SecurityFocus
1. Xinetd Rejected Connection Memory Leakage Denial Of Service Vulnerability
BugTraq ID: 7382
Remote: Yes
Date Published: Apr 18 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7382
Summary:
Xinetd is intended as a secure replacement for inetd. It is designed for
use with Linux and Unix variant operating environments.
A denial of service vulnerability has been reported for Xinetd. The
vulnerability exists due to memory leaks occurring when connections are
rejected. This issue was reported to occur in the svc_request() function
of the service.c source file, where some allocated memory is not properly
freed when a connection is rejected.
An attacker can exploit this vulnerability by repeatedly connecting to a
Xinetd server and having each connection rejected. The leaked memory
accumulates until the host is exhausted, resulting in a denial of service
condition.
This vulnerability was reported for Xinetd prior to 2.3.11.
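The defect described above is a leak on the rejection path of a request handler. The following added example (not xinetd's code; the struct, the access rule and the counter are constructed for illustration) shows the leaky pattern beside a fixed version that routes every exit through a single cleanup label, with a live-allocation counter that makes the leak measurable.

```c
/* Added example, not xinetd's code: two versions of a connection handler that
 * allocates a per-request record and may reject the request. The leaky version
 * returns from the rejection branch without freeing; the fixed version routes
 * every exit through one cleanup label. A live-allocation counter makes the
 * difference observable. */
#include <stdlib.h>
#include <string.h>

struct request {
    char peer[64];
    int  accepted;
};

static long live_requests = 0;          /* records allocated but not freed */

/* Access-control decision used by the demo (constructed rule: accept 10.x). */
static int access_allowed(const char *peer)
{
    return strncmp(peer, "10.", 3) == 0;
}

static struct request *new_request(const char *peer)
{
    struct request *req = calloc(1, sizeof *req);
    if (req == NULL) return NULL;
    strncpy(req->peer, peer, sizeof req->peer - 1);
    live_requests++;
    return req;
}

static void free_request(struct request *req)
{
    if (req != NULL) { free(req); live_requests--; }
}

/* Defective pattern: the reject path forgets the record. Each rejected
 * connection leaks one struct request; repeated enough, the daemon runs out
 * of memory. Returns 1 accepted, 0 rejected, -1 error. */
int handle_connection_leaky(const char *peer)
{
    struct request *req = new_request(peer);
    if (req == NULL) return -1;
    if (!access_allowed(peer))
        return 0;                       /* BUG: req is never freed */
    req->accepted = 1;
    free_request(req);
    return 1;
}

/* Fixed pattern: one exit, so rejection and acceptance free the same way. */
int handle_connection_fixed(const char *peer)
{
    int rc = -1;
    struct request *req = new_request(peer);
    if (req == NULL) return -1;
    if (!access_allowed(peer)) {
        rc = 0;
        goto out;
    }
    req->accepted = 1;
    rc = 1;
out:
    free_request(req);
    return rc;
}

long outstanding_requests(void) { return live_requests; }

/* Drives a handler with n rejected connections (peer 192.0.2.1 is outside the
 * constructed allow rule) and returns how many records it left behind. */
long leaked_by(int (*handler)(const char *), int n)
{
    long before = live_requests;
    for (int i = 0; i < n; i++)
        handler("192.0.2.1");
    return live_requests - before;
}
```

Counting live allocations this way is also a cheap regression check for daemons that must survive floods of rejected connections: the number should return to its baseline after the flood, whatever the outcome of each request.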
2. Central Command Vexira Antivirus Buffer Overflow Vulnerability
BugTraq ID: 7383
Remote: No
Date Published: Apr 18 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7383
Summary:
Vexira Antivirus is an antivirus solution for Linux variant systems
distributed by Central Command.
A buffer overflow vulnerability has been reported for Vexira Antivirus
which may result in privilege escalation.
A local attacker can exploit this vulnerability by supplying an overly
long commandline argument to the /usr/lib/Vexira/vexira binary, consisting
of at least 280 characters. When the binary attempts to process this
input, it will trigger the buffer overflow condition and cause the
application to crash.
Although unconfirmed, it may be possible to exploit this vulnerability to
execute malicious attacker-supplied code.
This vulnerability was reported for Vexira Antivirus 2.1.7 for Linux.
11. Mod_NTLM Authorization Heap Overflow Vulnerability
BugTraq ID: 7388
Remote: Yes
Date Published: Apr 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7388
Summary:
mod_ntlm is an Apache module which implements NTLM authentication. It is
available for Apache 2.0.x and 1.3.x on the Linux operating system.
The mod_ntlm Apache module has been reported prone to a heap overflow
vulnerability.
The vulnerability is due to a lack of sufficient bounds checking performed
on user-supplied data, stored in a 2048 byte buffer within heap memory.
Specifically, an insecure 'vsprintf()' function call is made within the
mod_ntlm 'log()' function. The call to 'vsprintf()' copies user-supplied
authorization data without carrying out sufficient bounds checking. As a
result, excessive data may be copied into the 2048 byte buffer, resulting
in the corruption of sensitive memory management information.
By modifying an adjacent malloc header to contain malicious values, it may
be possible for an attacker to overwrite sensitive locations in memory
when a subsequent call to free() is made. As a result, it may be possible
for an attacker to execute arbitrary instructions, with the privileges of
the Apache server.
This vulnerability is reported to affect mod_ntlm v0.4 for Apache 1.3 and
mod_ntlmv2 version 0.1 for Apache 2.0. Although unconfirmed, previous
versions may also be affected.
12. Mod_NTLM Authorization Format String Vulnerability
BugTraq ID: 7393
Remote: Yes
Date Published: Apr 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7393
Summary:
mod_ntlm is an Apache module which implements NTLM authentication. It is
available for Apache 2.0.x and 1.3.x on the Linux operating system.
A format string vulnerability has been discovered in the mod_ntlm Apache
module. The issue occurs when processing authorization information located
in HTTP headers.
The problem occurs in a call to ap_log_rerror(), by the log() function,
without including format specifier arguments. As a result, it may be
possible for a remote attacker to embed their own specifiers within
authorization data. This may allow for an attacker to write to sensitive
locations in memory.
It should be noted that the exploitability of this issue to execute
arbitrary code may be hindered by various system specific limitations. As
a result, exploitation may only result in a denial of service.
This vulnerability was reported in mod_ntlm <= 0.4 and mod_ntlm2 0.1.
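Entries 2, 11 and 12 share two root causes: copying attacker-influenced input into a fixed buffer with no length limit (the Vexira argument and the mod_ntlm 2048-byte heap buffer written by vsprintf()), and handing that input to a printf-family function as the format string. The following added example is not mod_ntlm's, Vexira's or Apache's code; the log helper, buffer size and message prefix are constructed for illustration. It shows a logging routine that uses the size-aware vsnprintf() into a 2048-byte heap buffer, reports truncation instead of overrunning, and always passes the untrusted header value as a "%s" argument rather than as the format.

```c
/* Added example (not mod_ntlm's code): an audit-log helper that formats
 * attacker-influenced data into a fixed 2048-byte heap buffer safely.
 * Two rules: the size-aware vsnprintf() instead of vsprintf(), and untrusted
 * data always travels as a "%s" argument, never as the format string. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOG_BUF_SIZE 2048

/* Result of the last formatting call, exposed so the behaviour can be checked. */
struct log_result {
    size_t written;     /* bytes actually stored, excluding the NUL */
    int    truncated;   /* 1 if the message did not fit */
};

static struct log_result last;

/* Format into a heap buffer of LOG_BUF_SIZE bytes; the caller frees it.
 * vsnprintf() never writes past the buffer; its return value is the length the
 * full message would have had, which is how truncation is detected. */
char *log_fmt(const char *fmt, ...)
{
    char *buf = malloc(LOG_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(buf, LOG_BUF_SIZE, fmt, ap);
    va_end(ap);
    if (needed < 0) { free(buf); return NULL; }
    last.truncated = needed >= LOG_BUF_SIZE;
    last.written = last.truncated ? LOG_BUF_SIZE - 1 : (size_t)needed;
    return buf;
}

/* Log an Authorization header value. The header is data, so it is passed as
 * the %s argument. Writing log_fmt(header) instead would let the client choose
 * the format string, which is the class of defect in entry 12. */
char *log_authorization(const char *header)
{
    return log_fmt("authorization header: %s", header);
}

size_t last_written(void)  { return last.written; }
int    last_truncated(void) { return last.truncated; }

/* Logs a header of input_len 'A' bytes and returns the stored message length,
 * so the 2047-byte ceiling can be checked without inspecting memory. */
size_t logged_length_for(size_t input_len)
{
    char *in = malloc(input_len + 1);
    if (in == NULL) return 0;
    memset(in, 'A', input_len);
    in[input_len] = '\0';
    char *msg = log_authorization(in);
    size_t n = msg ? strlen(msg) : 0;
    free(msg);
    free(in);
    return n;
}

/* Returns 1 if a header is logged byte-for-byte, including any '%' sequences
 * it contains, i.e. it was treated as data and not interpreted. */
int logs_literally(const char *header)
{
    char *msg = log_authorization(header);
    if (msg == NULL) return 0;
    const char *prefix = "authorization header: ";
    int ok = strncmp(msg, prefix, strlen(prefix)) == 0 &&
             strcmp(msg + strlen(prefix), header) == 0;
    free(msg);
    return ok;
}
```

The same discipline applies to the command-line argument in entry 2: a copy of argv[i] into a fixed array should go through a length-limited routine and reject or truncate anything that does not fit. Modern compilers flag the format-string half of this with -Wformat-security, which warns whenever a non-literal is passed as a printf-family format with no arguments.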
13. PT News Unauthorized Administrative Access Vulnerability
BugTraq ID: 7394
Remote: Yes
Date Published: Apr 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7394
Summary:
PT News is a web based news system. It is implemented in PHP and
available for Microsoft Windows operating systems and Linux/Unix variants.
PT News does not adequately prevent remote users from gaining unauthorized
access to administrative functions. The source of this issue is that the
'index.php' script includes the 'news.inc' file, which contains various
administrative functions for PT News. Remote users may access the
administrative functions of 'news.inc' through the 'index.php' script.
Exploitation could allow remote attackers to manipulate content.
17. YaBB SE Language Remote File Include Vulnerability
BugTraq ID: 7399
Remote: Yes
Date Published: Apr 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7399
Summary:
YaBB SE is a freely available, open source port of Yet Another Bulletin
Board (YaBB). It is available for a number of platforms including Unix,
Linux, and Microsoft Windows operating systems.
YaBB may allow malicious bulletin board users to influence the include
path for language files. Registered users may influence the include path
of language files through the "Change Profile" option. A malicious user
could set an include path that points to a malicious PHP script on an
external host. This could result in execution of commands in the context
of the web server.
19. OpenBB Index.PHP Remote SQL Injection Vulnerability
BugTraq ID: 7401
Remote: Yes
Date Published: Apr 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7401
Summary:
OpenBB is a freely available, open source bulletin board software package.
It is available for Unix, Linux, and Microsoft Windows operating systems.
A problem with the software may make it possible for remote users to
modify database query logic.
It has been reported that OpenBB does not properly check input passed via
the 'index.php' script. Because of this, it may be possible for a remote
user to inject malicious arbitrary SQL queries in the context of the
database user for the bulletin board software. The consequences of
successful exploitation will vary depending on the underlying database
implementation, but may allow for disclosure of sensitive information or
remote compromise of the bulletin board or database itself.
This vulnerability has been reported in OpenBB version 1.1.0. The
currently available version reported by the vendor is 1.0.5. This
vulnerability may affect the reported version, and previous versions of
the affected software.
20. OpenBB Board.PHP Remote SQL Injection Vulnerability
BugTraq ID: 7404
Remote: Yes
Date Published: Apr 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7404
Summary:
OpenBB is a freely available, open source bulletin board software package.
It is available for Unix, Linux, and Microsoft Windows operating systems.
A problem with the software may make it possible for remote users to
modify database query logic.
It has been reported that OpenBB does not properly check input passed via
the 'board.php' script. Because of this, it may be possible for a remote
user to inject malicious arbitrary SQL queries in the context of the
database user for the bulletin board software. The consequences of
successful exploitation will vary depending on the underlying database
implementation, but may allow for disclosure of sensitive information or
remote compromise of the bulletin board or database itself.
This vulnerability has been reported in OpenBB version 1.1.0. The
currently available version reported by the vendor is 1.0.5. This
vulnerability may affect the reported version, and previous versions of
the affected software.
21. OpenBB Member.PHP Remote SQL Injection Vulnerability
BugTraq ID: 7405
Remote: Yes
Date Published: Apr 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7405
Summary:
OpenBB is a freely available, open source bulletin board software package.
It is available for Unix, Linux, and Microsoft Windows operating systems.
A problem with the software may make it possible for remote users to
modify database query logic.
It has been reported that OpenBB does not properly check input passed via
the 'member.php' script. Because of this, it may be possible for a remote
user to inject malicious arbitrary SQL queries in the context of the
database user for the bulletin board software. The consequences of
successful exploitation will vary depending on the underlying database
implementation, but may allow for disclosure of sensitive information or
remote compromise of the bulletin board or database itself.
This vulnerability has been reported in OpenBB version 1.1.0. The
currently available version reported by the vendor is 1.0.5. This
vulnerability may affect the reported version, and previous versions of
the affected software.
22. MIME-Support Package Insecure Temporary File Creation Vulnerability
BugTraq ID: 7403
Remote: No
Date Published: Apr 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7403
Summary:
The mime-support package contains a variety of MIME applications and
tools. It is available for the Linux operating system.
A vulnerability has been discovered in the run-mailcap application
included with mime-support. The problem occurs due to invalid sanity
checks when creating temporary files.
By populating the /tmp directory with symbolic links which point to
sensitive system files, it may be possible for an unprivileged user to
corrupt arbitrary files. As a result, an unprivileged user may be capable
of rendering a target system unusable or possibly gain elevated
privileges.
This vulnerability affects run-mailcap included in mime-support version
3.21 and earlier.
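The run-mailcap issue above is the classic temporary-file race: a predictable name under /tmp, opened without refusing symlinks, lets a pre-planted link redirect the write. The following added example is not run-mailcap's or mime-support's code; it builds its own scratch directory, a victim file and a planted symlink (all constructed for the demo, nothing outside the scratch directory is touched) and contrasts a naive open() with one using O_CREAT|O_EXCL|O_NOFOLLOW, and with mkstemp(), which picks an unused name and opens it atomically.

```c
/* Added example (not run-mailcap's code): creating a temporary file so that a
 * symlink planted in /tmp cannot redirect the write to a file of the
 * attacker's choosing. The demo sets up its own scratch directory with a
 * planted symlink, constructed here; nothing outside that directory is touched. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Predictable name, O_CREAT without O_EXCL: follows a planted symlink and
 * truncates whatever it points at. Returns the fd, or -1. */
int open_tmp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST when the name already exists in
 * any form (a symlink included); O_NOFOLLOW additionally refuses a symlink in
 * the final component with ELOOP. */
int open_tmp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred when the name need not be predictable at all: mkstemp() chooses an
 * unused name and opens it with O_EXCL atomically. */
int open_tmp_random(char *template_path)
{
    return mkstemp(template_path);
}

/* Builds the scenario (scratch dir, victim file, predictable-name symlink to
 * the victim), then tries each opener. Returns 1 if the safe opener refused the
 * planted path, the unsafe opener clobbered the victim, and mkstemp() produced
 * a fresh file; 0 otherwise. */
int demo_symlink_defence(void)
{
    char dir[] = "/tmp/symlinkdemo.XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;

    char victim[256], planted[256], tmpl[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/run-mailcap.1234", dir);  /* predictable */
    snprintf(tmpl, sizeof tmpl, "%s/run-mailcap.XXXXXX", dir);

    FILE *f = fopen(victim, "w");            /* victim with known content */
    if (f == NULL) return 0;
    fputs("original\n", f);
    fclose(f);

    if (symlink(victim, planted) != 0) return 0;   /* the planted link */

    /* Safe opener must refuse the planted path. */
    int safe_fd = open_tmp_safe(planted);
    int refused = (safe_fd == -1) && (errno == EEXIST || errno == ELOOP);
    if (safe_fd >= 0) close(safe_fd);

    /* Unsafe opener follows the link and overwrites the victim. */
    int clobbered = 0;
    int unsafe_fd = open_tmp_unsafe(planted);
    if (unsafe_fd >= 0) {
        ssize_t w = write(unsafe_fd, "clobbered\n", 10);
        close(unsafe_fd);
        char buf[32] = {0};
        f = fopen(victim, "r");
        if (f) { if (fgets(buf, sizeof buf, f) == NULL) buf[0] = '\0'; fclose(f); }
        clobbered = (w == 10) && strcmp(buf, "clobbered\n") == 0;
    }

    /* mkstemp() always yields a fresh, non-symlink file. */
    int rnd_fd = open_tmp_random(tmpl);
    int fresh = rnd_fd >= 0;
    if (rnd_fd >= 0) { close(rnd_fd); unlink(tmpl); }

    unlink(planted); unlink(victim); rmdir(dir);
    return refused && clobbered && fresh;
}
```

The unsafe opener is included only so the effect is visible inside the scratch directory; in a real program the fix is mkstemp() (or mkdtemp() plus files created inside the private directory), and on Linux the fs.protected_symlinks sysctl adds a kernel-side check for links in sticky world-writable directories.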
23. XMB Forum Members.PHP SQL Injection Vulnerability
BugTraq ID: 7406
Remote: Yes
Date Published: Apr 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7406
Summary:
XMB Forum is a web based discussion forum implemented in PHP.
An SQL injection vulnerability has been reported to affect the
'members.php' page of XMB Forum. The vulnerability may be exploited if the
web server hosting XMB has activated 'register_globals' in the php.ini
configuration file.
The condition is reportedly due to insufficient sanitization of externally
supplied data that is used to construct SQL queries. This data may be
supplied via the '$email1' and '$email2' URI parameters during the
registration process. A remote attacker may take advantage of this issue
to inject malicious data into SQL queries, possibly resulting in
modification of query logic.
The consequences may vary depending on the particular database
implementation and the nature of the specific queries. One scenario
reported was revealing registered users' password hashes. SQL injection
also makes it possible, under some circumstances, to exploit latent
vulnerabilities that may exist in the underlying database.
It should be noted that although this vulnerability has been reported to
affect XMB Forum version 1.8, previous versions might also be affected.
24. SAP Database Development Tools INSTDBMSRV INSTROOT Environment Variable Vulnerability
BugTraq ID: 7407
Remote: No
Date Published: Apr 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7407
Summary:
SAP DB is a free database software package for Unix, Linux, and Microsoft
Operating Systems.
It has been reported that a vulnerability exists in the SAP Database
program instdbmsrv. Because of this, a local attacker may be able to gain
elevated privileges.
The problem is in the handling of input from untrusted sources. When
executed, the instdbmsrv program checks the INSTROOT environment variable
for the location of the pgm/dbmsrv program. The permissions of the dbmsrv
program are changed to give the program setuid root privileges when the
instdbmsrv is executed. An attacker could modify the INSTROOT environment
variable locally to point to an arbitrary directory. When the instdbmsrv
program is executed, an attacker-supplied version of the dbmsrv program
would be changed to setuid root.
This could result in an attacker gaining local administrative privileges.
25. SAP Database Development Tools INSTLSERVER INSTROOT Environment Variable Vulnerability
BugTraq ID: 7408
Remote: No
Date Published: Apr 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7408
Summary:
SAP DB is a free database software package for Unix, Linux, and Microsoft
Operating Systems.
It has been reported that a vulnerability exists in the SAP Database
program instlserver. Because of this, a local attacker may be able to gain
elevated privileges.
The problem is in the handling of input from untrusted sources. When
executed, the instlserver program checks the INSTROOT environment variable
for the location of the pgm/lserver program. The permissions of the
lserver program are changed to give the program setuid root privileges
when instlserver is executed. An attacker could modify the INSTROOT
environment variable locally to point to an arbitrary directory. When the
instlserver program is executed, an attacker-supplied version of the
lserver program would be changed to setuid root.
This could result in an attacker gaining local administrative privileges.
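Entries 24 and 25 are the same defect: a privileged installer takes a path from an environment variable and makes whatever it finds there setuid root without asking who could have written it. The added example below is not SAP DB's installer code; the function names, buffer size and scratch-directory scenario are constructed for illustration. It checks every prefix of the candidate path with lstat(): the path must be absolute, contain no "." or ".." or symlink components, and every component must be owned by the trusted uid (root in production) and not writable by group or others. An attacker-controlled INSTROOT under a world-writable directory such as /tmp fails at that ancestor.

```c
/* Added example (not SAP DB's installer code). Before a privileged installer
 * marks $INSTROOT/pgm/<prog> setuid root, it must establish that nobody except
 * the trusted owner could have placed or replaced that file. Every prefix of
 * the path is checked with lstat(). */
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define WORK_MAX 4096    /* constructed limit on the path length */

/* One path prefix is acceptable when it exists, is not a symlink, is owned by
 * the trusted uid and cannot be written by group or others. */
static int component_ok(const char *prefix, uid_t trusted_owner)
{
    struct stat st;
    if (lstat(prefix, &st) != 0) return 0;
    if (S_ISLNK(st.st_mode)) return 0;
    if (st.st_uid != trusted_owner) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Returns 1 if every prefix of 'path' ("/", "/opt", "/opt/sapdb", ...) passes
 * component_ok() and no component is "", "." or ".."; 0 otherwise. A
 * world-writable ancestor such as /tmp fails, which is the point: an
 * attacker-controlled INSTROOT can live there. */
int trusted_install_root(const char *path, uid_t trusted_owner)
{
    char work[WORK_MAX];
    if (path == NULL || path[0] != '/' || strlen(path) >= sizeof work) return 0;
    strcpy(work, path);
    size_t len = strlen(work);
    while (len > 1 && work[len - 1] == '/') work[--len] = '\0';  /* trailing '/' */

    if (!component_ok("/", trusted_owner)) return 0;
    if (len == 1) return 1;                                    /* path is "/" */

    size_t start = 1;
    for (size_t i = 1; i <= len; i++) {
        if (work[i] != '/' && work[i] != '\0') continue;
        size_t n = i - start;
        if (n == 0 || (n == 1 && work[start] == '.') ||
            (n == 2 && work[start] == '.' && work[start + 1] == '.'))
            return 0;                        /* empty, "." or ".." component */
        char saved = work[i];
        work[i] = '\0';
        int ok = component_ok(work, trusted_owner);
        work[i] = saved;
        if (!ok) return 0;
        start = i + 1;
    }
    return 1;
}

/* Owner uid of a path (lstat, so a symlink reports its own owner), or -1. */
uid_t owner_of(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 ? st.st_uid : (uid_t)-1;
}

/* Scenario: a directory under /tmp, owned by the caller but chmod 0777 (both
 * constructed here). It must be rejected, on two counts: /tmp is a
 * world-writable ancestor, and the directory itself is world-writable.
 * Returns 1 if trusted_install_root() rejects it. */
int demo_world_writable_rejected(void)
{
    char dir[] = "/tmp/instroot.XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    int rejected = 0;
    if (chmod(dir, 0777) == 0)
        rejected = trusted_install_root(dir, getuid()) == 0;
    rmdir(dir);
    return rejected;
}
```

A stricter design avoids the question entirely: a setuid or root-run installer should ignore INSTROOT and use a compiled-in or configuration-file location, and it should chmod u+s only a file it has just installed itself (via the descriptor it wrote, with fchmod()), not whatever currently sits at a path.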