
@RISK: The Consensus Security Vulnerability Alert

Volume: III, Issue: 30
August 2, 2004

The Internet Explorer vulnerabilities announced Friday were important enough for Microsoft to make a special, unscheduled warning. That reinforces our HIGH priority rating and suggests a rapid response. CheckPoint Firewall and VPN users should definitely read Critical Vulnerability number 2.

There is also a gift enclosed for you to distribute to your unsophisticated users. It's a summary of the most important current viruses, phishing announcements, and damaging hoaxes - written without jargon. We're experimenting with it as a possible new service for security officers to distribute to users. You'll find it at the end of this issue. Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                        # of Updates & Vulnerabilities
    Other Microsoft Products        3 (#1)
    Third-Party Windows Apps        1
    Linux                           1 (#3, #6)
    HP-UX                           2
    Solaris                         2
    Unix                            4
    Cross Platform                  10 (#2, #4, #5)
    Web Application                 18

******************** Security Training Update *************************

Featured Security Training Program: SANS Network Security 2004 Las Vegas, NV September 28 - October 6, 2004

The largest training conference in the world with 16 immersion training tracks and a large security exposition. Great courses for security managers and CISOs, for security experts, for auditors, for forensics scientists, and even for those just starting out. And Las Vegas is a great place to visit in the fall.

Register soon to get a seat at your choice of courses. http://www.sans.org/ns2004

***********************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Other Microsoft Products
    Third Party Windows Apps
    Linux
    HP-UX
    Solaris
    Unix
    Cross Platform
    Web Application

PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Microsoft Internet Explorer Multiple Vulnerabilities
  • Affected:
    • Internet Explorer version 5.01, 5.5 and 6.0
  • Description: Microsoft released a cumulative update, MS04-025, which fixes multiple vulnerabilities in Internet Explorer. These vulnerabilities can be exploited by a malicious webpage or an HTML email to compromise a client system. (a) Internet Explorer contains a cross-domain vulnerability that can be triggered when handling a frame, a "modal dialog box" that is invoked from the frame, and a webserver "redirect" that points to a local file on the client computer. This vulnerability can be exploited to execute arbitrary code on the client system. The flaw has been leveraged in the wild by the "JS.Scob" Trojan. The exploit code has been publicly posted since early June 2004. (b) Internet Explorer contains an integer overflow vulnerability that can be triggered by a specially crafted bitmap (.bmp) image file. A malicious webpage can exploit this flaw to possibly execute arbitrary code on a client system with the privileges of the currently logged-on user. A proof-of-concept bitmap file has been publicly posted since February 2004. (c) Internet Explorer contains a "double free" vulnerability (the flaw resulting from the same memory being freed twice) that is triggered by certain GIF files. The flaw can be exploited by a malicious webpage to possibly compromise a client system. "Double free" bugs are known to be platform dependent and harder to exploit. Hence, a large-scale attack leveraging this vulnerability is unlikely. The technical details regarding the flaw have been posted since 2003.

  • Status: Microsoft has confirmed all the vulnerabilities. The patch MS04-025 should be installed on an expedited basis.

  • Council Site Actions: Due to the late breaking nature of the Microsoft patch announcement, we were unable to solicit the council site input from all the council sites. One of the sites reported that they will update all their desktops with this patch as soon as they finish their internal testing of the patch.

  • References:
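The bitmap flaw in (b) is an integer-overflow bug: dimensions read from the file are multiplied to size a pixel buffer, and the product can wrap to a small value so that a short allocation is followed by a long write. The C fragment below is an added illustration written for this issue; it is not Microsoft's code and not the MS04-025 fix. The bmp_header_t structure, the 64 MiB ceiling and the sample headers are constructed for the example, and real BMP row padding is left out. It puts the wrapping computation beside a checked one so the difference is visible:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified bitmap header used only by this example; it is
 * not Microsoft's BITMAPINFOHEADER. */
typedef struct {
    uint32_t width;           /* pixels per row, as declared in the file */
    uint32_t height;          /* rows, as declared in the file */
    uint16_t bits_per_pixel;  /* 8, 16, 24 or 32 */
} bmp_header_t;

/* Policy ceiling for one decoded image (64 MiB), chosen for this example. */
#define MAX_PIXEL_BYTES (64u * 1024u * 1024u)

/* "Before": the product is formed in 32-bit arithmetic and wraps silently.
 * A header claiming 65536 x 65536 x 32 bpp yields 0, so a decoder would
 * allocate nothing and then write rows into it. Kept only for comparison. */
uint32_t naive_pixel_bytes(const bmp_header_t *h)
{
    return h->width * h->height * (uint32_t)(h->bits_per_pixel / 8u);
}

/* "After": validate the fields, multiply in 64-bit, and compare against the
 * ceiling before the final multiplication so the result cannot wrap.
 * Returns true and writes *out on success; false means "refuse this file". */
bool checked_pixel_bytes(const bmp_header_t *h, size_t *out)
{
    if (h == NULL || out == NULL) return false;
    uint32_t bpp = h->bits_per_pixel;
    if (bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32) return false;
    if (h->width == 0 || h->height == 0) return false;

    uint64_t row_bytes = (uint64_t)h->width * (bpp / 8u);      /* < 2^34, cannot wrap */
    if (row_bytes > MAX_PIXEL_BYTES / h->height) return false; /* row * height > ceiling */
    uint64_t total = row_bytes * h->height;                    /* <= ceiling, no wrap */

    *out = (size_t)total;
    return true;
}

/* Allocate the pixel buffer only when the size survived the checks. */
uint8_t *alloc_pixels(const bmp_header_t *h, size_t *size_out)
{
    size_t n;
    if (!checked_pixel_bytes(h, &n)) return NULL;
    *size_out = n;
    return calloc(n, 1);
}

/* Constructed headers (not taken from real files). */
static const bmp_header_t SAMPLE_SMALL = { 100, 100, 24 };      /* 30,000 bytes */
static const bmp_header_t SAMPLE_WRAP  = { 65536, 65536, 32 };  /* 2^34 bytes: wraps to 0 in naive */

size_t demo_naive_wrap(void)     { return naive_pixel_bytes(&SAMPLE_WRAP); }
bool   demo_checked_rejects(void){ size_t n; return checked_pixel_bytes(&SAMPLE_WRAP, &n); }
size_t demo_checked_small(void)  { size_t n = 0; checked_pixel_bytes(&SAMPLE_SMALL, &n); return n; }

int main(void)
{
    printf("naive size for 65536x65536x32: %zu (wrapped)\n", demo_naive_wrap());
    printf("checked accepts it: %s\n", demo_checked_rejects() ? "yes" : "no");
    printf("checked size for 100x100x24: %zu\n", demo_checked_small());
    return 0;
}
```

The ordering matters: the division-based comparison is done before the multiplication, which is what keeps the arithmetic from ever wrapping; a check performed after the product is computed can be fooled by the wrap it is meant to catch.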
  • (2) HIGH: CheckPoint VPN-1 ISAKMP ASN.1 Decoding Vulnerability
  • Affected:
    • VPN-1/FireWall-1 NG with Application Intelligence R54, R55 or R55W
    • VPN-1/FireWall-1 Next Generation FP3
    • VPN-1/FireWall-1 VSX FireWall-1 GX
    • VPN-1 SecuRemote/SecureClient All Versions
  • Description: The Internet Security Association and Key Management Protocol (ISAKMP) is used for exchanging security keys and authentication data to set up a secure VPN connection. The protocol contains multiple fields that are encoded using the ASN.1 format. The CheckPoint VPN-1 server contains a heap-based buffer overflow that can be triggered by a specially crafted ASN.1 field in an ISAKMP packet. The flaw can be exploited by an unauthenticated attacker to possibly execute arbitrary code on the VPN-1 server with the privileges of the VPN process, typically "root" or "SYSTEM". Limited technical details regarding how to trigger the flaw have been publicly posted. Note that the same flaw exists in the CheckPoint VPN clients and can be exploited by a malicious VPN server. Hence, if an attacker obtains control of a VPN server, all connecting clients may be compromised.

  • Status: CheckPoint has confirmed the flaw, updates available. If the "Aggressive mode" IKE negotiation is enabled, the flaw can be exploited by a single spoofed UDP packet. Hence, this mode should be disabled.

  • Council Site Actions: Only one of the reporting council sites is using the affected software. They plan to distribute the patch/update during their next regularly scheduled system update process.

  • References:
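The CheckPoint flaw belongs to a family that recurs in ASN.1 decoders: a length field inside the packet is trusted, and the decoder copies that many bytes into a heap buffer without first confirming that the bytes exist or fit. The C fragment below is an added illustration written for this issue, not CheckPoint's code and not the shape of the posted trigger; the asn1_tlv_t type, the helper names and the sample encodings are constructed for it. It decodes one DER tag-length header and refuses anything whose declared length exceeds what was actually received or the destination capacity:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded DER tag-length header. */
typedef struct {
    uint8_t tag;
    size_t  length;      /* declared content length */
    size_t  header_len;  /* bytes used by the tag and length octets */
} asn1_tlv_t;

/* Decode one DER tag and length from buf[0 .. buf_len). Returns true only
 * when the encoding is well formed and the declared content actually fits
 * in the bytes received, so the caller is never handed a length larger
 * than the remaining packet. */
bool asn1_read_tlv(const uint8_t *buf, size_t buf_len, asn1_tlv_t *out)
{
    if (buf == NULL || out == NULL || buf_len < 2) return false;

    size_t pos = 0;
    uint8_t tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f) return false;   /* high-tag-number form: not handled here */

    uint8_t first = buf[pos++];
    size_t len;
    if (first < 0x80) {
        len = first;                            /* short form: one octet */
    } else {
        size_t n = first & 0x7f;                /* long form: n length octets follow */
        if (n == 0) return false;               /* 0x80 = indefinite length, not DER */
        if (n > sizeof(size_t)) return false;   /* cannot be represented without wrapping */
        if (n > buf_len - pos) return false;    /* the length octets themselves are truncated */
        if (buf[pos] == 0x00) return false;     /* DER: no leading zero length octets */
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | buf[pos++];
        if (len < 0x80) return false;           /* DER: short form was required */
    }

    if (len > buf_len - pos) return false;      /* content must fit in the remaining bytes */

    out->tag = tag;
    out->length = len;
    out->header_len = pos;
    return true;
}

/* Copy the content of the TLV at buf into a fixed-size destination.
 * Returns bytes copied, or 0 if the TLV is malformed or exceeds dst_cap.
 * A decoder that copies `len` bytes without these two checks is the shape
 * of bug described above. */
size_t asn1_copy_content(const uint8_t *buf, size_t buf_len,
                         uint8_t *dst, size_t dst_cap)
{
    asn1_tlv_t tlv;
    if (!asn1_read_tlv(buf, buf_len, &tlv)) return 0;
    if (tlv.length > dst_cap) return 0;
    memcpy(dst, buf + tlv.header_len, tlv.length);
    return tlv.length;
}

/* Constructed sample encodings (not captured traffic). */
static const uint8_t SAMPLE_OK[]         = { 0x04, 0x03, 'a', 'b', 'c' };              /* OCTET STRING "abc" */
static const uint8_t SAMPLE_TRUNCATED[]  = { 0x04, 0x10, 'a', 'b' };                   /* claims 16, carries 2 */
static const uint8_t SAMPLE_NONMINIMAL[] = { 0x04, 0x81, 0x05, 1, 2, 3, 4, 5 };        /* 5 encoded in long form */
static const uint8_t SAMPLE_HUGE[]       = { 0x04, 0x84, 0xff, 0xff, 0xff, 0xff, 'x' };/* claims ~4 GiB */

/* Each helper returns the copied length; 0 means the input was rejected. */
size_t demo_ok(void)         { uint8_t d[16]; return asn1_copy_content(SAMPLE_OK, sizeof SAMPLE_OK, d, sizeof d); }
size_t demo_truncated(void)  { uint8_t d[16]; return asn1_copy_content(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, d, sizeof d); }
size_t demo_nonminimal(void) { uint8_t d[16]; return asn1_copy_content(SAMPLE_NONMINIMAL, sizeof SAMPLE_NONMINIMAL, d, sizeof d); }
size_t demo_huge(void)       { uint8_t d[16]; return asn1_copy_content(SAMPLE_HUGE, sizeof SAMPLE_HUGE, d, sizeof d); }

/* A valid long-form encoding: 128 content bytes need the length octets 0x81 0x80. */
size_t demo_long_form(void)
{
    uint8_t enc[3 + 128];
    uint8_t d[128];
    enc[0] = 0x04; enc[1] = 0x81; enc[2] = 0x80;
    memset(enc + 3, 'x', 128);
    return asn1_copy_content(enc, sizeof enc, d, sizeof d);
}

int main(void)
{
    printf("ok=%zu truncated=%zu nonminimal=%zu huge=%zu long=%zu\n",
           demo_ok(), demo_truncated(), demo_nonminimal(), demo_huge(), demo_long_form());
    return 0;
}
```

Two points carry over to any protocol decoder, not only ISAKMP: the remaining-bytes comparison is made against the buffer that was actually received, never against the length the peer declared, and the destination capacity is checked separately, because a length that fits the packet can still exceed the heap object it is copied into.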
Other Software
  • (3) CRITICAL: eSeSIX ThinTune Clients Remote Root Access
  • Affected: Linux based ThinTune clients with firmware version 2.4.38 and prior
  • Description: ThinTune Linux-based client appliances contain a vulnerability that can be exploited to obtain remote root access. The problem occurs because the appliances run a backdoor process that listens on port 25072/tcp. An attacker can authenticate to this process via the hard-coded password "jstwo", and invoke a root shell. The posted advisory shows how to exploit the flaw.

  • Status: Vendor confirmed, upgrade to the firmware version 2.4.39.

  • Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:
  • (4) MODERATE: Citadel UX/BBS USER Command Overflow
  • Affected: Citadel/UX version 6.23 and prior
  • Description: Citadel/UX is a room-based bulletin board system (BBS) that has been in popular use since 1988. The Citadel/UX server, which runs on port 504/tcp by default, reportedly contains a stack-based buffer overflow. The flaw can be triggered by the "USER" command with an overlong argument (over 97 bytes), and possibly exploited to execute arbitrary code. Writing an exploit for this vulnerability is challenging because only lower case characters can be utilized for such a purpose. The posted advisory contains a proof-of-concept exploit.

  • Status: Vendor notified but has not responded. No patches available.

  • Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:
  • (5) LOW: Mozilla Browsers Certificate Spoofing
  • Affected: Mozilla Firefox version 0.9.1 and 0.9.2
    • Mozilla version 1.7.1
  • Description: This vulnerability in Mozilla allows a malicious website to spoof its SSL certificate, and appear to be a trusted site. The problem occurs because the Mozilla browsers cache the certificate of a trusted site, and display the "secure lock" even when the trusted site is replaced by a malicious site via "refresh" and "onunload" functions. The vulnerability can be exploited to conduct phishing attacks by enticing a victim to visit a malicious site. A proof-of-concept exploit has been posted.

  • Status: Vendor confirmed, patches available. The users should also be advised to not click links in suspicious emails.

  • Council Site Actions: Most of the council sites are starting to use the Mozilla Firefox browser, although the number of installations remains very small, except at one site. Several sites plan no action due to their limited deployment. Three sites plan to install the patch/update once it is available. The remaining site has a large installation of the software; however, they don't feel this vulnerability poses a significant threat. They update Mozilla every few months and don't plan a special update for this problem.

  • References:
Patches
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 30, 2004

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3615 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 04.30.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Systems Management Server (SMS) Remote Denial of Service
  • Description: Microsoft Systems Management Server (SMS) is a remote administration tool for Microsoft Windows. It has been reported that SMS is vulnerable to a denial of service issue. An attacker can send malicious packets that will cause the server to crash. Arbitrary code execution is unlikely given the nature of the exploit. SMS client version 2.50.2726.0 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/368911

  • 04.30.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Style Tag Comment Memory Corruption
  • Description: Insufficient sanitization of an unterminated comment "/*" character sequence after a "STYLE" tag exposes memory corruption issues in Microsoft Internet Explorer. Internet Explorer versions 5.x to SP3 and Internet Explorer versions 6.1 SP1 are affected.
  • Ref: http://www.securiteam.com/windowsntfocus/5XP051FDFM.html

  • 04.30.3 - CVE: CAN-2004-0549,CAN-2004-0566,CAN-2003-1048
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Security Bulletin MS04-025
  • Description: Microsoft has released a security update (MS04-025) to fix three critical Internet Explorer vulnerabilities. The navigation method cross-domain vulnerability allows remote code execution due to the way Internet Explorer handles navigation methods. The malformed BMP file buffer overrun and the malformed GIF file double free vulnerabilities also allow remote code execution.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms04-025.mspx

  • 04.30.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Mozilla Firefox Refresh Security Property Spoofing
  • Description: Mozilla Firefox web browser is reportedly vulnerable to URI and SSL certificate spoofing issues on Microsoft Windows. This could allow attackers to steal information from unsuspecting web clients. This issue was reported for Firefox versions 0.9.1 and 0.9.2.
  • Ref: http://www.securityfocus.com/archive/1/369953

  • 04.30.5 - CVE: Not Available
  • Platform: Linux
  • Title: Thintune Thin Client Devices Multiple Vulnerabilities
  • Description: eSeSIX Thintune are thin client appliances for server based computing. Thintune Linux-based devices are vulnerable to multiple security issues such as privilege escalation, remote backdoor, password bruteforcing and information disclosure. Firmware versions 2.4.38 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/369833

  • 04.30.6 - CVE: Not Available
  • Platform: HP-UX
  • Title: HP-UX XFS Remote Unauthorized Access
  • Description: An unspecified access bypass vulnerability was reported for HP-UX running "xfs". HP-UX versions B11.00, B11.11, B.11.22, and B11.23 were reported by the vendor to be vulnerable to this issue.
  • Ref: http://www.securityfocus.com/advisories/6982

  • 04.30.7 - CVE: Not Available
  • Platform: HP-UX
  • Title: HP-UX STMKFONT Remote Unauthorized Access
  • Description: HP has reported an unauthorized access vulnerability in HP-UX running "stmkfont" which may allow a remote attacker to gain unauthorized access to a vulnerable computer. HP-UX versions B11.00, B11.11, B.11.22, and B11.23 are affected.
  • Ref: http://www.securityfocus.com/advisories/6982

  • 04.30.8 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Java System Calendar Privilege Escalation
  • Description: Sun Java System Calendar Server is a web-based team collaboration, and time and resource management utility. It is reported to be vulnerable to an authentication bypass issue. The issue exists due to a failure of the application to validate access credentials. All current versions are vulnerable.
  • Ref: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57586&zone_32=category%3Asecurity

  • 04.30.9 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris ypbind Unspecified Buffer Overflow
  • Description: ypbind is an RPC service that allows Network Information Service (NIS) clients to locate NIS services on a network. Insufficient sanitization of user supplied input exposes buffer overflow issues in the software. Versions of Solaris prior to Solaris 8 01/01, or Solaris 8 Maintenance Update 3 are affected.
  • Ref: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/203&type=0&nav=sec.sba

  • 04.30.10 - CVE: Not Available
  • Platform: Unix
  • Title: Unreal IRCd Multiple Vulnerabilities
  • Description: Unreal ircd is an IRC server. It has been reported that it is subject to multiple vulnerabilities. In particular, it is subject to buffer overflows, format string attacks and arbitrary program execution. Unreal ircd version 3.2.1 is reported to be vulnerable, but it is possible that previous versions are similarly affected.
  • Ref: http://www.securityfocus.com/bid/10811/info/

  • 04.30.11 - CVE: Not Available
  • Platform: Unix
  • Title: Pavuk Remote Digest Authentication Buffer Overflow
  • Description: Pavuk is a web spider application. Insufficient sanitization of user-supplied input exposes a buffer overflow issue in the application. Pavuk versions 0.9.28-r2 and earlier are affected.
  • Ref: http://www.gentoo.org/security/en/glsa/glsa-200407-19.xml

  • 04.30.12 - CVE: Not Available
  • Platform: Unix
  • Title: OpenFTPD Format String Vulnerability
  • Description: OpenFTPD is an FTP server. Insufficient sanitization of user-supplied input exposes a format string issue in the software. OpenFTPD versions 0.30.2 and earlier are affected.
  • Ref: http://www.void.at/advisories/VSA0402_openftpd.txt

  • 04.30.13 - CVE: Not Available
  • Platform: Unix
  • Title: Dropbear SSH Server Authentication Bypass
  • Description: Dropbear SSH Server is a secure shell server. An authentication bypass issue exists in the software, which can allow malicious users to manipulate authentication credentials in order to take control of the process' execution flow. All current versions are affected.
  • Ref: http://matt.ucc.asn.au/dropbear/dropbear.html

  • 04.30.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Web Browser URL Obfuscation Weakness
  • Description: Opera Web Browser is reported to be vulnerable to URL obfuscation weakness. The issue exists when the link is designed to open a web page in a new browser window and replace the text in the address bar using "window.location.replace()" method. Currently Opera version 7.53 is reported to be vulnerable.
  • Ref: http://secunia.com/advisories/12162/

  • 04.30.15 - CVE: CAN-2004-0039
  • Platform: Cross Platform
  • Title: Check Point VPN-1 ASN.1 Buffer Overflow
  • Description: Check Point VPN-1 is a firewall and virtual private network software package. Insufficient sanitization in the parsing of the Abstract Syntax Notation One (ASN.1) data exposes a heap overflow in the VPN-1 software. Check Point FireWall-1 GX 2.x, Provider-1, Network Extender, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1/Firewall-1 NG and VSX NG are affected.
  • Ref: http://www.checkpoint.com/techsupport/alerts/asn1.html

  • 04.30.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Hitachi Web Page Generator Denial of Service
  • Description: Hitachi Web Page Generator is a suite of web collaboration tools. It has been reported that it is subject to an unspecified denial of service weakness. By sending specially crafted requests in quick succession it is possible to crash the affected server.
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS04-002_e/index-e.html

  • 04.30.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Hitachi Web Page Generator Cross-Site Scripting /Information Disclosure
  • Description: Hitachi Web Page Generator is an inter-system clue service for web collaboration. It is reported to be vulnerable to cross-site scripting and information disclosure issues. These issues exist due to improper sanitization of user-supplied input. These vulnerabilities are only present when "DEBUG_MODE=on", and the default error template is used. Currently all the versions are reported to be vulnerable.
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS04-003_e/01-e.html

  • 04.30.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Xitami Server Cross-Site Scripting
  • Description: Xitami is a web server package distributed by Imatix. Insufficient sanitization of "HTTP_USER_AGENT" and "HTTP_REFERER" parameters in the "testssi.ssi" script exposes a cross-site scripting issue in the software. Xitami version 2.5c1 is affected.
  • Ref: http://www.oliverkarow.de/research/xitami25c1_testssi_XSS.txt

  • 04.30.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Xitami Malformed Header Remote Denial of Service
  • Description: Xitami is a web server package distributed by Imatix. It has been reported that a vulnerability exists in its URL handling code. A maliciously crafted "HTTP GET" request can cause the server to crash. Xitami version 2.5c1 has been reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/10785/info/

  • 04.30.20 - CVE: CAN-2004-0718
  • Platform: Cross Platform
  • Title: Mozilla and Mozilla Firefox Interface Spoofing
  • Description: Mozilla and Mozilla Firefox are affected by an interface spoofing issue. This is because JavaScript code is allowed to hide the Mozilla Firefox status bar by default. The XUL API permits an attacker to create a relatively complete fake Mozilla Firefox interface. Mozilla versions 0.x through 1.7.x and Mozilla Firefox version 0.x are affected.
  • Ref: http://www.nd.edu/~jsmith30/xul/test/spoof.html

  • 04.30.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Subversion Access Control Bypass
  • Description: Subversion is a version control system. Subversion is vulnerable to multiple access control bypass vulnerabilities in its "mod_authz_svn" Apache module. These issues are only present when using the WebDAV access method with the Apache "mod_authz_svn" module and the "AuthzSVNAccessFile" configuration directive. Versions 1.0.5 and earlier are known to be vulnerable.
  • Ref: http://subversion.tigris.org/security/mod_authz_svn-copy-advisory.txt

  • 04.30.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: APC PowerChute Denial of Service
  • Description: APC PowerChute is a software package that safely shuts down computer systems when the UPS power starts to fail. Insufficient sanitization in the software exposes a denial of service issue, preventing authorized users from accessing the management console. APC PowerChute versions 6.0 through 7.0.1 are affected.
  • Ref: http://www.securityfocus.com/archive/1/369792

  • 04.30.23 - CVE: CAN-2004-0235
  • Platform: Cross Platform
  • Title: Clearswift MailSweeper Web Server Directory Traversal
  • Description: Clearswift MailSweeper is an e-mail security product. Insufficient sanitization of ".." character sequences in the HTTP GET request exposes a directory traversal issue. All products using the web server are affected.
  • Ref: http://www.securityfocus.com/bid/10243

  • 04.30.24 - CVE: Not Available
  • Platform: Web Application
  • Title: Leigh Web HelpDesk SQL Injection
  • Description: Leigh Business Enterprises Web HelpDesk runs on Microsoft Windows. Insufficient sanitization of the "id" parameter of the "jobedit.asp" script exposes an SQL injection issue. Leigh HelpDesk versions 4.0.0.80 and earlier are affected.
  • Ref: http://www.securiteam.com/windowsntfocus/5QP0M0ADGI.html

  • 04.30.25 - CVE: Not Available
  • Platform: Web Application
  • Title: Mensajeitor Tag Board Authentication Bypass
  • Description: Mensajeitor Tag Board is reportedly vulnerable to an authentication bypass issue. This is due to a failure of the application to properly handle authentication controls. This allows attackers to have administrative access to the board. All current versions are reportedly vulnerable.
  • Ref: http://www.securiteam.com/unixfocus/5UP0R0ADFW.html

  • 04.30.26 - CVE: Not Available
  • Platform: Web Application
  • Title: phpMyFAQ Image Manager Authentication Bypass
  • Description: phpMyFAQ is a FAQ manager web-application. Insufficient authentication exposes issues by which remote anonymous users can upload or delete images in the phpMyFAQ application. phpMyFAQ version 1.4 is affected.
  • Ref: http://www.phpmyfaq.de/advisory_2004-07-27.php

  • 04.30.27 - CVE: Not Available
  • Platform: Web Application
  • Title: AntiBoard Multiple Input Validation Vulnerabilities
  • Description: The AntiBoard web-based bulletin board is reportedly vulnerable to SQL injection and cross-site scripting issues. This is due to insufficient sanitization of user-input supplied through URI parameters of certain scripts. AntiBoard versions 0.7.2 and prior are affected by these issues.
  • Ref: http://secunia.com/advisories/12137/

  • 04.30.28 - CVE: Not Available
  • Platform: Web Application
  • Title: RiSearch Open Proxy Vulnerability
  • Description: RiSearch search engine package allows unauthenticated proxying capability through its "show.pl" script. This is due to insufficient sanitization of input supplied through the "url" parameter. RiSearch 1.0.01 and RiSearch Pro 3.2.06 are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/12173/

  • 04.30.29 - CVE: Not Available
  • Platform: Web Application
  • Title: EasyWeb FileManager Directory Traversal
  • Description: EasyWeb is a third-party plug-in for PostNuke CMS. It has been reported that EasyWeb is subject to a directory traversal vulnerability due to improper input sanitization. If exploited, an attacker could read arbitrary files on the system. EasyWeb FileManager 1.0 RC-1 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/369832

  • 04.30.30 - CVE: Not Available
  • Platform: Web Application
  • Title: PostNuke Install Script Administrator Password Disclosure
  • Description: PostNuke is a web-based content management system. It is reported to be vulnerable to administrator authentication credentials disclosure. The issue exists because the application fails to remove "install.php" after installation. PostNuke versions 0.73 to 0.75 Gold are reported to be vulnerable.
  • Ref: http://www.securitytracker.com/alerts/2004/Jul/1010755.html

  • 04.30.31 - CVE: Not Available
  • Platform: Web Application
  • Title: EasyIns Stadtportal Site Parameter Remote File Include
  • Description: EasyIns Stadtportal is reportedly vulnerable to a remote file include issue. This is exposed due to insufficient sanitization of user-input supplied to the "site" parameter of the "stadtportal-path/index.php" script. EasyIns Stadtportal version 4 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/369840

  • 04.30.32 - CVE: Not Available
  • Platform: Web Application
  • Title: Nucleus CMS action.php SQL Injection
  • Description: Nucleus CMS is a content management application. It has been reported that Nucleus CMS is subject to an SQL injection attack due to improper sanitization of its "action.php" script. Nucleus CMS 3.0rc through 3.1 are considered vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/369956

  • 04.30.33 - CVE: Not Available
  • Platform: Web Application
  • Title: XLineSoft ASPRunner Multiple Vulnerabilities
  • Description: XLineSoft ASPRunner is reported to be vulnerable to SQL injection, cross-site scripting, information disclosure and unauthorized access to database files. These issues exist due to a failure of the application to properly sanitize user-supplied input. ASPRunner versions 2.4 and prior are reported to be vulnerable.
  • Ref: http://ferruh.mavituna.com/article/?574

  • 04.30.34 - CVE: Not Available
  • Platform: Web Application
  • Title: PostNuke Reviews Module Cross-Site Scripting
  • Description: The PostNuke "Reviews" module is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-input supplied via the "title" parameter. Exploitation could allow for theft of cookie-based authentication credentials. PostNuke versions 0.726-3 and 0.75-RC were reported to be vulnerable.
  • Ref: http://www.swp-zone.org/archivos/advisory-10.txt

  • 04.30.35 - CVE: Not Available
  • Platform: Web Application
  • Title: MoinMoin Privilege Escalation Vulnerability
  • Description: MoinMoin is a Wiki web commenting program written in Python. It has been reported that MoinMoin is subject to an unspecified privilege escalation vulnerability. MoinMoin version 1.2.3 has been released to remedy the issue.
  • Ref: http://sourceforge.net/project/shownotes.php?group_id=8482&release_id=254801

  • 04.30.36 - CVE: CAN-2004-0359
  • Platform: Web Application
  • Title: Invision Power Board Index.php Cross-Site Scripting
  • Description: Invision Power Board is web forum software. It is reported to be vulnerable to cross-site scripting attacks. The issue exists due to improper sanitization of user-supplied input. Invision Power Board versions 2.0, 2.0 Alpha 3, 2.0 PDR3, 2.0 PF1 and 2.0 PF2 are reported to be vulnerable.
  • Ref: http://marc.theaimsgroup.com/?l=bugtraq&m=107851589701916&w=2

  • 04.30.37 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenDocMan Access Control Bypass
  • Description: The OpenDocMan document management system is reportedly vulnerable to an access control bypass issue. This occurs since the "commitchange.php" does not check for authorization before allowing remote clients to make changes. OpenDocMan versions prior to 1.2 are reported to be vulnerable.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=255785

  • 04.30.38 - CVE: Not Available
  • Platform: Web Application
  • Title: DansGuardian Hex Encoded Content Filter Bypass
  • Description: DansGuardian is a web content filter based on the Squid HTTP proxy server. Insufficient sanitization of hex characters in the content filter function exposes an access restriction bypass issue. DansGuardian versions 2.7.x and 2.8.x are affected.
  • Ref: http://secunia.com/advisories/12191/

  • 04.30.39 - CVE: CAN-2004-0681,CAN-2004-0682
  • Platform: Web Application
  • Title: Comersus Cart SQL Injection Vulnerability
  • Description: Comersus Cart is an e-commerce shopping cart application. It is reportedly affected by a remote SQL injection vulnerability. The issue exists due to improper sanitization of user-supplied input to the "username" field. Comersus Cart versions 4.x and 5.x are affected.
  • Ref: http://secunia.com/advisories/12026/

  • 04.30.40 - CVE: Not Available
  • Platform: Web Application
  • Title: JAWS ControlPanel.PHP SQL Injection
  • Description: The JAWS content management system is reportedly vulnerable to an SQL injection issue. This is due to insufficient sanitization of user input supplied through the "user" and "password" parameters of the "controlpanel.php" script. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/370411

  • 04.30.41 - CVE: Not Available
  • Platform: Web Application
  • Title: LinPHA Session Cookie SQL Injection
  • Description: LinPHA is a web application for photo galleries. Insufficient sanitization of the "linpha_userid" and "linpha_password" cookie variables in the "session.php" script exposes a SQL injection issue. LinPHA versions 0.9.4 and earlier are affected.
  • Ref: http://secunia.com/advisories/12189/

(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.

=============== A Gift For Your Unsophisticated Users ===================

OUCH: The Report On Identity Theft and Attacks On Computer Users August 2, 2004

Every day, thousands of people are fooled by emails from criminals trying to steal their identities or infect and take over their computers. This update is our attempt to help you avoid being one of the victims.

Part 1. Subject Lines You May See In Emails That Are Trying To Hurt You

I. Emails from people trying to infect your system and steal your friends' email addresses for spam
  I.1. Pictures of Osama Bin Laden hanging or Arnold Schwarzenegger's suicide note
  I.2. Email from your system administrator or other familiar sender that says your email could not be delivered, or some similar statement.
  I.3. Email with subject "Against!" or "Revenge"
  I.4. Email with subject Re_ and body with animals or foto or other subjects

II. Emails from people trying to steal your identity (and your money)
  II.1. Update Your Billing Information (from eBay)
  II.2. Your account at eBay has been suspended
  II.3. Your account at Wells Fargo has been suspended
  II.4. Notification of US Bank Internet Banking
  II.5. Attn: Citibank Update

III. Emails from people trying to fool you into hurting yourself or your friends and coworkers
  III.1. Subject: "jdbg" Virus: how to detect and remove.

Part 2. More Details About Each Attack

Part I: Emails from people trying to infect your system and steal your friends' names for spam

I.1. Name: Hackarmy

The bait: An email or news article claiming to offer you pictures of Osama Bin Laden being hanged. A second form claims to have a suicide note from Arnold Schwarzenegger.

How it infects your system: You click on a link that downloads a zip file, then open the file inside it thinking you will see the pictures.

What it does to you: Gives attackers remote control of your computer so they can use it in attacks on other people, or harvest email names for spam.

Where to find detailed information: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hacarmy.d.html

I.2. Name: Mydoom-O (also called Mydoom.M)

The bait: An email from your mail or system administrator or other familiar sender with any one of the following subjects: (1) say helo to my litl friend, (2) click me baby, (3) one more time, (4) hello, (5) error, (6) status, (7) test, (8) report, delivery failed, (9) Message could not be delivered, (10) Mail System Error - Returned Mail, (11) Delivery reports about your e-mail, (12) Returned mail: see transcript for details, (13) Returned mail: Data format error. Each has an attachment.

How it infects your system: you download and open the attachment.

What it does to you: harvests every email address it can find on your computer to be sold to spammers, and mails itself to those addresses from your machine. It also uses your system to send queries to search engines such as Google to find still more email addresses.

Where to find more detailed information: http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html

I.3. Name: Atak-C

The bait: An email that arrives with the subject "Attack!" or "Revenge" and a zipped attachment.

How it infects your system: you download and open the attachment.

What it does to you: harvests email addresses from your computer to be sold to spammers.

Where to find more detailed information: http://www.sophos.com/virusinfo/analyses/w32atakc.html

I.4. Name: Beagle

The bait: An email that arrives with the subject Re_ and an attachment.

How it infects your system: you download and open the attachment.

What it does to you: disables antivirus and other important software, mass-mails itself to others, harvests email addresses from files throughout your computer, and gives the attacker remote control of your computer to use in attacks on other systems.

Where to find more detailed information: http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39641

II. Emails from people trying to steal your identity (and your money)

II.1 Update Your Billing Information (from eBay)

The bait: An email that appears to come from eBay, saying the company has "detected a slight error in your billing information" and that you must fix it within 48 hours to continue to buy or sell on eBay.

What it tries to make you do: click on a link and tell them your eBay and PayPal username and password, and your credit/debit card information.

Where you can see how it actually appears: http://www.antiphishing.org/phishing_archive/07-27-04%20Ebay%20(Update%20Your%20Billing%20Informations).html

II.2 Your account at eBay has been suspended

The bait: An email that appears to come from eBay, saying your account has been suspended: "We had to block your eBay account."

What it tries to make you do: click on a link and tell them your eBay and PayPal username and password, and your credit/debit card information.

Where you can see how it actually appears: http://www.antiphishing.org/phishing_archive/07-26-04_Ebay_(your_account_at_ebay_has_been_suspended).html

II.3 Your account at Wells Fargo has been suspended

The bait: An email that appears to come from Wells Fargo, saying your account has been suspended because "Your account has been compromised by outside parties."

What it tries to make you do: click on a link and tell them your username, password, and credit card information.

Where you can see how it actually appears: http://www.antiphishing.org/phishing_archive/06-29-04_Wells_Fargo_(Your_account_at_Wells_Fargo_has_been_suspended).html

II.4. Notification of US Bank Internet Banking

The bait: An email that appears to come from US Bank, saying that "as a preventative measure, we have temporarily limited access to some features."

What it tries to make you do: click on a link and tell them your username, password, and credit or debit card data.

Where you can see how it actually appears: http://www.antiphishing.org/phishing_archive/07-23-04_US_Bank_(Notification_of_US_Bank_Internet_Banking).html

II.5. Attn: Citibank Update

The bait: A "Click here" link in an email that appears to come from Citibank.

What it tries to make you do: click on the link and tell them personal information and credit or debit card data.

Where you can see how it actually appears: http://www.fraudwatchinternational.com/fraud_alerts/040721_1046_citibank.htm and http://www.antiphishing.org/phishing_archive/07-21-04_Citibank_(Attn_Citibank_Update).html

II.6 Confirm AOL Billing Info

The bait: An email that appears to come from AOL, saying your billing information is out of date and asking you to "spend several minutes and update your billing records."

What it tries to make you do: click on a link and tell them personal information and credit or debit card data.

Where you can see how it actually appears: http://www.antiphishing.org/phishing_archive/07-20-04_AOL_(Confirm_AOL_billing_info).html
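Every lure in Part II works the same way: the message appears to come from a bank or marketplace and the "click here" link goes somewhere else. The script below is an added example for the security officers distributing this report, not code from the newsletter or from any of the vendors cited above. It parses a constructed sample message (modelled on the eBay billing lure, not a real capture; the IP address is a documentation address) and flags anchors whose visible text names one site while the href points to another, or whose target is a raw IP address. The registrable-domain helper is a deliberate two-label approximation, since no public-suffix list is available offline.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the "Update Your Billing Information" lure
# (not a real captured message). The visible link text claims ebay.com; the
# href goes to a raw IP address. The second link is a plausible legitimate one.
SAMPLE_EML = """\
From: "eBay Billing" <billing@ebay.com>
To: victim@example.org
Subject: Update Your Billing Information
Content-Type: text/html; charset=us-ascii

<html><body>
<p>We have detected a slight error in your billing information.
You must correct it within 48 hours to continue to buy or sell on eBay.</p>
<p><a href="http://203.0.113.7/ebay/update.php">https://www.ebay.com/billing</a></p>
<p><a href="https://pages.ebay.com/help/">eBay Help</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Assumption: last two labels approximate the registrable domain (no
    public-suffix list offline), so co.uk-style hosts are handled crudely."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(raw_message):
    """Return (href, visible text, reason) for anchors that do not go where they claim."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = LinkCollector()
    collector.feed(body)
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        # 1. Visible text is itself a URL naming a different site than the href.
        text_host = urlparse(text).hostname if "://" in text else None
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append((href, text,
                             "link text names %s but href goes to %s" % (text_host, href_host)))
            continue
        # 2. Target is a bare IP address; banks and marketplaces do not send those.
        if href_host.replace(".", "").isdigit():
            findings.append((href, text, "href target is a raw IP address"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EML):
        print("SUSPICIOUS: %s -> %s (%s)" % (text, href, reason))
```

Run against the sample, the first anchor is reported because its text claims www.ebay.com while its href goes to 203.0.113.7; the "eBay Help" link passes. This is a filter for the two tricks used by the lures listed above, not a general phishing detector: a lure whose link text is just "Click here" and whose href is a registered look-alike domain would pass both checks, which is why the advice to users remains not to follow links in such emails at all.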

III. Emails from people trying to fool you into hurting yourself or your friends and coworkers

III.1. jdbg Hoax

The bait: An email warning you about a virus and telling you how to remove it.

Example: Subject: "jdbg" Virus: how to detect and remove. The message may also tell you to look for a teddy bear on your machine, because the file's icon is a teddy bear.

What it is trying to make you do: delete jdbgmgr.exe, a legitimate Windows file (the Microsoft Debugger Registrar for Java) that is not harmful.

Where to find more information: http://www.symantec.com/avcenter/venc/data/jdbgmgr.exe.file.hoax.html

==end==

Thanks to CipherTrust for helping to provide some of the data on which this issue was based.

Copyright, 2004. The SANS Institute. Information security officers have permission to redistribute this material to employees of their organizations. Anyone else wanting to redistribute it must get prior written approval by telling us the groups to whom you would redistribute it and requesting approval. Email info@sans.org with subject "Permission to redistribute security awareness newsletter."