@RISK: The Consensus Security Vulnerability Alert

Volume: III, Issue: 34
August 30, 2004

Flaws in Internet Explorer allow phishing to succeed even if Active Scripting is turned off. It is important to remind your users about not providing any sensitive data to web sites sent them to via email.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                      # of Updates & Vulnerabilities
    ------------------------      ------------------------------
    Windows                       1
    Other Microsoft Products      2 (#9)
    Third Party Windows Apps      17 (#1, #6, #7)
    Mac Os                        2
    Linux                         4 (#10)
    BSD                           1
    Unix                          0 (#5)
    Novell                        1
    Cross Platform                9 (#2, #3)
    Web Application               19 (#8)
    Network Device                3
    Hardware                      1 (#4)

******************** Security Training Update *************************

Highlighted Security Training For This Week

SANS' largest fall conference will be in Las Vegas this year, September 28 to October 6. The 400,000 brochures started arriving two weeks ago. Network Security has seventeen immersion tracks and many special intense one-day programs, plus a big vendor expo.

http://www.sans.org/ns2004

***********************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
BSD
Unix
Novell
Cross Platform
Web Application
Network Device
Hardware

********************** SPONSORED LINKS ********************************

Note: these links may take you to non-SANS sites.

(1) Free Download - Take full control of remote access & support security with CrossTec NetOp Remote Control http://www.sans.org/info.php?id=565

(2) Worried about today's constantly evolving network threats? Download McAfee® intrusion prevention white papers today. http://www.sans.org/info.php?id=566

***********************************************************************

PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Nullsoft Winamp Arbitrary Code Execution
  • Affected:
    • Winamp version 5.04 and version 3.x
  • Description: Winamp, a popular Windows media player, has been downloaded over 3 million times. The player's user interface can be enhanced by installing "skin" files. Winamp contains a vulnerability in its handling of skin files that can be exploited to execute arbitrary code on the user's system. The exploitation scenario proceeds as follows: (a) An unsuspecting user clicks a malicious link in an email or a webpage that points to a file with a ".wsz" extension (a skin file). The skin file format is similar to that of a zip file. If the browser is Internet Explorer, the skin file is downloaded silently to the client system. (b) Winamp decompresses the .wsz skin file and reads the "skin.xml" file. The "skin.xml" invokes an HTML file in the zip archive, which is opened in the security context of the "local computer" zone. This HTML file leads to the execution of arbitrary code on the client system with the privileges of the currently logged-on user. This flaw is reportedly being exploited in the wild. Exploit code has been publicly posted.

  • Status: Nullsoft has confirmed the flaw. Upgrade to Winamp version 5.05. It is important to note that since Internet Explorer downloads the Winamp skin file without any user prompting, IE users are at the greatest risk. Council Site Actions: Several sites have the vulnerable software running, but do not have programs in place to upgrade client software. Some mentioned they are hoping that personal firewalls or general user awareness may make users too careful to get infected.

  • References:
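The scenario in (b) above, a skin archive whose "skin.xml" hands Winamp an HTML file, is something a mail gateway or proxy can screen for before the file reaches a client. The following scanner is an added example written for this bulletin, not Nullsoft's code; it treats a .wsz as a zip archive, flags any HTML member or any ".htm/.html" reference inside skin.xml, and is exercised on two constructed sample archives (the skin.xml contents are illustrative, not the real skin schema).

```python
import io
import re
import zipfile

HTML_SUFFIXES = (".htm", ".html")
# Matches file references such as skin.html or ui/page.htm inside the manifest.
HTML_REF = re.compile(r"[\w./\\-]+\.html?\b", re.IGNORECASE)


def inspect_skin_archive(data: bytes) -> dict:
    """Inspect a .wsz skin (a renamed zip) and decide whether a gateway should pass it.

    A legitimate skin carries images and a skin.xml manifest. An archive that contains
    HTML members, or whose skin.xml references an HTML file, matches the pattern
    described in the bulletin and is flagged for blocking.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "block", "reason": "not a zip archive",
                "html_members": [], "html_refs": []}
    names = archive.namelist()
    html_members = [n for n in names if n.lower().endswith(HTML_SUFFIXES)]
    html_refs = []
    for name in names:
        if name.lower().endswith("skin.xml"):
            manifest = archive.read(name).decode("utf-8", errors="replace")
            html_refs.extend(HTML_REF.findall(manifest))
    if html_members or html_refs:
        return {"verdict": "block", "reason": "skin contains or references HTML content",
                "html_members": html_members, "html_refs": html_refs}
    return {"verdict": "allow", "reason": "no HTML content found",
            "html_members": [], "html_refs": []}


def make_skin(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a plain image-only skin and one that pulls in an HTML page.
BENIGN_SKIN = make_skin({
    "skin.xml": b"<skin><name>Plain</name><image file='main.png'/></skin>",
    "main.png": b"\x89PNG\r\n\x1a\n",
})
SUSPECT_SKIN = make_skin({
    "skin.xml": b"<skin><name>Loader</name><include file='skin.html'/></skin>",
    "skin.html": b"<html><body>content rendered in the local computer zone</body></html>",
})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SKIN), ("suspect", SUSPECT_SKIN)):
        print(label, inspect_skin_archive(blob))
```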
  • (2) MODERATE: Netscape NSS Library SSLv2 Buffer Overflow
  • Affected:
    • All known versions of:
    • Netscape Enterprise Server
    • Netscape Certificate Management Server
    • Netscape Directory Server
    • Netscape Personalization Engine
    • Netscape Administration Server
    • Sun ONE/iPlanet Webserver
    • Any application using the Netscape NSS library prior to version 3.9.2
  • Description: The Netscape Network Security Services (NSS) library is designed to support multiple security standards such as SSL versions 2 and 3, TLS, X.509, etc. The library is used by web servers such as the Netscape Enterprise Server and the Sun Java System Web Server (formerly Sun ONE). The NSS library contains a heap-based buffer overflow in its handling of SSL version 2 connections. The overflow can be triggered by an initial "client_hello" packet containing an overlong "challenge" length. The flaw can possibly be exploited to execute arbitrary code with the privileges of the application using the NSS library. The technical details required to leverage the flaw have been posted. Immunity has released a working exploit in the CANVAS product for the Sun ONE server.

  • Status: Netscape has confirmed the flaw; NSS library version 3.9.2 fixes it. A workaround is to disable SSLv2 protocol support in the affected applications/servers. Note that although SSLv2 support is not enabled in the default configuration of the Sun ONE or Netscape Enterprise server, it is reported that enabling SSLv2 support is a common practice. Council Site Actions: Two sites are using this software but they do not believe that SSLv2 is enabled.

  • References:
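The item above turns on a single untrusted length field: the SSLv2 CLIENT-HELLO declares a challenge length that the receiver must bound-check before copying the challenge into a fixed-size buffer. As an added illustration (not NSS code), the parser below validates a CLIENT-HELLO record the way a hardened receiver or an IDS preprocessor would, checking that every declared length is consistent with the record actually received and that the challenge stays within the 16 to 32 bytes the SSL 2.0 specification allows; `build_client_hello` only constructs sample records for the demonstration.

```python
import struct

MSG_CLIENT_HELLO = 0x01
# SSL 2.0 bounds the CLIENT-HELLO challenge to 16..32 bytes; receivers typically
# copy it into a 32-byte buffer, so a larger declared length must be rejected.
MIN_CHALLENGE_LEN = 16
MAX_CHALLENGE_LEN = 32


def build_client_hello(cipher_specs: bytes, session_id: bytes, challenge: bytes,
                       version: int = 0x0002) -> bytes:
    """Construct an SSLv2 CLIENT-HELLO record with a 2-byte header (sample input only)."""
    body = struct.pack("!BHHHH", MSG_CLIENT_HELLO, version,
                       len(cipher_specs), len(session_id), len(challenge))
    body += cipher_specs + session_id + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


def validate_sslv2_client_hello(record: bytes):
    """Return (True, fields) for a well-formed CLIENT-HELLO, else (False, reason).

    No length field is trusted until it has been checked against the bytes present,
    so a hello whose declared challenge length exceeds the protocol maximum is
    refused instead of being copied into a fixed-size buffer.
    """
    if len(record) < 2:
        return False, "truncated record header"
    if record[0] & 0x80:                        # 2-byte header, 15-bit length
        rec_len = ((record[0] & 0x7F) << 8) | record[1]
        body = record[2:]
    else:                                       # 3-byte header, 14-bit length + padding byte
        if len(record) < 3:
            return False, "truncated record header"
        rec_len = ((record[0] & 0x3F) << 8) | record[1]
        body = record[3:]
    if len(body) != rec_len:
        return False, f"record length {rec_len} does not match {len(body)} bytes present"
    if len(body) < 9:
        return False, "body shorter than the CLIENT-HELLO fixed fields"
    msg_type, version, cs_len, sid_len, ch_len = struct.unpack("!BHHHH", body[:9])
    if msg_type != MSG_CLIENT_HELLO:
        return False, f"unexpected message type 0x{msg_type:02x}"
    if cs_len % 3:
        return False, "cipher spec length is not a multiple of 3"
    if not MIN_CHALLENGE_LEN <= ch_len <= MAX_CHALLENGE_LEN:
        return False, f"challenge length {ch_len} outside {MIN_CHALLENGE_LEN}..{MAX_CHALLENGE_LEN}"
    if 9 + cs_len + sid_len + ch_len != len(body):
        return False, "declared field lengths do not add up to the record length"
    off = 9
    cipher_specs = body[off:off + cs_len]
    off += cs_len
    session_id = body[off:off + sid_len]
    off += sid_len
    challenge = body[off:off + ch_len]
    return True, {"version": version, "cipher_specs": cipher_specs,
                  "session_id": session_id, "challenge": challenge}


if __name__ == "__main__":
    # Constructed sample: one cipher spec (SSL_CK_RC4_128_WITH_MD5) and a 16-byte challenge.
    sample = build_client_hello(b"\x01\x00\x80", b"", b"A" * 16)
    print(validate_sslv2_client_hello(sample))
    print(validate_sslv2_client_hello(build_client_hello(b"\x01\x00\x80", b"", b"B" * 40)))
```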
  • (3) MODERATE: Entrust LibKmp ISAKMP Buffer Overflow
  • Affected:
    • Symantec Enterprise Firewall/VPN version 8.0
    • Symantec Enterprise Firewall/VPN version 7.0.x
    • Symantec Gateway Security version 1.0 and 2.0
    • Symantec VelociRaptor version 1.5
    • Any other products using Entrust's LibKmp ISAKMP library
  • Description: Entrust's LibKmp library is designed to handle IKE/ISAKMP communications for setting up a secure tunnel. LibKmp is used by multiple firewall and VPN software vendors, including Symantec. This library contains a heap-based buffer overflow that can be triggered by specially crafted ISAKMP packets. An attacker may possibly exploit this flaw to execute arbitrary code on the vulnerable device/application. A remote compromise of a VPN server or an enterprise firewall may open up the enterprise network for further exploitation. Very limited technical details regarding the vulnerability have been publicly posted.

  • Status: Entrust has confirmed the flaw and released updates. Symantec has released updates for its multiple products. The status of other vendors that use Entrust's LibKmp library is not known at present. Council Site Actions: Although none of the Council sites report using vulnerable Symantec software, and therefore none is taking action, the Internet Storm Center team reports that LibKmp is used in Cisco's VPN and Oracle's PKI and believes those products are also vulnerable.

  • Reference:
  • X-Force Advisory
  • Entrust Security Advisory (Requires customer login credentials)
  • https://www.entrust.com/trustedcare/troubleshooting/bulletins.htm
  • Symantec Security Advisory
  • Symantec Product Updates Page
  • SecurityFocus BID
Other Software
  • (4) HIGH: Axis Network Camera Administrative Access
  • Affected:
    • Axis Network Camera models 2100, 2110, 2120, 2420, 2130
    • Axis Video Server models 2400, 2401
  • Description: Axis network camera and video server products are used worldwide for surveillance purposes. The pictures/videos captured by the camera or video server can be accessed via a webserver. This webserver reportedly contains multiple vulnerabilities. An unauthenticated attacker can execute arbitrary shell commands, obtain the password file for the webserver, and bypass authentication to obtain administrative access. Thus, the attacker can possibly obtain complete control over the surveillance system. The posted advisory shows how to craft the malicious HTTP requests to exploit the flaws.

  • Status: Vendor contacted, no fixes available yet. Note that a list of vulnerable camera servers can be obtained via a simple "google" search. A workaround is to block access to the camera's web server from the Internet. Council Site Actions: The two Council sites using the vulnerable software report that their cameras are either not Internet-facing or that they are viewing only public areas and therefore are not security threats.

  • References:
  • (5) MODERATE: xv Multiple Buffer Overflow Vulnerabilities
  • Affected: xv version 3.10a and prior
  • Description: xv is an image manipulation program for UNIX systems that can handle a large number of image formats such as gif, jpeg, tiff etc. The program ships by default with many Linux distributions, and can be configured as a default image viewer for web browsers. The program contains multiple stack and heap-based buffer overflows that can be triggered by specially crafted image files. A malicious webpage or an email may exploit these flaws to execute arbitrary code on the client system. Exploit code that creates a malicious BMP file has been publicly posted.

  • Status: Vendor not confirmed, no patches available. Council Site Actions: Some Council sites report as many as 2,500 copies of xv running. Because of limited resources and because this vulnerability is not known to be actively exploited, they are not taking action.

  • References: Posting by infamous41md (includes the exploit code)
  • (6) MODERATE: Ipswitch WhatsUp Gold Buffer Overflow
  • Affected: WhatsUp Gold version 8.03
  • Description: Ipswitch WhatsUp Gold is a network management system, which maps the network and alerts an administrator to any network problems. The software has a built-in webserver that facilitates remote network management. This webserver contains a buffer overflow that can be triggered by providing an overlong "instancename" parameter to the "_maincfgret.cgi" script. The flaw can possibly be exploited to execute arbitrary code on the server. Note that the webserver is not enabled in the default configuration of the software.

  • Status: Vendor confirmed. Upgrade to version 8.03 Hotfix 1. A workaround is to either disable or restrict access to the WhatsUp Gold webserver from the Internet. Council Site Actions: Several sites are patching these systems in the regular update cycle. They report that vulnerable systems are not accessible from the Internet or their deployment is very limited.

  • References:
  • (7) LOW: Cisco Secure ACS Multiple Vulnerabilities
  • Affected:
    • Cisco Secure ACS version 3.2, 3.2(2) Build 15 and 3.2(3)
  • Description: Cisco Secure Access Control Server (ACS) for Windows and the Cisco Secure ACS Solution Engine are designed to manage user access for Cisco VPNs, routers, VoIP services, DSL and dialup services, etc. These products contain the following vulnerabilities that can be exploited to either cause a denial of service or obtain unauthorized access. (a) The Cisco Secure ACS products run a management server on port 2002/tcp that can be rendered unresponsive by initiating a large number of TCP connections. This may result in disrupting the ACS authentication services. (b) If configured as a LEAP RADIUS proxy, the ACS may crash when handling LEAP authentication requests. (c) The ACS Solution Engine can authenticate users against other databases such as Novell Directory Services (NDS). If the NDS accepts "anonymous bind" requests, an attacker can authenticate to the ACS using a blank password. The attacker, however, would need to guess a valid username.

  • Status: Vendor confirmed, patches available. A possible workaround for the denial of service vulnerability is to restrict access to the management webserver on port 2002/tcp.

  • Council Site Actions: We were unable to solicit council site input for this item.

  • References:
  • (8) LOW: Epixtech Webpac SQL Injection Vulnerabilities
  • Affected: Webpac, assumed current version
  • Description: Epixtech Webpac software provides a web-based catalogue solution that is used by a large number of libraries. The software reportedly contains multiple SQL injection vulnerabilities that may be exploited to execute commands on the back-end server, or bypass authentication. No technical details regarding the flaws have been posted.

  • Status: Vendor has been contacted, no fixes available. Council Site Actions: This software is not in use at Council sites.

  • References:
Exploit Code
  • (9) Internet Explorer Phishing Flaws
  • Description: Multiple proof-of-concept examples have been posted that can reportedly be modified to conduct phishing attacks against Internet Explorer version 6.0 on Windows XP SP2. These attacks could be used to steal sensitive user information. Note that the attacks would work even when the "Active Scripting" option is disabled. Users should be advised not to enter login information and other credentials on web pages visited by clicking links in an email or another webpage. Council Site Actions: Nearly all sites report they are using some combination of user awareness programs and waiting for Microsoft to deliver patches.

  • References:
Patches
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 34, 2004

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3671 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 04.34.1 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft NTP Time Synchronization Spoofing
  • Description: It has been revealed that the NTP implementation in Microsoft operating systems is susceptible to time spoofing attacks. All current Active Directory implementations are reported to be vulnerable.
  • Ref: http://www.security.nnov.ru/advisories/timesync.asp

  • 04.34.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer IMG DYNSRC Cross Domain Scripting
  • Description: Microsoft Internet Explorer is reported to be vulnerable to a cross domain scripting issue. The issue is reported to present itself when a malicious MHTML file is rendered after being invoked locally. IMG tags with DYNSRC attributes that contain JavaScript code can be used to exploit this issue. All current versions of Internet Explorer are affected.
  • Ref: http://www.securityfocus.com/bid/10979/

  • 04.34.3 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Outlook Express BCC Field Information Disclosure
  • Description: Microsoft Outlook Express does not properly handle BCC headers and discloses the email address on the blind carbon copy list to the "To:" and "CC:" field recipients. Microsoft Outlook Express 6.0 is known to be affected by this issue.
  • Ref: http://support.microsoft.com/default.aspx?scid=kb;EN-US;843555

  • 04.34.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Gadu-Gadu File Download Filename Obfuscation Weakness
  • Description: Gadu-Gadu is a Polish instant messaging application. When an attacker sends a file with a filename containing a large number of spaces before the true file extension, it may be possible to obfuscate the true extension from unsuspecting users. Gadu-Gadu Instant Messenger 6.0 is affected.
  • Ref: http://securityfocus.com/archive/82/372660/2004-08-20/2004-08-26/0

  • 04.34.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Gaucho Client Header Buffer Overflow
  • Description: NakedSoft Gaucho is an email client. Gaucho is vulnerable to an email header buffer overflow issue due to a failure of the application to properly validate user input string lengths. An attacker could execute arbitrary code by exploiting this vulnerability. Gaucho version 1.4 build 145 is known to be vulnerable.
  • Ref: http://www.security.org.sg/vuln/gaucho140.html

  • 04.34.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: BadBlue Web Server Denial of Service
  • Description: Working Resources BadBlue web server is reportedly vulnerable to a denial of service condition when it receives about 24 simultaneous HTTP connections. BadBlue web server version 2.5 is reported to be affected.
  • Ref: http://www.securityfocus.com/archive/1/372470

  • 04.34.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Painkiller Remote Buffer Overflow
  • Description: Painkiller is a computer game for Windows that includes support for network play. It is reported to be vulnerable to a remote buffer overflow issue. The issue exists due to improper boundary checks during a connection request. Painkiller versions 1.3.1 and prior are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-08/0333.html


  • 04.34.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: HP OpenView Omniback II Arbitrary Command Execution
  • Description: HP OpenView Omniback provides data protection and disaster recovery for Windows platforms. OpenView Omniback II is reportedly prone to an unspecified remote command execution vulnerability which can allow a remote attacker to gain superuser privileges on a vulnerable computer. All versions of OpenView Omniback II are considered vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/11032/

  • 04.34.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Nihuo Web Log Analyzer HTML Injection
  • Description: Nihuo Web Log Analyzer is a web server log analysis application. It is reported to be vulnerable to an HTML injection issue due to insufficient user supplied data sanitization. Nihuo Web Log Analyzer version 1.6 is known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/372438

  • 04.34.11 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: aGSM Half-Life Server Buffer Overflow
  • Description: The aGSM game server browser utility is reportedly vulnerable to a buffer overflow condition. This issue is due to insufficient boundary checks performed in the information parsing routines for Half-Life game servers. aGSM version 2.35c is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/10989/

  • 04.34.12 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Bird Chat Remote Denial of Service
  • Description: Bird Chat is a client-server chat utility. It is reported to be vulnerable to a denial of service issue. The issue exists due to improper sanitization of user-supplied input with the "username" field. Version 1.61 of Bird Chat is reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-08/0304.html

  • 04.34.13 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Easy File Sharing Web Server Access Control Bypass
  • Description: Easy File Sharing Web Server is a web server software package. It is reported to be vulnerable to an access control bypass issue. The issue exists when an attacker makes a request for the name of a virtual folder on the web server. Easy File Sharing Web Server v1.25 is reported to be vulnerable.
  • Ref: http://www.gulftech.org/?node=research&article_id=00045-08242004

  • 04.34.14 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Easy File Sharing Web Server Remote Denial of Service
  • Description: Easy File Sharing Web Server is file sharing software that allows users to upload/download files easily through a web browser. The server experiences a denial of service condition when it receives large HTTP requests. Easy File Sharing Web Server version 1.25 is known to be vulnerable.
  • Ref: http://www.gulftech.org/?node=research&article_id=00045-08242004

  • 04.34.15 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: IgnitionServer Remote Denial of Service
  • Description: ignitionServer is an Internet Relay Chat (IRC) server. It is reportedly vulnerable to a remote denial of service condition. This issue is exposed when the server fails to handle exceptional conditions while processing "SERVER" commands. This causes the server to crash, denying access to legitimate users. Versions 0.1.2 through 0.3.1 of the software are reported to be affected.
  • Ref: http://secunia.com/advisories/12374/

  • 04.34.16 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Cisco Secure Access Control Server Multiple Vulnerabilities
  • Description: Cisco Secure Access Control Server (ACS Windows) and Secure Access Control Server Solution Engine (ACS Solution Engine) offer authentication, authorization, and accounting (AAA) services. Multiple issues in the product expose various authentication bypass and denial of service vulnerabilities. Cisco Secure ACS versions 3.x and earlier are affected.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20040825-acs.shtml

  • 04.34.17 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: RealVNC Server Remote Denial of Service
  • Description: RealVNC (Virtual Network Computing) allows users to access remote computers for administration purposes. It is reportedly vulnerable to a remote denial of service condition. This issue is exposed when an attacker makes 60 simultaneous connections with the server. The server eventually crashes, denying service to legitimate users. RealVNC version 4.0 is reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-08/0346.html


  • 04.34.19 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Nullsoft Winamp .WSZ File Remote Code Execution
  • Description: Winamp is a media player for Windows. Winamp does not process files with .WSZ extensions correctly. As a result, malicious HTML/scripts embedded in a ZIP file renamed as .WSZ would be executed. Winamp versions 5.04 and earlier are affected.
  • Ref: http://secunia.com/advisories/12381/

  • 04.34.20 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Ground Control II Remote Denial of Service
  • Description: Ground Control II is a game which is reported to be vulnerable to a remote denial of service issue. The issue exists when a game client or server receives a packet larger than 512 bytes. Ground Control II versions 1.0.0.7 and prior are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-08/0375.html

  • 04.34.21 - CVE: Not Available
  • Platform: Mac Os
  • Title: Safari/WebCore HTTP Content Filtering Bypass
  • Description: Apple Safari is a web browser that uses WebCore for embedding KHTML. When WebCore receives a file with a "Content-Type" of "text/plain" or "text/HTML", it reads the contents of the file to determine if the file is HTML. This is described as content sniffing and is discouraged in RFC 2616. Safari versions 1.0 and 1.1 are affected.
  • Ref: http://lists.netsys.com/pipermail/full-disclosure/2004-August/025589.html

  • 04.34.22 - CVE: Not Available
  • Platform: Mac Os
  • Title: Navigator Tabbed Browsing Cross-Domain Scripting
  • Description: Netscape Navigator is reportedly prone to a cross-domain scripting vulnerability. Content from a web site could hijack other browser tabs that had already loaded documents from other domains. This vulnerability is reported to exist in Netscape version 7.2 (Gecko/20040804) when installed on an Apple MacOS X version 10.3.5 platform.
  • Ref: http://secunia.com/advisories/12392/

  • 04.34.23 - CVE: Not Available
  • Platform: Linux
  • Title: GYach Enhanced Multiple Undisclosed Vulnerabilities
  • Description: GYach Enhanced is a Yahoo client for Linux platform with voice chat capabilities. It is reported to be vulnerable to a denial of service and multiple undisclosed issues. The denial of service issue exists due to improper sanitization of conference packets that contain error messages. GYach Enhanced versions 1.0.4 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/10975/info/

  • 04.34.24 - CVE: CAN-2004-0746
  • Platform: Linux
  • Title: KDE Konqueror Cross-Domain Cookie Injection
  • Description: The KDE Konqueror web browser can potentially be exploited by attackers to conduct session fixation attacks. It allows web sites to set cookies for certain country-specific secondary top-level domains. This can be exploited to fix a session by setting a known session ID in a cookie. This vulnerability affects KDE versions up to 3.2.3.
  • Ref: http://secunia.com/advisories/12341

  • 04.34.25 - CVE: Not Available
  • Platform: Linux
  • Title: SERCD, SREDIRD Buffer Overflow Vulnerability
  • Description: SERCD and SREDIRD are vulnerable to a buffer overflow issue. This allows an attacker to execute arbitrary code remotely with the privileges of the affected package. Versions of SERCD prior to 2.3.1, and all known versions of SREDIRD are reported to be susceptible to this vulnerability.
  • Ref: http://www.securitytracker.com/alerts/2004/Aug/1011038.html

  • 04.34.26 - CVE: CAN-2004-0797
  • Platform: Linux
  • Title: Zlib Compression Library Denial of Service
  • Description: The zlib compression library is a library designed for fast compression and decompression of data. It is reported to be vulnerable to a denial of service issue. The issue exists due to improper sanitization in "inflate.c" and "infback.c". Version 1.2.1 is reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-08/0370.html

  • 04.34.27 - CVE: Not Available
  • Platform: BSD
  • Title: OpenBSD Bridged Network ICMP Denial of Service
  • Description: OpenBSD contains support for bridging networks. When an ICMP ping packet travels through the OpenBSD bridge, the system interrupt priority level is changed by a call to "splsoftnet()" which blocks all soft network interrupts. Under certain circumstances, the "bridge_ipsec()" function will not re-enable these interrupts again, causing a kernel panic. A fix was applied in CVS to OpenBSD-current on 18 Aug 2004.
  • Ref: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/016_bridge.patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/028_bridge.patch

  • 04.34.28 - CVE: Not Available
  • Platform: Unix
  • Title: Hafiye Remote Terminal Escape Sequence Injection
  • Description: EnderUNIX Hafiye is a network packet sniffing tool. Hafiye is affected by a remote terminal escape sequence issue due to a failure of the application to properly sanitize user-supplied input. An attacker could execute arbitrary code on the affected system.
  • Ref: http://www.enderunix.org/hafiye/hafiye-1.0/ChangeLog

  • 04.34.29 - CVE: Not Available
  • Platform: Unix
  • Title: SERCD Format String Vulnerability
  • Description: SERCD is the serial communications daemon. Its logging facility reportedly has a format string vulnerability. If exploited properly, this could allow an attacker to execute arbitrary code on the vulnerable host. Versions prior to 2.3.1 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/11031/

  • 04.34.30 - CVE: Not Available
  • Platform: Unix
  • Title: SARA Remote Buffer Overflow
  • Description: SARA (SGML Aware Retrieval Application) listening on port 7000 has a buffer overflow vulnerability, which can be leveraged to execute arbitrary code on a vulnerable machine. All current versions are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/372331

  • 04.34.31 - CVE: Not Available
  • Platform: Unix
  • Title: Inter7 Vpopmail Multiple SQL Injection Vulnerabilities
  • Description: Inter7 Vpopmail allows administrators to manage Qmail or Postfix mail servers. Insufficient sanitization of user supplied input exposes SQL injection issues in the application. Vpopmail versions 5.4.6 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/10990/

  • 04.34.32 - CVE: Not Available
  • Platform: Unix
  • Title: Sredird Multiple Remote Vulnerabilities
  • Description: Sredird is a serial port redirector that is compliant with the RFC 2217 (Telnet Com Port Control Option protocol). This protocol lets you share a serial port through the network. Sredird is vulnerable to a remote arbitrary code execution issue. Sredird versions 2.2.1 and earlier are known to be vulnerable.
  • Ref: http://secunia.com/advisories/12351/

  • 04.34.33 - CVE: Not Available
  • Platform: Novell
  • Title: Novell NetWare Web Manager Unspecified Vulnerability
  • Description: Novell NetWare Web Manager is a web-based application used to access various Web services and tools in NetWare 6.5. It is reported to be vulnerable to an unspecified issue. Novell Netware 6.5 is reported to be vulnerable.
  • Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10094233.htm


  • 04.34.35 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla NSS Library Remote Heap Overflow
  • Description: Mozilla Network Security Services library (NSS) is a set of libraries designed to support cross-platform development of security-enabled client/server applications. It is reported to be vulnerable to a remote heap overflow issue. The issue exists due to insufficient boundary checks of the SSLv2 "hello" message. The NSS library is commonly used by Netscape Enterprise Server and Sun One/iPlanet servers. NSS versions prior to 3.9.2 are reported to be vulnerable.
  • Ref: http://xforce.iss.net/xforce/alerts/id/180

  • 04.34.36 - CVE: CAN-2004-0781
  • Platform: Cross Platform
  • Title: Icecast Server Status Display Cross-Site Scripting
  • Description: Icecast Server is affected by a cross-site scripting vulnerability in the status display functionality. This issue is due to a failure of the application to properly sanitize user-supplied input. This may facilitate the theft of cookie-based authentication credentials as well as other attacks. Icecast versions 1.3.10 and earlier are vulnerable.
  • Ref: http://www.securitytracker.com/alerts/2004/Aug/1011046.html

  • 04.34.37 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Vendor Web Browser JavaScript Denial of Service
  • Description: Web browsers from multiple different vendors are reportedly susceptible to a denial of service condition. This issue is exposed when a browser processes a JavaScript segment that creates an infinite number of IFRAMEs pointing to "%systemroot%system32". This causes the browser to use up to 100% of the CPU processing and to eventually crash. All versions of Mozilla Firefox, Microsoft Internet Explorer, and Opera are affected by this vulnerability.
  • Ref: http://www.securityfocus.com/bid/10998/

  • 04.34.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Music Daemon Remote File Disclosure
  • Description: Music daemon is prone to a remote file disclosure vulnerability due to a lack of sufficient sanitization performed on LOAD command arguments. An attacker may specify an arbitrary file as an argument for the LOAD Music daemon command; the attacker may then reveal the contents of this file using the Music daemon SHOWLIST command. It is reported that if a binary file is specified as an argument for the LOAD command the attacker may cause the affected daemon to crash.
  • Ref: http://www.securityfocus.com/archive/1/372647

  • 04.34.39 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Battle.net Information Disclosure
  • Description: PvPGN Battle.net allows an attacker to request information about any arbitrary user contained in the server. The information that an attacker can retrieve includes password hashes, which allows an attacker to gain access to any account. PvPGN versions prior to 1.6.4 are vulnerable to this issue.
  • Ref: http://forums.pvpgn.org/index.php?showtopic=2655

  • 04.34.40 - CVE: CAN-2004-0369
  • Platform: Cross Platform
  • Title: Symantec Remote ISAKMPD Denial of Service
  • Description: Symantec Internet Security Association and Key Management Protocol Daemon (ISAKMPD) is a service that manages Security Associations and cryptographic keys in various Symantec security products. It is reported to be vulnerable to an unspecified denial of service issue. Symantec Enterprise Firewall 8.0, 7.0.x, VelociRaptor 1.5, Gateway Security 1.0 - 5300 series and Gateway Security 2.0 - 5400 series are reported to be vulnerable.
  • Ref: http://xforce.iss.net/xforce/alerts/id/181

  • 04.34.41 - CVE: CAN-2004-0784, CAN-2004-0754, CAN-2004-0785
  • Platform: Cross Platform
  • Title: Gaim Multiple Vulnerabilities
  • Description: The Gaim instant messenger client was reported by the vendor to be vulnerable to multiple security issues including a remote arbitrary command execution and multiple remote buffer overflows. Gaim version 0.82 has been released to address these issues.
  • Ref: http://gaim.sourceforge.net/security/index.php

  • 04.34.42 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SugarCRM Unspecified Login Authentication Vulnerability
  • Description: SugarCRM is a CRM suite implemented in Java and PHP. It is reported to be vulnerable to an unspecified login authentication issue. SugarCRM versions 1.1e and prior are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/12364/

  • 04.34.43 - CVE: Not Available
  • Platform: Web Application
  • Title: PhotoADay Pad_selected Parameter Cross-Site Scripting
  • Description: PhotoADay is a web-based photo album. Insufficient sanitization of the "pad_selected" parameter of the "Photo_A_Day" module exposes a cross-site scripting issue. All current versions of PhotoADay are vulnerable.
  • Ref: http://www.securitytracker.com/alerts/2004/Aug/1011027.html

  • 04.34.44 - CVE: Not Available
  • Platform: Web Application
  • Title: eGroupWare Multiple Input Validation Vulnerabilities
  • Description: eGroupWare is susceptible to multiple cross-site scripting and HTML injection vulnerabilities. An attacker can exploit these issues by creating a malicious link to the affected script containing HTML and script code as the value of the vulnerable parameter, and sending this link to a vulnerable user. eGroupWare versions 1.0.3 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/372603

  • 04.34.45 - CVE: Not Available
  • Platform: Web Application
  • Title: Ulog-php Port.PHP SQL Injection
  • Description: INL Ulog-php is a firewall log analysis web interface. It is reportedly vulnerable to a SQL injection issue. This is due to insufficient sanitization of user-supplied input passed through the "proto" URL parameter to the "port.php" script. Versions prior to 0.8.2 are reported to be affected.
  • Ref: http://www.securityfocus.com/bid/11018/

  • 04.34.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Hastymail HTML Attachment Script Execution
  • Description: Hastymail is an IMAP/SMTP email client application implemented in PHP. It is reported to be vulnerable to a script execution issue. Hastymail stable version 1.0.1 and development version 1.1 are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-08/0322.html

  • 04.34.47 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Fusion Information Disclosure Vulnerability
  • Description: PHP-Fusion is a web content management system. It has been reported that due to the predictable naming convention of backup files, PHP-Fusion is subject to an information disclosure weakness. If an attacker is able to guess or brute force the name for the backup, they will have access to the contents of the PHP-Fusion database data. PHP-Fusion version 4.00 is reported to be vulnerable.
  • Ref: http://echo.or.id/adv/adv04-y3dips-2004.txt

  • 04.34.48 - CVE: Not Available
  • Platform: Web Application
  • Title: SWsoft Plesk Reloaded Cross-Site Scripting
  • Description: SWsoft Plesk Reloaded is a web-based application that allows server administration for hosting. It is reportedly vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input passed through the "login_name" parameter to the "login_up.php3" script. This issue could allow theft of cookie-based authentication parameters. The demo version of Plesk Reloaded 7.1 was reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/11024/

  • 04.34.49 - CVE: Not Available
  • Platform: Web Application
  • Title: WebAPP Directory Traversal
  • Description: WebAPP (Web Automated Perl Portal) is a web portal application written in Perl. Insufficient sanitization of the "../" character sequence in the "index.cgi" script exposes a directory traversal issue. WebAPP versions 0.9.9 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/372731

  • 04.34.50 - CVE: Not Available
  • Platform: Web Application
  • Title: Zixforum ZixForum.mdb Database Disclosure
  • Description: Zixforum is a web-based forum application implemented in ASP. It is reported to be vulnerable to a database disclosure issue. A remote user may download the database file "ZixForum.mdb" by sending a direct GET request for the file. All versions of Zixforum are considered vulnerable to this issue.
  • Ref: http://www.securitytracker.com/alerts/2004/Aug/1010994.html

  • 04.34.51 - CVE: Not Available
  • Platform: Web Application
  • Title: MySQL Backup Pro Undisclosed Vulnerability
  • Description: Ben Yacoub Hatem MySQL Backup Pro is a PHP web application to backup and restore MySQL databases. It is reported to contain an undisclosed vulnerability in its "getbackup()" function. This issue may allow an attacker to download backup files without proper authorization. Versions prior to 1.0.8-pre1 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/10986/info/

  • 04.34.52 - CVE: Not Available
  • Platform: Web Application
  • Title: Sympa New List HTML Injection
  • Description: Sympa is a mailing list manager written in Perl. It is reported to be vulnerable to an HTML injection issue. The issue exists due to improper sanitization of user-supplied input in the "Description" field. Sympa versions 4.1 and all 4.1.x releases are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-08/0293.html

  • 04.34.53 - CVE: Not Available
  • Platform: Web Application
  • Title: Mantis Remote Server-Side Script Execution
  • Description: Mantis is a web-based bug tracking system. Mantis is vulnerable to a remote server-side script execution issue. An attacker could exploit this vulnerability to execute arbitrary code in the context of the server where Mantis is installed. Mantis version 0.19.0a is known to be vulnerable.
  • Ref: http://www.mantisbt.org/

  • 04.34.54 - CVE: Not Available
  • Platform: Web Application
  • Title: Mantis Multiple Cross-Site Scripting
  • Description: Mantis is a web-based bug tracking system. It is reportedly vulnerable to multiple cross-site scripting issues. These are due to insufficient sanitization of user-supplied input to various URL parameters used to create SQL queries. These are fixed in the CVS version of Mantis as of 1 Aug 2004.
  • Ref: http://www.securityfocus.com/archive/1/372502

  • 04.34.55 - CVE: Not Available
  • Platform: Web Application
  • Title: Mantis New Account Signup Mass Emailing Vulnerability
  • Description: Mantis is a web-based bug tracking system. Insufficient sanitization of the "email" argument in the "signup.php" script allows an attacker to supply multiple email addresses to which Mantis will send account confirmation emails. In this way an attacker can send junk mail that originates from a Mantis server to a huge number of recipients. Mantis versions 0.19.0a and earlier are affected.
  • Ref: http://secunia.com/advisories/12338/

  • 04.34.56 - CVE: Not Available
  • Platform: Web Application
  • Title: MyDMS SQL Injection and Directory Traversal
  • Description: MyDMS SQL is vulnerable to a SQL injection issue due to insufficient sanitization of the "folderid" parameter in the "out/out.ViewFolder.php" script. The software is also affected by a directory traversal issue via the "../" sequence. MyDMS SQL versions 1.4.2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/372636

  • 04.34.57 - CVE: Not Available
  • Platform: Web Application
  • Title: Compulsive Media CNU5 News.mdb Database Disclosure
  • Description: Compulsive Media CNU5 is a web-based news forum. It is reportedly vulnerable to a database file disclosure issue. Due to insufficient web-access control and lack of encryption within the file, remote users can gain access to the "news.mdb" database file. This could leak potentially sensitive information about the clients. CNU5 version 1.2 is reported to be vulnerable to this issue.
  • Ref: http://www.securitytracker.com/alerts/2004/Aug/1011028.html

  • 04.34.58 - CVE: Not Available
  • Platform: Web Application
  • Title: JShop E-Commerce Suite Page.PHP Cross-Site Scripting
  • Description: JShop E-Commerce Suite is a web-based e-commerce system. Insufficient sanitization of the "xPage" parameter in the "page.php" script exposes a cross-site scripting issue. All current versions are affected.
  • Ref: http://indohack.sourceforge.net/drponidi/jshop-vuln.txt

  • 04.34.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Dynix WebPac Multiple SQL Injection
  • Description: Dynix WebPac is web-based software designed for library cataloging. It is reportedly vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied URL parameters used to form SQL queries. These could be used to compromise the backend database and gain access to sensitive information.
  • Ref: http://www.securityfocus.com/archive/1/372956

  • 04.34.60 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Code Snippet Library Multiple Cross-Site Scripting
  • Description: PHP Code Snippet Library (PHP-CSL) provides a common area to store code snippets, functions and classes. Insufficient sanitization of the "cat_select" and "show" URL parameters in the "index.php" script exposes multiple cross-site scripting issues. All current versions are affected.
  • Ref: http://nikyt0x.webcindario.com/0001.txt

  • 04.34.61 - CVE: Not Available
  • Platform: Web Application
  • Title: Keene Digital Media Server Directory Traversal
  • Description: Keene Digital Media Server (DMS) is a web application designed for sharing of media files. Insufficient sanitization of the "%2E%2E%5C" character sequence exposes a directory traversal issue in the software. Keene DMS versions 1.0.2 and earlier are affected.
  • Ref: http://secunia.com/advisories/12272/

  • 04.34.62 - CVE: Not Available
  • Platform: Network Device
  • Title: NR041 Router DHCP Log HTML Injection
  • Description: Network Everywhere NR041 is a broadband router. It is reported to be vulnerable to an HTML injection issue in its log. The issue exists due to improper sanitization of the "DHCP HOSTNAME" parameter. Version 1.2 Release 03 is reported to be vulnerable.
  • Ref: http://secunia.com/advisories/12393/

  • 04.34.63 - CVE: Not Available
  • Platform: Network Device
  • Title: IPS 5500 Denial of Service
  • Description: Mitigator IPS 5500 is susceptible to a denial of service vulnerability when the device is flooded with a very high volume of HTTP traffic. Once this condition has occurred, the device is reportedly unable to process HTTP traffic. The IPS 5500 with firmware versions prior to 3.11.014 is reportedly susceptible to this vulnerability.
  • Ref: http://www.checksum.org/mla/7/message/5899.htm

  • 04.34.64 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco IOS Telnet Service Remote Denial of Service
  • Description: Cisco devices use Telnet, RSH, SSH, and HTTP for remote management. The Cisco IOS telnet service is reportedly vulnerable to a remote denial of service condition. This issue is exposed when an attacker sends a specially crafted TCP packet to the telnet or reverse telnet port. This causes the device to crash and stop responding to further connection attempts on various services. All Cisco devices running IOS with a telnet or reverse telnet service are affected by this issue.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml

  • 04.34.65 - CVE: CAN-2004-0334
  • Platform: Hardware
  • Title: Axis Network Camera and Video Server Multiple Vulnerabilities
  • Description: Axis Network Camera and Video Server include a web-based administration interface which is vulnerable to remote arbitrary code execution. It is also reported to allow a remote attacker to bypass Basic Authorization via an HTTP request.
  • Ref: http://www.securityfocus.com/archive/1/372643

(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.