Multiple Vendor Mail Reply-To Field Vulnerability
BugTraq ID: 1910
Remote: No
Date Published: 2000-11-01
Relevant URL: http://www.securityfocus.com/bid/1910
Summary: mail is a simple console e-mail client. A vulnerability exists in several vendors' distributions of this program.
[ or rather in the way some people use it ]

RedHat Linux restore Insecure Environment Variables Vulnerability
BugTraq ID: 1914
Remote: No
Date Published: 2000-11-03
Relevant URL: http://www.securityfocus.com/bid/1914
Summary: restore is a program for backup and recovery procedures, distributed with the RedHat Linux Operating System. A vulnerability exists that could allow a user elevated permissions. The problem occurs in the RSH environment variable. restore is dependent upon this environment variable for execution. It is possible to set this variable to the path of an executable, and then execute restore. This will result in the executable named in the RSH environment variable being run with an EUID of 0. Exploitation of this vulnerability by a malicious user can result in root compromise.
[ restore should not be setuid root, or else should only be accessible to the backup group, for example ]

StarOffice /tmp Directory Symbolic Link Vulnerability
BugTraq ID: 1922
Remote: No
Date Published: 2000-11-08
Relevant URL: http://www.securityfocus.com/bid/1922
Summary: StarOffice is a productivity package designed to offer advanced word processing and business applications. A vulnerability exists which can allow users to read and write to restricted files belonging to users who run StarOffice. The problem occurs in use of the /tmp directory. When a user starts the StarOffice application, the application creates the /tmp/soffice.tmp directory with permissions set to 0777. The application has also been
[ under discussion on Open Office ]

Multiple Vendor BIND 8.2.2-P5 Denial of Service Vulnerability
BugTraq ID: 1923
Remote: Yes
Date Published: 2000-11-08
Relevant URL: http://www.securityfocus.com/bid/1923
Summary: BIND is the Berkeley Internet Name Daemon, a free Name Resolution software package maintained by the Internet Software Consortium. A Denial of Service exists in current implementations. The problem occurs in the Compressed Zone Transfer (ZXFR) functionality of BIND. A default installation of BIND does not support the transfer of compressed zone files. However, a daemon that allows zone transfers and recursive queries will crash if queried for a compressed zone transfer that is not in the nameserver cache. This could result in a name resolution Denial of Service for all users and systems depending upon nameservers using the affected software.

tcsh Here-document /tmp Symbolic Link Vulnerability
BugTraq ID: 1926
Remote: No
Date Published: 2000-10-29
Relevant URL: http://www.securityfocus.com/bid/1926
Summary: Tcsh is an enhanced version of the traditional Unix C shell. Tcsh, when handling here-documents, creates a temporary file in /tmp insecurely. The file's filename is based on the process ID of the tcsh process and is thus guessable. This can be exploited by an attacker aware of jobs using here-document redirects and their process IDs to overwrite the contents of files owned by those users (or any file if it is root's process). This would be accomplished through the use of a symbolic link with a filename of the predicted temporary tcsh filename created in /tmp at the time of the job's execution and use of "<<". The file pointed to by the malicious symbolic link would then be overwritten by the temporary here-document input. If pulled off, this could (under certain circumstances) lead to an elevation of privileges for the attacker in a number of ways.
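
The tcsh entry above comes down to opening a guessable name in a shared directory without exclusive creation. The C program below is an added example, not tcsh code and not part of the original digest; it contrasts that open() pattern with exclusive creation. The "sh<pid>" file name, the helper names and the private mkdtemp() directory standing in for /tmp are assumptions.

```c
/* Added example, not tcsh source. The "sh<pid>" name and helper names are hypothetical. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Write here-document text to path using the given open(2) flags. */
static int write_heredoc(const char *path, int flags, const char *text) {
    int fd = open(path, flags, 0600);
    if (fd < 0) return -1;              /* e.g. EEXIST when O_EXCL meets an existing link */
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Returns 1 if the file behind a pre-existing symlink was overwritten,
 * 0 if it survived, -1 on setup error. Everything lives in a private
 * mkdtemp() directory standing in for /tmp. */
int symlink_target_clobbered(int exclusive) {
    char dir[] = "/tmp/heredoc-demo-XXXXXX";
    char target[128], tmp[128], buf[32] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/owned-by-user", dir);
    snprintf(tmp, sizeof tmp, "%s/sh%ld", dir, (long)getpid()); /* guessable name */

    if (write_heredoc(target, O_WRONLY | O_CREAT | O_EXCL, "precious\n") != 0) return -1;
    if (symlink(target, tmp) != 0) return -1; /* link already sits at the predicted name */

    int flags = O_WRONLY | O_CREAT |
                (exclusive ? O_EXCL | O_NOFOLLOW /* hardened: refuse existing names and links */
                           : O_TRUNC);           /* pattern described in the advisory */
    write_heredoc(tmp, flags, "here-document input\n");

    int fd = open(target, O_RDONLY);
    if (fd >= 0) { if (read(fd, buf, sizeof buf - 1) < 0) buf[0] = 0; close(fd); }
    unlink(tmp); unlink(target); rmdir(dir);
    return strcmp(buf, "precious\n") != 0;
}

int main(void) {
    printf("O_CREAT|O_TRUNC:           clobbered=%d\n", symlink_target_clobbered(0));
    printf("O_CREAT|O_EXCL|O_NOFOLLOW: clobbered=%d\n", symlink_target_clobbered(1));
    return 0;
}
```

In new code, mkstemp() gives the same exclusive-creation guarantee and also removes the predictable name. On Linux, the fs.protected_symlinks setting adds a second layer by refusing to follow links in sticky world-writable directories when the link belongs to another user.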
