SecurityFocus Microsoft Newsletter #120

From: Marc Fossi (mfossi@securityfocus.com)
Date: 01/15/03

    Date: Wed, 15 Jan 2003 13:07:14 -0700 (MST)
    From: Marc Fossi <mfossi@securityfocus.com>
    To: Focus-MS <focus-ms@securityfocus.com>
    
    

    SecurityFocus Microsoft Newsletter #120
    ---------------------------------------

    This issue is sponsored by: Qualys

    Strengthening Network Security: FREE Guide Network security is a
    constantly moving target - even proven solutions lose their punch over
    time. Find out how to get COMPLETE PROTECTION against ever-growing
    security threats with our FREE new Guide.

    Get your copy today at: https://www.qualys.com/forms/nsguideh_376.php
    -------------------------------------------------------------------------------

    I. FRONT AND CENTER
         1. Instant Insecurity: Security Issues of Instant Messaging
         2. Intelligence Gathering: Watching a Honeypot at Work
         3. Closing the Floodgates: DDoS Mitigation Techniques
         4. Strikeback, Part Deux
         5. SecurityFocus DPP Program
         6. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
    II. MICROSOFT VULNERABILITY SUMMARY
         1. DCP-Portal Remote File Include Vulnerability
         2. CGIHTML Form Data File Corruption Vulnerability
         3. Horde IMP Database Files SQL Injection Vulnerabilities
         4. myPHPNuke Information Disclosure Vulnerability
         5. CommuniGate Pro Webmail File Disclosure Vulnerability
         6. CGIHTML Insecure Form-Data Temporary File Vulnerability
         7. Active PHP Bookmarks Multiple File Include Vulnerabilities
         8. Mambo Site Server Multiple Cross Site Scripting Vulnerabilities
         9. Mambo Site Server Arbitrary File Upload Vulnerability
         10. AN HTTPD Cross Site Scripting Vulnerability
         11. Multiple Vendor Network Device Driver Frame Padding...
         12. Microsoft Windows Fontview Denial of Service Vulnerability
         13. KaZaA Advertisement Local Zone Vulnerability
         14. myPHPNuke Default_Theme Cross Site Scripting Vulnerability
         15. Macromedia ColdFusion MX CFInclude And CFModule Tag Sandbox...
         16. AN HTTPD HTTP Request Buffer Overflow Vulnerability
         17. S8Forum Remote Command Execution Vulnerability
         18. FormMail Cross-Site Scripting Vulnerability
         19. Bea Systems WebLogic ResourceAllocationException System...
         20. DCP-Portal Unauthorized Account Access Vulnerability
         21. cgihtml Signed Integer Content-Length Memory Corruption...
         22. cgihtml Denial Of Service Vulnerability
         23. A.ShopKart Multiple SQL Injection Vulnerabilities
         24. Business Objects WebIntelligence Application Session Hijacking...
    III. MICROSOFT FOCUS LIST SUMMARY
         1. AD replication over WAN (Thread)
         2. FW: Tools for changing WMI namespace ACL's (Thread)
         3. SecurityFocus Microsoft Newsletter #120 (Thread)
    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
         1. i.Secure Drive
         2. Adhaero Transit
         3. CipherPack Pro
    V. NEW TOOLS FOR MICROSOFT PLATFORMS
         1. K9 v1.0
         2. GFI LANguard Network Security Scanner (N.S.S.) v3.0
         3. Demarc PureSecure v1.6
    VI. SPONSOR INFORMATION

    I. FRONT AND CENTER
    -------------------
    1. Instant Insecurity: Security Issues of Instant Messaging
    By Neal Hindocha

    Instant messaging services are becoming an increasingly popular form of
    communication, both in the personal and the professional spheres. This
    paper will describe instant messaging and offer a brief overview of some
    of the security threats associated with the service.

    http://online.securityfocus.com/infocus/1657

    2. Intelligence Gathering: Watching a Honeypot at Work
    By Toby Miller

    The purpose of this article is to share with the security community the
    data the author collected from his honeypot. This discussion will include
    the attacker's recon, the attack, the attempted cover-up, and the reason
    for the attack on the honeypot.

    http://online.securityfocus.com/infocus/1656

    3. Closing the Floodgates: DDoS Mitigation Techniques
    by Matthew Tanase

    To be on the receiving end of a distributed denial of service (DDoS)
    attack is a nightmare scenario for any network administrator, security
    specialist or access provider. It begins instantly, without warning, and
    continues relentlessly: machines down, jammed bandwidth, overloaded
    routers. An effective, immediate response is often difficult and may
    depend on third parties, such as ISPs. With these challenges in mind, this
    article will explore some techniques that systems administrators and
    security professionals can employ should they ever find themselves in this
    rather undesirable situation.

    http://online.securityfocus.com/infocus/1655

    4. Strikeback, Part Deux
    By Tim Mullen

    Why I should have the right to kill a malicious process on your machine.

    http://online.securityfocus.com/columnists/134

    5. SecurityFocus DPP Program

    Attention Universities!! Sign-up now for preferred pricing on the only
    global early-warning system for cyber attacks - SecurityFocus DeepSight
    Threat Management System.

    Click here for more information:
    http://www.securityfocus.com/corporate/products/dpsection.shtml

    6. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

    Optional Workshops: March 8, 9, 12, 13, & 14
    Vendor Expo: March 10 & 11

    Solutions to today’s security concerns; hands-on experts; blockbuster
    vendor expo; the CISO Executive Summit; invaluable networking
    opportunities. InfoSec World has it all!

    Go to: http://www.misti.com/10/os03nl37inf.html

    II. BUGTRAQ SUMMARY
    -------------------
    1. DCP-Portal Remote File Include Vulnerability
    BugTraq ID: 6525
    Remote: Yes
    Date Published: Jan 06 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6525
    Summary:

    DCP-Portal is a freely available content management system implemented in
    PHP. It is available for a variety of platforms including Microsoft
    Windows and Linux variants.

    DCP-Portal is prone to an issue which may allow remote attackers to
    include arbitrary files located on remote servers. This issue is present
    in the 'library/editor/editor.php' and 'library/lib.php' scripts included
    with DCP-Portal.

    An attacker may exploit this by supplying a path to a maliciously created
    file, located on an attacker-controlled host as a value for the '$root'
    parameter.

    If the remote file is a PHP script, this may allow for execution of
    attacker-supplied PHP code with the privileges of the webserver.
    Successful exploitation may provide local access to the attacker.

    This vulnerability was reported for DCP-Portal 5.0.1. It is not known
    whether earlier versions are affected.

    2. CGIHTML Form Data File Corruption Vulnerability
    BugTraq ID: 6550
    Remote: Yes
    Date Published: Jan 07 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6550
    Summary:

    cgihtml is a series of CGI and HTML routines, implemented in C. It can be
    run on a number of platforms, including Unix and Linux variants and
    Microsoft Windows.

    When handling uploaded form-data, cgihtml creates a temporary file to
    store this data in /tmp or another user-specified directory. The software
    uses the client supplied filename when creating the temporary file. If
    the attacker supplies a malicious filename, such as one pre-pended with
    dot-dot-slash (../) directory traversal sequences, it may be possible to
    corrupt files outside of the specified temporary directory.

    The cause of this issue is trust in user-supplied input. The routines use
    a client-supplied filename when creating the temporary file, and do not
    sufficiently validate that the filename is free of directory traversal
    sequences or that it does not conflict with the name of an existing system
    file.

    For this attack to be successful, the targeted files must be writeable by
    a server process that utilizes the vulnerable cgihtml routines.

    3. Horde IMP Database Files SQL Injection Vulnerabilities
    BugTraq ID: 6559
    Remote: Yes
    Date Published: Jan 08 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6559
    Summary:

    IMP is a web-based mail interface/client developed by members of the Horde
    project. It is implemented in PHP and runs on a number of operating
    systems, including Unix and Linux variants and Microsoft Windows operating
    systems.

    It has been reported that IMP is prone to multiple SQL injection
    vulnerabilities.

    IMP, in some cases, does not sufficiently sanitize user-supplied input
    which is used when constructing SQL queries to execute on the underlying
    database. As a result, it is possible to manipulate SQL queries. This
    may allow a remote attacker to modify query logic or potentially corrupt
    the database. Consequences will vary depending on the queries used and
    the capabilities of the underlying database implementation.

    These issues occur throughout the database command files for the different
    database implementations, for example 'lib/db.pgsql'. These files contain
    the syntax used to construct queries for the respective database
    implementation.

    SQL injection attacks may also potentially be used to exploit latent
    vulnerabilities in the underlying database implementation.

    4. myPHPNuke Information Disclosure Vulnerability
    BugTraq ID: 6541
    Remote: Yes
    Date Published: Jan 06 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6541
    Summary:

    myPHPNuke is a Web Portal System based on PHP-Nuke 4.4.1a. It is available
    for the Linux and Microsoft Windows operating systems.

    An information disclosure vulnerability has been reported for myPHPNuke.
    The vulnerability exists due to insufficient checks performed in the
    system_footer.php script file. Specifically, the system_footer.php script,
    found in the 'admin/' subdirectory, calls the phpinfo() function without
    checking who the user is.

    An attacker can exploit this vulnerability by making a request for the
    system_footer.php script. The system will respond by disclosing
    information to a remote attacker.

    Information obtained in this manner may be used by an attacker to launch
    attacks against a vulnerable system.

    5. CommuniGate Pro Webmail File Disclosure Vulnerability
    BugTraq ID: 6542
    Remote: Yes
    Date Published: Jan 06 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6542
    Summary:

    CommuniGate Pro is an internet messaging server. CommuniGate Pro includes
    a webmail service to allow access to mailboxes via HTTP. It is available
    for a number of platforms including Unix and Linux variants and Microsoft
    Windows operating systems.

    A file disclosure vulnerability has been reported in the CommuniGate Pro
    webmail component.

    A specially crafted web request containing dot-dot-slash (../) directory
    traversal sequences may break out of the document root and disclose
    arbitrary web server readable files that exist on the underlying host.

    Exploitation of this vulnerability may lead to disclosure of sensitive
    information that may be useful in mounting further attacks on the host
    system. The impact of this vulnerability is compounded by the fact that
    CommuniGate Pro runs as root by default, though may be configured to drop
    privileges. This issue was reported for CommuniGate Pro on FreeBSD. It
    is likely that the software is affected on other platforms as well.

    6. CGIHTML Insecure Form-Data Temporary File Vulnerability
    BugTraq ID: 6552
    Remote: No
    Date Published: Jan 07 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6552
    Summary:

    cgihtml is a series of CGI and HTML routines, implemented in C. It can be
    run on a number of platforms, including Unix and Linux variants and
    Microsoft Windows.

    When handling uploaded form-data, cgihtml creates a temporary file to
    store this data in /tmp or another user-specified directory. A client
    supplied filename is used when the temporary file is created. This
    presents a security vulnerability since the name of the temporary file can
    be anticipated by the attacker.

    A local attacker may take advantage of this condition to create a symbolic
    link in place of the temporary file, which points to another file on the
    system which is writeable by a server process which utilizes the
    vulnerable routines. The vulnerable routines will follow any symbolic
    links provided in place of a temporary file. The attacker may then submit
    a malicious form-data upload, using the attacker-supplied filename, and
    cause local files to be corrupted.

    If custom data can be written to files, it is possible to gain elevated
    privileges.
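The symlink race in item 6 exists because the temporary file's name is predictable and the open call follows whatever is already sitting at that path. The following is an added example (not cgihtml's code) of the two standard fixes: let mkstemp() choose an unpredictable name and create it with O_CREAT|O_EXCL, or, where the application insists on its own name, open it with O_EXCL|O_NOFOLLOW so a pre-planted link or file makes creation fail instead of being overwritten. The directory "/tmp", the "upload-" prefix and the form-data string are constructed for the demonstration.

```c
/* Added example, not cgihtml's code: creating a per-upload temporary file
 * so that a local user who can predict the name gains nothing. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkstemp(), O_NOFOLLOW */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Create a fresh temporary file under `dir`. mkstemp() replaces the six
 * X's with an unpredictable suffix and opens with O_CREAT|O_EXCL and mode
 * 0600, so an existing file or symlink at the chosen name causes a retry
 * inside libc rather than being followed. The final path is written to
 * `path_out` (capacity `n`). Returns the open descriptor, or -1. */
int open_private_tempfile(const char *dir, char *path_out, size_t n)
{
    int len = snprintf(path_out, n, "%s/upload-XXXXXX", dir);
    if (len < 0 || (size_t)len >= n) return -1;      /* path would not fit */
    return mkstemp(path_out);
}

/* For an application-chosen path: create it only if nothing exists there
 * and never follow a symbolic link. A planted file or link makes this
 * fail with EEXIST, which the caller treats as "abort the upload". */
int open_fixed_tempfile(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

int main(void)
{
    char path[256];
    int fd = open_private_tempfile("/tmp", path, sizeof path);
    if (fd < 0) { perror("open_private_tempfile"); return 1; }

    const char body[] = "name=alice&msg=hello\n";   /* constructed form data */
    if (write(fd, body, sizeof body - 1) < 0) perror("write");
    printf("form data stored in %s\n", path);

    /* The same path can no longer be opened exclusively by anyone else. */
    printf("second exclusive open: %s\n",
           open_fixed_tempfile(path) < 0 ? "refused (EEXIST)" : "unexpectedly succeeded");
    close(fd);
    unlink(path);
    return 0;
}
```

The important property is that neither function ever truncates or writes through a path the attacker had a chance to create first: mkstemp() retries on collision, and O_EXCL|O_NOFOLLOW turns the race into a clean error.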

    7. Active PHP Bookmarks Multiple File Include Vulnerabilities
    BugTraq ID: 6545
    Remote: Yes
    Date Published: Jan 06 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6545
    Summary:

    Active PHP Bookmarks (APB) is a web-based application for managing a
    collection of bookmarks. APB is available for Unix and Linux variants as
    well as Microsoft Windows operating systems.

    APB is prone to multiple issues which may allow a remote attacker to cause
    a malicious external file to be included and interpreted.

    Attackers may influence include paths for a number of APB scripts. By
    specifying a path to a resource (such as a malicious PHP script) on a
    remote attacker-controlled server, it is possible to cause arbitrary
    commands to be executed with the privileges of the webserver process.

    This issue is known to exist in the following scripts:

    head.php
    apb_common.php
    apb_view_class.php

    8. Mambo Site Server Multiple Cross Site Scripting Vulnerabilities
    BugTraq ID: 6571
    Remote: Yes
    Date Published: Jan 10 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6571
    Summary:

    Mambo Site Server is a freely available, open source web content
    management tool. It is written in PHP, and available for Unix, Linux, and
    Microsoft Windows operating systems.

    Mambo Site Server does not adequately filter HTML code thus making it
    prone to cross-site scripting attacks. It is possible for a remote
    attacker to create a malicious link containing script code which will be
    executed in the browser of a legitimate user. All code will be executed
    within the context of the website running Mambo Site Server.

    The following files were reported to be prone to cross site scripting attacks:
    administrator/popups/sectionswindow.php
    administrator/gallery/gallery.php
    administrator/gallery/navigation.php
    administrator/gallery/uploadimage.php
    administrator/gallery/view.php
    administrator/upload.php
    themes/mambosimple.php
    upload.php
    emailfriend/emailarticle.php
    emailfriend/emailfaq.php
    emailfriend/emailnews.php

    This issue may be exploited to steal cookie-based authentication
    credentials from legitimate users of the website running the vulnerable
    software. The attacker may then hijack the session of the legitimate user
    by presenting the stolen cookie-based authentication credentials.

    This vulnerability was reported for Mambo Site Server 4.0.12 BETA and
    earlier.

    9. Mambo Site Server Arbitrary File Upload Vulnerability
    BugTraq ID: 6572
    Remote: Yes
    Date Published: Jan 10 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6572
    Summary:

    Mambo Site Server is a freely available, open source web content
    management tool. It is written in PHP, and available for Unix, Linux, and
    Microsoft Windows operating systems.

    A problem with Mambo Site Server may make it possible for remote attackers
    to upload files to a vulnerable system.

    Due to inadequate security checks performed by some PHP scripts, an
    attacker is able to upload arbitrary files to the system. The following
    scripts have been reported to be vulnerable to this issue:
    administrator/gallery/uploadimage.php
    administrator/upload.php
    upload.php

    Specifically, the scripts only check to see whether certain image
    extensions, such as '.jpg' and '.gif', exist in the filename. As such any
    file that includes the allowed extensions may be uploaded. Any uploaded
    files will be stored in the 'images/stories' directory on the system.

    Given the ability to upload arbitrary files to the host, an attacker can
    exploit this vulnerability to upload malicious applications to the
    vulnerable system or use the system for the storage of files.
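Items 2 and 9 describe two failures in handling a client-supplied filename: accepting path components (so "../" escapes the target directory) and testing for an allowed extension with a substring match rather than a suffix match. The following is an added example, not cgihtml's or Mambo's code, of an upload-name policy that rejects both; the 64-character cap and the list of permitted image extensions are assumptions chosen for the demonstration.

```c
/* Added example, not code from cgihtml or Mambo Site Server: validating a
 * client-supplied filename before it is used on the server's filesystem. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Returns 1 if `name` is a bare filename drawn from a conservative
 * character set with no directory components, 0 otherwise. Names that
 * start with '.' are refused, which also covers "..", ".htaccess" etc. */
int is_safe_basename(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 64) return 0;                 /* hypothetical length cap */
    if (name[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;  /* no '/' or '\\' */
    }
    if (strstr(name, "..") != NULL) return 0;       /* "a..b" is also refused */
    return 1;
}

/* The flawed test the Mambo summary describes: the extension is searched
 * for anywhere in the name, so "shell.jpg.php" passes. */
int ext_check_weak(const char *name)
{
    return strstr(name, ".jpg") != NULL || strstr(name, ".gif") != NULL;
}

/* Case-insensitive suffix comparison. */
static int ends_with_nocase(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    if (lx > ls) return 0;
    const char *tail = s + (ls - lx);
    for (size_t i = 0; i < lx; i++)
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)suffix[i])) return 0;
    return 1;
}

/* Hardened test: only the final extension counts. */
int ext_check_strict(const char *name)
{
    static const char *allowed[] = { ".jpg", ".jpeg", ".gif", ".png" };  /* assumed policy */
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (ends_with_nocase(name, allowed[i])) return 1;
    return 0;
}

/* Full upload policy: a safe basename AND a permitted final extension. */
int accept_upload_name(const char *name)
{
    return is_safe_basename(name) && ext_check_strict(name);
}

int main(void)
{
    /* Constructed sample names covering the cases above. */
    const char *samples[] = { "photo.jpg", "PHOTO.JPG", "shell.jpg.php",
                              "../../etc/passwd", "x.gif.exe" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s weak=%d strict=%d accept=%d\n", samples[i],
               ext_check_weak(samples[i]), ext_check_strict(samples[i]),
               accept_upload_name(samples[i]));
    return 0;
}
```

Note that the strict check alone is not enough: a name that passes the extension test can still contain directory components, which is why accept_upload_name() requires both predicates.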

    This vulnerability was reported for Mambo Site Server 4.0.12 BETA and
    earlier.

    10. AN HTTPD Cross Site Scripting Vulnerability
    BugTraq ID: 6529
    Remote: Yes
    Date Published: Jan 06 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6529
    Summary:

    AN HTTPD is a Web server designed for use on Microsoft Windows operating
    systems.

    AN HTTPD does not adequately filter HTML code thus making it prone to
    cross-site scripting attacks. It is possible for a remote attacker to
    create a malicious link containing script code which will be executed in
    the browser of a legitimate user. All code will be executed within the
    context of the website running AN HTTPD.

    This issue may be exploited to steal cookie-based authentication
    credentials from legitimate users of the website running the vulnerable
    software. The attacker may then hijack the session of the legitimate user
    by presenting the stolen cookie-based authentication credentials.

    This vulnerability was reported for AN HTTPD 1.41e.

    11. Multiple Vendor Network Device Driver Frame Padding Information Disclosure Vulnerability
    BugTraq ID: 6535
    Remote: Yes
    Date Published: Jan 06 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6535
    Summary:

    Network device drivers for several vendors have been reported to disclose
    potentially sensitive information to attackers.

    Frames that are smaller than the minimum frame size should have the unused
    portion of the frame buffer padded with null (or other) bytes. Some
    device drivers do not do this adequately, leaving the data that was stored
    in the memory comprising the buffer prior to its use intact.
    Consequently, this data may be transmitted within frames across ethernet
    segments. As the ethernet frame buffer is allocated in kernel memory
    space, sensitive data may be leaked.

    An attacker can exploit this vulnerability by sending a simple ICMP packet
    to a vulnerable machine. A response to such a query will involve a packet
    that has been padded to a sufficient length. It may be that the
    information that is padded is of a sensitive nature. An attacker may use
    the information obtained in this manner to launch other attacks against a
    vulnerable system.

    This vulnerability has been reported to affect the atp.c, axnet_cs.c,
    xirc2ps_cs.c and the rtl8139.c network device drivers for Linux variant
    systems. Older NetApp systems using the 'Gigabit Ethernet Controller I'
    are vulnerable to this issue.

    Cisco has stated that the IOS 12.1 and 12.2 trains are not affected.
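The frame-padding issue above comes down to one missing step on the transmit path: a frame shorter than the Ethernet minimum must have its tail explicitly zeroed before it leaves the buffer. The following is an added example, not code from any of the drivers named; the 64-byte array stands in for a kernel frame buffer, the 0xAA fill simulates data left over from its previous use, and the 42-byte frame is the size of an ICMP echo reply with no payload. It also shows the check a network monitor can run on received short frames to spot a host that is leaking.

```c
/* Added example, not vendor driver code: zero-padding a short Ethernet
 * frame, and detecting non-zero padding in frames received from a host. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define ETH_ZLEN 60   /* minimum Ethernet frame length, excluding the FCS */

/* Pad the `len`-byte frame held in `buf` (capacity `cap`) up to ETH_ZLEN
 * with zeros. Returns the length to hand to the NIC, or 0 if the buffer
 * cannot hold a minimum-size frame. A driver that omits the memset()
 * transmits whatever the buffer previously contained. */
size_t pad_frame(uint8_t *buf, size_t len, size_t cap)
{
    if (len >= ETH_ZLEN) return len;          /* nothing to pad */
    if (cap < ETH_ZLEN) return 0;
    memset(buf + len, 0, ETH_ZLEN - len);
    return ETH_ZLEN;
}

/* Monitor-side check: given a received frame of `frame_len` bytes whose
 * protocol headers account for only `payload_end` bytes, count padding
 * bytes that are not zero. A consistently non-zero result from one host
 * is the symptom described in the summary. */
size_t count_nonzero_padding(const uint8_t *frame, size_t payload_end, size_t frame_len)
{
    size_t bad = 0;
    for (size_t i = payload_end; i < frame_len; i++)
        if (frame[i] != 0) bad++;
    return bad;
}

int main(void)
{
    uint8_t buf[64];
    memset(buf, 0xAA, sizeof buf);   /* simulated stale data in the buffer */
    memset(buf, 0x11, 42);           /* 14 Ethernet + 20 IP + 8 ICMP header bytes */

    printf("before padding: %zu non-zero padding bytes\n",
           count_nonzero_padding(buf, 42, ETH_ZLEN));
    size_t tx = pad_frame(buf, 42, sizeof buf);
    printf("after padding:  transmit %zu bytes, %zu non-zero padding bytes\n",
           tx, count_nonzero_padding(buf, 42, tx));
    return 0;
}
```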

    12. Microsoft Windows Fontview Denial of Service Vulnerability
    BugTraq ID: 6536
    Remote: No
    Date Published: Jan 06 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6536
    Summary:

    Microsoft Windows uses fontview.exe as the default font viewer.

    Windows is vulnerable to a denial of service condition when certain
    malformed OpenType font files (.otf) are viewed with the default font
    viewer. Attempting to view the font file causes a page fault, resulting
    in the system Blue Screening and rebooting.

    Since this issue results in an invalid memory reference by the kernel,
    there is a possibility that it may be exploitable to cause code execution,
    however, this has not been confirmed.

    The exact cause of this issue is not currently known, however, this record
    will be updated if and when more details become available.

    This vulnerability is reported to affect Windows 2000 and XP, but other
    versions may also be affected.

    13. KaZaA Advertisement Local Zone Vulnerability
    BugTraq ID: 6543
    Remote: Yes
    Date Published: Jan 06 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6543
    Summary:

    KaZaA Media Desktop is a peer to peer file sharing utility, available for
    Microsoft Windows based systems. A potential remote command execution
    vulnerability has been reported in some versions of KaZaA Media Desktop.

    By default all Internet content such as websites and advertisements is run
    within the 'Internet Zone'. Local content is run within the 'Local Zone',
    which imposes fewer restrictions than the Internet Zone.

    It has been reported that KaZaA advertisement content is rendered in the
    system's Local Zone. This presents a security risk as it is possible for
    the content to execute arbitrary commands on the local system. This issue
    may also be exploited to disclose the contents of system files.

    14. myPHPNuke Default_Theme Cross Site Scripting Vulnerability
    BugTraq ID: 6544
    Remote: Yes
    Date Published: Jan 06 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6544
    Summary:

    myPHPNuke is a Web Portal System based on PHP-Nuke 4.4.1a. It is available
    for the Linux and Microsoft Windows operating systems.

    Reportedly, myPHPNuke does not adequately filter HTML code thus making it
    prone to cross-site scripting attacks. It is possible for a remote
    attacker to create a malicious link containing script code which will be
    executed in the browser of a legitimate user. All code will be executed
    within the context of the website running myPHPNuke.

    The vulnerability exists in the chatheader.php and partner.php script
    files included with myPHPNuke. Specifically, malicious HTML code is not
    properly sanitized from the value for the 'Default_Theme' URI parameter.

    This issue may be exploited to steal cookie-based authentication
    credentials from legitimate users of the website running the vulnerable
    software. The attacker may then hijack the session of the legitimate user
    by presenting the stolen cookie-based authentication credentials.

    This vulnerability was reported for myPHPNuke 1.8.8_final_7 and earlier.

    15. Macromedia ColdFusion MX CFInclude And CFModule Tag Sandbox Escaping Vulnerability
    BugTraq ID: 6566
    Remote: Yes
    Date Published: Jan 09 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6566
    Summary:

    ColdFusion MX Enterprise Edition is the application development and
    hosting server distributed by Macromedia. It is available as a standalone
    product for Unix, Linux, and Microsoft Windows operating systems.

    A problem with ColdFusion MX Enterprise Edition may allow users to access
    restricted files.

    A vulnerability in the use of the cfinclude and cfmodule tags exists in
    ColdFusion MX. In environments that are sandboxed, it may be possible for
    a script to access files outside of the sandboxed directory. This could
    lead to unauthorized access to files on the host.

    The problem is in the handling of relative paths. Due to insufficient
    checking of input in custom tags, it is possible to upload a file using
    custom tags and containing relative paths that will access files outside
    of a sandboxed directory. This could allow an attacker to access
    unauthorized and potentially sensitive information.

    It should be noted that this vulnerability will only reveal the contents
    of files to which the ColdFusion server has read access.
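Items 5 and 15 are both relative-path containment failures: a request or tag argument carrying "../" components is joined onto a document root or sandbox directory without first checking that the result still lies beneath it. The following is an added example, not CommuniGate's or ColdFusion's code, of a lexical normaliser that resolves "." and ".." and refuses any request that would climb above the root. The root "/var/www/html" and the sample requests are constructed. One caveat a practitioner would want: this is a lexical check only, so where symbolic links can exist inside the root the server must additionally canonicalise the final path with realpath() and re-check the prefix.

```c
/* Added example, not server code from the page: confine a client-supplied
 * relative path to a document root before any file is opened. */
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 64   /* hypothetical limit on path components */

/* Resolve `req` (e.g. "docs/../img/a.png") against `root`. On success
 * returns 0 and writes the joined, normalised path to `out` (capacity
 * `outlen`). Returns -1 if the request is absolute, escapes the root,
 * has too many components, or does not fit. Both '/' and '\\' are
 * treated as separators so a Windows host gets the same protection. */
int resolve_under_root(const char *root, const char *req, char *out, size_t outlen)
{
    const char *segs[MAX_DEPTH];
    size_t lens[MAX_DEPTH];
    int depth = 0;

    if (req[0] == '/' || req[0] == '\\') return -1;       /* absolute paths refused */

    const char *p = req;
    while (*p) {
        const char *start = p;
        while (*p && *p != '/' && *p != '\\') p++;
        size_t len = (size_t)(p - start);
        if (*p) p++;                                       /* skip the separator */
        if (len == 0 || (len == 1 && start[0] == '.')) continue;   /* "//" or "." */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return -1;                     /* would leave the root */
            depth--;
            continue;
        }
        if (depth == MAX_DEPTH) return -1;
        segs[depth] = start;
        lens[depth] = len;
        depth++;
    }

    /* Re-join root + "/" + each surviving component. */
    size_t used = strlen(root);
    if (used + 1 > outlen) return -1;
    memcpy(out, root, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + lens[i] + 1 > outlen) return -1;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    char buf[256];
    const char *reqs[] = { "index.html", "docs/../img/a.png",
                           "../../etc/passwd", "a/b/../../../x", "/etc/passwd" };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int rc = resolve_under_root("/var/www/html", reqs[i], buf, sizeof buf);
        printf("%-20s -> %s\n", reqs[i], rc == 0 ? buf : "REJECTED");
    }
    return 0;
}
```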

    16. AN HTTPD HTTP Request Buffer Overflow Vulnerability
    BugTraq ID: 6528
    Remote: Yes
    Date Published: Jan 06 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6528
    Summary:

    AN HTTPD is a Japanese language Web server designed for use on Microsoft
    Windows operating systems.

    A buffer overflow vulnerability has been reported for AN HTTPD. The
    vulnerability exists when AN HTTPD receives overly long HTTP requests.

    An attacker can exploit this vulnerability by issuing a long HTTP request,
    consisting of at least 1024 characters, to any CGI or BAT script on the
    vulnerable server. When AN HTTPD attempts to process this request, it will
    crash.

    Although unconfirmed, it may be possible to cause the vulnerable web
    server to execute malicious attacker-supplied code.

    This vulnerability was reported for AN HTTPD 1.41e.

    17. S8Forum Remote Command Execution Vulnerability
    BugTraq ID: 6547
    Remote: Yes
    Date Published: Jan 06 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6547
    Summary:

    S8Forum is web forum software. It employs a local flat-file database for
    storing user information. It is available for Unix and Linux variants as
    well as Microsoft Windows operating systems.

    S8Forum is prone to a remote command execution vulnerability.

    When a user registers with the forum, a file is created locally with the
    specified username. The contents of this file will be the data entered by
    the user. As a result, a malicious user could create a file with an
    arbitrary name and PHP (.php) extension that contains valid PHP code.
    The attacker may then cause this file to be executed by requesting it via
    HTTP.

    This may result in execution of arbitrary commands with the privileges of
    the webserver process. An attacker may exploit this condition to gain
    local, interactive access to the system hosting the vulnerable software.

    18. FormMail Cross-Site Scripting Vulnerability
    BugTraq ID: 6570
    Remote: Yes
    Date Published: Jan 09 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6570
    Summary:

    FormMail is a web-based e-mail gateway, which allows form-based input to
    be emailed to a specified user. It is written in Perl and will run on most
    Linux and Unix variants, in addition to Microsoft Windows operating
    systems.

    FormMail is allegedly prone to cross-site scripting attacks.

    The FormMail script does not sufficiently sanitize HTML tags and script
    code from query strings, which in turn are output into pages generated by
    the software. As a result, a remote attacker may construct a malicious
    link to the script which contains arbitrary script code. If this link is
    visited by a web user, the attacker-supplied script code may be
    interpreted by their browser in the context of the site hosting the
    software.

    This may allow an attacker to steal cookie-based authentication
    credentials or manipulate web content. Other attacks are also possible.

    This issue was reported in FormMail 1.92. Other versions may also be
    affected.
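Items 8, 10, 14 and 18 share one root cause: a query-string value is written into the generated page without output encoding, so markup in the value is interpreted by the browser. The following is an added example, not code from Mambo, AN HTTPD, myPHPNuke or FormMail, of the missing step: an HTML escaper for the five characters that matter in text and double-quoted attribute context, beside the echo-it-straight-in pattern the summaries describe. The greeting template and sample inputs are constructed for the demonstration.

```c
/* Added example, not code from the products above: output-encode a
 * request parameter before inserting it into an HTML page. */
#include <stdio.h>
#include <string.h>

/* Escape `in` for HTML text or a double-quoted attribute. Writes at most
 * `cap`-1 bytes plus a NUL and returns the full escaped length (like
 * snprintf), so a return value >= cap means the output was truncated. */
size_t html_escape(const char *in, char *out, size_t cap)
{
    size_t used = 0, written = 0;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, '\0' };
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (used + rl < cap) {                 /* whole replacement plus NUL fits */
            memcpy(out + used, rep, rl);
            written = used + rl;
        }
        used += rl;
    }
    if (cap > 0) out[written] = '\0';
    return used;
}

/* The pattern the vulnerable scripts follow: the parameter is inserted
 * into the page as-is, so "<script>" in the value becomes live markup. */
int render_greeting_unsafe(const char *name, char *page, size_t cap)
{
    return snprintf(page, cap, "<p>Hello %s</p>", name);
}

/* Hardened: escape first, refuse values that do not fit the scratch
 * buffer, then insert. */
int render_greeting_safe(const char *name, char *page, size_t cap)
{
    char esc[512];
    if (html_escape(name, esc, sizeof esc) >= sizeof esc) return -1;  /* too long */
    return snprintf(page, cap, "<p>Hello %s</p>", esc);
}

int main(void)
{
    const char *param = "<b onmouseover=\"x()\">Bob</b>";   /* constructed query value */
    char page[256];
    render_greeting_unsafe(param, page, sizeof page);
    printf("unsafe: %s\n", page);
    render_greeting_safe(param, page, sizeof page);
    printf("safe:   %s\n", page);
    return 0;
}
```

Escaping belongs at the point of output, in the encoding of the context the value lands in; a value that is safe in HTML text is not automatically safe inside a script block or a URL, which need their own encoders.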

    19. Bea Systems WebLogic ResourceAllocationException System Password Disclosure Vulnerability
    BugTraq ID: 6586
    Remote: Yes
    Date Published: Jan 11 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6586
    Summary:

    BEA Systems WebLogic Server is an enterprise level web and wireless
    application server for Microsoft Windows and most Unix and Linux
    distributions.

    A vulnerability in BEA Systems WebLogic Server may, under some
    circumstances, result in the disclosure of system passwords if exceptions
    are output.

    BEA Systems has reported that WebLogic Server will throw an exception when
    an application attempts to route a JMS message across a bridge and an
    error occurs. This exception will include the supplied system password,
    in plaintext.

    Applications that output exceptions may inadvertently disclose password
    values. This may ultimately result in a remote party gaining access to
    affected systems.

    20. DCP-Portal Unauthorized Account Access Vulnerability
    BugTraq ID: 6526
    Remote: Yes
    Date Published: Jan 06 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6526
    Summary:

    DCP-Portal is a freely available content management system implemented in
    PHP. It is available for a variety of platforms including Microsoft
    Windows and Linux variants.

    DCP-Portal does not sufficiently sanitize user-supplied input for URI
    parameters.

    An attacker can exploit this vulnerability by supplying values for the
    'dcp5_member_admin' or 'dcp5_member_id' parameters with the appropriate
    values. This will allow an attacker to obtain access to user accounts on
    the vulnerable site hosting DCP-Portal.

    This vulnerability was reported for DCP-Portal 5.0.1. It is not known
    whether earlier versions are affected.

    21. cgihtml Signed Integer Content-Length Memory Corruption Vulnerability
    BugTraq ID: 6551
    Remote: Yes
    Date Published: Jan 07 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6551
    Summary:

    cgihtml is a series of CGI and HTML routines, implemented in C. It can be
    run on a number of platforms, including Unix and Linux variants and
    Microsoft Windows.

    A vulnerability has been discovered in cgihtml which may result in memory
    corruption. The problem occurs when reading a user-supplied Content-Length
    value for POST data.

    An attacker is able to create a situation where memory may be overwritten
    by passing a negative length as the Content-Length value in a POST
    request. By passing excessive POST data it is possible for the attacker to
    overrun the allocated buffer, effectively overwriting heap memory. This
    may cause the affected program to crash.

    Although not yet confirmed, it may be possible to exploit this
    vulnerability to execute arbitrary code. Placing a malicious malloc header
    in heap memory may potentially allow an attacker to overwrite a GOT
    address to point to shellcode.
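Items 16 and 21 are both unchecked-length bugs on HTTP input: a request line copied into a fixed buffer with no limit, and a Content-Length taken with atoi() into a signed int and then passed to malloc() and fread(), where a negative value converts to a very large size_t. The following is an added example, not cgihtml's or AN HTTPD's code, showing the hardened versions of both steps: a parser that accepts only a non-negative decimal value within a policy limit, a body reader that allocates exactly what was validated, and a request-line reader that rejects an over-long line instead of overflowing its buffer. The 1 MiB body limit, the 1024-byte line buffer and the sample requests are constructed for the demonstration; fmemopen() is used only to feed those samples in place of stdin.

```c
/* Added example, not cgihtml's or AN HTTPD's code: bounded handling of the
 * Content-Length header and of the request line. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* fmemopen() in main() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>

#define MAX_BODY      (1024u * 1024u)  /* hypothetical 1 MiB body limit */
#define MAX_REQ_LINE  1024             /* fixed request-line buffer, incl. NUL */

/* Vulnerable pattern (not compiled here):
 *     int len = atoi(getenv("CONTENT_LENGTH"));
 *     char *buf = malloc(len + 1);
 *     fread(buf, 1, len, stdin);
 * With len == -1, malloc(0) succeeds and fread() is asked for SIZE_MAX
 * bytes, so the client's body overruns the heap allocation. */

/* Parse a Content-Length value. Returns 0 and stores the value in *out
 * only for a plain non-negative decimal integer <= max_allowed. */
int parse_content_length(const char *s, size_t max_allowed, size_t *out)
{
    if (s == NULL || !isdigit((unsigned char)*s)) return -1;  /* "", "-5", " 5", "+5" */
    errno = 0;
    char *end;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno == ERANGE) return -1;                            /* does not fit */
    if (*end != '\0' && *end != '\r' && *end != '\n') return -1;  /* "12abc" */
    if (v > max_allowed) return -1;                            /* policy limit */
    *out = (size_t)v;
    return 0;
}

/* Read exactly `len` validated bytes of body into a fresh buffer of
 * len + 1 bytes. Returns NULL if the stream ends early. */
char *read_body(FILE *in, size_t len)
{
    char *buf = malloc(len + 1);
    if (buf == NULL) return NULL;
    if (fread(buf, 1, len, in) != len) { free(buf); return NULL; }
    buf[len] = '\0';
    return buf;
}

/* Read one request line into `line` (capacity `cap`), stripping CR/LF.
 * Returns its length, or -1 if the line does not fit: the caller answers
 * with an error instead of copying an oversized request anywhere. */
long read_request_line(FILE *in, char *line, size_t cap)
{
    if (fgets(line, (int)cap, in) == NULL) return -1;
    size_t n = strlen(line);
    if (n == 0) return -1;
    if (line[n - 1] != '\n') {               /* no newline within cap-1 bytes */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n') ;   /* drain the rest */
        return -1;
    }
    while (n > 0 && (line[n - 1] == '\n' || line[n - 1] == '\r')) line[--n] = '\0';
    return (long)n;
}

int main(void)
{
    /* Constructed request, as a CGI program would see it on stdin. */
    const char sample[] = "POST /cgi-bin/form.cgi HTTP/1.0\r\n";
    FILE *in = fmemopen((void *)sample, sizeof sample - 1, "r");
    char line[MAX_REQ_LINE];
    long n = read_request_line(in, line, sizeof line);
    printf("request line (%ld bytes): %s\n", n, n >= 0 ? line : "rejected");
    fclose(in);

    const char *headers[] = { "512", "-1", "4294967295", "12abc" };
    for (size_t i = 0; i < 4; i++) {
        size_t len = 0;
        int rc = parse_content_length(headers[i], MAX_BODY, &len);
        printf("Content-Length: %-12s -> %s\n", headers[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```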

    22. cgihtml Denial Of Service Vulnerability
    BugTraq ID: 6555
    Remote: Yes
    Date Published: Jan 07 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6555
    Summary:

    cgihtml is a series of CGI and HTML routines, implemented in C. It can be
    run on a number of platforms, including Unix and Linux variants and
    Microsoft Windows.

    A vulnerability has been discovered in cgihtml when processing Multipart
    HTTP headers. It has been reported that, when processing a multipart
    header, cgihtml fails to sufficiently verify the sanity of the header
    structure. This may result in an affected application reading invalid
    values supplied 38 bytes within a malicious header.

    If this situation were to occur it may be possible for the attacker to
    cause the application to crash. Although it has not yet been confirmed, it
    is speculated that cgihtml contains other vulnerabilities similar to this
    issue.

    23. A.ShopKart Multiple SQL Injection Vulnerabilities
    BugTraq ID: 6558
    Remote: Yes
    Date Published: Jan 08 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6558
    Summary:

    a.shopKart is a freely available shopping cart system. It is implemented
    in ASP and is available for Microsoft Windows operating systems.

    a.shopKart is prone to multiple SQL injection vulnerabilities.

    Due to insufficient sanitization of user-supplied input passed to SQL
    queries, it may be possible to manipulate the logic of SQL queries.
    Depending on the nature of the individual queries and the underlying
    database implementation, it may be possible to cause database corruption
    or disclose sensitive information from within the database.

    Multiple instances of these vulnerabilities exist in the following
    scripts:

    addcustomer.asp
    addprod.asp
    process.asp

    It was reported that the "zip", "state", "country", "phone" and "fax"
    fields in the 'addcustomer.asp' script may allow for SQL injection.
    Further details about the other vulnerable scripts were not provided.

    SQL injection attacks may also potentially be used to exploit latent
    vulnerabilities in the underlying database implementation.

    24. Business Objects WebIntelligence Application Session Hijacking Vulnerability
    BugTraq ID: 6569
    Remote: Yes
    Date Published: Jan 09 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6569
    Summary:

    WebIntelligence is an analysis tool for business intelligence. It is
    distributed by Business Objects, and available for the Unix and Microsoft
    Windows platforms.

    A problem with the WebIntelligence application could make it possible for
    remote users to hijack sessions.

    It has been reported that WebIntelligence uses an insecure model for
    ensuring session security. The application uses web-type security
    features that may be prone to hijacking. This could allow a remote user
    to gain unauthorized access to another user's session.

    The problem is that the application uses cookies with guessable values to
    secure user sessions. It has also been suggested that a remote attacker
    may use other means to steal cookie-based authentication credentials from
    legitimate users. By gaining access to the application's session cookie,
    another user could gain complete access to the user's session, and perform
    all actions with the privileges of the victim. This vulnerability however
    does not permit the changing of user passwords.
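The guessable-cookie weakness above is the classic session-fixation/hijacking precondition: a session identifier only protects a session if it cannot be predicted or enumerated. As an added example (not Business Objects' code; the cookie name `WISESSION` and the 128-bit size are hypothetical), the block below shows the server-side pieces a defender would want: an identifier drawn from the OS CSPRNG, a shape check before any lookup, and a constant-time comparison so rejecting a bad cookie does not leak how many leading bytes matched.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical sizes for this example: 128 bits of randomness, rendered
 * as 32 lowercase hex characters. */
#define SESSION_ID_BYTES 16
#define SESSION_ID_CHARS (SESSION_ID_BYTES * 2)

/* Read n bytes from the operating system's CSPRNG. Returns 0 on success. */
static int csprng_bytes(unsigned char *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Generate an unguessable session identifier. out must hold
 * SESSION_ID_CHARS + 1 bytes. Returns 0 on success, -1 otherwise. */
int new_session_id(char *out, size_t out_len)
{
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[SESSION_ID_BYTES];
    if (out_len < SESSION_ID_CHARS + 1)
        return -1;
    if (csprng_bytes(raw, sizeof raw) != 0)
        return -1;
    for (size_t i = 0; i < sizeof raw; i++) {
        out[2 * i]     = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[SESSION_ID_CHARS] = '\0';
    return 0;
}

/* Shape check before any session-store lookup: exact length, lowercase hex. */
int session_id_well_formed(const char *id)
{
    if (id == NULL || strlen(id) != SESSION_ID_CHARS)
        return 0;
    for (size_t i = 0; i < SESSION_ID_CHARS; i++) {
        unsigned char c = (unsigned char)id[i];
        if (!isxdigit(c) || isupper(c))
            return 0;
    }
    return 1;
}

/* Constant-time comparison of two well-formed identifiers: the loop always
 * runs the full length, so timing does not depend on where they differ. */
int session_id_equal(const char *a, const char *b)
{
    unsigned char diff = 0;
    if (!session_id_well_formed(a) || !session_id_well_formed(b))
        return 0;
    for (size_t i = 0; i < SESSION_ID_CHARS; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Self-check: two fresh identifiers must be well formed and distinct. */
int self_check(void)
{
    char a[SESSION_ID_CHARS + 1], b[SESSION_ID_CHARS + 1];
    if (new_session_id(a, sizeof a) != 0 || new_session_id(b, sizeof b) != 0)
        return 0;
    return session_id_well_formed(a) && session_id_well_formed(b)
        && !session_id_equal(a, b);
}

int main(void)
{
    char id[SESSION_ID_CHARS + 1];
    if (new_session_id(id, sizeof id) == 0)
        printf("Set-Cookie: WISESSION=%s; HttpOnly; Secure\n", id);  /* hypothetical name */
    return 0;
}
```

The second half of the advisory, credentials stolen by "other means", is addressed by the cookie attributes rather than the identifier: `Secure` keeps it off cleartext links and `HttpOnly` keeps it away from script, and neither helps if the value itself is predictable.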

    III. MICROSOFT FOCUS LIST SUMMARY
    ---------------------------------
    1. AD replication over WAN (Thread)
    Relevant URL:
    http://online.securityfocus.com/archive/88/306287

    2. FW: Tools for changing WMI namespace ACL's (Thread)
    Relevant URL:
    http://online.securityfocus.com/archive/88/305471

    3. SecurityFocus Microsoft Newsletter #120 (Thread)
    Relevant URL:
    http://online.securityfocus.com/archive/88/305354

    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
    ----------------------------------------
    1. i.Secure Drive
    by Archisoft Security Solutions Limited
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    http://www.archisoft.com.hk/securedrive.html
    Summary:

    i.Secure Drive is a security storage module for Windows. To ensure that
    your system storage is fully secure, i.Secure Drive creates a secure
    virtual hard drive on your system; any data written to this virtual hard
    drive will be securely protected. The solution utilizes PKI technologies
    together with a personal Smart Token to promote supreme security. The
    product is fully integrated with Microsoft Windows NT/2000/XP and provides
    a transparent interface to users. Applications can utilize i.Secure Drive
    just like any ordinary hard drive.

    2. Adhaero Transit
    by Adhaero Utilities
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    http://www.adhaeroutilities.com/transit.htm
    Summary:

    Adhaero Transit uses file encryption and compression to produce an
    executable package (a 'SEED') which may then be safely transferred to the
    recipient by email, on disk, etc. Adhaero Transit uses the AES algorithm.

    3. CipherPack Pro
    by BrainTree Security Software
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    http://www.braintree.co.uk/pages/cipherpack.htm
    Summary:

    CipherPack Pro quickly and simply compresses and encrypts files or folders
    producing a stand-alone Windows executable file. This file contains the
    decompression and decryption code as well as the encrypted file contents.
    All that is required is for the correct key to be entered for the data to
    be recreated. Without the correct key, there is no way that the original
    contents can ever be viewed.

    V. NEW TOOLS FOR MICROSOFT PLATFORMS
    -------------------------------------
    1. K9 v1.0
    by ROBOTA
    Relevant URL:
    http://www.robota.net/proyectos.asp?id=172
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    Summary:

    K9 is a Windows tool for passive OS detection. It uses WinPCAP to capture
    network traffic and a user-friendly interface to handle results,
    fingerprint database, etc.

    2. GFI LANguard Network Security Scanner (N.S.S.) v3.0
    by GFI
    Relevant URL:
    http://www.gfisoftware.com/lannetscan/index.htm
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    Summary:

    GFI LANguard Network Security Scanner (N.S.S.) is a tool that checks your
    network for all potential methods that a hacker might use to attack your
    network. By analyzing the operating system and the applications running on
    your network, GFI LANguard N.S.S. identifies possible security holes in
    your network. In other words, it plays the devil's advocate and alerts you
    to weaknesses before a hacker can find them, enabling you to deal with
    these issues before a hacker can exploit them.

    3. Demarc PureSecure v1.6
    by DEMARC Security
    Relevant URL:
    http://www.demarc.com/
    Platforms: BSDI, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD, Perl (any system
    supporting perl), UNIX, Windows 2000, Windows NT, Windows XP
    Summary:

    Instead of having one program perform file integrity

    VI. SPONSOR INFORMATION
    -----------------------
    This issue is sponsored by: Qualys

    Strengthening Network Security: FREE Guide Network security is a
    constantly moving target - even proven solutions lose their punch over
    time. Find out how to get COMPLETE PROTECTION against ever-growing
    security threats with our FREE new Guide.

    Get your copy today at: https://www.qualys.com/forms/nsguideh_376.php
    -------------------------------------------------------------------------------
