LQ security report - Apr 22nd 2004
Apr 26th 2004
Linux kernel setsockopt MCAST_MSFILTER: FIX
There's a fix out provided by nolife. Here's the Bugtraq article, here's the linux kernel module code and here is me testing the fix.

Apr 21st 2004
Linux kernel setsockopt MCAST_MSFILTER integer overflow
3. Impact
Proper exploitation of this vulnerability leads to local privilege escalation giving an attacker full super-user privileges. Unsuccessful exploitation of the vulnerability may lead to a denial-of-service attack causing machine crash or instant reboot.
4. Solution
This bug has been fixed in the 2.4.26 and 2.6.4 kernel releases. All users of vulnerable kernels are advised to upgrade to the latest kernel version. For further information please contact your vendor.

Apr 19th 2004
31 of 69 issues handled (SF)
1. Scorched 3D Server Memory Corruption Vulnerabilities
2. Open WebMail Arbitrary Directory Creation Vulnerability
6. Crackalaka IRC Server Remote Denial of Service Vulnerability
7. RSniff Remote Denial of Service Vulnerability
9. X-Micro WLAN 11b Broadband Router Backdoor Administration Ac...
10. Linux Kernel Sigqueue Blocking Denial Of Service Vulnerabili...
13. Eazel Nautilus Trash Folder Handler Buffer Overflow Vulnerab...
14. TikiWiki Project Multiple Input Validation Vulnerabilities
15. Blackboard Learning System Multiple Cross-Site Scripting Vul...
17. SurgeLDAP User.CGI Directory Traversal Vulnerability
18. Nuked-Klan Multiple Vulnerabilities
20. KDE Konqueror Bitmap File Processing Denial of Service Vulne...
39. PHP-Nuke CookieDecode Cross-Site Scripting Vulnerability
40. TUTOS Multiple Input Validation Vulnerabilities
46. PHP-Nuke Multiple SQL Injection Vulnerabilities
47. Neon WebDAV Client Library Format String Vulnerabilities
49. CVS Client RCS Diff File Corruption Vulnerability
51. CVS Server Piped Checkout Access Validation Vulnerability
52. Linux Kernel ISO9660 File System Buffer Overflow Vulnerabili...
53. MySQL MYSQLD_Multi Insecure Temporary File Creation Vulnerab...
54. Linux Kernel JFS File System Information Leakage Vulnerabili...
56. Mozilla Messenger Remote Denial Of Service Vulnerability
57. PostNuke Phoenix Multiple Module SQL Injection Vulnerabiliti...
58. Red Hat Linux GNU Mailman Remote Denial Of Service Vulnerabi...
60. Xonix X11 Game Insecure Privilege Dropping Vulnerability
61. ssmtp Mail Transfer Agent Multiple Format String Vulnerabili...
62. Linux Kernel XFS File System Information Leakage Vulnerabili...
63. Linux Kernel EXT3 File System Information Leakage Vulnerabil...
64. PHPBugTracker Multiple Input Validation Vulnerabilities
66. Cisco IPsec VPN Client Group Password Disclosure Vulnerabili...
67. Gemitel Affich.PHP Remote File Include Command Injection Vul...

Apr 19th 2004
40 of 78 issues handled (ISS)
Crackalaka hash_strcmp denial of service
Sun Ray servers lockscreen fails if Smartcard is
X-Micro WLAN 11b Broadband Router default
Nautilus long directory name buffer overflow
PHP-Nuke admin authentication bypass
NewsPHP could allow administrative access
NewsPHP index.php cross-site scripting
NewsPHP file upload
PHP-Nuke bypass authentication
Adobe Acrobat Reader PDF denial of service
PHP-Nuke cookiedecode function cross-site scripting
Nuked-Klan PHP file include
Nuked-Klan configuration file corruption
TikiWiki SQL injection
TikiWiki cross-site scripting
TikiWiki path disclosure
TikiWiki tiki-map.phtml file and directory
TikiWiki file upload
SurgeLDAP "dot dot" directory traversal
TUTOS multiple scripts cross-site scripting
TUTOS note_overview.php script path disclosure
Blackboard cross-site scripting
neon format string attack
CVS RCS diff command file creation
Linux Kernel ISO9660 filesystem buffer overflow
Linux Kernel ext3 information disclosure
Linux Kernel Sound Blaster driver denial of service
PostNuke index.php script SQL injection
Cisco IPsec VPN Group Password information
Cisco IPsec VPN man-in-the-middle attack
ssmtp die and log_event functions format string
xonix fails to drop privileges
KPhone STUN packet can cause denial of service
PostNuke changeinfo.php script SQL injection
phpBugTracker multiple scripts SQL injection
RealNetworks' Helix Universal Server GET denial of
phpBugTracker multiple scripts cross-site scripting
MySQL mysqld_multi script symlink attack
WIKINDX config.inc file allows attacker to obtain
Gemitel sp-turn.php file PHP file include

Apr 16th 2004
18 issues in 8 distros (LAW)
apache cadaver cvs heimdal iproute ipsec-tools kernel mailman mod_python dos mysql openoffice pwlib scorched squid ssmtp subversion tcpdump xonix
Apr 16th 2004 (LAW)
Linux Advisory Watch
Distribution: Conectiva

4/12/2004 - 'mod_python' DoS
This update fixes a remote denial of service vulnerability in Apache web-servers which have mod_python enabled.
http://www.linuxsecurity.com/advisor...sory-4216.html

4/13/2004 - 'squid' ACL bypass vulnerability
This update fixes a vulnerability that allows a malicious user to bypass url_regex ACLs by using a specially crafted URL.
http://www.linuxsecurity.com/advisor...sory-4217.html

4/14/2004 - apache Multiple vulnerabilities
Patch corrects non-filtered escape sequences and a DoS attack.
http://www.linuxsecurity.com/advisor...sory-4219.html

Distribution: Debian

4/14/2004 - kernel Multiple vulnerabilities
This is three advisories in one, each for the same group of kernel 2.4.x vulnerabilities. The first is for the PA-RISC architecture, the second for the IA-64 architecture, and the third for the PowerPC/apus and S/390 architectures.
http://www.linuxsecurity.com/advisor...sory-4229.html

4/14/2004 - mysql Insecure temporary file vulnerabilities
Two scripts contained in the package don't create temporary files in a secure fashion, which could lead to a root exploit.
http://www.linuxsecurity.com/advisor...sory-4230.html

4/15/2004 - kernel 2.4.18 Multiple vulnerabilities
Here is a patch release specifically for kernel 2.4.18 on the i386 architecture, fixing multiple kernel security issues, and fixing a build error from a previous patch to same.
http://www.linuxsecurity.com/advisor...sory-4231.html

4/15/2004 - xonix Privilege retention vulnerability
A local attacker could exploit this vulnerability to gain gid "games".
http://www.linuxsecurity.com/advisor...sory-4232.html

4/15/2004 - ssmtp Format string vulnerability
These vulnerabilities could potentially be exploited by a remote mail relay to gain the privileges of the ssmtp process (including potentially root).
http://www.linuxsecurity.com/advisor...sory-4233.html

Distribution: Fedora

4/14/2004 - kernel Multiple vulnerabilities
This patch fixes a variety of buffer overflow and information leak vulnerabilities.
http://www.linuxsecurity.com/advisor...sory-4228.html

4/15/2004 - kernel Corrected md5sums
Something went wrong with the md5sums in yesterday's announcement.
http://www.linuxsecurity.com/advisor...sory-4234.html

4/15/2004 - openoffice Multiple format string vulnerabilities
This patch fixes vulnerabilities that may allow execution of arbitrary code, as well as other bugfixes.
http://www.linuxsecurity.com/advisor...sory-4238.html

4/15/2004 - squid 2.5 ACL escape vulnerability
This is a backport of an older patch which prevented crafted URLs from being able to ignore Squid's ACLs.
http://www.linuxsecurity.com/advisor...sory-4239.html

Distribution: FreeBSD

4/15/2004 - cvs Chroot escape vulnerability
This patch fixes two cvs errors, one with the client and one with the server. Both allow chroot escapes.
http://www.linuxsecurity.com/advisor...sory-4240.html

Distribution: Gentoo

4/9/2004 - Heimdal Cross-realm scripting vulnerability
Heimdal contains a cross-realm vulnerability allowing someone with control over a realm to impersonate anyone in the cross-realm trust path.
http://www.linuxsecurity.com/advisor...sory-4211.html

4/9/2004 - iproute Denial of service vulnerability
The iproute package allows local users to cause a denial of service.
http://www.linuxsecurity.com/advisor...sory-4212.html

4/9/2004 - pwlib Multiple vulnerabilities
Multiple vulnerabilities have been found in pwlib that may lead to a remote denial of service or buffer overflow attack.
http://www.linuxsecurity.com/advisor...sory-4213.html

4/9/2004 - Scorched 3D Format string attack vulnerability
Scorched 3D is vulnerable to a format string attack in the chat box that leads to Denial of Service on the game server and possibly allows execution of arbitrary code.
http://www.linuxsecurity.com/advisor...sory-4214.html

4/15/2004 - cvs Multiple vulnerabilities
There are two vulnerabilities in CVS; one in the server and one in the client. These vulnerabilities allow the reading and writing of arbitrary files on both client and server.
http://www.linuxsecurity.com/advisor...sory-4235.html

Distribution: Mandrake

4/9/2004 - ipsec-tools Signature non-verification vulnerability
Multiple vulnerabilities
Racoon does not verify the RSA signature during phase one of a connection using either main or aggressive mode. Only the certificate of the client is verified; the certificate is not used to verify the client's signature.
http://www.linuxsecurity.com/advisor...sory-4215.html

4/14/2004 - cvs Chroot escape vulnerability
A maliciously configured server could then create any file with content on the local user's disk.
http://www.linuxsecurity.com/advisor...sory-4226.html

4/14/2004 - kernel Multiple vulnerabilities
This patch fixes a large variety of kernel bugs, including an assortment of filesystem related vulnerabilities.
http://www.linuxsecurity.com/advisor...sory-4227.html

4/15/2004 - tcpdump Multiple vulnerabilities
Corrects out of bounds read and DoS attack.
http://www.linuxsecurity.com/advisor...sory-4236.html

Distribution: Red Hat

4/14/2004 - cvs Chroot escape vulnerability
Updated cvs packages that fix a client vulnerability that could be exploited by a malicious server are now available.
http://www.linuxsecurity.com/advisor...sory-4222.html

4/14/2004 - cadaver Multiple format string vulnerabilities
An updated cadaver package that fixes a vulnerability in neon exploitable by a malicious DAV server is now available.
http://www.linuxsecurity.com/advisor...sory-4223.html

4/14/2004 - mailman Denial of service vulnerability
An updated mailman package that closes a DoS vulnerability in mailman introduced by RHSA-2004:019 is now available.
http://www.linuxsecurity.com/advisor...sory-4224.html

4/14/2004 - OpenOffice Multiple format string vulnerabilities
An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client.
http://www.linuxsecurity.com/advisor...sory-4225.html

4/15/2004 - subversion Multiple format string vulnerabilities
An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client connecting via subversion.
http://www.linuxsecurity.com/advisor...sory-4237.html

Distribution: Suse

4/14/2004 - kernel Multiple vulnerabilities
Two vulnerabilities, one involving symlink names and one involving the JFS filesystem, can both be used to gain root privileges.
http://www.linuxsecurity.com/advisor...sory-4220.html

4/14/2004 - cvs Chroot escape vulnerability
Patches an ability for a rogue CVS server to remotely create arbitrary absolute-path files with the user's permission.
http://www.linuxsecurity.com/advisor...sory-4221.html
Apr 19th 2004 (ISS)
Internet Security Systems
Date Reported: 04/09/2004
Brief Description: Crackalaka hash_strcmp denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Crackalaka 1.0.8, Linux Any version, Unix Any version
Vulnerability: crackalaka-hashstrcmp-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15824

Date Reported: 04/09/2004
Brief Description: Sun Ray servers lockscreen fails if Smartcard is removed and reinserted
Risk Factor: Low
Attack Type: Host Based
Platforms: Solaris 8, Solaris 9, Sun Ray Server Any version
Vulnerability: sun-ray--lockscreen-fail
X-Force URL: http://xforce.iss.net/xforce/xfdb/15825

Date Reported: 04/10/2004
Brief Description: X-Micro WLAN 11b Broadband Router default administrative interface account
Risk Factor: Medium
Attack Type: Network Based
Platforms: X-Micro WLAN 11b Broadband Router 1.2.2, X-Micro WLAN 11b Broadband Router 1.2.2.3
Vulnerability: xmicro-router-default-account
X-Force URL: http://xforce.iss.net/xforce/xfdb/15829

Date Reported: 04/12/2004
Brief Description: Nautilus long directory name buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms: Linux Any version, Nautilus 2.2.1
Vulnerability: nautilus-directory-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15834

Date Reported: 04/12/2004
Brief Description: PHP-Nuke admin authentication bypass
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, PHP-Nuke 6.x through 7.2
Vulnerability: phpnuke-admin-bypass-authentication
X-Force URL: http://xforce.iss.net/xforce/xfdb/15835

Date Reported: 04/13/2004
Brief Description: NewsPHP could allow administrative access
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, NewsPHP Any version
Vulnerability: newsphp-gain-admin-access
X-Force URL: http://xforce.iss.net/xforce/xfdb/15836

Date Reported: 04/13/2004
Brief Description: NewsPHP index.php cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, NewsPHP Any version
Vulnerability: newsphp-index-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15837

Date Reported: 04/13/2004
Brief Description: NewsPHP file upload
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, NewsPHP Any version
Vulnerability: newsphp-file-upload
X-Force URL: http://xforce.iss.net/xforce/xfdb/15838

Date Reported: 04/12/2004
Brief Description: PHP-Nuke bypass authentication
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, PHP-Nuke 6.x through 7.2
Vulnerability: phpnuke-bypass-authentication
X-Force URL: http://xforce.iss.net/xforce/xfdb/15839

Date Reported: 04/12/2004
Brief Description: Adobe Acrobat Reader PDF denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Acrobat Reader 4.0, Acrobat Reader 5.0, Any operating system Any version
Vulnerability: adobe-acrobat-pdf-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15840

Date Reported: 04/12/2004
Brief Description: PHP-Nuke cookiedecode function cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, PHP-Nuke 6.x through 7.2
Vulnerability: phpnuke-cookiedecode-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15842

Date Reported: 04/12/2004
Brief Description: Nuked-Klan PHP file include
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, Nuked-Klan 1.4b, Nuked-Klan 1.5b
Vulnerability: nuked-klan-file-include
X-Force URL: http://xforce.iss.net/xforce/xfdb/15843

Date Reported: 04/12/2004
Brief Description: Nuked-Klan configuration file corruption
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, Nuked-Klan 1.4b, Nuked-Klan 1.5b
Vulnerability: nuked-klan-configurtion-corruption
X-Force URL: http://xforce.iss.net/xforce/xfdb/15844

Date Reported: 04/12/2004
Brief Description: TikiWiki SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, TikiWiki 1.8.1 and earlier
Vulnerability: tikiwiki-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15845

Date Reported: 04/12/2004
Brief Description: TikiWiki cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, TikiWiki 1.8.1 and earlier
Vulnerability: tikiwiki-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15846

Date Reported: 04/12/2004
Brief Description: TikiWiki path disclosure
Risk Factor: Low
Attack Type: Network Based
Platforms: Any operating system Any version, TikiWiki 1.8.1 and earlier
Vulnerability: tikiwiki-path-disclosure
X-Force URL: http://xforce.iss.net/xforce/xfdb/15847

Date Reported: 04/12/2004
Brief Description: TikiWiki tiki-map.phtml file and directory disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, TikiWiki 1.8.1 and earlier
Vulnerability: tikiwiki-tikimap-file-disclosure
X-Force URL: http://xforce.iss.net/xforce/xfdb/15848

Date Reported: 04/12/2004
Brief Description: TikiWiki file upload
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, TikiWiki 1.8.1 and earlier
Vulnerability: tikiwiki-file-upload
X-Force URL: http://xforce.iss.net/xforce/xfdb/15849

Date Reported: 04/13/2004
Brief Description: SurgeLDAP "dot dot" directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, SurgeLDAP Any version, Windows Any version
Vulnerability: surgeldap-dotdot-directory-traversal
X-Force URL: http://xforce.iss.net/xforce/xfdb/15851

Date Reported: 04/13/2004
Brief Description: TUTOS multiple scripts cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, TUTOS 1.1.20030715, Unix Any version, Windows Any version
Vulnerability: tutos-multiple-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15852

Date Reported: 04/13/2004
Brief Description: TUTOS note_overview.php script path disclosure
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, TUTOS 1.1.20030715, Unix Any version, Windows Any version
Vulnerability: tutos-noteoverview-path-disclosure
X-Force URL: http://xforce.iss.net/xforce/xfdb/15854

Date Reported: 04/12/2004
Brief Description: Blackboard cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, Blackboard 6.0
Vulnerability: blackboard-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15855

Date Reported: 04/14/2004
Brief Description: neon format string attack
Risk Factor: High
Attack Type: Network Based
Platforms: Debian Linux 3.0, neon 0.24.4 and earlier, Red Hat Linux 9
Vulnerability: neon-format-string
X-Force URL: http://xforce.iss.net/xforce/xfdb/15863

Date Reported: 04/14/2004
Brief Description: CVS RCS diff command file creation
Risk Factor: Medium
Attack Type: Network Based
Platforms: CVS (Concurrent Versions System) Any version, Debian Linux 3.0, FreeBSD prior to 2004-04-15, Red Hat Linux 9
Vulnerability: cvs-rcs-create-files
X-Force URL: http://xforce.iss.net/xforce/xfdb/15864

Date Reported: 04/14/2004
Brief Description: Linux Kernel ISO9660 filesystem buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Debian Linux 3.0, Linux kernel prior to 2.4.26-rc4, Mandrake Linux 10.0, Mandrake Linux 9.1, Mandrake Linux 9.2, Mandrake Linux Corporate Server 2.1, Mandrake Multi Network Firewall 8.2
Vulnerability: linux-iso9660-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15866

Date Reported: 04/14/2004
Brief Description: Linux Kernel ext3 information disclosure
Risk Factor: Medium
Attack Type: Host Based
Platforms: Debian Linux 3.0, Linux kernel prior to 2.4.26-pre4, Mandrake Linux 10.0, Mandrake Linux 9.1, Mandrake Linux 9.2, Mandrake Linux Corporate Server 2.1, Mandrake Multi Network Firewall 8.2
Vulnerability: linux-ext3-info-disclosure
X-Force URL: http://xforce.iss.net/xforce/xfdb/15867

Date Reported: 04/14/2004
Brief Description: Linux Kernel Sound Blaster driver denial of service
Risk Factor: Low
Attack Type: Host Based
Platforms: Debian Linux 3.0, Linux kernel prior to 2.4.26-pre3
Vulnerability: linux-sound-blaster-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15868

Date Reported: 04/14/2004
Brief Description: PostNuke index.php script SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, PostNuke 0.726 and earlier, Unix Any version, Windows Any version
Vulnerability: postnuke-indexphp-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15869

Date Reported: 04/15/2004
Brief Description: Cisco IPsec VPN Group Password information disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Cisco IPsec VPN implementation Any version, Linux Any version, Windows Any version
Vulnerability: ipsec-vpn-obtain-information
X-Force URL: http://xforce.iss.net/xforce/xfdb/15870

Date Reported: 04/15/2004
Brief Description: Cisco IPsec VPN man-in-the-middle attack
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, Cisco IPsec VPN implementation Any version
Vulnerability: ipsec-vpn-mitm
X-Force URL: http://xforce.iss.net/xforce/xfdb/15871

Date Reported: 04/14/2004
Brief Description: ssmtp die and log_event functions format string
Risk Factor: High
Attack Type: Network Based
Platforms: Debian Linux 3.0, Linux Any version, ssmtp prior to 2.50.6.1
Vulnerability: ssmtp-die-logeventformat-string
X-Force URL: http://xforce.iss.net/xforce/xfdb/15872

Date Reported: 04/14/2004
Brief Description: xonix fails to drop privileges
Risk Factor: High
Attack Type: Host Based
Platforms: Debian Linux 3.0, Linux Any version, xonix Any version
Vulnerability: xonix-privilege-dropping
X-Force URL: http://xforce.iss.net/xforce/xfdb/15873

Date Reported: 04/14/2004
Brief Description: KPhone STUN packet can cause denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: KPhone 4.0.1 and prior, Linux Any version
Vulnerability: kphone-stun-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15874

Date Reported: 04/14/2004
Brief Description: PostNuke changeinfo.php script SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, PHP-Nuke 0.726 and earlier, Unix Any version, Windows Any version
Vulnerability: postnuke-changeinfo-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15875

Date Reported: 04/15/2004
Brief Description: phpBugTracker multiple scripts SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, phpBugTracker 0.9.1, Unix Any version, Windows Any version
Vulnerability: phpbugtracker-multiple-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15879

Date Reported: 04/15/2004
Brief Description: RealNetworks' Helix Universal Server GET denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Helix Universal Server 9.0.1 for Windows, Helix Universal Server 9.0.2 for Linux, Linux Any version, Windows Any version
Vulnerability: helix-get-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15880

Date Reported: 04/15/2004
Brief Description: phpBugTracker multiple scripts cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, phpBugTracker 0.9.1, Unix Any version, Windows Any version
Vulnerability: phpbugtracker-multiple-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15881

Date Reported: 04/14/2004
Brief Description: MySQL mysqld_multi script symlink attack
Risk Factor: High
Attack Type: Network Based
Platforms: Any operating system Any version, Debian Linux 3.0, MySQL Any version
Vulnerability: mysql-mysqldmulti-symlink
X-Force URL: http://xforce.iss.net/xforce/xfdb/15883

Date Reported: 04/16/2004
Brief Description: WIKINDX config.inc file allows attacker to obtain information
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, WIKINDX prior to 0.9.9g
Vulnerability: wikindx-configinc-obtain-information
X-Force URL: http://xforce.iss.net/xforce/xfdb/15885

Date Reported: 04/15/2004
Brief Description: Gemitel sp-turn.php file PHP file include
Risk Factor: Medium
Attack Type: Network Based
Platforms: Gemitel 3 build 50, Linux Any version, Unix Any version, Windows Any version
Vulnerability: gemitel-spturnphpfile-include
X-Force URL: http://xforce.iss.net/xforce/xfdb/15887
Apr 19th 2004 (SF)
SecurityFocus
1. Scorched 3D Server Memory Corruption Vulnerabilities
BugTraq ID: 10086
Remote: Yes
Date Published: Apr 09 2004
Relevant URL: http://www.securityfocus.com/bid/10086
Summary:
The Scorched 3D server component has been reported prone to multiple memory corruption vulnerabilities. One of the issues is reportedly a heap-based buffer overrun that is exposed when a client supplies an excessive number of format string characters in the server chat box text input field. Other unspecified issues related to bounds checking were also reported. These issues could be exploited to crash the server or potentially execute arbitrary code.

2. Open WebMail Arbitrary Directory Creation Vulnerability
BugTraq ID: 10087
Remote: Yes
Date Published: Apr 09 2004
Relevant URL: http://www.securityfocus.com/bid/10087
Summary:
It has been reported that Open WebMail may be prone to an arbitrary directory creation vulnerability that may allow remote attackers to create potentially malicious directories in the underlying file system through the web interface. Open WebMail versions 2.30 and prior are vulnerable to these issues; however, the problem has been addressed in the product CVS.

6. Crackalaka IRC Server Remote Denial of Service Vulnerability
BugTraq ID: 10092
Remote: Yes
Date Published: Apr 09 2004
Relevant URL: http://www.securityfocus.com/bid/10092
Summary:
It has been reported that Crackalaka may be prone to a remote denial of service vulnerability that may allow an attacker to crash the server by sending an excessive amount of data. Crackalaka version 1.0.8 is reported to be prone to this issue; however, other versions could be vulnerable as well.

7. RSniff Remote Denial of Service Vulnerability
BugTraq ID: 10093
Remote: Yes
Date Published: Apr 09 2004
Relevant URL: http://www.securityfocus.com/bid/10093
Summary:
It has been reported that RSniff may be prone to a remote denial of service issue when a client repeatedly connects to the RSniff daemon and does not issue the 'AUTHENTICATE' command to log in or simply closes the connection. The server fails to accept new connections after about 1024 malicious connection attempts have been made. RSniff 1.0 has been reported to be prone to this issue.

9. X-Micro WLAN 11b Broadband Router Backdoor Administration Ac...
BugTraq ID: 10095
Remote: Yes
Date Published: Apr 10 2004
Relevant URL: http://www.securityfocus.com/bid/10095
Summary:
It has been reported that the firmware shipped with the X-Micro 11b Broadband Router has a built-in administrative account that cannot be disabled. The account, username and password "super", appears to be a backdoor and may provide remote attackers possessing knowledge of the account with complete control over the device. According to the author of the report, the built-in administration webserver listens on both internal and external interfaces. Attackers may authenticate with the "super" account from outside of the LAN and gain control of the device through this web interface. Once authenticated, it is possible for attackers to install new firmware on the device.
**It has been reported that version 1.6.0.1 of WLAN 11b Broadband Router also contains a built-in administrative account that cannot be disabled. The account, username and password "1502", appears to be a backdoor and may provide remote attackers possessing knowledge of the account with complete control over the device.

10. Linux Kernel Sigqueue Blocking Denial Of Service Vulnerabili...
BugTraq ID: 10096
Remote: No
Date Published: Apr 12 2004
Relevant URL: http://www.securityfocus.com/bid/10096
Summary:
A vulnerability has been reported in the Linux Kernel that may permit a malicious local user to affect a system-wide denial of service condition. This issue may be triggered via the Kernel signal queue (struct sigqueue) and may be exploited to exhaust the system process table by causing an excessive number of threads to be left in a zombie state.

13. Eazel Nautilus Trash Folder Handler Buffer Overflow Vulnerab...
BugTraq ID: 10099
Remote: No
Date Published: Apr 12 2004
Relevant URL: http://www.securityfocus.com/bid/10099
Summary:
Nautilus has been reported to be prone to a buffer overflow vulnerability. The vulnerability is reported to present itself when Nautilus attempts to delete a malicious directory and that directory is later operated on in the "Trash" folder. An attacker who has some degree of interactive access to an affected system may attempt to exploit this vulnerability to execute code in the context of the user who is invoking the Nautilus file manager.

14. TikiWiki Project Multiple Input Validation Vulnerabilities
BugTraq ID: 10100
Remote: Yes
Date Published: Apr 12 2004
Relevant URL: http://www.securityfocus.com/bid/10100
Summary:
Multiple vulnerabilities have been identified in various modules of the application. These vulnerabilities may allow a remote attacker to carry out various attacks such as path disclosure, cross-site scripting, HTML injection, SQL injection, directory traversal, and arbitrary file upload.

15. Blackboard Learning System Multiple Cross-Site Scripting Vul...
BugTraq ID: 10101
Remote: Yes
Date Published: Apr 12 2004
Relevant URL: http://www.securityfocus.com/bid/10101
Summary:
Blackboard Learning System has been reported prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure of the application to properly validate user supplied URI input. The first issue is reported to affect the "addressbook.pl" script. The second issue is reported to affect the "tasks.pl" script. The third issue is reported to affect three URI parameters of the "calendar.pl" script. In all cases the user-supplied parameters are not sufficiently sanitized prior to being rendered in the browser of the target user. These issues could permit a remote attacker to create a malicious link to the vulnerable application that includes hostile HTML and script code. If this link were followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials or other attacks.

17. SurgeLDAP User.CGI Directory Traversal Vulnerability
BugTraq ID: 10103
Remote: Yes
Date Published: Apr 12 2004
Relevant URL: http://www.securityfocus.com/bid/10103
Summary:
SurgeLDAP is prone to a directory traversal vulnerability in one of the scripts included with the built-in web administrative server, potentially resulting in disclosure of files. A remote attacker could exploit this issue to gain access to system files outside of the web root directory of the built-in web server. Files that are readable by the web server could be disclosed via this issue.

18. Nuked-Klan Multiple Vulnerabilities
BugTraq ID: 10104
Remote: Yes
Date Published: Apr 12 2004
Relevant URL: http://www.securityfocus.com/bid/10104
Summary:
Nuked-Klan is prone to multiple vulnerabilities. These issues include information disclosure via inclusion of local files, an issue that may permit remote attackers to corrupt configuration files, and an SQL injection vulnerability.

20. KDE Konqueror Bitmap File Processing Denial of Service Vulne...
BugTraq ID: 10107
Remote: Yes
Date Published: Apr 13 2004
Relevant URL: http://www.securityfocus.com/bid/10107
Summary:
It has been reported that Konqueror may be prone to a denial of service vulnerability when processing malformed bitmap files. An attacker can cause a denial of service condition in the system by specifying a large value for a bitmap file to be loaded by the browser. This attack may lead to a denial of service condition in the system due to the exhaustion of memory resources. This vulnerability has been tested on KDE 3.2.1 running on a FreeBSD 5.2-CURRENT system; however, it is possible that other versions running on different platforms are vulnerable as well. It is likely that this issue is present in a shared KDE bitmap processing component, presenting attack vectors in other applications that use the component. This vulnerability is similar to the issue described in BID 10097 (Microsoft Internet Explorer Bitmap File Processing Denial of Service Vulnerability).

39. PHP-Nuke CookieDecode Cross-Site Scripting Vulnerability
BugTraq ID: 10128
Remote: Yes
Date Published: Apr 13 2004
Relevant URL: http://www.securityfocus.com/bid/10128
Summary:
Reportedly PHP-Nuke is prone to a remote cross-site scripting vulnerability. This issue is due to a failure of the 'cookiedecode()' function to properly sanitize user supplied cookie parameters. These issues could permit a remote attacker to create a malicious link to the vulnerable application that includes hostile HTML and script code. If this link were followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials or other attacks.

40. TUTOS Multiple Input Validation Vulnerabilities
BugTraq ID: 10129
Remote: Yes
Date Published: Apr 13 2004
Relevant URL: http://www.securityfocus.com/bid/10129
Summary:
Multiple vulnerabilities have been identified in various modules of TUTOS. These vulnerabilities may allow a remote attacker to carry out various attacks such as path disclosure, cross-site scripting, and possibly SQL injection.

46. PHP-Nuke Multiple SQL Injection Vulnerabilities
BugTraq ID: 10135
Remote: Yes
Date Published: Apr 13 2004
Relevant URL: http://www.securityfocus.com/bid/10135
Summary:
Reportedly PHP-Nuke is prone to multiple SQL injection vulnerabilities. These issues are due to a failure of the application to properly sanitize user supplied input. As a result of these issues an attacker could modify the logic and structure of database queries. Other attacks may also be possible, such as gaining access to sensitive information.

47. Neon WebDAV Client Library Format String Vulnerabilities
BugTraq ID: 10136
Remote: Yes
Date Published: Apr 14 2004
Relevant URL: http://www.securityfocus.com/bid/10136
Summary:
It has been reported that the Neon client library is prone to multiple remote format string vulnerabilities. This issue is due to a failure of the application to properly implement format string functions. Ultimately this vulnerability could allow for execution of arbitrary code on the system implementing the affected client software, which would occur in the security context of the server process.

49. CVS Client RCS Diff File Corruption Vulnerability
BugTraq ID: 10138
Remote: Yes
Date Published: Apr 14 2004
Relevant URL: http://www.securityfocus.com/bid/10138
Summary:
A vulnerability has been discovered in the CVS client. It is reported that a problem in the revision control system (RCS) diff files may allow an attacker to create an arbitrary file on a remote system. The file will be created with the privileges of the user who is invoking the CVS client.

51. CVS Server Piped Checkout Access Validation Vulnerability
BugTraq ID: 10140
Remote: Yes
Date Published: Apr 14 2004
Relevant URL: http://www.securityfocus.com/bid/10140
Summary:
CVS server has been reported prone to an access validation vulnerability. It is reported that the CVS server does not sufficiently validate piped checkouts. The CVS server may honor a request for a piped checkout for a path that resides outside of the cvsroot. Data that is harvested in this manner may be used to aid in further attacks that are launched against the target server.

52. Linux Kernel ISO9660 File System Buffer Overflow Vulnerabili...
BugTraq ID: 10141
Remote: No
Date Published: Apr 14 2004
Relevant URL: http://www.securityfocus.com/bid/10141
Summary:
It has been reported that the Linux Kernel is prone to a local ISO9660 file system buffer overflow vulnerability. This issue is due to a failure of the application to properly validate buffer boundaries when processing file system information. An attacker must have adequate permissions to mount the malicious file system to exploit the issue. This is not enabled by default on a number of available Linux distributions. This issue may be exploited by an attacker to overflow and modify kernel memory, potentially allowing the attacker to create an arbitrary data structure in kernel memory. This issue may be leveraged to gain kernel level access to the affected system.

53. MySQL MYSQLD_Multi Insecure Temporary File Creation Vulnerab...
BugTraq ID: 10142
Remote: No
Date Published: Apr 14 2004
Relevant URL: http://www.securityfocus.com/bid/10142
Summary:
mysqld_multi is reported prone to insecure temporary file handling. The script likely creates temporary files with predictable filenames. An attacker may exploit this issue to launch symbolic link attacks that will most likely result in corruption of files when the vulnerable script is launched. This issue would only affect Unix/Linux-based operating systems.

54.
Linux Kernel JFS File System Information Leakage Vulnerabili... BugTraq ID: 10143 Remote: No Date Published: Apr 14 2004 Relevant URL: http://www.securityfocus.com/bid/10143 Summary: A vulnerability has been reported in the Linux Kernel that is related to how JFS file systems are cleaned up. In particular, a root user may potentially gain access to private or sensitive information on these file systems. This really only poses a security risk if the root user is not intended to access this information already. 56. Mozilla Messenger Remote Denial Of Service Vulnerability BugTraq ID: 10145 Remote: Yes Date Published: Apr 14 2004 Relevant URL: http://www.securityfocus.com/bid/10145 Summary: Mozilla Messenger has been reported prone to a remote denial of service vulnerability. The issue is reported to present itself when a NULL is encountered in the message body of an e-mail. It is reported that when the vulnerable software encounters a malicious e-mail as described above, the GUI will cease to respond properly. A remote attacker may potentially exploit this condition to deny service to Mozilla Messenger users. 57. PostNuke Pheonix Multiple Module SQL Injection Vulnerabiliti... BugTraq ID: 10146 Remote: Yes Date Published: Apr 14 2004 Relevant URL: http://www.securityfocus.com/bid/10146 Summary: It has been reported that PostNuke Pheonix is prone to a remote SQL injection vulnerability in multiple modules. This issue is due to a failure of the application to properly sanitize user supplied URI input. This may allow a remote attacker to manipulate query logic, potentially leading to unauthorized access to sensitive information such as the administrator password hash or corruption of database data. SQL injection attacks may also potentially be used to exploit latent vulnerabilities in the underlying database implementation. 58. Red Hat Linux GNU Mailman Remote Denial Of Service Vulnerabi... 
BugTraq ID: 10147 Remote: Yes Date Published: Apr 14 2004 Relevant URL: http://www.securityfocus.com/bid/10147 Summary: An update that was released by Red Hat(RHSA-2004:019) to address the issue described in BID 9620 (GNU Mailman Malformed Message Remote Denial Of Service Vulnerability), is reported to introduce a denial of service vulnerability. A remote attacker may exploit this vulnerability to cause the mailman to crash, effectively denying service to legitimate users. 60. Xonix X11 Game Insecure Privilege Dropping Vulnerability BugTraq ID: 10149 Remote: No Date Published: Apr 15 2004 Relevant URL: http://www.securityfocus.com/bid/10149 Summary: It has been reported that Xonix is prone to a vulnerability that may allow an attacker to gain elevated privileges. This issue occurs because the application fails to drop privileges. Successful exploitation of this issue may result in a local attacker gaining gid 'games' privileges. This issue has been reported to affect Xonix version 1.4, however, it is possible that other versions are affected as well. Due to a lack of details, further information is not available at the moment. This BID will be updated as more information becomes available. 61. ssmtp Mail Transfer Agent Multiple Format String Vulnerabili... BugTraq ID: 10150 Remote: Yes Date Published: Apr 15 2004 Relevant URL: http://www.securityfocus.com/bid/10150 Summary: It has been reported that ssmtp may be prone to multiple format string vulnerabilities that could allow a remote attacker to execute arbitrary code in the context of the vulnerable process. A successful attack may allow an attacker to gain root privileges. 62. Linux Kernel XFS File System Information Leakage Vulnerabili... BugTraq ID: 10151 Remote: No Date Published: Apr 15 2004 Relevant URL: http://www.securityfocus.com/bid/10151 Summary: An information leakage vulnerability has been reported to exist in the Linux kernel when writing to an XFS file system. 
This issue is due to a design error that causes some kernel information to be leaked. It has been reported that this issue requires that the attacker be able to read the raw device; an action which is restricted to privileges users. Due to the nature of the issue, this really only poses a security risk if the privileged user is not intended to access this information already. 63. Linux Kernel EXT3 File System Information Leakage Vulnerabil... BugTraq ID: 10152 Remote: No Date Published: Apr 15 2004 Relevant URL: http://www.securityfocus.com/bid/10152 Summary: An information leakage vulnerability has been reported to exist in the Linux kernel when writing to an ext3 file system. This issue is due to a design error that causes some kernel information to be leaked. It has been reported that this issue requires that the attacker be able to read the raw device; an action which is restricted to privileged users. Due to the nature of the issue, this really only poses a security risk if the privileged user is not intended to access this information already. 64. PHPBugTracker Multiple Input Validation Vulnerabilities BugTraq ID: 10153 Remote: Yes Date Published: Apr 15 2004 Relevant URL: http://www.securityfocus.com/bid/10153 Summary: Reportedly phpBugTracker contains multiple input validation vulnerabilities; it is prone to multiple SQL injection, cross-site scripting and HTML injection issues. These issues are all due to a failure of the application to properly sanitize user supplied input. The SQL injection issues may allow a remote attacker to manipulate query logic, potentially leading to unauthorized access to sensitive information such as the administrator password hash or corruption of database data. SQL injection attacks may also potentially be used to exploit latent vulnerabilities in the underlying database implementation. 
The cross-site scripting and HTML injection issues may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user. It may be possible to steal the unsuspecting user's cookie-based authentication credentials, as well as other sensitive information. Other attacks may also be possible. 66. Cisco IPsec VPN Client Group Password Disclosure Vulnerabili... BugTraq ID: 10155 Remote: No Date Published: Apr 15 2004 Relevant URL: http://www.securityfocus.com/bid/10155 Summary: The Cisco IPsec VPN client has been reported prone to a vulnerability, which may result in the compromise of the Group Password. The issue is reported to present itself because the Group Password is not encrypted or obfuscated in any way when it is stored in process memory. 67. Gemitel Affich.PHP Remote File Include Command Injection Vul... BugTraq ID: 10156 Remote: Yes Date Published: Apr 15 2004 Relevant URL: http://www.securityfocus.com/bid/10156 Summary: A vulnerability has been identified in the handling of input by Gemitel. Because of this, it may be possible for a remote user to gain unauthorized access to a system using the vulnerable software. It is possible to influence the include path of certain files, which could lead to an attacker including arbitrary PHP files from an external system. |