SecurityFocus
1. IKE-Scan Local Logging Format String Vulnerability
BugTraq ID: 7897
Remote: No
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7897
Summary:
ike-scan is a utility designed to discover IPsec VPN hosts running IKE
(Internet Key Exchange). It is maintained by NTA and is available for Unix
variant operating systems.
A vulnerability has been discovered in ike-scan. The problem is said to
occur due to insufficient format specifiers being supplied to the syslog()
function. As a result, by passing a command-line argument to ike-scan it
may be possible for a malicious local user to corrupt process memory.
Successful exploitation of this vulnerability would allow an attacker to
execute arbitrary code with the privileges of ike-scan. It should be noted
that ike-scan is not installed suid by default.
2. PostNuke Modules.PHP Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 7898
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7898
Summary:
PostNuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.
The PostNuke 'modules.php' script does not sufficiently sanitize data
supplied via URI parameters, making it prone to cross-site scripting
attacks. In particular, the 'categories' and 'letter' URI parameters are
not properly sanitized of HTML tags. This could allow for execution of
hostile HTML and script code in the web client of a user who visits a web
page that contains the malicious code. This would occur in the security
context of the site hosting the software.
Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.
It should be noted, that although this vulnerability has been reported to
affect PostNuke version 0.7.2.3, other versions might also be affected.
3. PostNuke User.PHP UNAME Cross-Site Scripting Vulnerability
BugTraq ID: 7901
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7901
Summary:
PostNuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.
The PostNuke 'user.php' script does not sufficiently sanitize data
supplied via URI parameters, making it prone to cross-site scripting
attacks. In particular, the 'uname' URI parameter is not properly
sanitized of HTML tags. This could allow for execution of hostile HTML and
script code in the web client of a user who visits a web page that
contains the malicious code. This would occur in the security context of
the site hosting the software.
Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.
It should be noted, that although this vulnerability has been reported to
affect PostNuke version 0.7.2.3, other versions might also be affected.
4. Sphera HostingDirector VDS Control Panel Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 7899
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7899
Summary:
Sphera HostingDirector is software designed to provide centralized
administration of a dedicated environment. ServerDirector/Virtual
Dedicated Server(VDS) technology is a component that is shipped with
HostingDirector; it is designed to simulate multiple virtual dedicated
servers on a single system.
Sphera HostingDirector VDS Control Panel has been reported prone to
several cross-site scripting attacks. The vulnerabilities exist due to
insufficient sanitization of user-supplied input for certain URI
parameters.
Specifically, the 'uid', 'error' and 'vds_ip' URI parameters, of the
login_screen.php and sm_login_screen.php scripts, are not sanitized of
malicious HTML code.
An attacker can exploit this by crafting a link that includes malicious
HTML code. If a web user follows a malicious link to a site hosting the
vulnerable software that includes hostile HTML or script code. This code
would be executed in the context of the site hosting the software.
Successful exploitation could permit theft of cookie-based authentication
credentials from legitimate users of the HostingDirector Control Panel,
which may in turn permit unauthorized access to resources that are managed
by the software. Other attacks may also be possible.
5. ATFTP Timeout Command Line Argument Local Buffer Overflow Vulnerability
BugTraq ID: 7902
Remote: No
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7902
Summary:
atftp is a TFTP client/server implementation for Linux and Unix variants.
atftp is prone to a locally exploitable buffer overflow condition. This
issue is due to insufficient bounds checking performed on input supplied
to the command line parameter (-t) for "timeout". By providing a string of
excessive length (9000 bytes) as a value for the command line parameter,
it is possible to trigger this condition to corrupt stack variables. Local
attackers may leverage the resulting memory corruption to execute
arbitrary instructions.
If atftp is installed setuid/setgid, an attacker may potentially exploit
this condition to execute arbitrary instructions with elevated privileges.
It should be noted that although this vulnerability has been reported to
affect atftp version 0.7cvs, other versions might also be vulnerable.
6. Sphera HostingDirector Session ID Random Generator Weakness
BugTraq ID: 7904
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7904
Summary:
HostingDirector is a commercially available system administration package
distributed by Sphera. It is available for the Linux and Microsoft
Windows platforms.
A problem with the software may increase the possibility of a user gaining
unauthorized access to the system.
It has been reported that Sphera HostingDirector uses a weak method of
generating session IDs. This problem may increase the possibility of an
attacker brute-force guessing a valid session ID.
The problem is in the method used to generate session IDs. Upon session
ID generation, each new session ID may be a total of 11 bytes in length,
of which five bytes vary from a previously generated session ID. Of these
five bytes, one is incremented sequentially in a predictable location.
This value is stored in a cookie on the system of the authenticated user.
It, and the session ID, is persistent until the user logs out.
To gain access to a vulnerable implementation, an attacker still must know
a valid user name to place in the authentication cookie.
7. ATFTP Blocksize Command Line Argument Local Buffer Overflow Vulnerability
BugTraq ID: 7907
Remote: No
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7907
Summary:
atftp is a TFTP client/server implementation for Linux and Unix variants.
atftp is prone to a locally exploitable buffer overflow condition. This
issue is due to insufficient bounds checking performed on input supplied
to the command line parameter (-b) for "blocksize". By providing a string
of excessive length as a value for the command line parameter, it is
possible to trigger this condition to corrupt stack variables. Local
attackers may leverage the resulting memory corruption to execute
arbitrary instructions.
If atftp is installed setuid/setgid, an attacker may potentially exploit
this condition to execute arbitrary instructions with elevated privileges.
It should be noted that although this vulnerability has been reported to
affect atftp version 0.7cvs, other versions might also be vulnerable.
It should also be noted that atftp is not installed setuid/setgid by
default.
8. ATFTP TFTP-Timeout Command Line Argument Local Buffer Overflow Vulnerability
BugTraq ID: 7906
Remote: No
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7906
Summary:
atftp is a TFTP client/server implementation for Linux and Unix variants.
atftp is prone to a locally exploitable buffer overflow condition. This
issue is due to insufficient bounds checking performed on input supplied
to the command line parameter (-T) for "tftp-timeout". By providing a
string of excessive length as a value for the command line parameter, it
is possible to trigger this condition to corrupt stack variables. Local
attackers may leverage the resulting memory corruption to execute
arbitrary instructions.
If atftp is installed setuid/setgid, an attacker may potentially exploit
this condition to execute arbitrary instructions with elevated privileges.
It should be noted that although this vulnerability has been reported to
affect atftp version 0.7cvs, other versions might also be vulnerable.
It should also be noted that atftp is not installed setuid/setgid by
default.
12. Multiple Vendor PDF Hyperlinks Arbitrary Command Execution Vulnerability
BugTraq ID: 7912
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7912
Summary:
A vulnerability has been reported for multiple viewers for Unix variant
operating systems. Both Adobe Acrobat Reader and Xpdf are said to be
affected.
The vulnerability allegedly occurs when following a malicious hyperlink.
When the hyperlink is followed the PDF viewer externally calls the 'sh -c'
command to invoke a utility to handle the request. Supposedly, when the
link is followed it is possible to execute arbitrary code by placing shell
metacharacters designed to escape the command. This can be accomplished by
placing (`) characters within the hyperlink.
Successful exploitation of this vulnerability could potentially allow an
attacker to execute arbitrary commands on a target system with the
privileges of the user invoking the PDF document. This would occur
externally to the program and the utility invoked to handle the link would
still be called.
The exploitability of this issue is said to vary between PDF viewers, as
some do not support the use of external hyperlinks. If a viewer is
currently invoked within a browser, the call to 'sh -c' may not be made.
This vulnerability is said to affect Adobe Acrobat Reader 5.06 and Xpdf
1.01, however, other versions may also be affected.
It should be noted that this vulnerability may be similar to that
described in BID 1624. If it is concluded that this is in fact the case,
the older BID will be updated and this BID will be retired.
13. MikMod Long File Name Local Buffer Overflow Vulnerability
BugTraq ID: 7914
Remote: No
Date Published: Jun 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7914
Summary:
mikmod is a freely available, open source sound library and module player.
It is available for Unix, Linux, and Microsoft platforms.
A problem with the program may make it possible for users to gain
unauthorized privileges.
It has been reported that mikmod does not properly handle some types of
input. Because of this, an attacker may be able to gain unauthorized
privileges on a system using the program.
mikmod does not properly handle file names of arbitrary length. Long file
names inside archive files can cause the corruption of sensitive process
memory that may potentially be exploited to execute code with the
privileges of the process.
14. Progress Database DBAgent InstallDir Local Privilege Elevation Vulnerability
BugTraq ID: 7915
Remote: No
Date Published: Jun 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7915
Summary:
Progress Database is a commercial database for Microsoft Windows, Linux, and Unix systems.
A problem with the software may grant unauthorized privileges.
It has been reported that dbagent packaged with Progress does not properly
handle untrusted input in some command line arguments. Because of this,
an attacker may be able to gain unauthorized privileges.
The problem is in the installdir option. The dbagent program does not
perform sufficient checks or sanitizing of values passed with this
argument when executed. This could lead to an attacker supplying a
directory in an arbitrary location on the system, and potentially loading
a malicious library into the program.
Any library code loaded and executed through the installdir argument would
be with the privileges of the dbagent program. dbagent is typically
installed with privileges.
15. Progress Database Environment Variable Local Privilege Escalation Vulnerability
BugTraq ID: 7916
Remote: No
Date Published: Jun 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7916
Summary:
Progress Database is a commercial database for Microsoft Windows, Linux, and Unix systems.
A problem with the software may grant unauthorized privileges.
It has been reported that Progress database does not properly handle
untrusted input when opening shared libraries. Specifically, the dlopen()
function, used by several Progress utilities in /usr/dlc/bin/, checks the
user's PATH environment variable when including shared object libraries.
If any shared objects are found, Progress will load and execute them. Due
to this, an attacker may be able to gain unauthorized privileges.
An attacker can exploit this vulnerability by creating a malicious shared
object and setting the PATH environment variable to include the directory
containing the shared object. When certain utilities in the /usr/dlc/bin/
directory are executed, the malicious shared library will be loaded.
Any library code loaded will execute with elevated privileges.
16. myServer Signal Handling Denial Of Service Vulnerability
BugTraq ID: 7917
Remote: Yes
Date Published: Jun 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7917
Summary:
myServer is an application and web server for Microsoft Windows and Linux operating systems.
A vulnerability has been reported for myServer that may result in a denial
of service condition. The vulnerability exists when myServer receives
certain signals. Specifically, when myServer receives the SIGINT signal,
it will crash.
This vulnerability was reported to affect myServer 0.4.1.
17. FreeWnn JServer Logging Option Data Corruption Vulnerability
BugTraq ID: 7918
Remote: No
Date Published: Jun 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7918
Summary:
FreeWnn 1.1.0 is a kana-kanji (japanese) translation system. This software
is a client-server type application, with the jserver portion acting as a
server and performing translations for clients.
A vulnerability has been reported for FreeWnn that may result in an
attacker obtaining elevated privileges. Specifically, when
/usr/bin/Wnn4/jserver is invoked with the '-s' commandline option to
indicate a log file, it does not perform proper file existence checks. Due
to this, an attacker may be able to overwrite system files, and
potentially gain elevated privileges.
If the jserver process is executed as a user with elevated privileges,
this could allow an attacker to gain privileges equal to the jserver user.
It should be noted that this program might also be installed with setuid
or setgid privileges on some systems. This would allow an attacker to
execute and exploit the program at will.
18. PMachine Lib.Inc.PHP Remote Include Command Execution Vulnerability
BugTraq ID: 7919
Remote: Yes
Date Published: Jun 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7919
Summary:
PMachine is a web content management system. It is available for the Unix
and Linux platforms.
A problem with the software may make unauthorized access possible.
It has been reported that PMachine does not properly handle include files
under some circumstances. Because of this, an attacker may be able to
remotely execute commands.
The problem is in the lib.inc.php file. This file does not adequately
check the input of an include() function. Because of this, an attacker
can supply a value to a remote include file containing malicious commands
to be executed in a shell on the local host. This could allow an attacker
to gain access to the host with the privileges of the web server process.
19. LedNews Post Script Code Injection Vulnerability
BugTraq ID: 7920
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7920
Summary:
LedNews is a freely available, open source news posting script. It is
available for the Unix and Linux platforms.
A problem with the software may make script injection attacks possible.
It has been reported that LedNews does not properly filter input from news
posts. Because of this, it may be possible for an attacker to steal
authentication cookies or perform other nefarious activities.
The problem is in filtering of input. The program does not properly
sanitize input, allowing HTML and script code to be posted as news. This
could be abused to execute code in the browser of site users.
It should be noted that it may also be possible to execute arbitrary
commands through server-side includes on a host using the vulnerable
software.
26. Xoops/E-Xoops Tutorials Module Remote Command Execution Vulnerability
BugTraq ID: 7927
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7927
Summary:
Xoops is open-source, freely available web portal software written in
object-oriented PHP. It is back-ended by a MySQL database and will run on
most Unix and Linux distributions.
The Tutorials module allows remote users to upload various content to a
site, including image MIME type. All images are uploaded to the images
directory. This module is also available for E-Xoops.
A vulnerability has been discovered in the function used by Tutorials to
upload images to a site. The problem occurs due to the module failing to
verify that the file being uploaded is indeed an image MIME type.
Due to this lack of input validation, a remote attacker may be capable of
uploading malicious script files to the images directory or possibly other
locations on the system. If a script file were successfully uploaded, an
attacker could subsequently trigger its execution by issuing an HTTP
request for the file.
This would effectively result in the execution of arbitrary system
commands with the privileges of the httpd server, possibly root.
27. Linux-PAM Pam_Wheel Module getlogin() Username Spoofing Privileged Escalation Vulnerability
BugTraq ID: 7929
Remote: No
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7929
Summary:
Linux-PAM (Pluggable Authentication Modules for Linux) is an
authentication system used to enforce various access restrictions and
security mechanisms. The pam_wheel module can be used to enforce access
restrictions to various utilities, such as 'su', using the 'wheel' group.
When the "trust" configuration option is implemented, users of the trusted
group are not required to supply a password when running the 'su' utility.
A configuration option "use_uid" is also available which specifies whether
a user of the trusted group should be verified using the login name or
user id.
A vulnerability has been discovered in the pam_wheel module when running a
configuration with the "trust" option enabled and the "use_uid" option
disabled. The vulnerability occurs due to the insecure use of the
getlogin() function when verifying user login names against a list of
trusted users. It should be noted that the said configuration is not used
by default.
Due to the insecure use of getlogin() a local attacker may be capable of
gaining unauthorized 'root' privileges without supplying a password. This
can be accomplished by spoofing the 'logname' return value, effectively
making the getlogin() function to return a value of another logged in
user. The spoofed user would have to be logged in to the system and also
be part of the trusted group for this to attack take place.
Successful exploitation of this issue would allow an attacker to invoke
the 'su' utility and gain unauthorized superuser privileges.
29. Dantz Retrospect Client StartupItems Insecure Default Permissions Vulnerability
BugTraq ID: 7934
Remote: No
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7934
Summary:
Retrospect is a backup software package distributed by Dantz.
A problem with the software may make local data destruction or privilege
elevation possible.
It has been reported that Retrospect does not create some directories and
files with secure permissions. Because of this, an attacker may be able
to launch symbolic link or other types of attacks.
The problem is in the creation of the directories and files below the
/Library/StartupItems/ directory. These files are created by Retrospect
with world-read and world-write permissions. These files could be changed
to symbolic links, replaced with files of malicious content, or other
scenarios.
30. Pod.Board Forum_Details.PHP Multiple HTML Injection Vulnerabilities
BugTraq ID: 7933
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7933
Summary:
pod.board is a web-based portal/forum system. Implemented in PHP, it is
available for a range of systems, including Unix, Linux, and Microsoft
Windows.
The pod.board 'forum_details.php' script does not sufficiently sanitize
data supplied via URI parameters or web-based input fields, making it
prone to HTML injection attacks. In particular, the 'user_homepage',
'user_location', 'user_nick' and 'user_signature' URI parameters and
corresponding input fields are not properly sanitized of HTML tags. This
could allow for execution of hostile HTML and script code in the web
client of a user who visits a web page that contains the malicious
injected code. This would occur in the security context of the site
hosting the software.
Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.
It should be noted, that although this vulnerability has been reported to
affect pod.board version 1.1, other versions might also be affected.
