LQ security report - Feb 18th 2004
WARNING: please upgrade your kernel. A second mremap vuln has been found.
Please see thread 147599 for more info.

Feb 17th 2004 36 of 60 issues handled (SF)
1. Multiple Oracle Database Parameter/Statement Buffer Overflow...
2. Mambo Open Source Itemid Parameter Cross-Site Scripting Vuln...
4. Apache-SSL Client Certificate Forging Vulnerability
5. Joe Lumbroso Jack's Formmail.php Unauthorized Remote File Up...
6. Linux VServer Project CHRoot Breakout Vulnerability
7. OpenJournal Authentication Bypassing Vulnerability
8. Apache mod_php Global Variables Information Disclosure Weakn...
10. Brad Fears PHPCodeCabinet comments.php HTML Injection Vulner...
11. The Palace Graphical Chat Client Remote Buffer Overflow Vuln...
13. Nadeo Game Engine Remote Denial of Service Vulnerability
14. PHP-Nuke 'News' Module Cross-Site Scripting Vulnerability
15. Eggdrop Share Module Arbitrary Share Bot Add Vulnerability
18. JShop E-Commerce Suite xSearch Cross-Site Scripting Vulnerab...
19. ClamAV Daemon Malformed UUEncoded Message Denial Of Service ...
21. PHP-Nuke 'Reviews' Module Cross-Site Scripting Vulnerability
23. PHP-Nuke Public Message SQL Injection Vulnerability
24. Computer Associates eTrust InoculateIT For Linux Vulnerabili...
26. Multiple Red-M Red-Alert Remote Vulnerabilities
27. Linux Kernel Samba Share Local Privilege Elevation Vulnerabi...
28. GNU Mailman Malformed Message Remote Denial Of Service Vulne...
35. PHPNuke Category Parameter SQL Injection Vulnerability
41. XFree86 Font Information File Buffer Overflow Vulnerability
42. Samba Mksmbpasswd.sh Insecure User Account Creation Vulnerab...
43. VisualShapers ezContents Multiple Module File Include Vulner...
44. BosDev BosDates SQL Injection Vulnerability
46. Mutt Menu Drawing Remote Buffer Overflow Vulnerability
47. Monkey HTTP Daemon Missing Host Field Denial Of Service Vuln...
50. PHPCodeCabinet Multiple Cross-Site Scripting Vulnerabilities
52. SandSurfer Unspecified User Authentication Vulnerability
53. Sophos Anti-Virus MIME Header Handling Denial Of Service Vul...
54. JelSoft VBulletin Cross-Site Scripting Vulnerability
55. Sophos Anti-Virus Delivery Status Notification Handling Scan...
57. XFree86 CopyISOLatin1Lowered Font_Name Buffer Overflow Vulne...
58. AIM Sniff Temporary File Symlink Attack Vulnerability
59. Mailmgr Insecure Temporary File Creation Vulnerabilities
60. XFree86 Unspecified Vulnerability

Feb 16th 2004 39 of 56 issues handled (ISS)
Sambar Server HTTP POST request buffer overflow
Linux-VServer allows elevated privileges
Palace long server address buffer overflow
Matrix FTP Server login and issue FTP LIST denial
PHP-Nuke News and Reviews modules cross-site
Clam AntiVirus uuencoded message denial of service
Jack's FormMail.php PHP file upload
PHP-Nuke public message feature SQL injection
TrackMania denial of service
Eggdrop share.mod module allows unauthorized access
Red-Alert long request denial of service
Red-Alert allows unauthorized access
Red-Alert security bypass
JShop Server search.php cross-site scripting
eTrust InoculateIT for Linux symlink attack
eTrust InoculateIT for Linux directories have
GNU Mailman command handler denial of service
Linux rsync open_socket_out function buffer
PHP-Nuke Search and Web_links modules SQL injection
MaxWebPortal dl_showall.asp, Personal Messages, and
MaxWebPortal Personal Messages SQL injection
MaxWebPortal register form cross-site scripting
RealOne Player .RMP "dot dot" directory traversal
XFree86 font.alias file buffer overflow
Samba smbmnt allows elevated privileges
Samba mksmbpasswd.sh could allow an attacker to
BosDates calendar SQL injection
Mutt index menu buffer overflow
ezContents multiple .php arbitrary PHP file
ezContents login bypass
Monkey httpd get_real_string denial of service
phpCodeCabinet multiple scripts cross-site
Sophos Anti-Virus incomplete MIME header denial of
Sophos Anti-Virus email virus may not be detected
SandSurfer undisclosed user authentication
AIM Sniff symlink attack
XFree86 CopyISOLatin1Lowered buffer overflow
PWLib message denial of service
Mailmgr insecure temporary directory
Feb 16th 2004 (ISS)
Internet Security Systems
Date Reported: 02/06/2004
Brief Description: Sambar Server HTTP POST request buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Sambar Server 6.0, Windows Any version
Vulnerability: sambar-http-post-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15071

Date Reported: 02/06/2004
Brief Description: Linux-VServer allows elevated privileges
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Linux-VServer prior to 1.25
Vulnerability: linux-vserver-gain-privileges
X-Force URL: http://xforce.iss.net/xforce/xfdb/15073

Date Reported: 02/07/2004
Brief Description: Palace long server address buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Macintosh Any version, Palace 3.5 and earlier, Unix Any version, Windows Any version
Vulnerability: palace-server-address-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15074

Date Reported: 02/06/2004
Brief Description: Matrix FTP Server login and issue FTP LIST denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Matrix FTP Server Any version, Windows Any version
Vulnerability: matrixftp-login-list-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15075

Date Reported: 02/08/2004
Brief Description: PHP-Nuke News and Reviews modules cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, PHP-Nuke 6.x through 7.1.0, Unix Any version, Windows Any version
Vulnerability: phpnuke-mulitple-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15076

Date Reported: 02/09/2004
Brief Description: Clam AntiVirus uuencoded message denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Clam AntiVirus 0.65, Linux Any version, Unix Any version
Vulnerability: clam-antivirus-uuencoded-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15077

Date Reported: 02/06/2004
Brief Description: Jack's FormMail.php PHP file upload
Risk Factor: Medium
Attack Type: Network Based
Platforms: Jack's FormMail.php Any version, Linux Any version, Unix Any version, Windows Any version
Vulnerability: jack-formmail-file-upload
X-Force URL: http://xforce.iss.net/xforce/xfdb/15079

Date Reported: 02/09/2004
Brief Description: PHP-Nuke public message feature SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, PHP-Nuke 6.x through 7.1.0, Unix Any version, Windows Any version
Vulnerability: phpnuke-publicmessage-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15080

Date Reported: 02/08/2004
Brief Description: TrackMania denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Any operating system Any version, TrackMania Demo version
Vulnerability: trackmania-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15081

Date Reported: 02/08/2004
Brief Description: Eggdrop share.mod module allows unauthorized access
Risk Factor: Medium
Attack Type: Network Based
Platforms: Eggdrop 1.6.x - 1.6.15, Linux Any version, Unix Any version, Windows Any version
Vulnerability: eggdrop-sharemod-gain-access
X-Force URL: http://xforce.iss.net/xforce/xfdb/15084

Date Reported: 02/09/2004
Brief Description: Red-Alert long request denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Red-Alert 2.7.5, Red-Alert version 3.1 build 24
Vulnerability: redalert-long-request-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15086

Date Reported: 02/09/2004
Brief Description: Red-Alert allows unauthorized access
Risk Factor: High
Attack Type: Network Based
Platforms: Red-Alert 2.7.5, Red-Alert version 3.1 build 24
Vulnerability: redalert-gain-access
X-Force URL: http://xforce.iss.net/xforce/xfdb/15088

Date Reported: 02/09/2004
Brief Description: Red-Alert security bypass
Risk Factor: Medium
Attack Type: Network Based
Platforms: Red-Alert 2.7.5, Red-Alert version 3.1 build 24
Vulnerability: redalert-bypass-security
X-Force URL: http://xforce.iss.net/xforce/xfdb/15089

Date Reported: 02/09/2004
Brief Description: JShop Server search.php cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: JShop Server Any version, Linux Any version, Unix Any version, Windows Any version
Vulnerability: jshop-searchphp-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15100

Date Reported: 02/09/2004
Brief Description: eTrust InoculateIT for Linux symlink attack
Risk Factor: High
Attack Type: Host Based
Platforms: eTrust InoculateIT for Linux 6.0, Linux Any version
Vulnerability: etrust-inoculateit-symlink
X-Force URL: http://xforce.iss.net/xforce/xfdb/15102

Date Reported: 02/10/2004
Brief Description: eTrust InoculateIT for Linux directories have insecure permissions
Risk Factor: High
Attack Type: Host Based
Platforms: eTrust InoculateIT for Linux 6.0, Linux Any version
Vulnerability: etrust-inoculateit-insecure-permissions
X-Force URL: http://xforce.iss.net/xforce/xfdb/15103

Date Reported: 02/08/2004
Brief Description: GNU Mailman command handler denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: GNU Mailman prior to 2.0.14, Linux Any version, Red Hat Advanced Workstation 2.1, Red Hat Enterprise Linux 2.1AS, Red Hat Enterprise Linux 2.1ES, Unix Any version
Vulnerability: mailman-command-handler-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15106

Date Reported: 02/09/2004
Brief Description: Linux rsync open_socket_out function buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, rsync 2.5.7 and earlier
Vulnerability: linux-rsync-opensocketout-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15108

Brief Description: PHP-Nuke Search and Web_links modules SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, PHP-Nuke 6.9 and earlier, Unix Any version, Windows Any version
Vulnerability: phpnuke-modules-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15115

Date Reported: 02/10/2004
Brief Description: MaxWebPortal dl_showall.asp, Personal Messages, and down.asp cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, MaxWebPortal prior to 1.32, Windows Any version
Vulnerability: maxwebportal-multiple-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15120

Date Reported: 02/10/2004
Brief Description: MaxWebPortal Personal Messages SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, MaxWebPortal prior to 1.32, Windows Any version
Vulnerability: maxwebportal-personalmesssages-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15121

Date Reported: 02/10/2004
Brief Description: MaxWebPortal register form cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, MaxWebPortal prior to 1.32, Windows Any version
Vulnerability: maxwebportal-register-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15122

Date Reported: 02/10/2004
Brief Description: RealOne Player .RMP "dot dot" directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, RealOne Enterprise Desktop Any version, RealOne Player 1.0, RealOne Player 2.0
Vulnerability: realoneplayer-rmp-directory-traversal
X-Force URL: http://xforce.iss.net/xforce/xfdb/15123

Brief Description: XFree86 font.alias file buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Gentoo Linux Any version, Immunix OS 7.3, Red Hat Linux 9, Slackware Linux 8.1, Slackware Linux 9.0, Slackware Linux 9.1, Slackware Linux current, XFree86 4.1.0 through 4.3.0
Vulnerability: xfree86-fontalias-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15130

Date Reported: 02/10/2004
Brief Description: Samba smbmnt allows elevated privileges
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Samba 3.x
Vulnerability: samba-smbmnt-gain-privileges
X-Force URL: http://xforce.iss.net/xforce/xfdb/15131

Date Reported: 02/09/2004
Brief Description: Samba mksmbpasswd.sh could allow an attacker to gain access to user's account
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Samba 3.0, Samba 3.0.1
Vulnerability: samba-mksmbpasswd-gain-access
X-Force URL: http://xforce.iss.net/xforce/xfdb/15132

Date Reported: 02/11/2004
Brief Description: BosDates calendar SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: BosDates 3.2 and earlier, Linux Any version, Unix Any version, Windows Any version
Vulnerability: bosdates-calendar-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/15133

Date Reported: 02/11/2004
Brief Description: Mutt index menu buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Mandrake Linux 9.1, Mandrake Linux 9.2, Mandrake Linux Corporate Server 2.1, Mutt prior to 1.4.2, Red Hat Linux 9, Slackware Linux 8.1, Slackware Linux 9.0, Slackware Linux 9.1, Slackware Linux current, Trustix Secure Linux 2.0
Vulnerability: mutt-index-menu-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15134

Date Reported: 02/11/2004
Brief Description: ezContents multiple .php arbitrary PHP file inclusion
Risk Factor: Medium
Attack Type: Network Based
Platforms: ezContents 2.02 and earlier, Linux Any version
Vulnerability: ezcontents-multiple-file-include
X-Force URL: http://xforce.iss.net/xforce/xfdb/15135

Date Reported: 02/11/2004
Brief Description: ezContents login bypass
Risk Factor: Medium
Attack Type: Network Based
Platforms: ezContents 2.02 and earlier, Linux Any version
Vulnerability: ezcontents-login-bypass
X-Force URL: http://xforce.iss.net/xforce/xfdb/15136

Brief Description: Monkey httpd get_real_string denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Monkey HTTP Daemon 0.8.1 and earlier
Vulnerability: monkey-getrealstring-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15187

Date Reported: 02/12/2004
Brief Description: phpCodeCabinet multiple scripts cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, phpCodeCabinet 0.4
Vulnerability: phpcodecabinet-multiple-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/15190

Date Reported: 02/12/2004
Brief Description: Sophos Anti-Virus incomplete MIME header denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: AIX Any version, FreeBSD 3.0 and later, HP-UX Any version, Linux Any version, Solaris Any version, Sophos Anti-Virus 3.78, Windows 2000 Any version, Windows 2003 Any version, Windows NT Any version, Windows XP Any version
Vulnerability: sophos-mime-header-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15191

Date Reported: 02/12/2004
Brief Description: Sophos Anti-Virus email virus may not be detected
Risk Factor: Medium
Attack Type: Network Based
Platforms: AIX Any version, FreeBSD 3.0 and later, HP-UX Any version, Linux Any version, Solaris Any version, Sophos Anti-Virus 3.78, Windows 2000 Any version, Windows 2003 Any version, Windows NT Any version, Windows XP Any version
Vulnerability: sophos-email-virus-undetected
X-Force URL: http://xforce.iss.net/xforce/xfdb/15192

Date Reported: 02/12/2004
Brief Description: SandSurfer undisclosed user authentication unauthorized access
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, SandSurfer prior to 1.7.0
Vulnerability: sandsurfer-undisclosed-gain-access
X-Force URL: http://xforce.iss.net/xforce/xfdb/15193

Date Reported: 02/12/2004
Brief Description: AIM Sniff symlink attack
Risk Factor: Medium
Attack Type: Host Based
Platforms: AIM Sniff 0.9b, Linux Any version
Vulnerability: aim-sniff-symlink
X-Force URL: http://xforce.iss.net/xforce/xfdb/15199

Date Reported: 02/12/2004
Brief Description: XFree86 CopyISOLatin1Lowered buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Immunix OS 7.3, Linux Any version, Red Hat Linux 9, Slackware Linux 8.0, Slackware Linux 9.0, Slackware Linux 9.1, Slackware Linux current, XFree86 4.1.0 through 4.3.0
Vulnerability: xfree86-copyisolatin1lLowered-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/15200

Date Reported: 02/13/2004
Brief Description: PWLib message denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: PWLib prior to 1.6.0, Red Hat Linux 9
Vulnerability: pwlib-message-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/15202

Date Reported: 02/13/2004
Brief Description: Mailmgr insecure temporary directory
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Mailmgr prior to 1.2.3, Unix Any version
Vulnerability: mailmgr-insecure-temp-directory
X-Force URL: http://xforce.iss.net/xforce/xfdb/15203
Feb 17th 2004 (SF) pt. 1/2
SecurityFocus
1. Multiple Oracle Database Parameter/Statement Buffer Overflow...
BugTraq ID: 9587 Remote: Yes Date Published: Feb 05 2004
Relevant URL: http://www.securityfocus.com/bid/9587
Summary: Oracle is a commercial database product, which is available for a number of platforms including Microsoft Windows and Unix and Linux variants. Oracle database has been reported prone to multiple buffer overflow vulnerabilities when processing certain parameters and functions. Specifically the TIME_ZONE parameter lacks sufficient boundary checks. Therefore an excessive value assigned to TIME_ZONE may potentially overrun the bounds of a buffer in stack-based memory. This may result in the corruption of memory adjacent to the affected buffer, and ultimately may provide for arbitrary code execution. Additionally the NUMTOYMINTERVAL function has been reported prone to a buffer overflow vulnerability. The issue presents itself due to a lack of sufficient boundary checks performed on char_expr parameters passed as an argument to the function. Again this issue may be exploited by passing excessive data as the second argument to a NUMTOYMINTERVAL statement call. The NUMTODSINTERVAL function has also been reported prone to a buffer overflow vulnerability. The issue again presents itself due to a lack of sufficient boundary checks performed on char_expr parameters passed as an argument to the function. This issue may be exploited in a similar manner to the NUMTOYMINTERVAL issue, by passing excessive data as the second argument to a NUMTODSINTERVAL statement call. Finally the FROM_TZ function has been reported prone to a buffer overflow vulnerability. The issue will present itself when excessive data is passed as the third parameter of a properly formatted FROM_TZ statement call. Any one of these issues may be exploited to execute arbitrary code with elevated privileges.

2. Mambo Open Source Itemid Parameter Cross-Site Scripting Vuln...
BugTraq ID: 9588 Remote: Yes Date Published: Feb 05 2004
Relevant URL: http://www.securityfocus.com/bid/9588
Summary: Mambo Open Source is a web based content management system. A vulnerability has been reported to exist in the server that may allow a remote attacker to execute arbitrary HTML or script code in a user's browser. The issue occurs due to insufficient sanitization of user-supplied data via the 'Itemid' parameter of 'index.php' script. An attacker may exploit this vulnerability by creating a specially crafted URL that includes malicious HTML code as URI parameters for the server 'index.php' page. The malicious script code may be rendered in a user's browser upon visiting the link. This attack would occur in the security context of the site. Successful exploitation of this attack may allow an attacker to steal cookie-based authentication credentials. Other attacks are also possible. Mambo Open Source version 4.6 has been reported to be prone to this issue, however, other versions may be affected as well.

4. Apache-SSL Client Certificate Forging Vulnerability
BugTraq ID: 9590 Remote: Yes Date Published: Feb 06 2004
Relevant URL: http://www.securityfocus.com/bid/9590
Summary: Apache-SSL is an implementation of SSL (Secure Socket Layer) for the Apache webserver. Apache-SSL has been reported to be prone to a vulnerability. The issue exists when Apache-SSL is configured with SSLVerifyClient set to 1 or 3 and SSLFakeBasicAuth active. It has been reported that a server possessing the aforementioned configuration may provide a conduit that will allow a remote attacker to forge a valid client certificate. The attacker may exploit this issue by connecting to the affected service and supplying a one-line DN of a valid user along with the password "password". This will result in the issue of a valid client certificate. This issue is reported to affect Apache-SSL 1.3.28+1.52 and all earlier versions.

5. Joe Lumbroso Jack's Formmail.php Unauthorized Remote File Up...
BugTraq ID: 9591 Remote: Yes Date Published: Feb 06 2004
Relevant URL: http://www.securityfocus.com/bid/9591
Summary: Jack's Formmail.php is a web based form to e-mail gateway. The application is written in PHP, however, a Perl version is available as well. A vulnerability has been reported to exist in the software that may allow a remote attacker to gain unauthorized access to a vulnerable server and upload arbitrary files. It has been reported that the software verifies the origin of a request via HTTP referer. Due to improper validation performed in the 'check_referer()' function, an attacker can bypass the checks by supplying an empty value for HTTP referer. This issue may then allow an attacker to upload a file via the 'css' variable of 'file.php' script. Successful exploitation of this issue may allow an attacker to save malicious files to the system or potentially overwrite sensitive files. Although unconfirmed, Formmail.php versions 5.0 and prior may be affected by this issue.

6. Linux VServer Project CHRoot Breakout Vulnerability
BugTraq ID: 9596 Remote: No Date Published: Feb 06 2004
Relevant URL: http://www.securityfocus.com/bid/9596
Summary: The Linux VServer Project is implemented with a linux kernel patch and a group of tools that facilitate the partition of a single linux server into multiple virtual servers. It is implemented with a combination of "security contexts", chroot, segmented routing, extended quotas and other standard tools. It has been reported that VServer is prone to a breakout vulnerability that would allow a malicious user to escape from the context of the virtual server. This issue is due to the VServer application failing to secure itself against a "chroot-again" style vulnerability. Successful exploitation of this issue may allow an attacker to gain access to the file system outside of the chrooted root directory. This issue is leveraged when processes running in the context of the virtual server utilize the chroot function. The process would change its current directory to the root directory of the virtual server. It would then create a temporary directory and chroot itself to the temporary directory. The process, however still resides in the directory that is outside of the one that it has chrooted itself to, and so, by making multiple calls to chdir( ".." ) it is able to move to the true root directory of the vulnerable system. This problem makes it possible for a local user with superuser access in the virtual server environment to execute commands outside of the VServer context, and possibly gain unrestricted access to the system.

7. OpenJournal Authentication Bypassing Vulnerability
BugTraq ID: 9598 Remote: Yes Date Published: Feb 06 2004
Relevant URL: http://www.securityfocus.com/bid/9598
Summary: OpenJournal is a web-based application implemented using PERL that features automated file creation, automated index updating, editing of files through a Web-based interface and automated archiving. It has been reported that OpenJournal is prone to an authentication bypass vulnerability. This issue is caused by the application failing to properly sanitize URI specified parameters. Successful exploitation of this issue may lead to remote attackers gaining unauthorized access to online journal files associated with the application, adding new users to the database as well as a number of other possibilities. The issue is due to the URI parameter 'uid'. A malevolent user may gain access to the OpenJournal control panel by assigning a specially crafted value to the 'uid' parameter in a URI and submitting it to the application.

8. Apache mod_php Global Variables Information Disclosure Weakn...
BugTraq ID: 9599 Remote: Yes Date Published: Feb 07 2004
Relevant URL: http://www.securityfocus.com/bid/9599
Summary: Apache is a freely available, open source web server software package. It is distributed and maintained by the Apache Group.
Mod_PHP is an Apache module which allows for PHP functionality in websites. A weakness has been reported to exist in Apache mod_php module that may allow remote attackers to disclose sensitive information via influencing global variables. The issue reportedly presents itself when the php.ini configuration file has the parameter setting 'register_globals = on'. If a request is made to a virtual host which has the setting 'php_admin_flag register_globals off' and another request is made to a different virtual host which does not have "php_admin_flag register_globals off", the original setting may continue to exist. This issue could lead to other vulnerabilities such as php file include, due to an attacker's ability to influence global variables. An attacker may also be able to disclose sensitive information in order to gain unauthorized access.

10. Brad Fears PHPCodeCabinet comments.php HTML Injection Vulner...
BugTraq ID: 9601 Remote: Yes Date Published: Feb 07 2004
Relevant URL: http://www.securityfocus.com/bid/9601
Summary: PHPCodeCabinet is a web based application that allows software developers to store code snippets from any language. A vulnerability has been reported in the software that may allow a remote attacker to execute HTML and script code in a user's browser. The problem is reported to exist due to improper sanitizing of user-supplied data via the 'sid' parameter of 'comments.php' script. It may be possible for an attacker to include malicious HTML code in the vulnerable parameter. The injected code could then be interpreted by the browser of a user visiting the vulnerable site. This attack would occur in the security context of the affected site. Successful exploitation of this attack may allow an attacker to steal cookie-based authentication credentials. Other attacks are also possible. PHPCodeCabinet versions 0.4 and prior have been reported to be vulnerable to this issue.

11. The Palace Graphical Chat Client Remote Buffer Overflow Vuln...
BugTraq ID: 9602 Remote: Yes Date Published: Feb 07 2004
Relevant URL: http://www.securityfocus.com/bid/9602
Summary: The Palace is a graphical chat client application. A vulnerability has been reported to exist in the software that may allow a remote attacker to execute arbitrary code on a vulnerable system in order to gain unauthorized access. The condition is present due to insufficient boundary checking. It has been reported that The Palace chat client allows users to join a chat server via specially crafted hyperlinks that automatically load the application and connect to a server: palace://example:9998/ The issue presents itself when a user attempts to follow a link that is excessively long such as: palace://('a'x118)('BBBB')('XXXX') Immediate consequences of an attack may result in a denial of service condition. An attacker may leverage the issue by exploiting an unbounded memory copy operation to overwrite the saved return address/base pointer, causing an affected procedure to return to an address of their choice. Successful exploitation of this issue may allow an attacker to execute arbitrary code in the context of the vulnerable user in order to gain unauthorized access, however, this has not been confirmed at the moment. The Palace chat client versions 3.5 and prior have been reported to be prone to this issue.

13. Nadeo Game Engine Remote Denial of Service Vulnerability
BugTraq ID: 9604 Remote: Yes Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9604
Summary: Nadeo Game Engine is a multiplayer game engine used in several Nadeo titles. A vulnerability has been reported to exist in the software that may allow a remote attacker to cause a denial of service condition. It has been reported that Trackmania uses TCP port 2350 for communication. A denial of service condition may be caused by sending arbitrary data on this port.
Successful exploitation may allow an attacker to cause the software to crash or hang, effectively denying service to users.

14. PHP-Nuke 'News' Module Cross-Site Scripting Vulnerability
BugTraq ID: 9605 Remote: Yes Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9605
Summary: PHP-Nuke is a freeware content management system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows. It has been reported that the PHP-Nuke 'News' module is prone to a cross-site scripting vulnerability. The issue arises due to the module failing to properly sanitize user-supplied information. The URI parameter 'title' is not properly sanitized of HTML tags. This could allow for execution of hostile HTML and script code in the web client of a user who visits a vulnerable web page. This would occur in the security context of the site hosting the software. Exploitation could allow for theft of cookie-based authentication credentials. Other attacks are also possible. It has been reported that this issue affects versions 6.x - 7.x of the software, however earlier versions may also be vulnerable.

15. Eggdrop Share Module Arbitrary Share Bot Add Vulnerability
BugTraq ID: 9606 Remote: Yes Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9606
Summary: Eggdrop is an Open Source multi-platform IRC (Internet Relay Chat) robot, designed for IRC channel administration and maintenance. Eggdrop may be configured as a share Bot, which means that two or more Bots share user records. Share.mod, a component of Eggdrop, has been reported prone to a vulnerability that may result in the compromise of an entire Bot Network. The issue presents itself due to a programming error in the check_expired_tbufs() function that results in a failure to implement intended program logic. This failure will result in every Bot that is processed by check_expired_tbufs() receiving STAT_OFFERED status. The attacker may further leverage this issue by employing the share_ufyes() function, which only checks the STAT_OFFERED status of a prospective Bot, before granting STAT_SHARE status to a malicious Bot. If the aforementioned status is obtained, the malicious Bot will be recognized as a Share Bot and will therefore have the ability to perform administrative tasks, for example adduser, deluser, chattr, that will be distributed through the entire Bot network. An attacker may exploit this condition to gain control of an Eggdrop Bot network.

18. JShop E-Commerce Suite xSearch Cross-Site Scripting Vulnerab...
BugTraq ID: 9609 Remote: Yes Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9609
Summary: JShop E-Commerce Suite is a web based E-Commerce system implemented in PHP. It is back-ended by a MySQL database. A vulnerability has been reported to exist in JShop E-Commerce that may allow a remote user to execute HTML or script code in a user's browser. The issue is reported to exist due to improper sanitizing of user-supplied data. It has been reported that HTML and script code may be parsed via the 'xSearch' URI parameter of the 'search.php' script. This vulnerability makes it possible for an attacker to construct a malicious link containing HTML or script code that may be rendered in a user's browser upon visiting that link. This attack would occur in the security context of the site. Successful exploitation of this attack may allow an attacker to steal cookie-based authentication credentials. Other attacks are also possible.

19. ClamAV Daemon Malformed UUEncoded Message Denial Of Service ...
BugTraq ID: 9610 Remote: Yes Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9610
Summary: ClamAV is a freely available, open source virus scanning utility. It is available for the Unix and Linux platforms. A problem in the handling of specially crafted UUEncoded messages has been identified in ClamAV.
Because of this, an attacker may prevent the delivery of e-mail to users. The problem is in the handling of malformed UUEncoded messages. When an attacker sends an e-mail containing UUEncoded content and the line length is a value that does not conform to UUEncoding conventions, the ClamAV program terminates. Because of this, mail delivered to the system that is routed through the scanner will not arrive at its destination, resulting in a denial of service. It should be noted that earlier versions of the software may also be affected, though no information concerning the scope of the issue is available. 21. PHP-Nuke 'Reviews' Module Cross-Site Scripting Vulnerability BugTraq ID: 9613 Remote: Yes Date Published: Feb 09 2004 Relevant URL: http://www.securityfocus.com/bid/9613 Summary: PHP-Nuke is a freeware content management system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows. It has been reported that the PHP-Nuke 'Reviews' module is prone to a cross-site scripting vulnerability. The issue arises due to the module failing to properly sanitize user-supplied information. The URI parameter 'title' is not properly sanitized of HTML tags. This could allow for execution of hostile HTML and script code in the web client of a user who visits a vulnerable web page. This would occur in the security context of the site hosting the software. Exploitation could allow for theft of cookie-based authentication credentials. Other attacks are also possible. It has been reported that this issue affects versions 6.x - 7.x of the software, however earlier versions may also be vulnerable. 23. PHP-Nuke Public Message SQL Injection Vulnerability BugTraq ID: 9615 Remote: Yes Date Published: Feb 09 2004 Relevant URL: http://www.securityfocus.com/bid/9615 Summary: PHP-Nuke is a freeware content management system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows. 
It has been reported that the 'public message' feature of PHP-Nuke is vulnerable to an SQL injection vulnerability. The issue is due to a failure to properly sanitize the '$p_msg' parameter in the 'public_message()' function of the '/mainfile.php' script. As PHP-Nuke forces all variables to be global within the context of the application, the '$p_msg' parameter may be specified in either POST, GET or COOKIE data. Within the 'public_message()' function, the '$p_msg' parameter is decoded into the '$c_mid' parameter, which is directly used in the generation of the SQL query. An attacker could use an SQL Union command passed via the '$p_msg' parameter to mine data from the database. As a result of this issue an attacker could modify the logic and structure of database queries. Other attacks may also be possible, such as gaining access to sensitive information. It has been reported that this issue affects versions 6.x - 7.x of the software, however earlier versions may also be vulnerable. 24. Computer Associates eTrust InoculateIT For Linux Vulnerabili... BugTraq ID: 9616 Remote: No Date Published: Feb 09 2004 Relevant URL: http://www.securityfocus.com/bid/9616 Summary: Multiple vulnerabilities have been reported in eTrust InoculateIT for Linux operating systems, including issues with temporary files that could allow for symbolic link attacks and permissions problems that could permit local attackers to modify sensitive information. The following specific vulnerabilities were reported: The insecure temporary file issues are reported to exist in the following scripts: ino/scripts/inoregupdate scripts/uniftest scripts/unimove Due to the way in which these scripts create temporary files, it will be possible to for a remote attacker to create a symbolic link in the location that temporary files will be created. This will cause operations that are intended to be performed on temporary files to be performed on files pointed to by the malicious symbolic link. 
The most likely consequences will be destruction of sensitive files, though in some circumstances, if the attacker can control the data written in the attack, it may be possible to gain elevated privileges. There are insecure permissions on the eTrustAE.lnx/tmp/.caipcs/.sem directory, allowing local attackers to modify sensitive configuration files for the software. The software installs several registry files that contain various software settings. These registry files are included to simulate software settings in the Windows Registry on Linux installations of the software. Some of these files are reported to allow modification by unprivileged local users, which could be exploited to lower security settings for the software, such as removing scanned file types from the current user's registry setting. Hard-coded search paths for executables may also be embedded in user-modifiable registry files, allowing for execution of arbitrary code with elevated privileges in some circumstances. |
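The ClamAV entry (19) above turns on uuencoded lines whose length does not match what the line's length byte implies. The following is an added example, not ClamAV's code: a small uudecode routine that checks the body length against the length byte before it decodes anything, so a short or long line is reported as malformed instead of being read past its end. The function names and the sample messages (one well-formed block encoding "Cat", one whose body is a character short) are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for one uuencoded line. */
enum uu_status {
    UU_BAD_LENGTH_CHAR = -1,   /* length byte outside ' '..'`' */
    UU_BAD_LINE_LENGTH = -2,   /* body length disagrees with the length byte */
    UU_BAD_CHAR        = -3,   /* a body character outside ' '..'`' */
    UU_OUT_TOO_SMALL   = -4,   /* caller's buffer cannot hold the payload */
    UU_UNTERMINATED    = -5    /* 'begin' without a matching 'end' */
};

/* uuencode maps each 6-bit value v to the character ' ' + v; '`' is the
 * alternative encoding of 0 that most encoders emit instead of a space. */
#define UU_DEC(c) (((unsigned)(c) - ' ') & 077)

/* Constructed samples used by main() below. */
static const char SAMPLE_GOOD[] = "begin 644 cat.txt\n#0V%T\n`\nend\n";   /* decodes to "Cat" */
static const char SAMPLE_SHORT[] = "begin 644 cat.txt\n#0V%\n`\nend\n";   /* body one char short */

/* Decode one uuencoded line (with or without trailing CR/LF) into out.
 * Returns the number of payload bytes written, or a negative uu_status.
 * The body length is validated against the length byte BEFORE decoding:
 * a naive decoder that trusts the length byte reads past a short line. */
int uu_decode_line(const char *line, size_t line_len, unsigned char *out, size_t out_cap)
{
    while (line_len > 0 && (line[line_len - 1] == '\n' || line[line_len - 1] == '\r'))
        line_len--;
    if (line_len == 0)
        return UU_BAD_LINE_LENGTH;

    unsigned char lc = (unsigned char)line[0];
    if (lc < ' ' || lc > '`')
        return UU_BAD_LENGTH_CHAR;

    size_t n = UU_DEC(lc);            /* payload bytes on this line, 0..63 */
    size_t groups = (n + 2) / 3;      /* every 4 characters carry 3 bytes */
    if (line_len != 1 + groups * 4)   /* the check a crashing decoder lacks */
        return UU_BAD_LINE_LENGTH;
    if (n > out_cap)
        return UU_OUT_TOO_SMALL;

    const char *p = line + 1;
    size_t produced = 0;
    for (size_t g = 0; g < groups; g++, p += 4) {
        unsigned v[4];
        for (int i = 0; i < 4; i++) {
            unsigned char c = (unsigned char)p[i];
            if (c < ' ' || c > '`')
                return UU_BAD_CHAR;
            v[i] = UU_DEC(c);
        }
        unsigned char b[3] = {
            (unsigned char)((v[0] << 2) | (v[1] >> 4)),
            (unsigned char)((v[1] << 4) | (v[2] >> 2)),
            (unsigned char)((v[2] << 6) | v[3]),
        };
        for (int i = 0; i < 3 && produced < n; i++)
            out[produced++] = b[i];   /* the last group may carry fewer than 3 bytes */
    }
    return (int)produced;
}

/* Decode the "begin ... end" block in body. Returns the decoded length or a
 * negative uu_status; stops at the first malformed line instead of aborting. */
int uu_decode_body(const char *body, size_t body_len, unsigned char *out, size_t out_cap)
{
    const char *p = body, *end = body + body_len;
    size_t total = 0;
    int in_block = 0;
    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        size_t len = nl ? (size_t)(nl - p + 1) : (size_t)(end - p);
        if (!in_block) {
            if (len >= 6 && memcmp(p, "begin ", 6) == 0)
                in_block = 1;
        } else if (len >= 3 && memcmp(p, "end", 3) == 0 &&
                   (len == 3 || p[3] == '\n' || p[3] == '\r')) {
            return (int)total;
        } else {
            int r = uu_decode_line(p, len, out + total, out_cap - total);
            if (r < 0)
                return r;
            total += (size_t)r;
        }
        p += len;
    }
    return in_block ? UU_UNTERMINATED : 0;
}

int main(void)
{
    unsigned char buf[64];
    int r = uu_decode_body(SAMPLE_GOOD, sizeof SAMPLE_GOOD - 1, buf, sizeof buf);
    printf("good: %d bytes -> %.*s\n", r, r > 0 ? r : 0, (const char *)buf);
    r = uu_decode_body(SAMPLE_SHORT, sizeof SAMPLE_SHORT - 1, buf, sizeof buf);
    printf("short line: status %d (rejected, not crashed)\n", r);
    return 0;
}
```

A scanner that sits in the mail path has to treat every decoding error as "scan this as opaque data or quarantine it", never as a fatal condition, because whatever makes the scanner exit also stops mail delivery for everyone behind it.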
Feb 17th 2004 (SF) pt. 2/2
SecurityFocus
26. Multiple Red-M Red-Alert Remote Vulnerabilities
BugTraq ID: 9618
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9618
Summary:
Red-Alert is an airspace monitor for unauthorized wireless network activity. It is distributed and maintained by Red-M. Problems in various features have been identified in the Red-M Red-Alert network monitors. Because of these issues, an attacker may be able to crash a vulnerable device and eliminate logs, gain unauthorized access to the administrative interface, or partially evade detection by an affected device.

The first problem makes it possible for a remote attacker to crash the device. By requesting a URI from the device web server with a length of 1230 or greater bytes, an attacker could force the host to become unstable and crash. During the reboot process, the system is not able to log any activity. Additionally, the reboot results in the loss of any locally stored logs.

The second problem makes it possible for an unauthorized user to gain access to the Red-Alert administration interface. Red-Alert does not properly handle authentication, restricting administrative access solely on the basis of IP address. In circumstances where network address translation is performed, a user behind the NAT interface could potentially gain unauthorized access to the device.

The third problem is in the parsing of Server Set IDs (SSIDs). Systems with SSIDs that contain one or more space characters (ASCII character 32) in the name are logged as a single space character. This problem could allow an attacker to evade location through misrepresentation in log files.

27. Linux Kernel Samba Share Local Privilege Elevation Vulnerabi...
BugTraq ID: 9619
Remote: No
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9619
Summary:
A local privilege escalation vulnerability has been reported to affect the 2.6 Linux kernel. The issue appears to exist due to a lack of sufficient sanity checks performed when executing a file that is hosted on a remote Samba share. This issue has been reported to occur when a setuid or setgid file is made available as a shared network resource through the samba service. An attacker, who has local interactive access to an affected host, may mount the remote share and execute the remote setuid/setgid application. This will reportedly result in elevated privileges, as the setuid/setgid bit of the remote file is honored on the local system. The problem exists because the smb file system is not mounted using mount and ignores the setuid/setgid permissions from smbmnt. It should be noted that although this vulnerability has been reported to affect 2.6 versions of the Linux kernel, other versions might also be affected. Conflicting reports suggest that this is expected behavior that results from the smbmnt utility being setuid root. It has been reported that the attacker does not have to mount the file system as a local user. The vulnerability still exists if root mounts the file system and the attacker can execute a setuid binary on the server. Unix extensions have to be enabled on both the client and the server for this issue to occur.

28. GNU Mailman Malformed Message Remote Denial Of Service Vulne...
BugTraq ID: 9620
Remote: Yes
Date Published: Feb 09 2004
Relevant URL: http://www.securityfocus.com/bid/9620
Summary:
GNU Mailman is a web integrated software package used for managing electronic mail discussion and e-newsletter lists. It is freely distributed under the GNU Public License. It has been reported that GNU Mailman is prone to a denial of service vulnerability. An attacker could send a carefully crafted message that would cause the Mailman process to crash. Successful exploitation of this issue could deny service to legitimate users.

35. PHPNuke Category Parameter SQL Injection Vulnerability
BugTraq ID: 9630
Remote: Yes
Date Published: Feb 10 2004
Relevant URL: http://www.securityfocus.com/bid/9630
Summary:
PHPNuke is a freely available, open source web content management system. It is maintained by Francisco Burzi, and available for the Unix, Linux, and Microsoft Operating Systems. A vulnerability has been reported to exist in PHPNuke that may allow a remote attacker to inject malicious SQL syntax into database queries. The source of this issue is insufficient sanitization of user-supplied input. The problem is reported to exist in the $category variable contained within the 'index.php' page. It has been reported that $category is not sanitized for user-supplied input before it is included in SQL queries that are later executed by the database. A remote attacker may exploit this issue while performing a search in 'index.php' to influence SQL query logic. A malicious user may influence database queries in order to view or modify sensitive information, potentially compromising the software or the database. It has been reported that an attacker may be able to disclose the administrator password hash by exploiting this issue. PHPNuke versions 6.9 and prior have been reported to be prone to this issue, however other versions may be affected as well.

41. XFree86 Font Information File Buffer Overflow Vulnerability
BugTraq ID: 9636
Remote: No
Date Published: Feb 10 2004
Relevant URL: http://www.securityfocus.com/bid/9636
Summary:
XFree86 is a freely available open-source implementation of the X Window System. It has been reported that the XFree86 X Windows system is prone to a local buffer overflow vulnerability. The issue arises from improper bounds checking when parsing the font.alias file. The issue occurs in the 'ReadFontAlias()' function in the 'dirfile.c' file and surrounds the 'alias[1024]' buffer. The function reads arbitrary length tokens from the 'font.alias' file without performing any bounds checking. The function stops reading the file once white spaces are reached. It then uses the 'strcpy()' function to copy the input into the 'alias[1024]' buffer. An attacker may exploit this issue to execute arbitrary code within the context of the XFree86 process, potentially gaining root privileges on the affected system. This issue has been reported to affect versions 4.1.0 through 4.3.0 inclusive; it is likely, however, that this issue affects earlier versions of the software as well.

42. Samba Mksmbpasswd.sh Insecure User Account Creation Vulnerab...
BugTraq ID: 9637
Remote: Yes
Date Published: Feb 10 2004
Relevant URL: http://www.securityfocus.com/bid/9637
Summary:
Samba is a freely available file and printer sharing application maintained and developed by the Samba Development Team. Samba allows file and printer sharing between operating systems on the Unix and Microsoft platforms. Samba ships with several helper scripts, one of these scripts is mksmbpasswd.sh, which is used to aid in user account creation. The mksmbpasswd.sh shell script is reported prone to a vulnerability. The issue results in the creation of insecure user accounts. Specifically it has been reported that a password initialization problem in the mksmbpasswd.sh shell script results in user accounts being created with insecure passwords. The issue surrounds the passwords for disabled user accounts. In some cases the affected script may overwrite these passwords with uninitialized memory. If an attacker were able to ascertain the contents of memory used to overwrite disabled account passwords they may be able to gain unauthorized access. A remote attacker may exploit this issue by accessing a Samba share using an insecure account that was created using the affected script.

43. VisualShapers ezContents Multiple Module File Include Vulner...
BugTraq ID: 9638
Remote: Yes
Date Published: Feb 11 2004
Relevant URL: http://www.securityfocus.com/bid/9638
Summary:
VisualShapers ezContents is a website content management system based on PHP and MySQL. It allows multiple users to update and maintain a website. A vulnerability has been reported to exist in the software that may allow an attacker to include malicious files containing arbitrary code to be executed on a vulnerable system. The problem reportedly exists because remote users may influence the 'GLOBALS[rootdp]' and 'GLOBALS[language_home]' variables in the 'db.php' and 'archivednews.php' modules. Remote attackers could potentially exploit this issue by influencing the include path to specify a remote malicious PHP script, which will be executed in the context of the web server hosting the vulnerable software. This vulnerability is reported to affect ezContents 2.0.2 and prior running on PHP 4.3.0 or above.

44. BosDev BosDates SQL Injection Vulnerability
BugTraq ID: 9639
Remote: Yes
Date Published: Feb 11 2004
Relevant URL: http://www.securityfocus.com/bid/9639
Summary:
BosDates is a commercially available web based event calendar organization system. It is implemented using PHP with a MySQL database backend for Unix and Unix like operating systems as well as Windows. An SQL injection vulnerability has been reported to affect BosDates calendar system. The issue arises due to insufficient sanitization of user-supplied data. The vulnerability surrounds the 'calendar' parameter passed via the URI of the 'calendar_download.php' script. The 'calendar' parameter is used in an SQL statement without being properly sanitized. A malevolent user may craft an SQL statement and assign it to the improperly sanitized parameter. As a result of this issue an attacker may be able to modify the logic and structure of database queries. This may provide for other attacks, such as gaining access to sensitive information.

46. Mutt Menu Drawing Remote Buffer Overflow Vulnerability
BugTraq ID: 9641
Remote: Yes
Date Published: Feb 11 2004
Relevant URL: http://www.securityfocus.com/bid/9641
Summary:
Mutt is a freely available, open source mail user agent (MUA). It is available for the Unix and Linux platforms. A problem in the handling of some types of input has been identified in Mutt. Because of this, a remote attacker may be able to crash a vulnerable client. The problem is in the handling of specially-crafted strings. Upon embedding particular strings of arbitrary length in an e-mail, a remote user can force a buffer overflow in the menu drawing function of mutt. This problem could potentially also be exploited to overwrite arbitrary structures in process memory, and potentially execute code with the privileges of the mutt user. Specifics concerning the mechanics of this bug are not currently available.

47. Monkey HTTP Daemon Missing Host Field Denial Of Service Vuln...
BugTraq ID: 9642
Remote: Yes
Date Published: Feb 11 2004
Relevant URL: http://www.securityfocus.com/bid/9642
Summary:
Monkey is an open source Web server written in C, based on the HTTP/1.1 protocol. It is available for Linux platforms. Monkey HTTP Daemon is prone to a denial of service attack. HTTP GET requests, which do not include a 'Host' header field, will trigger this condition. This issue is reportedly due to a programming error in the get_real_string() function. The server will need to be restarted to regain normal functionality.

50. PHPCodeCabinet Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 9645
Remote: Yes
Date Published: Feb 11 2004
Relevant URL: http://www.securityfocus.com/bid/9645
Summary:
The phpCodeCabinet scripts are designed to be a reference library for personal and professional use. They are implemented in PHP and are freely distributable under the GNU Public License. It has been reported that a number of phpCodeCabinet scripts are prone to cross site scripting vulnerabilities. These issues are reportedly due to a failure to sanitize user input and so allow HTML and script code that may facilitate cross-site scripting attacks. These issues are reported to affect the 'sid' parameter of the 'comments.php' script, the 'cid' parameter of the 'input.php' script, the 'cid' parameter of the 'browser.php' script and the 'cid', 'cf', and 'rfd' parameters of the 'category.php' script. This could permit a remote attacker to create a malicious link to the vulnerable application that includes hostile HTML and script code. If this link were followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the web server and may allow for theft of cookie-based authentication credentials or other attacks.

52. SandSurfer Unspecified User Authentication Vulnerability
BugTraq ID: 9647
Remote: Yes
Date Published: Feb 08 2004
Relevant URL: http://www.securityfocus.com/bid/9647
Summary:
SandSurfer is a web-based time keeping application. It is available for Unix/Linux variants. An unspecified vulnerability related to user authentication was reported in SandSurfer that may allow remote attackers to gain unauthorized access to the software. There are no further technical details at the time of writing.

53. Sophos Anti-Virus MIME Header Handling Denial Of Service Vul...
BugTraq ID: 9648
Remote: Yes
Date Published: Feb 12 2004
Relevant URL: http://www.securityfocus.com/bid/9648
Summary:
Sophos Anti-Virus is multi platform computer virus detection software. Sophos Anti-Virus has been reported prone to a remote denial of service vulnerability. The issue presents itself when a malicious MIME header that is terminated at the end of the file in an unexpected manner is encountered. Because the virus detection engine erroneously continues to read beyond the end of the file, it will fall into an infinite loop. It has been conjectured that this will result in a denial of service to the affected Sophos virus detection software. This issue has been reported to affect SAVI-compliant Sophos products. It should be noted that although this issue has been reported to affect Sophos Anti-Virus version 3.78, other versions might also be affected.

54. JelSoft VBulletin Cross-Site Scripting Vulnerability
BugTraq ID: 9649
Remote: Yes
Date Published: Feb 12 2004
Relevant URL: http://www.securityfocus.com/bid/9649
Summary:
VBulletin is a commercially available web based bulletin board application. It is implemented in PHP and may be run on Unix and Unix like operating systems as well as Windows. It has been reported that VBulletin is prone to a cross-site scripting vulnerability. This issue is reportedly due to a failure to sanitize user input and so allow HTML and script code that may facilitate cross-site scripting attacks. This issue is reported to affect the 'url' parameter of the 'register.php' script, which is passed through a URI. This could permit a remote attacker to create a malicious link to the vulnerable application that includes hostile HTML and script code. If this link were followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the web server and may allow for theft of cookie-based authentication credentials or other attacks.

55. Sophos Anti-Virus Delivery Status Notification Handling Scan...
BugTraq ID: 9650
Remote: Yes
Date Published: Feb 12 2004
Relevant URL: http://www.securityfocus.com/bid/9650
Summary:
Sophos Anti-Virus is multi platform computer virus detection software. Sophos Anti-Virus has been reported prone to a scanner bypass vulnerability. The issue presents itself when certain types of Delivery Status Notification (DSN) are encountered. The vendor has reported that qmail servers generate this DSN type when they are configured to include the original email message in a bounce notification. It is reported that the vulnerability results because the aforementioned DSN will not include MIME boundary definitions. An attacker may exploit this condition to bypass virus scans. This may result in a false sense of security and malicious code completely bypassing detection. It should be noted that although this issue has been reported to affect Sophos Anti-Virus version 3.78, other versions might also be affected.

57. XFree86 CopyISOLatin1Lowered Font_Name Buffer Overflow Vulne...
BugTraq ID: 9652
Remote: No
Date Published: Feb 12 2004
Relevant URL: http://www.securityfocus.com/bid/9652
Summary:
XFree86 is a freely available open-source implementation of the X Window System. It has been reported that the XFree86 X Windows system is prone to a local buffer overflow vulnerability. The issue arises from improper bounds checking performed in the CopyISOLatin1Lowered() function on data before it is copied into a 1024 byte buffer. Specifically, the size of data that is permitted to be copied is taken from the size of the user-supplied string, rather than the size of the intended buffer. It has been reported that excessive data (2048 bytes) read from the font.alias file, as a value for the lexToken argument of CopyISOLatin1Lowered(), will overrun the bounds of the font_name buffer. An attacker may exploit this issue to execute arbitrary code within the context of the XFree86 process, potentially gaining root privileges on the affected system. This issue has been reported to affect version 4.1.0 through 4.3.0 inclusive; it is likely however that this issue affects earlier versions of the software as well.

58. AIM Sniff Temporary File Symlink Attack Vulnerability
BugTraq ID: 9653
Remote: No
Date Published: Feb 12 2004
Relevant URL: http://www.securityfocus.com/bid/9653
Summary:
AIM Sniff is a network reconnaissance tool that is used to specifically target AIM traffic. AIM Sniff has been reported prone to a Symbolic link vulnerability. The issue presents itself, because the aimSniff.pl script creates temporary files in an insecure manner. Specifically, when the aimSniff.pl script is invoked (and debugging mode is enabled) a temporary file "/tmp/AS.log" is created. To exploit this issue, a local attacker may create a symbolic link in the "tmp" directory in place of the "/tmp/AS.log" file. The link will point to an arbitrary file that the attacker wishes to target. When the vulnerable script is invoked, operations that were intended for the temporary file will be carried out on the file that is linked by the malicious symbolic link. An attacker may exploit this issue to corrupt arbitrary files. This corruption may potentially result in the elevation of privileges, or in a system wide denial of service. It has been reported that a user will require root privileges to invoke the affected script; this may magnify the impact of this vulnerability.

59. Mailmgr Insecure Temporary File Creation Vulnerabilities
BugTraq ID: 9654
Remote: No
Date Published: Feb 12 2004
Relevant URL: http://www.securityfocus.com/bid/9654
Summary:
Mailmgr is an application for analyzing Sendmail logs and generating reports in HTML. It is available for Unix/Linux variants. Mailmgr is reported to be prone to a vulnerability related to temporary file handling. The specific issue is that a number of temporary files are created in an insecure manner, potentially providing malicious local users with an opportunity to launch symbolic link attacks and cause files to be corrupted. The following temporary files are created in an insecure manner:
/tmp/mailmgr.unsort
/tmp/mailmgr.tmp
/tmp/mailmgr.sort

It is possible to create a symbolic link that is named after one of these files. When the program is run by another user, any operations that were intended to be performed on these files (such as creating them or appending to them), would actually be performed on the file pointed to by the symbolic link. The only caveat is that the user running the application must have permission to write to the file pointed to by the symbolic link. This would most likely result in a denial of service or destruction of data as critical or sensitive files may be corrupted, but under some circumstances this type of vulnerability could lead to elevated privileges. The possibility of exploiting these particular issues to gain elevated privileges has not been confirmed. This issue was reported to exist in Mailmgr 1.2.3. Other versions are also likely affected.

60. XFree86 Unspecified Vulnerability
BugTraq ID: 9655
Remote: Unknown
Date Published: Feb 12 2004
Relevant URL: http://www.securityfocus.com/bid/9655
Summary:
XFree86 is a freely available open-source implementation of the X Window System. XFree86 has been reported prone to an unspecified vulnerability (CAN-2004-0106). It is likely that this issue is related to BID 9652 (XFree86 CopyISOLatin1Lowered Font_Name Buffer Overflow Vulnerability) and BID 9636 (XFree86 Font Information File Buffer Overflow Vulnerability), although this has not been confirmed. The issue is reported to present itself due to programming flaws in procedures used to parse or read font files. It is believed that this issue affects version 4.1.0 through 4.3.0 inclusive, just like BIDs 9652 and 9636; it is likely, however, that this issue affects earlier versions of the software as well. This BID will be updated as further details regarding this issue are disclosed.
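Entries 41 and 57 above describe two instances of one mistake in XFree86's font.alias parsing: ReadFontAlias() reads a whitespace-delimited token of any length and strcpy()s it into alias[1024], and CopyISOLatin1Lowered() sizes its copy by the source string rather than by the 1024-byte font_name destination. The following is an added example, not XFree86 code: a small font.alias line parser in which both the token read and the lowercase copy are bounded by the destination capacity and refuse over-long input instead of truncating or overflowing. The function names, the ALIAS_MAX constant and the sample lines are assumptions made for this example; quoted font names (which the real format allows) are not handled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ALIAS_MAX 1024   /* the alias[1024] / font_name buffer size named in BIDs 9636 and 9652 */

/* Read the next whitespace-delimited token from *cursor into out (capacity cap).
 * Returns the token length, 0 at end of input, or -1 if the token would not fit.
 * An unbounded reader keeps consuming until whitespace and then strcpy()s the
 * result into a fixed buffer; here the length is compared with the destination
 * before a single byte is copied, and an over-long token is skipped, not copied. */
int read_token(const char **cursor, char *out, size_t cap)
{
    const char *p = *cursor;
    while (*p && isspace((unsigned char)*p))
        p++;
    if (*p == '\0') {
        *cursor = p;
        return 0;
    }
    const char *start = p;
    while (*p && !isspace((unsigned char)*p))
        p++;
    size_t len = (size_t)(p - start);
    *cursor = p;
    if (len >= cap) {          /* no room for token plus NUL: reject */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

/* Lower-case an ISO Latin-1 string into dst, bounded by dst_cap rather than by
 * strlen(src). Returns 0, or -1 (with dst emptied) if src does not fit. */
int copy_latin1_lowered(char *dst, size_t dst_cap, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_cap) {
        dst[0] = '\0';
        return -1;
    }
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        /* A-Z and the Latin-1 upper-case letters 0xC0-0xDE; 0xD7 is the
         * multiplication sign, not a letter, so it is left alone. */
        if ((c >= 'A' && c <= 'Z') || (c >= 0xC0 && c <= 0xDE && c != 0xD7))
            c += 0x20;
        dst[i] = (char)c;
    }
    dst[len] = '\0';
    return 0;
}

struct font_alias {
    char alias[ALIAS_MAX];
    char font_name[ALIAS_MAX];
};

/* Parse one "alias font-name" line of a font.alias file into fa.
 * Returns 1 for an entry, 0 for a blank or '!' comment line, -1 for a line
 * that is malformed or carries a token longer than the buffers allow. */
int parse_font_alias_line(const char *line, struct font_alias *fa)
{
    const char *cur = line;
    char tok[ALIAS_MAX];
    while (*cur == ' ' || *cur == '\t')
        cur++;
    if (*cur == '\0' || *cur == '\n' || *cur == '\r' || *cur == '!')
        return 0;
    if (read_token(&cur, tok, sizeof tok) <= 0)
        return -1;
    if (copy_latin1_lowered(fa->alias, sizeof fa->alias, tok) < 0)
        return -1;
    if (read_token(&cur, tok, sizeof tok) <= 0)
        return -1;
    if (copy_latin1_lowered(fa->font_name, sizeof fa->font_name, tok) < 0)
        return -1;
    return 1;
}

int main(void)
{
    /* Constructed font.alias lines: a normal entry, a comment, and an entry whose
     * alias is 2048 bytes long, the length BID 9652 cites. */
    static char big[2100];
    memset(big, 'A', 2048);
    strcpy(big + 2048, " fixed\n");
    const char *lines[] = {
        "fixed -Misc-Fixed-Medium-R-SemiCondensed--13-120-75-75-C-60-ISO8859-1\n",
        "! comment\n",
        big,
    };
    struct font_alias fa;
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int r = parse_font_alias_line(lines[i], &fa);
        if (r == 1)
            printf("alias %s -> %s\n", fa.alias, fa.font_name);
        else
            printf("line %zu: %s\n", i, r == 0 ? "skipped" : "rejected (over-long or malformed)");
    }
    return 0;
}
```

The point of the pair of checks is that each copy is bounded by the size of the buffer it writes into, never by the length of what it reads; a caller that gets -1 can skip the line or abort the whole file, but either way no data is written past the buffer.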
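Entries 24, 58 and 59 above all describe the same pattern: a predictable file name in a world-writable directory (/tmp/AS.log, /tmp/mailmgr.tmp and friends) opened with flags that follow whatever an attacker has placed there first. The following is an added example, not code from any of those products: the unsafe open beside a hardened one, plus a self-contained demonstration that plants a symlink in a private scratch directory and shows the unsafe open clobbering the link target while the hardened open refuses. The file names, the "victim" contents and the demo function are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The vulnerable pattern: a fixed, predictable path, created if missing and
 * truncated if present, with symlinks followed. If the attacker has already
 * put a symlink at path, the truncate and every later write land on its target. */
int open_tmpfile_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_EXCL makes the open fail if anything already exists at path
 * (POSIX specifies this includes a symlink, whatever it points to), and
 * O_NOFOLLOW refuses to traverse a symlink as the final component. */
int open_tmpfile_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: let mkstemp(3) pick an unpredictable name and open it O_EXCL,
 * so there is no fixed name for an attacker to pre-create. */
int open_tmpfile_random(char *template_path)
{
    return mkstemp(template_path);
}

struct demo_result {
    int unsafe_clobbered;   /* 1 if the unsafe open truncated the symlink's target */
    int safe_refused;       /* 1 if the hardened open failed with EEXIST or ELOOP */
    int victim_intact;      /* 1 if the target still holds its data afterwards */
};

static const char VICTIM_DATA[] = "precious data\n";   /* constructed file contents */

static int file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)st.st_size : -1;
}

static int write_victim(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, VICTIM_DATA, strlen(VICTIM_DATA));
    close(fd);
    return w == (ssize_t)strlen(VICTIM_DATA) ? 0 : -1;
}

/* Create a private scratch dir, plant "AS.log" -> victim inside it, and open
 * AS.log both ways. Returns 0 and fills r on success, -1 on setup failure.
 * A private directory is used on purpose: on Linux 3.6+ fs.protected_symlinks
 * already blocks following an attacker's symlink in sticky world-writable
 * directories such as /tmp, which would mask the unsafe behaviour. */
int run_symlink_demo(struct demo_result *r)
{
    const char *base = getenv("TMPDIR");
    char dir[256], victim[300], link[300];
    int fd, rc = -1;
    snprintf(dir, sizeof dir, "%s/symlink-demo.XXXXXX", base ? base : "/tmp");
    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/AS.log", dir);
    memset(r, 0, sizeof *r);
    if (write_victim(victim) < 0 || symlink(victim, link) < 0)
        goto out;

    fd = open_tmpfile_unsafe(link);          /* follows the link: victim is truncated */
    if (fd >= 0)
        close(fd);
    r->unsafe_clobbered = (file_size(victim) == 0);

    if (write_victim(victim) < 0)            /* restore, then try the hardened open */
        goto out;
    fd = open_tmpfile_safe(link);
    r->safe_refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0)
        close(fd);
    r->victim_intact = (file_size(victim) == (int)strlen(VICTIM_DATA));
    rc = 0;
out:
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void)
{
    struct demo_result r;
    if (run_symlink_demo(&r) != 0) {
        perror("demo setup");
        return 1;
    }
    printf("unsafe open clobbered target: %d\n", r.unsafe_clobbered);
    printf("hardened open refused symlink: %d\n", r.safe_refused);
    printf("target intact after hardened open: %d\n", r.victim_intact);
    return 0;
}
```

For scripts rather than C programs the same fix is mktemp(1) or, better, a per-user directory created with mkdtemp and mode 0700; the general rule the three advisories illustrate is that a fixed name under /tmp is never safe to create or append to, because whoever gets there first owns what happens to it.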