
SecurityFocus Newsletter #171

From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon Nov 18 2002 - 12:13:58 EST

SecurityFocus Newsletter #171


This Issue is Sponsored By: Qualys

Proactive Network Security: FREE Guide Ensure TOTAL security for your Internet perimeter. Get the most current and most complete Web-based vulnerability assessment solution designed to keep your network secure from worms and trojans.

Get your FREE Guide to managing your network vulnerabilities today at: https://www.qualys.com/forms/guide_230.php


I. FRONT AND CENTER
  1. Alien Autopsy: Reverse Engineering Win32 Trojans on Linux
  2. .NET/MSIL malicious code and AV/heuristic Engines
  3. Locking Down the Pop-up Perps
  4. Maintaining Credible IIS Log Files
  5. Back to the Insecure Future
  6. SecurityFocus DPP Program
  7. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. BUGTRAQ SUMMARY
  1. PADL Software nss_ldap DNS Query Response Denial of Service...
  2. Microsoft JVM Passed HTML Object Reference Denial Of Service...
  3. Perception LiteServe DNS Wildcard Cross Site Scripting...
  4. Microsoft JVM Class Loader Buffer Overrun Vulnerability
  5. Microsoft JVM Codebase Information Disclosure Vulnerability
  6. Microsoft JVM Unauthorized Clipboard Access Vulnerability
  7. Microsoft JVM Package Access Restriction Bypassing Vulnerability
  8. Microsoft JVM CAB File Loading Vulnerability
  9. Microsoft JVM Information Disclosure Vulnerability
  10. Microsoft JVM HTML Applet Tag Class Restriction Bypass...
  11. Microsoft JVM URI Parsing Vulnerability
  12. Microsoft JVM INativeServices Unauthorized Memory Access...
  13. Perception LiteServe Directory Query String Cross Site...
  14. Zeus Web Server Admin Interface Cross Site Scripting...
  15. Simple Web Server File Disclosure Vulnerability
  16. QNX RTOS Application Packager Non-Explicit Path Execution...
  17. Sun Solaris Network Interface Denial Of Service Vulnerability
  18. MailScanner Attachment Filename Validation Vulnerability
  19. CVSup-Mirror Insecure Temporary Files Vulnerability
  20. Incognito Systems ISMTP Gateway Buffer Overflow Vulnerability
  21. KGPG Key Generation Empty Passphrase Vulnerability
  22. EZ Systems HTTPBench Information Disclosure Vulnerability
  23. Novell Netware eMFrame iManage Buffer Overflow Vulnerability
  24. Hotfoon Dialer Plain Text Password Storage Vulnerability
  25. Hotfoon Dialer Buffer Overflow Vulnerability
  26. KDE Network RESLISA Buffer Overflow Vulnerability
  27. ISC BIND 8 Invalid Expiry Time Denial Of Service Vulnerability
  28. ISC BIND OPT Record Large UDP Denial of Service Vulnerability
  29. ISC BIND SIG Cached Resource Record Buffer Overflow Vulnerability
  30. Novell eDirectory Expired Password Vulnerability
  31. Light HTTPD GET Request Buffer Overflow Vulnerability
  32. TinyHTTPD Directory Traversal Vulnerability
  33. MasqMail Buffer Overflow Vulnerability
  34. Xoops WebChat Module Remote SQL Injection Vulnerability
  35. Traceroute-nanog Local Buffer Overflow Vulnerability
  36. APBoard Protected Forum Thread Posting Vulnerability
  37. W3Mail File Disclosure Vulnerability
  38. TCPDump / LIBPCap Trojan Horse Vulnerability
III. SECURITYFOCUS NEWS ARTICLES
  1. Accused Pentagon Hacker's Online Life
  2. US gov's 'ultimate database' run by a felon
  3. Security concerns hinder remote access
  4. When firewalls and intrusion detection just aren't enough
IV. SECURITYFOCUS TOP 6 TOOLS
  1. shell watchdog v1.1 (dev)
  2. Fast OnlineUpdate for SuSE v0.8.1
  3. RSA implementation in Haskell v1.0.0
  4. Safer Password Generator
  5. NetSplitter v20021112
  6. KPassCard v0.1.1
V. SECURITYJOBS LIST SUMMARY
  1. CISSP, INFOSEC Engineer Seeking Security Position in...
  2. Houston, Texas, CISSP, Web Security Specialist, Attack &...
  3. Network Security Engineer - Boston North - KCMO relocation...
  4. AVAYA Security Consulting Positions in So. Cal, Silicon...
  5. AVAYA Security Manager Position / Western Europe (Thread)
  6. Security Sales Evangelist - Boston (Northeast), Atlanta...
  7. Incident Response/Security position available in Denver metro...
VI. INCIDENTS LIST SUMMARY
  1. Unicode Attack (Thread)
  2. Yahoo Messenger Stale Sessions (Thread)
  3. Unicode Attack (FOLLOW UP) (Thread)
  4. Port 5552? (Thread)
  5. scans on port 57 (Thread)
  6. new version of aris analyzer? (Thread)
  7. ano@ano.com ftpd dip.t-dialin.net (Thread)
  8. 030 igetnet ignkeywords (Thread)
  9. Ip spoof from 0.0.0.0 (Thread)
  10. IIS and leech (Thread)
  11. 030 ignkeywords igetnet follow up (Thread)
  12. Quick question re FTP activity (Thread)
  13. 030.com (Thread)
  14. What's up with 3014/tcp? (Thread)
  15. Ip spoof from 0.0.0.0 (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
  1. shell script cgi (Thread)
  2. ColdFusion Heap Overflow (Thread)
  3. PHP (Thread)
  4. BIND Exploits (Thread)
  5. Exploitable pine heap overflow ( Remote pine Denial of Service)...
VIII. MICROSOFT FOCUS LIST SUMMARY
  1. Unknown workgroup in Microsoft Windows Network (Thread)
  2. Local security settings in W2k adv server causes problems (Thread)
  3. Active Directory network security (Thread)
  4. Tools (Thread)
  5. RES: Tools (Thread)
  6. SecurityFocus Microsoft Newsletter #112 (Thread)
  7. Win 2000 password Complexity Requirements (Thread)
  8. Win 2000 passsword Complexity Requirements (Thread)
  9. IIS 5 and client certificates (Thread)
IX. SUN FOCUS LIST SUMMARY
  1. NO NEW POSTS FOR THE WEEK ENDING 11.15.02
X. LINUX FOCUS LIST SUMMARY
  1. NO NEW POSTS FOR THE WEEK ENDING 11.15.02
XI. SPONSOR INFORMATION

I. FRONT AND CENTER

1. Alien Autopsy: Reverse Engineering Win32 Trojans on Linux
By Joe Stewart

In a previous SecurityFocus article, the author described the tools and processes involved in basic reverse engineering of a simple trojan. This article will offer a more detailed examination of the reversing process, using a trojan found in the wild, and focusing on techniques for reversing Windows-native code entirely under Linux.

http://online.securityfocus.com/infocus/1641


2. .NET/MSIL malicious code and AV/heuristic Engines
By Markus Schmall

While the Windows .NET strategy incorporates numerous aspects, this article will focus on what aspects to cover in developing an AV/heuristic engine for this new platform. Specifically, it will address the additions introduced by .NET technologies to standard Windows PE (portable executable) file format and how that will affect the development of an effective heuristic engine. It will also briefly discuss the existing malicious codes for the .NET environment.

http://online.securityfocus.com/infocus/1642

3. Locking Down the Pop-up Perps
By Mark Rasch

Pop-up ads have already inspired civil lawsuits. Here's how federal computer crime law and the USA-PATRIOT Act could put obnoxious advertisers in the pokey ...

http://online.securityfocus.com/columnists/124

4. Maintaining Credible IIS Log Files
by Mark Burnett

Many network administrators by now have encountered serious Web server intrusions that have resulted in legal action. Often IIS logs are the primary evidence used to track down Web intruders. But what would happen if the credibility of your IIS logs was challenged in court? What if the defense claimed the logs were not reliable enough to be admissible as evidence?


http://online.securityfocus.com/infocus/1639

5. Back to the Insecure Future
By Richard Forno

Web services, such as Microsoft's .NET platform, represent a return to centralized computing. They also pose some serious security issues.

http://online.securityfocus.com/columnists/123

6. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only global early-warning system for cyber attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

7. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)


Optional Workshops March 8, 9, 12, 13, & 14
Vendor Expo March 10 & 11

Solutions to today's security concerns; hands-on experts; blockbuster vendor expo; the CISO Executive Summit; invaluable networking opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY


1. PADL Software nss_ldap DNS Query Response Denial of Service Vulnerability
BugTraq ID: 6130
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6130
Summary:

nss_ldap is a module offered by Padl Software that allows a system to use LDAP directories as the source of information for user attributes and related data.

A vulnerability has been discovered in nss_ldap related to the handling of DNS queries.

It has been reported that nss_ldap fails to verify whether data returned in DNS query responses has been truncated by resolver libraries. When processing a DNS query response containing truncated data, nss_ldap will attempt to parse more data than is available. This could cause the nss_ldap process to crash.

It is unlikely that this is exploitable to execute arbitrary code, however this is not confirmed.
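The defensive fix for the class of bug described above is to treat every length field in a DNS reply as untrusted and to refuse a reply whose TC bit says the resolver already cut it short. The following added example (not nss_ldap code; the packets are constructed here) parses an SRV response with bounds checks on every read and fails cleanly on three kinds of truncation: TC set, a header that advertises records the payload lacks, and a reply cut off mid-record.

```python
import struct

SRV, IN = 33, 1
FLAG_TC = 0x0200  # "truncated" bit in the DNS header flags word


class TruncatedResponse(Exception):
    """Raised instead of reading past the end of the packet."""


def encode_name(name: str) -> bytes:
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(qname: str, ancount: int, truncated: bool,
                   answers: bytes = b"") -> bytes:
    """Constructed test packets: a header that may advertise more answer
    records than the payload actually carries, with or without TC set."""
    flags = 0x8180 | (FLAG_TC if truncated else 0)  # QR, RD, RA (+TC)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", SRV, IN) + answers


def read_name(buf: bytes, off: int, depth: int = 0):
    """Bounds-checked name reader; also follows compression pointers."""
    if depth > 8:
        raise TruncatedResponse("compression pointer loop")
    labels = []
    while True:
        if off >= len(buf):
            raise TruncatedResponse("name runs past end of packet")
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0 == 0xC0:
            if off >= len(buf):
                raise TruncatedResponse("pointer runs past end of packet")
            ptr = ((n & 0x3F) << 8) | buf[off]
            tail, _ = read_name(buf, ptr, depth + 1)
            labels.append(tail)
            return ".".join(labels), off + 1
        if off + n > len(buf):
            raise TruncatedResponse("label runs past end of packet")
        labels.append(buf[off:off + n].decode("ascii", "replace"))
        off += n


def parse_srv_response(buf: bytes):
    """Return [(priority, weight, port, target)] or raise TruncatedResponse.
    Every read is checked against len(buf); TC is refused up front."""
    if len(buf) < 12:
        raise TruncatedResponse("short header")
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", buf[:12])
    if flags & FLAG_TC:
        raise TruncatedResponse("TC set: retry the query over TCP")
    off = 12
    for _ in range(qdcount):
        _, off = read_name(buf, off)
        if off + 4 > len(buf):
            raise TruncatedResponse("question runs past end of packet")
        off += 4
    records = []
    for _ in range(ancount):  # the header's count is a claim, not a fact
        _, off = read_name(buf, off)
        if off + 10 > len(buf):
            raise TruncatedResponse("RR header runs past end of packet")
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if off + rdlen > len(buf):
            raise TruncatedResponse("RDATA runs past end of packet")
        if rtype == SRV:
            if rdlen < 7:
                raise TruncatedResponse("SRV RDATA too short")
            prio, weight, port = struct.unpack("!HHH", buf[off:off + 6])
            target, _ = read_name(buf, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return records


def check(buf: bytes):
    """Convenience wrapper: ('ok', records) or ('truncated', reason)."""
    try:
        return "ok", parse_srv_response(buf)
    except TruncatedResponse as e:
        return "truncated", str(e)


# Constructed sample packets for a hypothetical "_ldap._tcp.example.com"
_rdata = struct.pack("!HHH", 0, 0, 389) + encode_name("ldap.example.com")
_rr = (encode_name("_ldap._tcp.example.com")
       + struct.pack("!HHIH", SRV, IN, 300, len(_rdata)) + _rdata)
COMPLETE = build_response("_ldap._tcp.example.com", 1, False, _rr)
TRUNCATED_TC = build_response("_ldap._tcp.example.com", 1, True)
TRUNCATED_SILENT = build_response("_ldap._tcp.example.com", 1, False)
```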


2. Microsoft JVM Passed HTML Object Reference Denial Of Service Vulnerability
BugTraq ID: 6135
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6135
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer.

A vulnerability has been reported in Microsoft JVM that may lead to a denial of service in Microsoft Internet Explorer.

This problem occurs when references of HTML objects are passed to Java applets via JavaScript. Applets may potentially invoke methods of proprietary Microsoft interfaces. In some cases, when a HTML object is passed to a Java applet which invokes a method of one of these proprietary interfaces, illegal memory access will occur. This will cause the web browser to crash.

It is theoretically possible that this problem may be an exploitable memory corruption vulnerability which may allow arbitrary code execution. This possibility has not been confirmed.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.

3. Perception LiteServe DNS Wildcard Cross Site Scripting Vulnerability
BugTraq ID: 6131
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6131
Summary:

Perception LiteServe is a commercial e-mail, web, and FTP server for Microsoft Windows operating systems.


A cross site scripting vulnerability has been discovered in LiteServe.

It should be noted that this vulnerability is limited to server configurations with Wildcard DNS enabled.

It has been reported that LiteServe fails to sanitize requests containing encoded HTML and script code as the hostname when Wildcard DNS is used. Requests of this nature will be rejected by the server, effectively returning the request to the sender, without sanitizing the contents of the request.

This issue may allow an attacker to create a malicious link containing encoded HTML and script code in the requested hostname. When the malicious link is clicked by an unsuspecting user, the attacker-supplied HTML and script code will be executed by their web client.

Attacks of this nature may make it possible for attackers to manipulate web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.

This issue was reported in LiteServe v2.01. It is not yet known whether earlier versions are affected by this issue.

4. Microsoft JVM Class Loader Buffer Overrun Vulnerability
BugTraq ID: 6134
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6134
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer.


Details of a vulnerability in Microsoft JVM have been published. According to the report, a buffer overrun condition is present in the class loader. It may be triggered by attempting to load a class with a name of excessive length. At the very least, attackers may crash victim browsers when the condition occurs.

This vulnerability may be exploited by malicious webmasters who construct a Java applet designed to do so. It is not confirmed whether this may be exploited to execute attacker-supplied instructions or not. It should be assumed that this is possible.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.

5. Microsoft JVM Codebase Information Disclosure Vulnerability
BugTraq ID: 6138
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6138
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer. A vulnerability has been discovered in the Microsoft Java Virtual Machine.

By including a codebase of 'file://%00' in the applet tag of a malicious Java applet, it is possible to gain local read access to all local files on a target system. If the applet is loaded from a publicly readable network share, it is possible to list directory contents on a target system.

By gaining local read access to a target system, it may be possible for a remote attacker to disclose sensitive information, including cookie-based credentials and passwords. Information gathered through this technique may be used by an attacker to launch further attacks against a target system.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.


6. Microsoft JVM Unauthorized Clipboard Access Vulnerability
BugTraq ID: 6132
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6132
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer. A vulnerability has been discovered in Microsoft's implementation of the Java Virtual Machine (JVM).

By implementing the 'INativeServices' class, ClipBoardGetText() and ClipBoardSetText() methods into a malicious Java applet, it is possible for a remote attacker to access and modify the contents of a target user's clipboard. The methods must be called indirectly through the java.lang.reflect.* package.

Exploiting this vulnerability may allow a remote attacker to read and potentially corrupt sensitive information stored in a user's clipboard, which could be used to launch further attacks against target systems.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.

7. Microsoft JVM Package Access Restriction Bypassing Vulnerability
BugTraq ID: 6133
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6133
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer.

The JVM includes a class named com.ms.security.StandardSecurityManager which can be extended by any applet. This class contains two protected static fields named deniedDefinitionPackages and deniedAccessPackages. These fields contain package access restrictions.


The package access restrictions set in these two fields can be altered or emptied, allowing any applet to bypass the set restrictions.

These restrictions originate from the registry and are not implemented by default.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.

8. Microsoft JVM CAB File Loading Vulnerability
BugTraq ID: 6137
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6137
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer.

The JVM contains a class named com.ms.vm.loader.CabCracker. This class contains a load() method that can be used to load CAB archives from the local drive. This method performs security checks and queries the user for permission to access the CAB file from the hard drive. The method then calls load0() to load the archive from disk.

The load0() method is declared public, which allows any applet to call the method directly, bypassing the security checks performed by the load() method.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.


9. Microsoft JVM Information Disclosure Vulnerability
BugTraq ID: 6139
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6139
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer.

Due to insufficient access validation, the JVM may allow applets to retrieve sensitive information.

By calling new File(".").getAbsolutePath(), the applet may retrieve the path to the current Internet Explorer directory. On multiuser operating systems such as Windows NT/2000/XP, this path may also include the current username.

This information could be used by an attacker to mount further attacks against the system.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.

10. Microsoft JVM HTML Applet Tag Class Restriction Bypass Vulnerability
BugTraq ID: 6136
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6136
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer.

A vulnerability has been reported in Microsoft JVM that may lead to a denial of service in Microsoft Internet Explorer.


It is possible to abuse the HTML <applet> tag to bypass Java class restrictions. Class objects may be instantiated using the HTML <applet> tag, and since this is not expected by the browser when some native methods are used, this may crash the browser.

It is theoretically possible that this problem may be an exploitable memory corruption vulnerability which may allow arbitrary code execution. This possibility has not been confirmed.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.

11. Microsoft JVM URI Parsing Vulnerability
BugTraq ID: 6142
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6142
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer.

Details of a vulnerability in the Microsoft JVM have been published. The vulnerability is in the parsing of the location URI string and may result in an applet being retrieved from an attacker-specified location rather than that of the document it is embedded in. This may result in a malicious applet having access to the DOM of the target location. The applet may retrieve cookie values or manipulate web content.

According to the report, the Microsoft JVM can be fooled into believing that the HTTP username component of a HTTP URI is the domain. This allegedly occurs when a colon character is present in the URI that would normally, when it is in the correct location in the URI string, indicate the listening port of the server. If the attacker constructs a HTTP URI with a HTTP username component containing a location and the port, the Microsoft engine will use that value incorrectly as the document location. Such a URI may look like:

http://www.attackersite.tld:80@www.realsite.tld
       ^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^
       HTTP auth user:password actual domain

In this example, if the document served by the server 'www.realsite.tld' has an embedded applet, the Java engine will retrieve it from 'www.attackersite.tld'. The consequences of this are significant. An attacker may place a rogue applet on a server under their control ('www.attackersite.tld') with the same class name. When invoked, this applet will have access to the DOM of the document from 'www.realsite.tld'. The applet may then retrieve cookie values or otherwise access/manipulate the contents of the document.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.
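The misparse above comes down to reading the first ':' after the scheme as the port separator without first removing the 'userinfo@' part of the authority. This added example (not Microsoft's or SecurityFocus' code) reproduces that flawed heuristic beside a userinfo-aware parse, and shows the same-host check a loader should apply before an applet is granted the embedding document's DOM. The URI is the advisory's own illustration; `same_host` and its use are assumptions of this example.

```python
from urllib.parse import urlsplit

# The advisory's own illustration of the ambiguous authority component
SAMPLE_URI = "http://www.attackersite.tld:80@www.realsite.tld"


def naive_host(uri: str) -> str:
    """Reproduce the flawed heuristic the advisory describes: take the
    authority up to the first ':' as the host and never account for an
    'user:password@' prefix, so the userinfo is mistaken for the domain."""
    authority = uri.split("://", 1)[1].split("/", 1)[0]
    return authority.split(":", 1)[0]


def correct_host(uri: str) -> str:
    """Strip userinfo (everything up to the last '@' of the authority)
    before splitting host and port, as RFC 2396 section 3.2.2 requires.
    urlsplit().hostname does exactly that and lowercases the result."""
    host = urlsplit(uri).hostname
    return host or ""


def same_host(document_uri: str, applet_uri: str) -> bool:
    """Origin check a loader should make before trusting an applet with
    the embedding document's DOM: both must resolve to the same host
    after userinfo has been removed, not before."""
    return correct_host(document_uri) == correct_host(applet_uri)


if __name__ == "__main__":
    print("naive  :", naive_host(SAMPLE_URI))    # www.attackersite.tld
    print("correct:", correct_host(SAMPLE_URI))  # www.realsite.tld
```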

12. Microsoft JVM INativeServices Unauthorized Memory Access Vulnerability
BugTraq ID: 6140
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6140
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer.

INativeServices methods accept memory addresses as parameters. Due to insufficient checking of these values, it may be possible to pass invalid memory addresses and cause a denial of service.

Additionally, the pGetFontEnumeratedFamily() methods may also be invoked to read memory via INativeServices methods. This may lead to disclosure of various types of sensitive information such as websites visited, cookies, and filesystem information such as the location of the cache directory.

Exploitation of this vulnerability may facilitate other attacks, potentially leading to further information disclosure or execution of malicious code.

It is possible for a Java applet to access INativeServices methods directly via other methods such as SystemX.getNativeServices(). Indirectly, the INativeServices methods may be accessed through the java.lang.reflect.* methods.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.

13. Perception LiteServe Directory Query String Cross Site Scripting Vulnerability
BugTraq ID: 6143
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6143
Summary:

Perception LiteServe is a commercial e-mail, web, and FTP server for Microsoft Windows operating systems.

A cross site scripting vulnerability has been discovered in LiteServe.


It has been reported that LiteServe fails to sanitize query strings from indexed folders. By constructing a malicious link containing encoded HTML and script code in the 'dir' variable, it is possible to execute the script code within the context of a victim's web browser.

Attacks of this nature may make it possible for attackers to manipulate web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.

14. Zeus Web Server Admin Interface Cross Site Scripting Vulnerability
BugTraq ID: 6144
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6144
Summary:

Zeus Web Server is a proprietary webserver for Unix, Linux, Sun, BSD, HP-UX, and Apple OS X platforms.

The web based administration interface included in Zeus Web Server is vulnerable to cross site scripting attacks. Due to insufficient sanitization of user-supplied input it is possible for an attacker to construct a malicious link which contains arbitrary HTML and script code. Attacker-supplied HTML and script code may be executed on a web client visiting the malicious link in the context of the vulnerable server.

Attacks of this nature may make it possible for attackers to steal cookie-based authentication credentials.

It is important to note that the user must supply a username and password for the administrative interface before the script will execute. This also compounds the problem, since it is now likely that an attacker exploiting this vulnerability may be able to steal the administrative user's credentials.

15. Simple Web Server File Disclosure Vulnerability
BugTraq ID: 6145
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6145
Summary:

Simple Web Server is a simple lightweight webserver available for the Linux platform.

It has been reported that Simple Web Server does not properly sanitize web requests. By sending a malicious web request to the vulnerable server, containing a slash-slash sequence ('//'), it is possible for a remote attacker to disclose files, effectively bypassing any access control measures in place.


Disclosure of sensitive files may aid the attacker in launching further attacks against the target system.

16. QNX RTOS Application Packager Non-Explicit Path Execution Vulnerability
BugTraq ID: 6146
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6146
Summary:

QNX RTOS is a real-time operating system designed for use on embedded systems. It is distributed and maintained by QNX.

A vulnerability has been discovered in an application packager shipped with QNX. It should be noted that the vulnerable packager is setuid root by default.

It has been reported that the application packager calls the 'cp' command without using the program's absolute path. By modifying the PATH environment variable, it is possible for a local attacker to trick the vulnerable program into running a trojaned program containing arbitrary system commands.

Successful exploitation of this vulnerability could result in an unauthorized local attacker gaining root access to the target system.

17. Sun Solaris Network Interface Denial Of Service Vulnerability
BugTraq ID: 6147
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6147
Summary:

Sun has reported a denial of service vulnerability in Solaris 8/9.

It has been reported that it is possible for an unprivileged local or remote attacker to cause some network interfaces to stop responding to TCP traffic.

If this condition is exploited, then the affected network interfaces must be manually brought back up for normal functionality to resume.


Further details about the nature of this vulnerability are not known at this time. This record will be updated if further details become available.

18. MailScanner Attachment Filename Validation Vulnerability
BugTraq ID: 6148
Remote: Yes
Date Published: Nov 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6148
Summary:

MailScanner is an e-mail security product. It is designed to be deployed on gateway systems and provides the ability to detect e-mail based attacks such as viruses. It will run on Unix and Linux variants and provides support for a number of anti-virus products.

A vulnerability has been reported in how MailScanner handles filenames for attachments. MailScanner does not sufficiently validate certain types of malformed filenames.

It may be possible to bypass MailScanner security with attachment filenames that contain excessive trailing/leading whitespace, are blank, or use character encodings that are unknown to MailScanner.

The exact consequences of this vulnerability are not known, but it is possible that some attachments with malicious filenames may slip through MailScanner or that a malformed filename may cause other aspects of MailScanner to fail.
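A gateway filter should fail closed on exactly the three filename shapes the advisory lists: padding whitespace, blank names, and encodings it cannot decode. This added example (not MailScanner code) decodes an attachment filename the way a MIME parser sees it, including RFC 2047 encoded-words, and rejects anything it cannot normalise into a plain name rather than passing it downstream unexamined. The sample filenames are constructed.

```python
import re
from email.header import decode_header

CONTROL = re.compile(r"[\x00-\x1f\x7f]")


class BadFilename(ValueError):
    """Attachment name that must not reach the downstream checks as-is."""


def normalise_filename(raw) -> str:
    """Decode a (possibly RFC 2047 encoded) attachment filename, strip
    padding whitespace, and reject blank, control-laden, path-like or
    undecodable names. Unknown charsets are refused, not guessed."""
    if raw is None:
        raise BadFilename("no filename")
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii")
            except (LookupError, UnicodeDecodeError) as e:
                raise BadFilename(f"undecodable filename ({charset}): {e}")
        parts.append(chunk)
    name = "".join(parts).strip()          # leading/trailing whitespace
    if not name:
        raise BadFilename("blank filename")
    if CONTROL.search(name):
        raise BadFilename("control characters in filename")
    if "/" in name or "\\" in name or name in (".", ".."):
        raise BadFilename("path components in filename")
    return name


def classify(raw) -> str:
    """Fail closed: 'reject' whenever the name cannot be validated, so a
    malformed name cannot slip past later extension or virus checks."""
    try:
        normalise_filename(raw)
        return "accept"
    except BadFilename:
        return "reject"
```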

19. CVSup-Mirror Insecure Temporary Files Vulnerability
BugTraq ID: 6150
Remote: No
Date Published: Nov 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6150
Summary:

cvsup-mirror is included in the FreeBSD ports collection and is intended to be used in combination with cvsup to create easily maintainable FreeBSD mirrors.

cvsup-mirror is prone to a vulnerability which may enable local attackers to corrupt critical system files.

This issue is present in the 'cvsupd.sh' shell script. The source of this issue is that 'cvsupd.sh' creates temporary files in a directory to which malicious local users may potentially have access.


The vulnerable shell script creates a file entitled 'cvsupd.out' in the /var/tmp/ directory. A local attacker could create a symbolic link in /var/tmp with the same name, pointing to critical system files. Any actions performed by cvsup-mirror on 'cvsupd.out' will instead be performed on files pointed to by the symbolic link. Files that are writeable by the user running the vulnerable software may be overwritten in this manner.

This may result in a denial of service if critical files are overwritten, and may potentially allow for privilege escalation.
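The two properties that defeat the symlink attack described above are an unpredictable name and a create-only open that refuses to follow whatever already sits at that name. This added example (not cvsup-mirror code; the shared directory, victim file and planted link are all constructed inside a throwaway temp directory) contrasts the predictable fixed-name write with a create-only open and with mkstemp.

```python
import os
import tempfile

O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)  # absent on some platforms


def unsafe_write(path: str, data: str) -> None:
    """Pattern the advisory describes: open a fixed, predictable name in a
    shared directory. open() happily follows a symlink already there."""
    with open(path, "w") as f:
        f.write(data)


def safe_write_fixed(path: str, data: str) -> None:
    """If the name must stay fixed: create-only (O_EXCL) and never follow a
    symlink (O_NOFOLLOW); fail loudly rather than write through a link."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def safe_write_random(dirname: str, data: str) -> str:
    """Preferred: mkstemp picks an unpredictable name and creates it with
    O_EXCL, so there is no name for an attacker to pre-plant."""
    fd, path = tempfile.mkstemp(prefix="cvsupd.", suffix=".out", dir=dirname)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demonstrate() -> dict:
    """Constructed scenario: a link named cvsupd.out points at a victim
    file in a directory standing in for /var/tmp."""
    shared = tempfile.mkdtemp()
    victim = os.path.join(shared, "victim.conf")
    with open(victim, "w") as f:
        f.write("original\n")
    planted = os.path.join(shared, "cvsupd.out")
    os.symlink(victim, planted)

    unsafe_write(planted, "clobbered\n")          # writes through the link
    after_unsafe = open(victim).read()

    with open(victim, "w") as f:
        f.write("original\n")
    try:
        safe_write_fixed(planted, "clobbered\n")
        refused = False
    except OSError:                               # EEXIST or ELOOP
        refused = True
    after_fixed = open(victim).read()

    out = safe_write_random(shared, "log data\n")
    after_random = open(victim).read()
    return {"after_unsafe": after_unsafe, "refused": refused,
            "after_fixed": after_fixed, "after_random": after_random,
            "random_path_differs": out != planted}
```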

20. Incognito Systems ISMTP Gateway Buffer Overflow Vulnerability
BugTraq ID: 6151
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6151
Summary:

iSMTP Gateway is a Mail Gateway system developed by Incognito Systems for use with Banyan VINES Intelligent Messaging users. It is available only for the Banyan VINES operating system.

A buffer overflow vulnerability has been reported for iSMTP Gateway. The vulnerability occurs due to inappropriate bounds checking when processing user-supplied input. Specifically, the vulnerability is a result of processing the 'MAIL FROM:' command.

An attacker can exploit this vulnerability by sending an overly long 'MAIL FROM:' command consisting of about 4000 characters. When the system receives this input it will crash.

As this vulnerability is due to a buffer overflow vulnerability, it is probable that code execution may be possible. This, however, has not been confirmed.

This vulnerability was reported for Incognito Software Inc iSMTP Gateway 5.0.1.


21. KGPG Key Generation Empty Passphrase Vulnerability
BugTraq ID: 6152
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6152
Summary:

KGPG is a KDE graphical front-end for GPG (GNU Privacy Guard). It is designed for use with the KDE Desktop Environment and GPG. It is available for Unix and Linux variant operating systems.

A vulnerability has been reported for KGPG. Reportedly, KGPG generates secret keys in an unsafe manner. The vulnerability is the result of how KGPG sends command line arguments to GPG. The vulnerability occurs when keys are generated using the key generation graphical wizard. All keys generated using the wizard will have an empty passphrase.

An attacker can exploit this vulnerability to obtain access to some potentially sensitive information.

This vulnerability was reported for KGPG versions 0.6 to 0.8.2.

22. EZ Systems HTTPBench Information Disclosure Vulnerability
BugTraq ID: 6153
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6153
Summary:

eZ Systems httpbench is a benchmarking utility implemented in PHP. It is available for Unix and Linux variants as well as Microsoft Windows operating environments.

An information disclosure vulnerability has been reported for httpbench. Reportedly, httpbench may disclose the contents of web server readable files to remote attackers.


This vulnerability can be exploited by a remote attacker to obtain potentially sensitive information on a vulnerable system. Information obtained in this manner may be used to launch further, destructive attacks against a vulnerable system.

This vulnerability was reported for httpbench 1.1. It is not known whether other versions are affected.

23. Novell Netware eMFrame iManage Buffer Overflow Vulnerability
BugTraq ID: 6154
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6154
Summary:

Novell Netware eMFrame is a web-based application that provides role-based management of Novell eDirectory. iManage is a feature of eMFrame that enables remote management of Netware from the web and from wireless devices.

A buffer overflow vulnerability has been reported for eMFrame. The vulnerability occurs due to inadequate bounds checking when authenticating against the system. Specifically, the vulnerability occurs when processing the DN (Distinguished Name) value supplied by users when authenticating.

If a user supplies a DN attribute of more than 256 characters, eMFrame will terminate, resulting in a denial of service.

This vulnerability affects eMFrame prior to 1.5.

24. Hotfoon Dialer Plain Text Password Storage Vulnerability BugTraq ID: 6155
Remote: No
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6155
Summary:

Hotfoon provides PC to Phone services accessible by using its client program, Hotfoon4.exe.

A problem with Hotfoon4.exe has been discovered that may allow an attacker to gain access to authentication credentials.

It has been reported that Hotfoon4.exe does not safely store the user's password. Hotfoon4.exe stores the user's password in plain text in a registry entry.

This problem could allow an attacker to gain access to the user's password on a vulnerable system. This will allow the attacker to use the services provided by Hotfoon as the victim user.

25. Hotfoon Dialer Buffer Overflow Vulnerability BugTraq ID: 6156
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6156
Summary:

Hotfoon provides PC to Phone and other services accessible by using its client program, Hotfoon4.exe.

A buffer overflow vulnerability has been reported for the Hotfoon dialer. The vulnerability exists in a text input field for dialing telephone numbers. Reportedly, Hotfoon4.exe does not adequately perform boundary checks on this field.

This vulnerability is exacerbated by the fact that Hotfoon4.exe will define a URL protocol, 'Voice', and register itself as a remote service. Thus it is possible for a remote attacker to exploit this vulnerability by issuing a 'Voice' protocol request to launch the Hotfoon4.exe service.

An attacker can exploit this vulnerability by entering an overly long value, consisting of at least 76 characters, in this text field. This will cause Hotfoon4.exe to crash. Any malicious attacker-supplied code included in the specially crafted string will be executed with the privileges of the Hotfoon4.exe process.

This vulnerability has been reported for Hotfoon dialer 4.0.

26. KDE Network RESLISA Buffer Overflow Vulnerability BugTraq ID: 6157
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6157
Summary:

LISa (LAN Information Server) is a service designed for Linux variant operating systems. It provides LAN browsing capabilities on Linux systems. resLISa is a restricted version of LISa and is distributed with LISa.

A buffer overflow vulnerability has been reported for resLISa. The vulnerability results from inadequate checks on the LOGNAME environment variable.

An attacker can exploit this vulnerability by setting the LOGNAME environment variable to an overly long value. When the attacker then invokes resLISa, the service will crash and the attacker will obtain control over the execution of the vulnerable service.

resLISa is typically installed as a setUID root binary.

27. ISC BIND 8 Invalid Expiry Time Denial Of Service Vulnerability BugTraq ID: 6159
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6159
Summary:

BIND is a server program that implements the domain name service protocol. It is used widely on the Internet.

A denial of service vulnerability has been reported for ISC BIND 8. The vulnerability is due to caching of SIG RR (resource records) with invalid expiry times.

An attacker who controls an authoritative name server may be able to cause vulnerable BIND 8 servers to cache invalid SIG RR elements. When the vulnerable DNS server attempts to reference the SIG RR elements it will result in the denial of service condition.

It has been reported that ISC BIND 8 versions up to 8.3.3 are vulnerable to this issue.

28. ISC BIND OPT Record Large UDP Denial of Service Vulnerability BugTraq ID: 6161
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6161
Summary:

BIND is a server program that implements the domain name service protocol. It is in extremely wide use on the Internet, running on most DNS servers.

Recursive BIND 8 servers are vulnerable to a denial of service condition. Requesting a DNS lookup on a non-existent sub-domain of a valid domain may cause BIND to fail.

The attacker would have to attach an OPT resource record with a large UDP payload size in order to exploit this vulnerability.

The denial of service may also occur when a domain is queried and the authoritative DNS servers are unreachable.
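The two BIND issues above (BID 6159, SIG RRs with invalid expiry times, and BID 6161, an OPT record with a large UDP payload size) both come down to a name server acting on record fields it has not sanity-checked. The following is an added example, not code from these advisories or from ISC BIND: a small Python DNS wire-format parser that pulls the expiration and inception times out of SIG RRs and the advertised UDP payload size out of OPT pseudo-records, and flags values a cautious resolver would refuse to cache or honour. The sample messages, the 4096-byte policy ceiling and the "current time" are constructed for the example.

```python
"""Added example (not from these advisories or from ISC BIND): a minimal DNS
wire-format parser that flags SIG RRs with inconsistent or past expiry times
(BID 6159) and OPT records advertising an oversized UDP payload (BID 6161)."""
import struct
import time

TYPE_SIG, TYPE_OPT = 24, 41
MAX_UDP_PAYLOAD = 4096  # local policy ceiling; an assumption, not a BIND setting

def encode_name(name):
    """Dotted name -> uncompressed DNS labels."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            jumped, off = True, struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) or ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_message(msg):
    """Return (questions, resource records) for one DNS message."""
    _, _, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, questions, rrs = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name,) + struct.unpack_from("!HH", msg, off))
        off += 4
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rrs.append({"name": name, "type": rtype, "class": rclass,
                    "ttl": ttl, "rdata": msg[off:off + rdlen]})
        off += rdlen
    return questions, rrs

def check_sig_times(rr, now):
    """RFC 2535 SIG RDATA: covered(2) alg(1) labels(1) TTL(4) expiration(4) inception(4) ..."""
    if len(rr["rdata"]) < 18:
        return "SIG rdata truncated"
    expiration, inception = struct.unpack_from("!II", rr["rdata"], 8)
    if expiration <= inception:
        return "SIG expiry precedes inception"
    if expiration < now:
        return "SIG already expired"
    if inception > now:
        return "SIG not yet valid"
    return None

def check_opt(rr):
    """For OPT (RFC 2671) the CLASS field carries the sender's UDP payload size."""
    size = rr["class"]
    if size < 512:
        return "OPT payload size below the 512-byte minimum"
    if size > MAX_UDP_PAYLOAD:
        return "OPT payload size %d exceeds local policy" % size
    return None

def audit(msg, now=None):
    """Return [(rr_type, problem)] for each suspicious SIG or OPT record."""
    now = int(time.time()) if now is None else now
    checks = {TYPE_SIG: lambda rr: check_sig_times(rr, now), TYPE_OPT: check_opt}
    findings = []
    for rr in parse_message(msg)[1]:
        problem = checks.get(rr["type"], lambda rr: None)(rr)
        if problem:
            findings.append((rr["type"], problem))
    return findings

def build_message(qname, rrs):
    """Constructed sample (not captured traffic): one question, SIG in answer, OPT in additional."""
    answers = [r for r in rrs if r[1] != TYPE_OPT]
    extra = [r for r in rrs if r[1] == TYPE_OPT]
    out = struct.pack("!6H", 0x1234, 0x8180, 1, len(answers), 0, len(extra))
    out += encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, rtype, rclass, ttl, rdata in answers + extra:
        out += encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return out

def sig_rdata(expiration, inception):
    return (struct.pack("!HBBIIIH", 1, 3, 3, 3600, expiration, inception, 0xBEEF)
            + encode_name("example.test") + b"\x00" * 16)

NOW = 1037000000  # constructed "current time" (November 2002)
GOOD_MSG = build_message("www.example.test", [("www.example.test", TYPE_SIG, 1, 3600,
                         sig_rdata(NOW + 86400, NOW - 86400)), (".", TYPE_OPT, 1280, 0, b"")])
BAD_MSG = build_message("www.example.test", [("www.example.test", TYPE_SIG, 1, 3600,
                        sig_rdata(NOW - 86400, NOW + 86400)), (".", TYPE_OPT, 65535, 0, b"")])
```

`audit(GOOD_MSG, NOW)` returns no findings; `audit(BAD_MSG, NOW)` reports both the SIG whose expiry precedes its inception and the OPT record asking for a 65535-byte UDP payload. The parser does not care which section a record came from, so the same OPT check applies to incoming queries, which is where BID 6161 is triggered. Times are compared as plain integers here; a production check would use the serial-number arithmetic RFC 2535 prescribes for 32-bit timestamps.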

29. ISC BIND SIG Cached Resource Record Buffer Overflow Vulnerability BugTraq ID: 6160
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6160
Summary:

BIND is a server program that implements the domain name service protocol. It is widely used on the Internet.

It has been reported that DNS servers running BIND with recursive DNS functionality enabled are prone to a buffer overflow condition. This issue is triggered when the vulnerable DNS server is constructing DNS responses for cached information.

An attacker-controlled authoritative DNS server may cause BIND to cache information into an internal database when recursion is enabled. Cached information is accessed when a DNS client request is received. A vulnerability exists when creating a DNS response containing SIG resource records (RRs), which may lead to the buffer overflow condition.

By causing the vulnerable DNS server to cache information, and sending a malicious client request, it may be possible for a remote attacker to cause a buffer to be overrun. Exploitation of this issue could result in the execution of arbitrary attacker-supplied code with the privileges of the vulnerable BIND daemon.

It should be noted that recursive DNS functionality is enabled by default.

30. Novell eDirectory Expired Password Vulnerability BugTraq ID: 6163
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6163
Summary:

Novell has recently reported a vulnerability in eDirectory. According to Novell, inappropriate privileges may be applied to users logging in from Remote Manager. This occurs when the user's password has expired.

The precise details of the "inappropriate permissions" are not currently known. It may be that users retain access they should not have while their password is expired. It is also possible that users with expired passwords are granted additional privileges when logging in from Remote Manager. This has not been confirmed by Novell.

31. Light HTTPD GET Request Buffer Overflow Vulnerability BugTraq ID: 6162
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6162
Summary:

Light httpd is a small HTTP server, derived from ghttpd. It is available for a large variety of platforms, including Linux, BSD, Solaris, and Microsoft Windows operating systems.

A vulnerability has been discovered in Light httpd, when processing GET requests. Passing an excessively long GET request to a vulnerable server, containing roughly 1024 or more bytes of data, will trigger a buffer overflow. This will typically result in sensitive memory being overwritten with attacker-supplied values.

Exploitation of this issue will result in the execution of arbitrary commands with the privileges of the target web server. As Light httpd drops privileges, commands will be executed with the privileges of the 'nobody' user.

32. TinyHTTPD Directory Traversal Vulnerability BugTraq ID: 6158
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6158
Summary:

It has been reported that TinyHTTPD fails to properly sanitize web requests. By sending a malicious web request to the vulnerable server, using directory traversal sequences, it is possible for a remote attacker to access sensitive resources located outside of the web root.

An attacker is able to traverse outside of the established web root by using dot-dot-slash (../) directory traversal sequences. An attacker may be able to obtain any web server readable files from outside of the web root directory.

Disclosure of sensitive system files may aid the attacker in launching further attacks against the target system.
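As an added example (not TinyHTTPD's code), here is the check a small HTTP server needs in order to keep requests inside the web root: decode the request path, normalize it, and refuse anything that still climbs above the root. The web root and the request lines are constructed for the example.

```python
"""Added example (not TinyHTTPD's code): resolving an HTTP request path under
a web root while rejecting dot-dot-slash escapes, percent-encoded or not."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/htdocs"  # constructed example root

def resolve_request_path(web_root, target):
    """Return the filesystem path for a request target, or None if the
    request would escape web_root. Decoding happens before normalization so
    that %2e%2e%2f cannot slip past the check."""
    path = unquote(target.split("?", 1)[0])
    if "\x00" in path:  # a NUL would truncate the path in a C server
        return None
    rel = posixpath.normpath(path.lstrip("/"))  # collapses "." and ".." segments
    if rel == ".." or rel.startswith("../"):    # still climbing above the root
        return None
    if rel == ".":                              # a request for "/" itself
        return web_root
    return posixpath.join(web_root, rel)

def handle_request_line(line, web_root=WEB_ROOT):
    """Return (status, path) for an HTTP/1.0 request line; path is None on error."""
    parts = line.strip().split(" ")
    if len(parts) != 3:
        return 400, None
    method, target, _version = parts
    if method != "GET":
        return 405, None
    resolved = resolve_request_path(web_root, target)
    if resolved is None:
        return 403, None
    return 200, resolved
```

`GET /images/../index.html HTTP/1.0` resolves to `/var/www/htdocs/index.html`, while `GET /images/../../etc/passwd HTTP/1.0` and its `%2e%2e` spelling are both refused with 403. Normalization does not follow symbolic links, so a server whose document tree contains links should additionally compare `os.path.realpath` of the opened file against the real path of the web root.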

33. MasqMail Buffer Overflow Vulnerability BugTraq ID: 6164
Remote: No
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6164
Summary:

MasqMail is a MTA (mail transport agent) designed for systems without a permanent Internet connection.

A buffer overflow vulnerability has been reported for MasqMail. The vulnerability may be exploited by an attacker to execute arbitrary commands with root privileges.

Although not yet confirmed, it is speculated that the vulnerability may be triggered through malicious entries in a user-supplied configuration file.

Precise technical details regarding the cause of this issue are not yet known. This BID will be updated as further information becomes available.

34. Xoops WebChat Module Remote SQL Injection Vulnerability BugTraq ID: 6165
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6165
Summary:

Xoops is open-source, freely available web portal software written in object-oriented PHP. It is back-ended by a MySQL database and will run on most Unix and Linux distributions.

A vulnerability exists in the WebChat module included with Xoops. The vulnerability is due to insufficient sanitization of variables used to construct SQL queries in the 'index.php' script. Specifically, the 'roomid' variable is not sanitized of malicious SQL input. It is possible to modify the logic of SQL queries through malformed query strings in requests for the vulnerable script.

By injecting SQL code into the 'roomid' variable, it may be possible for an attacker to corrupt database information.
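As an added illustration of the 'roomid' pattern described above (a Python/sqlite3 rendering, not the Xoops WebChat PHP code; the table name and rows are constructed), the following puts the unsanitized query beside a version that enforces the integer type and binds the value as a parameter.

```python
"""Added example (Python/sqlite3 stand-in, not the Xoops WebChat code): an
unsanitized room id spliced into SQL, beside the parameterized fix."""
import sqlite3

def make_db():
    """In-memory stand-in for the chat message table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE webchat_msgs "
                 "(id INTEGER PRIMARY KEY, roomid INTEGER, uid INTEGER, message TEXT)")
    conn.executemany("INSERT INTO webchat_msgs (roomid, uid, message) VALUES (?, ?, ?)",
                     [(1, 10, "hello room one"), (1, 11, "anyone here?"),
                      (2, 12, "room two only"), (3, 13, "room three only")])
    conn.commit()
    return conn

def room_messages_vulnerable(conn, roomid):
    """The flawed pattern: the query-string value becomes part of the SQL text,
    so a value such as "1 OR 1=1" rewrites the WHERE clause and the query
    returns every room's messages instead of one room's."""
    sql = "SELECT message FROM webchat_msgs WHERE roomid = " + roomid + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def room_messages_safe(conn, roomid):
    """Hardened: enforce the expected type, then bind the value as a parameter
    so the database engine never parses user input as SQL."""
    try:
        rid = int(roomid)
    except (TypeError, ValueError):
        raise ValueError("roomid must be an integer")
    rows = conn.execute("SELECT message FROM webchat_msgs WHERE roomid = ? ORDER BY id", (rid,))
    return [row[0] for row in rows]
```

With the same input, `room_messages_vulnerable` hands back all four rows for a non-numeric room id while `room_messages_safe` rejects it before any query runs; for a legitimate id both return the same two messages. The type check is a second, independent line of defence: even if a future query were assembled by string concatenation again, an integer cannot carry SQL syntax.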

35. Traceroute-nanog Local Buffer Overflow Vulnerability BugTraq ID: 6166
Remote: No
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6166
Summary:

Traceroute is a tool that is used to track packets in a TCP/IP network to determine the path of network connections.

Traceroute-nanog fails to drop root privileges after obtaining a RAW socket. Because of this, it is possible for a local attacker to gain root privileges by triggering a buffer overflow. Ex