[linux-leman-annonces] Summary of SecurityFocus Newsletter #191

Marc SCHAEFER schaefer at alphanet.ch
Wed Apr 9 09:56:42 CEST 2003


Snort Evasion Echo Flag Port Scan Vulnerability
BugTraq ID: 7220
Remote: Yes
Date Published: Mar 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7220
Summary:

Snort is a freely available, open source intrusion detection system.  It
is available for Unix, Linux, and Microsoft Windows platforms.

It has been reported that a vulnerability exists in the default
configuration of Snort.  Due to this issue it is possible for a user to
evade detection while performing some types of scans.

The problem lies in the detection of specially crafted packets.  When a
port scan is performed with the TCP SYN, FIN, and ECN flags set, the
default configuration of Snort will not register these packets as an IDS
event.  This could permit an attacker to gather information on network
resources that could be used for a more organized attack against systems.

This problem has been reported in version 1.9.1, though earlier versions
may be affected.
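As an added illustration (not code from the advisory or from Snort), the check below flags any TCP segment that carries SYN and FIN together, after masking off the ECN bits (ECE and CWR). That is the general form of the case the advisory describes: a rule that matches SYN+FIN exactly misses SYN+FIN+ECE, whereas masking the ECN bits first catches it. The header bytes are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>

/* TCP flag bit positions in byte 13 of the TCP header (RFC 793, RFC 3168). */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20
#define TCP_ECE 0x40
#define TCP_CWR 0x80

/* Returns 1 if the flags carry SYN and FIN at the same time, which no
   legitimate endpoint sends.  The ECN bits are masked off first so that
   SYN+FIN+ECE is classified exactly like SYN+FIN. */
int tcp_syn_fin_anomaly(uint8_t flags)
{
    uint8_t core = flags & (uint8_t)~(TCP_ECE | TCP_CWR);
    return (core & TCP_SYN) && (core & TCP_FIN) ? 1 : 0;
}

/* Extracts the flags byte from a raw TCP header.  Returns -1 if the buffer
   is shorter than the fixed 20-byte header, so callers cannot read past it. */
int tcp_header_flags(const uint8_t *hdr, size_t len)
{
    if (hdr == NULL || len < 20)
        return -1;
    return hdr[13];
}

/* Convenience wrapper: 1 = anomalous, 0 = normal, -1 = truncated header. */
int tcp_header_anomalous(const uint8_t *hdr, size_t len)
{
    int flags = tcp_header_flags(hdr, len);
    if (flags < 0)
        return -1;
    return tcp_syn_fin_anomaly((uint8_t)flags);
}

/* Constructed sample header: ports 40000 -> 80, flags byte = SYN|FIN|ECE. */
const uint8_t sample_syn_fin_ecn[20] = {
    0x9c, 0x40, 0x00, 0x50, 0, 0, 0, 0, 0, 0, 0, 0,
    0x50, TCP_SYN | TCP_FIN | TCP_ECE, 0xff, 0xff, 0, 0, 0, 0
};
```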

Alexandria / SourceForge Cross Site Scripting Vulnerability
BugTraq ID: 7223
Remote: Yes
Date Published: Mar 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7223
Summary:

Alexandria is a freely available project management system. VA Software
SourceForge is a modified version of Alexandria.

Alexandria does not adequately filter some HTML code thus making it prone
to cross-site scripting attacks. It is possible for a remote attacker to
create a malicious link containing script code which will be executed in
the browser of a legitimate user.

It has been reported that sections of Alexandria that display a user's
resume are prone to cross site scripting attacks. Any attacker-supplied
code will be executed within the context of the website running
Alexandria.

This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software. The attacker may then hijack the legitimate user's session by
using those cookie-based authentication credentials. Other attacks are also
possible.

This vulnerability was reported for Alexandria 2.5 and 2.0.

Alexandria / SourceForge CRLF Injection Vulnerability
BugTraq ID: 7224
Remote: Yes
Date Published: Mar 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7224
Summary:

Alexandria is a freely available project management system. VA Software
SourceForge is a modified version of Alexandria.

A vulnerability has been reported for Alexandria that may allow remote
attackers to use the Alexandria system for proxying of unsolicited e-mail.
The vulnerability exists in the 'sendmessage.php' script file.

There is no input validation performed on user-supplied data passed to
functions in the 'sendmessage.php' script file. As a result, malicious
users may embed CR/LF sequences to inject additional headers into outgoing
messages.

Attackers may exploit this weakness to manipulate the structure of
outgoing messages. For example, it may be possible for attackers to set
the recipient to an arbitrary value. This could be leveraged by
individuals to send mass unsolicited mail in a manner similar to how
"formmail" is actively exploited (BID 3955).

This vulnerability was reported for Alexandria 2.5 and 2.0.
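The missing validation described above can be illustrated with the check below, an added example that is not Alexandria's code: a header value is accepted only if it contains no CR, LF or other control bytes, and a header line is built only from values that pass that check. The field name and sample values are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Returns 1 if the user-supplied value may safely be placed in a mail
   header, 0 otherwise.  CR and LF are what allow an attacker to start a
   new header line; other control bytes are rejected as well. */
int header_value_is_safe(const char *value)
{
    if (value == NULL)
        return 0;
    for (const unsigned char *p = (const unsigned char *)value; *p; p++) {
        if (*p == '\r' || *p == '\n')
            return 0;
        if (*p < 0x20 || *p == 0x7f)
            return 0;
    }
    return 1;
}

/* Writes "Name: value\r\n" into out.  Returns the number of bytes written,
   or -1 if the value is unsafe or the buffer is too small, so the caller
   never emits a header assembled from unvalidated input. */
int build_header_line(char *out, size_t outlen, const char *name,
                      const char *value)
{
    if (!header_value_is_safe(value))
        return -1;
    int n = snprintf(out, outlen, "%s: %s\r\n", name, value);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}
```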

Alexandria / SourceForge File Disclosure Vulnerability
BugTraq ID: 7225
Remote: Yes
Date Published: Mar 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7225
Summary:

Alexandria is a freely available project management system. VA Software
SourceForge is a modified version of Alexandria.

A vulnerability has been reported for Alexandria that may result in the
disclosure of sensitive files to remote attackers.

The vulnerability occurs in the 'docman/new.php' and 'patch/index.php'
script files which allow the uploading of files. Due to insufficient
checks performed by these scripts, it is possible for an attacker to
specify any web server readable files as the files that were recently
uploaded. This will result in the disclosure of the contents of these
files to remote attackers.

This vulnerability was reported for Alexandria 2.5 and 2.0.

Mutt IMAP Remote Folder Buffer Overflow Vulnerabilities
BugTraq ID: 7229
Remote: Yes
Date Published: Mar 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7229
Summary:

Mutt is a freely available, open source mail user agent. It is available
for the Unix and Linux operating systems.

Buffer overrun vulnerabilities have been reported for Mutt. These
vulnerabilities are similar to the issues described in BID 7120, Mutt
UTF-7 Internationalized Remote Folder Buffer Overrun Vulnerability.

Mutt provides functionality that allows a remote user to read e-mail from
folders through Internet Message Access Protocol (IMAP). A specially
crafted folder on an IMAP server may be able to trigger these overflow
conditions to cause the vulnerable mutt client to crash. Although
unconfirmed, it may be possible to execute attacker-supplied code with the
privileges of the mutt process.

Further details of this vulnerability are currently unknown. This BID will
be updated as more information becomes available.

These vulnerabilities were reported for Mutt 1.3.28 and earlier.

Sendmail Address Prescan Memory Corruption Vulnerability
BugTraq ID: 7230
Remote: Yes
Date Published: Mar 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7230
Summary:

It has been reported that Sendmail is affected by a memory corruption
condition that is likely remotely exploitable.  The flaw is present in the
prescan() procedure, which is used for processing e-mail addresses in
SMTP headers.  This function is implemented in the source code file
"parseaddr.c".  It is at least theoretically possible that this condition
may be exploited by remote attackers to execute instructions on target
systems.  This vulnerability is due to a logic error in the conversion of
a char to an integer value.

The condition occurs when Sendmail converts an externally supplied
character byte to an integer type.  It is possible for the byte to be
converted to a special control value (-1) that results in bounds checking
being disabled.  This is because the integer is assigned the value of a
signed char without first casting it to unsigned:

c = *p++;

The char value 0xFF will cause c to be assigned the integer value -1, the
'NOCHAR' control value.  Bounds checking is disabled when the value of the
current character (c) is 'NOCHAR'.

This leads to the potential for malicious data to be written beyond the
boundaries of the buffer allocated to store it.  Attackers may exploit
this condition to overwrite potentially sensitive values on the stack with
some degree of control.

The discoverer of this condition has reported that it was successfully
exploited to execute code locally.  It is likely that this vulnerability
can be exploited remotely as well.

This vulnerability is eliminated in Sendmail version 8.12.9.
Administrators are advised to upgrade as soon as possible.
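The root cause, as an added stand-alone illustration rather than Sendmail's parseaddr.c: reading a byte through a signed char sign-extends 0xFF to -1, which collides with a -1 sentinel (the advisory's NOCHAR, assumed here to be -1 as it states), whereas widening through unsigned char yields 255 and can never equal the sentinel. The sample address is constructed.

```c
#include <stdio.h>
#include <stddef.h>

/* Sentinel meaning "no character", as the advisory describes NOCHAR. */
#define NOCHAR (-1)

/* Vulnerable pattern: `c = *p++` with p a plain char *.  Plain char is
   signed on x86 ABIs; `signed char` is spelled out so the behaviour is the
   same on every platform. */
int read_byte_signed(const char *p)
{
    int c = (signed char)*p;    /* 0xFF sign-extends to -1 == NOCHAR */
    return c;
}

/* Fixed pattern: widen through unsigned char, so c is always 0..255. */
int read_byte_unsigned(const char *p)
{
    int c = (unsigned char)*p;  /* 0xFF becomes 255 */
    return c;
}

/* Counts the bytes of an input that the signed read would mistake for
   NOCHAR.  A result of 0 means the input cannot trip the sentinel check. */
size_t count_sentinel_collisions(const char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (read_byte_signed(buf + i) == NOCHAR)
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample: an address containing one 0xFF byte at offset 4. */
    const char sample[] = "user\xff@example.invalid";
    size_t len = sizeof sample - 1;
    printf("0xFF via signed read: %d, via unsigned read: %d\n",
           read_byte_signed(sample + 4), read_byte_unsigned(sample + 4));
    printf("bytes mistaken for NOCHAR: %zu\n",
           count_sentinel_collisions(sample, len));
    return 0;
}
```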

CCLog HTTP Header HTML Injection Vulnerability
BugTraq ID: 7238
Remote: Yes
Date Published: Mar 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7238
Summary:

CCLog is a script that logs all hits to a certain web site.

It has been reported that CCLog does not sufficiently filter user-supplied
values for some HTTP headers. Specifically, the script, cc_log.pl, does
not sanitize the values of the 'User-Agent' and 'Referer' HTTP headers.
As a result, attackers may embed malicious script code or HTML into
specially crafted HTTP requests. When CCLog is used to assemble an HTML
version of web site hits and that page is viewed by another user, the
attacker-supplied code will be interpreted in their web browser in the
security context of the site hosting the software.

This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software. The attacker may then hijack the legitimate user's session by
using those cookie-based authentication credentials. Other attacks are also
possible.

SAP DB RPM Install World Writable Binary Vulnerability
BugTraq ID: 7242
Remote: No
Date Published: Mar 31 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7242
Summary:

SAP DB is a free enterprise level database available for Microsoft
Windows, Linux, Solaris, AIX, Tru64, and HP-UX platforms.

When SAP DB is installed using RPM packages, insecure permissions are left
on two binaries.

After performing the installation, the lserver and dbmsrv binaries have
'777' permissions.  This allows any user on the system to write to the
binaries.

It should be noted that this vulnerability only exists when SAP DB is
installed using RPM packages.  Installing SAP DB from tgz packages will
leave these binaries with '755' permissions.

Red Hat Linux 9 vsftpd Compiling Error Weakness
BugTraq ID: 7253
Remote: Yes
Date Published: Apr 01 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7253
Summary:

vsftpd is a GPL licensed secure FTP server for UNIX and Linux platforms.

tcp_wrappers is an IP packet filtering facility for UNIX and Linux
platforms.

In Red Hat Linux 9, vsftpd was switched to a standalone service instead of
being run by xinetd.  When this change was made, vsftpd was not compiled
against tcp_wrappers.

Because of this, vsftpd users are unable to apply tcp_wrappers IP-based
access filtering to the FTP server.

This issue only affects Red Hat Linux 9 boxed sets that were manufactured
for sale in the United States.  The affected part numbers are RHF0120US
and RHF0121US.  Versions of Red Hat 9 that were downloaded or purchased
from international boxed sets are not affected.
