[gull-annonces] Summary of SecurityFocus Newsletter #258

Marc SCHAEFER schaefer at alphanet.ch
Thu Jul 29 18:41:02 CEST 2004


Multiple Mozilla Bugzilla Vulnerabilities
BugTraq ID: 10698
Remote: Yes
Date Published: Jul 12 2004
Relevant URL: http://www.securityfocus.com/bid/10698
Summary:
Multiple vulnerabilities are reported to exist in the Bugzilla
software. The issues include cross-site scripting, SQL injection,
privilege escalation, and information disclosure.

An information disclosure vulnerability is reported to affect Bugzilla
installations under certain circumstances. It is reported that when
the SQL server is halted while the HTTP server continues to run, a
remote attacker may disclose the database password.

An attacker may employ the harvested password information to
authenticate to the SQL database.

A privilege escalation vulnerability is reported to affect Bugzilla.

A privileged attacker may exploit this vulnerability to gain
membership to other Bugzilla groups.

An additional information disclosure vulnerability is reported to
affect Bugzilla. It is reported that hidden products may be revealed
using vulnerable CGI scripts.

An attacker may employ the vulnerable scripts in order to disclose
product listings that are marked as confidential.

Bugzilla is reported prone to multiple cross-site scripting
vulnerabilities. These issues exist due to a lack of sanitization
performed on user supplied URI data before this data is incorporated
into dynamically generated error messages.

These cross-site scripting issues could permit a remote attacker to
create a malicious URI link that includes hostile HTML and script
code.  If a user follows the malicious link, the attacker-supplied
code executes in the web browser of the victim computer.
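The cross-site scripting issue above comes from reflecting a user-supplied URI into an error page without escaping it. The following is an added example written for this summary, not Bugzilla's own code: it shows the vulnerable rendering beside a hardened version that escapes for the HTML text context and, for the link, also restricts the scheme (the `ALLOWED_SCHEMES` set and the page layout are assumptions made for the example).

```python
# Added example (not Bugzilla's own code): a user-supplied URI reflected into a
# dynamically generated error message, the vulnerable form beside the hardened one.
import html
from urllib.parse import urlsplit

# Schemes we are willing to emit inside href="..." on an error page (assumption).
ALLOWED_SCHEMES = {"", "http", "https"}


def error_page_unsafe(requested_uri: str) -> str:
    """Vulnerable pattern: the raw URI is pasted into the HTML body and into a link."""
    return (
        "<html><body>"
        f"<p>Error: the page {requested_uri} does not exist.</p>"
        f'<p><a href="{requested_uri}">Try again</a></p>'
        "</body></html>"
    )


def safe_href(uri: str) -> str:
    """Only allow relative or http(s) URLs in an href, then escape for the attribute context."""
    if urlsplit(uri).scheme.lower() not in ALLOWED_SCHEMES:
        return "/"  # fall back to the site root rather than emit an unexpected scheme
    return html.escape(uri, quote=True)


def error_page_safe(requested_uri: str) -> str:
    """Hardened: escape for the text context; validate and escape for the attribute context."""
    return (
        "<html><body>"
        f"<p>Error: the page {html.escape(requested_uri, quote=True)} does not exist.</p>"
        f'<p><a href="{safe_href(requested_uri)}">Try again</a></p>'
        "</body></html>"
    )


def has_live_markup(page: str) -> bool:
    """Crude check used by the demo: does the page still contain an unescaped <script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    # Constructed sample input: a URI carrying hostile markup.
    hostile = "/show_bug.cgi?id=<script>alert(1)</script>"
    print("unsafe page reflects script:", has_live_markup(error_page_unsafe(hostile)))
    print("safe page reflects script:  ", has_live_markup(error_page_safe(hostile)))
```

Escaping is context-specific: `html.escape` is right for text and quoted attribute values, but a URL inside `href` also needs its scheme checked, which is why `safe_href` does both.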

An additional information disclosure vulnerability is reported to
affect Bugzilla. It is reported that a Bugzilla user's password may be
embedded as part of an image URI; the password may then be saved to,
and be visible in, web server or web proxy logs.

An attacker who has access to the web server logs may harvest
credentials.
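Credentials that end up in a URI show up in the request line of the web server log and, for image requests, in the Referer field of proxy and server logs. As an added example (not code from Bugzilla or SecurityFocus), the scanner below parses Combined Log Format lines, flags query parameters with password-like names in either field, and offers a redaction helper for log hygiene. The log lines are constructed for the example and the parameter-name pattern is an assumption to be tuned per application.

```python
# Added example: detect and redact credentials leaked through URIs in web logs.
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Combined Log Format: host ident user [time] "METHOD target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
# Query-parameter names that should never reach a log (assumption: tune per application).
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|pwd|secret|token", re.I)

# Constructed sample log lines (not real traffic): line 2 and 3 carry a password in the
# request line, line 4 carries one in the Referer of an image request.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2004:10:15:01 +0200] "GET /bugzilla/show_bug.cgi?id=1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jul/2004:10:15:02 +0200] "GET /bugzilla/showvotes.cgi?login=alice%40example.com&password=hunter2 HTTP/1.1" 200 810 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jul/2004:10:16:40 +0200] "POST /bugzilla/userprefs.cgi?old_passwd=a&new_passwd=b HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jul/2004:10:17:13 +0200] "GET /bugzilla/images/logo.gif HTTP/1.1" 200 2048 "http://bugs.example.com/bugzilla/show_bug.cgi?id=99&password=s3cret" "Mozilla/5.0"
"""


def sensitive_params(url: str) -> list:
    """Names of query parameters in `url` that look like credentials, sorted."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({name for name, _ in pairs if SENSITIVE_NAME.search(name)})


def scan_log(text: str) -> list:
    """Return (line number, field, client host, parameter names) for every leaky entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line we can parse; a real scanner would count these
        for field in ("target", "referer"):
            value = m.group(field)
            if value and value != "-":
                names = sensitive_params(value)
                if names:
                    findings.append((lineno, field, m.group("host"), names))
    return findings


def redact_url(url: str) -> str:
    """Replace the value of every credential-like parameter so the URL can be logged."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if SENSITIVE_NAME.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    for lineno, field, host, names in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {field} from {host} carries {', '.join(names)}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; hits in the `referer` field are the signature of the image-URI case described above, since the credential travels with every embedded resource the page loads.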

Finally, Bugzilla is reported prone to an SQL injection
vulnerability. The issue is due to a failure of the application to
properly sanitize user-supplied input.

As a result of this issue a privileged attacker could modify the logic
and structure of database queries.
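To make concrete what "modify the logic and structure of database queries" means, here is an added example (not Bugzilla's code; the `bugs` table and its rows are constructed for the demo) that runs the same product lookup twice against an in-memory SQLite database: once with the value concatenated into the SQL text, once bound as a parameter.

```python
# Added example: string-built query beside a parameterised one, in SQLite.
import sqlite3

# Constructed sample schema and data (assumption: a minimal bugs table).
SCHEMA = """
CREATE TABLE bugs (id INTEGER PRIMARY KEY, product TEXT NOT NULL, summary TEXT NOT NULL);
INSERT INTO bugs VALUES (1, 'WebTools', 'Login page typo');
INSERT INTO bugs VALUES (2, 'WebTools', 'Search is slow');
INSERT INTO bugs VALUES (3, 'SecretProduct', 'Unannounced feature crashes');
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def bug_ids_unsafe(conn: sqlite3.Connection, product: str) -> list:
    """Vulnerable: the value becomes part of the SQL text, so a quote in it rewrites the query."""
    sql = f"SELECT id FROM bugs WHERE product = '{product}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def bug_ids_safe(conn: sqlite3.Connection, product: str) -> list:
    """Hardened: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT id FROM bugs WHERE product = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (product,))]


if __name__ == "__main__":
    db = open_db()
    crafted = "WebTools' OR '1'='1"   # a value containing a quote
    print("unsafe:", bug_ids_unsafe(db, crafted))   # returns every row, including product 3
    print("safe:  ", bug_ids_safe(db, crafted))     # matches nothing: no such product name
```

The parameterised form is also the fix for the hidden-product disclosure in the same entry: a query can only return rows whose values match the bound literal, never rows selected by SQL the caller did not write.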

Mozilla Personal Security Manager Certificate Handling Denia...
BugTraq ID: 10703
Remote: Yes
Date Published: Jul 12 2004
Relevant URL: http://www.securityfocus.com/bid/10703
Summary:
Mozilla Internet Browser Personal Security Manager (PSM) is reported
prone to a vulnerability that may permit a remote malicious attacker
to silently import an invalid certificate into the Mozilla Personal
Security Manager certificate store.

An attacker may exploit this vulnerability to corrupt the Mozilla PSM
certificate store and as a result deny HTTPS service.

Mozilla Browser Cache File Multiple Vulnerabilities
BugTraq ID: 10709
Remote: Yes
Date Published: Jul 13 2004
Relevant URL: http://www.securityfocus.com/bid/10709
Summary:
Mozilla Browser is reported prone to multiple vulnerabilities that
could eventually allow for code execution on the local computer.

These vulnerabilities do not represent a significant threat on their
own; however, code execution in the context of the user is possible if
the two issues are combined.

By combining these issues, an attacker can eventually execute
arbitrary HTML or script code in the local zone.  The attacker would
likely exploit these issues by crafting a malicious Web site
containing HTML and script code and entice a user to visit the site.
If a user visits the site, the malicious page will be cached in a
known directory with a known file name.  The attacker may then craft a
link to this cached local file and entice a user to follow this link.
Due to a flaw in Mozilla that allows cached files to be opened in the
local zone as HTML documents the attack may lead to arbitrary code
execution in the local zone.

It should be noted that this issue is reported to exist in all
versions of Mozilla and Firefox browsers, however, Symantec was not
able to reproduce this on Firefox 0.9.2.  Furthermore, the directory
names may vary with different platforms.

Update: New reports have stated that the Mozilla Browser is not
vulnerable to the first issue as it uses random names for cache
directories.  This issue does however affect Firefox.  It is also
reported that an attacker does not have to use a file extension for
the second vulnerability as long as a NULL byte is placed after the
file name.  Arbitrary extensions may be applied as well.

[ Microsoft Windows only? ]

Opti3 EasyDisk Portable USB Hard Drive Unauthorized Access V...
BugTraq ID: 10702
Remote: No
Date Published: Jul 12 2004
Relevant URL: http://www.securityfocus.com/bid/10702
Summary:
EasyDisk is reported prone to an unauthorized access vulnerability.
It is reported that a local user can gain access to password protected
files without supplying a valid 'Passid'.

[ firmware ]

IM-Switch Insecure Temporary File Handling Symbolic Link Vul...
BugTraq ID: 10717
Remote: No
Date Published: Jul 13 2004
Relevant URL: http://www.securityfocus.com/bid/10717
Summary:
It is reported that im-switch is prone to a local insecure temporary
file handling symbolic link vulnerability. This issue is due to a
design error that allows the application to insecurely write to a
temporary file that is created with a predictable file name.

The im-switch utility will write to this temporary file before
verifying its existence; this would facilitate a symbolic link attack.

An attacker may exploit this issue to corrupt arbitrary files. This
corruption may potentially result in the elevation of privileges, or
in a system wide denial of service.
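The defect is the classic check-then-use window on a predictable temporary path. As an added example (not im-switch's own code, which is not shown here), the script below reproduces the scenario inside a throwaway directory: a link already sits at the guessable name, a plain `open()` follows it and overwrites the link target, while an `O_CREAT|O_EXCL` open refuses to proceed and `tempfile.mkstemp` sidesteps the problem by choosing an unpredictable name. It assumes a POSIX platform (for `os.symlink` and `os.O_NOFOLLOW`).

```python
# Added example: predictable temp file beside two safe alternatives (POSIX assumed).
import os
import stat
import tempfile


def write_tmp_unsafe(path: str, data: str) -> None:
    """Vulnerable pattern: fixed, predictable path; open() follows whatever is already there."""
    with open(path, "w") as f:
        f.write(data)


def write_tmp_safe(path: str, data: str) -> None:
    """Hardened: create-exclusive, refuse to follow links, owner-only mode.
    O_EXCL makes the kernel fail with EEXIST if anything (a planted symlink included)
    already sits at the path, so there is no separate existence check to race."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def write_tmp_mkstemp(directory: str, data: str) -> str:
    """Preferred: mkstemp picks an unpredictable name and opens it O_EXCL atomically."""
    fd, path = tempfile.mkstemp(prefix="im-switch.", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def _read(path: str) -> str:
    with open(path) as f:
        return f.read()


def demo() -> dict:
    """Reproduce the symlink scenario in a private directory and report what happened."""
    with tempfile.TemporaryDirectory() as work:
        target = os.path.join(work, "target.conf")        # stands in for an arbitrary victim file
        with open(target, "w") as f:
            f.write("original\n")
        predictable = os.path.join(work, "im-switch.tmp")  # the guessable temp name (assumed)
        os.symlink(target, predictable)                    # a link present before the program runs

        write_tmp_unsafe(predictable, "clobbered\n")
        unsafe_clobbered = _read(target) == "clobbered\n"

        with open(target, "w") as f:                       # restore, then try the hardened writer
            f.write("original\n")
        try:
            write_tmp_safe(predictable, "clobbered\n")
            safe_refused = False
        except FileExistsError:
            safe_refused = True
        safe_target_intact = _read(target) == "original\n"

        random_path = write_tmp_mkstemp(work, "report\n")
        mkstemp_ok = (os.path.basename(random_path) != "im-switch.tmp"
                      and _read(random_path) == "report\n")
        mkstemp_mode = stat.S_IMODE(os.stat(random_path).st_mode)

        return {
            "unsafe_clobbered": unsafe_clobbered,
            "safe_refused": safe_refused,
            "safe_target_intact": safe_target_intact,
            "mkstemp_ok": mkstemp_ok,
            "mkstemp_mode": mkstemp_mode,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that checking `os.path.exists()` before the unsafe `open()` would not help: the link can be placed between the check and the open, which is why the fix has to be in the open flags (or in `mkstemp`) rather than in a preceding test.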

aterm Terminal Permission Weakness
BugTraq ID: 10723
Remote: No
Date Published: Jul 13 2004
Relevant URL: http://www.securityfocus.com/bid/10723
Summary:
It is reported that aterm incorrectly sets the permission on the users
terminal device.

This flaw may allow an attacker with local interactive access to send
arbitrary data to aterm. An attacker may use this ability to exploit
vulnerabilities in aterm, such as BID 6949 (ATerm Menu Bar Escape
Sequence Command Execution Vulnerability).

[ looks like an old one to me ]

AnomicHTTPProxy Directory Traversal Vulnerability
BugTraq ID: 10732
Remote: Yes
Date Published: Jul 15 2004
Relevant URL: http://www.securityfocus.com/bid/10732
Summary:
It is reported that AnomicHTTPProxy is prone to a directory traversal
vulnerability.

This issue would allow an attacker to view arbitrary files on the
affected computer that are readable by the UID AnomicHTTPProxy is
running as. This may aid an attacker in conducting further attacks
against the vulnerable computer.

Version 0.21_build20040627 is reported vulnerable. Prior versions may
also be affected.
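A directory traversal bug of this kind is prevented by resolving every requested path against the document root and refusing anything that ends up outside it. The following is an added example, not AnomicHTTPProxy's code: `resolve_under_root` decodes the request, resolves `..` and symlinks with `realpath`, and checks containment with `commonpath` (a plain prefix test would wrongly accept `/srv/www2` as a child of `/srv/www`). The demo builds a throwaway document root and a symlink pointing outside it; a POSIX platform is assumed for the symlink.

```python
# Added example: safe mapping of request paths onto a document root.
import os
import tempfile
from urllib.parse import unquote


def resolve_under_root(root: str, request_path: str) -> str:
    """Map a request path onto `root`, refusing anything that escapes it.
    realpath() resolves '..' and symlinks; commonpath() confirms containment."""
    root_real = os.path.realpath(root)
    rel = unquote(request_path).lstrip("/")   # decode %2e%2e etc., then treat as relative
    candidate = os.path.realpath(os.path.join(root_real, rel))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"request escapes document root: {request_path!r}")
    return candidate


def demo() -> dict:
    """Constructed document root with one file inside, one file outside, one escaping symlink."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "htdocs")
        outside = os.path.join(work, "outside")
        os.makedirs(os.path.join(root, "docs"))
        os.makedirs(outside)
        with open(os.path.join(root, "docs", "index.html"), "w") as f:
            f.write("hello")
        with open(os.path.join(outside, "secret.txt"), "w") as f:
            f.write("secret")
        os.symlink(outside, os.path.join(root, "link"))   # a link that leaves the root

        requests = [
            "/docs/index.html",                       # plain request, allowed
            "//docs//index.html",                     # redundant slashes, allowed
            "/docs/../../outside/secret.txt",         # dot-dot escape, denied
            "/docs/%2e%2e/%2e%2e/outside/secret.txt", # percent-encoded escape, denied
            "/link/secret.txt",                       # escape through a symlink, denied
            "/",                                      # the root itself, allowed
        ]
        results = {}
        for req in requests:
            try:
                resolve_under_root(root, req)
                results[req] = "allowed"
            except PermissionError:
                results[req] = "denied"
        return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{verdict:7s} {req}")
```

Decoding before resolving matters: if the check ran on the raw string, `%2e%2e` would pass it and only be turned into `..` later by the file-serving layer.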

AnomicHTTPProxy Administrative Interface Authentication Bypa...
BugTraq ID: 10733
Remote: Yes
Date Published: Jul 15 2004
Relevant URL: http://www.securityfocus.com/bid/10733
Summary:
It is reported that AnomicHTTPProxy is prone to an administrative
interface authentication bypass vulnerability.

An attacker can exploit this issue to gain full administrative access
to AnomicHTTPProxy.

Version 0.21_build20040627 is reported vulnerable. Prior versions may
also be affected.

AnomicHTTPProxy Administrative Interface Denial Of Service V...
BugTraq ID: 10735
Remote: Yes
Date Published: Jul 15 2004
Relevant URL: http://www.securityfocus.com/bid/10735
Summary:
It is reported that AnomicHTTPProxy is prone to an administrative
interface denial of service vulnerability.

In certain circumstances, the web-based administrative interface can
reportedly be blocked. This denies service to the administrator of the
application.

Version 0.21_build20040627 is reported vulnerable. Prior versions may
also be affected.

BoardPower Forum ICQ.CGI Cross-Site Scripting Vulnerability
BugTraq ID: 10734
Remote: Yes
Date Published: Jul 15 2004
Relevant URL: http://www.securityfocus.com/bid/10734
Summary:
BoardPower Forum is reportedly affected by a cross-site scripting
vulnerability in the icq.cgi script. This issue is due to a failure of
the application to properly sanitize user-supplied URI input.

A remote attacker can exploit this issue by creating a malicious link
to the vulnerable application that includes hostile HTML and script
code. If this link were followed, the hostile code may be rendered in
the web browser of the victim user. This would occur in the security
context of the web server and may allow for theft of cookie-based
authentication credentials or other attacks.

[ language? license? maintained? ]

Apache mod_ssl Log Function Format String Vulnerability
BugTraq ID: 10736
Remote: Yes
Date Published: Jul 16 2004
Relevant URL: http://www.securityfocus.com/bid/10736
Summary:
Reportedly mod_ssl is affected by a format string vulnerability within
its logging function.  This issue is due to a failure of the
application to properly implement a formatted string function.

Successful exploitation of this issue will most likely allow an
attacker to gain control of the execution flow of the affected process
and execute arbitrary code on the affected computer.  It should be
noted that although this is quite likely, it has not been verified.

