I. FRONT AND CENTER
1. Automating Windows Patch Mngt: Part II
2. Knock, Knock, Knock
II. BUGTRAQ SUMMARY
1. JelSoft VBulletin Search.PHP Cross-Site Scripting Vulnerabil...
2. Sami FTP Server Multiple Denial Of Service Vulnerabilities
3. Microsoft Internet Explorer Unspecified CHM File Processing ...
4. Multiple ASP Portal Vulnerabilities
5. Microsoft IIS Unspecified Remote Denial Of Service Vulnerabi...
6. Paul Daniels SignatureDB sdbscan Local Buffer Overflow Vulne...
7. Symantec AntiVirus Scan Engine For Red Hat Linux Insecure Te...
8. Microsoft Internet Explorer Bitmap Processing Integer Overfl...
9. Voice Of Web AllMyPHP Remote File Include Vulnerabilities
10. Computer Associates eTrust Antivirus Malicious Code Detectio...
11. ACLogic CesarFTP Remote Resource Exhaustion Vulnerability
12. mnoGoSearch UdmDocToTextBuf Buffer Overflow Vulnerability
13. XLight FTP Server Remote Send File Request Denial Of Service...
14. EarlyImpact ProductCart Multiple Vulnerabilities
15. ShopCartCGI Remote File Disclosure Vulnerability
16. Freeform Interactive Purge/Purge Jihad Game Client Remote Bu...
17. RobotFTP Server Username Buffer Overflow Vulnerability
18. Microsoft Outlook Express Arbitrary Program Execution Vulner...
19. YABB SE Quote Parameter SQL Injection Vulnerability
20. RhinoSoft Serv-U FTP Server SITE CHMOD Buffer Overflow Vulne...
21. Ecommerce Corporation Online Store Kit More.PHP Multiple Vul...
22. YaBB Information Leakage Weakness
23. Vizer Web Server Remote Denial of Service Vulnerability
24. KarjaSoft Sami HTTP Server GET Request Buffer Overflow Vulne...
25. TransSoft Broker FTP Server Denial of Service Vulnerabilitie...
26. APC SmartSlot Web/SNMP Management Card Default Password Vuln...
27. Ipswitch IMail Server Remote LDAP Daemon Buffer Overflow Vul...
28. Snort Signature Mislabeling Weakness
29. SmallFTPD Remote Denial Of Service Vulnerability
30. Microsoft Windows XP Help And Support Center Interface Spoof...
31. Linux Kernel do_mremap Function VMA Limit Local Privilege Es...
32. Ecommerce Corporation Online Store Kit Multiple SQL Injectio...
33. Linksys WAP55AG SNMP Community String Insecure Configuration...
34. Owl's Workshop Multiple Remote File Disclosure Vulnerabiliti...
35. Linux Kernel Vicam USB Driver Userspace/Kernel Memory Copyin...
36. Linux Kernel NCPFS ncp_lookup() Unspecified Local Privilege ...
37. Metamail Multiple Buffer Overflow/Format String Handling Vul...
38. WebCortex WebStores2000 Error.ASP Cross-Site Scripting Vulne...
39. Microsoft Windows NtSystemDebugControl() Kernel API Function...
40. Linux Kernel execve() Malformed ELF File Unspecified Local D...
41. Zone Labs ZoneAlarm SMTP Remote Buffer Overflow Vulnerabilit...
42. PunkBuster Database Remote SQL Injection Vulnerability
43. AOL Instant Messenger Buddy Icon Predictable File Location W...
44. Cisco ONS Platform Vulnerabilities
45. LiveJournal HTML Injection Vulnerability
III. SECURITYFOCUS NEWS ARTICLES
1. U.S. info-sharing program draws fire
2. Exploit based on leaked Windows code released
3. Software Bug Contributed to Blackout
4. E-crime costs UK business billions
5. Firewall VPN sales soar
6. Sex, drugs and cans of spam
IV. SECURITYFOCUS TOP 6 TOOLS
1. Yet Another antiVirus Recipe v1.9.4
2. GeneSyS v1.0
3. aNTG v2.1
4. Openwall Linux kernel patch v2.4.25-ow1
5. BBclone v0.33.5p3
6. Zabbix v1.0beta14 (dev)
V. SECURITYJOBS LIST SUMMARY
1. Principal Engineer, Tactical Communications Radio IN... (Thread)
2. kernel and compiler opportunity (Thread)
3. MICROSOFT GENERAL MANAGER-IT SECURITY FOR MICROSOFT#... (Thread)
4. Security Response Engineer - Dublin, Ireland (Thread)
5. SE - Midwest (Chicago) based (Thread)
6. SE - Metro DC based (Thread)
7. Windows 2000 PKI Specialist (Thread)
8. NYC/Security Engineer/Financial Services/100K+ (Thread)
9. Manager IT Audit Services- Ft. Worth, TX (Thread)
10. VP Engineering Need - Network Security (Thread)
11. Seeking IP Engineer with solid security background (Thread)
12. Director Quality Assurance Silicon Valley (Thread)
13. National Account Manger (Service Provider)-Boston (Thread)
14. CISSP +6 years of experience with infosec/advanced s... (Thread)
15. IT Security Administrator vacancy (Thread)
16. RSA Conference 2004 (Thread)
17. Technical IT Security Architects/Consultants, London... (Thread)
18. How much weight should be placed in googling a poten... (Thread)
19. Google for researching new hires - Thread is dead (Thread)
20. Security Solutions Engineer - NY Metro (Thread)
21. LURHQ looking for Business Development Managers in C... (Thread)
22. Ref: Security Engineer With DITSCAP Experience (Thread)
23. Application Security Architect (Thread)
24. NYC / Director Network Security (Thread)
25. Project Management Officer - Security, London UK (Thread)
26. Manager, IT Security Transformation Project, London ... (Thread)
27. Sr. Consultant (Audit)- Kansas City (Thread)
28. Ethical Hacker/Senior Network Security R&D Engineer (Thread)
29. Fw: Technical Security Manager seeking new opportun... (Thread)
30. Wash. DC. - Computer Security Analyst-Secret Clearan... (Thread)
31. Repost - NJ - Check Point NG Firewall Systems Engine... (Thread)
32. Seeking Employment (Thread)
33. 2nd Position/New Requirements! Software Engineer at ... (Thread)
34. Sales Engineering Jobs (CISSP) (Thread)
35. Software Development Engineer at Sourcefire - Columb... (Thread)
36. SW Vulnerability Detection Engineer Silicon Valley ... (Thread)
37. New Position: Intrusion Prevention Expert - Security... (Thread)
38. USC student seeking a job. (Thread)
39. Security Software Sales Manager (New York, NY) (Thread)
40. Vulnerabilty Detction/Analysis Engineer (Thread)
41. Resume: Colorado CISSP, Telecomm/Linux background, A... (Thread)
42. Information Assurance Engineers Needed Immediately!!... (Thread)
43. Vice President of Marketing NJ (Thread)
VI. INCIDENTS LIST SUMMARY
1. OpenSSH anomaly (Thread)
2. buddylinks worm (Thread)
3. Something new? bind dos? exploit? (Thread)
4. New virus: Alua! (Bagle.B) (Thread)
5. WebDav Worm? (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
1. Help, problems finding addresses with format strings (Thread)
2. Messenger Pro 3 from Clickatell.{Allows you to spoof... (Thread)
3. Serv-U 4.1 Memory Corruption / Whatever (Thread)
4. iis 5 %00 null weirdness (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
1. Controlling Admin Access (Thread)
2. Preventing OS Detection (Thread)
3. SecurityFocus Microsoft Newsletter #176 (Thread)
4. PPTP versus L2TP and possible attacks (Thread)
IX. SUN FOCUS LIST SUMMARY
1. Hearing the truth?? (Thread)
2. Assigning host route to loopback (Thread)
3. Limit NFS on network adapter (Thread)
X. LINUX FOCUS LIST SUMMARY
1. how to change OS idenfication? (Thread)
XI. UNSUBSCRIBE INSTRUCTIONS
I. FRONT AND CENTER
-------------------
1. Automating Windows Patch Mngt: Part II
By Jonathan Hassell
In this segment of the Windows Patch Management series, you'll learn what happens on the client computers when SUS is active, how to monitor the client's patching activities, and how to fix or work around some common problems.
hxxp://www.securityfocus.com/infocus/1762
2. Knock, Knock, Knock
By Kelly Martin
If hundreds of thousands of people are still blindly clicking on attachments in their email, is there any hope of mitigating the threat of hundreds of thousands of compromised systems with open backdoors?
hxxp://www.securityfocus.com/columnists/221
II. BUGTRAQ SUMMARY
-------------------
1. JelSoft VBulletin Search.PHP Cross-Site Scripting Vulnerabil...
BugTraq ID: 9656
Remote: Yes
Date Published: Feb 13 2004
Relevant URL:
hxxp://www.securityfocus.com/bid/9656
Summary:
VBulletin is a commercially available web based bulletin board application. It is implemented in PHP and may be run on Unix and Unix-like operating systems as well as Windows.
It has been reported that VBulletin is prone to a cross-site scripting vulnerability in the 'search.php' script. This issue is reportedly due to a failure to sanitize user input, which allows HTML and script code to pass through and may facilitate cross-site scripting attacks.
This issue is reported to affect the 'query' parameter of the 'search.php' script, which is passed through a URI.
This could permit a remote attacker to create a malicious link to the vulnerable application that includes hostile HTML and script code. If this link were followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the web server and may allow for theft of cookie-based authentication credentials or other attacks.
This issue is reported to affect version 3.0.0 release candidate 4; however, it may affect previous versions of the software as well.
2. Sami FTP Server Multiple Denial Of Service Vulnerabilities
BugTraq ID: 9657
Remote: Yes
Date Published: Feb 13 2004
Relevant URL:
hxxp://www.securityfocus.com/bid/9657
Summary:
Sami FTP Server is an FTP server solution for Microsoft Windows platforms.
Sami FTP Server has been reported prone to multiple remote denial of service vulnerabilities. It has been reported that an attacker who has sufficient credentials to access a vulnerable server, may cause the pmsystem.exe executable to raise a fatal exception by making unexpected FTP requests.
The following requests will trigger an exception in the affected server, causing the software to fail:
cd ~
cd /../
get %Filename that does not exist%
ftp://user:pass@ftp.example.com////
A remote attacker may exploit these vulnerabilities to deny service to legitimate users of the FTP server.
3. Microsoft Internet Explorer Unspecified CHM File Processing ...
BugTraq ID: 9658
Remote: Yes
Date Published: Feb 13 2004
Relevant URL:
hxxp://www.securityfocus.com/bid/9658
Summary:
Microsoft Internet Explorer has been reported prone to an unspecified vulnerability when handling CHM files. The issue is reportedly exploitable to provide for automatic delivery and execution of an arbitrary executable. This would occur when malicious web content is rendered in Internet Explorer.
The issue is believed to be a variant of the vulnerabilities described in BID 9107 (Microsoft Internet Explorer Browser MHTML Redirection Local File Parsing Vulnerability) and BID 9105 (Microsoft Internet Explorer MHTML Forced File Execution Vulnerability); in this case, however, MHTML redirection occurs through the MS-ITS InfoTech Protocol. The vulnerability is reportedly exploited with the following syntax:
It is conjectured that this could be used to cause a hostile CHM file to be executed in the context of the Local Zone on a client system.
It has been reported that this vulnerability is actively being exploited as an infection vector for malicious code that has been temporarily dubbed 'Ibiza'.
According to new information, by employing a malformed CLSID parameter this vulnerability may allow malicious applications to be downloaded without user intervention.
4. Multiple ASP Portal Vulnerabilities
BugTraq ID: 9659
Remote: Yes
Date Published: Feb 14 2004
Relevant URL:
hxxp://www.securityfocus.com/bid/9659
Summary:
ASP Portal is a web portal system implemented in ASP. ASP Portal has been reported to be prone to multiple vulnerabilities.
The first issue results from a lack of sufficient sanitization performed on user supplied data that is later incorporated into dynamic content. An attacker may reportedly inject HTML code into the ASP Portal details page by supplying JavaScript and HTML code as the value for the "Photograph URI" form field in a user's details page. An attacker may exploit this vulnerability to potentially have arbitrary HTML or script code executed in the browser of an unsuspecting user when a vulnerable region of the site is viewed.
The second issue also results from a lack of sufficient sanitization, performed on the 'inc', 'inc=profile&searchtext' and 'inc=forumread&article=' URI parameters. It has been reported that an attacker may craft a link to the ASP Portal 'index.asp' page, passing script code and HTML content as the value for the 'inc', 'inc=profile&searchtext' or 'inc=forumread&article=' URI parameters. This malicious code will be executed in the browser of a user who follows the link, in the context of the vulnerable site.
The third vulnerability again results from a lack of sufficient sanitization. When collecting user-supplied data that will be later incorporated into an SQL query statement, the software fails to filter certain control characters. An attacker may provide SQL statements as a value for the 'inc=blog&pageid' and 'inc=downloadssub&downloadscat' URI parameters that are passed to the 'index.asp' script. As a result of this issue an attacker may be able to modify the logic and structure of database queries. This may provide for other attacks, such as gaining access to sensitive information.
The fourth vulnerability again results from a lack of sufficient sanitization. When collecting user-supplied data from the 'thenick' cookie parameter that will be later incorporated into an SQL query statement, the software fails to filter certain control characters. An attacker may provide SQL statements as a value for the 'thenick' cookie parameter. As a result of this issue an attacker may be able to modify the logic and structure of database queries. This may provide for other attacks, such as gaining access to sensitive information.
Finally a vulnerability in the methods used to store session cookies has been reported. The issue presents itself due to the 'thenick' parameter associated with the current session being stored in plaintext format. An attacker may modify the 'thenick' parameter so that it reads 'Admin', and may thereby elevate session privileges.
5. Microsoft IIS Unspecified Remote Denial Of Service Vulnerabi...
BugTraq ID: 9660
Remote: Yes
Date Published: Feb 14 2004
Relevant URL:
hxxp://www.securityfocus.com/bid/9660
Summary:
Microsoft IIS is a web server implementation for Microsoft Windows systems.
Microsoft IIS has been reported prone to a remote denial of service vulnerability. It has been reported that an exploit developed as a proof-of-concept for the issues described in BID 8732 (OpenSSL ASN.1 Parsing Vulnerabilities), when invoked against Microsoft IIS 5.0, will trigger a denial of service. Specifically, when processing the exploit data, LSASS.EXE reportedly consumes system memory resources in an exponential manner until it finally fails.
Although unconfirmed this issue may be related to the issues described in BID 9633 (Microsoft ASN.1 Library Length Integer Mishandling Memory Corruption Vulnerability) and BID 9635 (Microsoft Windows ASN.1 Library Bit String Processing Integer Handling Vulnerability).
An attacker may potentially exploit this condition to deny HTTPS service to legitimate users.
This issue is reported to affect Microsoft Windows 2000 Server (Korean Release) + IIS 5.0; other versions might also be affected.
This BID will be updated as further analysis of this issue is completed.
6. Paul Daniels SignatureDB sdbscan Local Buffer Overflow Vulne...
BugTraq ID: 9661
Remote: No
Date Published: Feb 16 2004
Relevant URL:
hxxp://www.securityfocus.com/bid/9661
Summary:
SignatureDB is a signature database used to provide signatures/fingerprints of common annoying emails/files, not specifically viruses. SignatureDB is composed of two components, a signature database and a signatureID (sdbscan) program, used to scan files.
The SignatureDB 'sdbscan' program has been reported to be prone to a local buffer overflow vulnerability. The condition is present due to insufficient boundary checking. The issue may be exploited by supplying an excessive value for the 'key' parameter in the 'ringsearch.c' file. It has been reported that an attacker can specify a configuration file containing an excessively long path for the database file to be used by the 'sdbscan' program. This path to the file is used by the 'ringsearch.c' file via the 'key' parameter. Immediate consequences of an attack may result in a denial of service condition.
A local attacker may leverage the issue by exploiting an unbounded memory copy operation to overwrite the saved return address/base pointer, causing the affected procedures to return to an address of their choice. Successful exploitation may allow an attacker to ultimately execute arbitrary code in the context of the affected application.
7. Symantec AntiVirus Scan Engine For Red Hat Linux Insecure Te...
BugTraq ID: 9662
Remote: No
Date Published: Feb 16 2004
Relevant URL:
hxxp://www.securityfocus.com/bid/9662
Summary:
Multiple issues related to insecure creation of temporary files were reported in Symantec AntiVirus Scan Engine for Red Hat Linux. These issues are exposed during installation and prior to the software being run for the first time.
The following specific issues were reported:
Log files for LiveUpdate are created in /tmp using a predictable name (LiveUpdate.log) by default when the software is first run. If a malicious local user were to create a symbolic link that was named after the temporary file, then it would be possible to corrupt a file pointed to by the symbolic link when LiveUpdate is first run. LiveUpdate would typically be run as the 'symantec' user but could also be run as root under some circumstances.
Various temporary directories are also created with predictable names during the software installation. In particular, one directory is created using the PID, for example: symcinstXXXX (where XXXX equals the process ID). Another directory will also be created in /tmp using a static name (savsetmp).
A temporary directory (with a name derived from the current Unix time) created by LiveUpdate will be given world-writable permissions when it is created.
These issues could potentially allow malicious local users to corrupt files in the context of the user invoking the software, most likely resulting in a denial of service or loss of data.
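The two creation patterns behind the LiveUpdate issues above, side by side: an open of a fixed, guessable name that follows a pre-planted symbolic link, and the exclusive, non-following open plus mkdtemp that avoid both the symlink and the world-writable directory problem. This is an added illustration, not Symantec's code; the file names and contents are constructed, and everything runs inside a private scratch directory.

```python
import os
import tempfile

LOG_LINE = b"LiveUpdate started\n"


def predictable_log_open(path):
    """The pattern the advisory describes: a fixed, guessable name such as
    /tmp/LiveUpdate.log opened for writing with O_CREAT but without O_EXCL.
    If a symlink already sits at that name, the open follows it and the
    write lands in whatever file the link points at."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    try:
        os.write(fd, LOG_LINE)
    finally:
        os.close(fd)


def exclusive_log_open(path):
    """Hardened variant: O_EXCL makes the open fail if anything, including a
    symlink, already occupies the name, and O_NOFOLLOW (where the platform
    has it) refuses to traverse a symlink at the final path component.
    Mode 0o600 keeps the log private to the invoking user."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, LOG_LINE)
    finally:
        os.close(fd)


def private_workdir():
    """Replacement for a world-writable, time-derived directory name under
    /tmp: mkdtemp picks an unpredictable name and creates it mode 0700.
    Returns (path, permission bits as an octal string)."""
    path = tempfile.mkdtemp(prefix="savsetmp-")
    return path, oct(os.stat(path).st_mode & 0o777)


def demonstrate():
    """Constructed scenario in a scratch directory. Returns
    (victim_file_clobbered_by_predictable_open, exclusive_open_refused)."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim.conf")
    with open(victim, "w") as fh:
        fh.write("keep=me\n")
    # A link that was placed at the predictable name before the software ran.
    link = os.path.join(base, "LiveUpdate.log")
    os.symlink(victim, link)

    predictable_log_open(link)
    with open(victim, "rb") as fh:
        clobbered = fh.read() != b"keep=me\n"

    try:
        exclusive_log_open(link)
        refused = False
    except OSError:  # EEXIST (or ELOOP) from O_EXCL / O_NOFOLLOW
        refused = True
    return clobbered, refused
```

Run on a POSIX system; the first value shows the victim file rewritten through the link, the second that the exclusive open never touched it.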
8. Microsoft Internet Explorer Bitmap Processing Integer Overfl...
BugTraq ID: 9663
Remote: Yes
Date Published: Feb 16 2004
Relevant URL:
hxxp://www.securityfocus.com/bid/9663
Summary:
Microsoft Internet Explorer has been reported prone to an integer overflow vulnerability. The issue presents itself in bitmap file processing procedures and is due to the use of a signed integer employed during boundary checking routines.
An attacker may reportedly create a malicious bitmap that is crafted in a manner to cause the affected integer to wrap to a negative value when the malicious bitmap file is processed. When this integer is later used in a procedure to read data into a 1024 byte buffer, the procedure may read excessive data into the buffer, resulting in a stack buffer overflow. Ultimately an attacker may exploit this condition to corrupt a saved instruction pointer or stack frame base pointer, to influence execution flow of the affected browser into attacker-supplied instructions.
This vulnerability has been reported to affect Internet Explorer version 5, other versions may also be affected. Internet Explorer version 6 is reported not vulnerable to this issue.
This issue could also be exposed via other software that uses Internet Explorer to render images, such as Outlook, though this has not been confirmed.
9. Voice Of Web AllMyPHP Remote File Include Vulnerabilities
BugTraq ID: 9664
Remote: Yes
Date Published: Feb 16 2004
Relevant URL:
hxxp://www.securityfocus.com/bid/9664
Summary:
The AllMyPHP family of products is a set of script template applications designed to be implemented within third party web applications. AllMyGuests is a web based guest book application, AllMyLinks is a web based menu application and AllMyVisitors is a hit counter application. All of the AllMyPHP family of products are developed in PHP and may be implemented on Unix and Unix-like platforms as well as Windows.
Reportedly AllMyGuests, AllMyLinks and AllMyVisitors are prone to a remote file include vulnerability. This issue is due to insufficient filtering of URI passed variables that are used in a 'require_once()' call.
Within the AllMyGuests application the issue revolves around the '$_AMGconfig[cfg_serverpath]' URI parameter of the 'info.inc.php' script. Within the AllMyLinks application the issue revolves around the '$_AMLconfig[cfg_serverpath]' URI parameter of the 'footer.inc.php' script. Within the AllMyVisitors application the issue revolves around the '$_AMVconfig[cfg_serverpath]' URI parameter of the 'info.inc.php' script.
In all cases the affected parameter is used, without prior sanitization, in a 'require_once()' function call. This may allow an attacker to include a malicious script in the vulnerable software. Upon successful exploitation of this issue, an attacker may be able to execute arbitrary commands on the affected system with the privileges of the web server. Other attacks may be possible as well.
10. Computer Associates eTrust Antivirus Malicious Code Detectio...
BugTraq ID: 9665
Remote: Yes
Date Published: Feb 16 2004
Relevant URL:
hxxp://www.securityfocus.com/bid/9665
Summary:
eTrust Antivirus is antivirus software that is maintained and distributed by Computer Associates.
A vulnerability has been reported to exist in the software that may allow malicious code to bypass scanning. The issue is reported to present itself when a ZIP archive containing a password-protected file is scanned. It has been reported that the software fails to scan any files once the password-protected file has been scanned. This issue may allow malicious code to bypass detection.
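To make the reported failure mode concrete, the following added example (not eTrust code) builds a small ZIP archive whose second member carries the "encrypted" general-purpose flag and runs two scanners over it: one that gives up at the first password-protected member, as the advisory describes, and one that records the member it cannot inspect and keeps scanning. The signature string and archive contents are constructed for the demonstration; Python's zipfile cannot write encrypted members, so the flag bit is patched into the bytes directly.

```python
import io
import struct
import zipfile

# Constructed stand-in for a detection signature; a real scanner has its own.
SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"
ENCRYPTED_FLAG = 0x0001  # bit 0 of the ZIP general-purpose flag field


def _mark_entry_encrypted(data, name):
    """Set the 'encrypted' flag on one member, in both its local file header
    (flag at offset 6, name length at 26, name at 30) and its central
    directory record (flag at offset 8, name length at 28, name at 46)."""
    target = name.encode()
    for sig, flag_off, nlen_off, name_off in (
        (b"PK\x03\x04", 6, 26, 30),
        (b"PK\x01\x02", 8, 28, 46),
    ):
        pos = data.find(sig)
        while pos >= 0:
            nlen = struct.unpack_from("<H", data, pos + nlen_off)[0]
            if data[pos + name_off:pos + name_off + nlen] == target:
                flags = struct.unpack_from("<H", data, pos + flag_off)[0]
                struct.pack_into("<H", data, pos + flag_off, flags | ENCRYPTED_FLAG)
            pos = data.find(sig, pos + 4)
    return data


def build_sample_archive():
    """Constructed archive: a harmless file, then a member flagged as
    password-protected, then a member carrying the signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"nothing to see here")
        zf.writestr("locked.bin", b"opaque bytes")
        zf.writestr("payload.exe", b"MZ" + SIGNATURE)
    return bytes(_mark_entry_encrypted(bytearray(buf.getvalue()), "locked.bin"))


def scan_stop_at_encrypted(archive):
    """Behaviour the advisory reports: scanning stops at the first
    password-protected member, so anything after it is never inspected."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            try:
                content = zf.read(info)
            except RuntimeError:  # zipfile: "is encrypted, password required"
                return hits
            if SIGNATURE in content:
                hits.append(info.filename)
    return hits


def scan_continue_past_encrypted(archive):
    """Hardened scanner: check the flag before reading, record the member it
    could not inspect so policy can act on it, and keep going.
    Returns (hits, uninspected)."""
    hits, uninspected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED_FLAG:
                uninspected.append(info.filename)
                continue
            if SIGNATURE in zf.read(info):
                hits.append(info.filename)
    return hits, uninspected
```

The first scanner returns no hits for this archive even though the third member matches; the second returns the hit and names the member that was skipped, which is what a gateway should log or quarantine.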
11. ACLogic CesarFTP Remote Resource Exhaustion Vulnerability
BugTraq ID: 9666
Remote: Yes
Date Published: Feb 16 2004
Relevant URL:
hxxp://www.securityfocus.com/bid/9666
Summary:
CesarFTP is a freely available FTP server application built for the Windows platform.
It has been reported that CesarFTP is prone to a remote resource exhaustion vulnerability. This issue is due to the application failing to properly validate user input.
The problem revolves around the buffer allocated to contain the directory request string supplied by the user. An authenticated user supplying a string that is excessively long may cause the server to hang due to CPU resource exhaustion. This will leave the server unable to service other requests, thereby denying access to legitimate users.
Successful exploitation of this issue may cause the affected server to hang, denying service to legitimate users. It has been conjectured that this issue may be due to a boundary management problem that may lead to arbitrary code execution, however this has yet to be verified.
This issue has been reported to affect version 0.99e of the software, however earlier versions may be affected as well.
12. mnoGoSearch UdmDocToTextBuf Buffer Overflow Vulnerability
BugTraq ID: 9667
Remote: Yes
Date Published: Feb 16 2004
Relevant URL:
hxxp://www.securityfocus.com/bid/9667
Summary:
mnoGoSearch is multi-platform web search engine software for Intranet and Internet servers. mnoGoSearch stores every document that is indexed, by splitting the document into four sections and storing these sections in a database. When this content is retrieved, a function concatenates all of the sections and presents it to the client.
The function UdmDocToTextBuf() used to concatenate the sections has been reported prone to a buffer overflow condition. The issue exists due to a lack of sufficient boundary checks performed before copying concatenated data into a reserved stack based buffer.
A remote attacker may exploit this condition by indexing a malicious document large enough to trigger this issue, and then making a request for that same document. When the sections of this document are processed, data that exceeds the size of the reserved buffer in stack-based memory may be written past the end of the buffer, corrupting adjacent memory. If memory adjacent to this buffer contains saved values that are crucial to controlling execution flow of the affected service, the attacker may replace these values with attacker supplied values, ultimately influencing execution flow into attacker-controlled memory. This may lead to the execution of attacker-supplied instructions in the context of the vulnerable mnoGoSearch server.
13. XLight FTP Server Remote Send File Request Denial Of Service...
BugTraq ID: 9668
Remote: Yes
Date Published: Feb 16 2004
Relevant URL:
hxxp://www.securityfocus.com/bid/9668
Summary:
XLight FTP server is a commercially available FTP server application built for the Windows platform.
A remote denial of service vulnerability has been reported to exist in the Send File Request functionality of the XLight FTP server. Due to this issue a remote attacker may be able to cause the affected server to crash, denying service to legitimate users. This issue is due to insufficient bounds checking.
This issue presents itself when an attacker submits a send file request whose directory argument is a specially crafted, excessively long string. When the request is submitted the process will request authentication; once sufficient credentials are supplied, the server process will crash.
It is conjectured that, however implausible, this could be a boundary condition error with the potential for exploitation. However, no conclusive proof exists.
Although this issue has been reported to affect version 1.52 of the software, it is likely that it affects previous versions as well.
14. EarlyImpact ProductCart Multiple Vulnerabilities
BugTraq ID: 9669
Remote: Yes
Date Published: Feb 16 2004
Relevant URL:
hxxp://www.securityfocus.com/bid/9669
Summary:
EarlyImpact ProductCart is e-commerce software that is implemented in ASP and available for Microsoft Windows systems.
EarlyImpact ProductCart is reportedly prone to multiple vulnerabilities. The specific issues include SQL injection, cross-site scripting and cryptographic weaknesses. These issues could expose sensitive data such as user credentials and allow for execution of hostile script code and HTML. These issues could allow for full compromise of the software.
The following specific issues were reported:
A cryptographic weakness in the user credential encryption routines was reported. In particular, the keystream used for the stream cipher is prone to a chosen plaintext attack. Credentials are encrypted (and decrypted) using a bitwise XOR operation between the keystream and the plaintext or ciphertext (depending on whether the data is being encrypted or decrypted). If the keystream can be determined, then it is trivial to decrypt credentials for customers and administrators of the software. The attacker would of course be required to have prior access to this data, but this may be accomplished through exploitation of the SQL injection vulnerability described below.
An SQL injection vulnerability has been reported in the advSearch_h.asp script. Data supplied via URI parameters to this script will be used directly in SQL queries without adequate input validation. This could allow for various attacks, such as disclosing encrypted user credentials (which could be decrypted via the previously mentioned cryptographic weakness). Other attacks are also possible.
A cross-site scripting issue was reported in the Custva.asp script. Input supplied to the 'redirectUrl' URI parameter will be included in dynamically generated pages without adequate sanitization of HTML and script code. An attacker could exploit this issue by embedding hostile HTML and script code via this parameter in a malicious link. If an unsuspecting user follows this link, the attacker-supplied code may be rendered in the web browser in the security context of the site. This could be exploited to steal cookie-based authentication credentials or to mount other attacks.
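Why the XOR scheme described for ProductCart's credential storage gives no confidentiality once a single plaintext is known: with c = p XOR k and the same k reused for every record, one known (p, c) pair yields k for as many bytes as that plaintext is long, and every other record under that k then decrypts. This is an added illustration, not ProductCart's code; DEMO_KEYSTREAM and the two credentials are constructed values.

```python
# Constructed stand-in for the application's fixed keystream; the real value
# is not known here and does not matter for the point being demonstrated.
DEMO_KEYSTREAM = bytes((i * 73 + 41) & 0xFF for i in range(32))


def xor_bytes(a, b):
    """Byte-wise XOR, truncated to the shorter of the two inputs."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_credential(plaintext, keystream=DEMO_KEYSTREAM):
    """The scheme the advisory describes: plaintext XOR keystream, with the
    same keystream reused for every stored credential. Decryption is the
    identical operation, so this function serves for both directions."""
    if len(plaintext) > len(keystream):
        raise ValueError("credential longer than keystream")
    return xor_bytes(plaintext, keystream)


def recover_keystream(known_plaintext, its_ciphertext):
    """Because c = p XOR k, one known (p, c) pair gives k for len(p) bytes.
    A chosen plaintext (a password picked when registering an ordinary
    account) is enough; its ciphertext is what the database holds."""
    return xor_bytes(known_plaintext, its_ciphertext)


def decrypt_with_recovered(ciphertext, recovered):
    """Any other record encrypted under the same keystream decrypts with the
    recovered prefix, provided the prefix is at least as long as the record."""
    if len(ciphertext) > len(recovered):
        raise ValueError(
            "recovered keystream covers only %d of %d bytes"
            % (len(recovered), len(ciphertext))
        )
    return xor_bytes(ciphertext, recovered)


def demonstrate():
    """Constructed scenario: a 24-byte password chosen at registration and
    another user's record, both stored under the shared keystream.
    Returns the other record decrypted."""
    chosen = b"KnownPassword-24bytes!!!"
    own_record = encrypt_credential(chosen)
    other_record = encrypt_credential(b"Admin-S3cret!")
    recovered = recover_keystream(chosen, own_record)
    return decrypt_with_recovered(other_record, recovered)
```

A keystream that is never reused would close this particular hole, but the durable fix is to store salted password hashes rather than anything reversible, so that a database disclosure such as the SQL injection below yields nothing that decrypts.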
15. ShopCartCGI Remote File Disclosure Vulnerability
BugTraq ID: 9670
Remote: Yes
Date Published: Feb 16 2004
Relevant URL:
hxxp://www.securityfocus.com/bid/9670
Summary:
ShopCartCGI is a commercially available collection of CGI scripts implemented using Perl and intended to form the foundation for a web based shopping cart application.
It has been reported that ShopCartCGI is prone to a remote file disclosure vulnerability. This issue is due to insufficient validation of user-supplied input passed via a URI parameter.
The problem revolves around the 'gotopage.cgi' and 'getindexpage.cgi' scripts. An attacker may be able to submit a request to the affected application while specifying the file to be viewed. The application fails to validate the location of the requested file and will display any files on the system, which are readable by the web server.
This issue has been reported to affect version 2.3 of the software, however it is possible that earlier versions are affected as well.
Upon successful exploitation of this issue an attacker may be able to gain access to sensitive system files, potentially facilitating further attacks.
16. Freeform Interactive Purge/Purge Jihad Game Client Remote Bu...
BugTraq ID: 9671
Remote: Yes
Date Published: Feb 16 2004
Relevant URL:
hxxp://www.securityfocus.com/bid/9671
Summary:
Purge and Purge Jihad are computer games distributed and maintained/developed by Freeform Interactive. They include features that allow users to game locally or across a network.
Purge and Purge Jihad game clients have been reported prone to a remotely exploitable buffer overflow condition.
The issue presents itself in the client network connection routines used by the client to negotiate a connection to a Purge/Purge Jihad game server, and is due to a lack of sufficient bounds checking performed on the battle type and map name parameters. Specifically, data up to 256 bytes may be supplied by an attacker as a value for one of the aforementioned fields. This data is copied into a buffer 64 bytes in size. A malicious server may exploit this condition to potentially corrupt sensitive process memory in the affected game client and ultimately execute arbitrary code with the privileges of the user who invoked the game.
The impact of the issue is exacerbated by the procedures used to connect to a remote game server. It has been reported that when the Multiplayer screen is launched in the game, the client will transmit a query packet to all of the game servers that are listed in the Master Server's list. The client will then await a reply from each of the servers. If a remote attacker can manage to place a malicious server into the Master Server's list, then every client that launches a multi-player game may potentially be exploited.
This vulnerability has been reported to affect Purge versions up to and including version 1.4.7 and Purge Jihad versions up to and including version 2.0.1.
17. RobotFTP Server Username Buffer Overflow Vulnerability
BugTraq ID: 9672
Remote: Yes
Date Published: Feb 16 2004
Relevant URL:
hxxp://www.securityfocus.com/bid/9672
Summary:
RobotFTP Server is an FTP Server for Microsoft Windows operating systems.
A vulnerability has been reported for RobotFTP Server. The problem likely occurs due to insufficient bounds checking when processing 'USER' command arguments of excessive length.
By modifying sensitive stack variables, an anonymous remote attacker may be capable of exploiting this issue to execute arbitrary code. This however has not been confirmed. Failed exploit attempts may result in a denial of service.
18. Microsoft Outlook Express Arbitrary Program Execution Vulner...
BugTraq ID: 9673
Remote: Yes
Date Published: Feb 16 2004
Relevant URL:
hxxp://www.securityfocus.com/bid/9673
Summary:
Microsoft Outlook Express uses Internet Explorer to render HTML e-mail and newsgroup messages by default. A vulnerability may exist in the software that may allow a remote attacker to execute arbitrary applications on a vulnerable system. This issue may be exploited by embedding an object in an HTML e-mail. It may be possible for an attacker to place a file in a known folder through other means and have it executed through this method.
Due to a lack of information, further details are not available at the moment. This BID will be updated as more information becomes available. This issue may be related to the vulnerability described as Microsoft Outlook and Outlook Express Arbitrary Program Execution Vulnerability (BID 6923).
19. YaBB SE Quote Parameter SQL Injection Vulnerability
BugTraq ID: 9674
Remote: Yes
Date Published: Feb 16 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9674
Summary:
YaBB SE is a freely available, open source port of Yet Another Bulletin Board (YaBB). It is available for Unix, Linux, and Microsoft operating systems.
A vulnerability in YaBB SE could make it possible for a remote user to launch SQL injection attacks.
It has been reported that the issue exists due to insufficient sanitizing of the 'quote' URI parameter, making it possible for a remote user to inject arbitrary SQL queries into the database used by YaBB SE. This could permit remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks.
Successful exploitation could result in compromise of YaBB SE, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
The proof of concept supplied in the report allows an attacker to obtain users' password hashes.
YaBB SE versions 1.5.4 and 1.5.5 have been reported to be affected by this issue, however, other versions could be affected as well.
20. RhinoSoft Serv-U FTP Server SITE CHMOD Buffer Overflow Vulne...
BugTraq ID: 9675
Remote: Yes
Date Published: Feb 16 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9675
Summary:
RhinoSoft Serv-U FTP Server is designed for use with Microsoft Windows operating systems.
RhinoSoft Serv-U FTP Server has been reported prone to a remote post-authentication buffer overflow vulnerability.
The vulnerability is reported to exist when a malicious filename argument is passed to the SITE CHMOD command. It has been reported that excessive data passed to the SITE CHMOD command in this manner will overrun the bounds of a reserved buffer in memory, ultimately corrupting the two least significant bytes of a saved pointer value with attacker-supplied values.
An attacker may potentially exploit this condition to control the location of a write within a somewhat limited range of memory. The immediate consequence may be a denial of service. Although unconfirmed, it may be possible for an attacker to leverage this condition to execute arbitrary code in the context of the affected service.
This issue is not dependent on write permission on the affected FTP server.
21. Ecommerce Corporation Online Store Kit More.PHP Multiple Vul...
BugTraq ID: 9676
Remote: Yes
Date Published: Feb 17 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9676
Summary:
Online Store Kit is a web based shopping cart application written in PHP.
Multiple vulnerabilities have been identified in the software due to improper sanitization of user-supplied input. The following specific issues have been reported:
A vulnerability in Online Store Kit could make it possible for a remote user to launch SQL injection attacks. It has been reported that the issue exists due to insufficient sanitizing of the 'id' URI parameter of the 'more.php' script. It is possible for a remote user to inject arbitrary SQL queries into the database used by Online Store Kit. This could permit remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks.
Successful exploitation could result in compromise of Online Store Kit, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
The 'id' parameter of the 'more.php' script has been reported to be prone to a cross-site scripting vulnerability as well. An attacker may exploit this vulnerability by creating a specially crafted URL that includes malicious HTML code as a value for the affected parameter. The malicious script code may be rendered in a user's browser upon visiting the link. This attack would occur in the security context of the affected site. Exploitation could allow for theft of cookie-based authentication credentials. Other attacks are also possible.
Online Store Kit version 3.0 has been reported to be prone to these issues.
22. YaBB Information Leakage Weakness
BugTraq ID: 9677
Remote: Yes
Date Published: Feb 17 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9677
Summary:
YaBB (Yet Another Bulletin Board) is freely available web forum software that is written in Perl. YaBB will run on most Unix/Linux variants, Mac OS, and Microsoft Windows platforms.
YaBB is prone to a weakness that may permit remote users to enumerate usernames. The cause of this issue is that YaBB returns different responses at login depending on whether a guessed username is valid. This information could aid in further attacks.
It should be noted that this issue would only present a security risk on installations that do not allow guests or anonymous web users to browse the forum, since on such installations remote users would not otherwise be privy to usernames. Otherwise this information would already be publicly accessible.
This issue was reported in YaBB 1 Gold - SP 1.3.1. Other versions may also be affected.
23. Vizer Web Server Remote Denial of Service Vulnerability
BugTraq ID: 9678
Remote: Yes
Date Published: Feb 17 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9678
Summary:
Vizer Web Server is an open source web server application written in Visual Basic.
It has been reported that Vizer Web Server is prone to a remote denial of service vulnerability. An attacker may exploit this issue to cause the affected server to crash, denying service to legitimate users. The issue presents itself when the server receives malformed HTTP GET requests with improper syntax. The server is unable to properly deal with these exceptional conditions and will therefore crash or hang.
It is also possible to crash the server by sending malformed HTTP GET requests containing excessively long string values. This could be a boundary condition error with the potential for exploitation; however, this has not been verified at the moment.
Vizer Web Server 1.9.1 has been reported to be affected by this issue.
24. KarjaSoft Sami HTTP Server GET Request Buffer Overflow Vulne...
BugTraq ID: 9679
Remote: Yes
Date Published: Feb 17 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9679
Summary:
KarjaSoft Sami HTTP Server is a web server available for the Windows operating system.
A vulnerability has been reported for Sami HTTP Server. The problem occurs due to insufficient bounds checking when handling GET requests. Specifically, making a GET request including approximately 4096 bytes of data will effectively overrun the bounds of the internal memory buffer used to store this request.
As a result, an attacker may be capable of corrupting sensitive data such as a return address and thereby controlling the execution flow of the program, ultimately allowing the execution of arbitrary code. The immediate consequence of exploitation may be a denial of service.
This vulnerability is said to affect Sami HTTP Server version 1.0.4; however, earlier versions may also be affected.
25. TransSoft Broker FTP Server Denial of Service Vulnerabilitie...
BugTraq ID: 9680
Remote: Yes
Date Published: Feb 17 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9680
Summary:
TransSoft Broker FTP Server is an FTP server for the Windows platform.
Multiple denial of service vulnerabilities have been identified in the software. These issues could allow an attacker to cause the server to crash or hang, effectively denying service to legitimate users.
It has been reported that it may be possible to cause an exceptional condition in TsFtpSrv.exe by establishing a connection to the Broker FTP Server's Message Server on TCP port 8701 and immediately disconnecting.
It is also possible to cause the server to crash or hang by exhausting CPU resources. This condition may be exploited by establishing and maintaining a connection to the server without sending any data afterwards. This issue may cause the server to consume a large amount of CPU time leading to a denial of service condition.
Broker FTP Server version 6.1.0.0 has been reported to be prone to these issues, however, other versions may be affected as well.
26. APC SmartSlot Web/SNMP Management Card Default Password Vuln...
BugTraq ID: 9681
Remote: Yes
Date Published: Feb 17 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9681
Summary:
APC SmartSlot Web/SNMP Management Card provides a remote administration solution for APC SmartSwitch and UPS products. APC SmartSlot Web/SNMP Management Card provides Serial Console, Telnet, HTTP, and SNMP access.
APC SmartSlot Web/SNMP Management Card has been reported prone to a default password vulnerability. This password is reportedly used during initial card configuration, prior to public distribution. It has been reported that an attacker may access any of the affected services, if they are available, by passing the case-sensitive password TENmanUFactOryPOWER to the authentication procedures, whether or not a valid username is supplied. Once authenticated, an attack scenario has been demonstrated in which an attacker may use memory enumeration to reveal stored plaintext authentication credentials.
The impact of this issue is greater if the same authentication credentials are used to access multiple hosts.
27. Ipswitch IMail Server Remote LDAP Daemon Buffer Overflow Vul...
BugTraq ID: 9682
Remote: Yes
Date Published: Feb 17 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9682
Summary:
Ipswitch IMail is an e-mail server that serves clients their mail via a web interface. It runs on Microsoft Windows operating systems. IMail ships with an LDAP daemon.
The Ipswitch LDAP daemon has been reported prone to a remote buffer overflow vulnerability. The vulnerability exists due to a lack of sufficient boundary checks performed on user-supplied LDAP tags. When attacker-supplied data containing large LDAP tags is processed by the affected service, a stack-based buffer overflow condition will be triggered. An attacker may exploit this condition to control variables that are used as an offset from the active stack frame pointer in a write operation as follows:
mov byte ptr [ebp+ecx+var_4], dl
Because the location of the write is controlled, the remote attacker may overwrite the Global Exception Handler to ultimately redirect the execution flow of the affected service into attacker-supplied instructions. The attacker's payload would be executed in the security context of the affected service.
28. Snort Signature Mislabeling Weakness
BugTraq ID: 9683
Remote: Yes
Date Published: Feb 17 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9683
Summary:
A weakness has been identified in Snort that may cause an analyst or the correlation engine to improperly identify a signature that was triggered by the IDS. This issue may lead to mischaracterization of potentially malicious network traffic, resulting in leaving the system vulnerable due to false assumptions.
It has been reported that, under unspecified circumstances, the application may incorrectly classify network traffic with a "MS-SQL Worm propagation attempt" label or other labels. This could present a security risk in a situation where many false positives for MS-SQL Worm propagation (or other mislabeled alerts) are generated: misreported traffic may be mistakenly dismissed as innocuous unless it is inspected thoroughly by some other means, such as manual examination of packets.
Snort versions 2.0.6 and 2.1.0 have been reported to be prone to this weakness.
29. SmallFTPD Remote Denial Of Service Vulnerability
BugTraq ID: 9684
Remote: Yes
Date Published: Feb 17 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9684
Summary:
SmallFTPD is a freely available FTP server application built for the Windows platform.
It has been reported that SmallFTPD is prone to a remote denial of service vulnerability. This issue is due to the application failing to properly validate user input.
The problem revolves around the buffer allocated to contain the directory request string supplied by the user. An authenticated user supplying an excessively long string may cause the server to crash due to a memory exception. The server will then be unable to service other requests, denying access to legitimate users.
Successful exploitation of this issue may cause the affected server to crash, denying service to legitimate users. It has been conjectured that this issue may be due to a boundary management problem that may lead to arbitrary code execution, however this has yet to be verified.
This issue has been reported to affect version 1.0.3 of the software, however earlier versions may be affected as well.
30. Microsoft Windows XP Help And Support Center Interface Spoof...
BugTraq ID: 9685
Remote: Yes
Date Published: Feb 17 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9685
Summary:
A weakness has been alleged in Microsoft Windows XP that could reportedly allow aspects of the Help and Support Center interface to be spoofed via a malicious link. By spoofing this interface, an attacker could potentially present misleading or hostile content to a user in a manner which may cause the user to trust it. This weakness employs the connection.htm error page to present attacker-specified web pages in the interface with various misleading properties, such as an arbitrary title (Windows Update is used in the example) and instructional text.
Symantec has not been able to reproduce this alleged weakness.
31. Linux Kernel do_mremap Function VMA Limit Local Privilege Es...
BugTraq ID: 9686
Remote: No
Date Published: Feb 18 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9686
Summary:
A vulnerability involving the do_mremap system function has been reported in the Linux kernel, allowing for local privilege escalation. The mremap(2) system call is used to resize and relocate Virtual Memory Areas (VMA).
It has been reported that in order to move part of the virtual memory from inside a VMA to a new location, a new VMA descriptor must be created and the page table entries described by the VMA must be copied from the old to the new location in the process's page table. The do_mremap function is responsible for this task; it calls the kernel do_munmap() function to eliminate the old virtual memory mapping and any existing virtual memory mapping at the new location. The issue presents itself because the return value of the do_munmap() function is not properly verified. If the maximum number of VMAs (65535) for a process has been reached and part of an existing memory mapping is unmapped, the maximum number of available VMA descriptors may be exceeded. Because of the missing return value check, the page table entries of one VMA may be inserted into the page table location described by the previous VMA, and are therefore subject to the previous VMA's page protection flags.
Furthermore, it has been reported that two other unchecked calls from do_mremap() to do_munmap() may present another exploitable instance of this issue. This occurs when the VMA to be remapped is truncated.
Successful exploitation of this issue may allow a local attacker with limited privileges on a host to fully compromise the system because special privileges are not required to use the mremap(2) system call. The issue may also allow a denial of service condition on available system memory.
32. Ecommerce Corporation Online Store Kit Multiple SQL Injectio...
BugTraq ID: 9687
Remote: Yes
Date Published: Feb 18 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9687
Summary:
Online Store Kit is a commercially available web based shopping cart application. Implemented in PHP, it can be deployed on Unix and Unix-like platforms as well as Windows.
It has been reported that Online Store Kit is prone to multiple SQL injection vulnerabilities. These issues arise due to insufficient sanitization of user-supplied input via the URI.
It has been reported that these issues surround the 'cat' parameter of the 'shop.php' script, the 'cat_manufacturer' parameter of the 'shop_by_brand.php' script and the 'id' parameter of the 'listing.php' script.
As a result, a malicious user may influence database queries in order to view or modify sensitive information, potentially compromising the software or the database. It has been reported that an attacker may be able to disclose the administrator password hash by exploiting this issue.
This issue is reported to affect version 3.0 of the software; it is likely, however, that it will affect earlier versions as well.
33. Linksys WAP55AG SNMP Community String Insecure Configuration...
BugTraq ID: 9688
Remote: Yes
Date Published: Feb 18 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9688
Summary:
Linksys WAP55AG is a wireless routing appliance. SNMP (Simple Network Management Protocol) is used to allow remote configuration of hardware. Configuration is accomplished through read and write strings.
The Linksys WAP55AG appliance has been reported prone to an insecure default configuration vulnerability.
It has been reported that all SNMP MIB (Management Information Base) community strings, even read/write strings, may be disclosed to a remote attacker who queries OID 1.3.6.1.4.1.3955.2.1.13.1.2.
An attacker may disclose specific information, such as MAC hardware addresses, route table data and other configuration details for hosts that are on the internal protected network. It may also be possible for the attacker to manipulate the appliance configuration through writeable strings.
Exploitation of this vulnerability may be used to aid in further attacks against the victim network.
34. Owl's Workshop Multiple Remote File Disclosure Vulnerabiliti...
BugTraq ID: 9689
Remote: Yes
Date Published: Feb 18 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9689
Summary:
Owl's Workshop is a freely available web based educational tool facilitating creation of exercises, readings and online presentations. Implemented in PHP, it can be deployed on Unix and Unix-like platforms as well as Windows.
It has been reported that Owl's Workshop is prone to multiple remote file disclosure vulnerabilities. These issues are due to insufficient validation of user-supplied input passed via a URI parameter.
It has been reported that these issues surround the 'file' and 'filename' URI parameters in the 'index.php' script, the 'filename' URI parameter of the 'resultsignore.php' script, the 'editfile' URI parameter of the 'glossary.php' script and the 'editfile' URI parameter of the 'newmultiplechoice.php' script.
Upon successful exploitation of these issues an attacker may be able to gain access to sensitive system files, potentially facilitating further attacks.
35. Linux Kernel Vicam USB Driver Userspace/Kernel Memory Copyin...
BugTraq ID: 9690
Remote: No
Date Published: Feb 18 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9690
Summary:
It has been reported that the Vicam USB driver does not access userspace memory in a safe manner. The source of the problem is that the copy_from_user function is not used by the driver. This function is used to copy a block of memory from userspace into kernel memory. This is reported to present unspecified local security risks.
Though unconfirmed, this could theoretically present a situation where memory in userspace is copied into kernel memory in a manner that causes kernel structures or other sensitive variables in kernel memory to be corrupted. This type of issue could possibly lead to privilege escalation or a denial of service condition, though this is also not confirmed.
This issue is reported to exist in kernel versions prior to 2.4.25.
Further technical details related to this issue are not known at this time. This BID will be updated as more information is made available.
36. Linux Kernel NCPFS ncp_lookup() Unspecified Local Privilege ...
BugTraq ID: 9691
Remote: No
Date Published: Feb 18 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9691
Summary:
NCPFS is a suite of programs that allow users to access a Novell server. NetWare servers can be mounted under Linux by NCPFS and functionality to print with NetWare printers is provided.
An unspecified local privilege escalation vulnerability has been reported to exist in the ncp_lookup() function of NCPFS. This issue may allow a local user to gain elevated privileges. Exploitation of this vulnerability may result in a compromise of root access by local attackers.
Due to a lack of details further information cannot be provided at the moment. This BID will be updated as more information becomes available.
37. Metamail Multiple Buffer Overflow/Format String Handling Vul...
BugTraq ID: 9692
Remote: Yes
Date Published: Feb 18 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9692
Summary:
Metamail is a multi-platform utility that was originally developed by Bellcore, but is no longer maintained. Metamail parses and decodes MIME encoded email.
Metamail has been reported prone to multiple vulnerabilities that may provide for arbitrary code execution.
The first issue, a format string handling vulnerability, is reported to present itself when metamail handles a message of the multipart/alternative data type. Format specifiers appearing in the value of the Content-Type header of one of the message body parts will be interpreted as format directives, providing for arbitrary writes into process memory. The issue exists due to programming errors in fprintf() calls in the function SaveSquirrelFile() of the source file metamail.c.
The second issue, again a format string handling vulnerability, is reported to present itself when a processed email message contains specially encoded non-ASCII characters including malicious format specifiers in the email header. This vulnerability may provide a conduit for an attacker to influence arbitrary writes into process memory space. The issue exists due to programming errors in a printf() call in the function PrintHeader() of the source file metamail.c.
A third issue, resulting from a lack of sufficient boundary checks, has been reported to exist due to an unsafe strcpy() call in the function PrintHeader() of the source file metamail.c. The issue is triggered when the value in an email message header used to identify a character set is of excessive length; it has been reported that the message headers must also consist of encoded non-ASCII characters.
The final vulnerability exists in the splitmail executable. This issue is due to a lack of sufficient boundary checks performed on Subject values contained in email headers. The issue may be triggered if the splitmail executable is used to process a malicious email that contains a Subject line of sufficient length to overflow the bounds of a reserved buffer in process memory. The issue exists due to an unsafe strcpy() call in the function ShareThisHeader() of the source file splitmail.c.
This BID will be broken up into unique BIDs, as further analysis of these issues is completed. The following CVE IDs have been associated with these vulnerabilities (CAN-2004-0104) and (CAN-2004-0105).
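An added example, not Metamail's code: the two defect shapes the advisory attributes to PrintHeader() and SaveSquirrelFile(), a header value used as a printf-family format and an unbounded strcpy() of the charset, shown as comments beside hardened replacements, plus a detector that counts conversion specifiers in a header value as a filtering signal. The buffer size, function names and header samples are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

#define CHARSET_MAX 32   /* assumed buffer size; the advisory does not give one */

/* Vulnerable shapes (not Metamail's code, not called here): the header value
 * is the format argument, so "%n" in it writes to memory, and the charset
 * copy has no bound.
 *
 *     fprintf(fp, value);          // value comes from the message
 *     strcpy(charset_buf, charset);
 */

/* Hardened: the untrusted value is always an argument, never the format.
 * Returns the bytes written into out, or -1 if the line did not fit. */
int render_header(char *out, size_t out_size, const char *name, const char *value)
{
    int n = snprintf(out, out_size, "%s: %s", name, value);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return n;
}

/* Hardened charset copy: reject a value that does not fit with its NUL. */
int copy_charset(char *dst, size_t dst_size, const char *charset)
{
    size_t len = 0;
    while (len < dst_size && charset[len] != '\0')
        len++;
    if (len >= dst_size)
        return -1;
    memcpy(dst, charset, len + 1);
    return 0;
}

/* Count printf conversion specifiers in a header value. A mail filter or IDS
 * rule can use this as a signal: legitimate Content-Type, charset and Subject
 * values contain no '%' followed by a conversion letter. */
int count_format_specs(const char *s)
{
    int count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        const char *q = p + 1;      /* skip flags, width, precision, length */
        while (*q != '\0' && strchr("-+ #0123456789.hlLqjzt", (unsigned char)*q) != NULL)
            q++;
        if (*q != '\0' && strchr("diouxXeEfgGcspn", (unsigned char)*q) != NULL)
            count++;
    }
    return count;
}

int main(void)
{
    char line[128], cs[CHARSET_MAX];
    /* Constructed samples shaped like the advisory's trigger conditions. */
    const char *ctype = "text/plain; charset=%x%x%n";
    const char *subject = "=?iso-8859-1?Q?%08x%08x%n?=";

    if (render_header(line, sizeof line, "Content-Type", ctype) > 0)
        puts(line);                           /* specifiers appear literally */
    printf("specifiers in subject: %d\n", count_format_specs(subject));
    printf("over-long charset accepted: %s\n",
           copy_charset(cs, sizeof cs, "x-a-charset-name-far-too-long-for-the-buffer") == 0 ? "yes" : "no");
    return 0;
}
```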
38. WebCortex WebStores2000 Error.ASP Cross-Site Scripting Vulne...
BugTraq ID: 9693
Remote: Yes
Date Published: Feb 18 2004
Relevant URL: hxxp://www.securityfocus.com/bid/9693
Summary:
WebCortex WebStores2000 is shopping cart software implemented in ASP. It is available for Microsoft Windows operating environments.
It has been reported that WebStores2000 is prone to a cross-site scripting vulnerability. This issue is reportedly due to a failure to sanitize user input, allowing HTML and script code that may facilitate cross-site scripting attacks.
This issue is reported to affect the 'Message_id' parameter of the 'error.asp' script.
This could permit a remote attacker to create a malicious link to the vulnerable application that includes hostile HTML and script code. If this link were followed, the host