LQ weekly security rep - Jun 09th 2003
Jun 09th 2003
40 of 67 issues handled (ISS)

P-Synch multiple script path disclosure
P-Synch nph-psf.exe and nph-psa.exe script injection
P-Synch could allow an attacker to include PHP files
UpClient -p command line buffer overflow
SunMC Change Manager pamverifier program buffer overflow
JBoss ServerInfo.jsp source code disclosure
Sun Solaris in.telnetd(1M) process denial of service
SPChat modules.php cross-site scripting
PHPWebChat users.php path disclosure
KON command-line buffer overflow
PHPWebChat multiple scripts path disclosure
PHPWebChat users.php cross-site scripting
Newsscript administrative account creation
Linux kernel TTY denial of service
Linux kernel mxcsr routine denial of service
Linux kernel hash table collision packets denial of service
mod_gzip HTTP GET request buffer overflow
mod_gzip format string
mod_gzip race condition
Pi3Web Server ?SortName buffer overflow
b2 b2functions.php could allow an attacker to
b2 blogger-2-b2.php and gm-2-b2.php scripts in b2-
b2 ./blog.header.php script SQL injection
b2 b2menutop.php could allow an attacker to
man catalog file format string
PostNuke modules.php script denial of service
PostNuke Glossary SQL injection
PostNuke multiple modules in modules.php script
Sun JRE/SDK untrusted Applet could access
D-Link administrative Web page denial of service
atftpd long file name buffer overflow
Sun Solaris syslogd buffer overflow
OpenSSH could allow an attacker to bypass login
ImageFolio admin.cgi script directory traversal
Eterm path_env variable buffer overflow
Debian Linux XaoS allows an attacker to gain
zblast buffer overflow
WordPress blog.header.php SQL injection
WordPress links.all.php could allow an attacker
Apache Tomcat /opt/tomcat directory insecure

Jun 9th 2003
28 of 43 issues handled (SF)

1. cPanel/Formail-Clone E-Mail Restriction Bypass Vulnerability
3. Linux /bin/mail Carbon Copy Field Buffer Overrun Vulnerability
4. PHP-Nuke User/Admin Cookie SQL Injection Vulnerability
6. PHP Transparent Session ID Cross Site Scripting Vulnerability
7. JBoss Null Byte Request JSP Source Disclosure Vulnerability
11. Apache Tomcat Insecure Directory Permissions Vulnerability
12. Multiple Mod_Gzip Debug Mode Vulnerabilities
13. Webfroot Shoutbox Expanded.PHP Remote Command Execution Vulnerability
15. myServer HTTP GET Argument Buffer Overflow Vulnerability
16. XMame Lang Local Buffer Overflow Vulnerability
17. Webchat Module Path Disclosure Weakness
18. Webfroot Shoutbox Expanded.PHP Remote Directory Traversal Vulnerability
19. WebChat Users.PHP Database Username Disclosure Weakness
20. WebChat Users.PHP Cross-Site Scripting Vulnerability
23. Sun Management Center Change Manager PamVerifier Buffer Overflow Vulnerability
24. SPChat Module Remote File Include Vulnerability
25. Cafelog b2 B2Functions Script B2INC Variable Include Vulnerability
26. CafeLog b2 Blog.Header Script SQL Injection Vulnerability
27. Wordpress Posts SQL Injection Vulnerability
28. Cafelog b2 B2MenuTop Script B2INC Variable Include Vulnerability
29. Wordpress Remote PHP File Include Vulnerability
30. Pi3Web SortName Buffer Overflow Vulnerability
33. Multiple Vendor kon2 Local Buffer Overflow Vulnerability
35. Red Hat Linux TTY Layer Kernel Panic Denial Of Service Vulnerability
36. Red Hat Linux Kernel MXCSR Handler Unspecified Vulnerability
37. Red Hat Linux EXT3 Filesystem Data Corruption Vulnerability
38. Sun Solaris Telnet Daemon Remote Denial Of Service Vulnerability
40. Linux Kernel Fragment Reassembly Remote Denial Of Service Vulnerability
Jun 9th 2003 (SF) pt 1/2
SecurityFocus
1. cPanel/Formail-Clone E-Mail Restriction Bypass Vulnerability
BugTraq ID: 7758
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7758
Summary:
cPanel is a multi-platform web hosting control panel that allows a user to manage their hosted account through a web-based interface. cPanel includes a Formail-clone script.

It has been reported that cPanel is prone to an issue where a remote attacker may bypass the Formail-clone's local domain checks and have untrusted e-mail delivered in the context of the vulnerable host. The issue is reportedly due to a lack of input sanitization performed on the recipient field used by the cPanel Formmail-clone. Reportedly, an attacker can append a reference to the local domain in parentheses, e.g. 'recipient@example.(localdomain)com', as part of an e-mail address passed to cPanel. When the cPanel mailer invokes sendmail to handle this address, sendmail strips out the parentheses and the data contained therein and sends the e-mail to the attacker-supplied address.

This issue may be exploited by an attacker to use the vulnerable host as an open relay.

3. Linux /bin/mail Carbon Copy Field Buffer Overrun Vulnerability
BugTraq ID: 7760
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7760
Summary:
The /bin/mail utility is a mail processing system which can be used to send and receive e-mail messages. It is available for the Unix and Linux operating systems.

A vulnerability has been discovered in /bin/mail on the Linux operating system. The problem occurs when processing the 'CC:' field within an e-mail message. Due to insufficient bounds checking, handling approximately 8824 bytes of data will trigger a buffer overrun. Successful exploitation of this issue could allow an attacker to execute arbitrary commands with the privileges of /bin/mail.

It should be noted that local exploitation of this vulnerability may be inconsequential. However, a malicious e-mail message referenced by the vulnerable utility or a remote CGI interface may both be sufficient conduits for remote exploitation.

4. PHP-Nuke User/Admin Cookie SQL Injection Vulnerability
BugTraq ID: 7762
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7762
Summary:
PHP-Nuke is a popular web based Portal system. It allows users to create accounts and contribute content to the site.

PHP-Nuke is reported to be prone to SQL injection attacks during authentication. This is due to insufficient sanitization of cookie values, which will be used in database queries. This could permit an attacker to inject SQL code. It has been demonstrated that this vulnerability may allow a remote attacker to modify query logic and disclose administrator and user password hashes through a sequential brute force method. Although unconfirmed, it may also be possible, depending on the database implementation and other factors, to launch attacks against the database. This may result in the disclosure of sensitive information.

Having the Web_Links module installed and one link active is a prerequisite for exploitation of the admin password hash recovery issue.

It should be noted that although this vulnerability has been reported to affect PHP-Nuke versions 5.6 and 6.5, all other versions may potentially be affected.

6. PHP Transparent Session ID Cross Site Scripting Vulnerability
BugTraq ID: 7761
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7761
Summary:
PHP is a freely available, open source web scripting language package. It is available for Microsoft Windows, Linux, and Unix operating systems.

PHP contains an option known as transparent session IDs. This feature allows session IDs to be embedded within a URL. A cross-site scripting vulnerability has been discovered in PHP version 4.3.1 and earlier. The problem occurs when the 'session.use_trans_sid' global parameter has been enabled. Due to insufficient sanitization of the PHPSESSID URI parameter, it is possible for an attacker to embed malicious script code within a link. By embedding malicious code in such a way that an HTML tag will be prematurely terminated, it may be possible to execute arbitrary script code.

Successful exploitation of this issue would allow an attacker to execute arbitrary script code in a victim's browser within the context of the visited website. This may allow for the theft of sensitive information, such as session IDs, or possibly other attacks.

It should be noted that PHP versions prior to release 4.2.0 do not support transparent session IDs by default. Support must be specified during initial compilation.

7. JBoss Null Byte Request JSP Source Disclosure Vulnerability
BugTraq ID: 7764
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7764
Summary:
JBoss is a freely available, open source Java Application server. It is distributed and maintained by JBoss Group.

A problem in the software may make it possible to gain unauthorized access to potentially sensitive information. A problem has been reported in the handling of unexpected characters by the JBoss program. Because of this, an attacker may gain access to potentially sensitive information.

The problem is in the input of null characters with some requests. By placing a valid request, and appending a null byte to the end of the request, it is possible to see the source of the Java Server Page (JSP) requested from JBoss. This could yield potentially sensitive information such as passwords.

It should be noted that this problem occurs when JBoss is used with Jetty. It is not known what effect this problem has on JBoss with other servers.

11. Apache Tomcat Insecure Directory Permissions Vulnerability
BugTraq ID: 7768
Remote: No
Date Published: Jun 01 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7768
Summary:
Tomcat is a web server and JSP/Servlet container that is developed by Apache as part of the Jakarta project.

Apache Tomcat may be installed with world-readable permissions for the /opt/tomcat/ directory. Files in this directory may contain sensitive information, such as authentication credentials. Local users may potentially gain unauthorized access to these files as a result.

This issue was reported for Apache Tomcat versions prior to 4.1.24 on Gentoo Linux. It is not known if other distributions are similarly affected.

12. Multiple Mod_Gzip Debug Mode Vulnerabilities
BugTraq ID: 7769
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7769
Summary:
Mod_gzip is an Apache web server module that compresses web content before sending it to the client. Mod_gzip is not a standard module for Apache.

Multiple vulnerabilities were reported in Mod_gzip. The following issues exist when the software is run in debug mode:

Insufficient bounds checking of request data may lead to a stack overflow. If a remote user passes an excessive request for a file type (such as gzip) handled by the module, it may be possible to corrupt stack variables with specific values. This could lead to execution of malicious attacker-supplied instructions.

Mod_gzip is prone to a format string vulnerability when Apache logging facilities are used. This is due to missing format specifiers in the code responsible for logging requests for file types handled by the module. Exploitation could permit a remote attacker to overwrite arbitrary locations in memory with malicious data, potentially allowing for code execution.

Mod_gzip logs debugging information in files using predictable names. The following naming scheme is used when log files are created:

/tmp/t<PID>.log

By anticipating the value of the process ID, a local attacker could launch symlink attacks against other system files. It has been reported that some debugging information is logged as the superuser. This could allow for corruption of arbitrary files. If these files can be corrupted with custom data, then it will be possible to gain elevated privileges.

Exploitation of these issues could result in execution of malicious instructions or corruption of critical or sensitive files. This record will be divided into multiple BIDs when further analysis of these issues is complete.

13. Webfroot Shoutbox Expanded.PHP Remote Command Execution Vulnerability
BugTraq ID: 7772
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7772
Summary:
Webfroot Shoutbox is a web application designed to allow web site visitors a chance to leave messages. It is implemented in PHP and is available for the Unix, Linux, and Microsoft Windows platforms.

Shoutbox is prone to an issue that may result in the execution of attacker-supplied code. The vulnerability exists due to insufficient sanitization of input into the expanded.php script. An attacker can exploit this vulnerability to insert malicious PHP code into the web server logs, which can then be executed by the PHP interpreter when the logs are requested. This will allow an attacker to execute arbitrary commands on a vulnerable system in the context of the web server.

This vulnerability was reported to affect Webfroot Shoutbox 2.32 and earlier.

15. myServer HTTP GET Argument Buffer Overflow Vulnerability
BugTraq ID: 7770
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7770
Summary:
myServer is an application and web server for Microsoft Windows and Linux operating systems.

myServer has been reported prone to a remote buffer overflow vulnerability. The vulnerability exists when the web server attempts to process HTTP requests of excessive length. Specifically, when the web server processes an argument passed to a malicious HTTP GET request that consists of more than 4100 bytes, the web server will crash. This will result in a denial of service condition.

It is possible that this vulnerability may also allow the execution of arbitrary instructions. Any instructions carried out through this vulnerability would be with the privileges of the web server process. However, the possibility of code execution has not been confirmed.

This vulnerability was reported for myServer version 0.4.1. It is likely that other versions are also affected.

16. XMame Lang Local Buffer Overflow Vulnerability
BugTraq ID: 7773
Remote: No
Date Published: Jun 02 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7773
Summary:
Xmame is a port of the MAME arcade emulator. It is available for Linux and Unix systems.

Xmame is prone to a locally exploitable buffer overflow. The issue exists in the xmame.x11 executable. This is due to insufficient bounds checking of the command line parameter used to specify language settings (--lang). By specifying an excessively long language parameter, it is possible to corrupt stack memory with attacker-supplied values. This could be exploited to control execution flow and cause execution of malicious instructions.

Some builds of Xmame require setuid root privileges to operate properly, particularly those builds with svgalib/xf86_dga support enabled. Successful exploitation on some systems could result in execution of arbitrary code with elevated privileges.

17. Webchat Module Path Disclosure Weakness
BugTraq ID: 7774
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7774
Summary:
Webchat is a web based chat module designed for use with PHP-Nuke.

Webchat has been reported prone to a path disclosure weakness. Reportedly an attacker may make a malicious HTTP request for the 'out.php' script to trigger the condition; alternatively the attacker may pass a non-numeric 'roomid' URI parameter to the Webchat module. Under some circumstances either request will trigger an exception, causing Webchat to display an error message containing the path to an internal PHP include file embedded in the source of the error.

An attacker may use the information gathered in this manner to aid in further attacks launched against the host.

This weakness was reported to affect Webchat version 2.0; other versions may also be affected.

18. Webfroot Shoutbox Expanded.PHP Remote Directory Traversal Vulnerability
BugTraq ID: 7775
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7775
Summary:
Webfroot Shoutbox is a web application designed to allow web site visitors a chance to leave messages. It is implemented in PHP and is available for the Unix, Linux, and Microsoft Windows platforms.

A problem in Shoutbox may result in traversal attacks. The vulnerability exists due to insufficient sanitization of user-supplied values to the expanded.php script, and could allow the viewing of potentially sensitive files by attackers. An attacker can exploit this vulnerability by manipulating the value of the 'conf' URI parameter submitted to the expanded.php script to obtain any files readable by the web server.

Information obtained in this manner may allow an attacker to launch further, potentially destructive attacks against a vulnerable system.

This vulnerability was reported to affect Webfroot Shoutbox 2.32 and earlier.

19. WebChat Users.PHP Database Username Disclosure Weakness
BugTraq ID: 7777
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7777
Summary:
WebChat is a web based chat module designed for use with PHP-Nuke.

WebChat has been reported prone to a database username disclosure weakness. The issue presents itself when a malicious request is made for the WebChat 'users.php' page. An attacker may pass a guessed username as the 'username' URI parameter to the affected page. Although unconfirmed, it is likely that this action will return some indication of whether the submitted username exists or not. An attacker may exploit this weakness to enumerate database passwords.

An attacker may use the information gathered in this manner to aid in further attacks launched against the host.

This weakness was reported to affect Webchat version 2.0; other versions may also be affected.

20. WebChat Users.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 7779
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7779
Summary:
WebChat is a web based chat module designed for use with PHP-Nuke.

WebChat has been reported prone to a cross-site scripting vulnerability. WebChat does not adequately filter script code from URI parameters, making it prone to cross-site scripting attacks. Attacker-supplied script code may be included in a malicious link to the WebChat 'users.php' script. The code contained in the 'username' URI parameter may be executed in the browser of the web user who visits the link. Code will be executed in the security context of the system running the WebChat module.

This may enable a remote attacker to steal cookie-based authentication credentials from legitimate users. Other attacks are also possible.

This vulnerability was reported to affect WebChat version 2.0; other versions may also be affected.

23. Sun Management Center Change Manager PamVerifier Buffer Overflow Vulnerability
BugTraq ID: 7781
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7781
Summary:
Sun Management Center Change Manager is a software package available for the Sun Solaris operating system. It is distributed and maintained by Sun.

A problem with Sun Management Center Change Manager may give a remote user unauthorized access to the system. It has been reported that Sun Management Center (SunMC) Change Manager is vulnerable to a remote boundary condition error. Because of this, it may be possible for an attacker to gain administrative access to a system remotely.

The problem is in the pamverifier program. A buffer overrun in this program can result in the execution of code with the privileges of the administrative user. Because of this, an attacker could exploit this issue to compromise the administrative integrity of a vulnerable system.

It should be noted that SunMC Change Manager is an add-on component of SunMC, and is not installed with SunMC or on Solaris by default.

24. SPChat Module Remote File Include Vulnerability
BugTraq ID: 7780
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7780
Summary:
SPChat is a web based chat module designed for use with PHP-Nuke.

SPChat has been reported prone to a remote file include vulnerability. The issue presents itself due to insufficient sanitization performed on the user-supplied URI variable 'statussess' by the SPChat module. An attacker may exploit this by supplying a path to a maliciously created file, located on an attacker-controlled host, as a value for the 'statussess' URI parameter. If the remote file is a malicious script, this may allow for execution of attacker-supplied code in the context of the affected SPChat module.

This vulnerability was reported to affect SPChat version 0.8; other versions may also be affected.

25. Cafelog b2 B2Functions Script B2INC Variable Include Vulnerability
BugTraq ID: 7782
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7782
Summary:
CafeLog b2 WebLog Tool allows users to generate news pages and weblogs dynamically. It is implemented in PHP and is available for the Unix, Linux, and Microsoft Windows platforms.

A remote file include vulnerability has been reported in Cafelog b2. Due to insufficient sanitization of user-supplied values by the b2functions.php script, it is possible for a remote attacker to influence the location of included files. An attacker may exploit this by supplying a path to a maliciously created file, located on an attacker-controlled host, as a value for the '$b2inc' parameter. If the remote file is a malicious PHP script, this may allow for execution of attacker-supplied PHP code with the privileges of the web server. Successful exploitation may provide local access to the attacker.

This vulnerability was reported for Cafelog 0.6.1.

26. CafeLog b2 Blog.Header Script SQL Injection Vulnerability
BugTraq ID: 7783
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7783
Summary:
Cafelog b2 WebLog Tool allows users to generate news pages and weblogs dynamically. It is implemented in PHP and is available for the Unix, Linux, and Microsoft Windows platforms.

The Cafelog b2 tool does not properly sanitize user input sent to the blog.header.php script. Because of this, it is possible for an attacker to pass malicious SQL code to the underlying database. The problem is in the checking of the $posts variable of the script. SQL code may be inserted into the variable, and will in turn be executed by the database server. Requests could include adding, deleting, and modifying data. Additionally, this may allow a remote attacker to exploit vulnerabilities that exist in the underlying database.

27. Wordpress Posts SQL Injection Vulnerability
BugTraq ID: 7784
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7784
Summary:
Wordpress allows users to generate news pages and weblogs dynamically. It uses PHP and a MySQL database to generate dynamic pages.

Wordpress has been reported prone to an SQL injection vulnerability. Wordpress does not properly sanitize user input that is passed to the 'posts' variable. Specifically, data contained in the 'posts' variable is not converted to an integer before it is passed to an SQL query. An attacker may exploit this vulnerability to insert SQL code into requests and have the SQL code executed by the underlying database server. These requests could include adding, deleting, and modifying data. Additionally, this may allow a remote attacker to exploit vulnerabilities that exist in the underlying database.

It should be noted that although this vulnerability has been reported to affect Wordpress version 0.7, other versions might also be affected.

28. Cafelog b2 B2MenuTop Script B2INC Variable Include Vulnerability
BugTraq ID: 7786
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7786
Summary:
CafeLog b2 allows users to generate news pages and weblogs dynamically. It is implemented in PHP and is available for the Unix, Linux, and Microsoft Windows platforms.

A remote file include vulnerability has been reported in Cafelog b2. Due to insufficient sanitization of user-supplied values in the b2menutop.php script, it is possible for a remote attacker to influence the location of included files. An attacker may exploit this by supplying a path to a maliciously created file, located on an attacker-controlled host, as a value for the '$b2inc' parameter. If the remote file is a malicious PHP script, this may allow for execution of attacker-supplied PHP code with the privileges of the web server. Successful exploitation may provide local access to the attacker.

This vulnerability was reported for Cafelog 0.6.2.

29. Wordpress Remote PHP File Include Vulnerability
BugTraq ID: 7785
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7785
Summary:
Wordpress allows users to generate news pages and weblogs dynamically. It uses PHP and a MySQL database to generate dynamic pages.

A vulnerability has been reported for Wordpress. The problem is said to occur due to insufficient sanitization of user-supplied URI parameters. Specifically, the '$abspath' variable, which is used as an argument to the PHP require() function, is not sufficiently sanitized of malicious input. As a result, an attacker may be capable of including a malicious 'blog.header.php' from a controlled web server. This may result in the execution of PHP commands located within the script.

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary PHP commands on a target server, with the privileges of Wordpress.
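For entry 1 above (the cPanel Formail-clone local-domain bypass), an added Python example that is not cPanel's or SecurityFocus's code: it contrasts a naive substring-style domain check, which a parenthesised comment in the address defeats, with a hardened check that strips RFC 822 comments before comparing the domain exactly. The local domain and all addresses are constructed for the example; the naive check is an illustrative approximation of the "lack of input sanitization" the advisory describes, not the real implementation.

```python
import re

# Constructed local domain for the example (assumption, not from the advisory).
LOCAL_DOMAIN = "shop.example"

# Matches one innermost parenthesised comment, e.g. "(shop.example)".
COMMENT_RE = re.compile(r"\([^()]*\)")


def strip_comments(address: str) -> str:
    """Remove RFC 822 style parenthesised comments, including nested ones.

    This mirrors what sendmail does before delivery, so the check must see
    the same address the MTA will actually deliver to.
    """
    prev = None
    while prev != address:          # loop until no comment is left
        prev = address
        address = COMMENT_RE.sub("", address)
    return address.strip()


def naive_is_local(address: str) -> bool:
    """Weak check: looks for the local domain anywhere in the raw string.

    'victim@spam-target.(shop.example)example' passes this test even though
    sendmail will strip the comment and deliver to spam-target.example.
    """
    return LOCAL_DOMAIN in address


def is_local_recipient(address: str) -> bool:
    """Hardened check: normalise first, then compare the domain part exactly."""
    addr = strip_comments(address)
    if addr.count("@") != 1:
        return False                # no '@', or a second '@' smuggled in
    local, domain = addr.split("@")
    if not local or not domain:
        return False
    # Reject anything that could still be reinterpreted by the MTA:
    # whitespace, leftover parentheses, angle brackets, list separators.
    if any(c in addr for c in " \t\r\n()<>,;"):
        return False
    return domain.lower() == LOCAL_DOMAIN


def check(address: str) -> tuple:
    """Return (naive verdict, hardened verdict) for one recipient value."""
    return naive_is_local(address), is_local_recipient(address)


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, one relaying attempt.
    for sample in ("orders@shop.example",
                   "victim@spam-target.(shop.example)example"):
        print(sample, "->", check(sample))
```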
Jun 9th 2003 (SF) pt 2/2
SecurityFocus
30. Pi3Web SortName Buffer Overflow Vulnerability
BugTraq ID: 7787
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7787
Summary:
Pi3Web is a free, multi platform, configurable HTTP server and development environment. It is available for Unix/Linux variants and Microsoft Windows operating systems.

Pi3Web is prone to a buffer overflow vulnerability. This is due to insufficient bounds checking of URI parameters. It is possible to trigger this condition by specifying a 'SortName' URI parameter of excessive length. Excess data will overrun adjacent regions of memory. This condition could be exploited to cause a denial of service or possibly to execute malicious instructions in the context of the server.

This issue was reported for Pi3Web 2.0.2 Beta 1 on Windows platforms. It was originally believed that this condition only existed with certain indexing configurations, but additional reports indicate that this is not the case.

33. Multiple Vendor kon2 Local Buffer Overflow Vulnerability
BugTraq ID: 7790
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7790
Summary:
kon2 is a Kanji emulator for the Linux console.

A buffer overflow vulnerability has been reported for the kon2 utility shipped with various Linux distributions. Exploitation of this vulnerability may result in a local attacker obtaining elevated privileges on a vulnerable system. The vulnerability exists due to insufficient bounds checking performed on some command-line options passed to the vulnerable utility. A local attacker can exploit this vulnerability by invoking kon2 with overly long command-line options. This will trigger the overflow condition and may result in an attacker obtaining root privileges.

This vulnerability was reported for kon2 0.3.9b and earlier.

35. Red Hat Linux TTY Layer Kernel Panic Denial Of Service Vulnerability
BugTraq ID: 7791
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7791
Summary:
The TTY layer is used to process input and output supplied to and from the console.

A vulnerability has been reported in the TTY layer that may result in a kernel panic. The precise technical details of this vulnerability are currently unknown. This BID will be updated as further information is available.

36. Red Hat Linux Kernel MXCSR Handler Unspecified Vulnerability
BugTraq ID: 7793
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7793
Summary:
The Intel MXCSR register contains control/status information for the SSE registers.

The Red Hat Linux Kernel MXCSR handler code has been reported prone to an unspecified vulnerability. The issue presents itself when low-level MXCSR kernel code encounters a malformed address. It has been reported that the MXCSR code fails to sufficiently handle malformed address data and will leave garbage in the CPU state registers. Although speculative, it has been conjectured that this issue may allow an attacker to corrupt CPU state registers and trigger a denial of service condition if the kernel relies on current register contents. Although unconfirmed, other attacks may also be possible.

It should be noted that this vulnerability will only affect systems running on the Intel architectures. This BID will be updated as further technical details are released.

37. Red Hat Linux EXT3 Filesystem Data Corruption Vulnerability
BugTraq ID: 7795
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7795
Summary:
A potential data corruption vulnerability has been identified in the Red Hat Linux kernel. The potential issue may be exploitable under very restrictive circumstances.

In an ext3 file-system environment where the system is processing heavy, complex memory-mapped file I/O loads, if the mapped writes are to a partial page at the end of a file, a file may be simultaneously unlinked and the corresponding mapped file blocks reallocated. This action may potentially cause the corruption of arbitrary files.

If an attacker can recreate the necessary environment, it may be possible to create a condition where arbitrary files are corrupted.

38. Sun Solaris Telnet Daemon Remote Denial Of Service Vulnerability
BugTraq ID: 7794
Remote: Yes
Date Published: Jun 03 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7794
Summary:
Solaris is the UNIX variant operating system distributed and maintained by Sun Microsystems.

A problem with Solaris may make it possible for a remote user to deny service to legitimate users of the system. It has been reported that a vulnerability exists in the telnet daemon of Solaris systems. An attacker may be able to exploit this issue to consume system resources, making the system unusable by legitimate users.

Specific technical details of the vulnerability are not known. However, it is known that the vulnerable daemon can be forced into a loop in execution. When the daemon enters the loop, considerable resources are consumed by the process. Multiple instances of the software entering a loop can cause excessive consumption of system resources, leading to denial of service.

40. Linux Kernel Fragment Reassembly Remote Denial Of Service Vulnerability
BugTraq ID: 7797
Remote: Yes
Date Published: Jun 03 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7797
Summary:
The Linux kernel is the core of all Linux operating systems. It is community-maintained.

A problem in the kernel network code could make a remote denial of service possible. It has been reported that the Linux kernel does not properly handle some specific types of network traffic. Because of this, an attacker may be able to cause excessive consumption of resources with malicious TCP/IP packets, resulting in a denial of service.

The problem is in the handling of packet reassembly. By sending maliciously crafted packet fragments to a system using the vulnerable kernel, it would be possible to consume an excessive amount of resources during the packet reassembly phase. This could cause the system to become unstable.

This vulnerability has been reported to be similar to the issue described in BugTraq ID 7601.
Jun 09th 2003 (ISS)
Internet Security Systems
Date Reported: 05/29/2003
Brief Description: P-Synch multiple script path disclosure
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, P-Synch Any version, Unix Any version, Windows Any version
Vulnerability: psynch-multiple-path-disclosure
X-Force URL: http://www.iss.net/security_center/static/12125.php

Date Reported: 05/29/2003
Brief Description: P-Synch nph-psf.exe and nph-psa.exe script injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, P-Synch Any version, Unix Any version, Windows Any version
Vulnerability: psynch-multiple-script-injection
X-Force URL: http://www.iss.net/security_center/static/12126.php

Date Reported: 05/29/2003
Brief Description: P-Synch could allow an attacker to include PHP files
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, P-Synch Any version, Unix Any version, Windows Any version
Vulnerability: psynch-file-include
X-Force URL: http://www.iss.net/security_center/static/12127.php

Date Reported: 05/27/2003
Brief Description: UpClient -p command line buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: FreeBSD Any version, UpClient 5.0b7
Vulnerability: upclient-command-line-bo
X-Force URL: http://www.iss.net/security_center/static/12131.php

Date Reported: 05/30/2003
Brief Description: SunMC Change Manager pamverifier program buffer overflow
Risk Factor: High
Attack Type: Host Based / Network Based
Platforms: Solaris 8, Solaris 9, SunMC Change Manager 1.0
Vulnerability: sunmc-pamverifier-bo
X-Force URL: http://www.iss.net/security_center/static/12132.php

Date Reported: 05/30/2003
Brief Description: JBoss ServerInfo.jsp source code disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: JBoss 3.2.1 with jetty, Linux Any version, Unix Any version, Windows Any version
Vulnerability: jboss-jsp-source-disclosure
X-Force URL: http://www.iss.net/security_center/static/12133.php

Date Reported: 06/02/2003
Brief Description: Sun Solaris in.telnetd(1M) process denial of service
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms: Solaris 2.6, Solaris 7, Solaris 8, Solaris 9
Vulnerability: sun-intelnetd-dos
X-Force URL: http://www.iss.net/security_center/static/12140.php

Date Reported: 05/30/2003
Brief Description: SPChat modules.php cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, SPChat 0.8.0, Unix Any version, Windows Any version
Vulnerability: spchat-modules-xss
X-Force URL: http://www.iss.net/security_center/static/12141.php

Date Reported: 05/31/2003
Brief Description: PHPWebChat users.php path disclosure
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, PHPWebChat 2.0, Unix Any version, Windows Any version
Vulnerability: phpwebchat-users-path-disclosure
X-Force URL: http://www.iss.net/security_center/static/12142.php

Date Reported: 06/03/2003
Brief Description: KON command-line buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: KON 0.3.9b and earlier, Mandrake Linux 8.2, Mandrake Linux 9.0, Mandrake Linux 9.1, Mandrake Linux Corporate Server 2.1, Red Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux 7.3, Red Hat Linux 8.0, Red Hat Linux 9
Vulnerability: kon-command-line-bo
X-Force URL: http://www.iss.net/security_center/static/12143.php

Date Reported: 05/31/2003
Brief Description: PHPWebChat multiple scripts path disclosure
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, PHPWebChat 2.0, Unix Any version, Windows Any version
Vulnerability: phpwebchat-multiple-path-disclosure
X-Force URL: http://www.iss.net/security_center/static/12144.php

Date Reported: 05/31/2003
Brief Description: PHPWebChat users.php cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, PHPWebChat 2.0, Unix Any version, Windows Any version
Vulnerability: phpwebchat-users-xss
X-Force URL: http://www.iss.net/security_center/static/12145.php

Date Reported: 05/27/2003
Brief Description: Newsscript administrative account creation
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Newsscript 1.0, Unix Any version, Windows Any version
Vulnerability: newsscript-admin-account-creation
X-Force URL: http://www.iss.net/security_center/static/12147.php

Date Reported: 06/03/2003
Brief Description: Linux kernel TTY denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Debian Linux 3.0, Linux kernel Any version, Red Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux 7.3, Red Hat Linux 8.0, Red Hat Linux 9
Vulnerability: linux-kernel-tty-dos
X-Force URL: http://www.iss.net/security_center/static/12158.php

Date Reported: 06/03/2003
Brief Description: Linux kernel mxcsr routine denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Debian Linux 3.0, Linux kernel Any version, Red Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux 7.3, Red Hat Linux 8.0, Red Hat Linux 9
Vulnerability: linux-kernel-mxcsr-dos
X-Force URL: http://www.iss.net/security_center/static/12159.php

Date Reported: 06/03/2003
Brief Description: Linux kernel hash table collision packets denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Debian Linux 3.0, Linux kernel Any version, Red Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux 7.3, Red Hat Linux 8.0, Red Hat Linux 9
Vulnerability: linux-kernel-packets-dos
X-Force URL: http://www.iss.net/security_center/static/12160.php

Date Reported: 06/01/2003
Brief Description: mod_gzip HTTP GET request buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: mod_gzip 1.3.26.1a - earlier, Windows Any version
Vulnerability: mod-gzip-request-bo
X-Force URL: http://www.iss.net/security_center/static/12161.php

Date Reported: 06/01/2003
Brief Description: mod_gzip format string
Risk Factor: Low
Attack Type: Network Based
Platforms: mod_gzip 1.3.26.1a - earlier, Windows Any version
Vulnerability: mod-gzip-format-string
X-Force URL: http://www.iss.net/security_center/static/12163.php

Date Reported: 06/01/2003
Brief Description: mod_gzip race condition
Risk Factor: Medium
Attack Type: Host Based
Platforms: mod_gzip 1.3.26.1a - earlier, Windows Any version
Vulnerability: mod-gzip-race-condition
X-Force URL: http://www.iss.net/security_center/static/12164.php

Date Reported: 06/02/2003
Brief Description: Pi3Web Server ?SortName buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms: pi3Web 2.0.2 Beta 1, Unix Any version, Windows Any version
Vulnerability: pi3web-sortname-bo
X-Force URL: http://www.iss.net/security_center/static/12167.php

Date Reported: 06/02/2003
Brief Description: b2 b2functions.php could allow an attacker to include PHP files
Risk Factor: Medium
Attack Type: Network Based
Platforms: b2 0.6.1, Linux Any version, Unix Any version, Windows Any version
Vulnerability: b2-b2functions-file-include
X-Force URL: http://www.iss.net/security_center/static/12170.php

Date Reported: 05/29/2003
Brief Description: b2 blogger-2-b2.php and gm-2-b2.php scripts in b2-tools directory could allow an attacker to include PHP files
Risk Factor: Medium
Attack Type: Network Based
Platforms: b2 0.6.1, Linux Any version, Unix Any version, Windows Any version
Vulnerability: b2-b2toolsdirectory-file-include
X-Force URL: http://www.iss.net/security_center/static/12173.php

Date Reported: 06/02/2003
Brief Description: b2 ./blog.header.php script SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: b2 0.6.2 and earlier, Linux Any version, Unix Any version, Windows Any version
Vulnerability: b2-blogheader-sql-injection
X-Force URL: http://www.iss.net/security_center/static/12175.php

Date Reported: 06/02/2003
Brief Description: b2 b2menutop.php could allow an attacker to include files
Risk Factor: Medium
Attack Type: Network Based
Platforms: b2 0.6.2 and earlier, Linux Any version, Unix Any version, Windows Any version
Vulnerability: b2-b2menutop-file-include
X-Force URL: http://www.iss.net/security_center/static/12176.php

Date Reported: 06/03/2003
Brief Description: man catalog file format string
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, man 1.5l
Vulnerability: man-catalog-format-string
X-Force URL: http://www.iss.net/security_center/static/12182.php

Date Reported: 05/26/2003
Brief Description: PostNuke modules.php script denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, PostNuke Phoenix 0.7.2.3 and earlier, Unix Any version, Windows Any version
Vulnerability: postnuke-modules-dos
X-Force URL: http://www.iss.net/security_center/static/12185.php

Date Reported: 05/26/2003
Brief Description: PostNuke Glossary SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, PostNuke Phoenix 0.7.2.3 and earlier, Unix Any version, Windows Any version
Vulnerability: postnuke-glossary-sql-injection
X-Force URL: http://www.iss.net/security_center/static/12186.php

Date Reported: 05/26/2003
Brief Description: PostNuke multiple modules in modules.php script path disclosure
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, PostNuke Phoenix 0.7.2.3 and earlier, Unix Any version, Windows Any version
Vulnerability: postnuke-multiple-path-disclosure
X-Force URL: http://www.iss.net/security_center/static/12188.php

Date Reported: 06/04/2003
Brief Description: Sun JRE/SDK untrusted Applet could access information
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, Sun JRE 1.2.2_012 - earlier, Sun JRE 1.3.0_05 and earlier, Sun JRE 1.3.1_04 and earlier, Sun JRE 1.4.0_01 and earlier, Sun SDK 1.2.2_012 and prior, Sun SDK 1.3.0_05 and earlier, Sun SDK 1.3.1_04 and earlier, Sun SDK 1.4.0_01 and earlier, Windows Any version
Vulnerability: sun-applet-access-information
X-Force URL: http://www.iss.net/security_center/static/12189.php

Date Reported: 05/26/2003
Brief Description: D-Link administrative Web page denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: D-Link DI704P Any version
Vulnerability: dlink-administrative-page-dos
X-Force URL: http://www.iss.net/security_center/static/12191.php

Date Reported: 06/04/2003
Brief Description: atftpd long file name buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms: atftp Any version, Debian Linux 3.0
Vulnerability: atftpd-long-filename-bo
X-Force URL: http://www.iss.net/security_center/static/12192.php

Date Reported: 06/04/2003
Brief Description: Sun Solaris syslogd buffer overflow
Risk Factor: Medium
Attack Type: Network Based
Platforms: Solaris 8
Vulnerability: sun-syslogd-bo
X-Force URL: http://www.iss.net/security_center/static/12194.php

Date Reported: 06/04/2003
Brief Description: OpenSSH could allow an attacker to bypass login restrictions
Risk Factor: Medium
Attack Type: Network Based
Platforms: OpenSSH 3.6.1p1 and earlier
Vulnerability: openssh-login-restrictions-bypass
X-Force URL: http://www.iss.net/security_center/static/12196.php

Date Reported: 06/04/2003
Brief Description: ImageFolio admin.cgi script directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: ImageFolio 3.1 and earlier, Unix Any version
Vulnerability: imagefolio-admin-directory-traversal
X-Force URL: http://www.iss.net/security_center/static/12197.php

Date Reported: 05/27/2003
Brief Description: Eterm path_env variable buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Debian Linux 3.0, Eterm 0.9.1, Eterm 0.9.2, Linux Any version, Unix Any version
Vulnerability: eterm-pathenv-bo
X-Force URL: http://www.iss.net/security_center/static/12198.php

Date Reported: 06/05/2003
Brief Description: Debian Linux XaoS allows an attacker to gain privileges
Risk Factor: High
Attack Type: Host Based
Platforms: Debian Linux 2.2, Debian Linux 3.0, XaoS 3.0-23 and earlier
Vulnerability: xaos-gain-privileges
X-Force URL: http://www.iss.net/security_center/static/12201.php

Date Reported: 06/05/2003
Brief Description: zblast buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, zblast 1.2
Vulnerability: zblast-bo
X-Force URL: http://www.iss.net/security_center/static/12202.php

Date Reported: 06/02/2003
Brief Description: WordPress blog.header.php SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Windows Any version, WordPress 0.7
Vulnerability: wordpress-blogheader-sql-injection
X-Force URL: http://www.iss.net/security_center/static/12204.php

Date Reported: 06/02/2003
Brief Description: WordPress links.all.php could allow an attacker to include PHP files
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Windows Any version, WordPress 0.7
Vulnerability: wordpress-linksall-file-include
X-Force URL: http://www.iss.net/security_center/static/12205.php

Date Reported: 06/01/2003
Brief Description: Apache Tomcat /opt/tomcat directory insecure permissions
Risk Factor: Low
Attack Type: Host Based
Platforms: Gentoo Linux Any version, Tomcat prior to 4.1.24, Unix Any version, Windows Any version
Vulnerability: tomcat-directory-insecure-permissions
X-Force URL: http://www.iss.net/security_center/static/12206.php