[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <304e01c39294$2179ee80$0f0aa8c0@x2>
From: sintraq at sintelli.com (Sintelli SINTRAQ)
Subject: Weekly Vulnerability Summary, Week 41 2003
SINTRAQ Weekly Summary
Week 41, 2003
Created for you by SINTELLI, the definitive source of IT security
intelligence.
Welcome to the latest edition of SINTRAQ Weekly Summary. Information on how
to manage your subscription can be found at the bottom of the newsletter. If
you have any problems or questions, please e-mail us at
sintraqweekly@...telli.com
PDF version : http://www.sintelli.com/sinweek/week41-2003.pdf
=====================================================================
Highlights:
This week is Week 41 plus elements of Week 40, so the dates covered by this
summary are 02 October - 13October. The reason for this is Microsoft
surprised everyone by released MS03-40 on the evening of 03 October, thus we
thought it would be more useful to incorporate it into Week 41. Whilst
still on Microsoft there are two publicly available exploits for MS03-39
available at the K-otik web site:
http://www.k-otik.com/exploits/10.09.rpcdcom3.c.php
http://www.k-otik.com/exploits/10.09.rpcunshell.asm.php
Other items of note this week are multiple vulnerabilities in Adobe SVG,
Peoplesoft and Hummingbird Cyberdocs.
Until next week,
-- SINTELLI Research
www.sintelli.com
***Advertisement***********************************************************
Looking for a better way to manage your IP security?
Learn how Solsoft can help you:
- Ensure robust IP security through policy-based management
- Make firewall, VPN, and NAT rules interoperable across heterogeneous
networks
- Quickly respond to network events from a central console Download our FREE
whitepaper at:
http://www.solsoft.com/whitepaper_sintelli
***Advertisement***********************************************************
TABLE OF CONTENTS:
SID-2003-3467 [ Adobe ] Adobe SVG Viewer Active Scripting Bypass
SID-2003-3470 [ Adobe ] Adobe SVG Viewer Cross Domain and Zone Access
SID-2003-3469 [ Adobe ] Adobe SVG Viewer Local and Remote File Reading
SID-2003-3501 [ aziem ] prayerboard_db.php cross-site scripting
vulnerability
SID-2003-3495 [ Centrinity ] FirstClass Denial of Service Vulnerability
SID-2003-3522 [ Compaq ] HP Tru64 dtmailpr Unspecified Flaw
SID-2003-3472 [ Conexant Systems ] Conexant Access Runner DSL Console login
bypass vulnerability
SID-2003-3464 [ divine ] Divine OpenMarket Content Server XSS Vulnerability
SID-2003-3471 [ EFS Software ] Easy File Sharing Web Server Vulnerabilities
SID-2003-3481 [ EternalMart ] EternalMart Guestbook Execution of Arbitrary
Code
SID-2003-3480 [ EternalMart ] EternalMart Mailing List Manager Vulnerability
SID-2003-3497 [ freeguppy.org ] GuppY Cross Site Scripting and Files
Read/Write Vulnerabilities
SID-2003-3504 [ HP ] HP OVOW Unauthorised admin access
SID-2003-3505 [ HP ] HP SCM Unauthorised Access
SID-2003-3486 [ HP ] HPUX dtprintinfo buffer overflow vulnerability
SID-2003-3508 [ Hummingbird ] Hummingbird CyberDOCS error page installation
path disclosure
SID-2003-3509 [ Hummingbird ] Hummingbird CyberDOCS insecure file
permissions vulnerability
SID-2003-3507 [ Hummingbird ] Hummingbird CyberDOCS multiple cross-site
scripting vulnerabilities
SID-2003-3506 [ Hummingbird ] Hummingbird CyberDOCS SQL injection
SID-2003-3474 [ JBoss Group ] JBoss Remote Command Injection Vulnerability
SID-2003-3465 [ Juan Cespedes ] ltrace 'Library Call Tracer' Heap Overflow
SID-2003-3494 [ Kevin Lindsay ] slocate heap overflow
SID-2003-3516 [ Microsoft ] Buffer Overflow in Microsoft Word Macros
SID-2003-3482 [ Microsoft ] Microsoft Internet Explorer XML data binding
vulnerability
SID-2003-3503 [ Microsoft ] Microsoft Windows Media Player DHTML Local Zone
Access
SID-2003-3499 [ Microsoft ] Microsoft Windows PostThreadMessage API process
termination
SID-2003-3487 [ Microsoft ] Microsoft Windows Server 2003 Shell Folders
Directory Traversal
SID-2003-3489 [ muziqpakistan.net ] File inclusion vulnerability in PayPal
Store Front
SID-2003-3485 [ NetScreen ] Netscreen Leakage of Sensitive Information via
DHCP Offer
SID-2003-3483 [ OpenOffice.org ] Openoffice Denial of service Vulnerability
SID-2003-3468 [ Peoplesoft ] PeopleSoft Grid Option Vulnerability
SID-2003-3493 [ Peoplesoft ] PeopleSoft Information Disclosure Vulnerability
SID-2003-3490 [ Peoplesoft ] PeopleSoft Longchar and Varchar Data Upload
Vulnerability
SID-2003-3488 [ PHP-Nuke ] PHP-Nuke 6.6 SQL Injection
SID-2003-3478 [ PHP-Nuke ] PHP-Nuke 6.7 Arbitrary File Upload
SID-2003-3517 [ Planet ] Undocumented Superuser Account in Planet WGSD-1020
Switch
SID-2003-3492 [ S.u.S.E. ] SuSE Linux javarunt symlink attack
SID-2003-3491 [ S.u.S.E. ] SuSE Linux susewm symlink attack
SID-2003-3520 [ scripts4webmasters.com ] TRACKtheCLICK Script Injection
Vulnerabilities
SID-2003-3496 [ SNAP Innovation ] SNAP Innovations PrimeBase Database
Vulnerability
SID-2003-3521 [ SourceForge.net ] Gallery 1.4 file inclusion vulnerability
SID-2003-3484 [ SSH Communications Security ] SSH Vulnerability in BER
Decoding
SID-2003-3479 [ Sun ] Sun Cobalt RaQ Control Panel Cross-Site Scripting
SID-2003-3502 [ Techfirm ] XShisen Privilege Escalation Vulnerabilities
SID-2003-3473 [ Total War ] Medieval Total War client's crash and directory
traversal
SID-2003-3475 [ Total War ] Medieval Total War Fake players Denial of
Service
SID-2003-3477 [ Total War ] Medieval Total War long nickname Denial of
Service
SID-2003-3476 [ Total War ] Medieval Total War malformed nickname Denial of
Service
SID-2003-3498 [ Visualware ] VisualRoute LAN topology disclosure
Vulnerability
SID-2003-3500 [ Wrensoft ] Wrensoft Zoom Search Engine Cross-Site Scripting
Vulnerability
*** SID-2003-3467 [ Adobe ] Adobe SVG Viewer Active Scripting Bypass
Vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
GreyMagic Software identified an Active Scripting Bypass bug in Adobe SVG
Viewer prior. Scripts running in a SVG document ignore a browser's Active
Scripting security settings.
References:
http://www.greymagic.com/adv/gm002-mc/
*** SID-2003-3470 [ Adobe ] Adobe SVG Viewer Cross Domain and Zone Access
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
GreyMagic Software identified a Cross Domain and Zone Access bug in the
Adobe SVG Viewer (ASV). When an SVG document performs an "alert()" command,
an attacker can change the location (current URL) of the window and load a
victim domain.
References:
http://www.greymagic.com/adv/gm004-mc/
*** SID-2003-3469 [ Adobe ] Adobe SVG Viewer Local and Remote File Reading
Vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
GreyMagic Software has announced a file disclosure vulnerability in Adobe
SVG Viewer (ASV) 3.0.
Adobe SVG Viewer exposes several non-standard extensions, such as the
"postURL" and "getURL" methods. However, when a valid URL is supplied to
these methods, and then redirects to a local or remote file, the content of
that file is returned, allowing an attacker to read any file on the user's
computer and remote sites.
References:
http://www.greymagic.com/adv/gm003-mc/
*** SID-2003-3501 [ aziem ] prayerboard_db.php cross-site scripting
Vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
PHP Prayer Board versions prior to 0.52 are vulnerable to cross-site
scripting. An attacker could embed malicious script in a specially-crafted
URL request to the prayerboard.php script or the prayerboard_db.php script,
which would be executed in the victim's Web browser within the
security context of the hosting site, once the link is clicked.
References:
http://sourceforge.net/project/shownotes.php?group_id=56456&release_id=188861
*** SID-2003-3495 [ Centrinity ] FirstClass Denial of Service Vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
I2S LAB Security Advisory has reported a vulnerability in FirstClass. A
remote DoS vulnerability in the HTTP daemon could be caused by a Heap
Overflow overwriting a data pointer.
References:
http://www.packetstormsecurity.nl/0310-exploits/I2S-LAB-25-09-2003.txt
*** SID-2003-3522 [ Compaq ] HP Tru64 dtmailpr Unspecified Flaw
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
HP has released dupatch-based, Early Release Patch kits to fix a potential
vulnerability in HP Tru64 UNIX CDE code. No further details have been
provided by HP.
References:
http://www4.itrc.hp.com/service/cki/patchDocDisplay.do?patchId=T64KIT0019905-V51B20
http://www4.itrc.hp.com/service/cki/patchDocDisplay.do?patchId=T64KIT0019852-V40GB2
http://www4.itrc.hp.com/service/cki/patchDocDisplay.do?patchId=T64KIT0019666-V51AB2
http://www4.itrc.hp.com/service/cki/patchDocDisplay.do?patchId=T64KIT0019665-V51BB2
http://www4.itrc.hp.com/service/cki/patchDocDisplay.do?patchId=DUXKIT0019851-V40FB2
http://www4.itrc.hp.com/service/cki/patchDocDisplay.do?patchId=T64KIT0019667-V51AB2
*** SID-2003-3472 [ Conexant Systems ] Conexant Access Runner DSL Console
Login Bypass
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
Conexant Access Runner DSL Console Port 3.21 has a vulnerability that will
let a remote attacker bypass the login screen and have full admin rights
even if admin password is set.
References:
http://archives.neohapsis.com/archives/bugtraq/2003-10/0064.html
*** SID-2003-3464 [ divine ] Divine OpenMarket Content Server XSS
Vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
Valgasu has reported that OpenMarket does not properly filter HTML code from
user supplied input, when generating error messages. A remote attacker can
create a specially crafted URL that, when loaded by a target user, will
cause arbitrary scripting code to be executed by the target user's browser.
References:
http://archives.neohapsis.com/archives/bugtraq/2003-10/0057.html
*** SID-2003-3471 [ EFS Software ] Easy File Sharing Web Server
Vulnerabilities
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
Nimber has reported that Easy File Sharing Web Server 1.2 is prone to a
flood attack and information disclosure.
References:
http://archives.neohapsis.com/archives/bugtraq/2003-10/0083.html
*** SID-2003-3481 [ EternalMart ] EternalMart Guestbook Execution of
Arbitrary Code
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
Frog man has reported a remote file include vulnerability in EternalMart
Guestbook. The problem is that the "emgb_admin_path" parameter is not
properly verified in "auth_func.php" before it is used to include a file. A
remote attacker can execute arbitrary PHP code, including operating system
commands.
References:
http://archives.neohapsis.com/archives/bugtraq/2003-10/0062.html
*** SID-2003-3480 [ EternalMart ] EternalMart Mailing List Manager
Vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
Frog-m@n has reported a file inclusion bug in EternalMart Mailing List
Manager. The emml_admin_path" and "emml_path" parameters are not properly
verified in "auth.php" and "emml_email_func.php" before they are used to
include a file. The remote attacker can execute arbitrary PHP code.
References:
http://archives.neohapsis.com/archives/bugtraq/2003-10/0062.html
*** SID-2003-3497 [ freeguppy.org ] GuppY Cross Site Scripting and Files
Read/Write Vulnerabilities
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
Frogman has reported several vulnerabilities in GuppY version 2x. These
allow remote attackers to add arbitrary data to polls and writable files and
also learn the admin password hash.
References:
http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0005.html
*** SID-2003-3504 [ HP ] HP Openview Unauthorised admin access
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
HP has announced that OpenView VantagePoint for Windows 6.1/6.2 and OpenView
Operations for Windows 7.0/7.1/7.2 contain a vulnerability that could allow
unauthorized admin access of a node to other node admins..
References:
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMI0310-005
*** SID-2003-3505 [ HP ] HP SCM Unauthorised Access
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
HP has announced that HP 9000 servers running HP-UX B.11.00 and B.11.11 are
affected by an issue in ServiceControl Manager. The bug is due to MySQL
version 3.23.39, which is delivered with SCM 3.0.
References:
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0310-287
*** SID-2003-3486 [ HP ] HPUX dtprintinfo buffer overflow vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:CAN-2003-0840
Verification:Vendor Confirmed
Davide Del Vecchio reported a vulnerability in dtprintinfo in HP-UX version
B.11.00. An attacker can cause a buffer overflow.
References:
http://www.securityfocus.com/archive/1/340665/2003-10-05/2003-10-11/0
http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0310-289
*** SID-2003-3508 [ Hummingbird ] Hummingbird CyberDOCS error page
installation path disclosure
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
ProCheckUp has reported that in CyberDOCS (versions 3.5.1, 3.9, and 4.0),it
is possible to display the DM Web Server installation path in certain error
messages when incorrect logon credentials are entered.
References:
http://www.kb.cert.org/vuls/id/715548
http://www.procheckup.com/security_info/vuln_pr0305.html
*** SID-2003-3509 [ Hummingbird ] Hummingbird CyberDOCS insecure file
permissions vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
ProCheckUp has reported that Hummingbird CyberDOCS (Hummingbird DM) versions
3.5, 3.9, and 4.0 running on Microsoft Internet Information Services (IIS)
set insecure permissions on script source code files. A remote attacker
could read the contents of unprotected files.
References:
http://www.kb.cert.org/vuls/id/989580
http://www.procheckup.com/security_info/vuln_pr0302.html
*** SID-2003-3507 [ Hummingbird ] Hummingbird CyberDOCS multiple cross-site
scripting
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
ProCheckUp has reported that Hummingbird CyberDOCS (Hummingbird DM) versions
3.5.1, 3.9, and 4.0 are vulnerable to cross site scripting. These could
allow an attacker to obtain sensitive information and possibly impersonate a
legitimate user.
References:
http://www.kb.cert.org/vuls/id/488684
http://www.procheckup.com/security_info/vuln_pr0305.html
*** SID-2003-3506 [ Hummingbird ] Hummingbird CyberDOCS SQL injection
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
ProCheckUp has reported that Hummingbird CyberDOCS (Hummingbird DM) versions
prior to 3.9 are vulnerable to SQL injection attacks.
References:
http://www.kb.cert.org/vuls/id/368300
http://www.procheckup.com/security_info/vuln_pr0304.html
*** SID-2003-3474 [ JBoss Group ] JBoss Remote Command Injection
Vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:CAN-2003-0845
Verification:Vendor Confirmed
There is a command injection vulnerability that exists in an integral
component of the JBoss server, allowing remote attackers to obtain remote
access to vulnerable JBoss systems.
References:
http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0010.html
http://www.securityfocus.com/archive/1/340443/2003-10-05/2003-10-11/0
*** SID-2003-3465 [ Juan Cespedes ] ltrace 'Library Call Tracer' Heap
Overflow
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
Abhisek Datta of BFI Security Research Group has reported that ltrace
versions 0.3.10-12 are vulnerable to a heap based buffer overrun in the
'Library Call Tracer' utility. This allows execution of arbitrary code with
root privilege.
References:
http://lists.netsys.com/pipermail/full-disclosure/2003-October/011600.html
*** SID-2003-3494 [ Kevin Lindsay ] slocate heap overflow
Bugtraq ID:NOT AVAILABLE
CVE ID:CAN-2003-0847
Verification:Vendor Confirmed
Patrik Hornik has reported a heap overflow in slocate 2.6. The vulnerability
corrupts heap management structures and possibly leads to gaining slocate
group privileges, which allows reading global slocate database and thus
obtaining list of all files in the system by an unauthorized user.
References:
http://www.ebitech.sk/patrik/SA/SA-20031006.txt
http://www.ebitech.sk/patrik/SA/SA-20031006-A.txt
*** SID-2003-3516 [ Microsoft ] Buffer Overflow in Microsoft Word Macros
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
Microsoft Word documents which contain Macros are susceptible to a buffer
overflow.
References:
http://www.security.nnov.ru/search/document.asp?docid=5232
*** SID-2003-3482 [ Microsoft ] Microsoft Internet Explorer XML data binding
vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:CAN-2003-0809
Verification:Vendor Confirmed
Internet Explorer fails to determine an object type returned from a Web
server during XML data
binding. If a user visited an attacker's Web site, it could be possible for
the attacker to exploit this vulnerability without any other user action. An
attacker could also craft an HTML-based e-mail that would attempt to exploit
this vulnerability.
References:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-040.asp
http://support.microsoft.com/?kbid=828750
http://www.kb.cert.org/vuls/id/668380
*** SID-2003-3503 [ Microsoft ] Microsoft Windows Media Player DHTML Local
Zone Access
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
A vulnerability exists in Microsoft Windows Media Player where a malicious
script can be executed on a vulnerable system with privileges of the user.
References:
http://support.microsoft.com/default.aspx?scid=kb;en-us;828026
http://www.kb.cert.org/vuls/id/222044
*** SID-2003-3499 [ Microsoft ] Microsoft Windows PostThreadMessage API
allows processes to be terminated without permission
Bugtraq ID:8747
CVE ID:NOT AVAILABLE
Verification:Single source
Brett Moore has reported a flaw that lies in the way that processes handle
messages sent from another process via the PostThreadMessage() API call. If
a running process has a message queue and is sent one of 3 different
messages, the process may terminate.
References:
http://securityfocus.com/archive/1/339947
*** SID-2003-3487 [ Microsoft ] Microsoft Windows Server 2003 Shell Folders
Directory Traversal
Bugtraq ID:NOT AVAILABLE
CVE ID:CAN-2003-0839
Verification:Vendor Confirmed
Eiji James Yoshida has reported that Microsoft Windows Server 2003 is
vulnerable to directory traversal. A remote attacker is able to gain access
to the path of the %USERPROFILE% folder without guessing a target user name.
References:
http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html
http://support.microsoft.com/default.aspx?scid=829493
*** SID-2003-3489 [ muziqpakistan.net ] File inclusion vulnerability in
PayPal Store Front
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
Zone-H Security Team has discovered a flaw in PayPal Store Front v3.0
commercial and free version. The vulnerability exiyts in the index.php file
and it is possible for a remote attacker to include an
external file and execute arbitrary commands with the privileges of the
webserver.
References:
http://www.zone-h.org/en/advisories/read/id=3231/
*** SID-2003-3485 [ NetScreen ] Netscreen Leakage of Sensitive Information
via DHCP Offer
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
Potentially sensitive information such as encoded administrative usernames
and passwords may in some circumstances be included in DHCP Offer messages
generated by a NetScreen Firewall/VPN device acting as a DHCP Server.
References:
http://www.netscreen.com/services/security/alerts/10_01_03_57983_v003.jsp
*** SID-2003-3483 [ OpenOffice.org ] Openoffice Denial of service
Vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
Marc Schoenefeld has reported a vulnerability in open office version 1.1.0.
A remote attacker can cause denial of service in open office.
References:
http://www.securityfocus.com/archive/1/340663/2003-10-05/2003-10-11/0
*** SID-2003-3468 [ Peoplesoft ] PeopleSoft Grid Option Vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:CAN-2003-0841
Verification:Vendor Confirmed
I-Assure has reported that PeopleTools makes files available by storing them
on the web server for a period of time that is hard coded into the java
servlet. The file is stored in a directory with a random name, however, the
random directory name could be determined using automated tools and since
the file itself is not secured, it is potentially accessible by unauthorized
users.
References:
http://www.securityfocus.com/archive/1/340531/2003-10-05/2003-10-11/2
*** SID-2003-3493 [ Peoplesoft ] PeopleSoft Information Disclosure
Vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
I-Assure has reported that PeopleTools version 8.42 is vulnerable to
disclosure of potentially sensitive information. The <Control><J> hot key
can be used to obtain information about the application infrastructure.
References:
http://www.securityfocus.com/archive/1/340670/2003-10-05/2003-10-11/0
*** SID-2003-3490 [ Peoplesoft ] PeopleSoft Longchar and Varchar Data Upload
Vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
I-Assure has reported a vulnerability in PeopleTools version 8.42. It is
possible for a remote attacker to cause a denial of service.
References:
http://www.securityfocus.com/archive/1/340669/2003-10-05/2003-10-11/0
*** SID-2003-3488 [ PHP-Nuke ] PHP-Nuke 6.6 SQL Injection
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
Mod has reported that PHP-Nuke 6.6 is vulnerable to SQL injection. This is
from not filtering 'cid', which should be checked that it is only numeric.
This hole could allow viewing of password hashes if the database is mysql
4.x.
References:
http://www.securityfocus.com/archive/1/340664/2003-10-05/2003-10-11/0
*** SID-2003-3478 [ PHP-Nuke ] PHP-Nuke 6.7 Arbitrary File Upload
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
Frogman has reported a file upload bug in PHP-Nuke version 6.7. A remote
user can specify a filename containing '../' directory traversal characters
for the '$userfile_name' variable to cause the script to place the uploaded
file in a user-specified location.
References:
http://archives.neohapsis.com/archives/bugtraq/2003-10/0063.html
*** SID-2003-3517 [ Planet ] Undocumented Superuser Account in Planet
WGSD-1020 Switch
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
The Planet WGSD-1020 Switch is a 8-port + 2 Gigabit-port Managed Ethernet
Switch. It has been reported that the switch contains an undocumented
superuser account.
References:
http://www.security.nnov.ru/search/document.asp?docid=5233
*** SID-2003-3492 [ S.u.S.E. ] SuSE Linux javarunt symlink attack
Bugtraq ID:NOT AVAILABLE
CVE ID:CAN-2003-0846
Verification:Single source
A symlink vulnerability exists in the shell script
/sbin/conf.d/SuSEconfig.javarunt. This vulnerability can be used by a local
attacker to gain root privileges. An exploit has already been written, but
not made public.
References:
http://amor.rz.hu-berlin.de/~nordhaus/sec/vul/2_index.html
*** SID-2003-3491 [ S.u.S.E. ] SuSE Linux susewm symlink attack
Bugtraq ID:NOT AVAILABLE
CVE ID:CAN-2003-0847
Verification:Single source
A symlink vulnerability exists in the shell script
/sbin/conf.d/SuSEconfig.susewm. This vulnerability can be used by a local
attacker to gain root privileges.
References:
http://amor.rz.hu-berlin.de/~nordhaus/sec/vul/1_index.html
*** SID-2003-3520 [ scripts4webmasters.com ] TRACKtheCLICK Script Injection
Vulnerabilities
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
BrainRawt has reported that TRACKtheCLICK is vulnerable to script injection.
The User-Agent: and/or Referer fields can be spoofed to inject malicious
code.
References:
http://www.securityfocus.com/archive/1/341043/2003-10-09/2003-10-15/0
*** SID-2003-3496 [ SNAP Innovation ] SNAP Innovations PrimeBase Database
Vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
Larry W. Cashdollar reported two vulnerabilities in PrimeBase SQL Database
Server allowing malicious users to manipulate files and escalate privileges.
References:
http://www.securityfocus.com/archive/1/340402/2003-09-28/2003-10-04/0
*** SID-2003-3521 [ SourceForge.net ] Gallery 1.4 file inclusion
vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
Peter St?ckli of Rootquest has reported a vulnerability in Gallery 1.4. It
is possible to include any php file from a remote host, and execute it on
the target's server.
References:
http://www.securityfocus.com/archive/1/341044/2003-10-09/2003-10-15/0
*** SID-2003-3484 [ SSH Communications Security ] SSH Vulnerability in BER
Decoding
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
SSH Communications has announced a denial of service vulnerability in SSH. A
remote attacker can send malformed BER/DER packets to cause the target host
to crash.
References:
http://www.ssh.com/company/newsroom/article/476/
http://www.kb.cert.org/vuls/id/333980
*** SID-2003-3479 [ Sun ] Sun Cobalt RaQ Control Panel Cross-Site Scripting
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
Lorenzo Hernandez Garcia-Hierro has reported a cross-site scripting
vulnerability in the Sun Cobalt RaQ web-based control panel. With this hole
you can try to get the target user information trough the cgi script called
message.cgi by including script code in the info= variable value.
References:
http://lists.netsys.com/pipermail/full-disclosure/2003-October/011387.html
*** SID-2003-3502 [ Techfirm ] XShisen Privilege Escalation Vulnerabilities
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
Steve Kemp has reported that when XShisen is installed setgid, a local
attacker could pass a long argument to the program using the -KCONV command
line option to overflow a buffer and execute arbitrary code on the system
with set group id (setgid) 'games' privileges.
References:
http://marc.theaimsgroup.com/?l=secunia-sec-adv&m=106544230827172&w=2
*** SID-2003-3473 [ Total War ] Medieval Total War client's crash and
directory traversal
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
Luigi Auriemma has reported several vulnerabilities in Medieval Total War
(MTW) Client. By sending a long map name, a malicious server can crash a
client. The game is also vulnerable to a directory traversal bug.
References:
http://aluigi.altervista.org/adv/mtw2client-adv.txt
*** SID-2003-3475 [ Total War ] Medieval Total War Fake players Denial of
Service
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
Luigi Auriemma has reported a denial of service vulnerability in Medieval
Total War (MTW) Server. An attacker can easily fill the server (that
supports a maximum of 8 players) with some non-existent players.
References:
http://aluigi.altervista.org/adv/mtwfakep-adv.txt
*** SID-2003-3477 [ Total War ] Medieval Total War long nickname Denial of
Service
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
Luigi Auriemma has reported a denial of service vulnerability in Medieval
Total War (MTW) Server. The bug is in the management of the nicknames sent
by the clients and a nickname longer than 76 unicode chars causes the
immediate crash of the server and of all the connected clients. Longer
nicknames cause exceptions in other instructions.
References:
http://aluigi.altervista.org/adv/mtwdos-server-adv.txt
*** SID-2003-3476 [ Total War ] Medieval Total War malformed nickname Denial
of Service
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
Luigi Auriemma has reported a denial of service vulnerability in Medieval
Total War (MTW) Server. The bug is in the management of the nicknames sent
by the clients and a malformed nickname will cause a "Connection expired"
message to appear requiring a restart.
References:
http://aluigi.altervista.org/adv/mtwexp-server-adv.txt
*** SID-2003-3498 [ Visualware ] VisualRoute LAN topology disclosure
Vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Single source
Donnie Werner has reported that the VisualRoute could allow a remote
attacker to obtain sensitive information. By sending a request for an
internal IP address, a remote attacker could map the structure of the LAN.
References:
http://nothackers.org/pipermail/0day/2003-October/000201.html
*** SID-2003-3500 [ Wrensoft ] Wrensoft Zoom Search Engine Cross-Site
Scripting Vulnerability
Bugtraq ID:NOT AVAILABLE
CVE ID:NOT AVAILABLE
Verification:Vendor Confirmed
The Zoom Search engine does not properly filter user supplied input when
displaying the search results. This issue allows remote attacker to inject
malicious code in the target system. All the code will be executed within
the context of the website.
References:
http://www.sintelli.com/adv/sa-2003-02-zoomsearch.pdf
============================================================================
Become a SINTRAQ Weekly member!
Send an email with the subject "subscribe sintraqweekly" to
sintraqweekly@...telli.com
Unsubscribe
To unsubscribe from this newsletter send an email with the subject
"unsubscribe sintraqweekly" to sintraqweekly@...telli.com
Your opinion counts.
We would like to hear your thoughts on SINTRAQ Weekly. Please email any
questions or comments to sintraqweekly@...telli.com
Copyright (c) 2003 Sintelli Limited All Rights Reserved.
http://www.sintelli.com
***Advertisement***********************************************************
Looking for a better way to manage your IP security?
Learn how Solsoft can help you:
- Ensure robust IP security through policy-based management
- Make firewall, VPN, and NAT rules interoperable across heterogeneous
networks
- Quickly respond to network events from a central console Download our FREE
whitepaper at:
http://www.solsoft.com/whitepaper_sintelli
***Advertisement***********************************************************
Powered by blists - more mailing lists