SecurityFocus Microsoft Newsletter #109

From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon Dec 02 2002 - 12:21:14 EST

This issue is sponsored by: St. Bernard Software

Double Security In One Investment
Reinforce your network security policy with the Retina®/UpdateEXPERT(tm) bundle from eEye and St. Bernard Software. Award-winning Retina scans networks for early detection of vulnerabilities, while UpdateEXPERT provides critical patch management assistance. Reliably identify and remediate your network with this security combo.

Free trial: http://www.eeye.com/ctrack.asp?ref=STBJOINT1


I. FRONT AND CENTER
  1. Secure Programming with .NET
  2. When Washington Mimics Sci Fi
  3. SecurityFocus DPP Program
  4. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. MICROSOFT VULNERABILITY SUMMARY
  1. SSH Communications SSH Server Privilege Escalation Vulnerability
  2. acFTP Invalid Password Weak Authentication Vulnerability
  3. acFreeProxy Cross Site Scripting Vulnerability
  4. Working Resources BadBlue Information Disclosure Vulnerability
  5. PHP-Nuke Multiple Cross Site Scripting Vulnerabilities
  6. NetScreen Malicious URL Filter Bypassing Vulnerability
  7. VBulletin members2.php Cross Site Scripting Vulnerability
  8. NetScreen H.323 Control Session Denial Of Service Vulnerability
  9. Working Resources BadBlue Search Page Cross Site Scripting...
  10. Netscape/Mozilla POP3 Mail Handler Integer Overflow Vulnerability
  11. AOL Instant Messenger Forced File Download Vulnerability
  12. phpBB Script Injection Vulnerability
  13. Bugzilla quips Feature Cross Site Scripting Vulnerability
  14. Sybase Adaptive Server DBCC CHECKVERIFY Buffer Overflow...
  15. YaBB YaBB.pl Cross Site Scripting Vulnerability
  16. NetScreen ScreenOS Predictable Initial TCP Sequence Number...
  17. SSH Communications Secure Shell Windows Client URL Catcher...
  18. Moby NetSuite POST Handler Buffer Overflow Vulnerability
  19. Netscape Java canConvert() Buffer Overflow Vulnerability
  20. PortailPHP SQL Injection Vulnerability
  21. Sybase Adaptive Server xp_freedll Buffer Overrun Vulnerability
  22. pWins Web Server Directory Traversal Vulnerability
  23. Sybase Adaptive Server DROP DATABASE Buffer Overflow...
III. MICROSOFT FOCUS LIST SUMMARY
  1. Secure / Encrypt Terminal Services (Thread)
  2. Question: Buffer Overrun in Microsoft Data Access Components Coul
  3. Question: Buffer Overrun in Microsoft Data Access Components Coul
  4. Odd entries in Win XP Pro Certificate MMC snap-in (Thread)
  5. Embedded NT/XP security (Thread)
  6. IIS Log exactly 65.536 bytes ??? (Thread)
  7. Exchange in the DMZ (Thread)
  8. Question: Buffer Overrun in Microsoft Data Access Components
  9. SecurityFocus Microsoft Newsletter #114 (Thread)
  10. ASP, BizTalk server SQL DB and Firewall architecture. (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
  1. ScanDo Vulnerability Assessment Scanner
  2. ArcSight Enterprise Security Management Software
  3. WebMarshal
V. NEW TOOLS FOR MICROSOFT PLATFORMS
  1. GPG-Ezmlm encrypted mailing list v0.3
  2. Sysload server monitor v4.5
  3. ABC CHAOS v2.1
VI. SPONSOR INFORMATION

I. FRONT AND CENTER

1. Secure Programming with .NET
By Rohyt Belani and David Wong

At the core of Microsoft's .NET initiative is the goal of interconnecting businesses, users, applications, and data. However, with all the concerns regarding security and privacy of data, many individuals and companies are reluctant to connect their business systems and place their data in reach of hackers thousands of miles away. Microsoft understands the challenges and concerns facing early adopters of their technology, and has made security one of their top priorities. The fundamental pillar for building applications is the security surrounding the .NET framework and the security services it provides. In this article, we will provide an overview of .NET framework security features and provide practical tips on how to write secure code in the .NET framework. More importantly, we will discuss which pitfalls to avoid.

http://online.securityfocus.com/infocus/1645

2. When Washington Mimics Sci Fi
By George Smith

John Poindexter's evil design for an all-seeing God Machine seems torn from the pages of visionary science fiction, where such schemes rarely end well.

http://online.securityfocus.com/columnists/126

3. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only global early-warning system for cyber attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

4. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14
Vendor Expo March 10 & 11

Solutions to today’s security concerns; hands-on experts; blockbuster vendor expo; the CISO Executive Summit; invaluable networking opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY


1. SSH Communications SSH Server Privilege Escalation Vulnerability
BugTraq ID: 6247
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6247
Summary:

Secure Shell is the commercial SSH implementation distributed and maintained by SSH Communications. It is available for the Unix, Linux, and Microsoft Windows platforms.

SSH Communications has reported a vulnerability in SSH server, which could result in local privilege escalation.

The setsid() function is used to create a new process group for forked processes. It has been reported that SSH server fails to run setsid() on non-interactive sessions, leaving user processes in the parent process group, where they retain the 'root' login name.

By executing programs that verify privileges against the login name (for example, those that rely on the BSD getlogin() function), it may be possible to execute various actions with escalated privileges.

Exploiting this issue has varied results depending on the operating system.

For this issue to be exploitable an attacker must have a local account on the target system.

2. acFTP Invalid Password Weak Authentication Vulnerability
BugTraq ID: 6235
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6235
Summary:

acFTP is a freely available FTP server designed for use with Microsoft Windows operating systems.

A vulnerability has been reported for acFTP. Reportedly, acFTP allows users to authenticate with an invalid password.

An attacker can exploit this vulnerability and log on to the vulnerable FTP server using any string as a password. When an invalid password is entered, acFTP will reportedly reject the password but will treat the attacker as a valid user.

This vulnerability has been reported for acFTP 1.4. It is not known whether other versions are affected.

3. acFreeProxy Cross Site Scripting Vulnerability
BugTraq ID: 6236
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6236
Summary:

acFreeProxy is a freely available proxy server designed for use with Microsoft Windows operating systems.

It has been reported that acFreeProxy is prone to cross site scripting attacks. Specifically, acFreeProxy does not properly sanitize any user-supplied input when it generates error pages.

As this vulnerability exists in acFreeProxy, it is possible for a remote attacker to create a malicious link containing script code which will be executed in the browser of a legitimate user, in the context of any domain.

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the vulnerable software. Cookie-based authentication credentials may be used by the attacker to hijack the session of the legitimate user.

4. Working Resources BadBlue Information Disclosure Vulnerability
BugTraq ID: 6243
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6243
Summary:

BadBlue is a P2P file sharing application distributed by Working Resources. It is available for Microsoft Windows operating systems.

A problem with BadBlue could make it possible for a remote user to disclose sensitive server information.

An information disclosure bug has been discovered in a default php script included with BadBlue. The 'soinfo.php' script executes the 'phpinfo()' function. By running the 'soinfo.php' script, it is possible for a remote attacker to access information returned by the 'phpinfo()' script, which may include sensitive data such as ODBC passwords.

Information disclosed in this manner may aid an attacker in launching further attacks against the target system.

It should be noted that PHP must be enabled on a target BadBlue server for this issue to be exploitable.

5. PHP-Nuke Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 6244
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6244
Summary:

PHP-Nuke is a web based Portal system. Implemented in PHP, it is available for a range of systems, including Microsoft Windows and Linux.

Several cross site scripting vulnerabilities have been reported for PHP-Nuke. Affected modules include the Discussion module, News module, and PM module among others. This vulnerability is due to insufficient sanitization of all HTML tags.

An attacker may exploit this vulnerability by enticing a victim user to follow a malicious link. Attacker-supplied HTML and script code may be executed on a web client in the context of the site hosting the web-based forum.

Attackers may potentially exploit this issue to manipulate web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.

These vulnerabilities have been reported for PHP-Nuke 6.5b1 and earlier.

6. NetScreen Malicious URL Filter Bypassing Vulnerability
BugTraq ID: 6245
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6245
Summary:

NetScreen is a line of Internet security appliances integrating firewall, VPN and traffic management features. ScreenOS is the software used to manage and configure the firewall. NetScreen supports Microsoft Windows 95, 98, ME, NT and 2000 clients. A vulnerability has been reported for NetScreen.

An administrator is able to restrict access to certain URLs by defining a malicious URL pattern. Reportedly, it is possible to circumvent rules for malicious URLs by fragmenting the request.

An attacker can exploit this vulnerability to access URLs that are normally inaccessible to hosts behind the NetScreen appliance.

This vulnerability was reported for NetScreen appliances using ScreenOS v3.0.1r2.0. Older versions of ScreenOS are likely to be affected as well.

7. VBulletin members2.php Cross Site Scripting Vulnerability
BugTraq ID: 6246
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6246
Summary:

vBulletin is commercial web forum software written in PHP and back-ended by a MySQL database. It will run on most Linux and Unix variants, as well as Microsoft operating systems.

The $perpage variable is used to control how subscribed threads are listed. This variable is later added to a query that is used to fetch database records. If an invalid value is passed to the $perpage variable, an error page is generated. Due to insufficient sanitization of data passed to the $perpage variable, it is possible to inject script code into the variable, which will be included in the error page.

As a result, it is possible for a remote attacker to create a malicious link containing script code which will be executed in the browser of a legitimate user, in the context of the website running vBulletin.

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software. The attacker may use cookie-based authentication credentials to hijack the session of the legitimate user.

8. NetScreen H.323 Control Session Denial Of Service Vulnerability
BugTraq ID: 6250
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6250
Summary:

NetScreen is a line of Internet security appliances integrating firewall, VPN and traffic management features. ScreenOS is the software used to manage and configure the firewall. NetScreen supports Microsoft Windows 95, 98, ME, NT and 2000 clients.

H.323 is a network specification to guarantee a certain QoS (Quality of Service) for video and audio conferencing applications.

A denial of service vulnerability has been reported for all NetScreen appliances related to the processing of H.323 control sessions. The vulnerability is due to inadequate clean up of existing, half-open H.323 control sessions that can eventually result in the consumption of all firewall session table entries.

This vulnerability has been reported to only affect NetScreen appliance configurations that explicitly permit the forwarding of H.323 or Netmeeting traffic.

This vulnerability only affects ScreenOS versions 2.8 and later.

9. Working Resources BadBlue Search Page Cross Site Scripting Vulnerability
BugTraq ID: 6253
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6253
Summary:

BadBlue is a P2P file sharing application distributed by Working Resources. It is designed for use on Microsoft Windows operating systems.

A problem with the application could make it possible to launch a cross-site scripting attack.

When started, BadBlue launches a web server on a client system. When a user executes a search using the search interface provided with BadBlue, the ext.dll ISAPI is used by BadBlue to handle the request. Users of the local system, as well as remote users may reach this interface.

The ext.dll ISAPI does not sufficiently sanitize user-supplied input in the 'style' parameter, when processing search queries. This may allow an attacker to create a custom URL containing script code that, when viewed in a browser by a legitimate user, will result in the execution of arbitrary script code.

This problem makes it possible to execute script code within the context of an arbitrary BadBlue server.

10. Netscape/Mozilla POP3 Mail Handler Integer Overflow Vulnerability
BugTraq ID: 6254
Remote: Yes
Date Published: Nov 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6254
Summary:

The Netscape Communicator and Mozilla browsers include support for email, and the ability to fetch mail through a POP3 server. Both products are available for a range of platforms, including Microsoft Windows and Linux.

An integer overflow vulnerability has been reported for the Netscape/Mozilla POP3 mail handler routines. These routines are found in 'mozilla/mailnews/local/src/nsPop3Protocol.cpp'. Reportedly, insufficient checks are performed on some server-supplied values. Specifically, the value for m_pop3ConData->number_of_messages is not sufficiently checked for large values.

An attacker may exploit this vulnerability through an attacker-controlled POP3 server. By issuing a very large integer value that is used by the Netscape/Mozilla POP3 mail handler, it may be possible to cause the integer overflow condition and allocate a buffer that is too small. A buffer overflow condition may result if the malicious attacker-controlled server attempts to write into the buffer at a location beyond the boundary of what was actually allocated.

Successful exploitation of this vulnerability may allow an attacker to obtain control over the execution of the vulnerable Netscape/Mozilla process.
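The defensive pattern for this class of bug, as an added example (not code from the newsletter or from Mozilla): bound a server-supplied message count before it is used to size an allocation. The record layout, the MAX_MESSAGES limit, the function names and the sample replies are assumptions made for illustration; only the POP3 STAT reply format ("+OK <count> <octets>") is taken from the protocol.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MESSAGES 100000L   /* assumed client policy limit, not from the advisory */

typedef struct {               /* hypothetical per-message record */
    uint32_t size;
    uint32_t flags;
    char    *uidl;
} msg_info;

/* What 32-bit size arithmetic yields: the product is reduced modulo 2^32,
 * so a huge count can produce a tiny allocation size. */
uint32_t wrapped_size32(uint32_t count, uint32_t record_size)
{
    return count * record_size;
}

/* Parse the message count from a POP3 STAT reply ("+OK <count> <octets>").
 * Returns 0 and stores the count on success, -1 on malformed or
 * out-of-range input. */
int parse_stat_count(const char *line, long *count_out)
{
    char *end;
    long v;

    if (strncmp(line, "+OK ", 4) != 0)
        return -1;
    line += 4;
    if (*line < '0' || *line > '9')          /* no sign, no leading space */
        return -1;
    errno = 0;
    v = strtol(line, &end, 10);
    if (errno == ERANGE)                     /* does not fit in a long */
        return -1;
    if (*end != ' ' && *end != '\r' && *end != '\n' && *end != '\0')
        return -1;                           /* trailing garbage */
    if (v > MAX_MESSAGES)                    /* policy cap on server input */
        return -1;
    *count_out = v;
    return 0;
}

/* Allocate the table only when count * sizeof(record) cannot wrap.
 * Returns NULL when the count is rejected or memory is unavailable. */
msg_info *alloc_msg_table(long count, size_t *bytes_out)
{
    if (count <= 0 || count > MAX_MESSAGES)
        return NULL;
    if ((size_t)count > SIZE_MAX / sizeof(msg_info))
        return NULL;
    *bytes_out = (size_t)count * sizeof(msg_info);
    return calloc((size_t)count, sizeof(msg_info));
}

int main(void)
{
    /* Constructed sample replies, not captured traffic. */
    const char *replies[] = { "+OK 3 1200\r\n", "+OK 268435457 0\r\n" };
    size_t i;

    for (i = 0; i < 2; i++) {
        long n = 0;
        size_t bytes = 0;
        msg_info *t = NULL;

        if (parse_stat_count(replies[i], &n) == 0)
            t = alloc_msg_table(n, &bytes);
        printf("reply %lu: %s\n", (unsigned long)i,
               t ? "table allocated" : "rejected");
        free(t);
    }
    /* 268435457 records of 16 bytes wrap to a 16-byte request in 32 bits. */
    printf("wrapped size: %u\n",
           (unsigned)wrapped_size32(0x10000001u, 16u));
    return 0;
}
```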

11. AOL Instant Messenger Forced File Download Vulnerability
BugTraq ID: 6259
Remote: Yes
Date Published: Nov 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6259
Summary:

AOL Instant Messenger (AIM) is an instant messaging client. It is available for various platforms including MacOS and Microsoft Windows operating systems.

AIM contains an option which will allow remote users to download shared files without prompting the owner. It has been reported that enabling this option may expose a vulnerability which would allow a remote attacker to force a target user to download a malicious file without prompting for authorization.

If an attacker were to download a target user's 'USER.lst' file, it may be possible to rename an arbitrary file to 'USER.lst' and force the target to download it. If this were to occur, the download would begin without first prompting for prior authorization.

Exploiting this issue may allow an attacker to fill a victim's hard drive with a file of excessive length.

12. phpBB Script Injection Vulnerability
BugTraq ID: 6248
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6248
Summary:

phpBB2 is an open-source web forum application that is written in PHP and supported by a number of database products. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

phpBB does not properly sanitize script code from HTML tags embedded in a forum posting. This vulnerability could allow a user to inject malicious script code into forum postings that would in turn be executed when the page is viewed by a legitimate user of the forum. The attacker-supplied code would be executed in the security context of the phpBB site.

The attacker-supplied code would be able to access cookie data, including authentication credentials, and to take actions on the vulnerable site as the currently authenticated user.

13. Bugzilla quips Feature Cross Site Scripting Vulnerability
BugTraq ID: 6257
Remote: Yes
Date Published: Nov 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6257
Summary:

Bugzilla is a freely available, open source bug tracking software package. It is available for Linux, Unix, and Microsoft Operating Systems.

A cross site scripting vulnerability has been reported for Bugzilla. This vulnerability only affects users who have the 'quips' feature enabled.

The quips feature is designed to put short, user-supplied comments at the top of bug lists. Reportedly, Bugzilla does not properly sanitize any input submitted by users.

As a result, it is possible for a remote attacker to create a malicious link containing script code which will be executed in the browser of a legitimate user, in the context of the website running Bugzilla.

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software.

14. Sybase Adaptive Server DBCC CHECKVERIFY Buffer Overflow Vulnerability
BugTraq ID: 6269
Remote: Yes
Date Published: Nov 27 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6269
Summary:

Sybase Adaptive Server is a full SQL relational database management system. It is available for a variety of platforms including Microsoft Windows operating systems.

A buffer overflow vulnerability has been reported for the Sybase Adaptive Server. The vulnerability exists in the DBCC CHECKVERIFY function. This function is used to verify the results of the most recent run of DBCC CHECKSTORAGE. The DBCC CHECKVERIFY function accepts a single parameter for the name of the database to verify. This function does not perform sufficient checks on the length of the string that is supplied as the value for the parameter.

An attacker may exploit this vulnerability to cause the database process to execute malicious attacker-supplied code.

This vulnerability was reported for Sybase Adaptive Server 12.0 and 12.5.

15. YaBB YaBB.pl Cross Site Scripting Vulnerability
BugTraq ID: 6272
Remote: Yes
Date Published: Nov 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6272
Summary:

YaBB (Yet Another Bulletin Board) is freely available web forum software that is written in Perl. YaBB will run on most Unix/Linux variants, MacOS, and Microsoft Windows 9x/ME/NT/2000/XP platforms.

A cross-site scripting vulnerability has been reported in the YaBB forum 'YaBB.pl' script. This vulnerability is due to insufficient sanitization of URI parameters.

As a result, it is possible for a remote attacker to create a malicious link to the login page of a site hosting the web forum. The malicious link may contain arbitrary HTML code in URI parameters. When this link is visited by an unsuspecting web user, the attacker-supplied code will be executed in their browser in the security context of the vulnerable website.

It has been demonstrated that this vulnerability may be exploited to steal cookie-based authentication credentials.

This vulnerability has been reported for YaBB 1 Gold - SP 1. It is not known if other versions are affected.

16. NetScreen ScreenOS Predictable Initial TCP Sequence Number Vulnerability
BugTraq ID: 6249
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6249
Summary:

NetScreen is a line of Internet security appliances integrating firewall, VPN and traffic management features. ScreenOS is the software used to manage and configure the firewall. NetScreen supports Microsoft Windows 95, 98, ME, NT and 2000 clients.

NetScreen has discovered a vulnerability in the algorithms used by ScreenOS to generate initial TCP sequence numbers. The ability to predict TCP sequence numbers may allow a remote attacker to inject packets into a vulnerable data stream.

It may also be possible for an attacker to launch man-in-the-middle attacks or hijack network sessions which would allow her to bypass any necessary authentication procedures.

For this issue to be exploitable, the attacker must be able to access network session traffic, possibly requiring access to a local network.

17. SSH Communications Secure Shell Windows Client URL Catcher Buffer Overflow Vulnerability
BugTraq ID: 6263
Remote: Yes
Date Published: Nov 27 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6263
Summary:

Secure Shell is the commercial SSH implementation distributed and maintained by SSH Communications. It is available for the Unix, Linux, and Microsoft Windows platforms.

A buffer overflow vulnerability has been reported for the Secure Shell Windows client. The vulnerability is due to an error in the URL handling of the Secure Shell client. Reportedly, it is possible for a buffer overflow condition to be triggered when a user clicks on a very long URL.

An attacker can exploit this vulnerability by crafting a malicious link, containing at least 480 characters, and enticing a victim user to click it. This will result in the buffer overflow condition being triggered and causing sensitive areas in memory to be overwritten with attacker-supplied values. Any malicious attacker-supplied code embedded in the URL will be executed on the victim system.

This vulnerability affects the Secure Shell client for Microsoft Windows.

18. Moby NetSuite POST Handler Buffer Overflow Vulnerability
BugTraq ID: 6277
Remote: Yes
Date Published: Nov 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6277
Summary:

Moby NetSuite is a small SMTP and HTTP/CGI server designed for use with the Microsoft Windows operating system.

A buffer overflow vulnerability has been reported for Moby NetSuite that may result in a denial of service condition. Reportedly, it is possible to cause NetSuite to crash when a malformed POST request is received. Specifically, the denial of service condition is triggered when a POST request is received that has an overly large integer value as the value for the 'Content-Length' header field.

An attacker can exploit this vulnerability by issuing a POST request with a 'Content-Length' value that is a very large integer. When NetSuite attempts to service the malformed POST request, it will crash, resulting in a denial of service. Restarting the service is necessary to restore functionality.

Although unconfirmed, this may be a remotely exploitable buffer overflow condition and code execution may be possible.
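How a server can refuse such a request before any body buffer is sized, as an added example (not code from the newsletter or from Moby NetSuite): the 'Content-Length' value is accumulated digit by digit against a cap, and malformed or conflicting values are rejected. The 1 MiB limit, the function names and the sample requests are assumptions; the returned numbers are the standard HTTP status codes 400, 411 and 413.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_BODY_BYTES (1024UL * 1024UL)   /* assumed server policy: 1 MiB */

/* Result doubles as the HTTP status the server would answer with. */
enum cl_status { CL_OK = 0, CL_BAD = 400, CL_MISSING = 411, CL_TOO_LARGE = 413 };

/* Case-insensitive match of a lower-case header name at the start of a line. */
static int header_is(const char *line, const char *name)
{
    size_t i;

    for (i = 0; name[i] != '\0'; i++) {
        char a = line[i];
        if (a >= 'A' && a <= 'Z')
            a = (char)(a - 'A' + 'a');
        if (a != name[i])
            return 0;
    }
    return line[i] == ':';
}

/* Accumulate the decimal value one digit at a time and stop as soon as it
 * passes the cap, so the accumulator itself can never overflow. */
static enum cl_status parse_length(const char *p, unsigned long *out)
{
    unsigned long v = 0;

    while (*p == ' ' || *p == '\t')
        p++;
    if (*p < '0' || *p > '9')                /* empty, signed or non-numeric */
        return CL_BAD;
    for (; *p >= '0' && *p <= '9'; p++) {
        v = v * 10 + (unsigned long)(*p - '0');
        if (v > MAX_BODY_BYTES)
            return CL_TOO_LARGE;
    }
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p != '\r' && *p != '\n' && *p != '\0')
        return CL_BAD;                       /* trailing garbage */
    *out = v;
    return CL_OK;
}

/* Walk the header lines of a request head and decide whether the body
 * may be read. On CL_OK, *len_out holds the validated length. */
enum cl_status check_content_length(const char *head, unsigned long *len_out)
{
    const char *line = strchr(head, '\n');   /* skip the request line */
    unsigned long first = 0;
    int seen = 0;

    while (line != NULL) {
        line++;                              /* first byte of the next line */
        if (*line == '\r' || *line == '\n' || *line == '\0')
            break;                           /* blank line ends the headers */
        if (header_is(line, "content-length")) {
            unsigned long v = 0;
            enum cl_status st =
                parse_length(line + strlen("content-length:"), &v);
            if (st != CL_OK)
                return st;
            if (seen && v != first)
                return CL_BAD;               /* conflicting duplicates */
            first = v;
            seen = 1;
        }
        line = strchr(line, '\n');
    }
    if (!seen)
        return CL_MISSING;
    *len_out = first;
    return CL_OK;
}

int main(void)
{
    /* Constructed request heads, not captured traffic. */
    const char *ok  = "POST /form HTTP/1.0\r\nContent-Length: 27\r\n\r\n";
    const char *big = "POST /form HTTP/1.0\r\n"
                      "Content-Length: 99999999999999999999999\r\n\r\n";
    unsigned long len = 0;

    printf("normal request -> %d\n", (int)check_content_length(ok, &len));
    printf("huge length    -> %d\n", (int)check_content_length(big, &len));
    return 0;
}
```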

19. Netscape Java canConvert() Buffer Overflow Vulnerability
BugTraq ID: 6256
Remote: Yes
Date Published: Nov 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6256
Summary:

Netscape Communications Corp.'s Communicator is a popular package that includes a web browser (Navigator), e-mail client, news client, and address book.

The Java implementation in Netscape 4 contains an unchecked buffer in the canConvert() method of the sun.awt.windows.WDefaultFontCharset class.

A malicious Java applet could trigger the overflow by passing a long string to the class constructor and invoking the canConvert() method on the newly created instance:

new WDefaultFontCharset(long_string).canConvert('x');

Arbitrary code execution is possible in the security context of the web browser.

This vulnerability is only reported to affect Netscape 4 browsers running on Microsoft Windows platforms.

20. PortailPHP SQL Injection Vulnerability
BugTraq ID: 6273
Remote: Yes
Date Published: Nov 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6273
Summary:

Portail PHP is a Web portal project based on PHP and MySQL. It is available for the Linux, Unix, and Microsoft Windows operating systems.

A vulnerability exists in the mod_search module included with PortailPHP. The vulnerability is due to insufficient sanitization of variables used to construct SQL queries in the 'index.php' script. Specifically, the 'rech' variable is not sanitized of malicious SQL input. It is possible to modify the logic of SQL queries through malformed query strings in requests for the vulnerable script.

By injecting SQL code into the 'rech' variable, it may be possible for an attacker to corrupt database information.

21. Sybase Adaptive Server xp_freedll Buffer Overrun Vulnerability
BugTraq ID: 6266
Remote: Yes
Date Published: Nov 27 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6266
Summary:

Sybase Adaptive Server is a full SQL relational database management system. It is available for a variety of platforms including Microsoft Windows operating systems.

The Sybase Adaptive Server provides an extended stored procedure (ESP) called xp_freedll in the database. This ESP is used to release a loaded library file.

It is possible to overrun a buffer in xp_freedll by providing a 57 byte string as the name parameter. This may result in the corruption of sensitive memory. By overwriting memory with attacker-supplied values, it may be possible to direct program flow to execute malicious instructions.

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary system commands with the privileges of the database server.

22. pWins Web Server Directory Traversal Vulnerability
BugTraq ID: 6271
Remote: Yes
Date Published: Nov 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6271
Summary:

pWins is a Web server implemented using Ruby and Perl. It is designed for use on Linux variants and Microsoft Windows operating environments.

It has been reported that pWins fails to properly sanitize web requests. By sending a malicious web request to the vulnerable server, using directory traversal sequences, it is possible for a remote attacker to access sensitive resources located outside of the web root.

An attacker is able to traverse outside of the established web root by using dot-dot-slash (../) directory traversal sequences. An attacker may be able to obtain any web server readable files from outside of the web root directory.

Disclosure of sensitive system files may aid the attacker in launching further attacks against the target system.

This vulnerability has been reported for pWins 0.2.5 for the Microsoft Windows platform.

23. Sybase Adaptive Server DROP DATABASE Buffer Overflow Vulnerability
BugTraq ID: 6267
Remote: Yes
Date Published: Nov 27 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6267
Summary:

Sybase Adaptive Server is a full SQL relational database management system. It is available for a variety of platforms including Microsoft Windows operating systems.

A buffer overflow vulnerability has been reported for the Sybase Adaptive Server. The vulnerability exists in the DROP DATABASE function. This function is used to remove any databases from the server.

The DROP DATABASE function accepts a single parameter for the name of the database to remove. This function does not perform sufficient checks on the length of the string that is supplied as the value for the parameter.

An attacker may exploit this vulnerability to cause the database process to execute malicious attacker-supplied code.

This vulnerability was reported for Sybase Adaptive Server 12.0 and 12.5.

24. Microsoft Windows XP Fast User Switching Process Viewing Weakness
BugTraq ID: 6280
Remote: No
Date Published: Nov 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6280
Summary:

Microsoft Windows XP contains a feature called Fast User Switching (FUS). This allows multiple users to be concurrently logged onto the system; only one user can interact with the system at a time. FUS is enabled by default on Windows XP Home edition, but not on Professional edition. It cannot be enabled on systems that are members of a domain.

FUS contains a weakness that could allow unprivileged users to view other users' process lists.

Members of the Administrators group can enable an option to view other users' process lists. If a member of the Administrators group enables this option and is subsequently removed from the group, they are still able to view other users' process lists.

While this is not directly exploitable, it may violate other users' privacy or the information obtained may potentially be used to mount attacks on other local users.

III. MICROSOFT FOCUS LIST SUMMARY


1. Secure / Encrypt Terminal Services (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/301663

2. Question: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/301562

3. Question: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/301573

4. Odd entries in Win XP Pro Certificate MMC snap-in (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/301538

5. Embedded NT/XP security (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/301502

6. IIS Log exactly 65.536 bytes ??? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/301490

7. Exchange in the DMZ (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/301255

8. Question: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/301213

9. SecurityFocus Microsoft Newsletter #114 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/301098

10. ASP, BizTalk server SQL DB and Firewall architecture. (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/301041

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS


1. ScanDo Vulnerability Assessment Scanner
by KaVaDo
Platforms: Windows 2000, Windows NT, Windows XP
http://www.kavado.com/ProductsScando.htmL
Summary:

ScanDo is a comprehensive vulnerability-assessment scanner that audits the entire Web application environment (Web servers, application servers, business logic etc.) and uncovers both known and unknown vulnerabilities that create security risks.

2. ArcSight Enterprise Security Management Software
by ArcSight
Platforms: AIX, Linux, Solaris, Windows 2000, Windows NT
http://www.arcsight.com/product.htm
Summary:

ArcSight is designed to distribute agents throughout the network, which will report events to central management stations. Administrators can then view events, control security policies and even replay a sequence of events to watch the attack unfold.

3. WebMarshal
by Marshal Software
Platforms: Windows 2000, Windows NT
http://www.webmarshall.com/default.asp?page=%2Fproducts%2Easp%3FREFID%3DMARSHAL&RefID=MARSHAL
Summary:

WebMarshal is an employee Internet management solution designed to promote responsible web use while providing protection from viruses, confidentiality breaches, and the downloading of non-business material. WebMarshal eliminates unproductive browsing by directing users to approved sites, while blocking offensive and unproductive sites. Detailed reporting by user and site allows management to refine Web policy so that the business can better take advantage of the Web. WebMarshal gives an organization easy, practical and customized control of Web browsing.

V. NEW TOOLS FOR MICROSOFT PLATFORMS


1. GPG-Ezmlm encrypted mailing list v0.3
by Todd MacDermid
Relevant URL:
http://www.synacklabs.net/projects/crypt-ml/
Platforms: Perl (any system supporting perl)
Summary:

GPG-Ezmlm contains a set of scripts which adds the ability to handle OpenPGP-encrypted email to Ezmlm. Email encrypted to the list key is re-encrypted to the keys of the subscribers. Key exchange during list subscription is supported.

2. Sysload server monitor v4.5
by Good NRG
Relevant URL:
http://www.nrgglobal.com/products/sysload.php
Platforms: AS/400, Linux, Netware, UNIX, Windows 2000, Windows NT, Windows XP
Summary:

Sysload does system performance monitoring on operating systems (Unix, Linux, Windows 2000/XP and NT, Netware, AS/400, GC0S7), databases (Oracle, SQL Server, DB2, Informix, Sybase), and applications (including Oracle Applications, SAP, Exchange, and IIS). It offers robust alerting and monitoring, and performance management solutions.

3. ABC CHAOS v2.1
by Investment Resources Group
Relevant URL:
http://www.safechaos.com/abc.htm
Platforms: Windows 2000, Windows 95/98, Windows CE, Windows NT, Windows XP
Summary:

Easily encrypt files into your personal data archive. You can be confident that the data is safely secured. When the password and key generator is used, additional special protection rules out guessing the password to the encrypted information.

VI. SPONSOR INFORMATION



This issue is sponsored by: St. Bernard Software

Double Security In One Investment
Reinforce your network security policy with the Retina®/UpdateEXPERT(tm) bundle from eEye and St. Bernard Software. Award-winning Retina scans networks for early detection of vulnerabilities, while UpdateEXPERT provides critical patch management assistance. Reliably identify and remediate your network with this security combo.

Free trial: http://www.eeye.com/ctrack.asp?ref=STBJOINT1


Received on Mon Dec 2 15:08:06 2002
