[gull-annonces] Summary of SecurityFocus Newsletter #264

Marc SCHAEFER schaefer at alphanet.ch
Sat Sep 4 14:11:01 CEST 2004


KDE Konqueror Cookie Domain Validation Vulnerability
BugTraq ID: 10991
Remote: Yes
Date Published: Aug 21 2004
Relevant URL: http://www.securityfocus.com/bid/10991
Summary:
It is reported that Konqueror is susceptible to a vulnerability while
validating cookie domains, allowing web servers to receive potentially
sensitive cookie data not intended for them.

This vulnerability presents itself when Konqueror allows a web site to
set a cookie with domain restrictions containing certain
country-specific top-level domains.

Attackers may exploit this vulnerability to inject cookie data into
the domains of third party web servers. This may allow for denial of
service attacks against other web services, by injecting invalid or
conflicting cookie data. Other attacks are also likely possible,
depending on the design of targeted web services.

Further details are unknown at this time. This BID will be updated as
further information is disclosed.

Sympa New List HTML Injection Vulnerability
BugTraq ID: 10992
Remote: Yes
Date Published: Aug 21 2004
Relevant URL: http://www.securityfocus.com/bid/10992
Summary:
An HTML injection vulnerability is reported in Sympa. The problem
occurs due to a failure of the application to properly sanitize
user-supplied input data.

Unsuspecting users viewing the affected page will have
attacker-supplied malicious code interpreted by their browser in the
security context of the website hosting Sympa.

Attackers may potentially exploit this issue to manipulate web content
or to steal cookie-based authentication credentials. It may be
possible to take arbitrary actions as the victim user.

Versions 4.1, and all 4.1.x releases are reported vulnerable to this
issue.

Davenport XML Expansion Denial Of Service Vulnerability
BugTraq ID: 11001
Remote: Yes
Date Published: Aug 23 2004
Relevant URL: http://www.securityfocus.com/bid/11001
Summary:
Davenport is reportedly affected by a denial of service vulnerability
in its XML parsing functionality.  This issue is due to a failure of
the application to properly handle exceptional conditions.

Exploitation of this issue will allow an attacker to cause the
affected application to hang, denying service to legitimate users.

[ licence?  language?  when in doubt I leave it in ]

sredird Multiple Remote Vulnerabilities
BugTraq ID: 11002
Remote: Yes
Date Published: Aug 23 2004
Relevant URL: http://www.securityfocus.com/bid/11002
Summary:
sredird is reported prone to multiple vulnerabilities.  These issues
may allow a remote attacker to execute arbitrary code on a vulnerable
computer to gain unauthorized access.

The issues include a format string vulnerability and a remote buffer
overflow vulnerability.  Successful exploitation of these issues may
allow an attacker to gain unauthorized access to a vulnerable computer
in the context of the affected process.

sredird versions 2.2.1 and prior are reportedly affected by these
vulnerabilities.

This BID is now split into BIDs 11031 and 11033. This one will be
retired shortly.

[ serial port redirection over the network, RFC standard ]

FIDOGATE Logfile Path Input Validation Vulnerability
BugTraq ID: 11005
Remote: No
Date Published: Aug 23 2004
Relevant URL: http://www.securityfocus.com/bid/11005
Summary:
FIDOGATE is prone to an input validation error that may permit local
users to append to or create files with the privileges of the program.
The source of the problem is that the attacker may control the
location of the logfile.  Since the program is typically setuid
'news', this could be exploited to append to or create files in the
context of that user.

This issue would only affect versions of the software for UNIX/Linux
variants.

[ FTN gateway, I preferred ifgate at the time ]

musicd LOAD Command File Disclosure Vulnerability
BugTraq ID: 11006
Remote: Yes
Date Published: Aug 23 2004
Relevant URL: http://www.securityfocus.com/bid/11006
Summary:
musicd is reported prone to a remote file disclosure
vulnerability. The vulnerability presents itself due to a lack of
sufficient sanitization performed on Music daemon command arguments.

A remote attacker may exploit this vulnerability in order to disclose
the contents of files with the privilege of the Music daemon (musicd)
process.

It is reported that if a binary file is specified as an argument for
the affected command the attacker may cause the affected daemon to
crash.

imwheel Predictable Temporary File Creation Vulnerability
BugTraq ID: 11008
Remote: No
Date Published: Aug 23 2004
Relevant URL: http://www.securityfocus.com/bid/11008
Summary:
imwheel is reported prone to a predictable temporary file creation
vulnerability.  This issue is a race condition error and may allow a
local attacker to carry out denial of service attacks against other
users and possibly gain elevated privileges.

This vulnerability was identified in imwheel 1.0.0pre11, however,
other versions may be affected as well.

Axis Network Camera And Video Server Multiple Vulnerabilitie...
BugTraq ID: 11011
Remote: Yes
Date Published: Aug 23 2004
Relevant URL: http://www.securityfocus.com/bid/11011
Summary:
Multiple vulnerabilities are reported to exist in multiple Axis
network video and camera servers.

The first reported issue is a shell metacharacter command execution
vulnerability. This is reported to allow an anonymous user to download
the contents of the '/etc/passwd' file on the device. Other commands
are also likely to work, facilitating other attacks.

The first vulnerability is reported to affect:
   - Axis 2100, 2110, 2120, 2420 network cameras with firmware versions
     2.34 thru 2.40

   - Axis 2130 network cameras

   - Axis 2401, and 2401 video servers

The second vulnerability is a directory traversal vulnerability in
HTTP POST requests. This attack is demonstrated by an anonymous user
calling protected administration scripts. This allows remote
administration of the devices by anonymous users, bypassing
authentication checks.

The second vulnerability is reported to affect:
   - Axis 2100, 2110, 2120, 2420 network cameras with firmware versions 2.12
     thru 2.40
   - Axis 2130 network cameras
   - Axis 2401, and 2401 video servers

The third vulnerability is reported to be a hard-coded backdoor
administrative user. This allows remote attackers to administer
affected devices, and it likely cannot be disabled.

The third vulnerability is reported to affect:
   - Axis StorePoint CD E100 CD-ROM Server with firmware version 5.30

Other products and versions of firmware are likely affected by one or
more of these vulnerabilities.

[ firmware ]

Hitachi Job Management Partner 1 Multiple Remote Vulnerabili...
BugTraq ID: 11012
Remote: Yes
Date Published: Aug 23 2004
Relevant URL: http://www.securityfocus.com/bid/11012
Summary:
Reportedly Hitachi Job Management Partner 1 is affected by multiple
remote vulnerabilities.  These issues are likely due to a failure of
the application to handle exceptional conditions.

These issues include a denial of service vulnerability in the bundled
FTP server, allowing attackers to stop the affected server and deny
service to legitimate users.

The second issue is an unspecified vulnerability surrounding the login
authentication functionality of which the impact is currently unknown.

[ firmware ]

EnderUNIX Hafiye Remote Terminal Escape Sequence Filtering W...
BugTraq ID: 11014
Remote: Yes
Date Published: Aug 23 2004
Relevant URL: http://www.securityfocus.com/bid/11014
Summary:
EnderUNIX Hafiye is affected by a remote terminal escape sequence
weakness.  This issue is caused by a failure of the application to
properly sanitize user-supplied input.

An attacker might leverage this issue to inject terminal escape
sequences into data that will be displayed in a terminal window; if
the terminal is vulnerable to escape sequence issues, code execution is
possible.

[ EnderUNIX is a group of Turkish developers developing in C, C++
and Perl ]

Mozilla Network Security Services Library Remote Heap Overfl...
BugTraq ID: 11015
Remote: Yes
Date Published: Aug 23 2004
Relevant URL: http://www.securityfocus.com/bid/11015
Summary:
NSS is reported prone to a remote heap overflow vulnerability.  This
issue arises due to insufficient boundary checks performed by the
application.  Successful exploitation of this issue may result in
arbitrary code execution leading to an attacker gaining unauthorized
access to a vulnerable computer.

The NSS library is commonly used by Netscape Enterprise Server and Sun
One/iPlanet servers.  The SSLv2 protocol is not enabled by default on
these servers.  Other products may be affected as well.

PostgreSQL Debian GNU/Linux Specific Local Information Discl...
BugTraq ID: 11019
Remote: No
Date Published: Aug 23 2004
Relevant URL: http://www.securityfocus.com/bid/11019
Summary:
The version of PostgreSQL contained in Debian/GNU Linux is reported
susceptible to an information disclosure vulnerability. This issue is
due to improper file permissions in the default installation of the
PostgreSQL package.

This may aid attackers in further system compromise.

Versions up to, and including version 7.4.3-3 of the Debian package
for PostgreSQL are reported affected by this vulnerability.

Icecast Server Status Display Cross-Site Scripting Vulnerabi...
BugTraq ID: 11021
Remote: Yes
Date Published: Aug 24 2004
Relevant URL: http://www.securityfocus.com/bid/11021
Summary:
Reportedly Icecast Server is affected by a cross-site scripting
vulnerability in the status display functionality.  This issue is due
to a failure of the application to properly sanitize user-supplied
input.

As a result of this vulnerability, it is possible for a remote
attacker to create a malicious link containing script code that will
be executed in the browser of an unsuspecting user when followed. This
may facilitate the theft of cookie-based authentication credentials as
well as other attacks.

GNU a2ps File Name Command Execution Vulnerability
BugTraq ID: 11025
Remote: No
Date Published: Aug 24 2004
Relevant URL: http://www.securityfocus.com/bid/11025
Summary:
Reportedly GNU a2ps is affected by a file name command execution
vulnerability.  This issue is due to a failure of the application to
properly sanitize filenames.

This issue might be leveraged by an attacker to execute arbitrary
shell commands with the privileges of an unsuspecting user running the
vulnerable application.

Although this issue reportedly affects only a2ps version 4.13 it is
likely that other versions are affected as well.

OpenBSD Bridged Network ICMP Denial Of Service Vulnerability
BugTraq ID: 11044
Remote: Yes
Date Published: Aug 25 2004
Relevant URL: http://www.securityfocus.com/bid/11044
Summary:
The implementation of bridging in OpenBSD is reportedly susceptible to
a denial of service vulnerability.

This vulnerability presents itself when an OpenBSD host is configured
to bridge two or more networks. Additionally, the 'link2' flag must be
set on the bridging device. This flag is designed to transparently
join multiple networks via an IPSec VPN tunnel.

This vulnerability may allow an attacker to crash or reboot affected
computers, denying service to legitimate users.

A fix was applied in CVS to OpenBSD-current on 18 Aug 2004.

Network Everywhere NR041 Router DHCP Log HTML Injection Vuln...
BugTraq ID: 11046
Remote: Yes
Date Published: Aug 25 2004
Relevant URL: http://www.securityfocus.com/bid/11046
Summary:
It is reported that the Network Everywhere NR041 Router is susceptible
to an HTML injection vulnerability in its DHCP log.

An attacker can craft successive DHCP requests, which when viewed by
the administrator, will be combined to create longer strings of HTML
that are interpreted by the administrator's web browser.

The injected HTML can be used to cause the administrator to make
unintended changes to the configuration of the router. Other attacks
may be possible.

[ firmware ]

Cisco Secure Access Control Server Multiple Vulnerabilities
BugTraq ID: 11047
Remote: Yes
Date Published: Aug 25 2004
Relevant URL: http://www.securityfocus.com/bid/11047
Summary:
Cisco Secure Access Control Server and Secure Access Control Server
Solution Engine are reported prone to multiple vulnerabilities.  These
vulnerabilities may allow remote attackers to cause denial of service
conditions and gain unauthorized access to AAA clients and ACS
administration interface.

The following specific vulnerabilities were reported by the vendor:

A remote attacker can trigger a denial of service condition in ACS
Windows and ACS Solution Engine by establishing a large number of TCP
connections to the CSAdmin application.

Cisco Secure ACS is reported prone to another denial of service
vulnerability when handling Light Extensible Authentication Protocol
(LEAP) authentication requests.

Cisco Secure ACS is reported prone to an authentication bypass
vulnerability when configured to communicate to a Novell Directory
Services (NDS) database for authenticating NDS users.

Another vulnerability affecting ACS may allow remote attackers to gain
unauthenticated access to the administration interface of the service.

[ firmware ]

RealVNC Server Remote Denial of Service Vulnerability
BugTraq ID: 11048
Remote: Yes
Date Published: Aug 25 2004
Relevant URL: http://www.securityfocus.com/bid/11048
Summary:
RealVNC server is reported prone to a remote denial of service
vulnerability.  This issue presents itself when an attacker
establishes a large number of connections to the server.

This issue was reportedly tested on RealVNC 4.0 running on Microsoft
Windows 2000.

Top Layer Attack Mitigator IPS 5500 Denial Of Service Vulner...
BugTraq ID: 11049
Remote: Yes
Date Published: Aug 25 2004
Relevant URL: http://www.securityfocus.com/bid/11049
Summary:
The Attack Mitigator IPS 5500 is reportedly susceptible to a denial of
service vulnerability.

This vulnerability presents itself when the device is bombarded with a
very high volume of HTTP traffic.

The vendor reports that in certain configurations, it is possible for
the device's overload protection feature to incorrectly activate,
causing a denial of service condition. Once this condition has
occurred, the device is reportedly unable to process HTTP traffic.

The IPS 5500 with firmware versions prior to 3.11.014 are reported
susceptible to this vulnerability.

[ firmware ]

zlib Compression Library Denial Of Service Vulnerability
BugTraq ID: 11051
Remote: Yes
Date Published: Aug 25 2004
Relevant URL: http://www.securityfocus.com/bid/11051
Summary:
The zlib compression library is reportedly susceptible to a denial of
service vulnerability. This vulnerability is caused by a failure of
the application to properly handle malformed input during the
decompression process.

This vulnerability is reported to exist in version 1.2.1 of the
library. Other versions are also likely affected.

Linux Kernel Process Spawning Race Condition Environment Var...
BugTraq ID: 11052
Remote: No
Date Published: Aug 25 2004
Relevant URL: http://www.securityfocus.com/bid/11052
Summary:
The Linux Kernel is prone to a race condition that may potentially
expose information about the environment of a process.

The race condition is reported to occur while a process is spawning.
If the condition is successfully exploited, an attacker could read
environment variables associated with a process they do not own.

Samba Remote Print Change Notify Denial Of Service Vulnerabi...
BugTraq ID: 11055
Remote: Yes
Date Published: Aug 26 2004
Relevant URL: http://www.securityfocus.com/bid/11055
Summary:
Samba is reportedly vulnerable to a remote denial of service
vulnerability in the processing of print change notify requests.  This
issue is due to a failure of the application to handle out of sequence
requests.

An attacker might leverage this issue to cause the affected server to
crash, denying service to legitimate users.

Gaim Multiple Vulnerabilities
BugTraq ID: 11056
Remote: Yes
Date Published: Aug 26 2004
Relevant URL: http://www.securityfocus.com/bid/11056
Summary:
Gaim version 0.82 has been released.  This version addressed various
security vulnerabilities.

The following specific issues have been disclosed by the vendor:

Gaim is reported prone to a remote arbitrary command execution
vulnerability during the installation of a smiley theme.

The Gaim client is reported prone to a remote heap overflow
vulnerability when processing data from a groupware server.

A remote buffer overflow vulnerability exists in the URI parsing
utility.

A buffer overflow vulnerability arises when the application performs a
DNS query to obtain a hostname when signing on to zephyr.

Another buffer overflow presents itself when the application processes
Rich Text Format (RTF) messages.

A malicious server can trigger a buffer overflow vulnerability in Gaim
by supplying an excessive value for the 'content-length' header.

These issues affect Gaim versions prior to 0.82.  Some of these issues
may have been reported previously.  This BID will be updated and
divided into individual BIDs as more information becomes available.

Mozilla/Netscape/Firefox Browsers XPCOM Plug-In For Apple Ma...
BugTraq ID: 11059
Remote: Yes
Date Published: Aug 26 2004
Relevant URL: http://www.securityfocus.com/bid/11059
Summary:
Browsers based on the Gecko engine are reported prone to a content
spoofing vulnerability when they are running on the Apple Mac OS X
platform. It is reported that the vulnerability occurs when the
browser is configured to employ 'Tabbed Browsing' functionality.

In essence, an XPCOM plug-in that is invoked in one tab will be drawn
into the environment of alternate tabs that are open in the same
browser window.

This vulnerability may be exploited to spoof content and to aid in
phishing style attacks.

[ the software is free; but the vulnerable platform is not. ]

Cisco IOS Telnet Service Remote Denial of Service Vulnerabil...
BugTraq ID: 11060
Remote: Yes
Date Published: Aug 27 2004
Relevant URL: http://www.securityfocus.com/bid/11060
Summary:
Cisco IOS telnet service is reported prone to a remote denial of
service vulnerability.  It is reported that an attacker can trigger
this issue by sending a specially crafted TCP packet to a telnet or
reverse telnet port of a Cisco device running IOS.

All Cisco devices running IOS with a telnet or reverse telnet service
are affected by this issue.

[ firmware ]
