Re: Password Hole Found In Webshots

2002-12-12 Thread Ian Nguyen
Confirmed. As it is, I don't think Webshots offers much in the way of
securing a user's desktop even though it has the password protection
feature.  But it is just that, a screensaver, which just displays pretty
images.

I think what Brian is trying to say here is if you want to lock your
desktop, use Windows' Ctrl+Alt+Del function instead.

Ian

- Original Message -
From: "Brian Carpenter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 13, 2002 5:33 AM
Subject: Password Hole Found In Webshots


> I have discovered a hole in the Webshots screensaver program. On either
> a Win2K or XP machine that has it installed you can bypass the password
> on the screen saver by pressing Ctrl+Alt+Del, which brings up the Windows
> box that contains logout, lock computer, shutdown etc. Then you will hit
> cancel and boom, you are at the desktop with all the permissions the
> previous user had. If you have Windows password locking the screen saver
> you are able to Ctrl+Alt+Del and then go to Task Manager and end the
> screen saver, thus bringing you back to the desktop.
>
> This works with both Webshots password set up and the Windows password
> setup on the computer. As long as Webshots is used the hole is there.




[SECURITY] [DSA-210-1] lynx CRLF injection

2002-12-12 Thread Wichert Akkerman
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-210-1   [EMAIL PROTECTED]
http://www.debian.org/security/ Wichert Akkerman
December 13, 2002
- --------------------------------------------------------------------------


Package: lynx, lynx-ssl
Problem type   : CRLF injection
Debian-specific: no

lynx (a text-only web browser) did not properly check for illegal
characters in all places, including processing of command line options,
which could be used to insert extra HTTP headers in a request.

For Debian GNU/Linux 2.2/potato this has been fixed in version 2.8.3-1.1
of the lynx package and version 2.8.3.1-1.1 of the lynx-ssl package.

For Debian GNU/Linux 3.0/woody this has been fixed in version 2.8.4.1b-3.2
of the lynx package and version 1:2.8.4.1b-3.1 of the lynx-ssl package.

- --------------------------------------------------------------------------

Obtaining updates:

  By hand:
wget URL
will fetch the file for you.
dpkg -i FILENAME.deb
will install the fetched file.

  With apt:
deb http://security.debian.org/ stable/updates main
added to /etc/apt/sources.list will provide security updates

Additional information can be found on the Debian security webpages
at http://www.debian.org/security/

- --------------------------------------------------------------------------


Debian GNU/Linux 2.2 alias potato
- --------------------------------

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc.


  Source archives:


http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1.orig.tar.gz
  Size/MD5 checksum:  2058352 2ee38e4b05d587a787c33bff9085c098
http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1.dsc
  Size/MD5 checksum: 1279 3eccb5692780db83f078013ff8796224
http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1.dsc
  Size/MD5 checksum: 1229 2924513df600a7cc6b4d29987a325107
http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3.orig.tar.gz
  Size/MD5 checksum:  2024975 0fc239287592e885231e4be2fb2cd755
http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1.diff.gz
  Size/MD5 checksum:    20091 507a328f301a1c37471a69e60df4479d

http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1.diff.gz
  Size/MD5 checksum:   101630 59d4dfb527584001374bebdcc9760623

  alpha architecture (DEC Alpha)


http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1_alpha.deb
  Size/MD5 checksum:  1165112 dce2288ab84eaac8851c657ab271f5cd
http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_alpha.deb
  Size/MD5 checksum:  1155516 775381bbf1c7c5f3177b17369969fda7

  arm architecture (ARM)


http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1_arm.deb
  Size/MD5 checksum:  1018784 ba8d2ee2271ebb56216e4f9c67690f6a
http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_arm.deb
  Size/MD5 checksum:  1006492 85a7c675d239cce67e4d7076d69e8c48

  i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_i386.deb
  Size/MD5 checksum:   973310 9f591d8c7e97b1bd84da2f841397a75c

http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1_i386.deb
  Size/MD5 checksum:   980678 ef6cf5f0e4a8781b14876639fafa78be

  m68k architecture (Motorola Mc680x0)

http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_m68k.deb
  Size/MD5 checksum:   928930 b77c252b5da24613fd6b24ee7b8f09f5

http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1_m68k.deb
  Size/MD5 checksum:   938162 e3b5992515dfb3f537ee9ece56a05083

  powerpc architecture (PowerPC)


http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1_powerpc.deb
  Size/MD5 checksum:  1026988 3453040226d6fde9fb23ff8334d5e382
http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_powerpc.deb
  Size/MD5 checksum:  1015372 c2e0c1e1026f7fd2053d2c09cab90be1

  sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/l/lynx/lynx_2.8.3-1.1_sparc.deb
  Size/MD5 checksum:  1015696 3a207988cadc086720029abf6a227954

http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.3.1-1.1_sparc.deb
  Size/MD5 checksum:  1028208 bf6725e66a603d0652a6a987f737c64b


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Woody was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel,
  powerpc, s390 and sparc.

  Source archives:


http://security.debian.org/pool/updates/main/l/lynx-ssl/lynx-ssl_2.8.4.1b.orig.tar.gz
  Size/MD5 checksum:  2557510 053a10f76b871e3944c11c7776da7f7a
http://security.debian.org/pool/updates/main
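The DSA-210 problem (CR/LF reaching the request builder and becoming extra HTTP headers) is a generic input-validation failure, so here is an added Python example of the check a client should make before it serializes a request. This is not lynx code and not part of the Debian advisory; the function names, the constructed URLs and the header values are all illustrative.

```python
import re
from urllib.parse import urlsplit, quote

# Octets that must never appear inside a request line or header field:
# CR and LF terminate a header line, NUL truncates C string buffers.
FORBIDDEN = re.compile(r"[\r\n\x00]")
# RFC 2616 token characters, the only ones allowed in a header name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class HeaderInjection(ValueError):
    """Raised when caller-supplied data would add or alter a header line."""


def check_field(label, value):
    """Reject a value that contains CR, LF or NUL; return it unchanged otherwise."""
    if FORBIDDEN.search(value):
        raise HeaderInjection(f"{label} contains CR/LF/NUL: {value!r}")
    return value


def build_request(url, extra_headers=None):
    """Build an HTTP/1.0 GET request, refusing any input that could split a header.

    The raw URL is checked before parsing because urlsplit() silently strips
    CR/LF/TAB, which would hide an injection attempt instead of reporting it.
    """
    check_field("url", url)
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.netloc:
        raise ValueError(f"expected an absolute http URL, got {url!r}")
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    # Percent-encode everything outside the URL-safe set so the request line
    # cannot contain spaces or other separators either.
    target = quote(target, safe="/?&=:@%~!$'()*+,;")
    lines = [f"GET {target} HTTP/1.0", f"Host: {parts.netloc}"]
    for name, value in (extra_headers or {}).items():
        if not TOKEN.fullmatch(name):
            raise HeaderInjection(f"illegal header name {name!r}")
        check_field(f"header {name}", value)
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


def header_count(raw):
    """Number of header lines in a serialized request (excluding the request line)."""
    head = raw.split("\r\n\r\n", 1)[0]
    return len(head.split("\r\n")) - 1


def rejects(url, extra_headers=None):
    """True if build_request refuses the input as a header-injection attempt."""
    try:
        build_request(url, extra_headers)
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    print(build_request("http://example.com/index.html", {"User-Agent": "Lynx/2.8.3"}))
    print("rejected:", rejects("http://example.com/", {"User-Agent": "Lynx\r\nX-Injected: 1"}))
```

Raising rather than silently stripping the offending bytes is deliberate: a command-line option or a referer value that carries a CR/LF is never legitimate, and failing loudly makes the bad input visible in logs instead of producing a request that merely happens to be harmless.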

Re: [VulnWatch] proftpd <=1.2.7rc3 DoS

2002-12-12 Thread Kurt Seifried
> Hello,
>
> 1. I know that the workaround with the DenyFilter works.

Actually it turns out there is no need for DenyFilter.

> 2. Proftpd by default doesn't have this filter set, neither has the
>default proftpd install on slackware 8.1

In any event this is immaterial as we see later since I can't cause Proftpd
1.2.7rc3 to crash with */*/?/./whatever.

> 3. The methods mentioned on the page you refer to do not work on later
>proftpd versions (tested on 1.2.7rc3) because of limits set in the
>code. i.e:
>
> ftp> ls .*./*?/.*./*?/.*./*?/.*./*?/.*./
> 200 PORT command successful
> 150 Opening ASCII mode data connection for file list
> 226-Out of memory during globbing of .*./*?/.*./*?/.*./*?/.*./*?/.*./
> 226 Transfer complete.
> ftp>
>
>   these proftpd versions don't even process that command.

Ahh. so? The command returns an error message and the server keeps going, no
additional load as far as I can tell.

Your example causes no damage, at least with the 1.2.7rc3 packages at
proftpd.net on a default Red Hat 8.0 box, default install, no
denyfilter/etc/etc. In case you're wondering my test ftp server has 30 gigs
of data nested quite deeply, so it's not like /pub/ is empty.

Perhaps the Slackware proftpd package is broken, or your install is; I
cannot replicate this behaviour with the packages from proftpd.net on Red Hat
at all. What symptoms are you seeing, does the server crash? Proftpd sucks
up all the memory, or?

> I think I have done proper research on this issue before notifying anyone.

Google thinks otherwise, I remember this issue from way back when. It's been
beaten to death (wuftpd, proftpd, you name it). The horse is dead. Plus the
vendor would have told you about this had you contacted them first, rather
than going public. You did contact the vendor first, right?

> People should do more research before making any conclusions, it's far
> less embarrassing.

Yes, it is. If you can recreate this problem outside of your specific setup,
especially with standard packages from proftpd.net or another vendor I'd
like to know (I'm sure they would too).

> Rob.


Kurt Seifried, [EMAIL PROTECTED]
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/





iDefense Security Advisory

2002-12-12 Thread gobbles

-----BEGIN PGP SIGNED MESSAGE-----

iDEFENSE Security Advisory 12.13.02:
http://www.idefense.com/advisory/12.13.02.txt
Bufferoverflow in 0verkill Server
December 13, 2002

I. BACKGROUND

0verkill is a client-server 2d deathmatch-like game in ASCII art.  It
supports free connecting/disconnecting during the game, and runs well on
modem lines.  Graphics are in 16-color ASCII art with elaborate hero
animations.  0verkill features 4 different weapons, grenades, invisibility,
and armor.  The package also contains reaperbot clients, a simple graphics
editor, and a level editor.  The server portion of 0verkill listens on an
UDP port ( by default).


II. DESCRIPTION

Remote exploitation of a buffer overflow within the 0verkill server source
could allow a remote attacker to gain the privileges of whichever user the
process is running as.  Since there are no authentication measures built
into the game, this problem can be considered to be PREAUTH*.  This is a
very serious vulnerability and should be taken seriously.

The following is a snapshot of the exploit in action.

[EMAIL PROTECTED]:~$ ./0verkillflow -t 5 -h 192.168.0.1 -o l -p 
Attacking host 192.168.0.1 (Linux 2.4.20-grsec).
*GOBBLE*
id; uname -a
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
Linux spender 2.4.20 #1 Sat Dec 7 13:44:54 EST 2002 i686 unknown
^C

[EMAIL PROTECTED]:~$ su -
Password:
[EMAIL PROTECTED]:~# rm -rf /&


III. ANALYSIS

Remote attackers can use this exploit to gain unauthorized access to your
corporate network if you do not immediately upgrade to the latest version of
0verkill.  We have seen evidence of this being exploited in the wild, and
suggest that ISS and Securityfocus increase the ARIS Threatcon to at least 7.

Most of our clients have probably already been compromised by this exploit of
ours, and those who were not running the daemon as root were probably later
rooted locally by bugs in **Abuse that the author refuses to patch.

Since this exploit exists in the wild, we will soon send our IDS signatures
to Max Vision and Martin Roesch so that they may update their IDS systems to
detect this version of the attack, and this exploit specifically.  Please
keep in mind that these signatures will not be sufficient for other versions
of the exploit, and that you may need to upgrade your IDS to a better
mechanism that is capable of detecting more than specific versions of an
attack.


IV. DETECTION

To detect whether or not you are running a vulnerable version of the 0verkill
server or not, we suggest that you take the md5sum of the binary.  For example:

[EMAIL PROTECTED]:/usr/src/0verkill-0.16# md5sum server
0f210947eec2ead10e00069896d2f4bb  server

If your server binary has the same checksum as our binary, here at iDefense
Labs, you are vulnerable to this attack and must immediately upgrade your
service to the latest version.  We're currently attempting to devise a more
reliable method to verify whether or not an executable is vulnerable or not,
but our research scientists are at this time stumped.

The IDS experts from Sourcefire, ISS, and NFR are currently studying this
vulnerability and are developing exploits for it, so that they might understand
all possible methods of exploitation, and accordingly create the proper dynamic
rules to help you detect all variations of this bug being exploited, instead of
a single version which ultimately won't help anything.  Once this has been done, you 
can replay your network traffic through your sensors and watch to see if this has been 
exploited on your network yet or not.


V. VENDOR FIX

We have not been able to contact any of the developers for the software, and at this 
time there is no fix for the problem.


VI. CVE INFORMATION

We have received information from Brian McWilliams which links MITRE to the
Al Quada terrorist network, and for this reason we will no longer participate
in any MITRE sponsored programs.


VII. DISCLOSURE TIMELINE

11/20/2002  Issue disclosed to iDEFENSE
12/08/2002  Maintainer, Brain ([EMAIL PROTECTED]),
and NetBSD Security Officer ([EMAIL PROTECTED])
notified.
12/09/2002  Contacted CERT ([EMAIL PROTECTED]) about the matter.
12/10/2002  Attempted to contact CERT again for assistance with contacting
the authors of 0verkill.
12/11/2002  iDEFENSE clients notified
12/12/2002  Coordinated public disclosure

VIII. CREDIT

GOBBLES ([EMAIL PROTECTED]) discovered this vulnerability.

*By PREAUTH, we mean pre-authentication.
**Please read our previous advisory on Abuse, which can be found here:
 http://www.idefense.com/advisory/11.01.02.txt

" Life without CERT is like the Chocolate Factory without Charlie :-( "
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlwEARECABwFAj35GzMVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPnpIA
n0q1wFh9yDm8IGzwhFNlgZk5RRauAJ9m9xnpfG+

Adelphia Powerlink service vulnerable to man in the middle attacks by cable modem users.

2002-12-12 Thread 0x90
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------

InvisibleNet Security Advisory ISA 1-1a [EMAIL PROTECTED]

http://www.invisiblenet.com

December 12th, 2002 - report issued by 0x90

- --------------------------------------------------------------------------

Subject: Adelphia PowerLink Network (http://powerlink.adelphia.com)
vulnerable to ARP poisoning attacks and promiscuous mode sniffing.

Vulnerability: ARP poisoning and monitoring of subnet(s)

Problem-Type: remote

OS Specific: N/A

Problem Description:

A certain set of subnets on Adelphia's Powerlink network are treated as a
HUB/SWITCH and therefore allow cable modem subscribers promiscuous
monitoring of the subnet, and ARP poisoning (man in the middle) attacks.
Upon finding this flaw, it seems to only affect Windows users' DHCP
requests, as for *nix it hands off an entirely different subnet IP address
that is not vulnerable. This doesn't stop one from booting into *nix and
manually configuring their IP to be on the vulnerable subnet. To review,
with ARP poisoning, one can do a tremendous amount of malicious activity on
a subnet, from DoS'ing the network, to hijacking DNS servers, and even
attacking/cracking SSL/SSH/VPN negotiations. In promiscuous mode, one can
passively monitor all traffic on the subnet, obtaining private information,
including logins/passwords, and private email.

Vulnerable Subnets:

please contact [EMAIL PROTECTED] for info regarding specific
subnets.



Solution:

The solution varies depending on how the cable network's topology is
handled, and ARP poisoning, as we know, is not a completely solvable issue
without a physical/virtual separation of Layer 3 from Layer 2 in the OSI
Model. For promiscuous mode, don't have the network in HUB mode.

Patch:

N/A.

Disclaimer:


InvisibleNet is not responsible for the misuse of any of the information we
provide on this website and/or through our security advisories. Our
advisories are a service to our customers intended to promote secure
installation and use of InvisibleNet products.

- --0x90--
I'd crawl over an acre of "Visual This++" and "Integrated Development
That" to get to gcc, Emacs, and gdb.  Thank you.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use

iQA/AwUBPfjpkTep2+UpsNFNEQIWlACg/Vf44LuQHkdwaotTTN2oOBlKAD0AniS2
gSXaIhcrh+Q5j9Po3Ct8BeYx
=CS8m
-----END PGP SIGNATURE-----
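The advisory above describes the exposure but offers no detection, so here is an added Python example (not part of 0x90's report) of the cheapest monitoring a subscriber or operator can run on a flat segment: watch ARP replies and flag an IP whose MAC changes, or one MAC that claims several IPs. The log format, timestamps, addresses and MACs are all constructed for the example.

```python
import re
from collections import defaultdict

# One ARP reply per line in a constructed log format (timestamp, "reply",
# sender IP, "is-at", sender MAC); not a capture from any real network.
ARP_LINE = re.compile(
    r"^(?P<ts>\S+) reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})$"
)


def parse_arp_log(text):
    """Return (timestamp, ip, mac) tuples for every line that matches ARP_LINE."""
    records = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            records.append((m["ts"], m["ip"], m["mac"].lower()))
    return records


def detect_arp_anomalies(records, max_ips_per_mac=3):
    """Flag the two symptoms of ARP cache poisoning on a shared segment:

    - "mac_change": an IP that was announced with one MAC is now announced
      with another (the gateway suddenly "moving" to a different NIC);
    - "multi_ip": one MAC claiming at least max_ips_per_mac different IPs,
      which is what a host impersonating several neighbours looks like.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in records:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("mac_change", ts, ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == max_ips_per_mac:
            alerts.append(("multi_ip", ts, mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts


# Constructed sample: 10.1.1.1 (the gateway) is first announced by one MAC,
# then re-announced by the MAC that also claims 10.1.1.50 and 10.1.1.60.
SAMPLE_LOG = """\
2002-12-12T10:00:01 reply 10.1.1.1 is-at 00:0a:95:9d:68:16
2002-12-12T10:00:02 reply 10.1.1.50 is-at 00:0c:29:4f:8e:35
2002-12-12T10:00:03 reply 10.1.1.1 is-at 00:0a:95:9d:68:16
2002-12-12T10:00:04 reply 10.1.1.1 is-at 00:0c:29:4f:8e:35
2002-12-12T10:00:05 reply 10.1.1.60 is-at 00:0c:29:4f:8e:35
"""

if __name__ == "__main__":
    for alert in detect_arp_anomalies(parse_arp_log(SAMPLE_LOG)):
        print(alert)
```

A detector like this does not remove the exposure the advisory describes; it only tells you when someone is using it. The threshold is a tunable: DHCP churn on a home segment can legitimately move one IP between MACs over days, so in practice you would key "mac_change" alerts on the gateway address and on short time windows.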







XSS flaw found at "https://www.e-gold.com"

2002-12-12 Thread Liu Die Yu


I know Bugtraq doesn't accept vulnerabilities on one site, but the following
info is important; please suggest a forum for me to post.


===--



XSSatEGOLD-Content-Tech

XSS flaw found at "https://www.e-gold.com";

technically, it's nothing new. 

XSS at e-gold is very dangerous. e-gold is one of the most popular ways to
do international business, and unlike the credit card system, once e-gold is
sent it never comes back. There is no refund policy.

So stealing a passphrase means stealing real gold.

It's important, so I take it seriously.


[tested]
browser:MSIEv6 
time:2002/12/10 UTC+800


[demo]
at
http://www16.brinkster.com/liudieyu/XSSatEGOLD/XSSatEGOLD-MyPage.htm
or
http://clik.to/liudieyu ==>XSSatEGOLD
or
[CODE.URL START]
https://www.e-gold.com/acct/historycsv.asp?
initial=1">&startmonth=12&startday=4&startyear=1996&endmonth=12&end
day=4&endyear=2003&paymentsreceived=1&oldsort=tstamp&page=1
[CODE.URL END]

[exp]

Technically, there is only one thing important for XSS attackers:
some CGIs can only be found when you are logged in, but they can be reached
even if you are not logged in.
Of course, the module dealing with logged-in users is different from the
one dealing with not-logged-in users.
So, you have to test in both situations to ensure it's not XSS vulnerable.


[contact]
http://clik.to/liudieyu ==> "how to contact liu die yu" section

[BTW]
this flaw can be found easily with FASX at
http://clik.to/fasx



Password Hole Found In Webshots

2002-12-12 Thread Brian Carpenter
I have discovered a hole in the Webshots screensaver program. On either
a Win2K or XP machine that has it installed you can bypass the password
on the screen saver by pressing Ctrl+Alt+Del, which brings up the Windows
box that contains logout, lock computer, shutdown etc. Then you will hit
cancel and boom, you are at the desktop with all the permissions the
previous user had. If you have Windows password locking the screen saver
you are able to Ctrl+Alt+Del and then go to Task Manager and end the
screen saver, thus bringing you back to the desktop.

This works with both Webshots password set up and the Windows password
setup on the computer. As long as Webshots is used the hole is there.







[SECURITY] [DSA-209-1] two wget problems

2002-12-12 Thread Wichert Akkerman
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA-209-1   [EMAIL PROTECTED]
http://www.debian.org/security/ Wichert Akkerman
December 12, 2002
- --------------------------------------------------------------------------


Package: wget
Problem type   : directory traversal
 buffer overflow
Debian-specific: no
CVEs   : CAN-2002-1344

Two problems have been found in the wget package as distributed in
Debian GNU/Linux:

* Stefano Zacchiroli found a buffer overrun in the url_filename function,
  which would make wget segfault on very long URLs

* Steven M. Christey discovered that wget did not verify the FTP server
  response to a NLST command: it must not contain any directory information,
  since that can be used to make a FTP client overwrite arbitrary files.

Both problems have been fixed in version 1.5.3-3.1 for Debian GNU/Linux
2.2/potato and version 1.8.1-6.1 for Debian GNU/Linux 3.0/woody.

- --------------------------------------------------------------------------

Obtaining updates:

  By hand:
wget URL
will fetch the file for you.
dpkg -i FILENAME.deb
will install the fetched file.

  With apt:
deb http://security.debian.org/ stable/updates main
added to /etc/apt/sources.list will provide security updates

Additional information can be found on the Debian security webpages
at http://www.debian.org/security/

- --------------------------------------------------------------------------


Debian GNU/Linux 2.2 alias potato
- --------------------------------

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc.

  Source archives:

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1.diff.gz
  Size/MD5 checksum:    75231 61d99d8ab75b95cd9fa2459e74182a50
http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3.orig.tar.gz
  Size/MD5 checksum:   446966 47680b25bf893afdb0c43b24e3fc2fd6
http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1.dsc
  Size/MD5 checksum: 1163 9eb3c57aa94d74e3c6e4097b5d941563

  alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_alpha.deb
  Size/MD5 checksum:   249228 0eedd7487056460a8de93ea2ed3402f2

  arm architecture (ARM)

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_arm.deb
  Size/MD5 checksum:   233342 9a57b21e6611b46b3991bb38e75dbd08

  i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_i386.deb
  Size/MD5 checksum:   227812 fc7c576836d26cebc397c07f3bbd1488

  m68k architecture (Motorola Mc680x0)

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_m68k.deb
  Size/MD5 checksum:   224820 b967f1e1b960be2fce3fb2cae55b6710

  powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_powerpc.deb
  Size/MD5 checksum:   234646 48b138d481cebbe85b437d82b63285b7

  sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/w/wget/wget_1.5.3-3.1_sparc.deb
  Size/MD5 checksum:   235500 631874205d8d85378555387209a9db37


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Woody was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel,
  powerpc, s390 and sparc. An update for mipsel is not available at this
  moment.


  Source archives:

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1.orig.tar.gz
  Size/MD5 checksum:  1097780 6ca8e939476e840f0ce69a3b31c13060
http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1.diff.gz
  Size/MD5 checksum: 9939 69f96b6608e043e0d781061a22e90169
http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1.dsc
  Size/MD5 checksum: 1217 97af60040e8d7a2cd538d18a5120cd87

  alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_alpha.deb
  Size/MD5 checksum:   364338 aeade9ab45904c8b6c64fcdb5934576e

  arm architecture (ARM)

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_arm.deb
  Size/MD5 checksum:   335972 dfe4085e95fd53be9821d1b33d79d134

  hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_hppa.deb
  Size/MD5 checksum:   355790 32dd606c8dc5b3d3fc8000519009de4e

  i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_i386.deb
  Size/MD5 checksum:   332394 afc976eaaf4cd416f8eedd347d18367b

  ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/w/wget/wget_1.8.1-6.1_ia64.deb
  Size/MD5 checksum:   393540 efb82eb46927b657fa8e2706f475bf53

  m68k architecture (Motorola Mc680x0)

http://security.debian.org/pool/updates/main/w/w

MDKSA-2002:086 - Updated wget packages fix directory traversal vulnerability

2002-12-12 Thread Mandrake Linux Security Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Mandrake Linux Security Update Advisory


Package name:   wget
Advisory ID:MDKSA-2002:086
Date:   December 11th, 2002

Affected versions:  7.2, 8.0, 8.1, 8.2, 9.0,
Single Network Firewall 7.2


Problem Description:

 A vulnerability in all versions of wget prior to and including 1.8.2
 was discovered by Steven M. Christey.  The bug permits a malicious
 FTP server to create or overwrite files anywhere on the local file
 system by sending filenames beginning with "/" or containing "/../".
 This can be used to make vulnerable FTP clients write files that can
 later be used for attack against the client machine.


References:
  
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1344
  http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719482


Updated Packages:
  
 Linux-Mandrake 7.2:
 56f86210d618f4659468b03cca5f5367  7.2/RPMS/wget-1.8.2-3.1mdk.i586.rpm
 d84e6c60c2b8a1df2fdfd37022325df0  7.2/SRPMS/wget-1.8.2-3.1mdk.src.rpm

 Mandrake Linux 8.0:
 b998782770af6b72e98d77840fe1d11a  8.0/RPMS/wget-1.8.2-3.1mdk.i586.rpm
 d84e6c60c2b8a1df2fdfd37022325df0  8.0/SRPMS/wget-1.8.2-3.1mdk.src.rpm

 Mandrake Linux 8.0/PPC:
 83bcfaa286ca31287910d0de7ad885db  ppc/8.0/RPMS/wget-1.8.2-3.1mdk.ppc.rpm
 d84e6c60c2b8a1df2fdfd37022325df0  ppc/8.0/SRPMS/wget-1.8.2-3.1mdk.src.rpm

 Mandrake Linux 8.1:
 86909f6a3f8c1cb14177047efdbf508d  8.1/RPMS/wget-1.8.2-3.1mdk.i586.rpm
 d84e6c60c2b8a1df2fdfd37022325df0  8.1/SRPMS/wget-1.8.2-3.1mdk.src.rpm

 Mandrake Linux 8.1/IA64:
 de7f59b11fa67fe6dd87a282b7ae47f4  ia64/8.1/RPMS/wget-1.8.2-3.1mdk.ia64.rpm
 d84e6c60c2b8a1df2fdfd37022325df0  ia64/8.1/SRPMS/wget-1.8.2-3.1mdk.src.rpm

 Mandrake Linux 8.2:
 6d851936f51c179f2412b5cb3323eb01  8.2/RPMS/wget-1.8.2-3.1mdk.i586.rpm
 d84e6c60c2b8a1df2fdfd37022325df0  8.2/SRPMS/wget-1.8.2-3.1mdk.src.rpm

 Mandrake Linux 8.2/PPC:
 d9b9435e30763b13a852a7ed191fc7cf  ppc/8.2/RPMS/wget-1.8.2-3.1mdk.ppc.rpm
 d84e6c60c2b8a1df2fdfd37022325df0  ppc/8.2/SRPMS/wget-1.8.2-3.1mdk.src.rpm

 Mandrake Linux 9.0:
 f7658d3f4e94bf736bf02d053a597e0a  9.0/RPMS/wget-1.8.2-3.1mdk.i586.rpm
 d84e6c60c2b8a1df2fdfd37022325df0  9.0/SRPMS/wget-1.8.2-3.1mdk.src.rpm

 Single Network Firewall 7.2:
 56f86210d618f4659468b03cca5f5367  snf7.2/RPMS/wget-1.8.2-3.1mdk.i586.rpm
 d84e6c60c2b8a1df2fdfd37022325df0  snf7.2/SRPMS/wget-1.8.2-3.1mdk.src.rpm


Bug IDs fixed (see https://qa.mandrakesoft.com for more information):


To upgrade automatically, use MandrakeUpdate.  The verification of md5
checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".  A list of
FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package.  You can do this with the command:

  rpm --checksig 

All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team from:

  https://www.mandrakesecure.net/RPM-GPG-KEYS

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other update advisories for Mandrake Linux at:

  http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:

  http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

Type Bits/KeyID Date   User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.7 (GNU/Linux)
Re: Directory Traversal Vulnerabilities in FTP Clients

2002-12-12 Thread Stephen Samuel
I have a bone to pick with Sun's classification of the FTP traversal
vulnerability as 'not a bug'

Most notably:

   The Solaris ftp mget behaviour is consistent with other BSD derived
   ftp clients, for example on Linux and FreeBSD.  Changing the
   existing behaviour will cause problems.


I will simply classify this comment as "the lemming response": 'Everybody
else has this bug, so we'll leave it that way'.

First of all, it would appear that Linux (Red-Hat)  and (open)BSD
developers are responding to this issue as a bug and appear to be
developing/distributing solutions.  Secondly, these directory traversal
activities are in response to clearly non-standard responses from
a server. I can't think  of any case where a legitimate FTP server
would respond with those file names and expect that the files would
be installed in such a location.

I don't see how breaking an obvious exploit that has few (if any)
legitimate uses would 'cause problems'. If Sun wants to enable the few
cases where a user actually *wanted* to enable directory traversal, it
would be easy enough to code in a runtime flag.

This issue is also not only a systems vulnerability. An attacker could,
for example, craft an exploit aimed at a specific user, resulting in
the replacement/destruction of a document with legal/political
significance.  It could also result in the destruction/modification of
system-significant files associated with an account used to do automated
downloads.

The runique and interactive workarounds are only useful for interactive
(not script or batch) downloads, and/or where existing files are not
usually expected to be replaced in the normal course of actions.

In short, I'm very disappointed by Sun's unwillingness to address this
exploit as the bug that it clearly is -- insecure actions in the face
of entirely non-standard input.
--
Stephen Samuel +1(604)876-0426[EMAIL PROTECTED]
		   http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.
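DSA-209, MDKSA-2002:086 and the reply above all turn on the same defect: an FTP client trusting the names a server returns to NLST and writing wherever they point. As an added example (not code from wget, Sun's ftp, or any of the advisories), here is the validation a client's mget loop should apply to each server-supplied name before opening a local file, applied to a constructed listing. The function names, the destination directory and every entry in the sample listing are illustrative.

```python
import posixpath


class UnsafeFilename(ValueError):
    """Raised for a server-supplied name that would escape the download directory."""


def validate_nlst_name(name):
    """Accept only relative names made of ordinary path components.

    Rejects what the advisories describe (a leading "/" and ".." components)
    plus empty components and control characters, which no legitimate
    listing needs and which Samuel's point about non-standard input covers.
    """
    if not name or any(c in name for c in "\r\n\x00"):
        raise UnsafeFilename(f"empty name or control characters: {name!r}")
    if name.startswith("/"):
        raise UnsafeFilename(f"absolute path from server: {name!r}")
    for part in name.split("/"):
        if part in ("", ".", ".."):
            raise UnsafeFilename(f"traversal or empty component: {name!r}")
    return name


def local_target(dest_dir, name):
    """Return the local path a validated name maps to inside dest_dir (absolute)."""
    if not posixpath.isabs(dest_dir):
        raise ValueError("dest_dir must be absolute so containment can be checked")
    validate_nlst_name(name)
    root = posixpath.normpath(dest_dir)
    target = posixpath.normpath(posixpath.join(root, name))
    # Second, independent check: even after validation, prove the resolved
    # path still lies under the download root.
    if posixpath.commonpath([root, target]) != root:
        raise UnsafeFilename(f"{name!r} resolves outside {root!r}")
    return target


def filter_listing(raw_nlst, dest_dir):
    """Split a CRLF-terminated NLST reply into (safe local targets, rejected names)."""
    accepted, rejected = [], []
    for line in raw_nlst.split("\r\n"):
        if not line:
            continue
        try:
            accepted.append(local_target(dest_dir, line))
        except UnsafeFilename as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected


# Constructed NLST reply mixing ordinary entries with the hostile shapes the
# advisories describe; not captured from any real server.
SAMPLE_NLST = (
    "README\r\n"
    "/etc/motd\r\n"
    "../../.profile\r\n"
    "docs/manual.txt\r\n"
    "sub//x\r\n"
    "a/../b\r\n"
)

if __name__ == "__main__":
    ok, bad = filter_listing(SAMPLE_NLST, "/home/user/downloads")
    print("would write:", ok)
    print("refused:", bad)
```

Rejecting rather than rewriting the name is the safer default: a client that silently strips "../" still writes a file the user did not ask for, whereas a refusal leaves an audit trail. The containment check in `local_target` is kept separate from the lexical rules on purpose, so that a gap in one does not become a gap in both.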




VisNetic WebSite XSS vulnerability through HTTP referer header

2002-12-12 Thread Ory Segal
Visnetic WebSite XSS vulnerability through HTTP Referer header
--------------------------------------------------------------

=> Author: Ory Segal - Sanctum inc. http://www.sanctuminc.com/

=> Release date: 09/12/2002

=> Vendor: Deerfield ( http://www.deerfield.com )

The following products were found to be vulnerable:

VisNetic WebSite 3.5.13.1

=> Severity: High

=> Impact: Loss of privacy - user cookies associated with the target site may
be stolen in some cases.

=> CVE candidate: Not assigned yet.

=> Summary: A Cross Site Scripting vulnerability exists when requesting a
non-existent web page from VisNetic WebSite pro and injecting a malicious
script in the HTTP 'Referer' header.

=> Description: VisNetic WebSite server will return a customized 404 page when
a requested page does not exist. This customized 404 page contains a link to the
last visited web page, and by clicking on the link the user is redirected back to
where he/she came from. This link is created by using the data in the HTTP
'Referer' header, which is sent automatically by the web browser. By requesting a
non-existent page, and changing the HTTP 'Referer' header to contain malicious
JavaScript code, an attacker may force the application to return the JavaScript
code to the web browser, where it will be executed.

=> Example Exploit: The following request will return a JavaScript pop-up screen:

GET /NonExistentPage.html HTTP/1.0
Host: TARGET
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Referer: ">alert('Cross Site Scripting')

=> Fix: The new version of VisNetic WebSite (3.5.15) solves this problem. You can
download it from:
http://www.deerfield.com/products/visnetic_website/

=> Note: This XSS vulnerability (and many others) can be tested with Sanctum's
web application security scanner, AppScan.

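The VisNetic flaw is the textbook case of a request header reflected into HTML without output encoding. As an added example (not VisNetic code and not from Sanctum's advisory), the Python below shows a 404 renderer written the way the advisory describes beside a hardened one that only links back to an http(s) URL and HTML-escapes it. The function names and the constructed Referer values are illustrative.

```python
from html import escape
from urllib.parse import urlsplit


def render_404_unsafe(referer):
    """The pattern the advisory describes: the Referer value is dropped
    straight into the page, so any markup it carries becomes part of the
    response."""
    link = f'<a href="{referer}">Go back</a>' if referer else ""
    return f"<html><body><h1>404 Not Found</h1>{link}</body></html>"


def safe_back_link(referer):
    """Build a back-link only from a plain http(s) URL, with every HTML
    metacharacter escaped so the value cannot leave the attribute."""
    if not referer or any(c in referer for c in "\r\n\x00"):
        return ""
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        # Drops javascript:, data: and bare junk; no link beats a bad link.
        return ""
    return f'<a href="{escape(referer, quote=True)}">Go back</a>'


def render_404(referer):
    """Hardened 404 renderer: validates the Referer's scheme and output-encodes it."""
    return f"<html><body><h1>404 Not Found</h1>{safe_back_link(referer)}</body></html>"


# Constructed Referer values: an ordinary one, the attribute-breakout shape
# from the advisory, and a non-http scheme.
SAMPLES = [
    "http://example.org/prev",
    'http://example.org/">' + "<script>alert('Cross Site Scripting')</script>",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print("unsafe:", render_404_unsafe(ref))
        print("safe:  ", render_404(ref))
```

Escaping is the fix; the scheme check is defence in depth, because a correctly escaped `javascript:` URL is still a live link once the user clicks it. The same two steps apply to any other header or parameter a server echoes into an error page.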













[SECURITY] [DSA 208-1] New Perl packages correct Safe handling

2002-12-12 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 208-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
December 12th, 2002 http://www.debian.org/security/faq
- --

Package: perl, perl-5.004, perl-5.005
Vulnerability  : broken safe compartment
Problem-type   : local
Debian-specific: no
CVE  Id: CAN-2002-1323

A security hole has been discovered in Safe.pm which is used in all
versions of Perl.  The Safe extension module allows the creation of
compartments in which perl code can be evaluated in a new namespace
and the code evaluated in the compartment cannot refer to variables
outside this namespace.  However, when a Safe compartment has already
been used, there's no guarantee that it is Safe any longer, because
there's a way for code to be executed within the Safe compartment to
alter its operation mask.  Thus, programs that use a Safe compartment
only once aren't affected by this bug.

This problem has been fixed in version 5.6.1-8.2 for the current
stable distribution (woody), in version 5.004.05-6.2 and 5.005.03-7.2
for the old stable distribution (potato) and in version 5.8.0-14 for
the unstable distribution (sid).

We recommend that you upgrade your Perl packages.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- -


Multiple Mambo Site Server sec-weaknesses

2002-12-12 Thread euronymous
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: Multiple Mambo Site Server sec-weaknesses
product: Mambo Site Server 4.0.11
vendor: http://sourceforge.org/projects/mambo
risk: high
date: 12/12/2k2
discovered by: euronymous /F0KP /HACKRU Team
advisory urls: http://f0kp.iplus.ru/bz/010.en.txt
   http://f0kp.iplus.ru/bz/010.ru.txt 
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=

index
-

1) php and system environment information
2) search.php xss
3) weak passwords allowed and account blocking
4) path disclosure
5) default administration credentials
6) suitable database access
7) script injecting via `Your name' field


description
---

1) php and system environment information

mambo comes with a common script that uses the phpinfo()
function, which prints a lot of important information, including
full physical paths, php settings and so on.. the script
is placed under mambo's `administrator' directory.

http://hostname/mambo/administrator/phpinfo.php


2) search.php xss

in the search field of the index page you can put any scripting
code, and then it will be interpreted by the script above.


3) weak passwords allowed and account blocking

registration.php will allow you to choose a password
1 character long. within the account registration
process you cannot use special chars (eg space char) as
a password, but when you edit your registered
account and change the password to one space char, then
you cannot login, because the script outputs the error message:
`please complete username and password fields'. so, the
account was locked.


4) path disclosure

if you call index.php with a parameter that does not exist,
then you can see the following error message:


Fatal error: Maximum execution time of 30 seconds 
exceeded in /var/www/html/mambo/classes/database.php 
on line 30


example url: 

http://hostname/mambo/index.php?Itemid=some_shit


5) default administration credentials

just after installation, mambo has a default account
for managing various site components.. it is:

username: admin
password: admin

administration login page:  

http://hostname/mambo/administrator


6) suitable database access

if the admin has installed phpMyAdmin and has made the
corresponding changes in configuration.php, then you
can access the database w/o any authorisation and with a
comfortable web-interface ))

http://hostname/mambo/administrator/phpMyAdmin.php 


7) script injecting via `Your name' field

within the account register procedure you need to fill out
several fields, such as username, password, etc.
in the `Your name' field you can put any scripting code,
that will be interpreted every time some user
reads your articles, news, etc published via mambo site
server. but there is one problem: until the admin has
checked your article, it is not published..


shouts: HACKRU Team, DWC, DHG, Spoofed Packet, HUNGOSH,
all russian security guyz!! to kate especially )) 
fuck_off: slavomira and other dirty ppl in *.kz


im not a lame,
not yet a hacker


PNG (Portable Network Graphics) Deflate Heap Corruption Vulnerability

2002-12-12 Thread Marc Maiffret
PNG (Portable Network Graphics) Deflate Heap Corruption Vulnerability

Release Date:
December 11, 2002

Severity:
High (Code Execution)

Systems Affected:
We have specifically tested the following software and verified the
potential for exploitation:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0

Note: We have also successfully exploited this vulnerability via the IE web
control for Microsoft Outlook.

For the purpose of completeness we have included a listing of each product
that ships with the vulnerable pngfilt.dll version 6.0.2600.0 and prior. We
obtained this list from Microsoft’s DLL Help Database:

Access 2000 SR1
BackOffice 4.5
Commerce Server 2000
DirectX 6.0 SDK
DirectX 6.0 SDK
Internet Explorer 4.0
Internet Explorer 4.01 SP1
Internet Explorer 4.01 SP1
Internet Explorer 4.01 SP2
Internet Explorer 4.01 SP2
Internet Explorer 5.0
Internet Explorer 5.01
Internet Explorer 5.5
Internet Explorer 5.5 Service Pack 2
Internet Explorer 6.0
Microsoft Visual Studio .NET (2002) Enterprise Architect
Microsoft Visual Studio .NET (2002) Enterprise Architect
Microsoft Visual Studio .NET (2002) Enterprise Developer
Microsoft Visual Studio .NET (2002) Professional
Office 2000 Developer
Office 2000 SR1
Office 2000 SR1
Office XP Professional
Project 2002 Professional
Publisher 98
Publisher 98
SNA Server 4.0 SP2
SNA Server 4.0 SP2
SNA Server 4.0 SP3
SNA Server 4.0 SP3
SQL Server 7.0
SQL Server 7.0
SharePoint Portal Server
Small Business Server 2000
Small Business Server 2000
Visio 2002 Professional
Visio 2002 Standard
Visual Basic .NET Standard 2002
Visual C# .NET Standard 2002
Visual C++ .NET Standard 2002
Visual FoxPro 7.0
Visual Studio 6.0
Visual Studio 6.0
Visual Studio 6.0 SP4
Visual Studio 6.0 SP5
Windows 2000 Datacenter Server
Windows 2000 Professional
Windows 2000 Server
Windows 95 OSR 2.5
Windows 95 OSR 2.5
Windows 98
Windows 98 Second Edition
Windows Millennium Edition
Windows NT 4.0 SP5
Windows NT 4.0 SP5
Windows XP Home 2002
Windows XP Professional 2002



Twas the night before Christmas, and deep in IE
A creature was stirring, a vulnerability
MS02-066 was posted on the website with care
In hopes that Team eEye would not see it there

But the engineers weren't nestled all snug in their beds,
No, PNG images danced in their heads
And Riley at his computer, with Drew's and my backing
Had just settled down for a little PNG cracking

When rendering an image, we saw IE shatter
And with just a glance we knew what was the matter
Away into SoftICE we flew in a flash
Tore open the core dumps, and threw RFC 1951 in the trash

The bug in the thick of the poorly-written code
Caused an AV exception when the image tried to load
Then what in our wondering eyes should we see
But our data overwriting all of heap memory

With heap management structures all hijacked so quick
We knew in a moment we could exploit this $#!%
More rapid than eagles our malicious pic came --
The hardest part of this exploit was choosing its name

Derek Soeder
Software Engineer
eEye Digital Security




Overview:
During a review of the PNG image format implemented in Microsoft Windows,
two separate vulnerabilities were discovered related to the interpretation
of PNG image data. The first vulnerability deals with the handling of the
IDAT header and does not appear to be of significant threat level. The
second vulnerability can be exploited to execute code when the malicious PNG
image is viewed.  Due to the complexity of each of these vulnerabilities we
have decided only to describe the latter in detail.

General Description:
A heap corruption vulnerability exists due to the way the function
inflate_fast(), within pngfilt.dll, handles certain invalid data present in
“deflate” data input streams in a PNG image file.  The “deflate” compression
specification allows for the repetition of patterns that occur in the
decompressed data. This is accomplished by specifying a pair of special
codes that tell the decompression routine how far back into the decompressed
stream the pattern occurred (distance code), and the length of the pattern
to repeat in bytes (length code).  The inflate_fast() routine does not
properly handle length codes marked in the specification as invalid, and as
a result, a pattern can be replicated over a large portion of the heap,
allowing a skilled attacker to redirect the execution of a thread into a
“deflated” payload embedded in the deflate datastream within the malicious
PNG image.

Technical Description:
The heap overflow described above occurs in the interpretation of a
compressed block that uses fixed Huffman codes (BTYPE = 1).  Length codes
#286 and #287, while labeled as invalid in the formal specification (RFC
1951), are not discarded by the inflation routine, and are instead treated
as zero-length codes.  However, due to the way the inflation routine is
designed (see below), the length counter is decremented prior to being
evaluated, and an integer overflow will occur.  As a re
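An added model of the length-code handling the advisory describes (written for this digest; not eEye's analysis code and not Microsoft's pngfilt.dll): the RFC 1951 length table with codes 286 and 287 rejected instead of being treated as zero-length, a model of why a decrement-before-test copy loop wraps on length 0, and a bounds-checked back-reference copy. The loop shape, the 32-bit counter width and the output capacity are assumptions.

```python
"""
Deflate length-code decoding and back-reference copy with the checks a
conforming inflater needs. Illustrative code for this digest only.
"""

# RFC 1951 section 3.2.5: base length and number of extra bits for
# literal/length codes 257..285. Codes 286 and 287 have no entry.
LENGTH_BASE = [3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
               35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258]
LENGTH_EXTRA = ([0] * 8 + [1] * 4 + [2] * 4 + [3] * 4 + [4] * 4
                + [5] * 4 + [0])
MAX_DISTANCE = 32768          # deflate sliding-window size
MASK32 = 0xFFFFFFFF


class DeflateError(ValueError):
    """Raised for stream data that a conforming inflater must reject."""


def is_valid_length_code(code):
    """True only for the 29 length codes the specification defines."""
    return 257 <= code <= 285


def decode_length(code, extra_bits=0):
    """Match length for a length code plus the value of its extra bits."""
    if not is_valid_length_code(code):
        # 286 and 287 are representable in the fixed Huffman code space
        # (BTYPE = 1) but are reserved by the spec; treat them as an error.
        raise DeflateError(f"invalid length code {code}")
    i = code - 257
    if extra_bits >> LENGTH_EXTRA[i]:
        raise DeflateError("extra bits wider than the code allows")
    return LENGTH_BASE[i] + extra_bits


def decode_length_lenient(code, extra_bits=0):
    """The behaviour the advisory describes: 286/287 silently become 0."""
    if code in (286, 287):
        return 0
    return decode_length(code, extra_bits)


def bytes_copied_by_decrement_first_loop(length):
    """Model (assumed shape, not the real pngfilt.dll loop) of a copy loop
    that decrements a 32-bit counter before testing it:
        do { copy one byte } while (--len);
    For length 0 the counter wraps to 0xFFFFFFFF and the loop runs 2**32
    times, far past the end of any heap buffer."""
    return length if length else MASK32 + 1


def copy_match(out, distance, length, capacity):
    """Append a back-reference of `length` bytes starting `distance` bytes
    back, with every check done before a byte is written. Overlapping copies
    (distance < length) are legal in deflate and handled byte by byte."""
    if not 3 <= length <= 258:
        raise DeflateError(f"length {length} outside 3..258")
    if not 1 <= distance <= min(len(out), MAX_DISTANCE):
        raise DeflateError(f"distance {distance} points before the output")
    if len(out) + length > capacity:
        raise DeflateError("match would overrun the output buffer")
    start = len(out) - distance
    for k in range(length):
        out.append(out[start + k])
    return out


def apply_length_code(out, capacity, code, extra_bits, distance):
    """Decode a (length code, distance) pair and copy it, rejecting the
    reserved codes instead of turning them into a zero-length match."""
    return copy_match(out, distance, decode_length(code, extra_bits), capacity)


if __name__ == "__main__":
    print(decode_length_lenient(286), bytes_copied_by_decrement_first_loop(0))
    print(bytes(apply_length_code(bytearray(b"ab"), 16, 259, 0, 2)))
```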

[RHSA-2002:222-21] Updated apache, httpd, and mod_ssl packages available

2002-12-12 Thread bugzilla
-
   Red Hat, Inc. Red Hat Security Advisory

Synopsis:  Updated apache, httpd, and mod_ssl packages available
Advisory ID:   RHSA-2002:222-21
Issue date:2002-12-12
Updated on:2002-11-25
Product:   Red Hat Linux
Keywords:  apache ab mod_ssl xss scoreboard
Cross references:  
Obsoletes: RHSA-2002:103
CVE Names: CAN-2002-0839 CAN-2002-0840 CAN-2002-0843 CAN-2002-1157
-

1. Topic:

Updated apache and httpd packages which fix a number of security issues are
now available for Red Hat Linux 6.2, 7, 7.1, 7.2, 7.3, and 8.0.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - alpha, i386, sparc
Red Hat Linux 7.0 - alpha, i386
Red Hat Linux 7.1 - alpha, i386, ia64
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

The Apache HTTP Web Server is a secure, efficient, and extensible web
server that provides HTTP services.

Buffer overflows in the ApacheBench support program (ab.c) in Apache
versions prior to 1.3.27, and Apache versions 2.x prior to 2.0.43, allow a
malicious Web server to cause a denial of service (DoS) and possibly
execute arbitrary code via a long response.  The Common Vulnerabilities and
Exposures project has assigned the name CAN-2002-0843 to this issue.

Two cross-site scripting (XSS) vulnerabilities are present in the error
pages for the default "404 Not Found" error and for the error response
when a plain HTTP request is received on an SSL port. Both of these issues
are only exploitable if the "UseCanonicalName" setting has been changed to
"Off", and wildcard DNS is in use.  These issues could allow remote
attackers to execute scripts as other webpage visitors, for instance, to
steal cookies. These issues affect versions of Apache 1.3 before 1.3.26,
versions of Apache 2.0 before 2.0.43, and versions of mod_ssl before
2.8.12. (CAN-2002-0840, CAN-2002-1157)

The shared memory scoreboard in the HTTP daemon for Apache 1.3, prior to
version 1.3.27, allows a user running as the "apache" UID to send a
SIGUSR1 signal to any process as root, resulting in a denial of service
(process kill) or other such behavior that would not normally be allowed. 
(CAN-2002-0839).  Note that this issue does not affect Red Hat
Linux 8.0.

All users of the Apache HTTP Web Server are advised to upgrade to the
applicable errata packages.  For Red Hat Linux 6.2, 7, 7.1, 7.2, and 7.3,
these packages include Apache version 1.3.27 which is not vulnerable to
these issues.  For Red Hat Linux 8.0, the fixes have been back-ported and
applied to Apache version 2.0.40.

Note that the instructions in the "Solution" section of this errata contain
additional steps required to complete the upgrade process.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.  

After the errata packages are installed, restart the Web service by running
the following command:

/sbin/service httpd restart

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

74882 - XSS vulnerabilities
76327 - Apache 1.3.27 released fixing multiple security issues

6. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/apache-1.3.27-1.6.2.src.rpm

alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/apache-1.3.27-1.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/apache-devel-1.3.27-1.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/apache-manual-1.3.27-1.6.2.alpha.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/apache-1.3.27-1.6.2.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/apache-devel-1.3.27-1.6.2.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/apache-manual-1.3.27-1.6.2.i386.rpm

sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/apache-1.3.27-1.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/apache-devel-1.3.27-1.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/apache-manual-1.3.27-1.6.2.sparc.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/apache-1.3.27-1.7.1.src.rpm
ftp://updates.redhat.com/7.0/en/os/SRPMS/mod_ssl-2.

Advisory 04/2002: Multiple MySQL vulnerabilities

2002-12-12 Thread Stefan Esser
   e-matters GmbH
  www.e-matters.de

  -= Security  Advisory =-



 Advisory: Multiple MySQL vulnerabilities
 Release Date: 2002/12/12
Last Modified: 2002/12/12
   Author: Stefan Esser [[EMAIL PROTECTED]]

  Application: MySQL <= 3.23.53a, <= 4.0.5a
 Severity: Several vulnerabilities within (lib)MySQL could
   allow (remote) compromise of client and/or server.
 Risk: Medium to critical
Vendor Status: Vendor released MySQL 3.23.54
Reference: http://security.e-matters.de/advisories/042002.html



Overview:

   We have discovered two flaws within the MySQL server that can be used
   by any MySQL user to crash the server. Furthermore one of the flaws can
   be used to bypass the MySQL password check or to execute arbitrary code
   with the privileges of the user running mysqld.
   
   We have also discovered an arbitrary size heap overflow within the mysql
   client library and another vulnerability that allows writing '\0' to any
   memory address. Both flaws could allow DOS attacks against or arbitrary
   code execution within anything linked against libmysqlclient.
 

Details:
   
   While auditing the MySQL sourcetree we discovered several bugs within
   the MySQL client and server that are listed below:
   

   +++ SERVER +++ COM_TABLE_DUMP - Signed Integer Vulnerability
   
   When handling the COM_TABLE_DUMP packet MySQL < 4.x takes two chars
   from the packet, casts them directly to unsigned integers and uses
   them as length parameters for memcpy. Obviously negative values within
   the chars will turn into very big unsigned numbers. Because this is a 
   heap to heap copy operation and there is no memory allocating function
   within the SIGSEGV handler we strongly believe this bug can only be used
   for denial of service attacks. Depending on the packet mysqld will 
   directly crash or hang in an endless loop of segmentation faults. 
   This was tested against Windows, Linux and FreeBSD systems.
   
   
   +++ SERVER +++ COM_CHANGE_USER - Password Length Vulnerability
   
   In February 2000 Robert van der Meulen discovered a flaw within the
   main password authentication system of MySQL: The MySQL challenge 
   response algorithm creates an expected response with exactly the 
   length of the response provided by the client. So if the client sends
   only a one char response MySQL will check only one byte. But this
   means it is possible to give the correct response with only 32 tries
   (because the charset is only 32 chars big). When this bug was fixed
   in 2000 the MySQL authors simply added a check in the server that the
   response must be 8 chars long. However they forgot to add this check
   to the COM_CHANGE_USER command, too. So it is still possible for an
   attacker with a valid mysql-account to compromise the other accounts
   that are allowed to login from the same host. For a local user this
   means he can break into the mysql root account and so compromise all
   databases. This is especially dangerous in a shared environment or if
   the root user is allowed to login from other hosts than localhost.
   While the attacker can supply a one byte response to break into the
   other accounts he can also send an oversized one. If the response is
   longer than 16 chars the internally created expected answer overflows
   a stack buffer. If the response is long enough it is possible to
   overwrite the saved instruction pointer with bytes that are generated
   by the random number generator of the password verification algorithm.
   While this sounds hard or impossible to exploit, we successfully
   exploited this bug on our Linux machines. Due to the fact that mysql
   restarts on crash you have unlimited tries. Because of the limited
   set of characters generated by the random number generator we strongly
   believe that this bug is not exploitable on Windows, because it
   is not possible to overwrite the instruction pointer with valid
   controllable addresses.
   
   
   +++ CLIENT +++ libmysqlclient read_rows Overflow
   
   When the MySQL client library receives answer rows from the server it
   wants to copy the answers into another buffer. Therefore it loops
   through the returned fields and copies them to the other location.
   This is done without actually checking if the stored field sizes are
   within the destination buffer boundaries. Additionally there is also a
   terminating '\0' added to the end of all fields without checking for
   enough space within the destination buffer. Due to the fact that this
   bug gets already triggered by a simple SELECT query anything that is
   linked against libmysql is potentially vulnerable. Due to the nature 
   of this bug it is trivial to use it as a denial of service attack against
   the client applications (A negative fieldsize will do the job). If it
   possible to use this overflow to execute code on th
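An added model of the password-length check discussed in the COM_CHANGE_USER section (written for this digest, not MySQL's source): the scramble derivation is a constructed stand-in, but the checking logic follows the advisory, the legacy check compares only as many characters as the client sent while the fixed check requires the full-length response before building or comparing anything.

```python
"""
Legacy versus fixed response check, modelled on the advisory above.
The 32-character response alphabet and 8-character response length are the
advisory's figures; the derivation itself is a constructed stand-in.
"""
import hashlib

SCRAMBLE_LENGTH = 8
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"   # 32 characters wide


def expected_response(password, salt, length):
    """Constructed stand-in for the server-side expected response: derive
    `length` characters over the 32-char alphabet from password and salt.
    Not MySQL's algorithm; only the length behaviour matters here."""
    digest = hashlib.sha256(f"{salt}:{password}".encode()).digest()
    return "".join(ALPHABET[b & 31] for b in digest[:length])


def check_legacy(password, salt, client_response):
    """Flawed check: the expected answer is built with exactly the length
    of what the client sent, so a one-character response leaves only
    len(ALPHABET) == 32 candidates to try. An oversized response would also
    drive the size of the internally built answer (the stack overflow the
    advisory describes); in this model it merely costs nothing."""
    if not client_response:           # assumed: an empty response is refused
        return False
    expected = expected_response(password, salt, len(client_response))
    return client_response == expected


def check_fixed(password, salt, client_response):
    """The check the advisory says was added to the login handshake in 2000
    and was missing from COM_CHANGE_USER: enforce the full response length
    first, so neither a short prefix nor an oversized response reaches the
    comparison or the buffer that holds the expected answer."""
    if len(client_response) != SCRAMBLE_LENGTH:
        return False
    expected = expected_response(password, salt, SCRAMBLE_LENGTH)
    return client_response == expected


def candidate_count(response_length):
    """Size of the search space for a response of the given length."""
    return len(ALPHABET) ** response_length


if __name__ == "__main__":
    full = expected_response("s3cret", "constructed-salt", SCRAMBLE_LENGTH)
    print(check_legacy("s3cret", "constructed-salt", full[:1]),
          check_fixed("s3cret", "constructed-salt", full[:1]))
```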

CERT Advisory CA-2002-35 Vulnerability in RaQ 4 Servers (fwd)

2002-12-12 Thread Muhammad Faisal Rauf Danka
-BEGIN PGP SIGNED MESSAGE- 


CERT Advisory CA-2002-35 Vulnerability in RaQ 4 Servers 


   Original release date: December 11, 2002 
   Last revised: -- 
   Source: CERT/CC 


   A complete revision history can be found at the end of this file. 


Systems Affected 


 * Sun Cobalt RaQ 4 Server Appliances with the Security Hardening 
   Package installed 


Overview 


   A remotely exploitable vulnerability has been discovered in Sun Cobalt 
   RaQ 4 Server Appliances running Sun's Security Hardening Package 
   (SHP). Exploitation of this vulnerability may allow remote attackers 
   to execute arbitrary code with superuser privileges. 


I. Description 


   Cobalt RaQ 4 is a Sun Server Appliance. For background information on 
   Cobalt RaQ 4, please see the COBALT RaQ 4 User Manual. Sun provides a 
   Security Hardening Package (SHP) for Cobalt RaQ 4. Although the SHP is 
   not installed by default, many users choose to install it on their RaQ 
   4 servers. For background information on the SHP, please see the SHP 
   RaQ 4 User Guide. 


   A vulnerability in the SHP may allow a remote attacker to execute 
   arbitrary code on a Cobalt RaQ 4 Server Appliance. The vulnerability 
   occurs in a cgi script that does not properly filter input. 
   Specifically, overflow.cgi does not adequately filter input destined 
   for the email variable. Because of this flaw, an attacker can use a 
   POST request to fill the email variable with arbitrary commands. The 
   attacker can then call overflow.cgi, which will allow the command the 
   attacker filled the email variable with to be executed with superuser 
   privileges. 


   An exploit is publicly available and may be circulating. 


   Further information about this vulnerability may be found in VU#810921 
   in the CERT/CC Vulnerability Notes Database. 


II. Impact 


   A remote attacker may be able to execute arbitrary code on a Cobalt 
   RaQ 4 Server Appliance with the SHP installed. 


III. Solution 


Apply a patch from your vendor 


   Appendix A contains information provided by vendors for this advisory. 
   As vendors report new information to the CERT/CC, we will update this 
   section and note the changes in our revision history. If a particular 
   vendor is not listed below, we have not received their comments. 
   Please contact your vendor directly. 


Workarounds 


   Block access to the Cobalt RaQ 4 administrative httpd server 
   (typically ports 81/TCP and 444/TCP) at your network perimeter. Note 
   that this will not protect vulnerable hosts within your network 
   perimeter. It is important to understand your network configuration 
   and service requirements before deciding what changes are appropriate. 


Caveats 


   The patch supplied by Sun removes the SHP completely. If your 
   operation requires the use of the SHP, you may need to find a suitable 
   alternative. 


Appendix A. - Vendor Information 


Sun Microsystems 


   Sun confirms that a remote root exploit does affect the Sun/Cobalt 
   RaQ4 platform if the SHP (Security Hardening Patch) patch was 
   installed. 


   Sun has released a Sun Alert which describes how to remove the SHP 
   patch: 


   http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/49377 


   The removal patch is available from: 


 http://ftp.cobalt.sun.com/pub/packages/raq4/eng/RaQ4-en-Security-2.0.1-SHP_REM.pkg 


Appendix B. - References 


1. CERT/CC Vulnerability Note: VU#810921 - http://www.kb.cert.org/vuls/id/810921 
2. Sun SHP RaQ 4 User Guide - 
http://www.sun.com/hardware/serverappliances/pdfs/support/RaQ_4_SHP_UG.pdf 
3. COBALT RaQ 4 User Manual - 
http://www.sun.com/hardware/serverappliances/pdfs/manuals/manual.raq4.pdf 
 _ 


   [EMAIL PROTECTED] publicly reported this vulnerability. 
 _ 


   Author: Ian A. Finlay. 
   __ 


   This document is available from: 
   http://www.cert.org/advisories/CA-2002-35.html 
   __ 


CERT/CC Contact Information 


   Email: [EMAIL PROTECTED] 
  Phone: +1 412-268-7090 (24-hour hotline) 
  Fax: +1 412-268-6989 
  Postal address: 
  CERT Coordination Center 
  Software Engineering Institute 
  Carnegie Mellon University 
  Pittsburgh PA 15213-3890 
  U.S.A. 


   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / 
   EDT(GMT-4) Monday through Friday; they are on call for emergencies 
   during other hours, on U.S. holidays, and on weekends. 


Using encryption 


   We strongly urge you to encrypt sensitive information sent by email. 
   Our public PGP key is available from 
   http://www.cert.org/CERT_PGP.key 


   If you prefer to use DES, please call the CERT hotline for more