SecurityFocus Newsletter #205

From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon Jul 14 2003 - 13:41:41 EDT

SecurityFocus Newsletter #205


This Issue is Sponsored by: SPI Dynamics

Hacking Web Applications - Web Cast from SPI Dynamics. Watch and learn as our top security experts from SPI Dynamics show you how to defend against Web Application Attacks in a FREE Web Cast that will cover: real examples of recent hacking methods such as SQL Injection, Cross Site Scripting and Parameter Manipulation; step-by-step vulnerability testing for your own Web Applications; and guidelines for establishing best administration and coding practices.

Click here to register:
http://www.securityfocus.com/SPIDynamics-sf-news3


I. FRONT AND CENTER

  1. Linux Firewall-related /proc Entries
  2. The Persistence of Hoax
  3. U.S. Information Security Law, Part Four
  4. The SecurityFocus 4th Anniversary Contest

II. BUGTRAQ SUMMARY

  1. ProductCart Custva.ASP SQL Injection Vulnerability
  2. ProductCart Login.ASP SQL Injection Vulnerability
  3. Apple Mac OS X Screen Saver Password Prompt Buffer Overflow...
  4. Cerulean Studios Trillian Client Malformed TypingUser Denial Of...
  5. ProductCart MSG.ASP Cross-Site Scripting Vulnerability
  6. Macromedia ColdFusion MX Remote Development Service File...
  7. Macromedia ColdFusion MX Remote Development Service Default...
  8. Mirabilis ICQ Password Bypass Weakness
  9. ProductCart File Disclosure Vulnerability
  10. Microsoft Outlook Web Access HTML Attachment Script Execution...
  11. Microsoft RunDLL32.EXE Buffer Overflow Vulnerability
  12. SEMI/WEMI Insecure Temporary File Creation Vulnerability
  13. X-Face-EL Insecure Temporary File Creation Vulnerability
  14. IglooFTP PRO Multiple Buffer Overflow Vulnerabilities
  15. GKrellM Mailwatch Plugin From Header Remote Buffer Overflow...
  16. CPanel Admin Interface HTML Injection Vulnerability
  17. MyServer Malformed URI Denial Of Service Vulnerability
  18. Canon GP300 Remote Malformed HTTP Get Denial Of Service...
  19. Mini-Webserver Information Disclosure Vulnerability
  20. BillingExplorer Multiple Remote Client Communication Integrity...
  21. Liece Insecure Temporary File Creation Vulnerability
  22. Mozart Unsafe Mailcap Configuration Vulnerability
  23. Microsoft Windows CreateFile API Named Pipe Privilege Escal...
  24. Laforge Groups Forum51 Information Disclosure Vulnerability
  25. Laforge Groups Board51 Information Disclosure Vulnerability
  26. Laforge Groups News51 Information Disclosure Vulnerability
  27. Tower Toppler HOME Environment Variable Local Buffer Overflow...
  28. Anope Services OperServ Raw Join Denial Of Service Vulnerability
  29. UnrealIRCD OperServ Raw Join Denial Of Service Vulnerability
  30. Macromedia Apache Web Server Encoded Space Source Disclosure...
  31. Apache Web Server Prefork MPM Denial Of Service Vulnerability
  32. Apache Web Server Type-Map Recursive Loop Denial Of Service...
  33. Apache Web Server FTP Proxy IPV6 Denial Of Service Vulnerability
  34. Rockliffe Mailsite Attachment Disclosure Vulnerability
  35. Knoppix QT Insecure Temporary File Creation Vulnerability
  36. Novell iChain Server Multiple Vulnerabilities
  37. ZKFingerD Multiple Format String Vulnerabilities
  38. Novell eDirectory DS/iMONITOR Unspecified Vulnerabilities
  39. Multiple BEA WebLogic Server/Express Vulnerabilities
  40. SKK/DDSKK Insecure Temporary Files Vulnerability
  41. XBlockOut XBL Display Local Buffer Overrun Vulnerability
  42. Teapop SQL Injection Vulnerability
  43. TerminatorX Home Environment Variable Buffer Overflow...
  44. TerminatorX XLocaleDIR Environment Variable Buffer Overflow...
  45. NetScreen Non-IP Traffic Firewall Bypass Vulnerability
  46. Cisco Catalyst Non-Standard TCP Flags Remote Denial Of Service...

III. SECURITYFOCUS NEWS ARTICLES

  1. IE Bugs Keep Coming
  2. Man arrested in United Kingdom in hacking at U.S. physics lab
  3. RFID spy-chippers leak confidential data on the Web
  4. Virus hysteria debunk-site in difficulties

IV. SECURITYFOCUS TOP 6 TOOLS

  1. pf2x v1.0.1
  2. ps-watcher v1.0
  3. Ettercap v0.6b
  4. Anti-Spam SMTP Proxy v0.3.0
  5. J2SSH v0.2.1 (JDK 1.4)
  6. quicktables v2.0

V. SECURITYJOBS LIST SUMMARY

  1. Sr. SW Engineer in San Jose, CA (Thread)
  2. Positions in the USA (Thread)
  3. Encryption/PKI Engineer (Thread)
  4. South Florida Opportunities (Thread)
  5. Searching For A New Security Job (Thread)
  6. Network Security Engineer opportunity in Seattle! (Thread)
  7. Job positing (Thread)
  8. Incident Analyst Position, Calgary, Alberta Canada - Relo Money...
  9. Incident Analyst Position, Dublin Ireland - Relo Money...
  10. 8 Northeast Security Software Sales opportunities (Thread)
  11. Senior Technical IT Auditor - Cleveland, Ohio (Thread)
  12. looking for Position in Ireland (Thread)
  13. X.500/LDAP Specialist, London, UK (Thread)
  14. Request for Job Postings...Job descriptions included... (Thread)
  15. Senior Technology Manager-Access & Identity Management...
  16. VP, IT Security #800 - New York - $140k - $160k (Thread)
  17. Security Software Sales Opportunity in the Bay (Thread)
  18. Network Security Engineer (Thread)
  19. Senior Account Manager (Thread)
  20. Senior Account Executive (Thread)
  21. Account Executives (Thread)
  22. .NET/C# Developer for MSS development team- Alexandria, VA...
  23. IT Security Engineer, Bristol, UK (Thread)
  24. Sr. Information Technology Security Auditor (Thread)
  25. IT Audit Manager - (Virginia) (Thread)
  26. Cheap labor seeking security position (Thread)
  27. OTTAWA - Application Security Pre-Sales Engineer - Permanent...
  28. TORONTO - Unix Security Specialist - 1 Year Renewable Contract...
  29. OTTAWA - PKi Product Manager - Permanent Role (Thread)
  30. TORONTO - Security Compliance Manager - 1 Year renewable...

VI. INCIDENTS LIST SUMMARY

  1. Information Needed on Malicious Traffic (Thread)
  2. Possible DOS on Cisco 2651 router? (Thread)
  3. Strange CONNECT entries in apache logs (Thread)
  4. P2P Networking and port 3531 (Thread)
  5. HTTP DDoS attack on our servers (Thread)
  6. Administrivia... (Thread)
  7. New Article: Promises, Promises (Thread)
  8. Article Announcement: Antivirus Concerns in XP and .NET...
  9. SecurityFocus Article Announcement: U.S. Information Security...
  10. Missrouted - once more - what happens? (Thread)
  11. tcp/19150 scans (Thread)
  12. decoyed IPs (Thread)
  13. frontpage extensions; backdoor or initial compromise? (Thread)
  14. DeepSight Extractor 4.1 Release (Thread)
  15. Strange DoS / new halflife server bug? (1st update:worm?)...
  16. Strange DoS / new halflife server bug? (Thread)
  17. Strange missrouted(?) (Thread)
  18. UDP to port 500 (Thread)
  19. Another overflow exploit for Apache? *RESOLVED* (Thread)

VII. VULN-DEV RESEARCH LIST SUMMARY

  1. How vulnerable is a 'Limited" account on XP? (Thread)
  2. Adobe Acrobat and PDF security: no improvements for 2 years...
  3. Red Hat 9: free tickets (Thread)
  4. Generic way to exploit an insecure /tmp file creation - Red...

VIII. MICROSOFT FOCUS LIST SUMMARY

  1. How to generate list of patches installed? (Thread)
  2. FW: Keyboard Locking/Invisible Screensaver (Thread)
  3. Keyboard Locking/Invisible Screensaver (Thread)
  4. investigating misuse of the internet (Thread)
  5. Article Announcement: Antivirus Concerns in XP and .NET...
  6. Administrivia: MS Spam Thread (Thread)
  7. Article Announcement: Can Microsoft End Spam? (Thread)
  8. SecurityFocus Microsoft Newsletter #144 (Thread)
  9. How to block users from installing other apps (Thread)
  10. Article Announcement: Penetration Testing for Web Applications...
  11. Administrivia: Week of July 7, 2003 (Thread)
  12. SP4 Installation Failure (Thread)

IX. SUN FOCUS LIST SUMMARY

  NO NEW POSTS FOR THE WEEK ENDING 07.11.03

X. LINUX FOCUS LIST SUMMARY

  1. Stealthy Linux Key Logger (Thread)
  2. LIDS on production server anyone?? (Thread)

XI. SPONSOR INFORMATION

I. FRONT AND CENTER

1. Linux Firewall-related /proc Entries
By Brian Hatch

This article will discuss Linux kernel variables and the effect they have on network security for your host or firewall. These variables determine the handling of network packets and are independent of any kernel filtering rules.

http://www.securityfocus.com/infocus/1711

2. The Persistence of Hoax
By George Smith

Vmyths.com is fading into the sunset, while the virus hoaxes it steadfastly debunked seem to live on forever.

http://www.securityfocus.com/columnists/172

3. U.S. Information Security Law, Part Four
By Steven Robinson

This is the last article in a four-part series looking at U.S. information security laws and the way those laws affect the work of security professionals. This installment continues the discussion of information security in the public sector and provides an overview of national security law in the United States as it pertains to information security.

http://www.securityfocus.com/infocus/1710

4. The SecurityFocus 4th Anniversary Contest

Only three days left to win a pair of passes to the Black Hat Briefings. Be sure to take a few minutes out of your day to enter the contest.

Please visit the contest page here:
http://www.securityfocus.com/contest

II. BUGTRAQ SUMMARY


1. ProductCart Custva.ASP SQL Injection Vulnerability BugTraq ID: 8103
Remote: Yes
Date Published: Jul 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8103
Summary:

ProductCart is an online e-commerce site that is implemented using ASP.

ProductCart has been reported prone to an SQL injection vulnerability that may be exploited to reveal information relating to the underlying database; other attacks may also be possible.

ProductCart, in some cases, does not sufficiently sanitize user-supplied input, which is used when constructing SQL queries to execute on the underlying database. As a result, it is possible to manipulate SQL queries. This may allow a remote attacker to modify query logic or potentially corrupt the database.

This vulnerability was reported to exist in the Custva.asp script file. A remote attacker can exploit this vulnerability by manipulating the 'Email' URI parameter to modify SQL query logic.

SQL injection attacks may also potentially be used to exploit latent vulnerabilities in the underlying database implementation.

2. ProductCart Login.ASP SQL Injection Vulnerability BugTraq ID: 8105
Remote: Yes
Date Published: Jul 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8105
Summary:

ProductCart is an online e-commerce site that is implemented using ASP.

ProductCart has been reported prone to an SQL injection vulnerability that may be exploited to bypass the ProductCart authentication system and access the ProductCart administration panel; other attacks may also be possible.

ProductCart, in some cases, does not sufficiently sanitize user-supplied input, which is used when constructing SQL queries to execute on the underlying database. As a result, it is possible to manipulate SQL queries. This may allow a remote attacker to modify query logic or potentially corrupt the database.

This vulnerability was reported to exist in the login.asp script file. A remote attacker can exploit this vulnerability by manipulating the 'idadmin' URI parameter to modify SQL query logic.

SQL injection attacks may also potentially be used to exploit latent vulnerabilities in the underlying database implementation.
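The two ProductCart entries above describe one defect: a request parameter spliced into SQL text. The following is an added example, not ProductCart's code and not taken from either advisory. It mocks an admin login check in Python against an in-memory sqlite3 table, once written the vulnerable way and once with bound parameters, so the difference can be run and observed. The table name, column names and credentials are constructed for the demo; the 'idadmin' name only echoes the parameter named in the advisory.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the shop's database: one admin
    account. Table, column and credential values are made up for the demo."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admins (idadmin TEXT NOT NULL, pwd TEXT NOT NULL)")
    con.execute("INSERT INTO admins VALUES ('admin', 's3cret')")
    con.commit()
    return con


def login_vulnerable(con, idadmin, pwd):
    """The defect the advisories describe: request parameters are spliced
    into the SQL text, so a quote character in either value ends the string
    literal and whatever follows is parsed as part of the query."""
    sql = ("SELECT idadmin FROM admins WHERE idadmin = '" + idadmin
           + "' AND pwd = '" + pwd + "'")
    return con.execute(sql).fetchone() is not None


def login_parameterized(con, idadmin, pwd):
    """Hardened form: the query text is fixed and the values are bound as
    parameters, so they are compared as data no matter what they contain."""
    sql = "SELECT idadmin FROM admins WHERE idadmin = ? AND pwd = ?"
    return con.execute(sql, (idadmin, pwd)).fetchone() is not None


def demo():
    """Run both checks with valid, invalid and crafted input."""
    con = make_db()
    # Constructed input: closes the open quote and appends a clause that is
    # always true, turning the WHERE condition into a tautology.
    crafted = "' OR '1'='1"
    return {
        "vulnerable_good_creds": login_vulnerable(con, "admin", "s3cret"),
        "vulnerable_wrong_pwd": login_vulnerable(con, "admin", "wrong"),
        "vulnerable_crafted": login_vulnerable(con, crafted, crafted),
        "parameterized_good_creds": login_parameterized(con, "admin", "s3cret"),
        "parameterized_crafted": login_parameterized(con, crafted, crafted),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", "logged in" if outcome else "rejected")
```

The point of the parameterized form is that the database driver never re-parses the values as SQL; escaping quote characters by hand is a weaker substitute because it has to anticipate every syntax the database accepts. Classic ASP of the same era offers the same separation through ADODB.Command parameters.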

3. Apple Mac OS X Screen Saver Password Prompt Buffer Overflow Vulnerability BugTraq ID: 8106
Remote: No
Date Published: Jul 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8106
Summary:

Apple Mac OS X has a screen saver with a password feature. A buffer overflow vulnerability has been reported for the screen saver that may result in an attacker obtaining access to the vulnerable system.

An attacker can exploit this vulnerability by inputting many characters into the password field prompt and sending it to the vulnerable screen saver.

This will trigger the overflow condition and will result in the screen saver crashing and enable the attacker to access the vulnerable system as the currently logged on user.

It should be noted that an attacker requires physical access to a computer to exploit this issue.

Reports suggest that an attacker supplying an overly long password consisting of about 1368 characters will cause the screen saver to crash.

4. Cerulean Studios Trillian Client Malformed TypingUser Denial Of Service Vulnerability BugTraq ID: 8107
Remote: Yes
Date Published: Jul 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8107
Summary:

Trillian is an instant messaging client that supports a number of protocols (including IRC, ICQ, MSN). It is available for Microsoft Windows systems.

Cerulean Studios Trillian client has been reported prone to a remotely exploitable denial of service vulnerability.

It has been reported that when a vulnerable client receives a malformed 'TypingUser' message, an internal exception will be triggered in the Trillian client and the client will likely fail. The issue has been reported to exist in a function within the msn.dll dynamic link library.

It should be noted that although this issue has been reported to affect both Trillian 1 and 0.74, other versions might also be affected.

5. ProductCart MSG.ASP Cross-Site Scripting Vulnerability BugTraq ID: 8108
Remote: Yes
Date Published: Jul 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8108
Summary:

ProductCart is an online e-commerce site that is implemented using ASP.

A cross-site scripting vulnerability has been reported for ProductCart. The vulnerability exists due to insufficient sanitization of some user-supplied values. Specifically, malicious HTML code is not sanitized from the 'message' URI parameter of the msg.asp script file.

An attacker could exploit this issue to execute arbitrary HTML code in the browser of a remote user who follows a malicious link. Code execution would occur in the context of the vulnerable site.

Exploitation could permit an attacker to steal cookie-based authentication credentials or launch other attacks.

6. Macromedia ColdFusion MX Remote Development Service File Disclosure Vulnerability BugTraq ID: 8109
Remote: Yes
Date Published: Jul 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8109
Summary:

ColdFusion MX is the application server for developing and hosting infrastructure distributed by Macromedia. It is available as a standalone product for Unix, Linux, and Microsoft Operating Systems.

Remote Development Service (RDS) is a way to facilitate secure remote access to ColdFusion MX servers. This service is used by developers to access databases, files and other data sources. By default, the RDS service has SYSTEM level privileges.

A vulnerability has been reported for the RDS service that may allow an attacker to obtain unauthorized access to data residing on a ColdFusion MX server. The vulnerability is due to the way that authentication is done when communicating with a ColdFusion MX server.

Specifically, RDS requires a password to authenticate a remote developer. However, it is possible for a remote user to configure their web site properties to access files residing on the vulnerable server.

Any information obtained in this manner may be used by an attacker to launch further attacks against a vulnerable system.

7. Macromedia ColdFusion MX Remote Development Service Default Null Password Vulnerability BugTraq ID: 8110
Remote: Yes
Date Published: Jul 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8110
Summary:

ColdFusion MX is the application server for developing and hosting infrastructure distributed by Macromedia. It is available as a standalone product for Unix, Linux, and Microsoft Operating Systems.

Remote Development Service (RDS) is a way to facilitate secure remote access to ColdFusion MX servers. This service is used by developers to access databases, files and other data sources. By default, the RDS service has SYSTEM level privileges.

It has been reported that, by default, the RDS service uses a blank password for authentication.

This could allow an unauthenticated user to access the vulnerable ColdFusion MX server.

8. Mirabilis ICQ Password Bypass Weakness BugTraq ID: 8111
Remote: No
Date Published: Jul 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8111
Summary:

Mirabilis ICQ is an instant messenger client for a number of platforms including Microsoft Windows, MacOS and Palm systems.

An issue has been reported for ICQ that may result in an attacker obtaining access to another ICQ user's account.

The issue exists because the ICQ contact window, which is specific to a single user, may be accessed using the EnableWindow API. Through the use of this API, it is possible to access the victim user's ICQ account regardless of existing security measures.

Exploitation of this issue may result in a local user being able to access another local user's ICQ contact information.

9. ProductCart File Disclosure Vulnerability BugTraq ID: 8112
Remote: Yes
Date Published: Jul 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8112
Summary:

ProductCart is an online e-commerce site that is implemented using ASP.

A vulnerability has been reported for ProductCart that may result in an attacker obtaining the contents of the database file.

The vulnerability exists due to insufficient permissions on the database/EIPC.mdb file. It is possible for remote attackers to issue a request for this file which contains sensitive information.

An attacker can use the information obtained from the file to launch other attacks against a vulnerable system.

10. Microsoft Outlook Web Access HTML Attachment Script Execution Vulnerability BugTraq ID: 8113
Remote: Yes
Date Published: Jul 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8113
Summary:

Microsoft Outlook Web Access (OWA) is a component of Microsoft Exchange Server, used to provide a web interface for email.

OWA is web-based and supports HTML e-mail and HTML message attachments. OWA contains a vulnerability that may result in attacker-supplied script code executing within the context of the mail interface when processing e-mail containing HTML message attachments.

In a scenario where HTML message attachments are processed, it is possible to prevent filtering of the attachment. This can be achieved by ensuring that the generated URL, to view an attachment, does not contain the 'Security' URI parameter.

If this parameter does not exist, no filtering will be performed. Unfiltered, the script code will execute if embedded in an HTML email opened by a user.

The script code that executes may perform OWA actions as the user, such as sending or deleting email.

11. Microsoft RunDLL32.EXE Buffer Overflow Vulnerability BugTraq ID: 8114
Remote: No
Date Published: Jul 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8114
Summary:

rundll32.exe is an application, shipped with Microsoft Windows, that is used to execute DLLs as programs; it is also used by many programs to execute functions/methods located in a DLL file.

rundll32.exe has been reported prone to a buffer overflow vulnerability. The condition has been reported to be triggered when an excessive string is passed to the vulnerable application as a routine name for a module.

The issue likely presents itself due to a lack of sufficient bounds checking performed on user-supplied routine name data that is copied into a reserved internal memory buffer. If a malicious user supplies excessive data (>499 bytes) in a manner sufficient to trigger the condition, data greater than the size of the assigned buffer may corrupt adjacent memory. Because adjacent memory has been reported to contain a saved instruction pointer, it is possible for an attacker to influence the execution flow of the vulnerable application and possibly execute arbitrary instructions.

Exploitation of this issue may be hindered, due to the fact that user-supplied data is converted to Unicode.

It should be noted that although this issue has been reported to affect the version of rundll32.exe that is shipped with Windows XP SP1, other versions might also be affected.

This issue has also been reported to affect Windows 2000 systems with service pack 4 installed, under certain circumstances. Specifically, if the excessive data passed to the vulnerable application consists of '%' percentage characters, an attacker may corrupt the instruction pointer for the affected process. Although unconfirmed, it has been conjectured that this behaviour may be due to Unicode formatting.

12. SEMI/WEMI Insecure Temporary File Creation Vulnerability BugTraq ID: 8115
Remote: No
Date Published: Jul 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8115
Summary:

SEMI is a library used to add MIME features to Emacs. WEMI is a branch of the SEMI package using widgets.

SEMI/WEMI have been reported prone to an insecure temporary file creation vulnerability. As a result, it may be possible for local attackers to corrupt files owned by the user who is invoking a version of Emacs that is linked to the vulnerable library.

An attacker could potentially exploit this issue by creating a symbolic link in place of the temporary file that is created by the affected application. Any actions performed by the vulnerable application when it is executed will be performed on the linked file.

It should be noted that the impact of this vulnerability might be exaggerated by the fact that attackers may potentially influence content that will be added to the target file.

13. X-Face-EL Insecure Temporary File Creation Vulnerability BugTraq ID: 8116
Remote: No
Date Published: Jul 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8116
Summary:

x-face-el is a decoder for Emacs that decodes images that are included inline in X-Face email headers.

x-face-el has been reported prone to an insecure temporary file creation vulnerability. As a result, it may be possible for local attackers to corrupt files owned by the user who is invoking Emacs and x-face-el.

An attacker could potentially exploit this issue by creating a symbolic link in place of the temporary file that is created by the affected application. Any actions performed by the vulnerable application when it is executed will be performed on the linked file.

It should be noted that the impact of this vulnerability might be exaggerated by the fact that attackers may potentially influence content that will be added to the target file.

14. IglooFTP PRO Multiple Buffer Overflow Vulnerabilities BugTraq ID: 8117
Remote: Yes
Date Published: Jul 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8117
Summary:

IglooFTP PRO is an FTP client that is designed for Linux and Microsoft Windows platforms.

IglooFTP PRO for Windows platforms has been reported prone to multiple buffer overrun vulnerabilities.

The issue likely presents itself due to a lack of sufficient bounds checking performed on data that is later copied into a reserved internal memory buffer. If an attacker supplies excessive data (>=1028 bytes) in a manner sufficient to trigger the condition, data greater than the size of the assigned buffer may corrupt adjacent memory. Because adjacent memory has been reported to contain a saved instruction pointer, it is possible for an attacker to influence the execution flow of the vulnerable FTP client and execute arbitrary instructions.

Remote arbitrary code execution has been confirmed.

It should be noted that although this vulnerability has been reported to affect IglooFTP PRO version 3.8 for Windows platforms, other versions might also be affected.

15. GKrellM Mailwatch Plugin From Header Remote Buffer Overflow Vulnerability BugTraq ID: 8118
Remote: Yes
Date Published: Jul 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8118
Summary:

GKrellM is the GTK Monitors suite. It is available for the Linux platform.

It has been reported that the Mailwatch plugin for GKrellM is vulnerable to a remotely exploitable buffer overflow. This may permit the execution of arbitrary code with the privileges of the GKrellM program.

The problem is in the handling of long strings contained in the From header of e-mails. By sending an e-mail with a From header that contains 558 or more characters as the e-mail user name to a user of GKrellM with the Mailwatch plugin, it is possible to overwrite sensitive process memory. This vulnerability could be exploited to execute arbitrary instructions on behalf of the attacker.

16. CPanel Admin Interface HTML Injection Vulnerability BugTraq ID: 8119
Remote: Yes
Date Published: Jul 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8119
Summary:

cPanel is a multi-platform web hosting control panel that allows a user to manage their hosted account through a web-based interface. It is available for Unix and Linux variants.

cPanel is prone to an HTML injection vulnerability. It is possible for remote attackers to include hostile HTML and script code in requests to cPanel, which will be logged. When logs are viewed by an administrative user, the injected code could be rendered in their browser in the context of the site hosting cPanel. HTML may be injected into the 'Error Log' and 'Latest Visitors' pages. This is due to insufficient sanitization of HTML and script code when logging client requests.

Exploitation of this issue could permit theft of administrative cookie-based authentication credentials. The attacker will also be able to exert control over how affected pages are rendered, which could permit log spoofing or other attacks.
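The cPanel entry above is a log-injection issue: request data is stored verbatim and later rendered into an administrator's browser. As an added example, not cPanel's code and not taken from the advisory, here is a Python parser for common-log-format lines that renders each field HTML-escaped at output time, beside the raw rendering that reproduces the defect, plus a check that flags entries carrying tag-like text before anyone opens the log viewer. The three log lines, hosts, paths and timestamps are constructed for the demo.

```python
import html
import re

# Three constructed common-log-format lines. The second carries the kind of
# request the advisory describes: markup that a raw log viewer would hand to
# the browser as live HTML.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Jul/2003:10:15:01 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.11 - - [07/Jul/2003:10:15:07 +0000] "GET /<script>alert(1)</script> HTTP/1.0" 404 210
192.0.2.12 - - [07/Jul/2003:10:15:09 +0000] "GET /about.html HTTP/1.0" 200 512
"""

CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Anything that looks like the start of an HTML tag, opening or closing.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")

FIELDS = ("host", "time", "request", "status")


def parse_clf(line):
    """Split one common-log-format line into its raw, unescaped fields."""
    m = CLF_RE.match(line)
    if m is None:
        raise ValueError("not a common-log-format line: %r" % line)
    return m.groupdict()


def render_row_unsafe(entry):
    """The defect: fields are dropped into the page as-is, so markup inside
    the request line becomes live HTML in the administrator's browser."""
    return "<tr>" + "".join("<td>%s</td>" % entry[k] for k in FIELDS) + "</tr>"


def render_row_safe(entry):
    """Hardened form: every field is HTML-escaped at output time, so the
    browser displays the logged text instead of interpreting it."""
    return "<tr>" + "".join(
        "<td>%s</td>" % html.escape(entry[k], quote=True) for k in FIELDS
    ) + "</tr>"


def flag_markup(lines):
    """Detection pass: indexes of lines whose request field contains
    something tag-like. Worth reviewing before the log is rendered."""
    return [i for i, line in enumerate(lines)
            if TAG_RE.search(parse_clf(line)["request"])]


def demo(raw=SAMPLE_LOG):
    """Parse the sample, render it both ways and report what got through."""
    lines = raw.splitlines()
    entries = [parse_clf(line) for line in lines]
    return {
        "flagged": flag_markup(lines),
        "unsafe_has_live_tag": any("<script>" in render_row_unsafe(e) for e in entries),
        "safe_has_live_tag": any("<script>" in render_row_safe(e) for e in entries),
        "safe_rows": [render_row_safe(e) for e in entries],
    }


if __name__ == "__main__":
    result = demo()
    print("lines with markup:", result["flagged"])
    for row in result["safe_rows"]:
        print(row)
```

Escaping belongs at the rendering step, not at logging time: the log should keep what the client actually sent (it is evidence), and the viewer is the place where the context, here HTML, is known.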

17. MyServer Malformed URI Denial Of Service Vulnerability BugTraq ID: 8120
Remote: Yes
Date Published: Jul 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8120
Summary:

MyServer is a web server implementation for a number of platforms, including Microsoft Windows operating systems and Linux.

MyServer has been reported to be prone to denial of service attacks when handling certain malformed URIs. This issue may be due to a flaw in the CGI parser, causing the server to crash when some invalid CGI parameters are supplied. This could be exploited to deny availability of web services to legitimate users.

This issue was reported in myServer 0.4.2 on Microsoft Windows platforms. Other versions may also be affected.

18. Canon GP300 Remote Malformed HTTP Get Denial Of Service Vulnerability BugTraq ID: 8121
Remote: Yes
Date Published: Jul 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8121
Summary:

The GP-300 is a printer and photocopier combination server. It is distributed and maintained by Canon.

A problem in the Canon GP-300 has been reported in the handling of some types of web requests. This issue could result in the denial of service to legitimate users of the print server.

The problem is in the handling of HTTP GET requests. When a malformed HTTP GET request is issued to the HTTP server deployed on GP-300 servers, the system reportedly becomes unstable and crashes. A reboot of the system is required to resume normal operation of the print server.

This problem has been reported to occur when the server is used in conjunction with WebSpooler v4.5.062.

19. Mini-Webserver Information Disclosure Vulnerability BugTraq ID: 8122
Remote: Yes
Date Published: Jul 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8122
Summary:

Mini-Webserver is a free web server implementation. It is available for Microsoft Windows operating systems.

It has been alleged that Mini-Webserver fails to adequately protect the contents of some directories installed by the server, such as 'Auth' and 'security'. It is possible for remote users to request files from these directories. This could expose sensitive information stored in these directories to remote attackers.

This issue could be related to web server configuration.

20. BillingExplorer Multiple Remote Client Communication Integrity Vulnerabilities BugTraq ID: 8123
Remote: Yes
Date Published: Jul 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8123
Summary:

BillingExplorer is a commercially-available billing software package. It is available for the Microsoft Windows platform.

It has been reported that BillingExplorer does not properly handle some types of requests. Because of this, it is possible for a remote attacker to violate the integrity of billing and client communication.

The following issues have been identified:

It is possible to deny service to a legitimate client without knowing the login information for the target client. This can be done by way of shutting down, restarting, or logging off the vulnerable client.

It is also possible to violate the integrity of billing information by sending a maliciously crafted request to the server. One can reset the timing tracked by the billing server to alter the total time charged by the server.

Other similar issues may also exist.

21. Liece Insecure Temporary File Creation Vulnerability BugTraq ID: 8124
Remote: No
Date Published: Jul 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8124
Summary:

Liece is an Internet Relay Chat client for Emacs.

It has been reported that liece does not create temporary files in a secure manner. As a result of this, a malicious user may be able to corrupt arbitrary files in the security context of the user running liece. It may be possible for the attacker to specify the data to be written, however, this has not been confirmed. If the attacker can cause custom data to be written, it may be possible to elevate privileges.

Specific details are not currently available for this vulnerability. This BID will be updated as more information becomes available.
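The SEMI/WEMI, x-face-el and Liece entries above all describe the same pattern: a temporary file created under a predictable name and opened without excluding a pre-existing path, so a symlink planted at that name redirects the write into a file the victim owns. The following is an added example, not code from any of those packages, that stages the scenario in Python inside a throwaway directory: the plain open() follows the planted link and overwrites the target, the O_CREAT|O_EXCL open refuses it, and tempfile.mkstemp shows the idiomatic fix. All paths and file contents are constructed.

```python
import os
import shutil
import tempfile


def write_report_unsafe(path, data):
    """The defect the advisories describe: a fixed, predictable name opened
    with a plain open(). If another local user has already placed a symlink
    at `path`, the write follows the link and lands in its target."""
    with open(path, "w") as fh:
        fh.write(data)


def write_report_safe(path, data):
    """Create-only open. O_CREAT|O_EXCL makes open() fail if anything at all,
    a symlink included, already exists at `path`, so a planted link is never
    followed; mode 0o600 keeps the new file private to its owner."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def demo():
    """Run both writers against a pre-planted symlink in a scratch directory
    and report what happened. Everything here is constructed for the demo."""
    sandbox = tempfile.mkdtemp(prefix="tmpfile-demo-")
    try:
        victim = os.path.join(sandbox, "victim.txt")      # a file the user owns
        predictable = os.path.join(sandbox, "app.tmp")    # the name the app always uses
        with open(victim, "w") as fh:
            fh.write("original contents\n")
        os.symlink(victim, predictable)  # the planted link the advisories describe

        # 1. Predictable name + plain open(): the victim file is overwritten.
        write_report_unsafe(predictable, "data chosen by someone else\n")
        with open(victim) as fh:
            clobbered = fh.read() == "data chosen by someone else\n"

        # 2. O_EXCL open on the same path: refused, nothing is written.
        refused = False
        try:
            write_report_safe(predictable, "report\n")
        except FileExistsError:
            refused = True

        # 3. The idiomatic fix: mkstemp picks an unpredictable name and opens
        #    it with O_EXCL and mode 0600 in a single step.
        fd, fresh = tempfile.mkstemp(prefix="app-", dir=sandbox)
        os.close(fd)
        private = (os.stat(fresh).st_mode & 0o777) == 0o600

        return {
            "unsafe_clobbered_victim": clobbered,
            "safe_refused_symlink": refused,
            "mkstemp_private_mode": private,
            "mkstemp_name_differs": os.path.basename(fresh) != "app.tmp",
        }
    finally:
        shutil.rmtree(sandbox)


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The two halves of the fix matter separately: O_EXCL defeats a link planted before the open, and an unpredictable name keeps a local user from guessing where to plant one in the first place. A check-then-open sequence (stat, then open) does not substitute for either, since the link can appear between the two calls.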

22. Mozart Unsafe Mailcap Configuration Vulnerability BugTraq ID: 8125
Remote: Yes
Date Published: Jul 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8125
Summary:

Mozart is a development platform that is based on the Oz language.

When Mozart is installed on the local system, an entry is added to the mailcap configuration file. This file is used to provide information to MIME-aware client applications regarding how to handle certain filetypes. The Mozart package specifies that any Oz filetypes are to be passed to the Oz interpreter for execution. As a result, any client browsing a web page or reading an e-mail message may potentially be forced to execute arbitrary Oz scripts. This could result in execution of malicious code.

23. Microsoft Windows CreateFile API Named Pipe Privilege Escalation Vulnerability BugTraq ID: 8128
Remote: No
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8128
Summary:

A problem in Microsoft Windows 2000 may make it possible for a local user to gain elevated privileges.

It has been reported that Microsoft Windows does not properly handle named pipes. Because of this, an attacker may be able to gain access to the SYSTEM account.

The problem is in the access control mechanism of CreateFile API. There is no means of limiting what types of files are manipulated through the CreateFile call, allowing one to exploit this call to potentially perform nefarious activities.

Problems with the implementation of named pipes are a well-known issue in Microsoft Windows, and papers already exist detailing them. This problem may also be the root cause of other known vulnerabilities in Microsoft Windows packages. Bugtraq IDs 3185 and 8098 are examples of other named pipe problems that may be related, though there is currently no information available confirming this.

24. Laforge Groups Forum51 Information Disclosure Vulnerability BugTraq ID: 8126
Remote: Yes
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8126
Summary:

Forum51 is a Web-based forum system.

Forum51 stores usernames and password hashes in a file called user.idx, located in the forumdata/data directory by default. Read access to this file is not restricted, allowing any user with a Web browser to retrieve it. This would disclose the usernames and MD5 password hashes of all users registered on the forum.

This issue is similar to BIDs 8127 and 8129.

25. Laforge Groups Board51 Information Disclosure Vulnerability BugTraq ID: 8127
Remote: Yes
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8127
Summary:

Board51 is a Web-based message board system.

Board51 stores usernames and password hashes in a file called user.idx, located in the forumdata/data directory by default. Read access to this file is not restricted, allowing any user with a Web browser to retrieve it. This would disclose the usernames and MD5 password hashes of all users registered on the message board.

This issue is similar to BIDs 8126 and 8129.

26. Laforge Groups News51 Information Disclosure Vulnerability BugTraq ID: 8129
Remote: Yes
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8129
Summary:

News51 is a Web-based news board system.

News51 stores usernames and password hashes in a file called user.idx, located in the forumdata/data directory by default. Read access to this file is not restricted, allowing any user with a Web browser to retrieve it. This would disclose the usernames and MD5 password hashes of all users with privileges to post on the news board.

This issue is similar to BIDs 8126 and 8127.

27. Tower Toppler HOME Environment Variable Local Buffer Overflow Vulnerability BugTraq ID: 8132
Remote: No
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8132
Summary:

Tower Toppler is a freely available, open source game for Linux and Microsoft operating systems.

A problem with the software may make elevation of privileges possible.

It has been reported that a buffer overflow exists in Tower Toppler. A local user may be able to exploit this issue to execute code with the privileges of the toppler program.

In some configurations, Toppler may be installed with setgid games privileges. Exploitation of this vulnerability could give the attacker group privileges of games.

28. Anope Services OperServ Raw Join Denial Of Service Vulnerability BugTraq ID: 8130
Remote: Yes
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8130
Summary:

Anope Services is an IRC implementation for Unix/Linux variants.

It is reported Anope Services may crash under some circumstances when a client sends a raw message to operserv. This may occur when a raw message is used when requesting to join a channel. This will allegedly cause the server to segfault, resulting in a potential denial of service. It is not known if this condition could be exploited to corrupt memory and execute arbitrary code.

The vulnerability is reported to exist in the do_raw() function, which exists in the 'operserv.c' source file. It should be noted that other IRC daemon implementations may be similarly affected, especially in cases where raw message code is shared with other implementations or derived from the same source.

This issue appears similar to BID 8131, but is being assigned a separate BID because it does not appear that Anope Services shares the same vulnerable code with UnrealIRCD.

29. UnrealIRCD OperServ Raw Join Denial Of Service Vulnerability BugTraq ID: 8131
Remote: Yes
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8131
Summary:

UnrealIRCD is an IRC implementation that is available for a number of platforms including Linux/Unix variants and Microsoft Windows operating systems.

It is reported UnrealIRCD may crash under some circumstances when a client sends a raw message to operserv. This may occur when a raw message is used when requesting to join a channel. This will allegedly cause the server to segfault, resulting in a potential denial of service. It is not known if this condition could be exploited to corrupt memory and execute arbitrary code.

The vulnerability is reported to exist in the m_join() function, which is included in the 's_user.c' source file. It should be noted that other IRC daemon implementations may be similarly affected, especially in cases where raw message code is shared with other implementations or derived from the same source.

This issue is similar to BID 8130, but is being assigned a separate BID because it does not appear that Anope Services shares the same vulnerable code with UnrealIRCD.

30. Macromedia Apache Web Server Encoded Space Source Disclosure Vulnerability BugTraq ID: 8136
Remote: Yes
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8136
Summary:

ColdFusion and JRun are web application delivery software packages available for the Unix, Linux, and Microsoft Windows platforms.

It has been reported that an issue exists in Macromedia ColdFusion and JRun that could allow an attacker to gain unauthorized access to potentially sensitive information. This may result in an attacker gaining access to system resources.

The problem is the disclosure of sensitive information contained in ColdFusion templates and JavaServer Pages. By sending a request whose path ends in an encoded space (%20) to the Apache Web Server packaged with ColdFusion MX and/or JRun, an attacker can view the source of the web scripts hosted on the system instead of their rendered output.

It should be noted that this problem affects ColdFusion and JRun only on the Microsoft Windows platforms.
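The advisory gives no root cause, but the Windows-only scope is the usual signature of one class of bug: the Win32 filesystem layer ignores trailing spaces and dots in a file name, so a request for `index.cfm ` fails the handler's `.cfm` extension match (and is served as a static file) while the filesystem still opens `index.cfm`. The following added example (not code from the advisory, Apache, or Macromedia) models that mismatch and the corresponding server-side fix: canonicalize the decoded path before choosing a handler. The extension mapping and the assumed root cause are assumptions for the example; the check generalizes from the encoded space on the page to trailing dots as well.

```python
import posixpath
from urllib.parse import unquote

# Extensions routed to the application server (CFML / JSP engine) rather than
# served as static files. Assumed mapping for the example.
SCRIPT_EXTENSIONS = {".cfm", ".cfml", ".jsp"}


def win32_canonical_name(name):
    """Assumed root cause for this class of bug: the Win32 filesystem layer
    ignores trailing spaces and dots in a file name, so 'index.cfm ' and
    'index.cfm...' both open index.cfm."""
    return name.rstrip(" .")


def extension(name):
    """Extension including the dot, lower-cased; '' if there is none."""
    i = name.rfind(".")
    return name[i:].lower() if i > 0 else ""


def requested_name(request_path):
    """Final path component as the handler mapping sees it: URL-decoded but
    not trimmed, so a trailing space survives into the extension check."""
    return posixpath.basename(unquote(request_path))


def is_handler_bypass(request_path):
    """True when the extension the handler mapping sees differs from the one
    the filesystem will actually open, and the real file is a script: the
    request falls through to the static-file handler and leaks the source."""
    seen_by_handler = extension(requested_name(request_path))
    opened_by_fs = extension(win32_canonical_name(requested_name(request_path)))
    return opened_by_fs in SCRIPT_EXTENSIONS and seen_by_handler != opened_by_fs


def canonical_request_path(request_path):
    """Server-side fix: decode and canonicalize *before* choosing a handler,
    so '/app/index.cfm%20' is dispatched exactly like '/app/index.cfm'."""
    decoded = unquote(request_path)
    head, _, name = decoded.rpartition("/")
    return f"{head}/{win32_canonical_name(name)}"


if __name__ == "__main__":
    for path in ("/index.cfm", "/index.cfm%20", "/app/page.jsp.", "/img/logo.png%20"):
        print(f"{path:22} bypass={is_handler_bypass(path)} -> {canonical_request_path(path)}")
```

Any other transformation the filesystem applies after the handler decision (8.3 short names, case folding, alternate data streams) belongs in the same canonicalization step.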

31. Apache Web Server SSLCipherSuite Weak CipherSuite Renegotiation Weakness BugTraq ID: 8134
Remote: Yes
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8134
Summary:

Apache provides directives for supplying cipher suite specifications for SSL transactions. The cipher suite is negotiated with the client during the SSL handshake. These directives may be used in a per-directory or per-server context.

The Apache Software Foundation has reported an issue that may occur when the SSLCipherSuite directive is used to upgrade a cipher suite. Particular sequences of per-directory renegotiations may cause a weaker cipher suite to be used in place of the upgraded one.

If this issue were to occur, the known weaknesses of the weaker cipher suite would apply to the connection. This could threaten the integrity of SSL transactions negotiated between a vulnerable server and the client, and could provide an opportunity for passive attackers in a position to observe such a transaction.

Further technical details are not available at the time of writing. This BID will be updated appropriately when additional technical information becomes available.

32. Apache Web Server Prefork MPM Denial Of Service Vulnerability BugTraq ID: 8137
Remote: Yes
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8137
Summary:

Apache is a freely available web server. It is available for a variety of platforms including the Unix, Linux and Microsoft Windows operating systems.

Apache may be run as a non-threaded, pre-forking server via the prefork MPM (Multi-Processing Module).

The Apache Software Foundation has reported a vulnerability in the prefork MPM that could result in a temporary denial of service condition. This condition is known to occur when an accept() call on a rarely accessed port returns certain errors.

Further technical details are not available at the time of writing. This BID will be updated appropriately when additional technical information becomes available.

33. Apache Web Server Type-Map Recursive Loop Denial Of Service Vulnerability BugTraq ID: 8138
Remote: No
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8138
Summary:

Apache is a freely available web server. It is available for a variety of platforms including the Unix, Linux and Microsoft Windows operating systems.

Apache's content negotiation functionality is reported to be prone to a denial of service vulnerability.

The issue may present itself if an attacker has the ability to create a malicious type-map file. The attacker may craft the type-map file in a manner sufficient to cause the vulnerable server to fall into an infinite loop. It has been reported that the Apache server will consume resources exponentially in such circumstances, effectively denying service to other legitimate system users.

34. Apache Web Server FTP Proxy IPV6 Denial Of Service Vulnerability BugTraq ID: 8135
Remote: Yes
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8135
Summary:

Apache is a freely available web server. It is available for a variety of platforms including the Unix, Linux and Microsoft Windows operating systems.

A denial of service vulnerability has been reported by the vendor to affect the FTP proxy component of Apache. It has been reported that an attacker may specify a target server that possesses an IPv6 address. This may result in a denial of service to other legitimate users. The issue reportedly presents itself because the proxy server fails to create an IPv6 socket.

Explicit technical details regarding this vulnerability are not currently known, this BID will be updated as further details are disclosed.

35. Rockliffe Mailsite Attachment Disclosure Vulnerability BugTraq ID: 8133
Remote: Yes
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8133
Summary:

Rockliffe Mailsite is an application designed to provide an HTTP interface to POP3 mailboxes. Users may connect to the site running Rockliffe Mailsite Express and view messages and attachments sent to their account.

When attachments are received by the software, they are stored on-site in a cache directory with a randomly generated name. Because these files have no explicit access restrictions, if an attacker is able to learn the path name of the stored files, it is possible to issue a request for the file directly. This may allow the attacker to retrieve these files without supplying necessary credentials for accessing the target mailbox.

36. Knoppix QT Insecure Temporary File Creation Vulnerability BugTraq ID: 8139
Remote: No
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8139
Summary:

Knoppix is a freely available, open source Linux operating system.

A problem has been identified in Knoppix that may allow an attacker to exploit the insecure creation of a temporary file. This could result in a denial of service, and potentially an elevation of privileges.

The problem is in the handling of temporary files when the QT libraries are invoked. KDE is installed by default with Knoppix, and when the window manager invokes the QT libraries, the libraries create files with the predictable names qt_plugins_3.0rc and qt_plugins_3.0rc.lock, both with the privileges of the root user.

This problem may affect previous versions of the software.
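Both this entry and the liece entry above are the same class of bug: a privileged process opens a file at a predictable name without checking whether something already exists there, so a local attacker who plants a symlink at that name first redirects the write into a file of their choosing. The following added example (not code from either advisory, Knoppix, QT or liece) stages that attack in a scratch directory and shows the two standard fixes: open with O_CREAT|O_EXCL (plus O_NOFOLLOW) so a pre-existing name fails instead of being followed, or let `mkstemp` pick an unpredictable name. The victim file and the reuse of the name `qt_plugins_3.0rc` are constructed for the demonstration.

```python
import os
import tempfile


def vulnerable_write(path, data):
    """The pattern behind both advisories: open(path, "w") creates or
    truncates whatever `path` resolves to. If another user pre-created `path`
    as a symlink, the write lands in the symlink's target with this process's
    privileges (root, in the KDE/QT case described above)."""
    with open(path, "w") as f:
        f.write(data)


def safe_write(path, data):
    """O_CREAT|O_EXCL fails if anything (file, symlink, even a dangling
    symlink) already exists at `path`; O_NOFOLLOW refuses to follow a symlink
    in the final component; mode 0o600 keeps the file private to the owner."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def safe_unique_write(directory, prefix, data):
    """When the name itself need not be fixed, let the library pick an
    unpredictable one: mkstemp opens with O_CREAT|O_EXCL and mode 0o600."""
    fd, path = tempfile.mkstemp(prefix=prefix, dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Stage the attack in a scratch directory (constructed, not a real
    target). Returns (victim contents after the vulnerable write, whether
    safe_write refused the planted symlink, whether the mkstemp file is
    private to its owner)."""
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.txt")
        with open(victim, "w") as f:
            f.write("original\n")

        # Attacker guesses the predictable name and plants a symlink first.
        predictable = os.path.join(scratch, "qt_plugins_3.0rc")
        os.symlink(victim, predictable)

        # The naive open follows the symlink and clobbers the victim.
        vulnerable_write(predictable, "attacker-controlled\n")
        with open(victim) as f:
            clobbered = f.read()

        # The hardened open sees that the name already exists and refuses.
        refused = False
        try:
            safe_write(predictable, "attacker-controlled\n")
        except FileExistsError:
            refused = True

        unique = safe_unique_write(scratch, "qt_plugins_", "ok\n")
        private = (os.stat(unique).st_mode & 0o777) == 0o600
        return clobbered, refused, private


if __name__ == "__main__":
    print(demo())
```

Note that a lock file with a fixed name (the `.lock` variant above) cannot use `mkstemp`; it needs the O_EXCL form, and the directory it lives in should not be writable by other users.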

37. Novell iChain Server Multiple Vulnerabilities BugTraq ID: 8140
Remote: Yes
Date Published: Jul 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8140
Summary:

Novell iChain Server is a web-based security product designed to implement and maintain various network-based access controls.

Novell has reported that multiple vulnerabilities exist in Novell iChain Server 2.2 versions prior to Support Pack 1. The following vulnerabilities were reported:

Inadequate checks on redirect information in URLs could be exploited to cause clients to be redirected to malicious websites. Novell has released updates which address this issue by checking that redirect information in URLs matches an accelerator DNS name.

When attempting to authenticate as a non-existent user, the timeout is shorter than when attempting to authenticate as a valid user with an incorrect password. By gauging the response time, it is possible to enumerate valid usernames. This could aid in attacks which attempt to compromise accounts.

This BID will be separated into individual entries when further analysis of these issues is complete.
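The two issues above have standard fixes that are easy to get subtly wrong, so the following added example (not code from the advisory or from Novell) shows both: a redirect-target check that accepts only same-site paths or absolute URLs whose host is exactly the configured accelerator name, rejecting the usual bypasses (scheme-relative `//host`, backslashes, `host@evil`, `host.evil`, CRLF), and a password check that does the same amount of work whether or not the user exists, so the unknown-user path cannot be told apart by timing. The accelerator name, the user store format and the PBKDF2 parameters are assumptions for the example; iChain's own configuration and credential store are not shown on this page.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit

# Hypothetical accelerator DNS name; iChain's actual configuration is not
# shown in the advisory.
ACCELERATOR = "www.example.com"


def is_safe_redirect(target, accelerator=ACCELERATOR):
    """Accept a redirect target only if it is a path on this site or an
    absolute http(s) URL whose host is exactly the accelerator DNS name."""
    if not target or "\r" in target or "\n" in target:
        return False  # CRLF would let the target inject response headers
    target = target.replace("\\", "/")  # browsers treat '\' as '/'
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative reference: must be an absolute path, and not '//host'
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, etc.
    # hostname strips userinfo and port, so 'host@evil' and 'host.evil' fail
    return (parts.hostname or "") == accelerator.lower()


# --- username-enumeration-resistant password check ------------------------

_ITERATIONS = 50_000  # assumed work factor for the example


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user_store(credentials):
    """Constructed store: username -> (salt, hash). Not iChain's format."""
    store = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        store[user] = (salt, _derive(password, salt))
    return store


# A dummy record used for unknown users so the expensive derivation and the
# comparison are always performed, whatever the username.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _derive("unused-dummy-password", _DUMMY_SALT)


def verify_password(store, username, password):
    """Do the same work whether or not the user exists: the 'no such user'
    path must not return faster than the 'wrong password' path."""
    salt, stored = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _derive(password, salt)
    match = hmac.compare_digest(candidate, stored)
    return match and username in store


if __name__ == "__main__":
    store = make_user_store({"alice": "correct horse"})
    for user in ("alice", "nobody"):
        print(user, verify_password(store, user, "wrong"))
    for t in ("/account", "//evil.example.net/", "http://www.example.com@evil.example.net/"):
        print(t, is_safe_redirect(t))
```

Timing equalization only covers the server's own work; any lookup against a directory or remote authentication source that short-circuits on an unknown user reintroduces the difference and must be handled the same way.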

38. ZKFingerD Multiple Format String Vulnerabilities BugTraq ID: 8142
Remote: Yes
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8142
Summary:

zkfingerd is a freely available, open source implementation of the Finger protocol (RFC 1288). It is available for the Unix and Linux operating systems.

A problem in zkfingerd may make it possible for a remote user to launch a format string attack against the daemon. This may result in an attacker gaining unauthorized access to system resources.

The problem is in the 'die.c' source file. Two instances of format string vulnerabilities exist in the file that may allow an attacker to write to arbitrary process memory and potentially execute code. Any code executed through this vulnerability could potentially be carried out with the privileges of the zkfingerd process.