SecurityFocus Linux Newsletter #139

From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon Jul 07 2003 - 12:10:06 EDT


This Issue is Sponsored by: SpiDynamics

FREE White Paper: "How Web Application Hackers Break In!" Learn why 70% of today's successful hacks involve Web Application attacks such as: SQL Injection, XSS, Cookie Manipulation, and Parameter Manipulation.

All undetectable by Firewalls and IDS! Download *FREE* white paper from SPI Dynamics for a complete guide to protection!

Visit us at:
http://www.securityfocus.com/SPIDynamics-linux-secnews6


I. FRONT AND CENTER
  1. Penetration Testing for Web Applications (Part Two)
  2. IDS Correlation of VA Data and IDS Alerts
  3. Antivirus Concerns in XP and .NET Environments
  4. Promises, Promises
  5. The SecurityFocus 4th Anniversary Contest
II. LINUX VULNERABILITY SUMMARY
  1. iXmail iXmail_NetAttach.PHP File Deletion Vulnerability
  2. GTKSee PNG Image Loading Heap Corruption Vulnerability
  3. Verity K2 Toolkit Query Builder Search Script Cross-Site...
  4. PABox Password Reset Vulnerability
  5. PABox Admin Control Panel PHP Code Injection Vulnerability
  6. MoreGroupWare Multiple Cross-Site Scripting Vulnerabilities
  7. iXmail Arbitrary File Upload Vulnerability
  8. Portmon USER Environment Variable Buffer Overrun Vulnerability
  9. Linux 2.4 Kernel execve() System Call Race Condition Vulnerability
  10. MoreGroupWare Arbitrary File Upload Vulnerability
  11. iXmail Index.PHP Authentication Bypass SQL Injection...
  12. VMware Workstation 4.0 Insecure Temporary File Vulnerability
  13. WZDFTPD Incomplete Port Command Denial Of Service Vulnerability
  14. ImageMagick Temporary File Creation Vulnerability
  15. XGalaga Environment Variable Multiple Buffer Overflow...
  16. CutePHP CuteNews HTML Injection Vulnerability
  17. Abyss Web Server HTTP GET Heap Overrun Vulnerability
  18. Abyss Web Server HTTP Header Injection Vulnerability
  19. MegaBook Multiple HTML Injection Vulnerabilities
III. LINUX FOCUS LIST SUMMARY
  1. NO NEW POSTS FOR THE WEEK ENDING 07.04.03
IV. NEW PRODUCTS FOR LINUX PLATFORMS
  1. iomart NetIntelligence
  2. PowerPassword
  3. SysOrb
V. NEW TOOLS FOR LINUX PLATFORMS
  1. Amrita VPN v0.97-2
  2. TinyCA v0.4.8
  3. mpscan v0.1.0
VI. SPONSOR INFORMATION


I. FRONT AND CENTER

1. Penetration Testing for Web Applications (Part Two)
By Jody Melbourne and David Jorm

The second installment in this series expands upon issues of input validation: how developers routinely, through a lack of proper input sanity and validity checking, expose their back-end systems to server-side code-injection and SQL-injection attacks. It also explores the manner in which these issues may manifest on the client side as cross-site scripting and other content-manipulation vulnerabilities.

http://www.securityfocus.com/infocus/1709

2. IDS Correlation of VA Data and IDS Alerts
By Neil Desai

This article discusses the correlation of VA data and IDS alerts to help prioritize events and reduce the time it takes to sift through events.

http://www.securityfocus.com/infocus/1708

3. Antivirus Concerns in XP and .NET Environments
By Roger A. Grimes

After Windows NT was released, it took virus writers 5 years to learn how to infect it. Windows NT 3.1 and the Win32 API were released in late 1993, but it wasn't until August 1998 that W32.Cabanas became the first NT virus by capturing coveted kernel mode access. .NET and some of Microsoft's other initiatives have not been as lucky. The purpose of this article is to discuss antivirus (AV) concerns with .NET and Microsoft Windows XP.

http://www.securityfocus.com/infocus/1707

4. Promises, Promises
By Mark Rasch

Most online businesses promise they'll protect customer data as if it were their own. Now the government is holding them to it.

http://www.securityfocus.com/columnists/171

5. The SecurityFocus 4th Anniversary Contest

Enter before July 16th, 2003 to win two passes to the Black Hat Briefings. Please visit the contest page here:

http://www.securityfocus.com/contest

II. BUGTRAQ SUMMARY


1. iXmail iXmail_NetAttach.PHP File Deletion Vulnerability
BugTraq ID: 8046
Remote: Yes
Date Published: Jun 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8046
Summary:

iXmail is a web-based e-mail system implemented in PHP. It is available for a variety of platforms including Microsoft Windows and Linux and Unix variant systems.

A vulnerability has been reported for iXmail that may allow for the deletion of files. The vulnerability occurs due to insufficient sanitization of user-supplied input for certain URI parameters. Specifically, the ixmail_netattach.php script does not sanitize user-supplied values for the 'file' URI parameter.

An authenticated attacker may be able to exploit this vulnerability by specifying a filename as the value to the 'file' URI parameter. This will result in the deletion of the specified file.

Although unconfirmed, it may be possible for an attacker to use '../' directory traversal sequences to delete arbitrary web-server readable files.

2. GTKSee PNG Image Loading Heap Corruption Vulnerability
BugTraq ID: 8061
Remote: No
Date Published: Jun 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8061
Summary:

GTKSee is an image viewer developed for Linux and Unix variant operating systems.

A vulnerability has been reported for GTKSee that may result in the corruption of heap memory. The vulnerability occurs when GTKSee attempts to load PNG files with a certain colour depth.

An attacker may be able to exploit this vulnerability by creating a PNG image file with a certain colour depth. When GTKSee is used to view the image, the overflow issue will be triggered and will result in the corruption of heap memory with attacker-supplied values.

Successful exploitation will result in the execution of attacker-supplied code.

The precise technical details of this vulnerability are unknown. This BID will be updated as further information becomes available.

3. Verity K2 Toolkit Query Builder Search Script Cross-Site Scripting Vulnerability
BugTraq ID: 8074
Remote: Yes
Date Published: Jul 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8074
Summary:

The K2 Toolkit is a web application infrastructure distributed by Verity. It is available for the Unix, Linux, and Microsoft Windows platforms.

It has been reported that the K2 Toolkit does not sufficiently sanitize input by users. Because of this, it may be possible for an attacker to launch an attack that results in the execution of web code in the browsers of users that have loaded a malicious link created by the attacker.

The problem is in the filtering of input from URI parameters of the search script of the query building tool. User-supplied input will be echoed back without being sufficiently sanitized of HTML or script code. By passing malicious HTML or script code to the script, it is possible to render the code in the security context of the site hosting the vulnerable software. This could lead to the theft of authentication credentials such as cookies, or other nefarious activities.

4. PABox Password Reset Vulnerability
BugTraq ID: 8067
Remote: Yes
Date Published: Jun 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8067
Summary:

paBox is a web-application that is written in PHP. It will run on Unix and Linux variants, as well as Microsoft Windows operating systems.

paBox is prone to an issue that may allow unauthenticated remote users to reset administrative passwords. This issue is due to insufficient access validation prior to allowing users to perform certain actions. This could permit unauthorized access to the administrative Control Panel, which may aid the attacker in further attacks against the underlying system.

5. PABox Admin Control Panel PHP Code Injection Vulnerability
BugTraq ID: 8068
Remote: Yes
Date Published: Jun 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8068
Summary:

paBox is a web-application that is written in PHP. It will run on Unix and Linux variants, as well as Microsoft Windows operating systems.

Remote users with access to the administrative Control Panel may be able to inject malicious PHP code when adding banned users. Banned user information is stored in the 'bannedusers.php' script. This code could then be executed, allowing for execution of arbitrary commands in the context of the web server hosting the software.

Unauthorized remote users may exploit other latent vulnerabilities in the software to gain access to the administrative console.

6. MoreGroupWare Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 8041
Remote: Yes
Date Published: Jun 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8041
Summary:

moregroupware is a tool to facilitate office communications. It includes, among other features, webmail, calendaring and project management functionality. It is implemented in PHP and is available for a variety of platforms including Microsoft Windows and Linux and Unix variant operating environments.

Several cross-site scripting vulnerabilities have been reported for moregroupware. The vulnerability exists due to insufficient sanitization of user-supplied data.

An attacker could exploit these issues by enticing a web user to a malicious link which contains hostile HTML or script code. The hostile code may be rendered in the user's browser when the user follows the link.

Exploitation could permit an attacker to steal cookie-based authentication credentials or launch other attacks.

This vulnerability was reported for moregroupware 0.6.7. Earlier versions may be affected.

7. iXmail Arbitrary File Upload Vulnerability
BugTraq ID: 8048
Remote: Yes
Date Published: Jun 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8048
Summary:

iXmail is a web-based e-mail system implemented in PHP. It is available for a variety of platforms including Microsoft Windows and Linux and Unix variant systems.

When an attacker makes a request to the iXmail ixmail_attach.php script, the $attach1 and $attach1_name variables define the location of data and the name of a PHP file respectively. The PHP file is stored within the /tmp directory of the established web root.

iXmail has been reported prone to an arbitrary file upload vulnerability. The problem is said to occur due to insufficient sanitization of the user-supplied $attach1 URI parameter.

An authenticated attacker could exploit this vulnerability by supplying a remote file, containing malicious PHP commands, as the $attach1 parameter. This will result in the PHP commands being stored within the /tmp directory, using the naming convention of the attacker-supplied $attach1_name parameter. By supplying a name with a PHP extension, an attacker could effectively execute arbitrary PHP code on the remote system by making a request for the newly created script file.

8. Portmon USER Environment Variable Buffer Overrun Vulnerability
BugTraq ID: 8039
Remote: No
Date Published: Jun 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8039
Summary:

Portmon is a freely available, open source network service monitoring utility. It is available for Unix and Linux operating systems.

A vulnerability has been discovered in Portmon version 1.8 and earlier. The problem occurs due to insufficient bounds checking before copying the USER environment variable into an internal memory buffer.

The problem lies specifically in the call to the sprintf() library function that copies the USER environment variable data into the dynamically allocated err_msg buffer. The err_msg buffer is allocated using the following library call: (char *)malloc(128 * sizeof(char));. As a result, including approximately 129 bytes of data within the environment variable could allow an attacker to overwrite adjacent heap memory management structures and other values on the heap.

Although unconfirmed, this could potentially be exploited by an attacker to execute arbitrary code.

It should be noted that Portmon may not be installed setuid root by default; however, a configuration option exists which allows an administrator to specify that the utility should in fact be installed setuid.
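The bounded alternatives to the sprintf() call described above, as an added example that is not Portmon's code or part of the original newsletter. The message text in ERR_FMT and all function names are assumptions; only the 128-byte err_msg allocation and the USER variable come from the advisory.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define ERR_MSG_SIZE 128 /* same size as the malloc(128 * sizeof(char)) quoted above */

/* Placeholder wording: the advisory does not quote Portmon's real message. */
#define ERR_FMT "portmon: user %s: cannot open host file"

/*
 * Pattern described in the advisory (unbounded copy into 128 bytes):
 *     err_msg = (char *)malloc(128 * sizeof(char));
 *     sprintf(err_msg, ERR_FMT, getenv("USER"));
 */

/* Bounded version: never writes past ERR_MSG_SIZE and reports truncation. */
char *format_err_bounded(const char *user, int *truncated)
{
    char *err_msg = malloc(ERR_MSG_SIZE);
    if (err_msg == NULL)
        return NULL;
    int n = snprintf(err_msg, ERR_MSG_SIZE, ERR_FMT, user ? user : "(unset)");
    if (n < 0) {
        free(err_msg);
        return NULL;
    }
    if (truncated != NULL)
        *truncated = (n >= ERR_MSG_SIZE); /* snprintf returns the untruncated length */
    return err_msg;
}

/* Exact-fit version: measure the formatted length first, then allocate. */
char *format_err_exact(const char *user)
{
    if (user == NULL)
        user = "(unset)";
    int need = snprintf(NULL, 0, ERR_FMT, user);
    if (need < 0)
        return NULL;
    char *err_msg = malloc((size_t)need + 1);
    if (err_msg == NULL)
        return NULL;
    snprintf(err_msg, (size_t)need + 1, ERR_FMT, user);
    return err_msg;
}

/*
 * In a setuid binary the environment is chosen by the caller, so take the
 * name from the password database by real uid instead of trusting USER.
 */
const char *trusted_user_name(void)
{
    static char name[64];
    struct passwd *pw = getpwuid(getuid());
    if (pw != NULL && pw->pw_name != NULL)
        snprintf(name, sizeof name, "%s", pw->pw_name);
    else
        snprintf(name, sizeof name, "uid-%lu", (unsigned long)getuid());
    return name;
}

int main(void)
{
    int truncated = 0;
    char *msg = format_err_bounded(getenv("USER"), &truncated);
    if (msg != NULL) {
        printf("%s%s\n", msg, truncated ? " [truncated]" : "");
        free(msg);
    }
    printf("name from passwd database: %s\n", trusted_user_name());
    return 0;
}
```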

9. Linux 2.4 Kernel execve() System Call Race Condition Vulnerability
BugTraq ID: 8042
Remote: No
Date Published: Jun 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8042
Summary:

The Linux execve() system call is used to invoke target binaries on the system.

A race condition vulnerability has been discovered in the Linux execve() system call, affecting the 2.4 kernel tree.

The problem occurs within the load_elf_binary() kernel function, located in the fs/binfmt_elf.c source file, while opening an ELF binary prior to its execution. The file descriptor of the ELF is stored within the file descriptor table of the current process. This occurs prior to the execution of the ELF, which under specific circumstances could open a window of opportunity for the file descriptor to be accessed.

This race condition poses a security threat if a parent were to spawn a child process using the clone() system call, declaring that they share a global file descriptor table. Between the time the child process calls execve() and the target ELF is opened and subsequently executed, the parent process could potentially carry out actions on the file descriptor.

This vulnerability is exacerbated by the fact that the compute_creds() kernel function, which checks for the existence of shared file descriptors, occurs after the race condition.

By targeting an otherwise restricted setuid application, this could allow an unauthorized attacker to gain read or potentially write access to a setuid executable.

This could ultimately allow an attacker to gain access to sensitive information or could theoretically allow for the execution of arbitrary code with the privileges of the target executable.

10. MoreGroupWare Arbitrary File Upload Vulnerability
BugTraq ID: 8043
Remote: Yes
Date Published: Jun 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8043
Summary:

moregroupware is a tool to facilitate office communications. It includes, among other features, webmail, calendaring and project management functionality. It is implemented in PHP and is available for a variety of platforms including Microsoft Windows and Linux and Unix variant operating environments.

A vulnerability has been reported for moregroupware that may make it possible for a remote attacker to upload files to a vulnerable system. The vulnerability may be due to insufficient permissions on the 'modules/files/store/' folder of the moregroupware installation.

It is not clear where the specific vulnerable component of moregroupware lies. However, because of the problem, it may be possible for an attacker to upload and overwrite files with the privileges of the web server process. This could result in data corruption, or other potentially malicious activities.

This vulnerability was reported to affect moregroupware 0.6.7.

11. iXmail Index.PHP Authentication Bypass SQL Injection Vulnerability
BugTraq ID: 8047
Remote: Yes
Date Published: Jun 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8047
Summary:

iXmail is a web-based e-mail system implemented in PHP. It is available for a variety of platforms including Microsoft Windows and Linux and Unix variant systems.

The iXmail Index.PHP script has been reported prone to an SQL injection vulnerability.

The issue presents itself when certain criteria are met. If 'magic_quotes_gpc' is set to 'off' in the 'php.ini' configuration file, a remote user may inject arbitrary SQL code via the 'username' URI parameter to bypass the iXmail authentication procedure. It has also been demonstrated that this vulnerability may be exploited to disclose all of the fields of the table 'db_authtable' to a remote attacker.

It may also be possible, depending on the database implementation and other factors, to launch attacks against the underlying database. This could result in disclosure of sensitive information or other consequences.

12. VMware Workstation 4.0 Insecure Temporary File Vulnerability
BugTraq ID: 8049
Remote: No
Date Published: Jun 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8049
Summary:

VMware is a Virtual Machine software package maintained and distributed by VMware, Incorporated.

It has been reported that it is possible for a user to gain an escalation in privileges on a system running VMware Workstation 4.0 for Linux.

This issue presents itself if a TEMPDIR environment variable is not set on a Linux system that is running the affected software. If VMware Workstation cannot find a TEMPDIR entry it will attempt to use the world writeable /tmp directory by default. Therefore, under these circumstances, it may be possible for an unprivileged user to create symbolic links that link files stored in the /tmp directory to arbitrary files on the system. Actions taken on the temporary files will be mirrored in the linked files.

A local attacker may corrupt arbitrary files in this manner, in the context of the user who is running VMware Workstation.

13. WZDFTPD Incomplete Port Command Denial Of Service Vulnerability
BugTraq ID: 8055
Remote: Yes
Date Published: Jun 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8055
Summary:

wzdftpd is an FTP server implementation that is available for a number of operating systems, including Unix/BSD/Linux variants.

wzdftpd is reported to be prone to a denial of service when receiving an incomplete or malformed FTP PORT command. Sending such a command to the FTP server will allegedly cause the server to crash. This could be exploited by authenticated FTP users to deny availability of FTP services to legitimate users.

14. ImageMagick Temporary File Creation Vulnerability
BugTraq ID: 8057
Remote: No
Date Published: Jun 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8057
Summary:

ImageMagick is an image manipulation program. It is available for a variety of platforms including Microsoft Windows and Unix and Linux variant operating systems.

ImageMagick has been reported prone to an insecure temporary file creation vulnerability. As a result, it may be possible for local attackers to corrupt files owned by the user who is invoking the ImageMagick application.

An attacker could potentially exploit this issue by creating a symbolic link in place of the temporary file that is created. Any actions performed by ImageMagick when it is executed will be performed on the linked file.
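Both the VMware Workstation and ImageMagick entries above describe temporary files in /tmp that a pre-planted symbolic link can redirect. The following added example (not code from either product or from the newsletter) shows the two standard defences in C; the function names, the "app-" prefix and the scratch paths are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Preferred: mkstemp() picks an unpredictable name and opens it with
 * O_CREAT|O_EXCL and mode 0600, so a planted link is never opened.
 * Returns an open descriptor (name written to path) or -1.
 */
int open_private_temp(const char *dir, char *path, size_t len)
{
    if (dir == NULL || *dir == '\0')
        dir = "/tmp"; /* the fallback directory named in the VMware entry */
    int n = snprintf(path, len, "%s/app-XXXXXX", dir);
    if (n < 0 || (size_t)n >= len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(path);
}

/*
 * When a fixed file name cannot be avoided: O_EXCL makes open() fail if
 * anything, including a symbolic link, already exists at that path.
 */
int create_fixed_name(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/*
 * Self-check in a private scratch directory: put a link where the program
 * wants its temp file, then confirm the open is refused and the link
 * target keeps its 4 bytes. Returns 0 when the defence holds.
 */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/symdemo-XXXXXX";
    char victim[64], planted[64];
    int ok = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/app.tmp", dir);

    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd >= 0 && write(vfd, "keep", 4) == 4 && symlink(victim, planted) == 0) {
        int fd = create_fixed_name(planted);
        struct stat st;
        ok = (fd == -1 && (errno == EEXIST || errno == ELOOP) &&
              stat(victim, &st) == 0 && st.st_size == 4);
        if (fd >= 0)
            close(fd);
    }
    if (vfd >= 0)
        close(vfd);
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return ok ? 0 : -1;
}

int main(void)
{
    char path[128];
    int fd = open_private_temp(getenv("TMPDIR"), path, sizeof path);
    if (fd >= 0) {
        printf("private temp file: %s\n", path);
        close(fd);
        unlink(path);
    }
    printf("planted link refused: %s\n", symlink_is_refused() == 0 ? "yes" : "no");
    return 0;
}
```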

15. XGalaga Environment Variable Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 8058
Remote: No
Date Published: Jun 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8058
Summary:

XGalaga is a graphical game designed for use with Linux and Unix variant operating systems.

Several buffer overflow vulnerabilities have been reported for xgalaga when parsing certain environment variables. Specifically, bounds checks are not performed on the HOME environment variable.

An attacker can exploit this vulnerability by setting an overly long HOME environment variable and invoking xgalaga. This will result in the corruption of sensitive memory with attacker-supplied values to obtain elevated privileges.

xgalaga is typically installed setuid 'games'.

16. CutePHP CuteNews HTML Injection Vulnerability
BugTraq ID: 8060
Remote: Yes
Date Published: Jun 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8060
Summary:

CutePHP is a web-based bulletin board system. It is implemented in PHP and is available for a variety of platforms including Microsoft Windows and Unix and Linux variant operating environments.

CutePHP is prone to HTML injection attacks. The vulnerability exists due to insufficient sanitization of user-supplied input. Specifically, user-supplied input to news posts is not sufficiently sanitized of malicious HTML code.

An attacker can exploit this vulnerability by adding HTML code within IFRAME tags. The hostile code may be rendered in the user's browser when the user views the entry.

Exploitation could permit an attacker to steal cookie-based authentication credentials or launch other attacks.

17. Abyss Web Server HTTP GET Heap Overrun Vulnerability
BugTraq ID: 8062
Remote: Yes
Date Published: Jun 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8062
Summary:

Abyss Web Server is a freely available personal web server. It is maintained by Aprelium Technologies and runs on Microsoft Windows operating systems, as well as Linux.

Abyss Web Server is prone to a remotely exploitable heap overrun. This is due to insufficient bounds checking of data supplied via client HTTP GET requests which is used in a strcpy() operation. By submitting an HTTP GET request in excess of 2048 bytes, it will be possible to trigger this condition. It should be noted that the ':\' characters must be appended to the end of the request. This will permit remote attackers to corrupt adjacent regions of heap memory with attacker-supplied values.

This condition could be exploited to execute arbitrary code with the privileges of the web server.

This issue is reported to affect Abyss Web Server 1.1.2. Later versions, such as 1.1.4 and 1.1.5 may be similarly affected, though this has not been confirmed.

18. Abyss Web Server HTTP Header Injection Vulnerability
BugTraq ID: 8064
Remote: Yes
Date Published: Jun 30 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8064
Summary:

Abyss Web Server is a freely available personal web server. It is maintained by Aprelium Technologies and runs on Microsoft Windows operating systems, as well as Linux.

Abyss Web Server is prone to a vulnerability that could permit attackers to inject malicious data into server response headers. HTTP GET requests ending with ':\' characters will cause the server to return a HTTP 302 response to the client, which includes the requested URI in the Location: header field of the server response. User input is not sufficiently sanitized from this header field in the response. An attacker could cause malicious data such as HTML and script code to be included in the server response. It will also be possible to append additional HTTP header fields to the server response.

This could be exploited to launch cross-site scripting attacks. The attacker can also append arbitrary HTTP header information to the server response, which could permit cookie values to be set or header field data to be spoofed.

This issue is reported to affect Abyss Web Server 1.1.2. Later versions, such as 1.1.4 and 1.1.5 may be similarly affected, though this has not been confirmed.

19. MegaBook Multiple HTML Injection Vulnerabilities
BugTraq ID: 8065
Remote: Yes
Date Published: Jun 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8065
Summary:

MegaBook is a web-based guestbook that is intended to run on Unix and Linux variants.

MegaBook is prone to multiple HTML injection vulnerabilities. This is due to insufficient sanitization of HTML and script code from user-supplied input, including input supplied to the administrative login page (admin.cgi). It is not known if this malicious input supplied to the admin login page will be stored within the guestbook system, so the admin script may not provide an attack vector for HTML injection. However, it is possible to inject HTML and script code into the 'gbook.db' file via the client HTTP User-Agent: header field.

Exploitation of these issues could permit hostile HTML or script code to be injected into the guestbook system and rendered in the browser of a legitimate guestbook user. Code would be interpreted in the context of the site hosting the software.

Exploitation could allow for theft of cookie-based authentication credentials or permit an attacker to control how the guestbook site is rendered to legitimate users. Other attacks are also possible.

20. Pam_Timestamp_Check Privilege Escalation Weakness
BugTraq ID: 8072
Remote: No
Date Published: Jul 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8072
Summary:

A weakness has been reported in the pam_timestamp_check implementation for Red Hat 9.0 and other distributions that may be derived from this version or include this functionality.

pam_timestamp_check is a tty ticketing implementation that is designed to cache credentials so that users are not constantly required to use a facility such as sudo or su to perform actions as another user. pam_timestamp_check is implemented through the pam_timestamp_check.so module and with the pam_timestamp_check setuid helper. The implementation works by fetching the pseudo-terminal name (A), current user name (B), and the user whose credentials are cached (C). The implementation then checks to see if the timestamp of /var/run/sudo/B/A:C is recent to determine whether access should be granted. The ticket contents are not sufficiently verified, allowing for ticket spoofing.

If the attacker can cause the timestamp of the file to change, it will be possible to gain elevated privileges through exploitation of this weakness. This scenario will be possible in combination with file corruption issues such as those that are the result of insecure temporary file handling and allow files in privileged directories to be corrupted.

III. LINUX FOCUS LIST SUMMARY


1. NO NEW POSTS FOR THE WEEK ENDING 07.04.03

IV. NEW PRODUCTS FOR LINUX PLATFORMS

1. iomart NetIntelligence
by iomart
Platforms: AIX, Linux, Netware, Solaris, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.netintelligence.com/
Summary:

The NetIntelligence product consists of a main reports interface which is supported by easy to use administration tools. NetIntelligence has a deployment application which is purpose built for straightforward rollout of the product. Thereafter the main technical interface is via the administration console which allows the administrator to establish policies, user and machine groups, and delegate reporting authority to specified users within the organisation. Custom content allows bespoke fingerprinting as required. Web-blocking gives policy control over Internet Usage.

2. PowerPassword
by Symark Software
Platforms: AIX, DG-UX, HP-UX, IRIX, Linux, Solaris, Tru64 UNIX, UNIX
Relevant URL:
http://www.symark.com/powerpassword.htm
Summary:

Symark PowerPassword is a flexible, yet powerful password management and login control system that allows system administrators to centrally manage login and password policies across heterogeneous UNIX networks. Symark PowerPassword provides stronger passwords, aging and history, reset and synchronization, along with comprehensive logging. Symark PowerPassword's security capabilities are the perfect complement to NIS and LDAP environments that require greater password strength, login constraints, and auditing capabilities. In addition to creating a more secure UNIX environment, Symark PowerPassword reduces help desk support costs with features such as password synchronization across UNIX hosts. Take control of who, when and how users login to a system and maintain a comprehensive log of activities.

3. SysOrb
by Evalesco Systems ApS
Platforms: FreeBSD, HP-UX, Linux, Netware, Solaris, SunOS, Windows 2000, Windows NT
Relevant URL:
http://www.evalesco.com/
Summary:

SysOrb is the leading network monitoring system giving you the best price/performance ratio in the industry. No other system provides a similar combination of advanced monitoring technology, security, scalability and flexibility.

V. NEW TOOLS FOR LINUX PLATFORMS


1. Amrita VPN v0.97-2
by Jayaraj
Relevant URL:
http://amvpn.sourceforge.net
Platforms: Linux, POSIX
Summary:

Amrita VPN is an easy-to-use open source VPN solution that runs on the GNU/Linux platform. The implementation is fully in userspace and requires no kernel patches or enhancements. It uses SSL for strong encryption and authentication.

2. TinyCA v0.4.8
by Stephan Martin
Relevant URL:
http://tinyca.sm-zone.net/
Platforms: Linux, OpenNMS, POSIX
Summary:

TinyCA is a simple GUI written in Perl/Tk to manage a small certification authority. It is based on OpenSSL and Perl modules from the OpenCA project. TinyCA lets you manage x509 certificates. It is possible to export data in PEM or DER format for use with servers, as PKCS#12 for use with clients, or as S/MIME certificates for use with email programs. It is also possible to import your own PKCS#10 requests and generate certificates from them.

3. mpscan v0.1.0
by Markus Fraczek
Relevant URL:
http://mpscan.sourceforge.net/
Platforms: Linux, POSIX
Summary:

mpscan is a parallel network scanner that checks for open ports. It uses select() to increase its speed and was designed for rapidly scanning large networks, but also works with a single IP.

VI. SPONSOR INFORMATION



This Issue is Sponsored by: SpiDynamics

FREE White Paper: "How Web Application Hackers Break In!" Learn why 70% of today's successful hacks involve Web Application attacks such as: SQL Injection, XSS, Cookie Manipulation, and Parameter Manipulation.

All undetectable by Firewalls and IDS! Download *FREE* white paper from SPI Dynamics for a complete guide to protection!

Visit us at:
http://www.securityfocus.com/SPIDynamics-linux-secnews6


Received on Mon Jul 7 12:46:40 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:27 EDT

