Jetty Servlet Engine Cross Site Scripting Vulnerability
BugTraq ID: 5821
Remote: Yes
Date Published: Sep 28 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5821
Summary:
Jetty is a freely available, open source Java Web Server and Servlet Container. It is available for Linux, Unix, and Microsoft Windows platforms. A problem with Jetty may make it possible for users to launch cross-site scripting attacks. It has been reported that Jetty does not properly sanitize requests. This could result in a user clicking a malicious link that would execute script or HTML code in the security context of the site hosted by the Jetty server. An attacker could exploit this vulnerability to gain authentication cookies or other sensitive information. This vulnerability occurs when the script code is appended with two hex linefeed (0a) characters in the requested URL. This vulnerability may affect other versions of Jetty.

Apache Server Side Include Cross Site Scripting Vulnerability
BugTraq ID: 5847
Remote: Yes
Date Published: Oct 02 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5847
Summary:
The Apache HTTP Server is a popular open-source HTTP server for multiple platforms, including Windows and Unix. Apache is reported to be vulnerable to cross site scripting attacks. This vulnerability is due to the SSI (Server Side Include) error pages of the webserver not being properly sanitized of malicious HTML code. Specifically, this vulnerability is a result of Apache failing to filter HTTP/1.1 'Host' headers that are sent by browsers. Reportedly, the Apache webserver does not filter specially crafted 'Host' headers that contain malicious HTML code before passing them on to the browser as entity data. An attacker may exploit this vulnerability by enticing a victim user to follow a malicious link. Attacker-supplied HTML and script code may be executed on a web client visiting the malicious link in the context of the webserver. Attacks of this nature may make it possible for attackers to manipulate web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.
SafeTP Passive Mode Internal IP Address Revealing Vulnerability
BugTraq ID: 5822
Remote: Yes
Date Published: Sep 28 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5822
Summary:
SafeTP is a freely available, open source secure FTP client-server software package. It is available for Unix, Linux, and Microsoft Operating Systems. A problem with SafeTP may result in the disclosure of sensitive information. It has been reported that under some circumstances, the SafeTP server may reveal sensitive network information. When a passive session is initiated in a specific manner, SafeTP may return the address of a system serving files that is behind a NAT firewall. This disclosure of information could give an attacker limited information about network configuration behind a NAT firewall. It could be used to launch further, directed attacks against network resources.

EmuMail Web Root Path Disclosure Vulnerability
BugTraq ID: 5823
Remote: Yes
Date Published: Sep 29 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5823
Summary:
Emumail is an open source web mail application. It is available for the Unix, Linux, and Microsoft Windows operating systems. A problem with Emumail could make it possible for an attacker to gain sensitive information. Under some conditions, Emumail may reveal sensitive configuration information. When unexpected characters are inserted into some fields in web mail forms, the form generates an error. The error page returned may contain the directory to the web root on the Emumail server.

EmuMail Email Form Script Injection Vulnerability
BugTraq ID: 5824
Remote: Yes
Date Published: Sep 29 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5824
Summary:
Emumail is an open source web mail application. It is available for the Unix, Linux, and Microsoft Windows operating systems. A problem with EmuMail could make it possible for a user to execute arbitrary script code.
It has been reported that EmuMail does not properly sanitize input. Under some conditions, it is possible to pass an email containing script or HTML code through the EmuMail web mail interface. This would result in execution of the script code in the security context of the EmuMail site. This could allow an attacker to potentially steal cookie information.

Eric S. Raymond Fetchmail Email Header Parsing Buffer Overflow Vulnerability
BugTraq ID: 5825
Remote: Yes
Date Published: Sep 30 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5825
Summary:
Fetchmail is a freely available, open source mail retrieval utility. It is maintained by Eric S. Raymond. A buffer overflow vulnerability has been reported for Fetchmail 6.0.0 and earlier. Reportedly, this vulnerability is due to improper checks of user-supplied values for email headers. The vulnerability occurs in the readheaders() function, which is used to parse email headers. Fetchmail does not properly check the size of some user-specified data when copying information into stack buffers. Reportedly, the function nxtaddr() limits the size of user-supplied data to BUFSIZ bytes. BUFSIZ is usually defined to be 1024 bytes. Some systems running glibc, however, define BUFSIZ to be 8192 bytes. Thus a remote attacker is able to trigger the overflow condition by composing an email consisting of overly large email headers, and cause Fetchmail to improperly allocate space on the system stack. It is believed that an attacker could potentially exploit this condition to overwrite stack variables with malicious attacker-supplied values. It is possible that exploitation could result in execution of malicious attacker-supplied code as the Fetchmail process. This vulnerability has been reported for Fetchmail 6.0.0 and earlier.

Eric S. Raymond Fetchmail Multidrop Mode Denial Of Service Vulnerability
BugTraq ID: 5826
Remote: Yes
Date Published: Sep 30 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5826
Summary:
Fetchmail is a freely available, open source mail retrieval utility. It is maintained by Eric S. Raymond. A denial of service vulnerability has been reported for Fetchmail 6.0.0 and earlier. The vulnerability is due to improper boundary checks when processing email headers. Specifically, the vulnerability occurs when Fetchmail is in multidrop mode and attempts to obtain DNS information through the getmxrecord() function. A remote attacker is able to exploit this vulnerability by sending a large, specially crafted DNS packet to a vulnerable version of Fetchmail. This may be possible if the attacker controls a malicious DNS server or is able to forge DNS replies. This will cause Fetchmail to crash when processing the malformed packet. This vulnerability has been reported for Fetchmail 6.0.0.

Eric S. Raymond Fetchmail Multidrop Mode Email Header Parsing Heap Overflow Vulnerability
BugTraq ID: 5827
Remote: Yes
Date Published: Sep 30 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5827
Summary:
Fetchmail is a freely available, open source mail retrieval utility. It is maintained by Eric S. Raymond. A remotely exploitable heap overflow vulnerability has been reported for Fetchmail 6.0.0 and earlier. The vulnerability occurs in the parse_received() function, which is used to parse the 'Received:' email headers. This vulnerability affects Fetchmail in multidrop mode and will cause Fetchmail to corrupt heap memory with attacker-supplied values. Reportedly, certain parts of the 'Received:' header get copied into memory buffers without any checks being performed. An attacker can exploit this vulnerability by composing an email that includes a specially crafted 'Received:' header and sending this email to a victim Fetchmail user.
When Fetchmail processes the malicious email, the overflow condition will be triggered and memory in the heap will be corrupted. An attacker may exploit this condition to overwrite arbitrary words in memory. This may allow for the execution of arbitrary code. This vulnerability has been reported for Fetchmail 6.0.0 and earlier.

WN Server Malformed GET Request Buffer Overflow Vulnerability
BugTraq ID: 5831
Remote: Yes
Date Published: Sep 30 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5831
Summary:
WN Server is a freely available webserver. It is included in the FreeBSD ports collection. WN Server is prone to a remotely exploitable buffer overflow. This is due to insufficient bounds checking of data received in HTTP GET requests. It is possible to send an overly long request to the server and cause process memory to be corrupted with attacker-supplied data. Stack variables, including the return address, may be overwritten with attacker-supplied data as a result of exploitation. An attacker may leverage this condition to execute arbitrary instructions. Code execution that results from successful exploitation will occur in the context of the webserver process, and may allow a remote attacker to gain access to the host with the privileges of the webserver. This issue is reported to be present in WN Server versions 1.18.2 through 2.0.0. It is possible that other versions may also be affected by this vulnerability.

Monkey HTTP Server Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 5829
Remote: Yes
Date Published: Sep 30 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5829
Summary:
Monkey is an open source Web server written in C, based on the HTTP/1.1 protocol. It is available for the Linux platform. It has been reported that the Monkey HTTP server is prone to cross site scripting vulnerabilities. An attacker may exploit this vulnerability by enticing a victim user to follow a malicious link.
Attacker-supplied HTML and script code may be executed on a web client visiting the malicious link in the context of the webserver. Attacks of this nature may make it possible for attackers to manipulate web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.

Trolltech Qt Assistant Default Port Unauthorized Access Weakness
BugTraq ID: 5833
Remote: Yes
Date Published: Sep 30 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5833
Summary:
Qt is a C++ toolkit for application development. It is designed for use with various platforms including Linux and Unix variants as well as Microsoft Windows operating environments. A weakness has been reported for the Qt Assistant. The Qt Assistant is a browser for the Qt documentation and is typically used in conjunction with Qt Designer. Reportedly, the Qt Assistant opens port 7358 for communication with Qt Designer. This port, however, can be accessed remotely. An attacker can exploit this weakness by connecting to a vulnerable system on port 7358 and making requests for HTML pages. The requests will be processed by the Qt Assistant and will be displayed on the screen of the user that is currently using the Assistant. Numerous simultaneous requests may prevent the Qt Assistant from responding to legitimate requests in a timely manner.

GNU Tar Hostile Destination Path Variant Vulnerability
BugTraq ID: 5834
Remote: Yes
Date Published: Sep 30 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5834
Summary:
GNU Tar 1.13.25 contains a vulnerability in the handling of pathnames for archived files. By specifying a path for an archived item which points outside the expected directory scope, the creator of the archive can cause the file to be extracted to arbitrary locations on the filesystem, including paths containing system binaries and other sensitive or confidential information.
Since tar can override umask settings, the output file can be rendered executable. This can be used to create or overwrite binaries in any desired location. Properly exploited, this grants the archive creator an elevation of privileges, potentially to 'root'. This issue is a variant of the vulnerability described in BID 3024. It is not known whether earlier versions are also affected by this variant.

Apache Tomcat Mod_JK /Mod_JServ Directory Disclosure Vulnerability
BugTraq ID: 5838
Remote: Yes
Date Published: Oct 01 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5838
Summary:
Apache Tomcat is reported to be prone to a vulnerability which may enable remote attackers to disclose the contents of directories. It is possible to submit a malicious web request which is capable of disclosing directory contents. An attacker may use the information gathered in this manner to mount further attacks against the host. This issue is reported to affect Apache Tomcat 3.2.x on HP-UX 11.04 (VVOS) systems. The source of the problem is a connector issue. It is not known whether other systems are also affected.

FreeBSD Rogue Local Buffer Overflow Vulnerability
BugTraq ID: 5837
Remote: No
Date Published: Sep 30 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5837
Summary:
Rogue is a game included with FreeBSD. Games are invoked by the /usr/games/dm binary, which is setgid games by default. Normal game behaviour involves revoking privileges. Rogue fails to drop privileges, potentially resulting in privilege escalation. A buffer overflow has been discovered in Rogue when restoring saved games. By passing an overly large string to the 'read_string' function in save.c, it is possible to corrupt memory. By exploiting this issue it may be possible for an attacker to overwrite values in the program's Global Offset Table, resulting in the execution of arbitrary attacker-supplied code.
Successful exploitation would result in the escalation of privileges to the 'games' group, which could result in the corruption of saved game data, as well as storage consumption.

GV GZip Archive Malicious File Name Command Execution Vulnerability
BugTraq ID: 5840
Remote: No
Date Published: Oct 01 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5840
Summary:
gv is a freely available, open source Portable Document Format (PDF) and PostScript (PS) viewing utility. It is available for Unix and Linux operating systems. A problem with gv could make the execution of arbitrary commands possible. Under some circumstances, gv does not properly handle file names. When a PostScript (PS) or Portable Document Format (PDF) file contained within a compressed archive such as a gzip archive is opened with gv, command execution may occur. A file name containing special characters such as backticks (`), quotes ("), and ampersands (&) will be interpreted as commands, and executed by gv. This problem could make the execution of arbitrary commands possible. Any commands executed through gv would be executed with the permissions of the gv user.

NetGear FVS318 Username/Password Disclosure Vulnerability
BugTraq ID: 5830
Remote: No
Date Published: Sep 30 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5830
Summary:
NetGear distributes commercially available Firewall/VPN/Router hardware devices. A vulnerability has been reported in NetGear FVS318 Firewall/VPN/Routers when certain configuration options are enabled. An optional backup setting is included on NetGear devices. When enabled, a backup file containing configuration settings is created. Certain sensitive information, such as ISP usernames and remote web administration passwords, is stored in plain text. An attacker accessing the backup file could obtain sensitive information, which could aid the attacker in compromising the web administrative interface of the device.
It should be noted that the backup option is not enabled by default, but is a common feature used by administrators.

Bugzilla Group Creation With Elevated Privileges Vulnerability
BugTraq ID: 5843
Remote: Yes
Date Published: Oct 01 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5843
Summary:
Bugzilla is a freely available, open source bug tracking software package. It is available for Linux, Unix, and Microsoft Operating Systems. A vulnerability has been reported for Bugzilla. This vulnerability affects sites that use the 'usebuggroups' feature of Bugzilla. This feature, when enabled, allows sites to track bugs based on products and allows site administrators to restrict access to bugs on a per-product basis. The 'editgroups.cgi' page will show a listing of all current groups. The vulnerability is the result of improper mathematical calculations done when a site has 47 or more bug groups. When a new product is added to a site that has 47 or more bug groups, the new group will be created with extra privileges set. Any new users that are added to this group will automatically gain access to other group privileges. An attacker can exploit this vulnerability to obtain access to a privileged group and perform actions pertaining to that group. Site administrators may be able to find groups with extra privileges by viewing the 'editgroups.cgi' page and looking for 'bit' values that end in '0'. A large value such as '4503599627370480' is indicative of an error in large integer math. Administrators may be able to change the group bit values and check permissions of users belonging to the offending groups. This vulnerability affects Mozilla Bugzilla 2.14.3 and earlier and Bugzilla 2.16 and earlier.
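As an added illustration of the audit the Bugzilla advisory suggests (this is not code from the advisory or from Bugzilla), the following Python decomposes a malformed group bit value and lists which other groups it overlaps. The group table is constructed sample data; the odd value is the one quoted in the advisory.

```python
# Constructed sample of a 'usebuggroups' site's group table (name -> bit).
# Only the last value comes from the advisory; the rest are made up.
SAMPLE_GROUPS = {
    "editbugs": 1,
    "canconfirm": 2,
    "product-a": 4,
    "product-b": 8,
    "product-c": 16,
    "product-z": 2**51,
    "product-new": 4503599627370480,
}


def is_single_bit(value: int) -> bool:
    """A well-formed group bit has exactly one bit set."""
    return value > 0 and value & (value - 1) == 0


def bit_positions(value: int) -> list[int]:
    """Positions of all set bits, lowest first."""
    return [i for i in range(value.bit_length()) if value >> i & 1]


def last_digit_heuristic(groups: dict[str, int]) -> list[str]:
    """The advisory's manual check: a power of two never ends in '0'."""
    return [name for name, bit in groups.items() if str(bit).endswith("0")]


def overlapping_groups(groups: dict[str, int]) -> dict[str, list[str]]:
    """For each malformed bit value, the other groups whose bit it carries;
    members of such a group also pass those groups' access checks."""
    result = {}
    for name, bit in groups.items():
        if is_single_bit(bit):
            continue
        result[name] = sorted(g for g, b in groups.items() if g != name and bit & b)
    return result


if __name__ == "__main__":
    print("flagged by last digit:", last_digit_heuristic(SAMPLE_GROUPS))
    print("bits set in product-new:", bit_positions(SAMPLE_GROUPS["product-new"]))
    print("overlaps:", overlapping_groups(SAMPLE_GROUPS))
```

The advisory's value is 2^52 minus 16, so bits 4 through 51 are all set and every group whose bit lies in that range is reachable from the new group.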
Bugzilla Account Creation SQL Injection Vulnerability
BugTraq ID: 5842
Remote: Yes
Date Published: Oct 01 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5842
Summary:
Bugzilla is a freely available, open source bug tracking software package. It is available for Linux, Unix, and Microsoft Operating Systems. Bugzilla is prone to SQL injection attacks. This issue is due to insufficient sanitization of apostrophes (') from e-mail addresses during account creation. Maliciously formatted SQL injected via the e-mail address field will be included in a SQL query. An attacker could exploit this condition to modify the logic of SQL queries, potentially resulting in disclosure of sensitive information or database corruption. SQL injection may also enable a remote attacker to exploit other existing vulnerabilities in the underlying database implementation.

Bugzilla Bugzilla_Email_Append.pl Arbitrary Command Execution Vulnerability
BugTraq ID: 5844
Remote: Yes
Date Published: Oct 01 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/5844
Summary:
Bugzilla is a freely available, open source bug tracking software package. It is available for Linux, Unix, and Microsoft Operating Systems. A problem with Bugzilla could make it possible to execute arbitrary commands. Under some circumstances, it may be possible to execute arbitrary commands on a Bugzilla server. A user may be able to insert maliciously formatted entries into the Bugzilla database that would be handled by the bugzilla_email_append.pl script. A maliciously formatted entry passed to this script could result in the execution of arbitrary commands. This problem could allow a remote user to execute arbitrary code on a Bugzilla server. This could lead to a remote attacker gaining access to the system with the privileges of the web server process.
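Returning to the GNU Tar hostile destination path advisory (BID 5834) above: the following Python is an added example, not code from the advisory or from GNU Tar, of inspecting an archive's member list before extraction for the conditions that advisory describes, namely paths that resolve outside the destination directory, links that point outside it, and files that would land with an executable bit set. The archive and its member names are constructed here for the demonstration; the destination path is likewise an assumed value.

```python
import io
import os
import tarfile

# Constructed sample members (name, mode); not taken from any real archive.
SAMPLE_FILES = [
    ("docs/readme.txt", 0o644),          # benign
    ("../../etc/cron.d/evil", 0o644),    # climbs out of the extraction dir
    ("/usr/local/bin/evil", 0o755),      # absolute path, executable
    ("bin/run.sh", 0o755),               # inside the tree but executable
]
SAMPLE_SYMLINK = ("docs/link", "../../../etc/passwd")  # escapes via link target


def build_sample_archive() -> bytes:
    """Build an in-memory tar holding the constructed members above."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, mode in SAMPLE_FILES:
            data = b"sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo(SAMPLE_SYMLINK[0])
        link.type = tarfile.SYMTYPE
        link.linkname = SAMPLE_SYMLINK[1]
        tf.addfile(link)
    return buf.getvalue()


def hostile_members(archive: bytes, dest: str) -> list[tuple[str, str]]:
    """Return (member name, reason) for entries that must not be extracted
    blindly into dest: paths escaping dest, links pointing outside it, and
    regular files that would be written with an executable bit set."""
    root = os.path.realpath(dest)
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive)) as tf:
        for m in tf.getmembers():
            if os.path.isabs(m.name):
                findings.append((m.name, "absolute path"))
                continue
            target = os.path.realpath(os.path.join(root, m.name))
            if os.path.commonpath([root, target]) != root:
                findings.append((m.name, "escapes destination directory"))
                continue
            if m.issym() or m.islnk():
                # symlinks resolve relative to their own directory, hard links to root
                base = os.path.dirname(target) if m.issym() else root
                link = os.path.realpath(os.path.join(base, m.linkname))
                if os.path.commonpath([root, link]) != root:
                    findings.append((m.name, "link points outside destination"))
                continue
            if m.isfile() and m.mode & 0o111:
                findings.append((m.name, "executable bit set"))
    return findings


if __name__ == "__main__":
    for name, reason in hostile_members(build_sample_archive(), "/srv/extract"):
        print(f"{reason:32} {name}")
```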
