[gull-annonces] Summary of SecurityFocus Newsletter #234

Marc SCHAEFER schaefer at alphanet.ch
Tue Feb 3 09:11:02 CET 2004


Cherokee Error Page Cross Site Scripting Vulnerability
BugTraq ID: 9496
Remote: Yes
Date Published: Jan 26 2004
Relevant URL: http://www.securityfocus.com/bid/9496
Summary:
Cherokee is a web server distributed under the GNU General Public License.
It is available for numerous platforms, including Microsoft Windows and
Unix/Linux variants.

Cherokee has been reported to contain a cross-site scripting
vulnerability.  This issue is due to the server failing to check and
filter user-supplied strings issued to the server in a web request, which
are then included directly in error output.

An attacker can exploit this issue by crafting a URI link containing the
malevolent HTML or script code, and enticing a user to follow it.  If this
link were followed, the hostile code may be rendered in the web browser of
the victim user. This would occur in the security context of the affected
web server and may allow for theft of cookie-based authentication
credentials or other attacks.

TCPDump ISAKMP Decoding Routines Denial Of Service Vulnerabi...
BugTraq ID: 9507
Remote: Yes
Date Published: Jan 27 2004
Relevant URL: http://www.securityfocus.com/bid/9507
Summary:
tcpdump is a freely available, open source network monitoring tool. It is
available for the Unix, Linux, and Microsoft Windows operating systems.

A vulnerability has been identified in the software that may allow a
remote attacker to cause a denial of service condition in the software.
The issue occurs due to the way tcpdump decodes Internet Security
Association and Key Management Protocol (ISAKMP) packets.  A remote
attacker may cause the software to enter an infinite loop by sending
malformed ISAKMP packets resulting in a crash or hang.

Although unconfirmed, due to the nature of this issue, an attacker may
leverage the issue by exploiting an unbounded memory copy operation to
overwrite the saved return address/base pointer, causing an affected
procedure to return to an address of their choice. Successful exploitation
of this issue may allow an attacker to execute arbitrary code with the
privileges of the tcpdump process in order to gain unauthorized access.

tcpdump versions prior to 3.8.1 have been reported to be prone to this
issue.
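
The hang described above is the classic failure mode of a length-prefixed payload chain: a decoder that advances by the payload's own length field never moves forward when that field is 0. Below is an added example (written for this summary, not tcpdump's code) of an ISAKMP payload walker that terminates on any input: it rejects lengths that cannot advance the walk, lengths that run past the packet, and chains longer than a fixed cap. The header layout follows RFC 2408; the packet builder and the sample packets are constructed for the demonstration, and `MAX_PAYLOADS` is a value chosen here.

```python
import struct

# Sizes from RFC 2408: fixed ISAKMP header and generic payload header.
ISAKMP_HDR_LEN = 28   # 8-byte initiator cookie, 8-byte responder cookie, next payload,
                      # version, exchange type, flags, 4-byte message id, 4-byte length
PAYLOAD_HDR_LEN = 4   # next payload (1), reserved (1), payload length (2, big-endian)
MAX_PAYLOADS = 64     # hard cap on chain length, chosen here; not taken from the advisory


class MalformedISAKMP(ValueError):
    """Raised instead of looping or reading out of bounds on a bad packet."""


def walk_payloads(packet: bytes):
    """Return [(payload_type, offset, length), ...] for the payload chain in `packet`.

    Every iteration either advances `offset` by at least PAYLOAD_HDR_LEN or raises,
    so the walk terminates for any input; a length field of 0 is rejected rather
    than re-read forever."""
    if len(packet) < ISAKMP_HDR_LEN:
        raise MalformedISAKMP("packet shorter than ISAKMP header")
    next_payload = packet[16]
    total_len = struct.unpack("!I", packet[24:28])[0]
    if total_len > len(packet):
        raise MalformedISAKMP("header length field exceeds captured bytes")
    offset = ISAKMP_HDR_LEN
    found = []
    while next_payload != 0:
        if len(found) >= MAX_PAYLOADS:
            raise MalformedISAKMP("payload chain longer than MAX_PAYLOADS")
        if offset + PAYLOAD_HDR_LEN > total_len:
            raise MalformedISAKMP(f"payload header at {offset} runs past packet end")
        nxt, _reserved, plen = struct.unpack("!BBH", packet[offset:offset + PAYLOAD_HDR_LEN])
        if plen < PAYLOAD_HDR_LEN:
            raise MalformedISAKMP(f"payload length {plen} at {offset} cannot advance the walk")
        if offset + plen > total_len:
            raise MalformedISAKMP(f"payload at {offset} with length {plen} runs past packet end")
        found.append((next_payload, offset, plen))
        offset += plen
        next_payload = nxt
    return found


def is_malformed(packet: bytes) -> bool:
    """Convenience wrapper for filters and tests: True if the walker rejects the packet."""
    try:
        walk_payloads(packet)
    except MalformedISAKMP:
        return True
    return False


def build_packet(payloads, override_len=None) -> bytes:
    """Constructed test-packet builder (not real traffic). `payloads` is a list of
    (type, body); `override_len=(index, value)` forces one payload's length field so
    a malformed chain can be modelled."""
    chain = b""
    for i, (_ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        plen = PAYLOAD_HDR_LEN + len(body)
        if override_len is not None and override_len[0] == i:
            plen = override_len[1]
        chain += struct.pack("!BBH", nxt, 0, plen) + body
    first = payloads[0][0] if payloads else 0
    header = (b"\x11" * 8 + b"\x22" * 8
              + struct.pack("!BBBBII", first, 0x10, 2, 0, 0, ISAKMP_HDR_LEN + len(chain)))
    return header + chain


# Constructed samples: a well-formed SA (1) + Vendor ID (13) chain, and the same
# chain with the second payload's length field zeroed.
GOOD_PACKET = build_packet([(1, b"\x00" * 8), (13, b"\xaa" * 16)])
ZERO_LEN_PACKET = build_packet([(1, b"\x00" * 8), (13, b"\xaa" * 16)], override_len=(1, 0))

if __name__ == "__main__":
    print(walk_payloads(GOOD_PACKET))
    print("zero-length payload rejected:", is_malformed(ZERO_LEN_PACKET))
```

The point of the walker is that the loop variable is bounded by the packet, not by the packet's self-description: `total_len` is checked against the captured bytes once, and each payload is then checked against `total_len` before it is trusted.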

Third-party CVSup Binary Insecure ELF RPATH Library Replacem...
BugTraq ID: 9523
Remote: No
Date Published: Jan 29 2004
Relevant URL: http://www.securityfocus.com/bid/9523
Summary:
CVSup is a network file distribution utility that is intended to be used
with CVS repositories.  It is available for various Unix/Linux
derivatives.

It has been reported that some third-party vendor-supplied CVSup binaries
may have an insecure ELF RPATH that includes world-writeable directories
in the path.  This variable is used to specify the run-time search path
for ELF objects.  A local attacker could exploit this issue by placing
malicious libraries in these directories, which would be dynamically
linked against at run-time when the cvsup, cvsupd or cvpasswd programs are
executed.  This would result in execution of arbitrary code with elevated
privileges.

This issue was reported to affect CVSup RPMs that ship with SuSE Linux.
Other distributions may also be affected.  In the instance of SuSE, the
/home/anthon and /usr/src/packages directories included in the search path
may be world-writeable, depending on the value of the PERMISSIONS_SECURITY
setting in the /etc/sysconfig/security configuration file.  Statically
linked versions of the software should not be affected by this issue.
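
The audit a packager or administrator would want here is a check of each RPATH component against the conditions the advisory describes. The following is an added example, not CVSup's or SuSE's code, that takes an RPATH string (as `readelf -d` would show it under `RPATH` or `RUNPATH`) and flags components that are world-writable without the sticky bit, components that do not exist but could be created because their nearest existing ancestor is world-writable (the `/home/anthon` case), and relative components, which ld.so resolves against the working directory. The `demo()` function builds temporary directories with constructed permissions so the check runs offline; the `$ORIGIN` handling and the reason strings are choices made here.

```python
import os
import shutil
import stat
import tempfile

REASON_WW = "world-writable without sticky bit"
REASON_MISSING = "missing; nearest existing ancestor is world-writable, so it can be created"
REASON_RELATIVE = "relative entry, resolved against the working directory"


def world_writable(path: str) -> bool:
    """True if `path` exists, others may write into it, and the sticky bit is not set."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX)


def nearest_existing_ancestor(path: str) -> str:
    """Walk up until a component exists; that directory decides whether `path` can be created."""
    while not os.path.exists(path):
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return path


def audit_rpath(rpath: str, origin: str = "/usr/bin"):
    """Return [(entry, reason), ...] for each DT_RPATH/DT_RUNPATH component that a
    local user could populate. `origin` stands in for $ORIGIN, the binary's directory."""
    findings = []
    for entry in rpath.split(":"):
        resolved = entry.replace("${ORIGIN}", origin).replace("$ORIGIN", origin)
        if resolved == "" or not os.path.isabs(resolved):
            findings.append((entry, REASON_RELATIVE))   # "" and "." both mean the cwd to ld.so
        elif world_writable(resolved):
            findings.append((entry, REASON_WW))
        elif not os.path.exists(resolved) and world_writable(nearest_existing_ancestor(resolved)):
            findings.append((entry, REASON_MISSING))
    return findings


def demo():
    """Constructed scenario: three directories with different modes, plus an empty
    component and a not-yet-existing subdirectory of the open one."""
    base = tempfile.mkdtemp()
    try:
        safe, open_dir, sticky = (os.path.join(base, n) for n in ("safe", "open", "sticky"))
        os.mkdir(safe)
        os.chmod(safe, 0o755)
        os.mkdir(open_dir)
        os.chmod(open_dir, 0o777)
        os.mkdir(sticky)
        os.chmod(sticky, 0o1777)
        rpath = ":".join([safe, open_dir, "", sticky, os.path.join(open_dir, "lib")])
        return audit_rpath(rpath)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for entry, reason in demo():
        print(f"{entry!r}: {reason}")
```

Run it against a real binary by pasting the `RPATH`/`RUNPATH` value from `readelf -d` into `audit_rpath()`; the sticky-bit exception matters because `/tmp`-style directories are world-writable by design but do not let one user replace another user's files.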

CPAN WWW::Form HTML Injection Vulnerability
BugTraq ID: 9526
Remote: Yes
Date Published: Jan 29 2004
Relevant URL: http://www.securityfocus.com/bid/9526
Summary:
CPAN WWW::Form is an extendable Perl module that allows developers to
handle HTML form validation.

A vulnerability has been reported in the software that may allow a remote
attacker to execute HTML and script code in a user's browser. The problem
is reported to exist due to improper sanitizing of user-supplied data in
the Perl module.  It may be possible for an attacker to include malicious
HTML code in one of the vulnerable fields. The injected code could then be
interpreted by the browser of a user visiting the vulnerable site. This
attack would occur in the security context of the affected site.

Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials. Other attacks are also possible.

CPAN WWW::Form versions 1.12 and prior have been reported to be vulnerable
to this issue.
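
Both the Cherokee error-page entry and the WWW::Form entry above describe the same defect: a string taken from the request is written into HTML without being encoded for the context it lands in. The following is an added example, not code from Cherokee or from the WWW::Form module, showing a 404 page that echoes the request path verbatim beside one that decodes and then HTML-escapes it, and a form field that re-displays a submitted value inside an attribute. `SAMPLE_PATH` and the function names are constructed for the demonstration; the escaping uses Python's `html.escape`.

```python
import html
from urllib.parse import unquote

# Constructed request path, URL-encoded the way a browser sends it in a crafted link.
SAMPLE_PATH = "/missing%3Cscript%3Ealert(1)%3C/script%3E"


def error_page_unsafe(path: str) -> str:
    """The defect class in both advisories: the decoded request path is placed in
    the 404 body verbatim, so any markup in it reaches the browser as markup."""
    return ("<html><body><h1>404 Not Found</h1>"
            f"<p>The requested URL {unquote(path)} was not found.</p></body></html>")


def error_page_safe(path: str) -> str:
    """Decode first, then escape for HTML text context before interpolating.
    Escaping before decoding would let %3C slip through as a literal '<'."""
    shown = html.escape(unquote(path), quote=True)
    return ("<html><body><h1>404 Not Found</h1>"
            f"<p>The requested URL {shown} was not found.</p></body></html>")


def render_text_field(name: str, value: str) -> str:
    """What a form-handling module should do when it re-displays a submitted value
    inside an attribute: escape quotes as well as angle brackets, because a quote
    is what closes the attribute."""
    return (f'<input type="text" name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(value, quote=True)}">')


def echoes_raw_markup(rendered: str, untrusted: str) -> bool:
    """Regression check for templates: True if the decoded untrusted string contains
    markup characters and appears unescaped in the rendered output."""
    decoded = unquote(untrusted)
    return any(ch in decoded for ch in "<>\"'") and decoded in rendered


if __name__ == "__main__":
    print("unsafe echoes markup:", echoes_raw_markup(error_page_unsafe(SAMPLE_PATH), SAMPLE_PATH))
    print("safe echoes markup:  ", echoes_raw_markup(error_page_safe(SAMPLE_PATH), SAMPLE_PATH))
    print(render_text_field("q", '"><script>'))
```

`echoes_raw_markup` is the kind of check to keep in a test suite for every template that renders request data: it catches the regression where someone switches a safe interpolation back to a raw one.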
