LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 04-22-2003, 01:50 PM   #1
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

LQ weekly security rep - Tue Apr 22nd 2003


Apr 21st 2003
3 of 4 issues handled (SANS)
(1) HIGH: Snort TCP Reassembly Preprocessor Integer Overflow
(2) MODERATE: Oracle Concurrent Manager Server Information Exposure
(3) MODERATE: FileMaker Pro/Server Password Disclosure Vulnerability

Apr 21st 2003
24 of 36 issues handled (SF)
1. Oracle E-Business Suite RRA/FNDFS Arbitrary File Disclosure
7. WebGUI HTTPProxy Denial Of Service Vulnerability
8. BitchX Trojan Horse Vulnerability
9. LPRng PSBanner Insecure Temporary File Creation Vulnerability
10. SheerDNS Information Disclosure Vulnerability
11. SheerDNS CNAME Buffer Overflow Vulnerability
12. GS-Common PS2Epsi Insecure Temporary File Vulnerability
14. InstaBoard Index.CFM SQL Injection Vulnerability
16. Web Wiz Site News Information Disclosure Vulnerability
17. IBM FTP Daemon Kerberos 5 Unspecified Administrative Access Vulnerability
18. EZ Publish site.ini Information Disclosure Vulnerability
19. EZ Publish Multiple Cross Site Scripting Vulnerabilities
20. EZ Publish Multiple Path Disclosure Vulnerabilities
21. GTKHTML Malformed HTML Document Denial Of Service Vulnerability
22. Progress Database BINPATHX Environment Variable Buffer Overflow Vulnerability
23. OSCommerce Product_Info.PHP Denial Of Service Vulnerability
24. Xoops Glossary Module Cross Site Scripting Vulnerability
25. 12Planet Chat Server Error Message Installation Path Disclosure Vulnerability
26. 12Planet Chat Server Administration Page Clear Text Authentication Vulnerability
27. Python Documentation Server Error Page Cross-Site Scripting Vulnerability
28. OSCommerce Authentication Bypass Vulnerability
31. Netcomm NB1300 Modem/Router Weak Default Configuration Settings Vulnerability
32. IkonBoard Lang Cookie Arbitrary Command Execution Vulnerability
34. Mozilla Browser Cross Domain Violation Vulnerability

Apr 18th 2003
16 issues handled (LAW)
openssl
mutt
ethereal
xfsdump
kdegraphics
lprng
gs-common
epic
lpr
rinetd
glibc
evolution
gtkhtml
eyeofgnome
samba
krb5

Last edited by unSpawn; 04-22-2003 at 01:57 PM.
 
Old 04-22-2003, 01:51 PM   #2
unSpawn
Moderator
 
Apr 18th 2003 (LAW)

Linux Advisory Watch

Package: openssl
Description:
There are multiple vulnerabilities in OpenSSL.
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3155.html
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3183.html

Package: mutt
Description:
There is a buffer overflow vulnerability in the mutt code that
handles IMAP folders.
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3168.html

Package: ethereal
Description:
There are multiple vulnerabilities in ethereal.
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3182.html

Package: xfsdump
Description:
Ethan Benson discovered a problem in xfsdump, that contains
administrative utilities for the XFS filesystem. When filesystem
quotas are enabled xfsdump runs xfsdq to save the quota information
into a file at the root of the filesystem being dumped. The manner
in which this file is created is unsafe.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3156.html
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3185.html

Package: kdegraphics
Description:
The KDE team discovered a vulnerability in the way KDE uses Ghostscript
software for processing of PostScript (PS) and PDF files. An attacker
could provide a malicious PostScript or PDF file via mail or websites that
could lead to executing arbitrary commands under the privileges of the
user viewing the file or when the browser generates a directory listing
with thumbnails.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3163.html
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3171.html
http://www.linuxsecurity.com/advisor...sory-3165.html
Turbo Linux Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3160.html

Package: lprng
Description:
Karol Lewandowski discovered that psbanner, a printer filter that creates
a PostScript format banner and is part of LPRng, insecurely creates a
temporary file for debugging purposes when it is configured as filter.
The program does not check whether this file already exists or is linked
to another place, and writes its current environment and called arguments
to the file unconditionally with the user id daemon.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3164.html

Package: gs-common
Description:
Paul Szabo discovered insecure creation of a temporary file in ps2epsi, a
script that is distributed as part of gs-common which contains common
files for different Ghostscript releases. ps2epsi uses a temporary file in
the process of invoking ghostscript. This file was created in an insecure
fashion, which could allow a local attacker to overwrite files owned by a
user who invokes ps2epsi.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3169.html

Package: epic
Description:
Timo Sirainen discovered several problems in EPIC, a popular client for
Internet Relay Chat (IRC). A malicious server could craft special reply
strings, triggering the client to write beyond buffer boundaries. This
could lead to a denial of service if the client only crashes, but may also
lead to execution of arbitrary code under the user id of the chatting
user.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3170.html

Package: lpr
Description:
A buffer overflow has been discovered in lpr, a BSD lpr/lpd line printer
spooling system. This problem can be exploited by a local user to gain
root privileges, even if the printer system is set up properly.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3176.html

Package: rinetd
Description:
Sam Hocevar discovered a security problem in rinetd, an IP connection
redirection server. When the connection list is full, rinetd resizes the
list in order to store the new incoming connection. However, this is done
improperly, resulting in a denial of service and potentially execution of
arbitrary code.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3184.html

Package: glibc
Description:
Researchers at eEye Digital Security have found integer overflow flaws in
the XDR library typically used with Sun RPC. While there are no known
exploits for this problem circulating, we recommend upgrading as soon as
possible, as it is unlikely StackGuard will prevent exploitation of this
flaw. Upgrading is especially important for sites using RPC services.
Immunix Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3178.html
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3167.html

Package: evolution
Description:
Several vulnerabilities were discovered in the Evolution email client.
These problems make it possible for a carefully constructed email message
to crash the program, causing general system instability by starving
resources.
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3179.html

Package: gtkhtml
Description:
A vulnerability in GtkHTML was discovered by Alan Cox with the Evolution
email client. GtkHTML is used to handle HTML messages in Evolution and
certain malformed messages could cause Evolution to crash due to this bug.
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3180.html
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3172.html

Package: eyeofgnome
Description:
A vulnerability was discovered in the Eye of GNOME (EOG) program, version
2.2.0 and earlier, that is used for displaying graphics. A carefully
crafted filename passed to eog could lead to the execution of arbitrary
code as the user executing eog.
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3186.html

Package: samba
Description:
A buffer overrun condition exists in the samba SMB protocol
implementation. These vulnerabilities may allow remote attackers to gain
root privileges.
Turbo Linux Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3159.html

Package: krb5
Description:
These vulnerabilities may allow remote attackers to gain the realm and to
cause a denial of krb5 service.
Turbo Linux Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3181.html
 
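The glibc entry above only says that eEye found integer overflows in the XDR array handling used by Sun RPC. The block below is an added illustration of that bug class and is not glibc, Sun RPC or eEye code: a toy length-prefixed array decoder whose 32-bit `count * elsize` multiplication wraps, so a tiny allocation is followed by a copy of `count` elements. The hardened decoder bounds the multiplication and the remaining input before it allocates. The record layout, the function names and the sample buffers are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy XDR-style array: a 4-byte big-endian element count followed by
 * `count` elements of `elsize` bytes each. This layout is an assumption
 * for the example, not the real XDR encoding rules. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The vulnerable size computation: count * elsize evaluated in 32 bits.
 * With count = 0x40000001 and elsize = 4 the product is 0x100000004,
 * which wraps to 4; a decoder would malloc(4) and then loop 0x40000001
 * times writing past it. Only the arithmetic is reproduced here; the
 * out-of-bounds copy is deliberately not performed. */
uint32_t unsafe_alloc_size(uint32_t count, uint32_t elsize) {
    return count * elsize; /* unsigned wraparound, no warning at runtime */
}

/* Hardened decoder. On success copies the elements into a fresh buffer
 * (*out, caller frees) and returns the element count; returns -1 on any
 * malformed input, leaving *out NULL. */
long decode_array_safe(const uint8_t *buf, size_t len, uint32_t elsize,
                       uint8_t **out) {
    *out = NULL;
    if (elsize == 0 || len < 4) return -1;
    uint32_t count = be32(buf);
    /* Check before multiplying: count * elsize must fit in size_t.
     * This is the test that matters on a 32-bit build. */
    if (count > SIZE_MAX / elsize) return -1;
    size_t nbytes = (size_t)count * elsize;
    /* Independently, the input must actually carry that many bytes;
     * this catches the same attack on 64-bit builds. */
    if (nbytes > len - 4) return -1;
    uint8_t *p = malloc(nbytes ? nbytes : 1);
    if (!p) return -1;
    memcpy(p, buf + 4, nbytes);
    *out = p;
    return (long)count;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_GOOD[] = {0, 0, 0, 3,            /* count = 3 */
                                      1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12};
static const uint8_t SAMPLE_BAD[]  = {0x40, 0, 0, 1,         /* count = 0x40000001 */
                                      0, 0, 0, 0};

/* Decodes SAMPLE_GOOD with elsize 4; returns 3 when the payload round-trips. */
long demo_decode_good(void) {
    uint8_t *out = NULL;
    long n = decode_array_safe(SAMPLE_GOOD, sizeof SAMPLE_GOOD, 4, &out);
    int ok = out != NULL && out[0] == 1 && out[11] == 12;
    free(out);
    return ok ? n : -2;
}

/* Feeds the wrapping count to the safe decoder; returns -1 (rejected). */
long demo_decode_bad(void) {
    uint8_t *out = NULL;
    return decode_array_safe(SAMPLE_BAD, sizeof SAMPLE_BAD, 4, &out);
}

int main(void) {
    printf("32-bit 0x40000001 * 4 wraps to %u bytes\n",
           unsafe_alloc_size(0x40000001u, 4));
    printf("safe decode: good -> %ld elements, bad -> %ld\n",
           demo_decode_good(), demo_decode_bad());
    return 0;
}
```

The two checks in `decode_array_safe` are deliberately separate: the division-based bound is what stops the wraparound on the 32-bit hosts of the period, and the remaining-length check is what stops a correctly computed but absurd allocation from being driven by a remote count field at all.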
Old 04-22-2003, 01:53 PM   #3
unSpawn
Moderator
 
Apr 21st 2003 (SF)

SecurityFocus

1. Oracle E-Business Suite RRA/FNDFS Arbitrary File Disclosure
Vulnerability
BugTraq ID: 7325
Remote: Yes
Date Published: Apr 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7325
Summary:

The Oracle RRA/FNDFS server is used in usual circumstances, by oracle
utilities, to retrieve and extract report data from Concurrent Manager
server. The RRA is the Report Review Agent and is also known as the FND
File Server (FNDFS).

Oracle E-Business suite FNDFS server has been reported prone to an
arbitrary file disclosure vulnerability.

A vulnerability has been discovered in the communication protocol that is
used by the FNDFS server. It has been reported that this vulnerability may
be exploited by an attacker to bypass system, database and application
based authentication mechanisms to reveal the contents of arbitrary files
located on the Concurrent Manager server. It should be noted that an
attacker may only disclose files that are readable by the 'oracle' or
'applmgr' user accounts. Direct SQL*Net access to the Concurrent Manager
server is also required in order to successfully exploit this
vulnerability.

Sensitive information obtained in this manner may be used in further
attacks launched against the vulnerable system.

7. WebGUI HTTPProxy Denial Of Service Vulnerability
BugTraq ID: 7331
Remote: Yes
Date Published: Apr 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7331
Summary:

WebGUI is a content management framework built to allow average users to
build and maintain complex Web sites.

WebGUI has been reported prone to Denial of Service vulnerability when
handling malicious HttpProxy requests.

It has been reported that an attacker may make a malicious proxy request
passed to the WebGUI HttpProxy function. This activity may trigger a
persistant denial of service condition. If the attack is successful the
WebGUI HttpProxy web object may fall into an infinate recursive loop
attempting to proxy its own content.

This vulnerability has been reported to affect WebGUI version 5.2.3;
although unconfirmed, previous versions may also be affected.

8. BitchX Trojan Horse Vulnerability
BugTraq ID: 7333
Remote: Yes
Date Published: Apr 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7333
Summary:

BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.

It has been announced that the server hosting BitchX, www.bitchx.org, was
compromised recently. It has been reported that the intruder made
modifications to the source code of BitchX to include trojan horse code.
Downloads of the source code of BitchX from www.bitchx.org, and mirrors,
likely contain the trojan code.

Reports say that the trojan will run once upon compilation of BitchX. Once
the trojan is executed, it attempts to connect to host 207.178.61.5 on
port 6667.

The trojan horse modifications can be found in the configure script in
BitchX 1.0c19.

Additionally, the trojan displays similarity to those found in irssi,
fragroute, fragrouter, tcpdump, libpcap, OpenSSH, and Sendmail.

This BID will be updated as more information becomes available.

9. LPRng PSBanner Insecure Temporary File Creation Vulnerability
BugTraq ID: 7334
Remote: No
Date Published: Apr 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7334
Summary:

LPRng psbanner is a printer filter utility that creates a PostScript
format banner and is part of LPRng.

psbanner filter has been reported prone to insecure temporary file
creation vulnerability.

Under certain circumstances, specifically when psbanner is configured as a
filter, psbanner creates temporary files for debugging purposes in an
insecure manner.

It has been reported that psbanner does not check if a previous file
exists or whether the file is symlinked to another location before using
it for a specific action. The action taken on the file will be committed
with the user id 'daemon'.

This vulnerability may lead to symbolic link attacks within the context
of the user running the vulnerable utility.

10. SheerDNS Information Disclosure Vulnerability
BugTraq ID: 7336
Remote: Yes
Date Published: Apr 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7336
Summary:

SheerDNS is a master DNS server implementation for Unix and Linux
variants.

A vulnerability has been discovered in SheerDNS. Due to insufficient
sanitization of user-supplied data within DNS requests, an attacker may be
capable of viewing the contents of an arbitrary directory or file.
Specifically, SheerDNS fails to filter directory traversal sequences (../)
embedded in DNS queries.

As SheerDNS runs with root privileges, exploitation of this issue would
allow an attacker to view the contents of all system directories.

This issue was discovered in SheerDNS version 1.0.0, however, earlier
versions may also be affected.

11. SheerDNS CNAME Buffer Overflow Vulnerability
BugTraq ID: 7335
Remote: No
Date Published: Apr 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7335
Summary:

SheerDNS is a master DNS server implementation for Unix and Linux
variants.

SheerDNS is prone to a buffer overflow when constructing responses to
CNAME queries. This is due to insufficient bounds checking of lookup
information. Specifically, the static buffer for lookup results is much
larger than the buffer for queries. The program does a strcpy() operation
to copy the lookup results into the query buffer.

Lookup information is fetched from local files. If an attacker can
influence the contents of these files, then it will be possible to trigger
this condition to corrupt adjacent regions of stack memory with malicious
data.

Exploitation could lead to a denial of service or execution of malicious
instructions.

This issue was discovered in SheerDNS version 1.0.0, however, earlier
versions may also be affected.

12. GS-Common PS2Epsi Insecure Temporary File Vulnerability
BugTraq ID: 7337
Remote: No
Date Published: Apr 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7337
Summary:

gs-common is a set of common files for different Ghostscript releases.

The ps2epsi script included with gs-common creates temporary files in an
insecure manner when invoking Ghostscript. A malicious local user could
exploit this condition to create a symbolic link that could corrupt any
local file which is writeable by the user invoking the vulnerable script.

Exploitation may result in a denial of service if critical files are
corrupted. Privilege elevation may also be possible if the local attacker
can corrupt local files with custom data.

14. InstaBoard Index.CFM SQL Injection Vulnerability
BugTraq ID: 7338
Remote: Yes
Date Published: Apr 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7338
Summary:

InstaBoard is a multi-featured web-based discussion forum.

Multiple SQL injection vulnerabilities were reported to affect the
'index.cfm' page of InstaBoard. This is reportedly due to insufficient
sanitization of externally supplied data that is used to construct SQL
queries. This data may be supplied via URI parameters in requests for
certain functions. A remote attacker may take advantage of these issues to
inject malicious data into SQL queries, possibly resulting in modification
of query logic.

The consequences may vary depending on the particular database
implementation and the nature of the specific queries. SQL injection also
makes it possible, under some circumstances, to exploit latent
vulnerabilities that may exist in the underlying database.

It should be noted that although this vulnerability has been reported to
affect InstaBoard version 1.3 previous versions might also be affected.

16. Web Wiz Site News Information Disclosure Vulnerability
BugTraq ID: 7341
Remote: Yes
Date Published: Apr 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7341
Summary:

Web Wiz Site News is a freely distributed news management system
implemented in ASP.

Web Wiz Site News has been reported prone to sensitive information
disclosure vulnerability.

An attacker may make a request for and download the underlying Access
database file 'news.mdb' that is located in the 'news' folder and is used
by the Site News application. Site News administration credentials that
are contained in the database and stored in plaintext format may be
revealed to the attacker.

Information collected in this way may be used to aid in further attacks
against the system.

It should be noted that although this vulnerability has been reported to
affect Site News version 3.06, previous versions might also be affected.

17. IBM FTP Daemon Kerberos 5 Unspecified Administrative Access Vulnerability
BugTraq ID: 7346
Remote: Yes
Date Published: Apr 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7346
Summary:

AIX is the commercially available UNIX operating system distributed by
IBM.

A problem in the operating system could make it possible for a remote user
to gain unauthorized access.

It has been reported that a vulnerability exists with the ftpd implemented
with AIX when Kerberos 5 is used for authentication. This could make it
possible for a remote user to gain unauthorized remote access.

Few details are available about the nature of the problem. It is
confirmed however that the FTP daemon distributed with AIX must be
configured to use its native Kerberos 5 functionality as its
authentication method. It is also confirmed that exploitation of this
issue could lead to an attacker gaining administrative access to a
vulnerable host.

18. EZ Publish site.ini Information Disclosure Vulnerability
BugTraq ID: 7347
Remote: Yes
Date Published: Apr 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7347
Summary:

eZ Publish is a web content management system for Microsoft Windows and
Unix and Linux variants.

eZ Publish has been reported prone to sensitive information disclosure
vulnerability.

An attacker may make a request for and download the underlying site.ini
configuration file. The file contains eZ Publish administration
credentials stored in plaintext format. Any HTTP requests for this file
will reveal the contents of this file to remote attackers.

Information collected in this way may be used to aid in further attacks
against the system.

This vulnerability was reported for eZ Publish 3.0. It is likely that
earlier versions are affected by this vulnerability.

19. EZ Publish Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 7348
Remote: Yes
Date Published: Apr 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7348
Summary:

eZ Publish is a web content management system for Microsoft Windows and
Unix and Linux variants.

Several cross site scripting vulnerabilities have been reported for eZ
Publish. These vulnerabilities are due to insufficient sanitization of
user-supplied data submitted to eZ Publish.

An attacker can exploit this vulnerability by creating malicious links to
a site hosting the vulnerable software which contains hostile HTML and
script code. If this link is visited, the attacker-supplied HTML and
script code will be interpreted by their browser. This will occur in the
context of the site hosting the vulnerable software.

Exploitation may allow theft of cookie-based authentication credentials or
other attacks.

This issue was reported in eZ Publish 3.0. It is likely that earlier
versions are affected.

20. EZ Publish Multiple Path Disclosure Vulnerabilities
BugTraq ID: 7349
Remote: Yes
Date Published: Apr 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7349
Summary:

eZ Publish is a web content management system for Microsoft Windows and
Unix and Linux variants.

Several path disclosure vulnerabilities have been reported for eZ Publish.
The vulnerabilities affect several PHP script files in the kernel/class
and kernel/classes directory.

An attacker can exploit this vulnerability by making a HTTP request for
any of the affected pages. This may result in a condition where path
information is returned to the attacker. Information gathered in this way
may be used in further attacks against the system.

This vulnerability affects eZ Publish 3.0. It is likely that earlier
versions are also affected.

21. GTKHTML Malformed HTML Document Denial Of Service Vulnerability
BugTraq ID: 7350
Remote: Yes
Date Published: Apr 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7350
Summary:

GtkHTML is a HTML rendering and editing engine for Gnome. It is embedded
in many applications, such as Evolution personal and workgroup information
management software.

It has been reported that GtkHTML is prone to a vulnerability that may be
exploited to cause a denial of service. This issue is present in GtkHTML
with Evolution. It is possible to crash the Evolution e-mail client with
a malformed message due to this flaw in GtkHTML.

It is possible that this flaw may affect other applications that rely upon
GtkHTML, though this has not been confirmed.

Further details are not available at this time. This BID will be updated
as more details become available.

22. Progress Database BINPATHX Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 7352
Remote: No
Date Published: Apr 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7352
Summary:

Progress Database is a commercial database for Microsoft Windows and Unix
systems.

A buffer overflow vulnerability has been discovered in Progress Database.
The problem occurs due to insufficient bounds checking when processing the
'BINPATHX' environment variable.

The 'BINPATHX' variable is used to specify the location of shared
libraries and other installation files however, placing approximately 240
bytes within the variable may trigger a buffer overflow. This may result
in sensitive locations in memory being replaced with attacker-supplied
values.

Exploitation of this issue may make it possible for an attacker to execute
arbitrary code with the privileges of the Progress Database application.

23. OSCommerce Product_Info.PHP Denial Of Service Vulnerability
BugTraq ID: 7351
Remote: Yes
Date Published: Apr 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7351
Summary:

osCommerce is an online shop e-commerce solution under ongoing
development by the open source community.

It has been reported that a remote attacker may trigger a denial of
service condition in the osCommerce application. If malicious URI
parameters, for example, 'products_id' are passed to the
'product_info.php' page the MySQL and web server hosting osCommerce
reportedly becomes unstable. This action may be repeated continuously and
could possibly result in a persistent denial of service condition.

It should be noted that although osCommerce version 2.2cvs was reported
vulnerable, previous versions may also be affected.

24. Xoops Glossary Module Cross Site Scripting Vulnerability
BugTraq ID: 7356
Remote: Yes
Date Published: Apr 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7356
Summary:

A cross site scripting vulnerability has been reported in Xoops.

It has been reported that user-supplied input to the 'glossaire-aff.php'
page, as the 'lettre' URI parameter, is not sufficiently sanitized. This
lack of sanitization provides an opportunity for an attacker to launch
cross-site scripting attacks against the vulnerable site. It is possible
for a remote attacker to create a malicious link containing script code
that will be executed in the browser of a legitimate user.

Any attacker-supplied code will be executed within the context of the
website running Xoops.

This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software. The attacker may hijack the session of the legitimate user by
using cookie-based authentication credentials. Other attacks are also possible.

This vulnerability has been reported to affect Xoops versions 1.3.8
and 1.3.9.

25. 12Planet Chat Server Error Message Installation Path Disclosure Vulnerability
BugTraq ID: 7355
Remote: Yes
Date Published: Apr 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7355
Summary:

12Planet Chat Server is web forum software that runs on Windows
NT/2000/XP, Linux, Sun Solaris, IBM AIX, and HP UNIX.

When certain malformed URL requests are received by the chat server, an
error message is returned containing the full path of the chat server's
installation. The URL must contain at least three '/qwe' sequences in
order to generate this error message. ie.
http://www.victim.com:8080/qwe/qwe/qwe/index.html

If the URL does not contain at least three '/qwe' sequences, a simple HTTP
500 error message will be returned to the remote user.

26. 12Planet Chat Server Administration Page Clear Text Authentication Vulnerability
BugTraq ID: 7354
Remote: Yes
Date Published: Apr 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7354
Summary:

12Planet Chat Server is web forum software that runs on Windows
NT/2000/XP, Linux, Sun Solaris, IBM AIX, and HP UNIX.

The login page of the administration site for the chat server sends
usernames and passwords in clear text. This could allow a remote attacker
to sniff the administrator's authentication information.

The interface that allows the administrator to change their passwords also
transmits the new password in clear text.

27. Python Documentation Server Error Page Cross-Site Scripting Vulnerability
BugTraq ID: 7353
Remote: Yes
Date Published: Apr 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7353
Summary:

Python Documentation Server is a freely available server distributed with
the Python software package. It is available for Unix, Linux, and
Microsoft Operating Systems.

It has been reported that the Python Documentation Server is vulnerable to
a cross-site scripting vulnerability.

The problem is due to insufficient sanitization of HTML and script code
from error output. When HTML and script code are passed to the vulnerable
server in a URI, the code will be displayed in the server's error page.
An attacker could exploit this issue by constructing a malicious link
which contains hostile HTML and script code and then enticing web users to
visit the link. When the error page is displayed, the attacker-supplied
code may be rendered in the user's web browser. This will occur in the
security context of the documentation server.

The server runs on port 7464 by default.

28. OSCommerce Authentication Bypass Vulnerability
BugTraq ID: 7357
Remote: Yes
Date Published: Apr 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7357
Summary:

osCommerce is an online shop e-commerce solution under ongoing
development by the open source community.

osCommerce has been reported prone to authentication bypass vulnerability.

It has been reported that osCommerce uses HTTP header information as a
part of its authentication mechanism. Reportedly an attacker may spoof the
HTTP 'referrer' header information. If the attacker spoofs a localhost
address as the referrer the authentication system used by osCommerce may
be subverted.

This attack may be used in conjunction with other attacks to disclose,
what may be sensitive information, to the attacker. Specifically product
information may be disclosed and administration page access achieved.

It should be noted that although osCommerce version 2.2cvs was reported
vulnerable, previous versions may also be affected.

31. Netcomm NB1300 Modem/Router Weak Default Configuration Settings Vulnerability
BugTraq ID: 7359
Remote: Yes
Date Published: Apr 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7359
Summary:

Netcomm NB1300 modem/router is a device used to connect SOHO or Small
Business networks to an ADSL service provider. The ADSL Router supports IP
Packet routing and functions such as NAT and DHCP allowing users to have
their IP address assigned automatically and share a single ISP account.

It has been reported that the Netcomm NB1300 modem/router ships with weak
default configuration settings. The NB1300 has, by default, an FTP server
(VxWorks 5.4.1) exposed on the WAN interface. The default username is set
as 'admin' and the password is, by default, 'password'.

A remote user may connect to the FTP server and authenticate using default
credentials if they have not been changed. The attacker may then download
the router configuration information contained as plaintext in the
'config.reg' file. Other attacks may also be possible.

Information gathered in this way may be used in further attacks launched
against the victim host/network.

It should be noted that this vulnerability has been reported to affect all
known releases of Netcomm NB1300 firmware.

32. IkonBoard Lang Cookie Arbitrary Command Execution Vulnerability
BugTraq ID: 7361
Remote: Yes
Date Published: Apr 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7361
Summary:

IkonBoard is a Web Bulletin Board Service (BBS) software package written
in Perl that runs on several web server platforms.

It has been reported that IkonBoard is prone to an arbitrary command
execution vulnerability. The vulnerability is due to insufficient
sanitization performed on user supplied 'lang' cookie data.

Specifically a flaw has been reported in the pattern matching code
implemented to sanitize user-supplied cookie data before it is
interpolated into a string. An attacker may exploit this issue to execute
arbitrary commands. If the attacker supplies a malicious cookie that
contains illegal characters designed to break the sanitization
functionality of IkonBoard, the data will get passed to a Perl eval()
function. This circumstance could allow the attacker to have arbitrary
Perl code evaluated. Therefore, using for example Perl system() calls as a
conduit, arbitrary command execution may be possible in the security
context of the web server hosting the vulnerable IkonBoard.

It should be noted that although this vulnerability was reported to affect
IkonBoard version 3.1.1, previous versions might also be affected.

34. Mozilla Browser Cross Domain Violation Vulnerability
BugTraq ID: 7363
Remote: Yes
Date Published: Apr 16 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7363
Summary:

Mozilla is an open source web browser available for a number of platforms,
including Microsoft Windows and Linux.

A problem has been reported in Mozilla that could allow access to
information in other browser windows. The vulnerability exists because
Mozilla does not properly sanitize links when transferring documents from
one domain to another. Specifically, malicious HTML code is not sanitized
from the 'onclick' property.

Upon the execution of code through the 'onclick' property, a violation in
browser security zone policy would occur that allows the original web site
to view the contents of web pages in other browser windows.

This problem would require a user visiting a web page that has been
designed to present malicious dialog boxes. This type of attack would most
commonly occur through social engineering.

Other browsers based on the Mozilla codebase are vulnerable to this issue.
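The IkonBoard item above describes a sanitizer whose pattern match could be defeated so that cookie data reached a Perl eval(). The following is an added example, not code from the original post or from IkonBoard, showing the general defensive pattern in Perl: a weakly anchored check beside a strict one, and a design in which the 'lang' value is only ever used as a key into a fixed table, so it never enters an interpolation context at all. The %LANG_FILES table, the function names and the sample cookie values are all hypothetical and constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not IkonBoard code): validating a 'lang' cookie value before
# it selects a language file. The table, functions and samples are hypothetical.
use strict;
use warnings;

# Known languages. The cookie value is only ever used as a key into this
# table; it is never interpolated into a string handed to eval().
my %LANG_FILES = (
    en => 'lang/en.pl',
    de => 'lang/de.pl',
    fr => 'lang/fr.pl',
);

# Weak check of the kind advisories warn about: '$' matches before a trailing
# newline, so "en\n" passes even though the pattern looks fully anchored, and
# any lowercase word passes whether or not it names a real language.
sub weak_ok {
    my ($v) = @_;
    return (defined $v && $v =~ /^[a-z]+$/) ? 1 : 0;
}

# Hardened check: \A and \z anchor both ends (\z rejects a trailing newline),
# the length is bounded, and the value must be a key of the allowlist.
# Returns the validated key, or undef when the value must be rejected.
sub strict_lang {
    my ($v) = @_;
    return undef unless defined $v && $v =~ /\A[a-z]{2,8}\z/;
    return exists $LANG_FILES{$v} ? $v : undef;
}

# Constructed cookie values. The fourth and fifth carry characters that a
# sanitizer must reject before the value reaches any interpolation context.
my @samples = ('en', 'de', 'EN', "en\n", 'en); x', 'xx');
for my $s (@samples) {
    (my $shown = $s) =~ s/\n/\\n/g;
    my $key = strict_lang($s);
    printf "%-10s weak=%d strict=%s\n", "'$shown'", weak_ok($s),
        defined $key ? $LANG_FILES{$key} : 'reject';
}
```

Run with `perl validate_lang.pl`. Of the six constructed values only 'en' and 'de' resolve to a language file; "en\n" and 'xx' are accepted by the weak check but rejected by the strict one, which is the difference between filtering characters out of a string and validating that the string is one of a known set of values.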
 
Old 04-22-2003, 01:59 PM   #4
unSpawn
Moderator
Original Poster
Apr 21st 2003 (SANS)

SANS
SANS Critical Vulnerability Analysis Vol. 2. No. 15

(1) HIGH: Snort TCP Reassembly Preprocessor Integer Overflow

Affected Products:
Snort IDS versions 1.8 through 1.9.1
Snort CVS - current branch up to version 2.0.0 beta

Description:
A remotely exploitable integer overflow exists in the Snort TCP
stream reassembly preprocessor named "stream4". A problem with the
TCP sequence number handling allows a 32-bit integer variable to
be overflowed. An attacker can exploit the vulnerability by sending
TCP traffic with specially crafted sequence numbers to any IP address
monitored by Snort. Successful exploitation allows an attacker to cause
a denial of service or execute arbitrary code with root privileges.

Council Site Actions:
The affected software is in use at five of the reporting council
sites. Other sites are using Snort, but are running later versions or
are not running the preprocessor module. Of the affected sites, most
are updating their Snort deployments to the latest code, on a high
priority basis. One site has already completed the upgrade. Another
site currently runs Snort only in a tightly controlled test
environment. They will upgrade to the latest version before their
wide-scale roll-out.

Risk: Remote root compromise of systems running Snort.

Deployment: Significant.
The Snort IDS is widely used by the open source community and
is also installed on some commercial network security appliances
(e.g. Silicon Defense Sentarus Sensor, Guardent Security Defense
Appliance, Sourcefire Network Sensor).

Ease of Exploitation: Straightforward.
The Core Advisory shows how to trigger the overflow to cause a
segmentation fault. Core has also built a working code execution
exploit and made it available as a CORE IMPACT penetration test module.

Status: Vendor confirmed, the problem is fixed in Snort version
2.0. The stream4 module can be disabled as a workaround, but doing
so blinds the sensor to attacks that use TCP segmentation-based
techniques to evade detection.

References:
Core Security Advisory
http://archives.neohapsis.com/archiv...3-04/0215.html

CERT Advisory
http://www.cert.org/advisories/CA-2003-13.html

Vendor Advisory
http://www.snort.org/advisories/snort-2003-04-16-1.txt

(2) MODERATE: Oracle Concurrent Manager Server Information Exposure

Affected Products:
Oracle E-Business Suite 11i, Releases 1 through 8
Oracle Applications 11.0, All Releases
Oracle Applications 10.7, All Releases

Description:
The Oracle E-Business Suite Report Review Agent (RRA) contains a
vulnerability that allows remote attackers to read sensitive data on
Oracle Applications Concurrent Manager servers, including password
files. To exploit the flaw, an attacker must be able to access the
TNS listener port on a vulnerable system, and communicate using the
SQL*Net protocol. The Integrigy advisory notes that it is common
for a Concurrent Manager server to also act as a database server,
putting database information at risk.

Council Site Actions:
The affected software is in use at only two of the reporting council
sites. Both sites have notified their Oracle support teams and
are awaiting further analysis. Both sites also commented that the
problem is mitigated to some extent since the systems running the
Oracle applications are behind firewalls.


Risk: Information exposure potentially leading to remote compromise
of Oracle Applications Concurrent Manager server, and exposure of
sensitive data stored in the database.

Deployment: Significant.
The E-Business Suite provides a set of data management applications
for a variety of business functions including sales, marketing,
human resources, finance and manufacturing.

Ease of Exploitation: Unknown.
The advisory states that the Oracle Applications FNDFS program can be
used to retrieve any file on the server accessible to the oracle or
applmgr accounts. Few technical details are publicly available. Many
organizations do not allow Internet access to the vulnerable service,
but are still open to attack from internal networks.

Status: Vendor has confirmed, patches available.

References:
Integrigy Security Advisory
http://archives.neohapsis.com/archiv...3-q2/0016.html
http://www.integrigy.com/alerts/FNDFS_Vulnerability.htm

Oracle Security Alert and Patches
http://otn.oracle.com/deploy/securit...003alert53.pdf

CERT Vulnerability Note
http://www.kb.cert.org/vuls/id/168873

Product Website
http://www.oracle.com/applications/

SecurityFocus BID
http://www.securityfocus.com/bid/7325

(3) MODERATE: FileMaker Pro Password Disclosure Vulnerability

Affected Products:
FileMaker Pro 6.0 and earlier
FileMaker Pro 6.0 Unlimited or earlier
FileMaker Server 5.5 or earlier
*Affects all platforms: Windows, MacOS and Linux

Description:
The FileMaker network protocol has been found to disclose passwords to
remote attackers. The vulnerability stems from a design flaw which
sends all database passwords to an unauthenticated client, and then
trusts the client to enforce the validity of the user's password. The
passwords arrive in an obfuscated format but may be recovered.

Council Site Actions:
Four of the reporting council sites are running the affected software,
albeit in very small numbers. One site said that given the small
number of installations and the difficulty in finding them, action was
not warranted at this time. A second site has a single, non-production
server running the software. The functions provided by that server
are being migrated to other systems. They plan to decommission the
server if a patch is not available by May 2nd. The third site has
several machines that are directly exposed to the Internet and have
FileMaker databases with web publishing enabled. Their central IT
department provides full support for FileMaker on both Windows and
Macintosh platforms, and this contributes to the prevalence of the
software. This site is not using FileMaker for critical business
functions, but believes it would be a substantial inconvenience
if FileMaker data were modified by outsiders. They are looking
at the information in the vendor bulletin about "direct access to
the databases via FileMaker Pro networking" to see if they have a
reasonable option for continuing to publish FileMaker data. The last
site merely notified the appropriate support group.


Risk: Remote compromise of systems running FileMaker.

Deployment: Significant.
FileMaker provides a suite of database software applications for
business workgroups. The vendor website states that FileMaker is
deployed by millions of customers worldwide. Most organizations do
not expose the vulnerable service to the Internet, but are still open
to attack from internal networks.

Ease of Exploitation: Straightforward.
The server sends a complete list of passwords to the client. The
attacker must only overcome the obfuscation.

Status: Vendor confirmed, however no fix is currently available.
The vendor advisory contains some suggested workarounds that can
mitigate risk.

References:
Security Advisory
http://archives.neohapsis.com/archiv...3-04/0168.html

Vendor Advisory
http://www.filemaker.com/ti/108462.html

Vendor Website
http://www.filemaker.com/
http://www.filemaker.com/company/index.html

SecurityFocus BID
http://www.securityfocus.com/bid/7315