Apache Cocoon Directory Traversal Vulnerability
BugTraq ID: 8883
Remote: Yes
Date Published: Oct 24 2003
Relevant URL: http://www.securityfocus.com/bid/8883
Summary:
Apache Cocoon is an XML Web development framework by Apache.

A vulnerability has been reported to exist in the software that may allow a remote attacker to traverse outside the server root directory in order to access sensitive server-readable files. The problem is reported to exist in the sample "view-source" script. The issue presents itself due to insufficient sanitization of user-supplied input to the "filename" parameter and may allow an attacker to access unauthorized information by issuing '../../../' character sequences. This vulnerability may be successfully exploited to gain sensitive information about a vulnerable host that could be used to launch further attacks against the system. Apache Cocoon versions 2.1 and 2.2 before 22 Oct 2003 have been reported to be affected by this issue; however, other versions may be affected as well.

SH-HTTPD Character Filtering Remote Information Disclosure V...
BugTraq ID: 8897
Remote: Yes
Date Published: Oct 27 2003
Relevant URL: http://www.securityfocus.com/bid/8897
Summary:
sh-httpd is a freely available, open source web server written in shell. It is available for the Unix and Linux platforms. A problem has been identified in the handling of some characters by sh-httpd. Because of this, an attacker may be able to gain unauthorized access to information. The problem is in the handling of the asterisk character. When a request is made to the service for a directory listing using the asterisk character (*), it is possible to see the contents of the entire directory requested. An attacker could use this issue to gather information about host design, services enabled, and other potentially restricted information.
[ well, don't do that ]

RedHat Apache Directory Index Default Configuration Error
BugTraq ID: 8898
Remote: Yes
Date Published: Oct 27 2003
Relevant URL: http://www.securityfocus.com/bid/8898
Summary:
A vulnerability has been reported to be present in the RedHat Apache configuration that may allow a remote attacker to view directory listings by sending a specific HTTP GET request. It has been reported that this issue exists even when autoindex for the root directory has been disabled and a default welcome page is supposed to be displayed. A request for '//' reportedly evades a rule designed to prevent Apache from displaying directory listings with a request for '/'. Successful exploitation of this issue results in disclosure of sensitive information which may be useful in further attacks against the system. This problem has been reported to exist in Apache 2.0.40 shipped with RedHat Linux 9.0. It is possible that other versions are affected as well.

Musicqueue SIGSEGV Signal Handler Insecure File Creation Vul...
BugTraq ID: 8899
Remote: No
Date Published: Oct 27 2003
Relevant URL: http://www.securityfocus.com/bid/8899
Summary:
Musicqueue is a CGI-based jukebox utility designed to invoke external programs to carry out a variety of tasks. Musicqueue is available for the Linux operating system. This program includes a make suid installation option, which will install the utility with the suid and sgid privileges of the installing user. When the Musicqueue utility is invoked, the crash() function is registered as the handling procedure for any generated SIGSEGV signals. The function's sole functionality is calling the gcgiSaveEnvVariables() library function, which takes a single argument that is the name of a temporary file. The CGI environment variable data of the program that encountered the segmentation violation is then stored within this file.

It has been discovered that the crash() signal handler incorrectly passes the aforementioned library function a predictable filename for the storage of environment information, specifically "/tmp/musicqueue.crash". As a result, when handling a SIGSEGV signal, Musicqueue may be prone to symbolic link attacks. Due to the potentially attacker-controllable data contained within environment variables, it is believed to be trivial for an attacker to elevate privileges to those of the owner or group of the executable. On some installations, this may effectively result in root compromise. This vulnerability is said to affect Musicqueue 1.2.0; however, earlier versions may also be affected.

IWConfig Local ARGV Command Line Buffer Overflow Vulnerabili...
BugTraq ID: 8901
Remote: No
Date Published: Oct 27 2003
Relevant URL: http://www.securityfocus.com/bid/8901
Summary:
iwconfig is a freely available, open source wireless connection management tool for Linux. A problem has been identified in the iwconfig program when handling strings on the command line. Because of this, a local attacker may be able to gain elevated privileges. The problem is in bounds checking. It is possible to produce an exploitable stack overflow by passing an argument of 96 or more bytes of data to the program. This problem is likely an overflow in a function to which the data from ARGV is passed. It should be noted that the iwconfig program is typically installed as a setuid executable by default.

Musicqueue Multiple Buffer Overrun Vulnerabilities
BugTraq ID: 8903
Remote: No
Date Published: Oct 27 2003
Relevant URL: http://www.securityfocus.com/bid/8903
Summary:
Musicqueue is a CGI-based jukebox utility designed to invoke external programs to carry out a variety of tasks. Musicqueue is available for the Linux operating system. This program includes a make suid installation option, which will install the utility with the suid and sgid privileges of the installing user.
Multiple buffer overrun vulnerabilities have been discovered in Musicqueue. Both issues stem from the lack of bounds checking when passing user-supplied input to the sprintf() libc function. As a result, it may be possible for an attacker to execute arbitrary code with the privileges of the affected application, possibly installed suid or sgid. The problems specifically occur within the openLang() and langExists() functions, which are passed the user-controllable 'language' parameter. It has been reported that the openLang() issue may not be exploitable due to the malicious data being limited to a range of ASCII characters from 'a' to 'z'. However, it may be possible to carry out a partial pointer overwrite in such a way that execution flow can be controlled. The langExists() overrun is said to be trivially exploitable. It should be noted that due to the nature of both of these issues, triggering the bugs will potentially cause a SIGSEGV signal to be generated. As a result, these vulnerabilities may be used in conjunction with the vulnerability described in BID 8899, effectively allowing for privilege elevation.

thttpd defang Remote Buffer Overflow Vulnerability
BugTraq ID: 8906
Remote: Yes
Date Published: Oct 27 2003
Relevant URL: http://www.securityfocus.com/bid/8906
Summary:
thttpd is an HTTP web server application. A vulnerability has been reported to exist in thttpd that may allow a remote attacker to gain unauthorized access by executing arbitrary code on a vulnerable system. The condition is present due to insufficient boundary checking. The problem is reported to exist in the defang() function in libhttpd.c. The issue presents itself due to insufficient bounds checking. A remote attacker may ultimately exploit this issue remotely and execute arbitrary code in the context of the user who is running the vulnerable software. Successful exploitation may allow an attacker to gain unauthorized access to the vulnerable host.

Successful exploitation of this issue may allow an attacker to execute arbitrary code in the context of the web server in order to gain unauthorized access to a vulnerable system. thttpd versions 2.21 to 2.23b1 have been reported to be prone to this issue; however, other versions may be affected as well.

Apache Web Server Multiple Module Local Buffer Overflow Vuln...
BugTraq ID: 8911
Remote: No
Date Published: Oct 28 2003
Relevant URL: http://www.securityfocus.com/bid/8911
Summary:
A vulnerability has been reported to exist in Apache that may allow a local attacker to gain unauthorized access by executing arbitrary code on a vulnerable system. The condition is present due to insufficient boundary checking. The problem is reported to exist in the mod_alias and mod_rewrite modules of the software. It has been reported that the problem presents itself if a regular expression is configured with more than 9 captures using parentheses. It is reported that the vulnerability is in an Apache wrapper function for the regex interface. A local attacker may ultimately exploit this issue locally and execute arbitrary code in the context of the user who is running the vulnerable software. Successful exploitation may allow an attacker to gain unauthorized access to the vulnerable host. It has also been reported that to exploit this issue an attacker would need to locally create a specially crafted configuration file (.htaccess or httpd.conf). Successful exploitation of this issue may allow an attacker to execute arbitrary code in the context of the web server in order to gain unauthorized access to a vulnerable system.

kpopup Privileged Command Execution Vulnerability
BugTraq ID: 8915
Remote: No
Date Published: Oct 28 2003
Relevant URL: http://www.securityfocus.com/bid/8915
Summary:
kpopup is a KDE utility designed to allow hosts to transmit and receive "WinPopup" messages.

It has been alleged that it is possible for local attackers to gain root privileges through kpopup, which is installed setuid root by default. According to the report, kpopup uses the system(3) C-library function insecurely to run other utilities on the system. In at least one instance, system(3) is called to invoke the binary killall(1) in a manner relying on the PATH environment variable. As the environment can be set by the unprivileged user when kpopup is executed, an arbitrary executable with the filename killall(1) can be executed. On typical UNIX and UNIX-like systems, the system(3) library call invokes fork(2) and the child executes "/bin/sh" with the function parameter as its argument. Many modern shells anticipate insecure use of this function by setuid/setgid processes and drop effective privileges if they do not match the real userid/gid of the process. This typically prevents exploitation of these issues. This particular vulnerability may be different. It may be the case that kpopup first sets its real uid and gid to 0 before calling system, making this vulnerability exploitable. This has not been confirmed by Symantec.

kpopup Local Arguments Format String Vulnerability
BugTraq ID: 8918
Remote: No
Date Published: Oct 28 2003
Relevant URL: http://www.securityfocus.com/bid/8918
Summary:
kpopup is a KDE utility designed to allow hosts to transmit and receive "WinPopup" messages. It is available for Unix and Linux platforms. It has been alleged that it is possible for local attackers to take advantage of format string vulnerabilities in kpopup, which is installed setuid root by default. According to the report, kpopup does not correctly handle format strings when passed to the program as arguments. Preliminary reports indicate that this issue can be used to cause the program to crash with a segmentation violation error. This is usually indicative of memory management issues that typically can be exploited to execute attacker-supplied instructions.
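The kpopup report above (BID 8915) describes a setuid root program calling system(3) for killall(1) through a PATH lookup, and notes that shells only save the day when the real uid still differs from the effective one. As an added example that is not kpopup's or KDE's code, the pattern a privileged helper should use instead: an absolute path, no shell, a pinned environment, and privileges dropped to the real uid/gid before exec. The function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example, not kpopup's code: what a setuid helper should do instead of
 * system("killall ..."): absolute path, no shell, pinned environment, and
 * privileges dropped to the real uid/gid before exec. Captures the child's
 * stdout into out; returns the child's exit status, or -1 on refusal/error. */
int run_helper_clean(const char *path, char *const argv[], char *out, size_t outlen)
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int fd[2], status;
    pid_t pid;
    size_t total = 0;
    if (path == NULL || path[0] != '/')   /* refuse PATH-dependent names like "killall" */
        return -1;
    if (pipe(fd) < 0)
        return -1;
    pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {
        /* Drop any setuid/setgid privilege first: effective ids become the real ones. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0 || dup2(fd[1], STDOUT_FILENO) < 0)
            _exit(126);
        close(fd[0]);
        close(fd[1]);
        execve(path, argv, clean_env);   /* explicit env: the caller's PATH is never used */
        _exit(127);
    }
    close(fd[1]);
    if (out != NULL && outlen > 0) {
        ssize_t n;
        while (total < outlen - 1 && (n = read(fd[0], out + total, outlen - 1 - total)) > 0)
            total += (size_t)n;
        out[total] = '\0';
    }
    close(fd[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo: poison our own PATH (a constructed, harmless value) and confirm the child
 * never sees it, and that a bare command name is refused. Returns 1 on success. */
int demo_clean_exec(void)
{
    char buf[128];
    char *const argv[] = { "sh", "-c", "printf '%s' \"$PATH\"", NULL };
    setenv("PATH", "/tmp/untrusted-dir:/usr/bin:/bin", 1);
    if (run_helper_clean("/bin/sh", argv, buf, sizeof buf) != 0 || strcmp(buf, "/usr/bin:/bin") != 0)
        return 0;
    return run_helper_clean("sh", argv, buf, sizeof buf) == -1;
}
```

The explicit setuid(getuid()) call is the part the report says kpopup may have inverted: once the real uid has been set to 0, no shell heuristic can drop privileges for you.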
Apache Mod_Security Module Heap Corruption Vulnerability
BugTraq ID: 8919
Remote: Yes
Date Published: Oct 28 2003
Relevant URL: http://www.securityfocus.com/bid/8919
Summary:
The Apache 2 mod_security module is designed to act as a web-based intrusion detection system. It is also designed to prevent certain types of attacks by handling and parsing data. A vulnerability has been discovered in the mod_security module when handling specific data transmitted by the Apache server. The problem occurs within the sec_filter_out() function located in the mod_security.c source file. When this function is used to handle data transmitted from a server-side script, it incorrectly assumes that the data is broken into 4 or 8 kilobyte chunks before being transmitted. As a result, when expanding the size of the data's storage buffer it explicitly reallocates the size to be 2 times as large. However, because the data is not the expected chunk sizes, the size of the data copied into the buffer could in fact be larger than expected. When finally copied into the buffer, sensitive heap variables such as malloc chunk pointers may be overwritten. An attacker could ultimately exploit this condition to execute arbitrary code with the privileges of the Apache server. It should be emphasized, however, that an attacker would be required to carry this attack out locally or on a server that allows the uploading of malicious scripts (which may be possible via exploitation of other vulnerabilities). The vulnerability cannot be triggered by sending a request with excessive data to the affected module. This issue is said to affect releases 1.7 and 1.7.1 of mod_security.

Apache Web Server mod_cgid Module CGI Data Redirection Vulne...
BugTraq ID: 8926
Remote: Yes
Date Published: Oct 29 2003
Relevant URL: http://www.securityfocus.com/bid/8926
Summary:
Apache has reported a potential vulnerability in the mod_cgid module when the threaded MPM (Multi-Processing Module) is used.

The problem is said to be due to mishandling of CGI redirect paths. Reportedly, the module will incorrectly redirect the CGI output data to a separate, unrelated thread. Apache has stated that the specific problem is related to mishandling of the AF_UNIX socket that is used to pass communications between the cgid daemon and a CGI script. It seems likely that this issue could occur inadvertently and it is not currently known if a remote attacker could deliberately trigger the condition. Depending on the context of the CGI data in question, this could potentially result in sensitive information, such as banking or login information, being exposed to a user of a separate thread. This could also potentially result in another user incorrectly being granted authorization to a sensitive page. The precise technical details regarding this condition are currently unknown. This BID will be updated as further information is made available. It should also be noted that, although unconfirmed, this condition may in some ways be similar to the condition described in BID 8725.

Multiple Vendor HTTP Server IPv6 Socket IPv4 Mapped Address ...
BugTraq ID: 8927
Remote: Yes
Date Published: Oct 29 2003
Relevant URL: http://www.securityfocus.com/bid/8927
Summary:
IPv6 is a protocol designed to replace IPv4. IPv6 allows for the encapsulation of IPv4 addresses, in order to facilitate transition between the two standards and allow the usage of IPv4 legacy applications under IPv6 networking. Additionally, many systems are expected to support both IPv4 and IPv6 traffic, in order to allow a transition period between the two standards. A problem may exist in some web servers that may result in vulnerabilities in web applications. When a mapped IPv4 address is passed to a system through an IPv6 interface, it may be possible to confuse or even take advantage of functions in web applications.

A scenario could occur when such an address is passed to the $REMOTE_ADDR server environment variable, for example. If the $REMOTE_ADDR variable were then used for authentication or access control in this situation, unexpected behavior could result, potentially introducing a security vulnerability. This problem could permit an attacker to bypass access restrictions, or potentially obscure the origins of a request.

Cisco IOS OSPF Potential Routing Table Corruption Vulnerabil...
BugTraq ID: 8935
Remote: Yes
Date Published: Oct 30 2003
Relevant URL: http://www.securityfocus.com/bid/8935
Summary:
A bug has been discovered in specifically configured Cisco IOS routers when handling the OSPF (Open Shortest Path First) protocol. It has not yet been confirmed if this issue is an explicit security vulnerability; however, it has been conjectured by a reliable source that the problem could potentially lead to the corruption of routing tables. The bug is said to exist on Cisco IOS release 12.3(1a), when running on an AS5350 device. This issue may reportedly occur when the following configuration is used:

  router ospf 1
   log-adjacency-changes
   redistribute connected subnets route-map ospf
   redistribute static subnets route-map ospf
   network 192.168.100.0 0.0.1.255 area 1

As a result, the device may incorrectly multicast OSPF Hello packets to all peers, regardless of the host's address. This could potentially allow for a malicious system to issue a response containing false information, designed to corrupt routing table entries. This condition has not yet been confirmed. If this bug does prove to be a vulnerability, an attacker could exploit this condition to re-route traffic through controlled systems or could potentially pose as a trusted host. This could lead to a number of attacks including man-in-the-middle attacks, connection hijacking, modifying data streams, exposing sensitive information, etc. This issue is reportedly not present in Cisco IOS 12.2(3).

*** October 31, 2003 - Cisco has issued a response regarding this issue and has stated that the behaviour of the device is as expected. OSPF will be enabled on any interface that has an IP address bound to it, and as such Hello packets will typically be transmitted over these interfaces. This BID has been flagged as Conflicting Reports, and will be updated as further details have been released.

[ hardware ]

_______________________________________________
gull-annonces mailing list
[EMAIL PROTECTED]
http://lists.alphanet.ch/mailman/listinfo/gull-annonces
