LQ weekly security rep - monday may 21st
This week's report starts off with 15 vulnerabilities as reported on SF's list. This is the index, content follows RSN(tm).
- Phorum Reply Email Address Script Injection Vulnerability
- Opera Frame Location Same Origin Policy Circumvention Vulnerability
- SonicWall SOHO3 Content Blocking Script Injection Vulnerability
- NOCC Webmail Script Injection Vulnerability
- GNU SharUtils UUDecode Symbolic Link Attack Vulnerability
- SuSE AAA_Base_Clean_Core Script RM Race Condition Vulnerability
- tinyproxy HTTP Proxy Memory Corruption Vulnerability
- SuSE Shadow File Truncation Vulnerability
- CGIScript.net Information Disclosure Vulnerability
- LevCGI NetPad Unauthorized File Access Vulnerability
- Swatch Throttled Event Reporting Vulnerability
- Phorum Remote Command Execution Vulnerability
- GRSecurity Linux Kernel Memory Protection Weakness
- Gaim Sensitive World Readable Temporary File Vulnerability
- NetWin DNews Remote Access Vulnerability

Please only add security bulletin news to this thread, no discussions.
LQ weekly security rep - monday may 21st pt 1
------------------------------
SecurityFocus Newsletter

2. Phorum Reply Email Address Script Injection Vulnerability
BugTraq ID: 4739
Remote: Yes
Date Published: May 13 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4739
Summary:
Phorum is a PHP based web forums package. A script injection issue has been reported in Phorum. Attackers may potentially exploit this issue to hijack web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user, including posting or deleting content.

4. Opera Frame Location Same Origin Policy Circumvention Vulnerability
BugTraq ID: 4745
Remote: Yes
Date Published: May 15 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4745
Summary:
Opera is a web browser product created by Opera Software, and is available for a range of operating systems including Windows and Linux. A vulnerability has been reported in some versions of the Opera Browser. Exploitation of this vulnerability results in arbitrary Javascript code executing within an arbitrary context. The consequences can be severe. It may be possible to access cookie data, including authentication credentials, or to take actions as an authenticated user.

5. SonicWall SOHO3 Content Blocking Script Injection Vulnerability
BugTraq ID: 4755
Remote: No
Date Published: May 17 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4755
Summary:
The Sonicwall SOHO3 is an Internet security appliance that provides firewall security solutions. Reportedly, a vulnerability exists in the product that allows for a script injection attack to be launched from a malicious user within the internal LAN. The vulnerability has been reported in Sonicwall SOHO3 firmware revision 6.3.0.0 and ROM version 5.0.1.0. A malicious user may be able to inject script code as part of a URL of a blocked domain. Attempts to access blocked domains will be entered into the log files of Sonicwall. An administrator viewing the log files will automatically cause the malicious script code to execute.

8. NOCC Webmail Script Injection Vulnerability
BugTraq ID: 4740
Remote: Yes
Date Published: May 14 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4740
Summary:
NOCC is a web based email client implemented in PHP4. It includes support for POP3, SMTP and IMAP servers, MIME attachments and multiple languages. NOCC webmail displays all email, including text only email, as HTML. NOCC does not make any attempt to escape potentially harmful data in email messages. As a result, a malicious user may be able to craft an email containing script code and then send it to any NOCC webmail user. This attack may result in the adversary gaining access to the victim's mailbox.

9. GNU SharUtils UUDecode Symbolic Link Attack Vulnerability
BugTraq ID: 4742
Remote: No
Date Published: May 14 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4742
Summary:
Sharutils is a freely available, open source suite of tools maintained by the GNU. A problem with sharutils may make it possible to exploit symbolic link attacks. The problem is in the uudecode program. In the event of the temporary file being a symbolic link, the file at the end of the symbolic link would be overwritten. This could result in a corruption or loss of data. This problem makes it possible to exploit a symbolic link attack, and potentially overwrite files. It could additionally lead to elevated privileges.

10. SuSE AAA_Base_Clean_Core Script RM Race Condition Vulnerability
BugTraq ID: 4758
Remote: No
Date Published: May 16 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4758
Summary:
SuSE Linux is a freely available, open source operating system. It is maintained by SuSE. A problem in the operating system could result in a denial of service. The problem is in the creation of temporary directories. This problem could make it possible for a local user to deny service to legitimate users of the system. This vulnerability is based on the problem described in Bugtraq ID 4266, though the problem in this case is insecure creation of a temporary directory by the aaa_base_clean_core script.

12. tinyproxy HTTP Proxy Memory Corruption Vulnerability
BugTraq ID: 4731
Remote: Yes
Date Published: May 13 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4731
Summary:
tinyproxy HTTP Proxy is a small HTTP proxy. A vulnerability has been reported in the handling of some invalid proxy requests by TinyProxy. Under some circumstances, an invalid request may result in allocated memory being freed twice. Arbitrary code may be executed if critical values such as function return addresses, GOT entries, etc., are overwritten.

14. SuSE Shadow File Truncation Vulnerability
BugTraq ID: 4757
Remote: No
Date Published: May 16 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4757
Summary:
SuSE Linux is a freely available, open source distribution of the Linux operating system. It is maintained by SuSE. shadow is a set of utilities for maintaining entries in the /etc/passwd and /etc/shadow files. A vulnerability has been discovered in the shadow package that ships with SuSE Linux. It has been reported that a local attacker may be able to cause data in /etc/passwd and /etc/shadow to be truncated or possibly even appended to with attacker-supplied data. At the very least, local users can corrupt vital files. This may result in a denial of service. Under some circumstances successful exploitation of this vulnerability may enable a local attacker to elevate privileges, possibly even gaining root privileges. SuSE has stated that it is not possible for local attackers to obtain root privileges with the default configuration of SuSE Linux.
LQ weekly security rep - monday may 21st pt 2
15. CGIScript.net Information Disclosure Vulnerability
BugTraq ID: 4764
Remote: Yes
Date Published: May 17 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4764
Summary:
CGIScript.net provides various webmaster related tools and is maintained by Mike Barone and Andy Angrick. It is possible to cause numerous scripts provided by CGIScript.net to disclose sensitive system information. A malformed POST request will cause the host to display debug data in an error page. As a result, server path information, form input, and environment variables could be revealed to remote users. Other types of malformed web requests may also cause this condition to occur. Path, form input, and environment variable information may aid the attacker in making further attacks against the host.

16. LevCGI NetPad Unauthorized File Access Vulnerability
BugTraq ID: 4741
Remote: Yes
Date Published: May 14 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4741
Summary:
LevCGI NetPad is a web-based text editor. It is available for Linux and Unix variants as well as Microsoft Windows operating systems. Write access to NetPad documents is password-protected. However, authentication is not required to read the contents of NetPad documents. Arbitrary web users may request existing documents and view their contents, causing sensitive information in the documents to be disclosed.

17. Swatch Throttled Event Reporting Vulnerability
BugTraq ID: 4746
Remote: Yes
Date Published: May 15 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4746
Summary:
Swatch is a freely available, open source log watching utility. It is available for the Unix and Linux platforms. Swatch may fail to report activities. The problem is in the design of the program. This problem could allow an attacker with knowledge of an event that has previously occurred and been throttled on a system to reproduce the event without being noticed by swatch.

22. Phorum Remote Command Execution Vulnerability
BugTraq ID: 4763
Remote: Yes
Date Published: May 17 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4763
Summary:
Phorum is a PHP based web forums package designed for most UNIX variants, Linux, and Microsoft Windows operating systems. A vulnerability has been reported in Phorum that will allow remote attackers to specify external PHP scripts and potentially execute commands. The vulnerability exists in 'plugin.php', 'admin.php' and 'del.php' files found in the distribution of Phorum version 3.3.2a. As a consequence, the vulnerable system will interpret the arbitrary attacker-supplied remote file (such as a PHP script). The remote file may potentially contain destructive commands that will be executed by the vulnerable system.

25. GRSecurity Linux Kernel Memory Protection Weakness
BugTraq ID: 4762
Remote: No
Date Published: May 17 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4762
Summary:
The grsecurity Linux Kernel patch is a source-code patch developed and maintained by the grsecurity development team. A design error may allow for attackers to bypass the protection of the patch. The patch operates by redirecting the write() system call when it is being used to write to a memory device. Unfortunately, there are other methods that can be used to write to system memory (such as mapping the device to memory using mmap()). Local attackers with root access may exploit this weakness to modify kernel data structures or inject backdoor code, evading the protection of the patch.

26. Gaim Sensitive World Readable Temporary File Vulnerability
BugTraq ID: 4730
Remote: No
Date Published: May 13 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4730
Summary:
Gaim is a chat client which supports AOL Instant Messenger, ICQ, MSN Instant Messenger, Yahoo Instant Messenger, Jabber and IRC. Gaim runs on a number of Unix-based platforms, including Linux. An issue has been reported in versions of Gaim, which could enable an unauthorized user to gain access to sensitive files. A feature exists which enables a user to configure Gaim to check for new email messages from configured web mail services. This feature runs when Gaim is started, and creates two /tmp files which are world readable. Reportedly, these temporary files may include sensitive information, including authentication credentials for the specified mail service. This issue has been known to specifically affect Hotmail accounts, although other configured email web services may be affected. There may be a limited time window in which this information may be used to authenticate to Hotmail, possibly based on timeout mechanisms inherent in Hotmail.

27. NetWin DNews Remote Access Vulnerability
BugTraq ID: 4737
Remote: Yes
Date Published: May 14 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4737
Summary:
DNews is a commercially available NNTP server. It is available for various operating systems, including Linux, Unix, and Microsoft Windows. A vulnerability has been announced by the distributors of DNews. Information concerning this vulnerability is not readily available. It is, however, possible that this vulnerability is remotely exploitable, as the distributors of DNews recommend the placement of access control entries in dnews.conf configuration file. Successful exploitation may allow for remote attackers to gain access to target servers. It has been suggested that this vulnerability affects the management interface on port 7119, and could result in DNews system reconfiguration. This is yet unconfirmed.
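The uudecode entry (a temporary file that follows a planted symlink) and the Gaim entry (temporary files left world readable) are two failure modes of the same operation, creating a file in /tmp. The C below is an added illustration, not code from either project, SuSE or the advisories; it assumes a writable /tmp and shows a creation routine that refuses a pre-existing symlink and keeps the file private, with a check for each property.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added illustration (not code from uudecode, Gaim or the advisories): create a
 * temporary file so that a symlink planted at the path is never followed and the
 * file is never world readable. Returns an open fd or -1; path_out receives the
 * name, which the caller unlinks when finished. */
int open_private_tempfile(const char *dir, char *path_out, size_t len) {
    int n = snprintf(path_out, len, "%s/sec-XXXXXX", dir);
    if (n < 0 || (size_t)n >= len) return -1;
    mode_t old = umask(077);     /* stay private whatever mode libc's mkstemp uses */
    int fd = mkstemp(path_out);  /* opens O_CREAT|O_EXCL: refuses an existing symlink */
    umask(old);
    if (fd < 0) return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) < 0) { close(fd); unlink(path_out); return -1; }
    return fd;
}

/* The Gaim entry's failure mode, checked after creation: 1 if no group/other bits. */
int tempfile_mode_ok(int fd) {
    struct stat st;
    return fstat(fd, &st) == 0 && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}
/* The uudecode entry's situation: a symlink already waiting at a predictable name.
 * Plants one in dir, attempts a hardened open, and returns the errno of the refusal
 * (EEXIST expected), 0 if the open wrongly succeeded, or -1 on setup failure. */
int demo_symlink_refused(const char *dir) {
    char link[512], target[512];
    snprintf(link, sizeof link, "%s/predictable-name.tmp", dir);
    snprintf(target, sizeof target, "%s/would-be-clobbered.txt", dir);
    unlink(link);
    if (symlink(target, link) < 0) return -1;
    int fd = open(link, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    int err = fd < 0 ? errno : 0;
    unlink(link);
    if (fd >= 0) close(fd);
    return err;
}

int main(void) {
    char path[512];
    int fd = open_private_tempfile("/tmp", path, sizeof path);
    if (fd < 0) { perror("open_private_tempfile"); return 1; }
    printf("%s private=%d refused=%d\n", path, tempfile_mode_ok(fd),
           demo_symlink_refused("/tmp") == EEXIST);
    close(fd); unlink(path); return 0;
}
```

Note that O_EXCL makes open() fail with EEXIST when the path is a symlink even if the link's target does not exist, which is what closes the uudecode-style window.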