SecurityFocus Newsletter #182

From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon Feb 03 2003 - 15:15:09 EST

This Issue is Sponsored by: GuardedNet - Transforming Security Data into Knowledge

Event Correlation - Is it Security's Holy Grail?

neuSECURE is a centralized monitoring system that correlates and analyzes event data from firewalls, IDSs, hosts and routers for real-time attack detection and response. It's proven to improve attack detection and reduce the time you spend investigating attacks.

Sign up to receive our White Paper about neuSECURE's correlation capabilities entitled "Event Correlation: Security's Holy Grail?" at http://www.guarded.net/sfocusfebruary_correlation.html


I. FRONT AND CENTER

  1. Forensics on the Windows Platform, Part 1
  2. The Busy Life of a Welsh Virus-Writer
  3. New Book: Hacker's Challenge 2 Test Your Network Security...
  4. SecurityFocus DPP Program
  5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

II. BUGTRAQ SUMMARY

  1. GNU Mailman 'email' Cross Site Scripting Vulnerability
  2. GNU Mailman Error Page Cross Site Scripting Vulnerability
  3. SpamAssassin BSMTP Mode Buffer Overflow Vulnerability
  4. Sun Java Virtual Machine Illegal Access To Object Methods...
  5. SyGate Insecure UDP Source Port Firewall Bypass Weak Default...
  6. FTLS GuestBook Script Injection Vulnerability
  7. Blackboard Learning System search.pl SQL Injection Variant...
  8. List Site Pro User Database Delimiter Injection Vulnerability
  9. Hypermail Message Attachment Buffer Overflow Vulnerability
  10. Hypermail CGI Mail Reverse DNS Lookup Buffer Overflow...
  11. PlatinumFTPServer File Disclosure Vulnerability
  12. Sun Solaris AT Command Arbitrary File Deletion Vulnerability
  13. Sun Solaris AT Command Race Condition Vulnerability
  14. Noffle Remote Memory Corruption Vulnerability
  15. Nuked-Klan Guestbook HTML Injection Vulnerability
  16. Nuked-Klan Forum Module HTML Injection Vulnerability
  17. Nuked-Klan Shoutbox HTML Injection Vulnerability
  18. Finjan SurfinGate Active Content Filter Bypass Vulnerability
  19. Finjan SurfinGate Java Applet Analyzer Bypass Vulnerability
  20. Finjan SurfinGate File Extension File Filter Circumvention...
  21. Finjan SurfinGate Compressed Archive File Filter Circumvention...
  22. Finjan SurfinGate Unknown File Extension File Filter...
  23. Replicom ProxyView Default Password Vulnerability
  24. Solaris in.ftpd Remote Denial of Service Vulnerability
  25. MIT Kerberos Remote Heap Corruption Vulnerability
  26. MIT Kerberos Key Distribution Center Remote Format String...
  27. MIT Kerberos / Key Distribution Center Shared Key User...
  28. DotProject Remote File Include Vulnerability
  29. PLP Tools plpnfsd Syslog Format String Vulnerability

III. SECURITYFOCUS NEWS ARTICLES

  1. E-Voting security debate comes home
  2. 'Secure by design', claims MS op-ed ad
  3. Canada's biggest Identity theft?
  4. '$1m hacking challenge' product is flawed

IV. SECURITYFOCUS TOP 6 TOOLS

  1. coridoras v0.0.17
  2. fwtrends v0.1
  3. TinyMonitor v0.9b
  4. GNU SASL v0.0.5
  5. J2SSH v0.0.4
  6. Darik's Boot and Nuke v2003013000

V. SECURITYJOBS LIST SUMMARY

  1. LOOKING FOR INFOSEC POSITION WASH DC AREA (Thread)
  2. Network Security Analyst opportunity for CLEARED individual at...
  3. Sr. InfoSec Opportunity for Cleared individual in Reston...
  4. NY/NJ - Security professional looking for a new opportunity...
  5. Seeking Employment (Thread)
  6. What is a good way to find CSO jobs? (Thread)
  7. WILL WORK FOR FOOD (Thread)
  8. SEEKING: Network Security position (Thread)
  9. IL Security Analyst (Thread)
  10. Looking for Work... (Thread)
  11. Senior Network Security Analysts Needed (Thread)
  12. Senior IDS Engineers (Thread)
  13. Network Security Engineer (Thread)
  14. Seeking employment - 20 years information security exp. (Thread)
  15. IL Unix Security Specialist (Thread)
  16. IT Director needed in San Francisco Bay Area (Thread)
  17. SEEKING: InfoSec or Network Security Position in CA. (Thread)
  18. SEEKING: InfoSec or Network Security Position (Thread)
  19. Security Sales Position in Maryland (Thread)
  20. Internship (Thread)
  21. Seeking: Network Security Engineer - Herndon, VA - USA...
  22. Common Criteria Security Engineer position in VA (Thread)
  23. POSITION: Security Specialist - CA (Thread)
  24. POSITION: Information Security Consultant - CA (Thread)
  25. Sales Support / Tactical Marketing Position (Boston, MA) (Thread)
  26. Inside Sales Position (Boston, MA) (Thread)
  27. Seeking Entry Level Security Position (fwd) (Thread)

VI. INCIDENTS LIST SUMMARY

  1. Packet from port 80 with spoofed microsoft.com ip (Thread)
  2. Packets from 255.255.255.255(80) (was: Packet from port 80 with...
  3. Firewall logging port 6346 (Thread)
  4. HTML email bug [was: (Fwd) hi] (Thread)
  5. MSDE contained in... (Thread)
  6. MSDE contained in... (MS Office ? really ?) (Thread)
  7. Variant or original posting to packetstormsecurity - long (Thread)
  8. Scan UDP port 135 (Thread)
  9. Incidents Mailing List Administrivia (Thread)
  10. Take note of products that don't "advertise" they have...
  11. SQL Sapphire Worm Analysis (Thread)
  12. SNMP Weirdness (Thread)
  13. wierd: udp port 0 traffic (Thread)
  14. MS SQL server worm logs question (Thread)
  15. graphical stats of new SQL worm (Thread)
  16. internet status (Thread)
  17. strange attacks - flood udp packets from 1030 to msql (Thread)
  18. Paypal.com hosting IRC server, possible hack? (Thread)
  19. New spam-probing wave? (Thread)
  20. Increased activity on UDP/1434 (Thread)
  21. Microsoft SQL Server 2000 worm - port 1434 (Thread)
  22. strange traffic (Thread)
  23. udp/1434 (Thread)
  24. MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434! (Thread)
  25. New MS SQL Server Worm (Thread)
  26. Is anyone else seeing a real heavy incrase in TCP/1434? (Thread)
  27. New Web Hack? (Thread)
  28. Hacked web server (Thread)
  29. SGI.com hosts HACKED and being abused by scriptkiddies on IRC...

VII. VULN-DEV RESEARCH LIST SUMMARY

  1. re: slocate vulnerability (Thread)
  2. Black Hat Announcements (Thread)
  3. format strings vulns in /bin/login and /usr/bin/passwd (Thread)
  4. SQL Sapphire Worm Analysis (Thread)
  5. Administrivia: New Moderators (Thread)
  6. What to do with a vulerability? (Thread)

VIII. MICROSOFT FOCUS LIST SUMMARY

  1. uh, oh (was:Re: w2k server compromised) (Thread)
  2. Problems with Pwdump3e (Thread)
  3. Win2k log management (Thread)
  4. Bypass Traverse Checking? (Thread)
  5. IIS 5.0 and Digest Authentication (Thread)
  6. Securing IIS/5 with ASP (Thread)
  7. At.exe Service Account - scripted or registry? (Thread)
  8. Administrivia (Thread)
  9. SecurityFocus Microsoft Newsletter #122 (Thread)
  10. SQL Sapphire Worm Analysis (Thread)
  11. w2k server compromised (Thread)
  12. Attacking EFS through cached domain logon credentials (Thread)
  13. AD replication over WAN (Thread)
  14. Stopping Admin Alert SPAM (Thread)
  15. Fw: Bypass Traverse Checking? (Thread)

IX. SUN FOCUS LIST SUMMARY

  1. LDAP replacing NIS...? (Thread)
  2. Setting TOS bit in related packets (Thread)
  3. Administrivia: Please trim replies (Thread)
  4. [focus-sun] LDAP replacing NIS...? (Thread)

X. LINUX FOCUS LIST SUMMARY

  1. NIS with local root (Thread)
  2. Secure Web-Based Administration (Thread)
  3. Administrivia: Trimming replies (Thread)

XI. SPONSOR INFORMATION

I. FRONT AND CENTER

1. Forensics on the Windows Platform, Part 1 By Jamie Morris

This article, the first in a two-part series about forensics on the Windows platform, will examine the preparatory steps that can be taken by both investigators and system administrators alike. While this series is concerned with Windows-specific investigations, this article will examine some basic, non-technical concepts that are applicable to all forensic investigations.

http://online.securityfocus.com/infocus/1661

2. The Busy Life of a Welsh Virus-Writer By George Smith

The prison-bound author of the Gokar virus loves shoes, pole dancers and personal self-disclosure. His blog tells all.

http://online.securityfocus.com/columnists/138

3. New Book: Hacker's Challenge 2 Test Your Network Security & Forensic Skills

Do you have what it takes to keep the bad guys out of your network? Find out with the latest edition of this best-selling book featuring 20+ all new hacking challenges for you to solve. Plus, you'll get in-depth solutions for each, all written by experienced security consultants.

For more information visit:
http://shop.osborne.com/cgi-bin/osborne/0072226307.html

4. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only global early-warning system for cyber attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14; Vendor Expo March 10 & 11

Solutions to today's security concerns; hands-on experts; blockbuster vendor expo; the CISO Executive Summit; invaluable networking opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY


1. GNU Mailman 'email' Cross Site Scripting Vulnerability BugTraq ID: 6677
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6677
Summary:

Mailman is software to help manage email discussion lists, much like Majordomo and SmartList. It is written and maintained by the GNU Project and is available for the Linux and Unix operating systems.

A cross site scripting vulnerability has been discovered in GNU Mailman. The issue occurs due to insufficient sanitization of URI parameters. Specifically, the 'email' URI parameter is not correctly filtered for embedded HTML or script code.

As a result, attackers may embed malicious script code or HTML into a link to a site running the vulnerable software. When this link is followed by a web user, the attacker-supplied code will be interpreted in their web browser in the security context of the site hosting the software.

It may be possible to steal the unsuspecting user's cookie-based authentication credentials, as well as other sensitive information. Other attacks are also possible.

2. GNU Mailman Error Page Cross Site Scripting Vulnerability BugTraq ID: 6678
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6678
Summary:

Mailman is software to help manage email discussion lists, much like Majordomo and SmartList. It is written and maintained by the GNU Project and is available for the Linux and Unix operating systems.

A cross site scripting vulnerability has been discovered in GNU Mailman. The issue occurs due to insufficient sanitization of URI parameters. Specifically, the 'language' variable is not sufficiently sanitized before being included in error pages.

As a result, attackers may embed malicious script code or HTML into a link to a site running the vulnerable software. When this link is followed by a web user, the attacker-supplied code will be interpreted in their web browser in the security context of the site hosting the software.

It may be possible to steal the unsuspecting user's cookie-based authentication credentials, as well as other sensitive information. Other attacks are also possible.

It has been reported that GNU Mailman 2.0.11 is not affected by this issue.

3. SpamAssassin BSMTP Mode Buffer Overflow Vulnerability BugTraq ID: 6679
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6679
Summary:

SpamAssassin is a mail filter to identify and process spam. It is available for Linux and Unix variant operating systems.

A buffer overflow vulnerability has been reported for SpamAssassin. The vulnerability exists when SpamAssassin has been configured for use with BSMTP (Batch Simple Mail Transfer Protocol) processing.

SpamAssassin uses the program spamc to process mail. 'spamc' is the client program that feeds data to the spamd service that processes email. BSMTP processing is enabled by executing spamc with the '-B' option.

The vulnerability occurs when SpamAssassin is escaping '.' characters when processing email headers. Due to insufficient bounds checking performed by the filter, it is possible for a remote attacker to trigger the buffer overflow condition.

An attacker can exploit this vulnerability by composing a malicious email with specific headers. This will cause the buffer overflow condition in the program, spamc. This may result in malicious attacker-supplied code being executed with the privileges of the spamc process.

It should be noted that this issue allows an attacker to write the value of the '.' character to the LSB of the value stored above the affected buffer. Under some circumstances this may be the function's saved frame pointer but the exploitability of this issue is highly volatile.

This vulnerability was reported to affect SpamAssassin 2.40 to 2.43.

4. Sun Java Virtual Machine Illegal Access To Object Methods Vulnerability BugTraq ID: 6681
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6681
Summary:

A vulnerability has been reported in the Sun Java Virtual Machine that may allow illegal access to protected fields or methods of an object.

Precise technical details of this vulnerability are not currently known however this vulnerability may have security implications. It may be possible to exploit this vulnerability to gain read/write access to system files despite the security constraints placed on the Applet sandbox. The ability to access protected values may also be leveraged to launch other attacks.

It may be possible to execute commands on target systems if this vulnerability is exploited in conjunction with others.

5. SyGate Insecure UDP Source Port Firewall Bypass Weak Default Configuration Vulnerability BugTraq ID: 6684
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6684
Summary:

Sygate Pro is a personal firewall application for the Microsoft Windows operating system.

It has been reported that the Sygate Pro firewall permits traffic originating from UDP source port 137 or 138 by default. UDP packets originating from either of these source ports will bypass the firewall. Remote attackers may potentially exploit this vulnerability to get malicious network traffic past the firewall.

6. FTLS GuestBook Script Injection Vulnerability BugTraq ID: 6686
Remote: Yes
Date Published: Jan 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6686
Summary:

FTLS Guestbook is freely available guestbook software. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

FTLS Guestbook does not adequately filter HTML tags from various fields. This may enable an attacker to inject arbitrary script code into pages that are generated by the guestbook.

The attacker's script code may be executed in the web client of arbitrary users who view the pages generated by the guestbook, in the security context of the website running the software.

Attackers may potentially exploit this issue to hijack web content or to steal cookie-based authentication credentials.

This vulnerability was reported for FTLS Guestbook 1.1.

7. Blackboard Learning System search.pl SQL Injection Variant Vulnerability BugTraq ID: 6687
Remote: Yes
Date Published: Jan 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6687
Summary:

Blackboard Learning system is a suite of software products available for Microsoft Windows, Linux and Solaris servers that power an "e-Education Infrastructure" for education providers.

Blackboard Learning System, in some cases, does not sufficiently sanitize user-supplied input which is used when constructing SQL queries. As a result, attackers may supply malicious parameters to manipulate the structure and logic of SQL queries. This may result in unauthorized operations being performed on the underlying database.

This vulnerability was reported to exist in the search.pl script file. A remote attacker can exploit this vulnerability to discover the passwords of other users.

This vulnerability is a variant of the vulnerability described in BID 6655.

This vulnerability was reported for Blackboard Learning System 5.5.1, level 1 and 2. Previous releases may also be affected.

8. Qualcomm Eudora Email Message Deletion Weakness BugTraq ID: 6688
Remote: No
Date Published: Jan 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6688
Summary:

Eudora is a graphical e-mail client for Windows operating environments.

A weakness has been reported for Qualcomm Eudora. The weakness exists in the way Eudora deletes email from the "Trash" folder. When a message is deleted from the "Trash" folder, it is only marked as 'deleted' and still exists in the Trash.mbx file.

The message is only removed from Trash.mbx when the user chooses to compact mailboxes. This may lull a user into a false sense of security.

This weakness was reported for Eudora 5.2.0.9. It is likely that other versions share this weakness.

9. List Site Pro User Database Delimiter Injection Vulnerability BugTraq ID: 6685
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6685
Summary:

List Site PRO is a top site ranking system that counts hits from member sites and then ranks them according to the number of hits.

A problem has been reported for List Site PRO that would allow an attacker to inject arbitrary values via HTML input form fields into the database that the 'List Site Pro' ranking system uses.

The problem is caused by the combination of two issues:

  1. The lack of input sanitization for the 'bannerurl' field. The form field 'bannerurl' accepts pipe characters '|', which are used as delimiters in the List Site Pro database.

  2. The way List Site PRO discloses the user id of a site in its relative link.

An attacker may combine these vulnerabilities to modify or reset any stored user credentials in the underlying List Site PRO flat-file database.
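
To make the delimiter problem concrete, here is an added toy model of a pipe-delimited flat-file store (example code, not List Site PRO's own; the record layout and field names are constructed). The naive writer lets a '|' inside 'bannerurl' land in the next field when the record is parsed back, while the hardened writer refuses reserved characters before anything is stored.

```python
# Added example, not List Site PRO's code. Record layout, field names and
# the sample values below are constructed for illustration only.

FIELDS = ("id", "sitename", "bannerurl", "password")
DELIM = "|"


class DelimiterInjection(ValueError):
    """Raised when a field value contains a character reserved by the format."""


def write_record_naive(values):
    """Join the fields with '|' and perform no check (the vulnerable behaviour)."""
    return DELIM.join(values[f] for f in FIELDS)


def write_record_safe(values):
    """Join the fields with '|', rejecting any value that carries the
    delimiter or a line break, since either would corrupt the record."""
    for f in FIELDS:
        v = values[f]
        if DELIM in v or "\n" in v or "\r" in v:
            raise DelimiterInjection(f"field {f!r} contains a reserved character")
    return DELIM.join(values[f] for f in FIELDS)


def parse_record(line):
    """Split a stored line back into fields the way a naive reader does:
    split on '|' and assign pieces to FIELDS by position."""
    parts = line.split(DELIM)
    return dict(zip(FIELDS, parts))


def demo():
    """Show the naive and hardened writers on a constructed hostile update
    whose 'bannerurl' smuggles an extra field. Returns the password the
    naive store would end up with and whether the safe writer refused it."""
    hostile = {
        "id": "42",
        "sitename": "example-site",
        "bannerurl": "http://banner.example/b.gif|newpass",
        "password": "original",
    }
    stored = write_record_naive(hostile)
    reparsed = parse_record(stored)
    # Naive path: the stray '|' shifts 'newpass' into the password slot.
    naive_password = reparsed["password"]
    try:
        write_record_safe(hostile)
        safe_rejected = False
    except DelimiterInjection:
        safe_rejected = True
    return naive_password, safe_rejected


if __name__ == "__main__":
    print(demo())
```

Rejecting the delimiter is the simplest fix; escaping it (for example percent-encoding '|' on write and decoding on read) also works, provided every reader of the file applies the same decoding.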

10. Hypermail Message Attachment Buffer Overflow Vulnerability BugTraq ID: 6689
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6689
Summary:

Hypermail is a freely available tool that converts email into HTML format.

A buffer overflow vulnerability has been reported for Hypermail. The vulnerability occurs when Hypermail processes emails with overly long attachment names. Specifically, the buffer overflow condition exists in the source file, parse.c, when processing emails.

This vulnerability is only exploitable if Hypermail is configured to output verbose information with the option 'progress = 2'. An attacker can exploit this vulnerability by sending an email with an overly long attachment name, consisting of more than 252 characters, to the vulnerable Hypermail service. The buffer overflow condition will be triggered when Hypermail parses the email and may result in malicious attacker-supplied code being executed by the vulnerable hypermail process.

This vulnerability was reported for Hypermail 2.1.3 to 2.1.5.

11. Hypermail CGI Mail Reverse DNS Lookup Buffer Overflow Vulnerability BugTraq ID: 6690
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6690
Summary:

Hypermail is a freely available tool that converts email into HTML format.

A buffer overflow vulnerability has been reported for Hypermail's CGI mail program.

The vulnerability exists due to insufficient bounds checking performed by the CGI mail program when resolving DNS replies. Specifically, the program uses the function gethostbyaddr() to obtain a hostname from a given IP address. If the DNS server's reply is greater than 80 characters, this would result in a buffer overflow condition.

Operators of malicious DNS servers may exploit this condition to execute arbitrary code on target hosts. It may also be possible for attackers who do not control the DNS server to spoof malicious responses.

Successful exploitation of this vulnerability may result in the attacker obtaining control of the execution of the vulnerable program.

This vulnerability was reported for Hypermail 2.1.3 to 2.1.5.

12. PlatinumFTPServer File Disclosure Vulnerability BugTraq ID: 6691
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6691
Summary:

PlatinumFTPServer is an FTP server for Microsoft Windows systems. It is commercially available, and distributed by BYTE/400.

A directory traversal vulnerability has been reported in PlatinumFTPServer. The program does not sufficiently handle backslash-dot-dot input, which could result in an attacker gaining access to unauthorized resources.

This problem can allow an attacker to break out of the FTP root directory, and access the entire file system of the vulnerable host. It has been reported that an attacker may also be able to create and remove arbitrary files and directories on the system by specifying the full path to the file. This vulnerability requires an attacker to use the '\..' notation.

This vulnerability was reported for PlatinumFTPServer 1.0.7. It is likely that earlier versions are affected.

13. Sun Solaris AT Command Arbitrary File Deletion Vulnerability BugTraq ID: 6692
Remote: No
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6692
Summary:

/usr/bin/at is used to schedule jobs at a future time. The at utility shipped with Sun Solaris may be prone to an issue which may allow attackers to delete arbitrary files on the system.

The vulnerability occurs when using at with the '-r' option. This option is used to remove previously scheduled at jobs. The vulnerability exists because at does not properly sanitize parameters submitted as part of the -r commandline option. Specifically, at does not properly sanitize '../' character sequences in the parameters of the -r option.

A local attacker can exploit this vulnerability by invoking 'at -r' with a malicious parameter involving '../' directory traversal sequences. This will cause at to remove arbitrary files on the vulnerable system.

This vulnerability is further exacerbated by the fact that at is a setuid root utility.

14. Sun Solaris AT Command Race Condition Vulnerability BugTraq ID: 6693
Remote: No
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6693
Summary:

/usr/bin/at is used to schedule jobs at a future time. The at utility shipped with Sun Solaris may be prone to an issue which may allow unprivileged users to delete any file on the vulnerable system.

This vulnerability is a consequence of the issue described in BID 6692 and also occurs when at is used with the -r commandline option.

at is prone to a race condition vulnerability that may result in the deletion of a file other than the specified one. The issue exists in the way the at utility first verifies ownership of a file via the stat() function and then unlink()s it. If the filesystem can be changed between these two calls, it is possible to cause at to delete an arbitrary file.

This vulnerability is further exacerbated by the fact that at is a setuid root utility.

15. Noffle Remote Memory Corruption Vulnerability BugTraq ID: 6695
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6695
Summary:

Noffle is a news (NNTP) server designed to serve a few users over low-speed dial-up connections to the Internet. It is available for the Unix and Linux operating systems.

A memory corruption bug has been discovered in Noffle. The issue can be triggered remotely and may cause a segmentation violation in the affected server. This issue is likely caused when Noffle attempts to process a malicious news group or entry.

Although unconfirmed, this issue may be exploitable by a remote attacker to trigger a denial of service or possibly execute arbitrary code. Attacker-supplied instructions would be executed with the privileges of the invoker of Noffle, likely the 'news' user.

The technical details regarding this issue are currently unknown. This BID will be updated when further information becomes available.

16. Nuked-Klan Guestbook HTML Injection Vulnerability BugTraq ID: 6697
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6697
Summary:

A vulnerability has been discovered in the Nuked-Klan guestbook module. It has been reported that Nuked-Klan fails to sufficiently sanitize HTML and script code embedded in certain user-supplied variables. Specifically, the guestbook module fails to filter the 'Author' variable for malicious input.

As a result, attackers may embed malicious script code or HTML into guestbook entries. When a malicious entry is viewed by another user, the attacker-supplied code will be interpreted in their web browser in the security context of the site hosting the software.

It may be possible to steal the unsuspecting user's cookie-based authentication credentials, as well as other sensitive information. Other attacks are also possible.

17. Nuked-Klan Forum Module HTML Injection Vulnerability BugTraq ID: 6699
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6699
Summary:

A vulnerability has been discovered in the Nuked-Klan 'Forum' module. It has been reported that Nuked-Klan fails to sufficiently sanitize HTML and script code embedded in certain user-supplied variables. Specifically, the 'Forum' module fails to filter the 'Pseudo' and 'Titre' forum post form fields for malicious input.

As a result, attackers may embed malicious script code or HTML into forum posts. When a malicious post is viewed by another user, the attacker-supplied code will be interpreted in their web browser in the security context of the site hosting the software.

It may be possible to steal the unsuspecting user's cookie-based authentication credentials, as well as other sensitive information. Other attacks are also possible.

18. Nuked-Klan Shoutbox HTML Injection Vulnerability BugTraq ID: 6700
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6700
Summary:

A vulnerability has been discovered in the Nuked-Klan 'Shoutbox' module. It has been reported that Nuked-Klan fails to sufficiently sanitize HTML and script code embedded in certain user-supplied variables. Specifically, the 'Shoutbox' module fails to filter the "The Opinion column" or "La Tribune Libre" form field for malicious input.

As a result, attackers may embed malicious script code or HTML into shoutbox messages. When a malicious message is viewed by another user, the attacker-supplied code will be interpreted in their web browser in the security context of the site hosting the software.

It may be possible to steal the unsuspecting user's cookie-based authentication credentials, as well as other sensitive information. Other attacks are also possible.

19. Finjan SurfinGate Password Ciphering Weaknesses BugTraq ID: 6705
Remote: No
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6705
Summary:

SurfinGate is a commercially available content filtering and application firewall package. It is distributed by Finjan, and available for the Sun Solaris and Microsoft Windows platforms.

A weakness has been discovered in the encryption algorithms implemented by Finjan SurfinGate. The SurfinGate Console password is viewable through the properties table and is obfuscated using an algorithm which may be trivial for an attacker to reverse. SurfinGate uses the following algorithm to obfuscate the Console password:

CHAR encrypted(n) = CHAR( ASCII(CHAR cleartext(n)) + n )

Where n is the position of the character in the password beginning with 0.

When the SurfinGate console is used to access a Solaris installation the Oracle protocol is used. For this to be possible a valid Oracle user must exist for SurfinGate to use. The Oracle user credentials are stored in a locally accessible configuration file. It has been reported that the user's Oracle password is also obfuscated using a slightly more complex algorithm, which would be trivial for an attacker to reverse.

If the password is discovered, this may lead to further attacks against the target system and the filtering software.

The Oracle password is obfuscated using the following algorithm:

CHAR encrypted(n) = HEX( ASCII( CHAR cleartext(n) ) + 1 )

Where n is the position of the character in the password.
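
The two transforms above, written out as an added example (not Finjan's code) together with their inverses, make the weakness visible: both are fixed substitutions with no key, so anyone who can read the stored value can apply the inverse, and the stored length alone leaks the password length. The Oracle scheme's output width (two lowercase hex digits per character) and the absence of any wraparound in the Console scheme are assumptions; the BID states only the formulas.

```python
# Added example, not Finjan's code: the Console and Oracle obfuscation
# schemes exactly as BID 6705 states them, each beside its inverse.
# Assumptions: no wraparound when ASCII(c) + n leaves the ASCII range,
# and two lowercase hex digits per character for the Oracle scheme.


def console_obfuscate(cleartext):
    """CHAR encrypted(n) = CHAR(ASCII(cleartext(n)) + n), n starting at 0."""
    return "".join(chr(ord(c) + n) for n, c in enumerate(cleartext))


def console_deobfuscate(obfuscated):
    """Inverse of console_obfuscate: subtract the position again. No secret
    is needed, which is why this is obfuscation rather than encryption."""
    return "".join(chr(ord(c) - n) for n, c in enumerate(obfuscated))


def oracle_obfuscate(cleartext):
    """CHAR encrypted(n) = HEX(ASCII(cleartext(n)) + 1)."""
    return "".join("%02x" % (ord(c) + 1) for c in cleartext)


def oracle_deobfuscate(obfuscated):
    """Inverse of oracle_obfuscate; rejects input that is not even-length hex."""
    if len(obfuscated) % 2:
        raise ValueError("hex string must have even length")
    return "".join(
        chr(int(obfuscated[i:i + 2], 16) - 1) for i in range(0, len(obfuscated), 2)
    )


def leaked_length(scheme, stored):
    """Even without decoding, the stored value reveals the password length:
    the Console scheme preserves it, the Oracle scheme doubles it."""
    if scheme == "console":
        return len(stored)
    if scheme == "oracle":
        return len(stored) // 2
    raise ValueError("unknown scheme")


if __name__ == "__main__":
    sample = "S3cret!pass"  # constructed sample, not a real credential
    print(console_obfuscate(sample), console_deobfuscate(console_obfuscate(sample)))
    print(oracle_obfuscate(sample), oracle_deobfuscate(oracle_obfuscate(sample)))
```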

20. Finjan SurfinGate HTML Filtering Weakness BugTraq ID: 6702
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6702
Summary:

SurfinGate is a commercially available content filtering and application firewall package. It is distributed by Finjan, and available for the Sun Solaris and Microsoft Windows platforms.

The HTML filter included with Finjan SurfinGate does not sufficiently recognize certain types of malicious HTML which may pose a threat to end users.

As a result, end users may be exposed to attacks which utilize malicious HTML to cause a denial of service or impact the user in other ways.

Due to this weakness in the SurfinGate filter, it may be possible for malicious HTML code to be accessed by a user. Specifically, HTML META-Tags with a refresh set to 0, infinite recursive frame sets, and infinite recursive iframes are not detected by the affected application. Processing malicious HTML code sequences may result in a denial of service, depending on the end user's web browser implementation.

21. Finjan SurfinGate Active Content Filter Bypass Vulnerability BugTraq ID: 6701
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6701
Summary:

SurfinGate is a commercially available content filtering and application firewall package. It is distributed by Finjan, and available for the Sun Solaris and Microsoft Windows platforms.

A flaw was reported in the SurfinGate active content filter, which provides functionality for analyzing various types of active content (JavaScript, ActiveX, VBScript, etc.). The active content filter works by filtering out specific code which is deemed dangerous and permitting "safe" code to pass. However, the JavaScript parser included in the active content filter does not sufficiently sanitize script code.

It is possible to bypass the filter by obfuscating the malicious JavaScript. This may be accomplished by hex-encoding the malicious code and then passing it through a function which decodes the string (such as through the eval() method).

Successful exploitation will permit arbitrary JavaScript to bypass the filter and reach end users.

22. Finjan SurfinGate Java Applet Analyzer Bypass Vulnerability BugTraq ID: 6704
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6704
Summary:

SurfinGate is a commercially available content filtering and application firewall package. It is distributed by Finjan, and available for the Sun Solaris and Microsoft Windows platforms.

A flaw was reported in the Java applet analyzer included with Finjan SurfinGate. The analyzer works by filtering out specific code which is deemed dangerous and permitting "safe" code to pass. The Java applet analyzer scans the contents of a JAR archive and removes classes which are on a blacklist.

However, the Finjan SurfinGate Java applet analyzer does not properly detect the use of the Java Reflection API. As a result, this API may be used to call methods and classes that may otherwise be restricted.

A malicious Java applet may use this technique to bypass the Finjan SurfinGate filter. End users may not be protected from malicious Java applets as a result.

23. Finjan SurfinGate File Extension File Filter Circumvention Vulnerability BugTraq ID: 6703
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6703
Summary:

SurfinGate is a commercially available content filtering and application firewall package. It is distributed by Finjan, and available for the Sun Solaris and Microsoft Windows platforms.

A problem with SurfinGate could make it possible for an attacker to circumvent file filters that are set in place.

SurfinGate uses the file extension to determine if a file is of a type that is blacklisted by the software. It has been reported that an attacker may bypass SurfinGate file filtering rules by appending an extra file extension of a type that is not blacklisted to the end of the file name.

For example, an attacker may rename an executable file to 'filename.com.txt' to bypass the SurfinGate file filter.

It should be noted that an end user would still have to interactively open or execute the malicious file.

24. Finjan SurfinGate Compressed Archive File Filter Circumvention Vulnerability BugTraq ID: 6706
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6706
Summary:

SurfinGate is a commercially available content filtering and application firewall package. It is distributed by Finjan, and available for the Sun Solaris and Microsoft Windows platforms.

A problem with SurfinGate could make it possible for an attacker to circumvent file filters that are set in place.

It has been reported that SurfinGate does not sufficiently dissect archive files for analysis. This may allow an attacker to circumvent the SurfinGate file filter rules by including the malicious file of a blacklisted type inside a file archive (such as '.ZIP' or '.RAR').

It should be noted that an end user would still have to interactively open or execute the malicious file.

25. Finjan SurfinGate Unknown File Extension File Filter Circumvention Vulnerability BugTraq ID: 6707
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6707
Summary:

SurfinGate is a commercially available content filtering and application firewall package. It is distributed by Finjan, and available for the Sun Solaris and Microsoft Windows platforms.

A problem with SurfinGate could make it possible for an attacker to circumvent file filters that are set in place.

SurfinGate uses the file extension to determine if a file is of a type that is blacklisted by the software. It has been reported that an attacker may bypass SurfinGate file filtering rules by using a file extension that is not recognized by the filtering software.

It should be noted that an end user would still have to interactively open or execute the malicious file. This may arouse suspicion if there is no handler on the local system for the unknown file extension.
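Items 23, 24 and 25 describe one weakness from three angles: the filter looks only at the final extension, passes extensions it does not know, and does not look inside archives. The following added Python sketch is not Finjan's code; its blacklist and allow-list are constructed assumptions. It places a check that fails in exactly those three ways beside one that examines every extension component, fails closed on unknown extensions, and dissects ZIP archives (recursively) before deciding.

```python
import io
import zipfile

# Constructed lists for the example; a real deployment would use its own policy.
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "scr", "pif", "vbs"}
ALLOWED_EXTENSIONS = {"txt", "html", "jpg", "gif", "pdf", "zip"}
ARCHIVE_EXTENSIONS = {"zip"}


def extensions_of(name):
    """All extension components of the base name, lower-cased:
    'dir/a.com.txt' -> ['com', 'txt']; 'readme' -> []."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def weak_is_blocked(name):
    """Mirrors the reported behaviour: only the last extension is consulted,
    anything unrecognised passes, and archives are not opened."""
    exts = extensions_of(name)
    return bool(exts) and exts[-1] in BLOCKED_EXTENSIONS


def hardened_is_blocked(name, data=b""):
    """Block if any extension component is blacklisted, if the final extension
    is not explicitly allowed (unknown types fail closed), or if any member of a
    ZIP archive would itself be blocked. Unreadable archives are blocked."""
    exts = extensions_of(name)
    if not exts or any(e in BLOCKED_EXTENSIONS for e in exts):
        return True
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return True
    if exts[-1] in ARCHIVE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(hardened_is_blocked(m.filename, zf.read(m))
                           for m in zf.infolist() if not m.is_dir())
        except zipfile.BadZipFile:
            return True
    return False


def build_zip(members):
    """Constructed helper: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()
```

The hardened check still reads every archive member into memory, so a size or nesting-depth limit belongs in front of it in production.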

26. Replicom ProxyView Default Password Vulnerability BugTraq ID: 6708
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6708
Summary:

Replicom ProxyView is a remote access tool. It is intended for use by network administrators to provide KVM functionality to remote servers. The device's operating environment is Embedded Windows NT.

It has been reported that the ProxyView device has a default undocumented password for the Administrator account for Embedded Windows NT.

An attacker can exploit this vulnerability by connecting to the ProxyView device on port 139 and logging in as 'Administrator' with the password 'Administrator'. This will provide the attacker with administrative access to the device's operating system.

It is possible to exploit this vulnerability to obtain access to the servers connected to the ProxyView device.

27. Solaris in.ftpd Remote Denial of Service Vulnerability BugTraq ID: 6709
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6709
Summary:

in.ftpd is the default File Transfer Protocol (FTP) daemon used by Solaris.

A vulnerability has been discovered in the Solaris in.ftpd daemon. It has been reported that a non-privileged remote attacker may be able to trigger this condition. It has not yet been verified if authentication is required to exploit this vulnerability.

A malicious user exploiting this vulnerability may cause the ftp service to intermittently deny service to other legitimate users. This condition will occur whenever the attacking ftp client issues a command and will cause the service to hang for roughly 60 seconds. During this time legitimate users may time out of their connection to the service.

The technical details regarding this vulnerability are currently unknown. This BID will be updated as further details are made available.

28. MIT Kerberos Remote Heap Corruption Vulnerability BugTraq ID: 6713
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6713
Summary:

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos is written and maintained by MIT. It is available for a variety of platforms including the Microsoft Windows, Unix, and Linux operating systems.

A vulnerability has been discovered in MIT Kerberos. It has been reported that, due to insufficient bounds checking and sanitization of user-supplied data, Kerberos is prone to memory corruption.

A remote attacker may trigger this condition by supplying a negative length value in a malicious packet sent to a target server. This may result in insufficient memory being allocated or cause invalid memory to be referenced. Successful exploitation of this issue may result in a denial of service.

Due to the nature of this vulnerability it may be possible for an attacker to create a situation in which sensitive memory could be overwritten. If successful this could allow for the execution of arbitrary code with the privileges of Kerberos. The possibility of exploitation of this issue to execute code, however, has not been confirmed.

As this issue affects older releases of Kerberos, a BID may already exist. If this issue proves to be covered in a previous database entry, this BID will be retired and the correct BID will be updated accordingly.

29. MIT Kerberos Key Distribution Center Remote Format String Vulnerabilities BugTraq ID: 6712
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6712
Summary:

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos is written and maintained by MIT. It is available for a variety of platforms including the Microsoft Windows, Unix, and Linux operating systems.

A number of vulnerabilities have been reported in the MIT Kerberos Key Distribution Center (KDC). It has been reported that the KDC passes user-supplied data to printf-family functions without a fixed format string. Specifically, principal names supplied by a remote user are handed to these functions as the format argument rather than as data. It has been determined that under some circumstances an unauthenticated remote user may be able to pass principal names to an affected server.

An attacker could exploit this vulnerability by supplying a maliciously crafted principal name containing format specifiers. By writing attacker-controlled values to memory using the %n format specifier, it may be possible for a remote attacker to execute arbitrary commands.

As this issue affects older releases of Kerberos, a BID may already exist. If this issue proves to be covered in a previous database entry, this BID will be retired and the correct BID will be updated accordingly.

30. MIT Kerberos / Key Distribution Center Shared Key User Spoofing Vulnerability BugTraq ID: 6714
Remote: Yes
Date Published: Jan 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6714
Summary:

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos is written and maintained by MIT. It is available for a variety of platforms including the Microsoft Windows, Unix, and Linux operating systems.

A vulnerability has been discovered in MIT Kerberos and its Key Distribution Center (KDC). It has been reported that a user within a realm implementing shared keys may be able to spoof another legitimate non-local user.

This issue is exploitable due to insufficient realm transit path verification by the affected software.

This vulnerability exists only if non-local principal names are located in the KDC's access control list. The ability to impersonate another legitimate user may be leveraged by an attacker to obtain sensitive information. Under some circumstances a malicious attacker may be able to impersonate a user with privileges beyond their own.

This issue affects MIT Kerberos 5 release 1.2.2 and earlier. As this issue affects older releases of Kerberos, a BID may already exist. If this issue proves to be covered in a previous database entry, this BID will be retired and the correct BID will be updated accordingly.

31. DotProject Remote File Include Vulnerability BugTraq ID: 6710
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6710
Summary:

dotproject is web-based project management software, written in PHP. It is designed to run on Unix and Linux variants.

dotproject is prone to an issue which may allow remote attackers to include arbitrary files located on remote servers. This issue is present in several PHP script files provided with dotproject in the 'modules' directory which try to include the file 'classdefs/date.php'.

The following is a list of the affected scripts:

modules/projects/addedit.php
modules/projects/view.php
modules/projects/vw_files.php
modules/tasks/addedit.php
modules/tasks/viewgantt.php

Under some circumstances, it is possible for remote attackers to influence the include path for 'date.php' to point to an external file on a remote server by manipulating the $root_dir URI parameter.

If the remote file is a malicious PHP script, this may be exploited to execute arbitrary commands in the context of the webserver.

32. PLP Tools plpnfsd Syslog Format String Vulnerability BugTraq ID: 6715
Remote: No
Date Published: Jan 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6715
Summary:

PLP Tools is a collection of libraries and utilities for enabling Unix and Linux variant systems to communicate with a Psion palmtop over a serial line. plpnfsd is the server application that allows users to mount Psion filesystems on workstations.

A vulnerability has been reported for plpnfsd that may result in an attacker obtaining elevated privileges on the vulnerable system.

Due to a programming error, it may be possible to exploit a format string vulnerability in plpnfsd. A logging function in plpnfsd contains insecure syslog() calls. This could result in the execution of attacker-supplied code.

The vulnerability occurs when plpnfsd receives a carefully constructed directory name that includes malicious format string specifiers. In the event that this vulnerability is exploited, an attacker could cause arbitrary locations in memory to be corrupted with attacker-specified data and execute code with elevated privileges.

This vulnerability is also exacerbated by the fact that the plpnfsd daemon is installed with setuid root privileges.

This vulnerability was reported for plptools 0.6.

III. SECURITYFOCUS NEWS AND COMMENTARY


1. E-Voting security debate comes home By Kevin Poulsen

Why are some high-power technologists trying to keep fully-electronic ballots out of Silicon Valley voting booths? They're worried that hackers might decide the next election.

http://online.securityfocus.com/news/2197

2. 'Secure by design', claims MS op-ed ad By Andrew Orlowski, The Register