Apache HTTP Server Multiple Vulnerabilities
BugTraq ID: 8226
Remote: Yes
Date Published: Jul 18 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8226
Summary:
Apache HTTP Server is an open-source web server designed to run on a number of different platforms. Apache HTTP Server version 1.3.28 has been released in response to multiple vulnerabilities that were discovered. Apache is vulnerable to three potential security issues. The impact of these vulnerabilities includes denial of service, file descriptor leakage, and logging failures.

Under Windows and OS/2 systems, it may be possible to cause Apache to send special control characters, namely a 0x1A character, over a pipe. This could potentially cause Apache to cease logging and exit. It has also been reported that attackers may be able to send specially crafted requests that cause Apache to go into an internal loop and eventually crash. Additionally, Apache may under certain circumstances leak file descriptors from a parent process to a child process. This could result in varying degrees of unauthorized access.

Multiple BIDs are currently pending for these issues. When individual BIDs are available, this BID will be retired.

GnuPG Group Root File Corruption Vulnerability
BugTraq ID: 8228
Remote: No
Date Published: Jul 19 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8228
Summary:
gnupg is an encryption utility that is available for a number of platforms, including Unix/Linux variants. gnupg is reported to be prone to an issue that could permit a malicious local user to corrupt files owned by the root group. This issue is reportedly the result of gnupg having setgid root privileges. The issue was reported for Gentoo Linux, though other distributions may have a similar default installation and be prone to this issue. This vulnerability may potentially be exploited to corrupt critical or sensitive files for a denial of service. The possibility of privilege escalation also exists.

CGI.pm Start_Form Cross-Site Scripting Vulnerability
BugTraq ID: 8231
Remote: Yes
Date Published: Jul 20 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8231
Summary:
CGI.pm is a module for Perl that allows for dynamic creation of web forms and parsing of CGI input. CGI.pm is prone to cross-site scripting attacks under some circumstances. This issue occurs because the start_form() function (or other functions which use this function, such as start_multipart_form()) does not sufficiently sanitize HTML and script code when a form action is not specified. This could expose scripts that use the function to cross-site scripting attacks.

This issue could be exploited to cause hostile HTML and script code to be rendered in the browser of a user who is enticed to visit a malicious link to a vulnerable script. The code would be interpreted in the context of the vulnerable site. Exploitation could allow theft of cookie-based authentication credentials or other attacks.

GNU GNATS Queue-PR Database Command Line Option Buffer Overflow Vulnerability
BugTraq ID: 8232
Remote: No
Date Published: Jul 21 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8232
Summary:
GNU GNATS is a freely available bug tracking system. It is available for a variety of Linux and Unix variant operating environments. The queue-pr utility is shipped as part of GNATS and is intended as a tool used to manage the GNATS queue. The queue-pr utility is a setuid utility, typically with UID 'gnats' privileges.

A stack overflow vulnerability has been reported for the queue-pr utility. The vulnerability occurs due to insufficient bounds checks performed on the database name passed to the '-d' command-line option. An attacker may invoke the queue-pr utility passing a malicious database name (>=1148 bytes of data), in a manner sufficient to trigger the vulnerability. Successful exploitation may result in the execution of attacker-supplied code with potentially elevated privileges.

It should be noted that on some systems, the queue-pr utility might be installed with setuid 'root' privileges. It should be noted that although this vulnerability has been reported to affect GNATS version 3.113.1_6, other versions might be affected.

Multiple Linux 2.4 Kernel Vulnerabilities
BugTraq ID: 8233
Remote: Yes
Date Published: Jul 21 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8233
Summary:
Red Hat has released an advisory reporting the existence of multiple vulnerabilities in the Linux 2.4 kernel. The following issues were reported:

- /proc/tty/driver/serial may expose sensitive information to local attackers by revealing the exact character count for serial links. This information could permit a malicious local user to infer password lengths and the timing between keystrokes when entering passwords. This might aid in brute-force attacks that attempt to compromise another user's password.
- A race condition in the implementation of the execve() system call was reported. This issue is described in BID 8042.
- The kernel RPC code was reported to have recently changed, causing the reuse flag on newly created sockets to be set. This introduced a vulnerability that could permit unprivileged users to bind to UDP ports used for related services, such as nfsd.
- A vulnerability in the implementation of the execve() system call could permit malicious local users to gain read access to restricted file descriptors. This occurs because the file descriptor of the executable process is stored in the file table of the calling process. This could be exploited to gain access to sensitive information. This is related to the race condition in execve() and is also discussed in BID 8042.
- A flaw in the /proc filesystem could be exploited to gain access to sensitive information. If /proc/self entries are opened before executing a setuid program, the program may fail to change the ownership and permissions of entries that are already open.
- The STP protocol on Red Hat was disabled due to lack of security. This could be an issue on other distributions. An additional issue with STP was reported in the kernel that may permit denial of service attacks, due to insufficient length checking.
- It was reported that the kernel forwarding table may be spoofed if forged packets are received that have the same source IP address as the host.

These issues will be divided into separate BIDs when further analysis is complete.

Drupal Cross-Site Scripting Vulnerability
BugTraq ID: 8235
Remote: Yes
Date Published: Jul 21 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8235
Summary:
Drupal is an open-source content management system. Drupal is available for a number of platforms including Microsoft Windows operating systems and Unix/Linux variants. The Drupal content management system is prone to a cross-site scripting vulnerability. This issue is exposed through the main page and through other sub-pages.

An attacker may exploit this issue by including hostile HTML and script code in a malicious link to Drupal. This code may be rendered in the web browser of a user who visits the link. This would occur in the security context of the site hosting Drupal. The attacker-supplied HTML and script code would be able to access properties of the site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user.

[ language undetermined ]

Top Home Environment Variable Local Buffer Overflow Vulnerability
BugTraq ID: 8239
Remote: No
Date Published: Jul 22 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8239
Summary:
top is a freely available, open source process monitoring utility. It is available for various Unix and Linux platforms. A buffer overflow condition has been reported in top when handling environment variables of excessive length. This may result in an attacker potentially executing arbitrary code.

The problem is in the checking of bounds on the HOME environment variable. top does not properly handle input of excessive length in the HOME environment variable. By placing a string of excessive length (1100 bytes) in this environment variable, an attacker may be able to corrupt sensitive process memory, and potentially execute arbitrary code with the privileges of the top program. It should be noted that top is typically installed with the setuid root bit set. Additionally, although top versions less than or equal to version 2.0.11 have been reported vulnerable, it should be noted that other versions might also be vulnerable.

MySQL AB ODBC Driver Plain Text Password Vulnerability
BugTraq ID: 8245
Remote: No
Date Published: Jul 22 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8245
Summary:
A vulnerability has been reported in the MySQL AB ODBC (Open Data Base Connectivity) driver implementation. Reportedly, ODBC credentials are stored in the system registry in plain text format.

When creating ODBC connections, the MySQL ODBC driver reportedly stores the plain text credentials used to connect to the specified database in the system registry. ODBC SYSTEM-DSN entries are stored in the HKEY_LOCAL_MACHINE branch of the system registry, unlike USER-DSN entries, which are stored in the HKEY_LOCAL_USER registry branch. This may magnify the impact of the vulnerability for MySQL ODBC SYSTEM-DSN entries, because the data may be accessible to a greater number of users. If a local user has read access to the registry key that contains the sensitive data, the credentials may be disclosed and used to connect to the target database.

It should be noted that this issue might be configuration specific. Other ODBC drivers may also be prone to the same issue, though this is not confirmed.
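The queue-pr (BID 8232) and top (BID 8239) entries above describe the same bug class: a setuid program copies a string it does not control (the '-d' argument, the HOME variable) into a fixed-size stack buffer without a length check. The following is a constructed example, not code from either program or its maintainers; the buffer size PATH_BUF, the function names and the ".toprc" file name are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not code from top, queue-pr or their maintainers. It
 * models the bug class in BID 8232 and BID 8239: a setuid program copies a
 * string it does not control (the '-d' argument, the HOME variable) into a
 * fixed-size stack buffer without checking its length. The vulnerable shape,
 * shown only as a comment, is
 *     char buf[PATH_BUF];
 *     sprintf(buf, "%s/.toprc", getenv("HOME"));   // 1100-byte HOME overruns buf
 */
#define PATH_BUF 1024   /* assumed size; the real programs' buffers are unknown */

/* Hardened: build "<home>/<file>" into a caller-supplied buffer. Returns 0 on
 * success and -1 if an input is missing or the result would not fit; on
 * failure no partial path is left in the buffer. */
int build_home_path(char *out, size_t outlen, const char *home, const char *file)
{
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL || file == NULL)
        return -1;
    if (strlen(home) >= outlen)          /* reject oversized input up front */
        return -1;
    int n = snprintf(out, outlen, "%s/%s", home, file);
    if (n < 0 || (size_t)n >= outlen) {  /* would have been truncated */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Call site: a setuid program must treat its environment as untrusted, so
 * the value of HOME goes through the same check as any other input. */
int home_config_path(char *out, size_t outlen, const char *file)
{
    return build_home_path(out, outlen, getenv("HOME"), file);
}

int main(void)
{
    char buf[PATH_BUF], big[1101];      /* big: constructed 1100-byte HOME */
    memset(big, 'A', 1100);
    big[1100] = '\0';
    printf("sane HOME -> %d\n", build_home_path(buf, sizeof buf, "/home/alice", ".toprc"));
    printf("1100-byte HOME -> %d\n", build_home_path(buf, sizeof buf, big, ".toprc"));
    return 0;
}
```

The same check applies to argv values such as the queue-pr database name: length is validated before anything is written, and a failed call leaves an empty buffer rather than a truncated path.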
[ probably closed source; but not sure ]

FDClone Local Insecure Temporary Directory Creation Vulnerability
BugTraq ID: 8247
Remote: No
Date Published: Jul 23 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8247
Summary:
fdclone is a freely available, open source file management tool. It is available for the Linux platform. A problem has been reported in the creation of temporary directories by fdclone. Because of this, an attacker may be able to gain access to potentially sensitive information.

The problem is in the creation of directories by the fdclone program in the /tmp directory. fdclone does not properly check for the existence of temporary directories prior to execution, and does not validate permissions on already existing directories. Because of this, an attacker may be able to gain access to the contents of temporary files created by fdclone. It may also be possible to launch symbolic link attacks with this vulnerability.

3Com DSL Router Administrative Interface Long Request Router Denial Of Service Vulnerability
BugTraq ID: 8248
Remote: Yes
Date Published: Jul 23 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/8248
Summary:
The 812 OfficeConnect is one of a series of DSL routers distributed and maintained by 3Com. A vulnerability in the 3Com 812 OfficeConnect has been reported that may result in the router becoming unstable. Because of this, an attacker may be able to deny service to legitimate users of the vulnerable router.

The problem is in the handling of requests of excessive length by the administrative interface. When an attacker sends a string of 512 or more bytes to the administrative interface on port 80, the router reboots. This could be exploited repeatedly, resulting in a prolonged denial of service. It should be noted that the administrative interface is reachable only via the LAN interface of the DSL router, and cannot be accessed from the untrusted network side by default.

It should also be noted that this issue is likely a memory corruption vulnerability. Although unconfirmed, a possibility exists that this issue may be exploitable to execute arbitrary code. This issue may also affect other 3Com routers.

[ hardware ]

_______________________________________________
gull-annonces mailing list
[EMAIL PROTECTED]
http://lists.alphanet.ch/mailman/listinfo/gull-annonces
