[gull-annonces] Résumé SecurityFocus Newsletter #207

Marc SCHAEFER schaefer at alphanet.ch
Wed Jul 30 18:41:08 CEST 2003


Apache HTTP Server Multiple Vulnerabilities
BugTraq ID: 8226
Remote: Yes
Date Published: Jul 18 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8226
Summary:

Apache HTTP Server is an open-source web server designed to run on a number
of different platforms.

Apache HTTP Server version 1.3.28 has been released in response to
multiple vulnerabilities. The release addresses three potential security
issues whose impact includes denial of service, file descriptor leakage,
and logging failures.

Under Windows and OS/2, it may be possible to cause Apache to send a
special control character, namely 0x1A, over a pipe. This could cause
Apache to stop logging and exit.

It has also been reported that attackers may be able to send specially
crafted requests that send Apache into an internal loop and eventually
crash it.

Additionally, under certain circumstances Apache may leak file descriptors
from the parent process to a child process. Depending on what the leaked
descriptor refers to, this could result in varying degrees of unauthorized
access.

Multiple BIDs are currently pending for these issues. When individual BIDs
are available, this BID will be retired.
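The descriptor leak above is the classic fork()+exec() problem: every open
descriptor in the parent is inherited by the child unless it carries the
FD_CLOEXEC flag. The following is an added example, not Apache's own code,
showing the usual defence: walk the descriptor table before spawning a child
and mark everything above stdio close-on-exec. The helper names
(is_cloexec, set_cloexec, mark_cloexec_from) are chosen here for
illustration.

```c
/* Added example (not Apache source): mark inherited descriptors
 * close-on-exec so a fork()+execve() child cannot use them. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>

/* Return 1 if fd is marked FD_CLOEXEC, 0 if not, -1 if fd is not open. */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Set FD_CLOEXEC on one descriptor; 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    if (flags & FD_CLOEXEC)
        return 0;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Walk every descriptor from lowfd up to the process limit and mark the
 * open ones close-on-exec. Returns the number of descriptors newly marked,
 * or -1 if the table size cannot be determined. Callers normally pass 3
 * so the child keeps its stdin/stdout/stderr. */
int mark_cloexec_from(int lowfd)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    int marked = 0;
    if (maxfd < 0)
        return -1;
    for (int fd = lowfd; fd < maxfd; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1)
            continue;                       /* not open (EBADF): skip */
        if (!(flags & FD_CLOEXEC) &&
            fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0)
            marked++;
    }
    return marked;
}

int main(void)
{
    int p[2];
    if (pipe(p) == -1) {
        perror("pipe");
        return 1;
    }
    printf("pipe read end close-on-exec before: %d\n", is_cloexec(p[0]));
    int n = mark_cloexec_from(3);
    printf("marked %d descriptor(s); read end after: %d\n", n, is_cloexec(p[0]));
    /* A fork()+execve() child started now would not inherit p[0] or p[1]. */
    close(p[0]);
    close(p[1]);
    return 0;
}
```

The sweep is deliberately done just before the fork/exec rather than at
descriptor creation time, so it also catches descriptors opened by third
party code (modules, libraries) that never set the flag themselves.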

GnuPG Group Root File Corruption Vulnerability
BugTraq ID: 8228
Remote: No
Date Published: Jul 19 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8228
Summary:

gnupg is an encryption utility that is available for a number of
platforms, including Unix/Linux variants.

gnupg is reported to be prone to an issue that could permit a malicious
local user to corrupt files owned by the root group.  This issue is
reportedly the result of gnupg being installed setgid to the root group.
The issue was reported for Gentoo Linux, though other distributions may
have a similar default installation and be prone to this issue.

This vulnerability may potentially be exploited to corrupt critical or
sensitive files for a denial of service.  The possibility of privilege
escalation also exists.

CGI.pm Start_Form Cross-Site Scripting Vulnerability
BugTraq ID: 8231
Remote: Yes
Date Published: Jul 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8231
Summary:

CGI.pm is a module for Perl that allows for dynamic creation of web forms
and parsing of CGI input.

CGI.pm is prone to cross-site scripting attacks under some circumstances.
This issue occurs because the start_form() function (or other functions
which use this function such as start_multipart_form()) does not
sufficiently sanitize HTML and script code when a form action is not
specified.  This could expose scripts that use the function to cross-site
scripting attacks.

This issue could be exploited to cause hostile HTML and script code to be
rendered in the browser of a user who is enticed to visit a malicious link
to a vulnerable script.  The code would be interpreted in the context of
the vulnerable site.  Exploitation could allow theft of cookie-based
authentication credentials or other attacks.

GNU GNATS Queue-PR Database Command Line Option Buffer Overflow 
Vulnerability
BugTraq ID: 8232
Remote: No
Date Published: Jul 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8232
Summary:

GNU GNATS is a freely available bug tracking system. It is available for a
variety of Linux and Unix variant operating environments.

The queue-pr utility is shipped as part of GNATS and is used to manage the
GNATS queue. It is installed setuid, typically to the 'gnats' user.

A stack overflow vulnerability has been reported for the queue-pr utility.
The vulnerability occurs due to insufficient bounds checks performed on
the database name passed to the '-d' commandline option.

An attacker may invoke the queue-pr utility with a malicious database name
(1148 bytes or more) to trigger the vulnerability.

Successful exploitation may result in the execution of attacker-supplied
code with potentially elevated privileges.

It should be noted that on some systems, the queue-pr utility might be
installed with setuid 'root' privileges.

It should be noted that although this vulnerability has been reported to
affect GNATS version 3.113.1_6, other versions might be affected.

Multiple Linux 2.4 Kernel Vulnerabilities
BugTraq ID: 8233
Remote: Yes
Date Published: Jul 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8233
Summary:

Red Hat has released an advisory reporting the existence of multiple
vulnerabilities in the Linux 2.4 kernel.  The following issues were
reported:

/proc/tty/driver/serial may expose sensitive information to local
attackers by revealing the exact character count for serial links.  This
information could permit a malicious local user to infer password lengths
and the timing between keystrokes when entering passwords.  This might aid
in brute-force attacks that attempt to compromise another user's password.

A race condition in the implementation of the execve() system call was
reported.  This issue is described in BID 8042.

The kernel RPC code was reported to have recently changed, causing the
reuse flag on newly created sockets to be set.  This introduced a
vulnerability that could permit unprivileged users to bind to UDP ports
used for related services, such as nfsd.

A vulnerability in the implementation of the execve() system call could
permit malicious local users to gain read access to restricted file
descriptors.  This occurs because the file descriptor of the executable
being run is left in the file table of the calling process.  This could be
exploited to gain access to sensitive information.  This is related to the
race condition in execve() and is also discussed in BID 8042.

A flaw in the /proc filesystem could be exploited to gain access to
sensitive information.  If /proc/self entries are opened before executing
a setuid program, the kernel may fail to change the ownership and
permissions of entries that are already open.

Red Hat has disabled STP (Spanning Tree Protocol) support in its kernel
because the protocol provides no security; other distributions may still
ship it enabled.  Separately, insufficient length checking in the kernel's
STP handling was reported, which may permit denial of service attacks.

It was reported that the kernel forwarding table may be spoofed if forged
packets are received with the same source IP address as the host.

These issues will be divided into separate BIDs when further analysis is
complete.

Drupal Cross-Site Scripting Vulnerability
BugTraq ID: 8235
Remote: Yes
Date Published: Jul 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8235
Summary:

Drupal is an open-source content management system.  Drupal is available
for a number of platforms including Microsoft Windows operating systems
and Unix/Linux variants.

The Drupal content management system is prone to a cross-site scripting
vulnerability.  This issue is exposed through the main page and through
other sub-pages.  An attacker may exploit this issue by including hostile
HTML and script code in a malicious link to Drupal.  This code may be
rendered in the web browser of a user who visits the link.  This would
occur in the security context of the site hosting Drupal.

The attacker-supplied HTML and script code would be able to access
properties of the site, potentially allowing for theft of cookie-based
authentication credentials.  An attacker could also exploit this issue to
control how the site is rendered to the user.

[ language undetermined ]

Top Home Environment Variable Local Buffer Overflow Vulnerability
BugTraq ID: 8239
Remote: No
Date Published: Jul 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8239
Summary:

top is a freely available, open source process monitoring utility.  It is
available for various Unix and Linux platforms.

A buffer overflow condition has been reported in top when handling
environment variables of excessive length.  This may result in an attacker
potentially executing arbitrary code.

The problem is in the checking of bounds on the HOME environment variable.
top does not properly handle input of excessive length in the HOME
environment variable.  By placing a string of excessive length (1100
bytes) in this environment variable, an attacker may be able to corrupt
sensitive process memory, and potentially execute arbitrary code with the
privileges of the top program.

It should be noted that top is typically installed with the setuid root
bit set.

Additionally, although top versions less than or equal to version 2.0.11
have been reported vulnerable, it should be noted that other versions
might also be vulnerable.
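The GNATS queue-pr report (BID 8232) and the top report above share one
root cause: a string the caller controls (a '-d' argument in one case, the
HOME environment variable in the other) is copied into a fixed-size stack
buffer with no length check, and a string of roughly 1100 bytes or more
overwrites the frame of a setuid process. The following is an added example,
not the source of GNATS or top, that shows the unsafe idiom next to a
bounded copy and applies it to both the argument and the environment case.
The buffer size NAME_MAX_LEN and the helper names are assumptions made for
the illustration; the real buffer sizes are not given in the reports.

```c
/* Added example, not GNATS or top code: the unbounded copy behind both
 * reports and a bounded replacement used for argv and for getenv(). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 1024   /* hypothetical buffer size for the example */

/* The unsafe idiom: strcpy() stops only at the NUL, so an argument or
 * environment value of NAME_MAX_LEN bytes or more runs past the buffer
 * into saved registers and the return address. Shown for contrast only;
 * it is never called here. */
static void unsafe_load(const char *src)
{
    char buf[NAME_MAX_LEN];
    strcpy(buf, src);               /* overflow when strlen(src) >= NAME_MAX_LEN */
    (void)buf;
}

/* Bounded copy: 0 on success, -1 (dst left empty) when the input would
 * not fit including its terminating NUL. Refusing is preferable to silent
 * truncation for a database name or a home path. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (src == NULL || dst == NULL || dstsz == 0)
        return -1;
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')   /* scan at most dstsz bytes */
        n++;
    if (n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Parse "-d <name>" from argv with the bound applied. Returns 0 and fills
 * name on success, -1 if the option is absent or the value too long. */
int parse_db_option(int argc, char **argv, char *name, size_t namesz)
{
    for (int i = 1; i < argc - 1; i++) {
        if (strcmp(argv[i], "-d") == 0)
            return copy_bounded(name, namesz, argv[i + 1]);
    }
    return -1;
}

/* Read an environment variable such as HOME with the same bound.
 * Returns -1 if the variable is unset or over the limit. */
int read_env_bounded(const char *var, char *out, size_t outsz)
{
    const char *v = getenv(var);
    if (v == NULL)
        return -1;
    return copy_bounded(out, outsz, v);
}

int main(int argc, char **argv)
{
    char name[NAME_MAX_LEN], home[NAME_MAX_LEN];

    if (parse_db_option(argc, argv, name, sizeof name) == 0)
        printf("database: %s\n", name);
    else
        fprintf(stderr, "-d missing or longer than %d bytes, refusing\n",
                NAME_MAX_LEN - 1);

    if (read_env_bounded("HOME", home, sizeof home) == 0)
        printf("home: %s\n", home);
    else
        fprintf(stderr, "HOME unset or longer than %d bytes, refusing\n",
                NAME_MAX_LEN - 1);

    (void)unsafe_load;              /* referenced so the contrast compiles */
    return 0;
}
```

Run it as `./a.out -d main` with a normal HOME and both values print; run
it with `-d "$(printf 'A%.0s' $(seq 1 1148))"` or
`HOME="$(printf 'A%.0s' $(seq 1 1100))" ./a.out` and the oversized value is
refused instead of reaching the stack. Note that in a setuid binary the
environment is attacker-controlled just like argv, so the same bound must
apply to every getenv() result, not only HOME.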

MySQL AB ODBC Driver Plain Text Password Vulnerability
BugTraq ID: 8245
Remote: No
Date Published: Jul 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8245
Summary:

A vulnerability has been reported in the MySQL AB ODBC (Open Database
Connectivity) driver implementation. Reportedly, ODBC credentials are
stored in the system registry in plain text.

When creating ODBC connections, the MySQL ODBC driver reportedly stores
the plain text credentials used to connect to the specified database in the
system registry. ODBC SYSTEM-DSN entries are stored in the
HKEY_LOCAL_MACHINE branch of the registry, unlike USER-DSN entries, which
are stored in the HKEY_CURRENT_USER branch. This may increase the impact of
the vulnerability for MySQL ODBC SYSTEM-DSN entries, because the data may
be accessible to a greater number of users.

If a local user has read access to the registry key that contains the
sensitive data, the credentials may be disclosed and used to connect to
the target database.

It should be noted that this issue might be configuration specific. Other
ODBC drivers may also be prone to the same issue, though this is not
confirmed.

[ probably closed source; but not sure ]

FDClone Local Insecure Temporary Directory Creation Vulnerability
BugTraq ID: 8247
Remote: No
Date Published: Jul 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8247
Summary:

fdclone is a freely available, open source file management tool.  It is
available for the Linux platform.

A problem has been reported in the creation of temporary directories by
fdclone.  Because of this, an attacker may be able to gain access to
potentially sensitive information.

The problem is in the creation of directories by the fdclone program in
the /tmp directory.  fdclone does not properly check whether its temporary
directory already exists before using it, and does not validate the
permissions of an already existing directory.  Because of this, an attacker
may be able to gain access to the contents of temporary files created by
fdclone.  It may also be possible to launch symbolic link attacks with
this vulnerability.
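Both failures named in the report (an existing entry at the fixed /tmp path
is trusted, and its permissions are never checked) are avoided by the
routine below, an added example rather than fdclone's own code. It
attempts the mkdir with mode 0700 first, then inspects whatever is at the
path with lstat() so a pre-planted symbolic link is seen as a link rather
than followed, and refuses anything not owned by the caller or accessible
to group or others. The function name secure_tmpdir is an assumption for
the illustration.

```c
/* Added example (not fdclone code): create or reuse a private temporary
 * directory without trusting whatever already sits at that path. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 0 if `path` is now a directory usable as private scratch space,
 * -1 otherwise. Never follows a symlink at `path`. */
int secure_tmpdir(const char *path)
{
    struct stat st;

    /* Create it ourselves if we can; force 0700 regardless of the umask. */
    mode_t saved = umask(077);
    int rc = mkdir(path, S_IRWXU);
    int err = errno;
    umask(saved);
    if (rc == -1 && err != EEXIST)
        return -1;                          /* cannot create: give up */

    /* Something is there (ours or pre-existing): inspect, do not follow. */
    if (lstat(path, &st) == -1)
        return -1;
    if (S_ISLNK(st.st_mode))
        return -1;                          /* attacker-planted symlink */
    if (!S_ISDIR(st.st_mode))
        return -1;                          /* a file squatting on the name */
    if (st.st_uid != getuid())
        return -1;                          /* someone else created it */
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return -1;                          /* group or world access: refuse */
    return 0;
}

int main(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/fdclone-example-%ld", (long)getpid());
    if (secure_tmpdir(path) == 0) {
        printf("%s is a private directory\n", path);
        rmdir(path);
    } else {
        printf("refusing to use %s\n", path);
    }
    return 0;
}
```

The ownership check is what makes the EEXIST path safe on a sticky-bit
/tmp: another user cannot replace or rename a directory the caller owns
there, so validating the existing entry once is sufficient. When the
directory name does not have to be fixed, mkdtemp() from the C library
avoids the question entirely by picking an unpredictable name and creating
it atomically.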

3Com DSL Router Administrative Interface Long Request Router Denial Of 
Service Vulnerability
BugTraq ID: 8248
Remote: Yes
Date Published: Jul 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8248
Summary:

The 812 OfficeConnect is one of a series of DSL routers distributed and
maintained by 3Com.

A vulnerability in the 3Com 812 OfficeConnect has been reported that may
result in the router becoming unstable.  Because of this, an attacker may
be able to deny service to legitimate users of the vulnerable router.

The problem is in the handling of requests of excessive length by the
administrative interface.  When an attacker sends a string of 512 or more
bytes to the administrative interface on port 80, the router reboots.
This could be exploited repeatedly, resulting in a prolonged denial of
service.

It should be noted that the administrative interface is reachable only via
the LAN interface of the DSL router, and cannot be accessed by the
untrusted network side by default.

It should also be noted that this issue is likely a memory corruption
vulnerability.  Although unconfirmed, a possibility exists that this issue
may be exploitable to execute arbitrary code.  This issue may also affect
other 3Com routers.

[ hardware ]
