://www.securityfocus.com/bid/10566
Summary:
It has been reported that the Linux kernel is vulnerable to multiple device driver issues. These issues were found during a recent audit of the Linux kernel source. Drivers reportedly affected by these issues are: aironet, asus_acpi, decnet, mpu401, msnd, and pss. These issues may reportedly allow attackers to gain access to kernel memory or gain escalated privileges on the affected computer.

10. Nmap Potential Insecure File Creation Vulnerability
BugTraq ID: 10567
Remote: No
Date Published: Jun 18 2004
Relevant URL: http://www.securityfocus.com/bid/10567
Summary:
Nmap is reportedly prone to a potential insecure file creation vulnerability. A local user may exploit this vulnerability to cause files to be overwritten with the privileges of the user running Nmap. This issue occurs when Nmap is launched with the '-oN' option. All versions of Nmap are considered to be vulnerable to this issue. Further analysis has shown that this issue is not a vulnerability. This BID is being retired.

11. MoinMoin Group Name Privilege Escalation Vulnerability
BugTraq ID: 10568
Remote: Yes
Date Published: Jun 18 2004
Relevant URL: http://www.securityfocus.com/bid/10568
Summary:
It is reported that MoinMoin contains a privilege escalation vulnerability whereby regular users can gain administrative privileges. MoinMoin allows remote web clients to create their own user accounts without administrative intervention or approval. It is reported that if a user creates an account with the same name as an administrative group, the user will inherit the privileges of that same administrative group. An attacker would use this vulnerability to gain complete access to the MoinMoin Wiki, and could gain access to sensitive information, or destroy information. Versions before 1.2.2 are reported vulnerable.

12. Asterisk PBX Multiple Logging Format String Vulnerabilities
BugTraq ID: 10569
Remote: Yes
Date Published: Jun 18 2004
Relevant URL: http://www.securityfocus.com/bid/10569
Summary:
It is reported that Asterisk is susceptible to format string vulnerabilities in its logging functions. An attacker may use these vulnerabilities to corrupt memory, and read or write arbitrary memory. Remote code execution is likely possible. Due to the nature of these vulnerabilities, there may exist many different avenues of attack. Anything that can potentially call the logging functions with user-supplied data is vulnerable. Versions 0.7.0 through to 0.7.2 are reported vulnerable.

Last edited by Capt_Caveman; 06-27-2004 at 01:27 AM.
 
Old 06-27-2004, 01:37 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Original Poster
Rep: Reputation: 69
June 25th 2004 (LAW)

Linux Advisory Watch

Distribution: Debian

6/19/2004 - sup
Format string vulnerability
By exploiting this, a remote attacker could potentially cause
arbitrary code to be executed with the privileges of the
supfilesrv process.
http://www.linuxsecurity.com/advisor...sory-4494.html

6/19/2004 - super
Format string vulnerability
This vulnerability could potentially be exploited by a local user
to execute arbitrary code with root privileges.
http://www.linuxsecurity.com/advisor...sory-4500.html

6/19/2004 - www-sql Buffer overflow vulnerability
Format string vulnerability
Exploiting this vulnerability, a local user could cause the
execution of arbitrary code by creating a web page and processing
it with www-sql.
http://www.linuxsecurity.com/advisor...sory-4501.html

6/21/2004 - rlpr
Format string vulnerabilities
By exploiting one of these vulnerabilities, a local or remote user
could potentially cause arbitrary code to be executed with the
privileges of 1) the rlprd process (remote), or 2) root (local).
http://www.linuxsecurity.com/advisor...sory-4508.html


Distribution: EnGarde

6/21/2004 - Multiple
'kernel' vulnerabilities
This update fixes several security vulnerabilities in the Linux
Kernel shipped with EnGarde Secure Linux.
http://www.linuxsecurity.com/advisor...sory-4509.html

6/21/2004 - kernel
2.4 Multiple vulnerabilities
This update fixes several security vulnerabilities, including the
famous "fsave/frstor" vulnerability and an information leak in the
e1000 driver.
http://www.linuxsecurity.com/advisor...sory-4510.html


Distribution: Fedora

6/21/2004 - libpng
1.2 Denial of service vulnerability
An attacker could carefully craft a PNG file in such a way that it
would cause an application linked to libpng to crash or
potentially execute arbitrary code.
http://www.linuxsecurity.com/advisor...sory-4506.html

6/21/2004 - libpng
1.0 Denial of service vulnerability
An attacker could carefully craft a PNG file in such a way that it
would cause an application linked to libpng to crash or
potentially execute arbitrary code when opened by a victim.
http://www.linuxsecurity.com/advisor...sory-4507.html


Distribution: Gentoo

6/18/2004 - Usermin
Multiple vulnerabilities
Usermin contains two security vulnerabilities which could lead to
a Denial of Service attack and information disclosure.
http://www.linuxsecurity.com/advisor...sory-4485.html


Distribution: Openwall

6/21/2004 - kernel
Multiple vulnerabilities
This update fixes multiple security-related bugs in the Linux
kernel as well as two non-security bugs in the patch itself. This
includes the now-famous DoS bug.
http://www.linuxsecurity.com/advisor...sory-4504.html


Distribution: Red Hat

6/18/2004 - libpng
Buffer overflow vulnerability
Updated libpng packages that fix a possible buffer overflow are
now available.
http://www.linuxsecurity.com/advisor...sory-4486.html

6/21/2004 - kernel
Multiple vulnerabilities
This contains two similar advisories, one set fixing RHEE 3, and
the other RHEE 2.1. Patch addresses two DoS attacks and several
vulnerable drivers.
http://www.linuxsecurity.com/advisor...sory-4503.html


Distribution: Trustix

6/21/2004 - kernel
Multiple vulnerabilities
During checks of the Linux 2.6 source using an automated tool
called sparse, several issues were discovered. Some of these were
discovered to also apply to the 2.4 series of the Linux kernel.
http://www.linuxsecurity.com/advisor...sory-4502.html


Distribution: Turbolinux

6/19/2004 - kernel
Denial of service vulnerability
The vulnerability allows an attacker to cause a denial of service
of the kernel.
http://www.linuxsecurity.com/advisor...sory-4493.html
 
  

