SecurityFocus Microsoft Newsletter #269
----------------------------------------

This Issue is Sponsored By: SpiDynamics

ALERT: "How A Hacker Launches A Blind SQL Injection Attack Step-by-Step!" - White Paper
The newest web app vulnerability: Blind SQL Injection!
Even if your web application does not return error messages, it may still be open to a Blind SQL Injection Attack.
Blind SQL Injection can deliver total control of your server to a hacker, giving them the ability to read, write and manipulate all data stored in your backend systems! Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! https://download.spidynamics.com/1/ad/bsq.asp?Campaign_ID=701300000003Har


------------------------------------------------------------------
I. FRONT AND CENTER
1. Trusting software
2. Users inundated with pop-ups
II. MICROSOFT VULNERABILITY SUMMARY
1. Sun Java System Application Server Reverse SSL Proxy Plug-in Man In The Middle Vulnerability
2. Horde IMP Email Attachments HTML Injection Vulnerability
3. PHPMyAdmin Multiple Cross-Site Scripting Vulnerabilities
4. Multiple Vendor BIOS Password Persistence Weakness
5. PHPMyAdmin Import_Blacklist Variable Overwrite Vulnerability
6. Microsoft Excel Unspecified Memory Corruption Vulnerability
7. Microsoft December Advance Notification Unspecified Security Vulnerabilities
8. Lyris ListManager Command Execution Vulnerability
9. Lyris Listmanager TCLHTTPd Service Multiple Information Disclosure Vulnerabilities
10. Lyris ListManager Hidden Variable Information Disclosure Vulnerability
11. Contenido CMS Unspecified Remote Command Execution Vulnerability
12. My Album Online Unspecified Directory Traversal Vulnerability
13. LogiSphere Multiple Directory Traversal Vulnerabilities
14. Sights 'N Sounds Streaming Media Server SWS.EXE Buffer Overflow Vulnerability
15. Opera Web Browser Long Title Element Bookmark Denial of Service Vulnerability
16. Microsoft Internet Explorer Dialog Manipulation Vulnerability
17. Microsoft Internet Explorer HTTPS Proxy Information Disclosure Vulnerability
18. Microsoft Windows Asynchronous Procedure Call Local Privilege Escalation Vulnerability
19. Microsoft Internet Explorer COM Object Instantiation Memory Corruption Vulnerability
20. Opera Web Browser Download Dialog Manipulation File Execution Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. IIS Script source access permission and NTFS DACLs
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION


I. FRONT AND CENTER
---------------------
1. Trusting software
By Jason Miller
Trust is in everything we do, from the important to the mundane. Whether it's open-source or closed-source, how do we evaluate what software, companies and projects are safe to trust?
http://www.securityfocus.com/columnists/373


2. Users inundated with pop-ups
By Scott Granneman
There are many examples where users are now being inundated with pop-up messages asking them to respond to things they don't know about or don't understand, and it leads to weaker security overall.
http://www.securityfocus.com/columnists/374



II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Sun Java System Application Server Reverse SSL Proxy Plug-in Man In The Middle Vulnerability
BugTraq ID: 15728
Remote: Yes
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15728
Summary:
Sun Java System Application Server is prone to a man in the middle vulnerability.


This issue arises when the reverse SSL proxy plug-in is used with a supported Web server.

An attacker may exploit this issue to gain access to sensitive contents of encrypted network traffic between a client and a server.

2. Horde IMP Email Attachments HTML Injection Vulnerability
BugTraq ID: 15730
Remote: Yes
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15730
Summary:
Horde IMP is prone to an HTML injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content.


Attacker-supplied HTML and script code would be executed in the context of the affected Web site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.

Reports indicate this issue is only present when viewing IMP content with the Microsoft Internet Explorer Web browser.

3. PHPMyAdmin Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 15735
Remote: Yes
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15735
Summary:
phpMyAdmin is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.


An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.

4. Multiple Vendor BIOS Password Persistence Weakness
BugTraq ID: 15751
Remote: No
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15751
Summary:
Multiple BIOS (Basic Input-Output System) vendors fail to clear the keyboard buffer after reading the BIOS password during the system startup process.


This issue is reported to affect Insyde BIOS V190, and AWARD BIOS Modular 4.50pg. Other versions and platforms are also likely affected.

Depending on the operating system running on affected computers, the memory region may or may not be available for user-level access. With Linux operating systems, superuser access is required. With Microsoft Windows operating systems, non-privileged users may access the keyboard buffer region.

Attackers that obtain the BIOS password may then utilize it for further attacks.

5. PHPMyAdmin Import_Blacklist Variable Overwrite Vulnerability
BugTraq ID: 15761
Remote: Yes
Date Published: 2005-12-07
Relevant URL: http://www.securityfocus.com/bid/15761
Summary:
phpMyAdmin is prone to a vulnerability that permits an attacker to overwrite global variables.


An attacker can exploit this issue to overwrite the global variables with arbitrary input. Through control of the global variables, the attacker may be able to include arbitrary remote and local files depending on the current PHP version. Various other attacks are also possible.

6. Microsoft Excel Unspecified Memory Corruption Vulnerability
BugTraq ID: 15780
Remote: Yes
Date Published: 2005-12-08
Relevant URL: http://www.securityfocus.com/bid/15780
Summary:
An unspecified vulnerability has been reported to exist in Microsoft Excel. The vulnerability was announced on eBay. The discoverer was offering to sell the vulnerability details until the auction was terminated by eBay. According to the auction description, it is possible to have a large value passed to "msvcrt.memmove()" through data fields in an Excel .xls file. The discoverer has claimed that code execution is possible.


This entry will be updated as more details become available.

**UPDATE (Dec 9, 2005): Microsoft has confirmed that this vulnerability exists. See eWeek link in reference section. The original listing on eBay has been pulled.

7. Microsoft December Advance Notification Unspecified Security Vulnerabilities
BugTraq ID: 15782
Remote: Unknown
Date Published: 2005-12-08
Relevant URL: http://www.securityfocus.com/bid/15782
Summary:
Microsoft has released advance notification for two security bulletins that will be released on December 13, 2005.


8. Lyris ListManager Command Execution Vulnerability
BugTraq ID: 15786
Remote: Yes
Date Published: 2005-12-09
Relevant URL: http://www.securityfocus.com/bid/15786
Summary:
Lyris ListManager is prone to a CRLF injection vulnerability.

Attackers may exploit this weakness to execute list manager administrative commands, and manipulate the structure of outgoing messages. For example, it may be possible for attackers to set the recipient to an arbitrary value.

Versions 5.0 through 8.8a are vulnerable; other versions may also be affected.


9. Lyris Listmanager TCLHTTPd Service Multiple Information Disclosure Vulnerabilities
BugTraq ID: 15788
Remote: Yes
Date Published: 2005-12-09
Relevant URL: http://www.securityfocus.com/bid/15788
Summary:
The Lyris ListManager TCLHTTPd Service is prone to multiple vulnerabilities.


An attacker may obtain unauthorized access to sensitive information, and view arbitrary TML source code on the affected computer.

Versions 5.0 through 8.8a are affected; other versions may also be vulnerable.


10. Lyris ListManager Hidden Variable Information Disclosure Vulnerability
BugTraq ID: 15789
Remote: Yes
Date Published: 2005-12-09
Relevant URL: http://www.securityfocus.com/bid/15789
Summary:
Lyris ListManager is prone to an information disclosure vulnerability.

This vulnerability may be used to disclose the software version and software installation path, which may be helpful in further attacks.

Versions 5.0 through 8.8a are vulnerable; other versions may also be affected.


11. Contenido CMS Unspecified Remote Command Execution Vulnerability
BugTraq ID: 15790
Remote: Yes
Date Published: 2005-12-09
Relevant URL: http://www.securityfocus.com/bid/15790
Summary:
Contenido CMS is prone to an unspecified remote command execution vulnerability. This is due to a lack of proper sanitization of user-supplied input.


An attacker can exploit this vulnerability to execute arbitrary commands in the context of the Web server process. This may facilitate a compromise of the underlying system; other attacks are also possible.

It should be noted that the "allow_url_fopen" and "register_globals" PHP settings must be enabled to exploit this vulnerability.


12. My Album Online Unspecified Directory Traversal Vulnerability
BugTraq ID: 15800
Remote: Yes
Date Published: 2005-12-12
Relevant URL: http://www.securityfocus.com/bid/15800
Summary:
My Album Online is prone to an unspecified directory traversal vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.


An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the Web server process. Information obtained may aid in further attacks; other attacks are also possible.

13. LogiSphere Multiple Directory Traversal Vulnerabilities
BugTraq ID: 15807
Remote: Yes
Date Published: 2005-12-12
Relevant URL: http://www.securityfocus.com/bid/15807
Summary:
LogiSphere is prone to multiple directory traversal vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.


An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the Web server process. Information obtained may aid in further attacks; other attacks are also possible.

14. Sights 'N Sounds Streaming Media Server SWS.EXE Buffer Overflow Vulnerability
BugTraq ID: 15809
Remote: Yes
Date Published: 2005-12-12
Relevant URL: http://www.securityfocus.com/bid/15809
Summary:
Sights 'n Sounds Streaming Media Server is prone to a buffer overflow vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.


Successful exploitation will likely result in a crash of the 'SWS.exe' application, denying service to legitimate users. Arbitrary code execution may also be possible; this may facilitate privilege escalation to SYSTEM level.

Sights 'n Sounds Streaming Media Server version 2.0.3.b is affected.


15. Opera Web Browser Long Title Element Bookmark Denial of Service Vulnerability
BugTraq ID: 15813
Remote: Yes
Date Published: 2005-12-12
Relevant URL: http://www.securityfocus.com/bid/15813
Summary:
Opera Web browser is prone to a denial of service vulnerability when a Web page with a long title element is bookmarked. If this occurs, the browser will not be able to restart after it is closed.


This issue affects Opera running on Windows and Mac OS X. It also affects Japanese users and any users utilizing IME for text input.


16. Microsoft Internet Explorer Dialog Manipulation Vulnerability
BugTraq ID: 15823
Remote: Yes
Date Published: 2005-12-13
Relevant URL: http://www.securityfocus.com/bid/15823
Summary:
Internet Explorer is prone to a remote code execution vulnerability through manipulation of custom dialog boxes. Keystrokes entered while one of these dialogs is displayed may be buffered and passed to a download dialog, allowing attacker-supplied code to be executed.


17. Microsoft Internet Explorer HTTPS Proxy Information Disclosure Vulnerability
BugTraq ID: 15825
Remote: Yes
Date Published: 2005-12-13
Relevant URL: http://www.securityfocus.com/bid/15825
Summary:
Microsoft Internet Explorer is prone to an information disclosure vulnerability when using an authenticating proxy server for HTTPS communications. Exploitation of this issue could result in an attacker gaining a user's authentication credentials.


This issue only exists when the authenticating proxy uses Basic Authentication.


18. Microsoft Windows Asynchronous Procedure Call Local Privilege Escalation Vulnerability
BugTraq ID: 15826
Remote: No
Date Published: 2005-12-13
Relevant URL: http://www.securityfocus.com/bid/15826
Summary:
Microsoft Windows is susceptible to a local privilege escalation vulnerability. This issue is due to a flaw in the Asynchronous Procedure Calls implementation in Microsoft Windows.


This issue allows local attackers to gain elevated privileges, facilitating the complete compromise of affected computers.

19. Microsoft Internet Explorer COM Object Instantiation Memory Corruption Vulnerability
BugTraq ID: 15827
Remote: Yes
Date Published: 2005-12-13
Relevant URL: http://www.securityfocus.com/bid/15827
Summary:
Microsoft Internet Explorer is prone to a memory corruption vulnerability that is related to the instantiation of COM objects. COM objects may corrupt system memory and facilitate arbitrary code execution in the context of the currently logged in user on the affected computer.



20. Opera Web Browser Download Dialog Manipulation File Execution Vulnerability
BugTraq ID: 15835
Remote: Yes
Date Published: 2005-12-13
Relevant URL: http://www.securityfocus.com/bid/15835
Summary:
Opera Web Browser is prone to a remote code execution vulnerability through manipulation of dialog boxes.


An attacker can hide a 'File Download' dialog box underneath a new browser window and entice a user into double clicking a specific area in the window.

This may result in the execution of arbitrary files.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. IIS Script source access permission and NTFS DACLs
http://www.securityfocus.com/archive/88/419335

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to ms-secnews-unsubscribe@xxxxxxxxxxxxxxxxx from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.


If your email address has changed email listadmin@xxxxxxxxxxxxxxxxx and ask to be manually removed.

V.   SPONSOR INFORMATION
------------------------
This Issue is Sponsored By: SpiDynamics

ALERT: "How A Hacker Launches A Blind SQL Injection Attack Step-by-Step!" - White Paper
The newest web app vulnerability: Blind SQL Injection!
Even if your web application does not return error messages, it may still be open to a Blind SQL Injection Attack.
Blind SQL Injection can deliver total control of your server to a hacker, giving them the ability to read, write and manipulate all data stored in your backend systems! Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! https://download.spidynamics.com/1/ad/bsq.asp?Campaign_ID=701300000003Har
