[gull-annonces] Résumé SecurityFocus Newsletter #238

Marc SCHAEFER schaefer at alphanet.ch
Tue Mar 2 18:21:02 CET 2004


XFree86 Direct Rendering Infrastructure Buffer Overflow Vuln...
BugTraq ID: 9701
Remote: Yes
Date Published: Feb 20 2004
Relevant URL: http://www.securityfocus.com/bid/9701
Summary:
XFree86 is a freely available open-source implementation of the X Window
System.

It has been reported that XFree86 is prone to a denial of service.  The
condition reportedly can be caused by clients connecting to the X server
using the GLX extension and Direct Rendering Infrastructure.  The client
may cause the X server to fail due to insufficient bounds checking on
array indexes and integer sign errors.

Precise details of this vulnerability are not currently known.  This
record will be updated when more information becomes available.
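The bug class named above (array indexes checked against one bound only, with a sign error letting a negative value through) is easy to show in a few lines. The following is an added example written for this summary, not XFree86 or DRI code; the record table, function names and the constructed sample indexes are all assumptions.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed example table: a client selects one of these by index,
 * much as a protocol request carries an index field. */
#define RECORD_COUNT 4
static const int records[RECORD_COUNT] = { 10, 20, 30, 40 };

/* Flawed validation: the index is signed and only the upper bound is
 * tested, so -1 is accepted and would read before the array.
 * (Shown as a validator only, so nothing is dereferenced out of bounds.) */
int accepts_index_upper_only(int index)
{
    return index < RECORD_COUNT;
}

/* Common one-comparison fix: casting to unsigned turns any negative value
 * into a huge one, which then fails the upper-bound test. */
int accepts_index_unsigned_cast(int index, unsigned count)
{
    return (unsigned)index < count;
}

/* Explicit two-sided check on a wide signed type; the easiest form to
 * read and the one a reviewer should look for. */
int index_in_bounds(long index, size_t count)
{
    if (index < 0)
        return 0;
    return (size_t)index < count;
}

/* Hardened lookup: refuses out-of-range indexes; returns 1 on success. */
int lookup_checked(long index, int *out)
{
    if (!index_in_bounds(index, RECORD_COUNT))
        return 0;
    *out = records[index];
    return 1;
}

int main(void)
{
    /* Constructed sample indexes, including a hostile negative one. */
    long samples[] = { 0, 3, 4, -1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v;
        if (lookup_checked(samples[i], &v))
            printf("index %ld -> %d\n", samples[i], v);
        else
            printf("index %ld refused (upper-only check would %s it)\n",
                   samples[i],
                   accepts_index_upper_only((int)samples[i]) ? "accept"
                                                             : "refuse");
    }
    return 0;
}
```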

PSOProxy Remote Buffer Overflow Vulnerability
BugTraq ID: 9706
Remote: Yes
Date Published: Feb 20 2004
Relevant URL: http://www.securityfocus.com/bid/9706
Summary:
PSOProxy is a web server designed to work with the Gamecube web browser,
facilitating copying and formatting Phantasy Star Online snapshot files to
a PC on the same network.  Implemented in C++, it has been designed to run
on Windows, Mac OS X, Unix and Unix-like operating systems.

It has been reported that PSOProxy is prone to a remote buffer overflow
vulnerability.  The issue is due to the insufficient boundary checking of
all remote server requests.  Requests sent to the server of excessive
size, approximately one kilobyte, may trigger an overflow condition,
causing the process to raise an exception.  The immediate consequence of
such an exception is denial of service to legitimate users.

A malicious user may exploit this condition to potentially corrupt
sensitive process memory in the affected process and ultimately execute
arbitrary code with the privileges of the web server.

This issue has been reported to affect version 0.91 of the software; it is
likely, however, that earlier versions are affected as well.

Jabber Software Jabber Gadu-Gadu Transport Multiple Remote D...
BugTraq ID: 9710
Remote: Yes
Date Published: Feb 21 2004
Relevant URL: http://www.securityfocus.com/bid/9710
Summary:
Jabber Gadu-Gadu Transport is a gateway that bridges the Jabber and
Gadu-Gadu instant messaging protocols, facilitating communication between
applications using the different protocols.

Multiple denial of service vulnerabilities have been identified in Jabber
Gadu-Gadu Transport.  These issues are due to the application failing to
handle exceptional conditions.

Activation of the 'roster import' functionality will cause the gateway to
crash when implemented using the Gadu-Gadu library libgadu 1.0 or greater,
ultimately denying service to legitimate users.  This issue is due to the
application failing to deal with the reduced functionality in the later
versions of the library.

The application fails to properly deal with registered users that attempt
to re-register.  If a user that is previously registered attempts to
re-register, the application will enter an infinite loop, ultimately
denying service to legitimate users.

Messages sent to the software that contain no '<priority/>' tag will cause
the application to fail, resulting in a denial of service condition.

Successful exploitation of any of these issues may cause the affected
server to crash, denying service to legitimate users.

[ licence ? ]

W3C Jigsaw Unspecified Remote URI Parsing Vulnerability
BugTraq ID: 9711
Remote: Yes
Date Published: Feb 21 2004
Relevant URL: http://www.securityfocus.com/bid/9711
Summary:
Jigsaw is an HTTP server produced by W3C. It is implemented in Java, and
will run on a wide range of systems, including Microsoft Windows, Linux
and other Unix based systems.

Jigsaw is prone to an unspecified remote URI parsing vulnerability.  This
issue is reportedly due to a failure of the application to properly parse
and sanitize user supplied URI input.

The problem revolves around the web server failing to properly handle URI
separators.

The results of successful exploitation of this issue are currently
unknown, however it is conjectured that this issue may be leveraged to
compromise web server readable files outside of the server root directory.

This BID will be updated as further details regarding this issue are
disclosed.

Synaesthesia Insecure File Creation Vulnerability
BugTraq ID: 9713
Remote: No
Date Published: Feb 22 2004
Relevant URL: http://www.securityfocus.com/bid/9713
Summary:
Synaesthesia is an application designed to represent sounds visually.  It
is designed to run under Unix and Unix-like platforms and has been ported
to run under Windows as well.

An insecure file creation vulnerability exists in Synaesthesia.  This
issue arises due to the creation of a configuration file by the process
while running with root privileges.

Upon execution the application creates the file '.synaesthesia' in the
home directory of the executing user while holding root privileges. This
issue is due to the software failing to properly determine if the file
exists before attempting to create it.

A local attacker could exploit this issue by creating a symbolic link
named '.synaesthesia' pointing to a target system file. Upon execution,
the Synaesthesia software will then write to the configuration file
through the symbolic link, potentially destroying sensitive system data at
the end of the link, which could result in denial of service.

Samhain Labs HSFTP Remote Format String Vulnerability
BugTraq ID: 9715
Remote: No
Date Published: Feb 23 2004
Relevant URL: http://www.securityfocus.com/bid/9715
Summary:
hsftp is an ftp emulator, designed to provide the look and feel of ftp
while providing secure network communication via the ssh protocol.  The
application is freely available under the GNU General Public License and
supports Linux and Unix-like platforms.

hsftp has been found to be prone to a remote format string vulnerability.
The problem presents itself when hsftp reads the contents of a directory
in which a file has been given a malicious name containing embedded format
string specifiers.  The source of the problem is incorrect use of a
formatted printing function.  As a result, format specifiers supplied in
this manner will be interpreted by the printing function rather than
treated as literal text, and may result in attacker-specified memory being
corrupted or disclosed.

Ultimately this vulnerability could allow for execution of arbitrary code
on the system implementing the affected software, which would occur in the
security context of the server process.

It should be noted that when hsftp is installed setuid root, it only uses
the elevated privileges to acquire locked memory containing the user
password, and relinquishes them immediately afterwards.
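The format string bug class above comes down to whether the untrusted file name is passed to the printing function as the format or as an argument. The example below is added for this summary and is not hsftp's code; the function names and the constructed sample file names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Flawed pattern (the bug class described above, not hsftp's code): an
 * attacker-controlled directory entry becomes the *format* argument.
 * Never call this with untrusted input; it is kept only for contrast and
 * draws a warning under gcc's -Wformat-security. */
int render_entry_unsafe(char *out, size_t outsz, const char *name)
{
    return snprintf(out, outsz, name);
}

/* Hardened form: the format is a constant, the untrusted name is a plain
 * argument, and any '%' it contains is copied verbatim into the output. */
int render_entry(char *out, size_t outsz, const char *name, long size)
{
    return snprintf(out, outsz, "%8ld  %s\n", size, name);
}

/* Defensive check a reviewer or log scanner can apply to any string that
 * is about to reach a printf-style function: count '%' conversion
 * directives.  "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample file names: one benign, one carrying directives. */
    const char *benign = "report.txt";
    const char *hostile = "%x%x%x%n.txt";
    char line[128];

    render_entry(line, sizeof line, benign, 1024);
    printf("%s", line);
    render_entry(line, sizeof line, hostile, 42);
    printf("%s", line);                 /* directives appear literally */
    printf("directives in '%s': %d\n", hostile,
           count_format_directives(hostile));
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` flags the unsafe form at build time, which is the cheapest place to catch this class of bug.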

nCipher Hardware Security Module Firmware Secrets Disclosure...
BugTraq ID: 9717
Remote: Yes
Date Published: Feb 23 2004
Relevant URL: http://www.securityfocus.com/bid/9717
Summary:
nCipher HSM (Hardware Security Module) is a software/appliance solution
for a security infrastructure.

nCipher HSM firmware has been reported prone to a vulnerability that may
provide for the disclosure of infrastructure and application keys. It has
been reported that an attacker who has the ability to invoke commands with
a vulnerable nCipher HSM may potentially exploit this vulnerability to
peruse the affected module's run-time memory and disclose sensitive keys.

Information disclosed by an attacker in this manner may then be used to
aid in further attacks launched against the affected system.

It has been reported that only some versions of the nCipher HSM firmware
are vulnerable to this issue. The commands needed to exploit the issue are
available in some of nCipher's 'nForce' series key-management HSMs and
were later made available only in the CodeSafe (SEE) procedures of the
'nShield' series of HSMs. These versions are only vulnerable if the
GeneralSEE feature set has been enabled.

[ firmware ]

LiveJournal CSS HTML Injection Vulnerability
BugTraq ID: 9727
Remote: Yes
Date Published: Feb 23 2004
Relevant URL: http://www.securityfocus.com/bid/9727
Summary:
LiveJournal is a freely available web-based personal journal application
distributed under the GNU Public License.  It is implemented using Perl
scripts and requires a MySQL database back end.

LiveJournal is reportedly prone to HTML injection via Cascading Style
Sheet (CSS) tags.  This issue is due to insufficient sanitization of
journal input supplied in CSS styles.  This may be exploited by creating a
malicious style sheet with embedded script code in the journal entry,
which also includes a reference to the style using the HTML CLASS
attribute.  In this manner, it is possible to inject hostile HTML and
script code into journal entries.

This could potentially be exploited to steal cookies from other site
users.  Other attacks are also possible.

Confirm E-Mail Header Remote Command Execution Vulnerability
BugTraq ID: 9728
Remote: Yes
Date Published: Feb 23 2004
Relevant URL: http://www.securityfocus.com/bid/9728
Summary:
Confirm is a Procmail script to prevent unsolicited e-mail using a
whitelist.

Confirm is prone to a remote command execution vulnerability.  The source
of the vulnerability is that Confirm does not sufficiently sanitize
malicious input before passing it through an external shell when invoking
other programs.  This issue is exposed when the script handles malicious
input such as shell metacharacters in e-mail headers.

Successful exploitation will allow for execution of shell commands in the
context of the user invoking the script.
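The difference between handing a header value to a shell and handing it to a program directly is the whole of this bug class. The example below is added here and is not Confirm's code (Confirm is a Procmail script; the example is in C so that it matches the other examples on this page); the helper program, function names and the sample header value are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Characters a Bourne-style shell interprets; any one of them inside a
 * header value makes a string-built command line unsafe. */
static const char SHELL_META[] = "|&;<>()$`\\\"'\t\n*?[]#~=%";

/* Defensive check: does this header value contain shell metacharacters?
 * Returns 1 if so, 0 if it is plain text. */
int has_shell_metachars(const char *value)
{
    return strpbrk(value, SHELL_META) != NULL;
}

/* Flawed pattern: the header is spliced into a command line that will be
 * handed to system()/popen(), so the shell sees and obeys anything after
 * a ';'.  This only builds the string; nothing here executes it. */
int build_command_unsafe(char *out, size_t outsz, const char *sender)
{
    return snprintf(out, outsz, "mail -s 'please confirm' %s", sender);
}

/* Hardened form: run the helper program directly with an argv array.  The
 * header value travels as a single argument, no shell parses it, and
 * metacharacters lose all meaning.  Returns the child's exit status, or
 * -1 if it could not be started or did not exit normally. */
int run_helper(const char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample header value carrying a shell metacharacter. */
    const char *sender = "bob@example.org; id";
    char cmd[256];
    build_command_unsafe(cmd, sizeof cmd, sender);
    printf("string-built command line: %s\n", cmd);
    printf("metacharacters present:    %s\n",
           has_shell_metachars(sender) ? "yes" : "no");
    /* Through execvp the whole value is one argument to echo, printed verbatim. */
    const char *const argv[] = { "echo", "confirm request from:", sender, NULL };
    return run_helper(argv) == 0 ? 0 : 1;
}
```

The metacharacter check is a deny-list and is only a secondary control: the fix is to stop routing header values through a shell at all, as `run_helper` does.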

Gigabyte Gn-B46B Wireless Router Authentication Bypass Vulne...
BugTraq ID: 9740
Remote: Yes
Date Published: Feb 24 2004
Relevant URL: http://www.securityfocus.com/bid/9740
Summary:
Gigabyte Gn-B46B is a wireless router appliance. The appliance provides a
web-based interface for router configuration; this interface is protected
with an authentication procedure.

Gigabyte Gn-B46B has been reported prone to an authentication bypass
vulnerability. It has been reported that an attacker may save the router's
HTML menu on a local machine; the attacker may then use this menu to
access and configure a reachable router without requiring prior
authentication.

An attacker may exploit this issue to disclose sensitive information, or
potentially to make configuration changes to the affected appliance.

[ firmware ]

Alcatel OmniSwitch 7000 Series Security Scan Denial Of Servi...
BugTraq ID: 9745
Remote: Yes
Date Published: Feb 25 2004
Relevant URL: http://www.securityfocus.com/bid/9745
Summary:
The Alcatel OmniSwitch 7000 series switches are multi-layer switching
appliances.

A vulnerability has been reported in the handling of specific types of
network traffic by OmniSwitch 7000 series systems. Because of this, an
attacker may be able to deny service to legitimate users of a vulnerable
switch.

The problem is in the handling of scans by third-party security software.
It has been reported that several services run by default on an affected
switch (Ports 80, 260, 261 and 443). When the affected services of
OmniSwitch 7000 series systems are scanned by third-party security
software, the switch firmware becomes unstable. As a result of such scans,
the switch reportedly reboots, impacting performance. In some
circumstances the attack may result in a denial of service to the switched
network.

An attacker may exploit this issue to deny network services to hosts on a
vulnerable switched network.

It should be noted that although the OmniSwitch 7000 series (7700, 7800)
switches have been reported prone to this vulnerability, other versions
including the OmniSwitch 8800 series might also be vulnerable.

[ firmware ]

MTools MFormat Privilege Escalation Vulnerability
BugTraq ID: 9746
Remote: No
Date Published: Feb 25 2004
Relevant URL: http://www.securityfocus.com/bid/9746
Summary:
Mtools is a collection of tools designed to allow users to access MS-DOS
formatted disks from Linux operating systems.  MFormat is a utility
designed to enable the addition of an MS-DOS filesystem to a low-level
formatted diskette. They are freely available under the GNU Public
License.

It has been reported that mformat is prone to an insecure file creation
vulnerability when installed as a setUID application.  This issue is due
to a design error allowing a user to create any arbitrary files with
permissions 0666 as the root user.

It has also been reported that the application retains root privileges
when reading local configuration files.

A local attacker could exploit this issue by forcing the creation of
sensitive system files that already exist.  When the application formats
the specified files, the target system file will be overwritten,
destroying sensitive system data.  Since the files are given permissions
0666 and are owned by root, the attacker may alter the overwritten system
configuration files, allowing for an escalation of privileges.
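Both the Synaesthesia entry above and this one describe a privileged program creating a file at a path the user controls: in one case root follows a symbolic link out of the home directory, in the other a setuid tool creates root-owned files with mode 0666. The example below is added for this summary and is not code from either project; it shows the flawed open() pattern beside a hardened form that drops the elevated effective ids, refuses symbolic links and existing files, and creates the file owner-only. Function names and the scratch directory used in main are constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Flawed pattern: create (or truncate) a user-named file while still
 * holding elevated privileges, with a world-writable mode.  open()
 * follows a symbolic link at 'path', so root clobbers whatever it
 * points at, and the result is writable by everyone. */
int create_config_unsafe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Hardened form: give up the elevated effective ids for good (a setuid
 * program that still needs root later would bracket only that step with
 * seteuid() instead), then create the file with O_NOFOLLOW so a symlink
 * is refused, O_EXCL so an existing file is never clobbered, and mode
 * 0600 so only the owner can read or write it.
 * Returns 0 on success, -1 (with errno set) on refusal or error. */
int create_config_safe(const char *path)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setregid(rgid, rgid) < 0 || setreuid(ruid, ruid) < 0)
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

int main(void)
{
    /* Constructed scratch directory; no privileges are needed to see the
     * difference between the two forms. */
    char dir[] = "/tmp/cfgdemoXXXXXX";
    if (mkdtemp(dir) == NULL) {
        perror("mkdtemp");
        return 1;
    }
    char link[256], target[256], fresh[256];
    snprintf(link, sizeof link, "%s/.config", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.config", dir);
    symlink(target, link);   /* the planted link described in the advisory */

    printf("unsafe open through symlink: %s\n",
           create_config_unsafe(link) == 0 ? "created target" : "failed");
    printf("safe open through symlink:   %s\n",
           create_config_safe(link) == 0 ? "created (BAD)" : "refused");
    printf("safe open of fresh path:     %s\n",
           create_config_safe(fresh) == 0 ? "created 0600" : "failed");
    return 0;
}
```

Run unprivileged, the unsafe form still demonstrates the link-following, which is why the check belongs in the program and not in an assumption about who runs it.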

Mozilla Browser Zombie Document Cross-Site Scripting Vulnera...
BugTraq ID: 9747
Remote: Yes
Date Published: Feb 25 2004
Relevant URL: http://www.securityfocus.com/bid/9747
Summary:
Mozilla is a freely available web browser designed for a number of
platforms, including Microsoft Windows and Linux.

Mozilla has been reported to be prone to a cross-site scripting
vulnerability.  This issue is due to a design error that allows event
handlers in a web document from one domain to be executed in the context
of another.

This issue is due to the browser allowing a new web page to interact with
a previously visited web page before the new page is completely loaded,
producing a 'zombie document'.  This allows any script events that are
activated within a certain time frame to be invoked in the context of the
new web page, and thus facilitates cross-site scripting attacks.

The problem surrounds the use of event handlers inside HTML tags.  Mozilla
does attempt to deactivate these; however, the deactivation can be bypassed.

This could permit a remote attacker to create a malicious web page that
includes hostile event handling script code. If this page were to redirect
to a target page when certain event handling code was activated, the
hostile code may be rendered in the web browser of the victim user. This
would occur in the security context of the new page and may allow for
theft of cookie-based authentication credentials or other attacks.

CalaCode @mail Webmail System Cross-Site Scripting Vulnerabi...
BugTraq ID: 9748
Remote: Yes
Date Published: Feb 26 2004
Relevant URL: http://www.securityfocus.com/bid/9748
Summary:
@mail Webmail System is a web based e-mail software package. It can be
installed with a SQL database or flat files.

A cross-site scripting vulnerability has been identified in the software
that may allow an attacker to execute HTML or script code in a user's
browser.

It has been reported that the @mail 'util.pl' script is prone to a
cross-site scripting vulnerability. The issue arises due to the script
failing to properly sanitize user-supplied information. The 'Displayed
Name' field is not properly sanitized of HTML tags. This could allow for
execution of hostile HTML and script code in the web client of a user who
visits a vulnerable web page. This would occur in the security context of
the site hosting the software.

Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.

It has been reported that this issue affects @mail version 3.64, however,
earlier versions may also be vulnerable.

[ licence? ]