@RISK: The Consensus Security Vulnerability Alert

Volume: III, Issue: 32
August 16, 2004

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                        # of Updates & Vulnerabilities
    ------------------------------  ------------------------------
    Windows                         1 (#9)
    Other Microsoft Products        2
    Third Party Windows Apps        5 (#1)
    Linux                           1
    Solaris                         1
    Unix                            5 (#2, #6, #7)
    Cross Platform                  8 (#3, #4)
    Web Application                 15 (#5)
    Network Device                  3
    Hardware                        1

******************** Security Training Update *************************

Featured Security Training Program: SANS Network Security 2004 Las Vegas, NV September 28 - October 6, 2004

The largest training conference in the world with 16 immersion training tracks and a large security exposition. Great courses for security managers and CISOs, for security experts, for auditors, for forensics scientists, and even for those just starting out. And Las Vegas is a great place to visit in the fall.

Register soon to get a seat at your choice of courses. http://www.sans.org/ns2004

***********************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Linux
Solaris
Unix
Cross Platform
Web Application
Network Device
Hardware

************************** SPONSORED LINK ***************************

Note: some of these links take you to a non-SANS site.

(1) Free Download - Take full control of remote access & support security with NetOp Remote Control from CrossTec http://www.sans.org/info.php?id=554

***********************************************************************

PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) MODERATE: Adobe Acrobat Reader Uudecode Multiple Vulnerabilities
  • Affected: Adobe Acrobat Reader version 5.05 and 5.06 on UNIX platforms
  • Description: Adobe Acrobat Reader, the widely used PDF viewer, reportedly contains multiple vulnerabilities in its "uudecoding" feature. The uuencode function converts binary data to printable ASCII characters; for instance, it is typically used to convert binary e-mail attachments to text form. The uudecode function converts the uuencoded data back to the original binary. Adobe Acrobat Reader automatically attempts to decode a uuencoded PDF file. The decoding function contains the following vulnerabilities: (a) a buffer overflow that can be triggered by an overlong file name; (b) a remote command injection vulnerability that can be triggered by a specially crafted file name, i.e., one containing shell metacharacters. A malicious web page or e-mail attachment may exploit these flaws to execute arbitrary code on a client system with the privileges of the logged-on user.

  • Status: The vendor has not confirmed the flaw publicly, but version 5.0.9 is reportedly not vulnerable.

  • Council Site Actions: Only two reporting sites are using the affected software on UNIX platforms. They are not treating this as a high priority and will distribute the patches during their next regularly scheduled system update process.

  • References:
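
Both flaws described above originate in the file name carried by the uuencoded "begin" line, which is attacker-controlled input. The strict decoder below is added here as an illustration; it is not Adobe's code and not part of the original bulletin. It validates that name against an allowlist and a length limit before decoding a single byte of the body, and only ever hands it to a viewer as one argv element so that no shell parses it. The MAX_NAME_LEN value, the viewer_argv helper and the sample document are assumptions constructed for this example.

```python
import binascii
import posixpath
import re
from typing import List, Tuple

# Added illustration of a strict uudecoder (hypothetical code, not Adobe's):
# the "begin <mode> <name>" header is untrusted input, so the name is
# validated before the body is decoded and is only ever used as a single
# argv element, never interpolated into a shell command string.

_BEGIN_RE = re.compile(r"^begin (?P<mode>[0-7]{3,4}) (?P<name>.*)$")
# Allowlist for a bare file name: printable ASCII alphanumerics, dot, dash
# and underscore.  Backticks, $, ;, quotes, spaces, slashes and control
# characters all fall outside it and are rejected rather than escaped.
_SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
MAX_NAME_LEN = 255  # assumed limit; choose one that fits the target filesystem


def validate_filename(name: str, max_len: int = MAX_NAME_LEN) -> str:
    """Return name if it is a safe bare file name, otherwise raise ValueError."""
    if len(name) > max_len:               # flaw (a): overlong name
        raise ValueError(f"file name longer than {max_len} characters")
    if not _SAFE_NAME_RE.match(name):     # flaw (b): metacharacters, separators
        raise ValueError("file name contains characters outside the allowlist")
    return name


def uudecode(text: str) -> Tuple[str, bytes]:
    """Parse a uuencoded document; return (validated name, decoded payload)."""
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty input")
    header = _BEGIN_RE.match(lines[0])
    if header is None:
        raise ValueError("missing 'begin <mode> <name>' header")
    name = validate_filename(header.group("name"))  # reject before decoding
    payload = bytearray()
    for line in lines[1:]:
        if line == "end":
            return name, bytes(payload)
        if line == "":
            # a2b_uu decodes an empty line as 32 NUL bytes; refuse it instead
            raise ValueError("blank line inside uuencoded body")
        try:
            payload += binascii.a2b_uu(line)  # the "`" line decodes to zero bytes
        except binascii.Error as exc:
            raise ValueError(f"malformed data line: {exc}") from exc
    raise ValueError("missing 'end' trailer")


def viewer_argv(viewer: str, directory: str, name: str) -> List[str]:
    """Build the argv list for handing the decoded file to a viewer.

    An argv list keeps the file name a single argument: a backtick or a
    semicolon inside it is just a byte, because no shell ever parses it.
    """
    return [viewer, posixpath.join(directory, validate_filename(name))]


def rejects(text: str) -> bool:
    """True if uudecode refuses the document (used by the checks below)."""
    try:
        uudecode(text)
    except ValueError:
        return True
    return False


# Constructed sample: the three-byte file "Cat", whose uuencoding is "#0V%T".
SAMPLE = "begin 644 cat.txt\n#0V%T\n`\nend\n"

if __name__ == "__main__":
    print(uudecode(SAMPLE))                                       # ('cat.txt', b'Cat')
    print(rejects("begin 644 bad`name.pdf\n#0V%T\n`\nend\n"))     # True
    print(rejects("begin 644 " + "A" * 300 + ".pdf\n#0V%T\n`\nend\n"))  # True
```

The order matters: the name is checked before the body is touched, so an overlong or metacharacter-laden header never reaches a fixed-size buffer or a command line. Escaping the name for a shell would be the weaker fix; refusing it and never invoking a shell removes the whole class.
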

Other Software
  • (4) HIGH: GNU Cfengine RSA Authentication Heap Corruption
  • Affected: cfservd versions 2.0.0 to 2.1.7p1
  • Description: Cfengine, or the "configuration engine", is used to build expert systems that administer and configure large computer networks of UNIX/Linux systems. The cfengine server (cfservd) contains a heap-based buffer overflow vulnerability in its RSA authentication module. The flaw can be exploited by an unauthenticated attacker to possibly execute arbitrary code with the privileges of the cfservd daemon, typically root. In a typical site configuration however, the central cfengine server only allows connections from systems that are being managed. Thus, an attacker would need to compromise or masquerade as one of these authorized systems in order to wage a successful attack. A proof of concept exploit has been publicly posted.

  • Status: Vendor confirmed; version cfengine-2.1.8 contains the fixes. Traffic to the cfengine server port (5308/tcp by default) can also be blocked at the network perimeter.

  • Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:

  • (6) MODERATE: Xine "vcd:" Input Source Identifier Buffer Overflow
  • Affected: Xine-lib version 1-rc5 and prior
  • Description: Xine is a multimedia player for Linux systems that can play CDs, VCDs or DVDs. The player contains a stack-based overflow that can be triggered by a specially crafted media file. The problem occurs because xine does not perform bounds checking on the source identifier associated with the "vcd://" URL in a media file. A malicious media file posted on a website or attached to an e-mail may exploit the flaw to execute arbitrary code on a client system. Exploit code has been publicly posted.

  • Status: Vendor confirmed; a fixed version of the source code can be downloaded from CVS. Note that Xine ships by default with some Linux distributions.

  • Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:

Exploit Code
  • (7) CVS Server ArgumentX Command Buffer Overflow Exploit
  • Description: An exploit has been posted for the CVS server ArgumentX command implementation vulnerability, which was discussed in a prior issue of the @RISK newsletter. The exploit reportedly works on Red Hat 8.0 and spawns a command shell on port 30464/tcp.

  • Council Site Updates: No actions reported by the council sites on this vulnerability.

  • References:
Patches

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 32, 2004

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3651 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 04.32.1 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Windows Internet Connection Firewall Filter Bypass
  • Description: Microsoft Windows Internet Connection Firewall is a network packet filter that ships with recent Windows releases. Due to a race condition during boot, it has been reported that the firewall is inactive for a window in which network services are already reachable. Windows XP SP2 has been released to remedy this issue.
  • Ref: http://www.microsoft.com/athome/security/protect/default.aspx

  • 04.32.2 - CVE: CAN-2004-0203
  • Platform: Other Microsoft Products
  • Title: Microsoft Exchange Outlook Web Access Script Injection Vulnerability
  • Description: Microsoft Exchange Outlook Web Access (OWA) is subject to a script injection issue. Insufficient sanitization of input supplied through HTML redirect queries exposes this issue. Exchange Server 5.5 is reported to be affected.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms04-026.mspx

  • 04.32.3 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer mms Protocol Handler Vulnerability
  • Description: Microsoft Internet Explorer (IE) has been reported to be vulnerable to a remote command execution issue due to insufficient sanitization of "mms" protocol URLs. Malicious links, once followed, could execute arbitrary commands on the affected client computer. All current versions of IE are considered to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/370959

  • 04.32.4 - CVE: CAN-2004-0163
  • Platform: Third Party Windows Apps
  • Title: Sygate Secure Enterprise Remote Denial of Service
  • Description: Sygate Secure Enterprise is a set of security products, consisting of a server and multiple agents, which include intrusion detection, a firewall, and enterprise security policy management. Weak security measures in the communication between the agents and the server can allow a malicious user to cause a denial of service. Sygate Secure Enterprise versions earlier than 3.5MR3 are affected.
  • Ref: http://www.corsaire.com/advisories/c031120-001.txt

  • 04.32.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Shuttle FTP Directory Traversal Vulnerability
  • Description: Shuttle FTP Suite is a Microsoft Windows application that contains multiple network services. It is reported to be vulnerable to a directory traversal issue. The issue presents itself when a path contains "../" directory traversal characters or absolute paths. Version 3.2 has been reported susceptible to this vulnerability.
  • Ref: http://secunia.com/advisories/12270/

  • 04.32.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: AOL Instant Messenger Away Message Remote Buffer Overflow
  • Description: AOL Instant Messenger is reportedly vulnerable to a remote buffer overflow issue. This condition is exposed when an overly long "Away" message is sent to the application. This could cause at least a denial of service condition, or potentially even remote code execution on the vulnerable host. AOL Instant Messenger version 5.5.3595 is reported to be vulnerable.
  • Ref: http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities&flashstatus=true

  • 04.32.7 - CVE: CAN-2003-0105
  • Platform: Third Party Windows Apps
  • Title: ServerMask Improper Header Anonymization Weakness
  • Description: ServerMask from port80 is an IIS web server ISAPI filter used as an HTTP response header anonymizer. It is reported to have a weakness that allows servers to be identified as IIS. The "ETag", "Allow" and HTTP error 404 status messages are left untouched by ServerMask. ServerMask versions 2.2 and prior are reported to contain this weakness.
  • Ref: http://seclists.org/lists/vulnwatch/2004/Jul-Sep/0021.html

  • 04.32.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Clearswift MAILsweeper SMTP Denial of Service
  • Description: MAILsweeper for SMTP is an application for filtering e-mail content. It has been reported that MAILsweeper is vulnerable to a denial of service condition when processing malformed Microsoft PowerPoint files. MAILsweeper for SMTP versions 4.3.14 and earlier are considered vulnerable to this issue.
  • Ref: http://download.mimesweeper.com/www/Patches/MAILsweeper_Patches_495ReadMe.htm

  • 04.32.9 - CVE: Not Available
  • Platform: Linux
  • Title: YaST2 Utility Library Buffer Overflow
  • Description: YaST2 is the default package manager for the SuSE Linux platform. The YaST2 utility library "liby2util" is affected by a buffer overflow vulnerability due to insufficient file validation. A maliciously constructed file could result in the execution of arbitrary code when YaST2 attempts to utilize it. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/10867/info/

  • 04.32.10 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris XDMCP Unspecified Denial Of Service
  • Description: XDMCP (X Display Manager Control Protocol) is the protocol used by X Window System display managers to handle remote network connections. The Sun Solaris xdm(1) daemon is reported to be vulnerable to an unspecified denial of service issue when handling malformed XDMCP UDP datagrams. Solaris 7, 8, and 9 for both SPARC and x86 platforms are reported to be vulnerable.
  • Ref: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57619

  • 04.32.11 - CVE: Not Available
  • Platform: Unix
  • Title: KDE Konqueror Cross-Domain Frame Loading Vulnerability
  • Description: Konqueror is a web browser distributed by the KDE project. A cross-domain frame loading issue is exposed due to a failure of the application to verify that all of the frame contents of a page originate from the same source. KDE Konqueror versions 3.2.3 and earlier are vulnerable.
  • Ref: http://www.osvdb.org/displayvuln.php?osvdb_id=7867

  • 04.32.12 - CVE: CAN-2004-0630
  • Platform: Unix
  • Title: Acrobat Reader Shell Metacharacter Remote Code Execution
  • Description: Adobe Acrobat Reader is an application for reading PDF files. The application automatically converts uuencoded documents into their original formats, but fails to check for a backtick shell metacharacter in the file name of the document allowing remote code execution. Adobe Acrobat Reader version 5.0 for Unix platforms is affected.
  • Ref: http://www.idefense.com/application/poi/display?id=124&type=vulnerabilities&flashstatus=true

  • 04.32.13 - CVE: Not Available
  • Platform: Unix
  • Title: xine-lib Remote Buffer Overflow
  • Description: Xine is a multimedia player that uses the xine-lib library. Insufficient sanitization of the "filename" parameter via the "vcd://" URL exposes a buffer overflow issue. xine-lib rc-5 and earlier versions are affected. Xine versions 0.99.2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/10890

  • 04.32.14 - CVE: Not Available
  • Platform: Unix
  • Title: SpamAssassin GTUBE Denial of Service
  • Description: SpamAssassin is a mail filter that identifies and processes spam. Incorrect processing of mails with the GTUBE string exposes an access circumvention weakness and subsequent denial of service in the application. SpamAssassin versions 2.64 and earlier are reported to be affected.
  • Ref: http://www.securityfocus.com/advisories/7044

  • 04.32.15 - CVE: Not Available
  • Platform: Unix
  • Title: Rsync Path Escaping Vulnerability
  • Description: The rsync program is used to synchronize files and directory structures across a network. It is reported to allow reading and writing files outside of the configured module path. The issue exists due to improper sanitization of user-supplied input in the "sanitize_path()" function.
  • Ref: http://rsync.samba.org/#security_aug04

  • 04.32.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: GeNUGate Multiple Denial Of Service
  • Description: GeNUA GeNUGate is a firewall product that supports application-level proxying and packet filtering. It has been revealed that GeNUGate is susceptible to two unspecified denial of service vulnerabilities: components that utilize OpenSSL are considered vulnerable, as is its processing of ISAKMP packets. All current versions are reported as being vulnerable.
  • Ref: http://www.genua.de/support/ggc/patches/patches_5_0_html

  • 04.32.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Vendor Graphics Driver Remote Denial of Service
  • Description: It has been reported that the graphics device drivers from multiple vendors are vulnerable to a denial of service condition. This issue is exposed when a JPEG image is loaded into a browser via an HTML IMG tag with height and width dimensions of 9999999. This causes an affected platform to take up 100% of the CPU processing cycles and results in a denial of service condition.
  • Ref: http://www.securityfocus.com/bid/10913/credit/

  • 04.32.18 - CVE: CAN-2004-0775
  • Platform: Cross Platform
  • Title: WIDCOMM Bluetooth Communication Software Buffer Overflow
  • Description: WIDCOMM provides Bluetooth Communication Software for embedded devices. Insufficient sanitization of service requests made by remote users can expose a denial of service condition. These issues have been verified in BTStackServer versions 1.3.2.7 and 1.4.2.10 running on Microsoft Windows XP and Windows 98, and on an HP iPAQ 5450 running WinCE 3.0 with Bluetooth software version 1.4.1.03.
  • Ref: http://www.pentest.co.uk/documents/ptl-2004-03.html

  • 04.32.19 - CVE: CAN-2004-0500
  • Platform: Cross Platform
  • Title: Gaim Multiple MSN Protocol Buffer Overflows
  • Description: Gaim is an instant messaging client. It is reported that there are multiple unspecified buffer overflow vulnerabilities in the MSN protocol module in Gaim. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/10865

  • 04.32.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Neon WebDAV Client Library Unspecified Vulnerability
  • Description: Neon is a client side library supporting HTTP and WebDAV interfaces. An unspecified vulnerability was reported for the library. It is conjectured, though not confirmed, that this issue could allow remote code execution. Neon client library versions 0.19.3 through 0.24.5 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/7021

  • 04.32.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Tabbrowser Preferences (TBP) Mozilla Extension Information Disclosure
  • Description: Tabbrowser Preferences (TBP), by Bradley Chapman, is an extension for Mozilla Firefox browsers. When the "Load URLs in new tabs" option is selected, the newly opened URLs receive an HTTP Referer header naming the site in the previous tab, causing an information disclosure issue. TBP versions 0.6.7 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/10896/info/

  • 04.32.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: GNU Cfengine AuthenticationDialogue Heap Based Buffer Overrun
  • Description: GNU Cfengine is a software application for automating the administration and maintenance of large networks. One of its components, cfservd, is reported to be vulnerable to a remote heap-based buffer overrun. The issue exists due to insufficient boundary checks performed on challenge data in the "AuthenticationDialogue()" function. Versions 2.0.0 to 2.1.7p1 are reported to be vulnerable.
  • Ref: http://www.coresecurity.com/common/showdoc.php?idx=387&idxseccion=10

  • 04.32.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Kerio Mailserver Multiple Unspecified Vulnerabilities
  • Description: Kerio MailServer is a mail server designed for use with Microsoft Windows, Linux and Unix variant systems. It is reported to be vulnerable to multiple unspecified issues. All versions prior to 6.0.1 are considered to be vulnerable.
  • Ref: http://www.kerio.com/kms_download.html

  • 04.32.24 - CVE: Not Available
  • Platform: Web Application
  • Title: MIMEsweeper Web Server Directory Traversal
  • Description: Clearswift MIMEsweeper is an e-mail filtering product. A directory traversal weakness has been revealed due to insufficient sanitization of user-supplied input in its web administration interface. This vulnerability affects MIMESweeper Web 5.0.1 and has been fixed as of version 5.0.4.
  • Ref: http://www.securityfocus.com/archive/1/371459/2004-08-10/2004-08-16/2

  • 04.32.25 - CVE: Not Available
  • Platform: Web Application
  • Title: Simple Form Mail Relay Vulnerability
  • Description: Simple Form is a web application for form processing. It has been reported that attackers can use this application as a mail relay due to insufficient sanitization of user-supplied URL arguments. Simple Form versions 1.0 through 2.1 are considered to be vulnerable. The vendor has released version 2.2 to remedy the issue.
  • Ref: http://worldcommunity.com/opensource/utilities/simple_form.html

  • 04.32.26 - CVE: Not Available
  • Platform: Web Application
  • Title: MapInfo Discovery Multiple Remote Vulnerabilities
  • Description: MapInfo Discovery is a web application for map cataloging and viewing. It is designed to work with MapInfo Professional (a map-making application). It is reported vulnerable to multiple issues. The issues exist due to improper sanitization of user-supplied input. MapInfo Discovery versions 1.0 and 1.1 are reported to be vulnerable.
  • Ref: http://www.idefense.com/application/poi/display?id=122&type=vulnerabilities&flashstatus=true

  • 04.32.27 - CVE: Not Available
  • Platform: Web Application
  • Title: Softcart CGI Buffer Overflow Vulnerability
  • Description: Mercantec SoftCart is a web based shopping cart package. It has been reported that SoftCart is susceptible to a remotely exploitable buffer overrun in its URL processing handlers. This could allow for remote code execution. Softcart version 4.00b on BSDi/4.3 systems is known to be vulnerable.
  • Ref: http://www.metasploit.com/projects/Framework/exploits.html#mercantec_softcart

  • 04.32.28 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Nuke God Admin Access Bypass
  • Description: PHP-Nuke is a freeware content management system. Insufficient sanitization of user-supplied input exposes an access bypass issue. PHP-Nuke versions 7.3 and earlier are affected.
  • Ref: http://www.geocities.com/y3d1ps/adv/adv01-2004.txt

  • 04.32.29 - CVE: Not Available
  • Platform: Web Application
  • Title: IceWarp Web Mail Multiple Undisclosed Remote Vulnerabilities
  • Description: IceWarp Web Mail is a web mail application. It is reportedly vulnerable to multiple unspecified issues including SQL injection, account manipulation, cross-site scripting, information disclosure and local file-system access. All versions of IceWarp Web Mail prior to 5.2.8 are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/12269/

  • 04.32.30 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB Fetch All SQL Injection
  • Description: phpBB Fetch All is an API for phpBB. It facilitates the inclusion of phpBB forum data in PHP pages. It is reportedly vulnerable to an SQL injection weakness due to insufficient user input sanitization. Properly exploited, this could allow for the manipulation of sensitive data in the underlying database. phpBB Fetch All versions prior to 2.0.12 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/10868

  • 04.32.31 - CVE: Not Available
  • Platform: Web Application
  • Title: CVSTrac filediff Remote Command Execution
  • Description: CVSTrac is a web-based bug tracking system for CVS. CVSTrac is subject to a remote command execution vulnerability due to insufficient input validation. CVSTrac versions 1.1 through 1.1.3 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/370955

  • 04.32.32 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB Login.php Cross-Site Scripting Weakness
  • Description: phpBB is a web forum application written in PHP. It has been reported that phpBB is susceptible to a cross-site scripting vulnerability in its "login.php" script due to insufficient sanitization of user-supplied input. All current versions are considered to be vulnerable.
  • Ref: http://www.phpbb.com/support/documents.php?mode=changelog

  • 04.32.33 - CVE: Not Available
  • Platform: Web Application
  • Title: PluggedOut Blog Blog_Exec.PHP Cross-Site Scripting
  • Description: PluggedOut Blog is a web-based online journal and diary. The "blog_exec.php" is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of the "blogid" URL parameter. PluggedOut Blog versions 1.51 beta and 1.60 alpha are reported to be vulnerable.
  • Ref: http://www.securitytracker.com/alerts/2004/Aug/1010894.html

  • 04.32.34 - CVE: Not Available
  • Platform: Web Application
  • Title: Moodle post.php Cross-Site Scripting
  • Description: Moodle is a course management system (CMS) designed for online courseware and e-learning. Insufficient sanitization of the "reply" variable in the "post.php" script exposes a cross-site scripting issue. Moodle versions 1.3 and earlier are affected.
  • Ref: http://secunia.com/advisories/12262/

  • 04.32.35 - CVE: Not Available
  • Platform: Web Application
  • Title: YaPiG Remote Server-Side Script Execution
  • Description: Yet Another PHP Image Gallery (YaPiG) is an image gallery web application. It has been reported that a vulnerability exists in YaPiG's "add_comment.php" script due to insufficient sanitization of user-supplied input. Successfully leveraged, this weakness would allow a remote attacker to execute malicious script code on a vulnerable server. YaPiG version 0.92b is reported to be vulnerable.
  • Ref: http://yapig.sourceforge.net/index.php

  • 04.32.36 - CVE: Not Available
  • Platform: Web Application
  • Title: PluggedOut Blog Calendar Module Cross-Site Scripting
  • Description: The PluggedOut blog is reportedly vulnerable to a cross-site scripting issue in its "calendar" module. This occurs due to insufficient user-input sanitization of the URL parameters supplied to the module. This could lead to theft of cookie-based authentication credentials. PluggedOut blog versions 1.60 alpha and 1.51 beta are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/10894/

  • 04.32.37 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPGroupWare Authentication Credential Disclosure
  • Description: PHPGroupWare is a groupware system. During administration and setup, passwords are transmitted in plaintext cookies, allowing man-in-the-middle theft of authentication credentials. PHPGroupWare versions earlier than 0.9.16.002 are affected.
  • Ref: http://www.securityfocus.com/bid/10895/info/

  • 04.32.38 - CVE: Not Available
  • Platform: Web Application
  • Title: Keene Digital Media Server Multiple Vulnerabilities
  • Description: Keene Digital Media Server (DMS) is reportedly vulnerable to multiple security issues. A directory traversal condition is exposed when "%2e%2e/" character sequences are used in HTTP GET requests to escape out of the web-root directory. An authentication bypass condition is exposed when the administrative script "/dms/adminusers.aspx" is accessed directly. Reportedly, no authentication is required to access this script, which can be used to administrate the application. Version 1.0.2 of the software is reported to be vulnerable.
  • Ref: http://secunia.com/advisories/12272/
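
Three entries in this list (04.32.5 Shuttle FTP, 04.32.15 rsync and 04.32.38 Keene DMS) are the same defect: a client-supplied path is joined to a configured root without first being confined to it. The function below is an added illustration, not code from any of those products, of the lexical confinement check such a service needs. It decodes percent-encoding once, refuses double encoding, absolute paths and backslash separators, normalizes the remainder and rejects anything that still climbs above the root. The root path and the sample requests are constructed for this example.

```python
import posixpath
from urllib.parse import unquote

# Added illustration (hypothetical code, not rsync's, Shuttle FTP's or Keene's):
# confine a client-supplied path to a configured root.  Each trick from the
# advisories is handled explicitly: percent-encoded dots ("%2e%2e/"), literal
# "../", absolute paths, backslash separators and double encoding.


def confine_path(root: str, requested: str) -> str:
    """Return the path under `root` that `requested` names, or raise ValueError.

    The check is purely lexical, so it runs on the request before anything
    touches the filesystem; symlinks need a second, realpath-based check.
    """
    decoded = unquote(requested)           # "%2e%2e/" becomes "../" before any test
    if "%" in decoded:
        # A second encoding layer ("%252e") survives one decode.  Refuse it
        # rather than guess how many times a downstream layer will decode.
        raise ValueError("double-encoded path rejected")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    decoded = decoded.replace("\\", "/")   # Windows services accept both separators
    if decoded.startswith("/"):
        raise ValueError("absolute path rejected")
    if len(decoded) > 1 and decoded[1] == ":":
        raise ValueError("drive-qualified path rejected")
    norm = posixpath.normpath(decoded)     # collapses "a/../b" and "a//b"
    if norm == ".":
        return root                        # an empty request names the root itself
    if norm == ".." or norm.startswith("../"):
        raise ValueError("path escapes the configured root")
    return posixpath.join(root, norm)


def escapes_root(root: str, requested: str) -> bool:
    """True if confine_path refuses the request (used by the checks below)."""
    try:
        confine_path(root, requested)
    except ValueError:
        return True
    return False


# Constructed sample requests against an assumed module root.
ROOT = "/srv/ftp"
SAMPLES = [
    "docs/a.txt",              # plain relative path: served
    "docs/../a.txt",           # still inside the root after normalisation: served
    "../../outside.txt",       # literal traversal: refused
    "%2e%2e/outside.txt",      # percent-encoded traversal: refused
    "%252e%252e/outside.txt",  # double-encoded traversal: refused
    "/outside.txt",            # absolute path: refused
    "..\\..\\outside.txt",     # backslash traversal: refused
]

if __name__ == "__main__":
    for req in SAMPLES:
        try:
            print(f"{req!r:28} -> {confine_path(ROOT, req)}")
        except ValueError as exc:
            print(f"{req!r:28} -> refused: {exc}")
```

Decoding exactly once and then refusing any remaining "%" is deliberate: a server that decodes in one layer and checks in another is where "%2e%2e/" slips through. At open time, resolve the returned path with os.path.realpath and confirm it still starts with the realpath of the root, which catches symlinks planted inside the tree that a lexical check cannot see.
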

  • 04.32.39 - CVE: CAN-2004-0593
  • Platform: Network Device
  • Title: Sygate Enforcer Bypass Vulnerability
  • Description: The Sygate Enforcer firewall device is reportedly vulnerable to an authentication bypass issue. It is supposed to act as a packet filter, limiting internal-network access to only authenticated hosts. However, it fails to prevent external broadcast traffic from reaching the internal hosts. Sygate Enforcer versions prior to 3.5MR1 are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/371340

  • 04.32.40 - CVE: Not Available
  • Platform: Network Device
  • Title: Nokia IPSO Unspecified Remote Denial of Service
  • Description: The Nokia IP Security Operating System (IPSO) is reported to be vulnerable to a remote denial of service condition when exposed to a SYN flood attack. IPSO versions 3.5 through 3.8 are affected by this issue.
  • Ref: http://secunia.com/advisories/12280/

  • 04.32.41 - CVE: Not Available
  • Platform: Network Device
  • Title: Symantec Clientless VPN Gateway 4400 Series Multiple Vulnerabilities
  • Description: Symantec Clientless VPN Gateway is a remote access appliance that facilitates VPN access. Various cross-site scripting, ActiveX and HTML file browser issues have been identified in version 5.0 of the 4400 series.
  • Ref: ftp://ftp.symantec.com/public/english_us_canada/products/sym_clientless_vpn/sym_clientless_vpn_5/updates/hf3-readme.txt

  • 04.32.42 - CVE: CAN-2004-0641
  • Platform: Hardware
  • Title: SpeedTouch Modem TCP Sequence Number Predictability
  • Description: Thomson SpeedTouch is an ADSL Modem. A weakness in the TCP algorithm in the modem generates predictable initial TCP sequence numbers. This allows attackers to inject packets into TCP data streams. SpeedTouch firmware versions GV8BAA3.270 (1003825) and earlier are affected.
  • Ref: http://www.idefense.com/application/poi/display?id=120&type=vulnerabilities&flashstatus=true

(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org