Date: Mon, 29 Mar 2004 14:51:12 -0700 (MST)
From:"John Boletta" <jboletta@securityfocus.com>
To:linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #177


SecurityFocus Linux Newsletter #177
------------------------------------
This Issue is Sponsored by: Check Point

Introducing the world's first and only complete Internal Security 
Gateway:
Check Point InterSpect.

Built specifically to protect internal networks, Check Point InterSpect
provides intelligent worm defense, network zone segmentation, 
quarantine
capabilities, and LAN protocol protection - all in one easy to deploy
appliance that protects your network from threats within.

Learn more about Check Point InterSpect at:
http://www.securityfocus.com/sponsor/CheckPoint_sf-news_040315
------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Dogs of War: Securing Microsoft Groupware Environments with 
Unix (Pt.1)
     2. Security Patches by Modem? Forget it!
     3. When Gaming is a Gamble
II. LINUX VULNERABILITY SUMMARY
     1. Apache Connection Blocking Denial Of Service Vulnerability
     2. Borland Interbase Database User Privilege Escalation Vulnera...
     3. Apache Error Log Escape Sequence Injection Vulnerability
     4. XWeb Directory Traversal Vulnerability
     5. phpBB profile.php avatarselect Cross-Site Scripting Vulnerab...
     6. Xine Bug Reporting Script Insecure Temporary File Creation V...
     7. Joel Palmius Mod_Survey Survey Input Field HTML Injection Vu...
     8. phpBB Multiple Input Validation Vulnerabilities
     9. Invision Gallery Multiple SQL Injection Vulnerabilities
     10. Centrinity FirstClass HTTP Server TargetName Parameter 
Cross...
     11. Ethereal Multiple Vulnerabilities
     12. Hibyte HiGuest Message Field HTML Injection Vulnerability
     13. CPanel Multiple Cross-Site Scripting Vulnerabilities
     14. HP Web Jetadmin Printer Firmware Update Script Arbitrary 
Fil...
     15. HP Web Jetadmin setinfo.hts Script Directory Traversal 
Vulne...
     16. HP Web Jetadmin Remote Arbitrary Command Execution 
Vulnerabi...
     17. Emil Multiple Buffer Overrun and Format String 
Vulnerabiliti...
     18. MySQL Aborted Bug Report Insecure Temporary File Creation 
Vu...
III. LINUX FOCUS LIST SUMMARY
     1. how to avoid user1 becoming user2 using local root ? (Thread)
     2. nis : how to avoid user1 becoming user2 using local ... 
(Thread)
     3. Rewrite Rules, SSL, and .htaccess (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. Immunity CANVAS
     2. SecretAgent
     3. Cyber-Ark  Inter-Business Vault
     4. EnCase Forensic Edition
     5. KeyGhost SX
     6. SafeKit
V. NEW TOOLS FOR LINUX PLATFORMS
     1. Ethereal v0.10.3
     2. Dazuko v2.0.1-pre2
     3. Securepoint Firewall and VPN Server v4.0 (S4)
     4. Linux Intrusion Detection System (LIDS) v2.2.0p1 (2.6.3)
     5. pmacct v0.6.1
     6. Wolverine Firewall and VPN Server v1.3
VII. SPONSOR INFORMATION


I. FRONT AND CENTER
-------------------
1. Dogs of War: Securing Microsoft Groupware Environments with Unix 
(Pt.
1)
By Bob Rudis

This article discusses the implementation of layered mail security 
using
Unix as MTA in front of Microsoft groupware products. Part one 
describes
the use of Sendmail, MIMEDefang and SpamAssassin.

http://www.securityfocus.com/infocus/1770

2. Security Patches by Modem? Forget it!
By Scott Granneman

Let's face it - there is no way for dial-up users on any major 
operating
system to keep their computers up-to-date and patched. OK, maybe "no 
way"
is an exaggeration. How about, "a difficult, burdensome, 
time-consuming,
very prone to failure way?"

http://www.securityfocus.com/columnists/230

3. When Gaming is a Gamble
By Mark Rasch

A new Justice Department policy threatens to jail security 
professionals
who help lock down online gambling sites anywhere in the world.

http://www.securityfocus.com/columnists/229


II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Apache Connection Blocking Denial Of Service Vulnerability
BugTraq ID: 9921
Remote: Yes
Date Published: Mar 19 2004
Relevant URL: http://www.securityfocus.com/bid/9921
Summary:
Apache is prone to an issue that may permit remote attackers to cause a
denial of service issue via a listening socket on a rarely accessed 
port.
This will reportedly block out new connections to the server until 
another
connection on the rarely accessed socket is initiated.

The functionality that exposes this issue is reportedly enabled by 
default
on all platforms except Windows.

2. Borland Interbase Database User Privilege Escalation Vulnera...
BugTraq ID: 9929
Remote: No
Date Published: Mar 20 2004
Relevant URL: http://www.securityfocus.com/bid/9929
Summary:
By default, insecure permissions are set on the file storing the user
database that is shipped with Borland Interbase.  The permissions, 
0666,
permit all users to write to the file.  This configuration error can be
exploited to gain administrative access within the database.  The
consequences of this flaw may extend further if the database supports
applications.

3. Apache Error Log Escape Sequence Injection Vulnerability
BugTraq ID: 9930
Remote: Yes
Date Published: Mar 20 2004
Relevant URL: http://www.securityfocus.com/bid/9930
Summary:
It has been reported that the Apache web server is prone to a remote 
error
log escape sequence injection vulnerability.  This issue is due to an
input validation error that may allow escape character sequences to be
injected into apache log files.

This may facilitate exploitation of issues such as those found in BIDs
6936 and 6938.

This issue may allow an attacker to carry out a number of actions
including arbitrary file creation and code execution on the affected
system.

4. XWeb Directory Traversal Vulnerability
BugTraq ID: 9937
Remote: Yes
Date Published: Mar 22 2004
Relevant URL: http://www.securityfocus.com/bid/9937
Summary:
XWeb is reportedly prone to directory traversal attacks.  Remote 
attackers
may exploit this issue to gain access to sensitive files outside of the
server root.  This would occur in the context of the server, i.e.: any
files the server could access would also be accessible to the attacker.

5. phpBB profile.php avatarselect Cross-Site Scripting Vulnerab...
BugTraq ID: 9938
Remote: Yes
Date Published: Mar 22 2004
Relevant URL: http://www.securityfocus.com/bid/9938
Summary:
It has been reported that phpBB may be prone to a cross-site scripting
vulnerability that may allow an attacker to execute arbitrary HTML or
script code in a user's browser.  The issue exists due to insufficient
sanitization of user-supplied input via the 'avatarselect' form 
parameter
of 'profile.php' script.

phpBB 2.0.6d has been reported to be prone to this issue, however, 
other
versions could be affected as well.

6. Xine Bug Reporting Script Insecure Temporary File Creation V...
BugTraq ID: 9939
Remote: No
Date Published: Mar 22 2004
Relevant URL: http://www.securityfocus.com/bid/9939
Summary:
The xine bug reporting scripts (xine-bugreport and xine-check) create
temporary files in an insecure manner.  A malicious local user could 
take
advantage of this issue by mounting a symbolic link attack to corrupt
other system files, most likely resulting in destruction of data.
Privilege escalation is also theoretically possible.  This issue is 
only
exposed when the vulnerable scripts are run to submit a bug report to 
the
vendor.

It should be noted that xine-bugreport and xine-check are separate
instances of the same script.

7. Joel Palmius Mod_Survey Survey Input Field HTML Injection Vu...
BugTraq ID: 9941
Remote: Yes
Date Published: Mar 22 2004
Relevant URL: http://www.securityfocus.com/bid/9941
Summary:
Mod_Survey is prone to HTML injection attacks via survey input fields.
They may permit remote attackers to persistently inject HTML and script
code into surveys, which may be rendered in the web browser of
administrative or other users.

Exploitation could permit for theft of cookie-based authentication
credentials.  Other attacks are also possible.

8. phpBB Multiple Input Validation Vulnerabilities
BugTraq ID: 9942
Remote: Yes
Date Published: Mar 22 2004
Relevant URL: http://www.securityfocus.com/bid/9942
Summary:
It has been reported that phpBB may be prone to multiple 
vulnerabilities
that could allow an attacker to carry out SQL injection and cross-site
scripting attacks.  These vulnerabilities result from insufficient
sanitization of user-supplied input via the 'id' parameter of
'admin_smilies.php' module and the 'style_id' parameter of 
'admin_styles'
module.

phpBB versions 2.0.7a and prior are reported to be prone to these 
issues.

9. Invision Gallery Multiple SQL Injection Vulnerabilities
BugTraq ID: 9944
Remote: Yes
Date Published: Mar 22 2004
Relevant URL: http://www.securityfocus.com/bid/9944
Summary:
It has been reported that Invision Gallery may be prone to multiple sql
injection vulnerabilities, allowing an attacker to influence SQL query
logic.  The issues exist due to insufficient sanitization of 
user-supplied
data via the 'img', 'cat', 'sort_key', 'order_key', 'user' and 'album'
parameters of the gallery module accessed via the 'index.php' script.

Invision Gallery is a gallery system that can be used as a plugin for
Invision Power Board.  Invision Gallery 1.0.1 is reported to be prone 
to
these issues, however, other versions could be affected as well.

10. Centrinity FirstClass HTTP Server TargetName Parameter Cross...
BugTraq ID: 9950
Remote: Yes
Date Published: Mar 22 2004
Relevant URL: http://www.securityfocus.com/bid/9950
Summary:
It has been reported that FirstClass HTTP Server may be prone to a
cross-site scripting vulnerability that may allow a remote attacker to
execute arbitrary HTML or script code in a user's browser.  The issue
presents itself due to insufficient sanitization of user-supplied data 
via
the 'TargetName' parameter of 'Upload.shtml' script.

Since this vulnerability affects the web server there is a possibility 
of
an attacker crossing domains if multiple domains are hosted on one web
server.  The vendor has reported that this vulnerability only affects 
the
'standard' template set.  The 'webmail' and 'mobile' template sets do 
not
contain the 'Upload.shtml' script.

Centrinity FirstClass versions 7.1 and prior may be vulnerable to this
issue.

11. Ethereal Multiple Vulnerabilities
BugTraq ID: 9952
Remote: Yes
Date Published: Mar 22 2004
Relevant URL: http://www.securityfocus.com/bid/9952
Summary:
Ethereal 0.10.3 has been released to address multiple vulnerabilities.
These issues include:

- Thirteen stack-based buffer overruns in various protocol dissectors
(NetFlow, IGAP, EIGRP, PGM, IrDA, BGP, ISUP, and TCAP).

- A denial of service that is triggered by a zero length Presentation
protocol selector.

- Specially crafted RADIUS packets may cause a crash in Ethereal.

- Corrupt color filter files may cause a crash in Ethereal.

These issues may result in a denial of service or potentially be 
leveraged
to execute arbitrary code in the instance of the buffer overruns.

12. Hibyte HiGuest Message Field HTML Injection Vulnerability
BugTraq ID: 9955
Remote: Yes
Date Published: Mar 23 2004
Relevant URL: http://www.securityfocus.com/bid/9955
Summary:
Hibyte's HiGuest guestbook software is prone to HTML injection attacks.
This issue is exposed via the message form field in the guestbook entry
submission form.

Exploitation could permit remote attackers to persistently inject 
hostile
HTML and script code into guestbook content.  This could allow for 
theft
of cookie-based authentications or other attacks, such as those which
misrepresent guestbook content.

13. CPanel Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 9965
Remote: Yes
Date Published: Mar 24 2004
Relevant URL: http://www.securityfocus.com/bid/9965
Summary:
Reportedly cPanel is prone to multiple cross-site scripting
vulnerabilities.  These issues are due to a failure of the application 
to
properly validate user supplied URI input.

These issues could permit a remote attacker to create a malicious link 
to
the vulnerable application that includes hostile HTML and script code. 
If
this link were followed, the hostile code may be rendered in the web
browser of the victim user. This would occur in the security context of
the affected web site and may allow for theft of cookie-based
authentication credentials or other attacks.

14. HP Web Jetadmin Printer Firmware Update Script Arbitrary Fil...
BugTraq ID: 9971
Remote: Yes
Date Published: Mar 24 2004
Relevant URL: http://www.securityfocus.com/bid/9971
Summary:
HP Web Jetadmin is prone to an issue which may permit remote users to
upload arbitrary files to the management server.

This issue exists in the printer firmware update script.  Given the
ability to place arbitrary files on the server to an attacker-specified
location, it may be possible to execute arbitrary code, though this 
will
require exploitation of other known vulnerabilities, such as BID 9972 
"HP
Web Jetadmin setinfo.hts Script Directory Traversal Vulnerability".

Authentication, if it has been enabled, would be required to exploit 
this
issue.

This issue was reported in HP Web Jetadmin version 7.5.2546 on a 
Windows
platform.  Other versions may be similarly affected.

15. HP Web Jetadmin setinfo.hts Script Directory Traversal Vulne...
BugTraq ID: 9972
Remote: Yes
Date Published: Mar 24 2004
Relevant URL: http://www.securityfocus.com/bid/9972
Summary:
It has been reported that HP Web JetAdmin may be prone to a directory
traversal vulnerability allowing remote attackers to access information
outside the server root directory.  The problem exists due to 
insufficient
sanitization of user-supplied data passed via the 'setinclude' 
parameter
of 'setinfo.hts' script.

This vulnerability can be combined with HP Web Jetadmin Firmware Update
Script Arbitrary File Upload Weakness (BID 9971) to upload malicious 
files
to a vulnerable server in order to gain unauthorized access to a host.

This issue has been tested with an authenticated account on HP Web
Jetadmin version 7.5.2546 running on a Windows platform.

16. HP Web Jetadmin Remote Arbitrary Command Execution Vulnerabi...
BugTraq ID: 9973
Remote: Yes
Date Published: Mar 24 2004
Relevant URL: http://www.securityfocus.com/bid/9973
Summary:
Reportedly HP web Jetadmin is prone to a remote arbitrary command
execution vulnerability.  This issue is due to a failure of the
application to properly validate and sanitize user supplied input.

Successful exploitation of this issue will allow a malicious user to
execute arbitrary commands on the affected system.

This issue has been tested with an authenticated account on HP Web
Jetadmin version 7.5.2546 running on a Windows platform.

17. Emil Multiple Buffer Overrun and Format String Vulnerabiliti...
BugTraq ID: 9974
Remote: Yes
Date Published: Mar 25 2004
Relevant URL: http://www.securityfocus.com/bid/9974
Summary:
Multiple locally and remotely exploitable buffer overrun and format
strings were reported in emil.  This could permit execution of 
arbitrary
code in the context of the software.

18. MySQL Aborted Bug Report Insecure Temporary File Creation Vu...
BugTraq ID: 9976
Remote: No
Date Published: Mar 25 2004
Relevant URL: http://www.securityfocus.com/bid/9976
Summary:
The MySQL bug reporting utility (mysqlbug) creates a temporary file 
with a
static name when a bug report is aborted.  An attacker may exploit this
issue to launch symbolic link attacks that will most likely result in
corruption of files.  This could cause destruction of data and denial 
of
services.

This issue would only affect Unix/Linux-based operating systems.


III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. how to avoid user1 becoming user2 using local root ? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/358820

2. nis : how to avoid user1 becoming user2 using local ... (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/358819

3. Rewrite Rules, SSL, and .htaccess (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/358680


IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:

Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so chose.

Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system adminstrators, and an advanced
development platform for exploit developers, or people learning to 
become
exploit developers.

2. SecretAgent
By: Information Security Corporation (ISC)
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT,
Windows XP
Relevant URL: 
http://www.infoseccorp.com/products/secretagent/contents.htm
Summary:

SecretAgent is a file encryption and digital signature utility, 
supporting
cross-platform interoperability over a wide range of platforms: 
Windows,
Linux, Mac OS X, and UNIX systems.

It's the perfect solution for your data security requirements, 
regardless
of the size of your organization.

Using the latest recognized standards in encryption and digital 
signature
technology, SecretAgent ensures the confidentiality, integrity, and
authenticity of your data.

3. Cyber-Ark  Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:

Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault, an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely 
share
business information among customers, business partners, and remote
branches. It provides a seamless, LAN-like experience over the Internet
that includes all the security, performance, accessibility, and ease of
administration required to allow organizations to share everyday
information worldwide. To learn more about these core attributes of the
Inter-Business Vault click on the relevant link below:

4. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, 
Solaris,
UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:

EnCase Forensic Edition Version 4 delivers the most advanced features 
for
computer forensics and investigations. With an intuitive GUI and 
superior
performance, EnCase Version 4 provides investigators with the tools to
conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software?s award winning solution yields 
completely
non-invasive computer forensic investigations while allowing examiners 
to
easily manage large volumes of computer evidence and view all relevant
files, including "deleted" files, file slack and unallocated space.

The integrated functionality of EnCase allows the examiner to perform 
all
functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.


5. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, 
Windows
95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:

KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity
within an accounting or specialist system. It is completely 
undetectable
by software scanners and provides you with one of the most powerful
stealth surveillance applications offered anywhere.

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded 
data
in it?s own internal memory (not on the hard drive), it is impossible 
for
a network intruder to gain access to any sensitive data stored within 
the
device.

6. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:

Evidian's SafeKit technology makes it possible to render any 
application
available 24 hours per day. With no extra hardware: just use your 
existing
servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to 
do
is add more standard servers into the cluster. With the load balancing
features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to 
serve
your users.


V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Ethereal v0.10.3
By: Gerald Combs, <gerald@ethereal.com>
Relevant URL: http://www.ethereal.com/
Platforms: AIX, FreeBSD, HP-UX, IRIX, Linux, NetBSD, OpenBSD, SCO,
Solaris, True64 UNIX
Summary:

Ethereal is a network protocol analyzer, or "packet sniffer", that lets
you capture and interactively browse the contents of network frames. 
The
goal of the project is to create a commercial-quality packet analyzer 
for
Unix, and the most useful packet analyzer on any platform.

2. Dazuko v2.0.1-pre2
By: John Ogness
Relevant URL: http://www.dazuko.org/
Platforms: FreeBSD, Linux
Summary:

This project provides a kernel module which provides 3rd-party
applications with an interface for file access control. It was 
originally
developed for on-access virus scanning. Other uses include a 
file-access
monitor/logger or external security implementations. It operates by
intercepting file-access calls and passing the file information to a
3rd-party application. The 3rd-party application then has the 
opportunity
to tell the kernel module to allow or deny the file-access. The 
3rd-party
application also receives information about the file, such as type of
access, process ID, user ID, etc.

3. Securepoint Firewall and VPN Server v4.0 (S4)
By: Lutz Hausmann
Relevant URL: http://www.securepoint.cc/
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT
Summary:

Securepoint Firewall and VPN Server is a high-performance application
designed to offer full protection for network assets. The Security 
Manager
offers a graphical user interface with many features, different
configurations, and advanced reporting functions. The Securepoint 
server
is a complete firewall and VPN software system with an operating system
based on a secure Linux. VPN operation supports PPTP and IPSec (X.509
certificates, preshared, RSA signature). You can use the firewall on a
standard PC with 2 to 16 network cards (including Ethernet, ADSL, 
ISDN).
It is very easy to install and administer. The Securepoint Security
Manager is available in English, German, and Spanish, and works in 
online
and offline mode.

4. Linux Intrusion Detection System (LIDS) v2.2.0p1 (2.6.3)
By: Xie Hua Gang, xhg@gem.ncic.ac.cn
Relevant URL: http://www.lids.org/download.html
Platforms: Linux
Summary:

The Linux Intrusion Detection System is a patch which enhances the
kernel's security. When it is in effect, chosen files access, all
system/network administration operations, any capability use, raw 
device,
mem, and I/O access can be made impossible even for root. You can 
define
which program can access which file. It uses and extends the system
capabilities bounding set to control the whole system and adds some
network and filesystem security features to the kernel to enhance the
security. You can finely tune the security protections online, hide
sensitive processes, receive security alerts through the network, and
more.

5. pmacct v0.6.1
By: Paolo Lucente
Relevant URL: http://www.ba.cnr.it/~paolo/pmacct/
Platforms: Linux, OpenBSD
Summary:

pmacct is a network tool to gather IP traffic information (source 
address,
bytes counter, and number of packets). Data is stored in an in-memory
table whose content could be retrieved by a client program via a local
stream-oriented connection. Gathering packets off the wire is done 
using
the pcap library and one or more network interfaces in promiscuous 
mode.

6. Wolverine Firewall and VPN Server v1.3
By: Joshua Jackson
Relevant URL: http://www.coyotelinux.com
Platforms: Linux, POSIX
Summary:

Wolverine is a firewall and VPN server that is based on the Embedded
Coyote Linux distribution of Linux. This product is intended as an
alternative to commercial devices such as the Cisco PIX, the FireBox, 
etc.
Wolverine features a hardened Linux 2.4-based stateful firewall along 
with
IPSEC and PPTP VPN services. As it is intended to be an embedded 
solution,
the overall installation size is roughly 8Mb.

VII. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored by: Check Point

Introducing the world's first and only complete Internal Security 
Gateway:
Check Point InterSpect.

Built specifically to protect internal networks, Check Point InterSpect
provides intelligent worm defense, network zone segmentation, 
quarantine
capabilities, and LAN protocol protection - all in one easy to deploy
appliance that protects your network from threats within.

Learn more about Check Point InterSpect at:
http://www.securityfocus.com/sponsor/CheckPoint_sf-news_040315
------------------------------------------------------------------------