lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <005901c381d3$beb7e070$0400a8c0@x2>
From: sintraq at sintelli.com (SINTRAQ)
Subject: SINTRAQ Weekly - Security Vulnerabilities - Week 38, 2003

SINTRAQ Weekly Summary
Week 38, 2003

Created for you by SINTELLI, the definitive source of IT security
intelligence.
 
Welcome to the latest edition of SINTRAQ Weekly Summary. Information on
how to manage your subscription can be found at the bottom of the
newsletter. If you have any problems or questions, please e-mail us at
sintraqweekly@...telli.com

PDF version is here 
http://www.sintelli.com/sinweek/week38-2003.pdf
=====================================================================

Highlights:
This week Microsoft admins were sleeping easily and watching their
fellow *nix admins run around frantically applying patches. First it was
one, then two then three vulnerabilities identified in OpenSSH.  But,
then there was more, not one but two Sendmail vulnerabilities.  Just
incase you have not upgraded your versions of OpenSSH and Sendmail to
the latest versions we suggest you do so.

Whilst still on *nix, there is remote root exploit available for Solaris
and IBM issued two advisories about AIX.  There is an exploit available
for the Solaris vulnerability, so time to fix it.

So what happened to the much hyped about Blaster-type worm which was
going to exploit the vulnerabilities in MS03-39?  Did it die, were we
all protected against or was it hype?

Well, there was a worm called Swen (aka Gibe).  It came, pretending to
be a Microsoft Bulletin, it saw vulnerable PCs, and conquered them.  Now
it's invading many countries, watch its progress here:
http://www.pandasoftware.com/virus_info/map/map.htm

The worrying thing about Swen is that it exploited a 30 month old
vulnerability (CVE-2001-0154) thus when the new blaster-type worm turns
up we are sure it will still find some vulnerable systems.  Just in case
you wanted to write such a worm the Chinese research group has provide
some information to help you at: 
http://www.xfocus.org/documents/200309/4.html

Maybe they got bored of waiting for it?
 
Until next week,
-- SINTELLI Research
www.sintelli.com

=====================================================================

>>Did you know you can trial our vulnerability alerting solution <<

Click here
http://www.sintelli.com/free-trial.htm

===================================================================== 
TABLE OF CONTENTS:

SID-2003-3347 [AppiesHost] Appies file manager directory traversal 
SID-2003-3335 [ Compaq ] HP Tru64 NFS AdvFS File Denial Of Service
Vulnerability 
SID-2003-3362 [ Debian ] ipmasq insecure packet filtering vulnerability 
SID-2003-3331 [ DrPhibez and Nitro187 ] GuildFTPd 0.999 Directory
Traversal 
SID-2003-3352 [ flying dog software ] Powerslave Portalmanager
information disclosure 
SID-2003-3330 [ GoAhead Software ] Goahead webserver denial of service 
SID-2003-3344 [ IBM ] Denial of Service Vulnerability in DB2 Discovery
Service 
SID-2003-3346 [ IBM ] IBM AIX 5.2 tsm format string vulnerability 
SID-2003-3361 [ IBM ] IBM AIX lpd format string vulnerability 
SID-2003-3340 [ IBM ] Multiple IBM DB2 Stack Overflow Vulnerabilities 
SID-2003-3367 [ Imatix ] Xitami Open Source Web Server Denial of service
vulnerability 
SID-2003-3312 [ Ipswitch ] IMail Directory Traversal Vulnerabilities 
SID-2003-3356 [ Knox Software ] Knox Arkeia Pro 5.1.12 remote root
exploit 
SID-2003-3351 [ LSH ] LSH 1.4x remote root buffer overflow vulnerability

SID-2003-3360 [ Lucent ] Lucent MAX TNT Universal Gateway Hang-Up Redial
Administrative Access Vulnerability 
SID-2003-3358 [ Macromedia ] ColdFusion MX / ColdFusion cross-site
scripting vulnerability with default error handlers 
SID-2003-3345 [ Microsoft ] Microsoft BizTalk Server virtual directories
weak permissions 
SID-2003-3350 [ Microsoft ] Microsoft Windows 2000 and XP URG memory
leak Vulnerability 
SID-2003-3364 [ Midnight Commander ] Midnight Commander Remote Code
Execution via Uninitialized Buffer 
SID-2003-3308 [ MiniHttpServer ] Minihttpserver 1.x Host Engine
Vulnerabilities 
SID-2003-3342 [ Miro Construct Pty Ltd ] Mambo 4.0.14 Stable Multiple
Vulnerabilities 
SID-2003-3357 [ Multi-Vendor ] Hztty buffer overflows 
SID-2003-3320 [ Multi-Vendor ] KDM Privilege escalation with specific
PAM modules 
SID-2003-3321 [ Multi-Vendor ] KDM weak session cookie generation
algorithm 
SID-2003-3338 [ Multi-Vendor ] Memory bugs in OpenSSH 
SID-2003-3319 [ Multi-Vendor ] OpenSSH Buffer Management Error 
SID-2003-3337 [ Multi-Vendor ] OpenSSH Multiple buffer management errors
in buffer_init and  buffer_free 
SID-2003-3315 [ Multi-Vendor ] Pine Remote Integer Overflow
Vulnerability 
SID-2003-3327 [ Multi-Vendor ] Sendmail 8.12.9 prescan() vulnerability 
SID-2003-3336 [ Multi-Vendor ] Sendmail ruleset parsing buffer overflow 
SID-2003-3363 [ myPHPNuke ] myphpnuke auth.inc.php SQL Injection 
SID-2003-3366 [ NetBSD ] NetBSD Sysctl Argument Handling Vulnerabilities

SID-2003-3311 [ Network Dweebs Corporation ] DSPAM Default Permissions
Vulnerability 
SID-2003-3310 [ Nokia ] Nokia Electronic Documentation - Multiple
Vulnerabilities 
SID-2003-3324 [ phpBB Group ] PHPBB Smiley Panel Cross Site Scripting 
SID-2003-3328 [ Plug & Play Software Ltd ] Denial Of Service in Plug &
Play Web (FTP) Server 
SID-2003-3341 [ Plug & Play Software Ltd ] Plug & Play Web Server
Directory traversal 
SID-2003-3307 [ SCO ] SCO OpenServer local root privileges vulnerability

SID-2003-3353 [ Sep City ] Community Wizard Admin Access 
SID-2003-3322 [ SGI ] SGI IRIX NFS export vulnerability 
SID-2003-3317 [ Spider ] Spider heap overflow and buffer overflow
vulnerabilities 
SID-2003-3348 [ Sun ] JDK XALAN denial of service Vulnerability 
SID-2003-3316 [ Sun ] Solaris sadmind Setting Remote Root Exploitation
Vulnerability 
SID-2003-3323 [ Symantec ] Multiple Vulnerabilities in Symantec
Antivirus for Windows Mobile 
SID-2003-3332 [ Trademark Software ] TM-POP3 Registry Plaintext Password
Vulnerability 
SID-2003-3325 [ ufoot.org ] LiquidWar Buffer Overflow Vulnerability 
SID-2003-3343 [ Valve Software ] Rcon plaintext passwords 
SID-2003-3368 [ Washington University ] Wu_ftpd buffer overflow
vulnerability 
SID-2003-3309 [ Wintel Software ] WideChapter Browser Buffer Overflow
Vulnerability 
SID-2003-3318 [ Yahoo ] Yahoo! Webcam ActiveX control buffer overflow
vulnerability


=====================================================================

>>Did you know you can trial our vulnerability alerting solution <<

Click here
http://www.sintelli.com/free-trial.htm
 
======================================================================

*** SID-2003-3347 [ AppiesHost ] Appies file manager directory traversal

Bugtraq ID:NOT AVAILABLE 
CVE ID:NOT AVAILABLE 
Verification: Single source

The file manager of "Appies" from Appieshost allows a directory
traversal attack.

References:
http://www.lostkey.org/advisories/Appies.txt


*** SID-2003-3335 [ Compaq ] HP Tru64 NFS AdvFS File Denial Of Service
Vulnerability 
Bugtraq ID:8614 
CVE ID:NOT AVAILABLE 
Verification: Vendor Confirmed

HP announced that a vulnerability has been identified in HP Tru64 NFS.
The problem has been reported to occur under certain circumstances, when
certain non Tru64 NFS clients try to increase the size of a file on a
AdvFS. This could result in a kernel memory fault or corruption kernel
memory.

References: 
http://ftp.support.compaq.com/patches/public/Readmes/unix/t64kit0019900-
v51ab23-e-20030906.README
http://ftp.support.compaq.com/patches/public/Readmes/unix/t64kit0019920-
v51bb22-e-20030909.README
http://ftp.support.compaq.com/patches/public/Readmes/unix/t64kit0019921-
v51ab21-e-20030909.README


*** SID-2003-3362 [ Debian ] ipmasq insecure packet filtering
vulnerability 
Bugtraq ID:NOT AVAILABLE 
CVE ID:CAN-2003-0785
Verification: Vendor Confirmed

Debian has reported that the ipmasq package has improper filtering
rules. As a result, traffic arriving on the external interface addressed
for an internal host would be forwarded, regardless of whether it was
associated with an established connection. This vulnerability could be
exploited by an attacker capable of forwarding IP traffic with an
arbitrary destination address to the external interface of a system with
ipmasq installed. 

References:
http://www.debian.org/security/2003/dsa-389


*** SID-2003-3331 [ DrPhibez and Nitro187 ] GuildFTPd 0.999 Directory
Traversal 
Bugtraq ID:NOT AVAILABLE 
CVE ID:NOT AVAILABLE 
Verification: Vendor Confirmed

Luigi Auriemma has reported a directory traversal vulnerability in Guild
FTPd versions 0.999.5 and prior. An attacker can get files knowing their
position by using classical directory traversal exploitation techniques
but he cannot see the directories' indexes.

References: http://aluigi.altervista.org/adv/guildftpd-dir-adv.txt


*** SID-2003-3352 [ flying dog software ] Powerslave Portalmanager
information disclosure 
Bugtraq ID:NOT AVAILABLE 
CVE ID:NOT AVAILABLE 
Verification: Vendor Confirmed

Powerslave features a powerful URL-rewrite function which can be used to
obtain information about the database structure.  It is reported that
arbitrary code execution may be possible.

References: 
ftp://ftp.h07.org/pub/h07.org/projects/papers/h07adv-powerslave.txt

 

*** SID-2003-3330 [ GoAhead Software ] Goahead webserver denial of
service 
Bugtraq ID:NOT AVAILABLE 
CVE ID:NOT AVAILABLE 
Verification: Vendor Confirmed

Luigi Auriemma has reported that GoAhead WebServer versions prior to
2.1.3 are vulnerable to a denial of service attack. This is achieved by
sending a POST request with a Content-Length parameter equal or less
than zero.

References: 
http://aluigi.altervista.org/adv/goahead-neg-adv.txt


*** SID-2003-3344 [ IBM ] Denial of Service Vulnerability in DB2
Discovery Service 
Bugtraq ID:8653 
CVE ID:NOT AVAILABLE 
Verification: Vendor Confirmed

If the IBM DB2 Discovery service, which runs on port 523, receives a
packet larger than 20 bytes the service will shutdown.
 
References: 
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010462.
htm


*** SID-2003-3346 [ IBM ] IBM AIX 5.2 tsm format string vulnerability 
Bugtraq ID:8648 
CVE ID:CAN-2003-0784 
Verification: Vendor Confirmed

The tsm command provides terminal state management and login
functionality which is used to verify users' identity. The services tsm
provides are used by commands such as login, passwd and su. A remote
attacker may gain root privileges by exploiting the login command. A
local user may gain elevated privileges by exploiting the login, su or
passwd commands.

References: 
http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/MSS-OAR-E01-20
03.1177.1


*** SID-2003-3361 [ IBM ] IBM AIX lpd format string vulnerability 
Bugtraq ID:8646 
CVE ID:CAN-2003-0697 
Verification: Vendor Confirmed

IBM has reported that under rare circumstances, turning on debug in lpd
can cause a security problem. 

References: http://www-1.ibm.com/support/docview.wss?uid=isg1IY45344
http://www-1.ibm.com/support/docview.wss?uid=isg1IY46256
http://www-1.ibm.com/support/docview.wss?uid=isg1IY45250


*** SID-2003-3340 [ IBM ] Multiple IBM DB2 Stack Overflow
Vulnerabilities 
Bugtraq ID:8553 , 8552 
CVE ID:CAN-2003-0759 , CAN-2003-0758 
Verification: Vendor Confirmed

IBM's DB2 database ships with two vulnerable setuid binaries, namely
db2licm and db2dart. Both binaries are vulnerable to a buffer overflow
that allows a local attacker to execute arbitrary code on the vulnerable
machine with privileges of the root user. The vulnerability is triggered
providing a long command line argument to the binaries.

References: 
http://www.coresecurity.com/common/showdoc.php?idx=366&idxseccion=10


*** SID-2003-3367 [ Imatix ] Xitami Open Source Web Server Denial of
service vulnerability 
Bugtraq ID:NOT AVAILABLE 
CVE ID:NOT AVAILABLE 
Verification: Single source

Xitami Open Source Web Server has a denial of service vulnerability that
causes abnormal termination of the program.

References: 
http://www.securityfocus.com/archive/1/338415/2003-09-19/2003-09-25/1


*** SID-2003-3312 [ Ipswitch ] IMail Directory Traversal Vulnerabilities

Bugtraq ID:NOT AVAILABLE 
CVE ID:NOT AVAILABLE 
Verification: Single source

Posidron and Rushjo of Tripbit Security Research have reported that
IMail is vulnerable to directory traversal in the Web Calendaring
Service part of IMail v8.02 and in the Web Messaging Service part of
IMail v6.00. 

References:
http://www.tripbit.org/advisories/TA-150903.txt


*** SID-2003-3356 [ Knox Software ] Knox Arkeia Pro 5.1.12 remote root
exploit 
Bugtraq ID:NOT AVAILABLE 
CVE ID:NOT AVAILABLE 
Verification: Single source

A buffer overflow in Knox software Arkiea has been reported. It is
possible to null out least significant byte of EBP to pull EIP out of
overflow buffer. A local or remote attacker could cause a crash or gain
root access. Working exploit code does exist for this.

References: 
http://www.securityfocus.com/archive/1/338237/2003-09-17/2003-09-23/0


*** SID-2003-3351 [ LSH ] LSH 1.4x remote root buffer overflow
vulnerability 
Bugtraq ID:NOT AVAILABLE 
CVE ID:NOT AVAILABLE 
Verification: Vendor Confirmed

There is a buffer overflow vulnerability with lsh 1.4x which allows
remote attackers to gain root privileges.

References: 
http://archives.neohapsis.com/archives/bugtraq/2003-09/att-0310/lsh_expl
oit.c
http://lists.lysator.liu.se/pipermail/lsh-bugs/2003q3/000127.html


*** SID-2003-3360 [ Lucent ] Lucent MAX TNT Universal Gateway Hang-Up
Redial Administrative Access Vulnerability Bugtraq ID:8642 
CVE ID:NOT AVAILABLE 
Verification: Single source

Nathan Aguirre reported that a problem in the handling of hang-up and
redial calls to the Lucent MAX TNT Universal Gateway has been reported.
Allegedly, this may make it possible for an attacker to gain
unauthorized access to network resources.

References: 
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010609.
html

 

*** SID-2003-3358 [ Macromedia ] ColdFusion MX / ColdFusion cross-site
scripting vulnerability 
Bugtraq ID:NOT AVAILABLE 
CVE ID:NOT AVAILABLE 
Verification: Vendor Confirmed

ColdFusionMX Web Sites that use the default ColdFusionMX Site-Wide Error
Handler page or the default ColdFusionMX Missing Template Handler page
may be susceptible to a cross-site scripting attack using the HTTP
Referer[sic] header field.

References:
http://www.macromedia.com/devnet/security/security_zone/mpsb03-06.html


*** SID-2003-3345 [ Microsoft ] Microsoft BizTalk Server virtual
directories weak permissions 
Bugtraq ID:NOT AVAILABLE 
CVE ID:NOT AVAILABLE 
Verification: Vendor Confirmed

A default installation of Microsoft BizTalk Server 2000 or Microsoft
BizTalk Server 2002 creates several Microsoft Internet Information
Services (IIS) virtual directories. There are two virtual directories
configured with weak permissions. 

References: 
http://support.microsoft.com/default.aspx?scid=kb;en-us;824935
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010463.
html


*** SID-2003-3350 [ Microsoft ] Microsoft Windows 2000 and XP URG memory
leak Vulnerability 
Bugtraq ID:8531 
CVE ID:NOT AVAILABLE 
Verification: Single source

Michal Zalewski reported that Microsoft Windows 2000 and XP could
disclose sensitive information to attackers. If a data transfer is in
process when the initial SYN is sent, the URG value could contain
information from a previously sent packet, which could allow an attacker
to obtain sensitive information.

References: 
http://archives.neohapsis.com/archives/bugtraq/2003-09/0260.html
http://archives.neohapsis.com/archives/vuln-dev/2003-q3/0113.html


*** SID-2003-3364 [ Midnight Commander ] Midnight Commander Remote Code
Execution 
Bugtraq ID:NOT AVAILABLE 
CVE ID:NOT AVAILABLE 
Verification: Single source

Midnight Commander is using uninitialized buffer for handling symlinks
in VFS (tar, cpio). A stack overflow using specially crafted archive can
be achieved to execute arbitrary code.

References: 
http://www.securityfocus.com/archive/1/338231/2003-09-19/2003-09-25/0


*** SID-2003-3308 [ MiniHttpServer ] Minihttpserver 1.x Host Engine
Vulnerabilities 
Bugtraq ID:8619 , 8620 , 8633 
CVE ID:NOT AVAILABLE 
Verification: Single source

Peter Winter-Smith has reported that WebForums and File-Sharing for NET
are prone to a remote directory traversal attack due to insufficient
sanitization of user-supplied data. These vulnerabilities in
Minihttpserver allow complete administrator access to the system
file/forum system and any file on the remote server.

References: 
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0107.html


*** SID-2003-3342 [ Miro Construct Pty Ltd ] Mambo 4.0.14 Stable
Multiple Vulnerabilities 
Bugtraq ID:8647 
CVE ID:NOT AVAILABLE 
Verification: Single source

Mambo 4.0.14 Stable is reported to have multiple bugs that could enable
attackers to obtain sensitive information like path, user id and
passwords. The attacker could also use the server for anonymous mailing.

References:
http://www.hackingzone.org/secviewarticle.php?id=11


*** SID-2003-3357 [ Multi-Vendor ] Hztty buffer overflows 
Bugtraq ID:NOT AVAILABLE 
CVE ID:CAN-2003-0783
Verification: Vendor Confirmed

Jens Steube has reported a pair of buffer overflow vulnerabilities in
hztty, a program to translate Chinese character encodings in a terminal
session. These vulnerabilities could be exploited by a local attacker to
gain root privileges on a system where hztty is installed.

Additionally, hztty incorrectly installs as setuid root, when it only
requires the privileges of group utmp. 

References:
http://www.debian.org/security/2003/dsa-385


*** SID-2003-3320 [ Multi-Vendor ] KDM Privilege escalation with
specific PAM modules 
Bugtraq ID:NOT AVAILABLE 
CVE ID:CAN-2003-0690
Verification: Vendor Confirmed

KDE has announced that all versions of KDM as distributed with KDE up to
and including KDE 3.1.3 have a vulnerability that might grant local root
access to any user with valid login credentials.

References: 
http://www.kde.org/info/security/advisory-20030916-1.txt
http://rhn.redhat.com/errata/RHSA-2003-269.html
http://rhn.redhat.com/errata/RHSA-2003-270.html
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003
:091
http://www.debian.org/security/2003/dsa-388


*** SID-2003-3321 [ Multi-Vendor ] KDM weak session cookie generation
algorithm 
Bugtraq ID:NOT AVAILABLE 
CVE ID:CAN-2003-0692
Verification: Vendor Confirmed

KDM has a weak cookie generation that may allow non-authorized users to
guess the session cookie by a brute force attack, which allows, assuming
hostname / IP restrictions can be bypassed, to authorize to the running
session and gain full access to it. 

References: 
http://www.kde.org/info/security/advisory-20030916-1.txt
http://rhn.redhat.com/errata/RHSA-2003-270.html
http://rhn.redhat.com/errata/RHSA-2003-269.html
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003
:091
http://www.debian.org/security/2003/dsa-388


 
*** SID-2003-3338 [ Multi-Vendor ] Memory bugs in OpenSSH 
Bugtraq ID:NOT AVAILABLE 
CVE ID:CAN-2003-0682
Verification: Vendor Confirmed

OpenSSH versions 3.7.1 and prior contain some memory bugs. 

References:
http://rhn.redhat.com/errata/RHSA-2003-279.html
http://rhn.redhat.com/errata/RHSA-2003-280.html
http://www.openpkg.org/security/OpenPKG-SA-2003.040-openssh.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000741
http://www.linuxsecurity.com/advisories/engarde_advisory-3649.html
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3654.html
http://www.suse.com/de/security/2003_039_openssh.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000744


*** SID-2003-3319 [ Multi-Vendor ] OpenSSH Buffer Management Error 
Bugtraq ID:8628 
CVE ID:CAN-2003-0693 
Verification: Vendor Confirmed

A buffer management error was discovered in all versions of OpenSSH
prior to version 3.7. 

References: 
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:12.opens
sh.asc
http://www.linuxsecurity.com/advisories/immunix_advisory-3627.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000739
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000740
http://www.debian.org/security/2003/dsa-382
http://www.linuxsecurity.com/advisories/gentoo_advisory-3629.html
http://www.linuxsecurity.com/advisories/suse_advisory-3632.html
http://rhn.redhat.com/errata/RHSA-2003-279.html
http://rhn.redhat.com/errata/RHSA-2003-280.html
http://www.linuxsecurity.com/advisories/engarde_advisory-3621.html
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003
:090
http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y
=2003&m=slackware-security.374735
http://www.openbsd.org/errata.html#sshbuffer
http://www.cert.org/advisories/CA-2003-24.html
http://xforce.iss.net/xforce/alerts/id/144
http://www.kb.cert.org/vuls/id/333628
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-012.tx
t.asc
http://www.cisco.com/warp/public/707/cisco-sa-20030917-openssh.shtml
http://www.openpkg.org/security/OpenPKG-SA-2003.040-openssh.html
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003
:090-1
http://www.debian.org/security/2003/dsa-383
http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y
=2003&m=slackware-security.368193
http://www.turbolinux.com/security/TLSA-2003-51.txt
http://www.linuxsecurity.com/advisories/trustix_advisory-3641.html
http://www.suse.com/de/security/2003_039_openssh.html
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3654.html
http://www.stonesoft.com/document/art/3031.html
http://www.netscreen.com/services/security/alerts/openssh_1.jsp
http://docs.info.apple.com/article.html?artnum=61798
http://www.bluecoat.com/downloads/support/BCS_OpenSSH_vulnerability.pdf
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56861&zone_32=
category%3Asecurity
http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0309-282


 
*** SID-2003-3337 [ Multi-Vendor ] OpenSSH Multiple buffer management
errors in buffer_init and  buffer_free 
Bugtraq ID:NOT AVAILABLE 
CVE ID:CAN-2003-0695
Verification: Vendor Confirmed

Buffer manipulation problems have been found in OpenSSH versions prior
to 3.7.1. These may allow attackers to cause a denial of service or
execute arbitrary code.

References: 
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003
:090-1
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000741
http://rhn.redhat.com/errata/RHSA-2003-279.html
http://rhn.redhat.com/errata/RHSA-2003-280.html
http://www.openpkg.org/security/OpenPKG-SA-2003.040-openssh.html
http://www.debian.org/security/2003/dsa-382
http://www.debian.org/security/2003/dsa-383
http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y
=2003&m=slackware-security.368193
http://www.openssh.com/txt/buffer.adv
http://www.openbsd.org/errata.html#sshbuffer
http://www.linuxsecurity.com/advisories/engarde_advisory-3649.html
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3654.html
http://www.suse.com/de/security/2003_039_openssh.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000744


*** SID-2003-3315 [ Multi-Vendor ] Pine Remote Integer Overflow
Vulnerability 
Bugtraq ID:8589 
CVE ID:CAN-2003-0721 
Verification: Vendor Confirmed

Pine is a mail and news text based client developed by the Washington
University. Pine versions 4.56 and earlier are vulnerable to an integer
overflow in the rfc2231_get_param function in the strings.c file. By
sending an email message with a specially-crafted email header, a remote
attacker could overflow a buffer and execute arbitrary code on the
system, once the victim opens the malicious email.

References:
http://www.idefense.com/advisory/09.10.03.txt
http://www.suse.com/de/security/2003_037_pine.html
http://rhn.redhat.com/errata/RHSA-2003-273.html
http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y
=2003&m=slackware-security.347016
http://www.linuxsecurity.com/advisories/engarde_advisory-3607.html
http://rhn.redhat.com/errata/RHSA-2003-274.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000738
http://www.securityfocus.com/archive/1/337545/2003-09-13/2003-09-19/0


*** SID-2003-3327 [ Multi-Vendor ] Sendmail 8.12.9 prescan()
vulnerability 
Bugtraq ID:8641 
CVE ID:CAN-2003-0694 
Verification: Vendor Confirmed

A bug has been identified in the Sendmail Mail Transfer Agent (MTA) that
can cause a buffer overflow. The vulnerability derives from a potential
buffer overflow in Sendmail's header handling code.

References: 
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010287.
html
http://www.sendmail.com/security/ http://www.sendmail.org/8.12.10.html
http://rhn.redhat.com/errata/RHSA-2003-283.html
http://rhn.redhat.com/errata/RHSA-2003-284.html
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003
:092
http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y
=2003&m=slackware-security.452857
http://www.openbsd.org/errata.html#sendmail
http://www.kb.cert.org/vuls/id/784980
http://www.cert.org/advisories/CA-2003-25.html
http://www.linuxsecurity.com/advisories/immunix_advisory-3652.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000742
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3655.html
http://www.debian.org/security/2003/dsa-384
http://www.turbolinux.com/security/TLSA-2003-52.txt
http://www.openpkg.org/security/OpenPKG-SA-2003.041-sendmail.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000746
http://forums.gentoo.org/viewtopic.php?t=86741
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56860&zone_32=
category%3Asecurity
http://www.linuxsecurity.com/advisories/suse_advisory-3664.html


*** SID-2003-3336 [ Multi-Vendor ] Sendmail ruleset parsing buffer
overflow 
Bugtraq ID:8649 CVE ID:CAN-2003-0681
Verification: Vendor Confirmed

Timo Sirainen has reported a buffer overflow in ruleset parsing of
Sendmail 8.12.9.  This occurs when using the nonstandard rulesets only.

References:
http://www.sendmail.org/8.12.10.html
http://rhn.redhat.com/errata/RHSA-2003-283.html
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010387.
html
http://www.linuxsecurity.com/advisories/immunix_advisory-3652.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000742
http://www.debian.org/security/2003/dsa-384
http://www.turbolinux.com/security/TLSA-2003-52.txt
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3655.html
http://www.kb.cert.org/vuls/id/108964
http://www.openpkg.org/security/OpenPKG-SA-2003.041-sendmail.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000746


*** SID-2003-3363 [ myPHPNuke ] myphpnuke auth.inc.php SQL Injection 
Bugtraq ID:NOT AVAILABLE 
CVE ID:NOT AVAILABLE 
Verification: Single source

Lifofifo has reported a SQL injection vulnerability in myphpnuke. The
vulnerable code is in auth.inc.php file. The author has also suggested
an unofficial fix. 

References:
http://www.hackingzone.org/secviewarticle.php?id=8


*** SID-2003-3366 [ NetBSD ] NetBSD Sysctl Argument Handling
Vulnerabilities 
Bugtraq ID:8643 
CVE ID:NOT AVAILABLE 
Verification: Vendor Confirmed

Three unrelated problems with inappropriate argument handling were found
in the kernel sysctl(2) code, which could be exploited by malicious
local user:

References: 
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-014.tx
t.asc


*** SID-2003-3311 [ Network Dweebs Corporation ] DSPAM Default
Permissions Vulnerability 
Bugtraq ID:8623 
CVE ID:NOT AVAILABLE 
Verification: Vendor Confirmed

Due to the default installation permissions of DSPAM 2.6.5, any user
capable of executing the dspam agent can run commands with mail group
privileges.

References:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010091.
html

 
*** SID-2003-3310 [ Nokia ] Nokia Electronic Documentation - Multiple
Vulnerabilities 
Bugtraq ID:8624 , 8625 , 8626 
CVE ID:CAN-2003-0801 , CAN-2003-0802 , CAN-2003-0803 
Verification: Vendor Confirmed

@stake has reported several vulnerabilities in NED, the web-based
documentation interface for many of its cellular network products. These
may allow attackers to conduct cross-site scripting attacks, view
directory listing of certain directories under the web-root and use NED
as a proxy server for HTTP requests. 

References: 
http://www.atstake.com/research/advisories/2003/a091503-1.txt


*** SID-2003-3324 [ phpBB Group ] PHPBB Smiley Panel Cross Site
Scripting 
Bugtraq ID:NOT AVAILABLE 
CVE ID:NOT AVAILABLE 
Verification: Single source

Benjamin Tolman  has reported a cross site scripting vulnerability in
phpBB that can be exploited using specially crafted smiley panel inputs.
The code will be able to access the target administrator's cookies.

References: 
http://www.securityfocus.com/archive/1/337462/2003-09-07/2003-09-13/0


*** SID-2003-3328 [ Plug & Play Software Ltd ] Denial Of Service in Plug
& Play Web (FTP) Server 
Bugtraq ID:NOT AVAILABLE 
CVE ID:NOT AVAILABLE 
Verification: Vendor Confirmed

Bahaa Naamneh has reported a denial of service vulnerability in Plug &
Play Web Server which can be exploited by connecting to the server and
issuing certain long commands.

References: 
http://archives.neohapsis.com/archives/bugtraq/2003-09/0275.html


*** SID-2003-3341 [ Plug & Play Software Ltd ] Plug & Play Web Server
Directory traversal 
Bugtraq ID:8645 
CVE ID:NOT AVAILABLE 
Verification: Vendor Confirmed

Plug & Play Web Server have a Directory Traversal Vulnerability that
allows an attacker can gain read access to any file outside of the
intended web-published filesystem directory.

References: 
http://www.securityfocus.com/archive/1/338090/2003-09-15/2003-09-21/0


*** SID-2003-3307 [ SCO ] SCO OpenServer local root privileges
vulnerability 
Bugtraq ID:8616 , 8618 
CVE ID:CAN-2003-0742 
Verification: Vendor Confirmed

A vulnerability exists in SCO Internet Manager (mana) program for
OpenServer (SCO Unix) that lets local users gain root level privileges.

References: 
http://www.texonet.com/advisories/TEXONET-20030902.txt
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.19/CSSA-2003-SCO.
19.txt


 
*** SID-2003-3353 [ Sep City ] Community Wizard Admin Access 
Bugtraq ID:NOT AVAILABLE 
CVE ID:NOT AVAILABLE 
Verification: Vendor Confirmed

Bahaa Naamneh has reported a flaw in Community Wizard. It is possible to
gain admin access by using 'or''=' as the password and entering any user
name.

References:
http://www.securityfocus.com/archive/1/338298/2003-09-17/2003-09-23/0


*** SID-2003-3322 [ SGI ] SGI IRIX NFS export vulnerability 
Bugtraq ID:8638 
CVE ID:CAN-2003-0680 
Verification: Vendor Confirmed

SGI has released a security advisory announcing that a NFS client can
avoid read-only restrictions on filesystems exported via NFS from a
server running IRIX 6.5.21 and mount them in read/write mode. 

References: 
ftp://patches.sgi.com/support/free/security/advisories/20030901-01-P


*** SID-2003-3317 [ Spider ] Spider heap overflow and buffer overflow
vulnerabilities 
Bugtraq ID:8630 
CVE ID:NOT AVAILABLE 
Verification: Single source

Spider has been reported prone to a heap overflow condition when
handling HOME environment variables of excessive length. An attacker may
lever this condition to corrupt adjacent malloc chunk headers with
attacker-supplied data contained in a malicious 'HOME' environment
variable. Although unconfirmed ultimately it may be possible that a
local attacker may exploit this condition to execute arbitrary
instructions with GID Games privileges.

References:
http://www.zone-h.org/en/advisories/read/id=3049/


*** SID-2003-3348 [ Sun ] JDK XALAN denial of service Vulnerability 
Bugtraq ID:NOT AVAILABLE 
CVE ID:NOT AVAILABLE 
Verification: Single source

A denial of service vulnerability was reported in Embedded XALAN
packages in JDK 1.4.x. The problem is that the methods of internal sun.*
classes can be made visible through an xslt namespace in xslt programs.
A remote attacker can inject xsl template. 

References: 
http://archives.neohapsis.com/archives/bugtraq/2003-09/0281.html


*** SID-2003-3316 [ Sun ] Solaris sadmind Setting Remote Root
Exploitation Vulnerability 
Bugtraq ID:8615 
CVE ID:CAN-2003-0722 
Verification: Vendor Confirmed

An exploit has surfaced that allows remote attackers to execute
arbitrary commands with super-user privileges against Solaris hosts
running the default RPC authentication scheme in Solstice AdminSuite.

References:
http://www.idefense.com/advisory/09.16.03.txt
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/56740
http://www.securityfocus.com/archive/1/338112/2003-09-16/2003-09-22/0
http://www.kb.cert.org/vuls/id/41870


*** SID-2003-3323 [ Symantec ] Multiple Vulnerabilities in Symantec
Antivirus for Windows Mobile 
Bugtraq ID:8639 , 8640 
CVE ID:NOT AVAILABLE 
Verification: Single source

Symantec Antivirus for Windows mobile has several vulnerabilities that
result in the Real time scan failing to protect against hostile code in
the RAM and bypass of some detections.

References: 
http://www.securityfocus.com/archive/1/337784/2003-09-14/2003-09-20/0


*** SID-2003-3332 [ Trademark Software ] TM-POP3 Registry Plaintext
Password Vulnerability 
Bugtraq ID:NOT AVAILABLE 
CVE ID:NOT AVAILABLE 
Verification: Single source

Ziv Kamir reported that TM-POP3 Server version 2.13 stores user
passwords in plain text in the server registry. A local attacker could
exploit this vulnerability by opening this registry to obtain sensitive
information.

References: 
http://securitytracker.com/alerts/2003/Sep/1007728.html


*** SID-2003-3325 [ ufoot.org ] LiquidWar Buffer Overflow Vulnerability 
Bugtraq ID:8629 CVE ID:NOT AVAILABLE 
Verification: Single source

ZetaLABs (Zone-H Research Laboratories) has discovered a buffer overflow
in the game Liquidwar, an application contained in the Debian GNU/Linux
distribution. 

References:
http://www.zone-h.org/en/advisories/read/id=3059/


*** SID-2003-3343 [ Valve Software ] Rcon plaintext passwords 
Bugtraq ID:8651 
CVE ID:NOT AVAILABLE 
Verification: Single source

Alexander Hagenah has reported that rcon passwords can be sniffed. To
authenticate on the half-life game server you send your password. rcon
does not encrypt the password when it is sent and the server receives it
in plaintext, too. A sniffer with some simple filter rules can find out
rcon passwords fast and easily. 

References: 
http://www.securityfocus.com/archive/1/338113/2003-09-16/2003-09-22/0


*** SID-2003-3368 [ Washington University ] Wu_ftpd buffer overflow
vulnerability 
Bugtraq ID:NOT AVAILABLE 
CVE ID:NOT AVAILABLE 
Verification: Single source

Adam Zabrocki has reported a remote buffer overflow bug with wu_ftp.
Reportedly, the bug is not manifest in the default installation but is
present when sending emails with names of uploaded files.

References: 
http://www.securityfocus.com/archive/1/338436/2003-09-19/2003-09-25/0

 

*** SID-2003-3309 [ Wintel Software ] WideChapter Browser Buffer
Overflow Vulnerability 
Bugtraq ID:8617 
CVE ID:NOT AVAILABLE 
Verification: Single source

It is possible to cause a Buffer overflow in WideChapter Browser by
sending long http request, allowing total modification of the EIP
pointer - this can be maliciously altered to allow remote arbitrary code
execution. The vulnerability is due to a lack of boundary condition
checks on URL values.

References: 
http://archives.neohapsis.com/archives/bugtraq/2003-09/0236.html


*** SID-2003-3318 [ Yahoo ] Yahoo! Webcam ActiveX control buffer
overflow vulnerability 
Bugtraq ID:8634 
CVE ID:NOT AVAILABLE 
Verification: Vendor Confirmed

When a long value is set in Yahoo! Webcam Viewer Wrapper ActiveX
control's "TargetName" property a stack and heap based buffer overflow
occurs depending on the length of the string.

References:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010193.
htm


========================================================================
====

Become a SINTRAQ Weekly member! 
Send an email with the subject "subscribe sintraqweekly" to
sintraqweekly@...telli.com 

Unsubscribe 
To unsubscribe from this newsletter send an email with the subject
"unsubscribe sintraqweekly" to sintraqweekly@...telli.com
 
Your opinion counts. 
We would like to hear your thoughts on SINTRAQ Weekly.  Please email any
questions or comments to sintraqweekly@...telli.com
 
Copyright (c) 2003 Sintelli Limited All Rights Reserved. 
http://www.sintelli.com

========================================================================
====

>>Did you know you can trial our vulnerability alerting solution <<

Click here
http://www.sintelli.com/free-trial.htm


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ