[gull-annonces] Summary of SecurityFocus Newsletter #314-318

Marc SCHAEFER schaefer at alphanet.ch
Wed Oct 5 23:29:23 CEST 2005


SqWebMail HTML Email IMG Tag Script Injection Vulnerability
BugTraq ID: 14676, 14744
Remote: Yes
Date Published: 2005-08-29, 2005-09-06
Relevant URL: http://www.securityfocus.com/bid/14676, http://www.securityfocus.com/bid/14744
Summary:
SqWebMail is affected by a vulnerability that may allow remote attackers to 
inject and execute arbitrary script code in a user's browser via an IMG tag 
in an HTML e-mail. This may allow for various attacks including session 
hijacking due to the theft of user credentials.

SqWebMail 5.0.4 is reportedly vulnerable to this issue.  It is possible that 
other versions are affected as well.

maildrop lockmail Local Privilege Escalation Vulnerability
BugTraq ID: 14696
Remote: No
Date Published: 2005-08-30
Relevant URL: http://www.securityfocus.com/bid/14696
Summary:
lockmail is affected by a local privilege escalation vulnerability.

A local attacker can execute arbitrary commands with group mail privileges.

maildrop 1.5.3 is affected by this issue.  Other versions may be vulnerable 
as well.

FreeStyle Wiki Arbitrary Perl Command Execution Vulnerability
BugTraq ID: 14698
Remote: Yes
Date Published: 2005-08-30
Relevant URL: http://www.securityfocus.com/bid/14698
Summary:
FreeStyle Wiki is prone to an arbitrary command execution vulnerability.  
This issue is due to a failure in the application to properly sanitize 
user-supplied input.

An attacker can exploit this vulnerability to execute arbitrary Perl 
commands in the context of the affected application.

3Com Network Supervisor Directory Traversal Vulnerability
BugTraq ID: 14715
Remote: Yes
Date Published: 2005-09-01
Relevant URL: http://www.securityfocus.com/bid/14715
Summary:
Network Supervisor is prone to a directory traversal vulnerability.

The application fails to properly sanitize input supplied through HTTP GET 
requests.

Exploitation of this vulnerability could lead to a loss of confidentiality 
as arbitrary files are disclosed to an attacker.  It should be noted that 
all files on the affected drive can be disclosed by a successful attack.

Linux Kernel SCSI ProcFS Denial Of Service Vulnerability
BugTraq ID: 14790
Remote: No
Date Published: 2005-09-09
Relevant URL: http://www.securityfocus.com/bid/14790
Summary:
The Linux kernel is prone to a denial of service vulnerability.  The kernel 
is affected by a memory leak which eventually can result in a denial of 
service.

A local attacker can exploit this vulnerability by making repeated reads to 
the '/proc/scsi/sg/devices' file and exhaust kernel memory, resulting in a 
denial of service.

Linux Kernel Netfilter Ipt_recent Remote Denial of Service Vulnerability
BugTraq ID: 14791
Remote: Yes
Date Published: 2005-09-09
Relevant URL: http://www.securityfocus.com/bid/14791
Summary:
Linux Kernel is reported prone to a remote denial of service vulnerability.

An attacker can exploit this issue by sending specially crafted packets to a 
vulnerable computer employing the 'ipt_recent' module.

A successful attack can cause a denial of service condition.

Linux Kernel EXT2/EXT3 File System Access Control Bypass Vulnerability
BugTraq ID: 14793
Remote: No
Date Published: 2005-09-09
Relevant URL: http://www.securityfocus.com/bid/14793
Summary:
Linux Kernel is prone to an access control bypass vulnerability when using 
the EXT2/EXT3 file systems.

Successful attacks may involve data corruption and modification, information 
disclosure, and execution of arbitrary code.

Linux Kernel ZLib Local Null Pointer Dereference Denial of Service 
Vulnerability
BugTraq ID: 14720
Remote: No
Date Published: 2005-09-01
Relevant URL: http://www.securityfocus.com/bid/14720
Summary:
The Linux kernel is prone to a denial of service vulnerability.  This issue 
is due to a failure in the kernel's zlib code to properly handle malformed 
compressed data.

An attacker can exploit this vulnerability to cause a kernel crash, 
effectively denying service to legitimate users.

Linux Kernel USB Subsystem Local Denial Of Service Vulnerability
BugTraq ID: 14955
Remote: No
Date Published: 2005-09-27
Relevant URL: http://www.securityfocus.com/bid/14955
Summary:
A local denial of service vulnerability affects the USB subsystem of the 
Linux kernel. This issue is due to a failure of the kernel to properly 
handle unexpected conditions when attempting to handle URBs (USB Request 
Blocks).

This vulnerability may be exploited by local users to trigger a kernel 
'Oops' on computers where the vulnerable USB subsystem is enabled. This may 
be used to deny service to legitimate users.

Linux Kernel sendmsg() Local Buffer Overflow Vulnerability
BugTraq ID: 14785
Remote: No
Date Published: 2005-09-09
Relevant URL: http://www.securityfocus.com/bid/14785
Summary:
Linux kernel is prone to a local buffer overflow vulnerability.

The vulnerability affects 'sendmsg()' when malformed user-supplied data is 
copied from userland to kernel memory.

A successful attack can allow a local attacker to trigger an overflow, which 
may lead to a denial of service condition due to memory corruption. 
Arbitrary code execution resulting in privilege escalation is possible as 
well.

Linux Kernel raw_sendmsg() Kernel Memory Access Vulnerability
BugTraq ID: 14787
Remote: No
Date Published: 2005-09-09
Relevant URL: http://www.securityfocus.com/bid/14787
Summary:
Linux Kernel is prone to a kernel memory access vulnerability.

This issue affecting the 'raw_sendmsg()' function can allow a local attacker 
to disclose kernel memory or manipulate the hardware state due to 
unauthorized access to IO ports.

Linux kernel 2.6.10 is reportedly vulnerable, however, other versions are 
likely to be affected as well.

Linux Kernel 64-Bit SMP routing_ioctl() Local Denial of Service 
Vulnerability
BugTraq ID: 14902
Remote: No
Date Published: 2005-09-22
Relevant URL: http://www.securityfocus.com/bid/14902
Summary:
A local denial of service vulnerability affects the Linux kernel on 64-bit 
Symmetric Multi-Processor (SMP) platforms.

Specifically, the vulnerability presents itself due to an omitted call to 
the 'sockfd_put()' function in the 32-bit compatible 'routing_ioctl()' 
function.

The 32-bit compatible 'tiocgdev ioctl()' function on x86-64 platforms is 
affected by this issue as well. 

Apache mod_ssl SSLVerifyClient Restriction Bypass Vulnerability
BugTraq ID: 14721
Remote: Yes
Date Published: 2005-09-01
Relevant URL: http://www.securityfocus.com/bid/14721
Summary:
Apache 2.x mod_ssl is prone to a restriction bypass vulnerability. This 
issue presents itself when mod_ssl is configured to be used with the 
'SSLVerifyClient' directive.

This issue allows attackers to bypass security policies to gain access to 
locations that are configured to be forbidden for clients without a valid 
client certificate.

apachetop Insecure Temporary File Creation Vulnerability
BugTraq ID: 14982
Remote: No
Date Published: 2005-09-30
Relevant URL: http://www.securityfocus.com/bid/14982
Summary:
apachetop creates temporary files in an insecure manner. This may allow a 
local attacker to perform symbolic link attacks.

Successful exploitation may result in sensitive data or configuration files 
being overwritten.  This may result in a denial of service; other attacks 
may also be possible.

OpenSSH DynamicForward Inadvertent GatewayPorts Activation Vulnerability
BugTraq ID: 14727
Remote: Yes
Date Published: 2005-09-01
Relevant URL: http://www.securityfocus.com/bid/14727
Summary:
OpenSSH is susceptible to a vulnerability that causes improper activation of 
the 'GatewayPorts' option, allowing unintended hosts to utilize the SSH 
SOCKS proxy.

Specifically, if the 'DynamicForward' option is activated, 'GatewayPorts' is 
also unconditionally enabled.

This vulnerability allows remote attackers to utilize the SOCKS proxy to 
make arbitrary TCP connections through the configured SSH session, allowing 
them to attack computers and services through a connection that was 
inappropriately thought to be secure.

This issue affects OpenSSH 4.0, and 4.1.

OpenSSH GSSAPI Credential Disclosure Vulnerability
BugTraq ID: 14729
Remote: Yes
Date Published: 2005-09-01
Relevant URL: http://www.securityfocus.com/bid/14729
Summary:
OpenSSH is susceptible to a GSSAPI credential delegation vulnerability.

Specifically, if a user has GSSAPI authentication configured, and 
'GSSAPIDelegateCredentials' is enabled, their Kerberos credentials will be 
forwarded to remote hosts. This occurs even when the user uses 
authentication methods other than GSSAPI to connect, which is not what is 
usually expected.

This vulnerability allows remote attackers to improperly gain access to 
GSSAPI credentials, allowing them to utilize the credentials to access 
resources granted to the original principal.

This issue affects versions of OpenSSH prior to 4.2.

FileZilla FTP Client Hard-Coded Cipher Key Vulnerability
BugTraq ID: 14730
Remote: No
Date Published: 2005-09-02
Relevant URL: http://www.securityfocus.com/bid/14730
Summary:
FileZilla FTP client may allow local attackers to obtain user passwords and 
access remote servers.

The application uses a hard-coded cipher key to decrypt the password, which 
is stored in an XML file or the Windows Registry.

This can allow the attacker to gain access to an FTP server with the 
privileges of the victim.

Squid Proxy SSLConnectTimeout Remote Denial Of Service Vulnerability
BugTraq ID: 14731
Remote: Yes
Date Published: 2005-09-01
Relevant URL: http://www.securityfocus.com/bid/14731
Summary:
A remote denial of service vulnerability affects the Squid Proxy. This issue 
is due to a failure of the application to properly handle exceptional 
network requests.

A remote attacker may leverage this issue to crash the affected Squid Proxy, 
denying service to legitimate users.

Plain Black Software WebGUI Remote Perl Command Execution Vulnerabilities
BugTraq ID: 14732
Remote: Yes
Date Published: 2005-09-01
Relevant URL: http://www.securityfocus.com/bid/14732
Summary:
WebGUI may be exploited to execute arbitrary Perl commands. This issue 
presents itself due to insufficient sanitization of user-supplied data.

Remote attackers may execute arbitrary Perl commands in the context of the 
Web server hosting the vulnerable application. This can facilitate 
unauthorized remote access.

Versions of WebGUI prior to 6.7.3 are vulnerable.

[ Perl CMS ]

rdiff-backup Directory Access Restriction Bypass Vulnerability
BugTraq ID: 14804
Remote: Yes
Date Published: 2005-09-12
Relevant URL: http://www.securityfocus.com/bid/14804
Summary:
rdiff-backup is affected by a directory access restriction bypass 
vulnerability.

A successful attack can allow an attacker to obtain directory listings and 
write files outside the restricted path.

rdiff-backup 1.0 and prior versions are vulnerable to this issue.

KAudioCreator CDDB Arbitrary File Overwrite Vulnerability
BugTraq ID: 14805
Remote: Yes
Date Published: 2005-09-12
Relevant URL: http://www.securityfocus.com/bid/14805
Summary:
KAudioCreator is prone to an arbitrary file overwrite vulnerability.  This 
issue is due to a failure in the application to properly sanitize 
user-supplied input.

An attacker can exploit this vulnerability to overwrite arbitrary files in 
the security context of the user running the vulnerable application.

XFree86 pixmap Allocation Local Privilege Escalation Vulnerability
BugTraq ID: 14807
Remote: No
Date Published: 2005-09-12
Relevant URL: http://www.securityfocus.com/bid/14807
Summary:
XFree86 is prone to a buffer overrun in its pixmap processing code.

This issue can potentially result in arbitrary code execution and facilitate 
privilege escalation.  It is possible that an attacker may gain superuser 
privileges by exploiting this issue.

SMC SMC7904WBRA Wireless Router Remote Denial Of Service Vulnerability
BugTraq ID: 14809
Remote: Yes
Date Published: 2005-09-12
Relevant URL: http://www.securityfocus.com/bid/14809
Summary:
A remote denial of service vulnerability affects the SMC SMC7904WBRA 
Wireless Router. This issue is due to a failure of the application to handle 
anomalous network traffic.

The problem is reported to present itself when copious amounts of network 
traffic are targeted at the router. Apparently the router fails to handle 
the network traffic and reboots. Further information is not available, 
however this BID will be updated when more details are released.

An attacker may leverage this issue to cause the affected router to crash, 
denying service to legitimate users.

Due to code reuse among devices, other products are also likely affected.

[ firmware ]

snort PrintTcpOptions Remote Denial Of Service Vulnerability
BugTraq ID: 14811
Remote: Yes
Date Published: 2005-09-12
Relevant URL: http://www.securityfocus.com/bid/14811
Summary:
snort is reported prone to a remote denial of service vulnerability. The 
vulnerability is reported to exist in the 'PrintTcpOptions()' function of 
'log.c', and is a result of a failure to sufficiently handle malicious TCP 
packets.

A remote attacker may trigger this vulnerability to crash a remote snort 
server and in doing so may prevent subsequent malicious attacks from being 
detected.

It should be noted that the vulnerable code path is only executed when snort 
is run with the '-v' (verbose) flag. Due to the performance penalty of 
running the snort application in verbose mode, it is likely that most 
production installations of the application are not vulnerable to this issue.

Update: Further messages have stated that other paths to the vulnerable code 
may be possible. Using the 'frag3' preprocessor, ASCII mode logging, the '-A 
fast' command-line option, and possibly other options may expose Snort to 
this vulnerability. Please see the referenced messages for further 
information.

Mark D. Roth pam_per_user Authentication Bypass Vulnerability
BugTraq ID: 14813
Remote: Yes
Date Published: 2005-09-12
Relevant URL: http://www.securityfocus.com/bid/14813
Summary:
pam_per_user is prone to an authentication bypass vulnerability. This issue 
is due to a design error in the module.

Successful exploitation could allow an unauthorized user to bypass 
authentication, allowing them to gain administrative access to affected 
computers.

It should be noted that only certain executables that utilize PAM are 
vulnerable to this issue, due to the method of calling it. The 'login' 
program is identified as one program that may be exploited, but other 
programs may also be exploitable in conjunction with this module.

This vulnerability affects pam_per_user versions prior to 0.4.

util-linux umount Remounting Filesystem Option Clearing Vulnerability
BugTraq ID: 14816
Remote: No
Date Published: 2005-09-12
Relevant URL: http://www.securityfocus.com/bid/14816
Summary:
util-linux is susceptible to a filesystem option clearing vulnerability. 
This issue is due to a design flaw in 'umount': when it remounts a 
filesystem, previously set mount options are improperly cleared in certain 
circumstances.

This vulnerability allows local attackers to clear mount options such as 
'nosuid', allowing them to execute setuid applications from a filesystem 
where that should be denied and so gain elevated privileges. Other attacks 
are also possible.

Linksys WRT54G Wireless Router Multiple Remote Vulnerabilities
BugTraq ID: 14822
Remote: Yes
Date Published: 2005-09-13
Relevant URL: http://www.securityfocus.com/bid/14822
Summary:
Multiple vulnerabilities have been identified in Linksys WRT54G routers. 
These issues all require that an attacker have access to either the 
wireless or internal LAN network segments of the affected device. 
Exploitation from the WAN interface is only possible if the affected device 
has remote management enabled.

These issues allow attackers to:
- Download and replace the configuration of affected routers.
- Execute arbitrary machine code in the context of the affected device.
- Utilize HTTP POST requests to upload router configuration and firmware 
files without proper authentication.
- Degrade the performance of affected devices and cause the Web server to 
become unresponsive, potentially denying service to legitimate users.

[ firmware, aka GNU/Linux ]

common-lisp-controller Cache Arbitrary Code Injection Vulnerability
BugTraq ID: 14829
Remote: No
Date Published: 2005-09-14
Relevant URL: http://www.securityfocus.com/bid/14829
Summary:
common-lisp-controller is prone to an arbitrary code injection vulnerability.

Successful exploitation may facilitate privilege escalation; other attacks 
are also possible.

TWiki TWikiUsers Remote Arbitrary Command Execution Vulnerability
BugTraq ID: 14834
Remote: Yes
Date Published: 2005-09-14
Relevant URL: http://www.securityfocus.com/bid/14834
Summary:
A remote command execution vulnerability affects the application.

The revision control function of the TWikiUsers script uses the backtick 
shell metacharacter to construct a command line.  An attacker may use a 
specially crafted URI to execute arbitrary commands through the shell. 
This attack would occur in the context of the vulnerable application and can 
facilitate unauthorized remote access.

TWiki TWikiUsers INCLUDE Function Remote Arbitrary Command Execution 
Vulnerability
BugTraq ID: 14960
Remote: Yes
Date Published: 2005-09-28
Relevant URL: http://www.securityfocus.com/bid/14960
Summary:
A remote command execution vulnerability affects the application.

The 'INCLUDE' function, like the TWikiUsers revision control code in BID 
14834, builds a command line with the backtick shell metacharacter from data 
taken from the request.  An attacker may use a specially crafted URI to 
execute arbitrary commands through the shell. This attack would occur in the 
context of the vulnerable application and can facilitate unauthorized remote 
access.
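
The shape of both TWiki issues (a request parameter interpolated into a 
backtick command line) is the same as the FreeStyle Wiki and WebGUI entries 
above. The following is an added example, not TWiki code: a constructed 
stand-in where 'echo' plays the role of the revision-control tool, so the 
block runs anywhere, and the 'rev' parameter shape is an assumption.

```python
import re
import subprocess

# Added, constructed example (not TWiki's code). `echo` stands in for the
# revision-control tool the real script runs; `rev` models the ?rev= URI
# parameter.


def vulnerable_history(rev):
    """Interpolates the URI parameter into a shell command line, as Perl's
    `...` does: the shell interprets any metacharacters in rev."""
    cmd = "echo revision %s" % rev
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_without_validation(rev):
    """argv form alone: no shell parses rev, so the injected command does not
    run, but arbitrary text still reaches the tool as an argument."""
    return subprocess.run(["echo", "revision", rev], capture_output=True, text=True).stdout


# Only shape a revision identifier may take (assumption: RCS-style "1.2").
REV_RE = re.compile(r"^[0-9]+\.[0-9]+$")


def safe_history(rev):
    """Allow-list the value first, then pass it as one argv element."""
    if not REV_RE.match(rev):
        raise ValueError("bad revision %r" % rev)
    return subprocess.run(["echo", "revision", rev], capture_output=True, text=True).stdout


def safe_history_or_none(rev):
    try:
        return safe_history(rev)
    except ValueError:
        return None


# Constructed hostile parameter: closes the intended command, starts another.
PAYLOAD = "1.2; echo INJECTED"


if __name__ == "__main__":
    print(vulnerable_history(PAYLOAD), end="")       # two lines, second is INJECTED
    print(argv_without_validation(PAYLOAD), end="")  # one literal line
    print(safe_history_or_none(PAYLOAD))             # None: rejected
```

The argv-only variant is shown deliberately: it stops the shell injection but 
still lets junk into the tool's arguments, which is why the validated version 
is the one to copy.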

GTKDiskFree Insecure Temporary File Creation Vulnerability
BugTraq ID: 14849
Remote: No
Date Published: 2005-09-15
Relevant URL: http://www.securityfocus.com/bid/14849
Summary:
GtkDiskFree creates temporary files in an insecure manner. The issue exists 
in the 'src/mount.c' file.

Exploitation would most likely result in loss of data or a denial of service 
if critical files are overwritten in the attack. Other attacks may be 
possible as well.

Turquoise SuperStat Date Parser Remote Buffer Overflow Vulnerability
BugTraq ID: 14852
Remote: Yes
Date Published: 2005-09-15
Relevant URL: http://www.securityfocus.com/bid/14852
Summary:
Turquoise SuperStat is prone to a buffer overflow in its NNTP response 
mechanism.

The vulnerability presents itself when a malicious NNTP server supplies 
excessive data to the application that is handled by the date parsing 
routines.

A successful attack may result in a remote compromise.

[ FidoNet legacy ]

SimpleCDR-X Insecure Temporary File Creation Vulnerability
BugTraq ID: 14855
Remote: No
Date Published: 2005-09-15
Relevant URL: http://www.securityfocus.com/bid/14855
Summary:
SimpleCDR-X creates temporary files in an insecure manner.

A local attacker would most likely take advantage of this vulnerability by 
creating a malicious symbolic link in a directory where the temporary files 
will be created. 

Exploitation would most likely result in loss of data or a denial of service 
if critical files are overwritten in the attack. Other attacks may also be 
possible.

SimpleCDR-X 1.3.3 is reported to be vulnerable.  Other versions may also be 
affected.

GNOME Workstation Command Center gwcc_out.txt Insecure Temporary File 
Creation Vulnerability
BugTraq ID: 14857
Remote: No
Date Published: 2005-09-16
Relevant URL: http://www.securityfocus.com/bid/14857
Summary:
GNOME Workstation Command Center creates temporary files in an insecure 
manner.

A local attacker would most likely take advantage of this vulnerability by 
creating a malicious symbolic link in a directory where the temporary files 
will be created. 

Exploitation would most likely result in loss of data or a denial of service 
if critical files are overwritten in the attack. Other attacks may also be 
possible.

GNOME Workstation Command Center version 0.98 is reported to be vulnerable.  
Other earlier versions may also be affected.

ncompress Insecure Temporary File Creation Vulnerability
BugTraq ID: 14859
Remote: No
Date Published: 2005-09-16
Relevant URL: http://www.securityfocus.com/bid/14859
Summary:
ncompress creates temporary files in an insecure manner. 

A local attacker would most likely take advantage of this vulnerability by 
creating a malicious symbolic link in a directory where the temporary files 
will be created. 

Exploitation would most likely result in loss of data or a denial of service 
if critical files are overwritten in the attack. Other attacks may also be 
possible.

The vulnerability is reported in version 4.2.4. Other versions may also be 
affected.

SuSE YaST Local Buffer Overflow Vulnerability
BugTraq ID: 14861
Remote: No
Date Published: 2005-09-16
Relevant URL: http://www.securityfocus.com/bid/14861
Summary:
SuSE YaST is affected by a local buffer overflow vulnerability.

A local attacker may exploit this issue to execute arbitrary code with 
superuser privileges.

SuSE Linux 9.3 is reported to be vulnerable.  Other versions may be affected 
as well.

arc Insecure Temporary File Creation Vulnerability
BugTraq ID: 14863
Remote: No
Date Published: 2005-09-16
Relevant URL: http://www.securityfocus.com/bid/14863
Summary:
arc creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to view 
files and obtain privileged information.  The attacker may also perform 
symlink attacks, overwriting arbitrary files in the context of the affected 
application.

Exploitation would most likely result in loss of confidentiality and theft 
of privileged information. Successful exploitation of a symlink attack may 
result in sensitive configuration files being overwritten.  This may result 
in a denial of service; other attacks may also be possible.

arc 5.21j and earlier versions are reported to be vulnerable.

Py2Play Object Unpickling Remote Python Code Execution Vulnerability
BugTraq ID: 14864
Remote: Yes
Date Published: 2005-09-17
Relevant URL: http://www.securityfocus.com/bid/14864
Summary:
Py2Play is prone to a vulnerability that may let remote attackers execute 
arbitrary Python code in the context of the program, because objects 
received from remote peers are unpickled.  This issue could be exploited by 
remote peers.

Tofu Object Unpickling Remote Python Code Execution Vulnerability
BugTraq ID: 14865
Remote: Yes
Date Published: 2005-09-17
Relevant URL: http://www.securityfocus.com/bid/14865
Summary:
Tofu is prone to a vulnerability that may let remote attackers execute 
arbitrary Python code in the context of the program, because objects 
received from remote peers are unpickled.  This issue could be exploited by 
remote peers.
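
Why unpickling peer data is code execution, and what a restricted unpickler 
looks like, as an added example for the Py2Play and Tofu entries. This is 
constructed code, not taken from either project; the allow-list of globals 
is an assumption about what a game-state message would legitimately need.

```python
import io
import pickle
import subprocess

# Added, constructed example (not Py2Play or Tofu code).


class MaliciousMove:
    """What a hostile peer sends. pickle honours __reduce__, so pickle.loads()
    calls the returned callable with the returned arguments. Here that is a
    harmless `echo`, but any importable callable can be named."""

    def __reduce__(self):
        return (subprocess.check_output, (["echo", "pwned"],))


def build_malicious_payload():
    return pickle.dumps(MaliciousMove())


def naive_receive(data):
    """Vulnerable receiver: whatever the wire says, gets executed."""
    return pickle.loads(data)


# Hardened receiver: find_class() is the only place a pickle can reach a
# global, so only names on this allow-list (an assumption) may be resolved.
SAFE_GLOBALS = {
    ("builtins", "range"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("refusing global %s.%s" % (module, name))


def hardened_receive(data):
    """Returns the object, or None if the payload asked for a forbidden global."""
    try:
        return RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return None


if __name__ == "__main__":
    payload = build_malicious_payload()
    print("naive receiver returned:", naive_receive(payload))       # b'pwned\n'
    print("restricted receiver returned:", hardened_receive(payload))  # None
    print("benign state:", hardened_receive(pickle.dumps({"turn": 3, "board": [0, 1]})))
```

The restricted unpickler limits damage but does not make pickle a safe wire 
format; a peer-facing protocol is better served by a data-only encoding with 
explicit parsing.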

ClamAV UPX Compressed Executable Buffer Overflow Vulnerability
BugTraq ID: 14866
Remote: Yes
Date Published: 2005-09-16
Relevant URL: http://www.securityfocus.com/bid/14866
Summary:
ClamAV is prone to a remote buffer overflow vulnerability.  This condition 
occurs when the program processes malformed UPX compressed executables.

Successful exploitation may result in execution of arbitrary code in the 
context of the application.

ClamAV FSG Compressed Executable Infinite Loop Denial Of Service 
Vulnerability
BugTraq ID: 14867
Remote: Yes
Date Published: 2005-09-16
Relevant URL: http://www.securityfocus.com/bid/14867
Summary:
ClamAV is prone to a remote denial of service vulnerability.  This issue 
occurs when the application handles a malformed FSG compressed executable.  
Exploitation could cause the application to enter an infinite loop, 
resulting in a denial of service.

Cisco IOS Multiple Unspecified EIGRP Vulnerabilities
BugTraq ID: 14877
Remote: Yes
Date Published: 2005-09-19
Relevant URL: http://www.securityfocus.com/bid/14877
Summary:
Cisco IOS is susceptible to multiple unspecified EIGRP vulnerabilities.

Further details are currently unavailable. This BID will be updated as more 
information is disclosed.

Due to the nature of the protocol, attackers likely require access to hosts 
in networks operating with the vulnerable protocol.

[ firmware ]

Cisco CSS 11500 Series SSL Authentication Bypass Vulnerability
BugTraq ID: 14783
Remote: Yes
Date Published: 2005-09-08
Relevant URL: http://www.securityfocus.com/bid/14783
Summary:
Cisco CSS (Content Services Switches) 11500 Series devices are prone to an 
authentication bypass vulnerability.  This issue may occur when the device 
uses SSL for encryption and client authentication.

Successful exploitation may permit unauthorized access to content.

This issue affects Cisco CSS 11500/11501 devices with the 
CSS5-SSL-K9/CSS11501S-K9 modules installed respectively.

[ firmware ]

Cisco IOS Firewall Authentication Proxy Buffer Overflow Vulnerability
BugTraq ID: 14770
Remote: Yes
Date Published: 2005-09-07
Relevant URL: http://www.securityfocus.com/bid/14770
Summary:
Cisco IOS Firewall Authentication Proxy is prone to a buffer overflow 
condition.  Successful exploitation of this issue could cause a denial of 
service or potential execution of arbitrary code.

This issue affects the FTP and Telnet protocols, but not HTTP.

[ firmware ]

Bacula Insecure Temporary File Creation Vulnerabilities
BugTraq ID: 14881
Remote: No
Date Published: 2005-09-20
Relevant URL: http://www.securityfocus.com/bid/14881
Summary:
Bacula creates temporary files in an insecure manner.

An attacker with local access could potentially exploit this issue to view 
files and obtain privileged information.  The attacker may also perform 
symlink attacks, overwriting arbitrary files in the context of the affected 
application.

Exploitation would most likely result in loss of confidentiality and theft 
of privileged information. Successful exploitation of a symlink attack may 
result in sensitive configuration files being overwritten.  This may result 
in a denial of service; other attacks may also be possible.

Mozilla Browser/Firefox Arbitrary Command Execution Vulnerability
BugTraq ID: 14888
Remote: Yes
Date Published: 2005-09-20
Relevant URL: http://www.securityfocus.com/bid/14888
Summary:
Mozilla Browser/Firefox are affected by an arbitrary command execution 
vulnerability. This attack would occur in the context of the user running 
the vulnerable application and may facilitate unauthorized remote access. 

Mozilla Firefox 1.0.6 running on UNIX based platforms is reportedly 
vulnerable.  Other versions and applications employing Firefox functionality 
may be vulnerable as well.

Mozilla Browser 1.7.x versions and Thunderbird 1.x versions are also 
vulnerable to this issue.

Mozilla/Netscape/Firefox Browsers Domain Name Remote Buffer Overflow Vulnerability
BugTraq ID: 14784
Remote: Yes
Date Published: 2005-09-09
Relevant URL: http://www.securityfocus.com/bid/14784
Summary:
Mozilla/Netscape/Firefox are reported prone to a remote buffer overflow 
vulnerability when handling a malformed URI.

A successful attack may result in a crash or the execution of arbitrary code.

Firefox 1.0.6 and 1.5 Beta 1 are vulnerable to this issue.  Mozilla 1.7.11 
and Netscape 8.0.3.3 and 7.2 are affected as well. 

Mozilla Browser/Firefox XBM Image Processing Heap Overflow Vulnerability
BugTraq ID: 14916
Remote: Yes
Date Published: 2005-09-23
Relevant URL: http://www.securityfocus.com/bid/14916
Summary:
Mozilla and Firefox browsers are prone to a heap overflow when processing 
malformed XBM images.  Successful exploitation can result in arbitrary code 
execution.

Mozilla Browser/Firefox JavaScript Engine Integer Overflow Vulnerability
BugTraq ID: 14917
Remote: Yes
Date Published: 2005-09-23
Relevant URL: http://www.securityfocus.com/bid/14917
Summary:
Mozilla Browser/Firefox are affected by an integer overflow vulnerability in 
their JavaScript engine.

This issue may be exploited by a remote attacker who entices a user to visit 
a malicious site.

A successful attack may facilitate unauthorized remote access to a 
vulnerable computer.

Netscape Browser 8.0.3.3, Netscape 7.2, and K-Meleon 0.9 are vulnerable to 
this issue as well.

Mozilla Browser/Firefox Zero-Width Non-Joiner Stack Corruption 
Vulnerability
BugTraq ID: 14918
Remote: Yes
Date Published: 2005-09-23
Relevant URL: http://www.securityfocus.com/bid/14918
Summary:
Mozilla and Firefox are prone to a stack corruption vulnerability.  
Successful exploitation could potentially result in arbitrary code execution.

Mozilla Browser/Firefox Chrome Window Spoofing Vulnerability
BugTraq ID: 14919
Remote: Yes
Date Published: 2005-09-23
Relevant URL: http://www.securityfocus.com/bid/14919
Summary:
Mozilla and Firefox browsers are prone to a window spoofing vulnerability.

An attacker can exploit this vulnerability to enhance phishing-style attacks.

Mozilla Browser/Firefox Chrome Page Loading Restriction Bypass Privilege Escalation Weakness
BugTraq ID: 14920
Remote: Yes
Date Published: 2005-09-23
Relevant URL: http://www.securityfocus.com/bid/14920
Summary:
Mozilla Browser/Firefox are prone to a potential arbitrary code execution 
weakness. Specifically, an attacker can load privileged 'chrome' pages from 
an unprivileged 'about:' page.  This issue does not pose a threat unless it 
is combined with a same-origin violation issue.

If successfully exploited, this issue may allow a remote attacker to execute 
arbitrary code and gain unauthorized remote access to a computer.  This 
would occur in the context of the user running the browser. 

Mozilla Browser/Firefox DOM Objects Spoofing Vulnerability
BugTraq ID: 14921
Remote: Yes
Date Published: 2005-09-23
Relevant URL: http://www.securityfocus.com/bid/14921
Summary:
Mozilla and Firefox are prone to a DOM object spoofing vulnerability.  
Successful exploitation could allow a remote attacker to execute arbitrary 
script code with elevated privileges.

Mozilla Browser/Firefox Arbitrary HTTP Request Injection Vulnerability
BugTraq ID: 14923
Remote: Yes
Date Published: 2005-09-23
Relevant URL: http://www.securityfocus.com/bid/14923
Summary:
Mozilla and Firefox browsers are prone to a vulnerability that permits the 
injection of arbitrary HTTP requests.  This issue is due to a failure in the 
application to properly sanitize user-supplied input.

This issue can be used to exploit server or proxy flaws from the user's 
machine, or to fool a server or proxy into thinking a single request is a 
stream of separate requests.
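
What "a single request is a stream of separate requests" means on the wire, 
as an added example: a constructed model of a client that copies 
page-supplied text into a request header, not Mozilla code. The header name 
'X-Client-Note' and the path and host names are hypothetical.

```python
# Added, constructed example (not Mozilla code). Models a client that lets
# attacker-controlled text into one request header.


def build_request_unchecked(host, path, note):
    """Vulnerable: the header value goes out unmodified, so a CR LF CR LF
    inside it ends the header block and whatever follows is parsed by the
    server or proxy as the next request."""
    req = "GET %s HTTP/1.1\r\nHost: %s\r\nX-Client-Note: %s\r\n\r\n" % (path, host, note)
    return req.encode()


def build_request_checked(host, path, note):
    """Hardened: header values may never contain CR or LF."""
    if "\r" in note or "\n" in note:
        raise ValueError("CR/LF not allowed in a header value")
    return build_request_unchecked(host, path, note)


def build_request_checked_or_none(host, path, note):
    try:
        return build_request_checked(host, path, note)
    except ValueError:
        return None


def split_requests(raw):
    """How a proxy or server sees the byte stream: one request per header
    block (bodies are ignored, which is fine for GET). Returns request lines."""
    return [block.split(b"\r\n")[0].decode() for block in raw.split(b"\r\n\r\n") if block]


# Constructed hostile header value: terminates the first request and smuggles
# a second one, to a different host, behind it.
PAYLOAD = "x\r\n\r\nGET /admin/delete HTTP/1.1\r\nHost: victim.example"


if __name__ == "__main__":
    print(split_requests(build_request_unchecked("example.org", "/", PAYLOAD)))
    print(build_request_checked_or_none("example.org", "/", PAYLOAD))
```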

Multiple Browser Proxy Auto-Config Script Handling Remote Denial of 
Service Vulnerability
BugTraq ID: 14924
Remote: Yes
Date Published: 2005-09-23
Relevant URL: http://www.securityfocus.com/bid/14924
Summary:
Multiple browsers are affected by a remote denial of service vulnerability 
when handling proxy auto-config scripts.

This can cause a crash in the instance of the browser.

Firefox 1.0.6 and prior versions, Netscape Browser 8.0.3.3, and Mozilla 
1.7.11 and prior versions are affected by this issue.

Webmin / Usermin Remote PAM Authentication Bypass Vulnerability
BugTraq ID: 14889
Remote: Yes
Date Published: 2005-09-20
Relevant URL: http://www.securityfocus.com/bid/14889
Summary:
Webmin and Usermin are susceptible to a remote PAM authentication bypass 
vulnerability. This issue is present in the 'miniserv.pl' Web server that is 
bundled with these applications.

Due to insufficient input validation, shell metacharacters may be employed 
to bypass the authentication mechanism.

Due to the nature of these applications, full system compromise is very 
likely after gaining access.

MasqMail Local Privilege Escalation Vulnerabilities
BugTraq ID: 14890
Remote: No
Date Published: 2005-09-21
Relevant URL: http://www.securityfocus.com/bid/14890
Summary:
MasqMail is prone to two local privilege escalation vulnerabilities.

The application is affected by a command execution vulnerability that arises 
due to insufficient sanitization of user-supplied data.

The application is also affected by symbolic link attacks due to a design 
error.

MasqMail 0.2.18 is known to be vulnerable to these issues.  Other versions 
may be affected as well.

[ SMTP server for dialup connections ]

HylaFAX Insecure Temporary File Creation Vulnerability
BugTraq ID: 14907
Remote: No
Date Published: 2005-09-22
Relevant URL: http://www.securityfocus.com/bid/14907
Summary:
HylaFAX creates temporary files in an insecure manner. This may allow a 
local attacker to perform symbolic link attacks.

Successful exploitation may result in sensitive data or configuration files 
being overwritten.  This may result in a denial of service; other attacks 
may also be possible.

Yukihiro Matsumoto Ruby SAFE Level Restriction Bypass Vulnerability
BugTraq ID: 14909
Remote: Yes
Date Published: 2005-09-22
Relevant URL: http://www.securityfocus.com/bid/14909
Summary:
Ruby is susceptible to a SAFE level restriction bypass vulnerability. This 
issue is due to a flaw in the logic that implements the SAFE level checks.

This issue allows attackers to bypass the expected SAFE level restrictions, 
possibly allowing them to execute unauthorized script code in the context of 
affected applications.

The specific impact of this issue depends on the implementation of scripts 
that utilize SAFE level security checks.

Ruby versions prior to 1.8.3 are vulnerable to this issue.

rsyslog Syslog Message SQL Injection Vulnerability
BugTraq ID: 14942
Remote: Yes
Date Published: 2005-09-26
Relevant URL: http://www.securityfocus.com/bid/14942
Summary:
rsyslog is prone to an SQL injection vulnerability.  This issue is due to a 
failure in the application to properly sanitize user-supplied input before 
using it in an SQL query.

Successful exploitation could result in a compromise of the application, 
disclosure or modification of data, or may permit an attacker to exploit 
vulnerabilities in the underlying database implementation.

qpopper Local Arbitrary File Modification Vulnerability
BugTraq ID: 14944
Remote: No
Date Published: 2005-09-26
Relevant URL: http://www.securityfocus.com/bid/14944
Summary:
qpopper is a POP3 mail server available for Linux and Unix based systems.

qpopper is susceptible to a local arbitrary file modification vulnerability. 
This issue is due to insecure file handling in the 'poppassd' 
setuid-superuser application.

A local attacker could exploit this vulnerability to change the permissions 
of, overwrite, or otherwise modify arbitrary files with superuser privileges. 
Depending on the purpose of the modified files, this may cause system 
crashes, or allow attackers to gain elevated privileges.

Nokia 3210 And 7610 Remote OBEX Denial Of Service Vulnerability
BugTraq ID: 14948
Remote: Yes
Date Published: 2005-09-26
Relevant URL: http://www.securityfocus.com/bid/14948
Summary:
A remote denial of service vulnerability affects Nokia 3210 and 7610 phones. 
This issue is due to a failure of the operating system to handle certain 
filename characters in Bluetooth OBEX transfers.

An attacker may leverage this issue to cause affected Nokia devices to fail 
to respond to further Bluetooth OBEX communications. Further communication 
likely fails until the affected phone is restarted.

Due to code reuse among devices, other phones may also be affected.

[ firmware ]

Astaro Security Linux PPTP Server Unspecified Remote Denial of Service 
Vulnerability
BugTraq ID: 14950
Remote: Yes
Date Published: 2005-09-26
Relevant URL: http://www.securityfocus.com/bid/14950
Summary:
Astaro Security Linux Point-to-Point Tunneling Protocol (PPTP) server is 
affected by an unspecified remote denial of service vulnerability.

It is conjectured that a remote attacker may exploit this issue by sending 
specially crafted data to the PPTP server and causing the application to 
crash.

Due to a lack of details, further information cannot be provided at the 
moment.  This BID will be updated when more details are available.

Polipo Off-By-One Buffer Overflow Vulnerability
BugTraq ID: 14961
Remote: Yes
Date Published: 2005-09-28
Relevant URL: http://www.securityfocus.com/bid/14961
Summary:
Polipo is prone to an off-by-one buffer overflow vulnerability.  

An attacker may be able to exploit this issue to trigger a denial of service 
condition.  It is conjectured that arbitrary code execution may be possible 
as well.

polipo Web Root Restriction Bypass Vulnerability
BugTraq ID: 14970
Remote: Yes
Date Published: 2005-09-28
Relevant URL: http://www.securityfocus.com/bid/14970
Summary:
polipo is prone to a vulnerability that permits access to files outside the 
Web root.  Very little information is available regarding this vulnerability 
other than that the application may expose files outside the local Web 
root.  This BID will be updated as further information becomes available.

Successful exploitation of this vulnerability will result in information 
disclosure.  Information obtained may aid in further attacks; other attacks 
are also possible.

[ http://www.pps.jussieu.fr/~jch/software/polipo/ - HTTP caching proxy ]

AbiWord RTF File Processing Buffer Overflow Vulnerability 
BugTraq ID: 14971
Remote: Yes
Date Published: 2005-09-29
Relevant URL: http://www.securityfocus.com/bid/14971
Summary:
AbiWord is susceptible to a buffer overflow vulnerability. This issue is due 
to a failure of the application to properly bounds check user-supplied data 
prior to copying it to an insufficiently sized memory buffer while importing 
RTF files.

This issue likely allows attackers to execute arbitrary machine code in the 
context of the user running the affected application.

sblim-sfcb Malformed Header Denial Of Service Vulnerability
BugTraq ID: 14972
Remote: Yes
Date Published: 2005-09-29
Relevant URL: http://www.securityfocus.com/bid/14972
Summary:
sblim-sfcb is prone to a denial of service vulnerability.  This issue is due 
to a failure in the application to handle malformed headers.

An attacker can exploit this vulnerability to deny service to legitimate 
users.

[ Standards Based Linux Instrumentation ]

BackupNinja Insecure Temporary File Creation Vulnerability
BugTraq ID: 14978
Remote: No
Date Published: 2005-09-30
Relevant URL: http://www.securityfocus.com/bid/14978
Summary:
backupninja creates temporary files in an insecure manner.  This may allow a 
local attacker to perform symbolic link attacks.

Successful exploitation may result in sensitive data or configuration files 
being overwritten.  This may result in a denial of service; other attacks 
may also be possible.

ntlmaps Authorization Proxy Server Insecure Configuration File Permissions 
Vulnerability
BugTraq ID: 14979
Remote: No
Date Published: 2005-09-30
Relevant URL: http://www.securityfocus.com/bid/14979
Summary:
NTLM Authorization Proxy Server (ntlmaps) is prone to a vulnerability 
regarding insecure permissions on the configuration file.  This issue is due 
to a configuration error in the post-installation script.

A local attacker can exploit this vulnerability to retrieve the username and 
password to the Microsoft Windows NT system that ntlmaps connects to.

IceWarp Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 14980
Remote: Yes
Date Published: 2005-09-30
Relevant URL: http://www.securityfocus.com/bid/14980
Summary:
IceWarp is prone to multiple cross-site scripting vulnerabilities.  These 
issues are due to a failure in the application to properly sanitize 
user-supplied input.

An attacker may leverage these issues to have arbitrary script code executed 
in the browser of an unsuspecting user in the context of the affected site.  
These may facilitate the theft of cookie-based authentication credentials as 
well as other attacks.

blender Command Line Processing Buffer Overflow Vulnerability 
BugTraq ID: 14983
Remote: Yes
Date Published: 2005-09-30
Relevant URL: http://www.securityfocus.com/bid/14983
Summary:
Blender is susceptible to a buffer overflow vulnerability. This issue is due 
to a failure of the application to properly bounds check user-supplied data 
prior to copying it to an insufficiently sized memory buffer while handling 
command line arguments.

This issue likely allows attackers to execute arbitrary machine code in the 
context of the user running the affected application.

This issue is reported in version 2.37a of Blender; other versions may also 
be affected.

GNU cfengine Insecure Temporary File Creation Vulnerability
BugTraq ID: 14994
Remote: No
Date Published: 2005-10-01
Relevant URL: http://www.securityfocus.com/bid/14994
Summary:
GNU cfengine is prone to an insecure temporary file creation vulnerability.  
Exploitation may allow arbitrary files to be overwritten.

Bugzilla config.cgi Information Disclosure Vulnerability
BugTraq ID: 14995
Remote: Yes
Date Published: 2005-10-01
Relevant URL: http://www.securityfocus.com/bid/14995
Summary:
Bugzilla is prone to an information disclosure issue exposed through 
config.cgi.  This may allow an unauthorized user to access product names 
that are supposed to be confidential.

Bugzilla versions 2.18rc1 to 2.18.3, 2.19 to 2.20rc2, and 2.21 are affected.

Bugzilla User-Matching Information Disclosure Vulnerability
BugTraq ID: 14996
Remote: Yes
Date Published: 2005-10-01
Relevant URL: http://www.securityfocus.com/bid/14996
Summary:
Bugzilla is prone to an information disclosure vulnerability when 
user-matching is turned on.  This could allow an attacker to enumerate 
usernames on the system.

Bugzilla 2.19.1 to 2.20rc2 and 2.21 are prone to this vulnerability.

KDE kcheckpass Local Privilege Escalation Vulnerability
BugTraq ID: 14736
Remote: No
Date Published: 2005-09-05
Relevant URL: http://www.securityfocus.com/bid/14736
Summary:
KDE kcheckpass is prone to a local privilege escalation vulnerability.  
Successful exploitation could allow an attacker to gain superuser privileges.

All KDE versions from 3.2.0 to 3.4.2 inclusive are vulnerable to this issue.

Gentoo Net-SNMP Local Privilege Escalation Vulnerability
BugTraq ID: 14745
Remote: No
Date Published: 2005-09-06
Relevant URL: http://www.securityfocus.com/bid/14745
Summary:
Gentoo Net-SNMP is affected by a local privilege escalation vulnerability.

A local attacker with portage group privileges may create a shared object 
that would be loaded by Net-SNMP Perl modules, potentially resulting in 
arbitrary code execution in the context of the user running the Perl script.

Gentoo Net-SNMP versions prior to 5.2.1.2-r1 are affected by this 
vulnerability.  This issue does not affect the upstream Net-SNMP suite itself.

man2web Multiple Scripts Command Execution Vulnerability
BugTraq ID: 14747
Remote: Yes
Date Published: 2005-09-06
Relevant URL: http://www.securityfocus.com/bid/14747
Summary:
man2web is affected by a command execution vulnerability affecting multiple 
scripts.

A remote attacker can supply arbitrary commands to the application through 
HTTP GET requests that may be executed with the privileges of an affected 
Web server.

This can facilitate a remote compromise.

Feedback Form Perl Script CHFeedBack.PL Unauthorized Mail Relay 
Vulnerability
BugTraq ID: 14749
Remote: Yes
Date Published: 2005-09-06
Relevant URL: http://www.securityfocus.com/bid/14749
Summary:
chfeedback.pl is prone to a vulnerability that allows the application to be 
abused as a mail relay.

An attacker can exploit this issue to inject arbitrary SMTP headers by using 
CR and LF sequences.

If successful, it becomes possible to abuse the application as a mail relay. 
Email may be sent to arbitrary computers. This could be exploited by 
spammers or other malicious parties.

smb4k Insecure Temporary File Creation Vulnerability
BugTraq ID: 14756
Remote: No
Date Published: 2005-09-07
Relevant URL: http://www.securityfocus.com/bid/14756
Summary:
smb4k is prone to an insecure temporary file creation vulnerability.  
Successful exploitation of this issue could allow a local attacker to gain 
access to sensitive information.

[ The SMB/CIFS Share Browser for KDE ]

Open WebMail OpenWebmail-main.PL Cross-Site Scripting Vulnerability
BugTraq ID: 14771
Remote: Yes
Date Published: 2005-09-07
Relevant URL: http://www.securityfocus.com/bid/14771
Summary:
Open WebMail is prone to a cross-site scripting vulnerability. This issue is 
due to a lack of proper sanitization of user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed 
in the browser of an unsuspecting user in the context of the affected site.  
This may facilitate the theft of cookie-based authentication credentials as 
well as other attacks.

[ Crap. Dropped from Debian. Don't use. ]

FreeRADIUS Multiple Remote Vulnerabilities
BugTraq ID: 14775
Remote: Yes
Date Published: 2005-09-08
Relevant URL: http://www.securityfocus.com/bid/14775
Summary:
FreeRADIUS is susceptible to multiple remote vulnerabilities.

The first issues are memory handling vulnerabilities. These issues may allow 
remote attackers to crash affected services, or possibly execute arbitrary 
machine code in the context of the vulnerable application.

FreeRADIUS is also affected by a possible file descriptor leak. This may be 
exploited to gain access to files that an attacker may not normally have 
access to.

The LDAP module contains a flaw whereby attacker-specified data may be 
passed on to the configured LDAP database without proper input sanitization.

These issues are all reported to affect version 1.0.4 of FreeRADIUS; 
previous versions are also likely vulnerable to one or more of these issues.

Update: The vendor has posted a response to these issues; please see 
"Response to Suse Audit Report on FreeRADIUS" for further details.

Sawmill Unspecified Cross-Site Scripting Vulnerability
BugTraq ID: 14789
Remote: Yes
Date Published: 2005-09-09
Relevant URL: http://www.securityfocus.com/bid/14789
Summary:
Sawmill is prone to an unspecified cross-site scripting vulnerability.  This 
issue is due to a failure in the application to properly sanitize 
user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed 
in the browser of an unsuspecting user in the context of the affected site.  
This may facilitate the theft of cookie-based authentication credentials as 
well as other attacks.

[ log analyser ]

GNU mailutils imap4d Search Command Remote Format String Vulnerability
BugTraq ID: 14794
Remote: Yes
Date Published: 2005-09-09
Relevant URL: http://www.securityfocus.com/bid/14794
Summary:
imap4d is prone to a remote format string vulnerability.

The issue presents itself when the service handles malicious search commands 
from a client.

A successful attack may result in arbitrary code execution. This may 
facilitate unauthorized access or privilege escalation in the context of the 
server.

This issue has been confirmed in GNU Mailutils 0.6.  It is likely that other 
versions are vulnerable as well.
