Jan 26th 2004 (SF)
SecurityFocus
1. QMail-SMTPD Long SMTP Session Integer Overflow Denial of Service Vulnerability
BugTraq ID: 9432
Remote: Yes
Date Published: Jan 16 2004
Relevant URL:
http://www.securityfocus.com/bid/9432
Summary:
qmail is a popular Mail Transfer Agent (MTA).
A vulnerability has been reported to exist in qmail-smtpd that may
allow a remote attacker to cause a denial of service condition in the
software. It has been reported that an attacker may be able to crash
the current qmail-smtpd session via a long SMTP request. The problem
is reported to exist due to an integer-handling bug. It has reported that
the excessive SMTP session data causes a signed integer to wrap; this
negative value is then employed as an array subscript. A subsequent
attempt to access the out-of-bounds address based on the wrapped
integer will trigger a segment violation. This may be leveraged by a
remote attacker to consume resources and thereby deny service to
legitimate users.
A remote attacker may potentially exploit this vulnerability to crash or
hang a qmail SMTP session. qmail 1.03 running on a Linux platform
has been reported to be prone to this issue, however, other versions may
be affected as well.
2. SuSE 3Ddiag Insecure Temporary File Handling Symbolic Link Vulnerability
BugTraq ID: 9434
Remote: No
Date Published: Jan 15 2004
Relevant URL:
http://www.securityfocus.com/bid/9434
Summary:
3Ddiag is a 3D diagnosis tool designed to evaluate the 3D hardware,
software libraries and hardware driver configuration on SuSE Linux
7.3 and greater.
A vulnerability has been found in the handling of temporary files by
the 3Ddiag tool in the SuSE Linux distribution. This issue may allow
local destruction of data on affected systems potentially leading to a
loss of sensitive data or denial of service.
This issue is due to the 3Ddiag tool failing to properly handle the
creation and state of temporary files in the /usr/bin/switch2nv,
/usr/bin/switch2nvdia and /usr/bin/3Ddiag.ignoredb applications.
The switch2nv and switch2nvidia scripts, which are used by the 3Ddiag
utility, create a file in the /tmp directory named XF86Config. An
attacker would be able to remove the temporary file and replace it with a
malicious symbolic link pointing to a target file. When either application
is activated it will write to the link with root privileges and without
verifying the files validity, causing the target file to be overwritten.
The 3Ddiag.ignoredb application creates a temporary file in the /tmp/
directory named 3Ddiag.ignoredb. An attacker can create a symbolic
link with a name corresponding to the temporary file. When the 3Ddiag
application is activated, the target file will be overwritten with root
privileges thus causing loss of sensitive data or denial of service
against the vulnerable system.
This issue is likely only to affect personal desktop machines and
poorly configured servers as this tool is implemented to update software
libraries and hardware configurations, and is not intended for use by
remote users. Furthermore this tool is only available for SuSE Linux 7.3
and greater.
3. Invision Power Board Index.php Cross-Site Scripting Vulnerability
BugTraq ID: 9447
Remote: Yes
Date Published: Jan 19 2004
Relevant URL:
http://www.securityfocus.com/bid/9447
Summary:
Invision Power Board is web forum software. It is implemented in PHP
and is available for Unix and Linux variants and Microsoft Windows
operating systems.
A vulnerability has been reported to exist in Invision Power Board
that may allow a remote user to launch cross-site scripting attacks.
The issue is reported to exist due to improper sanitizing of
user-supplied data. It has been reported that HTML and script code may
be parsed via the 'act' URI parameter of 'Index.php' script. This
vulnerability makes it possible for an attacker to construct a malicious
link containing HTML or script code that may be rendered in a user's
browser upon visiting that link. This attack would occur in the security
context of the site.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials. Other attacks are also
possible.
All versions of Invision Power Board have been reported to be
vulnerable to this issue.
4. YABB SE SSI.PHP ID_MEMBER SQL Injection Vulnerability
BugTraq ID: 9449
Remote: Yes
Date Published: Jan 19 2004
Relevant URL:
http://www.securityfocus.com/bid/9449
Summary:
YaBB SE is a freely available, open source port of Yet Another
Bulletin Board (YaBB). It is available for Unix, Linux, and Microsoft
Operating Systems.
A problem with YaBB SE could make it possible for a remote user to
launch SQL injection attacks.
It has been reported that a problem exists in the SSI.php script
distributed as part of YaBB SE. Due to insufficient sanitizing of the
user-supplied ID_MEMBER URI parameter, it is possible for a remote
user to inject arbitrary SQL queries into the database used by YaBB SE.
This could permit remote attackers to pass malicious input to database
queries, resulting in modification of query logic or other attacks.
Successful exploitation could result in compromise of the YaBB SE,
disclosure or modification of data or may permit an attacker to exploit
vulnerabilities in the underlying database implementation.
5. GoAhead WebServer Directory Management Policy Bypass Vulnerability
BugTraq ID: 9450
Remote: Yes
Date Published: Jan 19 2004
Relevant URL:
http://www.securityfocus.com/bid/9450
Summary:
GoAhead WebServer is an embedded web server implementation that
is available for a number of operating systems, including Microsoft
Windows and Unix/Linux derivatives.
GoAhead WebServer allows users to configure a policy for how
requests for resources in certain directories are handled, such as defining
default actions for resources in cgi-bin or other directories. This is
handled internally via the websUrlHandlerRequest() server function.
GoAhead WebServer is prone to a vulnerability that may permit remote
attackers to bypass directory management policy.
It is reported that certain syntax may be used in HTTP GET requests to
bypass the policy for how certain requests should be handled, for
example, a script that should be interpreted may be downloaded by the
attacker instead. The following example requests are reported to
reproduce this behavior:
GET cgi-bin/cgitest.c HTTP/1.0
GET \cgi-bin/cgitest.c HTTP/1.0
GET %5ccgi-bin/cgitest.c HTTP/1.0
By omitting the initial forward-slash (/) or substituting a back-slash (/)
for the initial forward-slash, it is possible to bypass directory management
policy. A URL-encoded back-slash (%5c) at the beginning of the
request may also bypass the policy. Other variations also exist.
This could allow for unauthorized access to resources hosted on the
server, likely resulting in disclosure of sensitive information such as
script source code. The exact consequences will depend on what sort
of directory management policy is in place and also the nature of
information included in scripts or other sensitive resources hosted on
the server.
6. GoAhead WebServer Post Content-Length Remote Resource Consumption Vulnerability
BugTraq ID: 9452
Remote: Yes
Date Published: Jan 19 2004
Relevant URL:
http://www.securityfocus.com/bid/9452
Summary:
GoAhead WebServer is an embedded web server implementation that
is available for a number of operating systems, including Microsoft
Windows and Unix/Linux derivatives.
A vulnerability in the handling of unusual HTTP requests and content-length
sizes may cause a vulnerable GoAhead WebServer to become unstable.
Because of this, a remote attacker may be able consume excessive
resources on the underlying host, resulting in a denial of service condition.
The problem is in the handling of remote POST requests. By specifying
a content-length of a specific size in a POST request, and sending data of
a lesser size then breaking the connection, it is possible to send the service
into an infinite loop. The program does not sufficiently handle the
condition of a broken connection, and can consume excessive system
resources, potentially taking down the system with the service.
7. SuSE Multiple Scripts Insecure Temporary File Handling Symbolic Link Vulnerabilities
BugTraq ID: 9457
Remote: No
Date Published: Jan 20 2004
Relevant URL:
http://www.securityfocus.com/bid/9457
Summary:
fvwmbug is a helper shell script to allow a user to compose and email
bug-reports that concern FVWM. wm-oldmenu2new is used to convert
from an old-style WindowMaker menu file to the new PropertyList style.
X11perfcomp is a script that merges and formats the output of x11perf.
Xf86debug is a script used to debug X server, it must be invoked by a root
user. winpopup-send.sh is a script that is shipped as a part of the kopete
package. lvmcreate_initrd is used to create a new compressed initial ramdisk.
Multiple scripts that are shipped with SuSE 9.0 have been reported prone
to insecuretemporary file creation and symbolic link vulnerabilities. The
following scripts have been reported vulnerable:
/usr/X11R6/bin/fvwm-bug
/usr/X11R6/bin/wm-oldmenu2new
/usr/X11R6/bin/x11perfcomp
/usr/X11R6/bin/xf86debug
/opt/kde3/bin/winpopup-send.sh
/sbin/lvmcreate_initrd
The issues are present, because the vulnerable scripts create temporary
files in an insecure manner. Specifically, when a script is invoked a
predictable temporary file is created. To exploit this issue, a local attacker
may create many symbolic links in the "tmp" directory with incremental
values representing the variable part of the vulnerable temporary filename.
Each of these links will point to an arbitrary file that the attacker wishes to
target. When the vulnerable script is invoked, operations that were
supposed for the temporary file will be carried out on the file that is linked
by the malicious symbolic link.
An attacker may exploit these issues to corrupt arbitrary files. This
corruption may potentially result in the elevation of privileges, or
in a system wide denial of service.
Each issue described in this BID will be given individual BID's once
further analysis is complete.
8. WebTrends Reporting Center Management Interface Path Disclosclosure Vulnerability
BugTraq ID: 9460
Remote: Yes
Date Published: Jan 20 2004
Relevant URL:
http://www.securityfocus.com/bid/9460
Summary:
WebTrends Reporting Center is used to organize and present usage
information for multiple server web environments. Reporting Center is
available for Microsoft Windows, Linux and Solaris.
The WebTrends Reporting Center management interface discloses
installation path information when a non-existent resource is requested.
The management interface is accessible via HTTP on TCP port 1099.
This issue exists in the 'viewreport.pl' script included with the interface
and may be triggering by specifying a non-existent ID for the 'profileid'
parameter. The absolute physical path of the software installation will be
disclosed in the error response to such a request. This information may permit
an attacker to enumerate the layout of the underlying file system of the host.
This issue was reported for version 6.1a of the software running on Microsoft
Windows.Other platforms and versions may also be affected.
9. Honeyd Remote Virtual Host Detection Vulnerability
BugTraq ID: 9464
Remote: Yes
Date Published: Jan 18 2004
Relevant URL:
http://www.securityfocus.com/bid/9464
Summary:
Honeyd is honeypot software that simulates virtual hosts on IP addresses
that are not in use. It is available for various Unix/Linux derivatives.
Honeyd is prone to a vulnerability that may permit remote users to detect
the presence of the server. This is due to a flaw in how Honeyd responds
to certain TCP SYN packets, effectively allowing a remote user to determine
if a scanned address is a virtual Honeyd host. Upon receipt of such a
packet, the daemon will respond with a packet that has the SYN and RST
flags set. The consequence is that a remote attacker could enumerate the
existence of simulated Honeyd hosts and then either target specific attacks
against these hosts or avoid them altogether.
10. Acme thttpd CGI Test Script Cross-Site Scripting Vulnerability
BugTraq ID: 9474
Remote: Yes
Date Published: Jan 22 2004
Relevant URL:
http://www.securityfocus.com/bid/9474
Summary:
thttpd is an HTTP server implementation that is maintained by Acme.
It is intended to run on Unix/Linux variants.
thttpd is prone to a cross-site scripting vulnerability in the CGI
test script. This could permit a remote attacker to create a malicious
link to the web server that includes hostile HTML and script code. If
this link were followed, the hostile code may be rendered in the web
browser of the victim user. This would occur in the security context
of the web server and may allow for theft of cookie-based authentication
credentials or other attacks.
It should be noted that FREESCO includes an embedded version of thttpd
and is also prone to this vulnerability due to their inclusion of the vulnerable
component.
