SecurityFocus Newsletter #198

From: John Boletta <jboletta(at)securityfocus.com>
Date: Tue May 27 2003 - 11:00:57 EDT

This Issue is Sponsored By: Spidynamics

ALERT! "Outsmart Web Application Hackers"-FREE Product Trial

Test your Web Applications for over 4000 vulnerabilities! FREE Security Test via our 15 Day Product Trial that delivers a comprehensive vulnerability report. Secure your critical assets today!

Visit us at: http://www.spidynamics.com/mktg/freewebinspect54


I. FRONT AND CENTER
  1. Passive Network Traffic Analysis: Understanding a Network...
  2. Conducting a Security Audit: An Introductory Overview
  3. Cyber Insurance Between the Lines
II. BUGTRAQ SUMMARY
  1. HP-UX IPCS Unspecified Buffer Overflow Vulnerability
  2. HP-UX Kermit Unspecified Privilege Escalation Vulnerability
  3. Apple MacOS X IPSec Policy By Port Bypass Vulnerability
  4. SLocate Path Malloc Integer Signing Heap Overflow Vulnerability
  5. Maelstrom Server Argument Buffer Overflow Vulnerability
  6. PHPNuke Remote Main Modules Multiple SQL Injection Vulnerabilities
  7. Maelstrom Player Argument Buffer Overflow Vulnerability
  8. Engarde Secure Linux Default Address Daily Log Summary...
  9. ttCMS / ttForum Index.PHP Instant-Messages Preferences SQL...
  10. Snort Spoofed Packet TCP State Evasion Vulnerability
  11. PHP-Banner Exchange Path Disclosure Vulnerability
  12. Microsoft Netmeeting CALLTO URL Buffer Overflow Vulnerability
  13. Working Resources BadBlue Unauthorized HTS Access Vulnerability
  14. CUPS Cupsd Request Method Denial Of Service Vulnerability
  15. Microsoft Windows Media Player Automatic File Download and...
  16. WSMP3 Remote Information Disclosure Vulnerability
  17. Sun Cluster Database High Availability Insecure Password...
  18. WSMP3 Remote Command Execution Vulnerability
  19. WSMP3 Request Data Heap Overflow Vulnerability
  20. Owl Intranet Engine Search Cross Site Scripting Vulnerability
  21. Blackmoon FTP Server Plaintext User Password Weakness
  22. Blackmoon FTP Server Username Information Disclosure...
  23. Compaq Management Agents Remote Authentication Bypass...
  24. BZFlag Reconnect Denial Of Service Vulnerability
  25. Demarc PureSecure Plaintext Password Vulnerability
  26. SudBox Boutique login.PHP Authentication Bypass Vulnerability
  27. Qualcomm Eudora File Attachment Spoofing Variant Vulnerability
  28. Slackware rc.M Runlevel Script Unexpected Partition R...
  29. Platform Load Sharing Facility LSF_ENVDIR Local Command...
  30. OpenLDAP LDBM_Back_Exop_Passwd Denial Of Service Vulnerability
  31. ShareMailPro Username Identification Weakness
  32. IISProtect Authentication Bypass Vulnerability
  33. Apple QuickTime/Darwin Streaming Server QTSSReflector Module...
  34. Apple QuickTime/Darwin Streaming MP3Broadcaster ID3 T...
  35. XMB Forum Member.PHP Cross-Site Scripting Vulnerability
  36. Polymorph Filename Buffer Overflow Vulnerability
  37. Nessus LibNASL Arbitrary Code Execution Vulnerability
  38. Cisco VPN Client Privilege Escalation Variant Vulnerability
  39. Microsoft Internet Connection Firewall IPv6 Traffic Blocking...
  40. Magic Winmail Server USER POP3 Command Format String...
  41. EServ Directory Indexing Vulnerability
  42. EServ Unauthorized Proxy Access Vulnerability
  43. Prishtina FTP Client Remote Denial of Service Vulnerability
  44. IRIX MediaMail HOME Environment Variable Buffer Overflow...
III. SECURITYFOCUS NEWS ARTICLES
  1. PayPal Scam Rises Again
  2. Anti-Terror Law Used Against Hackers, Thieves
  3. Government to appoint new cybersecurity chief; some expect...
  4. Cybersecurity and You: Five Tips Every Consumer Should Know
IV. SECURITYFOCUS TOP 6 TOOLS
  1. Encrypted Virtual File System v0.3
  2. incident.pl v2.6
  3. LFT v2.2
  4. mtr v0.54
  5. Phayoune Firewall v0.3.6
  6. sysstat v4.1.3
V. SECURITYJOBS LIST SUMMARY
  1. Cleared, Navy looking for work in San Diego, CA (Thread)
  2. North East Coast Sr. Security Engineering Position Available...
  3. Administrivia (Thread)
  4. Business Development Director EMEA - based in UK (Thread)
  5. Field Engineer (DC and SF) (Thread)
  6. Senior Security Manager - Cleveland, Ohio (Thread)
  7. Neoteris is hiring!!! - Senior Technical Trainer - Silicon...
  8. Neoteris is hiring!!! - Product Marketing Manager - Silicon...
  9. Neoteris is hiring!!! - Technical Marketing Engineer - Silicon...
  10. Neoteris is hiring!!! - Manager, Business Development...
  11. Neoteris is hiring!!! - Inside Sales Rep - East Region (Thread)
  12. Neoteris is hiring!!! - Federal Sales Rep - VA/MD/DC (Thread)
  13. C++ Windows Security Developer in Seattle (Thread)
  14. Network Intrusion Tester Ad-hoc role, Auckland or Wellington...
  15. PricewaterhouseCoopers - Threat & Vulnerability Management...
  16. WANTED: "Top Secret" Consultants in Washington, DC (Thread)
  17. Senior Security Consultant - Financial (Thread)
  18. Senior Security Consultant - Healthcare (Thread)
  19. Tivoli Access Manager/Policy Director Architect available...
  20. PRE-SALES SECURITY ENGINEER, So. CA (Thread)
  21. Consultant Available (Thread)
  22. Vulnerability Assessment professional looking for contracts...
  23. Penetration Testing position in Knoxville, TN (Thread)
  24. Security Project Manager - Cleveland, Ohio (Thread)
  25. Architect Security Manager - Cleveland, Ohio (Thread)
  26. Software Test Engineer for Network Security Products...
  27. MD Community College Teaching Opportunities (Thread)
  28. IT Security Engineer (Defence Sector) UK (Thread)
  29. Security Practice Manager - Business Development...
  30. Application Security Consultant - Chicago, ILL (Thread)
  31. Information Security Risk Consultant - Chicago, ILL (Thread)
  32. CHICAGO OR DETROIT PRE SALES ENGINEER (Thread)
  33. Pre-Sales Engineers (Thread)
  34. Wanted -- Computer Forensic Examiner (Thread)
  35. Configuration Management Engineer (Lab) (Thread)
  36. Information Security Corporate Policy Developer (Thread)
  37. Information Security Policy Analyst (Thread)
  38. Senior Application Security Consultant #781 - NY - $100k...
  39. Vendor Security Assessment Coordinator #781 - NY - $100k...
  40. Application Penetration Tester Wanted (Thread)
  41. Corporate Systems Engineer in Bay Area (Thread)
  42. Wanted: Sales Exec - Enterprise Security Software for Banks...
VI. INCIDENTS LIST SUMMARY
  1. DDoS Attack (Thread)
  2. Possible Intrusion Attempt? (Thread)
  3. [ANNOUNCE] protocol watcher (Thread)
  4. cisco 7200 performance issue (Thread)
  5. ICMP/SYN Flood (Thread)
  6. A question for the list... (Thread)
  7. Scans from proxyprotector.com (Thread)
  8. proxyprotecor.com (Thread)
  9. Update on BIND ns_resp.c crash (Thread)
  10. Trojan modifying ntdll.dll and cmd.exe (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
  1. N00b questions :\ (Thread)
  2. [Vuln-dev Challenge] Challenge #2 (Thread)
  3. [Vuln-dev Challenge] example exploit for 2 (Thread)
  4. [Vuln-dev Challenge]: Symlink Attack (Thread)
  5. Frame Pointer Overwriting (Thread)
  6. [Vuln-dev Challenge] Challenge #2 (SPOILER) (Thread)
  7. Mac OS X shellcode and SIGTRAP (Thread)
  8. [Vuln-dev Challenge] nonexec stack&heap solution (encrypted)...
  9. Is this exploitable? (Thread)
  10. CORRECTION: vulndev1.c solution (WARNING! QUESTIONS!) (Thread)
  11. [Vuln-Dev Challenge] - VulnDev1.c Summary (Thread)
  12. ntoskrnl.exe and isql.exe hard crash (update) NetWare the...
  13. ELF ET_REL injection into ET_EXEC (Thread)
  14. ntoskrnl crashing hard via isqlw.exe (Thread)
  15. 127 Research and Development: 127 Day! (Thread)
  16. safe mallocs (was Re: vulndev-1 and a suggestion about the...
  17. OWL Intranet Engine (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
  1. Windows 2003 Server - MS Rulez? (Thread)
  2. Updated URLScan Security Tool Released (Thread)
  3. Netreg for Windows (Thread)
  4. Article Announcement: Passive Network Traffic Analysis:...
  5. Administrivia: Sobig/Mankx/Palyh (Thread)
  6. SecurityFocus Microsoft Newsletter #137 (Thread)
  7. Article Announcement: "Relax, It Was a Honeypot" (Thread)
  8. Article Announcement: Malware Myths and Misinformation, Part...
IX. SUN FOCUS LIST SUMMARY
  1. BSM Audit Records (Thread)
X. LINUX FOCUS LIST SUMMARY
  1. hardening scripts (Thread)
XI. SPONSOR INFORMATION


I. FRONT AND CENTER

1. Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring
By Kevin Timm

This article offers a brief overview of passive network monitoring, which can provide a thorough understanding of the network's topology: what services are available, what operating systems are in use, and what vulnerabilities may be exposed on the network.

http://www.securityfocus.com/infocus/1696

2. Conducting a Security Audit: An Introductory Overview
By Bill Hayes

This article will offer a brief overview of security audits: what they are, why they are important, and how they are conducted.

http://www.securityfocus.com/infocus/1697

3. Cyber Insurance Between the Lines
By Mark Rasch

Your company may already have insurance against computer attacks and electronic sabotage, without even knowing it.

http://www.securityfocus.com/columnists/163

II. BUGTRAQ SUMMARY


1. HP-UX IPCS Unspecified Buffer Overflow Vulnerability BugTraq ID: 7626
Remote: No
Date Published: May 19 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7626
Summary:

The HP-UX ipcs utility is allegedly prone to a locally exploitable buffer overflow condition. This utility is used to report IPC status.

This is likely due to insufficient bounds checking performed on user supplied data that is copied into an internal memory buffer. This could allow for corruption of sensitive regions of memory with attacker-supplied data, potentially resulting in a denial of service condition or ultimately the execution of malicious instructions.

This utility may be installed setgid 'sys' on vulnerable systems and could be exploited to gain these privileges.

This issue was reported to affect ipcs on HP9000 Series 700/800 running HP-UX 11.00. Other versions are not affected.

2. HP-UX Kermit Unspecified Privilege Escalation Vulnerability BugTraq ID: 7627
Remote: No
Date Published: May 19 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7627
Summary:

Kermit is a communications software package available with most implementations of the UNIX Operating System. A problem exists in the kermit software package distributed with HP-UX.

The HP-UX implementation of Kermit has been reported prone to a privilege escalation vulnerability.

The issue can be exploited by a local attacker to achieve 'bin' and group 'daemon' privileges.

This issue has been reported to affect HP9000 Series 700/800 that are running HP-UX releases 10.20 and 11.00. Other versions are not known to be affected.

3. Apple MacOS X IPSec Policy By Port Bypass Vulnerability BugTraq ID: 7628
Remote: Yes
Date Published: May 19 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7628
Summary:

MacOS X is the commercially available UNIX-based operating system distributed and maintained by Apple. It is available for Apple hardware.

A problem with MacOS X could make it possible for remote users to gain unintended access to hosts.

It has been reported that MacOS X does not properly handle some types of traffic when IPSec is enabled, and security policies are implemented by port. This could allow unauthorized users to gain access to potentially sensitive services.

Little detailed information about this vulnerability is available. What is known is that when security policies are designed to match on the basis of port, it may be possible to circumvent matching to pass unauthorized traffic to the host. It is speculated that this problem could be exploited to reach arbitrary services on the vulnerable host, though there is no information to confirm this hypothesis.

4. SLocate Path Malloc Integer Signing Heap Overflow Vulnerability BugTraq ID: 7629
Remote: No
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7629
Summary:

slocate is the Secure Locate program. It is available for various UNIX operating systems and is maintained as a public domain project.

A problem with slocate may make it possible for a local user to gain unauthorized privileges.

It has been reported that slocate is vulnerable to a signed integer overflow issue when handling data in the environment variable SLOCATE_PATH. Because of this problem, it may be possible for a local attacker to cause a heap corruption issue, potentially executing code.

The problem is in the handling of large amounts of data in the SLOCATE_PATH variable. By placing a specially crafted string in the environment variable, an attacker may cause a signed integer used in computing an allocation size to wrap, so that malloc() returns less memory than the data subsequently written into it requires. The resulting heap corruption could potentially be exploited by the attacker to execute code with the privileges of the slocate program.
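The integer-signing failure described above, as an added example that is not slocate's code: the page does not give the exact arithmetic slocate performs, so this models the class of bug it describes, with two lengths derived from SLOCATE_PATH added in a 32-bit signed int and bounds-checked with a signed comparison. The MAX_PATH_BYTES limit and the sample lengths are assumptions chosen to make the wrap visible; the hardened variant does the same arithmetic in size_t with explicit overflow checks.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative upper bound on a path; the real limit in slocate is not
 * given on the page (assumption). */
#define MAX_PATH_BYTES 4096

/* Vulnerable pattern (modelled, not slocate's code): two lengths derived
 * from SLOCATE_PATH are added in a 32-bit signed int and the sum is
 * bounds-checked with a *signed* comparison before reaching malloc().
 * The addition is performed in uint32_t so the wrap is well defined; the
 * cast to int32_t is the signed view the vulnerable code takes of the
 * same bits.  Returns the byte count malloc() would be asked for, or -1
 * if the check rejected the request. */
long vuln_alloc_size(uint32_t len_a, uint32_t len_b)
{
    uint32_t raw = len_a + len_b + 1u;     /* wraps modulo 2^32 */
    int32_t total = (int32_t)raw;          /* signed reinterpretation */
    if (total > MAX_PATH_BYTES)            /* a wrapped sum sails through */
        return -1;
    return (long)total;
}

/* Does the copy that follows (len_a + len_b + NUL bytes) exceed what the
 * vulnerable code allocated?  1 = heap overflow.  A negative "size" makes
 * malloc() fail rather than under-allocate, so that case is reported as
 * no overflow. */
int vuln_would_overflow(uint32_t len_a, uint32_t len_b)
{
    long alloc = vuln_alloc_size(len_a, len_b);
    if (alloc < 0) return 0;
    uint64_t needed = (uint64_t)len_a + (uint64_t)len_b + 1u;
    return needed > (uint64_t)alloc;
}

/* Hardened pattern: size_t arithmetic with explicit overflow checks, and
 * an unsigned comparison against the policy limit.  Returns the byte
 * count, or 0 on refusal (zero is never a valid size here). */
size_t safe_alloc_size(size_t len_a, size_t len_b)
{
    if (len_a > SIZE_MAX - len_b) return 0;         /* a + b would wrap */
    size_t total = len_a + len_b;
    if (total == SIZE_MAX) return 0;                /* + 1 would wrap */
    total += 1;
    if (total > (size_t)MAX_PATH_BYTES) return 0;   /* over the limit */
    return total;
}

int main(void)
{
    /* Constructed length pairs: ordinary, sign-bit wrap, and full wrap. */
    uint32_t cases[][2] = { { 10, 20 }, { 0x7FFFFFF0u, 0x20u }, { 0xFFFFFFF0u, 0x20u } };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t a = cases[i][0], b = cases[i][1];
        printf("a=%10u b=%4u  vuln malloc=%11ld  overflow=%d  safe=%zu\n",
               a, b, vuln_alloc_size(a, b), vuln_would_overflow(a, b),
               safe_alloc_size(a, b));
    }
    return 0;
}
```

The middle case shows the other half of the signed-size story: a sum that lands on the sign bit becomes negative, passes the `> MAX_PATH_BYTES` test, and would be handed to malloc() as a huge size_t, which fails rather than under-allocates; only a sum that wraps all the way past zero yields the small buffer the advisory describes. Both cases are rejected by the size_t version.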

5. Maelstrom Server Argument Buffer Overflow Vulnerability BugTraq ID: 7630
Remote: No
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7630
Summary:

Maelstrom is a multi-platform arcade game.

Maelstrom for Linux has been reported prone to a buffer overflow vulnerability.

The issue is reportedly due to a lack of sufficient bounds checking performed on user-supplied data before it is copied into an internal memory space.

Specifically, excessive data passed as the 'server' argument to the vulnerable Maelstrom executable, when copied into internal memory, may overrun the boundary of the assigned buffer and corrupt adjacent memory. Memory adjacent to this buffer has been reported to contain values that are crucial to controlling memory management or program execution flow. It may be possible for an attacker to seize control of the vulnerable application and have arbitrary code executed in the context of Maelstrom, which is typically installed setgid 'games'.

It should be noted that although this vulnerability has been reported to affect Maelstrom versions 3.0.6 and 3.0.5, previous versions might also be affected.

6. PHPNuke Remote Main Modules Multiple SQL Injection Vulnerabilities BugTraq ID: 7631
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7631
Summary:

PHPNuke is a freely available, open source web content management system. It is maintained by Francisco Burzi, and available for Unix, Linux, and Microsoft Windows operating systems.

Multiple input checking problems may make it possible for remote users to pass malicious data to the database.

It has been reported that multiple problems exist in the PHPNuke main modules. SQL injection issues exist in the Sections, Avantgo, Surveys, Downloads, Reviews, and Web_Links modules. These could allow an attacker to pass malicious SQL code to the database. It should be noted that multiple path disclosure issues also exist.

None of these modules properly handles the backtick character at certain positions in their queries. Because of this, an attacker can craft input that alters the query, which is then executed with the database privileges of the PHPNuke application.

7. Maelstrom Player Argument Buffer Overflow Vulnerability BugTraq ID: 7632
Remote: No
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7632
Summary:

Maelstrom is a multi-platform arcade game.

Maelstrom for Linux has been reported prone to a buffer overflow vulnerability.

The issue is reportedly due to a lack of sufficient bounds checking performed on user-supplied data before it is copied into an internal memory space.

Specifically, excessive data passed as the 'player' argument to the vulnerable Maelstrom executable, when copied into internal memory, may overrun the boundary of the assigned buffer and corrupt adjacent memory. Memory adjacent to this buffer has been reported to contain values that are crucial to controlling memory management or program execution flow. It may be possible for a local attacker to seize control of the vulnerable application and have arbitrary code executed in the context of Maelstrom, which is typically installed setgid 'games'.

It should be noted that although this vulnerability has been reported to affect Maelstrom versions 3.0.6 and 3.0.5, previous versions might also be affected.

8. Engarde Secure Linux Default Address Daily Log Summary Vulnerability BugTraq ID: 7633
Remote: No
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7633
Summary:

Engarde Secure Linux is a Linux distribution maintained by Guardian Digital.

A problem with the default configuration may prevent administrators from getting daily log summaries.

It has been reported that Engarde Secure Linux does not send daily log summaries to a valid address until the system is properly configured. This may lead to an administrator not getting daily log summaries, or having to manually review logs.

Symantec has not determined the security implications of this issue. However, the vendor has announced this issue in a security advisory.

9. ttCMS / ttForum Index.PHP Instant-Messages Preferences SQL Injection Vulnerability BugTraq ID: 7634
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7634
Summary:

ttForum is a web-based forum implemented in PHP and derived from YABB SE. ttCMS is another web-based forum and is in turn derived from ttForum.

A problem with ttCMS/ttForum could make it possible for a remote user to launch SQL injection attacks.

It has been reported that a problem exists in the Instant-Messages script distributed as part of the software. Due to insufficient sanitizing of input, it is possible for a remote user to inject arbitrary SQL into the database used by the web forums. Specifically, an attacker may modify SQL query logic by submitting SQL commands via the Ignorelist Textbox in the forum Instant-Messages preferences page.

This problem may allow a remote user to add themselves as an administrative user of an instance of ttCMS or ttForum. It may also allow a remote user to gain other information from SQL databases used by the affected software.

It should be noted that the current version of YaBB SE, the forum from which ttForum was derived, is not affected by this vulnerability.

10. Snort Spoofed Packet TCP State Evasion Vulnerability BugTraq ID: 7635
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7635
Summary:

Snort is a freely available, open source intrusion detection system. It is available for Unix, Linux, and Microsoft Windows platforms.

A vulnerability has been reported within the spp_stream4.c source file. The problem is said to occur while maintaining the state of an established session.

Specifically, Snort is said to call UpdateState before verifying the legitimacy of a packet received from a client partaking in a legitimate session. As a result, it may be possible to corrupt stateful inspection carried out by Snort.

This issue can be triggered by forging a packet to the server that carries the legitimate client's source IP address and port. When Snort encounters it, the session state is updated before Snort verifies that the packet is a legitimate part of the established session. The server, however, drops the same packet because its sequence and acknowledgement numbers are invalid for the connection, so Snort's view of the session no longer matches that of the endpoints.

An attacker could exploit this vulnerability to trigger a situation under which legitimate session traffic transmitted would no longer be detected by Snort.

This vulnerability has been reported to affect Snort 2.0.0rc2; however, other versions may also be affected.

It should be noted that this is a theoretical issue and has not yet been officially confirmed.
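The ordering problem described above, as an added illustration that is not Snort's code: a constructed model of a stream tracker that follows one client-to-server direction of a TCP session. The state machine (ESTABLISHED/CLOSING/CLOSED), the receive-window check, and the addresses and sequence numbers are assumptions; the point shown is that a tracker which mutates state before deciding whether the endpoint would have accepted the segment is desynchronized by a single spoofed FIN, after which the real client's data is no longer inspected, whereas a tracker that applies the endpoint's own acceptance check first ignores the spoof.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one tracked TCP session (client -> server
 * direction only).  Illustrative, not Snort's stream4 structures. */
enum tcp_state { ESTABLISHED, CLOSING, CLOSED };

typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint32_t next_seq;       /* next client byte the server expects */
    uint32_t window;         /* receive window the server advertised */
    enum tcp_state state;
} session_t;

typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint32_t seq;
    uint32_t len;            /* payload bytes */
    int fin, rst;
} packet_t;

static int tuple_matches(const session_t *s, const packet_t *p)
{
    return s->src_ip == p->src_ip && s->dst_ip == p->dst_ip &&
           s->src_port == p->src_port && s->dst_port == p->dst_port;
}

/* The check the endpoint itself applies: a segment is accepted only if it
 * starts inside the receive window.  Unsigned subtraction handles
 * sequence-number wrap. */
static int seq_in_window(const session_t *s, const packet_t *p)
{
    return (uint32_t)(p->seq - s->next_seq) < s->window;
}

static void update_state(session_t *s, const packet_t *p)
{
    if (p->rst)      s->state = CLOSED;
    else if (p->fin) s->state = CLOSING;
    s->next_seq = p->seq + p->len + (p->fin ? 1u : 0u);
}

/* Vulnerable ordering: state is updated as soon as the 4-tuple matches,
 * and only afterwards is the segment's legitimacy considered.  Returns 1
 * if the payload would be handed to inspection. */
int track_update_first(session_t *s, const packet_t *p)
{
    if (!tuple_matches(s, p)) return 0;
    int legit = seq_in_window(s, p);
    update_state(s, p);                 /* poisoned by a spoofed segment */
    return legit && s->state == ESTABLISHED;
}

/* Hardened ordering: a segment the endpoint would drop is ignored before
 * it can touch the tracked state. */
int track_verify_first(session_t *s, const packet_t *p)
{
    if (!tuple_matches(s, p)) return 0;
    if (!seq_in_window(s, p)) return 0; /* endpoint drops it, so do we */
    update_state(s, p);
    return s->state == ESTABLISHED;
}

/* Scenario from the advisory: an attacker forges one FIN with the real
 * client's address and port but a bogus sequence number, then the real
 * client keeps sending.  Returns how many of the two legitimate data
 * segments were inspected (constructed addresses and numbers). */
int run_scenario(int hardened)
{
    session_t s    = { 0x0A000001u, 0x0A000002u, 40000, 80, 1000u, 65535u, ESTABLISHED };
    packet_t spoof = { 0x0A000001u, 0x0A000002u, 40000, 80, 0xDEADBEEFu,   0, 1, 0 };
    packet_t data1 = { 0x0A000001u, 0x0A000002u, 40000, 80, 1000u,       100, 0, 0 };
    packet_t data2 = { 0x0A000001u, 0x0A000002u, 40000, 80, 1100u,        50, 0, 0 };
    int (*track)(session_t *, const packet_t *) =
        hardened ? track_verify_first : track_update_first;
    int inspected = 0;
    track(&s, &spoof);
    inspected += track(&s, &data1);
    inspected += track(&s, &data2);
    return inspected;
}

int main(void)
{
    printf("update-first tracker inspected %d of 2 legitimate segments\n", run_scenario(0));
    printf("verify-first tracker inspected %d of 2 legitimate segments\n", run_scenario(1));
    return 0;
}
```

Note that the spoof needs no payload and never reaches the server's application layer; its only job is to push the tracker's state machine somewhere the endpoints did not go. A real tracker must also cope with retransmissions and window updates, which the model omits.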

11. PHP-Banner Exchange Path Disclosure Vulnerability BugTraq ID: 7636
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7636
Summary:

PHP-Banner Exchange is banner management software. It is written in PHP and available for a number of operating systems including Microsoft Windows and Unix and Linux variants.

PHP-Banner Exchange is prone to a path disclosure vulnerability. Requesting the software's directory causes an error message to be displayed that contains path information.

PHP-Banner Exchange can be used as a module for PHP-Nuke.

Exploitation may be dependent on the web server and PHP configuration.

This type of information may aid an attacker in mapping out the filesystem for further attacks against the host.

12. Microsoft Netmeeting CALLTO URL Buffer Overflow Vulnerability BugTraq ID: 7639
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7639
Summary:

Microsoft Netmeeting sessions can be launched through Internet Explorer by browsing to a 'callto:' link. These links usually contain the address of the Netmeeting user to be called and may also contain a directory to retrieve the addressing information from.

It has been reported that clicking on a malformed 'callto:' URI using Internet Explorer may result in Windows failing due to a kernel mode exception. This issue may be due to a boundary condition error in one of the parameters accepted by the CALLTO protocol handler.

Successful exploitation of this vulnerability may result in a denial of service to the system. If this is due to a boundary condition error, it is not currently known if critical memory is overwritten that could allow for code execution.

Symantec was unable to reproduce this vulnerability on a Windows 2000 SP3 system running Internet Explorer 6.0 SP1 and Netmeeting 3.01 using the supplied proof of concept code.

It is important to note that the CALLTO protocol handler does not function by default on browsers other than Internet Explorer.

It has been reported that when Windows fails in this instance, a pointer may be overwritten. This indicates that code execution could be possible through successful exploitation of this vulnerability.

13. Working Resources BadBlue Unauthorized HTS Access Vulnerability BugTraq ID: 7638
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7638
Summary:

BadBlue is a P2P file sharing application distributed by Working Resources. It is available for Microsoft Windows operating systems.

BadBlue is prone to a vulnerability that could allow remote attackers to gain unauthorized access to administrative functions. BadBlue includes a server-side scripting language which uses '.htx' and '.hts' files. The '.hts' extension represents files that are only intended to be requested and executed by the local host.

It is possible to bypass BadBlue security checks when '.hts' files are requested by a remote user. BadBlue restricts access to non-HTML files by replacing the first two letters in the file extension of a requested resource with 'ht'. If the third character of a file extension is 's', then it is possible to trick BadBlue into serving a non-HTML file with an extension of '.hts'. This will bypass other security checks which would normally prevent BadBlue from serving these files to remote users.

Exploitation could result in unauthorized access to administrative functions provided in '.hts' files.

14. CUPS Cupsd Request Method Denial Of Service Vulnerability BugTraq ID: 7637
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7637
Summary:

CUPS, the Common Unix Printing System, is a widely used set of printing utilities for Unix-based systems.

The cupsd daemon has been reported prone to a denial of service vulnerability.

The issue presents itself when a remote attacker sends an incomplete HTTP POST request. cupsd does not apply an adequate time-out to the pending request, and service is denied to subsequent cupsd requests while it waits.

This issue may be exploited by remote attackers to deny cupsd service to legitimate users.
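The missing time-out described above, as an added example that is not CUPS code: a request-head reader that gates every read on poll() so a client which stops sending mid-request releases the server within a bounded time, driven by a constructed client over a socketpair. The request strings, the /printers paths and the time-out values are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Read an HTTP request head (through the terminating blank line) from fd.
 * Unlike a bare blocking read loop, each read is gated by poll(), so a
 * client that goes quiet mid-request releases the server within
 * timeout_ms.  Returns the number of bytes read, -1 on timeout or
 * disconnect, -2 if the head does not fit the buffer. */
long read_request_head(int fd, char *buf, size_t cap, int timeout_ms)
{
    size_t used = 0;
    while (used + 1 < cap) {
        struct pollfd pfd = { fd, POLLIN, 0 };
        int r = poll(&pfd, 1, timeout_ms);
        if (r == 0) return -1;                         /* client went quiet */
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        ssize_t n = read(fd, buf + used, cap - 1 - used);
        if (n <= 0) return -1;                         /* closed or error */
        used += (size_t)n;
        buf[used] = '\0';
        if (strstr(buf, "\r\n\r\n") != NULL) return (long)used;
    }
    return -2;                                         /* oversized head */
}

/* Drive the reader with a constructed client over a socketpair.  The
 * client writes `request` and then goes silent without closing, exactly
 * what an attacker holding a slot open would do. */
static long serve_one(const char *request, int timeout_ms)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -99;
    ssize_t w = write(sv[1], request, strlen(request));
    (void)w;
    char buf[1024];
    long r = read_request_head(sv[0], buf, sizeof buf, timeout_ms);
    close(sv[0]);
    close(sv[1]);
    return r;
}

/* Incomplete POST of the kind the advisory describes: the headers never
 * end, so a reader without a time-out would block here forever. */
long demo_stalled_post(int timeout_ms)
{
    return serve_one("POST /printers/lp HTTP/1.1\r\nHost: cups\r\nContent-Length: 512\r\n",
                     timeout_ms);
}

/* A well-formed request head is returned in full. */
long demo_complete_request(void)
{
    return serve_one("GET /printers HTTP/1.1\r\nHost: cups\r\n\r\n", 1000);
}

int main(void)
{
    printf("stalled POST -> %ld (expect -1: timed out, slot released)\n",
           demo_stalled_post(200));
    printf("complete GET -> %ld bytes of request head\n", demo_complete_request());
    return 0;
}
```

The time-out bounds how long one connection can occupy a worker; it does not by itself stop an attacker from opening many connections at once, which additionally needs a per-client connection limit or a concurrency model where one stalled client cannot hold the accept loop.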

15. Microsoft Windows Media Player Automatic File Download and Execution Vulnerability BugTraq ID: 7640
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7640
Summary:

Windows Media Player could allegedly allow files to be downloaded and executed without user intervention.

When a specifically crafted XMLNS (XML Name Space) URI is embedded within an HTML email message, a media file referenced in the URI may be automatically downloaded. If this is combined with the vulnerability described in BID 5543 (Microsoft Windows Media Player File Attachment Script Execution Vulnerability), a malicious script or executable file may be automatically downloaded and executed on the vulnerable system.

This vulnerability was reported to affect systems running Outlook Express 6.00.2800.1123 and Windows Media Player 7.01.00.3055 or 8.00.00.4487. Windows Media Player 9 series is said to be unaffected.

Symantec was unable to reproduce this vulnerability in testing with Outlook Express 6.00.2800.1123 and Windows Media Player 7.01.00.3055.

16. WSMP3 Remote Information Disclosure Vulnerability BugTraq ID: 7642
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7642
Summary:

WsMp3 is a web server designed to stream MP3 files over the internet. It is available for the Linux operating system.

A vulnerability has been reported for WsMp3. The problem is said to occur due to insufficient sanitization of HTTP GET requests. Specifically, WsMp3 fails to strip directory traversal sequences (../) from requests. As a result, an attacker may be capable of accessing the contents of sensitive system resources. Information obtained in this manner may aid an attacker in launching further attacks against the target system.

All files accessed in this manner are read with the privileges of WsMp3d, typically root.

This vulnerability is said to affect WsMp3 0.0.10 and earlier.

17. Sun Cluster Database High Availability Insecure Password Storage Vulnerability BugTraq ID: 7641
Remote: No
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7641
Summary:

Sun Cluster is the high availability software distributed and maintained by Sun Microsystems.

A problem with the software may give users unauthorized access to resources.

It has been reported that the use of Sun Cluster may make some types of sensitive information more easily accessible to local attackers. This could lead to an attacker gaining unauthorized access to database resources.

The problem is in the handling of password storage. When the database high availability software is used in conjunction with Oracle or Sybase, passwords are stored in the cluster configuration file in plain text. A local user could exploit this to gain access to the database using one of the stored passwords.

18. WSMP3 Remote Command Execution Vulnerability BugTraq ID: 7645
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7645
Summary:

WsMp3 is a web server designed to stream MP3 files over the internet. It is available for the Linux operating system.

A vulnerability has been reported for WsMp3. The problem is said to occur due to insufficient sanitization of HTTP POST requests. Specifically, WsMp3 fails to strip directory traversal sequences (../) from requests. As a result, an attacker may be capable of running arbitrary executables. This may lead to the complete compromise of a target system.

All files executed in this manner would be invoked with the privileges of WsMp3d, typically root.

This vulnerability is said to affect WsMp3 0.0.10 and earlier.
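Both WsMp3 traversal entries (the GET-based disclosure above and this POST-based execution issue) come down to a request path that is joined to the server's root without being canonicalized. The following is an added example, not WsMp3 code, showing why the "stripping" approach the advisories allude to is insufficient and what to do instead: a one-pass removal of "../" is defeated by an input that reassembles "../" after the pass, whereas resolving the path segment by segment and refusing any ".." that would pop past the root closes the hole without consulting the filesystem. The document root /var/lib/wsmp3 and the sample requests are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_SEGS 64

/* "Stripping" approach: remove every "../" in one left-to-right pass.
 * Included only to show why it is insufficient. */
void naive_strip(const char *req, char *out, size_t outlen)
{
    size_t used = 0;
    const char *p = req;
    while (*p && used + 1 < outlen) {
        if (strncmp(p, "../", 3) == 0) { p += 3; continue; }
        out[used++] = *p++;
    }
    out[used] = '\0';
}

/* Canonicalise the request path and join it to root without touching the
 * filesystem.  Empty and "." segments are dropped; ".." pops a segment
 * only if one exists *inside* the root, otherwise the request is refused.
 * Returns 1 on success (safe absolute path in out), 0 on refusal. */
int safe_join(const char *root, const char *req, char *out, size_t outlen)
{
    const char *seg[MAX_SEGS];
    size_t seglen[MAX_SEGS];
    int n = 0;
    const char *p = req;

    while (*p) {
        while (*p == '/') p++;                     /* skip separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.') continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0) return 0;                  /* would leave root */
            n--;
            continue;
        }
        if (n == MAX_SEGS) return 0;
        seg[n] = start; seglen[n] = len; n++;
    }

    size_t used = strlen(root);
    if (used >= outlen) return 0;
    memcpy(out, root, used);
    for (int i = 0; i < n; i++) {
        if (used + 1 + seglen[i] >= outlen) return 0;
        out[used++] = '/';
        memcpy(out + used, seg[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return 1;
}

int main(void)
{
    const char *root = "/var/lib/wsmp3";           /* assumed document root */
    const char *reqs[] = { "albums/./track01.mp3", "../../etc/passwd",
                           "albums/../../etc/passwd", "....//etc/passwd" };
    char stripped[256], joined[256];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        naive_strip(reqs[i], stripped, sizeof stripped);
        int ok = safe_join(root, reqs[i], joined, sizeof joined);
        printf("%-26s strip->%-18s canonical->%s\n", reqs[i], stripped,
               ok ? joined : "(refused)");
    }
    return 0;
}
```

safe_join expects an already percent-decoded path; decode "%2e"/"%2f" before calling it, reject embedded NUL bytes, and if the root may contain symlinks, follow up with realpath() and a prefix check on the result, since a path that is lexically inside the root can still point outside it.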

19. WSMP3 Request Data Heap Overflow Vulnerability BugTraq ID: 7643
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7643
Summary:

WSMP3 is a freely available server that allows users to stream MP3 files.

WSMP3 is prone to a remotely exploitable heap overflow. Request data, which will be stored in dynamically allocated memory, is not sufficiently checked for a bounds violation before being freed. This lack of bounds checking occurs in multiple places in the 'req_descriptor.c' source file. An attacker may leverage this condition to corrupt malloc headers with custom data.

It is possible to exploit this issue to execute malicious instructions with the privileges of the WSMP3 server.

20. Owl Intranet Engine Search Cross Site Scripting Vulnerability BugTraq ID: 7644
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7644
Summary:

Owl is a web-based multi user document repository implemented in PHP4. It is used to publish and share files via a web browser.

Owl Intranet Engine has been reported prone to a Cross-Site Scripting vulnerability.

It has been reported that search queries are not sufficiently sanitized of HTML and script code; an attacker may therefore supply arbitrary HTML and script code as a search query submitted to the vulnerable site. When the malicious search is submitted, the script code contained within the query is rendered in the victim's browser in the security context of the vulnerable website.

This vulnerability may be exploited to steal another user's session ID. Other attacks are also possible.

Owl version 0.71 and previous have been reported vulnerable.

21. Blackmoon FTP Server Plaintext User Password Weakness BugTraq ID: 7646
Remote: No
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7646
Summary:

Blackmoon FTP Server is an FTP Server for Microsoft Windows operating systems.

Blackmoon FTP Server stores authentication credentials for the FTP service on the local system in plaintext. These credentials are stored in the 'blackmoon.mdb' file in the program directory. Local users with access to this file may gain unauthorized access to the server as a result.

Exposure of authentication credentials may also lead to compromise of other services/resources if the same credentials are commonly used.

It should be noted that although this weakness was reported to affect Blackmoon FTP server version 2.6, previous versions might also be affected.

22. Blackmoon FTP Server Username Information Disclosure Vulnerability BugTraq ID: 7647
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7647
Summary:

Blackmoon FTP Server is an FTP Server for Microsoft Windows operating systems.

It has been reported that Blackmoon FTP Server is prone to an information disclosure weakness.

The problem exists in the way the FTP server handles the authentication procedure. Specifically, the FTP server returns a '530-Account does not exist.' error message to the client if the supplied username is invalid, before disconnecting the client. An attacker may exploit this difference in responses to enumerate valid usernames.

It should be noted that although this weakness was reported to affect Blackmoon FTP server version 2.6, previous versions might also be affected.

23. Compaq Management Agents Remote Authentication Bypass Vulnerability BugTraq ID: 7648
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7648
Summary:

Compaq Management Agents is a web-based interface designed to monitor various system device parameters. It is available for a variety of operating systems including Unix, GNU/Linux, and Microsoft Windows.

A vulnerability has been reported for Compaq Management Agents (CMA). The problem is said to present itself when anonymous access has been enabled. Supposedly, if the administrator password has been changed from the default, an unauthorized remote user may gain administrative access. This can be accomplished by placing 'administrator' in all fields at the password screen.

Successful exploitation of this issue will allow an attacker to gain administrative access to the CMA interface. This may result in the tampering of sensitive system device settings or possibly other attacks.

This vulnerability has been reported to affect Compaq Management Agents 4.36 and Insight Manager Version 5.0.


24. BZFlag Reconnect Denial Of Service Vulnerability BugTraq ID: 7649
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7649
Summary:

BZFlag is a multi-player action game. It is available for a number of operating systems, including Microsoft Windows and Unix/Linux variants.

BZFlag is prone to a denial of service vulnerability. Users that have established a session with BZFlag may cause a denial of service by reconnecting and flooding BZFlag ports with excessive amounts of data. This may reportedly cause a server crash or a memory leak that could exhaust available resources. Though unconfirmed, exploitation could result in memory corruption, which may allow for execution of malicious code.

This issue was reported in BZFlag 1.7g0. Other versions are also likely affected.

25. Demarc PureSecure Plaintext Password Vulnerability BugTraq ID: 7650
Remote: No
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7650
Summary:

Demarc PureSecure is a commercially available graphical front-end for Snort, in addition to being a generalized network monitoring solution. Snort is a popular open-source NIDS (Network Intrusion Detection System). Demarc PureSecure will run on most Linux and Unix variants, as well as Microsoft Windows NT/2000/XP operating systems.

A problem with the Demarc PureSecure software could make unauthorized access to user credentials possible.

It has been reported that a problem exists in the method used in the storage of passwords by Demarc PureSecure. This could lead to users gaining unauthorized access to passwords, and potentially unauthorized access to the central/remote logging server.


Specifically, Demarc PureSecure stores certain user passwords on disk in plain-text format by default. A local user with sufficient access to read the files used by Demarc PureSecure may disclose the usernames and passwords.

Information gathered in this way may be used to aid in further attacks launched against the vulnerable system.

It should be noted that although this vulnerability has been reported to affect Demarc PureSecure version 1.0.6, previous versions might also be affected.

26. SudBox Boutique login.PHP Authentication Bypass Vulnerability BugTraq ID: 7651
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7651
Summary:

SudBox Boutique is a web-based script designed for use by online shops.

A vulnerability has been reported for SudBox Boutique. The problem has been reported to occur while validating a request to login.php. The affected script fails to initialize the 'check' variable, which is later used to verify administrative authorization. As a result, an attacker can bypass the authentication mechanism by making a request that sets the 'check' and 'admin' variables.

This may allow an attacker to obtain sensitive information or possibly corrupt online shop settings. Other attacks may also be possible.

This vulnerability is said to affect SudBox Boutique version 1.2; however, earlier versions are also affected.


27. Qualcomm Eudora File Attachment Spoofing Variant Vulnerability BugTraq ID: 7653
Remote: Yes
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7653
Summary:

Eudora is a graphical e-mail client for Windows computers offered for free by Qualcomm.

Eudora is reported to be prone to an issue which may allow attackers to spoof the file extension in an attachment. This may aid an attacker in enticing a user of the e-mail client into executing malicious content.

It is possible to refer to other files or attachments in a message through specially formatted inline text.

If the CR (carriage return) character (0x0D, Ctrl-M) is embedded anywhere in the 'Attachment Converted' string, it is possible to execute message attachments without further user interaction.

Successful exploitation may require the attacker to know the full path to the attachment directory.

It is likely that this vulnerability is related to the issue described in BID 5432.

28. Slackware rc.M Runlevel Script Unexpected Partition Remounting Weakness BugTraq ID: 7654
Remote: No
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7654
Summary:

The rc.M runlevel script used by Slackware is invoked when a system is entering multi-user mode. During the execution of rc.M the '/sbin/quotacheck' file is invoked, which is used to analyze the usage of files and directories on a target filesystem.


A weakness has been discovered in the rc.M runlevel script when invoking quotacheck. The problem lies in the use of the '-M' command-line switch in place of the intended '-m' switch. As a result, '-M' will cause the filesystem, and thus the corresponding partition, to be remounted. When this occurs, any normally enforced mount options, such as 'noexec', 'nosuid', etc., may not be applied.

This may result in an administrator having a false sense of security. Furthermore, access to less restrictive partitions may aid a local attacker in successfully launching unrelated attacks.

This vulnerability is said to affect the Slackware 9.0 rc.M script; however, earlier releases of Slackware may also be affected.

29. Platform Load Sharing Facility LSF_ENVDIR Local Command Execution Vulnerability BugTraq ID: 7655
Remote: No
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7655
Summary:

Load Sharing Facility is a high availability and load balancing software package distributed and maintained by Platform. It is available for Unix, Linux, and Microsoft Windows.

A problem in the software for the Unix and Linux platforms may make it possible for a local user to gain unauthorized privileges.

It has been reported that Load Sharing Facility (LSF) does not properly handle input in environment variables. Because of this, an attacker may be able to gain escalated privileges on a vulnerable system.

The problem is in the handling of environment variables. Shortly after it starts, the lsadmin program calls the lim program. The path to lim is specified in the configuration file. However, the location that is checked for this program can be changed by altering the LSF_ENVDIR environment variable, forcing lsadmin to look for the lim program in a different location. By doing so, it is possible to create a malicious copy of the lim program which would be executed with the privileges of the lsadmin program. The lsadmin program is typically installed with elevated privileges.


30. OpenLDAP LDBM_Back_Exop_Passwd Denial Of Service Vulnerability BugTraq ID: 7656
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7656
Summary:

OpenLDAP is an open-source implementation of the LDAP protocol.

OpenLDAP is prone to a remotely exploitable denial of service. Under some circumstances, the server may attempt to free an uninitialized structure during authentication. This issue exists in the 'password.c' source file. According to the vendor, this issue can occur when 'struct berval' is uninitialized and freed by the ldbm_back_exop_passwd() function (which handles LDAP Modify Password Extended Operations).

This could deny availability of LDAP services to legitimate users.

31. ShareMailPro Username Identification Weakness BugTraq ID: 7658
Remote: Yes
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7658
Summary:

ShareMailPro is an e-mail server solution designed for use with Microsoft Windows systems.

A weakness has been reported in ShareMailPro that may reveal the existence of usernames to remote attackers.

This weakness is due to the fact that ShareMailPro responds with different messages depending on whether a given username exists or not.


If an attacker connects with a non-existent username, the following message is displayed:

-ERR sorry , no such mailbox

An attacker may be able to use this information to launch further intelligent attacks against the server or to launch a brute force password attack against a known user name.

This vulnerability was reported for ShareMailPro 3.6.1.

32. IISProtect Authentication Bypass Vulnerability BugTraq ID: 7661
Remote: Yes
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7661
Summary:

iisProtect is a security product for Microsoft Windows that provides authentication based access control to protect web resources.

A vulnerability has been reported that may allow iisProtect authentication to be circumvented by web users. It is possible to bypass authentication and gain access to web resources by submitting a request containing URL-encoded character representations. iisProtect fails to recognize these character representations, but the underlying IIS server will interpret them and serve the resource that is requested.

Remote attackers may exploit this issue to gain access to sensitive web resources, which could allow for other attacks which compromise web resources.
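The root cause above is a filter that authorizes on the raw request path while the web server serves the decoded one. The following is an added illustration of that mismatch and of the fix (canonicalize before authorizing); it is not iisProtect's or IIS's code, and the prefix list, function names and sample paths are constructed.

```python
import posixpath
from urllib.parse import unquote

# Constructed ACL: path prefixes that require authentication (hypothetical).
PROTECTED_PREFIXES = ("/secure/", "/admin/")


def is_protected_naive(raw_path: str) -> bool:
    """Authorize on the path exactly as received, without decoding.

    This is the weak pattern: a percent-encoded request does not match the
    ACL here, yet the web server decodes it and serves the same resource.
    """
    return raw_path.lower().startswith(PROTECTED_PREFIXES)


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to the form the server will actually resolve.

    Percent-decoding is repeated until stable (bounded, so double encoding is
    handled), backslashes are folded to '/', '.'/'..' segments are collapsed,
    and the result is lower-cased to match a case-insensitive filesystem.
    """
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = posixpath.normpath(path.replace("\\", "/"))
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()


def is_protected_canonical(raw_path: str) -> bool:
    """Authorize on the canonical path, so encoding tricks cannot skip the ACL."""
    path = canonicalize(raw_path)
    # normpath strips a trailing slash, so '/secure' itself must also match.
    return any(path == pre.rstrip("/") or path.startswith(pre)
               for pre in PROTECTED_PREFIXES)
```

Run the two checks on the same request and compare: the naive filter only agrees with the canonical one when the path arrives unencoded.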


33. Apple QuickTime/Darwin Streaming Server QTSSReflector Module Integer Overflow Vulnerability BugTraq ID: 7659
Remote: Yes
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7659
Summary:

The Darwin/QuickTime Streaming Servers are used as a web interface for Streaming Server configuration. They are available for the Linux, Solaris, Microsoft Windows and MacOS X operating systems.

A vulnerability has been reported for Apple QuickTime/Darwin Streaming Server. The problem is said to occur within the QTSSReflector module while processing the ANNOUNCE command. Specifically, by setting the Content-Length of an ANNOUNCE request to 0xffffffff (4294967295), it may be possible to overflow an unsigned integer. As a result, an unexpected calculation may occur within the affected module, causing the server to crash. Given the value that is supplied to Content-Length, this issue may actually be a result of signed/unsigned variable mismatching. This behavior, however, has not been confirmed.

It should be noted that it has been speculated that this issue may be exploitable to corrupt process memory. If so, it may be possible for an attacker to overwrite sensitive values in an attempt to execute arbitrary instructions with the privileges of the server.

Apple has confirmed that this issue may be exploitable to trigger a denial of service. However, it is believed that remote exploitability is unlikely as it would require an administrator to manually configure the service to permit unauthenticated broadcasts.
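To make the arithmetic concrete, the following added example models the unsigned wrap the summary describes (a 32-bit length plus a small overhead wrapping to a tiny value) and shows the validation a server should apply to an ANNOUNCE Content-Length before it drives any allocation. This is not Apple's code; the body limit, function names and sample requests are constructed, and the wrap pattern is an assumption about the bug's mechanics, which the summary itself notes is unconfirmed.

```python
UINT32_MASK = 0xFFFFFFFF
MAX_ANNOUNCE_BODY = 64 * 1024   # constructed policy limit for an SDP body


def wrapped_alloc_size(content_length: int, overhead: int = 1) -> int:
    """Mimic a C expression like 'len + overhead' on a 32-bit unsigned value.

    With len == 0xffffffff the sum wraps, so a huge declared body yields a
    near-zero allocation that the later copy will overrun.
    """
    return (content_length + overhead) & UINT32_MASK


def parse_content_length(value: str) -> int:
    """Validate a Content-Length header value before using it as a size."""
    text = value.strip()
    if not text.isdigit():            # rejects '-1', '+5', hex, empty strings
        raise ValueError("Content-Length is not a non-negative integer")
    length = int(text)
    if length > MAX_ANNOUNCE_BODY:    # bound it well below any 32-bit wrap
        raise ValueError("Content-Length exceeds permitted body size")
    return length


def announce_body_length(request: bytes) -> int:
    """Extract and validate Content-Length from an RTSP ANNOUNCE header block."""
    head, sep, _body = request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("ascii").split("\r\n")
    if lines[0].split(" ")[0] != "ANNOUNCE":
        raise ValueError("not an ANNOUNCE request")
    headers = [line.split(":", 1) for line in lines[1:] if ":" in line]
    lengths = [v for k, v in headers if k.strip().lower() == "content-length"]
    if len(lengths) != 1:
        raise ValueError("missing or duplicate Content-Length")
    return parse_content_length(lengths[0])


def accepts(request: bytes) -> bool:
    """True if the request's declared body length passes validation."""
    try:
        announce_body_length(request)
        return True
    except ValueError:
        return False


# Constructed sample requests, not captured traffic.
GOOD_ANNOUNCE = (b"ANNOUNCE rtsp://example.invalid/live.sdp RTSP/1.0\r\nCSeq: 1\r\n"
                 b"Content-Type: application/sdp\r\nContent-Length: 142\r\n\r\n")
BAD_ANNOUNCE = (b"ANNOUNCE rtsp://example.invalid/live.sdp RTSP/1.0\r\nCSeq: 2\r\n"
                b"Content-Type: application/sdp\r\nContent-Length: 4294967295\r\n\r\n")
```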

34. Apple QuickTime/Darwin Streaming MP3Broadcaster ID3 Tag Handling Vulnerability BugTraq ID: 7660
Remote: Yes
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7660
Summary:

The Apple QuickTime/Darwin MP3 Broadcaster is encoding software used to stream online broadcasts. It is available for the Linux, Solaris, Microsoft Windows and MacOS X operating systems.

MP3Broadcaster has been reported prone to a vulnerability when processing malformed ID3 tag information. The issue presents itself, under specific conditions, when the user invokes the MP3Broadcaster utility using the '-X -l' command line options to generate a list based on malicious MP3 files. When a malformed integer within the ID3 data of a malicious MP3 file is processed, a miscalculation may occur which could potentially result in the corruption of process memory. This is likely due to insufficient sanity checks performed when handling signed integer values contained within MP3 file ID3 tags.


Apple has confirmed that this issue may be exploitable to trigger a denial of service. However, it is believed that remote exploitability is unlikely, as it would require an administrator to manually configure the service to permit unauthenticated broadcasts.

35. XMB Forum Member.PHP Cross-Site Scripting Vulnerability BugTraq ID: 7662
Remote: Yes
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7662
Summary:

XMB Forum 1.8 is a web-based discussion forum.

XMB Forum has been reported prone to a cross-site scripting vulnerability.

XMB Forum does not adequately filter script code from URL parameters, making it prone to cross-site scripting attacks. Attacker-supplied script code may be included in a malicious link to the 'member.php' script. The attacker-supplied script code will be executed in the browser of a web user who visits this link, in the security context of the host running XMB Forum. Such a link might be included in an HTML e-mail or on a malicious web page.

This may enable a remote attacker to steal cookie-based authentication credentials from legitimate users of a host running XMB Forum.

It should be noted that although this vulnerability has been reported to affect XMB Forum version 1.8, previous versions might also be affected.

36. Polymorph Filename Buffer Overflow Vulnerability BugTraq ID: 7663
Remote: No
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7663
Summary: