Summary of Security Items from December 29, 2004 through January 4, 2005
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to items appearing in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.

The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.
Note: All the information included in the following tables
has been discussed in newsgroups and on web sites.
The Risk levels defined below are based on how the system may be impacted:

High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.

Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.

Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
A vulnerability exists that could allow a remote user to determine valid usernames. A remote user can also conduct unlimited password guessing attempts.
The vendor has issued a fixed version (1.4.2.1) to correct the username disclosure issue. No solution was available at the time of this entry for the unlimited password guessing issue.
A Proof of Concept exploit has been published.
ArGoSoft FTP Server Discloses Username Status to Remote Users
Medium
SecurityTracker Alert ID: 1012744, December 31, 2004
Crystal Art Software
Crystal FTP Pro 2.8
A buffer overflow vulnerability exists due to a boundary error in the handling of file extensions in response to 'LIST' requests, which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published.
Crystal FTP Pro Buffer Overflow
High
Securiteam, December 19, 2004
Packetstorm, December 31, 2004
GFi
MailEssentials 8.x, 9, 10.x
A denial of service vulnerability exists that could allow a remote user to stop GFI MailSecurity and GFI MailEssentials due to a bug in the Microsoft HTML parser library. A remote user can send a specially crafted HTML-based e-mail to trigger a flaw in the Microsoft HTML parser, causing GFI MailSecurity and GFI MailEssentials to stop processing. As a result, e-mail messages will be stuck in the Microsoft IIS or Exchange queues. A specially crafted JavaScript string in an e-mail subject, body, or attachment can trigger the crash.
SecurityTracker Alert ID: 1012755, January 3, 2005
GlobalSCAPE, Inc.
CuteFTP 6.0
Multiple buffer overflow vulnerabilities exist in the command and response functionality due to insufficient validation of user-supplied strings prior to copying them into finite process buffers, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code.
No workaround or patch available at time of publishing.
SecurityTracker Alert ID: 1012366, November 30, 2004
Packetstorm, December 31, 2004
Macallan
Macallan Mail Solution 4.0.6.8 (Build 786)
A denial of service vulnerability exists that could allow a remote user to crash the web and POP3 services. A remote user can supply a specially crafted URL that begins with a question mark to cause the target service to crash.
Macallan Mail Solution Denial of Service Vulnerability
Low
CIRT Security Advisory, December 31, 2004
Microsoft
Internet Explorer (Windows XP with SP2 is not affected)
A vulnerability exists due to an input validation error in the handling of FTP file transfers. This can be exploited by a malicious FTP server to create files in arbitrary locations via directory traversal attacks by tricking a user into downloading malicious files (e.g. by dragging or copying a file or folder).
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published.
Microsoft Internet Explorer FTP Download Directory Traversal
High
Secunia, SA13704, January 3, 2005
Microsoft
Windows NT Server 4.0 SP 6a, NT Server 4.0 Terminal Server Edition SP 6, Windows 2000 Server SP 3 & SP4, Windows Server 2003, 2003 64-Bit Edition
A vulnerability exists due to an unchecked buffer in the handling of the 'Name' parameter from certain packets, which could let a remote malicious user execute arbitrary code.
Microsoft Security Bulletin, SB04-045, December 14, 2004
US-CERT Vulnerability Note, VU#378160, December 16, 2004
Packetstorm, January 2, 2005
Microsoft
Windows NT Server 4.0, Windows NT Server 4.0 Enterprise Edition, Windows NT Server 4.0 Terminal Server Edition, Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition, Windows XP Professional, Windows Server 2003 Datacenter Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, Windows 98, Windows 98 SE, Windows ME; Avaya DefinityOne Media Servers, IP600 Media Servers, Modular Messaging (MSS) 1.1, (MSS) 2.0, S3400 Message Application Server, S8100 Media Servers
A remote code execution vulnerability exists in the NetDDE services because of an unchecked buffer. A malicious user who successfully exploited this vulnerability could take complete control of an affected system. However, the NetDDE services are not started by default and would have to be manually started for an attacker to attempt to remotely exploit this vulnerability. This vulnerability could also be used to attempt to perform a local elevation of privileges or remote Denial of Service.
Microsoft Security Bulletin MS04-031, October 12, 2004
US-CERT Cyber Security Alert SA04-286A, October 12, 2004
US-CERT Vulnerability Note VU#640488, October 13, 2004
SecurityFocus, October 18, 2004
Packetstorm, January 2, 2005
Mozilla
Bugzilla 2.x
A vulnerability exists which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed in HTTP requests is not properly sanitized before being returned to users in error messages when an internal error is encountered. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.
Fixes are reportedly available in the CVS repository.
Currently we are not aware of any exploits for this vulnerability.
Several vulnerabilities were reported in WHM AutoPilot. A remote user can execute arbitrary commands on the target system, conduct cross-site scripting attacks, or obtain information about the target system. Several scripts do not properly validate user-supplied input. A remote user can load several scripts and supply a specially crafted 'server_inc' value to cause the script to include and execute arbitrary PHP code. The PHP code, including operating system commands, will run with the privileges of the target web service.
Benchmark Designs WHM AutoPilot 'server_inc' Include File Flaw
High
GulfTech Security Advisory, December 27, 2004
Conectiva
Conectiva Linux 9 - netpbm
A vulnerability exists in netpbm which can be exploited by malicious, local users to escalate their privileges on a vulnerable system. The vulnerability is caused due to insecure creation of temporary files, which can be exploited via symlink attacks.
Currently we are not aware of any exploits for this vulnerability.
Conectiva netpbm Privilege Escalation
Medium
Secunia, SA13682, December 30, 2004
GNU
CUPS 1.x
A vulnerability has been reported in CUPS, which potentially can be exploited by malicious people to compromise a vulnerable system. Successful exploitation may potentially allow execution of arbitrary code with the privileges of the print spooler, when a specially crafted PDF document is printed.
Currently we are not aware of any exploits for this vulnerability.
GNU CUPS xpdf "doImage()" Buffer Overflow Vulnerability
High
Secunia SA13668, December 26, 2004
Mandrakesoft, MDKSA-2004:164, December 29, 2004
GNU
CVSTrac 1.x
Vulnerabilities exist due to a lack of input validation in "main.c" and "login.c". This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.
Currently we are not aware of any exploits for this vulnerability.
GNU CVSTrac Cross-Site Scripting Vulnerabilities
High
CVSTrac, check-in numbers 320 and 321, December 17, 2004
GNU
Xpdf prior to 3.00pl2
A buffer overflow vulnerability exists that could allow a remote user to execute arbitrary code on the target user's system. A remote user can create a specially crafted PDF file that, when viewed by the target user, will trigger an overflow and execute arbitrary code with the privileges of the target user.
Mandrakesoft, MDKSA-2004:161, 162, 163, 165, 166, December 29, 2004
IBM
AIX 5.x
Multiple vulnerabilities exist in AIX, which can be exploited by malicious, local users to gain escalated privileges. These vulnerabilities exist in the 'paginit' utility, the '/bin/Dctrl' utility, the 'uname' utility, and the 'grep' utility. Successful exploitation of the vulnerabilities allows execution of arbitrary code with 'root' privileges.
Currently we are not aware of any exploits for this vulnerability.
KDE kio_ftp FTP Command Injection Vulnerability
Medium
KDE Advisory Bug 95825, December 26, 2004
Multiple Vendors
Linux Kernel 2.4 - 2.4.28, 2.6 - 2.6.9
A vulnerability was reported in the Linux kernel in the auxiliary message (scm) layer. A local malicious user can cause Denial of Service conditions. A local user can send a specially crafted auxiliary message to a socket to trigger a deadlock condition in the __scm_send() function.
iSEC Security Research Advisory 0019, December 14, 2004
SecurityFocus, December 25, 2004
Secunia, SA13706, January 4, 2005
Multiple Vendors
Linux Kernel 2.4 - 2.4.28, 2.6 - 2.6.9
Several vulnerabilities exist in the Linux kernel in the processing of IGMP messages. A local user may be able to gain elevated privileges. A remote user can cause the target system to crash. These are due to flaws in the ip_mc_source() and igmp_marksources() functions.
iSEC Security Research Advisory 0018, December 14, 2004
SecurityFocus, December 25, 2004
Secunia, SA13706, January 4, 2005
Multiple Vendors
Linux Kernel 2.6.x
Some potential vulnerabilities exist with an unknown impact in the Linux Kernel. The vulnerabilities are caused due to boundary errors within the 'sys32_ni_syscall()' and 'sys32_vm86_warning()' functions and can be exploited to cause buffer overflows. Immediate consequences of exploitation of this vulnerability could be a kernel panic. It is not currently known whether this vulnerability may be leveraged to provide for execution of arbitrary code.
Multiple vulnerabilities exist which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the file system. When a Perl script is executed, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user.
SUSE Security Summary Report, SUSE-SR:2004:002, November 30, 2004
Red Hat RHSA-2004:586-15, December 20, 2004
Mandrakesoft, MDKSA-2004:159, December 29, 2004
MySQL
Eventum 1.3.1
Multiple vulnerabilities exist which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks and potentially bypass certain security restrictions. 1) Input passed to the "email" parameter in "index.php" and "forgot_password.php", and the "title" and "outgoing_sender_name" parameters in "projects.php", is not properly sanitized before being returned to users. 2) Input passed to the "full_name", "sms_email", "list_refresh_rate", and "emails_refresh_rate" parameters in "preferences.php" is not properly sanitized. 3) Eventum has an undocumented default administrator account.
No vendor solution is available.
Currently we are not aware of any exploits for this vulnerability.
MySQL Eventum Multiple Vulnerabilities
High
CIRT-200404 and CIRT-200405, December 28, 2004
Nullsoft
SHOUTcast 1.9.4
A format string vulnerability exists that could allow a remote user to execute arbitrary code on the target system. A remote user can supply a specially crafted request to the target server containing format string characters to cause the target service to crash or execute arbitrary code.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published.
Nullsoft SHOUTcast Format String Flaw
High
SecurityTracker Alert ID: 1012675, December 24, 2004
Packetstorm, December 31, 2004
phpBB Group
phpBB 2.0.0-2.0.10
A vulnerability exists in the 'urldecode' function due to insufficient input validation, which could let a remote malicious user execute arbitrary PHP script.
No workaround or patch available at time of publishing.
Additional exploit scripts have been published.
PHPBB Remote URLDecode Input Validation
High
Bugtraq, November 13, 2004
SecurityFocus, November 23, 2004
SecurityFocus, December 25, 2004
Toshiaki Kanosue
HtmlHeadLine.sh
A vulnerability exists due to multiple temporary files being created insecurely. This can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user running the vulnerable script.
A vulnerability exists in PHProjekt, which can be exploited by malicious people to compromise a vulnerable system. Input passed to the "path_pre" parameter in "authform.inc.php" isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.
Currently we are not aware of any exploits for this vulnerability.
Albrecht Günther PHProjekt "path_pre" Parameter Arbitrary File Inclusion Vulnerability
High
PHProjekt Security Advisory, December 28, 2004
Gentoo, GLSA 200412-27, December 30, 2004
All Enthusiast, Inc.
PhotoPost PHP Pro 4.x
Multiple vulnerabilities exist which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. 1) Input passed to the "page", "cat", and "si" parameters in "showgallery.php" isn't properly sanitized before being returned to the user. 2) Input passed to the "cat" and "ppuser" parameters in "showgallery.php" isn't sanitized properly before being used in a SQL query.
Currently we are not aware of any exploits for this vulnerability.
All Enthusiast PhotoPost PHP Pro Cross-Site Scripting and SQL Injection
High
GulfTech Security Research Team, January 3, 2005
All Enthusiast, Inc.
ReviewPost PHP Pro 2.x
Multiple vulnerabilities exist which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and compromise a vulnerable system. 1) Input passed to the "si" parameter in "showcat.php", "cat" and "page" parameters in "showproduct.php", and "report" parameter in "reportproduct.php" isn't properly sanitized before being returned to the user. 2) Input passed to the "cat" parameter in "showcat.php" and "product" parameter in "addfav.php" isn't properly sanitized before being used in a SQL query. 3) An error in the handling of file uploads for filenames with multiple extensions (e.g. "test.jpg.php.jpg.php") can be exploited.
Currently we are not aware of any exploits for this vulnerability.
All Enthusiast ReviewPost PHP Pro Multiple Vulnerabilities
High
GulfTech Security Research Team, January 3, 2005
Ben3W
2Bgal 2.4 and 2.5.1
A vulnerability exists that can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "id_album" parameter is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
No workaround or patch available at time of publishing.
A vulnerability exists which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. The vulnerability is caused due to the astats script creating some PNG images and the aStats-Graphic-Signature-Generation file insecurely. This can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user running the vulnerable script.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published.
Colin Stéphane aStats Insecure Temporary File Creation
Medium
Secunia, SA13679, December 29, 2004
GForge
Limbo 1.0.2
Multiple vulnerabilities exist which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks, and potentially compromise a vulnerable system. 1) Input passed to the "searchword" parameter in "index.php" isn't properly sanitized before being returned to the user. 2) Input passed to "gb_name", "gb_email", "gb_url", "gb_country", "gb_title", and "gb_message" is not properly sanitized before being used.
The vulnerabilities have been fixed in version 1.0.3 alpha.
A Proof of Concept exploit has been published.
GForge Limbo Multiple Vulnerabilities
High
TheBillyGoatCurse.com, December 27, 2004
Glandrake.com
MyCart
A vulnerability exists that could permit a remote user to view the configuration file. A remote user can directly request the 'settings.ini' file, which includes database passwords and other potentially sensitive system information.
A fixed version (version as of March 19, 2001) is available at:
SecurityTracker Alert ID: 1012752, January 3, 2005
GNU
FlatNuke 2.5.1
A vulnerability exists in which a remote user can gain administrative access on the application. A remote user can also execute arbitrary PHP code on the target system. The 'index.php' script does not properly validate user-supplied input in the 'url_avatar' field. A remote user can submit a specially crafted value to register as an administrative user.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published.
GNU FlatNuke Input Validation Flaw in 'url_avatar'
High
SecurityTracker Alert ID: 1012758, January 3, 2005
GNU
Moodle 1.4.2 and prior versions
Multiple vulnerabilities exist that could permit a remote user to obtain session ID files. A remote user can also conduct cross-site scripting attacks. The '/mod/forum/view.php' script does not properly validate user-supplied input in the $search variable. Also, a remote user can invoke 'file.php' to obtain session data stored in the 'moodledata' directory. The 'pathname' variable is not properly validated.
The session file disclosure vulnerability was patched on December 14, 2004 in version 1.4.3. No solution was available at the time of this entry for the cross-site scripting vulnerabilities, but a fix is planned (potentially for the future version 1.5).
A Proof of Concept exploit has been published.
GNU Moodle Input Validation Vulnerability
High
SecurityTracker Alert ID: 1012710, December 28, 2004
GNU
Owl Intranet Engine prior to 0.74.0
An input validation vulnerability exists in the Owl intranet engine that could permit a remote user to conduct cross-site scripting attacks and SQL injection attacks. A remote user can also cause arbitrary scripting code to be executed by the target user's browser.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published.
GNU Owl Intranet Engine Input Validation Holes
High
Nessus Reference: 16063
GNU
PHP-Calendar
A vulnerability exists that could allow a remote user to execute arbitrary commands on the target system. The software does not properly validate user-supplied input in the 'phpc_root_path' variable. If the php globals configuration is set, then a remote user can supply a specially crafted URL to cause arbitrary PHP code from a remote site to be included and executed by the target system.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published.
GNU PHP-Calendar Include File Flaw
High
GulfTech Security Advisory, December 29, 2004
GNU
ViewCVS 0.9.2
Multiple vulnerabilities exist that could allow a remote user to conduct cross-site scripting attacks. The 'viewcvs.py' script does not properly validate user-supplied input in the 'content-type' and the 'content-length' parameters. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published.
GNU ViewCVS Input Validation Holes
High
SecurityTracker Alert ID: 1012750, January 2, 2005
Google
Gmail
A vulnerability exists that could allow a remote user to send a large amount of e-mail to the target user's secondary address. The Gmail service 'forgot your password?' feature allows a remote user to load a certain URL to cause the service to send a validation e-mail to the specified user's secondary e-mail address. There is no limit to the number of messages sent over a period of time, so a remote user can flood the target user's secondary e-mail address.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published.
Google Gmail 'forgot your password?' Vulnerability
Low
SecurityTracker Alert ID: 1012749, January 2, 2005
GRASS Development Team
GRASS 5.7.x
Multiple vulnerabilities exist which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. The vulnerabilities are caused due to multiple scripts creating temporary files insecurely. This can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user running a vulnerable script.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
A vulnerability exists that could allow a remote user to view files on the target system. A remote user can specify a value for the 'ar_file' auto-reply parameter to cause the target server to send an arbitrary file to the remote user.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published.
Joe Lumbroso Jack's FormMail.php File Access Vulnerability
Medium
SecurityTracker Alert ID: 1012747, January 1, 2005
korWeblog 1.6.2-cvs and prior versions
Multiple input validation vulnerabilities exist that could allow a remote user to execute arbitrary commands on the target system. The '/install/index.php' script does not properly validate the user-supplied 'lng' parameter. A remote user can create a specially crafted URL to cause the target server to include and execute arbitrary PHP code located on a remote server. A remote user can also view files on the target system.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published.
KorWeblog 'install/index.php' Include File Flaw
High
SecurityTracker Alert ID: 1012745, January 1, 2005
Mozilla
Mozilla 1.7.3
A heap overflow vulnerability exists in the processing of NNTP URLs. A remote user can execute arbitrary code on the target system. A remote user can create a specially crafted 'news://' URL that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code on the target user's system. The code will run with the privileges of the target user. The flaw resides in the *MSG_UnEscapeSearchUrl() function in 'nsNNTPProtocol.cpp'.
Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0
A vulnerability exists which can be exploited by malicious people to spoof the source displayed in the Download Dialog box. The problem is that long sub-domains and paths aren't displayed correctly, which therefore can be exploited to obfuscate what is being displayed in the source field of the Download Dialog box.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
Mozilla / Mozilla Firefox Download Dialog Source Spoofing
Medium
Secunia SA13599, January 4, 2005
QNX Software Systems
QNX RTOS 2.4, 4.25, 6.1.0, 6.2.0 (+ Update Patch A)
A vulnerability exists in the QNX operating system in crttrap. A local user can read and write arbitrary files on the target system. A local user can invoke crttrap with the '-c' command option and the 'trap' flag to write a trap file to an arbitrary location with root privileges.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published.
QNX crttrap '-c' Lets Local Users Read or Write Arbitrary Files
High
SecurityTracker Alert ID: 1012712, December 29, 2004
Simon Tatham
PuTTY for Symbian OS 1.x
A vulnerability exists which potentially can be exploited by malicious people to compromise a user's system.
Currently we are not aware of any exploits for this vulnerability.
Simon Tatham PuTTY for Symbian OS "SSH2_MSG_DEBUG" Buffer Overflow
Unknown
Secunia, SA13678, January 4, 2005
SIR
GNUBoard 3.40 and prior versions
An input validation vulnerability exists that could allow a remote user with file upload privileges to upload arbitrary scripting code to the target system. The 'gbupdate.php' script does not properly validate the file extensions of uploaded files, performing only a case-sensitive check. A remote user can upload files containing scripting code and having a file extension commonly associated with scripting files (e.g., php, pl, cgi). Then, the remote user can cause the web server to execute the uploaded file.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
SIR GNUBoard Case-Sensitive File Extension Validation Vulnerability
High
STG Security, January 2005
Symantec
Symantec Nexland Firewall Appliances 1.x
Three vulnerabilities exist in the Nexland Firewall Appliances, which can be exploited by malicious people to cause a DoS (Denial of Service), identify active services, and manipulate the firewall configuration.
Update to firmware build 16U: http://www.symantec.com/techsupp/
Currently we are not aware of any exploits for this vulnerability.
A vulnerability exists because it is possible to access CVSROOT and forbidden directories via the tarball generation functionality, which could let a malicious user bypass security restrictions.
ViewCVS Ignores 'hide_cvsroot' and 'forbidden' Settings
Medium
SecurityTracker Alert ID: 1012431, December 6, 2004
Gentoo Advisory GLSA 200412-26, December 28, 2004
Xanga.com
Xanga
An input validation vulnerability exists that could allow a remote user to conduct cross-site scripting attacks. 'sitemessage.aspx' does not properly validate user-supplied input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published.
Xanga 'sitemessage.aspx' Input Validation Flaw
High
SecurityTracker Alert ID: 1012751, January 2, 2005
ZyXEL
B-240 Wireless Ethernet Adapter
A remote cross-site scripting vulnerability exists due to a failure of the application to properly sanitize URI input prior to including it in dynamic content. An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the Web administration page.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published.
ZyXEL B-240 Wireless Ethernet Adapter Web Interface Vulnerability
High
SecurityFocus, Bugtraq ID 12142, December 31, 2004
The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Columns: Date of Script (Reverse Chronological Order); Exploit name; Workaround or Patch Available; Script Description
January 2, 2005
viewcvs.txt
No
Exploit for ViewCVS 0.9.2 cross site scripting and HTTP-response splitting flaws.
January 2, 2005
sugarCRM.txt
No
Exploit for cross site scripting and possible code execution vulnerabilities in SugarCRM versions 1.x.
January 2, 2005
OWL-Intranet.txt
No
Exploit for OWL versions 0.7 and 0.8 cross site scripting and SQL injection vulnerabilities.
January 2, 2005
wins.c
Yes
Remote exploit for Microsoft Windows 2000 WINS with connect-back shellcode. Works on SP3/SP4.
January 2, 2005 | HOD-ms04031-netdde-expl.c | Yes | Remote proof of concept exploit for the NetDDE buffer overflow vulnerability described in MS04-031. Tested on: Windows XP Professional SP0, Windows XP Professional SP1, Windows 2000 Professional SP2, Windows 2000 Professional SP3, Windows 2000 Professional SP4, Windows 2000 Advanced Server SP4.
January 2, 2005 | KorWeblog.txt | No | Exploit for a KorWeblog directory traversal vulnerability that lets attackers read files and include malicious PHP files. Versions 1.6.2-cvs and below are susceptible.
January 2, 2005 | ftpd-iexpl.c | No | Proof of concept exploit for Internet Explorer version 6.0.3790.0 that demonstrates an FTP download path disclosure flaw.
January 2, 2005 | isec-0020-mozilla.txt | Yes | Exploit for a heap overflow in the NNTP code of Mozilla browser versions 1.7.3 and below that may allow arbitrary code execution.
January 2, 2005 | phpcalendar.txt | No | Exploit for a PHP-Calendar file inclusion vulnerability.
January 2, 2005 | WHM-autopilot.txt | Yes | Exploit for WHM AutoPilot version 2.4.6.5 information disclosure, cross site scripting, and file inclusion vulnerabilities.
January 2, 2005 | moodle142.txt | Yes | Exploit for cross site scripting and file inclusion vulnerabilities in Moodle versions 1.4.2 and below.
January 2, 2005 | netcat-exp.txt | Yes | Exploit for a buffer overflow in netcat.
January 2, 2005 | CMDExe.txt | Yes | Exploit for Internet Explorer remote command execution; a variant of the Auto SP2 RC exploit.
January 2, 2005 | ANI-DoS.txt | No | Exploit for the Microsoft Windows kernel ANI file parsing denial of service vulnerability.
January 2, 2005 | PhpIncludeWorm.txt | No | PHP-based worm that targets any vulnerable page or script with a remote file inclusion vulnerability.
January 2, 2005 | SantyB.php.txt | No | Santy.b phpBB worm that affects versions 2.0.10 and below and installs a bot. Uses AOL/Yahoo search.
January 1, 2005 | MSXPSP2-ieEXP.txt | No | Exploit for the Internet Explorer HTML Help Control Local Zone bypass that can be used against Microsoft Windows XP SP2 and below.
January 1, 2005 | yacyXSS.txt | Yes | Exploit for a yacy version 0.31 cross site scripting vulnerability.
December 31, 2005 | raptor_udf.c | No | Local root exploit that loads a dynamic library providing do_system() as a MySQL UDF. Tested on MySQL 4.0.17.
December 31, 2005 | bruteforce.webmin.txt | Yes | Exploit for Webmin remote brute force and command execution.
December 31, 2005 | exploitphpbb.zip | No | Perl script exploit extracted from the phpBB worm.
December 31, 2005 | ibod_bof.c | No | Proof of concept buffer overflow exploit for IBOD 1.5.0 and below.
December 31, 2005 | eboard40.txt | No | Exploit for an e_Board version 4.0 directory traversal vulnerability.
December 31, 2005 | cuteftpexpl.c | No | Exploit for a CuteFTP Professional version 6.0 local denial of service vulnerability.
December 31, 2005 | hijack_apache-0.1a.tar.gz | Yes | Tool to hijack HTTP connections under Apache and Apache2 with mod_php.
December 31, 2005 | 2bgalSQL.txt | No | Exploit for a 2Bgal 2.5.1 SQL injection vulnerability.
December 31, 2005 | php-openlog.txt | No | Proof of concept exploit for the PHP openlog() vulnerability in PHP 4.3.x.
December 31, 2005 | angelDust.c | Yes | Exploit for a Snort 2.2.10 and below remote denial of service vulnerability.
(no date listed) | (no file listed) | (not listed) | Remote exploit for phpMyChat 0.14.5 that adds an administrative account.
December 31, 2005 | raptor_chown.c | Yes | Local exploit for a Linux kernel flaw that allows group ownership changes and possible system compromise. Tested against Linux kernel versions 2.4.x through 2.4.27-rc3 and 2.6.x through 2.6.7-rc3.
December 31, 2005 | raptor_ldpreload.c | No | Local root exploit for a stack-based buffer overflow in the runtime linker, ld.so.1, on Solaris 2.6 through 9.
December 31, 2005 | raptor_libdthelp.c | No | Local root exploit for a buffer overflow in the CDE libDtHelp library.
December 31, 2005 | raptor_libdthelp2.c | No | Local root exploit for a buffer overflow in the CDE libDtHelp library.
December 31, 2005 | raptor_passwd.c | No | Local root exploit for a vulnerability in the circ() function of passwd under Solaris/SPARC 8/9.
December 31, 2005 | raptor_rlogin.c | No | Remote root exploit for rlogin on Solaris/SPARC 2.5.1/2.6/7/8.
December 31, 2005 | phpbbworm2.tgz | No | New version of the phpBB worm that works against a patched phpBB 2.0.11.
December 31, 2005 | SSA-20041220-16.txt | No | Exploit for an input validation flaw in ZeroBoard versions 4.1pl4 and below.
December 31, 2005 | phpbb-url.pl | N/A | Simple tool that automates creation of the URL needed to exploit phpBB versions below 2.0.11 via the viewtopic.php vulnerability.
December 31, 2005 | shoutcast194.c | No | Exploit for a SHOUTcast DNAS/Linux version 1.9.4 format string vulnerability.
December 31, 2005 | WPkontakt.txt | Yes | Exploit for a parsing error in WPKontakt versions 3.0.1 and below.
December 31, 2005 | crystalPoC.c | No | Proof of concept exploit for a flaw in the LIST command of Crystal FTP Pro version 2.8.
December 30, 2005 | lsmcode.txt | Yes | Local root command execution exploit for lsmcode on AIX 5.1 to 5.3.
December 30, 2005 | paginit.c | Yes | Local stack overflow exploit for /usr/bin/paginit on AIX versions 5.3/5.2/5.1.
December 30, 2004 | ultrix_dxterm_4.5_exploit.c | No | Exploit for the Ultrix 4.5/MIPS dxterm local root vulnerability.
December 30, 2004 | ubbXSS.txt | No | Exploit for cross site scripting vulnerabilities in UBBThreads versions 6.2.3 and 6.5.
December 30, 2004 | sugarSales.txt | No | Exploit for multiple vulnerabilities in the open source customer relationship management software SugarSales, including full path disclosure, file inclusion, remote command execution, and SQL injection.
December 30, 2004 | lithsock.zip | No | Remote denial of service proof of concept exploit for the Lithtech game engine.
December 30, 2004 | isec-0018-igmp.txt | Yes | Exploit for local and remote vulnerabilities in the Linux IGMP networking module and the corresponding user API. Linux kernels 2.4 up to and including 2.4.28 and 2.6 up to and including 2.6.9 are affected.
December 30, 2004 | isec-0019-scm.txt | Yes | Exploit for a flaw in the Linux socket layer that allows a local user to hang a vulnerable machine. Kernel versions 2.4 up to and including 2.4.28 and 2.6 up to and including 2.6.9 are susceptible.
December 30, 2004 | firstclass.txt | Yes | OpenText FirstClass version 8.0 httpd /Search remote denial of service exploit.
December 30, 2004 | phpGroupWare.txt | No | Exploit for phpGroupWare version 0.9.16.003 full path disclosure, cross site scripting, and SQL injection vulnerabilities.
December 30, 2004 | aspSQL.txt | No | Exploit for an asp-rider SQL injection vulnerability.
December 30, 2004 | SSA-20041214-14.txt | Yes | Exploit for a PHP injection vulnerability in GNUBoard versions 3.39 and below that allows arbitrary command execution.
December 30, 2004 | iwebnegar.txt | No | Exploit for a SQL injection vulnerability in iwebnegar, the Farsi weblog software.
December 30, 2004 | wgettrap.txt | No | Proof of concept exploit for the wget directory traversal vulnerability that affects versions 1.8 and below.
December 30, 2004 | rpcl_icmpdos.c | No | Exploit for a RICOH Aficio 450/455 PCL 5e printer ICMP remote denial of service vulnerability.
December 30, 2004 | un-aftpd.c | No | Exploit for an Ability ftpd version 2.34 remote root vulnerability.
December 30, 2004 | winrar341.txt | No | WinRAR proof of concept buffer overflow exploit for version 3.41 and below.
December 30, 2004 | cscopesym.c | Yes | Local symlink exploit for cscope versions 15.5 and below.
December 30, 2004 | kayako.txt | Yes | Exploit for Kayako eSupport version 2.x cross site scripting and SQL injection flaws.
December 25, 2004 | phpbb_urldecode_poc.pl | No | Exploit for the phpBB remote URLDecode input validation vulnerability.
Poll: IT spending expected to fall. IT spending in 2005 is expected to fall somewhat according to a new poll from CIO magazine. However, there are certain sectors, including security and storage, that are reportedly expected to rise. Only 6.7 percent of poll respondents indicated that they expected IT spending to increase in 2005, which was a decline of 1.7 percent from the poll's November results (8.4 percent). IT security spending is on the upswing with 60.9 percent of poll respondents indicating that they were planning on increasing spending over the next 12 months. The expected growth in security spending represents a 7.7 percent increase over November expectations (53.2 percent). A number of different studies in 2004 painted a very vivid picture of enterprises' attitudes toward IT security spending. A September Ernst & Young report noted that only 17 percent said spending would increase significantly, and 52 percent thought it would increase only slightly. In July, research firm IDC reported that 59 percent of its survey base indicated that IT security spending would increase. For more information:
http://www.internetnews.com/stats/article.php/3453831
Suspicious probes target WINS servers. The Bethesda, Md.-based SANS Internet Storm Center (ISC) said it and other organizations have seen a sharp uptick in probes against WINS servers since December 31.
An attacker who successfully exploits the flaws in unpatched machines could take over the system to install programs; view, change or delete data; or create new accounts with full privileges. Microsoft issued fixes for the WINS security holes last month.
Microsoft offered potential workarounds for those who are unable to patch systems immediately: Users can block TCP port 42 and UDP port 42 at the firewall or remove WINS altogether if it isn't needed. For more information: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1041758,00.html
A list of high threat
viruses, as reported to various anti-virus vendors and virus incident reporting
organizations, has been ranked and categorized in the table below. For the
purposes of collecting and collating data, infections involving multiple systems
at a single location are considered a single infection. It is therefore possible
that a virus has infected hundreds of machines but has only been counted once.
With the number of viruses that appear each month, it is possible that a new
virus will become widely distributed before the next edition of this
publication. To limit the possibility of infection, readers are reminded to
update their anti-virus packages as soon as updates become available. The table
lists the viruses by ranking (number of sites affected), common virus name, type
of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on
number of infections reported since last week), and approximate date first
found.
Rank | Common Name | Type of Code | Trends | Date
1 | Netsky-P | Win32 Worm | Stable | March 2004
2 | Sober-I | Win32 Worm | Stable | November 2004
3 | Zafi-B | Win32 Worm | Stable | June 2004
4 | Bagle-AU | Win32 Worm | Increase | October 2004
5 | Bagle-AA | Win32 Worm | Increase | April 2004
6 | Netsky-D | Win32 Worm | Decrease | March 2004
7 | Netsky-Q | Win32 Worm | Slight Decrease | March 2004
8 | Bagle.AT | Win32 Worm | Stable | October 2004
9 | Netsky-Z | Win32 Worm | Decrease | April 2004
10 | Bagle.BB | Win32 Worm | New to Table | September 2004
Table Updated January 4, 2005
Viruses or Trojans Considered to be a High Level of Threat
The following table
provides, in alphabetical order, a list of new viruses, variations of previously
encountered viruses, and Trojans that have been discovered during the period
covered by this bulletin. This information has been compiled from the following
anti-virus vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates,
Central Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer
Associates, and The WildList Organization International. Users should keep
anti-virus software up to date and should contact their anti-virus vendors to
obtain specific information on the Trojans and Trojan variants that anti-virus
software detects.
NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.