Multiple Browser Zero Width GIF Image Memory Corruption Vulnerability
BugTraq ID: 5665
Remote: Yes
Date Published: Sep 06 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5665
Summary:
Multiple web browsers are prone to memory corruption when handling GIF image files whose width field is set to zero. Browsers reported to be affected are Netscape, Mozilla and Opera on Linux platforms. Other browsers and platforms may also be affected. It may be possible to exploit this issue to cause a denial of service or potentially to execute arbitrary code. It is reported that the malformed GIF may enable an attacker to corrupt the heap with attacker-supplied data, which may lead to execution of arbitrary code. As multiple browsers are affected, this vulnerability may be due to a common issue in a library used to render GIF images (such as libungif). This possibility has not been confirmed.

NetGear FM114P Prosafe URL Filter Bypassing Vulnerability
BugTraq ID: 5667
Remote: Yes
Date Published: Sep 07 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5667
Summary:
FM114P Prosafe firewalls are a hardware solution manufactured and distributed by Netgear. A problem with these firewalls could make it possible for a user to circumvent restrictions placed on URLs. It has been reported that FM114P firewalls do not sufficiently check addresses when requests are made. Because of this, a user behind the device could reach a restricted site by requesting it by IP address rather than by host name. It should be noted that this is potentially a configuration issue: URL filtering software is typically designed so that all sites are blocked by default, with a whitelist of authorized sites specified explicitly.

PHP Header Function Script Injection Vulnerability
BugTraq ID: 5669
Remote: Yes
Date Published: Sep 07 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5669
Summary:
PHP is a freely available, open source web scripting language package. It is available for Microsoft Windows, Linux, and Unix operating systems. A problem with PHP may make it possible to execute arbitrary script code.
It has been reported that a vulnerability involving the PHP header() function exists. It may be possible for a user to supply arbitrary script code in a URL that would then be injected into an HTTP response header. In such a scenario, code using header() as in the following example would be vulnerable (the redirect target is taken from the request without any validation):

    <?php header("Location: " . $_GET['url']); ?>

This problem could lead to the execution of arbitrary script code in the security context of the redirected site.

[ This is a problem of a script's developer filtering variables badly, but I am including it anyway. It is apparently a cross-site scripting problem, even though the advisories are getting less and less complete and clear. ]

Wordtrans-web Remote Command Execution Vulnerability
BugTraq ID: 5671
Remote: Yes
Date Published: Sep 09 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5671
Summary:
Wordtrans-web provides an interface to query multilingual dictionaries through a web browser. Wordtrans-web fails to validate input parameters properly, allowing the inclusion of operating system commands. The wordtrans.php script passes the parameters to the wordtrans binary for execution, so injected commands are executed with the privileges of the web server process. All versions of Wordtrans-web up to and including version 1.1pre8 are vulnerable to this issue.

Wordtrans-web Script Injection Vulnerability
BugTraq ID: 5674
Remote: Yes
Date Published: Sep 09 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5674
Summary:
Wordtrans-web provides an interface to query multilingual dictionaries through a web browser. The Wordtrans-web interface does not properly validate input parameters, and these parameters are in turn used in output generated by the software. This could allow injection of arbitrary HTML and script code, which would be executed by the web client in the context of the Wordtrans-web interface.
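The two Wordtrans-web issues (BID 5671 and BID 5674) share one root cause, an unvalidated request parameter, so here is one added example for both. It is written for this page and is not Wordtrans-web's own code: it builds the command string that a wordtrans.php-style script would hand to the shell, first the vulnerable way and then behind a character whitelist plus escapeshellarg(), and it encodes the reflected word before it goes back into HTML. The /usr/bin/wordtrans path, the parameter name and the attacker strings are constructed assumptions, and nothing is executed; the functions only build and return strings.

```php
<?php
// Added example, not Wordtrans-web's own code. The /usr/bin/wordtrans path,
// the "word" parameter and the attacker strings below are assumptions.
// Nothing here is executed: the functions only build and return strings.

// BID 5671, vulnerable pattern: the query is concatenated into a shell command,
// so ";", "|", "`" or "$(...)" inside the word terminates the wordtrans command
// and starts a second one that the web server user will run.
function build_command_vulnerable(string $word): string
{
    return '/usr/bin/wordtrans ' . $word;
}

// Whitelist: letters (accented ones included), combining marks, apostrophe and
// hyphen, at most 64 characters. Anything else is refused rather than "cleaned".
function is_valid_word(string $word): bool
{
    return preg_match('/^[\p{L}\p{M}\'-]{1,64}$/u', $word) === 1;
}

// Hardened: whitelist first, then quote the argument so the shell cannot
// interpret it even if the whitelist is relaxed later.
function build_command_safe(string $word): ?string
{
    if (!is_valid_word($word)) {
        return null;
    }
    return '/usr/bin/wordtrans ' . escapeshellarg($word);
}

// BID 5674, output side: the word is reflected into the HTML page, so it must
// be encoded for the HTML context (quotes included) before being echoed.
function render_result(string $word, string $translation): string
{
    $w = htmlspecialchars($word, ENT_QUOTES, 'UTF-8');
    $t = htmlspecialchars($translation, ENT_QUOTES, 'UTF-8');
    return '<p><b>' . $w . '</b>: ' . $t . '</p>';
}

// Constructed inputs showing the difference.
$injected = 'house; cat /etc/passwd';
echo build_command_vulnerable($injected), "\n";   // the second command survives intact
var_dump(build_command_safe($injected));          // NULL: rejected by the whitelist
echo build_command_safe("l'homme"), "\n";         // /usr/bin/wordtrans 'l'\''homme'
echo render_result('<script>alert(1)</script>', 'casa'), "\n";
```

The whitelist is the real control: it rejects the request outright, so there is nothing left for escapeshellarg() to do in normal operation. Keeping the quoting anyway costs nothing and protects against a later edit that widens the allowed character set. escapeshellarg() uses single-quote wrapping on Unix only; on Windows it behaves differently, which is another reason not to rely on it alone.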
All versions of Wordtrans-web up to and including version 1.1pre8 are vulnerable to this issue.

Netris Remote Memory Corruption Vulnerability
BugTraq ID: 5680
Remote: Yes
Date Published: Sep 09 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5680
Summary:
Netris is a freely available network "Tetris" clone. It is available for Unix and Linux variants. Netris is prone to a remotely exploitable memory corruption issue. An attacker may exploit this to cause a denial of service. It may also be possible to corrupt memory with attacker-supplied data, which may result in execution of arbitrary code with the privileges of the user running the program. The possibility of code execution has not been confirmed.

PHP Function CRLF Injection Vulnerability
BugTraq ID: 5681
Remote: Yes
Date Published: Sep 09 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5681
Summary:
PHP is a freely available, open source web scripting language package. It is available for Microsoft Windows, Linux, and Unix operating systems. PHP includes a number of functions, such as fopen() and file(), which are used to reference external resources, such as other PHP files. If the allow_url_fopen PHP directive is enabled, these functions may be used to access resources on remote hosts by supplying a URL as the argument. When these functions are used to reference a remote resource, PHP constructs a request for the resource using the appropriate protocol. A vulnerability has been discovered in PHP which may allow an attacker to add arbitrary data to the headers constructed by PHP when remote resources are retrieved using these functions. This may be accomplished by embedding CRLF (carriage return/line feed) pairs in variables that are included in the URL. For example, if fopen() is called with a URL pointing to a remote web server, an HTTP GET request will be constructed to access the remote resource.
It is possible, by injecting CRLFs into parameters of a vulnerable script, to add arbitrary header information (such as the Host: field, cookies, etc.) to the request that is constructed by PHP. This input validation issue may allow for a number of attacks. For example, an attacker may modify the Host: field, which could in theory result in a file other than the expected one being included in a PHP script. Furthermore, under some circumstances it is possible to trick the PHP interpreter into connecting to an arbitrary port and transmitting commands. This was demonstrated by the individual who reported this issue.

[ Again an input validation problem rather than something specific to PHP. A good filtering policy is to use whitelists, e.g. '^[a-z0-9\-._]+$' ]

- To post an announcement: [EMAIL PROTECTED]
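Both PHP advisories above (BID 5669 and BID 5681) come down to the same thing: a CR/LF pair in a user-controlled value is copied into a header line, and the text after it becomes a header of its own. Here is one added example covering both; it is written for this page and is not PHP's code or part of either advisory. build_get_request() is a deliberately simplified model of the request a URL wrapper sends for fopen("http://host/path"), not PHP's actual implementation; the host names, parameter values and allowed-host list are constructed assumptions. The validation side uses the whitelist regex from the note above for host names and refuses any header value containing CR or LF instead of trying to strip them.

```php
<?php
// Added example, not PHP's own code. build_get_request() only models what a
// URL wrapper would send; host names and allowed hosts below are assumptions.

// Model of the HTTP request sent for http://$host/$path. If $host or $path
// carries "\r\n", everything after it is emitted as additional header lines.
function build_get_request(string $host, string $path): string
{
    return "GET /$path HTTP/1.0\r\nHost: $host\r\n\r\n";
}

// Host-name whitelist from the note above: lower-case letters, digits, '-', '.', '_'.
function is_safe_hostname(string $host): bool
{
    return preg_match('/^[a-z0-9\-._]+$/', $host) === 1;
}

// A header value must never contain CR or LF. Reject it; do not "clean" it.
function is_safe_header_value(string $value): bool
{
    return strpbrk($value, "\r\n") === false;
}

// Redirect-target validation for header("Location: ..."): CR/LF free, an
// http(s) URL, and a host on the list of sites we actually redirect to.
function safe_location(string $url, array $allowedHosts): ?string
{
    if (!is_safe_header_value($url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array($parts['scheme'], ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }
    return $url;
}

// Number of header lines in a request, so the injection shows up as a count.
function header_line_count(string $request): int
{
    [$head] = explode("\r\n\r\n", $request, 2);
    return count(explode("\r\n", $head));
}

// Constructed attacker value, i.e. what "example.com%0d%0aCookie:..." decodes to.
$evilHost = "example.com\r\nCookie: session=stolen";

echo header_line_count(build_get_request('example.com', 'index.php')), "\n"; // 2
echo header_line_count(build_get_request($evilHost, 'index.php')), "\n";     // 3
var_dump(is_safe_hostname('example.com'));                                    // true
var_dump(is_safe_hostname($evilHost));                                        // false
var_dump(safe_location("http://example.com/\r\nSet-Cookie: a=b", ['example.com'])); // NULL
var_dump(safe_location('https://example.com/login', ['example.com']));        // the URL
```

The same two checks serve both advisories: a value that is going into a request header (BID 5681) or a response header (BID 5669) is rejected if it contains CR or LF, and the host part is matched against a whitelist rather than a blacklist of bad characters. Later PHP releases (4.4.2 and 5.1.2) limited each header() call to a single header line, which closes the CR/LF part of BID 5669; the host check is still needed, because an unvalidated Location target remains an open redirect.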
