Old 05-06-2003, 05:38 AM   #1
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

LQ weekly security rep - Tue May 02nd 2003


May 5th 2003
12 of 28 issues handled (SF)
1. Truegalerie Unauthorized Administrative Access Vulnerability
4. Xoops MyTextSanitizer HTML Injection Vulnerability
5. Linux-ATM LES Command Line Argument Buffer Overflow Vulnerability
8. Invision Board Restricted Forum Plaintext Password Vulnerability
9. Onecenter Forum IMG Tag Script Injection Vulnerability
11. Macromedia ColdFusion MX Error Message Path Disclosure Vulnerability
12. Mike Bobbit Album.PL Remote Command Execution Vulnerability
15. Qualcomm Qpopper Poppassd Local Arbitrary Command Execution Vulnerability
16. Apache Mod_Auth_Any Remote Command Execution Vulnerability
22. Oracle Net Services Link Buffer Overflow Vulnerability
23. Netscape Navigator Directory Cross-Domain Scripting Vulnerability
28. Worker Filemanager Directory Creation Race Condition Vulnerability

May 05th 2003
18 of 50 issues handled (ISS)
Bugzilla bug summary cross-site scripting
Bugzilla temporary file symlink attack
ForumOne HTML IMG tag cross-site scripting
Invision Power Board stores administrator password
XOOPS MyTextSanitizer() function cross-site
Qpopper poppassd root access
album.pl command execution
Macromedia ColdFusion MX physical path disclosure
SAP DB SDBINST race condition
MDaemon POP3 negative number denial of service
OpenBB multiple scripts SQL Injection
Oracle Database Servers 'CREATE DATABASE LINK'
Truegalerie verif_admin.php and check_admin.php
Truegalerie upload form could allow an attacker to
Red Hat Enterprise Linux mod_auth_any command
OpenSSH PAM support enabled information leak
ATM on Linux "les" executable command line buffer
IdeaBox file include

May 2nd 2003
18 issues handled (LAW)
apcupsd
sendmail
apache
balsa
pptp
kdebase
snort
tcpdump
monkeyd
mgetty
ethereal
squirrelmail
lprng
micq
zlib
mysql
man
xinetd
 
Old 05-06-2003, 05:41 AM   #2
unSpawn
May 2nd 2003 (LAW)

Linux Advisory Watch

Package: apcupsd
Description:
Multiple buffer overflows in apcupsd may allow attackers to cause a denial
of service or execute arbitrary code, related to usage of the vsprintf
function.
Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3057.html

Package: sendmail
Description:
From CERT CA-2003-12: There is a vulnerability in sendmail that can be
exploited to cause a denial-of-service condition and could allow a remote
attacker to execute arbitrary code with the privileges of the sendmail
daemon, typically root.
Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3057.html
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3220.html

Package: apache
Description:
There is a memory leak in these apache versions which can be remotely
triggered by sending large chunks of consecutive linefeed characters. Each
linefeed will cause the server to allocate 80 bytes of memory.
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3219.html

Package: balsa
Description:
An attacker who is able to control an IMAP server accessed by balsa can
exploit this vulnerability to remotely crash the client or execute
arbitrary code with the privileges of the user running it. This update
fixes this vulnerability.
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3221.html
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3216.html

Package: pptp
Description:
Timo Sirainen discovered a vulnerability in pptpd, a Point to Point
Tunneling Server, which implements PPTP-over-IPSEC and is commonly used to
create Virtual Private Networks (VPN). By specifying a small packet length
an attacker is able to overflow a buffer and execute code under the user
id that runs pptpd, probably root. An exploit for this problem is already
circulating.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3214.html
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3209.html

Package: kdebase
Description:
The KDE team discovered a vulnerability in the way KDE uses Ghostscript
software for processing of PostScript (PS) and PDF files. An attacker
could provide a malicious PostScript or PDF file via mail or websites that
could lead to executing arbitrary commands under the privileges of the
user viewing the file or when the browser generates a directory listing
with thumbnails.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3215.html
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3201.html

Package: snort
Description:
Two vulnerabilities have been discovered in Snort, a popular network
intrusion detection system. Snort comes with modules and plugins that
perform a variety of functions such as protocol analysis.
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3223.html
EnGarde Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3217.html
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3207.html
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3212.html

Package: tcpdump
Description:
There are several vulnerabilities in the tcpdump package shipped with
EnGarde Secure Linux.
EnGarde Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3218.html

Package: monkeyd
Description:
A buffer overflow vulnerability exists in Monkey's handling of forms
submitted with the POST request method. The unchecked buffer lies in the
PostMethod() procedure.
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3208.html

Package: mgetty
Description:
Buffer overflow in cnd-program for mgetty before 1.1.29 allows remote
attackers to cause a denial of service and possibly execute arbitrary code
via a Caller ID string with a long CallerName argument.
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3210.html

Package: ethereal
Description:
A vulnerability was discovered in Ethereal 0.9.9 and earlier that allows a
remote attacker to use specially crafted SOCKS packets to cause a denial
of service (DoS) and possibly execute arbitrary code.
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3203.html

Package: squirrelmail
Description:
Cross-site scripting vulnerabilities in SquirrelMail version 1.2.10 and
earlier allow remote attackers to execute script as other Web users via
mailbox displays, message displays, or search results displays. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0160 to these issues.
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3204.html

Package: lprng
Description:
A vulnerability has been found in psbanner, which creates a temporary file
with a known filename in an insecure manner. An attacker could create a
symbolic link and cause arbitrary files to be written as the 'lp' user.
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3205.html

Package: micq
Description:
mICQ versions 0.4.9 and earlier allow remote attackers to cause a denial
of service (crash) using malformed ICQ message types without a 0xFE
separator character.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3206.html

Package: zlib
Description:
Updated zlib packages are now available which fix a buffer overflow
vulnerability.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3211.html

Package: mysql
Description:
A double-free vulnerability in mysqld, for MySQL before version 3.23.55,
allows attackers with MySQL access to cause a denial of service (crash) by
creating a carefully crafted client application. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2003-0073 to this issue.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3211.html

Package: man
Description:
Updated man packages fix a minor security vulnerability.
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3224.html

Package: xinetd
Description:
Remote attackers can create a DoS condition on the xinetd server.
Turbo Linux Vendor Advisory:
http://www.linuxsecurity.com/advisor...sory-3202.html
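The lprng psbanner entry above is the classic insecure temporary-file pattern: a privileged process opens a predictable path, and a local user who has planted a symlink there redirects the write. The following is an added example, not code from the advisory or from lprng; the file names (`psbanner.tmp`, `victim.txt`) are constructed for the demonstration. It reproduces the precondition in a scratch directory, shows the unsafe open following the link, and shows the two fixes a defender would apply: `O_CREAT|O_EXCL` (with `O_NOFOLLOW` as belt-and-braces) so a pre-existing path is refused, and `mkstemp()` so the name is not predictable to begin with.

```python
"""Insecure vs. safe temporary-file creation (added example, not from the advisory)."""
import os
import tempfile


def unsafe_open(path: str) -> int:
    """psbanner-style pattern: fixed name, O_CREAT without O_EXCL.
    If `path` is already a symlink, the write goes wherever it points."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)


def safe_open(path: str) -> int:
    """Create `path` only if nothing is there yet.
    O_EXCL fails with EEXIST when the path exists, including when it is a
    (possibly dangling) symlink; O_NOFOLLOW additionally refuses symlinks
    with ELOOP on platforms that support it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def demo(workdir: str) -> dict:
    """Simulate the attack precondition inside `workdir` and record the outcome.
    A low-privileged user plants a symlink at the predictable banner path
    pointing at a file they want overwritten (constructed sample paths)."""
    victim = os.path.join(workdir, "victim.txt")
    with open(victim, "w") as f:
        f.write("original contents\n")
    predictable = os.path.join(workdir, "psbanner.tmp")
    os.symlink(victim, predictable)

    # Unsafe: follows the planted symlink and clobbers the victim file.
    fd = unsafe_open(predictable)
    os.write(fd, b"banner data\n")
    os.close(fd)
    with open(victim) as f:
        victim_clobbered = f.read() != "original contents\n"

    # Safe: refuses because something already sits at that path.
    try:
        safe_open(predictable)
        safe_refused = False
    except OSError:  # EEXIST or ELOOP, depending on which flag trips first
        safe_refused = True

    # Preferred: let mkstemp pick an unpredictable name with O_EXCL semantics.
    fd, random_path = tempfile.mkstemp(dir=workdir, prefix="psbanner.")
    os.write(fd, b"banner data\n")
    os.close(fd)
    random_ok = os.path.isfile(random_path) and not os.path.islink(random_path)

    return {
        "victim_clobbered": victim_clobbered,
        "safe_refused": safe_refused,
        "random_path_is_regular_file": random_ok,
    }


def run_demo() -> dict:
    """Run demo() in a throwaway directory so it never touches a shared /tmp."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    print(run_demo())
```

The point of the third variant is that `mkstemp()` combines both defences: the name is random and the open is exclusive, so a symlink planted in advance neither matches the name nor survives the `O_EXCL` check.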
 
Old 05-06-2003, 05:44 AM   #3
unSpawn
May 05th 2003 (ISS)

Internet Security Systems

Date Reported: 04/25/2003
Brief Description: Bugzilla bug summary cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: BSD Any version, Bugzilla 2.16.2, Linux Any
version, Unix Any version, Windows Any version
Vulnerability: bugzilla-bug-summary-xss
X-Force URL: http://www.iss.net/security_center/static/11866.php

Date Reported: 04/25/2003
Brief Description: Bugzilla temporary file symlink attack
Risk Factor: Medium
Attack Type: Host Based
Platforms: BSD Any version, Bugzilla 2.16.2 and earlier,
Bugzilla 2.17.3 and earlier, Linux Any version,
Unix Any version, Windows Any version
Vulnerability: bugzilla-tmpfile-symlink
X-Force URL: http://www.iss.net/security_center/static/11867.php

Date Reported: 04/24/2003
Brief Description: ForumOne HTML IMG tag cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: ForumOne 4.0, Linux Any version, Unix Any version,
Windows Any version
Vulnerability: forumone-img-tag-xss
X-Force URL: http://www.iss.net/security_center/static/11870.php

Date Reported: 04/25/2003
Brief Description: Invision Power Board stores administrator password
in plain text
Risk Factor: Medium
Attack Type: Network Based
Platforms: Invision Power Board Any version, Linux Any
version, Unix Any version, Windows Any version
Vulnerability: invision-admin-plaintext-password
X-Force URL: http://www.iss.net/security_center/static/11871.php

Date Reported: 04/25/2003
Brief Description: XOOPS MyTextSanitizer() function cross-site
scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Unix Any version, Windows Any
version, XOOPS 1.3.5 through 1.3.9, XOOPS 2.0
through 2.0.1
Vulnerability: xoops-mytextsanitizer-xss
X-Force URL: http://www.iss.net/security_center/static/11872.php

Date Reported: 04/28/2003
Brief Description: Qpopper poppassd root access
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, Qpopper 4.0.x, Unix Any version
Vulnerability: qpopper-poppassd-root-access
X-Force URL: http://www.iss.net/security_center/static/11877.php

Date Reported: 04/26/2003
Brief Description: album.pl command execution
Risk Factor: High
Attack Type: Network Based
Platforms: album.pl 6.1 and earlier, Linux Any version, Unix
Any version, Windows Any version
Vulnerability: albumpl-command-execution
X-Force URL: http://www.iss.net/security_center/static/11878.php

Date Reported: 04/26/2003
Brief Description: Macromedia ColdFusion MX physical path disclosure
Risk Factor: Low
Attack Type: Network Based
Platforms: ColdFusion MX Any version, Windows 2000 Any
version, Windows NT Any version, Windows XP Any
version
Vulnerability: coldfusion-mx-path-disclosure
X-Force URL: http://www.iss.net/security_center/static/11879.php

Date Reported: 04/27/2003
Brief Description: SAP DB SDBINST race condition
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, SAP DB 7.3.0.29, SAP DB 7.4.3.7
beta, Unix Any version
Vulnerability: sap-db-sdbinst-race
X-Force URL: http://www.iss.net/security_center/static/11881.php

Date Reported: 04/28/2003
Brief Description: MDaemon POP3 negative number denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: MDaemon 6.0.7 and earlier, Windows Any version
Vulnerability: mdaemon-pop3-negative-dos
X-Force URL: http://www.iss.net/security_center/static/11882.php

Date Reported: 04/25/2003
Brief Description: OpenBB multiple scripts SQL Injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, OpenBB 1.1.0, Unix Any version,
Windows Any version
Vulnerability: openbb-multiple-sql-injection
X-Force URL: http://www.iss.net/security_center/static/11884.php

Date Reported: 04/25/2003
Brief Description: Oracle Database Servers 'CREATE DATABASE LINK'
buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Oracle7 Database Server 7.3.x, Oracle8i Database
Server 8.0.x, Oracle8i Database Server 8.1.x,
Oracle9i Database Server Release 1 Any version,
Oracle9i Database Server Release 2 Any version
Vulnerability: oracle-database-link-bo
X-Force URL: http://www.iss.net/security_center/static/11885.php

Date Reported: 04/25/2003
Brief Description: Truegalerie verif_admin.php and check_admin.php
could allow administrative access
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Truegalerie 1.0, Unix Any
version, Windows Any version, Windows XP Any
version
Vulnerability: truegalerie-verifadmin-admin-access
X-Force URL: http://www.iss.net/security_center/static/11886.php

Date Reported: 04/25/2003
Brief Description: Truegalerie upload form could allow an attacker to
view files
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Truegalerie 1.0, Unix Any
version, Windows Any version
Vulnerability: truegalerie-upload-view-files
X-Force URL: http://www.iss.net/security_center/static/11888.php

Date Reported: 04/28/2003
Brief Description: Red Hat Enterprise Linux mod_auth_any command
execution
Risk Factor: High
Attack Type: Network Based
Platforms: Red Hat Advanced Workstation 2.1, Red Hat
Enterprise Linux 2.1AS, Red Hat Enterprise Linux
2.1ES, Red Hat Enterprise Linux 2.1WS, Red Hat
Linux 7.2, Red Hat Linux 7.3
Vulnerability: modauthany-command-execution
X-Force URL: http://www.iss.net/security_center/static/11893.php

Date Reported: 04/30/2003
Brief Description: OpenSSH PAM support enabled information leak
Risk Factor: Medium
Attack Type: Network Based
Platforms: Gentoo Linux Any version, OpenSSH 3.6.1p1 and
earlier, Unix Any version
Vulnerability: openssh-pam-info-leak
X-Force URL: http://www.iss.net/security_center/static/11902.php

Date Reported: 04/28/2003
Brief Description: ATM on Linux "les" executable command line buffer
overflow
Risk Factor: High
Attack Type: Host Based
Platforms: ATM on Linux 2.4.0, Linux Any version
Vulnerability: atmonlinux-les-command-bo
X-Force URL: http://www.iss.net/security_center/static/11903.php

Date Reported: 04/29/2003
Brief Description: IdeaBox file include
Risk Factor: Medium
Attack Type: Network Based
Platforms: IdeaBox 1.0, Linux Any version, Unix Any version,
Windows Any version
Vulnerability: ideabox-file-include
X-Force URL: http://www.iss.net/security_center/static/11907.php
 
Old 05-06-2003, 05:46 AM   #4
unSpawn
May 5th 2003 (SF)

SecurityFocus

1. Truegalerie Unauthorized Administrative Access Vulnerability
BugTraq ID: 7427
Remote: Yes
Date Published: Apr 25 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7427
Summary:

Truegalerie is web-based photo album software implemented in PHP and is
available for a variety of platforms including Microsoft Windows and Linux
variant systems.

A vulnerability has been reported for Truegalerie that may result in
unauthorized administrative access. The vulnerability exists due to
insufficient sanitization of some URI values. Specifically, the values for
the URI parameter 'loggedin' are not properly verified.

An attacker can exploit this vulnerability by manipulating the 'loggedin'
URI parameter to obtain administrative access to the site hosting
Truegalerie.

This vulnerability was reported for Truegalerie 1.0.

4. Xoops MyTextSanitizer HTML Injection Vulnerability
BugTraq ID: 7434
Remote: Yes
Date Published: Apr 25 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7434
Summary:

Xoops is open-source, freely available web portal software written in
object-oriented PHP. It is back-ended by a MySQL database and will run on
most Unix and Linux distributions.

The MyTextSanitizer script is used by Xoops to filter unsupported and
malicious characters. It is also capable of filtering malicious scripts.

A script code injection vulnerability has been discovered in the
MyTextSanitizer script. The problem occurs due to insufficient filtering
of script code embedded within HTML 'img' tags. As a result, an attacker
may be capable of placing malicious HTML or script code within 'newbb'
posts, private messages, and news posts.

Successful exploitation of this vulnerability may allow a malicious Xoops
user to execute arbitrary HTML or script code within the browser of a
legitimate user. This may allow for the theft of cookie-based
authentication credentials that may escalate to session hijacking. Other
attacks are also possible.

This vulnerability affects Xoops releases prior to 1.3.10 and 2.0.1.

5. Linux-ATM LES Command Line Argument Buffer Overflow Vulnerability
BugTraq ID: 7437
Remote: No
Date Published: Apr 25 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7437
Summary:

Linux-atm is a set of drivers and tools designed to support ATM networking
under Linux.

The linux-atm 'les' executable has been reported prone to a buffer
overflow vulnerability.

This issue is due to a lack of sufficient bounds checking performed on
data supplied via the '-f' command line argument to the 'les' executable.
Excessive supplied data may overrun the bounds of an internal memory
buffer (of approximately 244 bytes in size) and corrupt adjacent memory.
Because adjacent memory may contain values that are crucial to the control
of execution flow, arbitrary code execution is possible.

Although this vulnerability reportedly affects linux-atm 2.4.0, previous
versions may also be affected.

It should be noted that it is not currently known whether this application
requires elevated privileges to run. No distributions are currently known
which install LES setuid.

8. Invision Board Restricted Forum Plaintext Password Vulnerability
BugTraq ID: 7440
Remote: No
Date Published: Apr 25 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7440
Summary:

Invision Board is an online bulletin board designed to facilitate
forum-based conversation.

Invision Board has been reported to store restricted forum credentials as
plain text embedded in cookie data.

If the Invision Board admin 'pass protected' option is activated for a
specific forum, on attempted access to the controlled area, the restricted
forum password is reportedly stored as plaintext in a local cookie. The
plaintext password may be recovered from the local cookie and used to
bypass the authentication method used to restrict the private areas of the
board.

It should be noted that although unconfirmed this vulnerability was
reported to affect all versions of Invision Power Board.

9. Onecenter Forum IMG Tag Script Injection Vulnerability
BugTraq ID: 7441
Remote: Yes
Date Published: Apr 25 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7441
Summary:

OneCenter ForumOne 4.0 is a full-featured, web-based group discussion
forum.

A problem with Onecenter ForumOne could allow remote users to execute
arbitrary code in the context of the web site hosting ForumOne. The
problem occurs due to the lack of sanitization performed on data embedded
within HTML tags.

Specifically, Onecenter ForumOne does not sanitize code embedded within
HTML IMG tags. As a result, a malicious user may be able to submit a post
to the site containing embedded script code. This code would be executed
by a user's browser in the context of the site.

This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software. The attacker may hijack the session of the legitimate user by using
cookie-based authentication credentials. Other attacks are also possible.

Although this vulnerability was reported to affect OneCenter ForumOne
version 4.0, previous versions may also be affected.

11. Macromedia ColdFusion MX Error Message Path Disclosure Vulnerability
BugTraq ID: 7443
Remote: Yes
Date Published: Apr 26 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7443
Summary:

ColdFusion MX is the application server for developing and hosting
infrastructure distributed by Macromedia. It is available as a standalone
product for Unix, Linux, and Microsoft Operating Systems.

A vulnerability has been reported for Macromedia ColdFusion MX that may
reveal the physical path information to attackers.

When certain malformed URL requests are received by the server, an error
message is returned containing the full path of the ColdFusion
installation. Specifically, when a request for the /CFIDE/probe.cfm page
is made on the server process on port 8500, an error message is returned
which contains path information.

Information obtained in this manner may be used by an attacker to launch
further attacks against a vulnerable system.

12. Mike Bobbit Album.PL Remote Command Execution Vulnerability
BugTraq ID: 7444
Remote: Yes
Date Published: Apr 26 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7444
Summary:

Mike Bobbit Album.pl is a web-based photo album implemented in Perl. It is
available for a variety of platforms including Windows and Linux variant
operating systems.

A remote command execution vulnerability has been reported for Album.pl.
The vulnerability reportedly exists when alternate configuration files are
used. Thus, it may be possible for a remote attacker to execute arbitrary
commands in the context of the web server process.

A remote attacker may exploit this condition to gain local, interactive
access to the underlying host.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.

15. Qualcomm Qpopper Poppassd Local Arbitrary Command Execution Vulnerability
BugTraq ID: 7447
Remote: No
Date Published: Apr 28 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7447
Summary:

Qualcomm Qpopper poppassd is a daemon that facilitates the modification of
email account passwords.

Qualcomm Qpopper poppassd has been reported prone to a local arbitrary
command execution vulnerability.

poppassd is installed with setUID root permissions set by default and is
executable by all local system users. There has been an issue reported in
poppassd that may allow a local user to execute arbitrary commands in the
context of the root user. An attacker may specify a path to the
'smbpasswd' executable via the '-s' poppassd command line switch. A
malicious executable may be supplied via the path to 'smbpasswd' option,
for example '-s /tmp/smbpasswd' and the executable will be called as
poppassd is run.

An attacker may exploit this condition to elevate privileges on the local
system. Because poppassd is by default setUID root, privileges attained
may be root.

16. Apache Mod_Auth_Any Remote Command Execution Vulnerability
BugTraq ID: 7448
Remote: Yes
Date Published: Apr 28 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7448
Summary:

mod_auth_any is an Apache module designed to carry out user authentication
using any program via the command-line.

A vulnerability has been discovered in the mod_auth_any Apache module.
When running commands which require user-supplied arguments, mod_auth_any
fails to sufficiently escape various user-supplied data. As a result, it
may be possible for a remote attacker to embed malicious shell
metacharacters, such as (`) or (;) within command-line arguments. These
metacharacters may result in the authentication procedure prematurely
ending and may cause attacker-supplied commands to be executed.

Successful exploitation of this vulnerability could allow an attacker to
gain access to a host using the vulnerable software with the privileges of
the Apache HTTPD server.

22. Oracle Net Services Link Buffer Overflow Vulnerability
BugTraq ID: 7453
Remote: Yes
Date Published: Apr 29 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7453
Summary:

Oracle has announced a buffer overflow vulnerability in Oracle Net
Services for the Oracle Database Server.

The vulnerability exists due to insufficient boundary checks performed by
the Oracle server for values supplied to the 'CREATE DATABASE LINK' query.

The 'CREATE DATABASE LINK' privileges are assigned to the CONNECT role
thus low privileged accounts are able to create database links.

A malicious attacker with CONNECT privileges can exploit this
vulnerability to create a specially crafted database link and then
executing a select query from the link. Once the link is selected the
buffer overflow condition will be triggered resulting in the corruption of
sensitive stack memory. Successful exploitation will result in the
execution of attacker-supplied code with the privileges of the database
server. On Windows systems, the Oracle Database Server is executed with
SYSTEM privileges and on Unix and Linux systems, the Database Server runs
as the 'oracle' user.

23. Netscape Navigator Directory Cross-Domain Scripting Vulnerability
BugTraq ID: 7456
Remote: Yes
Date Published: Apr 29 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7456
Summary:

Netscape is a web browser which is available for a number of platforms,
including Microsoft Windows and Unix and Linux variants.

A vulnerability has been reported that could allow an attacker to fool
Netscape into running script in a foreign domain. If a dot (.) is
appended to the end of the hostname in a URI, Netscape may accept the
directory name as the actual domain. This could permit a malicious web
page to access the DOM (Document Object Model) of another foreign domain.

An attacker could exploit this by enticing a user to visit a malicious URI
and then running malicious script code which can access the properties of
a foreign domain. This could lead to theft of cookie-based authentication
credentials, information disclosure or other attacks.

This issue was reported for Netscape Navigator 7.02. It is likely that
other versions of Netscape are vulnerable to this issue. As well, browsers
based on Mozilla may be vulnerable too.

28. Worker Filemanager Directory Creation Race Condition Vulnerability
BugTraq ID: 7460
Remote: No
Date Published: Apr 29 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7460
Summary:

Worker is a file management utility for the Unix X windowing system. It is
modeled after the Directory Opus 4 application and is available for
Unix-based operating systems.

A vulnerability has been discovered in Worker Filemanager 2.7. The problem
lies in a destination directory that is given world-readable and
executable permissions during data transfer. As a result, during a
specific time window, an attacker may be capable of modifying or accessing
sensitive files located in the directory. Permissions are changed to a
secure setting after the data transfer has completed.

Files located in this directory may contain sensitive data, which may aid
an attacker in launching further attacks against a target system. Though
unconfirmed, if these temporarily accessible files are writeable and later
used by a user or some application to carry out an operation, an attacker
may be capable of corrupting data or executing malicious commands. All
actions carried out would be done with the privileges of the user running
Worker Filemanager, possibly root.
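Item 16 above (mod_auth_any) describes an authentication module that hands user-supplied fields to an external program and fails to escape shell metacharacters such as (`) or (;). The example below is added here and is not mod_auth_any's code; the checker command, the accepted credential pair and the username policy are constructed for the demonstration. It puts the vulnerable pattern (building one command string for a shell) next to the two defensive measures: run the helper with an argv list and `shell=False`, so metacharacters arrive as literal data, and allow-list the username so anything that could not be a valid account name is logged and dropped before any external program runs.

```python
"""Passing untrusted credentials to an external checker (added example)."""
import re
import subprocess
import sys

# Assumed username policy for this example: letters, digits, . _ - only.
USERNAME_OK = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def build_shell_command(checker: str, user: str, password: str) -> str:
    """Vulnerable pattern (shown, never executed here): concatenating untrusted
    fields into one string that /bin/sh will parse.  A ; or ` in either field
    changes the structure of the command instead of staying data."""
    return f"{checker} {user} {password}"


def validate_username(user: str) -> bool:
    """Allow-list the username.  Rejecting early also gives a clean log signal:
    a name containing ; or ` is an attack attempt, not a typo."""
    return USERNAME_OK.match(user) is not None


# Constructed stand-in for the external checker program.  It accepts exactly
# one credential pair and exits 0/1 like a real helper would; a deployment
# would point CHECKER_ARGV at its actual checker binary.
CHECKER_ARGV = [
    sys.executable,
    "-c",
    "import sys; sys.exit(0 if sys.argv[1:3] == ['alice', 's3cret'] else 1)",
]


def run_checker(user: str, password: str) -> bool:
    """Safe pattern: argv list and shell=False.  The helper receives `user` and
    `password` as two separate literal arguments whatever characters they
    contain, so no quoting or escaping logic is needed."""
    proc = subprocess.run(CHECKER_ARGV + [user, password], capture_output=True)
    return proc.returncode == 0


def authenticate(user: str, password: str) -> str:
    """Return 'rejected' (failed validation, helper never ran), 'denied'
    (helper ran and said no) or 'ok', so callers can log the stage reached."""
    if not validate_username(user):
        return "rejected"
    return "ok" if run_checker(user, password) else "denied"


if __name__ == "__main__":
    for u, p in [("alice", "s3cret"), ("alice", "wrong"), ("bob; id", "x")]:
        print(f"{u!r}: {authenticate(u, p)}")
```

Note that the password is deliberately not allow-listed: passwords may legitimately contain shell metacharacters, which is exactly why the fix has to be "no shell in the path" rather than "escape harder".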
 
  

