Apache Tomcat System Path Information Disclosure Vulnerability
BugTraq ID: 4557
Remote: Yes
Date Published: Apr 19 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4557
Summary:
Apache Tomcat does not properly handle malformed requests for .jsp files. As a result, an attacker can obtain potentially sensitive information about the server: a malformed request produces an error message that contains the absolute filesystem path of the web root. Requests reported to cause the condition:

http://target/+/file.jsp
http://target/>/file.jsp
http://target/</file.jsp
http://target/%20/file.jsp

Knowledge of path information could assist an attacker in further attacks against the host. This issue may be related to the issue discussed in BID 3199.

OpenSSH Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
BugTraq ID: 4560
Remote: Yes
Date Published: Apr 19 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4560
Summary:
A buffer overflow condition exists in the OpenSSH server. In versions 2.9.9 and higher the condition is exploitable only by attackers with valid user credentials; in versions prior to 2.9.9 exploitation does not require valid user credentials. The vulnerability is related to the handling of Kerberos 4 TGTs and AFS tokens passed by the client: the overflow may occur when client data is written into an internal credentials structure. The offending code is an unsafe string copy operation, and the overflow occurs on the stack. Successful exploitation may allow attackers to obtain root privileges on the affected server.

Note: this vulnerability does not affect default installations of OpenSSH. It is present only when the server is configured to use Kerberos 4 or AFS.

Faq-O-Matic Cross Site Scripting Vulnerability
BugTraq ID: 4565
Remote: Yes
Date Published: Apr 20 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4565
Summary:
Faq-O-Matic is a web-based Frequently Asked Question (FAQ) management system; versions 2.711 and 2.712 are affected.
It is vulnerable to a cross site scripting issue arising from a failure to filter HTML or script from a malformed query: the submitted script is returned in an error message, which the browser then renders. This is done by submitting the script as an argument to the Faq-O-Matic component "fom.cgi", specifically in the "file" parameter. Since this is an invalid argument, fom.cgi returns an error message containing the script or HTML, and the browser processes it as though it originated from the website hosting Faq-O-Matic.

BSD exec C Library Standard I/O File Descriptor Closure Vulnerability
BugTraq ID: 4568
Remote: No
Date Published: Apr 22 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4568
Summary:
It has been reported that BSD-based kernels do not check that the C library standard I/O file descriptors 0-2 are valid open files before exec()ing setuid images. Consequently, I/O channels opened by a setuid process may be assigned the file descriptors that the C library defines as standard input, standard output and standard error. When a file descriptor is assigned, the lowest numerical value that is not already open is used, so if a process closes 0-2 before executing a setuid image, those descriptors go to the first I/O resources the image opens or creates.

If a sensitive I/O channel opened by a setuid/setgid process is assigned a standard I/O file descriptor, untrusted data may be written to that channel by C library functions, because standard output and standard error are fixed (by preprocessor definition) to descriptors 1 and 2. Data may also be read from the resource that landed on the standard input descriptor (and then output, depending on the application). Exploitation and consequence depend on the particular setuid/setgid application. It has been confirmed that local attackers can gain root privileges through some utilities.
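The descriptor-numbering problem above is easy to reproduce in userland. The following is an added example in C, not code from the advisory or from any BSD kernel: a child process plays the role of a setuid program whose "stderr" was closed by its caller, opens a sensitive file (a constructed temporary file under /tmp stands in for it), and then writes an error message containing a constructed UNTRUSTED string to descriptor 2. It also shows the usual mitigation, re-opening any closed descriptor 0-2 on /dev/null before the program opens anything else, which is the same idea the kernel-side fixes apply on exec of a setuid image. Function names, the file path and the UNTRUSTED string are assumptions for the illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for an argv element or environment variable that
 * the privileged program later echoes into an error message. */
#define UNTRUSTED "attacker-controlled text"

/*
 * Mitigation: for each of descriptors 0, 1 and 2 that is not open, open
 * /dev/null so that it occupies the slot. Afterwards the lowest free
 * descriptor is 3 or higher, so nothing the program opens later can be
 * mistaken for stdin, stdout or stderr.
 */
int ensure_std_fds(void)
{
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                                   /* already open */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {                                /* slot taken meanwhile */
            if (dup2(nfd, fd) == -1)
                return -1;
            close(nfd);
        }
    }
    return 0;
}

/*
 * Simulates the attack in a child process so the caller keeps its own
 * stdio: the "attacker" closes stderr before exec; the "privileged
 * program" opens a sensitive file (a temporary file stands in for it),
 * then writes an error message containing untrusted input to stderr.
 * Returns 1 if the untrusted text ended up inside the sensitive file,
 * 0 if it did not, -1 on a setup failure.
 */
int untrusted_text_reaches_file(int sanitise)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/stdio-fd-demo-%ld", (long)getpid());
    int tfd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (tfd == -1)
        return -1;
    close(tfd);

    pid_t pid = fork();
    if (pid == -1) {
        unlink(path);
        return -1;
    }
    if (pid == 0) {
        if (ensure_std_fds() != 0)          /* deterministic start: 0, 1, 2 open */
            _exit(2);
        close(STDERR_FILENO);               /* attacker: close 2, then exec */
        if (sanitise && ensure_std_fds() != 0)
            _exit(2);                       /* fixed program: 2 re-opened on /dev/null */
        int sfd = open(path, O_WRONLY | O_TRUNC);   /* privileged program: sensitive file */
        if (sfd == -1)                      /* without the fix this returns 2 */
            _exit(2);
        char msg[128];
        int len = snprintf(msg, sizeof msg, "invalid option: %s\n", UNTRUSTED);
        if (len > 0 && write(STDERR_FILENO, msg, (size_t)len) < 0)
            _exit(3);                       /* with the fix this goes to /dev/null */
        _exit(0);
    }

    int status = 0, found = -1;
    if (waitpid(pid, &status, 0) != -1 && WIFEXITED(status) && WEXITSTATUS(status) == 0) {
        char buf[256] = {0};
        int rfd = open(path, O_RDONLY);
        if (rfd != -1) {
            ssize_t n = read(rfd, buf, sizeof buf - 1);
            close(rfd);
            found = (n > 0 && strstr(buf, UNTRUSTED) != NULL) ? 1 : 0;
        }
    }
    unlink(path);
    return found;
}

int main(void)
{
    printf("without fix, untrusted text written into sensitive file: %d\n",
           untrusted_text_reaches_file(0));
    printf("with fix,    untrusted text written into sensitive file: %d\n",
           untrusted_text_reaches_file(1));
    return 0;
}
```

Without the fix the sensitive open() returns 2 and the error message lands in the file; with ensure_std_fds() run first it returns 3 and the message goes to /dev/null. A privileged program cannot rely on its caller, so the check belongs at the very start of main(), before any file, socket or pipe is opened.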
SLRNPull Spool Directory Command Line Parameter Buffer Overflow Vulnerability
BugTraq ID: 4569
Remote: No
Date Published: Apr 22 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4569
Summary:
SLRN is a freely available, open source news reader, developed and maintained by the SLRN project for various operating systems. This problem affects the UNIX and Linux implementation and may allow a local user to gain elevated privileges. The problem is in the handling of long spool directory names: due to a boundary condition error, a buffer overflow exists in the slrnpull program, included as part of the slrn package. When slrnpull is executed with the -d flag and a spool directory name longer than 4091 bytes, the overflow overwrites process memory, including the return address. A default build from source installs slrnpull without special privileges, but some operating systems ship slrnpull setuid or setgid. Where it is installed with such privileges, a local user could exploit this overflow to execute user-supplied instructions and gain elevated privileges.

PsyBNC Oversized Passwords Denial Of Service Vulnerability
BugTraq ID: 4570
Remote: Yes
Date Published: Apr 22 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4570
Summary:
PsyBNC is a freely available, open source IRC bouncer for the UNIX and Linux operating systems. A problem in PsyBNC's handling of long passwords could lead to a denial of service. Upon connection to a vulnerable system, if a user sends a password of 9000 or more characters and then disconnects, the server process does not exit; instead it continues to run and consume a large amount of resources.
This could allow a user to launch several connections, each sending a long password to the PsyBNC server, and tie up large amounts of system resources. This could result in a crash of the PsyBNC server process and potentially of the host running it.

vqServer CGI Demo Program Script Injection Vulnerability
BugTraq ID: 4573
Remote: Yes
Date Published: Apr 21 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4573
Summary:
vqServer is an HTTP server implemented in Java and is available on any architecture supporting Java, including Linux and Microsoft Windows. vqServer supports a variety of CGI mechanisms, including Perl scripts, executables and servlets, and ships a number of demonstration programs for these methods. Issues have been reported with multiple scripts included with vqServer. Reportedly, it is possible to inject JavaScript code through these programs. In addition to cross site scripting issues, it has been reported possible to inject script code into cookie content. Exploitation of these sample programs may allow an attacker to execute script code in the context of the site hosted by vqServer.

Apache Tomcat Servlet Path Disclosure Vulnerability
BugTraq ID: 4575
Remote: Yes
Date Published: Apr 23 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4575
Summary:
Apache Tomcat is a servlet container for use with the Java Servlet and JavaServer Pages technologies. Tomcat may be run on most Unix and Linux variants as well as Microsoft Windows operating systems. A problem in the default installation of Apache Tomcat may disclose sensitive information to remote attackers. Apache Tomcat ships with a number of example classes (SnoopServlet and TroubleShooter) which may reveal the absolute path of the Tomcat installation when requested via HTTP. These classes are included as examples for developers and are not intended for production environments.
This information gives the attacker an idea of the filesystem layout on the host running Apache Tomcat. Disclosure of this type of information may aid further attacks against the host running the vulnerable software.

CGIScript.NET csMailto Hidden Form Field Remote Command Execution Vulnerability
BugTraq ID: 4579
Remote: Yes
Date Published: Apr 23 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4579
Summary:
CGIScript.NET csMailto is a Perl script designed to support multiple mailto: forms. A vulnerability has been reported in some versions of this script. Reportedly, configuration values used by the script are carried in hidden form fields, so a remote attacker may trivially modify them between script invocations. This is reported to have a number of consequences, including executing arbitrary code on the vulnerable server, downloading arbitrary files, gaining administrative access to the script, and using the script as an open mail relay. Reportedly csMailto attempts to use the HTTP Referer header as a security measure; unfortunately that header is also under the complete control of the client, and it is trivial to supply an arbitrary value.

GNU Screen Braille Module Buffer Overflow Vulnerability
BugTraq ID: 4578
Remote: No
Date Published: Apr 23 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4578
Summary:
Screen is a freely available, open source terminal management package, distributed and maintained by the Free Software Foundation for the Unix and Linux platforms. A problem with screen may allow a local user to gain elevated privileges. The problem is in the handling of long strings of input: under some circumstances, a local user may be able to take advantage of a buffer overflow in screen.
Due to insufficient bounds checking in the braille module of screen, a local user can pass long strings of data to the screen program, resulting in an overflow and the overwriting of process memory, which could lead to the execution of arbitrary code. As screen is typically installed setuid root, any user-supplied code would execute as root. The problem may be exploited by placing the exploit code in a screenrc file and loading that file with screen's -c flag. Earlier versions of the software may also be affected.

Mosix Malformed Packet Handling Denial Of Service Vulnerability
BugTraq ID: 4580
Remote: Yes
Date Published: Apr 23 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4580
Summary:
Mosix is a parallel processing software package for the Linux operating system. A problem in Mosix's handling of malformed packets could let a user deny service to cluster processes. It has been reported that Mosix does not properly handle certain maliciously constructed packets; when they are received, Mosix may react unpredictably or become unstable. The precise nature of the crash-inducing packets is not known. This vulnerability also reportedly affects Open-Mosix. Successful exploitation may cause a failure of the process, resulting in a denial of service.

Mosix ClumpOS Blank Default VNC Password Vulnerability
BugTraq ID: 4581
Remote: Yes
Date Published: Apr 23 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4581
Summary:
ClumpOS is a CD-based Linux and Mosix distribution, maintained and distributed by the Mosix project. A problem with ClumpOS could allow unauthorized administrative access to a vulnerable system. The problem lies in how passwords are set: ClumpOS does not prompt the user to set a VNC password at installation and instead leaves the default VNC password blank.
This could allow remote root access to the system.
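The OpenSSH (BID 4560), slrnpull (BID 4569) and screen (BID 4578) entries above describe the same bug class: caller-controlled string data copied without a length check into a fixed-size buffer, on the stack or inside a structure. The following is an added example in C and is not code from OpenSSH, slrn or GNU screen; it shows the vulnerable pattern next to a bounded version that refuses input it cannot hold, using slrnpull's "-d <dir>" option as the shape of the interface. The buffer size SPOOL_MAX, the struct layout and all function names are assumptions for the illustration; the advisory gives only the 4091-byte trigger length.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SPOOL_MAX 4096   /* assumed buffer size; the advisory only gives the >4091-byte trigger */

struct spool_config {
    char dir[SPOOL_MAX];          /* destination of the -d argument */
    int  port;                    /* neighbouring field an overflow clobbers first */
};

/* Vulnerable pattern (illustrative, not slrnpull's code): strcpy() copies
 * until the NUL terminator, so an argument longer than SPOOL_MAX - 1 bytes
 * runs past dir[] into port and, for a struct on the stack, over the saved
 * registers and the return address. Kept only to show the pattern; never
 * call it with untrusted input. */
void set_spool_dir_unsafe(struct spool_config *cfg, const char *arg)
{
    strcpy(cfg->dir, arg);
}

/* Bounded length: scans at most `max` bytes, so an unterminated input
 * cannot make the check itself read past the argument. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened: measure first, refuse anything that does not fit together with
 * its terminator, then copy exactly that many bytes. */
int set_spool_dir_safe(struct spool_config *cfg, const char *arg)
{
    size_t n = bounded_len(arg, sizeof cfg->dir);
    if (n == sizeof cfg->dir)
        return -1;                 /* too long: no room for the NUL */
    memcpy(cfg->dir, arg, n + 1);
    return 0;
}

/* Stand-in for slrnpull-style handling of "-d <dir>" on the command line.
 * Returns 0 on success, -1 if the option is missing, lacks a value or its
 * value is too long. */
int parse_spool_option(struct spool_config *cfg, int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-d") == 0) {
            if (i + 1 >= argc)
                return -1;
            return set_spool_dir_safe(cfg, argv[i + 1]);
        }
    }
    return -1;
}

/* Experiment helper: feeds a directory name of `len` 'A's through the safe
 * setter and reports its result (0 accepted, -1 rejected). */
int safe_copy_result(size_t len)
{
    char *arg = malloc(len + 1);
    if (arg == NULL)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    struct spool_config cfg = { .dir = "", .port = 119 };
    int rc = set_spool_dir_safe(&cfg, arg);
    free(arg);
    return rc;
}

int main(int argc, char **argv)
{
    struct spool_config cfg = { .dir = "", .port = 119 };
    if (parse_spool_option(&cfg, argc, argv) != 0) {
        fprintf(stderr, "usage: %s -d <spool dir> (at most %d bytes)\n",
                argv[0], SPOOL_MAX - 1);
        return 1;
    }
    printf("spool dir: %s (port %d)\n", cfg.dir, cfg.port);
    return 0;
}
```

The safe setter rejects a 4096-byte name and accepts a 4095-byte one, and the neighbouring port field is untouched either way. Note that swapping strcpy() for strncpy() alone is not a fix: strncpy() does not NUL-terminate a string that fills the buffer, which turns an overflow into a later over-read. Measuring and refusing, as above, keeps the length decision explicit.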
