SecurityFocus digest: known attacks against free or open source software,
and occasionally against 'hardware' (firmware). Problems in software
written in PHP are generally not listed (there are dozens of them every
week, so ...)

MIT CGIEmail Arbitrary Recipient Mail Relay Vulnerability
BugTraq ID: 5013
Remote: Yes
Date Published: Jun 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5013
Summary:

MIT cgiemail is designed to take the input of web forms and convert it to
an e-mail format defined by the author of the form. It was written for use
on UNIX and Linux variant operating systems.

A vulnerability has been reported in cgiemail that lets it be used as an
open mail relay. The cause is a failure to properly sanitize user-supplied
values: in particular, the URL-encoded newline "%0a" is not filtered, so a
form field can introduce additional header lines into the generated message.

cgiemail uses templates when generating emails. To exploit this issue, an
attacker must know the exact path of a template file that cgiemail uses.
As well, the attacker must know of the fields that will be included in the
generated email.

As a result, a malicious user may trivially specify any email address,
effectively using the script as an open mail relay. This technique is well
known, and commonly used for sending unsolicited email.
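As an added example (written for this digest, not cgiemail's own code), the
header-injection pattern the advisory describes and the check that stops it,
in C: decode the form value, then refuse any value containing CR, LF or other
control bytes before it is placed on a mail header line. The field contents
and the Bcc: payload are constructed inputs.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode a URL-encoded form value ("%0a" -> '\n', '+' -> ' ') into out.
 * Returns the decoded length, or -1 if out is too small or an escape is
 * malformed. */
int url_decode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            if (!isxdigit((unsigned char)in[i + 1]) ||
                !isxdigit((unsigned char)in[i + 2]))
                return -1;
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (int)strtol(hex, NULL, 16);
            i += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (o + 1 >= outsz)
            return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* A value may go on a header line only if it contains no CR or LF and no
 * other control characters: a newline would start a new header such as
 * "Bcc: someone@example.org" or terminate the header block early. */
int header_value_is_safe(const char *value)
{
    for (const unsigned char *p = (const unsigned char *)value; *p; p++) {
        if (*p == '\r' || *p == '\n' || (*p < 0x20 && *p != '\t') || *p == 0x7f)
            return 0;
    }
    return 1;
}

/* The gate a form handler should apply to every field that lands in a
 * header: decode, then vet. Returns 1 if accepted, 0 if rejected. */
int form_value_accepted(const char *encoded)
{
    char decoded[512];
    if (url_decode(encoded, decoded, sizeof decoded) < 0)
        return 0;
    return header_value_is_safe(decoded);
}

int main(void)
{
    /* Constructed inputs: a benign subject and an injection attempt that
     * smuggles a Bcc: header through an encoded newline. */
    const char *benign = "Feedback+form";
    const char *attack = "hello%0aBcc:+spam-target@example.org";
    printf("benign accepted: %d\n", form_value_accepted(benign));
    printf("attack accepted: %d\n", form_value_accepted(attack));
    return 0;
}
```

Rejecting rather than stripping is deliberate: a stripped newline can still leave an unexpected header fragment in the value, and a rejected submission tells the operator that someone is probing the form.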

Multiple Vendor Spoofed IGMP Report Denial Of Service Vulnerability
BugTraq ID: 5020
Remote: Yes
Date Published: Jun 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5020
Summary:

The Internet Group Management Protocol (IGMP) is the protocol that hosts
and routers use to manage membership in IP multicast groups.

A problem with the implementation of the protocol in some operating
systems could lead to a denial of service.

An arbitrary host can deny service to a system on the same network
segment.  When a multicast router sends a membership query, the hosts in a
group rely on one of them answering; a host that sends a unicast membership
report to that responder can prevent it from sending its own report to the
router.  The router then receives no report from any host for the group, so
forwarding for the group times out and stops.

This problem could result in an attacker launching a denial of service
against an affected host, and could additionally be used to deny service
to a range of vulnerable hosts on a subnet.

This vulnerability may additionally affect other operating systems, though
it is currently unknown which implementations may be vulnerable.
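An added model of the report-suppression logic the advisory turns on,
written for this digest (not any vendor's IGMP stack) and simplified from
RFC 2236: after a query each member starts a timer and cancels it if it
hears another member's report for the group. The naive host cancels on any
report, so a report unicast to it alone silences it; the checked variant
only honours reports addressed to the group itself. That destination check
is an assumed hardening, not a quoted vendor fix; the addresses are
constructed.

```c
#include <stdint.h>
#include <stdio.h>

struct host_state {
    uint32_t group;          /* multicast group the host belongs to */
    int      report_pending; /* 1 while the report timer is running */
};

struct igmp_report {
    uint32_t ip_dst;   /* IP destination of the packet carrying the report */
    uint32_t group;    /* group address inside the IGMP message */
};

/* A router query starts the host's report timer for its group. */
void on_query(struct host_state *h) { h->report_pending = 1; }

/* Vulnerable behaviour: any report for our group cancels our timer,
 * whoever it was addressed to. */
void on_report_naive(struct host_state *h, const struct igmp_report *r)
{
    if (r->group == h->group)
        h->report_pending = 0;
}

/* Hardened behaviour (assumed): a genuine report from another member is
 * sent to the group address so every member hears it. A report addressed
 * to this host alone cannot be one, and is ignored. */
void on_report_checked(struct host_state *h, const struct igmp_report *r)
{
    if (r->group == h->group && r->ip_dst == r->group)
        h->report_pending = 0;
}

/* Timer expiry: returns 1 if the host sends its report to the router. */
int on_timer_expiry(struct host_state *h)
{
    int sends = h->report_pending;
    h->report_pending = 0;
    return sends;
}

/* One query cycle with a spoofed unicast report in the middle. Returns
 * whether the router ends up hearing a report from this host. */
int router_hears_report(int hardened)
{
    const uint32_t group  = 0xE0000101u;   /* 224.0.1.1 */
    const uint32_t victim = 0xC0A80005u;   /* 192.168.0.5, constructed */
    struct host_state h = { group, 0 };
    struct igmp_report spoofed = { victim, group };   /* unicast to the victim */

    on_query(&h);
    if (hardened)
        on_report_checked(&h, &spoofed);
    else
        on_report_naive(&h, &spoofed);
    return on_timer_expiry(&h);
}

int main(void)
{
    printf("naive host,   router hears report: %d\n", router_hears_report(0));
    printf("checked host, router hears report: %d\n", router_hears_report(1));
    return 0;
}
```

Because the spoofed report is unicast, no other member hears it either, which is why the router ends up with no report at all and the group times out, as the advisory describes.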

Apache Chunked-Encoding Memory Corruption Vulnerability
BugTraq ID: 5033
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5033
Summary:

Apache is a freely available webserver for Unix and Linux variants, as
well as Microsoft operating systems.

HTTP defines a transfer coding called 'Chunked Encoding', in which a
message body is sent as a series of length-prefixed chunks so that its
total size need not be known in advance.  A vulnerability has been
discovered in the Apache implementation of 'Chunked Encoding'.

When processing requests with a chunked body, Apache fails to correctly
calculate the required buffer sizes.  The reported cause is that the chunk
length is handled as a signed integer, so a large value is interpreted as
negative and slips past the size check.

Consequently, several conditions may occur that have security
implications.  It has been reported that a buffer overrun and signal race
condition occur.  Exploitation of these conditions may result in the
execution of arbitrary code.
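Added example, not Apache's code: the chunk-size handling pattern the
advisory describes (the parsed length stored in a signed integer before the
bounds check) beside the unsigned form that rejects the same input. The
buffer size and the chunk-size lines are constructed; the narrowing cast
models how a 32-bit signed int wraps on every mainstream ABI.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a hex chunk-size line ("1f" or "1f;ext=1") into *out.
 * Returns 0 on success, -1 on malformed input or overflow. */
static int parse_chunk_size(const char *line, unsigned long *out)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(line, &end, 16);
    if (end == line || errno == ERANGE)
        return -1;
    if (*end != '\0' && *end != ';' && *end != '\r' && *end != '\n')
        return -1;
    *out = v;
    return 0;
}

/* Flawed pattern: the length is narrowed to a signed 32-bit value before
 * the comparison. 0xFFFFFFF0 becomes -16, which is "smaller" than the
 * buffer, and the copy that follows would receive (size_t)-16, a huge
 * length. Returns 1 if the check lets the chunk through. */
int chunk_accepted_signed(const char *line, size_t bufsz)
{
    unsigned long raw;
    if (parse_chunk_size(line, &raw) != 0)
        return 0;
    int32_t len = (int32_t)(uint32_t)raw;   /* signed interpretation */
    if (len > (int32_t)bufsz)               /* a negative len passes */
        return 0;
    return 1;                               /* would memcpy(buf, body, len) */
}

/* Corrected pattern: keep the length unsigned and refuse anything larger
 * than the buffer that is going to hold it. */
int chunk_accepted_unsigned(const char *line, size_t bufsz)
{
    unsigned long raw;
    if (parse_chunk_size(line, &raw) != 0)
        return 0;
    if (raw > bufsz)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed chunk-size lines as they would appear on the wire. */
    const char *normal = "1f";
    const char *evil   = "fffffff0";
    printf("normal: signed=%d unsigned=%d\n",
           chunk_accepted_signed(normal, 8192), chunk_accepted_unsigned(normal, 8192));
    printf("evil:   signed=%d unsigned=%d\n",
           chunk_accepted_signed(evil, 8192), chunk_accepted_unsigned(evil, 8192));
    return 0;
}
```

The rule of thumb this illustrates: a length that came off the network is compared and copied as an unsigned size, never as an int, and the comparison is against the destination buffer, not against an implicit assumption that lengths are small.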

On Windows and Netware platforms, Apache uses threads within a single
server process to handle concurrent connections.  Causing the server
process to crash on these platforms may result in a denial of service.

It has been confirmed that this vulnerability may be exploited to execute
arbitrary code on both Win32 and UNIX platforms.

Note: Products which use or bundle Apache such as Oracle 9iAS or IBM
Websphere may also be affected.

Zyxel Prestige 642R Malformed Packet Denial Of Service Vulnerability
BugTraq ID: 5034
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5034
Summary:

ZyXEL 642R routers have difficulty handling TCP packets with certain flag
combinations set.  In particular, it is possible to deny service by
sending a vulnerable router a SYN-ACK packet.  This creates a denial of
service which can only be remedied by restarting the device.  To a lesser
degree, the router also has difficulty with SYN-FIN packets, which have
been reported to deny service for a few minutes.  The issue has also been
reproduced with other types of malformed packets.

In both instances, some services provided by the router (telnet, FTP and
DHCP) will be denied, however, the device will continue to route network
traffic.

ZyXEL 642R-11 routers are reportedly affected by this vulnerability.  It
is possible that other ZyNOS-based routers are also affected.  ZyXEL 643
ADSL routers do not appear to be prone to this issue.

This issue may be exploited in combination with the vulnerability
described in Bugtraq ID 3346.
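Added example (not ZyNOS code): a segment classifier of the kind a filter
in front of such a device, or the device's own input path, can apply. It
rejects flag combinations no conformant stack emits (SYN+FIN, SYN+RST, no
flags) and flags a SYN-ACK that answers no SYN this side ever sent, which is
the unsolicited case the advisory describes. The peer address and ports are
constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

enum verdict { TCP_OK = 0, TCP_INVALID_FLAGS = 1, TCP_UNSOLICITED = 2 };

/* Tiny table of SYNs this host has sent and not yet seen answered. */
#define MAX_PENDING 8
struct syn_table {
    uint32_t peer[MAX_PENDING];
    uint16_t port[MAX_PENDING];
    int      used[MAX_PENDING];
};

void note_syn_sent(struct syn_table *t, uint32_t peer, uint16_t port)
{
    for (int i = 0; i < MAX_PENDING; i++)
        if (!t->used[i]) { t->peer[i] = peer; t->port[i] = port; t->used[i] = 1; return; }
}

static int syn_was_sent(const struct syn_table *t, uint32_t peer, uint16_t port)
{
    if (t == NULL) return 0;   /* no table: nothing was sent */
    for (int i = 0; i < MAX_PENDING; i++)
        if (t->used[i] && t->peer[i] == peer && t->port[i] == port) return 1;
    return 0;
}

/* Classify an incoming segment by its flags and, for SYN-ACK, by whether
 * it answers a SYN we actually sent. */
enum verdict classify_segment(const struct syn_table *t, uint32_t src,
                              uint16_t sport, uint8_t flags)
{
    if (flags == 0)                           return TCP_INVALID_FLAGS;
    if ((flags & TH_SYN) && (flags & TH_FIN)) return TCP_INVALID_FLAGS;
    if ((flags & TH_SYN) && (flags & TH_RST)) return TCP_INVALID_FLAGS;
    if ((flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK) && !syn_was_sent(t, src, sport))
        return TCP_UNSOLICITED;
    return TCP_OK;
}

/* Walk the advisory's two cases; returns 1 if the classifier separates
 * them as intended. */
int demo_classifier(void)
{
    struct syn_table t = {{0}, {0}, {0}};
    const uint32_t peer = 0x0A000001u;   /* 10.0.0.1, constructed */
    if (classify_segment(&t, peer, 80, TH_SYN | TH_ACK) != TCP_UNSOLICITED) return 0;
    note_syn_sent(&t, peer, 80);
    if (classify_segment(&t, peer, 80, TH_SYN | TH_ACK) != TCP_OK) return 0;
    if (classify_segment(&t, peer, 80, TH_SYN | TH_FIN) != TCP_INVALID_FLAGS) return 0;
    return 1;
}

int main(void)
{
    printf("classifier separates the cases: %d\n", demo_classifier());
    return 0;
}
```

A real stack keys the pending-SYN table on the full four-tuple and expires entries; the point here is only that an unsolicited SYN-ACK is distinguishable from a legitimate one before any connection state is touched.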

[ hardware ]

NetGear RP114 Administrative Access Via External Interface Vulnerability
BugTraq ID: 5036
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5036
Summary:

The NetGear RP114 router includes administrative support through a variety
of mechanisms, including telnet and HTTP. Access to the administration
tools is provided through the address 192.168.0.1, part of a range
reserved for use on internal networks.

Reportedly, the RP114 router will accept traffic from addresses in the
192.168.x.x range on its external interface. An attacker outside the
router who sends traffic with such a source address may be able to reach
the administrative interface, gain access to sensitive information, or
create a denial of service condition for legitimate users of the router.

Authentication is still required, however the device has a commonly known
default username of 'admin' with the password '1234'.

Other related devices may share this vulnerability, this has not however
been confirmed.
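Added example (not NetGear's firmware): the two checks whose absence the
advisory describes, an anti-spoofing ingress filter that drops private
source addresses arriving on the WAN side, and an admin-plane policy that
keys on the ingress interface rather than on the attacker-chosen source
address alone. The LAN subnet and sample addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>

enum iface { IF_LAN = 0, IF_WAN = 1 };

/* Build a host-order IPv4 address from dotted octets. */
uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* RFC 1918 private ranges plus loopback: none of these can legitimately
 * arrive from the Internet side. */
int is_private_or_loopback(uint32_t ip)
{
    if ((ip & 0xFF000000u) == 0x0A000000u) return 1;   /* 10.0.0.0/8 */
    if ((ip & 0xFFF00000u) == 0xAC100000u) return 1;   /* 172.16.0.0/12 */
    if ((ip & 0xFFFF0000u) == 0xC0A80000u) return 1;   /* 192.168.0.0/16 */
    if ((ip & 0xFF000000u) == 0x7F000000u) return 1;   /* 127.0.0.0/8 */
    return 0;
}

/* Ingress filter: a WAN packet claiming a private source is dropped
 * before any service on the device sees it. */
int wan_ingress_allowed(uint32_t src)
{
    return !is_private_or_loopback(src);
}

/* Admin-plane policy: management (telnet/HTTP) is reachable only from
 * the LAN interface and only from the configured LAN subnet. Checking
 * the address without the interface is exactly the gap the advisory
 * describes, since the source address is the attacker's to choose. */
int admin_access_allowed(enum iface in, uint32_t src, uint32_t lan_net, uint32_t lan_mask)
{
    if (in != IF_LAN) return 0;
    return (src & lan_mask) == (lan_net & lan_mask);
}

int main(void)
{
    uint32_t lan_net = ip4(192, 168, 0, 0), lan_mask = 0xFFFFFF00u;   /* constructed */
    printf("WAN packet from 192.168.0.1 allowed: %d\n", wan_ingress_allowed(ip4(192, 168, 0, 1)));
    printf("admin from WAN, spoofed 192.168.0.1: %d\n",
           admin_access_allowed(IF_WAN, ip4(192, 168, 0, 1), lan_net, lan_mask));
    printf("admin from LAN host 192.168.0.20:   %d\n",
           admin_access_allowed(IF_LAN, ip4(192, 168, 0, 20), lan_net, lan_mask));
    return 0;
}
```

Either check on its own closes the reported hole; a device should have both, because the interface check protects the management plane even if a future change loosens the ingress filter.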

[ hardware ]

Successful exploitation may gain the attacker local access on the affected
host.

Cisco uBR7200 / uBR7100 Universal Broadband Routers DOCSIS MIC Bypass Vulnerability
BugTraq ID: 5041
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5041
Summary:

A vulnerability has been announced which affects Cisco uBR7200 series and
uBR7100 series Universal Broadband Routers under some versions of IOS.

DOCSIS configuration files can be signed with a Message Integrity Check
(MIC), an MD5-based digest that protects the integrity of the file. A
network can reject cable modems whose configuration file does not carry a
properly signed MIC.

It is possible to create an invalid DOCSIS file which is truncated and
does not include a MIC signature. Vulnerable routers may nonetheless
accept the configuration file as valid, allowing access to the network.

Malicious cable modem users may create DOCSIS files with arbitrary
configurations, possibly allowing them to bypass limitations such as
bandwidth consumption restrictions. Exploitation of this vulnerability may
allow these configuration files to be accepted by the network.

This issue is documented as Cisco Defect number CSCdx72740.
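Added example (not Cisco IOS code): a structural check of a DOCSIS
configuration file that rejects exactly the file the advisory describes,
one cut off before the MIC TLVs, and also a file that reaches the end marker
with no MIC at all. TLV type numbers are the DOCSIS ones (6 CM MIC, 7 CMTS
MIC, 255 end-of-data, 0 padding); the sample file is constructed with zero
digests, and the MD5-based digest comparison itself is not performed here
since it needs the CMTS shared secret.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLV_PAD      0
#define TLV_CM_MIC   6
#define TLV_CMTS_MIC 7
#define TLV_END      255

enum cfg_status { CFG_OK = 0, CFG_TRUNCATED = 1, CFG_NO_MIC = 2, CFG_MALFORMED = 3 };

/* Walk the 1-byte-type / 1-byte-length TLVs. Require both MICs with the
 * 16-byte MD5 length, and require the end-of-data marker to be reached
 * inside the buffer. A file that runs out before the marker is truncated
 * and must not be accepted, MIC or no MIC. */
enum cfg_status validate_docsis_config(const uint8_t *buf, size_t len)
{
    size_t i = 0;
    int have_cm = 0, have_cmts = 0;
    while (i < len) {
        uint8_t type = buf[i++];
        if (type == TLV_END)
            return (have_cm && have_cmts) ? CFG_OK : CFG_NO_MIC;
        if (type == TLV_PAD)
            continue;
        if (i >= len) return CFG_TRUNCATED;
        uint8_t tlen = buf[i++];
        if (i + tlen > len) return CFG_TRUNCATED;
        if (type == TLV_CM_MIC || type == TLV_CMTS_MIC) {
            if (tlen != 16) return CFG_MALFORMED;
            if (type == TLV_CM_MIC) have_cm = 1; else have_cmts = 1;
        }
        i += tlen;
    }
    return CFG_TRUNCATED;   /* ran off the end without an end-of-data marker */
}

/* Constructed sample: network access control (type 3), downstream
 * frequency (type 1), both MICs with zero digests, then the end marker. */
static const uint8_t good_cfg[] = {
    3, 1, 1,
    1, 4, 0x1F, 0x2B, 0x8C, 0x40,
    6, 16, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    7, 16, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    255
};

enum cfg_status check_good(void)
{
    return validate_docsis_config(good_cfg, sizeof good_cfg);
}

/* The advisory's file: the same settings, cut off before any MIC. */
enum cfg_status check_truncated_variant(void)
{
    return validate_docsis_config(good_cfg, 9);   /* first two TLVs only */
}

/* A complete file that simply omits the MICs. */
enum cfg_status check_unsigned_variant(void)
{
    static const uint8_t cfg[] = { 3, 1, 1, 255 };
    return validate_docsis_config(cfg, sizeof cfg);
}

int main(void)
{
    printf("good: %d  truncated: %d  unsigned: %d\n",
           check_good(), check_truncated_variant(), check_unsigned_variant());
    return 0;
}
```

The order matters: a CMTS should establish that the file is complete and carries both MICs before it spends any effort on the digests, and an absent or truncated MIC is a rejection, never a pass.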

[ hardware ]

Interbase GDS_Drop Interbase Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 5044
Remote: No
Date Published: Jun 18 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5044
Summary:

Interbase is a database distributed and maintained by Borland.  It is
available for Unix and Linux operating systems.

A problem with Interbase could make it possible for a local user to gain
elevated privileges.

A buffer overflow has been discovered in the setuid-root gds_drop program
packaged with Interbase.  The program copies the value of the INTERBASE
environment variable into a fixed-size buffer without checking its length.
A local user who runs it with an overly long value (typically 500 or more
characters) in INTERBASE overwrites stack memory, including a function's
saved return address, and can potentially execute arbitrary code as root.

This could make it possible for a local user to gain administrative
access.

[ open source ]

Interbase GDS_Lock_MGR Interbase Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 5046
Remote: No
Date Published: Jun 18 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5046
Summary:

Interbase is a database distributed and maintained by Borland.  It is
available for Unix and Linux operating systems.

A problem with Interbase could make it possible for a local user to gain
elevated privileges.

A buffer overflow has been discovered in the setuid-root program
gds_lock_mgr, packaged with Interbase.  The program copies the value of
the INTERBASE environment variable into a fixed-size buffer without
checking its length.  A local user who runs it with an overly long value
(typically 500 or more bytes) in INTERBASE overwrites stack memory,
including a function's saved return address, and can potentially execute
arbitrary code as root.

This could make it possible for a local user to gain administrative
access.
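Added example covering both the gds_drop (BID 5044) and gds_lock_mgr (BID
5046) entries, not Borland's code: the unchecked copy of an environment
variable into a stack buffer, beside a bounded loader that refuses anything
too long or not shaped like an absolute path. The 256-byte buffer and the
path format are assumptions; the long value is constructed to match the
"500 or more bytes" the advisories cite.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256   /* assumed size of the on-stack buffer */

/* Vulnerable pattern: strcpy() of whatever the caller put in INTERBASE
 * into a fixed stack buffer. In a setuid-root binary the environment is
 * attacker-controlled, so a value longer than the buffer overwrites the
 * saved return address. Shown for contrast; main() does not call it. */
void load_root_unchecked(const char *value)
{
    char root[PATH_BUF];
    strcpy(root, value);   /* no length check */
    (void)root;
}

/* Hardened pattern: explicit length check, bounded copy, and a refusal
 * to accept anything that could not be a directory path anyway. */
int load_root_checked(const char *value, char *out, size_t outsz)
{
    if (value == NULL) return -1;
    size_t n = strlen(value);
    if (n == 0 || n >= outsz) return -1;        /* would not fit, NUL included */
    if (value[0] != '/') return -1;             /* expect an absolute path */
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)value[i] < 0x20) return -1;   /* no control bytes */
    memcpy(out, value, n + 1);
    return 0;
}

/* Returns 0 if the value would be accepted into a PATH_BUF buffer, -1 if not. */
int interbase_root_accepted(const char *value)
{
    char root[PATH_BUF];
    return load_root_checked(value, root, sizeof root);
}

/* Build a "/AAAA..." value of n bytes and report whether it is accepted. */
int synthetic_value_accepted(size_t n)
{
    char *v = malloc(n + 1);
    if (v == NULL) return -1;
    memset(v, 'A', n);
    if (n > 0) v[0] = '/';
    v[n] = '\0';
    int rc = interbase_root_accepted(v);
    free(v);
    return rc;
}

int main(void)
{
    printf("/opt/interbase accepted: %d\n", interbase_root_accepted("/opt/interbase"));
    printf("600-byte value accepted: %d\n", synthetic_value_accepted(600));
    printf("from the real environment: %d\n", interbase_root_accepted(getenv("INTERBASE")));
    return 0;
}
```

For a setuid binary the length check is the minimum, not the fix: a root-privileged program that opens files under a user-chosen directory has a second problem even when the copy is bounded, which is why such programs normally ignore the environment for privileged paths altogether.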

[ open source ]

WebScripts WebBBS Remote Command Execution Vulnerability
BugTraq ID: 5048
Remote: Yes
Date Published: Jun 18 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5048
Summary:

WebBBS is web-based BBS software, written in Perl.  WebBBS was designed to
run on Unix and Linux variants.

WebBBS does not sufficiently filter shell metacharacters from CGI
parameters.  As a result, remote attackers may execute arbitrary commands
on the underlying shell of the system hosting the vulnerable software.
This issue is known to exist in the 'webbbs_post.pl' script and is due to
insufficient filtering of the 'followup' CGI variable.

Remote attackers may gain local, interactive access to the host with the
privileges of the webserver process as a result of successful
exploitation.
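Added example, not WebBBS's code (which is Perl; this digest keeps its
examples in C): the denylist of shell metacharacters, useful for spotting
attempts in logs, beside the allowlist a script should actually apply to a
parameter like 'followup' before the value can reach a shell. The assumed
format of a followup reference (a short run of [A-Za-z0-9._-]) and the
sample payloads are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Denylist: characters that mean something to /bin/sh. Fine for detection,
 * but as a filter it is only ever as good as the list. */
int has_shell_metachar(const char *s)
{
    static const char bad[] = ";|&$`<>()[]{}*?!~\\'\"\n\r";
    for (; *s; s++)
        if (strchr(bad, *s))
            return 1;
    return 0;
}

/* Allowlist: accept only what a followup reference is expected to look
 * like (assumed: 1..64 bytes of [A-Za-z0-9._-]) and refuse everything else.
 * Nothing that passes can be shell syntax, regardless of what /bin/sh
 * happens to treat specially. */
int followup_is_safe(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: a normal followup id and an injection attempt. */
    const char *samples[] = { "12345", "12345|id", "12345;mail x@example.org </etc/passwd" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s metachar=%d allowed=%d\n", samples[i],
               has_shell_metachar(samples[i]), followup_is_safe(samples[i]));
    return 0;
}
```

In the Perl the advisory concerns, the equivalent fix is to validate with an anchored regex and then avoid the shell entirely (three-argument open, list-form system), so that even a bad validator cannot hand the value to /bin/sh.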

Mandrake 8.2 Msec Insecure Default Permissions Vulnerability
BugTraq ID: 5050
Remote: No
Date Published: Jun 18 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5050
Summary:

Mandrake ships with an interface for setting and maintaining system-wide
security policy during an install of the operating system.  This
functionality is provided by the Mandrake-Security package (msec).
Various settings provide differing levels of security.

The Mandrake 8.2 version of msec installs home directories with
world-readable permissions on the Standard security setting.  This is
misleading as the Standard (msec level 2) security setting is intended to
be ideal for systems which have multiple local users.  This may expose
contents of home directories to other local users.  Additionally, msec
will proactively reset the permissions of home directories if they are
changed from the default world-readable permissions.

msec is a mandatory component of Mandrake 8.2 and may not be deselected
during an install of the operating system.

It should be noted that it is still possible to ensure more secure home
directory permissions by using a more restrictive msec setting.

Apache Tomcat Web Root Path Disclosure Vulnerability
BugTraq ID: 5054
Remote: Yes
Date Published: Jun 19 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5054
Summary:

Apache Tomcat is a freely available, open source web server maintained by
the Apache Foundation. It is available for use on Unix and Linux variants
as well as Microsoft Windows operating environments.

A vulnerability has been reported for Apache Tomcat 4.0.3 on Microsoft
Windows. Reportedly, a remote attacker can make requests that cause
Tomcat to return an error page containing the absolute path to the
server's web root.

For example, requesting the Windows reserved device name LPT9 results in
the following error message: "java.io.FileNotFoundException: C:\Program
Files\Apache Tomcat 4.0\webapps\ROOT\lpt9 (The system cannot find the file
specified)"

Gaining knowledge of path information could assist an attacker in further
attacks against the host.
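Added example, not Tomcat's code (which is Java): the check a file-serving
component on Windows needs, rejecting request path components that name
reserved DOS devices, case-insensitively and with or without an extension,
before the name ever reaches the filesystem. The device list is the
standard Windows set; the request paths are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Windows reserves these names in every directory, whatever the case and
 * whatever extension follows: opening "...\lpt9" hits the device, not a
 * file, and the resulting exception carried the full path. */
static const char *const reserved[] = {
    "CON", "PRN", "AUX", "NUL",
    "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
    "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9",
};

static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)a[i]) != toupper((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Returns 1 if a single path component is a reserved device name. The
 * comparison stops at the first '.', so "lpt9.txt" and "LPT9" both match
 * while "lpt10" and "console" do not. */
int is_reserved_component(const char *comp)
{
    size_t base = strcspn(comp, ".");
    if (base == 0) return 0;
    for (size_t i = 0; i < sizeof reserved / sizeof reserved[0]; i++)
        if (strlen(reserved[i]) == base && ieq(comp, reserved[i], base))
            return 1;
    return 0;
}

/* Returns 1 if any '/'-separated component of a request path is reserved. */
int request_path_is_reserved(const char *path)
{
    const char *p = path;
    while (*p) {
        while (*p == '/') p++;
        if (!*p) break;
        const char *end = p + strcspn(p, "/");
        size_t n = (size_t)(end - p);
        char comp[64];
        if (n < sizeof comp) {
            memcpy(comp, p, n);
            comp[n] = '\0';
            if (is_reserved_component(comp)) return 1;
        }
        p = end;
    }
    return 0;
}

int main(void)
{
    const char *paths[] = { "/lpt9", "/docs/LPT9.txt", "/index.html", "/console" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-16s reserved=%d\n", paths[i], request_path_is_reserved(paths[i]));
    return 0;
}
```

The second half of the fix is independent of this check: an error page for a missing resource should never echo the filesystem path, only the request URI, so that whatever slips past the name filter still discloses nothing.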

IRSSI Long Malformed Topic Denial Of Service Vulnerability
BugTraq ID: 5055
Remote: Yes
Date Published: Jun 19 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5055
Summary:

irssi is a freely available, open source irc client. irssi is available
for the Linux and Unix operating systems.

irssi version 0.8.4 is prone to a denial of service when a user joins a
channel with a long, malformed topic.  When the string
"\x1b\x5b\x30\x6d\x0d\x0a" (ESC [ 0 m CR LF) is appended to an overly
long topic, irssi crashes, resulting in a denial of service.

An attacker can cause irssi clients to crash by changing the topic of a
channel while users are still online or by enticing users to join channels
with malformed topic descriptions.

An attacker may take advantage of this vulnerability to deny service to
legitimate users.
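Added example, not irssi's code: the two defences a client needs on a
server-supplied topic, a hard length bound and neutralisation of control
bytes, applied to a constructed topic that ends in the advisory's trigger
sequence. The 390-byte limit is an assumption standing in for whatever the
client's display layer can hold.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOPIC_MAX 390   /* assumed limit for a displayed topic */

/* Copy a topic into out, truncating to at most TOPIC_MAX bytes and
 * replacing control bytes (ESC, CR, LF, DEL, ...) with spaces so that
 * terminal escape sequences never reach the display layer. Returns the
 * number of control bytes neutralised. The remaining "[0m" is plain text
 * once its ESC is gone. */
int sanitize_topic(const char *topic, char *out, size_t outsz)
{
    size_t limit = (outsz - 1 < TOPIC_MAX) ? outsz - 1 : TOPIC_MAX;
    size_t o = 0;
    int neutralised = 0;
    for (const unsigned char *p = (const unsigned char *)topic; *p && o < limit; p++) {
        unsigned char c = *p;
        if (c < 0x20 || c == 0x7f) { c = ' '; neutralised++; }
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return neutralised;
}

/* Constructed topic: n bytes of filler followed by the advisory's
 * sequence ESC [ 0 m CR LF. */
static void build_topic(size_t n, char *buf, size_t bufsz)
{
    static const char trigger[] = "\x1b\x5b\x30\x6d\x0d\x0a";
    if (n > bufsz - sizeof trigger) n = bufsz - sizeof trigger;
    memset(buf, 'X', n);
    memcpy(buf + n, trigger, sizeof trigger);   /* includes the terminating NUL */
}

/* How many control bytes the sanitizer removed from an n-byte-filler topic. */
int demo_long_topic_neutralised(size_t n)
{
    char topic[1024], clean[TOPIC_MAX + 1];
    build_topic(n, topic, sizeof topic);
    return sanitize_topic(topic, clean, sizeof clean);
}

/* Length of the sanitized result for an n-byte-filler topic. */
size_t demo_long_topic_len(size_t n)
{
    char topic[1024], clean[TOPIC_MAX + 1];
    build_topic(n, topic, sizeof topic);
    sanitize_topic(topic, clean, sizeof clean);
    return strlen(clean);
}

int main(void)
{
    printf("380 filler: neutralised=%d len=%zu\n",
           demo_long_topic_neutralised(380), demo_long_topic_len(380));
    printf("600 filler: len=%zu (truncated)\n", demo_long_topic_len(600));
    return 0;
}
```

Truncating is not a substitute for the control-byte pass: the crash trigger here fits comfortably inside any sane length, and the sequence is only harmless once its ESC byte is gone.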


-
To post an announcement: [EMAIL PROTECTED]