SecurityFocus Microsoft Newsletter #268
----------------------------------------

This Issue is Sponsored By: CipherTrust

CipherTrust Products have been nominated! Please Vote in the SC
Magazine Awards.
IronMail Gateway - Best E-Mail Security
http://www.scawards.com/vote4a.asp?Area_ID=1&Cat_ID=7&Sub_ID=2&Prod_ID=122
IronMail Gateway - Best Anti-Spam
http://www.scawards.com/vote4a.asp?Area_ID=1&Cat_ID=5&Sub_ID=2&Prod_ID=87

------------------------------------------------------------------
I. FRONT AND CENTER
1. Evading NIDS, revisited
2. Regaining control
II. MICROSOFT VULNERABILITY SUMMARY
1. Microsoft Windows SynAttackProtect Predictable Hash Remote Denial of Service Vulnerability
2. Sun Java Runtime Environment Multiple Privilege Escalation Vulnerabilities
3. Cisco Security Agent Unspecified Local Privilege Escalation Vulnerability
4. Microsoft Internet Explorer CSS Import Cross-Domain Restriction Bypass Vulnerability
5. Drupal Image Upload HTML Injection Vulnerability
6. Citrix Multiple Applications Login Form Cross-Site Scripting Vulnerability
7. Microsoft Windows CreateRemoteThread Local Denial of Service Vulnerability
8. Drupal View User Profile Authorization Bypass Vulnerability
9. Drupal Submitted Content HTML Injection Vulnerability
10. PHPX Admin Login.PHP SQL Injection Vulnerability
11. WinEggDropShell Multiple Remote Buffer Overflow Vulnerabilities
12. Zen Cart Password_Forgotten.PHP SQL Injection Vulnerability
13. Real Networks RealPlayer Unspecified Remote Code Execution Vulnerability
14. Sun Java System Application Server Reverse SSL Proxy Plug-in Man In The Middle Vulnerability
15. Horde IMP Email Attachments HTML Injection Vulnerability
16. Apple Quicktime/iTunes Unspecified Heap Overflow Vulnerability
17. PHPMyAdmin Multiple Cross-Site Scripting Vulnerabilities
III. MICROSOFT FOCUS LIST SUMMARY
1. Changing local admin PW using vb logon script - can it be encrypted?
2. Changing local admin PW using vb logon script - can it be encrypted?
3. Prohibiting Index Server does not prevent information leakage in IIS 6.0
4. SecurityFocus Microsoft Newsletter #267
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION


I. FRONT AND CENTER
---------------------
1. Evading NIDS, revisited
By Sumit Siddharth
This article looks at some of the most popular IDS evasion attack techniques, based on fragmentation or using the TTL field. Snort's configuration and response to these attacks will also be discussed.
http://www.securityfocus.com/infocus/1852


2. Regaining control
By Kelly Martin
Securing endpoint systems by locking them down using complex software brings back memories of another era, where business computers were once used for business applications only - and businesses retained control over their assets and data.
http://www.securityfocus.com/columnists/372



II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Microsoft Windows SynAttackProtect Predictable Hash Remote Denial of Service Vulnerability
BugTraq ID: 15613
Remote: Yes
Date Published: 2005-11-28
Relevant URL: http://www.securityfocus.com/bid/15613
Summary:
Microsoft Windows is prone to a denial of service vulnerability.


The vulnerability arises due to a design error in the function responsible for the hash table management for 'SynAttackProtect'. Reports indicate that the affected function used by the TCP/IP stack creates a predictable hash, allowing an attacker to send a large number of SYN packets with an identical hash value.

A successful attack can eventually lead to a denial of service condition due to the lookup algorithm becoming very inefficient at performing searches.


2. Sun Java Runtime Environment Multiple Privilege Escalation Vulnerabilities
BugTraq ID: 15615
Remote: Yes
Date Published: 2005-11-28
Relevant URL: http://www.securityfocus.com/bid/15615
Summary:
Sun JRE is susceptible to various privilege escalation vulnerabilities.

These issues can allow remote Java applications to read/write local files and execute arbitrary applications in the context of an affected user.

Further details are not available at this time. This BID will be updated as further information is disclosed.

3. Cisco Security Agent Unspecified Local Privilege Escalation Vulnerability
BugTraq ID: 15618
Remote: No
Date Published: 2005-11-29
Relevant URL: http://www.securityfocus.com/bid/15618
Summary:
Cisco Security Agent is susceptible to an unspecified local privilege escalation vulnerability. This issue only affects computers running affected versions of Cisco Security Agent on the Microsoft Windows platform.


Further details are not currently available; this BID will be updated as information becomes available.

This issue allows local attackers to gain SYSTEM level privileges on computers running the affected software.

4. Microsoft Internet Explorer CSS Import Cross-Domain Restriction Bypass Vulnerability
BugTraq ID: 15660
Remote: Yes
Date Published: 2005-12-01
Relevant URL: http://www.securityfocus.com/bid/15660
Summary:
Microsoft Internet Explorer is prone to an issue that allows a violation of the cross-domain security model.


The vulnerability arises as Internet Explorer does not properly parse CSS files and facilitates imports of files that are not valid CSS files.

This allows attackers to disclose HTML and script code from the remote site that was improperly imported as a CSS file. This site may reside in a different domain from the site that exploits the issue.

An attacker may exploit this issue to steal sensitive information, which may aid in other attacks.

5. Drupal Image Upload HTML Injection Vulnerability
BugTraq ID: 15663
Remote: Yes
Date Published: 2005-12-01
Relevant URL: http://www.securityfocus.com/bid/15663
Summary:
Drupal is prone to an HTML injection vulnerability. This is due to a lack of proper sanitization of user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would be executed in the context of the affected Web site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.


This issue is only present when using the Microsoft Internet Explorer Web browser.


6. Citrix Multiple Applications Login Form Cross-Site Scripting Vulnerability
BugTraq ID: 15664
Remote: Yes
Date Published: 2005-12-01
Relevant URL: http://www.securityfocus.com/bid/15664
Summary:
Citrix MetaFrame Secure Access Manager and Citrix NFuse Elite are prone to a cross-site scripting vulnerability. These issues are due to a failure in the applications to properly sanitize user-supplied input.


An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.

7. Microsoft Windows CreateRemoteThread Local Denial of Service Vulnerability
BugTraq ID: 15671
Remote: No
Date Published: 2005-12-01
Relevant URL: http://www.securityfocus.com/bid/15671
Summary:
Microsoft Windows is prone to a local denial of service vulnerability. This issue can allow an attacker to trigger a system-wide denial of service condition or terminate arbitrary processes.


Reports indicate that a process can call the 'CreateRemoteThread' function to trigger this issue.

It was reported that this attack can be carried out by a local unprivileged user.

8. Drupal View User Profile Authorization Bypass Vulnerability
BugTraq ID: 15674
Remote: Yes
Date Published: 2005-12-01
Relevant URL: http://www.securityfocus.com/bid/15674
Summary:
Drupal is prone to an authorization bypass vulnerability. This issue is due to an unspecified error when the application is running under PHP5.


An attacker can exploit this vulnerability to bypass permissions and gain access to user profiles; this may result in information disclosure.

9. Drupal Submitted Content HTML Injection Vulnerability
BugTraq ID: 15677
Remote: Yes
Date Published: 2005-12-01
Relevant URL: http://www.securityfocus.com/bid/15677
Summary:
Drupal is prone to an HTML injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content.


Attacker-supplied HTML and script code would be executed in the context of the affected Web site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.

10. PHPX Admin Login.PHP SQL Injection Vulnerability
BugTraq ID: 15680
Remote: Yes
Date Published: 2005-12-02
Relevant URL: http://www.securityfocus.com/bid/15680
Summary:
PHPX is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.


Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

11. WinEggDropShell Multiple Remote Buffer Overflow Vulnerabilities
BugTraq ID: 15682
Remote: Yes
Date Published: 2005-12-02
Relevant URL: http://www.securityfocus.com/bid/15682
Summary:
WinEggDropShell is affected by multiple remote buffer overflow vulnerabilities.

A remote buffer overflow vulnerability affecting the HTTP server arises when a GET request is provided with excessive data.

Two remote buffer overflow vulnerabilities affecting the FTP server arise when the FTP commands are provided with excessively long arguments.

An unauthenticated attacker may leverage these issues to execute arbitrary code on a computer with the privileges of the server process. This may facilitate unauthorized access and a complete compromise.

WinEggDropShell 1.7 is reportedly vulnerable; however, other versions are likely affected as well.

12. Zen Cart Password_Forgotten.PHP SQL Injection Vulnerability
BugTraq ID: 15690
Remote: Yes
Date Published: 2005-12-02
Relevant URL: http://www.securityfocus.com/bid/15690
Summary:
Zen Cart is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.


Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

13. Real Networks RealPlayer Unspecified Remote Code Execution Vulnerability
BugTraq ID: 15691
Remote: Yes
Date Published: 2005-11-30
Relevant URL: http://www.securityfocus.com/bid/15691
Summary:
Real Networks RealPlayer is affected by an unspecified code execution vulnerability. The potential impact of this issue allows for remote arbitrary code execution in the context of the user running the application. All versions of RealPlayer for the Microsoft Windows platform are considered to be vulnerable at the moment.


This BID will be updated as more information is released.

14. Sun Java System Application Server Reverse SSL Proxy Plug-in Man In The Middle Vulnerability
BugTraq ID: 15728
Remote: Yes
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15728
Summary:
Sun Java System Application Server is prone to a man-in-the-middle vulnerability.


This issue arises when the reverse SSL proxy plug-in is used with a supported Web server.

An attacker may exploit this issue to gain access to sensitive contents of encrypted network traffic between a client and a server.

15. Horde IMP Email Attachments HTML Injection Vulnerability
BugTraq ID: 15730
Remote: Yes
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15730
Summary:
Horde IMP is prone to an HTML injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content.


Attacker-supplied HTML and script code would be executed in the context of the affected Web site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.

Reports indicate this issue is only present when viewing IMP content with the Microsoft Internet Explorer Web browser.

16. Apple Quicktime/iTunes Unspecified Heap Overflow Vulnerability
BugTraq ID: 15732
Remote: Yes
Date Published: 2005-12-02
Relevant URL: http://www.securityfocus.com/bid/15732
Summary:
An unspecified heap-based buffer overflow vulnerability has been reported in Apple Quicktime and iTunes. This issue affects both Mac OS X and Microsoft Windows releases of the software. It is believed that this issue is triggered when the affected applications play a malicious media file, though this has not been confirmed. Successful exploitation will result in execution of arbitrary code in the context of the currently logged-in user.


This issue affects Apple Quicktime 7.0.3 and iTunes 6.0.1. Earlier versions may also be affected.

17. PHPMyAdmin Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 15735
Remote: Yes
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15735
Summary:
phpMyAdmin is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.


An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Changing local admin PW using vb logon script - can it be encrypted?
http://www.securityfocus.com/archive/88/418575

2. Changing local admin PW using vb logon script - can it be encrypted?
http://www.securityfocus.com/archive/88/418259

3. Prohibiting Index Server does not prevent information leakage in IIS 6.0
http://www.securityfocus.com/archive/88/418256

4. SecurityFocus Microsoft Newsletter #267
http://www.securityfocus.com/archive/88/418148

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to ms-secnews-unsubscribe@xxxxxxxxxxxxxxxxx from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.


If your email address has changed, email listadmin@xxxxxxxxxxxxxxxxx and ask to be manually removed.

V. SPONSOR INFORMATION
------------------------
This Issue is Sponsored By: CipherTrust

CipherTrust Products have been nominated! Please Vote in the SC
Magazine Awards.
IronMail Gateway - Best E-Mail Security
http://www.scawards.com/vote4a.asp?Area_ID=1&Cat_ID=7&Sub_ID=2&Prod_ID=122
IronMail Gateway - Best Anti-Spam
http://www.scawards.com/vote4a.asp?Area_ID=1&Cat_ID=5&Sub_ID=2&Prod_ID=87
