SecurityFocus Linux Newsletter #112

From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon Dec 23 2002 - 12:56:43 EST


SecurityFocus Linux Newsletter #112


This issue is sponsored by: Qualys

Strengthening Network Security: FREE Guide

Network security is a constantly moving target - even proven solutions lose their punch over time. Find out how to get COMPLETE PROTECTION against ever-growing security threats with our FREE new Guide.

Get your copy today at: https://www.qualys.com/forms/nsguideh_376.php


I. FRONT AND CENTER
  1. Evaluating Network Intrusion Detection Signatures, Part Three
  2. OpenAV: Developing Open Source AntiVirus Engines
  3. SecurityFocus DPP Program
  4. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. LINUX VULNERABILITY SUMMARY
  1. MySQL COM_TABLE_DUMP Memory Corruption Vulnerability
  2. MySQL COM_CHANGE_USER Password Length Account Compromise...
  3. MySQL libmysqlclient Library Read_Rows Buffer Overflow...
  4. MySQL libmysqlclient Library Read_One_Row Buffer Overflow...
  5. Mambo Site Server PHPInfo.PHP Information Disclosure Vulnerability
  6. Bea Systems WebLogic Xerces XML Parser Denial Of Service...
  7. Mambo Site Server Account Registration HTML Injection...
  8. Mambo Site Server Path Disclosure Vulnerability
  9. PFinger Syslog Format String Vulnerability
  10. Eric S. Raymond Fetchmail Heap Corruption Vulnerability
  11. VIM ModeLines Arbitrary Command Execution Vulnerability
  12. PHP-Nuke Web Mail Remote PHP Script Execution Vulnerability
  13. MySQL COM_CHANGE_USER Password Memory Corruption Vulnerability
  14. Overkill Remote Buffer Overflow Vulnerability
  15. mICQ Denial Of Service Vulnerability
  16. zkfingerd SysLog Format String Vulnerability
  17. PHP-Nuke 6.0 Multiple Cross Site Scripting Vulnerabilities
  18. XOOPS Information Disclosure Vulnerability
  19. MyPHPSoft MyPHPLinks SQL Injection Administration Bypassing...
  20. PHP-Nuke Web Mail Script Injection Vulnerability
  21. zkfingerd say() Format String Vulnerability
  22. PHP-Nuke Multiple Path Disclosure Vulnerabilities
  23. CPIO Tar Hostile Destination Path Vulnerability
  24. Linux Kernel 2.2 mmap() Local Denial of Service Vulnerability
III. LINUX FOCUS LIST SUMMARY
  1. User's and Shells (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORM
  1. ArcSight Enterprise Security Management Software
  2. Arkeia 5
  3. QuickStart Data Rescue
V. NEW TOOLS FOR LINUX PLATFORMS
  1. Levy v0.3
  2. IP Security Validator for Linux v1.0
  3. Easy Integrity Check System v1.0a
VI. SPONSOR INFORMATION

I. FRONT AND CENTER


1. Evaluating Network Intrusion Detection Signatures, Part Three by Karen Kent

In this three-part series of articles, we are presenting recommendations that will help readers to evaluate the quality of network intrusion detection (NID) signatures, either through hands-on testing or through careful consideration of third-party product reviews and comparisons. The first installment discussed some of the basics of evaluating NID signature quality, as well as selecting attacks to be used in testing. The second installment concluded the discussion of criteria for choosing attacks and provided recommendations for generating attacks and creating a good testing environment. This article will wrap up the series by examining other ways of generating attacks with other security-related tools and by manually creating your own attacks.

http://online.securityfocus.com/infocus/1651

2. OpenAV: Developing Open Source AntiVirus Engines by Costin G. Raiu

This article will take a look at the OpenAntivirus AV engine, assess its progress so far, and offer some suggestions of how the developers can continue to develop it. While some of the commentary in the following sections may be fairly critical, the purpose of this paper is not to flame the OpenAV project or its developers but, on the contrary, to salute their efforts. Hopefully, this article and the comments herein will make a significant contribution to the development of a viable, working open source antivirus product.

http://online.securityfocus.com/infocus/1650

3. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only global early-warning system for cyber attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

4. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops: March 8, 9, 12, 13, & 14. Vendor Expo: March 10 & 11.

Solutions to today's security concerns; hands-on experts; blockbuster vendor expo; the CISO Executive Summit; invaluable networking opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY


1. MySQL COM_TABLE_DUMP Memory Corruption Vulnerability
BugTraq ID: 6368
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6368
Summary:

MySQL is prone to memory corruption when attempting to handle malformed COM_TABLE_DUMP server commands.

When a MySQL server processes a COM_TABLE_DUMP server command, two chars are taken from the packet received by the server and cast to unsigned integers. The unsigned integers are used as length parameters for a memcpy operation. Memory corruption may occur if negative values are stored in the two chars, as the char values will turn into very large unsigned numbers.

If an attacker can cause a COM_TABLE_DUMP server command to be issued with malformed parameters, they may be able to cause a denial of service, either because the server hangs or because of a direct crash. It is not believed that this issue may be exploited to execute arbitrary code.
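
The sign-conversion defect described above, as an added C illustration that is not MySQL source: a packet length byte read through a signed `char` and widened to `unsigned int`, beside a reader that takes the byte as unsigned and checks it against the bytes actually present. The packet layout (a length byte followed by that many bytes, twice in a row) and the sample packets are constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Vulnerable shape (constructed, not MySQL code): the length byte is read
 * through a signed char and then widened.  Plain char is signed on x86, so
 * a byte of 0xFF becomes -1 and then UINT_MAX, a memcpy length that runs
 * far beyond the packet.  Shown only so the conversion can be observed. */
unsigned int length_via_signed_char(const unsigned char *packet, size_t pos)
{
    signed char c = (signed char)packet[pos];
    return (unsigned int)c;
}

/* Hardened reader: take the byte as unsigned (0..255) and refuse a length
 * that does not fit in the bytes remaining after the length byte itself.
 * Returns 0 on success, -1 if the packet is truncated or inconsistent. */
int read_length_checked(const unsigned char *packet, size_t packet_len,
                        size_t pos, size_t *out_len)
{
    if (pos >= packet_len)
        return -1;                         /* no length byte present */
    size_t len = packet[pos];              /* never negative */
    if (len > packet_len - pos - 1)
        return -1;                         /* claims bytes the packet lacks */
    *out_len = len;
    return 0;
}

/* Assumed layout for the example: two length-prefixed items back to back,
 * as the advisory describes two chars used as memcpy lengths. */
int parse_two_lengths(const unsigned char *packet, size_t packet_len,
                      size_t *first_len, size_t *second_len)
{
    size_t pos = 0;
    if (read_length_checked(packet, packet_len, pos, first_len) != 0)
        return -1;
    pos += 1 + *first_len;
    if (read_length_checked(packet, packet_len, pos, second_len) != 0)
        return -1;
    return 0;
}

/* Constructed sample packets. */
const unsigned char sample_ok[]        = {0x02, 'd', 'b', 0x01, 't'};
const unsigned char sample_bad_len[]   = {0xFF, 'd'};
const unsigned char sample_truncated[] = {0x02, 'd', 'b', 0x05, 't'};

int main(void)
{
    size_t a = 0, b = 0;
    printf("0xFF via signed char -> %u\n", length_via_signed_char(sample_bad_len, 0));
    printf("checked parse of bad length -> %d\n",
           parse_two_lengths(sample_bad_len, sizeof sample_bad_len, &a, &b));
    printf("checked parse of good packet -> %d (%zu, %zu)\n",
           parse_two_lengths(sample_ok, sizeof sample_ok, &a, &b), a, b);
    return 0;
}
```

The second check (`len > packet_len - pos - 1`) is the one that matters for a server: even with the sign problem fixed, a length byte of 200 in a 10-byte packet must be rejected before it reaches `memcpy`.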

2. MySQL COM_CHANGE_USER Password Length Account Compromise Vulnerability
BugTraq ID: 6373
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6373
Summary:

MySQL is an open source relational database project, and is available for a number of operating systems, including Microsoft Windows.

A flaw in the password authentication mechanism for MySQL may make it possible for an authenticated database user to compromise the accounts of other database users.

The flaw lies in the fact that the server uses a string returned by the client when the COM_CHANGE_USER command is issued to iterate through a comparison when attempting to authenticate the password. The server does not verify that the password string is of sufficient length. As a result, it is possible for a client to submit a single character as a response and that single character will be compared to the expected password. If this character matches the first character in the password, MySQL will reportedly authenticate the user. The range of the valid character set for passwords is 32 characters, which means that a malicious user can authenticate after a maximum of 32 attempts if they cycle through all of the valid characters.

Since this flaw exists in the COM_CHANGE_USER command, an attacker must have access to a database user account to exploit the issue. They must also know the username of the account they are attempting to compromise. Depending on how the database has been deployed, this may allow for a malicious user to compromise the MySQL root account.

This issue is related to the vulnerability described in Bugtraq ID 975. The problem was not sufficiently addressed in the COM_CHANGE_USER command.

3. MySQL libmysqlclient Library Read_Rows Buffer Overflow Vulnerability
BugTraq ID: 6370
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6370
Summary:

MySQL is an open source relational database project, and is available for a number of operating systems, including Microsoft Windows.

MySQL contains a library called libmysqlclient that allows queries to be performed against the MySQL server database. A problem exists in the read_rows function of the libmysqlclient library that could result in a buffer overflow.

When the MySQL client performs a SELECT query on the database, the read_rows function loops through the returned fields, copying them to a local buffer. The problem occurs because the function does not verify that the size of each returned field is smaller than the buffer to which it is being copied.

Additionally, each row is terminated with a '\0' without verifying that there is sufficient space within the destination buffer.

This vulnerability may be exploited to cause a denial of service or to execute arbitrary code in the security context of the MySQL client application. Anything that is linked against libmysql may also be affected by this issue.

4. MySQL libmysqlclient Library Read_One_Row Buffer Overflow Vulnerability
BugTraq ID: 6374
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6374
Summary:

MySQL is an open source relational database project, and is available for a number of operating systems, including Microsoft Windows.

MySQL contains a library called libmysqlclient that allows queries to be performed against the MySQL server database. A problem exists in the read_one_row function of the libmysqlclient library that could result in a buffer overflow.

When the MySQL client fetches a row from the database, read_one_row stores the field and the field size without verifying that the data will not overrun the buffer. After storing the pointer to a field, the function terminates the previous field with a '\0' and moves on to the next field. Since the data is not verified against the size of the buffer, a malformed packet can supply an exceptionally long field size and have arbitrary memory overwritten with a '\0', potentially causing the client to crash.

Successful exploitation will most likely result in a denial of service against the MySQL client application. Though it hasn't been confirmed, it may be possible with some client implementations to cause execution of arbitrary code.
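
Items 3 and 4 describe the same class of defect on the client side: length-prefixed fields copied into a fixed buffer, each terminated with '\0', without checking that the field (plus its terminator) fits. The following C is an added illustration, not libmysqlclient source; the row encoding (one length byte per field followed by that many bytes) and the sample rows are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape (constructed): every field length is trusted, and the
 * '\0' terminator is written without consulting the destination size.
 * Only ever call this on well-formed input; it is here for contrast. */
size_t unpack_row_unchecked(const unsigned char *pkt, size_t pkt_len,
                            char *dst, size_t dst_cap)
{
    (void)dst_cap;                 /* never consulted: that is the defect */
    size_t pos = 0, used = 0, nfields = 0;
    while (pos < pkt_len) {
        size_t len = pkt[pos++];
        memcpy(dst + used, pkt + pos, len);   /* may run past dst */
        used += len;
        dst[used++] = '\0';                   /* terminator also unchecked */
        pos += len;
        nfields++;
    }
    return nfields;
}

/* Hardened: each length is checked against the bytes left in the packet
 * and against the space left in dst, counting the '\0'.  offsets[] gets
 * the start of each field so callers can use dst + offsets[i] as a C
 * string.  Returns the field count, or -1 on a malformed row. */
int unpack_row_checked(const unsigned char *pkt, size_t pkt_len,
                       char *dst, size_t dst_cap,
                       size_t *offsets, size_t max_fields)
{
    size_t pos = 0, used = 0, nfields = 0;
    while (pos < pkt_len) {
        size_t len = pkt[pos++];
        if (len > pkt_len - pos)        /* field claims bytes the packet lacks */
            return -1;
        if (len + 1 > dst_cap - used)   /* field plus '\0' must fit in dst */
            return -1;
        if (nfields == max_fields)
            return -1;
        offsets[nfields++] = used;
        memcpy(dst + used, pkt + pos, len);
        used += len;
        dst[used++] = '\0';
        pos += len;
    }
    return (int)nfields;
}

/* Constructed sample rows: "foo","hi" and a field that overruns the packet. */
const unsigned char sample_row[]   = {0x03, 'f', 'o', 'o', 0x02, 'h', 'i'};
const unsigned char sample_short[] = {0x05, 'a'};

int main(void)
{
    char dst[16];
    size_t off[4];
    int n = unpack_row_checked(sample_row, sizeof sample_row, dst, sizeof dst, off, 4);
    printf("fields: %d, first: %s, second: %s\n", n, dst + off[0], dst + off[1]);
    printf("short packet -> %d\n",
           unpack_row_checked(sample_short, sizeof sample_short, dst, sizeof dst, off, 4));
    return 0;
}
```

Note that `dst_cap - used` cannot underflow: `used` only grows after the check that `used + len + 1 <= dst_cap` has passed, so the running total never exceeds the capacity.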

5. Mambo Site Server PHPInfo.PHP Information Disclosure Vulnerability
BugTraq ID: 6376
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6376
Summary:

Mambo Site Server is a freely available, open source web content management tool. It is written in PHP, and available for Unix, Linux, and Microsoft Windows operating systems.

A problem with Mambo may make it possible for a remote user to gain access to sensitive information.

It has been reported that Mambo enables a script by default that may reveal sensitive information. The phpinfo.php script is packaged with Mambo, and installed by default in the administrator subdirectory. A remote user may use this script to gain information about the server, including path and environment information.

This vulnerability could lead to a more directed attack against hosts. An attacker may access this script via http://www.example.com/mambo/administrator/phpinfo.php.

6. Bea Systems WebLogic Xerces XML Parser Denial Of Service Vulnerability
BugTraq ID: 6378
Remote: No
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6378
Summary:

BEA Systems WebLogic Server is an enterprise level web and wireless application server for Microsoft Windows and most Unix and Linux distributions.

A problem with WebLogic could allow an attacker to deny service to legitimate users.

A vulnerability in the handling of XML documents has been discovered. XML documents are parsed by the Xerces component of the WebLogic infrastructure. By parsing a malicious XML document locally, it is possible to cause the WebLogic server process to hang.

This issue could allow an attacker with the ability to place files on the vulnerable host to deny service to legitimate users. Normal service would resume only when the process is killed, and manually restarted. Additionally, this vulnerability could continue to be exploited until the malicious XML file is removed.

7. Mambo Site Server Account Registration HTML Injection Vulnerability
BugTraq ID: 6386
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6386
Summary:

Mambo Site Server is a freely available, open source web content management tool. It is written in PHP, and available for Unix, Linux, and Microsoft Windows operating systems.

Mambo Site Server does not sufficiently sanitize HTML submitted through the "Your Name" form field during account registration. Data in this field may be output to other users, such as in articles. Though it has been reported that an administrative user must approve articles before they are displayed to other users, it is possible that malicious script code may be displayed to the administrative user when an article is reviewed for approval. This possibility has not been confirmed.

An attacker may include arbitrary HTML and script code in the "Your Name" field and when this information is viewed by other users, the attacker-supplied code will execute in their web client in the security context of the site.

Exploitation may allow for theft of cookie-based authentication credentials or other attacks.

It is possible that other account registration form fields also do not sufficiently sanitize HTML.

8. Mambo Site Server Path Disclosure Vulnerability
BugTraq ID: 6387
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6387
Summary:

Mambo Site Server is a freely available, open source web content management tool. It is written in PHP, and available for Unix, Linux, and Microsoft Windows operating systems.

A vulnerability has been discovered in Mambo Site Server. Requesting the 'index.php' script with an invalid parameter will cause an error page to be generated containing the path of the Mambo script.

This will disclose sensitive information about the layout of the filesystem of the host running the vulnerable software. Information of this nature may aid in mounting further attacks against the host.

It should be noted that this vulnerability was reported in Mambo Site Server 4.0.11. It is not yet known whether other versions are affected.

9. PFinger Syslog Format String Vulnerability
BugTraq ID: 6403
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6403
Summary:

PFinger is an open-source finger daemon. It is available for Linux and Unix variants.

PFinger is prone to a format string vulnerability. This problem is due to incorrect use of the 'syslog()' function to log error messages. It is possible to corrupt memory by passing format strings through the vulnerable logging function. This may potentially be exploited to overwrite arbitrary locations in memory with attacker-specified values. This issue can be exploited via a malformed response to a DNS lookup when a host levies a finger request to the vulnerable server.

The vulnerability exists in the 'log()' function in the 'log.c' source file. Successful exploitation of this issue may allow the attacker to execute arbitrary instructions with the privileges of the daemon, which normally runs as 'nobody'.

It has been suggested that this issue may not be exploitable with many available DNS resolvers, since the '%' character is not allowed in responses.

10. Eric S. Raymond Fetchmail Heap Corruption Vulnerability
BugTraq ID: 6390
Remote: Yes
Date Published: Dec 13 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6390
Summary:

Fetchmail is a freely available, open source mail retrieval utility. It is maintained by Eric S. Raymond.

A remotely exploitable heap overflow vulnerability has been reported for Fetchmail 6.1.3 and earlier. The vulnerability occurs when Fetchmail performs a reply-hack action. The action is performed so that all addresses in email headers are searched for local email addresses. Next Fetchmail will allocate enough space for the case that all addresses are local addresses. Due to a calculation flaw, Fetchmail does not allocate enough space for memory buffers.

An attacker can exploit this vulnerability by composing an email with specially crafted header lines and sending it to the vulnerable system. When Fetchmail attempts to parse the headers, it will allocate insufficient space and will result in Fetchmail corrupting heap memory with attacker-supplied values.

An attacker may exploit this condition to overwrite arbitrary words in memory. This may allow for the execution of arbitrary code.

This vulnerability has been reported for Fetchmail 6.1.3 and earlier.

11. VIM ModeLines Arbitrary Command Execution Vulnerability
BugTraq ID: 6384
Remote: No
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6384
Summary:

vim is a freely available, open source text editor. It is available for Unix, Linux, and Microsoft Operating Systems.

A problem with vim may make it possible to execute arbitrary commands on a vulnerable host.

It has been reported that a problem exists in vim with modelines. Modelines are instructions placed at the beginning and end of text files to instruct the editor on how to handle certain elements of the file. Due to insufficient handling of input, it may be possible to execute arbitrary commands through the modelines function.

This vulnerability could allow an attacker to execute arbitrary commands with the privileges of the vim user. Through social engineering, this may give an attacker the ability to gain remote access to the vulnerable host.

12. PHP-Nuke Web Mail Remote PHP Script Execution Vulnerability
BugTraq ID: 6399
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6399
Summary:

PHP-Nuke is a web-based portal system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows.

A vulnerability has been discovered in a web mail module available for PHP-Nuke. When a user opens an email containing an attachment, the file will be stored in a remotely accessible web directory. The module fails to filter attachments containing active content, making it possible for an attacker to access a PHP script located in the user's web directory.

By sending a user a malicious attachment and then accessing the script, a remote attacker is able to cause arbitrary PHP code to be executed on the target system. This may allow an attacker to access sensitive information or compile malicious programs designed to open backdoors into the server.

13. MySQL COM_CHANGE_USER Password Memory Corruption Vulnerability
BugTraq ID: 6375
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6375
Summary:

MySQL is an open source relational database project, and is available for a number of operating systems, including Microsoft Windows.

MySQL is prone to a memory corruption vulnerability in the COM_CHANGE_USER command.

Due to a lack of sufficient bounds checking for client responses to password authentication challenges, it may be possible to corrupt sensitive regions of memory.

It has been reported that it is possible to overwrite the saved instruction pointer on the stack with bytes generated by the random number generator of the password verification algorithm. Given enough attempts, it may be possible for an attacker to change the flow of execution of the program so that a significant region of memory is returned to, such as a region containing attacker-supplied instructions. Failed exploitation attempts will cause the MySQL server to crash, only to be restarted, so it is possible for an attacker to make multiple exploitation attempts. Theoretically, an attacker could leverage such a condition to cause execution of arbitrary code in the security context of the MySQL server process.

It is believed the attacker must be able to issue a COM_CHANGE_USER command to exploit this issue, so having access to a valid database user account may be a prerequisite for exploitation. It is not known if this condition exists when an unauthenticated user attempts to authenticate normally.

This condition may not be exploitable on Microsoft Windows platforms due to the random number generator for the password verification algorithm using a limited character set.

14. Overkill Remote Buffer Overflow Vulnerability
BugTraq ID: 6388
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6388
Summary:

0verkill is a client-server game. It is available for the Linux operating system.

It has been alleged that a buffer overflow condition has been discovered in the 0verkill server. Exploiting this issue may allow a remote attacker to overwrite sensitive values in memory, resulting in the execution of arbitrary code. Commands executed in this manner will be run with the privileges of the server.

Precise technical details regarding this vulnerability are not yet known. This BID will be updated as more information becomes available.

15. mICQ Denial Of Service Vulnerability
BugTraq ID: 6392
Remote: Yes
Date Published: Dec 13 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6392
Summary:

mICQ is a text-based ICQ client designed for use with Linux variant operating systems.

A denial of service vulnerability has been reported for mICQ. The vulnerability occurs when mICQ is processing certain types of ICQ messages. Specifically, when mICQ receives messages that do not have the required 0xFE separator, it will crash.

This vulnerability has been reported to affect all versions of mICQ.

16. zkfingerd SysLog Format String Vulnerability
BugTraq ID: 6402
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6402
Summary:

zkfingerd is a small fingerd replacement server. It is available for Unix and Linux operating systems.

zkfingerd is prone to a format string vulnerability. This problem is due to incorrect use of the 'syslog()' function to log error messages. It is possible to corrupt memory by passing format strings through the vulnerable logging function. This may potentially be exploited to overwrite arbitrary locations in memory with attacker-specified values.

The vulnerability exists in the 'putlog()' function in the 'log.c' source file. Successful exploitation of this issue may allow the attacker to execute arbitrary instructions, possibly, with elevated privileges.

This vulnerability was reported for zkfingerd 0.9.1 and earlier.

17. PHP-Nuke 6.0 Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 6409
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6409
Summary:

PHP-Nuke is a web-based portal system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows.

Cross-site scripting vulnerabilities have been discovered in multiple PHP scripts used by PHP-Nuke 6. Due to insufficient sanitization of web requests it is possible for script code to be embedded in PHP script requests.

The scripts which are vulnerable to these issues include 'bb_smilies.php', 'bbcode_ref.php', 'editpost.php', 'newtopic.php', 'reply.php', 'topicadmin.php', 'viewforum.php', and 'searchbb.php'.

By constructing a malicious link which exploits one of these vulnerabilities, it may be possible to execute arbitrary code within the context of a website visited by an unsuspecting user. This may allow a remote attacker to steal cookie-based authentication credentials, which could be used at a later time to hijack a user's web session.

18. XOOPS Information Disclosure Vulnerability
BugTraq ID: 6393
Remote: Yes
Date Published: Dec 13 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6393
Summary:

Xoops is open-source, freely available web portal software written in object-oriented PHP. It is back-ended by a MySQL database and will run on most Unix and Linux distributions.

Xoops includes a Private Message System for users, so that they may send messages to one another. It has been reported that the 'pmlite.php' script contains a flaw, which allows unauthorized users to view private messages. This issue can be exploited due to invalid authorization validation.

Information gained by exploiting this issue may aid an attacker in launching further attacks against the vulnerable site or other users.

19. MyPHPSoft MyPHPLinks SQL Injection Administration Bypassing Vulnerability
BugTraq ID: 6395
Remote: Yes
Date Published: Dec 14 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6395
Summary:

MyPHPLinks is a freely available, open source PHP application distributed by MyPHPSoft. It is available for Unix, Linux, and Microsoft Windows operating systems.

A problem with MyPHPLinks could allow remote attackers unauthorized access to system resources.

It has been reported that a problem with the checking of input by MyPHPLinks exists. A problem in the checking of the idsession variable used by MyPHPLinks to verify Administrator access may allow a remote user to gain access to the host. This problem could allow an attacker to gain administrator access to the MyPHPLinks section of a web site.

This vulnerability may be exploited by passing a SQL statement through the idsession variable. This SQL statement must evaluate to true. Exploitation of this vulnerability would allow an attacker to change the links indexed in a MyPHPLink implementation.

20. PHP-Nuke Web Mail Script Injection Vulnerability
BugTraq ID: 6400
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6400
Summary:

PHP-Nuke is a web-based portal system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows.

A vulnerability has been discovered in the web mail module available for PHP-Nuke. Due to insufficient sanitization of message content it is possible for an attacker to embed script code into a malicious HTML email. An unsuspecting user that opens the email will cause the script code to be executed within their browser.

Exploiting this issue may allow an attacker to steal cookie-based authentication credentials, which may be used at a later time to hijack a user's web session.
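
Items 7, 17 and 20 share one root cause: user-controlled text (a registration name, a request parameter, a mail body) is written into an HTML page without escaping. The mitigation at output time is the same for all three, and the C function below is an added illustration of it, not code from Mambo or PHP-Nuke (both of which are PHP). It escapes the five characters that can break out of HTML text content or a quoted attribute; the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape in into out so that it renders as literal text in an HTML page.
 * Returns the escaped length, or -1 if out (of out_cap bytes) cannot hold
 * the result plus its terminator.  Use at the point of output, not at
 * registration time, so the stored value stays the user's raw text. */
int html_escape(const char *in, char *out, size_t out_cap)
{
    if (out_cap == 0)
        return -1;
    size_t used = 0;
    for (; *in; in++) {
        const char *rep;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = NULL;     break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (n + 1 > out_cap - used)        /* keep room for the '\0' */
            return -1;
        if (rep)
            memcpy(out + used, rep, n);
        else
            out[used] = *in;
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

int main(void)
{
    /* Constructed "Your Name" values as a registration form might receive. */
    const char *names[] = {"Bob <b>&</b>", "O'Neil", "<img src=x onerror=1>"};
    char out[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int n = html_escape(names[i], out, sizeof out);
        printf("%-24s -> (%d) %s\n", names[i], n, out);
    }
    return 0;
}
```

The escaped string is safe in element content and in double- or single-quoted attribute values; it is not sufficient inside a `<script>` block or a URL, which need their own encodings.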

21. zkfingerd say() Format String Vulnerability
BugTraq ID: 6404
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6404
Summary:

zkfingerd is a small fingerd replacement server. It is available for Unix and Linux operating systems.

zkfingerd is prone to a format string vulnerability. This problem exists in the 'say()' function. The function does not perform sufficient checks when displaying user-supplied input. It is possible to corrupt memory by passing format strings through the vulnerable function. This may potentially be exploited to overwrite arbitrary locations in memory with attacker-specified values.

Successful exploitation of this issue may allow the attacker to execute arbitrary instructions, possibly, with elevated privileges.

This vulnerability was reported for zkfingerd 0.9.1 and earlier.
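
Items 9, 16 and 21 are all the same mistake: text from the network is passed where a format string is expected (`syslog(LOG_ERR, msg)` rather than `syslog(LOG_ERR, "%s", msg)`), so a '%' in the input becomes a conversion. The C below is an added illustration, not PFinger or zkfingerd source. It shows the fixed call shape, the same shape for building a string, and a hostname sanity check for the DNS path noted in item 9; `log_error_fixed`, `format_fixed` and `hostname_is_sane` are names chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Fixed logging call: the format is a literal, the untrusted text is an
 * argument.  "%n" or "%x" inside untrusted is logged as plain characters. */
void log_error_fixed(const char *untrusted)
{
    syslog(LOG_ERR, "error from client: %s", untrusted);
}

/* Same discipline when formatting into a buffer.  Returns the number of
 * bytes written, or -1 if the result would not fit in cap bytes. */
int format_fixed(char *out, size_t cap, const char *untrusted)
{
    int n = snprintf(out, cap, "error from client: %s", untrusted);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return n;
}

/* Defence in depth for the reverse-lookup path: a hostname returned by the
 * resolver should contain only letters, digits, '.' and '-'.  Rejecting
 * anything else keeps '%' out of log lines regardless of what a given
 * resolver library permits in a response.  Returns 1 if acceptable. */
int hostname_is_sane(const char *host)
{
    if (host == NULL || *host == '\0' || strlen(host) > 253)
        return 0;
    for (const char *p = host; *p; p++) {
        char c = *p;
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

int main(void)
{
    char buf[64];
    /* Constructed inputs: a benign hostname and one carrying conversions. */
    const char *hosts[] = {"host-1.example.com", "%08x.example.com"};
    for (int i = 0; i < 2; i++) {
        int n = format_fixed(buf, sizeof buf, hosts[i]);
        printf("sane=%d written=%d text=%s\n", hostname_is_sane(hosts[i]), n, buf);
    }
    return 0;
}
```

Compilers flag the vulnerable shape when asked: gcc and clang's `-Wformat-security` warns on any printf-family or syslog call whose format is not a literal and has no arguments, which is a cheap way to audit a daemon for this pattern.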

22. PHP-Nuke Multiple Path Disclosure Vulnerabilities
BugTraq ID: 6406
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6406
Summary:

PHP-Nuke is a web based Portal system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows.

Multiple path disclosure vulnerabilities have been discovered in PHP scripts used by PHP-Nuke. The issue occurs when a request is made for a script, which should not be accessed directly. Some scripts do not provide sufficient error handling for cases where these scripts are accessed directly. This will cause the script to generate an error page containing the absolute path information. The PHP scripts affected by this issue include voteinclude.php, navbar.php, attachment.php, and mainfile.php.

Exploiting this issue will cause the target server to disclose sensitive information about the layout of the filesystem of the host running the vulnerable software. Information of this nature may aid in mounting further attacks against the host.

23. CPIO Tar Hostile Destination Path Vulnerability
BugTraq ID: 6415
Remote: Yes
Date Published: Dec 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6415
Summary:

cpio is a utility to copy files in and out of cpio and .tar archives. It is maintained by GNU and is available for various Unix and Linux platforms.

cpio is prone to a security vulnerability when unpacking .tar archives. The problem is in the handling of pathnames.

By specifying a path for an archived item which points outside the expected directory scope, the creator of the archive can cause the file to be extracted to arbitrary locations on the filesystem. An attacker may take advantage of this vulnerability to cause malicious files to be placed anywhere on a target filesystem.

An attacker may exploit this condition by specifying a relative extraction path in a malicious .tar that points to sensitive or critical files, such as system binaries. The cpio utility will not warn the user that the extraction path may be hostile or may overwrite files unexpectedly. However, it is possible for users to inspect the contents of the archive to ensure that files will not be extracted to an unexpected location.

This vulnerability was originally described in BID 6412 "Multiple Vendor Archiving Software Tar Hostile Destination Path Vulnerability" and is now being assigned an individual Bugtraq ID.
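
The inspection the advisory recommends can be automated: before extracting, walk the member names and refuse any that is absolute or contains a ".." component, since those are the two ways a relative archive path escapes the extraction directory. The C below is an added example of that check, not cpio source; `archive_path_is_safe` and `first_unsafe_member` are names chosen here, and the member list is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if name can only land inside the extraction directory, 0 if it
 * is empty, absolute, or contains a ".." path component anywhere.
 * Components are split on '/' only; "..foo" and "a..b" are ordinary names. */
int archive_path_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (name[0] == '/')
        return 0;                          /* absolute path */
    const char *p = name;
    while (*p) {
        const char *sep = strchr(p, '/');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                      /* ".." component */
        if (!sep)
            break;
        p = sep + 1;
    }
    return 1;
}

/* Audit a whole member list before extraction.  Returns the index of the
 * first unsafe entry, or -1 if every entry is acceptable. */
int first_unsafe_member(const char *const *names, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (!archive_path_is_safe(names[i]))
            return (int)i;
    return -1;
}

/* Constructed member list, as a listing of the archive would show it. */
const char *const sample_members[] = {
    "README", "src/main.c", "../../usr/bin/login"
};

int main(void)
{
    size_t n = sizeof sample_members / sizeof sample_members[0];
    int bad = first_unsafe_member(sample_members, n);
    if (bad < 0)
        printf("all %zu members stay under the extraction directory\n", n);
    else
        printf("refusing archive: member %d is '%s'\n", bad, sample_members[bad]);
    return 0;
}
```

This check covers path text only; a member that is a symbolic link pointing outside the directory, followed by a later member extracted through that link, is a separate hazard that a path filter does not catch.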

24. Linux Kernel 2.2 mmap() Local Denial of Service Vulnerability
BugTraq ID: 6420
Remote: No
Date Published: Dec 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6420
Summary:

A denial of service vulnerability has been discovered in the Linux 2.2 kernel. It has been reported that it is possible for an unprivileged user to cause the kernel to stop responding due to a bug in the implementation of mmap().

When a process requests a map of memory which is invalid, a pointer to the buffer is returned. Although the pointer is returned, the mapped page is unreadable by the requesting process. A failure occurs in the kernel when another process attempts to read data at the location of that pointer through an mmap() of that process's memory space (/proc/pid/mem). The kernel does not prevent read attempts on this invalid memory and as a result the system hangs. This may be due to a deadlock condition.

It should be noted that this issue does not affect the 2.4 kernel tree. This is because support for mmap() in the /proc/pid/mem implementation has been dropped.

III. LINUX FOCUS LIST SUMMARY


1. User's and Shells (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/304047

IV. NEW PRODUCTS FOR LINUX PLATFORM


1. ArcSight Enterprise Security Management Software
by ArcSight
Platforms: AIX, Linux, Solaris, Windows 2000, Windows NT
Relevant URL:
http://www.arcsight.com/product.htm
Summary:

ArcSight is designed to distribute agents throughout the network, which will report events to central management stations. Administrators can then view events, control security policies and even replay a sequence of events to watch the attack unfold.

2. Arkeia 5
by Arkeia
Platforms: AIX, DG-UX, Digital UNIX/Alpha, HP-UX, IRIX, Linux, MacOS, SCO, Solaris, SunOS, Tru64 UNIX, Unixware, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://arkeia.com/a5technical.html
Summary:

Safeguarding a company's priceless data can create a multitude of questions for system administrators. Arkeia provides proven answers: speedy, automated backup and recovery that is a reliable industry standard for heterogeneous network backup. Arkeia is quick on its feet, easy to use and smoothly compatible with almost all combinations of computers, operating systems and storage devices. It's simple to install, configured in minutes and readily adaptable to anything from a small business network to a complex enterprise. Arkeia automatically detects SCSI hardware and recognizes tape drive types. Administrators can easily choose full or incremental backups that preserve directory structure, registry, symbolic links and special attributes. Arkeia makes it easy to program "exceptions" to your backup schedule with a convenient calendar interface.

3. QuickStart Data Rescue
by TOLIS Group
Platforms: FreeBSD, Linux, Netware, OpenBSD, OS/2, SCO, Solaris, Unixware, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.tolisgroup.com/qsdr3.html
Summary:

QuickStart Data Rescue™ is a PC crash and disaster recovery utility that recovers damaged systems while virtually eliminating the human error associated with the process. And, you can even recover to a larger hard disk! QuickStart Data Rescue™ is a self-contained product. Other disaster recovery products rely on interaction with some other utility or application, or require a base OS reinstall, in order to do their job. QuickStart can write an image backup of the disk to the target device, and verify the backup for accuracy as well as manage the disaster recovery process. Used independently, or in conjunction with your normal backup procedure, QuickStart gets you up and running simply and effectively.

V. NEW TOOLS FOR LINUX PLATFORMS


1. Levy v0.3
by Godot godot@linuxmafia.org
Relevant URL:
http://muse.linuxmafia.org/levy/
Platforms: Perl (any system supporting perl)
Summary:

Levy is a Perl script which generates a basic iptables ruleset based on a given external interface and a set of ports to open. It is designed to save time in creating a skeleton ruleset to work from, though it can construct a fully functional firewall with NAT support.

2. IP Security Validator for Linux v1.0
by alphaWorks
Relevant URL:
http://www.alphaworks.ibm.com/
Platforms: Linux
Summary:

IP Security Validator enables independent evaluation of VPN configurations and quick/autonomous reaction to problems. An offline mode even allows the offline evaluation of traffic that was captured into a file with other tools such as tcpdump or pcapture. This way, traffic collected from non-Linux network nodes can be evaluated on a Linux machine.

3. Easy Integrity Check System v1.0a
by Aki Tossavainen
Relevant URL:
http://eics.sourceforge.net
Platforms: POSIX
Summary:

Easy Integrity Check System is a tool for system administrators that performs filesystem integrity checks. It is easy to set up and use, and makes use of the mcrypt and mhash libraries for encrypting its database.

VI. SPONSOR INFORMATION



This issue is sponsored by: Qualys

Strengthening Network Security: FREE Guide

Network security is a constantly moving target - even proven solutions lose their punch over time. Find out how to get COMPLETE PROTECTION against ever-growing security threats with our FREE new Guide.

Get your copy today at: https://www.qualys.com/forms/nsguideh_376.php


Received on Mon Dec 23 14:44:10 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:26 EDT
