Old 03-04-2003, 07:42 AM   #1
unSpawn
LQ weekly security rep - Tue Mar 04th 2003


Mar 7th 2003
11 issues handled (LAW)
php
slocate
sendmail
mhc
eterm
tcpdump
snort
openssl
tg3
squirrelmail
im

Mar 03rd 2003
2 issues handled (SANS)
DHS/NIPC Advisory 03-004 Remote Sendmail Header Processing Vulnerability
DHS/NIPC Advisory 03-003 Snort Buffer Overflow Vulnerability

Mar 03rd 2003
43 of 55 issues handled (ISS)
PHP-Nuke auth.php SQL injection
phpBB auth.php script file disclosure
MyGuestbook form.php HTML injection
MyGuestbook authentication cookie unauthorized
MyGuestbook user_modif.php allows attacker to
Nuked-Klan cross-site scripting in Team, News, and
Nuked-Klan information disclosure
Webmin and Usermin session ID spoofing root access
glFtpD username overwrite files
moxftp FTP welcome banner buffer overflow
GOsa PHP plugin variable file include
SIRCD reverse DNS lookup buffer overflow
glFtpD oneliners file modification could allow
Wihphoto sendphoto.php file disclosure
FreeBSD SYN cookie brute force attack
Mambo Site Server MD5 hash session ID could allow
QuickTime and Darwin Streaming Server parse_xml.cgi
QuickTime and Darwin Streaming Server RTSP DESCRIBE
QuickTime and Darwin Streaming Server MP3
Apache HTTP Server error log terminal escape
Multiple vendor terminal emulator screen dump file
Multiple vendor terminal emulator window title
Multiple vendor terminal emulator DEC UDK denial of
Multiple vendor terminal emulator menuBar
ClarkConnect clarkconnectd daemon information
Netscape Cascading Style-Sheet (CSS) overflow set
CuteNews shownews.php, search.php, and comments.php
VERITAS BMR for IBM TSM could allow root access to
nCipher could import duplicate keys
Apache HTTP Server MIME message boundaries
Opera "Enable Automatic Redirection" option cross-
AMX amx_say format string attack
AMX transmits rcon password in plain text
Ecartis password reset
tcpdump ISAKMP parsing denial of service
Invision Power Board ipchat.php file include
Sun Solaris ftp -d plaintext password
mhc-utils adb2mhc creates an insecure temporary
WEB-ERP logicworks.ini unauthorized configuration
PY-Livredor guest book field cross-site scripting

(old, just in case someone noticed me skipping it)
Feb 28th 2003
21 issues handled (LAW)
slocate
nanog
tcpdump
kde
openssl
WebTool
syncookie
webmin
apcupsd
tightvnc
vnc
vte
hypermail
libmcrypt
openldap
mysql
postgresql
initscripts
krb5
lynx
shadow-utils

Last edited by unSpawn; 03-09-2003 at 11:30 AM.
 
Old 03-04-2003, 07:43 AM   #2
unSpawn
Feb 28th 2003 (LAW)

Linux Advisory Watch

Package: slocate
Date: 02-21-2003
Description:
A problem has been discovered in slocate, a secure locate replacement. A
buffer overflow in the setuid program slocate can be used to execute
arbitrary code as superuser.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2880.html

Package: nanog
Date: 02-27-2003
Description:
A vulnerability has been discovered in NANOG traceroute, an enhanced
version of the Van Jacobson/BSD traceroute program. A buffer overflow
occurs in the 'get_origin()' function. Due to insufficient bounds
checking performed by the whois parser, it may be possible to corrupt
memory on the system stack. This vulnerability can be exploited by a
remote attacker to gain root privileges on a target host. Though, most
probably not in Debian.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2906.html

Package: tcpdump
Date: 02-27-2003
Description:
Andrew Griffiths and iDEFENSE Labs discovered a problem in tcpdump, a
powerful tool for network monitoring and data acquisition. An attacker is
able to send a specially crafted network packet which causes tcpdump to
enter an infinite loop.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2909.html

Package: kde
Date: 02-20-2003
Description:
This is a full update of the KDE desktop to the 3.0.5a version, the latest
3.0.x release from the KDE project[1]. Besides containing several bugfixes
and enhancements, this update also fixes several security
vulnerabilities[2] found during an internal code audit organized by the
KDE team.
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2879.html

Package: openssl
Date: 02-21-2003
Description:
Vulnerable[2][3] openssl versions do not perform a MAC computation if an
incorrect block cipher padding is used. An active attacker who can insert
data into an existing encrypted connection is then able to measure time
differences between the error messages the server sends. This information
can make it easier to launch cryptographic attacks that rely on
distinguishing between padding and MAC verification errors, possibly
leading to extraction of the original plaintext.
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2893.html
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2887.html
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2903.html
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2904.html
Trustix Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2885.html
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2896.html

Package: WebTool
Date: 02-21-2003
Description:
Keigo Yamazaki discovered a vulnerability in miniserv.pl (the webserver
program at the core of the WebTool) which may allow an attacker to spoof a
session ID by including special metacharacters in the BASE64 encoded
string used during the authentication process. This may allow a remote
attacker to gain full administrative privileges over the WebTool. All
users are recommended to upgrade immediately.
EnGarde Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2898.html

Package: syncookie
Date: 02-24-2003
Description:
Once a syncookie key has been recovered, an attacker may construct valid
ISNs until the key is rotated (typically up to four seconds). The ability
to construct a valid ISN may be used to spoof a TCP connection in exactly
the same way as in the well-known ISN prediction attacks (see
`References'). Spoofing may allow an attacker to bypass IP-based access
control lists such as those implemented by tcp_wrappers and many
firewalls. Similarly, SMTP and other connections may be forged,
increasing the difficulty of tracing abusers. Recovery of a syncookie key
will also allow the attacker to reset TCP connections initiated within the
same 31.25ms window.
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2888.html

Package: webmin
Date: 02-22-2003
Description:
Due to a remotely exploitable security hole being discovered that affects
all previous Webmin releases, version 1.070 is now available for download.
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2886.html
http://www.linuxsecurity.com/advisor...sory-2890.html
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2908.html

Package: apcupsd
Date: 02-22-2003
Description:
A remote root vulnerability in slave setups and some buffer overflows in
the network information server code were discovered by the apcupsd
developers.
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2889.html

Package: tightvnc
Date: 02-24-2003
Description:
The VNC server acts as an X server, but the script for starting it
generates an MIT X cookie (which is used for X authentication) without
using a strong enough random number generator. This could allow an
attacker to be able to more easily guess the authentication cookie.
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2891.html

Package: vnc
Date: 02-24-2003
Description:
The VNC server acts as an X server, but the script for starting it
generates an MIT X cookie (which is used for X authentication) without
using a strong enough random number generator. This could allow an
attacker to be able to more easily guess the authentication cookie.
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2892.html
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2894.html
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2900.html

Package: vte
Date: 02-24-2003
Description:
One feature that most terminal emulators support is the ability for the
shell to set the title of the window using an escape sequence. Certain
xterm variants also provide an escape sequence for reporting the current
window title. This essentially takes the current title and places it
directly on the command line. This feature could be potentially exploited
if an attacker can cause carefully crafted escape sequences to be
displayed on a vulnerable terminal emulator used by their victim.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2901.html

Package: hypermail
Date: 02-24-2003
Description:
During an internal source code review done by Thomas Biege several bugs
were found in hypermail and its tools. These bugs allow remote code
execution, local tmp race conditions, denial-of-service conditions and
read access to files belonging to the host hypermail is running on.
Additionally the mail CGI program can be abused by spammers as email-relay
and should thus be disabled.
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2905.html

Package: libmcrypt
Date: 02-26-2003
Description:
Versions of libmcrypt prior to 2.5.5 include several buffer overflows that
can be triggered by passing very long input to the mcrypt functions.
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2902.html

Package: openldap
Date: 02-20-2003
Description:
Several minor security issues were fixed in the new upstream version
1.2.13
Trustix Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2882.html

Package: mysql
Date: 02-20-2003
Description:
The new upstream version of mysql, 3.23.55, included several minor
security fixes.
Trustix Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2883.html

Package: postgresql
Date: 02-20-2003
Description:
The new upstream version of postgresql, 7.1.3, included several minor
security fixes.
Trustix Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2884.html

Package: initscripts
Date: 02-20-2003
Description:
A dependency loop exists between several packages including initscripts,
pam and SysVinit, that causes the installer to complain. This update
removes the loop, as it was not needed.
Trustix Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2881.html

Package: krb5
Date: 02-21-2003
Description:
A vulnerability was discovered in the Kerberos FTP client. When the
client retrieves a file that has a filename beginning with a pipe
character, the FTP client will pass that filename to the command shell in
a system() call. This could allow a malicious remote FTP server to write
to files outside of the current directory or even execute arbitrary
commands as the user using the FTP client.
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2895.html

Package: lynx
Date: 02-21-2003
Description:
A vulnerability was discovered in lynx, a text-mode web browser. The HTTP
queries that lynx constructs are from arguments on the command line or the
$WWW_HOME environment variable, but lynx does not properly sanitize
special characters such as carriage returns or linefeeds. Extra headers
can be inserted into the request because of this, which can cause scripts
that use lynx to fetch data from the wrong site from servers that use
virtual hosting.
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2899.html

Package: shadow-utils
Date: 02-21-2003
Description:
The shadow-utils package contains the tool useradd, which is used to
create or update new user information. When useradd creates an account, it
would create it with improper permissions; instead of having it owned by
the group mail, it would be owned by the user's primary group. If this is
a shared group (ie. "users"), then all members of the shared group would
be able to obtain access to the mail spools of other members of the same
group. A patch to useradd has been applied to correct this problem.
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2907.html
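
The vte advisory in the post above turns on escape sequences in displayed text being interpreted by the terminal. The following is an added example, not part of the original post or of any vendor's code: a filter that strips terminal control sequences from untrusted text before it is shown. The function names and sample lines are constructed for illustration.

```python
import re

# Control-sequence families from ECMA-48 / xterm, in 7-bit (ESC x) and 8-bit
# C1 forms. Order matters: the generic ESC rule must be tried last.
_PATTERNS = [
    # OSC (operating system command, e.g. window title): ends at BEL or ST.
    # The terminator is optional so an unterminated OSC is removed as well.
    ("OSC", r"(?:\x1b\]|\x9d)[^\x07\x1b\x9c]*(?:\x07|\x1b\\|\x9c)?"),
    # DCS (device control string): ends at ST.
    ("DCS", r"(?:\x1bP|\x90)[^\x1b\x9c]*(?:\x1b\\|\x9c)?"),
    # CSI: parameter bytes, intermediate bytes, one final byte.
    ("CSI", r"(?:\x1b\[|\x9b)[0-?]*[ -/]*[@-~]"),
    # Any other ESC + intermediates + final byte.
    ("ESC", r"\x1b[ -/]*[0-~]"),
]
_SEQ = re.compile("|".join(f"(?P<{name}>{pat})" for name, pat in _PATTERNS))

# Control characters left over after sequence removal. Tab and newline are
# kept; everything else (including a lone ESC and CR) is made visible.
_CTRL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def scan(text):
    """Return (kind, raw_sequence) for every control sequence in text."""
    return [(m.lastgroup, m.group(0)) for m in _SEQ.finditer(text)]


def sanitize(text):
    """Remove control sequences, then render stray control bytes as \\xNN."""
    stripped = _SEQ.sub("", text)
    return _CTRL.sub(lambda m: "\\x%02x" % ord(m.group(0)), stripped)


# Constructed sample input (not taken from any real log).
SAMPLE_LINES = [
    "[error] File does not exist: /var/www/\x1b]0;constructed title\x07index.html",
    "[error] request failed: \x1b[31mred text\x1b[0m",
    "[notice] plain line with a tab\there",
    "[error] dcs:\x1bPconstructed\x1b\\:end",
    "truncated \x1b",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        kinds = [kind for kind, _ in scan(line)]
        print(f"{kinds!s:<16} {sanitize(line)}")
```

Piping untrusted files through a filter like this (or a pager that does not pass raw control characters) keeps the terminal from acting on anything embedded in them.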
 
Old 03-04-2003, 07:45 AM   #3
unSpawn
Mar 03rd 2003 (ISS)

Internet Security Systems

Date Reported: 02/18/2003
Brief Description: PHP-Nuke auth.php SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, PHP-Nuke 5.6, PHP-Nuke 6.0
Vulnerability: phpnuke-auth-sql-injection
X-Force URL: http://www.iss.net/security_center/static/11385.php

Date Reported: 02/18/2003
Brief Description: phpBB auth.php script file disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, phpBB 1.4.x
Vulnerability: phpbb-auth-read-files
X-Force URL: http://www.iss.net/security_center/static/11407.php

Date Reported: 02/21/2003
Brief Description: MyGuestbook form.php HTML injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, MyGuestbook 3.0
Vulnerability: myguestbook-form-html-injection
X-Force URL: http://www.iss.net/security_center/static/11391.php

Date Reported: 02/21/2003
Brief Description: MyGuestbook authentication cookie unauthorized
access
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, MyGuestbook 3.0
Vulnerability: myguestbook-cookie-unauth-access
X-Force URL: http://www.iss.net/security_center/static/11392.php

Date Reported: 02/21/2003
Brief Description: MyGuestbook user_modif.php allows attacker to
modify data
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, MyGuestbook 3.0
Vulnerability: myguestbook-usermodif-modify-data
X-Force URL: http://www.iss.net/security_center/static/11393.php

Date Reported: 02/21/2003
Brief Description: Nuked-Klan cross-site scripting in Team, News, and
Liens modules
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Nuked-Klan b1.3 and earlier
Vulnerability: nuked-klan-team-xss
X-Force URL: http://www.iss.net/security_center/static/11420.php

Date Reported: 02/21/2003
Brief Description: Nuked-Klan information disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Nuked-Klan b1.3 and earlier
Vulnerability: nukedklan-information-disclosure
X-Force URL: http://www.iss.net/security_center/static/11424.php

Date Reported: 02/22/2003
Brief Description: Webmin and Usermin session ID spoofing root access
Risk Factor: High
Attack Type: Network Based
Platforms: Unix Any version, Mandrake Linux 7.2, Mandrake
Linux 8.0, Mandrake Single Network Firewall 7.2,
Mandrake Linux 8.1, Mandrake Linux 8.2, Gentoo
Linux Any version, Mandrake Linux 9.0, Webmin prior
to 1.070, Usermin prior to 1.000
Vulnerability: webmin-usermin-root-access
X-Force URL: http://www.iss.net/security_center/static/11390.php

Date Reported: 02/23/2003
Brief Description: glFtpD username overwrite files
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, FreeBSD Any
version, glFtpD 1.28 and earlier
Vulnerability: glftpd-username-file-overwrite
X-Force URL: http://www.iss.net/security_center/static/11396.php

Date Reported: 02/23/2003
Brief Description: moxftp FTP welcome banner buffer overflow
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, FreeBSD Ports Collection Any
version, moxftp 2.2
Vulnerability: moxftp-welcome-banner-bo
X-Force URL: http://www.iss.net/security_center/static/11399.php

Date Reported: 02/23/2003
Brief Description: GOsa PHP plugin variable file include
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, GOsa 1.0.0
Vulnerability: gosa-plugin-file-include
X-Force URL: http://www.iss.net/security_center/static/11408.php

Date Reported: 02/23/2003
Brief Description: SIRCD reverse DNS lookup buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, Windows NT
Any version, Windows 2000 Any version, FreeBSD
Ports Collection Any version, SIRCD 0.4.0, SIRCD
0.4.4
Vulnerability: sircd-reverse-dns-bo
X-Force URL: http://www.iss.net/security_center/static/11409.php

Date Reported: 02/23/2003
Brief Description: glFtpD oneliners file modification could allow
unauthorized root privileges
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, FreeBSD Any
version, glFtpD 1.28 and earlier
Vulnerability: glftpd-oneliners-root-privileges
X-Force URL: http://www.iss.net/security_center/static/11410.php

Date Reported: 02/23/2003
Brief Description: Wihphoto sendphoto.php file disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Unix Any version, Wihphoto 0.86-dev
Vulnerability: wihphoto-sendphoto-file-disclosure
X-Force URL: http://www.iss.net/security_center/static/11429.php

Date Reported: 02/24/2003
Brief Description: FreeBSD SYN cookie brute force attack
Risk Factor: Low
Attack Type: Network Based
Platforms: FreeBSD 4.7-STABLE, FreeBSD 5.0-RELEASE, FreeBSD
4.5-RELEASE, FreeBSD 4.6-RELEASE, FreeBSD 4.7-
RELEASE
Vulnerability: freebsd-syncookie-brute-force
X-Force URL: http://www.iss.net/security_center/static/11397.php

Date Reported: 02/24/2003
Brief Description: Mambo Site Server MD5 hash session ID could allow
elevated privileges
Risk Factor: High
Attack Type: Network Based
Platforms: lftpd Any version, Linux Any version, Solaris Any
version, Windows Any version, Mac OS X Any version,
Mambo Site Server 4.0.12 RC2
Vulnerability: mambo-sessionid-gain-privileges
X-Force URL: http://www.iss.net/security_center/static/11398.php

Date Reported: 02/24/2003
Brief Description: QuickTime and Darwin Streaming Server parse_xml.cgi
command execution
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, Windows Any
version, Mac OS X Server 10.2, Mac OS X Server
10.2.1, Mac OS X Server 10.2.2, Mac OS X Server
10.2.3, QuickTime Streaming Server 4.1.1, Darwin
Streaming Server 4.1.2
Vulnerability: quicktime-darwin-command-execution
X-Force URL: http://www.iss.net/security_center/static/11401.php

Date Reported: 02/24/2003
Brief Description: QuickTime and Darwin Streaming Server parse_xml.cgi
path disclosure
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, Windows Any
version, Mac OS X Server 10.2, Mac OS X Server
10.2.1, Mac OS X Server 10.2.2, Mac OS X Server
10.2.3, QuickTime Streaming Server 4.1.1, Darwin
Streaming Server 4.1.2
Vulnerability: quicktime-darwin-path-disclosure
X-Force URL: http://www.iss.net/security_center/static/11402.php

Date Reported: 02/24/2003
Brief Description: QuickTime and Darwin Streaming Server parse_xml.cgi
directory disclosure
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, Windows Any
version, Mac OS X Server 10.2, Mac OS X Server
10.2.1, Mac OS X Server 10.2.2, Mac OS X Server
10.2.3, QuickTime Streaming Server 4.1.1, Darwin
Streaming Server 4.1.2
Vulnerability: quicktime-darwin-directory-disclosure
X-Force URL: http://www.iss.net/security_center/static/11403.php

Date Reported: 02/24/2003
Brief Description: QuickTime and Darwin Streaming Server parse_xml.cgi
cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, Windows Any
version, Mac OS X Server 10.2, Mac OS X Server
10.2.1, Mac OS X Server 10.2.2, Mac OS X Server
10.2.3, QuickTime Streaming Server 4.1.1, Darwin
Streaming Server 4.1.2
Vulnerability: quicktime-darwin-parsexml-xss
X-Force URL: http://www.iss.net/security_center/static/11404.php

Date Reported: 02/24/2003
Brief Description: QuickTime and Darwin Streaming Server RTSP DESCRIBE
cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Solaris Any version, Windows Any
version, Mac OS X Server 10.2, Mac OS X Server
10.2.1, Mac OS X Server 10.2.2, Mac OS X Server
10.2.3, QuickTime Streaming Server 4.1.1, Darwin
Streaming Server 4.1.2
Vulnerability: quicktime-darwin-describe-xss
X-Force URL: http://www.iss.net/security_center/static/11405.php

Date Reported: 02/24/2003
Brief Description: QuickTime and Darwin Streaming Server MP3
broadcasting buffer overflow
Risk Factor: High
Attack Type: Host Based / Network Based
Platforms: Linux Any version, Solaris Any version, Windows Any
version, Mac OS X Server 10.2, Mac OS X Server
10.2.1, Mac OS X Server 10.2.2, Mac OS X Server
10.2.3, QuickTime Streaming Server 4.1.1, Darwin
Streaming Server 4.1.2
Vulnerability: quicktime-darwin-mp3-bo
X-Force URL: http://www.iss.net/security_center/static/11406.php

Date Reported: 02/24/2003
Brief Description: Apache HTTP Server error log terminal escape
sequence injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Apache HTTP Server Any version
Vulnerability: apache-esc-seq-injection
X-Force URL: http://www.iss.net/security_center/static/11412.php

Date Reported: 02/24/2003
Brief Description: Multiple vendor terminal emulator screen dump file
overwrite
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms: BSD Any version, Linux Any version, Unix Any
version, Eterm 0.9.1 and earlier, rxvt 2.7.8
Vulnerability: terminal-emulator-screen-dump
X-Force URL: http://www.iss.net/security_center/static/11413.php

Date Reported: 02/24/2003
Brief Description: Multiple vendor terminal emulator window title
command execution
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms: BSD Any version, Linux Any version, Windows Any
version, Unix Any version, Eterm 0.9.1 and earlier,
rxvt 2.7.8, XFree86 4.2.0, dtterm Any version,
uxterm Any version, aterm 0.4.2, PuTTY 0.53, gnome-
terminal 2.0.2, hanterm-xf 2.0
Vulnerability: terminal-emulator-window-title
X-Force URL: http://www.iss.net/security_center/static/11414.php

Date Reported: 02/24/2003
Brief Description: Multiple vendor terminal emulator DEC UDK denial of
service
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms: Linux Any version, Unix Any version, XFree86 4.2.0,
hanterm-xf 2.0
Vulnerability: terminal-emulator-dec-udk
X-Force URL: http://www.iss.net/security_center/static/11415.php

Date Reported: 02/24/2003
Brief Description: Multiple vendor terminal emulator menuBar
modification command execution
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms: Linux Any version, Unix Any version, rxvt 2.7.8,
aterm 0.4.2
Vulnerability: terminal-emulator-menu-modification
X-Force URL: http://www.iss.net/security_center/static/11416.php

Date Reported: 02/24/2003
Brief Description: ClarkConnect clarkconnectd daemon information
disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: ClarkConnect 1.2, Linux Any version
Vulnerability: clarkconnect-clarkconnectd-info-disclosure
X-Force URL: http://www.iss.net/security_center/static/11419.php

Date Reported: 02/24/2003
Brief Description: Netscape Cascading Style-Sheet (CSS) overflow set
to scroll denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Netscape 7.0, Netscape 6.0
Vulnerability: netscape-css-overflow-dos
X-Force URL: http://www.iss.net/security_center/static/11433.php

Date Reported: 02/25/2003
Brief Description: CuteNews shownews.php, search.php, and comments.php
file include
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, CuteNews .088
Vulnerability: cutenews-php-file-include
X-Force URL: http://www.iss.net/security_center/static/11417.php

Date Reported: 02/25/2003
Brief Description: VERITAS BMR for IBM TSM could allow root access to
BMR Main Server
Risk Factor: High
Attack Type: Network Based
Platforms: Windows NT Any version, AIX 4.2.1, Solaris 2.6, HP-
UX 11.00, HP-UX 10.20, Solaris 7, AIX 4.3, AIX
4.3.2, Solaris 8, Windows 2000 Server, HP-UX 11.11,
Windows 2000 Advanced Server, AIX 5.1, AIX 4.3.3,
Windows 2000 Professional, AIX 4.3.1, VERITAS Bare
Metal Restore for TSM 3.1.0, VERITAS Bare Metal
Restore for TSM 3.1.1, VERITAS Bare Metal Restore
for TSM 3.2.0, VERITAS Bare Metal Restore for TSM
3.2.1, AIX 4.3.3.10
Vulnerability: veritas-bmr-root-access
X-Force URL: http://www.iss.net/security_center/static/11418.php

Date Reported: 02/25/2003
Brief Description: nCipher could import duplicate keys
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms: Linux Any version, Windows NT 4.0, Solaris 2.6, HP-
UX 11.00, HP-UX 10.20, Solaris 7, Windows 2000 Any
version, AIX 4.3.3, AIX 5L, nCipher support
software prior to 7.00
Vulnerability: ncipher-duplicate-keys
X-Force URL: http://www.iss.net/security_center/static/11422.php

Date Reported: 02/25/2003
Brief Description: Apache HTTP Server MIME message boundaries
information disclosure
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, OpenBSD 3.2, Apache HTTP Server 1.3.22 -
1.3.27
Vulnerability: apache-mime-information-disclosure
X-Force URL: http://www.iss.net/security_center/static/11438.php

Date Reported: 02/26/2003
Brief Description: Opera "Enable Automatic Redirection" option cross-
site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Opera 7.02,
Opera 6.x
Vulnerability: opera-automatic-redirection-xss
X-Force URL: http://www.iss.net/security_center/static/11423.php

Date Reported: 02/26/2003
Brief Description: AMX amx_say format string attack
Risk Factor: High
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, AMX 0.9.2
and earlier
Vulnerability: amx-amxsay-format-string
X-Force URL: http://www.iss.net/security_center/static/11427.php

Date Reported: 02/26/2003
Brief Description: AMX transmits rcon password in plain text
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, AMX 0.9.2
and earlier
Vulnerability: amx-rcon-password-plaintext
X-Force URL: http://www.iss.net/security_center/static/11428.php

Date Reported: 02/27/2003
Brief Description: Ecartis password reset
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, Unix Any version, Ecartis 1.0.0
Vulnerability: ecartis-password-reset
X-Force URL: http://www.iss.net/security_center/static/11431.php

Date Reported: 02/27/2003
Brief Description: tcpdump ISAKMP parsing denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Linux Any version, FreeBSD Any version, Debian
Linux 3.0, tcpdump 3.7.1, tcpdump 3.6.3
Vulnerability: tcpdump-isakmp-dos
X-Force URL: http://www.iss.net/security_center/static/11434.php

Date Reported: 02/27/2003
Brief Description: Invision Power Board ipchat.php file include
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, Invision Power Board 1.1.1
Vulnerability: invision-ipchat-file-include
X-Force URL: http://www.iss.net/security_center/static/11435.php

Date Reported: 02/27/2003
Brief Description: Sun Solaris ftp -d plaintext password
Risk Factor: Medium
Attack Type: Host Based
Platforms: Solaris 2.6, Solaris 7, Solaris 8
Vulnerability: solaris-ftp-plaintext-password
X-Force URL: http://www.iss.net/security_center/static/11436.php

Date Reported: 02/28/2003
Brief Description: mhc-utils adb2mhc creates an insecure temporary
directory
Risk Factor: Medium
Attack Type: Host Based
Platforms: Debian Linux 3.0, mhc-utils Any version
Vulnerability: mhc-adb2mhc-insecure-tmp
X-Force URL: http://www.iss.net/security_center/static/11439.php

Date Reported: 02/28/2003
Brief Description: WEB-ERP logicworks.ini unauthorized configuration
access
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Windows NT Any
version, Windows 2000 Any version, Windows XP Any
version, WEB-ERP 0.1.4 and prior
Vulnerability: weberp-logicworks-ini-access
X-Force URL: http://www.iss.net/security_center/static/11443.php

Date Reported: 03/02/2003
Brief Description: PY-Livredor guest book field cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Windows Any version, Unix Any
version, PY-Livredor 1.0
Vulnerability: pylivredor-guestbook-xss
X-Force URL: http://www.iss.net/security_center/static/11448.php
 
Old 03-04-2003, 07:46 AM   #4
unSpawn
Mar 03rd 2003 (SANS Alert 2003-03-03)

SANS

DHS/NIPC Advisory 03-004 Remote Sendmail Header Processing Vulnerability
Remote Sendmail Header Processing Vulnerability


SUMMARY:
The Department of Homeland Security (DHS), National Infrastructure
Protection Center (NIPC) is issuing this advisory to heighten
awareness of the recently discovered Remote Sendmail Header Processing
Vulnerability (CAN-2002-1337). NIPC has been working closely with
the industry on vulnerability awareness and information dissemination.

The Remote Sendmail Header Processing Vulnerability allows local and
remote users to gain almost complete control of a vulnerable Sendmail
server. Attackers gain the ability to execute privileged commands using
super-user (root) access/control. This vulnerability can be exploited
through a simple e-mail message containing malicious code. Sendmail is
the most commonly used Mail Transfer Agent and processes an estimated
50 to 75 percent of all Internet e-mail traffic. System administrators
should be aware that many Sendmail servers are not typically shielded
by perimeter defense applications. A successful attacker could install
malicious code, run destructive programs and modify or delete files.

Additionally, attackers may gain access to other systems
thru a compromised Sendmail server, depending on local
configurations. Sendmail versions 5.2 up to 8.12.8 are known to be
vulnerable at this time.

DESCRIPTION:
The Remote Sendmail Header Processing Vulnerability is exploited
during the processing and evaluation of e-mail header fields collected
during an SMTP transaction. Examples of these header fields are the
"To", "From" and "CC" lines. The crackaddr() function in the Sendmail
headers.c file allows Sendmail to evaluate whether a supplied address
or list of addresses contained in the header fields is valid. Sendmail
uses a static buffer to store processed data. It detects when the
static buffer becomes full and stops adding characters. However,
Sendmail continues processing data and several security checks are
used to ensure that characters are parsed correctly. The vulnerability
allows a remote attacker to gain access to the Sendmail server by
sending an e-mail containing a specially crafted address field which
triggers a buffer overflow.

RECOMMENDATION:
Due to the seriousness of this vulnerability, the NIPC is strongly
recommending that system administrators who employ Sendmail take this
opportunity to review the security of their Sendmail software and to
either upgrade to Sendmail 8.12.8 or apply the appropriate patch for
older versions as soon as possible.
Patches for the vulnerability are available from Sendmail, from ISS who
discovered the vulnerability and from vendors whose applications
incorporate Sendmail code, including IBM, HP, SUN, Apple and SGI. Other
vendors will release patches in the near future.
The primary distribution site for Sendmail is: http://www.sendmail.org
Patches and information are also available from the following sites:
The ISS Download center http://www.iss.net/download
IBM Corporation http://www.ibm.com/support/us/
Hewlett-Packard, Co. http://www.hp.com
Silicon Graphics Inc. http://www.sgigate.sgi.com
Apple Computer, Inc. http://www.apple.com/
Sun Microsystems, Inc. http://www.sun.com/service/support/
Common Vulnerabilities and Exposures (CVE) Project http://CVE.mitre.org

As always, computer users are advised to keep their anti-virus and
systems software current by checking their vendor's web sites frequently
for new updates and to check for alerts put out by the DHS/NIPC,
CERT/CC, ISS and other cognizant organizations. The DHS/NIPC encourages
recipients of this advisory to report computer intrusions to their local
FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other appropriate
authorities. Recipients may report incidents online to
http://www.nipc.gov/incident/cirr.htm. The DHS/NIPC Watch and Warning
Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov.

DHS/NIPC Advisory 03-003 Snort Buffer Overflow Vulnerability

The Department of Homeland Security (DHS), National Infrastructure
Protection Center (NIPC) has been informed of a recently discovered
serious vulnerability in Snort, a widely used Intrusion Detection
System, IDS. DHS/NIPC has been working closely with the Internet
security industry on vulnerability awareness and is issuing this
advisory in conjunction with public announcements.

Snort is available in open source and commercial versions from
Sourcefire, a privately held company headquartered in Columbia, MD.
Details are available from Sourcefire. See Snort Vulnerability
Advisory [SNORT-2003-001]. The affected Snort versions include all
versions of Snort from version 1.8 through current. Snort 1.9.1 has
been released to resolve this issue.

The vulnerability was discovered by Internet Security Systems (ISS),
and is a buffer overflow in the Snort Remote Procedure Call, RPC,
normalization routines. This buffer overflow can cause snort to
execute arbitrary code embedded within sniffed network packets.
Depending upon the particular implementation of Snort this may give
local and remote users almost complete control of a vulnerable machine.
The vulnerability is enabled by default. Mitigation instructions
for immediate protections prior to installing patches or upgrading
are described in the Snort Vulnerability Advisory.

Due to the seriousness of this vulnerability, the DHS/NIPC strongly
recommends that system administrators or security managers who employ
Snort take this opportunity to review their security procedures and
patch or upgrade software with known vulnerabilities.

Sourcefire has acquired additional bandwidth and hosting to aid users
wishing to upgrade their Snort implementation. Future information
can be found at:
http://www.sourcefire.com/

As always, computer users are advised to keep their anti-virus
and systems software current by checking their vendor's web sites
frequently for new updates and to check for alerts put out by the
DHS/NIPC, CERT/CC, ISS and other cognizant organizations. The DHS/NIPC
encourages recipients of this advisory to report computer intrusions to
their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other
appropriate authorities. Recipients may report incidents online to
http://www.nipc.gov/incident/cirr.htm. The DHS/NIPC Watch and Warning
Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov.
 
Old 03-09-2003, 11:31 AM   #5
unSpawn
Mar 7th 2003 (LAW)

Linux Advisory Watch

Package: php
Date: 03-04-2003
Description:
Two vulnerabilities exist in the mail() PHP function. The first one
allows execution of any program/script, bypassing the safe_mode
restriction. The second one may allow an open-relay if the mail() function
is not carefully used in PHP scripts.
Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2931.html

Package: slocate
Date: 03-06-2003
Description:
The proper solution is to install the latest packages. Many customers
find it easier to use the Caldera System Updater, called cupdate (or
kcupdate under the KDE environment), to update these packages rather
than downloading and installing them by hand.
Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2931.html

Package: sendmail
Date: 03-03-2003
Description:
This vulnerability can be exploited by creating and sending to a
vulnerable sendmail server a carefully crafted email message. This
message will trigger the vulnerability and arbitrary commands can be
executed with administrative privileges.
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2913.html
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2918.html
http://www.linuxsecurity.com/advisor...sory-2932.html
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2919.html
http://www.linuxsecurity.com/advisor...sory-2930.html
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2920.html
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2916.html
NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2922.html
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2914.html
Slackware Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2923.html
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2915.html
YellowDog Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2935.html

Package: mhc
Date: 02-28-2003
Description:
It has been discovered that adb2mhc from the mhc-utils package uses a
default temporary directory with a predictable name. This adds a
vulnerability that allows a local attacker to overwrite arbitrary
files the user has write permissions for.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2910.html

Package: eterm
Date: 03-03-2003
Description:
Many of the features supported by popular terminal emulator software
can be abused when un-trusted data is displayed on the screen. The
impact of this abuse can range from annoying screen garbage to a
complete system compromise. All of the issues below are actually
documented features; anyone who takes the time to read over the man
pages or source code could use them to carry out an attack.
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2911.html
http://www.linuxsecurity.com/advisor...sory-2912.html

Package: tcpdump
Date: 03-05-2003
Description:
A vulnerability exists in the parsing of ISAKMP packets (UDP port
500) that allows an attacker to force TCPDUMP into an infinite loop
upon receipt of a specially crafted packet.
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2933.html
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2917.html

Package: snort
Date: 03-06-2003
Description:
Remote attackers may exploit the buffer overflow condition to run
arbitrary code on a Snort sensor with the privileges of the Snort IDS
process, which typically runs as the superuser. The vulnerable
preprocessor is enabled by default. It is not necessary to establish
an actual connection to a RPC portmapper service to exploit this
vulnerability.
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2936.html

Package: openssl
Date: 03-06-2003
Description:
Block cipher padding errors and MAC verification errors were handled
differently in the SSL/TLS parts of the OpenSSL library. This leaks
information in the case of incorrect SSL streams and allows for an
adaptive timing attack.
NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2921.html
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2939.html

Package: tg3
Date: 03-03-2003
Description:
Updated kernel packages for Red Hat Linux 7.1, 7.2, 7.3, and 8.0 are
now available that fix a deadlock with the tg3 driver on certain
revisions of the Broadcom 570x gigabit ethernet series.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2934.html

Package: squirrelmail
Date: 03-06-2003
Description:
SquirrelMail is a webmail package written in PHP. Two
vulnerabilities have been found that affect versions of SquirrelMail
shipped with Red Hat Linux 8.0.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2937.html

Package: im
Date: 03-06-2003
Description:
A vulnerability has been discovered by Tatsuya Kinoshita in the way
two IM utilities create temporary files. By anticipating the names
used to create files and directories stored in /tmp, it may be
possible for a local attacker to corrupt or modify data as another
user.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-2938.html
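
The predictable temporary-name problem described in the mhc and im entries above, shown as an added example that is not part of the original post or of either package's code. It contrasts a writer that trusts a fixed name with two that create the file exclusively; the file name `app-scratch.tmp` and the private sandbox directory standing in for a shared /tmp are assumptions constructed for the demonstration.

```python
import os
import shutil
import tempfile

NAME = "app-scratch.tmp"  # hypothetical fixed name that can be anticipated

def naive_write(tmpdir, data):
    """Unsafe: guessable name, and open() follows whatever already sits there."""
    path = os.path.join(tmpdir, NAME)
    with open(path, "w") as fh:
        fh.write(data)
    return path

def exclusive_write(tmpdir, data):
    """Same name, but O_EXCL refuses any existing entry, symlinks included."""
    path = os.path.join(tmpdir, NAME)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path

def random_write(tmpdir, data):
    """Preferred: mkstemp picks an unpredictable name and creates it exclusively."""
    fd, path = tempfile.mkstemp(prefix="app-", dir=tmpdir)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path

def demo():
    """Exercise each writer in a sandbox where the fixed name is already taken."""
    sandbox = tempfile.mkdtemp()  # private directory standing in for shared /tmp
    victim = os.path.join(sandbox, "other-users-file")  # constructed sample file
    link = os.path.join(sandbox, NAME)
    try:
        with open(victim, "w") as fh:
            fh.write("important")
        os.symlink(victim, link)  # pre-existing entry at the anticipated name
        naive_write(sandbox, "scratch")
        with open(victim) as fh:
            clobbered = fh.read() == "scratch"
        try:
            exclusive_write(sandbox, "scratch")
            refused = False
        except FileExistsError:
            refused = True
        path = random_write(sandbox, "scratch")
        return {"naive_clobbered": clobbered, "exclusive_refused": refused,
                "random_is_new_file": path != link and not os.path.islink(path)}
    finally:
        shutil.rmtree(sandbox)

if __name__ == "__main__":
    print(demo())
```

For a whole scratch directory rather than a single file, `tempfile.mkdtemp()` gives the same guarantees: a random name, created exclusively, with mode 0700.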