
SecurityFocus Newsletter #202

From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon Jun 23 2003 - 14:08:08 EDT



This Issue is Sponsored by: IBM

SecureWorld: IBM's End-To-End Security Conference, August 25-29, 2003, Miami Beach, Florida

As Information Technology increases in importance, so do the number of threats directed against this critical infrastructure. A comprehensive security strategy is essential to protecting your vital data and ensuring continuity of operations. The SecureWorld Conference provides over 100 sessions to help you assess, protect, detect, correct, and recover from security concerns with end-to-end security solutions.

For more information or to enroll, visit: http://www.securityfocus.com/IBM-sf-news


I. FRONT AND CENTER

  1. Securing PHP: Step-by-step
  2. Tracking Down the Phantom Host
  3. From the Booby Hatch

II. BUGTRAQ SUMMARY

  1. IKE-Scan Local Logging Format String Vulnerability
  2. PostNuke Modules.PHP Multiple Cross-Site Scripting Vulnerabilities
  3. PostNuke User.PHP UNAME Cross-Site Scripting Vulnerability
  4. Sphera HostingDirector VDS Control Panel Multiple Cross-Site...
  5. ATFTP Timeout Command Line Argument Local Buffer Overflow...
  6. Sphera HostingDirector Session ID Random Generator Weakness
  7. ATFTP Blocksize Command Line Argument Local Buffer Overflow...
  8. ATFTP TFTP-Timeout Command Line Argument Local Buffer Overflow...
  9. Methodus 3 FTP Server File Disclosure Vulnerability
  10. Methodus 3 Web Server File Disclosure Vulnerability
  11. Mollensoft Hyperion FTP/Enceladus Server Suite Multiple Remote...
  12. Multiple Vendor PDF Hyperlinks Arbitrary Command Execution...
  13. MikMod Long File Name Local Buffer Overflow Vulnerability
  14. Progress Database DBAgent InstallDir Local Privilege Elevation...
  15. Progress Database Environment Variable Local Privilege...
  16. myServer Signal Handling Denial Of Service Vulnerability
  17. FreeWnn JServer Logging Option Data Corruption Vulnerability
  18. PMachine Lib.Inc.PHP Remote Include Command Execution...
  19. LedNews Post Script Code Injection Vulnerability
  20. Mailtraq Remote Directory Traversal Vulnerability
  21. Snitz Forums Search.ASP Cross-Site Scripting Vulnerability
  22. Snitz Forum Cookie Authentication Bypass Vulnerability
  23. Snitz Forums Password.ASP Password-Reset Vulnerability
  24. Mailtraq Remote Format String SMTP Resource Consumption...
  25. Xoops/E-Xoops Tutorials Module Remote Command Execution...
  26. Linux-PAM Pam_Wheel Module getlogin() Username Spoofing...
  27. Mailtraq Webmail Remote HTML Injection Vulnerability
  28. Dantz Retrospect Client StartupItems Insecure Default...
  29. Pod.Board Forum_Details.PHP Multiple HTML Injection...
  30. Pod.Board New_Topic.PHP Multiple HTML Injection Vulnerabilities
  31. PHPBB Admin_Styles.PHP Theme_Info.CFG File Include Vulnerability
  32. Noweb/Noroff Insecure Temporary File Creation Vulnerability
  33. Microsoft Internet Explorer MSXML XML File Parsing Cross-Site...
  34. Microsoft Internet Explorer Custom HTTP Error HTML Injection...
  35. Portmon Host File Option Sensitive File Arbitrary Content...
  36. Internet Security Systems BlackICE Defender Cross-site...
  37. Armida Databased Web Server Long Request Denial Of Service...
  38. Portmon Log File Option File Overwrite Vulnerability
  39. MyServer HTTP Server Directory Traversal Vulnerability
  40. Dune HTTP Get Remote Buffer Overrun Vulnerability
  41. Squirrelmail Multiple Remote Vulnerabilities
  42. Proxomitron Proxy Server Long Get Request Remote Denial Of...
  43. MiniHTTPServer WebForums Server Remote Directory Traversal...
  44. MidHosting FTP Daemon Shared Memory Local Denial Of Service...
  45. CesarFTP Remote CWD Denial of Service Vulnerability
  46. Unspecified IBM OS/390 Vulnerability
  47. Alguest Admin Panel Cookie Authentication Bypass Vulnerability
  48. IBM RACF Profile Updating Privilege Elevation Vulnerability
  49. Sun Management Center Insecure File Permissions Vulnerability
  50. Avaya Cajun Network Switch Connection Stalling Denial Of...

III. SECURITYFOCUS NEWS ARTICLES

  1. Guess settles with FTC over cybersecurity snafu
  2. Security Researchers Nibble at Bluetooth
  3. Spam Bill Gains In Senate
  4. Meet Stumbler: Next Gen port scanning malware

IV. SECURITYFOCUS TOP 6 TOOLS

  1. socklog v1.1.0
  2. GkrellMMS v2.1.12
  3. TinyCA v0.4.5
  4. softflowd v0.8.1
  5. Coyote Linux 2.0.0-pre5
  6. ADMLogger - Default branch v1.0

V. SECURITYJOBS LIST SUMMARY

  1. Senior Consultant #793 - Seattle,WA - Salary $90k-$110k (Thread)
  2. Security Consultant #787 - Chicago, IL - $90k - $105k (Thread)
  3. Security Intern, Dublin, OH (Thread)
  4. Director of Engineer-Product Development-Application Security...
  5. Training Manager (Thread)
  6. IT Auditor CISA - required in Hong Kong (Thread)
  7. Disaster Recovery Specialist position in PA (Thread)
  8. Disaster Recovery Admin w/ Strohl product knowledge (Thread)
  9. Senior Security Consultant - Seattle / Tacoma / Puget Sound Are...
  10. Immediate Openings Support Engineers (Sunnyvale CA) (Thread)
  11. Security Engineer, Manager, CISSP seeking leads in SF Bay area...
  12. Messaging Security Specialist needed in Washington, DC / Nort...
  13. Washington, DC area Project / Systems Engineers needed (Thread)
  14. Firewall Expert Needed for Washington, DC job (Thread)
  15. Senior Security Architect - Seattle, WA - Contract to Hire...
  16. Sr Security Sales / Business Dev Manager - Auckland New...
  17. Security specialist contract - canada (Thread)
  18. IT Security Consultant (CHECK Team Leader), London, UK (Thread)
  19. Internet Security Architect contract position (Thread)
  20. New articles available on SecurityFocus (Thread)
  21. Intrusion Detection & Incident Response - Chicago, IL (Thread)
  22. Principal Security Consultant (CLAS), UK (Thread)
  23. Security Engineer Contract Position in TX or Bay Area (Thread)
  24. NJ Systems Architect (Thread)
  25. Security expert for $25/hr (Thread)
  26. Neoteris is hiring!!! - PR/Media Relations Manager - Silicon...
  27. Neoteris is hiring!!! - SR Tech Support Engineer - Silicon...
  28. Neoteris is hiring!!! - Regional Sales Manager - Scandic (Thread)
  29. Neoteris is hiring!!! - Regional Sales Manager - Federal (Thread)
  30. Pre-Sales Engineers (Thread)
  31. Security Engineers needed in Denver! (Thread)
  32. Enterprise Security Architect--NJ/Full-time (Thread)
  33. Posting for another party - Director, Information Security NYC...

VI. INCIDENTS LIST SUMMARY

  1. FW: IANA Reserved IP Source scans 55808 (Thread)
  2. odd RST packets with 55808 (Thread)
  3. sdbot variant and WS 55808 activity (Thread)
  4. Unusual registry entries (Thread)
  5. sdbot variant and WS 55808 activity (Thread)
  6. SNMP search for printers? (Thread)
  7. One observed pattern of Win 55808 packets (Thread)
  8. chkrootkit and LKM? (Thread)
  9. sdbot variant and port 55808 activity (Thread)
  10. Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log...
  11. UDP/41170 (Thread)
  12. Wierd Profile in Document Settings (Thread)
  13. Help with identifying scan/attack (Thread)
  14. File on desktop called "~" (Thread)
  15. Odd windows ICMP... any ideas what this is? (Thread)
  16. Windows 2k rootkit incident, files zipped for your pleasure...
  17. Windows 2k rootkit incident, files zipped for your pleasure...

VII. VULN-DEV RESEARCH LIST SUMMARY

  1. Java class obfuscation (Thread)
  2. Question (Thread)
  3. Formatstrings on *BSD (Thread)
  4. Black Hat Briefings 2003 - Announcement (Thread)
  5. Microsoft Access 97 MDW files (Thread)
  6. IE exposing URLs to msn.com and alexa.com? (Thread)
  7. Directory traversal vulnerability on Xoops/E-xoops CMS module...
  8. Research on Source Code Review -C (Thread)
  9. Sphera Hosting Director Control Panel Multiple Vulnerabilities...
  10. shellcode with standard characters (Thread)

VIII. MICROSOFT FOCUS LIST SUMMARY

  1. Filtering DHCP Assignments by MAC Address (Thread)
  2. Windows Event Logs (Thread)
  3. NTRootkit (Thread)
  4. Article Announcement: Tracking Down the Phantom Host (Thread)
  5. Question regarding su.exe (Thread)
  6. Administrivia: OOO Messages (Thread)
  7. SecurityFocus Microsoft Newsletter #141 (Thread)
  8. Local User Permissions in a Public, Domain Environment? (Thread)

IX. SUN FOCUS LIST SUMMARY

  1. Package Log for Solaris (Thread)
  2. Solaris Patch Manager (Thread)
  3. New SecurityFocus Article (Thread)

X. LINUX FOCUS LIST SUMMARY

  1. deny deleting a file for users.. trying a solution (Thread)
  2. New SecurityFocus Article (Thread)

XI. SPONSOR INFORMATION


I. FRONT AND CENTER

1. Securing PHP: Step-by-step
By Artur Maj

This article shows the basic steps in securing PHP, one of the most popular scripting languages used to create dynamic web pages on the Internet.


http://www.securityfocus.com/infocus/1706

2. Tracking Down the Phantom Host
By John Payton

This article explains techniques for locating a problem host when you are not sure where it is physically located.

http://www.securityfocus.com/infocus/1705

3. From the Booby Hatch
By George Smith

Senator Orrin Hatch says he wants to destroy music swappers' computers, but what he really means is that kids today have no respect for their elders.

http://www.securityfocus.com/columnists/168

II. BUGTRAQ SUMMARY


1. IKE-Scan Local Logging Format String Vulnerability BugTraq ID: 7897
Remote: No
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7897
Summary:

ike-scan is a utility designed to discover IPsec VPN hosts running IKE (Internet Key Exchange). It is maintained by NTA and is available for Unix variant operating systems.

A vulnerability has been discovered in ike-scan. The problem is reported to occur because a user-supplied string is passed to syslog() as the format string itself, rather than as an argument to a constant format. As a result, by passing a command-line argument containing format specifiers to ike-scan, it may be possible for a malicious local user to corrupt process memory.

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code with the privileges of ike-scan. It should be noted that ike-scan is not installed suid by default.
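The following is an added example, not code from ike-scan or from this advisory. It reproduces the bug class on a vsnprintf() stand-in for syslog() so the effect is visible without a log daemon; the function names and buffer size are assumptions. Only the harmless %% directive is used for the demonstration, because it consumes no argument: a %x or %s in the untrusted string would be interpreted the same way and read from the stack, and %n would write to it.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3): formats into a caller buffer so the result is
 * visible. syslog() consumes its format argument exactly the same way. */
static void log_to(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* VULNERABLE: the untrusted string becomes the format string. Any %x, %s
 * or %n it contains is interpreted: %x/%s read the stack, %n writes it.
 * Same shape as the reported syslog(LOG_INFO, untrusted). */
void log_arg_vulnerable(char *out, size_t outsz, const char *untrusted)
{
    log_to(out, outsz, untrusted);
}

/* FIXED: a constant format; the untrusted bytes are only data for %s. */
void log_arg_fixed(char *out, size_t outsz, const char *untrusted)
{
    log_to(out, outsz, "%s", untrusted);
}

/* 1 if the vulnerable path interpreted directives in `s` (output differs). */
int vulnerable_interprets(const char *s)
{
    char buf[256];
    log_arg_vulnerable(buf, sizeof buf, s);
    return strcmp(buf, s) != 0;
}

/* 1 if the fixed path logged `s` byte-for-byte. */
int fixed_preserves(const char *s)
{
    char buf[256];
    log_arg_fixed(buf, sizeof buf, s);
    return strcmp(buf, s) == 0;
}

int main(void)
{
    /* "%%" consumes no argument, so it is safe to demonstrate: the
     * vulnerable path emits a single '%', the fixed path emits both. */
    const char *arg = "AAAA%%BBBB";
    char buf[256];
    log_arg_vulnerable(buf, sizeof buf, arg);
    printf("vulnerable: %s\n", buf);
    log_arg_fixed(buf, sizeof buf, arg);
    printf("fixed:      %s\n", buf);
    return 0;
}
```

Compiling the real thing with -Wformat-security (or -Wformat=2) flags the vulnerable call shape at build time; the fix is always the two-character change to a constant format.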

2. PostNuke Modules.PHP Multiple Cross-Site Scripting Vulnerabilities BugTraq ID: 7898
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7898
Summary:

PostNuke is a web-based portal system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows.

The PostNuke 'modules.php' script does not sufficiently sanitize data supplied via URI parameters, making it prone to cross-site scripting attacks. In particular, the 'categories' and 'letter' URI parameters are not properly sanitized of HTML tags. This could allow for execution of hostile HTML and script code in the web client of a user who visits a web page that contains the malicious code. This would occur in the security context of the site hosting the software.

Exploitation could allow for theft of cookie-based authentication credentials. Other attacks are also possible.

It should be noted that although this vulnerability has been reported to affect PostNuke version 0.7.2.3, other versions might also be affected.


3. PostNuke User.PHP UNAME Cross-Site Scripting Vulnerability BugTraq ID: 7901
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7901
Summary:

PostNuke is a web-based portal system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows.

The PostNuke 'user.php' script does not sufficiently sanitize data supplied via URI parameters, making it prone to cross-site scripting attacks. In particular, the 'uname' URI parameter is not properly sanitized of HTML tags. This could allow for execution of hostile HTML and script code in the web client of a user who visits a web page that contains the malicious code. This would occur in the security context of the site hosting the software.

Exploitation could allow for theft of cookie-based authentication credentials. Other attacks are also possible.

It should be noted that although this vulnerability has been reported to affect PostNuke version 0.7.2.3, other versions might also be affected.

4. Sphera HostingDirector VDS Control Panel Multiple Cross-Site Scripting Vulnerabilities BugTraq ID: 7899
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7899
Summary:

Sphera HostingDirector is software designed to provide centralized administration of a dedicated environment. ServerDirector/Virtual Dedicated Server(VDS) technology is a component that is shipped with HostingDirector; it is designed to simulate multiple virtual dedicated servers on a single system.

Sphera HostingDirector VDS Control Panel has been reported prone to several cross-site scripting attacks. The vulnerabilities exist due to insufficient sanitization of user-supplied input for certain URI parameters.


Specifically, the 'uid', 'error' and 'vds_ip' URI parameters, of the login_screen.php and sm_login_screen.php scripts, are not sanitized of malicious HTML code.

An attacker can exploit this by crafting a link to a site hosting the vulnerable software that includes hostile HTML or script code. If a web user follows the link, the attacker-supplied code would be executed in their browser in the context of the site hosting the software.

Successful exploitation could permit theft of cookie-based authentication credentials from legitimate users of the HostingDirector Control Panel, which may in turn permit unauthorized access to resources that are managed by the software. Other attacks may also be possible.

5. ATFTP Timeout Command Line Argument Local Buffer Overflow Vulnerability BugTraq ID: 7902
Remote: No
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7902
Summary:

atftp is a TFTP client/server implementation for Linux and Unix variants.

atftp is prone to a locally exploitable buffer overflow condition. This issue is due to insufficient bounds checking performed on input supplied to the command line parameter (-t) for "timeout". By providing a string of excessive length (9000 bytes) as a value for the command line parameter, it is possible to trigger this condition to corrupt stack variables. Local attackers may leverage the resulting memory corruption to execute arbitrary instructions.

If atftp is installed setuid/setgid, an attacker may potentially exploit this condition to execute arbitrary instructions with elevated privileges.

It should be noted that although this vulnerability has been reported to affect atftp version 0.7cvs, other versions might also be vulnerable.


6. Sphera HostingDirector Session ID Random Generator Weakness BugTraq ID: 7904
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7904
Summary:

HostingDirector is a commercially available system administration package distributed by Sphera. It is available for the Linux and Microsoft Windows platforms.

A problem with the software may increase the possibility of a user gaining unauthorized access to the system.

It has been reported that Sphera HostingDirector uses a weak method of generating session IDs. This problem may increase the possibility of an attacker brute-force guessing a valid session ID.

The problem is in the method used to generate session IDs. Each new session ID may be a total of 11 bytes in length, of which five bytes vary from a previously generated session ID. Of these five bytes, one is incremented sequentially in a predictable location. This value is stored in a cookie on the system of the authenticated user, and both it and the session ID persist until the user logs out.

To gain access to a vulnerable implementation, an attacker still must know a valid user name to place in the authentication cookie.

7. ATFTP Blocksize Command Line Argument Local Buffer Overflow Vulnerability BugTraq ID: 7907
Remote: No
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7907
Summary:

atftp is a TFTP client/server implementation for Linux and Unix variants.


atftp is prone to a locally exploitable buffer overflow condition. This issue is due to insufficient bounds checking performed on input supplied to the command line parameter (-b) for "blocksize". By providing a string of excessive length as a value for the command line parameter, it is possible to trigger this condition to corrupt stack variables. Local attackers may leverage the resulting memory corruption to execute arbitrary instructions.

If atftp is installed setuid/setgid, an attacker may potentially exploit this condition to execute arbitrary instructions with elevated privileges.

It should be noted that although this vulnerability has been reported to affect atftp version 0.7cvs, other versions might also be vulnerable.

It should also be noted that atftp is not installed setuid/setgid by default.

8. ATFTP TFTP-Timeout Command Line Argument Local Buffer Overflow Vulnerability BugTraq ID: 7906
Remote: No
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7906
Summary:

atftp is a TFTP client/server implementation for Linux and Unix variants.

atftp is prone to a locally exploitable buffer overflow condition. This issue is due to insufficient bounds checking performed on input supplied to the command line parameter (-T) for "tftp-timeout". By providing a string of excessive length as a value for the command line parameter, it is possible to trigger this condition to corrupt stack variables. Local attackers may leverage the resulting memory corruption to execute arbitrary instructions.

If atftp is installed setuid/setgid, an attacker may potentially exploit this condition to execute arbitrary instructions with elevated privileges.


It should be noted that although this vulnerability has been reported to affect atftp version 0.7cvs, other versions might also be vulnerable.

It should also be noted that atftp is not installed setuid/setgid by default.
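As an added example covering the three atftp items above (the timeout, blocksize and tftp-timeout options are the same bug shape with different switches), here is the vulnerable pattern beside a fixed parser. This is not atftp's code: OPTBUF and the function names are assumptions, and the accepted range is the 1 to 255 seconds that RFC 2349 defines for the TFTP timeout option. The same unchecked-length copy of a client-supplied string is what corrupts memory in the FTP command handlers reported elsewhere in this issue, only on the heap rather than the stack.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OPTBUF 64   /* assumed size of the fixed buffer; the advisory gives no number */

/* VULNERABLE shape: the option value is copied into a fixed stack buffer
 * with no length check, so a 9000-byte "-t" value overruns `buf` and the
 * saved registers and return address around it. Kept for illustration
 * only; never call it on untrusted input. */
int parse_timeout_vulnerable(const char *arg)
{
    char buf[OPTBUF];
    strcpy(buf, arg);               /* overflows when strlen(arg) >= OPTBUF */
    return atoi(buf);
}

/* FIXED: never copy the argument at all. Parse it in place with strtol,
 * reject anything that is not a clean integer, and enforce the range the
 * option actually allows. Returns 0 on success, -1 on rejection. */
int parse_timeout_fixed(const char *arg, long *timeout_out)
{
    char *end;
    long v;

    if (arg == NULL || *arg == '\0' || strlen(arg) >= OPTBUF)
        return -1;                  /* empty, or longer than any valid number */

    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                  /* overflow, or trailing junk */
    if (v < 1 || v > 255)
        return -1;                  /* RFC 2349 timeout option range, in seconds */

    *timeout_out = v;
    return 0;
}

/* Builds an n-byte run of 'A', like the 9000-byte argument the advisory
 * names, so the reject path can be exercised. Caller frees. */
char *make_long_arg(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(int argc, char **argv)
{
    long t;
    const char *arg = argc > 1 ? argv[1] : "5";
    if (parse_timeout_fixed(arg, &t) == 0)
        printf("timeout accepted: %ld s\n", t);
    else
        printf("timeout rejected\n");
    return 0;
}
```

The length check is belt-and-braces: strtol never writes into a buffer, so the overflow is gone regardless, but a numeric option longer than a few characters is always garbage and is cheaper to refuse up front than to reason about.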

9. Methodus 3 FTP Server File Disclosure Vulnerability BugTraq ID: 7905
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7905
Summary:

Methodus 3 is a utility that provides a number of features, such as file sharing through an HTTP server and an FTP client/server implementation. It is available for Microsoft Windows operating systems.

The Methodus 3 FTP server component is prone to a file disclosure vulnerability.

This vulnerability is due to insufficient sanitization of directory traversal sequences from FTP commands. It is possible to break out of the FTP root directory by submitting directory sequences such as '../' and '//..' via the change directory (CWD) FTP command. Other commands may be similarly affected. As a result, files that are readable by the server could be disclosed to remote attackers. The attacker would need to authenticate with the FTP server to exploit this issue, though this could occur through anonymous access if it is enabled.

10. Methodus 3 Web Server File Disclosure Vulnerability BugTraq ID: 7908
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7908
Summary:

Methodus 3 is a utility that provides a number of features, such as file sharing through an HTTP server and an FTP client/server implementation. It is available for Microsoft Windows operating systems.

It is possible for remote attackers to retrieve resources outside of the web root directory. The vulnerability is due to insufficient sanitization of directory traversal sequences such as '../' from web requests. This could potentially be exploited to gain access to sensitive files on a system hosting the vulnerable software. Files that are readable by the web server could be disclosed if this issue is exploited.
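An added example, not Methodus code, serving both the FTP and web server items above: a lexical path normaliser that handles the '../' and '//..' sequences named in the advisories, plus backslashes, which a Windows server also treats as separators. The root path and function names are assumptions. A lexical check stops traversal that is present in the request string; symbolic links already under the root still need a realpath() or openat()-style check at open time.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DEPTH 256

/* Lexically resolve a client-supplied path against a fixed server root.
 * Treats both '/' and '\\' as separators (Windows servers accept both),
 * collapses runs of separators such as "//", drops "." components, and
 * pops a component for "..". Any ".." that would climb above the root is
 * refused outright instead of being clamped, so the attempt can be logged.
 *
 * root is assumed to be absolute with no trailing separator. Returns a
 * malloc'd absolute path under root, or NULL on escape/error. Caller frees. */
char *resolve_under_root(const char *root, const char *req)
{
    const char *parts[MAX_DEPTH];
    size_t lens[MAX_DEPTH];
    size_t depth = 0, i, rootlen, total;
    const char *p = req;
    char *out, *w;

    while (*p != '\0') {
        const char *start;
        size_t n;

        while (*p == '/' || *p == '\\')        /* skip a run of separators */
            p++;
        if (*p == '\0')
            break;
        start = p;
        while (*p != '\0' && *p != '/' && *p != '\\')
            p++;
        n = (size_t)(p - start);

        if (n == 1 && start[0] == '.')
            continue;                           /* "." is a no-op */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return NULL;                    /* would leave the root */
            depth--;
            continue;
        }
        if (depth == MAX_DEPTH)
            return NULL;                        /* pathological depth */
        parts[depth] = start;
        lens[depth] = n;
        depth++;
    }

    rootlen = strlen(root);
    total = rootlen + 1;                        /* root + NUL */
    for (i = 0; i < depth; i++)
        total += lens[i] + 1;                   /* '/' + component */
    out = malloc(total);
    if (out == NULL)
        return NULL;
    memcpy(out, root, rootlen);
    w = out + rootlen;
    for (i = 0; i < depth; i++) {
        *w++ = '/';
        memcpy(w, parts[i], lens[i]);
        w += lens[i];
    }
    *w = '\0';
    return out;
}

int main(void)
{
    /* constructed requests: one legitimate, three traversal attempts */
    const char *reqs[] = { "pub/./docs/readme.txt", "../etc/passwd",
                           "//..", "pub/..\\..\\boot.ini" };
    size_t i;
    for (i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        char *r = resolve_under_root("/srv/ftp", reqs[i]);
        printf("%-22s -> %s\n", reqs[i], r ? r : "REFUSED");
        free(r);
    }
    return 0;
}
```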

11. Mollensoft Hyperion FTP/Enceladus Server Suite Multiple Remote Heap Corruption Vulnerabilities BugTraq ID: 7909
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7909
Summary:

MollenSoft Hyperion FTP Server is a server that supports basic FTP functionality and more. It is available for the Microsoft Windows operating systems.

MollenSoft Enceladus Server Suite is a combined FTP and HTTP server product. It is available for the Microsoft Windows operating systems.

Multiple vulnerabilities have been reported for Mollensoft Hyperion FTP and Enceladus Server Suite. The problem likely occurs due to insufficient bounds checking of user-supplied command parameters. As a result, by supplying excessive data to one of multiple FTP commands it is possible to corrupt heap-based memory.

The affected commands include cwd, stat, mkd, xmkd, rmd, and nlst. It is possible to trigger this condition by supplying approximately 270 to 344 bytes as a parameter to one of the commands.

This vulnerability could potentially be exploited by an attacker to execute arbitrary code with the privileges of the server process, possibly SYSTEM. A denial of service attack is also possible.

12. Multiple Vendor PDF Hyperlinks Arbitrary Command Execution Vulnerability BugTraq ID: 7912
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7912
Summary:

A vulnerability has been reported for multiple PDF viewers for Unix variant operating systems. Both Adobe Acrobat Reader and Xpdf are said to be affected.

The vulnerability allegedly occurs when following a malicious hyperlink. When the hyperlink is followed, the PDF viewer builds a command line containing the link target and passes it to 'sh -c' to invoke a utility that handles the request. Because the link is interpolated into a shell command, shell metacharacters embedded in it, such as backtick (`) command substitution, are interpreted by the shell, and it is reportedly possible to execute arbitrary commands this way.

Successful exploitation of this vulnerability could potentially allow an attacker to execute arbitrary commands on a target system with the privileges of the user viewing the PDF document. This would occur externally to the program, and the utility invoked to handle the link would still be called.


The exploitability of this issue is said to vary between PDF viewers, as some do not support the use of external hyperlinks. If a viewer is currently invoked within a browser, the call to 'sh -c' may not be made.

This vulnerability is said to affect Adobe Acrobat Reader 5.06 and Xpdf 1.01, however, other versions may also be affected.

It should be noted that this vulnerability may be similar to that described in BID 1624. If it is concluded that this is in fact the case, the older BID will be updated and this BID will be retired.
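An added example, not from Adobe or Xpdf, of exactly this failure: the URL spliced into a string handed to 'sh -c' (popen() does the same thing underneath) versus the handler exec'd directly with the URL as one argv element. /bin/echo stands in for the real URL handler so the result can be captured, and the URL with a backtick substitution is constructed test input.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Trim one trailing newline (echo adds one). */
static void chomp(char *s)
{
    size_t n = strlen(s);
    if (n > 0 && s[n - 1] == '\n')
        s[n - 1] = '\0';
}

/* VULNERABLE: the URL is spliced into a command line that the shell
 * parses. popen() is "sh -c" underneath, which is what the advisory
 * describes the viewers doing. Output of the handler is captured in out. */
int open_link_via_shell(const char *url, char *out, size_t outsz)
{
    char cmd[1024];
    FILE *fp;
    size_t n;

    if (snprintf(cmd, sizeof cmd, "/bin/echo %s", url) >= (int)sizeof cmd)
        return -1;
    fp = popen(cmd, "r");
    if (fp == NULL)
        return -1;
    n = fread(out, 1, outsz - 1, fp);
    out[n] = '\0';
    pclose(fp);
    chomp(out);
    return 0;
}

/* FIXED: no shell. The handler is exec'd directly and the URL is a single
 * argv element, so backticks, $(), ; and | are ordinary bytes to it. */
int open_link_via_exec(const char *url, char *out, size_t outsz)
{
    int pfd[2];
    pid_t pid;
    FILE *fp;
    size_t n;

    if (pipe(pfd) != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                       /* child: stdout -> pipe, exec */
        char *const argv[] = { "/bin/echo", (char *)url, NULL };
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[0]);
        close(pfd[1]);
        execv(argv[0], argv);
        _exit(127);
    }
    close(pfd[1]);                        /* parent: read what the child wrote */
    fp = fdopen(pfd[0], "r");
    if (fp == NULL)
        return -1;
    n = fread(out, 1, outsz - 1, fp);
    out[n] = '\0';
    fclose(fp);
    waitpid(pid, NULL, 0);
    chomp(out);
    return 0;
}

int main(void)
{
    /* constructed test input: a link carrying a backtick substitution */
    const char *url = "http://example.invalid/`echo INJECTED`";
    char out[256];
    if (open_link_via_shell(url, out, sizeof out) == 0)
        printf("sh -c : %s\n", out);   /* substitution ran inside the shell */
    if (open_link_via_exec(url, out, sizeof out) == 0)
        printf("execv : %s\n", out);   /* literal URL, backticks intact */
    return 0;
}
```

Quoting or escaping the URL before handing it to the shell is the tempting alternative; it is also the one that keeps getting bypassed. Building argv and skipping the shell removes the parser that makes the metacharacters special.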

13. MikMod Long File Name Local Buffer Overflow Vulnerability BugTraq ID: 7914
Remote: No
Date Published: Jun 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7914
Summary:

mikmod is a freely available, open source sound library and module player. It is available for Unix, Linux, and Microsoft Windows platforms.

It has been reported that mikmod does not properly handle file names of arbitrary length. Long file names inside archive files can corrupt sensitive process memory, which may potentially be exploited to execute code with the privileges of the mikmod process. An attacker may be able to use this to gain unauthorized privileges on a system using the program.

14. Progress Database DBAgent InstallDir Local Privilege Elevation Vulnerability BugTraq ID: 7915
Remote: No
Date Published: Jun 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7915
Summary:

Progress Database is a commercial database for Microsoft Windows, Linux, and Unix systems.

A problem with the software may grant unauthorized privileges.


It has been reported that dbagent packaged with Progress does not properly handle untrusted input in some command line arguments. Because of this, an attacker may be able to gain unauthorized privileges.

The problem is in the installdir option. The dbagent program does not perform sufficient checks or sanitizing of values passed with this argument when executed. This could lead to an attacker supplying a directory in an arbitrary location on the system, and potentially loading a malicious library into the program.

Any library code loaded through the installdir argument would execute with the privileges of the dbagent program, which is typically installed with elevated privileges.

15. Progress Database Environment Variable Local Privilege Escalation Vulnerability BugTraq ID: 7916
Remote: No
Date Published: Jun 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7916
Summary:

Progress Database is a commercial database for Microsoft Windows, Linux, and Unix systems.

A problem with the software may grant unauthorized privileges.

It has been reported that Progress database does not properly handle untrusted input when opening shared libraries. Specifically, the dlopen() function, used by several Progress utilities in /usr/dlc/bin/, checks the user's PATH environment variable when including shared object libraries. If any shared objects are found, Progress will load and execute them. Due to this, an attacker may be able to gain unauthorized privileges.

An attacker can exploit this vulnerability by creating a malicious shared object and setting the PATH environment variable to include the directory containing the shared object. When certain utilities in the /usr/dlc/bin/ directory are executed, the malicious shared library will be loaded.

Any library code loaded will execute with elevated privileges.

16. myServer Signal Handling Denial Of Service Vulnerability BugTraq ID: 7917
Remote: Yes
Date Published: Jun 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7917
Summary:

myServer is an application and web server for Microsoft Windows and Linux operating systems.

A vulnerability has been reported for myServer that may result in a denial of service condition. The vulnerability exists when myServer receives certain signals. Specifically, when myServer receives the SIGINT signal, it will crash.


This vulnerability was reported to affect myServer 0.4.1.

17. FreeWnn JServer Logging Option Data Corruption Vulnerability BugTraq ID: 7918
Remote: No
Date Published: Jun 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7918
Summary:

FreeWnn 1.1.0 is a kana-kanji (Japanese) translation system. This software is a client-server type application, with the jserver portion acting as a server and performing translations for clients.

A vulnerability has been reported for FreeWnn that may result in an attacker obtaining elevated privileges. Specifically, when /usr/bin/Wnn4/jserver is invoked with the '-s' commandline option to indicate a log file, it does not perform proper file existence checks. Due to this, an attacker may be able to overwrite system files, and potentially gain elevated privileges.

If the jserver process is executed as a user with elevated privileges, this could allow an attacker to gain privileges equal to the jserver user.

It should be noted that this program might also be installed with setuid or setgid privileges on some systems. This would allow an attacker to execute and exploit the program at will.
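An added example that is not FreeWnn code, showing the open() flags that make the difference. The scenario is constructed in a temporary directory: a symlink at the log path pointing at a 'victim' file. O_EXCL is the existence check the advisory says is missing, so the fixed opener also refuses a plain '-s /etc/passwd'; O_NOFOLLOW additionally refuses a planted symlink, which is the other way a user-chosen log path reaches a system file. File names, modes and the symlink scenario are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE shape: create-or-truncate with no existence check. Pointed at
 * an existing file, or at a symlink planted where the log should be, a
 * privileged process truncates that file. */
int open_log_vulnerable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* FIXED: O_EXCL is the missing existence check (fails on any pre-existing
 * path, /etc/passwd included), O_NOFOLLOW refuses a planted symlink, and
 * the private mode keeps the new log from being world-readable. */
int open_log_fixed(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a fresh temporary directory: a 'victim' file with
 * 15 bytes of content and a symlink 'log' -> victim. Opens 'log' with the
 * given opener and returns the victim's size afterwards, or -1 on setup
 * failure. 0 means the victim was truncated through the link. */
long victim_size_after(int (*opener)(const char *))
{
    char dir[] = "/tmp/jserverlogXXXXXX";
    char victim[256], linkpath[256];
    struct stat st;
    int fd;
    long size = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(linkpath, sizeof linkpath, "%s/log", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0 && write(fd, "important data\n", 15) == 15 &&
        close(fd) == 0 && symlink(victim, linkpath) == 0) {
        fd = opener(linkpath);             /* the call under test */
        if (fd >= 0)
            close(fd);
        if (stat(victim, &st) == 0)
            size = (long)st.st_size;
    }
    unlink(linkpath);
    unlink(victim);
    rmdir(dir);
    return size;
}

int main(void)
{
    printf("O_TRUNC through symlink, victim size: %ld\n",
           victim_size_after(open_log_vulnerable));
    printf("O_EXCL|O_NOFOLLOW,       victim size: %ld\n",
           victim_size_after(open_log_fixed));
    return 0;
}
```

For a daemon that must append to an existing log, the equivalent check is to open with O_NOFOLLOW and O_APPEND, fstat() the descriptor, and refuse unless it is a regular file owned by the service user; the decision is made on the opened descriptor, not on a path that can change underneath it.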

18. PMachine Lib.Inc.PHP Remote Include Command Execution Vulnerability BugTraq ID: 7919
Remote: Yes
Date Published: Jun 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7919
Summary:

PMachine is a web content management system. It is available for the Unix and Linux platforms.

A problem with the software may make unauthorized access possible.

It has been reported that PMachine does not properly handle include files under some circumstances. Because of this, an attacker may be able to remotely execute commands.


The problem is in the lib.inc.php file. This file does not adequately check the value passed to an include() function. Because of this, an attacker can supply the location of a remote include file containing malicious commands, which are then executed in a shell on the local host. This could allow an attacker to gain access to the host with the privileges of the web server process.

19. LedNews Post Script Code Injection Vulnerability BugTraq ID: 7920
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7920
Summary:

LedNews is a freely available, open source news posting script. It is available for the Unix and Linux platforms.

A problem with the software may make script injection attacks possible.

It has been reported that LedNews does not properly filter input from news posts. Because of this, it may be possible for an attacker to steal authentication cookies or perform other nefarious activities.

The program does not properly sanitize input, allowing HTML and script code to be posted as news. This code would be executed in the browser of any site user who views the post.

It should be noted that it may also be possible to execute arbitrary commands through server-side includes on a host using the vulnerable software.

20. Mailtraq Remote Directory Traversal Vulnerability BugTraq ID: 7921
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7921
Summary:

Mailtraq is a commercially available e-mail server and client software package. It is available for the Microsoft Windows platform.


A problem with the software may make it possible for an attacker to gain unauthorized access to sensitive information.

It has been reported that Mailtraq is vulnerable to a remote directory traversal issue. Because of this, an attacker may be able to gain access to files on the local system with the privileges of the Mailtraq server process.

The problem is in the handling of input by the Mailtraq server process. By issuing a request to the Mailtraq web interface for a specific directory, a remote user can view all the files contained in the requested directory. As the Mailtraq program typically executes with elevated privileges, this may permit the disclosure of privileged information.

21. Snitz Forums Search.ASP Cross-Site Scripting Vulnerability BugTraq ID: 7922
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7922
Summary:

Snitz Forums is ASP-based web forum software. It runs on Microsoft Windows operating systems.

Snitz Forums is prone to cross-site scripting attacks. This is due to insufficient sanitization of data passed to the search facility via URI parameters. As a result, it is possible for a remote user to create a malicious link to a site hosting the vulnerable software that contains hostile HTML and script code. If this link is visited, the attacker-supplied HTML and script code will be interpreted by the victim's browser. This will occur in the context of the site hosting the vulnerable software.

Exploitation may allow theft of cookie-based authentication credentials or other attacks.

This issue was reported in Snitz Forums 3.4.0.3, other versions might also be affected.

22. Snitz Forum Cookie Authentication Bypass Vulnerability BugTraq ID: 7924
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7924
Summary:

Snitz Forums is ASP-based web forum software. It runs on Microsoft Windows operating systems.

Snitz Forum has been reported prone to a cookie authentication bypass vulnerability.

It has been reported that, if a remote attacker can retrieve the authentication cookie of another user, they can extract the password hash and use it to construct a malicious cookie that can be harnessed to hijack the victim's account.

An attacker may exploit this issue to hijack another Snitz forum user's account.

This issue was reported in Snitz Forums 3.4.0.3, other versions might also be affected.
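
The weakness described in this entry is that the authentication cookie carries the password hash itself, so whoever obtains the cookie can rebuild a valid one. The following is an added example, not Snitz code, of the alternative a defender would want: a cookie that holds only a member id, an expiry, a random nonce and an HMAC under a server-side key, so a captured cookie discloses nothing about the credential and cannot be re-minted for another member. The key, the field layout and the one-hour lifetime are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side key for this example. A deployment keeps this in server
# configuration; it is never derived from, or sent alongside, any user's password.
SERVER_KEY = secrets.token_bytes(32)


def issue_session_cookie(member_id: int, ttl_seconds: int = 3600,
                         now: Optional[float] = None) -> str:
    """Return a cookie value of the form member_id.expiry.nonce.mac.

    The cookie carries an opaque nonce plus an HMAC, never the password hash, so a
    copy taken from one browser reveals nothing about the credential and cannot be
    altered to name a different member without SERVER_KEY.
    """
    now = time.time() if now is None else now
    expiry = int(now) + ttl_seconds
    nonce = secrets.token_hex(16)
    payload = f"{member_id}.{expiry}.{nonce}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_session_cookie(cookie: str, now: Optional[float] = None) -> Optional[int]:
    """Return the member id if the cookie is authentic and unexpired, otherwise None."""
    now = time.time() if now is None else now
    parts = cookie.split(".")
    if len(parts) != 4:
        return None
    member_id, expiry, nonce, mac = parts
    payload = f"{member_id}.{expiry}.{nonce}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison first, so a forged cookie learns nothing from timing.
    if not hmac.compare_digest(expected, mac):
        return None
    if not (member_id.isdigit() and expiry.isdigit()):
        return None
    if int(expiry) < now:
        return None
    return int(member_id)
```

A stolen cookie of this shape is still a session-hijack risk until it expires, which is why the lifetime is short and why the server can revoke sessions by rotating SERVER_KEY; what it removes is the ability to derive the password hash from the cookie or to forge one for an arbitrary account.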

23. Mailtraq User Password Encoding Weakness BugTraq ID: 7923
Remote: No
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7923
Summary:

Mailtraq is a commercially available e-mail server and client software package. It is available for the Microsoft Windows platform.

A problem with the software may increase the likelihood of an attacker discovering passwords.

It has been reported that Mailtraq does not securely store passwords. Because of this, an attacker may have an increased chance at gaining access to clear text passwords.

The problem is in the algorithm used to store passwords. Mailtraq uses a weak encoding scheme that can be easily reversed by a user with read access to the password file. This can result in an attacker revealing the clear text password strings and gaining access to the accounts of Mailtraq users.

24. Snitz Forums Password.ASP Password-Reset Vulnerability BugTraq ID: 7925
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7925
Summary:

Snitz Forums is ASP-based web forum software. It runs on Microsoft Windows operating systems.

Snitz Forums 'password.asp' has been reported prone to a password-reset vulnerability. It has been reported that by requesting a forgotten password, an attacker may save the 'password reset' page offline. By modifying the member id in the saved script the attacker may reset arbitrary account passwords, if the corresponding member id is known.

This issue was reported in Snitz Forums 3.4.0.3, other versions might also be affected.

25. Mailtraq Remote Format String SMTP Resource Consumption Vulnerability BugTraq ID: 7926
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7926
Summary:

Mailtraq is a commercially available e-mail server and client software package. It is available for the Microsoft Windows platform.

A problem with the software may make a remote denial of service possible.

It has been reported that Mailtraq does not reliably handle format strings in some SMTP protocol fields. This may cause a system to become unstable and crash, allowing a remote attacker to deny service to the system.

The problem is in the handling of certain format string sequences. It has been reported that sending an e-mail with strings such as @@%s%p%n and %s%p%n to the server in the following fields may consume excessive resources:

MAIL FROM
RCPT TO
HELO
FROM

Each string must contain 65535 repetitions of the string to successfully cause the system to become momentarily resource-bound. This can be automated to result in a prolonged denial of service.

26. Xoops/E-Xoops Tutorials Module Remote Command Execution Vulnerability BugTraq ID: 7927
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7927
Summary:

Xoops is open-source, freely available web portal software written in object-oriented PHP. It is back-ended by a MySQL database and will run on most Unix and Linux distributions.

The Tutorials module allows remote users to upload various content to a site, including files with image MIME types. All images are uploaded to the images directory. This module is also available for E-Xoops.

A vulnerability has been discovered in the function used by Tutorials to upload images to a site. The problem occurs due to the module failing to verify that the file being uploaded is indeed an image MIME type.

Due to this lack of input validation, a remote attacker may be capable of uploading malicious script files to the images directory or possibly other locations on the system. If a script file were successfully uploaded, an attacker could subsequently trigger its execution by issuing an HTTP request for the file.

This would effectively result in the execution of arbitrary system commands with the privileges of the httpd server, possibly root.
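
The missing check described in this entry is content validation of the uploaded file. As an added example (not the Tutorials module's code), this is the upload gate a defender would put in front of the images directory: the file's leading bytes decide its type, the client-supplied extension and MIME type are only cross-checked against that decision, and the stored name is generated by the server. The signature table, the size limit and the function names are constructed for this example.

```python
import os
import secrets
from typing import Optional

# Allow-list of accepted formats by their leading bytes (constructed for this example).
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MIME_FOR_KIND = {"png": "image/png", "jpg": "image/jpeg", "gif": "image/gif"}


def detect_image_type(data: bytes) -> Optional[str]:
    """Return 'png', 'jpg' or 'gif' from the file's own bytes, or None if unrecognised."""
    for kind, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def validate_upload(data: bytes, client_filename: str, client_mime: str,
                    max_bytes: int = 2_000_000) -> str:
    """Decide whether an upload is an image worth keeping; return a server-chosen filename.

    Raises ValueError on rejection. The client's filename and declared MIME type
    never decide the outcome on their own: they must agree with the detected type.
    """
    if len(data) > max_bytes:
        raise ValueError("file too large")
    kind = detect_image_type(data)
    if kind is None:
        raise ValueError("content is not a recognised image")
    ext = os.path.splitext(client_filename)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext != kind:
        raise ValueError(f"extension .{ext} does not match detected type {kind}")
    if client_mime.lower() != MIME_FOR_KIND[kind]:
        raise ValueError("declared MIME type does not match content")
    # The attacker's filename never reaches the filesystem; the server picks the name
    # and the extension, so no script-handler extension can be smuggled in.
    return f"{secrets.token_hex(8)}.{kind}"
```

Signature checks raise the bar but do not by themselves rule out a file that is both a valid image and something a script handler would execute, so the accepted file should also be written to a directory that the web server serves as static content only, with no script execution mapped to it.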

27. Linux-PAM Pam_Wheel Module getlogin() Username Spoofing Privileged Escalation Vulnerability BugTraq ID: 7929
Remote: No
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7929
Summary:

Linux-PAM (Pluggable Authentication Modules for Linux) is an authentication system used to enforce various access restrictions and security mechanisms. The pam_wheel module can be used to enforce access restrictions to various utilities, such as 'su', using the 'wheel' group.

When the "trust" configuration option is implemented, users of the trusted group are not required to supply a password when running the 'su' utility. A configuration option "use_uid" is also available which specifies whether a user of the trusted group should be verified using the login name or user id.

A vulnerability has been discovered in the pam_wheel module when running a configuration with the "trust" option enabled and the "use_uid" option disabled. The vulnerability occurs due to the insecure use of the getlogin() function when verifying user login names against a list of trusted users. It should be noted that the said configuration is not used by default.

Due to the insecure use of getlogin() a local attacker may be capable of gaining unauthorized 'root' privileges without supplying a password. This can be accomplished by spoofing the 'logname' return value, effectively causing getlogin() to return the name of another logged-in user. The spoofed user would have to be logged in to the system and also be part of the trusted group for this attack to take place.

Successful exploitation of this issue would allow an attacker to invoke the 'su' utility and gain unauthorized superuser privileges.
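
The "use_uid" distinction in this entry is the whole defence, so here it is made concrete as an added illustration that is not Linux-PAM code. Two identity sources are compared: the login name recorded for the controlling terminal, which is what getlogin() reports and which the advisory says can be influenced, and the name behind the kernel-maintained real uid, which an unprivileged process cannot change. The decision function mirrors the shape of the trust check; the group contents are constructed.

```python
import os
import pwd
from typing import Optional, Set


def login_name_from_terminal() -> Optional[str]:
    """What a check without use_uid consults: the login name attached to the
    controlling terminal (os.getlogin wraps getlogin()). May be absent or stale."""
    try:
        return os.getlogin()
    except OSError:
        return None


def name_from_real_uid() -> Optional[str]:
    """What use_uid selects: the account behind the real uid the kernel maintains."""
    try:
        return pwd.getpwuid(os.getuid()).pw_name
    except KeyError:
        return None


def is_trusted(use_uid: bool, trusted_members: Set[str],
               login_name: Optional[str], uid_name: Optional[str]) -> bool:
    """Trust decision in the shape the advisory describes: the configuration flag
    chooses which name is compared against the trusted group's member list."""
    name = uid_name if use_uid else login_name
    return name is not None and name in trusted_members


def current_trust(use_uid: bool, trusted_members: Set[str]) -> bool:
    """Evaluate the decision for the calling process using the live identity sources."""
    return is_trusted(use_uid, trusted_members,
                      login_name_from_terminal(), name_from_real_uid())
```

With use_uid off, the decision depends entirely on the terminal's recorded login name; the constructed test below shows that a process whose real uid maps to an untrusted account is still admitted when that name reads as a trusted member, and is refused once the uid is consulted instead.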

28. Mailtraq Webmail Remote HTML Injection Vulnerability BugTraq ID: 7928
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7928
Summary:

Mailtraq is a commercially available e-mail server and client software package. It is available for the Microsoft Windows platform.

It has been reported that Mailtraq does not sufficiently sanitize potentially malicious content from e-mails.

The problem is in the filtering of HTML and script code from e-mail header fields. When this type of content is sent to a user of the vulnerable webmail service, it is not filtered of HTML tags. This may allow an attacker to send HTML or script code to users that could result in a denial of service, theft of authentication cookie credentials or other attacks.

29. Dantz Retrospect Client StartupItems Insecure Default Permissions Vulnerability BugTraq ID: 7934
Remote: No
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7934
Summary:

Retrospect is a backup software package distributed by Dantz.

A problem with the software may make local data destruction or privilege elevation possible.

It has been reported that Retrospect does not create some directories and files with secure permissions. Because of this, an attacker may be able to launch symbolic link or other types of attacks.

The problem is in the creation of the directories and files below the /Library/StartupItems/ directory. These files are created by Retrospect with world-read and world-write permissions. These files could be changed to symbolic links, replaced with files of malicious content, or other scenarios.

30. Pod.Board Forum_Details.PHP Multiple HTML Injection Vulnerabilities BugTraq ID: 7933
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7933
Summary:

pod.board is a web-based portal/forum system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows.

The pod.board 'forum_details.php' script does not sufficiently sanitize data supplied via URI parameters or web-based input fields, making it prone to HTML injection attacks. In particular, the 'user_homepage', 'user_location', 'user_nick' and 'user_signature' URI parameters and corresponding input fields are not properly sanitized of HTML tags. This could allow for execution of hostile HTML and script code in the web client of a user who visits a web page that contains the malicious injected code. This would occur in the security context of the site hosting the software.

Exploitation could allow for theft of cookie-based authentication credentials. Other attacks are also possible.

It should be noted that although this vulnerability has been reported to affect pod.board version 1.1, other versions might also be affected.

31. Pod.Board New_Topic.PHP Multiple HTML Injection Vulnerabilities BugTraq ID: 7936
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7936
Summary:

pod.board is a web-based portal/forum system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows.

The pod.board 'new_topic.php' script does not sufficiently sanitize data supplied via URI parameters or web-based input fields, making it prone to HTML injection attacks. In particular, the 'topic_title' or 'post_text' URI parameters and corresponding input fields are not properly sanitized of HTML tags. This could allow for execution of hostile HTML and script code in the web client of a user who visits a web page that contains the malicious injected code. This would occur in the security context of the site hosting the software.

Exploitation could allow for theft of cookie-based authentication credentials. Other attacks are also possible.

It should be noted that although this vulnerability has been reported to affect pod.board version 1.1, other versions might also be affected.
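
Entries 21, 30 and 31 all come down to user-controlled text reaching an HTML page without output encoding. As an added example (not pod.board or Snitz code), this renders the profile fields named in entry 30 with HTML escaping, and treats 'user_homepage' differently from the others: a value destined for an href must also pass a URL scheme allow-list, because escaping alone does not stop a script-scheme URL from being clickable. The field set follows the entry; the rendering layout, the function names and the sample values are constructed.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def escape_text(value: str) -> str:
    """Encode a field for placement in HTML text or inside a quoted attribute."""
    return html.escape(value, quote=True)


def safe_homepage_href(value: str) -> Optional[str]:
    """Accept only absolute http(s) URLs for a user-supplied homepage; return the
    escaped href, or None when the link must not be emitted at all."""
    candidate = value.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return html.escape(candidate, quote=True)


def render_profile(user_nick: str, user_location: str,
                   user_homepage: str, user_signature: str) -> str:
    """Build the profile fragment with every field encoded for its context."""
    href = safe_homepage_href(user_homepage)
    link = (f'<a href="{href}" rel="nofollow">homepage</a>'
            if href else "(no homepage given)")
    return (f"<p>{escape_text(user_nick)} from {escape_text(user_location)} {link}</p>"
            f"<p>{escape_text(user_signature)}</p>")
```

The same two rules cover the search parameter in entry 21 and the topic fields in entry 31: encode for the context the value lands in, and validate separately anything that will become a URL, event handler or other non-text sink.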

32. Tarantella Enterprise Redirected Keypress Application Control Weakness BugTraq ID: 7935
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7935
Summary:

A vulnerability has been discovered in Tarantella Enterprise versions 3.0 through 3.3. The problem occurs when the "Maximum Users Per Engine" configuration option has been modified to contain a value greater than 1. When this occurs, Tarantella may fail to correctly transmit keypresses to the correct user session, and instead transmit them to another user's session. These keypresses would then be interpreted by the second user's application.

This would result in the actions being interpreted by their application, potentially resulting in unexpected behaviour or data loss.

It is currently unknown whether a remote user could potentially transmit keypresses to a target user. However, if the transmission is sent to a random user, an attacker could repeatedly hit a sequence of keypresses designed to corrupt data. When the unpredictable transmission occurs, the keypresses would cause a random Tarantella Enterprise user to be 'attacked'.

Other potential scenarios may include a user unexpectedly viewing a second user's password. Also, if a malicious user were able to trigger a specific sequence of keypresses and that sequence were delivered to a user running a particular application, it may be possible to execute commands or carry out other forms of attack.

The precise details regarding this vulnerability are currently unknown. This BID will be updated when further information is made available.

33. PHPBB Admin_Styles.PHP Theme_Info.CFG File Include Vulnerability BugTraq ID: 7932
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7932
Summary:

phpBB is an open-source web forum application that is written in PHP and supported by a number of database products. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

It has been reported that phpBB may permit an attacker to influence the include path of 'theme_info.cfg'. The path to this file can be influenced by supplying a malicious value for the '$install_to' CGI variable.

While it does not seem possible to supply a path to a remote server, it may be possible to supply a relative path to a malicious local 'theme_info.cfg' file. This could lead to execution of arbitrary PHP code with the privileges of the web server. Older versions of PHP may also permit an attacker to specify a path to an arbitrary system file by including a NULL byte (%00) in the request, which could reportedly cause files to be disclosed to the attacker.
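
Entries 20 and 33 are both containment failures: a request-supplied name is joined onto a server path without checking where the result lands. As an added example (not Mailtraq or phpBB code), this is the check a defender would place in front of any such join. It rejects NUL bytes (the truncation trick the entry attributes to older PHP runtimes), rejects absolute paths, resolves symlinks and '..' segments, and only then confirms the result still lies under the base directory. The directory names, the function names and the single-component rule for theme names are constructed for this example.

```python
import os


def resolve_within(base_dir: str, user_path: str) -> str:
    """Return the absolute path that user_path denotes under base_dir, or raise ValueError.

    realpath() collapses '..' and follows symlinks before the containment test, so a
    link inside base_dir that points elsewhere is caught as well as a literal escape.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if not user_path or os.path.isabs(user_path):
        raise ValueError("absolute or empty path")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate


def theme_config_path(templates_dir: str, install_to: str) -> str:
    """Locate <templates_dir>/<install_to>/theme_info.cfg for a theme name taken from
    the request, insisting that the name is a single plain directory component."""
    if (install_to in ("", ".", "..") or "/" in install_to
            or "\\" in install_to or "\x00" in install_to):
        raise ValueError("theme name must be a plain directory name")
    return resolve_within(templates_dir, os.path.join(install_to, "theme_info.cfg"))


def listing_path(web_root: str, requested_dir: str) -> str:
    """The same containment rule applied to a directory-listing request such as the one
    entry 20 describes: the request may only name something inside web_root."""
    return resolve_within(web_root, requested_dir.lstrip("/"))
```

The containment test compares resolved paths rather than raw strings, which is what makes it robust to encodings and separator tricks that a prefix check on the unresolved request string would miss; the single-component rule for theme names is the stricter choice when the legitimate input is known to be a bare directory name.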

34. Noweb/Noroff Insecure Temporary File Creation Vulnerability BugTraq ID: 7937
Remote: No
Date Published: Jun 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7937
Summary:

noweb is an application designed to automate the process of preparing the source of a program for human readers.

noroff is a tool shipped as part of noweb; it is designed to format, in a specific manner, documents that have been partially processed by noweb.

noroff has been reported prone to an insecure temporary file creation vulnerability. As a result, it may be possible for local attackers to corrupt files owned by the user who is invoking the noroff application.

An attacker could potentially exploit this issue by creating a symbolic link in place of the temporary file which is created. Any actions performed by noroff when it is executed will be performed on the linked file.

It should be noted that although this vulnerability has been reported to affect noweb version 2.9a, other versions might also be affected.
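
The precondition in this entry is a temporary file whose name can be predicted and pre-empted with a symbolic link. As an added example (not noweb or noroff code), the script below sets up exactly that precondition in a scratch directory and shows two creation strategies that hold up: an exclusive create with O_EXCL (and O_NOFOLLOW where the platform offers it) that refuses because the name is already taken, and tempfile.mkstemp, which picks an unpredictable name and creates it atomically with mode 0600. The file names and the scratch directory are constructed for this example.

```python
import os
import shutil
import tempfile
from typing import Tuple


def open_temp_file_safely(directory: str) -> Tuple[int, str]:
    """Create a scratch file with an unpredictable name, atomically and with mode 0600."""
    return tempfile.mkstemp(prefix="noroff-", dir=directory)


def create_exclusively(path: str) -> int:
    """Create a fixed-name file only if nothing exists at that path, and never through a
    symlink. Returns the descriptor; raises FileExistsError if the name is taken."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def run_demo() -> dict:
    """Reproduce the advisory's precondition in a scratch directory and record how each
    creation strategy behaves. Returns observations instead of printing them."""
    tmpdir = tempfile.mkdtemp()
    try:
        victim = os.path.join(tmpdir, "victim.txt")
        with open(victim, "w") as f:
            f.write("original")

        # A symlink already sitting at the predictable name, the condition the entry describes.
        predictable = os.path.join(tmpdir, "noroff.tmp")
        os.symlink(victim, predictable)

        # A plain open(predictable, "w") would follow the link and truncate victim.txt;
        # the exclusive create refuses instead because the name is already taken.
        try:
            os.close(create_exclusively(predictable))
            exclusive_refused = False
        except FileExistsError:
            exclusive_refused = True

        fd, safe_path = open_temp_file_safely(tmpdir)
        mode = os.fstat(fd).st_mode & 0o777
        os.close(fd)

        with open(victim) as f:
            victim_content = f.read()
        return {
            "exclusive_refused": exclusive_refused,
            "victim_content": victim_content,
            "mode": mode,
            "safe_name_unpredictable": os.path.basename(safe_path) != "noroff.tmp",
        }
    finally:
        shutil.rmtree(tmpdir)
```

The exclusive create is the right fix when a tool must use a fixed name; when it does not, mkstemp removes the guessable name altogether and is the simpler choice.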

35. Microsoft Internet Explorer MSXML XML File Parsing Cross-Site Scripting Vulnerability BugTraq ID: 7938
Remote: Yes
Date Published: Jun 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7938
Summary:

A vulnerability has been reported for Internet Explorer, using the MSXML parser, that may result in cross-site scripting attacks. The vulnerability exists due to the way that the MSXML parser handles certain types of XML data.

When IE views an XML file, it will automatically attempt to parse it using the MSXML parser. If IE is unable to parse the XML file, it will display a parse error that also includes the URL of the requested XML file.

In some instances, the displayed URL is not sufficiently sanitized of query strings that may have been passed in as URI parameters.
