W3M Frame Enabled Browsing Cross Site Scripting Vulnerability
BugTraq ID: 6793
Remote: Yes
Date Published: Feb 07 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6793
Summary:
W3M is a text-based Web browser. It is developed for several platforms including Linux and Unix variant operating systems. A cross site scripting vulnerability has been reported for W3M if frames support is enabled. Due to inadequate sanitization of some HTML tags, it is possible for an attacker to steal another user's cookie information or other sensitive data. Specifically, W3M does not fully sanitize malicious HTML code from FRAME tags. It should be noted that this vulnerability is exploitable only if W3M is executed with the '-F' commandline option. This vulnerability has been reported to affect W3M 0.3.2. It is likely that earlier versions are affected.

W3M Image Attribute Cross Site Scripting Vulnerability
BugTraq ID: 6794
Remote: Yes
Date Published: Feb 07 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6794
Summary:
W3M is a text-based Web browser. It is developed for several platforms including Linux and Unix variant operating systems. A cross site scripting vulnerability has been reported for W3M. Due to inadequate sanitization of some HTML tags, it is possible for an attacker to steal another user's cookie information or other sensitive data. Specifically, W3M does not fully sanitize malicious HTML code from IMAGE tags. This vulnerability has been reported to affect W3M 0.3.2.2 and earlier.

Red Hat Linux User Mode Linux SetUID Installation Vulnerability
BugTraq ID: 6801
Remote: No
Date Published: Feb 07 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6801
Summary:
Red Hat Linux is a freely available, open source operating system distributed by Red Hat Incorporated. A problem with a component of the kernel-utils package may make it possible for local users to perform unauthorized activities. It has been reported that under some circumstances, Red Hat Linux may allow unauthorized actions through User-Mode-Linux compatibility.
Due to permissions on some components installed with the User-Mode-Linux utilities, a local user could perform actions on the system that require privilege, potentially affecting local host security. The problem is in the setuid bit given to the uml_net program. When installed with the kernel-utils package, the program is installed setuid root. A local user could execute this program to control network interfaces, or manipulate some network settings.

Netgear FM114P Wireless Firewall File Disclosure Vulnerability
BugTraq ID: 6807
Remote: Yes
Date Published: Feb 10 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6807
Summary:
Netgear FM114P Cable/DSL Prosafe 802.11b Wireless Firewall is a hardware appliance that can allow several systems to share a single broadband Internet connection. The device also includes a firewall and is managed through a web interface. A directory traversal vulnerability exists in the FM114P's web administration interface. The firewall does not properly sanitize URL requests. Starting from the upnp/service directory on the firewall, it is possible for an unauthenticated user to traverse out of this directory using escaped character sequences. Submitting the following request to the firewall would retrieve the configuration file:

http://<ip-or-hostname>:<port>/upnp/service/%2e%2e%2fnetgear.cfg

This could allow an unauthenticated user to retrieve the firewall's configuration file and possibly other sensitive information. This vulnerability was reported to affect firmware version 1.4 Beta 17. Other versions may also be affected.

Nethack Local Buffer Overflow Vulnerability
BugTraq ID: 6806
Remote: No
Date Published: Feb 10 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6806
Summary:
Nethack is a game included with several distributions of Linux including RedHat Linux. It has been reported that Nethack fails to drop privileges, potentially resulting in privilege escalation.

A buffer overflow has been discovered in Nethack when invoked with the '-s' command line option. By passing an overly large string, consisting of at least 1000 characters, to the '-s' command line option of /usr/games/lib/nethackdir/nethack, it is possible to corrupt memory. By exploiting this issue it may be possible for an attacker to overwrite values in sensitive areas of memory, resulting in the execution of arbitrary attacker-supplied code. Nethack distributed with RedHat Linux is shipped with setgid 'games' privileges. Successful exploitation would result in the escalation of privileges to the 'games' group, which could result in the corruption of saved game data, as well as storage consumption.

Cisco IOS ICMP Redirect Routing Table Modification Vulnerability
BugTraq ID: 6823
Remote: Yes
Date Published: Feb 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6823
Summary:
Internet Operating System (IOS) is the firmware used on Cisco routers. It is distributed and maintained by Cisco. It has been reported that it is possible to make arbitrary remote modifications to the Cisco IOS routing table. If IP routing is disabled on a vulnerable router, the router will accept malicious ICMP redirect packets and modify its routing table accordingly. ICMP redirect messages are normally sent to indicate inefficient routing, a new route or a routing change. An attacker may specify a default gateway on the local network that does not exist; this would effectively deny service to any destination outside the local subnet. This vulnerability requires that IP routing be explicitly disabled on the system using an affected version of Cisco IOS, thus making the router a host on the network. The attacker may also intercept network data by making routing table modifications to redirect network communications through the attacker's machine.
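The Netgear FM114P entry above describes a traversal out of the upnp/service directory using escaped character sequences. The Python below is an added example, not code from the advisory or from Netgear, showing the check a web server or log reviewer would apply: percent-decode the request path until it stops changing (so a doubly encoded sequence is not missed), normalize it, and test whether it still lies under the directory that is supposed to be served; the same check is then run over a few constructed access-log lines. The log lines, the client addresses (documentation range 192.0.2.0/24) and the function names are all the example's own.

```python
import posixpath
import re
from urllib.parse import unquote

# Common-log-format line: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def decode_fully(path, max_rounds=3):
    """Percent-decode until the result stops changing.

    A single unquote() turns %2e%2e%2f into ../, but a doubly encoded
    %252e%252e%252f only becomes ../ on the second round, so a check that
    decodes once and then looks for '..' would miss it.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_directory(raw_path, base):
    """True if raw_path, once decoded and normalized, resolves outside base."""
    path = raw_path.split("?", 1)[0]        # drop the query string
    path = decode_fully(path)
    path = path.replace("\\", "/")          # treat backslash as a separator too
    path = re.sub(r"/+", "/", path)         # collapse // so normpath has no special case
    normalized = posixpath.normpath(path)   # resolves . and .. segments
    base_norm = posixpath.normpath(base)
    inside = normalized == base_norm or normalized.startswith(base_norm + "/")
    return not inside


def scan_access_log(lines, base):
    """Return (client, raw_path) for requests aimed at base whose path escapes it."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, raw_path = m.group(1), m.group(3)
        if raw_path.startswith(base) and escapes_directory(raw_path, base):
            hits.append((client, raw_path))
    return hits


# Constructed sample log (not real traffic); the second and third requests are
# the advisory's traversal pattern, once plainly encoded and once doubly encoded.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Feb/2003:10:01:02 +0000] "GET /upnp/service/scpd.xml HTTP/1.1" 200 512',
    '192.0.2.77 - - [10/Feb/2003:10:01:09 +0000] "GET /upnp/service/%2e%2e%2fnetgear.cfg HTTP/1.1" 200 4096',
    '192.0.2.77 - - [10/Feb/2003:10:01:15 +0000] "GET /upnp/service/%252e%252e%252fnetgear.cfg HTTP/1.1" 404 0',
    '192.0.2.10 - - [10/Feb/2003:10:02:00 +0000] "GET /index.htm HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for client, path in scan_access_log(SAMPLE_LOG, "/upnp/service/"):
        print(f"traversal attempt from {client}: {path}")
```

The decisive step is comparing the normalized path against the served directory rather than searching the raw URL for a literal "../": the raw request never contains those characters, which is exactly why the device's own check missed it.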
Ericsson HM220dp DSL Modem World Accessible Web Administration Interface Vulnerability
BugTraq ID: 6824
Remote: Yes
Date Published: Feb 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6824
Summary:
The Ericsson HM220dp DSL Modem is a broadband modem used in homes and small office environments. The modem uses a web interface to allow remote administration and configuration. This interface does not require users to authenticate in any way in order to access it. The modem also does not allow users to enable any form of authentication. Remote attackers may connect to the interface and change configuration settings to render the modem unusable until it is reset or reconfigured.

APC apcupsd Client Syslog Format String Vulnerability
BugTraq ID: 6828
Remote: Unknown
Date Published: Feb 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6828
Summary:
Apcupsd provides UPS power management under Linux and BSD systems for APC products. A vulnerability has been reported for the apcupsd client that may result in an attacker obtaining elevated privileges on the vulnerable system. The 'log_event' function in 'apclog.c' contains an insecure instance of a syslog() call. Due to this programming error, it may be possible to exploit a format string vulnerability in the apcupsd 'log_event' function. When the program is invoked using the vulnerable function, it may be possible to exploit a format string vulnerability through the generation of a malicious log event that contains attacker-supplied format strings. In the event that this vulnerability is exploited, an attacker could cause arbitrary locations in memory to be corrupted with attacker-specified data and execute code with the privileges of the apcupsd user.
CGI Lite Perl Module Metacharacter Input Validation Vulnerability
BugTraq ID: 6833
Remote: Yes
Date Published: Feb 11 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6833
Summary:
CGI Lite is a freely available Perl module that is used to decode form and query information, including file uploads and cookies. A vulnerability has been reported in the escape_dangerous_chars() function, which is a part of the CGI Lite Perl module. The function does not sufficiently sanitize all instances of potentially dangerous characters. As the end result, externally supplied input may not be adequately sanitized before being used in other Perl functions. This will create a false sense of security and may allow an attacker to execute arbitrary commands via a CGI program which depends on the vulnerable function. The following characters are not sanitized by the function:

\, ?, ~, ^, \n, \r

If the function is used as part of a CGI application to sanitize externally supplied input before passing it to Perl functions such as system() or open(), it may be possible to execute commands on the underlying shell of the host. It should be noted that these other functions would need to be called in an unsafe manner for this issue to be exploited. Commands executed as a consequence of exploiting this issue will be in the context of the webserver process.
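The CGI Lite entry above lists characters that escape_dangerous_chars() leaves untouched. The Python below is an added example, not CGI Lite's code or a port of it: naive_escape is a constructed stand-in for a blocklist escaper that handles a familiar set of shell metacharacters but, like the routine in the advisory, not the six listed; unescaped_metachars is the check a maintainer can run against any escaping routine to see which of those characters pass through unchanged; and validate_name with build_argv shows the approach that removes the problem rather than patching the list: an allowlist on the input and an argument vector handed to the program directly, never a command string handed to a shell. All function names and the sample inputs are the example's own.

```python
import re
import shlex

# Characters the advisory says escape_dangerous_chars() does not sanitize.
UNHANDLED = ["\\", "?", "~", "^", "\n", "\r"]


def naive_escape(value):
    """Constructed stand-in for a blocklist escaper (not CGI Lite's code).

    It backslash-escapes a common set of shell metacharacters but does
    nothing about the ones in UNHANDLED, which is the shape of the bug.
    """
    return re.sub(r"""([;&|<>`$"'() *])""", r"\\\1", value)


def unescaped_metachars(escaper, candidates=UNHANDLED):
    """Return the candidate characters that escaper passes through unchanged.

    Testing each character in isolation keeps the check independent of how
    the escaper chooses to encode things (backslashes, quoting, or removal).
    """
    return [ch for ch in candidates if escaper(ch) == ch]


def compare_escapers():
    """Which of the advisory's characters each escaper lets through unchanged."""
    return {
        "naive_escape": unescaped_metachars(naive_escape),
        "shlex.quote": unescaped_metachars(shlex.quote),
    }


# Allowlist: a plain file-name-like token. Anything else is rejected outright,
# so newline, carriage return, backslash and the rest never reach a command.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def validate_name(value):
    """Accept only values matching SAFE_NAME; raise on anything else."""
    if not SAFE_NAME.fullmatch(value):
        raise ValueError(f"rejected input: {value!r}")
    return value


def build_argv(program, user_value):
    """Argument vector for subprocess.run(argv) without shell=True.

    The value travels as a single argv element that no shell ever parses, so
    metacharacters in it are inert; the allowlist is still applied so that a
    hostile value cannot be taken as an option or an unexpected path. The
    '--' assumes the target program treats it as end-of-options.
    """
    return [program, "--", validate_name(user_value)]


if __name__ == "__main__":
    for name, survivors in compare_escapers().items():
        print(f"{name}: unescaped {survivors!r}")
    print(build_argv("/usr/bin/wc", "report-2003.txt"))
```

The comparison shows why a quoting function (shlex.quote here) fares better than a hand-maintained blocklist, but the argv-plus-allowlist route is still the one to prefer: it does not depend on any escaper being complete, which is exactly the property the advisory says escape_dangerous_chars() lacks.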