HP AdvanceStack Switch Authentication Bypass Vulnerability
BugTraq ID: 4062
Remote: Yes
Date Published: Feb 08 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4062
Summary:
HP AdvanceStack 10Base-T Switching Hubs combine 10Base-T functionality with the performance of switching. A vulnerability has been discovered which may allow an unprivileged user of the device to gain elevated privileges.

It has been reported that authentication for HP J3210A 10Base-T Switching Hubs may be bypassed by a user who accesses one of the administrative web pages directly. The attacker may allegedly change the superuser password of the device via this interface and gain access to the administrative facilities of the device. Additionally, authentication credentials are disclosed to the attacker.

If this issue is successfully exploited, the attacker will be able to change the configuration of the affected device.

*Reportedly, the password is stored in plain text and can be revealed by viewing the source of the web page.

[ hardware ]

PHP Include File Relative Directory Information Disclosure Vulnerability
BugTraq ID: 4063
Remote: Yes
Date Published: Feb 08 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4063
Summary:
Apache is a powerful, widely used web server available for most operating systems, including Linux, Windows and many other Unix-like systems. PHP is a widely deployed scripting language, designed for web-based development and CGI programming.

A path disclosure vulnerability exists in the default configuration of some releases of PHP when used with the Apache web server. If PHP include files are referenced with a relative directory, it is possible to cause the include statement to fail. Submitting a request for a PHP file with a trailing slash '/' appended will return an error message and the full path to the include file directory.

'Require' statements may also be susceptible to this issue.
Arescom NetDSL DSL Router Administrative Access Password Vulnerability
BugTraq ID: 4066
Remote: Yes
Date Published: Feb 08 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4066
Summary:
NetDSL routers are a hardware solution manufactured by Arescom. They are designed to provide high-speed internet access to home and home-office users.

A problem with some NetDSL routers could make it possible for a remote user to gain administrative access on the router. The problem is in the handling of authentication. Some NetDSL routers do not properly control access to administrative functions by default. It has been reported that NetDSL 800 routers by default permit access via telnet, and additionally do not require a password to gain administrative access.

This problem makes it possible for remote users to gain administrative access to a NetDSL router, and potentially reconfigure the router, resulting in a denial of service.

Arescom Net DSL 1000 telnet Denial of Service Vulnerability
BugTraq ID: 4067
Remote: Yes
Date Published: Feb 09 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4067
Summary:
The Arescom NETDSL 1000 Series ADSL router provides a telnet-based management interface for configuration. This interface can be disabled by repeatedly connecting and sending long strings (256 characters) when prompted for a password. This does not affect normal router function, but shuts down the management console until the router is powered down and restarted.

It is reported that the management interface behaves as though it does not distinguish between different telnet sessions. When the long password is sent, it causes the router to display an "Invalid password" type message a number of times. If it is reconnected to, it continues to display these messages as it processes the previous session's login attempt.
If the act of connecting to the interface, sending long strings, and disconnecting is repeated numerous times, the interface crashes, reportedly without affecting other router functions.

EZNE.NET Ezboard 2000 Remote Buffer Overflow Vulnerability
BugTraq ID: 4068
Remote: Yes
Date Published: Feb 11 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4068
Summary:
Ezboard 2000 is a web-based bulletin board system. It is available for Linux systems.

A vulnerability has been reported in some versions of Ezboard. In some CGI programs, user-supplied data is written to a statically sized array with a sprintf call. Large amounts of user-supplied data may overflow this array and overwrite adjacent areas of stack memory. If return pointers are overwritten, arbitrary code may be executed as the vulnerable process.

It has been reported that the scripts ezboard.cgi, ezman.cgi and ezadmin.cgi suffer from this vulnerability.

MakeBid Auction Deluxe Plaintext Cookie Vulnerability
BugTraq ID: 4070
Remote: Yes
Date Published: Feb 09 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4070
Summary:
MakeBid Auction Deluxe is software for hosting real-time auctions on a website. It is written in Perl and will run on most Unix and Linux variants.

Auction users may opt to save their login, so that they are not prompted for a username/password on repeat visits to the auction website. The auction software handles this by issuing a cookie to the user. However, a vulnerability has been discovered which may help to enable an attacker to hijack the account of a legitimate auction user. MakeBid Auction Deluxe stores authentication credentials in plaintext in cookies.

BugTraq ID 4069 "MakeBid Auction Deluxe Cross-Site Scripting Vulnerability" describes an issue which allows a remote attacker to steal cookies from legitimate users of the service. In combination with this issue, an attacker is able to access auction accounts of other legitimate users.
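The sprintf-into-a-fixed-array pattern described in the Ezboard entry above (the mpg321 entry further down describes the same shape with an over-long argv value) as an added C example. This is not code from Ezboard, mpg321 or this digest: the buffer size, the function names and the sample CGI value are constructed for illustration. The unbounded form is kept only to show the pattern; the bounded form uses snprintf's return value to detect input that would not fit and refuses it instead of writing past the array.

```c
/* Added example, not vendor code: the sprintf-into-fixed-buffer pattern
 * beside a bounded replacement. OUT_LEN, the function names and the sample
 * inputs are constructed for this demo. */
#include <stdio.h>
#include <string.h>

#define OUT_LEN 64   /* assumed size of the statically sized output array */

/* Pattern the advisory describes: user-supplied text formatted into a fixed
 * array with sprintf. Nothing bounds the write, so a value longer than the
 * array runs into adjacent stack memory. Only ever called with short input
 * here. */
static void greet_unbounded(char out[OUT_LEN], const char *user) {
    sprintf(out, "Welcome, %s!", user);   /* no length limit on %s */
}

/* Hardened form: snprintf never writes past OUT_LEN bytes, and its return
 * value is the length the full string would have had. Anything that does not
 * fit is rejected outright (empty output, -1) rather than silently truncated,
 * which is the safer default for data that feeds later processing. */
static int greet_bounded(char out[OUT_LEN], const char *user) {
    int n = snprintf(out, OUT_LEN, "Welcome, %s!", user);
    if (n < 0 || (size_t)n >= OUT_LEN) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Longest user name that still fits: buffer minus NUL minus fixed text. */
static size_t max_user_len(void) {
    return OUT_LEN - 1 - strlen("Welcome, !");
}

int main(void) {
    char line[OUT_LEN];
    /* Constructed inputs: a normal CGI value and one far longer than the array. */
    const char *normal = "alice";
    char huge[512];
    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';

    greet_unbounded(line, normal);   /* harmless for short input */
    printf("%s\n", line);
    if (greet_bounded(line, huge) == -1)
        printf("rejected %zu-byte value (limit %zu)\n",
               strlen(huge), max_user_len());
    return 0;
}
```

The same check applies to any fixed-size destination: compare what the formatter wanted to write against what the buffer can hold, and treat the mismatch as an error, not as data.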
MakeBid Auction Deluxe Cross-Site Scripting Vulnerability
BugTraq ID: 4069
Remote: Yes
Date Published: Feb 09 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4069
Summary:
MakeBid Auction Deluxe is software for hosting real-time auctions on a website. It is written in Perl and will run on most Unix and Linux variants.

MakeBid Auction Deluxe does not filter HTML tags from form fields. In particular, it is possible to include arbitrary script code in the following form fields: City/State/Zip of a new auction registrant, Title/Description of a new auction item, and Item/Description for a new auction item. As a result, malicious script code will be executed when auction items are viewed by another legitimate user of the website running the vulnerable software.

The malicious script code will be executed in the browser of the legitimate user, in the context of the MakeBid Auction Deluxe website. This may allow an attacker to steal cookie-based authentication credentials from a legitimate user. In combination with BugTraq ID 4070 "MakeBid Auction Deluxe Plaintext Cookie Vulnerability", it is trivial for an attacker to hijack the account of an auction user.

Bavo Message Editing Insecure CGI Vulnerability
BugTraq ID: 4079
Remote: Yes
Date Published: Feb 12 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4079
Summary:
Bavo is a freely available, open source news reader. It is designed for use on Linux, Unix, and Microsoft operating systems.

A problem with the software package could make it possible for a remote user to edit messages. The problem is in the filtering of input. It is possible for a remote user to edit messages in the Bavo archive. By examining the Bavo source and learning the CGI syntax used by Bavo, a remote user may alter the contents of archived messages.

This problem makes it possible for an unauthorized remote user to alter the contents of posted messages.
GNU Ada Compiler Runtime Library Insecure Temporary File Creation Vulnerability
BugTraq ID: 4086
Remote: No
Date Published: Feb 12 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4086
Summary:
The GNU Ada Compiler (Gnat) is an open source commercial Ada compiler distributed and maintained by Ada Core Technologies. It is designed for use on Unix, Linux, and Microsoft operating systems, in addition to others.

A problem in the runtime libraries used by binaries created with the compiler could create race condition situations. The problem is due to the insecure creation of temporary files.

Gnat is a hybrid compiler. It combines the strengths of the GNU C Compiler and the Ada programming language. The Gnat runtime libraries use routines that, when linked with a binary created by the compiler, can make the binary vulnerable to temporary file race conditions. This is due to the library using the deprecated tmpnam function, which generates a name for a temporary file that did not exist at some point. The function neither checks nor generates errors when generating names for temporary files.

This problem could make it possible for an attacker to exploit a program built with the compiler to launch a symbolic link attack. This could in turn lead to the overwriting of arbitrary files owned by another user, and potentially elevated privileges.

Multiple Vendor SNMP Trap Handling Vulnerabilities
BugTraq ID: 4088
Remote: Yes
Date Published: Feb 12 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4088
Summary:
SNMP traps are messages sent from agent to manager systems. They typically notify the manager that some event has occurred or otherwise provide information about the status of the agent.

Multiple vulnerabilities have been discovered in a number of SNMP implementations. The vulnerabilities are known to exist in the process of decoding and interpreting SNMP trap messages.
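The decoding step the SNMP trap entry above points at (the request entry that follows concerns the same step on the agent side), as an added C example that is not code from any affected vendor or from this digest. SNMP messages are BER-encoded tag/length/value triples, and the check a robust decoder must make is that every declared length fits inside the bytes actually received, including the long-form and indefinite-length encodings; the function names and the two sample packets are constructed for the demo.

```c
/* Added example, not vendor code: a bounds-checked BER header reader and a
 * walker for the SNMP message envelope. Function names and the sample
 * packets are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decode one BER tag and length at buf[*off]. On success, advances *off to
 * the first value byte, stores the tag and the value length, and returns 0.
 * Returns -1 for any malformed or truncated header: indefinite length (0x80),
 * more than 4 length octets, truncated length octets, or a value that would
 * extend beyond len. */
int ber_read_header(const uint8_t *buf, size_t len, size_t *off,
                    uint8_t *tag, size_t *vlen) {
    size_t i = *off;
    if (i + 2 > len) return -1;           /* need tag plus one length byte */
    *tag = buf[i++];
    uint8_t first = buf[i++];
    size_t l;
    if (first < 0x80) {
        l = first;                        /* short form: length is the byte */
    } else {
        size_t n = first & 0x7f;          /* long form: n length octets follow */
        if (n == 0 || n > 4) return -1;   /* indefinite, or longer than we accept */
        if (i + n > len) return -1;       /* length octets themselves truncated */
        l = 0;
        for (size_t k = 0; k < n; k++) l = (l << 8) | buf[i++];
    }
    if (l > len - i) return -1;           /* value runs past the packet */
    *off = i;
    *vlen = l;
    return 0;
}

/* Count the elements inside a SEQUENCE body. Returns the count, or -1 if any
 * header is malformed. Each element is skipped by its validated length, so a
 * hostile length can never move the cursor outside the body. */
int ber_count_elements(const uint8_t *body, size_t len) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        uint8_t tag;
        size_t vlen;
        if (ber_read_header(body, len, &off, &tag, &vlen) != 0) return -1;
        off += vlen;
        count++;
    }
    return count;
}

/* Validate the outer SNMP message: a SEQUENCE (0x30) whose declared length
 * covers exactly the remaining bytes. Returns the number of top-level fields
 * (version, community, PDU for SNMPv1) or -1 on any inconsistency. */
int snmp_check_message(const uint8_t *pkt, size_t len) {
    size_t off = 0;
    uint8_t tag;
    size_t vlen;
    if (ber_read_header(pkt, len, &off, &tag, &vlen) != 0) return -1;
    if (tag != 0x30 || off + vlen != len) return -1;
    return ber_count_elements(pkt + off, vlen);
}

/* Constructed SNMPv1 message: version 0, community "public", empty Trap-PDU. */
static const uint8_t good_msg[] = {
    0x30, 0x0d,                               /* SEQUENCE, 13 bytes follow */
    0x02, 0x01, 0x00,                         /* INTEGER version = 0 */
    0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c', /* OCTET STRING community */
    0xa4, 0x00                                /* Trap-PDU with no contents */
};

/* Same message, but the community string claims 127 bytes it does not have. */
static const uint8_t bad_len_msg[] = {
    0x30, 0x0d,
    0x02, 0x01, 0x00,
    0x04, 0x7f, 'p', 'u', 'b', 'l', 'i', 'c',
    0xa4, 0x00
};

int main(void) {
    printf("good message: %d top-level fields\n",
           snmp_check_message(good_msg, sizeof good_msg));
    printf("bad length:   %d\n",
           snmp_check_message(bad_len_msg, sizeof bad_len_msg));
    return 0;
}
```

The same header reader is reused at every nesting level (message, PDU, variable bindings), so one bounds check protects the whole parse; a decoder that validates only the outer length and trusts the inner ones is exactly the kind that a large or malformed trap can crash.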
Among the possible consequences are denial of service and allowing attackers to compromise target systems. These depend on the individual vulnerabilities in each affected product.

Microsoft has confirmed that remote attackers may execute arbitrary code on vulnerable hosts if the SNMP service is enabled. HP has confirmed that large traps will cause OpenView Network Node Manager to crash. This may be due to an exploitable buffer overflow condition. Both of these issues will soon be given individual vulnerability records and Bugtraq IDs. Updates with more information are forthcoming.

Multiple Vendor SNMP Request Handling Vulnerabilities
BugTraq ID: 4089
Remote: Yes
Date Published: Feb 12 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4089
Summary:
SNMP requests are messages sent from manager to agent systems. They typically poll the agent for current performance or configuration information, ask for the next SNMP object in a Management Information Base (MIB), or modify the configuration settings of the agent.

Multiple vulnerabilities have been discovered in a number of SNMP implementations. The vulnerabilities are known to exist in the process of decoding and interpreting SNMP request messages. Among the possible consequences are denial of service and allowing attackers to compromise target systems. These depend on the individual vulnerabilities in each affected product.

Microsoft has confirmed that remote attackers may execute arbitrary code on vulnerable hosts if the SNMP service is enabled. These issues will soon be given individual vulnerability records and Bugtraq IDs. Updates with more information are forthcoming.

MPG321 File Name ArgV Buffer Overflow Vulnerability
BugTraq ID: 4091
Remote: No
Date Published: Feb 12 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4091
Summary:
mpg321 is a freely available, open source software package for decoding and playing files encoded as mp3s. It is available for the Unix and Linux platforms.
A problem with the software package could lead to the execution of code with the privileges of the process executing the program. The problem is in the handling of file names.

When executed, mpg321 requires a file name to function. If the supplied file name is an mp3 file, it is decoded and played. mpg321 may not properly handle file names. It has been reported that a buffer overflow occurs when mpg321 is executed and excessively long file names are supplied to the program. Though mpg321 is not a setuid program, this could potentially result in a problem if mpg321 is invoked by a setuid program.

This problem makes it possible for a user to execute code through mpg321 with the privileges of the process executing mpg321.

- To post an announcement: [EMAIL PROTECTED]
