PHPProjekt Arbitrary User Modification Vulnerability
BugTraq ID: 3239
Remote: Yes
Date Published: 2001-08-26
Relevant URL: http://www.securityfocus.com/bid/3239
Summary:
PHPProjekt is a freely available, open source PHP groupware package. It is actively maintained by the PHPProjekt Development Team.

PHPProjekt is prone to an input validation problem which allows remote attackers to view, modify and delete arbitrary user data. This is done by changing the ID number in the URL. The issue occurs because vulnerable versions of PHPProjekt do not check whether the user has authenticated when an arbitrary ID number is specified.


Lpd Remote Command Execution via DVI Printfilter Configuration Error
BugTraq ID: 3241
Remote: Yes
Date Published: 2001-08-27
Relevant URL: http://www.securityfocus.com/bid/3241
Summary:
'dvips' is a utility that converts DVI documents to PostScript. It is an optional component of the teTeX text formatting package. When installed on a system where LPRng and teTeX are in use, 'dvips' is invoked by 'lpd' when a DVI document is to be printed.

DVI files can contain directives that cause the interpreter to open files and/or execute commands while the file is being processed. The developers of 'dvips' included a switch that causes these directives to be ignored for security reasons. On some systems, this switch is not included when 'dvips' is invoked by 'lpd'. On these systems, it may be possible for a remote attacker to execute arbitrary commands on vulnerable systems by attempting to print a malicious DVI document. Any command executed will run with the privileges of user 'lp'.

It should be noted that this vulnerability is only due to the configuration of the DVI printfilter on some systems. There is no specific vulnerability in lpd, dvips or any other executable component. It is simply an error in the default configuration present on some systems.
It has been reported that Red Hat 7.0 is vulnerable with the default configuration installed with the RPM packages.


Red Hat PAM qpopper User Enumeration Vulnerability
BugTraq ID: 3242
Remote: Yes
Date Published: 2001-08-25
Relevant URL: http://www.securityfocus.com/bid/3242
Summary:
Qpopper is a widely used POP daemon for Unix systems. When qpopper is used in conjunction with PAM on Red Hat systems, remote attackers can enumerate valid account usernames. This is due to different error messages being output when authentication attempts are made using valid and invalid usernames.

When a remote client attempts to authenticate using a valid username with an invalid password, the server outputs:

-ERR [AUTH] PAM authentication failed for user "validuser": Authentication failure (7)

When an authentication attempt is made with an invalid username, the server outputs:

-ERR [AUTH] Password supplied for "username" is incorrect.

By attempting to authenticate using various usernames and viewing the server responses, it is possible for a remote attacker to determine valid usernames on the system. This information may make a brute force attack significantly more feasible.

Note: This vulnerability only affects qpopper when it is used with PAM. Red Hat systems are reported to be vulnerable.


Netscape 6 Temp File Symbolic Link Vulnerability
BugTraq ID: 3243
Remote: No
Date Published: 2001-08-27
Relevant URL: http://www.securityfocus.com/bid/3243
Summary:
Netscape 6 is a freely available web browser distributed by Netscape Communications. A problem in the web browser makes it possible for local users to overwrite arbitrary files. This could lead to denial of service.

The problem is in the handling of symbolic links by the Netscape 6 package when installed on Solaris systems. Netscape usually must be installed by the system administrator as the superuser.
When the installation is initiated, files are created in the /tmp directory using the "admin" prefix and the pid as the file extension. An example would be "admin.6565", where admin is the prefix and 6565 is the process id. This makes it possible for a local user to guess a range of process ids and create symbolic links to system files. Upon the installation of Netscape 6, the program will attempt to create the temporary file, overwriting the file at the end of the symbolic link.

It is unknown whether this affects other UNIX platforms.

[ not Open Source ]


Java Plug-In 1.4/JRE 1.3 Expired Certificate Vulnerability
BugTraq ID: 3245
Remote: Yes
Date Published: 2001-08-24
Relevant URL: http://www.securityfocus.com/bid/3245
Summary:
Java Plug-In is a product from Sun that allows Java applets to be run in web browsers. It has been reported that a vulnerability exists when Java Plug-In 1.4 is used on systems with Java Runtime Environment version 1.3 installed.

Users may not be alerted by the plugin/JRE when applets have been signed with expired certificates. As a result, the user may be led to believe that the applet is valid and allow it to be run on the local computer. It may be possible for applets to run with privileges that allow the client host running them to be compromised. An attacker may be able to obtain an expired or invalid certificate, sign a malicious applet with it and place it on a website trusted by a victim.

Note: This vulnerability is reported to affect systems with Plug-In 1.4 and JRE 1.3 installed. The existence of this vulnerability has not yet been confirmed by the vendor.

[ not Open Source ]

- To post an announcement: [EMAIL PROTECTED]
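The qpopper/PAM entry above describes a username-enumeration oracle: the failure text differs depending on whether the username exists. The following added example (not code from the digest or from qpopper) models that behaviour beside a hardened handler that returns one uniform failure, and shows the check a defender can run to tell the two apart; the account table and handler names are constructed for illustration.

```python
"""Username-enumeration oracle check for a POP3 AUTH handler.

Added example, not part of the original BugTraq digest. The two server
responses are the ones quoted in the qpopper/PAM entry; the account
database and both handlers are constructed for illustration.
"""

# Constructed account database: username -> password (illustration only).
ACCOUNTS = {"validuser": "correct horse"}


def leaky_auth(user: str, password: str) -> str:
    """Mimics the reported qpopper+PAM behaviour: the error text depends on
    whether the username exists, which is the enumeration oracle."""
    if user not in ACCOUNTS:
        return f'-ERR [AUTH] Password supplied for "{user}" is incorrect.'
    if ACCOUNTS[user] != password:
        return (f'-ERR [AUTH] PAM authentication failed for user "{user}": '
                'Authentication failure (7)')
    return "+OK Mailbox open"


def uniform_auth(user: str, password: str) -> str:
    """Hardened variant: every failure yields the same response, so the
    client learns nothing about whether the username exists (timing
    differences are a separate concern not covered here)."""
    if ACCOUNTS.get(user) == password:   # single path for unknown user and wrong password
        return "+OK Mailbox open"
    return "-ERR [AUTH] Authentication failed"


def leaks_username_validity(auth, known_user: str, unknown_user: str) -> bool:
    """Probe an auth handler with a wrong password for a username known to
    exist and one known not to; a difference in the failure text means the
    server is an enumeration oracle."""
    bad_password = "definitely-wrong"
    known = auth(known_user, bad_password)
    unknown = auth(unknown_user, bad_password)
    return known != unknown


if __name__ == "__main__":
    for name, handler in (("leaky", leaky_auth), ("uniform", uniform_auth)):
        print(f"{name}: leaks username validity = "
              f"{leaks_username_validity(handler, 'validuser', 'nosuchuser')}")
```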
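The Netscape 6 entry above is the classic predictable-temp-file symlink problem: a name like "admin.<pid>" can be pre-created as a symbolic link, and a plain open-for-write follows it. The following added example (not code from the digest or from Netscape) reproduces that outcome in a scratch directory and contrasts it with creation using O_EXCL/O_NOFOLLOW, which refuses the planted link; the directory, file names and contents are constructed for the demonstration.

```python
"""Predictable temp-file names and symlink following, as in the Netscape 6
installer entry. Added example, not from the original digest; the scratch
directory, file names and contents are constructed for the demonstration.
"""
import os
import tempfile


def unsafe_create(path: str, data: bytes) -> None:
    """Installer-style creation: open a predictable name for writing.
    If `path` is already a symlink, open() follows it and truncates and
    overwrites whatever the link points to."""
    with open(path, "wb") as fh:
        fh.write(data)


def safe_create(path: str, data: bytes) -> None:
    """Hardened creation: O_CREAT|O_EXCL fails if the path already exists
    (a symlink counts, wherever it points) and O_NOFOLLOW refuses to follow
    a link, so an OSError is raised instead of writing through the link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def demo(create):
    """Run one creation function against a pre-planted symlink.
    Returns (target_was_overwritten, create_raised)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "system-file")   # stands in for a system file
        with open(target, "wb") as fh:
            fh.write(b"original contents\n")
        # A local user who guessed the pid has already planted admin.<pid> -> target.
        planted = os.path.join(tmp, f"admin.{os.getpid()}")
        os.symlink(target, planted)
        raised = False
        try:
            create(planted, b"installer scratch data\n")
        except OSError:
            raised = True
        with open(target, "rb") as fh:
            overwritten = fh.read() != b"original contents\n"
        return overwritten, raised


if __name__ == "__main__":
    print("unsafe:", demo(unsafe_create))   # (True, False): target clobbered
    print("safe:  ", demo(safe_create))     # (False, True): link refused
```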
