Old 06-19-2002, 11:32 AM   #1
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

LQ weekly security rep - wed jun 19th 2002


June 20th 2002
Apache Chunked encoding vulnerability

Kicking off with 27 entries for starters this week.
This is the index.

June 19th 2002
1. X Window System Oversized Font Denial Of Service Vulnerability BugTraq ID: 4966
2. Geeklog pid CGI Variable SQL Injection Vulnerability BugTraq ID: 4968
3. Geeklog Multiple Cross Site Scripting Vulnerabilities BugTraq ID: 4969
4. MyHelpDesk HTML Injection Vulnerability BugTraq ID: 4967
5. MyHelpDesk Cross-Site Scripting Vulnerability BugTraq ID: 4970
6. MyHelpDesk SQL Injection Vulnerability BugTraq ID: 4971
7. ZenTrack Ticket.PHP Information Disclosure Vulnerability BugTraq ID: 4973
8. Geeklog Calendar Event Form Script Injection Vulnerability BugTraq ID: 4974
9. W-Agora Remote File Include Vulnerability BugTraq ID: 4977
10. Datalex Bookit! Consumer Plaintext Authentication Credentials Vulnerability BugTraq ID: 4972
11. BizDesign ImageFolio Authorized User Web Root Disclosure Vulnerability BugTraq ID: 4976
14. LPRNG Remote Print Submission Vulnerability BugTraq ID: 4980
15. Lokwa BB Multiple SQL Injection Vulnerabilities BugTraq ID: 4981
16. Belkin F5D5230-4 Router Internal Web Request Vulnerability BugTraq ID: 4982
17. AlienForm2 Directory Traversal Vulnerability BugTraq ID: 4983
18. RHMask Local File Overwrite Vulnerability BugTraq ID: 4984
20. LinkSys EtherFast Router Remote Administration Enabled Vulnerability BugTraq ID: 4987
21. Pinboard Task List HTML Injection Vulnerability BugTraq ID: 4988
22. MMFTPD SysLog Format String Vulnerability BugTraq ID: 4990
23. BBGallery Image Tag HTML Injection Vulnerability BugTraq ID: 4992
24. CGIScript.net csNews Double URL Encoding Unauthorized Administrative Access Vulnerability BugTraq ID: 4993
25. CGIScript.net csNews Header File Type Restriction Bypass Vulnerability BugTraq ID: 4994
26. CGIScript.net CSNews Sensitive File Disclosure Vulnerability BugTraq ID: 4991
27. Apache Tomcat JSP Engine Denial of Service Vulnerability BugTraq ID: 4995
30. CGIForum Infinite Recursion Denial of Service Vulnerability BugTraq ID: 4960
31. WebCalendar Include Files Information Disclosure Vulnerability BugTraq ID: 4961
32. Pine Unix Username Account Information Leakage Vulnerability BugTraq ID: 4963
33. Multiple Bugzilla Security Vulnerabilities BugTraq ID: 4964

This one slipped through, slightly older but anyway:
mozilla, mailman, LPRng and ghostscript

Last edited by unSpawn; 06-20-2002 at 04:00 AM.
 
Old 06-19-2002, 11:34 AM   #2
unSpawn
Pt 1

------------------------------
SecurityFocus Newsletter 149

1. X Window System Oversized Font Denial Of Service Vulnerability BugTraq ID: 4966
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4966
Summary:

A problem has been reported in X Window System, which may be exploited to crash the browser and cause system-wide instability.

X Window System is prone to a denial of service condition when attempting to handle an overly large font size (font-size: 1666666px). X Window System reportedly produces an exception when handling the overly large font size. Instead of handling the exception gracefully, this may cause X Window System components to behave unpredictably, potentially requiring X Window System to be restarted to regain normal functionality. Other reports indicate that this may crash X outright. The results may vary depending on the environment.

This is reported to be a problem with xfs (X Font Server) and the libXfont component.

Remote exploitation of this issue is possible via web clients or other applications which do not check that the font size is sane before passing it to the X Window System.

This is reported to affect various X Window System implementations, including XFree86. Implementations that bundle variations of xfs (X Font Server) and libXfont are believed to be prone to this issue.

2. Geeklog pid CGI Variable SQL Injection Vulnerability BugTraq ID: 4968
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4968
Summary:

Geeklog is freely available, open-source weblog software. It is written in PHP and will run on most Unix and Linux variants, as well as Microsoft Windows NT/2000. Geeklog is backended by MySQL. Geeklog version 1.3.5 and prior are subject to SQL injection attacks.

Geeklog does not properly validate externally-supplied input when including arbitrary characters and additional SQL statements in the 'pid' variable of some CGI requests. As a result, attackers may be able to modify SQL queries performed by the application.

This issue has been reported in the comment.php script, and the following URL has been supplied as an example:


/comment.php?mode=display&sid=foo&pid=PROBLEM_HERE&title=ALPER_Research_Labs

It should be noted that if the 'Magic Quotes' PHP feature is enabled, it may be difficult for attackers to obtain user information from SQL tables.
This feature may, however, not be sufficient to remove all possibilities of exploitation.

Exploitation of this vulnerability may result in data corruption, disclosure of sensitive information and intrusion into the database server.

3. Geeklog Multiple Cross Site Scripting Vulnerabilities BugTraq ID: 4969
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4969
Summary:

Geeklog is freely available, open-source weblog software. It is written in PHP and will run on most Unix and Linux variants, as well as Microsoft Windows NT/2000. Geeklog is backended by MySQL.

Geeklog does not filter script code from URL parameters, making it prone to cross-site scripting attacks. Attacker-supplied script code may be included in a malicious link to the 'index.php' or 'comment.php' script.
The attacker-supplied script code will be executed in the browser of a web user who visits this link, in the security context of the host running Geeklog. Such a link might be included in an HTML e-mail or on a malicious webpage.

This may enable a remote attacker to steal cookie-based authentication credentials from legitimate users of a host running Geeklog.

This issue has been reported to exist in Geeklog 1.3.5, earlier versions may also be susceptible to this issue.

4. MyHelpDesk HTML Injection Vulnerability BugTraq ID: 4967
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4967
Summary:

MyHelpDesk is a web-based helpdesk system written in PHP. It is freely available and will run on most Unix and Linux variants as well as Microsoft Windows operating systems.

A vulnerability has been reported for MyHelpDesk (version 20020509 and earlier) that will allow attackers to inject malicious HTML code.

MyHelpDesk does not properly sanitize HTML tags from form fields.
Attackers may pass arbitrary HTML code through the unsanitized form fields. The attacker-supplied HTML code will end up being displayed in MyHelpDesk webpages and will be executed by the web client of users who visit such pages, in the security context of the site running the vulnerable software.

The 'Title', 'Description' and 'Update' fields are not properly sanitized for malicious HTML input. Additionally, an opportunity for HTML injection exists when a new ticket is created or edited.

This may potentially be exploited to hijack web content or steal cookie-based authentication credentials from legitimate users.

5. MyHelpDesk Cross-Site Scripting Vulnerability BugTraq ID: 4970
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4970
Summary:

MyHelpDesk is a web-based helpdesk system written in PHP. It is freely available and will run on most Unix and Linux variants as well as Microsoft Windows operating systems.

It is reported that MyHelpDesk (version 20020509 and earlier) is vulnerable to cross site scripting attacks.

The vulnerability is present in the 'index.php' script. MyHelpDesk does not properly sanitize HTML from the 'id' CGI parameter prior to output.

Attackers may exploit this vulnerability by constructing a link to a vulnerable script, passing malicious HTML code as a value for unsanitized CGI parameters. If the link is sent to a MyHelpDesk user and clicked on, the attacker-supplied HTML code will run in the context of the site running the vulnerable software.

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of MyHelpDesk.

6. MyHelpDesk SQL Injection Vulnerability BugTraq ID: 4971
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4971
Summary:

MyHelpDesk is a web-based helpdesk system written in PHP. It is freely available and will run on most Unix and Linux variants as well as Microsoft Windows operating systems. MyHelpDesk is back-ended by a MySQL database.

It is reported that MyHelpDesk (version 20020509 and earlier) is vulnerable to an SQL injection attack.

A SQL injection vulnerability has been reported within the index.php script. Data supplied by the remote user, via CGI parameters, is used directly as part of SQL statements. As input sanitization is not properly performed, it is possible to modify the logic of a SQL query.

Cleverly executed SQL injection attacks may potentially allow a malicious party to view or modify sensitive information. Additionally, an attacker might potentially use this issue to exploit any existing vulnerabilities in the underlying database.

7. ZenTrack Ticket.PHP Information Disclosure Vulnerability BugTraq ID: 4973
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4973
Summary:

ZenTrack is designed to be a complete project management, bug tracking, and ticketing system. It is implemented in PHP and is able to run on Unix and Linux variants as well as Windows operating systems.

A path disclosure vulnerability has been reported in ZenTrack version 2.0.3 and earlier.

By requesting a ticket that doesn't exist, an attacker is able to cause ZenTrack to reveal the absolute path to the web root in the error output.
It may also cause ZenTrack to reveal other sensitive information to the attacker.

This information may be used by attackers to mount further attacks against a vulnerable system.
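
Added example (my code, not the newsletter's or Geeklog's) for the point in item 2 that magic-quotes escaping may not prevent exploitation: the 'pid' parameter is used in a numeric comparison, so escaping quote characters does nothing. It assumes a small SQLite 'comments' table keyed by an integer pid, constructed here to stand in for Geeklog's schema.

```python
import sqlite3

# Constructed stand-in for Geeklog's comments table (assumed schema, not Geeklog's own):
# comments keyed by an integer pid, as comment.php's 'pid' parameter implies.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE comments (pid INTEGER, sid TEXT, body TEXT)")
    con.executemany("INSERT INTO comments VALUES (?, ?, ?)", [
        (1, "foo", "first comment on story foo"),
        (2, "foo", "second comment on story foo"),
        (3, "bar", "comment on story bar"),
    ])
    return con

def addslashes(value):
    """Approximation of PHP's magic_quotes_gpc: backslash-escape quotes and backslashes.
    It only guards string literals; a value spliced into a numeric comparison is untouched."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def fetch_vulnerable(con, pid):
    """The pattern the advisory describes: the request parameter is concatenated
    into the statement. Even with magic-quotes escaping applied, 'pid' sits in a
    numeric context, so injected text containing no quote characters passes through."""
    sql = "SELECT body FROM comments WHERE pid = " + addslashes(pid)
    return [row[0] for row in con.execute(sql)]

def fetch_hardened(con, pid):
    """Hardened form: enforce the type the application expects, then bind the value
    as a parameter so the database never parses it as SQL."""
    pid_int = int(pid, 10)          # raises ValueError for anything but an integer
    rows = con.execute("SELECT body FROM comments WHERE pid = ?", (pid_int,))
    return [row[0] for row in rows]

def compare(pid):
    """Return (vulnerable_row_count, hardened_result) for one request value;
    hardened_result is a row count or the string 'rejected'."""
    con = make_db()
    vuln = len(fetch_vulnerable(con, pid))
    try:
        hard = len(fetch_hardened(con, pid))
    except ValueError:
        hard = "rejected"
    return vuln, hard

if __name__ == "__main__":
    print(compare("2"))           # (1, 1): a normal request
    print(compare("0 OR 1=1"))    # (3, 'rejected'): injected text dumps every row
```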
 
Old 06-19-2002, 11:35 AM   #3
unSpawn
Pt 2

8. Geeklog Calendar Event Form Script Injection Vulnerability BugTraq ID: 4974
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4974
Summary:

Geeklog is freely available, open-source weblog software. It is written in PHP and will run on most Unix and Linux variants, as well as Microsoft Windows NT/2000. Geeklog is backended by MySQL.

Geeklog does not sufficiently sanitize script code from form fields, making it prone to script injection attacks.

Attacker-supplied script code included in the Link field of a new Calendar Event submission form may potentially end up in webpages generated by Geeklog and will execute in the browser of a user who views such pages, in the security context of the website.

It should be noted that new Calendar Event submissions are sent to the web site administrator for approval.

This issue may potentially be exploited to hijack web content or steal cookie-based authentication credentials from legitimate users.

9. W-Agora Remote File Include Vulnerability BugTraq ID: 4977
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4977
Summary:

W-Agora is web publishing and forum software. It is implemented in PHP and will run on most Linux and Unix variants, in addition to Microsoft Windows operating systems.

W-Agora is prone to an issue which may allow an attacker to include arbitrary files located on a remote server. In particular, the 'inc_dir' variable found in a number of W-Agora scripts defines the path to the configuration file. It is possible, under some configurations, for an attacker to specify an arbitrary value for the location of the configuration file which points to a file on a remote server.

If the included file is a PHP script, this may allow for execution of arbitrary attacker-supplied code.

Successful exploitation depends partly on the configuration of PHP on the host running the vulnerable software. If 'all_url_fopen' is set to 'off' then exploitation of this issue may be limited.

10. Datalex Bookit! Consumer Plaintext Authentication Credentials Vulnerability BugTraq ID: 4972
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4972
Summary:

Datalex Bookit! Consumer is web-based software for providing travel booking services. It will run on most Unix and Linux variants in addition to Microsoft Windows operating systems.

Datalex Bookit! Consumer may be configured to remember authentication credentials. If a user chooses to have their authentication credentials 'remembered', then the credentials will be stored in a cookie. However, these credentials are stored in plaintext. This becomes an issue if the authentication credentials ever become exposed to an attacker.

It should be also noted that in some cases form data is posted using the GET method. As a result, sensitive information (including plaintext authentication credentials) is sent in CGI parameters.

A number of situations exist where an attacker may be able to gain access to the plaintext credentials. For example, the authentication credentials may be cached on a proxy server. Also, this may be exploited by an attacker in an appropriate position to sniff network traffic between a user's web client and the server running the software. Lastly, cookie-based authentication credentials may potentially be exposed via cross-site scripting or HTML injection attacks.

11. BizDesign ImageFolio Authorized User Web Root Disclosure Vulnerability BugTraq ID: 4976
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4976
Summary:

ImageFolio Pro is a web based image archive package, including administrative support through a web interface. A vulnerability exists in versions of ImageFolio Pro prior to 2.27.

A remote user with sufficient access to the web administration page may create a new image category. It is possible for a malicious user to force this process to fail through the inclusion of "../" character strings in the supplied file name. When this operation fails, a displayed error message will include the full path to the attempted file.

Under most configurations, this path will include information on the web root. An attacker may be able to use this information to launch further, intelligent attacks against the server.

The remote user must have valid access to the administration page, and must have additional permissions to create a new category.


14. LPRNG Remote Print Submission Vulnerability BugTraq ID: 4980
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4980
Summary:

The LPRng software is an enhanced, extended, and portable implementation of the Berkeley LPR print spooler functionality.

Default configurations of LPRng accept all remote print submissions to the print queue. A malicious attacker may be able to submit many print requests to the existing print queue. It may be possible to exhaust resources and cause a denial of service condition.

15. Lokwa BB Multiple SQL Injection Vulnerabilities BugTraq ID: 4981
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4981
Summary:

Lokwa BB is a freely available message board forum. Versions of Lokwa are subject to SQL injection attacks.

Lokwa BB does not properly validate externally-supplied input when including arbitrary characters and additional SQL statements in an SQL query. As a result, attackers may be able to modify SQL queries performed by the application. The disclosure of sensitive information may be possible.

Under some circumstances, reports indicate that it may be possible to access and reply to arbitrary private messages.

This issue has been reported in the 'member.php', 'misc.php' and 'pm.php' scripts. The 'pm.php' script can be used to disclose and reply to arbitrary private messages. 'misc.php' and 'member.php' can assist an attacker in gathering user information, such as identifying which users are administrators and which users have a specified password.

16. Belkin F5D5230-4 Router Internal Web Request Vulnerability BugTraq ID: 4982
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4982
Summary:

The Belkin F5D5230-4 4-Port Cable/DSL Gateway Router is a hardware router for a home or small office.

As a feature of the device, it is possible to designate a server on the internal network which will receive incoming traffic for a given port. For example, the internal web server may receive all port 80 traffic. A potential issue has been reported in this feature.

Reportedly, a malicious internal attacker may take advantage of this feature. If the attacker makes a request to the web server, it will appear to originate from the router's external interface. The web server will log the request as originating from this IP address.

A local attacker may be able to take advantage of this vulnerability to launch attacks against the web server. If detected, the attacks will not be traced back to the attacker.

17. AlienForm2 Directory Traversal Vulnerability BugTraq ID: 4983
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4983
Summary:

AlienForm2 is an interface to the email gateway written in Perl and is maintained by Jon Hedley.

Due to a reported directory traversal issue, it is possible for users to access arbitrary files residing on a host and potentially modify file contents.

Reportedly, in an attempt to sanitize user supplied input, some questionable characters are stripped from incoming HTTP requests. As a result, the character string '.|.' is translated into the string '..'.

It has been reported that it is possible to exploit this vulnerability to access arbitrary files on the server through a directory traversal attack.
This may be accomplished by a GET request including the string '.|.%2F' repeatedly.

It may be possible to use this vulnerability in conjunction with a feature which forwards user supplied data to a file. In this case, it may be possible for a remote user to append arbitrary data to an arbitrary system file, with the permissions of the script user.

Successful exploitation of this vulnerability could reveal sensitive data which may be used to assist in further attacks against the host.

18. RHMask Local File Overwrite Vulnerability BugTraq ID: 4984
Remote: No
Date Published: Jun 11 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4984
Summary:

rhmask is a Red Hat Linux utility for distributing files as masks against other files.

rhmask does not sufficiently validate the output filename supplied in mask files. Attackers may potentially exploit this issue to create a mask file which may cause other system files to be overwritten via symlinks when the mask is applied. Under normal circumstances, the user is prompted with the name of the target file. However, rhmask does not check if the target filename is a symbolic link.

rhmask is not installed by default in recent versions of Red Hat Linux.
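
Added detection example for the exposure described in item 10 (my code; the log lines and the /bookit/ paths are constructed, not Datalex's software or the newsletter's material): credentials submitted with GET land in server and proxy logs, so this scan flags requests whose query string carries credential-named parameters, recording the parameter names but never their values.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache Common Log Format lines (hypothetical paths, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2002:09:14:02 +0000] "GET /bookit/login.cgi?user=alice&password=s3cret&remember=1 HTTP/1.0" 200 1834
10.0.0.7 - - [10/Jun/2002:09:14:09 +0000] "GET /bookit/search.cgi?dest=DUB&date=20020701 HTTP/1.0" 200 9120
10.0.0.9 - - [10/Jun/2002:09:15:31 +0000] "POST /bookit/login.cgi HTTP/1.0" 302 0
"""

# Client IP, timestamp, request line and status from a Common Log Format entry.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names that should never travel in a query string.
CREDENTIAL_PARAMS = re.compile(r"^(pass(word|wd)?|pwd|pin|secret|token|session(id)?)$", re.I)

def find_credentials_in_query(log_text):
    """Return one finding per request whose query string names a credential parameter.
    Only the parameter names are kept: the point of the check is that the values are
    already exposed in this log, so the report must not copy them anywhere else."""
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue                     # not a CLF line; skip rather than guess
        url = urlsplit(m.group("target"))
        names = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)
                 if CREDENTIAL_PARAMS.match(k)]
        if names:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": url.path,
                "params": names,
            })
    return findings

if __name__ == "__main__":
    for f in find_credentials_in_query(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} exposes {', '.join(f['params'])} in the URL")
```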
 
Old 06-19-2002, 11:36 AM   #4
unSpawn
Pt 3

20. LinkSys EtherFast Router Remote Administration Enabled Vulnerability BugTraq ID: 4987
Remote: Yes
Date Published: Jun 11 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4987
Summary:

Linksys EtherFast routers are small four port routers designed to optimize the use of DSL or Cable connections. EtherFast routers provide advanced features such as Network Address Translation, and DHCP support.

A vulnerability has been introduced into the current version of the firmware (1.42.7) released May 1, 2002. Reportedly, the firmware does not respect existing rules that deny remote administration of the router. The current version of the firmware opens TCP port 5678 for remote administration.

The firmware opens up a TCP port for remote administration even though "Block WAN" and "Remote Admin" options are disabled.

An attacker may be able to exploit this vulnerability to mount further attacks against a vulnerable device.

Earlier versions of the firmware are not affected by this issue.

21. Pinboard Task List HTML Injection Vulnerability BugTraq ID: 4988
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4988
Summary:

Pinboard is a web-based task list manager written in PHP.

Pinboard does not sufficiently filter HTML tags from form fields. This may allow users of Pinboard to inject arbitrary HTML and script code into tasklists. HTML and script code injected in this manner will be executed in the browser of a web user who views the task list, in the context of the site running the task list software.

This may enable malicious users to hijack web content or potentially steal cookie-based authentication credentials.

22. MMFTPD SysLog Format String Vulnerability BugTraq ID: 4990
Remote: Yes
Date Published: Jun 11 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4990
Summary:

mmftpd is a freely available, open source FTP server for Linux operating systems.

A problem with the daemon could make it possible for a remote attacker to execute arbitrary code.

Due to improper use of the syslog call, a problem exists which could make the execution of arbitrary code possible. A syslog call in the program which logs user-supplied information could be exploited to print to specified places in memory, including potentially overwriting the return address of a function and executing arbitrary code.

This problem could allow an attacker to send a malicious format string to the syslog function of the program. The malicious format string, and any code supplied with it, would be executed with the privileges of the mmftpd user.

23. BBGallery Image Tag HTML Injection Vulnerability BugTraq ID: 4992
Remote: Yes
Date Published: Jun 11 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4992
Summary:

BBGallery is a Perl script which generates HTML files from jpeg images, the thumbnail images make up an image gallery which can be viewed in any web browser. BBGallery is maintained by Bodo Bauer.

Versions of BBGallery prior to 1.1.0 do not filter HTML from image tags.
This may allow an attacker to inject arbitrary script code in BBGallery images. Injected script code will be executed in the browser of an arbitrary web user who views the malicious image, in the context of the website running BBGallery.

This may potentially be exploited to hijack web content or steal cookie-based authentication credentials from legitimate users.

24. CGIScript.net csNews Double URL Encoding Unauthorized Administrative Access Vulnerability BugTraq ID: 4993
Remote: Yes
Date Published: Jun 11 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4993
Summary:

csNews is a script for managing news items on a website. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

csNews may be configured through a web interface. Different users may be defined with varying levels of access. Users with "public" access may modify page content, while admin users are able to configure the script.

Reportedly, users with public access may view and modify some configuration pages normally restricted to admin level users. This may be accomplished by double url encoding metacharacters in the database name provided as a CGI parameter.

Users will be able to view and modify options on the 'Advanced Settings' page, as well as view 'Admin Options'.

This may be exploited by submitting URLs with database names such as default%2edb.

25. CGIScript.net csNews Header File Type Restriction Bypass Vulnerability BugTraq ID: 4994
Remote: Yes
Date Published: Jun 11 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4994
Summary:

csNews is a script for managing news items on a website. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

It is possible for an administrator to define a header and footer displayed by csNews. Normally this is restricted to txt, html and htm files. However, it is possible for a malicious administrator to bypass this restriction and specify an arbitrary file type.

Reportedly, this may be done simply by submitting a manually constructed HTTP request with the new configuration information.

Exploitation of this vulnerability allows an attacker to display any system file as a header or footer. An attacker may, for example, specify a CGI script file which include authentication information.

The ability to exploit this vulnerability may only require "public" access to csNews if used in conjunction with issues discussed in BID 4993.

26. CGIScript.net CSNews Sensitive File Disclosure Vulnerability BugTraq ID: 4991
Remote: Yes
Date Published: Jun 11 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4991
Summary:

csNews is a script for managing news items on a website. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

A number of sensitive csNews files may be accessed by unauthorized users.
Database files may be accessed in this manner, potentially exposing database authentication credentials and other sensitive information.

Metacharacters in requests for database files must be double URL encoded.
For example:

default%2edb

27. Apache Tomcat JSP Engine Denial of Service Vulnerability BugTraq ID: 4995
Remote: Yes
Date Published: Jun 12 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4995
Summary:

Apache Tomcat is a freely available, open source servlet container that is used to display and interpret Java Servlet and JavaServer Pages (JSP) technologies. Apache Tomcat is available for Unix and Linux variants as well as the Microsoft Windows operating environments.

A vulnerability has been reported in Apache Tomcat for Windows that results in a denial of service condition. The vulnerability occurs when Tomcat encounters a malicious JSP page.

The following snippet of code is reported to crash the Tomcat JSP engine: new WPrinterJob().pageSetup(null,null);

An attacker may exploit this vulnerability by creating a malicious page on vulnerable systems and by requesting the page from the server. This would cause the Tomcat JSP engine to attempt to interpret the page and subsequently crash, leading to the denial of service condition.

30. CGIForum Infinite Recursion Denial of Service Vulnerability BugTraq ID: 4960
Remote: Yes
Date Published: Jun 07 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4960
Summary:

CGIForum is a freely available cgi script from Markus Triska which is designed to facilitate web-based threaded discussion forums.

CGIForum fails to properly handle malformed user supplied data. Under some conditions, an infinite recursion may occur, consuming system resources.
The server may stop responding to new requests, resulting in a denial of service condition.

Versions of CGIForum prior to 1.06 are susceptible to this issue.

A restart of the service may be required in order to regain normal functionality.
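
Added example (my code, not from the newsletter, AlienForm2 or csNews) serving two items above: the AlienForm2 report in Pt 2, where stripping '|' turns '.|.' into '..', and the csNews double-URL-encoding items in this part. Both are the same defect, validating input before it has been fully canonicalized, so the block shows the strip-based filter beside a resolver that decodes once, refuses encoded residue, normalizes, and only then checks containment; the document root and database-name rule are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

def strip_sanitizer(raw):
    """The flawed approach the AlienForm2 report describes: percent-decode, then
    delete characters believed dangerous. Deleting '|' turns '.|.' into '..', so
    the filter manufactures the very sequence it was meant to keep out."""
    decoded = unquote(raw)
    return re.sub(r"[|;&`$]", "", decoded)

def resolve_under_root(root, raw):
    """Hardened: canonicalize first, validate the canonical result second.
    root: directory the script may read (absolute POSIX path, assumed here);
    raw: the path exactly as received in the request.
    Returns the resolved path or raises ValueError."""
    decoded = unquote(raw)
    if "%" in decoded:
        # A '%' that survives one decode means the client sent double-encoded
        # input (the csNews 'default%2edb' pattern); refuse rather than decode again.
        raise ValueError("double-encoded input rejected")
    if "\x00" in decoded:
        raise ValueError("NUL byte rejected")
    root = posixpath.normpath(root)
    # Join with the leading slash removed so an absolute request cannot replace root,
    # then normalize so every '..' is resolved before the containment check.
    full = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        raise ValueError("path escapes document root")
    return full

def is_contained(root, raw):
    """Boolean wrapper around resolve_under_root for policy checks."""
    try:
        resolve_under_root(root, raw)
        return True
    except ValueError:
        return False

# Assumed naming rule for csNews-style database files: a simple name ending in .db.
DB_NAME = re.compile(r"[A-Za-z0-9_-]+\.db")

def validate_db_name(raw):
    """Decode exactly once, reject encoded residue, then allowlist the decoded
    form instead of searching the encoded string for metacharacters."""
    decoded = unquote(raw)
    if "%" in decoded or not DB_NAME.fullmatch(decoded):
        raise ValueError("invalid database name")
    return decoded

def is_valid_db_name(raw):
    try:
        validate_db_name(raw)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    root = "/var/www/forms"
    print(strip_sanitizer(".|.%2F.|.%2Fconfig.cgi"))          # ../../config.cgi
    print(is_contained(root, ".|.%2F.|.%2Fconfig.cgi"))         # True: '.|.' is just a directory name
    print(is_contained(root, "..%2F..%2Fconfig.cgi"))           # False
    print(is_contained(root, "%252e%252e/config.cgi"))          # False
    print(is_valid_db_name("default%2edb"), is_valid_db_name("default%252edb"))  # True False
```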
 
Old 06-19-2002, 11:37 AM   #5
unSpawn
Pt 4

31. WebCalendar Include Files Information Disclosure Vulnerability BugTraq ID: 4961
Remote: Yes
Date Published: Jun 07 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4961
Summary:

WebCalendar is a web application used to maintain a calendar for a single or multiple users. It is implemented in PHP, and should function under any system supporting the language, including Windows and Linux.

A vulnerability has been reported in WebCalendar that may allow attackers to view potentially sensitive information.

The vulnerability exists in the naming convention of include files.
Typically include files end with an extension of '.inc' so that they are easily distinguishable from other files. However, these files aren't parsed as PHP code by the PHP interpreter and an attacker can easily get access to the source code. This is a real problem when sensitive configuration data (e.g. database credentials) is placed in these PHP files.

This information can then be used to mount further attacks against a vulnerable system.

32. Pine Unix Username Account Information Leakage Vulnerability BugTraq ID: 4963
Remote: Yes
Date Published: Jun 08 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4963
Summary:

Pine is a freely available, open source mail user agent (MUA). It is available for most Unix and Linux operating systems.

A problem with pine may make it possible for remote users to gain information about accounts on a system.

Pine allows users to specify their own From: field. This feature can be used to mask individual user accounts in such a scenario as a role email account. This feature can also be used to obscure user accounts to prevent third parties from gaining information about local system accounts.

Pine will leak the Unix username of the original sender. When a mail is sent, pine adds headers to the email in the form of either the "Sender:" field or the "X-X-Sender:" field. This could allow a remote attacker to discover the username of the user sending an email, and could be used in an information gathering attack.

33. Multiple Bugzilla Security Vulnerabilities BugTraq ID: 4964
Remote: Yes
Date Published: Jun 08 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4964
Summary:

Bugzilla is a freely available, open source bug tracking software package.
It is available for Linux, Unix, and Microsoft Operating Systems.

Several problems have been discovered in Bugzilla that may allow remote users to gain information through information leakage, or unauthorized access to Bugzilla.

The queryhelp.cgi script distributed with Bugzilla could allow remote users to gain access to information on products that are set as confidential in the Bugzilla database.

An attacker may be able to hijack user sessions provided the attacker has reverse resolution authority for an IP address, and is able to steal a user's authentication cookie.

When a directory does not exist, Mozilla will attempt to create it. However, by default, the directory is usually created with world-writable permissions.

It is possible for any user with permissions to edit any other user's details to delete any other user of the board through the edituser.cgi script.

The Real Names field does not filter HTML. An attacker may be able to input malicious HTML in the field, resulting in a cross-site scripting attack.

When performing a mass change, the groupset of all bugs is set to the groupset of the first bug in the mass change sequence.

Bugzilla did not handle encoding from some browsers, which could lead to unintended consequences, such as setting private or confidential information to a publicly displayed mode.

The syncing of the shadow database was done insecurely. Under some circumstances, this could output sensitive data to a user of Bugzilla at random.
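An added example, not part of the advisory or the poster's text, for the '.inc' include-file issue described earlier in this post: an Apache configuration fragment that stops the web server from handing out include files as plain text (assumes Apache 1.3-style access directives).

```apache
# Added example (not from the advisory): refuse direct requests for include
# files, so a request for config.inc gets 403 instead of its PHP source.
<FilesMatch "\.inc$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Alternative, if the files must stay web-accessible: have PHP parse them
# instead of serving them raw (assumed mod_php handler mapping).
# AddType application/x-httpd-php .inc
```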
 
Old 06-19-2002, 12:07 PM   #6
unSpawn
Moderator
Original Poster
Pt 5

------------------------------
Linux Advisory Watch June 14th 2002

mozilla
When loading pages with a specially prepared (or erroneous) stylesheet,
mozilla and X windows (not restricted to XFree) exhibit either of two
undesirable behaviours. This seems to depend on the local system
configuration, especially on the presence of xfs, but bug reports so far
are inconclusive.
Mozilla Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2128.html

mailman
Updated mailman packages are now available for Red Hat Power Tools 7 and
7.1. These updates resolve a cross-site scripting vulnerability present
in versions of Mailman prior to 2.0.1
Red Hat Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2129.html

LPRng
With its default configuration, LPRng will accept job submissions from any
host, which is not appropriate in a workstation environment. We are
grateful to Matthew Caron for pointing out this configuration problem.
Red Hat Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2131.html

ghostscript
An untrusted PostScript file that uses .locksafe or .setsafe to reset the
current page device can force the ghostscript program to execute arbitrary
commands.
Caldera Vendor Advisory: http://www.linuxsecurity.com/advisor...sory-2133.html
 
Old 06-20-2002, 04:05 AM   #7
unSpawn
Moderator
Original Poster
Apacheweek.com
Apache Chunked encoding vulnerability

A security vulnerability has been found in the Apache Web server that affects all versions of Apache 1.2 since Apache 1.2.2, all versions of Apache 1.3 prior to Apache 1.3.26, and versions of Apache 2.0 prior to Apache 2.0.39. The severity of the vulnerability varies across different versions of Apache and which platform is used; extending from a relatively harmless increase in system resources through to denial of service attacks. In some cases a remote exploit may be possible. The Apache Software Foundation has released an Official Security Advisory which can also be found (PGP signed) at BugTraq. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0392 to this issue.

Our summary of the issue:

- If you are using Apache 1.3 on 32-bit Unix platforms then the effects of this vulnerability are minor. A remote attacker can cause the child process that is processing their request to die. The Apache parent process will eventually get around to replacing the child when required.
- If you are using Apache 1.3 on 64-bit Unix platforms then the effects depend on the platform. It may be possible on some 64-bit platforms for a remote attacker to remotely exploit the vulnerability and run arbitrary commands as the Apache user.
- Apache 1.3 on Windows is remotely exploitable. An attacker can remotely exploit the vulnerability and run arbitrary commands on the server.
- Apache 2.0 is not remotely exploitable, but the effects can range from the minimal child replacement to more severe denial of service attacks depending on the platform and process model in use.

All users of Apache are advised to upgrade to either Apache 1.3.26 or Apache 2.0.39, available from httpd.apache.org.
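An added example, not part of the post and not Apache's code: a bounds-checked decoder for HTTP/1.1 chunked transfer encoding, the format the advisory above concerns. It shows the checks a decoder needs so that a hostile chunk-size line can neither wrap an integer nor drive a copy past a buffer; MAX_CHUNK_SIZE, the function names and the helper are this example's own choices, and the inputs in the checks are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#define MAX_CHUNK_SIZE 65536UL  /* assumed per-chunk limit; a policy choice, not protocol */

/* Parse one hex chunk-size line at p. On success advances *next past its CRLF;
 * returns -1 if the size is malformed or would exceed MAX_CHUNK_SIZE. */
static int parse_chunk_size(const char *p, const char *end, size_t *size, const char **next) {
    size_t n = 0; int digits = 0;
    for (; p < end && isxdigit((unsigned char)*p); p++, digits++) {
        int c = tolower((unsigned char)*p);
        size_t d = isdigit(c) ? (size_t)(c - '0') : (size_t)(c - 'a' + 10);
        if (n > (MAX_CHUNK_SIZE - d) / 16) return -1; /* test before n*16+d so it cannot wrap */
        n = n * 16 + d;
    }
    if (digits == 0) return -1;
    while (p < end && *p != '\r') p++;  /* skip any chunk extensions (";name=value") */
    if (end - p < 2 || p[1] != '\n') return -1;
    *size = n; *next = p + 2;
    return 0;
}

/* Decode a complete chunked body into out. Returns the payload length, or -1
 * on truncated, malformed or oversized input; never writes past out+outcap. */
long decode_chunked(const char *in, size_t inlen, char *out, size_t outcap) {
    const char *p = in, *end = in + inlen;
    size_t total = 0, size;
    for (;;) {
        if (parse_chunk_size(p, end, &size, &p) != 0) return -1;
        if (size == 0) break;                          /* last-chunk */
        if ((size_t)(end - p) < size + 2) return -1;   /* chunk-data or its CRLF missing */
        if (size > outcap - total) return -1;          /* would overflow the output buffer */
        memcpy(out + total, p, size);
        total += size; p += size;
        if (p[0] != '\r' || p[1] != '\n') return -1;
        p += 2;
    }
    /* skip optional trailer lines, then require the closing CRLF */
    while (end - p >= 2 && (p[0] != '\r' || p[1] != '\n')) { while (p < end && *p++ != '\n') { } }
    return end - p >= 2 ? (long)total : -1;
}

/* Helper for the checks below: decode body and compare with expected text.
 * Returns the payload length on match, -1 if rejected, -2 on mismatch. */
long decode_check(const char *body, const char *expected) {
    char buf[256];
    long n = decode_chunked(body, strlen(body), buf, sizeof buf);
    if (n < 0) return -1;
    return ((size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0) ? n : -2;
}
```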