[gull-annonces] Summary of SecurityFocus Newsletter #253

Marc SCHAEFER schaefer at alphanet.ch
Wed Jun 16 22:51:03 CEST 2004


cPanel Killacct Script Customer Account DNS Information Dele...
Multiple CPanel Perl Script Failure To Implement Taint Mode ...
cPanel Passwd Remote SQL Injection Vulnerability
BugTraq ID: 10468, 10479, 10505
Remote: Yes
Date Published: Jun 05 2004
Relevant URL: http://www.securityfocus.com/bid/10468
Summary:
cPanel is prone to a vulnerability that can allow a remote
authenticated administrator to delete customer account DNS information
for customers that are not administered by that administrator.  This
attack can allow an attacker to cause a denial of service condition
against vulnerable Web sites.

Multiple Perl scripts that are distributed with cPanel are reported
prone to a security weakness. The issues are reported to exist because
the scripts do not run with taint mode. These weaknesses may be
exploited in conjunction with the weakness described in BID 10478 in
order to elevate privileges on a vulnerable system.

cPanel is reportedly affected by a remote SQL injection vulnerability
in the passwd script.  This issue is due to a failure of the
application to properly sanitize user-supplied URI parameter input
before using it in an SQL query.

The problem presents itself when malicious SQL statements are passed
to the 'passwd' script through URI parameters.

As a result of this a malicious user may influence database queries in
order to view or modify sensitive information, potentially
compromising the software or the database.

PostgreSQL ODBC Driver Unspecified Remote Buffer Overflow Vu...
BugTraq ID: 10470
Remote: Yes
Date Published: Jun 07 2004
Relevant URL: http://www.securityfocus.com/bid/10470
Summary:
PostgreSQL ODBC driver is reportedly prone to a remote buffer overflow
vulnerability.  This vulnerability was reported in a Debian advisory
and may allow a remote attacker to crash a Web server used with the
application.  It is reported that this issue can be exploited by using
a malicious script in order to cause a denial of service condition in
the Web server.

Due to a lack of details, further information is not available at the
moment.  This BID will be updated as more information becomes
available.

PostgreSQL version 7.2.1 is confirmed to be vulnerable at the moment,
however, it is likely that other versions are affected as well.

Webmin Multiple Unspecified Vulnerabilities
BugTraq ID: 10474
Remote: Yes
Date Published: Jun 07 2004
Relevant URL: http://www.securityfocus.com/bid/10474
Summary:
Webmin is prone to multiple unspecified vulnerabilities that may allow
an attacker to disclose sensitive information and carry out denial of
service attacks against legitimate users of the application.

The first issue can allow a user to disclose sensitive configuration
information about any module regardless of the user's privileges.  The
second issue can allow an attacker to send fake credentials to the
application that results in locking out legitimate users of Webmin.

Webmin versions 1.140 and prior are affected by these issues.

IBM GSKit SSL Handshake Unspecified Denial of Service Vulner...
BugTraq ID: 10475
Remote: Yes
Date Published: Jun 07 2004
Relevant URL: http://www.securityfocus.com/bid/10475
Summary:
IBM Global Security Toolkit (GSKit) is susceptible to an unspecified
denial of service vulnerability.

IBM has reported that during SSL handshakes, malformed packets can
either crash the affected application, or cause a performance
degradation.

Multiple applications incorporate GSKit, and are therefore all
affected by this vulnerability.

Linksys Web Camera Software Next_file Parameter File Disclos...
BugTraq ID: 10476
Remote: Yes
Date Published: Jun 07 2004
Relevant URL: http://www.securityfocus.com/bid/10476
Summary:
It is reported that Linksys Web Camera software is prone to a remote
file disclosure vulnerability that may allow a remote attacker to
disclose sensitive files.

Linksys Web Camera software version 2.10 is reportedly prone to this
issue, however, it is possible that other versions are affected as
well.

[ firmware ]

ClueCentral Apache Suexec Patch Security Weakness
BugTraq ID: 10478
Remote: No
Date Published: Jun 07 2004
Relevant URL: http://www.securityfocus.com/bid/10478
Summary:
ClueCentral Apache suexec patch is reported prone to a local security
weakness. It is reported that the patch that is applied to Apache
suexec makes suexec insecure. The patch reportedly removes security
checks on insecure directory permissions and permits the execution of
files owned by arbitrary users, by the 'nobody' user.

A local attacker who has permissions to create, publish and request
PHP web content on the affected system may exploit this weakness in
conjunction with other security vulnerabilities to achieve some degree
of privilege escalation.

FreeBSD jail() Process Unauthorized Routing Table Modificati...
BugTraq ID: 10485
Remote: No
Date Published: Jun 07 2004
Relevant URL: http://www.securityfocus.com/bid/10485
Summary:
FreeBSD improperly allows routing updates from superuser processes
inside jail() environments.

An attacker that gains superuser privileges inside of a jailed process
can send routing table changes. An attacker could corrupt the routing
table of the server, denying network services to legitimate users.
Attackers may also be able to perform connection-hijacking and
redirection attacks, such as the SSH man-in-the-middle attack.

Blosxom Writeback Plug-in HTML Injection Vulnerability
BugTraq ID: 10488
Remote: Yes
Date Published: Jun 08 2004
Relevant URL: http://www.securityfocus.com/bid/10488
Summary:
Blosxom is prone to an HTML injection vulnerability.  This issue
presents itself when Blosxom is used in combination with the
'writeback' plug-in.

This can allow an attacker to inject HTML and script code when posting
comments on a vulnerable site.  A successful attack can allow an
attacker to steal cookie-based authentication credentials.  Other
attacks are possible as well.

Blosxom version 2.0 is affected by this issue, however, other versions
could be vulnerable as well.

U.S. Robotics Broadband Router 8003 Administration Web Inter...
BugTraq ID: 10490
Remote: Yes
Date Published: Jun 08 2004
Relevant URL: http://www.securityfocus.com/bid/10490
Summary:
U.S. Robotics Broadband Router 8003 is affected by an administration
web interface insecure password vulnerability.  This issue is due to a
design error that allows the device's administrator password to be
read in plain text.

This issue would allow an attacker to gain administrative access to
the affected device allowing for the manipulation of such things as
Internet access controls. This might also aid further attacks
against computers on the local area network.

[ firmware ]

Roundup Remote File Disclosure Vulnerability
BugTraq ID: 10495
Remote: Yes
Date Published: Jun 08 2004
Relevant URL: http://www.securityfocus.com/bid/10495
Summary:
Roundup is prone to a remote file disclosure vulnerability.  A remote
user can disclose files on a vulnerable computer by using the
/home/@@file/ prefix and '../' directory traversal sequences.

This vulnerability affects Roundup 0.6.11 and prior versions.

[ A ticket-tracking system written in Python ]

OpenBSD ISAKMPD Security Association Piggyback Delete Payloa...
BugTraq ID: 10496
Remote: Yes
Date Published: Jun 08 2004
Relevant URL: http://www.securityfocus.com/bid/10496
Summary:
It is reported that OpenBSD's isakmpd daemon is susceptible to a
remote denial of service vulnerability.

An attacker is able to delete security associations and policies from
IPsec VPNs by sending a malformed UDP ISAKMP packet to a vulnerable
server. The malformed packet contains payloads for both setting up a
new tunnel and deleting a tunnel. Isakmpd improperly acts upon the
delete payload and terminates the associations and policies relating to
the tunnel.

It is possible to destroy security associations, effectively
eliminating the VPN connection between gateways, denying service to
legitimate users of the VPN.

GNU Aspell Stack Buffer Overflow Vulnerability
BugTraq ID: 10497
Remote: No
Date Published: Jun 08 2004
Relevant URL: http://www.securityfocus.com/bid/10497
Summary:
It is reported that the word-list-compress utility, which is a part of
aspell, contains a buffer overflow vulnerability.

The word-list-compress utility is used for the compression and
decompression of word lists. Improper bounds checking allows a buffer
overflow condition allowing code execution in the context of the
victim's account.

An attacker would need the ability to influence the contents of
another user's dictionary to successfully exploit this issue,
potentially through social engineering, improper file permissions, or
a file association vulnerability.

CVS Multiple Vulnerabilities
BugTraq ID: 10499
Remote: Yes
Date Published: Jun 09 2004
Relevant URL: http://www.securityfocus.com/bid/10499
Summary:
CVS is prone to multiple vulnerabilities.  The issues include a double
free vulnerability, format string vulnerabilities, and integer
overflows.  There is also a null termination issue in the security
patch for BID 10384, potentially leading to a server crash.  Some of
these issues may be leveraged to execute arbitrary code, while other
issues may only result in a denial of service.

Squid Proxy NTLM Authentication Buffer Overflow Vulnerabilit...
BugTraq ID: 10500
Remote: Yes
Date Published: Jun 09 2004
Relevant URL: http://www.securityfocus.com/bid/10500
Summary:
Squid Web Proxy Cache is reportedly affected by a buffer overflow
vulnerability when processing NTLM authentication credentials.  This
issue is due to a failure of the application to properly validate
buffer boundaries when copying user-supplied input.

This would allow an attacker to modify stack-based process memory in
order to cause a denial of service condition and execute arbitrary
code in the context of the vulnerable web proxy.  This will most
likely facilitate unauthorized access to the affected computer.

Horde IMP Unspecified Input Validation Vulnerability
BugTraq ID: 10501
Remote: Yes
Date Published: Jun 09 2004
Relevant URL: http://www.securityfocus.com/bid/10501
Summary:
Horde IMP is reportedly affected by an unspecified input validation
vulnerability.  This issue is due to input validation errors that
arise when the application processes user-supplied input.

This issue might be leveraged by an attacker to execute arbitrary HTML
or script code in the browser of an unsuspecting user, facilitating
session hijacking and theft of cookie-based authentication
credentials.

Symantec Gateway Security 360R Wireless VPN Bypass Weakness
BugTraq ID: 10502
Remote: Yes
Date Published: Jun 09 2004
Relevant URL: http://www.securityfocus.com/bid/10502
Summary:
Symantec Gateway Security 360R may be prone to a weakness that could
allow a remote attacker to establish an insecure wireless connection
with an internal computer.

This weakness reportedly affects Symantec Gateway Security 360R
firmware 2.1 build 300 and build 415.

[ firmware ]

Cisco CatOS TCP-ACK Denial Of Service Vulnerability
BugTraq ID: 10504
Remote: Yes
Date Published: Jun 09 2004
Relevant URL: http://www.securityfocus.com/bid/10504
Summary:
It has been reported that Cisco CatOS is vulnerable to a denial of
service attack. Improper initial TCP handshakes can cause affected
devices to cease functioning and reboot.

These improper connections can originate from spoofed source
addresses, making it easier for an attacker to accomplish a denial of
service attack.

This vulnerability is only accessible if the device is running telnet,
HTTP, or SSH services. IOS is not affected by this vulnerability.

[ firmware ]

Apache Mod_Proxy Remote Negative Content-Length Buffer Overf...
BugTraq ID: 10508
Remote: Yes
Date Published: Jun 10 2004
Relevant URL: http://www.securityfocus.com/bid/10508
Summary:
A remote buffer overflow vulnerability exists in Apache mod_proxy.

The source of this issue is that a negative user-specified length
value may be used in a memory copy operation, allowing for corruption
of memory.  This may be triggered if a remote server returns a negative
Content-Length: HTTP header field to be passed through the proxy.

Exploitation will likely result in a denial of service, though there
is an unconfirmed potential for execution of arbitrary code on some
platforms (such as BSD implementations).  Versions that have the
optional AP_ENABLE_EXCEPTION_HOOK define enabled may also be
exploitable on some platforms.

This issue affects Apache servers 1.3.26 through 1.3.31 that have
mod_proxy enabled and configured.  Apache 2.0.x releases are not
affected by this issue.
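
The strict parser below is an added example, not Apache's own code: it shows the check the entry implies, namely that a Content-Length value may only be used as a copy size once it is known to be a non-negative decimal that fits within a sane ceiling. The `unsafe_length_from_header` function is a hypothetical sketch of the unchecked pattern and exists only to show why a signed value such as "-1" turns into SIZE_MAX when used as a size_t.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical sketch (not Apache code) of the unchecked pattern: the
 * header value is converted as a signed number and then used as a size.
 * "-1" becomes SIZE_MAX, so a memcpy bounded by it runs off the buffer. */
size_t unsafe_length_from_header(const char *value)
{
    long n = strtol(value, NULL, 10);   /* "-1" -> -1 */
    return (size_t)n;                   /* -1 -> SIZE_MAX */
}

/* Hardened parser: accepts only a run of ASCII digits (surrounding
 * blanks tolerated) whose value is <= max_allowed.  Returns 1 and stores
 * the length on success, 0 for anything malformed, negative, empty or
 * oversized, which a proxy should treat as a protocol error. */
int parse_content_length(const char *value, size_t max_allowed, size_t *out)
{
    const char *p = value;
    size_t n = 0;

    while (*p == ' ' || *p == '\t')
        p++;
    if (!isdigit((unsigned char)*p))    /* rejects "", "-1", "+5", "abc" */
        return 0;
    for (; isdigit((unsigned char)*p); p++) {
        size_t d = (size_t)(*p - '0');
        /* n*10 + d <= max_allowed, tested without overflowing */
        if (d > max_allowed || n > (max_allowed - d) / 10)
            return 0;
        n = n * 10 + d;
    }
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p != '\0')                     /* trailing junk such as "12abc" */
        return 0;
    *out = n;
    return 1;
}

int main(void)
{
    /* constructed sample header values */
    const char *samples[] = { "1234", "-1", "12abc", "99999999999999999999999" };
    for (size_t i = 0; i < 4; i++) {
        size_t len = 0;
        int ok = parse_content_length(samples[i], (size_t)1 << 20, &len);
        printf("%-26s unsafe=%zu  strict=%s\n", samples[i],
               unsafe_length_from_header(samples[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```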

smtp.proxy Remote Format String Vulnerability
BugTraq ID: 10509
Remote: Yes
Date Published: Jun 10 2004
Relevant URL: http://www.securityfocus.com/bid/10509
Summary:
smtp.proxy is prone to a remotely exploitable format string
vulnerability.

The vulnerability occurs in routines that log SMTP headers in email
passed through the proxy.  This issue may be exploited to execute
arbitrary code.

Billion BIPAC-640 AE Administrative Interface Authentication...
BugTraq ID: 10510
Remote: Yes
Date Published: Jun 10 2004
Relevant URL: http://www.securityfocus.com/bid/10510
Summary:
Billion BIPAC-640 AE is reported prone to an authentication bypass
vulnerability. The issue is reported to exist when a Mozilla Firefox
or Opera Web Browser is used to access the Billion BIPAC-640 AE
administrative interface.

This vulnerability is reported to affect Billion BIPAC-640 AE firmware
version 3.33, other versions might also be affected.

[ firmware; apparently their security check lets the client through if
  it is not Microsoft IE ]

Edimax 7205APL 802.11b Wireless Access Point Default Backdoo...
BugTraq ID: 10512
Remote: Yes
Date Published: Jun 10 2004
Relevant URL: http://www.securityfocus.com/bid/10512
Summary:
The Edimax 7205APL is reported to contain a default backdoor account.

This account is hard coded and cannot be removed. This account can be
used to log into the device and create a backup of the configuration.

This configuration contains all users and their corresponding
passwords, allowing an attacker to then log into the device as
administrator.

The reported vulnerable device had firmware revision 2.40a-00. Other
revisions may also contain similar backdoor accounts.

[ firmware ]

ksymoops ksymoops-gznm Insecure Temporary File Handling Symb...
BugTraq ID: 10516
Remote: No
Date Published: Jun 10 2004
Relevant URL: http://www.securityfocus.com/bid/10516
Summary:
Ksymoops ships with several scripts, one of these scripts is
'ksymoops-gznm'. It is reported that the 'ksymoops-gznm' script is
prone to a local insecure temporary file handling symbolic link
vulnerability. This issue is due to a design error that allows the
application to insecurely write to a temporary file that is created
with a predictable file name. The script will write to this file
before verifying its existence; this would facilitate a symbolic link
attack.

Subversion SVN Protocol Parser Remote Integer Overflow Vulne...
BugTraq ID: 10519
Remote: Yes
Date Published: Jun 11 2004
Relevant URL: http://www.securityfocus.com/bid/10519
Summary:
It is reported that Subversion is prone to a remote integer overrun
vulnerability. The issue exists in the svn protocol parser and is due
to a lack of sufficient bounds checking performed on svn URI strings
that are transmitted by the client.

If the URI string received is long enough an integer overrun may occur
where the size value of the URI string will wrap and be
misrepresented. This may potentially result in corruption of heap
memory management structures.

Usermin HTML Email Script Code Execution Vulnerability
BugTraq ID: 10521
Remote: Yes
Date Published: Jun 11 2004
Relevant URL: http://www.securityfocus.com/bid/10521
Summary:
Usermin is reportedly affected by a script code execution
vulnerability when rendering HTML email messages.  This issue is due
to a failure to sanitize HTML email messages.

This issue will allow an attacker to execute arbitrary script code in
the browser of an unsuspecting user, facilitating theft of cookie-based
authentication credentials.  This could potentially allow unauthorized
access to user accounts on the computer.

Webmin Configuration Module Information Disclosure Vulnerabi...
BugTraq ID: 10522
Remote: Yes
Date Published: Jun 11 2004
Relevant URL: http://www.securityfocus.com/bid/10522
Summary:
Webmin is reportedly prone to a vulnerability that allows for
unauthorized disclosure of the configuration of a module.  This issue
is due to an access validation error.

This issue may allow an attacker to view the configuration of a module
for the affected application that may facilitate further attacks
against the affected system.

Webmin And Usermin Account Lockout Bypass Vulnerability
BugTraq ID: 10523
Remote: Yes
Date Published: Jun 11 2004
Relevant URL: http://www.securityfocus.com/bid/10523
Summary:
Webmin and Usermin are affected by an account lockout bypass
vulnerability.  This issue is due to a failure of the application to
properly sanitize user-supplied input.

This issue may be leveraged to carry out brute force authentication
attacks against the affected computer, facilitating unauthorized
access to the Webmin and Usermin accounts as well as the affected
computer.  It has been reported that this issue can also be leveraged
to prevent users from logging in, although how this occurs is
unspecified.

NetBSD Swapctl() Local Denial Of Service Vulnerability
BugTraq ID: 10529
Remote: No
Date Published: Jun 11 2004
Relevant URL: http://www.securityfocus.com/bid/10529
Summary:
NetBSD's swapctl() system call is reported susceptible to a local
denial of service vulnerability.

It manifests itself as an integer overflow condition in the
swapctl() system call. This issue may be exploited by local users to
trigger a kernel panic, effectively denying service to legitimate
users.

This has been fixed in NetBSD-current, and the NetBSD-2-0 branch of CVS.