LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   LQ weekly security rep - Mon Apr 14th 2003 (https://www.linuxquestions.org/questions/linux-security-4/lq-weekly-security-rep-mon-apr-14th-2003-a-55051/)

unSpawn 04-14-2003 04:50 PM

LQ weekly security rep - Mon Apr 14th 2003
 
Apr 14th 2003
17 of 26 issues handled (SF)
2. Multiple Vendor I/O System Call File Existence Weakness
3. Buffalo WBRG54 Wireless Broadband Router Denial Of Service Vulnerability
7. PHPSysInfo Index.PHP LNG File Disclosure Vulnerability
8. Abyss Web Server Incomplete HTTP Request Denial Of Service Vulnerability
9. CVSps Unfiltered Escape Sequence Vulnerability
11. Invision Board functions.php SQL Injection Vulnerability
12. Interbase External Table File Verification Vulnerability
13. SETI@home Client Program Remote Buffer Overflow Vulnerability
14. SETI@home Client Program Information Disclosure Vulnerability
15. Metrics Insecure Local File Creation Vulnerability
16. Samba 'call_trans2open' Remote Buffer Overflow Vulnerability
17. Samba Multiple Unspecified Remote Buffer Overflow Vulnerabilities
18. Vignette StoryServer Sensitive Stack Memory Information Disclosure
19. JPEGX Wizard Password Bypass Vulnerability
20. Coppermine Photo Gallery PHP Code Injection Vulnerability
21. Py-Membres Remote SQL Injection Vulnerability
24. Amavis Header Parsing Mail Relaying Weakness

Apr 14th 2003
20 of 33 issues handled (ISS)
Vignette StoryServer TCL Interpreter information
Samba and Samba-TNG call_trans2open() function
Red Hat Linux vsftpd FTP daemon tcp_wrapper could
SETI@home newline character (\n) buffer overflow
InterBase improper permissions could allow an
Jpegx uses weak encryption algorithm
metrics tmpfile symlink attack
ChiTeX chaddpfbname could allow an attacker to
Opera long URL buffer overflow
AMaViS-ng could allow an attacker to perform mail
Invision Power Board functions.php SQL injection
Apache HTTP Server could leak sensitive file
CVSps file name filtering shell command execution
PoPToP ctrlpacket.c code packet buffer overflow
phPay multiple path disclosure
phPay phpinfo.php information disclosure
phPay search.php cross-site scripting
NETGEAR FM114P bypass port blocking feature
KDE PostScript (PS) and PDF shell command execution
Oracle Report Review Agent (RRA) authentication

unSpawn 04-14-2003 04:51 PM

Apr 14th 2003 (ISS)
 
Internet Security Systems

Date Reported: 04/07/2003
Brief Description: Vignette StoryServer TCL Interpreter information
disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, StoryServer 4.1, StoryServer
6.0, Unix Any version, Windows Any version
Vulnerability: storyserver-tcl-information-disclosure
X-Force URL: http://www.iss.net/security_center/static/11725.php

Date Reported: 04/07/2003
Brief Description: Samba and Samba-TNG call_trans2open() function
buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Conectiva Linux 6.0, Conectiva Linux 7.0, Conectiva
Linux 8.0, Debian Linux 2.2, Debian Linux 3.0,
FreeBSD Ports Collection prior to 2001-04-07, HP
CIFS/9000 Server A.01.09.02 & earlier, HP-UX 11.00,
HP-UX 11.11, HP-UX 11.22, Linux Any version, Red
Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux
7.3, Red Hat Linux 8.0, Red Hat Linux 9.0, Samba
2.2.5 through 2.2.8, Samba-TNG prior to 0.3.2,
Slackware Linux 8.1, Slackware Linux 9.0, SuSE
eMail Server 3.1, SuSE eMail Server III Any
version, SuSE Linux 7.1, SuSE Linux 7.2, SuSE Linux
7.3, SuSE Linux 8.0, SuSE Linux 8.1, SuSE Linux
8.2, SuSE Linux Connectivity Server Any version,
SuSE Linux Database Server Any version, SuSE Linux
Enterprise Server 7, SuSE Linux Enterprise Server
8, SuSE Linux Firewall Any version, SuSE Linux
Office Server Any version, Trustix Secure Linux 1.2,
Trustix Secure Linux 1.5, Unix Any version
Vulnerability: samba-calltrans2open-bo
X-Force URL: http://www.iss.net/security_center/static/11726.php

Date Reported: 04/01/2003
Brief Description: Red Hat Linux vsftpd FTP daemon tcp_wrapper could
allow an attacker to gain access to server
Risk Factor: Medium
Attack Type: Network Based
Platforms: Red Hat Linux 9.0
Vulnerability: vsftpd-tcpwrappers-gain-access
X-Force URL: http://www.iss.net/security_center/static/11729.php

Date Reported: 04/07/2003
Brief Description: SETI@home newline character (\n) buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Gentoo Linux Any version, Mac OS X Any version,
Macintosh Any version, SETI@home prior to 3.08,
Unix Any version, Windows Any version
Vulnerability: seti@home-newline-bo
X-Force URL: http://www.iss.net/security_center/static/11731.php

Date Reported: 04/05/2003
Brief Description: InterBase improper permissions could allow an
attacker to modify files
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms: Firebird 1.0.2, InterBase 6.01, InterBase 6.5,
Linux Any version, Unix Any version, Windows Any
version
Vulnerability: interbase-permissions-modify-files
X-Force URL: http://www.iss.net/security_center/static/11732.php

Date Reported: 04/05/2003
Brief Description: Jpegx uses weak encryption algorithm
Risk Factor: Medium
Attack Type: Network Based
Platforms: Jpegx 1.00.6, Linux Any version, Unix Any version,
Windows Any version
Vulnerability: jpegx-weak-encryption
X-Force URL: http://www.iss.net/security_center/static/11733.php

Date Reported: 04/07/2003
Brief Description: metrics tmpfile symlink attack
Risk Factor: High
Attack Type: Host Based
Platforms: Debian Linux 2.2
Vulnerability: metrics-tmpfile-symlink
X-Force URL: http://www.iss.net/security_center/static/11734.php

Date Reported: 04/03/2003
Brief Description: ChiTeX chaddpfbname could allow an attacker to
modify files
Risk Factor: Medium
Attack Type: Host Based
Platforms: ChiTeX 6.1.2p7.8-1, Linux Any version
Vulnerability: chitex-chaddpfbname-modify-files
X-Force URL: http://www.iss.net/security_center/static/11735.php

Date Reported: 04/07/2003
Brief Description: Opera long URL buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Opera 7.02 build 2668, Unix Any
version, Windows Any version
Vulnerability: opera-long-url-bo
X-Force URL: http://www.iss.net/security_center/static/11740.php

Date Reported: 04/07/2003
Brief Description: AMaViS-ng could allow an attacker to perform mail
relaying
Risk Factor: Medium
Attack Type: Network Based
Platforms: AMaViS-ng 0.1.6.2, AMaViS-ng 0.1.6.3, Linux Any
version, Unix Any version
Vulnerability: amavis-ng-mail-relay
X-Force URL: http://www.iss.net/security_center/static/11741.php

Date Reported: 04/04/2003
Brief Description: Invision Power Board functions.php SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Invision Power Board 1.1.1, Linux Any version, Unix
Any version, Windows Any version
Vulnerability: invision-functions-sql-injection
X-Force URL: http://www.iss.net/security_center/static/11749.php

Date Reported: 04/02/2003
Brief Description: Apache HTTP Server could leak sensitive file
descriptors
Risk Factor: Medium
Attack Type: Network Based
Platforms: Apache HTTP Server prior to 2.0.45, Linux Any
version, Unix Any version, Windows Any version
Vulnerability: apache-descriptor-leak
X-Force URL: http://www.iss.net/security_center/static/11750.php

Date Reported: 04/05/2003
Brief Description: CVSps file name filtering shell command execution
Risk Factor: High
Attack Type: Network Based
Platforms: CVSps 2.0b6 to 2.0b9, Linux Any version, Unix Any
version
Vulnerability: cvsps-shell-command-execution
X-Force URL: http://www.iss.net/security_center/static/11753.php

Date Reported: 04/09/2003
Brief Description: PoPToP ctrlpacket.c code packet buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, PoPToP prior 1.1.3-20030409,
PoPToP prior to 1.1.4-b3
Vulnerability: poptop-ctrlpacket-packet-bo
X-Force URL: http://www.iss.net/security_center/static/11756.php

Date Reported: 04/09/2003
Brief Description: phPay multiple path disclosure
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, phPay 2.02, Unix Any version,
Windows Any version
Vulnerability: phpay-multiple-path-disclosures
X-Force URL: http://www.iss.net/security_center/static/11757.php

Date Reported: 04/09/2003
Brief Description: phPay phpinfo.php information disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, phPay 2.02, Unix Any version,
Windows Any version
Vulnerability: phpay-phpinfo-info-disclosure
X-Force URL: http://www.iss.net/security_center/static/11758.php

Date Reported: 04/09/2003
Brief Description: phPay search.php cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, phPay 2.02, Unix Any version,
Windows Any version
Vulnerability: phpay-search-xss
X-Force URL: http://www.iss.net/security_center/static/11759.php

Date Reported: 04/02/2003
Brief Description: NETGEAR FM114P bypass port blocking feature
Risk Factor: Medium
Attack Type: Network Based
Platforms: NETGEAR FM114P 1.4 Beta Release 21
Vulnerability: netgear-fm114p-port-bypass
X-Force URL: http://www.iss.net/security_center/static/11762.php

Date Reported: 04/09/2003
Brief Description: KDE PostScript (PS) and PDF shell command execution
Risk Factor: High
Attack Type: Host Based / Network Based
Platforms: Gentoo Linux Any version, KDE 2.0 through 3.1.1,
Turbolinux 7 Server, Turbolinux 7 Workstation,
Turbolinux 8 Server, Turbolinux 8 Workstation, Unix
Any version
Vulnerability: kde-ps-command-execution
X-Force URL: http://www.iss.net/security_center/static/11767.php

Date Reported: 04/10/2003
Brief Description: Oracle Report Review Agent (RRA) authentication
bypass
Risk Factor: Medium
Attack Type: Network Based
Platforms: Oracle 10.7, Oracle 11.0, Oracle E-Business Suite
11i Releases 1-8
Vulnerability: oracle-rra-authentication-bypass
X-Force URL: http://www.iss.net/security_center/static/11768.php

unSpawn 04-14-2003 04:53 PM

Apr 14th 2003 (SF)
 
SecurityFocus

2. Multiple Vendor I/O System Call File Existence Weakness
BugTraq ID: 7279
Remote: No
Date Published: Apr 04 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7279
Summary:

A weakness has been discovered in the implementation of various I/O system
calls. The problem occurs due to varying error return times, when
accessing existent and non-existent files. This issue has been confirmed
to affect the open() system call, however it is likely that other similar
calls are also affected.

An attacker could exploit this vulnerability by calling the open() system
call on unreadable files. By making requests for various unreadable files,
it may be possible for an attacker to deduce a timing window that can be
used to verify the existence of the file.

It should be noted that a fix for this weakness might not be plausible, as
the kernel is meant to be as efficient as possible. However, the specific
problem may occur due to a differing sequence of events while attempting
to access non-existent files. A solution may be to have an identical
sequence of permission checking on directories, before checking for the
file.

It has been reported that this weakness has successfully been exploited on
various Linux and BSD releases. However, this weakness likely exists in
other operating systems including Sun Solaris and Microsoft Windows.
3. Buffalo WBRG54 Wireless Broadband Router Denial Of Service Vulnerability
BugTraq ID: 7282
Remote: Yes
Date Published: Apr 04 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7282
Summary:

Buffalo Wireless Broadband Router WBRG54 is a network device for wireless
networks.

A vulnerability has been reported for the WBRG54 device that may result in
a denial of service. It should be noted that the device must be set to
'peer-to-peer' connection mode if exploitation is to be possible. This
mode allows for two devices to specifically communicate with each other.
The vulnerability occurs when a vulnerable device receives numerous ICMP
packets.

An attacker can exploit this vulnerability by sending ICMP (type 8)
packets to a vulnerable device. In some cases, this will result in the
device behaving unpredictably and denying service.

This vulnerability may also result in the device rebooting spontaneously.

The problem was reported for the WBRG54 with firmware revisions 1.11 and
1.13. Other versions may also be affected.

7. PHPSysInfo Index.PHP LNG File Disclosure Vulnerability
BugTraq ID: 7286
Remote: No
Date Published: Apr 04 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7286
Summary:

PHPSysInfo is a PHP Script that parses the '/proc' filesystem and displays
information about system information in a web browser.

PHPSysInfo has been reported to be vulnerable to a file disclosure issue.

Local users may possibly influence the path for PHPSysinfo language
include files.

An arbitrary file may be included outside of the web root. Using directory
traversal sequences (../) the file may be included as a language resource
for the 'index.php' page. If the malicious include file is symlinked to an
arbitrary web server readable file, such as '/etc/passwd', the contents of
the linked file may be disclosed to the attacker. The file may also
contain PHP code which may be executed in the context of the webserver.

This attack may lead to confidential or sensitive information disclosure,
which could be used to launch other attacks. It may also be exploited to
execute arbitrary attacker supplied PHP code.

8. Abyss Web Server Incomplete HTTP Request Denial Of Service Vulnerability
BugTraq ID: 7287
Remote: Yes
Date Published: Apr 05 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7287
Summary:

Abyss Web Server is a freely available personal web server. It is
maintained by Aprelium Technologies and runs on Microsoft Windows
operating systems, as well as Linux.

A denial of service vulnerability has been reported for Abyss Web Server.
The vulnerability exists when Abyss attempts to parse certain incomplete
HTTP headers. Specifically, if the 'Connection:' and 'Range:' HTTP headers
are blank, the web server will crash.

An attacker can exploit this vulnerability by connecting to a vulnerable
server and sending blank 'Connection:' and 'Range:' HTTP headers. This
will result in a denial of service condition.

This vulnerability was reported for Abyss Web Server 1.1.2.

9. CVSps Unfiltered Escape Sequence Vulnerability
BugTraq ID: 7288
Remote: Yes
Date Published: Apr 05 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7288
Summary:

CVSps is a program to generate a diff/patch set for CVS repositories. It
is available for Linux and Unix variant operating systems.

A vulnerability has been reported for CVSps where some characters were
improperly filtered prior to sending them to the command shell.
Specifically, escape sequences are not properly filtered from filenames
when generating a diff/patch set.

This issue can be exploited by a malicious CVS contributor who names a
file with malicious escape and shell metacharacters. When CVSps is used to
process the malicious file, it may be possible to execute commands on the
underlying shell of the host.

This vulnerability was reported for CVSps 2.0b9 and earlier.

11. Invision Board functions.php SQL Injection Vulnerability
BugTraq ID: 7290
Remote: Yes
Date Published: Apr 05 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7290
Summary:

Invision Board is web forum software. It is implemented in PHP and is
available for Unix and Linux variants and Microsoft Windows operating
systems.

An input validation error has been reported in Invision Board which may
result in the manipulation of SQL queries. This vulnerability exists in
the load_skin() function of the functions.php script file. Specifically,
the value supplied for the 'skinid' variable is not properly cast as an
integer type.

An attacker may be able to exploit this vulnerability by manipulating the
'skinid' URI parameter to include malicious SQL commands and queries which
may result in information disclosure, or database corruption. The
consequences depend on the nature of specific queries. This issue may
allow the attacker to exploit latent vulnerabilities in the underlying
database.

This vulnerability was reported for Invision Board 1.1.1.

12. Interbase External Table File Verification Vulnerability
BugTraq ID: 7291
Remote: Yes
Date Published: Apr 05 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7291
Summary:

Interbase is a database distributed and maintained by Borland. It is
available for Unix and Linux operating systems.

A vulnerability has been reported for Interbase that may result in the
corruption of arbitrary system files. The vulnerability exists due to
insufficient checks performed when creating or manipulating external
databases. Specifically, file existence checks are not made.

An attacker can exploit this vulnerability by creating an external table
pointing to an arbitrary system file. When the attacker attempts to modify
the external table, the system file will be corrupted with
attacker-supplied information. This may result in system instability.

This vulnerability is further exacerbated by the fact that the Interbase
service typically runs with root or SYSTEM level privileges.

Firebird is based on Borland/Inprise Interbase source code and is
therefore also prone to this issue.

13. SETI@home Client Program Remote Buffer Overflow Vulnerability
BugTraq ID: 7292
Remote: Yes
Date Published: Apr 06 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7292
Summary:

SETI@home is a client program designed to run on a computer when it is not
in use. The client receives data from a central server, which it later
analyzes in search of various information. It is available for a variety
of platforms including Linux, Unix, and the Microsoft Windows operating
system.

A vulnerability has been discovered in the SETI@home client program. Due
to insufficient bounds checking when processing server data, it may be
possible for a remote attacker to trigger a buffer overflow.

This issue could be exploited by forging an HTTP request which mimics a
server response handler. When a vulnerable client attempts to process the
malicious server response, a buffer overflow will be triggered.

Successful exploitation of this issue may allow an attacker to execute
arbitrary commands on a target system, with the privileges of the user
invoking the software.

This vulnerability affects SETI@home clients prior to 3.08.

14. SETI@home Client Program Information Disclosure Vulnerability
BugTraq ID: 7281
Remote: Yes
Date Published: Apr 04 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7281
Summary:

SETI@home is a client program designed to run on a computer when it is not
in use. The client receives data from a central server, which it later
analyzes in search of various information. It is available for a variety
of platforms including Linux, Unix, and the Microsoft Windows operating
system.

A vulnerability has been reported in the SETI@home client program.
Specifically, sensitive information is transmitted from the client to the
server in plain text. As a result, sensitive operating system and
processor information may be disclosed to an attacker.

An attacker could exploit this system by sniffing network traffic
transmitted between the client and the server. Access to this type of
information may aid in launching attacks against the system running the
client.

This vulnerability was reported for SETI@home version 3.03.

15. Metrics Insecure Local File Creation Vulnerability
BugTraq ID: 7293
Remote: No
Date Published: Apr 07 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7293
Summary:

Metrics is an application designed to measure various software metrics. It
is available for the Linux operating system and is included with the
Debian 2.2 distribution.

A vulnerability has been discovered in Metrics which could allow an
attacker to corrupt sensitive system files. The problem occurs in the
'halstead' and 'gather_stats' scripts, included in the Metrics package.

The vulnerability exists due to the two scripts failing to carry out
sufficient security precautions when attempting to create temporary files.
As a result, it may be possible for a malicious local user to corrupt
sensitive system files.

This vulnerability was discovered in Metrics version 1.0; however, earlier
versions may also be affected.

16. Samba 'call_trans2open' Remote Buffer Overflow Vulnerability
BugTraq ID: 7294
Remote: Yes
Date Published: Apr 07 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7294
Summary:

Samba is a freely available file and printer sharing application
maintained and developed by the Samba Development Team. Samba allows file
and printer sharing between operating systems on the Unix and Microsoft
platforms. The Samba daemon is typically run with super user privileges.

A buffer overflow vulnerability has been reported for Samba that could
allow an anonymous remote attacker to execute arbitrary code.

The vulnerability occurs in the 'call_trans2open()' function when copying
data into a 1024 byte static buffer. Sufficient bounds checking is not
performed when a call to the 'Strncpy()' function is invoked. The length
argument supplied to 'Strncpy()' is exactly the length of the
user-supplied data. As a result, an attacker could exploit this
vulnerability by sending data in excess of 1024 bytes.

Successful exploitation of this vulnerability could allow an anonymous
attacker to overwrite sensitive stack variables, including the
'open_trans2open()' function's saved return address. The ability to
influence sensitive memory could be leveraged by the attacker to execute
arbitrary code with the privileges of the Samba server process.

17. Samba Multiple Unspecified Remote Buffer Overflow Vulnerabilities
BugTraq ID: 7295
Remote: Yes
Date Published: Apr 07 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7295
Summary:

Samba is a freely available file and printer sharing application
maintained and developed by the Samba Development Team. Samba allows file
and printer sharing between operating systems on the Unix and Microsoft
platforms. The Samba daemon is typically run with super user privileges.

Multiple remote buffer overflow vulnerabilities have been reported for
Samba and Samba-TNG. The overflows are reported to occur in both stack and
heap-based memory. This issue occurs due to insufficient bounds checking
when copying user-supplied data to internal buffers.

Although it has not been confirmed, it is likely that these issues can be
exploited to execute arbitrary code, with the privileges of Samba (which
typically runs as root).

These issues are reported to affect Samba 2.2.8 and Samba-TNG 0.3.1.

The precise technical details regarding these vulnerabilities are currently
unknown. This BID will be updated as further information is made
available.

It should be noted that these vulnerabilities may be similar to the issue
described in BID 7294.

18. Vignette StoryServer Sensitive Stack Memory Information Disclosure
Vulnerability
BugTraq ID: 7296
Remote: Yes
Date Published: Apr 07 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7296
Summary:

Vignette StoryServer is a dynamic content management system. It allows the
use of TCL code to perform a wide range of functions, for example database
interaction and cookie creation.

It has been reported that Vignette StoryServer, under certain
circumstances, may reveal the contents of stack memory.

Specifically, a specially crafted HTTPS request containing '<' and '"'
characters passed as URI parameters to any page that accepts user-supplied
data will trigger an error state.

An error message containing the current contents of stack memory will be
returned to the attacker's browser.

It should be noted that this vulnerability might be exploited in a
continuous manner without an impact on the Vignette StoryServer service
state. The attacker may use this condition to provide reconnaissance over
a period of time until sufficient information has been gathered to aid in
further activity against the vulnerable host.

19. JPEGX Wizard Password Bypass Vulnerability
BugTraq ID: 7298
Remote: No
Date Published: Apr 07 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7298
Summary:

JPEGX is steganography software for Microsoft Windows; it is designed to
embed encrypted data into JPEG files.

JpegX has been reported prone to a password bypass vulnerability.

It has been reported that when no password credentials are supplied if
using the JpegX wizard to decrypt data contained in JpegX JPEG files,
JpegX will decipher the file regardless.

This vulnerability may lead to sensitive information disclosure.

20. Coppermine Photo Gallery PHP Code Injection Vulnerability
BugTraq ID: 7300
Remote: Yes
Date Published: Apr 07 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7300
Summary:

Coppermine Photo Gallery is a web based picture gallery script that allows
users to upload pictures with a web browser, add comments, send e-cards
and view statistics about the pictures.

Coppermine Photo Gallery has been reported prone to PHP code injection
attacks.

Due to a lack of sufficient sanitization performed on user-supplied
filenames that are uploaded into the Photo Gallery, an attacker may upload
a malicious JPEG. The attacker may craft the file in such a way that PHP
code execution will occur when the image is viewed.

Specifically, the attacker may embed PHP code as a signature to a valid
JPEG image and name it 'Filename.jpg.php'. The attacker may then upload
the file to a vulnerable server. If the image is still considered a valid
JPEG file by the Coppermine photo gallery, when the JPEG image is viewed
the code contained within the JPEG file will be executed in the context of
the web server hosting the vulnerable application. The attacker may use
'shell_exec()' or similar functions as a conduit to execute arbitrary
shell commands remotely.

This attack may result in arbitrary PHP code execution in the security
context of the web server that is hosting the vulnerable application.

21. Py-Membres Remote SQL Injection Vulnerability
BugTraq ID: 7301
Remote: Yes
Date Published: Apr 07 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7301
Summary:

A vulnerability has been reported for Py-Membres 4.0 that allows remote
attackers to modify the logic of SQL queries.

It has been reported that an input validation error exists in the
login.php file included with Py-Membres. Because of this issue, remote
attackers may launch SQL injection attacks through the software.

This problem requires that the PHP configuration directive
'magic_quotes_gpc' be disabled, although it may also be present with
limited impact when the directive is enabled. Exploitation of this issue
will allow an attacker to inject SQL syntax into database queries via the
'login' variable for the login.php script. This may allow for a variety of
attacks.

24. Amavis Header Parsing Mail Relaying Weakness
BugTraq ID: 7306
Remote: Yes
Date Published: Apr 08 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7306
Summary:

Amavis is a freely available, open source virus scanning software package.
It is available for the UNIX and Linux operating systems.

A problem with the software may make it possible to perform unauthorized
actions in vulnerable configurations.

It has been reported that some versions of Amavis-ng do not properly
interact with Postfix. Because of this, an attacker may be able to
circumvent relay restrictions.

The problem is in the handling of headers. Due to improper e-mail header
processing, Amavis may send e-mails to addresses specified in a To: field
in the message body rather than the RCPT TO: field specified via SMTP.
This could make it possible to relay e-mails through some configurations.


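Three items in this digest are, at bottom, file-name handling problems: the PHPSysInfo include path that accepts '../' traversal sequences (BID 7286), the CVSps file names that carry escape sequences and shell metacharacters into a command shell (BID 7288), and the Coppermine upload named 'Filename.jpg.php' that a web server treats as PHP (BID 7300). The Python example below is added here to show one validation routine that covers all three; it is not code from any of those projects. The image extension allowlist and the metacharacter set are assumptions chosen for the example.

```python
import posixpath
import secrets

# Constructed allowlist for an image upload handler (an assumption for this
# example, not Coppermine's configuration).
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Characters that would be interpreted if the name ever reached a shell.
SHELL_METACHARACTERS = set(";|&$`<>\\\"'()*?[]{}!")


def validate_upload_name(name):
    """Return `name` unchanged if it is an acceptable image file name,
    otherwise raise ValueError naming the first problem found."""
    # 1. Path separators and traversal ('../') must never reach include() or
    #    open(): only a bare base name is acceptable.
    if name in ("", ".", "..") or name != posixpath.basename(name):
        raise ValueError("file name must not contain path components")
    # 2. Control and escape characters (0x00-0x1F, 0x7F): the CVSps vector,
    #    and also what lets a name corrupt a terminal or a log line.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        raise ValueError("file name contains control characters")
    # 3. Shell metacharacters, in case the name is ever handed to a command.
    if any(c in SHELL_METACHARACTERS for c in name):
        raise ValueError("file name contains shell metacharacters")
    # 4. Judge the *last* extension only. 'Filename.jpg.php' ends in .php,
    #    and that is what the web server executes, whatever the middle says.
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem or ext.lower() not in ALLOWED_IMAGE_EXTENSIONS:
        raise ValueError("extension %r is not an allowed image type" % ext)
    return name


def upload_name_problem(name):
    """Convenience for logging or detection: the rejection reason, or None."""
    try:
        validate_upload_name(name)
    except ValueError as exc:
        return str(exc)
    return None


def storage_name(name):
    """Stronger option: keep only the validated extension and generate the
    rest, so the client never chooses the name that is stored on disk."""
    ext = validate_upload_name(name).rpartition(".")[2].lower()
    return secrets.token_hex(8) + "." + ext


if __name__ == "__main__":
    # Constructed sample names, one per issue in the digest plus a benign one.
    for candidate in ("Photo.JPG", "Filename.jpg.php",
                      "../../etc/passwd", "rep\x1b[2Jort.jpg", "a;id.jpg"):
        print("%-22r -> %s" % (candidate, upload_name_problem(candidate) or "ok"))
    print(storage_name("Photo.JPG"))
```

Two points follow from the checks. Validating the content as a JPEG, which the Coppermine entry notes the gallery still does, says nothing about the name; the extension decision has to be made separately and on the final suffix. And for the CVSps case the name filter is a second line of defence: the first is to invoke 'cvs' and 'diff' with an argument list rather than through a shell, so that metacharacters in a name are never interpreted at all.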