SecurityFocus
1. Geeklog HTML Attribute Cross Site Scripting Vulnerability
BugTraq ID: 5270
Remote: Yes
Date Published: Jul 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5270
Summary:
Geeklog is freely available, open-source weblog software. It is written in
PHP and will run on most Unix and Linux variants, as well as Microsoft
Windows NT/2000. Geeklog is backended by MySQL.
A cross site scripting vulnerability has been reported for Geeklog
1.3.5sr1. Reportedly, Geeklog does not properly sanitize user supplied
input before being included when posting comments or writing stories.
Geeklog makes efforts to sanitize some malicious user supplied input by
stripping out HTML elements that are used for scripting. However, Geeklog
does not properly remove HTML attributes that are used for the same
purpose.
It is possible for an attacker to include malicious HTML code using the
HTML attributes. As an example, if an attacker were to supply malicious
HTML code as part of an onMouseOver JavaScript event, the malicious code
would not be properly sanitized.
An attacker may construct a link containing dangerous HTML code and send
it to a vulnerable user. If a user of the site follows this link, the
script code will be rendered, and execute within the context of the
vulnerable site. It may be possible to access sensitive data such as
authentication credentials, or to take actions as a validated user on the
hosted forum.
This issue may potentially be exploited to hijack web content or steal
cookie-based authentication credentials from legitimate users.
2. Geeklog Email Composition CRLF Injection Vulnerability
BugTraq ID: 5271
Remote: Yes
Date Published: Jul 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5271
Summary:
Geeklog is freely available, open-source weblog software. It is written in
PHP and will run on most Unix and Linux variants, as well as Microsoft
Windows NT/2000. Geeklog is backended by MySQL.
A vulnerability has been reported for Geeklog that may allow an attacker
to include extra email headers when composing email to other Geeklog
users.
Geeklog prevents the disclosure of a user's real email address for privacy
reasons. However an attacker is able to obtain a user's real email address
by including extra headers when composing an email using Geeklog's 'Send
Email' facility.
It is possible for an attacker to include extra email header fields when
composing an email. An attacker does this by appending a CRLF sequence
followed by an email header field to the subject field.
An attacker can use this method to obtain a user's real email address.
9. PHP HTTP POST Incorrect MIME Header Parsing Vulnerability
BugTraq ID: 5278
Remote: Yes
Date Published: Jul 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5278
Summary:
PHP is a general purpose scripting language that is used for Web
development. It is available for various platforms including Linux and
Unix variants as well as Microsoft Windows operating systems.
A vulnerability has been reported for PHP versions 4.2.0 and 4.2.1. It is
possible for a remote attacker to cause the PHP interpreter to crash the
web server on a vulnerable system and execute malicious, attacker supplied
code.
The vulnerability is the result of the PHP interpreter incorrectly parsing
MIME headers when HTTP POST commands are received. When PHP receives a
malformed POST request, it generates an error condition that is improperly
handled.
When a HTTP POST command is received, a memory structure is appended to a
linked list of MIME headers. The memory allocated for this structure is
freed when the POST command is successful. When a malformed POST request
is made, an uninitialised memory structure is appended to the list of MIME
headers. Attempting to free this memory will have negative consequences
for a vulnerable system.
This vulnerability has different effects on different architectures. It
has been reported that PHP will crash when it tries to free the memory
structure on an IA32 (x86) architecture. The IA32 architecture has been
verified to be safe from the execution of arbitrary code. However, it is
still possible to crash PHP as well as the web server on vulnerable
systems.
It has also been reported that on Sparc architectures, an attacker may
have greater control about how memory is freed. Arbitrary code execution
on the Sparc architecture is possible.
An attacker may take advantage of this vulnerability to cause the PHP
interpreter to crash leading to a denial of service or cause the
vulnerable web server to execute malicious, attacker supplied code. It may
also be possible for the attacker to gain elevated privileges.
10. Pyramid BenHur Default Firewall Weakness
BugTraq ID: 5279
Remote: Yes
Date Published: Jul 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5279
Summary:
Pyramid BenHur is a firewall appliance. It is based on Debian Linux using
Linux kernel 2.2.x and ipchains firewalling capabilites.
A vulnerability has been reported for the BenHur device. Reportedly, the
device has a weak default firewall configuration ruleset. It is possible
for an attacker to connect to any port between 1024 and 65096 on the
device provided the source port is TCP port 20. This is due to a poorly
designed rule that was put in place to support FTP data connections.
Attackers may exploit this vulnerability to connect to potentially
sensitive/vulnerable ports on the device such as the administration port
(8888) or the the web proxy server.
11. PHP Interpreter Direct Invocation Denial Of Service Vulnerability
BugTraq ID: 5280
Remote: Yes
Date Published: Jul 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5280
Summary:
It is possible, under some circumstances, for remote attackers to invoke
the PHP interpreter from the web.
When PHP is installed with Apache, an alias/virtual path is created for
the PHP interpreter and this alias is used internally when a CGI path is
resolved. To prevent the interpreter from being invoked remotely for
malicious purposes the cgi.force_redirect directive was introduced, and it
is enabled by default. However, it is still possible to invoke the
interpreter by name without command line arguments from the web despite
the cgi.force_redirect directive.
When the interpreter is invoked with no command line options, it will
hang. Attackers may repeatedly request the PHP interpreter to cause a
denial of service via resource exhaustion.
This is reported to be a problem with PHP and Apache on Microsoft Windows
platforms. It may be possible to reproduce this condition in other
environments as well.
14. Multiple SSH Client Protocol Change Default Warning Weakness
BugTraq ID: 5284
Remote: Yes
Date Published: Jul 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5284
Summary:
A weakness has been reported in multiple SSH clients which may allow a
man-in-the-middle attack to occur. SSH servers commonly support
compatibility mode, which allows negotiation between the protocols SSH1
and SSH2 with a client when a connection is initiated.
SSH communication with a given server normally occurs using a given
protocol such as SSH2. A given client will record the server's public key.
If a new key is ever reported, the client software will report to the end
user that the event should be viewed with extreme suspicion.
However, if the server negotiates an SSH connection with a protocol such
as SSH1 which has not previously been used with a given client, the
displayed message will only report that a new key is being presented. The
fact that the host is already associated with a specific key under a
different protocol is not mentioned. The end user can not be expected to
understand the security implications of this event.
This may allow a man-in-the-middle attack to pass undetected by the client
user.
A similar attack may be possible based on the SSH2 negotiation for a MAC
algorithm. In this case, choosing an unusual algorithm may again fail to
produce a warning on the client system, allowing a man-in-the-middle
attack.
