[ SecurityFocus's quality is degrading with its commercialization ]

PostNuke Cross Site Scripting Vulnerability
BugTraq ID: 4350
Remote: Yes
Date Published: Mar 22 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4350
Summary:
PostNuke is a content management system originally forked from the PHP-Nuke project. It is implemented in PHP, and available for Windows, Linux and other Unix-based systems.

Cross-site scripting vulnerabilities have been reported in some versions of PostNuke. User-supplied input may be inserted into the HTML produced by both the index.php and modules.php scripts. The injected script will then execute within the context of the vulnerable site. Exploitation of this vulnerability may result in the theft of cookie data and, with it, session authentication data. More subtle attacks such as information subversion may also be attempted.

The reported consequences of exploitation suggest that this vulnerability may be the result of a SQL injection problem. This has, however, not been confirmed. Additionally, exploitation of this vulnerability may be related to web-based error reporting, as controlled by the local PHP configuration. This is also unconfirmed at this time.

Webmin Plaintext Authentication Credentials Disclosure Vulnerability
BugTraq ID: 4351
Remote: No
Date Published: Mar 22 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4351
Summary:
Webmin is a web-based interface for system administration of Unix and Linux operating systems.

A vulnerability has been discovered that may potentially cause authentication credentials for remote Webmin servers to be disclosed to a local attacker. It has been reported that authentication credentials for remote servers are stored in plaintext by Webmin. These credentials are stored in the '/etc/webmin/servers/' directory. The filename associated with each host is derived from the system time at the point when the host was first discovered by the local Webmin server. Though the directory is unreadable, the execute bit is enabled. The consistent naming based on system time allows an attacker to search for existing files.
A clever attacker may exploit this to disclose authentication credentials for remote hosts on the network which are running Webmin.

Linux Directory Penguin NSLookup Perl Script Arbitrary File Reading Vulnerability
BugTraq ID: 4353
Remote: Yes
Date Published: Mar 23 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4353
Summary:
Penguin nslookup.pl is a freely available, open source script for tracing network hops from a web server. It is distributed by Linux Directory.

A problem with the script could make it possible for a remote user to view arbitrary files and execute arbitrary commands. The problem is in the filtering of special characters. The Penguin nslookup script does not adequately filter special characters. This makes it possible for a remote user to access specific files on the local system. The attacker may read files that are accessible by the web server. Additionally, the attacker may be able to execute arbitrary commands with the permissions of the web server by encapsulating commands in special characters.

This problem makes it possible for a remote user to gain access to potentially sensitive information, and potentially local access to the system with the permissions of the web server.

Alguest Cookie Falsification Vulnerability
BugTraq ID: 4355
Remote: Yes
Date Published: Mar 24 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4355
Summary:
Alguest is a guestbook program, written in PHP and backed by a MySQL database. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

Alguest allows administrators to authenticate via cookie-based authentication credentials. However, Alguest administrative cookies are not properly checked for administrative rights (via a shared secret, credentials such as username/password, etc.). Alguest only checks that an administrative cookie exists. As a result, it is trivial for a remote attacker to falsify an administrative cookie.
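The Alguest entry describes the general flaw of treating the mere presence of an "admin" cookie as proof of administrative rights. The following is an added illustration, not Alguest's code and not from the advisory: it places that presence-only check next to a hardened check that binds the cookie to a username with an HMAC under a server-side secret and then consults an allow-list of administrators. The cookie name "admin", the `username:tag` layout and the secret are assumptions made for the example.

```python
import hmac
import hashlib
import secrets

# Server-side secret. In a real deployment this is read from configuration;
# it is generated here only so that the example runs stand-alone.
SERVER_SECRET = secrets.token_bytes(32)


def is_admin_weak(cookies):
    """Presence-only check in the style the advisory describes: any value in
    the "admin" cookie is accepted as proof of administrative rights."""
    return "admin" in cookies


def make_admin_cookie(username, secret=SERVER_SECRET):
    """Issue an "admin" cookie of the form username:tag, where tag is an
    HMAC-SHA256 over the username under the server secret."""
    tag = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{tag}"


def is_admin_strong(cookies, admins, secret=SERVER_SECRET):
    """Hardened check: the cookie must carry a tag the server itself produced
    for that username, and the username must be on the admin allow-list."""
    value = cookies.get("admin")
    if not value or ":" not in value:
        return False
    username, tag = value.rsplit(":", 1)
    expected = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes so a forged tag leaks no timing signal.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    return username in admins


if __name__ == "__main__":
    forged = {"admin": "1"}  # constructed: what a forged cookie looks like
    print("weak check accepts forged cookie:", is_admin_weak(forged))
    print("strong check accepts forged cookie:", is_admin_strong(forged, {"alice"}))
    print("strong check accepts issued cookie:",
          is_admin_strong({"admin": make_admin_cookie("alice")}, {"alice"}))
```

The weak check returns True for any cookie value, which is exactly why forgery is trivial; the strong check fails for a missing tag, a tag made under a different secret, or a valid tag for a user who is not an administrator.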
Apache Double-Reverse Lookup Log Entry Spoofing Vulnerability
BugTraq ID: 4358
Remote: Yes
Date Published: Mar 25 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4358
Summary:
Apache is a freely available webserver for Unix and Linux variants, as well as Microsoft operating systems.

A vulnerability has been discovered in the way Apache logs double-reverse DNS lookups. This may cause Apache to log invalid hostname information. A double-reverse DNS lookup is a security measure where an IP address is translated to a hostname and then the hostname is translated back to the IP address. If a double-reverse DNS lookup is performed but fails, then an invalid hostname may appear in the logs. For example, this may occur if the hostname does not properly resolve to the IP address in the double-reverse DNS lookup. This problem occurs because Apache logs the (potentially falsified) hostname instead of the numeric IP address.

A remote attacker may deliberately exploit this issue to cause spoofed information to be logged by the webserver.

Instant Web Mail POP Command Execution Vulnerability
BugTraq ID: 4361
Remote: Yes
Date Published: Mar 23 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4361
Summary:
Instant Web Mail is a free, web-based POP email client. It is implemented in PHP, and can be expected to run under Windows, Linux and most Unix systems.

A vulnerability has been reported in some versions of Instant Web Mail. An attacker may create links to vulnerable scripts including arbitrary POP commands, and send an email including these links to a user of the system. If the link is followed, the command will be executed. This may result in lost email or more subtle attacks.

In addition, Instant Web Mail allows the inclusion of additional POP commands. This is possible when CR/LF characters are included in attacker-supplied data used to build the expected POP commands.
This may allow the above attack to pass undetected, as the results will not be immediately displayed to the vulnerable user.

Squid Compressed DNS Buffer Overflow Vulnerability
BugTraq ID: 4363
Remote: Yes
Date Published: Mar 26 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4363
Summary:
Squid is a high performance web cache and proxy. Squid was initially developed for the Unix platform, and is available for Linux and most major Unix-like operating systems. Recent versions of Squid may function under Windows.

A boundary condition error exists in the internal DNS implementation included with the Squid web proxy. If a malicious DNS server returns a malformed compressed DNS answer message, Squid may exit with a SIGSEGV error. There have been reports that this vulnerability is the result of heap memory corruption. Successful exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on the vulnerable system. This possibility has not yet been confirmed.

Internal DNS queries are enabled by default.

ht://Dig Configuration File Path Disclosure Vulnerability
BugTraq ID: 4366
Remote: Yes
Date Published: Mar 26 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4366
Summary:
ht://Dig is a freely available, open source search engine. It is developed and maintained by the ht://Dig project, and functions on the Unix and Linux operating systems.

A problem with ht://Dig could make it possible for a local user to gain access to potentially sensitive information. The problem is in the generation of error messages. An error page will be returned when a request is made via the htsearch component and the value for the 'config' variable is erroneous or nonsensical. The error page will contain the full path of the configuration file directory for ht://Dig. Additionally, the 'config' variable being accessible by any user may allow the ht://Dig program to load arbitrary files as configuration.
The problem makes it possible for a remote user to gain knowledge of the directory structure and the ht://Dig configuration file directory. It may additionally result in the loading of arbitrary ht://Dig configuration files.

Etnus TotalView Insecure UID/GID Privilege Escalation Vulnerability
BugTraq ID: 4365
Remote: No
Date Published: Mar 26 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4365
Summary:
TotalView is a debugger for programs written in C, C++, and Fortran. It is maintained by Etnus and is available for a number of Linux and Unix variants.

A flaw in the installation of TotalView may circumstantially enable a local attacker to elevate privileges on the host running the vulnerable software. TotalView, when installed, fails to create a number of files and directories with the correct UID/GID. These files/directories are created with write permissions for UID 5039/GID 59. Normally, these files and directories would be created with a UID/GID of root. A local attacker who has access to an account with UID 5039 or GID 59 may be able to backdoor the affected files, which will result in an elevation of privileges when the affected files are executed through TotalView by the root user.

This vulnerability has been reported for version 5.0.0-4 on the Linux platform. Other versions/platforms may also be affected.

Linux Kernel d_path() Path Truncation Vulnerability
BugTraq ID: 4367
Remote: No
Date Published: Mar 26 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4367
Summary:
The Linux kernel d_path() function converts a dentry structure into an ASCII path name. The full path to the specified dentry is returned in a fixed-length buffer of size PAGE_SIZE bytes. Reportedly, if a dentry structure is passed with a path which exceeds this length, an erroneous value is returned. The path which is returned has leading entries truncated, and no error is reported.
Multiple higher-level functions are dependent on d_path(), including getcwd(2) and readlink(2). As such, exploitation of this vulnerability may have security implications in programs that use these functions. Under some circumstances, a privileged process may perform operations within an inappropriate directory, possibly on incorrect files. This may result in application-specific security checks failing.

CSSearch Remote Command Execution Vulnerability
BugTraq ID: 4368
Remote: Yes
Date Published: Mar 26 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4368
Summary:
csSearch is a website search script, written in Perl. It will run on most Unix and Linux variants, as well as Microsoft operating systems.

csSearch is prone to an issue which may enable an attacker to execute Perl code with the privileges of the webserver process. It is possible to craft a web request which is capable of passing arbitrary data to the configuration script, including attacker-supplied Perl code. Perl code passed in this manner will be interpreted by the vulnerable script, effectively allowing a remote attacker to execute arbitrary Perl code with the privileges of the webserver process.

For exploitation to be successful, the attacker must pass properly URL-encoded Perl code in CGI parameters via a web request. For example:

http://host/cgi-bin/csSearch.cgi?command=savesetup&setup=PERL_CODE_HERE

This issue may enable a remote attacker to gain local, interactive access to the host running the vulnerable software.

- To post an announcement: [EMAIL PROTECTED]
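The Apache entry above (BugTraq ID 4358) turns on one point: a double-reverse lookup that fails must not leave the unconfirmed PTR name in the log, because the owner of the address block controls that name. The following is an added example of the safe logging rule, written for this digest and not taken from Apache or from the advisory: it performs the forward-confirmed reverse lookup over a constructed, in-memory resolver and falls back to the numeric address whenever the confirmation fails. The record tables, the function names and the log line layout are assumptions made for the example.

```python
import ipaddress

# Constructed resolver data standing in for DNS. PTR (reverse) records map an
# address to a name; A (forward) records map a name back to addresses. These
# values are invented for the example.
REVERSE = {
    "192.0.2.10": "host.example.net",     # forward record confirms this name
    "192.0.2.20": "www.victim.example",   # forward record points elsewhere
    "192.0.2.30": "no-forward.example",   # no forward record at all
}
FORWARD = {
    "host.example.net": ["192.0.2.10"],
    "www.victim.example": ["198.51.100.5"],
}


def double_reverse_lookup(ip, reverse=REVERSE, forward=FORWARD):
    """Forward-confirmed reverse DNS: IP -> name -> IPs. The name counts as
    confirmed only if the original IP is among the forward answers. Returns
    the confirmed name, or None when any step fails."""
    name = reverse.get(ip)
    if name is None:
        return None
    if ip in forward.get(name, []):
        return name
    return None


def client_for_log(ip, reverse=REVERSE, forward=FORWARD):
    """The client field to write in the access log: the confirmed hostname if
    the double-reverse check passed, otherwise the numeric address. The
    unconfirmed PTR name is never logged."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    name = double_reverse_lookup(ip, reverse, forward)
    return name if name is not None else ip


def format_access_line(ip, request, status, reverse=REVERSE, forward=FORWARD):
    """Common-log-style line built from the verified client field."""
    client = client_for_log(ip, reverse, forward)
    return f'{client} - - "{request}" {status}'


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "203.0.113.9"):
        print(format_access_line(addr, "GET / HTTP/1.0", 200))
```

Only 192.0.2.10 is logged by name; the address whose PTR name resolves elsewhere, the one with no forward record, and the one with no PTR record at all are all logged as numeric addresses, so a spoofed reverse record cannot plant a chosen hostname in the log.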
