SecurityFocus Newsletter #189

From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon Mar 24 2003 - 14:48:02 EST

SecurityFocus Newsletter #189


I. FRONT AND CENTER

  1. IDS Logs in Forensics Investigations: An Analysis of a...
  2. Remote Desktop Management Solution for Microsoft
  3. The Promise and Peril of Palladium
  4. Why the Dogs of Cyberwar Stay Leashed
  5. SecurityFocus DPP Program

II. BUGTRAQ SUMMARY

  1. XChat Server Strings Buffer Overflow Vulnerability
  2. EPIC PRIVMSG Remote Heap Corruption Vulnerability
  3. TCPDump Malformed RADIUS Packet Denial Of Service Vulnerability
  4. ircII Make_Status_One Memory Corruption Vulnerability
  5. ircII Client-Side Private Message Handling Memory Corruption...
  6. ircII Client-Side Cannot_Join_Channel Memory Corruption...
  7. ircII Status_Make_Printable Memory Corruption Vulnerability
  8. OpenSSL Timing Attack RSA Private Key Information Disclosure...
  9. BitchX Remote Send_CTCP() Memory Corruption Vulnerability
  10. BitchX Remote cannot_join_channel() Buffer Overflow Vulnerability
  11. BitchX Remote BX_compress_modes() Buffer Overflow Vulnerability
  12. BitchX Remote Cluster() Heap Corruption Vulnerability
  13. Epic Status Bar Writing Buffer Overflow Vulnerability
  14. Epic Userhost_Cmd_Returned Buffer Overflow Vulnerability
  15. Filebased Guestbook 'Comment' HTML Injection Vulnerability
  16. Thunderstone TEXIS Texis.EXE Information Disclosure Vulnerability
  17. Samba SMB/CIFS Packet Assembling Buffer Overflow Vulnerability
  18. Samba REG File Writing Race Condition Vulnerability
  19. RSA ClearTrust Login Page Cross Site Scripting Vulnerability
  20. Qpopper Username Information Disclosure Weakness
  21. Multiple Vendor Java Virtual Machine java.util.zip Null Value...
  22. McAfee ePolicy Orchestrator HTTP GET Request Format String...
  23. Linux Kernel Privileged Process Hijacking Vulnerability
  24. McAfee ePolicy Orchestrator Information Disclosure Vulnerability
  25. Outblaze Webmail Cookie Authentication Bypass Vulnerability
  26. Microsoft Windows 2000 ntdll.dll WebDAV Interface Buffer...
  27. BEA WebLogic Remote Unprivileged Administration Access...
  28. BEA WebLogic Internal Servlet Input Validation Vulnerabilities
  29. Sun XDR Library xdrmem_getbytes() Integer Overflow Vulnerability
  30. Kebi Academy 2001 Input Validation Vulnerability
  31. Gnome-lokkit Iptables No Forward Chain Rule Vulnerability
  32. MyAbraCadaWeb Path Disclosure Vulnerability
  33. MyAbraCadaWeb Search Engine Cross-Site Scripting Vulnerability
  34. PXE Server Remote Buffer Overrun Vulnerability
  35. BEA Systems WebLogic JNDI Tree Modify Access Vulnerability
  36. BEA WebLogic Web Application Authentication Bypass Vulnerability
  37. HP Tru64/HP-UX C Library Standard I/O File Descriptor...
  38. SIPS User Information Disclosure Vulnerability
  39. Cyber-Cats Chitchat PHP Message Board/Guestbook Password File...
  40. Mambo Site Server index.php Cross Site Scripting Vulnerability

III. SECURITYFOCUS NEWS ARTICLES

  1. Hackers Claim NSA Breach
  2. Point, click, get root on Yahoo
  3. Is SSL safe?
  4. Web Sites Vandalized With Antiwar Messages

IV. SECURITYFOCUS TOP 6 TOOLS

  1. pppcost v0.2
  2. NetMap network scanner v0.2.1
  3. 3cmstats v1.0
  4. Proxy Chains v1.8.0
  5. East-Tec File Shredder v1.0
  6. Distributed John v0.9.7

V. SECURITYJOBS LIST SUMMARY

  1. Neoteris Is Hiring Regional Sales Managers (Thread)
  2. Let's try this again....IDS Specialist needed in North Central...
  3. WANTED: Sr. Network Security R&D Engineer - Austin, TX (Thread)
  4. Looking for a InfoSec job in Australia (Thread)
  5. sr information security professional seeks job in St. Louis...
  6. Anti SPAM/IDS Security Architect Needed (Thread)
  7. Security Project Manager Position available in Raleigh, NC...
  8. Security Analyst Position available in Raleigh, NC (Thread)
  9. Vulnerability Security Consultant - Cleveland, Ohio PS145032...
  10. Information Security Consultant - Cleveland, Ohio PS145032
  11. Avaya Security Consulting Positions (Thread)
  12. Position Avail: Info Assurance Network Eng w/ CURRENT TS/SSBI...
  13. Global Security Strategist, UK based (Thread)
  14. IT Security Strategist x 5 (Europe) (Thread)
  15. Network Professional seeking a job in the Austin, TX area....
  16. Security god with big 5 exp needs work (Thread)
  17. NJ - Checkpoint Network Security Engineer-Cisco Certified...
  18. Position Title: Systems Engineering Consultant - Cleveland...
  19. Position: Sr. Security Project Manager - Cleveland, Oh...
  20. Systems Engineer - Security - Central Florida (Thread)
  21. Looking for a Job (Thread)
  22. Security Engineer/Admin Available (Thread)
  23. IDS Specialist with the Largest Wireless Company in the USA...
  24. Any hints for Australia? (Thread)
  25. Penetration Tester, UK (Thread)
  26. CISSP Certified Systems Architect/Developer with strong...
  27. IT Security Analyst x 2 Essex/London Borders UK (Thread)
  28. Seeking junior to midlevel position in DC metro area (Thread)
  29. FW: IT Security Evangelist for Denmark (Thread)
  30. FW: IT Security Evangelist for Switzerland (Thread)
  31. FW: IT Security Evangelist for Germany (Thread)
  32. FW: IT Security Evangelist for France (Thread)

VI. INCIDENTS LIST SUMMARY

  1. Nimda.E/unknown memory resident, internet-aware processes (Thread)
  2. SPM2000$ Rouge Share - Information (Thread)
  3. SPM2000$ Rouge Share (Thread)
  4. CodeRed Observations. (Thread)
  5. Animal Rights Hacktivist Group? (Thread)
  6. CodeRed Observations. ## (Thread)
  7. CodeRed Observations. ## Christine_Kronberg@genua.de (Thread)
  8. IRC DDoS bots (Thread)
  9. [unisog] Port 109 Mystery (Thread)
  10. unidentified DOS "bad traffic" -- SOLVED (Thread)
  11. Unknown attack, possible trojan? (Thread)
  12. Final word on WINLOGON (Thread)
  13. unidentified DOS "bad traffic" (Thread)
  14. [Snort-sigs] Snort Signatures for LSD-PL.NET Exploit (Thread)

VII. VULN-DEV RESEARCH LIST SUMMARY

  1. NSLOOKUP.EXE (Thread)
  2. mpg123 segfault (Thread)
  3. Outlook Crashing, and not asking for password (Thread)
  4. Outlook HTML crash (Thread)

VIII. MICROSOFT FOCUS LIST SUMMARY

  1. Anyone have hard evidence of problems with Windows Automatic...
  2. MS03-007 Round-up (Thread)
  3. Expire accounts from Active Directory after a period of...
  4. write permissions for IIS (Thread)
  5. Microsoft Security Advisory MS 03-007 (Thread)
  6. FW: Microsoft Security Advisory MS 03-007 (Thread)
  7. Article Announcement: Remote Desktop Management Solution for...
  8. Microsoft Security Advisory MS 03-007 - Problems (Thread)
  9. Exchange/MAPI/RPC (Thread)
  10. SecurityFocus Microsoft Newsletter #129 (Thread)
  11. AD replication - IP site to site encryption? (Thread)

IX. SUN FOCUS LIST SUMMARY

  1. PAM authentication problem (Thread)
  2. Better Syslog server (Thread)
  3. SUNWlldap vulnerability (Thread)

X. LINUX FOCUS LIST SUMMARY

  1. Seeing who has su-ed (Thread)
  2. latest ptrace hole patch? (Thread)
  3. How to custom sulog? (Thread)
  4. Port 113 security (Thread)
  5. Local security scanner (Thread)

I. FRONT AND CENTER

1. IDS Logs in Forensics Investigations: An Analysis of a Compromised Honeypot By Alan Neville

This paper will deconstruct the steps taken to conduct a full analysis of a compromised machine. In particular, we will be examining the tool that was used to exploit a dtspcd buffer overflow vulnerability, which allows remote root access to the system. The objective of this paper is to show the value of IDS logs in conducting forensics investigations.

http://www.securityfocus.com/infocus/1676

2. Remote Desktop Management Solution for Microsoft by Artur Maj

One of the many challenges facing Microsoft administrators is how to manage remote systems in a secure manner. In the UNIX world the answer is quite simple: using the SSH protocol is sufficient. Thanks to SSH, we can manage remote systems not only in text mode, but we can also run remote X-Window applications by using protocol tunneling, all of it protected by strong cryptography that shields transmitted data from unauthorized access.

http://www.securityfocus.com/infocus/1677

3. The Promise and Peril of Palladium By Tim Mullen

Whether Microsoft's ambitious project is a security solution or a Trojan horse depends much on the company's intentions.

http://www.securityfocus.com/columnists/148

4. Why the Dogs of Cyberwar Stay Leashed By Mark Rasch

The United States could try out its much-hyped "cyberwarfare" capabilities in Iraq... but it would probably be illegal.

http://www.securityfocus.com/columnists/149

5. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only global early-warning system for cyber attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

II. BUGTRAQ SUMMARY


1. XChat Server Strings Buffer Overflow Vulnerability BugTraq ID: 7089
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7089
Summary:

XChat is a freely available, open source IRC client. It is available for the Unix, Linux, and Microsoft Windows platforms.

XChat IRC client has been reported vulnerable, under certain circumstances, to a buffer overflow condition.

It has been reported that, due to a lack of both sufficient bounds checking and string termination, two malformed, non-terminated server-supplied strings may be stored contiguously in a fixed internal memory buffer.

As a result of this, a malicious IRC server may be used to pass excessive data to the client and overwrite memory adjacent to the deficient buffer. If this memory contains crucial saved program state values, the attacker may be able to influence the program's flow and execute arbitrary code.

Any code successfully executed would be in the context of the user running the vulnerable IRC application.

This vulnerability was reported to affect XChat version 2.0.1; other versions may also be affected.

2. EPIC PRIVMSG Remote Heap Corruption Vulnerability BugTraq ID: 7088
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7088
Summary:

Epic is a freely available, open source IRC client. It is maintained by the Epic project.

A vulnerability has been discovered in EPIC4 1.1.7.20020907. The problem occurs due to insufficient bounds checking of data interchanged between clients. Specifically, by using the PRIVMSG command to send a message of excessive length to a vulnerable client, it may be possible to corrupt the process's heap memory.

It should be noted that this issue might only be exploitable when the 'mangle_inbound' option is set. Secondly, the data which can be written to sensitive memory is limited to a defined character set, making remote code execution unlikely.

Successful exploitation of this issue would likely cause the vulnerable client to crash.

3. TCPDump Malformed RADIUS Packet Denial Of Service Vulnerability BugTraq ID: 7090
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7090
Summary:

tcpdump is a freely available, open source network monitoring tool. It is available for the Unix, Linux, and Microsoft Windows operating systems.

A vulnerability in the processing of some packet types may result in an inability to further use the tcpdump application.

It has been reported that tcpdump is vulnerable to a denial of service when some packet types are received. By sending a maliciously formatted packet to a system using a vulnerable version of tcpdump, it is possible for a remote user to cause tcpdump to ignore network traffic from the time the packet is received until the application is terminated and restarted.

The problem is in the handling of RADIUS packets. When tcpdump receives a maliciously crafted RADIUS packet, the application enters an infinite loop and ceases to further monitor network traffic. This could allow the passing of undetected network traffic that would typically be seen by tcpdump.
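An added example, not tcpdump's code, of the termination check a RADIUS attribute walker needs to avoid the kind of stall described above. The sample packets are constructed inline; the assumption that an attribute whose length field is smaller than its own two-byte header is what stops a naive loop from advancing is mine, not something the entry states.

```python
import struct

# Constructed sample packets (not captured traffic). RADIUS layout:
# code(1) id(1) length(2, network order) authenticator(16) attributes...
# Each attribute is type(1) length(1, counts its own 2-byte header) value.
HEADER_LEN = 20
ATTR_USER_NAME = 1


def build_packet(code: int, ident: int, attrs) -> bytes:
    body = b"".join(struct.pack("BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + b"\x00" * 16 + body


GOOD_PACKET = build_packet(1, 7, [(ATTR_USER_NAME, b"bob")])
# Same packet with the attribute length byte (offset 21) zeroed: an assumed
# form of malformation that a walker without length checks never steps past.
BAD_PACKET = GOOD_PACKET[:21] + b"\x00" + GOOD_PACKET[22:]


def naive_attribute_count(pkt: bytes, max_iter: int = 10_000):
    """Walker with no length validation. Returns the attribute count, or None
    if it hit the iteration cap, i.e. it would have looped forever."""
    total = struct.unpack("!H", pkt[2:4])[0]
    off, count = HEADER_LEN, 0
    for _ in range(max_iter):
        if off >= total:
            return count
        off += pkt[off + 1]   # a zero length leaves off unchanged
        count += 1
    return None


def parse_radius_attributes(pkt: bytes):
    """Strict walker: every attribute must fit in the packet and advance the
    offset by at least its 2-byte header, so the loop always terminates."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, total = struct.unpack("!BBH", pkt[:4])
    if total < HEADER_LEN or total > len(pkt):
        raise ValueError("bad length field")
    off, attrs = HEADER_LEN, []
    while off < total:
        if total - off < 2:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2:
            raise ValueError("attribute length below header size")
        if off + alen > total:
            raise ValueError("attribute overruns packet")
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return attrs


def is_well_formed(pkt: bytes) -> bool:
    """Convenience predicate: True if the strict walker accepts the packet."""
    try:
        parse_radius_attributes(pkt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("good:", parse_radius_attributes(GOOD_PACKET), naive_attribute_count(GOOD_PACKET))
    print("bad well-formed?", is_well_formed(BAD_PACKET), "naive:", naive_attribute_count(BAD_PACKET))
```

The naive walker is capped at `max_iter` so the demonstration returns instead of hanging; a monitoring tool with the same loop and no cap stops processing traffic exactly as the entry describes, which is why the strict walker rejects the packet rather than trying to skip the attribute.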

4. ircII Make_Status_One Memory Corruption Vulnerability BugTraq ID: 7093
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7093
Summary:

ircII is an IRC and ICB client for Unix and Linux platforms.

A buffer overflow vulnerability has been reported in ircII. The vulnerability is related to the way ircII refreshes its status bar. Specifically, the make_status_one() function in the status.c source file does not properly account for some control characters when attempting to refresh the status bar.

This issue is exploitable by a malicious IRC server that sends an overly long response to the vulnerable ircII client. As the client does not make proper checks for control characters when updating the status bar, it will result in the corruption of sensitive memory.

This will cause the client to crash thus resulting in a denial of service condition.

This issue was reported in ircII build 20020912. Other versions may also be affected.

This issue was originally described in BID 7087 "Multiple IrcII Remote Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a separate BID.

5. ircII Client-Side Private Message Handling Memory Corruption Vulnerability BugTraq ID: 7094
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7094
Summary:

ircII is an IRC and ICB client for Unix and Linux platforms.

A buffer overflow vulnerability has been reported for ircII. This issue is due to insufficient bounds checking of server-supplied data and may potentially result in denial of service in the IRC client. This overflow occurs during client handling of private message data supplied by an IRC server, allowing for the 'ctcp_buffer' to be overrun. Though unconfirmed, exploitation may also allow for execution of arbitrary code in the context of the client.

This could result in corruption of sensitive regions of memory with attacker-supplied data. It may be possible for another client to trigger this condition, though this is also unconfirmed.

This issue was originally described in BID 7087 "Multiple IrcII Remote Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a separate BID.

This issue was reported in ircII build 20020912. Other versions may also be affected.

6. ircII Client-Side Cannot_Join_Channel Memory Corruption Vulnerability BugTraq ID: 7095
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7095
Summary:

ircII is an IRC and ICB client for Unix and Linux platforms.

A buffer overflow vulnerability has been reported in ircII. This issue is due to insufficient bounds checking of server-supplied data and may potentially result in denial of service in the IRC client. This issue exists in the cannot_join_channel() function and could be triggered by a channel name of excessive length.

This could result in corruption of memory (including stack variables) with attacker-supplied data.

This issue was originally described in BID 7087 "Multiple IrcII Remote Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a separate BID.

7. ircII Status_Make_Printable Memory Corruption Vulnerability BugTraq ID: 7098
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7098
Summary:

ircII is an IRC and ICB client for Unix and Linux platforms.

A buffer overflow vulnerability has been reported in ircII. The vulnerability is related to the way ircII refreshes its status bar. Specifically, the status_make_printable() function in the status.c source file does not properly account for some control characters when attempting to refresh the status bar.

This issue is exploitable by a malicious IRC server that sends an overly long response to the vulnerable ircII client. As the client does not make proper checks for control characters when updating the status bar, it will result in the corruption of sensitive memory with attacker-supplied values.

This will cause the client to behave in an unpredictable manner and possibly execute attacker-supplied code.

This issue was reported in ircII build 20020912. Other versions may also be affected.

This issue was originally described in BID 7087 "Multiple IrcII Remote Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a separate BID.

8. OpenSSL Timing Attack RSA Private Key Information Disclosure Vulnerability BugTraq ID: 7101
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7101
Summary:

OpenSSL is an open source implementation of the SSL protocol.

A recent paper has published a side-channel attack against the OpenSSL implementation that may ultimately allow an active adversary to obtain the RSA private key of a target server. The attack involves analysis of the timing of certain operations during client-server session key negotiation.

Session negotiation occurs using the RSA PKCS 1 type public key cryptography standard. During the client-server negotiation, the client constructs a proto-session-key using PKCS 1 formatted random bytes and encrypts it with the RSA public key of the server. The client then transmits this value to the server, which uses it to compute the shared session key. The server will generate a session key on its own and send an alert message to the client if the client-supplied proto-key decrypted by the server using its RSA private key is not properly PKCS 1 formatted.

It is possible for an adversary, acting as a client, to obtain bits of information about the server RSA private key by observing the time elapsed between the transmission of an invalid proto-key value and reception of the alert message from the server that is sent in response. The information is leaked during the decryption process and may, through successive observations, reveal the factorization of the private key to the adversary. An attacker may perform this attack by repeatedly establishing sessions with invalid proto-key values.

Upon successful compromise of an RSA private key, it is possible for an attacker to monitor the establishment of all future sessions with the server. This may additionally allow an attacker to impersonate the server based on the compromised private key. This problem also affects other SSL implementations that do not implement RSA blinding by default.
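The countermeasure named in the last paragraph, RSA blinding, as an added example that is not part of the newsletter or of OpenSSL's code. It uses a constructed toy key (small primes P and Q, assumed here so it runs instantly) and shows that multiplying the ciphertext by a random factor before the private-key operation still returns the correct plaintext, while the value actually fed to the timing-dependent exponentiation is no longer the attacker's chosen input.

```python
import secrets
from math import gcd
from typing import Optional

# Constructed toy RSA key for illustration only (NOT a real key; real moduli
# are 2048 bits or more). P and Q are small primes chosen for speed.
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)          # private exponent (Python 3.8+ modular inverse)


def encrypt(m: int) -> int:
    """Textbook RSA public-key operation, as the client performs it."""
    return pow(m, E, N)


def decrypt_unblinded(c: int) -> int:
    """Private-key operation run directly on the client-supplied value.
    Its running time depends on c, which is what the timing attack measures."""
    return pow(c, D, N)


def random_blinding_factor() -> int:
    """Pick r from [2, N-1] with gcd(r, N) == 1 so that r is invertible mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r


def blind(c: int, r: int) -> int:
    """Multiply the ciphertext by r^e mod N. This is the value the slow
    exponentiation actually sees; without r the attacker cannot predict it."""
    return (c * pow(r, E, N)) % N


def decrypt_blinded(c: int, r: Optional[int] = None) -> int:
    """Private-key operation with blinding: decrypt r^e * c, then strip r.
    (r^e * c)^d = r^(ed) * c^d = r * c^d (mod N), so multiplying by r^-1
    recovers c^d. A fresh r is drawn per operation unless one is supplied."""
    if r is None:
        r = random_blinding_factor()
    r_inv = pow(r, -1, N)
    m_blind = pow(blind(c, r), D, N)
    return (m_blind * r_inv) % N


if __name__ == "__main__":
    msg = 123456789
    c = encrypt(msg)
    print("unblinded:", decrypt_unblinded(c))
    print("blinded:  ", decrypt_blinded(c))
```

The fixed-r parameter exists only so the result can be checked deterministically; in a real implementation r must be fresh and unpredictable for every private-key operation, and the same construction applies to signing.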

9. BitchX Remote Send_CTCP() Memory Corruption Vulnerability BugTraq ID: 7097
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7097
Summary:

BitchX is a freely available, open source IRC client. It is available for Unix, Linux, and Microsoft operating systems.

A memory corruption vulnerability has been reported in the send_ctcp() function which is used when handling server-supplied data. The function takes the length of an argument, char *to, and uses it to allocate a buffer on the stack. This occurs by calling the alloca() function with an argument of 512 - (12 + strlen(to)). Delimiter characters are later appended to the buffer returned by alloca().

If a hostile IRC server were to supply a 'to' argument whose length, plus 12, exceeds 512 bytes, the argument passed to alloca() would be negative. If this were to occur, the negative value would be interpreted as a size and alloca() would return a stack address belonging to a previous frame. This may allow delimiter characters and a NULL value to be written to arbitrary stack memory.

Successful exploitation of this issue may allow a malicious server to execute arbitrary commands on the client system with the privileges of the user running the vulnerable client.

This vulnerability has been reported to affect BitchX 1.0c19. Other versions may also be affected.

This issue was originally described in BID 7086 "Multiple BitchX Remote Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a separate BID.

10. BitchX Remote cannot_join_channel() Buffer Overflow Vulnerability BugTraq ID: 7099
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7099
Summary:

BitchX is a freely available, open source IRC client. It is available for Unix, Linux, and Microsoft operating systems.

A memory corruption vulnerability has been discovered in BitchX 1.0c19. This issue occurs when calling the cannot_join_channel() function. If a channel of excessive length is supplied a buffer overflow could occur which may result in predefined strings being written over sensitive stack memory.

As a result, it may be possible for a malicious IRC server to crash a vulnerable client. Although unconfirmed this vulnerability could potentially be leveraged to execute arbitrary commands within a target client.

This vulnerability has been reported to affect BitchX 1.0c19. Other versions may also be affected.

This issue was originally described in BID 7086 "Multiple BitchX Remote Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a separate BID.

11. BitchX Remote BX_compress_modes() Buffer Overflow Vulnerability BugTraq ID: 7100
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7100
Summary:

BitchX is a freely available, open source IRC client. It is available for Unix, Linux, and Microsoft operating systems.

BitchX has been reported prone to a buffer overflow vulnerability.

Reportedly, when the BitchX option 'compress_modes' is activated, a buffer overflow condition may arise. If an excessive amount of data is supplied to the BitchX 'BX_Compress_modes()' function, an internal memory buffer, 'nmodes[16]', will be overflowed. This may cause adjacent memory to be corrupted with attacker-supplied values.

There is a potential that this issue could be exploited to corrupt crucial program management variables on the stack and thus seize control of program flow. As a result, a hostile IRC server may be capable of executing arbitrary code on a target client.

Any arbitrary code executed would be in the context of the user running the vulnerable software.

This vulnerability was reported to affect BitchX 1.0c19; earlier versions may also be affected.

This issue was originally described in BID 7086 "Multiple BitchX Remote Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a separate BID.

12. BitchX Remote Cluster() Heap Corruption Vulnerability BugTraq ID: 7096
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7096
Summary:

BitchX is a freely available, open source IRC client. It is available for Unix, Linux, and Microsoft operating systems.

BitchX has been reported prone to a heap based memory corruption vulnerability. Reportedly when an excessively long hostname is supplied to the BitchX 'cluster()' function an internal static memory buffer is overflowed.

It has been reported that 1500 bytes of data may be written past the buffer, potentially corrupting sensitive values located in the heap.

Although unconfirmed, due to the nature of heap corruption vulnerabilities, there is a potential that this issue could be exploited to corrupt memory management information. As a result, a hostile IRC server may be capable of executing arbitrary code on a target client.

This vulnerability was reported to affect BitchX 1.0c19; earlier versions may also be affected.

This issue was originally described in BID 7086 "Multiple BitchX Remote Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a separate BID.

13. Epic Status Bar Writing Buffer Overflow Vulnerability BugTraq ID: 7103
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7103
Summary:

Epic is a freely available, open source IRC client. It is maintained by the Epic project.

A problem with the software may make it possible for an attacker to gain access to a vulnerable client system.

It has been reported that Epic does not properly handle some types of server replies. This particular problem occurs when the status bar is written to by the server. Because of this, an attacker may be able to gain access to a vulnerable client system with the privileges of the Epic user.

The client does not perform sufficient bounds checking on the data returned by the server before writing it to the status bar. Because of this, it is possible for a malicious server to send a response of arbitrary length that will result in a client-side overflow, and potentially the execution of arbitrary code.

This issue was originally described in BID 7077 "Multiple Epic Remote Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a separate BID.

14. Epic Userhost_Cmd_Returned Buffer Overflow Vulnerability BugTraq ID: 7091
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7091
Summary:

Epic is a freely available, open source IRC client. It is maintained by the Epic project.

A problem with the software may make it possible for an attacker to gain access to a vulnerable client system.

It has been reported that Epic does not properly handle some types of server replies. This particular problem occurs in the userhost returned by the server. Because of this, an attacker may be able to gain access to a vulnerable client system with the privileges of the Epic user.

The client does not perform sufficient bounds checking on the data returned by the server when the userhost is sent. Because of this, it is possible for a malicious server to send a response of arbitrary length that will result in a client-side overflow, and potentially the execution of arbitrary code.

This issue was originally described in BID 7077 "Multiple Epic Remote Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a separate BID.

15. Filebased Guestbook 'Comment' HTML Injection Vulnerability BugTraq ID: 7104
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7104
Summary:

Filebased Guestbook is a text-based guestbook written in PHP.

It has been reported that Filebased Guestbook is prone to HTML injection attacks. This problem occurs due to Filebased Guestbook insufficiently sanitizing user-supplied input. Specifically, embedded HTML and script code is not filtered from the 'comment' guestbook field.

As a result, attackers may embed malicious script code or HTML into guestbook entries. When a malicious entry is viewed by another user, the attacker-supplied code will be interpreted in their web browser in the security context of the site hosting the software.

It may be possible to steal the unsuspecting user's cookie-based authentication credentials, as well as other sensitive information. Other attacks are also possible.

16. Thunderstone TEXIS Texis.EXE Information Disclosure Vulnerability BugTraq ID: 7105
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7105
Summary:

TEXIS is an integrated SQL RDBMS that queries and manages databases containing natural language text, standard data types, geographic information, images, video, audio, and other payload data.

Under certain circumstances a malicious user may pass command line switches as URI parameters to the TEXIS executable. Specifically, the attacker may pass the '-version' or '-dump' switches to the 'texis.exe' executable. This action may result in the vulnerable TEXIS server returning sensitive information pertaining to the TEXIS executable and the server environment, in the form of a web page, to the attacker's browser.

Information gathered in this way may be used in further attacks mounted against the system.

17. Samba SMB/CIFS Packet Assembling Buffer Overflow Vulnerability BugTraq ID: 7106
Remote: Yes
Date Published: Mar 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7106
Summary:

Samba is a freely available file and printer sharing application maintained and developed by the Samba Development Team. Samba allows file and printer sharing between operating systems on the Unix and Microsoft platforms. The Samba daemon is typically run with super user privileges.

A buffer overflow vulnerability has been reported for Samba. The vulnerability occurs when the smbd service attempts to re-assemble specially crafted SMB/CIFS packets.

An attacker can exploit this vulnerability by creating a specially formatted SMB/CIFS packet and sending it to a vulnerable Samba server. The overflow condition will be triggered when smbd attempts to re-assemble the malformed packet fragments. smbd will overwrite sensitive areas of memory with attacker-supplied values resulting in the execution of malicious code.

This vulnerability is further exacerbated by the fact that the smbd service runs with root privileges.

This vulnerability affects Samba 2.0.0 to 2.2.7a. Additionally, HP CIFS/9000 server versions up to A.01.09.01 on HP-UX 11.0, 11.11(11i), and 11.22 are vulnerable.

18. Samba REG File Writing Race Condition Vulnerability BugTraq ID: 7107
Remote: No
Date Published: Mar 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7107
Summary:

Samba is a freely available file and printer sharing application maintained and developed by the Samba Development Team. Samba allows file and printer sharing between operating systems on the Unix and Microsoft platforms. The Samba daemon is typically run with super user privileges.

A race condition vulnerability has been reported for Samba. The vulnerability occurs when Samba attempts to write reg files. It may be possible for a local user to create a symbolic link at a crucial point of program execution, causing the file pointed to by the link to be overwritten. This will only occur if the file is writable by the Samba process.

Successful exploitation may cause local files to be corrupted. If files can be corrupted with custom data, this may result in privilege elevation.

Full details of this vulnerability are not currently known. The BID will be updated as further details are disclosed.

This vulnerability is reported to exist for Samba 2.0.0 to 2.2.7a.

19. RSA ClearTrust Login Page Cross Site Scripting Vulnerability BugTraq ID: 7108
Remote: Yes
Date Published: Mar 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7108
Summary:

RSA ClearTrust is a Web-based access management application that provides secure access to resources.

A cross-site scripting vulnerability has been discovered in ClearTrust. Specifically, the login page for the management application does not properly sanitize some user-supplied values. The login page is called ct_logon.asp, and the value of the 'CTLoginErrorMsg' parameter is not properly sanitized of malicious HTML code.

An attacker can exploit this vulnerability by creating a specially crafted URL that includes malicious HTML code for the login page used by ClearTrust.

This may allow for theft of cookie-based authentication credentials and other attacks.

20. Qpopper Username Information Disclosure Weakness BugTraq ID: 7110
Remote: Yes
Date Published: Mar 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7110
Summary:

Qpopper is a POP3 mail server available for Linux and Unix based systems.

An information disclosure weakness has been reported for Qpopper when authenticating. The weakness is due to the fact that if a valid username is sent with a bad password, Qpopper will wait a small amount of time prior to disconnecting the client. If the username that is sent is invalid, Qpopper immediately disconnects the client.

A determined attacker can exploit this weakness to gather a list of valid usernames on a vulnerable system using Qpopper.

Any information obtained in this manner may be used by the attacker to launch other attacks against a victim user or system.

This weakness was reported for Qpopper 3.1 and 4.0.4. It is not known whether other versions are affected.

21. Multiple Vendor Java Virtual Machine java.util.zip Null Value Denial Of Service Vulnerability BugTraq ID: 7109
Remote: Yes
Date Published: Mar 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7109
Summary:

Several implementations of the Java Virtual Machine have been reported to be prone to a denial of service condition.

This vulnerability occurs in several methods in the java.util.zip package. The following native methods have been reported to be vulnerable to this issue:

java.util.zip.Adler32().update();
java.util.zip.Deflater().setDictionary();
java.util.zip.CRC32().update();
java.util.zip.Deflater().deflate();
java.util.zip.CheckedOutputStream().write();
java.util.zip.CheckedInputStream().read();

The methods can be called with certain types of parameters; however, there do not appear to be proper checks for whether the parameters are NULL values. When these native methods are called with NULL values, the JVM reaches an undefined state, behaves in an unpredictable manner and may crash.

This BID will be separated into individual entries where appropriate.

22. McAfee ePolicy Orchestrator HTTP GET Request Format String Vulnerability BugTraq ID: 7111
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7111
Summary:

McAfee ePolicy Orchestrator is a product designed to remotely manage various policies and antivirus products. It is available for the Microsoft Windows operating system.

A format string vulnerability has been discovered in the ePolicy Orchestrator Agent which is designed to distribute log data remotely. Authentication does not occur when connecting to the ePolicy Orchestrator Agent, thus allowing an anonymous attacker to exploit this issue.

The format string bug occurs when processing HTTP GET requests via port 8081. An attacker who makes a malicious request containing format specifiers, such as '%x' or '%n', may be capable of obtaining and writing to sensitive locations in memory.

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary commands with SYSTEM privileges.

It should be noted that this vulnerability has been reported to affect McAfee ePolicy Orchestrator 2.5.1; other versions may also be affected.

23. Linux Kernel Privileged Process Hijacking Vulnerability BugTraq ID: 7112
Remote: No
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7112
Summary:

The Linux Kernel is the core of the Linux operating system and is distributed by various Linux distributions.

A vulnerability has been discovered related to the automatic loading of kernel modules via kmod. This feature allows modules to be loaded at run-time when required by certain system calls. When such a module is required, the kernel creates a privileged process and execs the modprobe executable. It should be noted that, although the process loading the module is owned by the root user, its parent process is the process that called the function requiring the module.

The vulnerability presents itself because the kernel fails to restrict tracing permissions on the privileged process. As a result, by anticipating the PID of the process probing the module and making a ptrace() call at the correct time interval, an attacker may be able to attach to the privileged process. This may give an attacker the ability to inject arbitrary instructions into memory and thus execute arbitrary commands.

Successful exploitation of this vulnerability could allow a local attacker, on a Linux system running a 2.2 or 2.4 kernel tree, to gain root privileges.

24. McAfee ePolicy Orchestrator Information Disclosure Vulnerability BugTraq ID: 7114
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7114
Summary:

McAfee ePolicy Orchestrator is a product designed to remotely manage various policies and antivirus products. It is available for the Microsoft Windows operating system.

The McAfee ePolicy Orchestrator Agent listens on port 8081 and is designed to distribute various log data to remote users. It has been discovered that the ePolicy Orchestrator Agent fails to carry out any authentication when distributing logs. As a result, it may be possible for a remote attacker to obtain sensitive information which could be used to launch further attacks.

It should be noted that this vulnerability has been reported to affect McAfee ePolicy Orchestrator 2.5.1; other versions may also be affected.

25. Multiple Cryptographic Weaknesses in Kerberos 4 Protocol BugTraq ID: 7113
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7113
Summary:

Multiple cryptographic weaknesses have recently been reported to affect the Kerberos 4 protocol. These are design faults and affect every full implementation of the protocol. The most serious allows an adversary to impersonate any principal in a realm. This can result in a complete compromise of the Kerberos Domain Controller and any hosts which rely on it for authentication. Another weakness allows fabrication of Kerberos 4 tickets for unauthorized client principals if triple-DES keys are used to key Kerberos 4 services.

It should be noted that Kerberos 5 implementations may also be affected in some environments.

This record will be updated as more information becomes available. Depending on analysis by Symantec, this entry may be split into multiple BIDs.

26. Outblaze Webmail Cookie Authentication Bypass Vulnerability BugTraq ID: 7115
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7115
Summary:

Outblaze is a Web based e-mail service that supports SMTP and POP3 Internet protocols, which allows it to be used as a front-end to an e-mail account.

The Outblaze web mail service has been reported to be prone to an authentication cookie spoofing vulnerability.

This issue may allow a malicious attacker to bypass the cookie-based authentication mechanisms used by the affected Outblaze web mail server. If the attacker has a valid authentication cookie that was created and saved during the Outblaze login process, the attacker can manipulate the domain name, mail id and user credentials. Using this malicious cookie the attacker may access the victim's information page and thereby retrieve the victim's password.

If successful the attacker may disclose a user's authentication credentials and gain full administrative access to the user's e-mail account.

27. Microsoft Windows 2000 ntdll.dll WebDAV Interface Buffer Overflow Vulnerability BugTraq ID: 7116
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7116
Summary:

Microsoft Windows 2000 utilizes WebDAV (World Wide Web Distributed Authoring and Versioning) when IIS is installed.

When the ntdll.dll system component is called by WebDAV, a buffer within the component can be overrun. Ntdll.dll is a dynamically linked library file loaded with almost every user mode process in Windows.

When unusually long data is supplied to WebDAV, it is in turn passed to the ntdll.dll system component. Proper bounds checking is not performed on this data, allowing a buffer to be overrun. This could result in the execution of arbitrary code with Local System privileges.

There may be attack vectors for this vulnerability other than through WebDAV, since ntdll.dll is accessed by other applications.

**There have been reports that this vulnerability was being actively exploited in the wild for some time before it was discovered and fixed by Microsoft. See the MSNBC link in the References section for more details of systems that were exploited by this vulnerability. It is also important to note that there is a strong possibility that this vulnerability was known to exist for some time prior to March 12th as indicated by the news story.

28. BEA WebLogic Remote Unprivileged Administration Access Vulnerability BugTraq ID: 7124
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7124
Summary:

BEA Systems WebLogic Server is an enterprise level Java web application server.

The WebLogic server contains undocumented applications that are normally used during data replication between servers and for supporting application deployment, including source code distribution.

These applications may be accessed remotely by any unprivileged user. The unprivileged user could modify applications, source code, and access various administrative functions on the underlying server.

29. BEA WebLogic Internal Servlet Input Validation Vulnerabilities BugTraq ID: 7122
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7122
Summary:

BEA Systems WebLogic is an enterprise level Java web application server.

Input validation issues have been reported in a WebLogic internal servlet that is used by the web management interface. Unauthenticated users may exploit these issues in the internal servlet to upload malicious files to a host running the vulnerable software. It has been reported that arbitrary files may be overwritten when a file is uploaded via the internal servlet. It will also be possible to retrieve arbitrary server readable files from the host.

Exploitation could result in execution of arbitrary commands in the context of the server, or in disclosure of sensitive information which may aid in further attacks.

WebLogic 6.0 and 6.1 allow unauthenticated users to upload files via the internal servlet. WebLogic 6.0, 6.1 and 7.0 are prone to various file disclosure attacks. It is not known whether 7.0.0.1 is affected.

These issues were reported to affect BEA WebLogic Server. BEA WebLogic Express may also be affected, so users of WebLogic Express are also advised to apply the provided patches.

30. Sun XDR Library xdrmem_getbytes() Integer Overflow Vulnerability BugTraq ID: 7123
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7123
Summary:

The Sun XDR (External Data Representation) library is used for various functions including interprocess communication (IPC) and is typically implemented by RPC services. XDR library code is implemented by a variety of system libraries including GNU libc, BSD libc, and Sun Microsystems' libnsl.

A vulnerability has been discovered in the xdrmem_getbytes() function defined by the XDR library. Due to an integer overflow in the function, multiple applications linking to the library may be prone to a variety of vulnerabilities.

By passing a malicious integer to the function, it may be possible for an attacker to trigger an unexpected allocation of process memory. This may cause implemented bounds checking to be insufficient. Furthermore, previously used memory may be allocated which could contain sensitive information.

Successful exploitation of this issue on a vulnerable application may allow an attacker to execute arbitrary commands with root privileges.
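As an added illustration (not code from the XDR library, Sun, or the advisory), the C below models the length check in the vulnerable style of xdrmem_getbytes(), where a signed remaining-byte counter is decremented by the caller-supplied unsigned length and only then compared against zero, beside a hardened variant that compares before subtracting. The struct and function names are hypothetical stand-ins; the buffer is constructed sample data.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical stand-in for an XDR memory stream: a read cursor plus the
 * count of bytes still available. x_handy is signed, as in the vulnerable
 * implementations, which is what makes the wraparound possible. */
struct mem_stream {
    const unsigned char *x_private;   /* next byte to read */
    int x_handy;                      /* bytes remaining in the buffer */
};

/* Models only the bounds check of the vulnerable getbytes routine; it does
 * no copy. Returns true when the check would let the copy go ahead.
 * Subtracting an unsigned len from a signed counter is done in unsigned
 * arithmetic, so a huge len wraps to a small non-negative remainder and
 * the "< 0" test never fires. */
bool vulnerable_check_accepts(int x_handy, unsigned int len)
{
    int remaining = x_handy;
    remaining -= len;                 /* wraps for len > INT_MAX */
    return !(remaining < 0);
}

/* Hardened getbytes: compare against the bound before touching the counter,
 * and do the comparison in unsigned arithmetic so no len can wrap past it.
 * Returns false and leaves the stream untouched when len is too large. */
bool safe_getbytes(struct mem_stream *xs, void *dst, unsigned int len)
{
    if (xs->x_handy < 0 || len > (unsigned int)xs->x_handy)
        return false;                 /* request exceeds what remains */
    memcpy(dst, xs->x_private, len);
    xs->x_private += len;
    xs->x_handy -= (int)len;
    return true;
}
```

With 8 bytes remaining, the modelled check accepts a length of 0xFFFFFFF0 (8 - 0xFFFFFFF0 wraps to 24) while rejecting a length of 9; the hardened routine rejects both.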

31. Kebi Academy 2001 Input Validation Vulnerability BugTraq ID: 7125
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7125
Summary:

Kebi Academy 2001 is web-based mail/community software. It is available for Unix and Linux variants.

Kebi Academy 2001 does not sufficiently validate input supplied via URI parameters. As a result, it has been reported that it is possible to retrieve arbitrary files which are readable by the web server. This is due to insufficient sanitization of directory traversal sequences from requests.

It has also been reported that it is possible to upload malicious files to the server. This could result in disclosure of sensitive information which may be useful in mounting further attacks against the system. Execution of arbitrary commands in the context of the web server is also possible if a malicious file can be uploaded and then requested by the remote attacker.

32. Gnome-lokkit Iptables No Forward Chain Rule Vulnerability BugTraq ID: 7128
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7128
Summary:

Gnome-lokkit is a utility that provides firewalling for the average Linux end user based on responses to a small number of simple questions.

Gnome-lokkit for Red Hat 8.0 was modified to configure iptables-based instead of ipchains-based firewalls. Gnome-lokkit has been reported to be prone to a condition where the FORWARD chain in the generated iptables ruleset is not configured by default. This situation may result in a variety of security vulnerabilities depending on system configuration.

It should be noted that a vulnerability might only present itself if an administrator were to enable packet forwarding, without adding rules to the FORWARD chain.

The vulnerability was reported to affect Gnome-lokkit for Red Hat Linux 8.0. Previous versions of Gnome-lokkit are not reported to be affected.

33. MyAbraCadaWeb Path Disclosure Vulnerability BugTraq ID: 7126
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7126
Summary:

MyABraCaDaWeb is a web content management system. It is implemented in PHP and available for Unix and Linux variants and Microsoft Windows operating systems.

MyABraCaDaWeb is reported to disclose path information in error messages when handling some invalid requests. This may occur when an invalid administrative ID is requested or in some other cases. The full path to the web root directory will be included in the error output. This information could be useful in further attacks against a system hosting the software.

34. MyAbraCadaWeb Search Engine Cross-Site Scripting Vulnerability BugTraq ID: 7127
Remote: Yes
Date Publishe