
@RISK: The Consensus Security Vulnerability Alert

Volume: III, Issue: 41
October 18, 2004

This is a very big issue of @RISK reflecting an equally tough week for people responsible for securing Windows systems. Two we rate as Critical and three as High plus a Veritas vulnerability rated as High. If you want additional, in-depth information, including information about several vulnerabilities not covered here in depth, see the Internet Storm Center summary at http://isc.sans.org/presentations/MS04Oct.ppt.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                     # of Updates & Vulnerabilities
    Windows                      7 (#2, #3, #4, #5, #7, #8, #9, #13)
    Microsoft Office             1 (#6)
    Other Microsoft Products     8 (#1)
    Third Party Windows Apps     4
    Linux                        2 (#11, #12)
    Unix                         2 (#10)
    Cross Platform               13
    Web Application              19
    Network Device               2

****************** This Issue Sponsored by Radware **********************

Radware Intrusion Prevention Switch protects against worms, viruses, malicious intrusions, Denial of Service attacks and Trojans - securing networked applications at 3-Gbps. Featuring inline security switching and accelerated, stateful and deep-packet inspection, DefensePro isolates attacks and dynamically moderates bandwidth to stop propagation across the network.

Download DefensePro whitepaper http://www.radware.com/content/products/dp/whtpaper/_download-20040204b/form.asp

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Microsoft Office
Other Microsoft Products
Third Party Windows Apps
Linux
Unix
Cross Platform
Web Application
Network Device

************************** SPONSORED LINKS ******************************

Privacy notice: Sponsored links redirect to non-SANS web pages.

(1) Stop Cyber Attacks Now. FREE White Paper: How to Evaluate Intrusion Prevention Systems http://www.sans.org/info.php?id=617

(2) Simple, secure alternative to NIS/NIS+ and LDAP for UNIX/Linux user account and password management. FREE downloads. http://www.sans.org/info.php?id=618

******************** Security Training Update *************************

Featured Training program of the Week: SANS Cyber Defense Initiative -- CDI South in New Orleans November 1-4 ( http://www.sans.org/cdisouth04 ) and CDI East in Washington, DC, December 7-14 ( http://www.sans.org/cdieast04 )

New Orleans offers a whole new type of program that many people have asked us to provide: 18 one- and two-day courses on issues shaping the future of information security, from the newest hacker tools to changes in legal issues surrounding security. Perfect for people who have taken SANS courses and want updates, and for people who just don't have time to attend a full class. More information at http://www.sans.org/cdisouth04

Washington DC is SANS' most popular venue, so make your reservations early to get space in one of the thirteen tracks. The early registration deadline is on the 26th. CDI East features SANS' top instructors: Eric Cole will be teaching the uniquely effective new SANS +S Training Course for CISSP® (a registered trademark of ISC2), and the top teachers of the SANS Security Essentials, Hacker Exploits, Firewalls, Auditing, Management tracks and several more will all be in Washington as well.

More information at http://www.sans.org/cdieast04

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) CRITICAL: Microsoft NNTP Server Buffer Overflow
  • Affected:
    • Windows NT Server 4.0 SP 6a
    • Windows 2000 Server SP3/SP4
    • Windows Server 2003 including 64-Bit Edition
    • Exchange 2000 SP3
    • Exchange Server 2003 including SP1
  • Description: The Network News Transfer Protocol (NNTP) is used for distribution, retrieval and posting of news articles. The "XPAT" command, defined in the NNTP Extensions, can be used to retrieve news articles based on pattern matching on articles' headers. Microsoft's NNTP server contains a heap-based buffer overflow vulnerability in its XPAT command implementation. The overflow can be triggered by supplying an overlong (over 1950 bytes) pattern string to the XPAT command. The flaw can be exploited by an unauthenticated attacker to execute arbitrary code with administrative privileges. It is also reported that the "SEARCH" command contains a similar buffer overflow. Proof-of-concept exploit and technical details have been publicly posted.

  • Status: Microsoft security advisory MS04-036 references a fix for this vulnerability. Note that the vulnerable component is not installed by default along with IIS server on Windows NT/2000/2003. Exchange 2000 and 2003 servers have the component installed but it's enabled by default only on the Exchange 2000 server. Hence, Exchange 2000 servers should be patched first. If the NNTP functionality is not required, either disable the service or block the ports 119/tcp and 563/tcp (NNTP over SSL) at the network perimeter.

  • Council Site Actions: A few of the council sites have a small number of IIS systems running NNTP. Some of these sites will be deploying the patch on an accelerated basis. One site plans to either patch the systems or disable the NNTP service. They have only internal systems running with the vulnerable configuration.
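An added detection example (not from the bulletin, TippingPoint or Microsoft) that flags overlong XPAT and SEARCH commands in captured or logged NNTP client lines, using the 1950-byte pattern length the description above gives for XPAT; the bulletin gives no figure for SEARCH, so reusing the XPAT limit there is this example's assumption, and the session lines are constructed.

```python
"""Flag overlong NNTP XPAT/SEARCH commands in captured client-to-server lines."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Length threshold taken from the bulletin: XPAT patterns over 1950 bytes trigger the overflow.
XPAT_PATTERN_LIMIT = 1950
# The bulletin says SEARCH has a similar overflow but gives no figure;
# reusing the XPAT limit for SEARCH is an assumption of this example.
SEARCH_ARG_LIMIT = 1950


@dataclass
class Finding:
    line_no: int
    command: str
    arg_len: int
    limit: int


def pattern_length(command: str, args: List[str]) -> int:
    """Return the byte length of the part of the command that reaches the pattern matcher.

    XPAT syntax is 'XPAT header range pattern...', so the pattern is everything after
    the first two arguments; for SEARCH (assumption) the whole argument string is measured.
    """
    if command == "XPAT":
        return len(" ".join(args[2:]).encode("utf-8"))
    return len(" ".join(args).encode("utf-8"))


def check_line(line_no: int, line: str) -> Optional[Finding]:
    """Return a Finding if the line is an XPAT/SEARCH command whose argument is overlong."""
    parts = line.rstrip("\r\n").split(" ")
    if not parts or not parts[0]:
        return None
    command = parts[0].upper()
    limits = {"XPAT": XPAT_PATTERN_LIMIT, "SEARCH": SEARCH_ARG_LIMIT}
    if command not in limits:
        return None
    length = pattern_length(command, parts[1:])
    if length > limits[command]:
        return Finding(line_no, command, length, limits[command])
    return None


def scan_session(lines: Iterable[str]) -> List[Finding]:
    """Scan a sequence of client command lines and collect all findings."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(lines, 1):
        finding = check_line(line_no, raw)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample session (not real traffic): one benign XPAT, one overlong XPAT,
# one overlong SEARCH.
SAMPLE_SESSION = [
    "GROUP comp.security.announce",
    "XPAT Subject 1-100 *patch*",
    "XPAT Subject 1-100 " + "A" * 2000,
    "SEARCH " + "B" * 2500,
    "QUIT",
]

if __name__ == "__main__":
    for f in scan_session(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.command} argument is {f.arg_len} bytes, limit {f.limit}")
```

The same check applies to sessions on 563/tcp once the SSL layer has been terminated; on the wire those commands are not visible to a plain-text sensor.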

  • References:
  • (3) HIGH: Microsoft Compressed Folder Processing Overflow
  • Affected:
    • Windows XP including SP 1
    • Windows XP 64-Bit Edition SP 1/2003
    • Windows Server 2003 including 64-Bit Edition
  • Description: Windows XP/2003 includes a zip utility suitable for compressing files and folders. It is reported that this utility contains a stack-based overflow in its "dunzip32.dll" component. The overflow can be triggered by a compressed folder containing a filename longer than 32768 bytes. Opening a crafted compressed folder may lead to execution of arbitrary code with the privileges of the currently logged-on user. In order to exploit this flaw, an attacker has to entice a victim to open the malicious compressed folder. An attacker can either send the folder in an email attachment, or host it on a website or a shared folder. The technical details and a proof-of-concept zip file have been posted. Note that the eEye advisory claims that dunzip32.dll is affected, whereas another security researcher claims that the DLL affected is zipfldr.dll.

  • Status: Microsoft security advisory MS04-034 references a fix for this vulnerability. Users should be advised not to open zip files from untrusted sources.

  • Council Site Actions: Most of the council sites are responding to this vulnerability and will be deploying the patch on different schedules - some on an accelerated basis and some during their next regularly scheduled system update process. One site said the majority of their affected systems have obtained the update through the public Windows Update site or their local SUS server. They are having some challenges with Windows XP SP1 systems since the users are hesitant to update because they are unsure of the process for obtaining any updates while avoiding an installation of SP2.

  • References:
  • (4) HIGH: Microsoft NetDDE Service Buffer Overflow
  • Affected:
    • Windows NT Server 4.0 SP 6a
    • Windows NT Server 4.0 Terminal Server Edition SP 6
    • Windows 2000 SP3/SP4
    • Windows XP including SP1
    • Windows XP 64-Bit Edition SP1/2003
    • Windows Server 2003 including 64-Bit Edition
    • Windows 98/SE/ME
  • Description: The Microsoft NetDDE (Network Dynamic Data Exchange) protocol allows applications running on different systems to transparently communicate with each other. The NetDDE service, which is not enabled by default, contains a buffer overflow. The overflow can be exploited by an anonymous user to execute arbitrary code with "SYSTEM" privileges. The discoverers of the flaw have not posted any technical details yet. Since the service uses the DCE/RPC protocol, it is likely that the overflow is similar in nature to the buffer overflow vulnerabilities found in other services such as LSASS, Messenger or Workstation.

  • Status: Apply the patch referenced in the MS04-031 advisory. A workaround is to block ports 135/tcp, 139/tcp and 445/tcp at the network perimeter.

  • Council Site Actions: All of the reporting council sites are responding to this vulnerability in the same manner as item 3 above. The only exception is a site that is requiring either the systems to be patched or the service to be disabled.

  • References:
  • (5) HIGH: Microsoft Windows Shell Remote Code Execution
  • Affected:
    • Windows NT Server 4.0 SP 6a
    • Windows NT Server 4.0 Terminal Server Edition SP 6
    • Windows 2000 SP3/SP4
    • Windows XP including SP1
    • Windows XP 64-Bit Edition SP1/2003
    • Windows Server 2003 including 64-Bit Edition
    • Windows 98/SE/ME
  • Description: (a) The Windows grpconv.exe program is used to convert Windows 3.1 groups to folders while upgrading to Windows 95 or later. This program contains a buffer overflow that can be triggered by an overlong (over 221 bytes) filename with a ".grp" extension. The flaw may be exploited via "shell:" URIs to execute arbitrary code on a client system. In order to exploit the flaw, an attacker has to entice a user to click a link in an email or visit a webpage. The technical details regarding the overflow have been publicly posted since July 2004. (b) Windows Explorer and Internet Explorer contain a buffer overflow in handling network share names. The flaw can be triggered when a Windows client connects to a malicious file server that contains a share with a name longer than 259 bytes. The server can leverage the vulnerability to execute arbitrary code on the client. In order to exploit the flaw, the attacker has to entice a client (by way of a specially crafted email or web page) to connect to his malicious file server. The technical details and a proof-of-concept exploit have been posted since April 2004.

  • Status: Apply the fix referenced in the Microsoft MS04-037 advisory.

  • Council Site Actions: All of the reporting council sites responded to this item in the same manner as item 3 above.

  • References:
  • (6) HIGH: Microsoft Excel Buffer Overflow
  • Affected:
    • Microsoft Office 2000 SP3/XP SP2
    • Microsoft Office 2001/v.X for Mac
  • Description: Microsoft Excel contains a stack-based buffer overflow that can be triggered by a specially crafted Excel file. The problem occurs due to the lack of sanitization of one of the length values declared in an Excel file. Setting a certain length value to a large number triggers the overflow, which can be exploited to execute arbitrary code on a client system with the privileges of the currently logged-on user. In order to exploit the flaw, an attacker can send the malicious Excel file in an email, or entice a victim to visit a webpage hosting the file. Note that Internet Explorer automatically opens an Excel document, hence the flaw can be exploited easily via HTTP. The technical details have been posted.

  • Status: Apply the fix referenced in the Microsoft MS04-033 advisory. Users should be advised not to open untrusted Excel file attachments.

  • Council Site Actions: All of the reporting council sites are responding to this issue. Most of them plan to deploy the patch on either an accelerated basis or during their next regularly scheduled system update process. One site is not requiring this fix due to the difficulty factor of deploying MS Office updates. They will rely on their anti-virus strategy. A final site will only rely on communication to the users urging them to go to the Office Update site to get the patches. They do provide active support for Microsoft Office updates and they suspect the percentage of users who use the Office Update site is low (less than 20%).

  • References:
  • (7) MODERATE: Microsoft SMTP Server DNS Response Processing Overflow
  • Affected:
    • Windows XP 64-Bit Edition Version 2003
    • Windows Server 2003 including 64-Bit Edition
    • Exchange Server 2003 including SP1 on Windows Server 2003
    • Exchange Server 2003 on Windows 2000 SP3/SP4
    • Exchange Routing Component (Can be installed on Windows 2000)
  • Description: The Microsoft SMTP server contains a buffer overflow that can be triggered by certain DNS responses. The overflow may be exploited to execute arbitrary code with administrative privileges. No technical details regarding how to trigger the overflow have been posted. The Microsoft advisory lists blocking port 53/tcp traffic as a workaround. Usually, DNS lookups use UDP, and TCP DNS lookups are associated with large DNS responses. Hence, it is likely that an overlong DNS response would trigger the overflow. In order to exploit the flaw, an attacker has to force the SMTP server to query a DNS name that can be resolved by a DNS server under the attacker's control.

  • Status: Apply the fix contained in the Microsoft MS04-035 advisory. A workaround, as listed above, is to block port 53/tcp at the network perimeter.

  • Council Site Actions: Most of the reporting council sites are responding to this issue by installing the patch - either on an accelerated basis or during their next regularly scheduled system update process. A few sites said they are addressing (or have addressed) Internet-exposed systems first. One site is relying on the public Windows Update site and their local SUS server.

  • References:
  • (8) MODERATE: Microsoft Windows Metafile Processing Overflow
  • Affected:
    • Windows NT Server 4.0 SP 6a
    • Windows NT Server 4.0 Terminal Server Edition SP 6
    • Windows 2000 SP3/SP4
    • Windows XP including SP1
    • Windows XP 64-Bit Edition SP1/2003
    • Windows Server 2003 including 64-Bit Edition
    • Windows 98/SE/ME
  • Description: Windows metafiles are used to store graphics in a device independent format. GDI32.dll, the DLL that handles the Windows metafiles, contains a buffer overflow vulnerability. This flaw may be exploited to execute arbitrary code on a client system with the privileges of the user viewing the metafiles. In order to exploit the flaw, an attacker has to host a webpage or a network share containing a malicious metafile, and entice a victim to visit the webpage or the shared folder. Alternatively, an attacker can send an HTML email, or a document containing the malicious metafile to the victim. No technical details regarding the overflow have been posted.

  • Status: Apply the fix contained in the Microsoft MS04-032 advisory. The patch also fixes other local privilege escalation vulnerabilities.

  • Council Site Actions: Most of the reporting council sites are responding to this issue and will install the patch during their next regularly scheduled system update process. One site is relying on the public Windows Update site and their local SUS server.

  • References:
  • (9) LOW: Microsoft asycpict.dll JPEG Processing Vulnerabilities
  • Affected: Windows XP and possibly prior
  • Description: Windows asycpict.dll reportedly contains multiple vulnerabilities that can be triggered by specially crafted JPEG files. The flaws can be exploited to cause a DoS to the client machine (a reboot is supposedly required), and possibly to execute arbitrary code (not confirmed). The problems arise because the DLL does not sufficiently check the declared width and height fields in a JPEG image. Instances of the DLL failing to check other JPEG image attributes are listed in the advisory. The DLL is used by the Microsoft ActiveX Image control, and hence the flaw can be easily exploited via a webpage or an HTML email. A proof-of-concept exploit is included in the posted advisory.

  • Status: Microsoft has not confirmed the issue; no updates are available.

  • Council Site Actions: All council sites are awaiting confirmation and a patch from the vendor. Should the vendor confirm, they will distribute the patch during their next regularly scheduled system update process.

  • References:
Other Software
  • (10) HIGH: Veritas Cluster Server Remote Root Compromise
  • Affected:
    • Veritas Cluster Server for UNIX platforms
  • Description: The Veritas Cluster Server solution is used for balancing workloads between servers and providing a failover capability. The cluster server contains a vulnerability that may be exploited by a remote unauthenticated attacker to obtain "root" privileges. No technical details have been posted; more details may possibly be obtained by comparing the fixed and the vulnerable versions of the software. Note that the vulnerability has been rated "HIGH" (even though no technical details are available) due to the fact that the cluster server solution is used in mission-critical environments.

  • Status: Vendor confirmed, patches available.

  • Council Site Actions: Due to the late-breaking nature of the issue, we were unable to solicit council site input for this item.

  • References:
  • (12) MODERATE: phpMyAdmin Remote Command Execution
  • Affected: phpMyAdmin version 2.6.0-pl1 and prior
  • Description: phpMyAdmin is a PHP-based tool widely used to administer MySQL databases via HTTP. The phpMyAdmin MIME transformation plug-ins are used to display the contents of a SQL column in any chosen format when viewed in the phpMyAdmin browsing mode. The plug-in contains a vulnerability that may be exploited to execute arbitrary commands on the web server hosting phpMyAdmin, if the PHP safe mode is off (not a typical configuration). The technical details can be obtained by comparing the fixed and the vulnerable software packages.

  • Status: Vendor reported the issue and has provided an updated version 2.6.0-pl2.

  • Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:
Exploit Code
  • (13) Windows XP SP2 Firewall Bypass
  • Description: Proof-of-concept Trojan code has been posted that reportedly may be used to bypass any advanced Windows XP SP2 firewall configuration.

  • Council Site Updates: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary. One site stated they were still in the process of testing SP2 prior to its deployment.

  • Reference:
  • Posting by americanidiot
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 41, 2004

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3782 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 04.41.1 - CVE: CAN-2004-0206
  • Platform: Windows
  • Title: Windows NetDDE Remote Buffer Overflow Vulnerability
  • Description: Microsoft Windows NetDDE service is a legacy mechanism designed to facilitate communication between applications over a network. It is affected by a remote buffer overflow vulnerability. An attacker can exploit this issue to execute arbitrary code on the remote computer with SYSTEM privileges. Microsoft has issued security bulletin MS04-038 that addresses this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx

  • 04.41.2 - CVE: CAN-2004-0209
  • Platform: Windows
  • Title: Microsoft Windows WMF/EMF Image Format Buffer Overflow
  • Description: Microsoft Windows supports Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats. Windows WMF/EMF image rendering library is affected by a remote buffer overflow vulnerability. Microsoft has issued security bulletin MS04-032 that addresses this issue.
  • Ref: http://www.securityfocus.com/bid/11375/info/

  • 04.41.3 - CVE: CAN-2004-0569
  • Platform: Windows
  • Title: Microsoft RPC Runtime Library Multiple Vulnerabilities
  • Description: The Microsoft Windows RPC Runtime Library is vulnerable to an information disclosure and denial of service issue when processing specially crafted messages. Microsoft has issued security bulletin MS04-029 that addresses this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms04-029.mspx

  • 04.41.4 - CVE: Not Available
  • Platform: Windows
  • Title: Windows Asycpict.dll JPEG Handling Denial of Service
  • Description: Microsoft Windows is reported to be vulnerable to multiple denial of service issues when handling malformed JPEG files. Currently all versions of Windows XP are reported to be vulnerable, but it is likely that other operating systems are vulnerable as well.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-10/0126.html

  • 04.41.5 - CVE: CAN-2004-0575
  • Platform: Windows
  • Title: Microsoft Windows Compressed Folder Buffer Overflow
  • Description: The Microsoft Compressed (zipped) folders feature allows files and folders to be stored in a compressed format. It is reported to be vulnerable to a buffer overflow issue when a long filename is used. Windows XP SP1, 2003 and Windows Me are vulnerable. Microsoft has issued security bulletin MS04-034 that addresses this issue.
  • Ref: http://www.eeye.com/html/research/advisories/AD20041012A.html

  • 04.41.6 - CVE: CAN-2004-0840
  • Platform: Windows
  • Title: Microsoft SMTP Buffer Overflow
  • Description: A remote code execution vulnerability exists in the Windows Server 2003 SMTP component because of the way that it handles Domain Name System (DNS) lookups. An attacker could exploit the vulnerability by causing the server to process a particular DNS response that could potentially allow remote code execution. Microsoft has issued security bulletin MS04-035 that addresses this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms04-035.mspx

  • 04.41.7 - CVE: CAN-2004-0574
  • Platform: Windows
  • Title: Microsoft NNTP Component Buffer Overflow Vulnerability
  • Description: The Microsoft NNTP Component which is part of Internet Information Services could allow a remote user to execute arbitrary code in the context of the process accessing the vulnerable component. Microsoft has issued security bulletin MS04-036 that addresses this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms04-036.mspx

  • 04.41.8 - CVE: CAN-2004-0846
  • Platform: Microsoft Office
  • Title: Microsoft Excel File Handler Unspecified Buffer Overflow
  • Description: Microsoft Excel is reported to be vulnerable to an unspecified buffer overflow issue. The issue presents itself when the vulnerable software handles a malicious Excel file. All versions of Microsoft Excel except Microsoft Excel 2002 SP3, 2003 SP1 and 2003 are affected. Microsoft has issued security bulletin MS04-033 that addresses this issue.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-10/0112.html

  • 04.41.9 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Local XML Document Disclosure
  • Description: Reportedly, Microsoft Internet Explorer is affected by a vulnerability that could expose sensitive information from client computers. This issue is due to an access validation error that allows a malicious web page to read XML documents on a client computer. This was reported for version 6.0 of Internet Explorer.
  • Ref: http://www.securityfocus.com/bid/11345/credit/

  • 04.41.10 - CVE: CAN-2004-0843
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Address Bar Spoofing
  • Description: A spoofing vulnerability exists in Internet Explorer's processing of plug-in navigations. This vulnerability could result in an incorrect URL being listed in the address bar that is not the actual Web page that is appearing in Internet Explorer. Microsoft has issued security bulletin MS04-038 that addresses this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx

  • 04.41.11 - CVE: CAN-2004-0845
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer SSL Caching Vulnerability
  • Description: A spoofing vulnerability exists in the way that Internet Explorer validates cached content from SSL protected web sites. This vulnerability could allow an attacker to run script of their choice on security-enhanced web sites. All current versions of Internet Explorer are affected.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx

  • 04.41.12 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: ASP.NET URL Canonicalization Information Disclosure
  • Description: Microsoft ASP.NET is a collection of technologies that supports a range of common HTTP tasks. It is reported to be vulnerable to a remote information disclosure issue. ASP.NET, ASP.NET 1.0 and ASP.NET 1.1 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/11342

  • 04.41.13 - CVE: CAN-2003-0718
  • Platform: Other Microsoft Products
  • Title: Microsoft IIS Server Denial of Service
  • Description: Microsoft Internet Information Services (IIS) is reported to be vulnerable to a denial of service condition. This issue occurs when the WebDAV component is present. Reportedly, attackers could send specially crafted WebDAV requests that consume all available memory and CPU resources on the vulnerable host. Microsoft has issued security bulletin MS04-030 that addresses this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms04-030.mspx

  • 04.41.14 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer showHelp Zone Bypass
  • Description: A vulnerability in the cross domain security model exists in Internet Explorer due to the way it handles navigation methods by functions that have similar names. If a user is logged on with administrative privileges, an attacker could take complete control of an affected system. Microsoft has issued security bulletin MS04-038 that addresses this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx

  • 04.41.15 - CVE: CAN-2004-0216
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer ActiveX Control Buffer Overflow
  • Description: Microsoft Internet Explorer's Install Engine (Inseng.dll) is vulnerable to a buffer overflow condition. This could allow a remote attacker to execute arbitrary code on the vulnerable system via a malicious web page or an email. Microsoft has issued security bulletin MS04-038 that addresses this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx

  • 04.41.16 - CVE: CAN-2004-0844
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Address Bar Spoofing
  • Description: A spoofing vulnerability exists in Internet Explorer's processing of URLs on double byte character set systems. This vulnerability could result in an incorrect URL being displayed in the address bar that is not the actual web page displayed by Internet Explorer. Microsoft has issued security bulletin MS04-038 that addresses this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx

  • 04.41.17 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ShixxNOTE Remote Buffer Overflow
  • Description: ShixxNOTE is a personal organizer application. It is reportedly vulnerable to a remote buffer overflow condition. An attacker may leverage this issue to execute arbitrary code on a vulnerable computer with the privileges of the user running the vulnerable application. The vulnerability has been confirmed on version 6.net (build 117) of ShixxNOTE.
  • Ref: http://aluigi.altervista.org/adv/shixxbof-adv.txt

  • 04.41.18 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Lithtech Game Engine Remote Buffer Overflow
  • Description: Monolith Lithtech game engine is used by many Monolith games. It is reported vulnerable to a buffer overflow issue when an attacker sends a secure Gamespy query followed by at least 68 chars. No official fix was released.
  • Ref: http://aluigi.altervista.org/adv/lithsec-adv.txt

  • 04.41.19 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: MailEnable Multiple Remote Denial of Service
  • Description: MailEnable is a POP3, IMAP and SMTP server. MailEnable is vulnerable to two denial of service issues that could allow an attacker to crash the SMTP or IMAP server. MailEnable version 1.5e has been released to fix these issues.
  • Ref: http://www.mailenable.com/professionalhistory.html

  • 04.41.20 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Yak! Chat Client FTP Server Directory Traversal
  • Description: Yak! is a chat client distributed by Digicraft Software. Insufficient sanitization of the "../" characters exposes a directory traversal issue in the application. Yak! versions 2.1.2 and earlier are affected.
  • Ref: http://aluigi.altervista.org/adv/yak-adv.txt

  • 04.41.21 - CVE: CAN-2004-0803
  • Platform: Linux
  • Title: LibTIFF Multiple Buffer Overflows
  • Description: LibTIFF is a library designed to facilitate the reading and manipulation of Tag Image File Format (TIFF) files. It is reported to be vulnerable to multiple buffer overflow issues. Currently LibTIFF version 3.6.1 is reported to be vulnerable.
  • Ref: http://lwn.net/Articles/106377/

  • 04.41.22 - CVE: Not Available
  • Platform: Linux
  • Title: MediaWiki Multiple Remote Input Validation Vulnerabilities
  • Description: MediaWiki is web application software. Versions earlier than 1.3.6 are vulnerable to multiple cross-site scripting, HTML injection, and SQL injection issues due to improper user input validation.
  • Ref: http://wikipedia.sourceforge.net/

  • 04.41.23 - CVE: Not Available
  • Platform: Unix
  • Title: BNC Buffer Overflow Vulnerability
  • Description: The BNC proxy server is reportedly vulnerable to a buffer overflow condition. This issue is present in the "sbuf_getmsg()" network message parsing routine. It is conjectured that this can be triggered by data coming from a malicious IRC server. BNC versions prior to 2.8.9 are reported to be vulnerable.
  • Ref: http://www.gotbnc.com/changes.html#2.8.9

  • 04.41.24 - CVE: Not Available
  • Platform: Unix
  • Title: Renattach Potential Command Execution Vulnerability
  • Description: The Renattach malicious email-attachment filter is reportedly vulnerable to a command execution vulnerability. This issue occurs because its "popen()" call uses the "/bin/sh" shell to process the input. This allows the use of special shell characters that can be used to execute arbitrary commands on the system. Renattach versions 1.2.0 and 1.2.1 are reported to be vulnerable.
  • Ref: http://www.pc-tools.net/unix/renattach/2004-10-03.txt


  • 04.41.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: JRun Management Console HTML Injection Vulnerability
  • Description: Macromedia JRun is a J2EE application server for Microsoft IIS 4/5 or Apache on Unix/Linux systems. It is vulnerable to an HTML injection issue in its management console. Attackers may exploit this issue to steal session ids. JRun versions 3.0, 3.1 and 4.0 are affected.
  • Ref: http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html

  • 04.41.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM DB2 Unspecified Vulnerability
  • Description: IBM DB2 is reported vulnerable to an unspecified vulnerability when DTS to string conversion is carried out. It is conjectured that this issue could allow for a remote denial of service attack or even code execution. IBM DB2 versions 8.1 Fixpak 7 and earlier are reported to be vulnerable. IBM has updated Fixpak 6 and 7 to 6a and 7a to include fixes for these flaws.
  • Ref: http://www.securityfocus.com/bid/11400/credit/

  • 04.41.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM DB2 JDBC Buffer Overflow
  • Description: IBM DB2 is affected by a remotely exploitable buffer overflow vulnerability. The issue is due to insufficient bounds checking of data included in requests that are passed to the JDBC service. The vendor has released FixPak 6a and 7a to address this issue.
  • Ref: http://www-1.ibm.com/support/docview.wss?uid=swg1IY61492


  • 04.41.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: DB2 Universal Database Remote Buffer Overflow
  • Description: DB2 is a database server available from IBM. It is vulnerable to a remote buffer overflow vulnerability, caused by its failure to validate input strings under certain configurations. An attacker may exploit this issue to execute arbitrary code in the context of the vulnerable application.
  • Ref: http://www-1.ibm.com/support/docview.wss?rs=71&context=SSEPGG&uid=swg21179535&loc=en_US&cs=utf-8=en

  • 04.41.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Yeemp File Transfer Public Key Verification Bypass
  • Description: Yeemp is a decentralized instant messaging system. It is reported to be vulnerable to a public key verification bypass issue. The issue exists due to unencrypted initial public key transfer. Yeemp versions 0.9.9 and earlier are affected by this issue.
  • Ref: http://deekoo.net/technocracy/yeemp/

  • 04.41.32 - CVE: CAN-2004-0885
  • Platform: Cross Platform
  • Title: Apache mod_ssl Access Validation Vulnerability
  • Description: mod_ssl provides an interface for accessing the OpenSSL libraries from within Apache. The version of mod_ssl included with Apache 2.0.35 - 2.0.52 is vulnerable to an access validation issue when it is configured to be used with the "SSLCipherSuite" directive. This issue can allow an attacker to bypass security policies and access potentially sensitive data.
  • Ref: http://www.securityfocus.com/advisories/7327

  • 04.41.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ColdFusion MX Java Extensibility Weakness
  • Description: ColdFusion MX is an application server infrastructure from Macromedia. ColdFusion MX is vulnerable to an issue that allows all developers to utilize the "CFOBJECT" tag and the "CreateObject" function to execute potentially malicious code in the context of the affected application server. ColdFusion MX versions 6.0 and 6.1 are affected.
  • Ref: http://www.macromedia.com/devnet/security/security_zone/mpsb04-10.html

  • 04.41.34 - CVE: CAN-2004-0918
  • Platform: Cross Platform
  • Title: Squid Proxy SNMP ASN.1 Parser Denial of Service
  • Description: Squid is web proxy software. Insufficient sanitization of negative values in the "asn_parse_header()" function while parsing UDP datagrams exposes a denial of service condition in the software. Squid versions 2.5-STABLE6 and earlier and 3.0-PRE3-20040702 are affected.
  • Ref: http://www.idefense.com/application/poi/display?id=152&type=vulnerabilities&flashstatus=true

  • 04.41.35 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Acrobat Reader Remote Access Validation Vulnerability
  • Description: Adobe Acrobat Reader allows users to read Portable Document Format (PDF) files. It is vulnerable to an access validation vulnerability which will allow an attacker to send local files from the victim's machine to a remote server through a malicious SWF file embedded in a PDF document. Adobe Acrobat Reader version 6.x is affected.
  • Ref: http://www.securityfocus.com/archive/1/378314

  • 04.41.36 - CVE: Not Available
  • Platform: Cross Platform
  • Title: NatterChat SQL Injection
  • Description: NatterChat is a chat application implemented in CGI/Perl. Insufficient sanitization of user supplied input exposes an SQL injection issue in the application. NatterChat version 1.12 is affected.
  • Ref: http://secunia.com/advisories/12834/

  • 04.41.37 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MySQL Remote FULLTEXT Denial of Service
  • Description: MySQL is vulnerable to a remote denial of service issue in its "FULLTEXT" search functionality. An attacker can exploit this issue to cause the database server to crash. MySQL version 4.0.20 is affected.
  • Ref: http://bugs.mysql.com/bug.php?id=3870

  • 04.41.38 - CVE: Not Available
  • Platform: Web Application
  • Title: FuseTalk Forum Cross-Site Scripting
  • Description: FuseTalk is an online web-based forum. Insufficient sanitization of user supplied parameters exposes various cross-site scripting issues in the application. FuseTalk versions 2.x, 3.x and 4.x are affected.
  • Ref: http://secunia.com/advisories/12823/

  • 04.41.39 - CVE: Not Available
  • Platform: Web Application
  • Title: SCT Campus Pipeline Cross-Site Scripting
  • Description: Campus Pipeline is a web-based information management system. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of the "utf" URL parameter to the "render.UserLayoutRootNode.uP" script.
  • Ref: http://secunia.com/advisories/12826/

  • 04.41.40 - CVE: Not Available
  • Platform: Web Application
  • Title: phpMyAdmin Remote Command Execution
  • Description: phpMyAdmin is a web interface to administrate a MySQL database. phpMyAdmin is vulnerable to a remote command execution issue due to a problem in the MIME-based transformation system with "external" transformations. phpMyAdmin version 2.6.0-pl1 and earlier are known to be vulnerable.
  • Ref: http://sourceforge.net/forum/forum.php?forum_id=414281

  • 04.41.41 - CVE: Not Available
  • Platform: Web Application
  • Title: Project Logger Data Corruption Vulnerability
  • Description: Project Logger is a web-based project collaboration system. Insufficient sanitization of the "companyid" parameter in the software could lead to corruption of data on the server. Project Logger 1.0RC1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/11395/info/

  • 04.41.42 - CVE: Not Available
  • Platform: Web Application
  • Title: Pinnacle Systems ShowCenter Cross-Site Scripting
  • Description: The Pinnacle Systems ShowCenter web application is reported to be vulnerable to a cross-site scripting issue. This is due to insufficient sanitization of data supplied via URL parameters. This could be used toward theft of cookie-based authentication parameters from legitimate clients. ShowCenter versions 1.x are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/12613/

  • 04.41.43 - CVE: Not Available
  • Platform: Web Application
  • Title: Traffic Trader PHP Input Validation Vulnerabilities
  • Description: Turbo Traffic Trader PHP is reportedly vulnerable to multiple input validation issues. These include cross-site scripting and SQL injection attacks. These can be used toward theft of cookie-based authentication parameters and compromise of the remote backend database. Turbo Traffic Trader PHP version 1.0 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/11358/discussion/

  • 04.41.44 - CVE: Not Available
  • Platform: Web Application
  • Title: CJOverkill Cross-Site Scripting
  • Description: CJOverkill is a traffic trading script. Insufficient sanitization of the "tms" URL parameter in the "trade.php" script exposes a cross-site scripting issue. CJOverkill version 4.0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/11359

  • 04.41.45 - CVE: Not Available
  • Platform: Web Application
  • Title: GoSmart Board Input Validation Vulnerabilities
  • Description: GoSmart Message Board is a web-based message board application implemented in ASP. It is reported to be vulnerable to multiple input validation vulnerabilities. These issues exist due to improper sanitization of user-supplied input.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-10/0073.html

  • 04.41.46 - CVE: Not Available
  • Platform: Web Application
  • Title: ZanfiCmsLite Remote File Include
  • Description: ZanfiCmsLite is a web-based content management system. ZanfiCmsLite version 1.1 is vulnerable to a remote file include issue due to lack of user-supplied data sanitization.
  • Ref: http://www.proxysky.com/vulz/show.php?id=3

  • 04.41.47 - CVE: Not Available
  • Platform: Web Application
  • Title: DUware Multiple Remote Vulnerabilities
  • Description: DUware includes various web applications such as DUclassmate, DUclassified, and DUforum. Insufficient sanitization of user-supplied input in these applications exposes various SQL injection and cross-site scripting issues. DUclassified version 4.2, DUclassmate version 1.1 and DUforum version 3.1 are affected.
  • Ref: http://www.securitytracker.com/alerts/2004/Oct/1011596.html

  • 04.41.48 - CVE: Not Available
  • Platform: Web Application
  • Title: ocPortal Content Management System Remote File Include
  • Description: ocPortal is a typical web-based content management application. It is reported to be vulnerable to a remote file include issue. The problem exists due to improper sanitization of the "req_path" variable supplied through URL input. ocPortal versions 1.0, 1.0.1, 1.0.2 and 1.0.3 are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-10/0094.html

  • 04.41.49 - CVE: Not Available
  • Platform: Web Application
  • Title: IceWarp Web Mail Multiple Input Validation Vulnerabilities
  • Description: IceWarp Web Mail is web-based access software for the IceWarp email server. IceWarp Web Mail is vulnerable to multiple unspecified remote input validation issues due to insufficient validation of user-supplied input. IceWarp Web Mail version 5.3.0 fixes these issues.
  • Ref: http://www.icewarp.com/Products/IceWarp_Web_Mail/releasenotes_webmail.txt

  • 04.41.50 - CVE: Not Available
  • Platform: Web Application
  • Title: AliveSites Forum Multiple Unspecified Vulnerabilities
  • Description: AliveSites Forum is a COM object tool for implementing web forums. It is reported to be vulnerable to multiple unspecified input validation, SQL injection and cross-site scripting issues. These issues exist due to improper sanitization of user-supplied input. AliveSites Forum 2.0 is reported to be vulnerable.
  • Ref: http://secunia.com/advisories/12844/

  • 04.41.51 - CVE: Not Available
  • Platform: Web Application
  • Title: Express-Web Cross-Site Scripting
  • Description: Express-Web is a content management application. Insufficient sanitization of user supplied input exposes a cross-site scripting issue. All current versions are affected.
  • Ref: http://secunia.com/advisories/12839/

  • 04.41.52 - CVE: Not Available
  • Platform: Web Application
  • Title: CyberStrong eShop Shopping Cart Cross-Site Scripting
  • Description: The CyberStrong eShop ASP Shopping Cart is reported to be vulnerable to a cross-site scripting issue. This is due to insufficient sanitization of data supplied via URL parameters before it is rendered to clients. This issue could be used toward theft of cookie-based authentication credentials.
  • Ref: http://secunia.com/advisories/12842/

  • 04.41.53 - CVE: Not Available
  • Platform: Web Application
  • Title: DevoyBB Forum Multiple Input Validation
  • Description: DevoyBB Forum is a web-based forum application. Insufficient sanitization of user-supplied input exposes various SQL injection and cross-site scripting issues. DevoyBB Forum version 1.x is affected.
  • Ref: http://secunia.com/advisories/12840/

  • 04.41.54 - CVE: Not Available
  • Platform: Web Application
  • Title: WeHelpBUS Undisclosed Remote Command Execution
  • Description: WeHelpBUS is a web-based help browser. It is reported to be vulnerable to remote command execution. The issue exists due to improper sanitization of user-supplied input. WeHelpBUS version 0.2 has been released to address this issue.
  • Ref: http://secunia.com/advisories/12831/

  • 04.41.55 - CVE: Not Available
  • Platform: Web Application
  • Title: WowBB Forum Multiple Input Validation
  • Description: The WowBB web-based forum is reportedly vulnerable to multiple unspecified input validation security issues. These include SQL injection and cross-site scripting conditions. These could be used toward theft of cookie-based authentication credentials and remote compromise of the backend database. WowBB Forum version 1.61 is affected.
  • Ref: http://secunia.com/advisories/12843/

  • 04.41.56 - CVE: Not Available
  • Platform: Web Application
  • Title: DMXReady Site Chassis Manager Cross-Site Scripting and SQL Injection
  • Description: DMXReady Site Chassis Manager is a dynamic web site management application. It is reported to be vulnerable to cross-site scripting and a SQL injection issue. These issues are present due to improper sanitization of user-supplied input. All current versions are affected.
  • Ref: http://secunia.com/advisories/12841/

  • 04.41.57 - CVE: Not Available
  • Platform: Network Device
  • Title: 3Com 3CRADSL72 Information Disclosure
  • Description: 3Com 3CRADSL72 is an ADSL 11g wireless router. A remote attacker could retrieve sensitive information such as the router name, WEP encryption key, and primary and secondary DNS servers due to insufficient permissions on the "app_sta.stm" file. 3CRADSL72 firmware versions 1.x are vulnerable.
  • Ref: http://secunia.com/advisories/12846/

  • 04.41.58 - CVE: Not Available
  • Platform: Network Device
  • Title: 3Com OfficeConnect Multiple Vulnerabilities
  • Description: 3Com OfficeConnect ADSL Wireless 11g firewall router combines an ADSL modem, router, 802.11g wireless access point, four-port switch, and firewall into one device. Firmware versions earlier than 1.27 of this device are vulnerable to multiple unspecified vulnerabilities which can be exploited remotely.
  • Ref: http://www.3com.com/support/en_US/index3.html

(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.