response Progress: Denial of Service attack against WebSpeed possible

2007-05-03 Thread suresync
Dear Eelko,

thank you for your additional details.

Development has indeed confirmed that _edit.r gets installed for
deployment, not only for development environments.

The information about this vulnerability and the recommended workaround
have been published in our knowledge base, as solution #P123694.


[SECURITY] [DSA 1286-1] New Linux 2.6.18 packages fix several vulnerabilities

2007-05-03 Thread Dann Frazier

--------------------------------------------------------------------------
Debian Security Advisory DSA 1286-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                             Dann Frazier
May 2nd, 2007                           http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: linux-2.6
Vulnerability  : several
Problem-Type   : local/remote
Debian-specific: no
CVE ID : CVE-2007-0005 CVE-2007-0958 CVE-2007-1357 CVE-2007-1592

Several local and remote vulnerabilities have been discovered in the Linux
kernel that may lead to a denial of service or the execution of arbitrary
code. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2007-0005

Daniel Roethlisberger discovered two buffer overflows in the cm4040
driver for the Omnikey CardMan 4040 device. A local user or malicious
device could exploit this to execute arbitrary code in kernel space.

CVE-2007-0958

Santosh Eraniose reported a vulnerability that allows local users to read
otherwise unreadable files by triggering a core dump while using PT_INTERP.
This is related to CVE-2004-1073.

CVE-2007-1357

Jean Delvare reported a vulnerability in the appletalk subsystem.
Systems with the appletalk module loaded can be triggered to crash
by other systems on the local network via a malformed frame.

CVE-2007-1592

Masayuki Nakagawa discovered that flow labels were inadvertently
being shared between listening sockets and child sockets. This defect
can be exploited by local users to cause a DoS (Oops).

This problem has been fixed in the stable distribution in version 
2.6.18.dfsg.1-12etch1.

The following matrix lists additional packages that were rebuilt for
compatibility with or to take advantage of this update:

 Debian 4.0 (etch)
 fai-kernels 1.17etch1
 user-mode-linux 2.6.18-1um-2etch1

We recommend that you upgrade your kernel package immediately and reboot
the machine. If you have built a custom kernel from the kernel source
package, you will need to rebuild to take advantage of these fixes.

Updated packages for the mips and mipsel architectures are not yet available.
They will be provided later.

Upgrade Instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------



rPSA-2007-0089-1 net-snmp net-snmp-utils

2007-05-03 Thread rPath Update Announcements
rPath Security Advisory: 2007-0089-1
Published: 2007-05-03
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
Remote Deterministic Denial of Service
Updated Versions:
net-snmp=/[EMAIL PROTECTED]:devel//1/5.2.1.2-4.3-1
net-snmp-utils=/[EMAIL PROTECTED]:devel//1/5.2.1.2-4.3-1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4837
https://issues.rpath.com/browse/RPL-1334

Description:
Previous versions of net-snmp are vulnerable to a remote denial
of service attack which can allow a remote attacker to craft a
disconnect to cause the snmpd daemon to crash.


Re: Medium security hole affecting DSL-G624T

2007-05-03 Thread 3APA3A
Dear Tim Brown,

This vulnerability for D-Link DSL-G624T was already reported by Jose
Ramon Palanco. See

http://securityvulns.ru/Odocument816.html

Previously, the same problem was reported for D-Link DSL-G604T by Qex

http://securityvulns.ru/Mdocument578.html


There were also a few more problems reported about /cgi-bin/webcm, see

http://securityvulns.ru/Idocument664.html
http://securityvulns.ru/Idocument759.html



--Thursday, May 3, 2007, 2:43:58 AM, you wrote to [EMAIL PROTECTED]:

TB> Hi,

TB> I've identified a couple of security flaws affecting the DSL-G624T firmware.
TB> I believe the directory traversal issue has been reported in other devices /
TB> firmware versions supplied by D-Link but not the combination I tested and
TB> clearly has not been resolved.  Additionally, the Javascript injection issue
TB> is I believe new and has not been reported on any device.

TB> These issues were reported by email to the vendor at the usual addresses
TB> (support/security/etc) without response on 13th April 2007.  I also attempted
TB> to log faults on the vendor's support web site but sadly, it would not
TB> function adequately using either Firefox or Konqueror.

TB> Tim


-- 
~/ZARAZA http://securityvulns.com/
Even if you do receive some letter, you still won't be able to read it. (Twain)



rPSA-2007-0088-1 xscreensaver

2007-05-03 Thread rPath Update Announcements
rPath Security Advisory: 2007-0088-1
Published: 2007-05-03
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
Local User Deterministic Weakness
Updated Versions:
xscreensaver=/[EMAIL PROTECTED]:devel//1/4.22-1.2-1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1859
https://issues.rpath.com/browse/RPL-1293

Description:
Previous versions of xscreensaver are vulnerable to an attack that
requires that the attacker have physical access.  If the system is
configured to use remote directory service for login credentials,
an attacker who can cause or take advantage of a network failure
can cause the xscreensaver process to crash, unlocking the screen,
and allowing the attacker unrestricted access to the system as the
logged-in user.


rPSA-2007-0085-1 lftp

2007-05-03 Thread rPath Update Announcements
rPath Security Advisory: 2007-0085-1
Published: 2007-05-03
Products: rPath Linux 1
Rating: Informational
Exposure Level Classification:
Indirect User Non-deterministic Unauthorized Access
Updated Versions:
lftp=/[EMAIL PROTECTED]:devel//1/3.5.10-0.1-1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2348
https://issues.rpath.com/browse/RPL-1229

Description:
Previous versions of lftp contain a mirror script that can be caused
to execute attacker-provided code when attempting to mirror a
malicious or compromised FTP site.


rPSA-2007-0090-1 gimp

2007-05-03 Thread rPath Update Announcements
rPath Security Advisory: 2007-0090-1
Published: 2007-05-03
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
Indirect User Deterministic Unauthorized Access
Updated Versions:
gimp=/[EMAIL PROTECTED]:devel//1/2.2.8-8.3-1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2356
https://issues.rpath.com/browse/RPL-1318

Description:
Previous versions of gimp are vulnerable to a user-assisted attack
in which gimp may execute arbitrary code contained in a sunras
format file that has been maliciously crafted.


12All File Upload Vulnerability

2007-05-03 Thread John McGuire

Author: John McGuire
Company: ActiveCampaign
Product: 1-2-All
Version: 4.5x - 4.53.13
Flaw: Arbitrary File Upload
Vendor Notified: Yes
Patch Available: Yes
Patch Location: 
http://www.activecampaign.com/support/forum/showthread.php?t=3293



URL: 
http://{12All_Location}/admin/functions/editor/editor/filemanager/browser/default/browser.html


Description: The FCKeditor module used to create HTML emails appears to 
check filenames against a blacklist of bad extensions. Extensions such 
as php4 and php5 are not in this list, and can be executed and run 
depending on server configuration.
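The blacklist gap described above, shown beside the allowlist check that closes it, as an added Python illustration (not code from 1-2-All or FCKeditor; the deny list and allow list here are constructed, not the product's real lists):

```python
import os
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Illustrative deny list in the style the advisory describes (constructed here,
# not FCKeditor's real list): "php" is blocked, php4 and php5 are not.
DENIED_EXTENSIONS = {"php", "phtml", "exe"}

# What an HTML-email image browser actually needs to accept (constructed).
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}


def extension_of(filename: str) -> str:
    """Final suffix of the client-supplied name, lower-cased, without the dot."""
    base = os.path.basename(filename)
    _, ext = os.path.splitext(base)
    return ext[1:].lower()  # normalise case so the set comparison is exact


def denylist_allows(filename: str) -> bool:
    """The weak check: anything not explicitly listed as bad is accepted."""
    return extension_of(filename) not in DENIED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """The hardened check: only the extensions the feature needs are accepted."""
    return extension_of(filename) in ALLOWED_IMAGE_EXTENSIONS


def stored_name(filename: str) -> Optional[str]:
    """Server-chosen name for an accepted upload; None when the upload is rejected.

    The client-supplied name never reaches the filesystem: only its validated
    extension is reused, appended to a random token.
    """
    if not allowlist_allows(filename):
        return None
    return f"{secrets.token_hex(16)}.{extension_of(filename)}"


def compare(filenames: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Side-by-side verdicts (denylist, allowlist) for each name."""
    return {name: (denylist_allows(name), allowlist_allows(name)) for name in filenames}


if __name__ == "__main__":
    # Constructed sample names, including the two extensions the advisory calls out.
    verdicts = compare(["logo.png", "mail.php", "mail.php4", "mail.php5"])
    for name, (deny, allow) in verdicts.items():
        print(f"{name:10} denylist={'accept' if deny else 'reject':6} "
              f"allowlist={'accept' if allow else 'reject'}")
```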




[security bulletin] HPSBMI02210 SSRT071396 rev.1 - ProCurve Series 9300m Switches, Remote Denial of Service (DoS)

2007-05-03 Thread security-alert

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01034753
Version: 1

HPSBMI02210 SSRT071396 rev.1 - ProCurve Series 9300m Switches, Remote Denial of 
Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2007-04-25
Last Updated: 2007-04-25

Potential Security Impact: Remote Denial of Service (DoS) 

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in the ProCurve Series 
9300m Switches. The vulnerability could be remotely exploited resulting in a 
Denial of Service (DoS).

References: none 

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
ProCurve Series 9300m Switches – system software versions 08.0.01c – 08.0.01j 

BACKGROUND

RESOLUTION

Customers who have installed the vulnerable system software versions 08.0.01c – 
08.0.01j should install 07.8.03. 
The version 07.8.03 software can be obtained from the ProCurve Networking 
Software for Switches website: http://www.hp.com/rnd/software/switches.htm 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: [EMAIL PROTECTED] 
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED] 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.


To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is 
represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
 

System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current secure 
solutions.


"HP is broadly distributing this Security Bulletin in order to bring to the 
attention of users of the affected HP products the important security 
information contained in this Bulletin. HP recommends that all users determine 
the applicability of this information to their individual situations and take 
appropriate action. HP does not warrant that this information is necessarily 
accurate or complete for all user situations and, consequently, HP will not be 
responsible for any damages resulting from user's use or disregard of the 
information provided in this Bulletin. To the extent permitted by law, HP 
disclaims all warranties, either express or implied, including the warranties 
of merchantability and fitness for a particular purpose, title and 
non-infringement."

©Copyright 2007 Hewlett-Packard Development Company, L.P. 

Hewlett-Packard Company shall not be liable for technical or editorial errors 
or omissions contained herein. The information provided is provided "as is" 
without warranty of any kind. To the extent permitted by law, neither HP or its 
affiliates, subcontractors or suppliers will be liable for incidental, special 
or consequential damages including downtime cost; lost profits; damages 
relating to the procurement of substitute products or services; or damages for 
loss of data, or software restoration. The information in this document is 
subject to change without notice. Hewlett-Packard Company and the names of 
Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard 
Company in the United States and other countries. Other product and company 
names mentioned herein may be trademarks of their respective owners.

[security bulletin] HPSBUX01137 SSRT5954 rev.10 - HP-UX Running TCP/IP (IPv4), Remote Unauthorized Denial of Service (DoS)

2007-05-03 Thread security-alert

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00571568
Version: 10

HPSBUX01137 SSRT5954 rev.10 - HP-UX Running TCP/IP (IPv4), Remote Unauthorized 
Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2005-04-24
Last Updated: 2007-04-25

Potential Security Impact: Remote unauthorized Denial of Service (DoS) 

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running 
TCP/IP (IPv4). This vulnerability could be remotely exploited by an 
unauthorized user to cause a Denial of Service (DoS). 

References: CAN-2005-1192 

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.22, B.11.23. 

BACKGROUND

To determine if an HP-UX system has an affected version, 
search the output of "swlist -a revision -l fileset" 
for one of the filesets listed below. For affected systems 
verify that the recommended action has been taken. 

AFFECTED VERSIONS 

HP-UX B.11.11 
= 
Networking.NET2-KRN 
action: install PHNE_33159 

HP-UX B.11.22 
= 
Networking.NET2-KRN 
action: install preliminary binary files per Security Bulletin HPSBUX01164 

HP-UX B.11.23 
= 
Networking.NET2-KRN 
action: install PHNE_32606 

HP-UX B.11.11 
= 
IPSec.IPSEC2-KRN 
action: install revision A.01.07.02 and PHNE_33159 or subsequent 

HP-UX B.11.11 
= 
IPSec.IPSEC2-KRN 
action: install revision A.02.00.01 and TOUR 3.0 

HP-UX B.11.23 
= 
IPSec.IPSEC2-KRN 
action: install revision A.02.00.01 and PHNE_32606 or subsequent 

HP-UX B.11.23 
= 
IPSec.IPSEC2-KRN 
action: install revision A.02.00.01 and TOUR 3.0 

END AFFECTED VERSIONS 
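The check the bulletin describes (search `swlist -a revision -l fileset` output for the listed filesets, then confirm the action was taken) written out as an added Python example; this is not HP's code, the swlist output is a constructed sample, and the example assumes installed patches appear in that output as their own product, e.g. PHNE_33159.NET2-KRN. "Or subsequent" patches and the TOUR alternatives cannot be resolved offline, so a missing patch is reported for manual verification rather than guessed.

```python
import re
from typing import Dict, List, Tuple

# Affected-versions matrix as published in HPSBUX01137 (rev.10):
# (HP-UX release, product.fileset) -> what the bulletin asks for.
#  patch   : PHNE patch whose filesets must appear in the swlist output
#  min_rev : minimum revision of the fileset itself (IPSec rows)
#  manual  : remediation that cannot be checked from swlist alone
MATRIX: Dict[Tuple[str, str], Dict[str, str]] = {
    ("B.11.11", "Networking.NET2-KRN"): {"patch": "PHNE_33159"},
    ("B.11.22", "Networking.NET2-KRN"): {"manual": "preliminary binary files per HPSBUX01164"},
    ("B.11.23", "Networking.NET2-KRN"): {"patch": "PHNE_32606"},
    ("B.11.11", "IPSec.IPSEC2-KRN"): {"min_rev": "A.01.07.02", "patch": "PHNE_33159"},
    ("B.11.23", "IPSec.IPSEC2-KRN"): {"min_rev": "A.02.00.01", "patch": "PHNE_32606"},
}

# Data lines look like "  Networking.NET2-KRN   B.11.11"; '#' lines are swlist chatter.
_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\.([A-Za-z0-9_-]+)\s+(\S+)\s*$")


def parse_swlist(text: str) -> Dict[str, str]:
    """Map 'Product.FILESET' -> revision from `swlist -a revision -l fileset` output."""
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            installed[f"{m.group(1)}.{m.group(2)}"] = m.group(3)
    return installed


def rev_key(rev: str) -> Tuple:
    """'A.01.07.02' -> ('A', 1, 7, 2) so revisions compare numerically, not lexically."""
    head, *rest = rev.split(".")
    return (head, *(int(p) for p in rest))


def assess(release: str, installed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (fileset, status, detail) for each matrix row that applies to `release`."""
    findings: List[Tuple[str, str, str]] = []
    for (rel, fileset), need in MATRIX.items():
        if rel != release:
            continue
        if fileset not in installed:
            findings.append((fileset, "not installed", ""))
            continue
        if "manual" in need:
            findings.append((fileset, "manual check", need["manual"]))
            continue
        problems = []
        if "min_rev" in need and rev_key(installed[fileset]) < rev_key(need["min_rev"]):
            problems.append(f"revision {installed[fileset]} < {need['min_rev']}")
        # Assumption: an installed patch is listed as its own product, e.g. PHNE_33159.NET2-KRN.
        if not any(name.startswith(need["patch"] + ".") for name in installed):
            problems.append(f"{need['patch']} not found (a superseding patch or TOUR must be verified by hand)")
        if problems:
            findings.append((fileset, "action required", "; ".join(problems)))
        else:
            findings.append((fileset, "remediated", need["patch"] + " present"))
    return findings


# Constructed sample output for an unpatched B.11.11 host (not a real capture).
SAMPLE_UNPATCHED = """\
# Initializing...
# Target:  host11:/
  Networking.NET2-KRN        B.11.11
  IPSec.IPSEC2-KRN           A.01.05.00
"""

# Same host after PHNE_33159 was installed; IPSec is still at an old revision.
SAMPLE_PATCHED = SAMPLE_UNPATCHED + "  PHNE_33159.NET2-KRN        1.0\n"

if __name__ == "__main__":
    for fs, status, detail in assess("B.11.11", parse_swlist(SAMPLE_PATCHED)):
        print(f"{fs:22} {status:16} {detail}")
```

On a real host, feed the output of `swlist -a revision -l fileset` and the release from `uname -r` into `assess` in place of the constructed sample.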

Certain network traffic can result in a Denial of Service (DoS) for HP-UX 
systems running TCP/IP (IPv4). Receiving a certain packet on any open TCP/IP 
connection can result in a Denial of Service (DoS) condition which can only be 
corrected by a reboot of the affected system. The Denial of Service (DoS) is 
characterized by high cpu utilization and a lack of response on any I/O port 
including the system console. 

Previous revisions of this Security Bulletin recommended setting 
ip_pmtu_strategy to 0 or 3 as a workaround. Patches or updates to resolve the 
issue are now available. After these patches or updates are installed the 
workaround will no longer be necessary or recommended. 
-> The ip_pmtu_strategy parameter should be restored to the default value of 1. 
-> Note: Previous versions of this Security Bulletin incorrectly stated that 
the default value of ip_pmtu_strategy is 2. 

RESOLUTION
Patches are available for the core TCP/IP product for 
B.11.11 and B.11.23 from http://itrc.hp.com 

For B.11.11 - PHNE_33159 or subsequent 
For B.11.23 - PHNE_32606 or subsequent 

Binary files are available for B.11.22 as discussed in Security Bulletin 
HPSBUX01164. 

Patches and updates are available for IPSec. 
The patches are available from http://itrc.hp.com 
IPSec and TOUR (Transport Optional Upgrade Release) are available from 
http://www.hp.com/go/softwaredepot 

For B.11.11 IPSec: 
IPSec revision A.01.07.02 and PHNE_33159 or subsequent 
or 
IPSec revision A.01.07.02 and TOUR 3.0 

For B.11.23 IPSec: 
IPSec revision A.02.00.01 and PHNE_32606 or subsequent 
or 
IPSec revision A.02.00.01 and TOUR 3.0 

MANUAL ACTIONS: Yes - NonUpdate 
B.11.22 Install preliminary binary files per Security Bulletin HPSBUX01164. 

B11.11 running IPSec 
Install IPSec revision A.01.07.02 and PHNE_33159 or subsequent 
or 
Install IPSec revision A.01.07.02 and TOUR 3.0 

B11.23 running IPSec 
Install IPSec revision A.02.00.01 and PHNE_32606 or subsequent 
or 
Install IPSec revision A.02.00.01 and TOUR 3.0 

PRODUCT SPECIFIC INFORMATION 

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application 
that replaces HP-UX Security Patch Check. It analyzes all HP-issued Security 
Bulletins and lists recommended actions that may apply to a specific HP-UX 
system. It can also download patches and create a depot automatically. For more 
information see: 
https://www.hp.com/go/swa 

HISTORY 
Revision:0 (rev.0) - 24 April 2005 Initial release 
Revision:1 (rev.1) - 25 May 2005 Binary files available per Security Bulletin 
HPSBUX01164 
Revision:2 (rev.2) - 1 June 2005 IPSec not included in binary files 
Revision:3 (rev.3) - 27 June 2005 PHNE_33159 is available for B.11.11 
Revision: 4 (rev.4) - 10 July 2005 PHNE_32606 is available for B.11.23 
Revision:5 (rev.5) - 24 July 2005 Clarified the Resolution and Manual Actions 
sections 
Revision:6 (rev.6) - 5 December 2005 IPSec revisions available 
Version:7 (rev.7) - Skipped for formatting reasons 
Version:8 (rev.8) - 23 January 2006 Add rev. to title 
Version:9 (rev.9) - 2 April 2007 Change A.2.00.01 to A.02.00.01 
Version:10 (rev.10) - 30 Apri

[ MDKSA-2007:097 ] - Updated xscreensaver packages fix vulnerability

2007-05-03 Thread security


 ___
 
 Mandriva Linux Security Advisory MDKSA-2007:097
 http://www.mandriva.com/security/
 ___
 
 Package : xscreensaver
 Date: May 2, 2007
 Affected: 2007.0, 2007.1, Corporate 3.0
 ___
 
 Problem Description:
 
 A problem with the way xscreensaver verifies user passwords
 was discovered by Alex Yamauchi.  When a system is using remote
 authentication (i.e. LDAP) for logins, a local attacker able to cause
 a network outage on the system could cause xscreensaver to crash,
 which would unlock the screen.
 
 Updated packages have been patched to correct this issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1859
 ___
 
 Updated Packages:
 
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___


[security bulletin] HPSBTU02116 SSRT061135 rev.3 - HP Tru64 UNIX and HP Internet Express for Tru64 UNIX Running sendmail, Remote Execution of Arbitrary Code or Denial of Service (DoS)

2007-05-03 Thread security-alert

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00692635
Version: 3

HPSBTU02116 SSRT061135 rev.3 - HP Tru64 UNIX and HP Internet Express for Tru64 
UNIX Running sendmail, Remote Execution of Arbitrary Code or Denial of Service 
(DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2007-04-25
Last Updated: 2007-04-25

Potential Security Impact: Remote execution of arbitrary code, Denial of 
Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Tru64 UNIX or 
HP Internet Express for Tru64 UNIX running sendmail which may allow a remote 
attacker to execute arbitrary code or cause a Denial of Service (DoS).

References: CVE-2006-0058 (VU#834865), CVE-2006-1173 (VU#146718)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
The following supported software versions are affected: 

HP Tru64 UNIX v5.1B-3 
HP Tru64 UNIX v5.1B-2/PK4 
HP Tru64 UNIX v5.1A PK6 
HP Tru64 UNIX v4.0G PK4 
HP Tru64 UNIX v4.0F PK8 
HP Internet Express for Tru64 UNIX v6.3 
HP Internet Express for Tru64 UNIX v6.4 
HP Internet Explorer for Tru64 UNIX v6.5 

BACKGROUND

RESOLUTION

HP has released the following Early Release Patch kits (ERPs) publicly for use 
by any customer. 

The ERP kits use dupatch to install and will not install over any Customer 
Specific Patches (CSPs) that have file intersections with the ERP.

The resolutions contained in the ERP kits are targeted to be available in the 
following supported patch kits: 

Tru64 UNIX v5.1B-4

The ERP kits distribute sendmail 8.13.6.

=
HP Tru64 UNIX Version v5.1B-3 ERP Kit 
=

Location: 
http://www2.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001125-V51BB26-ES-20070220
 

Name:T64KIT1001125-V51BB26-ES-20070220

MD5 Checksum: bd43eb3b99466a9d82d01c1f5cc33f9c

= 
HP Tru64 UNIX Version v5.1B-2/PK4 ERP Kit 
=

Location: 
http://www2.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1000617-V51BB25-ES-20060515
 

Name: T64KIT1000617-V51BB25-ES-20060515

MD5 Checksum: 1d8a0dc34628b5898c99b6dab2714320

= 
HP Tru64 UNIX Version v5.1A PK6 ERP Kit 
=

Location: 
http://www2.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1000618-V51AB24-ES-20060515
 

Name: T64KIT1000618-V51AB24-ES-20060515

MD5 Checksum: b9a2ef1d0c1745ce0fa265b2d2fd8c32

= 
HP Tru64 UNIX Version v4.0G PK4 ERP Kit 
=

Location: 
http://www2.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1000635-V40GB22-ES-20060519
 

Name: T64KIT1000635-V40GB22-ES-20060519

MD5 Checksum: 2c74941543d969c92adef38a44b5c764

= 
HP Tru64 UNIX Version v4.0F PK8 ERP Kit 
=

Location: 
http://www2.itrc.hp.com/service/patch/patchDetail.do?patchid=DUXKIT1000636-V40FB22-ES-20060519
 

Name: DUXKIT1000636-V40FB22-ES-20060519

MD5 Checksum: 9735ad5cc5c705e8efb01feb4128

= 
HP Internet Express for Tru64 UNIX v6.3 ERP Kit 
=

Location: 
http://www2.itrc.hp.com/service/patch/patchDetail.do?patchid=T64V51AB-IX-631-SENDMAIL-SSRT-061135
 

Name: T64V51AB-IX-631-SENDMAIL-SSRT-061135

MD5 Checksum: ee9e7d5b0cc01e0424edc05021670820

= 
HP Internet Express for Tru64 UNIX v6.4 ERP Kit 
=

Location: 
http://www2.itrc.hp.com/service/patch/patchDetail.do?patchid=T64V51AB-IX-641-SENDMAIL-SSRT-061135
 

Name: T64V51AB-IX-641-SENDMAIL-SSRT-061135

MD5 Checksum: 5b1a544575a62831c173fc489b8eaeea

= 
HP Internet Explorer for Tru64 UNIX v6.5 ERP Kit 
=

Location: 
http://www2.itrc.hp.com/service/patch/patchDetail.do?patchid=T64V51AB-IX-651-SENDMAIL-SSRT-061135
 

Name: T64V51AB-IX-651-SENDMAIL-SSRT-061135 

MD5 Checksum: 0b6268159a9957c56ff2f35cea2057d8


PRODUCT SPECIFIC INFORMATION 


HISTORY 

Version: 1 (rev.1) 5 June 2006 Initial release 
Version: 2 (rev.2) 15 June 2006 Updated references 
Version: 3 (rev.3) 25 April 2007 Updated to add new ERP kit for HP Tru64 UNIX 
v5.1B-3 because PSM functionality was broken in the HPSBTU02116 rev.2 ERP kit 
T64KIT1000619-V51BB26-ES-20060515 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: [EMAIL PROTECTED] 
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED] 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Em

[security bulletin] HPSBTU02179 SSRT061256 rev.1 - HP Tru64 UNIX Running the ps command, Local Disclosure of Sensitive Information

2007-05-03 Thread security-alert

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00817515
Version: 1

HPSBTU02179 SSRT061256 rev.1 - HP Tru64 UNIX Running the ps command, Local 
Disclosure of Sensitive Information

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2007-04-25
Last Updated: 2007-04-25

Potential Security Impact: Local disclosure of sensitive information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with the HP Tru64 UNIX 
Operating System running the ps command. The ps command could be used to 
disclose information about a process's arguments and environmental variables 
that might be exploited by a local, authorized user. 

References: None 

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
The following supported software versions are affected: 

HP Tru64 UNIX v5.1B-4 
HP Tru64 UNIX v5.1B-3 
HP Tru64 UNIX v5.1A PK6 
HP Tru64 UNIX v4.0G PK4 
HP Tru64 UNIX v4.0F PK8 

BACKGROUND


RESOLUTION
HP has released the following Early Release Patch kits (ERPs) publicly for use 
by any customer. 

The ERP kits use dupatch to install and will not install over any Customer 
Specific Patches (CSPs) that have file intersections with the ERP.

The resolutions contained in the ERP kits are targeted for availability in the 
following mainstream patch kit: 

HP Tru64 UNIX Version v5.1B-5

The ERP kits distribute the following files:

/usr/bin/ps 
/sbin/ps 

After installing the patch kit, by default, the HP Tru64 UNIX ps command 
behaves just the same: it can display a process's arguments, and the ps e 
command displays a process's environmental variables. 
To prevent users from seeing the arguments and environmental variables of other 
users, set new variables in the "/etc/rc.config.common" file (versions v5.1A 
PK6, v5.1B-3, v5.2B-4) or the "/etc/rc.config" file (versions v4.0G PK4 and 
v4.0F PK8) as follows: 

For HP Tru64 UNIX versions v5.1B-4, v5.1B-3 and v5.1A PK6, use:

# rcmgr -c set TBL_ARGUMENTS_DISABLE 1 
# rcmgr -c set TBL_ENVIRONMENT_DISABLE 1 

For HP Tru64 UNIX versions v4.0G PK4 and v4.0F PK8, use:

# rcmgr set TBL_ARGUMENTS_DISABLE 1 
# rcmgr set TBL_ENVIRONMENT_DISABLE 1 

Important notes about setting these new variables: 

Setting the new variables to prevent the ps command from allowing non-root 
users to display other users' arguments and environment variables might cause 
some applications or program scripts to not function properly. 
The root user running the ps command will continue to be allowed to display 
other users' arguments and environment variables. 

===
HP Tru64 UNIX Version v5.1B-4 ERP Kit 
===

Location: 
http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001143-V51BB27-ES-20070305
 

Name: T64KIT1001143-V51BB27-ES-20070305

MD5 Checksum: 44b15d10895cf0606003a572b3310f9a

=== 
HP Tru64 UNIX Version v5.1B-3 ERP Kit 
===

Location: 
http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001144-V51BB26-ES-20070305
 

Name: T64KIT1001144-V51BB26-ES-20070305

MD5 Checksum: 67cfabb7cd3c422e2dc6bb6ed3d7d290
 
===
HP Tru64 UNIX Version v5.1A PK6 ERP Kit 
===

Location: 
http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001145-V51AB24-ES-20070305
 

Name: T64KIT1001145-V51AB24-ES-20070305

MD5 Checksum: de6885b166dba703af862ce05431e5cc

=== 
HP Tru64 UNIX Version v4.0G PK4 ERP Kit 
===

Location: 
http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001179-V40GB22-ES-20070330
 

Name: T64KIT1001179-V40GB22-ES-20070330

MD5 Checksum: 31129e60bb01ffdea015312c0e019fae

=== 
HP Tru64 UNIX Version v4.0F PK8 ERP Kit 
===

Location: 
http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=DUXKIT1001180-V40FB22-ES-20070330
 

Name: DUXKIT1001180-V40FB22-ES-20070330

MD5 Checksum: db9d634bb27f02642e00f149d6ebb8ee
 


PRODUCT SPECIFIC INFORMATION 

HISTORY 

Version:1 (rev.1) - 25 April 2007 Initial release 

Third Party Security Patches: Third party security patches which are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: [EMAIL PROTECTED] 
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED] 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulleti
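A configuration audit for the workaround above, added here as an example and not part of HP's bulletin or patch kit. It parses an rc.config-style file and reports whether both variables are set to 1; it assumes the file uses the `NAME="value"` plus `export NAME` layout that rcmgr writes, and the two sample files are constructed.

```python
"""Audit an HP Tru64 rc.config-style file for the ps hardening variables.

Added example, not part of the HP bulletin. It assumes the rc.config /
rc.config.common file holds `NAME="value"` lines followed by `export NAME`
(the layout rcmgr writes); the two sample files below are constructed.
"""
import re

# The two variables the bulletin tells administrators to set to 1.
REQUIRED = ("TBL_ARGUMENTS_DISABLE", "TBL_ENVIRONMENT_DISABLE")

# NAME="value" or NAME=value; comments and `export NAME` lines do not match.
_ASSIGN = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)=("?)([^"\n]*)\2\s*$')


def parse_rc_config(text):
    """Return {NAME: value}; a later assignment overrides an earlier one,
    as it would when the shell sources the file."""
    values = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            values[m.group(1)] = m.group(3)
    return values


def ps_hardening_status(text):
    """Map each required variable that is missing or not '1' to a finding.
    An empty dict means both variables are set as the bulletin recommends."""
    values = parse_rc_config(text)
    findings = {}
    for name in REQUIRED:
        val = values.get(name)
        if val is None:
            findings[name] = "unset (default: ps shows other users' args/env)"
        elif val != "1":
            findings[name] = f"set to {val!r}, expected '1'"
    return findings


# Constructed: the state rcmgr leaves after the two commands in the bulletin.
HARDENED = """\
HOSTNAME="tru64host"
export HOSTNAME
TBL_ARGUMENTS_DISABLE="1"
export TBL_ARGUMENTS_DISABLE
TBL_ENVIRONMENT_DISABLE="1"
export TBL_ENVIRONMENT_DISABLE
"""

# Constructed: one variable explicitly 0, the other never set.
PARTIAL = """\
HOSTNAME="tru64host"
export HOSTNAME
TBL_ARGUMENTS_DISABLE="0"
export TBL_ARGUMENTS_DISABLE
"""

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("partial", PARTIAL)):
        print(label, ps_hardening_status(sample) or "OK")
```

On a real system, feed it the contents of /etc/rc.config.common (v5.1 kits) or /etc/rc.config (v4.0 kits), the files the bulletin names. A non-empty result means the patched ps will still show other users' arguments or environment, which is the pre-workaround behaviour the bulletin describes.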

[security bulletin] HPSBPI02185 SSRT071290 rev.2 - HP Jetdirect Running ftp, Remote Denial of Service (DoS)

2007-05-03 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00838612
Version: 2

HPSBPI02185 SSRT071290 rev.2 - HP Jetdirect Running ftp, Remote Denial of 
Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon 
as possible.

Release Date: 2007-01-17
Last Updated: 2007-04-25


Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified with HP Jetdirect running ftp. 
The vulnerability could be exploited remotely to create a Denial of Service 
(DoS).

References: CVE-2007-1772

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Jetdirect running firmware versions from x.20.nn up to and including x.24.nn 

BACKGROUND

 ->Note: The resolution below addresses the vulnerability reported in 
CVE-2007-1772.

The whitepaper 'HP Jetdirect Security Guidelines' has recommendations for 
securing HP Jetdirect. 
The whitepaper is available here: 
http://h2.www2.hp.com/bc/docs/support/SupportManual/c00746792/c00746792.pdf 

RESOLUTION
This vulnerability can be resolved by upgrading the Jetdirect firmware. 
There is also a workaround for this vulnerability by making configuration 
changes. 

Recent Jetdirect products use firmware revision x.25.nn or greater and are not 
vulnerable. Some older Jetdirect products allow the firmware to be upgraded and 
others do not.

Instructions for upgrading Jetdirect firmware are available here: 
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj07429 

For J4169A 610n - upgrade the firmware to version L.25.nn or greater.

For J6057A 615n - upgrade the firmware to version R.25.nn or greater.

Other older Jetdirect products running versions from x.20.nn up to and 
including x.24.nn are potentially vulnerable. The firmware for these products 
cannot be upgraded. The potential vulnerability can be avoided by disabling ftp 
or using access control lists as discussed in the whitepaper 'HP Jetdirect 
Security Guidelines' mentioned above.

PRODUCT SPECIFIC INFORMATION 

HISTORY 

Version:1 (rev.1) - 17 January 2007 Initial release 
Version:2 (rev.2) - 25 April 2007 Added reference to CVE-2007-1772 

Third Party Security Patches: Third party security patches which are to be 
installed on systems running HP software products should be applied in 
accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported 
product, send Email to: [EMAIL PROTECTED] 
It is strongly recommended that security related information being communicated 
to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED] 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins 
via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile 
to update appropriate sections.


To review previously published Security Bulletins visit: 
http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is 
represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault


System management and security procedures must be reviewed frequently to 
maintain system integrity. HP is continually reviewing and enhancing the 
security features of software products to provide customers with current secure 
solutions.


"HP is broadly distributing this Security Bulletin in order to bring to the 
attention of users of the affected HP products the important security 
information contained in this Bulletin. HP recommends that all users determine 
the applicability of this information to their individual situations and take 
appropriate action. HP does not warrant that this information is necessarily 
accurate or complete for all user situations and, consequently, HP will not be 
responsible for any damages r
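A small inventory triage for the affected-version range and the two resolutions above, added as an example and not HP's code. It assumes Jetdirect revisions follow the letter.major.minor shape the bulletin uses (for example L.24.03), takes the L.25/R.25 fix levels for J4169A and J6057A from the bulletin, and uses a constructed device list; the third product code is a placeholder.

```python
"""Classify HP Jetdirect firmware revisions against the affected range.

Added example, not from the HP bulletin. Assumes revisions look like
LETTER.MAJOR.MINOR (e.g. L.24.03); the inventory below is constructed.
"""
import re

_REV = re.compile(r"^([A-Z])\.(\d{2})\.(\d{2})$")

# Affected: x.20.nn up to and including x.24.nn; x.25.nn or greater is not.
VULN_LOW, VULN_HIGH = 20, 24

# Products the bulletin says can be upgraded, with their firmware letter.
UPGRADEABLE = {"J4169A": "L", "J6057A": "R"}


def parse_revision(rev):
    """Split 'L.24.03' into ('L', 24, 3); reject anything else."""
    m = _REV.match(rev.strip().upper())
    if not m:
        raise ValueError(f"unrecognised Jetdirect revision: {rev!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def is_affected(rev):
    """True when the major revision falls in the 20..24 range."""
    _, major, _ = parse_revision(rev)
    return VULN_LOW <= major <= VULN_HIGH


def recommend(product, rev):
    """The bulletin's action for one device: upgrade, mitigate, or nothing."""
    if not is_affected(rev):
        return "not affected"
    if product in UPGRADEABLE:
        return f"upgrade to {UPGRADEABLE[product]}.25.nn or later"
    return "no firmware fix: disable ftp or restrict access with ACLs"


def triage(inventory):
    """Map (product, revision) pairs to recommended actions."""
    return {(p, r): recommend(p, r) for p, r in inventory}


# Constructed inventory; "JXXXXA" is a placeholder for an older model.
INVENTORY = [
    ("J4169A", "L.21.05"),
    ("J6057A", "R.25.20"),
    ("JXXXXA", "G.22.11"),
]

if __name__ == "__main__":
    for device, action in triage(INVENTORY).items():
        print(device, "->", action)
```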

SchoolBoard (admin.php) Remote Login Bypass SQL Injection Vulnerability

2007-05-03 Thread ilkerkandemir
# Remote Login Bypass SQL Injection Vulnerability (admin.php)

#

# AYYILDIZ.ORG Presents.

# SchoolBoard [ http://free-php-scripts.net/download.php?id=120 ]

# author : iLker Kandemir< ilkerkandemir  mynet.com >

# Tnx : h0tturk,ekin0x,Dr.Max Virus,Gencnesil,Gencturk,Ajann

# Vulnerable; /admin.php

-//If login in
if($_POST['password'] != NULL){<<<-[+] //do all this:
  
 if($_POST['password'] == $ADMIN_PASS){
  $_SESSION['is_admin'] = $ADMIN_PASS;
 } else {
  $message = 'Invalid Access';
 }
}

//Check password
if($_SESSION['is_admin'] != $ADMIN_PASS){$_GET['page'] = 'login';}

if($_GET['page'] == NULL){$_GET['page'] = $_POST['page'];}

if($_GET['page'] != 'Add' && $_GET['page'] != 'login'){  
<<<---[+]  // but the user/pass don't match

-


username : 1/**/union/**/select/**/1,2,3,4/*
password : 1/**/union/**/select/**/1,2,3,4/*   (ADMIN_PASS)

Panel: /admin.php logged.



Bradford CampusManager v3.1(6) Sensitive Data Disclosure

2007-05-03 Thread john
Bradford CampusManager v3.1(6) Sensitive Data Disclosure

The following directories should be protected from world readability. Child 
folders include backup, log, and configuration files.

http://cmnms.target.com:8080/runTime/
http://cmnms.target.com:8080/remediationReports/

Vulnerable: CampusManager Network Control Application Server v3.1(6) (others 
should also be affected)

John Martinelli
[EMAIL PROTECTED]
http://john-martinelli.com

May 3rd, 2007


Medium security hole affecting DSL-G624T

2007-05-03 Thread Tim Brown
Hi,

I've identified a couple of security flaws affecting the DSL-G624T firmware.  
I believe the directory traversal issue has been reported in other devices / 
firmware versions supplied by D-Link but not the combination I tested and 
clearly has not been resolved.  Additionally, the Javascript injection issue 
is I believe new and has not been reported on any device.

These issues were reported by email to the vendor at the usual addresses 
(support/security/etc) without response on 13th April 2007.  I also attempted 
to log faults on the vendor's support web site but sadly, it would not 
function adequately using either Firefox or Konqueror.

Tim
-- 
Tim Brown


Nth Dimension Security Advisory (NDSA20070412)
Date: 12th April 2007
Author: Tim Brown 
URL:  / 
Product: DSL-G624T router (V3.00B01T02.UK-A.20060208)

Vendor: D-Link 
Risk: Medium

Summary

Following the Securiteam posting "D-Link DSL-G604T Wireless Router
Directory Traversal" which described a directory traversal in release
V1.00B02T02.EU.20040618 of the DSL-G624T router firmware, research
was carried out on the DSL-G624T router which indicated that it too
was vulnerable to this and a second vulnerability.  Nth Dimension
would also point out that the directory traversal has been reported in
other router and firmware combinations.

1) Firmware CGI is vulnerable to directory traversal and can be made
to retrieve any file to which the web server user has read access
(for example /etc/shadow).

2) Firmware CGI is vulnerable to Javascript injection within the 
requested URL.

Technical Details

1) The firmware CGI script can be made to read any arbitrary file that
the web server user has read access to, as it makes no sanity checks on
the value passed within the getpage parameter of the URL, for example:

http://192.168.1.1/cgi-bin/webcm?getpage=/etc/shadow

In the event that the user has not authenticated, then the user is prompted
for authentication credentials before the request is processed.

As noted above this vulnerability bears an uncanny resemblance to a previously
reported vulnerability with another D-Link router running a (presumably) older
version of the firmware.

2) The value of the URL requested is used within the web pages returned
by the firmware CGI script, in its unsanitised form.  Specifically, it makes
no sanity checks on the value passed within the var:RelaodHref parameter of the
URL, for example:

http://192.168.1.1/cgi-bin/webcm?getpage=../html/home/home_RelaodHref.htm&var:RelaodHref=a"%20==%20"a";){alert("XSS")}}

As with the example of Javascript injection, the user will be
prompted to authenticate if required.

Combining these vulnerabilities should allow the compromise of any router
running affected firmware versions.

Solutions

Unfortunately, Nth Dimension are unaware of any fixes for these issues
at the current time.  Note that 2 years have elapsed, and 2 major releases
of the firmware have occurred since the original Securiteam advisory was
published.
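The two missing checks the advisory describes, written out as an added example (not D-Link firmware code): confining the getpage value to the page directory so an absolute path or `..` cannot reach /etc/shadow, emitting the RelaodHref value as a JavaScript string literal so it cannot close the quote and run code, and a log scan that flags requests carrying either pattern. The web root path, the JavaScript-string context for RelaodHref, and the log lines are assumptions and constructed samples.

```python
"""Path confinement, output encoding and log detection for the webcm flaws.

Added example, not the vendor's code. Assumes pages live under WEB_ROOT and
that RelaodHref is emitted inside a JavaScript string literal; the access-log
lines below are constructed.
"""
import json
import posixpath
import re

WEB_ROOT = "/html"  # assumed location of the firmware's page tree


def resolve_getpage(value):
    """Confine a getpage value to WEB_ROOT; return the full path or None.

    Rejects absolute paths, backslashes, NUL bytes, any '..' component after
    normalisation, and anything that is not a .htm page.
    """
    if not value or value.startswith("/") or "\\" in value or "\x00" in value:
        return None
    norm = posixpath.normpath(value)
    if ".." in norm.split("/") or not norm.endswith(".htm"):
        return None
    full = posixpath.join(WEB_ROOT, norm)
    # belt and braces: the joined path must still sit under the root
    return full if full.startswith(WEB_ROOT + "/") else None


def js_string_literal(value):
    """Emit value as a JavaScript string literal so it cannot break out of
    the quotes; '</' is escaped so it cannot close an enclosing script tag."""
    return json.dumps(value).replace("</", "<\\/")


# getpage starting with '/' (raw or %2f) or containing '..' (raw or %2e%2e),
# or a RelaodHref value that carries a quote character.
_SUSPECT = re.compile(
    r"getpage=(?:%2[fF]|/|(?:%2[eE]|\.){2})"
    r"|var:RelaodHref=[^&\s]*(?:%22|\"|%27|')"
)


def suspicious_requests(log_lines):
    """Return the log lines that match either injection pattern."""
    return [ln for ln in log_lines if _SUSPECT.search(ln)]


# Constructed access-log lines: one normal page load, one file read attempt,
# one RelaodHref injection attempt (the payload shape from the advisory).
LOG = [
    '192.0.2.10 - - "GET /cgi-bin/webcm?getpage=home/home.htm HTTP/1.0" 200',
    '192.0.2.11 - - "GET /cgi-bin/webcm?getpage=/etc/shadow HTTP/1.0" 200',
    '192.0.2.12 - - "GET /cgi-bin/webcm?getpage=../html/home/home_RelaodHref.htm'
    '&var:RelaodHref=a%22%20==%20%22a%22;){alert(1)}} HTTP/1.0" 200',
]

if __name__ == "__main__":
    print(resolve_getpage("home/home.htm"), resolve_getpage("/etc/shadow"))
    print(js_string_literal('a" == "a";){alert("XSS")}}'))
    for line in suspicious_requests(LOG):
        print("SUSPECT:", line)
```

The resolver deliberately rejects the advisory's own `../html/...` form as well: once pages are addressed relative to the root, no legitimate request needs a parent-directory component, so `..` can be refused outright rather than resolved.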

TPTI-07-05: IBM Tivoli Provisioning Manager for OS Deployment Multiple Stack Overflow Vulnerabilities

2007-05-03 Thread TSRT
TPTI-07-05: IBM Tivoli Provisioning Manager for OS Deployment Multiple
Stack Overflow Vulnerabilities
http://dvlabs.tippingpoint.com/advisory/TPTI-07-05
May  2, 2007

-- CVE ID:
CVE-2007-1868

-- Affected Vendor:
IBM

-- Affected Products:
Tivoli Provisioning Manager for OS Deployment

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
systems with vulnerable installations of IBM Tivoli Provisioning
Manager for OS Deployment. Authentication is not required to exploit
this vulnerability.

The specific flaws exist in the handling of HTTP requests to the
rembo.exe service listening on TCP port 8080. Several components of an
HTTP request can be modified to trigger buffer overflows. For example,
by supplying an overly long filename an attacker is able to overflow a
150 byte stack buffer and subsequently execute arbitrary code. The
overflow occurs during a string copy loop, shown here:

00431136   lea   edi, [ebp+var_3C4] ; 150 byte stack buffer
...
00431148 stringcopy:
00431148   mov   al, [edx]  ; edx -> our data
0043114A   add   edx, 1
0043114D   mov   [edi], al  ; edi -> stack buffer
0043114F   add   edi, 1
00431152   test  al, al
00431154   jnz   short stringcopy

The Host and Authorization fields are also vulnerable to similar
exploitable overflows.

-- Vendor Response:
IBM has issued an update to correct this vulnerability. More details can
be found at:

http://www-1.ibm.com/support/docview.wss?uid=swg24015664

-- Disclosure Timeline:
2006.12.18 - Vulnerability reported to vendor
2007.05.02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Aaron Portnoy, TippingPoint
Security Research Team.