Basilix Webmail File Disclosure Vulnerability BugTraq ID: 2995 Remote: Yes Date Published: 2001-07-06 Relevant URL: http://www.securityfocus.com/bid/2995 Summary: Basilix is a web-based mail application. It offers features such as mail attachments, address book, multiple language and theme support. During operation, Basilix opens a PHP include file using a variable as the filename that can be supplied remotely. Basilix do not properly filter malicious user-supplied input. The problem exists in the file 'lang.inc'. It is possible for remote attackers to have Basilix attempt to 'include' an arbitrary webserver-readable file by setting it as the value of 'request_[DUMMY]' in a HTTP request. This vulnerability may disclose sensitive information contained in arbitrary web-readable files. It may also be possible for remote attackers to execute php files. [ open source ou pas? je ne sais pas mais vu qu'il y a plein de bugs avec PHP on y va :) Ca vaut la peine de r�p�ter ces choses. ] Multiple Vendor Small TCP MSS Denial of Service Vulnerability BugTraq ID: 2997 Remote: Yes Date Published: 2001-07-07 Relevant URL: http://www.securityfocus.com/bid/2997 Summary: A potential denial of service vulnerability exists in several TCP stack implementations. TCP has a MSS (maximum segment size) option that is used by a TCP client to announce to a peer the maximum amount of TCP data that can be sent per segment. The MSS is sent during connection establishment, and is often set to the interface MTU minus the fixed sizes of the IP and TCP headers. This is usually 1460 on an Ethernet using IPv4, or 1440 on an Ethernet using IPv6. When data of a length exceeding the MSS is written to a TCP socket, it is broken down into segments before being passed to IP. For example, if an application writes 2048 bytes of data to a TCP socket with the MSS set to 256, a total of 8 segments are transmitted. Using IPv4, this incurs an additional 320 bytes for IP and TCP header data. Using IPv6, the amount increases to 480 bytes. Sending a large number of packets often also means a significant increase in the workload of the system sending the data. The potential for attacks against TCP stack implementations exists because in many cases only a small minimum value is enforced for the MSS. By setting the MSS to a low value (such as 1) and making requests for large amounts of data through a TCP service, an attacker could effectively cause a denial of service by causing a large workload on a system. Tripwire Insecure Temporary File Symbolic Link Vulnerability BugTraq ID: 3003 Remote: No Date Published: 2001-07-09 Relevant URL: http://www.securityfocus.com/bid/3003 Summary: Tripwire is an open source host-based intrusion detection system actively maintained by the Tripwire Development Team. A problem in the software makes it possible to launch symbolic link attacks on an affected system. This vulnerability may be exploited to arbitrarily overwrite root-owned files, resulting in a denial of service, or potentially to gain elevated privileges. The problem is in the insecure handling of temporary files by the Tripwire program. During normal operation, Tripwire traverses system directories and builds a database of current files. The program then checks attributes of these files such as unix filesystem attributes and message digest hashes against an existing database, verifying the integrity of the system files. When Tripwire searches the directories, it creates files in the /tmp directory insecurely; Tripwire fails to use the O_EXCL flag with the O_CREAT flag prior to attempting to create a file. Additionally, the program uses the mktemp() system call, rather than the more secure mkstemp() system call for the creation of the tempfile. This makes it possible for a local attacker to guess the filename of a future temporary file, and create a range of symbolic links that could be used to overwrite root-owned files. OpenSSL PRNG Internal State Disclosure Vulnerability BugTraq ID: 3004 Remote: Yes Date Published: 2001-07-10 Relevant URL: http://www.securityfocus.com/bid/3004 Summary: The randomness pool and associated mixing function used by the OpenSSL PRNG (pseudo-random number generator) suffer from a flaw that could enable an attacker to reconstruct the generator's internal state. The OpenSSL generator maintains a global 1024-byte 'state' buffer (the randomness pool) along with an incrementing counter and a working hash value. The PRNG function used by OpenSSL both mixes the contents of the state buffer and produces the generator's output. For each successive group of ten bytes (or less) of data extracted from the generator, the high ten bytes of a local buffer initialized from the global hash are hashed with ten bytes of the global state and the counter. The first ten bytes of the hash result are XOR'd back into the global state, and the remaining ten bytes are provided as the generator's output. The flaw exists because the data quantum from the global hash used as input to the hash function is also used in the generator's output, meaning that in general it can not be considered secret. Additionally, the number of bytes used from the global state depends on the amount of PRNG output requested and could be as low as one, allowing brute-force analysis of all possible cases. If an attacker is able to gain knowledge of the generator's state, it may be possible for that attacker to predict future results. The impact of this vulnerability depends on the nature of the target application or protocol. It is relatively unlikely for data to be retrieved from the OpenSSL PRNG in a pattern allowing for attacks. No vulnerable applications are currently known. xloadimage Buffer Overflow Vulnerability BugTraq ID: 3006 Remote: Yes Date Published: 2001-07-10 Relevant URL: http://www.securityfocus.com/bid/3006 Summary: xloadimage is a utility used for displaying images of varying formats on X11 servers. xloadimage contains a buffer overflow vulnerability in the handling of the 'Faces Project' image type. During processing of the image file, the "Firstname" and "Lastname" fields are copied into local variables. This is done via strcpy(), which performs no bounds checking. It is possible to create a file according to the 'Faces Project' file format specifications containing 'Firstname' and 'Lastname' fields that are larger than the buffers allocated to store them in xloadimage. When they are copied via strcpy(), the excessive data will overwrite neighboring memory on the stack. The function stack frame in xloadimage is overwritten and can be corrupted so that the function returns to shellcode. xloadimage is not setuid however, so locally this condition is not a vulnerability. An optional netscape plugin shipped with Red Hat powertools invokes xloadimage to load certain image types. If this plugin is in use, this vulnerability may be remotely exploitable if an attacker places the exploit-file on a webserver. FreeBSD exec() Inherited Signal Handler Vulnerability BugTraq ID: 3007 Remote: No Date Published: 2001-07-10 Relevant URL: http://www.securityfocus.com/bid/3007 Summary: On UNIX systems, fork() is the method by which a new process is created. The fork() system call causes a duplicate of the calling process to be created called a 'child' process. Once created, a child process may replace it's image with that of a binary executable on the file system using the exec() system call. The rfork() system call allows the calling process to specify explicitly which resources the child process is to inherit from the parent. A vulnerability exists in the FreeBSD exec() implementation. The system calls fails to prevent signal handlers from being inherited by processes attempting to exec setuid images. As a result, setuid processes may end up with user-supplied signal handlers set. This can lead to arbitrary code execution. An attacker may be able to place instructions in the environment and set the signal handler to their address. When the setuid process catches the signal associated with the handler, the arbitrary code in the environment will be executed. It may be possible to elevate privileges by exploiting this vulnerability. Apache Autoindexing Module Possible Directory Index Disclosure Vulnerability BugTraq ID: 3009 Remote: Yes Date Published: 2001-07-10 Relevant URL: http://www.securityfocus.com/bid/3009 Summary: The AutoIndex module for Apache provides automatic indexing of directories within the webroot. Normally, if an index file exists (specified by the 'DirectoryIndex' directive) in a directory, it is output to the client when the directory is requested. If no such file exists and AutoIndexing is enabled, the webserver provides an HTML index of the directory to the client. Some administrators may rely on the presence of an 'index.html' to ensure that the actual contents of the directory will not be disclosed. There exists a possible vulnerability in this module that can allow for disclosure of directory contents despite the presence of an 'index.html'. It has been reported that it is possible to obtain a list of files in a directory by submitting a request containing indexing parameters. It is believed that the AutoIndex module may bypass 'index.html' if these parameters are recieved. Exploitation of this vulnerability may disclose sensitive information to attackers, especially if 'index.html' is relied upon for preventing this. - Pour poster une annonce: [EMAIL PROTECTED]
