SecurityFocus
1. SILC Server SSH2 Authentication Password Persistence Weakness
BugTraq ID: 6743
Remote: No
Date Published: Feb 01 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6743
Summary:
SILC (Secure Internet Live Conferencing) is a protocol which provides
secure conferencing services over the Internet.
A problem with SILC may allow the recovery of sensitive information.
It has been reported that SILC does not safely handle password
information. As a result, a local user may be able to recover
authentication passwords.
The problem is in the handling of authentication passwords after
authentication has been negotiated. Correct behavior for such applications
is to wipe passwords from memory as soon as authentication has completed.
SILC, however, retains the password in memory, where it may be recovered by
another user with sufficient privileges to read the process's address space.
In addition to being present in process memory, the password may also be
retrieved from memory dumps of the process, such as core files.
2. myphpPageTool Remote File Include Vulnerability
BugTraq ID: 6744
Remote: Yes
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6744
Summary:
myphpPagetool is an application used to maintain a web site using a MySQL
database, which stores and manages all web pages and their contents.
myphpPagetool is written in PHP and is available for a variety of
platforms.
myphpPageTool is prone to an issue which may allow remote attackers to
include files located on remote servers. This issue is present in the
index.php, help1.php, help2.php, help3.php, help4.php, help5.php,
help6.php, help7.php, help8.php and help9.php pages existing in the
/doc/admin folder.
Under some circumstances, it is possible for remote attackers to influence
the include path for 'pt_config.inc' to point to an external file on a
remote server by manipulating the $ptinclude URI parameter.
If the remote file contains attacker-supplied PHP code, this may be
exploited to execute arbitrary system commands in the context of the web
server.
This vulnerability was reported for myphpPageTool 0.43-1. It is not known
whether other versions are affected.
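An added example, not myphpPageTool's code, of how a parameter such as $ptinclude should be constrained before it selects the directory from which pt_config.inc is loaded. It is written in Python rather than PHP; the directory layout and the inputs tried in demo() are constructed, and the pt_config.inc file name is the only identifier taken from the advisory:

```python
# Added example (Python, not myphpPageTool's PHP): constrain a user-supplied
# include directory before it is used to locate pt_config.inc.
# Assumptions: the parameter is named "ptinclude" (from the advisory); the
# directory layout and the inputs tried in demo() are constructed.
import os
import tempfile
from urllib.parse import urlsplit

CONFIG_NAME = "pt_config.inc"


def resolve_include(base_dir, ptinclude):
    """Return the path of pt_config.inc under base_dir/<ptinclude>, or None.

    Rejects URLs and stream wrappers (the remote-include case), absolute
    paths, NUL bytes, and relative paths that escape base_dir.
    """
    if not ptinclude or "\x00" in ptinclude:
        return None
    # A scheme means PHP's include() would fetch from somewhere other than
    # the local directory tree: http://, ftp://, php://, data:, ...
    if urlsplit(ptinclude).scheme or "://" in ptinclude:
        return None
    if os.path.isabs(ptinclude):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, ptinclude, CONFIG_NAME))
    # realpath() collapses ".." and follows symlinks, so the containment
    # check is made on the path that would really be opened.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Build a throwaway install and report which ptinclude values pass."""
    with tempfile.TemporaryDirectory() as root:
        inc = os.path.join(root, "inc")
        os.makedirs(inc)
        with open(os.path.join(inc, CONFIG_NAME), "w") as f:
            f.write("<?php $db_host = 'localhost'; ?>\n")
        tried = ["inc", "http://attacker.example/", "../../etc",
                 "/etc", "inc\x00"]
        return {p: resolve_include(root, p) is not None for p in tried}


if __name__ == "__main__":
    for param, ok in demo().items():
        print("%-28r -> %s" % (param, "accepted" if ok else "rejected"))
```

The scheme check is what closes the hole described above: once include() is handed a URL, the "file" it executes comes from a host the attacker controls. The containment check on the resolved path closes the local variant (path traversal) at the same time.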
3. Bladeenc Signed Integer Memory Corruption Vulnerability
BugTraq ID: 6745
Remote: No
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6745
Summary:
Bladeenc is an open-source MP3 encoder and is available for a variety of
platforms including Microsoft Windows and Linux and Unix variant operating
systems.
A memory corruption vulnerability has been reported for Bladeenc. Bladeenc
encodes WAV files in 'chunks' of data. The vulnerability exists when
Bladeenc is seeking a WAV file chunk. Specifically, in the function
__myfseek() in the samplein.c source file, an integer value is not
properly verified. When this function is given a negative value, it will
result in the corruption of sensitive areas of memory with
attacker-supplied values.
An attacker can exploit this vulnerability by creating a malicious WAV
file with carefully crafted headers that will cause Bladeenc to execute
malicious attacker-supplied code.
This vulnerability was reported for Bladeenc 0.94.2 and earlier.
4. phpMyShop compte.php SQL Injection Vulnerability
BugTraq ID: 6746
Remote: Yes
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6746
Summary:
phpMyShop is an application written in PHP that makes it possible to
manage a web based electronic shop.
phpMyShop, in some cases, does not sufficiently sanitize user-supplied
input which is used when constructing SQL queries. As a result, attackers
may supply malicious parameters to manipulate the structure and logic of
SQL queries. This may result in unauthorized operations being performed on
the underlying database.
This vulnerability was reported to exist in the compte.php script file
distributed with phpMyShop. A remote attacker may exploit this
vulnerability to bypass the authentication/registration process used by
phpMyShop sites.
SQL injection attacks may also potentially be used to exploit latent
vulnerabilities in the underlying database implementation.
This vulnerability was reported for phpMyShop 1.00. It is not known
whether other versions are affected.
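An added example, not phpMyShop's code, showing the login check written the way the advisory describes (user input spliced into the SQL text) beside a parameterized version, both run against an in-memory SQLite table. The table, column names and credentials are constructed, since the advisory does not describe phpMyShop's schema:

```python
# Added example (Python/sqlite3, not phpMyShop's PHP/MySQL): the same login
# query built by string formatting and with placeholders.
# Assumptions: table "customers", its columns, and the sample row are
# constructed for the demonstration.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (login TEXT, password TEXT)")
    conn.execute("INSERT INTO customers VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, login, password):
    """User input becomes part of the SQL grammar."""
    sql = ("SELECT login FROM customers WHERE login = '%s' "
           "AND password = '%s'" % (login, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, login, password):
    """Placeholders keep the input as data: the quote and the OR clause in
    PAYLOAD are compared literally against the password column."""
    sql = "SELECT login FROM customers WHERE login = ? AND password = ?"
    row = conn.execute(sql, (login, password)).fetchone()
    return row[0] if row else None


# Constructed injection string. In the vulnerable query it yields
#   ... WHERE login = 'alice' AND password = '' OR '1'='1'
# and AND binds tighter than OR, so every row matches.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, wrong password:", login_vulnerable(conn, "alice", "wrong"))
    print("vulnerable, injected      :", login_vulnerable(conn, "alice", PAYLOAD))
    print("fixed, injected           :", login_fixed(conn, "alice", PAYLOAD))
    print("fixed, real password      :", login_fixed(conn, "alice", "s3cret"))
```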
5. OpenBSD CHPass Temporary File Link File Content Revealing Vulnerability
BugTraq ID: 6748
Remote: No
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6748
Summary:
OpenBSD is a freely available version of the BSD Unix operating system.
A problem in OpenBSD may result in the disclosure of the contents of
specific files.
It has been reported that a vulnerability in chpass may allow local users
to gain access to the content of specific files. This vulnerability
requires that lines in the target file be constructed in a specific
format. The issue also affects the chfn and chsh programs which are hard
links to the chpass binary.
While chpass executes, a user can suspend the process, for example by
sending it SIGSTOP from the shell. While the process is stopped, the user
can replace the temporary file created by the process with a symbolic link
to an arbitrary file. When the process resumes, it reads the content of the
linked file. Because chpass is a setuid root executable, some lines of that
file may then be displayed on standard output.
This could allow a local user to read the contents of restricted files,
and may result in further attack against the vulnerable system.
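An added example, not OpenBSD's chpass or its fix, of the defensive pattern for this class of bug: keep the descriptor from the moment the temporary file is created and, before re-reading the file by name, confirm that the name still refers to that same file. The directory, the "master.passwd" stand-in and its contents are constructed:

```python
# Added example (Python, not OpenBSD's chpass): hold the temporary file's
# descriptor from creation and, before re-reading the file by name, verify
# that the name still refers to that same file. A symlink swapped in while
# the process was stopped is refused instead of followed.
# Assumptions: the directory, the "master.passwd" stand-in and its contents
# are constructed for the demonstration.
import os
import stat
import tempfile


class TemporaryFileReplaced(Exception):
    pass


def create_temp(dirname):
    """mkstemp() creates the file exclusively with mode 0600 and keeps it open."""
    return tempfile.mkstemp(dir=dirname)


def reread_naive(path):
    """The vulnerable pattern: reopen by name and trust whatever is there."""
    with open(path, "rb") as f:
        return f.read()


def reread_checked(fd, path):
    """Reopen `path` without following symlinks and accept the contents only
    if the reopened file is the regular file `fd` was created as."""
    expected = os.fstat(fd)
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    try:
        rfd = os.open(path, flags)
    except OSError as e:
        # ELOOP on Linux/BSD: the name is now a symbolic link
        raise TemporaryFileReplaced("%s: %s" % (path, e.strerror))
    try:
        actual = os.fstat(rfd)
        if (not stat.S_ISREG(actual.st_mode)
                or actual.st_dev != expected.st_dev
                or actual.st_ino != expected.st_ino):
            raise TemporaryFileReplaced("%s: not the file we created" % path)
        return os.read(rfd, 1 << 16)
    finally:
        os.close(rfd)


def demo():
    """Simulate the attack window and compare the two re-read strategies."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "master.passwd")   # constructed stand-in
        with open(secret, "wb") as f:
            f.write(b"root:$2b$10$hash:0:0:daemon:0:0:Charlie &:/root:/bin/ksh\n")
        fd, path = create_temp(d)
        os.write(fd, b"user-editable fields\n")
        # Attacker's window: the privileged process is stopped, and its
        # temp file is replaced by a symlink to the file to be disclosed.
        os.unlink(path)
        os.symlink(secret, path)
        leaked = reread_naive(path).startswith(b"root:")
        try:
            reread_checked(fd, path)
            outcome = "read"
        except TemporaryFileReplaced:
            outcome = "refused"
        os.close(fd)
        return leaked, outcome


if __name__ == "__main__":
    print(demo())   # (True, 'refused'): naive read leaks, checked read refuses
```

The simplest fix is stronger still: never reopen by name at all, and read back through the descriptor that mkstemp() returned. The check above is for code that, like the editor hand-off in chpass, must let something else touch the file by path in between.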
8. PHP-Nuke Avatar HTML Injection Vulnerability
BugTraq ID: 6750
Remote: Yes
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6750
Summary:
PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.
A vulnerability has been reported in PHP-Nuke that may result in HTML
injection. The vulnerability occurs because PHP-Nuke does not sanitize
some user-supplied input submitted to a site when selecting 'avatar'
images. Due to this condition, a malicious user may be able to insert
malicious HTML code which will then be displayed to unsuspecting users of
PHP-Nuke forums. Any attacker-supplied code will be interpreted in a
victim user's web browser in the security context of the site hosting the
software.
It may be possible to steal an unsuspecting user's cookie-based
authentication credentials, as well as other sensitive information. It is
also possible to modify or corrupt other users' avatars. Other attacks are
also possible.
This vulnerability was reported for PHP-Nuke 6.0 and earlier.
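An added example, not PHP-Nuke's code, of rendering a user-selected avatar safely: the selection is checked against an allowlist of gallery files, and the value is escaped for the HTML attribute context on output. It is written in Python rather than PHP; the avatar directory, gallery file names and payload are constructed:

```python
# Added example (Python, not PHP-Nuke's PHP): render a user-selected avatar
# with an allowlist on the selection and attribute escaping on output.
# Assumptions: the avatar directory, the gallery file names and the payload
# are constructed; PHP-Nuke's own markup is not reproduced.
import html
import re

AVATAR_DIR = "images/forum/avatars"                     # constructed
AVAILABLE = {"blank.gif", "smile.gif", "ghost.gif"}     # constructed gallery
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}\.(gif|png|jpg)$")


def render_avatar_vulnerable(selection):
    """Raw selection echoed into an attribute: a quote in the input closes
    the src attribute and anything after it becomes markup."""
    return '<img src="%s/%s" alt="avatar">' % (AVATAR_DIR, selection)


def render_avatar_escaped_only(selection):
    """Escaping alone stops the attribute breakout, but still lets a user
    point at files that are not part of the gallery."""
    src = html.escape("%s/%s" % (AVATAR_DIR, selection), quote=True)
    return '<img src="%s" alt="avatar">' % src


def render_avatar_fixed(selection):
    """Allowlist the selection, then escape on output anyway."""
    if not _SAFE_NAME.match(selection) or selection not in AVAILABLE:
        selection = "blank.gif"        # fall back rather than echo input
    src = html.escape("%s/%s" % (AVATAR_DIR, selection), quote=True)
    return '<img src="%s" alt="avatar">' % src


PAYLOAD = 'x.gif" onerror="alert(document.cookie)'      # constructed

if __name__ == "__main__":
    for fn in (render_avatar_vulnerable, render_avatar_escaped_only,
               render_avatar_fixed):
        print("%-26s %s" % (fn.__name__, fn(PAYLOAD)))
```

The two layers address the two consequences listed above: escaping prevents script from running in other users' browsers, and the allowlist prevents a selection from pointing at, or being confused with, another user's avatar.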
9. PAM pam_xauth Module Unintended X Session Cookie Access Vulnerability
BugTraq ID: 6753
Remote: No
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6753
Summary:
Pluggable Authentication Modules (PAM) is shipped with RedHat Linux 8.0
and earlier, by default. PAM comes with the pam_xauth module, which can be
used in conjunction with the su utility to pass X MIT-Magic-Cookies to
newly created sessions.
A vulnerability has been discovered when the pam_xauth module is used in
conjunction with the su utility within an X session. When a user (user1)
runs su to assume the identity of another user (user2), pam_xauth creates a
temporary .xauth cookie file in the assumed user's (user2) home directory.
The file is created readable and writable only by the assumed user, and it
contains the MIT-Magic-Cookie for the suing user's (user1) X session.
This poses a security risk because the legitimate owner of the assumed
account (user2) can read the cookie file. Since the file holds user1's X
session credentials, user2 could use it to connect to the X server as
user1.
Accessing another users X session may allow an attacker to obtain
sensitive information otherwise restricted. It may also grant the ability
to run commands with the privileges of the victim user.
This vulnerability could result in elevated privileges in the event that a
higher-privileged user made use of the su program to log into the account
of a lower-privileged user. The lower-privileged user could exploit this
issue to gain administrative access to the local system.
It has been reported that this issue does not affect RedHat 7.0.
14. IBM WebSphere Exported XML Password Encoding Weakness
BugTraq ID: 6758
Remote: No
Date Published: Feb 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6758
Summary:
IBM WebSphere is a commercial web application server which runs on a
number of platforms including Linux and Unix variants and Microsoft
Windows operating environments.
IBM WebSphere allows administrators to export configuration files to XML.
When the WebSphere configuration file is exported in this manner,
passwords are obfuscated using an easily reversible algorithm.
The algorithm used to obfuscate the password is as follows:
CHARobfuscated(n) = CHARpassword(n) XOR CHAR("_")
where n is the position of the character.
The obfuscated password is then Base64 encoded.
If an attacker gains access to an exported XML configuration file, it is a
trivial task to decode the password.
To exploit this weakness, an administrator must first export the
configuration to XML and then the attacker may gain unauthorized access to
the exported file.
The WebSphere documentation states that exported configurations will
contain encoded (and not encrypted) passwords. Administrators should be
cautious when exporting configuration files.
This issue was reported in IBM WebSphere Advanced Server Edition 4.0.4.
It is not known whether the same encoding is used in other versions. The
core weakness, however, is that passwords are encoded rather than
encrypted with a strong algorithm, so all current versions should be
considered prone to this weakness to some degree.
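An added example, not IBM's code, implementing the encoding described above (XOR of each password byte with "_", then Base64) and its inverse, and pulling password attributes out of a constructed XML fragment. Tolerating a "{xor}" marker in front of the value is an assumption based on the look of WebSphere configuration files, not something the advisory states:

```python
# Added example (not IBM code): the obfuscation described in the advisory,
# each password byte XORed with "_" (0x5F) and the result Base64 encoded,
# plus its inverse.
# Assumptions: the "{xor}" prefix handling is based on how WebSphere
# configuration files commonly look, not on the advisory; the XML fragment
# and the password in it are constructed.
import base64
import re

XOR_KEY = ord("_")   # 0x5F


def encode_xor(password):
    data = bytes(b ^ XOR_KEY for b in password.encode("utf-8"))
    return base64.b64encode(data).decode("ascii")


def decode_xor(encoded):
    if encoded.startswith("{xor}"):            # assumed marker, see above
        encoded = encoded[len("{xor}"):]
    data = base64.b64decode(encoded, validate=True)
    # XOR is its own inverse, so the same key recovers the plaintext bytes
    return bytes(b ^ XOR_KEY for b in data).decode("utf-8")


def passwords_in(xml_text):
    """Return every password="..." attribute value in xml_text, decoded."""
    return [decode_xor(m) for m in re.findall(r'password="([^"]*)"', xml_text)]


# Constructed fragment in the shape of an exported configuration entry.
SAMPLE_XML = ('<DataSource name="shopDB" userId="shop" password="%s"/>'
              % encode_xor("Winter2003!"))

if __name__ == "__main__":
    print(SAMPLE_XML)
    print("recovered:", passwords_in(SAMPLE_XML))
```

Because the key is a single known byte, there is nothing to guess: anyone holding the exported file recovers every password with the few lines above, which is why the advisory treats access to the file as equivalent to access to the credentials.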
15. Majordomo Default Configuration Remote List Subscriber Disclosure Vulnerability
BugTraq ID: 6761
Remote: Yes
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6761
Summary:
Majordomo is a freely available, open source mailing list management
software package. It is available for Unix, Linux, and Microsoft Windows
platforms.
A problem with Majordomo may allow remote users to gain access to
sensitive information.
It has been reported that Majordomo does not sufficiently guard list
subscriber information. By sending specific commands to a default
implementation, a remote user may be able to gain access to the list of
mailing list subscribers. This issue is documented in the Majordomo
documentation.
The problem is in the default configuration of the mailing list manager.
The software does not place sufficient access controls on the ability of
users to execute the which command. By sending the command "which @",
remote users may be able to list the entire member base of the list,
resulting in a loss of privacy.
It should be noted that in the Majordomo 2 branch, this vulnerability is
limited to gaining access to one address per submission per list.
17. Linux O_DIRECT Direct Input/Output Information Leak Vulnerability
BugTraq ID: 6763
Remote: No
Date Published: Feb 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6763
Summary:
The Linux Kernel is the core of the Linux operating system. It is
distributed by various Linux distributions.
A problem with the O_DIRECT flag could make it possible for local users to
gain access to potentially sensitive information.
It has been reported that some Linux kernels do not properly handle
O_DIRECT, the flag used for direct (unbuffered) input and output. Any local
user with write access to an affected file system may be able to read
limited information from other files.
This problem could allow a local user to read limited data from current
files, and may be able to read data from previously deleted files. The
ability of an attacker to exploit this issue at will is not known.
Additionally, exploitation could result in minor corruption of the file
system, which would require repair with the fsck utility.
It should be noted that this vulnerability cannot be exploited on systems
running a vulnerable kernel with the ext3 file system.
22. Epic Games Unreal Engine Memory Consumption Denial Of Service Vulnerability
BugTraq ID: 6770
Remote: Yes
Date Published: Feb 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6770
Summary:
Epic Games' Unreal Engine is a 3D game engine used by Unreal and many
other games.
A memory exhaustion vulnerability has been reported for several games
using some versions of the Unreal Engine.
The Unreal Engine includes a facility to provide networked gaming to its
users and uses a method known as 'Compact Indices' in an attempt to save
some network bandwidth. Unreal Engine allocates memory based on the index
value included in client-supplied packets. Due to inconsistent
interpretation of integers, it is possible for attackers to cause the
server to allocate large amounts of memory by sending a packet with a
negative index value.
This likely occurs because the maximum-index check is performed on the
index value as a signed integer, so a negative value passes the check and
is then used as a large unsigned allocation size.
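An added example covering both this item and the Bladeenc item (3) above, since they share a root cause: a length field from untrusted input is read as a signed 32-bit integer and checked only against an upper bound, so a negative value passes and then misbehaves as a seek offset (Bladeenc) or an allocation size (Unreal). This is illustrative Python, not code from either project; the chunk layout, the packet bytes and the size cap are constructed, and the Unreal "compact index" wire encoding is not reproduced because the advisory does not describe it:

```python
# Added example (neither Bladeenc nor Unreal Engine code): a 32-bit length
# field from untrusted input, read as signed, passes an upper-bound check
# while negative and then misbehaves as a seek offset or allocation size.
# Assumptions: the 8-byte "id + size" chunk layout, the sample bytes and
# MAX_CHUNK are constructed; the Unreal compact-index encoding is not shown.
import struct

MAX_CHUNK = 1 << 20   # constructed policy cap: 1 MiB per chunk or allocation


def chunk_size_signed(header):
    """Vulnerable pattern: signed read plus only a 'not too big' check."""
    size = struct.unpack_from("<i", header, 4)[0]
    if size > MAX_CHUNK:
        raise ValueError("chunk too large")
    return size                      # a negative value passes the check


def chunk_size_checked(header, remaining):
    """Fixed pattern: unsigned read, bounded by policy and by bytes left."""
    size = struct.unpack_from("<I", header, 4)[0]
    if size > MAX_CHUNK or size > remaining:
        raise ValueError("chunk size %d exceeds limits" % size)
    return size


def walk_chunks(data, checked):
    """Return (id, size) for each 8-byte header + payload in `data`.

    The cursor update stands in for the fseek() in an encoder; with the
    signed size read it can move backwards, the condition the Bladeenc
    advisory describes.
    """
    chunks, pos = [], 0
    while pos + 8 <= len(data):
        header = data[pos:pos + 8]
        ident = header[:4].decode("ascii", "replace")
        if checked:
            size = chunk_size_checked(header, len(data) - pos - 8)
        else:
            size = chunk_size_signed(header)
        chunks.append((ident, size))
        new_pos = pos + 8 + size
        if new_pos < pos + 8:
            raise ValueError("chunk size %d moves the cursor backwards" % size)
        pos = new_pos
    return chunks


def alloc_size_signed(raw_index):
    """Allocation variant: the signed check passes, then the value is
    handed to an allocator that takes an unsigned size."""
    idx = struct.unpack("<i", raw_index)[0]
    if idx > MAX_CHUNK:
        raise ValueError("index too large")
    return idx & 0xFFFFFFFF          # -16 becomes 4294967280 bytes


def alloc_size_checked(raw_index):
    """Fixed: range check on both ends before the value is used."""
    idx = struct.unpack("<i", raw_index)[0]
    if not 0 <= idx <= MAX_CHUNK:
        raise ValueError("index %d out of range" % idx)
    return idx


# Constructed inputs: a well-formed 16-byte chunk, one whose size field is
# 0xFFFFFFF0 (-16 when read as signed), and a packet index of -16.
GOOD_CHUNK = b"fmt " + struct.pack("<I", 16) + b"\x00" * 16
BAD_CHUNK = b"data" + struct.pack("<I", 0xFFFFFFF0) + b"\x00" * 8
BAD_INDEX = struct.pack("<i", -16)

if __name__ == "__main__":
    print("good chunk:", walk_chunks(GOOD_CHUNK, checked=True))
    for label, fn, args in (("signed walk", walk_chunks, (BAD_CHUNK, False)),
                            ("checked walk", walk_chunks, (BAD_CHUNK, True)),
                            ("signed alloc", alloc_size_signed, (BAD_INDEX,)),
                            ("checked alloc", alloc_size_checked, (BAD_INDEX,))):
        try:
            print("%-14s -> %r" % (label, fn(*args)))
        except ValueError as e:
            print("%-14s -> error: %s" % (label, e))
```

The fix in both cases is the same: read the field with the signedness the format actually defines (RIFF chunk sizes are unsigned), check it against the bytes that remain, and never let a value reach fseek() or an allocator that has only been compared against a maximum.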
There are currently no fixes available.