Belatedly. Other vulnerabilities worth noting:
- PHP nuke
- Oracle
- RealNetworks software
- Matlab
Polycom ViewStation Plain Text Administrative Password Vulnerability
BugTraq ID: 6447
Remote: Yes
Date Published: Dec 20 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6447
Summary:
Polycom ViewStation is a series of video-conferencing products. The ViewStation devices ship with an on-board proprietary operating system which allows remote access via Telnet, FTP and HTTP. The administrator and software-update passwords are stored in plain text in an HTML file on the device named a_security.htm. This file is accessible through the URI http://<target>/a_security.htm. Anyone who can retrieve it obtains both passwords and can then modify device settings and firmware.
[ hardware ]

nCipher PKCS#11 Implementation Access Control Vulnerability
BugTraq ID: 6448
Remote: Unknown
Date Published: Dec 20 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6448
Summary:
PKCS#11 (Cryptographic Token Interface Standard) is an API specification for devices which perform cryptographic operations. A vulnerability has been reported in the nCipher implementation of this standard. Under certain circumstances, it is possible for plaintext keys to be exported from affected devices and components. This is due to a flaw in the access control component of the nCipher PKCS#11 library. According to nCipher, if keys are "improperly secured", an attacker who is able to issue commands to any module in a Security World, and to obtain data from it, may also obtain plaintext key data from the target module. It is not currently known how keys must be "improperly secured" for this attack scenario to be possible. A compromise of the system may result if keys are disclosed.
[ hardware ]

Multiple Temporary File Monitoring Utility Vendor Stopped Process Vulnerabilities
BugTraq ID: 6451
Remote: No
Date Published: Dec 20 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6451
Summary:
Temporary file monitoring and cleaning utilities are commonplace on many UNIX systems.
Popular tools are 'tmpwatch' and 'stmpclean'. A weakness in the design of these tools has recently been published. During operation, some of these utilities delete temporary files that have not been accessed for a pre-specified amount of time, based on the access times stored in file inodes. This is an insecure design because the tools cannot determine whether the process that created a temporary file has terminated. As a result, the state of processes which have not terminated may be corrupted or lost if their temporary files are deleted. In some circumstances, attackers can induce this condition by stopping a process with higher privileges (for example, setuid programs can be stopped with SIGSTOP) and waiting for the cleaner to expire its files. The deletion of a process' temporary file may create exploitable conditions: attackers may replace the deleted temporary file with a link or a file of their own if the process later performs operations on the file using its filename. One example follows: attackers may replace a deleted temporary file with a link to a target file owned by the owner of the setuid utility. The affected process may then delete the target file, potentially resulting in a loss of sensitive information.

Tmpwatch Race Condition Vulnerability
BugTraq ID: 6453
Remote: No
Date Published: Dec 20 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6453
Summary:
Tmpwatch is a utility written by Erik Troan that is meant to clean unused temporary files from /tmp. It has been reported that a potentially exploitable race condition is present in tmpwatch. The flaw occurs when tmpwatch is deleting a temporary file. During this process, tmpwatch first issues the lstat() call on the file in question to obtain information from its inode. It then issues unlink() to remove it if it meets the deletion criteria. A race condition exists during the time between the invocations of lstat() and unlink().
It may be possible for another process on the system that is scheduled between these two system calls to perform operations that interfere with tmpwatch. Theoretically, this can be an exploitable condition for malicious local users. For example, a utility with higher privileges may exist that the attacker wishes to exploit. This utility stores state information in a temporary file, perhaps with a filename based on process ID and system time. An attacker may create a "decoy" temporary file with a guessed filename (anticipating running the utility in the near future). After tmpwatch runs lstat() on the decoy, it is theoretically possible for the attacker to delete it and run the target utility before unlink() is called. If the filename was guessed correctly and the race is won, the state file of the target utility will be deleted by tmpwatch rather than the decoy. The attacker may then replace the deleted state file with one of their own, further exploiting any operations that the target utility may perform on the state file using its filename (rather than an open file descriptor).

Axis Embedded Device Authentication Buffer Overflow Vulnerability
BugTraq ID: 6452
Remote: Yes
Date Published: Dec 20 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6452
Summary:
Axis Network Cameras, Video Servers, and Network Digital Video Recorders contain a modified version of the Boa web server running on embedded Linux. There is an unchecked buffer in the authentication code of this modified Boa web server. Successful exploitation of this vulnerability may lead to a denial of service or execution of arbitrary code. Since the issue lies in the authentication code, an attacker may be able to exploit it without being logged in. This vulnerability exists only in this modified version of Boa and not in the official Boa distribution.
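The decoy scenario described for tmpwatch (BID 6453) and the stopped-process case (BID 6451) both depend on one thing: the privileged utility goes back to its state file by name instead of holding a descriptor. The C program below is an added example, not code from tmpwatch, stmpclean or any advisory above; the /tmp/util.<pid>.<time> naming scheme, the "victim" file and the helper names are constructed for illustration. It contrasts the vulnerable pattern with mkstemp() plus a retained descriptor, and demonstrates on the local /tmp that an O_CREAT open follows a planted symlink while an O_NOFOLLOW reopen with a dev/ino check refuses it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Vulnerable pattern (constructed for this example): a state file whose name
 * is derived from pid and time. An attacker who guesses it can plant a decoy
 * beforehand, or, once a cleaner has removed the real file, drop a symlink at
 * the same name before the utility reuses it. */
int predictable_state_name(char *buf, size_t len, long pid, long now)
{
    return snprintf(buf, len, "/tmp/util.%ld.%ld", pid, now);
}

/* Reopening that name with O_CREAT but without O_EXCL or O_NOFOLLOW follows a
 * planted symlink and operates on whatever it points to. */
int open_state_insecure(const char *path)
{
    return open(path, O_RDWR | O_CREAT, 0600);
}

/* Hardened creation: mkstemp picks an unguessable name and creates it with
 * O_EXCL; the descriptor is kept for the life of the process and all later
 * I/O goes through it, never through the path. tmpl must end in XXXXXX. */
int open_state_secure(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* If a path must be reopened: never follow symlinks, and verify that the
 * entry still names the inode we created (dev/ino compared after fstat). */
int reopen_checked(const char *path, const struct stat *expected)
{
    int fd = open(path, O_RDWR | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_dev != expected->st_dev || st.st_ino != expected->st_ino) {
        close(fd);
        errno = EEXIST;                 /* entry was swapped underneath us */
        return -1;
    }
    return fd;
}

/* Demonstration on the local /tmp: create a stand-in "victim" file, remove
 * the predictable state file as a cleaner would, plant a symlink to the
 * victim at that name, then reopen it both ways. Returns 1 when the insecure
 * open landed on the victim and the checked reopen refused, 0 otherwise,
 * -1 on setup failure. */
int demo_decoy(void)
{
    char victim[] = "/tmp/victimXXXXXX";
    int vfd = open_state_secure(victim);
    if (vfd < 0)
        return -1;
    struct stat want;
    fstat(vfd, &want);
    char name[64];
    predictable_state_name(name, sizeof name, (long)getpid(), (long)time(NULL));
    unlink(name);                             /* the cleaner's unlink()      */
    if (symlink(victim, name) < 0) {          /* the attacker's replacement  */
        close(vfd);
        unlink(victim);
        return -1;
    }
    int bad = open_state_insecure(name);      /* follows the link            */
    struct stat got;
    int followed = bad >= 0 && fstat(bad, &got) == 0 &&
                   got.st_dev == want.st_dev && got.st_ino == want.st_ino;
    int good = reopen_checked(name, &want);   /* O_NOFOLLOW: fails with ELOOP */
    int refused = good < 0;
    if (bad >= 0) close(bad);
    if (good >= 0) close(good);
    close(vfd);
    unlink(name);
    unlink(victim);
    return followed && refused;
}

int main(void)
{
    printf("decoy symlink: %s\n", demo_decoy() == 1
           ? "followed by the insecure open, refused by the checked reopen"
           : "not reproduced");
    return 0;
}
```

Run it as an unprivileged user; it creates and removes two entries under /tmp. The wider lesson is that a cleaner working with lstat()/unlink() by name cannot protect a consumer that reuses a path, so the durable fix belongs in the program that owns the temporary file.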
[ hardware ]

STMPClean Race Condition Vulnerability
BugTraq ID: 6457
Remote: No
Date Published: Dec 20 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6457
Summary:
Stmpclean is a utility meant for automatically removing temporary files that are not in use. It is developed by Stanislav Shalunov. It has been reported that a race condition is present in stmpclean in certain circumstances. Though the conditions are unlikely, the vulnerability is theoretically exploitable. The flaw occurs when two stmpclean processes are running concurrently and operating on the same file. The steps taken by stmpclean to identify and delete temporary files are as follows:
- stmpclean first calls lstat() on the file to be removed
- if the file is owned by root, it is not removed
- stmpclean then sets its uid to the owner of the file
- stmpclean then attempts to unlink() the file
A race condition between two stmpclean processes is present and may be exploited using hard links. If successful, attackers may cause the state file of a non-root process to be deleted. This may create opportunities for further attack.

KDE Parameter Quoting Shell Command Execution Vulnerability
BugTraq ID: 6462
Remote: Yes
Date Published: Dec 22 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6462
Summary:
KDE is a freely available, open source desktop environment for the X Window System, designed for Unix and Linux operating systems. A problem with KDE could lead to arbitrary command execution. It has been discovered that KDE insecurely handles some types of input: under some circumstances, KDE does not properly quote parameters of commands passed to the command shell. By crafting a malicious string and delivering it through an attacker-controlled medium, it would be possible to execute commands with the privileges of the user receiving the malicious string.
This vulnerability could be exploited through one of several mediums, such as email, web pages, or files on a network file system. It additionally has the potential to give the attacker remote access with the privileges of the user receiving the malicious string.

Apache printenv Sample Script Cross Site Scripting Vulnerability
BugTraq ID: 6466
Remote: Yes
Date Published: Dec 23 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6466
Summary:
Apache is a freely available web server for Unix and Linux variants, as well as Microsoft operating systems. A cross site scripting vulnerability has been reported in a sample script included with Apache. The vulnerability exists in the 'printenv' sample script, which is typically installed in the 'cgi-bin' directory. Due to insufficient sanitization of user-supplied input, it is possible for an attacker to construct a malicious link which contains arbitrary HTML and script code. Attacker-supplied HTML and script code may be executed on a web client visiting the malicious link in the context of the vulnerable server. This may be exploited to steal cookie-based authentication credentials. It should be noted that this script is not installed as an executable script and its output is served as text/plain. However, some browsers do not honour the text/plain MIME type and may render the output as HTML.

Internet Junkbuster Proxy Unauthorized Connections Vulnerability
BugTraq ID: 6471
Remote: Yes
Date Published: Dec 23 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6471
Summary:
Internet Junkbuster is a filtering HTTP proxy that prevents a web browser from displaying advertisement images. A vulnerability in Junkbuster may allow remote attackers to abuse the proxy to make unauthorized connections to arbitrary ports on any host that the proxy can reach.
It is possible to exploit this issue using the CONNECT method to proxy an unauthorized connection to an arbitrary port on any host the proxy may access. The affected product does not appear to have a mechanism for restricting which ports can be connected to using the CONNECT method. This vulnerability has been reported for Junkbuster 2.01. Junkbuster is installed as part of a complete Red Hat Linux installation.

CHETCPASSWD Shadow File Disclosure Vulnerability
BugTraq ID: 6472
Remote: Yes
Date Published: Dec 22 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6472
Summary:
CHETCPASSWD is a web-based utility which allows users to change their system passwords remotely. It is available for Unix and Linux variants. CHETCPASSWD is prone to a vulnerability that may cause the tail end of the local shadow file to be disclosed to a remote attacker. It is possible to exploit this issue by sending an overly long string (120+ characters) as the value of the 'user' URI parameter in a request to 'chetcpasswd.cgi'. The information disclosed may aid the attacker in mounting further attacks against the system hosting the vulnerable software.

KDE smbview Readable Command Line Password Argument
BugTraq ID: 6474
Remote: No
Date Published: Dec 23 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6474
Summary:
A vulnerability has been discovered in smbview, shipped with the K Desktop Environment (KDE). It has been reported that smbview takes a user's password as a command-line argument. This presents a security risk as information passed on the command line may be viewed by other local users (for example with ps). A malicious local attacker may take advantage of this issue to steal another user's SMB password. This may aid the attacker in launching further attacks against the target user.
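The KDE advisory above (BID 6462) describes the general bug class: a parameter reaches /bin/sh without quoting, so its metacharacters are interpreted. The C program below is an added example, not KDE code; the helper path /usr/bin/some-helper is hypothetical. It shows the unquoted interpolation, a single-quote escaping routine, a check that asks sh how many words it actually received, and the preferred fix of calling the helper through execlp() so that no shell is involved at all.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable: the parameter is interpolated verbatim into a command line that
 * will be handed to /bin/sh. "x; rm -rf ~" runs a second command, and even a
 * space or an unbalanced quote changes what the shell does.
 * (/usr/bin/some-helper is a hypothetical name; the command does not matter.) */
int build_cmd_unquoted(char *out, size_t n, const char *param)
{
    return snprintf(out, n, "/usr/bin/some-helper %s", param);
}

/* Single-quote a string for /bin/sh. Inside single quotes no character is
 * special except the quote itself, which is emitted as '\'' (close, escaped
 * quote, reopen). Returns the length written, or -1 if out is too small. */
int shell_quote(char *out, size_t n, const char *s)
{
    size_t need = 2;
    for (const char *p = s; *p; p++)
        need += (*p == '\'') ? 4 : 1;
    if (need + 1 > n)
        return -1;
    char *o = out;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') {
            memcpy(o, "'\\''", 4);
            o += 4;
        } else {
            *o++ = *p;
        }
    }
    *o++ = '\'';
    *o = '\0';
    return (int)(o - out);
}

int build_cmd_quoted(char *out, size_t n, const char *param)
{
    char q[1024];
    if (shell_quote(q, sizeof q, param) < 0)
        return -1;
    return snprintf(out, n, "/usr/bin/some-helper %s", q);
}

/* Observable check: hand the parameter to sh as the arguments of `set --` and
 * have it report how many positional parameters it ended up with. Returns -1
 * when the shell could not even parse the line (e.g. an unbalanced quote). */
int args_seen_by_shell(const char *param, int quote)
{
    char q[512], cmd[1024];
    const char *p = param;
    if (quote) {
        if (shell_quote(q, sizeof q, param) < 0)
            return -1;
        p = q;
    }
    if (snprintf(cmd, sizeof cmd, "set -- %s; echo $#", p) >= (int)sizeof cmd)
        return -1;
    FILE *f = popen(cmd, "r");
    if (!f)
        return -1;
    char line[64];
    int n = fgets(line, sizeof line, f) ? atoi(line) : -1;
    pclose(f);
    return n;
}

/* Best option: no shell at all. The parameter becomes exactly one argv entry
 * whatever it contains. Returns the child's exit status, or -1. */
int run_without_shell(const char *helper, const char *param)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(helper, helper, param, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *param = "two words";
    printf("unquoted: sh sees %d args; quoted: sh sees %d args\n",
           args_seen_by_shell(param, 0), args_seen_by_shell(param, 1));
    return 0;
}
```

The quoting routine is the minimum that makes sh safe; it is only a stopgap for code that must build a command string. Anything that can pass an argv directly (execvp, posix_spawn, or KDE's own process classes) removes the problem rather than escaping around it.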
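The Junkbuster issue (BID 6471) is simply the absence of a CONNECT port restriction. The following C code is an added example, not Junkbuster code: it parses the CONNECT request line and applies an allowlist of tunnel ports (443 only, an assumption for this example) together with a denylist of proxy-local targets. The request lines in main() are constructed samples.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Ports a forward proxy should be willing to tunnel. Assumption for this
 * example: TLS on 443 only. Everything else (SMTP on 25, SSH on 22, admin
 * ports on internal hosts) is refused, which stops the proxy being used as
 * a relay into any network it can reach. */
static const int allowed_ports[] = { 443 };

/* Targets a proxy should never tunnel to whatever the port: itself. Prefix
 * matches, so "127." covers the whole loopback block. */
static const char *const blocked_hosts[] = { "localhost", "127.", "[::1]" };

/* Parse "CONNECT host:port HTTP/1.x". Fills host and port and returns 1, or
 * returns 0 for anything malformed (no port, non-numeric port, other method). */
int parse_connect(const char *line, char *host, size_t hostlen, int *port)
{
    char method[16], target[512], version[16];
    if (sscanf(line, "%15s %511s %15s", method, target, version) != 3)
        return 0;
    if (strcmp(method, "CONNECT") != 0 || strncmp(version, "HTTP/1.", 7) != 0)
        return 0;
    char *colon = strrchr(target, ':');      /* last colon: tolerates [v6]:port */
    if (!colon || colon == target || colon[1] == '\0')
        return 0;
    for (const char *p = colon + 1; *p; p++)
        if (!isdigit((unsigned char)*p))
            return 0;
    long pv = strtol(colon + 1, NULL, 10);
    if (pv < 1 || pv > 65535)
        return 0;
    size_t hl = (size_t)(colon - target);
    if (hl >= hostlen)
        return 0;
    memcpy(host, target, hl);
    host[hl] = '\0';
    *port = (int)pv;
    return 1;
}

int port_allowed(int port)
{
    for (size_t i = 0; i < sizeof allowed_ports / sizeof allowed_ports[0]; i++)
        if (allowed_ports[i] == port)
            return 1;
    return 0;
}

int host_allowed(const char *host)
{
    for (size_t i = 0; i < sizeof blocked_hosts / sizeof blocked_hosts[0]; i++)
        if (strncmp(host, blocked_hosts[i], strlen(blocked_hosts[i])) == 0)
            return 0;
    return 1;
}

/* Decision for one request line: 1 = open the tunnel, 0 = answer 403. */
int connect_allowed(const char *request_line)
{
    char host[256];
    int port;
    if (!parse_connect(request_line, host, sizeof host, &port))
        return 0;
    return host_allowed(host) && port_allowed(port);
}

int main(void)
{
    const char *lines[] = {                  /* constructed sample requests */
        "CONNECT www.example.com:443 HTTP/1.1",
        "CONNECT mail.example.com:25 HTTP/1.0",
        "CONNECT 10.0.0.5:22 HTTP/1.0",
        "CONNECT localhost:443 HTTP/1.1",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-40s -> %s\n", lines[i],
               connect_allowed(lines[i]) ? "allow" : "refuse");
    return 0;
}
```

A host denylist by name is only a partial control, since the proxy resolves the name itself; in a real deployment the check should be repeated on the resolved address before the socket is opened.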
Xpdf/CUPS pdftops Integer Overflow Vulnerability
BugTraq ID: 6475
Remote: No
Date Published: Dec 23 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6475
Summary:
The Xpdf pdftops filter is a utility for converting PDF files to PostScript. The pdftops filter also ships with CUPS. The filter is prone to an integer overflow. As a result, it may be possible to corrupt memory (such as function pointers) with attacker-supplied data and cause arbitrary code to be executed. This condition may occur when the filter is supplied an oversized integer value as the number of elements for a ColorSpace. It has also been reported that the integer overflow can be triggered through other means. The method of exploitation may vary. If an attacker can entice a user to print a malformed file from the command line using the vulnerable filter, it may be possible to execute code with the privileges of that user. Local exploitation may result in the attacker gaining the elevated privileges of the 'lp' user if the utility is installed setuid.

MHonArc m2h_text_html Filter Cross Site Scripting Vulnerability
BugTraq ID: 6479
Remote: Yes
Date Published: Dec 21 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6479
Summary:
MHonArc is a Perl program designed to automatically parse email into an HTML-based archive format. A cross site scripting vulnerability has been reported for MHonArc. A specially crafted HTML mail message may be able to bypass the HTML filtering imposed by MHonArc. Any MHonArc archives that allow HTML content are vulnerable to this issue. It has been reported that the vulnerability exists in the m2h_text_html::filter. Reportedly, the filter does not adequately remove, or strip, malicious HTML code from email messages. This vulnerability has been reported to affect all versions of MHonArc 2.5.13 and earlier.
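The pdftops bug (BID 6475) is an integer overflow in an allocation size: a count read from the file is multiplied by an element size, the product wraps, a small buffer is allocated, and the loop that fills it writes far beyond the end. The C program below is an added example, not Xpdf or CUPS code; the input format (a 32-bit little-endian count followed by one byte per element) and the MAX_COMPS limit are constructed for illustration. It shows the wrapping product, the parser that trusts the count, and the bounded, overflow-checked version.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed sane ceiling on colour-space components for this example. */
#define MAX_COMPS 32

/* Constructed sample input, not a real PDF: a 32-bit little-endian element
 * count followed by one byte per element. sample_evil claims 0x40000001
 * elements but carries only three bytes of data. */
static const unsigned char sample_ok[]   = { 3, 0, 0, 0, 10, 20, 30 };
static const unsigned char sample_evil[] = { 0x01, 0x00, 0x00, 0x40, 10, 20, 30 };

static uint32_t read_u32le(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The arithmetic at the heart of the bug, in 32-bit size_t terms: the element
 * count is multiplied by the element size and the product wraps.
 * 0x40000001 * 8 == 0x200000008, which truncates to 8. */
uint32_t wrapped_alloc_size(uint32_t ncomps, uint32_t elem_size)
{
    return ncomps * elem_size;
}

/* Vulnerable parser: trusts the count from the file. With sample_evil it would
 * malloc(8) and then run 0x40000001 iterations writing past the buffer (and
 * reading past the input), corrupting the heap. Only run it on trusted input;
 * here it serves as the "before" picture on sample_ok. */
int parse_comps_unsafe(const unsigned char *data, size_t len)
{
    if (len < 4)
        return -1;
    uint32_t n = read_u32le(data);
    uint32_t bytes = wrapped_alloc_size(n, (uint32_t)sizeof(double));
    double *v = malloc(bytes);
    if (!v)
        return -1;
    for (uint32_t i = 0; i < n; i++)
        v[i] = data[4 + i] / 255.0;          /* out of bounds once n is large */
    free(v);
    return (int)n;
}

/* Overflow-safe product: refuses when ncomps * elem_size would not fit. */
int checked_alloc_size(size_t ncomps, size_t elem_size, size_t *bytes)
{
    if (ncomps == 0 || elem_size == 0)
        return 0;
    if (ncomps > SIZE_MAX / elem_size)
        return 0;
    *bytes = ncomps * elem_size;
    return 1;
}

/* Hardened parser: bounds the count by a domain limit and by the bytes
 * actually present, then computes the allocation with the checked multiply.
 * Returns the count, or -1 if the input is rejected. */
int parse_comps_safe(const unsigned char *data, size_t len)
{
    if (len < 4)
        return -1;
    uint32_t n = read_u32le(data);
    if (n == 0 || n > MAX_COMPS || n > len - 4)
        return -1;
    size_t bytes;
    if (!checked_alloc_size(n, sizeof(double), &bytes))
        return -1;
    double *v = malloc(bytes);
    if (!v)
        return -1;
    for (uint32_t i = 0; i < n; i++)
        v[i] = data[4 + i] / 255.0;
    free(v);
    return (int)n;
}

int main(void)
{
    printf("0x40000001 * 8 wraps to %u bytes\n", wrapped_alloc_size(0x40000001u, 8));
    printf("safe parse: ok=%d evil=%d\n",
           parse_comps_safe(sample_ok, sizeof sample_ok),
           parse_comps_safe(sample_evil, sizeof sample_evil));
    return 0;
}
```

The domain limit (MAX_COMPS) and the "count cannot exceed the bytes present" check each stop this input on their own; the checked multiply is what protects the allocation when no such limit is available.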
ncftpd STAT File Globbing Remote Buffer Overflow Vulnerability
BugTraq ID: 6478
Remote: Yes
Date Published: Dec 24 2002 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6478
Summary:
NcFTPd is a File Transfer Protocol (FTP) server for UNIX systems, designed for high-traffic sites and Internet service providers. A vulnerability has been reported for ncftpd. A buffer overflow exists in the STAT command when used in conjunction with file globbing. The issue likely occurs due to insufficient bounds checking of the expanded glob. It is possible to trigger the overflow by passing a malicious STAT request containing recursive references to a directory name of excessive length, expressed with file globbing characters. When the request is expanded by the server, the result overwrites sensitive memory. Successful exploitation of this vulnerability will allow an attacker to execute arbitrary commands with the privileges of the vulnerable ncftpd process. It should be noted that this vulnerability has been reported to exist in version 2.7.1. Symantec has not yet been able to verify the existence of this bug.

- To post an announcement: [EMAIL PROTECTED]
