Full Disclosure mailing list archives
SINTRAQ Weekly - Security Vulnerabilities - Week 38, 2003
From: "SINTRAQ" <sintraq () sintelli com>
Date: Tue, 23 Sep 2003 14:08:13 +0100
SINTRAQ Weekly Summary Week 38, 2003
Created for you by SINTELLI, the definitive source of IT security intelligence.

Welcome to the latest edition of SINTRAQ Weekly Summary. Information on how to manage your subscription can be found at the bottom of the newsletter. If you have any problems or questions, please e-mail us at sintraqweekly () sintelli com

PDF version is here http://www.sintelli.com/sinweek/week38-2003.pdf
=====================================================================

Highlights:

This week Microsoft admins were sleeping easily and watching their fellow *nix admins run around frantically applying patches. First it was one, then two, then three vulnerabilities identified in OpenSSH. But then there was more: not one but two Sendmail vulnerabilities. Just in case you have not upgraded your versions of OpenSSH and Sendmail to the latest versions, we suggest you do so. Whilst still on *nix, there is a remote root exploit available for Solaris, and IBM issued two advisories about AIX. There is an exploit available for the Solaris vulnerability, so time to fix it.

So what happened to the much-hyped Blaster-type worm which was going to exploit the vulnerabilities in MS03-039? Did it die, were we all protected against it, or was it hype? Well, there was a worm called Swen (aka Gibe). It came, pretending to be a Microsoft Bulletin, it saw vulnerable PCs, and it conquered them. Now it's invading many countries; watch its progress here: http://www.pandasoftware.com/virus_info/map/map.htm

The worrying thing about Swen is that it exploited a 30-month-old vulnerability (CVE-2001-0154), thus when the new Blaster-type worm turns up we are sure it will still find some vulnerable systems. Just in case you wanted to write such a worm, the Chinese research group has provided some information to help you at: http://www.xfocus.org/documents/200309/4.html Maybe they got bored of waiting for it?
Until next week, -- SINTELLI Research www.sintelli.com =====================================================================
Did you know you can trial our vulnerability alerting solution <<
Click here http://www.sintelli.com/free-trial.htm
=====================================================================

TABLE OF CONTENTS:

SID-2003-3347 [ AppiesHost ] Appies file manager directory traversal
SID-2003-3335 [ Compaq ] HP Tru64 NFS AdvFS File Denial Of Service Vulnerability
SID-2003-3362 [ Debian ] ipmasq insecure packet filtering vulnerability
SID-2003-3331 [ DrPhibez and Nitro187 ] GuildFTPd 0.999 Directory Traversal
SID-2003-3352 [ flying dog software ] Powerslave Portalmanager information disclosure
SID-2003-3330 [ GoAhead Software ] GoAhead WebServer denial of service
SID-2003-3344 [ IBM ] Denial of Service Vulnerability in DB2 Discovery Service
SID-2003-3346 [ IBM ] IBM AIX 5.2 tsm format string vulnerability
SID-2003-3361 [ IBM ] IBM AIX lpd format string vulnerability
SID-2003-3340 [ IBM ] Multiple IBM DB2 Stack Overflow Vulnerabilities
SID-2003-3367 [ Imatix ] Xitami Open Source Web Server Denial of service vulnerability
SID-2003-3312 [ Ipswitch ] IMail Directory Traversal Vulnerabilities
SID-2003-3356 [ Knox Software ] Knox Arkeia Pro 5.1.12 remote root exploit
SID-2003-3351 [ LSH ] LSH 1.4x remote root buffer overflow vulnerability
SID-2003-3360 [ Lucent ] Lucent MAX TNT Universal Gateway Hang-Up Redial Administrative Access Vulnerability
SID-2003-3358 [ Macromedia ] ColdFusion MX / ColdFusion cross-site scripting vulnerability with default error handlers
SID-2003-3345 [ Microsoft ] Microsoft BizTalk Server virtual directories weak permissions
SID-2003-3350 [ Microsoft ] Microsoft Windows 2000 and XP URG memory leak Vulnerability
SID-2003-3364 [ Midnight Commander ] Midnight Commander Remote Code Execution via Uninitialized Buffer
SID-2003-3308 [ MiniHttpServer ] Minihttpserver 1.x Host Engine Vulnerabilities
SID-2003-3342 [ Miro Construct Pty Ltd ] Mambo 4.0.14 Stable Multiple Vulnerabilities
SID-2003-3357 [ Multi-Vendor ] Hztty buffer overflows
SID-2003-3320 [ Multi-Vendor ] KDM Privilege escalation with specific PAM modules
SID-2003-3321 [ Multi-Vendor ] KDM weak session cookie generation algorithm
SID-2003-3338 [ Multi-Vendor ] Memory bugs in OpenSSH
SID-2003-3319 [ Multi-Vendor ] OpenSSH Buffer Management Error
SID-2003-3337 [ Multi-Vendor ] OpenSSH Multiple buffer management errors in buffer_init and buffer_free
SID-2003-3315 [ Multi-Vendor ] Pine Remote Integer Overflow Vulnerability
SID-2003-3327 [ Multi-Vendor ] Sendmail 8.12.9 prescan() vulnerability
SID-2003-3336 [ Multi-Vendor ] Sendmail ruleset parsing buffer overflow
SID-2003-3363 [ myPHPNuke ] myphpnuke auth.inc.php SQL Injection
SID-2003-3366 [ NetBSD ] NetBSD Sysctl Argument Handling Vulnerabilities
SID-2003-3311 [ Network Dweebs Corporation ] DSPAM Default Permissions Vulnerability
SID-2003-3310 [ Nokia ] Nokia Electronic Documentation - Multiple Vulnerabilities
SID-2003-3324 [ phpBB Group ] PHPBB Smiley Panel Cross Site Scripting
SID-2003-3328 [ Plug & Play Software Ltd ] Denial Of Service in Plug & Play Web (FTP) Server
SID-2003-3341 [ Plug & Play Software Ltd ] Plug & Play Web Server Directory traversal
SID-2003-3307 [ SCO ] SCO OpenServer local root privileges vulnerability
SID-2003-3353 [ Sep City ] Community Wizard Admin Access
SID-2003-3322 [ SGI ] SGI IRIX NFS export vulnerability
SID-2003-3317 [ Spider ] Spider heap overflow and buffer overflow vulnerabilities
SID-2003-3348 [ Sun ] JDK XALAN denial of service Vulnerability
SID-2003-3316 [ Sun ] Solaris sadmind Setting Remote Root Exploitation Vulnerability
SID-2003-3323 [ Symantec ] Multiple Vulnerabilities in Symantec Antivirus for Windows Mobile
SID-2003-3332 [ Trademark Software ] TM-POP3 Registry Plaintext Password Vulnerability
SID-2003-3325 [ ufoot.org ] LiquidWar Buffer Overflow Vulnerability
SID-2003-3343 [ Valve Software ] Rcon plaintext passwords
SID-2003-3368 [ Washington University ] Wu_ftpd buffer overflow vulnerability
SID-2003-3309 [ Wintel Software ] WideChapter Browser Buffer Overflow Vulnerability
SID-2003-3318 [ Yahoo ] Yahoo! Webcam ActiveX control buffer overflow vulnerability
=====================================================================
======================================================================

*** SID-2003-3347 [ AppiesHost ] Appies file manager directory traversal
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

The file manager of "Appies" from Appieshost allows a directory traversal attack.

References:
http://www.lostkey.org/advisories/Appies.txt

*** SID-2003-3335 [ Compaq ] HP Tru64 NFS AdvFS File Denial Of Service Vulnerability
Bugtraq ID: 8614
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

HP announced that a vulnerability has been identified in HP Tru64 NFS. The problem has been reported to occur under certain circumstances, when certain non-Tru64 NFS clients try to increase the size of a file on an AdvFS filesystem. This could result in a kernel memory fault or corruption of kernel memory.

References:
http://ftp.support.compaq.com/patches/public/Readmes/unix/t64kit0019900-v51ab23-e-20030906.README
http://ftp.support.compaq.com/patches/public/Readmes/unix/t64kit0019920-v51bb22-e-20030909.README
http://ftp.support.compaq.com/patches/public/Readmes/unix/t64kit0019921-v51ab21-e-20030909.README

*** SID-2003-3362 [ Debian ] ipmasq insecure packet filtering vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: CAN-2003-0785
Verification: Vendor Confirmed

Debian has reported that the ipmasq package installs improper filtering rules. As a result, traffic arriving on the external interface addressed to an internal host would be forwarded regardless of whether it belonged to an established connection. This vulnerability could be exploited by an attacker capable of delivering IP traffic with an arbitrary destination address to the external interface of a system with ipmasq installed.

References:
http://www.debian.org/security/2003/dsa-389

*** SID-2003-3331 [ DrPhibez and Nitro187 ] GuildFTPd 0.999 Directory Traversal
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

Luigi Auriemma has reported a directory traversal vulnerability in GuildFTPd versions 0.999.5 and prior. An attacker who knows a file's location can retrieve it using classical directory traversal techniques, but cannot list the contents of directories outside the FTP root.

References:
http://aluigi.altervista.org/adv/guildftpd-dir-adv.txt

*** SID-2003-3352 [ flying dog software ] Powerslave Portalmanager information disclosure
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

Powerslave features a powerful URL-rewrite function which can be used to obtain information about the database structure. It is reported that arbitrary code execution may be possible.

References:
ftp://ftp.h07.org/pub/h07.org/projects/papers/h07adv-powerslave.txt

*** SID-2003-3330 [ GoAhead Software ] GoAhead WebServer denial of service
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

Luigi Auriemma has reported that GoAhead WebServer versions prior to 2.1.3 are vulnerable to a denial of service attack. It is triggered by sending a POST request whose Content-Length header value is equal to or less than zero.

References:
http://aluigi.altervista.org/adv/goahead-neg-adv.txt

*** SID-2003-3344 [ IBM ] Denial of Service Vulnerability in DB2 Discovery Service
Bugtraq ID: 8653
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

If the IBM DB2 Discovery service, which listens on port 523, receives a packet larger than 20 bytes, the service will shut down.

References:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010462.htm

*** SID-2003-3346 [ IBM ] IBM AIX 5.2 tsm format string vulnerability
Bugtraq ID: 8648
CVE ID: CAN-2003-0784
Verification: Vendor Confirmed

The tsm command provides terminal state management and login functionality, which is used to verify users' identities. The services tsm provides are used by commands such as login, passwd and su. A remote attacker may gain root privileges by exploiting the login command. A local user may gain elevated privileges by exploiting the login, su or passwd commands.

References:
http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/MSS-OAR-E01-2003.1177.1

*** SID-2003-3361 [ IBM ] IBM AIX lpd format string vulnerability
Bugtraq ID: 8646
CVE ID: CAN-2003-0697
Verification: Vendor Confirmed

IBM has reported that, under rare circumstances, turning on debug mode in lpd can cause a security problem.

References:
http://www-1.ibm.com/support/docview.wss?uid=isg1IY45344
http://www-1.ibm.com/support/docview.wss?uid=isg1IY46256
http://www-1.ibm.com/support/docview.wss?uid=isg1IY45250

*** SID-2003-3340 [ IBM ] Multiple IBM DB2 Stack Overflow Vulnerabilities
Bugtraq ID: 8553, 8552
CVE ID: CAN-2003-0759, CAN-2003-0758
Verification: Vendor Confirmed

IBM's DB2 database ships with two vulnerable setuid binaries, db2licm and db2dart. Both are vulnerable to a stack-based buffer overflow that allows a local attacker to execute arbitrary code on the vulnerable machine with the privileges of the root user. The overflow is triggered by passing a long command line argument to either binary.

References:
http://www.coresecurity.com/common/showdoc.php?idx=366&idxseccion=10

*** SID-2003-3367 [ Imatix ] Xitami Open Source Web Server Denial of service vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Xitami Open Source Web Server has a denial of service vulnerability that causes abnormal termination of the program.
References:
http://www.securityfocus.com/archive/1/338415/2003-09-19/2003-09-25/1

*** SID-2003-3312 [ Ipswitch ] IMail Directory Traversal Vulnerabilities
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Posidron and Rushjo of Tripbit Security Research have reported that IMail is vulnerable to directory traversal in the Web Calendaring Service of IMail v8.02 and in the Web Messaging Service of IMail v6.00.

References:
http://www.tripbit.org/advisories/TA-150903.txt

*** SID-2003-3356 [ Knox Software ] Knox Arkeia Pro 5.1.12 remote root exploit
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

A buffer overflow in Knox Software's Arkeia has been reported. It is possible to null out the least significant byte of EBP so that the saved return address (EIP) is taken from the overflowed buffer. A local or remote attacker could cause a crash or gain root access. Working exploit code exists for this.

References:
http://www.securityfocus.com/archive/1/338237/2003-09-17/2003-09-23/0

*** SID-2003-3351 [ LSH ] LSH 1.4x remote root buffer overflow vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

There is a buffer overflow vulnerability in lsh 1.4x which allows remote attackers to gain root privileges.

References:
http://archives.neohapsis.com/archives/bugtraq/2003-09/att-0310/lsh_exploit.c
http://lists.lysator.liu.se/pipermail/lsh-bugs/2003q3/000127.html

*** SID-2003-3360 [ Lucent ] Lucent MAX TNT Universal Gateway Hang-Up Redial Administrative Access Vulnerability
Bugtraq ID: 8642
CVE ID: NOT AVAILABLE
Verification: Single source

Nathan Aguirre has reported a problem in the handling of hang-up and redial calls on the Lucent MAX TNT Universal Gateway. Allegedly, this may make it possible for an attacker to gain unauthorized access to network resources.

References:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010609.html

*** SID-2003-3358 [ Macromedia ] ColdFusion MX / ColdFusion cross-site scripting vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

ColdFusion MX web sites that use the default ColdFusion MX Site-Wide Error Handler page or the default ColdFusion MX Missing Template Handler page may be susceptible to a cross-site scripting attack via the HTTP Referer [sic] header field.

References:
http://www.macromedia.com/devnet/security/security_zone/mpsb03-06.html

*** SID-2003-3345 [ Microsoft ] Microsoft BizTalk Server virtual directories weak permissions
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

A default installation of Microsoft BizTalk Server 2000 or Microsoft BizTalk Server 2002 creates several Microsoft Internet Information Services (IIS) virtual directories. Two of these virtual directories are configured with weak permissions.

References:
http://support.microsoft.com/default.aspx?scid=kb;en-us;824935
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010463.html

*** SID-2003-3350 [ Microsoft ] Microsoft Windows 2000 and XP URG memory leak Vulnerability
Bugtraq ID: 8531
CVE ID: NOT AVAILABLE
Verification: Single source

Michal Zalewski reported that Microsoft Windows 2000 and XP could disclose sensitive information to attackers. If a data transfer is in progress when the initial SYN is sent, the URG value could contain information from a previously sent packet, which could allow an attacker to obtain sensitive information.

References:
http://archives.neohapsis.com/archives/bugtraq/2003-09/0260.html
http://archives.neohapsis.com/archives/vuln-dev/2003-q3/0113.html

*** SID-2003-3364 [ Midnight Commander ] Midnight Commander Remote Code Execution via Uninitialized Buffer
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Midnight Commander uses an uninitialized buffer when handling symlinks in its VFS (tar, cpio) code.
A stack overflow can be triggered with a specially crafted archive to execute arbitrary code.

References:
http://www.securityfocus.com/archive/1/338231/2003-09-19/2003-09-25/0

*** SID-2003-3308 [ MiniHttpServer ] Minihttpserver 1.x Host Engine Vulnerabilities
Bugtraq ID: 8619, 8620, 8633
CVE ID: NOT AVAILABLE
Verification: Single source

Peter Winter-Smith has reported that WebForums and File-Sharing for NET are prone to a remote directory traversal attack due to insufficient sanitization of user-supplied data. These vulnerabilities in Minihttpserver allow complete administrator access to the file/forum system and to any file on the remote server.

References:
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0107.html

*** SID-2003-3342 [ Miro Construct Pty Ltd ] Mambo 4.0.14 Stable Multiple Vulnerabilities
Bugtraq ID: 8647
CVE ID: NOT AVAILABLE
Verification: Single source

Mambo 4.0.14 Stable is reported to have multiple bugs that could enable attackers to obtain sensitive information such as the installation path, user IDs and passwords. An attacker could also use the server for anonymous mailing.

References:
http://www.hackingzone.org/secviewarticle.php?id=11

*** SID-2003-3357 [ Multi-Vendor ] Hztty buffer overflows
Bugtraq ID: NOT AVAILABLE
CVE ID: CAN-2003-0783
Verification: Vendor Confirmed

Jens Steube has reported a pair of buffer overflow vulnerabilities in hztty, a program to translate Chinese character encodings in a terminal session. These vulnerabilities could be exploited by a local attacker to gain root privileges on a system where hztty is installed. Additionally, hztty incorrectly installs as setuid root, when it only requires the privileges of group utmp.

References:
http://www.debian.org/security/2003/dsa-385

*** SID-2003-3320 [ Multi-Vendor ] KDM Privilege escalation with specific PAM modules
Bugtraq ID: NOT AVAILABLE
CVE ID: CAN-2003-0690
Verification: Vendor Confirmed

KDE has announced that all versions of KDM as distributed with KDE up to and including KDE 3.1.3 have a vulnerability that might grant local root access to any user with valid login credentials.

References:
http://www.kde.org/info/security/advisory-20030916-1.txt
http://rhn.redhat.com/errata/RHSA-2003-269.html
http://rhn.redhat.com/errata/RHSA-2003-270.html
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:091
http://www.debian.org/security/2003/dsa-388

*** SID-2003-3321 [ Multi-Vendor ] KDM weak session cookie generation algorithm
Bugtraq ID: NOT AVAILABLE
CVE ID: CAN-2003-0692
Verification: Vendor Confirmed

KDM uses a weak session cookie generation algorithm that may allow non-authorized users to guess the session cookie by brute force, which, assuming hostname / IP restrictions can be bypassed, allows them to authenticate to the running session and gain full access to it.

References:
http://www.kde.org/info/security/advisory-20030916-1.txt
http://rhn.redhat.com/errata/RHSA-2003-270.html
http://rhn.redhat.com/errata/RHSA-2003-269.html
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:091
http://www.debian.org/security/2003/dsa-388

*** SID-2003-3338 [ Multi-Vendor ] Memory bugs in OpenSSH
Bugtraq ID: NOT AVAILABLE
CVE ID: CAN-2003-0682
Verification: Vendor Confirmed

OpenSSH versions 3.7.1 and prior contain some memory bugs.
References:
http://rhn.redhat.com/errata/RHSA-2003-279.html
http://rhn.redhat.com/errata/RHSA-2003-280.html
http://www.openpkg.org/security/OpenPKG-SA-2003.040-openssh.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000741
http://www.linuxsecurity.com/advisories/engarde_advisory-3649.html
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3654.html
http://www.suse.com/de/security/2003_039_openssh.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000744

*** SID-2003-3319 [ Multi-Vendor ] OpenSSH Buffer Management Error
Bugtraq ID: 8628
CVE ID: CAN-2003-0693
Verification: Vendor Confirmed

A buffer management error was discovered in all versions of OpenSSH prior to version 3.7.

References:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:12.openssh.asc
http://www.linuxsecurity.com/advisories/immunix_advisory-3627.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000739
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000740
http://www.debian.org/security/2003/dsa-382
http://www.linuxsecurity.com/advisories/gentoo_advisory-3629.html
http://www.linuxsecurity.com/advisories/suse_advisory-3632.html
http://rhn.redhat.com/errata/RHSA-2003-279.html
http://rhn.redhat.com/errata/RHSA-2003-280.html
http://www.linuxsecurity.com/advisories/engarde_advisory-3621.html
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:090
http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2003&m=slackware-security.374735
http://www.openbsd.org/errata.html#sshbuffer
http://www.cert.org/advisories/CA-2003-24.html
http://xforce.iss.net/xforce/alerts/id/144
http://www.kb.cert.org/vuls/id/333628
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-012.txt.asc
http://www.cisco.com/warp/public/707/cisco-sa-20030917-openssh.shtml
http://www.openpkg.org/security/OpenPKG-SA-2003.040-openssh.html
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:090-1
http://www.debian.org/security/2003/dsa-383
http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2003&m=slackware-security.368193
http://www.turbolinux.com/security/TLSA-2003-51.txt
http://www.linuxsecurity.com/advisories/trustix_advisory-3641.html
http://www.suse.com/de/security/2003_039_openssh.html
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3654.html
http://www.stonesoft.com/document/art/3031.html
http://www.netscreen.com/services/security/alerts/openssh_1.jsp
http://docs.info.apple.com/article.html?artnum=61798
http://www.bluecoat.com/downloads/support/BCS_OpenSSH_vulnerability.pdf
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56861&zone_32=category%3Asecurity
http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0309-282

*** SID-2003-3337 [ Multi-Vendor ] OpenSSH Multiple buffer management errors in buffer_init and buffer_free
Bugtraq ID: NOT AVAILABLE
CVE ID: CAN-2003-0695
Verification: Vendor Confirmed

Buffer manipulation problems have been found in OpenSSH versions prior to 3.7.1. These may allow attackers to cause a denial of service or execute arbitrary code.

References:
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:090-1
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000741
http://rhn.redhat.com/errata/RHSA-2003-279.html
http://rhn.redhat.com/errata/RHSA-2003-280.html
http://www.openpkg.org/security/OpenPKG-SA-2003.040-openssh.html
http://www.debian.org/security/2003/dsa-382
http://www.debian.org/security/2003/dsa-383
http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2003&m=slackware-security.368193
http://www.openssh.com/txt/buffer.adv
http://www.openbsd.org/errata.html#sshbuffer
http://www.linuxsecurity.com/advisories/engarde_advisory-3649.html
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3654.html
http://www.suse.com/de/security/2003_039_openssh.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000744

*** SID-2003-3315 [ Multi-Vendor ] Pine Remote Integer Overflow Vulnerability
Bugtraq ID: 8589
CVE ID: CAN-2003-0721
Verification: Vendor Confirmed

Pine is a text-based mail and news client developed by the University of Washington. Pine versions 4.56 and earlier are vulnerable to an integer overflow in the rfc2231_get_param function in strings.c. By sending an email message with a specially crafted header, a remote attacker could overflow a buffer and execute arbitrary code on the system once the victim opens the malicious email.
References:
http://www.idefense.com/advisory/09.10.03.txt
http://www.suse.com/de/security/2003_037_pine.html
http://rhn.redhat.com/errata/RHSA-2003-273.html
http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2003&m=slackware-security.347016
http://www.linuxsecurity.com/advisories/engarde_advisory-3607.html
http://rhn.redhat.com/errata/RHSA-2003-274.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000738
http://www.securityfocus.com/archive/1/337545/2003-09-13/2003-09-19/0

*** SID-2003-3327 [ Multi-Vendor ] Sendmail 8.12.9 prescan() vulnerability
Bugtraq ID: 8641
CVE ID: CAN-2003-0694
Verification: Vendor Confirmed

A buffer overflow has been identified in the Sendmail Mail Transfer Agent (MTA), in the prescan() function used by its address and header parsing code. A remote attacker who can deliver a specially crafted message to a vulnerable server could trigger it.

References:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010287.html
http://www.sendmail.com/security/
http://www.sendmail.org/8.12.10.html
http://rhn.redhat.com/errata/RHSA-2003-283.html
http://rhn.redhat.com/errata/RHSA-2003-284.html
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:092
http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2003&m=slackware-security.452857
http://www.openbsd.org/errata.html#sendmail
http://www.kb.cert.org/vuls/id/784980
http://www.cert.org/advisories/CA-2003-25.html
http://www.linuxsecurity.com/advisories/immunix_advisory-3652.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000742
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3655.html
http://www.debian.org/security/2003/dsa-384
http://www.turbolinux.com/security/TLSA-2003-52.txt
http://www.openpkg.org/security/OpenPKG-SA-2003.041-sendmail.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000746
http://forums.gentoo.org/viewtopic.php?t=86741
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56860&zone_32=category%3Asecurity
http://www.linuxsecurity.com/advisories/suse_advisory-3664.html

*** SID-2003-3336 [ Multi-Vendor ] Sendmail ruleset parsing buffer overflow
Bugtraq ID: 8649
CVE ID: CAN-2003-0681
Verification: Vendor Confirmed

Timo Sirainen has reported a buffer overflow in the ruleset parsing of Sendmail 8.12.9. It occurs only when nonstandard rulesets are in use.

References:
http://www.sendmail.org/8.12.10.html
http://rhn.redhat.com/errata/RHSA-2003-283.html
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010387.html
http://www.linuxsecurity.com/advisories/immunix_advisory-3652.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000742
http://www.debian.org/security/2003/dsa-384
http://www.turbolinux.com/security/TLSA-2003-52.txt
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3655.html
http://www.kb.cert.org/vuls/id/108964
http://www.openpkg.org/security/OpenPKG-SA-2003.041-sendmail.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000746

*** SID-2003-3363 [ myPHPNuke ] myphpnuke auth.inc.php SQL Injection
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Lifofifo has reported a SQL injection vulnerability in myphpnuke. The vulnerable code is in the auth.inc.php file. The author has also suggested an unofficial fix.
References:
http://www.hackingzone.org/secviewarticle.php?id=8

*** SID-2003-3366 [ NetBSD ] NetBSD Sysctl Argument Handling Vulnerabilities
Bugtraq ID: 8643
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

Three unrelated problems with inappropriate argument handling were found in the kernel sysctl(2) code, which could be exploited by a malicious local user.

References:
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-014.txt.asc

*** SID-2003-3311 [ Network Dweebs Corporation ] DSPAM Default Permissions Vulnerability
Bugtraq ID: 8623
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

Due to the default installation permissions of DSPAM 2.6.5, any user capable of executing the dspam agent can run commands with mail group privileges.

References:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010091.html

*** SID-2003-3310 [ Nokia ] Nokia Electronic Documentation - Multiple Vulnerabilities
Bugtraq ID: 8624, 8625, 8626
CVE ID: CAN-2003-0801, CAN-2003-0802, CAN-2003-0803
Verification: Vendor Confirmed

@stake has reported several vulnerabilities in NED, the web-based documentation interface for many of Nokia's cellular network products. These may allow attackers to conduct cross-site scripting attacks, view directory listings of certain directories under the web root, and use NED as a proxy server for HTTP requests.

References:
http://www.atstake.com/research/advisories/2003/a091503-1.txt

*** SID-2003-3324 [ phpBB Group ] PHPBB Smiley Panel Cross Site Scripting
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Benjamin Tolman has reported a cross-site scripting vulnerability in phpBB that can be exploited using specially crafted smiley panel input. The injected script is able to access the target administrator's cookies.

References:
http://www.securityfocus.com/archive/1/337462/2003-09-07/2003-09-13/0

*** SID-2003-3328 [ Plug & Play Software Ltd ] Denial Of Service in Plug & Play Web (FTP) Server
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

Bahaa Naamneh has reported a denial of service vulnerability in Plug & Play Web Server which can be exploited by connecting to the server and issuing certain long commands.

References:
http://archives.neohapsis.com/archives/bugtraq/2003-09/0275.html

*** SID-2003-3341 [ Plug & Play Software Ltd ] Plug & Play Web Server Directory traversal
Bugtraq ID: 8645
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

Plug & Play Web Server has a directory traversal vulnerability that allows an attacker to gain read access to any file outside the intended web-published directory.

References:
http://www.securityfocus.com/archive/1/338090/2003-09-15/2003-09-21/0

*** SID-2003-3307 [ SCO ] SCO OpenServer local root privileges vulnerability
Bugtraq ID: 8616, 8618
CVE ID: CAN-2003-0742
Verification: Vendor Confirmed

A vulnerability exists in the SCO Internet Manager (mana) program for OpenServer (SCO Unix) that lets local users gain root privileges.

References:
http://www.texonet.com/advisories/TEXONET-20030902.txt
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.19/CSSA-2003-SCO.19.txt

*** SID-2003-3353 [ Sep City ] Community Wizard Admin Access
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

Bahaa Naamneh has reported a flaw in Community Wizard. It is possible to gain admin access by entering any user name and using 'or''=' as the password: the quotes are passed unescaped into the login query, so the password comparison becomes a condition that is always true.

References:
http://www.securityfocus.com/archive/1/338298/2003-09-17/2003-09-23/0

*** SID-2003-3322 [ SGI ] SGI IRIX NFS export vulnerability
Bugtraq ID: 8638
CVE ID: CAN-2003-0680
Verification: Vendor Confirmed

SGI has released a security advisory announcing that an NFS client can bypass read-only restrictions on filesystems exported via NFS from a server running IRIX 6.5.21 and mount them in read/write mode.

References:
ftp://patches.sgi.com/support/free/security/advisories/20030901-01-P

*** SID-2003-3317 [ Spider ] Spider heap overflow and buffer overflow vulnerabilities
Bugtraq ID: 8630
CVE ID: NOT AVAILABLE
Verification: Single source

Spider has been reported prone to a heap overflow when handling a HOME environment variable of excessive length. An attacker may leverage this condition to corrupt adjacent malloc chunk headers with attacker-supplied data contained in a malicious HOME environment variable. Although unconfirmed, it may ultimately be possible for a local attacker to exploit this condition to execute arbitrary instructions with the privileges of GID games.

References:
http://www.zone-h.org/en/advisories/read/id=3049/

*** SID-2003-3348 [ Sun ] JDK XALAN denial of service Vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

A denial of service vulnerability was reported in the embedded XALAN packages in JDK 1.4.x. The problem is that the methods of internal sun.* classes can be made visible through an XSLT namespace in XSLT stylesheets. A remote attacker can inject an XSL template.

References:
http://archives.neohapsis.com/archives/bugtraq/2003-09/0281.html

*** SID-2003-3316 [ Sun ] Solaris sadmind Setting Remote Root Exploitation Vulnerability
Bugtraq ID: 8615
CVE ID: CAN-2003-0722
Verification: Vendor Confirmed

An exploit has surfaced that allows remote attackers to execute arbitrary commands with super-user privileges against Solaris hosts running sadmind with its default RPC authentication scheme (AUTH_SYS, which trusts the uid supplied by the client) in Solstice AdminSuite.
References:
http://www.idefense.com/advisory/09.16.03.txt
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/56740
http://www.securityfocus.com/archive/1/338112/2003-09-16/2003-09-22/0
http://www.kb.cert.org/vuls/id/41870

*** SID-2003-3323 [ Symantec ] Multiple Vulnerabilities in Symantec Antivirus for Windows Mobile
Bugtraq ID: 8639, 8640
CVE ID: NOT AVAILABLE
Verification: Single source

Symantec Antivirus for Windows Mobile has several vulnerabilities that result in the real-time scan failing to protect against hostile code in RAM and in the bypass of some detections.

References:
http://www.securityfocus.com/archive/1/337784/2003-09-14/2003-09-20/0

*** SID-2003-3332 [ Trademark Software ] TM-POP3 Registry Plaintext Password Vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Ziv Kamir reported that TM-POP3 Server version 2.13 stores user passwords in plain text in the server registry. A local attacker could exploit this vulnerability by opening the registry to obtain sensitive information.

References:
http://securitytracker.com/alerts/2003/Sep/1007728.html

*** SID-2003-3325 [ ufoot.org ] LiquidWar Buffer Overflow Vulnerability
Bugtraq ID: 8629
CVE ID: NOT AVAILABLE
Verification: Single source

ZetaLABs (Zone-H Research Laboratories) has discovered a buffer overflow in the game Liquidwar, an application contained in the Debian GNU/Linux distribution.

References:
http://www.zone-h.org/en/advisories/read/id=3059/

*** SID-2003-3343 [ Valve Software ] Rcon plaintext passwords
Bugtraq ID: 8651
CVE ID: NOT AVAILABLE
Verification: Single source

Alexander Hagenah has reported that rcon passwords can be sniffed. To authenticate on the Half-Life game server you send your password. rcon does not encrypt the password when it is sent, and the server receives it in plaintext too. A sniffer with some simple filter rules can find out rcon passwords quickly and easily.
References:
http://www.securityfocus.com/archive/1/338113/2003-09-16/2003-09-22/0

*** SID-2003-3368 [ Washington University ] Wu_ftpd buffer overflow vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Adam Zabrocki has reported a remote buffer overflow bug in wu_ftpd. Reportedly, the bug is not manifest in the default installation but is present when the server sends emails containing the names of uploaded files.

References:
http://www.securityfocus.com/archive/1/338436/2003-09-19/2003-09-25/0

*** SID-2003-3309 [ Wintel Software ] WideChapter Browser Buffer Overflow Vulnerability
Bugtraq ID: 8617
CVE ID: NOT AVAILABLE
Verification: Single source

It is possible to cause a buffer overflow in WideChapter Browser by sending a long HTTP request, allowing total modification of the EIP pointer; this can be maliciously altered to allow remote arbitrary code execution. The vulnerability is due to a lack of boundary condition checks on URL values.

References:
http://archives.neohapsis.com/archives/bugtraq/2003-09/0236.html

*** SID-2003-3318 [ Yahoo ] Yahoo! Webcam ActiveX control buffer overflow vulnerability
Bugtraq ID: 8634
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

When a long value is set in the Yahoo! Webcam Viewer Wrapper ActiveX control's "TargetName" property, a stack- or heap-based buffer overflow occurs depending on the length of the string.

References:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010193.htm

============================================================================

Become a SINTRAQ Weekly member!
Send an email with the subject "subscribe sintraqweekly" to sintraqweekly () sintelli com

Unsubscribe
To unsubscribe from this newsletter send an email with the subject "unsubscribe sintraqweekly" to sintraqweekly () sintelli com

Your opinion counts. We would like to hear your thoughts on SINTRAQ Weekly.
Please email any questions or comments to sintraqweekly () sintelli com

Copyright (c) 2003 Sintelli Limited. All Rights Reserved.
http://www.sintelli.com
============================================================================