SecurityFocus Microsoft Newsletter #135

From: Marc Fossi (mfossi_at_securityfocus.com)
Date: 05/05/03

    Date: Mon, 5 May 2003 12:54:43 -0600 (MDT)
    To: Focus-MS <focus-ms@securityfocus.com>
    
    

    SecurityFocus Microsoft Newsletter #135
    ---------------------------------------

    This issue is sponsored by: KaVaDo

    The only integrated Web Application Security Suite
    ==================================================
    ScanDo - Web Application Scanner
    InterDo - Web Application Firewall

    KaVaDo Inc., Web Application Security without Compromise
    Read more at: http://www.securityfocus.com/Kavado-ms-secnews
    -------------------------------------------------------------------------------

    I. FRONT AND CENTER
         1. Honeypots: Simple, Cost-Effective Detection
         2. Madonna's Borderline MP3 Tactics
         3. Auditing Web Site Authentication, Part Two
    II. MICROSOFT VULNERABILITY SUMMARY
         1. Bugzilla Local Dependency Graph HTML Injection Vulnerability
         2. Bugzilla Default HTML Template Cross-Site Scripting...
         3. Bugzilla Insecure Temporary File Handling Vulnerabilities
         4. VisNetic ActiveDefense Multiple GET Request Denial of...
         5. Alt-N MDaemon POP Server DELE Command Buffer Overflow...
         6. Alt-N MDaemon IMAP Server Folder Creation Buffer Overflow...
         7. Opera JavaScript Console Single Quote Attribute Injection...
         8. 3D-FTP Client Buffer Overflow Vulnerability
         9. Opera 6/7 Remote Heap Corruption Vulnerability
         10. Truegalerie Unauthorized Administrative Access Vulnerability
         11. Multiple PHP-Nuke HTML Injection Vulnerabilities
         12. Macromedia ColdFusion MX Error Message Path Disclosure...
         13. Netscape Navigator Directory Cross-Domain Scripting Vulnerability
    III. MICROSOFT FOCUS LIST SUMMARY
         1. Outlook Security Settings removed (Thread)
         2. AD Question (Thread)
         3. SecurityFocus Microsoft Newsletter #135 (Thread)
         4. Windows 2003 Security Guides (Thread)
    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
         1. Steganos InternetTrace-Destructor 6
         2. iView Security Analytics
         3. Preventon Web Protect
    V. NEW TOOLS FOR MICROSOFT PLATFORMS
         1. Jeb Perl Ping Stats v1.4.4
         2. proDETECT v0.2b
         3. WaveLock v1.0
    VI. SPONSOR INFORMATION

    I. FRONT AND CENTER
    -------------------
    1. Honeypots: Simple, Cost-Effective Detection
    By Lance Spitzner

    This is the fourth article in an ongoing series on honeypots. This article
    will examine the role of honeypots in detection.

    http://www.securityfocus.com/infocus/1690

    2. Madonna's Borderline MP3 Tactics
    By Mark Rasch

    The material girl's foul-mouthed revenge on music traders could be
    interpreted as a deceptive trade practice, or even outright fraud.

    http://www.securityfocus.com/columnists/158

    3. Auditing Web Site Authentication, Part Two
    By Mark Burnett

    This is the second part of a two-part series addressing both of those
    issues by establishing a standard audit procedure by which to measure your
    own security. This article will explore issues surrounding user privacy,
    session authentication, user security, and cookies.

    http://www.securityfocus.com/infocus/1691

    II. BUGTRAQ SUMMARY
    -------------------
    1. Bugzilla Local Dependency Graph HTML Injection Vulnerability
    BugTraq ID: 6861
    Remote: Yes
    Date Published: Apr 24 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6861
    Summary:

    Bugzilla is a freely available, open source bug tracking software package.
    It is available for Linux, Unix, and Microsoft Windows operating systems.

    Bugzilla versions 2.16 and later include a feature that allows users to
    generate bug dependency graphs on their local system via the GraphViz
    suite.

    HTML is not sanitized when these graphs are generated locally. Malicious
    HTML and script may be included in bug summaries. When the dependency
    graph is generated, that HTML and script code is carried into the ALT and
    NAME attributes of the AREA tags in the client-side image map.

    This may be exploited to cause HTML or script code to be interpreted by
    the web client of a user who generates a dependency graph which contains
    malicious data. Though unconfirmed, in some browsers this may result in
    HTML/script code being executed with relaxed permissions if it is executed
    in a local context. If this is possible, it may be possible to gain
    unauthorized access to local resources.

    Earlier versions of Bugzilla, and installations configured to use a remote
    server to generate dependency graphs, are not affected by this vulnerability.

    2. Bugzilla Default HTML Template Cross-Site Scripting Vulnerabilities
    BugTraq ID: 6868
    Remote: Yes
    Date Published: Apr 24 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6868
    Summary:

    Bugzilla is a freely available, open source bug tracking software package.
    It is available for Linux, Unix, and Microsoft Windows operating systems.

    Multiple cross-site scripting vulnerabilities exist in the default HTML
    templates for Bugzilla. User-supplied input is not sanitized of HTML and
    script code before being output by Bugzilla. Hostile script code and HTML
    could be passed through Bugzilla and interpreted in the browser of a web
    user who visits a Bugzilla site. This will occur in the security context
    of the site hosting Bugzilla.

    Successful exploitation may allow for theft of cookie-based authentication
    credentials or other attacks which could compromise the integrity or other
    security properties of the bug tracking system.

    Default HTML templates were not prone to these issues in Bugzilla versions
    prior to 2.16. English, Russian and German HTML template localizations
    are reported to be affected, though templates for other languages may also
    be affected.

    3. Bugzilla Insecure Temporary File Handling Vulnerabilities
    BugTraq ID: 7412
    Remote: Unknown
    Date Published: Apr 24 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7412
    Summary:

    Bugzilla is a freely available, open source bug tracking software package.
    It is available for Linux, Unix, and Microsoft Windows operating systems.

    Bugzilla creates temporary files insecurely. Multiple instances of this
    problem were reported. An attacker could exploit this issue by creating a
    symbolic link named after one of the temporary files created by Bugzilla.
    If the symbolic link points to a file which is writeable by the web server
    hosting Bugzilla, file corruption could result when Bugzilla attempts to
    perform temporary file operations on attacker-created symbolic links.

    Although unconfirmed, there is a potential for privilege escalation if the
    attacker can cause files to be corrupted with custom data via symbolic
    link attacks. Loss of critical data is also possible if this issue is
    successful, which could also result in a denial of service.

    4. VisNetic ActiveDefense Multiple GET Request Denial of Service Vulnerability
    BugTraq ID: 7428
    Remote: Yes
    Date Published: Apr 24 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7428
    Summary:

    VisNetic ActiveDefense is a network-based intrusion detection system
    designed to run on web and email servers. Its capabilities include web and
    email traffic filtering. ActiveDefense is available for the Microsoft
    Windows operating system.

    A vulnerability has been discovered in ActiveDefense when running on a
    Microsoft IIS web server. The problem occurs while processing a multitude
    of malicious HTTP requests.

    The issue can be triggered by sending 90 successive HTTP requests to the
    IIS server, each containing approximately 100 bytes of data. When
    processed, these requests trigger a condition that crashes the affected
    system.

    An attacker could exploit this issue to deny other legitimate users from
    accessing HTTP services.

    The system must be restarted to restore regular functionality.

    This denial of service is known to affect VisNetic ActiveDefense 1.3.1. It
    is likely that earlier versions are similarly affected.

    5. Alt-N MDaemon POP Server DELE Command Buffer Overflow Vulnerability
    BugTraq ID: 7445
    Remote: Yes
    Date Published: Apr 26 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7445
    Summary:

    Alt-N MDaemon is a Microsoft Windows based mail server product.

    A buffer overflow vulnerability has been reported for MDaemon. The
    vulnerability is due to inadequate bounds checking on the 'DELE' POP
    server command.

    An attacker can exploit this vulnerability by submitting a very large
    value for the DELE command to the POP server. When the POP server receives
    this command, it will trigger the overflow condition and will cause
    MDaemon to crash.

    Although unconfirmed, it may be possible for a remote attacker to exploit
    this issue to execute arbitrary system commands with the privileges of the
    MDaemon process.

    This vulnerability was reported for MDaemon versions 6.0.7 and later.

    This issue is very similar to the issue described in BID 6053.

    6. Alt-N MDaemon IMAP Server Folder Creation Buffer Overflow Vulnerability
    BugTraq ID: 7446
    Remote: Yes
    Date Published: Apr 26 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7446
    Summary:

    Alt-N MDaemon is a Microsoft Windows based mail server product.

    A buffer overflow vulnerability has been reported for the MDaemon IMAP
    server. The vulnerability exists when IMAP folders are created.
    Specifically, MDaemon does not perform adequate bounds checks when
    processing the CREATE command.

    A malicious IMAP user is able to issue a CREATE command with an overly
    long value, consisting of greater than 2000 characters, to the vulnerable
    MDaemon server. Upon processing this malicious user-input, the buffer
    overflow condition will be triggered which may result in code execution
    with elevated privileges.

    This vulnerability was reported to affect MDaemon 6.7.5 and later.

    7. Opera JavaScript Console Single Quote Attribute Injection Vulnerability
    BugTraq ID: 7449
    Remote: Yes
    Date Published: Apr 28 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7449
    Summary:

    Opera is a web client available for a number of platforms, including
    Microsoft Windows, Linux and Unix variants and Apple MacOS.

    A vulnerability has been reported for Opera 7 browsers for Microsoft
    Windows operating systems. The vulnerability exists in Opera's JavaScript
    console program. The console program consists of three HTML files, one of
    which is 'console.html'. Any unhandled exceptions thrown by any JavaScript
    are listed in the console and are converted into clickable links.

    The vulnerability is present in the regular expressions used by
    'console.html' to format exception messages. Specifically, exception
    messages are not checked for quote characters. By inserting single quote
    (') characters, it is possible to add additional attributes to the
    generated URIs, which may make it possible to execute arbitrary
    attacker-supplied script code through the file:// URI handler. This may
    lead to disclosure of local file contents to remote attackers.

    This issue is a variant of the vulnerability described in BID 6755, using
    single quote characters instead of double quotes. It is reported that
    this variant also affects patched versions of the browser. Opera 7.10
    attempts to address this issue by sanitizing single quote characters, but
    is still prone to the issue if the hexadecimal code for the single quote
    HTML entity is used.

    8. 3D-FTP Client Buffer Overflow Vulnerability
    BugTraq ID: 7451
    Remote: Yes
    Date Published: Apr 28 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7451
    Summary:

    3D-FTP is a lightweight FTP client application for Microsoft Windows.

    It has been reported that 3D-FTP client may be prone to a buffer overflow
    condition. This issue is due to the client not implementing sufficient
    bounds checking on banner data copied into local memory buffers.

    When the FTP client receives an FTP banner that contains an excessive
    amount of data it becomes unstable. It has been reported that this
    vulnerability can be reproduced by sending an FTP banner of 8192 bytes or
    more to a vulnerable client. When the client reads in the banner,
    sensitive regions of memory may be corrupted with attacker-supplied
    values.

    It may be possible for attackers to leverage this vulnerability to execute
    instructions. Any code executed would be in the security context of the
    FTP client process.

    9. Opera 6/7 Remote Heap Corruption Vulnerability
    BugTraq ID: 7450
    Remote: Yes
    Date Published: Apr 28 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7450
    Summary:

    Opera is a web browser available for a number of platforms, including
    Microsoft Windows, Linux and Unix variants and Apple MacOS.

    A vulnerability has been reported for Opera versions 7.10 and earlier, on
    the Microsoft Windows platform. The problem is said to occur due to
    insufficient bounds checking on filename extensions. As a result, it may
    be possible for an attacker to corrupt heap-based memory. This may allow
    for the execution of arbitrary code or a prolonged denial of service.

    If this issue were exploited, Opera may continuously crash until the
    'dcache4.url' file has been deleted. This is due to the malicious filename
    being stored within the cache-index.

    10. Truegalerie Unauthorized Administrative Access Vulnerability
    BugTraq ID: 7427
    Remote: Yes
    Date Published: Apr 25 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7427
    Summary:

    Truegalerie is web-based photo album software implemented in PHP and is
    available for a variety of platforms including Microsoft Windows and Linux
    variant systems.

    A vulnerability has been reported for Truegalerie that may result in
    unauthorized administrative access. The vulnerability exists due to
    insufficient sanitization of some URI values. Specifically, the values for
    the URI parameter 'loggedin' are not properly verified.

    An attacker can exploit this vulnerability by manipulating the 'loggedin'
    URI parameter to obtain administrative access to the site hosting
    Truegalerie.

    This vulnerability was reported for Truegalerie 1.0.

    11. Multiple PHP-Nuke HTML Injection Vulnerabilities
    BugTraq ID: 7432
    Remote: Yes
    Date Published: Apr 24 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7432
    Summary:

    PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
    for a range of systems, including Unix, Linux, and Microsoft Windows.

    Multiple HTML injection vulnerabilities have been reported in PHP-Nuke.
    PHP-Nuke does not sufficiently sanitize HTML and script code from various
    input fields. This input may be displayed throughout various places in
    the forum, private messages, user profiles, comments, news and possibly
    other modules.

    In some instances, hostile HTML and script code will not be sanitized from
    HTML elements which are considered safe to use. Form fields for certain
    modules may also permit injection of HTML and script code.

    Code that is injected through exploitation of these issues may be rendered
    by web clients visiting the site hosting PHP-Nuke. This will occur in the
    context of the site. Exploitation could allow theft of cookie-based
    authentication credentials or other attacks.

    These issues were reported in PHP-Nuke 6.5 Final. Other versions may also
    be affected.

    12. Macromedia ColdFusion MX Error Message Path Disclosure Vulnerability
    BugTraq ID: 7443
    Remote: Yes
    Date Published: Apr 26 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7443
    Summary:

    ColdFusion MX is a web application development and hosting server
    distributed by Macromedia. It is available as a standalone product for
    Unix, Linux, and Microsoft operating systems.

    A vulnerability has been reported for Macromedia ColdFusion MX that may
    reveal the physical path information to attackers.

    When certain malformed URL requests are received by the server, an error
    message is returned containing the full path of the ColdFusion
    installation. Specifically, when a request for the /CFIDE/probe.cfm page
    is made on the server process on port 8500, an error message is returned
    which contains path information.

    Information obtained in this manner may be used by an attacker to launch
    further attacks against a vulnerable system.

    13. Netscape Navigator Directory Cross-Domain Scripting Vulnerability
    BugTraq ID: 7456
    Remote: Yes
    Date Published: Apr 29 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7456
    Summary:

    Netscape is a web browser which is available for a number of platforms,
    including Microsoft Windows and Unix and Linux variants.

    A vulnerability has been reported that could allow an attacker to fool
    Netscape into running script in a foreign domain. If a dot (.) is
    appended to the end of the hostname in a URI, Netscape may accept the
    directory name as the actual domain. This could permit a malicious web
    page to access the DOM (Document Object Model) of another foreign domain.

    An attacker could exploit this by enticing a user to visit a malicious URI
    and then running malicious script code which can access the properties of
    a foreign domain. This could lead to theft of cookie-based authentication
    credentials, information disclosure or other attacks.

    This issue was reported for Netscape Navigator 7.02. It is likely that
    other versions of Netscape are vulnerable to this issue. Browsers based on
    Mozilla may also be vulnerable.

    III. MICROSOFT FOCUS LIST SUMMARY
    ---------------------------------
    1. Outlook Security Settings removed (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/320115

    2. AD Question (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/320113

    3. SecurityFocus Microsoft Newsletter #135 (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/319876

    4. Windows 2003 Security Guides (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/319711

    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
    ----------------------------------------
    1. Steganos InternetTrace-Destructor 6
    by Steganos
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    Relevant URL:
    http://www.steganos.com/en/itd/info.htm
    Summary:

    Steganos InternetTrace-Destructor 6 helps protect users' online and offline
    privacy. The latest version of Steganos software features enhanced browser
    support, including for AOL, as well as Internet Explorer and Netscape; the
    one-click elimination of even more traces of online and offline PC
    activity, including from AOL, Office 2000, Windows XP, various media
    players, WinZip and Google Toolbar; the prevention of XP user data from
    being transmitted to Microsoft; the management and destruction of cookies;
    the destruction of history data, logs and cache; the elimination of
    temporary files that slow down PCs; and the permanent destruction of
    confidential documents.

    2. iView Security Analytics
    by The Illumen Group
    Platforms: N/A
    Relevant URL:
    http://www.illumen.com/products.cfm?detailsid=2
    Summary:

    iView Security Analytics software provides detailed, easy-to-read and
    interpret reports of Internet data traffic for today's connected
    enterprise. iView uses highly optimized algorithms that process and
    classify firewall's raw information to generate reports accurately and
    efficiently. Developed by The Illumen Group, Inc., a trusted veteran in
    the ever-changing Internet security market, iView's reports can be
    leveraged to help secure and protect an organization while improving
    Internet resource utilization. With iView, you have the power to...

     - DEVELOP and enforce acceptable use policies
     - DETERMINE whether Internet bandwidth is adequate for the organization's
       needs
     - QUANTIFY and deploy bandwidth shaping policies
     - REVEAL denied events and attempted intrusions
     - DOCUMENT and investigate attacks from both internal and external
       sources
     - COMBAT those attacks with more comprehensive security policies

    3. Preventon Web Protect
    by PreventonTechnologies Ltd.
    Platforms: Windows 2000, Windows 95/98, Windows XP
    Relevant URL:
    http://www.preventon.com/webprotect/
    Summary:

    Preventon Web Protect is an advanced defence system for protecting your
    website against attack! This exceptional security software provides
    control over the communications between the Internet and your web server
    by filtering out malicious attacks that it recognises, including: worm
    attacks, buffer overflows attacks, unauthorised page uploads, and many
    others!

    V. NEW TOOLS FOR MICROSOFT PLATFORMS
    -------------------------------------
    1. Jeb Perl Ping Stats v1.4.4
    by Jean-Edouard BABIN Jeb@jeb.com.fr
    Relevant URL:
    http://www.jeb.be/codingstuff/
    Platforms: N/A
    Summary:

    JPPS (Jeb Perl Ping Stats) is a Perl script which extracts statistics from
    the output generated by the 'ping' command.

    2. proDETECT v0.2b
    by Egemen Tas egemen@ipipi.com or egemen@usaf.org
    Relevant URL:
    http://www.cmpe.boun.edu.tr/~tas/
    Platforms: Windows 2000, Windows NT, Windows XP
    Summary:

    proDETECT is an open source promiscuous mode scanner with a GUI. It uses
    an ARP packet analysis technique to detect adapters in promiscuous mode.
    This tool can be used by security administrators to detect sniffers in a
    LAN. It can be scheduled for regular scanning at set intervals. It also
    has some advanced reporting capabilities such as SMTP reporting. Full
    source code is included.

    3. WaveLock v1.0
    by SecureWave http://www.securewave.com
    Relevant URL:
    http://www.securewave.com/products/free_utilities/wavelock.html
    Platforms: Windows 2000, Windows NT, Windows XP
    Summary:

    Windows 2000 and Windows XP come with drivers for several wireless LAN
    ("WLAN") adapters; installation requires only insertion of one of those
    adapters. Administrative privileges are not required, as no new drivers
    must be registered with the operating system. WaveLock assists in
    enforcing security policies by blocking access to these adapters, making
    it harder to circumvent firewalls, filters, proxies, and other required
    safeguards.

    To install WaveLock, download and uncompress wavelock.zip. Execute the
    resulting wavelock.msi file (a Windows Installer setup), which installs
    wavelock.sys. Reboot to load and activate WaveLock.

    A list of the wireless network adapters supported out-of-the-box on
    Windows 2000 and Windows XP can be found below. Note that WaveLock cannot
    know about and will therefore not block additional drivers installed by
    administrators.

    VI. SPONSOR INFORMATION
    -----------------------
    This issue is sponsored by: KaVaDo

    The only integrated Web Application Security Suite
    ==================================================
    ScanDo - Web Application Scanner
    InterDo - Web Application Firewall

    KaVaDo Inc., Web Application Security without Compromise
    Read more at: http://www.securityfocus.com/Kavado-ms-secnews
    -------------------------------------------------------------------------------

    -----------------------------------------------------------------------------
    FastTrain has your solution for a great CISSP Boot Camp. The industry's most
    recognized corporate security certification track provides a comprehensive
    prospectus based upon the core principle concepts of security. This ALL
    INCLUSIVE curriculum utilizes lectures, case studies and true hands-on
    utilization of pertinent security tools. For a limited time you can enter
    for a chance to win one of the latest technological innovations, the
    SEGWAY HT.
    Log onto http://www.securityfocus.com/FastTrain-focus-ms
    ------------------------------------------------------------------------------

