SecurityFocus Microsoft Newsletter #142

From: Marc Fossi (mfossi_at_securityfocus.com)
Date: 06/23/03

    Date: Mon, 23 Jun 2003 12:06:27 -0600 (MDT)
    To: Focus-MS <focus-ms@securityfocus.com>

    SecurityFocus Microsoft Newsletter #142
    ---------------------------------------

    This Issue is Sponsored by: SPI Dynamics

    ALERT: "How a Hacker Uses SQL Injection to Steal Your Data"

    It's as simple as placing additional SQL commands into a Web Form input
    box giving hackers complete access to all your backend systems!
    Firewalls and IDS will not stop such attacks because SQL Injections are
    NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics
    for a complete guide to protection!

    http://www.securityfocus.com/SPIDynamics-ms-secnews4
    -------------------------------------------------------------------------------
    I. FRONT AND CENTER
         1. Tracking Down the Phantom Host
         2. From the Booby Hatch
    II. MICROSOFT VULNERABILITY SUMMARY
         1. WebcamNow Plain Text Password Storage Weakness
         2. Mollensoft Enceladus Server Suite Clear Text Password Storage...
         3. silentThought Simple Web Server Directory Traversal...
         4. Mollensoft Enceladus Server Suite HTACCESS File Access Weakness
         5. FakeBO Syslog Format String Vulnerability
         6. Mollensoft Software Enceladus Server Suite Guestbook HTML...
         7. MySQL libmysqlclient Library mysql_real_connect() Buffer...
         8. WebBBS Pro Malicious GET Request Denial Of Service Vulnerability
         9. PostNuke Modules.PHP Multiple Cross-Site Scripting Vulnerabilities
         10. PostNuke User.PHP UNAME Cross-Site Scripting Vulnerability
         11. Methodus 3 FTP Server File Disclosure Vulnerability
         12. Mollensoft Hyperion FTP/Enceladus Server Suite Multiple Remote...
         13. MikMod Long File Name Local Buffer Overflow Vulnerability
         14. Progress Database DBAgent InstallDir Local Privilege Elevation...
         15. myServer Signal Handling Denial Of Service Vulnerability
         16. Snitz Forums Search.ASP Cross-Site Scripting Vulnerability
         17. PHPBB Admin_Styles.PHP Theme_Info.CFG File Include Vulnerability
         18. Microsoft Internet Explorer Custom HTTP Error HTML Injection...
         19. MiniHTTPServer WebForums Server Remote Directory Traversal...
         20. Multiple Gnocatan Server Buffer Overflow Vulnerabilities
         21. Sphera HostingDirector Session ID Random Generator Weakness
         22. Methodus 3 Web Server File Disclosure Vulnerability
         23. Progress Database Environment Variable Local Privilege...
         24. Mailtraq User Password Encoding Weakness
         25. Snitz Forum Cookie Authentication Bypass Vulnerability
         26. Mailtraq Remote Format String SMTP Resource Consumption...
         27. Pod.Board Forum_Details.PHP Multiple HTML Injection...
         28. Internet Security Systems BlackICE Defender Cross-site...
         29. CesarFTP Remote CWD Denial of Service Vulnerability
         30. Mailtraq Remote Directory Traversal Vulnerability
         31. Snitz Forums Password.ASP Password-Reset Vulnerability
         32. Mailtraq Webmail Remote HTML Injection Vulnerability
         33. Pod.Board New_Topic.PHP Multiple HTML Injection Vulnerabilities
         34. Microsoft Internet Explorer MSXML XML File Parsing Cross-Site...
         35. Armida Databased Web Server Long Request Denial Of Service...
         36. MyServer HTTP Server Directory Traversal Vulnerability
         37. Proxomitron Proxy Server Long Get Request Remote Denial Of...
    III. MICROSOFT FOCUS LIST SUMMARY
         1. Filtering DHCP Assignments by MAC Address (Thread)
         2. Windows Event Logs (Thread)
         3. NTRootkit (Thread)
         4. Article Announcement: Tracking Down the Phantom Host (Thread)
         5. Question regarding su.exe (Thread)
         6. Administrivia: OOO Messages (Thread)
         7. SecurityFocus Microsoft Newsletter #141 (Thread)
         8. Local User Permissions in a Public, Domain Environment? (Thread)
    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
         1. Netsecure Log
         2. AccessGuard
         3. Intellitactics Network Security Manager
    V. NEW TOOLS FOR MICROSOFT PLATFORMS
         1. Star v1.5a15
         2. Logrep v1.3.2
         3. Monitoring Application for Resources and Servers v2.2.1
    VI. SPONSOR INFORMATION

    I. FRONT AND CENTER
    -------------------
    1. Tracking Down the Phantom Host
    By John Payton

    This article explains techniques on how to locate a problem host when you
    are not sure where it is physically located.

    http://www.securityfocus.com/infocus/1705

    2. From the Booby Hatch
    By George Smith

    Senator Orrin Hatch says he wants to destroy music swappers' computers,
    but what he really means is that kids today have no respect for their
    elders.

    http://www.securityfocus.com/columnists/168

    II. BUGTRAQ SUMMARY
    -------------------
    1. WebcamNow Plain Text Password Storage Weakness
    BugTraq ID: 7884
    Remote: No
    Date Published: Jun 12 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7884
    Summary:

    WebcamNow is a streaming image service available for Microsoft Windows
    operating systems.

    WebcamNow stores usernames and associated passwords using plaintext
    format, in the Windows registry. Specifically, WebcamNow stores
    authentication credentials in the following registry entries:

    HKEY_LOCAL_MACHINE\SOFTWARE\WebCamNow\Users\Name
    HKEY_LOCAL_MACHINE\SOFTWARE\WebCamNow\Users\Password

    As a result, these credentials could be exposed to other local users who
    have the permissions to access the registry.

    2. Mollensoft Enceladus Server Suite Clear Text Password Storage Weakness
    BugTraq ID: 7886
    Remote: No
    Date Published: Jun 12 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7886
    Summary:

    Enceladus Server Suite is a commercially available HTTP and FTP server
    distributed by Mollensoft Software. It is available for the Microsoft
    Windows platform.

    A problem in the software may expose potentially sensitive information.

    It has been reported that Enceladus Server Suite does not securely store
    user credentials. This may allow an unauthorized user to gain access to
    potentially sensitive information.

    Enceladus does not securely store user passwords. Instead, the program
    stores passwords in clear text on the local system. An attacker with
    access to the directory could harvest username and password pairs from an
    installation.

    3. silentThought Simple Web Server Directory Traversal Vulnerability
    BugTraq ID: 7888
    Remote: Yes
    Date Published: Jun 12 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7888
    Summary:

    silentThought Simple Web Server is an HTTP server designed for use on
    Microsoft Windows operating environments.

    It has been reported that Simple Web Server fails to properly sanitize web
    requests. By sending a malicious web request to the vulnerable server,
    using directory traversal sequences, it is possible for a remote attacker
    to access sensitive resources located outside of the web root.

    An attacker is able to traverse outside of the established web root by
    using dot-dot-slash (../) directory traversal sequences. An attacker may
    be able to obtain any web server readable files from outside of the web
    root directory.

    Disclosure of sensitive system files may aid the attacker in launching
    further attacks against the target system.

    This vulnerability has been reported for silentThought Simple Web Server
    version 1.0 for the Microsoft Windows platform.

    4. Mollensoft Enceladus Server Suite HTACCESS File Access Weakness
    BugTraq ID: 7889
    Remote: Yes
    Date Published: Jun 12 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7889
    Summary:

    Enceladus Server Suite is a commercially available HTTP and FTP server
    distributed by Mollensoft Software. It is available for the Microsoft
    Windows platform.

    A problem in the software may expose potentially sensitive information.

    It has been reported that Enceladus Server Suite does not securely store
    certain user credentials. This may allow users, who are authorized to
    access the "Security File Downloads" directory, to gain access to
    potentially sensitive information.

    Specifically, an htaccess file is stored without access restrictions,
    making it exposable to users who can access the directory. This specific
    htaccess file contains all credentials of users who have access to the
    specific directory.

    Access to this information may aid an attacker in launching further
    attacks against a target user or the server.

    5. FakeBO Syslog Format String Vulnerability
    BugTraq ID: 7882
    Remote: Yes
    Date Published: Jun 12 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7882
    Summary:

    FakeBO is a utility to log common trojan attempts in an effort to possibly
    emulate one. It may also be used in a honeypot setup to facilitate
    security monitoring. It is available for Microsoft Windows, Linux, and
    Unix variant operating systems.

    A vulnerability has been reported for FakeBO that may result in an
    attacker obtaining elevated privileges on a target system.

    Due to a programming error, it may be possible to exploit a format string
    vulnerability in the affected utility. Specifically, a logging function in
    FakeBO contains insecure syslog() calls. This could result in the
    execution of attacker-supplied code.

    The vulnerability occurs when FakeBO resolves a carefully constructed
    hostname that includes malicious format string specifiers. In the event
    that this vulnerability is exploited, an attacker could cause arbitrary
    locations in memory to be corrupted with attacker-specified data and
    execute code with elevated privileges.

    This vulnerability was reported for FakeBO 0.4.1.

    6. Mollensoft Software Enceladus Server Suite Guestbook HTML Injection Vulnerability
    BugTraq ID: 7885
    Remote: Yes
    Date Published: Jun 12 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7885
    Summary:

    Enceladus Server Suite is a Web and FTP server designed for use with
    Microsoft Windows operating systems.

    Enceladus Server Suite is prone to HTML injection attacks. The
    vulnerability exists in the Guestbook, shipped as part of the web server,
    and is a result of insufficient sanitization of malicious HTML code from
    user-supplied input. HTML and script code may be echoed back when a
    victim user chooses to view the system's Guestbook. It is possible that
    code injected through this issue could be displayed and rendered by other
    users.

    Successful exploitation could permit a malicious attacker to cause the
    execution of hostile HTML and script code in the web client of a user who
    visits a vulnerable site hosting the vulnerable guestbook software. This
    would occur in the security context of the site.

    Exploitation could allow for attacks that steal cookie-based
    authentication credentials. Other attacks are also possible.

    This vulnerability was reported for Enceladus Server Suite 3.9.11. It is
    likely that other versions are also affected by this vulnerability.

    7. MySQL libmysqlclient Library mysql_real_connect() Buffer Overrun Vulnerability
    BugTraq ID: 7887
    Remote: Yes
    Date Published: Jun 12 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7887
    Summary:

    MySQL is an open source relational database project, and is available for
    a number of operating systems, including Microsoft Windows.

    MySQL contains a library called libmysqlclient. A problem exists in the
    mysql_real_connect() function of the libmysqlclient library that could
    result in a buffer being overrun.

    The problem likely occurs due to insufficient bounds checking of
    user-supplied parameters and could allow an attacker to corrupt sensitive
    process memory. It is possible to trigger this condition by supplying a
    parameter containing approximately 350 or more bytes of data.

    An attacker could potentially be capable of exploiting this issue to
    execute arbitrary code on a remote system. It should be noted that this
    issue would be required to be exploited in conjunction with an unrelated
    remote SQL injection attack or possibly used on a system which allows for
    the uploading of scripts.

    8. WebBBS Pro Malicious GET Request Denial Of Service Vulnerability
    BugTraq ID: 7890
    Remote: Yes
    Date Published: Jun 12 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7890
    Summary:

    WebBBS Pro is a web-based BBS system designed to run in Microsoft Windows
    environments. WebBBS Pro is shipped with a web server component.

    A vulnerability has been discovered in WebBBS Pro, which may allow a
    remote attacker to trigger a denial of service condition in the WebBBS
    HTTP server.

    It has been reported that a remote attacker may cause the web server to
    throw an exception by making a malformed HTTP request. The server will
    crash, effectively denying service to legitimate WebBBS Pro users until
    the service is restarted.

    This issue was reported to affect WebBBS Pro 1.18, however, other versions
    may also be affected.

    9. PostNuke Modules.PHP Multiple Cross-Site Scripting Vulnerabilities
    BugTraq ID: 7898
    Remote: Yes
    Date Published: Jun 13 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7898
    Summary:

    PostNuke is a web-based portal system. Implemented in PHP, it is available
    for a range of systems, including Unix, Linux, and Microsoft Windows.

    The PostNuke 'modules.php' script does not sufficiently sanitize data
    supplied via URI parameters, making it prone to cross-site scripting
    attacks. In particular, the 'categories' and 'letter' URI parameters are
    not properly sanitized of HTML tags. This could allow for execution of
    hostile HTML and script code in the web client of a user who visits a web
    page that contains the malicious code. This would occur in the security
    context of the site hosting the software.

    Exploitation could allow for theft of cookie-based authentication
    credentials. Other attacks are also possible.

    It should be noted that, although this vulnerability has been reported to
    affect PostNuke version 0.7.2.3, other versions might also be affected.

    10. PostNuke User.PHP UNAME Cross-Site Scripting Vulnerability
    BugTraq ID: 7901
    Remote: Yes
    Date Published: Jun 13 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7901
    Summary:

    PostNuke is a web-based portal system. Implemented in PHP, it is available
    for a range of systems, including Unix, Linux, and Microsoft Windows.

    The PostNuke 'user.php' script does not sufficiently sanitize data
    supplied via URI parameters, making it prone to cross-site scripting
    attacks. In particular, the 'uname' URI parameter is not properly
    sanitized of HTML tags. This could allow for execution of hostile HTML and
    script code in the web client of a user who visits a web page that
    contains the malicious code. This would occur in the security context of
    the site hosting the software.

    Exploitation could allow for theft of cookie-based authentication
    credentials. Other attacks are also possible.

    It should be noted that, although this vulnerability has been reported to
    affect PostNuke version 0.7.2.3, other versions might also be affected.

    11. Methodus 3 FTP Server File Disclosure Vulnerability
    BugTraq ID: 7905
    Remote: Yes
    Date Published: Jun 13 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7905
    Summary:

    Methodus 3 is a utility that provides a number of features such as file
    sharing through an HTTP server and an FTP client/server implementation.
    It is available for Microsoft Windows operating systems.

    The Methodus 3 FTP server component is prone to a file disclosure
    vulnerability.

    This vulnerability is due to insufficient sanitization of various
    directory traversal sequences from FTP commands. It is possible to break
    out of the FTP root directory by submitting directory sequences such as
    '../' and '//..' via the change directory (CD) FTP command. Other
    commands may be similarly affected. As a result, files that are readable
    by the server could be disclosed to remote attackers. The attacker would
    need to authenticate with the FTP server to exploit this issue, though
    this could occur through anonymous access if it is enabled.

    12. Mollensoft Hyperion FTP/Enceladus Server Suite Multiple Remote Heap Corruption Vulnerabilities
    BugTraq ID: 7909
    Remote: Yes
    Date Published: Jun 13 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7909
    Summary:

    MollenSoft Hyperion FTP Server is a server that supports basic FTP
    functionality and more. It is available for Microsoft Windows operating
    systems.

    MollenSoft Enceladus Server Suite is a combined FTP and HTTP server
    product. It is available for Microsoft Windows operating systems.

    Multiple vulnerabilities have been reported for Mollensoft Hyperion FTP
    and Enceladus Server Suite. The problem likely occurs due to insufficient
    bounds checking of user-supplied command parameters. As a result, by
    supplying excessive data to one of multiple FTP commands it is possible to
    corrupt heap-based memory.

    The affected commands include cwd, stat, mkd, xmkd, rmd, and nlst. It is
    possible to trigger this condition by supplying approximately 270 to 344
    bytes as a parameter to one of the commands.

    This vulnerability could potentially be exploited by an attacker to
    execute arbitrary code with the privileges of the server process, possibly
    SYSTEM. A denial of service attack is also possible.

    13. MikMod Long File Name Local Buffer Overflow Vulnerability
    BugTraq ID: 7914
    Remote: No
    Date Published: Jun 14 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7914
    Summary:

    mikmod is a freely available, open source sound library and module player.
    It is available for Unix, Linux, and Microsoft platforms.

    A problem with the program may make it possible for users to gain
    unauthorized privileges.

    It has been reported that mikmod does not properly handle some types of
    input. Because of this, an attacker may be able to gain unauthorized
    privileges on a system using the program.

    mikmod does not properly handle file names of arbitrary length. Long file
    names inside archive files can cause the corruption of sensitive process
    memory that may potentially be exploited to execute code with the
    privileges of the process.

    14. Progress Database DBAgent InstallDir Local Privilege Elevation Vulnerability
    BugTraq ID: 7915
    Remote: No
    Date Published: Jun 14 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7915
    Summary:

    Progress Database is a commercial database for Microsoft Windows, Linux,
    and Unix systems.

    A problem with the software may grant unauthorized privileges.

    It has been reported that dbagent packaged with Progress does not properly
    handle untrusted input in some command line arguments. Because of this,
    an attacker may be able to gain unauthorized privileges.

    The problem is in the installdir option. The dbagent program does not
    perform sufficient checks or sanitizing of values passed with this
    argument when executed. This could lead to an attacker supplying a
    directory in an arbitrary location on the system, and potentially loading
    a malicious library into the program.

    Any library code loaded and executed through the installdir argument would
    run with the privileges of the dbagent program. dbagent is typically
    installed with elevated privileges.

    15. myServer Signal Handling Denial Of Service Vulnerability
    BugTraq ID: 7917
    Remote: Yes
    Date Published: Jun 14 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7917
    Summary:

    myServer is an application and web server for Microsoft Windows and Linux
    operating systems.

    A vulnerability has been reported for myServer that may result in a denial
    of service condition. The vulnerability exists when myServer receives
    certain signals. Specifically, when myServer receives the SIGINT signal,
    it will crash.

    This vulnerability was reported to affect myServer 0.4.1.

    16. Snitz Forums Search.ASP Cross-Site Scripting Vulnerability
    BugTraq ID: 7922
    Remote: Yes
    Date Published: Jun 16 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7922
    Summary:

    Snitz Forums is ASP-based web forum software. It runs on Microsoft Windows
    operating systems.

    Snitz Forums is prone to cross-site scripting attacks. This is due to
    insufficient sanitization of data passed to the search facility via URI
    parameters. As a result, it is possible for a remote user to create a
    malicious link to a site hosting the vulnerable software, which contains
    hostile HTML and script code. If this link is visited, the
    attacker-supplied HTML and script code will be interpreted by the victim's
    browser. This will occur in the context of the site hosting the vulnerable
    software.

    Exploitation may allow theft of cookie-based authentication credentials or
    other attacks.

    This issue was reported in Snitz Forums 3.4.0.3; other versions might also
    be affected.

    17. PHPBB Admin_Styles.PHP Theme_Info.CFG File Include Vulnerability
    BugTraq ID: 7932
    Remote: Yes
    Date Published: Jun 16 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7932
    Summary:

    phpBB is an open-source web forum application that is written in PHP and
    supported by a number of database products. It will run on most Unix and
    Linux variants, as well as Microsoft Windows operating systems.

    It has been reported that phpBB may permit an attacker to influence the
    include path of 'theme_info.cfg'. The path to this file can be influenced
    by supplying a malicious value for the '$install_to' CGI variable.

    While it does not seem possible to supply a path to a remote server, it
    may be possible to supply a relative path to a malicious local
    'theme_info.cfg' file. This could lead to execution of arbitrary PHP code
    with the privileges of the web server. Older versions of PHP may also
    permit an attacker to specify a path to an arbitrary system file by
    including a NULL byte (%00) in the request, which could reportedly cause
    files to be disclosed to the attacker.

    18. Microsoft Internet Explorer Custom HTTP Error HTML Injection Vulnerability
    BugTraq ID: 7939
    Remote: Yes
    Date Published: Jun 17 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7939
    Summary:

    An issue has been reported for Microsoft Internet Explorer that may result
    in HTML injection attacks. The vulnerability exists when IE is used to
    display custom HTTP error messages also known as "Friendly HTTP error
    messages".

    IE 5 and later include HTML resource files that are able to display the
    custom HTTP errors. A function in the HTML resource files is to extract
    the real URL from the document.

    When an error occurs, IE will request the following resource:
    res://shdoclc.dll/<HTTP STATUS CODE>_HTTP.htm#http://>

    Due to some errors when extracting the URL from the above requested
    resource, it is possible to cause IE to execute malicious HTML code.

    Exploitation may allow theft of cookie-based authentication credentials or
    other attacks.

    This vulnerability was reported to affect Microsoft Internet Explorer 6.0
    SP1 and earlier. It is likely that other applications that use the IE
    engine are also vulnerable to this issue.

    19. MiniHTTPServer WebForums Server Remote Directory Traversal Vulnerability
    BugTraq ID: 7955
    Remote: Yes
    Date Published: Jun 18 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7955
    Summary:

    WebForums Server is a commercially-available HTTP server. It is available
    for the Microsoft Windows platform.

    A problem with the server may give remote users unauthorized access to
    potentially sensitive information.

    It has been reported that WebForums Server does not properly handle some
    types of requests. Because of this, attackers may be able to gain access
    to files on the host server with the privileges of the web server process.

    The problem is in the handling of directory traversal strings. WebForums
    Server does not properly sanitize requests. Remote users may request
    files using dot-dot-slash (../) requests to gain access to any file on the
    system.

    20. Multiple Gnocatan Server Buffer Overflow Vulnerabilities
    BugTraq ID: 7877
    Remote: Yes
    Date Published: Jun 12 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7877
    Summary:

    Gnocatan is a multiplayer game. It is available for Microsoft Windows and
    Linux operating systems.

    The Gnocatan game server is prone to multiple remotely exploitable buffer
    overflow vulnerabilities. The vulnerabilities are due to insufficient
    bounds checking of data supplied to the server, which could result in
    corruption of memory with attacker-supplied values. These conditions
    could potentially be exploited to execute malicious code in the context of
    the server or to launch denial of service attacks.

    Specific technical details regarding these vulnerabilities are not
    available at this time. This BID will be updated as more details become
    available.

    21. Sphera HostingDirector Session ID Random Generator Weakness
    BugTraq ID: 7904
    Remote: Yes
    Date Published: Jun 13 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7904
    Summary:

    HostingDirector is a commercially available system administration package
    distributed by Sphera. It is available for the Linux and Microsoft
    Windows platforms.

    A problem with the software may increase the possibility of a user gaining
    unauthorized access to the system.

    It has been reported that Sphera HostingDirector uses a weak method of
    generating session IDs. This problem may increase the possibility of an
    attacker brute-force guessing a valid session ID.

    The problem is in the method used to generate session IDs. Upon session
    ID generation, each new session ID may be a total of 11 bytes in length,
    of which five bytes vary from a previously generated session ID. Of these
    five bytes, one is incremented sequentially in a predictable location.
    This value is stored in a cookie on the system of the authenticated user.
    Both it and the session ID persist until the user logs out.

    To gain access to a vulnerable implementation, an attacker still must know
    a valid user name to place in the authentication cookie.
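
    The following is an added example, not part of the newsletter or of Sphera's software: a small audit routine that takes a run of consecutively issued session IDs and reports which byte positions change and which merely count up, the weakness the summary above describes. The function names and the 11-byte sample layout are assumptions constructed for the demonstration.

```python
import secrets


def analyze_session_ids(ids):
    """Audit a run of consecutively issued session IDs (bytes objects).

    Reports which byte positions change at all and which of those merely
    count up by one per ID, the pattern the digest describes. A counter
    contributes no unpredictability, so it is excluded from the bound.
    """
    if len(ids) < 3:
        raise ValueError("need at least three consecutive session IDs")
    length = len(ids[0])
    if any(len(s) != length for s in ids):
        raise ValueError("session IDs differ in length")
    varying, sequential = [], []
    for pos in range(length):
        column = [s[pos] for s in ids]
        if len(set(column)) == 1:
            continue                      # fixed byte: no contribution
        varying.append(pos)
        # A counter steps by exactly one (mod 256) between every pair
        if all((column[i + 1] - column[i]) % 256 == 1
               for i in range(len(column) - 1)):
            sequential.append(pos)
    unpredictable = [p for p in varying if p not in sequential]
    return {
        "length": length,
        "varying_positions": varying,
        "sequential_positions": sequential,
        # Crude upper bound: 8 bits per byte that is neither fixed nor a counter
        "max_entropy_bits": 8 * len(unpredictable),
    }


def weak_sample_ids(count=20):
    """Constructed sample modelled on the digest's description: 11 bytes,
    five of which vary, one of those a sequential counter. These are not
    real HostingDirector values."""
    ids, counter = [], 0x40
    for _ in range(count):
        sid = bytearray(b"SESSIO" + b"\x00" * 5)   # six fixed bytes + five varying
        sid[6:10] = secrets.token_bytes(4)         # four bytes of per-ID noise
        sid[10] = counter & 0xFF                   # last byte counts up
        counter += 1
        ids.append(bytes(sid))
    return ids


def strong_sample_ids(count=20):
    """Comparison sample: every byte drawn from the OS CSPRNG."""
    return [secrets.token_bytes(11) for _ in range(count)]


if __name__ == "__main__":
    for label, sample in (("weak", weak_sample_ids()), ("strong", strong_sample_ids())):
        print(label, analyze_session_ids(sample))
```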

    22. Methodus 3 Web Server File Disclosure Vulnerability
    BugTraq ID: 7908
    Remote: Yes
    Date Published: Jun 13 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7908
    Summary:

    Methodus 3 is a utility that provides a number of features such as file
    sharing through an HTTP server and an FTP client/server implementation.
    It is available for Microsoft Windows operating systems.

    It is possible for remote attackers to retrieve resources outside of the
    web root directory. The vulnerability is due to insufficient sanitization
    of directory traversal sequences such as '../' from web requests. This
    could potentially be exploited to gain access to sensitive files on a
    system hosting the vulnerable software. Files that are readable by the
    web server could be disclosed if this issue is exploited.
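
    As an added example (not code from the newsletter or from any of the servers above), the following lexical check covers the traversal sequences named in items 3, 11, 19 and 22 ('../', '//..', their backslash and percent-encoded spellings) and the NUL-byte truncation mentioned in item 17. The function name and the /srv/www root are assumptions for the demonstration.

```python
import posixpath
from urllib.parse import unquote


def resolve_under_root(root, requested):
    """Map a client-supplied path (HTTP URL path or FTP CWD argument) to a
    location under `root`, or return None when the request would escape it.

    The check is lexical: it rejects the sequences the digest names ('../',
    '//..'), their backslash and percent-encoded spellings, and embedded NUL
    bytes, which truncate the path in C-based servers. A real server must
    additionally resolve symlinks (os.path.realpath) before opening the file.
    """
    decoded = unquote(requested)        # decode once, as the server would
    if "\x00" in decoded:
        return None                     # NUL would cut the path short
    components = decoded.replace("\\", "/").split("/")
    stack = []
    for part in components:
        if part in ("", "."):
            continue                    # '//' and '/./' add nothing
        if part == "..":
            if not stack:
                return None             # would climb above the root
            stack.pop()
        else:
            stack.append(part)
    return posixpath.join(root, *stack)


if __name__ == "__main__":
    for req in ("docs/../index.html", "//../outside.txt", "%2e%2e/outside.txt"):
        print(repr(req), "->", resolve_under_root("/srv/www", req))
```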

    23. Progress Database Environment Variable Local Privilege Escalation Vulnerability
    BugTraq ID: 7916
    Remote: No
    Date Published: Jun 14 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7916
    Summary:

    Progress Database is a commercial database for Microsoft Windows, Linux,
    and Unix systems.

    A problem with the software may grant unauthorized privileges.

    It has been reported that Progress database does not properly handle
    untrusted input when opening shared libraries. Specifically, the dlopen()
    function, used by several Progress utilities in /usr/dlc/bin/, checks the
    user's PATH environment variable when including shared object libraries.
    If any shared objects are found, Progress will load and execute them. Due
    to this, an attacker may be able to gain unauthorized privileges.

    An attacker can exploit this vulnerability by creating a malicious shared
    object and setting the PATH environment variable to include the directory
    containing the shared object. When certain utilities in the /usr/dlc/bin/
    directory are executed, the malicious shared library will be loaded.

    Any library code loaded will execute with elevated privileges.
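
    An added example, not from the newsletter or from Progress: an audit of a PATH value for entries a local user could control, which is the condition the summary above turns on. The function and directory names are assumptions, and the demonstration builds its own temporary directories.

```python
import os
import stat
import tempfile


def audit_search_path(path_value):
    """Return (entry, reason) pairs for entries of a colon-separated search
    path that a local user could control. Any writable entry is a problem
    for a privileged program that loads libraries from it; the sticky bit
    does not help, since dropping a new file is all that is needed."""
    findings = []
    for entry in path_value.split(":"):
        if entry == "":
            findings.append((entry, "empty entry resolves to the current directory"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry resolves against the current directory"))
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            findings.append((entry, "directory does not exist; whoever can create it controls it"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append((entry, "not a directory"))
        elif st.st_mode & stat.S_IWOTH:
            findings.append((entry, "world-writable"))
        elif st.st_mode & stat.S_IWGRP:
            findings.append((entry, "group-writable"))
    return findings


def build_demo_path():
    """Constructed environment for the demonstration: one private directory
    (mode 0700) and one world-writable directory, plus an empty, a relative
    and a missing entry. Returns (path_value, private_dir, writable_dir)."""
    private = tempfile.mkdtemp(prefix="audit-private-")
    writable = tempfile.mkdtemp(prefix="audit-open-")
    os.chmod(writable, 0o777)
    path_value = ":".join([private, writable, "", "relbin", "/no/such/dir/for/demo"])
    return path_value, private, writable


if __name__ == "__main__":
    path_value, _, _ = build_demo_path()
    for entry, reason in audit_search_path(path_value):
        print(f"{entry!r}: {reason}")
```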

    24. Mailtraq User Password Encoding Weakness
    BugTraq ID: 7923
    Remote: No
    Date Published: Jun 16 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7923
    Summary:

    Mailtraq is a commercially available e-mail server and client software
    package. It is available for the Microsoft Windows platform.

    A problem with the software may increase the possibility of an attacker
    discovering passwords.

    It has been reported that Mailtraq does not securely store passwords.
    Because of this, an attacker may have an increased chance at gaining
    access to clear text passwords.

    The problem is in the algorithm used to store passwords. Mailtraq uses a
    weak encoding scheme that can be easily reversed by a user with read
    access to the password file. This can result in an attacker revealing the
    clear text password strings and gaining access to the accounts of Mailtraq
    users.

    25. Snitz Forum Cookie Authentication Bypass Vulnerability
    BugTraq ID: 7924
    Remote: Yes
    Date Published: Jun 16 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7924
    Summary:

    Snitz Forums is ASP-based web forum software. It runs on Microsoft Windows
    operating systems.

    Snitz Forum has been reported prone to a cookie authentication bypass
    vulnerability.

    It has been reported that, if a remote attacker can retrieve the
    authentication cookie of another user, they can extract the password hash
    and use it to construct a malicious cookie that can be harnessed to hijack
    the victim's account.

    An attacker may exploit this issue to hijack another Snitz Forums user's
    account.

    This issue was reported in Snitz Forums 3.4.0.3; other versions might also
    be affected.

    26. Mailtraq Remote Format String SMTP Resource Consumption Vulnerability
    BugTraq ID: 7926
    Remote: Yes
    Date Published: Jun 16 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7926
    Summary:

    Mailtraq is a commercially available e-mail server and client software
    package. It is available for the Microsoft Windows platform.

    A problem with the software may make a remote denial of service possible.

    It has been reported that Mailtraq does not reliably handle format strings
    in some SMTP protocol fields. This may cause a system to become unstable
    and crash, allowing a remote attacker to deny service to the system.

    The problem is in the handling of certain format string sequences. It has
    been reported that sending an e-mail with strings such as @@%s%p%n and
    %s%p%n to the server in the following fields may consume excessive
    resources:

    MAIL FROM
    RCPT TO
    HELO
    FROM

    The string must be repeated 65535 times within the field to make the
    system momentarily resource-bound. Repeating such requests can be
    automated to produce a prolonged denial of service.
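
    An SMTP front end can refuse this traffic before any format handling runs,
    because a field padded with 65535 repetitions is far beyond the sizes RFC
    2821 (section 4.5.3.1) requires a server to accept: 64 octets for a
    local-part, 255 for a domain, 256 for a path and 512 for a command line.
    The checker below is an added example by the editor, not Mailtraq code; it
    enforces those limits on MAIL FROM, RCPT TO and HELO/EHLO lines and, as a
    separate heuristic, flags printf-style directives (above all %n) in what
    survives. The sample commands are constructed from the strings the
    advisory names.

```python
import re

# RFC 2821 section 4.5.3.1 minimum sizes a server must accept (octets).
# A command line includes the trailing CRLF, hence the +2 below.
MAX_LOCAL_PART, MAX_DOMAIN, MAX_PATH, MAX_COMMAND_LINE = 64, 255, 256, 512

# printf-style conversion directives; %n is the one that can write memory.
FORMAT_DIRECTIVE = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?[diouxXeEfgGcspn]")
ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<?([^>\s]*)>?", re.IGNORECASE)
HELO = re.compile(r"^(HELO|EHLO)\s+(\S*)", re.IGNORECASE)


def check_smtp_command(line):
    """Classify one SMTP command line as ('accept'|'reject'|'suspicious', reason)."""
    if len(line.encode("utf-8", "surrogateescape")) + 2 > MAX_COMMAND_LINE:
        return ("reject", "command line exceeds 512 octets")
    m = ENVELOPE.match(line)
    if m:
        path = m.group(2)
        if len(path) > MAX_PATH:
            return ("reject", "path exceeds 256 octets")
        local, at, domain = path.rpartition("@")
        if at and len(local) > MAX_LOCAL_PART:
            return ("reject", "local-part exceeds 64 octets")
        if at and len(domain) > MAX_DOMAIN:
            return ("reject", "domain exceeds 255 octets")
    m = HELO.match(line)
    if m and len(m.group(2)) > MAX_DOMAIN:
        return ("reject", "HELO domain exceeds 255 octets")
    # Length limits passed; now look for format directives in the argument.
    # '%' is legal in addresses, so this is a heuristic, not a hard reject.
    directives = FORMAT_DIRECTIVE.findall(line)
    if any(d.endswith("n") for d in directives) or len(directives) >= 3:
        return ("suspicious", f"{len(directives)} printf directives in argument")
    return ("accept", "")


# Constructed probes modelled on the advisory's strings.
SAMPLES = [
    "MAIL FROM:<alice@example.com>",
    "HELO @@%s%p%n",
    "RCPT TO:<" + "%s%p%n" * 65535 + "@example.com>",
]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict, reason = check_smtp_command(s)
        print(f"{verdict:10} {reason:45} {s[:40]!r}")
```

    The 65535-repetition payload never reaches the directive scan: it fails
    the 512-octet line check first, which is the cheap place to stop it. The
    short HELO probe is what the heuristic is for.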

    27. Pod.Board Forum_Details.PHP Multiple HTML Injection Vulnerabilities
    BugTraq ID: 7933
    Remote: Yes
    Date Published: Jun 16 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7933
    Summary:

    pod.board is a web-based portal/forum system. Implemented in PHP, it is
    available for a range of systems, including Unix, Linux, and Microsoft
    Windows.

    The pod.board 'forum_details.php' script does not sufficiently sanitize
    data supplied via URI parameters or web-based input fields, making it
    prone to HTML injection attacks. In particular, the 'user_homepage',
    'user_location', 'user_nick' and 'user_signature' URI parameters and
    corresponding input fields are not properly sanitized of HTML tags. This
    could allow for execution of hostile HTML and script code in the web
    client of a user who visits a web page that contains the malicious
    injected code. This would occur in the security context of the site
    hosting the software.

    Exploitation could allow for theft of cookie-based authentication
    credentials. Other attacks are also possible.

    It should be noted that although this vulnerability has been reported to
    affect pod.board version 1.1, other versions might also be affected.

    28. Internet Security Systems BlackICE Defender Cross-site Scripting Detection Evasion Weakness
    BugTraq ID: 7942
    Remote: Yes
    Date Published: Jun 17 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7942
    Summary:

    BlackICE Defender is a home/small office firewall and intrusion detection
    system. It is maintained by Internet Security Systems and is designed for
    use on the Microsoft Windows operating system.

    A weakness has been reported for BlackICE Defender, which could allow an
    attacker to evade the detection of specific forms of attacks.
    Specifically, the intrusion detection system fails to match cross-site
    scripting attacks embedded within various HTTP requests.

    An attacker could potentially exploit this weakness by embedding
    cross-site scripting payloads within PUT or DELETE HTTP requests for a
    target system. This would effectively evade detection by BlackICE.

    A user of BlackICE may be relying on a false sense of security as a result
    of this weakness.

    This weakness has been reported to affect BlackICE 3.6cbd, however it has
    been speculated that earlier versions and possibly other software suites
    may also be affected.
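
    The weakness is a rule scoped to the request method rather than to the
    data. The following added example (editor's code, not BlackICE's detection
    logic, which the page does not show) contrasts a detector that only looks
    inside GET and POST with one that inspects the request target, headers and
    body whatever the method. The three raw requests, the XSS pattern and the
    host name are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Minimal signature for the payload class at issue; real rule sets are larger.
XSS_PATTERN = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def detect_method_bound(raw):
    """The weak design: payload search only runs for GET and POST."""
    method, target, _headers, body = parse_request(raw)
    if method not in ("GET", "POST"):
        return False  # PUT, DELETE and friends are never inspected
    return bool(XSS_PATTERN.search(unquote_plus(target) + " " + unquote_plus(body)))


def detect_method_agnostic(raw):
    """Inspect every attacker-controlled surface regardless of method."""
    _method, target, headers, body = parse_request(raw)
    surface = " ".join([unquote_plus(target), unquote_plus(body), *headers.values()])
    return bool(XSS_PATTERN.search(surface))


# Constructed requests: the same payload carried three different ways.
GET_REQ = ("GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\n"
           "Host: target.example\r\n\r\n")
PUT_REQ = ("PUT /upload/x.html HTTP/1.1\r\nHost: target.example\r\n"
           "Content-Length: 39\r\n\r\n<script>alert(document.cookie)</script>")
DELETE_REQ = ("DELETE /item/%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1\r\n"
              "Host: target.example\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("GET", GET_REQ), ("PUT", PUT_REQ), ("DELETE", DELETE_REQ)]:
        print(f"{name:7} method-bound={detect_method_bound(req)!s:5} "
              f"method-agnostic={detect_method_agnostic(req)}")
```

    Decoding the target before matching matters as much as the method: the
    DELETE request carries its payload percent-encoded in the path, which a
    byte-for-byte signature would miss even if the method were covered.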

    29. CesarFTP Remote CWD Denial of Service Vulnerability
    BugTraq ID: 7949
    Remote: Unknown
    Date Published: Jun 17 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7949
    Summary:

    CesarFTP is a freely available FTP Server for Microsoft Windows operating
    systems.

    A vulnerability has been reported for CesarFTP. Reportedly, an attacker
    may crash a target server by supplying excessive data as the argument to
    the 'CWD' command. Specifically, by passing approximately 6500 bytes of
    data as an argument to the vulnerable command, it is possible to trigger
    the vulnerability.

    This may result in the server hanging, effectively denying service to
    other legitimate FTP users.

    30. Mailtraq Remote Directory Traversal Vulnerability
    BugTraq ID: 7921
    Remote: Yes
    Date Published: Jun 16 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7921
    Summary:

    Mailtraq is a commercially available e-mail server and client software
    package. It is available for the Microsoft Windows platform.

    A problem with the software may make it possible for an attacker to gain
    unauthorized access to sensitive information.

    It has been reported that Mailtraq is vulnerable to a remote directory
    traversal issue. Because of this, an attacker may be able to gain access
    to files on the local system with the privileges of the Mailtraq server
    process.

    The problem is in the handling of input by the Mailtraq server process.
    By issuing a request to the Mailtraq web interface for a specific
    directory, a remote user can view all the files contained in the requested
    directory. As the Mailtraq program typically executes with elevated
    privileges, this may permit the disclosure of privileged information.

    31. Snitz Forums Password.ASP Password-Reset Vulnerability
    BugTraq ID: 7925
    Remote: Yes
    Date Published: Jun 16 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7925
    Summary:

    Snitz Forums is ASP-based web forum software. It runs on Microsoft Windows
    operating systems.

    Snitz Forums 'password.asp' has been reported prone to a password-reset
    vulnerability. It has been reported that by requesting a forgotten
    password, an attacker may save the 'password reset' page offline. By
    modifying the member id in the saved script the attacker may reset
    arbitrary account passwords, if the corresponding member id is known.

    This issue was reported in Snitz Forums 3.4.0.3, other versions might also
    be affected.
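
    Items 25 and 31 share a root cause: the client is trusted to supply the
    identity. In one case the cookie carries the stored password hash, so
    anyone who captures it (or just the hash) can rebuild it; in the other the
    reset page carries the member id, so editing a saved copy resets any
    account. The example below is the editor's own, not Snitz code, and its
    cookie and form layouts are stand-ins (the page does not give Snitz's
    formats). It puts both weak patterns next to the usual fix: an HMAC over a
    server-held secret binds the cookie to its user and expiry, and a reset
    token issued server-side carries the member id itself, is single-use and
    expires. The member table, SERVER_SECRET and clock values are assumptions.

```python
import hashlib
import hmac
import secrets


def pw_hash(password):
    # Stand-in for the stored credential; Snitz's real format is not on the page.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed member table.
USERS = {"alice": {"id": 7, "pw_hash": pw_hash("alicepw")},
         "bob":   {"id": 8, "pw_hash": pw_hash("bobpw")}}


# -- Pattern behind item 25: the cookie is the stored credential. --
def weak_cookie(user):
    return f"{user}|{USERS[user]['pw_hash']}"


def weak_user_from_cookie(cookie):
    user, _, h = cookie.partition("|")
    rec = USERS.get(user)
    return user if rec and rec["pw_hash"] == h else None  # replayable forever


# -- Pattern behind item 31: the reset form trusts a client-supplied member id. --
def weak_reset(form):
    for user, rec in USERS.items():
        if rec["id"] == int(form["member_id"]):
            rec["pw_hash"] = pw_hash(form["new_password"])
            return user
    return None


# -- Hardened: HMAC-signed, expiring sessions; server-issued single-use reset tokens. --
SERVER_SECRET = secrets.token_bytes(32)   # assumption: never leaves the server
RESET_TOKENS = {}                          # token -> (member id, expiry)


def _mac(payload):
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user, now, ttl=3600):
    payload = f"{user}|{int(now) + ttl}"
    return f"{payload}|{_mac(payload)}"


def user_from_session(cookie, now):
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user, exp, mac = parts
    if not hmac.compare_digest(_mac(f"{user}|{exp}"), mac):
        return None            # forged or tampered (e.g. user name swapped)
    if not exp.isdigit() or int(exp) < now:
        return None            # expired
    return user if user in USERS else None


def issue_reset_token(user, now, ttl=900):
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (USERS[user]["id"], now + ttl)
    return token


def safe_reset(form, now):
    entry = RESET_TOKENS.pop(form.get("token", ""), None)   # single use
    if entry is None or entry[1] < now:
        return None
    member_id, _exp = entry
    for user, rec in USERS.items():
        if rec["id"] == member_id:   # identity comes from the token, never the form
            rec["pw_hash"] = pw_hash(form["new_password"])
            return user
    return None


if __name__ == "__main__":
    stolen = weak_cookie("alice")
    print("replayed weak cookie ->", weak_user_from_cookie(stolen))
    print("weak reset of member 7 ->", weak_reset({"member_id": "7", "new_password": "owned"}))
    s = issue_session("alice", now=1000)
    print("tampered session ->", user_from_session(s.replace("alice", "bob", 1), now=1500))
    t = issue_reset_token("bob", now=1000)
    print("token reset ->", safe_reset({"token": t, "new_password": "n", "member_id": "7"}, 1000))
```

    Even the hardened cookie is still a bearer token: capturing it lets the
    holder act as the user until it expires, so it belongs on HttpOnly,
    short-lived cookies sent only over TLS. What the HMAC removes is the
    ability to mint one from a leaked hash or to alter the user it names.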

    32. Mailtraq Webmail Remote HTML Injection Vulnerability
    BugTraq ID: 7928
    Remote: Yes
    Date Published: Jun 16 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7928
    Summary:

    Mailtraq is a commercially available e-mail server and client software
    package. It is available for the Microsoft Windows platform.

    It has been reported that Mailtraq does not sufficiently sanitize
    potentially malicious content from e-mails.

    The problem is in the filtering of HTML and script code from e-mail header
    fields. When this type of content is sent to a user of the vulnerable
    webmail service, it is not filtered of HTML tags. This may allow an
    attacker to send HTML or script code to users that could result in a
    denial of service, theft of authentication cookie credentials or other
    attacks.

    33. Pod.Board New_Topic.PHP Multiple HTML Injection Vulnerabilities
    BugTraq ID: 7936
    Remote: Yes
    Date Published: Jun 16 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7936
    Summary:

    pod.board is a web-based portal/forum system. Implemented in PHP, it is
    available for a range of systems, including Unix, Linux, and Microsoft
    Windows.

    The pod.board 'new_topic.php' script does not sufficiently sanitize data
    supplied via URI parameters or web-based input fields, making it prone to
    HTML injection attacks. In particular, the 'topic_title' or 'post_text'
    URI parameters and corresponding input fields are not properly sanitized
    of HTML tags. This could allow for execution of hostile HTML and script
    code in the web client of a user who visits a web page that contains the
    malicious injected code. This would occur in the security context of the
    site hosting the software.

    Exploitation could allow for theft of cookie-based authentication
    credentials. Other attacks are also possible.

    It should be noted that although this vulnerability has been reported to
    affect pod.board version 1.1, other versions might also be affected.

    34. Microsoft Internet Explorer MSXML XML File Parsing Cross-Site Scripting Vulnerability
    BugTraq ID: 7938
    Remote: Yes
    Date Published: Jun 17 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7938
    Summary:

    A vulnerability has been reported for Internet Explorer, using the MSXML
    parser, that may result in cross-site scripting attacks. The vulnerability
    exists due to the way that the MSXML parser handles certain types of XML
    data.

    When IE views a XML file, it will automatically attempt to parse it using
    the MSXML parser. If IE is unable to parse the XML file, it will display a
    parse error that also includes the URL of the requested XML file.

    In some instances, the displayed URL is not sufficiently sanitized of
    query strings that may have been passed in as URI parameters.

    As a result, it is possible for a remote user to create a malicious link
    to a site hosting the vulnerable software, which contains hostile HTML and
    script code. If this link is visited, the attacker-supplied HTML and
    script code will be interpreted by their browser. This will occur in the
    context of the site hosting the vulnerable software.

    Exploitation may allow theft of cookie-based authentication credentials or
    other attacks.

    This vulnerability was reported to affect Microsoft Internet Explorer 5.5
    and 6.0. It is likely that other applications that use the IE engine are
    also vulnerable to this issue.

    35. Armida Databased Web Server Long Request Denial Of Service Vulnerability
    BugTraq ID: 7940
    Remote: Yes
    Date Published: Jun 17 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7940
    Summary:

    Armida is a databased web server implementation for Microsoft Windows
    operating systems.

    Armida Databased Web Server is prone to a denial of service condition when
    handling overly long HTTP GET requests. It is possible to reproduce this
    condition by making an HTTP GET request that specifies a path to a
    resource that is 500,000+ characters in length. This will cause CPU usage
    for the server to spike. Multiple requests of this nature could cause a
    prolonged denial of service to the system hosting the software.

    36. MyServer HTTP Server Directory Traversal Vulnerability
    BugTraq ID: 7944
    Remote: Yes
    Date Published: Jun 17 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7944
    Summary:

    MyServer is an application and web server for Microsoft Windows and Linux
    operating systems.

    The MyServer HTTP server is prone to a file disclosure vulnerability.
    Encoded directory traversal sequences may be used to break out of the web
    root directory. Attackers may gain access to files that are readable by
    the web server as a result.

    Successful exploitation may expose sensitive information to remote
    attackers. This information could be used to aid in further attacks that
    attempt to compromise the host.

    It should be noted that although this vulnerability has been reported to
    affect MyServer version 0.4.1, other versions might also be affected.
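
    Items 30 and 36 both come down to a web server that maps a request path to
    the filesystem without confining the result to its document root; item 36
    specifically notes that the traversal sequences were percent-encoded. The
    function below is an added example by the editor, not MyServer or Mailtraq
    code: it decodes repeatedly (so a double-encoded '%252e%252e' does not slip
    through a single decode), treats backslashes as separators since both
    servers run on Windows, normalizes, and then refuses anything whose
    canonical form lies outside the root. WEB_ROOT and the request paths are
    assumptions.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/www/htdocs"  # assumption: the server's document root


def decode_fully(path, max_rounds=3):
    """Percent-decode until stable so %252e%252e (double-encoded '..') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    return path


def resolve_request_path(request_path, web_root=WEB_ROOT):
    """Return the filesystem path for a request, or None if it escapes web_root."""
    decoded = decode_fully(request_path)
    if "\x00" in decoded:
        return None                       # NUL truncation in the C runtime below
    decoded = decoded.replace("\\", "/")  # Windows servers: backslash separates too
    # Join first, normalize second: normalizing the request alone would quietly
    # fold '/../../etc/passwd' into '/etc/passwd' instead of rejecting it.
    full = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    if full != web_root and not full.startswith(web_root + "/"):
        return None
    return full


# Constructed requests of the kinds the two advisories describe.
SAMPLES = [
    "/index.html",
    "/docs/../index.html",
    "/../../../etc/passwd",
    "/%2e%2e/%2e%2e/%2e%2e/windows/win.ini",
    "/%252e%252e/%252e%252e/boot.ini",
    "/..\\..\\..\\winnt\\repair\\sam",
    "/%5c..%5c..%5cboot.ini",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:45} -> {resolve_request_path(s)}")
```

    The prefix test uses web_root plus a separator on purpose: a root of
    /srv/www/htdocs must not accept /srv/www/htdocs-private. On a real server
    the resolved path should additionally be checked after symlink resolution,
    and directory listings (the item 30 symptom) disabled unless intended.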

    37. Proxomitron Proxy Server Long Get Request Remote Denial Of Service Vulnerability
    BugTraq ID: 7954
    Remote: Yes
    Date Published: Jun 17 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7954
    Summary:

    Proxomitron is a freely available proxy server. It is available for the
    Microsoft Windows platform.

    A problem in the software may result in denial of service to legitimate
    users.

    It has been reported that Proxomitron does not properly handle some string
    types. Because of this, an attacker can cause the server to become
    unstable and crash.

    The problem is in the handling of long strings with mixed characters. It
    has been reported that this issue can be reproduced by submitting a string
    of at least 4504 characters with dots, slashes, and zero-percent-percent
    (0%%) characters in the string.

    It should be noted that all references on the web to Proxomitron proxy
    software lead to a page with Japanese text that, when translated to
    English, means "this page has gone."

    III. MICROSOFT FOCUS LIST SUMMARY
    ---------------------------------
    1. Filtering DHCP Assignments by MAC Address (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/325993

    2. Windows Event Logs (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/325991

    3. NTRootkit (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/325992

    4. Article Announcement: Tracking Down the Phantom Host (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/325871

    5. Question regarding su.exe (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/325467

    6. Administrivia: OOO Messages (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/325273

    7. SecurityFocus Microsoft Newsletter #141 (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/325268

    8. Local User Permissions in a Public, Domain Environment? (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/325263

    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
    ----------------------------------------
    1. Netsecure Log
    by CalyxNetSecure
    Platforms: Solaris, Windows 2000, Windows NT
    Relevant URL:
    http://www.calyxnetsecure.com/produit.asp?nom_produit=NetsecureLog
    Summary:

    Netsecure Log is a security administration solution. It makes the
    administrator's job easier by centralizing security events in a database
    and then analyzing them with a powerful query tool.

    2. AccessGuard
    by AccessGuard
    Platforms: Os Independent
    Relevant URL:
    http://www.accessguard.nl/
    Summary:

    AccessGuard is a fully automated intrusion prevention service, that
    instantly protects your IT infrastructure from known and unknown attacks
    by hackers, worms, server based 'Denial of Service' and other Internet
    risks. AccessGuard reduces security cost: It replaces and outperforms
    state of the art Intrusion Detection Systems (IDS) and makes analysis by
    security specialists unnecessary.

    3. Intellitactics Network Security Manager
    by Intellitactics
    Platforms: Solaris, Windows NT
    Relevant URL:
    http://www.intellitactics.com/products/nsm_overview.html
    Summary:

    Intellitactics Network Security Manager is the holistic, integrated threat
    management platform that gives you a virtual window into your enterprise
    security environment. NSM lets you police, prioritize and prevail across
    the full range of today's security threats. You get a clear picture of
    your security situation in real time--and over time--so you can deliver
    the most effective information security possible. With NSM, you leverage
    the infrastructure you've already built. NSM correlates massive amounts of
    data for you--gathered from your full range of security devices and other
    information sources throughout the enterprise. Then, on a single pane of
    glass, NSM provides a graphical visualization of threats, anomalies and
    trends. Your Security Operations Center can now respond more effectively
    to real security threats than with any other security product--in moments
    instead of days, with fewer resources.

    V. NEW TOOLS FOR MICROSOFT PLATFORMS
    -------------------------------------
    1. Star v1.5a15
    by Jörg Schilling
    Relevant URL:
    http://www.fokus.gmd.de/research/cc/glone/employees/joerg.schilling/private/star.html
    Platforms: BeOS, MacOS, OS/2, POSIX, Windows 2000, Windows 95/98, Windows
    NT, Windows XP
    Summary:

    Star is a very fast, POSIX-compliant tar archiver. It reads and writes
    POSIX compliant tar archives as well as non-POSIX GNU tar archives. Star
    is the first free POSIX.1-2001 compliant tar implementation. It saves many
    files together into a single tape or disk archive, and can restore
    individual files from the archive. It includes a FIFO for speed, a pattern
    matcher, multi-volume support, the ability to archive sparse files and
    ACLs, the ability to archive extended file flags, automatic archive format
    detection, automatic byte order recognition, automatic archive
    compression/decompression, remote archives, and special features that
    allow star to be used for full and incremental backups. It includes the
    only known platform independent "rmt" server program that hides Linux
    incompatibilities. The "rmt" server from the star package implements all
    Sun/GNU/Schily/BSD enhancements and allows any "rmt" client from any OS to
    contact any OS as server.

    2. Logrep v1.3.2
    by Tevfik Karagülle
    Relevant URL:
    http://logrep.sourceforge.net/
    Platforms: Linux, POSIX, Windows 2000, Windows NT
    Summary:

    Logrep is a secure multi-platform framework for the collection,
    extraction, and presentation of information from various log files. It
    features HTML reports, multi-dimensional analysis, overview pages, SSH
    communication, and graphs, and supports more than 15 popular systems
    including Snort, Squid, Postfix, Apache, syslog, iptables/ipchains, NT
    event logs, Firewall-1, wtmp, Oracle listener, and Pix.

    3. Monitoring Application for Resources and Servers v2.2.1
    by Brian H. Trammell brian@altara.org Ben Parrot benji@altara.org
    Relevant URL:
    http://www.altara.org/mars
    Platforms: BSDI, Digital UNIX/Alpha, FreeBSD, HP-UX, IRIX, Java, Linux,
    NetBSD, OpenBSD, SCO, Solaris, True64 UNIX, UNIX, Windows 95/98, Windows
    NT
    Summary:

    MARS is a host based system monitoring tool. It contains a distributed
    agent, SPOT, which is placed on each host. The MARS server can then obtain
    information about each of the machines the agent is running on, including
    status, load information, disk activity and memory information.

    MARS is Java based, and should run on any Unix supporting Java, as well as
    Microsoft Windows products.

    VI. SPONSOR INFORMATION
    -----------------------
    This Issue is Sponsored by: SPI Dynamics

    ALERT: "How a Hacker Uses SQL Injection to Steal Your Data"

    It's as simple as placing additional SQL commands into a Web Form input
    box giving hackers complete access to all your backend systems!
    Firewalls and IDS will not stop such attacks because SQL Injections are
    NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics
    for a complete guide to protection!

    http://www.securityfocus.com/SPIDynamics-ms-secnews4
    -------------------------------------------------------------------------------
