SecurityFocus Microsoft Newsletter #268
----------------------------------------
This Issue is Sponsored By: CipherTrust
CipherTrust Products have been nominated! Please Vote in the SC
Magazine Awards.
IronMail Gateway - Best E-Mail Security
http://www.scawards.com/vote4a.asp?Area_ID=1&Cat_ID=7&Sub_ID=2&Prod_ID=122
IronMail Gateway - Best Anti-Spam
http://www.scawards.com/vote4a.asp?Area_ID=1&Cat_ID=5&Sub_ID=2&Prod_ID=87
------------------------------------------------------------------
I. FRONT AND CENTER
1. Evading NIDS, revisited
2. Regaining control
II. MICROSOFT VULNERABILITY SUMMARY
1. Microsoft Windows SynAttackProtect Predictable Hash Remote Denial of
Service Vulnerability
2. Sun Java Runtime Environment Multiple Privilege Escalation
Vulnerabilities
3. Cisco Security Agent Unspecified Local Privilege Escalation
Vulnerability
4. Microsoft Internet Explorer CSS Import Cross-Domain Restriction Bypass
Vulnerability
5. Drupal Image Upload HTML Injection Vulnerability
6. Citrix Multiple Applications Login Form Cross-Site Scripting
Vulnerability
7. Microsoft Windows CreateRemoteThread Local Denial of Service
Vulnerability
8. Drupal View User Profile Authorization Bypass Vulnerability
9. Drupal Submitted Content HTML Injection Vulnerability
10. PHPX Admin Login.PHP SQL Injection Vulnerability
11. WinEggDropShell Multiple Remote Buffer Overflow Vulnerabilities
12. Zen Cart Password_Forgotten.PHP SQL Injection Vulnerability
13. Real Networks RealPlayer Unspecified Remote Code Execution
Vulnerability
14. Sun Java System Application Server Reverse SSL Proxy Plug-in Man In
The Middle Vulnerability
15. Horde IMP Email Attachments HTML Injection Vulnerability
16. Apple Quicktime/iTunes Unspecified Heap Overflow Vulnerability
17. PHPMyAdmin Multiple Cross-Site Scripting Vulnerabilities
III. MICROSOFT FOCUS LIST SUMMARY
1. Changing local admin PW using vb logon script - can it be encrypted?
2. Changing local admin PW using vb logon script - can it be encrypted?
3. Prohibiting Index Server does not prevent information leakage in IIS 6.0
4. SecurityFocus Microsoft Newsletter #267
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION
I. FRONT AND CENTER
---------------------
1. Evading NIDS, revisited
By Sumit Siddharth
This article looks at some of the most popular IDS evasion attack techniques,
based on fragmentation or using the TTL field. Snort's configuration and
response to these attacks will also be discussed.
http://www.securityfocus.com/infocus/1852
2. Regaining control
By Kelly Martin
Securing endpoint systems by locking them down using complex software brings
back memories of another era, where business computers were once used for
business applications only - and businesses retained control over their assets
and data.
http://www.securityfocus.com/columnists/372
II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Microsoft Windows SynAttackProtect Predictable Hash Remote Denial of Service
Vulnerability
BugTraq ID: 15613
Remote: Yes
Date Published: 2005-11-28
Relevant URL: http://www.securityfocus.com/bid/15613
Summary:
Microsoft Windows is prone to a denial of service vulnerability.
The vulnerability arises due to a design error in the function responsible for
the hash table management for 'SynAttackProtect'. Reports indicate that the
affected function used by the TCP/IP stack creates a predictable hash, allowing
an attacker to send a large number of SYN packets with an identical hash value.
A successful attack can eventually lead to a denial of service condition due to
the lookup algorithm becoming very inefficient at performing searches.
2. Sun Java Runtime Environment Multiple Privilege Escalation Vulnerabilities
BugTraq ID: 15615
Remote: Yes
Date Published: 2005-11-28
Relevant URL: http://www.securityfocus.com/bid/15615
Summary:
Sun JRE is susceptible to various privilege escalation vulnerabilities.
These issues can allow remote Java applications to read/write local files and
execute arbitrary applications in the context of an affected user.
Further details are not available at this time. This BID will be updated as
further information is disclosed.
3. Cisco Security Agent Unspecified Local Privilege Escalation Vulnerability
BugTraq ID: 15618
Remote: No
Date Published: 2005-11-29
Relevant URL: http://www.securityfocus.com/bid/15618
Summary:
Cisco Security Agent is susceptible to an unspecified local privilege
escalation vulnerability. This issue only affects computers running affected
versions of Cisco Security Agent on the Microsoft Windows platform.
Further details are not currently available; this BID will be updated as
information becomes available.
This issue allows local attackers to gain SYSTEM level privileges on computers
running the affected software.
4. Microsoft Internet Explorer CSS Import Cross-Domain Restriction Bypass
Vulnerability
BugTraq ID: 15660
Remote: Yes
Date Published: 2005-12-01
Relevant URL: http://www.securityfocus.com/bid/15660
Summary:
Microsoft Internet Explorer is prone to an issue that allows a violation of the
cross-domain security model.
The vulnerability arises as Internet Explorer does not properly parse CSS files
and facilitates imports of files that are not valid CSS files.
This allows attackers to disclose HTML and script code from the remote site
that was improperly imported as a CSS file. This site may exist in another
domain than the site that exploits the issue.
An attacker may exploit this issue to steal sensitive information, which may
aid in other attacks.
5. Drupal Image Upload HTML Injection Vulnerability
BugTraq ID: 15663
Remote: Yes
Date Published: 2005-12-01
Relevant URL: http://www.securityfocus.com/bid/15663
Summary:
Drupal is prone to an HTML injection vulnerability. This is due to a lack of
proper sanitization of user-supplied input before using it in dynamically
generated content.
Attacker-supplied HTML and script code would be executed in the context of the
affected Web site, potentially allowing for theft of cookie-based
authentication credentials. An attacker could also exploit this issue to
control how the site is rendered to the user; other attacks are also possible.
This issue is only present when using the Microsoft Internet Explorer Web
browser.
6. Citrix Multiple Applications Login Form Cross-Site Scripting Vulnerability
BugTraq ID: 15664
Remote: Yes
Date Published: 2005-12-01
Relevant URL: http://www.securityfocus.com/bid/15664
Summary:
Citrix MetaFrame Secure Access Manager and Citrix NFuse Elite are prone to a
cross-site scripting vulnerability. These issues are due to a failure in the
applications to properly sanitize user-supplied input.
An attacker may leverage these issues to have arbitrary script code executed in
the browser of an unsuspecting user in the context of the affected site. This
may facilitate the theft of cookie-based authentication credentials as well as
other attacks.
7. Microsoft Windows CreateRemoteThread Local Denial of Service Vulnerability
BugTraq ID: 15671
Remote: No
Date Published: 2005-12-01
Relevant URL: http://www.securityfocus.com/bid/15671
Summary:
Microsoft Windows is prone to a local denial of service vulnerability. This
issue can allow an attacker to trigger a system-wide denial of service
condition or terminate arbitrary processes.
Reports indicate that a process can call the 'CreateRemoteThread' function to
trigger this issue.
It was reported that this attack can be carried out by a local unprivileged
user.
8. Drupal View User Profile Authorization Bypass Vulnerability
BugTraq ID: 15674
Remote: Yes
Date Published: 2005-12-01
Relevant URL: http://www.securityfocus.com/bid/15674
Summary:
Drupal is prone to an authorization bypass vulnerability. This issue is due to
an unspecified error when the application is running under PHP5.
An attacker can exploit this vulnerability to bypass permissions and gain
access to user profiles; this may result in information disclosure.
9. Drupal Submitted Content HTML Injection Vulnerability
BugTraq ID: 15677
Remote: Yes
Date Published: 2005-12-01
Relevant URL: http://www.securityfocus.com/bid/15677
Summary:
Drupal is prone to an HTML injection vulnerability. This issue is due to a
failure in the application to properly sanitize user-supplied input before
using it in dynamically generated content.
Attacker-supplied HTML and script code would be executed in the context of the
affected Web site, potentially allowing for theft of cookie-based
authentication credentials. An attacker could also exploit this issue to
control how the site is rendered to the user; other attacks are also possible.
10. PHPX Admin Login.PHP SQL Injection Vulnerability
BugTraq ID: 15680
Remote: Yes
Date Published: 2005-12-02
Relevant URL: http://www.securityfocus.com/bid/15680
Summary:
PHPX is prone to an SQL injection vulnerability. This issue is due to a
failure in the application to properly sanitize user-supplied input before
using it in an SQL query.
Successful exploitation could result in a compromise of the application,
disclosure or modification of data, or may permit an attacker to exploit
vulnerabilities in the underlying database implementation.
11. WinEggDropShell Multiple Remote Buffer Overflow Vulnerabilities
BugTraq ID: 15682
Remote: Yes
Date Published: 2005-12-02
Relevant URL: http://www.securityfocus.com/bid/15682
Summary:
WinEggDropShell is affected by multiple remote buffer overflow vulnerabilities.
A remote buffer overflow vulnerability affecting the HTTP server arises when a
GET request is provided with excessive data.
Two remote buffer overflow vulnerabilities affecting the FTP server arise when
the FTP commands are provided with excessively long arguments.
An unauthenticated attacker may leverage these issues to execute arbitrary code
on a computer with the privileges of the server process. This may facilitate
unauthorized access and a complete compromise.
WinEggDropShell 1.7 is reportedly vulnerable; however, other versions are
likely affected as well.
12. Zen Cart Password_Forgotten.PHP SQL Injection Vulnerability
BugTraq ID: 15690
Remote: Yes
Date Published: 2005-12-02
Relevant URL: http://www.securityfocus.com/bid/15690
Summary:
Zen Cart is prone to an SQL injection vulnerability. This issue is due to a
failure in the application to properly sanitize user-supplied input before
using it in an SQL query.
Successful exploitation could result in a compromise of the application,
disclosure or modification of data, or may permit an attacker to exploit
vulnerabilities in the underlying database implementation.
13. Real Networks RealPlayer Unspecified Remote Code Execution Vulnerability
BugTraq ID: 15691
Remote: Yes
Date Published: 2005-11-30
Relevant URL: http://www.securityfocus.com/bid/15691
Summary:
Real Networks RealPlayer is affected by an unspecified code execution
vulnerability.
The potential impact of this issue allows for remote arbitrary code execution
in the context of the user running the application. All versions of RealPlayer
for the Microsoft Windows platform are considered to be vulnerable at the moment.
This BID will be updated as more information is released.
14. Sun Java System Application Server Reverse SSL Proxy Plug-in Man In The
Middle Vulnerability
BugTraq ID: 15728
Remote: Yes
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15728
Summary:
Sun Java System Application Server is prone to a man in the middle
vulnerability.
This issue arises when the reverse SSL proxy plug-in is used with a supported
Web server.
An attacker may exploit this issue to gain access to sensitive contents of
encrypted network traffic between a client and a server.
15. Horde IMP Email Attachments HTML Injection Vulnerability
BugTraq ID: 15730
Remote: Yes
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15730
Summary:
Horde IMP is prone to an HTML injection vulnerability. This issue is due to a
failure in the application to properly sanitize user-supplied input before
using it in dynamically generated content.
Attacker-supplied HTML and script code would be executed in the context of the
affected Web site, potentially allowing for theft of cookie-based
authentication credentials. An attacker could also exploit this issue to
control how the site is rendered to the user; other attacks are also possible.
Reports indicate this issue is only present when viewing IMP content with the
Microsoft Internet Explorer Web browser.
16. Apple Quicktime/iTunes Unspecified Heap Overflow Vulnerability
BugTraq ID: 15732
Remote: Yes
Date Published: 2005-12-02
Relevant URL: http://www.securityfocus.com/bid/15732
Summary:
An unspecified heap-based buffer overflow vulnerability has been reported in
Apple Quicktime and iTunes. This issue affects both Mac OS X and Microsoft
Windows releases of the software.
It is believed that this issue is triggered when the affected applications play
a malicious media file, though this has not been confirmed.
Successful exploitation will result in execution of arbitrary code in the
context of the currently logged in user.
This issue affects Apple Quicktime 7.0.3 and iTunes 6.0.1. Earlier versions
may also be affected.
17. PHPMyAdmin Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 15735
Remote: Yes
Date Published: 2005-12-06
Relevant URL: http://www.securityfocus.com/bid/15735
Summary:
phpMyAdmin is prone to multiple cross-site scripting vulnerabilities. These
issues are due to a failure in the application to properly sanitize
user-supplied input.
An attacker may leverage these issues to have arbitrary script code executed in
the browser of an unsuspecting user in the context of the affected site. This
may facilitate the theft of cookie-based authentication credentials as well as
other attacks.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Changing local admin PW using vb logon script - can it be encrypted?
http://www.securityfocus.com/archive/88/418575
2. Changing local admin PW using vb logon script - can it be encrypted?
http://www.securityfocus.com/archive/88/418259
3. Prohibiting Index Server does not prevent information leakage in IIS 6.0
http://www.securityfocus.com/archive/88/418256
4. SecurityFocus Microsoft Newsletter #267
http://www.securityfocus.com/archive/88/418148
IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to
[EMAIL PROTECTED] from the subscribed address. The
contents of the subject or message body do not matter. You will receive a
confirmation request message to which you will have to answer. Alternatively
you can also visit http://www.securityfocus.com/newsletters and unsubscribe via
the website.
If your email address has changed email [EMAIL PROTECTED] and ask to
be manually removed.
V. SPONSOR INFORMATION
------------------------
This Issue is Sponsored By: CipherTrust
CipherTrust Products have been nominated! Please Vote in the SC
Magazine Awards.
IronMail Gateway - Best E-Mail Security
http://www.scawards.com/vote4a.asp?Area_ID=1&Cat_ID=7&Sub_ID=2&Prod_ID=122
IronMail Gateway - Best Anti-Spam
http://www.scawards.com/vote4a.asp?Area_ID=1&Cat_ID=5&Sub_ID=2&Prod_ID=87
---------------------------------------------------------------------------