@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Widely Deployed Software:

• (1) MODERATE: Apple MacOS X DHCP Response Root Compromise Affected Products: MacOS X version 10.2-10.3 MacOS X Server version 10.2-10.3 Description:MacOS X is reported to contain a vulnerability in handling DHCP responses. The problem arise

Other Software:

• (2) HIGH: phpBB Bulletin Board search.php SQL Injection Affected Products: phpBB version 2.06 Description: phpBB is a popular open source bulletin board software which integrates with multiple backend databases. The "search.php" s
• (3) HIGH: Virtual Programming VP-ASP Shopping Cart SQL Injection Vulnerabilities Affected Products: VP-ASP Shopping Cart version 5.0 Description: The VP-ASP shopping cart software is reported to contain SQL injection vulnerabili
• (4) HIGH: My_eGallery Remote File Include Vulnerability Affected Products: My_eGallery versions prior to 3.1.1.g Description: My_eGallery is a PHP module used to create and manage galleries on a web site. The "displayCategory.php"
• (5) MODERATE: Applied Watch Command Center Authentication Bypass Affected Products: Applied Watch Command Center Server version prior to 1.4.5 Description: Applied Watch Command Center software suite is designed to be a management solution

Update:

• (6) HIGH: Microsoft Internet Explorer Multiple Vulnerabilities Posted on November 27, 2003 in @RISK Volume 2, Week 48 (Item #1) Affected Products: Internet Explorer 6.0 Possibly Internet Explorer versions 5.01 and 5.5 Description: Mult

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Third Party Windows Apps

• 03.49.1 CV - Macromedia JRun Administrative Interface Multiple Cross-Site Scripting Vulnerabilities
• 03.49.2 CV - Sun ONE Web Server Denial-of-Service Vulnerability
• 03.49.3 CV - Yahoo! Messenger yauto.dll Buffer Overflow Vulnerability

Mac Os

• 03.49.4 CV - Apple MacOS X DHCP Response Root Compromise Vulnerability

Linux

• 03.49.5 CV - Linux kernel do_brk() function integer overflow

Unix

• 03.49.6 CV - ISC BIND Cache Poisoning Denial Of Service
• 03.49.7 CV - GNU Screen Escape Sequence Buffer Overrun Vulnerability
• 03.49.8 CV - Traceroute Detection Tool Format String Vulnerability
• 03.49.9 CV - OpenCA Signature Verification Vulnerabilities

Cross Platform

• 03.49.10 C - GnuPG External HKP Format String Vulnerability
• 03.49.11 C - IBM Directory Server 4.1 Web Admin Gui (ldacgi.exe) XSS Vulnerability
• 03.49.12 C - Apache mod_python Module Malformed Query Denial of Service Vulnerability
• 03.49.13 C - Surfboard Web Server File Disclosure Vulnerability

Web Application

• 03.49.14 C - My_eGallery Module Command Injection Vulnerability
• 03.49.15 C - RNN Guestbook Multiple Vulnerabilities
• 03.49.16 C - RemotelyAnywhere Autologon.HTML Cross-Site Scripting Vulnerability
• 03.49.17 C - Bitfolge Snif Downloads Directory Traversal Vulnerability
• 03.49.18 C - phpBB Search SQL Injection Vulnerability
• 03.49.19 C - PieterPost Unauthorized E-mail Account Access Vulnerability
• 03.49.20 C - CuteNews Debug Query Information Disclosure Weakness
• 03.49.21 C - VP-ASP Shopping Cart 5.0 multiple SQL Injection Vulnerabilities

Network Device

• 03.49.22 C - SNMP Trap Reveals WEP Key in Cisco Aironet Access Point

PART I Critical Vulnerabilities

[Compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description on the process may be found at http://www.sans.org/newsletters/cva/#process Archives at http://www.sans.org/newsletters/Table of Contents]

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 49, 2003

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3101 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that can not be scanned remotely.

• 03.49.1 CV - Not Available
• Platform: Third Party Windows Apps
• Title: Macromedia JRun Administrative Interface Multiple Cross-Site Scripting Vulnerabilities
• Description: Macromedia JRun includes a web-based administrative console which listens on TCP port 8000, several of the administration scripts are vulnerable to cross site scripting attacks.
• Ref: http://www.securityfocus.com/bid/9112

• 03.49.2 CV - CAN-2003-0970
• Platform: Third Party Windows Apps
• Title: Sun ONE Web Server Denial-of-Service Vulnerability
• Description: A vulnerability in the Sun ONE Web Server may be exploited to crash the web server. The web server exits unexpectedly with no error messages written to log files. This issue only affects the Sun ONE/iPlanet Web Server running on the Windows Platform.
• Ref: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57423& zone_32=category%3Asecurity

• 03.49.3 CV - Not Available
• Platform: Third Party Windows Apps
• Title: Yahoo! Messenger yauto.dll Buffer Overflow Vulnerability
• Description: yauto.dll contains a function named Open(String Url) that will cause a buffer overflow if argument Url is passed with a long string. Because it's an activeX component, the vulnerability can be exploited with a malicious web page that will execute code with the privileges of the browser user. Ref: http://www.securityfocus.com/archive/1/346343/2003-11-30/2003-12-06/0

• 03.49.4 CV - Not Available
• Platform: Mac Os
• Title: Apple MacOS X DHCP Response Root Compromise Vulnerability
• Description: A series of seemingly innocuous default settings can cause an affected Mac OS X machine to trust a malicious machine on a network for user, group, and volume mounting settings. Malicious DHCP response can grant root access.
• Ref: http://www.carrel.org/dhcp-vuln.html

• 03.49.5 CV - CAN-2003-0961
• Platform: Linux
• Title: Linux kernel do_brk() function integer overflow
• Description: A "flaw in bounds checking" in the do_brk function for Linux kernel 2.4.22 and earlier allows local users to gain root privileges.
• Ref: http://www.kb.cert.org/vuls/id/301156

• 03.49.6 CV - CAN-2003-0914
• Platform: Unix
• Title: ISC BIND Cache Poisoning Denial Of Service
• Description: It has been reported that BIND is vulnerable to an unspecified cache poisoning condition which may be exploited to perform a denial of service against legitemate users of the system.
• Ref: http://www.kb.cert.org/vuls/id/734644

• 03.49.7 CV - Not Available
• Platform: Unix
• Title: GNU Screen Escape Sequence Buffer Overrun Vulnerability
• Description: Screen is a virtual terminal application, it has been reported that escape sequences containing 2-gigabytes or more of semi-colons (;) will trigger a buffer overflow condition.
• Ref: http://www.securityfocus.com/archive/1/345844

• 03.49.8 CV - Not Available
• Platform: Unix
• Title: Traceroute Detection Tool Format String Vulnerability
• Description: Snosoft has reported that the detecttr.c utility is vulnerable to a format string issue which could potentially lead to the execution of arbitrary code with the privileges of the user who invoked the tool, usually root.
• Ref: http://www.securityfocus.com/archive/1/345842

• 03.49.9 CV - CAN-2003-0960
• Platform: Unix
• Title: OpenCA Signature Verification Vulnerabilities
• Description: Multiple flaws have been reported in OpenCA which cumulatively could cause a revoked or expired certificate to be accepted. This could present a serious security risk in situations where digital signatures are used to verify the authenticity of content or in access validation. The result of these issues is that a malicious party in possession of a revoked or expired certificate could possibly sign something that may verify, which can be abused to establish a false sense of trust, leading to a variety of other attacks.
• Ref: http://www.openca.org/news/CAN-2003-0960.txt

• 03.49.10 C - Not Available
• Platform: Cross Platform
• Title: GnuPG External HKP Format String Vulnerability
• Description: There exists a format string vulnerability in 'gpgkeys_hkp' utility which would allow a malicious keyserver in the worst case to execute an arbitrary code on the user's machine. The external HKP interface is not enabled by default in the GnuPG 1.2 stable branch but has been enabled in the 1.3 development branch.
• Ref: http://www.s-quadra.com/advisories/Adv-20031203.txt

• 03.49.11 C - Not Available
• Platform: Cross Platform
• Title: IBM Directory Server 4.1 Web Admin Gui (ldacgi.exe) XSS Vulnerability
• Description: IBM's Directory Server 4.1 Web Admin Gui is vulnerable to a cross-site scripting attack. The vulnerabiltiy exists in ldacgi.exe that does not validate the input regarding the script code. Ref: http://www.securityfocus.com/archive/1/346181/2003-11-30/2003-12-06/0

• 03.49.12 C - CAN-2003-0973
• Platform: Cross Platform
• Title: Apache mod_python Module Malformed Query Denial of Service Vulnerability
• Description: Apache's mod_python is a module which allows the web server to interpret Python scripts. Apache has reported that some versions of mod_python may be prone to denial of service attacks when handling malformed queries. The details regarding this vulnerability are currently unknown, however the vendor has stated that a remote user may be capable of crashing a vulnerable Apache server. Ref: http://www.modpython.org/pipermail/mod_python/2003-November/004005.html

• 03.49.13 C - Not Available
• Platform: Cross Platform
• Title: Surfboard Web Server File Disclosure Vulnerability
• Description: Surfboard is a freely available web server implementation for Unix/Linux variants. By submitting directory traversal sequences in a web request, it is possible to break out of the server root directory and browse the file system. A remote attacker may exploit this vulnerability to gain access to sensitive server-readable files on the system hosting the software.
• Ref: http://aluigi.altervista.org/adv/surfd-adv.txt

• 03.49.14 C - Not Available
• Platform: Web Application
• Title: My_eGallery Module Command Injection Vulnerability
• Description: A vulnerability has been identified in the handling of input by My_eGallery which may make it possible for a remote user to gain unauthorized access to a system using the vulnerable software.
• Ref: http://www.securityfocus.com/archive/1/345790

• 03.49.15 C - Not Available
• Platform: Web Application
• Title: RNN Guestbook Multiple Vulnerabilities
• Description: Multiple vulnerabilities have been reported to exist in the RNN Guestbook software that may permit remote command execution, unauthorized administrative access, information disclosure and HTML injection.
• Ref: http://www.securityfocus.com/archive/1/345845

• 03.49.16 C - Not Available
• Platform: Web Application
• Title: RemotelyAnywhere Autologon.HTML Cross-Site Scripting Vulnerability
• Description: RemotelyAnywhere is reported to be vulnerable to a cross-site scripting issue in the autologon.html, the authentication interface.
• Ref: http://www.securityfocus.com/bid/9120

• 03.49.17 C - Not Available
• Platform: Web Application
• Title: Bitfolge Snif Downloads Directory Traversal Vulnerability
• Description: Bitfolge snif has been reported vulnerable to a directory traversal issue, an attacker may browse data outside the web tree, exposing potentially sensitive informaiton to the attacker.
• Ref: http://www.securityfocus.com/bid/9121

• 03.49.18 C - Not Available
• Platform: Web Application
• Title: phpBB Search SQL Injection Vulnerability
• Description: A vulnerability has been reported to exist in search functionality that may allow a remote user to inject potentially malicious SQL commands into database queries.
• Ref: http://www.securityfocus.com/archive/1/345872

• 03.49.19 C - Not Available
• Platform: Web Application
• Title: PieterPost Unauthorized E-mail Account Access Vulnerability
• Description: PieterPost is a web interface application designed to allow remote users access to POP3 mailboxes. The vulnerability lies in the fact that no authentication is required when attempting to log in as the 'virtual' user. This could potentially allow an unauthorized person to make use of the interface for the purpose of sending "spoofed" e-mails. The affected login mechanism can allegedly be accessed by supplying the 'action=login' parameter to the pp.php script file.
• Ref: http://www.securityfocus.com/archive/1/345960

• 03.49.20 C - Not Available
• Platform: Web Application
• Title: CuteNews Debug Query Information Disclosure Weakness
• Description: CuteNews is a news management system implemented in PHP. An information disclosure weakness has been reported in CuteNews 1.3, that may expose sensitive server configuration data. The issue can be triggered by passing the debug parameter to the index.php script file. The parameter will be handled by carrying out a sequence of operations, which includes a call to phpinfo().
• Ref: http://www.securiteinfo.com/attaques/hacking/cutenews1_3.shtml

• 03.49.21 C - Not Available
• Platform: Web Application
• Title: VP-ASP Shopping Cart 5.0 multiple SQL Injection Vulnerabilities
• Description: VP-ASP is vulnerable to some SQL injection vulnerabilities that could be used to disclose sensitive information and could lead to gain administrative access to the installed VP-ASP Shopping Cart software or execute arbitrary commands on a target's system.
• Ref: http://www.s-quadra.com/advisories/Adv-20031128.txt

• 03.49.22 C - Not Available
• Platform: Network Device
• Title: SNMP Trap Reveals WEP Key in Cisco Aironet Access Point
• Description: Cisco Aironet Access Points running Cisco IOS software will send any static WEP key in the cleartext to the SNMP server if the snmp-server enable traps wlan-wep command is enabled. ( This command is disabled by default ) Ref: http://www.cisco.com/warp/public/707/cisco-sa-20031202-SNMP-trap.shtml

(c) 2003. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==END OF PART II==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2003. All rights reserved. No posting or reuse allowed, other that listed above, without prior written permission.