[SECURITY] [DSA-058-1] exim printf format attack

2001-06-10 Thread Wichert Akkerman
-----BEGIN PGP SIGNED MESSAGE----- Debian Security Advisory DSA-058-1 [EMAIL PROTECTED] http://www.debian.org/security/ Wichert Akkerman June 10, 2001

Broker FTP Server 5.9.5.0 Buffer Overflow / DoS / Directory Traversal

2001-06-10 Thread ByteRage
Broker FTP Server 5.9.5.0 Buffer Overflow / DoS / Directory Traversal TESTED ON Broker FTP Server 5.9.5.0 on Windows 98, likely to work on NT / 2k DESCRIPTION 1) Buffer Overflow / DoS The DoS, which completely freezes the victim machine, can be triggered by repeatedly sending the following

IDS's, host: headers, and .printer ISAPI overflow as an example

2001-06-10 Thread Marc Maiffret
A lot of Intrusion Detection Systems only look for Host: strings when dealing with web server attacks that do bad things with the Host: field. An example of that would be the .printer ISAPI overflow that eEye released a few weeks or so ago. We have seen three distinct patterns in signatures

Mac OS X - Apache Case Insensitive Filesystems

2001-06-10 Thread Stefan Arentz
Environment: Mac OS X 10.0.3 / Darwin 1.3.3 Apache 1.3.14 This is the default setup, out of the box, with available software updates installed. Please note, this is OS X *Client*. Who is affected: Everybody who used Apache on Mac OS X Client with the following conditions:

Re: Microsoft Security Bulletin MS01-030

2001-06-10 Thread Paul L Schmehl
At UTD we are running active-active clustering (a-a-c) with two virtual Exchange 2000 servers and a RAID array. We were in the process of installing Exchange 2000 on the second node, and the admins decided to apply this patch to the active node as well. After application of the patch (this

Re: SSH / X11 auth: needless complexity - security problems?

2001-06-10 Thread Casper Dik
The problem isn't the authentication, it's the granularity of the authorization that the filesystem affords. NFS leaves authorization up to the client host (aka ``No File Security''). NFS provides most any level of security you desire; not many vendors implement NFS security, though. NFSv4

Re: Webtrends HTTP Server %20 bug (UTF-8)

2001-06-10 Thread Peter W
On Fri, Jun 08, 2001 at 04:51:57AM +0100, Glynn Clements wrote: Eric Hacker wrote: Conveniently, UTF8 uses the same values as ASCII for ASCII representation. Above the standard ASCII 127 character representation, UTF8 uses multi-byte strings beginning with 0xC1. No; the sequences for

RE: SECURITY.NNOV: Outlook Express address book spoofing

2001-06-10 Thread David F. Skoll
On Fri, 8 Jun 2001 [EMAIL PROTECTED] wrote: One simple method of adding security in this case would be to pop up a security alert when there is an attempt to add an address book entry where the real name portion is de facto an RFC compliant mail address. The user then can decide if he wants

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

2001-06-10 Thread Chris Adams
Once upon a time, Peter Ajamian [EMAIL PROTECTED] said: While crypt password authentication is not in and of itself very secure, Network Solutions have made it even less so by including the first two characters of the password as the salt of the encrypted form. While the This is not new; I

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

2001-06-10 Thread Len Sassaman
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, 8 Jun 2001, Peter Ajamian wrote: Do not use the Crypt-PW authentication-scheme. Instead use the MAIL_FROM or PGP scheme. Neither of these are very good options either. The problems with MAIL-FROM are the obvious flaws you find in

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

2001-06-10 Thread Peter W
On Fri, Jun 08, 2001 at 12:37:34AM -0700, Peter Ajamian wrote: While crypt password authentication is not in and of itself very secure, Network Solutions have made it even less so by including the first two characters of the password as the salt of the encrypted form. While the password is

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

2001-06-10 Thread jkohl
On Fri, 08 Jun 2001 00:37:34 -0700 Peter Ajamian [EMAIL PROTECTED] wrote: Problem: While crypt password authentication is not in and of itself very secure, Network Solutions have made it even less so by including the first two characters of the password as the salt of the encrypted form. While

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

2001-06-10 Thread Peter van Dijk
On Fri, Jun 08, 2001 at 12:37:34AM -0700, Peter Ajamian wrote: [snip] computer. A new 1GHz computer could easily crank out 6 char passwords in mere seconds, 8 char passwords in a few hours, and a 10 char password probably in a week to a month or better. crypt() passwords are never more than

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

2001-06-10 Thread Tyler Walden
For those interested here is a Perl program to generate Crypt-PW's with a proper salt. #!/usr/bin/perl $salt=salt(); print "password encryptee, [CTRL]-D quits.\n"; while (<STDIN>) { chop; $text=crypt($_,$salt); print $text."\n"; } sub salt { local($salt); local($i, $rand); local(@itoa64) = ( 0

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

2001-06-10 Thread Peter Ajamian
Peter W wrote: Plus when you submit a change request template, your email contains the plaintext password. :-( Changing your password means sending the cleartext value to NetSol via email. So changing your password involves risk. :-( In my recent experience, the unencrypted password is

Re: XFree86-xfs-4.0.1-1 DoS

2001-06-10 Thread Mathias Dybvik
Confirmed, on Mandrake 8.0. I should, however, point out that I was only able to take down the font-server as a local user, and not from a remote host. This could be a bandwidth problem, caused by the fact that I only have a measly 10Mb/s LAN. Then again, my urandom bandwidth is less than