Linux /bin/mail Carbon Copy Field Buffer Overrun Vulnerability
BugTraq ID: 7760
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7760
Summary:
The /bin/mail utility is a mail processing system which can be used to send and receive e-mail messages. It is available for the Unix and Linux operating systems. A vulnerability has been discovered in /bin/mail on the Linux operating system. The problem occurs when processing the 'CC:' field of an e-mail message. Due to insufficient bounds checking, a 'CC:' field of approximately 8824 bytes triggers a buffer overrun. Successful exploitation of this issue could allow an attacker to execute arbitrary commands with the privileges of /bin/mail. It should be noted that local exploitation of this vulnerability may be inconsequential. However, a malicious e-mail message processed by the vulnerable utility, or a remote CGI interface that invokes it, may both be sufficient conduits for remote exploitation.

JBoss Null Byte Request JSP Source Disclosure Vulnerability
BugTraq ID: 7764
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7764
Summary:
JBoss is a freely available, open source Java application server. It is distributed and maintained by JBoss Group. A problem in the software may make it possible to gain unauthorized access to potentially sensitive information. The problem lies in the handling of unexpected characters, specifically null bytes, in some requests. By making an otherwise valid request for a Java Server Page (JSP) and appending a null byte to the end of the requested path, it is possible to retrieve the source of the JSP from JBoss instead of its rendered output. This could yield potentially sensitive information such as passwords. It should be noted that this problem occurs when JBoss is used with Jetty. It is not known what effect this problem has on JBoss with other servlet containers.
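Added example (not JBoss or Jetty code): a C emulation of the two views of one request path that produce the disclosure above. The servlet container holds the decoded path as a length-counted string, so a trailing NUL is one more character and "/index.jsp\0" no longer matches the "*.jsp" mapping; the static-file handler then hands the name to open(2), which reads a C string and stops at the first NUL, so the file actually opened is index.jsp. The advisory does not spell out the code path inside JBoss/Jetty, so this mechanism is an assumption, and the function names are hypothetical.

```c
/* Added example, not JBoss/Jetty code.  Emulates a servlet container (length-counted
 * path) sitting on top of a C filesystem API (NUL-terminated path).  The mechanism
 * is assumed from the advisory; function names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length-counted byte string, as a Java String / the container sees the path. */
struct lpath { char buf[256]; size_t len; };

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode a raw request path; %00 becomes a real NUL byte inside buf.
 * Returns 0 on a malformed or over-long path. */
static int decode_path(const char *raw, struct lpath *out)
{
    out->len = 0;
    for (size_t i = 0; raw[i]; i++) {
        if (out->len == sizeof out->buf) return 0;
        char c = raw[i];
        if (c == '%') {
            int hi = hexval(raw[i + 1]);
            int lo = (hi < 0) ? -1 : hexval(raw[i + 2]);
            if (hi < 0 || lo < 0) return 0;
            c = (char)(hi * 16 + lo);
            i += 2;
        }
        out->buf[out->len++] = c;
    }
    return 1;
}

/* Suffix test over the whole length-counted path, as a "*.jsp" servlet mapping does. */
static int ends_with(const struct lpath *p, const char *suf)
{
    size_t n = strlen(suf);
    return p->len >= n && memcmp(p->buf + p->len - n, suf, n) == 0;
}

/* Container dispatch: the JSP engine for *.jsp, the static-file handler otherwise. */
static const char *dispatch(const struct lpath *p)
{
    return ends_with(p, ".jsp") ? "jsp-engine" : "static-file";
}

/* The name the kernel sees: open(2) takes a C string, which ends at the first NUL. */
static size_t os_visible_len(const struct lpath *p)
{
    const char *z = memchr(p->buf, '\0', p->len);
    return z ? (size_t)(z - p->buf) : p->len;
}

/* 1 if the raw URI is routed to the static handler yet names a .jsp on disk,
 * i.e. the JSP source would be returned verbatim. */
static int discloses_jsp_source(const char *raw)
{
    struct lpath p;
    if (!decode_path(raw, &p)) return 0;
    if (strcmp(dispatch(&p), "static-file") != 0) return 0;
    struct lpath os = p;
    os.len = os_visible_len(&p);
    return ends_with(&os, ".jsp");
}

/* Hardened dispatch: refuse any path containing a byte the OS layer interprets
 * differently from the container (NUL here; control bytes generally). */
static const char *dispatch_hardened(const struct lpath *p)
{
    if (memchr(p->buf, '\0', p->len)) return "reject-400";
    return dispatch(p);
}

/* Route a raw URI through either dispatcher; malformed escapes are rejected. */
static const char *route_raw(const char *raw, int hardened)
{
    struct lpath p;
    if (!decode_path(raw, &p)) return "reject-400";
    return hardened ? dispatch_hardened(&p) : dispatch(&p);
}

int main(void)
{
    const char *uris[] = { "/index.jsp", "/index.jsp%00", "/index.jsp%00.txt", "/logo.gif" };
    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++)
        printf("%-20s container: %-11s hardened: %-11s discloses source: %d\n",
               uris[i], route_raw(uris[i], 0), route_raw(uris[i], 1),
               discloses_jsp_source(uris[i]));
    return 0;
}
```

The same check generalises: any byte that one layer treats as data and a lower layer treats as a terminator or separator must be rejected before dispatch, not after.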
Apache Tomcat Insecure Directory Permissions Vulnerability
BugTraq ID: 7768
Remote: No
Date Published: Jun 01 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7768
Summary:
Tomcat is a web server and JSP/Servlet container that is developed by Apache as part of the Jakarta project. Apache Tomcat may be installed with world-readable permissions on the /opt/tomcat/ directory. Files in this directory may contain sensitive information, such as authentication credentials. Local users may potentially gain unauthorized access to these files as a result. This issue was reported for Apache Tomcat versions prior to 4.1.24 on Gentoo Linux. It is not known if other distributions are similarly affected.

Multiple Mod_Gzip Debug Mode Vulnerabilities
BugTraq ID: 7769
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7769
Summary:
Mod_gzip is an Apache web server module that compresses web content before sending it to the client. Mod_gzip is not a standard module for Apache. Multiple vulnerabilities were reported in Mod_gzip. The following issues exist when the software is run in debug mode:

- Insufficient bounds checking of request data may lead to a stack-based buffer overflow. If a remote user passes an excessively long request for a file type (such as gzip) handled by the module, it may be possible to corrupt stack variables with specific values. This could lead to execution of malicious attacker-supplied instructions.

- Mod_gzip is prone to a format string vulnerability when Apache logging facilities are used. The code responsible for logging requests for file types handled by the module passes request-derived data directly in the format-string position, with no fixed format specifier such as '%s' in between. Exploitation could permit a remote attacker to overwrite arbitrary locations in memory with malicious data, potentially allowing for code execution.

- Mod_gzip logs debugging information in files with predictable names. The following naming scheme is used when log files are created: /tmp/t<PID>.log. By anticipating the value of the process ID, a local attacker could launch symlink attacks against other system files. It has been reported that some debugging information is logged as the superuser. This could allow for corruption of arbitrary files. If these files can be corrupted with attacker-chosen data, it may be possible to gain elevated privileges.

Exploitation of these issues could result in execution of malicious instructions or corruption of critical or sensitive files. This record will be divided into multiple BIDs when further analysis of these issues is complete.

myServer HTTP GET Argument Buffer Overflow Vulnerability
BugTraq ID: 7770
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7770
Summary:
myServer is an application and web server for Microsoft Windows and Linux operating systems. myServer has been reported prone to a remote buffer overflow vulnerability. The vulnerability exists when the web server attempts to process HTTP requests of excessive length. Specifically, when the web server processes an argument in a malicious HTTP GET request that is more than approximately 4100 bytes long, the web server will crash. This will result in a denial of service condition. It is possible that this vulnerability may also allow the execution of arbitrary instructions. Any instructions carried out through this vulnerability would run with the privileges of the web server process. However, the possibility of code execution has not been confirmed. This vulnerability was reported for myServer version 0.4.1. It is likely that other versions are also affected.
[ licence uncertain ]

Pi3Web SortName Buffer Overflow Vulnerability
BugTraq ID: 7787
Remote: Yes
Date Published: Jun 02 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7787
Summary:
Pi3Web is a free, multi-platform, configurable HTTP server and development environment.
It is available for Unix/Linux variants and Microsoft Windows operating systems. Pi3Web is prone to a buffer overflow vulnerability due to insufficient bounds checking of URI parameters. It is possible to trigger this condition by specifying a 'SortName' URI parameter of excessive length; the excess data overruns adjacent regions of memory. This condition could be exploited to cause a denial of service or possibly to execute malicious instructions in the context of the server. This issue was reported for Pi3Web 2.0.2 Beta 1 on Windows platforms. It was originally believed that this condition only existed with certain indexing configurations, but additional reports indicate that this is not the case.
[ licence uncertain ]

Multiple Vendor kon2 Local Buffer Overflow Vulnerability
BugTraq ID: 7790
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7790
Summary:
kon2 is a Kanji terminal emulator for the Linux console. A buffer overflow vulnerability has been reported in the kon2 utility shipped with various Linux distributions. Exploitation of this vulnerability may result in a local attacker obtaining elevated privileges on a vulnerable system. The vulnerability exists due to insufficient bounds checking performed on some command-line options passed to the vulnerable utility. A local attacker can exploit this vulnerability by invoking kon2 with overly long command-line options. This will trigger the overflow condition and may result in the attacker obtaining root privileges. This vulnerability was reported for kon2 0.3.9b and earlier.

Red Hat Linux TTY Layer Kernel Panic Denial Of Service Vulnerability
BugTraq ID: 7791
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7791
Summary:
The TTY layer is used to process input and output supplied to and from the console. A vulnerability has been reported in the TTY layer that may result in a kernel panic.
The precise technical details of this vulnerability are currently unknown. This BID will be updated as further information is available.
[ probably affects other distributions too; see the errata and updates that apply to you. ]

Red Hat Linux Kernel MXCSR Handler Unspecified Vulnerability
BugTraq ID: 7793
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7793
Summary:
The MXCSR register contains control/status information for the SSE registers. The Red Hat Linux kernel MXCSR handler code has been reported prone to an unspecified vulnerability. The issue presents itself when low-level MXCSR kernel code encounters a malformed address. It has been reported that the MXCSR code fails to sufficiently handle malformed address data and leaves garbage in the CPU state registers. Although speculative, it has been conjectured that this issue may allow an attacker to corrupt CPU state registers and trigger a denial of service condition if the kernel relies on the current register contents. Although unconfirmed, other attacks may also be possible. It should be noted that this vulnerability only affects systems whose processor provides the MXCSR register (x86 with SSE). This BID will be updated as further technical details are released.

Red Hat Linux EXT3 Filesystem Data Corruption Vulnerability
BugTraq ID: 7795
Remote: No
Date Published: Jun 03 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7795
Summary:
A potential data corruption vulnerability has been identified in the Red Hat Linux kernel. The issue may be exploitable only under very restrictive circumstances. On an ext3 file system under heavy, complex memory-mapped file I/O loads, if mapped writes target a partial page at the end of a file, the file may be simultaneously unlinked and the corresponding mapped file blocks reallocated. This may cause the corruption of arbitrary files.
If an attacker can recreate the necessary environment, it may be possible to create a condition where arbitrary files are corrupted.
[ likewise, the information needed to tell whether this problem is old or new, and whether it only concerns kernels patched by Red Hat, is missing. Consult your distribution's information. ]

Linux Kernel Fragment Reassembly Remote Denial Of Service Vulnerability
BugTraq ID: 7797
Remote: Yes
Date Published: Jun 03 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7797
Summary:
The Linux kernel is the core of all Linux operating systems. It is community-maintained. A problem in the kernel network code could make a remote denial of service possible. It has been reported that the Linux kernel does not properly handle some specific types of network traffic. Because of this, an attacker may be able to cause excessive consumption of resources with malicious TCP/IP packets, resulting in a denial of service. The problem is in the handling of IP fragment reassembly. By sending maliciously crafted packet fragments to a system running a vulnerable kernel, it would be possible to consume an excessive amount of resources during the reassembly phase. This could cause the system to become unstable.

PHP Transparent Session ID Cross Site Scripting Vulnerability
BugTraq ID: 7761
Remote: Yes
Date Published: May 30 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7761
Summary:
PHP is a freely available, open source web scripting language package. It is available for Microsoft Windows, Linux, and Unix operating systems. PHP contains an option known as transparent session IDs. This feature allows session IDs to be embedded in a URL. A cross-site scripting vulnerability has been discovered in PHP version 4.3.1 and earlier. The problem occurs when the 'session.use_trans_sid' global parameter has been enabled.
Due to insufficient sanitization of the PHPSESSID URI parameter, an attacker can embed malicious script code within a link. By embedding the code in such a way that an HTML tag is prematurely terminated, it may be possible to execute arbitrary script code. Successful exploitation of this issue would allow an attacker to execute arbitrary script code in a victim's browser within the context of the visited website. This may allow for the theft of sensitive information, such as session IDs, or possibly other attacks. It should be noted that PHP versions prior to release 4.2.0 do not support transparent session IDs by default; support must be enabled at compile time.
[ + various problems with PHP Nuke and PHP Nuke scripts ]

_______________________________________________
gull-annonces mailing list
[EMAIL PROTECTED]
http://lists.alphanet.ch/mailman/listinfo/gull-annonces
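Added example for the mod_gzip debug-mode entry (BID 7769) above. This is not mod_gzip's own code and the function names are hypothetical; it shows two of the reported bugs beside a hardened form of each: a debug log created at a guessable /tmp/t<PID>.log, which a local user who predicts the PID can pre-plant as a symlink, and a printf-style logging helper called with request data in the format slot. The symlink scenario builds its own scratch directory (constructed here, so the example runs offline) and checks that fopen("w") follows the planted link while open() with O_EXCL|O_NOFOLLOW refuses it.

```c
/* Added example for the mod_gzip debug-mode bugs (BID 7769); not mod_gzip's code,
 * function names hypothetical.  Predictable temp file + format string, each beside
 * a hardened form. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure: the name is guessable from the PID, and fopen("w") follows a symlink
 * planted there, truncating and overwriting whatever it points at (as root, if
 * the module logs as the superuser). */
static FILE *open_debug_log_insecure(const char *dir, pid_t pid)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/t%d.log", dir, (int)pid);
    return fopen(path, "w");
}

/* Hardened: O_EXCL refuses any pre-existing entry, O_NOFOLLOW refuses a symlink,
 * 0600 keeps the log private.  Returns -1 with errno set if the slot is taken;
 * the caller should then pick a fresh name (mkstemp(3) does this loop for you). */
static int open_debug_log_hardened(const char *dir, pid_t pid)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/t%d.log", dir, (int)pid);
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* printf-style debug logger standing in for the module's logging helper. */
static int debug_log(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Insecure call: request data lands in the format slot, so %x/%n in a URI are obeyed. */
static int log_line_insecure(char *out, size_t n, const char *req)
{
    return debug_log(out, n, req);
}

/* Hardened call: fixed format; request data is only ever an argument. */
static int log_line_hardened(char *out, size_t n, const char *req)
{
    return debug_log(out, n, "%s", req);
}

/* 1 if the insecure path alters req.  A benign "%%" suffices to show the
 * interpretation; "%n" in a real request would write to memory. */
static int format_is_interpreted(const char *req)
{
    char a[256], b[256];
    log_line_insecure(a, sizeof a, req);
    log_line_hardened(b, sizeof b, req);
    return strcmp(a, b) != 0;
}

/* Scenario: the attacker guessed the PID and pre-planted dir/t<PID>.log as a symlink
 * to dir/victim.  Returns 1 when the insecure open clobbers victim while the hardened
 * open refuses (EEXIST, or ELOOP on some systems); -1 on setup error. */
static int symlink_scenario(void)
{
    char dir[] = "/tmp/modgzip_demo_XXXXXX";          /* constructed scratch dir */
    char victim[PATH_MAX], link[PATH_MAX];
    if (!mkdtemp(dir)) {                                /* fall back to the cwd */
        strcpy(dir, "modgzip_demo_XXXXXX");
        if (!mkdtemp(dir)) return -1;
    }
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/t%d.log", dir, (int)getpid());
    FILE *v = fopen(victim, "w");
    if (!v || fputs("important\n", v) == EOF || fclose(v) != 0) return -1;
    if (symlink(victim, link) != 0) return -1;

    int fd = open_debug_log_hardened(dir, getpid());
    int err = errno;
    int refused = (fd < 0) && (err == EEXIST || err == ELOOP);
    if (fd >= 0) close(fd);

    FILE *f = open_debug_log_insecure(dir, getpid());
    if (f) { fputs("debug\n", f); fclose(f); }
    struct stat st;
    int clobbered = stat(victim, &st) == 0 && st.st_size == 6;   /* now "debug\n" */

    unlink(link); unlink(victim); rmdir(dir);
    return (refused && clobbered) ? 1 : 0;
}

int main(void)
{
    printf("symlink scenario (1 = insecure clobbered, hardened refused): %d\n",
           symlink_scenario());
    printf("\"GET /a.gz?q=100%%%%\" altered by insecure logging: %d\n",
           format_is_interpreted("GET /a.gz?q=100%%"));
    return 0;
}
```

The hardened open only closes the symlink race if the name is also unpredictable or the EEXIST path retries with a new name; in production code use mkstemp(3) for the file and keep debug logging out of a world-writable directory altogether.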
