ZLib Compression Library Heap Corruption Vulnerability
BugTraq ID: 4267
Remote: Yes
Date Published: Mar 11 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4267
Summary:
The zlib compression library is reported to contain a heap corruption vulnerability. Under some circumstances, the 'free()' routine may be called twice on the same block of dynamically allocated memory. This can occur during decompression. Calling 'free()' on memory that has already been freed can produce an exploitable condition: by manipulating the layout of the heap, an attacker may be able to cause an arbitrary word in memory to be overwritten with a chosen value when 'free()' is called the second time. If critical values such as function return addresses or GOT entries are overwritten, arbitrary code may be executed.

By itself, this condition is not a vulnerability. An attacker must identify a program that is linked against the library or that uses the vulnerable code. The program must either run with elevated privileges (for example, be installed setuid) or run on a remote machine. The attacker must also locate a way to trigger the condition (for example, by supplying compressed data as input).

Several programs use zlib or vulnerable code borrowed from the library, including:
  SSH / OpenSSH
  OpenPKG
  rsync
  popt / rpm
  the Linux Kernel

GNU Fileutils Directory Removal Race Condition Vulnerability
BugTraq ID: 4266
Remote: No
Date Published: Mar 11 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4266
Summary:
GNU fileutils is a freely available, open source file management utility package maintained and distributed by the open source community. It is designed for use on the Linux operating system.

A problem with GNU fileutils could make it possible for a local user to deny service to legitimate users of the system. The problem lies in the handling of directory removal: under some circumstances, a local user may be able to cause the root directory of the system to be removed.
Due to inadequate file locking, as well as an insecure chdir call, a user can cause a process that is removing files from the /tmp directory to be moved into the root directory. The problem occurs when a directory tree with several single subdirectories exists in /tmp and the root user attempts to remove it recursively. If the tree is writable by another user, that user can move a high-level directory into /tmp after the rm program has descended the tree. The rm program then ascends from the /tmp directory to the root directory, recursively removing the contents of the root directory.

An attacker may exploit this race condition to deny service to legitimate users of the system.

Zyxel Zywall10 Denial Of Service Vulnerability
BugTraq ID: 4272
Remote: Yes
Date Published: Mar 11 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4272
Summary:
The Zywall10 is a hardware firewall appliance developed and distributed by Zyxel.

A problem in the Zywall firmware could allow remote users to deny service to legitimate users of the firewall. The problem is due to a failure in handling exceptional conditions. Under some circumstances, it may be possible to deny service to users of a Zyxel Zywall: when a spoofed ARP reply is sent to an interface on the device, carrying the IP address of the receiving interface and an arbitrary MAC address, the Zywall puts the receiving interface into the down state. Any user able to send ARP traffic to the firewall could thereby prevent it from passing traffic.

This problem makes it possible for a remote user to deny service to legitimate users of the firewall. A power cycle and a serial console connection to the firewall are required to resume normal operation.
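What the fileutils entry above describes is a path being re-resolved (an ascent through "..") after another user has rearranged part of the tree. The following is an added example, not code from GNU fileutils or from the advisory: a recursive removal in Python that works entirely through directory file descriptors and re-checks each directory's (st_dev, st_ino) identity before entering it, so a moved or swapped subdirectory cannot redirect the walk, and the return to the parent goes through a descriptor the walker already holds rather than through a path. The function names (safe_rmtree, demo) and the constructed test tree are my own.

```python
import os
import stat
import tempfile

# Added example (not fileutils code): remove a tree without ever re-resolving
# a path that has already been walked. Every operation is relative to a
# directory file descriptor, symlinks are never followed, and a directory's
# identity is re-checked between "list" and "enter".

_DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW


def _same_inode(a: os.stat_result, b: os.stat_result) -> bool:
    """True if both stat results describe the same filesystem object."""
    return (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)


def _remove_contents(dir_fd: int) -> int:
    """Remove everything inside the directory open at dir_fd; return the count removed."""
    removed = 0
    for name in os.listdir(dir_fd):
        # lstat relative to dir_fd: a symlink is reported as a symlink, never followed.
        st = os.lstat(name, dir_fd=dir_fd)
        if stat.S_ISDIR(st.st_mode):
            # O_NOFOLLOW | O_DIRECTORY makes the open fail if the name was swapped
            # for a symlink or a non-directory after the lstat above.
            child_fd = os.open(name, _DIR_FLAGS, dir_fd=dir_fd)
            try:
                if not _same_inode(os.fstat(child_fd), st):
                    raise RuntimeError(f"{name!r} changed identity during removal")
                removed += _remove_contents(child_fd)
            finally:
                os.close(child_fd)
            # Back in the parent via dir_fd, which we never let go of: no chdir("..").
            os.rmdir(name, dir_fd=dir_fd)
        else:
            # Regular files, symlinks (the link itself), sockets, and so on.
            os.unlink(name, dir_fd=dir_fd)
        removed += 1
    return removed


def safe_rmtree(path: str) -> int:
    """Recursively remove the directory at path; return the number of entries removed."""
    top_fd = os.open(path, _DIR_FLAGS)
    try:
        removed = _remove_contents(top_fd)
    finally:
        os.close(top_fd)
    os.rmdir(path)
    return removed + 1


def demo() -> dict:
    """Constructed scenario: a tree to delete, a sibling directory that must survive,
    and a symlink inside the tree that points at the sibling."""
    base = tempfile.mkdtemp(prefix="safe-rm-")
    target = os.path.join(base, "target")
    keep = os.path.join(base, "keep")
    os.makedirs(os.path.join(target, "a", "b", "c"))
    os.makedirs(keep)
    with open(os.path.join(target, "a", "b", "c", "file.txt"), "w") as fh:
        fh.write("doomed\n")
    with open(os.path.join(keep, "important.txt"), "w") as fh:
        fh.write("must survive\n")
    # A link out of the tree: it must be unlinked as a link, not entered.
    os.symlink(keep, os.path.join(target, "a", "escape"))

    removed = safe_rmtree(target)
    result = {
        "removed": removed,  # a, b, c, file.txt, escape, plus target itself
        "target_gone": not os.path.lexists(target),
        "keep_intact": os.path.exists(os.path.join(keep, "important.txt")),
    }
    os.remove(os.path.join(keep, "important.txt"))
    os.rmdir(keep)
    os.rmdir(base)
    return result


if __name__ == "__main__":
    print(demo())
```

The two properties that close the race are that nothing in the walk is addressed by a path once it has been opened, and that the object reached through the descriptor is compared against the object that was listed; the same pattern is available natively through openat(2), fstatat(2) and unlinkat(2).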
PHP FirstPost Path Disclosure Vulnerability
BugTraq ID: 4274
Remote: Yes
Date Published: Mar 12 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4274
Summary:
PHP FirstPost is a PHP weblog program with an open submission queue and a comment rating system.

It has been reported that PHP FirstPost discloses path information. When a web user requests a non-existent page, the error page served contains the absolute path to the web root on the host running the vulnerable software. This information may aid in further attacks against the host.

Black Tie Project Path Disclosure Vulnerability
BugTraq ID: 4275
Remote: Yes
Date Published: Mar 12 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4275
Summary:
Black Tie Project (BTP) is a PHP-based portal system. It is designed to be modular, allowing users to easily create and customize additional modules. BTP is a French-language project.

It has been reported that BTP discloses path information. When a web user requests a non-existent page, the error page served contains the absolute path to the web root on the host running the vulnerable software. This information may aid in further attacks against the host.

PHP ImgList Directory Traversal Vulnerability
BugTraq ID: 4276
Remote: Yes
Date Published: Mar 12 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4276
Summary:
PHP ImgList allows a user to generate a web gallery of image files.

PHP ImgList does not adequately filter '../' sequences from web requests, making it prone to directory traversal attacks. This vulnerability could be exploited to disclose effectively any file on a host running the affected software. Successful exploitation could lead to the disclosure of sensitive information, assisting an attacker in further attacks against the host.
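One way to contain a user-supplied gallery path, as an added example rather than PHP ImgList's own code: the request is resolved against the gallery root and rejected whenever the canonical path leaves that root, which catches plain and percent-encoded '../', absolute paths and symlinks with one rule instead of a string filter. The function names, the allowed-extension set and the constructed directory layout are assumptions of this example. The listing itself comes from os.scandir with no shell involved, which is also what removes the metacharacter problem in the directory.php entry that follows.

```python
import os
import shutil
import tempfile
from urllib.parse import unquote

# Added example, not PHP ImgList's code: containment is decided on the
# resolved (canonical) path, never by searching the request for "../".

ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


class TraversalError(ValueError):
    """Raised when a requested path is not a directory inside the gallery root."""


def resolve_under_root(root: str, requested: str) -> str:
    """Return the canonical filesystem path for `requested`, which must lie inside root."""
    if "\x00" in requested:
        raise TraversalError("NUL byte in path")
    # Decode percent-encoding exactly once; the containment test works on the
    # decoded, canonicalised path, so encoding tricks do not change the outcome.
    requested = unquote(requested)
    root_real = os.path.realpath(root)
    # A leading "/" is stripped so an absolute request is treated as relative to root.
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/")))
    # commonpath compares whole components; a naive startswith(root) would also
    # accept a sibling directory such as "<root>-private".
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise TraversalError(f"{requested!r} resolves outside the gallery root")
    return candidate


def list_gallery(root: str, requested: str = "") -> list:
    """List image files in a gallery subdirectory.

    The listing is produced by os.scandir, never by a shell command assembled
    from request data, so shell metacharacters in the request are inert."""
    directory = resolve_under_root(root, requested)
    if not os.path.isdir(directory):
        raise TraversalError("not a directory")
    return sorted(
        entry.name
        for entry in os.scandir(directory)
        if entry.is_file(follow_symlinks=False)
        and os.path.splitext(entry.name)[1].lower() in ALLOWED_EXTENSIONS
    )


def demo() -> dict:
    """Constructed layout: a gallery root holding one image, a symlink that
    escapes the root, and a secret file outside the root. Returns the outcome per request."""
    base = tempfile.mkdtemp(prefix="imglist-")
    root = os.path.join(base, "gallery")
    os.makedirs(os.path.join(root, "2002"))
    for name in ("2002/cat.jpg", "2002/notes.txt"):
        open(os.path.join(root, name), "w").close()
    open(os.path.join(base, "secret.txt"), "w").close()
    os.symlink(base, os.path.join(root, "escape"))

    requests = ["2002", "/2002", "../secret.txt", "%2e%2e/secret.txt",
                "escape", "../gallery-private/x.jpg", "2002; id"]
    outcomes = {}
    try:
        for req in requests:
            try:
                outcomes[req] = list_gallery(root, req)
            except TraversalError:
                outcomes[req] = "rejected"
    finally:
        shutil.rmtree(base)
    return outcomes


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:28} -> {outcome}")
```

Note that "2002; id" is rejected only because no such directory exists: since the request is never passed to a shell, the metacharacters have no meaning at all, and the same is true of any name an attacker might choose.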
Marcus Xenakis directory.php Shell Command Execution Vulnerability
BugTraq ID: 4278
Remote: Yes
Date Published: Mar 12 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4278
Summary:
The directory.php script provides a web interface for directory listings, similar to the 'ls' command.

An issue exists in this script that could allow a user to execute arbitrary shell commands. User-supplied input is not properly checked for shell metacharacters, so a maliciously constructed URL containing characters such as ';' or '|' may include additional shell commands. These commands execute with the permissions of the script process, often the non-privileged user 'nobody'.

X-Stat Path Disclosure Vulnerability
BugTraq ID: 4279
Remote: Yes
Date Published: Mar 13 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4279
Summary:
X-Stat is a freely available web traffic analyzer written in PHP. It runs on Unix and Linux variants, as well as Microsoft operating systems.

X-Stat is prone to an issue which may disclose sensitive information to remote attackers. In particular, the 'x_stat_admin.php' script reveals sensitive path information in the error page generated by an erroneous web request. Such information may be used by a remote attacker to gather information about the host running the vulnerable software, which may lead to further attacks.

X-Stat PHPInfo Information Disclosure Vulnerability
BugTraq ID: 4280
Remote: Yes
Date Published: Mar 13 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4280
Summary:
X-Stat is a freely available web traffic analyzer written in PHP. It runs on Unix and Linux variants, as well as Microsoft operating systems.

X-Stat discloses sensitive information about the environment of the host running the vulnerable software. In particular, the 'x_stat_admin.php' script includes a 'phpinfo' action which, when called, reveals a great deal of sensitive information about the host's environment.
A remote attacker may obtain this information by making a specially crafted web request. Information gathered in this manner may aid the attacker in further attempts to compromise the host running the vulnerable software.

X-Stat Cross-Site Scripting Vulnerability
BugTraq ID: 4281
Remote: Yes
Date Published: Mar 13 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4281
Summary:
X-Stat is a freely available web traffic analyzer written in PHP. It runs on Unix and Linux variants, as well as Microsoft operating systems.

X-Stat fails to properly filter HTML tags from URL parameters, making it prone to cross-site scripting attacks. In particular, this is a problem with the 'x_stat_admin.php' script. A remote attacker may create a link containing malicious script code; when a web user clicks this link, the script code executes in the user's browser in the context of the site running the vulnerable software. Successful exploitation may enable an attacker to steal cookie-based authentication credentials from a legitimate user of the software.

X-News Insecure User Database Permissions Vulnerability
BugTraq ID: 4283
Remote: No
Date Published: Mar 13 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4283
Summary:
X-News is a news management system written in PHP. It uses a flat-file database to store information and runs on most Unix and Linux variants, as well as Microsoft Windows operating systems.

An issue has been discovered which may allow an attacker with local access to the host to gain unauthorized access to the administrative account of the X-News service. X-News stores user IDs and MD5 hashes in a world-readable file (db/users.txt). This is the same information that X-News issues as cookie-based authentication credentials. An attacker may incorporate this information into cookies and submit them to gain unauthorized access to the X-News administrative account.
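Two defences for the X-News issue above, as an added example that is not X-News code: the user database is created with mode 0600 from the moment it exists, so other local users cannot read it, and a login issues a random server-side session token instead of placing the stored MD5 hash in the cookie, so a copied hash is useless as a cookie even if the file does leak. The names (SessionStore, create_private_file, world_readable) and the constructed credential record are assumptions of the example.

```python
import hashlib
import os
import secrets
import stat
import tempfile

# Added example, not X-News code: keep the credential file private, and make
# the cookie carry a random session token rather than the stored hash.


def world_readable(path: str) -> bool:
    """True if the file's mode grants read access to group or other."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def create_private_file(path: str, content: str) -> None:
    """Create the file with mode 0600 atomically (O_EXCL refuses a pre-existing file)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)


class SessionStore:
    """Maps session tokens to users. Only a SHA-256 fingerprint of each token is
    kept server-side, so even a leaked session table does not yield live cookies."""

    def __init__(self) -> None:
        self._by_fingerprint: dict = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_fingerprint[self._fingerprint(token)] = user
        return token

    def user_for(self, cookie_value: str):
        """Resolve a cookie value to a user, or None if it is not a live token."""
        return self._by_fingerprint.get(self._fingerprint(cookie_value))


def demo() -> dict:
    """Constructed scenario: one private and one world-readable credential file,
    then a login whose cookie is a session token rather than the stored hash."""
    base = tempfile.mkdtemp(prefix="xnews-")
    # Constructed credential record; the hash is of a made-up password.
    pw_hash = hashlib.md5(b"constructed-password").hexdigest()
    private = os.path.join(base, "users.txt")
    create_private_file(private, f"admin:{pw_hash}\n")
    # The same record written the careless way and left world-readable.
    leaky = os.path.join(base, "users_leaky.txt")
    with open(leaky, "w") as fh:
        fh.write(f"admin:{pw_hash}\n")
    os.chmod(leaky, 0o644)

    store = SessionStore()
    token = store.issue("admin")
    result = {
        "private_world_readable": world_readable(private),
        "leaky_world_readable": world_readable(leaky),
        "token_logs_in": store.user_for(token) == "admin",
        "stored_hash_as_cookie": store.user_for(pw_hash),       # None: hash is not a session
        "guessed_token": store.user_for(secrets.token_urlsafe(32)),  # None: not issued
    }
    os.remove(private)
    os.remove(leaky)
    os.rmdir(base)
    return result


if __name__ == "__main__":
    print(demo())
```

The permission check looks at mode bits rather than attempting a read, so it gives the same answer whether the audit runs as root or as an unprivileged user; in a deployment the same check belongs in a startup self-test that refuses to serve while the credential file is readable by others.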
PHPProjekt Remote File Include Vulnerability
BugTraq ID: 4284
Remote: Yes
Date Published: Mar 13 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4284
Summary:
PHPProjekt is a freely available, open source PHP groupware package, actively maintained by the PHPProjekt Development Team. It runs on most Linux and Unix variants, in addition to Microsoft Windows operating systems.

PHPProjekt is prone to an issue which may allow an attacker to include arbitrary files located on a remote server. In particular, the 'lib_path' variable in the 'filemanager_forms.php' script defines the path to the configuration file. Under some configurations, an attacker can supply an arbitrary value for the location of the configuration file that points to a file on a remote server. If the included file is a PHP script, this may allow execution of arbitrary attacker-supplied code.

Successful exploitation depends partly on the configuration of PHP on the host running the vulnerable software. If 'allow_url_fopen' is set to 'off', exploitation of this issue may be limited.

RSync Daemon Mode Supplementary Group Privilege Vulnerability
BugTraq ID: 4285
Remote: Yes
Date Published: Mar 13 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4285
Summary:
The rsync program is used to synchronize files and directory structures across a network. It is commonly used to maintain mirrors of ftp sites, often through anonymous access to the rsync server. It is available for Linux and other Unix operating systems. rsync is usually configured to run as the root user.

A problem has been discovered in rsync which may create a security vulnerability. Under some circumstances, rsync fails to drop privileges for supplementary groups after it has been started. This is particularly the case when rsync is run from the command line in daemon mode, causing the process to inherit the supplementary groups of the user that started it.
In such cases, rsync does not properly drop privileges.

Oracle 9iAS Apache PL/SQL Module Web Administration Access Vulnerability
BugTraq ID: 4292
Remote: Yes
Date Published: Mar 15 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4292
Summary:
The Oracle 9iAS web service is powered by the Apache web server, which includes an Apache module for PL/SQL support. Administrative web pages associated with this server allow a web user to modify Database Access Descriptors (DADs) and cache settings. By default, no authentication is required to access these administrative pages, so any attacker able to reach the page may perform these administrative functions.

The ability to modify DAD settings may allow an attacker to access or modify PL/SQL applications, or to deny service to legitimate users. Access to the administrative pages may also allow an attacker to exploit other vulnerabilities in the administrative functions; exploitation of the buffer overflow issues detailed in BID 4032 may allow execution of arbitrary code.

[ and also other Oracle bugs this week that are not related to OSS software ]

Qualcomm QPopper Remote Denial of Service Vulnerability
BugTraq ID: 4295
Remote: Yes
Date Published: Mar 15 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4295
Summary:
Qualcomm's QPopper is a POP3 mail server for Linux and Unix based systems. Recent versions of QPopper have been released as open source projects.

A vulnerability has been reported in some versions of qpopper. When a connection is initiated, a client may send a long stream of arbitrary data to the qpopper process. In some cases, a string of over 2048 characters will cause a denial of service condition. It has been reported that this causes the qpopper process to cease responding and consume all available CPU. The server may have to be manually killed and restarted in order to regain normal functionality.
It may be possible to exploit this vulnerability to execute arbitrary code. This has not, however, been confirmed.

- To post an announcement: [EMAIL PROTECTED]
