Pantek Library

SecurityFocus Newsletter #199

From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon Jun 02 2003 - 14:59:10 EDT

SecurityFocus Newsletter #199


This Issue is Sponsored by: Interland

"For a limited time get 15% OFF Netscreen Firewalls and an additional 15% OFF any Managed Dedicated Hosting Solution from Interland. Knowledgeable 24/7/365 Technical Support. Call 1-877-504-0091 for more details on how to protect your dedicated server."

Visit us at: http://www.securityfocus.com/Interland-sf-news


I. FRONT AND CENTER
  1. ** Announcing the new SecurityFocus Pen-Test and Firewalls Focus Areas **
  2. Malware Myths and Misinformation Part 2
  3. A Special Needs Class
  4. Untrustworthy Passport
II. BUGTRAQ SUMMARY
  1. TextPortal Undocumented Username / Password Weakness
  2. IISProtect Web Administration Interface SQL Injection...
  3. UML_NET Integer Mismanagement Code Execution Vulnerability
  4. BLNews Remote File Include Vulnerability
  5. Ultimate PHP Board admin_iplog.PHP Arbitrary PHP Execution...
  6. Encrypted Virtual Filesystem Local Heap Overrun Vulnerability
  7. AnalogX Proxy URI Buffer Overflow Vulnerability
  8. FastTrack P2P Supernode Packet Handler Buffer Overflow...
  9. D-Link DI-704P Syslog.HTM Denial Of Service Vulnerability
  10. Ifenslave Argument Local Buffer Overflow Vulnerability
  11. Multiple Vignette Cross-Site Scripting Vulnerabilities
  12. Vignette Unauthorized Legacy Tool Access Vulnerability
  13. Vignette Memory Disclosure Vulnerability
  14. Vignette SSI Injection Vulnerability
  15. Vignette Style Template Information Leakage Vulnerability
  16. Vignette Login Template User Information Leakage Vulnerability
  17. Vignette License Template Denial Of Service Vulnerability
  18. BRS WebWeaver POST and HEAD Denial Of Service Vulnerability
  19. PalmVNC Insecure Password Storage Vulnerability
  20. P-News Administrative Account Creation Vulnerability
  21. Vignette VALID_PATHS Command TCL Code Injection Vulnerability
  22. Vignette NEEDS Command TCL Code Injection Vulnerability
  23. Batalla Naval Remote Buffer Overflow Vulnerability
  24. Remote PC Access Denial Of Service Vulnerability
  25. Privatefirewall FIN/XMas Scan Traffic Handling Vulnerability
  26. BNC IRC Proxy Multiple Session Denial of Service Vulnerability
  27. PostNuke Phoenix Glossary Module SQL Injection Vulnerability
  28. PostNuke Phoenix Main Modules Multiple Path Disclosure...
  29. PostNuke Phoenix Rating System Denial Of Service Vulnerability
  30. iPlanet Messaging Server HTML Attachment Cross Site Scripting...
  31. Newsscript Administrative Privilege Elevation Vulnerability
  32. Upclient Command Line Argument Buffer Overflow Vulnerability
  33. ST FTP Service Information Disclosure Vulnerability
  34. Microsoft Internet Explorer Malformed JavaScript Denial of...
  35. Meteor FTP Server Username Information Disclosure Vulnerability
  36. Eterm PATH_ENV Buffer Overflow Vulnerability
  37. Sun One Application Server Request Logging Circumvention Weakness
  38. Sun ONE Application Server Source Disclosure Vulnerability
  39. Sun ONE Application Server Error Message Cross-Site Scripting...
  40. Sun ONE Application Server Plaintext Password Vulnerability
  41. Multiple HP Tru64 Unspecified CDE Privilege Escalation...
  42. Red Hat Linux up2date Unspecified Vulnerability
  43. Softrex Tornado WWW-Server File Disclosure Vulnerability
  44. Softrex Tornado WWW-Server Buffer Overflow Vulnerability
  45. Super-M Son hServer File Disclosure Vulnerability
  46. Multiple Vendor FTP Server File Disclosure Vulnerability
III. SECURITYFOCUS NEWS ARTICLES
  1. California Supremes Hear DeCSS Case
  2. Report: Too Much Cyber Security at CIA
  3. Palm signs Wi-Fi security, access, VoIP deals
  4. US cyber crime losses tumble
IV. SECURITYFOCUS TOP 6 TOOLS
  1. Access Control Designer vbeta1
  2. IPA v1.3.4
  3. BCWipe v1.2-3
  4. Log Tool v1.3.0
  5. SSHTerm v0.1.4 beta
  6. SSHVnc v0.1.0
V. SECURITYJOBS LIST SUMMARY
  1. Kansas City - Application Security Engineer (Thread)
  2. Research and Development Engineer location (Thread)
  3. Senior Business Development Manager, UK (Thread)
  4. Research and Development Team Lead - (Thread)
  5. CISSP Information Security Engineer seeking position in...
  6. Need security consultants in Boston (Thread)
  7. Security Project Manager (Thread)
  8. Security Engineer position in Knoxville, TN (Thread)
  9. Looking for information security position (Thread)
  10. SAP Security Consultant, Midlands, UK (Thread)
  11. Information Security Manager, Benelux (Thread)
  12. Research and Development Engineer (Thread)
  13. Information Security Architect - Fairfield County, CT (Thread)
  14. Need Security Evangelist in Chicago (Thread)
  15. Seeking Tivoli Access Manager Consultant (NJ) (Thread)
  16. Senior Security Manager -Cleveland, Ohio (Thread)
  17. Neoteris is hiring!!! - Sales Engineer - Southern California...
  18. Information Security Dr available (Thread)
  19. Neoteris is hiring!!! - Technical Support Engineers...
  20. CISSP Security consultant seeking position in NYC (Thread)
  21. Etiquette for recruiters (Thread)
  22. Good article on job hunting in this environ. (Thread)
  23. Seeking security consulting position in NYC (Thread)
  24. Immediate opening for a Tivoli Access Manager Securit...
  25. Sales Engineer / San Francisco (Thread)
  26. Cleared, Navy looking for work in San Diego, CA (Thread)
  27. North East Coast Sr. Security Engineering Position Available...
  28. Administrivia (Thread)
  29. Business Development Director EMEA - based in UK (Thread)
  30. Field Engineer (DC and SF) (Thread)
  31. Senior Security Manager - Cleveland, Ohio (Thread)
  32. Neoteris is hiring!!! - Senior Technical Trainer - Silico...
  33. Neoteris is hiring!!! - Product Marketing Manager - Silicon...
  34. Neoteris is hiring!!! - Technical Marketing Engineer - Silicon...
  35. Neoteris is hiring!!! - Manager, Business Development...
  36. Neoteris is hiring!!! - Inside Sales Rep - East Region (Thread)
  37. Neoteris is hiring!!! - Federal Sales Rep - VA/MD/DC (Thread)
VI. INCIDENTS LIST SUMMARY
  1. Weird Traffic from www.eyeblaster-bs.com (Thread)
  2. Whois updates, Was: [ Possible Intrusion Attempt?] (Thread)
  3. strange cmd.exe access (Thread)
  4. A question for the list... (Thread)
  5. DDoS Attack (Thread)
  6. Possible Intrusion Attempt? (Thread)
  7. Are they back? (was Scans from proxyprotector.com) (Thread)
  8. New Paper on Passive OS Fingerprinting (Thread)
  9. Scans from proxyprotector.com (Thread)
  10. [ANNOUNCE] protocol watcher (Thread)
  11. is this new ... (Thread)
  12. Stukach Trojaned SysReg.exe (Thread)
  13. cisco 7200 performance issue (Thread)
  14. ICMP/SYN Flood (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
  1. Re[2]: mirc32 6.0x crash when resolving dns. (Thread)
  2. mirc32 6.0x crash when resolving dns. (Thread)
  3. Abo3 (can someone help me?) (Thread)
  4. [Vuln-dev Challenge] Challenge #2 (Thread)
  5. N00b questions :\ (Thread)
  6. [Vuln-dev Challenge] Challenge #2 (return-to-libc) (Thread)
  7. Mac OS X shellcode and SIGTRAP (Thread)
  8. [Vuln-dev Challenge] example exploit for 2 (Thread)
  9. [Vuln-dev Challenge]: Symlink Attack (Thread)
  10. Frame Pointer Overwriting (Thread)
  11. [Vuln-dev Challenge] Challenge #2 (SPOILER) (Thread)
  12. [Vuln-dev Challenge] nonexec stack&heap solution (encrypted)...
  13. Is this exploitable? (Thread)
  14. CORRECTION: vulndev1.c solution (WARNING! QUESTIONS!) (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
  1. Article Announcement: Malware Myths and Misinformation Part 2...
  2. Article Announcement: Conducting a Security Audit: An...
  3. SecurityFocus Microsoft Newsletter #138 (Thread)
  4. Re[2]: Windows 2003 Server - MS Rulez? (Thread)
  5. Windows 2003 Server - MS Rulez? (Thread)
IX. SUN FOCUS LIST SUMMARY
  NO NEW POSTS FOR THE WEEK ENDING 05.30.03
X. LINUX FOCUS LIST SUMMARY
  1. process accounting (Thread)
  2. more on linux hardening (fwd) (Thread)
  3. more on linux hardening (Thread)
  4. hardening scripts (Thread)
XI. SPONSOR INFORMATION

I. FRONT AND CENTER

1. ** Announcing the new SecurityFocus Pen-Test and Firewalls Focus Areas **

In response to the ever evolving needs of the security community, SecurityFocus is very pleased to announce the release of two new focus areas effective June 2, 2003: Pen-Test
<http://www.securityfocus.com/pen-test> and Firewalls <http://www.securityfocus.com/firewalls>

2. Malware Myths and Misinformation Part 2
By David Harley
May 28, 2003

This article is the second of a three-part series looking at some of the myths and misconceptions that undermine anti-virus protection.

http://www.securityfocus.com/infocus/1698

3. A Special Needs Class
By George Smith

The University of Calgary's new course in virus-writing begs the question: is it a cheap publicity stunt or just boneheaded educating?

http://www.securityfocus.com/columnists/164

4. Untrustworthy Passport
by Yen-Ming Chen (yenming.chen@foundstone.com)

On May 7, 2003, yet another vulnerability [1,2,3] was found in Microsoft's Passport service, a single sign-on service for multiple Web sites including Microsoft's own Hotmail and Expedia.com. The vulnerability allows an attacker to gain control of any Passport user's account by resetting her password, simply by accessing a server response file (SRF) interface. Microsoft disabled the vulnerable feature within a few hours after the information went public. Some sources [4] claim federal regulators can fine Microsoft up to 22 trillion dollars, although that is unlikely. Either way, the damage to Passport and to the perception of Microsoft's trustworthy computing has been done. In this article, we take a deeper look at the vulnerability from the perspective of a software development life cycle, its impact, and how to monitor and fix such problems. We will also examine how the bug could have slipped through the cracks of standard penetration testing methodologies and provide recommendations to harden the methodology.

http://www.securityfocus.com/guest/20225

II. BUGTRAQ SUMMARY


1. TextPortal Undocumented Username / Password Weakness BugTraq ID: 7673
Remote: Yes
Date Published: May 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7673
Summary:

TextPortal is a web-based content management system implemented in PHP. It is available for a variety of platforms including Microsoft Windows and Linux and Unix variant operating environments.

A weakness has been reported for TextPortal that may allow an attacker to obtain unauthorized access. The issue exists due to a weak, undocumented password used for the default administrative user 'god2'.

TextPortal encrypts passwords using crypt and stores them in the 'db_ures\admin_pass.php' file. Specifically, the user 'god2' has a default undocumented password of '12345'.

Access to the 'god2' account could grant unauthorized administrative access to remote attackers.

Administrative privileges gained on target systems may allow attackers to corrupt configuration settings. Other attacks are also possible.

2. IISProtect Web Administration Interface SQL Injection Vulnerability BugTraq ID: 7675
Remote: Yes
Date Published: May 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7675
Summary:

iisProtect is a security product for Microsoft Windows that provides authentication based access control to protect web resources.

The IISProtect web administration interface is prone to an SQL injection vulnerability.

The interface fails to properly sanitize user-supplied input before including it in SQL queries. This could allow remote users to pass malicious SQL input to database queries, resulting in modification of query logic and other attacks.

Successful exploitation could result in a compromise of site integrity, disclosure or modification of data, or potential exploitation of vulnerabilities in the underlying database implementation. This could also be exploited to call stored procedures such as 'xp_cmdshell', to execute operating system commands.

It is not clear if the IISProtect web administration interface is enabled by default.

3. UML_NET Integer Mismanagement Code Execution Vulnerability BugTraq ID: 7676
Remote: No
Date Published: May 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7676
Summary:

uml_utilities is a collection of packages designed to be used in conjunction with the User Mode Linux (UML) kernel patch. The uml_net program can be used by an administrator to configure various network devices and system networking parameters.

A vulnerability has been discovered in uml_net. The problem lies in the uml_net.c source file and occurs while handling user-supplied version information.

The 'v' variable is declared as a signed integer, but it is used to store the unsigned value returned by a call to the 'strtoul()' function. For a sufficiently large input this results in 'v' holding a negative value. As 'v' is later used in various bounds checking calculations, specifically 'if (v > CURRENT_VERSION)', it is possible to trigger an unexpected calculation and bypass the check.

If all necessary calculation checks are passed, an attacker may be capable of indexing into a malformed location within an array of function pointers. Specifically, the 'v' variable is used as an index into the (*handlers[])() array. When this occurs the negative value stored in 'v' will allow the attacker to reference a supplied address lower in process memory.

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary commands with the privileges of uml_net, possibly root. It has been confirmed that uml_net is installed suid root on at least one Linux distribution.
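As an added illustration (not code from uml_net or from the advisory), the signed/unsigned mismatch described above is shown beside a corrected check; CURRENT_VERSION, the handler table and the input strings are constructed stand-ins, and the wrapped index is never dereferenced.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the protocol version and the handler table. */
#define CURRENT_VERSION 3

static int handler_v0(void) { return 0; }
static int handler_v1(void) { return 1; }
static int handler_v2(void) { return 2; }
static int handler_v3(void) { return 3; }

static int (*handlers[])(void) = { handler_v0, handler_v1, handler_v2, handler_v3 };
#define NUM_HANDLERS (sizeof(handlers) / sizeof(handlers[0]))

/* Sentinel for "check rejected the input". It is larger than any index
 * either check can accept, so it cannot collide with a real result. */
#define REJECTED INT_MAX

/*
 * The pattern the advisory describes: strtoul() returns an unsigned long,
 * but the result is stored in a signed int. A version string such as
 * "4294967295" (0xFFFFFFFF) becomes -1 on two's-complement compilers, so
 * the single test 'v > CURRENT_VERSION' is satisfied even though v would
 * index before the start of handlers[]. This function only returns the
 * index the check would have let through; it never uses it.
 */
int vulnerable_version_index(const char *arg)
{
    int v = (int)strtoul(arg, NULL, 0);   /* signed/unsigned mismatch */
    if (v > CURRENT_VERSION)
        return REJECTED;
    return v;                             /* original would call handlers[v]() */
}

/*
 * Corrected check: keep the value unsigned, reject parse errors, trailing
 * junk and overflow, and bound the index by the real table size instead
 * of by a single upper limit.
 */
int hardened_version_index(const char *arg)
{
    char *end;
    unsigned long v;

    errno = 0;
    v = strtoul(arg, &end, 0);
    if (end == arg || *end != '\0')   /* empty string or trailing junk */
        return REJECTED;
    if (errno == ERANGE)              /* value did not fit in unsigned long */
        return REJECTED;
    if (v >= NUM_HANDLERS)            /* covers both "too large" and wrapped */
        return REJECTED;
    return (int)v;
}

/* Dispatch through the table only after the hardened check accepts the index. */
int dispatch_version(const char *arg)
{
    int idx = hardened_version_index(arg);
    if (idx == REJECTED)
        return -1;
    return handlers[idx]();
}

int main(void)
{
    /* Constructed inputs: valid, wrapped, negative sign, too large, trailing junk. */
    const char *inputs[] = { "2", "4294967295", "-1", "7", "3x" };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        int v = vulnerable_version_index(inputs[i]);
        int h = hardened_version_index(inputs[i]);
        printf("%-12s vulnerable: %-8s (index %d)   hardened: %s\n", inputs[i],
               v == REJECTED ? "rejected" : "accepted", v == REJECTED ? 0 : v,
               h == REJECTED ? "rejected" : "accepted");
    }
    return 0;
}
```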

4. BLNews Remote File Include Vulnerability BugTraq ID: 7677
Remote: Yes
Date Published: May 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7677
Summary:

BLNews is a web-based news application written in PHP. BLNews supports the use of themes.

A vulnerability has been reported for BLNews 2.1.3-beta. The problem occurs due to the 'objects.inc.php4' script failing to include the 'server.inc.php4' file. As a result, it is possible for a remote attacker making a request to BLNews to control the 'Server' variable. This may allow for the inclusion of attacker-supplied PHP header files, specifically 'tools.inc.php4' and 'cmd.php4'.

Successful exploitation of this vulnerability would allow an attacker to upload a malicious PHP file to BLNews. This could result in the execution of arbitrary PHP code with the privileges of the web server.

It should be noted that, although this vulnerability is said to affect BLNews 2.1.3-beta, previous versions may also be affected.

5. Ultimate PHP Board admin_iplog.PHP Arbitrary PHP Execution Vulnerability BugTraq ID: 7678
Remote: Yes
Date Published: May 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7678
Summary:

Ultimate PHP Board (UPB) is a freely available, open source PHP Bulletin Board. It is available for the Unix and Linux operating systems.

UPB stores information about each connected user in the 'db' file, stored in the 'iplog' directory. Information logged includes the user's IP address as well as the HTTP user agent string. An administrator can view this information by calling the 'admin_iplog.php' script.

A vulnerability has been reported for UPB 1.9. The problem is said to occur due to insufficient sanitization of the HTTP 'User-Agent' information before including it within the 'admin_iplog.php' script. As a result, an attacker may be capable of embedding malicious PHP commands within this field, which would in turn be interpreted by the web server.

The execution of these commands would only occur when an administrator chooses to view the log of forum activity via the 'admin_iplog.php' script. All commands executed would be run with the privileges of the web server, typically httpd.

It should be noted that although unconfirmed this may also affect UPB versions prior to 1.9.

6. Encrypted Virtual Filesystem Local Heap Overrun Vulnerability BugTraq ID: 7679
Remote: No
Date Published: May 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7679
Summary:

Encrypted Virtual Filesystem (EVFS) is a virtual filesystem that runs on top of the Linux VFS. It allows multiple users to each mount their own encrypted filesystems using individual keys. It is available for the Linux operating system.

A vulnerability has been discovered in the 'efs' utility used by EVFS. The problem occurs in the 'do_mount()' function within the efs.c source file. During a call to salloc(), the size calculation fails to take the size of the 'to' argument into account. More data than was allocated may subsequently be written into the buffer. As a result, it may be possible for an attacker to corrupt sensitive memory management information.

Successful exploitation of this vulnerability could allow a legitimate EVFS user to execute arbitrary commands with root privileges.

This vulnerability affects EVFS v0.2, however earlier versions may also be affected.

7. AnalogX Proxy URI Buffer Overflow Vulnerability BugTraq ID: 7681
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7681
Summary:

AnalogX Proxy is proxy server software for Microsoft Windows operating systems.

AnalogX Proxy is prone to a buffer overflow due to insufficient bounds checking of client-supplied URIs. It is possible to trigger this condition by submitting a URI that is greater than 340 characters. Exploitation could allow an attacker to corrupt sensitive regions of memory with attacker-supplied values, which could result in execution of arbitrary code in the context of the AnalogX server.

This is similar to the issue described in BID 5139.

8. FastTrack P2P Supernode Packet Handler Buffer Overflow Vulnerability BugTraq ID: 7680
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7680
Summary:

KaZaA, Grokster and Morpheus are file-sharing clients based on FastTrack P2P technologies. They will run on Microsoft Windows 9x/ME/NT/2000/XP systems. Ports also exist for variants of the Linux operating system.

FastTrack P2P Supernode Packet Handler has been reported prone to a buffer overflow vulnerability. The issue presents itself in the FastTrack Supernode packet handler. The handler does not perform sufficient bounds checking on Supernode entries received before they are copied into a reserved buffer in internal memory.

Specifically, when Supernode data extracted from certain FastTrack P2P network packets is passed to the affected FastTrack class and later copied into internal memory, excessive Supernode data (>200 entries) may overrun the boundary of the assigned buffer and corrupt adjacent memory. Memory adjacent to this buffer has been reported to contain values that are crucial to controlling memory management or program execution flow. Therefore it may be possible for a remote attacker to trigger a denial of service condition or ultimately seize control of the vulnerable application and have arbitrary attacker-supplied code executed. Code execution would occur in the context of the user running an application that incorporates the vulnerable FastTrack P2P Packet Handler.

It should be noted that this vulnerability has been tested on KaZaA version 2.0.2. Other versions of KaZaA and similar file-sharing clients based on FastTrack P2P technology may also be affected.

9. D-Link DI-704P Syslog.HTM Denial Of Service Vulnerability BugTraq ID: 7686
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7686
Summary:

The D-Link DI-704P is an Internet Broadband Gateway device. The DI-704P provides a method to share a single broadband Internet connection and share a single printer among systems connected to the local network.

D-Link DI-704P has been reported prone to a remote denial of service vulnerability.

The issue presents itself in the 'Syslog.htm' page, a part of the router's web management interface. It has been reported that when excessive data is passed as a URI parameter in a request for the vulnerable page, the device behaves in an unstable manner. Although unconfirmed, this may be due to an attempted name resolution of the malicious data. Subsequent malicious requests may result in corruption of device logs or in a complete denial of service condition requiring a device reboot.

Although unconfirmed, it should be noted that other D-Link devices that use related firmware might also be affected.

10. Ifenslave Argument Local Buffer Overflow Vulnerability BugTraq ID: 7682
Remote: No
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7682
Summary:

ifenslave is a tool designed to attach and detach slave network interfaces to a bonding device. The bonding device will act like an Ethernet network device to the Linux kernel, but will send out packets using the bound slave devices using a scheduler.

ifenslave for Linux has been reported prone to a buffer overflow vulnerability.

The issue is reportedly due to a lack of sufficient bounds checking performed on user-supplied data before it is copied into an internal memory space.

Specifically, excessive data passed as the first command line argument to the vulnerable ifenslave executable, when copied into internal memory, may overrun the boundary of the assigned buffer and corrupt adjacent memory. Memory adjacent to this buffer has been confirmed to contain values that are crucial to controlling program execution flow. It is therefore possible for a local attacker to seize control of the vulnerable application and have malicious arbitrary code executed in the context of ifenslave. ifenslave is not installed setUID or setGID by default.

It should be noted that although this vulnerability has been reported to affect ifenslave version 0.07, previous versions might also be affected.

11. Multiple Vignette Cross-Site Scripting Vulnerabilities BugTraq ID: 7687
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7687
Summary:

Vignette distributes several products that include content management and application portal software.

Vignette software has been reported prone to multiple cross-site scripting vulnerabilities.

Reportedly the issue presents itself because the Vignette software does not sufficiently sanitize HTML characters (", &, <, >) from user-supplied data. As a direct result, all Vignette applications that do not implement explicit filters to sanitize user-supplied variables, and that later generate dynamic content based on the supplied data, are potentially affected.

An attacker may exploit these vulnerabilities by enticing a victim user to follow a malicious link that contains malicious HTML code. Attacker-supplied HTML and script code may be executed on a web client in the context of the site hosting the affected Vignette software.

This may allow for theft of cookie-based authentication credentials and other attacks.

This issue was reported for Vignette StoryServer version 4 to version 6; it has been speculated that all current versions are vulnerable.

12. Vignette Unauthorized Legacy Tool Access Vulnerability BugTraq ID: 7683
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7683
Summary:

Vignette distributes several products that include content management and application portal software.

Vignette does not sufficiently restrict access to the Legacy Tool application. This tool is accessible via the /vgn/legacy/edit template, which requires authentication. However, it is also possible to access the functions of the tool via the /vgn/legacy/save template, which does not have the same level of access control. Cookie values are not sufficiently checked when a remote user attempts to access the /vgn/legacy/save template. A remote attacker may gain access to this template by submitting a falsified cookie.

Unauthorized remote users may use the /vgn/legacy/save template to execute database queries. This includes the ability to execute a SELECT query on any tables which are accessible by the Vignette database user. This could expose sensitive information to remote attackers.

13. Vignette Memory Disclosure Vulnerability BugTraq ID: 7684
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7684
Summary:

Vignette distributes several products that include content management and application portal software.

Vignette is prone to an issue which may expose the contents of memory to remote attackers. This condition is due to a flaw in how Vignette calculates the size of certain characters in URI variables. This condition may occur when a request contains "-->". This will cause the software to miscalculate the size of the request and random parts of adjacent memory will be included in the response. This could result in disclosure of sensitive information contained in memory and may also aid in exploitation of other vulnerabilities.

This issue was reported for Vignette on IBM AIX. Other platforms may also be affected, though this has not been confirmed. The issue affects some of the default templates provided with Vignette.

This issue is similar to the vulnerability described in BID 7296.

14. Vignette SSI Injection Vulnerability BugTraq ID: 7685
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7685
Summary:

Vignette distributes several products that include content management and application portal software.

Under some circumstances, Vignette applications may be prone to injection of Server-Side Includes (SSI). It may be possible to inject SSI through URI variables and other input fields. This could allow remote attackers to execute arbitrary commands with the privileges of Vignette. It is believed that some of the default Vignette applications are prone to this issue.

Exploitation is possible only if the SSI EXEC feature is enabled. This issue could also affect third-party applications that are developed for use with Vignette.

15. Vignette Style Template Information Leakage Vulnerability BugTraq ID: 7688
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7688
Summary:

Vignette distributes several products that include content management and application portal software.

A problem with Vignette software may make it possible to gain potentially sensitive information.

It has been reported that some Vignette products install several templates, including the style template, in the /vgn directory. Because of this, it may be possible for a remote attacker to gain access to potentially sensitive information.

The problem is in the style template. This template is by default installed as /vgn/style on an affected system. When this template is accessed by a remote user, the server leaks information that may include variable names, paths, and other installation information. This could be exploited to provide an attacker with information necessary in launching a more organized attack against systems.

This problem has been reported to affect Vignette StoryServer and Vignette V/5, though other products may also be affected.

16. Vignette Login Template User Information Leakage Vulnerability BugTraq ID: 7691
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7691
Summary:

Vignette distributes several products that include content management and application portal software.

A problem with Vignette software may make it possible to gain potentially sensitive information.

It has been reported that some Vignette products install several templates, including the login template, in the /vgn directory. Because of this, it may be possible for a remote attacker to gain access to potentially sensitive information.

The problem is in the login template. This template is by default installed as /vgn/login on an affected system. When this template is accessed by a remote user, the server leaks information when user names are entered. Differing responses are given for existing users, non-existing users, and disabled users. This could be exploited to provide an attacker information necessary in launching a more organized attack against systems.

This problem has been reported to affect Vignette StoryServer and Vignette V/5, though other products may also be affected.

17. Vignette License Template Denial Of Service Vulnerability BugTraq ID: 7694
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7694
Summary:

Vignette distributes several products that include content management and application portal software.

A problem with Vignette software may make it possible to deny service to web content.

It has been reported that some Vignette products install several templates, including the license template, in the /vgn directory. Because of this, it may be possible for a remote attacker to deny service to a system using the software to manage web content.

The problem is in the license template. This template is by default installed as /vgn/license on an affected system. When this template is accessed by a remote user, the template allows the remote user to view and alter license information. By altering the license data to invalid values, the software could be made to stop functioning. This could be exploited by an attacker to prevent legitimate users from accessing content on a site.

18. BRS WebWeaver POST and HEAD Denial Of Service Vulnerability BugTraq ID: 7695
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7695
Summary:

BRS WebWeaver is an FTP and web server from Blaine Southam.

A vulnerability has been reported for WebWeaver that may result in a denial of service condition.

When a POST or HEAD request is received containing 32700 characters or more, WebWeaver will return an "Unable to insert string" error message and fail. This issue is likely due to a boundary condition error, but this has not been confirmed. It is not known if the condition is exploitable to execute arbitrary code.

This vulnerability was reported for WebWeaver 1.04. Earlier versions may also be vulnerable.

19. PalmVNC Insecure Password Storage Vulnerability BugTraq ID: 7696
Remote: No
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7696
Summary:

PalmVNC is a VNC implementation for PalmOS. It can be used to establish VNC sessions with Windows or Unix/Linux systems.

PalmVNC stores password credentials in plaintext. By default, the database file (PalmVNCDB) that contains VNC passwords has the backup bit set. As a result, these credentials may be stored on a desktop system when the Palm is "Hotsynced". This could expose credentials to other users of the system that the backup is stored on.

This issue was reported in PalmVNC 1.40. Other versions are also likely affected.

20. P-News Administrative Account Creation Vulnerability BugTraq ID: 7689
Remote: Yes
Date Published: May 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7689
Summary:

P-News is a web-based news management system. It is implemented in PHP and available for Unix/Linux variants and Microsoft Windows operating systems.

A vulnerability has been reported that could enable a P-News member to create and access an administrative account. The flaw exists in the 'p-news.php' script. It is possible to inject malicious data into the 'Name' account editing input field. Exploitation could allow a member to compromise P-News.

This issue was reported in P-News 1.16. Other versions may also be affected.

21. Vignette VALID_PATHS Command TCL Code Injection Vulnerability BugTraq ID: 7692
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7692
Summary:

Vignette distributes several products that include content management and application portal software.

Under some circumstances Vignette applications that harness the Vignette API, specifically the 'VALID_PATHS' command, may be prone to injection of arbitrary TCL code. The issue presents itself due to a lack of sufficient sanitization performed on a user-supplied variable parsed by the 'VALID_PATHS' command. This variable, HTTP_REFERER, may be influenced by an attacker to ultimately inject arbitrary TCL code.

This could allow remote attackers to execute arbitrary commands with the privileges of the affected server. It has been reported that several of the default Vignette applications are prone to this issue.

This issue could also affect third-party applications that are developed for use with Vignette.

This issue was reported for Vignette StoryServer version 5 and version 6. However it has been speculated that all current versions may be vulnerable.

22. Vignette NEEDS Command TCL Code Injection Vulnerability BugTraq ID: 7690
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7690
Summary:

Vignette distributes several products that include content management and application portal software.

Under some circumstances Vignette applications that harness the Vignette API, specifically a 'NEEDS' command that follows a certain code path, may be prone to injection of arbitrary TCL code. The issue presents itself due to a lack of sufficient sanitization performed on user-supplied variables parsed by the 'NEEDS' command. These variables, HTTP_QUERY_STRING and HTTP_COOKIE, may be influenced by an attacker to ultimately inject arbitrary TCL code.

This could allow remote attackers to execute arbitrary commands with the privileges of the affected server. It has been reported that several of the default Vignette applications are prone to this issue.

This issue could also affect third-party applications that are developed for use with Vignette.

This issue was reported for Vignette StoryServer version 5 and version 6. However it has been speculated that all current versions may be vulnerable.

Conflicting reports suggest that while SHOW HTTP_COOKIE and HTTP_QUERY_STRING may be vulnerable to cross-site scripting attacks, only the SET HTTP_COOKIE and HTTP_QUERY_STRING are vulnerable to TCL code injection attacks.

23. Batalla Naval Remote Buffer Overflow Vulnerability BugTraq ID: 7699
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7699
Summary:

Batalla Naval is a graphical naval battle game that can be played over a network. It is available for Unix/Linux variants and Microsoft Windows operating systems.

Batalla Naval is prone to a remotely exploitable buffer overflow when handling requests of excessive length. In particular, sending a string to the game server (gbnserver) that is 500 or more bytes in length may cause stack memory to be corrupted. This could allow for execution of malicious instructions in the context of the game server.

The game server listens on port 1995 by default.

24. Remote PC Access Denial Of Service Vulnerability BugTraq ID: 7698
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7698
Summary:

Remote PC Access is a remote administration tool designed for Microsoft Windows platforms.

Remote PC Access has been reported to be prone to a denial of service vulnerability.

The issue, although unconfirmed, is likely due to a lack of bounds checking performed by the Remote PC Access server on network communications received from the client. Specifically, an attacker may craft an authorization packet and transmit it to the vulnerable server; after the initial authorization process has been completed, the server will send data to the client. The attacker may copy the information received and re-transmit it back to the server. This invariably causes the vulnerable PC Access server to behave in an unstable manner, eventually leading to a fatal exception.

Although unconfirmed, due to the nature of this vulnerability, it may be possible for a remote attacker to supply and execute arbitrary code.

It should be noted that although this vulnerability has been reported to affect Remote PC Access version 2.2, previous versions might also be affected.

25. Privatefirewall FIN/XMas Scan Traffic Handling Vulnerability BugTraq ID: 7700
Remote: Yes
Date Published: May 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7700
Summary:

Privatefirewall is a security software package distributed and maintained by Privacyware. It is available for the Microsoft Windows platform.

A problem with Privatefirewall may make it possible to bypass firewall policies.

It has been reported that Privatefirewall does not properly handle TCP traffic with certain flag settings. This may allow an attacker to circumvent firewall filtering.

The problem is in the parsing of traffic with FIN and Xmas tree flag settings. Privatefirewall does not correctly handle traffic with these specific flags set. These types of flags may be set during either port scanning, or other potentially malicious network activity such as back door communication.

It has been reported that Privatefirewall does not properly filter these types of traffic when the "Filter Internet Traffic" and "Deny Internet Traffic" configuration variables in Privatefirewall are selected. An attacker could circumvent both traffic policies.
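As an added example (not Privacyware's code), the following Python parses the TCP control bits out of constructed header bytes, names the FIN and Xmas tree probes the advisory describes, and contrasts an assumed model of the weakness (the deny policy applied only to connection-opening SYNs) with a stateful filter that drops any inbound segment not belonging to a tracked connection. The filter functions and the connection-table layout are assumptions.

```python
import struct

# TCP control bits (RFC 793), low six bits of the header's flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # "Xmas tree" probe: FIN, PSH and URG lit at once


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample data: a minimal 20-byte TCP header, no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def parse_tcp(header: bytes) -> tuple:
    """Return (sport, dport, flags) from a raw TCP header."""
    sport, dport = struct.unpack("!HH", header[:4])
    return sport, dport, header[13] & 0x3F


def classify(flags: int) -> str:
    """Name the probe types the advisory mentions (FIN and Xmas tree)."""
    if flags == FIN:
        return "fin-scan"
    if flags == XMAS:
        return "xmas-scan"
    if flags & SYN and not flags & ACK:
        return "syn"
    return "other"


def weak_filter(header: bytes, established: set) -> str:
    """Assumed model of the reported weakness: the deny policy is applied to
    connection-opening SYNs only, so FIN and Xmas segments are never inspected
    and pass regardless of the 'Deny Internet Traffic' setting."""
    sport, dport, flags = parse_tcp(header)
    if classify(flags) == "syn":
        return "drop"
    return "accept"


def stateful_filter(header: bytes, established: set) -> str:
    """Hardened: under a deny-inbound policy only segments that belong to a
    tracked, locally initiated connection (remote_port, local_port) pass;
    everything else is dropped, whatever flags it carries."""
    sport, dport, flags = parse_tcp(header)
    if (sport, dport) in established:
        return "accept"
    return "drop"
```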

26. BNC IRC Proxy Multiple Session Denial of Service Vulnerability BugTraq ID: 7701
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7701
Summary:

BNC IRC Proxy is an open source IRC proxying server that allows a system without direct Internet access to relay through the BNC server.

It has been reported that the BNC IRC Proxy is prone to a denial of service vulnerability.

This vulnerability appears to occur when two legitimate users of the service connect from the same IP address. If the second connected user disconnects before the first connected user, the service reportedly fails when the first user disconnects.

Precise technical details of this vulnerability are not currently known. This record will be updated when further details become available.

This vulnerability was reported to affect BNC IRC Proxy version 2.6.2 and prior.

27. PostNuke Phoenix Glossary Module SQL Injection Vulnerability BugTraq ID: 7697
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7697
Summary:

A vulnerability has been discovered in PostNuke Phoenix v0723 and earlier. Specifically, the Glossary module fails to sufficiently sanitize user-supplied input, making it prone to SQL injection attacks.

Exploitation may allow for modification of SQL queries, resulting in information disclosure, or database corruption. The consequences depend on the nature of specific queries. This issue may allow the attacker to exploit latent vulnerabilities in the underlying database.

28. PostNuke Phoenix Main Modules Multiple Path Disclosure Vulnerabilities BugTraq ID: 7693
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7693
Summary:

PostNuke is a web-based content management system. It is implemented in PHP and available for Unix/Linux variants and Microsoft Windows platforms.

Path disclosure vulnerabilities have been reported in modules which are included with PostNuke Phoenix. Affected modules include Downloads, Web_Links, Sections, FAQ, Search, Reviews and Glossary. The nature of these issues is poor handling of data supplied via URI parameters, causing error pages to be generated that contain the path to the installation root directory and other resources.

Exploitation of these issues may allow an attacker to gather sensitive information.

Some of these issues may have been previously reported, or may exist in other content management systems such as PHP-Nuke or phpBB, due to shared code.

29. PostNuke Phoenix Rating System Denial Of Service Vulnerability BugTraq ID: 7702
Remote: Yes
Date Published: May 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7702
Summary:

PostNuke is a web-based content management system. It is implemented in PHP and available for Unix/Linux variants and Microsoft Windows platforms.

A problem in the software may make it possible to prevent access to sites by legitimate users.

It has been reported that the PostNuke rating system does not properly handle some submissions to the rating system. Because of this, a remote attacker may be able to submit a string that causes a denial of service to legitimate users.

The problem is in the handling of rating strings of excessive length. By submitting a maliciously crafted string, it is possible to cause the software to become unstable and potentially crash. It has been reported this can affect both the web server and database server under the PostNuke installation, though it's not entirely clear how.

30. iPlanet Messaging Server HTML Attachment Cross Site Scripting Vulnerability BugTraq ID: 7704
Remote: Yes
Date Published: May 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7704
Summary:

iPlanet Messaging Server is a webmail product maintained by Sun Microsystems. It supports a variety of protocols including SMTP, IMAP, and POP3. Various security mechanisms are also supported, such as access control lists.

It has been reported that iPlanet Messaging Server may be prone to cross-site scripting attacks.

The problem is said to occur while processing HTML attachments received via e-mail. An option exists within iPlanet Messaging Server which allows a user to open an attachment 'online'. If used, this option will interpret the attachment within the context of the webmail domain.

Successful exploitation of this vulnerability could allow an attacker to steal a legitimate user's iPlanet Messaging Server session ID information. Access to this information may aid in launching further attacks, such as session hijacking. Other attacks may also be possible.

31. Newsscript Administrative Privilege Elevation Vulnerability BugTraq ID: 7705
Remote: Yes
Date Published: May 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7705
Summary:

Newsscript is a web-based news management system. It is written in PHP and available for Unix/Linux variants and Microsoft Windows operating systems.

A vulnerability was reported in Newsscript that may permit an unauthorized member to increase their privilege level. The issue exists in the profile editing function of the 'write.php' script. This is due to insufficient validation of data supplied to account editing input fields of Newsscript. In particular, it is possible to include user database delimiters (<~>) when editing user profile properties. This could be used to add arbitrary data to a user record, including modification of the user's privilege level.
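As an added illustration (not Newsscript's own code), the following Python models a flat-file user record whose fields are joined with the '<~>' delimiter the advisory mentions, shows how an unvalidated profile field shifts the positions of the fields that follow it, and adds the validation a record writer needs. The field layout, the reader's positional parsing and the function names are assumptions.

```python
DELIM = "<~>"
# Hypothetical record layout; the advisory only says the privilege level
# is one of the fields stored in the user record.
FIELDS = ("username", "password_hash", "email", "level")


class InvalidField(ValueError):
    """Raised when a profile value would corrupt the record layout."""


def serialize_record(record: dict) -> str:
    """Join the fields in layout order, delimiter between them."""
    return DELIM.join(str(record[name]) for name in FIELDS)


def parse_record(line: str) -> dict:
    """Positional reader: the n-th token is the n-th field. Extra tokens
    produced by an injected delimiter are silently ignored, which is
    exactly what lets a shifted token land in the 'level' slot."""
    parts = line.split(DELIM)
    return {name: parts[i] for i, name in enumerate(FIELDS)}


def update_profile_vulnerable(record: dict, email: str) -> dict:
    """Writes the new email without looking for the delimiter, then
    re-reads the record the way the reader would."""
    rec = dict(record)
    rec["email"] = email
    return parse_record(serialize_record(rec))


def validate_field(value: str) -> str:
    """Reject any value that contains the record delimiter."""
    if DELIM in value:
        raise InvalidField("field value contains the record delimiter")
    return value


def update_profile_hardened(record: dict, email: str) -> dict:
    """Validate the field, then confirm the serialized record still
    splits into exactly len(FIELDS) tokens before trusting it."""
    rec = dict(record)
    rec["email"] = validate_field(email)
    line = serialize_record(rec)
    if len(line.split(DELIM)) != len(FIELDS):
        raise InvalidField("record does not round-trip to the expected layout")
    return parse_record(line)
```

With a constructed record for 'alice' at level 1, an email of `x<~>9` makes the vulnerable writer read back level 9, while the hardened writer rejects the edit.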

32. Upclient Command Line Argument Buffer Overflow Vulnerability BugTraq ID: 7703
Remote: No
Date Published: May 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7703
Summary:

upclient is a multi-platform utility that is designed to extract and publish system uptime statistics.

upclient has been reported to be prone to a buffer overflow vulnerability when handling command line arguments of excessive length. Specifically, when the vulnerable upclient handles a '-p' command line argument of greater than 1022 bytes, the bounds of an internal buffer in memory are overrun and memory adjacent to the buffer is corrupted with attacker-supplied data.

Memory adjacent to this buffer has been reported to contain values that are crucial to controlling program execution flow. It is therefore possible for a local attacker to seize control of the vulnerable application and have malicious arbitrary code executed in the context of upclient. It has been reported that upclient is installed on FreeBSD systems as setuid kmem.

An attacker may harness elevated privileges obtained in this way to manipulate arbitrary areas in system memory through /dev/mem or /dev/kmem devices.

33. ST FTP Service Information Disclosure Vulnerability BugTraq ID: 7674
Remote: Yes
Date Published: May 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7674
Summary:

A vulnerability has been reported in ST FTP Service. Allegedly, ST FTP Service fails to enforce a document root before sharing files. As a result, a remote attacker may be capable of accessing arbitrary system files with the privileges of the ST FTP process.

Access to arbitrary system files may aid an attacker in launching further attacks against the target server and its users.

It should be noted that this vulnerability may be due to a configuration error within the server. However this possibility has not been confirmed.

34. Microsoft Internet Explorer Malformed JavaScript Denial of Service Vulnerability BugTraq ID: 7706
Remote: Yes
Date Published: May 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7706
Summary:

An issue has been reported in Microsoft Internet Explorer. It is possible for a malicious web page using JavaScript to crash the browser process.

When certain malformed or incomplete JavaScript statements are handled by the JavaScript interpreter, Internet Explorer will fail. This may be due to use of irregular statements with the quoteText() function, though this is unconfirmed.

With Internet Explorer 6, this condition will result in only the browser used to parse the JavaScript failing.

Precise technical details of this vulnerability are not currently known. This record will be updated when new information becomes available.

35. Meteor FTP Server Username Information Disclosure Vulnerability BugTraq ID: 7707
Remote: Yes
Date Published: May 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7707
Summary:

Meteor FTP Server is an FTP Server for Microsoft Windows operating systems.

It has been reported that Meteor FTP Server is prone to an information disclosure weakness.

The problem exists in the way the FTP server handles the authentication procedure. Specifically, the FTP server returns a '530 Not logged on' error message to the console if the username supplied is invalid, before disconnecting the user. An attacker may exploit this weakness to enumerate valid usernames.

It should be noted that although this weakness was reported to affect Meteor FTP server version 1.5, previous versions might also be affected.
