Mod_SSL Off-By-One HTAccess Buffer Overflow Vulnerability
BugTraq ID: 5084
Remote: No
Date Published: Jun 22 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/5084
Summary:
mod_ssl is a freely available, open source cryptography package designed for the Apache Web Server. It is available for the Unix and Linux operating systems. A problem with mod_ssl may make it possible to execute code on a vulnerable web server with the privileges of the HTTP user.

An off-by-one issue exists in mod_ssl that affects Apache when handling certain types of long entries in an .htaccess file. Though this capability within the web server is not enabled by default, it is popular as it allows non-privileged users to create web access control schemes for hosted sites, and is enabled through the "AllowOverride" configuration variable in Apache. A .htaccess file with 10000 or more bytes set into the variable DATE_LOCALE will result in a buffer overflow within the web server process handling the request.

This is an exploitable buffer overflow. In the event that a user is able to upload or create a malicious .htaccess file, it would be possible to execute code with the privileges of the HTTP server child process handling the request. This could make it possible for a user to gain access to a shell in an environment where the user isn't authorized regular shell access, or to execute code to perform other actions as the HTTP user.

It should be noted that Apache 1.3.26 servers compiled without the mod_ssl package are not vulnerable to this issue. Additionally, systems that have an installed version of mod_ssl compiled without backward compatibility enabled are also not vulnerable. The default compilation of mod_ssl enables backwards compatibility.

PHPSquidPass Index.PHP Unauthorized User Deletion Vulnerability
BugTraq ID: 5090
Remote: Yes
Date Published: Jun 24 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/5090
Summary:
phpSquidPass is a tool designed for users to change user authentication files for the squid web proxy.
It is implemented in PHP and should be available for use with Unix and Linux variants as well as Microsoft Windows operating environments.

phpSquidPass may allow a malicious user of the system to overwrite additional accounts. When a password is updated, the proxy_users file is searched for the provided username, and that account is updated. Due to an error in the program, usernames ending with the supplied username will also be modified. In this case, both the username and password are overwritten. This effectively deletes the additional account.

A malicious user may be able to take advantage of this vulnerability to create a denial of service condition for other users of the system. The ability to exploit this vulnerability is, however, dependent on the possession of a valid user account whose name is a suffix of another username.

ht://Dig htsearch Cross Site Scripting Vulnerability
BugTraq ID: 5091
Remote: Yes
Date Published: Jun 24 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/5091
Summary:
ht://Dig is a freely available, open source search engine. It is developed and maintained by the ht://Dig project, and functions on the Unix and Linux operating systems.

When a user submits a search request using ht://Dig, the htsearch CGI program executes. It is possible for an attacker to create a custom URL to htsearch.cgi which contains malicious script code. User supplied input is not sufficiently sanitized by ht://Dig before being included in the generated page. If such a URL is viewed by a user, the script code will execute within the context of the vulnerable site.

Successful exploitation of this vulnerability could enable an attacker to execute code in the security context of a trusted site. This vulnerability may be exploited to steal cookie-based authentication credentials from legitimate users.
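The phpSquidPass entry above describes a suffix match where an exact match was intended. The following is an added illustration, not phpSquidPass's own code: it models the account update over a constructed proxy_users file (assumed format: one "username:password" record per line, which is an assumption about the tool) so that the defective lookup and the corrected lookup can be compared on the same input. The function names and the sample records are invented for this example.

```python
# Added example (not phpSquidPass's own code). Models the proxy_users update
# described in BID 5090. File format "username:password" per line and the
# function names are assumptions made for this illustration.

# Constructed sample file: "superbob" ends with "bob", which is the trigger
# condition the advisory describes.
CONSTRUCTED_PROXY_USERS = """\
alice:$apr1$old$hashA
bob:$apr1$old$hashB
superbob:$apr1$old$hashC
"""


def usernames(file_text: str) -> list:
    """Return the usernames present in a proxy_users text, in file order."""
    return [line.partition(":")[0] for line in file_text.splitlines() if line]


def update_password_suffix_match(file_text: str, username: str, new_hash: str) -> str:
    """Defective behaviour: every record whose username ENDS WITH the supplied
    username is rewritten, and both the name and the hash are replaced. Updating
    'bob' therefore also turns the 'superbob' record into a second 'bob' record,
    which is what deletes the other account."""
    out = []
    for line in file_text.splitlines():
        name = line.partition(":")[0]
        if name.endswith(username):  # the bug: suffix match instead of equality
            out.append(f"{username}:{new_hash}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def update_password_exact_match(file_text: str, username: str, new_hash: str) -> str:
    """Corrected behaviour: only the record whose username is exactly equal to
    the supplied username is changed, and only its hash is rewritten."""
    out = []
    for line in file_text.splitlines():
        name, sep, _old_hash = line.partition(":")
        if name == username:
            out.append(f"{name}{sep}{new_hash}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def lost_accounts(before: str, after: str) -> list:
    """Usernames that existed before the update and are gone afterwards; a
    non-empty result is the denial-of-service effect the advisory describes."""
    return sorted(set(usernames(before)) - set(usernames(after)))


if __name__ == "__main__":
    bad = update_password_suffix_match(CONSTRUCTED_PROXY_USERS, "bob", "NEWHASH")
    good = update_password_exact_match(CONSTRUCTED_PROXY_USERS, "bob", "NEWHASH")
    print("suffix match lost:", lost_accounts(CONSTRUCTED_PROXY_USERS, bad))
    print("exact match lost: ", lost_accounts(CONSTRUCTED_PROXY_USERS, good))
```

The comparison is the point: with the suffix match, the file ends up with two "bob" records and no "superbob", so `lost_accounts` reports the collateral deletion; with an equality test on the whole username the other record is untouched. The same check (compare the complete field, not a suffix or substring of it) applies to any tool that edits a colon-delimited credential file in place.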
OpenSSH Challenge-Response Buffer Overflow Vulnerabilities
BugTraq ID: 5093
Remote: Yes
Date Published: Jun 24 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/5093
Summary:
The OpenSSH team has reported that vulnerabilities exist in OpenSSH. The vulnerabilities are remotely exploitable and may allow unauthenticated attackers to obtain root privileges.

The conditions are related to the OpenSSH SSH2 challenge-response mechanism. They are present when the OpenSSH server is configured at compile-time to support BSD_AUTH or SKEY. OpenBSD 3.0 and later ship with OpenSSH built to support BSD_AUTH. Systems are vulnerable when either of the following configuration options is enabled:

PAMAuthenticationViaKbdInt
ChallengeResponseAuthentication

It is possible for attackers to exploit the vulnerabilities by constructing a malicious response. As this occurs before the authentication process completes, it may be exploited by remote attackers without valid credentials. Successful exploitation may result in the execution of shellcode or a denial of service.

OpenSSH 3.4 has been released. Upgrading to this version will eliminate the vulnerability. If this is not possible, administrators should upgrade to version 3.3 and enable the privilege separation feature. Privilege separation may be enabled by modifying the sshd configuration file, found on many systems at the following location (the path may differ):

/etc/ssh/sshd_config

The configuration option 'UsePrivilegeSeparation' should be set to 'yes':

UsePrivilegeSeparation yes

Once this is done, the file should be saved and the service should be restarted completely. Administrators of systems using OpenSSH versions prior to 3.3 are urged to upgrade immediately and follow the instructions listed above.

If privilege separation does not work or the version of OpenSSH cannot be upgraded, the following workaround is prescribed:

- disable ChallengeResponseAuthentication in sshd_config, and
- disable PAMAuthenticationViaKbdInt in sshd_config.
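The mitigation steps above amount to three sshd_config settings: UsePrivilegeSeparation set to yes, and ChallengeResponseAuthentication and PAMAuthenticationViaKbdInt set to no. The following added example (not OpenSSH's own code, and not a substitute for upgrading) audits a configuration text for those three directives and produces a corrected copy. It runs over a constructed sample file rather than a real host's sshd_config. It assumes sshd's documented parsing rules (keywords are case-insensitive, the first occurrence of a keyword wins, `#` starts a comment) and does not handle Match blocks; a directive that is absent is reported as "not set" rather than assumed safe, because the default value differs between OpenSSH versions.

```python
# Added example (not OpenSSH's own code): audit and correct the three
# sshd_config directives named in the BID 5093 advisory. Sample config below
# is constructed for this illustration; Match blocks are not handled.

# Constructed sample: both vulnerable options on, privilege separation only
# present as a commented-out line.
CONSTRUCTED_SSHD_CONFIG = """\
# constructed sample sshd_config (not a real host's file)
Port 22
Protocol 2
#UsePrivilegeSeparation no
ChallengeResponseAuthentication yes
PAMAuthenticationViaKbdInt yes
"""

# Required values per the advisory, keyed by lower-cased keyword.
REQUIRED = {
    "useprivilegeseparation": "yes",
    "challengeresponseauthentication": "no",
    "pamauthenticationviakbdint": "no",
}
# Canonical spelling used when writing directives back out.
CANONICAL = {
    "useprivilegeseparation": "UsePrivilegeSeparation",
    "challengeresponseauthentication": "ChallengeResponseAuthentication",
    "pamauthenticationviakbdint": "PAMAuthenticationViaKbdInt",
}


def _split_directive(line: str):
    """Return (keyword_lowercase, value) for a non-comment line, else None.
    sshd accepts 'Keyword value' and 'Keyword=value'."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.replace("=", " ", 1).split(None, 1)
    if len(parts) != 2:
        return None
    return parts[0].lower(), parts[1].strip()


def parse_sshd_config(text: str) -> dict:
    """Map each keyword to the value sshd would use: the FIRST occurrence wins,
    so a hardening line appended at the end of the file would be ignored if
    an earlier line already set the keyword."""
    seen = {}
    for line in text.splitlines():
        directive = _split_directive(line)
        if directive:
            seen.setdefault(directive[0], directive[1])
    return seen


def audit_sshd_config(text: str) -> list:
    """Return one finding string per directive that is missing or wrong;
    an empty list means the advisory's workaround is fully applied."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in REQUIRED.items():
        have = cfg.get(key)
        if have is None:
            findings.append(f"{CANONICAL[key]} not set (set it to '{want}' explicitly)")
        elif have.lower() != want:
            findings.append(f"{CANONICAL[key]} is '{have}', expected '{want}'")
    return findings


def apply_workaround(text: str) -> str:
    """Rewrite the first occurrence of each required directive in place, comment
    out any later duplicates (so first-match-wins cannot reintroduce the old
    value), and append directives that were absent."""
    out, handled = [], set()
    for line in text.splitlines():
        directive = _split_directive(line)
        if directive and directive[0] in REQUIRED:
            key = directive[0]
            if key in handled:
                out.append("#" + line)  # duplicate: neutralise rather than drop
            else:
                out.append(f"{CANONICAL[key]} {REQUIRED[key]}")
                handled.add(key)
            continue
        out.append(line)
    for key, want in REQUIRED.items():
        if key not in handled:
            out.append(f"{CANONICAL[key]} {want}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_sshd_config(CONSTRUCTED_SSHD_CONFIG):
        print("finding:", finding)
    print(apply_workaround(CONSTRUCTED_SSHD_CONFIG))
```

The first-occurrence rule is why `apply_workaround` edits the existing line instead of appending a new one: appending "ChallengeResponseAuthentication no" below an earlier "yes" would leave sshd using "yes". As the advisory says, sshd must be restarted after the file is saved for any of this to take effect.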
Note: It has been reported that hackers may be developing, or have, functional exploit code. Users are advised to upgrade immediately.

Multiple Vendor BSD libc DNS Lookup Buffer Overflow Vulnerability
BugTraq ID: 5100
Remote: Yes
Date Published: Jun 26 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/5100
Summary:
The libc library includes functions which perform DNS lookups. A buffer overflow vulnerability has been reported in versions of libc used by some operating systems. In particular, FreeBSD, NetBSD and OpenBSD have been reported to suffer from this issue.

The vulnerable code is related to DNS queries. Under some conditions, a buffer size is miscalculated when message padding is not taken into consideration. Subsequent parsing of related DNS messages may result in this buffer being overrun, corrupting adjacent memory. In particular, it has been reported possible for this error to be triggered through usage of the gethostbyname() function. In this case, it may be possible for a malicious DNS server to provide a response which will exploit this condition. Other libc functions may trigger this vulnerability under some conditions. The names of vulnerable functions may vary between distributions.

The consequences of this vulnerability will be highly dependent on the details of individual applications using libc. It is likely that exploitation will allow a malicious DNS server to execute arbitrary code as the vulnerable process. Under some conditions, this may grant an attacker local access, possibly as a privileged user.

This vulnerability has been reported in recent versions of FreeBSD, NetBSD and OpenBSD. It is likely that earlier versions share this vulnerability. CERT/CC has reported that vulnerable code exists in the libbind library included with BIND 4 and BIND 8. It is not, however, believed that the BIND named daemon utilizes the vulnerable functions.
DPGS Form Field Input Validation Vulnerability
BugTraq ID: 5081
Remote: Yes
Date Published: Jun 21 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/5081
Summary:
Duma Photo Gallery System (DPGS) is web-based software for managing photographs. It is written in Perl and will run on most Unix and Linux variants as well as Microsoft Windows operating systems.

DPGS does not sufficiently validate form field input. Specifically, this vulnerability is due to insufficient filtering of input supplied to the Perl open() function. This may allow remote attackers to disclose the contents of arbitrary web-readable files via directory traversals. Requesting a web-readable file by supplying a relative path to the file using dot-dot-slash sequences (../) is all that is required to exploit this issue.

It has also been reported that this lack of sufficient input validation may be exploited to overwrite any files which are writeable by the webserver process. This is due to insufficient filtering of null characters (\0) from the same form fields that are affected by the file disclosure issue. Exploitation of this vulnerability may be extended to affect arbitrary system files on some webservers running under Microsoft Windows, if the webserver is run with SYSTEM privileges.

It should be noted that DPGS is no longer being maintained, so a vendor-supplied fix is unlikely.
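Since no vendor fix is expected for DPGS, the practical defence is to validate any form-field value before it reaches a file-open call. The following added example (written for this digest, not DPGS's own code, and in Python rather than the Perl the tool uses) shows a path validator that handles both defects named in the entry: dot-dot-slash traversal and embedded null characters. `os_visible_path` models why a suffix check alone is not enough: the string handed to the operating system is a C string, so it stops at the first null byte and the script's view of the filename differs from the OS's view. The gallery root and the sample paths are constructed for the example; no file is actually opened.

```python
# Added example (not DPGS's own code): validate a user-supplied gallery path
# before it is used in a file-open call. Root directory, sample inputs and
# the allowed-extension list are constructed for this illustration.
import posixpath

# Extensions a photo gallery would plausibly serve; an assumption for the example.
ALLOWED_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif")


class PathRejected(ValueError):
    """Raised when a form-field path must not be passed to open()."""


def os_visible_path(user_path: str) -> str:
    """The filename the OS actually sees when a string containing a null byte is
    passed through a C-string interface: everything after the first \\0 is
    dropped. A suffix check in the script sees the whole string; the OS does not."""
    return user_path.split("\0", 1)[0]


def safe_gallery_path(root: str, user_path: str) -> str:
    """Return root joined with a normalised relative path, or raise PathRejected.

    Rejects, in order: null bytes (script/OS view mismatch), absolute paths,
    Windows-style separators and drive letters (treated as an assumption about
    deployment on Windows, per the advisory), and any path that still points
    above the root after normalisation. Finally enforces an extension allow-list.
    """
    if "\0" in user_path:
        raise PathRejected("embedded null byte")
    if user_path.startswith("/"):
        raise PathRejected("absolute path")
    if "\\" in user_path or ":" in user_path:
        raise PathRejected("backslash or drive letter not permitted")
    norm = posixpath.normpath(user_path)  # collapses "a/../b" and "./" segments
    if norm in (".", "..") or norm.startswith("../"):
        raise PathRejected("path escapes the gallery root")
    if not norm.lower().endswith(ALLOWED_SUFFIXES):
        raise PathRejected("file type not permitted")
    return posixpath.join(root, norm)


def is_rejected(root: str, user_path: str) -> bool:
    """Convenience predicate for tests and call sites: True if the path is refused."""
    try:
        safe_gallery_path(root, user_path)
    except PathRejected:
        return True
    return False


if __name__ == "__main__":
    root = "/var/www/gallery"
    for candidate in ["albums/2002/beach.jpg", "../../etc/passwd",
                      "albums/photo.jpg\0.txt", "albums/../../x.jpg"]:
        try:
            print("accepted:", safe_gallery_path(root, candidate))
        except PathRejected as why:
            print("rejected:", repr(candidate), "->", why)
```

Two design points are worth noting. The null byte is refused outright instead of being stripped, because stripping would silently change what the user asked for; and the traversal check is done on the normalised path rather than by searching for the literal substring "../", so variants such as "albums/../../x.jpg" are caught by the same test. Whitelisting the extension is an extra layer, not the primary control; the containment check is what prevents the file disclosure the entry describes.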
