LinuxQuestions.org
Old 06-05-2004, 04:36 AM   #1
unSpawn
LQ security report - Jun 05th 2004


Jun 4th 2004
10 issues handled (LAW)
apache
heimdal
kdelibs
kolab-server
lha
mailman
mc
mysql
tcpdump,libpcap,arpwatch
utempter

Jun 01st 2004
16 of 27 issues handled (ISS)
Liferay Enterprise Portal message cross-site
PimenGest2 rowLatex.inc.php view database password
xpcd xpcd-svga pcd_open buffer overflow
NETGEAR RP114 long URL filter bypass
cPanel mod_phpsuexec allows command execution
e107 user.php cross-site scripting
F-Secure Anti-Virus bypass Sober.D and Sober.G
UCD-SNMPD command buffer overflow
BigIP TCP SYN cookie denial of service
FreeBSD msync allows elevated privileges
GNU Mailman obtain password
3Com OfficeConnect Telnet escape sequence buffer
F-Secure Anti-Virus LHA archive buffer overflow
Isoqlog parcer.c allows elevated privileges
xdm open socket allows access
3com OfficeConnect allows elevated access

Jun 1st 2004
16 of 28 issues handled (SF)
1. BNBT BitTorrent Tracker Denial of Service Vulnerability
4. Liferay Enterprise Portal Multiple XSS Vulnerabilities
5. XPCD XPCD-SVGA Buffer Overflow Vulnerability
6. Netgear RP114 Content Filter Bypass Vulnerability
7. e107 Website System User.PHP HTML Injection Vulnerability
9. cPanel Local Privilege Escalation Vulnerability
10. Pimentech PimenGest2 RowLatex.inc.PHP Information Disclosure...
13. GNU Mailman Unspecified Password Retrieval Vulnerability
16. FreeBSD Msync(2) System Call Buffer Cache Implementation Vul...
19. 3Com OfficeConnect Remote 812 ADSL Router Telnet Buffer Over...
21. XFree86 XDM RequestPort Random Open TCP Socket Vulnerability
22. Sun Java System Application Server Remote Installation Path ...
24. 3Com OfficeConnect Remote 812 ADSL Router Web Interface Auth...
25. PHP Input/Output Wrapper Remote Include Function Command Exec...
26. Subversion Pre-Commit-Hook Template Undisclosed Vulnerabilit...
28. JPortal Print.php SQL Injection Vulnerability

Last edited by unSpawn; 06-06-2004 at 01:51 PM.
 
Old 06-05-2004, 04:37 AM   #2
unSpawn
Jun 01st 2004 (ISS)

Internet Security Systems


Date Reported: 05/22/2004
Brief Description: Liferay Enterprise Portal message cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, Liferay Enterprise Portal Any version
Vulnerability: liferay-message-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/16232

Date Reported: 05/23/2004
Brief Description: PimenGest2 rowLatex.inc.php view database password
Risk Factor: Medium
Attack Type: Network Based
Platforms: Debian Linux Any version
Vulnerability: pimengest2-rowlatex-view-password
X-Force URL: http://xforce.iss.net/xforce/xfdb/16234

Date Reported: 05/22/2004
Brief Description: xpcd xpcd-svga pcd_open buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Debian Linux 3.0, xpcd Any version
Vulnerability: xpcd-svga-pcdopen-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/16236

Date Reported: 05/24/2004
Brief Description: NETGEAR RP114 long URL filter bypass
Risk Factor: Medium
Attack Type: Network Based
Platforms: NETGEAR RP114 any version
Vulnerability: netgearrp114-long-url-filter-bypass
X-Force URL: http://xforce.iss.net/xforce/xfdb/16238

Date Reported: 05/23/2004
Brief Description: cPanel mod_phpsuexec allows command execution
Risk Factor: High
Attack Type: Host Based
Platforms: cPanel any version, Linux Any version, Unix Any version
Vulnerability: cpanel-modphpsuexec-execute-commands
X-Force URL: http://xforce.iss.net/xforce/xfdb/16239

Date Reported: 05/25/2004
Brief Description: e107 user.php cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, e107 Any version
Vulnerability: e107-user-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/16241

Brief Description: F-Secure Anti-Virus bypass Sober.D and Sober.G detection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any operating system Any version, F-Secure Anti-Virus 5.41, F-Secure Anti-Virus 5.42, F-Secure Anti-Virus Client Security 5.50 and 5.52
Vulnerability: fsecure-sober-detection-bypass
X-Force URL: http://xforce.iss.net/xforce/xfdb/16243

Date Reported: 05/21/2004
Brief Description: UCD-SNMPD command buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, UCD-SNMPD 4.2.6 and earlier, Unix Any version
Vulnerability: ucd-snmpd-command-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/16245

Date Reported: 05/24/2004
Brief Description: BigIP TCP SYN cookie denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: BigIP 4.5 through 4.5.10, BSD Any version
Vulnerability: bigip-syn-cookie-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/16253

Date Reported: 05/26/2004
Brief Description: FreeBSD msync allows elevated privileges
Risk Factor: High
Attack Type: Host Based
Platforms: FreeBSD 4.10-RELEASE, FreeBSD 4.10-STABLE, FreeBSD 4.8-RELEASE-p22, FreeBSD 4.9-RELEASE-p9, FreeBSD 5.2.1-RELEASE-p8, FreeBSD RELENG_4, FreeBSD RELENG_4_10, FreeBSD RELENG_4_8, FreeBSD RELENG_4_9, FreeBSD RELENG_5_2
Vulnerability: freebsd-msync-gain-privileges
X-Force URL: http://xforce.iss.net/xforce/xfdb/16254

Date Reported: 05/26/2004
Brief Description: GNU Mailman obtain password
Risk Factor: Medium
Attack Type: Network Based
Platforms: Conectiva Linux 8.0, Conectiva Linux 9.0, GNU Mailman prior to 2.1.5
Vulnerability: mailman-obtain-password
X-Force URL: http://xforce.iss.net/xforce/xfdb/16256

Date Reported: 05/26/2004
Brief Description: 3Com OfficeConnect Telnet escape sequence buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms: 3Com OfficeConnect 812 ADSL Router 1.1.9
Vulnerability: 3com-officeconnect-telnet-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/16257

Date Reported: 05/26/2004
Brief Description: F-Secure Anti-Virus LHA archive buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms: Any operating system Any version, F-Secure Anti-Virus 2004 and earlier, F-Secure Anti-Virus Client Security 5.52 and earlier, F-Secure Anti-Virus for Linux 4.52 and earlier, F-Secure Anti-Virus for MIMEsweeper 5.42 and earlier, F-Secure Anti-Virus for MS Exchange 6.21 and earlier, F-Secure Anti-Virus for Samba Servers 4.60, F-Secure Anti-Virus for Windows Servers 5.42 and earlier, F-Secure Anti-Virus for Workstations 5.42 and earlier, F-Secure for Firewalls 6.20 and earlier, F-Secure Internet Gatekeeper 6.32 and earlier, F-Secure Internet Security 2004 and earlier
Vulnerability: fsecure-lha-archive-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/16258

Date Reported: 05/26/2004
Brief Description: Isoqlog parcer.c allows elevated privileges
Risk Factor: High
Attack Type: Host Based
Platforms: Isoqlog 2.2-BETA, Linux Any version, Unix Any version
Vulnerability: isoqlog-parcer-gain-privileges
X-Force URL: http://xforce.iss.net/xforce/xfdb/16262

Date Reported: 05/27/2004
Brief Description: xdm open socket allows access
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, xdm Any version
Vulnerability: xdm-socket-gain-access
X-Force URL: http://xforce.iss.net/xforce/xfdb/16264

Date Reported: 05/27/2004
Brief Description: 3com OfficeConnect allows elevated access
Risk Factor: High
Attack Type: Network Based
Platforms: 3Com OfficeConnect 812 ADSL Router Any version
Vulnerability: 3com-officeconnect-gain-access
X-Force URL: http://xforce.iss.net/xforce/xfdb/16267
 
Old 06-05-2004, 04:38 AM   #3
unSpawn
Jun 1st 2004 (SF)

SecurityFocus


1. BNBT BitTorrent Tracker Denial of Service Vulnerability
BugTraq ID: 10399
Remote: Yes
Date Published: May 22 2004
Relevant URL: http://www.securityfocus.com/bid/10399
Summary:
BNBT BitTorrent Tracker versions Beta 7.5 release 2 and prior are affected by a flaw related to decoding of HTTP Basic Authentication credentials (util.cpp). If a client transmits to the server the credential string "A==", the server will crash. A check has been introduced in version 73_20040521 that will log exploitation attempts and return prematurely if a request is made with credentials "A==". This may not be enough to eliminate the vulnerability entirely. Version Beta 7.5 Release 3 removes the likely vulnerable code, but may break authentication on Big Endian systems.

4. Liferay Enterprise Portal Multiple XSS Vulnerabilities
BugTraq ID: 10402
Remote: Yes
Date Published: May 22 2004
Relevant URL: http://www.securityfocus.com/bid/10402
Summary:
It has been reported that Liferay Enterprise Portal is susceptible to multiple cross-site scripting and HTML injection vulnerabilities. User-supplied data from many input fields is included in server generated content without appropriate validation/encoding. This may allow for typical cross-site scripting attacks against other users of the portal.

5. XPCD XPCD-SVGA Buffer Overflow Vulnerability
BugTraq ID: 10403
Remote: No
Date Published: May 23 2004
Relevant URL: http://www.securityfocus.com/bid/10403
Summary:
The xpcd-svga utility is susceptible to a locally exploitable buffer overflow condition. According to the report, xpcd-svga copies untrusted data into a buffer of predefined size without bounds checking. The procedure where this occurs is "pcd_open()", suggesting that the source of the data may be in the image file or photo disk.

6. Netgear RP114 Content Filter Bypass Vulnerability
BugTraq ID: 10404
Remote: Yes
Date Published: May 24 2004
Relevant URL: http://www.securityfocus.com/bid/10404
Summary:
It is reported that users may bypass Netgear RP114 content filter functionality. This can be accomplished by making a URI request string that is over 220 bytes in length.
This vulnerability may result in a false sense of security for a network administrator, where a malicious website is believed to be unreachable. In reality any host may contact blacklisted websites.

7. e107 Website System User.PHP HTML Injection Vulnerability
BugTraq ID: 10405
Remote: Yes
Date Published: May 24 2004
Relevant URL: http://www.securityfocus.com/bid/10405
Summary:
It is reported that e107 website system is prone to a remote HTML injection vulnerability in user account profiles. This issue is due to a failure by the application to properly sanitize user-supplied input.
An attacker may exploit the aforementioned vulnerability to execute arbitrary script code in the browser of an unsuspecting user. It may be possible to steal the unsuspecting user's cookie-based authentication credentials, as well as other sensitive information. Other attacks may also be possible.

9. cPanel Local Privilege Escalation Vulnerability
BugTraq ID: 10407
Remote: No
Date Published: May 24 2004
Relevant URL: http://www.securityfocus.com/bid/10407
Summary:
cPanel is reported prone to a privilege escalation vulnerability. It is reported that the options used by cPanel to compile Apache 1.3.29 and PHP using the mod_phpsuexec option are insecure. These settings will reportedly permit a local attacker to execute arbitrary code as any user who possesses a PHP file that is published to the Apache web server.

10. Pimentech PimenGest2 RowLatex.inc.PHP Information Disclosure...
BugTraq ID: 10408
Remote: Yes
Date Published: May 24 2004
Relevant URL: http://www.securityfocus.com/bid/10408
Summary:
A vulnerability has been reported in Pimentech PimenGest2 that may allow a remote attacker to disclose sensitive information. This issue is reported to allow an attacker to view debug information that contains a database password.

13. GNU Mailman Unspecified Password Retrieval Vulnerability
BugTraq ID: 10412
Remote: Yes
Date Published: May 25 2004
Relevant URL: http://www.securityfocus.com/bid/10412
Summary:
Mailman is prone to an unspecified password retrieval vulnerability. This vulnerability was disclosed by the vendor. Reportedly, a remote attacker can gain access to user passwords, when the users subscribe to a mailing list.
A remote attacker can use the sensitive information to hijack user accounts or carry out other attacks.
Mailman versions 2.1.4 and prior are prone to this issue.
Due to a lack of details further information is not available at the moment. This BID will be updated as more information becomes available.

16. FreeBSD Msync(2) System Call Buffer Cache Implementation Vul...
BugTraq ID: 10416
Remote: No
Date Published: May 26 2004
Relevant URL: http://www.securityfocus.com/bid/10416
Summary:
FreeBSD msync(2) system call is prone to a vulnerability that can allow a local attacker to prevent modifications made to a file from being written to disk.
Under certain circumstances, a local user with read access to a file can prevent modifications made to a file from being written to disk. It is conjectured that an attacker can potentially cause a denial of service, if the attacker can influence a sensitive configuration file. Other attacks are possible as well. The attack would depend on the privileges held by the attacker.

19. 3Com OfficeConnect Remote 812 ADSL Router Telnet Buffer Over...
BugTraq ID: 10419
Remote: Yes
Date Published: May 26 2004
Relevant URL: http://www.securityfocus.com/bid/10419
Summary:
3Com OfficeConnect Remote 812 ADSL Router is prone to a remotely exploitable buffer overflow through the telnet port. Exploitation of this vulnerability will likely result in a denial of service.

21. XFree86 XDM RequestPort Random Open TCP Socket Vulnerability
BugTraq ID: 10423
Remote: Yes
Date Published: May 27 2004
Relevant URL: http://www.securityfocus.com/bid/10423
Summary:
xdm is reported prone to a potential security vulnerability that may lead to a false sense of security. A problem reported in xdm is reported to result in a false sense of security because even though DisplayManager.requestPort is set to 0, xdm will open a chooserFd TCP socket on all interfaces.

22. Sun Java System Application Server Remote Installation Path ...
BugTraq ID: 10424
Remote: Yes
Date Published: May 27 2004
Relevant URL: http://www.securityfocus.com/bid/10424
Summary:
It is reported that Java System Application Server is prone to a remote installation path disclosure vulnerability. This issue is due to a failure of the application to properly filter user requests.
Successful exploitation of this issue may allow an attacker to gain sensitive information about the file system that may aid in launching more direct attacks against the system.

24. 3Com OfficeConnect Remote 812 ADSL Router Web Interface Auth...
BugTraq ID: 10426
Remote: Yes
Date Published: May 27 2004
Relevant URL: http://www.securityfocus.com/bid/10426
Summary:
3Com OfficeConnect Remote 812 ADSL Router is reportedly affected by an authentication bypass vulnerability through its web configuration interface.
Successful exploitation of this issue would allow an attacker to gain administrative access to the affected device.

25. PHP Input/Output Wrapper Remote Include Function Command Exec...
BugTraq ID: 10427
Remote: Yes
Date Published: May 27 2004
Relevant URL: http://www.securityfocus.com/bid/10427
Summary:
PHP is reportedly affected by an arbitrary command execution weakness through the PHP include() function. This issue is due to a design error that allows the execution of attacker supplied POST PHP commands when URI data is used as an argument to an 'include()' function.
This issue affects the PHP module itself; however the problem only presents itself when an application uses a user-supplied URI parameter as an argument to the 'include()' function.
This issue is reported to affect all versions of PHP since 3.0.13. Furthermore this issue is not resolved by setting the 'php.ini' variable 'allow_url_fopen' to off.
Successful exploitation of this issue will allow an attacker to execute arbitrary PHP code on the affected computer; this will allow the execution of commands to the underlying operating system with the privileges of the affected web server process.

26. Subversion Pre-Commit-Hook Template Undisclosed Vulnerabilit...
BugTraq ID: 10428
Remote: No
Date Published: May 27 2004
Relevant URL: http://www.securityfocus.com/bid/10428
Summary:
Subversion is reported prone to an undisclosed vulnerability. The issue is reported to present itself due to an insecure implementation of the pre-commit-hook template.
This BID will be updated as soon as further information regarding this vulnerability becomes available.

28. JPortal Print.php SQL Injection Vulnerability
BugTraq ID: 10430
Remote: Yes
Date Published: May 28 2004
Relevant URL: http://www.securityfocus.com/bid/10430
Summary:
JPortal is reportedly affected by a remote SQL injection vulnerability in the print.inc.php script. This issue is due to a failure of the application to properly sanitize user-supplied URI input before using it in an SQL query.
As a result of this a malicious user may influence database queries in order to view or modify sensitive information, potentially compromising the software or the database. It may be possible for an attacker to disclose the administrator password hash by exploiting this issue.
 
Old 06-06-2004, 01:51 PM   #4
unSpawn
Jun 4th 2004 (LAW)

Linux Advisory Watch


Distribution: Conectiva

5/27/2004 - mailman
Multiple vulnerabilities
Fixes cross site scripting and remote password retrieval
vulnerabilities, plus a denial of service.
http://www.linuxsecurity.com/advisor...sory-4409.html

5/27/2004 - kde
Insufficient input sanitation
The telnet, rlogin, ssh and mailto URI handlers in KDE do not
check for '-' at the beginning of the hostname passed.
http://www.linuxsecurity.com/advisor...sory-4410.html


Distribution: FreeBSD

5/27/2004 - core:sys Buffer cache invalidation vulnerability
Insufficient input sanitation
In some situations, a user with read access to a file may be able
to prevent changes to that file from being committed to disk.
http://www.linuxsecurity.com/advisor...sory-4408.html


Distribution: Gentoo

5/27/2004 - MySQL
Symlink vulnerability
Two MySQL utilities create temporary files with hardcoded paths,
allowing an attacker to use a symlink to trick MySQL into
overwriting important data.
http://www.linuxsecurity.com/advisor...sory-4404.html

5/27/2004 - mc
Multiple vulnerabilities
Multiple security issues have been discovered in Midnight
Commander including several buffer overflows and string format
vulnerabilities.
http://www.linuxsecurity.com/advisor...sory-4405.html

5/27/2004 - Apache
1.3 Multiple vulnerabilities
Several security vulnerabilities have been fixed in the latest
release of Apache 1.3.
http://www.linuxsecurity.com/advisor...sory-4406.html

5/27/2004 - Heimdal
Buffer overflow vulnerability
A possible buffer overflow in the Kerberos 4 component of Heimdal
has been discovered.
http://www.linuxsecurity.com/advisor...sory-4407.html


Distribution: Mandrake

5/27/2004 - mailman
Password leak vulnerability
Mailman versions >= 2.1 have an issue where 3rd parties can
retrieve member passwords from the server.
http://www.linuxsecurity.com/advisor...sory-4402.html

5/27/2004 - kolab-server Plain text passwords
Password leak vulnerability
The affected versions store OpenLDAP passwords in plain text.
http://www.linuxsecurity.com/advisor...sory-4403.html


Distribution: Red Hat

5/27/2004 - utempter
Symlink vulnerability
An updated utempter package that fixes a potential symlink
vulnerability is now available.
http://www.linuxsecurity.com/advisor...sory-4399.html

5/27/2004 - LHA
Multiple vulnerabilities
Ulf Harnhammar discovered two stack buffer overflows and two
directory traversal flaws in LHA.
http://www.linuxsecurity.com/advisor...sory-4400.html

5/27/2004 - tcpdump,libpcap,arpwatch Denial of service vulnerability
Multiple vulnerabilities
Upon receiving specially crafted ISAKMP packets, TCPDUMP would
crash.
http://www.linuxsecurity.com/advisor...sory-4401.html


Distribution: SuSE

5/27/2004 - kdelibs/kdelibs3 Insufficient input sanitation
Multiple vulnerabilities
The URI handler of the kdelibs3 and kdelibs class library contains
a flaw which allows remote attackers to create arbitrary files as
the user utilizing the kdelibs3/kdelibs package.
http://www.linuxsecurity.com/advisor...sory-4398.html
 
  

