LinuxQuestions.org
Old 11-11-2003, 07:35 PM   #1
unSpawn
Moderator
LQ weekly security report - Nov 11th 2003


Nov 10th 2003
27 of 47 issues handled (SF)
1. Sun Java Installation File Corruption Vulnerability
2. BEA WebLogic InteractiveQuery.jsp Cross-Site Scripting Vulne...
7. Tritanium Scripts Tritanium Bulletin Board Unauthorized Acce...
9. Mldonkey Web Interface Error Message Cross-site Scripting Vu...
13. DATEV Nutzungskontrolle Unauthorized Access Vulnerability
14. Multiple Ethereal Protocol Dissector Vulnerabilities
15. Cups Internet Printing Protocol Job Loop Denial Of Service V...
16. Bugzilla Multiple Vulnerabilities
18. Synthetic Reality SymPoll Cross-Site Scripting Vulnerability
19. Web Wiz Forum Unauthorized Private Forum Access Vulnerabilit...
20. MPM Guestbook Cross-Site Scripting Vulnerability
21. ThWboard Cross-Site Scripting Vulnerability
22. PHPKit Include.PHP Cross-Site Scripting Vulnerability
23. ThWboard SQL Injection Vulnerability
25. PHPRecipeBook Unspecified Cross-Site Scripting/HTML Injectio...
26. OpenBSD isakmpd Multiple IKE Payload Handling Security Weakn...
28. Oracle9iAS Portal Component SQL Injection Vulnerability
32. OpenSSL ASN.1 Large Recursion Remote Denial Of Service Vulne...
34. OpenAutoClassifieds Listing Parameter Cross-Site Scripting V...
35. CDE LibDTHelp DTHelpUserSearchPath Local Buffer Overflow Vul...
36. John Beatty Easy PHP Photo Album dir Parameter HTML Injectio...
37. OpenBSD Local Malformed Binary Execution Denial of Service V...
40. Multiple Vendor S/MIME ASN.1 Parsing Denial of Service Vulne...
41. Clearswift MAILsweeper for SMTP Zip Archive Filtering Bypass...
42. X-CD-Roast Local Insecure File Creation Symlink Vulnerabilit...
46. Linux Kernel Trojan Horse Vulnerability
47. Ganglia gmond Malformed Packet Remote Denial of Service Vuln...

Nov 10th 2003
37 of 56 issues handled (ISS)
PHPRecipeBook recipe cross-site scripting
MPM Guestbook Ing parameter cross-site scripting
Ethereal GTP MSISDN buffer overflow
Ethereal ISAKMP and MEGACO packet buffer overflow
Ethereal SOCKS protocol dissector heap overflow
frox FTP Proxy port scan denial of service
ThWboard multiple fields cross-site scripting
ThWboard multiple SQL injection
Tritanium Bulletin Board thread_id could allow an
Nutzungskontrolle imported registry key could
PHPKIT include.php cross-site scripting
Oracle Application Server Portal components SQL
Bugzilla product name SQL injection
OpenSSL ASN.1 sequence denial of service
Bugzilla URL SQL injection
Bugzilla group ID allows attacker to gain
Bugzilla allows attacker to obtain summary of bug
Multiple vendor X.400 protocol implementations
Bugzilla describecomponents.cgi script allows
Multiple vendor S/MIME protocol implementation
OpenAutoClassifieds friendmail.php script cross-
Unichat non-alphanumeric characters denial of
X-CD-Roast symlink attack
OpenBSD ibcs2_exec.c and exec_elf.c denial of
MLdonkey cross-site scripting
MLdonkey administrative interface allows attacker
OpenBSD isakmpd daemon does not apply encryption to
OpenBSD ISAKMP daemon encryption failure
Sympoll index.php cross-site scripting
Ganglia gmond denial of service
DB2 db2start, db2stop, and db2govd binaries contain
PowerPortal search forum cross-site scripting
terminatorX buffer overflows in parse_arg function
terminatorX tX_ladspa.cc buffer overflow
terminatorX tx_note function format string
Conquest long environment variable buffer overflow
phpBB profile.php SQL injection
 
Old 11-11-2003, 07:37 PM   #2
unSpawn
Moderator
Nov 10th 2003 (ISS)

Internet Security Systems


Date Reported: 11/03/2003
Brief Description: PHPRecipeBook recipe cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Mac OS X Any version,
PHPRecipeBook prior to 2.18, Windows 2000 Any
version, Windows NT Any version
Vulnerability: phprecipebook-recipe-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13574

Date Reported: 11/03/2003
Brief Description: MPM Guestbook Ing parameter cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: MPM Guestbook 1.2, Unix Any version
Vulnerability: mpmguestbook-ing-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13575

Date Reported: 11/03/2003
Brief Description: Ethereal GTP MSISDN buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Conectiva Linux 7.0, Conectiva Linux 8.0, Conectiva
Linux 9.0, Ethereal 0.9.15, Linux Any version, Unix
Any version, Windows Any version
Vulnerability: ethereal-gtp-msisdn-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13576

Date Reported: 11/03/2003
Brief Description: Ethereal ISAKMP and MEGACO packet buffer overflow
Risk Factor: Medium
Attack Type: Network Based
Platforms: Conectiva Linux 7.0, Conectiva Linux 8.0, Conectiva
Linux 9.0, Ethereal 0.9.15, Linux Any version, Unix
Any version, Windows Any version
Vulnerability: ethereal-isakmp-megaco-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13577

Date Reported: 11/03/2003
Brief Description: Ethereal SOCKS protocol dissector heap overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Conectiva Linux 7.0, Conectiva Linux 8.0, Conectiva
Linux 9.0, Ethereal 0.9.15, Linux Any version, Unix
Any version, Windows Any version
Vulnerability: ethereal-socks-heap-overflow
X-Force URL: http://xforce.iss.net/xforce/xfdb/13578

Date Reported: 11/01/2003
Brief Description: frox FTP Proxy port scan denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: frox 0.7.8 and earlier, Linux Any version
Vulnerability: frox-ftp-portscan-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13579

Date Reported: 11/02/2003
Brief Description: ThWboard multiple fields cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, ThWboard prior to Beta 2.82,
Unix Any version, Windows Any version
Vulnerability: thwboard-multiple-fields-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13582

Date Reported: 11/02/2003
Brief Description: ThWboard multiple SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, ThWboard prior to Beta 2.82,
Unix Any version, Windows Any version
Vulnerability: thwboard-multiple-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13583

Date Reported: 10/31/2003
Brief Description: Tritanium Bulletin Board thread_id could allow an
attacker to view messages
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Tritanium Bulletin Board 1.2.3,
Unix Any version, Windows Any version
Vulnerability: tritanium-threadid-view-messages
X-Force URL: http://xforce.iss.net/xforce/xfdb/13587

Date Reported: 11/02/2003
Brief Description: Nutzungskontrolle imported registry key could
bypass security
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, Nutzungskontrolle 2.1,
Nutzungskontrolle 2.2, Unix Any version, Windows
Any version
Vulnerability: nutzungskontrolle-registry-security-bypass
X-Force URL: http://xforce.iss.net/xforce/xfdb/13589

Date Reported: 11/02/2003
Brief Description: PHPKIT include.php cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, PHPKIT Any version, Unix Any
version, Windows Any version
Vulnerability: phpkit-include-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13590

Date Reported: 11/03/2003
Brief Description: Oracle Application Server Portal components SQL
injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Oracle9i Application Server
Release 1 3.0.9.8.5 - earlier, Oracle9i Application
Server Release 2 9.0.2.3.0 - earlier, Unix Any
version, Windows Any version
Vulnerability: oracle-portal-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13593

Date Reported: 11/02/2003
Brief Description: Bugzilla product name SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Bugzilla 2.16.3 and earlier, Conectiva Linux 9.0,
Linux Any version, Unix Any version, Windows Any
version
Vulnerability: bugzilla-productname-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13594

Date Reported: 11/04/2003
Brief Description: OpenSSL ASN.1 sequence denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms: EnGarde Secure Linux 1.0.1, EnGarde Secure Linux
Community Edition 2, EnGarde Secure Linux
Professional 1.1, EnGarde Secure Linux Professional
1.2, EnGarde Secure Linux Professional Ed 1.5,
OpenSSL 0.9.6k, Windows Any version
Vulnerability: openssl-asn1-sequence-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13595

Date Reported: 11/02/2003
Brief Description: Bugzilla URL SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Bugzilla 2.16.3 and earlier, Bugzilla 2.17.1 to
2.17.4, Conectiva Linux 9.0, Linux Any version,
Unix Any version, Windows Any version
Vulnerability: bugzilla-url-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13596

Date Reported: 11/02/2003
Brief Description: Bugzilla group ID allows attacker to gain
privileges of users who have previously been
trusted
Risk Factor: Medium
Attack Type: Network Based
Platforms: Bugzilla 2.16.3 and earlier, Conectiva Linux 8.0,
Linux Any version, Unix Any version, Windows Any
version
Vulnerability: bugzilla-groupid-gain-privileges
X-Force URL: http://xforce.iss.net/xforce/xfdb/13597

Date Reported: 11/02/2003
Brief Description: Bugzilla allows attacker to obtain summary of bug
information
Risk Factor: Medium
Attack Type: Network Based
Platforms: Bugzilla 2.16.3 and earlier, Bugzilla 2.17.1 to
2.17.4, Conectiva Linux 9.0, Linux Any version,
Unix Any version, Windows Any version
Vulnerability: bugzilla-obtain-information
X-Force URL: http://xforce.iss.net/xforce/xfdb/13600

Date Reported: 11/04/2003
Brief Description: Multiple vendor X.400 protocol implementations
message buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Any application Any version
Vulnerability: x400-message-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13601

Date Reported: 11/02/2003
Brief Description: Bugzilla describecomponents.cgi script allows
attacker to obtain information
Risk Factor: Medium
Attack Type: Network Based
Platforms: Bugzilla 2.17.1 to 2.17.4, Linux Any version, Unix
Any version, Windows Any version
Vulnerability: bugzilla-describecomponents-obatin-info
X-Force URL: http://xforce.iss.net/xforce/xfdb/13602

Date Reported: 11/04/2003
Brief Description: Multiple vendor S/MIME protocol implementation
ASN.1 buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Any application Any version
Vulnerability: smime-asn1-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13603

Date Reported: 11/03/2003
Brief Description: OpenAutoClassifieds friendmail.php script cross-
site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, OpenAutoClassifieds 1.0
Vulnerability: openautoclassifieds-friendmail-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13604

Date Reported: 11/01/2003
Brief Description: Unichat non-alphanumeric characters denial of
service
Risk Factor: Low
Attack Type: Network Based
Platforms: Unichat Any version, Windows 9x, Windows NT Any
version
Vulnerability: unichat-nonalphanumeric-character-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13610

Date Reported: 11/04/2003
Brief Description: X-CD-Roast symlink attack
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, Unix Any version, X-CD-Roast
prior to 0.98alpha15
Vulnerability: xcdroast-symlink
X-Force URL: http://xforce.iss.net/xforce/xfdb/13612

Date Reported: 11/04/2003
Brief Description: OpenBSD ibcs2_exec.c and exec_elf.c denial of
service
Risk Factor: Low
Attack Type: Host Based
Platforms: OpenBSD 2.8, OpenBSD 3.3
Vulnerability: openbsd-ibcs2exe-execelf-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13614

Date Reported: 11/05/2003
Brief Description: MLdonkey cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Mac OS X Any version, MLdonkey
2.x, Unix Any version
Vulnerability: mldonkey-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13615

Date Reported: 11/05/2003
Brief Description: MLdonkey administrative interface allows attacker
to obtain information
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Mac OS X Any version, MLdonkey
2.x, Unix Any version
Vulnerability: mldonkey-admininterface-obtain-information
X-Force URL: http://xforce.iss.net/xforce/xfdb/13616

Date Reported: 11/02/2003
Brief Description: OpenBSD isakmpd daemon does not apply encryption to
Quick Mode messages
Risk Factor: Medium
Attack Type: Network Based
Platforms: OpenBSD 3.x
Vulnerability: openbsd-isakmpd-no-encryption
X-Force URL: http://xforce.iss.net/xforce/xfdb/13625

Date Reported: 11/02/2003
Brief Description: OpenBSD ISAKMP daemon encryption failure
Risk Factor: Medium
Attack Type: Network Based
Platforms: OpenBSD 3.x
Vulnerability: openbsd-isakmpd-encryption-failure
X-Force URL: http://xforce.iss.net/xforce/xfdb/13626

Date Reported: 11/01/2003
Brief Description: Sympoll index.php cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Sympoll 1.5, Unix Any version, Windows Any version
Vulnerability: sympoll-indexphp-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13630

Date Reported: 11/06/2003
Brief Description: Ganglia gmond denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: ganglia 2.5.3, Linux Any version, Mac OS X Any
version, Unix Any version
Vulnerability: ganglia-gmond-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13631

Date Reported: 11/08/2003
Brief Description: DB2 db2start, db2stop, and db2govd binaries contain
buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms: IBM DB2 7.0, IBM DB2 8.0, Linux Any version, Unix
Any version
Vulnerability: db2-multiple-binaries-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13633

Date Reported: 11/07/2003
Brief Description: PowerPortal search forum cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: PowerPortal 1.1b, Unix Any version
Vulnerability: powerportal-search-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13634

Date Reported: 11/07/2003
Brief Description: terminatorX buffer overflows in parse_arg function
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, terminatorX 3.8.1, Unix Any
version
Vulnerability: terminatorx-multiple-parsearg-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13635

Date Reported: 11/07/2003
Brief Description: terminatorX tX_ladspa.cc buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, terminatorX 3.8.1, Unix Any
version
Vulnerability: terminatorx-txladspa-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13636

Date Reported: 11/07/2003
Brief Description: terminatorX tx_note function format string
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, terminatorX 3.8.1, Unix Any
version
Vulnerability: terminatorx-txnote-format-string
X-Force URL: http://xforce.iss.net/xforce/xfdb/13637

Date Reported: 11/10/2003
Brief Description: Conquest long environment variable buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Conquest Any version, Debian Linux 3.0
Vulnerability: conquest-long-environment-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13640

Date Reported: 11/08/2003
Brief Description: phpBB profile.php SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, phpBB 2.0.5 and earlier, Unix
Any version, Windows Any version
Vulnerability: phpbb-profile-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13641
 
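The X-CD-Roast symlink entry above (and the Sun Java temporary-file item in the SecurityFocus list in the first post) share one root cause: a program creates a file at a predictable name in a directory other users can write to, and follows whatever an attacker has already planted there. The following Python is an added example, not code from this post, from X-CD-Roast or from Sun; the directory, file names and contents are constructed for the demonstration, and O_NOFOLLOW is assumed to be available (it is on Linux and the BSDs).

```python
"""Added example (not part of the LQ post, X-CD-Roast or Sun's code): why
creating a predictably named file in a shared directory is a symlink
vulnerability, and how O_CREAT|O_EXCL|O_NOFOLLOW closes it.  All paths,
names and file contents below are constructed for the demonstration."""
import os
import tempfile


def unsafe_create(path: str, data: bytes) -> None:
    """The vulnerable pattern: open(path, 'w') (fopen(..., "w") in C) follows a
    symlink an attacker planted at the predictable name, then truncates and
    overwrites whatever the link points at."""
    with open(path, "wb") as f:
        f.write(data)


def safe_create(path: str, data: bytes) -> None:
    """Hardened pattern: O_CREAT|O_EXCL fails if anything already exists at the
    path (a planted symlink or file is refused, not followed), O_NOFOLLOW
    refuses a symlink as the final component even without O_EXCL, and mode
    0600 keeps other users out of the file that is created."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)  # absent on Windows; O_EXCL still protects
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Plant a symlink at the predictable name, then try both creators.
    Returns what happened to the victim file so the outcome can be checked."""
    result = {}
    with tempfile.TemporaryDirectory() as shared:        # stands in for /tmp
        victim = os.path.join(shared, "victim.txt")      # file the attacker wants clobbered
        with open(victim, "wb") as f:
            f.write(b"important data\n")
        predictable = os.path.join(shared, "app.tmp")    # name the program always uses
        os.symlink(victim, predictable)                  # attacker pre-plants the link

        unsafe_create(predictable, b"garbage\n")
        with open(victim, "rb") as f:
            result["victim_after_unsafe"] = f.read()     # victim was overwritten

        with open(victim, "wb") as f:                    # restore; the link is still there
            f.write(b"important data\n")
        try:
            safe_create(predictable, b"garbage\n")
            result["safe_raised"] = None
        except OSError as e:
            result["safe_raised"] = type(e).__name__     # FileExistsError: refused
        with open(victim, "rb") as f:
            result["victim_after_safe"] = f.read()       # untouched

        fresh = os.path.join(shared, "app-fresh.tmp")    # a name nobody planted
        safe_create(fresh, b"ok\n")
        result["fresh_mode"] = os.stat(fresh).st_mode & 0o777
        result["fresh_is_link"] = os.path.islink(fresh)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

In practice a temporary file should not have a fixed name at all: tempfile.mkstemp() (mkstemp(3) in C) combines a random name with exactly these flags, which is what the X-CD-Roast and Sun fixes amount to.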
Old 11-11-2003, 07:38 PM   #3
unSpawn
Moderator
Nov 10th 2003 (SF) pt 1/2

SecurityFocus


1. Sun Java Installation File Corruption Vulnerability
BugTraq ID: 8937
Remote: No
Date Published: Oct 31 2003
Relevant URL: http://www.securityfocus.com/bid/8937
Summary:
Sun Java implementations are reported to create temporary files in an
insecure manner when the software is installed. A local attacker could
exploit this issue to corrupt files owned by the user installing the
software, most likely resulting in a denial of service.
This issue was reported in Sun JRE and SDK 1.4.2 for Linux platforms.
Other versions and platforms may also be affected.

2. BEA WebLogic InteractiveQuery.jsp Cross-Site Scripting Vulne...
BugTraq ID: 8938
Remote: Yes
Date Published: Oct 31 2003
Relevant URL: http://www.securityfocus.com/bid/8938
Summary:
BEA WebLogic InteractiveQuery.jsp is an example CGI application supplied
with WebLogic. It is used to demonstrate use of arguments to query a
database.
A cross-site scripting vulnerability has been reported in the software.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication information that could be used to launch
further attacks.
BEA WebLogic 8.1 and prior are reported to be prone to this issue, however
other versions may be affected as well.

7. Tritanium Scripts Tritanium Bulletin Board Unauthorized Acce...
BugTraq ID: 8944
Remote: Yes
Date Published: Oct 31 2003
Relevant URL: http://www.securityfocus.com/bid/8944
Summary:
Tritanium Bulletin Board is a bulletin board application written in PHP.
A vulnerability has been reported in the software that may allow a remote
attacker to gain unauthorized access to threads. The problem may occur
due to improper handling of user-supplied input. A remote attacker may be
able to access sensitive data by modifying the URL and supplying a value
for thread_id, forum_id, and sid parameters. It has been reported that
the thread id is not a randomly generated number therefore an attacker may
easily gain access to all threads without authorization.
Successful exploitation of this issue may allow an attacker to gain access
to sensitive information that could be used to launch further attacks
against a system.
Tritanium Bulletin Board version 1.2.3 has been reported to be prone to
this issue, however other versions may be affected as well.

9. Mldonkey Web Interface Error Message Cross-site Scripting Vu...
BugTraq ID: 8946
Remote: Yes
Date Published: Oct 31 2003
Relevant URL: http://www.securityfocus.com/bid/8946
Summary:
Mldonkey is a client program for the E-Donkey network. It is configurable
to implement the use of a web-based interface that can listen on an
arbitrary port. It has been reported that the Mldonkey interface is prone
to cross-site scripting attacks when generating error pages for an invalid
request.
This vulnerability occurs due to the Mldonkey application failing to carry
out sufficient sanitization of URI parameters. An attacker could
potentially exploit this condition to execute arbitrary script code within
the context of the web interface. Ultimately, this could lead to a variety of
attacks.

13. DATEV Nutzungskontrolle Unauthorized Access Vulnerability
BugTraq ID: 8950
Remote: No
Date Published: Nov 01 2003
Relevant URL: http://www.securityfocus.com/bid/8950
Summary:
DATEV Nutzungskontrolle (NUKO) is a software used to enforce access
control for various applications and systems.
A vulnerability has been reported in the software that may allow a local
attacker to access restricted data. The issue presents itself as a local
user is able to modify certain keys in the Windows registry resulting in
bypassing the security model of the software. An attacker may then gain
unauthorized access to sensitive data. This issue would not present
itself if the registry keys were set to read only.
Successful exploitation of this issue may allow an attacker to gain access
to sensitive data that could be used to launch further attacks against the
system.
Nutzungskontrolle V.2.1 and V.2.2 have been reported to be prone to this
issue, however other versions may be affected as well.

14. Multiple Ethereal Protocol Dissector Vulnerabilities
BugTraq ID: 8951
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8951
Summary:
Multiple Ethereal protocol dissectors are prone to remotely exploitable
vulnerabilities. These issues have been addressed with the release of
Ethereal 0.9.16.
The following specific issues were reported:
A malformed GTP MSISDN string could cause a buffer overrun to occur.
Malformed ISAKMP or MEGACO packets could cause Ethereal or Tethereal to
crash, resulting in a denial of service.
The SOCKS dissector is reported to be prone to a heap overrun.
These issues may be exploited by causing Ethereal to process a malformed
packet, either while Ethereal is monitoring live network traffic or via a
packet trace. Successful exploitation could lead to code execution or
denial of service attacks against Ethereal.

15. Cups Internet Printing Protocol Job Loop Denial Of Service V...
BugTraq ID: 8952
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8952
Summary:
CUPS is a freely available, open source UNIX printing utility. It is
freely available for the Unix and Linux platforms.
A problem has been identified in the handling of requests via CUPS
Internet Printing Protocol (IPP). Because of this, it is possible for an
attacker to deny service to legitimate users.
The specifics of the problem are not currently available. It is known
that an attacker must have the ability to connect to the vulnerable
service on the IPP port, and that submitting a specially-crafted request
can result in a busy loop of the software. This issue may be related to
Bugtraq ID 7637, and will be further updated when additional details
become available.

16. Bugzilla Multiple Vulnerabilities
BugTraq ID: 8953
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8953
Summary:
Bugzilla is a freely available, open source bug tracking software package.
It is available for Linux, Unix, and Microsoft Windows operating systems.
Multiple vulnerabilities have been reported to exist in the software. The
issues include SQL injection, unauthorized privileges, and information
disclosure.
A SQL injection issue has been reported to be present in the nightly
statistics cron job called collectstats.pl. A user with 'editproducts'
privileges, which are usually granted to administrators, may be able to carry
out
SQL injection attacks. This issue affects Bugzilla versions 2.16.3 and
earlier.
Another SQL injection vulnerability has been reported that may allow a
user with 'editkeywords' privileges, which are usually granted to
administrators, to inject arbitrary SQL code into the underlying database
through the URL used to edit an existing keyword.
This issue affects Bugzilla versions 2.16.3 and earlier and 2.17.1 through
2.17.4.
A vulnerability has been reported that may allow users to retain
privileges that were previously granted. This issue may occur when
products are being deleted. If the 'usebuggroups' parameter was selected,
users may still be able to add others to the group that is being deleted.
If another group is created that reuses the group id from the group being
deleted, they may automatically inherit privileges granted to the group.
This vulnerability only allows users that had those privileges before to
retain them. This issue affects Bugzilla versions 2.16.3 and earlier.
An information disclosure issue has been reported that may allow an
attacker to view restricted bugs stored in the database. It has been
reported that if an attacker knows the e-mail address of a user who has
voted on a secure or restricted bug they may be able to view the summary
of the bug without having sufficient permissions. This issue affects
Bugzilla versions 2.16.3 and earlier and 2.17.1 through 2.17.4.
Another information disclosure issue has been reported that may allow an
attacker to disclose component descriptions for a product without proper
authorization. This issue affects Bugzilla versions 2.17.3 and 2.17.4.

18. Synthetic Reality SymPoll Cross-Site Scripting Vulnerability
BugTraq ID: 8956
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8956
Summary:
Sympoll is web-based voting booth software. It is implemented in PHP and
will run on most Unix and Linux variants as well as Microsoft Windows
operating systems.
A cross-site scripting vulnerability has been reported in the software.
The problem is reported to exist due to improper handling of user-supplied
data through the 'vo' parameter. HTML and script code will be rendered in
a user's browser, therefore making it possible for an attacker to
construct a malicious link containing HTML or script code that may be
rendered in a user's browser upon visiting that link. This attack would
occur in the security context of the site.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication information that could be used to launch
further attacks.
Sympoll version 1.5 is reported to be prone to this issue, however other
versions may be affected as well.

19. Web Wiz Forum Unauthorized Private Forum Access Vulnerabilit...
BugTraq ID: 8957
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8957
Summary:
A vulnerability has been reported for Web Wiz Forum. The problem is said
to occur due to the application failing to compare specific request
parameters in specially formatted requests. Specifically, by setting the
'mode' parameter to 'quote', Web Wiz Forum will not carry out sufficient
comparison checks of the Post number (PID) and Forum number (FID).
An attacker could exploit this condition by supplying a PID relating to a
private forum and an FID to a forum that they have access to. A Topic number
(TID) must also be supplied that is associated with the Post number, such
as the thread that the post will be written to or accessed from.
When the application handles the above request, due to the selected mode,
sufficient checks will not be carried out on the supplied parameters and
the application may erroneously allow the user to post or read messages on
the forum.
In a worst case scenario, successful exploitation of this issue could lead
to the exposure of sensitive information.

20. MPM Guestbook Cross-Site Scripting Vulnerability
BugTraq ID: 8958
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8958
Summary:
MPM Guestbook is a freely available web application. It is implemented in
PHP and available for Unix/Linux variants as well as Microsoft Windows
platforms.
MPM Guestbook is reported to be prone to a cross-site scripting
vulnerability. This is due to insufficient sanitization of HTML from URI
parameters, which will be displayed in web pages that are dynamically
generated by the software. In particular, the 'lng' URI parameter is not
filtered.
An attacker could exploit this issue by enticing a victim user to follow a
malicious link that includes HTML and script code as a value for the
vulnerable URI parameter. The attacker-supplied code could be rendered in
the victim's browser in the context of the site hosting the software.
This could theoretically allow for theft of cookie-based authentication
credentials. The attacker may also influence how the guestbook is
rendered to the user following the link, allowing for a variety of other
attacks.

21. ThWboard Cross-Site Scripting Vulnerability
BugTraq ID: 8959
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8959
Summary:
ThWboard is a bulletin board software written in PHP and MySQL.
A cross-site scripting vulnerability has been reported in the software.
The problem is reported to exist due to improper handling of user-supplied
data. HTML and script code will be rendered in a user's browser,
therefore making it possible for an attacker to construct a malicious
link containing HTML or script code that may be rendered in a user's
browser upon visiting that link. This attack would occur in the security
context of the site.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication information that could be used to launch
further attacks.
ThWboard versions 2.8 and 2.81 may be prone to this issue, however other
versions may be affected as well.
This BID will be updated as more information becomes available.

22. PHPKit Include.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 8960
Remote: Yes
Date Published: Nov 02 2003
Relevant URL: http://www.securityfocus.com/bid/8960
Summary:
PHPKIT is content management software. It is implemented in PHP and
available for Unix/Linux variants as well as Microsoft Windows.
PHPKIT is reported to be prone to a cross-site scripting vulnerability.
This is due to insufficient sanitization of HTML from URI parameters,
which will be displayed in web pages that are dynamically generated by the
software. The issue exists in the 'include.php' script and is specific to
the 'contact_email' URI parameter.
An attacker could exploit this issue by enticing a victim user to follow a
malicious link that includes HTML and script code as a value for the
vulnerable URI parameter. The attacker-supplied code could be rendered in
the victim's browser in the context of the site hosting the software.
This could theoretically allow for theft of cookie-based authentication
credentials. The attacker may also influence how the site is rendered to
the user following the link, allowing for a variety of other attacks.

23. ThWboard SQL Injection Vulnerability
BugTraq ID: 8961
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8961
Summary:
ThWboard is a bulletin board software written in PHP and MySQL.
A vulnerability has been reported to exist in the software that may allow a
remote user to inject malicious SQL syntax into database queries. This
issue is caused by insufficient sanitization of user-supplied data. A
remote attacker may exploit this issue to influence SQL query logic to
disclose sensitive information that could be used to gain unauthorized
access.
A malicious user may influence database queries in order to view or modify
sensitive information potentially compromising the software or the
database.
ThWboard versions 2.8 and 2.81 may be prone to this issue, however other
versions may be affected as well.

25. PHPRecipeBook Unspecified Cross-Site Scripting/HTML Injectio...
BugTraq ID: 8963
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8963
Summary:
PHPRecipeBook is a web application for managing recipes. It is
implemented in PHP and available for Unix/Linux and Microsoft Windows.
PHPRecipeBook 2.18 has been released to address an unspecified cross-site
scripting vulnerability. This issue is likely due to insufficient
sanitization of HTML from URI parameters, which will be displayed in web
pages that are dynamically generated by the software.
An attacker could exploit this issue by enticing a user to follow a
malicious link. This could theoretically allow for theft of cookie-based
authentication credentials or other attacks.
An attacker could possibly exploit this issue by enticing a victim user to
follow a malicious link that includes HTML and script code as a value for
the vulnerable URI parameter. The attacker-supplied code could be
rendered in the victim's browser in the context of the site hosting the
software. This could theoretically allow for theft of cookie-based
authentication credentials. The attacker may also influence how the site
is rendered to the user following the link, allowing for a variety of
other attacks.
It should also be noted that the vendor has reported that HTML and script
code will now be sanitized (as of version 2.18) before being included in
recipes as a measure to mitigate against potential HTML injection attacks.
This could allow users to inject hostile HTML into a PHPRecipeBook site if
successfully exploited.

26. OpenBSD isakmpd Multiple IKE Payload Handling Security Weakn...
BugTraq ID: 8964
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8964
Summary:
isakmpd is the IKE key management daemon provided with OpenBSD. isakmpd is
used when negotiating security associations in authenticated or encrypted
network traffic and is normally used to facilitate VPN.
OpenBSD's isakmpd daemon is said to be prone to multiple weaknesses when
handling various IKE payloads. Specifically, four weaknesses have been
discovered in various implementations of the daemon. The problems include:
1) Fails to enforce encrypted Quick Mode messages despite RFC 2409
specification. This could lead to the unintentional exposure of sensitive
session initialization data.
2) isakmpd fails to encrypt Quick Mode payloads, when acting as the
responder, if the initiator has not implemented encryption on the payload.
The issue occurs due to a check by the message_recv() function, located
within the message.c source file. Specifically, an if statement within the
function determines the status by checking the ISAKMP_FLAGS_ENC flag of
the received packet, only if the flag is set will the responder enforce
payload encryption. This could also potentially lead to the exposure of
sensitive session initialization data.
3) Hash payloads are only enforced on Quick Mode exchanges, despite the
RFC 2409 and RFC 2407 specifications stating that Phase 2 messages
containing delete payloads and 'notify' status messages should also
contain hash payloads. This could result in isakmpd not having a mechanism
for verifying the sanity of specific payloads received. It has also been
reported that hash payloads received from an unexpected source are not
verified.
4) Phase 2 delete messages are not verified to ensure that the origin of
the request is the owner of the requested SA to be deleted. The check
occurs within the ipsec_handle_leftover_payload() function, located in the
ipsec.c source file. This does not violate RFC specification, however it
is an insecure security policy that could be exploited by an unauthorized
user to delete an arbitrary SA.
It should be noted that due to the isakmpd daemon being widely
distributed, other operating systems may also be affected by this issue.
As further analysis of these weaknesses is carried out, it is likely that
each issue will be given a separate BID. At this time, this BID will be
updated and subsequently retired.

28. Oracle9iAS Portal Component SQL Injection Vulnerability
BugTraq ID: 8966
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8966
Summary:
A vulnerability has been reported to exist in the software that may allow
a remote user to inject malicious SQL syntax into database queries through
a URL. This issue is caused by insufficient sanitization of user-supplied
data.
The problem is reported to exist in the Portal component which is
installed by default in the application server. A remote attacker may
exploit this issue to influence SQL query logic to disclose sensitive
information from the database.
Successful exploitation may allow a malicious user to influence database
queries in order to view or modify sensitive information, potentially
compromising the software or the database. It is reported that
unauthenticated users may access PL/SQL packages and procedures from the
web. This would occur within the context of the invoker or definer. If a
procedure were to be executed by a definer with SYS or SYSTEM access
rights, this would allow the attacker to gain access to all data within
the database. The Portal DB Forms, Hierarchy, XML Components and List of
Values packages may allow this level of access. It should also be noted
that these packages are required by the software and cannot be disabled or
deleted.

32. OpenSSL ASN.1 Large Recursion Remote Denial Of Service Vulne...
BugTraq ID: 8970
Remote: Yes
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8970
Summary:
OpenSSL is a freely available, open source implementation of Secure Socket
Layer tools. It is available for the Unix, Linux, and Microsoft
platforms.
A problem has been identified in OpenSSL when handling specific types of
ASN.1 requests. This may result in remote attackers creating a denial of
service condition.
The problem is in the handling of specific types of requests when handling
ASN.1 data that causes large recursion. Though specifics of how this
occurs are not available, it has been reported that this can result in a
crash of OpenSSL. This could potentially lead to an attacker crashing a
service that uses an implementation of the vulnerable software.
This issue is also known to affect numerous Cisco products. It is
possible that other vendors will also be acknowledging this issue and
providing fixes.

34. OpenAutoClassifieds Listing Parameter Cross-Site Scripting V...
BugTraq ID: 8972
Remote: Yes
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8972
Summary:
OpenAutoClassifieds is an open source classifieds manager written in PHP.
A cross-site scripting vulnerability has been reported in the software.
The problem is reported to exist due to improper handling of user-supplied
data through the 'listings' parameter. HTML and script code will be
rendered in a user's browser, therefore making it possible for an attacker
to construct a malicious link containing HTML or script code that may be
rendered in a user's browser upon visiting that link. This attack would
occur in the security context of the site.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials. Since the attacker can influence
how the site will be rendered to a victim user, other attacks are also
possible such as manipulating site content.
OpenAutoClassifieds version 1.0 is reported to be prone to this issue,
however other versions may be affected as well.
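The isakmpd item above (BID 8964, weakness 2) describes a responder that only enforces Quick Mode encryption when the peer itself set the ISAKMP_FLAGS_ENC bit. The C program below is an added example written for this report; it is not isakmpd's code. It parses the fixed 28-byte ISAKMP header from RFC 2408 and puts the flag-driven acceptance check next to one that requires the E bit on every Quick Mode message. The struct, the function names and the two header-only sample messages are constructed for illustration; a real message carries payloads after the header, which are left out so the Length field is exactly 28.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example for BID 8964, weakness 2. Not isakmpd code: the struct and
 * function names below are constructed for illustration. */

#define ISAKMP_HDR_LEN      28
#define ISAKMP_FLAGS_ENC    0x01  /* E bit of the Flags octet, RFC 2408 section 3.1 */
#define ISAKMP_PAYLOAD_HASH 8     /* Next Payload value for a Hash payload, RFC 2408 */
#define IKE_EXCH_QUICK_MODE 32    /* Exchange Type value for Quick Mode, RFC 2407 */

struct isakmp_hdr {
    uint8_t  icookie[8], rcookie[8];
    uint8_t  next_payload, version, exch_type, flags;
    uint32_t msg_id, length;
};

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Parse the fixed 28-byte ISAKMP header. Returns 0, or -1 when the buffer is
 * shorter than a header or the Length field does not match what was received. */
static int parse_isakmp_hdr(const uint8_t *buf, size_t len, struct isakmp_hdr *h)
{
    if (len < ISAKMP_HDR_LEN) return -1;
    memcpy(h->icookie, buf, 8);
    memcpy(h->rcookie, buf + 8, 8);
    h->next_payload = buf[16];
    h->version      = buf[17];
    h->exch_type    = buf[18];
    h->flags        = buf[19];
    h->msg_id       = be32(buf + 20);
    h->length       = be32(buf + 24);
    return h->length == len ? 0 : -1;
}

/* Flag-driven policy, as the summary describes it: the responder only treats
 * the message as one that has to be decrypted when the initiator set the E bit.
 * A cleartext Quick Mode message therefore passes and its payloads are
 * processed unencrypted. Returns 1 = accept, 0 = reject. */
static int accept_quick_mode_vuln(const struct isakmp_hdr *h)
{
    if (h->exch_type != IKE_EXCH_QUICK_MODE) return 0;
    if (h->flags & ISAKMP_FLAGS_ENC)
        return 1;   /* would decrypt the payloads here */
    return 1;       /* payloads taken in the clear: the weakness */
}

/* Corrected policy: RFC 2409 requires every Quick Mode message to be
 * encrypted, so the E bit is mandatory whatever the peer chose to send. */
static int accept_quick_mode_fixed(const struct isakmp_hdr *h)
{
    if (h->exch_type != IKE_EXCH_QUICK_MODE) return 0;
    return (h->flags & ISAKMP_FLAGS_ENC) ? 1 : 0;
}

/* Parse a datagram and apply one of the two policies.
 * Returns 1 accept, 0 reject, -1 malformed header. */
static int check_message(const uint8_t *buf, size_t len, int use_fixed)
{
    struct isakmp_hdr h;
    if (parse_isakmp_hdr(buf, len, &h) != 0) return -1;
    return use_fixed ? accept_quick_mode_fixed(&h) : accept_quick_mode_vuln(&h);
}

/* Constructed header-only Quick Mode message (real messages carry payloads
 * after the header; they are omitted so the Length field is exactly 28). */
static void build_quick_mode_hdr(uint8_t out[ISAKMP_HDR_LEN], uint8_t flags)
{
    memset(out, 0, ISAKMP_HDR_LEN);
    memset(out, 0xA1, 8);                 /* constructed initiator cookie */
    memset(out + 8, 0xB2, 8);             /* constructed responder cookie */
    out[16] = ISAKMP_PAYLOAD_HASH;
    out[17] = 0x10;                       /* major version 1, minor 0 */
    out[18] = IKE_EXCH_QUICK_MODE;
    out[19] = flags;
    out[23] = 0x01;                       /* Message ID 0x00000001 (Phase 2) */
    out[27] = ISAKMP_HDR_LEN;             /* Length = 28 */
}

int main(void)
{
    uint8_t enc[ISAKMP_HDR_LEN], clear[ISAKMP_HDR_LEN];
    build_quick_mode_hdr(enc, ISAKMP_FLAGS_ENC);
    build_quick_mode_hdr(clear, 0);
    printf("encrypted QM:  flag-driven=%d  fixed=%d\n",
           check_message(enc, sizeof enc, 0), check_message(enc, sizeof enc, 1));
    printf("cleartext QM:  flag-driven=%d  fixed=%d\n",
           check_message(clear, sizeof clear, 0), check_message(clear, sizeof clear, 1));
    return 0;
}
```

The point of the comparison is that the flag-driven check lets the initiator decide whether Phase 2 material is protected; the corrected check derives the requirement from the exchange type, which the responder controls, and a cleartext Quick Mode message is dropped before any payload is looked at.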
 
Old 11-11-2003, 07:41 PM   #4
unSpawn
Moderator
Original Poster
Nov 10th 2003 (SF) pt 2/2

SecurityFocus

35. CDE LibDTHelp DTHelpUserSearchPath Local Buffer Overflow Vul...
BugTraq ID: 8973
Remote: No
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8973
Summary:
Common Desktop Environment (CDE) is a commercially-available desktop
environment for the Unix and Linux operating systems.
A problem has been identified in CDE libDtHelp. Because of this, it may
be possible for a local attacker to gain elevated privileges.
The problem is in the handling of data in the DTHELPUSERSEARCHPATH
environment variable. Due to insufficient bounds checking, it is possible
to corrupt system memory, potentially overwriting sensitive values. As a
result, it may be possible for a local attacker to execute arbitrary code.
Applications linked against libDtHelp are typically installed with setuid
root privileges. An attacker taking advantage of this issue could
therefore potentially gain administrative access on a vulnerable system.
This issue may be related to Bugtraq ID 7730, although this has not been
confirmed by Symantec.

36. John Beatty Easy PHP Photo Album dir Parameter HTML Injectio...
BugTraq ID: 8977
Remote: Yes
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8977
Summary:
A vulnerability has been reported in the software that may allow a remote
attacker to execute HTML and script code in a user's browser. The issue is
reported to be present in the 'dir' parameter. The problem exists due to
insufficient sanitization of user-supplied input. It may be possible for
an attacker to include malicious HTML code in one of the vulnerable
fields. The injected code could then be interpreted by the browser of a
user visiting the vulnerable site. This attack would occur in the security
context of the affected site.
Successful exploitation of this issue may allow a remote attacker to steal
cookie-based authentication credentials. Other attacks are possible as
well.
Easy PHP Photo Album version 1.0 has been reported to be vulnerable to
this issue, however prior versions may be affected as well.

37. OpenBSD Local Malformed Binary Execution Denial of Service V...
BugTraq ID: 8978
Remote: No
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8978
Summary:
iBCS2 (Intel Binary Compatibility Specification 2) is a binary
compatibility format commonly used by SCO and ISC binaries. ELF
is the executable and linkable format which is the default binary format
used on Unix and Linux operating systems.
OpenBSD has recently fixed a vulnerability in the OpenBSD kernel when
handling iBCS2 binaries. The problem occurs within the ibcs2_exec.c source
file and is due to insufficient sanity checks before allocating memory via
malloc(), using the xe_segsize binary parameter.
The precise technical details regarding this issue are currently unknown,
however it is believed that a segment table size (xe_segsize) value
greater than the maximum allowable number of segments (16) could
potentially cause malloc() to fail and under some circumstances return 0.
Because sufficient checks of the return value of malloc() are not carried
out, an unexpected value may be used in future calculations, effectively
triggering a kernel panic.
An additional issue was also addressed in exec_elf.c that could
potentially result in a kernel panic. This particular problem also
involved insufficient checks before calling malloc(), in this case with
the ELF program header size value as an argument. If a malicious binary
with a malformed size were handled, this may cause an unexpected
calculation in the code, effectively triggering a kernel panic.
The OpenBSD team has addressed this issue by verifying the size of the two
size values prior to calling the malloc() function.
An attacker could exploit this condition by constructing a malicious iBCS2
or ELF binary. It should be noted that, in the case of an iBCS2 binary,
support for the format would explicitly need to be supported by the kernel
configuration.

*** November 5, 2003 - New information discovered by the researcher
suggests that the implications of this vulnerability could in fact be
higher than initially anticipated. As such, it is believed that successful
exploitation of this issue under some conditions could potentially lead to
code execution within the context of the kernel. This has been conjectured
due to varying crashes observed when triggering the condition. Due to the
lack of details regarding this possibility, the status of this BID will
remain the same until more information is available.


40. Multiple Vendor S/MIME ASN.1 Parsing Denial of Service Vulne...
BugTraq ID: 8981
Remote: Yes
Date Published: Nov 05 2003
Relevant URL: http://www.securityfocus.com/bid/8981
Summary:
Multiple vulnerabilities have been reported to be present in various
implementations of S/MIME protocol. S/MIME is used to send binary data
and attachments across e-mail in a secure fashion. S/MIME is also used to
package ASN.1.
It has been reported that various products may be affected by denial of
service issues resulting from improperly handling of exceptional ASN.1
elements. An attacker may exploit this issue by sending an exceptional
ASN.1 element to a vulnerable system in order to cause a denial of service
condition.
Successful exploitation of this issue may allow an attacker to cause the
software to behave in an unstable manner leading to a crash or hang.
These issues are reported to affect ASN.1 parsing routines, however
cryptographic libraries that implement S/MIME may be affected as well due to
sharing of ASN.1 code between the cryptographic functions and S/MIME.
Currently Hitachi PKI Runtime Library and Hitachi Groupmax Mail -
Security Option version 6 and possibly prior have been reported to be
vulnerable, however this BID will be updated as more information becomes
available.

41. Clearswift MAILsweeper for SMTP Zip Archive Filtering Bypass...
BugTraq ID: 8982
Remote: Yes
Date Published: Nov 05 2003
Relevant URL: http://www.securityfocus.com/bid/8982
Summary:
MAILsweeper for SMTP is a commercial application for filtering e-mail
content at the gateway level.
A vulnerability has been reported to be present in the software that may
cause the software to fail in detecting malicious zip archives. It has
been reported that the software does not filter certain malicious zip
archives such as those generated by the Mimail worm (MCID 1763).
Successful exploitation may allow malicious code to be executed on client
systems. This is due to the fact that the malicious e-mail will not be
filtered at the gateway level and may affect users within an organization
that is using MAILsweeper to filter e-mail content. Exploitation can only
occur if a user executes a malicious attachment and malicious files must
also bypass any local anti virus software.
MAILsweeper for SMTP 4.3.10 and prior versions have been reported to be
prone to this issue.

42. X-CD-Roast Local Insecure File Creation Symlink Vulnerabilit...
BugTraq ID: 8983
Remote: No
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8983
Summary:
X-CD-Roast is a freely available CD burning utility available for Linux
and Unix based systems.
X-CD-Roast has been reported prone to an insecure file creation
vulnerability that may be exploited to corrupt arbitrary files. The issue
has been reported to present itself because X-CD-Roast will follow
symbolic links when writing certain specific files. The problem is also
conjectured to be exaggerated as a result of a lack of sufficient access
controls set by X-CD-Roast on the files that it creates and employs.
Ultimately a local user may exploit this condition by creating a symbolic
link in the place of the vulnerable X-CD-Roast file. The malicious
symbolic link will point to an arbitrary file on the system. When an
unsuspecting user invokes X-CD-Roast the file linked by the symbolic link
will be corrupted, the file corruption will occur only if the user
invoking X-CD-Roast has sufficient privileges to write to the target file.
A local user may leverage this condition to corrupt arbitrary files
triggering a system wide denial of service or potentially elevating their
system privileges.

46. Linux Kernel Trojan Horse Vulnerability
BugTraq ID: 8987
Remote: No
Date Published: Nov 05 2003
Relevant URL: http://www.securityfocus.com/bid/8987
Summary:
It has been announced that a file 'kernel/exit.c' was modified on the
kernel.bkbits.net Linux Kernel CVS tree by a malicious party. The file
'kernel/exit.c' was modified to include trojan horse code that would
potentially allow a local user to elevate privileges.
Specifically, when '__WCLONE|__WALL' is passed to the sys_wait4() function
in a sufficient manner a malicious procedure in the trojaned kernel
'current->uid = 0' is performed to elevate the malicious user to uid '0'
or root system privileges.
It is not currently known what version of the Linux kernel is affected by
this issue. This BID will be updated as further information regarding this
issue is disclosed.

47. Ganglia gmond Malformed Packet Remote Denial of Service Vuln...
BugTraq ID: 8988
Remote: Yes
Date Published: Nov 06 2003
Relevant URL: http://www.securityfocus.com/bid/8988
Summary:
Ganglia Monitoring Daemon (gmond) is cluster monitoring software available
for a wide variety of Unix-based operating systems, as well as Linux.
When a user transmits a packet to the gmond service, advertising a metric,
a hashing function handles the packet. The advertisement packet, when
transmitted from an official client, will include a name string that will
be a minimum of 2 bytes; 1 character followed by a NULL byte. The hashval
function, located within the lib/hash.c source file, parses the string
name and attempts to calculate the hash value within a for loop. The
calculated value is then used as an index into a specific array of hashes.
A vulnerability has been discovered in this procedure that could
potentially result in a denial of service condition. The problem occurs
when a malformed packet from a modified client or custom program is
transmitted with a 1 byte name string. When the hashval function handles
this packet, due to the unexpected name string size, the calculated value
will not be run through a modulus operation designed to ensure the value
is a legitimate index. As a result, a 1 byte number of greater size than a
valid index could potentially cause an unexpected calculation or invalid
pointer dereference.
It has been reported that due to this miscalculation, the gmond service
will crash when attempting to lock access to the hash entry by locking the
data at the calculated pointer. This would effectively result in a denial
of service condition.
This vulnerability is said to affect gmond version 2.5.3 however, other
versions may also be affected.
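Item 32 in the first post (OpenSSL ASN.1 large recursion, BID 8970) and item 40 above (S/MIME ASN.1 parsing, BID 8981) both come down to a decoder that recurses into constructed ASN.1 elements without a bound on nesting depth. The C program below is an added example written for this report; it is not code from OpenSSL, Hitachi or any other vendor named on this page. It is a minimal DER TLV walker that rejects indefinite and non-minimal lengths, truncated content and, when a limit is given, nesting beyond a configurable depth, together with a builder that constructs a deliberately deep SEQUENCE nesting as test input. All function names, error codes and the sample input are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example for BIDs 8970 and 8981. Not OpenSSL or vendor code; names and
 * sample input are constructed for illustration. */

enum { DER_ERR_TRUNC = -1, DER_ERR_LEN = -2, DER_ERR_TAG = -3, DER_ERR_DEPTH = -4 };

/* Walk the DER elements in buf[0..len) and return how many were visited,
 * nested ones included, or a negative DER_ERR_* code. Constructed elements
 * (bit 0x20 of the tag) are descended into recursively. max_depth == 0 means
 * "no limit", which reproduces the unbounded recursion the advisories
 * describe; a positive max_depth turns excessive nesting into a clean error. */
static long der_walk(const uint8_t *buf, size_t len, unsigned depth, unsigned max_depth)
{
    long count = 0;
    size_t off = 0;

    if (max_depth != 0 && depth > max_depth) return DER_ERR_DEPTH;
    while (off < len) {
        if (len - off < 2) return DER_ERR_TRUNC;
        uint8_t tag = buf[off++];
        if ((tag & 0x1F) == 0x1F) return DER_ERR_TAG;   /* high-tag-number form: not handled */
        uint8_t lb = buf[off++];
        size_t clen;
        if (lb < 0x80) {
            clen = lb;                                    /* short form */
        } else {
            unsigned n = lb & 0x7F;
            if (n == 0 || n > 4) return DER_ERR_LEN;      /* indefinite form, or absurdly long */
            if (len - off < n) return DER_ERR_TRUNC;
            if (buf[off] == 0) return DER_ERR_LEN;        /* DER: leading zero octet forbidden */
            clen = 0;
            for (unsigned i = 0; i < n; i++) clen = (clen << 8) | buf[off++];
            if (clen < 0x80) return DER_ERR_LEN;          /* DER: must have used the short form */
        }
        if (len - off < clen) return DER_ERR_TRUNC;       /* content runs past the buffer */
        count++;
        if (tag & 0x20) {
            long inner = der_walk(buf + off, clen, depth + 1, max_depth);
            if (inner < 0) return inner;
            count += inner;
        }
        off += clen;
    }
    return count;
}

/* Constructed test input: a NULL wrapped in `levels` nested SEQUENCEs.
 * Returns the encoded length, or 0 if it does not fit in cap bytes. */
static size_t build_nested_seq(unsigned levels, uint8_t *out, size_t cap)
{
    if (cap < 2) return 0;
    out[0] = 0x05; out[1] = 0x00;                         /* NULL */
    size_t len = 2;
    for (unsigned i = 0; i < levels; i++) {
        uint8_t hdr[4] = { 0x30 };                        /* SEQUENCE, constructed */
        size_t hlen;
        if (len < 0x80)         { hdr[1] = (uint8_t)len; hlen = 2; }
        else if (len <= 0xFF)   { hdr[1] = 0x81; hdr[2] = (uint8_t)len; hlen = 3; }
        else if (len <= 0xFFFF) { hdr[1] = 0x82; hdr[2] = (uint8_t)(len >> 8); hdr[3] = (uint8_t)len; hlen = 4; }
        else return 0;
        if (len + hlen > cap) return 0;
        memmove(out + hlen, out, len);                    /* make room for the new header */
        memcpy(out, hdr, hlen);
        len += hlen;
    }
    return len;
}

int main(void)
{
    uint8_t blob[1024];
    size_t n = build_nested_seq(200, blob, sizeof blob);
    printf("200 levels, unbounded: %ld\n", der_walk(blob, n, 0, 0));
    printf("200 levels, max 32:    %ld\n", der_walk(blob, n, 0, 32));
    n = build_nested_seq(10, blob, sizeof blob);
    printf("10 levels, max 32:     %ld\n", der_walk(blob, n, 0, 32));
    return 0;
}
```

With max_depth set to 0 the walker behaves like the decoders in the advisories: it makes one recursive call per nesting level, so an attacker who controls the input controls the stack depth and a large enough nesting exhausts the stack. A bound such as 32 is far deeper than any legitimate X.509 or S/MIME structure and turns the same input into a rejected message instead of a crashed process; the length checks matter for the same reason, since a length field that points past the buffer is the other common way such parsers are made to fault.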
 
  

