From schaefer at alphanet.ch Tue Mar 2 18:21:02 2004
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Tue Mar 2 18:21:02 2004
Subject: [gull-annonces] Summary of SecurityFocus Newsletter #238
Message-ID: <20040302170507.GA5413@defian.alphanet.ch>

XFree86 Direct Rendering Infrastructure Buffer Overflow Vuln...
BugTraq ID: 9701
Remote: Yes
Date Published: Feb 20 2004
Relevant URL: http://www.securityfocus.com/bid/9701
Summary:
XFree86 is a freely available open-source implementation of the X Window System.

It has been reported that XFree86 is prone to a denial of service. The condition reportedly can be caused by clients connecting to the X server using the GLX extension and Direct Rendering Infrastructure. The client may cause the X server to fail due to insufficient bounds checking on array indexes and integer sign errors.

Precise details of this vulnerability are not currently known. This record will be updated when more information becomes available.

PSOProxy Remote Buffer Overflow Vulnerability
BugTraq ID: 9706
Remote: Yes
Date Published: Feb 20 2004
Relevant URL: http://www.securityfocus.com/bid/9706
Summary:
PSOProxy is a web server designed to work with the Gamecube web browser, facilitating copying and formatting Phantasy Star Online snapshot files to a PC on the same network. Implemented in C++, it has been designed to run on Windows, Mac OS X, Unix and Unix-like operating systems.

It has been reported that PSOProxy is prone to a remote buffer overflow vulnerability. The issue is due to insufficient boundary checking of all remote server requests. Requests sent to the server of excessive size, approximately one kilobyte, may trigger an overflow condition, causing the process to raise an exception. The immediate consequence of such an exception is denial of service to legitimate users.

A malicious user may exploit this condition to potentially corrupt sensitive process memory in the affected process and ultimately execute arbitrary code with the privileges of the web server.

This issue has been reported to affect version 0.91 of the software; it is likely, however, that this issue affects earlier versions as well.

Jabber Software Jabber Gadu-Gadu Transport Multiple Remote D...
BugTraq ID: 9710
Remote: Yes
Date Published: Feb 21 2004
Relevant URL: http://www.securityfocus.com/bid/9710
Summary:
Jabber Gadu-Gadu Transport is a gateway that bridges the Jabber and Gadu-Gadu instant messaging protocols, facilitating communication between applications using the different protocols.

Multiple denial of service vulnerabilities have been identified in Jabber Gadu-Gadu Transport. These issues are due to the application failing to handle exceptional conditions.

Activation of the 'roster import' functionality will cause the gateway to crash when implemented using the Gadu-Gadu library libgadu 1.0 or greater, ultimately denying service to legitimate users. This issue is due to the application failing to deal with the reduced functionality in the later versions of the library.

The application fails to properly deal with registered users that attempt to re-register. If a user that is previously registered attempts to re-register, the application will enter an infinite loop, ultimately denying service to legitimate users.

Messages sent to the software that contain no '' tag will cause the application to fail, resulting in a denial of service condition.

Successful exploitation of any of these issues may cause the affected server to crash, denying service to legitimate users.

[ licence? ]

W3C Jigsaw Unspecified Remote URI Parsing Vulnerability
BugTraq ID: 9711
Remote: Yes
Date Published: Feb 21 2004
Relevant URL: http://www.securityfocus.com/bid/9711
Summary:
Jigsaw is an HTTP server produced by W3C. It is implemented in Java, and will run on a wide range of systems, including Microsoft Windows, Linux and other Unix-based systems.

Jigsaw is prone to an unspecified remote URI parsing vulnerability. This issue is reportedly due to a failure of the application to properly parse and sanitize user-supplied URI input. The problem revolves around the web server failing to properly handle URI separators.

The results of successful exploitation of this issue are currently unknown; however, it is conjectured that this issue may be leveraged to compromise web-server-readable files outside of the server root directory.

This BID will be updated as further details regarding this issue are disclosed.

Synaesthesia Insecure File Creation Vulnerability
BugTraq ID: 9713
Remote: No
Date Published: Feb 22 2004
Relevant URL: http://www.securityfocus.com/bid/9713
Summary:
Synaesthesia is an application designed to represent sounds visually. It is designed to run under Unix and Unix-like platforms and has been ported to run under Windows as well.

An insecure file creation vulnerability exists in Synaesthesia. This issue arises due to the creation of a configuration file by the process while running with root privileges. Upon execution the application creates the file '.synaesthesia' in the home directory of the executing user while holding root privileges. This issue is due to the software failing to properly determine if the file exists before attempting to create it.

A local attacker could exploit this issue by creating a symbolic link titled '.synaesthesia' pointing to a target system file. Upon execution, the Synaesthesia software will then write to the configuration file symbolic link, potentially destroying sensitive system data at the end of the link, which could result in denial of service.

Samhain Labs HSFTP Remote Format String Vulnerability
BugTraq ID: 9715
Remote: No
Date Published: Feb 23 2004
Relevant URL: http://www.securityfocus.com/bid/9715
Summary:
hsftp is an ftp emulator, designed to provide the look and feel of ftp while providing secure network communication via the ssh protocol. The application is freely available under the GNU General Public License and supports Linux and Unix-like platforms.

hsftp has been found to be prone to a remote print format string vulnerability. The problem presents itself when hsftp reads the contents of a directory and a file contained within has been labeled with a malicious name containing embedded format string specifiers. The source of the problem is incorrect use of a formatted printing function. As a result, format specifiers supplied in this manner will be interpreted literally and may result in attacker-specified memory being corrupted or disclosed. Ultimately this vulnerability could allow for execution of arbitrary code on the system implementing the affected software, which would occur in the security context of the server process.

It should be noted that when hsftp is installed with set-UID root permissions it only uses the escalated privileges to acquire locked memory containing the user password, and relinquishes them immediately afterwards.

nCipher Hardware Security Module Firmware Secrets Disclosure...
BugTraq ID: 9717
Remote: Yes
Date Published: Feb 23 2004
Relevant URL: http://www.securityfocus.com/bid/9717
Summary:
nCipher HSM (Hardware Security Module) is a software/appliance solution for a security infrastructure.

nCipher HSM firmware has been reported prone to a vulnerability that may provide for the disclosure of infrastructure and application keys. It has been reported that an attacker who has the ability to invoke commands with a vulnerable nCipher HSM may potentially exploit this vulnerability to peruse the affected module's run-time memory and disclose sensitive keys. Information disclosed by an attacker in this manner may then be used to aid in further attacks launched against the affected system.

It has been reported that only some versions of the nCipher HSM firmware are vulnerable to this issue. The commands needed to exploit the issue are available in some of nCipher's `nForce' series key-management HSMs, and were later only made available in the CodeSafe (SEE) procedures of the 'nShield' series of HSMs. These versions are only vulnerable if the GeneralSEE feature set has been enabled.

[ firmware ]

LiveJournal CSS HTML Injection Vulnerability
BugTraq ID: 9727
Remote: Yes
Date Published: Feb 23 2004
Relevant URL: http://www.securityfocus.com/bid/9727
Summary:
LiveJournal is a freely available web-based personal journal application distributed under the GNU Public License. It is implemented using Perl scripts and requires a MySQL database back end.

LiveJournal is reportedly prone to HTML injection via Cascading Style Sheet (CSS) tags. This issue is due to insufficient sanitization of journal input supplied in CSS styles. This may be exploited by creating a malicious style sheet with embedded script code in the journal entry, which also includes a reference to the style using the HTML CLASS attribute. In this manner, it is possible to inject hostile HTML and script code into journal entries. This could potentially be exploited to steal cookies from other site users. Other attacks are also possible.

Confirm E-Mail Header Remote Command Execution Vulnerability
BugTraq ID: 9728
Remote: Yes
Date Published: Feb 23 2004
Relevant URL: http://www.securityfocus.com/bid/9728
Summary:
Confirm is a Procmail script to prevent unsolicited e-mail using a whitelist.

Confirm is prone to a remote command execution vulnerability. The source of the vulnerability is that Confirm does not sufficiently sanitize malicious input before passing it through an external shell when invoking other programs. This issue is exposed when the script handles malicious input such as shell metacharacters in e-mail headers. Successful exploitation will allow for execution of shell commands in the context of the user invoking the script.

Gigabyte Gn-B46B Wireless Router Authentication Bypass Vulne...
BugTraq ID: 9740
Remote: Yes
Date Published: Feb 24 2004
Relevant URL: http://www.securityfocus.com/bid/9740
Summary:
Gigabyte Gn-B46B is a wireless router appliance. The appliance provides a web-based interface for router configuration; this interface is protected with an authentication procedure.

Gigabyte Gn-B46B has been reported prone to an authentication bypass vulnerability. It has been reported that an attacker may save the router HTML menu on a local machine; the attacker may then use this menu to access and configure an accessible router without requiring prior authentication. An attacker may exploit this issue to disclose sensitive information, or potentially to make configuration changes to the affected appliance.

[ firmware ]

Alcatel OmniSwitch 7000 Series Security Scan Denial Of Servi...
BugTraq ID: 9745
Remote: Yes
Date Published: Feb 25 2004
Relevant URL: http://www.securityfocus.com/bid/9745
Summary:
The Alcatel OmniSwitch 7000 series switches are multi-layer switching appliances.

A vulnerability has been reported in the handling of specific types of network traffic by OmniSwitch 7000 series systems. Because of this, an attacker may be able to deny service to legitimate users of a vulnerable switch.

The problem is in the handling of scans by third-party security software. It has been reported that several services run by default on an affected switch (ports 80, 260, 261 and 443). When the affected services of OmniSwitch 7000 series systems are scanned by third-party security software, the switch firmware becomes unstable. As a result of such scans, the switch reportedly reboots, impacting performance. In some circumstances the attack may result in a denial of service to the switched network. An attacker may exploit this issue to deny network services to hosts on a vulnerable switched network.

It should be noted that although the OmniSwitch 7000 series (7700, 7800) switches have been reported prone to this vulnerability, other versions including the OmniSwitch 8800 series might also be vulnerable.

[ firmware ]

MTools MFormat Privilege Escalation Vulnerability
BugTraq ID: 9746
Remote: No
Date Published: Feb 25 2004
Relevant URL: http://www.securityfocus.com/bid/9746
Summary:
Mtools is a collection of tools designed to allow users to access MS-DOS formatted discs from Linux operating systems. MFormat is a utility designed to enable the addition of an MS-DOS filesystem to a low-level formatted diskette. They are freely available under the GNU Public License.

It has been reported that mformat is prone to an insecure file creation vulnerability when installed as a setUID application. This issue is due to a design error allowing a user to create arbitrary files with permissions 0666 as the root user. It has also been reported that the application retains root privileges when reading local configuration files.

A local attacker could exploit this issue by forcing the creation of sensitive system files that already exist. When the application formats the specified files, the target system file will be overwritten, destroying sensitive system data. Since the files are given permissions 0666 and owned by root, the attacker may alter overwritten system configuration files, allowing for an escalation of privileges.

Mozilla Browser Zombie Document Cross-Site Scripting Vulnera...
BugTraq ID: 9747
Remote: Yes
Date Published: Feb 25 2004
Relevant URL: http://www.securityfocus.com/bid/9747
Summary:
Mozilla is a freely available web browser designed for a number of platforms, including Microsoft Windows and Linux.

Mozilla has been reported to be prone to a cross-site scripting vulnerability. This issue is due to a design error that allows event handlers in a web document from one domain to be executed in the context of another. This issue is due to the browser allowing a new web page to interact with a previously visited web page before the new page is completely loaded, producing a zombie document. This allows any script events that are activated within a certain time frame to be invoked in the context of the new web page, and thus facilitates cross-site scripting attacks.

The problem surrounds the use of event handlers inside HTML tags. Mozilla does attempt to deactivate these; however, it is possible to bypass this. This could permit a remote attacker to create a malicious web page that includes hostile event handling script code. If this page were to redirect to a target page when certain event handling code was activated, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the new page and may allow for theft of cookie-based authentication credentials or other attacks.

CalaCode @mail Webmail System Cross-Site Scripting Vulnerabi...
BugTraq ID: 9748
Remote: Yes
Date Published: Feb 26 2004
Relevant URL: http://www.securityfocus.com/bid/9748
Summary:
@mail Webmail System is a web-based e-mail software package. It can be installed with a SQL database or flat files.

A cross-site scripting vulnerability has been identified in the software that may allow an attacker to execute HTML or script code in a user's browser. It has been reported that the @mail 'util.pl' script is prone to a cross-site scripting vulnerability. The issue arises due to the script failing to properly sanitize user-supplied information. The 'Displayed Name' field is not properly sanitized of HTML tags. This could allow for execution of hostile HTML and script code in the web client of a user who visits a vulnerable web page. This would occur in the security context of the site hosting the software. Exploitation could allow for theft of cookie-based authentication credentials. Other attacks are also possible.

It has been reported that this issue affects @mail version 3.64; however, earlier versions may also be vulnerable.

[ licence? ]

From schaefer at alphanet.ch Wed Mar 10 11:01:02 2004
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Wed Mar 10 11:01:02 2004
Subject: [gull-annonces] Summary of SecurityFocus Newsletter #139
Message-ID: <20040310094746.GA537@defian.alphanet.ch>

NOTES

- Apparently SecurityFocus is no longer interested in telling us the role and the licences of the software, nor even the platforms. I will do my best to fill this in.
- The entries accepted are:
  - free software only
  - no games or chat clients/servers, etc.
  - no PHP (possibly if it concerns the core, but not random scripts)
  - firmware, as an exception.

calife local overflow
Remote: No
Date Published: Feb 27 2004
Relevant URL: http://www.securityfocus.com/bid/9756
Summary:
Calife is reportedly prone to a locally exploitable heap overrun vulnerability. This issue is due to insufficient bounds checking of password input. If this issue was successfully exploited to execute arbitrary code, it could potentially allow an unprivileged local user to gain root access.

It has been reported that this issue may actually be indicative of a more serious problem in the glibc implementation of the getpass() function. This has not been confirmed. This BID will be updated as more information is provided.

[ calife is a lightweight version of sudo ]

UUDeview MIME Archive Buffer Overrun Vulnerability
BugTraq ID: 9758
Remote: Yes
Date Published: Feb 27 2004
Relevant URL: http://www.securityfocus.com/bid/9758
Summary:
A buffer overrun vulnerability has been reported in UUDeview. This issue exists in the MIME parsing routines.
It is reported that this issue may be exploited via a malicious MIME archive that specifies excessively long strings for various parameters. This could be exploited to execute arbitrary code on a system in the context of a user who opens a malicious MIME archive using the UUDeview program.

It should be noted that UUDeview is shipped as a component of WinZip.

[ free software, available in some distributions ]

FreeBSD Unauthorized Jailed Process Attaching Vulnerability
BugTraq ID: 9762
Remote: No
Date Published: Feb 27 2004
Relevant URL: http://www.securityfocus.com/bid/9762
Summary:
A vulnerability was reported in FreeBSD that may permit a jailed process with superuser privileges to gain unauthorized access to other jails. This is due to an access validation issue in the jail_attach(2) system call.

GNU Anubis Multiple Remote Buffer Overflow and Format String...
BugTraq ID: 9772
Remote: Yes
Date Published: Mar 01 2004
Relevant URL: http://www.securityfocus.com/bid/9772
Summary:
GNU Anubis has been reported prone to multiple buffer overflow and format string vulnerabilities. It has been conjectured that a remote attacker may potentially exploit these vulnerabilities to have arbitrary code executed in the context of the Anubis software.

The buffer overflow vulnerabilities exist in the 'auth_ident' function in 'auth.c'. The format string vulnerabilities are reported to affect the 'info' function in 'log.c', the 'anubis_error' function in 'errs.c' and the 'ssl_error' function in 'ssl.c'.

These vulnerabilities have been reported to exist in GNU Anubis versions 3.6.0, 3.6.1, 3.6.2, 3.9.92, and 3.9.93. It is possible that other versions are affected as well.

These issues are undergoing further analysis; they will be divided into separate BIDs as analysis is completed.

Squid Proxy NULL URL Character Unauthorized Access Vulnerabi...
BugTraq ID: 9778
Remote: Yes
Date Published: Mar 01 2004
Relevant URL: http://www.securityfocus.com/bid/9778
Summary:
It has been reported that Squid Proxy may be prone to an unauthorized access vulnerability that may allow remote users to bypass access controls, resulting in unauthorized access to attacker-specified resources. The vulnerability presents itself when a URI that is designed to access a specific location with a supplied username contains '%00' characters. This sequence may be placed as part of the username value prior to the @ symbol in the malicious URI.

Squid Proxy versions 2.0 to 2.5 STABLE4 are reported to be prone to this vulnerability.

Motorola T720 Phone Denial Of Service Vulnerability
BugTraq ID: 9779
Remote: Yes
Date Published: Mar 01 2004
Relevant URL: http://www.securityfocus.com/bid/9779
Summary:
The Motorola T720 has been reported prone to a remote denial of service vulnerability. The issue presents itself when the phone handles excessive IP-based traffic under certain circumstances. An attacker may potentially exploit this issue to cause a target phone to crash.

[ firmware ]

ProFTPD _xlate_ascii_write() Buffer Overrun Vulnerability
BugTraq ID: 9782
Remote: Yes
Date Published: Mar 02 2004
Relevant URL: http://www.securityfocus.com/bid/9782
Summary:
A remotely exploitable buffer overrun was reported in ProFTPD. This issue is due to insufficient bounds checking of user-supplied data in the _xlate_ascii_write() function, permitting an attacker to overwrite two bytes of memory adjacent to the affected buffer. This may potentially be exploited to execute arbitrary code in the context of the server. This issue may be triggered when submitting a RETR command to the server.

Symantec Firewall/VPN Appliance Cached Plaintext Password Vu...
BugTraq ID: 9784
Remote: Yes
Date Published: Mar 02 2004
Relevant URL: http://www.securityfocus.com/bid/9784
Summary:
It has been reported that Symantec Firewall/VPN Appliance is prone to an issue where, depending on browser settings, administration password credentials may be stored in the browser/proxy cache in plaintext format.

Symantec Firewall/VPN Appliance Models 100, 200, 200R are reported to be prone to this vulnerability.

[ firmware ]

Nortel Wireless LAN Access Point 2200 Series Denial Of Servi...
BugTraq ID: 9787
Remote: Yes
Date Published: Mar 02 2004
Relevant URL: http://www.securityfocus.com/bid/9787
Summary:
Nortel Wireless LAN Access Point 2200 series appliances have been reported to be prone to a remote denial of service vulnerability. The issue is reported to present itself when a large network request is handled by one of the Wireless LAN Access Point default administration services. This will reportedly cause the Access Point Appliance Operating service to crash, effectively denying service to legitimate users.

[ firmware ]

SonicWall Firewall/VPN Appliance Multiple ARP Request Handli...
BugTraq ID: 9789
Remote: Yes
Date Published: Mar 02 2004
Relevant URL: http://www.securityfocus.com/bid/9789
Summary:
Several problems in the handling of ARP requests have been identified in SonicWall VPN and Firewall devices. Because of this, an attacker may be able to gain access to sensitive information about networks behind SonicWall devices. Denial of service attacks through affected devices are also possible.

[ firmware ]

NetScreen SA 5000 Series delhomepage.cgi Cross-Site Scriptin...
BugTraq ID: 9791
Remote: Yes
Date Published: Mar 02 2004
Relevant URL: http://www.securityfocus.com/bid/9791
Summary:
It has been reported that NetScreen SA 5000 Series may be prone to a cross-site scripting vulnerability that may allow an attacker to execute arbitrary HTML or script code in the browser of a vulnerable user. The issue presents itself due to insufficient sanitization of user-supplied data via the 'row' parameter of the 'delhomepage.cgi' CGI binary.

The vulnerability has been discovered in an appliance called A5030-Clustered pair running IVE firmware version 3.3 Patch 1 build 4797.

[ firmware ]

FreeBSD Out Of Sequence Packets Remote Denial Of Service Vul...
BugTraq ID: 9792
Remote: Yes
Date Published: Mar 02 2004
Relevant URL: http://www.securityfocus.com/bid/9792
Summary:
A problem in the handling of out-of-sequence packets has been identified in FreeBSD. Because of this, it may be possible for remote attackers to deny service to legitimate users of vulnerable systems.

Coreutils DIR Width Argument Integer Overflow Vulnerability
BugTraq ID: 9793
Remote: Unknown
Date Published: Mar 02 2004
Relevant URL: http://www.securityfocus.com/bid/9793
Summary:
Coreutils 'dir' has been reported prone to an integer overflow vulnerability. The issue reportedly presents itself when handling large integer value '-w' (width) command line arguments passed to the vulnerable application.

Due to the nature of this issue it may possibly be leveraged to deny service to applications that use the 'dir' utility. It has been conjectured that when invoked by an application with a malicious integer value passed via the '-w' argument, the affected application may hang while waiting for the utility to return output.

SureCom Network Device Malformed Web Authorization Request D...
BugTraq ID: 9795
Remote: Yes
Date Published: Mar 02 2004
Relevant URL: http://www.securityfocus.com/bid/9795
Summary:
An issue in the handling of specific web requests by SureCom network devices has been identified. By placing a malformed request to the web configuration interface, it is possible for an attacker to deny service to legitimate users of a vulnerable device.

[ firmware ]

QMail-QMTPD RELAYCLIENT Environment Variable Integer Overflo...
BugTraq ID: 9797
Remote: Yes
Date Published: Mar 03 2004
Relevant URL: http://www.securityfocus.com/bid/9797
Summary:
An integer overflow vulnerability has been reported in qmail-qmtpd. This issue exists in code that processes values supplied to qmail-qmtpd in RELAYCLIENT data. Though unconfirmed, this issue may be exploitable to execute arbitrary code with elevated privileges.

It should be noted that this issue does not exist in the default configuration and is only exposed if mail relaying is enabled by setting the RELAYCLIENT environment variable.

Multiple Vendor HTTP Response Splitting Vulnerability
BugTraq ID: 9804
Remote: Yes
Date Published: Mar 04 2004
Relevant URL: http://www.securityfocus.com/bid/9804
Summary:
A paper (Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics) was released to describe various attacks that target web users through web application, browser, web/application server and proxy implementations. These attacks are described under the general category of HTTP Response Splitting and involve abusing various input validation flaws in these implementations to split HTTP responses into multiple parts in such a way that response data may be misrepresented to client users. Exploitation would occur by injecting variations of CR/LF sequences into parts of HTTP response headers that the attacker may control or influence.

The general consequences of exploitation are that an attacker may misrepresent web content to the client, potentially enticing the user to trust the content and take actions based on this false trust. While the various implementations listed in the paper contribute to these attacks, this issue will most likely be exposed through web applications that do not properly account for CR/LF sequences when accepting user-supplied input that may be returned in server responses. This vulnerability could also aid in exploitation of cross-site scripting vulnerabilities.

Cisco Content Service Switch Management Port UDP Denial Of S...
BugTraq ID: 9806
Remote: Yes
Date Published: Mar 04 2004
Relevant URL: http://www.securityfocus.com/bid/9806
Summary:
A problem in the handling of some types of malformed UDP network traffic to the Cisco Content Service Switch management port has been identified. Because of this, it may be possible for an attacker to deny service to legitimate users of vulnerable systems.

[ firmware ]

From schaefer at alphanet.ch Thu Mar 11 10:01:02 2004
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Thu Mar 11 10:01:02 2004
Subject: [gull-annonces] Next GULL course by Marc
Message-ID: <20040311085320.GA2574@defian.alphanet.ch>

Hello,

the GULL has proposed that I give a course soon. The question of which topic to cover remains. That is why I am proposing 5 possibilities.

- GULL-UNIX-1: Basic UNIX concepts. Layered model. File systems. Users and groups. The shell (basics). X11. Linux extensions and particularities.
- GULL-UNIX-2: Networking and security under UNIX. OSI model. Application to TCP/IP. Ethernet, PPP. IP routing. Transport layer (TCP/UDP). Application layer (DNS, HTTP, FTP, NFS, SMTP, DHCP, NTP). Security (SSH, firewalls, VPNs).
- GULL-SIB: Security of a system. Integrity. Backup software and practical examples/applications. Intrusion detection.
- GULL-PERIPH: The parallel and serial interfaces. Application: relay control in Perl. The SCSI and USB buses. Application: user-space program reading data from a generic webcam, in C. Kernel-mode drivers. A few practical examples.
- GULL-PSQL: Advanced databases. Theoretical course with examples in PostgreSQL. ACID model. Transactions and isolation. Stored procedures. Data integrity. Active views.
Interfacage avec les applications (C, C++, Perl, OpenOffice.org) Pour innover un peu, je propose, plut?t que de me dire par mail ce que vous pr?f?rez ce qui me chargerait pas mal, d'utiliser mon interface KISS (Keep It Simple Stupid) de gestion d'?v?nement. Inscrivez-vous: http://login.alphanet.ch/~inscridb/cgi-bin/inscription.pl?mode=create_form de vous connecter ensuite via http://login.alphanet.ch/~inscridb/cgi-bin/inscription.pl et de s?lectionner `Voir les activit?s', puis de vous inscrire en indiquant le nombre de personnes qui viendront avec vous et votre moyen de transport. Inscrivez-vous ? toutes les conf?rences qui vous int?ressent. Elles seront donn?es ensuite par ordre d'int?r?t. Pour l'instant la date pour la premi?re conf?rence est fantaisiste, elle n'est pas encore fix?e. Merci de me contacter en priv? en cas de bugs avec le logiciel (attention au Reply-To!). PS: vous avez le droit d'?crire des donn?es fantaisistes si vous pr?f?rez. A l'avenir une authentification par la DB du GULL sera probablement impl?ment?e. From schaefer at alphanet.ch Wed Mar 17 08:41:01 2004 From: schaefer at alphanet.ch (Marc SCHAEFER) Date: Wed Mar 17 08:41:01 2004 Subject: [gull-annonces] =?iso-8859-1?Q?R=E9sum?= =?iso-8859-1?Q?=E9?= SecurityFocus Newsletter #240 Message-ID: <20040316190221.GA1450@defian.alphanet.ch> NFS-Utils rpc.mountd Denial Of Service Vulnerability BugTraq ID: 9813 Remote: No Date Published: Mar 06 2004 Relevant URL: http://www.securityfocus.com/bid/9813 Summary: An unspecified denial of service vulnerability exists in nfs-utils. It has been reported that certain DNS configurations may cause rpc.mountd to crash, potentially impacting availability of the DNS client at mount time. GNU Automake Insecure Temporary Directory Creation Symbolic ... 
BugTraq ID: 9816 Remote: No Date Published: Mar 08 2004 Relevant URL: http://www.securityfocus.com/bid/9816 Summary: It has been reported that GNU Automake may be prone to a symbolic link vulnerability that may allow an attacker to modify data or gain elevated privileges on a vulnerable system. This issue results due to insecure creation of directories during compilation. The attacker may potentially create symbolic links in the place of files contained in the affected directories, which may potentially lead to elevated privileges due to modification of data. GNU Automake versions prior to 1.8.3 are reported to be affected by this vulnerability. Network Time Protocol Daemon Integer Overflow Vulnerability BugTraq ID: 9818 Remote: No Date Published: Mar 08 2004 Relevant URL: http://www.securityfocus.com/bid/9818 Summary: The Network Time Protocol daemon (NTPd) may be prone to an integer overflow vulnerability that may cause integrity loss in a machine. It has been reported that if a client issues a request to a NTP server containing a date that is more than 34 years of the server's date, the server may calculate an erroneous offset reply. This issue could lead to a loss of integrity in a machine issuing a request to the NTP server as an erroneous time value would not correspond to logs and file creation and modification times, possibly disrupting the audit trail for security-related system and network events. NTPd versions 3 and prior are reported to be affected by this issue. Apache Mod_SSL HTTP Request Remote Denial Of Service Vulnera... BugTraq ID: 9826 Remote: Yes Date Published: Mar 09 2004 Relevant URL: http://www.securityfocus.com/bid/9826 Summary: mod_ssl has been reported to be prone to a remote denial of service vulnerability. It has been reported that the issue is as a result of a memory leak and will present itself when standard HTTP requests are handled on the SSL port of an affected Apache server. 
Apache Mod_Access Access Control Rule Bypass Vulnerability
BugTraq ID: 9829
Remote: Yes
Date Published: Mar 09 2004
Relevant URL: http://www.securityfocus.com/bid/9829
Summary:
Apache mod_access has been reported to be prone to an access rule bypass vulnerability. When an Allow or Deny rule is specified and an IP address is used in the rule without a netmask, the affected module may fail to match the rule. As a result of this vulnerability, access controls may not be enforced correctly.

Confixx DB Parameter SQL Injection Vulnerability
BugTraq ID: 9830
Remote: Yes
Date Published: Mar 09 2004
Relevant URL: http://www.securityfocus.com/bid/9830
Summary:
It has been reported that an input validation error with the potential for use in a SQL injection attack is present in the "db_mysql_loeschen2.php" script. When a user is requesting the "db_mysql_loeschen2.php" script, one of the parameters that can be passed to the script is "db". There are no checks on the value of this variable before it is used in an SQL query string. Consequently, malicious users may corrupt the resulting SQL queries by specially crafting a value for the "db" variable.

Confixx Perl Debugger Remote Command Execution Vulnerability
BugTraq ID: 9831
Remote: Yes
Date Published: Mar 09 2004
Relevant URL: http://www.securityfocus.com/bid/9831
Summary:
The Confixx PERL debugging utility functionality has been reported to be prone to a remote command execution vulnerability. The issue is reported to occur when a command sequence is appended to an HTTP request for a PERL script resource; the command sequence must contain a prefixed ';' semi-colon character. When this request is processed, the command sequence will reportedly be executed with the privileges of the process that invokes the Confixx PERL debugging utility.
WU-FTPD restricted-gid Unauthorized Access Vulnerability
BugTraq ID: 9832
Remote: Yes
Date Published: Mar 09 2004
Relevant URL: http://www.securityfocus.com/bid/9832
Summary:
It has been reported that the WU-FTPD FTP server is prone to an unauthorized access vulnerability. The issue is related to the "restricted-gid" feature supported by WU-FTPD. This feature allows an administrator to restrict FTP user access to certain directories. The vulnerability reportedly allows users to bypass those restrictions by modifying the permissions on their home directory so that they themselves can no longer access it. Under such circumstances, the server may grant the user unauthorized access to the root directory. Further technical details are not known at this time. This record will be updated as more information becomes available. This BID is created in response to Two Possibly New WU-FTPD Vulnerabilities BID 9820. BID 9820 is being retired.

Python getaddrinfo Function Remote Buffer Overflow Vulnerabi...
BugTraq ID: 9836
Remote: Yes
Date Published: Mar 10 2004
Relevant URL: http://www.securityfocus.com/bid/9836
Summary:
It has been reported that Python may be prone to a remote buffer overflow vulnerability that may allow an attacker to execute arbitrary code on a vulnerable system in order to gain unauthorized access. The issue exists due to insufficient boundary checks performed by the 'getaddrinfo' function and occurs when an IPv6 address of excessive length is sent to a vulnerable host via DNS. It has been reported that this issue affects Python versions 2.2 and 2.2.1. Due to a lack of information, further details cannot be outlined at the moment. This BID will be updated as more information becomes available.
Sysstat Insecure Temporary File Creation Vulnerability
BugTraq ID: 9838
Remote: No
Date Published: Mar 10 2004
Relevant URL: http://www.securityfocus.com/bid/9838
Summary:
The Sysstat system monitoring utility is prone to an issue that may allow malicious local users to corrupt system files, most likely resulting in loss of data or a denial of service. The source of this vulnerability is that the utility creates temporary files in an insecure manner, facilitating creation of malicious symbolic links in the /tmp directory.

Multiple Vendor Internet Browser Cookie Path Argument Restri...
BugTraq ID: 9841
Remote: Yes
Date Published: Mar 10 2004
Relevant URL: http://www.securityfocus.com/bid/9841
Summary:
Multiple vendor Internet browsers have been reported to be prone to a cookie path argument restriction bypass vulnerability. The issue presents itself due to a failure to properly sanitize encoded URI content; this may make it possible for an attacker to craft a URI that will contain encoded directory traversal sequences sufficient to provide access to a supposedly path-exclusive cookie from an alternate path.

GdkPixbuf Unspecified Bitmap Handling Denial Of Service Vuln...
BugTraq ID: 9842
Remote: Yes
Date Published: Mar 10 2004
Relevant URL: http://www.securityfocus.com/bid/9842
Summary:
The GdkPixbuf library has been reported prone to an unspecified denial of service vulnerability. This issue is reported to cause the Evolution email client to crash when a malicious Bitmap file is handled. Other applications that rely on the library may be similarly affected.

Sysstat Isag Temporary File Creation Vulnerability
BugTraq ID: 9844
Remote: No
Date Published: Mar 10 2004
Relevant URL: http://www.securityfocus.com/bid/9844
Summary:
The Sysstat Isag command is prone to an issue that may allow malicious local users to corrupt system files, most likely resulting in loss of data or a denial of service.
The source of this vulnerability is that the utility creates temporary files in an insecure manner, facilitating creation of malicious symbolic links in the /tmp directory.

Courier Multiple Remote Buffer Overflow Vulnerabilities
BugTraq ID: 9845
Remote: Yes
Date Published: Mar 11 2004
Relevant URL: http://www.securityfocus.com/bid/9845
Summary:
Multiple buffer overflow vulnerabilities have been identified in Courier MTA, Courier SqWebMail, and Courier-IMAP. These vulnerabilities may allow a remote attacker to execute arbitrary code on a vulnerable system in order to gain unauthorized access. The issues exist in the 'SHIFT_JIS' converter in 'shiftjis.c' and the 'ISO2022JP' converter in 'so2022jp.c'. An attacker may be able to exploit these issues by supplying Unicode characters that exceed the BMP (Basic Multilingual Plane) range. These issues have been reported to affect Courier MTA 0.44.2 and prior, Courier-IMAP 2.2.1 and prior, and Courier SqWebMail 3.6.2 and prior. It has also been reported that the vulnerable codeset mappings may be employed by the Courier IMAP and Webmail service; however, they are not enabled by default. These issues are being further analyzed and this BID will be updated once analysis is complete.

GNU MyProxy Cross-Site Scripting Vulnerability
BugTraq ID: 9846
Remote: Yes
Date Published: Mar 11 2004
Relevant URL: http://www.securityfocus.com/bid/9846
Summary:
It has been reported that GNU MyProxy may be prone to a cross-site scripting vulnerability that may allow a remote attacker to execute HTML or script code in a user's browser. The issue presents itself due to insufficient sanitization of user-supplied data. Due to the possibility of attacker-specified HTML and script code being rendered in a victim's browser, it is possible to steal cookie-based authentication credentials from that user. Other attacks are possible as well.
GNU MyProxy version 20030629 has been reported to be affected by this issue; however, it is possible that other versions are vulnerable as well.

From gmaurer at maurer-data.ch Thu Mar 18 19:07:01 2004
From: gmaurer at maurer-data.ch (Guy Maurer)
Date: Thu Mar 18 19:07:01 2004
Subject: [gull-annonces] Software patents at the ARI
Message-ID: <4057851A.D08FEC94@maurer-data.ch>

Hello,

I would like to point out that the ARI (Association Romande des Informaticien) is organising a conference-debate on SOFTWARE PATENTS on Friday 26 March 2004 at the buffet of Lausanne railway station at 18:00, with Mr Daniele MARI, EPFL, Mr François WOLLNER, patents/diplomas trainer, and Mr Jean-Olivier PIN of the RSR, as well as a representative of the Swiss Federal Institute of Intellectual Property.

More details at http://www.ari-web.ch

Anyone who wishes may register (subject to a maximum...).

Best regards
--
Guy Maurer, member of the GULL and of the ARI,
C/O Maurer Data Sàrl
Ch des Sapins 12 -- CH-1170 Aubonne SWITZERLAND
Phone ++41 021 831 0300 / Fax: ++41 021 808 7286

From schaefer at alphanet.ch Wed Mar 24 23:01:07 2004
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Wed Mar 24 23:01:07 2004
Subject: [gull-annonces] Summary of SecurityFocus Newsletter #241
Message-ID: <20040324215607.GA1309@defian.alphanet.ch>

Metamail Extcompose Program Symlink Vulnerability
BugTraq ID: 9850
Remote: No
Date Published: Mar 12 2004
Relevant URL: http://www.securityfocus.com/bid/9850
Summary:
It has been reported that the Metamail extcompose program may be prone to a symbolic link vulnerability that may allow an attacker to corrupt or overwrite sensitive files. It has been reported that 'extcompose' writes output to a file specified by the user via the command line. The issue has been reported to present itself because the program creates files without verifying the existence of the specified files.
A local user may leverage this condition to corrupt arbitrary files, triggering a system-wide denial of service or potentially elevating their system privileges. Although unconfirmed, it has been reported that 'extcompose.sigh' is also vulnerable to this issue. Metamail 2.7 and prior may be prone to these issues.

UUDeview Insecure Temporary File Creation Vulnerability
BugTraq ID: 9857
Remote: No
Date Published: Mar 12 2004
Relevant URL: http://www.securityfocus.com/bid/9857
Summary:
UUDeview is prone to an issue that may allow malicious local users to corrupt system files, most likely resulting in loss of data or a denial of service. The source of this vulnerability is that the utility creates temporary files in an insecure manner. This type of vulnerability may potentially allow for elevation of privileges in situations where an attacker could influence what is written or appended during this operation. The possibility of privilege escalation has not been confirmed in this instance.

IP3 Networks IP3 NetAccess Appliance SQL Injection Vulnerabi...
BugTraq ID: 9858
Remote: Yes
Date Published: Mar 12 2004
Relevant URL: http://www.securityfocus.com/bid/9858
Summary:
It has been reported that the IP3 NetAccess Appliance is prone to a remote SQL injection vulnerability. This issue is due to a failure of the appliance to properly sanitize user input. This issue may allow an attacker to gain full control of the appliance through the network administration interface. It may also be possible for a malicious user to influence database queries in order to view or modify sensitive information, potentially compromising the system or the database.

[ firmware ]

OpenBSD httpd Access Rule Bypass Vulnerability
BugTraq ID: 9867
Remote: Yes
Date Published: Mar 14 2004
Relevant URL: http://www.securityfocus.com/bid/9867
Summary:
The OpenBSD httpd access module is reported to allow unauthorized access.
This is due to an error in the parsing of Allow/Deny rules with IP addresses without a netmask.

Apache HTAccess LIMIT Directive Bypass Configuration Error W...
BugTraq ID: 9874
Remote: Yes
Date Published: Mar 15 2004
Relevant URL: http://www.securityfocus.com/bid/9874
Summary:
LIMIT directives are commonly used in htaccess files to restrict HTTP methods that are available for a particular resource. However, it has been reported that if the requested resource is served by an Apache module and not by Apache Server itself, LIMIT restrictions may not apply. Additionally, CGI/Script resources that do not sufficiently check the calling method may potentially be invoked with methods not listed in the LIMIT clause to evade LIMIT restrictions.

GNU SPIP Unspecified PHP Code Execution Vulnerability
BugTraq ID: 9875
Remote: Yes
Date Published: Mar 15 2004
Relevant URL: http://www.securityfocus.com/bid/9875
Summary:
It has been reported that SPIP may be prone to an unspecified PHP code execution vulnerability that could allow an attacker to inject arbitrary PHP code via certain URI parameters of the 'forum.php3' script. Successful exploitation of this issue may allow an attacker to execute malicious PHP code in the context of the vulnerable site. Although unconfirmed, SPIP versions 1.7 and prior may be prone to these issues.

VocalTec VGW4/8 Telephony Gateway Remote Authentication Bypa...
BugTraq ID: 9876
Remote: Yes
Date Published: Mar 15 2004
Relevant URL: http://www.securityfocus.com/bid/9876
Summary:
It has been reported that the VGW4/8 Telephony Gateway is prone to a remote authentication bypass vulnerability via its web configuration tool. The problem is due to a design error in the application that allows a user to access configuration pages without prior authentication. Successful exploitation of this issue may allow a remote attacker to gain control of the affected appliance via its web configuration tool.
[ firmware ]

Multiple Vendor SOAP Server Undisclosed Request Denial Of Se...
BugTraq ID: 9877
Remote: Yes
Date Published: Mar 15 2004
Relevant URL: http://www.securityfocus.com/bid/9877
Summary:
A problem has been identified in several different SOAP servers when handling certain types of requests. Because of this, it is possible for an attacker to force a denial of service on systems using a vulnerable implementation. This BID will be updated as further details regarding this vulnerability are made public.

Apache Mod_Security Module SecFilterScanPost Off-By-One Buff...
BugTraq ID: 9885
Remote: Yes
Date Published: Mar 16 2004
Relevant URL: http://www.securityfocus.com/bid/9885
Summary:
It has been reported that the Apache 2 mod_security module is affected by an off-by-one buffer overflow condition that could potentially allow a remote attacker to execute arbitrary code on a vulnerable system under some circumstances. The issue presents itself when the 'SecFilterScanPost' directive is enabled. Specifically, malformed POST data sent by a remote attacker may trigger an off-by-one buffer overflow condition. Due to a lack of details, further information cannot be provided at the moment. This BID will be updated as more information becomes available. mod_security 1.7.4 has been reported to be prone to this issue; however, it is possible that other versions are affected as well.

ClamAV RAR Archive Remote Denial Of Service Vulnerability
BugTraq ID: 9897
Remote: Yes
Date Published: Mar 16 2004
Relevant URL: http://www.securityfocus.com/bid/9897
Summary:
ClamAV has been reported prone to a remote denial of service vulnerability. The issue presents itself when a RAR archive that is created by variants of the W32.Beagle.A@mm worm (MCID 2443) is encountered.
OpenSSL Denial of Service Vulnerabilities
BugTraq ID: 9899
Remote: Yes
Date Published: Mar 17 2004
Relevant URL: http://www.securityfocus.com/bid/9899
Summary:
Three security vulnerabilities have been reported to affect OpenSSL. Each of these remotely exploitable issues may result in a denial of service in applications which use OpenSSL.

The first vulnerability is a NULL pointer assignment that can be triggered by attackers during SSL/TLS handshake exchanges. The CVE candidate name for this vulnerability is CAN-2004-0079. Versions 0.9.6c to 0.9.6k (inclusive) and from 0.9.7a to 0.9.7c (inclusive) are vulnerable.

The second vulnerability is also exploited during the SSL/TLS handshake, though only when Kerberos ciphersuites are in use. The vendor has reported that this vulnerability may not be a threat to many as it is only present when Kerberos ciphersuites are in use, an uncommon configuration. The CVE candidate name for this vulnerability is CAN-2004-0112. Versions 0.9.7a, 0.9.7b, and 0.9.7c are affected.

This entry will be retired when individual BID records are created for each issue.

*Note: A third denial of service vulnerability included in the announcement was discovered affecting 0.9.6 and fixed in 0.9.6d. The CVE candidate name for this vulnerability is CAN-2004-0081.

OpenBSD isakmpd Multiple Unspecified Remote Denial Of Servic...
BugTraq ID: 9907
Remote: Yes
Date Published: Mar 17 2004
Relevant URL: http://www.securityfocus.com/bid/9907
Summary:
OpenBSD's isakmpd daemon is reported prone to multiple issues that may lead to a remote denial of service. These issues are reported to occur when processing certain malformed payloads. This issue may be leveraged by a remote attacker to cause isakmpd to cease processing requests, thereby effectively denying service to legitimate users.

DameWare Mini Remote Control Server Weak Encryption Implemen...
BugTraq ID: 9909
Remote: Yes
Date Published: Mar 17 2004
Relevant URL: http://www.securityfocus.com/bid/9909
Summary:
DameWare Mini Remote Control Server has been reported to be prone to a weak encryption implementation. It has been reported that analysis of encrypted traffic will reveal the block cipher that is used by DameWare Mini Remote Control to encrypt the plaintext data using ECB (Electronic Code Book) mode. This may ultimately allow an attacker to determine the block cipher and thereby expose plaintext credentials by reversing the process.

[ ?? ]

From schutz at mathgen.ch Fri Mar 26 03:01:02 2004
From: schutz at mathgen.ch (Frederic Schutz)
Date: Fri Mar 26 03:01:02 2004
Subject: [gull-annonces] Switzerland approves new open source software strategy
Message-ID: <1080266390.40638e96c0b15@mail.hebweb.net>

The cobbler's children are of course the worst shod: it is on LWN that I found this interesting document (sorry for the very long URL):

http://europa.eu.int/ISPO/ida/jsps/index.jsp?fuseAction=showDocument&documentID=2278&parent=chapter&preChapterID=0-140-194

Frederic

From Pierre.Keller at bcu.unil.ch Fri Mar 26 08:53:02 2004
From: Pierre.Keller at bcu.unil.ch (Pierre Keller - BCU Lausanne)
Date: Fri Mar 26 08:53:02 2004
Subject: [gull-annonces] Switzerland approves new open source software strategy
In-Reply-To: <1080266390.40638e96c0b15@mail.hebweb.net>
Message-ID: <5.1.0.14.2.20040326084536.00a75390@pop-server.unil.ch>

Hello,

At 02:59 26/03/2004 +0100, Frederic Schutz wrote:
>The cobbler's children are of course the worst shod: it is on LWN that
>I found this interesting document (sorry for the very long URL):
>
>http://europa.eu.int/ISPO/ida/jsps/index.jsp?fuseAction=showDocument&documentID=2278&parent=chapter&preChapterID=0-140-194

See: "Stratégie OSS de l'administration fédérale" (OSS strategy of the federal administration).
- Version 1.0 of 23.02.2004
http://www.isb.admin.ch/internet/strategien/00665/01491/index.html?lang=fr

Have a good day,
--
Pierre Keller
Bibliothèque cantonale et universitaire
Université de Lausanne
CH-1015 Lausanne Dorigny (Switzerland)
WWW: http://www.unil.ch/BCU/docs/pkeller/
Tel.: 021/692 48 13

From schaefer at alphanet.ch Wed Mar 31 11:01:02 2004
From: schaefer at alphanet.ch (Marc SCHAEFER)
Date: Wed Mar 31 11:01:02 2004
Subject: [gull-annonces] Summary of SecurityFocus Newsletter #242
Message-ID: <20040331083321.GB2392@defian.alphanet.ch>

Jetty Unspecified Denial Of Service Vulnerability
BugTraq ID: 9917
Remote: Yes
Date Published: Mar 18 2004
Relevant URL: http://www.securityfocus.com/bid/9917
Summary:
An unspecified denial of service vulnerability has been reported in the Jetty Java HTTP Servlet Server. It is conjectured that this may be exploited remotely.

SquidGaurd NULL URL Character Unauthorized Access Vulnerabil...
BugTraq ID: 9919
Remote: Yes
Date Published: Mar 19 2004
Relevant URL: http://www.securityfocus.com/bid/9919
Summary:
Reportedly SquidGaurd is prone to a remote NULL URL character unauthorized access vulnerability. This issue is due to a failure of the application to properly filter out invalid URIs. Successful exploitation of this issue may allow a remote attacker to bypass access controls, resulting in unauthorized access to attacker-specified resources. This may allow the attacker to gain unauthorized access to sensitive resources. Although it has not been confirmed, this issue may be related to the issue defined in BID 9778.

[ SquidGuard? ]

Apache Connection Blocking Denial Of Service Vulnerability
BugTraq ID: 9921
Remote: Yes
Date Published: Mar 19 2004
Relevant URL: http://www.securityfocus.com/bid/9921
Summary:
Apache is prone to an issue that may permit remote attackers to cause a denial of service via a listening socket on a rarely accessed port.
This will reportedly block out new connections to the server until another connection on the rarely accessed socket is initiated. The functionality that exposes this issue is reportedly enabled by default on all platforms except Windows.

FVWM fvwm_make_browse_menu.sh Scripts Command Execution Vuln...
BugTraq ID: 9922
Remote: No
Date Published: Mar 19 2004
Relevant URL: http://www.securityfocus.com/bid/9922
Summary:
It has been reported that the FVWM fvwm_make_browse_menu.sh script is prone to a command execution vulnerability. This issue is due to the script allowing a user to define which application should be used to execute the file via its filename. An attacker may be able to leverage this issue to cause arbitrary commands to be executed with the privileges of a victim user. This issue is related to the issue described in BID 9161.

FVWM fvwm_make_directory_menu.sh Scripts Command Execution V...
BugTraq ID: 9925
Remote: No
Date Published: Mar 19 2004
Relevant URL: http://www.securityfocus.com/bid/9925
Summary:
It has been reported that the FVWM 'fvwm_make_directory_menu.sh' script is prone to a command execution vulnerability. This issue is due to the script allowing a user to define which application should be used to execute the file via its filename. An attacker may be able to leverage this issue to cause arbitrary commands to be executed with the privileges of a victim user. This issue is related to the issue described in BID 9161.

Samba SMBPrint Sample Script Insecure Temporary File Handlin...
BugTraq ID: 9926
Remote: No
Date Published: Mar 19 2004
Relevant URL: http://www.securityfocus.com/bid/9926
Summary:
It has been reported that the 'smbprint-new.sh' sample Samba script is prone to a local insecure temporary file handling symbolic link vulnerability. This issue is due to a design error that allows the application to insecurely write to a temporary file that is created with a predictable file name.
An attacker may exploit this issue to corrupt arbitrary files. This corruption may potentially result in the elevation of privileges, or in a system-wide denial of service. It should be noted that 'smbprint-new.sh' is a sample script located in the 'examples' directory. This script is not intended for commercial use. The 'smbprint' script included in the 'packaging' directory is not vulnerable to this issue. Individual package distributions may vary.

Borland Interbase Database User Privilege Escalation Vulnera...
BugTraq ID: 9929
Remote: No
Date Published: Mar 20 2004
Relevant URL: http://www.securityfocus.com/bid/9929
Summary:
By default, insecure permissions are set on the file storing the user database that is shipped with Borland Interbase. The permissions, 0666, permit all users to write to the file. This configuration error can be exploited to gain administrative access within the database. The consequences of this flaw may extend further if the database supports applications.

Apache Error Log Escape Sequence Injection Vulnerability
BugTraq ID: 9930
Remote: Yes
Date Published: Mar 20 2004
Relevant URL: http://www.securityfocus.com/bid/9930
Summary:
It has been reported that the Apache web server is prone to a remote error log escape sequence injection vulnerability. This issue is due to an input validation error that may allow escape character sequences to be injected into Apache log files. This may facilitate exploitation of issues such as those found in BIDs 6936 and 6938. This issue may allow an attacker to carry out a number of actions including arbitrary file creation and code execution on the affected system.

Apache mod_disk_cache Module Client Authentication Credentia...
BugTraq ID: 9933
Remote: Yes
Date Published: Mar 20 2004
Relevant URL: http://www.securityfocus.com/bid/9933
Summary:
It has been reported that the Apache mod_disk_cache module may be prone to a weakness that could result in an attacker gaining access to proxy or standard authentication credentials. The mod_disk_cache module is reported to store HTTP hop-by-hop headers, including user login and password information, in plaintext format on disk. This issue could be used in conjunction with other possible vulnerabilities in a host to gain access to user authentication credentials. Successful exploitation of this issue may lead to further attacks against vulnerable users of the affected host. Apache versions 2.0.49 and prior with mod_disk_cache enabled are assumed to be affected by this issue.

Xine Bug Reporting Script Insecure Temporary File Creation V...
BugTraq ID: 9939
Remote: No
Date Published: Mar 22 2004
Relevant URL: http://www.securityfocus.com/bid/9939
Summary:
The xine bug reporting scripts (xine-bugreport and xine-check) create temporary files in an insecure manner. A malicious local user could take advantage of this issue by mounting a symbolic link attack to corrupt other system files, most likely resulting in destruction of data. Privilege escalation is also theoretically possible. This issue is only exposed when the vulnerable scripts are run to submit a bug report to the vendor. It should be noted that xine-bugreport and xine-check are separate instances of the same script.

Ethereal Multiple Vulnerabilities
BugTraq ID: 9952
Remote: Yes
Date Published: Mar 22 2004
Relevant URL: http://www.securityfocus.com/bid/9952
Summary:
Ethereal 0.10.3 has been released to address multiple vulnerabilities. These issues include:
- Thirteen stack-based buffer overruns in various protocol dissectors (NetFlow, IGAP, EIGRP, PGM, IrDA, BGP, ISUP, and TCAP).
- A denial of service that is triggered by a zero length Presentation protocol selector.
- Specially crafted RADIUS packets may cause a crash in Ethereal.
- Corrupt color filter files may cause a crash in Ethereal.
These issues may result in a denial of service or potentially be leveraged to execute arbitrary code in the instance of the buffer overruns.

rident.pl Symbolic Link Vulnerability
BugTraq ID: 9968
Remote: No
Date Published: Mar 24 2004
Relevant URL: http://www.securityfocus.com/bid/9968
Summary:
It has been reported that rident.pl may be prone to a symbolic link vulnerability that may allow an attacker to corrupt or overwrite arbitrary files. This issue exists because the script writes output to a temporary file as 'rident.pid' in the 'tmp' directory. It has been reported that a user will require root privileges to invoke the affected script; this may increase the impact of this vulnerability.
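Several entries in these newsletters (Sysstat, UUDeview, Metamail extcompose, smbprint-new.sh, xine-bugreport, rident.pl) are the same defect: a file created under a fixed, predictable name in a world-writable directory. The following Python example is added here and is not code from the newsletter or from any of those projects; it shows, inside a throwaway directory standing in for /tmp, why the naive open clobbers whatever a planted symlink points at, and the two safe patterns (O_CREAT|O_EXCL|O_NOFOLLOW on a fixed name, or mkstemp). The names 'rident.pid' and 'victim.conf' and the file contents are constructed for the example.

```python
"""Added example: predictable temp-file names vs. safe creation.
Everything happens in a throwaway directory, so no real system file is touched."""
import os
import stat
import tempfile


def naive_write(path, data):
    """The vulnerable pattern seen in the advisories: open a fixed, predictable
    name for writing. open(..., 'wb') follows a symlink and truncates its target."""
    with open(path, "wb") as fh:
        fh.write(data)


def safe_create(path, data):
    """Hardened pattern when the name must be fixed: O_EXCL makes open fail if the
    name already exists (a planted symlink included), O_NOFOLLOW refuses to follow
    a symlink at that name, and mode 0o600 keeps the file private to the owner."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def safe_tempfile(tmpdir, data):
    """Preferred pattern: mkstemp picks an unpredictable name and creates it
    atomically (O_EXCL, mode 0o600). Returns the path it chose."""
    fd, path = tempfile.mkstemp(prefix="rident.", dir=tmpdir)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def demo(tmpdir):
    """Reproduce the scenario the advisories describe: before the tool runs, a
    symlink with the predictable name already points at a file the tool's user
    can write (constructed 'victim.conf' stands in for a system file).
    Returns what each approach did so the outcome can be checked."""
    victim = os.path.join(tmpdir, "victim.conf")
    with open(victim, "wb") as fh:
        fh.write(b"important=yes\n")
    predictable = os.path.join(tmpdir, "rident.pid")
    os.symlink(victim, predictable)          # planted by a local user beforehand

    naive_write(predictable, b"12345\n")     # follows the link: victim clobbered
    with open(victim, "rb") as fh:
        victim_after_naive = fh.read()

    try:
        safe_create(predictable, b"12345\n")
        safe_refused = False
    except OSError:                          # EEXIST / ELOOP: the planted link is detected
        safe_refused = True

    chosen = safe_tempfile(tmpdir, b"12345\n")
    st = os.lstat(chosen)                    # lstat: inspect the name itself, not a target
    return {
        "victim_after_naive": victim_after_naive,
        "safe_refused": safe_refused,
        "mkstemp_is_regular": stat.S_ISREG(st.st_mode),
        "mkstemp_mode": stat.S_IMODE(st.st_mode),
        "mkstemp_name_predictable": os.path.basename(chosen) == "rident.pid",
    }


def run_demo():
    """Run demo() in a fresh temporary directory that is removed afterwards."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    print(run_demo())
```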
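For the Apache error log escape sequence injection entry (BID 9930) in newsletter #242, here is the defensive side as an added Python example, not Apache's code: a scanner that flags terminal escape sequences and raw control bytes in log lines, and a sanitizer that renders them harmless before a log is viewed on a terminal. The log lines are constructed for the example.

```python
"""Added example: detect and neutralise escape sequences injected into log lines."""
import re

# ANSI/VT escape sequences begin with ESC (0x1b). CSI: ESC [ params final-byte;
# OSC: ESC ] text terminated by BEL or ESC \ (used, for instance, to set a title).
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
OSC_RE = re.compile(r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
# Raw C0 control bytes and DEL. Tab is tolerated; CR and LF are not, because an
# embedded newline lets a single request forge a whole second log record.
CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

# Constructed Apache-style error log lines (not real log data). All but the first
# carry injected content in the requested path: clear-screen and cursor-home CSI
# sequences, an OSC title change, a backspace, and a CRLF-forged second record.
SAMPLE_LOG = [
    "[Mon Mar 22 10:01:02 2004] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico",
    "[Mon Mar 22 10:01:03 2004] [error] [client 192.0.2.10] File does not exist: /var/www/html/\x1b[2J\x1b[H",
    "[Mon Mar 22 10:01:04 2004] [error] [client 192.0.2.11] File does not exist: /var/www/html/\x1b]0;owned\x07x",
    "[Mon Mar 22 10:01:05 2004] [error] [client 192.0.2.12] File does not exist: /var/www/html/a\x08b",
    "[Mon Mar 22 10:01:06 2004] [error] [client 192.0.2.13] File does not exist: /var/www/html/x\r\n"
    "[Mon Mar 22 10:01:06 2004] [notice] forged entry",
]


def find_escapes(line):
    """Return every escape sequence or stray control byte in one log line:
    complete CSI/OSC sequences first, then control bytes left outside a sequence."""
    found = [m.group(0) for m in CSI_RE.finditer(line)]
    found += [m.group(0) for m in OSC_RE.finditer(line)]
    leftover = OSC_RE.sub("", CSI_RE.sub("", line))
    found += CONTROL_RE.findall(leftover)
    return found


def sanitize(line):
    """Render the line harmless: every control byte (ESC included) becomes the
    printable text \\xNN, so neither a terminal nor a log viewer can interpret it."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), line)


def scan_log(lines):
    """Detection pass over a whole log: (line index, number of findings) for each
    line that carries injected escape sequences or control bytes."""
    report = []
    for idx, line in enumerate(lines):
        hits = find_escapes(line)
        if hits:
            report.append((idx, len(hits)))
    return report


if __name__ == "__main__":
    for idx, count in scan_log(SAMPLE_LOG):
        print("line %d: %d suspicious sequence(s): %s" % (idx, count, sanitize(SAMPLE_LOG[idx])))
```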