 Glug-Nilgiris
[GN][News:] GN SecNews #5  Vijay Kumar
 Feb 25, 2003 17:54 PST 
GN SecNews Vol #5
-----------------
News Article Type: Weekly
Author: vijay (vijay-@users.sourceforge.net)
Date: Tue Feb 25 09:36:15 IST 2003

Please send in your comments and suggestions for improvement.

Disclaimer: This is a compilation of Security News Articles/Advisories from various GNU/Linux Providers, Developers and Users. The Author(s) of this article make no warranties of any kind whatsoever with respect to the information contained from the sources. The information given here is as is from the source with the PGP signature if available.

===============================================================================

Contents
========
1.) SecurityFocus Newsletter #185

2.) SecurityFocus Linux Newsletter #120

3.) [SCSA-007] Cross Site Scripting Vulnerabilities in WWWBoard

4.) [RHSA-2003:057-06] Updated shadow-utils packages fix exposure

5.) [RHSA-2003:041-12] Updated VNC packages fix replay and cookie
    vulnerabilities

===============================================================================

1.) SecurityFocus Newsletter #185

===============================================================================

SecurityFocus Newsletter #185
-----------------------------
This issue sponsored by Verisign-The Value Of Trust

Secure Your Servers

Secure your servers with 128-bit SSL encryption! Grab your copy of
VeriSign's FREE Guide, "Securing Your Web site for Business," and you'll
learn everything you need to know about using 128-bit SSL to encrypt your
e-commerce transactions, secure your corporate intranets and authenticate
your Web sites. 128-bit SSL is serious security for your online business.
Get it now!

http://www.verisign.com/cgi-bin/go.cgi?a=n09440117580057000
---------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Exchange 2000 in the Enterprise: Tips and Tricks Part Three
     2. Secure MySQL Database Design
     3. Richard Clarke's Legacy of Miscalculation
     4. SecurityFocus DPP Program
     5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. BUGTRAQ SUMMARY
     1. Util-Linux mcookie Cookie Generation Weakness
     2. IndyNews delMediaFile() File Deletion Vulnerability
     3. IndyNews manageMedia() File Deletion Vulnerability
     4. IndyNews HTML Injection Vulnerability
     5. Apple MacOS Classic TruBlueEnvironment Environment Variable...
     6. Apple File Protocol iDrive Administrator Login Weakness
     7. PHP-Board User Password Disclosure Vulnerability
     8. Kietu Hit.PHP Remote File Inclusion Vulnerability
     9. DotBr PHPInfo Environment Information Disclosure Vulnerability
     10. DotBr Config.Inc Information Disclosure Vulnerability
     11. DotBr Exec.PHP3 Remote Command Execution Vulnerability
     12. DotBr System.PHP3 Remote Command Execution Vulnerability
     13. IBM Lotus Domino HTTP Redirect Buffer Overflow Vulnerability
     14. IBM Lotus Domino Web Server iNotes s_ViewName/Foldername...
     15. IBM Lotus iNotes ActiveX Control Buffer Overflow Vulnerability
     16. BisonFTP Long Command Denial of Service Vulnerability
     17. BisonFTP Information Disclosure Vulnerability
     18. Microsoft Riched20.dll Attribute Buffer Overflow Vulnerability
     19. PHP CGI SAPI Code Execution Vulnerability
     20. Netcharts Server Chunked Encoding Information Leakage...
     21. D-Forum Remote File Include Vulnerability
     22. BitchX Malformed RPL_NAMREPLY Denial Of Service Vulnerability
III. SECURITYFOCUS NEWS ARTICLES
     1. Airport limo firm allegedly hobbled by revenge hack
     2. How to get an ATM PIN number in 15 guesses
     3. Crypto attack against SSL outlined
     4. States take step toward sharing cyberthreat data
IV. SECURITYFOCUS TOP 6 TOOLS
     1. PlexCrypt v3.1
     2. Traffik tool Troll v0.7
     3. LinuxMagic magic-smtpd v0.7.0
     4. snortalog v1.7.0
     5. labrea v2.5b1
     6. Looper Event / Alert System v0.20
V. SECURITYJOBS LIST SUMMARY
     1. Technical security reconciliation (Thread)
     2. Internship in São Paulo / Brazil (Thread)
     3. Forensic and Information Security Analyst Looking for a home in...
     4. Systems Engineer - Application Level Security (Thread)
     5. Security Sales Professionals Needed (Thread)
     6. Looking for Job in Italy (Thread)
     7. Network Security Engineer - NJ (Thread)
     8. Needed Penetration Testers (Thread)
     9. Senior Security Consultant needed in Washington DC (Thread)
     10. looking for Security Professionals in India (Thread)
     11. Infrastructure Security Manager- Rhode Island (Thread)
     12. Sunny Florida - Application Security Engineer (Thread)
VI. INCIDENTS LIST SUMMARY
     1. Scans on TCP port 135 (Thread)
     2. Weird Profile in Documents and Settings (Thread)
     3. Distributed spam-based DoS in progress (Thread)
     4. Dead thread -- Distributed spam-based DoS in progress (Thread)
     5. port 17300 probe fingerprint analysis (Thread)
     6. Kuang2 strikes again, is it just me? (Thread)
     7. www.nopop.net (Thread)
     8. Web Defacement (Thread)
     9. mIRC Trojan Variant - port 445 worm/Trojan (Thread)
     10. an-@ano.com ftpd dip.t-dialin.net (Thread)
     11. Incidents list administrivia and introductions... (Thread)
     12. Spies on Your PC HDrv (Thread)
     13. ICMP Destination Unreachable, Administratively Prohibited...
     14. S4T4N1C Web Defacement (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
     1. Call For Papers Announcement: Black Hat Briefings Amsterdam
     2. VisualBasic auditing2 (Thread)
     3. VisualBasic auditing (Thread)
     4. Is this an off-by-one overflow? (Thread)
     5. [argv] BitchX-353 Vulnerability (Thread)
     6. A different bash blues (Thread)
     7. glibc glob_filename() recurse call stack overflow (Re[2]: Bash...
     8. glibc glob_filename() recurse call stack overflow (Re[2]: Bash...
     9. Windows 2000 Static arp not static (Thread)
     10. Administrivia: Bash Blues (Thread)
     11. Bash Blues. (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
     1. Windows2000 QuickLaunch (Thread)
     2. MS Software Update Service (Thread)
     3. AW: MS Software Update Service (Thread)
     4. Restricting CmdExec Rights to Sysadmin (Thread)
     5. Windows station permissions, remote control programs,lower...
     6. AW: Restricting CmdExec Rights to Sysadmin (Thread)
     7. [despammed] Defeating password cracking (Thread)
     8. Windows station permissions, remote control programs, lower...
     9. Defeating password cracking (Thread)
     10. Website inside or outside domain (Thread)
     11. Ye Olde OWA Topic (Was Website inside or outside domain)...
     12. Unhappy face icon on NT 4 workstation (Thread)
     13. SecurityFocus Microsoft Newsletter #125 (Thread)
     14. website inside or outside the domain? (Thread)
     15. Windows 2000 Static arp not static (Thread)
IX. SUN FOCUS LIST SUMMARY
     1. NO NEW POSTS FOR THE WEEK ENDING 02.21.03
X. LINUX FOCUS LIST SUMMARY
     1. entropy + openSSL question (Thread)
     2. LKM Trojan installed (Thread)
     3. openSSL Key generation (Thread)
XI. SPONSOR INFORMATION



I. FRONT AND CENTER
-------------------
1. Exchange 2000 in the Enterprise: Tips and Tricks Part Three
By Timothy M. Mullen

This is the second installment in a two-part series on securing Exchange
2000 in the enterprise. The last segment addressed the security
ramifications of publishing mail content to the Internet via Outlook Web
Access. This installment will discuss configuring IPSec between front-end
and back-end OWA Servers as well as headers.

http://online.securityfocus.com/infocus/1668

2. Secure MySQL Database Design
by Kristy Westphal

When it comes to installing software, secure design is often the last
consideration. The first goal is usually just to get it to work. This is
particularly true of databases. Databases are commonly referred to as the
keys to the kingdom, meaning that once they are compromised, all the
valuable data that is stored there could fall into the hands of the
attacker. With this in mind, this article will discuss various methods to
secure databases, specifically one of the most popular freeware databases
in use today, MySQL.

http://online.securityfocus.com/infocus/1667

3. Richard Clarke's Legacy of Miscalculation
By George Smith

The outgoing cybersecurity czar will be remembered for his steadfast
belief in the danger of Internet attacks, even while genuine threats
developed elsewhere.

http://online.securityfocus.com/columnists/143

4. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11

Solutions to today's security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html


II. BUGTRAQ SUMMARY
-------------------
1. Util-Linux mcookie Cookie Generation Weakness
BugTraq ID: 6855
Remote: Yes
Date Published: Feb 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6855
Summary:

util-linux is a freely available, open source software package that
provides some implementations of standard UNIX utilities, such as login.
Included with util-linux is the mcookie utility that is used to generate
random cookies for use with X authentication.

A weakness has been reported for the mcookie utility where cookies may be
generated in a predictable manner. The weakness occurs because mcookie
uses /dev/urandom to generate cookies.

This may be exploited by an attacker to guess cookie values to steal
credentials of users who use X authentication.

Information obtained in this manner may be used by the attacker to launch
further attacks against vulnerable systems and users.

2. IndyNews delMediaFile() File Deletion Vulnerability
BugTraq ID: 6856
Remote: Yes
Date Published: Feb 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6856
Summary:

IndyNews is a module designed for integration with the PHP-Nuke web portal
software.

A vulnerability has been discovered in the IndyNews module available for
PHP-Nuke. The problem occurs in the delMediaFile() function and may allow
an unauthorized attacker to delete media files. The susceptible files are
only those that have been included in an approved article. This issue
could be exploited to obstruct a website's ability to distribute various
files.

The precise technical details regarding this vulnerability are currently
unknown. This BID will be updated accordingly as more information is made
available.

3. IndyNews manageMedia() File Deletion Vulnerability
BugTraq ID: 6857
Remote: Yes
Date Published: Feb 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6857
Summary:

IndyNews is a module designed for integration with the PHP-Nuke web portal
software.

A vulnerability has been discovered in the IndyNews module available for
PHP-Nuke. The problem occurs in the manageMedia() function and may allow
an unauthorized attacker to delete or modify various files.

Exploitation of this issue may allow an attacker to influence the upload
location of remote PHP files, potentially making it possible to execute
arbitrary PHP commands.

The precise technical details regarding this vulnerability are currently
unknown. This BID will be updated accordingly as more information is made
available.

4. IndyNews HTML Injection Vulnerability
BugTraq ID: 6858
Remote: Yes
Date Published: Feb 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6858
Summary:

IndyNews is a module designed for integration with the PHP-Nuke web portal
software.

A vulnerability has been discovered in the IndyNews module available for
PHP-Nuke. Due to insufficient sanitization of HTML tags it is possible to
embed HTML code within the 'alt' tags of a news article. When the news
article is viewed by an unsuspecting user the embedded code will be
executed within the context of the site visited.

This issue could be exploited by taking advantage of a bug found in the
editMediaDescr() and editMediaTempDescr() functions. Through the malicious
use of these functions it is possible for an unauthorized user to modify
the 'alt' tags of a proposed or already displayed news article.

The precise technical details regarding this vulnerability are currently
unknown. This BID will be updated accordingly as more information is made
available.

5. Apple MacOS Classic TruBlueEnvironment Environment Variable Privilege Escalation Vulnerability
BugTraq ID: 6859
Remote: No
Date Published: Feb 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6859
Summary:

Apple MacOS X includes a Classic emulator to support applications written
for Classic versions of the operating system.

Apple has released a client security update which details a vulnerability
in the Apple MacOS Classic environment for MacOS X, which may lead to
elevation of privileges. This issue exists in TruBlueEnvironment, which
is included in the emulator.

It has been reported that an environment variable used by
TruBlueEnvironment may be changed to cause arbitrary local files to be
overwritten or created. The environment variable is used to define a
location to output debugging information to a file.

TruBlueEnvironment will create or overwrite the debugging file with
world-writeable privileges, depending on the umask of the process creating
the file. The file will not be executable when it is created. However, a
facility such as cron may potentially run the file through a shell
interpreter. This may cause the file to run with elevated privileges,
resulting in privilege escalation. A denial of service is also possible
if critical system files are corrupted by the attacker.

6. Apple File Protocol iDrive Administrator Login Weakness
BugTraq ID: 6860
Remote: Yes
Date Published: Feb 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6860
Summary:

Apple File Protocol (AFP) is used with Apple's 'iDisk' feature to allow
systems to store files on Apple's site.

The AFP allows a system administrator to log onto a system as a normal
user using administration credentials. This is the default behaviour. When
authenticating, it is possible for an attacker to obtain the administrator
credentials by intercepting data.

Further details about this issue are not known at this time. This BID will
be updated as further information becomes available.

7. PHP-Board User Password Disclosure Vulnerability
BugTraq ID: 6862
Remote: Yes
Date Published: Feb 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6862
Summary:

php-board is web forum software.

A vulnerability has been reported in php-board which may disclose
sensitive information to remote attackers. This flaw exists in the
'login.php' script.

php-board user information is stored in flat files on the system hosting
the software. Access to the files via the web is not sufficiently
restricted. Remote attackers may request user files and gain access to
php-board user and administrative passwords. The attacker must know the
name of the user whose file they are requesting.

The attacker may use the disclosed credentials to perform actions on the
php-board system as the user.

8. Kietu Hit.PHP Remote File Inclusion Vulnerability
BugTraq ID: 6863
Remote: Yes
Date Published: Feb 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6863
Summary:

Kietu is web-based software for tracking web site usage statistics. It is
implemented in PHP.

A flaw in the Kietu 'hit.php' script may permit remote attackers to
include malicious remote files. Remote users may influence the include
path for the 'config.php' configuration file. An attacker may exploit
this to include a malicious PHP script named 'config.php' from a remote
host, resulting in execution of arbitrary commands with the privileges of
the webserver process.

9. DotBr PHPInfo Environment Information Disclosure Vulnerability
BugTraq ID: 6864
Remote: Yes
Date Published: Feb 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6864
Summary:

DotBr is a web application implemented in PHP. It includes features to
allow websites to host a poll.

DotBr may disclose sensitive information to remote attackers about the
environment of the system hosting the software. This is due to the use of
the PHP phpinfo() function in the 'foo.php3' script. This may disclose
version information and path information to the attacker.

This information may be helpful in mounting further attacks against the
system.

10. DotBr Config.Inc Information Disclosure Vulnerability
BugTraq ID: 6865
Remote: Yes
Date Published: Feb 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6865
Summary:

DotBr is a web application implemented in PHP. It includes features to
allow websites to host polls. DotBr is backended by a MySQL database.

The DotBr configuration file (config.inc) may potentially disclose
sensitive information to remote attackers. This issue occurs because the
configuration file does not have the proper PHP file extension in the
default installation, and may be displayed by the webserver instead of
handled by the PHP interpreter. Database authentication credentials and
other information may be disclosed as a result.

The attacker may use this information in attempts to gain unauthorized
access to other resources.

11. DotBr Exec.PHP3 Remote Command Execution Vulnerability
BugTraq ID: 6867
Remote: Yes
Date Published: Feb 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6867
Summary:

DotBr is a web application implemented in PHP. It includes features to
allow websites to host polls.

The DotBr 'exec.php3' script is prone to a remote command execution
vulnerability. This is due to insufficient sanitization of user-supplied
data before it is passed through the PHP passthru() function. If
exploited, the function will invoke the underlying shell with
attacker-supplied parameters.

Exploitation may result in execution of arbitrary shell commands with the
privileges of the webserver process.

12. DotBr System.PHP3 Remote Command Execution Vulnerability
BugTraq ID: 6866
Remote: Yes
Date Published: Feb 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6866
Summary:

DotBr is a web application implemented in PHP. It includes features to
allow websites to host polls.

The DotBr 'system.php3' script is prone to a remote command execution
vulnerability. This is due to insufficient sanitization of user-supplied
data before it is passed through the PHP system() function. If exploited,
the function will invoke the underlying shell with attacker-supplied
parameters.

Exploitation may result in execution of arbitrary shell commands with the
privileges of the webserver process.

13. IBM Lotus Domino HTTP Redirect Buffer Overflow Vulnerability
BugTraq ID: 6870
Remote: Yes
Date Published: Feb 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6870
Summary:

Lotus Domino Server is an application framework for web based
collaborative software. It runs on multiple platforms including Microsoft
Windows and Unix.

It has been reported that Lotus Domino 6 is affected by a buffer overflow
vulnerability. The condition occurs when the server constructs an HTTP
redirect response.

According to the report, the client-supplied "HOST" HTTP header field is
copied into a local buffer without bounds checking. Consequently, a
buffer overflow occurs if the HOST parameter is of excessive length.

Attackers may exploit this vulnerability by identifying and then
requesting, with a malicious HOST parameter in the request header, a
specific document that causes the server to respond with a redirect.

Successful exploitation of this vulnerability may result in attackers
gaining control of affected servers.

14. IBM Lotus Domino Web Server iNotes s_ViewName/Foldername Buffer Overflow Vulnerability
BugTraq ID: 6871
Remote: Yes
Date Published: Feb 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6871
Summary:

Lotus Domino Server is an application framework for web based
collaborative software. It runs on multiple platforms including Microsoft
Windows and Unix.

Lotus Domino iNotes Web Server does not perform adequate bounds checking
on the s_ViewName/Foldername options of the PresetFields parameter. A
buffer overflow condition can occur if excessively long strings are
supplied as values for these fields when requesting web based mail
services. This could result in sensitive areas of memory being
overwritten to allow attacker-supplied code to be executed. This code
would be executed in the security context of the account running the
Domino Web Services.

15. IBM Lotus iNotes ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 6872
Remote: Yes
Date Published: Feb 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6872
Summary:

IBM Lotus iNotes is a web based messaging/collaboration application.
Installation of support for iNotes on client systems includes an ActiveX
control, "Lotus Domino Session ActiveX Control".

A buffer overflow vulnerability is reportedly present in this control.
The condition is in the method "InitializeUsingNotesUserName()" and may be
triggered if the method is called with a parameter of excessive length.

Malicious web content may invoke the control and exploit the vulnerability
to execute instructions on target client systems. Furthermore, other
applications which use the MSIE HTML rendering component may also be
vulnerable if ActiveX support is enabled. It should be noted that any
code executed would run with the privileges of the user who started MSIE.

16. BisonFTP Long Command Denial of Service Vulnerability
BugTraq ID: 6869
Remote: Yes
Date Published: Feb 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6869
Summary:

BisonFTP is an FTP daemon available for Windows based systems.

The BisonFTP daemon is prone to a denial of service condition when issued
certain commands by the remote client.

If the client issues an FTP command such as 'cwd' or 'ls' containing 4300
bytes of data or more, the CPU usage on the system will increase to 100%.
This results in the host being unavailable until the connection is closed
by the client.

17. BisonFTP Information Disclosure Vulnerability
BugTraq ID: 6873
Remote: Yes
Date Published: Feb 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6873
Summary:

BisonFTP Server is an FTP daemon that is available for Windows based
systems.

The BisonFTP server does not properly sanitize directory traversal
sequences from user input. This allows users to issue an 'ls' command
using the sequence '@../' in order to gain a file listing outside of the
FTP root. Information obtained could be used to mount further attacks
against the system.

18. Microsoft Riched20.dll Attribute Buffer Overflow Vulnerability
BugTraq ID: 6874
Remote: No
Date Published: Feb 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6874
Summary:

Rich Text Format (RTF) files are parsed by the riched20.dll library on
Windows platforms. This library is included in most versions of Windows
and may also be installed by other applications that are required to parse
.rtf files.

Reportedly, it is possible to overrun a buffer in riched20.dll, causing
the calling application (such as Microsoft Outlook or Word) to fail.
This buffer can be overrun by including more than 65536 bytes of data in
an attribute label contained in the .rtf file. Arbitrary code execution
may be possible.

This vulnerability may be related to BID 807.

** Some reports indicate that this vulnerability could not be reproduced
on riched20.dll v.3.0 (5.30.23.1200) running on Windows NT.

19. PHP CGI SAPI Code Execution Vulnerability
BugTraq ID: 6875
Remote: Yes
Date Published: Feb 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6875
Summary:

PHP is a freely available, open source web scripting language package. It
is available for Microsoft Windows, Linux, and Unix operating systems.

An unspecified vulnerability has been reported in the CGI SAPI of PHP
version 4.3.0.

Direct access to the CGI binary can be prevented by using the
configuration option '--enable-force-cgi-redirect' and the php.ini option
'cgi.force_redirect'.

The report states that an unspecified bug could render these options
useless, allowing a remote user to directly access the CGI binary. This
could allow an attacker to read any file that is readable by the web
server user, or to potentially execute arbitrary PHP code. The attacker
would have to be able to inject the PHP code into a file accessible by the
CGI binary, such as the web server access logs.

20. Netcharts Server Chunked Encoding Information Leakage Vulnerability
BugTraq ID: 6877
Remote: Yes
Date Published: Feb 18 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6877
Summary:

NetCharts Server provides multi-platform data connectivity. Combined
servlet engine, graphics engine and scheduling features.

It has been reported that Netcharts Server is unable to sufficiently
handle invalid chunked encoded HTTP requests.

Although query-response communication timing is reportedly difficult to
predict, one scenario may be an attacker attempting to desynchronize the
Netcharts server in an attempt to lead valid Netcharts Server users to a
specified response. The attacker may achieve this condition by flooding
the Netcharts Server communication channels with an attacker-supplied
response.

This may lead to sensitive information leakage or network performance
degradation as a result of the attacker's attempts to exploit this
condition.

21. D-Forum Remote File Include Vulnerability
BugTraq ID: 6879
Remote: Yes
Date Published: Feb 18 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6879
Summary:

D-Forum is a freely available discussion forum written in PHP.

D-Forum is prone to an issue which may allow remote attackers to include
files located on remote servers. This issue is present in the header.php3
and footer.php3 pages existing in the /includes folder.

Under some circumstances, it is possible for remote attackers to influence
the include path for these scripts to point to an external file on a
remote server by manipulating the '$my_header' and '$my_footer' URI
parameters.

If the remote file is a malicious file, this may be exploited to execute
arbitrary system commands in the context of the webserver.

22. BitchX Malformed RPL_NAMREPLY Denial Of Service Vulnerability
BugTraq ID: 6880
Remote: Yes
Date Published: Feb 18 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6880
Summary:

BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.

A problem with BitchX could make it possible for a malicious IRC server to
crash a vulnerable client.

It has been reported that BitchX does not properly handle some types of
replies contained in the RPL_NAMREPLY numeric. When a malformed reply is
received by the client, the client crashes, resulting in a denial of
service.

The problem occurs through the handling of the 353 IRC numeric. It is
suspected that this vulnerability may also make possible the execution of
arbitrary code. In the event that this is possible, code executed through
this vulnerability would be in the context of the BitchX user. This could
allow a remote attacker access to the system on which the affected client
is running with the privileges of the BitchX user.


III. SECURITYFOCUS NEWS AND COMMENTARY
------------------------------------------
1. Airport limo firm allegedly hobbled by revenge hack
By Kevin Poulsen

Terminated network administrator is charged with a retaliatory strike
against former employer's systems.

http://online.securityfocus.com/news/2567

2. How to get an ATM PIN number in 15 guesses
By John Leyden, The Register

Cambridge researchers have documented a worrying PIN cracking technique
against the hardware security modules commonly used by bank ATMs.

http://online.securityfocus.com/news/2584

3. Crypto attack against SSL outlined
By John Leyden, The Register

Swiss security researchers have discovered an attack against
implementations of the ubiquitous SSL protocol that could potentially
compromise email passwords, though not ecommerce transactions.

http://online.securityfocus.com/news/2583

4. States take step toward sharing cyberthreat data
By William Jackson, TechNews.com

Thirteen states, led by New York, last weekend conducted a communications
exercise that could lead to a new, multistate information sharing and
analysis center.

http://online.securityfocus.com/news/2553


IV. SECURITYFOCUS TOP 6 TOOLS
-----------------------------
1. PlexCrypt v3.1
by plexobject
Relevant URL:
http://www.plexobject.com/software/plexcrypt/index.html
Platforms: AIX, HP-UX, IRIX, Linux, POSIX, Solaris, SunOS, Windows 2000,
Windows 95/98, Windows NT
Summary:

PlexCrypt is a GUI that allows a set of files or folders to be compressed
using the Zip format. In addition, it encrypts and decrypts a set of files or a
set of folders using AES, Blowfish, CAST, DES, ElGamal, IDEA, IES, RC4,
RC6, RSA, Rijndael, Serpent, Skipjack, Twofish, etc. It allows users to
create digital signatures and digest and verify them. It also allows users
to create and manage digital certificates for encryption and signatures.

2. Traffik tool Troll v0.7
by Alexander Newald alexa-@newald.de
Relevant URL:
http://linux.newald.de/
Platforms: N/A
Summary:

The Traffik Tool Troll is a traffic monitoring and managing script.
Traffic statistics are generated by port, hour, day, month, and year. You
can define a special period for your needs. The script is written in Perl
and uses iptables and MySQL to get and store the traffic.

3. LinuxMagic magic-smtpd v0.7.0
by LinuxMagic Inc. magic-@linuxmagic.com
Relevant URL:
http://www.linuxmagic.com/opensource/magicmail/magic-smtpd/
Platforms: Linux, POSIX
Summary:

MAGIC-SMTPD is a drop-in replacement for Dan Bernstein's qmail-smtpd, and
was originally designed to be part of the LinuxMagic Magic Mail Server.
This opensource version has been released to allow others to benefit from
its anti-spam components, and valid user checking to reduce server loads
and spam volumes. It is designed to support stock qmail installations,
qmail/vpopmail installations, and database connectivity. Designed for ISP
service, this will work for all mail servers large and small.

4. snortalog v1.7.0
by jeremy chartier
Relevant URL:
http://jeremy.chartier.free.fr/snortalog/
Platforms: UNIX
Summary:

Snortalog (formerly known as Snort-ng) is a powerful Perl script that
summarizes Snort logs, making it easy to view any network attacks detected
by Snort. It can generate charts in HTML. It works with all versions of
Snort, and can analyze logs in two formats: syslog alerts and text alerts.
It does not include a database for maximum performance.

5. labrea v2.5b1
by Tom Liston tlis-@hackbusters.net
Relevant URL:
http://labrea.sourceforge.net/
Platforms: OS Independent
Summary:

labrea is a program that creates a "sticky honeypot" by taking over unused
IP addresses on a network and creating virtual machines that answer to
connection attempts. labrea answers those connection attempts in a way
that causes the machine at the other end to get "stuck", sometimes for a
very long time.

6. Looper Event / Alert System v0.20
by Mohit Muthanna bu-@muthanna.com
Relevant URL:
http://looper.sourceforge.net/
Platforms: AIX, FreeBSD, HP-UX, Linux, OpenBSD, Solaris, SunOS
Summary:

Looper is a highly modularized application designed to simplify the event
/ alert model. Primarily used for Network Management, this application can
be used to accomplish a variety of tasks related to logging and alerting
such as listening for SNMP traps and logging to a file or sending
notification to Netcool (a la "trapd probe"), reading a log file for
alerts and sending notification via e-mail, parsing syslogs and sending
notifications to Netcool (a la "syslog probe"), etc. Looper can also be
used as an ad-hoc Netcool probe or Gateway.


V. SECURITY JOBS SUMMARY
------------------------
1. Technical security reconciliation (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312642

2. Internship in São Paulo / Brazil (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312601

3. Forensic and Information Security Analyst Looking for a home in NYC (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312574

4. Systems Engineer - Application Level Security (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312573

5. Security Sales Professionals Needed (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312478

6. Looking for Job in Italy (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312475

7. Network Security Engineer - NJ (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312418

8. Needed Penetration Testers (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312384

9. Senior Security Consultant needed in Washington DC (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312375

10. looking for Security Professionals in India (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312374

11. Infrastructure Security Manager- Rhode Island (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/312373

12. Sunny Florida - Application Security Engineer (Thread)
Relevant URL:

http://online.securityfocus.com/archive/77/311925


VI. INCIDENTS LIST SUMMARY
-------------------------
1. Scans on TCP port 135 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312587

2. Weird Profile in Documents and Settings (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312586

3. Distributed spam-based DoS in progress (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312469

4. Dead thread -- Distributed spam-based DoS in progress (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312422

5. port 17300 probe fingerprint analysis (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312366

6. Kuang2 strikes again, is it just me? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312277

7. www.nopop.net (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312115

8. Web Defacement (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312088

9. mIRC Trojan Variant - port 445 worm/Trojan (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312086

10. an-@ano.com ftpd dip.t-dialin.net (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312000

11. Incidents list administrivia and introductions... (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/311980

12. Spies on Your PC HDrv (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/312181

13. ICMP Destination Unreachable, Administratively Prohibited (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/311955

14. S4T4N1C Web Defacement (Thread)
Relevant URL:

http://online.securityfocus.com/archive/75/311952


VII. VULN-DEV RESEARCH LIST SUMMARY
----------------------------------
1. Call For Papers Announcement: Black Hat Briefings Amsterdam (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/312492

2. VisualBasic auditing2 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/312496

3. VisualBasic auditing (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/312507

4. Is this an off-by-one overflow? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/312501

5. [argv] BitchX-353 Vulnerability (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/312223

6. A different bash blues (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/311992

7. glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/311991

8. glibc glob_filename() recurse call stack overflow (Re[2]: Bash Blues ) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/311990

9. Windows 2000 Static arp not static (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/311931

10. Administrivia: Bash Blues (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/311892

11. Bash Blues. (Thread)
Relevant URL:

http://online.securityfocus.com/archive/82/311863


VIII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Windows2000 QuickLaunch (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312594

2. MS Software Update Service (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312595

3. AW: MS Software Update Service (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312591

4. Restricting CmdExec Rights to Sysadmin (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312598

5. Windows station permissions, remote control programs,lower priviledge accounts (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312551

6. AW: Restricting CmdExec Rights to Sysadmin (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312547

7. [despammed] Defeating password cracking (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312549

8. Windows station permissions, remote control programs, lower priviledge accounts (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312548

9. Defeating password cracking (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312358

10. Website inside or outside domain (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312264

11. Ye Olde OWA Topic (Was Website inside or outside domain) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312267

12. Unhappy face icon on NT 4 workstation (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312266

13. SecurityFocus Microsoft Newsletter #125 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312265

14. website inside or outside the domain? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312248

15. Windows 2000 Static arp not static (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/312241


IX. SUN FOCUS LIST SUMMARY
----------------------------
1. NO NEW POSTS FOR THE WEEK ENDING 02.21.03


X. LINUX FOCUS LIST SUMMARY
---------------------------
1. entropy + openSSL question (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/312405

2. LKM Trojan installed (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/312387

3. openSSL Key generation (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/312270


XI. SPONSOR INFORMATION
-----------------------

This issue sponsored by: Verisign-The Value Of Trust





***********************************************************************
************************** End of Doc #1 ******************************
***********************************************************************

===============================================================================

2.) SecurityFocus Linux Newsletter #120

===============================================================================

SecurityFocus Linux Newsletter #120
-----------------------------------

This Issue is sponsored by: Captus Networks

Instantly identify and automatically stop:

- DDoS Attacks
- Port Scans
- Exploits from Unknown Worms and Viruses

With precise, real-time responses. Hands-on, online demo--launch and
mitigate live attacks. Visit us at:
http://www.captusnetworks.com/landing_pages/sflx
-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Secure MySQL Database Design
     2. Richard Clarke's Legacy of Miscalculation
     3. SecurityFocus DPP Program
     4. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. LINUX VULNERABILITY SUMMARY
     1. HP-UX Bastille sendmail.cf Information Disclosure Weakness
     2. Suckbot Remote Denial Of Service Vulnerability
     3. Util-Linux mcookie Cookie Generation Weakness
     4. PHP CGI SAPI Code Execution Vulnerability
     5. BitchX Malformed RPL_NAMREPLY Denial Of Service Vulnerability
III. LINUX FOCUS LIST SUMMARY
     1. entropy + openSSL question (Thread)
     2. LKM Trojan installed (Thread)
     3. openSSL Key generation (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORM
     1. eTrust Antivirus
     2. F-Secure Anti-Virus Total Suite
     3. NetVigil
V. NEW TOOLS FOR LINUX PLATFORMS
     1. LinuxMagic magic-smtpd v0.7.0
     2. Looper Event / Alert System v0.20
     3. Webanalyse v0.9
VI. SPONSORSHIP INFORMATION



I. FRONT AND CENTER
-------------------
1. Secure MySQL Database Design
by Kristy Westphal

When it comes to installing software, secure design is often the last
consideration. The first goal is usually just to get it to work. This is
particularly true of databases. Databases are commonly referred to as the
keys to the kingdom, meaning that once they are compromised, all the
valuable data that is stored there could fall into the hands of the
attacker. With this in mind, this article will discuss various methods to
secure databases, specifically one of the most popular freeware databases
in use today, MySQL.

http://online.securityfocus.com/infocus/1667

2. Richard Clarke's Legacy of Miscalculation
By George Smith

The outgoing cybersecurity czar will be remembered for his steadfast
belief in the danger of Internet attacks, even while genuine threats
developed elsewhere.

http://online.securityfocus.com/columnists/143

3. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

4. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11

Solutions to today’s security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html


II. BUGTRAQ SUMMARY
-------------------
1. HP-UX Bastille sendmail.cf Information Disclosure Weakness
BugTraq ID: 6878
Remote: Yes
Date Published: Feb 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6878
Summary:

The Bastille Hardening System attempts to implement various security
measures on various Unix operating systems. It is currently available for
the Linux and HP-UX operating systems.

A security weakness has been discovered in version B.02.00.00 of the
Bastille Hardening System which may result in information disclosure. This
issue occurs when Bastille is used in conjunction with the HP-UX operating
system and the Sendmail daemon.

HP has reported that a security weakness remains in sendmail.cf even
after Bastille has been used to disable the 'vrfy' and 'expn' SMTP
commands. Specifically, Bastille fails to enable the 'novrfy' and 'noexpn'
options. Exploiting this configuration error would have the same effects
as a configuration which has not disabled the use of the 'vrfy' and 'expn'
SMTP commands.

This issue poses a security threat as it may allow an unauthorized remote
attacker to obtain sensitive username and alias information from a target
server. As a result a system administrator applying the Bastille system
may have a false sense of security as to the confidentiality of system
information.

It has been confirmed that Bastille available for the Linux operating
system is not affected by this issue.
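
A check for the condition described in this entry, as an added example (not part of the newsletter or of Bastille): it reads a sendmail.cf and reports whether PrivacyOptions covers 'novrfy' and 'noexpn'. The sample files are constructed, and the function names are hypothetical; 'goaway' is accepted because sendmail treats it as implying both flags.

```shell
#!/bin/sh
# Added example: audit a sendmail.cf for the PrivacyOptions flags named above.

# privacy_flags FILE
# Print every flag from uncommented long-form "O PrivacyOptions=..." lines,
# lower-cased, one per line. Flags from several lines are combined
# (assumption about how repeated option lines interact).
privacy_flags() {
    sed -n 's/^O[[:space:]]*PrivacyOptions[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ',' '\n' | tr -d ' \t\r' | tr 'A-Z' 'a-z' | sed '/^$/d' | sort -u
}

# check_vrfy_expn FILE
# Return 0 when both VRFY and EXPN are disabled, 1 otherwise, and say which
# flag is missing. "goaway" counts as setting both.
check_vrfy_expn() {
    flags=$(privacy_flags "$1")
    missing=""
    for want in novrfy noexpn; do
        if ! printf '%s\n' "$flags" | grep -qx -e "$want" -e goaway; then
            missing="$missing $want"
        fi
    done
    if [ -n "$missing" ]; then
        echo "WEAK: $1 missing:$missing"
        return 1
    fi
    echo "OK: $1 disables VRFY and EXPN"
}

# --- constructed sample configurations -------------------------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/weak.cf" <<'EOF'
# constructed sample: the state the advisory describes
O PrivacyOptions=authwarnings
EOF

cat > "$demo_dir/hardened.cf" <<'EOF'
# constructed sample: both flags present
O PrivacyOptions=authwarnings,novrfy,noexpn
EOF

cat > "$demo_dir/commented.cf" <<'EOF'
# constructed sample: the hardened line is commented out, so it does not count
#O PrivacyOptions=novrfy,noexpn
O PrivacyOptions=authwarnings, novrfy
EOF

cat > "$demo_dir/goaway.cf" <<'EOF'
# constructed sample: goaway implies novrfy and noexpn
O PrivacyOptions=goaway
EOF

for cf in weak hardened commented goaway; do
    check_vrfy_expn "$demo_dir/$cf.cf" || true
done
```

Run it against the live file after any hardening tool has been applied, so the result reflects what the daemon will actually read.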

2. Suckbot Remote Denial Of Service Vulnerability
BugTraq ID: 6854
Remote: Yes
Date Published: Feb 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6854
Summary:

Suckbot is an IRC bot program written using the C programming language. It
is available for the Linux, FreeBSD, and Solaris operating systems.

A vulnerability has been discovered in SuckBot. A denial of service may
occur when calling the rquote_cmd() function located in the
mod_mysql_logger shared object file.

Specifically, when the function requests a row from the backend MySQL
database, it fails to check that a row was successfully returned. If no
row was returned, the process accesses the invalid row and a segmentation
violation occurs, causing the program to crash.

This issue could potentially be exploited by a malicious IRC user to crash
a target Suckbot IRC bot.

This issue affects Suckbot version 0.006 and earlier.

3. Util-Linux mcookie Cookie Generation Weakness
BugTraq ID: 6855
Remote: Yes
Date Published: Feb 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6855
Summary:

util-linux is a freely available, open source software package that
provides some implementations of standard UNIX utilities, such as login.
Included with util-linux is the mcookie utility that is used to generate
random cookies for use with X authentication.

A weakness has been reported for the mcookie utility where cookies may be
generated in a predictable manner. The weakness occurs because mcookie
uses /dev/urandom to generate cookies.

This may be exploited by an attacker to guess cookie values to steal
credentials of users who use X authentication.

Information obtained in this manner may be used by the attacker to launch
further attacks against vulnerable systems and users.

4. PHP CGI SAPI Code Execution Vulnerability
BugTraq ID: 6875
Remote: Yes
Date Published: Feb 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6875
Summary:

PHP is a freely available, open source web scripting language package. It
is available for Microsoft Windows, Linux, and Unix operating systems.

An unspecified vulnerability has been reported in the CGI SAPI of PHP
version 4.3.0.

Direct access to the CGI binary can be prevented by using the
configuration option '--enable-force-cgi-redirect' and the php.ini option
'cgi.force_redirect'.

The report states that an unspecified bug could render these options
useless, allowing a remote user to directly access the CGI binary. This
could allow an attacker to read any file that is readable by the web
server user, or to potentially execute arbitrary PHP code. The attacker
would have to be able to inject the PHP code into a file accessible by the
CGI binary, such as the web server access logs.

5. BitchX Malformed RPL_NAMREPLY Denial Of Service Vulnerability
BugTraq ID: 6880
Remote: Yes
Date Published: Feb 18 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6880
Summary:

BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.

A problem with BitchX could make it possible for a malicious IRC server to
crash a vulnerable client.

It has been reported that BitchX does not properly handle some types of
replies contained in the RPL_NAMREPLY numeric. When a malformed reply is
received by the client, the client crashes, resulting in a denial of
service.

The problem occurs through the handling of the 353 IRC numeric. It is
suspected that this vulnerability may also make possible the execution of
arbitrary code. In the event that this is possible, code executed through
this vulnerability would be in the context of the BitchX user. This could
allow a remote attacker access to the system on which the affected client
is running with the privileges of the BitchX user.


III. LINUX FOCUS LIST SUMMARY
---------------------------------
1. entropy + openSSL question (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/312405

2. LKM Trojan installed (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/312387

3. openSSL Key generation (Thread)
Relevant URL:

http://online.securityfocus.com/archive/91/312270


IV. NEW PRODUCTS FOR LINUX PLATFORM
-----------------------------------
1. eTrust Antivirus
by Computer Associates International, Inc.
Platforms: Linux, MacOS, Netware, Solaris, SunOS, Windows 2000, Windows
95/98, Windows NT, Windows XP
Relevant URL:
http://www3.ca.com/Solutions/ProductFamily.asp?ID=156
Summary:

eTrust Antivirus is a set of award-winning antivirus solutions, providing
superior protection against today's most prevalent security threat -
viruses. Based on advanced technology, eTrust Antivirus reduces virus
infections, simplifies and automates updating, and eases administration.
eTrust Antivirus is certified by ICSA Labs for detecting 100% of "in the
wild" viruses.

2. F-Secure Anti-Virus Total Suite
by F-Secure Corporation
Platforms: DOS, Linux, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.f-secure.com/products/anti-virus/totalsuite/
Summary:

F-Secure Anti-Virus Total Suite includes all critical components for
corporate virus security. By using F-Secure's award winning workstation,
file server, email server and firewall anti-virus products, you are always
protected even against the latest threats. All F-Secure Anti-Virus Total
Suite products are centrally manageable with one easy to use management
solution, F-Secure Policy Manager.

3. NetVigil
by Fidelia
Platforms: Linux, Solaris, Windows NT
Relevant URL:
http://www.fidelia.com/products/index.phtml
Summary:

Fidelia NetVigil is a real-time integrated fault and performance
management tool that provides end-to-end business visibility of your
company's IT infrastructure. Fidelia NetVigil's unique architecture will
scale with your organization and allow you to view and correlate data
across your servers, applications and network devices. Fidelia NetVigil's
instant configuration capabilities and multi-level views combine to
expedite isolation and repair of IT problems, minimize downtime and reduce
the cost of labor and implementation. This translates into savings for
your bottom line.


V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. LinuxMagic magic-smtpd v0.7.0
by LinuxMagic Inc. magic-@linuxmagic.com
Relevant URL:
http://www.linuxmagic.com/opensource/magicmail/magic-smtpd/
Platforms: Linux, POSIX
Summary:

MAGIC-SMTPD is a drop-in replacement for Dan Bernstein's qmail-smtpd, and
was originally designed to be part of the LinuxMagic Magic Mail Server.
This opensource version has been released to allow others to benefit from
its anti-spam components, and valid user checking to reduce server loads
and spam volumes. It is designed to support stock qmail installations,
qmail/vpopmail installations, and database connectivity. Designed for ISP
service, this will work for all mail servers large and small.

2. Looper Event / Alert System v0.20
by Mohit Muthanna bu-@muthanna.com
Relevant URL:
http://looper.sourceforge.net/
Platforms: AIX, FreeBSD, HP-UX, Linux, OpenBSD, Solaris, SunOS
Summary:

Looper is a highly modularized application designed to simplify the event
/ alert model. Primarily used for Network Management, this application can
be used to accomplish a variety of tasks related to logging and alerting
such as listening for SNMP traps and logging to a file or sending
notification to Netcool (a la "trapd probe"), reading a log file for
alerts and sending notification via e-mail, parsing syslogs and sending
notifications to Netcool (a la "syslog probe"), etc. Looper can also be
used as an ad-hoc Netcool probe or Gateway.

3. Webanalyse v0.9
by Ranx ra-@nanobody.net
Relevant URL:
http://www.nanobody.net/
Platforms: Linux, POSIX
Summary:

Webanalyse is a Web site traffic statistics tool written in PHP 4. It
doesn't use any databases or Apache logs. Its reports include Web site
statistics by day, week, month, and year, referer, host, IP, browser. The
big advantage lies primarily in detail of each visit--you can follow the
pages or articles which are visited on your site. WebAnalyse can be added
very easily on all the pages where you wish to follow the activity.


VI. SPONSORSHIP INFORMATION
---------------------------

This Issue is sponsored by: Captus Networks


***********************************************************************
************************** End of Doc #2 ******************************
***********************************************************************

===============================================================================

3.) [SCSA-007] Cross Site Scripting Vulnerabilities in WWWBoard


===============================================================================
________________________________________________________________________

Security Corporation Security Advisory [SCSA-007]
________________________________________________________________________

PROGRAM: WWWBoard
HOMEPAGE: http://www.scriptarchive.com
VULNERABLE VERSIONS: 2.0A2.1 and prior
________________________________________________________________________


DESCRIPTION
________________________________________________________________________

WWWBoard is "A threaded discussion forum that allows users to post
new messages, followup to existing ones and more. Includes a basic
admin to maintain the board."

(direct quote from WWWBoard website)


DETAILS
________________________________________________________________________

A Cross-Site Scripting vulnerability has been found in WWWBoard
which allows attackers to inject script code into the forum and have it
run in clients' browsers as if it were provided by the site.

This Cross-Site Scripting vulnerability is found in the page for
posting messages.

An attacker can input specially crafted links and/or other
malicious scripts.


EXPLOIT
________________________________________________________________________

A vulnerability was discovered in the page for posting messages,
at this address:

http://[target]/wwwboard/wwwboard.html#post


The vulnerability lies in how the "Message" field is interpreted.

Inserting hostile script code in this field allows a malicious user to
run that script in the browsers of visitors.


The hostile code could be :

[script]alert("Cookie="+document.cookie)[/script]

(opens a window showing the visitor's cookie.)

(replace [] by <>)


SOLUTIONS
________________________________________________________________________

No solution for the moment.


VENDOR STATUS
________________________________________________________________________

The vendor has reportedly been notified.


LINKS
________________________________________________________________________

http://www.security-corp.org/index.php?ink=4-15-1

Version Française :

http://www.security-corp.org/advisories/SCSA-007-FR.txt


------------------------------------------------------------
Grégory Le Bras aka GaLiaRePt | http://www.Security-Corp.org
------------------------------------------------------------

***********************************************************************
************************** End of Doc #3 ******************************
***********************************************************************


===============================================================================

4.) [RHSA-2003:057-06] Updated shadow-utils packages fix exposure

===============================================================================

---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated shadow-utils packages fix exposure
Advisory ID:       RHSA-2003:057-06
Issue date:        2003-02-12
Updated on:        2003-02-18
Product:           Red Hat Linux
Keywords:          mail mailspool
Cross references:
Obsoletes:         
CVE Names:         CAN-2002-1509
---------------------------------------------------------------------

1. Topic:

Updated shadow-utils packages correct a bug that caused the useradd tool to
create mail spools with incorrect permissions.

2. Relevant releases/architectures:

Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

The shadow-utils package includes programs for converting UNIX password
files to the shadow password format, plus programs for managing user and
group accounts. One of these programs is useradd and is used to create or
update new user information.

When creating a user account, the version of useradd included in Red Hat
Linux 7.2, 7.3, and 8.0 creates a mailbox file with incorrectly-set
group ownership. Instead of setting the file's group ownership to the
'mail' group, it is set to the user's primary group.

On systems where other users share the same primary group, this would allow
those users to read and write other users' mailboxes.

These erratum packages contain an updated patch to useradd. Where a 'mail'
group exists, mailboxes will be created with group 'mail' having read and
write permissions. Otherwise the mailbox file will be created without
group read and write permissions.

All users of Red Hat Linux are advised to update to these erratum packages
and to also check the /var/spool/mail directory to ensure that all mailbox
files have appropriate permissions.
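
One way to carry out the /var/spool/mail check recommended above, as an added example (not part of the Red Hat advisory): it flags mailbox files that are group-readable or group-writable while owned by a group other than 'mail', which is the rule the advisory states for the fixed useradd. The function name, the demo mailboxes and the optional second argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example: find mailboxes left with the permissions the advisory warns about.

# audit_spool DIR [GROUP]
# Print "path group=G mode=M" for every regular file in DIR that is readable
# or writable by its group while that group is not GROUP (default: mail).
# Returns 1 if anything was flagged, 0 otherwise.
# Limitation: group names containing spaces are not handled.
audit_spool() {
    spool=$1
    want_group=${2:-mail}
    bad=0
    for box in "$spool"/*; do
        # Regular files only; skip symlinks, directories and an empty glob.
        [ -f "$box" ] && [ ! -L "$box" ] || continue
        # Field 1 of "ls -ld" is the mode string, field 4 the group.
        info=$(ls -ld -- "$box" | awk '{print $1, $4}')
        mode=${info%% *}
        group=${info#* }
        # Group 'mail' with read/write is the intended state.
        [ "$group" = "$want_group" ] && continue
        case $mode in
            # Character 5 is group-read, character 6 is group-write.
            ????r*|?????w*)
                printf '%s group=%s mode=%s\n' "$box" "$group" "$mode"
                bad=1
                ;;
        esac
    done
    return "$bad"
}

# --- constructed demo spool (stands in for /var/spool/mail) -----------------
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
for user in alice bob carol; do
    : > "$demo/$user"
done
chmod 660 "$demo/alice"   # group read+write: flagged unless group is mail
chmod 600 "$demo/bob"     # no group access: acceptable under any group
chmod 640 "$demo/carol"   # group read: flagged unless group is mail

audit_spool "$demo" mail ||
    echo "fix each file listed above with: chgrp mail FILE  (or: chmod g-rw FILE)"
```

On a real system, run `audit_spool /var/spool/mail` as root after installing the erratum packages, since the update does not change mailboxes that already exist.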

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

59810 - useradd creates mail writable for group!!! (PATCH in duplicate bug)

6. RPMs required:

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/shadow-utils-20000902-9.7.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/shadow-utils-20000902-9.7.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/shadow-utils-20000902-9.7.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/shadow-utils-20000902-9.7.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/shadow-utils-20000902-9.7.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/shadow-utils-20000902-12.8.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/shadow-utils-20000902-12.8.i386.rpm



7. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
175d0d2e8a47c91a3746aca0054bc46b 7.2/en/os/SRPMS/shadow-utils-20000902-9.7.src.rpm
f6d1854e5155dc933b01fd4b701edf2e 7.2/en/os/i386/shadow-utils-20000902-9.7.i386.rpm
115bfb6de248ecf59a4a50d85c7cb43e 7.2/en/os/ia64/shadow-utils-20000902-9.7.ia64.rpm
175d0d2e8a47c91a3746aca0054bc46b 7.3/en/os/SRPMS/shadow-utils-20000902-9.7.src.rpm
f6d1854e5155dc933b01fd4b701edf2e 7.3/en/os/i386/shadow-utils-20000902-9.7.i386.rpm
0a4abea30939daf0c2f432efca7e35e9 8.0/en/os/SRPMS/shadow-utils-20000902-12.8.src.rpm
6dd61ab968afbc537e25faea914788bc 8.0/en/os/i386/shadow-utils-20000902-12.8.i386.rpm


These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:
    
    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    
    md5sum <filename>


8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1509

9. Contact:

The Red Hat security contact is <secu-@redhat.com>. More contact
details at http://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.

***********************************************************************
************************** End of Doc #4 ******************************
***********************************************************************

===============================================================================

5.) [RHSA-2003:041-12] Updated VNC packages fix replay and cookie
    vulnerabilities

===============================================================================

---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated VNC packages fix replay and cookie vulnerabilities
Advisory ID:       RHSA-2003:041-12
Issue date:        2003-02-07
Updated on:        2003-02-20
Product:           Red Hat Linux
Keywords:          vnc challenge replay cookie mkcookie
Cross references:
Obsoletes:         
CVE Names:         CAN-2002-1336 CAN-2002-1511
---------------------------------------------------------------------

1. Topic:

Updated VNC packages are available to fix a challenge replay vulnerability
and a weak cookie vulnerability.

2. Relevant releases/architectures:

Red Hat Linux 7.0 - i386
Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

VNC is a tool for providing a remote graphical user interface. Two
vulnerabilities have been found in versions of VNC shipped by Red Hat.

The VNC server acts as an X server, but the script for starting it
generates an MIT X cookie (which is used for X authentication) without
using a strong enough random number generator. This could allow an
attacker to more easily guess the authentication cookie.

The VNC DES authentication scheme is implemented using a challenge-response
architecture, producing a random and different challenge for each
authentication attempt. A bug in the function for generating the random
challenge caused the random seed to get reset to the current time on every
authentication attempt. Therefore, two authentication attempts within the
same second could receive the same challenge. An eavesdropper could
exploit this vulnerability by replaying the response, thereby gaining
authentication.

All users of VNC are advised to upgrade to these erratum packages, which
contain patches to correct these issues.

Note that when using VNC on an untrusted network, always make sure to
tunnel it through a secure authenticated protocol such as SSH.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

78828 - Upgrade to tightVNC 1.2.7 from 1.2.2

6. RPMs required:

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/vnc-3.3.3r2-18.6.src.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/vnc-3.3.3r2-18.6.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/vnc-server-3.3.3r2-18.6.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/vnc-doc-3.3.3r2-18.6.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/vnc-3.3.3r2-18.6.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/vnc-3.3.3r2-18.6.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/vnc-server-3.3.3r2-18.6.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/vnc-doc-3.3.3r2-18.6.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/vnc-3.3.3r2-18.6.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/vnc-3.3.3r2-18.6.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/vnc-server-3.3.3r2-18.6.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/vnc-doc-3.3.3r2-18.6.i386.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/vnc-3.3.3r2-28.2.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/vnc-3.3.3r2-28.2.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/vnc-server-3.3.3r2-28.2.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/vnc-doc-3.3.3r2-28.2.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/vnc-3.3.3r2-39.2.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/vnc-3.3.3r2-39.2.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/vnc-server-3.3.3r2-39.2.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/vnc-doc-3.3.3r2-39.2.i386.rpm



7. Verification:


These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:
    
    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    
    md5sum <filename>


8. References:

http://marc.theaimsgroup.com/?l=bugtraq&m=102753170201524
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1511

9. Contact:

The Red Hat security contact is <secu-@redhat.com>. More contact
details at http://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.

***********************************************************************
************************** End of Doc #5 ******************************
***********************************************************************

===============================================================================

End of GN SecNews #5

===============================================================================
--
-vi
	