SecurityFocus Microsoft Newsletter #269
----------------------------------------
This Issue is Sponsored By: SpiDynamics
ALERT: "How A Hacker Launches A Blind SQL Injection Attack Step-by-Step" - White Paper
The newest web app vulnerability. Blind SQL Injection!
Even if your web application does not return error messages, it may still be
open to a Blind SQL Injection Attack.
Blind SQL Injection can deliver total control of your server to a hacker giving
them the ability to read, write and manipulate all data stored in your backend
systems! Download this *FREE* white paper from SPI Dynamics for a complete guide
to protection!
https://download.spidynamics.com/1/ad/bsq.asp?Campaign_ID=701300000003Har
------------------------------------------------------------------
I. FRONT AND CENTER
1. Trusting software
2. Users inundated with pop-ups
II. MICROSOFT VULNERABILITY SUMMARY
1. Sun Java System Application Server Reverse SSL Proxy Plug-in Man In
The Middle Vulnerability
2. Horde IMP Email Attachments HTML Injection Vulnerability
3. PHPMyAdmin Multiple Cross-Site Scripting Vulnerabilities
4. Multiple Vendor BIOS Password Persistence Weakness
5. PHPMyAdmin Import_Blacklist Variable Overwrite Vulnerability
6. Microsoft Excel Unspecified Memory Corruption Vulnerability
7. Microsoft December Advance Notification Unspecified Security
Vulnerabilities
8. Lyris ListManager Command Execution Vulnerability
9. Lyris Listmanager TCLHTTPd Service Multiple Information Disclosure
Vulnerabilities
10. Lyris ListManager Hidden Variable Information Disclosure
Vulnerability
11. Contenido CMS Unspecified Remote Command Execution Vulnerability
12. My Album Online Unspecified Directory Traversal Vulnerability
13. LogiSphere Multiple Directory Traversal Vulnerabilities
14. Sights 'N Sounds Streaming Media Server SWS.EXE Buffer Overflow
Vulnerability
15. Opera Web Browser Long Title Element Bookmark Denial of Service
Vulnerability
16. Microsoft Internet Explorer Dialog Manipulation Vulnerability
17. Microsoft Internet Explorer HTTPS Proxy Information Disclosure
Vulnerability
18. Microsoft Windows Asynchronous Procedure Call Local Privilege
Escalation Vulnerability
19. Microsoft Internet Explorer COM Object Instantiation Memory
Corruption Vulnerability
20. Opera Web Browser Download Dialog Manipulation File Execution
Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. IIS Script source access permission and NTFS DACLs
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION
I. FRONT AND CENTER
---------------------
1. Trusting software
By Jason Miller
Trust is in everything we do, from the important to the mundane. Whether it's
open-source or closed-source, how do we evaluate what software, companies and
projects are safe to trust?
http://www.securityfocus.com/columnists/373
2. Users inundated with pop-ups
By Scott Granneman
There are many examples where users are now being inundated with pop-up
messages asking them to respond to things they don't know about or don't
understand, and it leads to weaker security overall.
http://www.securityfocus.com/columnists/374
II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Sun Java System Application Server Reverse SSL Proxy Plug-in Man In The
Middle Vulnerability
BugTraq ID: 15728
Remote: Yes
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15728
Summary:
Sun Java System Application Server is prone to a man in the middle
vulnerability.
This issue arises when the reverse SSL proxy plug-in is used with a supported
Web server.
An attacker may exploit this issue to gain access to sensitive contents of
encrypted network traffic between a client and a server.
2. Horde IMP Email Attachments HTML Injection Vulnerability
BugTraq ID: 15730
Remote: Yes
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15730
Summary:
Horde IMP is prone to an HTML injection vulnerability. This issue is due to a
failure in the application to properly sanitize user-supplied input before
using it in dynamically generated content.
Attacker-supplied HTML and script code would be executed in the context of the
affected Web site, potentially allowing for theft of cookie-based
authentication credentials. An attacker could also exploit this issue to
control how the site is rendered to the user; other attacks are also possible.
Reports indicate this issue is only present when viewing IMP content with the
Microsoft Internet Explorer Web browser.
3. PHPMyAdmin Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 15735
Remote: Yes
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15735
Summary:
phpMyAdmin is prone to multiple cross-site scripting vulnerabilities. These
issues are due to a failure in the application to properly sanitize
user-supplied input.
An attacker may leverage these issues to have arbitrary script code executed in
the browser of an unsuspecting user in the context of the affected site. This
may facilitate the theft of cookie-based authentication credentials as well as
other attacks.
4. Multiple Vendor BIOS Password Persistence Weakness
BugTraq ID: 15751
Remote: No
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15751
Summary:
Multiple BIOS (Basic Input-Output System) vendors fail to clear the keyboard
buffer after reading the BIOS password during the system startup process.
This issue is reported to affect Insyde BIOS V190, and AWARD BIOS Modular
4.50pg. Other versions and platforms are also likely affected.
Depending on the operating system running on affected computers, the memory
region may or may not be available for user-level access. With Linux operating
systems, superuser access is required. With Microsoft Windows operating
systems, non-privileged users may access the keyboard buffer region.
Attackers that obtain the BIOS password may then utilize it for further
attacks.
5. PHPMyAdmin Import_Blacklist Variable Overwrite Vulnerability
BugTraq ID: 15761
Remote: Yes
Date Published: 2005-12-07
Relevant URL: http://www.securityfocus.com/bid/15761
Summary:
phpMyAdmin is prone to a vulnerability that permits an attacker to overwrite
global variables.
An attacker can exploit this issue to overwrite the global variables with
arbitrary input. Through control of the global variables, the attacker may be
able to include arbitrary remote and local files depending on the current PHP
version. Various other attacks are also possible.
6. Microsoft Excel Unspecified Memory Corruption Vulnerability
BugTraq ID: 15780
Remote: Yes
Date Published: 2005-12-08
Relevant URL: http://www.securityfocus.com/bid/15780
Summary:
An unspecified vulnerability has been reported to exist in Microsoft Excel.
The vulnerability was announced on eBay. The discoverer was offering to sell
the vulnerability details until the auction was terminated by eBay. According
to the auction description, it is possible to have a large value passed to
"msvcrt.memmove()" through data fields in an Excel .xls file. The discoverer
has claimed that code execution is possible.
This entry will be updated as more details become available.
**UPDATE (Dec 9, 2005): Microsoft has confirmed that this vulnerability exists.
See eWeek link in reference section. The original listing on eBay has been
pulled.
7. Microsoft December Advance Notification Unspecified Security Vulnerabilities
BugTraq ID: 15782
Remote: Unknown
Date Published: 2005-12-08
Relevant URL: http://www.securityfocus.com/bid/15782
Summary:
Microsoft has released advance notification for two security bulletins that
will be released on December 13, 2005.
8. Lyris ListManager Command Execution Vulnerability
BugTraq ID: 15786
Remote: Yes
Date Published: 2005-12-09
Relevant URL: http://www.securityfocus.com/bid/15786
Summary:
Lyris ListManager is prone to a CRLF injection vulnerability.
Attackers may exploit this weakness to execute list manager administrative
commands, and manipulate the structure of outgoing messages. For example, it
may be possible for attackers to set the recipient to an arbitrary value.
Versions 5.0 through 8.8a are vulnerable; other versions may also be affected.
9. Lyris Listmanager TCLHTTPd Service Multiple Information Disclosure
Vulnerabilities
BugTraq ID: 15788
Remote: Yes
Date Published: 2005-12-09
Relevant URL: http://www.securityfocus.com/bid/15788
Summary:
The Lyris ListManager TCLHTTPd Service is prone to multiple vulnerabilities.
An attacker may obtain unauthorized access to sensitive information, and view
arbitrary TML source code on the affected computer.
Versions 5.0 through 8.8a are affected; other versions may also be vulnerable.
10. Lyris ListManager Hidden Variable Information Disclosure Vulnerability
BugTraq ID: 15789
Remote: Yes
Date Published: 2005-12-09
Relevant URL: http://www.securityfocus.com/bid/15789
Summary:
Lyris ListManager is prone to an information disclosure vulnerability.
This vulnerability may be used to disclose the software version and software
installation path, which may be helpful in further attacks.
Versions 5.0 through 8.8a are vulnerable; other versions may also be affected.
11. Contenido CMS Unspecified Remote Command Execution Vulnerability
BugTraq ID: 15790
Remote: Yes
Date Published: 2005-12-09
Relevant URL: http://www.securityfocus.com/bid/15790
Summary:
Contenido CMS is prone to an unspecified remote command execution
vulnerability. This is due to a lack of proper sanitization of user-supplied
input.
An attacker can exploit this vulnerability to execute arbitrary commands in the
context of the Web server process. This may facilitate a compromise of the
underlying system; other attacks are also possible.
It should be noted that the "allow_url_fopen" and "register_globals" PHP
configuration options must be enabled to exploit this vulnerability.
12. My Album Online Unspecified Directory Traversal Vulnerability
BugTraq ID: 15800
Remote: Yes
Date Published: 2005-12-12
Relevant URL: http://www.securityfocus.com/bid/15800
Summary:
My Album Online is prone to an unspecified directory traversal vulnerability.
This issue is due to a failure in the application to properly sanitize
user-supplied input.
An attacker can exploit this vulnerability to retrieve arbitrary files from the
vulnerable system in the context of the Web server process. Information
obtained may aid in further attacks; other attacks are also possible.
13. LogiSphere Multiple Directory Traversal Vulnerabilities
BugTraq ID: 15807
Remote: Yes
Date Published: 2005-12-12
Relevant URL: http://www.securityfocus.com/bid/15807
Summary:
LogiSphere is prone to multiple directory traversal vulnerabilities. These
issues are due to a failure in the application to properly sanitize
user-supplied input.
An attacker can exploit this vulnerability to retrieve arbitrary files from the
vulnerable system in the context of the Web server process. Information
obtained may aid in further attacks; other attacks are also possible.
14. Sights 'N Sounds Streaming Media Server SWS.EXE Buffer Overflow
Vulnerability
BugTraq ID: 15809
Remote: Yes
Date Published: 2005-12-12
Relevant URL: http://www.securityfocus.com/bid/15809
Summary:
Sights 'n Sounds Streaming Media Server is prone to a buffer overflow
vulnerability. This issue is due to a failure in the application to properly
sanitize user-supplied input.
Successful exploitation will likely result in a crash of the 'SWS.exe'
application, denying service to legitimate users. Arbitrary code execution may
also be possible; this may facilitate privilege escalation to SYSTEM level.
Sights 'n Sounds Streaming Media Server version 2.0.3.b is affected.
15. Opera Web Browser Long Title Element Bookmark Denial of Service
Vulnerability
BugTraq ID: 15813
Remote: Yes
Date Published: 2005-12-12
Relevant URL: http://www.securityfocus.com/bid/15813
Summary:
Opera Web browser is prone to a denial of service vulnerability when a Web page
with a long title element is bookmarked. If this occurs, the browser will not
be able to restart after it is closed.
This issue affects Opera running on Windows and Mac OS X. It also affects
Japanese users and any users utilizing IME for text input.
16. Microsoft Internet Explorer Dialog Manipulation Vulnerability
BugTraq ID: 15823
Remote: Yes
Date Published: 2005-12-13
Relevant URL: http://www.securityfocus.com/bid/15823
Summary:
Internet Explorer is prone to a remote code execution vulnerability through
manipulation of custom dialog boxes. Keystrokes entered while one of these
dialogs is displayed may be buffered and passed to a download dialog, allowing
attacker-supplied code to be executed.
17. Microsoft Internet Explorer HTTPS Proxy Information Disclosure
Vulnerability
BugTraq ID: 15825
Remote: Yes
Date Published: 2005-12-13
Relevant URL: http://www.securityfocus.com/bid/15825
Summary:
Microsoft Internet Explorer is prone to an information disclosure vulnerability
when using an authenticating proxy server for HTTPS communications.
Exploitation of this issue could result in an attacker gaining a user's
authentication credentials.
This issue only exists when the authenticating proxy uses Basic Authentication.
18. Microsoft Windows Asynchronous Procedure Call Local Privilege Escalation
Vulnerability
BugTraq ID: 15826
Remote: No
Date Published: 2005-12-13
Relevant URL: http://www.securityfocus.com/bid/15826
Summary:
Microsoft Windows is susceptible to a local privilege escalation vulnerability.
This issue is due to a flaw in the Asynchronous Procedure Calls implementation
in Microsoft Windows.
This issue allows local attackers to gain elevated privileges, facilitating the
complete compromise of affected computers.
19. Microsoft Internet Explorer COM Object Instantiation Memory Corruption
Vulnerability
BugTraq ID: 15827
Remote: Yes
Date Published: 2005-12-13
Relevant URL: http://www.securityfocus.com/bid/15827
Summary:
Microsoft Internet Explorer is prone to a memory corruption vulnerability that
is related to the instantiation of COM objects.
COM objects may corrupt system memory and facilitate arbitrary code execution
in the context of the currently logged in user on the affected computer.
20. Opera Web Browser Download Dialog Manipulation File Execution Vulnerability
BugTraq ID: 15835
Remote: Yes
Date Published: 2005-12-13
Relevant URL: http://www.securityfocus.com/bid/15835
Summary:
Opera Web Browser is prone to a remote code execution vulnerability through
manipulation of dialog boxes.
An attacker can hide a 'File Download' dialog box underneath a new browser
window and entice a user into double clicking a specific area in the window.
This may result in the execution of arbitrary files.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. IIS Script source access permission and NTFS DACLs
http://www.securityfocus.com/archive/88/419335
IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to
[EMAIL PROTECTED] from the subscribed address. The
contents of the subject or message body do not matter. You will receive a
confirmation request message to which you will have to answer. Alternatively
you can also visit http://www.securityfocus.com/newsletters and unsubscribe via
the website.
If your email address has changed email [EMAIL PROTECTED] and ask to
be manually removed.
V. SPONSOR INFORMATION
------------------------
This Issue is Sponsored By: SpiDynamics
ALERT: "How A Hacker Launches A Blind SQL Injection Attack Step-by-Step" - White Paper
The newest web app vulnerability. Blind SQL Injection!
Even if your web application does not return error messages, it may still be
open to a Blind SQL Injection Attack.
Blind SQL Injection can deliver total control of your server to a hacker giving
them the ability to read, write and manipulate all data stored in your backend
systems! Download this *FREE* white paper from SPI Dynamics for a complete guide
to protection!
https://download.spidynamics.com/1/ad/bsq.asp?Campaign_ID=701300000003Har
---------------------------------------------------------------------------