LinuxQuestions.org
Old 11-04-2002, 08:57 PM   #1
unSpawn
Moderator
 
LQ weekly security rep - Mon Nov 04th 2002


Nov 8th 2002
16 issues handled (LAW)
log2mail
apache
luxman
wmaker
squirrelmail
IPFilter
perl-MailTools
glibc
kerberos
heartbeat
dvips
krb5
gv
tar/unzip
ypserv
linuxconf

Nov 04th 2002
21 of 40 issues handled (SF)
3. Benjamin Lefevre Dobermann Forum Remote File Include Vulnerability
4. phpBB2 Unauthorized Administrative Access Vulnerability
5. MailReader.com NPH-MR.CGI File Disclosure Vulnerability
6. MailReader.com Remote Command Execution Vulnerability
8. Sun Solaris Web-Based Enterprise Management Insecure Default File Permissions Vulnerability
9. SonicWall Content Filtering Software URL Filter Bypassing Vulnerability
10. Arescom NetDSL-800 Firmware Undocumented Username/Password Weakness
11. GTetrinet Multiple Remote Buffer Overflow Vulnerabilities
12. Apache 2 WebDAV CGI POST Request Information Disclosure Vulnerability
22. LPRNG runlpr Local Privilege Escalation Vulnerability
23. LPRNG html2ps Remote Command Execution Vulnerability
30. Oracle 9i Database Server Malformed USERID Buffer Overflow Vulnerability
31. Linksys BEFSR41 Gozila.CGI Denial Of Service Vulnerability
32. Jason Orcutt Prometheus Remote File Include Vulnerability
33. PHP-Nuke 5.6 Modules.PHP SQL Injection Vulnerability
34. Michael Krax log2mail Remote Buffer Overflow Vulnerability
35. ION Script Remote File Disclosure Vulnerability
36. Multiple Vendor Access Point Embedded HTTP Server Denial of Service Vulnerability
37. Iomega NAS A300U CIFS/SMB Mounts Plaintext Authentication Vulnerability
38. Iomega NAS A300U Plaintext NAS Administration Credentials Vulnerability
39. Abuse Local Buffer Overflow Vulnerability

Nov 04th 2002
22 of 42 issues handled (ISS)
Mojo Mail mojo.cgi script cross-site scripting
Solaris 8 kmem_flags 0x02 kernel bit denial of
phpBB admin_ug_auth.php script could allow
Dobermann could allow an attacker to include PHP
Mailreader.com "dot dot" directory traversal
Mailreader.com compose.cgi script could allow an
Solaris 8 WBEM installation creates insecure files
NetDSL-800 included with MSN DSL services provides
GTetrinet multiple functions buffer overflows
Motorola Surfboard 4200 cable modem port scan
Linksys EtherFast gozila.cgi remote management
Prometheus could allow an attacker to execute
PHP-Nuke account manager module SQL injection
Abuse -net command-line argument buffer overflow
Oracle9i Database Server iSQL*Plus USERID buffer
LPRng runlpr could allow an attacker to gain local
LPRng html2ps print filter could allow remote
Monkey HTTP Daemon malformed HTTP POST denial of
Iomega NAS A300U stores administrative password
Iomega NAS A300U man-in-the-middle attack
log2mail log file buffer overflow
NetScreen-25 remote SSH request denial of service

//note: if you're near a Cisco ONS15.* check out the report URIs for 6 vulns.

Last edited by unSpawn; 11-11-2002 at 07:54 AM.
 
Old 11-04-2002, 08:58 PM   #2
unSpawn
Moderator
 
Nov 04th 2002 (ISS)

Internet Security Systems

Date Reported: 10/24/2002
Brief Description: Mojo Mail mojo.cgi script cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Mojo Mail 2.7
Vulnerability: mojo-mail-mojo-xss
X-Force URL: http://www.iss.net/security_center/static/10477.php

Date Reported: 10/24/2002
Brief Description: Solaris 8 kmem_flags 0x02 kernel bit denial of
service
Risk Factor: Low
Attack Type: Host Based
Platforms: Solaris 8
Vulnerability: solaris-kmem-flags-dos
X-Force URL: http://www.iss.net/security_center/static/10496.php

Date Reported: 10/27/2002
Brief Description: phpBB admin_ug_auth.php script could allow
unauthorized administrative privileges
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, phpBB 2.0
Vulnerability: phpbb-adminugauth-admin-privileges
X-Force URL: http://www.iss.net/security_center/static/10489.php

Date Reported: 10/27/2002
Brief Description: Dobermann could allow an attacker to include PHP
files
Risk Factor: Medium
Attack Type: Network Based
Platforms: Windows Any version, Dobermann 0.5
Vulnerability: dobermann-php-file-include
X-Force URL: http://www.iss.net/security_center/static/10492.php

Date Reported: 10/28/2002
Brief Description: Mailreader.com "dot dot" directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Mailreader.com 2.3.31 and earlier
Vulnerability: mailreader-dotdot-directory-traversal
X-Force URL: http://www.iss.net/security_center/static/10490.php

Date Reported: 10/28/2002
Brief Description: Mailreader.com compose.cgi script could allow an
attacker to execute commands
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Mailreader.com 2.3.31 and earlier
Vulnerability: mailreader-compose-command-execution
X-Force URL: http://www.iss.net/security_center/static/10491.php

Date Reported: 10/28/2002
Brief Description: Solaris 8 WBEM installation creates insecure files
Risk Factor: Medium
Attack Type: Host Based
Platforms: Solaris 8
Vulnerability: solaris-wbem-files-insecure
X-Force URL: http://www.iss.net/security_center/static/10495.php

Date Reported: 10/29/2002
Brief Description: NetDSL-800 included with MSN DSL services provides
a default username and password
Risk Factor: Medium
Attack Type: Network Based
Platforms: NetDSL ADSL Modem 800 series
Vulnerability: netdsl-msn-default-account
X-Force URL: http://www.iss.net/security_center/static/10498.php

Date Reported: 10/29/2002
Brief Description: GTetrinet multiple functions buffer overflows
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, GTetrinet
prior to 0.4.4
Vulnerability: gtetrinet-multiple-functions-bo
X-Force URL: http://www.iss.net/security_center/static/10511.php

Date Reported: 10/30/2002
Brief Description: Motorola Surfboard 4200 cable modem port scan
denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Motorola Surfboard 4200
Vulnerability: motorola-surfboard-portscan-dos
X-Force URL: http://www.iss.net/security_center/static/10513.php

Date Reported: 10/31/2002
Brief Description: Linksys EtherFast gozila.cgi remote management
interface denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linksys EtherFast BEFSR41 prior to 1.42.7
Vulnerability: linksys-etherfast-gozila-dos
X-Force URL: http://www.iss.net/security_center/static/10514.php

Date Reported: 10/31/2002
Brief Description: Prometheus could allow an attacker to execute
remote PHP code
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Prometheus 6.0, Prometheus 4.0-beta,
Prometheus 3.0-beta
Vulnerability: prometheus-php-file-include
X-Force URL: http://www.iss.net/security_center/static/10515.php

Date Reported: 10/31/2002
Brief Description: PHP-Nuke account manager module SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Unix Any version, PHP-Nuke 5.6
Vulnerability: phpnuke-accountmanager-sql-injection
X-Force URL: http://www.iss.net/security_center/static/10516.php

Date Reported: 10/31/2002
Brief Description: Abuse -net command-line argument buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Abuse 2.00
Vulnerability: abuse-net-command-bo
X-Force URL: http://www.iss.net/security_center/static/10519.php

Date Reported: 10/31/2002
Brief Description: Oracle9i Database Server iSQL*Plus USERID buffer
overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Oracle9i Database Server 9.0.x, Oracle9i Database
Server 9.2.0.1, Oracle9i Database Server 9.2.0.2
Vulnerability: oracle-isqlplus-userid-bo
X-Force URL: http://www.iss.net/security_center/static/10524.php

Date Reported: 10/31/2002
Brief Description: LPRng runlpr could allow an attacker to gain local
root privileges
Risk Factor: High
Attack Type: Host Based
Platforms: SuSE Linux 7.0, SuSE Linux 7.1, SuSE Linux 7.2,
SuSE Linux 7.3, SuSE Linux 8.0, LPRng Any version,
SuSE Linux 8.1
Vulnerability: lprng-runlpr-gain-privileges
X-Force URL: http://www.iss.net/security_center/static/10525.php

Date Reported: 10/31/2002
Brief Description: LPRng html2ps print filter could allow remote
command execution
Risk Factor: High
Attack Type: Network Based
Platforms: SuSE Linux 7.0, SuSE Linux 7.1, SuSE Linux 7.2,
SuSE Linux 7.3, SuSE Linux 8.0, LPRng Any version,
SuSE Linux 8.1
Vulnerability: lprng-html2ps-command-execution
X-Force URL: http://www.iss.net/security_center/static/10526.php

Date Reported: 10/31/2002
Brief Description: Monkey HTTP Daemon malformed HTTP POST denial of
service
Risk Factor: Low
Attack Type: Network Based
Platforms: Monkey HTTP Daemon prior to 0.5.1, Linux Any
version
Vulnerability: monkey-http-post-dos
X-Force URL: http://www.iss.net/security_center/static/10529.php

Date Reported: 11/01/2002
Brief Description: Iomega NAS A300U stores administrative password
in plain text
Risk Factor: Medium
Attack Type: Network Based
Platforms: Unix Any version, Iomega NAS A300U Any version
Vulnerability: iomega-plaintext-administrative-password
X-Force URL: http://www.iss.net/security_center/static/10521.php

Date Reported: 11/01/2002
Brief Description: Iomega NAS A300U man-in-the-middle attack
Risk Factor: Medium
Attack Type: Network Based
Platforms: Unix Any version, Iomega NAS A300U Any version
Vulnerability: iomega-nas-a300u-mitm
X-Force URL: http://www.iss.net/security_center/static/10523.php

Date Reported: 11/01/2002
Brief Description: log2mail log file buffer overflow
Risk Factor: High
Attack Type: Host Based / Network Based
Platforms: Debian Linux 3.0, log2mail prior to 0.2.5.1
Vulnerability: log2mail-log-file-bo
X-Force URL: http://www.iss.net/security_center/static/10527.php

Date Reported: 11/01/2002
Brief Description: NetScreen-25 remote SSH request denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: NetScreen 25
Vulnerability: netscreen-ssh-dos
X-Force URL: http://www.iss.net/security_center/static/10528.php
 
Old 11-04-2002, 09:01 PM   #3
unSpawn
Moderator
 
Nov 04th 2002 (SF)

SecurityFocus

3. Benjamin Lefevre Dobermann Forum Remote File Include Vulnerability
BugTraq ID: 6057
Remote: Yes
Date Published: Oct 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6057
Summary:

Dobermann Forum is a Web forum implemented in PHP. It is available for Unix
and Linux variants as well as Microsoft Windows operating systems.

Dobermann Forum is prone to an issue which may allow remote attackers to
include arbitrary files located on remote servers. This issue is present in
the following PHP script files provided with Dobermann Forum:
entete.php
enteteacceuil.php
topic/entete.php
index.php
newtopic.php

An attacker may exploit this by supplying a path to a maliciously created
'banniere.php' file, located on an attacker-controlled host as a value for
the 'subpath' parameter.

If the remote file is a PHP script, this may allow for execution of
attacker-supplied PHP code with the privileges of the webserver. Successful
exploitation may provide local access to the attacker.

4. phpBB2 Unauthorized Administrative Access Vulnerability
BugTraq ID: 6056
Remote: Yes
Date Published: Oct 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6056
Summary:

phpBB2 is an open-source web forum application that is written in PHP and
supported by a number of database products. It will run on most Unix and
Linux variants, as well as Microsoft Windows operating systems.

The admin_ug_auth.php script is used by phpBB administrators to specify user
privileges. Depending on the permissions set via admin_ug_auth.php,
administrative privileges may be required to view certain pages.

A vulnerability has been discovered in the admin_ug_auth.php script, which
allows malicious users to post responses to administrative pages, without
the need to view them. By constructing a malicious response, it may be
possible for an unauthorized user to grant 'administrator' privileges to
arbitrary users.

Exploiting this issue could allow a remote attacker to gain complete control
of a target forum.

It has been reported that third party utilities that use phpBB v2.0.0 may
also be vulnerable to this issue.

5. MailReader.com NPH-MR.CGI File Disclosure Vulnerability
BugTraq ID: 6055
Remote: Yes
Date Published: Oct 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6055
Summary:

Mailreader.com is a web-based e-mail client.

A vulnerability exists in Mailreader.com which may enable remote attackers
to disclose the contents of arbitrary webserver readable files. An attacker
may exploit this issue by submitting a malicious web request containing
dot-dot-slash (../) directory traversal sequences. The request must be for
a known resource, and the file request must be appended by a null byte
(%00). Such a request will break out of the webroot directory and cause the
attacker-specified file to be served, provided it is readable by the
webserver.

This problem exists in the 'nph-mr.cgi' and is due to insufficient
validation of the input supplied to the 'configLanguage' CGI parameter.

Exploitation of this vulnerability has the potential to disclose sensitive
information to attackers which may aid in further attacks.

6. MailReader.com Remote Command Execution Vulnerability
BugTraq ID: 6058
Remote: Yes
Date Published: Oct 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6058
Summary:

Mailreader.com is a web-based e-mail client.

A vulnerability has been reported in Mailreader.com which may allow remote
attackers to execute arbitrary commands on the underlying shell with the
privileges of the webserver.

This issue was introduced in version 2.3.30. User-supplied input is passed
to the sendmail Mail Transfer Agent (MTA), but is not sufficiently sanitized
of shell metacharacters before being passed through the shell. This input
is supplied via the '$CONFIG{RealEmail}' variable in the 'compose.cgi'
script. The input is then passed through the shell via the '$from' variable
in the 'network.cgi' script when the MTA is requested.

8. Sun Solaris Web-Based Enterprise Management Insecure Default File Permissions Vulnerability
BugTraq ID: 6061
Remote: No
Date Published: Oct 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6061
Summary:

A problem with some releases of Solaris 8 may make it possible for local
users to perform unintended actions. The problem is in the Web-Based
Enterprise Management (WBEM) component packaged with recent releases of
Solaris.

The WBEM packages included with some releases of Solaris install files with
insecure permissions. By default, some files contained within WBEM packages
are installed with default group-writable permissions, and in some cases
default world-writable permissions. This could lead to local users gaining
write access to potentially sensitive files, and potentially launching a
denial of service or privilege escalation attack.

This problem is known to exist in Solaris 8 Update 1/01 and later, and
exists primarily in the packages SUNWwbdoc, SUNWwbcou, SUNWwbdev, and
SUNWmgapp. It should be noted that WBEM was introduced with Solaris 8
Update 1/01, therefore versions Solaris 8, Solaris 8 Update 6/00 and Solaris
8 Update 10/00 are not vulnerable to this particular problem.

9. SonicWall Content Filtering Software URL Filter Bypassing Vulnerability
BugTraq ID: 6063
Remote: Yes
Date Published: Oct 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6063
Summary:

SonicWall Content Filtering software is designed for use with SonicWall
Appliances.

A problem with the software could make it possible for a user to circumvent
restrictions placed on URLs.

It has been reported that the SonicWall Content Filtering software does not
sufficiently check addresses when requests are made. Because of this, it
would be possible for a user behind the system to reach a restricted-access
site by requesting the site on the basis of IP addresses.

It should be noted that this is potentially a configuration issue. The
design of URL filtering software typically requires that all sites be
blacklisted by default, with a whitelist of authorized sites specified.

10. Arescom NetDSL-800 Firmware Undocumented Username/Password Weakness
BugTraq ID: 6064
Remote: Yes
Date Published: Oct 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6064
Summary:

The Arescom NetDSL 800 series ADSL modem/router is a stand-alone device. It
is compatible with various operating systems including Windows, MacOS, Unix,
and Linux.

A weakness has been discovered in NetDSL-800 router firmware.

It has been reported that NetDSL-800 firmware, configured by certain
Internet Service Providers (ISPs), contains undocumented users. Undocumented
users have administrative privileges.

It is possible to obtain a target device's undocumented username and password
using a network sniffer and the Arescom NetDSL Remote Manager. Access to
this information could grant unauthorized administrative access to remote
attackers.

Administrative privileges gained on target routers may allow attackers to
corrupt configuration settings or cause a denial of service.

It should be noted that all firmware configurations may not contain
undocumented users. Firmware configured by the MSN ISP are reported to be
vulnerable.

It should also be noted that it has not yet been confirmed whether unique
username and passwords are generated for each device.

11. GTetrinet Multiple Remote Buffer Overflow Vulnerabilities
BugTraq ID: 6062
Remote: Yes
Date Published: Oct 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6062
Summary:

GTetrinet is a freely available, open source networked Tetris game client.
It is available for Linux and Microsoft Windows systems.

Several problems have been reported in the GTetrinet client that could
result in remote exploitation. Due to several bounds checking
vulnerabilities in GTetrinet, the user of a vulnerable client could allow
unintended actions on the part of a malicious server. Exploitation of these
vulnerabilities by a malicious server could result in a denial of service,
and potentially execution of arbitrary instructions in the security context
of the user.

These vulnerabilities are due to numerous insecure strcat and strcpy
functions in the GTetrinet code. Code executed through these
vulnerabilities could result in an attacker gaining access to the vulnerable
system with the privileges of the client.

12. Apache 2 WebDAV CGI POST Request Information Disclosure Vulnerability
BugTraq ID: 6065
Remote: Yes
Date Published: Oct 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6065
Summary:

WebDAV (Web-based Distributed Authoring and Versioning) is a set of HTTP
extensions that allows multiple users to edit and manage files on remote web
servers.

An information disclosure vulnerability has been reported for Apache 2. The
vulnerability occurs due to inadequate checks being performed on CGI
scripts. This vulnerability exists only when both WebDAV and CGI are enabled
for folders.

An attacker can exploit this vulnerability by making a POST request to a CGI
script. Due to improper interaction between WebDAV and CGI scripts, this
will result in the Web server returning the contents of the CGI script to
the remote attacker.

Information obtained in this manner may allow an attacker to launch further,
potentially destructive, attacks against a vulnerable system.

22. LPRNG runlpr Local Privilege Escalation Vulnerability
BugTraq ID: 6077
Remote: No
Date Published: Oct 31 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6077
Summary:

The 'runlpr' utility is distributed with lprng and is used to allow regular
users to invoke the lpr process as the root user.

A vulnerability has been discovered in the 'runlpr' utility, which could
allow a malicious user to execute arbitrary commands with elevated
privileges.

An attacker can exploit this vulnerability by passing malicious commands to
lpr via the commandline. This will result in arbitrary attacker-supplied
commands being executed with root level privileges.

Precise technical details regarding this issue are unknown at this time.
This BID will be updated accordingly, as more information regarding the
vulnerability becomes available.

23. LPRNG html2ps Remote Command Execution Vulnerability
BugTraq ID: 6079
Remote: Yes
Date Published: Oct 31 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6079
Summary:

A vulnerability has been discovered in the html2ps filter which is included
in the lprng print system.

It has been reported that it is possible for a remote attacker to execute
arbitrary commands, with the privileges of the 'lp' user. Depending on the
method used to invoke the lpr daemon, it may be possible to execute commands
with root privileges.

Precise technical details regarding this issue are unknown at this time.
This BID will be updated accordingly, as more information regarding the
vulnerability becomes available.

30. Oracle 9i Database Server Malformed USERID Buffer Overflow Vulnerability
BugTraq ID: 6085
Remote: Yes
Date Published: Oct 31 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6085
Summary:

A buffer overflow vulnerability has been reported for Oracle 9i Database
Server. The vulnerability affects iSQL *Plus which is a web based interface
to the Database Server.

The vulnerability is due to improper bounds checking of the USERID
parameter. An attacker can exploit this vulnerability by sending a malformed
USERID parameter to the vulnerable server. This will trigger the buffer
overflow condition and produce undesired results on the vulnerable system.

Precise technical details regarding the vulnerability are not yet known,
however, this problem may allow an attacker to overwrite sensitive stack
variables, in an effort to execute arbitrary code. The attacker may also
cause the service to crash by sending excessive amounts of data that has not
specifically been designed to cause code execution.

Oracle has reported that this vulnerability does not affect SQL *Plus.

31. Linksys BEFSR41 Gozila.CGI Denial Of Service Vulnerability
BugTraq ID: 6086
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6086
Summary:

Linksys BEFSR41 is vulnerable to a denial of service condition.

The denial of service condition will be triggered when the device receives a
request for the script file 'Gozila.cgi' without any parameters.

An attacker can exploit this vulnerability to cause the device to stop
functioning. Rebooting the device is necessary to restore functionality.

This vulnerability affects the Linksys BEFSR41 device with firmware older
than 1.42.7. Other devices employing the same firmware are likely to be
vulnerable to this issue.

32. Jason Orcutt Prometheus Remote File Include Vulnerability
BugTraq ID: 6087
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6087
Summary:

Jason Orcutt Prometheus is a collection of tools to facilitate the design
and implementation of active content Web sites. It is implemented in PHP and
is available for Unix and Linux variants as well as Microsoft Windows
operating systems.

Prometheus is prone to an issue which may allow remote attackers to include
arbitrary files located on remote servers. This issue is present in the
following PHP script files provided with Prometheus:
index.php
install.php
test_*.php

An attacker may exploit this by supplying a path to a maliciously created
'autoload.lib' file, located on an attacker-controlled host as a value for
the 'PROMETHEUS_LIBRARY_BASE' parameter.

If the remote file is a PHP script, this may allow for execution of
attacker-supplied PHP code with the privileges of the webserver. Successful
exploitation may provide local access to the attacker.

33. PHP-Nuke 5.6 Modules.PHP SQL Injection Vulnerability
BugTraq ID: 6088
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6088
Summary:

PHP-Nuke is a web based Portal system. Implemented in PHP, it is available
for a range of systems, including Microsoft Windows and Linux.

A SQL injection vulnerability has been reported for PHP-Nuke 5.6.

The vulnerability is due to insufficient sanitization of variables used to
construct SQL queries in the 'modules.php' script. It is possible to modify
the logic of SQL queries through malformed query strings in requests for the
vulnerable script.

By injecting SQL code into variables, it may be possible for an attacker to
corrupt database information.

This issue was reported in PHPNuke version 5.6. Other versions may also be
affected.

34. Michael Krax log2mail Remote Buffer Overflow Vulnerability
BugTraq ID: 6089
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6089
Summary:

The log2mail daemon is a small utility used to watch logfiles and send mail
when specified patterns are matched. It is available for Linux and Unix
operating systems.

Typically, the log2mail daemon is invoked, by init scripts, during the boot
process and is run with root privileges.

A remotely exploitable buffer overflow has been discovered in the log2mail
daemon. By generating malicious log entries, it is possible for a remote
attacker to cause a static buffer to be overrun, resulting in memory
corruption.

By exploiting this vulnerability, it may be possible to overwrite sensitive
memory variables with attacker-supplied values, resulting in the execution
of arbitrary code with the privileges of the daemon.

This vulnerability was reported in log2mail v0.2.5. It is not yet known if
this issue affects earlier versions.

35. ION Script Remote File Disclosure Vulnerability
BugTraq ID: 6091
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6091
Summary:

ION Script is a language that is used to create IDL-driven Web documents. It
is available for the Microsoft Windows and Unix operating systems.

A vulnerability has been discovered in the 'ion-p' script included with ION
Script.

It is possible to disclose known sensitive resources by entering malicious
values into the 'page' variable, used by 'ion-p'.

By sending a maliciously constructed HTTP request to a vulnerable webserver,
it is possible for a remote attacker to disclose arbitrary webserver
readable files. As webservers are often run with high privileges, it may be
possible to disclose sensitive system files.

Exploiting this issue may allow an attacker to gain information required to
launch further attacks against the target system.

ION Script for UNIX has also been confirmed vulnerable to this issue.

It is not yet known exactly which ION Script versions are vulnerable to this
issue.

36. Multiple Vendor Access Point Embedded HTTP Server Denial of Service Vulnerability
BugTraq ID: 6090
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6090
Summary:

A denial of service vulnerability has been reported for HTTP servers used by
multiple networking devices.

The denial of service will be triggered when the embedded web server
receives an HTTP request that contains an overly long header. An attacker
can exploit this vulnerability to cause the device to stop functioning.

Rebooting the device is necessary to restore functionality.

This vulnerability was reported for Access Point devices by Linksys and
D-Link. Other vendors may be affected.

Although not yet confirmed, it has been speculated that this issue is a
result of a buffer overflow.

37. Iomega NAS A300U CIFS/SMB Mounts Plaintext Authentication Vulnerability
BugTraq ID: 6093
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6093
Summary:

Iomega NAS A300U (Network Attached Storage) is a network storage device that
supports Unix variants and Microsoft Windows operating systems.

Iomega NAS A300U devices provide support for drive mounts using CIFS/SMB.

Iomega NAS A300U devices are reported to use LANMAN authentication for
access to CIFS/SMB mounts.

LANMAN authentication credentials are sent across the network in plaintext
and may be intercepted by attackers with the ability to sniff network
traffic. It has also been reported that this may allow session hijacking
attacks to occur. Exploitation of this issue will allow attackers to gain
unauthorized access to CIFS/SMB mounts.

This issue was reported for Iomega NAS A300U on Unix platforms. Other
platforms and Iomega devices may also be affected.

38. Iomega NAS A300U Plaintext NAS Administration Credentials Vulnerability
BugTraq ID: 6092
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6092
Summary:

Iomega NAS A300U (Network Attached Storage) is a network storage device that
supports Unix variants and Microsoft Windows operating systems.

Iomega NAS A300U devices provide a web interface for remote administration.

Iomega NAS A300U is reported to send NAS administrative interface
authentication credentials in plaintext across the network. The credentials
may be disclosed to attackers with the ability to intercept network traffic,
which may enable them to gain unauthorized access to the NAS administrative
interface.

It has also been reported that the documentation for the device claims that
authentication credentials will be sent encrypted. Users of the device may
be led to believe that credentials are sent encrypted, creating a false
sense of security.

This issue was reported for Iomega NAS A300U on Unix platforms. Other
platforms and Iomega devices may also be affected.

39. Abuse Local Buffer Overflow Vulnerability
BugTraq ID: 6094
Remote: No
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6094
Summary:

Abuse is a popular side-scrolling video game. It is available for Linux and
Unix operating systems.

Buffer overflow vulnerabilities have been discovered in both the
abuse.console and abuse.x11R6 files, which are installed setuid 'root' and
setgid 'games' respectively.

It is possible to trigger the overflow by passing an excessively long
string, containing roughly 500 bytes, as a parameter to the '-net' command
line argument.

Exploiting this issue would allow a local attacker to overwrite sensitive
memory variables, potentially resulting in the execution of arbitrary code
with super user privileges.

It should be noted that Abuse 2.00, packaged and distributed with the x86
architecture of Debian Linux 3.0 has been reported vulnerable. It is not yet
known if other packages are affected by this.
 
Old 11-11-2002, 07:56 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,953
Blog Entries: 54

Original Poster
November 8th 2002, (LAW)

Linux Advisory Watch

Package: log2mail
Date: 11-05-2002
Description:
Enrico Zini discovered a buffer overflow in log2mail, a daemon for
watching logfiles and sending lines with matching patterns via mail.
The log2mail daemon is started upon system boot and runs as root. A
specially crafted (remote) log message could overflow a static
buffer, potentially leaving log2mail to execute arbitrary code as
root.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2525.html

Package: apache
Date: 11-04-2002
Description:
According to David Wagner, iDEFENSE and the Apache HTTP Server Project,
several remotely exploitable vulnerabilities have been found in the Apache
package, a commonly used webserver. These vulnerabilities could allow an
attacker to enact a denial of service against a server or execute a
cross-site scripting attack.
Debian Vendor Advisory: (apache-ssl)
http://www.linuxsecurity.com/advisor...sory-2527.html
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2531.html

Package: luxman
Date: 11-06-2002
Description:
iDEFENSE reported a vulnerability in LuxMan, a maze game for GNU/Linux,
similar to the PacMan arcade game. When successfully exploited, it gives a
local attacker read/write access to memory, leading to a local root
compromise in many ways, examples of which include scanning the file for
fragments of the master password file and modifying kernel memory to re-map
system calls.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2538.html

Package: wmaker
Date: 11-07-2002
Description:
iDEFENSE reported a vulnerability in LuxMan, a maze game for GNU/Linux,
similar to the PacMan arcade game. When successfully exploited, it gives a
local attacker read/write access to memory, leading to a local root
compromise in many ways, examples of which include scanning the file for
fragments of the master password file and modifying kernel memory to re-map
system calls.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2541.html

Package: squirrelmail
Date: 11-07-2002
Description:
Several cross site scripting vulnerabilities have been found in
squirrelmail, a feature-rich webmail package written in PHP4.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2543.html

Package: IPFilter (FTP)
Date: 11-05-2002
Description:
The FTP proxy module in the IPFilter package may not adequately maintain the
state of FTP commands and responses. As a result, an attacker could
establish arbitrary TCP connections to FTP servers or clients located behind
a vulnerable firewall.
NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2528.html

Package: perl-MailTools
Date: 11-05-2002
Description:
This package contains a security hole which allows remote attackers to
execute arbitrary commands in certain circumstances. This is due to the
usage of mailx as default mailer which allows commands to be embedded in
the mail body.
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2529.html
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2530.html

Package: glibc
Date: 11-07-2002
Description:
A read buffer overflow vulnerability exists in the glibc resolver code in
versions of glibc up to and including 2.2.5. The vulnerability is
triggered by DNS packets larger than 1024 bytes and can cause applications
to crash.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2542.html
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2537.html

Package: kerberos
Date: 11-07-2002
Description:
A remotely exploitable stack buffer overflow has been found in the
Kerberos v4 compatibility administration daemon distributed with the Red
Hat Linux krb5 packages.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2544.html

Package: heartbeat
Date: 11-03-2002
Description:
Nathan Wallwork reported several format string vulnerabilities[2] in
heartbeat that could possibly be used by a remote attacker to execute
arbitrary code with root privileges.
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2532.html

Package: dvips
Date: 11-03-2002
Description:
Olaf Kirch from SuSE discovered a vulnerability in the dvips utility,
which is used to convert .dvi files to PostScript. dvips is calling the
system() function in an insecure way when handling font names. An attacker
can exploit this by creating a carefully crafted dvi file which, when
opened by dvips, will cause the execution of arbitrary commands.
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2533.html

Package: krb5
Date: 11-07-2002
Description:
There is a buffer overflow vulnerability[2][3] in the Kerberos 4 remote
administration service (kadmind4) that could be used by a remote attacker
to execute arbitrary commands on the server with root privileges.
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2534.html

Package: gv
Date: 11-07-2002
Description:
Zen Parse found[1] a buffer overflow vulnerability in gv version 3.5.8 and
earlier. kghostview (from kdegraphics versions prior to 3.0.4) is also
affected, since it has some code derived from the same project. An
attacker can exploit this vulnerability by creating a carefully crafted
pdf file that, when opened by gv or kghostview, causes the execution of
arbitrary code.
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2535.html

Package: tar/unzip
Date: 11-07-2002
Description:
Both tar and unzip have directory traversal vulnerabilities in the way
they extract filenames containing ".." or "/" characters at the
beginning. By exploiting these vulnerabilities, a malicious user can
overwrite arbitrary files if the user unpacking such an archive has
sufficient filesystem permissions to do so.
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2536.html

Package: ypserv
Date: 11-07-2002
Description:
Thorsten Kukuk identified and fixed a memory leak vulnerability[2] in the
ypserv daemon. Requests for non-existing maps would cause the ypserv
daemon to consume more and more memory. An attacker in the local network
could flood the service with such requests until the memory is exhausted,
characterizing a DoS condition.
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2539.html

Package: linuxconf
Date: 11-06-2002
Description:
There is a problem[1] in the sendmail.cf file generated by the mailconf
module that allows sendmail to be used as an open relay. By exploiting
this vulnerability, a malicious user could send SPAM through the sendmail
server without being in its served network. In order to do that, the
recipient address of the messages must be in the format "user%domain@".
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2540.html

Last edited by unSpawn; 11-11-2002 at 07:57 AM.
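The tar/unzip entry in the post above describes member names beginning with "/" or ".." escaping the extraction directory. What follows is an added example, not code from GNU tar, unzip or the Conectiva advisory: a component-wise check of an archive member name that refuses the two cases the advisory names and, going a step further than its text, a ".." component anywhere in the path, so "data/../../etc/passwd" is refused too. The sample member names are constructed for the check.

```c
/* Added example, not code from tar or unzip: a component-wise check of an
 * archive member name before it is used as an extraction path. Rejects an
 * absolute path and any ".." component, wherever it sits in the name. */
#include <stdio.h>
#include <string.h>

/* Returns 1 if `name` may be extracted relative to the current directory,
 * 0 if it could escape it. */
int archive_member_is_safe(const char *name)
{
    const char *p = name;

    if (name == NULL || *name == '\0')
        return 0;                      /* nothing to extract */
    if (*name == '/')
        return 0;                      /* absolute path: writes outside cwd */

    /* Walk the path one component at a time; a component is the text
     * between two '/' (empty components from "a//b" are harmless). */
    while (*p != '\0') {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                  /* ".." climbs out of the tree */
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return 1;
}

/* Constructed member names of the kind a hostile archive would carry,
 * paired with the expected verdict, so the check can be exercised offline. */
struct member_case { const char *name; int expect_safe; };

static const struct member_case cases[] = {
    { "etc/motd",                 1 },
    { "./config/settings.ini",    1 },
    { "a/..b/c",                  1 },  /* "..b" is an ordinary name */
    { "/etc/passwd",              0 },  /* absolute */
    { "../.bashrc",               0 },  /* leading .. */
    { "data/../../etc/passwd",    0 },  /* .. deeper in the path */
    { "",                         0 },
};

/* Runs every constructed case; returns the number of mismatches. */
int run_member_cases(void)
{
    int failures = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int got = archive_member_is_safe(cases[i].name);
        if (got != cases[i].expect_safe) {
            printf("MISMATCH %-26s got %d want %d\n",
                   cases[i].name, got, cases[i].expect_safe);
            failures++;
        }
    }
    return failures;
}

int main(void)
{
    int bad = run_member_cases();
    printf("%d mismatch(es)\n", bad);
    return bad != 0;
}
```

Checking components rather than searching for the substring ".." is what keeps "a/..b/c" extractable while still catching "data/../../etc/passwd". A name check alone does not close every escape: an archive can also carry a symbolic link member pointing outside the tree and then a later member whose path goes through that link, so an extractor that follows symlinks needs a separate check at extraction time.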
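The dvips entry above is a command injection rather than a memory bug: a font name read from an untrusted .dvi file ends up inside a string handed to system(). The following is an added example and not dvips's own code; the helper command "mktexpk" and its argument layout are assumptions for the illustration. It shows the shell-string construction beside the fork/execvp form with an allow-listed font name, and uses a constructed hostile font name.

```c
/* Added example, not dvips's own code: the two ways to invoke a helper
 * program with a font name taken from an untrusted .dvi file. The helper
 * name "mktexpk" and its arguments are assumptions; the point is
 * system() versus execvp(). */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern: the font name is pasted into a shell command line.
 * A "font" named "cmr10; id > /tmp/pwned" makes the shell run id when the
 * string reaches system(). The string is returned, not executed, so the
 * effect can be inspected safely. Returns 0, or -1 if it did not fit. */
int build_font_cmd_unsafe(const char *font, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "mktexpk --dpi 600 %s", font);
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : 0;
}

/* Allow-list the characters a TeX font name may contain, and refuse names
 * that look like options so they cannot be misparsed by the helper. */
int font_name_is_safe(const char *font)
{
    if (font == NULL || *font == '\0' || *font == '-')
        return 0;
    for (; *font; font++) {
        unsigned char c = (unsigned char)*font;
        if (!isalnum(c) && c != '-' && c != '_' && c != '.')
            return 0;
    }
    return 1;
}

/* Hardened: validate, then fork/execvp with an argument vector. No shell
 * is involved, so metacharacters in `font` can never become commands.
 * Returns the helper's exit status, or -1 on rejection or failure. */
int run_font_tool_safe(const char *font)
{
    if (!font_name_is_safe(font))
        return -1;
    char *argv[] = { "mktexpk", "--dpi", "600", (char *)font, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                    /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed hostile font name, as a crafted .dvi file could carry it. */
static const char injected_font[] = "cmr10; id > /tmp/pwned";

/* Returns 1 when the unsafe builder would hand the injected command to a
 * shell while the allow-list refuses the same name and accepts a real one. */
int demo_injection_blocked(void)
{
    char cmd[256];
    int built = build_font_cmd_unsafe(injected_font, cmd, sizeof cmd);
    int shell_would_run_id = built == 0 && strstr(cmd, "; id ") != NULL;
    return shell_would_run_id
        && !font_name_is_safe(injected_font)
        && font_name_is_safe("cmr10");
}

int main(void)
{
    printf("injection blocked by allow-list: %d\n", demo_injection_blocked());
    /* run_font_tool_safe("cmr10") would exec the helper; not run here. */
    return 0;
}
```

The validation and the exec form each close the hole on their own; keeping both means a future loosening of the allow-list does not reopen shell injection, and a future switch back to a shell does not let an unvalidated name through. The same pattern applies to the perl-MailTools entry above, where the embedded-command problem comes from the default mailer being driven through a shell-parsed command line.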