LinuxQuestions.org
Old 12-02-2002, 03:20 PM   #1
unSpawn
Moderator
 
LQ weekly security rep - Mon Dec 02nd 2002


December 6th 2002
11 issues handled (LAW)
RPC
ypserv
pine
freeswan
im
smb2www
kdelibs
windowmaker
xinetd
webalizer
kdelibs

Dec 02nd 2002
30 of 40 issues handled (ISS)
iPlanet (Sun ONE) Web Server admin error log cross-
iPlanet (Sun ONE) Web Server admin Perl scripts
BIND multiple simultaneous resource record (RR)
tcpdump sizeof operator memory corruption
OpenBSD syslogd could report the incorrect host IP
Multiple vendor Java bytecode verifier can be used
Netscape Java implementation has insecure system
vBulletin member2.php $perpage cross-site scripting
Calisto denial of service
PHP-Nuke fetch.php script cross-site scripting
pServ (pico Server) long POST request denial of
Sun Solaris fs.auto buffer overflow could allow an
Web Server Creator could allow an attacker to
phpBB forum message cross-site scripting
NetScreen fragmented request can bypass URL
NetScreen H.323 denial of service
SSH insecure setsid() call could allow elevated
WsMp3 Web_server multiple buffer overflows
Bugzilla quips feature cross-site scripting
Freenews aff_news.php could allow an attacker to
News Evolution could allow an attacker to include
Sybase Adaptive Server xp_freedll long DLL file
LIB CGI libcgi.h file "changevalue" parameter
Solaris priocntl(2) pc_clname argument could allow
ImageFolio imageFolio.cgi or nph-build.cgi script
Sybase Adaptive Server DROP DATABASE buffer
Sybase Adaptive Server DBCC CHECKVERIFY buffer
pWins Web server "dot dot" directory traversal
LIBCGI cgi_lib.c source file parse_field() function
bogofilter contrib/bogopass tmp file symlink

Dec 02nd 2002
21 of 30 issues handled (SF)
1. VBulletin Memberlist.PHP Cross Site Scripting Vulnerability
3. Rational ClearCase Portscan Denial Of Service Vulnerability
6. Open WebMail User Name Information Disclosure Vulnerability
10. Calisto Internet Talker Denial Of Service Vulnerability
11. WSMP3 Multiple Buffer Overflow Vulnerabilities
12. Multiple Vendor fs.auto Remote Buffer Overrun Vulnerability
13. WSMP3 Remote Heap Corruption Vulnerability
15. Pserv HTTP POST Request Buffer Overflow Vulnerability
16. PHP-Nuke Multiple Cross Site Scripting Vulnerabilities
17. VBulletin members2.php Cross Site Scripting Vulnerability
18. NetScreen Malicious URL Filter Bypassing Vulnerability
19. NetScreen H.323 Control Session Denial Of Service Vulnerability
20. phpBB Script Injection Vulnerability
21. SSH Communications SSH Server Privilege Escalation Vulnerability
22. Web Server Creator Web Portal Remote File Include Vulnerability
23. NetScreen ScreenOS Predictable Initial TCP Sequence Number Vulnerability
24. Netscape/Mozilla POP3 Mail Handler Integer Overflow Vulnerability
26. Netscape Java canConvert() Buffer Overflow Vulnerability
27. Null HTTPD Remote Heap Corruption Vulnerability
28. Bugzilla quips Feature Cross Site Scripting Vulnerability
29. FreeNews Include Undefined Variable Command Execution Vulnerability

Last edited by unSpawn; 12-06-2002 at 06:51 PM.
 
Old 12-02-2002, 03:24 PM   #2
unSpawn
Moderator
 
Dec 02nd 2002 (SF)

SecurityFocus

1. VBulletin Memberlist.PHP Cross Site Scripting Vulnerability
BugTraq ID: 6226
Remote: Yes
Date Published: Nov 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6226
Summary:

vBulletin is commercial web forum software written in PHP and back-ended
by a MySQL database. It will run on most Linux and Unix variants, as well
as Microsoft operating systems.

vBulletin does not filter HTML tags from URI parameters, making it prone
to cross-site scripting attacks. The vulnerability exists due to
inadequate filtering in the 'memberlist.php' script of the value for the
'what' parameter.

As a result, it is possible for a remote attacker to create a malicious
link containing script code which will be executed in the browser of a
legitimate user, in the context of the website running vBulletin.

This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software. Cookie-based authentication credentials may be used by the
attacker to hijack the session of the legitimate user.

3. Rational ClearCase Portscan Denial Of Service Vulnerability
BugTraq ID: 6228
Remote: Yes
Date Published: Nov 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6228
Summary:

Rational ClearCase is a software configuration management solution. It
serves to provide version control as well as repositories for software
development.

Rational ClearCase has been reported to be prone to a denial of service
condition. It is possible to cause this condition by portscanning a system
running the vulnerable version of ClearCase. This issue was demonstrated
using the nmap portscanning utility.

An attacker can exploit this vulnerability by making two consecutive
portscans of a vulnerable system. This will cause ClearCase to crash.
Restarting the ClearCase service is required to restore functionality.

This vulnerability has been reported on ClearCase 4.1 and 2002.05 systems.

6. Open WebMail User Name Information Disclosure Vulnerability
BugTraq ID: 6232
Remote: Yes
Date Published: Nov 23 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6232
Summary:

Open Webmail is a freely available, open source web email application.
It is available for Unix and Linux operating systems.

A problem with Open Webmail may allow remote users to gain access to user
names.

It has been reported that Open Webmail reveals too much information during
the authentication process. When a user enters a user name, Open Webmail
returns information indicating the validity of the entered user name.
This could allow remote users to gather a list of valid user names through
an enumeration attack.

This vulnerability could be used to launch further, more directed attacks,
for example a brute force attack to obtain the passwords of valid user
names.

10. Calisto Internet Talker Denial Of Service Vulnerability
BugTraq ID: 6238
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6238
Summary:

Calisto is an Internet Talker that allows remote users to connect to a
server using telnet and chat.

A vulnerability has been discovered in Calisto that may result in a denial
of service. It is possible to trigger this issue by passing 512 bytes or
more of data to a vulnerable daemon. Exploitation of this issue will
cause the target process to freeze.

It should be noted that Calisto typically recovers from program crashes
through the use of an autorun shell script. Due to the Calisto process
freezing and not crashing, the autorun script will not be run and a manual
restart of the daemon is required to restore functionality.

This issue was discovered in Calisto Internet Talker 0.4. It is not yet
known whether earlier versions are also affected.

11. WSMP3 Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 6239
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6239
Summary:

WSMP3 is a freely available server that allows users to stream MP3 files.

Several buffer overflow conditions have been reported for WSMP3. The
vulnerability is due to improper bounds checking when copying data to
local buffers. The vulnerabilities exist in the web_server.c file.

An attacker can exploit this vulnerability by sending an overly long
request, consisting of at least 1024 characters, to the vulnerable server.
This will trigger the buffer overflow condition, resulting in memory
corruption. Overwriting sensitive memory with malicious values may allow an
attacker to execute arbitrary code on the target system.

This vulnerability has been reported for WSMP3 0.0.2 and earlier.

12. Multiple Vendor fs.auto Remote Buffer Overrun Vulnerability
BugTraq ID: 6241
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6241
Summary:

By default multiple vendors include an implementation of the XFS font
server, fs.auto. This service allows for X Windows systems to share font
information across a network.

A remotely exploitable buffer overrun condition has been reported in
fs.auto. The overrun is reportedly due to inadequate bounds checking on
client-supplied data prior to a sensitive memory copy operation. This
occurs during the 'Dispatch()' routine.

Malicious remote clients may exploit this condition to execute
instructions on the target host by issuing a malicious XFS request. The
instructions will execute with user 'nobody' privileges and may result in
the attacker gaining local access to the host.

This vulnerability has been reported fixed in XFree86 3.3.6 and later.

13. WSMP3 Remote Heap Corruption Vulnerability
BugTraq ID: 6240
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6240
Summary:

WSMP3 is a freely available server that allows users to stream MP3 files.

A remotely exploitable heap corruption vulnerability has been reported for
WSMP3. The vulnerability occurs in the 'get_op()' function in the
'web_server.c' file, when copying user-supplied data into the 'op' buffer.

By overrunning the 'op' buffer, it is possible for a remote attacker to
corrupt malloc() headers located in heap memory. The execution of
arbitrary attacker-supplied code may be possible, when corrupted memory is
referenced by the free() function.

Successful exploitation of this issue may result in the remote execution
of arbitrary code with root privileges.

This vulnerability was reported for WSMP3 0.0.2 and earlier.

15. Pserv HTTP POST Request Buffer Overflow Vulnerability
BugTraq ID: 6242
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6242
Summary:

Pserv (Pico Server) is a freely available web server designed for Linux
and Unix variant operating systems.

A buffer overflow vulnerability has been reported in Pserv. Reportedly, it
is possible to overflow a local buffer by making a malicious HTTP request.

Due to insufficient checks performed on user-supplied data, by omitting the
'\n' character from a malicious POST request, it is possible to overrun
the 'token' buffer.

Exploitation of this issue will result in a denial of service. Although it
has not been confirmed, it may be possible for an attacker to execute
arbitrary code.

This vulnerability was reported for Pserv 2.0 beta 3. It is likely that
earlier versions are affected.

16. PHP-Nuke Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 6244
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6244
Summary:

PHP-Nuke is a web based Portal system. Implemented in PHP, it is available
for a range of systems, including Microsoft Windows and Linux.

Several cross site scripting vulnerabilities have been reported for
PHP-Nuke. Affected modules include the Discussion module, News module, and
PM module among others. This vulnerability is due to insufficient
sanitization of all HTML tags.

An attacker may exploit this vulnerability by enticing a victim user to
follow a malicious link. Attacker-supplied HTML and script code may be
executed on a web client in the context of the site hosting the web-based
forum.

Attackers may potentially exploit this issue to manipulate web content or
to steal cookie-based authentication credentials. It may be possible to
take arbitrary actions as the victim user.

These vulnerabilities have been reported for PHP-Nuke 6.5b1 and earlier.

17. VBulletin members2.php Cross Site Scripting Vulnerability
BugTraq ID: 6246
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6246
Summary:

vBulletin is commercial web forum software written in PHP and back-ended
by a MySQL database. It will run on most Linux and Unix variants, as well
as Microsoft operating systems.

The $perpage variable is used to control the way of reciting subscribed
threads. This variable is later added to a query that is used to fetch
database records. If an invalid value is passed to the $perpage variable,
an error page is generated. Due to insufficient sanitization of data
passed to the $perpage variable, it is possible to inject script code into
the variable, which will be included in the error page.

As a result, it is possible for a remote attacker to create a malicious
link containing script code which will be executed in the browser of a
legitimate user, in the context of the website running vBulletin.

This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software. The attacker may use cookie-based authentication credentials to
hijack the session of the legitimate user.

18. NetScreen Malicious URL Filter Bypassing Vulnerability
BugTraq ID: 6245
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6245
Summary:

NetScreen is a line of Internet security appliances integrating firewall,
VPN and traffic management features. ScreenOS is the software used to
manage and configure the firewall. NetScreen supports Microsoft Windows
95, 98, ME, NT and 2000 clients. A vulnerability has been reported for
NetScreen.

An administrator is able to restrict access to certain URLs by defining a
malicious URL pattern. Reportedly, it is possible to circumvent rules for
malicious URLs by fragmenting the request.

An attacker can exploit this vulnerability to access URLs that are
normally inaccessible to hosts behind the NetScreen appliance.

This vulnerability was reported for NetScreen appliances using ScreenOS
v3.0.1r2.0. Older versions of ScreenOS are likely to be affected as well.

19. NetScreen H.323 Control Session Denial Of Service Vulnerability
BugTraq ID: 6250
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6250
Summary:

NetScreen is a line of Internet security appliances integrating firewall,
VPN and traffic management features. ScreenOS is the software used to
manage and configure the firewall. NetScreen supports Microsoft Windows
95, 98, ME, NT and 2000 clients.

H.323 is a network specification to guarantee a certain QoS (Quality of
Service) for video and audio conferencing applications.

A denial of service vulnerability has been reported for all NetScreen
appliances related to the processing of H.323 control sessions. The
vulnerability is due to inadequate clean up of existing, half-open H.323
control sessions that can eventually result in the consumption of all
firewall session table entries.

This vulnerability has been reported to only affect NetScreen appliance
configurations that explicitly permit the forwarding of H.323 or
Netmeeting traffic.

This vulnerability only affects ScreenOS versions 2.8 and later.

20. phpBB Script Injection Vulnerability
BugTraq ID: 6248
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6248
Summary:

phpBB2 is an open-source web forum application that is written in PHP and
supported by a number of database products. It will run on most Unix and
Linux variants, as well as Microsoft Windows operating systems.

phpBB does not properly sanitize script code from HTML tags embedded in a
forum posting. This vulnerability could allow a user to inject malicious
script code into forum postings that would in turn be executed when the
page is viewed by a legitimate user of the forum. The attacker-supplied
code would be executed in the security context of the phpBB site.

The attacker supplied code would be able to access cookie data, including
authentication credentials, and to take actions on the vulnerable site as
the currently authenticated user.

21. SSH Communications SSH Server Privilege Escalation Vulnerability
BugTraq ID: 6247
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6247
Summary:

Secure Shell is the commercial SSH implementation distributed and
maintained by SSH Communications. It is available for the Unix, Linux, and
Microsoft Windows platforms.

SSH Communications has reported a vulnerability in SSH server, which could
result in local privilege escalation.

The setsid() function is used to create a new process group for forked
processes. It has been reported that SSH server fails to run setsid() on
non-interactive sessions, resulting in user processes in the parent
process group and retaining the 'root' login name.

By executing programs that verify privileges against the login name (for
example, those that rely on the BSD getlogin() function), it may be
possible to execute various actions with escalated privileges.

Exploiting this issue has varied results depending on the operating
system.

For this issue to be exploitable an attacker must have a local account on
the target system.

22. Web Server Creator Web Portal Remote File Include Vulnerability
BugTraq ID: 6251
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6251
Summary:

Web Server Creator is a PHP based portal that includes a forum, chat,
guestbook, and news functions. It operates on Windows, Linux, and Unix
systems.

The Web Server Creator Web Portal is prone to an issue which may allow
remote attackers to include arbitrary files located on remote servers.
This issue is present in the customize.php and index.php scripts.

An attacker may exploit this by supplying a path to a maliciously created
file, located on an attacker-controlled host as a value for the 'l' or
'pg' parameter.

If the remote file is a PHP script, this may allow for execution of
attacker-supplied PHP code with the privileges of the webserver.
Successful exploitation may provide local access to the attacker.

23. NetScreen ScreenOS Predictable Initial TCP Sequence Number Vulnerability
BugTraq ID: 6249
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6249
Summary:

NetScreen is a line of Internet security appliances integrating firewall,
VPN and traffic management features. ScreenOS is the software used to
manage and configure the firewall. NetScreen supports Microsoft Windows
95, 98, ME, NT and 2000 clients.

NetScreen has discovered a vulnerability in the algorithms used by
ScreenOS to generate initial TCP sequence numbers. The ability to predict
TCP sequence numbers may allow a remote attacker to inject packets into a
vulnerable data stream.

It may also be possible for an attacker to launch man-in-the-middle
attacks or hijack network sessions which would allow her to bypass any
necessary authentication procedures.

For this issue to be exploitable the attacker must be able to access
network session traffic, possibly requiring access to a local network.

24. Netscape/Mozilla POP3 Mail Handler Integer Overflow Vulnerability
BugTraq ID: 6254
Remote: Yes
Date Published: Nov 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6254
Summary:

The Netscape Communicator and Mozilla browsers include support for email,
and the ability to fetch mail through a POP3 server. Both products are
available for a range of platforms, including Microsoft Windows and Linux.

An integer overflow vulnerability has been reported for the
Netscape/Mozilla POP3 mail handler routines. These routines are found in
'mozilla/mailnews/local/src/nsPop3Protocol.cpp'. Reportedly, insufficient
checks are performed on some server-supplied values. Specifically, the
value for m_pop3ConData->number_of_messages is not sufficiently checked
for large values.

An attacker may exploit this vulnerability through an attacker-controlled
POP3 server. By issuing a very large integer value that is used by the
Netscape/Mozilla POP3 mail handler, it may be possible to cause the
integer overflow condition and allocate a buffer that is too small. A
buffer overflow condition may result if the malicious attacker-controlled
server attempts to write into the buffer at a location beyond the boundary
of what was actually allocated.

Successful exploitation of this vulnerability may allow an attacker to
obtain control over the execution of the vulnerable Netscape/Mozilla
process.

26. Netscape Java canConvert() Buffer Overflow Vulnerability
BugTraq ID: 6256
Remote: Yes
Date Published: Nov 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6256
Summary:

Netscape Communications Corp.'s Communicator is a popular package that
includes a web browser (Navigator), e-mail client, news client, and
address book.

The Java implementation in Netscape 4 contains an unchecked buffer in the
canConvert() method of the sun.awt.windows.WDefaultFontCharset class.

A malicious Java applet could trigger the overflow by passing a long
string to the class constructor and invoking the canConvert() method on
the newly created instance:

new WDefaultFontCharset(long_string).canConvert('x');

Arbitrary code execution is possible in the security context of the web
browser.

This vulnerability is only reported to affect Netscape 4 browsers running
on Microsoft Windows platforms.

27. Null HTTPD Remote Heap Corruption Vulnerability
BugTraq ID: 6255
Remote: Yes
Date Published: Nov 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6255
Summary:

Null httpd is a small multithreaded web server for Linux and Windows,
maintained by NullLogic. A heap corruption vulnerability has been
discovered in Null httpd.

The ReadPOSTData() function allocates in_ContentLength+1024 into the
pPostData buffer, which is used to receive POST data. The server reads
POST data into the pPostData buffer from a network socket until the data
received is less than 1024 bytes.

Sending over 1024 bytes of POST data will cause the server to read up to
another 1024 bytes from the socket. If a small ContentLength is supplied
by the attacker, it is possible to overflow the allocated buffer while
reading in the second packet of data. This is due to an insufficient loop
parameter while receiving data from the network.

An attacker may exploit this condition to overwrite arbitrary words in
memory through the free() function. This may allow for the execution of
arbitrary code.

It should be noted that this vulnerability is similar to the issue
described in BID 5574, but requires a slightly different method to
trigger.

28. Bugzilla quips Feature Cross Site Scripting Vulnerability
BugTraq ID: 6257
Remote: Yes
Date Published: Nov 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6257
Summary:

Bugzilla is a freely available, open source bug tracking software package.
It is available for Linux, Unix, and Microsoft Operating Systems.

A cross site scripting vulnerability has been reported for Bugzilla. This
vulnerability only affects users who have the 'quips' feature enabled.

The quips feature is designed to put short, user-supplied comments at the
top of bug lists. Reportedly, Bugzilla does not properly sanitize any
input submitted by users.

As a result, it is possible for a remote attacker to create a malicious
link containing script code which will be executed in the browser of a
legitimate user, in the context of the website running Bugzilla.

This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software.

29. FreeNews Include Undefined Variable Command Execution Vulnerability
BugTraq ID: 6258
Remote: Yes
Date Published: Nov 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6258
Summary:

FreeNews is a freely available, open source News software package. It is
written in PHP, and designed for use on Unix and Linux operating systems.

A problem with FreeNews could make command execution possible.

Programming errors in FreeNews could lead to the inclusion of arbitrary
files on remote servers in the web application. It is possible for a
remote user to place commands in these include files that could result in
execution on the local host. This would make remote arbitrary command
execution as the web user possible.

The problem occurs in the aff_news.php file. By loading this file, and
defining the chemin variable to an arbitrary location, commands can be
executed on the local host. This vulnerability may also be used to reveal
sensitive information on the local host.
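Added example for item 24 above (the Netscape/Mozilla POP3 integer overflow). This is not the original post's text and not Mozilla's code: it models how a message count taken from a hostile server's STAT reply, multiplied by a record size in 32-bit arithmetic, wraps to a tiny allocation, and shows the overflow check that refuses such a count. The STAT reply, the msg_info record layout and all function names are constructed for the example; the page only names the number_of_messages value.

```c
/*
 * Model of the integer-overflow allocation described for the Netscape/Mozilla
 * POP3 handler (BID 6254). Added example, not Mozilla's code: the message
 * count comes from a constructed, attacker-controlled STAT reply and is
 * multiplied by a record size to size a table. The arithmetic is forced into
 * uint32_t so the wrap-around is identical on 32- and 64-bit hosts.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed per-message record; the real field layout is not given above. */
typedef struct { uint32_t octets; uint32_t flags; } msg_info;   /* 8 bytes */

/* Parse <count> from a POP3 STAT reply "+OK <count> <octets>", the value
 * the advisory calls number_of_messages. Returns 1 on success, 0 if the
 * reply is malformed (wrong status, sign, non-digits, or beyond 32 bits). */
int parse_stat_count(const char *reply, uint32_t *count) {
    const char *p;
    char *end;
    unsigned long v;
    if (strncmp(reply, "+OK ", 4) != 0) return 0;
    p = reply + 4;
    if (*p == '-' || *p == '+') return 0;   /* strtoul would silently accept a sign */
    errno = 0;
    v = strtoul(p, &end, 10);
    if (errno != 0 || end == p) return 0;
    if (*end != ' ' && *end != '\r' && *end != '\n' && *end != '\0') return 0;
    if (v > UINT32_MAX) return 0;
    *count = (uint32_t)v;
    return 1;
}

/* Vulnerable sizing: count * sizeof(record) in 32-bit arithmetic. For
 * count = 0x20000001 the product is 2^32 + 8 and wraps to 8, so the table
 * holds one entry while the client goes on to fill half a billion. */
uint32_t table_bytes_unchecked(uint32_t count) {
    return count * (uint32_t)sizeof(msg_info);
}

/* Checked sizing: reject any count whose product cannot be represented.
 * Returns 1 and stores the byte count, or 0 without allocating anything. */
int table_bytes_checked(uint32_t count, uint32_t *bytes) {
    if (count > UINT32_MAX / (uint32_t)sizeof(msg_info)) return 0;
    *bytes = count * (uint32_t)sizeof(msg_info);
    return 1;
}

/* Would writing `count` records stay inside a table of `allocated` bytes?
 * Computed in 64 bits so the question itself cannot wrap. */
int table_fits(uint32_t count, uint32_t allocated) {
    return (uint64_t)count * sizeof(msg_info) <= (uint64_t)allocated;
}

int main(void) {
    /* Constructed hostile STAT reply: 536870913 == 0x20000001 messages. */
    const char *hostile = "+OK 536870913 4096\r\n";
    uint32_t n, bytes;
    if (!parse_stat_count(hostile, &n)) return 1;
    printf("count=%u unchecked table=%u bytes, fits=%d\n",
           n, table_bytes_unchecked(n), table_fits(n, table_bytes_unchecked(n)));
    printf("checked sizing accepted=%d\n", table_bytes_checked(n, &bytes));
    return 0;
}
```

The point of doing the multiplication in uint32_t rather than size_t is to make the wrap reproducible on a 64-bit build; the same check (compare the count against UINT32_MAX divided by the element size before multiplying) is what the client needed before trusting a server-supplied count.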
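Added example for item 27 above (the Null httpd ReadPOSTData() heap corruption). This is not the original post's text and not Null httpd's source: it models the loop the advisory describes (buffer of in_ContentLength+1024 bytes, read until a recv() returns fewer than 1024 bytes) against a constructed in-memory byte stream, and places the bounded loop beside it. Where the real server would write past its heap block, the model stops and flags the overflow so it can run safely; fake_socket, run_case and the rest of the names are invented for the example.

```c
/*
 * Model of the ReadPOSTData() flaw described for Null httpd (BID 6255).
 * This is an added example, not Null httpd's source: the socket is a
 * constructed in-memory byte stream, and where the real code would write
 * past the heap block the model stops and flags the overflow instead.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK 1024   /* the per-recv() read size named in the advisory */

/* Constructed stand-in for a socket: each fake_recv() returns up to `want`
 * bytes of a fixed body, like a peer delivering it segment by segment. */
typedef struct { const unsigned char *data; size_t len; size_t pos; } fake_socket;

static size_t fake_recv(fake_socket *s, unsigned char *out, size_t want) {
    size_t n = s->len - s->pos;
    if (n > want) n = want;
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return n;
}

typedef struct { size_t written; int overflow; } post_result;

/* Vulnerable shape: the buffer is in_ContentLength + CHUNK bytes, but the loop
 * runs until a recv() returns fewer than CHUNK bytes, so the client's body
 * length, not Content-Length, decides how much gets written. */
post_result read_post_vulnerable(fake_socket *s, uint32_t content_length) {
    size_t alloc = (size_t)content_length + CHUNK;
    unsigned char *buf = malloc(alloc);
    unsigned char chunk[CHUNK];
    post_result r = { 0, 0 };
    size_t got;
    do {
        got = fake_recv(s, chunk, CHUNK);
        if (r.written + got > alloc) {       /* real code memcpy()s here: heap corruption */
            r.overflow = 1;
            break;
        }
        memcpy(buf + r.written, chunk, got);
        r.written += got;
    } while (got == CHUNK);
    free(buf);
    return r;
}

/* Hardened shape: the loop is bounded by Content-Length and each read asks
 * only for the space still free, so the allocation can never be exceeded. */
post_result read_post_fixed(fake_socket *s, uint32_t content_length) {
    size_t alloc = (size_t)content_length + CHUNK;
    unsigned char *buf = malloc(alloc);
    post_result r = { 0, 0 };
    while (r.written < content_length) {
        size_t want = content_length - r.written;
        size_t got;
        if (want > CHUNK) want = CHUNK;
        got = fake_recv(s, buf + r.written, want);
        if (got == 0) break;                 /* peer closed early: short body, not an overflow */
        r.written += got;
    }
    r.overflow = r.written > alloc;          /* always 0 by construction */
    free(buf);
    return r;
}

/* Constructed case: a client claims `content_length` but sends `body_len`
 * bytes of 'A'. Returns what the chosen loop did. */
post_result run_case(size_t body_len, uint32_t content_length, int use_fixed) {
    static unsigned char body[8192];
    fake_socket s;
    memset(body, 'A', sizeof body);
    if (body_len > sizeof body) body_len = sizeof body;
    s.data = body; s.len = body_len; s.pos = 0;
    return use_fixed ? read_post_fixed(&s, content_length)
                     : read_post_vulnerable(&s, content_length);
}

int main(void) {
    post_result v = run_case(3000, 10, 0);   /* Content-Length: 10, body 3000 bytes */
    post_result f = run_case(3000, 10, 1);
    printf("vulnerable: wrote %zu bytes, overflow=%d\n", v.written, v.overflow);
    printf("fixed:      wrote %zu bytes, overflow=%d\n", f.written, f.overflow);
    return 0;
}
```

With Content-Length 10 the vulnerable loop accepts the first 1024-byte read into its 1034-byte block and would then copy a second full chunk past the end; the bounded loop reads ten bytes and stops. A body of exactly 3000 bytes with a matching Content-Length passes through both loops intact, which is why the bug went unnoticed under well-formed clients.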
 
Old 12-03-2002, 12:41 PM   #3
unSpawn
Moderator
 
Dec 02nd 2002 (ISS)

Internet Security Systems

Date Reported: 11/19/2002
Brief Description: iPlanet (Sun ONE) Web Server admin error log cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: HP-UX Any version, Solaris Any version, Windows NT
Any version, Windows 2000 Any version, iPlanet Web
Server 4.1, Sun ONE Web Server 4.1
Vulnerability: iplanet-admin-log-xss
X-Force URL: http://www.iss.net/security_center/static/10692.php

Date Reported: 11/19/2002
Brief Description: iPlanet (Sun ONE) Web Server admin Perl scripts
concat() command execution
Risk Factor: Medium
Attack Type: Network Based
Platforms: HP-UX Any version, Solaris Any version, Windows NT
Any version, Windows 2000 Any version, iPlanet Web
Server 4.1, Sun ONE Web Server 4.1
Vulnerability: iplanet-perl-command-execution
X-Force URL: http://www.iss.net/security_center/static/10693.php

Date Reported: 11/19/2002
Brief Description: BIND multiple simultaneous resource record (RR)
queries could allow DNS spoofing
Risk Factor: Medium
Attack Type: Network Based
Platforms: BIND 8.2.x, BIND 4.9.x, BIND 8.3.x
Vulnerability: bind-rr-dns-spoofing
X-Force URL: http://www.iss.net/security_center/static/10704.php

Date Reported: 11/20/2002
Brief Description: tcpdump sizeof operator memory corruption
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Caldera OpenLinux Server 3.1,
Caldera OpenLinux Workstation 3.1, Caldera
OpenLinux Server 3.1.1, Caldera OpenLinux
Workstation 3.1.1, tcpdump 3.6.2 and earlier
Vulnerability: tcpdump-sizeof-memory-corruption
X-Force URL: http://www.iss.net/security_center/static/10695.php

Date Reported: 11/20/2002
Brief Description: OpenBSD syslogd could report the incorrect host IP
Risk Factor: Low
Attack Type: Host Based
Platforms: OpenBSD 3.2, OpenBSD 2.9, OpenBSD 3.0, OpenBSD 3.1
Vulnerability: openbsd-syslogd-incorrect-reporting
X-Force URL: http://www.iss.net/security_center/static/10702.php

Date Reported: 11/21/2002
Brief Description: Multiple vendor Java bytecode verifier can be used
to bypass Java security restrictions
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Microsoft Internet Explorer 4.0, Microsoft
Internet Explorer 4.01, Microsoft Internet Explorer
5.0, Microsoft Internet Explorer 5.01, Microsoft
Internet Explorer 5.5, Microsoft Internet Explorer
6.0, Netscape Communicator 4.0 to 4.8, Sun JDK 1.1
to 1.4, Microsoft Virtual Machine 3805 series,
Microsoft Virtual Machine 3802 series
Vulnerability: java-bytecode-verifier-bypass
X-Force URL: http://www.iss.net/security_center/static/10713.php

Date Reported: 11/21/2002
Brief Description: Netscape Java implementation has insecure system
classes
Risk Factor: Medium
Attack Type: Network Based
Platforms: Windows Any version, Unix Any version, Netscape
Communicator 4.0 to 4.8
Vulnerability: netscape-java-insecure-classes
X-Force URL: http://www.iss.net/security_center/static/10714.php

Date Reported: 11/23/2002
Brief Description: vBulletin member2.php $perpage cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: vBulletin 2.2.9 and earlier, Linux Any version,
Windows Any version, Unix Any version
Vulnerability: vbulletin-member2-perpage-xss
X-Force URL: http://www.iss.net/security_center/static/10701.php

Date Reported: 11/24/2002
Brief Description: Calisto denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Calisto 0.04 and earlier
Vulnerability: calisto-dos
X-Force URL: http://www.iss.net/security_center/static/10694.php

Date Reported: 11/24/2002
Brief Description: PHP-Nuke fetch.php script cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, PHP-Nuke 6.5b1 and earlier
Vulnerability: phpnuke-fetch-xss
X-Force URL: http://www.iss.net/security_center/static/10697.php

Date Reported: 11/24/2002
Brief Description: pServ (pico Server) long POST request denial of
service
Risk Factor: Low
Attack Type: Network Based
Platforms: AIX Any version, Linux Any version, NetBSD Any
version, pServ 2.0 beta 3 and prior
Vulnerability: pserv-post-request-dos
X-Force URL: http://www.iss.net/security_center/static/10698.php

Date Reported: 11/25/2002
Brief Description: Sun Solaris fs.auto buffer overflow could allow an
attacker to execute code
Risk Factor: High
Attack Type: Network Based
Platforms: Solaris 2.5.1, Solaris 2.6, Solaris 7, Solaris 8,
Solaris 9
Vulnerability: solaris-fsauto-execute-code
X-Force URL: http://www.iss.net/security_center/static/10375.php

Date Reported: 11/25/2002
Brief Description: Web Server Creator could allow an attacker to
include PHP files
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Web Server
Creator 0.1
Vulnerability: webservercreator-php-file-include
X-Force URL: http://www.iss.net/security_center/static/10689.php

Date Reported: 11/25/2002
Brief Description: phpBB forum message cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, phpBB 2.0.3
Vulnerability: phpbb-forum-msg-xss
X-Force URL: http://www.iss.net/security_center/static/10696.php

Date Reported: 11/25/2002
Brief Description: NetScreen fragmented request can bypass URL
blocking
Risk Factor: Medium
Attack Type: Network Based
Platforms: NetScreen 100, ScreenOS 2.7.1, ScreenOS 2.8,
ScreenOS 3.0, ScreenOS 3.1, ScreenOS 4.0
Vulnerability: netscreen-fragmented-url-bypass
X-Force URL: http://www.iss.net/security_center/static/10699.php

Date Reported: 11/25/2002
Brief Description: NetScreen H.323 denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: ScreenOS 2.8, ScreenOS 3.0, ScreenOS 3.1, ScreenOS
4.0
Vulnerability: netscreen-h323-dos
X-Force URL: http://www.iss.net/security_center/static/10700.php

Date Reported: 11/25/2002
Brief Description: SSH insecure setsid() call could allow elevated
privileges
Risk Factor: Medium
Attack Type: Host Based
Platforms: AIX Any version, BSD Any version, Linux Any
version, Solaris Any version, SSH 2.0.13 to 3.2.1
Vulnerability: ssh-setsid-privilege-elevation
X-Force URL: http://www.iss.net/security_center/static/10710.php

Date Reported: 11/25/2002
Brief Description: WsMp3 Web_server multiple buffer overflows
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Web_server
0.0.6 and earlier
Vulnerability: wsmp3-multiple-bo
X-Force URL: http://www.iss.net/security_center/static/10730.php

Date Reported: 11/26/2002
Brief Description: Bugzilla quips feature cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: BSD Any version, Linux Any version, Windows Any
version, Unix Any version, Bugzilla 2.10 and
earlier
Vulnerability: bugzilla-quips-xss
X-Force URL: http://www.iss.net/security_center/static/10707.php

Date Reported: 11/26/2002
Brief Description: Freenews aff_news.php could allow an attacker to
include remote PHP files
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Freenews 2.1
Vulnerability: freenews-php-file-include
X-Force URL: http://www.iss.net/security_center/static/10708.php

Date Reported: 11/26/2002
Brief Description: News Evolution could allow an attacker to include
remote PHP files
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, News Evolution 1.0, News Evolution 2.0
Vulnerability: newsevolution-php-file-include
X-Force URL: http://www.iss.net/security_center/static/10709.php

Date Reported: 11/26/2002
Brief Description: Sybase Adaptive Server xp_freedll long DLL file
name buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Unix Any version, Macintosh Any version, Sybase
Adaptive Server 12.0, Sybase Adaptive Server 12.5
Vulnerability: sybase-xpfreedll-dll-bo
X-Force URL: http://www.iss.net/security_center/static/10719.php

Date Reported: 11/27/2002
Brief Description: LIB CGI libcgi.h file "changevalue" parameter
buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Unix Any version, LIB CGI 0.1, Linux Any version
Vulnerability: libcgi-libcgih-changevalue-bo
X-Force URL: http://www.iss.net/security_center/static/10715.php

Date Reported: 11/27/2002
Brief Description: Solaris priocntl(2) pc_clname argument could allow
an attacker to load modules
Risk Factor: High
Attack Type: Host Based
Platforms: Unix Any version, Solaris 2.5.1, Solaris 2.6,
Solaris 7, Solaris 8, Solaris 9
Vulnerability: solaris-priocntl-pcclname-modules
X-Force URL: http://www.iss.net/security_center/static/10717.php

Date Reported: 11/27/2002
Brief Description: ImageFolio imageFolio.cgi or nph-build.cgi script
cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, ImageFolio
3.0.1 and earlier
Vulnerability: imagefolio-imagefolio-nphbuild-xss
X-Force URL: http://www.iss.net/security_center/static/10718.php

Date Reported: 11/27/2002
Brief Description: Sybase Adaptive Server DROP DATABASE buffer
overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Unix Any version, Macintosh Any version, Sybase
Adaptive Server 12.0, Sybase Adaptive Server 12.5
Vulnerability: sybase-drop-database-bo
X-Force URL: http://www.iss.net/security_center/static/10720.php

Date Reported: 11/27/2002
Brief Description: Sybase Adaptive Server DBCC CHECKVERIFY buffer
overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Unix Any version, Macintosh Any version, Sybase
Adaptive Server 12.0, Sybase Adaptive Server 12.5
Vulnerability: sybase-dbcc-checkverify-bo
X-Force URL: http://www.iss.net/security_center/static/10721.php

Date Reported: 11/27/2002
Brief Description: pWins Web server "dot dot" directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, pWins 0.2.5
and earlier
Vulnerability: pwins-dotdot-directory-traversal
X-Force URL: http://www.iss.net/security_center/static/10724.php

Date Reported: 11/28/2002
Brief Description: LIBCGI cgi_lib.c source file parse_field() function
buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, LIBCGI 1.0.2,
LIBCGI 1.0.3
Vulnerability: libcgi-cgilibc-parsefield-bo
X-Force URL: http://www.iss.net/security_center/static/10722.php

Date Reported: 11/28/2002
Brief Description: bogofilter contrib/bogopass tmp file symlink
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, Unix Any version, bogofilter
0.9.0.4
Vulnerability: bogofilter-bogopass-symlink
X-Force URL: http://www.iss.net/security_center/static/10726.php
 
Old 12-06-2002, 06:52 PM   #4
unSpawn
Moderator
Original Poster
Dec 6th 2002 (LAW)

Linux Advisory Watch

Package: RPC XDR
Date: 12-04-2002
Description:
The implementation of xdr_array can be tricked into writing beyond the
buffers it allocated when deserializing the XDR stream.
Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2637.html

Package: ypserv
Date: 12-04-2002
Description:
Requesting a map that doesn't exist will cause a memory leak in the
server.
Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2638.html


Package: pine
Date: 12-04-2002
Description:
By exploiting this, an attacker can prevent the pine user from starting the
program to manage his/her mailbox. It was not confirmed if it is possible
to execute arbitrary code by exploiting this vulnerability, but such a
possibility exists.
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2639.html
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2618.html
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2631.html

Package: freeswan
Date: 12-02-2002
Description:
Bindview discovered a problem in several IPSEC implementations that do not
properly handle certain very short packets. IPSEC is a set of security
extensions to IP which provide authentication and encryption. FreeS/WAN in
Debian is affected by this and is said to cause a kernel panic.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2628.html

Package: im
Date: 12-03-2002
Description:
The impwagent program creates a temporary directory in an insecure manner
in /tmp, using predictable directory names without checking the return code
of mkdir, so it is possible to seize permissions on the temporary
directory via local access as another user.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2630.html

Package: smb2www
Date: 12-04-2002
Description:
Robert Luberda found a security problem in smb2www, a Windows Network
client that is accessible through a web browser. This could lead a remote
attacker to execute arbitrary programs under the user id www-data on the
host where smb2www is running.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2636.html

Package: kdelibs
Date: 12-05-2002
Description:
The KDE team has discovered a vulnerability in the support for various
network protocols via the KIO. The implementation of the rlogin and telnet
protocols allows a carefully crafted URL in an HTML page, HTML email or
other KIO-enabled application to execute arbitrary commands on the system
using the victim's account on the vulnerable machine.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2640.html

Package: windowmaker
Date: 12-05-2002
Description:
Al Viro discovered a vulnerability in the WindowMaker window manager. A
function used to load images, for example when configuring a new
background image or previewing themes, contains a buffer overflow. The
function calculates the amount of memory necessary to load the image by
doing some multiplication but does not check the results of this
multiplication, which may not fit into the destination variable, resulting
in a buffer overflow when the image is loaded.
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2632.html

Package: xinetd
Date: 12-05-2002
Description:
Versions of Xinetd prior to 2.3.7 leak file descriptors for the signal
pipe to services that are launched by xinetd. This could allow an attacker
to execute a DoS attack via the pipe. The Common Vulnerabilities and
Exposures project has assigned the name CAN-2002-0871 to this issue.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2629.html

Package: webalizer
Date: 12-02-2002
Description:
A buffer overflow in Webalizer versions prior to 2.01-10, when configured
to use reverse DNS lookups, may allow remote attackers to execute
arbitrary code by connecting to the monitored Web server from an IP
address that resolves to a long hostname.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2634.html

Package: kdelibs
Date: 12-02-2002
Description:
A number of vulnerabilities have been found that affect various versions
of KDE. This errata provides updates which resolve these issues.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2635.html
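The windowmaker entry (an image size computed by multiplication whose result is never checked) and the RPC XDR entry (xdr_array writing past the buffer it sized) in the LAW post above are the same bug class: an allocation size that wraps around in 32-bit arithmetic. The following is an added example, not WindowMaker's or the RPC library's own code, showing the unchecked calculation beside a checked one; the function names and the 32769 x 32768 x 4 header are constructed for illustration.

```c
/* Added example (not WindowMaker or libc/RPC code): an allocation size
 * computed by multiplication, unchecked versus checked. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Multiply two 32-bit values, refusing a product that does not fit in 32
 * bits. Returns 0 and stores the product on success, -1 on wrap-around. */
static int mul32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Vulnerable pattern: size = width * height * channels in a 32-bit unsigned
 * type. A crafted header with large dimensions wraps the product to a small
 * number, malloc() hands back a small buffer, and the decoder then writes
 * the full (unwrapped) amount of pixel data into it: a heap overflow. */
uint32_t unchecked_image_size(uint32_t width, uint32_t height, uint32_t channels)
{
    return width * height * channels;   /* silently wraps modulo 2^32 */
}

/* Hardened: every multiplication is checked. Returns the byte count, or 0
 * if the dimensions are not representable; the caller treats 0 as "refuse
 * this file" rather than as a valid allocation size. */
uint32_t image_alloc_size(uint32_t width, uint32_t height, uint32_t channels)
{
    uint32_t area, total;
    if (mul32_checked(width, height, &area) != 0 ||
        mul32_checked(area, channels, &total) != 0)
        return 0;
    return total;
}

/* The xdr_array shape of the same bug: an element count taken from the
 * wire times the element size. Same check, 0 on wrap-around. */
uint32_t xdr_array_bytes(uint32_t count, uint32_t elsize)
{
    uint32_t total;
    return mul32_checked(count, elsize, &total) == 0 ? total : 0;
}

/* Returns 1 if the unchecked loader would allocate fewer bytes than the
 * decoder later copies (the overflow condition), 0 otherwise. The "needed"
 * side is computed in 64 bits only so the comparison is honest. */
int unchecked_loader_overflows(uint32_t width, uint32_t height, uint32_t channels)
{
    uint64_t needed = (uint64_t)width * height * channels;
    return (uint64_t)unchecked_image_size(width, height, channels) < needed;
}

int main(void)
{
    /* Constructed header: 32769 x 32768 x 4 = 4295098368 bytes, which wraps
     * to 131072 when computed in 32 bits. */
    printf("unchecked size: %u (overflow: %d)\n",
           unchecked_image_size(32769, 32768, 4),
           unchecked_loader_overflows(32769, 32768, 4));
    printf("checked size:   %u (0 = rejected)\n",
           image_alloc_size(32769, 32768, 4));
    printf("640x480x3 checked: %u\n", image_alloc_size(640, 480, 3));
    return 0;
}
```

The check has to happen before the allocation, on the same width of integer the size will be stored in; recomputing the product in 64 bits for the comparison only works on platforms where the wider type exists, whereas the division test in mul32_checked is portable and cheap.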
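The bogofilter contrib/bogopass tmp file symlink entry in the ISS list and the im impwagent entry above describe the same /tmp race: a temporary name another local user can predict and pre-plant, with the creation result not checked. The following is an added example, not code from bogofilter, im or any vendor advisory, showing the predictable-name pattern next to mkstemp()/mkdtemp() and demonstrating, in a private scratch directory, why O_EXCL and a checked return value matter. The prefixes, the "victim" file and the scratch directory under /tmp are made up for illustration.

```c
/* Added example (not bogofilter or im code): /tmp name races, vulnerable
 * pattern beside the hardened calls. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: a predictable name built from a prefix and the pid,
 * opened with O_CREAT but without O_EXCL. If another local user planted a
 * symlink at that name first, open() follows it and we create or truncate
 * the link's target with our own uid. */
static int predictable_tmp_open(const char *dir, const char *prefix)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s.%ld", dir, prefix, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened file: mkstemp() picks an unpredictable suffix and opens with
 * O_CREAT|O_EXCL|O_RDWR, mode 0600, so an existing entry (file or symlink)
 * fails the call instead of being reused. The chosen path is left in out. */
static int safe_tmp_open(const char *dir, const char *prefix, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s.XXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return mkstemp(out);
}

/* Hardened directory (the impwagent case): mkdtemp() creates the directory
 * with mode 0700 under an unpredictable name. Its return value must be
 * checked; an unchecked mkdir() is what let the program carry on using a
 * directory another user already owned. */
static int safe_tmp_dir(const char *dir, const char *prefix, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s.XXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return mkdtemp(out) == NULL ? -1 : 0;
}

/* Runs the demonstration in a private scratch directory under base and
 * returns a bitmask: bit 0 = the predictable open wrote through the planted
 * symlink, bit 1 = O_EXCL refused that same symlink, bit 2 = mkdtemp gave
 * us a 0700 directory, bit 3 = mkstemp created a fresh file. 15 means every
 * check behaved as described; -1 means no scratch directory could be made. */
int run_tmp_race_demo(const char *base)
{
    char work[PATH_MAX], link[PATH_MAX], victim[PATH_MAX], tmp[PATH_MAX];
    struct stat st;
    int result = 0, fd;

    if (safe_tmp_dir(base, "lqdemo", work, sizeof work) != 0)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", work);
    snprintf(link, sizeof link, "%s/bogopass.%ld", work, (long)getpid());

    /* The "attacker" plants a symlink at the name the program will compute. */
    if (symlink(victim, link) == 0) {
        fd = predictable_tmp_open(work, "bogopass");
        if (fd >= 0) {
            if (write(fd, "pwned\n", 6) == 6 && stat(victim, &st) == 0 && st.st_size == 6)
                result |= 1;            /* our data landed in the link target */
            close(fd);
        }
        /* Same name with O_EXCL: fails with EEXIST because the link exists. */
        fd = open(link, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0)
            result |= 2;
        else
            close(fd);
    }

    fd = safe_tmp_open(work, "bogopass", tmp, sizeof tmp);
    if (fd >= 0) {
        result |= 8;
        close(fd);
        unlink(tmp);
    }
    if (stat(work, &st) == 0 && S_ISDIR(st.st_mode) && (st.st_mode & 0777) == 0700)
        result |= 4;

    unlink(victim);
    unlink(link);
    rmdir(work);
    return result;
}

int main(void)
{
    printf("result: %d (15 = all checks as expected)\n", run_tmp_race_demo("/tmp"));
    return 0;
}
```

The demo runs inside its own mkdtemp() directory so it never touches a real world-writable /tmp name; in a real sticky /tmp the attacker would plant the symlink there, and only the O_EXCL (or mkstemp/mkdtemp) call, not the choice of name alone, closes the window.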