GNU Mailman 'email' Cross Site Scripting Vulnerability
BugTraq ID: 6677
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6677
Summary:
Mailman is software to help manage email discussion lists, much like Majordomo and SmartList. It is written and maintained by the GNU Project and is available for the Linux and Unix operating systems.

A cross site scripting vulnerability has been discovered in GNU Mailman. The issue occurs due to insufficient sanitization of URI parameters. Specifically, the 'email' URI parameter is not correctly filtered for embedded HTML or script code. As a result, attackers may embed malicious script code or HTML into a link to a site running the vulnerable software. When this link is followed by a web user, the attacker-supplied code will be interpreted in their web browser in the security context of the site hosting the software.

It may be possible to steal the unsuspecting user's cookie-based authentication credentials, as well as other sensitive information. Other attacks are also possible.

GNU Mailman Error Page Cross Site Scripting Vulnerability
BugTraq ID: 6678
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6678
Summary:
Mailman is software to help manage email discussion lists, much like Majordomo and SmartList. It is written and maintained by the GNU Project and is available for the Linux and Unix operating systems.

A cross site scripting vulnerability has been discovered in GNU Mailman. The issue occurs due to insufficient sanitization of URI parameters. Specifically, the 'language' variable is not sufficiently sanitized before being included in error pages. As a result, attackers may embed malicious script code or HTML into a link to a site running the vulnerable software. When this link is followed by a web user, the attacker-supplied code will be interpreted in their web browser in the security context of the site hosting the software.

It may be possible to steal the unsuspecting user's cookie-based authentication credentials, as well as other sensitive information. Other attacks are also possible.
It has been reported that GNU Mailman 2.0.11 is not affected by this issue.

SpamAssassin BSMTP Mode Buffer Overflow Vulnerability
BugTraq ID: 6679
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6679
Summary:
SpamAssassin is a mail filter to identify and process spam. It is available for Linux and Unix variant operating systems.

A buffer overflow vulnerability has been reported for SpamAssassin. The vulnerability exists when SpamAssassin has been configured for use with BSMTP (Batch Simple Mail Transfer Protocol) processing. SpamAssassin uses the program spamc to process mail. 'spamc' is the client program that feeds data to the spamd service that processes email. BSMTP processing is enabled by executing spamc with the '-B' option.

The vulnerability occurs when SpamAssassin is escaping '.' characters when processing email headers. Due to insufficient bounds checking performed by the filter, it is possible for a remote attacker to trigger the buffer overflow condition. An attacker can exploit this vulnerability by composing a malicious email with specific headers. This will cause the buffer overflow condition in the program, spamc. This may result in malicious attacker-supplied code being executed with the privileges of the spamc process.

It should be noted that this issue allows an attacker to write the value of the '.' character to the LSB of the value stored above the affected buffer. Under some circumstances this may be the function's saved frame pointer, but the exploitability of this issue is highly volatile.

This vulnerability was reported to affect SpamAssassin 2.40 to 2.43.

Hypermail Message Attachment Buffer Overflow Vulnerability
BugTraq ID: 6689
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6689
Summary:
Hypermail is a freely available tool that converts email into HTML format.

A buffer overflow vulnerability has been reported for Hypermail.
The vulnerability occurs when Hypermail processes emails with overly long attachment names. Specifically, the buffer overflow condition exists in the source file, parse.c, when processing emails. This vulnerability is only exploitable if Hypermail is configured to output verbose information with the option 'progress = 2'.

An attacker can exploit this vulnerability by sending an email with an overly long attachment name, consisting of more than 252 characters, to the vulnerable Hypermail service. The buffer overflow condition will be triggered when Hypermail parses the email and may result in malicious attacker-supplied code being executed by the vulnerable hypermail process.

This vulnerability was reported for Hypermail 2.1.3 to 2.1.5.

Hypermail CGI Mail Reverse DNS Lookup Buffer Overflow Vulnerability
BugTraq ID: 6690
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6690
Summary:
Hypermail is a freely available tool that converts email into HTML format.

A buffer overflow vulnerability has been reported for Hypermail's CGI mail program. The vulnerability exists due to insufficient bounds checking performed by the CGI mail program when resolving DNS replies. Specifically, the program uses the function gethostbyaddr() to obtain a hostname from a given IP address. If the DNS server's reply is greater than 80 characters, this would result in a buffer overflow condition.

Operators of malicious DNS servers may exploit this condition to execute arbitrary code on target hosts. It may also be possible for attackers who do not control the DNS server to spoof malicious responses. Successful exploitation of this vulnerability may result in the attacker obtaining control of the execution of the vulnerable program.

This vulnerability was reported for Hypermail 2.1.3 to 2.1.5.
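The spamc entry above describes an escaping step whose output can outgrow its buffer, and the two Hypermail entries describe fixed-size copies of attacker-controlled names; all three are the same bounds-accounting failure. As an added illustration (not SpamAssassin's or Hypermail's code), here is a BSMTP dot-stuffing routine that measures the expanded output before writing it and refuses to write at all when the result would not fit:

```c
#include <stddef.h>
#include <string.h>

/*
 * Dot-stuff text for BSMTP/SMTP transport: every line that begins with '.'
 * gets a second '.' prepended so the receiver does not mistake it for the
 * end-of-data marker. Output can be up to twice the input length; that
 * growth is what a fixed-size buffer must be sized for before any write.
 *
 * Returns the number of bytes written (excluding the NUL terminator), or
 * (size_t)-1 if 'out' cannot hold the stuffed text; nothing is written on
 * failure, so the caller can never be left with a partial, overrun buffer.
 */
size_t dot_stuff(const char *in, size_t inlen, char *out, size_t outcap)
{
    size_t need = inlen;
    int at_line_start = 1;

    /* First pass: compute the exact output size before touching 'out'. */
    for (size_t i = 0; i < inlen; i++) {
        if (at_line_start && in[i] == '.')
            need++;
        at_line_start = (in[i] == '\n');
    }
    if (need + 1 > outcap)          /* +1 for the terminating NUL */
        return (size_t)-1;

    /* Second pass: copy, doubling each leading dot. */
    size_t o = 0;
    at_line_start = 1;
    for (size_t i = 0; i < inlen; i++) {
        if (at_line_start && in[i] == '.')
            out[o++] = '.';
        out[o++] = in[i];
        at_line_start = (in[i] == '\n');
    }
    out[o] = '\0';
    return o;
}
```

The same discipline applies to the Hypermail cases: measure the untrusted attachment name or gethostbyaddr() result against the destination's capacity first, and reject or truncate instead of copying blindly.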
Noffle Remote Memory Corruption Vulnerability
BugTraq ID: 6695
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6695
Summary:
Noffle is a news (nntp) server designed to serve a small number of users over low-speed dial-up connections to the Internet. It is available for the Unix and Linux operating systems.

A memory corruption bug has been discovered in Noffle. The issue can be triggered remotely and may cause a segmentation violation in the affected server. This issue is likely caused when Noffle is attempting to process a malicious news group or entry. Although unconfirmed, this issue may be exploitable by a remote attacker to trigger a denial of service or possibly execute arbitrary code. Attacker-supplied instructions would be executed with the privileges of the invoker of Noffle, likely the 'news' user.

The technical details regarding this issue are currently unknown. This BID will be updated when further information becomes available.

MIT Kerberos Remote Heap Corruption Vulnerability
BugTraq ID: 6713
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6713
Summary:
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos is written and maintained by MIT. It is available for a variety of platforms including the Microsoft Windows, Unix, and Linux operating systems.

A vulnerability has been discovered in MIT Kerberos. It has been reported that, due to insufficient bounds checking and sanitization of user-supplied data, Kerberos is prone to memory corruption. A remote attacker may trigger this condition by supplying a negative length value in a malicious packet sent to a target server. This may result in insufficient memory being allocated or cause invalid memory to be referenced. Successful exploitation of this issue may result in a denial of service.
Due to the nature of this vulnerability it may be possible for an attacker to create a situation in which sensitive memory could be overwritten. If successful, this could allow for the execution of arbitrary code with the privileges of Kerberos. The possibility of exploiting this issue to execute code, however, has not been confirmed.

As this issue affects older releases of Kerberos, a BID may already exist. If this issue proves to be covered in a previous database entry, this BID will be retired and the correct BID will be updated accordingly.

MIT Kerberos Key Distribution Center Remote Format String Vulnerabilities
BugTraq ID: 6712
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6712
Summary:
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos is written and maintained by MIT. It is available for a variety of platforms including the Microsoft Windows, Unix, and Linux operating systems.

A number of vulnerabilities have been reported in the MIT Kerberos Key Distribution Center (KDC). It has been reported that the KDC fails to supply sufficient format specifiers when handling user-supplied data. Specifically, principal names supplied by a remote user are handled by functions of the printf family without supplying format specifiers. It has been determined that under some circumstances an unauthenticated remote user may be able to pass principal names to an affected server.

An attacker could exploit this vulnerability by supplying a maliciously crafted principal name containing format specifiers. By writing attacker-controlled values to memory using the %n format specifier, it may be possible for a remote attacker to execute arbitrary commands.

As this issue affects older releases of Kerberos, a BID may already exist.
If this issue proves to be covered in a previous database entry, this BID will be retired and the correct BID will be updated accordingly.

MIT Kerberos / Key Distribution Center Shared Key User Spoofing Vulnerability
BugTraq ID: 6714
Remote: Yes
Date Published: Jan 29 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6714
Summary:
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos is written and maintained by MIT. It is available for a variety of platforms including the Microsoft Windows, Unix, and Linux operating systems.

A vulnerability has been discovered in MIT Kerberos and the Key Distribution Center (KDC). It has been reported that a user within a realm implementing shared keys may be able to spoof another legitimate non-local user. This issue is exploitable due to insufficient realm transit path verification by the affected software. This vulnerability exists only if non-local principal names are located in the KDC's access control list.

The ability to impersonate another legitimate user may be leveraged by an attacker to obtain sensitive information. Under some circumstances a malicious attacker may be able to impersonate a user with privileges beyond their own.

This issue affects MIT Kerberos 5 release 1.2.2 and earlier.

As this issue affects older releases of Kerberos, a BID may already exist. If this issue proves to be covered in a previous database entry, this BID will be retired and the correct BID will be updated accordingly.

PLP Tools plpnfsd Syslog Format String Vulnerability
BugTraq ID: 6715
Remote: No
Date Published: Jan 29 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6715
Summary:
PLP Tools is a collection of libraries and utilities for enabling Unix and Linux variant systems to communicate with a Psion palmtop over a serial line.
plpnfsd is the server application that allows users to mount Psion filesystems on workstations.

A vulnerability has been reported for plpnfsd that may result in an attacker obtaining elevated privileges on the vulnerable system. Due to a programming error, it may be possible to exploit a format string vulnerability in plpnfsd. A logging function in plpnfsd contains insecure syslog() calls. This could result in the execution of attacker-supplied code.

The vulnerability occurs when plpnfsd receives a carefully constructed directory name that includes malicious format string specifiers. In the event that this vulnerability is exploited, an attacker could cause arbitrary locations in memory to be corrupted with attacker-specified data and execute code with elevated privileges. This vulnerability is also exacerbated by the fact that the plpnfsd daemon is installed with setuid root privileges.

This vulnerability was reported for plptools 0.6.

- To post an announcement: [EMAIL PROTECTED]
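The negative-length condition in BID 6713 above is a signedness check, not a buffer-size check: a length that is already negative sails past a naive "does it fit" comparison. As an added example that is not MIT Kerberos code and uses a constructed length-prefixed format rather than Kerberos' real encoding, this decoder shows where such a length has to be rejected:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed wire format for this example (not Kerberos' real encoding):
 * a 4-byte big-endian signed length followed by that many payload bytes.
 * A signed length is exactly where the Kerberos bug lived: a negative value
 * passes a naive 'len <= remaining' comparison and then turns into a huge
 * size_t when it reaches malloc() or memcpy(). */

#define FIELD_TRUNCATED  (-1)   /* fewer bytes present than the header claims */
#define FIELD_BAD_LENGTH (-2)   /* negative, or larger than the protocol allows */
#define FIELD_TOO_BIG    (-3)   /* caller's output buffer cannot hold the payload */

/* Largest payload any field may carry; every real protocol has such a cap. */
#define FIELD_MAX_LEN 4096u

/* Decode one length-prefixed field from buf[0..buflen). On success, copy the
 * payload into out (at most outcap bytes), store its length in *outlen and
 * return the number of input bytes consumed; otherwise return a FIELD_*
 * error and write nothing. */
int decode_field(const uint8_t *buf, size_t buflen,
                 uint8_t *out, size_t outcap, size_t *outlen)
{
    if (buflen < 4)
        return FIELD_TRUNCATED;

    /* Reassemble the length as unsigned so the sign bit can be inspected
     * explicitly instead of being interpreted by whatever integer type the
     * caller happened to store it in. */
    uint32_t raw = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];

    if (raw & 0x80000000u)              /* negative on the wire: reject */
        return FIELD_BAD_LENGTH;
    if (raw > FIELD_MAX_LEN)            /* positive but unreasonable: reject */
        return FIELD_BAD_LENGTH;

    size_t n = raw;                     /* now a small, non-negative size */
    if (n > buflen - 4)                 /* buflen >= 4, so no underflow here */
        return FIELD_TRUNCATED;
    if (n > outcap)
        return FIELD_TOO_BIG;

    memcpy(out, buf + 4, n);
    *outlen = n;
    return (int)(4 + n);
}
```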
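BIDs 6712 and 6715 above share one root cause: user-controlled text (a principal name, a directory name) handed to a printf-family or syslog() function as the format argument. Added example, not the KDC's or plpnfsd's code: the logging helper below always routes untrusted text through a "%s" conversion, and a small audit helper flags inputs that carry directives so they can be logged as suspicious.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Format a log line about an untrusted name. The name is always passed as an
 * argument matched by "%s", never as the format string itself; that single
 * difference separates the vulnerable pattern syslog(pri, name) from the safe
 * pattern syslog(pri, "%s", name). Returns the line length, or -1 if 'out'
 * is too small to hold it. */
int format_log_line(char *out, size_t outcap, const char *what,
                    const char *untrusted)
{
    /* 'untrusted' goes through %s, so any '%' it contains is plain data */
    int n = snprintf(out, outcap, "%s: %s", what, untrusted);
    if (n < 0 || (size_t)n >= outcap)
        return -1;                       /* truncated; caller decides */
    return n;
}

/* Logging as a daemon like plpnfsd would do it for a mount request. */
void log_dirname(const char *dirname)
{
    char line[256];
    if (format_log_line(line, sizeof line, "mount request for", dirname) < 0)
        syslog(LOG_WARNING, "mount request with overlong directory name");
    else
        syslog(LOG_INFO, "%s", line);    /* still "%s", never the line itself */
}

/* Audit helper: does the string contain any conversion directive? "%%" is a
 * literal percent and is not counted. Useful for flagging principal or
 * directory names that should never reach a printf-family format slot. */
int contains_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        if (p[1] == '%') { p++; continue; }
        return 1;
    }
    return 0;
}
```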
