Date: 10 May 2004 21:54:47 -0000
From: "John Boletta" <jboletta@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #183
SecurityFocus Linux Newsletter #183

------------------------------------------------------------------------
I. FRONT AND CENTER
     1. This Issue is Sponsored By: SecurityFocus
II. LINUX VULNERABILITY SUMMARY
     1. Midnight Commander Multiple Unspecified Vulnerabilities
     2. Multiple LHA Buffer Overflow/Directory Traversal Vulnerabili...
     3. LibPNG Broken PNG Out Of Bounds Access Denial Of Service Vul...
     4. SquirrelMail Folder Name Cross-Site Scripting Vulnerability
     5. ProFTPD CIDR Access Control Rule Bypass Vulnerability
     6. Emacs flim Library Insecure Temporary File Creation Vulnerab...
     7. PaX 2.6 Kernel Patch Denial Of Service Vulnerability
     8. IPMenu Log File Symbolic Link Vulnerability
     9. Verity Ultraseek Error Message Path Disclosure Vulnerability
     10. SuSE Linux Kernel HbaApiNode Improper File Permissions Denia...
     11. Simple Machines Forum Size Tag HTML Injection Vulnerability
     12. PHPNuke Modules.php Multiple SQL Injection Vulnerabilities
     13. Exim Sender Verification Remote Stack Buffer Overrun Vulnera...
     14. Exim Header Syntax Checking Remote Stack Buffer Overrun Vuln...
     15. KAME Racoon Remote IKE Message Denial Of Service Vulnerabili...
     16. SuSE LINUX 9.1 Personal Edition Live CD-ROM SSH Server Defau...
III. LINUX FOCUS LIST SUMMARY
     1. Secure Form Script? (Thread)
     2. decent loadbalancing with 2 different ISP's with min... (Thread)
     3. decent loadbalancing with 2 different ISP's with min... (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. Immunity CANVAS
     2. SecretAgent
     3. Cyber-Ark Inter-Business Vault
     4. EnCase Forensic Edition
     5. KeyGhost SX
     6. SafeKit
V. NEW TOOLS FOR LINUX PLATFORMS
     1. yaSSL 0.1.0
     2. DNS Blacklist Packet Filter v0.5
     3. PCX Firewall (CGI Web Frontend) 1.3
     4. GNUnet v0.6.2a
     5. FTimes v3.4.0
     6. tinysofa enterprise server 1.0
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. This Issue is Sponsored By: SecurityFocus

Want to keep up on the latest security vulnerabilities? Don't have time
to visit a myriad of mailing lists and websites to read the news? Just
add the new SecurityFocus RSS feeds to your freeware RSS reader, and see
all the latest posts for Bugtraq and the SF Vulnerability database in
one convenient place. Or, pull in the latest news, columnists and
feature articles in the SecurityFocus aggregated news feed, and stay on
top of what's happening in the community!

http://www.securityfocus.com/rss/index.shtml

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Midnight Commander Multiple Unspecified Vulnerabilities
BugTraq ID: 10242
Remote: Unknown
Date Published: Apr 30 2004
Relevant URL: http://www.securityfocus.com/bid/10242
Summary:
It has been reported that Midnight Commander is prone to multiple
unspecified vulnerabilities. These issues are due to various design and
boundary condition errors.

These issues could be leveraged by an attacker to execute arbitrary
code on an affected system, which may facilitate unauthorized access. It
is also possible for an attacker to carry out symbolic link attacks
against an affected system, potentially facilitating a system-wide
denial of service.

2. Multiple LHA Buffer Overflow/Directory Traversal Vulnerabili...
BugTraq ID: 10243
Remote: Yes
Date Published: Apr 30 2004
Relevant URL: http://www.securityfocus.com/bid/10243
Summary:
LHA has been reported prone to multiple vulnerabilities that may allow
a malicious archive to execute arbitrary code or corrupt arbitrary
files when the archive is operated on.

The first set of issues has been assigned the CVE candidate identifier
CAN-2004-0234. LHA is reported to be prone to two stack-based buffer
overflow vulnerabilities. These vulnerabilities may be exploited to
execute attacker-supplied instructions with the privileges of the user
who invoked the affected LHA utility.

The second set of issues has been assigned the CVE candidate identifier
CAN-2004-0235. In addition to the buffer overflow vulnerabilities, LHA
has been reported prone to several directory traversal issues. These
directory traversal vulnerabilities may be exploited to corrupt or
overwrite files in the context of the user who is running the affected
LHA utility.

3. LibPNG Broken PNG Out Of Bounds Access Denial Of Service Vul...
BugTraq ID: 10244
Remote: Yes
Date Published: Apr 30 2004
Relevant URL: http://www.securityfocus.com/bid/10244
Summary:
The libpng graphics library is reported to be prone to a denial of
service vulnerability when handling certain types of broken images.

It is conjectured that this issue will cause an access violation on
certain systems if software linked against the vulnerable library is
used to handle a malicious broken PNG image crafted to trigger the
vulnerability.

4. SquirrelMail Folder Name Cross-Site Scripting Vulnerability
BugTraq ID: 10246
Remote: Yes
Date Published: Apr 30 2004
Relevant URL: http://www.securityfocus.com/bid/10246
Summary:
It has been reported that SquirrelMail is affected by a cross-site
scripting vulnerability in the handling of folder name displays. This
issue is due to a failure of the application to properly sanitize
user-supplied input prior to including it in dynamic web content.

This issue may allow for theft of cookie-based authentication
credentials. Other attacks are also possible.

5. ProFTPD CIDR Access Control Rule Bypass Vulnerability
BugTraq ID: 10252
Remote: Yes
Date Published: Apr 30 2004
Relevant URL: http://www.securityfocus.com/bid/10252
Summary:
ProFTPD has been reported prone to an access control rule bypass
vulnerability. The issue was reportedly introduced when a "portability
workaround" was applied to ProFTPD version 1.2.9.

This vulnerability may lull a system administrator into a false sense
of security, where it is believed that access to the ProFTPD server is
restricted by CIDR-based access control rules. In reality the access
control restriction will not be enforced at all.

6. Emacs flim Library Insecure Temporary File Creation Vulnerab...
BugTraq ID: 10259
Remote: No
Date Published: May 02 2004
Relevant URL: http://www.securityfocus.com/bid/10259
Summary:
The Emacs flim library is prone to a symlink vulnerability caused by
insecure temporary file creation. This could allow files to be
overwritten with the privileges of the user running Emacs.

7. PaX 2.6 Kernel Patch Denial Of Service Vulnerability
BugTraq ID: 10264
Remote: No
Date Published: May 03 2004
Relevant URL: http://www.securityfocus.com/bid/10264
Summary:
PaX for 2.6 series Linux kernels has been reported prone to a local
denial of service vulnerability. The issue is reported to present itself
when PaX Address Space Layout Randomization (ASLR) is enabled.

The vulnerability may be exploited by a local attacker to force the
kernel into an infinite loop.

8. IPMenu Log File Symbolic Link Vulnerability
BugTraq ID: 10269
Remote: No
Date Published: May 04 2004
Relevant URL: http://www.securityfocus.com/bid/10269
Summary:
It has been reported that ipmenu is affected by a symbolic link
vulnerability. This issue is due to a design error that allows for the
creation of temporary log files in an insecure fashion, facilitating
symbolic link attacks.

This issue may be leveraged to create a system-wide denial of service
condition. This issue may also be leveraged to escalate privileges on
the affected system, although this is currently unverified.

9. Verity Ultraseek Error Message Path Disclosure Vulnerability
BugTraq ID: 10275
Remote: Yes
Date Published: May 05 2004
Relevant URL: http://www.securityfocus.com/bid/10275
Summary:
It has been reported that the Verity Ultraseek search application is
prone to a remote path disclosure vulnerability that may allow an
attacker to learn the server document root from an error message.

Verity Ultraseek 5.2.1 and prior versions are reported to be vulnerable 
to this issue.

10. SuSE Linux Kernel HbaApiNode Improper File Permissions Denia...
BugTraq ID: 10279
Remote: No
Date Published: May 03 2004
Relevant URL: http://www.securityfocus.com/bid/10279
Summary:
A vulnerability has been identified in the SuSE Linux kernel that may
allow a local attacker to cause a denial of service condition on a
vulnerable system. The issue is reported to be caused by improper file
permissions on the '/proc/scsi/qla2300/HbaApiNode' file.

SuSE Linux Enterprise Server 8.0, SuSE Linux 8.1 and 9.0 are reported 
to be affected by this issue.

Due to a lack of details, further information cannot be provided at the
moment. This BID will be updated as more information becomes available.

11. Simple Machines Forum Size Tag HTML Injection Vulnerability
BugTraq ID: 10281
Remote: Yes
Date Published: May 05 2004
Relevant URL: http://www.securityfocus.com/bid/10281
Summary:
It has been reported that Simple Machines Forum (SMF) may be prone to
an HTML injection vulnerability that may allow an attacker to execute
arbitrary HTML or script code in a user's browser. The issue exists due
to insufficient sanitization of user-supplied input passed via the
font size tag attribute.

Exploitation could allow for theft of cookie-based authentication 
credentials. Other attacks are also possible.

12. PHPNuke Modules.php Multiple SQL Injection Vulnerabilities
BugTraq ID: 10282
Remote: Yes
Date Published: May 05 2004
Relevant URL: http://www.securityfocus.com/bid/10282
Summary:
Multiple SQL injection vulnerabilities have been identified in the
'modules.php' module of PHPNuke. These vulnerabilities may allow a
remote attacker to manipulate query logic, potentially leading to
unauthorized access to sensitive information.

PHPNuke 7.2 and prior are reported to be prone to these issues.

13. Exim Sender Verification Remote Stack Buffer Overrun Vulnera...
BugTraq ID: 10290
Remote: Yes
Date Published: May 06 2004
Relevant URL: http://www.securityfocus.com/bid/10290
Summary:
Exim has been reported prone to a remotely exploitable stack-based
buffer overrun vulnerability.

This is exposed if sender verification has been enabled in the agent
and may be triggered by a malicious e-mail. Exploitation may permit
execution of arbitrary code in the context of the mail transfer agent.

This issue is reported to exist in Exim 3.35. Earlier versions may
also be affected.

It should be noted that the vulnerable functionality is not enabled in 
the default install, though some Linux/Unix distributions that ship the 
software may enable it.

14. Exim Header Syntax Checking Remote Stack Buffer Overrun Vuln...
BugTraq ID: 10291
Remote: Yes
Date Published: May 06 2004
Relevant URL: http://www.securityfocus.com/bid/10291
Summary:
Exim is reportedly prone to a remotely exploitable stack-based buffer
overrun vulnerability.

This issue is exposed if header syntax checking has been enabled in the
agent and may be triggered by a malicious e-mail. Though not confirmed
to be exploitable, if this condition were to be exploited, it would
result in execution of arbitrary code in the context of the mail
transfer agent. Otherwise, the agent would crash when handling
malformed syntax in an e-mail message.

The issue is reported to exist in both Exim 3.35 and 4.32, though the 
vulnerable code exists in different source files in each of these 
versions.

It should be noted that the vulnerable functionality is not enabled in 
the default install, though some Linux/Unix distributions that ship the 
software may enable it.

15. KAME Racoon Remote IKE Message Denial Of Service Vulnerabili...
BugTraq ID: 10296
Remote: Yes
Date Published: May 06 2004
Relevant URL: http://www.securityfocus.com/bid/10296
Summary:
It has been reported that the KAME racoon IKE daemon is affected by a
remote denial of service vulnerability when processing malformed IKE
messages. This issue is due to a failure of the daemon to properly
handle malformed messages.

This issue can be leveraged to cause the affected daemon to enter an
infinite loop, effectively denying service to legitimate users.

16. SuSE LINUX 9.1 Personal Edition Live CD-ROM SSH Server Defau...
BugTraq ID: 10297
Remote: Yes
Date Published: May 06 2004
Relevant URL: http://www.securityfocus.com/bid/10297
Summary:
It has been reported that the SuSE LINUX 9.1 Personal Edition Live
CD-ROM can allow an attacker to gain full access to a vulnerable
system. The issue presents itself when a user boots the machine with
the affected CD-ROM. It has been reported that due to a configuration
error, the system starts an SSH server on the host with a default root
account.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. Secure Form Script? (Thread)
Relevant URL: http://www.securityfocus.com/archive/91/362763

2. decent loadbalancing with 2 different ISP's with min... (Thread)
Relevant URL: http://www.securityfocus.com/archive/91/362709

3. decent loadbalancing with 2 different ISP's with min... (Thread)
Relevant URL: http://www.securityfocus.com/archive/91/362708

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary: 

Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so choose.

Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system administrators, and an advanced
development platform for exploit developers, or people learning to
become exploit developers.

2. SecretAgent
By: Information Security Corporation (ISC)
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT, 
Windows XP
Relevant URL: http://www.infoseccorp.com/products/secretagent/contents.htm
Summary: 

SecretAgent is a file encryption and digital signature utility, 
supporting cross-platform interoperability over a wide range of platforms: 
Windows, Linux, Mac OS X, and UNIX systems.

It's the perfect solution for your data security requirements, 
regardless of the size of your organization.

Using the latest recognized standards in encryption and digital 
signature technology, SecretAgent ensures the confidentiality, integrity, and 
authenticity of your data.

3. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL: http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary: 

Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely
share business information among customers, business partners, and
remote branches. It provides a seamless, LAN-like experience over the
Internet that includes all the security, performance, accessibility,
and ease of administration required to allow organizations to share
everyday information worldwide.

4. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, 
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary: 

EnCase Forensic Edition Version 4 delivers the most advanced features
for computer forensics and investigations. With an intuitive GUI and
superior performance, EnCase Version 4 provides investigators with the
tools to conduct large-scale and complex investigations with accuracy
and efficiency. Guidance Software's award winning solution yields
completely non-invasive computer forensic investigations while allowing
examiners to easily manage large volumes of computer evidence and view
all relevant files, including "deleted" files, file slack and
unallocated space.

The integrated functionality of EnCase allows the examiner to perform 
all functions of the computer forensic investigation process. EnCase's 
EnScript, a powerful macro-programming language and API included within 
EnCase, allows investigators to build customized and reusable forensic 
scripts.

5. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, 
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary: 

KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor documents, or even
activity within an accounting or specialist system. It is completely
undetectable by software scanners and provides you with one of the most
powerful stealth surveillance applications offered anywhere.

Because KeyGhost uses strong 128-bit encryption to store the recorded
data in its own internal memory (not on the hard drive), it is
impossible for a network intruder to gain access to any sensitive data
stored within the device.

6. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary: 

Evidian's SafeKit technology makes it possible to render any
application available 24 hours per day, with no extra hardware: just
use your existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to 
do is add more standard servers into the cluster. With the load 
balancing features of SafeKit, you can distribute applications over multiple 
servers. If one system fails completely, the others will continue to 
serve your users.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. yaSSL 0.1.0
By: tao51
Relevant URL: http://freshmeat.net/projects/yassl/?branch_id=48050&release_id=160245
Platforms: Linux, POSIX, Windows 2000, Windows NT, Windows XP
Summary: 

The yaSSL software package is a fast, dual-licensed implementation of 
SSL. It includes SSL client libraries and an SSL server implementation. 
It supports multiple APIs, including those defined by SSL and TLS. It 
also supports an OpenSSL compatibility interface.

2. DNS Blacklist Packet Filter v0.5
By: Russell Miller
Relevant URL: 
Platforms: FreeBSD, Linux, NetBSD, OpenBSD, POSIX
Summary: 

DNS Blacklist Packet Filter is a BSD/Linux netfilter client that
decides whether to accept or drop packets based on the results of a DNS
blacklist query (against lists such as MAPS, SORBS, or SPEWS, to name a
few). One use is to filter all incoming SMTP SYN packets for spam
filtering.

3. PCX Firewall (CGI Web Frontend) 1.3
By: James A. Pattie
Relevant URL: http://pcxfirewall.sf.net/frontends/index.html
Platforms: Linux, POSIX
Summary: 

PCX Firewall is an IPTables firewalling solution that uses Perl to
generate static shell scripts based upon the user's configuration
settings. This allows the firewall to start up quickly, as it does not
have to parse config files every time it starts.

4. GNUnet v0.6.2a
By: Christian Grothoff
Relevant URL: http://www.ovmj.org/GNUnet/
Platforms: FreeBSD, Linux, NetBSD, OpenBSD, POSIX
Summary: 

GNUnet is a peer-to-peer framework with a focus on providing security.
All link-to-link messages in the network are confidential and
authenticated. The framework provides a transport abstraction layer and
can currently encapsulate the peer-to-peer traffic in UDP, TCP, or SMTP
messages. GNUnet supports accounting to provide contributing nodes with
better service. The primary service built on top of the core GNUnet
framework is anonymous file sharing.

5. FTimes v3.4.0
By: Klayton Monroe
Relevant URL: http://ftimes.sourceforge.net/FTimes/
Platforms: AIX, FreeBSD, Linux, MacOS, POSIX, Solaris, SunOS, Windows 
2000, Windows NT
Summary: 

FTimes is a system baselining and evidence collection tool. Its primary 
purpose is to gather and/or develop information about specified 
directories and files in a manner conducive to intrusion analysis. It was 
designed to support the following initiatives: content integrity 
monitoring, incident response, intrusion analysis, and computer forensics.

6. tinysofa enterprise server 1.0
By: Omar Kilani
Relevant URL: http://www.tinysofa.org
Platforms: Linux, POSIX
Summary: 

tinysofa enterprise server is a secure, server-targeted, enterprise
grade operating system. It is based on Trustix Secure Linux and
includes a complete distribution port to Python 2.3 and RPM 4.2, an
overhauled PAM authentication system providing system-wide
authentication configuration, the latest upstream packages, the
replacement of ncftp with lftp, the addition of gdb and screen, feature
additions to the swup updater that provide multiple configuration file
support, user login FTP support, enable/disable support, variable
expansion support (allowing multiple architectures), and many other
enhancements.

VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
If your email address has changed, email listadmin@securityfocus.com
and ask to be manually removed.

VII. SPONSOR INFORMATION
------------------------

This Issue is Sponsored By: SecurityFocus 


------------------------------------------------------------------------