[gull-annonces] Summary of SecurityFocus Newsletter #279

Marc SCHAEFER schaefer at alphanet.ch
Sat Dec 25 13:52:20 CET 2004


ViewCVS Multiple Information Disclosure Vulnerabilities
BugTraq ID: 11819
Remote: Yes
Date Published: Dec 06 2004
Relevant URL: http://www.securityfocus.com/bid/11819
Summary:
ViewCVS is reportedly prone to multiple information disclosure
vulnerabilities when repositories are exported to tar archives.

Reportedly, certain configuration directives are not properly honored
when creating tar archives for users to download. This allows remote
attackers to gain access to potentially sensitive files located in
restricted directories. The contents of these files may aid them in
further attacks.

This issue is only exploitable if the package is configured to allow
tar archive generation. This is enabled by setting the 'tar_archive'
configuration directive to '1'.

Mozilla/Netscape/Firefox Browsers JavaScript IFRAME Renderin...
BugTraq ID: 11823
Remote: Yes
Date Published: Dec 06 2004
Relevant URL: http://www.securityfocus.com/bid/11823
Summary:
Mozilla/Netscape and Firefox browsers are reported prone to a remote
denial of service vulnerability. It is reported that the affected
browsers will crash as a result of a NULL pointer dereference when a
JavaScript function attempts to print an IFRAME that is embedded in
the page.

KDE Konqueror FTP URI Arbitrary FTP Server Command Execution...
BugTraq ID: 11827
Remote: Yes
Date Published: Dec 06 2004
Relevant URL: http://www.securityfocus.com/bid/11827
Summary:
KDE Konqueror is reported prone to an arbitrary FTP server command
execution vulnerability. This issue is due to a failure of the
application to properly sanitize user-supplied URI input prior to
utilizing it to execute FTP commands on remote servers.

This vulnerability allows attackers to embed arbitrary FTP server
commands in malicious URIs. Upon following this malicious URI, the
victim user's Web browser will reportedly connect to the
attacker-specified FTP server, and the malicious commands will be sent
to the server. This may allow malicious files to be downloaded to the
victim's computer without their knowledge. Other attacks are also
likely possible.

[ example of other attacks: as soon as the attacker (the server) can
control what the client writes into the FTP command channel, one can
imagine things like opening any TCP port >= 1024 for the attacker on
the machine, etc., if a smart firewall with packet inspection (e.g.
Linux iptables masquerading/NAT) is used to allow active FTP.
]

imlib Multiple XPM Image Decoding Buffer Overflow Vulnerabil...
BugTraq ID: 11830
Remote: Yes
Date Published: Dec 06 2004
Relevant URL: http://www.securityfocus.com/bid/11830
Summary:
Multiple buffer overflow vulnerabilities are reported to exist in the
imlib library. These issues may be triggered when handling malformed
XPM images.

These vulnerabilities could be exploited by a remote attacker to cause
a denial of service in applications that use the vulnerable library to
render images. It is also reported that these vulnerabilities may be
exploited to execute arbitrary code.

These issues may be related to BID 11084. This BID will be updated as
further information is disclosed.

imlib Multiple Remote Integer Overflow Vulnerabilities
BugTraq ID: 11837
Remote: Yes
Date Published: Dec 07 2004
Relevant URL: http://www.securityfocus.com/bid/11837
Summary:
Multiple remote integer overflow vulnerabilities affect the imlib
graphics library.  These issues are due to a failure of the
application to properly handle the management of numeric data found in
image files.

An attacker may leverage these issues to gain local access to a
computer running an application that implements the vulnerable
library. This issue may also be used to facilitate privilege
escalation.

Gentoo MirrorSelect Local Insecure File Creation Vulnerabili...
BugTraq ID: 11835
Remote: No
Date Published: Dec 07 2004
Relevant URL: http://www.securityfocus.com/bid/11835
Summary:
A local insecure file creation vulnerability affects Gentoo
mirrorselect. This issue is likely due to a design error that causes
the application to fail to verify the existence of a file before
writing to it.

An attacker may leverage this issue to overwrite arbitrary files with
the privileges of an unsuspecting user that activates the vulnerable
utility.

Linux Kernel AIO_Free_Ring Local Denial Of Service Vulnerabi...
BugTraq ID: 11842
Remote: No
Date Published: Dec 07 2004
Relevant URL: http://www.securityfocus.com/bid/11842
Summary:
The Linux Kernel is reported prone to a local denial of service
vulnerability. It is reported that the vulnerability exists due to a
failure by 'aio_free_ring' to handle exceptional conditions.

This vulnerability requires that mmap() is employed to map the maximum
amount of process memory that is possible, before the vulnerability
can be triggered.

It is reported that when handling 'io_setup' syscalls that are passed
large values, the Linux kernel 'aio_setup_ring' will attempt to
allocate a structure of page pointers.

When a subsequent 'aio_setup_ring' mmap() call fails and
'aio_free_ring' attempts to clean up the page pointers, it crashes
during this procedure, triggering a kernel panic.

MySQL MaxDB WAHTTP Server Remote Denial Of Service Vulnerabi...
BugTraq ID: 11843
Remote: Yes
Date Published: Dec 07 2004
Relevant URL: http://www.securityfocus.com/bid/11843
Summary:
A remote denial of service vulnerability has been reported to affect
the MySQL MaxDB WAHTTP server.  This issue is due to a failure of the
server to handle malformed requests.

An attacker may leverage this issue to cause the affected Web server
to crash, denying service to legitimate users.

MySQL MaxDB WebDav Handler Overwrite Header Remote Buffer Ov...
BugTraq ID: 11844
Remote: Yes
Date Published: Dec 07 2004
Relevant URL: http://www.securityfocus.com/bid/11844
Summary:
MySQL MaxDB WebDav Handler is reported prone to a remote buffer
overflow vulnerability.  This issue results from insufficient boundary
checks performed by the application when handling malformed
user-supplied data.  It is possible that an attacker may leverage this
issue to execute arbitrary code on a vulnerable computer.

This issue arises when the WebDav handler processes an excessive
'Overwrite' header.  MaxDB versions 7.5.00.18 and prior are affected
by this vulnerability.

Linux Kernel 64 Bit ELF Header Local Denial Of Service Vulne...
BugTraq ID: 11846
Remote: No
Date Published: Dec 07 2004
Relevant URL: http://www.securityfocus.com/bid/11846
Summary:
A local denial of service vulnerability affects the ELF header
processing functionality on 64 bit systems of the Linux kernel.  This
issue is due to a failure of the affected kernel to properly handle
malformed ELF headers.

A local attacker may leverage this issue to cause a computer running
the affected kernel to crash, denying service to legitimate users.

Darryl Burgdorf WebLibs Directory Traversal Vulnerability
BugTraq ID: 11848
Remote: Yes
Date Published: Dec 07 2004
Relevant URL: http://www.securityfocus.com/bid/11848
Summary:
It is reported that WebLibs is prone to a remote directory traversal
vulnerability.  This issue is due to a failure of the application to
properly filter user-supplied input.

WebLibs 1.0 is affected by this vulnerability.

MD5 Message Digest Algorithm Hash Collision Weakness
BugTraq ID: 11849
Remote: No
Date Published: Dec 07 2004
Relevant URL: http://www.securityfocus.com/bid/11849
Summary:
The MD5 algorithm is reported prone to a hash collision weakness. This
weakness reportedly allows attackers to create multiple, differing
input sources that, when the MD5 algorithm is used, result in the same
output fingerprint.

It has been demonstrated that attackers can create multiple input
sources to MD5 that result in the same output fingerprint. Reportedly,
at this time, attackers cannot generate arbitrary collisions. At this
time, it is also reported that only a very limited number of
individual bits in an input message may be altered while maintaining
an identical output fingerprint.

This weakness may allow attackers to create two messages, or
executable binaries such that their MD5 fingerprints are
identical. One of these messages or binaries would be innocent, and
the other malicious. The innocent message or binary may be digitally
signed, and then later would have the malicious file substituted into
its place. This attack may allow malicious code to be executed, or
non-repudiation properties of messages to be broken.

At this time, preimage attacks are not reportedly possible.

It is recommended that cryptosystems that utilize the MD5 algorithm be
reviewed, and that measures be taken to protect against this weakness.
Other hashing algorithms may be utilized in place of, or in conjunction
with, MD5 to decrease the likelihood of a successful attack.

[ Bruce Schneier's recommendation: always modify slightly any message
one is asked to sign. This makes preimage attacks harder, especially
those where a lot of padding had to be added to create the two
different texts with the same MD5 hash.
]
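
[ The two mitigations named above (hashing with a second algorithm in
conjunction with MD5, and having the signer prepend bytes of its own
choosing before hashing), as an added Python example. This is not code
from SecurityFocus or from the list post; the function names, the
choice of SHA-256 as the second algorithm and the 16-byte random nonce
are this example's own assumptions, and the private-key signature step
that would consume the resulting digest is left out. ]

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example for the MD5 collision item above (not SecurityFocus or
# list-post code). Algorithm choice and function names are assumptions.

# MD5 is kept for compatibility with existing fingerprints; SHA-256 is used
# alongside it, as the advisory suggests using another hash "in conjunction".
ALGORITHMS = ("md5", "sha256")


def fingerprint(data: bytes) -> dict:
    """Digest the same bytes under every algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def fingerprints_match(a: dict, b: dict) -> bool:
    """Accept only when every algorithm's digest agrees.

    A forged substitute would have to collide under all of the algorithms
    at once, not merely under MD5.
    """
    return all(hmac.compare_digest(a[name], b[name]) for name in ALGORITHMS)


def prepare_for_signing(message: bytes, nonce: Optional[bytes] = None) -> tuple:
    """Hash a signer-chosen nonce *prepended* to the message.

    A colliding pair prepared by the submitter collides only for the exact
    bytes the submitter chose. Prepending data the submitter did not know
    changes the hash state before the crafted blocks are processed, so the
    prepared substitute no longer shares a digest with what was signed.
    Appending would not help: a Merkle-Damgard collision survives any
    common suffix. Returns (nonce, digests); both must be stored with the
    signature so a verifier can recompute them.
    """
    if nonce is None:
        nonce = os.urandom(16)
    return nonce, fingerprint(nonce + message)


def verify_prepared(message: bytes, nonce: bytes, digest: dict) -> bool:
    """Recompute the digests over nonce + message and compare all of them."""
    return fingerprints_match(fingerprint(nonce + message), digest)


if __name__ == "__main__":
    # Constructed demonstration input.
    nonce, digest = prepare_for_signing(b"I owe you 100 CHF")
    print(nonce.hex(), digest)
    print(verify_prepared(b"I owe you 100 CHF", nonce, digest))
    print(verify_prepared(b"I owe you 1000 CHF", nonce, digest))
```

The nonce has to travel with the signature (for instance as a signed
attribute), since the verifier cannot recompute the digest without it.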

KDE Konqueror Remote Window Hijacking Vulnerability
BugTraq ID: 11853
Remote: Yes
Date Published: Dec 08 2004
Relevant URL: http://www.securityfocus.com/bid/11853
Summary:
Konqueror is reported prone to a vulnerability that may allow a Web
site to hijack the contents of a trusted window.  This issue may allow
a remote attacker to carry out phishing style attacks.

This issue arises as a user visits a malicious site and follows a link
to a trusted site.  Once the link to the trusted site is followed, the
victim must open a pop up window from the trusted site that can be
influenced by the attacker's site.

If successful, the contents of the target site's window can be spoofed
resulting in phishing style attacks.

Konqueror 3.2.2-6 is reported vulnerable to this issue; however, it is
possible that other versions are affected as well.

Mozilla Browser and Mozilla Firefox Remote Window Hijacking ...
BugTraq ID: 11854
Remote: Yes
Date Published: Dec 08 2004
Relevant URL: http://www.securityfocus.com/bid/11854
Summary:
Mozilla Browser and Mozilla Firefox are reported prone to a
vulnerability that may allow a Web site to hijack the contents of a
trusted window.  This issue may allow a remote attacker to carry out
phishing style attacks.

This issue arises as a user visits a malicious site and follows a link
to a trusted site.  Once the link to the trusted site is followed, the
victim must open a pop up window from the trusted site that can be
influenced by the attacker's site.

If successful, the contents of the target site's window can be spoofed
resulting in phishing style attacks.

KDE Plaintext Password Disclosure Vulnerability
BugTraq ID: 11866
Remote: No
Date Published: Dec 09 2004
Relevant URL: http://www.securityfocus.com/bid/11866
Summary:
KDE is reported prone to a plaintext password disclosure
vulnerability.  This issue presents itself when a link to a remote
file is created by various KDE applications including Konqueror Web
browser.  The URI may contain authentication credentials to access the
remote resource such as a Samba share.

An attacker can disclose these credentials by accessing the
potentially world readable link reference file created by KDE.

GNU wget Multiple Remote Vulnerabilities
BugTraq ID: 11871
Remote: Yes
Date Published: Dec 10 2004
Relevant URL: http://www.securityfocus.com/bid/11871
Summary:
Multiple remote vulnerabilities are reported to affect GNU wget.  These
issues are due to a failure of the application to properly sanitize
user-supplied input and to properly validate the existence of files
prior to writing to them.

The first issue is a potential directory traversal issue. The second
issue is an arbitrary file overwriting vulnerability. The final issue
is a weakness caused by a failure of the application to filter
potentially malicious characters from server-supplied input.

These issues may be exploited by a malicious server to arbitrarily
overwrite files in the current directory and potentially write outside
of the current directory.  This may facilitate file corruption, denial
of service and further attacks against the affected computer.  Any
file overwriting would take place with the privileges of the user that
activates the vulnerable application.
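
[ The three defects in the wget item above (server-controlled path
escaping the download directory, overwriting a file that already exists,
and control characters in server-supplied names) and the insecure file
creation in the mirrorselect item (BID 11835) all come down to how a
downloader turns a name it did not choose into a local file. The Python
below is an added example of the defensive side, not code from wget,
mirrorselect or the list post; the character policy, function names and
the constructed test names are this example's own assumptions. ]

```python
import os
import re
import tempfile

# Added example for the wget (BID 11871) and mirrorselect (BID 11835) items.
# Not project code; the policy below is this example's own assumption.

# ASCII control bytes (CR/LF and ESC can alter what a terminal displays)
# and backslash are refused in server-supplied names.
_CONTROL_OR_ESCAPE = re.compile(r"[\x00-\x1f\x7f\\]")


def safe_local_path(base_dir: str, server_name: str) -> str:
    """Map a server-supplied file name to a path confined to base_dir.

    Raises ValueError when the name is empty, contains control characters,
    is absolute, contains a '..' component, or resolves (symlinks included)
    outside base_dir.
    """
    if not server_name or _CONTROL_OR_ESCAPE.search(server_name):
        raise ValueError("unacceptable characters in server-supplied name")
    if os.path.isabs(server_name):
        raise ValueError("absolute path rejected")
    if ".." in server_name.split("/"):
        raise ValueError("parent-directory component rejected")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, server_name))
    # realpath follows symlinks already present under base_dir, so a planted
    # link cannot redirect the write outside the download directory.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the download directory")
    return candidate


def is_rejected(base_dir: str, server_name: str) -> bool:
    """True when safe_local_path refuses the name."""
    try:
        safe_local_path(base_dir, server_name)
    except ValueError:
        return True
    return False


def write_download(base_dir: str, server_name: str, data: bytes) -> str:
    """Create the output file exclusively and write data to it.

    O_EXCL makes creation fail (FileExistsError) if the file already exists
    instead of overwriting it, and O_NOFOLLOW refuses a symlink at the final
    component. Checking existence first and opening afterwards would leave
    a race window between the two steps.
    """
    path = safe_local_path(base_dir, server_name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Exercise the checks in a throwaway directory with constructed names."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        results["plain_ok"] = not is_rejected(base, "index.html")
        results["traversal_rejected"] = is_rejected(base, "../outside.html")
        results["absolute_rejected"] = is_rejected(base, "/etc/passwd")
        results["control_rejected"] = is_rejected(base, "index\r\n.html")
        # A symlink planted in the download directory that points outside it.
        os.symlink(os.path.dirname(base), os.path.join(base, "escape"))
        results["symlink_rejected"] = is_rejected(base, "escape/victim.txt")
        path = write_download(base, "index.html", b"<html></html>")
        with open(path, "rb") as fh:
            results["written"] = fh.read() == b"<html></html>"
        # A second download with the same name must not clobber the first.
        try:
            write_download(base, "index.html", b"replacement")
            results["overwrite_refused"] = False
        except FileExistsError:
            results["overwrite_refused"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Every key in the dictionary returned by demo() is True when the checks
behave as described; a downloader that wants "clobber" semantics would
drop O_EXCL deliberately rather than pre-checking with an existence test.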
