Re: PROBLEMS WITH WINDOWS SHORTCUTS

2003-03-17 Thread Alexander Kiwerski
Verified on Windows XP Pro SP1.  Crashes Explorer every time.

/Alex Kiwerski

At 05:19 AM 3/15/2003 -0800, S G Masood wrote:

PROBLEMS WITH WINDOWS SHORTCUTS

==
Topic: Problems with Windows Shortcuts
Tested With: Windows 98, Windows 2000 Server
Author: S.G.Masood ([EMAIL PROTECTED])
==

DESCRIPTION:

There is a problem with the way Windows (tested with Win98 and Win2k Server)
handles shortcut (.lnk) files. A specially crafted shortcut will crash
explorer.exe/shell32.dll. A shortcut, say, A.lnk is created and it is made to
point to another shortcut B.lnk. Then, B.lnk is made to point to A.lnk. Now
when the folder containing these two files is viewed or accessed in any way,
explorer crashes.



AOL's Billion SPAM March on Cyberspace

2003-03-17 Thread Jason Coombs
Aloha, Lonnie.

Your article: "ISPs Seek Bigger Mallet To Eliminate Spammers" caught my
attention.
http://www.theledger.com/apps/pbcs.dll/section?Category=COLUMNISTS0203

I'm an information security and computer forensics expert with detailed
technical knowledge of SPAM and the technology employed by spammers.
Recently I authored a report on SPAM delivery via AOL -- where a spammer
gains access to the Internet for the purpose of delivering SPAM to other
people elsewhere on the Internet. Considering the topic of your recent
article for The Ledger, I thought you'd be interested in reading this
report.

AOL is being ridiculous when they suggest that their billion SPAM march on
cyberspace does any good whatsoever. In fact, AOL is being downright
deceptive in their assertion that blocking inbound SPAM on behalf of their
subscribers who use @aol.com e-mail addresses is a virtue: AOL blocks SPAM
sent to their subscribers without AOL's permission (paid 'advertisements'
are sent to AOL subscribers with AOL's full support) but AOL does NOT block
SPAM that AOL users send to people who use OTHER ISP's e-mail services.

AOL may as well capture those billion SPAM messages and relay them to
non-AOL subscribers because this is exactly what the end-result is of AOL's
alleged attempts to curtail SPAM. AOL has positioned themselves to be a
facilitator of SPAM transmission to non-AOL subscribers while simultaneously
trumpeting their technical triumph over SPAM that originates elsewhere on
the Internet and is destined for an AOL subscriber's mailbox.

Your readers would be interested to know that anyone with an AOL account can
send SPAM to any other AOL account and AOL will NOT block it. On the other
hand, some ISPs are now blocking ALL e-mail that originates from AOL because
of these very issues.

Sincerely,

Jason Coombs
[EMAIL PROTECTED]

--

A Report on SPAM Blackholes, Blocking/Filtering, and AOL

For the last month I have purposefully used AOL for SMTP server mail relay
in order to analyze the real-world impact of blackhole lists. AOL not only
does not block outbound SMTP from dialup customers, they operate a
transparent proxy farm that intercepts all outbound SMTP traffic and
intentionally relays this traffic on to its intended recipient (but not its
intended SMTP relay point -- you can configure ANY remote IP address as your
SMTP server and AOL's proxy farm will still do your delivery for you based
on the MX records present in the destination domain, you need not find an
open mail relay to exploit nor set up authorized/authenticated SMTP service
with any third-party service provider in order to relay SPAM through dial-up
AOL Internet service).

The results have been quite interesting. To summarize, only a few of my
outbound e-mails have been blocked by blackhole sites in the last month. All
e-mail sent to mailing lists such as bugtraq has gone through successfully.
Every rejected message has been returned to me with an explanation (thank
you, blackhole-enabled servers, your deterministic failure mode made this
experiment possible because I didn't have to worry about whether my e-mail
simply disappeared silently and could take corrective action to see that my
recipient received my message through other channels).

The most interesting failure I encountered was to my own domains. For e-mail
service we use a third-party service provider, the same provider who does
our Web hosting on Linux-based servers running Ensim (www.ensim.com). By
default our service provider refuses all inbound mail delivery based on a
blocking filter rule (not a blackhole service). This blocking filter
considers ALL e-mail from AOL to be SPAM and refuses it. This isn't just
e-mail relayed from a dial-up address block, this is ALL AOL e-mail. No user
of AOL was able to send e-mail to our domains until we requested that
inbound filtering be disabled.

It's also interesting to note that my Reporting-MTA FQDN
"mail.jasoncoombs.com" does NOT have an A record or a PTR or any other DNS
records associated with it. This doesn't bother AOL's SMTP proxy farm, and
it likewise did not bother a single SMTP server that relayed or received my
e-mail during this test.

My conclusion is that blackhole servers and filtering are a terrible way to
deal with the problem of SPAM. Few people actually benefit from these
techniques. They introduce unnecessary deterministic failure rather than
unnecessary nondeterministic failure; therefore they offer their own helpful
work-around instructions. By informing the sender that their e-mail did not
go through, they automatically ("oracle"-like) produce a comprehensive list
of target domains that are protected by blackhole services -- a list that
any spammer would use to relay SPAM from a different point of presence.

Blackhole-enabled services should switch to a non-deterministic failure mode
that silently kills e-mail delivery. This would have a far greater effect,
and it would prevent spammers from easily discovering the extent 

CERT Advisory CA-2003-09 Buffer Overflow in Microsoft IIS 5.0 (fwd)

2003-03-17 Thread Dave Ahmad


David Mirza Ahmad
Symantec

"sabbe dhamma anatta"

0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12

CERT Advisory CA-2003-09 Buffer Overflow in Microsoft IIS 5.0

   Original issue date: March 17, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

 * Systems running Microsoft Windows 2000 with IIS 5.0 enabled

Overview

   A buffer overflow vulnerability exists in Microsoft IIS 5.0 running on
   Microsoft Windows 2000. IIS 5.0 is installed and running by default on
   Microsoft  Windows 2000 systems. This vulnerability may allow a remote
   attacker to run arbitrary code on the victim machine.

   An  exploit  is  publicly  available  for  this  vulnerability,  which
   increases the urgency that system administrators apply a patch.

I. Description

   IIS  5.0 includes support for WebDAV, which allows users to manipulate
   files   stored   on   a   web  server  (RFC2518).  A  buffer  overflow
   vulnerability  exists  in ntdll.dll (a portion of code utilized by the
   IIS  WebDAV  component).  By sending a specially crafted request to an
   IIS  5.0  server, an attacker may be able to execute arbitrary code in
   the  Local  System  security  context, essentially giving the attacker
   complete control of the system.

   Microsoft   has   issued   the   following   bulletin  regarding  this
   vulnerability:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-007.asp

   This  vulnerability  has been assigned the identifier CAN-2003-0109 by
   the Common Vulnerabilities and Exposures (CVE) group:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0109

II. Impact

   Any  attacker  who can reach a vulnerable web server can gain complete
   control  of  the system and execute arbitrary code in the Local System
   security  context.  Note  that  this may be significantly more serious
   than a simple "web defacement."

III. Solution

Apply a patch from your vendor

   A patch is available from Microsoft at

http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en

Disable vulnerable service

   Until  a  patch  can  be  applied,  you  may  wish  to disable IIS. To
   determine if IIS is running, Microsoft recommends the following:

   Go to Start | Settings | Control Panel | Administrative Tools | Services.

   If the World Wide Web Publishing service is listed, then IIS is
   installed.

   To  disable  IIS,  run  the  IIS lockdown tool. This tool is available
   here:
   
http://www.microsoft.com/downloads/release.asp?ReleaseID=43955

   If  you  cannot  disable  IIS, consider using the IIS lockdown tool to
   disable  WebDAV (removing WebDAV can be specified when running the IIS
   lockdown tool). Alternatively, you can disable WebDAV by following the
   instructions located in Microsoft's Knowledgebase Article 241520, "How
   to Disable WebDAV for IIS 5.0":

http://support.microsoft.com/default.aspx?scid=kb;en-us;241520

Restrict buffer size

   If  you  cannot  use  either  IIS  lockdown  tool or URLScan, consider
   restricting the size of the buffer IIS utilizes to process requests by
   using  Microsoft's URL Buffer Size Registry Tool. This tool can be run
   against  a  local  or  remote Windows 2000 system running Windows 2000
   Service Pack 2 or Service Pack 3. The tool, instructions on how to use
   it,  and  instructions on how to manually make changes to the registry
   are available here:

URL Buffer Size Registry Tool - http://go.microsoft.com/fwlink/?LinkId=14875
 
Microsoft Knowledge Base Article 816930 - 
http://support.microsoft.com/default.aspx?scid=kb;en-us;816930

Microsoft Knowledge Base Article 260694 - 
http://support.microsoft.com/default.aspx?scid=kb;en-us;260694

   You  may  also wish to use URLScan, which will block web requests that
   attempt  to  exploit  this vulnerability. Information about URLScan is
   available at:
   
http://support.microsoft.com/default.aspx?scid=kb;[LN];326444

Appendix A. Vendor Information

   This  appendix  contains information provided by vendors. When vendors
   report  new  information,  this section is updated and the changes are
   noted  in  the  revision  history. If a vendor is not listed below, we
   have not received their comments.

Microsoft Corporation

 Please see Microsoft Security Bulletin MS03-007.

   Author: Ian A. Finlay

   This document is available from:
   http://www.cert.org/advisories/CA-2003-09.html

CERT/CC Contact Information

   Email: [EMAIL PROTECTED]
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   

[Sorcerer-spells] SAMBA-SORCERER2003-03-17

2003-03-17 Thread Michael Walton

-- 
Michael Walton

Asst-Manager Tech Support
[EMAIL PROTECTED]

(915)677-7900

Sorcerer Update Advisory
  Tap Into the Source




Source Name: samba-2.2.8
Advisory ID: SORCERER2003-03-17
Date:        March 17th, 2003


Problem Description:
A flaw has been detected in the Samba main smbd code that could
allow an external attacker to remotely and anonymously gain
super user access on the server running the Samba server.
Present in Samba 2.0.x to 2.2.7a.

Update:
Sources have been updated to the latest version.


Updated Sources:  samba-2.2.8




Recommendation:
augur synch && augur update





Contacts:

Email:     [EMAIL PROTECTED]
Mail List: https://lists.berlios.de/mailman/listinfo/sorcerer-spells
Web:       http://sorcerer.wox.org
Irc:       irc://irc.freenode.net #sorcerer


PHP-Nuke 5.5 and 6.0: Path Disclosure

2003-03-17 Thread Rynho Zeros Web
+  Product -> PHP-Nuke
+  Version -> 5.5, 6.0 (other versions not tested yet)
+  Website -> http://www.phpnuke.org
+ Problems -> Path Disclosure

+ Explanation:
The fault occurs in the file print.php, which is included by the modules
'News' and 'AvantGo'. The script checks that the variable $sid exists, but
its content is not validated: if it is NULL or does not correspond to an
article in the database, an error is generated.

+ Exploit: This vulnerability may be exploited by accessing one of the
following vulnerable scripts:

http://www.target.x/modules.php?name=AvantGo&file=print&sid=
http://www.target.x/modules.php?name=News&file=print&sid=
http://www.target.x/modules.php?name=AvantGo&file=print&sid=[Any_Text]
http://www.target.x/modules.php?name=News&file=print&sid=[Any_Text]

[..]
Another one bug also has been found in "Forums" (Splatt Forums
3.2)
module:

http://www.target.x/modules.php?op=modload&name=Forums&file=attachment&AtchOp=show
[..]

+ Path AvantGo & News only:

http://www.rynhozeros.com.ar/files/site/own/fixes/PHPNuke6.0_5.5_etc.zip

-- 
XyBØrG
WebMaster de:
www.RZWEB.com.ar
Powered By Dattatec.Com




Re: qpopper timing analysis on to determine if a username exists on a system

2003-03-17 Thread Waldo Nell
Hi,

I have tested this on my qpopper 4.0.5 - and I get this response no matter 
from which host I test (even localhost):

sun waldo # ./poptest mail.XXX.net gert
Validating username gert , please stand by..
Disconnected after 119.993 seconds.
User "gert" is probably a valid user

But that user is not a valid user. I have APOP authentication on and required, 
thus the pop server responded with

You must use TLS/SSL or stronger authentication such as APOP to connect to 
this server

Maybe this is a temporary solution? Or maybe the issue was fixed in 4.0.5?

Regards,
- Waldo

On Saturday 15 March 2003 21:13, Dennis Lubert wrote:
> Hello,
>
> during development of a pop3 tool I found an issue that makes it possible
> for any user to check the validity of a user on a target system. If a user
> is valid and an invalid password has been supplied, then the system waits
> ~10 seconds until it sends a disconnect message and disconnects. If the
> username was not correct, then it disconnects immediately after the wrong
> password.
>
> This makes it possible to scan a server for valid users, to generate spam
> sending lists, or to check a username for another kind of attack.
>
> Tested against qpopper 3.1 and 4.0.4, others might be affected as well.
>
> Attached is the source code for a program that will do a simple check on a
> pop3 server. Additionally qpopper will also return an answer if the
> username supplied has a UID < 100 (< 10 for 3.1), which will also be
> checked.
>
> The fix should be simple, there must be a usleep() call or similar that
> should either be deleted, or added also to the part where the username was
> not correct.
>
> greets
>
> Dennis
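
The behaviour Dennis describes and the fix he proposes, as an added Python example that is not part of this thread or of qpopper's code: a PASS handler that pauses only for known users beside one that pauses on every failure. The account table and the 50 ms delay are constructed for the demo (the report measured ~10 s).

```python
import hmac
import time

# Constructed account table (username -> password); not real credentials.
_ACCOUNTS = {"alice": "s3cret-pass", "bob": "another-one"}

# Pause before answering -ERR to a wrong password. The report measured
# ~10 s in qpopper; scaled down here so the demo runs quickly.
FAIL_DELAY = 0.05


def pass_leaky(user, password):
    """PASS handler with the behaviour the report describes: the pause is
    applied only when the username exists, so the time to the -ERR reply
    tells the client whether the account is real.
    Returns (authenticated, seconds_paused)."""
    stored = _ACCOUNTS.get(user)
    if stored is None:
        return False, 0.0             # unknown user: immediate -ERR
    if password != stored:
        time.sleep(FAIL_DELAY)        # known user, wrong password: pause
        return False, FAIL_DELAY
    return True, 0.0


def pass_uniform(user, password):
    """Hardened PASS handler: every failure takes the same path and the same
    pause whether or not the username exists, which is the fix the report
    suggests (apply the sleep to the unknown-user branch as well)."""
    stored = _ACCOUNTS.get(user)
    # Always run a fixed-time comparison; a dummy stands in for the
    # password of a non-existent account.
    candidate = stored if stored is not None else "\0" * len(password)
    same = hmac.compare_digest(password.encode(), candidate.encode())
    if stored is None or not same:
        time.sleep(FAIL_DELAY)
        return False, FAIL_DELAY
    return True, 0.0


def leaks_username(handler):
    """True when a wrong password against a known and an unknown username
    is answered with different pauses, i.e. the handler is a user oracle."""
    _, known = handler("alice", "wrong-password")
    _, unknown = handler("nobody", "wrong-password")
    return known != unknown


def measured_gap_ms(handler, trials=3):
    """Wall-clock form of the same check: mean failure time for a known
    user minus that for an unknown one, in milliseconds."""
    def mean_ms(user):
        start = time.perf_counter()
        for _ in range(trials):
            handler(user, "wrong-password")
        return 1000 * (time.perf_counter() - start) / trials
    return mean_ms("alice") - mean_ms("nobody")


if __name__ == "__main__":
    for name, handler in (("leaky", pass_leaky), ("uniform", pass_uniform)):
        print(f"{name:8s} user oracle: {leaks_username(handler)!s:5s} "
              f"timing gap: {measured_gap_ms(handler):6.1f} ms")
```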



MDKSA-2003:032 - Updated samba packages fix remote root vulnerability

2003-03-17 Thread Mandrake Linux Security Team



Mandrake Linux Security Update Advisory


Package name:   samba
Advisory ID:MDKSA-2003:032
Date:   March 15th, 2003

Affected versions:  8.0, 8.1, 8.2, 9.0, Corporate Server 2.1,
Multi Network Firewall 8.2


Problem Description:

 The SuSE security team, during an audit of the Samba source code, found
 a flaw in the main smbd code which could allow an external attacker to
 remotely and anonymously gain root privilege on a system running the
 Samba server.  This flaw exists in all versions of Samba 2.x up to and
 including 2.2.7a.  The Samba team announced 2.2.8 today, however these
 updated packages include a patch that corrects this problem.
 
 MandrakeSoft urges all users to upgrade immediately.  If you are unable
 to apply the updated packages (perhaps due to unavailability on your
 preferred mirror), the following steps can be taken to protect an
 unpatched system:
 
 The "hosts allow" and "hosts deny" options in the smb.conf file can
 be used to allow access to your Samba server by only selected hosts; for
 example:
 
hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
hosts deny  = 0.0.0.0/0
 
 This will disallow all connections from machines that are not the 
 localhost or in the 192.168.2 and 192.168.3 private networks.
 Alternatively, you can tell Samba to listen to only specific network
 interfaces by using the "interfaces" and "bind interfaces only"
 options:
 
   interfaces = eth1 lo
   bind interfaces only = yes
 
 Obviously, use the internal interface for your network and not an
 external interface connected to the internet.  You may also choose to
 firewall off some UDP and TCP ports in addition to the previously
 mentioned suggestions by blocking external access to ports 137 and 138
 (UDP) and ports 139 and 445 (TCP).
 
 These steps should only be used as a temporary preventative measure
 and all users should upgrade as quickly as possible.
 
 Thanks to Sebastian Krahmer and the SuSE security team for performing
 the audit, Jeremy Allison for providing the fix, and Andrew Tridgell
 for providing advice on how to protect an unpatched Samba system.


References:
  
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0085
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0086
  http://www.samba.org/samba/whatsnew/samba-2.2.8.html


Updated Packages:
  
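
The "hosts allow"/"hosts deny" workaround above, worked through as an added Python example (not Mandrake's or Samba's code): it parses the two options from an smb.conf fragment and decides whether a client address is admitted, covering the advisory's address forms plus Samba's dotted-netmask and trailing-dot prefix forms. The list precedence it applies (allow entries win over deny entries; a host on neither list is admitted when both lists are set) is stated as an assumption about Samba's documented behaviour; Samba's loopback special case and hostname entries are left out.

```python
import ipaddress
import re

# The smb.conf fragment from the advisory, embedded as constructed input.
SMB_CONF = """
[global]
   workgroup = MYGROUP
   hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
   hosts deny  = 0.0.0.0/0
"""

_HOSTS_LINE = re.compile(r"^\s*hosts\s+(allow|deny)\s*=\s*(.*?)\s*$", re.I)


def parse_host_lists(conf):
    """Return (allow_tokens, deny_tokens) read from an smb.conf text."""
    allow, deny = [], []
    for line in conf.splitlines():
        m = _HOSTS_LINE.match(line)
        if not m:
            continue
        tokens = [t for t in re.split(r"[\s,]+", m.group(2)) if t]
        (allow if m.group(1).lower() == "allow" else deny).extend(tokens)
    return allow, deny


def to_network(token):
    """Turn one list entry into an ip_network: 192.168.2.0/24,
    192.168.2.0/255.255.255.0, a bare address (a /32), 0.0.0.0/0, or the
    trailing-dot prefix form 192.168.2. (meaning 192.168.2.0/24)."""
    if token.endswith("."):
        octets = token[:-1].split(".")
        if not 1 <= len(octets) <= 3 or not all(o.isdigit() for o in octets):
            raise ValueError("bad prefix entry: %r" % token)
        base = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network("%s/%d" % (base, 8 * len(octets)))
    return ipaddress.ip_network(token, strict=False)


def list_match(tokens, client):
    """True when the client address falls inside any entry of the list."""
    return any(client in to_network(t) for t in tokens)


def is_allowed(client_ip, allow, deny):
    """Decide admission with the assumed precedence: no lists -> admit;
    allow only -> admit listed hosts only; deny only -> admit everything
    not listed; both -> an allow match wins, then a deny match refuses,
    and a host on neither list is admitted."""
    client = ipaddress.ip_address(client_ip)
    if not allow and not deny:
        return True
    if not deny:
        return list_match(allow, client)
    if not allow:
        return not list_match(deny, client)
    if list_match(allow, client):
        return True
    if list_match(deny, client):
        return False
    return True


def check(conf, client_ip):
    """Parse conf and decide for one client address."""
    allow, deny = parse_host_lists(conf)
    return is_allowed(client_ip, allow, deny)


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.2.15", "192.168.4.1", "203.0.113.9"):
        print("%-15s -> %s" % (ip, "allowed" if check(SMB_CONF, ip) else "denied"))
```

Because a host on neither list is admitted when both lists are present, the explicit catch-all "hosts deny = 0.0.0.0/0" in the advisory is what turns the allow list into a strict whitelist regardless of how the lists interact.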

[SCSA-010] Path Disclosure & Cross Site Scripting Vulnerability in MyABraCaDaWeb

2003-03-17 Thread Grégory




Security Corporation Security Advisory [SCSA-010]


PROGRAM: MyABraCaDaWeb
HOMEPAGE: http://www.webmaster-mag.net/
VULNERABLE VERSIONS: v1.0.2 and prior


DESCRIPTION


MyABraCaDaWeb is another Content Management System, like PHP-Nuke.

More information at:
http://www.webmaster-mag.net/?module=pages@@myabracadaweb_pr (In French)


DETAILS & EXPLOITS



¤ Path Disclosure :

Some vulnerabilities have been found in MyABraCaDaWeb which allow attackers
to determine the physical path of the application.


This vulnerability would allow a remote user to determine the full path to
the web root directory and other potentially sensitive information. 

This vulnerability can be triggered by a remote user submitting a 
specially crafted HTTP request, such as a request for an invalid Admin ID.


Exploits :

http://[target]/index.php?IDAdmin=test

http://[target]/index.php?base=test

http://[target]/index.php?tampon=test

http://[target]/index.php?SqlQuery=test

etc...

---

¤ Cross Site Scripting :

A Cross-Site Scripting vulnerability has been found in MyABraCaDaWeb which
allows attackers to inject script code into the search script and use
it in clients' browsers as if it were provided by the site.

This Cross-Site Scripting vulnerability is found in the page for searching
by keyword.

An attacker can input specially crafted links and/or other malicious
scripts.



Exploit :

http://[target]/index.php?module=pertinance&ma_ou=[modules]&ma_kw=[hostile_code]

The module could be : "annuaire2liens"

The hostile code could be :
[script]alert("Cookie="+document.cookie)[/script]

(open a window with the cookie of the visitor.)

(replace [] by <>)

Vulnerable code "header.php" :


//--- Report creation
$vtp_p = new VTemplate;
$tpl_p = $vtp_p->Open("modules/pertinance/tpl/rapport.tpl");
$vtp_p->addSession($tpl_p,"rapport");
// The request-supplied search keyword is placed in the template as-is;
// nothing encodes it for HTML, which is the XSS the advisory reports.
$vtp_p->setVar($tpl_p,"rapport.ma_kw",$ma_kw);
$vtp_p->setVar($tpl_p,"rapport.NbMotCle",$NbMotCle);
$vtp_p->setVar($tpl_p,"rapport.T3",$T3);
$vtp_p->setVar($tpl_p,"rapport.NbLiens",$NbLiens);
if(quel_groupe() == 4){
    // Only the SQL shown to group 4 is encoded, not the keyword above.
    $sql = htmlentities($sql);
    $sql = addslashes($sql);
    $vtp_p->addSession($tpl_p,"sql");
    $vtp_p->setVar($tpl_p,"sql.sql",$sql);
    $vtp_p->closeSession($tpl_p,"sql");
}
$vtp_p->closeSession($tpl_p,"rapport");
$Raport = $vtp_p->Display($tpl_p,0);




SOLUTIONS


¤ Path Disclosure :

No solution for the moment.

¤ Cross Site Scripting :

You can find a patch at the following link:

http://www.security-corporation.com/download/patch/MyABraCaDaWebv1.0.2XSSpatch.zip

For example use this code in "header.php":


//--- Report creation

# BugFix by Gregory LEBRAS www.security-corporation.com

// Blacklist filter: each listed token in the search keyword is mangled
// (wrapped in "!" or broken with a ".") before $ma_kw reaches the template.
$ma_kw =
eregi_replace("content-disposition:","!content-disposition:!",$ma_kw);
$ma_kw = eregi_replace("include","!include!",$ma_kw);
$ma_kw = eregi_replace("\<\?","<.?",$ma_kw);
$ma_kw = eregi_replace("\?\p\h\p",".?php",$ma_kw);
$ma_kw = eregi_replace("\?\>","?.>",$ma_kw);
// Pattern restored here: the closing script tag was stripped from the
// posted copy, leaving an empty pattern.
$ma_kw = eregi_replace("\<\/script\>","<./script>",$ma_kw);
$ma_kw = eregi_replace("javascript","!javascript!",$ma_kw);
$ma_kw = eregi_replace("embed","!embed!",$ma_kw);
$ma_kw = eregi_replace("iframe","!iframe!",$ma_kw);
$ma_kw = eregi_replace("refresh","!refresh!",$ma_kw);
$ma_kw = eregi_replace("onload","!onload!",$ma_kw);
$ma_kw = eregi_replace("onstart","!onstart!",$ma_kw);
$ma_kw = eregi_replace("onerror","!onerror!",$ma_kw);
$ma_kw = eregi_replace("onabort","!onabort!",$ma_kw);
$ma_kw = eregi_replace("onblur","!onblur!",$ma_kw);
$ma_kw = eregi_replace("onchange","!onchange!",$ma_kw);
$ma_kw = eregi_replace("onclick","!onclick!",$ma_kw);
$ma_kw = eregi_replace("ondblclick","!ondblclick!",$ma_kw);
$ma_kw = eregi_replace("onfocus","!onfocus!",$ma_kw);
$ma_kw = eregi_replace("onkeydown","!onkeydown!",$ma_kw);
$ma_kw = eregi_replace("onkeypress","!onkeypress!",$ma_kw);
$ma_kw = eregi_replace("onkeyup","!onkeyup!",$ma_kw);
$ma_kw = eregi_replace("onmousedown","!onmousedown!",$ma_kw);
$ma_kw = eregi_replace("onmousemove","!onmousemove!",$ma_kw);
$ma_kw = eregi_replace("onmouseover","!onmouseover!",$ma_kw);
$ma_kw = eregi_replace("onmouseout","!onmouseout!",$ma_kw);
$ma_kw = eregi_replace("onmouseup","!onmouseup!",$ma_kw);
$ma_kw = eregi_replace("onreset","!onreset!",$ma_kw);
$ma_kw = eregi_replace("onselect","!onselect!",$ma_kw);

S21SEC-011 - Multiple vulnerabilities in BEA WebLogic Server

2003-03-17 Thread Lluis Mora
###
ID: S21SEC-011-en
Title: Multiple vulnerabilities in BEA WebLogic Server
Date: 7/01/2003
Status: Patch published
Scope: Remote command execution
Platforms: Linux, Windows 2000, probably others
Author: llmora
Location: http://www.s21sec.com/en/avisos/s21sec-011-en.txt
Release: Public
###

S 2 1 S E C

   http://www.s21sec.com

   Multiple vulnerabilities in BEA WebLogic Server


About BEA WebLogic Server
-
WebLogic Server is a quite extended BEA J2EE applications server
(http://www.bea.com).

Vulnerabilities description
---
WebLogic offers a web management console through which you can manage the
web server contents, load servlets, etc. One of the functionalities it
offers is that you can upload files to the remote server for its
publication.

The process in charge of managing the file upload validates the user
credentials and then calls an internal weblogic servlet to upload the file,
which does not require any authentication. This internal servlet can be
publicly accessed and therefore it is possible to upload files to the
server without any kind of authentication.

Files can be uploaded to any location in the remote server, not limited to
the tree of WebLogic directories (in Windows 2000 it is possible to upload
files to any disk drive).

If you know the directory where the Weblogic server applications have been
installed (such as in a default installation) there is the possibility to
upload a malicious application that will allow an attacker to execute
commands with the permissions of the user executing the Weblogic server.


Additionally, the internal servlet offers different operations that allow,
without any authentication:

* Download arbitrary files from the remote server
* Obtain the users, groups and passwords (salted and hashed) of WebLogic

Affected Versions and platforms
---

These vulnerabilities have been verified to work in the WebLogic version for
Windows and Linux, although we think that they  are not specific to the
platform.

The current vulnerabilities vary in the different versions; the following
table shows which vulnerabilities are present in each version:

                   UPLOAD   DOWNLOAD   PASSWORD

   WebLogic 6.0      X         X
   WebLogic 6.1      X         X          X
   WebLogic 7.0      X

The WebLogic Server 5.1 version does not present any of the previously
mentioned vulnerabilities.

Solution
--------
The vendor was notified and published a patch to solve these
vulnerabilities. More information on how to get and install the patch can
be found in BEA's security advisory BEA03-28.00
(http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-28.jsp).

If upgrading is not an option, there is a temporary workaround for the
problem which consists in the installation of a ConnectionFilter class to
filter out requests to the administration server, avoiding exploitation of
the vulnerability from the outside world.

In order to apply this workaround the administration and application servers
must be running on separate ports. Once they are separated the
ConnectionFilter will filter connections based on the request source
address.

S21SEC developed a ConnectionFilter class that allows filtering based on the
source address and destination port. This filter along with detailed
instructions on how to install and configure the filter can be downloaded
for free from the downloads section in S21SEC website, at:

  http://www.s21sec.com/download/s21sec-weblogic-connectionfilter-1.0.tar.gz

Alternatively, connections to the administrative server can be filtered by
using an IP filtering device.

Additional information
--

These vulnerabilities have been found and researched by:

 Lluis Mora [EMAIL PROTECTED]

You can find the latest version of this advisory at:

http://www.s21sec.com/en/avisos/s21sec-011-en.txt

And other S21SEC advisories at http://www.s21sec.com/en/avisos/




[RHSA-2003:054-00] Updated rxvt packages fix various vulnerabilities

2003-03-17 Thread bugzilla
-
   Red Hat Security Advisory

Synopsis:  Updated rxvt packages fix various vulnerabilities
Advisory ID:   RHSA-2003:054-00
Issue date:2003-03-17
Updated on:2003-03-17
Product:   Red Hat Linux
Keywords:  trojan escape reporting
Cross references:  
Obsoletes: 
CVE Names: CAN-2003-0022 CAN-2003-0023 CAN-2003-0066
-

1. Topic:

Updated rxvt packages are available which fix a number of vulnerabilities
in the handling of escape sequences.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - i386
Red Hat Linux 7.0 - i386
Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386

3. Problem description:

Rxvt is a color VT102 terminal emulator for the X Window System.  A number
of issues have been found in the escape sequence handling of Rxvt.
These could be potentially exploited if an attacker can cause carefully
crafted escape sequences to be displayed on a rxvt terminal being used by
their victim. 

One of the features which most terminal emulators support is the ability
for the shell to set the title of the window using an escape sequence. 
Certain xterm variants, including rxvt, also provide an escape sequence for
reporting the current window title.  This essentially takes the current
title and places it directly on the command line.   Since it is not
possible to embed a carriage return into the window title itself, the
attacker would have to convince the victim to hit enter for it to process
the title as a command, although the attacker can perform a number of
actions to increase the likelihood of this happening.

The "screen dump" feature in rxvt 2.7.8 allows attackers to overwrite
arbitrary files via a certain character escape sequence when it is echoed
to a user's terminal, e.g. when the user views a file containing the
malicious sequence.

The menuBar feature in rxvt 2.7.8 allows attackers to modify menu options
and execute arbitrary commands via a certain character escape sequence that
inserts the commands into the menu.

Users of Rxvt are advised to upgrade to these errata packages which contain
a patch to disable the title reporting functionality and patches to correct
the other issues.

Red Hat would like to thank H D Moore for bringing these issues to our
attention.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/rxvt-2.7.8-3.6.2.1.src.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/rxvt-2.7.8-3.6.2.1.i386.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/rxvt-2.7.8-3.7.0.1.src.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/rxvt-2.7.8-3.7.0.1.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/rxvt-2.7.8-3.7.1.1.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/rxvt-2.7.8-3.7.1.1.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/rxvt-2.7.8-4.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/rxvt-2.7.8-4.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/rxvt-2.7.8-4.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/rxvt-2.7.8-4.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/rxvt-2.7.8-4.i386.rpm



6. Verification:

MD5 sum  Package Name
--

GLSA: qpopper (200303-12)

2003-03-17 Thread Daniel Ahlberg
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - -
GENTOO LINUX SECURITY ANNOUNCEMENT 200303-12
- - -

  PACKAGE : qpopper
  SUMMARY : buffer overflow
 DATE : 2003-03-17 09:50 UTC
  EXPLOIT : remote
VERSIONS AFFECTED : <4.0.5
FIXED VERSION : >=4.0.5
  CVE : CAN-2003-0143

- - -

- From advisory:

"Under certain conditions it is possible to execute arbitrary code using
a buffer overflow in the recent qpopper.

You need a valid username/password-combination and code is (depending on
the setup) usually executed with the user's uid and gid mail."

Read the full advisory at:
http://marc.theaimsgroup.com/?l=bugtraq&m=104739841223916&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-mail/qpopper upgrade to qpopper-4.0.5 as follows:

emerge sync
emerge qpopper
emerge clean

- - -
[EMAIL PROTECTED] - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - -
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+dZp5fT7nyhUpoZMRAq9XAJsFyPbrwFb1CcvL59jEKtAoymZzTwCeIw4Z
p8IXHapfnjyZM1j7pcN+nW8=
=OPDK
-END PGP SIGNATURE-


[RHSA-2003:072-08] Updated Gnome-lokkit packages fix vulnerability

2003-03-17 Thread bugzilla
-
   Red Hat Security Advisory

Synopsis:  Updated Gnome-lokkit packages fix vulnerability
Advisory ID:   RHSA-2003:072-00
Issue date:2003-03-17
Updated on:2003-03-17
Product:   Red Hat Linux
Keywords:  iptables forward lokkit
Cross references:  
Obsoletes: 
CVE Names: CAN-2003-0080
-

1. Topic:

Updated Gnome-lokkit packages fix missing FORWARD ruleset in Red Hat Linux 8.0

2. Relevant releases/architectures:

Red Hat Linux 8.0 - i386

3. Problem description:

Gnome-lokkit is a utility that provides firewalling for the average Linux
end user based on responses to a small number of simple questions.

Red Hat made modifications to Gnome-lokkit to support firewalls based on
iptables instead of ipchains.  In Red Hat Linux 8.0, the iptables ruleset
created by Gnome-lokkit did not place any rules on the FORWARD chain.  This
is a security vulnerability if an administrator enables packet forwarding
and uses an unmodified ruleset created by the Gnome-lokkit tool.

Users are advised to upgrade to these erratum packages which contain a
patch to Gnome-lokkit to also apply the INPUT chain ruleset to the FORWARD
chain.

Red Hat would like to thank Deneb Meketa for bringing this issue to our
attention.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

84975 - does not include FORWARD chain

6. RPMs required:

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/gnome-lokkit-0.50-21.8.0.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/gnome-lokkit-0.50-21.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/lokkit-0.50-21.8.0.i386.rpm



7. Verification:

MD5 sum  Package Name
--
5e5edd316950132ec84f9c727dac63f6 8.0/en/os/SRPMS/gnome-lokkit-0.50-21.8.0.src.rpm
01f42937db89e8afb3f30a704e52ca7f 8.0/en/os/i386/gnome-lokkit-0.50-21.8.0.i386.rpm
0f80d90d4766f04eef08928b33b6a25e 8.0/en/os/i386/lokkit-0.50-21.8.0.i386.rpm


These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:

rpm --checksig -v 

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

md5sum 


8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0080

9. Contact:

The Red Hat security contact is <[EMAIL PROTECTED]>.  More contact
details at http://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.
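
An added illustration of the problem described in section 3 (this is example code written for this page, not lokkit's own code or Red Hat's patch): the checker below parses an iptables-save style dump, flags a FORWARD chain that carries no rules and keeps its default ACCEPT policy, and applies the remedy the advisory describes, duplicating the INPUT rules onto FORWARD. The ruleset text and the chain name FW-INPUT are constructed for the example; on a live host the forwarding state would be read from /proc/sys/net/ipv4/ip_forward.

```python
import re

# Constructed iptables-save style dump shaped like a lokkit-generated ruleset:
# the filtering lives in a user chain reached from INPUT, while FORWARD is
# left empty with its default ACCEPT policy. FW-INPUT is a made-up chain name.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FW-INPUT - [0:0]
-A INPUT -j FW-INPUT
-A FW-INPUT -i lo -j ACCEPT
-A FW-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A FW-INPUT -p tcp -m tcp --syn -j REJECT
-A FW-INPUT -p udp -m udp -j REJECT
COMMIT
"""

CHAIN_LINE = re.compile(r"^:(\S+)\s+(\S+)\s+\[\d+:\d+\]$")   # ":NAME POLICY [p:b]"
RULE_LINE = re.compile(r"^-A\s+(\S+)\s+(.*)$")               # "-A CHAIN <match/target>"


def parse_filter_table(dump):
    """Return {chain: {'policy': str, 'rules': [rule text, ...]}}."""
    chains = {}
    for line in dump.splitlines():
        m = CHAIN_LINE.match(line)
        if m:
            chains[m.group(1)] = {"policy": m.group(2), "rules": []}
            continue
        m = RULE_LINE.match(line)
        if m and m.group(1) in chains:
            chains[m.group(1)]["rules"].append(m.group(2))
    return chains


def audit_forward(dump, ip_forward_enabled):
    """'exposed'  : forwarding is on and FORWARD accepts everything unfiltered
       'latent'   : same empty chain, forwarding off (harmless until enabled)
       'filtered' : FORWARD carries rules or a non-ACCEPT policy"""
    fwd = parse_filter_table(dump).get("FORWARD", {"policy": "ACCEPT", "rules": []})
    unfiltered = not fwd["rules"] and fwd["policy"] == "ACCEPT"
    if not unfiltered:
        return "filtered"
    return "exposed" if ip_forward_enabled else "latent"


def mirror_input_to_forward(dump):
    """Re-emit the dump with every INPUT rule duplicated onto FORWARD, placed
    just before COMMIT so all chain declarations precede them. This is the
    approach the advisory describes for the fixed lokkit."""
    input_rules = parse_filter_table(dump).get("INPUT", {"rules": []})["rules"]
    out = []
    for line in dump.splitlines():
        if line == "COMMIT":
            out.extend(f"-A FORWARD {rule}" for rule in input_rules)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", audit_forward(WEAK_RULESET, ip_forward_enabled=True))
    fixed = mirror_input_to_forward(WEAK_RULESET)
    print("after: ", audit_forward(fixed, ip_forward_enabled=True))
    print(fixed)
```

The mirrored rules jump into the same user chain as INPUT, so the two built-in chains stay in step when the user chain is edited; a stricter alternative is a FORWARD policy of DROP with an explicit allow list.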
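
The Verification sections of this advisory and of the rxvt advisory above list an MD5 per package and point to md5sum for checking. The script below, added here as an example rather than Red Hat tooling, parses a table in that layout and compares it with files in a download directory; the demo() data is constructed, with hashes computed on the spot rather than taken from the advisories. MD5 only confirms the download was not corrupted; the GPG signature checked by rpm --checksig is what establishes that a package came from Red Hat.

```python
import hashlib
import os
import re
import tempfile

# One row of the "MD5 sum  Package Name" table: 32 hex digits, then the path.
MD5_ROW = re.compile(r"^([0-9a-fA-F]{32})\s+(\S+)$")


def parse_md5_table(advisory_text):
    """Return {package file name: expected md5 (lowercase)} from the table rows."""
    table = {}
    for line in advisory_text.splitlines():
        m = MD5_ROW.match(line.strip())
        if m:
            table[os.path.basename(m.group(2))] = m.group(1).lower()
    return table


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(advisory_text, download_dir):
    """Check every package named in the table against the local copy.

    Per file name: 'ok', 'MISMATCH' (corrupt or altered download) or
    'missing' (not downloaded; harmless, rpm -Fvh only touches installed RPMs)."""
    results = {}
    for name, expected in parse_md5_table(advisory_text).items():
        local = os.path.join(download_dir, name)
        if not os.path.isfile(local):
            results[name] = "missing"
        elif md5_of_file(local) == expected:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed data: three fake packages and a table in the advisory's
    layout. The hashes are computed here; they are not real package sums."""
    good = b"good package bytes\n"
    bad_listed = b"bytes the advisory listed\n"
    bad_local = b"bytes that actually arrived\n"
    table = "\n".join([
        "MD5 sum  Package Name",
        "--",
        f"{hashlib.md5(good).hexdigest()} 8.0/en/os/i386/good-1.0-1.i386.rpm",
        f"{hashlib.md5(bad_listed).hexdigest()} 8.0/en/os/i386/bad-1.0-1.i386.rpm",
        f"{hashlib.md5(good).hexdigest()} 8.0/en/os/SRPMS/absent-1.0-1.src.rpm",
    ])
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good-1.0-1.i386.rpm"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "bad-1.0-1.i386.rpm"), "wb") as f:
            f.write(bad_local)
        return verify_downloads(table, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```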



Security Bugfix for Samba - Samba 2.2.8 Released

2003-03-17 Thread Maslov, Snowy
(See http://www.samba.org/samba/whatsnew/samba-2.2.8.html for a copy of
this information)

The Samba Team announces Samba 2.2.8

   
   * IMPORTANT: Security bugfix for Samba *
   

This release provides an important security fix outlined in the
release notes that follow. This is the latest stable release of
Samba and the version that all production Samba servers should be
running for all current bug-fixes.

The source code can be downloaded from :

http://download.samba.org/samba/ftp/

in the file samba-2.2.8.tar.gz or samba-2.2.8.tar.bz2.
Both archives have been signed using the Samba Distribution Key.

Binary packages will be released shortly for major platforms and
can be found at

http://download.samba.org/samba/ftp/Binary_Packages/

As always, all bugs are our responsibility.

   --Sincerely
   The Samba Team


Summary
---

The SuSE security audit team, in particular Sebastian 
Krahmer, has found a flaw in the Samba main smbd code which
could allow an external attacker to remotely and anonymously gain
Super User (root) privileges on a server running a Samba server.

This flaw exists in previous versions of Samba from 2.0.x to 2.2.7a
inclusive.  This is a serious problem and all sites should either
upgrade to Samba 2.2.8 immediately or prohibit access to TCP ports 139
and 445. Advice created by Andrew Tridgell, the leader of the Samba Team,
on how to protect an unpatched Samba server is given at the end of this
section.

The SMB/CIFS protocol implemented by Samba is vulnerable to many
attacks, even without specific security holes.  The TCP ports 139 and
the new port 445 (used by Win2k and the Samba 3.0 alpha code in
particular) should never be exposed to untrusted networks.

Description
---

A buffer overrun condition exists in the SMB/CIFS packet fragment
re-assembly code in smbd which would allow an attacker to cause smbd
to overwrite arbitrary areas of memory in its own process address
space. This could allow a skilled attacker to inject binary specific
exploit code into smbd.

This version of Samba adds explicit overrun and overflow checks on
fragment re-assembly of SMB/CIFS packets to ensure that only valid
re-assembly is performed by smbd.

In addition, the same checks have been added to the re-assembly
functions in the client code, making it safe for use in other
services.

Credit
--

This security flaw was discovered and reported to the Samba Team by
Sebastian Krahmer  of the SuSE Security Audit Team.
The fix was prepared by Jeremy Allison and reviewed by engineers from
the Samba Team, SuSE, HP, SGI, Apple, and the Linux vendor engineers
on the Linux Vendor security mailing list.

The Samba Team would like to thank SuSE and Sebastian Krahmer for
their excellent auditing work and for drawing attention to this flaw.

Patch Availability
-

As this is a security issue, patches for this flaw specific to earlier
versions of Samba will be posted on the [EMAIL PROTECTED]
mailing list as requested.



Protecting an unpatched Samba server


  Samba Team, March 2003

  This is a note on how to provide your Samba server some
  protection against the recently discovered remote security
  hole if you are unable to upgrade to the fixed version
  immediately. Even if you do upgrade you might like to think
  about the suggestions in this note to provide you with
  additional levels of protection.


  Using host based protection
  ---

  In many installations of Samba the greatest threat comes from
  outside your immediate network. By default Samba will accept
  connections from any host, which means that if you run an
  insecure version of Samba on a host that is directly
  connected to the Internet you can be especially vulnerable.

  One of the simplest fixes in this case is to use the 'hosts
  allow' and 'hosts deny' options in the Samba smb.conf
  configuration file to only allow access to your server from a
  specific range of hosts. An example might be:


hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
hosts deny = 0.0.0.0/0

  The above will only allow SMB connections from 'localhost'
  (your own computer) and from the two private networks
  192.168.2 and 192.168.3. All other connections will be
  refused as soon as the client sends its first
  packet. The refusal will be marked as a 'not listening on
  called name' error.


  Using interface protection
  --

  By default Samba will accept connections on any network
  interface that it finds on your system. That means if you
  have an ISDN line or a PPP connection to the Internet then
  Samba will accept connections on those links. This may not be
  what you want.

  You can change this behavior using options li
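
To make the hosts allow / hosts deny behaviour described in the note concrete, here is a small evaluator written for this page (not Samba code). It applies the precedence the note relies on, assumed here as a simplified model: an address matching hosts allow is accepted, otherwise one matching hosts deny is refused, otherwise it is accepted. The smb.conf fragment is constructed from the two lines in the note and the client addresses are sample values.

```python
import ipaddress
import re

# Constructed smb.conf fragment carrying the two lines from the note above.
SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
    hosts deny = 0.0.0.0/0
"""

HOST_OPTION = re.compile(r"^\s*(hosts allow|hosts deny)\s*=\s*(.*?)\s*$", re.I)


def parse_host_lists(conf):
    """Return {'hosts allow': [...], 'hosts deny': [...]} from smb.conf text.
    Entries are plain addresses or CIDR networks; a later line for the same
    option replaces the earlier one."""
    lists = {"hosts allow": [], "hosts deny": []}
    for line in conf.splitlines():
        m = HOST_OPTION.match(line)
        if m:
            lists[m.group(1).lower()] = m.group(2).split()
    return lists


def _in_list(addr, entries):
    # strict=False tolerates host bits in a network spec; a bare address is a /32.
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def client_allowed(client_ip, conf):
    """Assumed precedence (a model of the documented behaviour, not Samba's
    own code): a hosts allow match wins, then a hosts deny match refuses, and
    an address in neither list is accepted. With 'hosts deny = 0.0.0.0/0'
    that last case can never occur for IPv4 clients."""
    addr = ipaddress.ip_address(client_ip)
    lists = parse_host_lists(conf)
    if _in_list(addr, lists["hosts allow"]):
        return True
    if _in_list(addr, lists["hosts deny"]):
        return False
    return True


def screen(conf, client_ips):
    """Verdict per client address, for reviewing a configuration offline."""
    return {ip: ("allow" if client_allowed(ip, conf) else "deny") for ip in client_ips}


if __name__ == "__main__":
    samples = ["127.0.0.1", "192.168.2.17", "192.168.3.254", "192.168.4.1", "203.0.113.5"]
    for ip, verdict in screen(SMB_CONF, samples).items():
        print(f"{verdict:5} {ip}")
```

Run it against a proposed smb.conf before deploying it: the last two sample addresses fall outside both /24 networks and must come out as deny, which is the whole point of the catch-all hosts deny line.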

[ADVISORY] Timing Attack on OpenSSL

2003-03-17 Thread Ben Laurie
I expect a release to follow shortly.

--
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

OpenSSL v0.9.7a and 0.9.6i vulnerability


Researchers have discovered a timing attack on RSA keys, to which
OpenSSL is generally vulnerable, unless RSA blinding has been turned
on.

Typically, it will not have been, because it is not easily possible to
do so when using OpenSSL to provide SSL or TLS.

The enclosed patch switches blinding on by default. Applications that
wish to can remove the blinding with RSA_blinding_off(), but this is
not generally advised. It is also possible to disable it completely by
defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time.

The performance impact of blinding appears to be small (a few
percent).

This problem affects many applications using OpenSSL, in particular,
almost all SSL-enabled Apaches. You should rebuild and reinstall
OpenSSL, and all affected applications.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0147 to this issue.

We strongly advise upgrading OpenSSL in all cases, as a precaution.

Index: crypto/rsa/rsa_eay.c
===
RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v
retrieving revision 1.28.2.3
diff -u -r1.28.2.3 rsa_eay.c
--- crypto/rsa/rsa_eay.c30 Jan 2003 17:37:46 -  1.28.2.3
+++ crypto/rsa/rsa_eay.c16 Mar 2003 10:34:13 -
@@ -195,6 +195,25 @@
return(r);
}
 
+static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
+   {
+   int ret = 1;
+   CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+   /* Check again inside the lock - the macro's check is racey */
+   if(rsa->blinding == NULL)
+   ret = RSA_blinding_on(rsa, ctx);
+   CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+   return ret;
+   }
+
+#define BLINDING_HELPER(rsa, ctx, err_instr) \
+   do { \
+   if(((rsa)->flags & RSA_FLAG_BLINDING) && \
+   ((rsa)->blinding == NULL) && \
+   !rsa_eay_blinding(rsa, ctx)) \
+   err_instr \
+   } while(0)
+
 /* signing */
 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 unsigned char *to, RSA *rsa, int padding)
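Review bot: BLINDING_HELPER drops `err_instr` in as the bare body of its `if`, so only a single statement such as the `goto err;` the callers pass works; a two-statement argument would leave the second statement outside the condition. Wrapping it as `{ err_instr }` inside the do/while makes the macro safe for any statement list. The locked re-check in rsa_eay_blinding is the right shape: `ret = 1` when another thread has already created rsa->blinding, and only a failed RSA_blinding_on is reported as an error.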
@@ -239,8 +258,8 @@
goto err;
}
 
-   if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
-   RSA_blinding_on(rsa,ctx);
+   BLINDING_HELPER(rsa, ctx, goto err;);
+
if (rsa->flags & RSA_FLAG_BLINDING)
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
 
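Review bot: the behavioural fix here is the `goto err;` passed to BLINDING_HELPER: the removed lines ignored the return value of RSA_blinding_on, so on an allocation failure rsa->blinding stayed NULL and the unchanged `if (rsa->flags & RSA_FLAG_BLINDING)` path below handed that NULL to BN_BLINDING_convert. One gap stays visible in this hunk: the new lock covers only the creation of rsa->blinding, while `BN_BLINDING_convert(&f,rsa->blinding,ctx)` still runs unlocked on state shared by every thread using this RSA object, so it deserves either serialisation or a comment stating that concurrent private-key operations on one key are not supported.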
@@ -318,8 +337,8 @@
goto err;
}
 
-   if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
-   RSA_blinding_on(rsa,ctx);
+   BLINDING_HELPER(rsa, ctx, goto err;);
+
if (rsa->flags & RSA_FLAG_BLINDING)
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
 
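Review bot: this is the same change as in the private_encrypt hunk above, now in the private-decrypt path, so the same two points apply (the RSA_blinding_on failure is propagated; the convert call on the shared rsa->blinding is still unlocked). Since the pattern must now be repeated at every private-key entry point, a short comment on BLINDING_HELPER saying it has to precede BN_BLINDING_convert in each such function would stop a future entry point reverting to the old unchecked call.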
Index: crypto/rsa/rsa_lib.c
===
RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v
retrieving revision 1.30.2.2
diff -u -r1.30.2.2 rsa_lib.c
--- crypto/rsa/rsa_lib.c30 Jan 2003 17:37:46 -  1.30.2.2
+++ crypto/rsa/rsa_lib.c16 Mar 2003 10:34:13 -
@@ -72,7 +72,13 @@
 
 RSA *RSA_new(void)
{
-   return(RSA_new_method(NULL));
+   RSA *r=RSA_new_method(NULL);
+
+#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
+   r->flags|=RSA_FLAG_BLINDING;
+#endif
+
+   return r;
}
 
 void RSA_set_default_method(const RSA_METHOD *meth)
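Review bot: NULL dereference: RSA_new_method(NULL) returns NULL on allocation failure, which the removed one-line version passed straight back to the caller, but `r->flags|=RSA_FLAG_BLINDING;` now touches it unconditionally. Guard the assignment with `if (r != NULL)` inside the #ifndef block. Also worth a comment that this hunk enables blinding only for keys created via RSA_new(); keys built through RSA_new_method() directly are not changed by this diff.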
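
A worked example of what the blinding enabled by this patch does, added here and not taken from OpenSSL: the private-key operation is applied to c·r^e for a fresh secret r and the result is unblinded with r^-1, so the secret exponent never acts directly on an attacker-chosen input, which is what removes the input-dependent timing the advisory describes. The two primes form a constructed toy key far too small for real use; the arithmetic is the same at 1024 or 2048 bits.

```python
import math
import secrets

# Constructed toy key from two well-known primes (2^16+1 and 2^31-1).
# Far too small to be secure; it only makes the arithmetic visible.
P, Q = 65537, 2147483647
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)            # e*d == 1 (mod phi), requires Python 3.8+


def private_op(c):
    """Unblinded private-key operation (decrypt or sign): the secret exponent
    d is applied directly to c, so the running time depends on c."""
    return pow(c, D, N)


def blinded_private_op(c, r=None):
    """Same result via blinding.  With a secret r coprime to n:
        (c * r^e)^d = c^d * r^(e*d) = c^d * r  (mod n)
    so multiplying by r^-1 afterwards recovers c^d, and the exponentiation
    with d was performed on a value the caller never chose."""
    if r is None:
        while True:
            r = secrets.randbelow(N - 2) + 2
            if math.gcd(r, N) == 1:
                break
    blinded_input = (c * pow(r, E, N)) % N
    blinded_output = pow(blinded_input, D, N)
    return (blinded_output * pow(r, -1, N)) % N


def demo(message=123456789):
    """Encrypt with the public key, then recover the message both ways."""
    c = pow(message, E, N)
    return private_op(c), blinded_private_op(c)


if __name__ == "__main__":
    plain, blinded = demo()
    print("unblinded:", plain)
    print("blinded:  ", blinded)
    print("equal:    ", plain == blinded)
```

A fresh r per operation is what matters: reusing r, or deriving it from the input, would hand the timing side channel back to the attacker. Signing (RSA_eay_private_encrypt in the patch) is the same exponentiation with d, so the identical construction protects it.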


GLSA: samba (200303-11)

2003-03-17 Thread Daniel Ahlberg
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - -
GENTOO LINUX SECURITY ANNOUNCEMENT 200303-11
- - -

  PACKAGE : samba
  SUMMARY : buffer overrun
 DATE : 2003-03-17 09:22 UTC
  EXPLOIT : remote
VERSIONS AFFECTED : <2.2.8
FIXED VERSION : >=2.2.8
  CVE : CAN-2003-0085 CAN-2003-0086

- - -

- From advisory:

"The SuSE security audit team, in particular Sebastian Krahmer,
has found a flaw in the Samba main smbd code which
could allow an external attacker to remotely and anonymously gain
Super User (root) privileges on a server running a Samba server."

"A buffer overrun condition exists in the SMB/CIFS packet fragment
re-assembly code in smbd which would allow an attacker to cause smbd
to overwrite arbitrary areas of memory in its own process address
space. This could allow a skilled attacker to inject binary specific
exploit code into smbd."

Read the full advisory at:
http://lists.samba.org/pipermail/samba-announce/2003-March/63.html

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-fs/samba upgrade to samba-2.2.8 as follows:

emerge sync
emerge samba
emerge clean

- - -
[EMAIL PROTECTED] - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - -
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+dZPAfT7nyhUpoZMRAqJaAJ90Tc8Bkgq+QRwjzTIdAedcgGZb8wCggBWq
Gok26HB4womHvtn/3PrBsXY=
=7cIA
-END PGP SIGNATURE-


[INetCop Security Advisory #2002-0x82-013] Kebi Academy 2001 Web Solution Directory Traversing Vulnerability.

2003-03-17 Thread dong-h0un U



INetCop Security Advisory #2002-0x82-013



* Title: Kebi Academy 2001 Web Solution Directory Traversing Vulnerability.


0x01. Description


Kebi Academy 2001 is a web solution that is supplied as C binary CGI on the web.
A fatal vulnerability exists in this web solution that allows a remote user to
read or write internal files of the system, and to execute uploaded malicious
code.

The vulnerability happens because "../" is not filtered from the homepage file
administration contents of the web solution.
If exploitation of the vulnerability succeeds, it is possible to read and write
files with the privileges of the web server.
Also, the attacker can execute a shell remotely if malicious code is uploaded
to a directory where CGI or PHP files can be executed.


0x02. Vulnerable Packages


Vendor site: http://solution.nara.co.kr/

Kebi Academy 2001 Solution
+Linux
+Unix

* We have already liaised with the vendor.


0x03. Exploit


A certain file can be read as follows, with the privileges of the web server.


http://target.com/k/home?dir=/&file=../../../../../../../../etc/passwd&lang=kor


If this succeeds, other users' databases and so on can be obtained, as far as
the web server's privileges allow.
Also, a certain file can be uploaded to a directory where the web server has write permission.
In case the attacker uploads malicious code,
a very fatal attack can be carried out.


0x04. Patch


--

These problems can be solved with the chroot() function.
We hope a safer web solution will be composed.

--

P.S: Sorry, for my poor english.


--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.

MSN & E-mail: szoahc(at)hotmail(dot)com,
  xploit(at)hackermail(dot)com

INetCop Security Home: http://www.inetcop.org (Korean hacking game)
 My World: http://x82.i21c.net & http://x82.inetcop.org

GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--


-- 
___
Get your free email from http://www.hackermail.com

Powered by Outblaze
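
The root cause the advisory names is an unfiltered "../" in the dir and file parameters. The function below is an example added here (not Kebi code) of the containment check a CGI handler should make before opening anything: it normalises the requested path relative to a document root and refuses any request that resolves outside it, including the traversal string shown in the advisory. The document root and sample requests are constructed.

```python
import posixpath

DOC_ROOT = "/srv/www/kebi/home"   # constructed document root for the example


def safe_path(doc_root, dir_param, file_param):
    """Resolve dir_param/file_param under doc_root.

    Returns the normalised absolute path to open, or None when the request
    would leave the document root (traversal with '..', an absolute path) or
    carries an embedded NUL that would truncate the name inside a C CGI."""
    if "\x00" in dir_param or "\x00" in file_param:
        return None
    root = posixpath.normpath(doc_root)
    # Treat both parameters as relative to the root whatever they start with.
    requested = posixpath.join(dir_param, file_param).lstrip("/")
    full = posixpath.normpath(posixpath.join(root, requested))
    # After normpath every '..' has been applied, so containment is a prefix
    # test on the root plus a separator (so "/srv/www/kebi/home2" cannot pass).
    if full != root and not full.startswith(root + "/"):
        return None
    return full


def classify_requests(doc_root, requests):
    """Map (dir, file) pairs to the path that would be served, or 'REJECTED'."""
    return {
        f"dir={d}&file={f}": (safe_path(doc_root, d, f) or "REJECTED")
        for d, f in requests
    }


if __name__ == "__main__":
    samples = [
        ("/", "index.html"),
        ("docs", "manual.txt"),
        ("/", "../../../../../../../../etc/passwd"),   # the traversal from the advisory
        ("docs/../..", "secret"),
        ("/", "name\x00.txt"),
    ]
    for req, outcome in classify_requests(DOC_ROOT, samples).items():
        print(f"{outcome:40} {req!r}")
```

This is a pure string check, so it can be tested offline; on the real filesystem the served path should additionally be passed through os.path.realpath and re-checked, so that a symbolic link inside the root cannot point outside it. The same check applies to the upload directory mentioned in the advisory, together with keeping that directory outside any location the server will execute.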


SPI ADVISORY: Remote Administration of BEA WebLogic Server and Express

2003-03-17 Thread Caleb Sima
Remote Administration of BEA WebLogic Server and Express 

Release Date:
March 18, 2003

Severity:
High

Systems Affected:
•   WebLogic Server and Express 6.0
•   WebLogic Server and Express 6.1
•   WebLogic Server and Express 7.0 


Description:
SPI Labs and S21sec have identified a serious vulnerability that could
allow an attacker to gain unauthorized access to the applications and
systems present on an affected Weblogic server.

Several undocumented applications were found, which are, deployed in
default configurations of Weblogic.  Some of these applications are used
by Weblogic for server-to-server communication during internal
maintenance and administration tasks, such as source code distribution
and modification.

Further analysis revealed that many of these applications were not
adequately protected from unauthorized use.  In some cases, no
authentication was required to perform administrative functions.  The
threat posed by the existence of these unprotected applications is
severe.  If an attacker can directly access a Weblogic server, it is
reasonable to assume that the presence of this vulnerability can
ultimately result in a compromise of the applications residing on the
server.

Because these applications are not intended to be user-configurable or
user identifiable, no configuration workaround exists.  BEA has issued a
patch that corrects this issue.  SPI Labs recommends that it be applied
to all Weblogic installations immediately.

Remediation:
SPI Labs recommends the following actions:
•   For WebLogic Server and Express 6.0
o   Upgrade to Service Pack 2 Rolling Patch 3 and follow the
instructions to apply the included patch:
•   For Weblogic Server and Express 6.1
o   Upgrade to Service Pack 4 and follow the instructions to apply
the included patch:
o   When Service Pack 5 becomes available, you may use that Service
Pack instead of Service Pack 4 and the patch
•   For WebLogic Server and Express 7.0 released or 7.0.0.1
o   Upgrade to Service Pack 2 and follow the instructions to apply
the included patch:
o   When Service Pack 3 becomes available, you may use that Service
Pack instead of Service Pack 2 and the patch

Vendor Information:
BEA has been notified of this issue and has released the patch
information described above at the following link:

http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-28.jsp



[RHSA-2003:098-00] Updated 2.4 kernel fixes vulnerability

2003-03-17 Thread bugzilla
-
   Red Hat Security Advisory

Synopsis:  Updated 2.4 kernel fixes vulnerability
Advisory ID:   RHSA-2003:098-00
Issue date:2003-03-17
Updated on:2003-03-17
Product:   Red Hat Linux
Keywords:  ptrace
Cross references:  
Obsoletes: RHSA-2003:025-20 RHBA-2003:069-12
CVE Names: CAN-2003-0127
-

1. Topic:

Updated kernel packages for Red Hat Linux 7.1, 7.2, 7.3, and 8.0 are now
available.  These packages fix a ptrace-related vulnerability that can
lead to elevated (root) privileges.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - athlon, i386, i586, i686
Red Hat Linux 7.2 - athlon, i386, i586, i686
Red Hat Linux 7.3 - athlon, i386, i586, i686
Red Hat Linux 8.0 - athlon, i386, i586, i686

3. Problem description:

The Linux kernel handles the basic functions of the operating system.
A vulnerability has been found in version 2.4.18 of the kernel.  This
vulnerability makes it possible for local users to gain elevated (root)
privileges without authorization.  This advisory deals with updates to
Red Hat Linux 7.1, 7.2, 7.3, and 8.0.

All users of Red Hat Linux 7.1, 7.2, 7.3, and 8.0 should upgrade to
these errata packages, which contain patches to fix the vulnerability.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied, especially the additional
packages from RHSA-2002:205 and RHSA-2002:206.

The procedure for upgrading the kernel manually is documented at:

http://www.redhat.com/support/docs/howto/kernel-upgrade/

Please read the directions for your architecture carefully before
proceeding with the kernel upgrade.

Please note that this update is also available via Red Hat Network. Many
people find this to be an easier way to apply updates. To use Red Hat
Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. Note that you need to select the kernel
explicitly on default configurations of up2date.

5. RPMs required:

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/kernel-2.4.18-27.7.x.src.rpm

athlon:
ftp://updates.redhat.com/7.1/en/os/athlon/kernel-2.4.18-27.7.x.athlon.rpm
ftp://updates.redhat.com/7.1/en/os/athlon/kernel-smp-2.4.18-27.7.x.athlon.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/kernel-2.4.18-27.7.x.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/kernel-source-2.4.18-27.7.x.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/kernel-doc-2.4.18-27.7.x.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/kernel-BOOT-2.4.18-27.7.x.i386.rpm

i586:
ftp://updates.redhat.com/7.1/en/os/i586/kernel-2.4.18-27.7.x.i586.rpm
ftp://updates.redhat.com/7.1/en/os/i586/kernel-smp-2.4.18-27.7.x.i586.rpm

i686:
ftp://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm
ftp://updates.redhat.com/7.1/en/os/i686/kernel-smp-2.4.18-27.7.x.i686.rpm
ftp://updates.redhat.com/7.1/en/os/i686/kernel-bigmem-2.4.18-27.7.x.i686.rpm
ftp://updates.redhat.com/7.1/en/os/i686/kernel-debug-2.4.18-27.7.x.i686.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/kernel-2.4.18-27.7.x.src.rpm

athlon:
ftp://updates.redhat.com/7.2/en/os/athlon/kernel-2.4.18-27.7.x.athlon.rpm
ftp://updates.redhat.com/7.2/en/os/athlon/kernel-smp-2.4.18-27.7.x.athlon.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/kernel-2.4.18-27.7.x.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/kernel-source-2.4.18-27.7.x.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/kernel-doc-2.4.18-27.7.x.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/kernel-BOOT-2.4.18-27.7.x.i386.rpm

i586:
ftp://updates.redhat.com/7.2/en/os/i586/kernel-2.4.18-27.7.x.i586.rpm
ftp://updates.redhat.com/7.2/en/os/i586/kernel-smp-2.4.18-27.7.x.i586.rpm

i686:
ftp://updates.redhat.com/7.2/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm
ftp://updates.redhat.com/7.2/en/os/i686/kernel-smp-2.4.18-27.7.x.i686.rpm
ftp://updates.redhat.com/7.2/en/os/i686/kernel-bigmem-2.4.18-27.7.x.i686.rpm
ftp://updates.redhat.com/7.2/en/os/i686/kernel-debug-2.4.18-27.7.x.i686.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/kernel-2.4.18-27.7.x.src.rpm

athlon:
ftp://updates.redhat.com/7.3/en/os/athlon/kernel-2.4.18-27.7.x.athlon.rpm
ftp://updates.redhat.com/7.3/en/os/athlon/kernel-smp-2.4.18-27.7.x.athlon.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/kernel-2.4.18-27.7.x.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/kernel-source-2.4.18-27.7.x.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/kernel-doc-2.4.18-27.7.x.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/kernel-BOOT-2.4.18-27.7.x.i386.rpm

i586:
ftp://updates.redhat.com/7.3/en/os/i586/kernel-2.4.18-27.7.x.i586.rpm
ftp://updates.redhat.com/7.3/en/os/i586/kernel-smp-2.

[SECURITY] [DSA 263-1] New tcpdump packages fix denial of service vulnerability

2003-03-17 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 263-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
March 17th, 2003                 http://www.debian.org/security/faq
- --

Package: netpbm-free
Vulnerability  : math overflow errors
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2003-0146
CERT advisory  : VU#378049 VU#630433

Al Viro and Alan Cox discovered several maths overflow errors in
NetPBM, a set of graphics conversion tools.  These programs are not
installed setuid root but are often installed to prepare data for
processing.  These vulnerabilities may allow remote attackers to cause
a denial of service or execute arbitrary code.

For the stable distribution (woody) this problem has been
fixed in version 9.20-8.2.

The old stable distribution (potato) does not seem to be affected
by this problem.

For the unstable distribution (sid) this problem has been
fixed in version 9.20-9.

We recommend that you upgrade your netpbm package.


Upgrade Instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- 

  Source archives:

http://security.debian.org/pool/updates/main/n/netpbm-free/netpbm-free_9.20-8.2.dsc
  Size/MD5 checksum:  662 1c8d2ac6308e12bd407551f0a239709e

http://security.debian.org/pool/updates/main/n/netpbm-free/netpbm-free_9.20-8.2.diff.gz
  Size/MD5 checksum:48519 15bdcd7cdbbd33e4eafedc4224ec158a

http://security.debian.org/pool/updates/main/n/netpbm-free/netpbm-free_9.20.orig.tar.gz
  Size/MD5 checksum:  1882851 0f153116c21bc7d2e167e574a486c22f

  Alpha architecture:


http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9_9.20-8.2_alpha.deb
  Size/MD5 checksum:77636 fbd95c88eec1506033829ef65a56b033

http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9-dev_9.20-8.2_alpha.deb
  Size/MD5 checksum:   135348 d6fc73f5432869a4c8c20d6a6d202a3e

http://security.debian.org/pool/updates/main/n/netpbm-free/netpbm_9.20-8.2_alpha.deb
  Size/MD5 checksum:  1412714 9c508ca408fbc5f6a03f5a2e320cad60

  ARM architecture:


http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9_9.20-8.2_arm.deb
  Size/MD5 checksum:64038 5d2ff5816d2bc9f5b9b8f6555c0dc365

http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9-dev_9.20-8.2_arm.deb
  Size/MD5 checksum:   125450 3422bd71d85d14d950f4b490ea7fcb14
http://security.debian.org/pool/updates/main/n/netpbm-free/netpbm_9.20-8.2_arm.deb
  Size/MD5 checksum:  1127198 ff627c8920c5bd9c3420a7182e07a764

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9_9.20-8.2_i386.deb
  Size/MD5 checksum:62358 89e5f42f2d3a11b4b7c9dc27b996324d

http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9-dev_9.20-8.2_i386.deb
  Size/MD5 checksum:   103340 0f0c7e2bbbeb897bc1993ce2ca2dee06
http://security.debian.org/pool/updates/main/n/netpbm-free/netpbm_9.20-8.2_i386.deb
  Size/MD5 checksum:  1078350 415a6018874f103405739bb92d718100

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9_9.20-8.2_ia64.deb
  Size/MD5 checksum:96448 65abd6e7e2945f52cc31727d5c2d48b1

http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9-dev_9.20-8.2_ia64.deb
  Size/MD5 checksum:   170308 05e9e8e8b00f1fcba4511cb55b8be368
http://security.debian.org/pool/updates/main/n/netpbm-free/netpbm_9.20-8.2_ia64.deb
  Size/MD5 checksum:  1608002 84bca62575bc798425e65ce0733fde65

  HP Precision architecture:


http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9_9.20-8.2_hppa.deb
  Size/MD5 checksum:83808 6c997768d27d95ff71247ab15a63dad1

http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9-dev_9.20-8.2_hppa.deb
  Size/MD5 checksum:   122828 dab9d6a493a3bb46393c7302a44accf7
http://security.debian.org/pool/updates/main/n/netpbm-free/netpbm_9.20-8.2_hppa.deb
  Size/MD5 checksum:  1337162 054e5945f8146d45a1b178ca95658b12

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/n/netpbm-free/libnetpbm9_9.20-8.2_m68k.deb
  Size/MD5 checksum:61934 bb0176c0eed79eafa32cbc8f5a99dfdf

http://securit

MITKRB5-SA-2003-004: Cryptographic weaknesses in Kerberos v4protocol

2003-03-17 Thread Tom Yu
-BEGIN PGP SIGNED MESSAGE-

 MIT krb5 Security Advisory 2003-004

2003-03-17

Topic: Cryptographic weaknesses in Kerberos v4 protocol

Severity: CRITICAL

SUMMARY
===

A cryptographic weakness in version 4 of the Kerberos protocol allows
an attacker to use a chosen-plaintext attack to impersonate any
principal in a realm.  Additional cryptographic weaknesses in the krb4
implementation included in the MIT krb5 distribution permit the use of
cut-and-paste attacks to fabricate krb4 tickets for unauthorized
client principals if triple-DES keys are used to key krb4 services.
These attacks can subvert a site's entire Kerberos authentication
infrastructure.

Kerberos version 5 does not contain this cryptographic vulnerability.
Sites are not vulnerable if they have Kerberos v4 completely disabled,
including the disabling of any krb5 to krb4 translation services.

IMPACT
==

* An attacker controlling a krb4 shared cross-realm key can
  impersonate any principal in the remote realm to any service in the
  remote realm.  This can lead to root-level compromise of a KDC,
  along with compromise of any hosts that rely on authentication
  provided by that KDC.

* This attack may be performed against cross-realm principals, thus
  allowing an attacker to hop realms and compromise any realm that
  transitively shares a cross-realm key with the attacker's local
  realm.

* Related, but more difficult attacks may be possible without
  requiring the control of a shared cross-realm key.  At the very
  least, an attacker capable of creating arbitrary principal names in
  the target realm may be able to perform the attack.

* An attacker may impersonate any principal to a service keyed with
  triple-DES krb4 keys, given the ability to capture network traffic
  containing tickets for the target client principal.

* A leak has occurred of an unpublished paper containing enough
  details about the vulnerability that an attacker familiar with the
  krb4 protocol can easily construct an exploit.  No exploit is known
  to be circulating at this time, though.

AFFECTED SOFTWARE
=

* These are protocol vulnerabilities; ALL implementations of
  vulnerable functionality are vulnerable.

* All implementations of the Kerberos version 4 Key Distribution
  Center that allow cross-realm authentication are vulnerable.

* All implementations of the Kerberos version 5 Key Distribution
  Center that also implement a KDC for the Kerberos version 4 protocol
  and use the same keys for version 4 and version 5 are vulnerable.

* MIT implementations of krb5 that include support for triple-DES keys
  in krb4 are vulnerable.

FIX
===

* These are PROTOCOL vulnerabilities; fixes inherently involve
  restricting the functionality of the protocol.

* If you are using the implementation of krb4 contained in the MIT
  krb5, apply the patch kit, which is available at

  http://web.mit.edu/kerberos/www/advisories/2003-004-krb4_patchkit.tar.gz

  The detached PGP signature of the patch kit is available at

  http://web.mit.edu/kerberos/www/advisories/2003-004-krb4_patchkit.sig

* Release 1.3 of MIT krb5 will include a fix.  The fix has also been
  committed to our development source tree.

* If you are running MIT release krb5-1.2.6 or later, and you are
  unable to patch your production code, setting the DISALLOW_ALL_TIX
  or the DISALLOW_SVR attributes on all cross-realm principals should
  disable cross-realm authentication without losing key information.
  This will, of course, cause loss of krb5 cross-realm functionality.
  Note that the functionality of these principal attributes has not
  been extensively tested.

* If using the Kerberos v4 implementation contained in MIT krb5, and
  you are unable to patch your production systems, cease use of
  triple-DES keys for Kerberos v4 services.

* If using a different implementation of krb4, disable all krb4
  cross-realm functionality, both in KDC implementations and in any
  krb524d implementations.

* A possible workaround is to randomize all cross-realm keys.  This
  should be considered to be a last resort, as re-establishing
  cross-realm keys can be time-consuming, and krb5 cross-realm
  functionality will be lost.

* The following text describes the patch kit for the MIT krb5
  implementation.

PATCH KIT DESCRIPTION
=====================

** FLAG DAY REQUIRED **

One of the things we decided to do (and must do for security reasons)
was drop support for the 3DES krb4 TGTs.  Unfortunately the current
code will only accept 3DES TGTs if it issues 3DES TGTs.  Since the new
code issues only DES TGTs, the old code will not understand its v4
TGTs if the site has a 3DES key available for the krbtgt principal.
The new code will understand and accept both DES and 3DES v4 TGTs.

So, the easiest upgrade option is to deploy the code on all KDCs at
once, being sure to deploy it on the master KDC last.  Under this
scenario, a brief window exists where slaves may be able to
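
The interim workaround from the FIX section above (setting DISALLOW_ALL_TIX or DISALLOW_SVR on all cross-realm principals), as an added example that is not code from the MIT advisory or from the krb5 distribution: a small C program that picks the cross-realm krbtgt entries out of a principal list and prints the kadmin.local modprinc lines that set those flags, leaving the realm's own ticket-granting key alone. The realm names, the sample principal list and the function names are constructed; the -allow_tix and -allow_svr switches are MIT kadmin's own. The example treats both krbtgt/REMOTE@LOCAL and krbtgt/LOCAL@REMOTE as cross-realm entries, which is one reading of "all cross-realm principals" rather than something the advisory spells out.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of "kadmin.local -q listprincs" output for a KDC in
   realm EXAMPLE.ORG that has a cross-realm relationship with PARTNER.NET
   (hypothetical names, not real data). */
static const char *const SAMPLE_PRINCS[] = {
    "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG",      /* the realm's own TGS key: keep */
    "krbtgt/PARTNER.NET@EXAMPLE.ORG",      /* outbound cross-realm: disable */
    "krbtgt/EXAMPLE.ORG@PARTNER.NET",      /* inbound cross-realm: disable */
    "alice@EXAMPLE.ORG",
    "host/kdc1.example.org@EXAMPLE.ORG",
};
#define NSAMPLE (sizeof SAMPLE_PRINCS / sizeof SAMPLE_PRINCS[0])

/* Returns 1 if 'princ' is a cross-realm ticket-granting principal, i.e.
   krbtgt/<instance>@<realm> with instance != realm.  krbtgt/X@X is the
   realm's own TGS key and must stay enabled.  Malformed names (no
   instance, no realm) are rejected rather than guessed at. */
static int is_cross_realm_tgt(const char *princ)
{
    const char *prefix = "krbtgt/";
    size_t plen = strlen(prefix);
    const char *inst, *at;
    size_t ilen;

    if (strncmp(princ, prefix, plen) != 0)
        return 0;
    inst = princ + plen;
    at = strrchr(inst, '@');              /* realm follows the last '@' */
    if (at == NULL || at == inst || at[1] == '\0')
        return 0;
    ilen = (size_t)(at - inst);
    /* cross-realm iff instance and realm differ */
    return !(strlen(at + 1) == ilen && strncmp(inst, at + 1, ilen) == 0);
}

/* Writes one "modprinc -allow_tix -allow_svr <princ>" line into 'out' for
   every cross-realm TGT in 'princs'.  In MIT kadmin, -allow_tix sets
   DISALLOW_ALL_TIX and -allow_svr sets DISALLOW_SVR; the keys stay in the
   database, so the flags can be cleared with +allow_tix +allow_svr once
   patched KDCs are deployed.  Returns the number of commands generated,
   or -1 if 'out' is too small to hold them. */
static int disable_commands(const char *const *princs, size_t n,
                            char *out, size_t outn)
{
    size_t used = 0;
    int count = 0;

    if (outn > 0)
        out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (!is_cross_realm_tgt(princs[i]))
            continue;
        int w = snprintf(out + used, outn - used,
                         "modprinc -allow_tix -allow_svr %s\n", princs[i]);
        if (w < 0 || (size_t)w >= outn - used)
            return -1;
        used += (size_t)w;
        count++;
    }
    return count;
}

int main(void)
{
    char out[1024];
    int n = disable_commands(SAMPLE_PRINCS, NSAMPLE, out, sizeof out);

    if (n < 0) {
        fputs("output buffer too small\n", stderr);
        return 1;
    }
    /* Dry run: print the kadmin.local commands rather than executing them. */
    fputs(out, stdout);
    return 0;
}
```

On a real KDC one would feed the output of `kadmin.local -q listprincs` in place of the constructed list and run each generated line through `kadmin.local -q "..."`; the dry-run form lets the operator review which principals will be touched before any flag is set.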

McAfee ePolicy Orchestrator Format String Vulnerability (a031703-1)

2003-03-17 Thread @stake Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                            @stake, Inc.
                          www.atstake.com
                         Security Advisory

Advisory Name: ePolicy Orchestrator Format String Vulnerability
 Release Date: 03/17/2003
  Application: McAfee ePolicy Orchestrator 2.5.1
     Platform: Windows 2000 Server SP1
               Windows 2000 Pro SP1
     Severity: There is a format string vulnerability
               that leads to the remote execution of code as
               SYSTEM.
      Authors: Ollie Whitehouse [EMAIL PROTECTED]
               Andreas Junestam [EMAIL PROTECTED]
Vendor Status: Vendor has patch available
CVE Candidate: CAN-2002-0690
    Reference: www.atstake.com/research/advisories/2003/a031703-1.txt
Overview:

  McAfee Security ePolicy Orchestrator
(http://www.mcafeeb2b.com/products/epolicy/default-desktop-protection.asp)
is an enterprise antivirus management tool.  ePolicy Orchestrator is a
policy driven deployment and reporting tool for enterprise administrators
to effectively manage their desktop and server antivirus products.
There is a vulnerability in the processing of network requests that
allows an attacker to anonymously execute arbitrary code. To attack
a machine running ePO, an attacker would typically need to be
located within the corporate firewall with access to TCP port 8081
on the host they wish to compromise.  Once the vulnerability is
successfully exploited the attacker gains SYSTEM level privileges on
the host.
This is a good example of why you should perform a risk analysis of
all new solutions being introduced into your environment even when
the product is designed to enhance your overall security.
Details:

  The ePolicy Orchestrator Agent is a service that allows
the retrieval of log data.  It should be noted that the Agent does
not require password authentication to gain access and allows the
retrieval of sensitive information (i.e. the source AV server, local
paths etc.). By default the agent runs as SYSTEM on the host and
thus can be used to either elevate local privileges or remotely
compromise the host.
The ePO agent uses the HTTP protocol to communicate on port 8081.
Sending a GET request with a request string containing a few format
string characters will cause the service to terminate. An event
will be written to the event log detailing the crash. A properly
constructed malicious string containing format string characters
will allow the execution of arbitrary code.
Vendor Response:

Initial contact: May, 2002

The vendor has made a patch available.  It is not directly
downloadable.  Call to request the patch.  It is delivered via
email. Contact information:
http://www.nai.com/naicommon/aboutnai/contact/intro.asp#software-support
@stake Recommendation:

If you have a support contract and are eligible for the patch you
should request it and install it.
If you cannot patch, you should consider host based filtering so
that only the network management systems that need to communicate
with the hosts running ePO can connect on TCP port 8081.  This
requires a host based firewall.
When deploying new security products within the enterprise,
organizations should understand the risks that new security
solutions may introduce.  Does the service need to be running as
the SYSTEM user? Does the service need to be accessed anonymously
from any machine?
In addition to the remote execution of arbitrary code issue there
is an information disclosure issue that can be mitigated by host
based network filtering.
Common Vulnerabilities and Exposures (CVE) Information:

  The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues.  These are candidates
for inclusion in the CVE list (http://cve.mitre.org), which
standardizes names for security problems.
CAN-2002-0690 McAfee ePolicy Orchestrator Format String

@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/
@stake Advisory Archive:
http://www.atstake.com/research/advisories/
PGP Key:
http://www.atstake.com/research/pgp_key.asc
@stake is currently seeking application security experts to fill
several consulting positions.  Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing.  Please send resumes to [EMAIL PROTECTED]
Copyright 2003 @stake, Inc. All rights reserved.

-BEGIN PGP SIGNATURE-
Version: PGP 8.0 - not licensed for commercial use: www.pgp.com
iQA/AwUBPnXZuEe9kNIfAm4yEQIStwCfT5YS5dckLOLmowF0eH6dxnFdQlYAoLsL
03RASV2cRXv/Pmf7bILYWSa6
=q0ko
-END PGP SIGNATURE-
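
The bug class described in the Details section above, as an added example that is not code from @stake or from McAfee (the ePO agent's source is not public, and nothing here reproduces it): a printf-style logging sink that receives the request text as its format string, beside the hardened form that passes the request as an argument, plus a small pre-check that counts the %-directives a format parser would act on, which is the kind of signal a request filter or event-log triage rule can key on. The function names, the logging API and the sample request strings are constructed; the demonstration uses only the "%%" directive so that the difference between the two handlers is visible without relying on undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logging sink (constructed for this example).
   Because it carries no format attribute, the compiler cannot warn when a
   caller hands it untrusted text as 'fmt', which is how this defect class
   typically survives review. */
static void log_line(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* VULNERABLE form: the request path itself becomes the format string, so
   every %-directive in it is interpreted against the caller's stack.
   Shown for contrast only. */
static void log_request_vulnerable(char *out, size_t n, const char *request)
{
    log_line(out, n, request);
}

/* HARDENED form: the request is always a %s argument, never the format,
   so its bytes are copied verbatim whatever they contain. */
static void log_request_safe(char *out, size_t n, const char *request)
{
    log_line(out, n, "GET %s", request);
}

/* Defensive pre-check: number of %-directives a format parser would act
   on.  "%%" is a literal percent sign and is not counted.  A non-zero
   result in a request path is a useful detection signal for this class
   of attack and a reasonable reason to reject the request outright. */
static int count_format_directives(const char *s)
{
    int count = 0;

    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {        /* escaped percent: skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char buf[128];
    /* Constructed request containing only the harmless "%%" directive. */
    const char *req = "/status?id=100%%";

    log_request_vulnerable(buf, sizeof buf, req);
    printf("vulnerable sink logged: %s\n", buf);   /* "%%" was consumed */
    log_request_safe(buf, sizeof buf, req);
    printf("hardened sink logged:   %s\n", buf);   /* bytes preserved */
    printf("directives in \"%s\": %d\n", "/x?%x%x%n",
           count_format_directives("/x?%x%x%n"));
    return 0;
}
```

The fix is the one-token change from `log_line(out, n, request)` to `log_line(out, n, "GET %s", request)`; the directive counter is a second, independent layer for deployments where the service cannot be patched and requests can be screened before they reach the agent.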