
@RISK: The Consensus Security Vulnerability Alert

Volume: III, Issue: 26
July 5, 2004

The new Internet Explorer patch appears to be too little, too late, as modified exploits have already been released that circumvent the patch. (Number 2 below)

MySQL users who employ phpMyAdmin quickly upgraded or worked around a flaw that allowed remote users to execute arbitrary code on web servers. (Number 4 below)

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Windows                      1 (#2)
    Other Microsoft Products     1 (#1)
    Third-Party Windows Apps     1 (#3)
    Linux                        2 (#5)
    HP-UX                        2 (#6)
    UNIX                         3
    Cross Platform               6 (#1)
    Web Application             13 (#4)
    Network Device               3 (#7)

******************** Security Training Update *************************

SANS largest Fall conference will be in Las Vegas this year - September 28 to October 6. The brochures started arriving last week. Network Security has seventeen immersion tracks and many special intense one day programs plus a big vendor expo.

http://www.sans.org/ns2004

***********************************************************************

Table Of Contents

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
    Widely Deployed Software
    Other Software
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Linux
    HP-UX
    Unix
    Cross Platform
    Web Application
    Network Device

PART I -- Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) MODERATE: Multiple Browsers Frame Injection Vulnerability
  • Affected:
    • Internet Explorer versions 5, 5.01 and 6
    • Opera version 7.5x
    • Mozilla version 1.6
    • Mozilla Firebird versions 0.7 and 0.8
    • Netscape version 7.1
    • Safari version 1.2.2
  • Description: An old vulnerability has been rediscovered in multiple browsers, including the widely used Internet Explorer. This vulnerability permits a malicious website to inject a "frame" into the browser window of another website. For example, content from http://www.malicious.com can be loaded into a frame of a window that is displaying content from http://www.msdn.com. A malicious webpage can exploit the flaw to pass itself off as a trusted site, which may lead to the theft of sensitive user information such as passwords, or to further compromise of the user's system. A proof-of-concept exploit has been publicly posted.

  • Status: Vendors have not confirmed, no patches available. Mozilla Firefox version 0.9 and Mozilla version 1.7 are reportedly not vulnerable.

  • Council Site Actions: Four of the reporting council sites are using the affected software. All sites are waiting for confirmation from the vendors before taking further action. In the meantime, they are doing additional analysis to determine the potential impact of the problem. If the vendors confirm the problem, most sites plan to roll out the patches during one of their regularly scheduled system update processes.

  • References:
Other Software
  • (3) HIGH: Cisco Collaboration Server Arbitrary File Upload
  • Affected:
    • Cisco Collaboration Server versions prior to 5.0
  • Description: Cisco Collaboration Server (CCS) provides solutions for interactive customer services as well as tools for e-commerce sales management. The server uses ServletExec, third-party software that provides Java servlets and Java Server Pages. Specifically, ServletExec's "UploadServlet" Java servlet can be invoked by a remote, unauthenticated attacker to upload any file to the CCS. The attacker can also invoke the uploaded file and possibly obtain administrative privileges on the server. The technical details required to exploit the flaw have been posted.

  • Status: Vendor confirmed, patches available.

  • Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:
  • (4) MODERATE: phpMyAdmin Remote PHP Code Injection
  • Affected: phpMyAdmin version 2.5.1 through 2.5.7
  • Description: phpMyAdmin, a PHP-based tool to manage MySQL databases, contains multiple vulnerabilities. An attacker can add an arbitrary MySQL server to the list of pre-configured SQL servers by issuing a specially crafted HTTP request. Further, if the "$cfg['LeftFrameLight']" variable is set to FALSE in the "config.inc.php" file (not the default configuration), an attacker may be able to execute arbitrary PHP code on the web server. To exploit the PHP code injection vulnerability, an attacker would first need to add a malicious server to the phpMyAdmin configuration, then issue an HTTP request that results in the phpMyAdmin server contacting the attacker-controlled server. The posted advisory shows how to craft the various HTTP requests and contains the exploit code that can be used to set up the malicious server.

  • Status: Vendor confirmed, upgrade to version 2.5.7-pl1. A workaround is to ensure that the firewall configuration does not permit the phpMyAdmin server to initiate outbound TCP connections.

  • Council Site Actions: Several sites were running the affected version of software. They have already upgraded to a corrected version.

  • References:
  • (5) MODERATE: MPlayer GUI Filename Handling Overflow
  • Affected:
    • All versions of MPlayer prior to 1.0pre4 compiled with GUI support
  • Description: MPlayer, a Linux movie player, reportedly contains a stack-based buffer overflow. The flaw is triggered when MPlayer attempts to open a media file with an overlong name. By enticing a user to visit a webpage or click a link in an email, an attacker can exploit this flaw to execute arbitrary code on the client system. An exploit has been publicly posted. Note that GUI support is enabled by default in MPlayer on some Red Hat and FreeBSD systems.

  • Status: Vendor confirmed. Version 1.0 pre5 will fix this overflow and other vulnerabilities that were discovered during the code review for fixing this bug.

  • Council Site Actions: Only one of the reporting council sites is running the affected software on 200-300 systems; however, the software is not supported by their central IT department. They don't have any straightforward way to determine which systems have an unpatched version of MPlayer installed and they think that exploitation of this vulnerability is relatively unlikely. Therefore, they don't plan any actions at this time.

  • References:
  • (6) MODERATE: HP-UX Multiple Vulnerabilities
  • Affected:
    • HP-UX B.11.11 running ObAM 5.0
    • HP-UX B.11.23, B.11.22, B.11.11, B.11.00 with Netscape
  • Description: HP has released two security bulletins regarding vulnerabilities in HP-UX systems. 1) The Netscape browser, which is bundled with HP-UX, contains multiple vulnerabilities that may be exploited by a remote attacker to execute arbitrary code on HP-UX client systems. HP is no longer supporting Netscape upgrades; hence, users are advised to migrate to the Mozilla web browser. 2) HP Object Action Manager (ObAM) is an HP internal tool that serves as the interface technology between the GUI and many system management applications. The version of the Apache server included with ObAM contains multiple vulnerabilities that may allow an attacker to compromise the server. Note that this Apache server provides the remote administration functionality for widely used HP software such as Servicecontrol Manager and Partition Manager. Limited technical details regarding the exact nature of the vulnerabilities have been posted.

  • Status: Vendor confirmed. A workaround for the ObAM vulnerability is to stop the Apache server. For further details, please refer to the HP advisories.

  • Council Site Actions: Several of the reporting council sites have HP-UX systems; however, they don't believe they are running the affected software. One site felt it was relatively unlikely that there would be any widespread exploit code targeting Netscape, and that widespread use of an Apache exploit against HP-UX was equally unlikely. Thus, they don't plan any action for this vulnerability.

  • References:
  • (7) LOW: Juniper Packet Forwarding Engine IPv6 DoS
  • Affected:
    • JunOS with Packet Forwarding Engine released after February 24, 2004
  • Description: All Juniper routers running JunOS contain a vulnerability in the processing of certain IPv6 packets. The Packet Forwarding Engine (PFE), which is responsible for forwarding packets to the router interfaces, leaks memory when handling specially crafted IPv6 packets. This can be exploited to exhaust the router's memory, which causes the router to reboot. Repeating the attack would cause an effective DoS against a Juniper router. Very limited technical details regarding how to exploit the flaw are publicly available.

  • Status: Vendor confirmed, patches available.

  • Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 26, 2004

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3515 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

  • 04.26.1 - CVE: Not Available
  • Platform: Linux
  • Title: FreeS/WAN Certificate Verification Vulnerability
  • Description: FreeS/WAN is an open-source IPSec VPN which implements X.509 certificate based authentication. FreeS/WAN is vulnerable to a certificate verification issue. A fake certificate could be used to authenticate to a FreeS/WAN VPN server.
  • Ref: http://lists.openswan.org/pipermail/dev/2004-June/000370.html

  • 04.26.2 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel IPTables Denial of Service
  • Description: The Linux kernel supports netfilter and iptables. It has been reported to be prone to a denial of service vulnerability. The issue exists due to failure in handling certain TCP packet header values. An attacker can send a malformed TCP packet to cause the iptables implementation to consume all CPU resources due to an infinite loop, denying service to legitimate users.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-06/0462.html

  • 04.26.3 - CVE: Not Available
  • Platform: HP-UX
  • Title: HP-UX ObAM WebAdmin Unauthorized Access
  • Description: HP-UX ObAM WebAdmin is reportedly vulnerable to an unauthorized access issue. This issue may allow a remote attacker to gain unauthorized access to a vulnerable computer. HP-UX version B.11.11 was reported to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/6901

  • 04.26.4 - CVE: Not Available
  • Platform: HP-UX
  • Title: HP-UX Netscape Web Browser Multiple Vulnerabilities
  • Description: The bundled Netscape browser that comes with HP-UX operating systems has been reported to be vulnerable to multiple attacks, such as denial of service, information disclosure, and potentially allowing remote attackers the ability to execute arbitrary code. Netscape for HP-UX versions B.11.00 through B.11.23 are reported vulnerable.
  • Ref: http://www5.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0202-182

  • 04.26.5 - CVE: Not Available
  • Platform: Unix
  • Title: popclient Buffer Overflow Vulnerability
  • Description: popclient is a tool for downloading mail messages from POP email servers. A buffer overflow has been found in its e-mail message handling functions. Successfully exploiting this vulnerability can cause a denial of service, and in some unique cases allow execution of arbitrary code.
  • Ref: http://www.grok.org.uk/advisories/popclient.html

  • 04.26.6 - CVE: Not Available
  • Platform: Unix
  • Title: GNATS syslog() Format String Vulnerability
  • Description: GNU GNATS is a bug tracking system. A format string vulnerability has been discovered in the GNATS package which could be exploited to execute arbitrary commands. GNU GNATS version 4.0 is known to be vulnerable.
  • Ref: http://www.zone-h.org/en/advisories/read/id=4889/

  • 04.26.7 - CVE: Not Available
  • Platform: Unix
  • Title: Pavuk Remote Buffer Overrun Vulnerability
  • Description: Pavuk is a Unix utility that is used to mirror file trees. Insufficient boundary checks in handling of HTTP status-code 305 data from the server exposes a stack-based memory corruption issue. Pavuk versions 0.9.28-r1 and earlier are affected.
  • Ref: http://www.gentoo.org/security/en/glsa/glsa-200406-22.xml

  • 04.26.8 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun JRE Denial of Service
  • Description: The Java Runtime Environment (JRE) is the virtual platform on which all Java applications are run. It is reported to be vulnerable to an assertion-failure denial of service. The issue exists due to a failure in the processing of exceptional conditions in font objects. JRE versions 1.4.1 through 1.4.2 are vulnerable; however, older versions may also be affected.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-06/0437.html

  • 04.26.9 - CVE: CAN-2004-0493
  • Platform: Cross Platform
  • Title: Apache 2 Memory Allocation Denial of Service
  • Description: Apache Web Server is vulnerable to a denial of service issue due to a failure in handling large HTTP header strings. Apache versions up to 2.0.49 are known to be vulnerable.
  • Ref: http://www.apache.org/dist/httpd/Announcement2.html

  • 04.26.10 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Browsers Cross-Domain Frame Loading
  • Description: Web browsers from multiple vendors are reportedly vulnerable to a cross-domain frame spoofing issue. A malicious site can render arbitrary HTML content into the victim's browser. The attacker could leverage this issue to steal sensitive information from the legitimate user.
  • Ref: http://secunia.com/advisories/11978/

  • 04.26.11 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MPlayer GUI Buffer Overflow
  • Description: MPlayer is a multimedia player application. The MPlayer GUI is vulnerable to a buffer overflow condition due to insufficient sanitization of user-supplied input strings. This issue could be leveraged to cause a denial of service condition or even arbitrary code execution. All versions of MPlayer are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/367301

  • 04.26.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ServletExec Unauthorized Access Vulnerability
  • Description: ServletExec is a Java web application server; however this issue is reported to only affect versions running on Windows 2000 and Windows NT. It has been reported that unauthorized users can upload arbitrary files and then execute the code within these files due to an access validation error.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20040630-CCS.shtml

  • 04.26.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Lotus Domino IMAP Quota Changing Vulnerability
  • Description: IBM Lotus Domino server is an e-mail server distributed by Lotus. IBM Lotus Domino is reported to improperly allow users to alter their own mail storage quota values. By issuing a "setquota" command to the mail server through an IMAP connection, the attacker may change the quota of the email account. Domino version 6.5.0 and 6.5.1 are reported vulnerable to this issue.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-06/0471.html

  • 04.26.14 - CVE: Not Available
  • Platform: Web Application
  • Title: PowerPortal Multiple Input Validation Vulnerabilities
  • Description: PowerPortal is a web portal system written in PHP. It has been reported that PowerPortal is subject to multiple input sanitization vulnerabilities allowing remote users to instigate cross-site scripting attacks, as well as perform information disclosure attacks. PowerPortal versions 1.1b through 1.3 are considered vulnerable.
  • Ref: http://www.swp-zone.org/archivos/advisory-07.txt

  • 04.26.15 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPMyFamily Authentication Bypass Vulnerability
  • Description: PHPMyFamily is a web-based genealogy application. It is reported to be vulnerable to an authentication bypass. The issue exists when the "register_globals" PHP configuration directive is enabled. This will grant the remote user the ability to edit the site content. PHPMyFamily versions 1.3 and prior are known to be vulnerable.
  • Ref: http://www.phpmyfamily.net/

  • 04.26.16 - CVE: Not Available
  • Platform: Web Application
  • Title: CuteNews Cross-Site Scripting Vulnerability
  • Description: CuteNews is a web-based news management system. Due to insufficient sanitization of user input, it is vulnerable to cross-site scripting issues in multiple scripts. This can be leveraged to steal authentication credentials from legitimate users. All versions of CuteNews are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/367289

  • 04.26.17 - CVE: Not Available
  • Platform: Web Application
  • Title: WebLogic Application Role Unauthorized Access Vulnerability
  • Description: WebLogic Server and WebLogic Express are vulnerable to a security bypass. This vulnerability can occur when a web application has specified a role named "*" in a "role-name" tag contained within a "security-constraint" tag. BEA has released a patch to fix this issue.
  • Ref: http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_64.00.jsp
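  A web.xml fragment, added here as an illustration and not taken from the BEA advisory, showing the wildcard role constraint described above beside an explicit role constraint. The URL pattern, resource name and "admin" role are made up, and the fragment assumes the surrounding web-app element and a login-config are already present.

```xml
<!-- Weak form: "*" in an auth-constraint means "any role declared for this
     application", which is exactly the constraint the advisory says can be
     bypassed on unpatched WebLogic. Resource name and URL pattern are hypothetical. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin pages</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

<!-- Hardened form: name the role explicitly and declare it with security-role,
     so only principals mapped to that role can reach the protected paths.
     "admin" is a hypothetical role name. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin pages</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>admin</role-name>
</security-role>
```

  Applying the vendor patch is still required; the explicit role only removes the wildcard that the bypass depends on.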

  • 04.26.18 - CVE: Not Available
  • Platform: Web Application
  • Title: i-mall.cgi Remote Command Execution
  • Description: i-mall.cgi is an e-commerce shopping cart system. Insufficient sanitization of user-supplied input allows a remote attacker to pass arbitrary shell commands to the vulnerable script. All current versions are reported to be vulnerable.
  • Ref: http://www.zone-h.org/advisories/read/id=4904

  • 04.26.19 - CVE: Not Available
  • Platform: Web Application
  • Title: Newsletter ZWS Administration Authentication Bypass
  • Description: Newsletter ZWS is a news and mailing list management application. It has been reported that its administrative interface is subject to an authentication bypass vulnerability in its "admin.php" script.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-06/0395.html

  • 04.26.20 - CVE: Not Available
  • Platform: Web Application
  • Title: SWSoft Confixx Backup Script Information Disclosure
  • Description: SWSoft Confixx is a control panel system for web sites, which is implemented in PHP. By issuing a malicious backup request, an attacker can download potentially sensitive information from the server. This information may aid the attacker in further attacks. SWSoft Confixx Pro Version 2 and 3 are vulnerable.
  • Ref: http://www.securitytracker.com/alerts/2004/Jun/1010584.html

  • 04.26.21 - CVE: Not Available
  • Platform: Web Application
  • Title: vBulletin Cross-Site Scripting Vulnerability
  • Description: vBulletin is a web-based bulletin board. Due to insufficient sanitization of user-supplied input, it is vulnerable to a cross-site scripting issue. This could allow for the theft of authentication credentials from legitimate users. All current versions of the application are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/11937/

  • 04.26.22 - CVE: Not Available
  • Platform: Web Application
  • Title: WebSoft HelpDesk PRO SQL Injection
  • Description: HelpDesk PRO is a web-based help desk application. Insufficient sanitization of user-supplied input in the login form exposes a SQL injection issue in the application. HelpDesk PRO versions 2.0 and earlier are affected.
  • Ref: http://www.zone-h.org/en/advisories/read/id=4891/

  • 04.26.23 - CVE: Not Available
  • Platform: Web Application
  • Title: Infinity WEB SQL Injection Vulnerability
  • Description: It has been revealed that Infinity WEB is subject to an SQL injection vulnerability due to insufficient sanitization of user supplied input in its login form. Infinity WEB version 1.0 has been reported as vulnerable.
  • Ref: http://www.zone-h.org/en/advisories/read/id=4892/

  • 04.26.24 - CVE: Not Available
  • Platform: Web Application
  • Title: Cart32 GetLatestBuilds Cross-Site Scripting
  • Description: Cart32 is a web-based shopping cart system. Insufficient sanitization of user-supplied input in the "cart32" parameter of the "GetLatestBuilds" script exposes a cross-site scripting issue. Cart32 versions 5.0 and earlier are affected.
  • Ref: http://www.securitytracker.com/alerts/2004/Jun/1010594.html

  • 04.26.25 - CVE: Not Available
  • Platform: Web Application
  • Title: csFAQ Path Disclosure
  • Description: CGIScript.net csFAQ is a web-based FAQ publishing system. It has been revealed that a remote user can disclose the installation path of csFAQ by supplying an invalid URL request to the csFAQ.cgi program. All current versions of csFAQ are vulnerable to this issue.
  • Ref: http://www.swp-zone.org/archivos/advisory-08.txt

  • 04.26.26 - CVE: Not Available
  • Platform: Web Application
  • Title: phpMyAdmin Code Injection Vulnerability
  • Description: phpMyAdmin is a web interface for MySQL administration. phpMyAdmin version 2.5.7 is vulnerable to a remote PHP code injection due to insufficient sanitization of user-supplied data in "config.inc.php".
  • Ref: http://eagle.kecapi.com/sec/fd/phpMyAdmin.html

  • 04.26.27 - CVE: Not Available
  • Platform: Network Device
  • Title: D-Link AirPlus DI-614+ Denial of Service
  • Description: The D-Link AirPlus DI-614+ is a wireless broadband router. When the device is flooded with specially crafted DHCP requests, the device consumes all available memory and will eventually reboot. DI-614+ with firmware revision 2.30 was reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-06/0430.html

  • 04.26.28 - CVE: Not Available
  • Platform: Network Device
  • Title: ZyXEL Prestige 650HW-31 Remote Denial of Service
  • Description: The ZyXEL Prestige 650HW-31 DSL router is reportedly vulnerable to a remote denial of service condition. This issue occurs due to insufficient boundary checks on user-supplied password strings. Using long password strings during authentication will cause the appliance to reset.
  • Ref: http://secunia.com/advisories/11984/

  • 04.26.29 - CVE: CAN-2004-0468
  • Platform: Network Device
  • Title: Juniper JUNOS IPv6 Denial of Service
  • Description: Juniper routers running JUNOS use a Packet Forwarding Engine (PFE) to forward packets to specified destinations. In certain situations the PFE fails to generate ICMPv6 responses to the ICMPv6 requests and the original IPv6 packet buffer is not released causing memory exhaustion. JUNOS PFE IPv6 released after February 24, 2004 is affected.
  • Ref: http://www.kb.cert.org/vuls/id/658859

(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.