LinuxQuestions.org
Old 02-11-2003, 05:27 AM   #1
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,761
Blog Entries: 54

LQ weekly security rep - Tue Feb 11th 2003


A bit late/stale, but here's LAW anyway:
Feb 14th 2003
9 issues handled (LAW)
w3m
uml-net
hypermail
postgresql
lynx
python
pam_xauth
fileutils
mozilla

Feb 10th 2003
11 of 22 issues handled (SF)
1. SILC Server SSH2 Authentication Password Persistence Weakness
2. myphpPageTool Remote File Include Vulnerability
3. Bladeenc Signed Integer Memory Corruption Vulnerability
4. phpMyShop compte.php SQL Injection Vulnerability
5. OpenBSD CHPass Temporary File Link File Content Revealing Vulnerability
8. PHP-Nuke Avatar HTML Injection Vulnerability
9. PAM pam_xauth Module Unintended X Session Cookie Access Vulnerability
14. IBM WebSphere Exported XML Password Encoding Weakness
15. Majordomo Default Configuration Remote List Subscriber Disclosure Vulnerability
17. Linux O_DIRECT Direct Input/Output Information Leak Vulnerability
22. Epic Games Unreal Engine Memory Consumption Denial Of Service Vulnerability

Feb 10th 2003
17 of 33 issues handled (ISS)
Nukebrowser $filhead remote PHP file include
WebLogic keystores store plaintext passwords
WebLogic clustered environment race condition
IlohaMail compose.php script could allow an attacker to upload files
SILC stores passwords and session information in plain text
SpamProbe HTML tag new line denial of service
BladeEnc myFseek() code execution
PHP-Nuke avatar field could allow an attacker to execute code
OpenBSD chpass user database information disclosure
Majordomo which_access variable set to "open" could disclose email addresses
Linux kernel O_DIRECT information leak
Red Hat Linux pam_xauth could allow an attacker to gain privileges
IBM WebSphere uses weak encryption algorithm to store passwords
phpMyNewsletter customize.php unauthorized file access
F-Prot FreeBSD for Small Business command line buffer overflow
HP-UX /usr/sbin/wall buffer overflow
Red Hat Linux uml_net utility could allow an attacker to gain privileges

Feb 7th 2003
13 issues handled (LAW)
cvs
mcrypt
slocate
qt-dcgui
bladeenc
vim
mysql
kernel
kerberos
php
OpenLDAP
windowmaker
xpdf

Last edited by unSpawn; 02-17-2003 at 07:15 AM.
 
Old 02-11-2003, 05:28 AM   #2
unSpawn
Feb 7th 2003 (LAW)

Linux Advisory Watch

Package: cvs
Date: 01-31-2003
Description:
Double-free vulnerability in CVS allows remote attackers to cause a denial
of service and possibly execute arbitrary code via a malformed Directory
request.
Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2826.html
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2833.html

Package: mcrypt
Date: 02-02-2003
Description:
Ilia Alshanetsky found several buffer overflow vulnerabilities in
libmcrypt. These vulnerabilities basically consist of improper or missing
validation of some input (which in some scenarios can come from a local
user or from a network connection).
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2836.html

Package: slocate
Date: 02-02-2003
Description:
"The overflow appears when slocate is run with two parameters: -c
and -r, using as arguments a 1024 (or 10240, as Knight420 has informed us
earlier) byte string."
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2828.html
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2838.html

Package: qt-dcgui
Date: 02-02-2003
Description:
"All versions < 0.2.2 have a major security vulnerability in the directory
parser. This bug allows a remote attacker to download files outside the
sharelist. It is recommended that you upgrade the packages immediately."
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2831.html

Package: bladeenc
Date: 02-05-2003
Description:
"A wave file lets the attacker execute any code he wants on the
victim"
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2834.html

Package: vim
Date: 02-03-2003
Description:
A vulnerability was discovered in vim by Georgi Guninski that allows
arbitrary command execution using the libcall feature found in modelines.
A patch to fix this problem was introduced in vim 6.1 patchlevel 265.
This patch has been applied to the provided update packages.
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2829.html

Package: mysql
Date: 02-03-2003
Description:
Aleksander Adamowski informed MandrakeSoft that the MySQL developers fixed
a DoS vulnerability in the recently released 3.23.55 version of MySQL. A
double free() pointer bug in the mysql_change_user() handling would allow a
specially hacked mysql client to crash the main mysqld server. This
vulnerability can only be exploited by first logging in with a valid user
account.
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2829.html

Package: kernel
Date: 02-05-2003
Description:
An updated kernel for 9.0 is available with a number of bug fixes.
Supermount has been completely overhauled and should be solid on all
systems. Other fixes include XFS with high memory, a netfilter fix, a fix
for Sony VAIO DMI, i845 should now work with UDMA, and new support for VIA
C3 is included. Prism24 has been updated so it now works properly on HP
laptops and a new ACPI is included, although it is disabled by default for
broader compatibility.
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2837.html
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2832.html

Package: kerberos
Date: 02-05-2003
Description:
A problem has been found in the Kerberos ftp client. When retrieving a
file with a filename beginning with a pipe character, the ftp client will
pass the filename to the command shell in a system() call. This could
allow a malicious ftp server to write to files outside of the current
directory or execute commands as the user running the ftp client.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2825.html

Package: php
Date: 02-04-2003
Description:
A heap-based buffer overflow was found in the wordwrap() function in PHP
versions after 4.1.2 and before 4.3.0. If wordwrap() is used on
user-supplied input this could allow remote attackers to cause a denial of
service or execute arbitrary code.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2835.html

Package: OpenLDAP
Date: 02-05-2003
Description:
Updated openldap packages are available which fix a number of local and
remote buffer overflows in libldap and the slapd and slurpd servers, and
potential issues stemming from using user-specified LDAP configuration
files.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2839.html

Package: windowmaker
Date: 02-05-2003
Description:
Al Viro found a buffer overflow in Window Maker 0.80.0 and earlier which
may allow remote attackers to execute arbitrary code via a certain image
file that is not properly handled when Window Maker uses width and height
information to allocate a buffer. This could be exploited for example by
a user opening a malicious theme.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2840.html

Package: xpdf
Date: 02-06-2003
Description:
During an audit of CUPS, a printing system, Zen Parsec found an integer
overflow vulnerability in the pdftops filter. Since the code for pdftops
is taken from the Xpdf project, all versions of Xpdf including 2.01 are
also vulnerable to this issue. An attacker could create a PDF file that
could execute arbitrary code. This code would have the same access
privileges as the user who viewed the file with Xpdf.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2841.html
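The Kerberos ftp client item above describes a filename beginning with a pipe character being handed to a shell via system(). The following is an added example, not code from the advisory or from any ftp client: the legacy routing decision beside a hardened filename policy that never involves a shell. The function names, the rejection rules and the sample names are all constructed for illustration.

```c
/*
 * Added example: a remote server controls the name of a file the ftp
 * client is about to store locally.  The legacy behaviour treats a name
 * starting with '|' as a command for the shell; the hardened path below
 * validates the name and creates the file with open(2) directly.
 */
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Mirrors the legacy decision the advisory describes: a leading '|'
 * means the rest of the name is routed to system().  Returns 1 if so. */
int legacy_routes_to_shell(const char *name) {
    return name[0] == '|';
}

/* Constructed hardened policy for a file name received from a server.
 * Accept only a plain, single-component local file name:
 *  - non-empty, at most 255 bytes
 *  - must not start with '|' (shell pipe) or '-' (option confusion)
 *  - no '/', no control characters, no whitespace
 *  - neither "." nor ".."
 * Returns 1 if acceptable, 0 otherwise. */
int validate_remote_filename(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > 255) return 0;
    if (name[0] == '|' || name[0] == '-') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || iscntrl(c) || isspace(c)) return 0;
    }
    return 1;
}

/* Hardened store: validate first, then create the target with O_EXCL so an
 * existing file or symlink of that name is never followed.  No shell is
 * consulted at any point.  Returns the descriptor or -1 on rejection. */
int open_download_target(const char *name) {
    if (!validate_remote_filename(name)) return -1;
    return open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

int main(void) {
    /* Constructed sample names a server might send. */
    const char *samples[] = { "report.txt", "|echo hello", "../etc/passwd", ".." };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s legacy->shell=%d hardened-accept=%d\n", samples[i],
               legacy_routes_to_shell(samples[i]),
               validate_remote_filename(samples[i]));
    return 0;
}
```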
 
Old 02-11-2003, 05:30 AM   #3
unSpawn
Feb 10th 2003 (ISS)

Internet Security Systems


Date Reported: 01/27/2003
Brief Description: Nukebrowser $filhead remote PHP file include
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Nukebrowser 2.1 to 2.41
Vulnerability: nukebrowser-php-file-include
X-Force URL: http://www.iss.net/security_center/static/11217.php

Date Reported: 01/28/2003
Brief Description: WebLogic keystores store plaintext passwords
Risk Factor: Medium
Attack Type: Host Based
Platforms: Windows NT 4.0, Solaris 2.6, HP-UX 11.00, Red Hat
Linux Any version, Solaris 7, Solaris 8, Windows
2000 Server, Windows 2000 Advanced Server, HP-UX
11i, AIX 4.3.3, Windows XP, AIX 5.1L, Windows 2000
Professional, WebLogic Server 7.0, WebLogic Server
7.0.0.1, WebLogic Express 7.0, WebLogic Express
7.0.0.1
Vulnerability: weblogic-keystore-plaintext-passwords
X-Force URL: http://www.iss.net/security_center/static/11220.php

Date Reported: 01/28/2003
Brief Description: WebLogic clustered environment race condition
session sharing
Risk Factor: Medium
Attack Type: Network Based
Platforms: Tru64 UNIX Any version, Windows NT 4.0, Solaris
2.6, HP-UX 11.00, Red Hat Linux Any version, SuSE
Linux Any version, Solaris 7, Solaris 8, Windows
2000 Server, Windows 2000 Advanced Server, WebLogic
Server 6.0, HP-UX 11i, AIX 4.3.3, Windows XP,
WebLogic Express 5.1, Compaq NonStop Himalaya
Servers Any version, AIX 5.1L, Solaris 9, Windows
2000 Professional, OpenVMS Any version, WebLogic
Server 6.1, WebLogic Server 7.0, WebLogic Server
7.0.0.1, WebLogic Express 6.1, WebLogic Express
7.0, WebLogic Express 7.0.0.1, WebLogic Express
6.0, WebLogic Server 5.1, IBM AS/400e OS/400
V4R4/V4R5, IBM Dynix/ptx Any version, IBM S/390
Vulnerability: weblogic-clustered-race-condition
X-Force URL: http://www.iss.net/security_center/static/11221.php

Date Reported: 01/28/2003
Brief Description: IlohaMail compose.php script could allow an
attacker to upload files
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Mac OS X Any version, IlohaMail
prior to 0.7.9
Vulnerability: ilohamail-compose-file-upload
X-Force URL: http://www.iss.net/security_center/static/11251.php

Date Reported: 01/31/2003
Brief Description: SILC stores passwords and session information in
plain text
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, SILC Client Any version
Vulnerability: silc-plaintext-account-information
X-Force URL: http://www.iss.net/security_center/static/11244.php

Date Reported: 01/31/2003
Brief Description: SpamProbe HTML tag new line denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, SpamProbe 0.8a
Vulnerability: spamprobe-newlines-href-dos
X-Force URL: http://www.iss.net/security_center/static/11247.php

Date Reported: 02/02/2003
Brief Description: BladeEnc myFseek() code execution
Risk Factor: Medium
Attack Type: Network Based
Platforms: BSD Any version, Linux Any version, Windows Any
version, Unix Any version, Gentoo Linux Any
version, BladeEnc 0.94.2 and earlier
Vulnerability: bladeenc-myfseek-code-execution
X-Force URL: http://www.iss.net/security_center/static/11227.php

Date Reported: 02/03/2003
Brief Description: PHP-Nuke avatar field could allow an attacker to
execute code
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, PHP-Nuke 6.0 and earlier
Vulnerability: phpnuke-avatar-code-execution
X-Force URL: http://www.iss.net/security_center/static/11229.php

Date Reported: 02/03/2003
Brief Description: OpenBSD chpass user database information disclosure
Risk Factor: Medium
Attack Type: Host Based
Platforms: OpenBSD 2.1, OpenBSD 2.2, OpenBSD 2.3, OpenBSD 2.4,
OpenBSD 2.0, OpenBSD 2.5, OpenBSD 2.6, OpenBSD 2.7,
OpenBSD 2.8, OpenBSD 2.9, OpenBSD 3.0, OpenBSD 3.1,
OpenBSD 3.2
Vulnerability: openbsd-chpass-information-disclosure
X-Force URL: http://www.iss.net/security_center/static/11233.php

Date Reported: 02/03/2003
Brief Description: Majordomo which_access variable set to "open" could
disclose email addresses
Risk Factor: Low
Attack Type: Network Based
Platforms: Unix Any version, Majordomo 2 and earlier
Vulnerability: majordomo-whichaccess-email-disclosure
X-Force URL: http://www.iss.net/security_center/static/11243.php

Date Reported: 02/03/2003
Brief Description: Linux kernel O_DIRECT information leak
Risk Factor: Medium
Attack Type: Host Based
Platforms: Red Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux
7.3, Red Hat Linux 8.0, Mandrake Linux 9.0, Linux
kernel 2.4.10 to 2.4.18
Vulnerability: linux-odirect-information-leak
X-Force URL: http://www.iss.net/security_center/static/11249.php

Date Reported: 02/03/2003
Brief Description: Red Hat Linux pam_xauth could allow an attacker to
gain privileges
Risk Factor: High
Attack Type: Host Based
Platforms: Red Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux
7.3, Red Hat Linux 8.0
Vulnerability: linux-pamxauth-gain-privileges
X-Force URL: http://www.iss.net/security_center/static/11254.php

Date Reported: 02/04/2003
Brief Description: IBM WebSphere uses weak encryption algorithm to
store passwords in an exported XML file
Risk Factor: Medium
Attack Type: Network Based
Platforms: AIX Any version, HP-UX Any version, Linux Any
version, Unix Any version, Windows NT Any version,
Windows 2000 Any version, IBM WebSphere Advanced
Server Edition 4.0.4
Vulnerability: websphere-xml-weak-encryption
X-Force URL: http://www.iss.net/security_center/static/11245.php

Date Reported: 02/04/2003
Brief Description: phpMyNewsletter customize.php unauthorized file
access
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, phpMyNewsletter 0.6.11
Vulnerability: phpmynewsletter-customize-file-access
X-Force URL: http://www.iss.net/security_center/static/11261.php

Date Reported: 02/06/2003
Brief Description: F-Prot FreeBSD for Small Business command line
buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: FreeBSD Any version, F-Prot FreeBSD for Small
Business 3.12b
Vulnerability: fprot-command-line-bo
X-Force URL: http://www.iss.net/security_center/static/11271.php

Date Reported: 02/07/2003
Brief Description: HP-UX /usr/sbin/wall buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: HP-UX Any version
Vulnerability: hp-wall-bo
X-Force URL: http://www.iss.net/security_center/static/11272.php

Date Reported: 02/07/2003
Brief Description: Red Hat Linux uml_net utility could allow an
attacker to gain privileges
Risk Factor: High
Attack Type: Host Based
Platforms: Red Hat Linux 8.0
Vulnerability: linux-umlnet-gain-privileges
X-Force URL: http://www.iss.net/security_center/static/11276.php
 
Old 02-11-2003, 05:31 AM   #4
unSpawn
Feb 10th 2003 (SF)

SecurityFocus

1. SILC Server SSH2 Authentication Password Persistence Weakness
BugTraq ID: 6743
Remote: No
Date Published: Feb 01 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6743
Summary:

SILC (Secure Internet Live Conferencing) is a protocol which provides
secure conferencing services in the Internet.

A problem with SILC may allow the recovery of sensitive information.

It has been reported that SILC does not safely handle password
information. As a result, a local user may be able to recover
authentication passwords.

The problem is in the handling of authentication passwords after
authentication has been negotiated. Correct behavior of such applications
is to remove passwords from memory immediately after authentication has
occurred. However, SILC retains password information in memory, which may
result in recovery by another user with sufficient privileges. In addition
to being present in process memory space, this information may also be
retrieved from memory dumps of processes.

2. myphpPageTool Remote File Include Vulnerability
BugTraq ID: 6744
Remote: Yes
Date Published: Feb 03 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6744
Summary:

myphpPagetool is an application used to maintain a web site using a mysql
database, which stores and manages all web pages and their contents.
myphpPagetool is written in PHP and is available for a variety of
platforms.

myphpPageTool is prone to an issue which may allow remote attackers to
include files located on remote servers. This issue is present in the
index.php, help1.php, help2.php, help3.php, help4.php, help5.php,
help6.php, help7.php, help8.php and help9.php pages existing in the
/doc/admin folder.

Under some circumstances, it is possible for remote attackers to influence
the include path for 'pt_config.inc' to point to an external file on a
remote server by manipulating the $ptinclude URI parameter.

If the remote file is a malicious file, this may be exploited to execute
arbitrary system commands in the context of the webserver.

This vulnerability was reported for myphpPageTool 0.43-1. It is not known
whether other versions are affected.

3. Bladeenc Signed Integer Memory Corruption Vulnerability
BugTraq ID: 6745
Remote: No
Date Published: Feb 03 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6745
Summary:

Bladeenc is an open-source MP3 encoder and is available for a variety of
platforms including Microsoft Windows and Linux and Unix variant operating
systems.

A memory corruption vulnerability has been reported for Bladeenc. Bladeenc
encodes WAV files in 'chunks' of data. The vulnerability exists when
Bladeenc is seeking a WAV file chunk. Specifically, in the function
__myfseek() in the samplein.c source file, an integer value is not
properly verified. When this function is given a negative value, it will
result in the corruption of sensitive areas of memory with
attacker-supplied values.

An attacker can exploit this vulnerability by creating a malicious WAV
file with carefully crafted headers that will cause Bladeenc to execute
malicious attacker-supplied code.

This vulnerability was reported for Bladeenc 0.94.2 and earlier.

4. phpMyShop compte.php SQL Injection Vulnerability
BugTraq ID: 6746
Remote: Yes
Date Published: Feb 03 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6746
Summary:

phpMyShop is an application written in PHP that makes it possible to
manage a web based electronic shop.

phpMyShop, in some cases, does not sufficiently sanitize user-supplied
input which is used when constructing SQL queries. As a result, attackers
may supply malicious parameters to manipulate the structure and logic of
SQL queries. This may result in unauthorized operations being performed on
the underlying database.

This vulnerability was reported to exist in the compte.php script file
distributed with phpMyShop. A remote attacker may exploit this
vulnerability to bypass the authentication/registration process used by
phpMyShop sites.

SQL injection attacks may also potentially be used to exploit latent
vulnerabilities in the underlying database implementation.

This vulnerability was reported for phpMyShop 1.00. It is not known
whether other versions are affected.

5. OpenBSD CHPass Temporary File Link File Content Revealing Vulnerability
BugTraq ID: 6748
Remote: No
Date Published: Feb 03 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6748
Summary:

OpenBSD is a freely available version of the BSD Unix operating system.

A problem in OpenBSD may result in the disclosure of the contents of
specific files.

It has been reported that a vulnerability in chpass may allow local users
to gain access to the content of specific files. This vulnerability
requires that lines in the target file be constructed in a specific
format. The issue also affects the chfn and chsh programs which are hard
links to the chpass binary.

While chpass executes, it is possible for a user to halt the executing
process by sending a SIGSTOP signal to the process via the shell. While
the process is stopped, it is possible for the user to manipulate the
temporary file created by the process, and change the file to a symbolic
link to an arbitrary file. When the process resumes execution, it will
read the content of the linked file. Since the chpass program is a setuid
root executable, this may result in the display of some lines contained in
the file to standard output.

This could allow a local user to read the contents of restricted files,
and may result in further attack against the vulnerable system.

8. PHP-Nuke Avatar HTML Injection Vulnerability
BugTraq ID: 6750
Remote: Yes
Date Published: Feb 03 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6750
Summary:

PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.

A vulnerability has been reported in PHP-Nuke that may result in HTML
injection. The vulnerability occurs because PHP-Nuke does not sanitize
some user-supplied input submitted to a site when selecting 'avatar'
images. Due to this condition, a malicious user may be able to insert
malicious HTML code which will then be displayed to unsuspecting users of
PHP-Nuke forums. Any attacker-supplied code will be interpreted in a
victim user's web browser in the security context of the site hosting the
software.

It may be possible to steal the unsuspecting user's cookie-based
authentication credentials, as well as other sensitive information. It is
also possible to modify or corrupt other users' avatars. Other attacks are
also possible.

This vulnerability was reported for PHP-Nuke 6.0 and earlier.

9. PAM pam_xauth Module Unintended X Session Cookie Access Vulnerability
BugTraq ID: 6753
Remote: No
Date Published: Feb 03 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6753
Summary:

Pluggable Authentication Modules (PAM) is shipped with RedHat Linux 8.0
and earlier, by default. PAM comes with the pam_xauth module which can be
used in conjunction with the su utility to pass X MIT-Magic-Cookies to
newly created sessions.

A vulnerability has been discovered when the pam_xauth module is used in
conjunction with the su utility within an X session. When a user (user1)
runs the su utility to assume the identity of another user (user2),
pam_xauth will create a temporary .xauth cookie file located in the
assumed user's (user2) home directory. The file is created with read-write
only permissions for the assumed user and contains sensitive information
regarding the suing user's X session.

This poses a security risk when a user (user1) runs the su utility to
assume the identity of another user. The real user (user2) is able to read
the contents of the cookie file. The vulnerability lies in the fact that
the cookie file contains sensitive information pertaining to the suing
user's X session. This issue could be exploited by the real user (user2)
to connect to the X server with the credentials of the suing user (user1).

Accessing another user's X session may allow an attacker to obtain
sensitive information otherwise restricted. It may also grant the ability
to run commands with the privileges of the victim user.

This vulnerability could result in elevated privileges in the event that a
higher privileged user made use of the su program to log into the account
of a lower-privileged user. The lower-privileged user could exploit this
issue to gain administrative access to the local system.

It has been reported that this issue does not affect RedHat 7.0.

14. IBM WebSphere Exported XML Password Encoding Weakness
BugTraq ID: 6758
Remote: No
Date Published: Feb 03 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6758
Summary:

IBM WebSphere is a commercial web application server which runs on a
number of platforms including Linux and Unix variants and Microsoft
Windows operating environments.

IBM WebSphere allows administrators to export configuration files to XML.
When the WebSphere configuration file is exported in this manner,
passwords are obfuscated using an easily reversible algorithm.

The algorithm used to obfuscate the password is as follows:

CHARobfuscated(n) = CHARpassword(n) XOR CHAR("_")

where n is the position of the character.

The obfuscated password is then Base64 encoded.

If an attacker gains access to an exported XML configuration file, it is a
trivial task to decode the password.

To exploit this weakness, an administrator must first export the
configuration to XML and then the attacker may gain unauthorized access to
the exported file.

The WebSphere documentation states that exported configurations will
contain encoded (and not encrypted) passwords. Administrators should be
cautious when exporting configuration files.

This issue was reported in IBM WebSphere Advanced Server Edition 4.0.4.
It is not known if the same encoding is used in other versions. However, the
core weakness is that passwords are encoded and may be easier to reverse
than if encrypted using a strong algorithm, so all current versions should
be considered prone to this weakness to some degree.

15. Majordomo Default Configuration Remote List Subscriber Disclosure Vulnerability
BugTraq ID: 6761
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6761
Summary:

Majordomo is a freely available, open source mailing list management
software package. It is available for Unix, Linux, and Microsoft Windows
platforms.

A problem with Majordomo may allow remote users to gain access to
sensitive information.

It has been reported that Majordomo does not sufficiently guard list
subscriber information. By sending specific commands to a default
implementation, a remote user may be able to gain access to the list of
mailing list subscribers. This issue is documented in the Majordomo
documentation.

The problem is in the default configuration of the mailing list manager.
The software does not place sufficient access controls on the ability of
users to execute the which command. By sending the command "which @",
remote users may be able to list the entire member base of the list,
resulting in a loss of privacy.

It should be noted that in the Majordomo 2 branch, this vulnerability is
limited to gaining access to one address per submission per list.

17. Linux O_DIRECT Direct Input/Output Information Leak Vulnerability
BugTraq ID: 6763
Remote: No
Date Published: Feb 04 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6763
Summary:

The Linux Kernel is the core of the Linux operating system. It is
distributed by various Linux distributions.

A problem with the O_DIRECT flag could make it possible for local users to
gain access to potentially sensitive information.

It has been reported that some Linux Kernels do not properly handle
O_DIRECT, which is used for direct input and output. Any user with system
write privileges may be able to read limited information from other files.

This problem could allow a local user to read limited data from current
files, and may be able to read data from previously deleted files. The
ability of an attacker to exploit this issue at will is not known.
Additionally, exploitation could result in minor corruption of the file
system, which would require repair with the fsck utility.

It should be noted that this vulnerability cannot be exploited on systems
using a vulnerable kernel and the EXT3 file system.

22. Epic Games Unreal Engine Memory Consumption Denial Of Service Vulnerability
BugTraq ID: 6770
Remote: Yes
Date Published: Feb 05 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6770
Summary:

Epic Games' Unreal Engine is a 3D game engine used by Unreal and many
other games.

A memory exhaustion vulnerability has been reported for several games
using some versions of the Unreal Engine.

The Unreal Engine includes a facility to provide networked gaming to its
users and uses a method known as 'Compact Indices' in an attempt to save
some network bandwidth. Unreal Engine allocates memory based on the index
value included in client-supplied packets. Due to inconsistent
interpretation of integers, it is possible for attackers to cause the
server to allocate large amounts of memory by sending a packet with a
negative index value.

This likely occurs due to maximum index checks being performed on the
index value as a signed integer.

There are currently no fixes available.
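Items 3 (Bladeenc __myfseek()) and 22 (Unreal Engine compact indices) above describe the same mistake: a signed value is checked only against a maximum, so a negative length or index passes and then drives a seek or an allocation. The following is an added example, not code from either project, showing the vulnerable check beside a hardened one; the packet layout, the MAX_INDEX and ENTRY_SIZE limits, and the sample values are constructed for illustration.

```c
/*
 * Added example: signed-integer validation done wrong and done right.
 * Neither the Unreal Engine's packet format nor Bladeenc's WAV parser is
 * reproduced here; a 4-byte little-endian index stands in for both.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_INDEX   1024   /* constructed: largest index a client may send */
#define ENTRY_SIZE  16     /* constructed: bytes allocated per index slot  */

/* Decode a constructed 4-byte little-endian two's-complement index from a
 * client packet; ff ff ff ff therefore decodes to -1. */
int32_t read_index_le(const uint8_t pkt[4]) {
    uint32_t u = (uint32_t)pkt[0] | ((uint32_t)pkt[1] << 8) |
                 ((uint32_t)pkt[2] << 16) | ((uint32_t)pkt[3] << 24);
    if (u <= (uint32_t)INT32_MAX) return (int32_t)u;
    return -(int32_t)(UINT32_MAX - u) - 1;   /* portable sign conversion */
}

/* Vulnerable: only the upper bound is checked, on the signed value.  -1
 * passes, converts to SIZE_MAX, and the multiplication wraps to an enormous
 * allocation size.  Returns 1 if accepted (and sets *bytes), 0 if rejected. */
int alloc_size_vulnerable(int32_t index, size_t *bytes) {
    if (index > MAX_INDEX)
        return 0;
    *bytes = (size_t)index * ENTRY_SIZE;
    return 1;
}

/* Hardened: reject negatives before any conversion to an unsigned type, then
 * apply the upper bound; the product is now at most MAX_INDEX * ENTRY_SIZE. */
int alloc_size_hardened(int32_t index, size_t *bytes) {
    if (index < 0 || index > MAX_INDEX)
        return 0;
    *bytes = (size_t)index * ENTRY_SIZE;
    return 1;
}

/* The Bladeenc side of the same mistake: a chunk length taken from a WAV
 * header is used as a seek distance.  Hardened form: the length must be
 * non-negative and must not run past the end of the file.  Returns 1 if the
 * seek from pos by chunk_len stays inside a file of file_len bytes. */
int chunk_seek_hardened(int32_t chunk_len, long pos, long file_len) {
    if (chunk_len < 0 || pos < 0 || pos > file_len)
        return 0;
    return (long)chunk_len <= file_len - pos;
}

int main(void) {
    const uint8_t hostile[4] = {0xff, 0xff, 0xff, 0xff};  /* constructed: -1 */
    const uint8_t benign[4]  = {0x05, 0x00, 0x00, 0x00};  /* constructed:  5 */
    const uint8_t *pkts[2] = { hostile, benign };
    for (int i = 0; i < 2; i++) {
        int32_t idx = read_index_le(pkts[i]);
        size_t nv = 0, nh = 0;
        int av = alloc_size_vulnerable(idx, &nv);
        int ah = alloc_size_hardened(idx, &nh);
        printf("index %d: vulnerable accepts=%d (%zu bytes), hardened accepts=%d (%zu bytes)\n",
               idx, av, nv, ah, nh);
    }
    return 0;
}
```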
 
Old 02-17-2003, 07:16 AM   #5
unSpawn
Feb 14th 2003 (LAW)

Linux Advisory Watch

Package: w3m
Date: 02-07-2003
Description:
An XSS vulnerability in w3m 0.3.2 allows remote attackers to insert
arbitrary HTML and web script into frames. Frames are disabled by default
in the version of w3m shipped with Red Hat Linux. Therefore, this problem
will not appear as long as users do not use w3m with the -F option, or
enable frame support in either the /etc/w3m/w3mconfig or ~/.w3m/config
configuration files. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1335 to this issue.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2826.html
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2846.html

Package: uml-net
Date: 02-07-2003
Description:
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2844.html

Package: hypermail
Date: 02-07-2003
Description:
An attacker could craft a long filename for an attachment that would
overflow two buffers when a certain option for interactive use was given,
opening the possibility to inject arbitrary code. This code would then be
executed under the user id hypermail runs as, mostly as a local user.
Automatic and silent use of hypermail does not seem to be affected.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2845.html

Package: postgresql
Date: 02-11-2003
Description:
Vulnerabilities were discovered in the Postgresql relational database by
Mordred Labs. These vulnerabilities are buffer overflows in the rpad(),
lpad(), repeat(), and cash_words() functions. The Postgresql developers
also fixed a buffer overflow in functions that deal with time/date and
timezone.
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2847.html

Package: lynx
Date: 02-11-2003
Description:
Updated lynx packages are available that fix an error in the way lynx
parses its command line arguments, which can lead to faked headers being
sent to a web server.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2848.html

Package: python
Date: 02-11-2003
Description:
An insecure use of a temporary file has been found in Python. This
erratum provides updated Python packages.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2849.html

Package: pam_xauth
Date: 02-11-2003
Description:
Updated PAM packages are now available for Red Hat Linux 7.1, 7.2, 7.3,
and 8.0. These packages correct a bug in pam_xauth's handling of
authorization data for the root user.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2850.html

Package: fileutils
Date: 02-12-2003
Description:
A race condition in the recursive use of 'rm' and 'mv' in fileutils 4.1
and earlier could allow local users to delete files and directories (as
the user running fileutils) if the user has write access to part of the
tree being moved or deleted.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2851.html

Package: mozilla
Date: 02-13-2003
Description:
A remote attacker could exploit these vulnerabilities by creating
malicious web pages that, when accessed, would crash the browser,
potentially allow remote arbitrary code execution or cause some sort of
unexpected behavior.
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2853.html
 
  

