Brought to you by our friends at the SANS Institute.



The Linux OpenSSL 'slapper' worm is continuing to make its rounds,
and new variants have been reported. Please keep in mind that
while some variants of the worm check the HTTP server banner before
attacking, other scanner tools can identify a server as vulnerable
even if the HTTP server banner is modified/obfuscated to defeat the
worm. For those of you hoping for a quick workaround, be forewarned:
changing the banner only hides the server from the worm variants that
look at it; the underlying OpenSSL flaw stays exploitable until the
library itself is patched.
http://archives.neohapsis.com/archiv...2-09/0287.html

Among this week's top vulnerabilities are multiple problems in the
Trillian chat client (item {02.38.001} in the Windows category),
a library loading vulnerability in setuid/setgid X applications
(item {02.38.003} in the cross-platform category) and Microsoft
Java VM vulnerabilities in all versions of Windows (item {02.38.019}
in the Windows category).

Until next week,
--Security Alert Consensus Team

************************************************************************

TABLE OF CONTENTS:

{02.38.001} Win - Multiple Trillian vulnerabilities
{02.38.005} Win - Dino's Web server Web root escaping
{02.38.008} Win - MS02-051: RDP protocol information disclosure
{02.38.010} Win - ISS Scanner HTTP response overflow
{02.38.018} Win - IBM WebSphere large header DoS
{02.38.019} Win - MS02-052: Multiple Java VM JDBC vulnerabilities
{02.38.002} Linux - Update {02.37.007}: Cross - Konqueror subframe CSS
and insecure cookie vulnerabilities
{02.38.004} Linux - Update {02.22.001}: xchat DNS query command
execution
{02.38.007} Linux - Update {02.37.002}: Linux - Update {02.33.024}:
Multiple Postgres function buffer overflows
{02.38.011} Linux - Update {02.37.005}: Linux - Update {01.27.039}: PHP
mail() command may bypass safe_mode
{02.38.017} NApps - HP printer/print server/digital sender DNS
vulnerability
{02.38.003} Cross - xfree86 libX11.so LD_PRELOAD vulnerability
{02.38.006} Cross - Squirrel mail CGI multiple CSS vulnerabilities
{02.38.009} Cross - Apache 2.0.42 released, mod_dav DoS
{02.38.012} Cross - Multiple Cisco VPN 5000 client vulnerabilities
{02.38.013} Cross - Multiple Mozilla 1.0 vulnerabilities
{02.38.014} Cross - DB4Web db4Web_c CGI file download
{02.38.016} Cross - Lycos HTMLGear guestbook address CSS
{02.38.020} Cross - Compaq WebES file access
{02.38.021} Cross - JAWmail CGI multiple CSS vulnerabilities
{02.38.022} Cross - phpWeb site CGI inc_prefix code execution
{02.38.023} Cross - Null HTTP server content-length overflow
{02.38.024} Cross - Xoops CGI img tag CSS
{02.38.025} Cross - Tomcat JSP disclosure via DefaultServlet


--- Windows News
-------------------------------------------------------

*** {02.38.001} Win - Multiple Trillian vulnerabilities

Trillian versions 0.74 and prior reportedly contain multiple
vulnerabilities: a PRIVMSG nick buffer overflow; an embedded ident
service buffer overflow; a JOIN channel topic buffer overflow; a
'raw 221' packet buffer overflow; IRC raw message buffer overflows;
and malformed HTML that causes Trillian to crash. The buffer overflows
may allow remote execution of arbitrary code.

These vulnerabilities are not confirmed.

Source: NTBugtraq, SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-q3/0140.html
http://archives.neohapsis.com/archiv...2-q3/0139.html
http://archives.neohapsis.com/archiv...2-09/0258.html
http://archives.neohapsis.com/archiv...2-09/0266.html
http://archives.neohapsis.com/archiv...2-09/0268.html
http://archives.neohapsis.com/archiv...2-09/0282.html

*** {02.38.005} Win - Dino's Web server Web root escaping

Dino's Web server version 1.2 is vulnerable to an encoded directory
traversal attack, thereby allowing remote attackers to access files
outside the Web root.

The advisory indicates confirmation by the vendor, which discontinued
the software.

Source: VulnWatch
http://archives.neohapsis.com/archiv...2-q3/0127.html

*** {02.38.008} Win - MS02-051: RDP protocol information disclosure

Microsoft released MS02-051 ("RDP protocol information
disclosure"). The patch addresses two remote desktop/terminal services
bugs: improper encryption of packets in Windows XP and 2000 could
allow an eavesdropper to recover data from an encrypted session, and
certain malformed RDP packets will crash the Windows XP remote desktop
service.

FAQ and patch:
http://www.microsoft.com/technet/sec...n/MS02-051.asp

Source: Microsoft
http://archives.neohapsis.com/archiv...2-q3/0001.html

*** {02.38.010} Win - ISS Scanner HTTP response overflow

ISS Scanner version 6.2.1 contains a buffer overflow in the handling
of a particular HTTP response. This potentially allows a malicious
Web server to execute arbitrary code on the system running the scanner.

The vendor confirmed this vulnerability and included a patch in
X-Press update 6.17.

Source: VulnWatch
http://archives.neohapsis.com/archiv...2-q3/0119.html

*** {02.38.018} Win - IBM WebSphere large header DoS

IBM WebSphere version 4.0.3 reportedly crashes when a request for
a .jsp file containing a large Host header is received. Whether
this denial of service can lead to the execution of arbitrary code
is uncertain.

The advisory indicates confirmation by the vendor, which released
a patch.

Source: VulnWatch
http://archives.neohapsis.com/archiv...2-q3/0123.html

*** {02.38.019} Win - MS02-052: Multiple Java VM JDBC vulnerabilities

Microsoft released MS02-052 ("Multiple Java VM JDBC
vulnerabilities"). The Microsoft Java VM (virtual machine) shipped
with virtually all versions of Windows and Internet Explorer contains
three different vulnerabilities in the JDBC and other classes that
potentially let a malicious e-mail or Web site execute arbitrary code
on the user's system or crash the browser/VM.

FAQ and patch:
http://www.microsoft.com/technet/sec...n/MS02-052.asp

Source: Microsoft
http://archives.neohapsis.com/archiv...2-q3/0002.html


--- Linux News
---------------------------------------------------------

*** {02.38.002} Linux - Update {02.37.007}: Cross - Konqueror subframe
CSS and insecure cookie vulnerabilities

Debian and Conectiva released updated kdelibs packages that fix the
vulnerability discussed in {02.37.007} ("Cross - Konqueror subframe
CSS and insecure cookie vulnerabilities").

Updated Debian DEBs:
http://archives.neohapsis.com/archiv...2-q3/0105.html

Updated Conectiva RPMs:
http://archives.neohapsis.com/archiv...2-q3/0022.html

Source: Debian, Conectiva
http://archives.neohapsis.com/archiv...2-q3/0105.html
http://archives.neohapsis.com/archiv...2-q3/0022.html

*** {02.38.004} Linux - Update {02.22.001}: xchat DNS query command
execution

Conectiva released updated xchat packages that fix the vulnerability
discussed in {02.22.001} ("xchat DNS query command execution").

Updated RPMs are listed at the reference URL below.

Source: Conectiva
http://archives.neohapsis.com/archiv...2-q3/0023.html

*** {02.38.007} Linux - Update {02.37.002}: Linux - Update {02.33.024}:
Multiple Postgres function buffer overflows

Conectiva released updated postgresql packages that fix the
vulnerability discussed in {02.37.002} ("Linux - Update {02.33.024}:
Multiple Postgres function buffer overflows").

Updated RPMs are listed at the reference URL below.

Source: Conectiva
http://archives.neohapsis.com/archiv...2-q3/0021.html

*** {02.38.011} Linux - Update {02.37.005}: Linux - Update {01.27.039}:
PHP mail() command may bypass safe_mode

Debian released updated PHP packages that fix the vulnerability
discussed in {02.37.005} ("Linux - Update {01.27.039}: PHP mail()
command may bypass safe_mode").

Updated DEBs are listed at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archiv...2-q3/0163.html


--- Network Appliances News
--------------------------------------------

*** {02.38.017} NApps - HP printer/print server/digital sender DNS
vulnerability

An HP advisory indicates that various printer, print server and
digital sender network devices are vulnerable to the DNS resolver
library overflow previously reported in SAC.

These vulnerabilities are confirmed. For a complete list of solutions,
please see the reference URL below.

Source: HP
http://archives.neohapsis.com/archiv...2-q3/0087.html


--- Cross-Platform News
------------------------------------------------

*** {02.38.003} Cross - xfree86 libX11.so LD_PRELOAD vulnerability

The libX11 library included with xfree86 honors the LD_PRELOAD
environment variable, thereby allowing a local attacker to potentially
execute arbitrary code with elevated privileges via available
setuid/setgid X-based applications.

This vulnerability is confirmed. Updated SuSE RPMs are listed at:
http://archives.neohapsis.com/archiv...2-q3/1116.html

Source: SuSE
http://archives.neohapsis.com/archiv...2-q3/1116.html
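The exposure from this item is "which setuid/setgid binaries on my box pull in libX11?". The following inventory script is an added example, not SuSE's code or part of the advisory: it walks a set of assumed directories, picks out regular files with the setuid or setgid bit, and runs ldd on each to see whether libX11.so is among its dependencies. The directory list and the sample ldd output in the test are constructed; run it as root for a complete listing.

```python
"""List setuid/setgid binaries that link against libX11.
Added example for {02.38.003}; SEARCH_DIRS is an assumed starting set."""
import os
import stat
import subprocess

SEARCH_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin",
               "/usr/X11R6/bin", "/usr/local/bin")   # assumed


def is_setid(mode: int) -> bool:
    """True for a regular file carrying setuid or setgid. Symlinks and
    directories (which may also carry setgid) are deliberately excluded."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def libs_from_ldd(output: str) -> set:
    """Parse `ldd` output into the set of bare library file names."""
    libs = set()
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("statically linked") \
                or "not a dynamic executable" in line:
            continue
        # Lines look like "libX11.so.6 => /usr/lib/libX11.so.6 (0x...)"
        # or "/lib64/ld-linux-x86-64.so.2 (0x...)".
        name = line.split("=>")[0].strip().split()[0]
        libs.add(os.path.basename(name))
    return libs


def links_libx11(libs: set) -> bool:
    return any(lib.startswith("libX11.so") for lib in libs)


def find_setid_binaries(dirs=SEARCH_DIRS):
    """Yield paths of setuid/setgid regular files under dirs."""
    for top in dirs:
        for root, _, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)      # lstat: do not follow symlinks
                except OSError:
                    continue
                if is_setid(st.st_mode):
                    yield path


def exposed_binaries(dirs=SEARCH_DIRS):
    """Return the setuid/setgid binaries whose ldd output names libX11."""
    found = []
    for path in find_setid_binaries(dirs):
        try:
            out = subprocess.run(["ldd", path], capture_output=True,
                                 text=True, timeout=10).stdout
        except (OSError, subprocess.TimeoutExpired):
            continue
        if links_libx11(libs_from_ldd(out)):
            found.append(path)
    return found


if __name__ == "__main__":
    for path in exposed_binaries():
        print(path)
```

Two caveats: ldd only reports DT_NEEDED dependencies, so a binary that reaches libX11 through dlopen() will not show up; and ldd works by running the program's dynamic loader, so use it only on binaries you trust, which these system-installed ones should be.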

*** {02.38.006} Cross - Squirrel mail CGI multiple CSS vulnerabilities

Squirrel mail version 1.2.7 reportedly contains multiple cross-site
scripting problems in the various PHP pages.

The vendor confirmed these vulnerabilities and indicated they are
fixed in version 1.2.8.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-09/0246.html
http://archives.neohapsis.com/archiv...2-09/0248.html

*** {02.38.009} Cross - Apache 2.0.42 released, mod_dav DoS

Apache version 2.0.42 was released. In addition to the usual bug fixes,
this version fixes a denial of service attack possible in mod_dav.

The latest source code can be downloaded from:
http://httpd.apache.org/

Source: Apache
http://archives.neohapsis.com/archiv...2002/0017.html

*** {02.38.012} Cross - Multiple Cisco VPN 5000 client vulnerabilities

A Cisco advisory indicates the VPN 5000 clients on MacOS, Solaris
and Linux contain various security vulnerabilities: the MacOS client
incorrectly saves the login password in plain text and the Solaris
and Linux clients contain buffer overflows in various included setuid
applications that let a local attacker gain root privileges.

The vendor confirmed these vulnerabilities and released updates.

Source: Cisco
http://archives.neohapsis.com/archiv...2-q3/0009.html

*** {02.38.013} Cross - Multiple Mozilla 1.0 vulnerabilities

This is a general entry to point out that the various security bugs
in Mozilla 1.0 were fixed in version 1.0.1. The vulnerabilities were a
mix of local and remote issues, and some were previously reported. This
item is really just to raise awareness of the various problems that
exist in Mozilla 1.0.

These vulnerabilities were fixed in Mozilla version 1.0.1.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-09/0228.html

*** {02.38.014} Cross - DB4Web db4Web_c CGI file download

The db4Web_c CGI included with the DB4Web server allows remote
attackers to download arbitrary files outside the Web root by
submitting a particular URL request. Another bug in DB4Web allows a
remote attacker to proxy port scans through the db4Web_c CGI.

The vendor confirmed this vulnerability and released a patch, which
is available at:
http://www.db4Web.de/DB4Web/home/DB4Web/hotfix_e.html

Source: VulnWatch
http://archives.neohapsis.com/archiv...2-q3/0124.html
http://archives.neohapsis.com/archiv...2-q3/0125.html
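Both the Dino's Web server item ({02.38.005}) and this DB4Web item come down to a request path being mapped onto the filesystem before it has been fully decoded and normalised. The function below is an added example of the check a server should make, not code from either product: it strips the query string, percent-decodes until the string stops changing (so a double-encoded %252e%252e is caught), treats backslash as a separator, joins onto the document root, collapses dot segments, and only then compares against the root. WEB_ROOT and the sample requests are constructed.

```python
"""Resolve a request path under a Web root and refuse anything that escapes
it. Added example; WEB_ROOT and the requests below are constructed."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"      # assumed document root


def decode_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so a double-encoded
    %252e%252e%252f is seen as ../ rather than as a harmless literal.
    The round limit stops a hostile input from keeping us busy."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            return cur
        cur = nxt
    raise ValueError("too many encoding layers")


def resolve_under_root(raw_path: str, root: str = WEB_ROOT) -> str:
    """Return the absolute filesystem path for a request path, or raise
    ValueError if the request would read outside root. Order matters:
    drop the query string, decode every encoding layer, normalise the
    separators, join onto the root, collapse dot segments, then compare."""
    path = raw_path.split("?", 1)[0]
    path = decode_path(path)
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    # A server on Windows treats backslash as a separator too, so ..\ must
    # be caught by the same check as ../.
    path = path.replace("\\", "/")
    root_norm = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root_norm, path.lstrip("/")))
    if full != root_norm and not full.startswith(root_norm + "/"):
        raise ValueError("path escapes web root: %s" % full)
    return full


def is_safe(raw_path: str, root: str = WEB_ROOT) -> bool:
    try:
        resolve_under_root(raw_path, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for req in ("/index.html",
                "/docs/../index.html",
                "/../../../etc/passwd",
                "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                "/%252e%252e/%252e%252e/%252e%252e/etc/passwd",
                "/..%5c..%5c..%5cboot.ini",
                "/index.html%00.jpg"):
        print("%-48s %s" % (req, "ok" if is_safe(req) else "REJECT"))
```

On a real filesystem, compare the result of os.path.realpath() rather than the lexical path, otherwise a symlink inside the root can still point outside it. The check is lexical on purpose here so it runs offline.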

*** {02.38.016} Cross - Lycos HTMLGear guestbook address CSS

The Lycos HTMLGear guestbook application contains a cross-site
scripting vulnerability in the handling of the e-mail or Web addresses.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-09/0198.html

*** {02.38.020} Cross - Compaq WebES file access

An HP/Compaq advisory indicates that the WebES Compaq Analyze service
suite on all platforms contains a vulnerability that allows local
and remote attackers to access arbitrary files on the system.

The vendor confirmed this vulnerability and is currently working on
a patch.

Source: HP/Compaq
http://archives.neohapsis.com/archiv...2-q3/0013.html

*** {02.38.021} Cross - JAWmail CGI multiple CSS vulnerabilities

The JAWmail CGI suite version 1.0-rc1 reportedly contains multiple
cross-site scripting errors in the displaying of various e-mail
elements.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-09/0270.html

*** {02.38.022} Cross - phpWeb site CGI inc_prefix code execution

phpWeb site version 0.8.2 reportedly does not properly handle the
inc_prefix URL parameter. This allows a remote attacker to trick the
application into executing arbitrary PHP code located on a malicious
Web server.

The advisory indicates confirmation by the vendor, which released
version 0.8.3.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-09/0275.html

*** {02.38.023} Cross - Null HTTP server content-length overflow

The Null HTTP Server version 0.5.0 incorrectly handles negative
content-length HTTP header values. This causes a heap buffer overflow
to occur and allows a remote attacker to execute arbitrary code.

The vendor confirmed this vulnerability and released version 0.5.1,
which is available at:
http://prdownloads.sourceforge.net/n...d-0.5.1.tar.gz

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-09/0284.html
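The Null HTTP server bug above and the WebSphere large-Host-header crash ({02.38.018}) are the two classic header-handling failures: trusting a length the client supplied, and buffering a header line without a limit. The code below is an added example, not code from either product. It shows the naive shape that trusts Content-Length (in Python a negative count makes read() consume everything the peer sends; in C the same value converted to size_t overruns the small heap buffer it was meant to fill) beside a parser that accepts only unsigned digits under a cap and bounds header line length and count. The limits and sample requests are constructed.

```python
"""Naive vs bounded HTTP request parsing. Added example; the limits and
the sample requests are constructed."""
import io
import re

MAX_HEADER_LINE = 8192     # assumed limit, bytes per header line
MAX_HEADER_COUNT = 100     # assumed limit
MAX_BODY = 1 << 20         # assumed limit, bytes


class BadRequest(ValueError):
    pass


def naive_read_body(stream, headers):
    """The vulnerable shape: trust whatever Content-Length says.
    int("-1") is -1, and read(-1) returns everything until EOF."""
    n = int(headers.get("content-length", "0"))
    return stream.read(n)


def parse_content_length(value: str) -> int:
    """Digits only (no sign, no exotic whitespace), then a size cap."""
    value = value.strip()
    if not re.fullmatch(r"[0-9]{1,10}", value):
        raise BadRequest("Content-Length must be a non-negative integer")
    n = int(value)
    if n > MAX_BODY:
        raise BadRequest("body too large")
    return n


def _read_line(stream) -> bytes:
    # readline(limit) returns at most limit bytes; a line that has not
    # ended in LF within that budget is too long or truncated, and either
    # way we stop before buffering an unbounded header.
    line = stream.readline(MAX_HEADER_LINE + 2)
    if not line.endswith(b"\n"):
        raise BadRequest("header line too long or truncated")
    return line.rstrip(b"\r\n")


def read_request(stream):
    """Read request line, headers and body from a binary stream with hard
    limits on line length, header count and body size."""
    request_line = _read_line(stream).decode("ascii", "replace")
    headers = {}
    while True:
        line = _read_line(stream)
        if line == b"":
            break
        if len(headers) >= MAX_HEADER_COUNT:
            raise BadRequest("too many headers")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise BadRequest("malformed header line")
        headers[name.strip().lower().decode("ascii", "replace")] = \
            value.strip().decode("latin-1")
    length = parse_content_length(headers.get("content-length", "0"))
    body = stream.read(length)
    if len(body) != length:
        raise BadRequest("body shorter than Content-Length")
    return request_line, headers, body


def parse_request_bytes(data: bytes):
    """Wrapper for callers that hold the whole request in memory."""
    return read_request(io.BytesIO(data))


def is_rejected(data: bytes) -> bool:
    try:
        parse_request_bytes(data)
        return False
    except BadRequest:
        return True


def naive_body_from_bytes(data: bytes, content_length: str) -> bytes:
    return naive_read_body(io.BytesIO(data), {"content-length": content_length})


if __name__ == "__main__":
    good = (b"POST /index.jsp HTTP/1.0\r\nHost: www.example.test\r\n"
            b"Content-Length: 5\r\n\r\nhello")
    print(parse_request_bytes(good))
    # Negative length: the naive reader swallows all 50 KB the peer sent;
    # the bounded parser refuses the header outright.
    print(len(naive_body_from_bytes(b"A" * 50000, "-1")))
    print(is_rejected(b"POST / HTTP/1.0\r\nContent-Length: -1\r\n\r\n"))
    print(is_rejected(b"GET /x.jsp HTTP/1.0\r\nHost: " + b"A" * 20000 + b"\r\n\r\n"))
```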

*** {02.38.024} Cross - Xoops CGI img tag CSS

The Xoops CGI suite version RC3.0.4 does not properly handle image
tags, thereby leading to a cross-site scripting vulnerability.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-09/0286.html
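Four items in this issue (Squirrel mail {02.38.006}, Lycos HTMLGear {02.38.016}, JAWmail {02.38.021} and Xoops above) are the same class of bug: a user-supplied value, whether a mail address, a Web address, an e-mail element or an image tag, is written back into a page without encoding. The code below is an added example of the rendering side done properly, not code from any of those products; the field names, the [img]...[/img] syntax and the scheme allow-list are assumptions. Every text field is HTML-escaped, and the two address fields become links only when they validate against an allow-list of schemes, which is what stops javascript: and its whitespace-padded variants.

```python
"""Render untrusted guestbook/message fields without cross-site scripting.
Added example; field names, [img] syntax and scheme policy are assumed."""
import html
import re
from typing import Optional
from urllib.parse import urlsplit

LINK_SCHEMES = {"http", "https"}          # assumed policy for Web addresses
IMG_SCHEMES = {"http", "https"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IMG_RE = re.compile(r"\[img\](.*?)\[/img\]", re.I | re.S)


def safe_url(value: str, schemes=LINK_SCHEMES) -> Optional[str]:
    """Accept only absolute URLs whose scheme is on the allow-list.
    Control characters and whitespace are removed before parsing because
    browsers of this era ran "java\tscript:" and " javascript:", which a
    naive startswith() check misses. Deny-listing bad schemes is the wrong
    way round; allow-list the few you need."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    parts = urlsplit(cleaned)          # urlsplit lower-cases the scheme
    if parts.scheme not in schemes or not parts.netloc:
        return None
    return cleaned


def render_message(text: str) -> str:
    """Escape free text and turn [img]url[/img] into an <img> only when the
    URL passes safe_url. A rejected tag is shown literally, escaped, so the
    payload is visible but inert."""
    out, pos = [], 0
    for m in IMG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = safe_url(m.group(1), IMG_SCHEMES)
        if url is None:
            out.append(html.escape(m.group(0)))
        else:
            # html.escape also encodes " and ', so a quote inside the URL
            # cannot close the attribute and start an onerror= handler.
            out.append('<img src="%s" alt="">' % html.escape(url))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def render_entry(name: str, email: str, website: str, message: str) -> str:
    """One guestbook entry: every text field HTML-escaped, the two address
    fields linked only when they validate."""
    parts = ['<div class="entry"><b>%s</b>' % html.escape(name)]
    if EMAIL_RE.fullmatch(email):
        parts.append(' <a href="mailto:%s">mail</a>' % html.escape(email))
    site = safe_url(website, LINK_SCHEMES)
    if site is not None:
        parts.append(' <a href="%s">%s</a>' % (html.escape(site),
                                               html.escape(site)))
    parts.append("<p>%s</p></div>" % render_message(message))
    return "".join(parts)


if __name__ == "__main__":
    print(render_entry("<script>alert(1)</script>", "a@b.test",
                       "javascript:alert(document.cookie)",
                       'hi [img]http://example.test/a.gif" onerror="alert(1)[/img]'))
```

Note that the context matters: html.escape() is correct for element text and for quoted attribute values, which is all this example emits. A value placed inside a <script> block or an unquoted attribute needs a different encoding, so the safest rule is never to emit user data into those contexts at all.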

*** {02.38.025} Cross - Tomcat JSP disclosure via DefaultServlet

Apache Tomcat versions 4.0.4 and 4.1.10 display the source code to JSP
pages when invoked via the org.apache.catalina.servlets.DefaultServlet
servlet included by default with Tomcat.

The vendor confirmed this vulnerability and released versions 4.0.5
and 4.1.12.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-09/0288.html