Old 10-29-2002, 08:19 AM   #1
unSpawn
Moderator
 
LQ weekly security rep - Tue Oct 29th 2002


Oct 28th 2002
21 of 32 issues handled (SF)
1. Multiple VBulletin Cross Site Scripting Vulnerabilities
2. Perlbot Remote Command Execution Vulnerability
3. Perlbot Email Sending Remote Command Execution Vulnerability
6. YaBB Login Cross-Site Scripting Vulnerability
8. Hans Persson Molly Multiple Remote Command Execution Vulnerabilities
9. Perlbot Text Variable Remote Command Execution Vulnerability
10. Perlbot Filename Variable Remote Command Execution Vulnerability
11. IPFilter FTP Proxy Unauthorized Access Vulnerability
12. Multiple Vendor IPSec Implementation Denial of Service Vulnerabilities
14. D-Link DWL-900AP+ TFTP Server Arbitrary File Retrieval Vulnerability
15. KMMail E-Mail HTML Injection Vulnerability
17. YPServ Remote Network Information Leakage Vulnerability
18. Fragrouter Trojan Horse Vulnerability
19. PHP Arena PAFileDB Rate File Cross-Site Scripting Vulnerability
20. PHP Arena PAFileDB Email To Friend Cross-Site Scripting Vulnerability
21. PHP Arena PAFileDB Download Cross-Site Scripting Vulnerability
22. PHP Arena PAFileDB Search Cross-Site Scripting Vulnerability
23. Multiple Firewall Vendor Packet Flood State Table Filling Vulnerability
24. Multiple Vendor kadmind Remote Buffer Overflow Vulnerability
28. Mod_SSL Wildcard DNS Cross Site Scripting Vulnerability
30. Virgil CGI Scanner Remote Command Execution Vulnerability

Oct 28th 2002
30 of 58 issues handled (ISS)
Linux kernel 2.4.x ixj telephony card driver could allow root privileges
Linux kernel 2.4.x pcilynx firewire driver could allow root privileges
Linux kernel 2.4.x bttv video capture card driver could allow root privileges
Multiple firewall full state table denial of service
Apache HTTP Server htpasswd temporary file race condition
Apache HTTP Server htdigest temporary file race condition
Apache HTTP Server htdigest multiple buffer overflows
Apache HTTP Server htdigest insecure system() call could allow command execution
IP Filter could allow an attacker to bypass firewall rules
IPsec short packet integer overflow
top level domain (TLD) DNS servers AXFR query zone information disclosure
top level domain (TLD) DNS servers AXFR query denial of service
paFileDB pafiledb.php script cross-site scripting
paFileDB URL request cross-site scripting
D-Link DWL-900AP+ TFTP server could allow an attacker to obtain sensitive information
fragrouter downloads could contain a backdoor
Kerberos 4 compatibility administration daemon (kadmind) buffer overflow
Virgil CGI Scanner could allow an attacker to execute remote commands
gBook MySQL could allow administrative access
Apache mod_ssl HTTP Server "Host:" header cross-site scripting
IBM Web Traffic Express (WTE) /cgi-bin/helpout.exe
IBM Web Traffic Express (WTE) HTML tag cross-site scripting
IBM Web Traffic Express (WTE) HTTP header injection cross-site scripting
phpnewsDev include() function could allow an attacker to execute code
MyMarket form_header.php script cross-site scripting
trek keyboard input local buffer overflow
vpopmail-CgiApps vpasswd could allow remote code execution
vpopmail-cgiApps vadddomain could allow remote code execution
D-Link DSL-500 and DSL-504 ADSL routers have a default telnet password
Linksys WET11 spoofed Ethernet frame denial of service

Last edited by unSpawn; 10-29-2002 at 01:02 PM.
 
Old 10-29-2002, 08:21 AM   #2
unSpawn
Moderator
Oct 28th 2002 (ISS)

Internet Security Systems

Date Reported: 10/15/2002
Brief Description: Linux kernel 2.4.x ixj telephony card driver could allow root privileges
Risk Factor: High
Attack Type: Host Based
Platforms: Red Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux 7.3, Red Hat Linux 8.0, Linux kernel 2.4.x to 2.4.18
Vulnerability: linux-ixj-root-privileges
X-Force URL: http://www.iss.net/security_center/static/10417.php

Date Reported: 10/15/2002
Brief Description: Linux kernel 2.4.x pcilynx firewire driver could allow root privileges
Risk Factor: High
Attack Type: Host Based
Platforms: Red Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux 7.3, Red Hat Linux 8.0, Linux kernel 2.4.x to 2.4.18
Vulnerability: linux-pcilynx-root-privileges
X-Force URL: http://www.iss.net/security_center/static/10418.php

Date Reported: 10/15/2002
Brief Description: Linux kernel 2.4.x bttv video capture card driver could allow root privileges
Risk Factor: High
Attack Type: Host Based
Platforms: Red Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux 7.3, Red Hat Linux 8.0, Linux kernel 2.4.x to 2.4.18
Vulnerability: linux-bttv-root-privileges
X-Force URL: http://www.iss.net/security_center/static/10419.php

Date Reported: 10/15/2002
Brief Description: Multiple firewall full state table denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any Firewall All versions
Vulnerability: firewall-state-table-dos
X-Force URL: http://www.iss.net/security_center/static/10449.php

Date Reported: 10/16/2002
Brief Description: Apache HTTP Server htpasswd temporary file race condition
Risk Factor: Medium
Attack Type: Host Based
Platforms: Unix Any version, Apache HTTP Server 1.3.27 and earlier, Linux Any version, Windows Any version
Vulnerability: apache-htpasswd-tmpfile-race
X-Force URL: http://www.iss.net/security_center/static/10412.php

Date Reported: 10/16/2002
Brief Description: Apache HTTP Server htdigest temporary file race condition
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, Apache HTTP Server 1.3.27 and earlier
Vulnerability: apache-htdigest-tmpfile-race
X-Force URL: http://www.iss.net/security_center/static/10413.php

Date Reported: 10/16/2002
Brief Description: Apache HTTP Server htdigest multiple buffer overflows
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, Apache HTTP Server 1.3.27 and earlier
Vulnerability: apache-htdigest-bo
X-Force URL: http://www.iss.net/security_center/static/10414.php

Date Reported: 10/16/2002
Brief Description: Apache HTTP Server htdigest insecure system() call could allow command execution
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, Apache HTTP Server 1.3.27 and earlier
Vulnerability: apache-htdigest-command-execution
X-Force URL: http://www.iss.net/security_center/static/10415.php

Date Reported: 10/17/2002
Brief Description: IP Filter could allow an attacker to bypass firewall rules
Risk Factor: Medium
Attack Type: Network Based
Platforms: BSD Any version, Linux Any version, Unix Any version, IP Filter prior to 3.4.29
Vulnerability: ip-filter-bypass-firewall
X-Force URL: http://www.iss.net/security_center/static/10409.php

Date Reported: 10/17/2002
Brief Description: IPsec short packet integer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms: ES.One 2.2 Beta, MacOS X 10.2, NetBSD 1.5 and later, FreeBSD < 4.7-RELEASE, IX1000 Any version, IX2000 Any version, SEIL/neu routers firmware < 1.63, GNAT Box prior to 3.3.1, FreeS/WAN Any version, InstaGate Any version, MacOS X Server 10.2, BSD/OS 4.2 and later
Vulnerability: ipsec-packet-integer-overflow
X-Force URL: http://www.iss.net/security_center/static/10411.php

Date Reported: 10/18/2002
Brief Description: top level domain (TLD) DNS servers AXFR query zone information disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version
Vulnerability: dns-axfr-zone-information
X-Force URL: http://www.iss.net/security_center/static/10421.php

Date Reported: 10/18/2002
Brief Description: top level domain (TLD) DNS servers AXFR query denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version
Vulnerability: dns-axfr-query-dos
X-Force URL: http://www.iss.net/security_center/static/10422.php


Date Reported: 10/20/2002
Brief Description: paFileDB pafiledb.php script cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, paFileDB 3.0
Vulnerability: pafiledb-script-xss
X-Force URL: http://www.iss.net/security_center/static/10416.php

Date Reported: 10/20/2002
Brief Description: paFileDB URL request cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, paFileDB prior to 3.0
Vulnerability: pafiledb-url-request-xss
X-Force URL: http://www.iss.net/security_center/static/10451.php

Date Reported: 10/21/2002
Brief Description: D-Link DWL-900AP+ TFTP server could allow an attacker to obtain sensitive information
Risk Factor: Medium
Attack Type: Network Based
Platforms: D-Link DWL-900AP+ 2.1, D-Link DWL-900AP+ 2.2
Vulnerability: dlink-tftp-obtain-information
X-Force URL: http://www.iss.net/security_center/static/10424.php

Date Reported: 10/21/2002
Brief Description: fragrouter downloads could contain a backdoor
Risk Factor: High
Attack Type: Network Based
Platforms: BSD Any version, Linux Any version, Unix Any version, fragrouter 1.7
Vulnerability: fragrouter-backdoor
X-Force URL: http://www.iss.net/security_center/static/10426.php

Date Reported: 10/21/2002
Brief Description: Kerberos 4 compatibility administration daemon (kadmind) buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Net Tools PKI Server 1.0, NetBSD 1.5, NetBSD 1.5.1, OpenBSD 3.0, NetBSD 1.5.2, OpenBSD 3.1, NetBSD 1.5.3, NetBSD 1.6, Heimdal prior to 0.5.1, MIT Kerberos 5 krb5-1.2.6 and prior, MIT Kerberos 4 Any version, NetBSD-current pre20021022
Vulnerability: kerberos-kadmind-bo
X-Force URL: http://www.iss.net/security_center/static/10430.php

Date Reported: 10/22/2002
Brief Description: Virgil CGI Scanner could allow an attacker to execute remote commands
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Virgil CGI Scanner 0.9
Vulnerability: virgil-cgi-execute-commands
X-Force URL: http://www.iss.net/security_center/static/10444.php

Date Reported: 10/22/2002
Brief Description: gBook MySQL could allow administrative access
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, gBook 1.4
Vulnerability: gbook-mysql-admin-access
X-Force URL: http://www.iss.net/security_center/static/10455.php

Date Reported: 10/22/2002
Brief Description: Apache mod_ssl HTTP Server "Host:" header cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Debian Linux 2.2, Mandrake Linux 7.2, Mandrake Linux 8.0, Mandrake Single Network Firewall 7.2, Mandrake Linux 8.1, OpenPKG 1.0, Mandrake Linux 8.2, Debian Linux 3.0, OpenPKG CURRENT, Apache HTTP Server 1.3.26, Apache HTTP Server 1.3.9, OpenPKG 1.1, Mandrake Linux 9.0, mod_ssl 2.8.9, mod_ssl 2.4.10
Vulnerability: apache-modssl-host-xss
X-Force URL: http://www.iss.net/security_center/static/10457.php

Date Reported: 10/23/2002
Brief Description: IBM Web Traffic Express (WTE) /cgi-bin/helpout.exe denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms: AIX All versions, Linux Any version, Solaris Any version, Windows 2000 Any version, IBM WebSphere Edge Server 2.0, IBM Web Traffic Express 4.x, IBM Web Traffic Express 3.6
Vulnerability: ibm-wte-helpout-dos
X-Force URL: http://www.iss.net/security_center/static/10452.php

Date Reported: 10/23/2002
Brief Description: IBM Web Traffic Express (WTE) HTML tag cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: AIX All versions, Linux Any version, Solaris Any version, Windows 2000 Any version, IBM WebSphere Edge Server 2.0, IBM Web Traffic Express 4.x, IBM Web Traffic Express 3.6
Vulnerability: ibm-wte-html-xss
X-Force URL: http://www.iss.net/security_center/static/10453.php

Date Reported: 10/23/2002
Brief Description: IBM Web Traffic Express (WTE) HTTP header injection cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: AIX All versions, Linux Any version, Solaris Any version, Windows 2000 Any version, IBM WebSphere Edge Server 2.0, IBM Web Traffic Express 4.x, IBM Web Traffic Express 3.6
Vulnerability: ibm-wte-header-injection
X-Force URL: http://www.iss.net/security_center/static/10454.php

Date Reported: 10/23/2002
Brief Description: phpnewsDev include() function could allow an attacker to execute code
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, phpnewsDev 1.0
Vulnerability: phpnewsdev-include-execute-code
X-Force URL: http://www.iss.net/security_center/static/10456.php

Date Reported: 10/23/2002
Brief Description: MyMarket form_header.php script cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any version, MyMarket 1.71
Vulnerability: mymarket-formheader-xss
X-Force URL: http://www.iss.net/security_center/static/10470.php

Date Reported: 10/24/2002
Brief Description: trek keyboard input local buffer overflow
Risk Factor: Medium
Attack Type: Host Based
Platforms: NetBSD 1.5, NetBSD 1.5.1, NetBSD 1.5.2, NetBSD 1.5.3, NetBSD 1.6, NetBSD-current pre20021019, trek Any version
Vulnerability: trek-keyboard-input-bo
X-Force URL: http://www.iss.net/security_center/static/10458.php

Date Reported: 10/24/2002
Brief Description: vpopmail-CgiApps vpasswd could allow remote code execution
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, FreeBSD Any version, NetBSD Any version, OpenBSD Any version, vpopmail-CgiApps prior to 0.3
Vulnerability: vpopmailcgiapps-vpasswd-code-execution
X-Force URL: http://www.iss.net/security_center/static/10463.php

Date Reported: 10/24/2002
Brief Description: vpopmail-cgiApps vadddomain could allow remote code execution
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, FreeBSD Any version, NetBSD Any version, OpenBSD Any version, vpopmail-CgiApps prior to 0.3
Vulnerability: vpopmailcgiapps-vadddomain-code-execution
X-Force URL: http://www.iss.net/security_center/static/10464.php

Date Reported: 10/24/2002
Brief Description: D-Link DSL-500 and DSL-504 ADSL routers have a default telnet password
Risk Factor: High
Attack Type: Network Based
Platforms: D-Link DSL-500 Any version, D-Link DSL-504 Any version
Vulnerability: dlink-default-telnet-password
X-Force URL: http://www.iss.net/security_center/static/10465.php

Date Reported: 10/25/2002
Brief Description: Linksys WET11 spoofed Ethernet frame denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linksys WET11 1.3.1, Linksys WET11 1.3.2
Vulnerability: linksys-wet11-ethernet-dos
X-Force URL: http://www.iss.net/security_center/static/10472.php
 
Old 10-29-2002, 01:04 PM   #3
unSpawn
Moderator
Oct 28th 2002 (SF)

SecurityFocus

1. Multiple VBulletin Cross Site Scripting Vulnerabilities
BugTraq ID: 5997
Remote: Yes
Date Published: Oct 18 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5997
Summary:

vBulletin is commercial web forum software written in PHP and back-ended
by a MySQL database. It will run on most Linux and Unix variants, as well
as Microsoft operating systems.

vBulletin does not filter HTML tags from URI parameters, making it prone
to cross-site scripting attacks. The vulnerability exists due to
inadequate filtering of the '$scriptpath' and '$url' parameters. The
contents of these variables will be displayed in a few error pages.

As a result, it is possible for a remote attacker to create a malicious
link containing script code which will be executed in the browser of a
legitimate user, in the context of the website running vBulletin.

This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software. Cookie-based authentication credentials may be used by the
attacker to hijack the session of the legitimate user.

2. Perlbot Remote Command Execution Vulnerability
BugTraq ID: 5998
Remote: Yes
Date Published: Oct 18 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5998
Summary:

Perlbot is an IRC bot written in Perl. It depends on Net::IRC and its
goals are simplicity and modularity. It is available for Linux and Unix
operating systems.

A remote command execution vulnerability has been discovered in Perlbot
v1.0 beta.

Reportedly, the script does not properly sanitize the input for the
'$word' variable. Additionally, this input is passed through a function
which invokes the shell directly. If a user enters a command into this
variable, the commands will be executed on the host with the privileges of
Perlbot.

This issue was reported for Perlbot v1.0 beta.

3. Perlbot Email Sending Remote Command Execution Vulnerability
BugTraq ID: 5999
Remote: Yes
Date Published: Oct 18 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5999
Summary:

Perlbot is an IRC bot written in Perl. It depends on Net::IRC and its
goals are simplicity and modularity. It is available for Linux and Unix
operating systems.

A remote command execution vulnerability has been discovered in Perlbot
v1.0 beta.

Reportedly, the script does not properly sanitize the input for the
'$recipient' variable. Additionally, this input is passed through the
open() function which invokes the shell directly. If a user enters a
command into this variable, the commands will be executed on the host with
the privileges of Perlbot.

This issue was reported for Perlbot v1.0 beta.

6. YaBB Login Cross-Site Scripting Vulnerability
BugTraq ID: 6004
Remote: Yes
Date Published: Oct 18 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6004
Summary:

YaBB (Yet Another Bulletin Board) is freely available web forum software
that is written in Perl. YaBB will run on most Unix/Linux variants, MacOS,
and Microsoft Windows 9x/ME/NT/2000/XP platforms.

A cross-site scripting vulnerability has been reported in the YaBB forum
login script. When a user enters an erroneous username/password, the YaBB
forum login script will display an error page containing the values the
user entered. However, HTML tags or script code are not sanitized from
the password error output.

As a result, it is possible for a remote attacker to create a malicious
link to the login page of a site hosting the web forum. The malicious
link may contain arbitrary HTML and script code in the password field.
When this link is visited by an unsuspecting web user, the
attacker-supplied code will be executed in their browser in the security
context of the vulnerable website.

It has been demonstrated that this vulnerability may be exploited to steal
cookie-based authentication credentials. Furthermore, once an attacker
has hijacked a user's session with the credentials it is possible to
change that user's password without needing to further authenticate.

8. Hans Persson Molly Multiple Remote Command Execution Vulnerabilities
BugTraq ID: 6007
Remote: Yes
Date Published: Oct 18 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6007
Summary:

Molly is a small IRC bot that is intended for use in intra-office
environments. It is written in Perl and is maintained by Hans Persson. It
is available for Unix and Linux variant operating systems.

Several remote command execution vulnerabilities have been discovered in
Molly v0.5.

The script 'plugins/nslookup.pl' does not adequately sanitize the input
for the '$host' variable. Additionally, this variable is passed, without
any checks, through the script and invokes the shell directly. If a user
enters a command into this variable, the commands will be executed on the
host with the privileges of Molly.

Other script files that exist in the unsupported 'unusedplugins' folder
are also vulnerable to similar attacks. The files are called 'sms.pl',
'pop.pl', and 'hpled.pl'.

9. Perlbot Text Variable Remote Command Execution Vulnerability
BugTraq ID: 6008
Remote: Yes
Date Published: Oct 18 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6008
Summary:

Perlbot is an IRC bot written in Perl. It depends on Net::IRC and its
goals are simplicity and modularity. It is available for Linux and Unix
operating systems.

A remote command execution vulnerability has been discovered in Perlbot
v1.0 beta.

Reportedly, the Plugins/Misc/SpelCheck/SpelCheck.pm script fails to
properly sanitize the input for the '$text' variable. Additionally, this
input is passed through a function which invokes the shell directly. If a
user enters a semi-colon (;) followed by a command into this variable,
attacker-supplied commands will be executed on the host with the privileges
of Perlbot.

This issue was reported for Perlbot v1.9.2.

10. Perlbot Filename Variable Remote Command Execution Vulnerability
BugTraq ID: 6009
Remote: Yes
Date Published: Oct 18 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6009
Summary:

Perlbot is an IRC bot written in Perl. It depends on Net::IRC and its
goals are simplicity and modularity. It is available for Linux and Unix
operating systems. A remote command execution vulnerability has been
discovered in Perlbot v1.0 beta.

Reportedly, the 'Plog.pl' script does not properly sanitize the input for
the '$filename' variable. Additionally, this input is passed through the
open() function which invokes the shell directly. If a user enters a
command into this variable, the commands will be executed on the host with
the privileges of Perlbot.

This issue was reported for Perlbot v1.0 beta.

11. IPFilter FTP Proxy Unauthorized Access Vulnerability
BugTraq ID: 6010
Remote: Yes
Date Published: Oct 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6010
Summary:

IPFilter is a packet filtering implementation that is in wide use on a
variety of Unix systems. IPFilter includes an in-kernel FTP proxy that
attempts to make access control decisions based on the state of FTP
sessions. A vulnerability has been reported in this component.

In versions of IPFilter prior to 3.4.29, the FTP proxy was vulnerable to a
flaw that allowed for attackers to open ports on FTP servers under certain
circumstances. Attackers may fool vulnerable versions of IPFilter into
opening ports if a FTP server is in use that will echo text from a client
back to the client.

This may result in a violation of security policy and subsequent compromise
if the attacker can exploit services listening on vulnerable ports.

12. Multiple Vendor IPSec Implementation Denial of Service Vulnerabilities
BugTraq ID: 6011
Remote: Yes
Date Published: Oct 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6011
Summary:

IPSec is a set of extensions to IP that provides encryption and
authentication. A vulnerability in several implementations of IPSec
related to handling of malformed ESP packets has been reported. On many
systems, the conditions may be exploited to cause kernel panics.

According to the report, many implementations lack adequate sanity checks
on the header fields of ESP packets. By "spoofing" short ESP packets with
high sequence numbers, it is allegedly possible to cause invalid memory
accesses that will often result in a total system crash.

Implementations based on KAME and FreeSWAN are vulnerable.

14. D-Link DWL-900AP+ TFTP Server Arbitrary File Retrieval Vulnerability
BugTraq ID: 6015
Remote: Yes
Date Published: Oct 21 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6015
Summary:

The DWL-900AP+ is a wireless access point distributed by D-Link.

A problem with DWL-900AP+ systems could make it possible for remote users
to gain access to sensitive information.

The DWL-900AP+ offers an undocumented feature. By default, DWL-900AP+
systems come with a TFTP server enabled by default.

The TFTP server included in DWL-900AP+ firmware may reveal sensitive
information. An attacker logging into the TFTP server may be able to
request various binary data files from the router. This could lead to the
disclosure of sensitive information.

An attacker exploiting this issue could log into the TFTP server to
download the config.img, which contains sensitive information such as the
WEP keys, admin password to the HTTP interface, and network configuration
data. The attacker could also gain access to files eeprom.dat, mac.dat,
wtune.dat, rom.img, normal.img.

15. KMMail E-Mail HTML Injection Vulnerability
BugTraq ID: 6013
Remote: Yes
Date Published: Oct 21 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6013
Summary:

kmMail is an open source web based e-mail client.

kmMail does not sufficiently sanitize HTML and script code from the body
of e-mail messages. As a result, an attacker may send a malicious message
to a user of kmMail that includes arbitrary HTML and script code. If a
user of the webmail system views the malicious message, then the
attacker-supplied code will execute in their web browser in the security
context of the webmail system.

This may allow an attacker to steal cookie-based authentication
credentials from users of the webmail system. Other attacks are also
possible.

This is a variant of the issue described in Bugtraq ID 5173.

17. YPServ Remote Network Information Leakage Vulnerability
BugTraq ID: 6016
Remote: Yes
Date Published: Oct 21 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6016
Summary:

The ypserv daemon is a component of the Network Information Service (NIS),
and is available for Linux and Unix operating systems.

A remotely exploitable information leakage vulnerability has been
discovered in the ypserv daemon. Versions prior to 2.5 are affected.

The 'lib/yp_db.c' file fails to verify whether a request map exists before
allocating memory for needed space, resulting in memory leakage. It has
been reported that by passing a malicious request for a non-existing map to
the ypserv daemon, a remote attacker could potentially access information
from an old domainname and mapname.

Information obtained through exploiting this issue may aid an attacker in
launching further attacks against the target network.

It should be noted that this issue may be similar to the issue described
in bid 5914.

18. Fragrouter Trojan Horse Vulnerability
BugTraq ID: 6022
Remote: Yes
Date Published: Oct 21 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6022
Summary:

fragrouter is a freely available, open source intrusion detection evasion
tool. It is available for the Unix and Linux operating systems.

It has been announced that the server hosting fragrouter, www.anzen.com,
was compromised recently. It has been reported that the intruder made
modifications to the source code of fragrouter to include trojan horse
code. Downloads of the fragrouter source code from www.anzen.com between
October 18, 2002 and October 19, 2002 likely contain the trojan code.

Reports say that the trojan will run once upon compilation of fragrouter.
Once the trojan is executed, it attempts to connect to host
210.224.164.100 on port 6667.

Although unconfirmed, it has been reported that the service listening on
port 6667 of host 210.224.164.100 has been disabled.

It is not known whether, or what other sites are affected in addition to
www.anzen.com.

The maintainers of fragrouter have stated that the fragrouter source code
has not been maintained since release 1.6, a period of approximately 3
years, and that release 1.7 is bogus. The MD5 hash of the bogus release
is 8329c34704287a1fb1e5d6f1ba81f456.

The posting of the trojaned version of fragrouter was additionally
announced on the cisco-nsp and linux-kernel mailing lists. Additionally,
the trojan displays similarity to those found in irssi, fragroute, BitchX,
OpenSSH, and Sendmail.

19. PHP Arena PAFileDB Rate File Cross-Site Scripting Vulnerability
BugTraq ID: 6019
Remote: Yes
Date Published: Oct 21 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6019
Summary:

PHP Arena paFileDB is an application which allows webmasters to post files
for download on a website. It is implemented in PHP and is available for
Unix and Linux variants as well as Microsoft Windows operating systems.

paFileDB is prone to cross-site scripting attacks.

An attacker may construct a malicious link to the vulnerable script which
contains arbitrary HTML and script code. If this link is visited by a web
user, the attacker-supplied code will execute in their web client in the
security context of the paFileDB site.

This issue is in the "Rate File" function of the paFileDB script.

An attacker may potentially exploit this to steal cookie-based
authentication credentials. Other attacks are also possible.

20. PHP Arena PAFileDB Email To Friend Cross-Site Scripting Vulnerability
BugTraq ID: 6018
Remote: Yes
Date Published: Oct 21 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6018
Summary:

PHP Arena paFileDB is an application which allows webmasters to post files
for download on a website. It is implemented in PHP and is available for
Unix and Linux variants as well as Microsoft Windows operating systems.

paFileDB is prone to cross-site scripting attacks.

An attacker may construct a malicious link to the vulnerable script which
contains arbitrary HTML and script code. If this link is visited by a web
user, the attacker-supplied code will execute in their web client in the
security context of the paFileDB site.

This issue is in the "Email to Friend" function of the paFileDB script.

An attacker may potentially exploit this to steal cookie-based
authentication credentials. Other attacks are also possible.

21. PHP Arena PAFileDB Download Cross-Site Scripting Vulnerability
BugTraq ID: 6020
Remote: Yes
Date Published: Oct 21 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6020
Summary:

PHP Arena paFileDB is an application which allows webmasters to post files
for download on a website. It is implemented in PHP and is available for
Unix and Linux variants as well as Microsoft Windows operating systems.

paFileDB is prone to cross-site scripting attacks.

An attacker may construct a malicious link to the vulnerable script which
contains arbitrary HTML and script code. If this link is visited by a web
user, the attacker-supplied code will execute in their web client in the
security context of the paFileDB site.

This issue is in the "Download" function of the paFileDB script.

An attacker may potentially exploit this to steal cookie-based
authentication credentials. Other attacks are also possible.

22. PHP Arena PAFileDB Search Cross-Site Scripting Vulnerability
BugTraq ID: 6021
Remote: Yes
Date Published: Oct 21 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6021
Summary:

PHP Arena paFileDB is an application which allows webmasters to post files
for download on a website. It is implemented in PHP and is available for
Unix and Linux variants as well as Microsoft Windows operating systems.

paFileDB is prone to cross-site scripting attacks.

An attacker may construct a malicious link to the vulnerable script which
contains arbitrary HTML and script code. If this link is visited by a web
user, the attacker-supplied code will execute in their web client in the
security context of the paFileDB site.

This issue is reported to be exploitable by providing HTML and script code
as a search string.

An attacker may potentially exploit this to steal cookie-based
authentication credentials. Other attacks are also possible.
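The three paFileDB entries above describe the same root cause: a request parameter (here the search string) is written back into the page without HTML escaping. The fix on the server side is to escape the five characters that can break out of a text node or attribute before echoing. The following C routine is an added example written for this digest, not code from paFileDB or from the advisory; the page fragment it builds ("Results for: ...") is a constructed stand-in for whatever the real script echoes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Longest replacement is "&quot;" (6 bytes) for a single input byte. */
#define HTML_ESC_MAX_GROWTH 6

/* Escape the characters that let untrusted text break out of an HTML
 * text node or attribute value. Returns a freshly malloc'd string the
 * caller frees, or NULL on allocation failure. */
char *html_escape(const char *in)
{
    size_t n = strlen(in);
    /* Worst case: every byte expands to 6 bytes, plus the NUL. Guard the
     * multiplication so a huge input cannot wrap the size computation. */
    if (n > (SIZE_MAX - 1) / HTML_ESC_MAX_GROWTH)
        return NULL;
    char *out = malloc(n * HTML_ESC_MAX_GROWTH + 1);
    if (!out)
        return NULL;
    char *p = out;
    for (const char *s = in; *s; s++) {
        const char *rep;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   *p++ = *s; continue;
        }
        size_t len = strlen(rep);
        memcpy(p, rep, len);
        p += len;
    }
    *p = '\0';
    return out;
}

/* Build the "you searched for ..." fragment the way a hardened script
 * would: the user-supplied search string goes through html_escape()
 * before it is placed in the markup. Returns bytes written, or -1 if
 * escaping failed or the output buffer was too small. */
int render_search_echo(const char *search, char *buf, size_t buflen)
{
    char *safe = html_escape(search);
    if (!safe)
        return -1;
    int w = snprintf(buf, buflen, "<p>Results for: %s</p>", safe);
    free(safe);
    return (w < 0 || (size_t)w >= buflen) ? -1 : w;
}
```

The escaper is context-specific: it is correct for HTML text and quoted attribute values, but a value placed inside a JavaScript string or a URL needs that context's own encoding, which is why checking "is the output escaped for where it lands" is the review question for each of the four paFileDB functions listed.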

23. Multiple Firewall Vendor Packet Flood State Table Filling Vulnerability
BugTraq ID: 6023
Remote: Yes
Date Published: Oct 21 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6023
Summary:

A vulnerability has been discovered in multiple firewall systems that
could make denial of service attacks possible.

It has been reported that many firewalls do not properly handle certain
types of input. Firewall systems that maintain state could be attacked
and forced into a situation where all service is denied. This condition
would occur as a result of certain types of traffic floods.

It has been reported that this vulnerability may be exploited through
various attack methods.

One method that can be used is a TCP Syn flood. By launching a TCP Syn
flood, especially one using multiple spoofed source IP addresses, an
attacker could fill the state table of a vulnerable firewall.

Another method is to use UDP packets with numerous spoofed source
addresses. By sending large amounts of UDP packets to a vulnerable
firewall, an attacker could fill the state table to the point that further
entries could not be made.

The final method identified for this type of attack is one called the
"Crikey CRC Flood". An attacker sending transport-layer (layer 4 of the
OSI model) packets such as TCP or UDP with invalid checksums could fill
the firewall state table.

The use of these types of attacks requires a fundamental flaw in firewall
design, or configuration. The flaw requires that the firewall state table
be designed, or at least configured, to eliminate firewall state table
entries at a slower speed than they are added.

A comprehensive listing of affected products is not available at this
time. Updates will be made if more information about affected vendors and
products becomes available.

24. Multiple Vendor kadmind Remote Buffer Overflow Vulnerability
BugTraq ID: 6024
Remote: Yes
Date Published: Oct 21 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6024
Summary:

The kadmind daemon is a server for allowing remote administrative access
to Kerberos databases.

A vulnerability has been discovered in the kadmind daemon.

It has been reported that kadmind is vulnerable to a remotely exploitable
buffer overflow. This issue is due to insufficient bounds checking in the
kadm_ser_in() function. The function fails to verify the size of
'authent.length' before copying data, of 'authent.length' size, into
'authent.dat', resulting in a buffer being overrun.

An attacker can exploit this issue by making a request that will overflow
the buffer on the system stack. This could potentially allow an attacker
to overwrite sensitive locations in memory, such as a return address,
resulting in the execution of arbitrary code with the privileges of the
kadmind process.
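The defect described for kadm_ser_in() is a length field taken from the request and used directly as the copy size into a fixed buffer. The routine below shows the check that was missing, as an added example for this digest: it is not the kadmind code, the KTEXT-like struct and MAX_KTXT_LEN value are assumptions, and the [4-byte length][data] wire layout is a constructed stand-in for the real request encoding. The point is the order of the two checks: bound by the destination size first, then by the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a Kerberos 4 KTEXT: a length field and a
 * fixed-size data buffer. MAX_KTXT_LEN is an assumed size for the
 * example, not a value taken from the advisory. */
#define MAX_KTXT_LEN 1250
struct ktext {
    int length;
    unsigned char dat[MAX_KTXT_LEN];
};

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Read a request of the form [4-byte big-endian length][length bytes] into
 * `out`. The advisory describes a copy of authent.length bytes into
 * authent.dat with no check on authent.length; this version refuses
 * anything larger than the destination or larger than the bytes actually
 * present, so the memcpy can never run past out->dat or past the input. */
enum parse_status read_authent(const unsigned char *req, size_t req_len, struct ktext *out)
{
    if (req_len < 4)
        return PARSE_TRUNCATED;
    uint32_t len = ((uint32_t)req[0] << 24) | ((uint32_t)req[1] << 16) |
                   ((uint32_t)req[2] << 8)  |  (uint32_t)req[3];
    /* Bound by the destination first: this is the check the vulnerable
     * code lacked. Comparing as unsigned also defeats negative lengths. */
    if (len > sizeof out->dat)
        return PARSE_TOO_LONG;
    /* Then bound by what the client actually sent, so a short packet with
     * a large length field cannot cause an over-read either. */
    if (len > req_len - 4)
        return PARSE_TRUNCATED;
    memcpy(out->dat, req + 4, len);
    out->length = (int)len;
    return PARSE_OK;
}

/* Build a constructed request buffer: length prefix followed by `present`
 * filler bytes. `claimed_len` may differ from `present` to model a client
 * that lies about the payload size. Returns bytes written, or 0 if the
 * buffer is too small. */
size_t build_request(unsigned char *buf, size_t buflen, uint32_t claimed_len, size_t present)
{
    if (buflen < 4 + present)
        return 0;
    buf[0] = (unsigned char)(claimed_len >> 24);
    buf[1] = (unsigned char)(claimed_len >> 16);
    buf[2] = (unsigned char)(claimed_len >> 8);
    buf[3] = (unsigned char)claimed_len;
    memset(buf + 4, 'A', present);
    return 4 + present;
}
```

A reviewer auditing similar network daemons looks for the same pattern: any `memcpy`, `bcopy` or loop whose count comes from the peer must be compared against `sizeof` the destination before the copy, and the comparison must be done on an unsigned value so a negative field does not slip past a signed check.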

28. Mod_SSL Wildcard DNS Cross Site Scripting Vulnerability
BugTraq ID: 6029
Remote: Yes
Date Published: Oct 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6029
Summary:

Mod_SSL is an implementation of SSL (Secure Socket Layer) for the Apache
webserver. The Apache HTTP Server is a popular open-source HTTP server for
multiple platforms, including Windows and Unix.

A cross site scripting vulnerability has been discovered in mod_ssl.

It has been reported that Apache v1.x, when using the mod_ssl module will
return an unescaped server name in response to HTTP requests on SSL ports.

When Apache must construct a self-referencing URL, it will behave in one
of two manners, depending on the value of the 'UseCanonicalName' option.
With the option enabled, Apache will use the ServerName and Port values to
form a canonical name. With this option turned off, Apache will attempt to
use the hostname and port supplied by the client.

It should be noted that the existence of this vulnerability is limited to
configurations with both the 'UseCanonicalName' option turned off and
wildcard DNS enabled.

If all of these circumstances are met, an attacker may be able to exploit
this issue via a malicious link containing arbitrary HTML and script code
as part of the hostname. When the malicious link is clicked by an
unsuspecting user, the attacker-supplied HTML and script code will be
executed by their web client. This will occur because the server will echo
back the malicious hostname supplied in the client's request, without
sufficiently escaping HTML and script code.

An attacker may exploit this vulnerability by enticing a victim user to
follow a malicious link. Attacker-supplied HTML and script code may be
executed on a web client visiting the malicious link in the context of the
webserver.

Attacks of this nature may make it possible for attackers to manipulate
web content or to steal cookie-based authentication credentials. It may be
possible to take arbitrary actions as the victim user.

30. Virgil CGI Scanner Remote Command Execution Vulnerability
BugTraq ID: 6031
Remote: Yes
Date Published: Oct 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6031
Summary:

Virgil CGI Scanner is a remote vulnerability auditing tool written in the
Bash Scripting language. It is available for the Linux and Unix operating
systems.

A vulnerability has been discovered in Virgil CGI Scanner.

It has been reported that the Virgil CGI Scanner fails to sufficiently
sanitize user-supplied input in the $TARGET and $ZIELPORT variables. The
software passes these variables as part of a command line argument,
potentially allowing characters to be passed, which could cause arbitrary
commands to be executed.

By exploiting this issue, a remote attacker may be able to cause arbitrary
commands to be executed on the system, with the privileges of the
webserver process.
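The mod_ssl entry (item 28) and the Virgil entry (item 30) share a defensive fix beyond their configuration-level workarounds: a hostname or port that arrives from the client is validated against the grammar such a value can legitimately have before it is echoed into a page or placed on a command line. Angle brackets, quotes and shell metacharacters are simply not hostname or port characters. The two validators below are an added example written for this digest, not code from Apache, mod_ssl or Virgil; the name `valid_hostname` and `valid_port` and the RFC 1123 label rules they apply are the author's choices for the example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Accept only RFC 1123 hostnames: 1-253 characters, dot-separated labels
 * of 1-63 letters, digits or hyphens, no leading or trailing hyphen, no
 * empty label (so a trailing dot is rejected too). Anything else,
 * including the '<', '>' and quote characters an injected script needs,
 * never reaches the page or the command line. Returns 1 if valid. */
int valid_hostname(const char *h)
{
    size_t total = strlen(h);
    if (total == 0 || total > 253)
        return 0;
    size_t label = 0;
    for (size_t i = 0; i <= total; i++) {
        char c = h[i];
        if (c == '.' || c == '\0') {
            /* Label boundary: must be non-empty, <= 63, not end in '-'. */
            if (label == 0 || label > 63)
                return 0;
            if (h[i - 1] == '-')
                return 0;
            label = 0;
            continue;
        }
        if (label == 0 && c == '-')
            return 0;
        if (!isalnum((unsigned char)c) && c != '-')
            return 0;
        label++;
    }
    return 1;
}

/* Parse a TCP/UDP port: decimal digits only, 1-65535. Returns the port or
 * -1. strtol alone would accept "+80", " 80" or "80;id" by stopping at the
 * first non-digit, so every character is checked first. */
int valid_port(const char *s)
{
    if (*s == '\0' || strlen(s) > 5)
        return -1;
    for (const char *p = s; *p; p++)
        if (!isdigit((unsigned char)*p))
            return -1;
    long v = strtol(s, NULL, 10);
    return (v >= 1 && v <= 65535) ? (int)v : -1;
}

/* Gate for a scanner-style tool that receives a target and a port from a
 * web form (the $TARGET / $ZIELPORT case): both values must validate
 * before anything is executed. Returns 0 on success and stores the port. */
int check_scan_args(const char *target, const char *port_str, int *port_out)
{
    if (!valid_hostname(target))
        return -1;
    int port = valid_port(port_str);
    if (port < 0)
        return -1;
    *port_out = port;
    return 0;
}
```

Even after validation, a program that launches another tool should pass the values as separate `execv` argument vector entries rather than interpolating them into a string handed to `sh -c`; validation removes the dangerous characters, and argv passing removes the shell that would have interpreted them. For the mod_ssl case the same validator applied to the client-supplied hostname lets the server fall back to its configured ServerName whenever the value fails, which is what `UseCanonicalName On` achieves unconditionally.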