
@RISK: The Consensus Security Vulnerability Alert

Volume: III, Issue: 27
July 12, 2004

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                        # of Updates & Vulnerabilities
    Other Microsoft Products         1
    Third Party Windows Apps         6 (#2)
    Linux                            1
    BSD                              1
    UNIX                             1
    Cross Platform                  12 (#1)
    Web Application                 11
    Network Device                   3

******************** Security Training Update *************************

Highlighted Security Training For This Week

SANS' largest Fall conference will be in Las Vegas this year, September 28 to October 6. The 400,000 brochures started arriving two weeks ago. Network Security has seventeen immersion tracks and many special, intense one-day programs, plus a big vendor expo.

http://www.sans.org/ns2004

***********************************************************************

Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Linux
BSD
Unix
Cross Platform
Web Application
Network Device

********************** SPONSORED LINKS ********************************

Note: these links may take you to non-SANS sites.

(1) PROPRIETARY INFORMATION? Would you know if proprietary information has left your network today? FREE WHITEPAPER http://www.sans.org/info.php?id=512

***********************************************************************

PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) MODERATE: MySQL Authentication Bypass Vulnerability
  • Affected:
    • MySQL versions 4.1.0, 4.1.1, 4.1.2 and early builds of version 5.0
  • Description: MySQL is a widely used, open-source database with a reported five million installations worldwide. It runs on a number of operating systems and is typically deployed as the back-end database for web applications. The software contains multiple vulnerabilities in its authentication module, specifically in the "check_scramble_323" function. By setting a particular value for the "client capability" flags, an attacker can obtain unauthorized access to the database by supplying a zero-length password. The attacker obtains the privileges of any user on the MySQL server, provided the user name is guessed correctly. The attacker can also trigger a stack-based buffer overflow by supplying an overlong password string; the overflow may be exploitable on some platforms to execute arbitrary code. Note that the flaws cannot be exploited with the standard MySQL clients; the attacker has to build a custom client. The technical details required to leverage the flaws, along with multiple exploits, have been publicly posted.

  • Status: Vendor confirmed. Upgrade to version 4.1.3 or a newer build of version 5.0. As a workaround, restrict access to the MySQL server port (3306/tcp) to trusted hosts only.

  • Council Site Actions: Four of the reporting council sites are running the affected software. One site is waiting for vendor updates for the products they use. The second site does not use MySQL widely and will patch its systems during the next regularly scheduled update cycle. The third site chose only to notify its system support group of the workarounds and let them decide how to proceed. The final site scanned its network for systems listening on port 3306 shortly after receiving the original advisory. Of the several hundred systems found running MySQL, only a handful were running an affected version; the administrators of those systems were advised to move to a non-vulnerable version. A large fraction of the systems were Linux hosts running a Red Hat distribution, which ships version 3.23.*. Some of the vulnerable systems will be addressed by downgrading from 4.1.* to 3.23.* so that they can resume using the patch process provided by the operating-system vendor.

  • References:
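The last council site's approach, scanning for port 3306 and checking the version of whatever answers, can be automated from the server's greeting: a MySQL server sends its version string in the first packet, before any authentication takes place. The C program below is an added example written for this bulletin, not a council site's or vendor's tool. It parses a constructed greeting packet and classifies the version against the ranges given in item (1); in practice you would feed it the first bytes read from a TCP connection to port 3306. The sample bytes, the function names and the treatment of 5.0 builds later than 5.0.0 (flagged for manual review, since the item says only "early builds") are assumptions of the example; the packet layout (3-byte little-endian length, sequence byte, protocol version byte, NUL-terminated version string) and the 0xff marker of an error packet come from the MySQL client/server protocol.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the first packet a 4.1.2 server sends on connect.
 * 4-byte header (3-byte little-endian length, 1-byte sequence number), then
 * protocol version byte 10, a NUL-terminated version string, and the rest of
 * the greeting, which is filler here because the parser does not read it. */
static const unsigned char sample_greeting[] = {
    0x1c, 0x00, 0x00, 0x00,                        /* length 28, sequence 0 */
    0x0a,                                          /* protocol version 10 */
    '4', '.', '1', '.', '2', '-', 'a', 'l', 'p', 'h', 'a', 0x00,
    0x2a, 0x00, 0x00, 0x00,                        /* thread id */
    'h', 'e', 'l', 'l', 'o', 'w', 'o', 'r', 0x00,  /* challenge + NUL */
    0x2c, 0xa2                                     /* capability flags */
};

/* Constructed sample: what a server sends instead when the connecting host is
 * not allowed. The payload starts with 0xff (error marker) and an error code. */
static const unsigned char sample_error[] = {
    0x07, 0x00, 0x00, 0x00, 0xff, 0x6a, 0x04, 'H', 'o', 's', 't'
};

/* Copies the server version string out of a greeting packet.
 * Returns 0 on success, -2 if the server answered with an error packet,
 * -1 if the data is truncated or not a protocol-10 greeting. */
int parse_greeting_version(const unsigned char *buf, size_t len,
                           char *out, size_t outlen)
{
    if (len < 5)
        return -1;
    size_t pkt_len = (size_t)buf[0] | ((size_t)buf[1] << 8) | ((size_t)buf[2] << 16);
    if (pkt_len < 2 || pkt_len + 4 > len)
        return -1;                                 /* truncated read */
    const unsigned char *p = buf + 4, *end = p + pkt_len;
    if (*p == 0xff)
        return -2;                                 /* ERR packet, no greeting */
    if (*p != 10)
        return -1;                                 /* 3.23 through 5.0 all speak protocol 10 */
    p++;
    const unsigned char *nul = memchr(p, 0, (size_t)(end - p));
    if (nul == NULL)
        return -1;                                 /* version string not terminated */
    size_t vlen = (size_t)(nul - p);
    if (vlen + 1 > outlen)
        return -1;
    memcpy(out, p, vlen);
    out[vlen] = '\0';
    return 0;
}

typedef enum { NOT_AFFECTED = 0, AFFECTED = 1, CHECK_MANUALLY = 2 } verdict_t;

/* Classifies a version string against the ranges given in item (1) above.
 * 4.1.0 to 4.1.2 are affected; 5.0.0 is treated as one of the "early builds"
 * of 5.0 and any later 5.0 build is left for manual comparison with the
 * vendor's fixed build (an assumption of this example, since the item gives
 * no exact 5.0 number). 3.23.x and 4.0.x are not listed as affected. */
verdict_t classify_version(const char *version)
{
    int major, minor, patch;
    if (sscanf(version, "%d.%d.%d", &major, &minor, &patch) != 3)
        return CHECK_MANUALLY;
    if (major == 4 && minor == 1)
        return patch <= 2 ? AFFECTED : NOT_AFFECTED;
    if (major == 5 && minor == 0)
        return patch == 0 ? AFFECTED : CHECK_MANUALLY;
    return NOT_AFFECTED;
}

int main(void)
{
    char version[64];
    int rc = parse_greeting_version(sample_greeting, sizeof sample_greeting,
                                    version, sizeof version);
    if (rc == 0)
        printf("server version %s: %s\n", version,
               classify_version(version) == AFFECTED ? "AFFECTED" : "not affected / check");
    rc = parse_greeting_version(sample_error, sizeof sample_error, version, sizeof version);
    printf("filtered host sample: rc=%d (error packet, host-based access control in place)\n", rc);
    return 0;
}
```

A host that already restricts port 3306 by source address answers with the error packet rather than a greeting; the parser reports that case separately, which is worth recording in the scan output because it means the workaround recommended in the Status line is in place for that server.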
Other Software
  • (2) MODERATE: Mozilla shell: URI Handler Vulnerability
  • Affected:
    • Only Windows installations of:
    • Mozilla version prior to 1.7.1
    • Firefox version prior to 0.9.2
    • Thunderbird version prior to 0.7.2
  • Description: The Mozilla project's Mozilla and Firefox web browsers and its Thunderbird email client for Windows contain a vulnerability in the handling of "shell:" URIs. A malicious web page or HTML email can launch any executable present on the client system via a specially crafted "shell:" URI. Note that arbitrary command-line arguments cannot be passed to the launched executable, which limits what an attacker can do on the client system. A second attack vector has also been discussed: the "shell:" URL handler invokes different applications based on the file extension (for example, a "shell:my.mp3" URL launches the media player), and it may be possible to trigger a buffer overflow in some of those applications by passing an overlong filename. It is reported that a URL of the form "shell:AAA (over 221 characters).grp" triggers a buffer overflow in "grpconv.exe". Such overflows may be exploitable to execute arbitrary code on the client system. The technical details required to exploit the vulnerability have been posted.

  • Status: Vendor confirmed, patches available. Upgrade to Mozilla 1.7.1, Firefox 0.9.2 or Thunderbird 0.7.2. It is worth noting that the Mozilla project fixed the problems within a day of their being reported.

  • Council Site Actions: We were unable to solicit council site input for this item.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 27, 2004

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3528 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 04.27.1 - CVE: CAN-2004-0549
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Script Execution
  • Description: Microsoft Internet Explorer is affected by a security weakness in the "Shell.Application" object that may allow malicious HTML documents to execute script code. All current versions are affected.
  • Ref: http://www.kb.cert.org/vuls/id/713878

  • 04.27.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Lotus Domino Server Remote Denial of Service
  • Description: Lotus Domino Server is a suite of collaborative software tools. It has been reported that Lotus Domino Server is vulnerable to a denial of service attack. The issue is triggered when a specially crafted email is viewed through the web interface: the server attempts to decode the malicious content, hits an unhandled exception and crashes.
  • Ref: http://www.securityfocus.com/archive/1/367761

  • 04.27.3 - CVE: CAN-2004-0577, CAN-2004-0578
  • Platform: Third Party Windows Apps
  • Title: WinGate Information Disclosure
  • Description: Qbik WinGate is an Internet connection sharing proxy server. Improper sanitization of the "/" character in the user-supplied URL exposes an information disclosure issue. WinGate version 5.2.3 build 901 and version 6.0 beta 2 build 942 are affected.
  • Ref: http://www.idefense.com/application/poi/display?id=113&type=vulnerabilities&flashstatus=true

  • 04.27.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Easy Chat Server Multiple Denial of Service Vulnerabilities
  • Description: Easy Chat Server is a web-based chat application for Windows. It is reported to be vulnerable to a denial of service condition. The issue exists due to insufficient boundary checking of the "username" parameter and the number of logins per chat room. Easy Chat Server versions 1.0, 1.1 and 1.2 are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-07/0013.html

  • 04.27.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Fastream NetFile Directory Traversal
  • Description: Fastream NetFile is an FTP and HTTP server implementation for Windows. The server is reported to be vulnerable to a directory traversal issue. Due to insufficient sanitization of user-supplied data, an attacker can create, view and delete arbitrary files outside the web root. Fastream NetFile FTP/Web server versions 6.7.2.1085 and earlier are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-07/0037.html

  • 04.27.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Mozilla Arbitrary File Execution
  • Description: Windows versions of Mozilla products pass URIs using the "shell:" scheme to the operating system. It is possible to launch executables in known locations or trigger the default handlers for file extensions. Mozilla version 1.7.1, Firefox version 0.9.2 and Thunderbird version 0.7.2 have been released to fix this issue.
  • Ref: http://mozilla.org/security/shell.html

  • 04.27.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Symantec Norton Antivirus Denial of Service
  • Description: Symantec Norton Antivirus is reported to be vulnerable to a denial of service condition. The issue exists when the antivirus product scans a compressed archive that contains a malicious executable in each of 49647 or more directories. Norton Antivirus 2003 and 2002 are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-07/0089.html

  • 04.27.8 - CVE: CAN-2004-0497
  • Platform: Linux
  • Title: Linux Kernel Group Ownership Vulnerability
  • Description: It is reported that the Linux kernel version 2.6 contains a flaw which allows users to improperly change the group ownership on arbitrary files. The issue is only exposed when the kernel NFS server is active. A remote user may be able to modify the ownership information of the files inside the "proc" directory.
  • Ref: http://www.suse.de/de/security/2004_20_kernel.html

  • 04.27.9 - CVE: CAN-2004-0640
  • Platform: BSD
  • Title: SSLTelnetd Remote Syslog Format String Vulnerability
  • Description: SSLTelnetd is a utility that implements the telnet protocol over SSL. Insufficient sanitization in the "syslog()" call made from the "SSL_set_verify()" function exposes a format string issue. SSLTelnetd versions 0.13-1 and earlier are affected.
  • Ref: http://www.idefense.com/application/poi/display?id=114&type=vulnerabilities

  • 04.27.10 - CVE: Not Available
  • Platform: Unix
  • Title: PureFTPd Remote Denial of Service
  • Description: PureFTPd is an FTP server based on Troll-FTPd. Due to an issue in the "accept_client()" function, an attacker can cause a denial of service to legitimate users. PureFTPd versions 1.0.18 and earlier are affected.
  • Ref: http://www.gentoo.org/security/en/glsa/glsa-200407-04.xml

  • 04.27.11 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Qualcomm Eudora MIME Attachment Spoofing
  • Description: The Eudora email client is reportedly vulnerable to a MIME attachment spoofing issue. A user of Eudora could potentially be tricked into unknowingly sending sensitive files as attachments to forwarded email. This issue was reported for version 6.1.2 of Eudora.
  • Ref: http://www.securityfocus.com/archive/1/368157

  • 04.27.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Dr. Web Unspecified Buffer Overflow Vulnerability
  • Description: Dr. Web is antivirus software. It has been reported that an unspecified buffer overflow vulnerability exists in the "scanMail" function. Version 4.31.4 is known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/10628/info/

  • 04.27.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Ethereal iSNS, SMB and SNMP Vulnerability
  • Description: Ethereal is a network protocol analyzer. Insufficient sanitization of malformed iSNS, SMB and SNMP packets can lead to memory corruption and subsequent denial of service. Ethereal version 0.10.5 has been released to address this issue.
  • Ref: http://www.ethereal.com/appnotes/enpa-sa-00015.html

  • 04.27.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: AppWeb HTTP Server Multiple Vulnerabilities
  • Description: Mbedthis Software AppWeb HTTP Server is an embedded web server solution. It is reportedly vulnerable to multiple security issues including unauthorized access to restricted web pages and the ability to view the source code of web CGI scripts. Mbedthis Software AppWeb HTTP Server versions 1.1.2 and prior were reported to be vulnerable.
  • Ref: http://www.mbedthis.com/products/appWeb/doc/newFeatures.html

  • 04.27.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Websphere Edge Server Denial of Service
  • Description: IBM Websphere Edge Server is reportedly vulnerable to a denial of service condition in the "Caching Proxy" component. When configured in a certain way, the proxy crashes while processing a specially crafted HTTP GET request. The vendor has released a patch to address this issue.
  • Ref: http://www.securityfocus.com/archive/1/368496

  • 04.27.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MySQL Authentication Bypass Vulnerability
  • Description: MySQL database server is vulnerable to an authentication bypass issue. When zero-length password strings are used in authentication packets, an application logic error is exposed that leads to successful authentication. This issue is known to exist in MySQL 4.1 (beta) releases prior to version 4.1.3 and MySQL 5.0 (alpha).
  • Ref: http://www.nextgenss.com/advisories/mysql-authbypass.txt

  • 04.27.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MySQL Password Length Remote Buffer Overflow
  • Description: MySQL is vulnerable to a remotely exploitable stack-based buffer overflow. Insufficient sanitization of the password length parameter in the client authentication packet exposes this issue. MySQL version 4.1 releases prior to 4.1.3 and MySQL version 5.0 are affected.
  • Ref: http://www.nextgenss.com/advisories/mysql-authbypass.txt
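The two MySQL entries above, and item (1) in Part I, describe one pair of flaws in the 3.23-style scramble check: a zero-length password is accepted, and an overlong password overruns a stack buffer. The C program below is an added illustration written for this bulletin, not MySQL's source code: it models the shape of the flawed check in simplified form, with a toy keystream standing in for MySQL's random-number based scramble, and places a hardened version beside it. The function names, the 16-byte local buffer and the hash and challenge values are choices made for the example; the 8-byte length of the old-style scramble is taken from the MySQL 3.23 protocol.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCRAMBLE_LENGTH_323 8   /* length of the pre-4.1 ("3.23") scramble */

/* Toy keystream standing in for MySQL's random-number based scramble.
 * Assumption of this example, not the real algorithm; bytes are never NUL. */
static unsigned char next_byte(uint32_t *seed)
{
    *seed = *seed * 1103515245u + 12345u;
    return (unsigned char)(64 + ((*seed >> 16) % 31));
}

/* What a legitimate old-protocol client sends: SCRAMBLE_LENGTH_323 keystream
 * bytes derived from the stored password hash and the server's challenge. */
void client_response_323(uint32_t hash_pass, uint32_t challenge,
                         char out[SCRAMBLE_LENGTH_323 + 1])
{
    uint32_t seed = hash_pass ^ challenge;
    for (int i = 0; i < SCRAMBLE_LENGTH_323; i++)
        out[i] = (char)next_byte(&seed);
    out[SCRAMBLE_LENGTH_323] = '\0';
}

/* Model of the flawed check. Returns 0 for "password OK", 1 for "wrong".
 * The string comes straight from the client's authentication packet. */
int vulnerable_check_323(const char *scrambled, uint32_t hash_pass,
                         uint32_t challenge)
{
    char buff[16];                 /* fixed-size stack buffer */
    char *to = buff;
    uint32_t seed = hash_pass ^ challenge;

    /* Flaw 1: one byte is written into buff per byte of client input, with no
     * bound on strlen(scrambled). Anything past 16 bytes overwrites the stack
     * (the overlong-password overflow). Do not call this with a long string. */
    for (const char *pos = scrambled; *pos; pos++)
        *to++ = (char)next_byte(&seed);

    /* Flaw 2: the comparison runs for as many bytes as the client chose to
     * send. A zero-length password never enters the loop and is accepted. */
    to = buff;
    while (*scrambled) {
        if (*scrambled++ != *to++)
            return 1;
    }
    return 0;
}

/* Hardened check: validate the length before touching any buffer, then
 * compare exactly SCRAMBLE_LENGTH_323 bytes without an early exit. */
int hardened_check_323(const char *scrambled, size_t scrambled_len,
                       uint32_t hash_pass, uint32_t challenge)
{
    char expect[SCRAMBLE_LENGTH_323 + 1];
    unsigned char diff = 0;

    if (scrambled_len != SCRAMBLE_LENGTH_323)   /* rejects empty and overlong */
        return 1;
    client_response_323(hash_pass, challenge, expect);
    for (size_t i = 0; i < SCRAMBLE_LENGTH_323; i++)
        diff |= (unsigned char)(scrambled[i] ^ expect[i]);
    return diff != 0;
}

int main(void)
{
    const uint32_t hash_pass = 0x5eed1234u, challenge = 0x0badf00du;  /* constructed values */
    char good[SCRAMBLE_LENGTH_323 + 1];

    client_response_323(hash_pass, challenge, good);
    printf("vulnerable, empty password:  %s\n",
           vulnerable_check_323("", hash_pass, challenge) == 0 ? "ACCEPTED" : "rejected");
    printf("hardened,   empty password:  %s\n",
           hardened_check_323("", 0, hash_pass, challenge) == 0 ? "ACCEPTED" : "rejected");
    printf("hardened,   real response:   %s\n",
           hardened_check_323(good, strlen(good), hash_pass, challenge) == 0 ? "ACCEPTED" : "rejected");
    return 0;
}
```

The point of the hardened version is that the length check happens before any buffer is written and the comparison length is fixed by the server, not by the client; the client's capability flags only choose which check runs, so the same discipline is needed on every authentication path the server offers.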

  • 04.27.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Symantec Brightmail Information Disclosure
  • Description: Symantec Brightmail anti-spam is reported to be vulnerable to an unauthorized message disclosure issue. A remote attacker can access arbitrary emails by providing a valid value for the "id" parameter of the "viewMsgDetails.do" script. Symantec Brightmail anti-spam version 6.0 is reported to be vulnerable.
  • Ref: http://secunia.com/advisories/12010/

  • 04.27.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: 12Planet Chat Server Cross-Site Scripting
  • Description: 12Planet Chat Server is a web-based Java chat application. 12Planet Chat Server version 2.9 is vulnerable to a cross-site scripting issue due to insufficient sanitization of the "page" argument in the "one2planet.infolet.InfoServlet" servlet.
  • Ref: http://www.autistici.org/fdonato/advisory/12PlanetChatServer2.9-adv.txt

  • 04.27.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Vendor Internet Browser Weaknesses
  • Description: Internet browsers from multiple vendors are reportedly vulnerable to a weakness that allows users to commit unintentional actions. By predicting or influencing user clicks, malicious sites can trick users into clicking on pop-up dialog boxes. This could be used to install ActiveX adware/malware objects on the user's machine.
  • Ref: http://bugzilla.mozilla.org/show_bug.cgi?id=162020

  • 04.27.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Unreal IRCD IP Address Disclosure
  • Description: Unreal ircd is a popular IRC server. Due to a weakness in the algorithm used to cloak IP addresses in "cloak.c", an attacker can disclose a user's IP address. Unreal ircd versions 3.2 and earlier are vulnerable.
  • Ref: http://www.bandecon.com/advisory/unreal.txt

  • 04.27.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Web Browser Address Bar URL Spoofing
  • Description: The Opera web browser is vulnerable to an address bar spoofing issue. This allows an attacker to manipulate the URL displayed in the address bar when the browser renders a malicious web page. Opera web browser version 7.52 is reported to be vulnerable.
  • Ref: http://secunia.com/advisories/12028/

  • 04.27.23 - CVE: Not Available
  • Platform: Web Application
  • Title: jaws Directory Traversal
  • Description: jaws is a content management system for building dynamic web sites. jaws is vulnerable to a directory traversal issue due to insufficient user-input sanitization in the "gadget" parameter of the "index.php" script. jaws version 0.3 is known to be vulnerable.
  • Ref: http://www.jaws.com.mx/index.php?gadget=blog&action=single_view&id=8

  • 04.27.24 - CVE: Not Available
  • Platform: Web Application
  • Title: Open WebMail Remote Command Execution
  • Description: Open WebMail is a web mail application written in Perl. Open WebMail is vulnerable to a remote code execution issue in the "vacation.pl" script. All versions of Open WebMail released before June 29, 2004 are vulnerable.
  • Ref: http://sourceforge.net/forum/message.php?msg_id=2640281

  • 04.27.25 - CVE: Not Available
  • Platform: Web Application
  • Title: Netegrity IdentityMinder Cross-Site Scripting Vulnerabilities
  • Description: Netegrity IdentityMinder allows management of user account information. Due to insufficient sanitization of user-supplied input, it is vulnerable to multiple cross-site scripting issues. These can be used to steal cookie-based authentication credentials from legitimate users. This issue was reported for the Netegrity IdentityMinder WebEdition 5.x series.
  • Ref: http://secunia.com/advisories/12000/

  • 04.27.26 - CVE: Not Available
  • Platform: Web Application
  • Title: SCI Photo Chat Server Cross-Site Scripting
  • Description: SCI Java Photo Chat Server supports multimedia pictures, sounds, and videos. It is vulnerable to a cross-site scripting issue due to insufficient user-input sanitization. Version 3.4.9 is known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/367863

  • 04.27.27 - CVE: Not Available
  • Platform: Web Application
  • Title: Centre Online School Software Multiple Vulnerabilities
  • Description: Centre is a free student management web application for schools. Centre is vulnerable to multiple issues such as arbitrary file include, sql injection and directory traversal. Centre version 1.0 is known to be vulnerable.
  • Ref: http://lists.netsys.com/pipermail/full-disclosure/2004-July/023416.html

  • 04.27.28 - CVE: Not Available
  • Platform: Web Application
  • Title: Nguyen Guestbook BBCode HTML Injection
  • Description: Tri Dung Nguyen Guestbook is a web-based guestbook application. Due to insufficient user-input sanitization in the BBCode implementation, an attacker could inject malicious HTML code into the web site. Guestbook version 1.25 is known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/10665

  • 04.27.29 - CVE: Not Available
  • Platform: Web Application
  • Title: Open WebMail Email Header HTML Injection
  • Description: Open WebMail is reported to be vulnerable to an email header HTML injection issue. This issue is due to a failure of the application to properly sanitize user-supplied email header strings. OpenWebmail versions 2.32 and prior are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/11778/

  • 04.27.30 - CVE: Not Available
  • Platform: Web Application
  • Title: IlohaMail HTML Injection
  • Description: IlohaMail is a webmail package. Insufficient sanitization of the "Content-Type" header field exposes an HTML injection issue. IlohaMail versions 0.8.12 and earlier are affected.
  • Ref: http://xforce.iss.net/xforce/xfdb/16285

  • 04.27.31 - CVE: Not Available
  • Platform: Web Application
  • Title: BasiliX Webmail Email Header HTML Injection
  • Description: BasiliX is a web-based mail application. It is reported to be vulnerable to email header HTML injection due to insufficient sanitization of email headers. An attacker can exploit this issue to gain access to an unsuspecting user's cookie-based authentication credentials. BasiliX versions 1.1.0 and 1.1.1 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/10666

  • 04.27.32 - CVE: Not Available
  • Platform: Web Application
  • Title: Comersus Cart Multiple Vulnerabilities
  • Description: Comersus Cart is an ASP-based e-commerce shopping cart application. Insufficient sanitization of user-supplied input in the "message" parameter of certain scripts exposes a cross-site scripting issue. These scripts are vulnerable: "store/comersus_customerAuthenticateForm.asp", "backofficeLite/comersus_backoffice_message.asp" and "store/comersus_supportError.asp". Comersus Cart version 5.09 is affected.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-07/0068.html


  • 04.27.34 - CVE: Not Available
  • Platform: Network Device
  • Title: Zoom 5560 X3 Modem Backdoor
  • Description: Zoom 5560 X3 Ethernet ADSL modem is reported to contain a default backdoor account. This account can be accessed by TCP port 254 with the password "DEFAULT".
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-07/0061.html

  • 04.27.35 - CVE: Not Available
  • Platform: Network Device
  • Title: Enterasys XSR Router Denial of Service
  • Description: Enterasys XSR router family has firewall, VPN and standard router capabilities built in. When these devices process packets with the IP record route option, they will reportedly crash. The XSR-1800 series of routers with firmware version 7.0.0.0 are affected.
  • Ref: http://www.enterasys.com/support/security/incidents/2004/07/11036.html

  • 04.27.36 - CVE: Not Available
  • Platform: Network Device
  • Title: Nokia 3560 Handset Text Message Denial of Service
  • Description: Nokia 3560 handset is reported to be vulnerable to a remote denial of service condition. The issue is triggered when a specially crafted text message is sent to the device.
  • Ref: http://seclists.org/lists/fulldisclosure/2004/Jul/0350.html

(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.