SecurityFocus Linux Newsletter #116

SecurityFocus Linux Newsletter #116

This newsletter is sponsored by: Black Hat (http://www.blackhat.com)

Spooked about Windows security? Find solutions instead. Plan now to attend the Black Hat Briefings & Training Windows Security conference, February 25-28 in Seattle, the world's premier technical event for Windows and .Net security experts. This event is fully supported by Microsoft.

The Training on February 25-26 features 7 two-day courses on the hottest subjects. The Briefings on February 27-28 features 30 of the top industry speakers presenting topics in 6 tracks. Visit www.blackhat.com to see why top security experts rave about the Black Hat Briefings.

I. FRONT AND CENTER

1. SunScreen, Part One: An Overview of the Sun Microsystem Firewall
2. The Turkey that Bites
3. The Canary in the Data Mine
4. SecurityFocus DPP Program
5. InfoSec World Conference and Expo/2003 (March 10-12,2003,Orlando,FL) II. LINUX VULNERABILITY SUMMARY
6. Blackboard Learning System search.pl SQL Injection Vulnerability
7. ESCPUtil Local Printer Name Buffer Overflow Vulnerability
8. Apache Web Server MS-DOS Device Name Denial Of Service...
9. GNU Mailman 'email' Cross Site Scripting Vulnerability
10. GNU Mailman Error Page Cross Site Scripting Vulnerability
11. MyRoom save_item.php Arbitrary File Upload Vulnerability
12. slocate Local Buffer Overrun Vulnerability
13. CVS Directory Request Double Free Heap Corruption Vulnerability
14. ModLogAn Remote Heap Corruption Vulnerability
15. Apache Web Server MS-DOS Device Name Arbitrary Code Execution...
16. Apache Web Server Illegal Character HTTP Request File...
17. Apache Web Server Default Script Mapping Bypass Vulnerability
18. MTink Printer Status Monitor Environment Variable Buffer...
19. YABB SE Packages.PHP Remote File Include Vulnerability
20. Kodak KCMS KCS_OPEN_PROFILE Procedure Arbitrary File Access...
21. PHPOutsourcing Zorum Remote Include Command Execution...
22. YaBB SE News.PHP Remote File Include Vulnerability III. LINUX FOCUS LIST SUMMARY
23. Secure Web-Based Administration (Thread) IV. NEW PRODUCTS FOR LINUX PLATFORM
24. Cisco VPN 5000 Series Concentrators
25. Covalent Fast Start Server
26. DirectorySmart
27. NEW TOOLS FOR LINUX PLATFORMS
28. radmind v0.9.3
29. BENIDS v0.1.3
30. Lepton's Crack v1.1 VI. SPONSOR INFORMATION
31. FRONT AND CENTER

    ---

32. SunScreen, Part One: An Overview of the Sun Microsystem Firewall By Ido Dubrawsky

SunScreen is Sun Microsystem's firewall that runs under the Solaris operating system. It provides for packet filtering, authentication and data encryption as well as the creation of IPsec-based VPNs. This article is the first of a two-part series that will offer a brief overview of the implementation and administration of SunScreen.

http://online.securityfocus.com/infocus/1660

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

2. The Turkey that Bites
By Jon Lasser

With last week's RIAA worm hoax, the scallywags at Gobbles raised security advisories to subversive performance art.

http://online.securityfocus.com/columnists/137

3. The Canary in the Data Mine
By Mark Rasch

At the turn of the century just past, mining companies would use a brightly colored bird in the mine shaft to protect the lives of citizens. These canaries were more sensitive to the foul, noxious and deadly but invisible vapors that would otherwise threaten the lives of the mine shaft workers. When the canaries died, the miners would know an invisible threat existed.

http://online.securityfocus.com/columnists/136

4. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only global early-warning system for cyber attacks - SecurityFocus DeepSight Threat Management System.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11

Solutions to today’s security concerns; hands-on experts; blockbuster vendor expo; the CISO Executive Summit; invaluable networking opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY

1. Blackboard Learning System search.pl SQL Injection Vulnerability BugTraq ID: 6655 Remote: Yes Date Published: Jan 21 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6655 Summary:

Blackboard Learning system is a suite of software products available for Microsoft Windows, Linux and Solaris servers that power an "e-Education Infrastructure" for education providers.

Blackboard Learning System, in some cases, does not sufficiently sanitize user-supplied input which is used when constructing SQL queries. As a result, attackers may supply malicious parameters to manipulate the structure and logic of SQL queries. This may result in unauthorized operations being performed on the underlying database.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

This vulnerability was reported to exist in the search.pl script file (the address book search feature). A remote attacker can exploit this vulnerability to brute-force user accounts. It may also be possible to conduct other attacks, such as executing stored procedures and exploiting vulnerabilities in the database server.

This vulnerability was reported for Blackboard Learning System 5.5.1,level 1 and 2. Previous releases may also be affected.

2. ESCPUtil Local Printer Name Buffer Overflow Vulnerability BugTraq ID: 6658
Remote: No
Date Published: Jan 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6658
Summary:

escputil is a freely available, open source print driver for the Linux operating system. It is publicly maintained.

It has been reported that a buffer overflow in escputil exists.

This problem is due to insufficient bounds checking on the values supplied as arguments of the -P command line parameter. It is possible for a malicious local user to corrupt sensitive regions of memory with attacker-supplied values.

escputil is reportedly installed setgid 'sys' on Mandrake Linux, so it is possible that this issue may be exploited to execute arbitrary code with elevated privileges. Other distributions may also be affected if the utility is installed or runs with elevated privileges.

It should also be noted that this program is included with a number of other packages for printing on Linux systems.

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

3. Apache Web Server MS-DOS Device Name Denial Of Service Vulnerability BugTraq ID: 6662
Remote: Yes
Date Published: Jan 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6662
Summary:

Apache is a freely available Web server for Unix and Linux variants, as well as Microsoft operating systems.

A vulnerability has been reported in Apache Web server for Microsoft Windows 9x/Me operating environments. The vulnerability exists in the way some HTTP requests are handled by the Apache Web server. Specifically, HTTP requests that involve MS-DOS device names may cause the Apache Web server to crash.

An attacker can exploit this vulnerability by sending a malformed HTTP GET request to the Apache server using a reserved MS-DOS device name such as
'aux'. When the server receives this request it will crash.

This vulnerability exists for Apache versions prior to 2.0.44 for Microsoft Windows 9x/Me operating environments.

4. GNU Mailman 'email' Cross Site Scripting Vulnerability BugTraq ID: 6677
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6677
Summary:

Mailman is software to help manage email discussion lists, much like Majordomo and SmartList. It is written and maintained by the GNU Project and is available for the Linux and Unix operating systems.

A cross site scripting vulnerability has been discovered in GNU Mailman. The issue occurs due to insufficient sanitization of URI parameters. Specifically, the 'email' URI parameter is not correctly filtered for embedded HTML or script code.

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

As a result, attackers may embed malicious script code or HTML into a link to a site running the vulnerable software. When this link is followed by a web user, the attacker-supplied code will be interpreted in their web browser in the security context of the site hosting the software.

It may be possible to steal the unsuspecting user's cookie-based authentication credentials, as well as other sensitive information. Other attacks are also possible.

5. GNU Mailman Error Page Cross Site Scripting Vulnerability BugTraq ID: 6678
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6678
Summary:

Mailman is software to help manage email discussion lists, much like Majordomo and SmartList. It is written and maintained by the GNU Project and is available for the Linux and Unix operating systems.

A cross site scripting vulnerability has been discovered in GNU Mailman. The issue occurs due to insufficient sanitization of URI parameters. Specifically, the 'language' variable is not sufficiently sanitized before being included in error pages.

As a result, attackers may embed malicious script code or HTML into a link to a site running the vulnerable software. When this link is followed by a web user, the attacker-supplied code will be interpreted in their web browser in the security context of the site hosting the software.

It may be possible to steal the unsuspecting user's cookie-based authentication credentials, as well as other sensitive information. Other attacks are also possible.

It has been reported that GNU Mailman 2.0.11 is not affected by this issue.

Confused? Frustrated?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

6. MyRoom save_item.php Arbitrary File Upload Vulnerability BugTraq ID: 6644
Remote: Yes
Date Published: Jan 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6644
Summary:

MyRoom is an online item management system implemented in PHP. It is available for a variety of platforms including Linux variant operating systems and Microsoft Windows.

A problem with MyRoom may make it possible for remote attackers to upload files to a vulnerable system.

Due to inadequate security checks performed by some PHP scripts, an attacker is able to upload arbitrary files to the system. The room/save_item.php script has been reported to be vulnerable to this issue.

Specifically, the script only checks to see whether the file to be uploaded is an image file. As such, any file that includes the allowed extensions may be uploaded. Any uploaded files will be stored in the
'img/photo' folder.

Given the ability to upload arbitrary files to the host, an attacker can exploit this vulnerability to upload malicious applications to the vulnerable system or use the system for the storage of files.

This vulnerability was reported for MyRoom 3.5 GOLD.

7. slocate Local Buffer Overrun Vulnerability BugTraq ID: 6676
Remote: No
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6676
Summary:

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Secure Locate (slocate) provides a secure way to index and quickly search for files on your system. It is available for the Linux and Unix operating systems. Typically slocate is installed with setgid 'slocate' privileges.

A buffer overrun vulnerability has been discovered in slocate. The issue occurs when 1024, or more, bytes of data are supplied to both the regex ('-r') and the parse /etc/updatedb.conf ('-c') command line arguments. This issue occurs due to insufficient bounds checking on user-supplied input.

A malicious local user may be able to exploit this issue to overwrite sensitive locations in memory. For instance, by overwriting the programs instruction pointer it may be possible to redirect program flow to point to attacker-supplied instructions. As slocate is typically installed with setgid privileges, any code execution accomplished by an attacker will be executed with group 'slocate' privileges. An attacker may leverage this privilege escalation to exploit the target system further.

It should be noted that this issue has been reportedly verified on RedHat 7.3 and 7.2. RedHat 6.2 appears to be immune to this issue. It has not yet been verified whether other versions are also affected.

8. CVS Directory Request Double Free Heap Corruption Vulnerability BugTraq ID: 6650
Remote: Yes
Date Published: Jan 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6650
Summary:

CVS is the concurrent versioning system. CVS is a freely available, open source software development package for the Unix, Linux, and Microsoft Windows platforms.

CVS is prone to a double free vulnerability in Directory requests. Malformed Directory requests may potentially cause dynamically allocated memory to be de-allocated twice, using the free() function.

An attacker may potentially take advantage of this issue to cause heap memory to be corrupted with attacker-supplied values, which may result in execution of arbitrary code in the security context of the CVS server.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

9. ModLogAn Remote Heap Corruption Vulnerability BugTraq ID: 6652
Remote: Yes
Date Published: Jan 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6652
Summary:

ModLogAn is a modular logfile analyzer which parses logfiles generated by several server types including HTTP and FTP. It is available for the Unix and Linux operating systems.

A vulnerability has been discovered in ModLogAn. The problem occurs when attempting to decode a URL with the url_decode() function. When the url_decode() function detects a percentage character ('%') in a URL, it incorrectly presumes that the following 2 bytes will represent a hexadecimal encoded value. After this assumption is made the length counter (for the size of the decoded string) is reduced by two. If the URL contains values after the percentage character which are not hexadecimal, the URL data may be larger than the buffer allocated for the decoded string.

By generating a malicious log entry containing a URL with excessive percentage characters designed to trigger to the issue, it may be possible for an attacker to corrupt heap memory.

Exploiting this issue to overwrite a malloc() header may make it possible to overwrite an arbitrary word in memory when the corrupted chunk is freed. This may result in arbitrary attacker-supplied instructions being executed with the privileges of the ModLogAn process.

1. Apache Web Server MS-DOS Device Name Arbitrary Code Execution Vulnerability BugTraq ID: 6659 Remote: Yes Date Published: Jan 22 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6659 Summary:

Apache is a freely available Web server for Unix and Linux variants, as well as Microsoft operating systems.

A vulnerability has been reported in Apache Web server for Microsoft Windows 9x/Me operating environments. The vulnerability exists in the way some HTTP requests are handled by the Apache Web server. Specifically, the issue exists due to the way some CGI input is redirected when the ScriptAlias directive is enabled.

The ScriptAlias directive is used to map between URLs and paths residing outside of the DocumentRoot. This directive also enables the target directory as containing only CGI scripts.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

An attacker can exploit this vulnerability by making a malformed HTTP POST request to 'con.xxx' in a directory enabled with ScriptAlias. When this malformed POST data is sent to a CGI, it may result in any malicious code to be executed by the requested CGI.

This vulnerability exists for Apache versions prior to 2.0.44 for Microsoft Windows 9x/Me operating environments.

1. Apache Web Server Illegal Character HTTP Request File Disclosure Vulnerability BugTraq ID: 6660 Remote: Yes Date Published: Jan 22 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6660 Summary:

Apache is a freely available Web server for Unix and Linux variants, as well as Microsoft operating systems.

A vulnerability has been reported in Apache Web server for Microsoft Windows operating environments. The vulnerability exists in the way some HTTP requests are handled by the Apache Server. Any HTTP requests that end in some illegal characters will cause the server to disclose the contents of certain files to a remote attacker.

It has been reported that an HTTP request that ends in the '>' character will cause the Apache Web server to serve certain files to the remote attacker. Any information obtained in this manner may be used by the attacker to launch further attacks against a vulnerable system.

This vulnerability exists for Apache versions prior to 2.0.44 for Microsoft Windows operating environments.

1. Apache Web Server Default Script Mapping Bypass Vulnerability BugTraq ID: 6661 Remote: Yes Date Published: Jan 22 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6661 Summary:

Apache is a freely available Web server for Unix and Linux variants, as well as Microsoft operating systems.

A vulnerability has been reported in the Apache Web browser that may result in the server bypassing existing default mappings when serving files.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

The vulnerability exists when making requests for files in directories with extensions. The vulnerability may cause the Web server to incorrectly parse the requested file.

An attacker may be able to make a request for www.target.com/folder.php/test. The request for the file test should be served as a text file but due to some flaws in the mapping algorithm, the file 'test' will be interpreted as a PHP script.

This may have unintended consequences on users and the system.

This vulnerability was reported to affect Apache versions prior to 2.0.44.

1. MTink Printer Status Monitor Environment Variable Buffer Overflow Vulnerability BugTraq ID: 6656 Remote: No Date Published: Jan 21 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6656 Summary:

mtink is a printer status monitor for Linux operating systems. It is used to monitor ink quantity, negotiate changing and cleaning of ink cartridges, etc.

mtink is prone to a locally exploitable buffer overflow condition. This is due to insufficient bounds checking of the $HOME environment variable. An attacker may take advantage of this issue to corrupt sensitive regions of memory, such as stack variables, with attacker-supplied values. This may result in execution of arbitrary attacker-supplied code.

mtink is reportedly installed setgid 'sys' on Mandrake Linux, so it is possible that this issue may be exploited to execute arbitrary code with elevated privileges. Other distributions may also be affected if mtink is installed or runs with elevated privileges.

1. YABB SE Packages.PHP Remote File Include Vulnerability BugTraq ID: 6663 Remote: Yes Date Published: Jan 22 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6663 Summary:

YaBB SE is a freely available, open source port of Yet Another Bulletin Board (YaBB). It is available for a number of platforms include Unix, Linux, and Microsoft Windows operating systems.

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

YaBB SE allows remote users to influence the location of an external script ('Packer.php') that is included by the 'Packages.php'. A remote attacker may exploit this condition to cause an external, attacker-supplied file to be included by YaBB SE. If the attacker includes malicious PHP code, then it may be executed.

This may allow a remote attacker to execute arbitrary commands in the context of the webserver.

1. Kodak KCMS KCS_OPEN_PROFILE Procedure Arbitrary File Access Vulnerability BugTraq ID: 6665 Remote: Yes Date Published: Jan 22 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6665 Summary:

The Kodak Color Management System (KCMS) is an image and video management Application Programming Interface (API) for Unix, Linux, and Windows Operating Systems. It is distributed and maintained by Kodak.

A problem could make it possible for a remote user to gain unauthorized remote access to arbitrary files.

It has been reported that a problem exists in the Kodak Color Management System (KCMS) due to the insecure handling of input. It may be possible for a remote user to gain access to arbitrary files on a vulnerable host. This could allow remote information gathering, leakage of sensitive information, and potentially privilege elevation.

The problem occurs in the KCS_OPEN_PROFILE. By exploiting a vulnerable system running the kcms_server process, it is possible for a remote user to download any file to which the kcms_server has read access. As the kcms_server process is typically executed as root, this could be any file on the target system. It should be noted that an attacker must use the TT_ISBUILD procedure call of ToolTalk to exploit this issue.

1. PHPOutsourcing Zorum Remote Include Command Execution Vulnerability BugTraq ID: 6669 Remote: Yes Date Published: Jan 22 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6669 Summary:

Zorum is a freely available, open source PHP forum. It is available for UNIX, Linux, and Microsoft operating systems.

A problem could make it possible for remote users to execute arbitrary commands.

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

It has been reported that Zorum may allow remote users to influence to location of PHP includes. Because of this, it is possible for a remote user to include an external arbitrary PHP script containing commands that may be carried out on the vulnerable host.

This problem could allow a remote attacker to execute arbitrary code with the privileges of the web server process. This could result the attacker gaining local access, and potentially elevated privileges.

1. YaBB SE News.PHP Remote File Include Vulnerability BugTraq ID: 6674 Remote: Yes Date Published: Jan 24 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6674 Summary:

YaBB SE is a freely available, open source port of Yet Another Bulletin Board (YaBB). It is available for a number of platforms include Unix, Linux, and Microsoft Windows operating systems.

A vulnerability has been discovered in YaBB SE. Due to insufficient sanitization of some user-supplied variables by the 'News.php' script, it is possible for a remote attacker to include a malicious PHP file in a URL. An attacker may exploit this by supplying a path to a maliciously created file, located on an attacker-controlled host as a value for the
'$template' parameter.

If the remote file is a malicious PHP script, this may allow for execution of attacker-supplied PHP code with the privileges of the webserver. Successful exploitation may provide local access to the attacker.

This vulnerability was reported for YaBB SE 1.5.1 and earlier.

III. LINUX FOCUS LIST SUMMARY

1. Secure Web-Based Administration (Thread) Relevant URL:

http://online.securityfocus.com/archive/91/307958

Confused? Frustrated?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

IV. NEW PRODUCTS FOR LINUX PLATFORM

1. Cisco VPN 5000 Series Concentrators by Cisco Systems Platforms: Linux, MacOS, Solaris, Windows 95/98, Windows NT http://www.cisco.com/warp/public/cc/pd/hb/vp5000/ Summary:

The Cisco VPN 5000 series of concentrators, and associated VPN client software, provide a comprehensive and flexible set of IPsec VPN capabilities for both site to site and remote access services. This series of products enables both customer premise equipment (CPE) and service provider edge based depolyments utilizing the most advanced high performance encyrption and authentication techniques available. The Cisco VPN 5000 concentrator series is a feature rich carrier class VPN product that supports the most demanding multiplatform, multiprotocol environments.

2. Covalent Fast Start Server
by Covalent Technologies
Platforms: AIX, BSDI, DG-UX, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD, Solaris, UNIX, Unixware
http://www.covalent.net/products/faststart/ Summary:

Covalent Fast Start Server automatically produces an Apache configuration suitable for many enterprise applications. Because of Apache's standards-based interoperability, Fast Start Server is able to serve as the presentation layer for all major application servers, databases and Web-based applications, reducing the complexity of Web infrastructures. It includes a streamlined installer for rapid deployment.

3. DirectorySmart
by OpenNetwork Technologies
Platforms: AIX, HP-UX, Linux, Solaris, Windows NT http://www.opennetwork.com/products/
Summary:

By defining and enforcing eBusiness rules through user security and secure access, DirectorySmart enables eBusinesses to provide self-service applications and create tight customer feedback loops. DirectorySmart scales to millions of users and is designed for the largest and most complex of computing environments. DirectorySmart makes it possible for enterprises to manage information access for thousands, or even millions, of users, all of whom require different levels of application access, without adding dramatically to the burden on corporate IT departments or risking the security of sensitive corporate data.

V. NEW TOOLS FOR LINUX PLATFORMS

1. radmind v0.9.3 by UMich RSUG Relevant URL: http://rsug.itd.umich.edu/software/radmind Platforms: FreeBSD, Linux, MacOS, OpenBSD, Solaris, SunOS, UNIX Summary:

radmind is a suite of Unix command-line tools and a server designed to remotely administer the file systems of multiple Unix machines. At its core, radmind operates as a tripwire. It is able to detect changes to any managed filesystem object, e.g. files, directories, links, etc. However, radmind goes further than just integrity checking: once a change is detected, radmind can optionally reverse the change. Each managed machine may have its own loadset composed of multiple, layered overloads. This allows, for example, the operating system to be described separately from applications. Loadsets are stored on a remote server. By updating a loadset on the server, changes can be pushed to managed machines.

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

2. BENIDS v0.1.3
by lifeonmars
Relevant URL:
http://www.marlboro.edu/~ttoomey/benids/ Platforms: Linux, POSIX
Summary:

BENIDS is a pcap-based Network Intrusion Detection System for Linux. It uses its own XML rule file format which allows arbitrary, complex boolean matching conditions. It generates IDMEFv0.3 alert messages, and also supports fragment and TCP stream reassembly.

3. Lepton's Crack v1.1
by Nekromancer nekromancer@eudoramail.com Relevant URL:
http://usuarios.lycos.es/reinob/
Platforms: Linux, POSIX, Windows 2000, Windows NT Summary:

Lepton's Crack is a generic password cracker. It is easily-customizable with a simple plugin system and allows system administrators to review the quality of the passwords being used on their systems. It can perform a dictionary-based (wordlist) attack as well as a brute force (incremental) password scan. It supports standard MD4 hash, standard MD5 hash, NT MD4/Unicode, and Lotus Domino HTTP password (R4) formats.

VI. SPONSOR INFORMATION

Spooked about Windows security? Find solutions instead. Plan now to attend the Black Hat Briefings & Training Windows Security conference, February 25-28 in Seattle, the world's premier technical event for Windows and .Net security experts. This event is fully supported by Microsoft.

The Training on February 25-26 features 7 two-day courses on the hottest subjects. The Briefings on February 27-28 features 30 of the top industry speakers presenting topics in 6 tracks. Visit www.blackhat.com to see why top security experts rave about the Black Hat Briefings.