LinuxQuestions.org
Old 02-17-2003, 06:25 PM   #1
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

LQ weekly security rep - Mon Feb 17th 2003


Feb 19th 2003
OpenSSL 0.9.7a available, including important bugfixes.

Feb 17th 2003
15 of 28 issues handled (SF)
1. W3M Frame Enabled Browsing Cross Site Scripting Vulnerability
2. W3M Image Attribute Cross Site Scripting Vulnerability
4. Red Hat Linux User Mode Linux SetUID Installation Vulnerability
7. Netgear FM114P Wireless Firewall File Disclosure Vulnerability
8. Nethack Local Buffer Overflow Vulnerability
10. Opera Username URI Warning Dialog Buffer Overflow Vulnerability
11. Gallery Insecure File Permissions Vulnerability
14. Opera opera.PluginContext Native Method Buffer Overflow Vulnerability
15. Eset Software NOD32 Antivirus Local Buffer Overflow Vulnerability
17. Cedric Email Reader Global Configuration Script Remote File Include Vulnerability
18. Cedric Email Reader Skin Configuration Script Remote File Include Vulnerability
20. Cisco IOS ICMP Redirect Routing Table Modification Vulnerability
21. Ericsson HM220dp DSL Modem World Accessible Web Administration Interface Vulnerability
22. APC apcupsd Client Syslog Format String Vulnerability
24. CGI Lite Perl Module Metacharacter Input Validation Vulnerability

Feb 17th 2003
26 of 48 issues handled (ISS)
Unreal Tournament Server known file directory
Unreal Tournament Server long Unreal URL request
Unreal Tournament Server malformed packet denial of
Unreal Tournament Server request to join denial of
Unreal Tournament Server large negative index
eSafe Gateway Check Point Content Vectoring
Cedric Email Reader PHP file include
NETGEAR FM114P hexadecimal URL encoded "dot dot"
NetHack -s command buffer overflow
Gallery creates an insecure album directory
Abyss Web Server Web management interface brute
NOD32 for UNIX long pathname buffer overflow
Posadis DNS packet denial of service
Ericsson HM220dp could allow an attacker to bypass
Solaris mail(1) could allow unauthorized access to
Cisco IOS invalid ICMP redirects could reroute
CGI::Lite Perl module escape_dangerous_chars()
Oracle Database Server BFILENAME() DIRECTORY buffer
Oracle Database Server TZ_OFFSET() buffer overflow
Oracle Database Server TO_TIMESTAMP_TZ() buffer
Oracle Database Server ORACLE.EXE buffer overflow
Oracle9i Application Server DAV_PUBLIC directory
Oracle9i Application Server MOD_ORADAV module
Lotus Domino Web server "dot" file download
util-linux mcookie utility generates predictable
Apcupsd log_event() function format string attack

Last edited by unSpawn; 02-19-2003 at 12:31 PM.
 
Old 02-17-2003, 06:26 PM   #2
unSpawn
Moderator
 
Feb 17th 2003 (ISS)

Internet Security Systems

Date Reported: 02/05/2003
Brief Description: Unreal Tournament Server known file directory
traversal
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unreal
Tournament Server 436 and earlier
Vulnerability: ut-file-directory-traversal
X-Force URL: http://www.iss.net/security_center/static/11299.php

Date Reported: 02/05/2003
Brief Description: Unreal Tournament Server long Unreal URL request
memory corruption
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unreal
Tournament Server 436 and earlier
Vulnerability: ut-url-memory-corruption
X-Force URL: http://www.iss.net/security_center/static/11301.php

Date Reported: 02/05/2003
Brief Description: Unreal Tournament Server malformed packet denial of
service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unreal
Tournament Server 436 and earlier
Vulnerability: ut-packet-dos
X-Force URL: http://www.iss.net/security_center/static/11302.php

Date Reported: 02/05/2003
Brief Description: Unreal Tournament Server request to join denial of
service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unreal
Tournament Server 436 and earlier
Vulnerability: ut-join-request-dos
X-Force URL: http://www.iss.net/security_center/static/11304.php

Date Reported: 02/05/2003
Brief Description: Unreal Tournament Server large negative index
memory corruption
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Windows Any version, Unreal
Tournament Server 436 and earlier
Vulnerability: ut-negative-memory-corruption
X-Force URL: http://www.iss.net/security_center/static/11305.php

Date Reported: 02/06/2003
Brief Description: eSafe Gateway Check Point Content Vectoring
Protocol (CVP) messages could bypass content
filtering
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, eSafe
Gateway 3.5 Build 126
Vulnerability: esafe-gateway-filter-bypass
X-Force URL: http://www.iss.net/security_center/static/11295.php

Date Reported: 02/09/2003
Brief Description: Cedric Email Reader PHP file include
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Cedric Email Reader 0.2, Cedric Email
Reader 0.3, Cedric Email Reader 0.4
Vulnerability: cedric-email-file-include
X-Force URL: http://www.iss.net/security_center/static/11278.php

Date Reported: 02/09/2003
Brief Description: NETGEAR FM114P hexadecimal URL encoded "dot dot"
directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms: NETGEAR FM114P 1.4 Beta Release 17
Vulnerability: netgear-fm114p-directory-traversal
X-Force URL: http://www.iss.net/security_center/static/11279.php

Date Reported: 02/09/2003
Brief Description: NetHack -s command buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: FreeBSD Ports Collection Any version, Red Hat Linux
8.0, NetHack 3.4.0
Vulnerability: nethack-s-command-bo
X-Force URL: http://www.iss.net/security_center/static/11283.php

Date Reported: 02/09/2003
Brief Description: Gallery creates an insecure album directory
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, Gallery 1.3.3
Vulnerability: gallery-album-insecure-directory
X-Force URL: http://www.iss.net/security_center/static/11284.php

Date Reported: 02/09/2003
Brief Description: Abyss Web Server Web management interface brute
force attack
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Abyss Web
Server 1.1.2 and prior
Vulnerability: abyss-web-admin-bruteforce
X-Force URL: http://www.iss.net/security_center/static/11310.php

Date Reported: 02/10/2003
Brief Description: NOD32 for UNIX long pathname buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: NOD32 for UNIX 1.012 and earlier, Unix Any version
Vulnerability: nod32-pathname-bo
X-Force URL: http://www.iss.net/security_center/static/11282.php

Date Reported: 02/11/2003
Brief Description: Posadis DNS packet denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Posadis 0.50.4, Posadis 0.50.5, Posadis
0.50.6, Posadis 0.50.7, Posadis 0.50.8
Vulnerability: posadis-dns-packet-dos
X-Force URL: http://www.iss.net/security_center/static/11285.php

Date Reported: 02/11/2003
Brief Description: Ericsson HM220dp could allow an attacker to bypass
authentication
Risk Factor: Medium
Attack Type: Network Based
Platforms: Ericsson HM220dp Any version
Vulnerability: ericsson-hm220dp-auth-bypass
X-Force URL: http://www.iss.net/security_center/static/11290.php

Date Reported: 02/11/2003
Brief Description: Solaris mail(1) could allow unauthorized access to
other user's email
Risk Factor: Medium
Attack Type: Host Based
Platforms: Solaris 2.6, Solaris 7, Solaris 8, Solaris 9
Vulnerability: solaris-mail-unauthorized-access
X-Force URL: http://www.iss.net/security_center/static/11303.php

Date Reported: 02/11/2003
Brief Description: Cisco IOS invalid ICMP redirects could reroute
packets
Risk Factor: Medium
Attack Type: Network Based
Platforms: Cisco IOS Any version
Vulnerability: cisco-ios-icmp-redirect
X-Force URL: http://www.iss.net/security_center/static/11306.php

Date Reported: 02/11/2003
Brief Description: CGI::Lite Perl module escape_dangerous_chars()
shell command execution
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, CGI::Lite 2.0
Vulnerability: cgilite-shell-command-execution
X-Force URL: http://www.iss.net/security_center/static/11308.php

Date Reported: 02/11/2003
Brief Description: Oracle Database Server BFILENAME() DIRECTORY buffer
overflow
Risk Factor: High
Attack Type: Network Based
Platforms: AIX Any version, HP-UX Any version, IRIX Any
version, Linux Any version, Solaris Any version,
Tru64 UNIX Any version, Windows NT Any version,
DG/UX Any version, Novell NetWare Any version,
Windows 2000 Any version, Windows XP, OpenVMS Any
version, Oracle9i Database Server Release 2 Any
version, Oracle9i Database Server Release 1 Any
version, Oracle8i Database Server 8.1.7, Oracle8i
Database Server 8.0.6, Caldera UnixWare Any
version, IBM OS/390 Any version
Vulnerability: oracle-bfilename-directory-bo
X-Force URL: http://www.iss.net/security_center/static/11325.php

Date Reported: 02/11/2003
Brief Description: Oracle Database Server TZ_OFFSET() buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: AIX Any version, HP-UX Any version, IRIX Any
version, Linux Any version, Solaris Any version,
Tru64 UNIX Any version, Windows NT Any version,
DG/UX Any version, Novell NetWare Any version,
Windows 2000 Any version, Windows XP, OpenVMS Any
version, Oracle9i Database Server Release 2 Any
version, Oracle9i Database Server Release 1 Any
version, Oracle8i Database Server 8.1.7, Oracle8i
Database Server 8.0.6, Caldera UnixWare Any
version, IBM OS/390 Any version
Vulnerability: oracle-tzoffset-bo
X-Force URL: http://www.iss.net/security_center/static/11326.php

Date Reported: 02/11/2003
Brief Description: Oracle Database Server TO_TIMESTAMP_TZ() buffer
overflow
Risk Factor: High
Attack Type: Network Based
Platforms: AIX Any version, HP-UX Any version, IRIX Any
version, Linux Any version, Solaris Any version,
Tru64 UNIX Any version, Windows NT Any version,
DG/UX Any version, Novell NetWare Any version,
Windows 2000 Any version, Windows XP, OpenVMS Any
version, Oracle9i Database Server Release 2 Any
version, Oracle9i Database Server Release 1 Any
version, Oracle8i Database Server 8.1.7, Oracle8i
Database Server 8.0.6, Caldera UnixWare Any
version, IBM OS/390 Any version
Vulnerability: oracle-totimestamptz-bo
X-Force URL: http://www.iss.net/security_center/static/11327.php

Date Reported: 02/11/2003
Brief Description: Oracle Database Server ORACLE.EXE buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: AIX Any version, HP-UX Any version, IRIX Any
version, Linux Any version, Solaris Any version,
Tru64 UNIX Any version, Windows NT Any version,
DG/UX Any version, Novell NetWare Any version,
Windows 2000 Any version, Windows XP, OpenVMS Any
version, Oracle9i Database Server Release 2 Any
version, Oracle9i Database Server Release 1 Any
version, Oracle8i Database Server 8.1.7, Oracle8i
Database Server 8.0.6, Caldera UnixWare Any
version, IBM OS/390 Any version
Vulnerability: oracle-oracle-exe-bo
X-Force URL: http://www.iss.net/security_center/static/11328.php

Date Reported: 02/11/2003
Brief Description: Oracle9i Application Server DAV_PUBLIC directory
denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms: AIX Any version, HP-UX Any version, Linux Any
version, Solaris Any version, Tru64 UNIX Any
version, Windows NT Any version, Windows 2000 Any
version, Oracle9i Application Server 9.0.2
Vulnerability: oracle-appserver-davpublic-dos
X-Force URL: http://www.iss.net/security_center/static/11330.php

Date Reported: 02/11/2003
Brief Description: Oracle9i Application Server MOD_ORADAV module
denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms: AIX Any version, HP-UX Any version, Linux Any
version, Solaris Any version, Tru64 UNIX Any
version, Windows NT Any version, Windows 2000 Any
version, Oracle9i Application Server 9.0.2,
Oracle9i Application Server 9.0.3
Vulnerability: oracle-appserver-modoradav-dos
X-Force URL: http://www.iss.net/security_center/static/11331.php

Date Reported: 02/12/2003
Brief Description: Lotus Domino Web server "dot" file download
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Lotus Domino 5.x, Lotus Domino 6.x
Vulnerability: lotus-domino-dot-file-download
X-Force URL: http://www.iss.net/security_center/static/11311.php

Date Reported: 02/13/2003
Brief Description: util-linux mcookie utility generates predictable
cookies
Risk Factor: Low
Attack Type: Host Based
Platforms: Mandrake Linux 8.2, Mandrake Linux 9.0
Vulnerability: utillinux-mcookie-cookie-predictable
X-Force URL: http://www.iss.net/security_center/static/11318.php

Date Reported: 02/15/2003
Brief Description: Apcupsd log_event() function format string attack
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Apcupsd 3.8.5
and earlier, Apcupsd 3.10.4 and earlier
Vulnerability: apcupsd-logevent-format-string
X-Force URL: http://www.iss.net/security_center/static/11334.php
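The NETGEAR FM114P entry above is a percent-encoded "dot dot" traversal: the request in the SecurityFocus summary later in this thread, /upnp/service/%2e%2e%2fnetgear.cfg, hides the ".." from any filter that looks for the literal string. The following detector is an added example, not code from ISS, SecurityFocus or NETGEAR; the log lines are constructed samples, and decoding more than once (to catch double encoding such as %252e) goes beyond what the advisory describes.

```python
"""Hunting for percent-encoded "dot dot" traversal in web-server access logs.

Added example; not code from ISS, SecurityFocus or NETGEAR.  The request
shape comes from the FM114P item: /upnp/service/%2e%2e%2fnetgear.cfg, where
URL encoding hides the ".." from a filter that looks for the literal string.
The detector decodes repeatedly (double encoding such as %252e is a
generalisation beyond the advisory), splits the path into segments and
flags any ".." segment; resolve_under() is the matching server-side check.
All log lines are constructed samples in common-log format.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample traffic (not real log data).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Feb/2003:12:00:01 -0500] "GET /upnp/service/%2e%2e%2fnetgear.cfg HTTP/1.0" 200 1432
192.0.2.11 - - [10/Feb/2003:12:00:05 -0500] "GET /upnp/service/description.xml HTTP/1.0" 200 512
192.0.2.12 - - [10/Feb/2003:12:00:09 -0500] "GET /upnp/service/..%2fnetgear.cfg HTTP/1.0" 200 1432
192.0.2.13 - - [10/Feb/2003:12:00:12 -0500] "GET /upnp/service/%252e%252e%252fnetgear.cfg HTTP/1.0" 404 0
192.0.2.14 - - [10/Feb/2003:12:00:15 -0500] "GET /upnp/service/./icon.gif HTTP/1.0" 200 2048
"""

# Common-log format: client, ident, user, [timestamp], "METHOD target proto", status
_REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(target, max_rounds=3):
    """Percent-decode until the string stops changing, with a bound so a
    pathological input cannot keep us decoding forever."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def path_segments(target):
    """Path part of the request target (query dropped), decoded and split."""
    return fully_decode(target.split("?", 1)[0]).split("/")


def is_traversal_attempt(target):
    """True when any decoded segment is '..', however it was encoded."""
    return ".." in path_segments(target)


def resolve_under(base, target):
    """Server-side check: return the normalised path if it stays inside
    `base`, otherwise None.  normpath() collapses '.' and '..' first, so the
    prefix comparison is made on the path that would actually be opened."""
    norm = posixpath.normpath(fully_decode(target.split("?", 1)[0]))
    base_norm = posixpath.normpath(base)
    if norm == base_norm or norm.startswith(base_norm + "/"):
        return norm
    return None


def scan_log(text):
    """Return one finding per request whose decoded path contains '..'."""
    findings = []
    for line in text.splitlines():
        m = _REQ_RE.match(line)
        if m is None:
            continue  # not a request line we understand
        target = m.group("target")
        if is_traversal_attempt(target):
            findings.append({
                "ip": m.group("ip"),
                "status": m.group("status"),
                "target": target,
                "decoded": fully_decode(target),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} status={f['status']} {f['target']} -> {f['decoded']}")
```

Note that the 404 line is still reported: a rejected attempt is exactly the kind of probe worth seeing, and the "./icon.gif" request is not flagged because only ".." segments count.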
 
Old 02-17-2003, 06:29 PM   #3
unSpawn
Moderator
 
Feb 17th 2003 (SF)

SecurityFocus

1. W3M Frame Enabled Browsing Cross Site Scripting Vulnerability
BugTraq ID: 6793
Remote: Yes
Date Published: Feb 07 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6793
Summary:

W3M is a text-based Web browser. It is developed for several platforms
including Linux and Unix variant operating systems.

A cross site scripting vulnerability has been reported for W3M if frames
support is enabled. Due to inadequate sanitization of some HTML tags, it
is possible for an attacker to steal another user's cookie information or
other sensitive data. Specifically, W3M does not fully sanitize malicious
HTML code from FRAME tags.

It should be noted that this vulnerability is exploitable only if W3M is
executed with the '-F' commandline option.

This vulnerability has been reported to affect W3M 0.3.2. It is likely
that earlier versions are affected.

2. W3M Image Attribute Cross Site Scripting Vulnerability
BugTraq ID: 6794
Remote: Yes
Date Published: Feb 07 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6794
Summary:

W3M is a text-based Web browser. It is developed for several platforms
including Linux and Unix variant operating systems.

A cross site scripting vulnerability has been reported for W3M. Due to
inadequate sanitization of some HTML tags, it is possible for an attacker
to steal another user's cookie information or other sensitive data.
Specifically, W3M does not fully sanitize malicious HTML code from IMAGE
tags.

This vulnerability has been reported to affect W3M 0.3.2.2 and earlier.

4. Red Hat Linux User Mode Linux SetUID Installation Vulnerability
BugTraq ID: 6801
Remote: No
Date Published: Feb 07 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6801
Summary:

Red Hat Linux is a freely available, open source operating system
distributed by Red Hat Incorporated.

A problem with a component of the kernel-utils package may make it
possible for local users to perform unauthorized activities.

It has been reported that under some circumstances, Red Hat Linux may
allow unauthorized actions through User-Mode-Linux compatibility. Due to
permissions on some components installed with the User-Mode-Linux
utilities, a local user could perform actions on the system that require
privilege, potentially affecting local host security.

The problem is in the setuid bit given to the uml_net program. When
installed with the kernel-utils package, the program is installed setuid
root. A local user could execute this program to control network
interfaces, or manipulate some network settings.

7. Netgear FM114P Wireless Firewall File Disclosure Vulnerability
BugTraq ID: 6807
Remote: Yes
Date Published: Feb 10 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6807
Summary:

Netgear FM114P Cable/DSL Prosafe 802.11b Wireless Firewall is a hardware
appliance that can allow several systems to share a single broadband
Internet connection. The device also includes a firewall and is managed
through a web interface.

A directory traversal vulnerability exists in the FM114P's web
administration interface.

The firewall does not properly sanitize URL requests. Starting from the
upnp/service directory on the firewall, it is possible for an
unauthenticated user to traverse out of this directory using escaped
character sequences. Submitting the following request to the firewall
would retrieve the configuration file:
http://<ip-or-hostname>:<port>/upnp/service/%2e%2e%2fnetgear.cfg

This could allow an unauthenticated user to retrieve the firewall's
configuration file and possibly other sensitive information.

This vulnerability was reported to affect firmware version 1.4 Beta 17.
Other versions may also be affected.

8. Nethack Local Buffer Overflow Vulnerability
BugTraq ID: 6806
Remote: No
Date Published: Feb 10 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6806
Summary:

Nethack is a game included with several distributions of Linux including
Red Hat Linux. It has been reported that Nethack fails to drop privileges,
potentially resulting in privilege escalation.

A buffer overflow has been discovered in Nethack when invoked with the
'-s' command line option. By passing an overly large string, consisting of
at least 1000 characters, to the '-s' command line option of
/usr/games/lib/nethackdir/nethack, it is possible to corrupt memory.

By exploiting this issue it may be possible for an attacker to overwrite
values in sensitive areas of memory, resulting in the execution of
arbitrary attacker-supplied code.

Nethack distributed with Red Hat Linux is shipped with setgid 'games'
privileges. Successful exploitation would result in the escalation of
privileges to the 'games' group, which could result in the corruption of
saved game data, as well as storage consumption.

10. Opera Username URI Warning Dialog Buffer Overflow Vulnerability
BugTraq ID: 6811
Remote: Yes
Date Published: Feb 10 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6811
Summary:

Opera is a web client available for a number of platforms including Unix
and Linux variants, and Microsoft Windows operating systems.

For security purposes, Opera will display a warning any time a user of the
client visits a link containing a username as part of the URI. Bounds
checking is not performed on the length of the username when it is copied
into a local buffer for display in the warning message.

An excessively long username in a link will trigger a buffer overflow
condition that may overwrite the stack frame of the affected function.
Attackers may exploit this vulnerability to execute instructions on client
systems. This condition may be exploited from a malicious webpage.
Exploitation may occur through links, image tags, frames or other means.

This issue was reported for Opera on Microsoft Windows platforms. It is not known if other platforms are affected.

11. Gallery Insecure File Permissions Vulnerability
BugTraq ID: 6809
Remote: No
Date Published: Feb 10 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6809
Summary:

Gallery is a web based photo album written using PHP. Gallery is used to
create and maintain albums of photos via a web-based interface.

A problem has been reported in the Gallery application. When creating
'temp' and 'albums' directories and managing image files, Gallery uses
unsafe file permissions. Specifically, Gallery creates these folders with
the same group and owner permissions of the web server.

As a result, anyone who may have access to local web server resources may
gain access to other users' Gallery albums.

This vulnerability could lead to local users obtaining unauthorized access
to sensitive files by causing the web server to execute a malicious
script.

This vulnerability was reported for Gallery version 1.3.3. It is not known
if earlier versions are affected by this vulnerability.

14. Opera opera.PluginContext Native Method Buffer Overflow Vulnerability
BugTraq ID: 6814
Remote: Yes
Date Published: Feb 10 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6814
Summary:

Opera is a web client available for a number of platforms including Unix
and Linux variants, and Microsoft Windows operating systems.

Opera ships with a trusted Java class ('opera.PluginContext') that
includes a native method that is reportedly vulnerable to a buffer
overflow condition. This issue exists in the 'showDocument' method of the
'opera.PluginContext' class. If a URL object containing a URL String of
excessive length is passed to the method, the JVM and browser will crash.
This may be due to a buffer overflow condition in the native method
(native methods can be written in C).

This issue was reported in versions of Opera for Microsoft Windows
operating systems. It is not known if other platforms are also affected.
Java support must be enabled for this issue to be present and can be
disabled to prevent attacks.

15. Eset Software NOD32 Antivirus Local Buffer Overflow Vulnerability
BugTraq ID: 6803
Remote: No
Date Published: Feb 10 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6803
Summary:

Eset Software's NOD32 Antivirus System is a cross-platform anti-virus
application. It is available for a variety of platforms including the
Microsoft Windows, Linux, and BSD-derived operating systems.

A vulnerability has been discovered in NOD32 for the Linux and Unix
platforms. Due to insufficient bounds checking a buffer overflow occurs
when NOD32 processes file system paths of excessive length. Specifically,
a path name containing 500, or more, bytes of data will trigger memory
corruption.

This vulnerability could be exploited by coaxing a user to scan a
malicious location with the NOD32 Antivirus software. When the path of
excessive length is processed by NOD32, sensitive memory will be
corrupted. By exploiting this issue to execute code it is possible to run
arbitrary commands with the privileges of the user running NOD32.

This issue affects NOD32 versions 1.012 and earlier.

17. Cedric Email Reader Global Configuration Script Remote File Include Vulnerability
BugTraq ID: 6820
Remote: Yes
Date Published: Feb 09 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6820
Summary:

Cedric Email Reader is a web mail application. It is implemented in PHP
and available for Unix and Linux variants as well as Microsoft Windows
operating systems.

It has been reported that Cedric Email Reader is prone to an issue that
may allow remote attackers to include files located on remote servers.
This issue is present in the 'emailreader_execute_on_each_page.inc.php'
script.

Under some circumstances, it is possible for remote attackers to influence
the include path for a configuration file to point to an external file on
a remote server. The attacker may cause this to occur by submitting a
path to an external file as the '$emailreader_ini' URI parameter.

If the remote file is a PHP script, this may be exploited to execute
arbitrary system commands in the context of the web server.

It has also been reported that it is possible to cause local files to be
included, resulting in disclosure of webserver readable files to the
attacker. This has not been confirmed.

18. Cedric Email Reader Skin Configuration Script Remote File Include Vulnerability
BugTraq ID: 6818
Remote: Yes
Date Published: Feb 09 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6818
Summary:

Cedric Email Reader is a web mail application. It is implemented in PHP
and available for Unix and Linux variants as well as Microsoft Windows
operating systems.

It has been reported that Cedric Email Reader is prone to an issue that
may allow remote attackers to include files located on remote servers.
This issue is present in the 'email.php' script.

Under some circumstances, it is possible for remote attackers to influence
the include path for a configuration file to point to an external file on
a remote server. The attacker may cause this to occur by submitting a
path to an external file as the '$cer_skin' URI parameter.

If the remote file is a PHP script, this may be exploited to execute
arbitrary system commands in the context of the web server.

It has also been reported that it is possible to cause local files to be
included, resulting in disclosure of webserver readable files to the
attacker. This has not been confirmed.

20. Cisco IOS ICMP Redirect Routing Table Modification Vulnerability
BugTraq ID: 6823
Remote: Yes
Date Published: Feb 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6823
Summary:

Internet Operating System (IOS) is the firmware used on Cisco routers. It
is distributed and maintained by Cisco.

It has been reported that it is possible to make arbitrary remote
modifications to the Cisco IOS routing table.

If IP routing is disabled on a vulnerable router, the router will accept
malicious ICMP redirect packets and modify its routing table accordingly.
ICMP redirect messages are normally sent to indicate inefficient routing,
a new route or a routing change. An attacker may specify a default gateway
on the local network that does not exist; this would effectively deny
service to any destination that is outside the local subnet. This
vulnerability requires that IP routing be explicitly disabled on the
system using an affected version of Cisco IOS, thus making the router a
host on the network.

The attacker may also intercept network data by making routing table
modifications to redirect network communications through the attacker's
machine.

21. Ericsson HM220dp DSL Modem World Accessible Web Administration Interface Vulnerability
BugTraq ID: 6824
Remote: Yes
Date Published: Feb 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6824
Summary:

The Ericsson HM220dp DSL Modem is a broadband modem used in homes and
small office environments.

The modem uses a web interface to allow remote administration and
configuration. This interface does not require users to authenticate in
any way in order to access it. The modem also does not allow users to
enable any form of authentication.

Remote attackers may connect to the interface and change configuration
settings to render the modem unusable until it is reset or reconfigured.

22. APC apcupsd Client Syslog Format String Vulnerability
BugTraq ID: 6828
Remote: Unknown
Date Published: Feb 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6828
Summary:

Apcupsd provides UPS power management under Linux and BSD systems for APC
Products.

A vulnerability has been reported for apcupsd client that may result in an
attacker obtaining elevated privileges on the vulnerable system.

The 'log_event' function in 'apclog.c' contains an insecure instance of a
syslog() call. Due to this programming error, it may be possible to
exploit a format string vulnerability in the apcupsd 'log_event' function.

When the program is invoked using the vulnerable function, it may be
possible to exploit a format string vulnerability through the generation
of a malicious log event that contains attacker-supplied format strings.
In the event that this vulnerability is exploited, an attacker could cause
arbitrary locations in memory to be corrupted with attacker-specified data
and execute code with the privileges of the apcupsd user.

24. CGI Lite Perl Module Metacharacter Input Validation Vulnerability
BugTraq ID: 6833
Remote: Yes
Date Published: Feb 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6833
Summary:

CGI Lite is a freely available Perl module that is used to decode form and
query information, including file uploads and cookies.

A vulnerability has been reported in the escape_dangerous_chars()
function, which is a part of the CGI Lite Perl module.

The function does not sufficiently sanitize all instances of potentially
dangerous characters. As the end result, externally supplied input may not
be adequately sanitized before being used in other Perl functions. This
will create a false sense of security and may allow an attacker to execute
arbitrary commands via a CGI program which depends on the vulnerable
function.

The following characters are not sanitized by the function:

\, ?, ~, ^, \n, \r

If the function is used as part of a CGI application to sanitize
externally supplied input before passing it to Perl functions such as
system() or open(), it may be possible to execute commands on the
underlying shell of the host. It should be noted that these other
functions would need to be called in an unsafe manner for this issue to be
exploited.

Commands executed as a consequence of exploiting this issue will be in the
context of the webserver process.
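The CGI Lite item above is the usual failure of a denylist escaper: whichever characters it forgets (here `\`, `?`, `~`, `^`, newline and carriage return) go through untouched. The block below is an added example, not code from CGI::Lite or the advisory: `model_escape()` is a constructed stand-in for such an escaper, and the alternatives beside it are an allowlist check on the parameter, `shlex.quote()` where a shell string is unavoidable, and passing the value as a single argv element so no shell parses it at all.

```python
"""Defensive alternatives to a denylist escaper, prompted by the CGI::Lite
escape_dangerous_chars() item.

Added example; not code from CGI::Lite or the advisory.  model_escape() is a
constructed stand-in for a backslash-escaping denylist: it covers common
shell metacharacters but, like the advisory's list, not backslash, '?', '~',
'^', newline or carriage return.  The alternatives shown are an allowlist
check on the CGI parameter, shell quoting done by the standard library, and
handing the value to the program as one argv element so that no shell ever
parses it.
"""
import re
import shlex
import subprocess
import sys

# Constructed denylist for the model escaper; it deliberately omits the
# characters the advisory reports as unsanitised: \ ? ~ ^ \n \r
_DENYLIST = set(";<>*|`&$!#()[]{}:'\"")

# Allowlist for a parameter expected to be a plain file or album name.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def model_escape(value):
    """Hypothetical denylist escaper: prefix each denylisted char with '\\'.
    Anything outside the denylist, newline included, passes straight through."""
    return "".join("\\" + c if c in _DENYLIST else c for c in value)


def allowlist_ok(value):
    """Accept only names matching the allowlist; everything else is rejected
    rather than escaped, which closes the gap a forgotten character leaves."""
    return _NAME_RE.fullmatch(value) is not None


def quote_for_shell(value):
    """If a shell command string is unavoidable, let shlex.quote() produce the
    single-quoted form instead of maintaining a hand-written denylist."""
    return shlex.quote(value)


def run_without_shell(value):
    """Pass `value` as one argv element.  With no shell in the path, ';',
    newline and the rest are ordinary characters; the child echoes argv[1]."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    sample = "album~1\n?"  # constructed input using the advisory's characters
    print("denylist escaper leaves it as:", repr(model_escape(sample)))
    print("allowlist accepts it:", allowlist_ok(sample))
    print("shell-quoted form:", quote_for_shell(sample))
    print("argv element received intact:", repr(run_without_shell(sample)))
```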
 
Old 02-19-2003, 12:35 PM   #4
unSpawn
Moderator
 
Feb 19th 2003

OpenSSL 0.9.7a available, including important bugfixes.

Security: Important security related bugfixes. [0.9.7a and 0.9.6i]
Enhanced compatibility with MIT Kerberos. [0.9.7a]
Can be built without the ENGINE framework. [0.9.7a]
IA32 assembler enhancements. [0.9.7a]
Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64. [0.9.7a]
Configuration: the no-err option now works properly. [0.9.7a]
SSL/TLS: now handles manual certificate chain building. [0.9.7a]
SSL/TLS: certain session ID malfunctions corrected. [0.9.7a]
 
  

