
SecurityFocus Newsletter #187

From: Stephen Entwisle <se(at)securityfocus.com>
Date: Mon Mar 10 2003 - 12:26:56 EST



This issue sponsored by: Application Security, Inc.

Protection Where It Counts!

How vulnerable are your applications and databases to attack? How vulnerable are your Oracle, Microsoft SQL Server, IBM DB2, Sybase, and Lotus Domino installations?

Find out by downloading your FREE EVALUATION COPY of AppDetective! AppDetective will DISCOVER rogue installations; perform zero knowledge PENETRATION TESTS without administrative rights; and perform in-depth SECURITY AUDITS from the inside-out without agents. Download your FREE EVALUATION COPY of AppDetective and INFORMATIVE WHITE PAPERS on database/application security TODAY from:

http://www.appsecinc.com/securityfocus/


I. FRONT AND CENTER

  1. Cryptographic Filesystems: Design and Implementation
  2. Windows Forensics - A Case Study: Part Two
  3. An Analysis of Simile
  4. Spam Wars Make Strange Bedfellows
  5. SecurityFocus DPP Program
  6. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

II. BUGTRAQ SUMMARY

  1. Netscape Communicator Password Disclosure Weakness
  2. Typo3 Showpic.PHP File Enumeration Vulnerability
  3. Typo3 Translations.PHP Remote File Include Vulnerability
  4. Typo3 Log HTML Injection Vulnerability
  5. Typo3 Runtime Error Page Information Disclosure Vulnerability
  6. Typo3 Translations.PHP File Disclosure Vulnerability
  7. Axis Communications 2400 Video Server Command.CGI File...
  8. Typo3 Webroot Folders Information Disclosure Weakness
  9. Sun Microsystems Solaris FTP Client Debug Mode Password...
  10. Apple QuickTime/Darwin Streaming Server Remote File...
  11. Apple QuickTime/Darwin Streaming Server parse_xml.cgi File...
  12. Typo3 HTML Hidden Form Field Information Disclosure Weakness
  13. USRobotics Broadband-Router GET Request DoS Vulnerability
  14. CoffeeCup Software Password Wizard Remote Password Retrieval...
  15. Web-ERP Configuration File Remote Access Vulnerability
  16. PY-Livredor index.php HTML Injection Vulnerability
  17. Sendmail Header Processing Buffer Overflow Vulnerability
  18. Webchat Defines.PHP Remote File Include Vulnerability
  19. XFree86 XLOCALEDIR Local Buffer Overflow Vulnerability
  20. HP JetDirect Printer SNMP JetAdmin Device Password...
  21. GTCatalog Remote File Include Vulnerability
  22. Siemens M Series SMS DoS Vulnerability
  23. Macromedia Flash Player Unspecified Buffer Overflow Vulnerability
  24. uschedule Local Privilege Escalation Vulnerability
  25. SAP R/3 sapinfo RFC API Account Locking Weakness
  26. File Local Stack Overflow Code Execution Vulnerability
  27. File Utility Local Memory Allocation Vulnerability
  28. iPlanet 6.0 Log Viewing Utility Concealed Log Entry Vulnerability
  29. Logan Pro HTTP Header Code Injection Vulnerability
  30. WebTrends Analysis Suite Logfile HTML Injection Vulnerability
  31. SurfStats Log Analyzer Logfile HTML Injection Vulnerability
  32. WebLog Expert HTTP Header Code Injection Vulnerability
  33. WebLog Expert Logfile HTML Injection Vulnerability
  34. iPlanet Log Analyzer Logfile HTML Injection Vulnerability
  35. HP Tru64 Unspecified XFS Vulnerability

III. SECURITYFOCUS NEWS ARTICLES

  1. Google Closes Blogger Security Holes
  2. Windows Root Kits a Stealthy Threat
  3. Police raids following Texas University ID cyber-heist
  4. Hackers steal names, Social Security numbers from U...

IV. SECURITYFOCUS TOP 6 TOOLS

  1. DiskZapper v1.0
  2. Tcpdump v3.7.2
  3. pkeytool v1.0.0
  4. pmacct v0.2.3
  5. ppplog v1.1
  6. pam_dotfile v0.1

V. SECURITYJOBS LIST SUMMARY

  1. Should I charge to help write a security RFP? (Thread)
  2. Neoteris is hiring! (Thread)
  3. Position offered - Business Development / Outside Sales - NW...
  4. FL CISSP Seeking a Position (Thread)
  5. President/COO - Mid-West HQ (Thread)
  6. VP WW Sales - West Coast Based (Thread)
  7. VP, Government Sales & Marketing #335 - VA - $120k - $150k...
  8. Senior Security Consultant - Puerto Rico (Thread)
  9. INTERNAL IT AUDITOR w/ Risk Assessment and Mgmt - US-MD (Thread)
  10. Midwest Located Position Search (Thread)
  11. Postdoc position available on OS security (Thread)
  12. job opportunity (Thread)
  13. Sales Engineer/DC (Thread)
  14. network/security software developer (Thread)
  15. Sr. Security Systems Engineer - Baltimore/DC Area (Thread)
  16. Security Product Manager - San Francisco Bay Area ...
  17. INTERNAL FINANCIAL AUDITOR w/ Risk Assessment in MD (Thread)
  18. Looking for SALES ENGINEER - Dallas, TX (Thread)
  19. Computer Security Incident Response Engineer - Denver Metro...
  20. Cleared security intern looking from Midwest (Thread)
  21. VP, Research & Development Laboratories #762 - MD - $175k...
  22. Seeking Contract or Permanent Remote Position (Thread)
  23. Security Sales (Thread)
  24. Security Product Manager (Thread)
  25. Sr. Product Manager - Redwood City CA (Thread)
  26. Group Product Manager - Redwood City CA (Thread)
  27. Positions Available - 2 Senior IT Security Pre-Sales...
  28. Senior Manager #766 - New York, NY - $125k - $160k (Thread)
  29. Forensic and Information Security Analyst Looking for a home...
  30. Seeking Full-time position - Master's Grad (Thread)
  31. Fwd: CHECK Certification (Thread)
  32. Probs obtaining Liability Insurance, please assist (Thread)
  33. Quick Question - Greythorn (Thread)
  34. Job Posting (Thread)

VI. INCIDENTS LIST SUMMARY

  1. SMTP username dictionary attack (Thread)
  2. Backdoor ?? "Girlnextdoor_" TCP Ports 1025/1028 (Thread)
  3. TCP 445 Scan? (Thread)
  4. SecurityFocus article announcement (Thread)
  5. sending out spam through IRC server ? (Thread)
  6. Anyone recognize a DDOS tool with the signature "The Matrix...
  7. New SecurityFocus article announcement (Thread)
  8. Numerous TCP port 445 scans on 3/2/03 (Thread)
  9. Spammers? (Thread)
  10. SV: TCP 445 Scan? (Thread)
  11. UDP port 41170 (Thread)
  12. RE : UDP port 41170 (Thread)
  13. Interesting (Thread)
  14. Weird Profile in Documents and Settings (Thread)
  15. www.nopop.net (Thread)

VII. VULN-DEV RESEARCH LIST SUMMARY

  1. Fwd: Kazaa file corruption (Thread)
  2. gtali Segmentation fault (Thread)
  3. Buffer overflows, return address and offset (Thread)
  4. Sygate Security Bulletin SS20030221-0001 (Thread)
  5. Implementation flaws in Adobe Document Server for Reader...
  6. DoS in 'USR848000A-02' (Thread)
  7. Security contact for Bank Of America (Thread)
  8. Non registering shell (Thread)
  9. freeconsole() (Thread)

VIII. MICROSOFT FOCUS LIST SUMMARY

  1. Article Announcement: Windows Forensics - A Case Study: Part...
  2. User rights on Terminal Services (Thread)
  3. Logging mechanism in IIS (was RE: code red---- on system that...
  4. Logging mechanism in IIS (was code red---- on system that...
  5. code red---- on system that is already (and has been) patched...
  6. experiment supports concept of using host header names as...
  7. 5 security questions (Thread)
  8. SecurityFocus Microsoft Newsletter #127 (Thread)
  9. host header names as security devices (Thread)
  10. One Time Passwords (Thread)

IX. SUN FOCUS LIST SUMMARY

  1. Solaris disk wipe utility? (Thread)
  2. Kernel modules (Thread)
  3. Article Announcement: Secure MySQL Database Design (Thread)

X. LINUX FOCUS LIST SUMMARY

  1. Port 113 security (Thread)
  2. Red Hat Network updates (Thread)
  3. Reviewed the rhn code .. Red Hat Network updates (Thread)
  4. Availability of Sendmail fix (Thread)
  5. chroot, scp and security on RedHat 8.0 (Thread)
  6. What Is hosts2-ns (Thread)
  7. Article Announcement: Secure MySQL Database Design (Thread)

XI. SPONSOR INFORMATION


I. FRONT AND CENTER

1. Cryptographic Filesystems: Design and Implementation
By Ido Dubrawsky

Cryptographic filesystems have recently come to the forefront of security. This article will discuss some of the background and technology of cryptographic filesystems and will then cover some example implementations of these filesystems including Microsoft's Encrypting File System for Windows 2000, the Linux CryptoAPI, and the Secure File System.

http://www.securityfocus.com/infocus/1673


2. Windows Forensics - A Case Study: Part Two By Stephen Barish

This article is the second in a two-part series that will offer a case study of forensics in a Windows environment. This article deals with determining the scope of the compromise, and understanding what the attacker is trying to accomplish at the network level. Along the way, we'll be discussing some tools and techniques that are useful in this type of detective work.

http://www.securityfocus.com/infocus/1672

3. An Analysis of Simile
by Adrian Marinescu

Virus writers have always tried to develop new methods to make malware detection more difficult. For instance, encryption was a natural step in virus evolution when scanners started to use databases with scan strings for detection. When scanners started to handle encryption patterns generically, first oligomorphism (a limited form of polymorphism - the polymorphic decryptor can have a strictly limited, relatively small number of shapes) and then polymorphism were introduced.

http://www.securityfocus.com/infocus/1671

4. Spam Wars Make Strange Bedfellows
By Jon Lasser

The open-source community is closer than ever to curing the spam problem, but they'll have to hold their noses and help out Windows users to get there.


http://www.securityfocus.com/columnists/146

5. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only global early-warning system for cyber attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

6. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops: March 8, 9, 12, 13, & 14
Vendor Expo: March 10 & 11

Solutions to today’s security concerns; hands-on experts; blockbuster vendor expo; the CISO Executive Summit; invaluable networking opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html


II. BUGTRAQ SUMMARY


1. Netscape Communicator Password Disclosure Weakness BugTraq ID: 6981
Remote: No
Date Published: Feb 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6981
Summary:

Netscape Communicator is a combined web browser and e-mail client developed for a variety of platforms including Microsoft Windows, Linux and Unix variant operating environments.

It has been reported that the Netscape Communicator roaming profile function may store sensitive user credentials in the 'prefs.js' configuration file, either in plaintext or in an easily reversed format.

This weakness may result in an attacker accessing sensitive user credentials that may be used in further attacks launched against the system.

Conflicting reports suggest that this issue may instead stem from a user-initiated configuration change, and that by default password data is encrypted with a trivial XOR-based algorithm.

This report is closely related to the issue described in BID 6215.

2. Typo3 Showpic.PHP File Enumeration Vulnerability BugTraq ID: 6982
Remote: Yes
Date Published: Feb 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6982
Summary:

TYPO3 is a web-based content management system. It is available for Microsoft Windows operating systems and Unix and Linux variants.


TYPO3 is prone to a vulnerability that will allow remote attackers to enumerate whether or not files exist on the system hosting the software. This issue exists in the 'showpic.php' and 'thumbs.php' scripts and may be exploited by submitting a malicious request for a file (including the relative path). These scripts will return information about whether or not a file exists.

This type of information may be useful in mounting further attacks against the host system, since the scripts will reveal information about the layout of the host's filesystem.

3. Typo3 Translations.PHP Remote File Include Vulnerability BugTraq ID: 6984
Remote: Yes
Date Published: Feb 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6984
Summary:

TYPO3 is a web-based content management system. It is available for Microsoft Windows operating systems and Unix and Linux variants.

TYPO3 is prone to an issue that may allow remote attackers to include files located on attacker-controlled servers.

This vulnerability is as a result of insufficient sanitization performed on remote user supplied data used by a URI parameter of the 'translations.php' PHP page.

Under some circumstances, it is possible for remote attackers to influence the path for an include file to point to an external file by manipulating the '$ONLY' URI parameter.

If the remote file is a malicious file, this may be exploited to execute arbitrary system commands in the context of the web server.


4. Typo3 Log HTML Injection Vulnerability BugTraq ID: 6983
Remote: Yes
Date Published: Feb 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6983
Summary:

TYPO3 is a web-based content management system. It is available for Microsoft Windows operating systems and Unix and Linux variants.

TYPO3 logs all system and access related errors in the TYPO3 database and provides a facility for administrators to view this information from the web. However, data is not sanitized of HTML before being logged. As a result, remote attackers may inject malicious HTML and script code into log files. When these logs are viewed, the hostile code will be interpreted in the web client of the user viewing the logs.

This may allow for theft of administrative cookie-based authentication credentials and other attacks.
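What makes the log viewer exploitable is that attacker-controlled bytes are written to the log and later rendered to an administrator's browser without escaping. The following is an added example, not TYPO3's code and not taken from the advisory, written in Python so it runs stand-alone. It shows the two defensive halves: flagging stored entries that contain markup so an administrator can triage them, and escaping every field at render time so the viewer's browser only ever sees inert text. The log records, field names and the request payload are constructed for the example.

```python
import html
import re

# Constructed log records of the kind a CMS stores and later renders in a
# web-based log viewer. The third request line carries the sort of markup
# the advisory describes. Nothing here is TYPO3's own log format.
SAMPLE_LOG = [
    {"time": "2003-03-03 10:14:02", "ip": "192.0.2.10",
     "request": "GET /index.php?id=12 HTTP/1.0", "error": "page not found"},
    {"time": "2003-03-03 10:14:09", "ip": "192.0.2.11",
     "request": "GET /typo3/index.php HTTP/1.0", "error": "login failed for user editor"},
    {"time": "2003-03-03 10:15:41", "ip": "192.0.2.12",
     "request": "GET /<script>alert(1)</script> HTTP/1.0", "error": "page not found"},
]

# An opening or closing tag start, or a javascript: URL that could land in
# an attribute. A bare '<' followed by a digit (e.g. "a<2") is not a tag.
MARKUP_RE = re.compile(r"<\s*/?\s*[A-Za-z!?]|javascript\s*:", re.IGNORECASE)


def has_markup(text: str) -> bool:
    """True if a logged value contains something a browser would interpret."""
    return MARKUP_RE.search(text) is not None


def flag_entries(entries) -> list:
    """Indexes of records carrying markup in any field, for triage."""
    return [i for i, rec in enumerate(entries)
            if any(has_markup(str(v)) for v in rec.values())]


def render_row(rec) -> str:
    """Render one record as an HTML table row.

    Escaping is applied at output time, to every field, so the stored log
    keeps the attacker's exact bytes (useful as evidence) while the browser
    of whoever views the log sees only text.
    """
    cells = "".join("<td>%s</td>" % html.escape(str(v), quote=True)
                    for v in rec.values())
    return "<tr>%s</tr>" % cells


def render_table(entries) -> str:
    """Render the whole log as a table; every cell goes through render_row."""
    return "<table>\n" + "\n".join(render_row(r) for r in entries) + "\n</table>"


if __name__ == "__main__":
    print("records containing markup:", flag_entries(SAMPLE_LOG))
    print(render_table(SAMPLE_LOG))
```

Escaping at the point of rendering, rather than stripping tags at the point of logging, is the choice that keeps the log usable as an incident record; the detection regex is deliberately broad and meant for triage, not as a filter on what gets logged.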

5. Typo3 Runtime Error Page Information Disclosure Vulnerability BugTraq ID: 6986
Remote: Yes
Date Published: Feb 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6986
Summary:

TYPO3 is a web-based content management system. It is available for Microsoft Windows operating systems and Unix and Linux variants.

An information disclosure vulnerability has been reported for TYPO3. The vulnerability exists in several 'test', 'class' and 'library' scripts that are included with TYPO3.

These scripts may be forced to execute and generate runtime errors. When these errors occur, the scripts will output path information.


Information obtained in this manner may be used by an attacker to launch further attacks against a vulnerable system.

6. Typo3 Translations.PHP File Disclosure Vulnerability BugTraq ID: 6985
Remote: Yes
Date Published: Feb 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6985
Summary:

TYPO3 is a web-based content management system. It is available for Microsoft Windows operating systems and Unix and Linux variants.

TYPO3 does not sufficiently sanitize input submitted via URI parameters of potentially malicious data. This issue exists in the 'translations.php' script. Specifically, variations of directory traversal sequences and null characters (%00) may be specified as a value for the 'ONLY' URI parameter. By submitting a malicious web request to this script that contains a relative path to a resource and a null character (%00), it is possible to retrieve arbitrary files that are readable by the web server process.

Successful exploitation will permit the attacker to gain access to sensitive information that may aid in mounting further attacks against the system hosting the software.
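Both 'translations.php' issues above, the remote file include via the 'ONLY' parameter (item 3) and the traversal plus null byte file disclosure through the same parameter (item 6), come down to one unvalidated include path; the same pattern recurs in the other include-parameter entries in this digest. The following is an added example, not TYPO3 code and not from the advisories, showing how a defender can recognise those parameter shapes in request logs and resolve an include parameter safely against an allowlist. It is written in Python rather than PHP so it runs stand-alone; the install path, the module allowlist and the sample parameter values are constructed for the example.

```python
import os
import re
from urllib.parse import unquote

# Hypothetical install location and allowlist of language modules; neither
# is taken from TYPO3, both are constructed for this example.
BASE_DIR = "/var/www/site/translations"
ALLOWED_MODULES = {"en", "de", "fr"}

# A URL scheme prefix (http://, ftp://, ...) that would make an include
# statement fetch a remote resource instead of a local file.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
# A '..' path component with either separator, anywhere in the value.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def classify(raw_param: str) -> list:
    """Label what an untrusted include/path parameter is trying to do.

    The value is URL-decoded first so that %00 and %2e%2e are seen for what
    they are. Returns the labels in a fixed order; an empty list means none
    of the three patterns from the advisories were found.
    """
    value = unquote(raw_param)
    labels = []
    if "\x00" in value:
        labels.append("null-byte")   # truncates the path in C-backed file APIs
    if TRAVERSAL_RE.search(value):
        labels.append("traversal")   # escapes the intended directory
    if SCHEME_RE.match(value):
        labels.append("remote-url")  # remote file include through a URL wrapper
    return labels


class IncludeRejected(ValueError):
    """Raised for any parameter that is not an allowlisted module name."""


def resolve_include(raw_param: str, base_dir: str = BASE_DIR) -> str:
    """Return the absolute path that may safely be included for raw_param.

    Policy: decode, refuse anything classify() flags, require an exact
    allowlist hit, then confirm the resolved path still lies under base_dir.
    The allowlist alone is sufficient; the last check is defence in depth.
    Every rejection carries the same message so a caller that echoes it
    does not reveal which check failed.
    """
    value = unquote(raw_param)
    if classify(raw_param) or value not in ALLOWED_MODULES:
        raise IncludeRejected("rejected")
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, value + ".php"))
    if os.path.commonpath([root, path]) != root:
        raise IncludeRejected("rejected")
    return path


def is_safe_include(raw_param: str, base_dir: str = BASE_DIR) -> bool:
    """Boolean wrapper around resolve_include for filters and tests."""
    try:
        resolve_include(raw_param, base_dir)
        return True
    except IncludeRejected:
        return False


if __name__ == "__main__":
    # Constructed parameter values of the shapes the advisories describe.
    for sample in ("en", "../../../../etc/passwd%00", "http://198.51.100.7/x.txt"):
        print(repr(sample), "->", classify(sample) or "clean",
              "| include allowed:", is_safe_include(sample))
```

classify() is the piece to run over web server logs when checking whether an unpatched install was probed; resolve_include() is the shape the fix takes in application code, where an exact allowlist replaces any attempt to sanitize the string.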

7. Axis Communications 2400 Video Server Command.CGI File Creation Vulnerability BugTraq ID: 6987
Remote: Yes
Date Published: Feb 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6987
Summary:

The 2400 Video Server is a video serving hardware device distributed by Axis Communications. It is designed to serve video via network connections.

A problem with the video server could make it possible for a remote user to create arbitrary files.


It has been reported that the Axis 2400 Video Server does not properly handle input to the 'command.cgi' script. Because of this, an attacker may be able to create arbitrary files that would result in a denial of service, or potentially command execution.

An attacker could exploit this issue to remotely overwrite some file types. This could allow the attacker to additionally create files that may be used maliciously to execute commands. It is unknown what privileges this daemon operates with. However, files created and commands executed through this issue would be with the privileges of the webserver process.

8. Typo3 Webroot Folders Information Disclosure Weakness BugTraq ID: 6988
Remote: Yes
Date Published: Feb 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6988
Summary:

TYPO3 is a web-based content management system. It is available for Microsoft Windows operating systems and Unix and Linux variants.

It has been reported that TYPO3 installs, by default, several directories into the TYPO3 webroot. These directories are reportedly readable or lacking sufficient authentication mechanisms and contain log, configuration and script files. This weakness may result in the disclosure of sensitive system based information to malicious web users.

The following directories and files have been reported to be prone to this issue:
/install
/fileadmin/
/typo3conf/

The information gathered as a result of this weakness may be used in further attacks against the system.

9. Sun Microsystems Solaris FTP Client Debug Mode Password Display Vulnerability BugTraq ID: 6989
Remote: No
Date Published: Feb 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6989
Summary:


Solaris is the UNIX operating system variant distributed by Sun Microsystems.

A problem with the FTP client distributed with Solaris may reveal sensitive information to unauthorized users.

It has been reported that the FTP client distributed with Solaris does not sufficiently guard potentially sensitive information. Because of this, it may be possible for an attacker to observe sensitive information.

The problem is in the display of the FTP password. When the FTP client is executed in debug mode, it displays the FTP password entered in plaintext. A casual observer may be able to see this password, which could result in unauthorized access to the user's account.

10. Apple QuickTime/Darwin Streaming Server Remote File Existence Revealing Vulnerability BugTraq ID: 6992
Remote: Yes
Date Published: Feb 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6992
Summary:

QuickTime/Darwin Streaming Administration Server is server technology which allows you to send streaming QuickTime data to clients across the Internet.

A problem with QuickTime/Darwin Streaming Server may make it possible for a remote user to gather information about a host's file system.

It has been reported that the QuickTime/Darwin Streaming Server reveals information that may be sensitive. When certain requests are made, a difference in responses could make it possible for an attacker to gain information about the local host.

The problem is in the return of error messages. When a request is made for a file that does not exist, the server returns an error message different from the one returned for a file that exists but is inaccessible to the remote user. Because the server also allows directory traversal, an attacker could build a map of the local file system from several such requests.

11. Apple QuickTime/Darwin Streaming Server parse_xml.cgi File Disclosure Vulnerability BugTraq ID: 6990
Remote: Yes
Date Published: Feb 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6990
Summary:

QuickTime/Darwin Streaming Administration Server is server technology which allows you to send streaming QuickTime data to clients across the Internet.

A file retrieval vulnerability has been reported for QuickTime/Darwin Streaming Server (SS). The vulnerability exists due to insufficient sanitization of some parameters given to the parse_xml.cgi script. Specifically, directory traversal sequences are not sanitized from the value supplied to the 'filename' URI parameter. Information obtained in this manner may be used by an attacker to launch more organized attacks against a vulnerable system.

An attacker may exploit this vulnerability by making a request to the parse_xml.cgi script containing dot-dot-slash ('../') sequences followed by a filename. When the malicious request is processed, the Streaming Server will disclose the contents of the file to an attacker.

This vulnerability was tested on SS for Microsoft Windows systems. Linux versions of Darwin SS are reportedly not vulnerable to this issue.

12. Typo3 HTML Hidden Form Field Information Disclosure Weakness BugTraq ID: 6993
Remote: Yes
Date Published: Feb 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6993
Summary:

TYPO3 is a web-based content management system. It is available for Microsoft Windows operating systems and Unix and Linux variants.

Clients of TYPO3 systems may access potentially sensitive data that have been obfuscated through hidden form fields. Such fields may contain potentially sensitive information which may provide determined attackers with valuable information which may be useful in exploiting other known issues in the software.

This vulnerability was reported for TYPO3 3.5b5.

13. USRobotics Broadband-Router GET Request DoS Vulnerability BugTraq ID: 6994
Remote: Yes
Date Published: Feb 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6994
Summary:

USRobotics Broadband Router is a hardware appliance used to join an internal network to an internetwork over a broadband connection.


USRobotics Broadband-Routers are reportedly prone to denial of service attacks. An attacker can exploit this vulnerability by issuing an overly long HTTP GET request to the embedded web server of a vulnerable USRobotics device. When the device attempts to process the malformed input, it will crash. It has been reported that this condition may be reproduced from within the internal network.

A restart of the device may be required for the device to function normally after exploitation has occurred.

This condition may be due to a buffer overflow in the router firmware. This issue is reported to affect v2.5 of US Robotics Broadband-Router 8000A/8000-2 (USR848000A-02).

14. CoffeeCup Software Password Wizard Remote Password Retrieval Vulnerability BugTraq ID: 6995
Remote: Yes
Date Published: Mar 01 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6995
Summary:

Password Wizard is a software package designed to offer password protection to web sites. It is available for the Microsoft Windows operating system.

A problem with the software may make it possible for remote users to gain unauthorized access to restricted resources.

It has been reported that Password Wizard does not sufficiently protect usernames and passwords. In a default configuration, an attacker may be able to gain access to this information, and thus access to restricted resources.

The problem is in the permissions of the file the credentials are stored in, in addition to the ability of an attacker to access this file remotely. An attacker could ascertain the name of the credentials file by viewing the HTML source of the login page, and download the file.

The credentials file typically has the same name as the Shockwave Flash login page, with the extension .apw instead of .swf.

15. Web-ERP Configuration File Remote Access Vulnerability BugTraq ID: 6996
Remote: Yes
Date Published: Mar 01 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6996
Summary:

Web-ERP is a freely available, open source internationalized Enterprise Resource Planning package. It is available for the Unix and Linux operating systems.

A problem may make it possible for remote users to gain unauthorized access to Web-ERP information.

It has been reported that Web-ERP does not sufficiently restrict access to its configuration information. Because of this, an attacker may be able to remotely access Web-ERP information, and potentially gain access to information that is sensitive in nature.

The problem is in the storage of the Web-ERP configuration file. By default, configuration information is stored in the /logicworks.ini file. This file is by default accessible to any user that has access to the web server on which Web-ERP is hosted. An attacker could gain information such as the MySQL username and password from this file.

16. PY-Livredor index.php HTML Injection Vulnerability BugTraq ID: 6997
Remote: Yes
Date Published: Mar 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6997
Summary:

PY-Livredor is freely available guestbook software. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

PY-Livredor does not adequately filter HTML tags from various fields on the 'index.php' page. Specifically, an attacker may be able to insert malicious HTML code into the "titre", "Votre pseudo", "Votre e-mail" and "Votre message" fields.

The attacker's code may be executed in the web client of users who view the pages generated by the guestbook, in the security context of the website hosting the software.

Attackers may potentially exploit this issue to hijack web content or to steal cookie-based authentication credentials.


This vulnerability has been reported for PY-Livredor version 1.0.

17. Sendmail Header Processing Buffer Overflow Vulnerability BugTraq ID: 6991
Remote: Yes
Date Published: Mar 02 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6991
Summary:

Sendmail is a widely used MTA for Unix and Microsoft Windows systems.

A remotely exploitable vulnerability has been discovered in Sendmail. The vulnerability is due to a buffer overflow condition in the SMTP header parsing component. Remote attackers may exploit this vulnerability by connecting to target SMTP servers and transmitting to them malformed SMTP data.

The overflow condition occurs when Sendmail processes addresses or lists of addresses in fields such as "From:" or "CC:". One of the checks to ensure that the addresses are valid is flawed, resulting in a buffer overflow condition. Successful attackers may exploit this vulnerability to gain root privileges on affected servers remotely.

It has been reported that this vulnerability may possibly be locally exploitable if the sendmail binary is setuid/setgid.

Versions 5.2 to 8.12.7 are affected. Administrators are advised to upgrade to 8.12.8 or apply available patches to prior versions of the 8.x tree.

18. Webchat Defines.PHP Remote File Include Vulnerability BugTraq ID: 7000
Remote: Yes
Date Published: Mar 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7000
Summary:

WebChat is a chat application for JavaScript compatible web browsers written in PHP.

Webchat is prone to an issue that may allow remote attackers to include files located on attacker-controlled servers.


This vulnerability is as a result of insufficient sanitization performed on remote user supplied data used by a URI parameter of the 'defines.php' PHP page. Under some circumstances, it is possible for remote attackers to influence the path for 'db_mysql.php' and 'english.php' include files to point to an external file by manipulating the '$WEBCHATPATH' URI parameter.

If the remote file is a malicious file, this may be exploited to execute arbitrary system commands in the context of the web server.

This vulnerability was reported for WebChat 0.77. It is not known if other versions are affected.

19. XFree86 XLOCALEDIR Local Buffer Overflow Vulnerability BugTraq ID: 7002
Remote: No
Date Published: Mar 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7002
Summary:

Several XFree86 utilities may be prone to a buffer overflow condition. The vulnerability exists due to insufficient boundary checks performed by these utilities when referencing the XLOCALEDIR environment variable.

A local attacker can exploit this vulnerability by setting the XLOCALEDIR environment variable to an overly long value consisting of 6000 or greater characters. When the vulnerable utilities are executed, the buffer overflow vulnerability will be triggered.

This vulnerability affects numerous XFree86 utilities; however, only a few of them are setuid binaries. Namely, the xlock, xscreensaver and xterm binaries found in the /usr/X11R6/bin/ folder are setuid root.

This vulnerability has been reported to affect XFree86 4.2.0 and 4.2.1.

20. HP JetDirect Printer SNMP JetAdmin Device Password Disclosure Vulnerability BugTraq ID: 7001
Remote: Yes
Date Published: Mar 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7001
Summary:


JetDirect printers are network-enabled printers distributed by Hewlett-Packard.

A problem with JetDirect printers could make it possible for a remote user to gain administrative access to the printer.

It has been reported that HP JetDirect printers leak the web JetAdmin device password under some circumstances. By sending an SNMP GET request to a vulnerable printer, the printer will return the hex-encoded device password to the requester. This could allow a remote user to access and change configuration of the printer.

Upon sending a request for the string '.1.3.6.1.4.1.11.2.3.9.1.1.13.0' via a public community string, the printer returns a string of bytes. It has been reported that the bytes are hex representation of the ASCII characters comprising the web JetAdmin device password.

This vulnerability is similar to the issue described in BID 5331.

21. GTCatalog Remote File Include Vulnerability BugTraq ID: 6998
Remote: Yes
Date Published: Mar 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6998
Summary:

GTCatalog is software designed to maintain a catalog of products. It is implemented in PHP and is available for a variety of platforms including Microsoft Windows and Linux variant operating systems.

GTCatalog is prone to an issue that may allow remote attackers to include files located on attacker-controlled servers.


This vulnerability is as a result of insufficient sanitization performed on remote user supplied data. Specifically the PHP script file 'index.php' is vulnerable to this issue.

Under some circumstances, it is possible for remote attackers to influence the include path for files ending with '.custom.inc' to point to an external file on a remote server by manipulating the '$function' and '$custom' URI parameters.

If the remote file is a malicious file, this may be exploited to execute arbitrary system commands in the context of the web server.

This vulnerability was reported for GTCatalog 0.9.1 and earlier.

22. Pastel Accounting ACCUSER.DAT Obfuscation Weakness BugTraq ID: 7003
Remote: No
Date Published: Mar 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7003
Summary:

Pastel Accounting is financial software for Microsoft Windows operating systems.

Pastel Accounting is reported to store sensitive user and security information on the local system using a trivially reversible obfuscation method. This information is stored in the 'ACCUSER.DAT' file in each particular client folder. 'ACCUSER.DAT' stores username/password information for individual client accounts.

The information in this file is obfuscated by rotating the characters in the original string. For example, the string "ABCDEFGH" will be stored as "stuvwxyz" in 'ACCUSER.DAT'.

Malicious users with read access to this file may easily gain access to sensitive information. This will also permit malicious users with write access to the file to modify data, since the software does not verify the contents of this file any further.

This issue was reported in Pastel Accounting versions 6.0 through 6.12. Other versions may also be affected.
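
As an added illustration of why a constant rotation is obfuscation rather than protection (this is example code written for this summary, not Pastel's code or file format), the Python below reproduces the advisory's "ABCDEFGH" to "stuvwxyz" mapping as a fixed byte shift of 50, shows that a single known plaintext/stored pair recovers the shift, and contrasts it with salted PBKDF2 hashing, which is what a credential file should hold. The byte-wise shift of 50 is an assumption drawn from the one example the advisory gives; the product's actual transform for other characters is not documented here, and all function names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption (the advisory gives only one example): the obfuscation adds a
# constant to every byte. "ABCDEFGH" -> "stuvwxyz" is a shift of 50, since
# ord('s') - ord('A') == 50.
SHIFT = 50


def obfuscate(plaintext: bytes, shift: int = SHIFT) -> bytes:
    """Constant-shift obfuscation of the kind the advisory describes."""
    return bytes((b + shift) % 256 for b in plaintext)


def deobfuscate(stored: bytes, shift: int = SHIFT) -> bytes:
    """The inverse is just the opposite shift: no secret is involved."""
    return bytes((b - shift) % 256 for b in stored)


def recover_shift(known_plain: bytes, known_stored: bytes) -> Optional[int]:
    """Why this is obfuscation, not encryption: one known plaintext/stored
    pair reveals the shift for every other entry in the file. Returns None
    if the pair is not explained by a single constant shift."""
    if not known_plain or len(known_plain) != len(known_stored):
        return None
    diffs = {(s - p) % 256 for p, s in zip(known_plain, known_stored)}
    return diffs.pop() if len(diffs) == 1 else None


# What a credential store should hold instead: a salted, iterated hash, so
# that read access to the file does not yield the password, checked with a
# constant-time comparison.
PBKDF2_ITERATIONS = 100_000


def store_password(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage; the password itself is never written."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = obfuscate(b"ABCDEFGH")
    print(stored.decode("ascii"))              # stuvwxyz, as in the advisory
    print(recover_shift(b"ABCDEFGH", stored))  # 50
    salt, digest = store_password("correct horse")
    print(verify_password("correct horse", salt, digest), verify_password("wrong", salt, digest))
```

The contrast is the point: `deobfuscate` needs no key, and `recover_shift` shows the scheme leaks its only parameter from one record, whereas the PBKDF2 store gives a reader of the file nothing to reverse and a writer of the file nothing to forge without knowing the password.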

23. Siemens M Series SMS DoS Vulnerability
BugTraq ID: 7004
Remote: Yes
Date Published: Mar 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7004
Summary:

It has been reported that some Siemens mobile phones are unable to sufficiently handle certain SMS message content.

Opening a malicious SMS message on a vulnerable phone may cause the device to behave unstably. For example, the message may contain "%String" (including the quotation marks) and may contain a language name found in the phone's language menu.

Under some circumstances, processing a malicious message of this format may result in the phone no longer functioning.

Earlier Siemens mobile phone products may share this vulnerability.

24. Macromedia Flash Player Unspecified Buffer Overflow Vulnerability
BugTraq ID: 7005
Remote: Yes
Date Published: Mar 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7005
Summary:

Macromedia Flash is a modular package designed to enhance web browsing, and enables users to view various multimedia web content.

An issue has been reported for Macromedia Flash that may allow attackers to obtain access to a system that has loaded a malicious Flash file. This issue is reported as being one or more buffer overflow vulnerabilities, as well as an issue with sandbox integrity.

Precise technical details are not currently available. This BID will be updated as more information becomes available.

25. uschedule Local Privilege Escalation Vulnerability
BugTraq ID: 7006
Remote: No
Date Published: Mar 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7006
Summary:

uschedule is a collection of tools to allow scheduling of tasks. uschedule provides functionality similar to 'cron' and 'at'.

A privilege escalation vulnerability has been reported for uschedule. The vulnerability exists in the uscheduleconf utility included with uschedule. uscheduleconf is used to configure a scheduling service.

A local attacker can execute uscheduleconf with a '-' character when specifying the user to run as. Due to errors in the code, uschedule may leave multilog running as the root user rather than the non-privileged user. This may result in the malicious local attacker obtaining root privileges to a system.

This vulnerability was reported for uschedule prior to 0.7.0.

26. SAP R/3 sapinfo RFC API Account Locking Weakness
BugTraq ID: 7007
Remote: Yes
Date Published: Mar 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7007
Summary:

SAP R/3 may not lock a user account after numerous failed login attempts. On a default installation, SAP R/3 is designed to lock out accounts that fail to authenticate a set number of times. This prevents an attacker from carrying out an extensive brute-force attack.

The SAP SDK provides a utility called sapinfo that allows a user to query the SAP server.

An attacker can use the sapinfo utility to attempt to verify a password for a victim user. When attempts are made through the sapinfo utility, SAP does not lock out the user account. This may give the attacker a greater chance of determining the victim user's password.

Information obtained in this manner may be used by the attacker to launch further attacks against a vulnerable system.

27. File Local Stack Overflow Code Execution Vulnerability
BugTraq ID: 7008
Remote: No
Date Published: Mar 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7008
Summary:

file is a freely available, open-source program for Unix and Linux operating systems.

A problem with the program may result in the execution of attacker-supplied instructions.

It has been reported that a stack overflow exists in the file program. Although details of this issue are currently unavailable, it is likely that it could be exploited to execute code as the user running the file utility.

This vulnerability would require an attacker to create the malicious code and place it in a critical portion of the file. Once a user executes the file utility against this file, malicious code embedded in the ELF header would likely be executed with the privileges of the file utility user.

It should also be noted that the file program may be executed by other applications on the system, some of which run with elevated privileges. This is true of LPRng, which executes the file utility from its master-filter script. Exploitation may also occur through applications such as less, which execute the file utility when loading a file into the viewer.

28. File Utility Local Memory Allocation Vulnerability
BugTraq ID: 7009
Remote: No
Date Published: Mar 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7009
Summary:

file is a freely available, open-source program for Unix and Linux operating systems.

A problem with the program may result in a denial of service, and may potentially allow the execution of attacker-supplied instructions.

It has been reported that a memory allocation issue exists in the file program. Although details of this issue are currently unavailable, it is likely that it could be exploited to cause a denial of service condition, and potentially to execute code as the user running the file utility.

This problem has been reported as a memory allocation problem. Though unconfirmed, this vulnerability is likely either a heap overflow, or a double-free problem. In either circumstance, it would require an attacker to create the malicious code and place it in a critical portion of the file. Once a user executes the file utility against this file, malicious code embedded in the file would likely be executed with the privileges of the file utility user.

It should also be noted that the file program may be executed by other applications on the system, some of which run with elevated privileges. This is true of LPRng, which executes the file utility from its master-filter script. Exploitation may also occur through applications such as less, which execute the file utility when loading a file into the viewer.

29. iPlanet 6.0 Log Viewing Utility Concealed Log Entry Vulnerability
BugTraq ID: 7012
Remote: Yes
Date Published: Mar 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7012
Summary:

iPlanet is an HTTP server product. It is available for a number of platforms, including Unix and Linux variants and Microsoft Windows operating systems.

A vulnerability has been reported for iPlanet that may conceal malicious log entries from the 'View Access Log' and 'View Error Log' utilities. The problem occurs due to the utilities' parsing of the 'Format=' string, which is typically used to specify log entry formatting.

An attacker can exploit this vulnerability by generating a log entry using a hostname that begins with the 'Format=' string. Because the data supplied as the 'Format' will not be recognized by these utilities, the log entry will not be shown.

It should be noted that viewing the log data with other utilities, such as a text-based editor, will disclose the malicious entries.

30. Logan Pro HTTP Header Code Injection Vulnerability
BugTraq ID: 7010
Remote: Yes
Date Published: Mar 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7010
Summary:

Logan Pro is a Web Log Analysis Tool for Microsoft Windows platforms that reads the log file created by a web server and generates a comprehensive report.

A vulnerability has been discovered in Logan Pro. Under certain circumstances an attacker may embed HTML code into the HTTP header section of a web log entry. Due to insufficient sanitization of HTTP header information, Logan Pro reports derived from malicious web logs may incorporate the arbitrary attacker-supplied HTML code.

Specifically, embedding HTML code into an HTTP header, such as 'UserAgent', may result in attacker-supplied code being executed in Logan Pro log reports.

Successful exploitation of this issue would result in the execution of HTML commands when viewing reports generated by Logan Pro. All commands executed in this manner would run within the context of the browser used to view the report.

This vulnerability was reported for Logan Pro version 1.2; previous versions may also be affected.

31. WebTrends Analysis Suite Logfile HTML Injection Vulnerability
BugTraq ID: 7013
Remote: Yes
Date Published: Mar 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7013
Summary:

WebTrends Analysis Suite is web traffic reporting software.

WebTrends Analysis Suite does not sufficiently sanitize HTML when logging requests. If malicious data containing HTML and script code is logged and then viewed using the software, exploitation will occur. Through exploitation of this issue, it will be possible to falsify log information and execute arbitrary script code in the web client of the user viewing the logs.

This issue has been demonstrated when the log analysis software renders a malicious hostname which contains hostile HTML or script code, which was logged when the server did an inverse lookup of hostname data. This is only one possible scenario, and it is likely that data other than the hostname is not sufficiently filtered.

Other WebTrends products may also be affected, though this has not been confirmed.

32. SurfStats Log Analyzer Logfile HTML Injection Vulnerability
BugTraq ID: 7014
Remote: Yes
Date Published: Mar 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7014
Summary:

SurfStats Log Analyzer is software for viewing webserver logs. It is available for Microsoft Windows operating systems.

SurfStats Log Analyzer does not sufficiently sanitize HTML when logging requests. If malicious data containing HTML and script code is logged and then viewed using the software, exploitation will occur. Through exploitation of this issue, it will be possible to falsify log information and execute arbitrary script code in the web client of the user viewing the logs.

This issue has been demonstrated when the log analysis software renders a malicious hostname which contains hostile HTML or script code, which was logged when the server did an inverse lookup of hostname data. This is only one possible scenario, and it is likely that data other than the hostname is not sufficiently filtered.

33. WebLog Expert HTTP Header Code Injection Vulnerability
BugTraq ID: 7015
Remote: Yes
Date Published: Mar 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7015
Summary:

WebLog Expert is a Web Log Analysis Tool for Microsoft Windows platforms that reads the log file created by a web server and generates a comprehensive report.

A vulnerability has been discovered in WebLog Expert. Under certain circumstances an attacker may embed HTML code into the HTTP header section of a web log entry. Due to insufficient sanitization of HTTP header information, WebLog Expert reports derived from malicious web logs may incorporate the arbitrary attacker-supplied HTML code.

Specifically, embedding HTML code into an HTTP header, such as 'UserAgent', may result in attacker-supplied code being executed in WebLog Expert log reports.

Successful exploitation of this issue would result in the execution of HTML commands when viewing reports generated by WebLog Expert. All commands executed in this manner would run within the context of the browser used to view the report.

This vulnerability was reported for WebLog Expert version 1.6.1; other versions may also be affected.

34. WebLog Expert Logfile HTML Injection Vulnerability
BugTraq ID: 7016
Remote: Yes
Date Published: Mar 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7016
Summary:

WebLog Expert is software for viewing webserver logs. It is available for Microsoft Windows operating systems.

WebLog Expert does not sufficiently sanitize HTML when logging requests. If malicious data containing HTML and script code is logged and then viewed using the software, exploitation will occur. Through exploitation of this issue, it will be possible to falsify log information and execute arbitrary script code in the web client of the user viewing the logs.

This issue has been demonstrated when the log analysis software renders a malicious hostname which contains hostile HTML or script code, which was logged when the server did an inverse lookup of hostname data. This is only one possible scenario, and it is likely that data other than the hostname is not sufficiently filtered.
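
The viewer-side issues in entries 29 through 34 share one root cause: the analysis tool treats fields read from the log as trusted, either rendering them as markup or, in the iPlanet case, letting a 'Format=' prefix in the hostname suppress the entry. As an added example (not code from SecurityFocus, iPlanet, Logan Pro, WebTrends, SurfStats or WebLog Expert), the Python below parses combined-format access log lines, flags entries whose hostname starts with 'Format=' and entries whose host, request line, referer or user agent contains markup, and renders report rows with every logged value HTML-escaped, beside the unescaped rendering the advisories describe. The sample log lines and all function names are constructed for this example.

```python
import html
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Apache/NCSA "combined" log format. The host field may already hold a
# hostname if the server reverse-resolved the client address when logging.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Tag-like markup or a javascript: URL has no business in a hostname,
# request line, referer or user agent.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]|javascript:", re.IGNORECASE)

# Constructed sample entries (not taken from the advisories): a clean line,
# HTML in the User-Agent, a tag in a reverse-resolved hostname, and a
# hostname beginning with 'Format=' of the kind the iPlanet viewers skip.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Mar/2003:10:00:00 +0000] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [04/Mar/2003:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 512 "-" "<b>bold</b> agent"',
    '<script>alert(1)</script>.example.net - - [04/Mar/2003:10:00:02 +0000] "GET /a HTTP/1.0" 200 10 "-" "curl/7.9"',
    'Format=hidden.example.net - - [04/Mar/2003:10:00:03 +0000] "GET /admin HTTP/1.0" 403 0 "-" "curl/7.9"',
]


@dataclass
class Finding:
    line_no: int
    field: str
    reason: str
    value: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit_log(lines: List[str]) -> List[Finding]:
    """Scan raw log text for entries a report viewer would render as markup
    or silently drop. Run this over the file itself, never over a viewer's output."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            findings.append(Finding(n, "line", "unparseable entry", line))
            continue
        if entry["host"].startswith("Format="):
            findings.append(Finding(n, "host", "Format= prefix (hidden by iPlanet log viewers)", entry["host"]))
        for field in ("host", "request", "referer", "agent"):
            if MARKUP_RE.search(entry[field]):
                findings.append(Finding(n, field, "HTML/script markup in logged field", entry[field]))
    return findings


REPORT_FIELDS = ("host", "time", "request", "status", "agent")


def render_row_unsafe(entry: Dict[str, str]) -> str:
    """The defect the advisories describe: logged fields go into the report as-is."""
    return "<tr>" + "".join(f"<td>{entry[k]}</td>" for k in REPORT_FIELDS) + "</tr>"


def render_row(entry: Dict[str, str]) -> str:
    """Hardened rendering: every logged value is escaped as text before it is
    placed in HTML, so the viewer's browser never interprets it as markup."""
    return "<tr>" + "".join(f"<td>{html.escape(entry[k], quote=True)}</td>" for k in REPORT_FIELDS) + "</tr>"


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.field}] {f.reason}: {f.value!r}")
    print(render_row(parse_line(SAMPLE_LOG[2])))
```

Two design points carry over to any log analyzer: escaping belongs at the point where a logged value is placed into HTML (every field, not just the hostname, since the advisories note that other fields are probably unfiltered too), and the audit should read the raw file, because a viewer that hides or mis-renders an entry is exactly the component that cannot be trusted to report it.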

35. iPlanet Log Analyzer Logfile HTML Injection Vulnerability
BugTraq ID: 7017
Remote: Yes
Date Published: Mar 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7017
Summary:
