SecurityFocus
1. cPanel/Formail-Clone E-Mail Restriction Bypass Vulnerability
BugTraq ID: 7758
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7758
Summary:
cPanel is a multi-platform web hosting control panel that allows a user to
manage their hosted account through a web-based interface.
cPanel includes a Formmail-clone script.
It has been reported that cPanel is prone to an issue where a remote
attacker may bypass cPanel Formail-clone local domain checks and have
untrusted e-mail delivered in the context of the vulnerable host.
The issue is reportedly due to a lack of input sanitization performed on
the cPanel recipient field, used by the cPanel Formmail-clone.
Reportedly, an attacker can append a reference to the local domain in
parentheses, e.g. 'recipient@example.(localdomain)com', to an e-mail
address passed to cPanel. When the cPanel mailer invokes sendmail to
handle this address, sendmail strips out the parentheses and the data they
contain and sends the e-mail to the attacker-supplied address.
This issue may be exploited by an attacker to use the vulnerable host as
an open relay.
3. Linux /bin/mail Carbon Copy Field Buffer Overrun Vulnerability
BugTraq ID: 7760
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7760
Summary:
The /bin/mail utility is a mail processing system which can be used to
send and receive e-mail messages. It is available for the Unix and Linux
operating systems.
A vulnerability has been discovered in /bin/mail on the Linux operating
system. The problem occurs when processing the 'CC:' field within an
e-mail message. Due to insufficient bounds checking, handling
approximately 8824 bytes of data will trigger a buffer overrun.
Successful exploitation of this issue could allow an attacker to execute
arbitrary commands with the privileges of /bin/mail. It should be noted
that local exploitation of this vulnerability may be inconsequential.
However, a malicious e-mail message processed by the vulnerable utility,
or a remote CGI interface, may each be a sufficient conduit for remote
exploitation.
4. PHP-Nuke User/Admin Cookie SQL Injection Vulnerability
BugTraq ID: 7762
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7762
Summary:
PHP-Nuke is a popular web based Portal system. It allows users to create
accounts and contribute content to the site.
PHP-Nuke is reported to be prone to SQL injection attacks during
authentication. This is due to insufficient sanitization of cookie values,
which will be used in database queries. This could permit an attacker to
inject SQL code.
It has been demonstrated that this vulnerability may allow a remote
attacker to modify query logic and disclose administrator and user
password hashes through a sequential brute force method. Although
unconfirmed, it may also be possible, depending on the database
implementation and other factors, to launch attacks against the database.
This may result in the disclosure of sensitive information.
Having the Web_Links module installed and one link active is a
prerequisite for exploitation of the admin password hash recovery issue.
It should be noted that although this vulnerability has been reported to
affect PHP-Nuke versions 5.6 and 6.5, all other versions may potentially be
affected.
6. PHP Transparent Session ID Cross Site Scripting Vulnerability
BugTraq ID: 7761
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7761
Summary:
PHP is a freely available, open source web scripting language package. It
is available for Microsoft Windows, Linux, and Unix operating systems.
PHP contains an option known as transparent session IDs. This feature
allows session IDs to be embedded with a URL.
A cross-site scripting vulnerability has been discovered in PHP version
4.3.1 and earlier. The problem occurs when the 'session.use_trans_sid'
global parameter has been enabled.
Due to insufficient sanitization of the PHPSESSID URI parameter, it is
possible for an attacker to embed malicious script code within a link. By
embedding malicious code in such a way that an HTML tag will be
prematurely terminated, it may be possible to execute arbitrary script
code.
Successful exploitation of this issue would allow an attacker to execute
arbitrary script code in a victim's browser within the context of the
visited website. This may allow for the theft of sensitive information,
such as session IDs, or possibly other attacks.
It should be noted that PHP versions prior to release 4.2.0 do not support
transparent session IDs by default. Support must be specified during
initial compilation.
7. JBoss Null Byte Request JSP Source Disclosure Vulnerability
BugTraq ID: 7764
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7764
Summary:
JBoss is a freely available, open source Java Application server. It is
distributed and maintained by JBoss Group.
A problem in the software may make it possible to gain unauthorized access
to potentially sensitive information.
A problem has been reported in the handling of unexpected characters by
the JBoss program. Because of this, an attacker may gain access to
potentially sensitive information.
The problem is in the input of null characters with some requests. By
placing a valid request, and appending a null byte to the end of the
request, it is possible to see the source of the Java Server Page (JSP)
requested from JBoss. This could yield potentially sensitive information
such as passwords.
It should be noted that this problem occurs when JBoss is used with Jetty.
It is not known what effect this problem has on JBoss with other servers.
11. Apache Tomcat Insecure Directory Permissions Vulnerability
BugTraq ID: 7768
Remote: No
Date Published: Jun 01 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7768
Summary:
Tomcat is a web server and JSP/Servlet container that is developed by
Apache as part of the Jakarta project.
Apache Tomcat may be installed with world-readable permissions for the
/opt/tomcat/ directory. Files in this directory may contain sensitive
information, such as authentication credentials. Local users may
potentially gain unauthorized access to these files as a result.
This issue was reported for Apache Tomcat versions prior to 4.1.24 on
Gentoo Linux. It is not known if other distributions are similarly
affected.
12. Multiple Mod_Gzip Debug Mode Vulnerabilities
BugTraq ID: 7769
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7769
Summary:
Mod_gzip is an Apache web server module that compresses web content before
sending it to the client. Mod_gzip is not a standard module for Apache.
Multiple vulnerabilities were reported in Mod_gzip. The following issues
exist when the software is run in debug mode:
Insufficient bounds checking of request data may lead to a stack overflow.
If a remote user passes an excessive request for a file type (such as
gzip) handled by the module, it may be possible to corrupt stack variables
with specific values. This could lead to execution of malicious
attacker-supplied instructions.
Mod_gzip is prone to a format string vulnerability when Apache logging
facilities are used. This is due to missing format specifiers in the code
responsible for logging requests for file types handled by the module.
Exploitation could permit a remote attacker to overwrite arbitrary
locations in memory with malicious data, potentially allowing for code
execution.
Mod_gzip logs debugging information in files using predictable names.
The following naming scheme is used when log files are created:
/tmp/t<PID>.log
By anticipating the value of the process ID, a local attacker could launch
symlink attacks against other system files. It has been reported that
some debugging information is logged as the superuser. This could allow
for corruption of arbitrary files. If these files can be corrupted with
custom data, then it will be possible to gain elevated privileges.
Exploitation of these issues could result in execution of malicious
instructions or corruption of critical or sensitive files.
This record will be divided into multiple BIDs when further analysis of
these issues is complete.
13. Webfroot Shoutbox Expanded.PHP Remote Command Execution Vulnerability
BugTraq ID: 7772
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7772
Summary:
Webfroot Shoutbox is a web application designed to allow web site visitors
a chance to leave messages. It is implemented in PHP and is available for
the Unix, Linux, and Microsoft Windows platforms.
Shoutbox is prone to an issue that may result in the execution of
attacker-supplied code. The vulnerability exists due to insufficient
sanitization of input into the expanded.php script.
An attacker can exploit this vulnerability to insert malicious PHP code
into the web server logs which can then be executed by the PHP interpreter
when the logs are requested. This will allow an attacker to execute
arbitrary commands on a vulnerable system in the context of the web
server.
This vulnerability was reported to affect Webfroot Shoutbox 2.32 and
earlier.
15. myServer HTTP GET Argument Buffer Overflow Vulnerability
BugTraq ID: 7770
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7770
Summary:
myServer is an application and web server for Microsoft Windows and Linux
operating systems.
myServer has been reported prone to a remote buffer overflow
vulnerability. The vulnerability exists when the web server attempts to
process HTTP requests of excessive length. Specifically, when the web
server processes an argument passed to a malicious HTTP GET request that
consists of more than 4100 bytes, the web server will crash. This will
result in a denial of service condition.
It is possible that this vulnerability may also allow the execution of
arbitrary instructions. Any instructions carried out through this
vulnerability would be with the privileges of the web server process.
However, the possibility of code execution has not been confirmed.
This vulnerability was reported for myServer version 0.4.1. It is likely
that other versions are also affected.
16. XMame Lang Local Buffer Overflow Vulnerability
BugTraq ID: 7773
Remote: No
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7773
Summary:
Xmame is a port of the MAME arcade emulator. It is available for Linux
and Unix systems.
Xmame is prone to a locally exploitable buffer overflow. The issue exists
in the xmame.x11 executable. This is due to insufficient bounds checking
of the command line parameter used to specify language settings (--lang).
By specifying an excessively long language parameter, it is possible to
corrupt stack memory with attacker-supplied values. This could be
exploited to control execution flow and cause execution of malicious
instructions.
Some builds of Xmame require setuid root privileges to operate properly,
particularly those builds with svgalib/xf86_dga support enabled.
Successful exploitation on some systems could result in execution of
arbitrary code with elevated privileges.
17. Webchat Module Path Disclosure Weakness
BugTraq ID: 7774
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7774
Summary:
Webchat is a web based chat module designed for use with PHP-Nuke.
Webchat has been reported prone to a path disclosure weakness.
Reportedly an attacker may make a malicious HTTP request for the 'out.php'
script to trigger the condition; alternatively the attacker may pass a
non-numeric 'roomid' URI parameter to the Webchat module. Under some
circumstances either request will trigger an exception, causing Webchat to
display an error message containing the path to an internal PHP include
file embedded in the source of the error.
An attacker may use the information gathered in this manner to aid in
further attacks launched against the host.
This weakness was reported to affect Webchat version 2.0; other versions
may also be affected.
18. Webfroot Shoutbox Expanded.PHP Remote Directory Traversal Vulnerability
BugTraq ID: 7775
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7775
Summary:
Webfroot Shoutbox is a web application designed to allow web site visitors
a chance to leave messages. It is implemented in PHP and is available for
the Unix, Linux, and Microsoft Windows platforms.
A problem in Shoutbox may result in traversal attacks. The vulnerability
exists due to insufficient sanitization of user-supplied values to the
expanded.php script, and could allow the viewing of potentially sensitive
files by attackers.
An attacker can exploit this vulnerability by manipulating the value of
the 'conf' URI parameter submitted to the expanded.php script to obtain
any files readable by the web server.
Information obtained in this manner may allow an attacker to launch
further, potentially destructive attacks against a vulnerable system.
This vulnerability was reported to affect Webfroot Shoutbox 2.32 and
earlier.
19. WebChat Users.PHP Database Username Disclosure Weakness
BugTraq ID: 7777
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7777
Summary:
WebChat is a web based chat module designed for use with PHP-Nuke.
WebChat has been reported prone to a database username disclosure
weakness.
The issue presents itself when a malicious request is made for the WebChat
'users.php' page. An attacker may pass a guessed username as the
'username' URI parameter to the affected page. Although unconfirmed, it is
likely that this action will return some indication of whether the
submitted username exists or not. An attacker may exploit this weakness to
enumerate database passwords.
An attacker may use the information gathered in this manner to aid in
further attacks launched against the host.
This weakness was reported to affect Webchat version 2.0; other versions
may also be affected.
20. WebChat Users.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 7779
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7779
Summary:
WebChat is a web based chat module designed for use with PHP-Nuke.
WebChat has been reported prone to a cross-site scripting vulnerability.
WebChat does not adequately filter script code from URI parameters, making
it prone to cross-site scripting attacks. Attacker-supplied script code
may be included in a malicious link to the WebChat 'users.php' script. The
code contained in the 'username' URI parameter may be executed in the
browser of the web user who visits the link. Code will be executed in the
security context of the system running the WebChat Module.
This may enable a remote attacker to steal cookie-based authentication
credentials from legitimate users. Other attacks are also possible.
This vulnerability was reported to affect WebChat version 2.0; other
versions may also be affected.
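The PHP transparent session ID issue (BID 7761) and the WebChat 'username' issue above share one root cause: request data is written back into HTML without encoding, so a crafted value can terminate the tag it lands in. The following is an added example, not code from PHP or from WebChat, showing an unsafe echo of a 'username' parameter next to its encoded form, plus the session settings that stop PHP from placing session IDs in URLs at all. The function names and the sample input are assumptions made for this example.

```php
<?php
// Added example (not code from PHP itself or from WebChat): reflected request
// data in an HTML attribute, unsafe and hardened, and the session.ini settings
// that disable transparent session IDs. Function names are assumptions.

declare(strict_types=1);

// Unsafe: the raw parameter is concatenated into the page. A value beginning
// with "> closes the attribute and the tag early, and whatever follows is
// parsed as new markup.
function render_unsafe(string $username): string
{
    return '<input name="username" value="' . $username . '">';
}

// Hardened: htmlspecialchars() with ENT_QUOTES and an explicit charset turns
// <, >, ", ' and & into entities, so the value cannot end the attribute or
// the tag. Encode at output time, for the context the value lands in
// (an HTML attribute here).
function render_safe(string $username): string
{
    $encoded = htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="username" value="' . $encoded . '">';
}

// Session hardening: never embed the session ID in URLs (the transparent
// session ID feature) and accept it only from the cookie, so a link cannot
// carry an attacker-chosen PHPSESSID value into the page.
function harden_session_ini(): void
{
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');
}

// Constructed sample input of the shape the advisories describe: a value that
// closes the attribute and opens a script tag.
$hostile = '"><script>alert(1)</script>';

// In the unsafe rendering the input tag is closed after value="" and the
// script element follows it as real markup.
echo render_unsafe($hostile), "\n";

// In the hardened rendering the whole value stays inside value="...", with
// the quote and angle brackets turned into entities.
echo render_safe($hostile), "\n";

harden_session_ini();
echo 'use_trans_sid=', ini_get('session.use_trans_sid'),
     ' use_only_cookies=', ini_get('session.use_only_cookies'), "\n";
```

The ini_set() calls take effect for the current request only; in production the same three directives belong in php.ini so that no script can re-enable URL-embedded session IDs.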
23. Sun Management Center Change Manager PamVerifier Buffer Overflow Vulnerability
BugTraq ID: 7781
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7781
Summary:
Sun Management Center Change Manager is a software package available for
the Sun Solaris operating system. It is distributed and maintained by
Sun.
A problem with Sun Management Center Change Manager may give a remote user
unauthorized access to the system.
It has been reported that Sun Management Center (SunMC) Change Manager is
vulnerable to a remote boundary condition error. Because of this, it may
be possible for an attacker to gain administrative access to a system
remotely.
The problem is in the pamverifier program. A buffer overrun in this
program can result in the execution of code with the privileges of the
administrative user. Because of this, an attacker could exploit this
issue to compromise the administrative integrity of a vulnerable system.
It should be noted that SunMC Change Manager is an add-on component of
SunMC, and is not installed with SunMC or on Solaris by default.
24. SPChat Module Remote File Include Vulnerability
BugTraq ID: 7780
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7780
Summary:
SPChat is a web based chat module designed for use with PHP-Nuke.
SPChat has been reported prone to a remote file include vulnerability.
The issue presents itself due to insufficient sanitization performed on
the user-supplied URI variable 'statussess' by the SPChat module. An
attacker may exploit this by supplying a path to a maliciously created
file, located on an attacker-controlled host as a value for the
'statussess' URI parameter.
If the remote file is a malicious script, this may allow for execution of
attacker-supplied code in the context of the affected SPChat module.
This vulnerability was reported to affect SPChat version 0.8; other
versions may also be affected.
25. Cafelog b2 B2Functions Script B2INC Variable Include Vulnerability
BugTraq ID: 7782
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7782
Summary:
CafeLog b2 WebLog Tool allows users to generate news pages and weblogs
dynamically. It is implemented in PHP and is available for the Unix,
Linux, and Microsoft Windows platforms.
A remote file include vulnerability has been reported in Cafelog b2. Due
to insufficient sanitization of user-supplied values by the
b2functions.php script, it is possible for a remote attacker to influence
the location of included files.
An attacker may exploit this by supplying a path to a maliciously created
file, located on an attacker-controlled host as a value for the '$b2inc'
parameter.
If the remote file is a malicious PHP script, this may allow for execution
of attacker-supplied PHP code with the privileges of the web server.
Successful exploitation may provide local access to the attacker.
This vulnerability was reported for Cafelog 0.6.1.
26. CafeLog b2 Blog.Header Script SQL Injection Vulnerability
BugTraq ID: 7783
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7783
Summary:
Cafelog b2 WebLog Tool allows users to generate news pages and weblogs
dynamically. It is implemented in PHP and is available for the Unix,
Linux, and Microsoft Windows platforms.
The Cafelog b2 tool does not properly sanitize user input sent to the
blog.header.php script. Because of this, it is possible for an attacker
to pass malicious SQL code to the underlying database.
The problem is in the checking of the $posts variable of the script.
SQL code may be inserted into the variable, and will in turn be executed
by the database server. Requests could include adding, deleting, and
modifying data. Additionally, this may allow a remote attacker to exploit
vulnerabilities that exist in the underlying database.
27. Wordpress Posts SQL Injection Vulnerability
BugTraq ID: 7784
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7784
Summary:
Wordpress allows users to generate news pages and weblogs dynamically. It
uses PHP and a MySQL database to generate dynamic pages.
Wordpress has been reported prone to an SQL injection vulnerability.
Wordpress does not properly sanitize user input that is passed to the
'posts' variable. Specifically, data contained in the 'posts' variable is
not converted to an integer before it is passed to an SQL query. An
attacker may exploit this vulnerability to insert SQL code into requests
and have the SQL code executed by the underlying database server. These
requests could include adding, deleting, and modifying data. Additionally,
this may allow a remote attacker to exploit vulnerabilities that exist in
the underlying database.
It should be noted that although this vulnerability has been reported to
affect Wordpress version 0.7, other versions might also be affected.
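The Cafelog b2 blog.header.php issue (BID 7783) and the Wordpress 'posts' issue above describe the same defect: a value that should be an integer record ID is placed into a query without being validated or cast. The following is an added example, not code from Wordpress or Cafelog b2, showing that pattern as written in the vulnerable style next to a hardened version that validates the value as an integer and binds it as a typed parameter. The table, column and function names and the SQLite sample data are assumptions made for this example.

```php
<?php
// Added example (not code from Wordpress or Cafelog b2): an integer record ID
// taken straight from the request, unsafe and hardened. The 'posts' table,
// its columns and the function names are assumptions.

declare(strict_types=1);

// Unsafe: the request value is interpolated into the statement unchanged,
// so text such as "1 OR 1=1" becomes part of the WHERE clause.
function load_post_unsafe(PDO $pdo, array $request): array
{
    $posts = $request['posts'] ?? '';
    $sql = "SELECT id, title FROM posts WHERE id = $posts";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value must validate as a positive integer before any SQL is
// built, and it is then bound as a typed parameter of a prepared statement,
// so no request value can change the structure of the query.
function load_post_safe(PDO $pdo, array $request): array
{
    $raw = $request['posts'] ?? null;
    // FILTER_VALIDATE_INT rejects "1 OR 1=1", "1; DROP ...", "" and null.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('posts must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT id, title FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demonstration on an in-memory SQLite database with
// constructed sample rows (not data from either project).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO posts VALUES (1, 'public post'), (2, 'draft, not public')");

$hostile = ['posts' => '1 OR 1=1'];

// The unsafe handler returns both rows: the injected OR widened the WHERE
// clause to every record, including the one that was not meant to be shown.
echo 'unsafe rows: ', count(load_post_unsafe($pdo, $hostile)), "\n";

// The hardened handler refuses the same request before any SQL runs.
try {
    load_post_safe($pdo, $hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// A well-formed request still returns exactly the one matching row.
echo 'safe rows: ', count(load_post_safe($pdo, ['posts' => '2'])), "\n";
```

Casting with (int) alone would also stop the injection for this integer case, but it silently turns "2abc" into 2; validating and rejecting makes malformed input visible in logs instead of quietly accepting it.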
28. Cafelog b2 B2MenuTop Script B2INC Variable Include Vulnerability
BugTraq ID: 7786
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7786
Summary:
CafeLog b2 allows users to generate news pages and weblogs dynamically. It
is implemented in PHP and is available for the Unix, Linux, and Microsoft
Windows platforms.
A remote file include vulnerability has been reported in Cafelog b2. Due
to insufficient sanitization of user-supplied values in the b2menutop.php
script, it is possible for a remote attacker to influence the location of
included files.
An attacker may exploit this by supplying a path to a maliciously created
file, located on an attacker-controlled host as a value for the '$b2inc'
parameter.
If the remote file is a malicious PHP script, this may allow for execution
of attacker-supplied PHP code with the privileges of the web server.
Successful exploitation may provide local access to the attacker.
This vulnerability was reported for Cafelog 0.6.2.
29. Wordpress Remote PHP File Include Vulnerability
BugTraq ID: 7785
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7785
Summary:
Wordpress allows users to generate news pages and weblogs dynamically. It
uses PHP and a MySQL database to generate dynamic pages.
A vulnerability has been reported for Wordpress. The problem is said to
occur due to insufficient sanitization of user-supplied URI parameters.
Specifically the '$abspath' variable, which is used as an argument to the
PHP require() function, is not sufficiently sanitized of malicious input.
As a result, an attacker may be capable of including a malicious
'blog.header.php' from a controlled web server. This may result in the
execution of PHP commands located within the script.
Successful exploitation of this vulnerability would allow an attacker to
execute arbitrary PHP commands on a target server, with the privileges of
Wordpress.
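The SPChat 'statussess', Cafelog b2 '$b2inc' and Wordpress '$abspath' issues above are all the same pattern: an include path is built from a request-controlled variable (the leading '$' in the variable names points to PHP's register_globals, under which any GET, POST or cookie name became a script variable). The following is an added example, not code from any of those projects, showing that pattern in the vulnerable style and a hardened resolver that selects from a fixed allowlist and confirms the resolved path stays inside the intended directory. The function names, the 'theme' parameter, the template file names and the temporary directory are assumptions made for this example.

```php
<?php
// Added example (not code from Wordpress, Cafelog b2 or SPChat): an include
// path derived from a request variable, unsafe and hardened. The 'theme'
// parameter, template names and function names are assumptions.

declare(strict_types=1);

// Unsafe: the request value (or, under register_globals, any GET/POST/cookie
// variable of that name) is handed to require() unchanged. With URL includes
// enabled it can name a remote file; without them it can still traverse to
// any readable local file.
function include_unsafe(array $request): void
{
    $abspath = $request['abspath'];
    require $abspath . 'blog.header.php';
}

// Hardened: the request selects a key in a fixed allowlist and the path is
// never built from the value itself. realpath() resolves symlinks and "..",
// and the resolved path must still lie inside the templates directory.
function resolve_include_safe(array $request, string $templates_dir): string
{
    $allowed = [
        'default' => 'blog.header.php',
        'minimal' => 'blog.header.minimal.php',
    ];
    $key = $request['theme'] ?? 'default';
    if (!is_string($key) || !array_key_exists($key, $allowed)) {
        throw new RuntimeException('unknown theme');
    }
    $base = realpath($templates_dir);
    $path = realpath($templates_dir . DIRECTORY_SEPARATOR . $allowed[$key]);
    // realpath() returns false for a missing file; the prefix check catches a
    // symlink that points outside the directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('include target outside templates directory');
    }
    return $path;
}

// Demonstration on a constructed temporary templates directory.
$dir = sys_get_temp_dir() . '/include-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/blog.header.php", "<?php echo \"header loaded\\n\";");

// Request values of the kinds the advisories describe (a remote URL, a
// traversal sequence, a non-string parameter) and one allowlisted name whose
// file does not exist; the resolver refuses all four.
$rejected = [
    ['theme' => 'http://attacker.invalid/evil.txt?'],
    ['theme' => '../../../../etc/passwd'],
    ['theme' => ['x']],
    ['theme' => 'minimal'],
];
foreach ($rejected as $request) {
    try {
        resolve_include_safe($request, $dir);
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}

// A legitimate request resolves to the file inside the directory.
require resolve_include_safe(['theme' => 'default'], $dir);

unlink("$dir/blog.header.php");
rmdir($dir);
```

Alongside the code fix, set allow_url_include = Off (and allow_url_fopen = Off where nothing needs it) in php.ini so that require() and include() cannot fetch remote files even if another script passes unchecked input; the allowlist is what closes the local traversal case, which those directives do not address.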