Old 09-10-2003, 12:03 PM   #1
unSpawn
Moderator
 
LQ weekly security rep - Sep 10th 2003


Sep 8th 2003
14 of 33 issues handled (SF)
1. LinuxNode Remote Buffer Overflow Vulnerability
3. XFree86 Multiple Unspecified Integer Overflow Vulnerabilities
7. Exim EHLO/HELO Remote Heap Corruption Vulnerability
8. Ezboard 'invitefriends.php3' Cross Site Scripting Vulnerability
9. TSguestbook Message Field HTML Injection Vulnerability
10. Sitebuilder 'sitebuilder.cgi' Directory Traversal File Disclosure
11. Multiple Vendor PC2Phone Software Remote Denial of Service Vulnerability
22. PADL Software PAM_LDAP PAM Filter Access Restriction Failure
24. Stunnel Leaked File Descriptor Vulnerability
26. WebCalendar Multiple Cross-Site Scripting Vulnerabilities
27. WebCalendar Multiple Module SQL Injection Vulnerabilities
28. Leafnode fetchnews Remote Denial of Service Vulnerability
32. EZ-WEB Site Builder Advanced Editor Selectedpage Parameter Disclosure
33. Asterisk SIP Request Buffer Overrun Vulnerability

Sep 08th 2003
16 of 47 issues handled (ISS)
suidperl error message information disclosure
Exim HELO or EHLO command heap overflow
Barricade Wireless Cable/DSL Broadband Router could
Go2Call overly large UDP packet buffer overflow
MPlayer buffer overflow
LinuxNode format string
Gastenboek name and message fields cross-site
pam_ldap pam_filter could allow unauthorized access
WebCalendar multiple scripts cross-site scripting
WebCalendar multiple scripts allow SQL injection
Stunnel file descriptor leak could allow an
Leafnode fetchnews denial of service
CatalogIntegrator could allow access to the
Asterisk SIP MESSAGE and INFO request buffer
Python Publishing Accessories error page cross-site
VMware symlink attack

Sep 5th 2003
14 issues handled (LAW)
atari800
eroaster
gallery
gdm
horde
mindi
node
pam_smb
phpwebsite
sendmail
up2date
vmware
 
Old 09-10-2003, 12:04 PM   #2
unSpawn
Moderator
 
Sep 5th 2003 (LAW)

Linux Advisory Watch


Distribution: Conectiva

8/29/2003 - 'sendmail' remote vulnerability
Sendmail versions 8.12.8 and before (but only of the 8.12.x branch)
have a remote vulnerability related to DNS maps.
http://www.linuxsecurity.com/advisor...sory-3587.html

9/1/2003 - gdm
Multiple vulnerabilities
This update fixes multiple vulnerabilities including an arbitrary file
content disclosure, crash as a result of using free(), and segfault
while checking authorization data.
http://www.linuxsecurity.com/advisor...sory-3591.html


Distribution: Debian
8/29/2003 - 'node' buffer overflow, format string
Multiple vulnerabilities
Morgan alias SM6TKY discovered and fixed several security
related problems in LinuxNode, an Amateur Packet Radio Node program.
The buffer overflow he discovered can be used to gain unauthorised
root access and can be remotely triggered.
http://www.linuxsecurity.com/advisor...sory-3583.html


Distribution: Gentoo
9/1/2003 - pam_smb
Remote buffer overflow vulnerability
If a long password is supplied, this can cause a buffer overflow which
could be exploited to execute arbitrary code with the privileges of
the process which invokes PAM services.
http://www.linuxsecurity.com/advisor...sory-3588.html

9/1/2003 - vmware
Insecure symlink vulnerability
The previous GLSA 200308-03 was wrong when it stated that
vmware-workstation-4.0.1-5289 would fix the problems described in the
advisory.
http://www.linuxsecurity.com/advisor...sory-3589.html

9/1/2003 - horde
Remote session hijacking
An attacker could send an email to a victim who makes use of the HORDE MTA
in order to push them to visit a website. The website in question logs all
the accesses and describes in particular the origin of every victim.
http://www.linuxsecurity.com/advisor...sory-3590.html

9/2/2003 - 'phpwebsite' SQL injection vulnerability
Remote session hijacking
phpwebsite contains an SQL injection vulnerability in the
calendar module which allows the attacker to execute SQL queries.
http://www.linuxsecurity.com/advisor...sory-3592.html

9/2/2003 - 'eroaster' temporary file vulnerability
Remote session hijacking
Previous eroaster versions allowed local users to overwrite arbitrary
files via a symlink attack on a temporary file that is used as a
lockfile.
http://www.linuxsecurity.com/advisor...sory-3593.html

9/2/2003 - 'mindi' temporary file vulnerability
Remote session hijacking
Mindi creates files in /tmp which could allow local users to
overwrite arbitrary files.
http://www.linuxsecurity.com/advisor...sory-3594.html

9/2/2003 - 'gallery' cross-site scripting vulnerability
Remote session hijacking
Cross-site scripting (XSS) vulnerability in search.php of Gallery
1.1 through 1.3.4 allows remote attackers to insert arbitrary web
script via the searchstring parameter.
http://www.linuxsecurity.com/advisor...sory-3595.html

9/2/2003 - 'atari800' buffer overflow
Remote session hijacking
atari800 contains a buffer overflow which could be used by an
attacker to gain root privileges.
http://www.linuxsecurity.com/advisor...sory-3596.html


Distribution: Red Hat
8/29/2003 - 'sendmail' DNS maps DoS
Remote session hijacking
Updated Sendmail packages are available to fix a vulnerability in
the handling of DNS maps
http://www.linuxsecurity.com/advisor...sory-3584.html

8/29/2003 - 'up2date' required update
Remote session hijacking
New versions of the up2date and rhn_register clients are available
and are required for continued access to Red Hat Network.
http://www.linuxsecurity.com/advisor...sory-3585.html


Distribution: TurboLinux

8/29/2003 - pam_smb
vulnerability
The remote buffer overflow in the pam_smb module can be exploited by an
attacker when pam_smb is configured to authenticate a remotely
accessible service.
http://www.linuxsecurity.com/advisor...sory-3586.html
 
Old 09-10-2003, 12:05 PM   #3
unSpawn
Moderator
 
Sep 08th 2003 (ISS)

Internet Security Systems


Date Reported: 08/27/2003
Brief Description: suidperl error message information disclosure
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, suidperl Any version, Unix Any
version
Vulnerability: suidperl-error-info-disclosure
X-Force URL: http://xforce.iss.net/xforce/xfdb/13065

Date Reported: 09/01/2003
Brief Description: Exim HELO or EHLO command heap overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Conectiva Linux 7.0, Conectiva Linux 8.0, Conectiva
Linux 9.0, Debian Linux 3.0, Exim prior to 4.21,
Unix Any version
Vulnerability: exim-helo-heap-overflow
X-Force URL: http://xforce.iss.net/xforce/xfdb/13067

Date Reported: 08/31/2003
Brief Description: Barricade Wireless Cable/DSL Broadband Router could
allow an attacker to determine passwords
Risk Factor: Medium
Attack Type: Network Based
Platforms: Barricade Wireless Router (SMC7004VBR) Any version,
Barricade Wireless Router (SMC7004VBR) Any version
Vulnerability: barricade-router-password-bruteforce
X-Force URL: http://xforce.iss.net/xforce/xfdb/13073

Date Reported: 09/01/2003
Brief Description: Go2Call overly large UDP packet buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms: Go2Call Any version, Linux Any version, Unix Any
version, Windows Any version
Vulnerability: go2call-udppacket-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13075

Date Reported: 08/31/2003
Brief Description: MPlayer buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, MPlayer 0.91 and earlier
Vulnerability: mplayer-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13076

Date Reported: 08/29/2003
Brief Description: LinuxNode format string
Risk Factor: High
Attack Type: Network Based
Platforms: Debian Linux 3.0, LinuxNode 0.3.2 and earlier
Vulnerability: linuxnode-format-string
X-Force URL: http://xforce.iss.net/xforce/xfdb/13077

Date Reported: 09/01/2003
Brief Description: Gastenboek name and message fields cross-site
scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Gastenboek Any version, Linux Any version, Unix Any
version, Windows Any version
Vulnerability: gastenboek-name-message-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13078

Date Reported: 09/02/2003
Brief Description: pam_ldap pam_filter could allow unauthorized access
Risk Factor: Medium
Attack Type: Host Based
Platforms: Mandrake Linux 9.1, pam_ldap 161 and earlier
Vulnerability: pamldap-pamfilter-unauth-access
X-Force URL: http://xforce.iss.net/xforce/xfdb/13079

Date Reported: 09/03/2003
Brief Description: WebCalendar multiple scripts cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, WebCalendar
0.9.42 and earlier, Windows Any version
Vulnerability: webcalendar-multiple-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13094

Date Reported: 09/03/2003
Brief Description: WebCalendar multiple scripts allow SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, WebCalendar
0.9.42 and earlier, Windows Any version
Vulnerability: webcalendar-multiple-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13096

Date Reported: 09/03/2003
Brief Description: Stunnel file descriptor leak could allow an
attacker to hijack the server
Risk Factor: Medium
Attack Type: Network Based
Platforms: Any application Any version, Conectiva Linux 7.0,
Conectiva Linux 8.0, Conectiva Linux 9.0, Stunnel
3.24 and earlier, Stunnel 4.0
Vulnerability: stunnel-file-descriptor-hijack
X-Force URL: http://xforce.iss.net/xforce/xfdb/13097

Date Reported: 09/03/2003
Brief Description: Leafnode fetchnews denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Leafnode 1.9.3 through 1.9.41, Linux Any version,
Unix Any version
Vulnerability: leafnode-fetchnews-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13098

Date Reported: 09/02/2003
Brief Description: CatalogIntegrator could allow access to the
expire.mdb database file
Risk Factor: Medium
Attack Type: Network Based
Platforms: CatalogIntegratorCart Any version, Linux Any
version, Unix Any version, Windows Any version
Vulnerability: catalogintegratorcart-expire-file-access
X-Force URL: http://xforce.iss.net/xforce/xfdb/13106

Date Reported: 09/04/2003
Brief Description: Asterisk SIP MESSAGE and INFO request buffer
overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Asterisk prior to 8/15/2003, Linux 2.4.x
Vulnerability: asterisk-sip-message-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13111

Date Reported: 09/05/2003
Brief Description: Python Publishing Accessories error page cross-site
scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Python Publishing Accessories
(PPA) 0.2.1, Unix Any version, Windows Any version
Vulnerability: ppa-error-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13113

Date Reported: 09/03/2003
Brief Description: VMware symlink attack
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, VMware Workstation 4.0.1 5289 -
earlier
Vulnerability: vmware-symlink
X-Force URL: http://xforce.iss.net/xforce/xfdb/13114
 
Old 09-10-2003, 12:07 PM   #4
unSpawn
Moderator
 
Sep 8th 2003 (SF)

SecurityFocus


1. LinuxNode Remote Buffer Overflow Vulnerability
BugTraq ID: 8512
Remote: Yes
Date Published: Aug 29 2003
Relevant URL: http://www.securityfocus.com/bid/8512
Summary:
LinuxNode is an amateur packet radio node program.

It has been reported that LinuxNode is prone to a remote buffer overflow
condition. The issue presents itself due to insufficient bounds checking.
A remote attacker may ultimately exploit this issue remotely and execute
arbitrary code in the context of the user who is running the vulnerable
software. Successful exploitation may allow an attacker to gain
unauthorized access to the vulnerable host.

Explicit technical details regarding this vulnerability are not currently
available. This BID will be updated, as further details regarding this
issue are made public.

Although LinuxNode 0.3.0 has been reported to be vulnerable to this
problem, other versions may be affected as well.

3. XFree86 Multiple Unspecified Integer Overflow Vulnerabilities
BugTraq ID: 8514
Remote: Yes
Date Published: Aug 30 2003
Relevant URL: http://www.securityfocus.com/bid/8514
Summary:
Multiple integer overflow vulnerabilities have been discovered in XFree86
4.3.0. The problem specifically occurs due to insufficient sanity checks
within font libraries. As a result, a malicious font server that transmits
font data to a target client may include a malformed integer value
designed to unexpectedly pass a bounds checking calculation and trigger a
buffer overrun. This could cause memory corruption within stack or heap
process space, ultimately allowing for the execution of arbitrary code
with the privileges of the client program.

It should be noted that under some non-default XFree86 configurations, it
has been reported that the Xserver and XFS daemons may act as a client to
the font server, making it possible for these services to be exploited
remotely.

Although unconfirmed, these integer overflow vulnerabilities may be
present in earlier versions of XFree86.

Precise technical details regarding these vulnerabilities are currently
unavailable, however as further information is released this BID will be
updated accordingly.

7. Exim EHLO/HELO Remote Heap Corruption Vulnerability
BugTraq ID: 8518
Remote: Yes
Date Published: Sep 01 2003
Relevant URL: http://www.securityfocus.com/bid/8518
Summary:
Exim is a message transfer agent (MTA) developed at the University of
Cambridge and available under the GNU Public License. It is available for
the Linux operating system.

A heap buffer overflow vulnerability has been discovered in Exim. The
problem is said to affect all Exim3 and Exim4 versions prior to Exim 4.21.

This issue occurs due to insufficient bounds checking performed when
handling user-supplied SMTP EHLO/HELO command data. The vulnerability
specifically occurs within the 'smtp_in.c' source file when handling
invalid EHLO/HELO arguments. If EHLO/HELO arguments contain 506 leading
spaces followed by a NUL byte and a CRLF, a static string intended for a
syntax error message will be appended to the command argument data. The
interpolated string will now exceed the size of the reserved buffer in
heap-based memory. The entire string will be copied, without the spaces
being stripped, into the affected command buffer, this will result in heap
memory management structures adjacent to the affected buffer being
corrupted with superfluous data.

It has been reported that this vulnerability is unlikely to be exploitable
to execute arbitrary code. This is because a free() call is never made on
the attacker-controlled malloc chunk. Exploitation attempts will also be
hindered because the uncontrollable static string 'o argument given)\0' is
appended to attacker-supplied data, and will complicate the valid
corruption of the adjacent malloc header.

8. Ezboard 'invitefriends.php3' Cross Site Scripting Vulnerability
BugTraq ID: 8519
Remote: Yes
Date Published: Sep 01 2003
Relevant URL: http://www.securityfocus.com/bid/8519
Summary:
The 'invitefriends.php3' script of Ezboard has been reported prone to
cross-site scripting attacks. The issue occurs due to a lack of sufficient
sanitization performed on user-supplied URI parameters. Specifically, the
'action' parameter is not sufficiently parsed for embedded script code.

This issue could be exploited to cause hostile HTML and script code to be
rendered in the browser of a user who is enticed to visit a malicious link
to the vulnerable script. The code would be interpreted in the context of
the vulnerable site. Exploitation could allow theft of cookie-based
authentication credentials or other attacks.

It should be noted that it is currently unknown which versions of Ezboard
are affected by this vulnerability. This BID will be updated as further
information is made available.

9. TSguestbook Message Field HTML Injection Vulnerability
BugTraq ID: 8520
Remote: Yes
Date Published: Sep 01 2003
Relevant URL: http://www.securityfocus.com/bid/8520
Summary:
TSguestbook is an object-oriented guestbook program implemented in the PHP
programming language.

It has been reported that TSguestbook may be prone to HTML injection
attacks. The problem is said to occur due to insufficient sanitization of
user-supplied input within the 'message' field. As a result, an attacker
may post a guestbook entry including malicious HTML or script code within
the said field. When the entry is later viewed by unsuspecting users, the
injected code will be interpreted within the browser of the user.

This could ultimately result in the theft of sensitive information, such
as cookie-based authentication credentials, or other attacks.

This vulnerability is said to affect TSguestbook 2.1 and possibly earlier.

10. Sitebuilder 'sitebuilder.cgi' Directory Traversal File Disclosure
BugTraq ID: 8521
Remote: Yes
Date Published: Sep 01 2003
Relevant URL: http://www.securityfocus.com/bid/8521
Summary:
Sitebuilder is said to be prone to a directory traversal vulnerability,
potentially allowing users to disclose the contents of system files. The
problem occurs due to the application failing to parse user-supplied input
for directory traversal sequences (../) supplied to the 'sitebuilder.cgi'
script, thus making it possible to access files outside of the established
web root.

This could potentially allow an attacker to obtain information that could
be used in launching further attacks, such as passwords or sensitive user
information.

This vulnerability is said to affect Sitebuilder 1.4.

11. Multiple Vendor PC2Phone Software Remote Denial of Service Vulnerability
BugTraq ID: 8523
Remote: Yes
Date Published: Sep 01 2003
Relevant URL: http://www.securityfocus.com/bid/8523
Summary:
It has been reported that multiple PC2Phone products are prone to a remote
denial of service condition. The problem is said to occur when processing
excessive data passed to the programs via a UDP packet and could result in
the product crashing. This could result in an established conversation
prematurely ending, or potentially other attacks.

This vulnerability has been triggered by transmitting the UDP packet to
port 5000 on Go2Call Cash Calling, as well as Net2Phone Dialer. However,
to trigger the issue in Yahoo! Messenger the packet must be sent via UDP port
6801.

It should be noted that reports indicate that the problem may in fact lie
within the Go2Call Cash Calling program, and other products derived from
its source code are also affected. However, this information has not yet
been confirmed.

The precise technical details regarding this issue are currently unknown,
however as further information is made available this BID will be updated
accordingly.

22. PADL Software PAM_LDAP PAM Filter Access Restriction Failure
BugTraq ID: 8535
Remote: Yes
Date Published: Sep 03 2003
Relevant URL: http://www.securityfocus.com/bid/8535
Summary:
PAM_LDAP is the PAM module package designed to allow authentication with
LDAP servers via PAM-compliant authentication mechanisms. It is available
for the Unix and Linux platforms.

A problem in the PAM filter portion of PAM_LDAP has been identified that
may fail to restrict access to certain systems. This may allow
unauthorized access to network resources.

The problem is in the handling of values supplied to PAM filter. When PAM
filter is used to restrict the ability of users logging in from
unauthorized hosts, PAM filter may fail to restrict access by the user.
This could result in a user gaining access to a system from an
unauthorized host. This will also create a false sense of security, as
the PAM filter has been configured to restrict access and is not
performing as expected.

24. Stunnel Leaked File Descriptor Vulnerability
BugTraq ID: 8537
Remote: No
Date Published: Sep 03 2003
Relevant URL: http://www.securityfocus.com/bid/8537
Summary:
Stunnel is a freely available, open source cryptography wrapper. It is
designed to wrap arbitrary protocols that may or may not support
cryptography. It is maintained by the Stunnel project.

Stunnel has been reported prone to a file descriptor leakage
vulnerability. The issue reportedly presents itself due to an fcntl() call
made without a CLOEXEC flag in the source of Stunnel. It has been reported
that because of this, file descriptors returned by a listen() call are
made available to unprivileged processes.

If Stunnel is used to tunnel an application or service that provides shell
access, such as telnet, the shell will have the affected file descriptor
leaked to it. As a result, an unprivileged attacker may exploit this issue
to hijack the Stunnel Server.

Other file descriptors are also reportedly leaked, which may also be
potentially exploited in a similar manner.

It should be noted that this issue has been reported to affect Stunnel
versions 3.24, 4.00 and previous.

26. WebCalendar Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 8539
Remote: Yes
Date Published: Sep 03 2003
Relevant URL: http://www.securityfocus.com/bid/8539
Summary:
WebCalendar is a PHP based application, used as a calendar for one or more
clients. WebCalendar can be used with MySQL, Oracle, PostgreSQL or ODBC.

Multiple cross-site scripting vulnerabilities have been reported in
various modules of WebCalendar. The vulnerabilities may allow an attacker
to execute malicious script code on a legitimate user's browser due to
unsanitized user input.

The issues have been reported to exist in the $color parameter of
includes/js/colors.php module, $user parameter of week.php module, and
$eventinfo parameter of week.php, day.php, month.php, week_details.php,
view_l.php, view_m.php, view_t.php, view_v.php, view_w.php, and
week_details.php modules of the software.

HTML and script code may not be filtered from user supplied input before
being displayed. Therefore it may be possible to construct a malicious
link containing script code that may be executed in the browser of a user
who visits the link. This would occur in the context of the vulnerable
site.

Successful exploitation could allow for theft of cookie-based
authentication credentials from users. Other attacks are also possible.

27. WebCalendar Multiple Module SQL Injection Vulnerabilities
BugTraq ID: 8540
Remote: Yes
Date Published: Sep 03 2003
Relevant URL: http://www.securityfocus.com/bid/8540
Summary:
WebCalendar is a PHP based application, used as a calendar for one or more
clients. WebCalendar can be used with MySQL, Oracle, PostgreSQL or ODBC.

Multiple SQL injection vulnerabilities have been reported in various modules of
the software. The issues may allow an attacker to inject malicious SQL
syntax into database queries. The source of these issues is insufficient
sanitization of user-supplied input before including this input in
database queries. A remote attacker may exploit this issue to influence
SQL query logic.

The vulnerabilities have been reported to exist in the view_t.php,
view_w.php, view_v.php, and login.php modules of the software.

This issue may allow an attacker to gain access to sensitive data stored
in the database. Other attacks on the underlying database are possible as
well.

28. Leafnode fetchnews Remote Denial of Service Vulnerability
BugTraq ID: 8541
Remote: Yes
Date Published: Sep 04 2003
Relevant URL: http://www.securityfocus.com/bid/8541
Summary:
Leafnode is a Usenet news proxy. It allows online news readers to read
news offline. Fetchnews is the NNTP client software used with Leafnode.

Fetchnews is reported to be prone to a remote denial of service
vulnerability that may allow a remote attacker to cause the software to
hang.

The vulnerability may occur if an attacker sends certain non-RFC-1036
compliant Usenet news articles to the server. As fetchnews attempts to
retrieve the articles it may cause the software to wait for input that
never arrives. It has been reported that only one fetchnews process is
allowed to run at a time, therefore any fetchnews processes started
afterwards would fail immediately. This issue does not exhaust CPU
resources but limits the availability of the client while the condition is
occurring.

Successful exploitation of this issue may allow an attacker to cause a
denial of service attack on a vulnerable version of the software by
posting malformed news articles. This problem would result in news bases
not being updated.

This vulnerability affects Leafnode 1.9.3 to 1.9.41. The default
installation of Leafnode is also affected by this vulnerability. The
vendor has advised that versions 1.9.42 and newer are not vulnerable to
this issue.

32. EZ-WEB Site Builder Advanced Editor Selectedpage Parameter Disclosure
BugTraq ID: 8545
Remote: Yes
Date Published: Sep 04 2003
Relevant URL: http://www.securityfocus.com/bid/8545
Summary:
EZ-WEB Site Builder is software that allows users to create personal and
business web pages. Advanced editor is a text editor included with the
software package.

A vulnerability has been reported in EZ-WEB that may allow remote users to
access restricted data from the server outside the server root directory.
The issue is reported to exist in the 'selectedpage' parameter. It has
been reported that the 'selectedpage' parameter is not sanitized when used
to open a file using the advanced editor.

The vulnerability is due to an access validation error that allows clients
to traverse outside of the root directory using '../' directory traversal
character sequences as a value for the 'selectedpage' parameter.

This may allow the attacker to disclose arbitrary web server readable
files. Successful exploitation of this vulnerability may disclose
sensitive information to an attacker that may be used to launch further
attacks against a vulnerable host.

It has been reported that EZ-WEB Site Builder v1.5 is vulnerable to this
issue, however other versions may be affected as well.

33. Asterisk SIP Request Buffer Overrun Vulnerability
BugTraq ID: 8546
Remote: Yes
Date Published: Sep 04 2003
Relevant URL: http://www.securityfocus.com/bid/8546
Summary:
Asterisk is a software-based PBX system, which is available for Linux
operating systems. Asterisk includes support for the SIP (Session
Initiation Protocol).

Asterisk is prone to a remotely exploitable buffer overrun. This is due to
insufficient bounds checking of SIP MESSAGE and INFO requests.

In particular, due to a programming error in the chan_sip.c source file,
data supplied via either of these requests is used as a size argument for
a strncat() operation. By passing 1024 bytes in the request body,
strncat() will be invoked with a negative number for the size argument,
causing memory to be corrupted. A null is included in the affected page
of memory, limiting the amount of memory that is corrupted in the
operation and preventing a page fault, which will permit the saved return
address to be overwritten with attacker-supplied data. As a result, it
will be possible to control execution flow of the program and execute
arbitrary code.

This issue may be exploited by an unauthenticated remote attacker to
execute arbitrary code in the context of the software.
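The size-argument problem described in item 33, as an added example in C that is not Asterisk's chan_sip.c: the signed-to-size_t wrap is shown as a computation only, beside a bounds-checked append that refuses an oversize body. REQ_BUF, the function names and the arithmetic are illustrative assumptions, not the Asterisk code.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REQ_BUF 1024   /* illustrative fixed buffer size (assumption) */

/* Vulnerable arithmetic (sketch, not Asterisk's code): "space left" is
   computed in a signed int from an attacker-controlled length. Once
   body_len reaches REQ_BUF the result is negative. */
int remaining_space_signed(size_t body_len) {
    return (int)(REQ_BUF - 1) - (int)body_len;
}

/* strncat()'s size parameter is size_t, so a negative int is converted to
   a huge unsigned value and the copy is effectively unbounded. This only
   shows the converted value; it never performs the copy. */
size_t as_strncat_size(int n) {
    return (size_t)n;
}

/* Hardened append: all lengths stay size_t, the bound is checked before any
   byte is written, and an oversize body is rejected rather than truncated
   or overflowed. Returns 0 on success, -1 on refusal. */
int checked_append(char *dst, size_t dst_cap, const char *src, size_t src_len) {
    if (dst_cap == 0) return -1;
    size_t used = strnlen(dst, dst_cap);
    if (used == dst_cap) return -1;              /* dst is not NUL-terminated */
    if (src_len > dst_cap - used - 1) return -1; /* would not fit with the NUL */
    memcpy(dst + used, src, src_len);
    dst[used + src_len] = '\0';
    return 0;
}

/* Worked case: a constructed request body of REQ_BUF bytes (the length the
   advisory names) against both code paths. Returns 1 when the vulnerable
   size wraps and the checked path refuses, which is what a fix must do. */
int demo_oversize_body(void) {
    static char body[REQ_BUF + 1];
    memset(body, 'A', REQ_BUF);
    body[REQ_BUF] = '\0';
    char buf[REQ_BUF] = "MESSAGE: ";
    int signed_left = remaining_space_signed(strlen(body));
    size_t what_strncat_sees = as_strncat_size(signed_left);
    int rc = checked_append(buf, sizeof buf, body, strlen(body));
    return (signed_left < 0 && what_strncat_sees > REQ_BUF && rc == -1) ? 1 : 0;
}

/* Normal case: a body that fits is appended intact and one that would
   exactly overrun the NUL slot is refused. Returns 1 when both hold. */
int demo_small_append(void) {
    char small[16] = "ab";
    if (checked_append(small, sizeof small, "cd", 2) != 0) return 0;
    if (strcmp(small, "abcd") != 0) return 0;
    /* 4 used + 12 = 16 leaves no room for the terminator: must be refused */
    if (checked_append(small, sizeof small, "0123456789ab", 12) != -1) return 0;
    return strcmp(small, "abcd") == 0 ? 1 : 0;   /* refusal left dst untouched */
}

int main(void) {
    printf("oversize body: size wraps, checked append refuses: %s\n",
           demo_oversize_body() ? "yes" : "no");
    printf("small body handled correctly: %s\n",
           demo_small_append() ? "yes" : "no");
    return 0;
}
```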
 
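The fcntl()-without-CLOEXEC leak described in item 24, as an added example in C that is not Stunnel's code: it shows the check, the fix, and a pre-exec audit a wrapper that spawns shells should run. Function names are my own; SOCK_CLOEXEC mentioned in a comment is the Linux/BSD atomic alternative.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return 1 if fd carries FD_CLOEXEC, 0 if not, -1 if fd is not open. */
int has_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Set FD_CLOEXEC without clobbering other descriptor flags. 0 on success.
   On Linux/BSD, socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0) does this
   atomically at creation, closing the window between socket() and fcntl(). */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    if (flags & FD_CLOEXEC) return 0;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* Audit: count descriptors in [3, max_fd] that are open but NOT
   close-on-exec, i.e. the ones a child would inherit across exec(). A
   wrapper that hands a shell to the remote user wants this to be zero
   for its own listening and control sockets. */
int count_inheritable_fds(int max_fd) {
    int n = 0;
    for (int fd = 3; fd <= max_fd; fd++)
        if (has_cloexec(fd) == 0) n++;
    return n;
}

/* The leak and the fix end to end: a listening socket created the plain
   way is inheritable (the bug the BID describes); after set_cloexec() it is
   not. Returns 1 when that holds, -1 if no socket could be created. */
int demo_listening_socket(void) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int before = has_cloexec(fd);   /* expect 0: this is the leak */
    int rc = set_cloexec(fd);
    int after = has_cloexec(fd);    /* expect 1 */
    close(fd);
    return (before == 0 && rc == 0 && after == 1) ? 1 : 0;
}

/* Audit check on a constructed pair of pipe ends: both start inheritable,
   marking them removes exactly two from the count. Returns 1 when so. */
int demo_audit(void) {
    int p[2];
    if (pipe(p) < 0) return -1;
    int with_leak = count_inheritable_fds(1024);
    int rc = set_cloexec(p[0]) | set_cloexec(p[1]);
    int fixed = count_inheritable_fds(1024);
    close(p[0]);
    close(p[1]);
    return (rc == 0 && with_leak - fixed == 2) ? 1 : 0;
}

int main(void) {
    printf("listening socket no longer inherited: %s\n",
           demo_listening_socket() == 1 ? "yes" : "no");
    printf("audit delta correct: %s\n", demo_audit() == 1 ? "yes" : "no");
    printf("inheritable fds right now: %d\n", count_inheritable_fds(1024));
    return 0;
}
```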
  

