Date: Tue, 14 Jun 2005 17:11:37 -0600
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #239
SecurityFocus Linux Newsletter #239
----------------------------------------
This Issue is Sponsored By: SPI Dynamics
ALERT: How a Hacker Launches a SQL Injection Attack
It's as simple as placing additional SQL commands into a Web Form input
box giving hackers complete access to all your backend systems! Firewalls
and IDS will not stop such attacks because SQL Injections are NOT seen as
intruders. Download this *FREE* white paper from SPI Dynamics for a
complete guide to protection!
http://www.securityfocus.com/sponsor/SPIDynamics_sf-news_050614
------------------------------------------------------------------
I. FRONT AND CENTER
1. Shred It!
2. A Role Model for Security. Almost.
3. Software Firewalls: Made of Straw? Part 1 of 2
II. LINUX VULNERABILITY SUMMARY
1. FUSE Local Information Disclosure Vulnerability
2. GIPTables Firewall Insecure File Creation Vulnerability
3. MediaWiki Page Template HTML Injection Vulnerability
4. LutelWall Multiple Insecure File Creation Vulnerabilities
5. Dzip Remote Directory Traversal Vulnerability
6. LPanel Multiple Input Validation Vulnerabilities
7. Info2html Unspecified Cross-Site/Cross-Frame Scripting
Vulnerabilities
8. Linux Kernel Radionet Open Source Environment Unspecified
Vulnerability
9. Linux Kernel 64 Bit PTrace Segment Base Address Local Denial
Of Service Vulnerability
10. Backup Manager Archive Repository Disclosure Vulnerability
11. Linux Kernel MMap Invalid Memory Region Local Denial Of
Service Vulnerability
12. SilverCity Insecure File Permissions Vulnerability
13. Linux Kernel Auditing Code Unspecified Local Denial Of
Service Vulnerability
14. Linux Kernel 64 Bit PTrace Kernel Memory Access
Vulnerability
15. Linux Kernel 64 Bit Multiple Unspecified Local Denial of
Service Vulnerabilities
16. Linux Kernel DRM IOCTL Functions Unspecified Privilege
Escalation Vulnerability
17. TCPDump BGP Decoding Routines Denial Of Service
Vulnerability
18. Invision Power Services Invision Gallery SQL Injection
Vulnerability
19. Invision Community Blog Multiple Input Validation
Vulnerabilities
20. Novell NetMail Multiple Remote Vulnerabilities
21. e107 ePing Remote Command Execution Vulnerability
22. Gaim Yahoo! Protocol Support File Download Denial of Service
Vulnerability
23. Gaim MSN Protocol Malformed Message Denial of Service
Vulnerability
24. e107 eTrace Remote Command Execution Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. RedHat ES 4 and Oracle 10
V. SPONSOR INFORMATION
I. FRONT AND CENTER
---------------------
1. Shred It!
By Mark Rasch
The second worst thing you can do in the face of a government
investigation is to destroy the documents relevant to that investigation. The
worst thing you can do, of course, is to almost destroy these documents.
http://www.securityfocus.com/columnists/332
2. A Role Model for Security. Almost.
By Jason Miller
The pursuit of absolute security is a lot like perfectionism.
http://www.securityfocus.com/columnists/331
3. Software Firewalls: Made of Straw? Part 1 of 2
By Israel G. Lugo, Don Parker
The concept of a firewall still brings to mind the picture of an
impenetrable brick wall, the unsurpassable magic protector of all that is
good.
http://www.securityfocus.com/infocus/1839
II. LINUX VULNERABILITY SUMMARY
------------------------------------
1. FUSE Local Information Disclosure Vulnerability
BugTraq ID: 13857
Remote: No
Date Published: 2005-06-06
Relevant URL: http://www.securityfocus.com/bid/13857
Summary:
FUSE is susceptible to a local information disclosure vulnerability.
This issue is due to a failure of the kernel module to properly clear
used memory prior to its reuse.
This vulnerability allows malicious local users to gain access to
potentially sensitive kernel memory, aiding them in further attacks.
FUSE versions 2.2, 2.2.1, 2.3-pre*, and 2.3-rc1, running on Linux
kernel versions 2.4 through 2.6, are affected by this issue.
2. GIPTables Firewall Insecure File Creation Vulnerability
BugTraq ID: 13860
Remote: No
Date Published: 2005-06-06
Relevant URL: http://www.securityfocus.com/bid/13860
Summary:
GIPTables Firewall is prone to an insecure file creation vulnerability.
The issue is due to a design error: the application writes to a
temporary file without first verifying that the file does not already
exist.
An attacker may leverage this issue to overwrite arbitrary files with
the privileges of the unsuspecting user who runs the vulnerable
utility.
The temporary file holds the list of IP addresses the firewall is to
block, so an attacker may also exploit this vulnerability to deny
network service to arbitrary IP addresses.
3. MediaWiki Page Template HTML Injection Vulnerability
BugTraq ID: 13861
Remote: Yes
Date Published: 2005-06-06
Relevant URL: http://www.securityfocus.com/bid/13861
Summary:
MediaWiki is prone to an HTML injection vulnerability. This issue is
due to a failure in the application to properly sanitize user-supplied
input before using it in dynamically generated content.
Attacker-supplied HTML and script code would be executed in the context
of the affected Web site, potentially allowing for theft of
cookie-based authentication credentials. An attacker could also exploit this issue
to control how the site is rendered to the user; other attacks are also
possible.
4. LutelWall Multiple Insecure File Creation Vulnerabilities
BugTraq ID: 13863
Remote: No
Date Published: 2005-06-06
Relevant URL: http://www.securityfocus.com/bid/13863
Summary:
LutelWall is prone to multiple insecure file creation vulnerabilities.
These issues are due to a design error that causes the application to
write to files without first verifying that they do not already exist.
An attacker may leverage these issues to overwrite arbitrary files with
the privileges of the unsuspecting user who runs the vulnerable
utility. Given the nature of this script, it is likely that only users
with superuser privileges will be executing it.
One of the temporary files is used to store the downloaded LutelWall
script during the upgrade process. Attackers may be able to exploit the
race condition between the moment the temporary file is created and the
moment LutelWall is overwritten with its contents. This would allow
attackers to replace the LutelWall script with an arbitrary executable,
so that subsequent invocations of LutelWall by the superuser execute the
attacker-supplied code with superuser privileges.
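The race described in this entry and in the GIPTables entry above is the classic insecure-temporary-file pattern: a privileged script writes to a name a local attacker can predict, and the usual way the write gets redirected is a symbolic link planted at that name beforehand. The following shell functions are an added example, not GIPTables or LutelWall code, and assume nothing about either project's internals; the file names, the scratch directory standing in for /tmp, and the 'protected_config' and 'lutelwall.sh' targets are constructed for the demonstration. They show the predictable-name write being hijacked, the same write done through mktemp, and the rename-based replacement that closes the upgrade window.

```shell
#!/bin/sh
# Added example: insecure temporary file handling versus mktemp + atomic rename.
# Nothing here is taken from GIPTables or LutelWall; all paths are constructed.

# Insecure pattern: a fixed, predictable name in a directory others can write to.
# If an attacker has already planted a symlink at that name, the redirect below
# follows it and the privileged writer clobbers whatever the link points at.
insecure_write() {
    # $1 = scratch dir standing in for /tmp, $2 = data to store
    printf '%s\n' "$2" > "$1/blocklist.tmp"
}

# Hardened pattern: mktemp picks an unpredictable name and creates it with
# O_CREAT|O_EXCL and mode 0600, so a pre-planted file or link cannot be reused.
# Prints the temp file's path on stdout.
secure_write() {
    # $1 = scratch dir, $2 = data to store
    tmp=$(mktemp "$1/blocklist.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Upgrade pattern for the LutelWall case: stage the new content in a mktemp file
# in the same directory as the target, then rename over it. rename(2) is atomic,
# so there is no window in which the target is half-written or attacker-owned.
install_atomically() {
    # $1 = path of the script being replaced, $2 = new content (stands in for a download)
    dir=$(dirname "$1")
    tmp=$(mktemp "$dir/.upgrade.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp" && chmod 0755 "$tmp" && mv -f "$tmp" "$1"
}

# Demonstration: the attacker plants a symlink at the predictable name, pointing
# at a file the privileged writer should never touch. Returns 0 if it got clobbered.
demo_symlink_attack() {
    work=$(mktemp -d) || return 1
    victim="$work/protected_config"
    printf '%s\n' "original" > "$victim"
    ln -s "$victim" "$work/blocklist.tmp"
    insecure_write "$work" "192.0.2.1"
    clobbered=$(cat "$victim")
    rm -rf "$work"
    [ "$clobbered" = "192.0.2.1" ]
}

# Same planted symlink, mktemp-based writer. Returns 0 if the victim is intact
# and the temp file was created mode 0600.
demo_secure() {
    work=$(mktemp -d) || return 1
    victim="$work/protected_config"
    printf '%s\n' "original" > "$victim"
    ln -s "$victim" "$work/blocklist.tmp"
    tmp=$(secure_write "$work" "192.0.2.1") || { rm -rf "$work"; return 1; }
    intact=$(cat "$victim")
    mode=$(stat -c %a "$tmp" 2>/dev/null || stat -f %Lp "$tmp")   # GNU, then BSD stat
    rm -rf "$work"
    [ "$intact" = "original" ] && [ "$mode" = "600" ]
}

# Replace a stand-in script in one rename. Returns 0 if the new content landed.
demo_atomic_install() {
    work=$(mktemp -d) || return 1
    target="$work/lutelwall.sh"
    printf '%s\n' "old version" > "$target"
    install_atomically "$target" "new version" || { rm -rf "$work"; return 1; }
    got=$(cat "$target")
    rm -rf "$work"
    [ "$got" = "new version" ]
}

demo_symlink_attack && echo "predictable name: victim file overwritten through the symlink"
demo_secure && echo "mktemp: victim intact, temp file created mode 0600"
demo_atomic_install && echo "atomic install: target replaced in a single rename"
```

The test that matters when auditing a script like this is whether any redirect targets a name built from constants or from `$$` alone; both are predictable to a local user. mktemp is the fix for scratch data, and staging plus `mv -f` within the same filesystem is the fix when the temporary content is about to become the program itself.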
5. Dzip Remote Directory Traversal Vulnerability
BugTraq ID: 13867
Remote: Yes
Date Published: 2005-06-06
Relevant URL: http://www.securityfocus.com/bid/13867
Summary:
Dzip is affected by a directory traversal vulnerability.
A successful attack can allow the attacker to place potentially
malicious files in arbitrary locations.
This attack would occur with the privileges of the application.
Dzip 2.9 and prior versions are reportedly vulnerable.
6. LPanel Multiple Input Validation Vulnerabilities
BugTraq ID: 13869
Remote: Yes
Date Published: 2005-06-06
Relevant URL: http://www.securityfocus.com/bid/13869
Summary:
LPanel is prone to multiple input validation vulnerabilities; all of
them require authentication to be exploited. The following issues are
reported:
The domain name value passed to the 'domain' parameter of the
'diagnose.php' script is not sufficiently sanitized. This may allow an
authenticated attacker to reset DNS values for target domains that are
controlled by LPanel.
Input passed to the 'close', 'pid', and 'open' parameters of the
'view_ticket.php' script is not sufficiently sanitized. An authenticated
attacker may leverage this issue to respond to arbitrary support tickets.
Additionally, input passed to the 'pid' parameter may be used to launch
HTML injection attacks.
The 'inv' URI parameter, passed to the 'viewreceipt.php' script is not
properly sanitized. An authenticated attacker may leverage this issue
to view arbitrary receipts.
The 'editdomain' URI parameter, passed to the 'domains.php' script is
not properly sanitized. An authenticated attacker may leverage this
issue to change DNS information for arbitrary LPanel accounts.
These issues are reported to exist in LPanel versions 1.59 and prior.
7. Info2html Unspecified Cross-Site/Cross-Frame Scripting
Vulnerabilities
BugTraq ID: 13885
Remote: Yes
Date Published: 2005-06-07
Relevant URL: http://www.securityfocus.com/bid/13885
Summary:
info2html is prone to multiple unspecified cross-site/cross-frame
scripting vulnerabilities.
The exact cause of these issues is currently unknown, however, it is
conjectured that an attacker may execute arbitrary HTML or script code in
a user's browser due to a lack of argument escaping. This may allow
the attacker to steal cookie-based authentication credentials or carry
out other attacks.
All versions of info2html are considered vulnerable at the moment.
This BID will be updated when more information is available.
8. Linux Kernel Radionet Open Source Environment Unspecified
Vulnerability
BugTraq ID: 13886
Remote: No
Date Published: 2005-06-07
Relevant URL: http://www.securityfocus.com/bid/13886
Summary:
The Linux Kernel Radionet Open Source Environment (ROSE) implementation
is prone to an unspecified vulnerability.
The issue exists in the 'rose_rt_ioctl()' function of the
'net/rose/rose_route.c' source file and reportedly manifests when the
function handles 'ndigis' arguments.
9. Linux Kernel 64 Bit PTrace Segment Base Address Local Denial Of
Service Vulnerability
BugTraq ID: 13891
Remote: No
Date Published: 2005-06-08
Relevant URL: http://www.securityfocus.com/bid/13891
Summary:
The Linux kernel is reported prone to a local denial of service
vulnerability. The issue exists due to insufficient sanitization of memory
addresses passed to ptrace().
This issue only exists on the amd64 platform, where it is possible that
a local attacker will leverage the issue to crash the kernel. A
successful attack will deny service for legitimate users.
10. Backup Manager Archive Repository Disclosure Vulnerability
BugTraq ID: 13892
Remote: No
Date Published: 2005-06-08
Relevant URL: http://www.securityfocus.com/bid/13892
Summary:
Backup Manager is affected by an information disclosure vulnerability.
Archives are created with insecure permissions, which can allow
attackers to disclose sensitive information. Other attacks may be possible as
well.
Backup Manager 0.5.8 and prior versions are affected.
11. Linux Kernel MMap Invalid Memory Region Local Denial Of Service
Vulnerability
BugTraq ID: 13893
Remote: No
Date Published: 2005-06-08
Relevant URL: http://www.securityfocus.com/bid/13893
Summary:
The Linux kernel is reported prone to a local denial of service
vulnerability. The issue is reported to exist due to a lack of validation
performed by 'mmap()' on memory regions passed to the function.
The immediate consequence of exploitation is a kernel panic. It is
conjectured that this issue may be further leveraged to execute
arbitrary code in the context of the kernel, although this is not
confirmed.
12. SilverCity Insecure File Permissions Vulnerability
BugTraq ID: 13894
Remote: No
Date Published: 2005-06-08
Relevant URL: http://www.securityfocus.com/bid/13894
Summary:
The SilverCity installation package is reported prone to a
vulnerability. Reports indicate that when SilverCity is installed, three
of the SilverCity executables are given insecure permissions.
An attacker with local access to a vulnerable computer may modify these
executables, replacing them with trojaned versions that then run with
the privileges of any user who invokes them.
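This entry and the Backup Manager entry above both come down to files left with permission bits they should not have: executables that someone other than the owner can write, and archives that anyone on the system can read. The audit below is an added example, not code from either project. The fixture tree it builds is constructed for the demonstration, and the archive suffixes it matches are an assumption about what a backup tool names its output; adjust them for the tool in use.

```shell
#!/bin/sh
# Added example: audit an install or backup tree for the two permission mistakes
# described in the SilverCity and Backup Manager entries. Not code from either project.

# Print one "<kind> <path>" line per finding.
audit_perms() {
    # Executables (owner-execute bit set) that group or others may write:
    # anyone in that class can swap in a trojaned copy the owner later runs.
    find "$1" -type f -perm -100 \( -perm -020 -o -perm -002 \) \
        -exec printf 'writable-exe %s\n' {} +
    # Backup archives readable by others: every local user can read the dump.
    # The suffix list is an assumption about the backup tool's naming.
    find "$1" -type f \( -name '*.tar' -o -name '*.tar.gz' -o -name '*.tgz' -o -name '*.tar.bz2' \) \
        -perm -004 -exec printf 'world-readable-archive %s\n' {} +
}

# Build a constructed fixture tree (two executables, two archives) and print its path.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/backups"
    printf '#!/bin/sh\necho ok\n' > "$root/bin/good"; chmod 0755 "$root/bin/good"   # correct
    printf '#!/bin/sh\necho ok\n' > "$root/bin/bad";  chmod 0777 "$root/bin/bad"    # world-writable
    : > "$root/backups/public.tar.gz";  chmod 0644 "$root/backups/public.tar.gz"     # world-readable
    : > "$root/backups/private.tar.gz"; chmod 0600 "$root/backups/private.tar.gz"    # correct
    printf '%s\n' "$root"
}

# Run the audit against the fixture, clean up, and print the number of findings.
demo_audit_count() {
    root=$(make_fixture) || return 1
    n=$(audit_perms "$root" | wc -l | tr -d ' ')
    rm -rf "$root"
    printf '%s\n' "$n"
}

printf 'findings in constructed fixture: %s\n' "$(demo_audit_count)"   # prints 2
```

Run `audit_perms` against the real install prefix (or the backup repository) rather than the fixture; an empty result is the expected state. The remediation for the archive case is a `umask 077` in the backup job, and for the executable case a `chmod go-w` on the affected files together with a check of the packaging step that produced them.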
13. Linux Kernel Auditing Code Unspecified Local Denial Of Service
Vulnerability
BugTraq ID: 13895
Remote: No
Date Published: 2005-06-08
Relevant URL: http://www.securityfocus.com/bid/13895
Summary:
The Linux kernel is prone to an unspecified local denial of service
vulnerability.
Reports indicate that the issue exists in the Linux kernel auditing
code, and that local attacks on 64-Bit platforms could result in a kernel
panic.
Successful attacks will deny service for legitimate users.
14. Linux Kernel 64 Bit PTrace Kernel Memory Access Vulnerability
BugTraq ID: 13903
Remote: No
Date Published: 2005-06-09
Relevant URL: http://www.securityfocus.com/bid/13903
Summary:
The Linux kernel is prone to a vulnerability that may allow local
attackers to write into kernel memory pages. This issue only exists on
64-Bit platforms.
The specific details about this vulnerability are currently unknown.
This BID will be updated when more information is available.
15. Linux Kernel 64 Bit Multiple Unspecified Local Denial of Service
Vulnerabilities
BugTraq ID: 13904
Remote: No
Date Published: 2005-06-09
Relevant URL: http://www.securityfocus.com/bid/13904
Summary:
The Linux kernel is affected by multiple unspecified local denial of
service vulnerabilities. These issues only affect 64-Bit platforms.
Reports indicate that an attacker can exploit these vulnerabilities to
crash the kernel, effectively denying service to legitimate users.
This BID will be updated when more information is available.
16. Linux Kernel DRM IOCTL Functions Unspecified Privilege Escalation
Vulnerability
BugTraq ID: 13905
Remote: No
Date Published: 2005-06-09
Relevant URL: http://www.securityfocus.com/bid/13905
Summary:
The Linux kernel is affected by an unspecified privilege escalation
vulnerability.
Reports indicate that some unspecified DRM ioctl functions can allow
local attackers to gain elevated privileges due to insufficient checks.
This BID will be updated when more information is available.
17. TCPDump BGP Decoding Routines Denial Of Service Vulnerability
BugTraq ID: 13906
Remote: Yes
Date Published: 2005-06-09
Relevant URL: http://www.securityfocus.com/bid/13906
Summary:
tcpdump is prone to a vulnerability that may allow a remote attacker to
cause a denial of service condition in the software. The issue occurs
in the way tcpdump decodes Border Gateway Protocol (BGP) packets.
A remote attacker may cause the software to enter an infinite loop by
sending malformed BGP packets, resulting in the software hanging.
18. Invision Power Services Invision Gallery SQL Injection
Vulnerability
BugTraq ID: 13907
Remote: Yes
Date Published: 2005-06-09
Relevant URL: http://www.securityfocus.com/bid/13907
Summary:
Invision Gallery is affected by an SQL injection vulnerability.
This issue is due to a failure in the application to properly sanitize
user-supplied input to the 'index.php' script before using it in an SQL
query.
Successful exploitation could result in a compromise of the
application, disclosure or modification of data, or may permit an attacker to
exploit vulnerabilities in the underlying database implementation.
Invision Gallery 1.3.0 and prior are vulnerable.
19. Invision Community Blog Multiple Input Validation Vulnerabilities
BugTraq ID: 13910
Remote: Yes
Date Published: 2005-06-09
Relevant URL: http://www.securityfocus.com/bid/13910
Summary:
Multiple input validation vulnerabilities reportedly affect Invision
Community Blog. These issues are due to a failure of the application to
properly sanitize user-supplied input prior to using it to carry out
critical actions.
The first issue is a cross-site scripting issue and the second set of
issues are SQL injection issues.
An attacker may leverage these issues to carry out cross-site scripting
and SQL injection attacks against the affected application. This may
result in the theft of authentication credentials, destruction or
disclosure of sensitive data, and potentially other attacks.
20. Novell NetMail Multiple Remote Vulnerabilities
BugTraq ID: 13926
Remote: Yes
Date Published: 2005-06-10
Relevant URL: http://www.securityfocus.com/bid/13926
Summary:
Novell NetMail is susceptible to multiple remote vulnerabilities.
The IMAP agent is susceptible to two remote buffer overflow
vulnerabilities, and the Modweb agent is susceptible to a remote buffer overflow
vulnerability. These issues allow remote attackers to execute arbitrary
machine code in the context of the affected server process.
The Modweb agent is susceptible to two remote denial of service
vulnerabilities. These issues allow remote attackers to crash the service, and
to consume excessive CPU resources. These issues result in the denial
of service to legitimate users.
The Modweb agent is also susceptible to a cross-site scripting
vulnerability, allowing attackers to execute arbitrary HTML and script
code in unsuspecting users' Web browsers in the context of the affected
Web site.
This BID will be split into its individual issues at a later date.
21. e107 ePing Remote Command Execution Vulnerability
BugTraq ID: 13929
Remote: Yes
Date Published: 2005-06-10
Relevant URL: http://www.securityfocus.com/bid/13929
Summary:
ePing is prone to a remote command execution vulnerability.
An attacker can supply arbitrary shell commands and have them executed
in the context of the server. This can facilitate various further
attacks, including unauthorized access to the affected computer.
22. Gaim Yahoo! Protocol Support File Download Denial of Service
Vulnerability
BugTraq ID: 13931
Remote: Yes
Date Published: 2005-06-10
Relevant URL: http://www.securityfocus.com/bid/13931
Summary:
Gaim is affected by a denial of service vulnerability during the
download of a file over the Yahoo! protocol. This issue can allow
remote attackers to cause an affected client to fail.
The vulnerability manifests when the client tries to download a file
whose name contains non-ASCII characters.
Gaim versions prior to 1.3.1 are reportedly affected by this
vulnerability; other versions may also be affected.
23. Gaim MSN Protocol Malformed Message Denial of Service Vulnerability
BugTraq ID: 13932
Remote: Yes
Date Published: 2005-06-10
Relevant URL: http://www.securityfocus.com/bid/13932
Summary:
Gaim is affected by a denial of service vulnerability when handling
malformed messages using the MSN protocol. This issue can allow remote
attackers to cause an affected client to fail.
Gaim versions prior to 1.3.1 are reportedly affected by this
vulnerability; other versions may also be affected.
24. e107 eTrace Remote Command Execution Vulnerability
BugTraq ID: 13934
Remote: Yes
Date Published: 2005-06-10
Relevant URL: http://www.securityfocus.com/bid/13934
Summary:
eTrace is prone to a remote command execution vulnerability.
An attacker can supply arbitrary shell commands and have them executed
in the context of the server. This can facilitate various further
attacks, including unauthorized access to the affected computer.
III. LINUX FOCUS LIST SUMMARY
---------------------------------
1. RedHat ES 4 and Oracle 10
http://www.securityfocus.com/archive/91/401562
V. SPONSOR INFORMATION
------------------------
This Issue is Sponsored By: SPI Dynamics
ALERT: How a Hacker Launches a SQL Injection Attack
It's as simple as placing additional SQL commands into a Web Form input
box giving hackers complete access to all your backend systems! Firewalls
and IDS will not stop such attacks because SQL Injections are NOT seen as
intruders. Download this *FREE* white paper from SPI Dynamics for a
complete guide to protection!
http://www.securityfocus.com/sponsor/SPIDynamics_sf-news_050614