PHP HTTP POST Incorrect MIME Header Parsing Vulnerability
BugTraq ID: 5278
Remote: Yes
Date Published: Jul 22 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5278
Summary:
PHP is a general purpose scripting language used for Web development. It is available for various platforms, including Linux and Unix variants as well as Microsoft Windows. A vulnerability has been reported in PHP versions 4.2.0 and 4.2.1. A remote attacker can cause the PHP interpreter to crash the web server on a vulnerable system or, on some architectures, execute attacker-supplied code. The vulnerability results from the PHP interpreter incorrectly parsing MIME headers when an HTTP POST request is received: a malformed POST request triggers an error condition that is improperly handled. When a POST request is processed, a memory structure is appended to a linked list of MIME headers, and the memory allocated for this structure is freed once the request has been handled. When the request is malformed, an uninitialised memory structure is appended to the list of MIME headers, and the subsequent attempt to free it has serious consequences for a vulnerable system. The effect depends on the architecture. On IA32 (x86), PHP has been reported to crash when it tries to free the structure; the IA32 architecture has been verified to be safe from arbitrary code execution, but PHP and the web server can still be crashed. On SPARC, an attacker reportedly has greater control over how the memory is freed, and arbitrary code execution is possible. An attacker may exploit this vulnerability to crash the PHP interpreter, causing a denial of service, or to make the vulnerable web server execute attacker-supplied code. It may also be possible for the attacker to gain elevated privileges.
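The failure the advisory describes is an ordering problem: a list node is linked (and later freed) before it has been fully built, so the cleanup path frees whatever malloc() left in its pointer fields. The C below was written for this digest and is not PHP's code; it shows the same shape on a toy multipart/form-data header parser. The unsafe ordering is kept for contrast and never called; the parse-then-link version constructs and validates a node before linking it, so the error path frees exactly the nodes that were finished. The header samples in the checks are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct mime_header {
    char *name;
    char *value;
    struct mime_header *next;
};

/* Copy n bytes of s into a new NUL-terminated string (strndup without POSIX). */
static char *dupn(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (p) { memcpy(p, s, n); p[n] = '\0'; }
    return p;
}

/* Release a list. Safe only because every node that reaches the list is fully
 * initialised: free(NULL) is a no-op, free(garbage pointer) is not. */
void free_headers(struct mime_header *h) {
    while (h) {
        struct mime_header *next = h->next;
        free(h->name);
        free(h->value);
        free(h);
        h = next;
    }
}

/* Build one fully initialised node from "Name: value", or return NULL. The node
 * is calloc'ed, so even a half-built node can be handed to free_headers(). */
static struct mime_header *parse_header_line(const char *line, size_t len) {
    const char *colon = memchr(line, ':', len);
    if (!colon || colon == line) return NULL;             /* malformed: empty name or no ':' */
    size_t nlen = (size_t)(colon - line);
    const char *v = colon + 1;
    size_t vlen = len - nlen - 1;
    while (vlen && *v == ' ') { v++; vlen--; }             /* strip leading spaces */
    struct mime_header *h = calloc(1, sizeof *h);
    if (!h) return NULL;
    h->name = dupn(line, nlen);
    h->value = dupn(v, vlen);
    if (!h->name || !h->value) { free_headers(h); return NULL; }
    return h;
}

/* Parse a CRLF- or LF-separated header block up to the first blank line.
 * Returns the header count with the list in *out, or -1 with *out == NULL on
 * malformed input. A node is linked only after it is complete, so the error
 * path frees the finished nodes and nothing else. */
int parse_header_block(const char *buf, struct mime_header **out) {
    struct mime_header *head = NULL, **tail = &head;
    int count = 0;
    const char *p = buf;
    *out = NULL;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len && p[len - 1] == '\r') len--;
        if (len == 0) break;                               /* blank line: end of headers */
        struct mime_header *h = parse_header_line(p, len);
        if (!h) { free_headers(head); return -1; }
        *tail = h; tail = &h->next; count++;
        p = eol ? eol + 1 : p + len;
    }
    *out = head;
    return count;
}

/* The ordering the advisory describes, kept for contrast. Never call this: the
 * node is linked into *out before name/value are set, so on a malformed line
 * the caller's free_headers() frees whatever malloc() left in those fields. */
int parse_header_block_unsafe(const char *buf, struct mime_header **out) {
    struct mime_header *h = malloc(sizeof *h);            /* name/value uninitialised */
    if (!h) return -1;
    h->next = NULL;
    *out = h;                                             /* linked before being filled */
    const char *colon = strchr(buf, ':');
    if (!colon) return -1;                                /* caller now frees garbage pointers */
    h->name = dupn(buf, (size_t)(colon - buf));
    h->value = dupn(colon + 1, strlen(colon + 1));
    return 1;
}

const char *header_value(const struct mime_header *h, const char *name) {
    for (; h; h = h->next)
        if (strcmp(h->name, name) == 0) return h->value;
    return NULL;
}

/* Parse, count and release; -1 means the block was rejected without a crash. */
int parse_count(const char *buf) {
    struct mime_header *list;
    int n = parse_header_block(buf, &list);
    free_headers(list);                                   /* NULL after an error */
    return n;
}

/* 1 if the block parses and header `name` has value `expect`, else 0. */
int header_matches(const char *buf, const char *name, const char *expect) {
    struct mime_header *list;
    if (parse_header_block(buf, &list) < 0) return 0;
    const char *v = header_value(list, name);
    int ok = v && strcmp(v, expect) == 0;
    free_headers(list);
    return ok;
}
```

parse_count("Content-Disposition: form-data\r\n:no-name\r\n\r\n") returns -1 and leaves nothing allocated: the second line fails inside parse_header_line() before any node for it exists, and the one finished node is freed by the error path. With the unsafe ordering the same input would leave a node with two indeterminate pointers on the list for the caller to free.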
[ Note: there are plenty of other attacks on PHP *scripts*, but there are so many that I no longer include them ]

Pyramid BenHur Default Firewall Weakness
BugTraq ID: 5279
Remote: Yes
Date Published: Jul 22 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5279
Summary:
Pyramid BenHur is a firewall appliance. It is based on Debian Linux using a Linux 2.2.x kernel and ipchains firewalling capabilities. A vulnerability has been reported in the BenHur device: reportedly, it ships with a weak default firewall ruleset. An attacker can connect to any port between 1024 and 65096 on the device provided the connection's source port is TCP port 20. This is due to a poorly designed rule that was put in place to support active-mode FTP data connections, which originate from the FTP server's port 20. Since a client chooses its own source port, the rule is satisfied by anyone who binds port 20 before connecting. Attackers may exploit this weakness to connect to potentially sensitive or vulnerable ports on the device, such as the administration port (8888) or the web proxy server.

PHP Interpreter Direct Invocation Denial Of Service Vulnerability
BugTraq ID: 5280
Remote: Yes
Date Published: Jul 22 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5280
Summary:
Under some circumstances, remote attackers can invoke the PHP interpreter directly from the web. When PHP is installed as a CGI under Apache, an alias/virtual path is created for the PHP interpreter, and this alias is used internally when a CGI path is resolved. To prevent the interpreter from being invoked remotely for malicious purposes, the cgi.force_redirect directive was introduced, and it is enabled by default. However, it is still possible to invoke the interpreter by name, without command line arguments, from the web despite cgi.force_redirect. When the interpreter is invoked with no command line options it hangs, so attackers can request it repeatedly to exhaust server resources and cause a denial of service. This is reported to be a problem with PHP and Apache on Microsoft Windows platforms.
It may be possible to reproduce this condition in other environments as well.

Multiple SSH Client Protocol Change Default Warning Weakness
BugTraq ID: 5284
Remote: Yes
Date Published: Jul 22 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5284
Summary:
A weakness has been reported in multiple SSH clients which may allow a man-in-the-middle attack to go unnoticed. SSH servers commonly support a compatibility mode that lets the client negotiate between the SSH1 and SSH2 protocols when a connection is initiated. Communication with a given server normally uses one protocol, such as SSH2, and the client records the server's public key for it. If a different key is ever presented for that host under that protocol, the client warns the user that the event should be viewed with extreme suspicion. However, if a connection is negotiated using a protocol that has not previously been used with that host, such as SSH1, the client only reports that a new key is being presented; the fact that the host is already associated with a different key under the other protocol is not mentioned. An end user cannot be expected to understand the security implications of this, so a man-in-the-middle attack that steers the client onto the unused protocol may pass undetected. A similar attack may be possible via the SSH2 negotiation of a MAC algorithm: choosing an unusual algorithm may again fail to produce a warning on the client, allowing a man-in-the-middle attack.

DansGuardian Hex Encoding URL Content Filter Bypass Vulnerability
BugTraq ID: 5291
Remote: Yes
Date Published: Jul 23 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5291
Summary:
DansGuardian is a web content filter that works alongside the Squid HTTP proxy server. It is available for various Unix-based operating systems, including Linux. A vulnerability in DansGuardian may allow malicious users to bypass some filter rules.
URLs which contain hex-encoded (%XX) characters are not decoded before the URL is checked against the filter patterns, so a pattern such as a banned word never matches its encoded form. A user may encode several characters of a URL in this way to bypass restrictions imposed by DansGuardian. Depending on the installation, this may violate security policy or allow users to inadvertently access malicious web content.

Zyxel Prestige 642R Router Malformed TCP Packet Denial Of Service Vulnerability
BugTraq ID: 5292
Remote: Yes
Date Published: Jul 24 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5292
Summary:
ZyXEL Prestige 642R and Prestige 310 routers have difficulty handling malformed TCP packets. Reportedly, when one of these routers receives a single specially malformed packet, it stops responding for exactly 30 seconds. An attacker can take advantage of this to cause a ZyXEL Prestige 642R router to stop responding, and by sending such a packet every 30 seconds can keep the router from responding indefinitely, causing a denial of service. ZyXEL 642R and Prestige 310 routers are reportedly affected; it is possible that other ZyNOS-based routers are affected as well.
[ hardware ]

Mozilla JavaScript URL Host Spoofing Arbitrary Cookie Access Vulnerability
BugTraq ID: 5293
Remote: Yes
Date Published: Jul 24 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5293
Summary:
Mozilla is an open source web browser available for a number of platforms, including Microsoft Windows and Linux. An issue has been reported in the Mozilla web browser which may allow script code to access cookie data associated with arbitrary domains. Mozilla supports javascript: URLs, which execute JavaScript code directly. Normally such code is restricted to the domain of the page it runs in, and cookie data belonging to other sites cannot be accessed. It has been reported that it is possible to construct a javascript: URL which appears to start with a valid domain.
Malicious script code may name an arbitrary domain in this way and will then be able to access cookie data associated with that domain. The vulnerability can be exploited by creating a javascript: URL that starts with a JavaScript comment of the form '//host\n', followed by arbitrary script code: the host check reads '//host' as if it were the authority part of a hierarchical URL, while the script engine discards it as a comment. Other avenues of exploitation may also be possible. Exploitation may result in a remote attacker gaining access to sensitive cookie data, including authentication credentials.

- To post an announcement: [EMAIL PROTECTED]
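Added example for the SSH client weakness (BID 5284) above; it is placed here, after the digest, because the advisories run together. This is illustrative C written for this digest, not any SSH client's code. It models the known-hosts check as a lookup keyed by (host, protocol), which is what lets a client report a plain "new key" when a peer steers it onto the protocol it has never used with that host, and shows the stricter verdict a client should return instead. The known_hosts table and fingerprints are constructed.

```c
#include <stdio.h>
#include <string.h>

enum verdict {
    HOST_KEY_MATCH,          /* host seen before under this protocol, same key */
    HOST_UNKNOWN,            /* never seen this host at all */
    HOST_KEY_CHANGED,        /* same host and protocol, different key */
    HOST_KNOWN_OTHER_PROTO   /* host known, but only under the other protocol */
};

struct known_host { const char *host; int proto; const char *fingerprint; };

/* Constructed known_hosts: example.org has only ever been seen over SSH2. */
static const struct known_host known[] = {
    { "example.org",        2, "SHA256:AAAA" },
    { "legacy.example.org", 1, "MD5:1111" },
};
#define N_KNOWN (sizeof known / sizeof known[0])

/* Classify the key a server presents for (host, proto). SSH1 and SSH2 keys are
 * separate entries in a real known_hosts file, which is why a client that only
 * compares against the same-protocol entry sees nothing but a "new key". */
enum verdict check_host_key(const char *host, int proto, const char *fingerprint) {
    int seen_host = 0;
    for (size_t i = 0; i < N_KNOWN; i++) {
        if (strcmp(known[i].host, host) != 0) continue;
        seen_host = 1;
        if (known[i].proto == proto)
            return strcmp(known[i].fingerprint, fingerprint) == 0
                   ? HOST_KEY_MATCH : HOST_KEY_CHANGED;
    }
    return seen_host ? HOST_KNOWN_OTHER_PROTO : HOST_UNKNOWN;
}

/* The behaviour the advisory describes: only a same-protocol mismatch alarms;
 * a key under a not-yet-used protocol is presented like any first contact. */
int alarms_lenient(enum verdict v) { return v == HOST_KEY_CHANGED; }

/* Hardened: a host we already hold a key for must not quietly gain a second
 * identity because the peer negotiated the other protocol. */
int alarms_strict(enum verdict v) {
    return v == HOST_KEY_CHANGED || v == HOST_KNOWN_OTHER_PROTO;
}

static const char *describe(enum verdict v) {
    switch (v) {
    case HOST_KEY_MATCH:   return "key matches";
    case HOST_UNKNOWN:     return "new host; verify the fingerprint out of band";
    case HOST_KEY_CHANGED: return "HOST KEY CHANGED; possible man-in-the-middle";
    default:               return "host already known under another protocol with a "
                                  "different key; possible man-in-the-middle via protocol change";
    }
}

int main(void) {
    /* An interposer answering for example.org negotiates SSH1 and offers its own key. */
    enum verdict v = check_host_key("example.org", 1, "MD5:9999");
    printf("lenient client alarms: %d\nstrict client alarms:  %d\n%s\n",
           alarms_lenient(v), alarms_strict(v), describe(v));
    return 0;
}
```

The same structure covers the per-key-type entries of a modern client (an RSA key already stored, a first-time ECDSA key offered): the protocol field only needs to become a key-type field.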
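Added example for the DansGuardian bypass (BID 5291) above, written for this digest and not taken from DansGuardian. It shows the flawed order (match the raw request string) beside the fixed one (percent-decode to a fixed point, then match), and handles the two edge cases a filter has to get right: double encoding such as %2561, and malformed escapes, which the fixed version rejects rather than passing through. The blocklist patterns and URLs are constructed.

```c
#include <stdio.h>
#include <string.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* One pass of %XX decoding. Returns 1 if something was decoded, 0 if the
 * input was already plain, -1 on a truncated or non-hex escape. */
int percent_decode_once(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    int changed = 0;
    for (const char *p = in; *p; p++) {
        if (o + 1 >= outsz) return -1;
        if (*p == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);   /* never read past NUL */
            if (hi < 0 || lo < 0) return -1;
            out[o++] = (char)(hi * 16 + lo);
            p += 2;
            changed = 1;
        } else {
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return changed;
}

/* Decode until the string stops changing, so %2561 -> %61 -> 'a' cannot hide a
 * match. Bounded: a URL still changing after a few passes is treated as
 * malformed rather than decoded forever. Returns 0 on success, -1 otherwise. */
int canonicalize_url(const char *url, char *out, size_t outsz) {
    char tmp[512];
    if (strlen(url) >= outsz || strlen(url) >= sizeof tmp) return -1;
    strcpy(out, url);
    for (int pass = 0; pass < 4; pass++) {
        int r = percent_decode_once(out, tmp, sizeof tmp);
        if (r < 0) return -1;
        if (r == 0) return 0;
        strcpy(out, tmp);                 /* decoding only shrinks, so tmp fits in out */
    }
    return -1;
}

/* Constructed blocklist patterns, matched as substrings like a simple URL filter. */
static const char *const banned[] = { "/warez/", "evil.example/" };
#define N_BANNED (sizeof banned / sizeof banned[0])

static int matches_any(const char *s) {
    for (size_t i = 0; i < N_BANNED; i++)
        if (strstr(s, banned[i])) return 1;
    return 0;
}

/* The flawed order: match the raw request string. "%61" is not "a" to strstr. */
int url_is_blocked_naive(const char *url) { return matches_any(url); }

/* Fixed order: canonicalize, then match. 1 = blocked, 0 = allowed,
 * -1 = malformed escape (a filter should fail closed on this). */
int url_is_blocked(const char *url) {
    char canon[512];
    if (canonicalize_url(url, canon, sizeof canon) < 0) return -1;
    return matches_any(canon);
}

int main(void) {
    const char *u = "http://host.example/w%61rez/tool.zip";   /* constructed request */
    printf("naive: %d  canonical: %d\n", url_is_blocked_naive(u), url_is_blocked(u));
    return 0;
}
```

Case folding is left out deliberately: whether "/WAREZ/" should match "/warez/" depends on the filter's policy, but it is the next thing to decide once decoding happens before matching, for the same reason.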
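Added example for the Mozilla javascript: URL issue (BID 5293) above, written for this digest and not taken from Mozilla. It puts a naive host extractor, which takes whatever follows the first "//" as the host and so sees a real domain in a javascript: URL that begins with a '//host' comment line, beside a scheme-aware one that refuses to derive a host from javascript: at all, because such URLs have no authority component and the code runs with the origin of the page that contains the link. The URLs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Naive host extraction: everything after the first "//" up to a path, query,
 * fragment, space or line break. On "javascript://www.example.com\n..." this
 * returns www.example.com although that text is a JavaScript comment. */
int host_naive(const char *url, char *out, size_t outsz) {
    const char *p = strstr(url, "//");
    if (!p) return 0;
    p += 2;
    size_t n = strcspn(p, "/?#\r\n ");
    if (n == 0 || n >= outsz) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Scheme-aware: only schemes that define an authority component yield a host.
 * javascript: (like data: or about:) is opaque; what follows the colon is script
 * text, and the script's origin is the document's, never something read from the
 * URL. Returns 1 with host[:port] (simplified: userinfo is not split off) or 0. */
int host_from_url(const char *url, char *out, size_t outsz) {
    static const char *const with_authority[] = { "http://", "https://", "ftp://" };
    for (size_t i = 0; i < 3; i++) {
        size_t l = strlen(with_authority[i]);
        if (strncmp(url, with_authority[i], l) != 0) continue;
        size_t n = strcspn(url + l, "/?#");
        if (n == 0 || n >= outsz) return 0;
        memcpy(out, url + l, n);
        out[n] = '\0';
        return 1;
    }
    return 0;
}

/* Convenience for checks: 1 if the extractor returns exactly `host`. */
int naive_host_equals(const char *url, const char *host) {
    char h[256];
    return host_naive(url, h, sizeof h) && strcmp(h, host) == 0;
}
int host_equals(const char *url, const char *host) {
    char h[256];
    return host_from_url(url, h, sizeof h) && strcmp(h, host) == 0;
}

int main(void) {
    /* Constructed link of the shape the advisory describes: a comment line that
     * looks like an authority, then the script that actually runs. */
    const char *spoof = "javascript://www.example.com\nalert(document.cookie)";
    char h[256];
    printf("naive: %s\n", host_naive(spoof, h, sizeof h) ? h : "(none)");
    printf("aware: %s\n", host_from_url(spoof, h, sizeof h) ? h : "(none: javascript: has no host)");
    return 0;
}
```

The cookie decision follows from the host: a check that asks host_naive() whether the script belongs to www.example.com is answered "yes" for the spoofed link, while one built on host_from_url() gets no host and has to fall back to the origin of the page that holds the link.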
