
SecurityFocus Newsletter # 209

From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon Aug 11 2003 - 15:44:05 EDT

Precisely Define and Implement Network Security and Performance Policies
Integrated Intrusion Prevention and Traffic Shaping to:

  • Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
  • Automatically Control P2P, IM and Spam Traffic
  • Ensure Reliable Performance of Mission Critical Applications

**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo

http://www.securityfocus.com/sponsor/CaptusNetworks_sf-news_030811



I. FRONT AND CENTER
  1. The Lingering Ghost of Slammer
  2. Blogs: Another Tool in the Security Pro's Toolkit (Part Two)
  3. Demonstrating ROI for Penetration Testing (Part Two)

II. BUGTRAQ SUMMARY

  1. Multiple Atari800 Emulator Local Buffer Overflow Vulnerabili...
  2. Cisco IOS UDP Echo Service Memory Disclosure Vulnerability
  3. RAV AntiVirus Online Virus Scan Ravupdt.DLL ActiveX Control ...
  4. Novell GroupWise Wireless Webaccess Insecure Logged Password...
  5. IISShield Unspecified Scan Bypass Vulnerability
  6. Hassan Consulting Shopping Cart Multiple Vulnerabilities
  7. CDRTools RSCSI Debug File Arbitrary Local File Manipulation ...
  8. Symantec Norton AntiVirus Device Driver Memory Overwrite Vul...
  9. Linux Netfilter NAT Remote Denial of Service Vulnerability
  10. Netfilter Connection Tracking Denial of Service Vulnerabilit...
  11. mindi Temporary File Creation Vulnerabilities
  12. Multiple Postfix Denial of Service Vulnerabilities
  13. Counterpane Password Safe Clipboard Data Recovery Vulnerabil...
  14. Invision Board Overlapping IBF Formatting Tag HTML Injection...
  15. HP Compaq Insight Management Agent Format String Vulnerabili...
  16. Xtokkaetama Nickname Local Buffer Overflow Vulnerability
  17. Macromedia Dreamweaver MX PHP User Authentication Suite Cros...
  18. NetBSD Kernel OSI Packet Handler Remote Denial Of Service Vu...
  19. Man-db DEFINE Arbitrary Command Execution Vulnerability
  20. ZoneAlarm Local Device Driver IO Control Code Execution Vuln...
  21. EveryBuddy Long Message Denial Of Service Vulnerability
  22. IBM DB2 db2job File Overwrite Vulnerability
  23. FreezingCold Software aspBoard URL HTML Injection Vulnerabil...
  24. IBM DB2 Shared Library Injection Vulnerability
  25. TightVNC Win32 Server QueryAllowNoPass Access Control Bypass...
  26. gURLChecker HTML Parser Denial Of Service Vulnerability
  27. Webware WebKit Cookie String Command Execution Vulnerability
  28. ERoaster Local Insecure Temporary File Creation Vulnerabilit...
  29. Sun Microsystems ONE Application Server Java Server Page Sou...
  30. ManDB Compressor Binary Substitution Vulnerability
  31. JSCI SSO URI Pattern Matching Access Validation Vulnerabilit...
  32. vBulletin Register.PHP HTML Injection Vulnerability
  33. D-Link DI-704P Long URL Denial Of Service Vulnerability
  34. 121 Software 121 WAM! FTP Server Directory Traversal Vulnera...
  35. Bea WebLogic/Liquid Data Multiple Cross-Site Scripting Vulne...
  36. Cisco Content Service Switch ONDM Ping Failure Denial Of Ser...
  37. Lotus Sametime Multiple Encryption Implementation Flaw Vulne...
  38. IdealBB Error.ASP Cross-Site Scripting Vulnerability
  39. Postfix Connection Proxying Vulnerability
  40. Postfix SMTP Malformed E-mail Envelope Address Denial of Ser...
  41. MiniHTTPServer WebForums Server Null Default Password Vulner...
  42. VMware Workstation For Linux File Deletion Vulnerability
  43. IPNetSentryX / IPNetMonitorX Unauthorized Network Reconnaiss...
  44. TCPflow Format String Vulnerability

III. SECURITYFOCUS NEWS ARTICLES

  1. NSA Proposes Backdoor Detection Center
  2. Appeal in bug disclosure case
  3. Official: Cyberterror fears missed real threat
  4. Habeas cans spammer
  5. Security spending to hit $13.5bn by 2006
  6. Security spending to hit $13.5bn by 2006

IV. SECURITYFOCUS TOP 6 TOOLS

  1. AIM Sniff v0.1.2
  2. FIAIF is an Intelligent Firewall v1.16.0
  3. FirePay v0.9.2
  4. Antinat v0.61
  5. Webanalyse v1.13
  6. ngrep v1.41

V. SECURITYJOBS LIST SUMMARY

  1. Security analyst and experienced network engineer se... (Thread)
  2. Senior Security Engineer wanted Miami/Fort Lauderdal... (Thread)
  3. InfoSec Ninj4 Wanted (Thread)
  4. Security Professional with Auditing or Certification... (Thread)
  5. Checkpoint Network Security Consultant needed (Thread)
  6. LURHQ is hiring! (Thread)
  7. Firewall Security Expert (Thread)
  8. Channel Sales Manager, Germany (Thread)
  9. Security Professional openings (2) in Jax, Fl (Thread)
  10. Security Professional Needed (Thread)
  11. Security Systems Administrator/Architect - Redwood C... (Thread)
  12. Senior Product Manager, SF Bay Area (Thread)
  13. Strategic Business Development Manager - #798JA - S... (Thread)
  14. Request for Job Postings...Job descriptions included... (Thread)
  15. Security Researcher/Signature Developer needed (Thread)
  16. IDS / IPS and Network Security Professional looking ... (Thread)
  17. Multiple Positions - St. Louis - Software Security D... (Thread)
  18. Audit (Thread)
  19. Web-based Application Security Engineer (Thread)
  20. Security Product Line Manager - New Jersey (Thread)
  21. Director of Sales & Marketing - Zurich (Thread)
  22. VP Microsoft Security Architecture - NYC Financial ... (Thread)
  23. Spam slipped through - DMR (Thread)
  24. URGENT REQUIREMENT - Sr. IDS Manager, Bethesda, MD (Thread)
  25. Kidnap & Ransom, Security Consulting (Thread)
  26. Senior Product Manager- Sunnyvale, CA (Thread)
  27. Question about opportunities for Americans outside t... (Thread)
  28. ERP Senior Consultant (Thread)
  29. job opening (Thread)
  30. IMMEDIATE Opportunity (Thread)
  31. The potential Expat ....... (Thread)
  32. Internship in Australia (Thread)
  33. Senior Forensics & Incident Handler GURU needed ASAP... (Thread)
  34. Mail Filter by Location within Subject Field (Thread)
  35. Looking for UNIX Security / Penetration Tester - UK (Thread)

VI. INCIDENTS LIST SUMMARY

  1. Dig in: autorooter, maybe that IRC one but SAV doesn... (Thread)
  2. Heads up! distributed scans and attacks targeting ns... (Thread)
  3. port 445 probes continued (Thread)
  4. [normal] RE: [Full-Disclosure] Re: Secure.dcom.exe (Thread)
  5. New mail scanner? (Thread)
  6. Heads up! distributed scans and attacks targeting n... (Thread)
  7. Secure.dcom.exe (Thread)
  8. [unisog] Heads up! distributed scans and attacks tar... (Thread)
  9. DCOM95 for Windows 95 (Thread)
  10. [unisog] Heads up! distributed scans and attacks ta... (Thread)
  11. Stumbler: Reserved IP 73.247.223.148 scan source (Thread)
  12. 445 probes (Thread)
  13. Musical irc bot backdoor? (Thread)
  14. FW: Secure.dcom.exe (Thread)
  15. Backdoor.Trojan and payload.dat (Thread)
  16. WORM_MIMAIL.A Anyone have any info on what this does... (Thread)
  17. WORM_MIMAIL.A cleaner ? (Thread)
  18. Question for all (Thread)
  19. Pdmin / Trojaned csrss.exe (Thread)
  20. Command Line RPC vulnerability scanner? (Thread)
  21. /tmp/pdk ? (Thread)
  22. RPC DCOM exploit (Thread)

VII. VULN-DEV RESEARCH LIST SUMMARY

  1. Bug in Norton FireWall 2003 (Thread)
  2. quick question (Thread)
  3. middleware corba vulnerabilities:do they exist? (Thread)
  4. TOORCON 2003 CALL FOR PAPERS CLOSING (Thread)
  5. Some help With BOF Exploits Writing. (Thread)
  6. Anyone looked at the canary stack protection in Win2... (Thread)
  7. Oracle xdb ftp service? (Thread)

VIII. MICROSOFT FOCUS LIST SUMMARY

  1. Administrivia: Spam threads (Thread)
  2. MS broadening its efforts to warn customers (Thread)
  3. Exchange 2000 out of office (Thread)
  4. TSGrinder 2.03 Released (Thread)
  5. HTASploit (Thread)
  6. How to silently deploy DirectX9b? (Thread)
  7. SecurityFocus Microsoft Newsletter #148 (Thread)

IX. SUN FOCUS LIST SUMMARY

  1. Solaris Vulnerability Calculator (Thread)

X. LINUX FOCUS LIST SUMMARY

NO NEW POSTS FOR THE WEEK 2003-08-04 to 2003-08-11.

XI. SPONSOR INFORMATION

I. FRONT AND CENTER


1. The Lingering Ghost of Slammer By Tim Mullen

The last big Windows worm showed that network security can literally be a matter of life and death. http://www.securityfocus.com/columnists/178

2. Blogs: Another Tool in the Security Pro's Toolkit (Part Two) By Scott Granneman

Part Two on blogs covers RSS feeds that are highly relevant to the security community. http://www.securityfocus.com/columnists/177

3. Demonstrating ROI for Penetration Testing (Part Two) By Marcia Wilson

The second article in this series will introduce Risk Management concepts as they relate to Information Asset valuation. http://www.securityfocus.com/infocus/1718

II. BUGTRAQ SUMMARY


1. Multiple Atari800 Emulator Local Buffer Overflow Vulnerabili...
BugTraq ID: 8322
Remote: No
Date Published: Jul 31 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8322
Summary:
atari800 is multi-platform Atari 800, 800XL, 5200 and 130XE emulator software developed for Unix, WinCE, MS-DOS, Atari TT/Falcon, SDL and Amiga platforms.

atari800 emulator has been reported prone to multiple local buffer overflow vulnerabilities.


The issues are likely due to insufficient bounds checking performed on user-supplied data before it is copied into reserved buffers in memory. A local attacker may supply excessive data in a manner sufficient to trigger these issues and in doing so corrupt arbitrary memory. Because atari800 requires direct access to graphic devices, it has been reported that one of the affected applications is setuid root. Therefore, it has been reported that a local attacker may exploit this condition to gain local root access.

It should be noted that although version 1.2.2 and prior have been reported vulnerable, other versions are also likely to be prone to this issue.

2. Cisco IOS UDP Echo Service Memory Disclosure Vulnerability
BugTraq ID: 8323
Remote: No
Date Published: Aug 01 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8323
Summary:
IOS is the router operating system maintained and distributed by Cisco Systems.

Under some circumstances Cisco IOS UDP Echo Service may leak sensitive memory contents to remote attackers.

It has been reported that, if the udp-small-servers command is enabled, a Cisco appliance running IOS may answer malicious malformed UDP echo packets with replies that contain partial contents of the affected router's memory.

It has been reported that a remote attacker may repeat this process to disclose portions of data stored in the router's memory. This could expose sensitive information that may be useful in mounting other attacks.

**Update: This issue may be exploited in conjunction with other vulnerabilities, as is demonstrated in BID 8373. In BID 8373, memory disclosed through the exploitation of the UDP Echo Service, is used to assist in the successful exploitation of the IOS HTTP 2GB Buffer Overflow vulnerability.

The vendor has reported that the udp-small-servers command is disabled by default since IOS 11.2(1). Additionally, IOS 12.1, 12.2, and 12.3 based images are not reported to be affected by this issue.


3. RAV AntiVirus Online Virus Scan Ravupdt.DLL ActiveX Control ...
BugTraq ID: 8324
Remote: Yes
Date Published: Aug 01 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8324
Summary:
Ravupdt.dll is a linked library distributed as part of the ActiveX control for the RAV AntiVirus Online Virus Scan service.

ravupdt.dll has been reported prone to a buffer overflow vulnerability. The issue reportedly presents itself when excessive data is passed to the update() function.

It has been conjectured that this issue could potentially lead to the execution of code with the privileges of the user executing the web browser. This problem requires that a user with the vulnerable control installed visit a web page that invokes the control in a manner sufficient to trigger the issue. Upon doing so, it may be possible to create a remotely exploitable stack overflow condition that results in the overwriting of sensitive process memory. This, however, has not been confirmed.

It should be noted, that ActiveX controls by nature might contain latent vulnerabilities. Caution should be employed if installing ActiveX controls.

4. Novell GroupWise Wireless Webaccess Insecure Logged Password...
BugTraq ID: 8325
Remote: No
Date Published: Aug 01 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8325
Summary:
GroupWise is the commercial groupware package distributed and maintained by Novell.

A problem in the handling of user passwords by Novell GroupWise Wireless Webaccess has been reported. This may make it possible for an unauthorized user to gain access to sensitive information.

The problem is in the storage of passwords. When a user accesses network and authenticates through GroupWise Wireless Webaccess, user credentials are logged in plain text in the GroupWise Apache logs. A user that has the ability to read these log files could gain access to another user's credentials, and potentially impersonate another user on the network.

The vendor has reported that this only occurs when WML and HDML pages are accessed by a wireless phone.


5. IISShield Unspecified Scan Bypass Vulnerability
BugTraq ID: 8326
Remote: Yes
Date Published: Aug 01 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8326
Summary:
IISShield is an IIS ISAPI filter that is designed to prevent anomalous activity and attacks from disrupting IIS servers.

IISShield has been reported prone to an unspecified scan bypass vulnerability.

It has been reported that in some circumstances, although IISShield detects a specific malformed HTTP request, it will fail to drop the malicious request.

Although unconfirmed, this issue may allow an attacker to bypass IISShield scans in attacks launched against a protected IIS server.

This BID will be updated as further technical details are disclosed.

6. Hassan Consulting Shopping Cart Multiple Vulnerabilities
BugTraq ID: 8327
Remote: Yes
Date Published: Aug 01 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8327
Summary:
Hassan Consulting Shopping Cart is prone to a path disclosure issue. It is reported that the software will display path information when the shop.cfg file is requested. This could permit remote attackers to gain access to information about the layout of the file system, which could be useful in further attacks against system resources.

It is possible that this issue may be related to configuration, for example, debugging directives may be enabled in the software. This has not been confirmed.  

It is also reported that the software could expose the system to other attacks, including allowing files and directory contents to be read. Few details about these other issues are available at this time. If more details about the specific nature of these other issues are disclosed, separate BIDs will be created appropriately. It is possible that these additional issues have been previously reported and are already covered in BID 1777.

7. CDRTools RSCSI Debug File Arbitrary Local File Manipulation ...
BugTraq ID: 8328
Remote: No
Date Published: Aug 01 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8328
Summary:
rscsi is a helper component of the cdrtools package.


It has been reported that a local attacker may invoke the rscsi utility against an attacker-specified file. The attacker may accomplish this by supplying the affected utility with a rscsi 'debug file' argument that points to a file that already exists. This action will have the effect of changing the group ownership of the target file to the group of which the user invoking the rscsi utility is a member. Additionally, the target file contents will be corrupted with data that may be influenced by the attacker.

Because the rscsi utility is installed with setuid 'root' permissions by default, a local attacker may harness this vulnerability to achieve elevated privileges.

This vulnerability has been reported to affect the version 2.x branch of cdrtools, and all previous versions.

8. Symantec Norton AntiVirus Device Driver Memory Overwrite Vul...
BugTraq ID: 8329
Remote: No
Date Published: Aug 02 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8329
Summary:
It has been reported that a memory corruption vulnerability affects the Symantec Norton AntiVirus Device Driver, "NAVAP.SYS". According to the report, one of the device control operation handlers attempts to write data to an address offset from a pointer parameter passed to DeviceIoControl().  There is no validation on the parameter supplied or the address written to.

The vulnerability is reportedly present in the driver subroutine for handling control code "0x222a87". This control operation can be invoked by unprivileged userland processes through DeviceIoControl(). One of the arguments passed to this control operation is later used as the target of a memory write without any validation. As the device driver code runs in kernel mode, a write to an invalid address (not page-mapped) will result in a complete system crash. It may also be possible, though likely difficult, for a malicious userland program to hijack control of the kernel to escalate privileges.

In the report, NAV 2002 was listed as vulnerable. It is not currently known if NAV 2003 is affected.

Proof-of-concept code has been developed.

9. Linux Netfilter NAT Remote Denial of Service Vulnerability
BugTraq ID: 8330
Remote: Yes
Date Published: Aug 02 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8330
Summary:
The Netfilter project maintains the packet filter component of the Linux kernel. A fix for a denial of service vulnerability has been reported by the Netfilter project.


The vulnerability is present on systems with the ip_nat_ftp or ip_nat_irc modules loaded or with a kernel built supporting options CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC. These optional subcomponents implement limited stateful inspection of the FTP and IRC application protocols, allowing for features such as active mode FTP and DCC through NAT.

A remotely exploitable denial of service vulnerability exists when at least one of these features is enabled and communication to FTP/IRC servers is permitted.

Version 2.4.20 of the Linux kernel is confirmed vulnerable. A patch is available. According to the Netfilter team, the 2.4.20 kernels shipped with Red Hat Linux include the patch.

10. Netfilter Connection Tracking Denial of Service Vulnerabilit...
BugTraq ID: 8331
Remote: Yes
Date Published: Aug 02 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8331
Summary:
The Netfilter project maintains the packet filter component of the Linux kernel. A fix for a denial of service vulnerability has been reported by the Netfilter project.

The vulnerability is present on systems with support for connection tracking enabled. Connection tracking allows for the firewall to identify which packets belong to established connections. Linux 2.4.20 systems with kernels built supporting the CONFIG_IP_NF_CONNTRACK option or with the ip_conntrack module loaded are vulnerable. Other kernel versions are not affected.

The vulnerability is due to the introduction into the Linux 2.4.20 kernel of a new generic linked list implementation. Code that still relied on the previous linked list implementation produced a condition that could lead to a denial of service.

A patch has been released that removes dependence on a specific kernel linked list API.

11. mindi Temporary File Creation Vulnerabilities
BugTraq ID: 8332
Remote: No
Date Published: Aug 02 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8332
Summary:
Mindi is a program for creating boot/root disks that is maintained by Hugo Robson.

Debian has reported that Mindi is affected by several temporary file creation vulnerabilities that could allow for corruption of local files and, possibly, elevation of privileges. Throughout its operation, mindi creates numerous files in /tmp with predictable filenames. Because /tmp is world-writable, symbolic link attacks are possible. Some of the temporary filenames are static and can be predicted with certainty; others are based on process IDs.

If malicious local attackers know that another user on the system is going to run mindi, symbolic links with the anticipated filenames can be created in /tmp. If the file pointed to by the symbolic link is writable by the user running mindi, the file will be overwritten or deleted if the attacker chose the correct filenames. If the contents can be controlled by the attacker, privilege escalation may be possible. As there are numerous temporary files, different attack channels may yield different consequences.


Debian has issued fixes.

12. Multiple Postfix Denial of Service Vulnerabilities
BugTraq ID: 8333
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8333
Summary:
Postfix is a free, open-source mailer that was designed to be an alternative to Sendmail. It is written and maintained by Wietse Venema.

Debian has reported two vulnerabilities in the Postfix mail transfer agent.  The first vulnerability, CAN-2003-0468, can allow for an adversary to "bounce-scan" a private network. It has also been reported that this vulnerability can be exploited to use the server as a distributed denial of service tool. This is reportedly possible through forcing the server to connect to an arbitrary port on an arbitrary host.

The second vulnerability, CAN-2003-0540, is another denial of service. It can be triggered by a malformed envelope address and can cause the queue manager to lock up until the message is removed manually from the queue. It is also reportedly possible to lock the SMTP listener, also resulting in a denial of service.

This BID has been divided into BIDs 8361 and 8362 and is being retired.

13. Counterpane Password Safe Clipboard Data Recovery Vulnerabil...
BugTraq ID: 8334
Remote: No
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8334
Summary:
Counterpane Password Safe is a password storage application for Microsoft Windows operating systems.

Password Safe has security options that clear data from the clipboard and lock the password database when the Password Safe window is minimized by the user.  

It has been reported that Password Safe will not clear passwords or other sensitive information from the clipboard when the program is minimized, even in circumstances where it is configured to do so. This could create a false sense of security, as the user expects that credentials have been cleared from the clipboard when the program window is minimized. This could also permit password credentials to be retrieved by malicious users under some circumstances.

It should be noted that a user must first copy a password or other sensitive information to the clipboard for this issue to be exploited.

14. Invision Board Overlapping IBF Formatting Tag HTML Injection...
BugTraq ID: 8335
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8335
Summary:
Invision Board is web forum software. It is implemented in PHP and is available for Unix and Linux variants and Microsoft Windows operating systems.

Invision Board supports the use of formatting tags that allow users to insert images and links into content as well as control certain aspects of how content is rendered. These tags are referred to as IBF codes.


It may be possible to inject hostile HTML into Invision Board by using overlapping IBF tags. This could cause the hostile code to be interpreted in the context of the site hosting the software. Any input fields which support inclusion of IBF code may be prone to this issue.

It should be noted that it may not be possible to inject arbitrary HTML into Invision Board but it is more likely that this could be exploited to spoof or manipulate links or include other abusive content.
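
The following Python script is an added illustration of why overlapping tags matter; it is not Invision Board's code and is not from the advisory. It contrasts a converter that rewrites each IBF tag with its own regular expression against a stack-based converter that only emits markup for properly nested tags. The tag set ([b], [img], [url=...]) and the two sample posts are constructed for the demonstration.

```python
import html
import re

# Constructed sample posts (not from the advisory). In the second one the
# [url] tag opens inside the [img] body but closes after it: overlapping tags.
WELL_FORMED_POST = "[b]see[/b] [img]http://x/a.png[/img]"
OVERLAPPING_POST = "[img]http://x/a.png[url=http://x/]c[/img]d[/url]"

B_RE = re.compile(r"\[b\](.*?)\[/b\]", re.S)
IMG_RE = re.compile(r"\[img\](.*?)\[/img\]", re.S)
URL_RE = re.compile(r"\[url=(.*?)\](.*?)\[/url\]", re.S)
TAG_RE = re.compile(r"\[(/?)(b|img|url)(?:=([^\]]*))?\]")
PLAIN_URL = re.compile(r"^https?://[^\s\"'<>]+$")


def naive_ibf_to_html(text: str) -> str:
    """Sequential regex substitution, the way a naive converter works.

    Raw HTML is escaped first, but each tag is then rewritten independently.
    A tag that opens inside another tag's body and closes after it drags the
    second template's '<', '"' and '>' into the first replacement's attribute."""
    text = html.escape(text, quote=True)
    text = IMG_RE.sub(r'<img src="\1">', text)
    text = URL_RE.sub(r'<a href="\1">\2</a>', text)
    return B_RE.sub(r"<b>\1</b>", text)


def is_plain_url(escaped: str) -> bool:
    """True if an already-escaped fragment is a bare http(s) URL: no markup
    from nested tags and no quotes, angle brackets or whitespace."""
    return "<" not in escaped and PLAIN_URL.match(html.unescape(escaped)) is not None


def render(name: str, attr, body: str) -> str:
    """Emit HTML for one properly nested tag; `body` is already escaped."""
    if name == "b":
        return f"<b>{body}</b>"
    if name == "img" and is_plain_url(body):
        return f'<img src="{body}">'
    if name == "url" and attr is not None:
        href = html.escape(attr, quote=True)
        if is_plain_url(href):
            return f'<a href="{href}">{body}</a>'
    # Unusable tag (bad URL, missing attribute): keep it as literal text.
    opener = f"[{name}={attr}]" if attr is not None else f"[{name}]"
    return html.escape(opener, quote=True) + body + html.escape(f"[/{name}]")


def safe_ibf_to_html(text: str) -> str:
    """Stack-based converter. Only a close tag matching the innermost open tag
    produces markup; stray closers and unclosed openers become literal text,
    so overlapping tags can never splice template characters into an attribute."""
    buffers = [[]]        # one output buffer per open tag, outermost first
    open_tags = []        # (name, attr, raw opening text)
    pos = 0
    for m in TAG_RE.finditer(text):
        buffers[-1].append(html.escape(text[pos:m.start()], quote=True))
        pos = m.end()
        closing, name, attr = m.group(1) == "/", m.group(2), m.group(3)
        if not closing:
            open_tags.append((name, attr, m.group(0)))
            buffers.append([])
        elif open_tags and open_tags[-1][0] == name:
            _, attr, _ = open_tags.pop()
            body = "".join(buffers.pop())
            buffers[-1].append(render(name, attr, body))
        else:                      # closer with no matching innermost opener
            buffers[-1].append(html.escape(m.group(0), quote=True))
    buffers[-1].append(html.escape(text[pos:], quote=True))
    while open_tags:               # unclosed openers are demoted to text
        _, _, raw = open_tags.pop()
        body = "".join(buffers.pop())
        buffers[-1].append(html.escape(raw, quote=True) + body)
    return "".join(buffers[0])


if __name__ == "__main__":
    for post in (WELL_FORMED_POST, OVERLAPPING_POST):
        print("naive:", naive_ibf_to_html(post))
        print("safe: ", safe_ibf_to_html(post))
```

On the well-formed post both converters agree; on the overlapping post the naive converter leaves an `<a ...>` tag inside the `src` attribute of the `<img>`, while the stack-based converter keeps the unmatched `[img]`/`[/img]` as text and emits only the properly nested link.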

15. HP Compaq Insight Management Agent Format String Vulnerabili...
BugTraq ID: 8336
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8336
Summary:
Compaq Web Agent is a component of Compaq Insight Manager which facilitates remote management of Proliant servers via a web-based interface.

It has been reported that the webserver component of the Insight Management Agent contains a format string vulnerability.

Remote attackers may pass format specifiers to Insight Management Agent HTTP server via ".DebugSearchPaths>?Url=" requests. Incorrect usage of a formatting function when these requests are handled exposes the software to a format string vulnerability. This allows arbitrary locations and sensitive data in memory to be overwritten. This could permit arbitrary code to be executed. The Insight Management Agent HTTP server runs as Local System.

Compaq Insight Management Agent 5.00 H was reported to be prone to this issue, however, other versions may also be affected.

16. Xtokkaetama Nickname Local Buffer Overflow Vulnerability
BugTraq ID: 8337
Remote: No
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8337
Summary:
xtokkaetama, also known as xkaetama, is a puzzle game similar to Tetris available for Linux.

xtokkaetama is prone to a locally exploitable buffer overflow vulnerability. This is due to insufficient bounds checking of the '-nickname' command line option. By supplying an excessively long parameter for this command line option, it is possible to corrupt adjacent regions of stack memory with attacker-supplied values. This could result in execution of arbitrary code in the context of the software.

The software is typically installed setgid 'games'.

It should be noted that this issue was not patched in the updates provided in BID 8312.

17. Macromedia Dreamweaver MX PHP User Authentication Suite Cros...
BugTraq ID: 8339
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8339
Summary:
Macromedia's Dreamweaver MX is a product designed to allow visual creation of websites and web applications.

Using the Dreamweaver MX PHP Authentication Suite, it is possible to create an authentication or access control page. The generated script produces an error page containing dynamic content when a user fails to authenticate correctly to the site.

A cross-site-scripting vulnerability has been reported to affect PHP authentication functions used in PHP access control pages created with the Macromedia Dreamweaver MX PHP Authentication Suite.

The issue presents itself due to insufficient sanitization of URI parameters that may be influenced by an attacker. An attacker may supply encoded HTML as the value of the access-denied variable used by the affected site's authentication page, and present a link containing this code to an unsuspecting user. If the link is followed, the malicious HTML code will be incorporated into the error page and rendered in the user's browser.

The attacker-supplied HTML and script code would be able to access properties of the site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user.

It should be noted that while this vulnerability has been reported to affect Macromedia Dreamweaver MX version 6, other versions might also be affected.

18. NetBSD Kernel OSI Packet Handler Remote Denial Of Service Vu...
BugTraq ID: 8340
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8340
Summary:
It has been reported that NetBSD systems that have OSI networking support compiled into their kernel are prone to a remote denial of service vulnerability.

The issue exists because, under some circumstances, error-reporting functions invoked by the netiso-enabled kernel do not correctly follow the requirements of the BSD networking stack.

When the kernel processes an OSI packet that is sufficient to trigger the generation of an error indication response packet, one of two outcomes may occur. If the kernel has been compiled with "options DEBUG", a kernel panic may result and the kernel will report this condition. Otherwise the system may crash unpredictably.

This is because the function that is responsible for crafting error indication response packets was not converted to use a "PKTHDR" mbuf, which is the standard for the BSD networking stack.


It has been reported that this issue does not affect systems that do not have OSI networking support installed and an OSI network address assigned.

19. Man-db DEFINE Arbitrary Command Execution Vulnerability
BugTraq ID: 8341
Remote: No
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8341
Summary:
man-db is a utility that is used to initialize or manually update the index database caches that are usually maintained by the man utility.

man-db could allow a local user to execute commands with elevated privileges.

This occurs because man-db allows commands to be executed through the DEFINE directive even if it is running setuid "man". This would allow a local user to execute any command with "man" privileges.

It is important to note that man-db is not installed setuid by default. This vulnerability is only present if man-db was installed setuid "man".

20. ZoneAlarm Local Device Driver IO Control Code Execution Vuln...
BugTraq ID: 8342
Remote: No
Date Published: Aug 05 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8342
Summary:
ZoneAlarm is a firewall software package available for the Microsoft Windows operating system. It is distributed and maintained by Zone Labs.

A problem in the handling of input may, under some circumstances, allow an attacker to cause the execution of code at arbitrary locations of memory through the ZoneAlarm application. This may lead to unauthorized access to system resources.

The problem is in the handling of input by the ZoneAlarm Device Driver "VSDATANT". It is possible to overwrite specific locations in memory by supplying a signal and location to which the data will be written. By using a dwIoControl code, it is possible to cause the ZoneAlarm application to jump to this location of memory and execute the code contained at the address. The code executed by ZoneAlarm would be with the privileges of ring0.

This vulnerability was reported to affect ZoneAlarm 3.1, however, other versions may also be affected.


21. EveryBuddy Long Message Denial Of Service Vulnerability
BugTraq ID: 8343
Remote: Yes
Date Published: Aug 05 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8343
Summary:
EveryBuddy is an instant messaging client that supports numerous instant messaging services, including AIM, ICQ and MSN. It is available for Microsoft Windows operating systems.

EveryBuddy is prone to a denial of service vulnerability when handling instant messages of excessive length. The condition is reportedly reproducible by sending 55 lines with 27 characters per line in an instant message to a user of a vulnerable client. Most legitimate clients will limit the length of outgoing instant messages, however this could be exploited with a malicious instant messaging client designed to send messages of excessive length.

This condition may be due to a buffer overflow, though this has not been confirmed.

22. IBM DB2 db2job File Overwrite Vulnerability BugTraq ID: 8344
Remote: No
Date Published: Aug 05 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8344 Summary:
IBM's DB2 database ships with a utility, db2job, installed with permissions 4550 and owned by root.db2asgrp. It has been reported that db2job writes to a number of files with root privileges.

When db2job runs, it does not drop privileges before writing data to the following files:

db2jobht.prf
db2jobht.bak
db2jobsm.bak
0_1.out

The files written to are created with 0770 permissions (owner and group writeable) and are owned by root.db2asgrp. If one of these names is a symbolic link, the file it points to will be overwritten and given these permissions. This would be exploitable; however, db2job is allegedly not world-executable by default (permissions are 4550). The two members of group db2asgrp, db2as and db2inst1, are the only users besides root that would normally have execute access.

This can be exploited by local attackers with effective group ID db2asgrp to overwrite sensitive root-owned files (such as /etc/passwd or /etc/shadow) and gain write access to them through the permissions described above. If an attacker can run commands as, or otherwise gain the access level of, that group (perhaps through one of those two accounts), they may further elevate their privileges through exploitation of this vulnerability.

23. FreezingCold Software aspBoard URL HTML Injection Vulnerabil... BugTraq ID: 8345
Remote: Yes
Date Published: Aug 05 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8345 Summary:
aspBoard is a bulletin board system implemented in ASP.

aspBoard is prone to an HTML injection vulnerability. This issue is exposed through inadequate sanitization of user input for the 'URL' variable. The script that processes user supplied URLs used in posts to the message board may allow attackers to embed HTML and script commands within the post. An attacker may exploit this issue by including hostile HTML and script code in posts to the bulletin board. This code may be rendered in the web browser of a user who views these areas of the site. This would occur in the security context of the site hosting aspBoard.

The attacker-supplied HTML and script code would be able to access properties of the site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user.

24. IBM DB2 Shared Library Injection Vulnerability BugTraq ID: 8346
Remote: No
Date Published: Aug 05 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8346 Summary:
IBM DB2 ships with a number of shared libraries, stored in a directory owned by the user and group 'bin'.

*In version 7.1, the directory /usr/IBMdb2/V7.1 contains the following subdirectories:

drwxr-xr-x    2 bin      bin          4096 Jun 21  2002 java12
drwxr-xr-x    2 bin      bin          4096 Jul 30 19:54 lib
drwxr-xr-x    2 bin      bin          4096 Jun 21  2002 map

*In version 8.1, /opt/IBM/db2/V8.1/ contains:

drwxr-xr-x    2 bin      bin          4096 Dec 11  2002 java
drwxr-xr-x    2 bin      bin          4096 Dec 11  2002 lib
drwxr-xr-x   30 bin      bin          4096 Dec 11  2002 license
drwxr-xr-x    2 bin      bin          4096 Dec 11  2002 map

As setuid root utilities are linked to the libraries stored in these directories, their ownership by a user and group of a lower privilege level constitutes a vulnerability. If an attacker can obtain user bin privileges, the shared libraries can be overwritten with malicious replacements designed to obtain root privileges from the setuid root utilities that use them.

It is likely that root privileges can be obtained through all or most of the setuid utilities shipped with DB2.
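The check a defender would want for this class of issue is an audit of every shared library a setuid-root program maps, together with each parent directory, confirming that all of them are owned by root and writable only by root. The following is an added example, not code from the advisory or from IBM: the path names, the library file name and the uid/gid values (bin is assumed to be uid/gid 1) are constructed to mirror the listing above, and the stat function is injected so the same logic can run offline here or over a live host via os.stat (on a real system the library list would come from the binary's dynamic dependencies).

```python
"""Added example (not part of the advisory or of IBM DB2): audit the ownership
and mode of the shared libraries that setuid-root programs load and of every
directory on the path to them. Any element owned by a non-root user, or
writable by a non-root group or by everyone, lets a lower-privileged account
swap in a malicious library, which is the condition the advisory describes."""
import os
import stat
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Meta:
    uid: int
    gid: int
    mode: int  # full st_mode, including the file-type bits


def _problems(path: str, m: Meta) -> List[str]:
    """Return the findings for one path (an empty list means it is clean)."""
    out = []
    if m.uid != 0:
        out.append(f"{path}: owned by uid {m.uid}, not root")
    if m.mode & stat.S_IWGRP and m.gid != 0:
        out.append(f"{path}: group-writable by gid {m.gid}")
    if m.mode & stat.S_IWOTH:
        out.append(f"{path}: world-writable")
    return out


def audit_library_paths(lib_paths: List[str],
                        stat_fn: Callable[[str], Meta]) -> Dict[str, List[str]]:
    """Check each library and every parent directory up to '/', returning
    findings keyed by path. stat_fn is injected so the audit can run over
    constructed metadata offline; use os_stat_meta for a live filesystem."""
    findings: Dict[str, List[str]] = {}
    seen = set()
    for lib in lib_paths:
        p = os.path.normpath(lib)
        while True:
            if p not in seen:
                seen.add(p)
                probs = _problems(p, stat_fn(p))
                if probs:
                    findings[p] = probs
            parent = os.path.dirname(p)
            if parent == p:  # reached '/'
                break
            p = parent
    return findings


def os_stat_meta(path: str) -> Meta:
    """Adapter for a live filesystem."""
    st = os.stat(path)
    return Meta(st.st_uid, st.st_gid, st.st_mode)


# Constructed metadata mirroring the advisory's V7.1 listing: the DB2 tree is
# owned by bin:bin (assumed uid/gid 1) with mode 0755; the library name is a
# placeholder, not a real DB2 file name.
_DIR = stat.S_IFDIR | 0o755
CONSTRUCTED = {
    "/": Meta(0, 0, _DIR),
    "/usr": Meta(0, 0, _DIR),
    "/usr/IBMdb2": Meta(1, 1, _DIR),
    "/usr/IBMdb2/V7.1": Meta(1, 1, _DIR),
    "/usr/IBMdb2/V7.1/lib": Meta(1, 1, _DIR),
    "/usr/IBMdb2/V7.1/lib/libexample.so": Meta(1, 1, stat.S_IFREG | 0o755),
    "/lib": Meta(0, 0, _DIR),
    "/lib/libc.so.6": Meta(0, 0, stat.S_IFREG | 0o755),
}


def demo() -> Dict[str, List[str]]:
    """Run the audit over the constructed tree; only the bin-owned DB2 paths
    are reported, the root-owned system library and its directories are not."""
    return audit_library_paths(
        ["/usr/IBMdb2/V7.1/lib/libexample.so", "/lib/libc.so.6"],
        lambda p: CONSTRUCTED[p])
```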

* Local directory structure may vary.

25. TightVNC Win32 Server QueryAllowNoPass Access Control Bypass... BugTraq ID: 8347
Remote: Yes
Date Published: Aug 05 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8347 Summary:
TightVNC is a VNC implementation that is freely available for a number of platforms including Linux variants and Microsoft Windows operating systems.

TightVNC for Win32 platforms is reported to be prone to an unspecified vulnerability that could permit access controls to be bypassed. This issue is reportedly due to a failure of the software while acting on the QueryAllowNoPass configuration directive. This issue is known to affect the TightVNC server.

It has been reported that this issue exists in versions prior to 1.2.9.

Precise technical details are not available at this time. This BID will be updated when further details become available.

26. gURLChecker HTML Parser Denial Of Service Vulnerability BugTraq ID: 8348
Remote: Yes
Date Published: Aug 05 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8348 Summary:
gURLChecker is software that can validate web links. It is available for Unix and Linux variants.

gURLChecker is reported to be prone to a denial of service vulnerability. This issue is exposed when the HTML parser (html_parser.c) included with the software encounters specifically malformed HTML tags of excessive length. The issue appears to be present in the uc_html_parser_get_attributes() function. This could be exploited to cause gURLChecker to crash if the software is used to access an untrusted web page that contains code designed to trigger the condition.

Though unconfirmed, this condition could result in memory corruption. Due to the nature of memory corruption issues, it may be possible to exploit this issue to execute arbitrary code in the context of the software.

27. Webware WebKit Cookie String Command Execution Vulnerability BugTraq ID: 8349
Remote: Yes
Date Published: Aug 01 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8349 Summary:
Webware is an application suite which provides tools for development of web-based applications. It is implemented in Python.

Webware ships with a component entitled WebKit that provides Python classes for dynamically generating web server content.

The Webware WebKit component is prone to a vulnerability that may allow for execution of malicious commands. This issue is due to usage of SmartCookie, which is provided in the CookieEngine module. SmartCookie will attempt to unpickle malicious client-supplied cookie strings. This could result in the Python pickle module executing malicious code contained in cookie-strings.

A remote attacker could potentially exploit this issue to execute malicious commands with the privileges of the software.

28. ERoaster Local Insecure Temporary File Creation Vulnerabilit... BugTraq ID: 8350
Remote: No
Date Published: Aug 06 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8350 Summary:
eroaster is a freely available graphical frontend to cdrecord. It is available for the Linux operating system.

A problem has been reported in the secure creation of temporary files by the eroaster application. This may allow an attacker to overwrite files belonging to the eroaster user.

Few details are available about this vulnerability. However, it is theorized that this issue results from inadequate checks on the existence of a predictable temporary file prior to an attempt to create the file during program execution. By creating a symbolic link, an attacker could potentially destroy data at the end of the symbolic link, or perform other nefarious deeds.

29. Sun Microsystems ONE Application Server Java Server Page Sou... BugTraq ID: 8351
Remote: Yes
Date Published: Aug 06 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8351 Summary:
ONE Application Server is the web application server distributed and maintained by Sun Microsystems.

A problem with Sun ONE Application Server may result in the disclosure of the source code of Java Server Pages (JSP). This may allow an attacker to gain unauthorized access to sensitive information.

The precise details of this vulnerability have not been disclosed, and this BID will be updated to contain additional information when it becomes available. What is known is that JSPs often contain sensitive credentials used in database and system communication. By disclosing the source code of a JSP, an attacker could potentially gain access to these credentials, and potentially the systems that the web application communicates with.

30. ManDB Compressor Binary Substitution Vulnerability BugTraq ID: 8352
Remote: No
Date Published: Aug 06 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8352 Summary:
mandb is a utility that is used to initialize or manually update the index database caches that are usually maintained by the man utility.

mandb is prone to a vulnerability that may permit local attackers to gain elevated privileges. The source of this issue is that local users are able to specify an arbitrary program as the location for a compressor utility for cat files. In particular, the open_cat_stream() function call will be made while the program still has privileges. By specifying a malicious program, the attacker can cause arbitrary code execution with the privileges of mandb. mandb typically executes with the privileges of user 'man'.

31. JSCI SSO URI Pattern Matching Access Validation Vulnerabilit... BugTraq ID: 8353
Remote: Yes
Date Published: Aug 06 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8353 Summary:
JCSI is a suite of Java components that offer solutions for data security requirements. JCSI SSO (Single Sign-On) suite provides for authorization and access control for Java applications using Microsoft Active Directory.

JCSI SSO has been reported prone to an access validation vulnerability under certain circumstances.

The issue presents itself in pattern-matching tags contained in JCSI SSO XML configuration files; these tags are used when controlling access to Java applications. It has been reported that these pattern-matching tags match an entire URI rather than the relative path to the secured Java application. This may mean that if the protected Java application is moved and has a different context root, JCSI SSO will no longer be protecting it.

This may lead a system administrator into a false sense of security and may allow remote attackers to access restricted Java applications that were presumed secured.

32. vBulletin Register.PHP HTML Injection Vulnerability BugTraq ID: 8354
Remote: Yes
Date Published: Aug 06 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8354 Summary:
vBulletin is a message board system implemented in PHP.

vBulletin may be prone to an HTML injection vulnerability. This issue is exposed through inadequate sanitization of user input for fields marked "optional" within the register.php script. This may allow attackers to embed HTML and script commands within their user profile. An attacker may exploit this issue by including hostile HTML and script code in fields that may be viewable by other users. This code may be rendered in the web browser of a user who views posts to the message board which will have this user information automatically appended. This would occur in the security context of the site hosting vBulletin.

The attacker-supplied HTML and script code would be able to access properties of the site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user.

33. D-Link DI-704P Long URL Denial Of Service Vulnerability BugTraq ID: 8355
Remote: Yes
Date Published: Aug 06 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8355 Summary:
The D-Link DI-704P is an Internet Broadband Gateway device. The DI-704P provides a method to share a single broadband Internet connection and share a single printer among systems connected to the local network.

D-Link DI-704P has been reported prone to a remote denial of service vulnerability.

The issue presents itself when a request of excessive length is sent to the router. It has been reported that when a URL of excessive length is requested, the device behaves in an unstable manner. This may result in a complete denial of service condition requiring a device reboot, or the loss of the ability to log in to the administration interface.

Although unconfirmed, it should be noted that other D-Link devices that use related firmware might also be affected.

34. 121 Software 121 WAM! FTP Server Directory Traversal Vulnera... BugTraq ID: 8356
Remote: Yes
Date Published: Aug 06 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8356 Summary:
121 WAM! Server is an FTP server for the Microsoft Windows platform that allows users to manage online databases, including Microsoft Access, SQL Server and MySQL.

A vulnerability has been reported in 121 WAM! Server that may allow remote users to access restricted data from the server and other user accounts outside the user root directory. The vulnerability is due to an access validation error that allows clients to traverse outside of the root FTP directory using '/../' character sequences.

This may allow the attacker to access system resources on the server. Information that could be useful in further attacks could be disclosed to an attacker through successful exploitation of this issue.

35. Bea WebLogic/Liquid Data Multiple Cross-Site Scripting Vulne... BugTraq ID: 8357
Remote: Yes
Date Published: Aug 07 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8357 Summary:
BEA Systems has reported multiple cross-site scripting vulnerabilities in BEA WebLogic Express/Server and the WebLogic Integration and Liquid Data components.

The following issues were reported:

A cross-site scripting vulnerability that could be exposed when web applications use a forward statement with a dynamically calculated URL. This is reportedly not exploitable when a web application hosted by the vulnerable software includes a forward statement that points to a static URL.

Multiple cross-site scripting issues in the WebLogic Server console application, which could permit hostile HTML or script code to be rendered in the web browser of a user with special privileges who follows a malicious link.

Execution of hostile HTML or script code via these issues will occur in the context of the site hosting the vulnerable software. Exploitation could allow for theft of cookie-based authentication credentials from administrative or other users. Other attacks are also plausible since it is possible for an attacker to control how an affected site is rendered to a web user who follows the attacker's malicious link.

36. Cisco Content Service Switch ONDM Ping Failure Denial Of Ser... BugTraq ID: 8358
Remote: Yes
Date Published: Aug 07 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8358 Summary:
Cisco Content Service Switch is an appliance designed to provide a front-end for server farms and cache clusters.

It has been reported that under certain circumstances, it may be possible for remote attackers to force the System Controller Module (SCM) on Cisco Content Service Switches to reboot. A component on the device known as the Online Diagnostics Monitor (ONDM) periodically sends out ping packets to all SFP cards present on the device to ensure functionality. In the event that a reply is not received, the SCM will reboot the device.

Remote attackers may be able to perform a SYN flood attack against the device by directing a large amount of data to the circuit IP address of the Content Service Switch. This may prevent delivery of these diagnostic ping packets, causing the device to believe the component is not functional and causing the SCM to reboot.

37. Lotus Sametime Multiple Encryption Implementation Flaw Vulne... BugTraq ID: 8359
Remote: Yes
Date Published: Aug 07 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8359 Summary:
Sametime is the Instant Message client distributed and maintained by Lotus.  It is available for the Microsoft Windows operating system.

Several problems have been identified in Lotus Sametime that may make information encrypted through Sametime more prone to retrieval by a malicious party. This may result in an adversary gaining access to sensitive information.

One issue is the RC2/40 key being sent in the login message. Upon intercepting the login message, an adversary has a significantly greater chance of decrypting the user's password.

Next, the key is also transmitted with Instant Messages. This may also increase the likelihood of decrypting sensitive information.

Also, Encrypted Instant Messages contain six bytes of known characters at the beginning of each IM. It is theorized that by gathering Instant Messages over a period of time and cracking the six bytes of known text, it may be possible to reveal the encryption key used. This has not been confirmed.

Finally, the implementation of RC2/40 in Sametime uses a limited range of characters when generating encryption keys that significantly weakens generated keys. The implementation uses only ASCII representations of decimal numbers that weaken keyspace from 256^10 possibilities to 10^10 possibilities.

38. IdealBB Error.ASP Cross-Site Scripting Vulnerability BugTraq ID: 8360
Remote: Yes
Date Published: Aug 07 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8360 Summary:
IdealBB is a web based bulletin board system implemented in ASP.

IdealBB error.asp page has been reported prone to a cross-site scripting vulnerability.

The issue presents itself due to a lack of sufficient sanitization performed by functions in the error.asp script on user-influenced 'msg' URI parameters. It has been reported that a remote attacker may construct a malicious link to the error.asp script hosted on a remote site, and supply arbitrary HTML code as a value for the 'msg' URI parameter. If this link is followed, the content of the 'msg' parameter is incorporated into a dynamic error message, and will be executed in the browser of the user who followed the link.

This could permit the theft of cookie authentication credentials; other attacks may also be possible.

This vulnerability has been reported to affect IdealBB version 1.4.9 beta; other versions might also be vulnerable.

39. Postfix Connection Proxying Vulnerability BugTraq ID: 8361
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8361 Summary:
Postfix is a free, open-source mailer that was designed to be an alternative to Sendmail. It is written and maintained by Wietse Venema.

A vulnerability has been reported in Postfix that may allow an adversary to "bounce-scan" a private network.

The problem is in handling an attempt to deliver a message to an address with the following format:

<[server_ip]:service!@local-host-name>

This will cause the server to make a connection to the port and IP address that is specified. Such an address can be included in the "RCPT TO" or "MAIL FROM" / Errors-To SMTP header fields. By designing requests that create bounces, an adversary can abuse this issue to proxy scans to networks that the adversary would not normally have direct access to.

It has been reported that this vulnerability can be exploited to use the server as a distributed denial of service tool. This is reportedly possible through forcing the server to connect repeatedly to an arbitrary port on an arbitrary host.

This issue was described in BID 8333 and is now being assigned an individual BID.

40. Postfix SMTP Malformed E-mail Envelope Address Denial of Ser... BugTraq ID: 8362
Remote: Yes
Date Published: Aug 04 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8362 Summary:
Postfix is a free, open-source mailer that was designed to be an alternative to Sendmail. It is written and maintained by Wietse Venema.

Postfix is reported to be prone to a denial of service attack. It can be triggered by a malformed envelope address and can cause the queue manager to lock up until the message is removed manually from the queue. It is also reportedly possible to lock the SMTP listener, also resulting in a denial of service. The vulnerability is present in the address parser code.

Evidence of exploitation of this vulnerability can be detected in the mail server logs. Deleting the malicious message in the queue that is associated with the "resolve_clnt_query: null recipient" error message contained in Postfix logs and restarting the service can restore normal functionality.

This issue was described in BID 8333 and is now being assigned an individual BID.

41. MiniHTTPServer WebForums Server Null Default Password Vulner... BugTraq ID: 8363
Remote: Yes
Date Published: Aug 07 2003 12:00A
Relevant URL: http://www.securityfocus.com/bid/8363 Summary:
WebForums Server is a commercially available HTTP server. It is available for the Microsoft Windows platform.

A vulnerability has been reported for WebForums server. Reportedly, the database's administrative user, the 'admin' account, is created by default during installation and is assigned a blank password.

A remote attacker can exploit this vulnerability by connecting to a vulnerable system as the administrative user and supplying a null password. The attacker may gain administrative access on a default installation. It has been reported that the attributes of this account include the ability to access the local 'C:\' drive.