8. Geeklog Calendar Event Form Script Injection Vulnerability BugTraq ID: 4974
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4974
Summary:
Geeklog is freely available, open-source weblog software. It is written in PHP and will run on most Unix and Linux variants, as well as Microsoft Windows NT/2000. Geeklog uses MySQL as its back-end database.
Geeklog does not sufficiently sanitize script code from form fields, making it prone to script injection attacks.
Attacker-supplied script code included in the Link field of a new Calendar Event submission form may potentially end up in webpages generated by Geeklog and will execute in the browser of a user who views such pages, in the security context of the website.
It should be noted that new Calendar Event submissions are sent to the web site administrator for approval.
This issue may potentially be exploited to hijack web content or steal cookie-based authentication credentials from legitimate users.
9. W-Agora Remote File Include Vulnerability BugTraq ID: 4977
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4977
Summary:
W-Agora is a web publishing and forum software. It is implemented in PHP and will run on most Linux and Unix variants, in addition to Microsoft Windows operating systems.
W-Agora is prone to an issue which may allow an attacker to include arbitrary files located on a remote server. In particular, the 'inc_dir' variable found in a number of W-Agora scripts defines the path to the configuration file. It is possible, under some configurations, for an attacker to specify an arbitrary value for the location of the configuration file which points to a file on a remote server.
If the included file is a PHP script, this may allow for execution of arbitrary attacker-supplied code.
Successful exploitation depends partly on the configuration of PHP on the host running the vulnerable software. If 'allow_url_fopen' is set to 'off' then exploitation of this issue may be limited.
10. Datalex Bookit! Consumer Plaintext Authentication Credentials Vulnerability BugTraq ID: 4972
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4972
Summary:
Datalex Bookit! Consumer is web-based software for providing travel booking services. It will run on most Unix and Linux variants in addition to Microsoft Windows operating systems.
Datalex Bookit! Consumer may be configured to remember authentication credentials. If a user chooses to have their authentication credentials 'remembered', then the credentials will be stored in a cookie. However, these credentials are stored in plaintext. This becomes an issue if the authentication credentials ever become exposed to an attacker.
It should also be noted that in some cases form data is posted using the GET method. As a result, sensitive information (including plaintext authentication credentials) is sent in CGI parameters.
A number of situations exist where an attacker may be able to gain access to the plaintext credentials. For example, the authentication credentials may be cached on a proxy server. Also, this may be exploited by an attacker in an appropriate position to sniff network traffic between a user's web client and the server running the software. Lastly, cookie-based authentication credentials may potentially be exposed via cross-site scripting or HTML injection attacks.
11. BizDesign ImageFolio Authorized User Web Root Disclosure Vulnerability BugTraq ID: 4976
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4976
Summary:
ImageFolio Pro is a web based image archive package, including administrative support through a web interface. A vulnerability exists in versions of ImageFolio Pro prior to 2.27.
A remote user with sufficient access to the web administration page may create a new image category. It is possible for a malicious user to force this process to fail through the inclusion of "../" character strings in the supplied file name. When this operation fails, a displayed error message will include the full path to the attempted file.
Under most configurations, this path will include information on the web root. An attacker may be able to use this information to launch further, intelligent attacks against the server.
The remote user must have valid access to the administration page, and must have additional permissions to create a new category.
14. LPRNG Remote Print Submission Vulnerability BugTraq ID: 4980
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4980
Summary:
The LPRng software is an enhanced, extended, and portable implementation of the Berkeley LPR print spooler functionality.
Default configurations of LPRng accept all remote print submissions to the print queue. A malicious attacker may be able to submit many print requests to the existing print queue. It may be possible to exhaust resources and cause a denial of service condition.
15. Lokwa BB Multiple SQL Injection Vulnerabilities BugTraq ID: 4981
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4981
Summary:
Lokwa BB is a freely available message board forum. Versions of Lokwa are subject to SQL injection attacks.
Lokwa BB does not properly validate externally supplied input, allowing arbitrary characters and additional SQL statements to be included in an SQL query. As a result, attackers may be able to modify SQL queries performed by the application. The disclosure of sensitive information may be possible.
Under some circumstances, reports indicate that it may be possible to access and reply to arbitrary private messages.
This issue has been reported in the 'member.php', 'misc.php' and 'pm.php' scripts. The 'pm.php' script can be used to disclose and reply to arbitrary private messages. 'misc.php' and 'member.php' can assist an attacker in gathering user information, such as identifying which users are administrators and which users have a specified password.
16. Belkin F5D5230-4 Router Internal Web Request Vulnerability BugTraq ID: 4982
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4982
Summary:
The Belkin F5D5230-4 4-Port Cable/DSL Gateway Router is a hardware router for a home or small office.
As a feature of the device, it is possible to designate a server on the internal network which will receive incoming traffic for a given port. For example, the internal web server may receive all port 80 traffic. A potential issue has been reported in this feature.
Reportedly, a malicious internal attacker may take advantage of this feature. If the attacker makes a request to the web server, it will appear to originate from the router's external interface. The web server will log the request as originating from this IP address.
A local attacker may be able to take advantage of this vulnerability to launch attacks against the web server. If detected, the attacks will not be traced back to the attacker.
17. AlienForm2 Directory Traversal Vulnerability BugTraq ID: 4983
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4983
Summary:
AlienForm2 is an interface to the email gateway written in Perl and is maintained by Jon Hedley.
Due to a reported directory traversal issue, it is possible for users to access arbitrary files residing on a host and potentially modify file contents.
Reportedly, in an attempt to sanitize user supplied input, some questionable characters are stripped from incoming HTTP requests. As a result, the character string '.|.' is translated into the string '..'.
It has been reported that it is possible to exploit this vulnerability to access arbitrary files on the server through a directory traversal attack.
This may be accomplished by a GET request including the string '.|.%2F' repeatedly.
It may be possible to use this vulnerability in conjunction with a feature which forwards user supplied data to a file. In this case, it may be possible for a remote user to append arbitrary data to an arbitrary system file, with the permissions of the script user.
Successful exploitation of this vulnerability could reveal sensitive data which may be used to assist in further attacks against the host.
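The AlienForm2 entry above describes a sanitizer that strips characters from a path after (or instead of) checking it, so '.|.' collapses into '..'. The following added example (not AlienForm2's code; the base directory, the stripped character set and the request strings are constructed assumptions) contrasts a strip-and-trust resolver with one that canonicalizes after the final transformation and enforces confinement to the base directory:

```python
import os
from urllib.parse import unquote

# Constructed example values; not taken from AlienForm2.
BASE_DIR = "/var/www/alienform/data"
STRIPPED_CHARS = "|;`$"   # assumed set of "questionable" characters a naive filter removes


def strip_questionable(raw: str) -> str:
    """URL-decode the request value, then drop the filtered characters.
    Removing '|' from '.|.' yields '..', which is the class of bug described."""
    decoded = unquote(raw)
    return "".join(ch for ch in decoded if ch not in STRIPPED_CHARS)


def naive_resolve(raw: str) -> str:
    """Strip, join and trust the result (no confinement check after stripping)."""
    return os.path.normpath(os.path.join(BASE_DIR, strip_questionable(raw)))


def safe_resolve(raw: str):
    """Apply the same stripping, then canonicalize and verify the result is still
    inside BASE_DIR. Validation runs on the final form of the path, so a sequence
    that only becomes '..' after stripping is caught. Returns None when rejected."""
    candidate = os.path.normpath(os.path.join(BASE_DIR, strip_questionable(raw)))
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: a normal file name and a repeated '.|.%2F' prefix.
    for req in ("reports%2Fmay.txt", ".|.%2F" * 4 + "etc%2Fpasswd"):
        print(req, "->", naive_resolve(req), "|", safe_resolve(req))
```

The naive resolver turns the repeated '.|.%2F' prefix into a path outside the data directory, while the hardened resolver rejects it and still accepts the ordinary file name.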
18. RHMask Local File Overwrite Vulnerability BugTraq ID: 4984
Remote: No
Date Published: Jun 11 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4984
Summary:
rhmask is a Red Hat Linux utility for distributing files as masks against other files.
rhmask does not sufficiently validate the output filename supplied in mask files. Attackers may potentially exploit this issue to create a mask file which may cause other system files to be overwritten via symlinks when the mask is applied. Under normal circumstances, the user is prompted with the name of the target file. However, rhmask does not check if the target filename is a symbolic link.
rhmask is not installed by default in recent versions of Red Hat Linux.
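The rhmask entry above turns on one missing check: the output name taken from the mask is opened without verifying that it is not a symbolic link. The following added example (not rhmask's code; the directory layout and file contents are constructed) shows the symlink-following write beside a version that opens with O_NOFOLLOW and O_EXCL so a planted link cannot redirect the write onto another file:

```python
import errno
import os
import tempfile


def unsafe_apply_mask(target: str, data: bytes) -> None:
    """Mirrors the described flaw: open the name from the mask and write,
    following whatever the name points at."""
    with open(target, "wb") as f:
        f.write(data)


def safe_apply_mask(target: str, data: bytes) -> bool:
    """Create the output file only if nothing exists at that name.
    O_NOFOLLOW fails with ELOOP when the last component is a symlink and
    O_EXCL fails with EEXIST for any pre-existing entry (symlinks included).
    Returns True when the data was written, False when the name was refused."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(target, flags, 0o644)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.EEXIST):
            return False
        raise
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True


def demo() -> dict:
    """Constructed scenario: the mask's output name is a symlink to a victim file."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")
        link = os.path.join(d, "output.bin")
        with open(victim, "wb") as f:
            f.write(b"original\n")
        os.symlink(victim, link)

        unsafe_apply_mask(link, b"clobbered\n")
        with open(victim, "rb") as f:
            after_unsafe = f.read()

        with open(victim, "wb") as f:   # restore the victim, then retry safely
            f.write(b"original\n")
        wrote = safe_apply_mask(link, b"clobbered\n")
        with open(victim, "rb") as f:
            after_safe = f.read()
    return {"after_unsafe": after_unsafe, "safe_wrote": wrote, "after_safe": after_safe}


if __name__ == "__main__":
    print(demo())
```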