Re: SSHD-1 Logging Vulnerability

2001-02-12 Thread Markus Friedl
On Fri, Feb 09, 2001 at 06:23:07PM +0100, Florian Weimer wrote: + log_msg("Rhosts authentication failed for '%.100s', remote '%.100s', host '%.200s'.", user, client_user, get_canonical_hostname()); I don't think this patch is a good idea. If a user accidentally

Re: Linux kernel sysctl() vulnerability

2001-02-12 Thread Joost Pol2
'Night all, Should this not be fixed in copyout/copyin instead? It probably occurs at other places instead of sysctl as well. Kind regards, Joost Pol alias Nohican ([EMAIL PROTECTED]) :wq On Sat, Feb 10, 2001 at 02:43:38PM -0800, Greg KH wrote: On Sat, Feb 10, 2001 at 10:28:01AM +0100,

Security Hole in Microfocus Cobol

2001-02-12 Thread Dixie Flatline
Summary --- If the AppTrack feature is enabled, the default install of MicroFocus Cobol 4.1 (Merant's commercial suite of cobol utilities) contains a security hole which can lead to root compromise. Specifics - In the default install, /var/mfaslmf is installed mode 777, and

Re: Linux kernel sysctl() vulnerability

2001-02-12 Thread Stephen White
On Sat, Feb, 2001, Florian Weimer wrote: Chris Evans [EMAIL PROTECTED] writes: There exists a Linux system call sysctl() which is used to query and modify runtime system settings. Unprivileged users are permitted to query the value of many of these settings. The following trivial patch

Palm Pilot - How to view hidden files

2001-02-12 Thread Paulo Cesar Breim
The software Tiny Sheet, present in all versions of Palm Pilot, has a function called IMPORT file. Well, when this function is used, ALL FILES, including the hidden files protected with password, can be imported to a Sheet.

Re: Some more MySql security issues

2001-02-12 Thread Konrad Rieck
I am a little bit confused about this mail. Maybe the author can explain some issues to me... On Sat, Feb 10, 2001 at 12:54:33AM -, Joao Gouveia wrote: roberto@spike:~ mysql -ublaah (Note: 'blaah' obviously isn't a valid username) You seem to have a strange configuration of mysql. By

Re: severe error in SSH session key recovery patch

2001-02-12 Thread Andrew Brown
-- With the patch, the lifespan of the server key still does not go below one minute. As mentioned in CORE SDI's advisory, the number of server connections necessary to carry out the attack is normally very large but "the number of connections given is for the average case

vixie cron possible local root compromise

2001-02-12 Thread Flatline
- Introduction: Paul Vixie's crontab version 3.0.1-56 contains another buffer overflow vulnerability. I'm not sure whether it's exploitable or not, it needs to be fixed however. - Platforms: I've only tested it under Red Hat linux 7.0 which uses version 3.0.1-56, although this condition

Re: SSH1 vulnerability ?

2001-02-12 Thread Markus Friedl
Tatu Ylonen wrote: It's real enough for most vendors to respond. I think you want to make sure your servers have at least 1.2.30/2.4.0 or openssh 2.3.0p1 at this point. well, 1.2.30 does not contain a fix for this problem. No, but the current version is ssh-2.4.0, which does not

Re: Lotus Notes Stored Form Vulnerability

2001-02-12 Thread Mikkel Heisterberg
People administering Lotus Domino should still be aware that the default settings for the ECL were VERY loose before Lotus Notes release 5.x (e.g. permitted unsigned code to be run). This means that the suggested "vulnerability" could still be exploited at a site with an improperly configured Lotus

Commerce.cgi Directory Traversal

2001-02-12 Thread slipy
Introduction: Commerce.cgi can have your store's catalog up and running on the web in literally a couple of hours. The easy to use Store Manager will even allow you to add and remove products from your inventory right through your web browser. Best of all, it's free, vulnerable open

NetBSD Security Advisory 2001-001

2001-02-12 Thread NetBSD Security Officer
-BEGIN PGP SIGNED MESSAGE- NetBSD Security Advisory 2001-001 = Topic: Multiple BIND vulnerabilities Version: All release versions of NetBSD, and NetBSD-current Severity: Remote root execution of

Bug / DoS in LICQ Gnome-ICU

2001-02-12 Thread -No Strezzz Cazzz
Bug / DoS in LICQ (all versions) and Gnome-ICU (all versions) The sending of a .rtf file/document (rich text file) to one of the versions mentioned above will crash LICQ/Gnome-ICU on the target computer and it will close itself down after that. The error is probably the problem that Unix/Linux

ssh protocol vulnerability scanning

2001-02-12 Thread Niels Provos
Hi, recent security problems in ssh protocol implementations require that vulnerable ssh protocol servers be upgraded. As an administrator of a large network, it can be difficult to efficiently determine which implementations of the ssh protocols are running on a network. To solve this

Way board: show files Vulnerability with null byte bug

2001-02-12 Thread UkR-XblP™
Name: "show files" Vulnerability with perl null byte bug. Date: 28.01.2001 About: Way-board - is a popular korean board (http://way.co.kr - official site). Problem: Through this bug you can see any files; the bug works on every system where perl is installed. "%00" - means hex symbol of the end of the

Vulnerability in Muscat Empower which can print path to DB-dir.

2001-02-12 Thread UkR-XblP™
---UkR security team advisory #6 Vulnerability in Muscat Empower which can print path to DB-dir. -- Name: Vulnerability in Muscat Empower which can print path to DB-dir. Date: 03.02.2001 Problem: when the invalid request is sent to

Symantec pcAnywhere 9.0 DoS / Buffer Overflow

2001-02-12 Thread Zoa_Chien
= Securax-SA-14 Security Advisory belgian.networking.security Dutch

Environment and Setup Variables can be Viewed through webpage.cgi

2001-02-12 Thread UkR-XblP™
Name: Environment and Setup Variables can be Viewed through webpage.cgi Date: 28.01.2001 Problems: The script allows several environment variables to be viewed by the attacker, who can gain useful information on the site, making further attacks more feasible. Analysis: webpage.cgi dumps useful

tdhttp traversal bug

2001-02-12 Thread UkR-XblP™
-=-=-=-=-=[ UkR security team - advisory n0. 7 ]=-=-=-=-=- tdhttp traversal bug -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: 07.02.2001 Problem: possibility of arbitrary file retrieval and directory listing on remote host, running tdhttp (http.c, probably all its versions).

[SECURITY] [DSA-029-1] New version of proftpd released

2001-02-12 Thread debian-security-announce
-BEGIN PGP SIGNED MESSAGE- - Debian Security Advisory DSA-029-1 [EMAIL PROTECTED] http://www.debian.org/security/ Michael Stone February 11, 2001 -

Fwd: Re: phpnuke, security problem...

2001-02-12 Thread Joao Gouveia
Hi, Due to this reply, I see no reason to delay this. No patch nor new version has been released; for a quick fix, see below. Regards, Joao Gouveia [EMAIL PROTECTED] Francisco Burzi [EMAIL PROTECTED] Joao Gouveia wrote: Hello Francisco, There is yet another security

PALS Library System show files Vulnerability and remote command execution

2001-02-12 Thread UkR-XblP™
Name: PALS Library System "show files" Vulnerability and remote command execution. Date: 02.02.2001 About: This script is derived from an idea originated at St.Olaf College to provide a www interface to the PALS Library System. This idea was then worked on at Georgia State University. This

Format string bug in startinnfeed

2001-02-12 Thread Paul Starzetz
1. Description -- The 'startinnfeed' binary contains various format string bugs. Most of the command line options pass user-given arguments to 'syslog()' as format string. For example: paul@ps:/usr/home/paul /usr/lib/news/bin/startinnfeed -a "%x%x%n%n%n%n%n%n%n" segmentation

ROADS search system show files Vulnerability with null byte bug

2001-02-12 Thread UkR-XblP™
Name: ROADS search system "show files" Vulnerability with "null byte" bug Date: 29.01.2001 About: The search.pl program is a Common Gateway Interface (CGI) program used to provide an end user search front end to ROADS databases. When accessed with no CGI query, the program can return an HTML form

Re: Some more MySql security issues

2001-02-12 Thread Theodor Milkov
On Sat, Feb 10, 2001 at 12:54:33AM -, Joao Gouveia wrote: Hi, MySql staff has been notified regarding these issues on 2001-01-26. There still are some potential security flaws with MySql's latest stable release. Following are some tests I've made, all with: MySql v3.23.32 PHP v4.0.4pl1

Re: SSHD-1 Logging Vulnerability

2001-02-12 Thread Florian Weimer
Markus Friedl [EMAIL PROTECTED] writes: [Logging user names harmful or not?] While I understand your concern, I am not sure whether this applies to SSH clients, since they are usually very different from telnet clients. You enter the username when you start the client, so it's hard to get out

HIS Auktion 1.62: show files vulnerability and remote command execute.

2001-02-12 Thread UkR-XblP™
---UkR security team advisory #8 HIS Auktion 1.62: "show files" vulnerability and remote command execute. -- Name: HIS Auktion 1.62: "show files" vulnerability. Date: 11.02.2001 Author: UkR-XblP About: script "HIS Auktion 1.62"

WebSPIRS CGI script show files Vulnerability.

2001-02-12 Thread UkR-XblP™
---UkR security team advisory #1 WebSPIRS CGI script "show files" Vulnerability. -- Name: WebSPIRS CGI script "show files" Vulnerability. Date: 27.01.2001 About: WebSPIRS is SilverPlatter's Information Retrieval System for the

Re: SSH1 vulnerability ?

2001-02-12 Thread Peter van Dijk
On Sat, Feb 10, 2001 at 03:08:11PM +0200, Tatu Ylonen wrote: On Fri, 9 Feb 2001, Christophe Dupre wrote (on the [EMAIL PROTECTED] list): I just read Razor's vulnerability advisory, as reported on slashdot. Any truth to it, or is it another wannabe ? I suppose you are referring to this one:

[SECURITY] [DSA-030-1] Multiple security problems in X

2001-02-12 Thread debian-security-announce
-BEGIN PGP SIGNED MESSAGE- - Debian Security Advisory DSA-030-1 [EMAIL PROTECTED] http://www.debian.org/security/ Wichert Akkerman February 12, 2001 -

Re: SSHD-1 Logging Vulnerability

2001-02-12 Thread Ben Greenbaum
While I understand your concern, I am not sure whether this applies to SSH clients, since they are usually very different from telnet clients. You enter the username when you start the client, so it's hard to get out of sync, e.g. I have never seen a user enter $ ssh -l mypasswd host

Re: SSHD-1 Logging Vulnerability

2001-02-12 Thread Grecni, Steve
On Sun, 11 Feb 2001, Markus Friedl wrote: On Fri, Feb 09, 2001 at 06:23:07PM +0100, Florian Weimer wrote: + log_msg("Rhosts authentication failed for '%.100s', remote '%.100s', host '%.200s'.", user, client_user, get_canonical_hostname()); I don't think this

Re: Some more MySql security issues

2001-02-12 Thread Tim Yardley
At 05:40 PM 2/10/2001, Konrad Rieck wrote: I am a little bit confused about this mail. Maybe the author can explain some issues to me... On Sat, Feb 10, 2001 at 12:54:33AM -, Joao Gouveia wrote: roberto@spike:~ mysql -ublaah (Note: 'blaah' obviously isn't a valid username) You seem to

Re: Bug in ssh client (open ssh 2.3.0)

2001-02-12 Thread Tatu Ylonen
OpenSSH's client drops all privileges before the user is asked for a password, so there is really no need to panic and send ads to this list -- especially since this thread is not at all related to SSH-1. However, if you are afraid of SSH-1 you can simply turn off protocol 1 support in OpenSSH

Re: vixie cron possible local root compromise

2001-02-12 Thread Peter van Dijk
On Sun, Feb 11, 2001 at 12:38:02AM +0100, Flatline wrote: [snip] - Quick fix (diff output for crontab.c): 146c146 strcpy(User, pw->pw_name); --- strncpy(User, pw->pw_name, MAX_UNAME - 1); Uhm, won't the user running crontab then get another user's crontab, if the 'stripped'

Re: vixie cron possible local root compromise

2001-02-12 Thread Blake R. Swopes
Considering what overflows the buffer (your username), it would seem that you'd need root access to begin with in order to craft an exploit. Am I wrong? Of course, maybe this could be some exotic new addition to a rootkit. -Original Message- From: Bugtraq List [mailto:[EMAIL

Re: Lotus Notes Stored Form Vulnerability

2001-02-12 Thread Security Advisory
I am not certain of the need to send the memo internally. There is a mail distribution option that allows the user to indicate that the recipient is a notes user, thus packaging the email in 'Notes Rich Text' format. I have successfully sent and accepted meeting invitations this way, as well as

Re: Some more MySql security issues

2001-02-12 Thread Peter van Dijk
On Sun, Feb 11, 2001 at 12:40:48AM +0100, Konrad Rieck wrote: I am a little bit confused about this mail. Maybe the author can explain some issues to me... On Sat, Feb 10, 2001 at 12:54:33AM -, Joao Gouveia wrote: roberto@spike:~ mysql -ublaah (Note: 'blaah' obviously isn't a valid

Re: Palm Pilot - How to view hidden files

2001-02-12 Thread Peter W
On Sun, Feb 11, 2001 at 05:15:53PM -0300, Paulo Cesar Breim wrote: The software Tiny Sheet, present in all versions of Palm Pilot, http://www.iambic.com/pilot/tinysheet3/ To clarify: it's not included with PalmOS; it's 3rd-party software. has a function called IMPORT file. Well when this

Re: vixie cron possible local root compromise

2001-02-12 Thread Mark van Reijn
Hmm, doesn't do anything weird/wrong on my RH6.2 server: [aabbcc@obelix mark]$ crontab -e no crontab for aabbaabbaab - using an empty one crontab: installing new crontab [aabbcc@obelix mark]$ crontab crontab:

Re: Some more MySql security issues

2001-02-12 Thread Konrad Rieck
On Mon, Feb 12, 2001 at 02:34:43PM -0600, Tim Yardley wrote: This is a nice example of bad code, but not a security issue, I could show up a 100 of programs that simply don't care for *argv parameters. You don't gain anything by exploiting such overflows in non-suid programs. watch what you

Re: Format string bug in startinnfeed

2001-02-12 Thread Russ Allbery
I love the notification that you gave to the INN developers about this problem (namely, absolutely none at all). If you'd mailed us first, I could have pointed out to you that innfeed does no argument parsing of its own and just execs innfeed with the passed arguments, which at the least would

Re: severe error in SSH session key recovery patch

2001-02-12 Thread Kari Hurtta
-- With the patch, the lifespan of the server key still does not go below one minute. As mentioned in CORE SDI's advisory, the number of server connections necessary to carry out the attack is normally very large but "the number of connections given is for the average

Re: Palm Pilot - How to view hidden files

2001-02-12 Thread Peter van Dijk
On Sun, Feb 11, 2001 at 05:15:53PM -0300, Paulo Cesar Breim wrote: The software Tiny Sheet, present in all versions of Palm Pilot, has a function called IMPORT file. Well when this function is use ALL FILES, including the hidden files protetex with password, can be imported to a Sheet. One

Workaround for Unintended JSP Execution When Using Oracle Apache/JServ

2001-02-12 Thread Oracle Security Alerts
Workaround for Unintended JSP Execution When Using Oracle Apache/JServ Description A potential security vulnerability has been discovered in Oracle JSP Releases 1.0.x through 1.0.2 when using Oracle Apache/JServ only. This vulnerability permits the execution of unintended (or incorrect) JSP

Patch for Potential Vulnerability in the execution of JSPs outside doc_root

2001-02-12 Thread Oracle Security Alerts
Patch for Potential Vulnerability in the execution of JSPs outside doc_root Description of the problem A potential security vulnerability has been discovered in Oracle JSP releases 1.0.x through 1.1.1 (in Apache/Jserv). This vulnerability permits access to and execution of unintended JSP files

Re: vixie cron possible local root compromise

2001-02-12 Thread Valentin Nechayev
Sun, Feb 11, 2001 at 00:38:02, achter05 (Flatline) wrote about "vixie cron possible local root compromise": 146c146 strcpy(User, pw->pw_name); --- strncpy(User, pw->pw_name, MAX_UNAME - 1); Or simply remove the setuid bit on /usr/bin/crontab until a vendor patch has been

Re: Fwd: Re: phpnuke, security problem...

2001-02-12 Thread Peter van Dijk
On Mon, Feb 12, 2001 at 11:07:15AM -, Joao Gouveia wrote: [snip] Example: http://www.phpnuke.org/opendir.php?requesturl=/etc/passwd You can actually insert any URL instead of "/etc/passwd" and have it read. Depending on the server's configuration, this could be abused to execute PHP code,

Re: Some more MySql security issues

2001-02-12 Thread Carsten H. Pedersen
I am a little bit confused about this mail. Maybe the author can explain some issues to me... On Sat, Feb 10, 2001 at 12:54:33AM -, Joao Gouveia wrote: roberto@spike:~ mysql -ublaah (Note: 'blaah' obviously isn't a valid username) You seem to have a strange configuration of mysql.