
@RISK: The Consensus Security Vulnerability Alert

Volume: III, Issue: 33
August 23, 2004

Internet Explorer has another critical vulnerability (#1 below) even when Service Pack 2 of Windows XP is installed. Microsoft is slow to respond.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                          # of Updates & Vulnerabilities
    --------------------------------  ------------------------------
    Other Microsoft Products          2 (#1, #3)
    Third Party Windows Application   2 (#2, #6)
    Linux                             1
    Unix                              6
    Cross Platform                    7 (#4, #5)
    Web Application                   13
    Network Device                    2

******************** Security Training Update *************************

Featured Security Training Program: SANS Network Security 2004 Las Vegas, NV September 28 - October 6, 2004

The largest training conference in the world with 16 immersion training tracks and a large security exposition. Great courses for security managers and CISOs, for security experts, for auditors, for forensics scientists, and even for those just starting out. And Las Vegas is a great place to visit in the fall.

Register soon to get a seat at your choice of courses. http://www.sans.org/ns2004

***********************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Linux
Unix
Cross Platform
Web Application
Network Device
PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) MODERATE: Adobe Acrobat ActiveX Control Buffer Overflow
  • Affected:
    • Adobe Acrobat and Adobe Acrobat Reader version 5.0.5
    • Adobe Acrobat and Adobe Reader version 6.0.x
  • Description: The Adobe Acrobat Reader for Windows ships with an ActiveX control (pdf.ocx) that is responsible for displaying a PDF document within a web browser. This ActiveX control contains a heap-based buffer overflow. The flaw can be triggered by an overlong PDF filename that contains a URL-encoded null (%00) character. A malicious webpage or an HTML email may exploit this flaw to execute arbitrary code on a client system. Viewing the malicious webpage or the email is sufficient to trigger the flaw; that is, no user interaction is necessary, because the PDF file name can be referenced from an image or a frame tag. The technical details required to exploit the vulnerability have been publicly posted.

  • Status: Adobe reported that Adobe Reader version 6.0.2 is not vulnerable; the vulnerability reporters claim otherwise. A suggested workaround is to disable the "Display PDF in browser" Internet setting in Adobe Acrobat and Acrobat Reader.

  • Council Site Actions: Most sites are awaiting additional vendor response to this item before they plan a remediation. Several sites are already running version 6.0.2. One site will rely on Acrobat Reader's built-in update functionality, in which the application periodically checks an adobe.com site for newer versions and asks the user whether to update, as their primary update method.

  • References:
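The trigger described above has two observable traits in an HTTP request: a PDF resource whose path carries a URL-encoded null, or whose file name is far longer than any legitimate document name. As an added example (not part of the bulletin, and not a TippingPoint or Adobe signature), the following detector applies those two checks to constructed proxy log lines; the log format, the host names and the 255-byte length threshold are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed sample proxy log lines (not from the bulletin):
# timestamp, client, method, URL, HTTP status.
SAMPLE_LOG = """\
2004-08-20T10:01:02 10.0.0.5 GET http://intranet.example.com/docs/policy.pdf 200
2004-08-20T10:01:09 10.0.0.5 GET http://www.example.org/index.html 200
2004-08-20T10:02:33 10.0.0.7 GET http://evil.example.net/files/report.pdf%00AAAA 200
2004-08-20T10:03:10 10.0.0.9 GET http://evil.example.net/{long}.pdf 200
""".format(long="A" * 600)

# Assumed threshold: legitimate PDF file names are far shorter than this.
MAX_PDF_NAME_LEN = 255

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def classify_url(url):
    """Return the reasons a URL matches the pdf.ocx trigger shape, or [] if none."""
    path = urlsplit(url).path
    raw = unquote_to_bytes(path)  # %00 becomes a real NUL byte after decoding
    reasons = []
    # Trait 1 from the bulletin: a URL-encoded null inside a PDF path.
    if b"\x00" in raw and b".pdf" in raw.lower():
        reasons.append("encoded null in PDF path")
    # Trait 2: an overlong PDF file name (the last path segment).
    name = raw.rsplit(b"/", 1)[-1]
    if b".pdf" in name.lower() and len(name) > MAX_PDF_NAME_LEN:
        reasons.append("overlong PDF file name (%d bytes)" % len(name))
    return reasons


def scan_log(text):
    """Return (client, url, reasons) for every log line that trips a check."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        reasons = classify_url(m.group("url"))
        if reasons:
            hits.append((m.group("client"), m.group("url"), reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url[:60], "; ".join(reasons))
```

Percent-decoding before inspection matters: a check on the raw URL text would miss variants such as `%2500` double-encoding only if the proxy decodes once, so apply the check to the form the browser actually hands to the control.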
  • (3) LOW: Internet Explorer Address Bar Spoofing
  • Affected:
    • Internet Explorer version 6.0
    • Possibly older versions of Internet Explorer
  • Description: This vulnerability in Internet Explorer allows a malicious webpage to spoof the location address bar, such that it appears to be a trusted site. The problem can be triggered by forcing Internet Explorer to open an unknown protocol URL multiple times and then using the "history.back()" function. For instance, the proof-of-concept exploit uses "res2res://", an unknown protocol. The flaw can be exploited by enticing users to visit a specially crafted webpage. An attacker can potentially steal information such as usernames, passwords or other personal information. Note that a large number of "phishing" scams have been reported that exploit similar vulnerabilities (see http://www.antiphishing.org).

  • Status: Microsoft has not confirmed the issue, and no patches are available. Windows XP SP2 is reportedly not vulnerable. Users should be advised not to enter personal information on any webpage that they reach by clicking a link in an email or on another webpage.

  • Council Site Actions: All council sites submitted a similar response for this item. They are waiting for a patch to be released and will distribute it during one of their normal system update processes or via Microsoft's automatic update method. Some sites are investigating deploying an alternate browser such as Firefox, while others are limited to IE due to internal applications. Some sites sent out an email notification to their users.

  • References:
Other Software
  • (5) MODERATE: Multiple FTP Servers Signal Handling Vulnerabilities
  • Affected:
    • lukemftpd alias tnftpd version prior to 20040810
    • Heimdal ftpd version 0.6.2
    • KerberosV ftpd, assumed current version
  • Description: The lukemftpd server ships with NetBSD, FreeBSD, MacOS and some flavors of Linux. Its code base also has similarities with the Heimdal FTP server and the KerberosV FTP server. All of these FTP servers contain multiple vulnerabilities in their handling of "signals", which may be delivered to the server via out-of-band TCP data. The flaws can be exploited by authenticated users, and in certain cases even by anonymous users, to obtain root privileges on the server. The technical details have been publicly posted.

  • Status: Vendor(s) confirmed, updates available from some vendors. A workaround is to disable anonymous access and run the ftp server with non-root privileges.

  • Council Site Actions: Only two council sites responded to this issue. One site has very minimal use of FTP and has only sent an alert to the system support staff. The second site plans to update their system configurations within the next 30 days. They also have a few MacOS systems which will be updated using Apple's Software Update facility once a patch or new version is available.

  • References:
  • (6) LOW: Clearswift MAILsweeper Mail Attachment Bypass
  • Affected: MAILsweeper version prior to 4.3.15
  • Description: Clearswift's MAILsweeper product is designed to delete viruses, Trojans and other malware carried in email at an organization's SMTP gateway. The product also supports policies that can be used to block attachments such as executables. However, MAILsweeper does not decode many popular file compression formats. As a result, malware that has been compressed using certain compression formats may not be detected. This flaw may result in a virus or Trojan infection in an enterprise relying on MAILsweeper for protection. A list of undetected compression formats has been publicly posted.

  • Status: The vendor has confirmed the issue and released a hotfix, version 4.3.15.

  • Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 33, 2004

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3663 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 04.33.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Drag And Drop File Installation Vulnerability
  • Description: Microsoft Internet Explorer is reported to be prone to a vulnerability that may allow unauthorized installation of malicious executables. It is reported that drag and drop, along with browser style functionality, may be employed by an attacker to install a file onto a victim's system with some degree of user interaction. Microsoft Internet Explorer versions 5.01, 5.5 and 6 are affected.
  • Ref: http://secunia.com/advisories/12321/

  • 04.33.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Spoofed Address Bar Vulnerability
  • Description: It has been reported that Microsoft Internet Explorer allows a malicious web page to spoof the URL displayed in the address bar. Malicious sites could effect information theft or other attacks on unsuspecting users by posing as legitimate sites. The issue was reported for Microsoft Internet Explorer 6.0 and 6.0 SP1.
  • Ref: http://umbrella.name/originalvuln/msie/NullyFake/nullyfake-content.txt

  • 04.33.3 - CVE: Not Available
  • Platform: Linux
  • Title: MySQL Potential Remote Buffer Overflow
  • Description: MySQL is vulnerable to a potential remote buffer overflow issue. The issue exists due to insufficient sanitization of user-supplied input to the "mysql_real_connect" function. MySQL versions 4.0.20 and prior are reported to be vulnerable.
  • Ref: http://bugs.mysql.com/bug.php?id=4017

  • 04.33.4 - CVE: Not Available
  • Platform: Unix
  • Title: tnftpd Signal Handler Remote Superuser Vulnerabilities
  • Description: tnftpd is an FTP daemon for Unix systems. It has been revealed that tnftpd is subject to multiple remote administration compromise vulnerabilities. Due to the application's handling of out-of-band TCP data, "transflag" signals can be sent during the login process, which can result in superuser privileges. tnftpd versions prior to 10 Aug 2004 are reported vulnerable.
  • Ref: http://www.frasunek.com/lukemftpd.txt

  • 04.33.5 - CVE: Not Available
  • Platform: Unix
  • Title: Sympa Administration Authentication Bypass
  • Description: Sympa is a mailing list manager. It has been revealed that the web page administrative interface is subject to an authentication bypass vulnerability when creating new mailing lists. The ramifications of this vulnerability include the creation of unauthorized mailing lists, as well as the potential for unauthorized forwarding of messages. Sympa versions 3.x through 4.1.2 are reported to be vulnerable.
  • Ref: http://www.sympa.org/distribution/current/NEWS

  • 04.33.6 - CVE: Not Available
  • Platform: Unix
  • Title: gv Postscript and PDF Viewer Multiple Remote Buffer Overflows
  • Description: gv is a PDF and PostScript (PS) viewing utility. It is available for Unix and Linux systems. Insufficient sanitization of the "BoundingBox", "PS", "Orientation" and "Pages" header fields exposes multiple buffer overflow conditions. gv versions 3.5.8 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/371773

  • 04.33.7 - CVE: Not Available
  • Platform: Unix
  • Title: SpamAssassin Malformed Email Remote Denial of Service
  • Description: SpamAssassin is a mail filter designed to identify and process spam. It is reported vulnerable to an undisclosed remote denial of service condition. SpamAssassin versions prior to 2.64 are reported vulnerable to this issue.
  • Ref: http://www.securityfocus.com/advisories/7044

  • 04.33.8 - CVE: CAN-2004-0777
  • Platform: Unix
  • Title: Courier-IMAP Remote Format String Weakness
  • Description: Courier is a UNIX mail transport agent (MTA). It has been reported that Courier-IMAP is subject to a remote format string vulnerability that manifests itself when the application is configured with a "DEBUG_LOGIN" value of 1 or 2 in its configuration file. A remote attacker can use this vulnerability before authenticating to execute arbitrary code on the affected server. Courier-IMAP versions 1.6.0 through 2.2.1 are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0821.html

  • 04.33.9 - CVE: Not Available
  • Platform: Unix
  • Title: xv Multiple Vulnerabilities
  • Description: xv is an image manipulation utility for the X Window System. Insufficient sanitization of user-supplied input in the "xvbmp.c" source file exposes a buffer overflow issue. Multiple problems in "xviris.c" expose various integer handling problems. These issues can lead to denial of service conditions or even code execution attacks. xv versions 3.10a and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/372345

  • 04.33.10 - CVE: Not Available
  • Platform: Cross Platform
  • Title: RealNetworks RealPlayer Unspecified Remote Vulnerability
  • Description: RealNetworks RealPlayer contains an unspecified vulnerability that allows for execution of arbitrary code in the context of the user running the player. All current versions are affected.
  • Ref: http://www.securitytracker.com/alerts/2004/Aug/1010931.html

  • 04.33.11 - CVE: CAN-2004-0629
  • Platform: Cross Platform
  • Title: Acrobat Reader URL Request Heap Buffer Overflow
  • Description: Acrobat Reader is an application for reading PDF files. The application's ActiveX control "pdf.ocx" is reported to be vulnerable to a heap-based buffer overrun issue. The issue exists due to improper sanitization of user supplied input of URL data to GET requests. Acrobat version 5.0.5 is reported to be vulnerable.
  • Ref: http://www.idefense.com/application/poi/display?id=126&type=vulnerabilities&flashstatus=true

  • 04.33.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Xephyrus Java Directory Traversal
  • Description: Xephyrus Java Simple Template Engine is a Java environment for creating dynamic content. Insufficient sanitization of user supplied URL input exposes various directory traversal issues in the application. Xephyrus Java versions 3.x and earlier are reported to be affected.
  • Ref: http://www.xephyrus.com/jst/security-advisory-001.html

  • 04.33.13 - CVE: CAN-2004-0778
  • Platform: Cross Platform
  • Title: CVS History Flag Information Disclosure
  • Description: It has been reported that CVS is subject to an information disclosure weakness when its undocumented "history" command flag is used. The vulnerability expresses itself when a remote attacker uses the "history" flag to retrieve information for files that are readable by the CVS server. CVS versions prior to 1.11.17 in the 1.11 branch and prior to 1.12.9 in the 1.12 branch are considered to be vulnerable.
  • Ref: http://www.idefense.com/application/poi/display?id=130&type=vulnerabilities

  • 04.33.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Web Browser Resource Detection Reconnaissance
  • Description: It has been reported that the Opera Web Browser has a weakness in its handling of "IFRAME" content that would allow a remote attacker to verify the existence of resources by monitoring error messages returned by the browser. This could be leveraged by a remote attacker to gain reconnaissance information on a host allowing further attacks. Opera versions 7.53 and prior are considered vulnerable on all platforms that Opera supports.
  • Ref: http://www.greymagic.com/security/advisories/gm009-op/

  • 04.33.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Inter7 Vpopmail Multiple Vulnerabilities
  • Description: Inter7 vpopmail is reported vulnerable to multiple buffer overflow vulnerabilities and a format string weakness. These issues could lead to denial of service attacks or even remote code execution. vpopmail versions 5.4.2 and prior are affected by these issues.
  • Ref: http://www.securityfocus.com/archive/1/372257

  • 04.33.16 - CVE: CAN-2004-0691, CAN-2004-0692, CAN-2004-0693
  • Platform: Cross Platform
  • Title: Multiple Qt Image Handling Heap Overflow
  • Description: Qt is an application development framework that includes libraries for rendering various image types. Multiple heap overflows have been reported to exist in the Qt QImage library. These could be exploited to effect denial of service or even code execution attacks on applications that use this library to render images. Versions 3.3.2 and prior are reported to be vulnerable.
  • Ref: http://scary.beasts.org/security/CESA-2004-004.txt

  • 04.33.17 - CVE: Not Available
  • Platform: Web Application
  • Title: TikiWiki Unauthorized Page Access
  • Description: TikiWiki is a content management system that is implemented in PHP. It is vulnerable to an issue that may permit users to gain unauthorized access. TikiWiki versions 1.8, 1.8.1, 1.8.2 and 1.8.3 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/10972/info/

  • 04.33.18 - CVE: Not Available
  • Platform: Web Application
  • Title: PlaySMS Valid Function SQL Injection
  • Description: PlaySMS is an SMS gateway application. It is reportedly vulnerable to a SQL injection issue. This is due to insufficient sanitization of user supplied input, passed via cookies, that is used to construct SQL queries in the "valid" function. This issue is reported to exist in PlaySMS versions 0.7 and prior.
  • Ref: http://secunia.com/advisories/12103/

  • 04.33.19 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPMyWebHosting SQL Injection Vulnerability
  • Description: PHPMyWebHosting is a set of web hosting management utilities written in PHP. It is reported to be vulnerable to an SQL injection issue. The weakness exists due to insufficient sanitization of user-supplied input in the "pmwh.php" file. PHPMyWebHosting version 0.3.4 is reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-08/0207.html

  • 04.33.20 - CVE: Not Available
  • Platform: Web Application
  • Title: CuteNews Cross-Site Scripting Vulnerability
  • Description: CuteNews is a news management system. Due to a weakness in its URL sanitization code, it has been revealed that CuteNews is subject to cross-site scripting attacks in its "show_archives.php" script. This weakness could allow for theft of authentication credentials. Version 1.3.1 of CuteNews is reported to be affected.
  • Ref: http://secunia.com/advisories/12260/

  • 04.33.21 - CVE: Not Available
  • Platform: Web Application
  • Title: QuiXplorer Item Parameter Directory Traversal Vulnerability
  • Description: QuiXplorer is a web application written in PHP that facilitates browsing of files and directories. Due to insufficient sanitization of user input, it has been reported that QuiXplorer is subject to a directory traversal weakness that would allow an attacker to read arbitrary files. QuiXplorer versions 2.3 and previous are reported to be affected.
  • Ref: http://www.securityfocus.com/archive/1/371716

  • 04.33.22 - CVE: Not Available
  • Platform: Web Application
  • Title: AWStats Rawlog Plugin Multiple Vulnerabilities
  • Description: AWStats is a CGI log analyzer that generates statistical reports based on HTTP, SMTP, or FTP logs. The AWStats Rawlog Plugin is reportedly vulnerable to multiple issues including remote command execution and directory traversal. These are due to insufficient sanitization of the "logfile" URL parameter. AWStats versions 5.0 through 6.1 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/10950/

  • 04.33.23 - CVE: Not Available
  • Platform: Web Application
  • Title: PScript PForum User Profile HTML Injection
  • Description: PScript PForum is web forum software written in PHP. It is reported to be vulnerable to an HTML injection issue. The issue exists due to insufficient sanitization of "IRC Server" and "AIM ID" fields. PForum versions 1.24 and 1.25 are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-08/0218.html

  • 04.33.24 - CVE: Not Available
  • Platform: Web Application
  • Title: MediaWiki Remote File Include Vulnerability
  • Description: MediaWiki is the wiki software that runs Wikipedia. It is reportedly vulnerable to an undisclosed remote PHP file include issue. This allows attackers to execute arbitrary code on the vulnerable target. The vendor has released a new version that addresses this issue.
  • Ref: http://sourceforge.net/project/shownotes.php?group_id=34373&release_id=259965

  • 04.33.25 - CVE: Not Available
  • Platform: Web Application
  • Title: RaXnet Cacti Auth_Login.PHP SQL Injection
  • Description: RaXnet Cacti is a front-end to RRDTool. Insufficient sanitization of the "username" URL parameter of the "auth_login.php" script exposes an SQL injection issue in the application. RaXnet Cacti version 0.x is affected.
  • Ref: http://secunia.com/advisories/12308/

  • 04.33.26 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPNuke Cross-Site Scripting Vulnerabilities
  • Description: PHPNuke is a web-based portal system. It is reported to be vulnerable to a cross-site scripting issue with the "friend.php" and "index.php" scripts. The issue exists due to insufficient sanitization of user supplied input of the "title" and "fname" parameters. PHPNuke versions 6.x and 7.1 are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/12271/

  • 04.33.27 - CVE: Not Available
  • Platform: Web Application
  • Title: Merak Mail Server Webmail Multiple Vulnerabilities
  • Description: Merak Mail Server is a mail server package. Its web mail access component is reported to be vulnerable to multiple security issues including cross-site scripting, HTML injection, SQL injection and PHP script source code disclosure. Merak Mail Server versions prior to 7.5.2 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/371964

  • 04.33.28 - CVE: Not Available
  • Platform: Web Application
  • Title: Gallery Remote Server-Side Script Execution
  • Description: Gallery is a web application designed to allow users to manage images on their web site. When a user uploads a file to Gallery, the application does not immediately verify the file type as an image file, allowing uploading of malicious script. Gallery versions 1.4.4 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/10968/info/

  • 04.33.29 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Fusion Information Disclosure Vulnerability
  • Description: PHP-Fusion is a web content system written in PHP. It has been reported that, due to the predictable naming convention of backup files coupled with the fact that backups are not protected, PHP-Fusion is subject to an information disclosure weakness. If an attacker is able to guess or brute force the name of the backup, they will have access to the contents of the PHP-Fusion database. PHP-Fusion version 4.00 is reported to be vulnerable.
  • Ref: http://seclists.org/lists/bugtraq/2004/Aug/0247.html

  • 04.33.30 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco IOS OSPF Remote Denial of Service
  • Description: Cisco IOS is reported to be vulnerable to a denial of service issue. The issue presents itself when a malformed OSPF packet is sent to the vulnerable router. The attacker requires knowledge of the "area number", "netmask", "hello" and "dead timers" parameters before exploiting this vulnerability. Cisco IOS series 12.0S, 12.2, and 12.3 are reported to be vulnerable.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20040818-ospf.shtml

  • 04.33.31 - CVE: Not Available
  • Platform: Network Device
  • Title: Netgear DG834G Default Account Password
  • Description: Netgear DG834G devices are combination wireless and Internet routers. It has been reported that the Netgear DG834G devices have a default administration password. An attacker with the ability to connect to the router could leverage this to deny service to legitimate users.
  • Ref: http://www.securityfocus.com/archive/1/371575

(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.