SecurityFocus Linux Newsletter #137
-----------------------------------
This Issue is Sponsored by: SPI Dynamics
ALERT: "How a Hacker Uses SQL Injection to Steal Your Data"
It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!
http://www.securityfocus.com/SPIDynamics-ms-secnews4
-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Securing PHP: Step-by-step
     2. Tracking Down the Phantom Host
     3. From the Booby Hatch
II. LINUX VULNERABILITY SUMMARY
     1. FakeBO Syslog Format String Vulnerability
     2. PostNuke Modules.PHP Multiple Cross-Site Scripting Vulnerabilities
     3. PostNuke User.PHP UNAME Cross-Site Scripting Vulnerability
     4. ATFTP Blocksize Command Line Argument Local Buffer Overflow...
     5. Multiple Vendor PDF Hyperlinks Arbitrary Command Execution...
     6. MikMod Long File Name Local Buffer Overflow Vulnerability
     7. Progress Database DBAgent InstallDir Local Privilege Elevation...
     8. myServer Signal Handling Denial Of Service Vulnerability
     9. PHPBB Admin_Styles.PHP Theme_Info.CFG File Include Vulnerability
     10. Multiple Gnocatan Server Buffer Overflow Vulnerabilities
     11. Typespeed Remote Memory Corruption Vulnerability
     12. ATFTP Timeout Command Line Argument Local Buffer Overflow...
     13. Sphera HostingDirector Session ID Random Generator Weakness
     14. ATFTP TFTP-Timeout Command Line Argument Local Buffer Ove...
     15. Progress Database Environment Variable Local Privilege...
     16. Xoops/E-Xoops Tutorials Module Remote Command Execution...
     17. Pod.Board Forum_Details.PHP Multiple HTML Injection...
     18. Portmon Log File Option File Overwrite Vulnerability
     19. Dune HTTP Get Remote Buffer Overrun Vulnerability
     20. PMachine Lib.Inc.PHP Remote Include Command Execution...
     21. Squirrelmail Multiple Remote Vulnerabilities
     22. LedNews Post Script Code Injection Vulnerability
     23. Linux-PAM Pam_Wheel Module getlogin() Username Spoofing...
     24. Pod.Board New_Topic.PHP Multiple HTML Injection Vulnerabilities
     25. Portmon Host File Option Sensitive File Arbitrary Content...
     26. MyServer HTTP Server Directory Traversal Vulnerability
     27. NetHack / JNetHack Incorrect Permissions Vulnerability
     28. MidHosting FTP Daemon Shared Memory Local Denial Of Service...
     29. Alguest Admin Panel Cookie Authentication Bypass Vulnerability
III. LINUX FOCUS LIST SUMMARY
     1. deny deleting a file for users.. trying a solution (Thread)
     2. New SecurityFocus Article (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. Zorp
     2. AccessGuard
     3. AlphaShield
V. NEW TOOLS FOR LINUX PLATFORMS
     1. fireflier v1.1.1
     2. SRG v1.0b2
     3. UDP Ping Logger v0.2
VI. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Securing PHP: Step-by-step
By Artur Maj

This article shows the basic steps in securing PHP, one of the most popular scripting languages used to create dynamic web pages on the Internet.

http://www.securityfocus.com/infocus/1706

2. Tracking Down the Phantom Host
By John Payton

This article explains techniques on how to locate a problem host when you are not sure where it is physically located.

http://www.securityfocus.com/infocus/1705

3. From the Booby Hatch
By George Smith

Senator Orrin Hatch says he wants to destroy music swappers' computers, but what he really means is that kids today have no respect for their elders.

http://www.securityfocus.com/columnists/168

II. BUGTRAQ SUMMARY
-------------------
1. FakeBO Syslog Format String Vulnerability
BugTraq ID: 7882
Remote: Yes
Date Published: Jun 12 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7882
Summary:
FakeBO is a utility to log common trojan attempts in an effort to possibly emulate one. It may also be used in a honeypot setup to facilitate security monitoring. It is available for Microsoft Windows, Linux, and Unix variant operating systems.

A vulnerability has been reported for FakeBO that may result in an attacker obtaining elevated privileges on a target system.
Due to a programming error, it may be possible to exploit a format string vulnerability in the affected utility. Specifically, a logging function in FakeBO contains insecure syslog() calls. This could result in the execution of attacker-supplied code. The vulnerability occurs when FakeBO resolves a carefully constructed hostname that includes malicious format string specifiers.

In the event that this vulnerability is exploited, an attacker could cause arbitrary locations in memory to be corrupted with attacker-specified data and execute code with elevated privileges.

This vulnerability was reported for FakeBO 0.4.1.

2. PostNuke Modules.PHP Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 7898
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7898
Summary:
PostNuke is a web-based portal system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows.

The PostNuke 'modules.php' script does not sufficiently sanitize data supplied via URI parameters, making it prone to cross-site scripting attacks. In particular, the 'categories' and 'letter' URI parameters are not properly sanitized of HTML tags. This could allow for execution of hostile HTML and script code in the web client of a user who visits a web page that contains the malicious code. This would occur in the security context of the site hosting the software.

Exploitation could allow for theft of cookie-based authentication credentials. Other attacks are also possible.

It should be noted that although this vulnerability has been reported to affect PostNuke version 0.7.2.3, other versions might also be affected.

3. PostNuke User.PHP UNAME Cross-Site Scripting Vulnerability
BugTraq ID: 7901
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7901
Summary:
PostNuke is a web-based portal system.
Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows.

The PostNuke 'user.php' script does not sufficiently sanitize data supplied via URI parameters, making it prone to cross-site scripting attacks. In particular, the 'uname' URI parameter is not properly sanitized of HTML tags. This could allow for execution of hostile HTML and script code in the web client of a user who visits a web page that contains the malicious code. This would occur in the security context of the site hosting the software.

Exploitation could allow for theft of cookie-based authentication credentials. Other attacks are also possible.

It should be noted that although this vulnerability has been reported to affect PostNuke version 0.7.2.3, other versions might also be affected.

4. ATFTP Blocksize Command Line Argument Local Buffer Overflow Vulnerability
BugTraq ID: 7907
Remote: No
Date Published: Jun 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7907
Summary:
atftp is a TFTP client/server implementation for Linux and Unix variants.

atftp is prone to a locally exploitable buffer overflow condition. This issue is due to insufficient bounds checking performed on input supplied to the command line parameter (-b) for "blocksize". By providing a string of excessive length as a value for the command line parameter, it is possible to trigger this condition to corrupt stack variables. Local attackers may leverage the resulting memory corruption to execute arbitrary instructions. If atftp is installed setuid/setgid, an attacker may potentially exploit this condition to execute arbitrary instructions with elevated privileges.

It should be noted that although this vulnerability has been reported to affect atftp version 0.7cvs, other versions might also be vulnerable. It should also be noted that atftp is not installed setuid/setgid by default.

5. Multiple Vendor PDF Hyperlinks Arbitrary Command Execution Vulnerability
BugTraq ID: 7912
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7912
Summary:
A vulnerability has been reported for multiple PDF viewers for Unix variant operating systems. Both Adobe Acrobat Reader and Xpdf are said to be affected.

The vulnerability allegedly occurs when following a malicious hyperlink. When the hyperlink is followed, the PDF viewer externally calls the 'sh -c' command to invoke a utility to handle the request. Supposedly, when the link is followed it is possible to execute arbitrary code by placing shell metacharacters designed to escape the command. This can be accomplished by placing (`) characters within the hyperlink.

Successful exploitation of this vulnerability could potentially allow an attacker to execute arbitrary commands on a target system with the privileges of the user invoking the PDF document. This would occur externally to the program, and the utility invoked to handle the link would still be called.

The exploitability of this issue is said to vary between PDF viewers, as some do not support the use of external hyperlinks. If a viewer is currently invoked within a browser, the call to 'sh -c' may not be made.

This vulnerability is said to affect Adobe Acrobat Reader 5.06 and Xpdf 1.01; however, other versions may also be affected.

It should be noted that this vulnerability may be similar to that described in BID 1624. If it is concluded that this is in fact the case, the older BID will be updated and this BID will be retired.

6. MikMod Long File Name Local Buffer Overflow Vulnerability
BugTraq ID: 7914
Remote: No
Date Published: Jun 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7914
Summary:
mikmod is a freely available, open source sound library and module player. It is available for Unix, Linux, and Microsoft platforms.
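Returning to entry 5 (BID 7912) above: the root cause is that the hyperlink is spliced into a command string that 'sh -c' re-parses, so shell metacharacters in the link change what runs. The following is an added example, not code from Xpdf, Acrobat Reader or any other project, contrasting that pattern with passing the URL as a discrete argv element so that no shell ever sees it. The handler program name and the sample URL are assumptions made for the example.

```c
/* Added example for BID 7912 (entry 5): not Xpdf or Acrobat Reader code.
 * It contrasts handing a hyperlink to "sh -c" with passing it as a discrete
 * argv element, so no shell ever parses the URL. "handler" is an assumed
 * placeholder for whatever program the viewer delegates URLs to. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Characters a POSIX shell interprets. Useful for logging or alerting on
 * suspicious links; it is NOT the fix, because blacklists are incomplete. */
static const char SHELL_META[] = "`$|&;<>()\"'\\ \t\n*?[]{}~!#";

int has_shell_metachars(const char *s)
{
    return strpbrk(s, SHELL_META) != NULL;
}

/* The pattern the advisory describes: handler and URL concatenated into one
 * string that /bin/sh re-parses. Quoting does not rescue it (a quote inside
 * the URL ends the quoted region). Kept only for contrast; never called. */
int open_link_via_shell(const char *handler, const char *url)
{
    char cmd[4096];
    if (snprintf(cmd, sizeof cmd, "%s '%s'", handler, url) >= (int)sizeof cmd)
        return -1;
    return system(cmd);          /* system() is "sh -c" */
}

/* Hardened form: handler and URL are separate argv entries. The kernel hands
 * them to the handler verbatim; backticks in the URL are just bytes. */
int build_handler_argv(const char *handler, const char *url,
                       char *argv[], size_t argv_len)
{
    if (argv_len < 3 || handler == NULL || url == NULL) return -1;
    argv[0] = (char *)handler;
    argv[1] = (char *)url;
    argv[2] = NULL;
    return 2;
}

/* fork + execvp with the vector above: no shell is involved at any point.
 * Returns the handler's exit status, or -1 on failure. */
int open_link_noshell(const char *handler, const char *url)
{
    char *argv[3];
    if (build_handler_argv(handler, url, argv, 3) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);   /* only returns on failure */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Check used by the tests: the URL survives argv construction byte-for-byte. */
int url_arg_intact(const char *url)
{
    char *argv[3];
    if (build_handler_argv("handler", url, argv, 3) != 2) return 0;
    return strcmp(argv[1], url) == 0 && argv[2] == NULL;
}

int main(int argc, char **argv)
{
    /* Constructed sample link carrying a backtick, as in the advisory. */
    const char *url = argc > 1 ? argv[1] : "http://www.example.com/a`b.pdf";
    printf("shell metacharacters present: %s\n",
           has_shell_metachars(url) ? "yes" : "no");
    /* "echo" stands in for a real handler: it prints the URL it received. */
    return open_link_noshell("echo", url);
}
```

Run stand-alone, the program prints the URL unchanged, which is the point: with execvp the backtick reaches the handler as data, whereas with system() it would have reached /bin/sh as syntax. The same argv discipline applies to any viewer, mail client or browser that delegates links to an external program.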
A problem with the program may make it possible for users to gain unauthorized privileges. It has been reported that mikmod does not properly handle some types of input. Because of this, an attacker may be able to gain unauthorized privileges on a system using the program.

mikmod does not properly handle file names of arbitrary length. Long file names inside archive files can cause the corruption of sensitive process memory, which may potentially be exploited to execute code with the privileges of the process.

7. Progress Database DBAgent InstallDir Local Privilege Elevation Vulnerability
BugTraq ID: 7915
Remote: No
Date Published: Jun 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7915
Summary:
Progress Database is a commercial database for Microsoft Windows, Linux, and Unix systems. A problem with the software may grant unauthorized privileges.

It has been reported that dbagent, packaged with Progress, does not properly handle untrusted input in some command line arguments. Because of this, an attacker may be able to gain unauthorized privileges.

The problem is in the installdir option. The dbagent program does not perform sufficient checks or sanitizing of values passed with this argument when executed. This could lead to an attacker supplying a directory in an arbitrary location on the system, and potentially loading a malicious library into the program. Any library code loaded and executed through the installdir argument would run with the privileges of the dbagent program. dbagent is typically installed with elevated privileges.

8. myServer Signal Handling Denial Of Service Vulnerability
BugTraq ID: 7917
Remote: Yes
Date Published: Jun 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7917
Summary:
myServer is an application and web server for Microsoft Windows and Linux operating systems.

A vulnerability has been reported for myServer that may result in a denial of service condition.
The vulnerability exists when myServer receives certain signals. Specifically, when myServer receives the SIGINT signal, it will crash.

This vulnerability was reported to affect myServer 0.4.1.

9. PHPBB Admin_Styles.PHP Theme_Info.CFG File Include Vulnerability
BugTraq ID: 7932
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7932
Summary:
phpBB is an open-source web forum application that is written in PHP and supported by a number of database products. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

It has been reported that phpBB may permit an attacker to influence the include path of 'theme_info.cfg'. The path to this file can be influenced by supplying a malicious value for the '$install_to' CGI variable. While it does not seem possible to supply a path to a remote server, it may be possible to supply a relative path to a malicious local 'theme_info.cfg' file. This could lead to execution of arbitrary PHP code with the privileges of the web server.

Older versions of PHP may also permit an attacker to specify a path to an arbitrary system file by including a NULL byte (%00) in the request, which could reportedly cause files to be disclosed to the attacker.

10. Multiple Gnocatan Server Buffer Overflow Vulnerabilities
BugTraq ID: 7877
Remote: Yes
Date Published: Jun 12 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7877
Summary:
Gnocatan is a multiplayer game. It is available for Microsoft Windows and Linux operating systems.

The Gnocatan game server is prone to multiple remotely exploitable buffer overflow vulnerabilities. The vulnerabilities are due to insufficient bounds checking of data supplied to the server, which could result in corruption of memory with attacker-supplied values. These conditions could potentially be exploited to execute malicious code in the context of the server or to launch denial of service attacks.
Specific technical details regarding these vulnerabilities are not available at this time. This BID will be updated as more details become available.

11. Typespeed Remote Memory Corruption Vulnerability
BugTraq ID: 7891
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7891
Summary:
Typespeed is a game designed to test typing skills. It is available for the Linux operating system. Typespeed is installed setgid 'games' by default on the Debian Linux distribution.

A memory corruption vulnerability has been reported for Typespeed that may result in code execution with elevated privileges. The vulnerability exists in the net_swapscore() function of the 'network.c' source file. Specifically, proper bounds checks are not performed prior to executing the 'strncpy' function. A remote attacker may be able to exploit this vulnerability to corrupt sensitive process memory with attacker-supplied code.

This vulnerability was reported for Typespeed 0.4.1 and earlier.

12. ATFTP Timeout Command Line Argument Local Buffer Overflow Vulnerability
BugTraq ID: 7902
Remote: No
Date Published: Jun 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7902
Summary:
atftp is a TFTP client/server implementation for Linux and Unix variants.

atftp is prone to a locally exploitable buffer overflow condition. This issue is due to insufficient bounds checking performed on input supplied to the command line parameter (-t) for "timeout". By providing a string of excessive length (9000 bytes) as a value for the command line parameter, it is possible to trigger this condition to corrupt stack variables. Local attackers may leverage the resulting memory corruption to execute arbitrary instructions. If atftp is installed setuid/setgid, an attacker may potentially exploit this condition to execute arbitrary instructions with elevated privileges.
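Entries 1, 4, 6, 11 and 12 above (and 14 below) share two C-level defects: a string the attacker controls is copied into a fixed buffer without checking it fits (atftp's option values, mikmod's file names, Typespeed's strncpy() whose length comes from the source rather than the destination), or is handed to syslog() as the format string itself (FakeBO). The following is an added example, not code from any of those projects, showing the two checks that close both classes: a length-checked copy that fails instead of overflowing, and a log call that passes the string through "%s". The buffer size, the 3600-second ceiling and the sample inputs are assumptions made for the example.

```c
/* Added example for the atftp, mikmod, Typespeed and FakeBO entries: not
 * code from any of those projects. Two helpers for strings an attacker
 * influences: a length-checked copy into a fixed buffer, and a log formatter
 * that treats the string as data rather than as a format. Buffer sizes and
 * the 3600-second ceiling are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

#define OPT_MAX 32          /* assumed size of the command-line option buffer */

/* Copy src into dst[dstlen]. Returns the length copied, or -1 when src would
 * not fit together with its terminating NUL. Compare strncpy(dst, src, n):
 * it does not terminate when src is too long, and if n is derived from the
 * source length rather than the destination size it overflows. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    if (dst == NULL || src == NULL || dstlen == 0) return -1;
    size_t n = strnlen(src, dstlen);    /* never scans past dstlen bytes */
    if (n >= dstlen) return -1;         /* no room for the terminator */
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Parse a numeric option value such as a timeout: bounded copy first, then
 * strtol with full-consumption and range checks. Returns the value, or dflt
 * when the argument is over-long, non-numeric or out of range. */
long timeout_or_default(const char *arg, long dflt)
{
    char buf[OPT_MAX];
    if (copy_bounded(buf, sizeof buf, arg) < 0) return dflt;
    char *end;
    long v = strtol(buf, &end, 10);
    if (end == buf || *end != '\0' || v < 0 || v > 3600) return dflt;
    return v;
}

/* Log a resolved hostname. The hostname goes through "%s": a name carrying
 * "%n" or "%x" is written literally instead of being interpreted. The bug
 * the FakeBO entry describes is the one-argument form syslog(LOG_INFO, host). */
void log_host(const char *host)
{
    syslog(LOG_INFO, "connection from %s", host);
}

/* Same formatting into a buffer so the behaviour can be checked without a
 * syslog daemon; returns the length of the line produced. */
int host_log_len(const char *host)
{
    char line[256];
    int n = snprintf(line, sizeof line, "connection from %s", host);
    return n < 0 ? -1 : n;
}

/* Constructed input in the spirit of the 9000-byte argument mentioned above. */
int rejects_oversized_arg(void)
{
    char *big = malloc(9001);
    if (big == NULL) return 0;
    memset(big, '9', 9000);
    big[9000] = '\0';
    char buf[OPT_MAX];
    int rc = copy_bounded(buf, sizeof buf, big);
    free(big);
    return rc == -1;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "5";
    printf("timeout = %ld\n", timeout_or_default(arg, 5));
    /* Constructed hostname containing format directives. */
    printf("log line length = %d\n", host_log_len("host-with-%x%n-in-name"));
    return 0;
}
```

The design choice worth noting is that copy_bounded() refuses over-long input rather than truncating it: a silently truncated option value is still a parsing bug, and an explicit error is what a setuid program should return before it touches anything else.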
It should be noted that although this vulnerability has been reported to affect atftp version 0.7cvs, other versions might also be vulnerable.

13. Sphera HostingDirector Session ID Random Generator Weakness
BugTraq ID: 7904
Remote: Yes
Date Published: Jun 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7904
Summary:
HostingDirector is a commercially available system administration package distributed by Sphera. It is available for the Linux and Microsoft Windows platforms. A problem with the software may increase the possibility of a user gaining unauthorized access to the system.

It has been reported that Sphera HostingDirector uses a weak method of generating session IDs. This problem may increase the possibility of an attacker brute-force guessing a valid session ID.

The problem is in the method used to generate session IDs. Upon session ID generation, each new session ID may be a total of 11 bytes in length, of which five bytes vary from a previously generated session ID. Of these five bytes, one is incremented sequentially in a predictable location. This value is stored in a cookie on the system of the authenticated user. It, and the session ID, is persistent until the user logs out.

To gain access to a vulnerable implementation, an attacker still must know a valid user name to place in the authentication cookie.

14. ATFTP TFTP-Timeout Command Line Argument Local Buffer Overflow Vulnerability
BugTraq ID: 7906
Remote: No
Date Published: Jun 13 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7906
Summary:
atftp is a TFTP client/server implementation for Linux and Unix variants.

atftp is prone to a locally exploitable buffer overflow condition. This issue is due to insufficient bounds checking performed on input supplied to the command line parameter (-T) for "tftp-timeout". By providing a string of excessive length as a value for the command line parameter, it is possible to trigger this condition to corrupt stack variables.
Local attackers may leverage the resulting memory corruption to execute arbitrary instructions. If atftp is installed setuid/setgid, an attacker may potentially exploit this condition to execute arbitrary instructions with elevated privileges.

It should be noted that although this vulnerability has been reported to affect atftp version 0.7cvs, other versions might also be vulnerable. It should also be noted that atftp is not installed setuid/setgid by default.

15. Progress Database Environment Variable Local Privilege Escalation Vulnerability
BugTraq ID: 7916
Remote: No
Date Published: Jun 14 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7916
Summary:
Progress Database is a commercial database for Microsoft Windows, Linux, and Unix systems. A problem with the software may grant unauthorized privileges.

It has been reported that Progress Database does not properly handle untrusted input when opening shared libraries. Specifically, the dlopen() function, used by several Progress utilities in /usr/dlc/bin/, checks the user's PATH environment variable when including shared object libraries. If any shared objects are found, Progress will load and execute them. Due to this, an attacker may be able to gain unauthorized privileges.

An attacker can exploit this vulnerability by creating a malicious shared object and setting the PATH environment variable to include the directory containing the shared object. When certain utilities in the /usr/dlc/bin/ directory are executed, the malicious shared library will be loaded. Any library code loaded will execute with elevated privileges.

16. Xoops/E-Xoops Tutorials Module Remote Command Execution Vulnerability
BugTraq ID: 7927
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7927
Summary:
Xoops is open-source, freely available web portal software written in object-oriented PHP. It is back-ended by a MySQL database and will run on most Unix and Linux distributions.
The Tutorials module allows remote users to upload various content to a site, including files of image MIME types. All images are uploaded to the images directory. This module is also available for E-Xoops.

A vulnerability has been discovered in the function used by Tutorials to upload images to a site. The problem occurs due to the module failing to verify that the file being uploaded is indeed of an image MIME type. Due to this lack of input validation, a remote attacker may be capable of uploading malicious script files to the images directory or possibly other locations on the system.

If a script file were successfully uploaded, an attacker could subsequently trigger its execution by issuing an HTTP request for the file. This would effectively result in the execution of arbitrary system commands with the privileges of the httpd server, possibly root.

17. Pod.Board Forum_Details.PHP Multiple HTML Injection Vulnerabilities
BugTraq ID: 7933
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7933
Summary:
pod.board is a web-based portal/forum system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows.

The pod.board 'forum_details.php' script does not sufficiently sanitize data supplied via URI parameters or web-based input fields, making it prone to HTML injection attacks. In particular, the 'user_homepage', 'user_location', 'user_nick' and 'user_signature' URI parameters and corresponding input fields are not properly sanitized of HTML tags. This could allow for execution of hostile HTML and script code in the web client of a user who visits a web page that contains the malicious injected code. This would occur in the security context of the site hosting the software.

Exploitation could allow for theft of cookie-based authentication credentials. Other attacks are also possible.
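The HTML injection entries above (PostNuke, entries 2 and 3; pod.board, entry 17; and the similar LedNews and pod.board new_topic.php entries later in this issue) all describe the same missing step: user-supplied text is placed into a page without being escaped. The following is an added example, not code from any of those projects, showing the output-escaping routine that makes posted tags render as text rather than execute; the page template, field names and sample posts are constructed for the example.

```c
/* Added example for the HTML injection entries (PostNuke, pod.board,
 * LedNews): not code from any of those projects. Output escaping is the fix
 * that makes a posted "<script>" arrive in the browser as text. The page
 * template and the sample posts are constructed. */
#include <stdio.h>
#include <string.h>

/* Replace the characters that change HTML context with entity references.
 * Returns the escaped length, or -1 if out[outlen] cannot hold the result
 * (out is left NUL-terminated but truncated). */
int html_escape(const char *in, char *out, size_t outlen)
{
    if (outlen == 0) return -1;
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char literal[2] = { (char)*p, '\0' };
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = literal;  break;
        }
        size_t n = strlen(rep);
        if (o + n >= outlen) { out[o] = '\0'; return -1; }
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

/* Render a topic title into a fragment the way a forum page would. The
 * vulnerable form is snprintf(out, outlen, "<h2>%s</h2>", title) with the
 * raw title; this version escapes first. */
int render_topic_title(const char *title, char *out, size_t outlen)
{
    char safe[1024];
    if (html_escape(title, safe, sizeof safe) < 0) return -1;
    int n = snprintf(out, outlen, "<h2>%s</h2>", safe);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Check helper: does escaping `in` yield exactly `expected`? */
int escapes_to(const char *in, const char *expected)
{
    char out[1024];
    if (html_escape(in, out, sizeof out) < 0) return 0;
    return strcmp(out, expected) == 0;
}

/* Check helper: after rendering, does the fragment still contain a raw '<'
 * anywhere other than the template's own <h2> and </h2>? */
int rendered_contains_raw_tag(const char *title)
{
    char out[2048];
    if (render_topic_title(title, out, sizeof out) < 0) return -1;
    const char *body = out + 4;               /* skip "<h2>" */
    size_t len = strlen(body) - 5;            /* drop "</h2>" */
    return memchr(body, '<', len) != NULL;
}

int main(void)
{
    char out[2048];
    /* Constructed post of the kind the advisories describe. */
    const char *title = "Hello <b>world</b> & \"friends\" <script>x</script>";
    if (render_topic_title(title, out, sizeof out) < 0) return 1;
    puts(out);
    return 0;
}
```

Escaping at output time, in the context the data lands in (here an HTML text node), is preferable to stripping tags on input: the stored text stays intact, and the same field can later be emitted safely into an attribute or a URL by a different escaper for that context.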
It should be noted that although this vulnerability has been reported to affect pod.board version 1.1, other versions might also be affected.

18. Portmon Log File Option File Overwrite Vulnerability
BugTraq ID: 7943
Remote: No
Date Published: Jun 17 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7943
Summary:
Portmon is a freely available, open source network service monitoring utility. It is available for Unix and Linux operating systems. A problem with the software may give local users the ability to overwrite information.

Portmon is typically installed with elevated privileges, as it requires these privileges to use raw sockets. When the program is executed, and a file with restricted privileges is supplied as an argument to the log file command line argument, the contents of the file will be corrupted by portmon. This could result in a denial of service if critical files are corrupted. It is not known if files can be corrupted with custom data, though if this is possible, an attacker may potentially exploit this issue to elevate privileges.

19. Dune HTTP Get Remote Buffer Overrun Vulnerability
BugTraq ID: 7945
Remote: Yes
Date Published: Jun 17 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7945
Summary:
Dune is a freely available, open source HTTP server for the Unix and Linux platforms. A problem with the program may make it possible for an attacker to gain unauthorized access.

It has been reported that Dune is vulnerable to a remote boundary condition error when handling long requests. This could allow a remote attacker to execute arbitrary code on a vulnerable system.

The problem is insufficient bounds checking of HTTP GET requests. By placing an HTTP GET request of 48 or more bytes, an attacker can cause the overwriting of sensitive process memory. This could be exploited to execute code with the privileges of the web server process.

It should be noted that the Dune project is no longer maintained.

20. PMachine Lib.Inc.PHP Remote Include Command Execution Vulnerability
BugTraq ID: 7919
Remote: Yes
Date Published: Jun 15 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7919
Summary:
PMachine is a web content management system. It is available for the Unix and Linux platforms. A problem with the software may make unauthorized access possible.

It has been reported that PMachine does not properly handle include files under some circumstances. Because of this, an attacker may be able to remotely execute commands.

The problem is in the lib.inc.php file. This file does not adequately check the input of an include() function. Because of this, an attacker can supply a value pointing to a remote include file containing malicious commands to be executed in a shell on the local host. This could allow an attacker to gain access to the host with the privileges of the web server process.

21. Squirrelmail Multiple Remote Vulnerabilities
BugTraq ID: 7952
Remote: Yes
Date Published: Jun 17 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7952
Summary:
SquirrelMail is a webmail program implemented in the PHP4 language. It is available for Linux and Unix based operating systems.

Multiple vulnerabilities have been reported for SquirrelMail PHP scripts which could be exploited to carry out a variety of attacks. Successful exploitation could result in a wide variety of circumstances including data corruption, information disclosure, and privilege escalation.

These vulnerabilities were reported for SquirrelMail 1.2.11; however, earlier versions may also be affected.

It should be noted that as further analysis is carried out on these vulnerabilities, each issue will be given its own individual Bugtraq ID. At that time, this BID will be retired.

22. LedNews Post Script Code Injection Vulnerability
BugTraq ID: 7920
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7920
Summary:
LedNews is a freely available, open source news posting script. It is available for the Unix and Linux platforms. A problem with the software may make script injection attacks possible.

It has been reported that LedNews does not properly filter input from news posts. Because of this, it may be possible for an attacker to steal authentication cookies or perform other nefarious activities.

The problem is in filtering of input. The program does not properly sanitize input, allowing HTML and script code to be posted as news. This could be abused to execute code in the browser of site users. It should be noted that it may also be possible to execute arbitrary commands through server-side includes on a host using the vulnerable software.

23. Linux-PAM Pam_Wheel Module getlogin() Username Spoofing Privilege Escalation Vulnerability
BugTraq ID: 7929
Remote: No
Date Published: Jun 16 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7929
Summary:
Linux-PAM (Pluggable Authentication Modules for Linux) is an authentication system used to enforce various access restrictions and security mechanisms. The pam_wheel module can be used to enforce access restrictions to various utilities, such as 'su', using the 'wheel' group. When the "trust" configuration option is implemented, users of the trusted group are not required to supply a password when running the 'su' utility. A configuration option "use_uid" is also available which specifies whether a user of the trusted group should be verified using the login name or user id.

A vulnerability has been discovered in the pam_wheel module when running a configuration with the "trust" option enabled and the "use_uid" option disabled.
The vulnerability occurs due to the insecure use of the getlogin() function when verifying user login names against a list of trusted users. It should be noted that the said configuration is not used by default.

Due to the insecure use of getlogin(), a local attacker may be capable of gaining unauthorized 'root' privileges without supplying a password. This can be accomplished by spoofing the 'logname' return value, effectively causing the getlogin() function to return the name of another logged-in user. The spoofed user would have to be logged in to the system and also be part of the trusted group for this attack to take place.

Successful exploitation of this issue would allow an attacker to invoke the 'su' utility and gain unauthorized superuser privileges.

24. Pod.Board New_Topic.PHP Multiple HTML Injection Vulnerabilities
BugTraq ID: 7936
Remote: Yes
Date Published: Jun 16 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7936
Summary:
pod.board is a web-based portal/forum system. Implemented in PHP, it is available for a range of systems, including Unix, Linux, and Microsoft Windows.

The pod.board 'new_topic.php' script does not sufficiently sanitize data supplied via URI parameters or web-based input fields, making it prone to HTML injection attacks. In particular, the 'topic_title' and 'post_text' URI parameters and corresponding input fields are not properly sanitized of HTML tags. This could allow for execution of hostile HTML and script code in the web client of a user who visits a web page that contains the malicious injected code. This would occur in the security context of the site hosting the software.

Exploitation could allow for theft of cookie-based authentication credentials. Other attacks are also possible.

It should be noted that although this vulnerability has been reported to affect pod.board version 1.1, other versions might also be affected.

25. Portmon Host File Option Sensitive File Arbitrary Content Display Vulnerability
BugTraq ID: 7941
Remote: No
Date Published: Jun 17 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7941
Summary:
Portmon is a freely available, open source network service monitoring utility. It is available for Unix and Linux operating systems. A vulnerability in the software may give local users unauthorized access to sensitive information.

Portmon is typically installed with elevated privileges, as it requires these privileges to use raw sockets. When the program is executed, and a file with restricted privileges is supplied as an argument to the hosts command line argument (-c), the contents of the file are displayed to the user executing portmon. This could reveal sensitive information to a malicious local user.

26. MyServer HTTP Server Directory Traversal Vulnerability
BugTraq ID: 7944
Remote: Yes
Date Published: Jun 17 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7944
Summary:
MyServer is an application and web server for Microsoft Windows and Linux operating systems.

The MyServer HTTP server is prone to a file disclosure vulnerability. Encoded directory traversal sequences may be used to break out of the web root directory. Attackers may gain access to files that are readable by the web server as a result.

Successful exploitation may expose sensitive information to remote attackers. This information could be used to aid in further attacks that attempt to compromise the host.

It should be noted that although this vulnerability has been reported to affect MyServer version 0.4.1, other versions might also be affected.

27. NetHack / JNetHack Incorrect Permissions Vulnerability
BugTraq ID: 7953
Remote: No
Date Published: Jun 12 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7953
Summary:
Nethack and jnethack are games included with several distributions of Linux, including Debian Linux.
It has been reported that Nethack and jnethack are configured incorrectly with weak default permissions. Successful exploitation of this vulnerability may result in a local attacker obtaining elevated privileges. Other attacks are also possible.

The precise technical nature of this vulnerability is currently unknown. This BID will be updated as further information becomes available.

28. MidHosting FTP Daemon Shared Memory Local Denial Of Service Vulnerability
BugTraq ID: 7956
Remote: No
Date Published: Jun 18 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7956
Summary:
MidHosting FTP Daemon is a freely available, open source FTP daemon. It is available for the Unix and Linux platforms. A problem with the software may make it possible for an attacker to deny service to legitimate users.

It has been reported that MidHosting FTP Daemon does not properly implement shared memory when the m flag (-m) is enabled. Because of this, an attacker could corrupt process memory, causing the service to crash.

MidHosting FTPd does not sufficiently protect the shared memory from arbitrary read/write access. An attacker with shell access to a system using the vulnerable server software could overwrite sections of the shared memory used by the process.

29. Alguest Admin Panel Cookie Authentication Bypass Vulnerability
BugTraq ID: 7957
Remote: Yes
Date Published: Jun 18 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/7957
Summary:
Alguest is a web-based guestbook based on a MySQL database, written in PHP. It is designed to run on Windows, Linux and Unix variants.

Alguest is prone to an issue which may allow remote attackers to bypass authentication procedures and gain administrative access to the software. The issue presents itself because the affected software checks only for the existence of an authentication cookie before granting administrative access to the software.
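Two of the entries above describe server-side checks that are missing rather than merely weak: MyServer (entry 26) accepts encoded traversal sequences that escape the web root, and Alguest (entry 29) grants admin access on the mere presence of a cookie. The following is an added example, not code from either project, showing both checks as a small web server would implement them: percent-decoding plus path canonicalization that refuses anything climbing above the root (backslashes treated as separators because the server also runs on Windows), and a cookie check that requires the value to match a session the server issued. The session table, the tokens and the request paths are constructed for the example.

```c
/* Added example for entries 26 (MyServer, BID 7944) and 29 (Alguest,
 * BID 7957): not code from either project. Part one decodes and normalizes
 * a request path and rejects root escapes; part two accepts an admin cookie
 * only when its value matches an issued session. All tokens are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX sequences once. Malformed escapes and an encoded NUL (%00) are
 * rejected: a NUL would silently truncate the path in later C string calls. */
int url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            if (c == 0) return -1;
            i += 2;
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Normalize a decoded path to canonical root-relative form, treating '\\'
 * like '/'. Returns 0, or -1 when a ".." would move above the root. */
int canonicalize(const char *path, char *out, size_t outlen)
{
    char buf[1024];
    const char *segs[128];
    size_t n = 0, o = 0;
    if (strlen(path) >= sizeof buf) return -1;
    strcpy(buf, path);
    for (char *p = buf; *p; p++) if (*p == '\\') *p = '/';
    char *save = NULL;
    for (char *tok = strtok_r(buf, "/", &save); tok; tok = strtok_r(NULL, "/", &save)) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) { if (n == 0) return -1; n--; continue; }
        if (n == sizeof segs / sizeof segs[0]) return -1;
        segs[n++] = tok;
    }
    if (outlen < 2) return -1;
    if (n == 0) { strcpy(out, "/"); return 0; }
    for (size_t i = 0; i < n; i++) {
        size_t l = strlen(segs[i]);
        if (o + 1 + l + 1 > outlen) return -1;
        out[o++] = '/';
        memcpy(out + o, segs[i], l);
        o += l;
    }
    out[o] = '\0';
    return 0;
}

/* Decode, then canonicalize. 0 means `out` is safe to append to the web
 * root; -1 means reject the request (403/404) and log it. */
int resolve_request_path(const char *raw, char *out, size_t outlen)
{
    char dec[1024];
    if (url_decode(raw, dec, sizeof dec) < 0) return -1;
    return canonicalize(dec, out, outlen);
}

int resolves_to(const char *raw, const char *expected)
{
    char out[1024];
    return resolve_request_path(raw, out, sizeof out) == 0 && strcmp(out, expected) == 0;
}

int path_allowed(const char *raw)
{
    char out[1024];
    return resolve_request_path(raw, out, sizeof out) == 0;
}

/* Sessions the server has issued (in practice a database or session store). */
struct session { const char *token; int is_admin; };
static const struct session SESSIONS[] = {              /* constructed */
    { "constructed-admin-token-1", 1 },
    { "constructed-user-token-2",  0 },
};

/* Compare without early exit so timing does not reveal how many bytes matched. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la != lb) return 0;
    unsigned diff = 0;
    for (size_t i = 0; i < la; i++) diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
    return diff == 0;
}

/* The check the Alguest entry describes: presence of the cookie is enough. */
int admin_check_weak(const char *cookie_value)
{
    return cookie_value != NULL;
}

/* Hardened: the value must equal an issued token that is flagged as admin. */
int admin_check(const char *cookie_value)
{
    if (cookie_value == NULL) return 0;
    int ok = 0;
    for (size_t i = 0; i < sizeof SESSIONS / sizeof SESSIONS[0]; i++)
        ok |= ct_equal(SESSIONS[i].token, cookie_value) & SESSIONS[i].is_admin;
    return ok;
}
```

Decoding exactly once and canonicalizing afterwards is the order that matters: a check applied to the raw, still-encoded string is what lets "%2e%2e" slip past a literal ".." filter, and a check applied after joining to the web root has already produced a path the operating system will happily open.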
The attacker may manually craft a cookie sufficient to bypass the authentication check and proceed to make an HTTP request for the Alguest admin panel. Ultimately the fake cookie may bypass the Alguest authentication procedure and the attacker will gain administrative access to the guestbook.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. deny deleting a file for users.. trying a solution (Thread)
Relevant URL: http://www.securityfocus.com/archive/91/325669

2. New SecurityFocus Article (Thread)
Relevant URL: http://www.securityfocus.com/archive/91/325414

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Zorp
by Balabit IT Security Ltd.
Platforms: Linux
Relevant URL: http://www.balabit.com/products/zorp/
Summary:
Zorp is a proxy firewall suite making it possible to fine-tune proxy decisions (with its built-in script language), to fully analyze complex protocols (like SSH with several forwarded TCP connections), and to use out-of-band authentication techniques (unlike common practices where proxy authentication had to be hacked into the protocol). In addition to the features explained above, source code is provided under the GNU GPL.

2. AccessGuard
by AccessGuard
Platforms: Os Independent
Relevant URL: http://www.accessguard.nl/
Summary:
AccessGuard is a fully automated intrusion prevention service that instantly protects your IT infrastructure from known and unknown attacks by hackers, worms, server-based 'Denial of Service' and other Internet risks. AccessGuard reduces security cost: it replaces and outperforms state of the art Intrusion Detection Systems (IDS) and makes analysis by security specialists unnecessary.

3. AlphaShield
by AlphaShield Inc.
Platforms: Os Independent
Relevant URL: http://www.alphashield.com/products.htm
Summary:
A stand-alone hardware device that serves as a complete anti-intrusion solution and physical lockout for any intruder.
It is a compact box that sits between your PC and the high-speed Internet cable that connects you to your broadband modem. It blocks all malicious attacks and intrusions, while working with any operating system.

V. NEW TOOLS FOR LINUX PLATFORMS
---------------------------------
1. fireflier v1.1.1
by Martin Maurer
Relevant URL: http://sourceforge.net/projects/fireflier
Platforms: Linux, POSIX
Summary:
Fireflier is a firewall tool which is built on top of the iptables framework. It allows you to create rules based on single incoming network packets or to simply allow/deny single packets to pass. It features a client-server approach for administering from another PC, an SSL connection between client and server, rules with timeouts (rules are deleted after some time or when fireflier-server shuts down), and filtering based on applications.

2. SRG v1.0b2
by Matt Brown
Relevant URL: http://www.crc.net.nz/software/srg.php
Platforms: Linux
Summary:
SRG (Squid Report Generator) is a log file analyzer and report generator for the Squid Web proxy. It was created to allow easy integration with authentication systems such as those that are used for Squid itself. It is fast and flexible, and can report details down to the individual files fetched.

3. UDP Ping Logger v0.2
by Mats Engstrom
Relevant URL: http://www.nerdlabs.org/projects/uplog.php
Platforms: Linux
Summary:
Uplog is a UDP-based ping program that gives an ASCII graphical log of packet loss. Once per second, it sends a UDP packet to the echo port of the target host and waits for a reply. If it gets a reply, an X is written; otherwise a dot is written to the log file. If a packet with an incorrect sequence number arrives, a colon is written to the log file. By examining the log file, one can easily see when and how the packet losses occur.

VI.
SPONSOR INFORMATION
-----------------------
This Issue is Sponsored by: SPI Dynamics
