SecurityFocus
1. TextPortal Undocumented Username / Password Weakness
BugTraq ID: 7673
Remote: Yes
Date Published: May 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7673
Summary:
TextPortal is a web-based content management system implemented in PHP. It
is available for a variety of platforms including Microsoft Windows and
Linux and Unix variant operating environments.
A weakness has been reported for TextPortal that may allow an attacker to
obtain unauthorized access. The issue exists due to a weak, undocumented
password used for the default administrative user 'god2'.
TextPortal encrypts passwords using crypt and stores them in the
'db_ures\admin_pass.php' file. Specifically, the user 'god2' has a default
undocumented password of '12345'.
Access to the 'god2' account could grant unauthorized administrative
access to remote attackers.
Administrative privileges gained on target systems may allow attackers to
corrupt configuration settings. Other attacks are also possible.
3. UML_NET Integer Mismanagement Code Execution Vulnerability
BugTraq ID: 7676
Remote: No
Date Published: May 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7676
Summary:
uml_utilities is a collection of packages designed to be used in
conjunction with the User Mode Linux (UML) kernel patch. The uml_net
program can be used by an administrator to configure various network
devices and system networking parameters.
A vulnerability has been discovered in uml_net. The problem lies in the
uml_net.c source file and occurs while handling user-supplied version
information.
The 'v' variable is declared as a signed integer, however it is used to
store an unsigned integer value returned by a call to the 'strtoul()'
function. This will result in 'v' being interpreted as a negative value.
As 'v' is later used in various bounds checking calculations, specifically
'if (v > CURRENT_VERSION)', it is possible to trigger an unexpected
calculation and bypass the check.
If all necessary calculation checks are passed, an attacker may be capable
of indexing into a malformed location within an array of function
pointers. Specifically, the 'v' variable is used as an index into the
(*handlers[])() array. When this occurs the negative value stored in 'v'
will allow the attacker to reference a supplied address lower in process
memory.
Successful exploitation of this vulnerability would allow an attacker to
execute arbitrary commands with the privileges of uml_net, possibly root.
It has been confirmed that uml_net is installed suid root on at least one
Linux distribution.
4. BLNews Remote File Include Vulnerability
BugTraq ID: 7677
Remote: Yes
Date Published: May 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7677
Summary:
BLNews is a web-based news application written in PHP. BLNews supports the
use of themes.
A vulnerability has been reported for BLNews 2.1.3-beta. The problem
occurs due to the 'objects.inc.php4' script failing to include the
'server.inc.php4' file. As a result, it is possible for a remote attacker
making a request to BLNews to control the 'Server' variable. This may
allow for the inclusion of attacker-supplied PHP header files,
specifically 'tools.inc.php4' and 'cmd.php4'.
Successful exploitation of this vulnerability would allow an attacker to
upload a malicious PHP file to BLNews. This could result in the execution
of arbitrary PHP code with the privileges of the web server.
It should be noted that, although this vulnerability is said to affect
BLNews 2.1.3-beta, previous versions may also affected.
5. Ultimate PHP Board admin_iplog.PHP Arbitrary PHP Execution Vulnerability
BugTraq ID: 7678
Remote: Yes
Date Published: May 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7678
Summary:
Ultimate PHP Board (UPB) is a freely available, open source PHP Bulletin
Board. It is available for the Unix and Linux operating systems.
UPB stores information about each connected user in the 'db' file, stored
in the 'iplog' directory. Information logged includes the users IP address
as well as the HTTP user agent information. An administrator is capable of
viewing this information by calling the 'admin_iplog.php' script.
A vulnerability has been reported for UPB 1.9. The problem is said to
occur due to insufficient sanitization of the HTTP 'User-Agent'
information before including it within the 'admin_iplog.php' script. As a
result, an attacker may be capable of embedding malicious PHP commands
within this field, which would in turn be interpreted by the web server.
The execution of these commands would only occur when an administrator
chooses to view the log of forum activity via the 'admin_iplog.php'
script. All commands executed would be run with the privileges of the web
server, typically httpd.
It should be noted that although unconfirmed this may also affect UPB
versions prior to 1.9.
6. Encrypted Virtual Filesystem Local Heap Overrun Vulnerability
BugTraq ID: 7679
Remote: No
Date Published: May 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7679
Summary:
Encrypted Virtual Filesystem (EVFS) is a virtual filesystem that runs on
top of the Linux VFS. It allows multiple users to each mount their own
encrypted filesystems using individual keys. It is available for the Linux
operating system.
A vulnerability has been discovered in the 'efs' utility used by EVFS. The
problem occurs during the 'do_mount()' function within the efs.c source
file. During a call to salloc(), the size calculation fails to take the
size of the 'to' argument into account. Data greater then that allocated
may subsequently be written into the buffer. As a result, it may be
possible for an attacker to corrupt sensitive memory management
information.
Successful exploitation of this vulnerability could allow a legitimate
EVFS user to execute arbitrary commands with root privileges.
This vulnerability affects EVFS v0.2, however earlier versions may also be
affected.
9. D-Link DI-704P Syslog.HTM Denial Of Service Vulnerability
BugTraq ID: 7686
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7686
Summary:
The D-Link DI-704P is an Internet Broadband Gateway device. The DI-704P
provides a method to share a single broadband Internet connection and
share a single printer among systems connected to the local network.
D-Link DI-704P has been reported prone to a remote denial of service
vulnerability.
The issue presents itself in the 'Syslog.htm' page, a part of the router's
web management interface. It has been reported that when excessive is data
passed URI parameter in a request for the vulnerable page, the router
firmware the device behaves in an unstable manner. Although unconfirmed
this may be due to an attempted name resolution of the malicious data.
Subsequent malicious requests may result in corruption of device logs or
in a complete denial of service condition requiring a device reboot.
Although unconfirmed, it should be noted that other D-Link devices that
use related firmware might also be affected.
10. Ifenslave Argument Local Buffer Overflow Vulnerability
BugTraq ID: 7682
Remote: No
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7682
Summary:
ifenslave is a tool designed to attach and detach slave network interfaces
to a bonding device. The bonding device will act like an Ethernet network
device to the Linux kernel, but will send out packets using the bound
slave devices using a scheduler.
ifenslave for Linux has been reported prone to a buffer overflow
vulnerability.
The issue is reportedly due to a lack of sufficient bounds checking
performed on user-supplied data before it is copied into an internal
memory space.
Specifically, excessive data passed as the first command line argument to
the vulnerable ifenslave executable, when copied into internal memory, may
overrun the boundary of the assigned buffer and corrupt adjacent memory.
Memory adjacent to this buffer has been confirmed to contain values that
are crucial to controlling program execution flow. It is therefore
possible for a local attacker to seize control of the vulnerable
application and have malicious arbitrary code executed in the context of
ifenslave. ifenslave is not installed setUID or setGID by default.
It should be noted that although this vulnerability has been reported to
affect ifenslave version 0.07 previous versions might also be affected.
11. Multiple Vignette Cross-Site Scripting Vulnerabilities
BugTraq ID: 7687
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7687
Summary:
Vignette distributes several products that include content management and
application portal software.
Vignette software has been reported prone to multiple cross-site scripting
vulnerabilities.
Reportedly the issue presents itself, because the Vignette software does
not sufficiently sanitize HTML characters (",&,<,>) from user-supplied
data. As a direct result of this, all vignette applications that do not
implement an explicit filters to sanitize user-supplied variables and
later generates dynamic content based on the supplied data, are
potentially affected.
An attacker may exploit these vulnerabilities by enticing a victim user to
follow a malicious link that contains malicious HTML code.
Attacker-supplied HTML and script code may be executed on a web client in
the context of the site hosting the affected Vignette software.
This may allow for theft of cookie-based authentication credentials and
other attacks.
This issue was reported for Vignette StoryServer version 4 to version 6;
it has been speculated that all current versions are vulnerable.
12. Vignette Unauthorized Legacy Tool Access Vulnerability
BugTraq ID: 7683
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7683
Summary:
Vignette distributes several products that include content management and
application portal software.
Vignette does not sufficiently restrict access to the Legacy Tool
application. This tool is accessible via the /vgn/legacy/edit template,
which requires authentication. However, it is also possible to access the
functions of the tool via the /vgn/legacy/save template, which does not
have the same level of access control. Cookie values are not sufficiently
checked when a remote user attempts to access the /vgn/legacy/save
template. A remote attacker may gain access to this template by
submitting a falsified cookie.
Unauthorized remote users may use the /vgn/legacy/save template to execute
database queries. This includes the ability to execute a SELECT query on
any tables which are accessible by the Vignette database user. This could
expose sensitive information to remote attackers.
13. Vignette Memory Disclosure Vulnerability
BugTraq ID: 7684
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7684
Summary:
Vignette distributes several products that include content management and
application portal software.
Vignette is prone to an issue which may expose the contents of memory to
remote attackers. This condition is due to a flaw in how Vignette
calculates the size of certain characters in URI variables. This
condition may occur when a request contains "-->". This will cause the
software to miscalculate the size of the request and random parts of
adjacent memory will be included in the response. This could result in
disclosure of sensitive information contained in memory and may also aid
in exploitation of other vulnerabilities.
This issue was reported for Vignette on IBM AIX. Other platforms may also
be affected, though this has not been confirmed. The issue affects some
of the default templates provided with Vignette.
This issue is similar to the vulnerability described in BID 7296.
14. Vignette SSI Injection Vulnerability
BugTraq ID: 7685
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7685
Summary:
Vignette distributes several products that include content management and
application portal software.
Under some circumstances, Vignette applications may be prone to injection
of Server-Side Includes (SSI). It may be possible to inject SSI through
URI variables and other input fields. This could allow remote attackers
to execute arbitrary commands with the privileges of Vignette. It is
believed that some of the default Vignette applications are prone to this
issue.
Exploitation is possible only if the SSI EXEC feature is enabled. This
issue could also affected third-party applications that are developed for
use with Vignette.
15. Vignette Style Template Information Leakage Vulnerability
BugTraq ID: 7688
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7688
Summary:
Vignette distributes several products that include content management and
application portal software.
A problem with Vignette software may make it possible to gain potentially
sensitive information.
It has been reported that some Vignette products install several
templates, including the style template, in the /vgn directory. Because
of this, it may be possible for a remote attacker to gain access to
potentially sensitive information.
The problem is in the style template. This template is by default
installed as /vgn/style on an affected system. When this template is
accessed by a remote user, the server leaks information that may include
variable names, paths, and other installation information. This could be
exploited to provide an attacker with information necessary in launching a
more organized attack against systems.
This problem has been reported to affect Vignette StoryServer and Vignette
V/5, though other products may also be affected.
16. Vignette Login Template User Information Leakage Vulnerability
BugTraq ID: 7691
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7691
Summary:
Vignette distributes several products that include content management and
application portal software.
A problem with Vignette software may make it possible to gain potentially
sensitive information.
It has been reported that some Vignette products install several
templates, including the login template, in the /vgn directory. Because
of this, it may be possible for a remote attacker to gain access to
potentially sensitive information.
The problem is in the login template. This template is by default
installed as /vgn/login on an affected system. When this template is
accessed by a remote user, the server leaks information when user names
are entered. Differing responses are given for existing users,
non-existing users, and disabled users. This could be exploited to
provide an attacker information necessary in launching a more organized
attack against systems.
This problem has been reported to affect Vignette StoryServer and Vignette
V/5, though other products may also be affected.
17. Vignette License Template Denial Of Service Vulnerability
BugTraq ID: 7694
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7694
Summary:
Vignette distributes several products that include content management and
application portal software.
A problem with Vignette software may make it possible to deny service to
web content.
It has been reported that some Vignette products install several
templates, including the license template, in the /vgn directory.
Because of this, it may be possible for a remote attacker to deny service
to a system using the software to manage web content.
The problem is in the license template. This template is by default
installed as /vgn/license on an affected system. When this template is
accessed by a remote user, the template allows the remote user to view and
alter license information. By altering the license data to invalid
values, the software could be made to not function. This could be
exploited by an attacker to prevent legitimate users from access content
on a site.
20. P-News Administrative Account Creation Vulnerability
BugTraq ID: 7689
Remote: Yes
Date Published: May 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7689
Summary:
P-News is a web-based news management system. It is implemented in PHP
and available for Unix/Linux variants and Microsoft Windows operating
systems.
A vulnerability has been reported that could enable a P-News member to
create and access an administrative account. The flaw exists in the
'p-news.php' script. It is possible to inject malicious data into the
'Name' account editing input field. Exploitation could allow a member to
compromise P-News.
This issue was reported in P-News 1.16. Other versions may also be
affected.
21. Vignette VALID_PATHS Command TCL Code Injection Vulnerability
BugTraq ID: 7692
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7692
Summary:
Vignette distributes several products that include content management and
application portal software.
Under some circumstances Vignette applications that harness the Vignette
API, specifically the 'VALID_PATHS' command, may be prone to injection of
arbitrary TCL code. The issue presents itself due to a lack of sufficient
sanitization performed on a user-supplied variable parsed by the
'VALID_PATHS' command. This variable, HTTP_REFERER may be influenced by an
attacker to ultimately inject arbitrary TCL code.
This could allow remote attackers to execute arbitrary commands with the
privileges of the affected server. It has been reported that several of
the default Vignette applications are prone to this issue.
This issue could also affect third-party applications that are developed
for use with Vignette.
This issue was reported for Vignette StoryServer version 5 and version 6.
However it has been speculated that all current versions may be
vulnerable.
22. Vignette NEEDS Command TCL Code Injection Vulnerability
BugTraq ID: 7690
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7690
Summary:
Vignette distributes several products that include content management and
application portal software.
Under some circumstances Vignette applications that harness the Vignette
API, specifically a 'NEEDS' command that follows a certain code path, may
be prone to injection of arbitrary TCL code. The issue presents itself due
to a lack of sufficient sanitization performed on user-supplied variables
parsed by the 'NEEDS' command. These variables, HTTP_QUERY_STRING and
HTTP_COOKIE, may be influenced by an attacker to ultimately inject
arbitrary TCL code.
This could allow remote attackers to execute arbitrary commands with the
privileges of the affected server. It has been reported that several of
the default Vignette applications are prone to this issue.
This issue could also affect third-party applications that are developed
for use with Vignette.
This issue was reported for Vignette StoryServer version 5 and version 6.
However it has been speculated that all current versions may be
vulnerable.
Conflicting reports suggest that while SHOW HTTP_COOKIE and
HTTP_QUERY_STRING may be vulnerable to cross-site scripting attacks, only
the SET HTTP_COOKIE and HTTP_QUERY_STRING are vulnerable to TCL code
injection attacks.
23. Batalla Naval Remote Buffer Overflow Vulnerability
BugTraq ID: 7699
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7699
Summary:
Batalla Naval is graphical naval battle game that can be played over a
network. It is available for Unix/Linux variants and Microsoft Windows
operating systems.
Batalla Naval is prone to a remotely exploitable buffer overflow when
handling requests of excessive length. In particular, sending a string to
the game server (gbnserver) that is 500 or more bytes in length may cause
stack memory to be corrupted. This could allow for execution of malicious
instructions in the context of the game server.
The game server listens on port 1995 by default.
26. BNC IRC Proxy Multiple Session Denial of Service Vulnerability
BugTraq ID: 7701
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7701
Summary:
BNC IRC Proxy is an open source IRC proxying server that allows a system
without direct Internet access to relay through the BNC server.
It has been reported that the BNC IRC Proxy is prone to a denial of
service vulnerability.
This vulnerability appears to occur when two legitimate users of the
service connect from the same IP address. If the second connected user
disconnects before the first connected user, the service reportedly fails
when the first user disconnects.
Precise technical details of this vulnerability are not currently known.
This record will be updated when further details become available.
This vulnerability was reported to affect BNC IRC Proxy version 2.6.2 and
prior.
27. PostNuke Phoenix Glossary Module SQL Injection Vulnerability
BugTraq ID: 7697
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7697
Summary:
A vulnerability has been discovered in PostNuke Phoenix v0723 and earlier.
Specifically, the Glossary module fails to sufficiently sanitize
user-supplied input, making it prone to SQL injection attacks.
Exploitation may allow for modification of SQL queries, resulting in
information disclosure, or database corruption. The consequences depend on
the nature of specific queries. This issue may allow the attacker to
exploit latent vulnerabilities in the underlying database.
28. PostNuke Phoenix Main Modules Multiple Path Disclosure Vulnerabilities
BugTraq ID: 7693
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7693
Summary:
PostNuke is a web-based content management system. It is implemented in
PHP and available for Unix/Linux variants and Microsoft Windows platforms.
Path disclosure vulnerabilities have been reported in modules which are
included with PostNuke Phoenix. Affected modules include Downloads,
Web_Links, Sections, FAQ, Search, Reviews and Glossary. The nature of
these issues is poor handling of data supplied via URI parameters, causing
error pages to be generated that contain the path to the installation root
directory and other resources.
Exploitation of these issues may allow an attacker to gather sensitive
information.
Some of these issues may be previously reported or exist in other content
management systems such as PHP-Nuke or PHPBB, due to shared code.
