
@RISK: The Consensus Security Vulnerability Alert

Volume: III, Issue: 28
July 19, 2004

An enormous number of Windows flaws this week require rapid action, as does a PHP vulnerability that affects a large fraction of Apache web servers.

A note for those of you who are considering earning a CISSP credential. We have found the two most effective CISSP instructors in the United States. One of them has an extraordinary record of 97.2% passing rate by his students on their *first* try. The second teacher has a record exceeding 90%. We are going to be offering several immersion classes for people seeking CISSP, but once people learn how good they are, they'll all be full. This is an advance notice for @RISK readers to give you and your coworkers a chance to sign up early. The first two are scheduled for Washington DC July 26-31 ( http://www.sans.org/washingtondc04/description.php?tid=13 ) and Las Vegas September 29- August 4 ( http://www.sans.org/ns2004/description.php?tid=61 ). We are also scheduling in-house classes if you have 25 folks who want to master the common body of knowledge tested in the CISSP exam. http://www.sans.org/onsite/

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                      # of Updates & Vulnerabilities
    Windows                       2 (#1, #3)
    Other Microsoft Products      10 (#2, #5, #6, #8)
    Third-Party Windows Apps      5 (#7)
    MacOS                         2 (#9)
    Linux                         1
    Cross Platform                7
    Web Application               9 (#4)

************ The Most Useful Security Webcasts **************************

SANS "What Works" Webcasts take you inside leading organizations to learn what actually works in important areas of information security.

Your next opportunity to attend is Wednesday, July 28 at 1:00 PM EST (1700 UTC) where you'll hear from Los Alamos National Laboratory Senior Security Analyst Paul Criscuolo on how the lab found a very effective solution to the Intrusion Prevention problem. SANS' Director of Research Alan Paller will interview Paul and then you'll have a chance to ask questions as well.

Intrusion prevention is one of the most important technologies that every organization should be implementing or evaluating. This webcast can save you time and help you avoid mistakes.

Register at www.sans.org/webcasts

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Microsoft Office
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
Cross Platform
Web Application
PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Microsoft Task Scheduler Buffer Overflow
  • Affected:
    • Windows 2000/XP
    • Internet Explorer version 6.0
  • Description: The Microsoft Task Scheduler (mstask.dll) allows a user or an administrator to schedule a task (certain commands) to be run at a specific time on a Windows system. The Task Scheduler stores the task information such as the command name in a ".job" file. The scheduler contains a stack-based buffer overflow that can be triggered by an overlong command in the .job file. An attacker can exploit this flaw by creating a specially crafted .job file in a shared folder, and enticing a client (via email or webpage) to browse the folder. Successful exploitation will result in the execution of arbitrary code on the client system with the privileges of the currently logged-on user. The exploit code has been publicly posted.

  • Status: Microsoft confirmed, patches available. Blocking ports 139/tcp and 445/tcp at the network perimeter will prevent access to the remote network shares.

  • Council Site Actions: All reporting council sites are responding to this vulnerability. Some sites have already completed the deployment of the patch; others are in the process of deploying the patch. The remaining few sites plan to deploy the patch during their next regularly scheduled systems update process. Some sites commented they are blocking 139/tcp and 445/tcp at their network perimeter control points. Several sites also said they have recently begun blocking various filenames and extensions (like .job) at their proxy servers.

  • References:
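As an added illustration of the proxy-side extension blocking the council sites mention above (this is not code from the newsletter or from any council site), the following Python filter decides whether a download should be refused based on the URL path and on the filename in a Content-Disposition header. It normalises the name the way a Windows client would act on it (percent-decoding, truncating at a NUL byte, dropping trailing dots and spaces, ignoring case), so disguised variants such as "task.job%00.txt" are caught as well. The blocked-extension list and the sample requests are constructed for this example.

```python
# Added example: proxy-side blocking of downloads by file extension.
# Not code from the @RISK newsletter or any council site; the blocked
# extension list and the sample inputs below are constructed for illustration.
from typing import Optional
from urllib.parse import unquote, urlsplit

# Extensions the proxy refuses (constructed policy: ".job" is the Task
# Scheduler file type, ".chm" the compiled help file type from item 3).
BLOCKED_EXTENSIONS = {".job", ".chm"}


def normalize_filename(raw: str) -> str:
    """Reduce a path or filename to the name a Windows client would act on."""
    name = unquote(raw)                       # %2E -> '.', %00 -> NUL, etc.
    name = name.split("\x00", 1)[0]           # C-string semantics: stop at the first NUL
    name = name.replace("\\", "/").rsplit("/", 1)[-1]  # keep only the last path segment
    return name.rstrip(". ").lower()          # Windows ignores trailing dots and spaces


def filename_from_content_disposition(header: Optional[str]) -> Optional[str]:
    """Pull the filename="..." parameter out of a Content-Disposition header."""
    if not header:
        return None
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key.strip().lower() == "filename":
            return value.strip().strip('"')
    return None


def should_block(url: str, content_disposition: Optional[str] = None) -> bool:
    """True if the URL path or the served filename ends in a blocked extension."""
    candidates = [urlsplit(url).path]
    served_name = filename_from_content_disposition(content_disposition)
    if served_name:
        candidates.append(served_name)
    return any(
        normalize_filename(candidate).endswith(ext)
        for candidate in candidates
        for ext in BLOCKED_EXTENSIONS
    )


if __name__ == "__main__":
    # Constructed sample requests: a plain .job, a NUL-disguised .job, a
    # harmless URL whose Content-Disposition renames it, and a benign file.
    samples = [
        ("http://fileserver.example/share/task.job", None),
        ("http://fileserver.example/share/task.job%00.txt", None),
        ("http://fileserver.example/share/report.pdf", 'attachment; filename="notes.JOB"'),
        ("http://fileserver.example/share/readme.txt", None),
    ]
    for url, disposition in samples:
        verdict = "BLOCK" if should_block(url, disposition) else "ALLOW"
        print(verdict, url, disposition or "")
```

The check is deliberately applied to both the URL and the Content-Disposition name, because a proxy that looks only at the URL is bypassed by a server that renames the file on delivery; a real deployment would also want to inspect the response body type, which this example does not do.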
  • (3) MODERATE: Windows HTML Help Remote Code Execution
  • Affected:
    • Windows 2000/XP/2003
    • Windows NT with Internet Explorer 5.5 or 6.0
  • Description: The Microsoft Security Bulletin MS04-023 fixes two vulnerabilities in the HTML Help application (hh.exe). (a) The HTML application does not properly validate a compiled help file (CHM). This allows a file with any extension to be launched as a help file by using the "showHelp" method. For more details regarding this vulnerability please refer to a previous issue of the @RISK newsletter. Note that the exploit code has been publicly available since January 2004. (b) The HTML application does not validate the length parameters declared in a CHM file. A specially crafted CHM file can exploit this flaw to trigger a heap-based buffer overflow. The flaw can be exploited to execute arbitrary code with the privileges of the user viewing the malicious CHM file. In order to exploit the flaw, an attacker has to place the malicious file on the victim's system either by enticing the victim to download the file, or by exploiting other IE vulnerabilities. Limited technical details regarding how to trigger the overflow have been posted.

  • Status: Vendor confirmed, patches available.

  • Council Site Actions: All council sites are responding to this vulnerability in a similar fashion as item 1 above.

  • References:
  • (4) MODERATE: PHP memory_limit Remote Code Execution
  • Affected:
    • PHP version 4.3.7 and prior
    • PHP5 version 5.0.0RC# and prior
  • Description: PHP, a popular language for web development, is reportedly installed on 50% of the Apache servers used world-wide. PHP can be configured with the "memory_limit" directive, which sets the maximum amount of memory any script is allowed to use. The function that checks the "memory_limit" contains a vulnerability. The problem arises because the memory allocation can be terminated at unsafe stages, such as when certain hash tables are initialized. This flaw may be exploited to control heap memory and execute arbitrary code on the server. The technical details required to exploit the flaw have been posted. The discoverer of the flaw has developed exploits that can compromise Apache and other servers running PHP. These exploits have not been publicly posted.

  • Status: Vendor confirmed, patches available. Version 4.3.8 fixes the flaw. Many Linux vendors such as Mandrake and Gentoo have also released updates.

  • Council Site Actions: Only two council sites are using the affected software and only in a limited manner. One site has notified the individual webmasters and they will do their own patching. The other site has several hundred web servers running PHP exposed to the Internet, most of which are Linux systems. Their update status depends on the Linux distribution. Systems running the "unstable" version of Debian GNU/Linux are already updated to PHP 4.3.8 in many cases. Systems running Mandrake Linux already have the MDKSA-2004:068 update, which resolves the problem, in many cases. Their Red Hat systems remain vulnerable (except in a few cases where the system administrator has chosen to replace PHP without using a Red Hat RPM package), as no update is available at this time. The few systems running Solaris are in the process of being upgraded as well.

  • References:
  • (5) MODERATE: Windows Shell Remote Code Execution
  • Affected:
    • Windows NT/2000/XP/2003
  • Description: This vulnerability has been discussed in a prior @RISK newsletter as the "Internet Explorer File Extension Spoofing". The vulnerability can be exploited to trick a user into downloading a malicious file even when the IE download dialogue displays a "safe extension". Note that proof-of-concept exploits have been posted on the Internet since February 2004.

  • Status: Microsoft confirmed, patches available.

  • Council Site Actions: All council sites are responding to this vulnerability. Most sites plan to deploy the patch during their next regularly scheduled system update process. A few sites are in the process of distributing the patches now or have already completed the patch cycle process.

  • References:
  • (6) MODERATE: Microsoft IIS Redirection Buffer Overflow
  • Affected:
    • IIS version 4.0
    • Windows NT
  • Description: The IIS redirection function allows the web server to redirect an HTTP request to another web server or a virtual directory on the same server. Depending on the IIS configuration, the redirected URL may contain sections of the original URL. This redirection function contains a buffer overflow vulnerability, which can be exploited to execute arbitrary code on the IIS server. Limited technical details regarding how to trigger the buffer overflow have been posted. The Microsoft advisory suggests that setting a maximum URL length of 16KB mitigates the attack; hence, a possible attack vector may be issuing overlong HTTP requests to the IIS server.

  • Status: Microsoft confirmed, patches available.

  • Council Site Actions: Most of the reporting council sites still have some NT4 IIS servers and are either in the process of patching the systems or will patch during their next regularly scheduled system update process.

  • References:
  • (7) MODERATE: Adobe Reader File Extension Buffer Overflow
  • Affected:
    • Adobe Reader version 6.0 on Windows platform
  • Description: Adobe Reader, a popular PDF file viewer, contains a stack-based buffer overflow. The flaw can be triggered by a malicious filename containing NULL characters and an overlong extension. A webpage or an email delivering a malicious Adobe file may exploit the flaw to execute arbitrary code with the privileges of the currently logged-on user. Limited technical details have been posted to the Internet.

  • Status: Adobe confirmed, upgrade to version 6.0.2. The release notes for this version say "Security update to further restrict malicious code execution."

  • Council Site Actions: Most of the reporting council sites plan to upgrade to the corrected version during their next regularly scheduled system update process. One site does not upgrade the end systems but does provide a download site for the software. They will place the new version on the download site. A few sites are running the affected software but don't plan any action at this time.

  • References:
  • (8) LOW: Microsoft Outlook Object Tag Vulnerability
  • Affected:
    • Outlook 2000 or 2003
  • Description: This vulnerability affects the installations of Outlook 2000 or 2003 that use Word 2000 or 2003 as their email editor. The problem occurs because Word downloads the URL specified in the "data" attribute of an unclosed "OBJECT" tag, prior to forwarding an email. An attacker can exploit this flaw to execute arbitrary code on a user's computer by enticing the user to forward a specially crafted email. The code would execute with the privileges of the Outlook user irrespective of any Outlook security settings. Some spam emails are reportedly exploiting this flaw. Note that Outlook 2003 has Word 2003 set as the default email editor unlike the Outlook 2000. The posted advisories contain a proof-of-concept exploit.

  • Status: Microsoft has been notified, and may fix the vulnerability in future Office releases. A workaround is to disable Word as the email editor.

  • Council Site Actions: Most of the council sites plan to install the patches once released by the vendor. Some sites are investigating implementing the workaround in the meantime. One site commented that they turned off Word as the default editor a long time ago.

  • References:
Other Software
  • (9) HIGH: 4D WebSTAR FTP Server Overflow
  • Affected:
    • 4D WebSTAR version 5.3.2 and prior
  • Description: The 4D WebSTAR software suite offers web, mail, WebDAV and FTP servers for the Mac OS X operating system. The FTP server is vulnerable to a stack-based buffer overflow in handling overlong commands. Remote unauthenticated attackers can exploit the flaw to execute arbitrary code with the privileges of the "webstar" user. The attacker may further exploit a privilege escalation vulnerability to obtain administrative access to the server. The posted advisory contains technical details required to leverage the flaw. Note that an exploit for a similar vulnerability (FTP password overflow) is available on the Internet.

  • Status: Vendor confirmed. Upgrade to version 5.3.3.

  • Council Site Actions: Only one council site is using the affected software on a very small number of systems. They are investigating if these systems have the FTP server enabled.

  • References:
  • (10) LOW: HP OpenVMS RPC Buffer Overflow
  • Affected:
    • DCE/RPC version 3.1-SSB for HP OpenVMS Versions 7.3, V7.3-1 and V7.3-2
  • Description: HP has reported a buffer overflow vulnerability in the OpenVMS DCE/RPC implementation. The overflow is triggered by the exploit code for the Microsoft RPC DCOM Interface buffer overflows. It is not clear at this point if the flaw can be exploited to execute arbitrary code on the OpenVMS systems.

  • Status: Vendor confirmed, patches available.

  • Council Site Actions: Only three of the reporting council sites are using the affected software. One site does not plan to take action at this time. One site is currently testing the patch for installation within the next two weeks and the third site plans to deploy the patch during their next regularly scheduled patching cycle.

  • References:
Patches
  • (11) MODERATE: Mozilla shell: URI Handler Vulnerability
  • Affected:
    • Only Windows installations of:
    • Mozilla version prior to 1.7.1
    • Firefox version prior to 0.9.2
    • Thunderbird version prior to 0.7.2
  • Description: The Mozilla project's Mozilla and Firefox web browsers, and its Thunderbird email client, for Windows contain a vulnerability in handling "shell:" URIs. A malicious webpage or an HTML email can launch any executable present on a client system via a specially crafted "shell:" URI. Note that arbitrary command-line arguments cannot be passed to the launched executables, which limits the malicious actions an attacker can perform on the client system. Another attack vector has also been discussed to exploit this flaw. The "shell:" URL handler invokes various applications based on the file extension. For example, a "shell:my.mp3" URL will launch the media player. It may be possible to trigger a buffer overflow in some applications by passing an overlong filename. It is reported that a URL of the form "shell:AAA (over 221 characters).grp" triggers a buffer overflow in the "grpconv.exe" application. These buffer overflows may possibly be exploited to execute arbitrary code on the client system. The technical details required to exploit the vulnerability have been posted.

  • Status: Vendor confirmed, patches available. Upgrade to Mozilla 1.7.1, Firefox 0.9.2 and Thunderbird 0.7.2. It is worthwhile to note that the Mozilla project fixed the problems within a day of being reported.

  • Council Site Actions: Five of the reporting council sites have small deployments of the affected software. Three of these sites have already upgraded to the corrected versions. The fourth site has sent email to the users requesting them to upgrade. The last site, which has about 200 affected users, is currently considering how to address the issue since they do not have an automated method for updates. They may just display a local security advisory on the web pages of their central IT department, with the advisory appearing only if the client User-Agent indicates Mozilla on Windows.

  • References:
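An added example, not the council site's own code, of the last site's approach: a server-side check on the User-Agent header that decides whether to show the local advisory. It goes slightly beyond the description above: besides requiring a Gecko-based browser on Windows, it compares the reported Firefox or Mozilla version against the fixed versions named in the Status line, so users who have already upgraded do not keep seeing the notice. The User-Agent strings are constructed samples in the format those browsers used at the time; Thunderbird is left out because a mail client does not fetch the IT department's web pages.

```python
# Added example: deciding from the User-Agent header whether to show a
# local "please upgrade" advisory. Not code from any council site; the
# sample User-Agent strings are constructed.
import re
from typing import Optional, Tuple

# First fixed versions from the Status line; anything older on Windows
# gets the advisory.
FIXED_VERSIONS = {"Firefox": (0, 9, 2), "Mozilla": (1, 7, 1)}


def parse_version(text: str) -> Tuple[int, ...]:
    """'0.9.1' -> (0, 9, 1). Tuples compare element-wise, so (0, 9) < (0, 9, 2)."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def classify_user_agent(ua: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (product, version) for a Gecko-based browser on Windows, else None.

    Internet Explorer calls itself "Mozilla/4.0 (compatible; MSIE ...)" but
    carries no "Gecko/" token, so it is not matched. Firefox sends both an
    "rv:" (Gecko) token and a "Firefox/" token; the latter is the product
    version, so it is checked first. Other Gecko-based browsers on Windows
    fall into the "Mozilla" bucket.
    """
    if "Windows" not in ua or "Gecko/" not in ua:
        return None
    match = re.search(r"Firefox/(\d+(?:\.\d+)*)", ua)
    if match:
        return "Firefox", parse_version(match.group(1))
    match = re.search(r"rv:(\d+(?:\.\d+)*)", ua)
    if match:
        return "Mozilla", parse_version(match.group(1))
    return None


def needs_advisory(ua: str) -> bool:
    """True when the client is an affected, not yet upgraded build on Windows."""
    parsed = classify_user_agent(ua)
    if parsed is None:
        return False
    product, version = parsed
    return version < FIXED_VERSIONS[product]


if __name__ == "__main__":
    # Constructed samples: vulnerable Firefox, fixed Firefox, vulnerable
    # Mozilla suite, Firefox on Linux (unaffected), and Internet Explorer.
    samples = [
        "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040614 Firefox/0.9",
        "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2",
        "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040616",
        "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040616 Firefox/0.9",
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    ]
    for ua in samples:
        print("ADVISE" if needs_advisory(ua) else "ok    ", ua)
```

Because the User-Agent header is client-supplied and easily changed, this is only a convenience for nudging users; it is not a substitute for an inventory of installed versions.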
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 28, 2004

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3572 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 04.28.1 - CVE: CAN-2004-0201
  • Platform: Windows
  • Title: Microsoft Windows HTML Help Heap Overflow
  • Description: A remote code execution vulnerability exists in the processing of a specially crafted "showHelp" URL. The vulnerability could allow malicious code to run in the Local Machine security zone in Internet Explorer, which could allow an attacker to take complete control of an affected system. All current Windows platforms are affected.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS04-023.mspx

  • 04.28.2 - CVE: CAN-2004-0212
  • Platform: Windows
  • Title: Microsoft Windows Task Scheduler Buffer Overflow
  • Description: The Microsoft Task Scheduler enables a program to run at a designated time. A buffer overflow condition exists in Task Scheduler due to lack of sufficient validation performed on application name data provided to it. This issue was reported for Microsoft Windows 2000 Service Packs 2 through 4, XP, XP Service Pack 1, and XP 64-Bit Edition Service Pack 1.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx

  • 04.28.3 - CVE: Not Available
  • Platform: Microsoft Office
  • Title: Microsoft Outlook Security Setting Bypass
  • Description: Microsoft Outlook is reportedly vulnerable to a security setting bypass issue when Microsoft Word is used as its default editor. When a victim attempts to forward a certain maliciously crafted email that has an unclosed "OBJECT" tag, Outlook fails to block any embedded ActiveX controls. This issue occurs with the default "Restricted Zone" settings. This issue was reported for Microsoft Outlook 2003/2000 when Microsoft Word 2003/2000 is employed as the email editor.
  • Ref: http://www.securityfocus.com/archive/1/368492

  • 04.28.4 - CVE: CAN-2004-0215
  • Platform: Other Microsoft Products
  • Title: Outlook Express Email Header Denial of Service
  • Description: Microsoft Outlook Express is vulnerable to a remotely exploitable denial of service vulnerability when processing emails with malformed header data. The issue exists due to insufficient sanitization of email header fields. This issue is only reported to affect Outlook Express 5.5 and 6.0.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms04-018.mspx

  • 04.28.5 - CVE: CAN-2004-0205
  • Platform: Other Microsoft Products
  • Title: IIS 4 Redirect Remote Buffer Overflow
  • Description: Microsoft IIS 4.0 is reported prone to a buffer overflow vulnerability when handling HTTP redirect requests. Insufficient sanitization of HTTP redirect requests exposes this buffer overflow issue.
  • Ref: http://www.kb.cert.org/vuls/id/717748

  • 04.28.6 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft JVM Cross-Domain Applet Unauthorized Communication
  • Description: Microsoft JVM is vulnerable to an access validation error that may result in a violation of its security policy. Java applets downloaded from different servers and associated with different domains should each be executed in isolation. This is by design to prevent applets from interfering with each other. If properly exploited a hostile applet could garner sensitive information from trusted applets.
  • Ref: http://www.securityfocus.com/archive/1/368586

  • 04.28.7 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Cross-Domain Scripting
  • Description: A vulnerability exists in Microsoft Internet Explorer that may allow cross-domain scripting attacks by overloading function names. When a new JavaScript function is assigned to another trusted existing function with the same name, Internet Explorer marks the new function as safe, and fails to apply security checks to it. This issue was reported for Internet Explorer versions 6.0 and 6.0 SP1.
  • Ref: http://www.securityfocus.com/archive/1/368671

  • 04.28.8 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Mouse Event Hijacking
  • Description: A vulnerability exists in Microsoft Internet Explorer that may permit a malicious web page to hijack mouse events by calling the "Popup.show()" method in the "mousedown" event handler. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/368652

  • 04.28.9 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Outlook Express Script Execution Vulnerability
  • Description: Outlook Express has been reported to be vulnerable to an unauthorized execution issue. When Outlook Express processes emails, it will filter out script code in the "window.document" object, however script contained in other object components may not be filtered, resulting in arbitrary script execution. Microsoft Outlook Express version 6.0 is known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/368670

  • 04.28.10 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer File Download Obfuscation Vulnerability
  • Description: A vulnerability exists in Microsoft Internet Explorer that may permit a remote attacker to obfuscate file properties in download dialogs. The issue presents itself when attacker specified content is placed on top of a window or dialog box using the "Window.createPopup()" function. IE versions 5.5 and 6.0 are reported to be vulnerable.
  • Ref: http://www.guninski.com/popspoof.html

  • 04.28.11 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer JavaScript Null Pointer Exception Denial of Service
  • Description: Internet Explorer is vulnerable to a denial of service issue due to a null-pointer dereference exception. When Internet Explorer attempts to render JavaScript using a "for()" loop containing a conditional variable that is not declared it will crash. Internet Explorer version 6.0 SP1 is known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/368651

  • 04.28.12 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Windows 2000 Media Preview Script Execution
  • Description: Microsoft Windows 2000 is reported to be vulnerable to a script code execution issue. The vulnerability manifests itself when a user previews media in Internet Explorer. Insufficient security checks result in the execution of arbitrary script code in the context of the security zone that the media player is executed in.
  • Ref: http://www.securityfocus.com/archive/1/368650

  • 04.28.13 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Gattaca Server 2003 Multiple Path Disclosures
  • Description: Gattaca Server 2003 provides email and web services. Insufficient sanitization of NULL bytes in the "LANGUAGE" argument of the URL exposes a path disclosure issue in the software. Gattaca Server 2003 version 1.1.10.0 and earlier are affected.
  • Ref: http://members.lycos.co.uk/r34ct/main/Gattaca%20Server%202003.txt

  • 04.28.14 - CVE: CAN-2004-0632
  • Platform: Third Party Windows Apps
  • Title: Adobe Acrobat File Name Handler Buffer Overflow
  • Description: Adobe Acrobat and Reader are reportedly vulnerable to a stack-based buffer overflow condition. This issue is exposed when a file with an unhandled file-type and a specially crafted malformed file-name is opened. This vulnerability has been reported for Adobe Acrobat and Reader 6.x releases on the Microsoft Windows platforms.
  • Ref: http://www.idefense.com/application/poi/display?id=116&type=vulnerabilities

  • 04.28.15 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Gattaca Server 2003 Denial of Service
  • Description: Multiple vulnerabilities have been identified in Gattaca Server 2003. Issuing large arguments to the "LIST", "RETR", and "UIDL" commands or more than 600 simultaneous connections to the SMTP/POP3 ports will cause the application to crash. Malicious HTTP requests cause the application to consume 100% of the CPU. Gattaca Server 2003 versions 1.1.10.0 and earlier are affected.
  • Ref: http://members.lycos.co.uk/r34ct/main/Gattaca%20Server%202003.txt

  • 04.28.16 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Ability Mail Server Multiple Vulnerabilities
  • Description: Code-Crafters Ability Mail Server is reportedly vulnerable to multiple security issues. A cross-site scripting issue occurs due to insufficient sanitization of user-input supplied through the "errormsg" URI parameter. A denial of service condition is exposed when an attacker repeatedly connects to any of its services about 150-200 times. Ability Mail Server version 1.18 was reported to be vulnerable.
  • Ref: http://members.lycos.co.uk/r34ct/main/Ability_mail_server_1.18.txt

  • 04.28.17 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: INweb Mail Server Remote Denial of Service
  • Description: INweb Mail Server is an SMTP and POP server for Windows. A denial of service vulnerability has been identified in its connection handling functions. By repeatedly and exhaustively connecting to the server, it is possible to eventually crash the server. INweb Mail Server version 2.40 is reported to be vulnerable.
  • Ref: http://members.lycos.co.uk/r34ct/main/inwebmail.txt

  • 04.28.18 - CVE: Not Available
  • Platform: Mac Os
  • Title: 4D WebStar Remote FTP Buffer Overflow
  • Description: 4D WebStar is an application providing web, FTP and email services for Apple Mac OS X. It has been revealed that WebStar is subject to a remote, pre-authentication buffer overflow in its FTP server. This is due to insufficient sanitization of user input, and could result in the execution of arbitrary code. 4D WebStar FTP server versions 5.3.2 and prior are reported to be vulnerable.
  • Ref: http://www.atstake.com/research/advisories/2004/a071304-1.txt

  • 04.28.19 - CVE: Not Available
  • Platform: Mac Os
  • Title: 4D WebStar Multiple Remote Information Disclosures
  • Description: 4D WebStar is an application providing web, FTP and email services for Apple Mac OS X. It is reported to be vulnerable to multiple information disclosure vulnerabilities. The issues exist due to a failure to sanitize user-supplied requests. Successful exploitation will allow an attacker to access arbitrary directories and files such as "php.ini". 4D WebStar version 5.3.2 and below are reported to be vulnerable.
  • Ref: http://www.atstake.com/research/advisories/2004/a071304-1.txt

  • 04.28.20 - CVE: Not Available
  • Platform: Linux
  • Title: wvWare Library Remote Buffer Overflow
  • Description: wvWare is a library which allows access to Microsoft Word files on Unix based systems. It is reported to be vulnerable to a remote buffer overflow issue. The issue exists due to insufficient boundary checks performed by the "wvHandleDateTimePicture" function in "field.c". This issue affects wvWare 0.7.4. Versions 0.7.5, 0.7.6 and 1.0.0 are also affected by a variant of this issue.
  • Ref: http://www.idefense.com/application/poi/display?id=115&type=vulnerabilities&flashstatus=true

  • 04.28.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Java Virtual Machine Font.createFont Insecure Temporary File Creation
  • Description: Sun Java Virtual Machine (JVM) is a component of the Sun Java infrastructure that executes Java based code. It has been reported that the JVM is vulnerable to an insecure temporary file creation issue. It could be possible to place code on a machine using this method, and then execute the code using other known vulnerabilities.
  • Ref: http://seclists.org/lists/fulldisclosure/2004/Jul/0434.html

  • 04.28.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: AnomicHTTPProxy Directory Traversal Vulnerability
  • Description: AnomicHTTPProxy is an HTTP proxy and search engine. AnomicHTTPProxy is reportedly vulnerable to a directory traversal issue. By utilizing "../" style directory traversal techniques, it is possible to gain access to files outside of the document root. AnomicHTTPProxy version 0.21_build20040627 is reported vulnerable.
  • Ref: http://www.anomic.de/AnomicHTTPProxy/News.html
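As an added example (not AnomicHTTPProxy's code, whose internals the entry does not describe), this is the containment check a component that serves files from a document root should apply to defeat "../" traversal: resolve the requested path against the root and refuse anything that does not remain inside it. The document root and request paths are constructed samples.

```python
# Added example: containment check against "../" directory traversal for a
# component that serves files from a document root. Not AnomicHTTPProxy's
# code; the root and the request paths below are constructed samples.
import os
from typing import Optional
from urllib.parse import unquote


def resolve_under_root(document_root: str, request_path: str) -> Optional[str]:
    """Map an HTTP request path to a file under document_root.

    Returns the resolved filesystem path, or None when the request would
    escape the root, whether through "..", percent-encoded dots, a NUL
    byte, or a symlink pointing outside the tree (realpath follows links,
    so the comparison is made on the final location, not the spelling).
    """
    root = os.path.realpath(document_root)
    decoded = unquote(request_path)                      # "%2e%2e%2f" -> "../"
    decoded = decoded.split("\x00", 1)[0]                # ignore anything after a NUL
    relative = decoded.replace("\\", "/").lstrip("/")    # always relative to the root
    candidate = os.path.realpath(os.path.join(root, relative))
    # Append the separator so "/srv/www/html2" is not accepted as a child of
    # "/srv/www/html" by a bare prefix comparison.
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed requests against a constructed document root.
    root = "/srv/www/html"
    for path in [
        "/docs/../index.html",                   # legitimate, stays inside
        "/../../etc/passwd",                     # plain traversal
        "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",      # percent-encoded traversal
        "/..%00/index.html",                     # NUL-byte truncation
        "/../html2/secret",                      # sibling with a shared prefix
    ]:
        resolved = resolve_under_root(root, path)
        print("REFUSE" if resolved is None else "SERVE ", path, "->", resolved)
```

Decoding before normalising is the point that tends to be missed: a check performed on the raw request string sees "%2e%2e" as an ordinary directory name, while the filesystem, after decoding, sees "..".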

  • 04.28.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Half-Life Engine Remote Denial of Service
  • Description: Half-Life is a game server that allows multiple users to game across a network. When the game server processes a malformed TCP packet containing 8 bytes of data it crashes. All versions of Half-Life released before July 7, 2004 are affected.
  • Ref: http://aluigi.altervista.org/adv/hlboom-adv.txt

  • 04.28.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Lotus Notes Multiple Unspecified Client Vulnerabilities
  • Description: Lotus Notes is a server for email, calendar, scheduling and collaboration tasks. Three vulnerabilities with an unknown impact on the Lotus Notes clients have been reported due to unspecified errors when handling Java applets.
  • Ref: http://secunia.com/advisories/12046/

  • 04.28.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Browser Cache File Unsafe Script Execution
  • Description: Mozilla Browser is reportedly vulnerable to multiple security issues. When the browser is used to view locally cached files, embedded scripts could be executed in the Local Zone under relaxed security settings. The Mozilla Browser is also vulnerable to the classic NULL byte based file-name spoofing attack. This could be used to open files with arbitrary extensions without requiring any user interaction. These issues were reported for all current versions of Mozilla and Firefox browsers.
  • Ref: http://www.securityfocus.com/archive/1/368739

  • 04.28.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: AnomicHTTPProxy Authentication Bypass
  • Description: AnomicHTTPProxy is an HTTP proxy and search engine. During the startup process there exists a window of opportunity where the administrative password is unset, which can result in authentication bypass. AnomicHTTPProxy version 0.21_build20040627 is reported vulnerable.
  • Ref: http://www.osvdb.org/7713

  • 04.28.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apache mod_ssl Log Function Format String
  • Description: mod_ssl provides an interface for accessing the OpenSSL libraries from Apache. Insufficient sanitization of user supplied data in the "ssl_log()" function exposes a format string issue. mod_ssl versions 2.x and earlier are affected.
  • Ref: http://secunia.com/advisories/12077/

  • 04.28.28 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB Multiple SQL Injections
  • Description: phpBB is a web forum application. Insufficient sanitization of user supplied input in the "admin_board.php" script exposes a SQL injection issue. phpBB versions 2.0.9 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/10722

  • 04.28.29 - CVE: CAN-2004-0595
  • Platform: Web Application
  • Title: PHP strip_tags() Function Bypass
  • Description: The "strip_tags()" function in PHP allows developers to sanitize user input supplied through web pages. It has been reported that it is possible to bypass this input filtering functionality. By including ' characters (ticks) in HTML tags, it is reported that PHP's "strip_tags()" function will improperly leave tags in place. Further, certain browsers including Microsoft Internet Explorer process these HTML tags even though they are invalid/malformed. This issue is fixed in PHP version 4.3.8.
  • Ref: http://security.e-matters.de/advisories/122004.html

  • 04.28.30 - CVE: CAN-2004-0594
  • Platform: Web Application
  • Title: PHP memory_limit Remote Code Execution
  • Description: PHP modules compiled with "memory_limit" support are affected by a remote code execution vulnerability. Improper handling of "memory_limit" requests exposes this issue. PHP4 versions 4.3.7 and earlier as well as PHP5 versions 5.0.0RC3 and earlier are affected.
  • Ref: http://security.e-matters.de/advisories/112004.html

  • 04.28.31 - CVE: Not Available
  • Platform: Web Application
  • Title: Multiple Bugzilla Vulnerabilities
  • Description: Bugzilla is a web based bug tracking system. Multiple vulnerabilities have been recently announced, spanning the spectrum of cross-site scripting, SQL injection, sensitive information disclosure and privilege escalation. Bugzilla versions 2.16.6 through 2.18rc1 are reported to be affected by some or all of these problems.
  • Ref: http://www.securityfocus.com/archive/1/368647

  • 04.28.32 - CVE: Not Available
  • Platform: Web Application
  • Title: Gattaca Server 2003 Cross-Site Scripting
  • Description: The Gattaca Server 2003 is reportedly vulnerable to a cross-site scripting issue. This is due to insufficient sanitization of user input supplied via the "TEMPLATE" or "LANGUAGE" URI parameters of the "web.tmpl" page. Gattaca Server 2003 version 1.1.10.0 has been reported to be vulnerable.
  • Ref: http://members.lycos.co.uk/r34ct/main/Gattaca%20Server%202003.txt

  • 04.28.33 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB viewtopic.php SQL Injection
  • Description: phpBB is a web forum application. A SQL injection vulnerability exists in phpBB's "viewtopic.php" script. The issue manifests itself when user-supplied input in URL parameters is not properly sanitized before it is used to construct SQL queries.
  • Ref: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=209797

  • 04.28.34 - CVE: Not Available
  • Platform: Web Application
  • Title: Mozilla PSM Certificate Handling Denial of Service
  • Description: The Mozilla browser's Personal Security Manager (PSM) is reported vulnerable to an issue that may permit a remote attacker to silently import an invalid certificate into the PSM certificate store. An attacker may exploit this vulnerability to corrupt the Mozilla PSM certificate storage and as a result deny HTTPS service. Mozilla Browser 1.7.1 and prior are reported to be vulnerable to this issue.
  • Ref: http://bugzilla.mozilla.org/show_bug.cgi?id=249004

  • 04.28.35 - CVE: Not Available
  • Platform: Web Application
  • Title: Moodle Help Cross Site Scripting
  • Description: Moodle is a course management system for online courseware and e-learning. Insufficient sanitization of the "file" variable in the "help.php" script exposes a cross-site scripting issue in the application. Moodle versions 1.3.2 and 1.4 dev are affected.
  • Ref: http://www.securityfocus.com/archive/1/368749

(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.