[gull-annonces] SecurityFocus Newsletter #259 summary

Marc SCHAEFER schaefer at alphanet.ch
Thu Jul 29 18:41:06 CEST 2004


Extropia WebStore Remote Command Execution Vulnerability
BugTraq ID: 10744
Remote: Yes
Date Published: Jul 17 2004
Relevant URL: http://www.securityfocus.com/bid/10744
Summary:
eXtropia WebStore is prone to a remote command execution
vulnerability.

This issue is due to insufficient input validation and may permit
execution of commands in the context of the hosting Web server.

Anton Raharja PlaySMS Unspecified SQL Injection Vulnerabilit...
BugTraq ID: 10751
Remote: Yes
Date Published: Jul 19 2004
Relevant URL: http://www.securityfocus.com/bid/10751
Summary:
An SQL injection vulnerability is identified in the application that
may allow attackers to pass malicious input to database queries,
resulting in the modification of query logic or other attacks.

This vulnerability exists due to insufficient sanitization of
user-supplied input.  It may be possible for a remote user to inject
arbitrary SQL queries into the underlying database used by the
application. This could permit remote attackers to pass malicious
input to database queries, resulting in modification of query logic or
other attacks.

Successful exploitation could result in compromise of the application,
disclosure or modification of data or may permit an attacker to
exploit vulnerabilities in the underlying database implementation.

This issue is reported to exist in PlaySMS 0.6.  Other versions may be
affected as well.

[ SMS gateway engine ]

Anton Raharja PlaySMS Unspecified File Include Vulnerability
BugTraq ID: 10752
Remote: Yes
Date Published: Jul 19 2004
Relevant URL: http://www.securityfocus.com/bid/10752
Summary:
A vulnerability is reported to exist in the software that may allow an
attacker to include malicious files containing arbitrary code to be
executed on a vulnerable computer. The issue exists due to improper
validation of user-supplied data. Remote attackers could potentially
exploit this issue via a vulnerable variable to include a remote
malicious script, which will be executed in the context of the server
hosting the vulnerable software.

This issue is reported to exist in PlaySMS 0.6. Other versions may be
affected as well.

Outblaze Webmail HTML Injection Vulnerability
BugTraq ID: 10756
Remote: Yes
Date Published: Jul 19 2004
Relevant URL: http://www.securityfocus.com/bid/10756
Summary:
It is reported that Outblaze Webmail is susceptible to an HTML
injection vulnerability. This issue is due to a failure of the
application to properly sanitize user-supplied HTML email content.

It is possible to inject HTML and script code into the application
through HTML email as it is not properly sanitized.

An attacker can exploit this issue to gain access to an unsuspecting
user's cookie based authentication credentials; disclosure of personal
email is possible. Other attacks are also possible.

[ licence? language? ]

Lexmark Network Printer HTTP Server Denial Of Service Vulner...
BugTraq ID: 10765
Remote: Yes
Date Published: Jul 20 2004
Relevant URL: http://www.securityfocus.com/bid/10765
Summary:
Several Lexmark network printers that contain a built-in web server
have been reported to contain a buffer overflow vulnerability.

This vulnerability is reported to exist in the printers' HTTP header
parsing code.

The vulnerability can be exploited to crash the printer's web server,
denying service to legitimate users. The possibility to execute
arbitrary code on the printer may also be present.

Model T522 was reported to be affected by this vulnerability. Due to
code sharing across products, other printer models are likely affected
as well. It is reported that some Dell branded printers also use the
same firmware, implying that other vendors may also be vulnerable.

This BID will be updated with further vendor, model, and version
information as new information is disclosed.

It is conjectured that this BID is related to BID 1290. Lexmark
printers may use a vulnerable version of the Allegro RomPager embedded
web server.

[ firmware. So Dell printers are OEM Lexmarks, then. ]

Cisco ONS Multiple Vulnerabilities
BugTraq ID: 10768
Remote: Yes
Date Published: Jul 21 2004
Relevant URL: http://www.securityfocus.com/bid/10768
Summary:
Cisco ONS platforms are prone to multiple vulnerabilities.  Most of
the reported issues are related to handling of malformed packets,
resulting in a denial of service condition.  However, an
authentication bypass vulnerability has also been reported to affect
some platforms.

[ firmware ]

Conceptronic CADSLR1 ADSL Router Denial Of Service Vulnerabi...
BugTraq ID: 10769
Remote: Yes
Date Published: Jul 21 2004
Relevant URL: http://www.securityfocus.com/bid/10769
Summary:
The Conceptronic CADSLR1 router is reported to contain a denial of
service vulnerability.

This vulnerability reportedly presents itself in the embedded HTTP
server used for web-based administration of the router. When presented
a large malformed request, the device will reportedly crash and
reboot.

This vulnerability could be exploited by a remote attacker to deny
service to legitimate users.

Due to code reuse across products, other Conceptronic devices may also
be vulnerable to similar issues.

[ firmware ]

Imatix Xitami Server Side Includes Cross-Site Scripting Vuln...
BugTraq ID: 10778
Remote: Yes
Date Published: Jul 22 2004
Relevant URL: http://www.securityfocus.com/bid/10778
Summary:
It is reported that Imatix Xitami is affected by a cross-site
scripting vulnerability in the server side includes test script.  This
issue is due to a failure of the application to properly sanitize
user-supplied input.

Successful exploitation of this issue will allow an attacker to
execute arbitrary script code in the browser of an unsuspecting user.
This may potentially be exploited to hijack web content or steal
cookie-based authentication credentials from legitimate users.

[ portable embedded open-source WWW server ]

Imatix Xitami Malformed Header Remote Denial of Service Vuln...
BugTraq ID: 10785
Remote: Yes
Date Published: Jul 22 2004
Relevant URL: http://www.securityfocus.com/bid/10785
Summary:
A vulnerability is identified in the handling of certain types of
requests by Xitami. Because of this, it is possible for a remote
attacker to deny service to legitimate users of a vulnerable server.

Xitami 2.5c1 is reported prone to this issue, however, other versions
may be affected as well.

Linux kernel Equalizer Load Balancer device driver Local Den...
BugTraq ID: 10730
Remote: No
Date Published: Jul 15 2004
Relevant URL: http://www.securityfocus.com/bid/10730
Summary:
The Linux kernel is reported to be prone to a local denial of service
vulnerability. The issue is reported to exist in the 'eql.c' source
file.

An unprivileged local attacker may exploit this issue by crafting a
program that calls the vulnerable functions on a slave device name
that does not exist.

This vulnerability is reported to exist in version 2.6.7 of the Linux
kernel. It is likely that other versions are also affected.

Linux kernel Multiple Unspecified Local Privilege Escalation...
BugTraq ID: 10779
Remote: No
Date Published: Jul 22 2004
Relevant URL: http://www.securityfocus.com/bid/10779
Summary:
The Linux kernel is reported prone to multiple unspecified privilege
escalation vulnerabilities.  These vulnerabilities may allow a local
attacker to gain elevated privileges or disclose kernel memory.

These vulnerabilities were referenced in a SuSE advisory, however,
further details are not currently available.  It is possible that
these issues are related to BID 10566 (Linux kernel Multiple Device
Driver Vulnerabilities).  This BID will be updated or retired as more
information becomes available.

It is reported that these issues present themselves in Linux kernel
2.6.

Linux kernel Unspecified Local Denial of Service Vulnerabili...
BugTraq ID: 10783
Remote: No
Date Published: Jul 22 2004
Relevant URL: http://www.securityfocus.com/bid/10783
Summary:
The Linux kernel is reported prone to an unspecified local denial of
service vulnerability.  It is reported that this issue only affects ia64
systems.  A local attacker can exploit this issue by dereferencing a
NULL pointer and causing a kernel panic.  Successful exploitation will
lead to a denial of service condition in a vulnerable computer.

No further details are available at this time.  This issue will be
updated as more information becomes available.

Samba Web Administration Tool Base64 Decoder Buffer Overflow...
BugTraq ID: 10780
Remote: Yes
Date Published: Jul 22 2004
Relevant URL: http://www.securityfocus.com/bid/10780
Summary:
It has been reported that Samba Web Administration Tool (SWAT) is
affected by a base64 decoder buffer overflow vulnerability. This issue
is due to a failure of the application to properly validate buffer
boundaries when copying user-supplied input into a finite buffer.

Successful exploitation of this issue will allow a remote,
unauthenticated attacker to execute arbitrary code on the affected
computer with the privileges of the affected process; Samba typically
runs with superuser privileges.

[ version >= 3.x ]
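As an added defensive illustration (not Samba's own code, and not the actual SWAT decoder), this bounded base64 decoder shows the check whose absence the summary above describes: every decoded byte is tested against the caller's buffer capacity before it is written, and oversized or malformed input is rejected instead of overrunning the buffer.

```c
/* Added example, not Samba/SWAT code: a base64 decoder that refuses to
 * write past the caller's buffer. The defect class described above is
 * copying decoded bytes into a fixed-size buffer without a bounds check. */
#include <stddef.h>
#include <string.h>

static int b64_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;                      /* not a base64 alphabet character */
}

/* Decode 'in' into 'out' (capacity 'out_cap'). Returns the number of
 * bytes written, or -1 on invalid input or when the output would not fit. */
int b64_decode_bounded(const char *in, unsigned char *out, size_t out_cap)
{
    size_t n = 0;
    unsigned int acc = 0;
    int bits = 0;
    for (; *in && *in != '='; in++) {
        int v = b64_value(*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap) return -1;   /* the check a vulnerable decoder lacks */
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (int)n;
}

/* Demonstration helper: decode into a scratch buffer treated as having
 * capacity 'cap' (clamped to 64) and report the decoder's result. */
int decoded_length_for_capacity(const char *in, size_t cap)
{
    unsigned char scratch[64];
    return b64_decode_bounded(in, scratch, cap > sizeof scratch ? sizeof scratch : cap);
}

/* Demonstration helper: 1 if 'in' decodes exactly to 'expected', else 0. */
int decodes_to(const char *in, const char *expected)
{
    unsigned char scratch[64];
    int n = b64_decode_bounded(in, scratch, sizeof scratch);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(scratch, expected, (size_t)n) == 0;
}
```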

Samba Filename Mangling Method Buffer Overrun Vulnerability
BugTraq ID: 10781
Remote: Yes
Date Published: Jul 22 2004
Relevant URL: http://www.securityfocus.com/bid/10781
Summary:
Samba is reported prone to an undisclosed buffer overrun
vulnerability. The buffer overrun is reported to exist when Samba is
handling file name mangling with the "hash" method.

It is conjectured that this vulnerability may present itself when the
affected server handles a filename that is sufficient to trigger the
vulnerability. To exploit this vulnerability, an attacker may require
sufficient access so that they may write a file to a published samba
share.

It is reported that the vulnerability does not exist in default Samba
configurations; by default, Samba is configured to employ "hash2" name
mangling. The "hash2" method is not vulnerable.

This vulnerability is reported to affect Samba version 3.0.0 and
later.

Nessus Insecure Temporary File Creation Vulnerability
BugTraq ID: 10784
Remote: No
Date Published: Jul 22 2004
Relevant URL: http://www.securityfocus.com/bid/10784
Summary:
Nessus is reported to be vulnerable to an insecure temporary file
creation vulnerability.

This vulnerability presents itself in the 'nessus-adduser'
script. This script is used to add users to the Nessus
application. These users are independent of the system user database,
and are used to define access roles and limits in the application.

When creating new users, Nessus insecurely creates a temporary file.

A non-privileged user with interactive access could overwrite any file
on the system with superuser privileges. The attacker does not control
the data being written, just the location of the file.

An attacker could also exploit this issue to modify the rules assigned
to the new nessus user, allowing or denying access to scan hosts
within Nessus.

Versions of 2.0.x prior to 2.0.12 and the experimental version 2.1.0
are reported to be vulnerable to this issue.
