SecurityFocus Microsoft Newsletter #108

From: Marc Fossi (mfossi@securityfocus.com)
Date: 10/15/02


Date: Tue, 15 Oct 2002 11:54:28 -0600 (MDT)
From: Marc Fossi <mfossi@securityfocus.com>
To: Focus-MS <focus-ms@securityfocus.com>

SecurityFocus Microsoft Newsletter #108
---------------------------------------

This Issue is Sponsored By: SpiDynamics

ALERT! - Cross-site scripting vulnerabilities in web applications allow
hackers to compromise confidential information, manipulate or steal
cookies, and create requests that can be mistaken for those of a valid
user!! All via port 80 and 443! Download this *FREE* white paper from SPI
Dynamics for a complete guide to protection!

Please visit us at:
http://www.spidynamics.com/mktg/xss1/

-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Footprints in the Sand, Part One
     2. Assessing Internet Security Risk, Part Five: Custom Web Applications
     3. Shutting Down Spyware Loopholes
     4. SecurityFocus DPP Program
     5. InfoSec World Conference and Expo/2003
II. MICROSOFT VULNERABILITY SUMMARY
     1. ArGoSoft Mail Server Pro E-Mail HTML Injection Vulnerability
     2. Microsoft IIS Malformed HTTP HOST Header Field Denial Of...
     3. Microsoft Content Management Server 2001 Cross-Site Scripting...
     4. Microsoft Windows 2000 NetDDE Privilege Escalation Vulnerability
     5. Microsoft Windows Help Facilities Vulnerabilities...
     6. Microsoft Windows Help Facility ActiveX Control Buffer Overflow...
     7. Multiple Microsoft Services for Unix 3.0 Interix SDK...
     8. Microsoft Malformed RPC Packet Buffer Overflow Vulnerability
     9. Microsoft Invalid RPC Request Denial Of Service Vulnerability
     10. Xerox DocuShare Weak Default Configuration Vulnerability
     11. phpMyNewsLetter Remote File Include Vulnerability
     12. BearShare File Disclosure Variant Vulnerability
     13. Cooolsoft PowerFTP Server Remote Denial Of Service Vulnerability
     14. Microsoft IIS IDC Extension Cross Site Scripting Vulnerability
     15. Oracle 9i Application Server Web Cache Administration Tool...
     16. Zope Failed Login Information Disclosure Vulnerability
     17. Symantec VelociRaptor Denial of Service Vulnerability
     18. Multiple Vendor ZIP Files Long Filename Buffer Overflow...
     19. Microsoft Compressed Folders Hostile Decompression Path...
     20. Xerox DocuShare Information Leakage Vulnerability
     21. Apache Web Server Scoreboard Memory Segment Overwriting...
     22. Apache AB.C Web Benchmarking Buffer Overflow Vulnerabilities
     23. PHPBB2 Avatar Images Information Disclosure Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
     1. Can I delete Wscript.exe? (Thread)
     2. Security issues, purchasing a new, pre-loaded, Windows XP...
     3. Security issues, purchasing a new, pre-loaded, Windows XP com...
     4. SecurityFocus Microsoft Newsletter #107 (Thread)
     5. Summary (was Security issues ... pre-loaded, Windows XP...
     6. FW: Can I delete Wscript.exe? (Thread)
     7. AW: Can I delete Wscript.exe? (Thread)
     8. Security issues, purchasing a new, pre-loaded, Windows XP...
IV. MICROSOFT PRODUCTS
     1. Odyssey
     2. CryptoGram Secure Login
     3. Preventon Veto
V. MICROSOFT TOOLS
     1. K9 v1.0
     2. 007 SafetyNet 1.0
     3. Form Scalpel
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------
1. Footprints in the Sand, Part One - Fingerprinting Exploits in System
   and Application Log Files
By Eric Hines, Alan Neville and Joseph Kelly

Forensic analysts must be able to understand and recognize footprints that
exploits leave on system logfiles. Identifying these signatures is the
key to understanding what took place. This article will focus on the
identification of the footprints that exploits leave on system logfiles
and what they mean, as well as some of the most common traces that some
recent exploits leave.

http://online.securityfocus.com/infocus/1633

2. Assessing Internet Security Risk, Part Five: Custom Web Applications
   Continued
by Charl van der Walt

This article is the fifth and final in a series that is designed to help
readers to assess the risk that their Internet-connected systems are
exposed to. In the first installment, we established the reasons for doing
a technical risk assessment. In the second article, we started to discuss
the methodology that we follow in performing this kind of assessment. The
third part discussed methodology in more detail, focussing on visibility
and vulnerability scanning. The fourth installment discussed a relatively
unexplored aspect of Internet security, custom Web applications. This
article will conclude the discussion of security risks of Web
applications.

http://online.securityfocus.com/infocus/1632

3. Shutting Down Spyware Loopholes
By Mark Rasch

I have this terrible recurring nightmare. One night, there is a knock on
the door, and Bill Gates and Steve Ballmer are there. When I ask why, they
reply, "We are here for your kidney. Don't you remember the contract you
clicked on when you downloaded the beta version of Internet Explorer?
Don't you read those things?"

http://online.securityfocus.com/columnists/113

4. SecurityFocus DPP Program

Attention Organizations and Universities!! Sign-up now for
preferred pricing on the only global early-warning system for cyber
attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

5. IIR's 3G Fraud & Security Forum (21-23 October, London)

A specialized conference designed specifically for Fraud and Security
Managers in the 3G and mobile commerce space. This year's agenda focuses
on technical strategies for detecting and minimizing the fraud risks in 3G
services: what will be the key vulnerabilities in 3G and how can you
manage the increased risks of content partner fraud, transaction-based
roaming and m-commerce fraud? We will also be devoting a whole day to 3G
network security - penetration testing, third party access risks, IDS,
with even a live hack demonstration of Internet fraud.

Key speakers include Radicchio, Orange, Optimus, Vodafone, Visa, BTexact,
CFCA, with a keynote from security guru Charles Brookson, Chair of the GSM
Association Security Group.

For more details please visit http://www.iir-conferences.com/3GFraud

II. MICROSOFT VULNERABILITY SUMMARY
-------------------
1. ArGoSoft Mail Server Pro E-Mail HTML Injection Vulnerability
BugTraq ID: 5906
Remote: Yes
Date Published: Oct 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5906
Summary:

ArGoSoft Mail Server is an SMTP, POP3 and Finger server for Microsoft
Windows environments. ArGoSoft has a built-in webserver to enable remote
access to mail.

The ArGoSoft Mail Server Pro web mail system does not sufficiently
sanitize HTML from e-mail messages. It is possible for a remote attacker
to inject arbitrary HTML and script code into e-mail messages, which will
be rendered in the user's web client when the malicious message is viewed.
The attacker-supplied code will execute in the context of the site hosting
the web mail system.

A remote attacker could potentially exploit this condition to steal
cookie-based authentication credentials from a legitimate user of the web
mail system. Additionally, it has been reported that user credentials are
stored in plaintext in cookies. An attacker could use these credentials
to gain unauthorized access to web mail accounts.

2. Microsoft IIS Malformed HTTP HOST Header Field Denial Of Service Vulnerability
BugTraq ID: 5907
Remote: Yes
Date Published: Oct 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5907
Summary:

Microsoft Internet Information Server (IIS) is reported to be prone to a
remotely exploitable denial of service.

This condition occurs upon receipt of a malformed HOST field in an HTTP
request for 'shtml.dll'. It is possible to reproduce this condition by
sending an HTTP POST request with a HOST header field that is composed of
an excessive number of slashes (/). It is reported that the server will
not respond to the request in a timely manner. Further disruption of
service may also occur.

The problem likely exists in 'shtml.dll' and may be reproducible via other
types of malformed requests.

Further details are not known at this time. This entry will be updated if
further details become available.

3. Microsoft Content Management Server 2001 Cross-Site Scripting Vulnerability
BugTraq ID: 5922
Remote: Yes
Date Published: Oct 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5922
Summary:

Microsoft Content Management Server (MCMS) 2001 is a .NET Enterprise
Server product for development and management of e-business websites.

Microsoft Content Management Server 2001 is reported to be prone to
cross-site scripting attacks.

An attacker could construct a malicious link to a vulnerable host that
contains arbitrary HTML and script code. If this link is visited by a web
user, the attacker-supplied code will be rendered in their browser, in the
security context of the vulnerable site.

This issue is present in the 'ManualLogin.asp' script. An attacker could
inject malicious script code via the 'REASONTXT' URI parameter of the
script.

This vulnerability can be exploited to steal cookie-based credentials from
authenticated users. Other attacks are also possible.

4. Microsoft Windows 2000 NetDDE Privilege Escalation Vulnerability
BugTraq ID: 5927
Remote: No
Date Published: Oct 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5927
Summary:

This vulnerability is a variant of the Microsoft Windows Window Message
Subsystem Design Error Vulnerability (BID 5408).

The Winlogon process creates a hidden window on a logged in user's desktop
called the Network Dynamic Data Exchange (NetDDE) Agent. This allows data
exchange between applications running on different computers on a network.
Since it is created by the Winlogon process, it runs with Local System
privileges.

It is possible to leverage the Window Message Subsystem Vulnerability
against the NetDDE Agent using a WM_COPYDATA message. Typically, when a
WM_COPYDATA message is sent, the SendMessage function will allocate a
block of memory and copy the data from the caller's address space to this
block. The message is then sent to the destination window.
The COPYDATASTRUCT is then copied into the address space of the receiving
application and a pointer to this structure is given to the application.
By default, this data is valid only during the processing of
this message. If the data must be accessed by the receiving application
after SendMessage returns, the data must be copied into a buffer in the
local application.

In the case of NetDDE, the received data is not copied into memory, but
directly into the application stack. When the function that processes the
received data returns, the data remains on the stack. If shell code is
pushed onto the NetDDE stack utilizing WM_COPYDATA, a call to that area of
the stack through a WM_TIMER message containing the address of the
returned pointer will cause the code to be executed immediately with the
privilege level of NetDDE.

5. Microsoft Windows Help Facilities Vulnerabilities
BugTraq ID: 5872
Remote: Yes
Date Published: Oct 03 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5872
Summary:

Microsoft has reported two vulnerabilities in its Windows Help Facilities.

The first vulnerability is in a function exposed in an ActiveX control.
Attackers may invoke and exploit the control through a malicious webpage
or HTML email. The vulnerability is a buffer overflow condition and may
be leveraged by attackers to execute arbitrary code on victim systems.
Any code executed would run in the security context of Explorer.

The second vulnerability involves Compiled Help Files (chm) and may allow
for attackers to execute commands on the victim host. The Help Facilities
component will execute potentially malicious .chm files in the Temporary
Internet Files folder. This behaviour has been corrected in a patch
developed by Microsoft.

**Note: This database entry is temporary. New vulnerabilities are to be
given unique Bugtraq IDs and alerts will be published for each individual
issue. This BID will be retired when analysis is complete.

6. Microsoft Windows Help Facility ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 5874
Remote: Yes
Date Published: Oct 03 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5874
Summary:

The Microsoft Windows Help Center is mainly implemented through a single
ActiveX control.

The ActiveX control is invoked through a showHelp method which takes a URI
as an argument. This method contains an unchecked buffer, the size of
which varies between different Windows versions. This vulnerability could
be leveraged by an attacker to execute arbitrary code in the security
context of the current user.

It is important to note that this ActiveX control may be invoked by
viewing a web page or HTML email.

This vulnerability was reported in BugTraq ID 5872, Microsoft Windows Help
Facilities Vulnerabilities.

7. Multiple Microsoft Services for Unix 3.0 Interix SDK Vulnerabilities
BugTraq ID: 5869
Remote: Yes
Date Published: Oct 03 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5869
Summary:

Microsoft Services for Unix (SFU) 3.0 Interix SDK is a development
environment used to port Unix applications to the Microsoft Windows
Platform. Three vulnerabilities have been reported to affect applications
built with SFU 3.0 Interix SDK. The issues are related to the Interix
implementation of SunRPC.

The first vulnerability is an integer overflow in the function that
allocates memory for an External Data Representation (XDR) array. This
vulnerability may be exploited to cause a denial of service or possibly
execute arbitrary code. This vulnerability is BID 5356.

The second vulnerability is a denial of service. It is possible for RPC
clients to transmit data in fragments of variable size. By sending
malformed fragments, it is possible to leave the target server in an
unresponsive state. This may be because the server is waiting for a final
fragment which the attacker intentionally does not send. When the target
server is hung, it will not respond to other clients.

The third vulnerability is also related to handling of client-supplied
packet fragments. According to Microsoft, the SunRPC implementation does
not correctly check the size of received packets. By transmitting
malformed data to a target server, an attacker may create a denial of
service condition.

It should be noted that only applications developed using the Interix SDK
are vulnerable.

**Note: This database entry is temporary. New vulnerabilities are to be
given unique Bugtraq IDs and alerts will be published for each individual
issue. This BID will be retired when analysis is complete.

8. Microsoft Malformed RPC Packet Buffer Overflow Vulnerability
BugTraq ID: 5879
Remote: Yes
Date Published: Oct 03 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5879
Summary:

Microsoft Services for Unix (SFU) 3.0 Interix SDK is a development
environment used to port Unix applications to the Microsoft Windows
Platform. A vulnerability has been reported to affect applications built
with SFU 3.0 Interix SDK. The issue is related to the Interix
implementation of SunRPC.

This vulnerability is the result of RPC clients transmitting data in
variable sized fragments. When RPC servers receive malformed fragments, a
buffer overflow condition is triggered that prevents the RPC server from
responding to further requests.

As this vulnerability is due to a buffer overflow condition, it may be
possible to cause the RPC server to execute malicious attacker-supplied
code. This, however, has not been confirmed.

It should be noted that only applications developed using the Interix SDK
are vulnerable to this issue.

This vulnerability was first described in BugTraq ID 5869, Multiple
Microsoft Services for Unix 3.0 Interix SDK Vulnerabilities.

9. Microsoft Invalid RPC Request Denial Of Service Vulnerability
BugTraq ID: 5880
Remote: Yes
Date Published: Oct 03 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5880
Summary:

Microsoft Services for Unix (SFU) 3.0 Interix SDK is a development
environment used to port Unix applications to the Microsoft Windows
Platform. A vulnerability has been reported to affect applications built
with SFU 3.0 Interix SDK. The issue is related to the Interix
implementation of SunRPC.

This vulnerability is the result of RPC applications improperly checking
the size of TCP requests. RPC clients that use the Sun RPC library are
expected to have TCP requests that specify the size of the record that
follows. Due to a flaw in the way the RPC server handles client packets,
it is possible for an attacker to send a malformed request to the RPC
server.

When RPC servers receive malformed TCP requests, it results in the server
failing to respond to further requests for service.

It should be noted that only applications developed using the Interix SDK
are vulnerable to this issue.

This vulnerability was first described in BugTraq ID 5869, Multiple
Microsoft Services for Unix 3.0 Interix SDK Vulnerabilities.

10. Xerox DocuShare Weak Default Configuration Vulnerability
BugTraq ID: 5883
Remote: Yes
Date Published: Oct 03 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5883
Summary:

Xerox DocuShare is a document management application, which enables remote
users to manage, retrieve, and distribute information. It is available for
multiple platforms including Unix and Microsoft operating systems.

A vulnerability has been discovered in Xerox DocuShare v2.2.

Reportedly anonymous users can create an account or group and upload files
by default. By exploiting this issue a remote attacker could create an
account, and upload arbitrary files, possibly resulting in further
compromise of the vulnerable system or the disclosure of sensitive user
information.

It should be noted that it is not yet known whether later versions of the
software are vulnerable to this issue.

11. phpMyNewsLetter Remote File Include Vulnerability
BugTraq ID: 5886
Remote: Yes
Date Published: Oct 03 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5886
Summary:

phpMyNewsletter is a publicly available newsletter management script
written in PHP. It is available for multiple platforms including Microsoft
Windows and Linux.

A vulnerability has been discovered in phpMyNewsLetter.

Reportedly, it is possible to pass an attacker-specified file include
location to a CGI parameter of the 'customize.php' script.

Exploitation of this issue may allow an attacker to execute arbitrary
commands with the privileges of the webserver by including a malicious PHP
script from an attacker-supplied host.

Additionally, an attacker may exploit this problem to view local webserver
readable files.

12. BearShare File Disclosure Variant Vulnerability
BugTraq ID: 5888
Remote: Yes
Date Published: Oct 04 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5888
Summary:

BearShare is a file-sharing utility for Microsoft Windows operating
systems.

BearShare can be run in Website mode, which allows users to host files via
a webserver which is bundled in the product.

The BearShare webserver is prone to directory traversal attacks. This may
allow remote attackers to break out of the web root directory and browse
the filesystem of the host running the software. An attacker may
accomplish this by sending a malicious web request that uses URL-encoded
values, such as:

http://target:6346/%5c..%5c..%5c..%5cwindows%5cwin.ini

This issue is a variant of the vulnerability described in Bugtraq ID 2672.
The variant issue was unsuccessfully addressed in version 4.0.6. It is
still possible to disclose files with a URL encoded request to the
webserver. The following variant of the attack will still work on
BearShare 4.0.6:

http://target:6346/%5c..%5c..%5c..%5cwindows%5cwin%2eini
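The two requests above show why a filter applied to the raw, still-encoded URL is brittle: re-encoding a single character ('.' as '%2e') slips past it. The following added example (not BearShare's code) uses those two paths as constructed inputs, contrasts a hypothetical filename deny list matched against the raw URL with a canonicalise-then-check approach, and shows that decoding and normalising before enforcing web-root containment catches both variants.

```python
"""Canonicalisation versus raw-string filtering for a small web server.

Added example for illustration, not BearShare's code. SENSITIVE_NAMES and
raw_denylist_check() are a hypothetical stand-in for a fix that matches on
the encoded request text; resolve_within_root() is the hardened approach.
"""
from urllib.parse import unquote

# Constructed from the two request paths quoted in the advisory text.
REQUEST_BLOCKED_BY_FIX = "/%5c..%5c..%5c..%5cwindows%5cwin.ini"
REQUEST_BYPASSING_FIX = "/%5c..%5c..%5c..%5cwindows%5cwin%2eini"

SENSITIVE_NAMES = ("win.ini", "boot.ini")  # hypothetical deny list
MAX_DECODE_ROUNDS = 3  # bound repeated decoding so %2525... cannot loop


def raw_denylist_check(raw_path: str) -> bool:
    """Hypothetical pre-decode filter: reject a request whose raw URL
    mentions a sensitive filename. Returns True when the request is
    allowed through. Encoding one character of the name defeats it."""
    lowered = raw_path.lower()
    return not any(name in lowered for name in SENSITIVE_NAMES)


def fully_decode(raw_path: str) -> str:
    """Percent-decode until the string stops changing, with a cap so that
    nested encodings cannot turn this into an unbounded loop."""
    current = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def resolve_within_root(raw_path: str):
    """Decode, fold backslashes to '/', then walk the segments with a
    stack. Returns the canonical path under the web root, or None when a
    '..' segment would climb above the root. Because decoding happens
    BEFORE the check, %5c, %2e and mixed-case variants all collapse to the
    same canonical form and cannot be used to hide the traversal."""
    decoded = fully_decode(raw_path).replace("\\", "/")
    stack = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue  # empty (from '//') and current-dir segments are no-ops
        if segment == "..":
            if not stack:
                return None  # escape attempt: more '..' than directory depth
            stack.pop()
        else:
            stack.append(segment)
    return "/" + "/".join(stack)


if __name__ == "__main__":
    for req in (REQUEST_BLOCKED_BY_FIX, REQUEST_BYPASSING_FIX):
        print(req)
        print("  raw deny list allows it:", raw_denylist_check(req))
        print("  canonical path under root:", resolve_within_root(req))
```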

13. Cooolsoft PowerFTP Server Remote Denial Of Service Vulnerability
BugTraq ID: 5899
Remote: Yes
Date Published: Oct 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5899
Summary:

PowerFTP server is a shareware ftp server available for the Microsoft
Windows platform. It is distributed and maintained by Cooolsoft.

A problem with PowerFTP server could make it possible for remote users to
deny service to legitimate users of the server.

It has been reported that PowerFTP server does not properly handle long
user names. When a user name of 3000 or more characters is entered, the
server becomes unstable. Exploitation of this vulnerability typically
results in a crash of the server, requiring a manual restart to resume FTP
service.

It is possible that this vulnerability is an exploitable buffer overflow.
If this overflow does prove to be exploitable, a user could execute
arbitrary code with the privileges of the PowerFTP server. This service
would typically run with SYSTEM privileges.

14. Microsoft IIS IDC Extension Cross Site Scripting Vulnerability
BugTraq ID: 5900
Remote: Yes
Date Published: Oct 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5900
Summary:

A vulnerability in Microsoft Internet Information Server (IIS) may make
cross-site scripting attacks possible.

A problem has been reported in the Microsoft IIS Internet Database
Connector (.idc) file handling. The .idc files are a component of the
Microsoft FrontPage infrastructure. They are used to facilitate
communication with Microsoft databases and supply information to the web
server.

When IIS receives a request for an .idc file, the server typically returns
a 404 message when the page does not exist. However, when a request
containing a long URL and ending in the .idc extension is received by IIS,
the entire contents of the URL are returned on the error page without the
sanitizing of input. This could result in the execution of arbitrary
script code.

This vulnerability could allow an attacker to execute script code in the
security context of a vulnerable site. This vulnerability requires that
a URL of 334 bytes followed by script code in the URL be entered to be
exploited. It is not known if this vulnerability affects previous versions
of IIS.

15. Oracle 9i Application Server Web Cache Administration Tool Denial Of Service Vulnerability
BugTraq ID: 5902
Remote: Yes
Date Published: Oct 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5902
Summary:

Oracle 9i Application Server (9iAS) allows remote administration via a web
access module. This vulnerability affects Oracle 9iAS running on
Microsoft Windows.

It has been reported that an issue in the Web Administration module
included with 9iAS could lead to a denial of service.

When a custom request is sent to the Web Administration module, the module
may react unpredictably. By sending a malicious custom request to the
module, it is possible to cause the administration server to crash. A
manual restart of the server is required to resume service.

It should be noted that this issue only affects the web administration
module. The web administration module runs on its own dedicated port.

16. Zope Failed Login Information Disclosure Vulnerability
BugTraq ID: 5903
Remote: Yes
Date Published: Oct 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5903
Summary:

Zope is an open source web application server, maintained by the Zope
Project. Zope is available for Linux, Unix, and Microsoft Windows based
systems.

Reportedly, Zope will disclose path information if a user hits 'Cancel'
after a failed login attempt to the management interface. This
information is leaked in a stack trace that is output after the error.

If an attacker can gain information about the details of the filesystem,
this information may be useful in further attacks against the host.

17. Symantec VelociRaptor Denial of Service Vulnerability
BugTraq ID: 5909
Remote: Yes
Date Published: Oct 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5909
Summary:

VelociRaptor Firewall is an enterprise level firewall originally developed
by Axent Technologies and is maintained and distributed by Symantec. It is
available for Microsoft Windows and Unix operating systems.

Symantec has reported that VelociRaptor firewalls are vulnerable to a
memory leak bug that could potentially result in a denial of service
attack. Other security issues, also corrected by the fix, may exist as
well.

Precise technical details regarding this bug are still unknown. Updates
will occur as more information regarding this issue becomes available.

18. Multiple Vendor ZIP Files Long Filename Buffer Overflow Vulnerability
BugTraq ID: 5873
Remote: No
Date Published: Oct 03 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5873
Summary:

A vulnerability has been reported that affects many libraries and
applications that decompress ZIP files.

Reportedly, some clients behave unpredictably upon processing ZIP files
that contain files with overly long names. The vulnerability has different
effects depending on the decompressing utility.

Exploitation of this vulnerability requires user interaction, as the
victim of the attack must still decompress a malicious zipped file using
one of the vulnerable clients.

The effects of this vulnerability typically result in the client crashing
and, in some situations, there exists a possibility for code execution.

This vulnerability was reported in BugTraq ID 5870, Microsoft Windows
98/ME/XP File Decompression Vulnerabilities.

19. Microsoft Compressed Folders Hostile Decompression Path Vulnerability
BugTraq ID: 5876
Remote: Yes
Date Published: Oct 03 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5876
Summary:

Microsoft Windows 98 with Plus! Pack, Windows ME, and Windows XP are prone
to a vulnerability related to the Compressed Folders feature.

The Compressed Folders feature allows zipped archives to be treated as
folders. The vulnerability is the result of a flaw in the decompression
routine. An attacker who exploits this vulnerability may be able to
specify a hostile path for files when a zipped archive is decompressed.

An attacker can exploit this vulnerability to decompress files to a
directory that is neither the user-specified directory nor a child of the
user-specified directory. This will allow an attacker to decompress files
and store the files in an attacker-specified directory on the filesystem.

Exploitation of this issue requires user interaction, as the victim of the
attack must still decompress a malicious zipped file.

Compressed Folders are not enabled by default on Windows 98/ME, but are
enabled on Windows XP.

This vulnerability was first reported in BugTraq ID 5870, Microsoft
Windows 98/ME/XP File Decompression Vulnerabilities.

20. Xerox DocuShare Information Leakage Vulnerability
BugTraq ID: 5881
Remote: Yes
Date Published: Oct 03 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5881
Summary:

Xerox DocuShare is a document management application, which enables remote
users to manage, retrieve, and distribute information. It is available for
multiple platforms including Unix and Microsoft operating systems.

A vulnerability has been discovered in Xerox DocuShare v2.2.

Reportedly it is possible for an attacker to obtain server information
through the Upload Helper Utility, including sensitive network information
such as internal ip addressing. It is possible to access this information
as an anonymous user.

Exploitation of this issue could allow a remote attacker to gain sensitive
information required to launch further attacks against a target network.

It should be noted that it is not yet known whether later versions of the
software are vulnerable to this issue.

21. Apache Web Server Scoreboard Memory Segment Overwriting SIGUSR1 Sending Vulnerability
BugTraq ID: 5884
Remote: No
Date Published: Oct 03 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5884
Summary:

Apache is a freely available webserver for Unix and Linux variants, as
well as Microsoft operating systems.

A problem with Apache may make it possible for a local user to deny
service to legitimate users of a server.

A vulnerability in the handling of the Apache scoreboard has been reported.
A user with the privileges of the Apache user could attach to an httpd
process, and overwrite the parent[].pid and parent[].last_rtime shared
memory segments. By overwriting these, a signal may be sent to an
arbitrary process with administrative privileges.

It should be noted that the signal sent is a SIGUSR1. This is a
user-defined signal that is handled as specified in an application. Some
applications default to SIGTERM when this signal is caught.

22. Apache AB.C Web Benchmarking Buffer Overflow Vulnerabilities
BugTraq ID: 5887
Remote: Yes
Date Published: Oct 03 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5887
Summary:

Apache is a freely available webserver for Unix and Linux variants, as
well as Microsoft operating systems.

Potentially exploitable buffer overflows have been reported in the ab.c
web benchmarking support utility provided with Apache webserver.

It may be possible for a malicious webserver to exploit one of these
overflows when the benchmarking utility is run against it. Data sent by a
malicious server during the benchmarking process could cause memory to be
corrupted with attacker-supplied values.

A malicious server could exploit this condition to execute code with the
privileges of the user running the utility.

23. PHPBB2 Avatar Images Information Disclosure Vulnerability
BugTraq ID: 5923
Remote: Yes
Date Published: Oct 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5923
Summary:

phpBB2 is an open-source web forum application that is written in PHP and
backended by a number of database products. It will run on most Unix and
Linux variants, as well as Microsoft Windows operating systems.

It has been reported that phpBB2 reveals a user's IP address. This
vulnerability is due to phpBB2's file naming scheme for avatar files.
Avatar files are typically GIF images files uploaded by users that wish to
personalize their posts.

When a user elects to upload an avatar file to a system using phpBB2, the
system will save the file with a random name. This random name consists of
the user's IP address, encoded in hexadecimal values, followed by other
characters.

A malicious attacker can exploit this vulnerability to find out IP
addresses of the users of the system hosting phpBB2. This information may
be used by attackers to launch attacks against users of the system hosting
phpBB2 forums.

This vulnerability was reported for phpBB2 2.0.0 to 2.0.3. Other versions
may also be affected.

24. Microsoft Windows XP System Restore Folder Permissions Weakness
BugTraq ID: 5894
Remote: No
Date Published: Oct 04 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5894
Summary:

Microsoft Windows XP contains a feature called System Restore that allows
a user to roll the system back to a certain point in case of problems
arising from installation of software or hardware drivers. This feature
stores information in a folder called 'System Volume Information'. This
folder in turn contains subfolders for each restore point, including
registry information that is normally not accessible by an unprivileged
user.

The 'System Volume Information' folder is only accessible by users with
administrative permissions. However, the subfolders within do not carry
any access controls and can be accessed by unprivileged users.

An unprivileged user can obtain the path to these subfolders with a
registry query such as:

  > reg query "HKLM\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup" /v "System Restore"

Once the user obtains this information, they can browse directly to that
directory, bypassing the access controls on the parent folder. The
unprivileged user will then have full access to all files and folders
contained within that folder.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Can I delete Wscript.exe? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/294385

2. Security issues, purchasing a new, pre-loaded, Windows XP computer (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/294415

3. Security issues, purchasing a new, pre-loaded, Windows XP computer (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/294386

4. SecurityFocus Microsoft Newsletter #107 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/294239

5. Summary (was Security issues ... pre-loaded, Windows XP computer) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/294260

6. FW: Can I delete Wscript.exe? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/294262

7. AW: Can I delete Wscript.exe? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/294296

8. Security issues, purchasing a new, pre-loaded, Windows XP computer (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/294293

IV. MICROSOFT PRODUCTS
----------------------
1. Odyssey
by Funk Software
Platforms: Windows 2000, Windows 95/98, Windows XP
Relevant URL:
http://www.funk.com/radius/wlan/wlan_radius.asp
Summary:

Odyssey is a complete wireless LAN security solution based on the IEEE
security standard 802.1x. Odyssey not only permits users to securely
access wireless LANs (WLANs), but also can be easily and widely deployed
and managed across an enterprise network. Odyssey includes client and
server software. It secures the authentication and connection of WLAN
users, ensuring that only authorized users can connect, that connection
credentials will not be compromised, and that data privacy will be
maintained.

2. CryptoGram Secure Login
by CryptoGram SA
Platforms: Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.cryptogram-fr.com/english/securelogin.htm
Summary:

As computer crime rises (computer theft, fraud, piracy, etc.) secure
access to information has become a key factor in the architecture of
computer systems. To combat these threats, only a hardware based
authentication solution can fully protect access to your computers. With
CryptoGram Secure Login, users must possess a token and provide
information to be authenticated. Using the latest cryptographic and
biometric technologies, the CryptoGram Secure Login solution protects
access to your Windows NT 4.0, Windows 2000 and Windows XP computers and
keeps all unauthorized users out.

3. Preventon Veto
by Prevention Technologies LTD.
Platforms: Windows 2000, Windows 95/98, Windows XP
Relevant URL:
http://www.preventon.com/veto/
Summary:

With its user-friendly interface you can control exactly what Windows®
programs may be run on your computer - and more importantly - those that
can't! Preventon Veto can be used to prevent unauthorised software by
providing a complete 'lockdown' of your machine, and can even help fight
against Trojans and viruses.

V. MICROSOFT TOOLS
-------------------
1. K9 v1.0
by ROBOTA
Relevant URL:
http://www.robota.net/proyectos.asp?id=172
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:

K9 is a Windows tool for passive OS detection. It uses WinPCAP to capture
network traffic and a user friendly interface to handle results,
fingerprint database, etc.

2. 007 SafetyNet 1.0
by WebGrip, Inc
Relevant URL:
http://www.sitecensor.com/
Platforms: Windows NT
Summary:

SafetyNet was designed for parents, educators, and employers who need to
ensure that their computers and networks are not compromised, either
intentionally or not, by exposure to web sites, pictures, or software that
they find objectionable.

3. Form Scalpel
by curryman
Relevant URL:
http://ugc.org.uk/~curryman
Platforms: Windows 2000, Windows 95/98, Windows NT
Summary:

"Form Scalpel" is designed to aid security professionals in assessing the
resilience of a web site's forms to various forms of attack. Supports
HTTP/HTTPS, proxy servers, cookies, Java/JavaScript/VBScript/XML pages and
forms, with a GUI interface. Detailed analysis of certificates and real-time
manipulation of HTML data.

VI. SPONSORSHIP INFORMATION
---------------------------
This Issue is Sponsored By: SpiDynamics

ALERT! - Cross-site scripting vulnerabilities in web applications allow
hackers to compromise confidential information, manipulate or steal
cookies, and create requests that can be mistaken for those of a valid
user!! All via port 80 and 443! Download this *FREE* white paper from SPI
Dynamics for a complete guide to protection!

Please visit us at:
http://www.spidynamics.com/mktg/xss1/

-------------------------------------------------------------------------------
