---------- Forwarded message ----------

Joe Testa hellbent Information Leak Vulnerability
BugTraq ID: 3909
Remote: Yes
Date Published: Jan 18 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3909
Summary:
hellbent is a Java web server maintained by Joe Testa. hellbent contains a file called 'hellbent.prefs'; this file contains the web root, paths to the access and error logs, and IP access lists. If a user creates a file in the web root named after one of the preferences within the 'hellbent.prefs' file, and submits a GET request, the server will return the entry for the corresponding preference. For example, if a user names a file index.webroot, and submits a GET request for that file, hellbent will return the corresponding entry within 'hellbent.prefs' for webroot.

Maelstrom Insecure Symbolic Link Vulnerability
BugTraq ID: 3911
Remote: No
Date Published: Jan 20 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3911
Summary:
Maelstrom is a popular game originally written for the Macintosh. It has since been ported to Linux, and released under the GPL. It has been reported that some versions of Maelstrom create a temporary file in an insecure manner. The file /tmp/f is created without proper checks. An attacker may create a symbolic link from this location pointing to any target file. When Maelstrom is executed, the target file will be overwritten if the user has sufficient permissions. Careful selection of the target file could cause a loss of valuable data, and may result in some form of a denial of service attack. For example, email or shell configuration files could be overwritten. Later versions of Maelstrom may share this vulnerability.

Kerberos 5 su Privilege Escalation Vulnerability
BugTraq ID: 3919
Remote: No
Date Published: Jan 21 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3919
Summary:
Kerberos 5 includes a version of 'su', a utility that can be used by a user to change user-identity while logged in. This utility is known as 'k5su'. A vulnerability in k5su may allow for a local user to elevate privileges under certain circumstances. When root runs 'k5su', no password should be required to switch to arbitrary userids.
The user running k5su is determined by the output of getlogin(), a function which returns the username associated with the process' controlling terminal. If the username 'root' is returned, the program functions as though root is using it and does not request passwords. Under certain circumstances, users may have 'root' returned by getlogin(). This may occur if their username is explicitly set to 'root' or if a process lowers privileges but does not set a new login name via setlogin(). On such systems, k5su would act as though root were running it and not prompt for a password. Exploitation of this vulnerability may result in a compromise of root access to local attackers.

GNU Enscript Insecure Temporary File Creation Vulnerability
BugTraq ID: 3920
Remote: No
Date Published: Jan 21 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3920
Summary:
Enscript is a freely available, open source program for transforming ASCII files into PostScript documents. Enscript is used mainly on Unix and Linux operating systems. A problem with Enscript could make it possible for local users to overwrite arbitrary files. The problem is in the creation of insecure temporary files. When executed, Enscript will translate a document written in ASCII to a document written in PostScript. This transforms the formatting of the document, making it possible to add additional features such as images, typesetting, or other enhancements. Enscript creates temporary files insecurely. Enscript makes use of the insecure temporary file creation functions tmpnam() and tempnam(). The tmpnam() function, used in main.c, and the tempnam() function, used in psgen.c, do not create adequately secure temporary file names. In addition to the design problems involved with the tmpnam() and tempnam() functions, inadequate checks are performed by the program to ensure the temporary files do not already exist. This problem makes it possible for a local user to launch a symbolic link attack against a user of Enscript.
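The Maelstrom and Enscript entries above describe the same pattern: a temporary file with a guessable name is opened for writing without an exclusive-create check, so a symbolic link planted at that name redirects the write. The following C example is added here to contrast that pattern with the mkstemp()/O_EXCL approach; it is not code from Maelstrom, Enscript or the advisories. The "enscript.XXXXXX" template, the /tmp directory and the helper names are assumptions made for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Shape of the flaw described for Maelstrom (/tmp/f) and Enscript
 * (tmpnam()/tempnam()): a predictable name, then fopen(..., "w"), which
 * follows a symbolic link someone else placed at that name. Kept out of
 * the build so that running this example never creates such a file. */
#ifdef UNSAFE_DEMO
FILE *open_temp_unsafe(void)
{
    char *name = tmpnam(NULL);        /* guessable; no exclusive create */
    return name ? fopen(name, "w") : NULL;
}
#endif

/* Hardened creation: mkstemp() picks the name and opens it with
 * O_CREAT|O_EXCL and mode 0600, so an existing file or symlink at that
 * path makes the call fail instead of being opened. Returns the open
 * descriptor (or -1) and copies the chosen path into path_out. */
int create_private_tempfile(const char *dir, char *path_out, size_t path_sz)
{
    char tmpl[PATH_MAX];
    int n = snprintf(tmpl, sizeof tmpl, "%s/enscript.XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof tmpl)
        return -1;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    if (strlen(tmpl) >= path_sz) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    strcpy(path_out, tmpl);
    return fd;
}

/* Belt-and-braces check on a descriptor before writing: a regular file,
 * a single hard link, owned by us, not group/world accessible. Checking the
 * descriptor (fstat) rather than the path avoids a second race. */
int tempfile_is_sane(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1 && st.st_uid == getuid()
        && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Shows the property the fix relies on: an O_EXCL create of a path that
 * already exists fails with EEXIST rather than truncating whatever is there.
 * Returns 1 if the open was refused for exactly that reason. */
int open_refuses_existing(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        close(fd);
        return 0;                     /* nothing was there; not the case tested */
    }
    return errno == EEXIST;
}

/* Round trip used by main() and the test: create, verify, try to re-create
 * the same name, clean up. Returns 1 when every check passes. */
int demo_roundtrip(const char *dir)
{
    char path[PATH_MAX];
    int fd = create_private_tempfile(dir, path, sizeof path);
    if (fd < 0)
        return 0;
    int ok = tempfile_is_sane(fd) && open_refuses_existing(path);
    close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("temp file round trip in /tmp: %s\n",
           demo_roundtrip("/tmp") ? "ok" : "failed");
    return 0;
}
```

The fstat() check is what catches the Enscript-style failure where the name is fresh but the file already exists: an attacker's symlink target would typically fail the link-count, ownership or mode test even if it somehow passed the exclusive create.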
This problem could result in the corruption of arbitrary files, and potentially elevated privileges.

Sniffit Mail Logging Buffer Overflow Vulnerability
BugTraq ID: 3923
Remote: Yes
Date Published: Jan 18 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3923
Summary:
Sniffit is a freely available, open source network monitoring tool. It is designed for use on the Unix and Linux operating systems. Sniffit contains at least one remotely exploitable buffer overflow vulnerability. Sniffit can be configured to log specific traffic such as authentication information and emails at the command line using the -L parameter. When Sniffit attempts to log an email and the 'From:' line is greater than 250 bytes, a stack overflow occurs. The overflow is the result of an unbounded 'sprintf()' call. The overflow can result in the corruption of stack variables, including the return address of the affected function, and can ultimately result in the execution of arbitrary code. This could be exploited by a remote attacker to execute arbitrary code as root on the server running Sniffit. There may be other buffer overflow vulnerabilities in Sniffit related to the logging mechanism. There are several suspicious instances of sprintf() in the logging functions. Administrators are advised to use more actively supported alternatives such as Snort or dsniff.

ACD CwpAPI Relative Path Validation Vulnerability
BugTraq ID: 3924
Remote: Yes
Date Published: Jan 18 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3924
Summary:
CwpAPI is a collection of PHP libraries designed to allow the easy creation of secure web programs. The function GetRelativePath is designed to accept a relative path and return a fully qualified path on the server filesystem. It includes a security feature to ensure that the returned path is within the web server root directory. Some versions of CwpAPI do not correctly implement this check.
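Returning to the Sniffit entry above: the defect is an sprintf() into a fixed stack buffer with no length bound, so a 'From:' line longer than the buffer overwrites neighbouring stack data. The C example below is added here and is not Sniffit source; it shows the vulnerable shape as the advisory describes it (compiled only with UNSAFE_DEMO defined) next to a bounded logger built on snprintf(). The 250-byte figure comes from the advisory; the 256-byte LOG_LINE_MAX, the "MAIL FROM:" prefix and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 256      /* constructed: size of the hardened logger's buffer */

#ifdef UNSAFE_DEMO
/* Shape of the flaw as described: a 250-byte stack buffer filled by sprintf()
 * with no length limit. Anything longer than the buffer spills into other
 * stack variables and the saved return address. Not compiled by default. */
void log_from_unsafe(const char *from_line)
{
    char line[250];
    sprintf(line, "MAIL FROM: %s", from_line);
    puts(line);
}
#endif

/* Hardened logger: snprintf() writes at most sizeof(line) bytes, always
 * NUL-terminates, and returns the length the full string would have had, so
 * the caller can detect truncation instead of silently losing data. Copies
 * the logged text into out (size out_sz) and returns 1 if it was truncated. */
int log_from_bounded(const char *from_line, char *out, size_t out_sz)
{
    char line[LOG_LINE_MAX];
    int needed = snprintf(line, sizeof line, "MAIL FROM: %s", from_line);
    int truncated = needed < 0 || (size_t)needed >= sizeof line;
    snprintf(out, out_sz, "%s", line);
    return truncated;
}

/* Feeds a constructed 'From:' value of len bytes ('A' repeated) through the
 * bounded logger. Returns 0 when the line fit, 1 when it was truncated to
 * exactly LOG_LINE_MAX-1 characters, and -1 if the output is inconsistent. */
int demo_long_from(size_t len)
{
    char from[1024], out[1024];
    if (len >= sizeof from)
        len = sizeof from - 1;
    memset(from, 'A', len);
    from[len] = '\0';
    int truncated = log_from_bounded(from, out, sizeof out);
    if (!truncated)
        return strlen(out) == len + strlen("MAIL FROM: ") ? 0 : -1;
    return strlen(out) == LOG_LINE_MAX - 1 ? 1 : -1;
}

/* Convenience for the test: 1 if logging `from` yields exactly `expected`. */
int demo_short_from_equals(const char *from, const char *expected)
{
    char out[1024];
    log_from_bounded(from, out, sizeof out);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    printf("20-byte From: truncated=%d\n", demo_long_from(20));
    printf("300-byte From: truncated=%d\n", demo_long_from(300));
    return 0;
}
```

The return value of snprintf() is the detail worth keeping: a logger that discards it cannot tell an honest 300-byte header from a truncated one, which matters when the log is later used as evidence.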
If a path contains as a substring the correct web root directory, it will be returned. This may include valid directories which are outside the web root. If a program was constructed to rely on this security feature, it is possible it would be vulnerable to an attack. For example, it might be possible to read or write to files outside of the web root, if no additional permission checks or validation are performed.

DNRD DNS Request/Reply Denial Of Service Vulnerability
BugTraq ID: 3928
Remote: Yes
Date Published: Jan 20 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3928
Summary:
dnrd (Domain Name Relay Daemon) is a freely available, open-source proxy name server. It will run on a number of Unix and Linux distributions. dnrd performs its function by forwarding every DNS query to a DNS server, and then forwarding responses back to the client. It is intended to be used by dialup users who need to dial into more than one ISP. It works with a number of dialup systems, including masqdialer. dnrd does not perform sufficient bounds checking on externally supplied data, such as in DNS request and reply functions. It is possible for a remote attacker to submit a request which will cause the dnrd service to shut down. As a result, legitimate users will not be able to use the dnrd service until it is restarted. While it is apparent that a remote attacker may cause some locations in memory to be overwritten, it is not known whether it is possible to execute arbitrary attacker-supplied instructions as a result of this vulnerability.

Netscape/Mozilla Null Character Cookie Stealing Vulnerability
BugTraq ID: 3925
Remote: Yes
Date Published: Jan 21 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3925
Summary:
Mozilla is a popular, freely available, open-source web browser. It runs on most Linux and Unix variants, as well as MacOS and Microsoft Windows 9x/ME/NT/2000/XP operating systems.
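For the dnrd entry above, the missing piece is bounds checking of the DNS message itself. The C example below is added here and is not dnrd code: it reads one name out of a DNS message while checking every index against the buffer length, every label against the RFC 1035 limits, and every compression pointer for backward direction and hop count. The sample message, the 16-hop cap and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_NAME_MAX 255
#define MAX_POINTERS 16    /* constructed cap on compression-pointer hops */

/* Reads the name at msg[offset] into out as a dotted string. Returns the
 * offset of the byte after the name in the original stream (after the
 * first pointer, if one was followed), or -1 for any malformed input. */
long dns_read_name(const uint8_t *msg, size_t len, size_t offset,
                   char *out, size_t out_sz)
{
    size_t pos = offset, outlen = 0, hops = 0;
    long next = -1;
    if (out_sz == 0)
        return -1;
    out[0] = '\0';
    for (;;) {
        if (pos >= len)                          /* length byte out of range */
            return -1;
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {                /* compression pointer */
            if (pos + 1 >= len)                  /* second pointer byte missing */
                return -1;
            if (++hops > MAX_POINTERS)           /* pointer chain too long */
                return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[pos + 1];
            if (next < 0)
                next = (long)(pos + 2);
            if (target >= pos)                   /* must point backward: no loops */
                return -1;
            pos = target;
            continue;
        }
        if (c & 0xC0)                            /* 0x40/0x80 are reserved */
            return -1;
        if (c == 0) {                            /* root label ends the name */
            if (next < 0)
                next = (long)(pos + 1);
            return next;
        }
        if (pos + 1 + c > len)                   /* label bytes out of range */
            return -1;
        size_t newlen = outlen + (outlen ? 1 : 0) + c;
        if (newlen > DNS_NAME_MAX || newlen >= out_sz)
            return -1;                           /* output buffer would overflow */
        if (outlen)
            out[outlen++] = '.';
        memcpy(out + outlen, msg + pos + 1, c);
        outlen += c;
        out[outlen] = '\0';
        pos += 1 + c;
    }
}

/* Constructed message: a plain name, a name using a pointer, a truncated
 * label, and a pointer that refers to itself. */
static const uint8_t sample_msg[] = {
    /* offset 0: www.example.test */
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 4, 't', 'e', 's', 't', 0,
    /* offset 18: "mail" followed by a pointer to offset 4 (example.test) */
    4, 'm', 'a', 'i', 'l', 0xC0, 0x04,
    /* offset 25: label length 10 but only two bytes follow */
    10, 'x', 'y',
    /* offset 28: pointer to offset 28 (itself) */
    0xC0, 0x1C
};

/* Parses sample_msg at offset; returns the next offset if the decoded name
 * equals expected, -1 if the parser rejected the input, -2 on a mismatch. */
long demo_name_equals(size_t offset, const char *expected)
{
    char name[DNS_NAME_MAX + 1];
    long next = dns_read_name(sample_msg, sizeof sample_msg, offset, name, sizeof name);
    if (next < 0)
        return -1;
    return strcmp(name, expected) == 0 ? next : -2;
}

int main(void)
{
    char name[DNS_NAME_MAX + 1];
    for (size_t off = 0; off < sizeof sample_msg; off++) {
        long next = dns_read_name(sample_msg, sizeof sample_msg, off, name, sizeof name);
        if (next >= 0)
            printf("offset %zu: %s (next %ld)\n", off, name, next);
    }
    return 0;
}
```

Every rejection path returns rather than reading further, which is the behaviour that turns a crash (or a memory overwrite, as the advisory leaves open) into a dropped packet.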
Netscape is another popular web-browser product which runs on the same platforms as Mozilla. An issue has been discovered in Mozilla and Netscape which may allow an attacker to steal cookie-based authentication credentials from a user of a vulnerable web browser. The problem is in the handling of NULL (%00) characters in URLs. It is possible for an attacker to read cookie-based authentication credentials that are stored on a web user's system for any domain. The attacker simply creates a malicious link that contains the hostname of a server under their control, followed by a NULL character, followed by the domain the attacker wishes to steal cookies for. Browsing the malicious link causes the web user to connect to the hostname specified in the first part of the link. The server can then access cookies set for the domain that was placed in the URL after the NULL byte. This issue may only be exploited to steal cookies set for a domain, as opposed to cookies set for a specific host in that domain. Cookies set with the secure flag can be stolen if the attacker uses SSL.

psyBNC Encrypted Chat Injection Vulnerability
BugTraq ID: 3931
Remote: Yes
Date Published: Jan 22 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3931
Summary:
psyBNC is an IRC proxy server. It includes a number of features, including the ability to encrypt IRC conversations with a given channel or user. It is an open source project, and will compile on a number of Linux and BSD platforms. Encrypted conversation through psyBNC is flagged by the characters [B] or [I] being prepended to messages. The character used indicates the algorithm used, either Blowfish or IDEA. These characters are displayed to the end user of the IRC client, and the remainder of the message is decrypted and displayed. It is possible for any IRC user to send a message starting with these characters. Under normal circumstances, psyBNC will then attempt to decrypt the message, and discard the garbage produced.
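For the Netscape/Mozilla entry above, the root cause is a hostname that means two different things once it contains a NUL: code that measures it with strlen() sees the part before %00, while code that keeps the original length sees the whole thing and matches cookies on its suffix. The C example below is added here and is not browser code: it percent-decodes a host while rejecting %00 outright, validates the result against the hostname alphabet, and applies a cookie domain match that requires a real label boundary. Function names and sample inputs are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decodes in into out. Rejects malformed escapes and any escape that
 * would yield a NUL byte, since a NUL inside a host name makes every
 * strlen()-based consumer and every length-based consumer disagree about
 * what the host is. Returns the decoded length, or -1 on rejection. */
long percent_decode_host(const char *in, char *out, size_t out_sz)
{
    size_t o = 0;
    for (size_t i = 0; in[i]; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0)
                return -1;                       /* truncated or non-hex escape */
            c = hi * 16 + lo;
            i += 2;
        }
        if (c == 0)
            return -1;                           /* embedded NUL: reject */
        if (o + 1 >= out_sz)
            return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (long)o;
}

/* Hostname alphabet check: letters, digits, '-' and '.', no empty labels,
 * no leading/trailing dot. Anything else (spaces, control bytes) is refused. */
int is_valid_hostname(const char *h)
{
    size_t n = strlen(h);
    if (n == 0 || n > 253 || h[0] == '.' || h[n - 1] == '.' || h[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)h[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return 0;
        if (c == '.' && h[i + 1] == '.')
            return 0;
    }
    return 1;
}

/* Cookie domain match done on the whole, validated host: the host must equal
 * the domain or end with ".domain". "notexample.test" does not match
 * "example.test" because the character before the suffix is not a dot. */
int cookie_domain_matches(const char *host, const char *domain)
{
    if (domain[0] == '.')
        domain++;                                /* tolerate ".example.test" */
    size_t hl = strlen(host), dl = strlen(domain);
    if (dl == 0 || hl < dl)
        return 0;
    if (strcmp(host, domain) == 0)
        return 1;
    return hl > dl && host[hl - dl - 1] == '.'
        && strcmp(host + hl - dl, domain) == 0;
}

/* Test helper: -1 if the decoder rejected in, 1 if it decoded to expected,
 * 0 if it decoded to something else. */
int demo_decode_equals(const char *in, const char *expected)
{
    char host[256];
    if (percent_decode_host(in, host, sizeof host) < 0)
        return -1;
    return strcmp(host, expected) == 0;
}

int main(void)
{
    const char *samples[] = { "www.example.test", "a%2Eb", "evil.test%00example.test" };
    for (size_t i = 0; i < 3; i++)
        printf("%-28s -> %s\n", samples[i],
               demo_decode_equals(samples[i], "") == -1 ? "rejected" : "accepted");
    return 0;
}
```

The decode step rejects the NUL before any later component can disagree about the string's length; validating the alphabet afterwards catches the same class of problem for other control bytes.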
However, if control characters are inserted into the string "[B]", psyBNC will not attempt to decrypt the message. Control characters with no net impact on the displayed text may be entirely unnoticed by other IRC clients, resulting in the apparent injection of text into an encrypted conversation. This does not immediately compromise the content of the encrypted conversation. However, various social engineering attacks may be possible through abuse of this vulnerability.

DOOWS User Permissions Vulnerability
BugTraq ID: 3932
Remote: Yes
Date Published: Jan 20 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3932
Summary:
DOOW (Database of our owlish wisdom) is a web-based "knowledge database", which allows users to post information about different topics. It is written in PHP4 and back-ended by a MySQL database. Vulnerable versions of DOOW do not properly check user permissions. This may allow an unprivileged user of the service to access restricted areas of the website. For example, a normal user may be able to gain access to the administrative functions of DOOW.

Shoutcast Long Backslash Admin.CGI Request Denial Of Service Vulnerability
BugTraq ID: 3934
Remote: Yes
Date Published: Jan 19 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3934
Summary:
Shoutcast is a freely available network music broadcast program. It is maintained and distributed by NullSoft. A problem with the program may make it possible to deny service to legitimate users. The problem is in the handling of malformed requests. Shoutcast listens on an admin-specified set of ports for client connections. Upon initiation of a client connection, Shoutcast sends a stream of audio to the client. Shoutcast also provides a web configuration interface. It is possible for a remote user to crash the Shoutcast server. When a user connects to the administrative interface, and makes a request from the admin.cgi script for an arbitrarily long backslash string, the server reacts unpredictably.
This type of malformed request can cause the server to become unstable and crash. This problem makes it possible for a remote user to deny service to legitimate users of the service.

CHUID Privileged File Owner Changing Vulnerability
BugTraq ID: 3938
Remote: Yes
Date Published: Jan 21 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3938
Summary:
chuid is a freely available, open source user id changing utility. It was written and is maintained by Scott Parish. It is designed for use on the Linux operating system. A problem with chuid could make it possible for a remote user to change the ownership of privileged files. The problem is in the checking of file ownership. The chuid utility is used to change the ownership of files uploaded to a server. Files uploaded to a predesignated directory can be changed to a specified user or group membership. Due to insufficient checking of user input, it is possible for a remote user to change the ownership or group membership of a file owned by a privileged user. Since this problem makes it possible for a remote user to change the ownership and/or group membership of a privileged file, it could lead to the attacker gaining elevated privileges.

CHUID Upload Directory Escaping File Owner Changing Vulnerability
BugTraq ID: 3937
Remote: Yes
Date Published: Jan 23 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3937
Summary:
chuid is a freely available, open source user id changing utility. It was written and is maintained by Scott Parish. It is designed for use on the Linux operating system. A problem with chuid could make it possible for a remote user to change the ownership of arbitrary files. The problem is in the handling of the dot-dot-slash directive. The chuid utility is used to change the ownership of files uploaded to a server. Files uploaded to a predesignated directory can be changed to a specified user or group membership.
Due to insufficient sanitization of user input, it is possible for a remote user to pass the name of a file outside of the predesignated ownership changing directory. This could allow a remote user to change the ownership or group membership of a restricted or privileged file. This problem makes it possible for a remote user to change the ownership and/or group membership of an arbitrary file, and could lead to elevated privileges.

Conectiva Linux MySQL World Readable Log File Vulnerability
BugTraq ID: 3907
Remote: No
Date Published: Jan 18 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3907
Summary:
MySQL is a relational database management system (RDBMS), freely available and open source. It is maintained by MySQL AB. A vulnerability has been discovered that may make it possible for local attackers to access extremely sensitive information. All queries made to the database are stored in the /var/log/mysql file; queries logged include user creation, password changes, etc. Due to a flaw in the implementation of MySQL, the mysql file is stored as world readable, potentially disclosing sensitive information to local attackers. It has been reported that only Conectiva Linux's implementation of MySQL incorrectly leaves the permissions of this file as world readable.

PHPNuke SQL_Debug Information Disclosure Vulnerability
BugTraq ID: 3906
Remote: Yes
Date Published: Jan 18 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3906
Summary:
PHPNuke is a website creation/maintenance tool. It can be back-ended by a number of database products such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc. A vulnerability has been discovered in PHPNuke which has the potential to disclose sensitive information about the underlying MySQL database. The sql_layer.php script contains a debugging feature (sql_debug) which allows users to display information about all SQL queries made by PHPNuke. Access to the debugging feature is not restricted to administrators.
This may be used by a remote attacker to disclose sensitive information about the database which may contribute to further attacks against the website running PHPNuke and the database. It is not known whether PostNuke is also affected by this issue.

Joe Testa hellbent Relative Web Root Path Information Disclosure Vulnerability
BugTraq ID: 3908
Remote: Yes
Date Published: Jan 18 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/3908
Summary:
hellbent is a Java web server maintained by Joe Testa. An issue exists in hellbent which could enable a remote user to deduce the web root. If hellbent receives a request containing '../' sequences of a relative path which exits the web root then re-enters it, hellbent will either return a 403 Forbidden or a 200 OK message along with the requested object. If the 200 OK message appears, the user will have confirmed the relative path that was submitted. Successful exploitation of this vulnerability could assist a user in further attacks against the target host.
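Three entries above share one root cause: CwpAPI accepts any path that merely contains the web root as a substring, chuid (BID 3937) lets '../' in an upload name escape its directory, and hellbent answers differently depending on whether a '../' path re-enters the web root. The C example below is added here and is not code from any of those projects: it normalises a path lexically (collapsing '.', '..' and repeated slashes, never climbing above '/'), then checks containment on a label boundary, and shows the substring check beside it so the difference is visible. Root directories, file names and function names are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The check the CwpAPI advisory describes: the root appears somewhere in the
 * path. "/var/www-private/x" and "/etc/passwd/var/www" both pass it. */
int within_root_substring_buggy(const char *root, const char *path)
{
    return strstr(path, root) != NULL;
}

/* Lexical normalisation of an absolute path: drops "." segments, resolves
 * ".." by popping the previous segment (stopping at "/"), collapses repeated
 * slashes and strips a trailing slash. Returns 0, or -1 on bad input. */
int normalize_path(const char *in, char *out, size_t out_sz)
{
    if (in[0] != '/' || out_sz < 2)
        return -1;
    size_t olen = 1;
    out[0] = '/';
    const char *p = in;
    while (*p) {
        while (*p == '/')
            p++;
        if (!*p)
            break;
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        size_t seglen = (size_t)(p - seg);
        if (seglen == 1 && seg[0] == '.')
            continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            while (olen > 1 && out[olen - 1] != '/')
                olen--;                          /* drop the last segment */
            if (olen > 1)
                olen--;                          /* and its separator */
            continue;
        }
        if (olen > 1) {
            if (olen + 1 >= out_sz)
                return -1;
            out[olen++] = '/';
        }
        if (olen + seglen >= out_sz)
            return -1;
        memcpy(out + olen, seg, seglen);
        olen += seglen;
    }
    out[olen] = '\0';
    return 0;
}

/* Containment on a label boundary: after normalising both sides, path must
 * equal root or start with root followed by '/'. */
int path_within_root(const char *root, const char *path)
{
    char r[512], p[512];
    if (normalize_path(root, r, sizeof r) != 0 || normalize_path(path, p, sizeof p) != 0)
        return 0;
    size_t rl = strlen(r);
    if (rl == 1)
        return 1;                                /* root is "/" */
    if (strcmp(p, r) == 0)
        return 1;
    return strncmp(p, r, rl) == 0 && p[rl] == '/';
}

/* The chuid shape: a user-supplied name joined onto a fixed directory.
 * Fills out with the normalised path and returns 0, or -1 if the result
 * would lie outside root. */
int resolve_under_root(const char *root, const char *relative, char *out, size_t out_sz)
{
    char joined[1024];
    int n = snprintf(joined, sizeof joined, "%s/%s", root, relative);
    if (n < 0 || (size_t)n >= sizeof joined)
        return -1;
    if (normalize_path(joined, out, out_sz) != 0)
        return -1;
    return path_within_root(root, out) ? 0 : -1;
}

/* Test helpers: 1 on the expected result, 0 on a mismatch, -1 if rejected. */
int demo_normalize_equals(const char *in, const char *expected)
{
    char out[512];
    if (normalize_path(in, out, sizeof out) != 0)
        return -1;
    return strcmp(out, expected) == 0;
}

int demo_resolve_equals(const char *root, const char *relative, const char *expected)
{
    char out[512];
    if (resolve_under_root(root, relative, out, sizeof out) != 0)
        return -1;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    const char *cases[] = { "/var/www/index.html", "/var/www/../etc/passwd", "/var/www-private/x" };
    for (size_t i = 0; i < 3; i++)
        printf("%-26s substring=%d boundary=%d\n", cases[i],
               within_root_substring_buggy("/var/www", cases[i]),
               path_within_root("/var/www", cases[i]));
    return 0;
}
```

Normalising before the comparison is what makes the hellbent "exit then re-enter" case uninteresting: '/var/www/../www/secret' and '/var/www/secret' collapse to the same string, so the server's answer no longer depends on the route the request took to get there.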
