[gull-annonces] Summary of SecurityFocus Newsletter #288

Marc SCHAEFER schaefer at alphanet.ch
Sat Feb 26 17:57:03 CET 2005


WWWBoard Password Database Disclosure Vulnerability
BugTraq ID: 12453
Remote: Yes
Date Published: Feb 05 2005
Relevant URL: http://www.securityfocus.com/bid/12453
Summary:
WWWBoard does not sufficiently secure the password database file. This
issue is due to lack of access controls to prevent remote users from
requesting the database file. It is possible for remote attackers to
request the database file and gain access to sensitive information
such as encrypted administrative credentials for WWWBoard.

Mike Neuman OSH Command Line Argument Buffer Overflow Vulner...
BugTraq ID: 12455
Remote: No
Date Published: Feb 05 2005
Relevant URL: http://www.securityfocus.com/bid/12455
Summary:
A buffer overflow vulnerability is reported for osh when processing
superfluous command line arguments. The problem likely occurs due to
insufficient bounds checking when copying command line argument data
into an internal memory buffer.

This buffer overflow may be exploited to execute arbitrary code with
superuser privileges.

Linux Kernel ntfs_warning() and ntfs_error() Local Denial of...
BugTraq ID: 12460
Remote: No
Date Published: Feb 07 2005
Relevant URL: http://www.securityfocus.com/bid/12460
Summary:
Linux Kernel is reported prone to a local denial of service
vulnerability.

It is reported that this vulnerability exists in the 'ntfs_warning()'
and 'ntfs_error()' functions when compiled without debug.

Further details are not currently available.  This BID will be updated
when more information becomes available.

Linux Kernel 2.6.11-rc2 is reported vulnerable to this issue.  All 2.6
versions are likely vulnerable as well.

Multiple Web Browser International Domain Name Handling Site...
BugTraq ID: 12461
Remote: Yes
Date Published: Feb 07 2005
Relevant URL: http://www.securityfocus.com/bid/12461
Summary:
Multiple Web browsers are reported prone to vulnerabilities that
surround the handling of International Domain Names.

The vulnerabilities exist due to inconsistencies in how International
Domain Names are processed. Reports indicate that this inconsistency
can be leveraged to spoof address bar, status-bar, and SSL certificate
values.

These vulnerabilities may be exploited by a remote attacker to aid in
phishing style attacks. This may result in the voluntary disclosure of
sensitive information to a malicious website due to a false sense of
trust.

Although these vulnerabilities are reported to affect Web browsers,
mail clients that depend on the Web browser to generate HTML code may
also be affected.

[ the problem is, for example, that blabla.ch can be written as blabla.ch,
  with the "a" looking the same as the usual "a" but encoded differently
  via an unusual Unicode character set. Its DNS encoding (punycode, xn--)
  will therefore be different. That domain may have been certified
  independently and will therefore not trigger any warning from the web
  client.
  Work-around: disable international domain name support.
  REAL SOLUTION to this whole class of problems: consult the certificate
  details, check the name of the organisation the certificate was issued
  to *and verify the certificate fingerprint* by another channel: web of
  trust, telephone, mail, etc.
]
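The homograph case described in the note above, as an added example that is not part of the original post: two display-identical hostnames encode to different DNS wire forms, and a simple mixed-script check flags the look-alike label. The domain names are constructed samples, not real indicators.

```python
import unicodedata

# Constructed sample: SPOOF uses CYRILLIC SMALL LETTER A (U+0430) in place of
# the Latin "a" in the second position, exactly the trick described above.
LEGIT = "blabla.ch"
SPOOF = "bl\u0430bla.ch"


def wire_form(domain: str) -> str:
    """DNS wire form of a hostname: each non-ASCII label becomes an xn-- punycode label."""
    return domain.encode("idna").decode("ascii")


def letter_scripts(label: str) -> set:
    """Approximate the Unicode script of each letter from its character name
    ('LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def homograph_risk(domain: str) -> dict:
    """Findings a defender can log or alert on for a hostname seen in a URL,
    a certificate subject, or a proxy log: whether it is an IDN at all, and
    which labels mix scripts (a strong homograph signal)."""
    findings = {
        "domain": domain,
        "wire": wire_form(domain),
        "idn": any(ord(c) > 127 for c in domain),
        "mixed_script_labels": [],
    }
    for label in domain.split("."):
        if len(letter_scripts(label)) > 1:
            findings["mixed_script_labels"].append(label)
    return findings


if __name__ == "__main__":
    for name in (LEGIT, SPOOF):
        print(homograph_risk(name))
```

The two names compare unequal as strings and as wire forms even though a browser renders them identically, which is why the note recommends checking the certificate's subject and fingerprint rather than trusting the address bar.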

Emacs Movemail POP3 Remote Format String Vulnerability
BugTraq ID: 12462
Remote: Yes
Date Published: Feb 07 2005
Relevant URL: http://www.securityfocus.com/bid/12462
Summary:
The movemail utility of Emacs is reported prone to a remote format
string vulnerability.  This issue arises because the application fails
to sanitize user-supplied data prior to passing it as the format
specifier to a formatted printing function.

A remote attacker may leverage this issue to write to arbitrary
process memory, facilitating code execution. Any code execution would
take place with setgid mail privileges.

3Com 3CServer Multiple Remote Buffer Overflow Vulnerabilitie...
BugTraq ID: 12463
Remote: Yes
Date Published: Feb 07 2005
Relevant URL: http://www.securityfocus.com/bid/12463
Summary:
Multiple remote buffer overflow vulnerabilities affect 3Com 3CServer.
These issues are due to a failure of the application to securely copy
user-supplied input into process buffers.

An attacker may leverage this issue to execute arbitrary code on an
affected computer with SYSTEM privileges.  This may facilitate
unauthorized access or privilege escalation.

[ firmware ]

Mozilla Mozilla/Firefox Cross-Domain Tab Window Script Execu...
BugTraq ID: 12465
Remote: Yes
Date Published: Feb 07 2005
Relevant URL: http://www.securityfocus.com/bid/12465
Summary:
Mozilla Mozilla/Firefox are reported prone to a cross-domain script
execution vulnerability.  The issue is reported to exist because the
browsers fail to prevent JavaScript that originates from one tab from
accessing properties of a site contained in another tab.  Typically,
the Javascript security manager prevents a 'javascript:' URI from one
domain to be opened in the context of a site from another window,
however tabbed browsing can be used to bypass this security
restriction.

This issue is reported to affect Firefox 1.0, however, it is possible
that other versions are affected as well.  Mozilla 1.7.5 was also
reported vulnerable.

Mozilla Firefox About Configuration Hidden Frame Remote Conf...
BugTraq ID: 12466
Remote: Yes
Date Published: Feb 07 2005
Relevant URL: http://www.securityfocus.com/bid/12466
Summary:
A remote configuration manipulation vulnerability affects Mozilla
Firefox.  This issue is due to a failure of the application to
properly secure sensitive configuration scripts from being activated
by remote attackers.

An attacker may leverage this issue to alter an unsuspecting user's
configuration settings; this may lead to a false sense of security as
sensitive settings may be manipulated without the user's knowledge.

Mozilla Firefox Drag And Drop Security Policy Bypass Vulnera...
BugTraq ID: 12468
Remote: Yes
Date Published: Feb 07 2005
Relevant URL: http://www.securityfocus.com/bid/12468
Summary:
Mozilla Firefox is reported prone to a security vulnerability that
could allow a malicious website to bypass drag-and-drop functionality
security policies.

It is demonstrated that it is possible to exploit this vulnerability
with an image that renders correctly in the Firefox browser but that,
when dragged and dropped onto the local file system, will be saved
with a '.bat' file extension.

Because the batch file interpreter on Microsoft Windows is
particularly lenient when it comes to syntax, batch commands appended
to the image file will be executed if the image that was dragged and
dropped is invoked.

Update: Netscape 7.2 is reported vulnerable to this issue as well.  It
is possible that other versions may also be affected.

Multiple Mozilla Browser enable.IDN Setting Weakness
BugTraq ID: 12470
Remote: Yes
Date Published: Feb 07 2005
Relevant URL: http://www.securityfocus.com/bid/12470
Summary:
Mozilla, Firefox, and Camino browsers contain a weakness in certain
configuration settings.  When the International Domain Name (IDN)
setting is disabled in the Web browser, the setting is not retained
after the browser is closed and started again.  The browser
configuration will still show the setting as being disabled.

This weakness could lead to a false sense of security if it is used as
a workaround for BID 12461.

PerlDesk SQL Injection Vulnerability
BugTraq ID: 12471
Remote: Yes
Date Published: Feb 07 2005
Relevant URL: http://www.securityfocus.com/bid/12471
Summary:
PerlDesk is reportedly affected by an SQL injection vulnerability.
This issue is due to the application failing to properly sanitize
user-supplied input before using it in an SQL query.

Successful exploitation could result in a compromise of the
application, disclosure or modification of data or may permit an
attacker to exploit vulnerabilities in the underlying database
implementation.

Frox Access Control List Bypass Vulnerability
BugTraq ID: 12493
Remote: Yes
Date Published: Feb 08 2005
Relevant URL: http://www.securityfocus.com/bid/12493
Summary:
It is reported that an ACL bypass vulnerability exists in frox because
frox fails to parse 'Deny' ACL entries correctly.

This may lead to a false sense of security because ftp clients may use
the frox proxy to access services that a network administrator
intended to block.

This vulnerability is reported to exist in frox versions 0.7.16 and
0.7.17.

[ FTP proxy ]

Ulrik Petersen Emdros Database Engine MQL Parsing Denial Of ...
BugTraq ID: 12498
Remote: Yes
Date Published: Feb 09 2005
Relevant URL: http://www.securityfocus.com/bid/12498
Summary:
A denial of service vulnerability affects Emdros.  This issue is due
to a failure of the application to properly manage memory.

Apparently this issue is distinct from that reported in BID 11143
(Ulrik Petersen Emdros Database Engine Denial Of Service
Vulnerability).  It should also be noted that if the affected
application is run as a daemon, a remote attacker could exploit this
issue.

An attacker may leverage this issue to cause the affected application
to crash, denying service to legitimate users.

[ text database engine for annotated or analyzed text ]

XView Multiple Unspecified Local Buffer Overflow Vulnerabili...
BugTraq ID: 12500
Remote: No
Date Published: Feb 09 2005
Relevant URL: http://www.securityfocus.com/bid/12500
Summary:
It is reported that a number of unspecified buffer overflow
vulnerabilities exist in the xview library. These issues could allow a
local user to execute arbitrary code via linked executables that are
installed with setuid privileges.

Debian has identified these issues in xview-3.2p1.4.  Other versions
affecting various platforms may be vulnerable as well.

GNU Mailman Remote Directory Traversal Vulnerability
BugTraq ID: 12504
Remote: Yes
Date Published: Feb 09 2005
Relevant URL: http://www.securityfocus.com/bid/12504
Summary:
Mailman, when hosted on a web server that does not strip extra slashes
from URLs (i.e. Apache 1.3.x), is reported prone to a remote directory
traversal vulnerability.

The remote attacker may exploit this vulnerability to disclose the
contents of web server readable files. Symantec has received reports
of the username and password databases of public mailing lists being
compromised through the exploitation of this vulnerability.

Information that is harvested by leveraging this vulnerability may be
used to aid in further attacks against a target computer or victim
user.

Conexant AccessRunner DSL Console Default Backdoor Account V...
BugTraq ID: 12507
Remote: Yes
Date Published: Feb 09 2005
Relevant URL: http://www.securityfocus.com/bid/12507
Summary:
It has been reported that Conexant AccessRunner DSL Console software
has built-in administrative access that cannot be disabled.

This vulnerability reportedly allows remote attackers to reset the
router to default settings, denying legitimate users network
access. Other attacks are also likely possible.

It is unknown at this time if remote attackers can access the
administrative interface via the WAN interface of affected devices.

Mentor MR4C/UK devices are reported susceptible to this
vulnerability. Due to code reuse across products, it is likely that
other devices are also affected.

[ firmware ]

Yongguang Zhang hztty Local Arbitrary Command Execution Vuln...
BugTraq ID: 12518
Remote: No
Date Published: Feb 10 2005
Relevant URL: http://www.securityfocus.com/bid/12518
Summary:
A local, arbitrary command execution vulnerability affects Yongguang
Zhang hztty.  The underlying cause of this issue is currently
unknown. This BID will be updated as more information is released.

An attacker may leverage this issue to execute arbitrary commands with
the privileges of the 'utmp' group, potentially facilitating privilege
escalation.

Apache mod_python Module Publisher Handler Information Discl...
BugTraq ID: 12519
Remote: Yes
Date Published: Feb 10 2005
Relevant URL: http://www.securityfocus.com/bid/12519
Summary:
The mod_python module publisher handler is prone to a remote
information disclosure vulnerability.  This issue may allow remote
unauthorized attackers to gain access to sensitive objects.

Information disclosed through the exploitation of this issue may aid
in launching further attacks against an affected server.

All versions of mod_python are considered vulnerable at the moment.

xpcd Local Buffer Overflow Vulnerability
BugTraq ID: 12523
Remote: No
Date Published: Feb 11 2005
Relevant URL: http://www.securityfocus.com/bid/12523
Summary:
A local buffer overflow vulnerability affects xpcd pcdsvgaview.  This
issue is due to a failure of the application to securely copy
user-supplied input into finite process buffers.

An attacker may leverage this issue to execute arbitrary code with
superuser privileges.

Netkit rwho Packet Size Denial Of Service Vulnerability
BugTraq ID: 12524
Remote: Yes
Date Published: Feb 11 2005
Relevant URL: http://www.securityfocus.com/bid/12524
Summary:
The Netkit rwho daemon is prone to a denial of service vulnerability.
This condition occurs when the server processes packets with malformed
sizes.

The vulnerability is only reported to affect the software running on
little endian platforms.

It is not known if this condition is due to a boundary condition error
or if it may further be leveraged to execute arbitrary code.

KDE Library dcopidling Insecure Temporary File Creation Vuln...
BugTraq ID: 12525
Remote: No
Date Published: Feb 11 2005
Relevant URL: http://www.securityfocus.com/bid/12525
Summary:
A local insecure file creation vulnerability affects KDE Library
'dcopidling'.  This issue is due to a failure of the application to
validate the existence of a file prior to writing to it.

An attacker may leverage this issue to corrupt arbitrary files with
the privileges of a user that activates an application that implements
the affected script.

OpenPGP Cipher Feedback Mode Chosen-Ciphertext Partial Plain...
BugTraq ID: 12529
Remote: Yes
Date Published: Feb 11 2005
Relevant URL: http://www.securityfocus.com/bid/12529
Summary:
OpenPGP is reported prone to a vulnerability that may theoretically
allow attackers to retrieve partial plaintexts from encrypted OpenPGP
messages.

It is reported that a proof of concept chosen-ciphertext attack method
has been developed that exploits a flaw in OpenPGP to retrieve partial
plaintexts from OpenPGP messages encrypted with symmetric encryption.
Apparently when messages are encrypted with the CFB mode, a design
flaw in an integrity check feature can be exploited.

The attack is also limited in the amount of information that can be
disclosed from an encrypted message.  Apparently, only partial
disclosure of a message is possible.

The OpenPGP standard is reported vulnerable to this issue.  It is not
known whether PGP or GNU Privacy Guard or other implementations are
vulnerable.  This BID will be updated when more information becomes
available.

Gentoo Portage-Built Webmin Binary Package Build Host Root P...
BugTraq ID: 12532
Remote: Yes
Date Published: Feb 11 2005
Relevant URL: http://www.securityfocus.com/bid/12532
Summary:
It is reported that the Gentoo Portage-built Webmin binary package
discloses the build host's root password to remote users.

Any users who build the affected Webmin binary and share it with other
users are at a risk of compromise.

Gentoo app-admin/webmin packages prior to 1.170-r3 are vulnerable to
this issue.
