CGIWrap Cross-Site Scripting Vulnerability
BugTraq ID: 3084
Remote: Yes
Date Published: 2001-07-22
Relevant URL: http://www.securityfocus.com/bid/3084
Summary:
CGIWrap is a free, open-source program for running CGI scripts securely. CGIWrap does not filter embedded scripting commands from user-supplied input. An attacker can submit a malicious link to any page that displays user-supplied input, such as a guestbook or forum. When a user follows the link, the script embedded in it is reflected back in a CGIWrap-generated error page and executes in the user's browser, so the malicious code appears to originate from the trusted site.

Arkeia Backup World Writable File Creation Vulnerability
BugTraq ID: 3085
Remote: No
Date Published: 2001-07-23
Relevant URL: http://www.securityfocus.com/bid/3085
Summary:
Arkeia Backup is a full-featured enterprise backup system, distributed and maintained by Knox Software. A problem in the package may let a local user overwrite root-owned files, which could deny service to legitimate users of the system or, potentially, grant elevated privileges. The problem lies in the permissions of the files the software creates.

During normal operation the Arkeia software runs between backup clients and the backup server. The clients initiate a backup session with the server; on receiving their data, the server stores it on the configured backup device (tape, disk, or other backup medium). After execution, Arkeia creates a number of files on the local file system in its database directory, by default /usr/knox/arkeia/dbase. The backup software normally runs as root, so every file it creates is root-owned. The software does not exercise sufficient file access control and creates these files with mode 0666 (world-readable and world-writable).
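As an added illustration (not Arkeia's code) of what the predictable, root-created files just described allow, the following C program stages the attack in a scratch directory: the "attacker" step replaces the predictable name with a symbolic link to a victim file, and the "root" step opens the predictable name the way the vulnerable software would. The unsafe open follows the link and truncates the victim; the hardened open refuses. The file names predictable.dat and victim.txt, the scratch-directory layout, and the function names are assumptions made for the example; it runs entirely under a mkdtemp() directory, so nothing outside it is touched.

```c
/* Added example, not Arkeia's code: a root process that creates a predictably
 * named file in a directory a local user can write to must not open it with
 * O_CREAT alone. All paths below live in a scratch directory (assumption). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the scratch directory, a victim file with real content, and the
 * attacker's symlink predictable.dat -> victim.txt. Returns 0 or -1. */
static int setup(char *dir, size_t dirlen, char *victim, char *lnk, size_t plen)
{
    snprintf(dir, dirlen, "/tmp/arkeia-demo-XXXXXX");
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, plen, "%s/victim.txt", dir);
    snprintf(lnk, plen, "%s/predictable.dat", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important root-owned configuration\n", f);   /* constructed content */
    fclose(f);
    return symlink(victim, lnk);   /* attacker: predictable name -> victim */
}

static off_t file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? st.st_size : -1;
}

static void cleanup(const char *dir, const char *victim, const char *lnk)
{
    unlink(lnk); unlink(victim); rmdir(dir);
}

/* The vulnerable pattern: O_CREAT|O_TRUNC with mode 0666 on a name that may
 * already exist. Returns the victim's size after the open; 0 means the
 * symlink was followed and the victim was truncated. */
off_t unsafe_open_follows_symlink(void)
{
    char dir[64], victim[128], lnk[128];
    if (setup(dir, sizeof dir, victim, lnk, sizeof victim) < 0) return -1;
    int fd = open(lnk, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd >= 0) close(fd);
    off_t sz = file_size(victim);
    cleanup(dir, victim, lnk);
    return sz;
}

/* The hardened pattern: refuse an existing name (O_EXCL), refuse to follow a
 * link (O_NOFOLLOW) and create with a restrictive mode. Returns the errno of
 * the refused open (EEXIST for a symlink under O_CREAT|O_EXCL), or 0 if the
 * open unexpectedly succeeded. */
int safe_open_refuses_symlink(void)
{
    char dir[64], victim[128], lnk[128];
    if (setup(dir, sizeof dir, victim, lnk, sizeof victim) < 0) return -1;
    int fd = open(lnk, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int err = fd >= 0 ? 0 : errno;
    if (fd >= 0) close(fd);
    cleanup(dir, victim, lnk);
    return err;
}

int main(void)
{
    printf("unsafe open: victim size afterwards = %lld bytes\n",
           (long long)unsafe_open_follows_symlink());
    int e = safe_open_refuses_symlink();
    printf("safe open: %s\n", e ? strerror(e) : "opened (unexpected)");
    return 0;
}
```

The same check applies whether the link target is a configuration file, a device node or a setuid binary: the defence is O_EXCL (or a fresh, unpredictable name in a directory only root can write), not a more restrictive mode on the file after the fact.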
A local user can therefore remove a predictable file created by the software and recreate it under the same name as a symbolic link. When the root-running software next writes to that name, it follows the link and overwrites whatever local root-owned file the link points to, resulting in a denial of service and potentially in elevated privileges.

[ Not free, but in widespread use. They use a documented data format and ship an open-source restore program ] Richard Everitt

Pileup Buffer Overflow Vulnerability
BugTraq ID: 3086
Remote: No
Date Published: 2001-07-22
Relevant URL: http://www.securityfocus.com/bid/3086
Summary:
Pileup is a Linux Morse code simulator for amateur radio operators that uses SoundBlaster hardware.

The C library scanf() family reads data from a character source (a string or an I/O stream) into variables according to a format string. With the '%s' conversion a program reads a string of arbitrary length into the corresponding buffer, stopping only at whitespace or a newline. Using scanf() this way to fill a fixed-size buffer is dangerous because no bounds checking is enforced: the input can be longer than the buffer.

Pileup version 1.1 contains two instances of this dangerous scanf() use: when reading command options in main(), and when reading the user's callsign in the keyboard_thread() function. In both cases a string of arbitrary length is copied into a local variable. If either string, read from standard input, is longer than its buffer, the excess overwrites other variables on the stack and the stack frame itself. Exploited properly, this lets a user replace the affected function's return address with a pointer to shellcode. Because the program is installed setuid root, the shellcode runs with root privileges.
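To make the scanf() hazard concrete, here is an added C example (not Pileup's code) showing the vulnerable pattern beside a hardened callsign reader. The hardened version bounds the field width to the buffer and, instead of silently truncating, detects a token longer than the buffer using the "%15s%c" trick: after reading at most 15 characters it reads one more, and if that character is not whitespace the token was cut short. The buffer size CALLSIGN_MAX (16 bytes), the function names and the sample lines are assumptions.

```c
/* Added example, not Pileup's code. Vulnerable scanf("%s") pattern beside a
 * bounded parser that rejects over-long callsigns rather than overflowing. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CALLSIGN_MAX   16     /* assumed buffer size, including the NUL */
#define CALLSIGN_WIDTH "15"   /* must equal CALLSIGN_MAX - 1 */

/* Vulnerable pattern (defined for comparison, never called here: calling it
 * with a long line is undefined behaviour). "%s" copies until whitespace with
 * no limit, so a line longer than `callsign` overwrites the rest of the stack
 * frame, including the saved return address. */
void read_callsign_unsafe(char *callsign_out)
{
    char callsign[CALLSIGN_MAX];
    (void)scanf("%s", callsign);          /* no bounds check */
    strcpy(callsign_out, callsign);
}

/* Hardened parser over an already-read line. Returns 0 on success, -1 if the
 * line holds no token, -2 if the token is longer than CALLSIGN_MAX - 1,
 * -3 if the caller's output buffer is too small. */
int parse_callsign(const char *line, char *out, size_t outlen)
{
    char buf[CALLSIGN_MAX];
    char next = '\0';
    if (outlen < CALLSIGN_MAX) return -3;
    int n = sscanf(line, "%" CALLSIGN_WIDTH "s%c", buf, &next);
    if (n < 1) return -1;                                    /* nothing read */
    if (n == 2 && !isspace((unsigned char)next)) return -2;  /* truncated */
    memcpy(out, buf, strlen(buf) + 1);
    return 0;
}

/* Read one line with a bounded fgets() and parse it; same return codes. */
int read_callsign_safe(FILE *in, char *out, size_t outlen)
{
    char line[256];
    if (!fgets(line, sizeof line, in)) return -1;
    return parse_callsign(line, out, outlen);
}

int main(void)
{
    /* Constructed sample input: a normal callsign, one with trailing junk,
     * and an over-long token of the kind that overflows the unsafe reader. */
    const char *samples[] = {
        "W1AW\n", "  dl1abc extra\n", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    };
    char cs[CALLSIGN_MAX];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = parse_callsign(samples[i], cs, sizeof cs);
        printf("rc=%d callsign=%s\n", rc, rc == 0 ? cs : "(rejected)");
    }
    return 0;
}
```

A field width alone ("%15s") is enough to stop the overflow; the extra "%c" is what turns silent truncation into a detectable error, which matters when a truncated token would otherwise be accepted as a valid callsign or command option.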
NetBSD sendmsg Denial of Service Vulnerability
BugTraq ID: 3088
Remote: No
Date Published: 2001-07-24
Relevant URL: http://www.securityfocus.com/bid/3088
Summary:
A potential denial of service vulnerability exists in the NetBSD kernel. It results from an input validation error in sendmsg(2): insufficient length checking on the 'msg_controllen' member of the 'msghdr' structure.

The msghdr structure carries most of the arguments to sendmsg(), including msg_controllen, which gives the size of any optional ancillary data (control information) to be sent with the message. The kernel uses this length to copy the control information, pointed to by the 'msg_control' member, into kernel space. Because the kernel does not check the length supplied in msg_controllen, a sufficiently large value causes a page fault trap or an 'out of space in kmem_map' kernel panic.

Remote Linux Groff Exploitation via lpd
BugTraq ID: 3103
Remote: Yes
Date Published: 2001-07-26
Relevant URL: http://www.securityfocus.com/bid/3103
Summary:
lpd is the print spooling daemon used to support network printing on a variety of Unix platforms. The version of lpd that ships with Linux systems invokes groff to process troff-formatted documents submitted for printing. groff's picture preprocessor, 'pic', contains a vulnerability that can be exploited to execute arbitrary commands on the victim host, and it may be possible for remote attackers to reach it through lpd.

Although lpd runs groff (and therefore pic) with lowered privileges, the vulnerability is still especially dangerous: remote, anonymous attackers on the Internet may be able to gain local access to target hosts, and it is significantly easier to gain complete control of a system once local access is obtained.
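The sendmsg(2) entry above describes a kernel trusting a user-supplied length. As an added example (not NetBSD kernel code), the following C function performs, in userland over a constructed msghdr, the validation a kernel needs before it copies msg_controllen bytes from msg_control: reject a length with no buffer, a length above a fixed cap, a length too short to hold one cmsghdr, and any embedded cmsg_len that claims more bytes than the buffer actually contains. CONTROL_MAX is an assumed cap standing in for the kernel's own limit; validate_control, build_fd_cmsg and the control_buf union are names chosen for the example.

```c
/* Added example, not NetBSD's code: the msg_controllen validation the
 * advisory says the kernel lacked, modelled in userland. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#define CONTROL_MAX 2048   /* assumed upper bound for ancillary data */

/* Round a cmsg_len up to the platform's cmsghdr alignment (own macro so the
 * example does not depend on the non-portable CMSG_ALIGN). */
#define ALIGN_LEN(n) (((n) + sizeof(size_t) - 1) & ~(sizeof(size_t) - 1))

/* Storage that is correctly aligned for a cmsghdr. */
typedef union { struct cmsghdr hdr; unsigned char bytes[64]; } control_buf;

/* Returns 0 if the ancillary data described by mh is safe to copy and walk,
 * otherwise a negative code naming the failed check. */
int validate_control(const struct msghdr *mh)
{
    size_t len = mh->msg_controllen;
    if (len == 0) return 0;                           /* no ancillary data */
    if (mh->msg_control == NULL) return -1;           /* length without buffer */
    if (len > CONTROL_MAX) return -2;                 /* the check that was missing */
    if (len < sizeof(struct cmsghdr)) return -3;      /* not even one header */

    /* Walk the headers by hand so every cmsg_len is checked against the
     * remaining space before it is used to advance. */
    const unsigned char *p = mh->msg_control, *end = p + len;
    while (p < end) {
        size_t remaining = (size_t)(end - p);
        if (remaining < sizeof(struct cmsghdr)) return -4;   /* trailing junk */
        const struct cmsghdr *c = (const struct cmsghdr *)p;
        if (c->cmsg_len < sizeof(struct cmsghdr)) return -5;  /* header too short */
        if (c->cmsg_len > remaining) return -6;               /* claims more than present */
        size_t step = ALIGN_LEN(c->cmsg_len);
        p += step > remaining ? remaining : step;   /* last entry may be unpadded */
    }
    return 0;
}

/* Build a well-formed SCM_RIGHTS control message carrying one descriptor and
 * point mh at it (constructed input for the example). Returns 0 or -1. */
int build_fd_cmsg(control_buf *cb, int fd, struct msghdr *mh)
{
    size_t need = CMSG_SPACE(sizeof(int));
    if (need > sizeof cb->bytes) return -1;
    memset(cb, 0, sizeof *cb);
    cb->hdr.cmsg_level = SOL_SOCKET;
    cb->hdr.cmsg_type  = SCM_RIGHTS;
    cb->hdr.cmsg_len   = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(&cb->hdr), &fd, sizeof fd);
    memset(mh, 0, sizeof *mh);
    mh->msg_control    = cb->bytes;
    mh->msg_controllen = need;
    return 0;
}

int main(void)
{
    control_buf cb;
    struct msghdr mh;
    if (build_fd_cmsg(&cb, 3, &mh) < 0) return 1;
    printf("well-formed:          %d\n", validate_control(&mh));
    mh.msg_controllen = (size_t)1 << 30;          /* the oversized length */
    printf("oversized controllen: %d\n", validate_control(&mh));
    mh.msg_controllen = CMSG_SPACE(sizeof(int));
    cb.hdr.cmsg_len = 4000;                       /* inner length lies */
    printf("cmsg_len too large:   %d\n", validate_control(&mh));
    return 0;
}
```

The order of the checks matters: the cap on msg_controllen comes before any allocation or copy, since it is the allocation of an attacker-sized buffer that produces the 'out of space in kmem_map' panic, and the per-header cmsg_len check comes before the pointer is advanced, since that is what a page-fault trap on a bad control buffer corresponds to.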
Further technical details will be made available in forthcoming updates.

- To post an announcement: [EMAIL PROTECTED]