SecurityFocus Microsoft Newsletter #118

SecurityFocus Microsoft Newsletter #118

This issue is sponsored by: Qualys

Strengthening Network Security: FREE Guide Network security is a constantly moving target - even proven solutions lose their punch over time. Find out how to get COMPLETE PROTECTION against ever-growing security threats with our FREE new Guide.

Get your copy today at: https://www.qualys.com/forms/nsguideh_376.php

I. FRONT AND CENTER

1. Microsoft Baseline Security Analyzer V1.1
2. Evaluating Network Intrusion Detection Signatures, Part Three
3. OpenAV: Developing Open Source AntiVirus Engines
4. SecurityFocus DPP Program
5. InfoSec World Conference and Expo/2003 (March 10-12, 2003,Orlando,FL) II. MICROSOFT VULNERABILITY SUMMARY
6. Microsoft Internet Explorer PNG Deflate Heap Corruption...
7. Microsoft Windows SMB Signing Vulnerability
8. Deerfield VisNetic WebSite Cross Site Scripting Vulnerability
9. Microsoft Java Virtual Machine COM Object Access Validation...
10. Microsoft Java Virtual Machine CODEBASE Parameter File...
11. MySQL COM_CHANGE_USER Password Length Account Compromise...
12. MySQL libmysqlclient Library Read_Rows Buffer Overflow...
13. MySQL libmysqlclient Library Read_One_Row Buffer Overflow...
14. Mambo Site Server PHPInfo.PHP Information Disclosure Vulnerability
15. Bea Systems WebLogic Xerces XML Parser Denial Of Service...
16. Microsoft Java Virtual Machine Standard Security Manager...
17. Microsoft Java Virtual Machine Java Object Instantiation...
18. Mambo Site Server Account Registration HTML Injection...
19. Mambo Site Server Path Disclosure Vulnerability
20. Captaris Infinite WebMail HTML Injection Vulnerability
21. EServ Buffer Overflow Vulnerability
22. PKZip Tar Hostile Destination Path Vulnerability
23. Microsoft Java Virtual Machine user.dir Access Information...
24. VIM ModeLines Arbitrary Command Execution Vulnerability
25. PHP-Nuke Web Mail Remote PHP Script Execution Vulnerability
26. Microsoft Java Virtual Machine Multiple Vulnerabilities
27. MySQL COM_CHANGE_USER Password Memory Corruption Vulnerability
28. Microsoft Java Virtual Machine URL Parsing Vulnerability
29. Microsoft Java Virtual Machine JDBC API Access Vulnerability
30. PHP-Nuke 6.0 Multiple Cross Site Scripting Vulnerabilities
31. Symantec Enterprise Firewall RealAudio Proxy Buffer Overflow...
32. MyPHPSoft MyPHPLinks SQL Injection Administration Bypassing...
33. Cypherix Cryptainer Information Disclosure Vulnerability
34. PHP-Nuke Web Mail Script Injection Vulnerability
35. PHP-Nuke Multiple Path Disclosure Vulnerabilities
36. ZipMagic Tar Hostile Destination Path Vulnerability
37. WinZip Tar Hostile Destination Path Vulnerability III. MICROSOFT FOCUS LIST SUMMARY
38. Removing locking user from CTRL-ALT-DEL window - NT 4.0 (Thread)
39. Logging Terminal Services Access? (Thread)
40. ipsecpol on Windows 2000 (Thread)
41. SecurityFocus Microsoft Newsletter #117 (Thread)
42. Users Peeved at Microsoft Security Effort (Thread)
43. IIS 4 Security (Thread)
44. Exchange 5.5 delivery receipts (Thread)
45. Bulletin MS02-069 (Thread) IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
46. ipPulse
47. BVRP Mail Warden
48. Silent Watch
49. NEW TOOLS FOR MICROSOFT PLATFORMS
50. Lepton's Crack v1.0.1
51. perltrash v0.3
52. Opticon|Users 2002 VI. SPONSOR INFORMATION
53. FRONT AND CENTER

    ---

54. Microsoft Baseline Security Analyzer V1.1 By Mike Fahland, Eric Schultze

Earlier this month, Microsoft released version 1.1 of the Microsoft Baseline Security Analyzer (MBSA). This article will offer a brief overview of MBSA.

http://online.securityfocus.com/infocus/1649

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

2. Evaluating Network Intrusion Detection Signatures, Part Three by Karen Kent

In this three-part series of articles, we are presenting recommendations that will help readers to evaluate the quality of network intrusion detection (NID) signatures, either through hands-on testing or through careful consideration of third-party product reviews and comparisons. The first installment discussed some of the basics of evaluating NID signature quality, as well as selecting attacks to be used in testing. The second installment concluded the discussion of criteria for choosing attacks and provided recommendations for generating attacks and creating a good testing environment. This article will wrap up the series by examining other ways of generating attacks with other security-related tools and by manually creating your own attacks.

http://online.securityfocus.com/infocus/1651

3. OpenAV: Developing Open Source AntiVirus Engines by Costin G. Raiu

This article will take a look at the OpenAntivirus AV engine, assess its progress so far, and offer some suggestions of how the developers can continue to develop it. While some of the commentary in the following sections may be fairly critical, the purpose of this paper is not to flame the OpenAV project or its developers but, on the contrary, to salute their efforts. Hopefully, this article and the comments herein will make a significant contribution to the development of a viable, working open source antivirus product.

http://online.securityfocus.com/infocus/1650

4. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only global early-warning system for cyber attacks - SecurityFocus DeepSight Threat Management System.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11

Solutions to today’s security concerns; hands-on experts; blockbuster vendor expo; the CISO Executive Summit; invaluable networking opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY

1. Microsoft Internet Explorer PNG Deflate Heap Corruption Vulnerability BugTraq ID: 6366 Remote: Yes Date Published: Dec 12 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6366 Summary:

A heap corruption vulnerability has been reported for Microsoft Internet Explorer 5.01 through 6.0.

The vulnerability is related to the way that Microsoft Internet Explorer (MSIE) interprets PNG image data. Specifically, the 'inflate_fast()' function within 'pngfilt.dll' does not properly handle invalid length codes within PNG image files.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

An attacker can exploit this vulnerability by tricking a user into viewing a maliciously constructed PNG image file. When the image file is rendered by the 'pngfilt.dll' library, it will trigger the heap corruption condition and overwrite critical areas in memory. Any malicious attacker-supplied code will be executed with elevated privileges.

It should be noted that applications which depend on MSIE to render PNG files are also affected.

Internet Explorer 6.0 with Service Pack 1 is not affected by this issue.

2. Microsoft Windows SMB Signing Vulnerability BugTraq ID: 6367
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6367
Summary:

Microsoft Windows 2000 and XP contain a new feature that can be set in group policy allowing SMB packets to be digitally signed. There are four settings that govern the signing of the SMB packets; two for acting as a server and two for acting as a client. The system can be configured to allow signing, disallow signing, or require signing. The default setting is to allow signing, but not require it.

When two hosts establish an SMB session, negotiation of the digital signing level occurs. The systems determine what level of signing each requires and whether a connection can be established. If one system cannot meet the other system's requirements, the communication channel is not established.

Due to a flaw in the way the signing negotiation is implemented, an attacker can malform a negotiation packet through a man-in-the-middle attack to cause the target system to silently drop its signing requirement for that particular session. This could allow the attacker to then modify the SMB packets undetected by the receiving system since the digital signature is not checked. The attacker would have to exploit this vulnerability once for each SMB session to be modified.

It is important to note that when a client logs into a domain, the group policy is transmitted from the server to the client using signed SMB packets. This could allow a knowledgeable attacker to modify the group policy settings that are applied to the client.

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

3. Deerfield VisNetic WebSite Cross Site Scripting Vulnerability BugTraq ID: 6369
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6369
Summary:

VisNetic Website is web server that supports multiple domains, and allows TLS/SSL secured domains. It is available for the Microsoft Windows operating system.

When a requested page does not exist VisNetic Website will construct a customized 404 page containing a link to the referring page. The referring address is taken from the HTTP 'referer' header.

A vulnerability has been discovered in VisNetic Website when generating a 404 page for a non-existent resources. The issue is due to insufficient sanitization of the HTTP 'referer' header. It is possible to cause arbitrary code to be executed within the context of the visited 404 page by embedding script code into the HTTP 'referer' header.

An attacker could exploit this issue to steal cookie-based authentication credentials, which could be used to hijack a legitimate users session.

It should be noted that this vulnerability was discovered in VisNetic Website 3.5.13.1. It is not yet known whether this issue also affects earlier versions.

4. Microsoft Java Virtual Machine COM Object Access Validation Vulnerability BugTraq ID: 6371
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6371
Summary:

The Microsoft Java Virtual Machine (JVM) implements the Java runtime environment for Microsoft Internet Explorer. A vulnerability has been discovered in the Microsoft JVM.

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

The vulnerability is due to insufficient checks in the JVM that allow malicious, untrusted applets access to COM (Component Object Model) objects. COM objects are used by the system to perform a variety of functions, including the ability to modify data.

An attacker can exploit this vulnerability by creating a malicious applet that invokes certain COM objects. Due to insufficient security checks performed by the JVM, it is possible for the untrusted applet to access the requested, sensitive COM object. Through the manipulation of the object, the attacker can modify arbitrary files on the vulnerable system and allow the attacker to obtain total control of the system.

This vulnerability was originally described in BID 6365. It is now being assigned its own BugTraq ID.

5. Microsoft Java Virtual Machine CODEBASE Parameter File Disclosure Vulnerability BugTraq ID: 6372
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6372
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer. A vulnerability has been discovered in the Microsoft Java Virtual Machine.

The vulnerability results from a specially constructed 'CODEBASE' parameter specified as part of an 'APPLET' HTML tag. The 'CODEBASE' parameter tells the JVM where the applet is located. If an applet is located on a local hard drive or resource, the applet has access to all files and directories that lie directly under the path of its execution. Due to insufficient parsing of HTML tags performed by the JVM, it may be possible for a malicious applet to misrepresent the location of its existence.

An attacker can exploit this vulnerability to load a malicious applet from a remote site and trick the Virtual Machine into thinking that it was executed from a trusted location, such as the vulnerable system's hard drive. This will allow an attacker to obtain access to potentially sensitive files on a vulnerable system or on network shares the user has access to. The vendor has stated that the vulnerability will only allow an attacker to obtain read access to files.

This vulnerability was originally described in BID 6365. It is now being assigned its own BugTraq ID.

Confused? Frustrated?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

6. MySQL COM_CHANGE_USER Password Length Account Compromise Vulnerability BugTraq ID: 6373
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6373
Summary:

MySQL is an open source relational database project, and is available for a number of operating systems, including Microsoft Windows.

A flaw in the password authentication mechanism for MySQL may make it possible for an authenticated database user to compromise the accounts of other database users.

The flaw lies in the fact that the server uses a string returned by the client when the COM_CHANGE_USER command is issued to iterate through a comparison when attempting to authenticate the password. The server does not verify that the password string is of sufficient length. As a result, it is possible for a client to submit a single character as a response and that single character will be compared to the expected password. If this character matches the first character in the password, MySQL will reportedly authenticate the user. The range of the valid character set for passwords is 32 characters, which means that a malicious user can authenticate after a maximum of 32 attempts if they cycle through all of the valid characters.

Since this flaw exists in the COM_CHANGE_USER command, an attacker must have access to a database user account to exploit the issue. They must also know the username of the account they are attempting to compromise. Depending on how the database has been deployed, this may allow for a malicious user to compromise the MySQL root account.

This issue is related to the vulnerability described in Bugtraq ID 975. The problem was not sufficiently addressed in the COM_CHANGE_USER command.

7. MySQL libmysqlclient Library Read_Rows Buffer Overflow Vulnerability BugTraq ID: 6370
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6370
Summary:

MySQL is an open source relational database project, and is available for a number of operating systems, including Microsoft Windows.

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

MySQL contains a library called libmysqlclient that allows queries to be performed against the MySQL server database. A problem exists in the read_rows function of the libmysqlclient library that could result in a buffer overflow.

When the MySQL client performs a SELECT query on the database, the read_rows function loops through the returned fields, copying them to a local buffer. The problem occurs because the function does not verify that the size of the returned fields are smaller than the buffer to which they are being copied.

Additionally, each row is terminated with a '\0' without verifying that there is sufficient space within the destination buffer.

This vulnerability may be exploited to cause a denial of service or to execute arbitrary code in the security context of the MySQL client application. Anything that is linked against libmysql may also be affected by this issue.

8. MySQL libmysqlclient Library Read_One_Row Buffer Overflow Vulnerability BugTraq ID: 6374
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6374
Summary:

MySQL is an open source relational database project, and is available for a number of operating systems, including Microsoft Windows.

MySQL contains a library called libmysqlclient that allows queries to be performed against the MySQL server database. A problem exists in the read_one_row function of the libmysqlclient library that could result in a buffer overflow.

When the MySQL client fetches a row from the database, read_one_row stores the field and the field size without verifying that the data will not overrun the buffer. After storing the pointer to a field, the function terminates the previous field with a '\0' and moves on to the next field. Since the data is not verified against the size of the buffer, a malformed packet can supply an exceptionally long field size and have arbitrary memory overwritten with a '\0', potentially causing the client to crash.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Successful exploitation will most likely result in a denial of service against the MySQL client application. Though it hasn't been confirmed, it may be possible with some client implementations to cause execution of arbitrary code.

9. Mambo Site Server PHPInfo.PHP Information Disclosure Vulnerability BugTraq ID: 6376
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6376
Summary:

Mambo Site Server is a freely available, open source web content management tool. It is written in PHP, and available for Unix, Linux, and Microsoft Windows operating systems.

A problem with Mambo may make it possible for a remote user to gain access to sensitive information.

It has been reported that Mambo enables a script by default that may reveal sensitive information. The phpinfo.php script is packaged with Mambo, and installed by default in the administrator subdirectory. A remote user may use this script to gain information about the server, including path and environment information.

This vulnerability could lead to a more directed attack against hosts. An attacker may access this script via
http://www.example.com/mambo/administrator/phpinfo.php.

1. Bea Systems WebLogic Xerces XML Parser Denial Of Service Vulnerability BugTraq ID: 6378 Remote: No Date Published: Dec 12 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6378 Summary:

BEA Systems WebLogic Server is an enterprise level web and wireless application server for Microsoft Windows and most Unix and Linux distributions.

A problem with WebLogic could allow an attacker to deny service to legitimate users.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

A vulnerability in the handling of XML documents has been discovered. XML documents are parsed by the Xerces component of the WebLogic infrastructure. By parsing a malicious XML document locally, it is possible to cause the WebLogic server process to hang.

This issue could allow an attacker with the ability to place files on the vulnerable host to deny service to legitimate users. Normal service would resume only when the process is killed, and manually restarted. Additionally, this vulnerability could continue to be exploited until the malicious XML file is removed.

1. Microsoft Java Virtual Machine Standard Security Manager Access Validation Vulnerability BugTraq ID: 6381 Remote: Yes Date Published: Dec 12 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6381 Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer. A vulnerability has been discovered in the Microsoft Java Virtual Machine.

This vulnerability is due to a flaw in the access validation check performed by the Virtual Machine's Standard Security Manager. This vulnerability could allow an attacker to suppress the execution of Java applets in the current Internet Explorer browser session.

The Standard Security Manager contains a list of Java applets and modules that applets should not be allowed to invoke. Normally, only the Virtual Machine itself should be allowed to write to the Standard Security Manager. However, due to insufficient access validation controls, any Java applet can write to the Standard Security Manager. This could allow an attacker to add other applets to the banned list, preventing the applets from executing or being executed by other applets.

Exploitation of this vulnerability would only affect the current Internet Explorer browser session. Other sessions running in parallel to or after the affected session would not be affected. Simply closing the affected browser session would correct the results of exploitation.

1. Microsoft Java Virtual Machine Java Object Instantiation Denial Of Service Vulnerability BugTraq ID: 6382 Remote: Yes Date Published: Dec 12 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6382 Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer. A vulnerability has been discovered in the Microsoft Java Virtual Machine.

The vulnerability may allow an attacker to cause the hosting application to fail when a user executes a malicious applet. Restarting the hosting application will restore normal functionality.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

The vulnerability is due to the way the JVM initializes some Java objects. An attacker can exploit this vulnerability by creating a Java applet that will created an incorrectly initialized Java object. This will result in the corruption of memory of the hosting application and its subsequent failure.

This vulnerability was originally described in BID 6365. It is now being assigned its own BugTraq ID.

1. Mambo Site Server Account Registration HTML Injection Vulnerability BugTraq ID: 6386 Remote: Yes Date Published: Dec 12 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6386 Summary:

Mambo Site Server is a freely available, open source web content management tool. It is written in PHP, and available for Unix, Linux, and Microsoft Windows operating systems.

Mambo Site Server does not sufficiently sanitize HTML submitted through the "Your Name" form field during account registration. Data in this field may be output to other users, such as in articles. Though it has been reported that an administrative user must approve articles before they are displayed to other users, it is possible that malicious script code may be displayed to the administrative user when an article is reviewed for approval. This possibility has not been confirmed.

An attacker may include arbitrary HTML and script code in the "Your Name" field and when this information is viewed by other users, the attacker-supplied code will execute in their web client in the security context of the site.

Exploitation may allow for theft of cookie-based authentication credentials or other attacks.

It is possible that other account registration form fields also do not sufficiently sanitize HTML.

1. Mambo Site Server Path Disclosure Vulnerability BugTraq ID: 6387 Remote: Yes Date Published: Dec 12 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6387 Summary:

Mambo Site Server is a freely available, open source web content management tool. It is written in PHP, and available for Unix, Linux, and Microsoft Windows operating systems.

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

A vulnerability has been discovered in Mambo Site Server. Requesting the
'index.php' script with an invalid parameter will cause an error page to
be generated containing the path of the Mambo script.

This will disclose sensitive information about the layout of the filesystem of the host running the vulnerable software. Information of this nature may aid in mounting further attacks against the host.

It should be noted that this vulnerability was reported in Mambo Site Server 4.0.11. It is not yet known whether other versions are affected.

1. Captaris Infinite WebMail HTML Injection Vulnerability BugTraq ID: 6411 Remote: Yes Date Published: Dec 16 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6411 Summary:

Captaris Infinite WebMail is a Web server application that provides HTML access to email stored in SMTP, POP3, and IMAP mail systems. It is available for the Microsoft Windows operating system.

A vulnerability has been discovered in Infinite WebMail. Due to insufficient sanitization of HTML content it is possible to embed arbitrary script code within an HTML email. The problem occurs in the <p> and <b> HTML tags.

When an unsuspecting user of the vulnerable software views the malicious message, the attacker-supplied code will executed in their web browser in the security context of the webmail system.

This may allow an attacker to steal cookie-based authentication credentials from users of the webmail system. Other attacks are also possible.

1. EServ Buffer Overflow Vulnerability BugTraq ID: 6391 Remote: Yes Date Published: Dec 13 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6391 Summary:

EServ is a combination Mail, News, Web, FTP and Proxy Server for Microsoft Windows 9x/NT/2000 systems.

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

A buffer overflow vulnerability has been reported for EServ. The vulnerability occurs when EServ receives an overly long stream of data for any of its listening services.

An attacker can exploit this vulnerability by sending an overly long stream of data, consisting of at least 5080000 characters, to any of the ports that EServ is listening on. This will trigger the buffer overflow condition and will result in the EServ process crashing.

Although unconfirmed, it may be possible for an attacker to gain control over the execution of the vulnerable process and execute malicious attacker-supplied code.

This vulnerability was reported for EServ 2.97 and 2.99; it is likely that previous versions are also affected.

1. PKZip Tar Hostile Destination Path Vulnerability BugTraq ID: 6419 Remote: Yes Date Published: Dec 17 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6419 Summary:

PKZip is prone to a security vulnerability when unpacking .tar archives. The problem is in the handling of pathnames.

By specifying a path for an archived item which points outside the expected directory scope, the creator of the archive can cause the file to be extracted to arbitrary locations on the filesystem. An attacker may take advantage of this vulnerability to cause malicious files to be placed anywhere on a target filesystem.

An attacker may exploit this condition by specifying a relative extraction path in a malicious .tar that points to sensitive or critical files, such as system binaries.

This issue was reported in PKZip for Microsoft Windows platforms. It is not known if other platforms are also affected.

Confused? Frustrated?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

This issue is similar to the issue described in Bugtraq ID 5933, but affects how .tar archives are handled specifically.

This vulnerability was originally described in BID 6412 "Multiple Vendor Archiving Software Tar Hostile Destination Path Vulnerability" and is now being assigned an individual Bugtraq ID.

1. Microsoft Java Virtual Machine user.dir Access Information Disclosure Vulnerability BugTraq ID: 6380 Remote: Yes Date Published: Dec 12 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6380 Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer. A vulnerability has been discovered in the Microsoft Java Virtual Machine.

The vulnerability may allow an attacker to obtain access to the user.dir system property. The user.dir property contains information about the current working directory of the hosting application.

An attacker can exploit this issue by enticing a user to execute a malicious applet. The JVM does not restrict access to the user.dir system property to untrusted Java applets and will result in the malicious applet obtaining access to user.dir. This will allow an attacker to obtain information that may be used to launch further attacks against a vulnerable system.

This vulnerability was originally described in BID 6365. It is now being assigned its own BugTraq ID.

1. VIM ModeLines Arbitrary Command Execution Vulnerability BugTraq ID: 6384 Remote: No Date Published: Dec 12 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6384 Summary:

vim is a freely available, open source text editor. It is available for Unix, Linux, and Microsoft Operating Systems.

A problem with vim may make it possible to execute arbitrary commands on a vulnerable host.

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

It has been reported that a problem exists in vim with modelines. Modelines are instructions placed at the beginning and end of text files to instruct the editor on how to handle certain elements of the file. Due to insufficent handling of input, it may be possible to execute arbitrary commands through the modelines function.

This vulnerability could allow an attacker to execute arbitrary commands with the privileges of the vim user. Through social engineering, this may give an attacker the ability to gain remote access to the vulnerable host.

20. PHP-Nuke Web Mail Remote PHP Script Execution Vulnerability BugTraq ID: 6399
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6399
Summary:

PHP-Nuke is a web-based portal system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows.

A vulnerability has been discovered in a web mail module available for PHP-Nuke. When a user opens an email containing an attachment the file will be stored in a remote accessible web directory. The module fails to filter attachments containing active content, making it possible for an attacker to access a PHP script located in the users web directory.

By sending a user a malicious attachment and then accessing the script a remote attacker is able to cause arbitrary PHP code to be executed on the target system. This may allow an attacker to access sensitive information or compile malicious programs designed to open backdoors into the server.

21. Microsoft Java Virtual Machine Multiple Vulnerabilities BugTraq ID: 6365
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6365
Summary:

Several vulnerabilities have been reported for Microsoft Java Virtual Machine.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

The first vulnerability may allow a malicious Java applet to access COM (Component Object Model) objects. A malicious Java applet may be able to access COM objects that allow control of the system. By exploiting this vulnerability an attacker would be able to take complete control over a compromised machine.

The second vulnerability may allow an attacker to misrepresent the location of a malicious Java applet. Through the use of an APPLET HTML tag, an attacker can specify a false value for the 'CODEBASE' parameter. The 'CODEBASE' parameter is used to tell a browser where the Java applet is located. An attacker can exploit this vulnerability to load a malicious applet from a remote site and trick the Virtual Machine into thinking that it was executed from a trusted location, such as the vulnerable system's hard drive. This will allow an attacker to obtain access to potentially sensitive files on a vulnerable system.

The third vulnerability may allow an attacker to construct a malicious URL that would load a Java applet from an attacker's site but misrepresent it as belonging to another, trusted, site. The vulnerability is due to a flaw in the Virtual Machine's URL parser. An attacker can exploit this vulnerability to intercept any traffic that the user would send to the trusted site. This information may be used by an attacker to launch further attacks against a vulnerable system.

The fourth vulnerability may allow an attacker to access databases used by the system as another user. This will allow an attacker to obtain read and write access to the database. This vulnerability is due to the bypassing of existing security checks of the JDBC (Java Database Connectivity) APIs by malicious applets.

The fifth vulnerability may allow an attacker to prevent Java applets on other pages from running. This vulnerability exists due to insufficient security checks in the Virtual Machine that allows Java applets to write to the Standard Security Manager. An attacker can exploit this vulnerability to write to the Standard Security Manager and prevent other applets from being executed. This vulnerability will allow an attacker to prevent Java applets from being run only in the current browser session; any new browser sessions will be unaffected.

The sixth vulnerability may allow an attacker to obtain access to the user.dir property. The user.dir property contains information about the current working directory of the hosting application. Exploitation of this issue may allow an attacker to obtain information that may be used to launch further attacks against a vulnerable system.

The final vulnerability may allow an attacker to cause the hosting application to fail when a user visits a malicious site. Restarting the hosting application will restore normal functionality. The vulnerability is due to the way the Virtual Machine initializes some Java objects. An attacker can exploit this vulnerability by creating a Java applet that will created an incorrectly initialized Java object. This will result in the corruption of memory of the hosting application and its subsequent failure.

• At the earliest possible convenience, this record will be divided up into new vulnerability records where it is appropriate. Existing records will also be updated to reflect the information contained in the Microsoft Security Bulletin. 22. MySQL COM_CHANGE_USER Password Memory Corruption Vulnerability BugTraq ID: 6375 Remote: Yes Date Published: Dec 12 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6375 Summary:

MySQL is an open source relational database project, and is available for a number of operating systems, including Microsoft Windows.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

MySQL is prone to a memory corruption vulnerability in the COM_CHANGE_USER command.

Due to a lack of sufficient bounds checking for client responses to password authentication challenges, it may be possible to corrupt sensitive regions of memory.

It has been reported that it is possible to overwrite the saved instruction pointer on the stack with bytes generated by the random number generator of the password verification algorithm. Given enough attempts, it may be possible for an attacker to change to flow of execution of the program so that a significant region of memory is returned to, such as a region containing attacker-supplied instructions. Failed exploitation attempts will cause the MySQL server to crash, only to be restarted, so it is possible for an attacker to make multiple exploitation attempts. Theoretically, an attacker could leverage such a condition to cause execution of arbitrary code in the security context of the MySQL server process.

It is believed the attacker must be able to issue a COM_CHANGE_USER command to exploit this issue, so having access to a valid database user account may be a prerequisite for exploitation. It is not known if this condition exists when an unauthenticated user attempts to authenticate normally.

This condition may not be exploitable on Microsoft Windows platforms due to the random number generator for the password verification algorithm using a limited character set.

23. Microsoft Java Virtual Machine URL Parsing Vulnerability BugTraq ID: 6377
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6377
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer. A vulnerability has been discovered in the Microsoft Java Virtual Machine.

This vulnerability is due to a flaw in the way the JVM parses URLs. This vulnerability may allow an attacker to construct a malicious URL that would load a Java applet from an attacker's site but misrepresent it as belonging to another, trusted, site.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

An attacker can exploit this vulnerability to trick a user into executing a malicious applet to intercept any traffic that the user would send to a trusted site. Such information could include personal information or even credit card details; an attacker could potentially obtain any information the user is willing to divulge to the site from which the malicious applet appears to originate. This vulnerability could also be used to steal cookie based credentials.

This vulnerability was originally described in BID 6365. It is now being assigned its own BugTraq ID.

24. Microsoft Java Virtual Machine JDBC API Access Vulnerability BugTraq ID: 6379
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6379
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer. A vulnerability has been discovered in the Microsoft Java Virtual Machine (JVM).

The vulnerability is due to insufficient security checks performed by the JVM on JDBC (Java Database Connectivity) API access by remote applets. The JDBC APIs are a set of functions that allow Java applets to access databases on systems.

Only trusted Java applets should be able to access these APIs however, an attacker may be able to create an applet that can bypass the existing security checks performed by the JVM to access the APIs. This will allow an attacker to access databases with the privileges of another user to manipulate the contents of databases accessible by the user.

This vulnerability was originally described in BID 6365. It is now being assigned its own BugTraq ID.

25. PHP-Nuke 6.0 Multiple Cross Site Scripting Vulnerabilities BugTraq ID: 6409
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6409
Summary:

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

PHP-Nuke is a web-based portal system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows.

Cross-site scripting vulnerabilities have been discovered in multiple PHP scripts used by PHP-Nuke 6. Due to insufficient sanitization of web requests it is possible for script code to be embedded in PHP script requests.

The scripts, which are vulnerable to these issues, include
'bb_smilies.php', 'bbcode_ref.php', 'editpost.php', 'newtopic.php',
'reply.php', 'topicadmin.php', 'viewforum.php', and 'searchbb.php'.

By constructing a malicious link which exploits one of these vulnerabilities, it may be possible to execute arbitrary code within the context of a website visited by an unsuspecting user. This may allow a remote attacker to steal cookie-based authentication credentials, which could be used at a later time to hijack a user's web session.

26. Symantec Enterprise Firewall RealAudio Proxy Buffer Overflow Vulnerability BugTraq ID: 6389
Remote: Yes
Date Published: Dec 13 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6389
Summary:

Raptor Firewall is an enterprise level firewall originally developed by Axent Technologies and is maintained and distributed by Symantec. Symantec Enterprise Firewall is formerly known as Raptor firewall. It is available for Microsoft Windows and Unix operating systems.

A vulnerability has been reported for Symantec Enterprise Firewall. A buffer overflow vulnerability occurs in the RealAudio Proxy installed on Symantec Enterprise Firewall. Reportedly when the Proxy process is sent a specially formatted stream of data, it will trigger a buffer overflow condition. This will result in the rad (ReadAudio) and statsd (statistics) services to unexpectedly terminate and produce Dr. Watson logs.

The vulnerability occurs when the RealAudio Proxy receives packets that do not follow the RealAudio Protocol. An attacker can exploit this vulnerability and send a specially crafted stream of data to the Proxy process. This will result in a local buffer to be overrun with attacker supplied values and will trigger the buffer overflow condition. This will cause the rad and statsd services to terminate resulting in a denial of service condition.

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Although unconfirmed, it may be possible for an attacker to gain control over the execution of the vulnerable RealAudio Proxy process.

27. MyPHPSoft MyPHPLinks SQL Injection Administration Bypassing Vulnerability BugTraq ID: 6395
Remote: Yes
Date Published: Dec 14 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6395
Summary:

MyPHPLinks is a freely available, open source PHP application distributed by MyPHPSoft. It is available for Unix, Linux, and Microsoft Windows operating systems.

A problem with MyPHPLinks could allow remote attackers unauthorized access to system resources.

It has been reported that a problem with the checking of input by MyPHPLinks exists. A problem in the checking of the idsession variable used by MyPHPLinks to verify Administrator access may allow a remote user to gain access to the host. This problem could allow an attacker to gain administrator access to the MyPHPLinks section of a web site.

This vulnerability may be exploited by passing a SQL statement through the idsession variable. This SQL statement must evaluate to true. Exploitation of this vulnerability would allow an attacker to change the links indexed in a MyPHPLink implementation.

28. Cypherix Cryptainer Information Disclosure Vulnerability BugTraq ID: 6396
Remote: No
Date Published: Dec 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6396
Summary:

Cypherix Cryptainer is data encryption software designed for use with Microsoft Windows operating systems.

Confused? Frustrated?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

A vulnerability has been reported for Cryptainer that may allow attackers to obtain access to the passwords used by Cryptainer. The vulnerability exists due to the way Cryptainer stores the user-supplied password to access the program. Specifically, Cryptainer stores the password in memory in clear text.

This vulnerability can only be exploited when Cryptainer is loaded and the victim user has entered the password at least once. However, Cryptainer contains a feature that allows the program to be minimized in the System Tray. This satisfies one condition of exploitation and may provide local attackers with a greater chance for exploitation.

By exploiting this issue a malicious local user may be able to retrieve sensitive information from a system using Cryptainer and may lead to compromise of computing resources.

29. PHP-Nuke Web Mail Script Injection Vulnerability BugTraq ID: 6400
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6400
Summary:

PHP-Nuke is a web-based portal system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows.

A vulnerability has been discovered in the web mail module available for PHP-Nuke. Due to insufficient sanitization of message content it is possible for an attacker to embed script code into a malicious HTML email. An unsuspecting user that opens the email will cause the script code to be executed within their browser.

Exploiting this issue may allow an attacker to steal cookie-based authentication credentials, which may be used at a later time to hijack a user's web session.

30. PHP-Nuke Multiple Path Disclosure Vulnerabilities BugTraq ID: 6406
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6406
Summary:

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

PHP-Nuke is a web based Portal system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows.

Multiple path disclosure vulnerabilities have been discovered in PHP scripts used by PHP-Nuke. The issue occurs when a request is made for a script, which should not be accessed directly. Some scripts do not provide sufficient error handling for cases where these scripts are accessed directly. This will cause the script to generate an error page containing the absolute path information. The PHP scripts affected by this issue include voteinclude.php, navbar.php, attachment.php, and mainfile.php.

Exploiting this issue will cause the target server to disclose sensitive information about the layout of the filesystem of the host running the vulnerable software. Information of this nature may aid in mounting further attacks against the host.

31. ZipMagic Tar Hostile Destination Path Vulnerability BugTraq ID: 6416
Remote: Yes
Date Published: Dec 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6416
Summary:

ZipMagic is a file compression utility available from Aladdin Systems. It is available for the Microsoft Windows operating system.

A vulnerability has been discovered in Aladdin Systems ZipMagic when handling malicious .tar archives. The problem lies in the handling of pathnames.

By specifying a path for an archived item which points outside the expected directory scope, the creator of the archive can cause the file to be extracted to arbitrary locations on the filesystem. An attacker may take advantage of this vulnerability to cause malicious files to be placed anywhere on a target filesystem.

An attacker may exploit this condition by specifying a relative extraction path in a malicious .tar that points to sensitive or criticals files, such as system binaries.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

This vulnerability was originally described in BID 6412 "Multiple Vendor Archiving Software Tar Hostile Destination Path Vulnerability" and is now being assigned an individual Bugtraq ID.

32. WinZip Tar Hostile Destination Path Vulnerability BugTraq ID: 6418
Remote: Yes
Date Published: Dec 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6418
Summary:

WinZip is an archiving utility for Microsoft Windows platforms.

WinZip is prone to a security vulnerability when unpacking .tar archives. The problem is in the handling of pathnames.

By specifying a path for an archived item which points outside the expected directory scope, the creator of the archive can cause the file to be extracted to arbitrary locations on the filesystem. An attacker may take advantage of this vulnerability to cause malicious files to be placed anywhere on a target filesystem.

This issue is present when the "Extract folder names" option is checked in the extraction dialogue, which is the default setting and is used to retain the directory structure when extracting files. An attacker may exploit this condition by specifying a relative extraction path in a malicious .tar that points to sensitive or critical files, such as system binaries.

This vulnerability was originally described in BID 6412 "Multiple Vendor Archiving Software Tar Hostile Destination Path Vulnerability" and is now being assigned an individual Bugtraq ID.

33. WinRAR Archive Improper File Representation Weakness BugTraq ID: 6422
Remote: Yes
Date Published: Dec 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6422
Summary:

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news