LQ weekly security report - Nov 11th 2003
Nov 10th 2003
27 of 47 issues handled (SF)
1. Sun Java Installation File Corruption Vulnerability
2. BEA WebLogic InteractiveQuery.jsp Cross-Site Scripting Vulne...
7. Tritanium Scripts Tritanium Bulletin Board Unauthorized Acce...
9. Mldonkey Web Interface Error Message Cross-site Scripting Vu...
13. DATEV Nutzungskontrolle Unauthorized Access Vulnerability
14. Multiple Ethereal Protocol Dissector Vulnerabilities
15. Cups Internet Printing Protocol Job Loop Denial Of Service V...
16. Bugzilla Multiple Vulnerabilities
18. Synthetic Reality SymPoll Cross-Site Scripting Vulnerability
19. Web Wiz Forum Unauthorized Private Forum Access Vulnerabilit...
20. MPM Guestbook Cross-Site Scripting Vulnerability
21. ThWboard Cross-Site Scripting Vulnerability
22. PHPKit Include.PHP Cross-Site Scripting Vulnerability
23. ThWboard SQL Injection Vulnerability
25. PHPRecipeBook Unspecified Cross-Site Scripting/HTML Injectio...
26. OpenBSD isakmpd Multiple IKE Payload Handling Security Weakn...
28. Oracle9iAS Portal Component SQL Injection Vulnerability
32. OpenSSL ASN.1 Large Recursion Remote Denial Of Service Vulne...
34. OpenAutoClassifieds Listing Parameter Cross-Site Scripting V...
35. CDE LibDTHelp DTHelpUserSearchPath Local Buffer Overflow Vul...
36. John Beatty Easy PHP Photo Album dir Parameter HTML Injectio...
37. OpenBSD Local Malformed Binary Execution Denial of Service V...
40. Multiple Vendor S/MIME ASN.1 Parsing Denial of Service Vulne...
41. Clearswift MAILsweeper for SMTP Zip Archive Filtering Bypass...
42. X-CD-Roast Local Insecure File Creation Symlink Vulnerabilit...
46. Linux Kernel Trojan Horse Vulnerability
47. Ganglia gmond Malformed Packet Remote Denial of Service Vuln...
Nov 10th 2003
37 of 56 issues handled (ISS)
PHPRecipeBook recipe cross-site scripting
MPM Guestbook lng parameter cross-site scripting
Ethereal GTP MSISDN buffer overflow
Ethereal ISAKMP and MEGACO packet buffer overflow
Ethereal SOCKS protocol dissector heap overflow
frox FTP Proxy port scan denial of service
ThWboard multiple fields cross-site scripting
ThWboard multiple SQL injection
Tritanium Bulletin Board thread_id could allow an...
Nutzungskontrolle imported registry key could...
PHPKIT include.php cross-site scripting
Oracle Application Server Portal components SQL...
Bugzilla product name SQL injection
OpenSSL ASN.1 sequence denial of service
Bugzilla URL SQL injection
Bugzilla group ID allows attacker to gain...
Bugzilla allows attacker to obtain summary of bug...
Multiple vendor X.400 protocol implementations...
Bugzilla describecomponents.cgi script allows...
Multiple vendor S/MIME protocol implementation...
OpenAutoClassifieds friendmail.php script cross-...
Unichat non-alphanumeric characters denial of...
X-CD-Roast symlink attack
OpenBSD ibcs2_exec.c and exec_elf.c denial of...
MLdonkey cross-site scripting
MLdonkey administrative interface allows attacker...
OpenBSD isakmpd daemon does not apply encryption to...
OpenBSD ISAKMP daemon encryption failure
Sympoll index.php cross-site scripting
Ganglia gmond denial of service
DB2 db2start, db2stop, and db2govd binaries contain...
PowerPortal search forum cross-site scripting
terminatorX buffer overflows in parse_arg function
terminatorX tX_ladspa.cc buffer overflow
terminatorX tx_note function format string
Conquest long environment variable buffer overflow
phpBB profile.php SQL injection
Nov 10th 2003 (ISS)
Internet Security Systems
Date Reported: 11/03/2003
Brief Description: PHPRecipeBook recipe cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Mac OS X Any version, PHPRecipeBook prior to 2.18, Windows 2000 Any version, Windows NT Any version
Vulnerability: phprecipebook-recipe-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13574

Date Reported: 11/03/2003
Brief Description: MPM Guestbook lng parameter cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: MPM Guestbook 1.2, Unix Any version
Vulnerability: mpmguestbook-ing-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13575

Date Reported: 11/03/2003
Brief Description: Ethereal GTP MSISDN buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Conectiva Linux 7.0, Conectiva Linux 8.0, Conectiva Linux 9.0, Ethereal 0.9.15, Linux Any version, Unix Any version, Windows Any version
Vulnerability: ethereal-gtp-msisdn-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13576

Date Reported: 11/03/2003
Brief Description: Ethereal ISAKMP and MEGACO packet buffer overflow
Risk Factor: Medium
Attack Type: Network Based
Platforms: Conectiva Linux 7.0, Conectiva Linux 8.0, Conectiva Linux 9.0, Ethereal 0.9.15, Linux Any version, Unix Any version, Windows Any version
Vulnerability: ethereal-isakmp-megaco-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13577

Date Reported: 11/03/2003
Brief Description: Ethereal SOCKS protocol dissector heap overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Conectiva Linux 7.0, Conectiva Linux 8.0, Conectiva Linux 9.0, Ethereal 0.9.15, Linux Any version, Unix Any version, Windows Any version
Vulnerability: ethereal-socks-heap-overflow
X-Force URL: http://xforce.iss.net/xforce/xfdb/13578

Date Reported: 11/01/2003
Brief Description: frox FTP Proxy port scan denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: frox 0.7.8 and earlier, Linux Any version
Vulnerability: frox-ftp-portscan-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13579

Date Reported: 11/02/2003
Brief Description: ThWboard multiple fields cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, ThWboard prior to Beta 2.82, Unix Any version, Windows Any version
Vulnerability: thwboard-multiple-fields-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13582

Date Reported: 11/02/2003
Brief Description: ThWboard multiple SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, ThWboard prior to Beta 2.82, Unix Any version, Windows Any version
Vulnerability: thwboard-multiple-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13583

Date Reported: 10/31/2003
Brief Description: Tritanium Bulletin Board thread_id could allow an attacker to view messages
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Tritanium Bulletin Board 1.2.3, Unix Any version, Windows Any version
Vulnerability: tritanium-threadid-view-messages
X-Force URL: http://xforce.iss.net/xforce/xfdb/13587

Date Reported: 11/02/2003
Brief Description: Nutzungskontrolle imported registry key could bypass security
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, Nutzungskontrolle 2.1, Nutzungskontrolle 2.2, Unix Any version, Windows Any version
Vulnerability: nutzungskontrolle-registry-security-bypass
X-Force URL: http://xforce.iss.net/xforce/xfdb/13589

Date Reported: 11/02/2003
Brief Description: PHPKIT include.php cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, PHPKIT Any version, Unix Any version, Windows Any version
Vulnerability: phpkit-include-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13590

Date Reported: 11/03/2003
Brief Description: Oracle Application Server Portal components SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Oracle9i Application Server Release 1 3.0.9.8.5 and earlier, Oracle9i Application Server Release 2 9.0.2.3.0 and earlier, Unix Any version, Windows Any version
Vulnerability: oracle-portal-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13593

Date Reported: 11/02/2003
Brief Description: Bugzilla product name SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Bugzilla 2.16.3 and earlier, Conectiva Linux 9.0, Linux Any version, Unix Any version, Windows Any version
Vulnerability: bugzilla-productname-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13594

Date Reported: 11/04/2003
Brief Description: OpenSSL ASN.1 sequence denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms: EnGarde Secure Linux 1.0.1, EnGarde Secure Linux Community Edition 2, EnGarde Secure Linux Professional 1.1, EnGarde Secure Linux Professional 1.2, EnGarde Secure Linux Professional Ed 1.5, OpenSSL 0.9.6k, Windows Any version
Vulnerability: openssl-asn1-sequence-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13595

Date Reported: 11/02/2003
Brief Description: Bugzilla URL SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Bugzilla 2.16.3 and earlier, Bugzilla 2.17.1 to 2.17.4, Conectiva Linux 9.0, Linux Any version, Unix Any version, Windows Any version
Vulnerability: bugzilla-url-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13596

Date Reported: 11/02/2003
Brief Description: Bugzilla group ID allows attacker to gain privileges of users who have previously been trusted
Risk Factor: Medium
Attack Type: Network Based
Platforms: Bugzilla 2.16.3 and earlier, Conectiva Linux 8.0, Linux Any version, Unix Any version, Windows Any version
Vulnerability: bugzilla-groupid-gain-privileges
X-Force URL: http://xforce.iss.net/xforce/xfdb/13597

Date Reported: 11/02/2003
Brief Description: Bugzilla allows attacker to obtain summary of bug information
Risk Factor: Medium
Attack Type: Network Based
Platforms: Bugzilla 2.16.3 and earlier, Bugzilla 2.17.1 to 2.17.4, Conectiva Linux 9.0, Linux Any version, Unix Any version, Windows Any version
Vulnerability: bugzilla-obtain-information
X-Force URL: http://xforce.iss.net/xforce/xfdb/13600

Date Reported: 11/04/2003
Brief Description: Multiple vendor X.400 protocol implementations message buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Any application Any version
Vulnerability: x400-message-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13601

Date Reported: 11/02/2003
Brief Description: Bugzilla describecomponents.cgi script allows attacker to obtain information
Risk Factor: Medium
Attack Type: Network Based
Platforms: Bugzilla 2.17.1 to 2.17.4, Linux Any version, Unix Any version, Windows Any version
Vulnerability: bugzilla-describecomponents-obatin-info
X-Force URL: http://xforce.iss.net/xforce/xfdb/13602

Date Reported: 11/04/2003
Brief Description: Multiple vendor S/MIME protocol implementation ASN.1 buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms: Any application Any version
Vulnerability: smime-asn1-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13603

Date Reported: 11/03/2003
Brief Description: OpenAutoClassifieds friendmail.php script cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, OpenAutoClassifieds 1.0
Vulnerability: openautoclassifieds-friendmail-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13604

Date Reported: 11/01/2003
Brief Description: Unichat non-alphanumeric characters denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: Unichat Any version, Windows 9x, Windows NT Any version
Vulnerability: unichat-nonalphanumeric-character-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13610

Date Reported: 11/04/2003
Brief Description: X-CD-Roast symlink attack
Risk Factor: Medium
Attack Type: Host Based
Platforms: Linux Any version, Unix Any version, X-CD-Roast prior to 0.98alpha15
Vulnerability: xcdroast-symlink
X-Force URL: http://xforce.iss.net/xforce/xfdb/13612

Date Reported: 11/04/2003
Brief Description: OpenBSD ibcs2_exec.c and exec_elf.c denial of service
Risk Factor: Low
Attack Type: Host Based
Platforms: OpenBSD 2.8, OpenBSD 3.3
Vulnerability: openbsd-ibcs2exe-execelf-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13614

Date Reported: 11/05/2003
Brief Description: MLdonkey cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Mac OS X Any version, MLdonkey 2.x, Unix Any version
Vulnerability: mldonkey-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13615

Date Reported: 11/05/2003
Brief Description: MLdonkey administrative interface allows attacker to obtain information
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, Mac OS X Any version, MLdonkey 2.x, Unix Any version
Vulnerability: mldonkey-admininterface-obtain-information
X-Force URL: http://xforce.iss.net/xforce/xfdb/13616

Date Reported: 11/02/2003
Brief Description: OpenBSD isakmpd daemon does not apply encryption to Quick Mode messages
Risk Factor: Medium
Attack Type: Network Based
Platforms: OpenBSD 3.x
Vulnerability: openbsd-isakmpd-no-encryption
X-Force URL: http://xforce.iss.net/xforce/xfdb/13625

Date Reported: 11/02/2003
Brief Description: OpenBSD ISAKMP daemon encryption failure
Risk Factor: Medium
Attack Type: Network Based
Platforms: OpenBSD 3.x
Vulnerability: openbsd-isakmpd-encryption-failure
X-Force URL: http://xforce.iss.net/xforce/xfdb/13626

Date Reported: 11/01/2003
Brief Description: Sympoll index.php cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: Sympoll 1.5, Unix Any version, Windows Any version
Vulnerability: sympoll-indexphp-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13630

Date Reported: 11/06/2003
Brief Description: Ganglia gmond denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms: ganglia 2.5.3, Linux Any version, Mac OS X Any version, Unix Any version
Vulnerability: ganglia-gmond-dos
X-Force URL: http://xforce.iss.net/xforce/xfdb/13631

Date Reported: 11/08/2003
Brief Description: DB2 db2start, db2stop, and db2govd binaries contain buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms: IBM DB2 7.0, IBM DB2 8.0, Linux Any version, Unix Any version
Vulnerability: db2-multiple-binaries-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13633

Date Reported: 11/07/2003
Brief Description: PowerPortal search forum cross-site scripting
Risk Factor: Medium
Attack Type: Network Based
Platforms: PowerPortal 1.1b, Unix Any version
Vulnerability: powerportal-search-xss
X-Force URL: http://xforce.iss.net/xforce/xfdb/13634

Date Reported: 11/07/2003
Brief Description: terminatorX buffer overflows in parse_arg function
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, terminatorX 3.8.1, Unix Any version
Vulnerability: terminatorx-multiple-parsearg-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13635

Date Reported: 11/07/2003
Brief Description: terminatorX tX_ladspa.cc buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, terminatorX 3.8.1, Unix Any version
Vulnerability: terminatorx-txladspa-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13636

Date Reported: 11/07/2003
Brief Description: terminatorX tx_note function format string
Risk Factor: High
Attack Type: Host Based
Platforms: Linux Any version, terminatorX 3.8.1, Unix Any version
Vulnerability: terminatorx-txnote-format-string
X-Force URL: http://xforce.iss.net/xforce/xfdb/13637

Date Reported: 11/10/2003
Brief Description: Conquest long environment variable buffer overflow
Risk Factor: High
Attack Type: Host Based
Platforms: Conquest Any version, Debian Linux 3.0
Vulnerability: conquest-long-environment-bo
X-Force URL: http://xforce.iss.net/xforce/xfdb/13640

Date Reported: 11/08/2003
Brief Description: phpBB profile.php SQL injection
Risk Factor: Medium
Attack Type: Network Based
Platforms: Linux Any version, phpBB 2.0.5 and earlier, Unix Any version, Windows Any version
Vulnerability: phpbb-profile-sql-injection
X-Force URL: http://xforce.iss.net/xforce/xfdb/13641
Nov 10th 2003 (SF) pt 1/2
SecurityFocus
1. Sun Java Installation File Corruption Vulnerability
BugTraq ID: 8937
Remote: No
Date Published: Oct 31 2003
Relevant URL: http://www.securityfocus.com/bid/8937
Summary:
Sun Java implementations are reported to create temporary files in an insecure manner when the software is installed. A local attacker could exploit this issue to corrupt files owned by the user installing the software, most likely resulting in a denial of service. This issue was reported in Sun JRE and SDK 1.4.2 for Linux platforms. Other versions and platforms may also be affected.

2. BEA WebLogic InteractiveQuery.jsp Cross-Site Scripting Vulne...
BugTraq ID: 8938
Remote: Yes
Date Published: Oct 31 2003
Relevant URL: http://www.securityfocus.com/bid/8938
Summary:
InteractiveQuery.jsp is an example JSP application supplied with BEA WebLogic that demonstrates passing request arguments into a database query. A cross-site scripting vulnerability has been reported in it. Successful exploitation may allow an attacker to steal cookie-based authentication credentials that could be used to launch further attacks. BEA WebLogic 8.1 and prior are reported to be prone to this issue; other versions may be affected as well.

7. Tritanium Scripts Tritanium Bulletin Board Unauthorized Acce...
BugTraq ID: 8944
Remote: Yes
Date Published: Oct 31 2003
Relevant URL: http://www.securityfocus.com/bid/8944
Summary:
Tritanium Bulletin Board is a bulletin board application written in PHP. A vulnerability has been reported that may allow a remote attacker to gain unauthorized access to threads, apparently due to improper handling of user-supplied input. A remote attacker may be able to access sensitive data by modifying the URL and supplying values for the thread_id, forum_id and sid parameters. The thread id is reported not to be randomly generated, so an attacker can simply enumerate it and gain access to all threads without authorization. Successful exploitation may disclose sensitive information that could be used to launch further attacks against the system. Tritanium Bulletin Board version 1.2.3 is reported to be prone to this issue; other versions may be affected as well.

9. Mldonkey Web Interface Error Message Cross-site Scripting Vu...
BugTraq ID: 8946
Remote: Yes
Date Published: Oct 31 2003
Relevant URL: http://www.securityfocus.com/bid/8946
Summary:
Mldonkey is a client for the eDonkey network. It can be configured to expose a web-based interface listening on an arbitrary port. That interface is reported to be prone to cross-site scripting when it generates an error page for an invalid request, because URI parameters are not sufficiently sanitized before being echoed back. An attacker could exploit this to execute arbitrary script code in the context of the web interface, which could lead to a variety of attacks.

13. DATEV Nutzungskontrolle Unauthorized Access Vulnerability
BugTraq ID: 8950
Remote: No
Date Published: Nov 01 2003
Relevant URL: http://www.securityfocus.com/bid/8950
Summary:
DATEV Nutzungskontrolle (NUKO) is software used to enforce access control for various applications and systems. A vulnerability has been reported that may allow a local attacker to access restricted data: a local user is able to modify certain keys in the Windows registry and thereby bypass the software's security model. The issue would not be present if the registry keys were read-only. Successful exploitation may give an attacker access to sensitive data that could be used to launch further attacks against the system. Nutzungskontrolle V.2.1 and V.2.2 have been reported to be prone to this issue; other versions may be affected as well.

14. Multiple Ethereal Protocol Dissector Vulnerabilities
BugTraq ID: 8951
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8951
Summary:
Multiple Ethereal protocol dissectors are prone to remotely exploitable vulnerabilities, which have been addressed with the release of Ethereal 0.9.16. The following specific issues were reported: a malformed GTP MSISDN string could cause a buffer overrun; malformed ISAKMP or MEGACO packets could crash Ethereal or Tethereal, resulting in a denial of service; and the SOCKS dissector is reported to be prone to a heap overrun. These issues may be triggered by causing Ethereal to process a malformed packet, either from live network traffic or from a packet trace. Successful exploitation could lead to code execution or denial of service against Ethereal.

15. Cups Internet Printing Protocol Job Loop Denial Of Service V...
BugTraq ID: 8952
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8952
Summary:
CUPS is a freely available, open source printing system for Unix and Linux platforms. A problem has been identified in the handling of requests received over the CUPS Internet Printing Protocol (IPP) that allows an attacker to deny service to legitimate users. Specifics are not currently available; it is known that the attacker must be able to connect to the vulnerable service on the IPP port, and that a specially crafted request can send the software into a busy loop. This issue may be related to BugTraq ID 7637 and will be updated when additional details become available.
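Item 1 above (and item 42 in the SecurityFocus list) is the classic insecure temporary-file pattern: the installer writes to a predictable path, so a local attacker pre-creates a symlink there and the write lands on a file the victim owns. The Python below is an added example and is not code from the advisory, from Sun or from X-CD-Roast; the victim file, the planted symlink and both writers are constructed for the demonstration and run inside a throwaway directory on Linux.

```python
# Added example (not from the advisory or from any vendor): a predictable
# temporary-file path written with plain open() versus a writer that refuses
# to go through a pre-planted symlink.  Constructed to run unprivileged on Linux.
import os
import tempfile


def plant_symlink(tmpdir: str, victim: str) -> str:
    """Attacker step: guess the predictable name and point it at the victim."""
    link = os.path.join(tmpdir, "installer.tmp")   # hypothetical predictable name
    os.symlink(victim, link)
    return link


def write_unsafely(path: str, data: bytes) -> None:
    """Vulnerable pattern: open() follows the symlink and truncates its target,
    which is the file-corruption outcome the advisory describes."""
    with open(path, "wb") as fh:
        fh.write(data)


def write_safely(path: str, data: bytes) -> None:
    """Hardened pattern: create exclusively (O_EXCL) and never follow a symlink
    at the final component (O_NOFOLLOW).  POSIX makes O_CREAT|O_EXCL fail with
    EEXIST when the path is a symlink, so a planted link is refused, not used."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def demo() -> dict:
    """Run both writers against a planted symlink and report what happened."""
    with tempfile.TemporaryDirectory() as tmpdir:
        victim = os.path.join(tmpdir, "important.conf")   # constructed victim file
        with open(victim, "wb") as fh:
            fh.write(b"original contents\n")

        link = plant_symlink(tmpdir, victim)

        write_unsafely(link, b"garbage\n")
        with open(victim, "rb") as fh:
            after_unsafe = fh.read()

        try:
            write_safely(link, b"garbage\n")
            safe_refused = False
        except OSError:
            safe_refused = True
        with open(victim, "rb") as fh:
            after_safe = fh.read()

    return {
        "unsafe_corrupted": after_unsafe == b"garbage\n",  # victim overwritten
        "safe_refused": safe_refused,                      # planted link rejected
        "after_safe": after_safe,                          # untouched by safe path
    }


if __name__ == "__main__":
    print(demo())
```

In real code the fix is simpler still: let tempfile.mkstemp() pick an unpredictable name and open it with the same exclusive flags, rather than building the path yourself.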
16. Bugzilla Multiple Vulnerabilities
BugTraq ID: 8953
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8953
Summary:
Bugzilla is a freely available, open source bug tracking package for Linux, Unix and Microsoft Windows. Multiple vulnerabilities have been reported in the software: SQL injection, retention of revoked privileges, and information disclosure.
A SQL injection issue is present in the nightly statistics cron job, collectstats.pl. A user with 'editproducts' privileges (usually granted only to administrators) may be able to carry out SQL injection attacks. This affects Bugzilla 2.16.3 and earlier.
Another SQL injection vulnerability may allow a user with 'editkeywords' privileges (usually granted only to administrators) to inject arbitrary SQL into the underlying database through the URL used to edit an existing keyword. This affects Bugzilla 2.16.3 and earlier and 2.17.1 through 2.17.4.
A vulnerability has been reported that may allow users to retain privileges that were previously granted. When a product is deleted with the 'usebuggroups' parameter enabled, users may still be able to add others to the group being deleted, and if a new group is later created that reuses the deleted group's id, those users automatically inherit the privileges granted to that group. This only allows users who previously held the privileges to retain them. This affects Bugzilla 2.16.3 and earlier.
An information disclosure issue may allow an attacker to view restricted bugs stored in the database: if the attacker knows the e-mail address of a user who has voted on a secure or restricted bug, they may be able to view the bug's summary without sufficient permissions. This affects Bugzilla 2.16.3 and earlier and 2.17.1 through 2.17.4.
Another information disclosure issue may allow an attacker to obtain component descriptions for a product without proper authorization. This affects Bugzilla 2.17.3 and 2.17.4.

18. Synthetic Reality SymPoll Cross-Site Scripting Vulnerability
BugTraq ID: 8956
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8956
Summary:
Sympoll is web-based voting booth software, implemented in PHP, that runs on most Unix and Linux variants as well as Microsoft Windows. A cross-site scripting vulnerability has been reported, caused by improper handling of user-supplied data in the 'vo' parameter. HTML and script code passed in that parameter is rendered in the user's browser, so an attacker can construct a malicious link containing HTML or script code that executes in the security context of the site when a user follows it. Successful exploitation may allow an attacker to steal cookie-based authentication credentials that could be used to launch further attacks. Sympoll version 1.5 is reported to be prone to this issue; other versions may be affected as well.

19. Web Wiz Forum Unauthorized Private Forum Access Vulnerabilit...
BugTraq ID: 8957
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8957
Summary:
A vulnerability has been reported in Web Wiz Forum. The problem is said to occur because the application fails to compare specific request parameters in specially formatted requests. Specifically, when the 'mode' parameter is set to 'quote', Web Wiz Forum does not sufficiently check that the Post number (PID) belongs to the Forum number (FID). An attacker could exploit this by supplying a PID from a private forum together with an FID for a forum they do have access to. A Topic number (TID) associated with the post must also be supplied, such as the thread the post will be written to or read from. Because of the selected mode, the application does not check the supplied parameters sufficiently and may erroneously allow the user to post or read messages in the private forum. In the worst case, successful exploitation could expose sensitive information.
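Items 7 and 19 above are the same class of authorization flaw: the application trusts identifiers the client supplies (a sequential thread_id, or a PID paired with an FID the user is allowed to read) instead of deriving the owning forum from the object itself and authorizing against that. The Python model below is an added example, not code from Tritanium Bulletin Board or Web Wiz Forum; the forums, posts, the 'quote' mode shortcut and both lookup functions are constructed from the descriptions above.

```python
# Added example, not code from Tritanium Bulletin Board or Web Wiz Forum: an
# object-level authorization check for forum posts.  The data and both lookup
# functions are constructed; "vulnerable" is a model of the reported flaw.
from dataclasses import dataclass


@dataclass(frozen=True)
class Post:
    pid: int   # post number (PID)
    tid: int   # topic number (TID) the post belongs to
    fid: int   # forum number (FID) the topic belongs to
    body: str


# Constructed sample data: forum 1 is public, forum 2 is members-only.
FORUMS = {1: {"private": False, "members": set()},
          2: {"private": True, "members": {"alice"}}}
# Sequential identifiers, as in the Tritanium report: the private post's id is
# one more than the public one's, so it is trivially guessable.
POSTS = {10: Post(10, 100, 1, "public post"),
         11: Post(11, 200, 2, "private post")}


class Forbidden(Exception):
    pass


def can_read_forum(user: str, fid: int) -> bool:
    forum = FORUMS[fid]
    return not forum["private"] or user in forum["members"]


def read_post_vulnerable(user: str, pid: int, tid: int, fid: int, mode: str) -> str:
    """Authorize against the client-supplied FID, and skip the PID/FID
    consistency check in 'quote' mode (the reported Web Wiz Forum behaviour)."""
    if not can_read_forum(user, fid):
        raise Forbidden("no access to forum %d" % fid)
    post = POSTS[pid]
    if post.tid != tid:
        raise Forbidden("post %d is not in topic %d" % (pid, tid))
    if mode != "quote" and post.fid != fid:
        raise Forbidden("post %d is not in forum %d" % (pid, fid))
    return post.body


def read_post_fixed(user: str, pid: int, tid: int, fid: int, mode: str) -> str:
    """Resolve the post first, then authorize against the forum it really
    belongs to; neither the client-supplied FID nor the mode can widen access."""
    post = POSTS[pid]
    if post.tid != tid or post.fid != fid:
        raise Forbidden("post %d does not match topic %d / forum %d" % (pid, tid, fid))
    if not can_read_forum(user, post.fid):
        raise Forbidden("no access to forum %d" % post.fid)
    return post.body


def denied(fn, *args) -> bool:
    """True if the lookup is refused with Forbidden (convenience for checks)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # bob is not a member of forum 2 but reads its post via the quote shortcut
    print(read_post_vulnerable("bob", 11, 200, 1, "quote"))
    print(denied(read_post_fixed, "bob", 11, 200, 1, "quote"))
```

The fixed version never lets a request parameter stand in for ownership: the forum used for the access decision comes from the stored post, and any mismatch between the supplied and actual identifiers is rejected before the authorization check runs.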
21. ThWboard Cross-Site Scripting Vulnerability
BugTraq ID: 8959
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8959
Summary:
ThWboard is bulletin board software written in PHP with a MySQL backend. A cross-site scripting vulnerability has been reported, caused by improper handling of user-supplied data. HTML and script code is rendered in the user's browser, so an attacker can construct a malicious link containing HTML or script code that executes in the security context of the site when a user follows it. Successful exploitation may allow an attacker to steal cookie-based authentication credentials that could be used to launch further attacks. ThWboard versions 2.8 and 2.81 may be prone to this issue; other versions may be affected as well. This BID will be updated as more information becomes available.

22. PHPKit Include.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 8960
Remote: Yes
Date Published: Nov 02 2003
Relevant URL: http://www.securityfocus.com/bid/8960
Summary:
PHPKIT is content management software, implemented in PHP and available for Unix/Linux variants as well as Microsoft Windows. PHPKIT is reported to be prone to a cross-site scripting vulnerability due to insufficient sanitization of HTML in URI parameters that are displayed in dynamically generated pages. The issue exists in the 'include.php' script and is specific to the 'contact_email' URI parameter. An attacker could exploit it by enticing a victim user to follow a malicious link that carries HTML and script code as the value of the vulnerable parameter; the attacker-supplied code would be rendered in the victim's browser in the context of the site hosting the software. This could theoretically allow theft of cookie-based authentication credentials. The attacker may also influence how the site is rendered to the user following the link, allowing for a variety of other attacks.

23. ThWboard SQL Injection Vulnerability
BugTraq ID: 8961
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8961
Summary:
ThWboard is bulletin board software written in PHP with a MySQL backend. A vulnerability has been reported that may allow a remote user to inject malicious SQL syntax into database queries, caused by insufficient sanitization of user-supplied data. A remote attacker may exploit this issue to influence SQL query logic and disclose sensitive information that could be used to gain unauthorized access, or to view or modify data, potentially compromising the software or the database. ThWboard versions 2.8 and 2.81 may be prone to this issue; other versions may be affected as well.

25. PHPRecipeBook Unspecified Cross-Site Scripting/HTML Injectio...
BugTraq ID: 8963
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8963
Summary:
PHPRecipeBook is a web application for managing recipes, implemented in PHP and available for Unix/Linux and Microsoft Windows. PHPRecipeBook 2.18 has been released to address an unspecified cross-site scripting vulnerability, likely due to insufficient sanitization of HTML in URI parameters that are displayed in dynamically generated pages. An attacker could exploit this issue by enticing a victim user to follow a malicious link that carries HTML and script code as the value of the vulnerable parameter; the attacker-supplied code would be rendered in the victim's browser in the context of the site hosting the software. This could theoretically allow theft of cookie-based authentication credentials, and the attacker may also influence how the site is rendered to the user following the link, allowing for a variety of other attacks. The vendor has also reported that, as of version 2.18, HTML and script code is sanitized before being included in recipes, as a mitigation against HTML injection; before this change, users could inject hostile HTML into recipes stored on a PHPRecipeBook site.

26. OpenBSD isakmpd Multiple IKE Payload Handling Security Weakn...
BugTraq ID: 8964
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8964
Summary:
isakmpd is the IKE key management daemon shipped with OpenBSD. It negotiates the security associations used for authenticated or encrypted network traffic and is normally used to build VPNs. isakmpd is reported to be prone to multiple weaknesses when handling various IKE payloads; four have been identified:
1) It fails to require that Quick Mode messages be encrypted, as RFC 2409 specifies. This could expose sensitive session initialization data.
2) When acting as the responder, isakmpd does not encrypt Quick Mode payloads if the initiator did not encrypt its own. The cause is a check in the message_recv() function in message.c: an if statement decides whether encryption applies by testing the ISAKMP_FLAGS_ENC flag of the received packet, so the responder only enforces payload encryption when the peer set that flag. This could also expose sensitive session initialization data.
3) Hash payloads are only enforced on Quick Mode exchanges, although RFC 2409 and RFC 2407 state that Phase 2 messages carrying delete payloads and 'notify' status messages should also contain hash payloads. As a result isakmpd has no mechanism for verifying the integrity of those payloads. It has also been reported that hash payloads received from an unexpected source are not verified.
4) Phase 2 delete messages are not verified to ensure that the sender owns the SA it asks to delete. The check is in the ipsec_handle_leftover_payload() function in ipsec.c. This does not violate the RFC, but it is an insecure policy that could let an unauthorized peer delete an arbitrary SA.
Because isakmpd is widely distributed, other operating systems may also be affected. As further analysis of these weaknesses is carried out, each issue will likely be given a separate BID, at which time this BID will be updated and retired.

28. Oracle9iAS Portal Component SQL Injection Vulnerability
BugTraq ID: 8966
Remote: Yes
Date Published: Nov 03 2003
Relevant URL: http://www.securityfocus.com/bid/8966
Summary:
A vulnerability has been reported in Oracle9i Application Server that may allow a remote user to inject malicious SQL syntax into database queries through a URL, caused by insufficient sanitization of user-supplied data. The problem is reported to exist in the Portal component, which is installed by default with the application server. A remote attacker may exploit this issue to influence SQL query logic and disclose sensitive information from the database, or to view or modify data, potentially compromising the software or the database. It is reported that unauthenticated users may invoke PL/SQL packages and procedures from the web; these execute with the rights of the invoker or the definer, so if a procedure is defined by an account with SYS or SYSTEM rights the attacker gains access to all data in the database. The Portal DB Forms, Hierarchy, XML Components and List of Values packages may allow this level of access. These packages are required by the software and cannot be disabled or deleted.

32. OpenSSL ASN.1 Large Recursion Remote Denial Of Service Vulne...
BugTraq ID: 8970
Remote: Yes
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8970
Summary:
OpenSSL is a freely available, open source implementation of the SSL and TLS protocols, available for Unix, Linux and Microsoft platforms. A problem has been identified in OpenSSL's handling of certain ASN.1 structures: specially crafted ASN.1 data causes deep recursion in the parser, which has been reported to crash OpenSSL. Although the specifics are not available, a remote attacker could use this to crash any service built on the vulnerable library. This issue is also known to affect numerous Cisco products, and other vendors may acknowledge it and provide fixes.

34. OpenAutoClassifieds Listing Parameter Cross-Site Scripting V...
BugTraq ID: 8972 Remote: Yes Date Published: Nov 04 2003 Relevant URL: http://www.securityfocus.com/bid/8972 Summary: OpenAutoClassifieds is an open source classifieds manager written in PHP. A cross-site scripting vulnerability has been reported in the software. The problem is reported to exist due to improper handling of user-supplied data through the 'listings' parameter. HTML and script code will be rendered in a user's browser, therefore making it possible for an attacker to a construct a malicious link containing HTML or script code that may be rendered in a user's browser upon visiting that link. This attack would occur in the security context of the site. Successful exploitation of this attack may allow an attacker to steal cookie-based authentication credentials. Since the attacker can influence how to site will be rendered to a victim user, other attacks are also possible such as manipulating site content. OpenAutoClassifieds version 1.0 is reported to be prone to this issue, however other versions may be affected as well. |
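The responder-side flaw in entry 26 (items 1-3) is a policy decision delegated to the peer: encryption is enforced only if the received header already carries the encryption flag. The following is an added example, not isakmpd's message.c; the structure, the FLAG_ENC/EXCH_* names and the verdict codes are this example's own (the numeric values follow RFC 2408 and the IPsec DOI), and Phase 1 exchanges are not modelled.

```c
/* Added example (constructed; not isakmpd's message.c): a responder-side
 * acceptance check that contrasts deciding from the peer's header flag
 * (the pattern described in BID 8964, items 1-3) with applying local
 * policy derived from RFC 2409/2407.                                   */
#include <stdint.h>
#include <stdio.h>

/* Header flag and exchange-type values follow RFC 2408 / the IPsec DOI;
 * the names are this example's own, not isakmpd's identifiers.       */
#define FLAG_ENC            0x01
#define EXCH_IDENT_PROTECT  2
#define EXCH_INFORMATIONAL  5
#define EXCH_QUICK_MODE     32

enum verdict { REJECT = 0, ACCEPT_PLAIN = 1, ACCEPT_ENCRYPTED = 2 };

/* Minimal constructed view of a received ISAKMP message. */
struct isakmp_msg {
    uint8_t exchange_type;
    uint8_t flags;
    int     has_hash;     /* 1 if a HASH payload is present */
};

/* Local policy: once Phase 1 is complete, Quick Mode and Phase 2
 * Informational exchanges (notify/delete) must be encrypted and must
 * carry a hash payload. Phase 1 exchanges are not modelled here.     */
int policy_requires_protection(uint8_t exchange_type, int phase1_done)
{
    if (!phase1_done)
        return 0;
    return exchange_type == EXCH_QUICK_MODE ||
           exchange_type == EXCH_INFORMATIONAL;
}

/* Flawed responder: "enforce encryption only if the peer set the ENC
 * flag". A plaintext Quick Mode from a peer that omits the flag is
 * simply processed as plaintext; the hash payload is never checked. */
enum verdict responder_flawed(const struct isakmp_msg *m, int phase1_done)
{
    (void)phase1_done;                     /* policy never consulted */
    return (m->flags & FLAG_ENC) ? ACCEPT_ENCRYPTED : ACCEPT_PLAIN;
}

/* Hardened responder: local policy decides what the message must look
 * like; anything policy requires that is missing is a rejection.     */
enum verdict responder_safe(const struct isakmp_msg *m, int phase1_done)
{
    int required  = policy_requires_protection(m->exchange_type, phase1_done);
    int encrypted = (m->flags & FLAG_ENC) != 0;

    if (required && (!encrypted || !m->has_hash))
        return REJECT;
    return encrypted ? ACCEPT_ENCRYPTED : ACCEPT_PLAIN;
}

int main(void)
{
    /* Constructed messages: a Quick Mode sent without the ENC flag and
     * without a hash, and a Phase 2 delete sent encrypted but unhashed. */
    struct isakmp_msg plain_qm   = { EXCH_QUICK_MODE, 0x00, 0 };
    struct isakmp_msg enc_qm     = { EXCH_QUICK_MODE, FLAG_ENC, 1 };
    struct isakmp_msg del_nohash = { EXCH_INFORMATIONAL, FLAG_ENC, 0 };

    printf("plain QM       : flawed=%d safe=%d\n",
           responder_flawed(&plain_qm, 1), responder_safe(&plain_qm, 1));
    printf("encrypted QM   : flawed=%d safe=%d\n",
           responder_flawed(&enc_qm, 1), responder_safe(&enc_qm, 1));
    printf("delete w/o hash: flawed=%d safe=%d\n",
           responder_flawed(&del_nohash, 1), responder_safe(&del_nohash, 1));
    return 0;
}
```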
Nov 10th 2003 (SF) pt 2/2
SecurityFocus
35. CDE LibDTHelp DTHelpUserSearchPath Local Buffer Overflow Vul...
BugTraq ID: 8973
Remote: No
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8973
Summary:
Common Desktop Environment (CDE) is a commercially-available desktop environment for the Unix and Linux operating systems. A problem has been identified in CDE libDtHelp. Because of this, it may be possible for a local attacker to gain elevated privileges. The problem is in the handling of data in the DTHELPUSERSEARCHPATH environment variable. Due to insufficient bounds checking, it is possible to corrupt system memory, potentially overwriting sensitive values. As a result, it may be possible for a local attacker to execute arbitrary code. Applications linked against libDtHelp are typically installed with setuid root privileges. An attacker taking advantage of this issue could therefore potentially gain administrative access on a vulnerable system. This issue may be related to Bugtraq ID 7730, although this has not been confirmed by Symantec.

36. John Beatty Easy PHP Photo Album dir Parameter HTML Injectio...
BugTraq ID: 8977
Remote: Yes
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8977
Summary:
A vulnerability has been reported in the software that may allow a remote attacker to execute HTML and script code in a user's browser. The issue is reported to be present in the 'dir' parameter. The problem exists due to insufficient sanitization of user-supplied input. It may be possible for an attacker to include malicious HTML code in one of the vulnerable fields. The injected code could then be interpreted by the browser of a user visiting the vulnerable site. This attack would occur in the security context of the affected site. Successful exploitation of this issue may allow a remote attacker to steal cookie-based authentication credentials. Other attacks are possible as well. Easy PHP Photo Album version 1.0 has been reported to be vulnerable to this issue; however, prior versions may be affected as well.

37. OpenBSD Local Malformed Binary Execution Denial of Service V...
BugTraq ID: 8978
Remote: No
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8978
Summary:
iBCS2 (Intel Binary Compatibility Specification 2) is a binary compatibility format commonly used by SCO and ISC binaries. ELF is the Executable and Linkable Format, which is the default binary format used on Unix and Linux operating systems. The OpenBSD team has recently fixed a vulnerability in the OpenBSD kernel when handling iBCS2 binaries. The problem occurs within the ibcs2_exec.c source file and is due to insufficient sanity checks before allocating memory via malloc(), using the xe_segsize binary parameter. The precise technical details regarding this issue are currently unknown; however, it is believed that a segment table size (xe_segsize) value greater than the maximum allowable number of segments (16) could potentially cause malloc() to fail and under some circumstances return 0. Because sufficient checks of the return value of malloc() are not carried out, an unexpected value may be used in future calculations, effectively triggering a kernel panic. An additional issue was also addressed in exec_elf.c that could potentially result in a kernel panic. This particular problem also involved insufficient checks before calling malloc(), in this case with the ELF program header size value as an argument. If a malicious binary with a malformed size were handled, this may cause an unexpected calculation in the code, effectively triggering a kernel panic. The OpenBSD team has addressed this issue by verifying the two size values prior to calling the malloc() function. An attacker could exploit this condition by constructing a malicious iBCS2 or ELF binary. It should be noted that, in the case of an iBCS2 binary, support for the format would explicitly need to be enabled in the kernel configuration.

*** November 5, 2003 - New information discovered by the researcher suggests that the implications of this vulnerability could in fact be higher than initially anticipated. As such, it is believed that successful exploitation of this issue under some conditions could potentially lead to code execution within the context of the kernel. This has been conjectured due to varying crashes observed when triggering the condition. Due to the lack of details regarding this possibility, the status of this BID will remain the same until more information is available.

40. Multiple Vendor S/MIME ASN.1 Parsing Denial of Service Vulne...
BugTraq ID: 8981
Remote: Yes
Date Published: Nov 05 2003
Relevant URL: http://www.securityfocus.com/bid/8981
Summary:
Multiple vulnerabilities have been reported to be present in various implementations of the S/MIME protocol. S/MIME is used to send binary data and attachments across e-mail in a secure fashion. S/MIME is also used to package ASN.1. It has been reported that various products may be affected by denial of service issues resulting from improper handling of exceptional ASN.1 elements. An attacker may exploit this issue by sending an exceptional ASN.1 element to a vulnerable system in order to cause a denial of service condition. Successful exploitation of this issue may allow an attacker to cause the software to behave in an unstable manner, leading to a crash or hang. These issues are reported to affect ASN.1 parsing routines; however, cryptographic libraries that implement S/MIME may be affected as well due to sharing of ASN.1 code between the cryptographic functions and S/MIME. Currently Hitachi PKI Runtime Library and Hitachi Groupmax Mail - Security Option version 6 and possibly prior have been reported to be vulnerable; however, this BID will be updated as more information becomes available.

41. Clearswift MAILsweeper for SMTP Zip Archive Filtering Bypass...
BugTraq ID: 8982
Remote: Yes
Date Published: Nov 05 2003
Relevant URL: http://www.securityfocus.com/bid/8982
Summary:
MAILsweeper for SMTP is a commercial application for filtering e-mail content at the gateway level. A vulnerability has been reported to be present in the software that may cause the software to fail in detecting malicious zip archives. It has been reported that the software does not filter certain malicious zip archives, such as those generated by the Mimail worm (MCID 1763). Successful exploitation may allow malicious code to be executed on client systems. This is due to the fact that the malicious e-mail will not be filtered at the gateway level and may affect users within an organization that is using MAILsweeper to filter e-mail content. Exploitation can only occur if a user executes a malicious attachment, and malicious files must also bypass any local anti-virus software. MAILsweeper for SMTP 4.3.10 and prior versions have been reported to be prone to this issue.

42. X-CD-Roast Local Insecure File Creation Symlink Vulnerabilit...
BugTraq ID: 8983
Remote: No
Date Published: Nov 04 2003
Relevant URL: http://www.securityfocus.com/bid/8983
Summary:
X-CD-Roast is a freely available CD burning utility available for Linux and Unix based systems. X-CD-Roast has been reported prone to an insecure file creation vulnerability that may be exploited to corrupt arbitrary files. The issue has been reported to present itself because X-CD-Roast will follow symbolic links when writing certain specific files. The problem is also conjectured to be exaggerated as a result of a lack of sufficient access controls set by X-CD-Roast on the files that it creates and employs. Ultimately a local user may exploit this condition by creating a symbolic link in the place of the vulnerable X-CD-Roast file. The malicious symbolic link will point to an arbitrary file on the system. When an unsuspecting user invokes X-CD-Roast, the file linked by the symbolic link will be corrupted; the file corruption will occur only if the user invoking X-CD-Roast has sufficient privileges to write to the target file. A local user may leverage this condition to corrupt arbitrary files, triggering a system wide denial of service or potentially elevating their system privileges.

46. Linux Kernel Trojan Horse Vulnerability
BugTraq ID: 8987
Remote: No
Date Published: Nov 05 2003
Relevant URL: http://www.securityfocus.com/bid/8987
Summary:
It has been announced that a file 'kernel/exit.c' was modified on the kernel.bkbits.net Linux Kernel CVS tree by a malicious party. The file 'kernel/exit.c' was modified to include trojan horse code that would potentially allow a local user to elevate privileges. Specifically, when '__WCLONE|__WALL' is passed to the sys_wait4() function in a sufficient manner, a malicious procedure in the trojaned kernel, 'current->uid = 0', is performed to elevate the malicious user to uid '0' or root system privileges. It is not currently known what version of the Linux kernel is affected by this issue. This BID will be updated as further information regarding this issue is disclosed.

47. Ganglia gmond Malformed Packet Remote Denial of Service Vuln...
BugTraq ID: 8988
Remote: Yes
Date Published: Nov 06 2003
Relevant URL: http://www.securityfocus.com/bid/8988
Summary:
Ganglia Monitoring Daemon (gmond) is cluster monitoring software available for a wide variety of Unix-based operating systems, as well as Linux. When a user transmits a packet to the gmond service, advertising a metric, a hashing function handles the packet. The advertisement packet, when transmitted from an official client, will include a name string that will be a minimum of 2 bytes: 1 character followed by a NULL byte. The hashval function, located within the lib/hash.c source file, parses the string name and attempts to calculate the hash value within a for loop. The calculated value is then used as an index into a specific array of hashes. A vulnerability has been discovered in this procedure that could potentially result in a denial of service condition. The problem occurs when a malformed packet from a modified client or custom program is transmitted with a 1 byte name string. When the hashval function handles this packet, due to the unexpected name string size, the calculated value will not be run through a modulus operation designed to ensure the value is a legitimate index. As a result, a 1 byte number of greater size than a valid index could potentially cause an unexpected calculation or invalid pointer dereference. It has been reported that, due to this miscalculation, the gmond service will crash when attempting to lock access to the hash entry by locking the data at the calculated pointer. This would effectively result in a denial of service condition. This vulnerability is said to affect gmond version 2.5.3; however, other versions may also be affected.
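The hashval flaw in entry 47 is a modulus that is only reached for names longer than one byte. The following is an added example, not gmond's lib/hash.c: the hash formula, the 64-bucket table size and the function names are constructed for illustration, and the point is that the index must be reduced and range-checked for every name length before it is used to address a hash entry.

```c
/* Added example (constructed; not gmond's lib/hash.c): a name-hashing
 * routine with the class of flaw BID 8988 describes, beside a version
 * that always yields a valid bucket index.                          */
#include <stddef.h>
#include <stdio.h>

#define NBUCKETS 64u   /* constructed table size, not gmond's */

/* Flawed variant: the modulus sits inside the loop body. The loop runs
 * once per byte after the first, so a 1-byte name never reaches it and
 * the raw byte value (up to 255) is returned as an index into a
 * 64-entry table. A normal 2-byte name ("x" plus NUL) is reduced.    */
unsigned hashval_flawed(const unsigned char *name, size_t len)
{
    unsigned h = name[0];
    for (size_t i = 1; i < len; i++)
        h = (h * 31u + name[i]) % NBUCKETS;
    return h;
}

/* Hardened variant: accumulate first, reduce once at the end, so every
 * name length lands inside the table.                               */
unsigned hashval_safe(const unsigned char *name, size_t len)
{
    unsigned h = 0;
    for (size_t i = 0; i < len; i++)
        h = h * 31u + name[i];
    return h % NBUCKETS;
}

/* Returns 1 when the flawed routine would hand back an index outside
 * the table for this name, i.e. when the later lock on the hash entry
 * would touch memory past the array.                                 */
int flawed_index_escapes(const unsigned char *name, size_t len)
{
    return len > 0 && hashval_flawed(name, len) >= NBUCKETS;
}

/* Defensive entry point for an advertisement: reject an empty name up
 * front and range-check the index before it is used to address a hash
 * entry. Returns the bucket index, or -1 for a rejected packet.      */
int metric_bucket(const unsigned char *name, size_t len)
{
    if (len == 0)
        return -1;
    unsigned idx = hashval_safe(name, len);
    if (idx >= NBUCKETS)   /* cannot happen with hashval_safe; kept as a guard */
        return -1;
    return (int)idx;
}

int main(void)
{
    /* Constructed packets: a normal name from an official client
     * ('a' followed by NUL) and a 1-byte name from a modified client. */
    const unsigned char normal[2] = { 'a', 0 };
    const unsigned char short1[1] = { 0xff };

    printf("normal name : flawed=%u safe=%u\n",
           hashval_flawed(normal, 2), hashval_safe(normal, 2));
    printf("1-byte name : flawed=%u (escapes=%d) safe=%u bucket=%d\n",
           hashval_flawed(short1, 1), flawed_index_escapes(short1, 1),
           hashval_safe(short1, 1), metric_bucket(short1, 1));
    return 0;
}
```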