SecurityFocus Microsoft Newsletter #135
From: Marc Fossi (mfossi_at_securityfocus.com)
Date: 05/05/03
Date: Mon, 5 May 2003 12:54:43 -0600 (MDT)
To: Focus-MS <focus-ms@securityfocus.com>
SecurityFocus Microsoft Newsletter #135
---------------------------------------
This issue is sponsored by: KaVaDo
The only integrated Web Application Security Suite
==================================================
ScanDo - Web Application Scanner
InterDo - Web Application Firewall
KaVaDo Inc., Web Application Security without Compromise
Read more at: http://www.securityfocus.com/Kavado-ms-secnews
-------------------------------------------------------------------------------
I. FRONT AND CENTER
1. Honeypots: Simple, Cost-Effective Detection
2. Madonna's Borderline MP3 Tactics
3. Auditing Web Site Authentication, Part Two
II. MICROSOFT VULNERABILITY SUMMARY
1. Bugzilla Local Dependency Graph HTML Injection Vulnerability
2. Bugzilla Default HTML Template Cross-Site Scripting...
3. Bugzilla Insecure Temporary File Handling Vulnerabilities
4. VisNetic ActiveDefense Multiple GET Request Denial of...
5. Alt-N MDaemon POP Server DELE Command Buffer Overflow...
6. Alt-N MDaemon IMAP Server Folder Creation Buffer Overflow...
7. Opera JavaScript Console Single Quote Attribute Injection...
8. 3D-FTP Client Buffer Overflow Vulnerability
9. Opera 6/7 Remote Heap Corruption Vulnerability
10. Truegalerie Unauthorized Administrative Access Vulnerability
11. Multiple PHP-Nuke HTML Injection Vulnerabilities
12. Macromedia ColdFusion MX Error Message Path Disclosure...
13. Netscape Navigator Directory Cross-Domain Scripting Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. Outlook Security Settings removed (Thread)
2. AD Question (Thread)
3. SecurityFocus Microsoft Newsletter #135 (Thread)
4. Windows 2003 Security Guides (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. Steganos InternetTrace-Destructor 6
2. iView Security Analytics
3. Preventon Web Protect
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. Jeb Perl Ping Stats v1.4.4
2. proDETECT v0.2b
3. WaveLock v1.0
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Honeypots: Simple, Cost-Effective Detection
By Lance Spitzner
This is the fourth article in an ongoing series on honeypots. This article
will examine the role of honeypots in detection.
http://www.securityfocus.com/infocus/1690
2. Madonna's Borderline MP3 Tactics
By Mark Rasch
The material girl's foul-mouthed revenge on music traders could be
interpreted as a deceptive trade practice, or even outright fraud.
http://www.securityfocus.com/columnists/158
3. Auditing Web Site Authentication, Part Two
By Mark Burnett
This is the second part of a two-part series addressing both of those
issues by establishing a standard audit procedure by which to measure your
own security. This article will explore issues surrounding user privacy,
session authentication, user security, and cookies.
http://www.securityfocus.com/infocus/1691
II. BUGTRAQ SUMMARY
-------------------
1. Bugzilla Local Dependency Graph HTML Injection Vulnerability
BugTraq ID: 6861
Remote: Yes
Date Published: Apr 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6861
Summary:
Bugzilla is a freely available, open source bug tracking software package.
It is available for Linux, Unix, and Microsoft Windows operating systems.
Bugzilla versions 2.16 and later include a feature that allows users to
generate bug dependency graphs on their local system via the GraphViz
suite.
HTML will not be sanitized when these graphs are generated locally.
Malicious HTML and script may be included in bug summaries. When the
dependency graph is generated, the HTML and script code may be contained
in the ALT and NAME attributes to the AREA tags in the client-side image
map.
This may be exploited to cause HTML or script code to be interpreted by
the web client of a user who generates a dependency graph which contains
malicious data. Though unconfirmed, in some browsers this may result in
HTML/script code being executed with relaxed permissions if it is executed
in a local context. If this is possible, it may be possible to gain
unauthorized access to local resources.
Earlier versions of Bugzilla, and installations configured to use a remote
server to generate dependency graphs, are not affected by this vulnerability.
2. Bugzilla Default HTML Template Cross-Site Scripting Vulnerabilities
BugTraq ID: 6868
Remote: Yes
Date Published: Apr 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6868
Summary:
Bugzilla is a freely available, open source bug tracking software package.
It is available for Linux, Unix, and Microsoft Windows operating systems.
Multiple cross-site scripting vulnerabilities exist in the default HTML
templates for Bugzilla. User-supplied input is not sanitized of HTML and
script code before being output by Bugzilla. Hostile script code and HTML
could be passed through Bugzilla and interpreted in the browser of a web
user who visits a Bugzilla site. This will occur in the security context
of the site hosting Bugzilla.
Successful exploitation may allow for theft of cookie-based authentication
credentials or other attacks which could compromise the integrity or other
security properties of the bug tracking system.
Default HTML templates were not prone to these issues in Bugzilla versions
prior to 2.16. English, Russian and German HTML template localizations
are reported to be affected, though templates for other languages may also
be affected.
3. Bugzilla Insecure Temporary File Handling Vulnerabilities
BugTraq ID: 7412
Remote: Unknown
Date Published: Apr 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7412
Summary:
Bugzilla is a freely available, open source bug tracking software package.
It is available for Linux, Unix, and Microsoft Windows operating systems.
Bugzilla creates temporary files insecurely. Multiple instances of this
problem were reported. An attacker could exploit this issue by creating a
symbolic link named after one of the temporary files created by Bugzilla.
If the symbolic link points to a file which is writeable by the web server
hosting Bugzilla, file corruption could result when Bugzilla attempts to
perform temporary file operations on attacker-created symbolic links.
Although unconfirmed, there is a potential for privilege escalation if the
attacker can cause files to be corrupted with custom data via symbolic
link attacks. Loss of critical data is also possible if this issue is
successful, which could also result in a denial of service.
4. VisNetic ActiveDefense Multiple GET Request Denial of Service Vulnerability
BugTraq ID: 7428
Remote: Yes
Date Published: Apr 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7428
Summary:
VisNetic ActiveDefense is a network-based intrusion detection system
designed to run on web and email servers. Its capabilities include web and
email traffic filtering. ActiveDefense is available for the Microsoft
Windows operating system.
A vulnerability has been discovered in ActiveDefense when running on a
Microsoft IIS web server. The problem occurs while processing a multitude
of malicious HTTP requests.
The issue can be triggered by sending 90 successive HTTP requests to the
IIS server, each containing approximately 100 bytes of data. When
processed, these requests will trigger a condition that crashes the
affected system.
An attacker could exploit this issue to deny legitimate users access to
HTTP services.
The system must be restarted to restore normal functionality.
This denial of service is known to affect VisNetic ActiveDefense 1.3.1. It
is likely that earlier versions are similarly affected.
5. Alt-N MDaemon POP Server DELE Command Buffer Overflow Vulnerability
BugTraq ID: 7445
Remote: Yes
Date Published: Apr 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7445
Summary:
Alt-N MDaemon is a Microsoft Windows-based mail server product.
A buffer overflow vulnerability has been reported for MDaemon. The
vulnerability is due to inadequate bounds checking on the 'DELE' POP
server command.
An attacker can exploit this vulnerability by submitting a very large
value for the DELE command to the POP server. When the POP server receives
this command, it will trigger the overflow condition and will cause
MDaemon to crash.
Although unconfirmed, it may be possible for a remote attacker to exploit
this issue to execute arbitrary system commands with the privileges of the
MDaemon process.
This vulnerability was reported for MDaemon versions 6.0.7 and later.
This issue is very similar to the issue described in BID 6053.
6. Alt-N MDaemon IMAP Server Folder Creation Buffer Overflow Vulnerability
BugTraq ID: 7446
Remote: Yes
Date Published: Apr 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7446
Summary:
Alt-N MDaemon is a Microsoft Windows-based mail server product.
A buffer overflow vulnerability has been reported for the MDaemon IMAP
server. The vulnerability exists when IMAP folders are created.
Specifically, MDaemon does not perform adequate bounds checks when
processing the CREATE command.
A malicious IMAP user is able to issue a CREATE command with an overly
long value, consisting of greater than 2000 characters, to the vulnerable
MDaemon server. Upon processing this malicious user-input, the buffer
overflow condition will be triggered which may result in code execution
with elevated privileges.
This vulnerability was reported to affect MDaemon 6.7.5 and later.
7. Opera JavaScript Console Single Quote Attribute Injection Vulnerability
BugTraq ID: 7449
Remote: Yes
Date Published: Apr 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7449
Summary:
Opera is a web client available for a number of platforms, including
Microsoft Windows, Linux and Unix variants and Apple MacOS.
A vulnerability has been reported for Opera 7 browsers for Microsoft
Windows operating systems. The vulnerability exists in Opera's JavaScript
console program. The console program consists of three HTML files, one of
which is 'console.html'. Any unhandled exceptions thrown by any JavaScript
are listed in the console and are converted into clickable links.
The vulnerability is present in the regular expressions used by
'console.html' to format exception messages. Specifically, exception
messages are not parsed for quote characters. By inserting single quote
(') characters it is possible to add additional attributes to URIs, which
may make it possible to execute arbitrary attacker-supplied script code
through the file:// URI handler. This may lead to disclosure of local
file contents to remote attackers.
This issue is a variant of the vulnerability described in BID 6755, using
single quote characters instead of double quotes. It is reported that
this variant also affects patched versions of the browser. Opera 7.10
attempts to address this issue by sanitizing single quote characters, but
is still prone to the issue if the hexadecimal code for the single quote
HTML entity is used.
8. 3D-FTP Client Buffer Overflow Vulnerability
BugTraq ID: 7451
Remote: Yes
Date Published: Apr 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7451
Summary:
3D-FTP is a lightweight FTP client application for Microsoft Windows.
It has been reported that 3D-FTP client may be prone to a buffer overflow
condition. This issue is due to the client not implementing sufficient
bounds checking on banner data copied into local memory buffers.
When the FTP client receives an FTP banner that contains an excessive
amount of data it becomes unstable. It has been reported that this
vulnerability can be reproduced by sending an FTP banner of 8192 bytes or
more to a vulnerable client. When the client reads in the banner,
sensitive regions of memory may be corrupted with attacker-supplied
values.
It may be possible for attackers to leverage this vulnerability to execute
instructions. Any code executed would be in the security context of the
FTP client process.
9. Opera 6/7 Remote Heap Corruption Vulnerability
BugTraq ID: 7450
Remote: Yes
Date Published: Apr 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7450
Summary:
Opera is a web browser available for a number of platforms, including
Microsoft Windows, Linux and Unix variants and Apple MacOS.
A vulnerability has been reported for Opera versions 7.10 and earlier, on
the Microsoft Windows platform. The problem is said to occur due to
insufficient bounds checking on filename extensions. As a result, it may
be possible for an attacker to corrupt heap-based memory. This may allow
for the execution of arbitrary code or a prolonged denial of service.
If this issue were exploited, Opera may continuously crash until the
'dcache4.url' file has been deleted. This is due to the malicious filename
being stored within the cache-index.
10. Truegalerie Unauthorized Administrative Access Vulnerability
BugTraq ID: 7427
Remote: Yes
Date Published: Apr 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7427
Summary:
Truegalerie is web-based photo album software implemented in PHP and is
available for a variety of platforms including Microsoft Windows and Linux
variant systems.
A vulnerability has been reported for Truegalerie that may result in
unauthorized administrative access. The vulnerability exists due to
insufficient sanitization of some URI values. Specifically, the values for
the URI parameter 'loggedin' are not properly verified.
An attacker can exploit this vulnerability by manipulating the 'loggedin'
URI parameter to obtain administrative access to the site hosting
Truegalerie.
This vulnerability was reported for Truegalerie 1.0.
11. Multiple PHP-Nuke HTML Injection Vulnerabilities
BugTraq ID: 7432
Remote: Yes
Date Published: Apr 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7432
Summary:
PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.
Multiple HTML injection vulnerabilities have been reported in PHP-Nuke.
PHP-Nuke does not sufficiently sanitize HTML and script code from various
input fields. This input may be displayed throughout various places in
the forum, private messages, user profiles, comments, news and possibly
other modules.
In some instances, hostile HTML and script code will not be sanitized from
HTML elements which are considered safe to use. Form fields for certain
modules may also permit injection of HTML and script code.
Code that is injected through exploitation of these issues may be rendered
by web clients visiting the site hosting PHP-Nuke. This will occur in the
context of the site. Exploitation could allow theft of cookie-based
authentication credentials or other attacks.
These issues were reported in PHP-Nuke 6.5 Final. Other versions may also
be affected.
12. Macromedia ColdFusion MX Error Message Path Disclosure Vulnerability
BugTraq ID: 7443
Remote: Yes
Date Published: Apr 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7443
Summary:
ColdFusion MX is an application server for developing and hosting web
applications, distributed by Macromedia. It is available as a standalone
product for Unix, Linux, and Microsoft Windows operating systems.
A vulnerability has been reported for Macromedia ColdFusion MX that may
reveal the physical path information to attackers.
When certain malformed URL requests are received by the server, an error
message is returned containing the full path of the ColdFusion
installation. Specifically, when a request for the /CFIDE/probe.cfm page
is made on the server process on port 8500, an error message is returned
which contains path information.
Information obtained in this manner may be used by an attacker to launch
further attacks against a vulnerable system.
13. Netscape Navigator Directory Cross-Domain Scripting Vulnerability
BugTraq ID: 7456
Remote: Yes
Date Published: Apr 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7456
Summary:
Netscape is a web browser which is available for a number of platforms,
including Microsoft Windows and Unix and Linux variants.
A vulnerability has been reported that could allow an attacker to fool
Netscape into running script in a foreign domain. If a dot (.) is
appended to the end of the hostname in a URI, Netscape may accept the
directory name as the actual domain. This could permit a malicious web
page to access the DOM (Document Object Model) of another foreign domain.
An attacker could exploit this by enticing a user to visit a malicious URI
and then running malicious script code which can access the properties of
a foreign domain. This could lead to theft of cookie-based authentication
credentials, information disclosure or other attacks.
This issue was reported for Netscape Navigator 7.02. It is likely that
other versions of Netscape are vulnerable to this issue. Browsers based on
Mozilla may be vulnerable as well.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Outlook Security Settings removed (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320115
2. AD Question (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320113
3. SecurityFocus Microsoft Newsletter #135 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/319876
4. Windows 2003 Security Guides (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/319711
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. Steganos InternetTrace-Destructor 6
by Steganos
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.steganos.com/en/itd/info.htm
Summary:
Steganos InternetTrace-Destructor 6 helps protect users' online and offline
privacy. The latest version of Steganos software features enhanced browser
support, including for AOL, as well as Internet Explorer and Netscape; the
one-click elimination of even more traces of online and offline PC
activity, including from AOL, Office 2000, Windows XP, various media
players, WinZip and Google Toolbar; the prevention of XP user data from
being transmitted to Microsoft; the management and destruction of cookies;
the destruction of history data, logs and cache; the elimination of
temporary files that slow down PCs; and the permanent destruction of
confidential documents.
2. iView Security Analytics
by The Illumen Group
Platforms: N/A
Relevant URL:
http://www.illumen.com/products.cfm?detailsid=2
Summary:
iView Security Analytics software provides detailed, easy-to-read and
interpret reports of Internet data traffic for today's connected
enterprise. iView uses highly optimized algorithms that process and
classify firewall's raw information to generate reports accurately and
efficiently. Developed by The Illumen Group, Inc., a trusted veteran in
the ever-changing Internet security market, iView's reports can be
leveraged to help secure and protect an organization while improving
Internet resource utilization. With iView, you have the power to...
- DEVELOP and enforce acceptable use policies
- DETERMINE whether Internet bandwidth is adequate for the organization's needs
- QUANTIFY and deploy bandwidth shaping policies
- REVEAL denied events and attempted intrusions
- DOCUMENT and investigate attacks from both internal and external sources
- COMBAT those attacks with more comprehensive security policies
3. Preventon Web Protect
by PreventonTechnologies Ltd.
Platforms: Windows 2000, Windows 95/98, Windows XP
Relevant URL:
http://www.preventon.com/webprotect/
Summary:
Preventon Web Protect is an advanced defence system for protecting your
website against attack! This exceptional security software provides
control over the communications between the Internet and your web server
by filtering out malicious attacks that it recognises, including: worm
attacks, buffer overflows attacks, unauthorised page uploads, and many
others!
V. NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. Jeb Perl Ping Stats v1.4.4
by Jean-Edouard BABIN Jeb@jeb.com.fr
Relevant URL:
http://www.jeb.be/codingstuff/
Platforms: N/A
Summary:
JPPS (Jeb Perl Ping Stats) is a Perl script which extracts statistics from
the output generated by the 'ping' command.
2. proDETECT v0.2b
by Egemen Tas egemen@ipipi.com or egemen@usaf.org
Relevant URL:
http://www.cmpe.boun.edu.tr/~tas/
Platforms: Windows 2000, Windows NT, Windows XP
Summary:
proDETECT is an open source promiscuous mode scanner with a GUI. It uses
an ARP packet analysis technique to detect adapters in promiscuous mode.
This tool can be used by security administrators to detect sniffers in a
LAN. It can be scheduled for regular scanning at set intervals. It also has
some advanced reporting capabilities such as SMTP reporting. Full source
code is included.
3. WaveLock v1.0
by SecureWave http://www.securewave.com
Relevant URL:
http://www.securewave.com/products/free_utilities/wavelock.html
Platforms: Windows 2000, Windows NT, Windows XP
Summary:
Windows 2000 and Windows XP come with drivers for several wireless LAN
("WLAN") adapters; installation requires only insertion of one of those
adapters. Administrative privileges are not required, as no new drivers
must be registered with the operating system. WaveLock assists in
enforcing security policies by blocking access to these adapters, making
it harder to circumvent firewalls, filters, proxies, and other required
safeguards.
To install WaveLock, download and uncompress wavelock.zip. Execute the
resulting wavelock.msi file (a Windows Installer setup), which installs
wavelock.sys. Reboot to load and activate WaveLock.
A list of the wireless network adapters supported out-of-the-box on
Windows 2000 and Windows XP can be found below. Note that WaveLock cannot
know about and will therefore not block additional drivers installed by
administrators.
VI. SPONSOR INFORMATION
-----------------------
This issue is sponsored by: KaVaDo
The only integrated Web Application Security Suite
==================================================
ScanDo - Web Application Scanner
InterDo - Web Application Firewall
KaVaDo Inc., Web Application Security without Compromise
Read more at: http://www.securityfocus.com/Kavado-ms-secnews
-------------------------------------------------------------------------------
-----------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most
recognized corporate security certification track provides a comprehensive
prospectus based upon the core principle concepts of security. This ALL
INCLUSIVE curriculum utilizes lectures, case studies and true hands-on
utilization of pertinent security tools. For a limited time you can enter
for a chance to win one of the latest technological innovations, the
SEGWAY HT.
Log onto http://www.securityfocus.com/FastTrain-focus-ms
------------------------------------------------------------------------------