LinuxQuestions.org
02-24-2003, 07:57 PM   #1
unSpawn
Moderator
 
LQ weekly security rep - Mon Feb 24th 2003


Feb 24th 2003
14 of 22 issues handled (SF)
1. Util-Linux mcookie Cookie Generation Weakness
2. IndyNews delMediaFile() File Deletion Vulnerability
3. IndyNews manageMedia() File Deletion Vulnerability
4. IndyNews HTML Injection Vulnerability
7. PHP-Board User Password Disclosure Vulnerability
8. Kietu Hit.PHP Remote File Inclusion Vulnerability
9. DotBr PHPInfo Environment Information Disclosure Vulnerability
10. DotBr Config.Inc Information Disclosure Vulnerability
11. DotBr Exec.PHP3 Remote Command Execution Vulnerability
12. DotBr System.PHP3 Remote Command Execution Vulnerability
19. PHP CGI SAPI Code Execution Vulnerability
20. Netcharts Server Chunked Encoding Information Leakage Vulnerability
21. D-Forum Remote File Include Vulnerability
22. BitchX Malformed RPL_NAMREPLY Denial Of Service Vulnerability

Feb 24th 2003
29 of 45 issues handled (ISS)
SuckBot mod_mysql_logger denial of service
IndyNews delMediaFile() file deletion
IndyNews manageMedia() file deletion and
php-Board login.php plaintext passwords
Kietu hit.php remote PHP file include
DotBr foo.php3 information disclosure
DotBr config.inc information disclosure
DotBr exec.php3 and system.php3 command execution
D-Forum header.php3 or footer.php3 script PHP file
BitchX IRC client RPL_NAMREPLY message denial of
PHP could allow access to the CGI SAPI
SYSLINUX privilege elevation
petitforum liste.txt information disclosure
petitforum message.php authentication bypass
cPanel guestbook.cgi command execution
cPanel SCRIPT_FILENAME privilege elevation
Solaris UDP RPC denial of service
myPHPNuke links.php cross-site scripting
Multiple SSL/TLS implementation CBC ciphersuites
Sage $mod cross-site scripting
Sage non-existent module request path disclosure
Multiple operating system boot disks could be used
login_ldap bypass password authentication
PHP-Nuke search module SQL injection
phpBB index.php SQL injection
zlib gzprintf() buffer overflow
Rogue save_into_file() buffer overflow
SuSE Linux Eject information disclosure
WWWBoard message cross-site scripting
 
02-24-2003, 07:58 PM   #2
unSpawn
Moderator
 
Feb 24th 2003 (ISS)

Internet Security Systems

Date Reported: 02/13/2003
Brief Description: SuckBot mod_mysql_logger denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, FreeBSD Any
version, SuckBot 0.006 and earlier
Vulnerability: suckbot-modmysqllogger-dos
X-Force URL: http://www.iss.net/security_center/static/11340.php

Date Reported: 02/14/2003
Brief Description: IndyNews delMediaFile() file deletion
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, IndyNews Any version
Vulnerability: indynews-delmediafile-delete-files
X-Force URL: http://www.iss.net/security_center/static/11348.php

Date Reported: 02/14/2003
Brief Description: IndyNews manageMedia() file deletion and
modification
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, IndyNews Any version
Vulnerability: indynews-managemedia-delete-files
X-Force URL: http://www.iss.net/security_center/static/11349.php

Date Reported: 02/15/2003
Brief Description: php-Board login.php plaintext passwords
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, php-Board 1
Vulnerability: phpboard-login-plaintext-passwords
X-Force URL: http://www.iss.net/security_center/static/11338.php

Date Reported: 02/15/2003
Brief Description: Kietu hit.php remote PHP file include
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Kietu 2.0, Kietu 2.3
Vulnerability: kietu-hit-file-include
X-Force URL: http://www.iss.net/security_center/static/11341.php

Date Reported: 02/15/2003
Brief Description: DotBr foo.php3 information disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, DotBr 0.1
Vulnerability: dotbr-foo-info-disclosure
X-Force URL: http://www.iss.net/security_center/static/11353.php

Date Reported: 02/15/2003
Brief Description: DotBr config.inc information disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, DotBr 0.1
Vulnerability: dotbr-config-info-disclosure
X-Force URL: http://www.iss.net/security_center/static/11354.php

Date Reported: 02/15/2003
Brief Description: DotBr exec.php3 and system.php3 command execution
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, DotBr 0.1
Vulnerability: dotbr-exec-execute-commands
X-Force URL: http://www.iss.net/security_center/static/11355.php

Date Reported: 02/16/2003
Brief Description: D-Forum header.php3 or footer.php3 script PHP file
include
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, D-Forum 1.00 to 1.11
Vulnerability: dform-header-file-include
X-Force URL: http://www.iss.net/security_center/static/11342.php

Date Reported: 02/16/2003
Brief Description: BitchX IRC client RPL_NAMREPLY message denial of
service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, Windows NT
Any version, FreeBSD Any version, OpenBSD Any
version, Gentoo Linux Any version, Mac OS Any
version, BitchX 75p3, BitchX 1.0c16, BitchX 1.0c19,
BitchX 1.0c20cvs
Vulnerability: bitchx-irc-namreply-dos
X-Force URL: http://www.iss.net/security_center/static/11363.php

Date Reported: 02/17/2003
Brief Description: PHP could allow access to the CGI SAPI
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, OpenPKG CURRENT, Gentoo Linux Any version,
OpenPKG 1.2, PHP 4.3.0
Vulnerability: php-cgi-sapi-access
X-Force URL: http://www.iss.net/security_center/static/11343.php

Date Reported: 02/17/2003
Brief Description: SYSLINUX privilege elevation
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Gentoo Linux Any version,
SYSLINUX prior to 2.02
Vulnerability: syslinux-gain-privileges
X-Force URL: http://www.iss.net/security_center/static/11351.php

Date Reported: 02/17/2003
Brief Description: petitforum liste.txt information disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, petitforum Any version
Vulnerability: petitforum-liste-info-disclosure
X-Force URL: http://www.iss.net/security_center/static/11358.php

Date Reported: 02/17/2003
Brief Description: petitforum message.php authentication bypass
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, petitforum Any version
Vulnerability: petitforum-message-auth-bypass
X-Force URL: http://www.iss.net/security_center/static/11359.php

Date Reported: 02/18/2003
Brief Description: cPanel guestbook.cgi command execution
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, cPanel 5 and earlier
Vulnerability: cpanel-guestbook-command-execution
X-Force URL: http://www.iss.net/security_center/static/11356.php

Date Reported: 02/18/2003
Brief Description: cPanel SCRIPT_FILENAME privilege elevation
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, cPanel 5 and earlier
Vulnerability: cpanel-scriptfilename-gain-privileges
X-Force URL: http://www.iss.net/security_center/static/11357.php

Date Reported: 02/18/2003
Brief Description: Solaris UDP RPC denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Solaris 2.5.1 and earlier, Solaris 2.6, Solaris 7,
Solaris 8, Solaris 9
Vulnerability: solaris-udp-rpc-dos
X-Force URL: http://www.iss.net/security_center/static/11368.php

Date Reported: 02/19/2003
Brief Description: myPHPNuke links.php cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, myPHPNuke Any version
Vulnerability: myphpnuke-links-xss
X-Force URL: http://www.iss.net/security_center/static/11367.php

Date Reported: 02/19/2003
Brief Description: Multiple SSL/TLS implementation CBC ciphersuites
information leak
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Mandrake Linux 7.2, Mandrake
Linux 8.0, Mandrake Single Network Firewall 7.2,
Mandrake Linux 8.1, EnGarde Secure Linux Community
Edition, Mandrake Linux 8.2, OpenPKG CURRENT,
Gentoo Linux Any version, OpenPKG 1.1, Mandrake
Linux 9.0, Mandrake Multi Network Firewall 8.2,
OpenPKG 1.2, OpenSSL prior to 0.9.7a
Vulnerability: ssl-cbc-information-leak
X-Force URL: http://www.iss.net/security_center/static/11369.php

Date Reported: 02/19/2003
Brief Description: Sage $mod cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Sage 1.0b3
Vulnerability: sage-mod-xss
X-Force URL: http://www.iss.net/security_center/static/11371.php

Date Reported: 02/19/2003
Brief Description: Sage non-existent module request path disclosure
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Sage 1.0b3
Vulnerability: sage-module-path-disclosure
X-Force URL: http://www.iss.net/security_center/static/11372.php

Date Reported: 02/19/2003
Brief Description: Multiple operating system boot disks could be used
to gain unauthorized system access
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, Windows Any version, Unix Any
version
Vulnerability: boot-disk-unauth-access
X-Force URL: http://www.iss.net/security_center/static/11378.php

Date Reported: 02/20/2003
Brief Description: login_ldap bypass password authentication
Risk Factor: Medium
Attack Type: Network Based
Platforms: login_ldap Any version, OpenLDAP 2.0.x, OpenLDAP
2.1.x
Vulnerability: loginldap-password-bypass
X-Force URL: http://www.iss.net/security_center/static/11374.php

Date Reported: 02/20/2003
Brief Description: PHP-Nuke search module SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, PHP-Nuke 5.6, PHP-Nuke 6.0
Vulnerability: phpnuke-search-sql-injection
X-Force URL: http://www.iss.net/security_center/static/11375.php

Date Reported: 02/20/2003
Brief Description: phpBB index.php SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, phpBB 2.0, phpBB 2.0.1, phpBB 2.0.2
Vulnerability: phpbb-index-sql-injection
X-Force URL: http://www.iss.net/security_center/static/11376.php

Date Reported: 02/21/2003
Brief Description: zlib gzprintf() buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms: BSD Any version, Linux Any version, Windows Any
version, Unix Any version, zlib 1.1.4-1
Vulnerability: zlib-gzprintf-bo
X-Force URL: http://www.iss.net/security_center/static/11381.php

Date Reported: 02/21/2003
Brief Description: Rogue save_into_file() buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: BSD Any version, Linux Any version, Rogue 5.2-2
Vulnerability: rogue-saveintofile-bo
X-Force URL: http://www.iss.net/security_center/static/11382.php

Date Reported: 02/22/2003
Brief Description: SuSE Linux Eject information disclosure
Risk Factor: Low
Attack Type: Host Based
Platforms: SuSE Linux 7.3, Eject 2.0.10
Vulnerability: linux-eject-information-disclosure
X-Force URL: http://www.iss.net/security_center/static/11380.php

Date Reported: 02/22/2003
Brief Description: WWWBoard message cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, WWWBoard 2.0A2.1 and prior
Vulnerability: wwwboard-message-xss
X-Force URL: http://www.iss.net/security_center/static/11383.php
 
02-24-2003, 08:00 PM   #3
unSpawn
Moderator
 
Feb 24th 2003 (SF)

SecurityFocus

1. Util-Linux mcookie Cookie Generation Weakness
BugTraq ID: 6855
Remote: Yes
Date Published: Feb 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6855
Summary:

util-linux is a freely available, open source software package that
provides some implementations of standard UNIX utilities, such as login.
Included with util-linux is the mcookie utility that is used to generate
random cookies for use with X authentication.

A weakness has been reported for the mcookie utility where cookies may be
generated in a predictable manner. The weakness occurs because mcookie
uses /dev/urandom to generate cookies.

This may be exploited by an attacker to guess cookie values to steal
credentials of users who use X authentication.

Information obtained in this manner may be used by the attacker to launch
further attacks against vulnerable systems and users.

2. IndyNews delMediaFile() File Deletion Vulnerability
BugTraq ID: 6856
Remote: Yes
Date Published: Feb 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6856
Summary:

IndyNews is a module designed for integration with the PHP-Nuke web portal
software.

A vulnerability has been discovered in the IndyNews module available for
PHP-Nuke. The problem occurs in the delMediaFile() function and may allow
an unauthorized attacker to delete media files. The susceptible files are
only those that have been included in an approved article. This issue
could be exploited to obstruct a website's ability to distribute various
files.

The precise technical details regarding this vulnerability are currently
unknown. This BID will be updated accordingly as more information is made
available.

3. IndyNews manageMedia() File Deletion Vulnerability
BugTraq ID: 6857
Remote: Yes
Date Published: Feb 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6857
Summary:

IndyNews is a module designed for integration with the PHP-Nuke web portal
software.

A vulnerability has been discovered in the IndyNews module available for
PHP-Nuke. The problem occurs in the manageMedia() function and may allow
an unauthorized attacker to delete or modify various files.

Exploitation of this issue may allow an attacker to influence the upload
location of remote PHP files, potentially making it possible to execute
arbitrary PHP commands.

The precise technical details regarding this vulnerability are currently
unknown. This BID will be updated accordingly as more information is made
available.

4. IndyNews HTML Injection Vulnerability
BugTraq ID: 6858
Remote: Yes
Date Published: Feb 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6858
Summary:

IndyNews is a module designed for integration with the PHP-Nuke web portal
software.

A vulnerability has been discovered in the IndyNews module available for
PHP-Nuke. Due to insufficient sanitization of HTML tags it is possible to
embed HTML code within the 'alt' tags of a news article. When the news
article is viewed by an unsuspecting user the embedded code will be
executed within the context of the site visited.

This issue could be exploited by taking advantage of a bug found in the
editMediaDescr() and editMediaTempDescr() functions. Through the malicious
use of these functions it is possible for an unauthorized user to modify
the 'alt' tags of a proposed or already displayed news article.

The precise technical details regarding this vulnerability are currently
unknown. This BID will be updated accordingly as more information is made
available.

7. PHP-Board User Password Disclosure Vulnerability
BugTraq ID: 6862
Remote: Yes
Date Published: Feb 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6862
Summary:

php-board is web forum software.

A vulnerability has been reported in php-board which may disclose
sensitive information to remote attackers. This flaw exists in the
'login.php' script.

php-board user information is stored in flat files on the system hosting
the software. Access to the files via the web is not sufficiently
restricted. Remote attackers may request user files and gain access to
php-board user and administrative passwords. The attacker must know the
name of the user whose file they are requesting.

The attacker may use the disclosed credentials to perform actions on the
php-board system as the user.

8. Kietu Hit.PHP Remote File Inclusion Vulnerability
BugTraq ID: 6863
Remote: Yes
Date Published: Feb 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6863
Summary:

Kietu is web-based software for tracking web site usage statistics. It is
implemented in PHP.

A flaw in the Kietu 'hit.php' script may permit remote attackers to
include malicious remote files. Remote users may influence the include
path for the 'config.php' configuration file. An attacker may exploit
this to include a malicious PHP script named 'config.php' from a remote
host, resulting in execution of arbitrary commands with the privileges of
the webserver process.

9. DotBr PHPInfo Environment Information Disclosure Vulnerability
BugTraq ID: 6864
Remote: Yes
Date Published: Feb 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6864
Summary:

DotBr is a web application implemented in PHP. It includes features to
allow websites to host a poll.

DotBr may disclose sensitive information to remote attackers about the
environment of the system hosting the software. This is due to the use of
the PHP phpinfo() function in the 'foo.php3' script. This may disclose
version information and path information to the attacker.

This information may be helpful in mounting further attacks against the
system.

10. DotBr Config.Inc Information Disclosure Vulnerability
BugTraq ID: 6865
Remote: Yes
Date Published: Feb 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6865
Summary:

DotBr is a web application implemented in PHP. It includes features to
allow websites to host polls. DotBr is backended by a MySQL database.

The DotBr configuration file (config.inc) may potentially disclose
sensitive information to remote attackers. This issue occurs because the
configuration file does not have the proper PHP file extension in the
default installation, and may be displayed by the webserver instead of
handled by the PHP interpreter. Database authentication credentials and
other information may be disclosed as a result.

The attacker may use this information in attempts to gain unauthorized
access to other resources.

11. DotBr Exec.PHP3 Remote Command Execution Vulnerability
BugTraq ID: 6867
Remote: Yes
Date Published: Feb 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6867
Summary:

DotBr is a web application implemented in PHP. It includes features to
allow websites to host polls.

The DotBr 'exec.php3' script is prone to a remote command execution
vulnerability. This is due to insufficient sanitization of user-supplied
data before it is passed through the PHP passthru() function. If
exploited, the function will invoke the underlying shell with
attacker-supplied parameters.

Exploitation may result in execution of arbitrary shell commands with the
privileges of the webserver process.

12. DotBr System.PHP3 Remote Command Execution Vulnerability
BugTraq ID: 6866
Remote: Yes
Date Published: Feb 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6866
Summary:

DotBr is a web application implemented in PHP. It includes features to
allow websites to host polls.

The DotBr 'system.php3' script is prone to a remote command execution
vulnerability. This is due to insufficient sanitization of user-supplied
data before it is passed through the PHP system() function. If exploited,
the function will invoke the underlying shell with attacker-supplied
parameters.

Exploitation may result in execution of arbitrary shell commands with the
privileges of the webserver process.

19. PHP CGI SAPI Code Execution Vulnerability
BugTraq ID: 6875
Remote: Yes
Date Published: Feb 17 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6875
Summary:

PHP is a freely available, open source web scripting language package. It
is available for Microsoft Windows, Linux, and Unix operating systems.

An unspecified vulnerability has been reported in the CGI SAPI of PHP
version 4.3.0.

Direct access to the CGI binary can be prevented by using the
configuration option '--enable-force-cgi-redirect' and the php.ini option
'cgi.force_redirect'.

The report states that an unspecified bug could render these options
useless, allowing a remote user to directly access the CGI binary. This
could allow an attacker to read any file that is readable by the web
server user, or to potentially execute arbitrary PHP code. The attacker
would have to be able to inject the PHP code into a file accessible by the
CGI binary, such as the web server access logs.

20. Netcharts Server Chunked Encoding Information Leakage Vulnerability
BugTraq ID: 6877
Remote: Yes
Date Published: Feb 18 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6877
Summary:

NetCharts Server provides multi-platform data connectivity. Combined
servlet engine, graphics engine and scheduling features.

It has been reported that Netcharts Server is unable to sufficiently
handle invalid chunked encoded HTTP requests.

Although Query-Response communication timing is reportedly difficult to
predict, one scenario may be an attacker attempting to desynchronize the
Netcharts server in an attempt to lead valid Netcharts Server users to a
specified response. The attacker may achieve this condition by flooding
the Netcharts Server communication channels with an attacker-supplied
response.

This may lead to sensitive information leakage or network performance
degradation as a result of the attacker's attempts to exploit this
condition.

21. D-Forum Remote File Include Vulnerability
BugTraq ID: 6879
Remote: Yes
Date Published: Feb 18 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6879
Summary:

D-Forum is a freely available discussion forum written in PHP.

D-Forum is prone to an issue which may allow remote attackers to include
files located on remote servers. This issue is present in the header.php3
and footer.php3 pages existing in the /includes folder.

Under some circumstances, it is possible for remote attackers to influence
the include path for these scripts to point to an external file on a
remote server by manipulating the '$my_header' and '$my_footer' URI
parameters.

If the remote file is a malicious file, this may be exploited to execute
arbitrary system commands in the context of the webserver.

22. BitchX Malformed RPL_NAMREPLY Denial Of Service Vulnerability
BugTraq ID: 6880
Remote: Yes
Date Published: Feb 18 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6880
Summary:

BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.

A problem with BitchX could make it possible for a malicious IRC server to
crash a vulnerable client.

It has been reported that BitchX does not properly handle some types of
replies contained in the RPL_NAMREPLY numeric. When a malformed reply is
received by the client, the client crashes, resulting in a denial of
service.

The problem occurs through the handling of the 353 IRC numeric. It is
suspected that this vulnerability may also make possible the execution of
arbitrary code. In the event that this is possible, code executed through
this vulnerability would be in the context of the BitchX user. This could
allow a remote attacker access to the system on which the affected client
is running with the privileges of the BitchX user.
 
  

