Message-ID: <005901c381d3$beb7e070$0400a8c0@x2>
From: sintraq at sintelli.com (SINTRAQ)
Subject: SINTRAQ Weekly - Security Vulnerabilities - Week 38, 2003
SINTRAQ Weekly Summary
Week 38, 2003
Created for you by SINTELLI, the definitive source of IT security
intelligence.
Welcome to the latest edition of SINTRAQ Weekly Summary. Information on
how to manage your subscription can be found at the bottom of the
newsletter. If you have any problems or questions, please e-mail us at
sintraqweekly@...telli.com
PDF version is here
http://www.sintelli.com/sinweek/week38-2003.pdf
=====================================================================
Highlights:
This week Microsoft admins were sleeping easily and watching their
fellow *nix admins run around frantically applying patches. First it was
one, then two, then three vulnerabilities identified in OpenSSH. But
then there was more: not one but two Sendmail vulnerabilities. Just in
case you have not upgraded your versions of OpenSSH and Sendmail to the
latest versions, we suggest you do so.
Whilst still on *nix, there is a remote root exploit available for
Solaris, and IBM issued two advisories about AIX. Since an exploit is
available for the Solaris vulnerability, it is time to fix it.
So what happened to the much-hyped Blaster-type worm which was going to
exploit the vulnerabilities in MS03-39? Did it die, were we all
protected against it, or was it hype?
Well, there was a worm called Swen (aka Gibe). It came, pretending to
be a Microsoft Bulletin, it saw vulnerable PCs, and conquered them. Now
it's invading many countries, watch its progress here:
http://www.pandasoftware.com/virus_info/map/map.htm
The worrying thing about Swen is that it exploited a 30-month-old
vulnerability (CVE-2001-0154), so when the new Blaster-type worm turns
up we are sure it will still find some vulnerable systems. Just in case
you wanted to write such a worm, the Chinese research group has provided
some information to help you at:
http://www.xfocus.org/documents/200309/4.html
Maybe they got bored of waiting for it?
Until next week,
-- SINTELLI Research
www.sintelli.com
=====================================================================
>>Did you know you can trial our vulnerability alerting solution <<
Click here
http://www.sintelli.com/free-trial.htm
=====================================================================
TABLE OF CONTENTS:
SID-2003-3347 [ AppiesHost ] Appies file manager directory traversal
SID-2003-3335 [ Compaq ] HP Tru64 NFS AdvFS File Denial Of Service
Vulnerability
SID-2003-3362 [ Debian ] ipmasq insecure packet filtering vulnerability
SID-2003-3331 [ DrPhibez and Nitro187 ] GuildFTPd 0.999 Directory
Traversal
SID-2003-3352 [ flying dog software ] Powerslave Portalmanager
information disclosure
SID-2003-3330 [ GoAhead Software ] Goahead webserver denial of service
SID-2003-3344 [ IBM ] Denial of Service Vulnerability in DB2 Discovery
Service
SID-2003-3346 [ IBM ] IBM AIX 5.2 tsm format string vulnerability
SID-2003-3361 [ IBM ] IBM AIX lpd format string vulnerability
SID-2003-3340 [ IBM ] Multiple IBM DB2 Stack Overflow Vulnerabilities
SID-2003-3367 [ Imatix ] Xitami Open Source Web Server Denial of service
vulnerability
SID-2003-3312 [ Ipswitch ] IMail Directory Traversal Vulnerabilities
SID-2003-3356 [ Knox Software ] Knox Arkeia Pro 5.1.12 remote root
exploit
SID-2003-3351 [ LSH ] LSH 1.4x remote root buffer overflow vulnerability
SID-2003-3360 [ Lucent ] Lucent MAX TNT Universal Gateway Hang-Up Redial
Administrative Access Vulnerability
SID-2003-3358 [ Macromedia ] ColdFusion MX / ColdFusion cross-site
scripting vulnerability with default error handlers
SID-2003-3345 [ Microsoft ] Microsoft BizTalk Server virtual directories
weak permissions
SID-2003-3350 [ Microsoft ] Microsoft Windows 2000 and XP URG memory
leak Vulnerability
SID-2003-3364 [ Midnight Commander ] Midnight Commander Remote Code
Execution via Uninitialized Buffer
SID-2003-3308 [ MiniHttpServer ] Minihttpserver 1.x Host Engine
Vulnerabilities
SID-2003-3342 [ Miro Construct Pty Ltd ] Mambo 4.0.14 Stable Multiple
Vulnerabilities
SID-2003-3357 [ Multi-Vendor ] Hztty buffer overflows
SID-2003-3320 [ Multi-Vendor ] KDM Privilege escalation with specific
PAM modules
SID-2003-3321 [ Multi-Vendor ] KDM weak session cookie generation
algorithm
SID-2003-3338 [ Multi-Vendor ] Memory bugs in OpenSSH
SID-2003-3319 [ Multi-Vendor ] OpenSSH Buffer Management Error
SID-2003-3337 [ Multi-Vendor ] OpenSSH Multiple buffer management errors
in buffer_init and buffer_free
SID-2003-3315 [ Multi-Vendor ] Pine Remote Integer Overflow
Vulnerability
SID-2003-3327 [ Multi-Vendor ] Sendmail 8.12.9 prescan() vulnerability
SID-2003-3336 [ Multi-Vendor ] Sendmail ruleset parsing buffer overflow
SID-2003-3363 [ myPHPNuke ] myphpnuke auth.inc.php SQL Injection
SID-2003-3366 [ NetBSD ] NetBSD Sysctl Argument Handling Vulnerabilities
SID-2003-3311 [ Network Dweebs Corporation ] DSPAM Default Permissions
Vulnerability
SID-2003-3310 [ Nokia ] Nokia Electronic Documentation - Multiple
Vulnerabilities
SID-2003-3324 [ phpBB Group ] PHPBB Smiley Panel Cross Site Scripting
SID-2003-3328 [ Plug & Play Software Ltd ] Denial Of Service in Plug &
Play Web (FTP) Server
SID-2003-3341 [ Plug & Play Software Ltd ] Plug & Play Web Server
Directory traversal
SID-2003-3307 [ SCO ] SCO OpenServer local root privileges vulnerability
SID-2003-3353 [ Sep City ] Community Wizard Admin Access
SID-2003-3322 [ SGI ] SGI IRIX NFS export vulnerability
SID-2003-3317 [ Spider ] Spider heap overflow and buffer overflow
vulnerabilities
SID-2003-3348 [ Sun ] JDK XALAN denial of service Vulnerability
SID-2003-3316 [ Sun ] Solaris sadmind Setting Remote Root Exploitation
Vulnerability
SID-2003-3323 [ Symantec ] Multiple Vulnerabilities in Symantec
Antivirus for Windows Mobile
SID-2003-3332 [ Trademark Software ] TM-POP3 Registry Plaintext Password
Vulnerability
SID-2003-3325 [ ufoot.org ] LiquidWar Buffer Overflow Vulnerability
SID-2003-3343 [ Valve Software ] Rcon plaintext passwords
SID-2003-3368 [ Washington University ] Wu_ftpd buffer overflow
vulnerability
SID-2003-3309 [ Wintel Software ] WideChapter Browser Buffer Overflow
Vulnerability
SID-2003-3318 [ Yahoo ] Yahoo! Webcam ActiveX control buffer overflow
vulnerability
=====================================================================
*** SID-2003-3347 [ AppiesHost ] Appies file manager directory traversal
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification: Single source
The file manager of "Appies" from Appieshost allows a directory
traversal attack.
References:
http://www.lostkey.org/advisories/Appies.txt
*** SID-2003-3335 [ Compaq ] HP Tru64 NFS AdvFS File Denial Of Service
Vulnerability
Bugtraq ID:8614
CVE ID:NOT AVAILABLE
Verification: Vendor Confirmed
HP announced that a vulnerability has been identified in HP Tru64 NFS.
The problem has been reported to occur under certain circumstances, when
certain non-Tru64 NFS clients try to increase the size of a file on an
AdvFS. This could result in a kernel memory fault or corruption of
kernel memory.
References:
http://ftp.support.compaq.com/patches/public/Readmes/unix/t64kit0019900-v51ab23-e-20030906.README
http://ftp.support.compaq.com/patches/public/Readmes/unix/t64kit0019920-v51bb22-e-20030909.README
http://ftp.support.compaq.com/patches/public/Readmes/unix/t64kit0019921-v51ab21-e-20030909.README
*** SID-2003-3362 [ Debian ] ipmasq insecure packet filtering
vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:CAN-2003-0785
Verification: Vendor Confirmed
Debian has reported that the ipmasq package has improper filtering
rules. As a result, traffic arriving on the external interface addressed
for an internal host would be forwarded, regardless of whether it was
associated with an established connection. This vulnerability could be
exploited by an attacker capable of forwarding IP traffic with an
arbitrary destination address to the external interface of a system with
ipmasq installed.
References:
http://www.debian.org/security/2003/dsa-389
*** SID-2003-3331 [ DrPhibez and Nitro187 ] GuildFTPd 0.999 Directory
Traversal
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification: Vendor Confirmed
Luigi Auriemma has reported a directory traversal vulnerability in Guild
FTPd versions 0.999.5 and prior. An attacker who knows a file's location
can retrieve it using classic directory traversal techniques, but cannot
list the contents of directories.
References:
http://aluigi.altervista.org/adv/guildftpd-dir-adv.txt
*** SID-2003-3352 [ flying dog software ] Powerslave Portalmanager
information disclosure
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification: Vendor Confirmed
Powerslave features a powerful URL-rewrite function which can be used to
obtain information about the database structure. It is reported that
arbitrary code execution may be possible.
References:
ftp://ftp.h07.org/pub/h07.org/projects/papers/h07adv-powerslave.txt
*** SID-2003-3330 [ GoAhead Software ] Goahead webserver denial of
service
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification: Vendor Confirmed
Luigi Auriemma has reported that GoAhead WebServer versions prior to
2.1.3 are vulnerable to a denial of service attack. This is achieved by
sending a POST request with a Content-Length value equal to or less
than zero.
References:
http://aluigi.altervista.org/adv/goahead-neg-adv.txt
*** SID-2003-3344 [ IBM ] Denial of Service Vulnerability in DB2
Discovery Service
Bugtraq ID:8653
CVE ID:NOT AVAILABLE
Verification: Vendor Confirmed
If the IBM DB2 Discovery service, which runs on port 523, receives a
packet larger than 20 bytes, the service will shut down.
References:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010462.htm
*** SID-2003-3346 [ IBM ] IBM AIX 5.2 tsm format string vulnerability
Bugtraq ID:8648
CVE ID:CAN-2003-0784
Verification: Vendor Confirmed
The tsm command provides terminal state management and login
functionality which is used to verify users' identity. The services tsm
provides are used by commands such as login, passwd and su. A remote
attacker may gain root privileges by exploiting the login command. A
local user may gain elevated privileges by exploiting the login, su or
passwd commands.
References:
http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/MSS-OAR-E01-2003.1177.1
*** SID-2003-3361 [ IBM ] IBM AIX lpd format string vulnerability
Bugtraq ID:8646
CVE ID:CAN-2003-0697
Verification: Vendor Confirmed
IBM has reported that under rare circumstances, turning on debug in lpd
can cause a security problem.
References:
http://www-1.ibm.com/support/docview.wss?uid=isg1IY45344
http://www-1.ibm.com/support/docview.wss?uid=isg1IY46256
http://www-1.ibm.com/support/docview.wss?uid=isg1IY45250
*** SID-2003-3340 [ IBM ] Multiple IBM DB2 Stack Overflow
Vulnerabilities
Bugtraq ID:8553 , 8552
CVE ID:CAN-2003-0759 , CAN-2003-0758
Verification: Vendor Confirmed
IBM's DB2 database ships with two vulnerable setuid binaries, namely
db2licm and db2dart. Both binaries are vulnerable to a buffer overflow
that allows a local attacker to execute arbitrary code on the vulnerable
machine with the privileges of the root user. The vulnerability is
triggered by providing a long command line argument to the binaries.
References:
http://www.coresecurity.com/common/showdoc.php?idx=366&idxseccion=10
*** SID-2003-3367 [ Imatix ] Xitami Open Source Web Server Denial of
service vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification: Single source
Xitami Open Source Web Server has a denial of service vulnerability that
causes abnormal termination of the program.
References:
http://www.securityfocus.com/archive/1/338415/2003-09-19/2003-09-25/1
*** SID-2003-3312 [ Ipswitch ] IMail Directory Traversal Vulnerabilities
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification: Single source
Posidron and Rushjo of Tripbit Security Research have reported that
IMail is vulnerable to directory traversal in the Web Calendaring
Service part of IMail v8.02 and in the Web Messaging Service part of
IMail v6.00.
References:
http://www.tripbit.org/advisories/TA-150903.txt
*** SID-2003-3356 [ Knox Software ] Knox Arkeia Pro 5.1.12 remote root
exploit
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification: Single source
A buffer overflow in Knox Software Arkeia has been reported. It is
possible to null out the least significant byte of EBP to pull EIP out
of the overflowed buffer. A local or remote attacker could cause a crash
or gain root access. Working exploit code does exist for this.
References:
http://www.securityfocus.com/archive/1/338237/2003-09-17/2003-09-23/0
*** SID-2003-3351 [ LSH ] LSH 1.4x remote root buffer overflow
vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification: Vendor Confirmed
There is a buffer overflow vulnerability with lsh 1.4x which allows
remote attackers to gain root privileges.
References:
http://archives.neohapsis.com/archives/bugtraq/2003-09/att-0310/lsh_exploit.c
http://lists.lysator.liu.se/pipermail/lsh-bugs/2003q3/000127.html
*** SID-2003-3360 [ Lucent ] Lucent MAX TNT Universal Gateway Hang-Up
Redial Administrative Access Vulnerability
Bugtraq ID:8642
CVE ID:NOT AVAILABLE
Verification: Single source
Nathan Aguirre has reported a problem in the handling of hang-up and
redial calls to the Lucent MAX TNT Universal Gateway. Allegedly, this
may make it possible for an attacker to gain unauthorized access to
network resources.
References:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010609.html
*** SID-2003-3358 [ Macromedia ] ColdFusion MX / ColdFusion cross-site
scripting vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification: Vendor Confirmed
ColdFusionMX Web Sites that use the default ColdFusionMX Site-Wide Error
Handler page or the default ColdFusionMX Missing Template Handler page
may be susceptible to a cross-site scripting attack using the HTTP
Referer[sic] header field.
References:
http://www.macromedia.com/devnet/security/security_zone/mpsb03-06.html
*** SID-2003-3345 [ Microsoft ] Microsoft BizTalk Server virtual
directories weak permissions
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification: Vendor Confirmed
A default installation of Microsoft BizTalk Server 2000 or Microsoft
BizTalk Server 2002 creates several Microsoft Internet Information
Services (IIS) virtual directories. There are two virtual directories
configured with weak permissions.
References:
http://support.microsoft.com/default.aspx?scid=kb;en-us;824935
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010463.html
*** SID-2003-3350 [ Microsoft ] Microsoft Windows 2000 and XP URG memory
leak Vulnerability
Bugtraq ID:8531
CVE ID:NOT AVAILABLE
Verification: Single source
Michal Zalewski reported that Microsoft Windows 2000 and XP could
disclose sensitive information to attackers. If a data transfer is in
process when the initial SYN is sent, the URG value could contain
information from a previously sent packet, which could allow an attacker
to obtain sensitive information.
References:
http://archives.neohapsis.com/archives/bugtraq/2003-09/0260.html
http://archives.neohapsis.com/archives/vuln-dev/2003-q3/0113.html
*** SID-2003-3364 [ Midnight Commander ] Midnight Commander Remote Code
Execution
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification: Single source
Midnight Commander uses an uninitialized buffer when handling symlinks
in its VFS (tar, cpio). A stack overflow using a specially crafted
archive can be achieved to execute arbitrary code.
References:
http://www.securityfocus.com/archive/1/338231/2003-09-19/2003-09-25/0
*** SID-2003-3308 [ MiniHttpServer ] Minihttpserver 1.x Host Engine
Vulnerabilities
Bugtraq ID:8619 , 8620 , 8633
CVE ID:NOT AVAILABLE
Verification: Single source
Peter Winter-Smith has reported that WebForums and File-Sharing for NET
are prone to a remote directory traversal attack due to insufficient
sanitization of user-supplied data. These vulnerabilities in
Minihttpserver allow complete administrator access to the system
file/forum system and any file on the remote server.
References:
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0107.html
*** SID-2003-3342 [ Miro Construct Pty Ltd ] Mambo 4.0.14 Stable
Multiple Vulnerabilities
Bugtraq ID:8647
CVE ID:NOT AVAILABLE
Verification: Single source
Mambo 4.0.14 Stable is reported to have multiple bugs that could enable
attackers to obtain sensitive information like path, user id and
passwords. The attacker could also use the server for anonymous mailing.
References:
http://www.hackingzone.org/secviewarticle.php?id=11
*** SID-2003-3357 [ Multi-Vendor ] Hztty buffer overflows
Bugtraq ID:NOT AVAILABLE
CVE ID:CAN-2003-0783
Verification: Vendor Confirmed
Jens Steube has reported a pair of buffer overflow vulnerabilities in
hztty, a program to translate Chinese character encodings in a terminal
session. These vulnerabilities could be exploited by a local attacker to
gain root privileges on a system where hztty is installed.
Additionally, hztty incorrectly installs as setuid root, when it only
requires the privileges of group utmp.
References:
http://www.debian.org/security/2003/dsa-385
*** SID-2003-3320 [ Multi-Vendor ] KDM Privilege escalation with
specific PAM modules
Bugtraq ID:NOT AVAILABLE
CVE ID:CAN-2003-0690
Verification: Vendor Confirmed
KDE has announced that all versions of KDM as distributed with KDE up to
and including KDE 3.1.3 have a vulnerability that might grant local root
access to any user with valid login credentials.
References:
http://www.kde.org/info/security/advisory-20030916-1.txt
http://rhn.redhat.com/errata/RHSA-2003-269.html
http://rhn.redhat.com/errata/RHSA-2003-270.html
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:091
http://www.debian.org/security/2003/dsa-388
*** SID-2003-3321 [ Multi-Vendor ] KDM weak session cookie generation
algorithm
Bugtraq ID:NOT AVAILABLE
CVE ID:CAN-2003-0692
Verification: Vendor Confirmed
KDM's session cookie generation is weak and may allow unauthorized users
to guess the session cookie by brute force. Assuming hostname / IP
restrictions can be bypassed, this allows them to authorize to the
running session and gain full access to it.
References:
http://www.kde.org/info/security/advisory-20030916-1.txt
http://rhn.redhat.com/errata/RHSA-2003-270.html
http://rhn.redhat.com/errata/RHSA-2003-269.html
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:091
http://www.debian.org/security/2003/dsa-388
*** SID-2003-3338 [ Multi-Vendor ] Memory bugs in OpenSSH
Bugtraq ID:NOT AVAILABLE
CVE ID:CAN-2003-0682
Verification: Vendor Confirmed
OpenSSH versions 3.7.1 and prior contain some memory bugs.
References:
http://rhn.redhat.com/errata/RHSA-2003-279.html
http://rhn.redhat.com/errata/RHSA-2003-280.html
http://www.openpkg.org/security/OpenPKG-SA-2003.040-openssh.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000741
http://www.linuxsecurity.com/advisories/engarde_advisory-3649.html
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3654.html
http://www.suse.com/de/security/2003_039_openssh.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000744
*** SID-2003-3319 [ Multi-Vendor ] OpenSSH Buffer Management Error
Bugtraq ID:8628
CVE ID:CAN-2003-0693
Verification: Vendor Confirmed
A buffer management error was discovered in all versions of OpenSSH
prior to version 3.7.
References:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:12.openssh.asc
http://www.linuxsecurity.com/advisories/immunix_advisory-3627.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000739
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000740
http://www.debian.org/security/2003/dsa-382
http://www.linuxsecurity.com/advisories/gentoo_advisory-3629.html
http://www.linuxsecurity.com/advisories/suse_advisory-3632.html
http://rhn.redhat.com/errata/RHSA-2003-279.html
http://rhn.redhat.com/errata/RHSA-2003-280.html
http://www.linuxsecurity.com/advisories/engarde_advisory-3621.html
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:090
http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2003&m=slackware-security.374735
http://www.openbsd.org/errata.html#sshbuffer
http://www.cert.org/advisories/CA-2003-24.html
http://xforce.iss.net/xforce/alerts/id/144
http://www.kb.cert.org/vuls/id/333628
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-012.txt.asc
http://www.cisco.com/warp/public/707/cisco-sa-20030917-openssh.shtml
http://www.openpkg.org/security/OpenPKG-SA-2003.040-openssh.html
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:090-1
http://www.debian.org/security/2003/dsa-383
http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2003&m=slackware-security.368193
http://www.turbolinux.com/security/TLSA-2003-51.txt
http://www.linuxsecurity.com/advisories/trustix_advisory-3641.html
http://www.suse.com/de/security/2003_039_openssh.html
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3654.html
http://www.stonesoft.com/document/art/3031.html
http://www.netscreen.com/services/security/alerts/openssh_1.jsp
http://docs.info.apple.com/article.html?artnum=61798
http://www.bluecoat.com/downloads/support/BCS_OpenSSH_vulnerability.pdf
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56861&zone_32=category%3Asecurity
http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0309-282
*** SID-2003-3337 [ Multi-Vendor ] OpenSSH Multiple buffer management
errors in buffer_init and buffer_free
Bugtraq ID:NOT AVAILABLE
CVE ID:CAN-2003-0695
Verification: Vendor Confirmed
Buffer manipulation problems have been found in OpenSSH versions prior
to 3.7.1. These may allow attackers to cause a denial of service or
execute arbitrary code.
References:
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:090-1
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000741
http://rhn.redhat.com/errata/RHSA-2003-279.html
http://rhn.redhat.com/errata/RHSA-2003-280.html
http://www.openpkg.org/security/OpenPKG-SA-2003.040-openssh.html
http://www.debian.org/security/2003/dsa-382
http://www.debian.org/security/2003/dsa-383
http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2003&m=slackware-security.368193
http://www.openssh.com/txt/buffer.adv
http://www.openbsd.org/errata.html#sshbuffer
http://www.linuxsecurity.com/advisories/engarde_advisory-3649.html
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3654.html
http://www.suse.com/de/security/2003_039_openssh.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000744
*** SID-2003-3315 [ Multi-Vendor ] Pine Remote Integer Overflow
Vulnerability
Bugtraq ID:8589
CVE ID:CAN-2003-0721
Verification: Vendor Confirmed
Pine is a text-based mail and news client developed by the Washington
University. Pine versions 4.56 and earlier are vulnerable to an integer
overflow in the rfc2231_get_param function in the strings.c file. By
sending an email message with a specially crafted email header, a remote
attacker could overflow a buffer and execute arbitrary code on the
system once the victim opens the malicious email.
References:
http://www.idefense.com/advisory/09.10.03.txt
http://www.suse.com/de/security/2003_037_pine.html
http://rhn.redhat.com/errata/RHSA-2003-273.html
http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2003&m=slackware-security.347016
http://www.linuxsecurity.com/advisories/engarde_advisory-3607.html
http://rhn.redhat.com/errata/RHSA-2003-274.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000738
http://www.securityfocus.com/archive/1/337545/2003-09-13/2003-09-19/0
*** SID-2003-3327 [ Multi-Vendor ] Sendmail 8.12.9 prescan()
vulnerability
Bugtraq ID:8641
CVE ID:CAN-2003-0694
Verification: Vendor Confirmed
A bug has been identified in the Sendmail Mail Transfer Agent (MTA) that
can cause a buffer overflow. The vulnerability lies in Sendmail's header
handling code.
References:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010287.html
http://www.sendmail.com/security/
http://www.sendmail.org/8.12.10.html
http://rhn.redhat.com/errata/RHSA-2003-283.html
http://rhn.redhat.com/errata/RHSA-2003-284.html
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:092
http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2003&m=slackware-security.452857
http://www.openbsd.org/errata.html#sendmail
http://www.kb.cert.org/vuls/id/784980
http://www.cert.org/advisories/CA-2003-25.html
http://www.linuxsecurity.com/advisories/immunix_advisory-3652.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000742
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3655.html
http://www.debian.org/security/2003/dsa-384
http://www.turbolinux.com/security/TLSA-2003-52.txt
http://www.openpkg.org/security/OpenPKG-SA-2003.041-sendmail.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000746
http://forums.gentoo.org/viewtopic.php?t=86741
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56860&zone_32=category%3Asecurity
http://www.linuxsecurity.com/advisories/suse_advisory-3664.html
*** SID-2003-3336 [ Multi-Vendor ] Sendmail ruleset parsing buffer
overflow
Bugtraq ID:8649
CVE ID:CAN-2003-0681
Verification: Vendor Confirmed
Timo Sirainen has reported a buffer overflow in the ruleset parsing of
Sendmail 8.12.9. This occurs only when nonstandard rulesets are used.
References:
http://www.sendmail.org/8.12.10.html
http://rhn.redhat.com/errata/RHSA-2003-283.html
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010387.html
http://www.linuxsecurity.com/advisories/immunix_advisory-3652.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000742
http://www.debian.org/security/2003/dsa-384
http://www.turbolinux.com/security/TLSA-2003-52.txt
http://www.linuxsecurity.com/advisories/yellowdog_advisory-3655.html
http://www.kb.cert.org/vuls/id/108964
http://www.openpkg.org/security/OpenPKG-SA-2003.041-sendmail.html
http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000746
*** SID-2003-3363 [ myPHPNuke ] myphpnuke auth.inc.php SQL Injection
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification: Single source
Lifofifo has reported a SQL injection vulnerability in myphpnuke. The
vulnerable code is in auth.inc.php file. The author has also suggested
an unofficial fix.
References:
http://www.hackingzone.org/secviewarticle.php?id=8
*** SID-2003-3366 [ NetBSD ] NetBSD Sysctl Argument Handling
Vulnerabilities
Bugtraq ID:8643
CVE ID:NOT AVAILABLE
Verification: Vendor Confirmed
Three unrelated problems with inappropriate argument handling were found
in the kernel sysctl(2) code, which could be exploited by a malicious
local user.
References:
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-014.txt.asc
*** SID-2003-3311 [ Network Dweebs Corporation ] DSPAM Default
Permissions Vulnerability
Bugtraq ID:8623
CVE ID:NOT AVAILABLE
Verification: Vendor Confirmed
Due to the default installation permissions of DSPAM 2.6.5, any user
capable of executing the dspam agent can run commands with mail group
privileges.
References:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010091.html
*** SID-2003-3310 [ Nokia ] Nokia Electronic Documentation - Multiple
Vulnerabilities
Bugtraq ID:8624 , 8625 , 8626
CVE ID:CAN-2003-0801 , CAN-2003-0802 , CAN-2003-0803
Verification: Vendor Confirmed
@stake has reported several vulnerabilities in Nokia Electronic
Documentation (NED), the web-based documentation interface for many of
Nokia's cellular network products. These may allow attackers to conduct
cross-site scripting attacks, view directory listings of certain
directories under the web root, and use NED as a proxy server for HTTP
requests.
References:
http://www.atstake.com/research/advisories/2003/a091503-1.txt
*** SID-2003-3324 [ phpBB Group ] PHPBB Smiley Panel Cross Site
Scripting
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification: Single source
Benjamin Tolman has reported a cross site scripting vulnerability in
phpBB that can be exploited using specially crafted smiley panel inputs.
The injected code would be able to access the target administrator's
cookies.
References:
http://www.securityfocus.com/archive/1/337462/2003-09-07/2003-09-13/0
*** SID-2003-3328 [ Plug & Play Software Ltd ] Denial Of Service in Plug
& Play Web (FTP) Server
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification: Vendor Confirmed
Bahaa Naamneh has reported a denial of service vulnerability in Plug &
Play Web Server which can be exploited by connecting to the server and
issuing certain long commands.
References:
http://archives.neohapsis.com/archives/bugtraq/2003-09/0275.html
*** SID-2003-3341 [ Plug & Play Software Ltd ] Plug & Play Web Server
Directory traversal
Bugtraq ID:8645
CVE ID:NOT AVAILABLE
Verification: Vendor Confirmed
Plug & Play Web Server has a directory traversal vulnerability that
allows an attacker to gain read access to any file outside of the
intended web-published filesystem directory.
References:
http://www.securityfocus.com/archive/1/338090/2003-09-15/2003-09-21/0
*** SID-2003-3307 [ SCO ] SCO OpenServer local root privileges
vulnerability
Bugtraq ID:8616 , 8618
CVE ID:CAN-2003-0742
Verification: Vendor Confirmed
A vulnerability exists in the SCO Internet Manager (mana) program for
OpenServer (SCO Unix) that lets local users gain root level privileges.
References:
http://www.texonet.com/advisories/TEXONET-20030902.txt
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.19/CSSA-2003-SCO.19.txt
*** SID-2003-3353 [ Sep City ] Community Wizard Admin Access
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification: Vendor Confirmed
Bahaa Naamneh has reported a flaw in Community Wizard. It is possible to
gain admin access by using 'or''=' as the password and entering any user
name.
References:
http://www.securityfocus.com/archive/1/338298/2003-09-17/2003-09-23/0
*** SID-2003-3322 [ SGI ] SGI IRIX NFS export vulnerability
Bugtraq ID:8638
CVE ID:CAN-2003-0680
Verification: Vendor Confirmed
SGI has released a security advisory announcing that an NFS client can
avoid read-only restrictions on filesystems exported via NFS from a
server running IRIX 6.5.21 and mount them in read/write mode.
References:
ftp://patches.sgi.com/support/free/security/advisories/20030901-01-P
*** SID-2003-3317 [ Spider ] Spider heap overflow and buffer overflow
vulnerabilities
Bugtraq ID:8630
CVE ID:NOT AVAILABLE
Verification: Single source
Spider has been reported prone to a heap overflow condition when
handling HOME environment variables of excessive length. An attacker may
leverage this condition to corrupt adjacent malloc chunk headers with
attacker-supplied data contained in a malicious 'HOME' environment
variable. Although unconfirmed, it may ultimately be possible for a
local attacker to exploit this condition to execute arbitrary
instructions with GID games privileges.
References:
http://www.zone-h.org/en/advisories/read/id=3049/
*** SID-2003-3348 [ Sun ] JDK XALAN denial of service Vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification: Single source
A denial of service vulnerability was reported in the embedded XALAN
packages in JDK 1.4.x. The problem is that the methods of internal sun.*
classes can be made visible through an XSLT namespace in XSLT programs.
A remote attacker can inject an XSL template.
References:
http://archives.neohapsis.com/archives/bugtraq/2003-09/0281.html
*** SID-2003-3316 [ Sun ] Solaris sadmind Setting Remote Root
Exploitation Vulnerability
Bugtraq ID:8615
CVE ID:CAN-2003-0722
Verification: Vendor Confirmed
An exploit has surfaced that allows remote attackers to execute
arbitrary commands with super-user privileges against Solaris hosts
running the default RPC authentication scheme in Solstice AdminSuite.
References:
http://www.idefense.com/advisory/09.16.03.txt
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/56740
http://www.securityfocus.com/archive/1/338112/2003-09-16/2003-09-22/0
http://www.kb.cert.org/vuls/id/41870
*** SID-2003-3323 [ Symantec ] Multiple Vulnerabilities in Symantec
Antivirus for Windows Mobile
Bugtraq ID:8639 , 8640
CVE ID:NOT AVAILABLE
Verification: Single source
Symantec Antivirus for Windows Mobile has several vulnerabilities that
result in the real-time scan failing to protect against hostile code in
RAM and in the bypass of some detections.
References:
http://www.securityfocus.com/archive/1/337784/2003-09-14/2003-09-20/0
*** SID-2003-3332 [ Trademark Software ] TM-POP3 Registry Plaintext
Password Vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification: Single source
Ziv Kamir reported that TM-POP3 Server version 2.13 stores user
passwords in plain text in the server registry. A local attacker could
exploit this vulnerability by opening this registry to obtain sensitive
information.
References:
http://securitytracker.com/alerts/2003/Sep/1007728.html
*** SID-2003-3325 [ ufoot.org ] LiquidWar Buffer Overflow Vulnerability
Bugtraq ID:8629
CVE ID:NOT AVAILABLE
Verification: Single source
ZetaLABs (Zone-H Research Laboratories) has discovered a buffer overflow
in the game Liquidwar, an application contained in the Debian GNU/Linux
distribution.
References:
http://www.zone-h.org/en/advisories/read/id=3059/
*** SID-2003-3343 [ Valve Software ] Rcon plaintext passwords
Bugtraq ID:8651
CVE ID:NOT AVAILABLE
Verification: Single source
Alexander Hagenah has reported that rcon passwords can be sniffed. To
authenticate on the Half-Life game server you send your password. rcon
does not encrypt the password when it is sent, and the server receives it
in plaintext too. A sniffer with a few simple filter rules can recover
rcon passwords quickly and easily.
References:
http://www.securityfocus.com/archive/1/338113/2003-09-16/2003-09-22/0
*** SID-2003-3368 [ Washington University ] Wu_ftpd buffer overflow
vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification: Single source
Adam Zabrocki has reported a remote buffer overflow bug in wu_ftpd.
Reportedly, the bug does not manifest in the default installation but is
present when the server is configured to send emails containing the names
of uploaded files.
References:
http://www.securityfocus.com/archive/1/338436/2003-09-19/2003-09-25/0
*** SID-2003-3309 [ Wintel Software ] WideChapter Browser Buffer
Overflow Vulnerability
Bugtraq ID:8617
CVE ID:NOT AVAILABLE
Verification: Single source
It is possible to cause a buffer overflow in WideChapter Browser by
sending a long HTTP request, allowing complete control of the EIP
register; this can be maliciously altered to allow remote arbitrary code
execution. The vulnerability is due to a lack of boundary condition
checks on URL values.
References:
http://archives.neohapsis.com/archives/bugtraq/2003-09/0236.html
*** SID-2003-3318 [ Yahoo ] Yahoo! Webcam ActiveX control buffer
overflow vulnerability
Bugtraq ID:8634
CVE ID:NOT AVAILABLE
Verification: Vendor Confirmed
When a long value is set in the Yahoo! Webcam Viewer Wrapper ActiveX
control's "TargetName" property, a stack- or heap-based buffer overflow
occurs depending on the length of the string.
References:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010193.htm
============================================================================
Become a SINTRAQ Weekly member!
Send an email with the subject "subscribe sintraqweekly" to
sintraqweekly@...telli.com
Unsubscribe
To unsubscribe from this newsletter send an email with the subject
"unsubscribe sintraqweekly" to sintraqweekly@...telli.com
Your opinion counts.
We would like to hear your thoughts on SINTRAQ Weekly. Please email any
questions or comments to sintraqweekly@...telli.com
Copyright (c) 2003 Sintelli Limited All Rights Reserved.
http://www.sintelli.com
============================================================================
>>Did you know you can trial our vulnerability alerting solution <<
Click here
http://www.sintelli.com/free-trial.htm