SecurityFocus Microsoft Newsletter #107

From: Marc Fossi (mfossi@securityfocus.com)
Date: 10/08/02


Date: Tue, 8 Oct 2002 07:30:08 -0600 (MDT)
From: Marc Fossi <mfossi@securityfocus.com>
To: Focus-MS <focus-ms@securityfocus.com>


SecurityFocus Microsoft Newsletter #107
---------------------------------------

This Issue Sponsored by: Wiley and Sons

SPECIAL FREE PREVIEW OF NEW KEVIN MITNICK BOOK

See what Publishers Weekly called a "tour de force, a series of tales of
how some old-fashioned blarney and high-tech skills can pry any
information from anyone..." For more information and how to order "The Art
of Deception : Controlling the Human Element of Security", visit

Please visit us at:

http://search.barnesandnoble.com/booksearch/isbnInquiry.asp?userid=5OZAUOSEBZ&isbn=0471237124&displayonly=excerpt

-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Assessing Internet Security Risk, Part Four: Custom Web...
     2. Evaluating Network Intrusion Detection Signatures, Part Two
     3. One Patch to Rule Them All
     4. SecurityFocus DPP Program
     5. IIR's 3G Fraud & Security Forum
     6. InfoSec World Conference and Expo/2003
II. MICROSOFT VULNERABILITY SUMMARY
     1. Zope Incorrect XML-RPC Request Information Disclosure Vulnerability
     2. Microsoft PPTP Server Buffer Overflow Vulnerability
     3. BEA WebLogic Server and Express HTTP Response Information...
     4. VBulletin Calendar.PHP Command Execution Vulnerability
     5. Jetty Servlet Engine Cross Site Scripting Vulnerability
     6. EmuMail Web Root Path Disclosure Vulnerability
     7. EmuMail Email Form Script Injection Vulnerability
     8. Bugzilla Group Creation With Elevated Privileges Vulnerability
     9. BEA WebLogic Server and Express Inadvertent Security Removal Weakness
     10. Nullsoft Winamp 3 Skin File Buffer Overflow Vulnerability
     11. Trolltech Qt Assistant Default Port Unauthorized Access Weakness
     12. Microsoft Internet Explorer Document Reference Zone Bypass...
     13. Bugzilla Bugzilla_Email_Append.pl Arbitrary Command Execution...
     14. Bugzilla Account Creation SQL Injection Vulnerability
     15. SafeTP Passive Mode Internal IP Address Revealing Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
     1. SecurityFocus Microsoft Newsletter #106 (Thread)
IV. MICROSOFT PRODUCTS
     1. Active Administrator
     2. SecureIIS Application Firewall
     3. VigilEnt User Manager/Password Management
V. MICROSOFT TOOLS
     1. CIA Unerase Private v1.0
     2. MOVEit Freely v2.1.0.0
     3. Inzider 1.2
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------
1. Assessing Internet Security Risk, Part Four: Custom Web Applications
By Charl van der Walt

This article is the fourth in a series that is designed to help readers to
assess the risk that their Internet-connected systems are exposed to. This
installment will discuss a relatively unexplored aspect of Internet
security, custom Web applications.

http://online.securityfocus.com/infocus/1631

2. Evaluating NID Signatures, Part Two
by Karen Kent Frederick

In this series of articles, we present recommendations that will help
readers to evaluate the quality of network intrusion detection (NID)
signatures, either through hands-on testing or through careful
consideration of third-party product reviews and comparisons. The first
installment discussed some of the basics of evaluating NID signature
quality, as well as selecting attacks to be used in testing. This article
will conclude the discussion on criteria for choosing attacks and then
provide recommendations for generating attacks and creating a good testing
environment. We begin by discussing some methods of acquiring attacks and
attack traffic.

http://online.securityfocus.com/infocus/1630

3. One Patch to Rule Them All
By Tim Mullen

A recent XP security hole begs the question, do we really want Microsoft
to release individual fixes for every bug?

http://online.securityfocus.com/columnists/112

4. SecurityFocus DPP Program

Attention Organizations and Universities!! Sign-up now for
preferred pricing on the only global early-warning system for cyber
attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

5. IIR's 3G Fraud & Security Forum (21-23 October, London)

A specialized conference designed specifically for Fraud and Security
Managers in the 3G and mobile commerce space. This year's agenda focuses
on technical strategies for detecting and minimizing the fraud risks in 3G
services: what will be the key vulnerabilities in 3G and how can you
manage the increased risks of content partner fraud, transaction-based
roaming and m-commerce fraud? We will also be devoting a whole day to 3G
network security - penetration testing, third party access risks, IDS,
with even a live hack demonstration of Internet fraud.

Key speakers include Radicchio, Orange, Optimus, Vodafone, Visa, BTexact,
CFCA, with a keynote from security guru Charles Brookson, Chair of the GSM
Association Security Group.

For more details please visit http://www.iir-conferences.com/3GFraud

6. InfoSec World Conference and Expo/2003

March 10-12, 2003, Orlando, FL
Optional Workshops March 8, 9, 12, 13, & 14
Vendor Expo March 10 & 11

Solutions to today's security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities…InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.h

II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. Zope Incorrect XML-RPC Request Information Disclosure Vulnerability
BugTraq ID: 5806
Remote: Yes
Date Published: Sep 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5806
Summary:

Zope is an open source web application server, maintained by the Zope
Project. Zope is available for Linux, Unix, and Microsoft Windows based
systems.

A vulnerability has been reported for Zope 2.5.1 and earlier. Reportedly,
Zope does not handle XML-RPC requests properly. Specially crafted XML-RPC
requests may cause Zope to respond to a request with an error page with
system specific details.

An attacker can exploit this vulnerability by making a special XML-RPC
request to the Zope server. Zope will fail when attempting to process this
request and will divulge sensitive information to the attacker.

It has also been reported that this vulnerability exists even when starting
Zope without the '-D' option.

This could result in information disclosure, and could potentially be used
to gain intelligence in launching an attack against a system.

2. Microsoft PPTP Server Buffer Overflow Vulnerability
BugTraq ID: 5807
Remote: Yes
Date Published: Sep 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5807
Summary:

A buffer overflow vulnerability has been reported for Microsoft's PPTP
(Point-to-Point Tunneling Protocol) implementation. The vulnerability
reportedly exists in both the PPTP server and client applications. The PPTP
service listens to traffic on TCP port 1723.

Reportedly it is possible to exploit the buffer overflow condition prior to
authentication. A remote attacker who sends a specially crafted PPTP packet
to a vulnerable system may be able to cause the application to corrupt
kernel memory.

It is also possible for an attacker to include malicious shell code and
have it execute with the privileges of the PPTP process.

This vulnerability has been reported for PPTP implementations in Microsoft
Windows 2000 and Windows XP operating systems.

3. BEA WebLogic Server and Express HTTP Response Information Disclosure Vulnerability
BugTraq ID: 5819
Remote: Yes
Date Published: Sep 27 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5819
Summary:

BEA Systems WebLogic Server is a web and wireless application server for
Microsoft Windows and most Unix and Linux distributions. BEA WebLogic
Express provides a platform for serving dynamic data to web and wireless
applications.

BEA WebLogic Server and Express are reported to be prone to an issue which
has the potential to disclose sensitive information to malicious parties.
The vulnerable software occasionally returns two responses for an HTTP
request. This condition has to do with how the affected software buffers
HTTP response data.

As a result, two users may receive responses from a single user's request,
which may unintentionally expose sensitive information to a malicious
party. The nature of the information disclosed is entirely dependent on
what resource was requested when the condition occurs.

It has been reported by the vendor that there is no way for an attacker to
trigger this vulnerability, and that the condition may occur randomly.

4. VBulletin Calendar.PHP Command Execution Vulnerability
BugTraq ID: 5820
Remote: Yes
Date Published: Sep 27 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5820
Summary:

vBulletin is commercial web forum software written in PHP and back-ended by
a MySQL database. It will run on most Linux and Unix variants, as well as
Microsoft operating systems.

A remote command execution vulnerability has been reported for vBulletin.
The vulnerability is due to vBulletin failing to properly sanitize
user-supplied input from URI parameters.

The vulnerability occurs in the 'calendar.php' file included with
vBulletin. Reportedly, modifying certain URI parameters may result in the
execution of attacker-supplied commands on the vulnerable system with the
privileges of the webserver process.

5. Jetty Servlet Engine Cross Site Scripting Vulnerability
BugTraq ID: 5821
Remote: Yes
Date Published: Sep 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5821
Summary:

Jetty is a freely available, open source Java Web Server and Servlet
Container. It is available for Linux, Unix, and Microsoft Windows
platforms.

A problem with Jetty may make it possible for users to launch cross-site
scripting attacks.

It has been reported that Jetty does not properly sanitize requests. This
could result in a user clicking a malicious link that would execute script
or HTML code in the security context of the site hosted by the Jetty
server. An attacker could exploit this vulnerability to gain
authentication cookies, or other sensitive information.

This vulnerability occurs when the script code is appended with two hex
linefeed (0a) characters in the requested URL. This vulnerability may
affect other versions of Jetty.

6. EmuMail Web Root Path Disclosure Vulnerability
BugTraq ID: 5823
Remote: Yes
Date Published: Sep 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5823
Summary:

EmuMail is an open source web mail application. It is available for the
Unix, Linux, and Microsoft Windows operating systems.

A problem with EmuMail could make it possible for an attacker to gain
sensitive information.

Under some conditions, EmuMail may reveal sensitive configuration
information. When unexpected characters are inserted into some fields in
web mail forms, the form generates an error. The error page returned may
contain the directory path of the web root on the EmuMail server.

7. EmuMail Email Form Script Injection Vulnerability
BugTraq ID: 5824
Remote: Yes
Date Published: Sep 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5824
Summary:

EmuMail is an open source web mail application. It is available for the
Unix, Linux, and Microsoft Windows operating systems.

A problem with EmuMail could make it possible for a user to execute
arbitrary script code.

It has been reported that EmuMail does not properly sanitize input. Under
some conditions, it is possible to pass an email containing script or html
code through the EmuMail web mail interface. This would result in
execution of the script code in the security context of the EmuMail site.

This could allow an attacker to potentially steal cookie information.

8. Bugzilla Group Creation With Elevated Privileges Vulnerability
BugTraq ID: 5843
Remote: Yes
Date Published: Oct 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5843
Summary:

Bugzilla is a freely available, open source bug tracking software package.
It is available for Linux, Unix, and Microsoft Operating Systems.

A vulnerability has been reported for Bugzilla. This vulnerability affects
sites that use the 'usebuggroups' feature of Bugzilla. This feature, when
enabled, allows sites to track bugs based on products and allows site
administrators to restrict access to bugs on a per-product basis. The
'editgroups.cgi' page will show a listing of all current groups.

The vulnerability is the result of incorrect arithmetic performed when a
site has 47 or more bug groups. When a new product is added to a site that
has 47 or more bug groups, the new group will be created with extra
privilege bits set. Any new users that are added to this group will
automatically gain the privileges of those other groups.

An attacker can exploit this vulnerability to obtain access to a privileged
group and perform actions pertaining to that group.

Site administrators may be able to find groups with extra privileges by
viewing the 'editgroups.cgi' page and looking for 'bit' values that end in
'0'. A large value such as, '4503599627370480', is indicative of an error
in large integer math. Administrators may be able to change the group bit
values and check permissions of users belonging to the offending groups.

This vulnerability affects Mozilla Bugzilla 2.14.3 and earlier and Bugzilla
2.16 and earlier.
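The administrator check described above (look for 'bit' values that are not a single bit, such as ones ending in '0'), worked through as an added example; this is not Bugzilla's code, and the table layout it parses is a constructed stand-in for the editgroups.cgi listing:

```python
"""Flag corrupted Bugzilla group bit values in a group listing.

Added example, not Bugzilla code. In Bugzilla 2.14/2.16 each bug group is
identified by one bit of a 64-bit groupset, so a healthy 'bit' value is an
exact power of two. A power of two never ends in a decimal 0 (2^n mod 10 is
always 1, 2, 4, 8 or 6), which is why the advisory's "ends in 0" tell works.
The advisory's bad value 4503599627370480 is 2^52 - 2^4, i.e. bits 4..51 all
set, so members of that group silently inherit every group whose bit overlaps.
The listing format below is constructed; the real editgroups.cgi layout may differ.
"""

# Constructed sample listing (name, bit). The last row copies the bad value
# quoted in the advisory; the others are well-formed single-bit groups.
SAMPLE_LISTING = """\
name                bit
tweakparams         1
editusers           2
creategroups        4
editcomponents      8
editkeywords        16
editbugs            32
canconfirm          64
product_secret      4503599627370480
"""


def parse_listing(text):
    """Return [(name, bit_value)] from a whitespace-separated listing, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        name, bit = line.split()
        rows.append((name, int(bit)))
    return rows


def is_single_bit(value):
    """True when exactly one bit is set, i.e. the value is a well-formed group bit."""
    return value > 0 and value & (value - 1) == 0


def ends_in_zero(value):
    """The cheap eyeball heuristic from the advisory: a decimal value ending in 0."""
    return str(value).endswith("0")


def find_corrupted_groups(rows):
    """Return {bad_group_name: [names of healthy groups whose bit it overlaps]}.

    The overlap list tells the administrator which privileges members of the
    corrupted group have actually been granted and therefore which user
    permissions need to be reviewed.
    """
    bad = {}
    for name, bit in rows:
        if is_single_bit(bit):
            continue
        overlaps = [other for other, obit in rows
                    if other != name and is_single_bit(obit) and bit & obit]
        bad[name] = overlaps
    return bad


if __name__ == "__main__":
    for group, leaked in find_corrupted_groups(parse_listing(SAMPLE_LISTING)).items():
        print(f"corrupted group {group!r} overlaps: {', '.join(leaked)}")
```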

9. BEA WebLogic Server and Express Inadvertent Security Removal Weakness
BugTraq ID: 5846
Remote: Yes
Date Published: Oct 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5846
Summary:

BEA Systems WebLogic Server is an enterprise level web and wireless
application server for Microsoft Windows and most Unix and Linux
distributions.

Under some circumstances, BEA WebLogic Server and Express are prone to a
weakness which may inadvertently cause security constraints to be removed.

This issue occurs when applications containing Servlets or EJBs are
deployed on multiple servers. When such an application is undeployed from
one server, the specified security constraints and role mappings for
Servlets or EJBs will be removed on all servers. The consequence of this
weakness is that all Servlets or EJBs will be left exposed.

Applications will be undeployed when a server shuts down or when the
application is untargeted from the server. This issue is present during
the time period in which such an application has been undeployed. The
application may be re-deployed when the server is restarted or when it is
targeted on another server.

10. Nullsoft Winamp 3 Skin File Buffer Overflow Vulnerability
BugTraq ID: 5832
Remote: Yes
Date Published: Sep 30 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5832
Summary:

Nullsoft Winamp is a skinnable media player for Microsoft Windows supporting
MP3 and other filetypes. Winamp 3 skin files use a .wal extension by
default.

The .wal file is an archive that contains images and configuration files
for the skin. When these files are downloaded through a web browser, they
are in turn automatically opened and applied to the Winamp player.

The .wal file typically contains a skin.xml file with configuration
information for the skin. This file contains <include file=""/> tags which
point to other XML configuration files for the skin. This information is
processed by wsabi.dll for Winamp.

By supplying an exceptionally long string for the path, it is possible to
overrun the buffer in wsabi.dll, causing memory to be corrupted with
attacker-supplied data. Execution of code is possible in the security
context of the user running the Winamp application.

11. Trolltech Qt Assistant Default Port Unauthorized Access Weakness
BugTraq ID: 5833
Remote: Yes
Date Published: Sep 30 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5833
Summary:

Qt is a C++ toolkit for application development. It is designed for use
with various platforms including Linux and Unix variants as well as
Microsoft Windows operating environments.

A weakness has been reported for the Qt Assistant. The Qt Assistant is a
browser for the Qt documentation and is typically used in conjunction with
Qt Designer. Reportedly, the Qt Assistant opens port 7358 for communication
with Qt Designer. This port, however, can be accessed remotely.

An attacker can exploit this weakness by connecting to a vulnerable system
on port 7358 and making requests for HTML pages. The requests will be
processed by the Qt Assistant and will be displayed on the screen of the
user that is currently using the Assistant.

Numerous simultaneous requests may prevent the Qt Assistant from responding
to legitimate requests in a timely manner.

12. Microsoft Internet Explorer Document Reference Zone Bypass Vulnerability
BugTraq ID: 5841
Remote: Yes
Date Published: Oct 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5841
Summary:

A vulnerability has been reported in Microsoft Internet Explorer that may
allow for remote attackers to execute script code in the context of other
domains/security Zones.

The cause appears to be a lack of access control checks when access to a
document object is attempted through a separate reference to it. A
malicious webmaster may exploit this vulnerability by creating a reference
to the method "document.location.assign" of the target child window. The
attacker may then have the child window open a website in a different
domain/Zone while retaining the ability to execute
"document.location.assign()" by reference. As the domain/Zone is different
in the child window, this should not be possible.

Exploitation of this vulnerability may allow for theft of cookie
information, website impersonation or disclosure of local files.

13. Bugzilla Bugzilla_Email_Append.pl Arbitrary Command Execution Vulnerability
BugTraq ID: 5844
Remote: Yes
Date Published: Oct 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5844
Summary:

Bugzilla is a freely available, open source bug tracking software package.
It is available for Linux, Unix, and Microsoft Operating Systems.

A problem with Bugzilla could make it possible to execute arbitrary
commands.

Under some circumstances, it may be possible to execute arbitrary commands
on a Bugzilla server. A user may be able to insert maliciously formatted
entries into the Bugzilla database that would be handled by the
bugzilla_email_append.pl script. A maliciously formatted entry passed to
this script could result in the execution of arbitrary commands.

This problem could allow a remote user to execute arbitrary code on a
Bugzilla server. This could lead to a remote attacker gaining access to
the system with the privileges of the web server process.

14. Bugzilla Account Creation SQL Injection Vulnerability
BugTraq ID: 5842
Remote: Yes
Date Published: Oct 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5842
Summary:

Bugzilla is a freely available, open source bug tracking software package.
It is available for Linux, Unix, and Microsoft Operating Systems.

Bugzilla is prone to SQL injection attacks. This issue is due to
insufficient sanitization of apostrophes (') from e-mail addresses during
account creation. Maliciously formatted SQL injected via the e-mail
address field will be included in a SQL query.

An attacker could exploit this condition to modify the logic of SQL
queries, potentially resulting in disclosure of sensitive information or
database corruption. SQL injection may also enable a remote attacker to
exploit other existing vulnerabilities in the underlying database
implementation.
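The defect described above, shown as the interpolating query beside its hardened form. This is an added example, not Bugzilla's Perl/MySQL code: it uses Python with an in-memory SQLite table and a constructed `profiles` schema, and the e-mail addresses are constructed test values.

```python
"""Account-creation SQL: string-interpolated (vulnerable) vs bound parameter (hardened).

Added example, not Bugzilla code. The table name and columns are assumptions.
The point of the advisory is that an apostrophe in the e-mail address is not
neutralised before the address is spliced into SQL text, so the apostrophe
closes the string literal and whatever follows is parsed as SQL. Binding the
value as a parameter removes that parsing step entirely, which also means a
legitimate address containing an apostrophe is stored intact rather than
rejected or mangled.
"""
import re
import sqlite3


def new_db():
    """Fresh in-memory database with a minimal, constructed profiles table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profiles (login_name TEXT PRIMARY KEY, groupset INTEGER DEFAULT 0)"
    )
    return conn


def create_account_unsafe(conn, email):
    """Pre-fix pattern: the address becomes part of the SQL text itself."""
    sql = f"INSERT INTO profiles (login_name) VALUES ('{email}')"
    conn.execute(sql)
    conn.commit()


def try_unsafe(email):
    """Run the interpolating version; return 'ok' or the database error text."""
    try:
        create_account_unsafe(new_db(), email)
        return "ok"
    except sqlite3.Error as exc:
        # An apostrophe in the address ends the literal early and the rest is
        # parsed as SQL; here that surfaces as a syntax error.
        return str(exc)


# Conservative allow-list for the address shape. The apostrophe is permitted in
# the local part (it is valid there), because the defence is binding, not stripping.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+'-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def create_account_safe(conn, email):
    """Hardened: validate the shape, then bind the value so it is data, never SQL."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected e-mail address")
    conn.execute("INSERT INTO profiles (login_name) VALUES (?)", (email,))
    conn.commit()


def account_exists(conn, email):
    """Parameterised lookup used to confirm what was actually stored."""
    row = conn.execute(
        "SELECT 1 FROM profiles WHERE login_name = ?", (email,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    addr = "o'brien@example.com"          # constructed, legitimate address
    print("interpolated query:", try_unsafe(addr))
    conn = new_db()
    create_account_safe(conn, addr)
    print("bound parameter stored address intact:", account_exists(conn, addr))
```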

15. SafeTP Passive Mode Internal IP Address Revealing Vulnerability
BugTraq ID: 5822
Remote: Yes
Date Published: Sep 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5822
Summary:

SafeTP is a freely available, open source secure FTP client-server software
package. It is available for Unix, Linux, and Microsoft Operating Systems.

A problem with SafeTP may result in the disclosure of sensitive
information.

It has been reported that under some circumstances, the SafeTP server may
reveal sensitive network information. When a passive session is initiated
in a specific manner, SafeTP may return the address of a system serving
files that is behind a NAT firewall.

This disclosure of information could give an attacker limited information
about network configuration behind a NAT firewall. It could be used to
launch further, directed attacks against network resources.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #106 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/293696

IV. MICROSOFT PRODUCTS
----------------------
1. Active Administrator
by SmallWonders Software
Platforms: Windows 2000, Windows XP
Relevant URL:
http://www.smallwonders.com/default.asp?c=activeadministrator/welcome
Summary:

Active Administrator allows administrators to manage Active Directory
Security and Group Policies more efficiently, reducing the total cost of
ownership for Windows® 2000.

2. SecureIIS Application Firewall
by eEye
Platforms: Windows 2000, Windows NT
Relevant URL:
http://www.eeye.com/html/Products/SecureIIS/index.html
Summary:

Developed by eEye Digital Security as the first-ever IIS application
firewall, SecureIIS operates within IIS to actively inspect all incoming
requests at each stage of data processing. In this way, SecureIIS prevents
potentially damaging network traffic, whether encrypted or unencrypted,
from penetrating your servers.

3. VigilEnt User Manager/Password Management
by PentaSafe
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.pentasafe.com/products/vum.htm
Summary:

VigilEnt User Manager provides users with access to multiple systems while
increasing enterprise security through the enforcement of stronger password
policy. Instead of having to go through the tedious process of logging into
each application to conduct password changes, VigilEnt User Manager's
password synchronization capabilities allow an end user to initiate a
password change across all their systems and applications with a single
action from the Web-based interface. Once a password has been validated,
the password change request is disseminated to all applicable user login
systems ensuring a synchronized enterprise-wide password. The password
change process is complete when users are notified of successful changes.

V. MICROSOFT TOOLS
-------------------
1. CIA Unerase Private v1.0
by Datapol GmbH
Relevant URL:
http://www.ciaunerase.com
Platforms: Windows 2000, Windows NT, Windows XP
Summary:

CIA Unerase is an easy-to-use unerase and data recovery tool for
WinNT/2000/XP. It unerases files even without having been installed before
the disaster happened. Using the unique "CIS technology" it is capable of
unerasing up to 20 more files than any other solution. It supports FAT as
well as NTFS and recovers files on physical, local logical, dynamic and
RAID disks. Encrypted files, compressed files and files using streams are
also supported. More than 95% of all deleted files are restored completely
by CIA Unerase even if their status is "poor". The PRIVATE Edition works on
all Workstation versions of Windows NT, Windows 2000 and Windows XP. A
German version is offered on our German website http://www.datapol.de

2. MOVEit Freely v2.1.0.0
by Standard Networks
Relevant URL:
http://www.stdnet.com/moveitfreely
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:

MOVEit Freely is a secure, "drop-in" replacement for ftp.exe, the
non-secure command line FTP client in Windows XP, 2000, ME, 98, 95, and NT
4.0 systems.

Unlike Microsoft's FTP client, MOVEit Freely can safely exchange files with
secure FTP servers using 128-bit key SSL (Secure Socket Layer) encryption,
the highest level of protection currently available for Internet
communications.

3. Inzider 1.2
by Arne Vidstrom
Relevant URL:
http://ntsecurity.nu/toolbox/inzider/
Platforms: Windows 95/98, Windows NT
Summary:

This is a very useful tool that lists the current processes in your Windows
system and which ports they listen on. It is written to work on Windows NT
and Windows 9x. There have been some stability problems on Windows 9x, but
they seem to have been solved now. On Windows NT, inzider is unable to
check processes that are started as services.

VI. SPONSORSHIP INFORMATION
---------------------------