SecurityFocus Newsletter #179

From: John Boletta <jboletta(at)securityfocus.com>
Date: Wed Jan 15 2003 - 11:33:27 EST

This Issue is Sponsored by: SPI Dynamics

ALERT: Exploiting Web Applications - A Step-by-Step Attack Analysis. Learn why 70% of today's successful hacks involve Web Application attacks such as: SQL Injection, XSS, Cookie Manipulation, and Parameter Manipulation. All undetectable by Firewalls and IDS!

Download *FREE* white paper from SPI Dynamics for a complete guide to protection!

http://www.spidynamics.com/mktg/webappsecurity42


I. FRONT AND CENTER

  1. Instant Insecurity: Security Issues of Instant Messaging
  2. Intelligence Gathering: Watching a Honeypot at Work
  3. Closing the Floodgates: DDoS Mitigation Techniques
  4. Strikeback, Part Deux
  5. SecurityFocus DPP Program
  6. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

II. BUGTRAQ SUMMARY

  1. OpenTopic Private Message HTML Injection Vulnerability
  2. DCP-Portal Remote File Include Vulnerability
  3. FreeBSD System Call f_count Integer Overflow Vulnerability
  4. DCP-Portal Unauthorized Account Access Vulnerability
  5. H-Sphere Webshell Remote Buffer Overrun Vulnerability
  6. AN HTTPD HTTP Request Buffer Overflow Vulnerability
  7. AN HTTPD Cross Site Scripting Vulnerability
  8. Longshine Wireless Access Point Devices Information Disclosure...
  9. Multiple Vendor Network Device Driver Frame Padding Information...
  10. IPFilter TCP ACK/Bad Checksum Packet Denial Of Service...
  11. Microsoft Windows Fontview Denial of Service Vulnerability
  12. H-Sphere Webshell flist() Buffer Overflow Vulnerability
  13. S-PLUS For Unix Insecure Temporary File Vulnerabilities
  14. H-Sphere Webshell diskusage.cc Buffer Overflow Vulnerability
  15. H-Sphere Webshell Command.C Mode URI Parameter Command...
  16. H-Sphere Webshell Command2.CC Zipfile URI Parameter Command...
  17. myPHPNuke Information Disclosure Vulnerability
  18. myPHPNuke Default_Theme Cross Site Scripting Vulnerability
  19. KaZaA Advertisement Local Zone Vulnerability
  20. CommuniGate Pro Webmail File Disclosure Vulnerability
  21. S8Forum Remote Command Execution Vulnerability
  22. Active PHP Bookmarks Multiple File Include Vulnerabilities
  23. Active PHP Bookmarks Arbitrary Bookmark Addition Vulnerability
  24. HTTP Fetcher Library Multiple Buffer Overflow Vulnerabilities
  25. GeneWeb File Disclosure Vulnerability
  26. cgihtml Signed Integer Content-Length Memory Corruption...
  27. cgihtml Denial Of Service Vulnerability
  28. CGIHTML Form Data File Corruption Vulnerability
  29. CGIHTML Insecure Form-Data Temporary File Vulnerability
  30. TANne Session Manager SysLog Format String Vulnerability
  31. A.ShopKart Multiple SQL Injection Vulnerabilities
  32. Horde IMP Database Files SQL Injection Vulnerabilities
  33. AJ's Internet Cafe World-Writeable Files Vulnerability
  34. AppIdeas MyCart Information Disclosure Vulnerability
  35. Macromedia ColdFusion MX CFInclude And CFModule Tag Sandbox...
  36. Business Objects WebIntelligence Application Session Hijacking...
  37. FormMail Cross-Site Scripting Vulnerability
  38. Mambo Site Server Multiple Cross Site Scripting Vulnerabilities
  39. Mambo Site Server Arbitrary File Upload Vulnerability
  40. Efficient Networks DSL Router Denial Of Service Vulnerability
  41. Follett Software WebCollection Plus File Reading Vulnerability
  42. BRS WebWeaver MKDir FTP Root Path Disclosure Vulnerability
  43. Half-Life ClanMod Plugin Remote Format String Vulnerability
  44. Half-Life AdminMod Plugin Remote Format String Vulnerability
  45. Half-Life StatsMe Plug-in CMD_ARGV Buffer Overflow Vulnerability
  46. Half-Life StatsMe Plug-in MakeStats Format String Vulnerability
  47. Half-Life HLTV Remote Denial Of Service Vulnerability
  48. SCO UnixWare/Open UNIX PS Buffer Overflow Vulnerability
  49. Middleman net_dns() Frame Pointer Overwrite Vulnerability
  50. Bea Systems WebLogic ResourceAllocationException System...

III. SECURITYFOCUS NEWS ARTICLES

  1. Feds seek public input on hacker sentencing
  2. RIAA defaced -again!
  3. The View From Symantec's Security Central
  4. The return of the celebrity virus

IV. SECURITYFOCUS TOP 6 TOOLS

  1. RSA implementation in Octave v0.01
  2. e2undel v0.81
  3. RSA encrypting tool v0.11
  4. System Statistics Remote Checker v0.8
  5. Pathalizer v0.3
  6. Packetflow Firewall Generator v0.7

V. SECURITYJOBS LIST SUMMARY

  1. Senior Federal Territory Manager (Thread)
  2. Information Security Analyst (Thread)
  3. IDS Signature Engineer needed now! (revised) (Thread)
  4. IDS Signature Engineer needed now! (Thread)
  5. Security Position with Bristol-Myers Squibb-Hopewell-NJ (Thread)
  6. Seeking internship or entry-level position (Thread)
  7. Looking for a security based role (no experience) (Thread)
  8. @stake Employment in Seattle (Thread)
  9. Looking for security job opportunity in Northern...
  10. Sales / Account Manager - Information Security Solutions (Thread)
  11. VP of Sales - NJ - #730 (Thread)
  12. Entrust Ops Engineer and Technical Support. Contract Saudi...
  13. Hi Alfred!! (Thread)
  14. Security Account Manager - OTTAWA, Canada - Government focus...
  15. Sun security position available... (Thread)
  16. Senior Risk Assessment Scientist - Chicago, IL - EOE (Thread)
  17. Senior Security Architect - Chicago - up to $110,000 (Thread)
  18. PKI Identrus Eleanor Expertise available (Thread)
  19. Looking for an internship (SSCP/CCNA) (Thread)
  20. Senior Systems Security Engineer - Baltimore/Washington DC...
  21. Security Design and Support Engineer - Baltimore/Washington...
  22. Senior Security Engineer - Baltimore/Washington, DC (Thread)
  23. ISS Certified Contract Role Saudi Arabia (Thread)
  24. Sr. Project Manager - Employee Monitoring Solutions (Thread)
  25. US - MD - Baltimore Area - Web Security Positions & Security...
  26. Development Manager Needed (Thread)
  27. Needed for Long term contract w/Full benefits-SYSTEMS...
  28. "I am seeking" Sr. Security Position in Colorado area. CISSP...

VI. INCIDENTS LIST SUMMARY

  1. Hacked web server (Thread)
  2. Virus? Trojan? (Thread)
  3. IRC -> smtp worm? (Thread)
  4. Curious "spam" (or broken viral payload)... (Thread)
  5. Any known exploit for the samba 2.2.2-2.2.6 encrypted password...
  6. /sumthin Revisited (Thread)
  7. Possible google hack (Thread)
  8. Root password changed (Thread)
  9. Re[2]: Spoofed RFC1918 Network Source Addresses... (Thread)
  10. Subseven 2.2 Server? (Thread)
  11. PDL anti-spam blacklist (Thread)

VII. VULN-DEV RESEARCH LIST SUMMARY

  1. NO NEW POSTS FOR THE WEEK ENDING 01.10.03

VIII. MICROSOFT FOCUS LIST SUMMARY

  1. AD replication over WAN (Thread)
  2. FW: Tools for changing WMI namespace ACL's (Thread)
  3. SecurityFocus Microsoft Newsletter #120 (Thread)

IX. SUN FOCUS LIST SUMMARY

  1. NO NEW POSTS FOR THE WEEK ENDING 01.10.03

X. LINUX FOCUS LIST SUMMARY

  1. NO NEW POSTS FOR THE WEEK ENDING 01.10.03

XI. SPONSOR INFORMATION

I. FRONT AND CENTER

1. Instant Insecurity: Security Issues of Instant Messaging
By Neal Hindocha

Instant messaging services are becoming an increasingly popular form of communication, both in the personal and the professional spheres. This paper will describe instant messaging and offer a brief overview of some of the security threats associated with the service.

http://online.securityfocus.com/infocus/1657

2. Intelligence Gathering: Watching a Honeypot at Work
By Toby Miller

The purpose of this article is to share with the security community the data the author collected from his honeypot. This discussion will include the attacker's recon, the attack, the attempted cover-up, and the reason for the attack on the honeypot.

http://online.securityfocus.com/infocus/1656

3. Closing the Floodgates: DDoS Mitigation Techniques
By Matthew Tanase

To be on the receiving end of a distributed denial of service (DDoS) attack is a nightmare scenario for any network administrator, security specialist or access provider. It begins instantly, without warning, and continues relentlessly: machines down, jammed bandwidth, overloaded routers. An effective, immediate response is often difficult and may depend on third parties, such as ISPs. With these challenges in mind, this article will explore some techniques that systems administrators and security professionals can employ should they ever find themselves in this rather undesirable situation.

http://online.securityfocus.com/infocus/1655

4. Strikeback, Part Deux
By Tim Mullen

Why I should have the right to kill a malicious process on your machine.

http://online.securityfocus.com/columnists/134

5. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only global early-warning system for cyber attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

6. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14. Vendor Expo March 10 & 11.

Solutions to today's security concerns; hands-on experts; blockbuster vendor expo; the CISO Executive Summit; invaluable networking opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY

1. OpenTopic Private Message HTML Injection Vulnerability BugTraq ID: 6523
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6523
Summary:

OpenTopic is a commercially available content management system.

An HTML injection vulnerability has been reported for OpenTopic. The vulnerability exists because OpenTopic does not sufficiently sanitize HTML code from private message posts.

An attacker may include arbitrary HTML and script code in private messages and when this information is viewed by other users, the attacker-supplied code will execute in their web client in the security context of the site.

Exploitation may allow for theft of cookie-based authentication credentials or other attacks.

This vulnerability was reported for OpenTopic 2.3.1. It is not known whether other versions are affected.

2. DCP-Portal Remote File Include Vulnerability BugTraq ID: 6525
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6525
Summary:

DCP-Portal is a freely available content management system implemented in PHP. It is available for a variety of platforms including Microsoft Windows and Linux variants.

DCP-Portal is prone to an issue which may allow remote attackers to include arbitrary files located on remote servers. This issue is present in the 'library/editor/editor.php' and 'library/lib.php' scripts included with DCP-Portal.

An attacker may exploit this by supplying a path to a maliciously created file, located on an attacker-controlled host as a value for the '$root' parameter.

If the remote file is a PHP script, this may allow for execution of attacker-supplied PHP code with the privileges of the webserver. Successful exploitation may provide local access to the attacker.

This vulnerability was reported for DCP-Portal 5.0.1. It is not known whether earlier versions are affected.

3. FreeBSD System Call f_count Integer Overflow Vulnerability BugTraq ID: 6524
Remote: No
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6524
Summary:

A vulnerability has been reported in the FreeBSD system. Reportedly, the fpathconf and lseek system calls are affected by vulnerabilities that may lead to a kernel integer overflow condition.

The FreeBSD kernel has an internal reference counter maintained for each file. This counter is incremented whenever additional references to it are created (for example, by using the dup() system call). The counter is then decremented for every close() call. System calls that involve files will issue fhold() and fdrop() calls to increment and decrement this counter.

Reportedly, the fpathconf and lseek system calls do not issue a matching fdrop() call. A local attacker can exploit this by repeatedly invoking these system calls to eventually overflow the file reference counter. An attacker who exploits this vulnerability may cause the system to panic or may obtain root privileges on the vulnerable system.

This vulnerability has been reported to affect RELENG_4 earlier than 20021111 and all FreeBSD RELEASE versions.

4. DCP-Portal Unauthorized Account Access Vulnerability BugTraq ID: 6526
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6526
Summary:

DCP-Portal is a freely available content management system implemented in PHP. It is available for a variety of platforms including Microsoft Windows and Linux variants.

DCP-Portal does not sufficiently sanitize user-supplied input for URI parameters.

An attacker can exploit this vulnerability by supplying appropriate values for the 'dcp5_member_admin' or 'dcp5_member_id' URI parameters. This will allow an attacker to obtain access to user accounts on the vulnerable site hosting DCP-Portal.

This vulnerability was reported for DCP-Portal 5.0.1. It is not known whether earlier versions are affected.

5. H-Sphere Webshell Remote Buffer Overrun Vulnerability BugTraq ID: 6527
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6527
Summary:

H-Sphere is a multiserver web hosting application. H-Sphere ships with WebShell, a component designed to be a file manager for uploading and downloading files via FTP. H-Sphere is available for the Windows, Linux, and Unix operating systems.

A vulnerability has been discovered in H-Sphere Webshell. The problem occurs during the pre-authentication phase. Due to insufficient bounds checking on user-supplied HTTP parameters, it is possible for a remote attacker to cause a buffer to be overrun.

The vulnerability occurs in the CGI::readFile() function and can be triggered by passing the target server an HTTP Content-Type 'boundary' parameter of excessive length.

Successful exploitation of this issue would allow an attacker to overwrite the vulnerable function's instruction pointer. By causing the program to return to attacker-supplied instructions, it may be possible to execute arbitrary code with the privileges of the target process.

It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It is not yet known whether earlier versions are also vulnerable.

6. AN HTTPD HTTP Request Buffer Overflow Vulnerability BugTraq ID: 6528
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6528
Summary:

AN HTTPD is a Japanese language Web server designed for use on Microsoft Windows operating systems.

A buffer overflow vulnerability has been reported for AN HTTPD. The vulnerability exists when AN HTTPD receives overly long HTTP requests.

An attacker can exploit this vulnerability by issuing a long HTTP request, consisting of at least 1024 characters, to any CGI or BAT script on the vulnerable server. When AN HTTPD attempts to process this request, it will crash.

Although unconfirmed, it may be possible to cause the vulnerable web server to execute malicious attacker-supplied code.

This vulnerability was reported for AN HTTPD 1.41e.

7. AN HTTPD Cross Site Scripting Vulnerability BugTraq ID: 6529
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6529
Summary:

AN HTTPD is a Web server designed for use on Microsoft Windows operating systems.

AN HTTPD does not adequately filter HTML code thus making it prone to cross-site scripting attacks. It is possible for a remote attacker to create a malicious link containing script code which will be executed in the browser of a legitimate user. All code will be executed within the context of the website running AN HTTPD.

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software. The attacker may then hijack the session of a legitimate user by using the stolen cookie-based authentication credentials.

This vulnerability was reported for AN HTTPD 1.41e.

8. Longshine Wireless Access Point Devices Information Disclosure Vulnerability BugTraq ID: 6533
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6533
Summary:

Longshine provides several products for networking including external wireless LAN access points. An information disclosure vulnerability has been reported for the Longshine LCS-883R-AC-B WLAN access point.

The Longshine LCS-883R-AC-B device will allow tftp connections without any authentication. An attacker can exploit this vulnerability to connect via tftp to the access point and download the configuration file.

Obtainable files from the tftp service include config.img, mac.dat, and rom.img.

The configuration file contains sensitive information including the administrator password and WEP keys. An attacker who has access to this information may be able to modify existing settings and intercept traffic from the access point.

The D-Link DI-614+ product, reportedly based on the Longshine device, appears to be vulnerable to this issue.

9. Multiple Vendor Network Device Driver Frame Padding Information Disclosure Vulnerability BugTraq ID: 6535
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6535
Summary:

Network device drivers for several vendors have been reported to disclose potentially sensitive information to attackers.

Frames that are smaller than the minimum frame size should have the unused portion of the frame buffer padded with null (or other) bytes. Some device drivers do not do this adequately, leaving the data that was stored in the memory comprising the buffer prior to its use intact. Consequently, this data may be transmitted within frames across ethernet segments. As the ethernet frame buffer is allocated in kernel memory space, sensitive data may be leaked.

An attacker can exploit this vulnerability by sending a simple ICMP packet to a vulnerable machine. A response to such a query will involve a packet that has been padded to a sufficient length. It may be that the information that is padded is of a sensitive nature. An attacker may use the information obtained in this manner to launch other attacks against a vulnerable system.
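As an added illustration (not part of the newsletter or of any vendor's driver code), the following Python check scans captured Ethernet frames for the padding leak described above: a frame shorter than the 60-byte minimum must be padded out by the driver, and a correct driver pads with zeros, so any non-zero bytes beyond the end of the IPv4 datagram indicate stale kernel buffer contents on the wire. The sample frames (a short ICMP echo reply and an ARP frame) are constructed inline.

```python
"""Detect non-zero link-layer padding in short Ethernet frames.

Added example, not from the newsletter. A frame shorter than the Ethernet
minimum (60 bytes before the FCS) must be padded by the driver; a driver
that pads with zeros is fine, one that leaves stale buffer contents in
place leaks kernel memory on the wire. The check compares the IPv4 Total
Length field with the frame length and inspects whatever follows the
datagram. Sample frames are constructed inline.
"""
import struct
from typing import List, Optional, Tuple

ETH_HDR_LEN = 14
MIN_FRAME_LEN = 60            # minimum frame size excluding the 4-byte FCS
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def ip_total_length(frame: bytes) -> Optional[int]:
    """IPv4 Total Length field of the frame's payload, or None if not IPv4."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4 or frame[ETH_HDR_LEN] >> 4 != 4:
        return None
    (total,) = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])
    return total


def padding_bytes(frame: bytes) -> bytes:
    """Bytes following the IPv4 datagram, i.e. the link-layer padding."""
    total = ip_total_length(frame)
    if total is None:
        return b""
    return frame[ETH_HDR_LEN + total:]


def leaks_data(frame: bytes) -> bool:
    """True when the padding carries anything other than zero bytes."""
    return any(padding_bytes(frame))


def scan_frames(frames: List[bytes]) -> List[Tuple[int, bytes]]:
    """Index and leaked padding of every frame whose padding is not all zero."""
    return [(i, padding_bytes(f)) for i, f in enumerate(frames) if leaks_data(f)]


def build_icmp_frame(padding: bytes) -> bytes:
    """Constructed 42-byte ICMP echo reply (Ethernet + IPv4 + ICMP) plus padding."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    # type 0 = echo reply, code 0; checksums are left zero (not verified here)
    icmp = struct.pack("!BBHHH", 0, 0, 0, 0x1234, 1)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(icmp), 0x0001, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + icmp + padding


def build_arp_frame(padding: bytes) -> bytes:
    """Constructed ARP frame: not IPv4, so there is no length field to check against."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      bytes.fromhex("66778899aabb"), bytes([192, 0, 2, 2]),
                      bytes(6), bytes([192, 0, 2, 1]))
    return eth + arp + padding


PAD_LEN = MIN_FRAME_LEN - 42                        # 18 bytes of padding needed
GOOD_FRAME = build_icmp_frame(bytes(PAD_LEN))       # correct driver: zero padding
LEAKY_FRAME = build_icmp_frame(b"Passwd: hunter2" + bytes(3))  # constructed stale buffer contents
ARP_FRAME = build_arp_frame(bytes(PAD_LEN))

if __name__ == "__main__":
    for idx, pad in scan_frames([GOOD_FRAME, LEAKY_FRAME, ARP_FRAME]):
        print(f"frame {idx}: {len(pad)} padding bytes leaked: {pad!r}")
```

On real captures, feed the raw bytes of each frame (without FCS) to scan_frames; only frames whose IPv4 Total Length leaves room for padding can be judged this way, so non-IP frames are skipped rather than reported.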

This vulnerability has been reported to affect the atp.c, axnet_cs.c, xirc2ps_cs.c and the rtl8139.c network device drivers for Linux variant systems. Older NetApp systems using the 'Gigabit Ethernet Controller I' are vulnerable to this issue.

Cisco has stated that the IOS 12.1 and 12.2 trains are not affected.

10. IPFilter TCP ACK/Bad Checksum Packet Denial Of Service Vulnerability BugTraq ID: 6534
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6534
Summary:

IPFilter is a packet filtering implementation that is in wide use on a variety of Unix systems.

IPFilter is prone to a denial of service when handling specially crafted packets.

Normally when IPFilter handles a TCP ACK packet (without a previous SYN packet to initiate the session), it will mark the session as "TCPS_ESTABLISHED" in the state table. The system will respond with a RST packet and IPFilter will set the timeout for the session in the state table to one minute.

However, when IPFilter handles this type of TCP ACK packet with a bad checksum, it will add an "ESTABLISHED" session to its state table, which will time out in 120 hours.

If numerous packets of this nature are sent, this may cause a denial of service as the state table will be filled with these sessions.

This issue is known to occur when "keep state" rules are used without "flags S". The vendor advises users against employing this configuration. It is possible to trigger this condition with other packet sequences.

11. Microsoft Windows Fontview Denial of Service Vulnerability BugTraq ID: 6536
Remote: No
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6536
Summary:

Microsoft Windows uses fontview.exe as the default font viewer.

Windows is vulnerable to a denial of service condition when certain malformed OpenType font files (.otf) are viewed with the default font viewer. Attempting to view the font file causes a page fault, resulting in the system Blue Screening and rebooting.

Since this issue results in an invalid memory reference by the kernel, there is a possibility that it may be exploitable to cause code execution, however, this has not been confirmed.

The exact cause of this issue is not currently known, however, this record will be updated if and when more details become available.

This vulnerability is reported to affect Windows 2000 and XP, but other versions may also be affected.

12. H-Sphere Webshell flist() Buffer Overflow Vulnerability BugTraq ID: 6538
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6538
Summary:

H-Sphere is a multiserver web hosting application. H-Sphere ships with WebShell, a component designed to be a file manager for uploading and downloading files via FTP. H-Sphere is available for the Windows, Linux, and Unix operating systems.

A remotely exploitable vulnerability has been discovered in H-Sphere. The problem occurs in the flist() function used by the WebShell component. By making a request for a directory name of excessive length, it may be possible to overrun a buffer.

By exploiting this issue to overwrite sensitive locations in memory a remote attacker would be able to control the program and possibly execute arbitrary instructions.

13. S-PLUS For Unix Insecure Temporary File Vulnerabilities BugTraq ID: 6530
Remote: No
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6530
Summary:

S-PLUS for Unix is statistical analysis software.

S-PLUS for Unix is prone to a number of insecure temporary file creation vulnerabilities. These issues exist in the S-PLUS Spqe binary and in various shell scripts.

S-PLUS creates temporary files using predictable names, which are derived from the process ID (PID). Additionally, when these files are created, symbolic links will be followed. If the attacker can anticipate the names of these temporary files, it is possible to launch symbolic link attacks which may result in file corruption. The attacker must simply create a symbolic link in place of one of the temporary files, and the symbolic link must point to another file that is writeable by the user executing one of the vulnerable S-PLUS utilities.

S-PLUS for Unix is prone to multiple instances of this vulnerability.

14. H-Sphere Webshell diskusage.cc Buffer Overflow Vulnerability BugTraq ID: 6540
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6540
Summary:

H-Sphere is a multiserver web hosting application. H-Sphere ships with WebShell, a component designed to be a file manager for uploading and downloading files via FTP. H-Sphere is available for the Windows, Linux, and Unix operating systems.

A vulnerability has been discovered in H-Sphere Webshell. The problem occurs due to insufficient bounds checking on user-supplied values.

The vulnerability occurs in the diskusage.cc file and can be triggered by passing the target server a value of excessive length, greater than 1024 characters, for the 'path' variable.

Successful exploitation of this issue may allow an attacker to overwrite the vulnerable function's instruction pointer. By causing the program to return to attacker-supplied instructions, it may be possible to execute arbitrary code with the privileges of the target process.

It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It is not yet known whether earlier versions are also vulnerable.

15. H-Sphere Webshell Command.C Mode URI Parameter Command Execution Vulnerability BugTraq ID: 6537
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6537
Summary:

H-Sphere is a multiserver web hosting application. H-Sphere ships with WebShell, a component designed to be a file manager for uploading and downloading files via FTP. H-Sphere is available for the Windows, Linux, and Unix operating systems.

The H-Sphere Webshell component is prone to a remote command execution vulnerability.

This issue exists in the 'command.C' source file and is due to insufficient validation of input supplied via the 'mode' URI parameter. It is possible for a remote attacker to supply shell commands via this URI parameter, which will be executed with the privileges of Webshell.

Exploitation of this vulnerability will allow the attacker to gain interactive and possibly privileged access to the underlying host.

It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It is not yet known whether earlier versions are also vulnerable.

16. H-Sphere Webshell Command2.CC Zipfile URI Parameter Command Execution Vulnerability BugTraq ID: 6539
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6539
Summary:

H-Sphere is a multiserver web hosting application. H-Sphere ships with WebShell, a component designed to be a file manager for uploading and downloading files via FTP. H-Sphere is available for the Windows, Linux, and Unix operating systems.

The H-Sphere Webshell component is prone to a remote command execution vulnerability.

This issue exists in the 'command2.CC' source file and is due to insufficient validation of input supplied via the 'zipfile' URI parameter. It is possible for a remote attacker to supply shell commands via this URI parameter, which will be executed with the privileges of Webshell.

Exploitation of this vulnerability will allow the attacker to gain interactive and possibly privileged access to the underlying host.

It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It is not yet known whether earlier versions are also vulnerable.

17. myPHPNuke Information Disclosure Vulnerability BugTraq ID: 6541
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6541
Summary:

myPHPNuke is a Web Portal System based on PHP-Nuke 4.4.1a. It is available for the Linux and Microsoft Windows operating systems.

An information disclosure vulnerability has been reported for myPHPNuke. The vulnerability exists due to insufficient checks performed in the system_footer.php script file. Specifically, the system_footer.php script, found in the 'admin/' subdirectory, calls the phpinfo() function without checking who the user is.

An attacker can exploit this vulnerability by making a request for the system_footer.php script. The system will respond by disclosing information to a remote attacker.

Information obtained in this manner may be used by an attacker to launch attacks against a vulnerable system.

18. myPHPNuke Default_Theme Cross Site Scripting Vulnerability BugTraq ID: 6544
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6544
Summary:

myPHPNuke is a Web Portal System based on PHP-Nuke 4.4.1a. It is available for the Linux and Microsoft Windows operating systems.

Reportedly, myPHPNuke does not adequately filter HTML code thus making it prone to cross-site scripting attacks. It is possible for a remote attacker to create a malicious link containing script code which will be executed in the browser of a legitimate user. All code will be executed within the context of the website running myPHPNuke.

The vulnerability exists in the chatheader.php and partner.php script files included with myPHPNuke. Specifically, malicious HTML code is not properly sanitized from the value for the 'Default_Theme' URI parameter.

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software. The attacker may then hijack the session of a legitimate user by using the stolen cookie-based authentication credentials.

This vulnerability was reported for myPHPNuke 1.8.8_final_7 and earlier.

19. KaZaA Advertisement Local Zone Vulnerability BugTraq ID: 6543
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6543
Summary:

KaZaA Media Desktop is a peer to peer file sharing utility, available for Microsoft Windows based systems. A potential remote command execution vulnerability has been reported in some versions of KaZaA Media Desktop.

By default all Internet content such as websites and advertisements is run within the 'Internet Zone'. Local content is run within the 'Local Zone', which has fewer restrictions than the Internet Zone.

It has been reported that KaZaA advertisement content is rendered in the system's Local Zone. This presents a security risk as it is possible for the content to execute arbitrary commands on the local system. This issue may also be exploited to disclose the contents of system files.

20. CommuniGate Pro Webmail File Disclosure Vulnerability BugTraq ID: 6542
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6542
Summary:

CommuniGate Pro is an internet messaging server. CommuniGate Pro includes a webmail service to allow access to mailboxes via HTTP. It is available for a number of platforms including Unix and Linux variants and Microsoft Windows operating systems.

A file disclosure vulnerability has been reported in the CommuniGate Pro webmail component.

A specially crafted web request containing dot-dot-slash (../) directory traversal sequences may break out of the document root and disclose arbitrary web server readable files that exist on the underlying host.

Exploitation of this vulnerability may lead to disclosure of sensitive information that may be useful in mounting further attacks on the host system. The impact of this vulnerability is compounded by the fact that CommuniGate Pro runs as root by default, though may be configured to drop privileges. This issue was reported for CommuniGate Pro on FreeBSD. It is likely that the software is affected on other platforms as well.

21. S8Forum Remote Command Execution Vulnerability BugTraq ID: 6547
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6547
Summary:

S8Forum is web forum software. It employs a local flat-file database for storing user information. It is available for Unix and Linux variants as well as Microsoft Windows operating systems.

S8Forum is prone to a remote command execution vulnerability.

When a user registers with the forum, a file is created locally with the specified username. The contents of this file will be the data entered by the user. As a result, a malicious user could create a file with an arbitrary name and PHP (.php) extension that contains valid PHP code. The attacker may then cause this file to be executed by requesting it via HTTP. This may result in execution of arbitrary commands with the privileges of the webserver process. An attacker may exploit this condition to gain local, interactive access to the system hosting the vulnerable software.

22. Active PHP Bookmarks Multiple File Include Vulnerabilities BugTraq ID: 6545
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6545
Summary:

Active PHP Bookmarks (APB) is a web-based application for managing a collection of bookmarks. APB is available for Unix and Linux variants as well as Microsoft Windows operating systems.

APB is prone to multiple issues which may allow a remote attacker to cause a malicious external file to be included and interpreted.

Attackers may influence include paths for a number of APB scripts. By specifying a path to a resource (such as a malicious PHP script) on a remote attacker-controlled server, it is possible to cause arbitrary commands to be executed with the privileges of the webserver process.

This issue is known to exist in the following scripts:

head.php
apb_common.php
apb_view_class.php

23. Active PHP Bookmarks Arbitrary Bookmark Addition Vulnerability BugTraq ID: 6546
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6546
Summary:

Active PHP Bookmarks (APB) is prone to a vulnerability which may allow a remote attacker to add bookmarks arbitrarily.

The user ID is stored in a hidden form field of the add_bookmark form. An attacker may submit this form with an arbitrary value in the appropriate form field. For example, the attacker may edit a local copy of the form and then submit it with an arbitrary user ID. This will permit the remote attacker to add bookmarks for any user.

24. HTTP Fetcher Library Multiple Buffer Overflow Vulnerabilities BugTraq ID: 6531
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6531
Summary:

HTTP Fetcher is a small library used for downloading files via HTTP using the GET method. It is available for various platforms including the Linux and Unix operating systems.

Multiple buffer overflows have been discovered in HTTP Fetcher. The vulnerabilities occur in the http_fetch() function, which is used to gather various HTTP header information. These buffer overflows occur due to insufficient bounds checking of user-supplied parameters.

It is possible to trigger these conditions by supplying excessive data as the 'host', 'referer', or 'userAgent' parameters. By exploiting one of these issues to overrun 'requestBuf', it may be possible for a remote attacker to overwrite sensitive memory.

Successful exploitation of one of these vulnerabilities may allow an attacker to seize control of an application linked to the library. By overwriting the function's instruction pointer it may be possible to execute arbitrary commands.

This issue is likely to be exploitable only where the client application is accessible remotely through a proxy server, for instance a server that allows a client to make GET requests to other servers.
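As an added illustration (not HTTP Fetcher's own code), the pattern behind this class of overflow, an unbounded sprintf() of caller-supplied host, referer and userAgent values into a fixed-size request buffer, beside a bounded replacement that refuses oversized input; the buffer size and the function and parameter names are assumptions.

```c
/* Added example, not HTTP Fetcher's own code. The buffer size and the
 * function/parameter names are assumptions chosen for illustration. */
#include <stdio.h>
#include <string.h>

#define REQUEST_BUF_SIZE 512   /* constructed size for the example */

/* Vulnerable pattern: sprintf() writes as much as the inputs demand, so an
 * oversized host, referer or userAgent value overruns requestBuf. */
void build_request_unsafe(char *requestBuf, const char *host,
                          const char *path, const char *referer,
                          const char *userAgent)
{
    sprintf(requestBuf,
            "GET %s HTTP/1.0\r\nHost: %s\r\nReferer: %s\r\n"
            "User-Agent: %s\r\n\r\n",
            path, host, referer, userAgent);
}

/* Hardened: snprintf() never writes past bufSize, and its return value is
 * checked so a request that would have overflowed is refused rather than
 * silently truncated. Returns the request length, or -1 if it did not fit. */
int build_request_safe(char *requestBuf, size_t bufSize, const char *host,
                       const char *path, const char *referer,
                       const char *userAgent)
{
    int n = snprintf(requestBuf, bufSize,
                     "GET %s HTTP/1.0\r\nHost: %s\r\nReferer: %s\r\n"
                     "User-Agent: %s\r\n\r\n",
                     path, host, referer, userAgent);
    if (n < 0 || (size_t)n >= bufSize) {
        if (bufSize > 0)
            requestBuf[0] = '\0';   /* never hand back a partial request */
        return -1;
    }
    return n;
}
```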

25. GeneWeb File Disclosure Vulnerability BugTraq ID: 6549
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6549
Summary:

GeneWeb is Web based genealogy software. It is available for a variety of platforms including Linux variant operating systems.

A file disclosure vulnerability has been reported for GeneWeb. Reportedly, GeneWeb does not adequately sanitize some input.

An attacker can exploit this vulnerability to craft a specially formed URL that can cause geneweb to disclose the contents of arbitrary files on the vulnerable system.

Although unconfirmed, it is likely that an attacker can construct a URL consisting of dot-dot-slash (../) character sequences to obtain access to files outside of the document root. It should be noted that only files accessible by the geneweb server will be disclosed to the attacker.

Exploitation of this vulnerability may lead to disclosure of sensitive information that may be useful in mounting further attacks on the host system.

This vulnerability affects GeneWeb versions 4.0.8 and earlier.

26. cgihtml Signed Integer Content-Length Memory Corruption Vulnerability BugTraq ID: 6551
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6551
Summary:

cgihtml is a series of CGI and HTML routines, implemented in C. It can be run on a number of platforms, including Unix and Linux variants and Microsoft Windows.

A vulnerability has been discovered in cgihtml which may result in memory corruption. The problem occurs when reading a user-supplied Content-Length value for POST data.

An attacker is able to create a situation where memory may be overwritten by passing a negative length as the Content-Length value in a POST request. By passing excessive POST data it is possible for the attacker to overrun the allocated buffer, effectively overwriting heap memory. This may cause the affected program to crash.

Although not yet confirmed, it may be possible to exploit this vulnerability to execute arbitrary code. Placing a malicious malloc header in heap memory may potentially allow an attacker to overwrite a GOT address to point to shellcode.
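An added example, not cgihtml's code, of the defect class just described and its fix: a Content-Length parsed into a signed int drives both the allocation and the read, so a negative value yields a tiny heap block and a huge read count; the hardened parser rejects negatives, trailing garbage and values above a cap. The cap value and the function names are assumptions.

```c
/* Added example, not cgihtml's own code. The cap and the function names are
 * assumptions chosen for illustration. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_POST_LEN (1024L * 1024L)   /* constructed cap for the example */

/* Vulnerable pattern: `int len = atoi(contentLength); buf = malloc(len + 1);
 * fread(buf, 1, len, stdin);` A negative len becomes a tiny allocation
 * (e.g. -1 + 1 == 0) while the same value, converted to size_t for fread,
 * becomes a huge byte count, so the POST body overruns the heap block. */

/* Hardened: parse with strtol(), then reject negatives, trailing garbage,
 * out-of-range values and anything above a sane cap. Returns the length,
 * or -1 on any invalid input. */
long parse_content_length(const char *contentLength)
{
    char *end;
    long len;

    if (contentLength == NULL || *contentLength == '\0')
        return -1;
    errno = 0;
    len = strtol(contentLength, &end, 10);
    if (errno != 0 || end == contentLength || *end != '\0')
        return -1;
    if (len < 0 || len > MAX_POST_LEN)
        return -1;
    return len;
}

/* Reads at most the validated number of bytes; fread() can return fewer but
 * never more, so the terminator is placed after the bytes actually read. */
char *read_post_safe(FILE *in, const char *contentLength)
{
    long len = parse_content_length(contentLength);
    char *buf;
    size_t got;

    if (len < 0)
        return NULL;
    buf = malloc((size_t)len + 1);
    if (buf == NULL)
        return NULL;
    got = fread(buf, 1, (size_t)len, in);
    buf[got] = '\0';
    return buf;
}
```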

27. cgihtml Denial Of Service Vulnerability BugTraq ID: 6555
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6555
Summary:

cgihtml is a series of CGI and HTML routines, implemented in C. It can be run on a number of platforms, including Unix and Linux variants and Microsoft Windows.

A vulnerability has been discovered in cgihtml when processing Multipart HTTP headers. It has been reported that, when processing a multipart header, cgihtml fails to sufficiently verify the sanity of the header structure. This may result in an affected application reading invalid values supplied 38 bytes within a malicious header.

If this situation were to occur it may be possible for the attacker to cause the application to crash. Although it has not yet been confirmed, it is speculated that cgihtml contains other vulnerabilities similar to this issue.

28. CGIHTML Form Data File Corruption Vulnerability BugTraq ID: 6550
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6550
Summary:

cgihtml is a series of CGI and HTML routines, implemented in C. It can be run on a number of platforms, including Unix and Linux variants and Microsoft Windows.

When handling uploaded form-data, cgihtml creates a temporary file to store this data in /tmp or another user-specified directory. The software uses the client-supplied filename when creating the temporary file. If the attacker supplies a malicious filename, such as one prepended with dot-dot-slash (../) directory traversal sequences, it may be possible to corrupt files outside of the specified temporary directory.

The cause of this issue is trust in user-supplied input. The routines use a client-supplied filename when creating the temporary file, and do not sufficiently validate that the filename is free of directory traversal sequences or that it does not conflict with existing system files.

For this attack to be successful, the targeted files must be writeable by a server process that utilizes the vulnerable cgihtml routines.

29. CGIHTML Insecure Form-Data Temporary File Vulnerability BugTraq ID: 6552
Remote: No
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6552
Summary:

cgihtml is a series of CGI and HTML routines, implemented in C. It can be run on a number of platforms, including Unix and Linux variants and Microsoft Windows.

When handling uploaded form-data, cgihtml creates a temporary file to store this data in /tmp or another user-specified directory. A client supplied filename is used when the temporary file is created. This presents a security vulnerability since the name of the temporary file can be anticipated by the attacker.

A local attacker may take advantage of this condition to create a symbolic link in place of the temporary file, which points to another file on the system which is writeable by a server process which utilizes the vulnerable routines. The vulnerable routines will follow any symbolic links provided in place of a temporary file. The attacker may then submit a malicious form-data upload, using the attacker-supplied filename, and cause local files to be corrupted.

If custom data can be written to files, it is possible to gain elevated privileges.
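One added example, not cgihtml's code, covering both entries 28 and 29 above: the client-supplied name is reduced to a plain basename (no directory components, no leading dot), and the file is created through mkstemp(), whose exclusive create refuses a pre-placed symbolic link and makes the name unpredictable. The function names and the upload name pattern are assumptions.

```c
/* Added example, not cgihtml's own code. Function names and the upload
 * name pattern are assumptions chosen for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 if 'name' is a plain file name: non-empty, short, no '/' or
 * '\\', no leading '.', only [A-Za-z0-9._-]. Anything else, including
 * "../../etc/passwd" and "..", is rejected. */
int safe_basename(const char *name)
{
    size_t i, n;

    if (name == NULL || (n = strlen(name)) == 0 || n > 64 || name[0] == '.')
        return 0;
    for (i = 0; i < n; i++) {
        char c = name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

/* Creates the upload file as "<tmpdir>/<clientName>.XXXXXX" via mkstemp(),
 * which opens with O_CREAT|O_EXCL: a symlink pre-placed at a guessed name
 * cannot be followed, and the random suffix makes guessing moot. The
 * client name is only used after safe_basename() confines it to tmpdir.
 * Returns an open descriptor and fills pathOut, or returns -1. */
int open_upload_tmp(const char *tmpdir, const char *clientName,
                    char *pathOut, size_t pathSize)
{
    int n;

    if (!safe_basename(clientName))
        return -1;
    n = snprintf(pathOut, pathSize, "%s/%s.XXXXXX", tmpdir, clientName);
    if (n < 0 || (size_t)n >= pathSize)
        return -1;
    return mkstemp(pathOut);
}
```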

30. TANne Session Manager SysLog Format String Vulnerability BugTraq ID: 6553
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6553
Summary:

TANne is a freely available, open source session management package. It is available for Unix and Linux operating systems.

A problem with TANne may make it possible to execute arbitrary code.

Due to a programming error, it may be possible to exploit a format string vulnerability. A logging function in the TANne program contains insecure syslog() calls. This could result in the execution of attacker-supplied code.

The problem is in two syslog() calls in the netzio.c source file. When the program is invoked using the vulnerable function, it may be possible to exploit the format string vulnerability by generating a malicious log event that contains attacker-supplied format strings. If this vulnerability is exploited, an attacker could cause arbitrary locations in memory to be corrupted with attacker-specified data and execute code with the privileges of the TANne user.

31. A.ShopKart Multiple SQL Injection Vulnerabilities BugTraq ID: 6558
Remote: Yes
Date Published: Jan 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6558
Summary:

a.shopKart is a freely available shopping cart system. It is implemented in ASP and is available for Microsoft Windows operating systems.

a.shopKart is prone to multiple SQL injection vulnerabilities.

Due to insufficient sanitization of user-supplied input passed to SQL queries, it may be possible to manipulate the logic of SQL queries. Depending on the nature of the individual queries and the underlying database implementation, it may be possible to cause database corruption or disclose sensitive information from within the database.

Multiple instances of these vulnerabilities exist in the following scripts:

addcustomer.asp
addprod.asp
process.asp

It was reported that the "zip", "state", "country", "phone" and "fax" fields in the 'addcustomer.asp' script may allow for SQL injection. Further details about the other vulnerable scripts were not provided.

SQL injection attacks may also potentially be used to exploit latent vulnerabilities in the underlying database implementation.

32. Horde IMP Database Files SQL Injection Vulnerabilities BugTraq ID: 6559
Remote: Yes
Date Published: Jan 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6559
Summary:

IMP is a web-based mail interface/client developed by members of the Horde project. It is implemented in PHP and runs on a number of operating systems, including Unix and Linux variants and Microsoft Windows operating systems.

It has been reported that IMP is prone to multiple SQL injection vulnerabilities.

IMP, in some cases, does not sufficiently sanitize user-supplied input which is used when constructing SQL queries to execute on the underlying database. As a result, it is possible to manipulate SQL queries. This may allow a remote attacker to modify query logic or potentially corrupt the database. Consequences will vary depending on the queries used and the capabilities of the underlying database implementation.

These issues occur throughout the database command files for the different database implementations, for example 'lib/db.pgsql'. These files contain the syntax used to construct queries for the respective database implementations.

SQL injection attacks may also potentially be used to exploit latent vulnerabilities in the underlying database implementation.

33. AJ's Internet Cafe World-Writeable Files Vulnerability BugTraq ID: 6560
Remote: No
Date Published: Jan 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6560
Summary:

AJ's Internet Cafe is a freely available internet cafe software package for use with the Linux Thin Client Project software.

A problem with AJ's Internet Cafe may allow unauthorized write access to files.

It has been reported that AJ's Internet Cafe installs with insecure permissions. By default, many files installed with the package are world-writeable. This may allow users to modify the contents to gain free time on the host, or perform other malicious activities.
