Full Disclosure mailing list archives
Weekly Vulnerability Summary, Week 41 2003
From: "Sintelli SINTRAQ" <sintraq () sintelli com>
Date: Tue, 14 Oct 2003 21:45:37 +0100
SINTRAQ Weekly Summary Week 41, 2003
Created for you by SINTELLI, the definitive source of IT security intelligence.

Welcome to the latest edition of SINTRAQ Weekly Summary. Information on how to manage your subscription can be found at the bottom of the newsletter. If you have any problems or questions, please e-mail us at sintraqweekly () sintelli com

PDF version : http://www.sintelli.com/sinweek/week41-2003.pdf

=====================================================================

Highlights:

This week is Week 41 plus elements of Week 40, so the dates covered by this summary are 02 October - 13 October. The reason for this is that Microsoft surprised everyone by releasing MS03-40 on the evening of 03 October, so we thought it would be more useful to incorporate it into Week 41.

Whilst still on Microsoft, there are two publicly available exploits for MS03-39 available at the K-otik web site:
http://www.k-otik.com/exploits/10.09.rpcdcom3.c.php
http://www.k-otik.com/exploits/10.09.rpcunshell.asm.php

Other items of note this week are multiple vulnerabilities in Adobe SVG, PeopleSoft and Hummingbird CyberDOCS.

Until next week,
-- SINTELLI Research
www.sintelli.com

***Advertisement***********************************************************
Looking for a better way to manage your IP security?
Learn how Solsoft can help you:
- Ensure robust IP security through policy-based management
- Make firewall, VPN, and NAT rules interoperable across heterogeneous networks
- Quickly respond to network events from a central console
Download our FREE whitepaper at: http://www.solsoft.com/whitepaper_sintelli
***Advertisement***********************************************************

TABLE OF CONTENTS:

SID-2003-3467 [ Adobe ] Adobe SVG Viewer Active Scripting Bypass
SID-2003-3470 [ Adobe ] Adobe SVG Viewer Cross Domain and Zone Access
SID-2003-3469 [ Adobe ] Adobe SVG Viewer Local and Remote File Reading
SID-2003-3501 [ aziem ] prayerboard_db.php cross-site scripting vulnerability
SID-2003-3495 [ Centrinity ] FirstClass Denial of Service Vulnerability
SID-2003-3522 [ Compaq ] HP Tru64 dtmailpr Unspecified Flaw
SID-2003-3472 [ Conexant Systems ] Conexant Access Runner DSL Console login bypass vulnerability
SID-2003-3464 [ divine ] Divine OpenMarket Content Server XSS Vulnerability
SID-2003-3471 [ EFS Software ] Easy File Sharing Web Server Vulnerabilities
SID-2003-3481 [ EternalMart ] EternalMart Guestbook Execution of Arbitrary Code
SID-2003-3480 [ EternalMart ] EternalMart Mailing List Manager Vulnerability
SID-2003-3497 [ freeguppy.org ] GuppY Cross Site Scripting and Files Read/Write Vulnerabilities
SID-2003-3504 [ HP ] HP OVOW Unauthorised admin access
SID-2003-3505 [ HP ] HP SCM Unauthorised Access
SID-2003-3486 [ HP ] HPUX dtprintinfo buffer overflow vulnerability
SID-2003-3508 [ Hummingbird ] Hummingbird CyberDOCS error page installation path disclosure
SID-2003-3509 [ Hummingbird ] Hummingbird CyberDOCS insecure file permissions vulnerability
SID-2003-3507 [ Hummingbird ] Hummingbird CyberDOCS multiple cross-site scripting vulnerabilities
SID-2003-3506 [ Hummingbird ] Hummingbird CyberDOCS SQL injection
SID-2003-3474 [ JBoss Group ] JBoss Remote Command Injection Vulnerability
SID-2003-3465 [ Juan Cespedes ] ltrace 'Library Call Tracer' Heap Overflow
SID-2003-3494 [ Kevin Lindsay ] slocate heap overflow
SID-2003-3516 [ Microsoft ] Buffer Overflow in Microsoft Word Macros
SID-2003-3482 [ Microsoft ] Microsoft Internet Explorer XML data binding vulnerability
SID-2003-3503 [ Microsoft ] Microsoft Windows Media Player DHTML Local Zone Access
SID-2003-3499 [ Microsoft ] Microsoft Windows PostThreadMessage API process termination
SID-2003-3487 [ Microsoft ] Microsoft Windows Server 2003 Shell Folders Directory Traversal
SID-2003-3489 [ muziqpakistan.net ] File inclusion vulnerability in PayPal Store Front
SID-2003-3485 [ NetScreen ] Netscreen Leakage of Sensitive Information via DHCP Offer
SID-2003-3483 [ OpenOffice.org ] Openoffice Denial of service Vulnerability
SID-2003-3468 [ Peoplesoft ] PeopleSoft Grid Option Vulnerability
SID-2003-3493 [ Peoplesoft ] PeopleSoft Information Disclosure Vulnerability
SID-2003-3490 [ Peoplesoft ] PeopleSoft Longchar and Varchar Data Upload Vulnerability
SID-2003-3488 [ PHP-Nuke ] PHP-Nuke 6.6 SQL Injection
SID-2003-3478 [ PHP-Nuke ] PHP-Nuke 6.7 Arbitrary File Upload
SID-2003-3517 [ Planet ] Undocumented Superuser Account in Planet WGSD-1020 Switch
SID-2003-3492 [ S.u.S.E. ] SuSE Linux javarunt symlink attack
SID-2003-3491 [ S.u.S.E. ] SuSE Linux susewm symlink attack
SID-2003-3520 [ scripts4webmasters.com ] TRACKtheCLICK Script Injection Vulnerabilities
SID-2003-3496 [ SNAP Innovation ] SNAP Innovations PrimeBase Database Vulnerability
SID-2003-3521 [ SourceForge.net ] Gallery 1.4 file inclusion vulnerability
SID-2003-3484 [ SSH Communications Security ] SSH Vulnerability in BER Decoding
SID-2003-3479 [ Sun ] Sun Cobalt RaQ Control Panel Cross-Site Scripting
SID-2003-3502 [ Techfirm ] XShisen Privilege Escalation Vulnerabilities
SID-2003-3473 [ Total War ] Medieval Total War client's crash and directory traversal
SID-2003-3475 [ Total War ] Medieval Total War Fake players Denial of Service
SID-2003-3477 [ Total War ] Medieval Total War long nickname Denial of Service
SID-2003-3476 [ Total War ] Medieval Total War malformed nickname Denial of Service
SID-2003-3498 [ Visualware ] VisualRoute LAN topology disclosure Vulnerability
SID-2003-3500 [ Wrensoft ] Wrensoft Zoom Search Engine Cross-Site Scripting Vulnerability

***
SID-2003-3467 [ Adobe ] Adobe SVG Viewer Active Scripting Bypass Vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

GreyMagic Software identified an Active Scripting Bypass bug in Adobe SVG Viewer prior. Scripts running in an SVG document ignore the browser's Active Scripting security settings.

References:
http://www.greymagic.com/adv/gm002-mc/

***
SID-2003-3470 [ Adobe ] Adobe SVG Viewer Cross Domain and Zone Access
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

GreyMagic Software identified a Cross Domain and Zone Access bug in the Adobe SVG Viewer (ASV). When an SVG document performs an "alert()" command, an attacker can change the location (current URL) of the window and load a victim domain.

References:
http://www.greymagic.com/adv/gm004-mc/

***
SID-2003-3469 [ Adobe ] Adobe SVG Viewer Local and Remote File Reading Vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

GreyMagic Software has announced a file disclosure vulnerability in Adobe SVG Viewer (ASV) 3.0. Adobe SVG Viewer exposes several non-standard extensions, such as the "postURL" and "getURL" methods. However, when a valid URL is supplied to these methods and then redirects to a local or remote file, the content of that file is returned, allowing an attacker to read any file on the user's computer and on remote sites.

References:
http://www.greymagic.com/adv/gm003-mc/

***
SID-2003-3501 [ aziem ] prayerboard_db.php cross-site scripting Vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

PHP Prayer Board versions prior to 0.52 are vulnerable to cross-site scripting. An attacker could embed malicious script in a specially-crafted URL request to the prayerboard.php script or the prayerboard_db.php script, which would be executed in the victim's Web browser within the security context of the hosting site, once the link is clicked.

References:
http://sourceforge.net/project/shownotes.php?group_id=56456&release_id=188861

***
SID-2003-3495 [ Centrinity ] FirstClass Denial of Service Vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

I2S LAB Security Advisory has reported a vulnerability in FirstClass. A remote DoS vulnerability in the HTTP daemon could be caused by a heap overflow overwriting a data pointer.

References:
http://www.packetstormsecurity.nl/0310-exploits/I2S-LAB-25-09-2003.txt

***
SID-2003-3522 [ Compaq ] HP Tru64 dtmailpr Unspecified Flaw
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

HP has released dupatch-based, Early Release Patch kits to fix a potential vulnerability in HP Tru64 UNIX CDE code. No further details have been provided by HP.

References:
http://www4.itrc.hp.com/service/cki/patchDocDisplay.do?patchId=T64KIT0019905-V51B20
http://www4.itrc.hp.com/service/cki/patchDocDisplay.do?patchId=T64KIT0019852-V40GB2
http://www4.itrc.hp.com/service/cki/patchDocDisplay.do?patchId=T64KIT0019666-V51AB2
http://www4.itrc.hp.com/service/cki/patchDocDisplay.do?patchId=T64KIT0019665-V51BB2
http://www4.itrc.hp.com/service/cki/patchDocDisplay.do?patchId=DUXKIT0019851-V40FB2
http://www4.itrc.hp.com/service/cki/patchDocDisplay.do?patchId=T64KIT0019667-V51AB2

***
SID-2003-3472 [ Conexant Systems ] Conexant Access Runner DSL Console Login Bypass
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Conexant Access Runner DSL Console Port 3.21 has a vulnerability that will let a remote attacker bypass the login screen and have full admin rights even if an admin password is set.

References:
http://archives.neohapsis.com/archives/bugtraq/2003-10/0064.html

***
SID-2003-3464 [ divine ] Divine OpenMarket Content Server XSS Vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Valgasu has reported that OpenMarket does not properly filter HTML code from user-supplied input when generating error messages. A remote attacker can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser.

References:
http://archives.neohapsis.com/archives/bugtraq/2003-10/0057.html

***
SID-2003-3471 [ EFS Software ] Easy File Sharing Web Server Vulnerabilities
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Nimber has reported that Easy File Sharing Web Server 1.2 is prone to a flood attack and information disclosure.

References:
http://archives.neohapsis.com/archives/bugtraq/2003-10/0083.html

***
SID-2003-3481 [ EternalMart ] EternalMart Guestbook Execution of Arbitrary Code
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Frog man has reported a remote file include vulnerability in EternalMart Guestbook. The problem is that the "emgb_admin_path" parameter is not properly verified in "auth_func.php" before it is used to include a file. A remote attacker can execute arbitrary PHP code, including operating system commands.

References:
http://archives.neohapsis.com/archives/bugtraq/2003-10/0062.html

***
SID-2003-3480 [ EternalMart ] EternalMart Mailing List Manager Vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Frog-m@n has reported a file inclusion bug in EternalMart Mailing List Manager. The "emml_admin_path" and "emml_path" parameters are not properly verified in "auth.php" and "emml_email_func.php" before they are used to include a file. A remote attacker can execute arbitrary PHP code.

References:
http://archives.neohapsis.com/archives/bugtraq/2003-10/0062.html

***
SID-2003-3497 [ freeguppy.org ] GuppY Cross Site Scripting and Files Read/Write Vulnerabilities
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

Frogman has reported several vulnerabilities in GuppY version 2x. These allow remote attackers to add arbitrary data to polls and writable files and also to learn the admin password hash.

References:
http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0005.html

***
SID-2003-3504 [ HP ] HP Openview Unauthorised admin access
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

HP has announced that OpenView VantagePoint for Windows 6.1/6.2 and OpenView Operations for Windows 7.0/7.1/7.2 contain a vulnerability that could allow unauthorized admin access of a node to other node admins.

References:
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMI0310-005

***
SID-2003-3505 [ HP ] HP SCM Unauthorised Access
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

HP has announced that HP 9000 servers running HP-UX B.11.00 and B.11.11 are affected by an issue in ServiceControl Manager. The bug is due to MySQL version 3.23.39, which is delivered with SCM 3.0.

References:
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0310-287

***
SID-2003-3486 [ HP ] HPUX dtprintinfo buffer overflow vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: CAN-2003-0840
Verification: Vendor Confirmed

Davide Del Vecchio reported a vulnerability in dtprintinfo in HP-UX version B.11.00. An attacker can cause a buffer overflow.

References:
http://www.securityfocus.com/archive/1/340665/2003-10-05/2003-10-11/0
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0310-289

***
SID-2003-3508 [ Hummingbird ] Hummingbird CyberDOCS error page installation path disclosure
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

ProCheckUp has reported that in CyberDOCS (versions 3.5.1, 3.9, and 4.0), it is possible to display the DM Web Server installation path in certain error messages when incorrect logon credentials are entered.

References:
http://www.kb.cert.org/vuls/id/715548
http://www.procheckup.com/security_info/vuln_pr0305.html

***
SID-2003-3509 [ Hummingbird ] Hummingbird CyberDOCS insecure file permissions vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

ProCheckUp has reported that Hummingbird CyberDOCS (Hummingbird DM) versions 3.5, 3.9, and 4.0 running on Microsoft Internet Information Services (IIS) set insecure permissions on script source code files. A remote attacker could read the contents of unprotected files.

References:
http://www.kb.cert.org/vuls/id/989580
http://www.procheckup.com/security_info/vuln_pr0302.html

***
SID-2003-3507 [ Hummingbird ] Hummingbird CyberDOCS multiple cross-site scripting
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

ProCheckUp has reported that Hummingbird CyberDOCS (Hummingbird DM) versions 3.5.1, 3.9, and 4.0 are vulnerable to cross-site scripting. These issues could allow an attacker to obtain sensitive information and possibly impersonate a legitimate user.

References:
http://www.kb.cert.org/vuls/id/488684
http://www.procheckup.com/security_info/vuln_pr0305.html

***
SID-2003-3506 [ Hummingbird ] Hummingbird CyberDOCS SQL injection
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

ProCheckUp has reported that Hummingbird CyberDOCS (Hummingbird DM) versions prior to 3.9 are vulnerable to SQL injection attacks.

References:
http://www.kb.cert.org/vuls/id/368300
http://www.procheckup.com/security_info/vuln_pr0304.html

***
SID-2003-3474 [ JBoss Group ] JBoss Remote Command Injection Vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: CAN-2003-0845
Verification: Vendor Confirmed

A command injection vulnerability exists in an integral component of the JBoss server, allowing remote attackers to obtain remote access to vulnerable JBoss systems.

References:
http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0010.html
http://www.securityfocus.com/archive/1/340443/2003-10-05/2003-10-11/0

***
SID-2003-3465 [ Juan Cespedes ] ltrace 'Library Call Tracer' Heap Overflow
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Abhisek Datta of BFI Security Research Group has reported that ltrace versions 0.3.10-12 are vulnerable to a heap-based buffer overrun in the 'Library Call Tracer' utility. This allows execution of arbitrary code with root privilege.

References:
http://lists.netsys.com/pipermail/full-disclosure/2003-October/011600.html

***
SID-2003-3494 [ Kevin Lindsay ] slocate heap overflow
Bugtraq ID: NOT AVAILABLE
CVE ID: CAN-2003-0847
Verification: Vendor Confirmed

Patrik Hornik has reported a heap overflow in slocate 2.6. The vulnerability corrupts heap management structures and possibly leads to gaining slocate group privileges, which allows an unauthorized user to read the global slocate database and thus obtain a list of all files on the system.

References:
http://www.ebitech.sk/patrik/SA/SA-20031006.txt
http://www.ebitech.sk/patrik/SA/SA-20031006-A.txt

***
SID-2003-3516 [ Microsoft ] Buffer Overflow in Microsoft Word Macros
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Microsoft Word documents which contain macros are susceptible to a buffer overflow.

References:
http://www.security.nnov.ru/search/document.asp?docid=5232

***
SID-2003-3482 [ Microsoft ] Microsoft Internet Explorer XML data binding vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: CAN-2003-0809
Verification: Vendor Confirmed

Internet Explorer fails to determine an object type returned from a Web server during XML data binding. If a user visited an attacker's Web site, it could be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML-based e-mail that would attempt to exploit this vulnerability.

References:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-040.asp
http://support.microsoft.com/?kbid=828750
http://www.kb.cert.org/vuls/id/668380

***
SID-2003-3503 [ Microsoft ] Microsoft Windows Media Player DHTML Local Zone Access
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

A vulnerability exists in Microsoft Windows Media Player where a malicious script can be executed on a vulnerable system with the privileges of the user.

References:
http://support.microsoft.com/default.aspx?scid=kb;en-us;828026
http://www.kb.cert.org/vuls/id/222044

***
SID-2003-3499 [ Microsoft ] Microsoft Windows PostThreadMessage API allows processes to be terminated without permission
Bugtraq ID: 8747
CVE ID: NOT AVAILABLE
Verification: Single source

Brett Moore has reported a flaw that lies in the way that processes handle messages sent from another process via the PostThreadMessage() API call. If a running process has a message queue and is sent one of 3 different messages, the process may terminate.

References:
http://securityfocus.com/archive/1/339947

***
SID-2003-3487 [ Microsoft ] Microsoft Windows Server 2003 Shell Folders Directory Traversal
Bugtraq ID: NOT AVAILABLE
CVE ID: CAN-2003-0839
Verification: Vendor Confirmed

Eiji James Yoshida has reported that Microsoft Windows Server 2003 is vulnerable to directory traversal. A remote attacker is able to gain access to the path of the %USERPROFILE% folder without guessing a target user name.

References:
http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html
http://support.microsoft.com/default.aspx?scid=829493

***
SID-2003-3489 [ muziqpakistan.net ] File inclusion vulnerability in PayPal Store Front
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Zone-H Security Team has discovered a flaw in PayPal Store Front v3.0 commercial and free version. The vulnerability exists in the index.php file and it is possible for a remote attacker to include an external file and execute arbitrary commands with the privileges of the web server.

References:
http://www.zone-h.org/en/advisories/read/id=3231/

***
SID-2003-3485 [ NetScreen ] Netscreen Leakage of Sensitive Information via DHCP Offer
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

Potentially sensitive information such as encoded administrative usernames and passwords may in some circumstances be included in DHCP Offer messages generated by a NetScreen Firewall/VPN device acting as a DHCP server.

References:
http://www.netscreen.com/services/security/alerts/10_01_03_57983_v003.jsp

***
SID-2003-3483 [ OpenOffice.org ] Openoffice Denial of service Vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Marc Schoenefeld has reported a vulnerability in OpenOffice version 1.1.0. A remote attacker can cause a denial of service in OpenOffice.

References:
http://www.securityfocus.com/archive/1/340663/2003-10-05/2003-10-11/0

***
SID-2003-3468 [ Peoplesoft ] PeopleSoft Grid Option Vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: CAN-2003-0841
Verification: Vendor Confirmed

I-Assure has reported that PeopleTools makes files available by storing them on the web server for a period of time that is hard coded into the Java servlet. The file is stored in a directory with a random name; however, the random directory name could be determined using automated tools and, since the file itself is not secured, it is potentially accessible by unauthorized users.

References:
http://www.securityfocus.com/archive/1/340531/2003-10-05/2003-10-11/2

***
SID-2003-3493 [ Peoplesoft ] PeopleSoft Information Disclosure Vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

I-Assure has reported that PeopleTools version 8.42 is vulnerable to disclosure of potentially sensitive information. The <Control><J> hot key can be used to obtain information about the application infrastructure.

References:
http://www.securityfocus.com/archive/1/340670/2003-10-05/2003-10-11/0

***
SID-2003-3490 [ Peoplesoft ] PeopleSoft Longchar and Varchar Data Upload Vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

I-Assure has reported a vulnerability in PeopleTools version 8.42. It is possible for a remote attacker to cause a denial of service.

References:
http://www.securityfocus.com/archive/1/340669/2003-10-05/2003-10-11/0

***
SID-2003-3488 [ PHP-Nuke ] PHP-Nuke 6.6 SQL Injection
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Mod has reported that PHP-Nuke 6.6 is vulnerable to SQL injection. This results from not filtering 'cid', which should be checked to ensure it is only numeric. This hole could allow viewing of password hashes if the database is MySQL 4.x.

References:
http://www.securityfocus.com/archive/1/340664/2003-10-05/2003-10-11/0

***
SID-2003-3478 [ PHP-Nuke ] PHP-Nuke 6.7 Arbitrary File Upload
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Frogman has reported a file upload bug in PHP-Nuke version 6.7. A remote user can specify a filename containing '../' directory traversal characters for the '$userfile_name' variable to cause the script to place the uploaded file in a user-specified location.

References:
http://archives.neohapsis.com/archives/bugtraq/2003-10/0063.html

***
SID-2003-3517 [ Planet ] Undocumented Superuser Account in Planet WGSD-1020 Switch
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

The Planet WGSD-1020 Switch is an 8-port + 2 Gigabit-port Managed Ethernet Switch. It has been reported that the switch contains an undocumented superuser account.

References:
http://www.security.nnov.ru/search/document.asp?docid=5233

***
SID-2003-3492 [ S.u.S.E. ] SuSE Linux javarunt symlink attack
Bugtraq ID: NOT AVAILABLE
CVE ID: CAN-2003-0846
Verification: Single source

A symlink vulnerability exists in the shell script /sbin/conf.d/SuSEconfig.javarunt. This vulnerability can be used by a local attacker to gain root privileges. An exploit has already been written, but not made public.

References:
http://amor.rz.hu-berlin.de/~nordhaus/sec/vul/2_index.html

***
SID-2003-3491 [ S.u.S.E. ] SuSE Linux susewm symlink attack
Bugtraq ID: NOT AVAILABLE
CVE ID: CAN-2003-0847
Verification: Single source

A symlink vulnerability exists in the shell script /sbin/conf.d/SuSEconfig.susewm. This vulnerability can be used by a local attacker to gain root privileges.

References:
http://amor.rz.hu-berlin.de/~nordhaus/sec/vul/1_index.html

***
SID-2003-3520 [ scripts4webmasters.com ] TRACKtheCLICK Script Injection Vulnerabilities
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

BrainRawt has reported that TRACKtheCLICK is vulnerable to script injection. The User-Agent: and/or Referer fields can be spoofed to inject malicious code.

References:
http://www.securityfocus.com/archive/1/341043/2003-10-09/2003-10-15/0

***
SID-2003-3496 [ SNAP Innovation ] SNAP Innovations PrimeBase Database Vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

Larry W. Cashdollar reported two vulnerabilities in PrimeBase SQL Database Server allowing malicious users to manipulate files and escalate privileges.

References:
http://www.securityfocus.com/archive/1/340402/2003-09-28/2003-10-04/0

***
SID-2003-3521 [ SourceForge.net ] Gallery 1.4 file inclusion vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Peter Stöckli of Rootquest has reported a vulnerability in Gallery 1.4. It is possible to include any PHP file from a remote host and execute it on the target's server.

References:
http://www.securityfocus.com/archive/1/341044/2003-10-09/2003-10-15/0

***
SID-2003-3484 [ SSH Communications Security ] SSH Vulnerability in BER Decoding
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

SSH Communications has announced a denial of service vulnerability in SSH. A remote attacker can send malformed BER/DER packets to cause the target host to crash.

References:
http://www.ssh.com/company/newsroom/article/476/
http://www.kb.cert.org/vuls/id/333980

***
SID-2003-3479 [ Sun ] Sun Cobalt RaQ Control Panel Cross-Site Scripting
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Lorenzo Hernandez Garcia-Hierro has reported a cross-site scripting vulnerability in the Sun Cobalt RaQ web-based control panel. With this hole an attacker can try to get the target user's information through the cgi script called message.cgi by including script code in the info= variable value.

References:
http://lists.netsys.com/pipermail/full-disclosure/2003-October/011387.html

***
SID-2003-3502 [ Techfirm ] XShisen Privilege Escalation Vulnerabilities
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Steve Kemp has reported that when XShisen is installed setgid, a local attacker could pass a long argument to the program using the -KCONV command line option to overflow a buffer and execute arbitrary code on the system with set group id (setgid) 'games' privileges.

References:
http://marc.theaimsgroup.com/?l=secunia-sec-adv&m=106544230827172&w=2

***
SID-2003-3473 [ Total War ] Medieval Total War client's crash and directory traversal
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Luigi Auriemma has reported several vulnerabilities in the Medieval Total War (MTW) client. By sending a long map name, a malicious server can crash a client. The game is also vulnerable to a directory traversal bug.

References:
http://aluigi.altervista.org/adv/mtw2client-adv.txt

***
SID-2003-3475 [ Total War ] Medieval Total War Fake players Denial of Service
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Luigi Auriemma has reported a denial of service vulnerability in the Medieval Total War (MTW) server. An attacker can easily fill the server (which supports a maximum of 8 players) with non-existent players.

References:
http://aluigi.altervista.org/adv/mtwfakep-adv.txt

***
SID-2003-3477 [ Total War ] Medieval Total War long nickname Denial of Service
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Luigi Auriemma has reported a denial of service vulnerability in the Medieval Total War (MTW) server. The bug is in the management of the nicknames sent by the clients: a nickname longer than 76 Unicode chars causes the immediate crash of the server and of all the connected clients. Longer nicknames cause exceptions in other instructions.

References:
http://aluigi.altervista.org/adv/mtwdos-server-adv.txt

***
SID-2003-3476 [ Total War ] Medieval Total War malformed nickname Denial of Service
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Luigi Auriemma has reported a denial of service vulnerability in the Medieval Total War (MTW) server. The bug is in the management of the nicknames sent by the clients: a malformed nickname will cause a "Connection expired" message to appear, requiring a restart.

References:
http://aluigi.altervista.org/adv/mtwexp-server-adv.txt

***
SID-2003-3498 [ Visualware ] VisualRoute LAN topology disclosure Vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Single source

Donnie Werner has reported that VisualRoute could allow a remote attacker to obtain sensitive information. By sending a request for an internal IP address, a remote attacker could map the structure of the LAN.

References:
http://nothackers.org/pipermail/0day/2003-October/000201.html

***
SID-2003-3500 [ Wrensoft ] Wrensoft Zoom Search Engine Cross-Site Scripting Vulnerability
Bugtraq ID: NOT AVAILABLE
CVE ID: NOT AVAILABLE
Verification: Vendor Confirmed

The Zoom Search Engine does not properly filter user-supplied input when displaying the search results. This issue allows a remote attacker to inject malicious code into the target system. All the code will be executed within the context of the website.

References:
http://www.sintelli.com/adv/sa-2003-02-zoomsearch.pdf

============================================================================

Become a SINTRAQ Weekly member!
Send an email with the subject "subscribe sintraqweekly" to sintraqweekly () sintelli com

Unsubscribe
To unsubscribe from this newsletter send an email with the subject "unsubscribe sintraqweekly" to sintraqweekly () sintelli com

Your opinion counts. We would like to hear your thoughts on SINTRAQ Weekly. Please email any questions or comments to sintraqweekly () sintelli com

Copyright (c) 2003 Sintelli Limited All Rights Reserved.
http://www.sintelli.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html