NewsX NNTP SysLog Format String Vulnerability
BugTraq ID: 5240
Remote: Unknown
Date Published: Jul 15 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5240
Summary:
newsx is an NNTP client for Unix-based operating systems. newsx is prone to a format string vulnerability. The problem is due to incorrect use of the syslog() function to log error messages: text that should be passed as a %s argument is passed as the format string itself. It is therefore possible to corrupt memory by passing format directives through the vulnerable logging function, which may be exploited to overwrite arbitrary locations in memory with attacker-specified values. It appears that this issue may be local in nature; however, there is a possibility that it may be remotely exploitable. Successful exploitation may allow the attacker to execute arbitrary instructions with the privileges of the NNTP client. If this issue proves to be local, it would likely only be a security risk if the NNTP client is installed setuid/setgid. If it is remote in nature, it would likely be exploitable by a malicious NNTP server.

Thorsten Korner 123tkShop SQL Injection Vulnerability
BugTraq ID: 5244
Remote: Yes
Date Published: Jul 16 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5244
Summary:
123tkShop is a freely available, open source e-business application written in PHP. It runs on most Linux and Unix variants, in addition to Microsoft Windows operating systems. A vulnerability has been reported for 123tkShop. Reportedly, 123tkShop suffers from a SQL injection vulnerability. User-supplied data is used to construct SQL statements, and special characters such as ' and " are not properly escaped. An attacker may be able to pass malicious data to the system which modifies SQL queries. If 'magic_quotes_gpc' is disabled in the PHP configuration file, php.ini, it is possible for an intruder to inject malicious SQL code into queries made by 123tkShop. This may be exploited by the attacker to view or modify sensitive database contents.
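The newsx entry above describes attacker text reaching syslog() as the format argument. As an added example (not newsx code), the C below shows that vulnerable call beside the corrected one. Because syslog() output cannot be inspected from a program, the same mistake is reproduced with snprintf(), which uses the same format engine, together with a small audit helper that counts the directives an input would trigger. Function names and the sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable pattern (the newsx mistake): the error text is itself the
 * format argument. Every '%' directive in it is interpreted, so "%x"
 * leaks stack words and "%n" writes a count to an attacker-chosen address. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
void log_error_unsafe(const char *text)
{
    syslog(LOG_ERR, text);                 /* BUG: text used as the format */
}

/* The same bug with snprintf(), so the effect can be seen in a buffer. */
int format_unsafe(char *out, size_t outsz, const char *text)
{
    return snprintf(out, outsz, text);     /* BUG: text used as the format */
}
#pragma GCC diagnostic pop

/* Fixed pattern: a constant format; the text is only ever a %s argument. */
void log_error_safe(const char *text)
{
    syslog(LOG_ERR, "%s", text);
}

int format_safe(char *out, size_t outsz, const char *text)
{
    return snprintf(out, outsz, "%s", text);
}

/* Audit helper: number of conversion directives an input would trigger
 * if it reached a printf-family function as the format ("%%" is literal). */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {                 /* escaped percent, not a directive */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[64];
    const char *benign  = "disk 100%% full";   /* constructed error text */
    const char *hostile = "%08x.%08x.%n";      /* constructed attacker input */

    format_unsafe(buf, sizeof buf, benign);
    printf("unsafe: %s\n", buf);               /* "%%" collapses to "%" */
    format_safe(buf, sizeof buf, benign);
    printf("safe:   %s\n", buf);               /* text reproduced verbatim */
    printf("hostile input carries %d directives; through the unsafe call "
           "the %%n would write to memory\n", count_directives(hostile));
    /* never run log_error_unsafe(hostile): that is the advisory's bug */
    return 0;
}
```

The benign input already shows the difference: the unsafe path consumes the "%%" and changes the logged text, while a hostile input with "%x" or "%n" is where the memory disclosure and write come from. The only correct fix is the constant format with "%s"; filtering '%' out of the text is a fallback for code you cannot change.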
Thorsten Korner 123tkShop Arbitrary File Include Vulnerability
BugTraq ID: 5243
Remote: Yes
Date Published: Jul 16 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5243
Summary:
123tkShop is a freely available, open source e-business application written in PHP. It runs on most Linux and Unix variants, in addition to Microsoft Windows operating systems. A vulnerability has been reported for 123tkShop versions prior to 0.3.1. Reportedly, an attacker may be able to read arbitrary files on the vulnerable system with the privilege level of the 123tkShop process. Almost all PHP files distributed with 123tkShop include other files dynamically. Most of them are included with a statement like:

    include("path/$var/file.inc.php");

If 'register_globals' is enabled in the local PHP configuration file, a remote attacker may be able to set the variable interpolated into the include statement simply by supplying it as a request parameter. Through the use of '../' character sequences, an arbitrary directory may be specified. If the 'magic_quotes_gpc' configuration parameter is disabled, the attacker may additionally include a null character in this variable, terminating the string before the fixed file name suffix and allowing an arbitrary system file to be specified. That file will then be disclosed to the remote user.

ATPhttpd Buffer Overflow Vulnerabilities
BugTraq ID: 5215
Remote: Yes
Date Published: Jul 12 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5215
Summary:
ATPhttpd is a small webserver designed for high performance. It was developed by Yann Ramin. There exist several exploitable buffer overflow conditions in ATPhttpd. Remote attackers may leverage these vulnerabilities to gain access to affected servers. The vulnerabilities are due to the use of unbounded string copy operations and off-by-one errors.
One such condition is when errors are output due to invalid data supplied by a client:

    (void) sprintf(buffer, "The following error occurred while trying to examine the garbage that you sent this poor webserver: <br><b>%s</b><br><br>\n", text );

The insecure construction of this string with sprintf(), using externally supplied data and no length bound, may be exploited to overwrite data beyond the boundaries of 'buffer'.

CARE 2002 Multiple SQL Injection Vulnerabilities
BugTraq ID: 5219
Remote: Yes
Date Published: Jul 12 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5219
Summary:
CARE 2002 is software designed to integrate various systems in the health care industry. It provides a web interface and is implemented in PHP. Reportedly, CARE 2002 suffers from multiple SQL injection issues. User-supplied data is used to construct SQL statements, and special characters such as ' and " are not properly escaped. An attacker may be able to pass malicious data to the system which modifies SQL queries. Exploitation of this issue may result in the disclosure of sensitive information, modification of sensitive information, or privilege escalation. Full details on the nature of these vulnerabilities are not currently available.

CARE 2002 Unsafe File Include Input Validation Error
BugTraq ID: 5218
Remote: Yes
Date Published: Jul 12 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5218
Summary:
CARE 2002 is software designed to integrate various systems in the health care industry. It provides a web interface and is implemented in PHP. An input validation error has been reported in CARE 2002 which may result in the disclosure of sensitive local files. Reportedly, under some conditions user-supplied input is used in an unsafe manner as part of an include() call. A malicious party able to influence this data may use '../' character sequences to exit the web root and specify an arbitrary file as the parameter to include().
Under some scripts, the specified file will be displayed to the remote user. Additionally, the null character 0x00 may be used to terminate the string passed to include(), eliminating any file extension restrictions on which files may be viewed. Exploitation of this vulnerability requires that the PHP configuration parameter 'register_globals' is set to 'on'.
