@RISK: The Consensus Security Vulnerability Alert

Volume: III, Issue: 42
October 25, 2004

One of Microsoft's patches from last week already has been worked around by hackers, at least on some platforms. See Item 1. The zip-file vulnerability in most anti-virus programs (See Item 2) will probably be corrected automatically in your AV systems if patching is automatic, but this problem gives you another opportunity to remind your users about not downloading and opening a file from email unless they were expecting the specific file. Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                   # of Updates & Vulnerabilities
    Microsoft Office           1
    Other Microsoft Products   3 (#1, #9, #10, #11)
    Third Party Windows Apps   4 (#2, #6)
    Linux                      2 (#3, #8)
    Unix                       4
    Cross Platform             18 (#5, #7)
    Web Application            9 (#4)
    Network Device             1

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Microsoft Office
Other Microsoft Products
Third Party Windows Apps
Linux
Unix
Cross Platform
Web Application
Network Device

************************** SPONSORED LINKS ******************************

Privacy notice: Sponsored links redirect to non-SANS web pages. Simple, secure alternative to NIS/NIS+ and LDAP for UNIX/Linux user account and password management. FREE downloads. http://www.sans.org/info.php?id=624

*************************************************************************

Featured Training program of the Week: Washington, DC, December 7-14 ( http://www.sans.org/cdieast04 ) Early registration deadline is on the 26th (but email registration@sans.org if you need a few extra days). Our first "all boot camp" training program will be held in Washington, DC in early December. Boot camp gives you more hands on time, more time with the instructor, more confidence in using what you learned. Thirteen tracks for auditors, managers, beginners and everyone who has hands-on responsibility for security. SANS top instructors will be there: Eric Cole will be teaching the uniquely effective new SANS +S Training Course for CISSP(R) (a registered trademark of ISC2), and the top teachers of SANS Security Essentials, Hacker Exploits, Firewalls, Auditing, Management tracks and several more will all be in Washington, as well. More information at http://www.sans.org/cdieast04

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Internet Explorer Drag and Drop Vulnerability
  • Affected:
    • Internet Explorer 6.0 on fully patched XP SP2
  • Description: A variation of the "drag and drop" vulnerability has been reported that may be exploited to compromise a Windows client via a malicious web page or an HTML email. The exploitation proceeds as follows:

    (a) A specially crafted HTML "style" sheet is used to access a local folder on a Windows client.

    (b) An IMG element with its "src" set to a filename (without any extension) is dragged and dropped to the local folder opened in step (a). IE's cumulative patch MS04-038, released last week, prevents an IMG element with its src set to an executable file from being dragged. However, the patch does not prevent the "drag and drop" of an image with the src attribute set to other file formats such as pdf, xml etc. Further, if no extension is used for the IMG element's src file, IE automatically creates a file with the file type extension after the drag and drop operation. Thus, an attacker can create a malicious file with a ".htm" extension on the client's local file system.

    (c) The malicious HTML file is invoked via the HTML Help ActiveX control (hhctrl.ocx). This leads to execution of arbitrary code on the client system. A proof-of-concept exploit has been publicly posted. The PoC exploit demonstrates how to use the "ADODB.recordset" object to write arbitrary files on the client's local system. Although this exploit requires user interaction, it may be possible to rewrite the exploit such that no user interaction is required. Note that the Akak Trojan exploited the earlier variation of this vulnerability in the wild.

  • Status: Microsoft has not confirmed. An unofficial fix has been posted that sets the kill bit for the "Shell.Explorer" ActiveX control. This control is responsible for displaying the folders in IE. Setting the kill bit prevents displaying any folders, and prevents exploitation via the published attack vector. The fix can be downloaded from: http://www.pivx.com/research/freefixes/neutershellexplorer.reg

  • Council Site Actions: All reporting council sites are responding to this vulnerability. Most are waiting for confirmation and a patch from the vendor. One site is evaluating the pros and cons of deploying the fix provided by PivX (referenced under Status, above).

  • References:
  • (2) MODERATE: Multiple Anti-Virus Products Zip Detection Bypass
  • Affected:
    • McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV anti-virus products
  • Description: A number of anti-virus products contain a vulnerability that may be exploited to bypass scanning of certain zip files. The problem occurs when scanning specially crafted zip files that have a zip file header with the "compressed file length" parameter set to zero. Windows, however, unzips these files normally. Hence, an email virus may exploit this flaw to evade detection by the anti-virus software, and infect a client machine.

  • Status: All vendors except RAV have confirmed and have released updates.

  • Council Site Actions: Most of the reporting council sites have already patched their systems. One site has notified their system support group and directed them to contact the vendors for the appropriate patch for their email AV servers. Another site uses the auto-update feature of McAfee and they believe most of their systems have been updated.

  • References:
  • (3) LOW: Mozilla Browser Memory Corruption
  • Affected:
    • Mozilla browser, all versions
    • Possibly Firefox browser and Thunderbird email client
  • Description: Mozilla browser contains a memory corruption vulnerability that can be triggered by specially crafted HTML pages. The problem occurs when the browser processes web pages with certain HTML tags that are followed by a "null" character. The memory corruption may be exploited to possibly execute arbitrary code on the client (not confirmed). The technical details regarding the flaws and proof-of-concept exploits have been posted.

  • Status: The flaws have reportedly been fixed in Mozilla snapshots.

  • Council Site Actions: Mozilla is not yet in widespread use at most of the council sites. A few of the sites have already installed patches for their small user base. Several sites have only a handful of users and don't plan any action. One site does support Mozilla for UNIX and will provide an update in early November. However, they do not provide any support for their Windows or Macintosh users, but believe the users will obtain a new version on their own.

  • References:
Other Software
  • (4) HIGH: SalesLogix Server Multiple Vulnerabilities
  • Affected:
    • SalesLogix Corporation SalesLogix 2000.0.0
  • Description: SalesLogix server, a customer relationship management solution, reportedly contains multiple vulnerabilities. (a) By manipulating cookie variables, it is possible to obtain administrative access to the SalesLogix web server. (b) The web server contains a SQL injection vulnerability that can be exploited to execute arbitrary SQL code on the back-end database. (c) It is possible to obtain read and write privileges to the backend database by examining responses from the web server. (d) In addition, the server contains a directory traversal vulnerability that may be exploited to upload arbitrary files. The posted advisory shows how to exploit these flaws.

  • Status: Vendor has confirmed, service packs are available.

  • Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:
  • (5) MODERATE: Gaim Client MSN SLP Message Overflow
  • Affected:
    • Gaim version prior to 1.0.2
  • Description: Gaim is a multi-protocol instant messaging client for Linux, BSD, MacOS X and Windows platforms. The client contains an overflow that can be triggered by a sequence of MSN "SLP" protocol messages. The SLP protocol is similar to the widely used "SIP" protocol in Voice-over-IP communications. The overflow may be exploited to possibly execute arbitrary code. The technical details regarding the flaw can be obtained by examining the fixed code.

  • Status: Vendor has confirmed, upgrade to version 1.0.2. Updates have been provided by RedHat, Mandrake and Fedora Linux distributions.

  • Council Site Actions: Only one council site is using the affected software. Most of their systems regularly obtain updates from the Linux vendor through an automated process. They also have a substantial number of Red Hat Enterprise Linux systems for which an administrator must manually trigger updates, and this update (RHSA-2004:604-05) will most likely occur in early November. Another site said that although they don't use this package, their systems would still be updated by their Red Hat Up2Date server.

  • References:
  • (6) MODERATE: Code-crafters Ability Server Overflow
  • Affected:
    • Ability server version 2.34
  • Description: Ability server, a Windows-based Web, SMTP and FTP server, contains a buffer overflow in its FTP server component. An authenticated attacker can trigger the overflow by supplying an overlong argument to the "STOR" command. The flaw can be exploited to execute arbitrary code on the server; exploit code has been publicly posted. FTP servers configured for anonymous access face the greatest risk from this vulnerability, since any remote user can authenticate.

  • Status: Unknown.

  • Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:
  • (7) MODERATE: Altiris Deployment Software Client Compromise
  • Affected:
    • Clients managed via Altiris Deployment server versions 5.x and 6.x
  • Description: Altiris Deployment Server is designed to manage operating system patches and other software deployment on servers, desktops, notebooks etc. The systems managed by the Altiris Deployment Server are installed with the Altiris agent software. The agent software does not perform any credential checks on the Deployment Server prior to receiving the updates. In the configuration where the agents locate the Deployment Server via broadcast, it may be possible for an attacker on the same network to impersonate the Deployment Server. The attacker can possibly obtain administrative privileges over any managed systems.

  • Status: Vendor has been contacted, no patches are available.

  • Council Site Actions: Two of the reporting council sites are using the affected software. One site is waiting for a patch from the vendor. The other site does not use the multicast option; thus, they believe they are not vulnerable.

  • References:
  • (8) MODERATE: Xpdf Multiple Integer Overflows
  • Affected:
    • Xpdf version 3.00-r2 and prior
    • KDE Kpdf on KDE version 3.2.x, 3.3.0 and 3.3.1
    • CUPS version 1.1.20-r3 and prior
  • Description: Xpdf is an open source viewer for PDF files. The viewer contains multiple integer overflow vulnerabilities. A malicious PDF document may exploit the buffer overflow flaws to execute arbitrary code on a UNIX client. Note that Xpdf may be configured as a helper application for web browsers, in which case the flaw may be triggered when a user clicks a link pointing to a malicious PDF file. Note that the Common UNIX Printing System (CUPS) uses code from the Xpdf project. Hence, printing the malicious PDF file on a CUPS printer may result in execution of code on the print server. The technical details regarding the flaw have not been posted.

  • Status: Multiple Linux vendors such as Gentoo, RedHat and Mandrake have confirmed the flaws, and released updated packages.

  • Council Site Actions: Only one of the reporting council sites is using the affected software. However, most of the systems execute xpdf from a central installation accessed through a distributed filesystem. They plan to update this copy of xpdf soon. They do not have any plans to address xpdf downloads made by individuals for their own personal systems.

  • References:
Exploit Code
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 42, 2004

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3807 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 04.42.1 - CVE: Not Available
  • Platform: Microsoft Office
  • Title: Outlook 2003 Security Policy Bypass
  • Description: Microsoft Outlook 2003 is vulnerable to a security policy bypass issue. An attacker can craft a special email with a base64 encoded image. The attacker labels the image using "Content-ID" to make Outlook render the image automatically when the user views the email, thus bypassing the security policy.
  • Ref: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/default.asp

  • 04.42.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Outlook Express Plaintext Email Security Policy Bypass
  • Description: Microsoft Outlook Express is reported to be vulnerable to a security policy bypass issue. The issue exists due to improper sanitization of a "cid:" parameter. Currently all Outlook Express versions are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/11447/info/
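
The mechanism both Outlook entries above (04.42.1 and 04.42.2) rely on, as an added example that is not part of this bulletin and not Microsoft's code: a constructed message embeds a base64 image under a Content-ID and references it from the HTML body with cid:, so the client renders it without any external fetch and therefore without the external-content block. The second half is the gateway-side check a mail administrator wants: list the cid: references in the HTML that resolve to an attached part. The addresses, the fake PNG bytes and the function names are assumptions.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Constructed stand-in for an image; only the Content-ID plumbing matters here.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
CID_REF = re.compile(r"""src\s*=\s*["']?cid:([^"'\s>]+)""", re.IGNORECASE)


def build_inline_image_mail(cid: str = "img1@example.test") -> bytes:
    """Message of the shape the two Outlook entries describe: the image travels
    inside the mail, base64-encoded, under a Content-ID that the HTML body
    references with cid:, so the client renders it without an external fetch."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"      # constructed addresses
    msg["To"] = "victim@example.test"
    msg["Subject"] = "constructed test message"
    msg.set_content("plain-text fallback")
    msg.add_alternative(
        f'<html><body><p>hello</p><img src="cid:{cid}" alt=""></body></html>',
        subtype="html")
    # Attach the image to the HTML alternative, which becomes multipart/related.
    msg.get_payload()[1].add_related(FAKE_PNG, "image", "png", cid=f"<{cid}>")
    return msg.as_bytes()


def inline_cid_images(raw: bytes) -> list:
    """(cid, content_type_or_None) for every cid: image reference in the HTML
    body; a non-None type means a MIME part with that Content-ID is present,
    so the image displays without any external-content prompt."""
    msg = message_from_bytes(raw, policy=default)
    html = ""
    parts_by_cid = {}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            html += part.get_content()
        cid_header = part["Content-ID"]
        if cid_header:
            parts_by_cid[str(cid_header).strip("<>")] = ctype
    return [(cid, parts_by_cid.get(cid)) for cid in CID_REF.findall(html)]


def auto_rendering_image_count(raw: bytes) -> int:
    """Number of embedded images in `raw` that resolve, i.e. render automatically."""
    return sum(1 for _, ctype in inline_cid_images(raw) if ctype is not None)


if __name__ == "__main__":
    sample = build_inline_image_mail()
    print(inline_cid_images(sample))
    print("auto-rendering images:", auto_rendering_image_count(sample))
```

A gateway that blocks or rewrites external image references should apply the same policy to cid: references that resolve, since from the user's point of view both display without consent.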

  • 04.42.3 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Drag and Drop Embedded Code Vulnerability
  • Description: It has been reported that the MS04-038 Microsoft cumulative Internet Explorer patch does not completely resolve the original security issue. Certain file types are still permitted for drag and drop operations which could allow execution of arbitrary code on the vulnerable host. This will effectively allow hostile script to be executed in the Local Zone on the affected computer.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-10/0203.html

  • 04.42.4 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer HTML Help Control Privilege Escalation
  • Description: Microsoft Windows XP SP2 and Internet Explorer 6 SP2 have enhanced "Local Zone" security restrictions. Due to an issue in the software it is possible to force Internet Explorer to open remote HTML help content within the Windows help system, thus bypassing restrictions that would normally exist in the Local Zone.
  • Ref: http://secunia.com/advisories/12321/

  • 04.42.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Twister Anti-TrojanVirus Scan Evasion
  • Description: The Twister Anti-TrojanVirus package is affected by a scan evasion vulnerability. Files named with reserved MS-DOS device names such as COM1, CON, LPT1 etc are skipped by the scanner. This issue was reported for version 5.5 of the software.
  • Ref: http://www.securityfocus.com/archive/1/378634

  • 04.42.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SalesLogix Multiple Remote Vulnerabilities
  • Description: Best Software SalesLogix is a business to customer application. Multiple issues in the software could allow an attacker to manipulate database contents through SQL injection attacks, steal authentication credentials and bypass authentication. SalesLogix 2000.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/378637

  • 04.42.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: unarj Remote Directory Traversal
  • Description: ARJ Software unarj is a file decompression utility. Reportedly, it allows an attacker to overwrite arbitrary files on a host that uses the vulnerable software. This is because the software fails to prevent directory traversal using "../" sequences specified in filename attributes. unarj version 1.65 was reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/11436/credit/

  • 04.42.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Age of Sail II Remote Buffer Overflow
  • Description: Akella Privateer's Bounty: Age of Sail II is a real time strategy game. It is reportedly vulnerable to a remote buffer overflow condition that is exposed when an overly long nickname is used at login. An attacker could use this to execute arbitrary code on the vulnerable game server host.
  • Ref: http://aluigi.altervista.org/adv/aos2bof-adv.txt

  • 04.42.9 - CVE: CAN-2004-0816
  • Platform: Linux
  • Title: Linux Kernel IPTables Logging Underflow
  • Description: The Linux kernel supports netfilter and iptables that provide packet filtering, network address translation and other services. An integer underflow vulnerability was reported in the iptables logging rules. Linux kernel version 2.6 is affected while version 2.4 is not vulnerable.
  • Ref: http://www.netfilter.org/security/2003-08-01-listadd.html

  • 04.42.10 - CVE: CAN-2004-0814
  • Platform: Linux
  • Title: Linux Kernel Terminal Locking Race Condition
  • Description: A race condition exists in the terminal subsystem of Linux Kernel. This issue can be used to create a remote denial of service by sending specially crafted packets. This issue has been addressed in version 2.6.9 of the Linux Kernel. Patches are also available for 2.4.x releases.
  • Ref: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=131672

  • 04.42.11 - CVE: Not Available
  • Platform: Unix
  • Title: Gnofract 4D Remote Script Code Execution
  • Description: Gnofract 4D is a graphic application to generate fractal images. Gnofract 4D is vulnerable to a remote script code execution issue. A remote attacker can exploit this issue to execute arbitrary script code. Gnofract 4D versions 2.1 and earlier are vulnerable.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=275738

  • 04.42.12 - CVE: Not Available
  • Platform: Unix
  • Title: Links Malformed Table Denial of Service
  • Description: Links is vulnerable to a denial of service issue when handling specially crafted HTML tables. Links versions 0.99 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/378632

  • 04.42.13 - CVE: Not Available
  • Platform: Unix
  • Title: MPG123 Remote URL Open Buffer Overflow
  • Description: mpg123 is a media file player for Linux and Unix platforms. mpg123 is vulnerable to a remote buffer overflow issue. An attacker can leverage this issue to execute arbitrary code on an affected computer.
  • Ref: http://www.mpg123.de/

  • 04.42.14 - CVE: CAN-2004-0913
  • Platform: Unix
  • Title: Ecartis Remote Undisclosed Privilege Escalation
  • Description: Ecartis is a mailing list manager. It is reportedly vulnerable to an undisclosed privilege escalation issue. This allows an attacker who resides in the same domain as the list administrator to gain administrative access to the list.
  • Ref: http://www.debian.org/security/2004/dsa-572

  • 04.42.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: AntiVir MS-DOS Name Scan Evasion
  • Description: AntiVir is an anti-virus software package distributed by H+BEDV. It is reported to be vulnerable to an MS-DOS name scan evasion issue. The issue presents itself when malicious files are named after a reserved MS-DOS device name. AntiVir versions 6.28.00.03, 6.28.01.03 and 6.28.00.01 are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-10/0185.html

  • 04.42.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Protector Plus AntiVirus MS-DOS Name Scan Evasion
  • Description: Proland Software Protector Plus is anti-virus software. Protector Plus is vulnerable to a scan evasion issue when handling files with MS-DOS reserved device names. Proland Software Protector Plus 2000 version 7.2 F07 is known to be vulnerable.
  • Ref: http://secway.org/Advisory/Ad20041009.txt
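
Entries 04.42.5, 04.42.15 and 04.42.16 describe the same evasion: the scanner opens each file by name through the Win32 API, and a name such as CON or LPT1.virus.txt resolves to a device instead of the file, so the content is never read. The example below is added here and is not code from this bulletin or from any of the vendors named. It implements the classic Win32 reserved-name rule (broader than the three names the Twister entry lists) and the extended-length path form that makes CreateFile skip name parsing so the file itself is opened. The sample listing and the function names are assumptions; the logic only manipulates names, so it runs on any OS.

```python
import ntpath
from typing import Iterable, List, Tuple

# Names classic Win32 resolves to a device regardless of the directory they sit in.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)


def is_reserved_device_name(path: str) -> bool:
    """True when Win32 name parsing would open a device instead of the file.

    The classic rule (the Windows releases these 2004 advisories concern):
    take the final path component, drop trailing spaces and dots, keep what
    precedes the first dot, compare case-insensitively.  So CON, con.exe,
    LPT1.virus.txt and 'nul.' are all devices; COM10 and console.exe are not.
    Newer Windows builds have relaxed parts of this rule, so confirm on the
    target OS rather than trusting the table alone.
    """
    base = ntpath.basename(path).rstrip(" .")
    stem = base.split(".", 1)[0]
    return stem.upper() in RESERVED_DEVICE_NAMES


def scan_open_path(path: str) -> str:
    r"""Return the form of `path` a scanner should hand to CreateFile: the \\?\
    prefix disables Win32 name parsing, so 'C:\tmp\CON.exe' opens the file
    rather than the console.  The prefix is only valid on absolute drive paths."""
    if path.startswith("\\\\?\\"):
        return path
    drive, _ = ntpath.splitdrive(path)
    if not drive or not ntpath.isabs(path):
        raise ValueError(f"extended-length prefix needs an absolute drive path: {path!r}")
    return "\\\\?\\" + ntpath.normpath(path)


def evasion_candidates(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Files a name-based scanner would skip, paired with the path that opens them."""
    return [(p, scan_open_path(p)) for p in paths if is_reserved_device_name(p)]


# Constructed directory listing, of the kind a scanner would walk.
SAMPLE_LISTING = [
    "C:\\Users\\victim\\Downloads\\invoice.exe",
    "C:\\Users\\victim\\Downloads\\CON.exe",
    "C:\\Users\\victim\\Downloads\\lpt1.virus.scr",
    "C:\\Users\\victim\\Downloads\\COM10.txt",
    "C:\\Users\\victim\\Downloads\\console.log",
]

if __name__ == "__main__":
    for original, opener in evasion_candidates(SAMPLE_LISTING):
        print(f"{original} -> scan via {opener}")
```

The same test belongs in any tool that walks a Windows filesystem by name (backup agents, DLP crawlers, forensic collectors), not only in anti-virus scanners.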

  • 04.42.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: cPanel Front Page Extension Information Disclosure
  • Description: cPanel is a multi-platform web hosting control panel. It is reported to be vulnerable to an information disclosure issue. cPanel version 9.9.1-RELEASE-3 is reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-10/0167.html

  • 04.42.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Multiple Memory Corruption Vulnerabilities
  • Description: Multiple memory corruption vulnerabilities have been reported in Mozilla. These issues are related to malformed HTML involving the TEXTAREA, INPUT, FRAMESET, and IMG tags. Mozilla versions 1.0 through 1.8 are affected.
  • Ref: http://www.securityfocus.com/archive/1/378632

  • 04.42.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Memory Corruption
  • Description: Opera is reported to be vulnerable to a memory corruption issue. The issue presents itself when an excessive "COL SPAN" (column span) is specified in the "TBODY" (table body) tag. Currently all the Opera web browser versions are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/378632

  • 04.42.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Lynx Malformed HTML Infinite Loop Denial of Service
  • Description: The Lynx web browser is vulnerable to a denial of service condition while handling certain malformed HTML pages. This issue sends the software into an infinite loop, consuming CPU resources for the system.
  • Ref: http://www.securityfocus.com/archive/1/378632

  • 04.42.21 - CVE: CAN-2004-0932, CAN-2004-0933, CAN-2004-0934, CAN-2004-0935, CAN-2004-0936, CAN-2004-0937
  • Platform: Cross Platform
  • Title: Multiple Antivirus Vendors Zip File Evasion
  • Description: Multiple Vendor antivirus applications are reported vulnerable to a zip file detection evasion vulnerability. This vulnerability may allow maliciously crafted zip files to avoid being scanned and detected. This issue is reported to affect products offered by McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV. The latest antivirus products by Symantec, Bitdefender, Trend Micro and Panda are not vulnerable to this issue.
  • Ref: http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities&flashstatus=true
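
Item 2 in Part I and entry 04.42.21 describe the same evasion. The script below, an added example and not code from this bulletin or from any of the vendors named, reproduces it in miniature with a constructed payload: it builds a stored zip, zeroes the "compressed size" field in the member's local file header while leaving the central directory untouched, and then shows that a scanner which trusts the local header reads zero bytes, whereas an extractor driven by the central directory (Python's zipfile here, standing in for the Windows extractor) still recovers the payload. The last function is the cross-check a scanner wants: any member whose local-header size disagrees with the central directory is suspicious. It assumes no data-descriptor entries (general-purpose flag bit 3), where zero local sizes are legitimate and the real sizes follow the member data; the payload, signature and function names are assumptions.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# sig, version, flags, method, mtime, mdate, crc32, csize, usize, name_len, extra_len
LOCAL_HDR = "<4s5HIIIHH"
LOCAL_HDR_LEN = struct.calcsize(LOCAL_HDR)   # 30 bytes
CSIZE_OFFSET = 18                            # "compressed size" field inside the local header
FLAG_DATA_DESCRIPTOR = 1 << 3

# Constructed payload and the substring our toy scanner treats as a signature.
PAYLOAD = b"MZ constructed-test-payload-do-not-run"
SIGNATURE = b"constructed-test-payload"


def build_zip(name: str, payload: bytes) -> bytes:
    """Well-formed, stored (uncompressed) zip with one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def iter_local_headers(data: bytes):
    """Walk local file headers front to back, trusting each header's own size
    fields the way a streaming scanner does. Yields (offset, name, csize, data_start)."""
    off = 0
    while data[off:off + 4] == LOCAL_SIG:
        fields = struct.unpack_from(LOCAL_HDR, data, off)
        flags, csize, name_len, extra_len = fields[2], fields[7], fields[9], fields[10]
        if flags & FLAG_DATA_DESCRIPTOR:
            raise NotImplementedError("data-descriptor entries are outside this example")
        name = data[off + LOCAL_HDR_LEN: off + LOCAL_HDR_LEN + name_len].decode("cp437")
        data_start = off + LOCAL_HDR_LEN + name_len + extra_len
        yield off, name, csize, data_start
        # With csize forged to 0 the walker lands on the real payload, which is
        # not a header, so the scan simply ends having looked at nothing.
        off = data_start + csize


def zero_local_compressed_size(data: bytes, name: str) -> bytes:
    """Copy of `data` with the local-header compressed size of `name` set to 0.
    The central directory is untouched, so extractors that read it still work."""
    buf = bytearray(data)
    for off, entry, _, _ in iter_local_headers(data):
        if entry == name:
            struct.pack_into("<I", buf, off + CSIZE_OFFSET, 0)
            return bytes(buf)
    raise KeyError(name)


def header_trusting_scan(data: bytes, signature: bytes) -> bool:
    """Scanner that reads each member using the local header's size field."""
    return any(signature in data[start:start + csize]
               for _, _, csize, start in iter_local_headers(data))


def central_directory_scan(data: bytes, signature: bytes) -> bool:
    """Scanner that extracts through the central directory, as unzip tools do."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(signature in zf.read(info) for info in zf.infolist())


def header_mismatches(data: bytes) -> list:
    """Members whose local-header compressed size disagrees with the central
    directory: the cross-check that turns this evasion into a detection."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        central = {info.filename: info.compress_size for info in zf.infolist()}
    return [name for _, name, csize, _ in iter_local_headers(data)
            if central.get(name) != csize]


if __name__ == "__main__":
    original = build_zip("payload.exe", PAYLOAD)
    evasive = zero_local_compressed_size(original, "payload.exe")
    print("header-trusting scan, original  :", header_trusting_scan(original, SIGNATURE))
    print("header-trusting scan, evasive   :", header_trusting_scan(evasive, SIGNATURE))
    print("central-directory scan, evasive :", central_directory_scan(evasive, SIGNATURE))
    print("size mismatches, evasive        :", header_mismatches(evasive))
```

Run stand-alone it prints True, False, True and ['payload.exe']: the forged archive is the same length as the original and extracts identically, and only the cross-check between the two size sources exposes it. The same cross-check is worth applying to the uncompressed size and the CRC.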

  • 04.42.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Lotus Domino Cross-Site Scripting
  • Description: IBM Lotus Domino Server is vulnerable to a cross-site scripting vulnerability due to insufficient sanitization of user supplied data. Lotus Domino versions 6.5.2 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/378694

  • 04.42.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Tonecast Remote Denial of Service
  • Description: Vypress Tonecast is a streaming audio application. Insufficient sanity checks made while processing the audio stream exposes a denial of service condition in the application. Vypress Tonecast version 1.0 is affected.
  • Ref: http://aluigi.altervista.org/adv/toneboom-adv.txt

  • 04.42.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple J2ME Device Vulnerabilities
  • Description: Java 2, Micro Edition is a Java release for various embedded computing platforms and mobile devices. Multiple vulnerabilities exist in J2ME that can potentially affect various devices running J2ME. These vulnerabilities could be exploited by a malicious user to circumvent security measures of a device and take unauthorized actions.
  • Ref: http://www.securityfocus.com/archive/1/379117

  • 04.42.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: LANDesk Management Suite Denial of Service
  • Description: LANDesk Management Suite provides the automation of systems management tasks. It is reported to be vulnerable to a denial of service issue. LANDesk Management Suite version 8 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/11464/info/

  • 04.42.26 - CVE: CAN-2004-0955
  • Platform: Cross Platform
  • Title: LibPNG Image Height Integer Overflow
  • Description: LibPNG is the Portable Network Graphics (PNG) reference library. LibPNG is vulnerable to an integer overflow in the image height parameter. Debian has released a patch to fix this issue. The issue is fixed in version 1.0.12-3.woody.
  • Ref: http://www.debian.org/security/2004/dsa-570

  • 04.42.27 - CVE: CAN-2004-0891
  • Platform: Cross Platform
  • Title: Gaim MSN SLP Message Denial of Service
  • Description: Gaim is an instant messaging client. Insufficient sanity checks of MSN SLP messages expose a denial of service condition in the application. Gaim versions 0.x and 1.x are affected.
  • Ref: http://gaim.sourceforge.net/security/index.php?id=7

  • 04.42.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Veritas NetBackup Privilege Escalation
  • Description: Veritas NetBackup Java GUI is susceptible to an exploit which could allow a user to execute commands with root authority. Veritas has released a workaround.
  • Ref: http://www.debian.org/security/2004/dsa-570

  • 04.42.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Nortel Contivity VPN Client Certificate Check Failure
  • Description: Nortel Contivity VPN Client provides client functionality for accessing Contivity VPN gateways. It is vulnerable to a certificate check failure because a VPN connection is established before the user permits the connection through a gateway certificate validity pop-up dialog. This issue was reported for Nortel Contivity VPN Client version 4.91.
  • Ref: http://secunia.com/advisories/12881/

  • 04.42.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenSkat Multiple Unspecified Vulnerabilities
  • Description: OpenSkat is a cryptographically secure implementation of a card game called Skat. OpenSkat is reported prone to multiple unspecified issues related to non-interactive zero knowledge protocols. OpenSkat versions 1.1 through 1.9 are affected.
  • Ref: http://www.securityfocus.com/bid/11499

  • 04.42.31 - CVE: CAN-2004-0888, CAN-2004-0889
  • Platform: Cross Platform
  • Title: Xpdf Multiple Integer Overflow Vulnerabilities
  • Description: pdftops is a utility for Xpdf to convert pdf files to postscript. It is reported to be vulnerable to multiple integer overflow issues. The issues exist due to improper sanitization of user-supplied input.
  • Ref: http://secunia.com/advisories/12917/

  • 04.42.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Vendor Web Browser Phishing Vulnerabilities
  • Description: Web browsers from multiple vendors have been reported to be vulnerable to cross-domain window form field focus spoofing and cross-domain dialog box spoofing issues. The former allows the attacker's web page to access form fields of legitimate sites the user is browsing. The latter allows an attacker's web page to display a spoofed dialog box that seemingly comes from the trusted site. These issues can trick the user into providing sensitive content to the malicious web site, and thereby aid in phishing style attacks.
  • Ref: http://secunia.com/multiple_browsers_form_field_focus_test http://secunia.com/multiple_browsers_dialog_box_spoofing_test

  • 04.42.33 - CVE: Not Available
  • Platform: Web Application
  • Title: cPanel Installation File Ownership
  • Description: cPanel is a multi-platform web hosting control panel. cPanel is affected by a file ownership vulnerability allowing hackers full access to potentially sensitive files. cPanel version 9.4.1-RELEASE-64 is affected.
  • Ref: http://www.securityfocus.com/archive/1/378639

  • 04.42.34 - CVE: Not Available
  • Platform: Web Application
  • Title: cPanel Remote Backup Information Disclosure
  • Description: cPanel is a web hosting control panel system. Its remote backup function is vulnerable to an information disclosure issue allowing attackers to download a complete backup of the hosted environment. cPanel version 9.4.1-RELEASE-64 is known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/378638

  • 04.42.35 - CVE: Not Available
  • Platform: Web Application
  • Title: YaPiG Comment Field HTML Injection
  • Description: Yet Another PHP Image Gallery (YaPiG) is an image gallery application. Insufficient sanitization of the "Comment" field exposes a HTML injection issue. YaPiG 0.93u has been released to address this issue.
  • Ref: http://secunia.com/advisories/12858/

  • 04.42.36 - CVE: Not Available
  • Platform: Web Application
  • Title: CoolPHP Multiple Input Validation Vulnerabilities
  • Description: CoolPHP is a web-based portal system. Insufficient sanitization of user-supplied input exposes various cross-site scripting and remote execution issues. CoolPHP version 1.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/378617

  • 04.42.37 - CVE: Not Available
  • Platform: Web Application
  • Title: cabextract Remote Directory Traversal
  • Description: cabextract is a utility that extracts Microsoft cabinet files (.cab). Insufficient sanitization of "../" sequences exposes a directory traversal issue in the software. cabextract versions 1.0 and earlier are affected.
  • Ref: http://www.kyz.uklinux.net/cabextract.php#changes
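
Entries 04.42.7 (unarj) and 04.42.37 (cabextract) describe the same defect: the member name stored in the archive is used as an output path without rejecting ".." components. The example below, added here and not taken from either project, is the check an extractor wants before it writes anything: it treats both separators the DOS-era formats use, refuses drive letters, absolute names and any ".." component outright, and then confirms the resolved target still lies under the destination. The archive listing is constructed and the function names are assumptions.

```python
import ntpath
import os
from typing import Dict, Iterable, List, Tuple


class UnsafeMemberName(ValueError):
    """Raised for an archive member name that would land outside the target."""


def safe_extract_path(dest_dir: str, member: str) -> str:
    """Map an archive member name to a path guaranteed to lie under dest_dir.
    Both '/' and '\\' count as separators (ARJ and CAB carry backslashes);
    absolute names, drive letters, UNC prefixes and any '..' component are
    rejected rather than normalised away."""
    name = member.replace("\\", "/")
    if ntpath.splitdrive(name)[0] or name.startswith("/"):
        raise UnsafeMemberName(member)
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafeMemberName(member)
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, *parts))
    # Second line of defence: after symlink resolution the target must still sit under dest.
    if os.path.commonpath([dest, target]) != dest:
        raise UnsafeMemberName(member)
    return target


def extraction_plan(dest_dir: str, members: Iterable[str]) -> Tuple[Dict[str, str], List[str]]:
    """Partition an archive listing into members that may be written (with their
    resolved paths) and members that must be refused."""
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for member in members:
        try:
            accepted[member] = safe_extract_path(dest_dir, member)
        except UnsafeMemberName:
            rejected.append(member)
    return accepted, rejected


# Constructed archive listing mixing benign entries with the traversal shapes
# the unarj and cabextract reports describe.
ARCHIVE_LISTING = [
    "docs/readme.txt",
    "bin/./tool",
    "../../etc/passwd",
    "..\\..\\Windows\\win.ini",
    "C:\\autoexec.bat",
    "/etc/cron.d/job",
]

if __name__ == "__main__":
    ok, bad = extraction_plan("/tmp/unpack", ARCHIVE_LISTING)
    for member, path in ok.items():
        print(f"extract {member!r} -> {path}")
    for member in bad:
        print(f"refuse  {member!r}")
```

Rejecting every ".." rather than only those that escape is deliberate: a legitimate archive has no reason to contain one, and refusing them removes the need to reason about normalisation order.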

  • 04.42.38 - CVE: Not Available
  • Platform: Web Application
  • Title: Jebuch HTML Injection
  • Description: Jan Erdmann Jebuch is a guest book application. Jebuch is vulnerable to an HTML injection issue due to insufficient sanitization of user-supplied data in the "eintragen.php3" script. Jebuch version 1.0 is known to be vulnerable.
  • Ref: http://www.securitytracker.com/alerts/2004/Oct/1011774.html

  • 04.42.39 - CVE: Not Available
  • Platform: Web Application
  • Title: MediaWiki Title.php Cross-Site Scripting
  • Description: MediaWiki is editing software designed to run Wikipedia. It is vulnerable to a cross-site scripting issue due to insufficient user data sanitization. MediaWiki versions 1.3.6 and prior are affected by this vulnerability.
  • Ref: http://sourceforge.net/project/shownotes.php?group_id=34373&release_id=275934

  • 04.42.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Coppermine Photo Gallery Voting Restriction Failure
  • Description: Coppermine Photo Gallery is a web-based application implemented in PHP. It has a design flaw which allows users to cast multiple votes for a picture by disabling cookies in their browser. All versions of Coppermine Photo Gallery are considered vulnerable.
  • Ref: http://sourceforge.net/projects/coppermine/

  • 04.42.41 - CVE: Not Available
  • Platform: Web Application
  • Title: Serendipity Undisclosed HTTP Response Splitting
  • Description: Serendipity is web blog software. It is reported to be vulnerable to an undisclosed HTTP response splitting issue. Serendipity 0.7-beta4 and prior versions are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/12909/

  • 04.42.42 - CVE: Not Available
  • Platform: Network Device
  • Title: 3Com OfficeConnect Router Authentication Bypass
  • Description: 3Com OfficeConnect ADSL Wireless 11g Firewall Router is a wireless network access point, modem and router. Its administrative interface authenticates clients based solely on their IP address; worse, on a failed login attempt it reports the IP address of the currently authenticated administrator. An attacker can therefore spoof that IP address and gain administrative access to the router.
  • Ref: http://www.securityfocus.com/bid/11438/info/

(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization. To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters. To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.