Red Hat TUX HTTP Server Oversized Host Denial of Service Vulnerability
BugTraq ID: 3506
Remote: Yes
Date Published: Nov 05 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3506
Summary:
TUX is a kernel-based HTTP server released under the GNU General Public License. It is able to serve static content, cache dynamic content, and coordinate with other HTTP servers to produce dynamic content.

An error exists when the TUX daemon receives an oversized Host: header as part of an HTTP request. The request results in an assertion failure and eventually in a kernel panic. At this point a system reboot is required to regain normal functionality.

When the vulnerability is exploited, an error is generated as the result of a bad EIP address. As this error is recognized, it is not believed this can be exploited to execute arbitrary code.

PHP Nuke Copying and Deleting Files Vulnerability
BugTraq ID: 3510
Remote: Yes
Date Published: Nov 05 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3510
Summary:
PHP Nuke is a web portal creation and management package, implemented in the PHP scripting language. The default installation includes the script admin/case/case.filemanager.php, which can be used to copy and delete files on the server file system.

The script case.filemanager.php is designed such that it can only be called from the script admin.php, which is responsible for authenticating the remote user. This implementation is flawed, due to a bug in PHP's handling of the $PHP_SELF variable. It is possible for a remote user to include information in the URL which is appended to the $PHP_SELF variable, allowing him to bypass this check.

By calling the script in this manner and passing arbitrary file names to it, a remote user is able to copy and delete any file on the web server, subject to the permissions of the user the web server is running as. The remote user may, for example, copy '/etc/passwd' over a file normally displayed by the web server, gaining access to sensitive information.
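The caller check described above, as an added illustration (not PHP Nuke's own code): the substring test on $PHP_SELF beside a hardened gate that compares the server-set script name exactly and also requires a flag that only the authenticating entry script sets. The function names and the admin_context flag are assumptions.

```python
"""The flawed $PHP_SELF caller check from the PHP Nuke advisory, beside a
hardened gate. Constructed illustration: function names are assumptions,
not PHP Nuke's own code."""
import posixpath


def php_self(script_name: str, path_info: str = "") -> str:
    # Under Apache, PHP's $PHP_SELF is SCRIPT_NAME followed by any PATH_INFO
    # the client placed after the script name, so the tail is client-chosen.
    return script_name + path_info


def weak_caller_check(php_self_value: str) -> bool:
    # Flawed pattern: "was admin.php involved?" answered by a substring search.
    # Any request whose appended path information contains "admin.php" passes.
    return "admin.php" in php_self_value


def strict_caller_check(script_name: str, admin_context: bool) -> bool:
    # Hardened: compare the server-set SCRIPT_NAME (which never carries
    # PATH_INFO) exactly, and additionally require a flag that only admin.php
    # sets after authenticating the user (the defined()-constant idiom in PHP).
    return posixpath.basename(script_name) == "admin.php" and admin_context


def filemanager_allowed(script_name: str, path_info: str, admin_context: bool) -> dict:
    """Outcome of both checks for one request, so the difference is visible."""
    return {
        "weak": weak_caller_check(php_self(script_name, path_info)),
        "strict": strict_caller_check(script_name, admin_context),
    }
```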
If the remote user is able to upload files to the server, they may be able to copy them over a standard PHP Nuke script and have arbitrary scripts executed as the web server user.

Slashcode Guessable SessionID Vulnerability
BugTraq ID: 3519
Remote: Yes
Date Published: Nov 07 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3519
Summary:
Slashcode is a popular message-board-style web page system. Users are able to create accounts and log in to the system to post and respond to messages. Persistent authentication of users is accomplished through a session ID assigned in a cookie.

Users who create accounts on a Slashcode system are initially assigned a random eight-character password. The session ID for an account using the default password consists of the user ID concatenated with the user password. The user ID is assigned sequentially as new accounts are created, and is guessable by creating an account and assuming other accounts will exist with similar user IDs. The default password is composed of eight characters, each with 56 possible values. It is possible to search the password space in a reasonable amount of time.

It is important to note that once a user has changed their password, the session ID is constructed using a variable-length MD5 hash of the new password, which is not vulnerable to a practical brute-force guessing attack.

Other versions of Slashcode may also be vulnerable.

Apache mod_usertrack Predictable ID Generation Vulnerability
BugTraq ID: 3521
Remote: Yes
Date Published: Nov 08 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3521
Summary:
Apache is a popular open-source HTTP server in wide use across the Internet. Apache ships with a module called 'mod_usertrack'. This module contains code to generate unique identifiers for individual web sessions and requests. The IDs that are generated are not random. They are generated using the IP address of the client, the system time and the server process ID.
As they are non-random, these IDs are not meant to be used for authentication purposes. Any application that relies on these IDs for tracking authenticated sessions may be vulnerable to ID prediction attacks. Depending on the application, an attacker who can predict an ID can possibly hijack user sessions and accounts. If an attacker has local access to the machine, information like system time and server process IDs can be obtained without guessing.

It should be noted that this is not a vulnerability in Apache. This is only a vulnerability when an application uses these IDs to track authenticated users.

RedHat Linux IPTables Save Option Unrestorable Rules Vulnerability
BugTraq ID: 3520
Remote: Yes
Date Published: Nov 08 2001 12:00A
Relevant URL: http://www.securityfocus.com/bid/3520
Summary:
Red Hat Linux is a freely available, Open Source clone of the Unix Operating System. It is distributed and maintained by Red Hat Incorporated.

A problem with the firewall infrastructure included with the Operating System could make it possible for an administrator to unknowingly expose a system to unnecessary risk. The problem is in the save format used by the iptables program. iptables will create a save file of the current active ruleset when the -c option is used. When an administrator attempts to save a firewall ruleset to a file, the format in which the ruleset is saved is not one that iptables can understand when an attempt to reload the saved ruleset is made. An administrator saving a firewall configuration to a file that will be loaded by the system on the next reboot will therefore leave the system unprotected.

This could result in a remote user gaining access to sensitive services on a system, and potentially local access or elevated privileges on systems that have been deployed insecurely.
[ This week I am also listing a few referenced tools: ]

Swatch v3.0.4 by Todd Atkins
Relevant URL: http://www.stanford.edu/~atkins/swatch/
Platforms: BSDI, Linux, Solaris, UNIX
Summary:
Swatch was originally written to actively monitor messages as they were written to a log file via the UNIX syslog utility. It has multiple methods of alarming, both visually and by triggering events. The perfect tool for a master loghost. It is known to work flawlessly on Linux (RH5), BSDI, and Solaris 2.6 (patched).

[ indeed, what good are logs if nobody reads them ]

snort-rep v1.7 by David Schweikert
Relevant URL: http://people.ee.ethz.ch/~dws/software/snort-rep/
Platforms: POSIX
Summary:
snort-rep is a Snort reporting tool that can produce text or HTML output from a syslog file. It is designed to be used for daily e-mail reports to the system administrators. All reports contain priority information (if used with Snort 1.8+), and the HTML output contains direct links to the IDS descriptions at whitehats.com.

[ to avoid having to grant root rights just to bind(), handy in a chroot ]

Linux Port/Socket Pseudo ACLs v2.4.14-11 (2.4) by anthonyu
Relevant URL: http://original.killa.net/infosec/acls/
Platforms: Linux
Summary:
The Linux Port/Socket Pseudo ACLs patch allows an administrator to delegate privileges for some protected network resources to non-root users. The ACLs are generally used to run untrusted or insecure applications as an unprivileged process, thereby mitigating some undiscovered denial of service or root compromise. The ACLs cover protected ports, raw sockets, and packet sockets.

- To post an announcement: [EMAIL PROTECTED]
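What the two log tools above do, as an added example that is not code from snort-rep or swatch: parse Snort alerts out of a syslog file, rank them by the priority field snort-rep reports on, and apply one swatch-style watch rule that fires when a source repeatedly trips a high-priority signature. The log lines are constructed and follow the layout of Snort's syslog alert output; the rule thresholds are assumptions.

```python
"""Daily Snort syslog report with priority ranking (snort-rep style) plus one
swatch-style watch rule. Added example; the log lines below are constructed."""
import re
from collections import Counter

# Snort syslog alert layout: [gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?)"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])?"
    r"(?: \[Priority: (?P<prio>\d+)\])?: \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed sample syslog extract; the last line is not a Snort alert and must be ignored.
LOG = """\
Nov  5 00:14:02 ids snort[812]: [1:1002:7] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.1.2.3:3201 -> 10.0.0.8:80
Nov  5 00:14:05 ids snort[812]: [1:1002:7] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.1.2.3:3202 -> 10.0.0.8:80
Nov  5 01:02:11 ids snort[812]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.9.9.9 -> 10.0.0.8
Nov  5 03:40:00 ids snort[812]: [1:1201:7] ATTACK-RESPONSES 403 Forbidden [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.0.0.8:80 -> 10.1.2.3:3203
Nov  5 04:00:00 ids sshd[4011]: Accepted publickey for ops from 10.0.0.2 port 51022
"""


def parse_alerts(text: str) -> list:
    """Return one dict per Snort alert line; other syslog lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            d["prio"] = int(d["prio"]) if d["prio"] else None  # absent before Snort 1.8
            alerts.append(d)
    return alerts


def report(alerts: list) -> list:
    """Rows of (sid, msg, priority, count), most urgent priority first, then by volume."""
    counts = Counter((a["sid"], a["msg"], a["prio"]) for a in alerts)
    rows = sorted(counts.items(), key=lambda kv: (99 if kv[0][2] is None else kv[0][2], -kv[1], kv[0][0]))
    return [(sid, msg, prio, n) for (sid, msg, prio), n in rows]


def watch(alerts: list, max_priority: int = 1, threshold: int = 2) -> list:
    """Swatch-style rule: sources that tripped a priority<=max_priority alert at least threshold times."""
    hits = Counter(a["src"] for a in alerts if a["prio"] is not None and a["prio"] <= max_priority)
    return sorted(src for src, n in hits.items() if n >= threshold)
```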
