SecurityFocus Microsoft Newsletter #135

From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon May 05 2003 - 14:03:07 EDT

This issue is sponsored by: KaVaDo

The only integrated Web Application Security Suite



ScanDo - Web Application Scanner
InterDo - Web Application Firewall

KaVaDo Inc., Web Application Security without Compromise Read more at: http://www.securityfocus.com/Kavado-ms-secnews


I. FRONT AND CENTER
  1. Honeypots: Simple, Cost-Effective Detection
  2. Madonna's Borderline MP3 Tactics
  3. Auditing Web Site Authentication, Part Two
II. MICROSOFT VULNERABILITY SUMMARY
  1. Bugzilla Local Dependency Graph HTML Injection Vulnerability
  2. Bugzilla Default HTML Template Cross-Site Scripting...
  3. Bugzilla Insecure Temporary File Handling Vulnerabilities
  4. VisNetic ActiveDefense Multiple GET Request Denial of...
  5. Alt-N MDaemon POP Server DELE Command Buffer Overflow...
  6. Alt-N MDaemon IMAP Server Folder Creation Buffer Overflow...
  7. Opera JavaScript Console Single Quote Attribute Injection...
  8. 3D-FTP Client Buffer Overflow Vulnerability
  9. Opera 6/7 Remote Heap Corruption Vulnerability
  10. Truegalerie Unauthorized Administrative Access Vulnerability
  11. Multiple PHP-Nuke HTML Injection Vulnerabilities
  12. Macromedia ColdFusion MX Error Message Path Disclosure...
  13. Netscape Navigator Directory Cross-Domain Scripting Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
  1. Outlook Security Settings removed (Thread)
  2. AD Question (Thread)
  3. SecurityFocus Microsoft Newsletter #135 (Thread)
  4. Windows 2003 Security Guides (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
  1. Steganos InternetTrace-Destructor 6
  2. iView Security Analytics
  3. Preventon Web Protect
V. NEW TOOLS FOR MICROSOFT PLATFORMS
  1. Jeb Perl Ping Stats v1.4.4
  2. proDETECT v0.2b
  3. WaveLock v1.0
VI. SPONSOR INFORMATION

I. FRONT AND CENTER

1. Honeypots: Simple, Cost-Effective Detection
By Lance Spitzner

This is the fourth article in an ongoing series on honeypots. This article will examine the role of honeypots in detection.

http://www.securityfocus.com/infocus/1690


2. Madonna's Borderline MP3 Tactics
By Mark Rasch

The material girl's foul-mouthed revenge on music traders could be interpreted as a deceptive trade practice, or even outright fraud.

http://www.securityfocus.com/columnists/158

3. Auditing Web Site Authentication, Part Two
By Mark Burnett

This is the second part of a two-part series that establishes a standard audit procedure by which to measure the security of your own web site authentication. This article explores issues surrounding user privacy, session authentication, user security, and cookies.

http://www.securityfocus.com/infocus/1691

II. MICROSOFT VULNERABILITY SUMMARY


1. Bugzilla Local Dependency Graph HTML Injection Vulnerability
BugTraq ID: 6861
Remote: Yes
Date Published: Apr 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6861
Summary:

Bugzilla is a freely available, open source bug tracking software package. It is available for Linux, Unix, and Microsoft Windows operating systems.


Bugzilla versions 2.16 and later include a feature that allows users to generate bug dependency graphs on their local system via the GraphViz suite.

HTML will not be sanitized when these graphs are generated locally. Malicious HTML and script may be included in bug summaries. When the dependency graph is generated, the HTML and script code may be contained in the ALT and NAME attributes to the AREA tags in the client-side image map.

This may be exploited to cause HTML or script code to be interpreted by the web client of a user who generates a dependency graph which contains malicious data. Though unconfirmed, in some browsers this may result in HTML/script code being executed with relaxed permissions if it is executed in a local context. If this is possible, it may be possible to gain unauthorized access to local resources.

Earlier versions of Bugzilla, which are configured to use a remote server to generate dependency graphs, are not affected by this vulnerability.

2. Bugzilla Default HTML Template Cross-Site Scripting Vulnerabilities
BugTraq ID: 6868
Remote: Yes
Date Published: Apr 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6868
Summary:

Bugzilla is a freely available, open source bug tracking software package. It is available for Linux, Unix, and Microsoft Windows operating systems.

Multiple cross-site scripting vulnerabilities exist in the default HTML templates for Bugzilla. User-supplied input is not sanitized of HTML and script code before being output by Bugzilla. Hostile script code and HTML could be passed through Bugzilla and interpreted in the browser of a web user who visits a Bugzilla site. This will occur in the security context of the site hosting Bugzilla.

Successful exploitation may allow for theft of cookie-based authentication credentials or other attacks which could compromise the integrity or other security properties of the bug tracking system.


Default HTML templates were not prone to these issues in Bugzilla versions prior to 2.16. English, Russian and German HTML template localizations are reported to be affected, though templates for other languages may also be affected.

3. Bugzilla Insecure Temporary File Handling Vulnerabilities
BugTraq ID: 7412
Remote: Unknown
Date Published: Apr 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7412
Summary:

Bugzilla is a freely available, open source bug tracking software package. It is available for Linux, Unix, and Microsoft Windows operating systems.

Bugzilla creates temporary files insecurely. Multiple instances of this problem were reported. An attacker could exploit this issue by creating a symbolic link named after one of the temporary files created by Bugzilla. If the symbolic link points to a file which is writeable by the web server hosting Bugzilla, file corruption could result when Bugzilla attempts to perform temporary file operations on attacker-created symbolic links.

Although unconfirmed, there is a potential for privilege escalation if the attacker can cause files to be corrupted with custom data via symbolic link attacks. Loss of critical data is also possible if this issue is successful, which could also result in a denial of service.
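The following is an added example, not Bugzilla code, showing the symbolic link attack described above beside the two open() idioms that defeat it. The file names and the working directory are constructed for the demonstration; it runs unprivileged on a Unix system and touches nothing outside its own temporary directory.

```python
import os
import tempfile

# Added example, not Bugzilla code. Everything happens inside a private
# temporary directory, so it runs unprivileged and touches nothing else.
# Written for Unix; os.symlink may need extra privilege on Windows.


def unsafe_create(path, data):
    """Predictable name, plain open(): O_CREAT without O_EXCL follows a
    symlink that an attacker planted at that name."""
    with open(path, "w") as fh:
        fh.write(data)


def safe_create(path, data):
    """Same predictable name, but refuse to reuse or follow anything that is
    already there. O_EXCL makes open() fail with EEXIST even when the name is
    a symbolic link; O_NOFOLLOW (where available) closes the remaining gap."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def demo():
    """Return (victim after unsafe write, whether safe_create refused,
    victim after the refused write, basename of a mkstemp file)."""
    with tempfile.TemporaryDirectory() as workdir:
        # A file the web-server user is allowed to write, e.g. a config file.
        victim = os.path.join(workdir, "writable_by_webserver.txt")
        with open(victim, "w") as fh:
            fh.write("original\n")

        # Attacker wins the race: the predictable temp name already exists
        # as a symlink to the victim before the application opens it.
        tmpname = os.path.join(workdir, "bugzilla.tmp")
        os.symlink(victim, tmpname)

        unsafe_create(tmpname, "corrupted\n")       # writes through the link
        with open(victim) as fh:
            after_unsafe = fh.read()

        with open(victim, "w") as fh:                # reset the victim
            fh.write("original\n")
        refused = False
        try:
            safe_create(tmpname, "corrupted\n")
        except OSError:                              # EEXIST (or ELOOP)
            refused = True
        with open(victim) as fh:
            after_safe = fh.read()

        # The complete fix: let the OS choose an unpredictable name with
        # O_EXCL semantics, so there is no name for the attacker to pre-create.
        fd, unique = tempfile.mkstemp(dir=workdir)
        os.close(fd)
        return after_unsafe, refused, after_safe, os.path.basename(unique)
```

The O_EXCL refusal is what turns silent file corruption into a logged error; mkstemp (or its C equivalent) removes the predictable name entirely, which is the fix the Bugzilla advisory class of bug needs.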

4. VisNetic ActiveDefense Multiple GET Request Denial of Service Vulnerability
BugTraq ID: 7428
Remote: Yes
Date Published: Apr 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7428
Summary:

VisNetic ActiveDefense is a network-based intrusion detection system designed to run on web and email servers. Its capabilities include web and email traffic filtering. ActiveDefense is available for the Microsoft Windows operating system.

A vulnerability has been discovered in ActiveDefense when running on a Microsoft IIS web server. The problem occurs while processing a multitude of malicious HTTP requests.


The issue can be triggered by sending 90 successive HTTP requests to the IIS server, each containing approximately 100 bytes of data. When processed, these requests will trigger a condition that crashes the affected system.

An attacker could exploit this issue to deny legitimate users access to HTTP services.

The system must be restarted to restore regular functionality.

This denial of service is known to affect VisNetic ActiveDefense 1.3.1. It is likely that earlier versions are similarly affected.

5. Alt-N MDaemon POP Server DELE Command Buffer Overflow Vulnerability
BugTraq ID: 7445
Remote: Yes
Date Published: Apr 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7445
Summary:

Alt-N MDaemon is a Microsoft Windows based mail server product.

A buffer overflow vulnerability has been reported for MDaemon. The vulnerability is due to inadequate bounds checking on the 'DELE' POP server command.

An attacker can exploit this vulnerability by submitting a very large value for the DELE command to the POP server. When the POP server receives this command, it will trigger the overflow condition and will cause MDaemon to crash.


Although unconfirmed, it may be possible for a remote attacker to exploit this issue to execute arbitrary system commands with the privileges of the MDaemon process.

This vulnerability was reported for MDaemon versions 6.0.7 and later.

This issue is very similar to the issue described in BID 6053.

6. Alt-N MDaemon IMAP Server Folder Creation Buffer Overflow Vulnerability
BugTraq ID: 7446
Remote: Yes
Date Published: Apr 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7446
Summary:

Alt-N MDaemon is a Microsoft Windows based mail server product.

A buffer overflow vulnerability has been reported for the MDaemon IMAP server. The vulnerability exists when IMAP folders are created. Specifically, MDaemon does not perform adequate bounds checks when processing the CREATE command.

A malicious IMAP user is able to issue a CREATE command with an overly long value, of more than 2000 characters, to the vulnerable MDaemon server. Upon processing this malicious user input, the buffer overflow condition will be triggered, which may result in code execution with elevated privileges.

This vulnerability was reported to affect MDaemon 6.7.5 and later.


7. Opera JavaScript Console Single Quote Attribute Injection Vulnerability
BugTraq ID: 7449
Remote: Yes
Date Published: Apr 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7449
Summary:

Opera is a web client available for a number of platforms, including Microsoft Windows, Linux and Unix variants and Apple MacOS.

A vulnerability has been reported for Opera 7 browsers for Microsoft Windows operating systems. The vulnerability exists in Opera's JavaScript console program. The console program consists of three HTML files, one of which is 'console.html'. Any unhandled exceptions thrown by any JavaScript are listed in the console and are converted into clickable links.

The vulnerability is present in the regular expressions used by 'console.html' to format exception messages. Specifically, exception messages are not parsed for quote characters. By inserting single quote (') characters it is possible to add additional attributes to the generated URIs, which may make it possible to execute arbitrary attacker-supplied script code through the file:// URI handler. This may lead to disclosure of local file contents to remote attackers.

This issue is a variant of the vulnerability described in BID 6755, using single quote characters instead of double quotes. It is reported that this variant also affects patched versions of the browser. Opera 7.10 attempts to address this issue by sanitizing single quote characters, but is still prone to the issue if the hexadecimal code for the single quote HTML entity is used.
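The attribute injection in this entry and the ALT/NAME injection in the Bugzilla dependency graph entry (item 1 above) are the same class of bug: attacker text placed inside an HTML attribute without attribute-context escaping. The following added example, not Bugzilla or Opera code, models three approaches with stand-in templates and a crude attribute parser. The page does not say at which step Opera decodes the entity, so the "strip early, decode later" pipeline is an assumption that reproduces the reported &#x27; bypass; the payloads and the href value are constructed.

```python
import html
import re

# Added example, not code from Bugzilla or Opera. The templates are stand-ins
# for Bugzilla's image-map AREA tags and the console's exception links.
AREA_TEMPLATE = '<area shape="rect" alt="{alt}" name="{name}" href="{href}">'
LINK_TEMPLATE = "<a href='{msg}'>{msg}</a>"

_ATTR = re.compile(r"""([A-Za-z-]+)=(?:"([^"]*)"|'([^']*)')""")


def attributes(markup):
    """Crude model of a browser's attribute parser for the first tag only:
    split on the quoting, then decode character references inside each value."""
    head = markup.split(">", 1)[0]
    found = {}
    for name, dq, sq in _ATTR.findall(head):
        found[name.lower()] = html.unescape(dq or sq)
    return found


# Case 1 (dependency graph): the bug summary is copied verbatim into ALT/NAME.
def area_raw(summary, href):
    return AREA_TEMPLATE.format(alt=summary, name=summary, href=href)


def area_escaped(summary, href):
    """Escape in attribute context: <, >, & and both quote characters."""
    s = html.escape(summary, quote=True)
    return AREA_TEMPLATE.format(alt=s, name=s, href=html.escape(href, quote=True))


# Case 2 (console, as modelled here): the literal quote is stripped early, but
# the text is decoded once more before the link is built. Assumed pipeline;
# it is the generic sanitise-then-decode pattern that makes &#x27; a quote.
def link_strip_then_decode(message):
    stripped = message.replace("'", "")
    decoded_later = html.unescape(stripped)
    return LINK_TEMPLATE.format(msg=decoded_later)


# Case 3: decode whatever must be decoded first, then escape at the output
# boundary, in the context (attribute) the value is going into.
def link_escape_at_output(message):
    decoded = html.unescape(message)
    return LINK_TEMPLATE.format(msg=html.escape(decoded, quote=True))


def demo():
    """Constructed payloads; returns what the attribute parser sees in each case."""
    dq_payload = 'x" onmouseover="alert(1)'
    sq_payload = "x' onmouseover='alert(1)"
    entity_payload = "x&#x27; onmouseover=&#x27;alert(1)"
    href = "show_bug.cgi?id=1"
    return {
        "raw": attributes(area_raw(dq_payload, href)),
        "area_escaped": attributes(area_escaped(dq_payload, href)),
        "strip_literal": attributes(link_strip_then_decode(sq_payload)),
        "strip_entity": attributes(link_strip_then_decode(entity_payload)),
        "fixed": attributes(link_escape_at_output(entity_payload)),
    }
```

Stripping one character is a denylist, and a denylist applied before a later decoding step is always one encoding short; escaping at the output boundary does not care how the value was spelled on the way in.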

8. 3D-FTP Client Buffer Overflow Vulnerability
BugTraq ID: 7451
Remote: Yes
Date Published: Apr 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7451
Summary:

3D-FTP is a lightweight FTP client application for Microsoft Windows.

It has been reported that 3D-FTP client may be prone to a buffer overflow condition. This issue is due to the client not implementing sufficient bounds checking on banner data copied into local memory buffers.


When the FTP client receives an FTP banner that contains an excessive amount of data, it becomes unstable. It has been reported that this vulnerability can be reproduced by sending an FTP banner of 8192 bytes or more to a vulnerable client. When the client reads in the banner, sensitive regions of memory may be corrupted with attacker-supplied values.

It may be possible for attackers to leverage this vulnerability to execute instructions. Any code executed would be in the security context of the FTP client process.
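The three overflows above (MDaemon POP DELE, MDaemon IMAP CREATE, and the 3D-FTP banner) share one root cause: a protocol line or argument copied without a length bound. The following added example, not code from either product, shows the defensive counterpart for a server and for a client: a line reader that refuses overlong input before buffering it, POP3 argument limits taken from RFC 1939, a local cap for IMAP mailbox names (an assumed policy, not an RFC figure), and a bounded multi-line FTP greeting reader. The inputs are constructed to the sizes the summaries mention.

```python
import io

# Added example; not MDaemon or 3D-FTP code. Constructed inputs stand in
# for what a hostile peer would send; nothing on the network is contacted.

MAX_LINE = 1024          # cap on any single protocol line, chosen for this example
POP3_MAX_ARG = 40        # RFC 1939: each POP3 argument may be up to 40 characters
IMAP_MAX_MAILBOX = 255   # local policy for CREATE names, not an RFC limit


class LineTooLong(ValueError):
    pass


def read_line(stream, max_len=MAX_LINE):
    """Read one CRLF-terminated line without ever buffering more than
    max_len + 1 bytes. Works on any binary file object, including
    sock.makefile("rb"). Raises instead of growing the buffer."""
    line = stream.readline(max_len + 1)
    if len(line) > max_len:
        raise LineTooLong(f"line exceeds {max_len} bytes")
    if not line.endswith(b"\r\n"):
        raise ValueError("line not CRLF-terminated (EOF or bare LF)")
    return line[:-2]


def parse_pop3(line):
    """Split a POP3 command line into (keyword, args) with RFC 1939 limits."""
    parts = line.decode("ascii").split(" ")
    keyword = parts[0].upper()
    if not (3 <= len(keyword) <= 4 and keyword.isalpha()):
        raise ValueError("bad keyword")
    args = parts[1:]
    for arg in args:
        if not arg or len(arg) > POP3_MAX_ARG:
            raise ValueError("argument empty or too long")
    if keyword == "DELE":
        if len(args) != 1 or not args[0].isdigit():
            raise ValueError("DELE takes exactly one numeric message number")
        return keyword, [int(args[0])]
    return keyword, args


def parse_imap_create(line):
    """Parse 'tag CREATE mailbox' and bound the mailbox name."""
    parts = line.decode("ascii").split(" ", 2)
    if len(parts) != 3 or parts[1].upper() != "CREATE":
        raise ValueError("not a CREATE command")
    tag, _, mailbox = parts
    if len(mailbox) >= 2 and mailbox[0] == mailbox[-1] == '"':
        mailbox = mailbox[1:-1]                  # quoted-string form
    if not mailbox or len(mailbox) > IMAP_MAX_MAILBOX:
        raise ValueError("mailbox name empty or too long")
    return tag, mailbox


def read_ftp_greeting(stream, max_lines=20):
    """Read a possibly multi-line 220 greeting (RFC 959 style): '220-' lines
    continue, a '220 ' line ends it. Each line and the number of lines are
    bounded, so a hostile server cannot exhaust the client's memory."""
    lines = []
    for _ in range(max_lines):
        line = read_line(stream).decode("ascii", "replace")
        lines.append(line)
        if line[:3].isdigit() and line[3:4] == " ":
            return lines
    raise ValueError("greeting did not terminate within max_lines")


def demo():
    """Return which constructed inputs were rejected and which parsed."""
    r = {}
    try:                                   # DELE with a 5000-digit argument
        parse_pop3(b"DELE " + b"9" * 5000)
        r["dele_huge"] = "accepted"
    except ValueError:
        r["dele_huge"] = "rejected"
    r["dele_ok"] = parse_pop3(b"DELE 3")
    try:                                   # CREATE with a >2000-character name
        parse_imap_create(b"a001 CREATE " + b"A" * 2001)
        r["create_huge"] = "accepted"
    except ValueError:
        r["create_huge"] = "rejected"
    r["create_ok"] = parse_imap_create(b'a002 CREATE "Sent Items"')
    hostile = io.BytesIO(b"220-" + b"X" * 8192 + b"\r\n220 done\r\n")
    try:                                   # 8192-byte banner line
        read_ftp_greeting(hostile)
        r["banner_huge"] = "accepted"
    except LineTooLong:
        r["banner_huge"] = "rejected"
    r["banner_ok"] = read_ftp_greeting(io.BytesIO(b"220-Welcome\r\n220 FTP ready\r\n"))
    return r
```

The point of read_line is that the bound is enforced by the read itself (readline with a size argument), not by a check after an unbounded read has already copied the data into memory; the per-command limits then sit on top of a line that is already known to be small.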

9. Opera 6/7 Remote Heap Corruption Vulnerability
BugTraq ID: 7450
Remote: Yes
Date Published: Apr 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7450
Summary:

Opera is a web browser available for a number of platforms, including Microsoft Windows, Linux and Unix variants and Apple MacOS.

A vulnerability has been reported for Opera versions 7.10 and earlier, on the Microsoft Windows platform. The problem is said to occur due to insufficient bounds checking on filename extensions. As a result, it may be possible for an attacker to corrupt heap-based memory. This may allow for the execution of arbitrary code or a prolonged denial of service.

If this issue were exploited, Opera may continuously crash until the 'dcache4.url' file has been deleted. This is due to the malicious filename being stored within the cache-index.

10. Truegalerie Unauthorized Administrative Access Vulnerability
BugTraq ID: 7427
Remote: Yes
Date Published: Apr 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7427
Summary:

Truegalerie is web-based photo album software implemented in PHP and is available for a variety of platforms including Microsoft Windows and Linux variant systems.

A vulnerability has been reported for Truegalerie that may result in unauthorized administrative access. The vulnerability exists due to insufficient sanitization of some URI values. Specifically, the values for the URI parameter 'loggedin' are not properly verified.


An attacker can exploit this vulnerability by manipulating the 'loggedin' URI parameter to obtain administrative access to the site hosting Truegalerie.

This vulnerability was reported for Truegalerie 1.0.
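As an added example (a hypothetical reconstruction of the pattern, not Truegalerie's code), the following shows the mistake described above beside its fix: an admin check that reads a 'loggedin' flag from the query string, and one that consults server-side session state reached only through an unguessable cookie. The password, the session store and the request inputs are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Added example; a hypothetical reconstruction of the pattern, not
# Truegalerie's code. The page says only that the 'loggedin' parameter is
# not verified, so the vulnerable handler is the simplest form of that
# mistake: a privilege flag that the client itself supplies.

# Constructed credential for the demo. A real deployment would store a
# slow password hash (bcrypt/scrypt/argon2) rather than a plain SHA-256.
ADMIN_PASSWORD_HASH = hashlib.sha256(b"correct horse battery").hexdigest()


def is_admin_vulnerable(query_string):
    """Trusts ?loggedin=1 from the URL: anyone can become admin."""
    params = parse_qs(query_string)
    return params.get("loggedin", ["0"])[0] == "1"


# Hardened version: privilege lives in server-side session state that is
# looked up by an unguessable identifier carried in a cookie.
_sessions = {}


def login(password):
    """Return a new session id if the password verifies, else None."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(digest, ADMIN_PASSWORD_HASH):
        return None
    sid = secrets.token_urlsafe(32)         # 256 bits of randomness
    _sessions[sid] = {"admin": True}
    return sid


def is_admin_fixed(query_string, cookies):
    """Ignores the query string entirely; only the session store decides."""
    sid = cookies.get("session", "")
    return _sessions.get(sid, {}).get("admin", False)


def demo():
    """Constructed requests: forged flag, guessed cookie, real login."""
    results = {
        "vuln_forged":  is_admin_vulnerable("album=1&loggedin=1"),
        "fixed_forged": is_admin_fixed("album=1&loggedin=1", {}),
        "fixed_guess":  is_admin_fixed("loggedin=1", {"session": "1"}),
        "bad_login":    login("wrong password"),
    }
    sid = login("correct horse battery")
    results["fixed_real"] = is_admin_fixed("", {"session": sid})
    return results
```

The same rule covers hidden form fields and cookies that carry "admin=1": anything the client can edit is input, and authorization state must be derived on the server from something the client cannot forge.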

11. Multiple PHP-Nuke HTML Injection Vulnerabilities
BugTraq ID: 7432
Remote: Yes
Date Published: Apr 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7432
Summary:

PHP-Nuke is a web-based portal system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows.

Multiple HTML injection vulnerabilities have been reported in PHP-Nuke. PHP-Nuke does not sufficiently sanitize HTML and script code from various input fields. This input may be displayed throughout various places in the forum, private messages, user profiles, comments, news and possibly other modules.

In some instances, hostile HTML and script code will not be sanitized from HTML elements which are considered safe to use. Form fields for certain modules may also permit injection of HTML and script code.

Code that is injected through exploitation of these issues may be rendered by web clients visiting the site hosting PHP-Nuke. This will occur in the context of the site. Exploitation could allow theft of cookie-based authentication credentials or other attacks.

These issues were reported in PHP-Nuke 6.5 Final. Other versions may also be affected.
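The "elements which are considered safe to use" point above is the usual failure of tag-based filtering: a permitted <a> or <img> still carries script if its attributes are not filtered as well. The following added example, not PHP-Nuke code, is an allow-list sanitiser built on Python's html.parser that keeps only listed tags and listed attributes, and rejects javascript: URLs, including entity-encoded ones. The tag list and the sample inputs are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Added example, not PHP-Nuke code. An allow-list sanitiser for user-supplied
# HTML: only listed tags survive, only listed attributes on them, and URL
# attributes must use a listed scheme. Event handlers and javascript: URLs
# on otherwise "safe" elements are the cases the summary above refers to.

ALLOWED = {
    "b": set(), "i": set(), "p": set(), "br": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID = {"br", "img"}              # elements that take no closing tag
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style"}


def safe_url(value):
    """Accept absolute URLs with a listed scheme or site-relative paths.
    Whitespace and control characters are removed first because browsers
    ignore them inside a scheme ('java\\tscript:')."""
    v = "".join(ch for ch in value.strip().lower() if ch.isprintable() and not ch.isspace())
    if v.startswith(SAFE_SCHEMES):
        return True
    return v.startswith("/") and not v.startswith("//")


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # attribute values and text arrive decoded
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED:
            return                                   # drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                             # on*, style, etc. never survive
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in self.open_tags:                  # close it and anything nested
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()                                 # flush buffered text
        while self.open_tags:                        # balance unclosed tags
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    parser = Sanitizer()
    parser.feed(fragment)
    return parser.result()


def demo():
    """Constructed samples of the cases discussed: returns name -> output."""
    samples = {
        "handler": '<b onmouseover="alert(1)">hi</b>',
        "js_href": '<a href="javascript:alert(1)">x</a>',
        "entity_href": '<a href="javascript&#58;alert(1)">x</a>',
        "img_onerror": '<img src="http://h/x.png" onerror="alert(1)">',
        "script": "<p>hello<script>alert(1)</script></p>",
        "good": '<a href="https://example.org/" title="t">ok</a> &lt;3',
        "unclosed": "<b><i>text",
    }
    return {name: sanitize(src) for name, src in samples.items()}
```

Because the parser decodes attribute values before the allow-list sees them, the entity-encoded javascript: URL is rejected by the same check as the plain one; re-serialising from the parsed tree (rather than patching the original string) is what keeps the output well-formed and free of anything the list did not admit.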

12. Macromedia ColdFusion MX Error Message Path Disclosure Vulnerability
BugTraq ID: 7443
Remote: Yes
Date Published: Apr 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7443
Summary:

ColdFusion MX is an application server for developing and hosting web applications, distributed by Macromedia. It is available as a standalone product for Unix, Linux, and Microsoft Windows operating systems.


A vulnerability has been reported for Macromedia ColdFusion MX that may reveal the physical path information to attackers.

When certain malformed URL requests are received by the server, an error message is returned containing the full path of the ColdFusion installation. Specifically, when a request for the /CFIDE/probe.cfm page is made on the server process on port 8500, an error message is returned which contains path information.

Information obtained in this manner may be used by an attacker to launch further attacks against a vulnerable system.

13. Netscape Navigator Directory Cross-Domain Scripting Vulnerability
BugTraq ID: 7456
Remote: Yes
Date Published: Apr 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7456
Summary:

Netscape is a web browser which is available for a number of platforms, including Microsoft Windows and Unix and Linux variants.

A vulnerability has been reported that could allow an attacker to fool Netscape into running script in a foreign domain. If a dot (.) is appended to the end of the hostname in a URI, Netscape may accept the directory name as the actual domain. This could permit a malicious web page to access the DOM (Document Object Model) of another foreign domain.

An attacker could exploit this by enticing a user to visit a malicious URI and then running malicious script code which can access the properties of a foreign domain. This could lead to theft of cookie-based authentication credentials, information disclosure or other attacks.

This issue was reported for Netscape Navigator 7.02. It is likely that other versions of Netscape are vulnerable to this issue. As well, browsers based on Mozilla may be vulnerable too.

III. MICROSOFT FOCUS LIST SUMMARY


1. Outlook Security Settings removed (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/320115

2. AD Question (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/320113

3. SecurityFocus Microsoft Newsletter #135 (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/319876

4. Windows 2003 Security Guides (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/319711

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS


1. Steganos InternetTrace-Destructor 6
by Steganos
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.steganos.com/en/itd/info.htm
Summary:

Steganos InternetTrace-Destructor 6 helps protect users' online and offline privacy. The latest version of Steganos software features enhanced browser support, including for AOL, as well as Internet Explorer and Netscape; the one-click elimination of even more traces of online and offline PC activity, including from AOL, Office 2000, Windows XP, various media players, WinZip and Google Toolbar; the prevention of XP user data from being transmitted to Microsoft; the management and destruction of cookies; the destruction of history data, logs and cache; the elimination of temporary files that slow down PCs; and the permanent destruction of confidential documents.

2. iView Security Analytics
by The Illumen Group
Platforms: N/A
Relevant URL:
http://www.illumen.com/products.cfm?detailsid=2
Summary:

iView Security Analytics software provides detailed, easy-to-read and interpret reports of Internet data traffic for today's connected enterprise. iView uses highly optimized algorithms that process and classify firewall's raw information to generate reports accurately and efficiently. Developed by The Illumen Group, Inc., a trusted veteran in the ever-changing Internet security market, iView's reports can be leveraged to help secure and protect an organization while improving Internet resource utilization. With iView, you have the power to...

  • DEVELOP and enforce acceptable use policies
  • DETERMINE whether Internet bandwidth is adequate for the organization's needs.
  • QUANTIFY and deploy bandwidth shaping policies
  • REVEAL denied events and attempted intrusions
  • DOCUMENT and investigate attacks from both internal and external sources
  • COMBAT those attacks with more comprehensive security policies

3. Preventon Web Protect
by Preventon Technologies Ltd.
Platforms: Windows 2000, Windows 95/98, Windows XP
Relevant URL:
http://www.preventon.com/webprotect/
Summary:

Preventon Web Protect is an advanced defence system for protecting your website against attack. This security software provides control over the communications between the Internet and your web server by filtering out malicious attacks that it recognises, including worm attacks, buffer overflow attacks, unauthorised page uploads, and many others.

V. NEW TOOLS FOR MICROSOFT PLATFORMS


1. Jeb Perl Ping Stats v1.4.4
by Jean-Edouard BABIN Jeb@jeb.com.fr
Relevant URL:
http://www.jeb.be/codingstuff/
Platforms: N/A
Summary:

JPPS (Jeb Perl Ping Stats) is a Perl script which extracts statistics from the output generated by the 'ping' command.

2. proDETECT v0.2b
by Egemen Tas egemen@ipipi.com or egemen@usaf.org
Relevant URL:
http://www.cmpe.boun.edu.tr/~tas/
Platforms: Windows 2000, Windows NT, Windows XP
Summary:

proDETECT is an open source promiscuous mode scanner with a GUI. It uses an ARP packet analysis technique to detect adapters in promiscuous mode. This tool can be used by security administrators to detect sniffers in a LAN. It can be scheduled for regular scanning over periods. It also has some advanced reporting capabilities such as SMTP reporting. Full source code is included.
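The ARP technique that scanners of this kind rely on is worth seeing in detail. The following is an added example, not proDETECT's source: it builds an ARP request whose Ethernet destination is a bogus unicast address that no host owns, and classifies any reply. A NIC in normal mode drops such a frame in hardware, while a NIC in promiscuous mode passes it to the IP stack, which answers because the target IP matches. The probe address ff:ff:ff:ff:ff:fe, the host addresses and the replies are constructed; real scanners typically try several bogus addresses because operating systems' software filters differ, and actually sending the frame needs a raw socket and administrator rights, which this offline example does not use.

```python
import struct

# Added example, not proDETECT code. Builds and classifies ARP frames offline;
# no raw socket is opened. Addresses are constructed (RFC 5737 test range).

ETH_TYPE_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"      # htype ptype hlen plen oper sha spa tha tpa
BROADCAST = b"\xff" * 6
# A unicast address no host owns; it differs from broadcast only in the last
# bit, which is why some software filters let it through in promiscuous mode.
BOGUS_DST = bytes.fromhex("fffffffffffe")


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ipv4(text):
    return bytes(int(octet) for octet in text.split("."))


def build_probe(src_mac, src_ip, target_ip, dst_mac=BOGUS_DST):
    """ARP who-has for target_ip, but addressed at Ethernet level to a MAC the
    target does not own. A NIC in normal mode drops it before the OS sees it."""
    eth = struct.pack("!6s6sH", dst_mac, src_mac, ETH_TYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, src_mac, src_ip, b"\x00" * 6, target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode Ethernet+ARP; None if the frame is not IPv4-over-Ethernet ARP."""
    if frame is None or len(frame) < 42:
        return None
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def is_promiscuous(probe_frame, reply_frame):
    """True when reply_frame answers probe_frame and the probe was sent neither
    to broadcast nor to the responder's own MAC. Only a NIC that accepted a
    frame meant for someone else could have produced such a reply."""
    probe, reply = parse_arp(probe_frame), parse_arp(reply_frame)
    if probe is None or reply is None or reply["oper"] != 2:
        return False
    if probe["eth_dst"] in (BROADCAST, reply["sha"]):
        return False                         # an ordinary reply proves nothing
    return (reply["spa"] == probe["tpa"] and reply["tpa"] == probe["spa"]
            and reply["tha"] == probe["sha"])


def constructed_reply(probe_frame, responder_mac):
    """What the probed host's IP stack sends if the NIC passed the probe up."""
    p = parse_arp(probe_frame)
    eth = struct.pack("!6s6sH", p["sha"], responder_mac, ETH_TYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2, responder_mac, p["tpa"], p["sha"], p["spa"])
    return eth + arp


def demo():
    scanner_mac, scanner_ip = mac("02:00:00:00:00:01"), ipv4("192.0.2.1")
    suspect_mac, suspect_ip = mac("02:00:00:00:00:02"), ipv4("192.0.2.7")
    probe = build_probe(scanner_mac, scanner_ip, suspect_ip)
    sniffer_reply = constructed_reply(probe, suspect_mac)
    # A different host answering for a different IP is not evidence.
    other = build_probe(scanner_mac, scanner_ip, ipv4("192.0.2.9"))
    unrelated = constructed_reply(other, mac("02:00:00:00:00:03"))
    # The same reply to a *broadcast* probe is just normal ARP.
    normal_probe = build_probe(scanner_mac, scanner_ip, suspect_ip, dst_mac=BROADCAST)
    normal_reply = constructed_reply(normal_probe, suspect_mac)
    return {
        "probe_len": len(probe),
        "probe_dst": mac_text(parse_arp(probe)["eth_dst"]),
        "promisc": is_promiscuous(probe, sniffer_reply),
        "silent": is_promiscuous(probe, None),
        "unrelated": is_promiscuous(probe, unrelated),
        "normal_arp": is_promiscuous(normal_probe, normal_reply),
    }
```

In a live scan the probe goes out through a raw (AF_PACKET on Linux) socket and replies are read back from the same socket; the classification is exactly is_promiscuous, and a host that never answers any bogus-destination probe is simply not flagged, which is why this method produces no false positives but can miss adapters whose driver filters more strictly.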


3. WaveLock v1.0
by SecureWave http://www.securewave.com
Relevant URL:
http://www.securewave.com/products/free_utilities/wavelock.html
Platforms: Windows 2000, Windows NT, Windows XP
Summary:

Windows 2000 and Windows XP come with drivers for several wireless LAN ("WLAN") adapters; installation requires only insertion of one of those adapters. Administrative privileges are not required, as no new drivers must be registered with the operating system. WaveLock assists in enforcing security policies by blocking access to these adapters, making it harder to circumvent firewalls, filters, proxies, and other required safeguards.

To install WaveLock, download and uncompress wavelock.zip. Execute the resulting wavelock.msi file (a Windows Installer setup), which installs wavelock.sys. Reboot to load and activate WaveLock.

A list of the wireless network adapters supported out-of-the-box on Windows 2000 and Windows XP can be found below. Note that WaveLock cannot know about and will therefore not block additional drivers installed by administrators.

VI. SPONSOR INFORMATION

This issue is sponsored by KaVaDo; the full sponsor message appears at the top of this issue.

Received on Mon May 5 15:14:38 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:28 EDT

