LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   LQ weekly security report - Nov 11th 2003 (http://www.linuxquestions.org/questions/linux-security-4/lq-weekly-security-report-nov-11th-2003-a-115007/)

unSpawn 11-11-2003 07:35 PM

LQ weekly security report - Nov 11th 2003
 
Nov 10th 2003
27 of 47 issues handled (SF)
1. Sun Java Installation File Corruption Vulnerability
2. BEA WebLogic InteractiveQuery.jsp Cross-Site Scripting Vulne...
7. Tritanium Scripts Tritanium Bulletin Board Unauthorized Acce...
9. Mldonkey Web Interface Error Message Cross-site Scripting Vu...
13. DATEV Nutzungskontrolle Unauthorized Access Vulnerability
14. Multiple Ethereal Protocol Dissector Vulnerabilities
15. Cups Internet Printing Protocol Job Loop Denial Of Service V...
16. Bugzilla Multiple Vulnerabilities
18. Synthetic Reality SymPoll Cross-Site Scripting Vulnerability
19. Web Wiz Forum Unauthorized Private Forum Access Vulnerabilit...
20. MPM Guestbook Cross-Site Scripting Vulnerability
21. ThWboard Cross-Site Scripting Vulnerability
22. PHPKit Include.PHP Cross-Site Scripting Vulnerability
23. ThWboard SQL Injection Vulnerability
25. PHPRecipeBook Unspecified Cross-Site Scripting/HTML Injectio...
26. OpenBSD isakmpd Multiple IKE Payload Handling Security Weakn...
28. Oracle9iAS Portal Component SQL Injection Vulnerability
32. OpenSSL ASN.1 Large Recursion Remote Denial Of Service Vulne...
34. OpenAutoClassifieds Listing Parameter Cross-Site Scripting V...
35. CDE LibDTHelp DTHelpUserSearchPath Local Buffer Overflow Vul...
36. John Beatty Easy PHP Photo Album dir Parameter HTML Injectio...
37. OpenBSD Local Malformed Binary Execution Denial of Service V...
40. Multiple Vendor S/MIME ASN.1 Parsing Denial of Service Vulne...
41. Clearswift MAILsweeper for SMTP Zip Archive Filtering Bypass...
42. X-CD-Roast Local Insecure File Creation Symlink Vulnerabilit...
46. Linux Kernel Trojan Horse Vulnerability
47. Ganglia gmond Malformed Packet Remote Denial of Service Vuln...

Nov 10th 2003
37 of 56 issues handled (ISS)
PHPRecipeBook recipe cross-site scripting
MPM Guestbook Ing parameter cross-site scripting
Ethereal GTP MSISDN buffer overflow
Ethereal ISAKMP and MEGACO packet buffer overflow
Ethereal SOCKS protocol dissector heap overflow
frox FTP Proxy port scan denial of service
ThWboard multiple fields cross-site scripting
ThWboard multiple SQL injection
Tritanium Bulletin Board thread_id could allow an
Nutzungskontrolle imported registry key could
PHPKIT include.php cross-site scripting
Oracle Application Server Portal components SQL
Bugzilla product name SQL injection
OpenSSL ASN.1 sequence denial of service
Bugzilla URL SQL injection
Bugzilla group ID allows attacker to gain
Bugzilla allows attacker to obtain summary of bug
Multiple vendor X.400 protocol implementations
Bugzilla describecomponents.cgi script allows
Multiple vendor S/MIME protocol implementation
OpenAutoClassifieds friendmail.php script cross-
Unichat non-alphanumeric characters denial of
X-CD-Roast symlink attack
OpenBSD ibcs2_exec.c and exec_elf.c denial of
MLdonkey cross-site scripting
MLdonkey administrative interface allows attacker
OpenBSD isakmpd daemon does not apply encryption to
OpenBSD ISAKMP daemon encryption failure
Sympoll index.php cross-site scripting
Ganglia gmond denial of service
DB2 db2start, db2stop, and db2govd binaries contain
PowerPortal search forum cross-site scripting
terminatorX buffer overflows in parse_arg function
termintorX tX_ladspa.cc buffer overflow
terminatorX tx_note function format string
Conquest long environment variable buffer overflow
phpBB profile.php SQL injection

unSpawn 11-11-2003 07:37 PM

Nov 10th 2003 (ISS)
 
Internet Security Systems


Date Reported: 11/03/2003
Brief Description: PHPRecipeBook recipe cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Mac OS X Any version,
PHPRecipeBook prior to 2.18, Windows 2000 Any
version, Windows NT Any version
Vulnerability: phprecipebook-recipe-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13574

Date Reported: 11/03/2003
Brief Description: MPM Guestbook Ing parameter cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: MPM Guestbook 1.2, Unix Any version
Vulnerability: mpmguestbook-ing-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13575

Date Reported: 11/03/2003
Brief Description: Ethereal GTP MSISDN buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Conectiva Linux 7.0, Conectiva Linux 8.0, Conectiva
Linux 9.0, Ethereal 0.9.15, Linux Any version, Unix
Any version, Windows Any version
Vulnerability: ethereal-gtp-msisdn-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13576

Date Reported: 11/03/2003
Brief Description: Ethereal ISAKMP and MEGACO packet buffer overflow
Risk Factor: Medium
Attack Type: Network Based
Platforms: Conectiva Linux 7.0, Conectiva Linux 8.0, Conectiva
Linux 9.0, Ethereal 0.9.15, Linux Any version, Unix
Any version, Windows Any version
Vulnerability: ethereal-isakmp-megaco-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13577

Date Reported: 11/03/2003
Brief Description: Ethereal SOCKS protocol dissector heap overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Conectiva Linux 7.0, Conectiva Linux 8.0, Conectiva
Linux 9.0, Ethereal 0.9.15, Linux Any version, Unix
Any version, Windows Any version
Vulnerability: ethereal-socks-heap-overflow
X-Force URL: http://xforce.iss.net/xforce/xfdb/13578

Date Reported: 11/01/2003
Brief Description: frox FTP Proxy port scan denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: frox 0.7.8 and earlier, Linux Any version
Vulnerability: frox-ftp-portscan-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13579

Date Reported: 11/02/2003
Brief Description: ThWboard multiple fields cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, ThWboard prior to Beta 2.82,
Unix Any version, Windows Any version
Vulnerability: thwboard-multiple-fields-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13582

Date Reported: 11/02/2003
Brief Description: ThWboard multiple SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, ThWboard prior to Beta 2.82,
Unix Any version, Windows Any version
Vulnerability: thwboard-multiple-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13583

Date Reported: 10/31/2003
Brief Description: Tritanium Bulletin Board thread_id could allow an
attacker to view messages
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Tritanium Bulletin Board 1.2.3,
Unix Any version, Windows Any version
Vulnerability: tritanium-threadid-view-messages
X-Force URL: http://xforce.iss.net/xforce/xfdb/13587

Date Reported: 11/02/2003
Brief Description: Nutzungskontrolle imported registry key could
bypass security
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, Nutzungskontrolle 2.1,
Nutzungskontrolle 2.2, Unix Any version, Windows
Any version
Vulnerability: nutzungskontrolle-registry-security-bypass
X-Force URL: http://xforce.iss.net/xforce/xfdb/13589

Date Reported: 11/02/2003
Brief Description: PHPKIT include.php cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, PHPKIT Any version, Unix Any
version, Windows Any version
Vulnerability: phpkit-include-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13590

Date Reported: 11/03/2003
Brief Description: Oracle Application Server Portal components SQL
injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Oracle9i Application Server
Release 1 3.0.9.8.5 - earlier, Oracle9i Application
Server Release 2 9.0.2.3.0 - earlier, Unix Any
version, Windows Any version
Vulnerability: oracle-portal-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13593

Date Reported: 11/02/2003
Brief Description: Bugzilla product name SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Bugzilla 2.16.3 and earlier, Conectiva Linux 9.0,
Linux Any version, Unix Any version, Windows Any
version
Vulnerability: bugzilla-productname-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13594

Date Reported: 11/04/2003
Brief Description: OpenSSL ASN.1 sequence denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms: EnGarde Secure Linux 1.0.1, EnGarde Secure Linux
Community Edition 2, EnGarde Secure Linux
Professional 1.1, EnGarde Secure Linux Professional
1.2, EnGarde Secure Linux Professional Ed 1.5,
OpenSSL 0.9.6k, Windows Any version
Vulnerability: openssl-asn1-sequence-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13595

Date Reported: 11/02/2003
Brief Description: Bugzilla URL SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Bugzilla 2.16.3 and earlier, Bugzilla 2.17.1 to
2.17.4, Conectiva Linux 9.0, Linux Any version,
Unix Any version, Windows Any version
Vulnerability: bugzilla-url-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13596

Date Reported: 11/02/2003
Brief Description: Bugzilla group ID allows attacker to gain
privileges of users who have previously been
trusted
Risk Factor: Medium
Attack Type: Network Based
Platforms: Bugzilla 2.16.3 and earlier, Conectiva Linux 8.0,
Linux Any version, Unix Any version, Windows Any
version
Vulnerability: bugzilla-groupid-gain-privileges
X-Force URL: http://xforce.iss.net/xforce/xfdb/13597

Date Reported: 11/02/2003
Brief Description: Bugzilla allows attacker to obtain summary of bug
information
Risk Factor: Medium
Attack Type: Network Based
Platforms: Bugzilla 2.16.3 and earlier, Bugzilla 2.17.1 to
2.17.4, Conectiva Linux 9.0, Linux Any version,
Unix Any version, Windows Any version
Vulnerability: bugzilla-obtain-information
X-Force URL: http://xforce.iss.net/xforce/xfdb/13600

Date Reported: 11/04/2003
Brief Description: Multiple vendor X.400 protocol implementations
message buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Any application Any version
Vulnerability: x400-message-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13601

Date Reported: 11/02/2003
Brief Description: Bugzilla describecomponents.cgi script allows
attacker to obtain information
Risk Factor: Medium
Attack Type: Network Based
Platforms: Bugzilla 2.17.1 to 2.17.4, Linux Any version, Unix
Any version, Windows Any version
Vulnerability: bugzilla-describecomponents-obatin-info
X-Force URL: http://xforce.iss.net/xforce/xfdb/13602

Date Reported: 11/04/2003
Brief Description: Multiple vendor S/MIME protocol implementation
ASN.1 buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Any application Any version
Vulnerability: smime-asn1-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13603

Date Reported: 11/03/2003
Brief Description: OpenAutoClassifieds friendmail.php script cross-
site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, OpenAutoClassifieds 1.0
Vulnerability: openautoclassifieds-friendmail-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13604

Date Reported: 11/01/2003
Brief Description: Unichat non-alphanumeric characters denial of
service
Risk Factor: Low
Attack Type: Network Based
Platforms: Unichat Any version, Windows 9x, Windows NT Any
version
Vulnerability: unichat-nonalphanumeric-character-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13610

Date Reported: 11/04/2003
Brief Description: X-CD-Roast symlink attack
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, Unix Any version, X-CD-Roast
prior to 0.98alpha15
Vulnerability: xcdroast-symlink
X-Force URL: http://xforce.iss.net/xforce/xfdb/13612

Date Reported: 11/04/2003
Brief Description: OpenBSD ibcs2_exec.c and exec_elf.c denial of
service
Risk Factor: Low
Attack Type: Host Based
Platforms: OpenBSD 2.8, OpenBSD 3.3
Vulnerability: openbsd-ibcs2exe-execelf-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13614

Date Reported: 11/05/2003
Brief Description: MLdonkey cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Mac OS X Any version, MLdonkey
2.x, Unix Any version
Vulnerability: mldonkey-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13615

Date Reported: 11/05/2003
Brief Description: MLdonkey administrative interface allows attacker
to obtain information
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Mac OS X Any version, MLdonkey
2.x, Unix Any version
Vulnerability: mldonkey-admininterface-obtain-information
X-Force URL: http://xforce.iss.net/xforce/xfdb/13616

Date Reported: 11/02/2003
Brief Description: OpenBSD isakmpd daemon does not apply encryption to
Quick Mode messages
Risk Factor: Medium
Attack Type: Network Based
Platforms: OpenBSD 3.x
Vulnerability: openbsd-isakmpd-no-encryption
X-Force URL: http://xforce.iss.net/xforce/xfdb/13625

Date Reported: 11/02/2003
Brief Description: OpenBSD ISAKMP daemon encryption failure
Risk Factor: Medium
Attack Type: Network Based
Platforms: OpenBSD 3.x
Vulnerability: openbsd-isakmpd-encryption-failure
X-Force URL: http://xforce.iss.net/xforce/xfdb/13626

Date Reported: 11/01/2003
Brief Description: Sympoll index.php cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Sympoll 1.5, Unix Any version, Windows Any version
Vulnerability: sympoll-indexphp-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13630

Date Reported: 11/06/2003
Brief Description: Ganglia gmond denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: ganglia 2.5.3, Linux Any version, Mac OS X Any
version, Unix Any version
Vulnerability: ganglia-gmond-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13631

Date Reported: 11/08/2003
Brief Description: DB2 db2start, db2stop, and db2govd binaries contain
buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms: IBM DB2 7.0, IBM DB2 8.0, Linux Any version, Unix
Any version
Vulnerability: db2-multiple-binaries-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13633

Date Reported: 11/07/2003
Brief Description: PowerPortal search forum cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: PowerPortal 1.1b, Unix Any version
Vulnerability: powerportal-search-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13634

Date Reported: 11/07/2003
Brief Description: terminatorX buffer overflows in parse_arg function
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, terminatorX 3.8.1, Unix Any
version
Vulnerability: terminatorx-multiple-parsearg-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13635

Date Reported: 11/07/2003
Brief Description: termintorX tX_ladspa.cc buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, terminatorX 3.8.1, Unix Any
version
Vulnerability: terminatorx-txladspa-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13636

Date Reported: 11/07/2003
Brief Description: terminatorX tx_note function format string
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, terminatorX 3.8.1, Unix Any
version
Vulnerability: terminatorx-txnote-format-string
X-Force URL: http://xforce.iss.net/xforce/xfdb/13637

Date Reported: 11/10/2003
Brief Description: Conquest long environment variable buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Conquest Any version, Debian Linux 3.0
Vulnerability: conquest-long-environment-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13640

Date Reported: 11/08/2003
Brief Description: phpBB profile.php SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, phpBB 2.0.5 and earlier, Unix
Any version, Windows Any version
Vulnerability: phpbb-profile-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13641

unSpawn 11-11-2003 07:38 PM

Nov 10th 2003 (SF) pt 1/2
 
SecurityFocus


1. Sun Java Installation File Corruption Vulnerability
BugTraq ID: 8937
Remote: No
Date Published: Oct 31 2003
Relevant URL: http://www.securityfocus.com/bid/8937
Summary:
Sun Java implementations are reported to create temporary files in an
insecure manner when the software is installed. A local attacker could
exploit this issue to corrupt files owned by the user installing the
software, most likely resulting in a denial of service.
This issue was reported in Sun JRE and SDK 1.4.2 for Linux platforms.
Other versions and platforms may also be affected.

2. BEA WebLogic InteractiveQuery.jsp Cross-Site Scripting Vulne...
BugTraq ID: 8938
Remote: Yes
Date Published: Oct 31 2003
Relevant URL: http://www.securityfocus.com/bid/8938
Summary:
BEA WebLogic InteractiveQuery.jsp is an example CGI application supplied
with WebLogic. It is used to demonstrate use of arguments to query a
database.
A cross-site scripting vulnerability has been reported in the software.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication information that could be used to launch
further attacks.
BEA WebLogic 8.1 and prior are reported to be prone to this issue, however
other versions may be affected as well.

7. Tritanium Scripts Tritanium Bulletin Board Unauthorized Acce...
BugTraq ID: 8944
Remote: Yes
Date Published: Oct 31 2003
Relevant URL: http://www.securityfocus.com/bid/8944
Summary:
Tritanium Bulletin Board is a bulletin board application written in PHP.
A vulnerability has been reported in the software that may allow a remote
attacker to gain unauthorized access to threads. The problem may occur
due to improper handling of user-supplied input. A remote attacker may be
able to access sensitive data by modifying the URL and supplying a value
for thread_id, forum_id, and sid paremeters. It has been reported that
the thread id is not a randomly generated number therefore an attacker may
easily gain access to all threads without authorization.
Successful exploitation of this issue may allow an attacker to gain access
to sensitive information that could be used to launch further attacks
against a system.
Tritanium Bulletin Board version 1.2.3 has been reported to be prone to
this issue, however other versions may be affected as well.

9. Mldonkey Web Interface Error Message Cross-site Scripting Vu...
BugTraq ID: 8946
Remote: Yes
Date Published: Oct 31 2003
Relevant URL: http://www.securityfocus.com/bid/8946
Summary:
Mldonkey is a client program for the E-Donkey network. It is configurable
to implement the use of a web-based interface that can listen on an
arbitrary port. It has been reported that the Mldonkey interface is prone
to cross-site scripting attacks when generated error pages for an invalid
request.
This vulnerability occurs due to the Mldonkey application failing to carry
out sufficient sanitization of URI parameters. An attacker could
potentially exploit this condition to execute arbitrary script code within
the context of the web interface. Ultimately, this could lead to a variety
attacks.

13. DATEV Nutzungskontrolle Unauthorized Access Vulnerability
BugTraq ID: 8950
Remote: No
Date Published: Nov 01 2003
Relevant URL: http://www.securityfocus.com/bid/8950
Summary:
DATEV Nutzungskontrolle (NUKO) is a software used to enforce access
control for various applications and systems.
A vulnerability has been reported in the software that may allow a local
attacker to access restricted data. The issue presents itself as a local
user is able modify certain keys in the Windows registry resulting in
bypassing the security model of the software. An attacker may then gain
unauthorized access to sensitive data. This issue would not present
itself if the registry keys were set to read only.
Successful exploitation of this issue may allow an attacker to gain access
to sensitive data that could be used to launch further attacks against the
system.
Nutzungskontrolle V.2.1 and V.2.2 has been reported to be prone to this
issue, however other versions may be affected as well.

14. Multiple Ethereal Protocol Dissector Vulnerabilities
BugTraq ID: 8951
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8951
Summary:
Multiple Ethereal protocol dissectors are prone to remotely exploitable
vulnerabilities. These issues have been addressed with the release of
Ethereal 0.9.16.
The following specific issues were reported:
A malformed GTP MSISDN string could cause a buffer overrun to occur.
Malformed ISAKMP or MEGACO packets could cause Ethereal or Tethereal to
crash, resulting in a denial of service.
The SOCKS dissector is reported to be prone to a heap overrun.
These issues may be exploited by causing Ethereal to process a malformed
packet, either while Ethereal is monitoring live network traffic or via a
packet trace. Successful exploitation could lead to code execution or
denial of service attacks against Ethereal.

15. Cups Internet Printing Protocol Job Loop Denial Of Service V...
BugTraq ID: 8952
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8952
Summary:
CUPS is a freely available, open source UNIX printing utility. It is
freely available for the Unix and Linux platforms.
A problem has been identified in the handling of requests via CUPS
Internet Printing Protocol (IPP). Because of this, it is possible for an
attacker to deny service to legitimate users.
The specifics of the problem are not currently available. It is known
that an attacker must have the ability to connect to the vulnerable
service on the IPP port, and that submitting a specially-crafted request
can result in a busy loop of the software. This issue may be related to
Bugtraq ID 7637, and will be further updated when additional details
become available.

16. Bugzilla Multiple Vulnerabilities
BugTraq ID: 8953
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8953
Summary:
Bugzilla is a freely available, open source bug tracking software package.
It is available for Linux, Unix, and Microsoft Windows operating systems.
Multiple vulnerabilities has been reported to exist in the software. The
issues include SQL injection, unauthorized privileges, and information
disclosure.
A SQL injection issue has been reported to be present in the nightly
statistics cron job called collectstats.pl. A user with 'editproducts'
privileges which are usually granted to administrators may be to carry out
SQL injection attacks. This issue affects Bugzilla versions 2.16.3 and
earlier.
Another SQL injection vulnerability has been reported that may allow a
user with 'editkeywords' privileges which are usually granted to
administrators. An attacker may be able to inject arbitrary SQL code in
the underlying database through the URL used to edit an existing keyword.
This issue affects Bugzilla versions 2.16.3 and earlier and 2.17.1 through
2.17.4.
A vulnerability has been reported that may allow users to retain
privileges that were previously granted. This issue may occur when
products are being deleted. If the 'usebuggroups' parameter was selected,
users may still be able to add others to the group that is being deleted.
If another group is created that reuses the group id from the group being
deleted, they may automatically inherit privileges granted to the group.
This vulnerability only allows users that had those privileges before to
retain them. This issue affects Bugzilla versions 2.16.3 and earlier.
An information disclosure issue has been reported that may allow an
attacker to view restricted bugs stored in the database. It has been
reported that if an attacker knows the e-mail address of a user who has
voted on a secure or restricted bug they may be able to view the summary
of the bug without having sufficient permissions. This issue affects
Bugzilla versions 2.16.3 and earlier and 2.17.1 through 2.17.4.
Another information disclosure issue has been reported that may allow an
attacker to disclose component descriptions for a product without proper
authorization. This issue affects Bugzilla versions 2.17.3 and 2.17.4.

18. Synthetic Reality SymPoll Cross-Site Scripting Vulnerability
BugTraq ID: 8956
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8956
Summary:
Sympoll is web-based voting booth software. It is implemented in PHP and
will run on most Unix and Linux variants as well as Microsoft Windows
operating systems.
A cross-site scripting vulnerability has been reported in the software.
The problem is reported to exist due to improper handling of user-supplied
data through the 'vo' parameter. HTML and script code will be rendered in
a user's browser, therefore making it possible for an attacker to a
construct a malicious link containing HTML or script code that may be
rendered in a user's browser upon visiting that link. This attack would
occur in the security context of the site.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication information that could be used to launch
further attacks.
Sympoll version 1.5 is reported to be prone to this issue, however other
versions may be affected as well.

19. Web Wiz Forum Unauthorized Private Forum Access Vulnerabilit...
BugTraq ID: 8957
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8957
Summary:
A vulnerability has been reported for Web Wiz Forum. The problem is said
to occur due to the application failing to compare specific request
parameters in specially formatted requests. Specifically, by setting the
'mode' parameter to 'quote', Web Wiz Forum will not carry out sufficient
comparison checks of the Post number (PID) and Forum number (FID).
An attacker could exploit this condition by supplying a PID relating to a
private forum and an FID to a forum that they access to. A Topic number
(TID) must also be supplied that is associated with the Post number, such
as the thread that the post will be written to or accessed from.
When the application handles the above request, due to the selected mode,
sufficient checks will not be carried out on the supplied parameters and
the application may erroneously allow the user to post or read messages on
the forum.
In a worst case scenario, successful exploitation of this issue could lead
to the exposure of sensitive information.

20. MPM Guestbook Cross-Site Scripting Vulnerability
BugTraq ID: 8958
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8958
Summary:
MPM Guestbook is a freely available web application. It is implemented in
PHP and available for Unix/Linux variants as well as Microsoft Windows
platforms.
MPM Guestbook is reported to be prone to a cross-site scripting
vulnerability. This is due to insufficient sanitization of HTML from URI
parameters, which will be displayed in web pages that are dynamically
generated by the software. In particular, the 'lng' URI parameter is not
filtered.
An attacker could exploit this issue by enticing a victim user to follow a
malicious link that includes HTML and script code as a value for the
vulnerable URI parameter. The attacker-supplied code could be rendered in
the victim's browser in the context of the site hosting the software.
This could theoretically allow for theft of cookie-based authentication
credentials. The attacker may also influence how the guestbook is
rendered to the user following the link, allowing for a variety of other
attacks.

21. ThWboard Cross-Site Scripting Vulnerability
BugTraq ID: 8959
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8959
Summary:
ThWboard is a bulletin board software written in PHP and MySQL.
A cross-site scripting vulnerability has been reported in the software.
The problem is reported to exist due to improper handling of user-supplied
data. HTML and script code will be rendered in a user's browser,
therefore making it possible for an attacker to a construct a malicious
link containing HTML or script code that may be rendered in a user's
browser upon visiting that link. This attack would occur in the security
context of the site.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication information that could be used to launch
further attacks.
ThWboard versions 2.8 and 2.81 may be prone to this issue, however other
versions may be affected as well.
This BID will be updated as more information becomes available.

22. PHPKit Include.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 8960
Remote: Yes
Date Published: Nov 02 2003
Relevant URL: http://www.securityfocus.com/bid/8960
Summary:
PHPKIT is content management software. It is implemented in PHP and
available for Unix/Linux variants as well as Microsoft Windows.
PHPKIT is reported to be prone to a cross-site scripting vulnerability.
This is due to insufficient sanitization of HTML from URI parameters,
which will be displayed in web pages that are dynamically generated by the
software. The issue exists in the 'include.php' script and is specific to
the 'contact_email' URI parameter.
An attacker could exploit this issue by enticing a victim user to follow a
malicious link that includes HTML and script code as a value for the
vulnerable URI parameter. The attacker-supplied code could be rendered in
the victim's browser in the context of the site hosting the software.
This could theoretically allow for theft of cookie-based authentication
credentials. The attacker may also influence how the site is rendered to
the user following the link, allowing for a variety of other attacks.

23. ThWboard SQL Injection Vulnerability
BugTraq ID: 8961
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8961
Summary:
ThWboard is a bulletin board software written in PHP and MySQL.
A vulnerability has been reported to exist in the software that may a
remote user to inject malicious SQL syntax into database queries. This
issue is caused by insufficient sanitization of user-supplied data. A
remote attacker may exploit this issue to influence SQL query logic to
disclose sensitive information that could be used to gain unauthorized
access.
A malicious user may influence database queries in order to view or modify
sensitive information potentially compromising the software or the
database.
ThWboard versions 2.8 and 2.81 may be prone to this issue, however other
versions may be affected as well.

25. PHPRecipeBook Unspecified Cross-Site Scripting/HTML Injectio...
BugTraq ID: 8963
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8963
Summary:
PHPRecipeBook is a web application for managing recipes. It is
implemented in PHP and available for Unix/Linux and Microsoft Windows.
PHPRecipeBook 2.18 has been released to address an unspecified cross-site
scripting vulnerability. This issue is likely due to insufficient
sanitization of HTML from URI parameters, which will be displayed in web
pages that are dynamically generated by the software.
An attacker could exploit this issue by enticing a user to follow a
malicious link. This could theoretically allow for theft of cookie-based
authentication credentials or other attacks.
An attacker could possibly exploit this issue by enticing a victim user to
follow a malicious link that includes HTML and script code as a value for
the vulnerable URI parameter. The attacker-supplied code could be
rendered in the victim's browser in the context of the site hosting the
software. This could theoretically allow for theft of cookie-based
authentication credentials. The attacker may also influence how the site
is rendered to the user following the link, allowing for a variety of
other attacks.
It should also be noted that the vendor has reported that HTML and script
code will now be sanitized (as of version 2.18) before being included in
recipes as a measure to mitigate against potential HTML injection attacks.
This could allow users to inject hostile HTML into a PHPRecipeBook site if
successfully exploited.

26. OpenBSD isakmpd Multiple IKE Payload Handling Security Weakn...
BugTraq ID: 8964
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8964
Summary:
isakmpd is the IKE key management dameon provided with OpenBSD. isakmpd is
used when negotiating security associations in authenticated or encrypted
network traffic and is normally used to facilitate VPN.
OpenBSD's isakmpd daemon is said to be prone to multiple weaknesses when
handling various IKE payloads. Specifically, four weaknesses have been
discovered in various implementations of the daemon. The problems include:
1) Fails to enforce encrypted Quick Mode messages despite RFC 2409
specification. This could lead to the unintentional exposure of sensitive
session initialization data.
2) isakmpd fails to encrypt Quick Mode payloads, when acting as the
responder, if the initiator has not implemented encryption on the payload.
The issue occurs due to a check by the message_recv() function, located
within the message.c source file. Specifically, an if statement within the
function determines the status by checking the ISAKMP_FLAGS_ENC flag of
the received packet, only if the flag is set will the responder enforce
payload encryption. This could also potentially lead to the exposure of
sensitive session initialization data.
3) Hash payloads are only enforced on Quick Mode exchanges, despite the
RFC 2409 and RFC 2407 specifications stating that Phase 2 messages
containing delete payloads and 'notify' status messages should also
contain hash payloads. This could result in isakmpd not having a mechanism
for verifying the sanity of specific payloads received. It has also been
reported that hash payloads received from an unexpected source are not
verified.
4) Phase 2 delete messages are not verified to ensure that the origin of
the request is the owner of the requested SA to be deleted. The check
occurs within the ipsec_handle_leftover_payload() function, located in the
ipsec.c source file. This does not violate RFC specification, however it
is an insecure security policy that could be exploited by an unauthorized
user to delete an arbitrary SA.
It should be noted that due to the isakmpd daemon being widely
distributed, other operating systems may also be affected by this issue.
As further analysis of these weaknesses are carried out, it is likely that
each issue will be given a separate BID. At this time, this BID will be
updated and subsequently retired.

28. Oracle9iAS Portal Component SQL Injection Vulnerability
BugTraq ID: 8966
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8966
Summary:
A vulnerability has been reported to exist in the software that may allow
a remote user to inject malicious SQL syntax into database queries through
a URL. This issue is caused by insufficient sanitization of user-supplied
data.
The problem is reported to exist in the Portal component which is
installed by default in the application server. A remote attacker may
exploit this issue to influence SQL query logic to disclose sensitive
information from the database.
Successful exploitation may allow a malicious user to influence database
queries in order to view or modify sensitive information, and potentially
compromising the software or the database. It is reported that
unauthenticated users may access PL/SQL packages and procedures from the
web. This would occur within the context of the invoker or definer. If a
procedure were to be executed by a definer with SYS or SYSTEM access
rights, this would allow the attacker to gain access to all data within
the database. The Portal DB Forms, Hierarchy, XML Components and List of
Values packages may allow this level of access. It should also be noted
that these packages are required by the software and cannot be disabled or
deleted.

32. OpenSSL ASN.1 Large Recursion Remote Denial Of Service Vulne...
BugTraq ID: 8970
Remote: Yes
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8970
Summary:
OpenSSL is a freely available, open source implementation of Secure Socket
Layer tools. It is available for the Unix, Linux, and Microsoft
platforms.
A problem has been identified in OpenSSL when handling specific types of
ASN.1 requests. This may result in remote attackers creating a denial of
service condition.
The problem is in the handling of specific types of requests when handling
ASN.1 data that causes large recursion. Though specifics of how this
occurs are not available, it has been reported that this can result in a
crash of OpenSSL. This could potentially lead to an attacker crashing a
service that uses an implementation of the vulnerable software.
This issue is also known to affect numerous Cisco products. It is
possible that other vendors will also be acknowledging this issue and
providing fixes.

34. OpenAutoClassifieds Listing Parameter Cross-Site Scripting V...
BugTraq ID: 8972
Remote: Yes
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8972
Summary:
OpenAutoClassifieds is an open source classifieds manager written in PHP.
A cross-site scripting vulnerability has been reported in the software.
The problem is reported to exist due to improper handling of user-supplied
data through the 'listings' parameter. HTML and script code will be
rendered in a user's browser, therefore making it possible for an attacker
to a construct a malicious link containing HTML or script code that may be
rendered in a user's browser upon visiting that link. This attack would
occur in the security context of the site.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials. Since the attacker can influence
how to site will be rendered to a victim user, other attacks are also
possible such as manipulating site content.
OpenAutoClassifieds version 1.0 is reported to be prone to this issue,
however other versions may be affected as well.

unSpawn 11-11-2003 07:41 PM

Nov 10th 2003 (SF) pt 2/2
 
SecurityFocus


35. CDE LibDTHelp DTHelpUserSearchPath Local Buffer Overflow Vul...
BugTraq ID: 8973
Remote: No
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8973
Summary:
Common Desktop Environment (CDE) is a commercially-available desktop
environment for the Unix and Linux operating systems.
A problem has been identified in CDE libDtHelp. Because of this, it may
be possible for a local attacker to gain elevated privileges.
The problem is in the handling of data in the DTHELPUSERSEARCHPATH
environment variable. Due to insufficient bounds checking, it is possible
to corrupt system memory, potentially overwriting sensitive values. As a
result, it may be possible for a local attacker to execute arbitrary code.
Applications linked against libDtHelp are typically installed with setuid
root privileges. An attacker taking advantage of this issue could
therefore potentially gain administrative access on a vulnerable system.
This issue may be related to Bugtraq ID 7730, although this has not been
confirmed by Symantec.

36. John Beatty Easy PHP Photo Album dir Parameter HTML Injectio...
BugTraq ID: 8977
Remote: Yes
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8977
Summary:
A vulnerability has been reported in the software that may allow a remote
attacker to execute HTML and script code in a user's browser. The issue is
reported to be present in the 'dir' parameter. The problem exists due to
insufficient sanitization of user-supplied input. It may be possible for
an attacker to include malicious HTML code in one of the vulnerable
fields. The injected code could then be interpreted by the browser of a
user visiting the vulnerable site. This attack would occur in the security
context of the affected site.
Successful exploitation of this issue may allow a remote attacker to steal
cookie-based authentication credentials. Other attacks are possible as
well.
Easy PHP Photo Album version 1.0 has been reported to be vulnerable to
this issue, however prior versions may be affected as well.

37. Ope37. OpenBSD Local Malformed Binary Execution Denial of Service V...
BugTraq ID: 8978
Remote: No
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8978
Summary:
iBCS2 (Intel Binary Compatibility Specification 2) is a binary
compatibility format designed commonly used by SCO and ISC binaries. ELF
is the executable and linkable format which is the default binary format
used on Unix and Linux operating systems.
The OpenBSD has recently fixed a vulnerability in the OpenBSD kernel when
handling iBCS2 binaries. The problem occurs within the ibcs2_exec.c source
file and is due to insufficient sanity checks before allocating memory via
malloc(), using the xe_segsize binary parameter.
The precise technical details regarding this issue are currently unknown,
however it is believed that a segment table size (xe_segsize) value
greater than the maximum allowable number of segments (16) could
potentially cause malloc() to fail and under some circumstances return 0.
Because sufficient checks of the return value of malloc() are not carried
out, an unexpected value may be used in future calculations, effectively
triggering a kernel panic.
An additional issue was also addressed in exec_elf.c that could
potentially result in a kernel panic. This particular problem also
involved insufficient checks before calling malloc(), in this case with
the ELF program header size value as an argument. If a malicious binary
with a malformed size were handled, this may cause an unexpected
calculation in the code, effectively triggering a kernel panic.
The OpenBSD team has addressed this issue by verifying the size of the two
size values prior to calling the malloc() function.
An attacker could exploit this condition by constructing a malicious iBCS2
or ELF binary. It should be noted that, in the case of an iBCS2 binary,
support for the format would explicitly need to supported by the kernel
configuration.

*** November 5, 2003 - New information discovered by the researcher
suggests that the implications of this vulnerability could in fact be
higher then initially anticipated. As such, it is believed that successful
exploitation of this issue under some conditions could potentially lead to
code execution within the context of the kernel. This has been conjectured
due to varying crashes observed when triggering the condition. Due to the
lack of details regarding this possiblity, the status of this BID will
remain the same until more information is available.


40. Multiple Vendor S/MIME ASN.1 Parsing Denial of Service Vulne...
BugTraq ID: 8981
Remote: Yes
Date Published: Nov 05 2003
Relevant URL: http://www.securityfocus.com/bid/8981
Summary:
Multiple vulnerabilities have been reported to be present in various
implementations of S/MIME protocol. S/MIME is used to send binary data
and attachments across e-mail in a secure fashion. S/MIME is also used to
package ASN.1.
It has been reported that various products may be affected by denial of
service issues resulting from improperly handling of exceptional ASN.1
elements. An attacker may exploit this issue by sending an exceptional
ASN.1 element to a vulnerable system in order to cause a denial of service
condition.
Successful exploitation of this issue may allow an attacker cause the
software to behave in an unstable manner leading to a crash or hang.
Theses issues are reported to affect ASN.1 parsing routines, however
cryptographic libraries that implement S/MIME may affected as well due to
sharing of ASN.1 code between the cryptographic functions and S/MIME.
Currently Hitachi PKI Runtime Library and Hitachi Hitachi Groupmax Mail -
Security Option version 6 and possibly prior have reported to be
vulnerable, however this BID will be updated as more information becomes
available.nBSD Local Malformed Binary Execution Denial of Service V...
BugTraq ID: 8978
Remote: No
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8978
Summary:
iBCS2 (Intel Binary Compatibility Specification 2) is a binary
compatibility format designed commonly used by SCO and ISC binaries. ELF
is the executable and linkable format which is the default binary format
used on Unix and Linux operating systems.
The OpenBSD has recently fixed a vulnerability in the OpenBSD kernel when
handling iBCS2 binaries. The problem occurs within the ibcs2_exec.c source
file and is due to insufficient sanity checks before allocating memory via
malloc(), using the xe_segsize binary parameter.
The precise technical details regarding this issue are currently unknown,
however it is believed that a segment table size (xe_segsize) value
greater than the maximum allowable number of segments (16) could
potentially cause malloc() to fail and under some circumstances return 0.
Because sufficient checks of the return value of malloc() are not carried
out, an unexpected value may be used in future calculations, effectively
triggering a kernel panic.
An additional issue was also addressed in exec_elf.c that could
potentially result in a kernel panic. This particular problem also
involved insufficient checks before calling malloc(), in this case with
the ELF program header size value as an argument. If a malicious binary
with a malformed size were handled, this may cause an unexpected
calculation in the code, effectively triggering a kernel panic.
The OpenBSD team has addressed this issue by verifying the size of the two
size values prior to calling the malloc() function.
An attacker could exploit this condition by constructing a malicious iBCS2
or ELF binary. It should be noted that, in the case of an iBCS2 binary,
support for the format would explicitly need to supported by the kernel
configuration.

*** November 5, 2003 - New information discovered by the researcher
suggests that the implications of this vulnerability could in fact be
higher then initially anticipated. As such, it is believed that successful
exploitation of this issue under some conditions could potentially lead to
code execution within the context of the kernel. This has been conjectured
due to varying crashes observed when triggering the condition. Due to the
lack of details regarding this possiblity, the status of this BID will
remain the same until more information is available.


40. Multiple Vendor S/MIME ASN.1 Parsing Denial of Service Vulne...
BugTraq ID: 8981
Remote: Yes
Date Published: Nov 05 2003
Relevant URL: http://www.securityfocus.com/bid/8981
Summary:
Multiple vulnerabilities have been reported to be present in various
implementations of S/MIME protocol. S/MIME is used to send binary data
and attachments across e-mail in a secure fashion. S/MIME is also used to
package ASN.1.
It has been reported that various products may be affected by denial of
service issues resulting from improperly handling of exceptional ASN.1
elements. An attacker may exploit this issue by sending an exceptional
ASN.1 element to a vulnerable system in order to cause a denial of service
condition.
Successful exploitation of this issue may allow an attacker cause the
software to behave in an unstable manner leading to a crash or hang.
Theses issues are reported to affect ASN.1 parsing routines, however
cryptographic libraries that implement S/MIME may affected as well due to
sharing of ASN.1 code between the cryptographic functions and S/MIME.
Currently Hitachi PKI Runtime Library and Hitachi Hitachi Groupmax Mail -
Security Option version 6 and possibly prior have reported to be
vulnerable, however this BID will be updated as more information becomes
available.

41. Clearswift MAILsweeper for SMTP Zip Archive Filtering Bypass...
BugTraq ID: 8982
Remote: Yes
Date Published: Nov 05 2003
Relevant URL: http://www.securityfocus.com/bid/8982
Summary:
MAILsweeper for SMTP is a commercial application for filtering e-mail
content at the gateway level.
A vulnerability has been reported to be present in the software that may
cause the software to fail in detecting malicious zip archives. It has
been reported that the software does not filter certain malicious zip
archives such as those generated by the Mimail worm (MCID 1763).
Successful exploitation may allow malicious code to be executed on client
systems. This is due to the fact that the malicious e-mail will not be
filtered at the gateway level and may affect users within an organization
that is using MAILsweeper to filter e-mail content. Exploitation can only
occur if a user executes a malicious attachment and malicious files must
also bypass any local anti virus software.
MAILsweeper for SMTP 4.3.10 and prior versions have been reported to be
prone to this issue.

42. X-CD-Roast Local Insecure File Creation Symlink Vulnerabilit...
BugTraq ID: 8983
Remote: No
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8983
Summary:
X-CD-Roast is a freely available CD burning utility available for Linux
and Unix based systems.
X-CD-Roast has been reported prone to an insecure file creation
vulnerability that may be exploited to corrupt arbitrary files. The issue
has been reported to present itself because X-CD-Roast will follow
symbolic links when writing certain specific files. The problem is also
conjectured to be exaggerated as a result of a lack of sufficient access
controls set by X-CD-Roast on the files that it creates and employs.
Ultimately a local user may exploit this condition by creating a symbolic
link in the place of the vulnerable X-CD-Roast file. The malicious
symbolic link will point to an arbitrary file on the system. When an
unsuspecting user invokes X-CD-Roast the file linked by the symbolic link
will be corrupted, the file corruption will occur only if the user
invoking X-CD-Roast has sufficient privileges to write to the target file.
A local user may leverage this condition to corrupt arbitrary files
triggering a system wide denial of service or potentially elevating their
system privileges.

46. Linux Kernel Trojan Horse Vulnerability
BugTraq ID: 8987
Remote: No
Date Published: Nov 05 2003
Relevant URL: http://www.securityfocus.com/bid/8987
Summary:
It has been announced that a file 'kernel/exit.c' was modified on the
kernel.bkbits.net Linux Kernel CVS tree by a malicious party. The file
'kernel/exit.c' was modified to include trojan horse code that would
potentially allow a local user to elevate privileges.
Specifically, when '__WCLONE|__WALL' is passed to the sys_wait4() function
in a sufficient manner a malicious procedure in the trojaned kernel
'current->uid = 0' is performed to elevate the malicious user to uid '0'
or root system privileges.
It is not currently known what version of the Linux kernel is affected by
this issue. This BID will be updated as further information regarding this
issue is disclosed.

47. Ganglia gmond Malformed Packet Remote Denial of Service Vuln...
BugTraq ID: 8988
Remote: Yes
Date Published: Nov 06 2003
Relevant URL: http://www.securityfocus.com/bid/8988
Summary:
Ganglia Monitoring Daemon (gmond) is cluster monitoring software available
for a wide variety of Unix-based operating systems, as well as Linux.
When a user transmits a packet to the gmond service, advertising a metric,
a hashing function handles the packet. The advertisement packet, when
transmitted from an official client, will include a name string that will
be a minimum of 2 bytes; 1 character followed by a NULL byte. The hashval
function, located within the lib/hash.c source file, parses the string
name and attempts to calculate the hash value within a for loop. The
calculated value is then used as an index into a specific array of hashes.
A vulnerability has been discovered in this procedure that could
potentially result in a denial of service condition. The problem occurs
when a malformed packet from a modified client or custom program is
transmitted with a 1 byte name string. When the hashval function handles
this packet, due to the unexpected name string size, the calculated value
will not be run through a modulus operation designed to ensure the value
is a legitimate index. As a result, a 1 byte number of greater size than a
valid index could potentially cause an unexpected calculation or invalid
pointer dereference.
It has been reported that due to this miscalculation, the gmond service
will crash when attempting to lock access to the hash entry by locking the
data at the calculated pointer. This would effectively result in a denial
of service condition.
This vulnerability is said to affected gmond version 2.5.3 however, other
versions may also be affected.


All times are GMT -5. The time now is 11:43 PM.