NEdit Incremental Backup File Symbolic Link Vulnerability
BugTraq ID: 2667
Remote: No
Date Published: 2001-04-28
Relevant URL: http://www.securityfocus.com/bid/2667
Summary:
NEdit is the Nirvana editor, a freely available text editor included with various implementations of the UNIX operating system. It provides a graphical front end and features designed to emulate the functions of text editors for the Microsoft Windows and Macintosh operating systems.

A problem with NEdit could make it possible for local users to launch symbolic link attacks against users of the editor. This problem is due to insufficient checking of the incremental backup file prior to attempting to write to it. When a file is being edited by a user of NEdit, the file is periodically backed up to a file bearing the name of the original file, prefixed with a tilde. Prior to performing this function, the existence of the tilde-prefixed file is not checked. If a user of the NEdit editor were to use the program in a world-writable directory such as /tmp, a local user who observed the user of the editor and created a symbolic link prior to the first incremental backup by the editor could overwrite any file owned by the user of NEdit with the contents of the incremental backup.

This problem also affects files created by the editor using the .bck file name, which is also used for file backups.

Bugzilla Remote Arbitrary Command Execution Vulnerability
BugTraq ID: 2670
Remote: Yes
Date Published: 2001-04-30
Relevant URL: http://www.securityfocus.com/bid/2670
Summary:
Bugzilla is a web-based bug-tracking system based on Perl and MySQL. Bugzilla contains a vulnerability which may allow remote users to execute arbitrary commands on the target webserver. User email addresses are not checked for shell metacharacters before they are included in an argument to the Perl system() function.

As a result, it may be possible for users to execute arbitrary commands on the webserver if they register with malicious e-mail addresses. The system() function is a quick way for one program to execute another. It relies on '/bin/sh' to process the command string. As a result, any shell metacharacters that are not escaped will be interpreted and acted upon by '/bin/sh'. If the user-supplied e-mail address contains a character such as ';', the rest of the e-mail address will be executed as a separate command by the shell, because the semicolon delimits commands. It is therefore possible for a user who has registered with a malicious e-mail address to execute arbitrary commands on the webserver (with the privileges of the webserver process).

Bugzilla Sensitive Information Disclosure Vulnerability
BugTraq ID: 2671
Remote: Yes
Date Published: 2001-04-30
Relevant URL: http://www.securityfocus.com/bid/2671
Summary:
Bugzilla is a web-based bug-tracking system based on Perl and MySQL. Bugzilla ships with a file called 'globals.pl', containing global variables and other information used by various Bugzilla components. Among the more sensitive variables stored in this file are the database username and password. Many webservers are not configured by default to interpret files with the extension '.pl' as CGI executables. As a result, if 'globals.pl' is requested explicitly by a client from one of these webservers, it will be disclosed as plaintext. This would reveal the sensitive information to the attacker. With a database username and password, it may be possible to compromise the system further.
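The backup-file flaw in BID 2667 comes down to how the backup is opened. The following is an added illustration, not NEdit's code (NEdit is written in C; the same open(2) flags are used here from Python so the behaviour can be run and checked). It sets up the situation the advisory describes in a private temporary directory: a victim file, a tilde-prefixed backup name that is already a symbolic link to the victim, and two ways of writing the backup. The unsafe writer opens the name for writing and follows the link; the hardened writer uses O_CREAT|O_EXCL (plus O_NOFOLLOW where the platform has it) so creation fails if anything already exists at that name, and confirms via fstat() that what it opened is a regular file. All file names and contents are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Backup file name as the advisory describes it: the original name with a
# tilde prefix. "document" is a constructed example name.
BACKUP_NAME = "~document"


def write_backup_unsafe(path: str, data: bytes) -> None:
    """The pattern the advisory describes: the name is opened for writing
    without first checking whether it exists. If `path` is a symbolic link,
    the link is followed and its target is overwritten."""
    with open(path, "wb") as fh:
        fh.write(data)


def write_backup_safe(path: str, data: bytes) -> None:
    """Hardened version: create the backup only if nothing exists at `path`.

    O_CREAT|O_EXCL makes open() fail with EEXIST if the name already exists,
    and on Linux that includes the case where the name is a symbolic link,
    wherever it points. O_NOFOLLOW is added where available as a second
    guard, and fstat() on the descriptor (never stat() on the path, which
    could be raced) confirms a regular file was opened."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)          # private mode: owner only
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError(f"{path} is not a regular file")
        os.write(fd, data)
    finally:
        os.close(fd)


def _read(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def demonstrate() -> dict:
    """Run both writers against a pre-planted symbolic link and report what
    happened to the victim file in each case."""
    with tempfile.TemporaryDirectory() as workdir:
        victim = os.path.join(workdir, "victim.txt")
        backup = os.path.join(workdir, BACKUP_NAME)
        buffer = b"editor buffer contents"

        with open(victim, "wb") as fh:
            fh.write(b"original")
        os.symlink(victim, backup)  # the link planted before the first backup

        # 1. Unsafe writer: follows the link, victim is overwritten.
        write_backup_unsafe(backup, buffer)
        victim_after_unsafe = _read(victim)

        # 2. Hardened writer against the same link: refuses, victim untouched.
        with open(victim, "wb") as fh:
            fh.write(b"original")
        try:
            write_backup_safe(backup, buffer)
            safe_result = "wrote"
        except FileExistsError:
            safe_result = "refused"
        victim_after_safe = _read(victim)

        # 3. Hardened writer on a name that does not exist yet: succeeds.
        os.unlink(backup)
        write_backup_safe(backup, buffer)
        fresh_backup = _read(backup)

        return {
            "victim_after_unsafe": victim_after_unsafe,
            "safe_result": safe_result,
            "victim_after_safe": victim_after_safe,
            "fresh_backup": fresh_backup,
        }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value!r}")
```

The exclusive-create check is the essential part: a stat() or exists() test on the path before opening would still lose the race against an attacker who creates the link between the check and the open. Writing backups into a directory the user owns rather than a world-writable one removes the precondition entirely.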
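The mechanism behind BID 2670 is that a single command string is handed to '/bin/sh', which splits it at unescaped metacharacters such as ';'. The example below is added here and is not Bugzilla's code (Bugzilla is Perl; Python is used so the example can be executed, and the Perl list form of system() removes the shell in exactly the same way as the argv list shown). It shows the unsafe string as the shell would see it, a strict allowlist check for the address, and the hardened call that passes the address as one argv element so no shell parses it. The mail program is stood in for by the Python interpreter echoing its first argument; the addresses and the `notify_user` name are constructed for the demonstration.

```python
import re
import subprocess
import sys

# Constructed sample addresses: one ordinary, one carrying the ';' delimiter
# the advisory describes.
BENIGN_ADDRESS = "alice@example.com"
HOSTILE_ADDRESS = "alice@example.com; id"

# Conservative allowlist for what an address may contain. Everything the
# shell treats specially (; | & ` $ ( ) < > whitespace, quotes) is absent
# from these character classes, so a matching string carries no metacharacters.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_safe_email(address: str) -> bool:
    """True only if the address matches the strict allowlist."""
    return _EMAIL_RE.fullmatch(address) is not None


def vulnerable_command_string(address: str) -> str:
    """The unsafe pattern: one string that system() would hand to /bin/sh.
    Returned rather than executed, so the effect can be inspected."""
    return f"/usr/sbin/sendmail -t {address}"


def shell_would_see(command: str) -> list:
    """Split the string at ';' the way /bin/sh does, showing that anything
    after the delimiter becomes a second, independent command."""
    return [part.strip() for part in command.split(";")]


def _echo_first_arg(address: str) -> str:
    # Stand-in for the mail program: the interpreter prints argv[1] verbatim.
    # The argv list is passed directly to execve(); no shell is involved.
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", address],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def argv_passes_intact(address: str) -> str:
    """Without any validation, the list form still keeps a hostile address as
    a single argument: the ';' reaches the program as data, not as a command
    separator."""
    return _echo_first_arg(address)


def notify_user(address: str) -> str:
    """Hardened version: reject anything outside the allowlist, then invoke
    the program with an argv list. Both layers are kept; the allowlist also
    protects any later consumer of the address, not just this call."""
    if not is_safe_email(address):
        raise ValueError(f"rejected address: {address!r}")
    return _echo_first_arg(address)


if __name__ == "__main__":
    print(shell_would_see(vulnerable_command_string(HOSTILE_ADDRESS)))
    print(repr(argv_passes_intact(HOSTILE_ADDRESS)))
    print(repr(notify_user(BENIGN_ADDRESS)))
```

Escaping metacharacters before building the string is the weaker fix: it must be complete for every character the shell interprets, and one omission reopens the hole. Passing an argv list (Perl's `system(LIST)`, Python's `subprocess.run([...])`) never invokes the shell, so there is nothing to escape.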
