LQ weekly security rep

unSpawn · 12-16-2002, 06:35 PM

Dec 20th 2002
15 issues handled (LAW)
wget
kernel
fetchmail
mysql
openldap
lynx
micq
libpng
squirrelmail
exim
net-SNMP
apache
lynx-ssl
perl
tcpdump

Dec 16th 2002
21 of 25 issues handled (SF)
2. OpenLDAP Multiple Buffer Overflow Vulnerabilities
3. SuSE GNUPlot French Documentation Buffer Overflow Vulnerability
4. APBoard Unauthorized Thread Reading Vulnerability
5. Apple Mac OS X Directory Kernel Panic Denial Of Service Vulnerability
6. Ultimate PHP Board Add.PHP Path Disclosure Vulnerability
7. Ultimate PHP Board ViewTopic.PHP Directory Contents Browsing Vulnerability
8. Ultimate PHP Board ViewTopic.PHP Cross Site Scripting Vulnerability
9. vBulletin HTML Injection Vulnerability
11. apt-www-proxy NULL HTTP Request Denial Of Service Vulnerability
12. apt-www-proxy Format String Vulnerability
13. ProFTPD STAT Command Denial Of Service Vulnerability
14. Ikonboard User Profile Photo URI HTML Injection Vulnerability
15. Ikonboard X-Forwarded-For: Proxy Header Field HTML Injection Vulnerability
16. Xoops Private Message System Font Attributes HTML Injection Vulnerability
18. Cyrus SASL Library Username Heap Corruption Vulnerability
19. Cyrus SASL Library LDAP Heap Corruption Vulnerability
20. Cyrus SASL Library Logging Memory Corruption Vulnerability
21. Trend Micro PC-cillin Mail Scanner Buffer Overflow Vulnerability
22. Canna Server Local Buffer Overflow Vulnerability
23. Canna Server Denial Of Service Vulnerability
24. WGet NLST Client Side File Overwriting Vulnerability

Dec 16th 2002
43 of 60 issues handled (ISS)
Linksys EtherFast Web management interface multiple
Linksys EtherFast Web management interface multiple
Canna irw_through() buffer overflow
Canna improper user request validation
Netscape/iPlanet/Sun ONE Web Server log file script
akfingerd remote connection denial of service
akfingerd .plan symlink denial of service
akfingerd could allow an attacker to read local
OpenLDAP multiple buffer overflows
Gnuplot French documentation buffer overflow
UW IMAP (wu-imapd) authenticated user buffer
XOOPS HTML attribute tags cross-site scripting
vBulletin forum message cross-site scripting
Ikonboard HTML tags photo URL cross-site scripting
Ikonboard X-Forwarded-For: header cross-site
Cyrus-SASL library username buffer overflow
Cyrus-SASL library saslauthd daemon escape
Cyrus-SASL library log writer buffer overflow
apt-www-proxy awp_log() function format string
apt-www-proxy NULL client->get denial of service
wget utility malicious file name directory
Multiple FTP client malicious file name directory
Cisco Catalyst Optical Service Module (OSM) Line
Macromedia ColdFusion and JRun Web services SOAP
VIM text file modelines could be used to execute
MySQL COM_TABLE_DUMP unsigned integer denial of
MySQL COM_CHANGE_USER command password
MySQL COM_CHANGE_USER password buffer overflow
MySQL libmysql client read_rows buffer overflow
MySQL libmysql client read_one_row buffer overflow
wget long URL file name buffer overflow
Mambo Site Server phpinfo.php[/url] script could disclose
Mambo Site Server search.php[/url] script cross-site
Mambo Site Server special characters could lock
Mambo Site Server index.php[/url] script could disclose
Mambo Site Server default administrative password
Mambo Site Server could allow an attacker to gain
Mambo Site Server name field cross-site scripting
Instant ASP (iASP) "dot dot" directory traversal
Macromedia Flash Player malformed SWF header buffer
Fetchmail address header heap buffer overflow
Symantec Enterprise Firewall (SEF) buffer overflow
MyPHPLinks index.php[/url] script SQL injection

unSpawn · 12-16-2002, 06:38 PM

Internet Security Systems

Date Reported: 12/02/2002
Brief Description: Linksys EtherFast Web management interface multiple
stack buffer overflows
Risk Factor: High
Attack Type: Network Based
Platforms: Linksys EtherFast BEFSR41 1.42.7, Linksys EtherFast
BEFSR11 1.42.7, Linksys EtherFast BEFSRU31 1.42.7,
Linksys EtherFast BEFW11S4 v2 1.42.7, Linksys
EtherFast BEFW11S4 v2 1.43, Linksys EtherFast
BEFW11S4 v2 1.43.3, Linksys EtherFast BEFSR41 1.43,
Linksys EtherFast BEFSR11 1.43, Linksys EtherFast
BEFSRU31 1.43, Linksys EtherFast BEFSR81 2.42.7.1,
Linksys EtherFast BEFN2PS4 1.42.7, Linksys
EtherFast BEFSX41 1.43, Linksys EtherFast BEFSX41
1.43.3, Linksys EtherFast BEFSX41 1.43.4, Linksys
EtherFast BEFVP41 1.40.2, Linksys EtherFast BEFVP41
1.40.3, Linksys EtherFast BEFSR41 1.43.3, Linksys
EtherFast BEFSR11 1.43.3, Linksys EtherFast
Vulnerability: linksys-etherfast-stack-bo
X-Force URL: http://www.iss.net/security_center/static/10792.php

Date Reported: 12/02/2002
Brief Description: Linksys EtherFast Web management interface multiple
heap buffer overflows
Risk Factor: High
Attack Type: Network Based
Platforms: Linksys EtherFast BEFSR41 1.42.7, Linksys EtherFast
BEFSR11 1.42.7, Linksys EtherFast BEFSRU31 1.42.7,
Linksys EtherFast BEFW11S4 v2 1.42.7, Linksys
EtherFast BEFW11S4 v2 1.43, Linksys EtherFast
BEFW11S4 v2 1.43.3, Linksys EtherFast BEFSR41 1.43,
Linksys EtherFast BEFSR11 1.43, Linksys EtherFast
BEFSRU31 1.43, Linksys EtherFast BEFSR81 2.42.7.1,
Linksys EtherFast BEFN2PS4 1.42.7, Linksys
EtherFast BEFSX41 1.43, Linksys EtherFast BEFSX41
1.43.3, Linksys EtherFast BEFSX41 1.43.4, Linksys
EtherFast BEFVP41 1.40.2, Linksys EtherFast BEFVP41
1.40.3, Linksys EtherFast BEFSR41 1.43.3, Linksys
EtherFast BEFSR11 1.43.3, Linksys EtherFast
Vulnerability: linksys-etherfast-heap-bo
X-Force URL: http://www.iss.net/security_center/static/10793.php

Date Reported: 12/02/2002
Brief Description: Canna irw_through() buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Red Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux
7.3, Red Hat Linux 8.0, Canna 3.6 and earlier
Vulnerability: canna-irwthrough-bo
X-Force URL: http://www.iss.net/security_center/static/10831.php

Date Reported: 12/02/2002
Brief Description: Canna improper user request validation
Risk Factor: Medium
Attack Type: Network Based
Platforms: Red Hat Linux 7.1, Red Hat Linux 7.2, Red Hat Linux
7.3, Red Hat Linux 8.0, Canna 3.6 and earlier
Vulnerability: canna-improper-request-validation
X-Force URL: http://www.iss.net/security_center/static/10832.php

Date Reported: 12/04/2002
Brief Description: Netscape/iPlanet/Sun ONE Web Server log file script
execution
Risk Factor: High
Attack Type: Network Based
Platforms: Solaris Any version, Windows NT Any version,
Netscape Enterprise Server 4.1 SP11 and earlier,
Sun ONE Web Server 6.0 SP1 and earlier, iPlanet Web
Server, Enterprise Edition 4.1 SP11 and earlier
Vulnerability: netscape-enterprise-log-script
X-Force URL: http://www.iss.net/security_center/static/10808.php

Date Reported: 12/05/2002
Brief Description: akfingerd remote connection denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, akfingerd 0.5
Vulnerability: akfingerd-connect-dos
X-Force URL: http://www.iss.net/security_center/static/10794.php

Date Reported: 12/05/2002
Brief Description: akfingerd .plan symlink denial of service
Risk Factor: Low
Attack Type: Host Based
Platforms: Linux Any version, Unix Any version, akfingerd 0.5
Vulnerability: akfingerd-plan-symlink-dos
X-Force URL: http://www.iss.net/security_center/static/10795.php

Date Reported: 12/05/2002
Brief Description: akfingerd could allow an attacker to read local
files
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, Unix Any version, akfingerd 0.5
Vulnerability: akfingerd-read-files
X-Force URL: http://www.iss.net/security_center/static/10796.php

Date Reported: 12/06/2002
Brief Description: OpenLDAP multiple buffer overflows
Risk Factor: High
Attack Type: Network Based
Platforms: SuSE Linux 7.1, SuSE Linux 7.2, SuSE Linux 7.3,
SuSE eMail Server III Any version, SuSE Linux
Connectivity Server Any version, SuSE Linux
Enterprise Server 7, SuSE Linux 8.0, SuSE Linux
Office Server Any version, SuSE eMail Server 3.1,
OpenLDAP 2.0.0 through 2.0.23
Vulnerability: openldap-multiple-bo
X-Force URL: http://www.iss.net/security_center/static/10800.php

Date Reported: 12/06/2002
Brief Description: Gnuplot French documentation buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: SuSE Linux prior to 8.0, Gnuplot 3.7
Vulnerability: gnuplot-french-documentation-bo
X-Force URL: http://www.iss.net/security_center/static/10801.php

Date Reported: 12/06/2002
Brief Description: UW IMAP (wu-imapd) authenticated user buffer
overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, UW IMAP 2000c
and earlier
Vulnerability: wuimapd-authenticated-user-bo
X-Force URL: http://www.iss.net/security_center/static/10803.php

Date Reported: 12/06/2002
Brief Description: XOOPS HTML attribute tags cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, XOOPS 1.3.5
Vulnerability: xoops-html-attribute-xss
X-Force URL: http://www.iss.net/security_center/static/10806.php

Date Reported: 12/07/2002
Brief Description: vBulletin forum message cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, vBulletin 2.2.7, vBulletin 2.2.8
Vulnerability: vbulletin-forum-msg-xss
X-Force URL: http://www.iss.net/security_center/static/10841.php

Date Reported: 12/09/2002
Brief Description: Ikonboard HTML tags photo URL cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Ikonboard 3.1.1
Vulnerability: ikonboard-html-photo-xss
X-Force URL: http://www.iss.net/security_center/static/10797.php

Date Reported: 12/09/2002
Brief Description: Ikonboard X-Forwarded-For: header cross-site
scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Ikonboard 3.1.1
Vulnerability: ikonboard-xforwardedfor-header-xss
X-Force URL: http://www.iss.net/security_center/static/10799.php

Date Reported: 12/09/2002
Brief Description: Cyrus-SASL library username buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Unix Any version, Cyrus-SASL
2.1.9
Vulnerability: cyrus-sasl-username-bo
X-Force URL: http://www.iss.net/security_center/static/10810.php

Date Reported: 12/09/2002
Brief Description: Cyrus-SASL library saslauthd daemon escape
character buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Unix Any version, Cyrus-SASL
2.1.9
Vulnerability: cyrus-sasl-saslauthd-bo
X-Force URL: http://www.iss.net/security_center/static/10811.php

Date Reported: 12/09/2002
Brief Description: Cyrus-SASL library log writer buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Unix Any version, Cyrus-SASL
2.1.9
Vulnerability: cyrus-sasl-logwriter-bo
X-Force URL: http://www.iss.net/security_center/static/10812.php

Date Reported: 12/10/2002
Brief Description: apt-www-proxy awp_log() function format string
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, apt-www-proxy 0.1
Vulnerability: apt-www-proxy-format-string
X-Force URL: http://www.iss.net/security_center/static/10815.php

Date Reported: 12/10/2002
Brief Description: apt-www-proxy NULL client->get denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, apt-www-proxy 0.1
Vulnerability: apt-www-proxy-dos
X-Force URL: http://www.iss.net/security_center/static/10816.php

Date Reported: 12/10/2002
Brief Description: wget utility malicious file name directory
traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: Red Hat Linux 6.2, Debian Linux 2.2, Red Hat Linux
7.0, Red Hat Linux 7.1, Red Hat Linux 7.2, Red Hat
Linux 7.3, Debian Linux 3.0, Red Hat Linux 8.0, Red
Hat Advanced Server 2.1AS, wget prior to 1.8.2-4
Vulnerability: wget-ftp-filename-traversal
X-Force URL: http://www.iss.net/security_center/static/10820.php

Date Reported: 12/10/2002
Brief Description: Multiple FTP client malicious file name directory
traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, FTP Any version
Vulnerability: ftp-client-filename-traversal
X-Force URL: http://www.iss.net/security_center/static/10821.php

Date Reported: 12/11/2002
Brief Description: Cisco Catalyst Optical Service Module (OSM) Line
Card denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms: Cisco IOS prior to 10.3(2), Cisco Catalyst 6500 Any
version, Cisco IOS 12.1(8)E or later
Vulnerability: cisco-catalyst-osm-dos
X-Force URL: http://www.iss.net/security_center/static/10823.php

Date Reported: 12/11/2002
Brief Description: Macromedia ColdFusion and JRun Web services SOAP
denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Windows NT Any
version, Windows 2000 Any version, ColdFusion MX
Any version, JRun 4.0
Vulnerability: coldfusion-jrun-soap-dos
X-Force URL: http://www.iss.net/security_center/static/10826.php

Date Reported: 12/11/2002
Brief Description: VIM text file modelines could be used to execute
commands
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, VIM 6.0, VIM 6.1
Vulnerability: vim-modeline-command-execution
X-Force URL: http://www.iss.net/security_center/static/10835.php

Date Reported: 12/12/2002
Brief Description: MySQL COM_TABLE_DUMP unsigned integer denial of
service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, EnGarde
Secure Linux Community Edition, FreeBSD Any
version, MySQL 3.23.53a and earlier, MySQL 4.0.5a
and earlier
Vulnerability: mysql-comtabledump-dos
X-Force URL: http://www.iss.net/security_center/static/10846.php

Date Reported: 12/12/2002
Brief Description: MySQL COM_CHANGE_USER command password
authentication bypass
Risk Factor: High
Attack Type: Host Based / Network Based
Platforms: Linux Any version, Windows Any version, FreeBSD Any
version, MySQL 3.23.53a and earlier, MySQL 4.0.5a
and earlier
Vulnerability: mysql-comchangeuser-password-bypass
X-Force URL: http://www.iss.net/security_center/static/10847.php

Date Reported: 12/12/2002
Brief Description: MySQL COM_CHANGE_USER password buffer overflow
Risk Factor: High
Attack Type: Host Based / Network Based
Platforms: Linux Any version, Windows Any version, EnGarde
Secure Linux Community Edition, FreeBSD Any
version, MySQL 3.23.53a and earlier, MySQL 4.0.5a
and earlier
Vulnerability: mysql-comchangeuser-password-bo
X-Force URL: http://www.iss.net/security_center/static/10848.php

Date Reported: 12/12/2002
Brief Description: MySQL libmysql client read_rows buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, EnGarde
Secure Linux Community Edition, FreeBSD Any
version, MySQL 3.23.53a and earlier, MySQL 4.0.5a
and earlier
Vulnerability: mysql-libmysqlclient-readrows-bo
X-Force URL: http://www.iss.net/security_center/static/10849.php

Date Reported: 12/12/2002
Brief Description: MySQL libmysql client read_one_row buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, EnGarde
Secure Linux Community Edition, FreeBSD Any
version, MySQL 3.23.53a and earlier, MySQL 4.0.5a
and earlier
Vulnerability: mysql-libmysqlclient-readonerow-bo
X-Force URL: http://www.iss.net/security_center/static/10850.php

Date Reported: 12/12/2002
Brief Description: wget long URL file name buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms: Debian Linux 2.2, Debian Linux 3.0, wget Any
version
Vulnerability: wget-url-filename-bo
X-Force URL: http://www.iss.net/security_center/static/10851.php

Date Reported: 12/12/2002
Brief Description: Mambo Site Server phpinfo.php[/url] script could disclose
physical path
Risk Factor: Low
Attack Type: Network Based
Platforms: AIX Any version, Linux Any version, Solaris Any
version, Windows NT Any version, Windows 98,
Windows 2000 Any version, Mac OS X Any version,
Cobalt RaQ 4, FreeBSD Any version, Windows XP Any
version, Mambo Site Server 4.0.11
Vulnerability: mambo-phpinfo-disclose-path
X-Force URL: http://www.iss.net/security_center/static/10853.php

Date Reported: 12/12/2002
Brief Description: Mambo Site Server search.php[/url] script cross-site
scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: AIX Any version, Linux Any version, Solaris Any
version, Windows NT Any version, Windows 98,
Windows 2000 Any version, Mac OS X Any version,
Cobalt RaQ 4, FreeBSD Any version, Windows XP Any
version, Mambo Site Server 4.0.11
Vulnerability: mambo-search-xss
X-Force URL: http://www.iss.net/security_center/static/10854.php

Date Reported: 12/12/2002
Brief Description: Mambo Site Server special characters could lock
account
Risk Factor: Low
Attack Type: Host Based
Platforms: AIX Any version, Linux Any version, Solaris Any
version, Windows NT Any version, FreeBSD Any
version, Windows 98, Windows 2000 Any version, Mac
OS X Any version, Cobalt RaQ 4, Windows XP Any
version, Mambo Site Server 4.0.11
Vulnerability: mambo-character-account-locked
X-Force URL: http://www.iss.net/security_center/static/10855.php

Date Reported: 12/12/2002
Brief Description: Mambo Site Server index.php[/url] script could disclose
physical path
Risk Factor: Low
Attack Type: Network Based
Platforms: AIX Any version, Linux Any version, Solaris Any
version, Windows NT Any version, FreeBSD Any
version, Windows 98, Windows 2000 Any version, Mac
OS X Any version, Cobalt RaQ 4, Windows XP Any
version, Mambo Site Server 4.0.11
Vulnerability: mambo-index-path-disclosure
X-Force URL: http://www.iss.net/security_center/static/10856.php

Date Reported: 12/12/2002
Brief Description: Mambo Site Server default administrative password
and username
Risk Factor: High
Attack Type: Network Based
Platforms: AIX Any version, Linux Any version, Solaris Any
version, Windows NT Any version, FreeBSD Any
version, Windows 98, Windows 2000 Any version, Mac
OS X Any version, Cobalt RaQ 4, Windows XP Any
version, Mambo Site Server 4.0.11
Vulnerability: mambo-default-admin-password
X-Force URL: http://www.iss.net/security_center/static/10857.php

Date Reported: 12/12/2002
Brief Description: Mambo Site Server could allow an attacker to gain
access to the backend database
Risk Factor: Medium
Attack Type: Network Based
Platforms: AIX Any version, Linux Any version, Solaris Any
version, Windows NT Any version, FreeBSD Any
version, Windows 98, Windows 2000 Any version, Mac
OS X Any version, Cobalt RaQ 4, Windows XP Any
version, Mambo Site Server 4.0.11
Vulnerability: mambo-phpmyadmin-gain-access
X-Force URL: http://www.iss.net/security_center/static/10858.php

Date Reported: 12/12/2002
Brief Description: Mambo Site Server name field cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: AIX Any version, Linux Any version, Solaris Any
version, Windows NT Any version, FreeBSD Any
version, Windows 98, Windows 2000 Any version, Mac
OS X Any version, Cobalt RaQ 4, Windows XP Any
version, Mambo Site Server 4.0.11
Vulnerability: mambo-name-field-xss
X-Force URL: http://www.iss.net/security_center/static/10859.php

Date Reported: 12/12/2002
Brief Description: Instant ASP (iASP) "dot dot" directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Instant ASP (iASP) 1.0.9 and earlier
Vulnerability: iasp-dotdot-directory-traversal
X-Force URL: http://www.iss.net/security_center/static/10860.php

Date Reported: 12/12/2002
Brief Description: Macromedia Flash Player malformed SWF header buffer
overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Macromedia Flash Player prior to 6.0.65.0
Vulnerability: flash-swf-bo
X-Force URL: http://www.iss.net/security_center/static/10861.php

Date Reported: 12/13/2002
Brief Description: Fetchmail address header heap buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Fetchmail
6.1.3 and earlier
Vulnerability: fetchmail-address-header-bo
X-Force URL: http://www.iss.net/security_center/static/10839.php

Date Reported: 12/13/2002
Brief Description: Symantec Enterprise Firewall (SEF) buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Symantec VelociRaptor 500/700/1000, Symantec
VelociRaptor 1100/1200/1300, Symantec Gateway
Security 5110/5200/5300, Solaris Any version,
Windows NT Any version, Windows 2000 Any version,
Raptor Firewall 6.5, Symantec Enterprise Firewall
(SEP) 7.0, Symantec Enterprise Firewall (SEP)
6.5.2, Raptor Firewall 6.5.3
Vulnerability: sef-realaudio-proxy-bo
X-Force URL: http://www.iss.net/security_center/static/10862.php

Date Reported: 12/14/2002
Brief Description: MyPHPLinks index.php[/url] script SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Windows Any version, MyPHPLinks 2.1.9, MyPHPLinks
2.2.0CVS
Vulnerability: myphplinks-index-sql-injection
X-Force URL: http://www.iss.net/security_center/static/10864.php

unSpawn · 12-16-2002, 06:40 PM

SecurityFocus

2. OpenLDAP Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 6328
Remote: Yes
Date Published: Dec 06 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6328
Summary:

OpenLDAP is an open-source implementation of the LDAP protocol.

Several buffer overflow vulnerabilities have been reported for OpenLDAP.

Precise technical details about the nature of the vulnerabilities are
currently unknown. This BID will be updated as more information becomes
available.

An attacker may be able to exploit these vulnerabilities to gain control
over the execution of the vulnerable OpenLDAP process. Although
unconfirmed, an attacker may be able to execute malicious
attacker-supplied code with the privileges of the OpenLDAP process.

3. SuSE GNUPlot French Documentation Buffer Overflow Vulnerability
BugTraq ID: 6329
Remote: No
Date Published: Dec 06 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6329
Summary:

GNUPlot is an interactive function plotting program. It is used to plot
data and functions in a graphical format.

A buffer overflow vulnerability has been reported for GNUPlot shipped with
SuSE Linux. Reportedly, the vulnerability exists in the French
documentation and may allow an attacker to gain control over the execution
of the gnuplot process.

This vulnerability is exacerbated by the fact that gnuplot is typically
installed setuid root on some SuSE distributions.

Precise technical details about the nature of the vulnerability are
currently unknown. This BID will be updated as more information becomes
available.

4. APBoard Unauthorized Thread Reading Vulnerability
BugTraq ID: 6330
Remote: Yes
Date Published: Dec 06 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6330
Summary:

APBoard is a web-based bulletin board package based on PHP and MySQL from
Another PHP Product.

A vulnerability has been reported for APBoard that may allow unauthorized
users to read postings in internal forums. The vulnerability is a result
of the 'useraction.php' script failing to properly check user credentials.

An attacker can exploit this vulnerability to subscribe to a thread in an
internal forum. This may expose sensitive information not intended to be
viewed by the attacker.

This vulnerability was reported for APBoard 2.02. It is not known whether
other versions are affected.

5. Apple Mac OS X Directory Kernel Panic Denial Of Service Vulnerability
BugTraq ID: 6331
Remote: No
Date Published: Dec 07 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6331
Summary:

Mac OS X is the BSD-derived operating system distributed and maintained by
Apple Sofware.

A problem with Mac OS X may make possible a local denial of service
attack.

It has been reported that OS X may crash under some conditions. When a
user creates a directory, descends it, creates another directory of the
same name, then attempts to move the directory up one level in the
hierarchy, the system reacts unpredictably. It has been reported that
this can cause a crash of the system.

This vulnerability could be exploited by a local user to deny service to
legitimate users of the host. This vulnerability requires that an
attacker have the ability to execute the command in a Terminal
application.

6. Ultimate PHP Board Add.PHP Path Disclosure Vulnerability
BugTraq ID: 6333
Remote: Yes
Date Published: Dec 07 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6333
Summary:

Ultimate PHP Board (UPB) is a freely available, open source PHP Bulletin
Board. It is available for the Unix and Linux operating systems.

A problem has been discovered in UPB that could lead to the disclosure of
potentially sensitive information.

Under some circumstances, it may be possible to gain access to sensitive
information, such as the installation path of UPB. By passing an
erroneous request to the add.php script, UPB may return the full path to
the installation. This could lead to the disclosure of sensitive
information, and potentially lead to further attack.

7. Ultimate PHP Board ViewTopic.PHP Directory Contents Browsing Vulnerability
BugTraq ID: 6334
Remote: Yes
Date Published: Dec 08 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6334
Summary:

Ultimate PHP Board (UPB) is a freely available, open source PHP Bulletin
Board. It is available for the Unix and Linux operating systems.

A problem has been discovered in UPB that could lead to the disclosure of
the contents of directoires.

Under some circumstances, it may be possible to disclose the contents of
directories. By passing a malicious request to the viewtopic.php script,
UPB may return a listing of the directory. This could be futher refined
to disclose the contents of selected files.

This could lead to the disclosure of sensitive information, and
potentially lead to further attack. It should be noted that the ability
of the attacker to read information is limited to the privileges of the
web server. Additionally, it is thought that an attacker may not read
directories above the data_dir directory used by UPB.

8. Ultimate PHP Board ViewTopic.PHP Cross Site Scripting Vulnerability
BugTraq ID: 6335
Remote: Yes
Date Published: Dec 08 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6335
Summary:

Ultimate PHP Board (UPB) is a freely available, open source PHP Bulletin
Board. It is available for the Unix and Linux operating systems.

A problem has been discovered in UPB that could lead to cross site
scripting attacks.

By passing a malicious script code to the viewtopic.php script, UPB may
return the script code to the browser of the user visiting the malicious
URL. This could lead to the execution of HTML and script code in the
security context of the UPB site.

9. vBulletin HTML Injection Vulnerability
BugTraq ID: 6337
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6337
Summary:

vBulletin is commercial web forum software written in PHP and back-ended
by a MySQL database. It will run on most Linux and Unix variants, as well
as Microsoft operating systems.

Problems with vBulletin could make it possible for an attacker to inject
arbitrary HTML in vBulletin forum messages.

vBulletin does not sufficiently filter potentially malicious HTML code
from posted messages. As a result, when a user chooses to view a message
posting that contains malicious HTML code, the code contained in the
message would be executed in the browser of the vulnerable user. This will
occur in the context of the site hosting the vBulletin forum software.

Attackers may potentially exploit this issue to manipulate web content or
to steal cookie-based authentication credentials. It may be possible to
take arbitrary actions as the victim user.

This vulnerability was reported for vBulletin 2.2.7 and 2.2.8. It is not
known whether other versions are affected.

11. apt-www-proxy NULL HTTP Request Denial Of Service Vulnerability
BugTraq ID: 6339
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6339
Summary:

apt-www-proxy is a proxy server designed for use with web-based apt-get
repositories.

A denial of service vulnerability has been reported for apt-www-proxy. The
'parse_get()' function in 'utils.c' will fail when attempting to parse
HTTP requests. This will cause the process to crash thus resulting in a
denial of service condition.

To restore functionality, the apt-www-proxy service must be restarted.

This vulnerability has been reported for apt-www-proxy 0.1.

12. apt-www-proxy Format String Vulnerability
BugTraq ID: 6340
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6340
Summary:

apt-www-proxy is a proxy server designed for use with web-based apt-get
repositories.

apt-www-proxy is prone to a format string vulnerability. This problem is
due to incorrect use of the 'syslog()' function to log error messages. It
is possible to corrupt memory by passing format strings through the
vulnerable logging function. This may potentially be exploited to
overwrite arbitrary locations in memory with attacker-specified values.

The vulnerability exists due to inadequate checks performed in the
'awp_log()' function in the 'utils.c' source file.

Successful exploitation of this issue may allow the attacker to execute
arbitrary instructions with the privileges of the vulnerable process.

This vulnerability has been reported for apt-www-proxy 0.1.

13. ProFTPD STAT Command Denial Of Service Vulnerability
BugTraq ID: 6341
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6341
Summary:

ProFTPD is a popular FTP server that ships with numerous Unix and Linux
variants.

A denial of service vulnerability has been reported for ProFTPD. It is
possible to cause ProFTPD from responding to legitimate requests for
service by issuing specially crafted STAT commands. This will result in a
denial of service condition.

An attacker can exploit this vulnerability by logging on to a vulnerable
FTP server and issuing a STAT command composed of several '/*' characters.
When the FTP server receives this command, it will result in a denial of
service condition.

This vulnerability has been reported to affect ProFTPD 1.2.7rc3 and
earlier.

** This issue is closely related to the vulnerability described in BID
2496.

14. Ikonboard User Profile Photo URI HTML Injection Vulnerability
BugTraq ID: 6342
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6342
Summary:

Ikonboard is a web-based bulletin board system implemented in Perl. It may
be installed under Linux, Windows, or many Unix platforms.

Ikonboard is prone to a vulnerability which may enable an attacker to
cause arbitrary HTML and script code to be interpreted by the web client
of other Ikonboard users.

Ikonboard allows users to post a link in their user profile to an external
picture. Ikonboard does not sufficiently sanitize HTML from these photo
URIs in user profiles. An attacker may take advantage of this issue to
embed malicious script code into their user profile. When the profile is
viewed by other users, the attacker-supplied script code will execute in
the security context of the site hosting the Ikonboard software.

Exploitation may allow an attacker to steal cookie-based authentication
credentials or to manipulate web content.

This issue was reported in Ikonboard 3.1.1. Other versions may also be
affected.

15. Ikonboard X-Forwarded-For: Proxy Header Field HTML Injection Vulnerability
BugTraq ID: 6343
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6343
Summary:

Ikonboard is a web-based bulletin board system implemented in Perl. It may
be installed under Linux, Windows, or many Unix platforms.

Ikonboard is prone to HTML injection attacks via X-Forwarded-For: HTTP
header fields for proxies. The HTTP X-Forwarded-For: header field is used
by many proxy server implementations to indicate the original source of a
request that has been forwarded by the proxy. When Ikonboard is accessed
via a proxy, it will log the user's IP address as the address that appears
in the X-Forwarded-For: HTTP header field. HTML will not be sanitized
when this information in the HTTP header field is logged. When an
administrator views the logged IP address, script code supplied via a
malicious X-Forwarded-For: HTTP header field will be executed in the web
client of the administrator.

While the data in the header field is limited to 16 characters, it may be
possible to embed malicious script code or HTML over multiple requests.

Successful exploitation may enable a remote attacker to steal cookie-based
authentication credentials from an administrative user.

This issue was reported in Ikonboard 3.1.1. Other versions may also be
affected.

16. Xoops Private Message System Font Attributes HTML Injection Vulnerability
BugTraq ID: 6344
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6344
Summary:

Xoops is open-source, freely available web portal software written in
object-oriented PHP. It is back-ended by a MySQL database and will run on
most Unix and Linux distributions.

Xoops includes a Private Message System for users, so that they may send
messages to one another. HTML tags used for font attributes, including
bold, italic and underline tags, are not sufficiently filtered of HTML
code. This makes it possible for an attacker to supply malicious input in
the HTML font tags that contain arbitrary script code. When another user
receives the attacker's private message, the malicious script code will be
executed on that user in the context of the site running Xoops.

This issue may be exploited by an attacker to steal a legitimate user's
cookie-based authentication credentials, potentially making it possible to
hijack the users session.

This vulnerability has been reported for Xoops 1.3.5.

18. Cyrus SASL Library Username Heap Corruption Vulnerability
BugTraq ID: 6347
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6347
Summary:

SASL is the Simple Authentication and Security Layer, a method for adding
authentication support to connection-based protocols.

A heap corruption vulnerability has been discovered in Cyrus SASL library.
The overflow occurs in the 'user_buf' and 'authid_buf' buffers while
sanitizing usernames. It is possible to trigger this condition by passing
an overly long string as the 'myhostname' parameter.

Exploiting this vulnerability will give an attacker the ability to
overflow a sensitive buffer in heap memory by 19 bytes. This may allow the
corruption of malloc headers, which could later result in an arbitrary
location in memory being overwritten.

It should be noted that this issue only exists if the default realm is
set.

It should also be noted that although this vulnerability was discovered in
Cyrus, it may also affect other programs that utilize the SASL library.

19. Cyrus SASL Library LDAP Heap Corruption Vulnerability
BugTraq ID: 6348
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6348
Summary:

SASL is the Simple Authentication and Security Layer, a method for adding
authentication support to connection-based protocols.

A heap corruption vulnerability has been discovered in Cyrus SASL library.
It has been discovered that saslauthd utility fails to allocate sufficient
memory when required to escape various characters, including '*', '(',
')', '\' and '\0'. By passing a malicious string as a 'username' or
'realm' value, it may be possible for an attacker to cause insufficient
memory to be allocated for user-supplied input.

Exploiting this issue may allow an attacker to corrupt malloc headers,
which could later result in an arbitrary location in memory being
overwritten. Successful exploitation of this vulnerability would result in
the execution of arbitrary code with the privileges of the vulnerable
application.

It should be noted that although this vulnerability was discovered in
Cyrus, it may also affect other programs that utilize the SASL library.

20. Cyrus SASL Library Logging Memory Corruption Vulnerability
BugTraq ID: 6349
Remote: Yes
Date Published: Dec 09 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6349
Summary:

SASL is the Simple Authentication and Security Layer, a method for adding
authentication support to connection-based protocols.

A memory corruption vulnerability has been discovered in SASL when
generating logs files. It has been reported that under some circumstances
SASL fails to allocate sufficient memory for the '\0' character for a
string used in log entries. By causing Cyrus to generate a malicious log
it may be possible for an attacker to write the '\0' character to a
sensitive location in memory.

This could potentially be exploited to overwrite the LSB of a sensitive
variable or possibly cause inaccurate logs to be created.

It should be noted that under rare circumstances a string that is not NULL
terminated can cause a situation that may be exploited to execute
arbitrary code. It is not known whether this situation occurs in the SASL
library.

It should also be noted that although this vulnerability was discovered in
Cyrus, it may also affect other programs that utilize the SASL library.

21. Trend Micro PC-cillin Mail Scanner Buffer Overflow Vulnerability
BugTraq ID: 6350
Remote: No
Date Published: Dec 10 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6350
Summary:

Trend Micro is a provider of desktop and network antivirus products.

A buffer overflow vulnerability has been reported for PC-cillin's mail
scanning utility. The mail scanning utility is a service that acts as a
proxy to mail clients and runs as 'pop3trap.exe'.

An attacker can exploit this vulnerability by connecting to a vulnerable
pop3trap.exe service and sending an overly long string, consisting of at
least 1100 characters. This will result in the process crashing and
allowing the attacker to gain control over the execution of the process.

Any code to be executed will run with the privileges of the pop3trap.exe
process.

This vulnerability affects PC-cillin 2000, 2002, 2003 and OfficeScan
Corporate Edition 5.02.

22. Canna Server Local Buffer Overflow Vulnerability
BugTraq ID: 6351
Remote: No
Date Published: Dec 10 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6351
Summary:

Canna is a kana-kanji conversion server which is necessary for Japanese
language character input. It is available for the Linux operating system.

A buffer overflow vulnerability has been discovered in Canna. Exploiting
this issue may allow an attacker to overwrite sensitive locations in
memory. It may be possible to run arbitrary system commands, with 'bin'
level privileges, by redirecting program flow to execute attacker-supplied
instructions.

It should be noted that Canna is typically installed only when Japanese
language support is enabled.

Precise technical details regarding this vulnerability are not yet known.
This BID will be updated as more information becomes available.

23. Canna Server Denial Of Service Vulnerability
BugTraq ID: 6354
Remote: Yes
Date Published: Dec 10 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6354
Summary:

Canna is a kana-kanji conversion server which is necessary for Japanese
language character input. It is available for the Linux operating system.

A vulnerability has been discovered in Canna. It has been reported that
due to insufficient request validation it is possible for a remote
attacker to crash the Canna server. Under some circumstances it may also
be possible to cause information leakage.

It should be noted that Canna is typically installed only when Japanese
language support is enabled.

Precise technical details regarding this vulnerability are not yet known.
This BID will be updated as more information becomes available.

24. WGet NLST Client Side File Overwriting Vulnerability
BugTraq ID: 6352
Remote: Yes
Date Published: Dec 10 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6352
Summary:

wget is a freely available, open source FTP utility. It is included with
many Unix and Linux operating systems.

A problem with wget may result in the overwriting of arbitrary files.

wget does not properly handle some types of server responses. When a NLST
response is received from an FTP server, RFC specifications require that
clients check the input to see if it contains directory information.
wget does not properly check this information, which may allow a remote
FTP server to overwrite files on the client system.

It should be noted that this vulnerability requires an FTP server to know
the path to the file to be overwritten. Additionally, this vulnerability
may be exploited to overwrite only those files which are write-permissible
by the FTP client user.

unSpawn · 12-22-2002, 08:24 AM

Linux Advisory Watch

Package: wget
Date: 12-13-2002
Description:
The vulnerability resides in the way wget handles server answers to LIST
and multiple GET requests. If the filenames in the answer begin with
characters pointing to parent directories (like "../" or "/"), wget can
download files to that location, thus overwritting arbitrary files.
Conectiva Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2664.html
Debian Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2661.html
Trustix Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2689.html

Package: kernel
Date: 12-13-2002
Description:
Christophe Devine reported[1] a vulnerability in versions prior to 2.4.20
of the linux kernel that could be exploited by a local non-root user to
completely "freeze" the machine. A local attacker could exploit this
vulnerability to cause a Denial of Service (DoS) condition. This update
fixes this problem.
Conectiva Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2673.html
Trustix Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2685.html

Package: fetchmail
Date: 12-16-2002
Description:
Stefan Esser discovered[1] a buffer overflow vulnerability in fetchmail
versions prior to 6.1.3 (inclusive) that can be exploited remotelly with
the use of specially crafted mail messages. By exploiting this the
attacker can crash fetchmail or execute arbitrary code with the privileges
of the user running it.
Conectiva Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2674.html
Gentoo Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2666.html
Red Hat Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2676.html

Package: mysql
Date: 12-17-2002
Description:
The server vulnerabilities can be exploited to crash the MySQL server,
bypass password restrictions or even execute arbitrary code with the
privileges of the user running the server process. The library ones
consist in an arbitrary size heap overflow and a memory addressing problem
that can be both exploited to crash or execute arbitrary code in programs
linked against libmysql.
Conectiva Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2678.html
Debian Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2675.html
EnGarde Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2660.html
Mandrake Vendor Adivsory:
http:http://www.linuxsecurity.com/advisor...sory-2681.html
OpenPKG:
http:http://www.linuxsecurity.com/advisor...sory-2670.html
Gentoo Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2665.html

Package: openldap
Date: 12-19-2002
Description:
The vulnerabilities consists mainly in buffer overflows in both the
OpenLDAP server and in the libraries provided with the OpenLDAP package.
Some of these vulnerabilities can be exploited by attackers remotely or
locally to compromise the OpenLDAP server or applications linked against
the vulnerable libraries.
Conectiva Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2682.html

Package: lynx
Date: 12-19-2002
Description:
lynx (a text-only web browser) did not properly check for illegal
characters in all places, including processing of command line options,
which could be used to insert extra HTTP headers in a request.
Debian Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2662.html

Package: micq
Date: 12-13-2002
Description:
Rdiger Kuhlmann, upstream developer of mICQ, a text based ICQ client,
discovered a problem in mICQ. Receiving certain ICQ message types that do
not contain the required 0xFE seperator causes all versions to crash.
Debian Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2663.html

Package: libpng
Date: 12-19-2002
Description:
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG (Portable
Network Graphics) format files. The starting offsets for the loops are
calculated incorrectly which causes a buffer overrun beyond the beginning
of the row buffer.
Debian Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2683.html

Package: squirrelmail
Date: 12-15-2002
Description:
read_body.php didn't filter out user input for 'filter_dir' and 'mailbox',
making a xss attack possible.
Gentoo Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2668.html

Package: exim
Date: 12-16-2002
Description:
There is a format string bug in daemon.c.
Gentoo Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2669.html

Package: net-SNMP
Date: 12-16-2002
Description:
The Net-SNMP packages shipped with Red Hat Linux 8.0 contain several bugs
including a remote denial of service vulnerability. This errata release
corrects those problems.
Red Hat Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2677.html

Package: apache
Date: 12-18-2002
Description:
A number of vulnerabilities were discovered in Apache versions prior to
1.3.27. The first is regarding the use of shared memory (SHM) in Apache.
An attacker that is able to execute code as the UID of the webserver
(typically "apache") is able to send arbitrary processes a USR1 signal as
root. Using this vulnerability, the attacker can also cause the Apache
process to continously span more children processes, thus causing a local
DoS. Another vulnerability was discovered by Matthew Murphy regarding a
cross site scripting vulnerability in the standard 404 error page.
Finally, some buffer overflows were found in the "ab" benchmark program
that is included with Apache.
Mandrake Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2680.html

Package: lynx-ssl
Date: 12-19-2002
Description:
This SSL patch package for Lynx provides the ability to make use of SSL
over HTTP for secure access to web sites (HTTPS) and over NNTP for secure
access to news servers (SNEWS). SSL is handled transparently, allowing
users to continue accessing web sites and news services from within Lynx
through the same interface for both secure and standard transfers.
Trustix Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2686.html

Package: perl
Date: 12-19-2002
Description:
Perl allows for socalled "safe compartmemts" where code can be evalutated
without access to variables outside this environment. There was, however,
a bug with regards to applications using this safe compartment more than
once.
Trustix Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2687.html

Package: tcpdump
Date: 12-19-2002
Description:
Tcpdump tries to decode packages it sees on the network to provide some
information to the user. In the decoding of BGP packages, it failed to do
proper bounds checking. The impact is not known, but it could at least be
used to crash tcpdump. This is fixed in the 3.7.1 release of tcpdump.
Trustix Vendor Advisory:
http:http://www.linuxsecurity.com/advisor...sory-2688.html