SecurityFocus Microsoft Newsletter #120

SecurityFocus Microsoft Newsletter #120

This issue is sponsored by: Qualys

Strengthening Network Security: FREE Guide Network security is a constantly moving target - even proven solutions lose their punch over time. Find out how to get COMPLETE PROTECTION against ever-growing security threats with our FREE new Guide.

Get your copy today at: https://www.qualys.com/forms/nsguideh_376.php

I. FRONT AND CENTER

1. Instant Insecurity: Security Issues of Instant Messaging
2. Intelligence Gathering: Watching a Honeypot at Work
3. Closing the Floodgates: DDoS Mitigation Techniques
4. Strikeback, Part Deux
5. SecurityFocus DPP Program
6. InfoSec World Conference and Expo/2003 (March 10-12, 2003,Orlando, FL) II. MICROSOFT VULNERABILITY SUMMARY
7. DCP-Portal Remote File Include Vulnerability
8. CGIHTML Form Data File Corruption Vulnerability
9. Horde IMP Database Files SQL Injection Vulnerabilities
10. myPHPNuke Information Disclosure Vulnerability
11. CommuniGate Pro Webmail File Disclosure Vulnerability
12. CGIHTML Insecure Form-Data Temporary File Vulnerability
13. Active PHP Bookmarks Multiple File Include Vulnerabilities
14. Mambo Site Server Multiple Cross Site Scripting Vulnerabilities
15. Mambo Site Server Arbitrary File Upload Vulnerability
16. AN HTTPD Cross Site Scripting Vulnerability
17. Multiple Vendor Network Device Driver Frame Padding...
18. Microsoft Windows Fontview Denial of Service Vulnerability
19. KaZaA Advertisement Local Zone Vulnerability
20. myPHPNuke Default_Theme Cross Site Scripting Vulnerability
21. Macromedia ColdFusion MX CFInclude And CFModule Tag Sandbox...
22. AN HTTPD HTTP Request Buffer Overflow Vulnerability
23. S8Forum Remote Command Execution Vulnerability
24. FormMail Cross-Site Scripting Vulnerability
25. Bea Systems WebLogic ResourceAllocationException System...
26. DCP-Portal Unauthorized Account Access Vulnerability
27. cgihtml Signed Integer Content-Length Memory Corruption...
28. cgihtml Denial Of Service Vulnerability
29. A.ShopKart Multiple SQL Injection Vulnerabilities
30. Business Objects WebIntelligence Application Session Hijacking... III. MICROSOFT FOCUS LIST SUMMARY
31. AD replication over WAN (Thread)
32. FW: Tools for changing WMI namespace ACL's (Thread)
33. SecurityFocus Microsoft Newsletter #120 (Thread) IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
34. i.Secure Drive
35. Adhaero Transit
36. CipherPack Pro
37. NEW TOOLS FOR MICROSOFT PLATFORMS
38. K9 v1.0
39. GFI LANguard Network Security Scanner (N.S.S.) v3.0
40. Demarc PureSecure v1.6 VI. SPONSOR INFORMATION
41. FRONT AND CENTER

    ---

42. Instant Insecurity: Security Issues of Instant Messaging By Neal Hindocha

Instant messaging services are becoming an increasingly popular form of communication, both in the personal and the professional spheres. This paper will describe instant messaging and offer a brief overview of some of the security threats associated with the service.

http://online.securityfocus.com/infocus/1657

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

2. Intelligence Gathering: Watching a Honeypot at Work By Toby Miller

The purpose of this article is share with the security community the data the author collected from his honeypot. This discussion will include the attacker's recon, the attack, the attempted cover-up, and the reason for the attack on the honeypot.

http://online.securityfocus.com/infocus/1656

3. Closing the Floodgates: DDoS Mitigation Techniques by Matthew Tanase

To be on the receiving end of a distributed denial of service (DDoS) attack is a nightmare scenario for any network administrator, security specialist or access provider. It begins instantly, without warning, and continues relentlessly: machines down, jammed bandwidth, overloaded routers. An effective, immediate response is often difficult and may depend on third parties, such as ISPs. With these challenges in mind, this article will explore some techniques that systems administrators and security professionals can employ should they ever find themselves in this rather undesirable situation.

http://online.securityfocus.com/infocus/1655

4. Strikeback, Part Deux
By Tim Mullen

Why I should have the right to kill a malicious process on your machine.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

http://online.securityfocus.com/columnists/134

5. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only global early-warning system for cyber attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

6. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11

Solutions to today’s security concerns; hands-on experts; blockbuster vendor expo; the CISO Executive Summit; invaluable networking opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

II. BUGTRAQ SUMMARY

1. DCP-Portal Remote File Include Vulnerability BugTraq ID: 6525 Remote: Yes Date Published: Jan 06 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6525 Summary:

DCP-Portal is a freely available content management system implemented in PHP. It is available for a variety of platforms including Microsoft Windows and Linux variants.

DCP-Portal is prone to an issue which may allow remote attackers to include arbitrary files located on remote servers. This issue is present in the 'library/editor/editor.php' and 'library/lib.php' scripts included with DCP-Portal.

An attacker may exploit this by supplying a path to a maliciously created file, located on an attacker-controlled host as a value for the '$root' parameter.

If the remote file is a PHP script, this may allow for execution of attacker-supplied PHP code with the privileges of the webserver. Successful exploitation may provide local access to the attacker.

This vulnerability was reported for DCP-Portal 5.0.1. It is not known whether earlier versions are affected.

2. CGIHTML Form Data File Corruption Vulnerability BugTraq ID: 6550
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6550
Summary:

cgihtml is a series of CGI and HTML routines, implemented in C. It can be run on a number of platforms, including Unix and Linux variants and Microsoft Windows.

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

When handling uploaded form-data, cgihtml creates a temporary file to store this data in /tmp or another user-specified directory. The software uses the client supplied filename when creating the temporary file. If the attacker supplies a malicious filename, such as one pre-pended with dot-dot-slash (../) directory traversal sequences, it may be possible to corrupt files outside of the specified temporary directory.

The cause of this issue trust in user-supplied input. The routines use a client-supplied filenames when creating temporary file. The routines then do not sufficiently validate that the filename does not contain directory traversal sequences or has a name that may conflict with existing system files.

For this attack to be successful, the targetted files must be writeable by a server process that utilizes the vulnerable cgihtml routines.

3. Horde IMP Database Files SQL Injection Vulnerabilities BugTraq ID: 6559
Remote: Yes
Date Published: Jan 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6559
Summary:

IMP is a web-based mail interface/client developed by members of the Horde project. It is implemented in PHP and runs on a number of operating systems, including Unix and Linux variants and Microsoft Windows operating systems.

It has been reported that IMP is prone to multiple SQL injection vulnerabilities.

IMP, in some cases, does not sufficiently sanitize user-supplied input which is used when constructing SQL queries to execute on the underlying database. As a result, it is possible to manipulate SQL queries. This may allow a remote attacker to modify query logic or potentially corrupt the database. Consequences will vary depending on the queries used and the capabilities of the underlying database implementation.

These issues occur throughout the database command files for different database implementations, for example 'lib/db.pgsql'. These files contain syntax for constructing queries with using database implementations.

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

SQL injection attacks may also potentially be used to exploit latent vulnerabilities in the underlying database implementation.

4. myPHPNuke Information Disclosure Vulnerability BugTraq ID: 6541
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6541
Summary:

myPHPNuke is a Web Portal System based on PHP-Nuke 4.4.1a. It is available for the Linux and Microsoft Windows operatining system.

An information disclosure vulnerability has been reported for myPHPNuke. The vulnerability exists due to insufficient checks performed in the system_footer.php script file. Specifically, the system_footer.php script, found in the 'admin/' subdirectory, calls the phpinfo() function without checking who the user is.

An attacker can exploit this vulnerability by making a request for the system_footer.php script. The system will respond by disclosing information to a remote attacker.

Information obtained in this manner may be used by an attacker to launch attacks against a vulnerable system.

5. CommuniGate Pro Webmail File Disclosure Vulnerability BugTraq ID: 6542
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6542
Summary:

CommuniGate Pro is an internet messaging server. CommuniGate Pro includes a webmail service to allow access to mailboxes via HTTP. It is available for a number of platforms including Unix and Linux variants and Microsoft Windows operating systems.

Confused? Frustrated?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

A file disclosure vulnerability has been reported in the CommuniGate Pro webmail component.

A specially crafted web request containing dot-dot-slash (../) directory traversal sequences may break out of the document root and disclose arbitrary web server readable files that exist on the underlying host.

Exploitation of this vulnerability may lead to disclosure of sensitive information that may be useful in mounting further attacks on the host system. The impact of this vulnerability is compounded by the fact that CommuniGate Pro runs as root by default, though may be configured to drop privileges. This issue was reported for CommuniGate Pro on FreeBSD. It is likely that the software is affected on other platforms as well.

6. CGIHTML Insecure Form-Data Temporary File Vulnerability BugTraq ID: 6552
Remote: No
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6552
Summary:

cgihtml is a series of CGI and HTML routines, implemented in C. It can be run on a number of platforms, including Unix and Linux variants and Microsoft Windows.

When handling uploaded form-data, cgihtml creates a temporary file to store this data in /tmp or another user-specified directory. A client supplied filename is used when the temporary file is created. This presents a security vulnerability since the name of the temporary file can be anticipated by the attacker.

A local attacker may take advantage of this condition to create a symbolic link in place of the temporary file, which points to another file on the system which is writeable by a server process which utilizes the vulnerable routines. The vulnerable routines will follow any symbolic links provided in place of a temporary file. The attacker may then submit a malicious form-data upload, using the attacker-supplied filename, and cause local files to be corrupted.

If custom data can be written to files, it is possible to gain elevated privileges.

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

7. Active PHP Bookmarks Multiple File Include Vulnerabilities BugTraq ID: 6545
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6545
Summary:

Active PHP Bookmarks (APB) is a web-based application for managing a collection of bookmarks. APB is available for Unix and Linux variants as well as Microsoft Windows operating systems.

APB is prone to multiple issues which may allow a remote attacker to cause a malicious external file to be included and interpreted.

Attackers may influence include paths for a number of APB scripts. By specifying a path to a resource (such as a malicious PHP script) on a remote attacker-controlled server, it is possible to cause arbitrary commands to be executed with the privileges of the webserver process.

This issue is known to exist in the following scripts:

head.php
apb_common.php
apb_view_class.php

8. Mambo Site Server Multiple Cross Site Scripting Vulnerabilities BugTraq ID: 6571
Remote: Yes
Date Published: Jan 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6571
Summary:

Mambo Site Server is a freely available, open source web content management tool. It is written in PHP, and available for Unix, Linux, and Microsoft Windows operating systems.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Mambo Site Server does not adequately filter HTML code thus making it prone to cross-site scripting attacks. It is possible for a remote attacker to create a malicious link containing script code which will be executed in the browser of a legitimate user. All code will be executed within the context of the website running Mambo Site Server.

The following files were reported to be prone to cross site scripting attacks:

administrator/popups/sectionswindow.php
administrator/gallery/gallery.php
administrator/gallery/navigation.php
administrator/gallery/uploadimage.php
administrator/gallery/view.php
administrator/upload.php

emailfriend/emailarticle.php
emailfriend/emailfaq.php
emailfriend/emailnews.php

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software. The attacker may hijack the session of the legitimate by using cookie-based authentication credentials.

This vulnerability was reported for Mambo Site Server 4.0.12 BETA and earlier.

9. Mambo Site Server Arbitrary File Upload Vulnerability BugTraq ID: 6572
Remote: Yes
Date Published: Jan 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6572
Summary:

Mambo Site Server is a freely available, open source web content management tool. It is written in PHP, and available for Unix, Linux, and Microsoft Windows operating systems.

A problem with Mambo Site Server may make it possible for remote attackers to upload files to a vulnerable system.

Due to inadequate security checks performed by some PHP scripts, an attacker is able to upload arbitrary files to the system. The following scripts have been reported to be vulnerable to this issue: administrator/gallery/uploadimage.php administrator/upload.php upload.php

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Specifically, the scripts only check to see whether certain image extensions, such as '.jpg' and '.gif', exist in the filename. As such any file that includes the allowed extensions may be uploaded. Any uploaded files will be stored in the 'images/stories' directory on the system.

Given the ability to upload arbitrary files to the host, an attacker can exploit this vulnerability to upload malicious applications to the vulnerable system or use the system for the storage of files.

This vulnerability was reported for Mambo Site Server 4.0.12 BETA and earlier.

1. AN HTTPD Cross Site Scripting Vulnerability BugTraq ID: 6529 Remote: Yes Date Published: Jan 06 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6529 Summary:

AN HTTPD is a Web server designed for use on Microsoft Windows operating systems.

AN HTTPD does not adequately filter HTML code thus making it prone to cross-site scripting attacks. It is possible for a remote attacker to create a malicious link containing script code which will be executed in the browser of a legitimate user. All code will be executed within the context of the website running AN HTTPD.

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software. The attacker may hijack the session of the legitimate by using cookie-based authentication credentials.

This vulnerability was reported for AN HTTPD 1.41e.

1. Multiple Vendor Network Device Driver Frame Padding Information Disclosure Vulnerability BugTraq ID: 6535 Remote: Yes Date Published: Jan 06 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6535 Summary:

Network device drivers for several vendors have been reported to disclose potentially sensitive information to attackers.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Frames that are smaller than the minimum frame size should have the unused portion of the frame buffer padded with null (or other) bytes. Some device drivers do not do this adequately, leaving the data that was stored in the memory comprising the buffer prior to its use intact. Consequently, this data may be transmitted within frames across ethernet segments. As the ethernet frame buffer is allocated in kernel memory space, sensitive data may be leaked.

An attacker can exploit this vulnerability by sending a simple ICMP packet to a vulnerable machine. A response to such a query will involve a packet that has been padded to a sufficient length. It may be that the information that is padded is of a sensitive nature. An attacker may use the information obtained in this manner to launch other attacks against a vulnerable system.

This vulnerability has been reported to affect the atp.c, axnet_cs.c, xirc2ps_cs.c and the rtl8139.c network device drivers for Linux variant systems. Older NetApp systems using the 'Gigabit Ethernet Controller I' are vulnerable to this issue.

Cisco has stated that the IOS 12.1 and 12.2 trains are not affected.

1. Microsoft Windows Fontview Denial of Service Vulnerability BugTraq ID: 6536 Remote: No Date Published: Jan 06 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6536 Summary:

Microsoft Windows uses fontview.exe as the default font viewer.

Windows is vulnerable to a denial of service condition when certain malformed OpenType font files (.otf) are viewed with the default font viewer. Attempting to view the font file causes a page fault, resulting in the system Blue Screening and rebooting.

Since this issue results in an invalid memory reference by the kernel, there is a possibility that it may be exploitable to cause code execution, however, this has not been confirmed.

The exact cause of this issue is not currently known, however, this record will be updated if and when more details become available.

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

This vulnerability is reported to affect Windows 2000 and XP, but other versions may also be affected.

1. KaZaA Advertisement Local Zone Vulnerability BugTraq ID: 6543 Remote: Yes Date Published: Jan 06 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6543 Summary:

KaZaA Media Desktop is a peer to peer file sharing utility, available for Microsoft Windows based systems. A potential remote command execution vulnerability has been reported in some versions of KaZaA Media Desktop.

By default all Internet content such as websites and advertisments are run within the 'Internet Zone'. Local content is run within the 'Local Zone' and is run with lower restrictions then the Internet Zone.

It has been reported that KaZaA advertisement content is rendered in the systems Local Zone. This presents a security risk as it is possible for the content to execute arbitrary commands on the local system. This issue may also be exploited to disclose the contents of system files.

1. myPHPNuke Default_Theme Cross Site Scripting Vulnerability BugTraq ID: 6544 Remote: Yes Date Published: Jan 06 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6544 Summary:

myPHPNuke is a Web Portal System based on PHP-Nuke 4.4.1a. It is available for the Linux and Microsoft Windows operating systems.

Reportedly, myPHPNuke does not adequately filter HTML code thus making it prone to cross-site scripting attacks. It is possible for a remote attacker to create a malicious link containing script code which will be executed in the browser of a legitimate user. All code will be executed within the context of the website running myPHPNuke.

The vulnerability exists in the chatheader.php and partner.php script files included with myPHPNuke. Specifically, malicious HTML code is not properly sanitized from the value for the 'Default_Theme' URI parameter.

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software. The attacker may hijack the session of the legitimate by using cookie-based authentication credentials.

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

This vulnerability was reported for myPHPNuke 1.8.8_final_7 and earlier.

1. Macromedia ColdFusion MX CFInclude And CFModule Tag Sandbox Escaping Vulnerability BugTraq ID: 6566 Remote: Yes Date Published: Jan 09 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6566 Summary:

ColdFusion MX Enterprise Edition is the application server developing and hosting infrastructure distributed by Macromedia. It is available as a standalone product for Unix, Linux, and Microsoft Operating Systems.

A problem with ColdFusion MX Enterprise Edition may allow users to access restricted files.

A vulnerability in the use of the cfinclude and cfmodule Tags exists in ColdFusion MX. In environments that are sandboxed, it may be possible for a script to access files outside of the sandboxed directory. This could lead to unauthorized access to files on the host.

The problem is in the handling of relative paths. Due to insufficient checking of input in custom tags, it is possible to upload a file using custom tags and containing relative paths that will access files outside of a sandboxed directory. This could allow an attacker to access unauthorized and potentially sensitive information.

It should be noted that this vulnerability will only reveal the contents of files to which the ColdFusion server has read access to.

1. AN HTTPD HTTP Request Buffer Overflow Vulnerability BugTraq ID: 6528 Remote: Yes Date Published: Jan 06 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6528 Summary:

AN HTTPD is a Japanese language Web server designed for use on Microsoft Windows operating systems.

A buffer overflow vulnerability has been reported for AN HTTPD. The vulnerability exists when AN HTTPD receives overly long HTTP requests.

Confused? Frustrated?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

An attacker can exploit this vulnerability by issuing a long HTTP request, consisting of at least 1024 characters, to any CGI or BAT script on the vulnerable server. When AN HTTPD attempts to process this request, it will crash.

Although unconfirmed, it may be possible to cause the vulnerable web server to execute malicious attacker-supplied code.

This vulnerability was reported for AN HTTPD 1.41e.

1. S8Forum Remote Command Execution Vulnerability BugTraq ID: 6547 Remote: Yes Date Published: Jan 06 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6547 Summary:

S8Forum is web forum software. It employs a local flat-file database for storing user information. It is available for Unix and Linux variants as well as Microsoft Windows operating systems.

S8Forum is prone to a remote command execution vulnerability.

When a user registers with the forum, a file is created locally with the specified username. The contents of this file will be the data entered by the user. As a result, a malicious user could create a file with an arbitrary name and PHP (.php) extension that contains valid PHP code. The attacker may then cause this file to be executed by requesting it via HTTP. This may result in execution of arbitrary commands with the privileges of the webserver process. An attacker may exploit this condition to gain local, interactive access to the system hosting the vulnerable software.

1. FormMail Cross-Site Scripting Vulnerability BugTraq ID: 6570 Remote: Yes Date Published: Jan 09 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6570 Summary:

FormMail is a web-based e-mail gateway, which allows form-based input to be emailed to a specified user. It is written in Perl and will run on most Linux and Unix variants, in addition to Microsoft Windows operating systems.

FormMail is allegedly prone to cross-site scripting attacks.

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

The FormMail script does not sufficiently sanitize HTML tags and script code from query strings, which in turn are output into pages generated by the software. As a result, a remote attacker may construct a malicious link to the script which contains arbitrary script code. If this link is visited by a web user, the attacker-supplied script code may be interpreted by their browser in the context of the site hosting the software.

This may allow an attacker to steal cookie-based authentication credentials or manipulate web content. Other attacks are also possible.

This issue was reported in FormMail 1.92. Other versions may also be affected.

1. Bea Systems WebLogic ResourceAllocationException System Password Disclosure Vulnerability BugTraq ID: 6586 Remote: Yes Date Published: Jan 11 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6586 Summary:

BEA Systems WebLogic Server is an enterprise level web and wireless application server for Microsoft Windows and most Unix and Linux distributions.

A vulnerability in BEA Systems WebLogic Server may, under some circumstances, result in the disclosure of system passwords if exceptions are output.

BEA Systems has reported that WebLogic Server will throw an exception when an application attempts to route a JMS message across a bridge and an error occurs. This exception will include the supplied system password, in plaintext.

Applications that output exceptions may inadvertently disclose password values. This may ultimately result in a remote party gaining access to affected systems.

20. DCP-Portal Unauthorized Account Access Vulnerability BugTraq ID: 6526
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6526
Summary:

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

DCP-Portal is a freely available content management system implemented in PHP. It is available for a variety of platforms including Microsoft Windows and Linux variants.

DCP-Portal does not sufficiently sanitize user-supplied input for URI parameters.

An attacker can exploit this vulnerability by supplying values for the 'dcp5_member_admin' or 'dcp5_member_id' parameters with the appropriate values. This will allow an attacker to obtain access to user accounts on the vulnerable site hosting DCP-Portal.

This vulnerability was reported for DCP-Portal 5.0.1. It is not known whether earlier versions are affected.

21. cgihtml Signed Integer Content-Length Memory Corruption Vulnerability BugTraq ID: 6551
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6551
Summary:

cgihtml is a series of CGI and HTML routines, implemented in C. It can be run on a number of platforms, including Unix and Linux variants and Microsoft Windows.

A vulnerability has been discovered in cgihtml which may result in memory corruption. The problem occurs when reading a user-supplied Content-Length value for POST data.

An attacker is able to create a situation where memory may be overwritten by passing a negative length as the Content-Length value in a POST request. By passing excessive POST data it is possible for the attacker to overrun the allocated buffer, effectively overwriting heap memory. This may cause the affected program to crash.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Although not yet confirmed, it may be possible to exploit this vulnerability to execute arbitrary code. Placing a malicious malloc header in heap memory may potentially allow an attacker to overwrite a GOT address to point to shellcode.

22. cgihtml Denial Of Service Vulnerability BugTraq ID: 6555
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6555
Summary:

cgihtml is a series of CGI and HTML routines, implemented in C. It can be run on a number of platforms, including Unix and Linux variants and Microsoft Windows.

A vulnerability has been discovered in cgihtml when processing Multipart HTTP headers. It has been reported that, when processing a multipart header, cgihtml fails to sufficiently verify the sanity of the header structure. This may result in an affected application reading invalid values supplied 38 bytes within a malicious header.

If this situation were to occur it may be possible for the attacker to cause the application to crash. Although it has not yet been confirmed, it is speculated that cgihtml contains other vulnerabilities similar to this issue.

23. A.ShopKart Multiple SQL Injection Vulnerabilities BugTraq ID: 6558
Remote: Yes
Date Published: Jan 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6558
Summary:

a.shopKart is a freely available shopping cart system. It is implemented in ASP and is available for Microsoft Windows operating systems.

a.shopKart is prone to multiple SQL injection vulnerabilities.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Due to insufficient sanitization of user-supplied input passed to SQL queries, it may be possible to manipulate the logic of SQL queries. Depending on the nature of the individuals queries and the underlying database implementation, it may be possible to cause database corruption or disclose sensitive information from within the database.

Multiple instances of these vulnerabilities exist in the following scripts:

addcustomer.asp
addprod.asp
process.asp

It was reported that the "zip", "state", "country", "phone" and "fax" fields in the 'addcustomer.asp' script may allow for SQL injection. Further details about the other vulnerable scripts were not provided.

SQL injection attacks may also potentially be used to exploit latent vulnerabilities in the underlying database implementation.

24. Business Objects WebIntelligence Application Session Hijacking Vulnerability BugTraq ID: 6569
Remote: Yes
Date Published: Jan 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6569
Summary:

WebIntelligence is an analysis tool for business intelligence. It is distributed by Business Objects, and available for the Unix and Microsoft Windows platforms.

A problem with the WebIntelligence application could make it possible for remote users to hijack sessions.

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

It has been reported that WebIntelligence uses an insecure model for ensuring session security. The application uses web-type security features that may be prone to hijacking. This could allow a remote user to gain unauthorized access to another user's session.

The problem is that the application uses cookies with guessable values to secure user sessions. It has also been suggested that a remote attacker may use other means to steal cookie-based authentication credentials from legitimate users. By gaining access to the application's session cookie, another user could gain complete access to the user's session, and perform all actions with the privileges of the victim. This vulnerability however does not permit the changing of user passwords.

III. MICROSOFT FOCUS LIST SUMMARY

1. AD replication over WAN (Thread) Relevant URL:

http://online.securityfocus.com/archive/88/306287

2. FW: Tools for changing WMI namespace ACL's (Thread) Relevant URL:

http://online.securityfocus.com/archive/88/305471

3. SecurityFocus Microsoft Newsletter #120 (Thread) Relevant URL:

http://online.securityfocus.com/archive/88/305354

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS

1. i.Secure Drive by Archisoft Security Solutions Limited Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP http://www.archisoft.com.hk/securedrive.html Summary:

i.Secure Drive is a security storage module for Windows. To ensure that your system storage is fully secure, i.Secure Drive creates a secure virtual hard drive on your system, any data written on this virtual hard drive will be securely protected. The solutions utilizes PKI technologies together with personal Smart Token to promote supreme security. The product is fully integrated with Microsoft Windows NT/2000/XP and provides a transparent interface to users. Applications can utilize i.Secure Drive just like any ordinary hard drive.

2. Adhaero Transit
by Adhaero Utilities
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP http://www.adhaeroutilities.com/transit.htm Summary:

Adhaero Transit uses file encryption and compression to produce an executable package (a 'SEED') which may then be safely transferred to the recipient by email, on disk, etc. Adhaero Transit uses the AES algorithm.

3. CipherPack Pro
by BrainTree Security Software
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP http://www.braintree.co.uk/pages/cipherpack.htm Summary:

CipherPack Pro quickly and simply compresses and encrypts files or folders producing a stand-alone Windows executable file. This file contains the decompression and decryption code as well as the encrypted file contents. All that is required is for the correct key to be entered for the data to be recreated. Without the correct key, there is no way that the original contents can ever be viewed.

V. NEW TOOLS FOR MICROSOFT PLATFORMS

1. K9 v1.0 by ROBOTA Relevant URL: http://www.robota.net/proyectos.asp?id=172 Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP Summary:

K9 is a Windows tool for passive OS detection. It uses WinPCAP to capture network traffic and a user friendly interface to handle results, fingerprint database, etc

Confused? Frustrated?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

2. GFI LANguard Network Security Scanner (N.S.S.) v3.0 by GFI
Relevant URL:
http://www.gfisoftware.com/lannetscan/index.htm Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP Summary:

GFI LANguard Network Security Scanner (N.S.S.) is a tool that checks your network for all potential methods that a hacker might use to attack your network. By analyzing the operating system and the applications running on your network, GFI LANguard N.S.S. identifies possible security holes in your network. In other words, it plays the devil's advocate and alerts you to weaknesses before a hacker can find them, enabling you to deal with these issues before a hacker can exploit them.

3. Demarc PureSecure v1.6
by DEMARC Security
Relevant URL:
http://www.demarc.com/
Platforms: BSDI, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD, Perl (any system supporting perl), UNIX, Windows 2000, Windows NT, Windows XP Summary:

Instead of having one program perform file integrity

VI. SPONSOR INFORMATION

Strengthening Network Security: FREE Guide Network security is a constantly moving target - even proven solutions lose their punch over time. Find out how to get COMPLETE PROTECTION against ever-growing security threats with our FREE new Guide.

Get your copy today at: https://www.qualys.com/forms/nsguideh_376.php