From schaefer at alphanet.ch Wed Jun 2 14:11:01 2004
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Wed Jun 2 14:11:01 2004
Subject: [gull-annonces] Summary of SecurityFocus Newsletter #251
Message-ID: <20040602113957.GA3337@defian.alphanet.ch>

BNBT BitTorrent Tracker Denial of Service Vulnerability
BugTraq ID: 10399
Remote: Yes
Date Published: May 22 2004
Relevant URL: http://www.securityfocus.com/bid/10399
Summary:
BNBT BitTorrent Tracker versions Beta 7.5 release 2 and prior are affected by a flaw related to decoding of HTTP Basic Authentication credentials (util.cpp). If a client transmits to the server the credential string "A==", the server will crash. A check has been introduced in version 73_20040521 that will log exploitation attempts and return prematurely if a request is made with credentials "A==". This may not be enough to eliminate the vulnerability entirely. Version Beta 7.5 Release 3 removes the likely vulnerable code, but may break authentication on Big Endian systems.

[ BitTorrent is an efficient software-distribution system, itself free software written in Python; see http://bitconjurer.org/BitTorrent/. ]

Liferay Enterprise Portal Multiple XSS Vulnerabilities
BugTraq ID: 10402
Remote: Yes
Date Published: May 22 2004
Relevant URL: http://www.securityfocus.com/bid/10402
Summary:
It has been reported that Liferay Enterprise Portal is susceptible to multiple cross-site scripting and HTML injection vulnerabilities. User-supplied data from many input fields is included in server generated content without appropriate validation/encoding. This may allow for typical cross-site scripting attacks against other users of the portal.

[ A Yahoo-style portal implemented as EJBs (Java modules), for JBoss. ]

xpcd-svga Buffer Overflow Vulnerability
BugTraq ID: 10403
Remote: No
Date Published: May 23 2004
Relevant URL: http://www.securityfocus.com/bid/10403
Summary:
The xpcd-svga utility is susceptible to a locally exploitable buffer overflow condition. According to the report, xpcd-svga copies untrusted data into a buffer of predefined size without bounds checking. The procedure where this occurs is "pcd_open()", suggesting that the source of the data may be in the image file or photo disk.

[ xpcd-svga - PhotoCD tool collection: SVGA viewer ]

Netgear RP114 Content Filter Bypass Vulnerability
BugTraq ID: 10404
Remote: Yes
Date Published: May 24 2004
Relevant URL: http://www.securityfocus.com/bid/10404
Summary:
It is reported that users may bypass Netgear RP114 content filter functionality. This can be accomplished by making a URI request string that is over 220 bytes in length. This vulnerability may result in a false sense of security for a network administrator, where a malicious website is believed to be unreachable. In reality any host may contact blacklisted websites.

[ firmware ]

VocalTec VGW120/ VGW480 Telephony Gateway Remote H.225 Denia...
BugTraq ID: 10411
Remote: Yes
Date Published: May 24 2004
Relevant URL: http://www.securityfocus.com/bid/10411
Summary:
It has been reported that the VocalTec VGW120 and VGW480 Telephony Gateways are prone to a remote denial of service vulnerability. The issue is reported to exist in the ASN.1/H.323/H.225 stack. A remote attacker may exploit this issue to deny service to the affected appliances.

[ firmware ]

GNU Mailman Unspecified Password Retrieval Vulnerability
BugTraq ID: 10412
Remote: Yes
Date Published: May 25 2004
Relevant URL: http://www.securityfocus.com/bid/10412
Summary:
Mailman is prone to an unspecified password retrieval vulnerability. This vulnerability was disclosed by the vendor. Reportedly, a remote attacker can gain access to user passwords when the users subscribe to a mailing list.
A remote attacker can use the sensitive information to hijack user accounts or carry out other attacks. Mailman versions 2.1.4 and prior are prone to this issue. Due to a lack of details, further information is not available at the moment. This BID will be updated as more information becomes available.

HP Integrated Lights Out Remote Denial of Service Vulnerabil...
BugTraq ID: 10415
Remote: Yes
Date Published: May 26 2004
Relevant URL: http://www.securityfocus.com/bid/10415
Summary:
HP Integrated Lights Out (iLO) is prone to a remote denial of service vulnerability when LAN management products use TCP port 0 to access the iLO service. A successful attack can allow an attacker to cause the iLO service to crash, effectively denying service to legitimate users. iLO firmware prior to version 1.55 is prone to this vulnerability.

[ firmware ]

FreeBSD msync(2) System Call Buffer Cache Implementation Vul...
BugTraq ID: 10416
Remote: No
Date Published: May 26 2004
Relevant URL: http://www.securityfocus.com/bid/10416
Summary:
The FreeBSD msync(2) system call is prone to a vulnerability that can allow a local attacker to prevent modifications made to a file from being written to disk. Under certain circumstances, a local user with read access to a file can prevent modifications made to that file from being written to disk. It is conjectured that an attacker can potentially cause a denial of service if the attacker can influence a sensitive configuration file. Other attacks are possible as well. The attack would depend on the privileges held by the attacker.

3Com OfficeConnect Remote 812 ADSL Router Telnet Buffer Over...
BugTraq ID: 10419
Remote: Yes
Date Published: May 26 2004
Relevant URL: http://www.securityfocus.com/bid/10419
Summary:
3Com OfficeConnect Remote 812 ADSL Router is prone to a remotely exploitable buffer overflow through the telnet port. Exploitation of this vulnerability will likely result in a denial of service.

[ firmware ]

XFree86 XDM RequestPort Random Open TCP Socket Vulnerability
BugTraq ID: 10423
Remote: Yes
Date Published: May 27 2004
Relevant URL: http://www.securityfocus.com/bid/10423
Summary:
xdm is reported prone to a potential security vulnerability that may lead to a false sense of security. A problem in xdm is reported to result in a false sense of security: even though DisplayManager.requestPort is set to 0, xdm will open a chooserFd TCP socket on all interfaces.

Canon ImageRUNNER Remote Port Scan Denial of Service Vulnera...
BugTraq ID: 10425
Remote: Yes
Date Published: May 27 2004
Relevant URL: http://www.securityfocus.com/bid/10425
Summary:
imageRUNNER is prone to a remote denial of service vulnerability. This issue presents itself when a remote attacker carries out multiple port scans against port 80, which causes the network services offered by the printer to hang. The imageRUNNER 210 series is prone to this vulnerability.

[ firmware ]

3Com OfficeConnect Remote 812 ADSL Router Web Interface Auth...
BugTraq ID: 10426
Remote: Yes
Date Published: May 27 2004
Relevant URL: http://www.securityfocus.com/bid/10426
Summary:
3Com OfficeConnect Remote 812 ADSL Router is reportedly affected by an authentication bypass vulnerability through its web configuration interface. Successful exploitation of this issue would allow an attacker to gain administrative access to the affected device.

[ firmware ]

Subversion Pre-Commit-Hook Template Undisclosed Vulnerabilit...
BugTraq ID: 10428
Remote: No
Date Published: May 27 2004
Relevant URL: http://www.securityfocus.com/bid/10428
Summary:
Subversion is reported prone to an undisclosed vulnerability. The issue is reported to present itself due to an insecure implementation of the pre-commit-hook template. This BID will be updated as soon as further information regarding this vulnerability becomes available.
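Added example, not part of the newsletter, of this list post, or of BNBT's own util.cpp: the BID 10399 entry above describes a tracker crashing on the Basic Authentication credential string "A==", which is not well-formed base64 (one data character cannot carry a whole byte, and the length is not a multiple of four). The C code below is a strict decoder of the kind a server should run on such input: it refuses malformed or non-canonical input with an error return instead of decoding it, and a small Basic-auth splitter is built on top of it. The function names, the 512-byte working buffers and the sample credentials are constructed for this example; the "Aladdin" pair is the well-known one from RFC 2617.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Value of one base64 alphabet character, or -1 for anything else. */
static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/*
 * Strict RFC 4648 decoder. Returns 0 and sets *out_len on success, -1 on any
 * malformed input: length not a multiple of 4, '=' outside the final padding
 * positions, non-alphabet bytes, non-zero unused trailing bits, or an output
 * buffer that is too small. "A==" and "A===" are rejected here, not decoded.
 */
int b64_decode_strict(const char *in, unsigned char *out, size_t out_cap, size_t *out_len)
{
    size_t n = strlen(in);
    if (n == 0 || n % 4 != 0) return -1;

    size_t pad = 0;
    if (in[n - 1] == '=') {
        pad = 1;
        if (in[n - 2] == '=') pad = 2;
    }
    if (out_cap < n / 4 * 3 - pad) return -1;

    size_t o = 0;
    for (size_t i = 0; i < n; i += 4) {
        int last = (i + 4 == n);
        int v[4];
        for (int k = 0; k < 4; k++) {
            unsigned char c = (unsigned char)in[i + k];
            if (c == '=') {
                /* '=' is legal only in the last group, in its last `pad` slots */
                if (!last || k < 4 - (int)pad) return -1;
                v[k] = 0;
            } else if ((v[k] = b64_value(c)) < 0) {
                return -1;
            }
        }
        if (last) {
            /* bits with no output byte to go to must be zero (canonical form) */
            if (pad == 2 && (v[1] & 0x0f) != 0) return -1;
            if (pad == 1 && (v[2] & 0x03) != 0) return -1;
        }
        uint32_t triple = ((uint32_t)v[0] << 18) | ((uint32_t)v[1] << 12) |
                          ((uint32_t)v[2] << 6) | (uint32_t)v[3];
        out[o++] = (unsigned char)(triple >> 16);
        if (!(last && pad == 2)) out[o++] = (unsigned char)(triple >> 8);
        if (!(last && pad >= 1)) out[o++] = (unsigned char)triple;
    }
    *out_len = o;
    return 0;
}

/*
 * Split the value after "Basic " in an Authorization header into user and
 * password. Returns 0 on success, -1 if the base64 is malformed, the decoded
 * text is not "user:password", contains a NUL, or does not fit.
 */
int basic_auth_split(const char *b64, char *user, size_t user_cap, char *pass, size_t pass_cap)
{
    unsigned char dec[512];   /* constructed upper bound for this example */
    size_t n;
    if (b64_decode_strict(b64, dec, sizeof dec, &n) != 0) return -1;
    if (memchr(dec, '\0', n) != NULL) return -1;
    const unsigned char *colon = memchr(dec, ':', n);
    if (colon == NULL) return -1;
    size_t ulen = (size_t)(colon - dec);
    size_t plen = n - ulen - 1;
    if (ulen + 1 > user_cap || plen + 1 > pass_cap) return -1;
    memcpy(user, dec, ulen);
    user[ulen] = '\0';
    memcpy(pass, colon + 1, plen);
    pass[plen] = '\0';
    return 0;
}

/* 1 if b64 decodes to exactly want_user:want_pass, 0 if rejected or different. */
int basic_auth_matches(const char *b64, const char *want_user, const char *want_pass)
{
    char user[128], pass[128];
    if (basic_auth_split(b64, user, sizeof user, pass, sizeof pass) != 0) return 0;
    return strcmp(user, want_user) == 0 && strcmp(pass, want_pass) == 0;
}

/* 1 if s is well-formed strict base64, 0 otherwise. */
int b64_is_wellformed(const char *s)
{
    unsigned char buf[512];
    size_t n;
    return b64_decode_strict(s, buf, sizeof buf, &n) == 0;
}

int main(void)
{
    /* Constructed inputs: the crashing string from the advisory, variants, and a valid pair. */
    const char *samples[] = { "A==", "A===", "AA==", "QWxhZGRpbjpvcGVuIHNlc2FtZQ==" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char user[128], pass[128];
        if (basic_auth_split(samples[i], user, sizeof user, pass, sizeof pass) == 0)
            printf("%-30s accepted, user=%s\n", samples[i], user);
        else
            printf("%-30s rejected (malformed or not user:password)\n", samples[i]);
    }
    return 0;
}
```

The decoder treats everything it does not recognise as a reason to stop, which is the behaviour you want at an authentication boundary: a rejected credential costs one 401, a decoder that guesses costs the process. Logging the rejection, as the BNBT interim fix does, is the natural next step for detection.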
From schaefer at alphanet.ch Sat Jun 5 10:41:02 2004
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Sat Jun 5 10:41:02 2004
Subject: [gull-annonces] 30.6., ISG.EE: Talking about System Management
Message-ID: <20040605082722.GA1342@defian.alphanet.ch>

A conference on system administration and the management of a fleet of computers, in German, at ETH in Zürich on 30 June. Registration free (unless I am mistaken), limited places.

Talk: 30 June, ISG.EE: Talking about System Management
-------------------------------------------------------

Dear Ladies and Gentlemen,

I would like to draw your attention to the third event in 2004 of the seminar series "ISG.EE: Talking about System Management ..." of ISG.EE. This seminar series is aimed at everyone interested in professional system management and user support.

The seminar takes place on 30 June 2004 from 10:00 to 13:00 in ETL-E11 (Physikstrasse 3, 8092 Zürich) and has the following structure:

- Assignment, order, customer, supplier: orientation for my work as an IT service provider.
  Abstract: Using a simple model and a number of clarified terms, an orientation aid for the daily work and alignment of an IT service provider is presented, with which the best possible match between users' expectations and the provider's possibilities can be achieved. (Fritz Zaucker)

- Real Men Don't Click. How can Windows system management be automated?
  Abstract: Windows is very user- and administrator-friendly. Most tasks can be done intuitively and without much prior knowledge. It becomes problematic when hundreds of machines have to be managed, when updates or configuration changes have to be distributed to all devices within hours, or when I want an environment in which users can work without worry, without the fear of destroying their PC through a wrong move.
  In the presentation I will introduce ISG.EE's Windows concept. This includes the conceptual foundations, management procedures and a series of tools we have developed. (Tobias Oetiker)

- Joint lunch, exchange of experience and discussion.

The number of participants is limited. So that we can plan, binding registration is required (see website).
http://isg.ee.ethz.ch/events/j2004/talking_register.cgi
Registration will be confirmed. It is only possible to attend the whole event.

Further information about ISG.EE: Talking about System Management ..., including our weekly seminars, can be found at:
http://isg.ee.ethz.ch/events/

We look forward to an intensive professional and personal exchange.

Do you have something to report that would fit into our lecture series 'Talking about System Management ...'? Then please get in touch with me. Send your topic proposal and a short abstract of your talk to 'isgee-seminar at ee.ethz.ch'. We would especially like to invite participants from industry and business to present their experiences and concepts.

Kind regards

Roya Soleymani Kohler
D-ITET, Institut ISG.EE
E-Mail: roya at ee.ethz.ch

From schaefer at alphanet.ch Tue Jun 8 15:01:03 2004
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Tue Jun 8 15:01:03 2004
Subject: [gull-annonces] Summary of SecurityFocus Newsletter #252
Message-ID: <20040608121436.GA5090@defian.alphanet.ch>

Isoqlog Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 10433
Remote: Yes
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10433
Summary:
Isoqlog is prone to multiple buffer overflow vulnerabilities that span various source files and functions. Some of the vulnerabilities are remotely exploitable and may permit execution of arbitrary code in the context of the process.
Others are local in nature, but as the software is not typically installed setuid/setgid, should not present any security risk.

[ http://www.enderunix.org/isoqlog/, written in C ]

Spamguard Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 10434
Remote: Yes
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10434
Summary:
Spamguard is prone to multiple buffer overflow vulnerabilities that span various source files and functions. Some of the vulnerabilities are remotely exploitable and may permit execution of arbitrary code in the context of the process. Others are local in nature, but as the software is not typically installed setuid/setgid, should not present any security risk.

[ http://www.enderunix.org/spamguard/, analyses sendmail/qmail/postfix logs and reacts accordingly to avoid spam ]

gatos xatitv Missing Configuration File Privilege Escalation...
BugTraq ID: 10437
Remote: No
Date Published: May 29 2004
Relevant URL: http://www.securityfocus.com/bid/10437
Summary:
The gatos xatitv utility is prone to a local privilege escalation vulnerability. This issue may occur when the utility, which is installed setuid root, fails to drop privileges due to a missing configuration file. Unsanitized user-supplied environment variables may then be exploited to escalate privileges. It is noted that the software ships with a default configuration file, so exploitation would require that the file was removed at some point.

[ an application similar to xawtv, see http://www.debian.org/security/2004/dsa-509 ]

Linksys WRT54G Router World Accessible Remote Administration...
BugTraq ID: 10441
Remote: Yes
Date Published: May 31 2004
Relevant URL: http://www.securityfocus.com/bid/10441
Summary:
A weakness is reported to affect the Linksys WRT54G appliance. It is reported that the web based administration service is published to the WAN interface of the appliance, even when the remote administration functionality is disabled.
[ firmware ]

Firebird Remote Pre-Authentication Database Name Buffer Over...
BugTraq ID: 10446
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10446
Summary:
Firebird is reported prone to a remote buffer overrun vulnerability. The issue presents itself due to a lack of sufficient boundary checks performed when the database server is handling database names. A remote attacker may exploit this vulnerability, without requiring valid authentication credentials, to influence the execution flow of the affected Firebird database server. Ultimately this may lead to the execution of attacker-supplied code in the context of the affected software.

[ I assume this is the Firebird RDBMS, AKA Interbase, under a free licence, http://firebird.sourceforge.net/ ]

MIT Kerberos 5 KRB5_AName_To_Localname Multiple Principal Na...
BugTraq ID: 10448
Remote: Yes
Date Published: Jun 01 2004
Relevant URL: http://www.securityfocus.com/bid/10448
Summary:
Kerberos 5 is prone to multiple boundary condition errors that exist in the krb5_aname_to_localname() and helper functions and are due to insufficient bounds checking performed on user-supplied data. An additional boundary condition issue also exists in the krb5_aname_to_localname() function. The condition is reported to present itself in the explicit mapping functionality of krb5_aname_to_localname() as an off-by-one. These conditions may be theoretically exploitable to execute arbitrary code remotely in the context of the affected service. It is reported that the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname() must be enabled for these vulnerabilities to be present. Additionally it is necessary that the principal name used by the attacker to exploit the issue be listed in the explicit mapping list. These vulnerabilities are reported to affect all releases of MIT Kerberos 5, up to and including version krb5-1.3.3.
IBM Multiple Product Unspecified Credential Impersonation Vu...
BugTraq ID: 10449
Remote: Yes
Date Published: Jun 02 2004
Relevant URL: http://www.securityfocus.com/bid/10449
Summary:
Multiple IBM products are prone to an unspecified credential impersonation vulnerability. According to IBM this vulnerability may allow a remote attacker to gain access to resources and data, or gain control of the compromised application. It is reported that this attack can allow the attacker to exploit the usage of cookies and impersonate a legitimate user to gain unauthorized access. Due to a lack of details, further information is not available at the moment. This BID will be updated as more information becomes available.

[ I love this one. No information behind this information. Impossible to determine the licence of the software concerned. Impossible to assess the impact. One wonders whether it is not just there to be the first to say it. ]

Multiple Linksys Routers Gozila.CGI Denial Of Service Vulner...
BugTraq ID: 10453
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10453
Summary:
Multiple Linksys routers are reported vulnerable to a denial of service condition. The issues present themselves due to a lack of sufficient sanitization performed on parameters that are passed to the Gozila.CGI script. A remote attacker may potentially exploit these conditions to deny service to an affected appliance. It is reported that the device must be reset to the original factory defaults in order to restore normal device functionality.

[ firmware ]

Tripwire Email Reporting Format String Vulnerability
BugTraq ID: 10454
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10454
Summary:
Tripwire is affected by an email reporting format string vulnerability. This issue is due to a failure to properly implement a formatted string function.
This vulnerability will allow for execution of arbitrary code on a system running the affected software. This would occur in the security context of the user invoking the vulnerable application; typically the superuser.

**Update - It is reported that this issue only presents itself when the MAILMETHOD is sendmail.

Unix and Unix-based select() System Call Overflow Vulnerabil...
BugTraq ID: 10455
Remote: Unknown
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10455
Summary:
The select() system call may be vulnerable to an overflow condition, possibly allowing attackers to write data past the end of a fixed size buffer. select() uses arguments of type 'fd_set', which is of a fixed size in many Unix variants. fd_set is used to keep track of open file descriptors. If a process raises its rlimit for open files past 1024, it is theoretically possible to cause select to change individual bits past the end of the fixed size fds_bits structure. In theory, an attacker may be able to use this vulnerability to cause a denial of service condition, or possibly execute arbitrary code. It should be noted that rlimits can only be raised by root, and that only processes with rlimits allowing more than 1024 file descriptors would be affected. This is a theoretical issue, and it has not been confirmed by any vendor. This BID will be updated when further information is released.

[ Very general. Under the Linux kernel, as far as I know, a dynamic pointer-based structure is used internally and length checks are done. Besides, the problem is not necessarily at the system-call level: some systems implement select() in libc via poll(2). As a work-around in all cases: adjust the `hard limits' appropriately. Only root can raise them. See ulimit. ]

Sun Fire B1600 Network Management Port Remote Denial Of Serv...
BugTraq ID: 10458
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10458
Summary:
Sun Fire B1600 is reported prone to a remote denial of service vulnerability. The issue exists because the switch firmware will disable all of the network ports on the switch for a short period when an ARP datagram is received on the Network Management Port.

[ firmware ]

Netgear WG602 Wireless Access Point Default Backdoor Account...
BugTraq ID: 10459
Remote: Yes
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10459
Summary:
Netgear WG602 reportedly contains a default administrative account. This issue can allow a remote attacker to gain administrative access to the device. Netgear WG602 access point with firmware version 1.04.0 is reportedly affected by this issue. It is likely that other versions of the firmware are also vulnerable. It is reported that the new version (1.7.14) of the firmware for WG602 is vulnerable to this issue as well; however, the username and password for the backdoor account have been changed.

[ firmware ]

Michael Krax log2mail Log File Writing Format String Vulnera...
BugTraq ID: 10460
Remote: No
Date Published: Jun 03 2004
Relevant URL: http://www.securityfocus.com/bid/10460
Summary:
Michael Krax log2mail is reported prone to a log file writing format string vulnerability. This issue is due to a failure of the application to properly implement a formatted string function. This vulnerability will ultimately allow for execution of arbitrary code on a system running the affected software. This would occur in the security context of the user invoking the vulnerable application; typically the 'log2mail' user with group 'adm'.

mkdir Buffer Overflow Vulnerability
BugTraq ID: 10462
Remote: No
Date Published: Jun 02 2004
Relevant URL: http://www.securityfocus.com/bid/10462
Summary:
It is reported that mkdir is susceptible to a buffer overflow vulnerability.
An attacker with local access passes a long path to mkdir, which overflows a fixed buffer. mkdir is installed setuid root by default, as the mknod() system call can only be called by root. There is no mkdir() system call, so the mkdir command must use mknod to create a directory node, then populate the node with "." and ".." itself. A local attacker can exploit this issue to execute arbitrary code as root.

[ Under Linux, mkdir(2) is a system call, so this attack is impossible. It is true that some very old systems I used until 1992, such as SPIX 31 (SYSVR2), had no mkdir(2), so mkdir(1) did it by hand as described here, but frankly that approach has so many other problems ... Oh, and mknod(2) on modern systems can be called by ordinary users to create `named pipes'. ]

From schaefer at alphanet.ch Thu Jun 10 16:11:07 2004
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Thu Jun 10 16:11:07 2004
Subject: [gull-annonces] Open-04 in Sierre (Siders) on 11-12 June
Message-ID: <20040610140108.GA1879@defian.alphanet.ch>

[ posted from gull-org ]

Today I found, via [0], a reference to the Open-04 meeting in Sierre [1]. It will take place on 11 and 12 June in Sierre, during the comics festival, at the Haute Ecole du Valais, in collaboration with the Ecole Romande d'Art et de Communication ERACOM [1]. What immediately caught my eye is that the announcement is a poster in Word format [3], which does worry me somewhat in this context! Does anyone know one or more of these speakers and could tell us more? Unfortunately I am not free this weekend, otherwise I would have gone to form my own opinion on site.

Best regards
Myriam, secretary, Guillaume Tux

Links/liens:
[0] http://www.symlink.ch
[1] http://www.eracom-vd.ch/index.php3
[2] http://www.hevs.ch/
[3] http://www.eracom-vd.ch/IMG/doc/Affiche_Open04-HEVs_V03.doc

pub  1024D/86FCA592 2004-05-03 Myriam Rita Schweingruber (Work key)
     key-fingerprint = 5307 4896 120B 1B11 6470  A84F 92FB FD57 86FC A592
sub  2048g/91A1D903 2004-05-03

From schaefer at alphanet.ch Mon Jun 14 16:11:01 2004
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Mon Jun 14 16:11:01 2004
Subject: [gull-annonces] Course: SIB (security, integrity, backups)
Message-ID: <20040614140510.GA6133@defian.alphanet.ch>

Hello,

the SIB course (security, integrity, backups) will take place on Tuesday 22 June 2004.

Date: Tuesday 2004-06-22
Time: 19:30 to 22:00
Location: Grenier Bernois, Morges (address and map at http://www.linux-gull.ch/pv/images/AG2003plan.jpg)
Topic: Security, integrity, backups (SIB)
Audience: advanced users, system administrators
In charge: Marc SCHAEFER
Admission: GULL members or 50.-
Registration: recommended: http://www.linux-gull.ch/cours/
Reserved for GULL members or payment of 50.-.

Guide
Programme: (kept up to date at http://cvs.alphanet.ch/cgi-bin/cvsweb/~checkout~schaefer/public/cours/GULL/SIB/ORGANISATION)

From schaefer at alphanet.ch Wed Jun 16 22:51:03 2004
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Wed Jun 16 22:51:03 2004
Subject: [gull-annonces] Summary of SecurityFocus Newsletter #253
Message-ID: <20040616173749.GA640@defian.alphanet.ch>

cPanel Killacct Script Customer Account DNS Information Dele...
Multiple CPanel Perl Script Failure To Implement Taint Mode ...
cPanel Passwd Remote SQL Injection Vulnerability
BugTraq ID: 10468, 10479, 10505
Remote: Yes
Date Published: Jun 05 2004
Relevant URL: http://www.securityfocus.com/bid/10468
Summary:
cPanel is prone to a vulnerability that can allow a remote authenticated administrator to delete customer account DNS information for customers that are not administered by that administrator. This attack can allow an attacker to cause a denial of service condition against vulnerable Web sites.
Multiple Perl scripts that are distributed with cPanel are reported prone to a security weakness. The issues are reported to exist because the scripts do not run with taint mode. These weaknesses may be exploited in conjunction with the weakness described in BID 10478 in order to elevate privileges on a vulnerable system.

cPanel is reportedly affected by a remote SQL injection vulnerability in the passwd script. This issue is due to a failure of the application to properly sanitize user-supplied URI parameter input before using it in an SQL query. The problem presents itself when malicious SQL statements are passed to the 'passwd' script through URI parameters. As a result of this a malicious user may influence database queries in order to view or modify sensitive information, potentially compromising the software or the database.

PostgreSQL ODBC Driver Unspecified Remote Buffer Overflow Vu...
BugTraq ID: 10470
Remote: Yes
Date Published: Jun 07 2004
Relevant URL: http://www.securityfocus.com/bid/10470
Summary:
The PostgreSQL ODBC driver is reportedly prone to a remote buffer overflow vulnerability. This vulnerability was reported in a Debian advisory and may allow a remote attacker to crash a Web server used with the application. It is reported that this issue can be exploited by using a malicious script in order to cause a denial of service condition in the Web server. Due to a lack of details, further information is not available at the moment. This BID will be updated as more information becomes available. PostgreSQL version 7.2.1 is confirmed to be vulnerable at the moment; however, it is likely that other versions are affected as well.
Webmin Multiple Unspecified Vulnerabilities
BugTraq ID: 10474
Remote: Yes
Date Published: Jun 07 2004
Relevant URL: http://www.securityfocus.com/bid/10474
Summary:
Webmin is prone to multiple unspecified vulnerabilities that may allow an attacker to disclose sensitive information and carry out denial of service attacks against legitimate users of the application. The first issue can allow a user to disclose sensitive configuration information about any module regardless of the user's privileges. The second issue can allow an attacker to send fake credentials to the application that result in locking out legitimate users of Webmin. Webmin versions 1.140 and prior are affected by these issues.

IBM GSKit SSL Handshake Unspecified Denial of Service Vulner...
BugTraq ID: 10475
Remote: Yes
Date Published: Jun 07 2004
Relevant URL: http://www.securityfocus.com/bid/10475
Summary:
IBM Global Security Toolkit (GSKit) is susceptible to an unspecified denial of service vulnerability. IBM has reported that during SSL handshakes, malformed packets can either crash the affected application or cause a performance degradation. Multiple applications incorporate GSKit, and are therefore all affected by this vulnerability.

Linksys Web Camera Software Next_file Parameter File Disclos...
BugTraq ID: 10476
Remote: Yes
Date Published: Jun 07 2004
Relevant URL: http://www.securityfocus.com/bid/10476
Summary:
It is reported that Linksys Web Camera software is prone to a remote file disclosure vulnerability that may allow a remote attacker to disclose sensitive files. Linksys Web Camera software version 2.10 is reportedly prone to this issue; however, it is possible that other versions are affected as well.

[ firmware ]

ClueCentral Apache Suexec Patch Security Weakness
BugTraq ID: 10478
Remote: No
Date Published: Jun 07 2004
Relevant URL: http://www.securityfocus.com/bid/10478
Summary:
The cluecentral Apache suexec patch is reported prone to a local security weakness.
It is reported that the patch that is applied to Apache suexec makes suexec insecure. The patch reportedly removes security checks on insecure directory permissions and permits the execution of files owned by arbitrary users by the 'nobody' user. A local attacker who has permissions to create, publish and request PHP web content on the affected system may exploit this weakness in conjunction with other security vulnerabilities to achieve some degree of privilege escalation.

FreeBSD jail() Process Unauthorized Routing Table Modificati...
BugTraq ID: 10485
Remote: No
Date Published: Jun 07 2004
Relevant URL: http://www.securityfocus.com/bid/10485
Summary:
FreeBSD improperly allows routing updates from superuser processes inside jail() environments. An attacker that gains superuser privileges inside of a jailed process can send routing table changes. An attacker could corrupt the routing table of the server, denying network services to legitimate users. Attackers may also be able to perform connection-hijacking and redirection attacks, such as the SSH man-in-the-middle attack.

Blosxom Writeback Plug-in HTML Injection Vulnerability
BugTraq ID: 10488
Remote: Yes
Date Published: Jun 08 2004
Relevant URL: http://www.securityfocus.com/bid/10488
Summary:
Blosxom is prone to an HTML injection vulnerability. This issue presents itself when Blosxom is used in combination with the 'writeback' plug-in. This can allow an attacker to inject HTML and script code when posting comments on a vulnerable site. A successful attack can allow an attacker to steal cookie-based authentication credentials. Other attacks are possible as well. Blosxom version 2.0 is affected by this issue; however, other versions could be vulnerable as well.

U.S. Robotics Broadband Router 8003 Administration Web Inter...
BugTraq ID: 10490
Remote: Yes
Date Published: Jun 08 2004
Relevant URL: http://www.securityfocus.com/bid/10490
Summary:
U.S. Robotics Broadband Router 8003 is affected by an administration web interface insecure password vulnerability. This issue is due to a design error that allows the device's administrator password to be read in plain text. This issue would allow an attacker to gain administrative access to the affected device, allowing for the manipulation of such things as Internet access controls. This might also aid further attacks against computers on the local area network.

[ firmware ]

Roundup Remote File Disclosure Vulnerability
BugTraq ID: 10495
Remote: Yes
Date Published: Jun 08 2004
Relevant URL: http://www.securityfocus.com/bid/10495
Summary:
Roundup is prone to a remote file disclosure vulnerability. A remote user can disclose files on a vulnerable computer by using the /home/@@file/ prefix and '../' directory traversal sequences. This vulnerability affects Roundup 0.6.11 and prior versions.

[ A ticket-management system written in Python ]

OpenBSD ISAKMPD Security Association Piggyback Delete Payloa...
BugTraq ID: 10496
Remote: Yes
Date Published: Jun 08 2004
Relevant URL: http://www.securityfocus.com/bid/10496
Summary:
It is reported that OpenBSD's isakmpd daemon is susceptible to a remote denial of service vulnerability. An attacker is able to delete security associations and policies from IPSec VPNs by sending a malformed UDP ISAKMP packet to a vulnerable server. The malformed packet contains payloads for both setting up a new tunnel and deleting a tunnel. Isakmpd improperly acts upon the delete payload and terminates the associations and policies relating to the tunnel. It is possible to destroy security associations, effectively eliminating the VPN connection between gateways and denying service to legitimate users of the VPN.
GNU Aspell Stack Buffer Overflow Vulnerability
BugTraq ID: 10497
Remote: No
Date Published: Jun 08 2004
Relevant URL: http://www.securityfocus.com/bid/10497
Summary:
It is reported that the word-list-compress utility, which is part of aspell, contains a buffer overflow vulnerability. The word-list-compress utility is used for the compression and decompression of word lists. Improper bounds checking allows a buffer overflow condition, allowing code execution in the context of the victim's account. An attacker would have to have access to influence the contents of another user's dictionary to successfully exploit this issue, potentially through social engineering, improper file permissions, or a file association vulnerability.

CVS Multiple Vulnerabilities
BugTraq ID: 10499
Remote: Yes
Date Published: Jun 09 2004
Relevant URL: http://www.securityfocus.com/bid/10499
Summary:
CVS is prone to multiple vulnerabilities. The issues include a double free vulnerability, format string vulnerabilities, and integer overflows. There is also a null termination issue in the security patch for BID 10384, potentially leading to a server crash. Some of these issues may be leveraged to execute arbitrary code, while other issues may only result in a denial of service.

Squid Proxy NTLM Authentication Buffer Overflow Vulnerabilit...
BugTraq ID: 10500
Remote: Yes
Date Published: Jun 09 2004
Relevant URL: http://www.securityfocus.com/bid/10500
Summary:
Squid Web Proxy Cache is reportedly affected by a buffer overflow vulnerability when processing NTLM authentication credentials. This issue is due to a failure of the application to properly validate buffer boundaries when copying user-supplied input. This would allow an attacker to modify stack-based process memory in order to cause a denial of service condition and execute arbitrary code in the context of the vulnerable web proxy. This will most likely facilitate unauthorized access to the affected computer.
Horde IMP Unspecified Input Validation Vulnerability
BugTraq ID: 10501
Remote: Yes
Date Published: Jun 09 2004
Relevant URL: http://www.securityfocus.com/bid/10501
Summary:
Horde IMP is reportedly affected by an unspecified input validation vulnerability. This issue is due to input validation errors that arise when the application processes user-supplied input. This issue might be leveraged by an attacker to execute arbitrary HTML or script code in the browser of an unsuspecting user, facilitating session hijacking and theft of cookie-based authentication credentials.

Symantec Gateway Security 360R Wireless VPN Bypass Weakness
BugTraq ID: 10502
Remote: Yes
Date Published: Jun 09 2004
Relevant URL: http://www.securityfocus.com/bid/10502
Summary:
Symantec Gateway Security 360R may be prone to a weakness that could allow a remote attacker to establish an insecure wireless connection with an internal computer. This weakness reportedly affects Symantec Gateway Security 360R firmware 2.1 build 300 and build 415.
[ firmware ]

Cisco CatOS TCP-ACK Denial Of Service Vulnerability
BugTraq ID: 10504
Remote: Yes
Date Published: Jun 09 2004
Relevant URL: http://www.securityfocus.com/bid/10504
Summary:
It has been reported that Cisco CatOS is vulnerable to a denial of service attack. Improper initial TCP handshakes can cause affected devices to cease functioning and reboot. These improper connections can originate from spoofed source addresses, making it easier for an attacker to accomplish a denial of service attack. This vulnerability is only accessible if the device is running telnet, HTTP, or SSH services. IOS is not affected by this vulnerability.
[ firmware ]

Apache Mod_Proxy Remote Negative Content-Length Buffer Overf...
BugTraq ID: 10508
Remote: Yes
Date Published: Jun 10 2004
Relevant URL: http://www.securityfocus.com/bid/10508
Summary:
A remote buffer overflow vulnerability exists in Apache mod_proxy. The source of this issue is that a negative user-specified length value may be used in a memory copy operation, allowing for corruption of memory. This may be triggered if a remote server returns a negative Content-Length: HTTP header field to be passed through the proxy. Exploitation will likely result in a denial of service, though there is an unconfirmed potential for execution of arbitrary code on some platforms (such as BSD implementations). Versions that have the optional AP_ENABLE_EXCEPTION_HOOK define enabled may also be exploitable on some platforms. This issue affects Apache servers 1.3.26 through 1.3.31 that have mod_proxy enabled and configured. Apache 2.0.x releases are not affected by this issue.

smtp.proxy Remote Format String Vulnerability
BugTraq ID: 10509
Remote: Yes
Date Published: Jun 10 2004
Relevant URL: http://www.securityfocus.com/bid/10509
Summary:
smtp.proxy is prone to a remotely exploitable format string vulnerability. The vulnerability occurs in routines that log SMTP headers in email passed through the proxy. This issue may be exploited to execute arbitrary code.

Billion BIPAC-640 AE Administrative Interface Authentication...
BugTraq ID: 10510
Remote: Yes
Date Published: Jun 10 2004
Relevant URL: http://www.securityfocus.com/bid/10510
Summary:
Billion BIPAC-640 AE is reported prone to an authentication bypass vulnerability. The issue is reported to exist when a Mozilla Firefox or Opera Web Browser is used to access the Billion BIPAC-640 AE administrative interface. This vulnerability is reported to affect Billion BIPAC-640 AE firmware version 3.33; other versions might also be affected.
[ firmware; apparently they have a security check that lets you through if the client is not Microsoft IE ]

Edimax 7205APL 802.11b Wireless Access Point Default Backdoo...
BugTraq ID: 10512
Remote: Yes
Date Published: Jun 10 2004
Relevant URL: http://www.securityfocus.com/bid/10512
Summary:
The Edimax 7205APL is reported to contain a default backdoor account. This account is hard coded and cannot be removed. This account can be used to log into the device and create a backup of the configuration. This configuration contains all users and their corresponding passwords, allowing an attacker to then log into the device as administrator. The reported vulnerable device had firmware revision 2.40a-00. Other revisions may also contain similar backdoor accounts.
[ firmware ]

ksymoops ksymoops-gznm Insecure Temporary File Handling Symb...
BugTraq ID: 10516
Remote: No
Date Published: Jun 10 2004
Relevant URL: http://www.securityfocus.com/bid/10516
Summary:
Ksymoops ships with several scripts; one of these scripts is 'ksymoops-gznm'. It is reported that the 'ksymoops-gznm' script is prone to a local insecure temporary file handling symbolic link vulnerability. This issue is due to a design error that allows the application to insecurely write to a temporary file that is created with a predictable file name. The script will write to this file before verifying its existence; this would facilitate a symbolic link attack.

Subversion SVN Protocol Parser Remote Integer Overflow Vulne...
BugTraq ID: 10519
Remote: Yes
Date Published: Jun 11 2004
Relevant URL: http://www.securityfocus.com/bid/10519
Summary:
It is reported that Subversion is prone to a remote integer overrun vulnerability. The issue exists in the svn protocol parser and is due to a lack of sufficient bounds checking performed on svn URI strings that are transmitted by the client. If the URI string received is long enough, an integer overrun may occur where the size value of the URI string will wrap and be misrepresented. This may potentially result in corruption of heap memory management structures.
Usermin HTML Email Script Code Execution Vulnerability
BugTraq ID: 10521
Remote: Yes
Date Published: Jun 11 2004
Relevant URL: http://www.securityfocus.com/bid/10521
Summary:
Usermin is reportedly affected by a script code execution vulnerability when rendering HTML email messages. This issue is due to a failure to sanitize HTML email messages. This issue will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user, facilitating theft of cookie-based authentication credentials. This could potentially allow unauthorized access to user accounts on the computer.

Webmin Configuration Module Information Disclosure Vulnerabi...
BugTraq ID: 10522
Remote: Yes
Date Published: Jun 11 2004
Relevant URL: http://www.securityfocus.com/bid/10522
Summary:
Webmin is reportedly prone to a vulnerability that allows for unauthorized disclosure of the configuration of a module. This issue is due to an access validation error. This issue may allow an attacker to view the configuration of a module for the affected application, which may facilitate further attacks against the affected system.

Webmin And Usermin Account Lockout Bypass Vulnerability
BugTraq ID: 10523
Remote: Yes
Date Published: Jun 11 2004
Relevant URL: http://www.securityfocus.com/bid/10523
Summary:
Webmin and Usermin are affected by an account lockout bypass vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied input. This issue may be leveraged to carry out brute force authentication attacks against the affected computer, facilitating unauthorized access to the Webmin and Usermin accounts as well as the affected computer. It has been reported that this issue can also be leveraged to prevent users from logging in, although how this occurs is unspecified.
NetBSD Swapctl() Local Denial Of Service Vulnerability
BugTraq ID: 10529
Remote: No
Date Published: Jun 11 2004
Relevant URL: http://www.securityfocus.com/bid/10529
Summary:
NetBSD's swapctl() system call is reported susceptible to a local denial of service vulnerability. It manifests itself as an integer overflow condition in the swapctl() system call. This issue may be exploited by local users to trigger a kernel panic, effectively denying service to legitimate users. This has been fixed in NetBSD-current and the NetBSD-2-0 branch of CVS.

From schutz at mathgen.ch Tue Jun 22 04:53:01 2004
From: schutz at mathgen.ch (Frederic Schutz)
Date: Tue Jun 22 04:53:01 2004
Subject: [gull-annonces] Article in 24heures: "Les logiciels libres titillent l'informatique vaudoise" (Free software tickles Vaud IT)
Message-ID: <1087872646.40d79e86ddfd5@mail.hebweb.net>

The article is available at
http://www.24heures.ch/home/journal/gros_titres/index.php?Page_ID=6445&art_id=38237&Rubrique=Gros+titres
and an editorial on the same subject at
http://www.24heures.ch/home/journal/gros_titres/index.php?Page_ID=6445&art_id=38229&Rubrique=Gros+titres

[reference found on the PLLA list]

Frederic

From schaefer at alphanet.ch Wed Jun 23 15:11:05 2004
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Wed Jun 23 15:11:05 2004
Subject: [gull-annonces] SecurityFocus Newsletter #254 summary
Message-ID: <20040623125931.GA3743@defian.alphanet.ch>

Horde Chora Viewer Remote Command Execution Vulnerability
BugTraq ID: 10531
Remote: Yes
Date Published: Jun 13 2004
Relevant URL: http://www.securityfocus.com/bid/10531
Summary:
Horde Chora Viewer is reported to be prone to a remote command execution vulnerability. The vulnerability is reported to exist due to a lack of sanitization performed on values that may be user-supplied. Shell metacharacters that are included as a value for the affected URI parameter may result in attacker-specified shell commands being executed in an exec() call. Command execution will occur in the context of the affected web server. Chora versions up to and including version 1.2.1 are reported to be affected by this vulnerability.
[ Chora is a CVS browser :) ]

Mozilla Browser URI Obfuscation Weakness
BugTraq ID: 10532
Remote: Yes
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10532
Summary:
A weakness is reported in Mozilla that may allow an attacker to obfuscate the URI of a link. This could facilitate the impersonation of legitimate web sites in order to steal sensitive information from unsuspecting users. It is reported that the weakness exists when form method GET action URIs that are appended with the %2F encoded character, several space characters and an appended '.' URI are followed. Mozilla 1.6 and 1.7rc3 for Windows and Firefox 0.8 and 0.9rc for Windows are reportedly affected by this issue.

Linksys Web Camera Software Next_file Parameter Cross-Site S...
BugTraq ID: 10533
Remote: Yes
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10533
Summary:
It is reported that Linksys Web Camera software is prone to a cross-site scripting vulnerability that may allow a remote attacker to steal cookie-based authentication credentials or carry out other attacks. The problem presents itself when an attacker passes malicious HTML or script code to the application via the 'next_file' parameter of the 'main.cgi' script. Linksys Web Camera software version 2.10 is reportedly prone to this issue; however, it is possible that other versions are affected as well.
[ firmware ]

Immunix StackGuard Canary Corruption Handler Evasion Vulnera...
BugTraq ID: 10535
Remote: Yes
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10535
Summary:
Immunix StackGuard is affected by a canary corruption handler evasion vulnerability. This issue is due to a design error that allows an attacker to influence the execution flow of the canary corruption handling function. This issue may allow an attacker to bypass the security features of StackGuard and allow an attacker to manipulate the execution flow of the canary corruption handling function. It has been speculated that this issue will allow for code execution, although this has not been verified. This issue reportedly affects Immunix OS version 7.0; however, it is likely that other versions are affected as well.
[ StackGuard adds a `canary' -- a value chosen so as to detect stack corruption on return from functions. It has already been shown that this is not sufficient against all attacks, and here is a case of direct exploitation ]

Multiple Vendor Anti-Virus Scanner Remote Denial Of Service ...
BugTraq ID: 10537
Remote: Yes
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10537
Summary:
Multiple vendor anti-virus scanning software is reported prone to a remote denial of service vulnerability. The issue is reported to present itself when certain malicious archives containing large quantities of data are scanned. In the supplied example approximately 300 Gigabytes of data is archived in many different archive types. This archive may be transmitted to a client or submitted to an online anti-virus scanning service in order to crash the anti-virus software.
[ clamav is not vulnerable to the exploit currently in use; the DoS is correctly detected. ]

Linux Kernel Assembler Inline Function Local Denial Of Servi...
BugTraq ID: 10538
Remote: No
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10538
Summary:
The Linux Kernel is reportedly affected by a local denial of service vulnerability surrounding inline assembly functions. This issue is due to a design error that causes the application to fail to properly handle stack frame management. This issue may be leveraged by an attacker to cause the affected system to crash, denying service to legitimate users. Although only select Linux kernels are reported to be affected, it is likely that various other versions are vulnerable as well.
[ that is rather vague. ]

FreeIPS Protected Service Denial Of Service Vulnerability
BugTraq ID: 10541
Remote: Yes
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10541
Summary:
It is reported that FreeIPS is susceptible to a denial of service vulnerability. FreeIPS scans TCP connections for particular strings, defined by regular expressions. If a packet matches the regular expression, FreeIPS assumes malicious intent and attempts to close the TCP connection. It accomplishes this by sending TCP RST packets to both the client (attacker) and the server (victim TCP server). The software correctly generates a TCP RST+ACK packet to the originating client, but the packet sent to the server is incorrectly generated. The packet sent to the server contains invalid sequence and acknowledgment numbers and is ignored. An attacker can deny service to any TCP application protected by FreeIPS, denying network service to legitimate users. The attacker would have to know or guess a string pattern that matches a regular expression in FreeIPS to successfully exploit this vulnerability.
[ http://sourceforge.net/projects/freeips/, an IPS (Intrusion Prevention/Detection System), originally BSD, ]

VICE Monitor Memory Dump Format String Vulnerability
BugTraq ID: 10543
Remote: No
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10543
Summary:
VICE monitor is reported prone to a format string vulnerability. The issue is reported to exist when output from the monitor "memory dump" command is displayed. Memory contents are used without sanitization as the format string for a print formatted function. As a result, malicious memory contents containing format specifiers will be interpreted literally when a memory dump is performed; this may result in attacker-specified memory being corrupted in the context of the user who is running the VICE monitor memory dump command.
[ VIC-20 emulator ... ]

KAME Racoon IKE Daemon X.509 Improper Certificate Verificati...
BugTraq ID: 10546
Remote: Yes
Date Published: Jun 14 2004
Relevant URL: http://www.securityfocus.com/bid/10546
Summary:
It is reported that racoon improperly validates X.509 certificates when negotiating IPSec connections. When checking certificate validity, racoon ignores many errors from OpenSSL and grants access to invalid certificates. When ignoring these errors, racoon would allow improper certificates to be used when authenticating connections. This vulnerability would allow attackers to forge certificates and potentially gain access to IPSec VPNs. This would also effectively make all certificates permanent. The exact versions of racoon that are vulnerable are unknown at this time.

Thy HTTP Daemon Null Pointer Exception Denial Of Service Vul...
BugTraq ID: 10550
Remote: Yes
Date Published: Jun 15 2004
Relevant URL: http://www.securityfocus.com/bid/10550
Summary:
Thy HTTP Daemon is reportedly affected by a NULL pointer exception denial of service vulnerability. This issue is due to a failure of the application to handle malformed requests. Successful exploitation of this issue will cause the affected server to crash, denying service to legitimate users.
[ a lightweight POSIX HTTP daemon under the GPL ]

Cisco IOS Border Gateway Protocol Denial Of Service Vulnerab...
BugTraq ID: 10560
Remote: Yes
Date Published: Jun 16 2004
Relevant URL: http://www.securityfocus.com/bid/10560
Summary:
The problem presents itself when an affected device handles a malformed or invalid Border Gateway Protocol (BGP) packet. While processing the offending packet the affected device will reset. It should be noted that this issue only affects devices with BGP enabled; BGP is not enabled by default. It has been reported that this issue would be very difficult to exploit as it would require injecting malicious packets into communication between trusted peers. An attacker may exploit this issue to cause the affected device to reset, taking several minutes to become functional. It is possible to create a persistent denial of service condition by continually transmitting malformed packets to the affected device.
[ firmware ]

Linux Kernel I2C Bus Driver Integer Overflow
BugTraq ID: 10563
Remote: No
Date Published: Jun 17 2004
Relevant URL: http://www.securityfocus.com/bid/10563
Summary:
The Linux kernel has been reported to be vulnerable to an integer overflow in the inter-integrated circuit (I2C) bus driver. This issue is due to a failure of the offending driver to properly validate user-reported size values. This issue could be leveraged by an attacker to execute machine code with the privileges of the affected driver, potentially leading to privilege escalation and ring 0 access. It should be noted that in most cases I2C device files are by default only readable and writable by superusers; in such a case an attacker would have to have superuser privileges.
Linux Kernel Multiple Device Driver Vulnerabilities BugTraq ID: 10566 Remote: No Date Published: Jun 18 2004 Relevant URL: http://www.securityfocus.com/bid/10566 Summary: It has been reported that the Linux kernel is vulnerable to multiple device driver issues. These issues were found during a recent audit of the Linux kernel source. Drivers reportedly affected by these issues are: aironet, asus_acpi, decnet, mpu401, msnd, and pss. These issues may reportedly allow attackers to gain access to kernel memory or gain escalated privileges on the affected computer. MoinMoin Group Name Privilege Escalation Vulnerability BugTraq ID: 10568 Remote: Yes Date Published: Jun 18 2004 Relevant URL: http://www.securityfocus.com/bid/10568 Summary: It is reported that MoinMoin contains a privilege escalation vulnerability whereby regular users can gain administrative privileges. MoinMoin allows remote web clients to create their own user accounts without administrative intervention or approval. It is reported that if a user creates an account with the same name as an administrative group, the user will inherit the privileges of that same administrative group. An attacker would use this vulnerability to gain complete access to the MoinMoin Wiki, and could gain access to sensitive information, or destroy information. Versions before 1.2.2 are reported vulnerable. [ Wiki en Python ] Asterisk PBX Multiple Logging Format String Vulnerabilities BugTraq ID: 10569 Remote: Yes Date Published: Jun 18 2004 Relevant URL: http://www.securityfocus.com/bid/10569 Summary: It is reported that Asterisk is susceptible to format string vulnerabilities in its logging functions. An attacker may use these vulnerabilities to corrupt memory, and read or write arbitrary memory. Remote code execution is likely possible. Due to the nature of these vulnerabilities, there may exist many different avenues of attack. Anything that can potentially call the logging functions with user-supplied data is vulnerable. 
Versions 0.7.0 through to 0.7.2 are reported vulnerable. [ en particulier si vous contr?lez l'information de caller-id From schaefer at alphanet.ch Wed Jun 30 11:11:02 2004 From: schaefer at alphanet.ch (Marc SCHAEFER) Date: Wed Jun 30 11:11:02 2004 Subject: [gull-annonces] =?iso-8859-1?Q?R=E9sum?= =?iso-8859-1?Q?=E9?= SecurityFocus Newsletter #255 Message-ID: <20040630081750.GA2207@defian.alphanet.ch> Infoblox DNS One Script Injection Vulnerability BugTraq ID: 10573 Remote: Yes Date Published: Jun 19 2004 Relevant URL: http://www.securityfocus.com/bid/10573 Summary: The Infoblox DNS One appliance has been reported prone to a script injection vulnerability. A remote attacker could potentially gain access to the vulnerable device or potentially execute script on the computer used to access the device. The issue is only present if the device is being used for DHCP. [ `firmware' ] RSSH Information Disclosure Vulnerability BugTraq ID: 10574 Remote: Yes Date Published: Jun 19 2004 Relevant URL: http://www.securityfocus.com/bid/10574 Summary: rssh contains a vulnerability that could allow users within a chroot jail to determine the existence of files outside the chroot jail. Information gathered in this manner can be used to launch further attacks against the system. This vulnerability is reported to exist in rssh versions 2.0 to 2.1.x. super Local Format String Vulnerability BugTraq ID: 10575 Remote: No Date Published: Jun 19 2004 Relevant URL: http://www.securityfocus.com/bid/10575 Summary: super is prone to a locally exploitable format string vulnerability. The problem occurs due to the incorrect usage of programming functions designed to take formatted arguments. Because of this, attacker supplied format specifiers will be interpreted literally by the vulnerable program. This vulnerability may provide a conduit for an attacker to influence arbitrary writes into process memory space. 
Ultimately this vulnerability may be exploited in order to have arbitrary code executed with superuser privileges. **Update: This issue was originally believed to be a duplicate of BID 5367, however further reports indicate that this is not the case. Therefore this BID is reinstated. [ ca sert ? quoi? quelle license? ] WWW-SQL Include Command Buffer Overflow Vulnerability BugTraq ID: 10577 Remote: Yes Date Published: Jun 21 2004 Relevant URL: http://www.securityfocus.com/bid/10577 Summary: www-sql is reportedly vulnerable to a buffer overflow vulnerability in its include command implementation. This issue arises due to a failure of the affected application to properly handle user-supplied strings when copying them into finite stack-based buffers. An attacker can leverage this issue to manipulate process memory; by supplying program code as well as a specially selected memory address an attacker gain control of the processes execution flow allowing for arbitrary code execution. [ http://www.jamesh.id.au/software/www-sql/ ] rlpr msg() Function Multiple Vulnerabilities BugTraq ID: 10578 Remote: Yes Date Published: Jun 19 2004 Relevant URL: http://www.securityfocus.com/bid/10578 Summary: It is reported that rlpr is prone to multiple vulnerabilities. These vulnerabilities can allow a remote attacker to execute arbitrary code in order to gain unauthorized access. The application is affected by a format string vulnerability. This vulnerability presents itself due to insufficient sanitization of user-supplied data through the 'msg()' function. The 'msg()' function is also affected by a buffer overflow vulnerability. This issue occurs due to insufficient boundary checking and may also be exploited to gain unauthorized access to a vulnerable computer. rlpr versions 2.04 and prior are affected by these issues. [ voir http://www.debian.org/security/2004/dsa-524. Notons qu'on peut ?muler la fonctionnalit? 
de rlpr avec lpr -Plp at 1.2.3.4 avec lprng, m?me sans serveur local activ? ] monit Authentication Handling Buffer Overflow Vul... BugTraq ID: 10581 Remote: Yes Date Published: Jun 21 2004 Relevant URL: http://www.securityfocus.com/bid/10581 Summary: It is reported that monit is vulnerable to a buffer overflow vulnerability during authentication handling. This issue arises due to a failure of the affected application to properly handle user-supplied strings when copying them into finite stack-based buffers. Successful exploitation of this issue allows an attacker to execute arbitrary code as the superuser; facilitating unauthorized access and privilege escalation. [ moniteur / alerteur monit, http://www.tildeslash.com/monit/, GPL ] GNU Radius SNMP OID Remote Denial Of Service Vulnerability BugTraq ID: 10582 Remote: Yes Date Published: Jun 21 2004 Relevant URL: http://www.securityfocus.com/bid/10582 Summary: GNU Radius is reported prone to a remote denial of service vulnerability. The issue is reported to present itself when GNU Radius handles SNMP messages that contain invalid Object ID data. It is reported that this vulnerability will exist only when the affected Radius server is compiled with the '-enable-snmp' option. [ SNMP, ASN.1 dans toute sa gloire de buffer overflows. Radius est un protocole d'identification pour routeurs, concentrateurs, serveurs de terminaux, serveur PPP ] nCipher netHSM Logged Passphrase Information Disclosure Vuln... BugTraq ID: 10583 Remote: Yes Date Published: Jun 21 2004 Relevant URL: http://www.securityfocus.com/bid/10583 Summary: It is reported that nCipher's netHSM improperly logs passphrases entered via the netHSM front panel. Passphrases are improperly logged when entered on the front panel of the netHSM device, either through the built-in thumbwheel or a directly attached keyboard. Under certain configurations, these passphrases are also sent to a remote filesystem. 
If an attacker has access to the passphrases, it may aid them in further attacks. Exploitation of the netHSM infrastructure requires physical access to a hardware smartcard, the netHSM device, an acquired passphrase, and access to host data. If the passphrase is reused in a different context, an attacker may be able to launch further attacks. A firmware upgrade is available resolving this issue. [ firmware ] Multiple Vendor Broadband Router Web-Based Administration De... BugTraq ID: 10585 Remote: Yes Date Published: Jun 21 2004 Relevant URL: http://www.securityfocus.com/bid/10585 Summary: Multiple broadband routers from several different vendors, used for home and small office Internet sharing and routing are reported affected by a denial of service vulnerability in their web-based administration interfaces. The embedded web server is reportedly unable to maintain more than a small number of simultaneous TCP connections. An attacker who maintains a number of connections to port 80 of an affected device will block access to the web administration application for legitimate users. An attacker could block access to the administration interface as long as they can maintain the TCP connections. Netgear FVS318, Linksys BEFSR41, and Microsoft MN-500 devices are reported to be susceptible. [ firmware, probablement la m?me pile TCP/IP propri?taire ] D-Link AirPlus DI-614+ DHCP Log HTML Injection Vulnerability BugTraq ID: 10587 Remote: Yes Date Published: Jun 21 2004 Relevant URL: http://www.securityfocus.com/bid/10587 Summary: It is reported that the DI-614+ is susceptible to an HTML injection vulnerability in its DHCP log. An attacker who has access to the wireless segment of the router can craft malicious DHCP hostnames, that when sent to the router, will be logged for later viewing by the administrator of the device. The injected HTML can be used to cause the administrator to make unintended changes to the configuration of the router. Other attacks may be possible. 
Although only the DI-614+ is reported vulnerable, code reuse across devices is common and other products may also be affected. SqWebMail Email Header HTML Injection Vulnerability BugTraq ID: 10588 Remote: Yes Date Published: Jun 21 2004 Relevant URL: http://www.securityfocus.com/bid/10588 Summary: SqWebMail is reported to be prone to an email header HTML injection vulnerability. This issue presents itself due to a failure of the application to properly sanitize user-supplied email header strings. The problem presents itself when an unsuspecting user views an email message containing malicious HTML and script code in the email header. An attacker can exploit this issue to gain access to an unsuspecting user's cookie based authentication credentials. BT Voyager 2000 Wireless ADSL Router SNMP Community String ... BugTraq ID: 10589 Remote: Yes Date Published: Jun 22 2004 Relevant URL: http://www.securityfocus.com/bid/10589 Summary: BT Voyager 2000 Wireless ADSL Router is reported prone to a sensitive information disclosure vulnerability. It is reported that 'public' SNMP MIB community strings which, are world readable by default contain sensitive information pertaining to the internal protected network. Data collected by exploiting this vulnerability may be used in further attacks against the victim network. [ SNMP strikes again. Firmware ] ISC DHCPD Hostname Options Logging Buffer Overflow Vulnerabi... BugTraq ID: 10590 Remote: Yes Date Published: Jun 22 2004 Relevant URL: http://www.securityfocus.com/bid/10590 Summary: ISC DHCPD is prone to a remotely exploitable buffer overflow vulnerability. This issue exists in routines responsible for logging hostname options provided by DHCP clients. Successful exploitation could result in execution of arbitrary code in the context of the DHCPD server. This issue is reported to affect ISC DHCPD versions 3.0.1rc12 and 3.0.1rc13. 
The vulnerable code exists in previous versions of ISC DHCPD 3, but is only believed to be exploitable in these two releases.

ISC DHCPD VSPRINTF Buffer Overflow Vulnerability
BugTraq ID: 10591
Remote: Yes
Date Published: Jun 22 2004
Relevant URL: http://www.securityfocus.com/bid/10591
Summary:
ISC DHCPD is reported likely vulnerable to remotely exploitable buffer overflow vulnerabilities on systems which lack a vsnprintf() library function. On systems which lack the vsnprintf() library call, ISC DHCPD defines vsnprintf as:

    #define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)

This definition discards the size argument to the function, potentially allowing any occurrence of vsnprintf() to be exploitable by overflowing whatever intended buffer is passed to the library call. Other locations in DHCPD utilizing this function may be exploitable. Successfully exploiting this issue may lead to a denial of service condition, or remote code execution in the context of the DHCPD server. This issue is reported to affect ISC DHCPD versions 3.0.1rc12 and 3.0.1rc13.

[ GNU/Linux has vsnprintf. Not a problem for *this* platform. ]

Linux Kernel IEEE 1394 Integer Overflow Vulnerability
BugTraq ID: 10593
Remote: No
Date Published: Jun 22 2004
Relevant URL: http://www.securityfocus.com/bid/10593
Summary:
The driver for IEEE 1394 in the Linux kernel is reported to contain an integer overflow vulnerability. The driver contains a function called alloc_hpsb_packet(). This function takes an unsigned integer argument and uses it to allocate kernel memory. When allocating memory, the value is incremented, potentially overflowing the integer. There are multiple code paths leading to the vulnerable alloc_hpsb_packet() function, with multiple possible methods of exploiting this vulnerability. Successful exploitation could lead to a system crash, or possible code execution.

FreeBSD execve() Unaligned Memory Access Denial Of Service V...
BugTraq ID: 10596
Remote: No
Date Published: Jun 23 2004
Relevant URL: http://www.securityfocus.com/bid/10596
Summary:
It is reported that FreeBSD running on the Alpha architecture is susceptible to a denial of service vulnerability in its execve() system call. An attacker with local interactive user-level access on an affected machine is reportedly able to crash FreeBSD when running on the Alpha architecture, denying service to legitimate users. FreeBSD 5.1-RELEASE/Alpha is reported vulnerable; other architectures with strict memory alignment requirements are also likely vulnerable. IA32 is reported immune. Versions other than 5.1-RELEASE are likely affected as well.

cplay Insecure Temporary File Handling Symbolic Link Vulnera...
BugTraq ID: 10597
Remote: No
Date Published: Jun 23 2004
Relevant URL: http://www.securityfocus.com/bid/10597
Summary:
It is reported that cplay is prone to a local insecure temporary file handling symbolic link vulnerability. This issue is due to a design error that allows the application to insecurely write to a temporary file that is created with a predictable file name. The cplay utility will write to this file before verifying its existence; this would facilitate a symbolic link attack.

[ front-end to audio players, http://www.tf.hut.fi/~flu/cplay/ ]

Linux Kernel Broadcom 5820 Cryptonet Driver Integer Overflow...
BugTraq ID: 10599
Remote: No
Date Published: Jun 23 2004
Relevant URL: http://www.securityfocus.com/bid/10599
Summary:
It is reported that the bcm5820 Linux kernel driver contains an integer overflow vulnerability. The driver contains a function ubsec_ioctl() which is used to set up operating parameters for the driver. This function takes user-supplied data and copies it into kernel-space. When copying this data, a user-supplied length value is used in a calculation. This calculation could cause an integer overflow when allocating buffer space.
This vulnerability could lead to a system crash, or possible code execution in the context of the kernel. This driver is not present in the vanilla Linux kernel, nor is it standard in most distributions of Linux. Redhat 8, with Linux kernel 2.4.20, is confirmed to include the vulnerable driver, but others are also potentially vulnerable.

[ Broadcom drivers are often found on Dell machines, and their source, even though it is sometimes available, is not currently integrated into the kernel. ]

3Com SuperStack Switch Web Interface Denial Of Service Vulne...
BugTraq ID: 10601
Remote: Yes
Date Published: Jun 24 2004
Relevant URL: http://www.securityfocus.com/bid/10601
Summary:
It has been reported that 3Com SuperStack switches are affected by a denial of service vulnerability. This issue arises due to a failure of the device to handle exceptional input. This issue will allow an attacker to cause the affected device to reset, denying service to legitimate users.

[ firmware ]

GNU gzexe Temporary File Command Execution Vulnerability
BugTraq ID: 10603
Remote: Yes
Date Published: Jun 24 2004
Relevant URL: http://www.securityfocus.com/bid/10603
Summary:
Reportedly gzexe is affected by a temporary file command execution vulnerability. This issue is due to a failure of the application to properly handle exceptional conditions when attempting to create temporary files. This issue may allow an attacker to execute an arbitrary file in the context of an unsuspecting user; this may potentially lead to privilege escalation or unauthorized access.

[ gzexe compresses executables, which are then decompressed on the fly when run. Never used it. ]

Dr.Cat drcatd Multiple Local Buffer Overflow Vulnerabilities
BugTraq ID: 10608
Remote: No
Date Published: Jun 25 2004
Relevant URL: http://www.securityfocus.com/bid/10608
Summary:
Dr.Cat is reported prone to multiple local buffer overflow vulnerabilities.
These vulnerabilities exist due to insufficient boundary checks performed by certain functions of the application. These vulnerabilities may allow a local attacker to gain unauthorized access and/or elevated privileges on a vulnerable computer. An attacker may also be able to exploit this issue remotely; however, this cannot be confirmed at the moment. All versions of the application are considered to be vulnerable at this moment.

[ why not do alias rcat=ssh remote host cat or something equivalent? ]

GNU GNATS syslog() Format String Vulnerability
BugTraq ID: 10609
Remote: Yes
Date Published: Jun 25 2004
Relevant URL: http://www.securityfocus.com/bid/10609
Summary:
It is reported that GNU GNATS contains a format string vulnerability in its logging function. GNATS has the ability to log to various destinations: stderr, syslog() or a file. If an attacker devises a method of controlling the arguments to the logging function, they would be able to read or write arbitrary locations in memory. Code execution could be possible. GNU GNATS version 4.0 is reported vulnerable. Other versions may also be affected.

sysstat Multiple Local Buffer Overflow Vulnerabilities
BugTraq ID: 10610
Remote: No
Date Published: Jun 25 2004
Relevant URL: http://www.securityfocus.com/bid/10610
Summary:
sysstat is reported prone to multiple local buffer overflow vulnerabilities. It is reported that these vulnerabilities are not exploitable to execute arbitrary code. However, although unconfirmed, due to the nature of these vulnerabilities, the issue may be exploitable in order to execute arbitrary code on certain platforms or when certain compilers are used.

[ http://perso.wanadoo.fr/sebastien.godard/, oddly enough these are system administration utilities. Is the overflow in reading system data such as SYSV acct? Otherwise the exploit is worthless. ]

FreeS/WAN X.509 Patch Certificate Verification Vulnerability
BugTraq ID: 10611
Remote: Yes
Date Published: Jun 25 2004
Relevant URL: http://www.securityfocus.com/bid/10611
Summary:
FreeS/WAN X.509 patch is reported susceptible to a certificate verification vulnerability. When the vulnerable implementation is negotiating an IPSec connection using PKCS#7 wrapped X.509 certificates, it can be fooled into authenticating fake certificates. If an attacker crafts a Certificate Authority (CA) certificate and a user certificate with identical subjects, they can reportedly be improperly authenticated by FreeS/WAN. Using this vulnerability, an attacker could potentially successfully authenticate to a FreeS/WAN VPN server. Further attacks on machines now accessible to the attacker are likely possible.

**Update: This vulnerability was previously thought to exist in the FreeS/WAN application; however, new information suggests that the issue is present in the X.509 patch for the application.
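The vsnprintf fallback quoted in the ISC DHCPD entry above (BID 10591) drops the size argument. As an added example, not taken from the newsletter or from ISC's code, here is that macro beside a bounded C89 replacement, exercised through a hypothetical hostname-logging call modelled on that entry; the log format string, the 64-byte line buffer and the run-of-'A' hostname are constructed assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* The fallback described for ISC DHCPD 3.0.1rc12/rc13 on hosts lacking vsnprintf():
 * `size` is dropped, so nothing bounds the write. For comparison only; unused below. */
#define UNSAFE_VSNPRINTF(buf, size, fmt, list) vsprintf((buf), (fmt), (list))

/* Bounded replacement using only C89 facilities: format into a temporary file to
 * learn the full length, then copy at most size-1 bytes and NUL-terminate. Returns
 * the full length (C99 snprintf semantics) or -1 on error; buf may be NULL if size is 0. */
int bounded_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
    FILE *tmp = tmpfile();
    int needed; size_t copy = 0;
    if (tmp == NULL) { if (size) buf[0] = '\0'; return -1; }
    needed = vfprintf(tmp, fmt, ap);
    if (size > 0 && needed > 0) {
        copy = (size_t)needed < size - 1 ? (size_t)needed : size - 1;
        rewind(tmp);
        copy = fread(buf, 1, copy, tmp);
    }
    if (size > 0) buf[copy] = '\0';
    fclose(tmp);
    return needed;
}

int bounded_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap; int n;
    va_start(ap, fmt);
    n = bounded_vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Hypothetical log line modelled on the DHCPD hostname-logging scenario: the hostname
 * is a constructed run of hostlen 'A' bytes standing in for a client-supplied name.
 * Formats into a 64-byte line buffer through the bounded path; .stored is what landed in
 * the buffer, .needed the full length, so the unsafe macro would overflow when needed + 1 > 64. */
struct fmt_result { int stored, needed; };
struct fmt_result log_hostname(size_t hostlen)
{
    char host[512], line[64]; struct fmt_result r = { -1, -1 };
    if (hostlen >= sizeof host) return r;
    memset(host, 'A', hostlen); host[hostlen] = '\0';
    r.needed = bounded_snprintf(line, sizeof line, "DHCPREQUEST from host %s", host);
    r.stored = (int)strlen(line);
    return r;
}
```

A caller that checks the returned length against its buffer size sees the truncation that the length-discarding macro would have turned into an overflow.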