LinuxQuestions.org
Old 06-16-2003, 07:06 PM   #1
unSpawn
Moderator
LQ weekly security rep - Jun 16th 2003


Jun 16th 2003
22 of 46 issues handled (SF)
1. Sun Microsystems Java Virtual Machine Insecure Temporary File Vulnerability
5. Spyke PHP Board Information Disclosure Vulnerability
6. H-Sphere HTML Template Inclusion Cross-Site Scripting Vulnerabilities
15. MNOGoSearch Search.CGI UL Buffer Overflow Vulnerability
16. MNOGoSearch Search.CGI TMPLT Buffer Overflow Vulnerability
19. XMB Forum Member.PHP U2U Private Message HTML Injection Vulnerability
20. XMB Forum Member.PHP Location Field HTML Injection Vulnerability
22. GZip ZNew Insecure Temporary File Creation Symbolic Link Vulnerability
24. RPM Package Manager FTP NLST Data Integer Overflow Remote Memory Corruption Vulnerability
25. Gnome FTP NLST Data Integer Overflow Memory Corruption Vulnerability
26. SMC Wireless Router Malformed PPTP Packet Denial of Service Vulnerability
27. Multiple Gnocatan Server Buffer Overflow Vulnerabilities
28. Ethereal DCERPC Dissector Memory Allocation Vulnerability
29. Ethereal SPNEGO Dissector Denial Of Service Vulnerability
30. Ethereal OSI Dissector Buffer Overflow Vulnerability
31. Ethereal Multiple Dissector String Handling Vulnerabilities
32. Ethereal TVB_GET_NSTRINGZ0() Memory Handling Vulnerability
33. FakeBO Syslog Format String Vulnerability
36. MySQL libmysqlclient Library mysql_real_connect() Buffer Overrun Vulnerability
41. Typespeed Remote Memory Corruption Vulnerability
42. Lyskom Server Unauthenticated User Denial Of Service Vulnerability
43. Cistron RADIUS Remote Signed NAS-Port Number Expansion Memory Corruption Vulnerability

Jun 16th 2003
40 of 62 issues handled (ISS)
Novell iChain login buffer overflow
Sun JDK/JRE/SDK untrusted Applet could access
Sun JDK/JRE/SDK untrusted Applet could access HTTP
Sun JRE/SDK untrusted Applet could allow access to
zenTrack index.php PHP file include
zenTrack debug or demo mode could allow an attacker
Debian Linux gzip znew script temporary file
zenTrack index.php directory traversal
Multiple vendor Ethernet network device driver TCP
Linux kernel large ICMP citations memory leak
Multiple vendor implementations of Java Virtual
Spyke's PHP Board stores usernames and passwords in
H-Sphere error page cross-site scripting
Nuca WebServer "dot dot" directory traversal
Unicenter TNG file_upload.pl script command
Unicenter TNG pdm_cgireport.exe unauthorized access
Unicenter TNG pdmcgi.exe could allow an attacker to
Unicenter Asset Management weak password encryption
Novell iChain long username buffer overflow
mnoGoSearch search.cgi "ul" parameter buffer
mnoGoSearch search.cgi "tmplt" parameter buffer
NewsPHP Advanced delimiter allows attacker to gain
Gnocatan multiple buffer overflows
Barricade Wireless Cable/DSL Broadband Router
ike-scan format string attack
MaxWebPortal search.asp cross-site scripting
MaxWebPortal could allow an attacker to modify form
MaxWebPortal database file access
MaxWebPortal password reset
NewsPHP comment cross-site scripting
WebBBS multiple denial of service
Cistron RADIUS NAS ports buffer overflow
PostNuke modules.php cross-site scripting
PostNuke user.php cross-site scripting
Typespeed strcspn() function buffer overflow
Progress Database dlopen() allows attacker to gain
Progress Database _dbagent allows attacker to gain
MikMod long file name buffer overflow
pMachineFree lib.inc.php PHP file include
LedNews message cross-site scripting

Jun 13th 2003
25 issues handled (LAW)
kernel
eterm
xaos
ethereal
atftp
gnocatan
nethack
buffer
cupsys
mod_php
atftp
zlib
tetex,
kon2
several
gzip
KDE
hanterm
kernel
pptpd
cups
lv
kdelibs
ghostscript
hanterm-xf
 
Old 06-16-2003, 07:07 PM   #2
unSpawn
Moderator
Jun 13th 2003 (LAW)

Linux Advisory Watch

Distribution: Debian
6/9/2003 - kernel
Multiple vulnerabilities
A number of vulnerabilities have been discovered in the Linux
kernel.
http://www.linuxsecurity.com/advisor...sory-3340.html

6/6/2003 - eterm
Buffer overflow vulnerability
A number of vulnerabilities have been discovered in the Linux
kernel.
http://www.linuxsecurity.com/advisor...sory-3341.html

6/8/2003 - xaos
Improper setuid-root execution
A number of vulnerabilities have been discovered in the Linux
kernel.
http://www.linuxsecurity.com/advisor...sory-3342.html

6/11/2003 - 'ethereal' buffer/integer overflows
Improper setuid-root execution
Timo Sirainen discovered several vulnerabilities in ethereal, a
network traffic analyzer. These include one-byte buffer overflows
in the AIM, GIOP Gryphon, OSPF, PPTP, Quake, Quake2, Quake3,
Rsync, SMB, SMPP, and TSP dissectors, and integer overflows in the
Mount and PPP dissectors.
http://www.linuxsecurity.com/advisor...sory-3349.html

6/11/2003 - 'atftp' buffer overflow
Improper setuid-root execution
Rick Patel discovered that atftpd is vulnerable to a buffer
overflow when a long filename is sent to the server. An attacker
could exploit this bug remotely to execute arbitrary code on the
server.
http://www.linuxsecurity.com/advisor...sory-3350.html

6/11/2003 - 'gnocatan' buffer overflows, DoS
Improper setuid-root execution
Bas Wijnen discovered that the gnocatan server is vulnerable to
several buffer overflows which could be exploited to execute
arbitrary code on the server system.
http://www.linuxsecurity.com/advisor...sory-3351.html

6/11/2003 - 'nethack' buffer overflow
Improper setuid-root execution
The nethack package is vulnerable to a buffer overflow exploited
via a long '-s' command line option. This vulnerability could be
used by an attacker to gain gid 'games' on a system where nethack
is installed.
http://www.linuxsecurity.com/advisor...sory-3352.html

6/12/2003 - buffer overflow in 'slashem'
The slashem package is vulnerable to a buffer overflow exploited
via a long '-s' command line option. This vulnerability could be
used by an attacker to gain gid 'games' on a system where slashem
is installed.
http://www.linuxsecurity.com/advisor...sory-3353.html

6/12/2003 - 'cupsys' DoS
overflow in 'slashem'
The CUPS print server in Debian is vulnerable to a denial of
service when an HTTP request is received without being properly
terminated.
http://www.linuxsecurity.com/advisor...sory-3354.html

Distribution: Gentoo
6/8/2003 - mod_php
Integer overflow vulnerability
Integer overflows have been fixed in several php functions.
http://www.linuxsecurity.com/advisor...sory-3338.html

6/8/2003 - atftp
Buffer overflow vulnerability
A buffer overflow has been fixed in atftp.
http://www.linuxsecurity.com/advisor...sory-3339.html

Distribution: Immunix
6/6/2003 - zlib
buffer overflow vulnerability
Richard Kettlewell has discovered a buffer overflow in zlib's
gzprintf() function, which provides printf(3)-like functionality
for compressed files. This update, which includes a patch from the
OpenPKG project, fixes this problem by enabling autoconf tests for
vsnprintf(3).
http://www.linuxsecurity.com/advisor...sory-3330.html

6/9/2003 - tetex, psutils, w3c-libwww
buffer overflow vulnerability
Richard Kettlewell has discovered a buffer overflow in zlib's
gzprintf() function, which provides printf(3)-like functionality
for compressed files. This update, which includes a patch from the
OpenPKG project, fixes this problem by enabling autoconf tests for
vsnprintf(3).
http://www.linuxsecurity.com/advisor...sory-3344.html

Distribution: Mandrake
6/6/2003 - kon2
buffer overflow vulnerability
A buffer overflow in the command line parsing can be exploited,
leading to local users being able to gain root privileges.
http://www.linuxsecurity.com/advisor...sory-3329.html

6/11/2003 - several 'kernel' vulnerabilities
Multiple vulnerabilities were discovered and fixed in the Linux
kernel.
http://www.linuxsecurity.com/advisor...sory-3348.html

Distribution: OpenPKG
6/11/2003 - 'gzip' symlink attack
info leak
The GNU Bash-based znew(1) shell script tried to prevent itself
from overwriting existing files on shell redirection by using the
POSIX "noclobber" shell option, but accidentally forgot to check
for the results and, in case of existing files, stop further
processing. This allowed a classical "symlink" attack.
http://www.linuxsecurity.com/advisor...sory-3347.html

Distribution: RedHat
6/6/2003 - KDE
ssl man-in-the-middle attack
Updated KDE packages that resolve a vulnerability in KDE's SSL
implementation are now available.
http://www.linuxsecurity.com/advisor...sory-3331.html

6/6/2003 - hanterm
multiple vulnerabilities
Updated hanterm packages fix two security issues.
http://www.linuxsecurity.com/advisor...sory-3332.html

6/6/2003 - kernel
advisory updates
We have retracted two bug fix advisories that affected only the
S/390 architecture of Red Hat Linux 7.2.
http://www.linuxsecurity.com/advisor...sory-3333.html

Distribution: SuSE
6/6/2003 - pptpd
Remote buffer overflow vulnerability
We have retracted two bug fix advisories that affected only the
S/390 architecture of Red Hat Linux 7.2.
http://www.linuxsecurity.com/advisor...sory-3334.html

6/6/2003 - cups
Remote DoS vulnerability
We have retracted two bug fix advisories that affected only the
S/390 architecture of Red Hat Linux 7.2.
http://www.linuxsecurity.com/advisor...sory-3335.html

Distribution: Turbolinux
6/6/2003 - lv
Privilege escalation vulnerability
An attacker may be able to gain the privileges of the user
invoking lv.
http://www.linuxsecurity.com/advisor...sory-3336.html

6/6/2003 - kdelibs
Privilege escalation vulnerability
An attacker may be able to gain the privileges of the user
invoking lv.
http://www.linuxsecurity.com/advisor...sory-3337.html

Distribution: Yellow Dog
6/10/2003 - 'ghostscript' vulnerability
Privilege escalation vulnerability
A flaw in unpatched versions of Ghostscript before 7.07 allows
malicious PostScript files to execute arbitrary commands even with
-dSAFER enabled.
http://www.linuxsecurity.com/advisor...sory-3345.html

6/10/2003 - 'hanterm-xf' vulnerabilities
Privilege escalation vulnerability
An attacker can craft an escape sequence that sets the window
title of a victim using Hangul Terminal to an arbitrary command
and then report it to the command line.
http://www.linuxsecurity.com/advisor...sory-3346.html
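The znew defect in the OpenPKG entry above, shown as an added shell example that is not znew's own code and not taken from the advisory: the weak form turns on noclobber but never looks at the redirection's exit status, so an existing file or a symlink planted at the output path is silently skipped and the script carries on; the hardened form stops on the first refused redirection. The function names and the scratch directory are constructed for this example.

```shell
#!/bin/sh
# Added example (not znew's code): the "noclobber without a status check"
# pattern from the gzip/znew advisory, beside the corrected form.

# Weak form: with noclobber on, the shell refuses to open a path that already
# exists (a regular file or a symlink someone placed there), but nothing
# inspects the redirection's exit status, so the rest of the job runs as if
# the write had succeeded.
weak_write() {
    weak_out=$1
    weak_data=$2
    set -C
    printf '%s\n' "$weak_data" > "$weak_out"
    set +C
    # No check above: the next step runs even though nothing was written.
    echo "continuing with $weak_out"
    return 0
}

# Hardened form: do the noclobber redirection in a subshell (so the option
# does not leak into the caller) and stop the moment it fails. An existing
# file or a pre-placed symlink now aborts the job instead of being ignored.
safe_write() {
    safe_out=$1
    safe_data=$2
    if ! ( set -C; printf '%s\n' "$safe_data" > "$safe_out" ); then
        echo "refusing to continue: $safe_out already exists" >&2
        return 1
    fi
    echo "created $safe_out"
    return 0
}

# Demonstration on a constructed scratch directory.
demo() {
    demo_dir=$(mktemp -d) || return 1
    : > "$demo_dir/existing"                  # a file that must not be clobbered
    : > "$demo_dir/victim"                    # a file a symlink could point at
    ln -s "$demo_dir/victim" "$demo_dir/link" # symlink planted at the output path
    weak_write "$demo_dir/existing" "data" 2>/dev/null || :  # prints "continuing with ..."
    safe_write "$demo_dir/existing" "data" || :              # refuses, returns 1
    safe_write "$demo_dir/link" "data" || :                  # refuses, victim untouched
    safe_write "$demo_dir/fresh" "data" || :                 # succeeds
    rm -rf "$demo_dir"
}

demo
```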
 
Old 06-16-2003, 07:09 PM   #3
unSpawn
Moderator
Jun 16th 2003 (ISS)

Internet Security Systems


Date Reported: 06/05/2003
Brief Description: Novell iChain login buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms: iChain 2.2, Linux Any version, Novell NetWare Any
version, Solaris Any version, Windows Any version
Vulnerability: ichain-login-bo
X-Force URL: http://www.iss.net/security_center/static/12207.php

Date Reported: 06/06/2003
Brief Description: Sun JDK/JRE/SDK untrusted Applet could access
restricted resources
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, Sun JDK
1.1.8_008 and prior, Sun JDK 1.1.8_14 and earlier,
Sun JRE 1.3.0_05 and earlier, Sun JRE 1.3.1_02 and
earlier, Sun SDK 1.2.2_010 and prior, Sun SDK
1.3.0_05 and earlier, Sun SDK 1.3.1_02 and earlier,
Windows Any version
Vulnerability: sun-applet-resources-access
X-Force URL: http://www.iss.net/security_center/static/12210.php

Date Reported: 06/06/2003
Brief Description: Sun JDK/JRE/SDK untrusted Applet could access HTTP
request properties
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, Sun JDK
1.1.8_008 and prior, Sun JDK 1.1.8_14 and earlier,
Sun JRE 1.2.2_011 and prior, Sun JRE 1.3.0_05 and
earlier, Sun JRE 1.3.1_02 and earlier, Sun SDK
1.2.2_011 and prior, Sun SDK 1.3.0_05 and earlier,
Sun SDK 1.3.1_02 and earlier, Windows Any version
Vulnerability: sun-applet-properties-access
X-Force URL: http://www.iss.net/security_center/static/12211.php

Date Reported: 06/06/2003
Brief Description: Sun JRE/SDK untrusted Applet could allow access to
authentication credentials
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, Sun JRE
1.2.2_014 or earlier, Sun JRE 1.3.1_06 and earlier,
Sun JRE 1.4.0_03 and earlier, Sun JRE 1.4.1_01 and
earlier, Sun SDK 1.2.2_014 or earlier, Sun SDK
1.3.1_06 and earlier, Sun SDK 1.4.0_03 and earlier,
Sun SDK 1.4.1_01 and earlier, Windows Any version
Vulnerability: sun-applet-authentication-access
X-Force URL: http://www.iss.net/security_center/static/12212.php

Date Reported: 06/05/2003
Brief Description: zenTrack index.php PHP file include
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Windows Any
version, zenTrack 2.4.1 and earlier
Vulnerability: zentrack-index-file-include
X-Force URL: http://www.iss.net/security_center/static/12213.php

Date Reported: 06/06/2003
Brief Description: zenTrack debug or demo mode could allow an attacker
to obtain information
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Windows Any
version, zenTrack 2.4.1 and earlier
Vulnerability: zentrack-debug-obtain-information
X-Force URL: http://www.iss.net/security_center/static/12214.php

Date Reported: 06/06/2003
Brief Description: Debian Linux gzip znew script temporary file
symlink attack
Risk Factor: High
Attack Type: Host Based
Platforms: Debian Linux 2.2, Debian Linux 3.0, Gentoo Linux
Any version, OpenPKG 1.1, OpenPKG 1.2, OpenPKG
CURRENT
Vulnerability: gzip-znew-tmpfile-symlink
X-Force URL: http://www.iss.net/security_center/static/12215.php

Date Reported: 06/06/2003
Brief Description: zenTrack index.php directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Windows Any
version, zenTrack 2.4.1 and earlier
Vulnerability: zentrack-index-directory-traversal
X-Force URL: http://www.iss.net/security_center/static/12216.php

Date Reported: 06/09/2003
Brief Description: Multiple vendor Ethernet network device driver TCP
packet information leak
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Windows Any
version
Vulnerability: ethernet-tcp-information-leak
X-Force URL: http://www.iss.net/security_center/static/12218.php

Date Reported: 06/09/2003
Brief Description: Linux kernel large ICMP citations memory leak
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Linux kernel 2.0 through 2.0.39
Vulnerability: linux-kernel-memory-leak
X-Force URL: http://www.iss.net/security_center/static/12223.php

Date Reported: 06/09/2003
Brief Description: Multiple vendor implementations of Java Virtual
Machine jpsock symlink attack
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Solaris Any version, Windows Any
version
Vulnerability: jvm-jpsock-symlink
X-Force URL: http://www.iss.net/security_center/static/12224.php

Date Reported: 06/09/2003
Brief Description: Spyke's PHP Board stores usernames and passwords in
plain text
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, PHP Any version, Spyke's PHP
Board 2.1, Unix Any version, Windows Any version
Vulnerability: spyke-phpboard-plaintext-password
X-Force URL: http://www.iss.net/security_center/static/12229.php

Date Reported: 06/09/2003
Brief Description: H-Sphere error page cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: BSD Any version, H-Sphere 2.0.x, H-Sphere 2.1.x, H-
Sphere 2.2.x, H-Sphere 2.3.x, Linux Any version,
Windows 2000 Any version
Vulnerability: hsphere-error-page-xss
X-Force URL: http://www.iss.net/security_center/static/12230.php

Date Reported: 06/10/2003
Brief Description: Nuca WebServer "dot dot" directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Nuca WebServer 0.01, Unix Any
version, Windows Any version
Vulnerability: nuca-webserver-directory-traversal
X-Force URL: http://www.iss.net/security_center/static/12232.php

Date Reported: 06/04/2003
Brief Description: Unicenter TNG file_upload.pl script command
execution
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, UnicenterTNG 2.1, UnicenterTNG
2.4, UnicenterTNG 2.4.2, Unix Any version, Windows
Any version
Vulnerability: unicentertng-fileupload-execute-code
X-Force URL: http://www.iss.net/security_center/static/12240.php

Date Reported: 06/04/2003
Brief Description: Unicenter TNG pdm_cgireport.exe unauthorized access
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, UnicenterTNG 2.1, UnicenterTNG
2.4, UnicenterTNG 2.4.2, Unix Any version, Windows
Any version
Vulnerability: unicentertng-pdmcgireport-unauth-access
X-Force URL: http://www.iss.net/security_center/static/12242.php

Date Reported: 06/04/2003
Brief Description: Unicenter TNG pdmcgi.exe could allow an attacker to
view requests
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, UnicenterTNG 2.1, UnicenterTNG
2.4, UnicenterTNG 2.4.2, Unix Any version, Windows
Any version
Vulnerability: unicentertng-pdmcgi-view-requests
X-Force URL: http://www.iss.net/security_center/static/12245.php

Date Reported: 06/04/2003
Brief Description: Unicenter Asset Management weak password encryption
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unicenter Asset Management Any
version, Unix Any version, Windows Any version
Vulnerability: unicenter-weak-password-encryption
X-Force URL: http://www.iss.net/security_center/static/12248.php

Date Reported: 06/05/2003
Brief Description: Novell iChain long username buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms: iChain 2.2, Linux Any version, Solaris Any version,
Windows Any version
Vulnerability: ichain-long-username-bo
X-Force URL: http://www.iss.net/security_center/static/12250.php

Date Reported: 06/11/2003
Brief Description: mnoGoSearch search.cgi "ul" parameter buffer
overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, mnoGoSearch 3.1.20, mnoGoSearch
3.2.10, Unix Any version
Vulnerability: mnogosearch-search-ul-bo
X-Force URL: http://www.iss.net/security_center/static/12253.php

Date Reported: 06/11/2003
Brief Description: mnoGoSearch search.cgi "tmplt" parameter buffer
overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, mnoGoSearch 3.1.20, mnoGoSearch
3.2.10, Unix Any version
Vulnerability: mnogosearch-search-tmplt-bo
X-Force URL: http://www.iss.net/security_center/static/12254.php

Date Reported: 06/05/2003
Brief Description: NewsPHP Advanced delimiter allows attacker to gain
low-level administrative privileges
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, NewsPHP Advanced 216, Unix Any
version, Windows Any version
Vulnerability: newsphp-delimiter-gain-privileges
X-Force URL: http://www.iss.net/security_center/static/12255.php

Date Reported: 06/11/2003
Brief Description: Gnocatan multiple buffer overflows
Risk Factor: High
Attack Type: Host Based / Network Based
Platforms: Debian Linux 3.0, Gnocatan Any version
Vulnerability: gnocatan-multiple-bo
X-Force URL: http://www.iss.net/security_center/static/12260.php

Date Reported: 06/11/2003
Brief Description: Barricade Wireless Cable/DSL Broadband Router
packet denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Barricade Wireless Router (SMC7004VWBR) prior to
1.23
Vulnerability: barricade-router-packet-dos
X-Force URL: http://www.iss.net/security_center/static/12263.php

Date Reported: 06/12/2003
Brief Description: ike-scan format string attack
Risk Factor: High
Attack Type: Host Based
Platforms: ike-scan prior to 1.2, Linux Any version, Unix Any
version, Windows Any version
Vulnerability: ike-scan-format-string
X-Force URL: http://www.iss.net/security_center/static/12276.php

Date Reported: 06/06/2003
Brief Description: MaxWebPortal search.asp cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, MaxWebPortal 1.30, Windows Any
version
Vulnerability: maxwebportal-search-xss
X-Force URL: http://www.iss.net/security_center/static/12277.php

Date Reported: 06/06/2003
Brief Description: MaxWebPortal could allow an attacker to modify form
fields
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, MaxWebPortal 1.30, Windows Any
version
Vulnerability: maxwebportal-form-field-modify
X-Force URL: http://www.iss.net/security_center/static/12278.php

Date Reported: 06/06/2003
Brief Description: MaxWebPortal database file access
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, MaxWebPortal 1.30, Windows Any
version
Vulnerability: maxwebportal-database-access
X-Force URL: http://www.iss.net/security_center/static/12279.php

Date Reported: 06/06/2003
Brief Description: MaxWebPortal password reset
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, MaxWebPortal 1.30, Windows Any
version
Vulnerability: maxwebportal-password-reset
X-Force URL: http://www.iss.net/security_center/static/12280.php

Date Reported: 06/05/2003
Brief Description: NewsPHP comment cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, NewsPHP Any version, Unix Any
version, Windows Any version
Vulnerability: newsphp-comment-xss
X-Force URL: http://www.iss.net/security_center/static/12281.php

Date Reported: 06/12/2003
Brief Description: WebBBS multiple denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: WebBBS Pro 1.8, Windows Any version
Vulnerability: webbbs-multiple-dos
X-Force URL: http://www.iss.net/security_center/static/12287.php

Date Reported: 06/04/2003
Brief Description: Cistron RADIUS NAS ports buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Cistron RADIUS Any version, Debian Linux 3.0, SuSE
Linux 7.2, SuSE Linux 7.3, SuSE Linux 8.0
Vulnerability: cistron-radius-nas-bo
X-Force URL: http://www.iss.net/security_center/static/12290.php

Date Reported: 06/13/2003
Brief Description: PostNuke modules.php cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, PostNuke Phoenix 0.7.2.3, Unix
Any version, Windows Any version
Vulnerability: postnuke-modulesphp-xss
X-Force URL: http://www.iss.net/security_center/static/12291.php

Date Reported: 06/13/2003
Brief Description: PostNuke user.php cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, PostNuke Phoenix 0.7.2.3, Unix
Any version, Windows Any version
Vulnerability: postnuke-user-xss
X-Force URL: http://www.iss.net/security_center/static/12292.php

Date Reported: 06/12/2003
Brief Description: Typespeed strcspn() function buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Typespeed 0.4.1 and earlier
Vulnerability: typespeed-strcspn-bo
X-Force URL: http://www.iss.net/security_center/static/12297.php

Date Reported: 06/13/2003
Brief Description: Progress Database dlopen() allows attacker to gain
privileges
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Progress Database 9.1D through
9.1D06, Unix Any version
Vulnerability: progress-dlopen-gain-privileges
X-Force URL: http://www.iss.net/security_center/static/12300.php

Date Reported: 06/13/2003
Brief Description: Progress Database _dbagent allows attacker to gain
privileges
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Progress Database 9.1D through
9.1D06, Unix Any version
Vulnerability: progress-dbagent-gain-privileges
X-Force URL: http://www.iss.net/security_center/static/12301.php

Date Reported: 06/13/2003
Brief Description: MikMod long file name buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Debian Linux 2.2, Debian Linux 3.0, MikMod Any
version
Vulnerability: mikmod-long-filename-bo
X-Force URL: http://www.iss.net/security_center/static/12302.php

Date Reported: 06/14/2003
Brief Description: pMachineFree lib.inc.php PHP file include
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, pMachineFree 2.2.1, Unix Any
version, Windows Any version
Vulnerability: pmachinefree-php-file-include
X-Force URL: http://www.iss.net/security_center/static/12303.php

Date Reported: 06/15/2003
Brief Description: LedNews message cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: LedNews 0.7, Linux Any version, Unix Any version,
Windows Any version
Vulnerability: lednews-message-xss
X-Force URL: http://www.iss.net/security_center/static/12304.php
 
Old 06-16-2003, 07:10 PM   #4
unSpawn
Moderator
Jun 16th 2003 (SF) pt. 1/2

SecurityFocus

1. Sun Microsystems Java Virtual Machine Insecure Temporary File Vulnerability
BugTraq ID: 7848
Remote: No
Date Published: Jun 08 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7848
Summary:

The Java Virtual Machine is a component of the Java Runtime Environment,
distributed by Sun Microsystems.

A problem has been reported that may make it possible for an attacker to
gain unauthorized privileges.

It has been reported that the Java Virtual Machine distributed by Sun does
not safely generate temporary files. Because of this, an attacker may be
able to launch a symbolic link attack.

The problem is in the handling of temporary files. When the Java Virtual
Machine is invoked, it creates a temporary file in the /tmp directory with
the prefix of jpsock.**_*, and varying characters in the place of the
asterisks. An attacker could create a range of symbolic links pointing to
a specific file, attempting to predict the future name of a temporary file
created by the JVM. Upon a successful guess, the file at the end of the
symbolic link would be overwritten.

5. Spyke PHP Board Information Disclosure Vulnerability
BugTraq ID: 7856
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7856
Summary:

Spyke PHP Board is a web-based Content Management System (CMS) implemented
in PHP. It is available for a variety of platforms including Microsoft
Windows and Unix variant operating environments.

A vulnerability has been reported for Spyke's PHP Board that may result in
an attacker obtaining access to sensitive information.

The vulnerability exists due to the way the CMS stores data. Specifically,
the system uses plaintext files for the storage of sensitive information.

An attacker can exploit this vulnerability to issue a request for the
'info.dat' configuration file. This will return a plaintext file to the
attacker the contents of which contain administrative authentication
information.

User authentication information is stored under the 'user' directory with
a .TXT extension.

Information obtained in this manner may allow an attacker to launch
further destructive attacks against a vulnerable system.

This vulnerability was reported for Spyke PHP Board 2.1.

6. H-Sphere HTML Template Inclusion Cross-Site Scripting Vulnerabilities
BugTraq ID: 7855
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7855
Summary:

H-Sphere is a multiserver web hosting application. H-Sphere is available
for Microsoft Windows, Linux, and Unix operating systems.

H-Sphere is prone to multiple cross-site scripting vulnerabilities via the
HTML template feature in the Hosting Control Panel. HTML and script code
will not be filtered from pages which are generated when a request for an
invalid or unknown template is made.

This could be exploited if a web user follows a malicious link to a site
hosting the vulnerable software that includes hostile HTML or script code.
This code would be executed in the context of the site hosting the
software. The link may also need to contain the username of a valid,
logged in user.

Successful exploitation could permit theft of cookie-based authentication
credentials from legitimate users of the Hosting Control Panel, which may
in turn permit unauthorized access to resources that are managed by the
software. Other attacks may also be possible.

15. MNOGoSearch Search.CGI UL Buffer Overflow Vulnerability
BugTraq ID: 7865
Remote: Yes
Date Published: Jun 10 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7865
Summary:

mnoGoSearch is multi-platform web search engine software for Intranet and
Internet servers.

mnoGoSearch 'search.cgi' has been reported prone to a buffer overflow
vulnerability.

The issue is a result of a lack of sufficient bounds checking performed on
a user-supplied URI parameter that is passed to the 'search.cgi'
application.

Reportedly, if a 'ul' URI parameter containing excessive data is passed in
an HTTP request for 'search.cgi', the bounds of an internal memory buffer
will be overrun. Memory adjacent to the affected buffer will be corrupted
with attacker-supplied values.

It has been reported that adjacent memory space contains values that are
crucial to the control of program execution flow. It is therefore possible
for the attacker to seize control of the 'search.cgi' application, and
have arbitrary code executed in the context of the web-server process.

This vulnerability was reported to exist in mnoGoSearch 3.1.20.

16. MNOGoSearch Search.CGI TMPLT Buffer Overflow Vulnerability
BugTraq ID: 7866
Remote: Yes
Date Published: Jun 10 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7866
Summary:

mnoGoSearch is multi-platform web search engine software for Intranet and
Internet servers.

mnoGoSearch 'search.cgi' has been reported prone to a buffer overflow
vulnerability.

The issue is a result of a lack of sufficient bounds checking performed on
a user-supplied URI parameter that is passed to the 'search.cgi'
application.

Reportedly, if a 'tmplt' URI parameter containing excessive data is passed
in an HTTP request for 'search.cgi', the bounds of an internal memory
buffer will be overrun. Memory adjacent to the affected buffer will be
corrupted with attacker-supplied values.

It has been reported that adjacent memory space contains values that are
crucial to the control of program execution flow. It is therefore possible
for the attacker to seize control of the 'search.cgi' application, and
have arbitrary code executed in the context of the web-server process.

This vulnerability was reported to exist in mnoGoSearch 3.2.10.

19. XMB Forum Member.PHP U2U Private Message HTML Injection Vulnerability
BugTraq ID: 7869
Remote: Yes
Date Published: Jun 10 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7869
Summary:

XMB Forum 1.8 is a web-based discussion forum.

A vulnerability has been reported for XMB Forum 1.8 which may make it
prone to HTML injection attacks. The problem is said to occur while
viewing U2U private messages.

Specifically, U2U private messages may not be sufficiently sanitized of
malicious content. This may make it possible for an attacker to place HTML
or script code within the message body of a private U2U message for
another user. When the legitimate forum user attempts to view the message
the malicious code will be interpreted by their browser in the security
context of the forum website.

Attackers may potentially exploit this issue to manipulate web content or
to steal cookie-based authentication credentials. It may be possible to
take arbitrary actions as the victim user.

20. XMB Forum Member.PHP Location Field HTML Injection Vulnerability
BugTraq ID: 7870
Remote: Yes
Date Published: Jun 10 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7870
Summary:

XMB Forum is a web-based discussion forum.

A vulnerability has been reported in XMB Forum that may result in HTML
injection. The vulnerability occurs because XMB Forum fails to
sufficiently sanitize user-supplied input that is used for the 'Location'
field in a registered user's personal information page. Other fields may
also be similarly affected.

Due to this condition, a malicious user may be able to submit arbitrary
HTML code, as 'Location' field data. The arbitrary code will then be
displayed to unsuspecting users who view the XMB Forum member's profile
information. Any attacker-supplied code will be interpreted in a victim
user's web browser in the security context of the site hosting the
software.

It may be possible to steal the unsuspecting user's cookie-based
authentication credentials, as well as other sensitive information. Other
attacks may also be possible.

22. GZip ZNew Insecure Temporary File Creation Symbolic Link Vulnerability
BugTraq ID: 7872
Remote: No
Date Published: Jun 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7872
Summary:

gzip is a freely available, open source file compression utility. It is
maintained by public domain, and available for the Unix, Linux, and
Microsoft operating systems.

A problem with the utility may make the local destruction of data
possible.

It has been reported that gzip does not securely handle temporary files in
the znew script. Because of this, a local attacker may be able to launch
a symbolic link attack against sensitive files.

The problem is in the handling of checking for existing files. When the
znew script executes, it does not sufficiently validate the value returned
when the program checks for the existence of a file in the temporary
directory. Because of this, znew could potentially write to a symbolic
link that would destroy the data at the end of the symbolic link, provided
the user has sufficient privileges to write to the file. This may also
potentially lead to elevated privileges, though this theory is
unconfirmed.

24. RPM Package Manager FTP NLST Data Integer Overflow Remote Memory Corruption Vulnerability
BugTraq ID: 7874
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7874
Summary:

The RPM Package Manager is a command line utility for creating, installing
and managing RPM packages. It is available for a wide range of Linux
distributions.

A vulnerability has been reported for the RPM Package Manager. The problem
occurs when using the application to access FTP listings on a remote
server. Specifically, RPM fails to sufficiently carry out sanity checks on
the size of data returned by an FTP NLST listing. The size value is
subsequently shifted 2 bits to the left, effectively increasing its size
exponentially by 3, and is then used as a malloc() function parameter. The
NLST data is then copied into the buffer returned by malloc().

An attacker could exploit this issue by controlling a malicious FTP server
configured in such a way as to transmit NLST data in excess of 1 gigabyte.
If this were to occur, when the RPM application carried out the shift
procedure, the size value would overflow. As a result, an insufficient
memory buffer will be allocated to store the data.

The exploitability of this vulnerability to execute code is highly
implausible as copying data of this size will typically result in a page
fault. However, this issue could result in the exhaustion of available
system resources and would ultimately cause the RPM utility to crash.

25. Gnome FTP NLST Data Integer Overflow Memory Corruption Vulnerability
BugTraq ID: 7875
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7875
Summary:

A vulnerability has been reported for Gnome. It has been reported that
when processing NLST data from an FTP server, various Gnome functions or
utilities may fail to sufficiently handle the size of data returned. Due
to subsequent calculations, insufficient data may be allocated for storage
of the NLST data. This may result in excessive data being copied into
insufficient memory, effectively causing a denial of service.

It should be noted that this issue presents itself when a large amount of
NLST data in excess of 1 gigabyte is received. As such, exploitation of
this issue will inevitably result in the exhaustion of available
resources, followed by a segmentation violation. Also, due to the
excessive amount of data copied to memory, the exploitability of this
issue to execute code may not be plausible. Furthermore, it is said that
the exploitation of this issue may only be possible on architectures with
specific variable width characteristics, typically 64-bit systems.

It should be noted that the precise details regarding this vulnerability
are currently unknown. The problem may lie in specific Gnome utilities or
possibly in Gnome library string parsing functions linked to by other
applications.

26. SMC Wireless Router Malformed PPTP Packet Denial of Service Vulnerability
BugTraq ID: 7876
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7876
Summary:

SMC SMC7004VWBR is a wireless Cable/DSL broadband router with integrated
wireless access point and SPI firewall.

It has been discovered this device is prone to a denial of service attack.
The problem occurs when processing a sequence of malformed PPTP packets
transmitted to the router's internal interface.

The successful exploitation of this vulnerability will result in the
router no longer responding to internal wireless traffic. This will
effectively deny legitimate wireless users further network services.

It should be noted that the device would need to be physically reset to
restore typical functionality.

This vulnerability affects firmware versions earlier than 1.23.

27. Multiple Gnocatan Server Buffer Overflow Vulnerabilities
BugTraq ID: 7877
Remote: Yes
Date Published: Jun 12 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7877
Summary:

Gnocatan is a multiplayer game. It is available for Microsoft Windows and
Linux operating systems.

The Gnocatan game server is prone to multiple remotely exploitable buffer
overflow vulnerabilities. The vulnerabilities are due to insufficient
bounds checking of data supplied to the server, which could result in
corruption of memory with attacker-supplied values. These conditions
could potentially be exploited to execute malicious code in the context of
the server or to launch denial of service attacks.

Specific technical details regarding these vulnerabilities are not
available at this time. This BID will be updated as more details become
available.

28. Ethereal DCERPC Dissector Memory Allocation Vulnerability
BugTraq ID: 7878
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7878
Summary:

Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.

The DCERPC dissector of Ethereal is prone to a condition whereby too much
memory may be allocated when decoding certain NDR strings.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.

An attacker may be able to exploit this vulnerability by crafting a
specially formed packet and sending it to a system using the vulnerable
dissector or by convincing a victim user to use Ethereal to read a
malformed packet trace file.

This may result in the vulnerable Ethereal process allocating too much
memory. Repeated decoding of malformed NDR packets may result in the
consumption of all available memory resources which may lead to a denial
of service condition.

This vulnerability affects Ethereal 0.9.12 and earlier.

29. Ethereal SPNEGO Dissector Denial Of Service Vulnerability
BugTraq ID: 7879
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7879
Summary:

Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.

The SPNEGO dissector of Ethereal, when parsing certain ASN.1 codes, may
cause a segmentation fault.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.

An attacker may be able to exploit this vulnerability by crafting a
specially formed packet with an invalid ASN.1 value and sending it to a
system using the vulnerable dissector.

Due to the nature of this vulnerability, it may be possible for an
attacker to create a situation in which sensitive memory could be
overwritten. If successful this may allow for the execution of arbitrary
code with the privileges of the Ethereal process.

This vulnerability affects Ethereal 0.9.12 and earlier.

30. Ethereal OSI Dissector Buffer Overflow Vulnerability
BugTraq ID: 7880
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7880
Summary:

Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.

The OSI dissector is prone to a buffer overflow condition when handling
bad IPv4 or IPv6 prefix lengths. This is likely due to insufficient bounds
checking.

It may be possible to construct an IPv4 or IPv6 packet that will, when
decoded by Ethereal, trigger the overflow condition. Successful
exploitation of this vulnerability may result in the attacker gaining
access to the Ethereal host via execution of attacker-supplied
instructions.

This BID will be updated when further technical details are disclosed.

This vulnerability affects Ethereal 0.9.12 and earlier.

31. Ethereal Multiple Dissector String Handling Vulnerabilities
BugTraq ID: 7881
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7881
Summary:

Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.

Several dissectors included with Ethereal do not properly handle strings.
Exploitation of this issue may allow an attacker to cause Ethereal to
behave in an unpredictable manner. The BGP, WTP, DNS, 802.11, ISAKMP, WSP,
CLNP, ISIS, and RMI dissectors are vulnerable to this issue.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.

An attacker may be able to exploit this vulnerability by crafting a
specially formed packet and sending it to a system using the vulnerable
dissectors or by convincing a victim user to use Ethereal to read a
malformed packet trace file.

Due to the nature of this vulnerability, it may be possible for an
attacker to create a situation in which sensitive memory could be
overwritten. If successful this may allow for the execution of arbitrary
code with the privileges of the Ethereal process.

This vulnerability affects Ethereal 0.9.12 and earlier.

32. Ethereal TVB_GET_NSTRINGZ0() Memory Handling Vulnerability
BugTraq ID: 7883
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7883
Summary:

Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.

An Ethereal routine, tvb_get_nstringz0(), has been reported prone to a
memory handling vulnerability. Reportedly tvb_get_nstringz0() incorrectly
handles a zero-length buffer size. Although unconfirmed, it has been
conjectured that this issue may be due to an incorrect allocation of
memory, caused when an unsigned integer is used when calculating the size
of memory to be allocated.

Exploitation of this issue may allow an attacker to cause Ethereal to
behave in an unpredictable manner.

Due to the nature of this vulnerability, it may be possible for an
attacker to create a situation in which sensitive memory could be
overwritten. If successful this may allow for either a remotely triggered
denial of service condition or ultimately in the execution of arbitrary
code with the privileges of the Ethereal process.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.

This vulnerability affects Ethereal 0.9.12 and earlier.

33. FakeBO Syslog Format String Vulnerability
BugTraq ID: 7882
Remote: Yes
Date Published: Jun 12 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7882
Summary:

FakeBO is a utility to log common trojan attempts in an effort to possibly
emulate one. It may also be used in a honeypot setup to facilitate
security monitoring. It is available for Microsoft Windows, Linux, and
Unix variant operating systems.

A vulnerability has been reported for FakeBO that may result in an
attacker obtaining elevated privileges on a target system.

Due to a programming error, it may be possible to exploit a format string
vulnerability in the affected utility. Specifically, a logging function in
FakeBO contains insecure syslog() calls. This could result in the
execution of attacker-supplied code.

The vulnerability occurs when FakeBO resolves a carefully constructed
hostname that includes malicious format string specifiers. In the event
that this vulnerability is exploited, an attacker could cause arbitrary
locations in memory to be corrupted with attacker-specified data and
execute code with elevated privileges.

This vulnerability was reported for FakeBO 0.4.1.

36. MySQL libmysqlclient Library mysql_real_connect() Buffer Overrun Vulnerability
BugTraq ID: 7887
Remote: Yes
Date Published: Jun 12 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7887
Summary:

MySQL is an open source relational database project, and is available for
a number of operating systems, including Microsoft Windows.

MySQL contains a library called libmysqlclient. A problem exists in the
mysql_real_connect() function of the libmysqlclient library that could
result in a buffer being overrun.

The problem likely occurs due to insufficient bounds checking of
user-supplied parameters and could allow an attacker to corrupt sensitive
process memory. It is possible to trigger this condition by supplying a
parameter containing approximately 350 or more bytes of data.

An attacker could potentially be capable of exploiting this issue to
execute arbitrary code on a remote system. It should be noted that this
issue would be required to be exploited in conjunction with an unrelated
remote SQL injection attack or possibly used on a system which allows for
the uploading of scripts.

41. Typespeed Remote Memory Corruption Vulnerability
BugTraq ID: 7891
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7891
Summary:

Typespeed is a game designed to test typing skills. It is available for
the Linux operating system. Typespeed is installed setgid 'games' by
default on the Debian Linux distribution.

A memory corruption vulnerability has been reported for Typespeed that may
result in code execution with elevated privileges. The vulnerability
exists in the net_swapscore() function of the 'network.c' source file.
Specifically, proper bounds checks are not performed prior to executing
the 'strncpy' function.

A remote attacker may be able to exploit this vulnerability to corrupt
sensitive with attacker-supplied code.

This vulnerability was reported for Typespeed 0.4.1 and earlier.
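The RPM and Gnome NLST items above (BIDs 7874 and 7875) both describe the same arithmetic defect: a length taken from the FTP server is shifted left by 2 bits (multiplied by 4) and handed to malloc() without first checking that the product still fits, so a listing of 1 gigabyte or more wraps the size to a tiny value. The C below is an added illustration of that class of bug and its fix; it is not code from RPM, GNOME or SecurityFocus. It assumes a 32-bit size variable (a constructed model, chosen because the 1 GB threshold named in the summaries is exactly where a 32-bit value times 4 wraps); the function names and the 1 MiB cap are the example's own.

```c
/* Added example: models the NLST size computation described for the RPM
 * and Gnome FTP issues (BIDs 7874/7875). Not code from either project.
 * The 32-bit width is an assumption made to match the 1 GB threshold. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Vulnerable pattern: the multiplication silently wraps modulo 2^32.
 * For len = 2^30 (1 GiB) the result is 0, so malloc() returns a buffer
 * far too small for the data that is then copied into it. */
uint32_t nlst_alloc_size_unchecked(uint32_t len)
{
    return len << 2;
}

/* Hardened check: 1 if len * 4 fits in 32 bits, 0 otherwise. */
int nlst_len_fits(uint32_t len)
{
    return len <= UINT32_MAX / 4;
}

/* Hardened size computation: returns len * 4, or 0 when it would wrap.
 * A zero-byte buffer is never a useful result, so 0 doubles as "refused". */
uint32_t nlst_alloc_size(uint32_t len)
{
    if (!nlst_len_fits(len))
        return 0;
    return len * 4;
}

/* Allocate storage for NLST data. Besides the overflow check, an upper
 * bound on the listing size (max_len, an example value) keeps a hostile
 * server from driving the client into resource exhaustion. */
char *nlst_alloc(uint32_t len, uint32_t max_len)
{
    uint32_t size;

    if (len == 0 || len > max_len)
        return NULL;
    size = nlst_alloc_size(len);
    if (size == 0)
        return NULL;
    return calloc(size, 1);
}

int main(void)
{
    uint32_t one_gib = 1u << 30;

    printf("unchecked size for 1 GiB listing: %u\n",
           nlst_alloc_size_unchecked(one_gib));     /* wraps to 0 */
    printf("checked size for 1 GiB listing:   %u\n",
           nlst_alloc_size(one_gib));               /* refused: 0 */
    printf("checked size for 100 bytes:       %u\n",
           nlst_alloc_size(100));                   /* 400 */
    return 0;
}
```

The same check generalises to any "length times constant" computation before an allocation: compare the input against the maximum divided by the multiplier before doing the multiplication, never after.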
Old 06-16-2003, 07:11 PM   #5
unSpawn
Moderator
Jun 16th 2003 (SF) pt. 2/2

SecurityFocus

42. Lyskom Server Unauthenticated User Denial Of Service Vulnerability
BugTraq ID: 7893
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7893
Summary:

Lyskom server is a tool to facilitate internal conferences and meetings.
It has functionality similar to ICQ and AIM.

A vulnerability has been reported for Lyskom that may result in a denial
of service condition.

The vulnerability exists when the server attempts to process a query sent
by an unauthenticated user.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information becomes available.

This vulnerability was reported to affect Lyskom server 2.0.7 and earlier.

43. Cistron RADIUS Remote Signed NAS-Port Number Expansion Memory Corruption Vulnerability
BugTraq ID: 7892
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7892
Summary:

A vulnerability has been discovered in the Cistron RADIUS server. The
problem is due to the way the application processes user-supplied NAS-Port
values.

The issue occurs within the make_wtmp function when making a call to
sprintf(). Specifically, the '%03d' format specifier is used to interpret
the user-supplied nas_port variable. The problem lies in the fact that the
nas_port variable could hold a signed integer value. If the value were a
negative value greater than 1 billion (10 digits), the sprintf() function
would expand the integer up to 11 bytes. This is due to a minus '-' symbol
being prepended to the 10 byte value.

Due to this unexpected value expansion, the 'buf[32]' character array may
be overrun by 1 byte. This is due to the sprintf() call also appending a
semicolon ':', 20 bytes of data and a NUL byte to the buffer, after
interpreting the port value.

This issue could pose a security threat as the NUL byte could potentially
corrupt the LSB of the current frame's saved frame pointer. This could
result in a situation under which an attacker-supplied memory address
could be popped as an instruction pointer, effectively resulting in the
execution of arbitrary code.

It should be noted that the exploitability of this issue is heavily
dependent on the layout of the process in memory, which is compiler
dependent. It has been reported however that under some circumstances this
issue may affect data stored from previously processed packets or possibly
other sensitive stack variables.
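The Cistron RADIUS item above (BID 7892) turns on a detail that is easy to miss in review: a '%03d' conversion guarantees a minimum width of three characters, not a maximum, so a negative value with ten digits expands to eleven bytes once the sign is prepended. The C below is an added illustration of that expansion against a 32-byte buffer and of the bounded alternative; it is not code from Cistron RADIUS or SecurityFocus. The format string, the 20-byte payload and the function names are constructed for the example from the summary's description ('%03d', a ':', 20 bytes of data and a NUL into 'buf[32]').

```c
/* Added example modelling the signed NAS-Port expansion described for
 * Cistron RADIUS (BID 7892). Not code from the Cistron project; the
 * format, payload and names are constructed from the summary's text. */
#include <stdio.h>
#include <string.h>

#define WTMP_BUF_LEN     32   /* the 'buf[32]' named in the summary */
#define WTMP_PAYLOAD_LEN 20   /* the "20 bytes of data" appended after ':' */

/* Constructed 20-byte payload standing in for that data. */
static const char payload20[] = "ABCDEFGHIJKLMNOPQRST";

/* Bytes an unbounded sprintf() would write, NUL included. */
size_t wtmp_entry_len(int nas_port)
{
    int n = snprintf(NULL, 0, "%03d:%.*s", nas_port,
                     WTMP_PAYLOAD_LEN, payload20);
    return (size_t)n + 1;
}

/* 1 if the entry for nas_port would overrun a WTMP_BUF_LEN buffer.
 * "%03d" pads to at least three characters; it never truncates, so a
 * ten-digit negative value occupies 11 bytes: 11 + 1 + 20 + 1 = 33 > 32. */
int wtmp_entry_overruns(int nas_port)
{
    return wtmp_entry_len(nas_port) > WTMP_BUF_LEN;
}

/* Hardened formatter: bounded write plus an explicit truncation check.
 * Returns 1 on success, 0 if the entry did not fit (buf is then emptied).
 * Negative ports are refused up front (an assumption of this example:
 * a port number is never meaningfully negative). */
int format_wtmp_entry(char *buf, size_t buflen, int nas_port)
{
    int n;

    if (buflen == 0)
        return 0;
    if (nas_port < 0) {
        buf[0] = '\0';
        return 0;
    }
    n = snprintf(buf, buflen, "%03d:%.*s", nas_port,
                 WTMP_PAYLOAD_LEN, payload20);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';   /* would have been truncated (or overrun) */
        return 0;
    }
    return 1;
}

/* Convenience wrapper over a static 32-byte buffer for stand-alone use. */
int format_wtmp_entry_demo(int nas_port)
{
    static char buf[WTMP_BUF_LEN];
    return format_wtmp_entry(buf, sizeof buf, nas_port);
}

int main(void)
{
    int ports[] = { 7, 2147483647, -1234567890 };
    size_t i;

    for (i = 0; i < sizeof ports / sizeof ports[0]; i++)
        printf("nas_port %11d: needs %2zu bytes, overruns buf[32]: %s, "
               "bounded formatter: %s\n",
               ports[i], wtmp_entry_len(ports[i]),
               wtmp_entry_overruns(ports[i]) ? "yes" : "no",
               format_wtmp_entry_demo(ports[i]) ? "ok" : "refused");
    return 0;
}
```

Sizing the buffer from the format is the general lesson: a signed int needs up to 11 characters under '%d' regardless of any minimum-width flag, and snprintf() with a truncation check is the cheap way to make a miscount fail closed instead of writing past the array.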