SecurityFocus Newsletter #197

SecurityFocus Newsletter #197

This Issue is Sponsored By: Spidynamics

ALERT! "Outsmart Web Application Hackers"-FREE Product Trial

Test your Web Applications for over 4000 vulnerabilities! FREE Security Test via our 15 Day Product Trial that delivers a comprehensive vulnerability report. Secure your critical assets today!

Visit us at: http://www.spidynamics.com/mktg/freewebinspect54

1. Security Tools: From Mermaids to Suckling Pigs
2. Malware Myths and Misinformation, Part One
3. Securing Apache: Step-by-Step
4. U.S. Information Security Law, Part 3
5. Relax, It Was a Honeypot II. BUGTRAQ SUMMARY
6. Lgames LTris Local Memory Corruption Vulnerability
7. Internet Explorer file:// Request Zone Bypass Vulnerability
8. Netbus Authentication Bypass Vulnerability
9. Kerio Personal Firewall Fragmented Packet Filter Bypass...
10. Microsoft SQL Server Unspecified Vulnerability
11. ttCMS / ttForum Remote File Include Vulnerability
12. ttCMS / ttForum Profile.php SQL Injection Vulnerability
13. Boa Webserver File Disclosure Vulnerability
14. Phorum Message Form Field HTML Injection Variant Vulnerability
15. Firebird GDS_Inet_Server Interbase Environment Variable Buffer...
16. Youngzsoft CMailServer MAIL FROM Buffer Overflow Vulnerability
17. Youngzsoft CMailServer RCPT TO Buffer Overflow Vulnerability
18. Snitz Forums 2000 Register.ASP SQL Injection Vulnerability
19. Info-ZIP UnZip Encoded Character Hostile Destination Path...
20. BitchX Mode Change Denial Of Service Vulnerability
21. EType EServ Resource Exhaustion Denial Of Service Vulnerability
22. Apple AirPort Administrative Password Encryption Weakness
23. IU BLog Comment Form HTML Code Injection Vulnerability
24. Pi3Web Malformed GET Request Denial Of Service Vulnerability
25. Cerberus FTP Server Plaintext User Password Weakness
26. Happymall E-Commerce Software Normal_HTML.CGI Cross-Site...
27. PHPNuke Web_Links Module Remote SQL Injection Vulnerability
28. Happymall E-Commerce Software Normal_HTML.CGI File Disclosure...
29. Movable Type Comment Form HTML Code Injection Vulnerability
30. Yahoo! Voice Chat ActiveX Control Unspecified Vulnerability
31. Clearswift MailSweeper PowerPoint File Denial of Service...
32. BEA Systems WebLogic Multiple Password Storage Vulnerabilities
33. Netscape Navigator False URL Information Vulnerability
34. CDRTools CDRecord Devname Format String Vulnerability
35. IP Messenger For Win Filename Buffer Overflow Vulnerability
36. PHP-Nuke Modules.PHP Username URI Parameter Cross Site...
37. Clearswift MailSweeper Attachment Filename Validation...
38. AIX Sendmail Open Relay Default Configuration Weakness
39. Phorum Post.PHP Cross-Site Scripting Vulnerability
40. Phorum UserAdmin Arbitrary Command Execution Vulnerability
41. Phorum Multiple Path Disclosure Vulnerabilities
42. Phorum Common.PHP Cross-Site Scripting Vulnerability
43. Phorum Edit User Profile Arbitrary Command Execution...
44. Phorum Stats Program Arbitrary Command Execution Vulnerability
45. Phorum Download File Disclosure Vulnerability
46. Phorum Register.PHP Connection Proxying Vulnerability
47. Phorum login.PHP Cross Site Scripting Vulnerability
48. Phorum Register.PHP Cross-Site Scripting Vulnerability
49. Phorum Register.PHP Existing User HTML Injection Vulnerability
50. Poptop PPTP BCRELAY sprintf() Buffer Overflow Vulnerability
51. Phorum Login.PHP Connection Proxying Vulnerability
52. Intel Itanium 2 Processor Denial of Service Vulnerability
53. PHP-Nuke Web_Links Module Path Disclosure Vulnerability
54. PHP-Nuke Multiple Downloads Module SQL Injection Vulnerabilities
55. BEA Systems WebLogic Encryption Information Disclosure Weakness
56. BEA Systems WebLogic CredentialMapper Plaintext Password...
57. Poptop PPTP BCRELAY fscanf() Buffer Overflow Vulnerability
58. BEA WebLogic JDBCConnectionPoolRuntimeMBean On-Screen...
59. 3Com OfficeConnect ADSL Router DHCP Response Information... III. SECURITYFOCUS NEWS ARTICLES
60. Matrix Sequel Has Hacker Cred
61. Security research exemption to DMCA considered
62. Feds To Refocus on Cybersecurity
63. MS 'slush' fund provides big discounts to stop Linux - email IV. SECURITYFOCUS TOP 6 TOOLS
64. NoTrax v1.3
65. WifiScanner v0.9.0
66. Ginsu Chat Client v0.4.7
67. phpBandwidth Monitor v1.5
68. Very Simple Network Monitor v2.0.0
69. MyNetWeather v0.3
70. SECURITYJOBS LIST SUMMARY
71. Seasoned Security Expert Available (Thread)
72. Cheif Security Officer (Paris, France) (Thread)
73. Bay Area Sales Representive (Thread)
74. Malicious Code Security Analyst, Mechanicsburg, PA (Thread)
75. Application Penetration Tester Wanted (Thread)
76. Director of Quality Assurance (Thread)
77. Internet Security Architect contract position (Thread)
78. Unix Security Analyst - Bloomington, IL (Thread)
79. .Net Security Analyst - Bloomington, IL (Thread)
80. Network security Auditor - Israel (Thread)
81. Security Sales (Thread)
82. Looking for a White Hat Hacker to perform a vulnerability test...
83. Security Manager - Germany (Thread)
84. Cisco IDS Engineer- Guardent / Providence RI (Thread)
85. SAP Security Consultant, Midlands, UK (Thread)
86. Information Security Manager, Benelux (Thread)
87. Seeking Network Security position (will relocate) (Thread)
88. FL CISSP Seeking a Position (Thread)
89. Neoteris is hiring!!! - Regional Sales Managers - Japan/Korea...
90. Neoteris is hiring!!! - Sales Engineers - Japan/Korea (Thread)
91. Neoteris is hiring!!! - Sales Engineers - Germany/France...
92. Neoteris is hiring!!! - Sales Engineer - Ohio Valley (Thread)
93. Neoteris is hiring!!! - Regional Sales Managers - Germany...
94. Neoteris is hiring!!! - Federal Regional Sales Manager...
95. Technical Lead (Thread)
96. Deloitte & Touche Network Security Opportunities (Thread)
97. Deloitte & Touche: Application Security Engineer (Thread)
98. Deloitte and Touche: Identity Management Specialists Needed...
99. Network Security Analyst, Mechanicsburg, PA (Thread)
100. Security Engineer needed in Chicago, IL (Thread)
101. Global CERT Coordinator - NY - $150k-$200k - Job #781 (Thread)
102. Network Security Engineer needed in Jacksonville (Thread) VI. INCIDENTS LIST SUMMARY
103. BIND Crash (Thread)
104. tcp/1274 scans (Thread)
105. New intrusion script? (Thread)
106. Trojan modifying ntdll.dll and cmd.exe (Thread)
107. UDP/137 scans -- new worm? (Thread)
108. re: DNS poisoning to Korean address (Thread)
109. tcp/554 scans (Thread)
110. Stopping information leakage (Thread)
111. More Info: DNS poisoning to Korean address (Thread)
112. Folllow-up to the Hotmail/MSN password reset problems (Thread)
113. Source 126.0.0.1 UDP/137 (Thread)
114. New SecurityFocus Article: U.S. Information Security Law...
115. IIS/WebDav Exploit List (Thread)
116. Attack attempts from 195.86.128.45 (Thread)
117. smsx.exe? (Thread)
118. A lot of whisker attempts? (Thread)
119. SecurityFocus Article Announcement: Starting from Scratch:... VII. VULN-DEV RESEARCH LIST SUMMARY
120. MSIE integer overflows (Thread)
121. vulndev-1 and a suggestion about the ensuing discussion (Thread)
122. vulndev1.c solution (warning SPOILER) (Thread)
123. Administrivia: Challenge Guidelines (Thread)
124. Administrivia: List Announcement (Thread)
125. FW: partial analysis of vulndev-1.c (Thread)
126. partial analysis of vulndev-1.c (Thread)
127. vulndev-1 exploit. (Thread)
128. another vulndev-1.c solution (Thread)
129. Buffer overflow in Microsoft ftp.exe (Thread)
130. IIS/WebDav Exploit List (Thread)
131. vulndev-1.c challenge (was Administrivia: List Announcement)...
132. Buffer overflow in Explorer.exe (Thread)
133. TOP 75 Security Tools Translated (Thread)
134. Domain Name Forging On Authentication Prompt (Thread) VIII. MICROSOFT FOCUS LIST SUMMARY
135. Article Announcement: Security Tools: From Mermaids to Suckling...
136. Article Announcement: U.S. Information Security Law, Part 3...
137. Harden ASP.NET Configuration (Thread)
138. Share Point? (Thread)
139. SecurityFocus Microsoft Newsletter #136 (Thread)
140. Timbuktu, etc. (Thread)
141. (prevent + detect Arp spoofing) + Securing Terminal Services...
142. IPSEC through Ms ISA Server (Thread) IX. SUN FOCUS LIST SUMMARY
143. NO NEW POSTS FOR THE WEEK ENDING 05.16.03
144. LINUX FOCUS LIST SUMMARY
145. AW: IPChains Question (compatibility mode on kernel 2.4.x)...
146. IPChains Question (compatibility mode on kernel 2.4.x) (Thread)
147. how to check current backlog queue size(against synflood)... XI. SPONSOR INFORMATION
148. FRONT AND CENTER

     ---

149. Security Tools: From Mermaids to Suckling Pigs By Scott Granneman

The recent Nmap-hackers survey provides a glimpse of what security professionals are packing in their tool-belts these days.

2. Malware Myths and Misinformation, Part One

By David Harley

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

This article is the first of a three-part series looking at some of the myths and misconceptions that undermine anti-virus protection. The fallacies we address here tend to begin with the words "I'm safe from viruses because..."

http://www.securityfocus.com/infocus/1695

3. Securing Apache: Step-by-Step
By Artur Maj

This article shows in a step-by-step fashion, how to install and configure the Apache 1.3.x Web server in order to mitigate or avoid successful break-in when new vulnerabilities in this software are found.

4. U.S. Information Security Law, Part 3 By Steven Robinson
This is the third part of a four-part series looking at U.S. information security laws and the way those laws affect security professionals. In this installment, we will look at the basics of the criminal information security law.

http://www.securityfocus.com/infocus/1693

5. Relax, It Was a Honeypot
By Tim Mullen

A security company cleverly tricks hackers into compromising one of its distribution sites. Really.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

http://www.securityfocus.com/columnists/162

II. BUGTRAQ SUMMARY

1. Lgames LTris Local Memory Corruption Vulnerability BugTraq ID: 7537 Remote: No Date Published: May 09 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7537 Summary:

LTris is a Tetris clone written for Linux variant and BSD operating systems. It is maintained by LGames.

A memory corruption vulnerability has been reported for LTris that may result in a local attacker obtaining elevated privileges.

An attacker can exploit this vulnerability by creating an overly long $HOME environment variable, consisting of at least 520 bytes. The attacker then invokes /usr/local/share/ltris and the vulnerability is triggered resulting in the corruption of sensitive memory and the execution of attacker-supplied code. Any code to be executed will be executed with group 'games' privileges.

This vulnerability was reported to affect LTris installed on FreeBSD systems. It is likely that other systems are also affected.

2. Internet Explorer file:// Request Zone Bypass Vulnerability BugTraq ID: 7539
Remote: Yes
Date Published: May 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7539
Summary:

Internet Explorer uses zones in order to limit the scope of execution of code depending on the zone it originates from.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

A vulnerability has been reported that could allegedly allow an executable from the Internet to be run in the Local Computer zone.

It has been alleged that if Internet Explorer attempts to open a web page containing more than 200 Iframes containing 'file://' requests for the same executable file, the file will eventually be executed in the Local Computer zone. This file would have to reside on the remote website serving the HTML document.

A reliable source has reported that this vulnerability may be due to some form of resource exhaustion. It is unclear how resource exhaustion would allow the Iframe to violate the Internet Explorer security zone. This record will be updated if more information becomes available.

3. Netbus Authentication Bypass Vulnerability BugTraq ID: 7538
Remote: Yes
Date Published: May 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7538
Summary:

Netbus is a backdoor program that allows remote administration of a compromised system. It is available for Microsoft Windows operating systems.

Netbus can be configured to require a password for backdoor server access.

A vulnerability in Netbus may permit remote users to bypass authentication. If a connection is made to a Netbus server from a host, further connections from that IP address may not need to authenticate with the server.

This could allow unauthorized access to the Netbus server.

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

4. Kerio Personal Firewall Fragmented Packet Filter Bypass Vulnerability BugTraq ID: 7540
Remote: Yes
Date Published: May 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7540
Summary:

Kerio Personal Firewall (KPF) is a desktop firewall solution that performs stateful packet inspection. It runs on Windows NT/2000/XP.

Reportedly, a vulnerability exists in KPF that may allow malicious packets to bypass existing firewall rules.

Allegedly, KPF does not properly handle fragmented packets thus a maliciously crafted packet may bypass firewall filters.

KPF implements stateful packet filtering for its firewall and as such, unsolicited traffic, as described above, is unlikely to get through the firewall.

This vulnerability has not been confirmed by the vendor.

5. Microsoft SQL Server Unspecified Vulnerability BugTraq ID: 7541
Remote: Unknown
Date Published: May 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7541
Summary:

A reliable source has reported an unspecified vulnerability in Microsoft SQL Server. SQL Server versions 7 and 2000, as well as the MSDE are said to be affected by this vulnerability.

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

The report indicates that this vulnerability involves the Microsoft Jet OLE DB provider. This component is not enabled by default and should be disabled until a fix is available if it is not needed. Linked servers using the OLE DB provider are also reported to be vulnerable.

Though unconfirmed, exploitation of this vulnerability by remote attackers may result in the compromise of affected hosts.

This is a preliminary alert. This record will be updated when further details become available.

• Reports suggest that this issue may be a variant of the vulnerability described in BID 5057. This however, has not been confirmed. 6. ttCMS / ttForum Remote File Include Vulnerability BugTraq ID: 7542 Remote: Yes Date Published: May 09 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7542 Summary:

ttForum is web based forum implemented in PHP and derived from YABB SE. ttCMS is another web based forum and is in turn derived from ttForum.

A remote file include vulnerability has been reported for both ttForum and ttCMS. Due to insufficient sanitization of some user-supplied variables by the 'News.php' and 'Install.php' scripts, it is possible for a remote attacker to include a malicious PHP file in a URL.

An attacker may exploit this by supplying a path to a maliciously created file, located on an attacker-controlled host as a value for the '$template' or 'installdir' parameters.

If the remote file is a malicious PHP script, this may allow for execution of attacker-supplied PHP code with the privileges of the web server. Successful exploitation may provide local access to the attacker.

There are conflicting reports about whether or not this issue exists. The vendor has stated that exploitation of this issue is not possible.

Confused? Frustrated?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

7. ttCMS / ttForum Profile.php SQL Injection Vulnerability BugTraq ID: 7543
Remote: Yes
Date Published: May 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7543
Summary:

ttForum is web based forum implemented in PHP and derived from YABB SE. ttCMS is another web based forum and is in turn derived from ttForum.

A problem with ttCMS/ttForum could make it possible for a remote user launch SQL injection attacks.

It has been reported that a problem exists in the Profile.php script distributed as part of the software. Due to insufficient sanitizing of input, it is possible for a remote user to inject arbitrary SQL into the database used by the web forums.

This problem may allow a remote user to change the password of the administrative user of an instance of ttCMS or ttForum. It may also allow a remote user to gain other information from SQL databases used by the affected software.

There are conflicting reports about whether or not this issue exists. The vendor has stated that exploitation of this issue is not possible.

8. Boa Webserver File Disclosure Vulnerability BugTraq ID: 7544
Remote: Yes
Date Published: May 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7544
Summary:

Boa is a single-tasking a high performance web server for Unix based systems.

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Boa webserver has been reported prone to a file disclosure vulnerability. The issue presents itself due to a lack of sufficient sanitization performed on user supplied HTTP requests.

Reportedly an attacker may exploit this vulnerability by submitting a HTTP request that contains dot-dot (../..) directory traversal sequences designed to break out of the web root and access a webserver readable file on the vulnerable system. Reportedly the file contents will be displayed in the attacker's browser.

It should be noted that Boa webserver version '0.92r' on the 'PowerLinkT WAN Aggregator' appliance has been reported vulnerable. It is not yet confirmed if other platforms are vulnerable; this issue was not reproducible on Boa webserver version '0.92r' compiled and installed on Red Hat Linux 6.2.

This issue may be related to the vulnerability reported in BID 1770.

9. Phorum Message Form Field HTML Injection Variant Vulnerability BugTraq ID: 7545
Remote: Yes
Date Published: May 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7545
Summary:

Phorum is a PHP based web forums package.

An HTML injection issue has been reported which may lead to unauthorized code execution.

It has been reported that it is possible to inject HTML or script code into the subject and other fields of a message in Phorum. This may be done by including code in message fields before sending a message to the target victim.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

The injected HTML and script code may execute in the security context of the Phorum site, potentially allowing an attacker to hijack web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user, including posting or deleting content.

This issue is a variant of the vulnerability described in BID 7262 that also affects Phorum 3.4.2.

1. Firebird GDS_Inet_Server Interbase Environment Variable Buffer Overflow Vulnerability BugTraq ID: 7546 Remote: No Date Published: May 10 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7546 Summary:

Interbase is a database distributed and maintained by Borland. It is available for Unix and Linux operating systems. As Firebird is based on Borland/Inprise Interbase source code, it is very likely that Interbase is prone to this issue also.

A problem with Firebird could make it possible for a local user to gain elevated privileges.

A buffer overflow has been discovered in the setuid root program gds_inet_server, packaged with Firebird. This problem could allow a local user to execute the program with strings of arbitrary length. By using a custom crafted string, the attacker could overwrite stack memory, including the return address of a function, and potentially execute arbitrary code as root.

The vulnerability occurs in the INTERBASE environment variable. When the gds_inet_server program is executed with a string of arbitrary length (typically 500 or more bytes) in the INTERBASE environment variable, the result in an exploitable buffer overflow.

This could make it possible for a local user to gain administrative access.

1. Youngzsoft CMailServer MAIL FROM Buffer Overflow Vulnerability BugTraq ID: 7547 Remote: Yes Date Published: May 10 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7547 Summary:

CMailServer is a e-mail server designed for use with Microsoft Windows operating environments.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

A buffer overflow vulnerability has been reported for CMailServer. The vulnerability exists due to insufficient bounds checking when parsing e-mail headers. Specifically, an overly long MAIL FROM e-mail header will cause CMailServer to crash and corrupt sensitive memory.

An attacker can exploit this vulnerability by crafting a malicious e-mail with an overly long MAIL FROM header field, consisting of at least 2000 bytes, to a vulnerable system. This will trigger the buffer overflow condition when CMailServer is used to process the e-mail and will result in the corruption of sensitive memory. It may also be possible for an attacker to cause CMailServer to execute malicious attacker-supplied instructions.

1. Youngzsoft CMailServer RCPT TO Buffer Overflow Vulnerability BugTraq ID: 7548 Remote: Yes Date Published: May 10 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7548 Summary:

CMailServer is a e-mail server designed for use with Microsoft Windows operating environments.

A buffer overflow vulnerability has been reported for CMailServer. The vulnerability exists due to insufficient bounds checking when parsing e-mail headers. Specifically, an overly long RCPT TO e-mail header will cause CMailServer to crash and corrupt sensitive memory.

An attacker can exploit this vulnerability by crafting a malicious e-mail with an overly long RCPT TO header field, consisting of at least 2000 bytes, to a vulnerable system. This will trigger the buffer overflow condition when CMailServer is used to process the e-mail and will result in the corruption of sensitive memory. It may also be possible for an attacker to cause CMailServer to execute malicious attacker-supplied instructions.

1. Snitz Forums 2000 Register.ASP SQL Injection Vulnerability BugTraq ID: 7549 Remote: Yes Date Published: May 10 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7549 Summary:

Snitz Forums 2000 is ASP-based web forum software. It runs on Microsoft Windows operating systems. Snitz is back-ended by a database and supports Microsoft Access 97/2000, SQL Server 6.5/7.0/2000 and MySQL.

It is possible for a remote attacker to inject SQL into queries made by the register.asp script. Specifically, the 'email' variable is not properly sanitized of malicious SQL instructions.

It is possible for a remote attacker to inject SQL into queries made by the register.asp script. This may be exploited to manipulate the logic of a query made by the script.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Depending on the database implementation used, this may possibly result in sensitive information in the database being disclosed to the attacker or may enable the attacker to modify data. There is also the possibility that this issue may be leveraged to exploit vulnerabilities that may exist in the underlying database.

The attacker would have to pass properly formatted SQL to the vulnerable script to exploit this issue.

This vulnerability was reported for Snitz Forum 2000 3.3.03. It is likely that earlier versions are affected.

1. Info-ZIP UnZip Encoded Character Hostile Destination Path Vulnerability BugTraq ID: 7550 Remote: Yes Date Published: May 10 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7550 Summary:

Info-ZIP UnZip contains a vulnerability during the handling of pathnames for archived files. Specifically, when certain encoded characters are inserted into '../' directory traversal sequences, the creator of the archive can cause the file to be extracted to arbitrary locations on the filesystem - including paths containing system binaries and other sensitive or confidential information.

This will allow an attacker to create a file in a hostile archive to be placed anywhere on the target system.

This can be used to create or overwrite binaries in any desired location. Properly exploited, this may grant the archive creator an elevation of privileges.

This vulnerability was reported to affect Info-ZIP UnZip 5.50 and it is likely that earlier versions may be affected. This issue is similar to the vulnerability described in BID 5835.

1. BitchX Mode Change Denial Of Service Vulnerability BugTraq ID: 7551 Remote: Yes Date Published: May 10 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7551 Summary:

BitchX is a freely available, open source IRC client. It is available for Unix, Linux, and Microsoft operating systems.

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

A denial of service vulnerability has been reported for BitchX. It is possible to cause BitchX to crash when certain mode changes are made.

The vulnerability exists in the names.c source file where a check is not made for any arguments provided with a mode change.

The precise details of this vulnerability are currently unknown. This BID will be updated as more information becomes available.

This vulnerability affects BitchX cvs versions prior to 05/09/2003.

1. EType EServ Resource Exhaustion Denial Of Service Vulnerability BugTraq ID: 7552 Remote: Yes Date Published: May 11 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7552 Summary:

EServ is a proxy software package distributed by EType. It is available for Microsoft Windows operating systems.

A denial of service vulnerability has been reported for EServ. The vulnerability exists due to the way the server handles connections. Specifically, when EServ receives a connection, the server allocates a specific block of heap memory. Reportedly, when a connection is disconnected, the allocated memory is not adequately freed.

This vulnerability exists due to a delayed response time, upwards of up to two minutes, when de-allocating memory from closed connections.

An attacker can exploit this vulnerability by making numerous connections to the vulnerable server. For every connection, a small amount of memory is not properly freed from heap memory. Many connections to the vulnerable server will eventually result in a consumption of all available memory resources which may cause the system to become unstable.

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

This vulnerability affects EServ 2.92 to 2.99.

1. Apple AirPort Administrative Password Encryption Weakness BugTraq ID: 7554 Remote: Yes Date Published: May 12 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7554 Summary:

The Apple Airport device is a wireless access point which implements the 802.11b wireless protocol. It is possible to administer the Airport device remotely by using a custom administration protocol. This protocol functions using plaintext however, sensitive authentication credentials are obfuscated before transmission.

A weakness has been discovered in the encoding mechanism used to obfuscate administrative user credentials. Specifically, the administrator password is XOR encoded against a 32-bit key.

An attacker capable of intercepting authentication-based network traffic may trivially deduce the key. As a result, an unauthorized remote user may gain administrative access to a target device.

1. IU BLog Comment Form HTML Code Injection Vulnerability BugTraq ID: 7553 Remote: Yes Date Published: May 12 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7553 Summary:

A problem with IU BLog could allow remote users to execute arbitrary code in the context of the web site hosting IU BLog. The problem occurs due to the lack of sanitization performed on encoded character representations of HTML tags.

Specifically, IU BLog fails to filter encoded HTML code, for example '<' and '>'. As a result, a malicious user may have the ability to submit arbitrary HTML code in the 'Name', 'Email Address', 'URL' or 'Comments' fields of the IU BLog comment form. This code would be executed by a user's browser in the context of the vulnerable site.

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software. Other attacks are also possible.

1. Pi3Web Malformed GET Request Denial Of Service Vulnerability BugTraq ID: 7555 Remote: Yes Date Published: May 12 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/7555 Summary:

Pi3Web is a free, multi platform, configurable HTTP server and development environment.

Confused? Frustrated?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

It has been reported that Pi3Web server is prone to a denial of service vulnerability. Reportedly when a malicious GET request containing 354 '/' characters is sent to the Pi3Web server the server will fail. It should be noted that the Unix version has been reported vulnerable, it is not currently known if other platforms are affected.

Although unconfirmed, due to the nature of this vulnerability, it may be possible for an attacker to exploit this issue to corrupt sensitive Pi3Web memory. If this is possible, an attacker may have the ability to supply and execute arbitrary code.

Precise technical details regarding this vulnerability are not currently known. This BID will be updated as further details are disclosed.

20. Cerberus FTP Server Plaintext User Password Weakness BugTraq ID: 7556
Remote: No
Date Published: May 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7556
Summary:

Cerberus is an FTP Server for Microsoft Windows operating systems.

Cerberus FTP Server stores authentication credentials for the FTP service on the local system in plaintext. These credentials are stored in the 'users.pro' file in the program directory. Local users with access to this file may gain unauthorized access to the server as a result.

Exposure of authentication credentials may also lead to compromise of other services/resources if the same credentials are commonly used.

21. Happymall E-Commerce Software Normal_HTML.CGI Cross-Site Scripting Vulnerability BugTraq ID: 7557
Remote: Yes
Date Published: May 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7557
Summary:

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

HappyMall E-Commerce software is an E-Commerce software package available from HappyCGI.com.

A vulnerability has been reported for Happymall E-Commerce. Due to insufficient sanitization of user-supplied URI parameters, Happymall E-Commerce may be prone to cross-site scripting attacks. Specifically, the normal_html.cgi script fails to sanitize the 'file' variable of embedded script code.

As a result, a remote attacker may be capable of constructing a malicious link designed to execute arbitrary script code within the browser of a legitimate user who follows it. This may allow for the theft of cookie-based authentication credentials which could aid in session hijacking. Other attacks may also be possible.

It should be noted that this issue has been reported to affect HappyMall E-Commerce 4.3 and 4.4 however, earlier versions may also be affected.

22. PHPNuke Web_Links Module Remote SQL Injection Vulnerability BugTraq ID: 7558
Remote: Yes
Date Published: May 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7558
Summary:

PHPNuke is a freely available, open source content management system written in PHP. It is available for Unix, Linux, and Microsoft Operating Systems.

It has been reported that multiple input validation bugs exist in the Web_Links module used by PHPNuke.

The problem is in the sanitizing of data passed to construct database queries. Insufficient sanity checks are performed by the Web_Links module, making it possible to inject SQL code into the database behind PHPNuke. This issue could be exploited to gain access to potentially sensitive information contained in the database with the privileges of the web application. Compromise of the web forums may also be possible. Consequences could vary depending on the the queries involved and the capabilities of the underlying database implementation.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

These issues could be especially dangerous for databases that support the UNION function, allowing for execution of multiple queries. It should also be noted that an additional 20 instances of SQL injection vulnerabilities exist in this module.

23. Happymall E-Commerce Software Normal_HTML.CGI File Disclosure Vulnerability BugTraq ID: 7559
Remote: Yes
Date Published: May 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7559
Summary:

HappyMall E-Commerce software is an E-Commerce software package available from HappyCGI.com.

A vulnerability has been reported for Happymall E-Commerce. Due to insufficient sanitization of user-supplied URI parameters, Happymall E-Commerce may be prone to a file disclosure vulnerability. Specifically, the normal_html.cgi script fails to sanitize directory traversal (../) sequences from the 'file' variable.

As a result, a remote attacker may be capable of viewing the contents of a sensitive system file. This may allow the attacker to access information that may aid in launching further attacks against the target system.

It should be noted that this issue has been reported to affect HappyMall E-Commerce 4.3 and 4.4 however, earlier versions may also be affected.

24. Movable Type Comment Form HTML Code Injection Vulnerability BugTraq ID: 7560
Remote: Yes
Date Published: May 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7560
Summary:

Movable Type is a web-based publishing system designed to ease maintenance of regularly updated web-sites for example news or weblogs.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

A problem with the Movable Type Comment Form could allow remote users to execute arbitrary code in the context of the web site hosting Movable Type. The problem occurs due to the lack of sanitization performed on encoded character representations of HTML tags.

Specifically, Movable Type fails to filter encoded HTML characters, for example '<' and '>'. As a result, a malicious user may have the ability to submit arbitrary HTML code in the 'Name', 'Email Address', 'URL' or 'Comments' fields of the Movable Type comment form. This code would be executed by a user's browser in the context of the vulnerable site.

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software. Other attacks are also possible.

It should be noted that all Movable Type versions prior to version 2.6 have been confirmed vulnerable. The vendor has reported that this vulnerability has been addressed in versions higher than 2.6.

25. Yahoo! Voice Chat ActiveX Control Unspecified Vulnerability BugTraq ID: 7561
Remote: Unknown
Date Published: May 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7561
Summary:

Users of Yahoo! Groups may participate in voice chat sessions by downloading the Yahoo! Audio Conferencing ActiveX control.

An unspecified vulnerability has been reported in the Yahoo! Audio Conferencing ActiveX control. This control should be removed from systems until a fix is available from Yahoo!.

Though unconfirmed, exploitation of this vulnerability by remote attackers may result in the compromise of affected hosts.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

This is a preliminary alert. This record will be updated when further details become available.

26. Clearswift MailSweeper PowerPoint File Denial of Service Vulnerability BugTraq ID: 7562
Remote: Yes
Date Published: May 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7562
Summary:

ClearSwift MAILsweeper is an SMTP gateway e-mail filtering product. It allows filtering based on email content, source, destination and attachments.

A vulnerability has been discovered in Clearswift MAILsweeper. By including malformed or corrupt embedded objects within a PowerPoint file, it is possible to trigger a denial of service in MAILsweeper. When encountered, the file will trigger a condition which will cause the process to enter an infinite loop. This will effectively result in the consumption of available system resources and an inevitable denial of service.

It should be noted that the precise details regarding the attributes of the malicious embedded objects are currently unknown.

The affected system may need to be reboot to restore previous functionality.

This vulnerability affects all MAILsweeper versions prior to 4.3.7.

27. BEA Systems WebLogic Multiple Password Storage Vulnerabilities BugTraq ID: 7563
Remote: No
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7563
Summary:

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

WebLogic is an enterprise application server distributed by BEA Systems.

Problems with the software could make unauthorized access to user credentials possible.

It has been reported that problems exist in the storage of passwords in BEA Systems WebLogic. This could lead to users gaining unauthorized access to passwords, and potentially unauthorized access to the WebLogic server.

Three issues exist:

The JDBCConnectionPoolRuntimeMBean password is displayed in clear-text via weblogic.Admin. This could allow a passerby to observe the password on the screen of a user logged in with administrative privileges in a "shoulder-surfing" attack scenario.

The default CredentialMapper stores passwords on the disk in clear-text. A local user with access sufficient to read the binary files used by the CredentialMapper could extract the passwords from the files.

Default implementations of WebLogic Server and WebLogic Express make details about the encryption of passwords available to unprivileged users. A user with access to the encrypted passwords, with knowledge of the encryption algorithms used, and access to the config.xml, filerealm.properties, and weblogic-rar.xml could gain access to the plain-text passwords.

28. Netscape Navigator False URL Information Vulnerability BugTraq ID: 7564
Remote: Yes
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7564
Summary:

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Netscape is a web browser that is available for a number of platforms, including Microsoft Windows and Unix and Linux variants.

An issue has been reported for Netscape Navigator that may result in a false sense of security for a user.

Due to the way Netscape handles the history.back() function, the URL displayed on the 'location bar' will not correspond to the actual URL of the site displayed in the browser window. As a result, a malicious attacker can exploit this issue to entice a user to visit a web site and make them believe they are at known or trusted page.

This vulnerability was reported for Netscape Navigator 7.02 for Windows operating systems.

29. CDRTools CDRecord Devname Format String Vulnerability BugTraq ID: 7565
Remote: No
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7565
Summary:

CDRecord is a component of the CDRTools package. CDRecord is a CD-Burning application developed for UNIX and Win32 platforms.

CDRecord has been reported prone to format string vulnerability. The issue presents itself due to a programming error that occurs when calling a printf-like function. Specifically, insufficient format specifiers are supplied when calling the js_sprintf() function in the 'scsiopen.c' source file.

It has been reported that by harnessing an unsupported feature of the CDRecord utility, an attacker may supply format string specifiers as a 'dev' argument passed to the vulnerable utility.

Confused? Frustrated?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

When the device name is processed the malicious format string specifiers may be interpreted. As a result, by supplying specifiers designed to write to memory it may be possible for sensitive locations in memory to be corrupted. This may ultimately result in the execution of attacker-supplied code in the context of the CDRecord utility.

It should be noted that reports indicate CDRecord as being installed setUID root on several distributions.

It should be noted that although this vulnerability has been reported to affect CDRecord version 2.0 previous versions might also be affected.

30. IP Messenger For Win Filename Buffer Overflow Vulnerability BugTraq ID: 7566
Remote: Yes
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7566
Summary:

IP Messenger is multi-platform pop up message communication software.

IP Messenger For Win has been reported prone to Buffer overflow Vulnerability.

Reportedly the issue presents itself due to a lack of sufficient bounds checking performed on the filename of a file supplied through IP Messenger. As a result, it may be possible for a remote user to corrupt sensitive memory within IP Messenger.

If data greater than the assigned size for the buffer is supplied as a filename, excessive data will overrun the bounds of the internal buffer and corrupt adjacent memory. Because adjacent memory may contain values that are crucial to programs execution flow, an attacker may seize control of the program. Ultimately the attacker may execute arbitrary operation codes. Code execution would occur in the context of the user running the vulnerable IP Messenger application.

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

31. PHP-Nuke Modules.PHP Username URI Parameter Cross Site Scripting Vulnerability BugTraq ID: 7570
Remote: Yes
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7570
Summary:

PHP-Nuke is a freely available, open source content management system written in PHP. It is available for Unix, Linux, and Microsoft Operating Systems.

A cross site scripting vulnerability has been reported for PHP-Nuke. Specifically, PHP-Nuke does not sufficiently sanitize user-supplied input for the 'username' URI parameter to the modules.php script.

As a result of this deficiency, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of a legitimate user. Specifically the attacker can pass malicious HTML code as a value for the 'username' URI parameter supplied to the 'modules.php' page. All code will be executed within the context of the website running PHP-Nuke.

This may allow for theft of cookie-based authentication credentials and other attacks.

This vulnerability was reported to affect PHP-Nuke version 6.5.

32. Clearswift MailSweeper Attachment Filename Validation Vulnerability BugTraq ID: 7568
Remote: Yes
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7568
Summary:

MailSweeper is an e-mail security product. It is designed to be deployed on gateway systems and provides the ability to filter content based on configured policy.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

A vulnerability has been reported in how MailSweeper handles filenames for attachments. MailSweeper does not sufficiently validate certain types of malformed filenames.

It may be possible to bypass MailSweeper security with attachment filenames that contain excessive trailing/leading whitespace, or uses multiple extensions.

It is possible that some attachments with malicious filenames or content may slip through MailSweeper. Knowledge of this problem could allow an attacker to bypass filtering of the software to send unauthorized attachment types into or out of the target network. This may also lead to a violation of local security policy.

33. AIX Sendmail Open Relay Default Configuration Weakness BugTraq ID: 7580
Remote: Yes
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7580
Summary:

Sendmail is a freely available, open source mail transport agent. It is available for various UNIX and Linux operating systems.

A problem with the default sendmail implementation on AIX systems may lead to violations in security policy.

It has been reported that the default sendmail configuration on AIX systems enables promiscuous e-mail relaying options. Because of this, a remote attacker may be able to use the e-mail server to obscure the origins of e-mail.

The problem is in the default sendmail.cf deployed with AIX. The sendmail.cf enables options that can allow anonymous remote users to relay e-mail through AIX systems. This could be used for spam, e-mail attacks, or other nefarious purposes.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

34. Phorum Post.PHP Cross-Site Scripting Vulnerability BugTraq ID: 7573
Remote: Yes
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7573
Summary:

Phorum is a PHP based web forums package.

A cross-site scripting vulnerability has been reported for Phorum. Specifically, Phorum does not sufficiently sanitize user-supplied input for some URI parameters to the post.php script.

As a result of this deficiency, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of a legitimate user. Specifically the attacker can pass malicious HTML code as a value for affected URI parameters supplied to the 'post.php' page. All code will be executed within the context of the website running Phorum.

This may allow for theft of cookie-based authentication credentials and other attacks.

This vulnerability was reported to affect Phorum prior to 3.4.3.

This vulnerability may be closely related to the issue described in BID 7545.

35. Phorum UserAdmin Arbitrary Command Execution Vulnerability BugTraq ID: 7578
Remote: Yes
Date Published: May 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7578
Summary:

Can we help you?
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: