Summary of Security Items from July 21 through August 3, 2004

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends and viruses identified between July 21 and August 3, 2004. The current version of this document can be found here <http://www.us-cert.gov/cas/bulletins/SB04-217.html>

Bugs, Holes, & Patches
  * Windows Operating Systems
  * UNIX Operating Systems
  * Multiple Operating Systems
Recent Exploit Scripts/Techniques
Trends
Viruses/Trojans
_________________________________________________________________

Bugs, Holes, & Patches

The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Updates to items appearing in previous bulletins are listed in bold. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

Risk is defined as follows:

  * High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.

  * Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access.
An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.

  * Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.

Windows Operating Systems Only

Vendor & Software Name: Layton Technology HelpBox 3.0.1
Vulnerability - Impact: An input verification vulnerability exists that could allow an attacker to conduct SQL injection attacks. Various scripts fail to properly verify input passed to certain parameters before it is used in a SQL query.
Patches - Workarounds: No solution is available at this time.
Attacks Scripts: A Proof of Concept exploit has been published.
Common Name: Layton HelpBox Multiple SQL Injection Vulnerabilities
Risk: High
Source: Secunia, SA12118, July 22, 2004; SecuriTeam, July 21, 2004

Vendor & Software Name: Microsoft. MS Windows NT Workstation 4.0 SP 6a; MS Windows NT Server 4.0 SP 6a; MS Windows NT Server 4.0 Terminal Server Edition SP 6; MS Windows 2000 SP2, SP3, SP4; MS Windows XP / XP SP1; MS Windows XP 64-Bit Edition SP1; MS Windows XP 64-Bit Edition Version 2003; MS Windows Server 2003 / 2003 64-Bit Edition; MS Windows 98, 98 SE, and Me; Internet Explorer 5.01 SP2, 3, 4; Internet Explorer 5.5 SP2; Internet Explorer 6, SP1, SP1 (64-Bit Edition), Windows Server 2003, Windows Server 2003 (64-Bit Edition)
Vulnerability - Impact: Cross-site scripting and remote code execution vulnerabilities exist. This security patch fixes three vulnerabilities:
  * A double-free vulnerability in the processing of GIF files
  * An integer overflow in the processing of bitmap files
  * Internet Explorer does not adequately validate the security context of a frame that has been redirected by a web server.
An attacker can use malicious images on a web page or in HTML-formatted email messages. If the attacker can convince a user to visit the web page, open the message, or otherwise view the image, the attacker may be able to gain control of the user's machine. An attacker also may be able to take advantage of frames to redirect users to a malicious web site.
Patches - Workarounds: Verify Windows is updated and download updates at: http://v4.windowsupdate.microsoft.com/en/default.asp
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: Cumulative Security Update for Internet Explorer (867801); CVE Name: CAN-2004-0549, CAN-2004-0566, CAN-2003-1048
Risk: High
Source: Microsoft Security Bulletin MS04-025, July 30, 2004; US-CERT Cyber Security Alert SA04-212A, July 30, 2004; US-CERT VU#685364 and VU#266926, July 30, 2004

Vendor & Software Name: NetSupport DNA Helpdesk 1.01
Vulnerability - Impact: An input verification vulnerability exists which could allow an attacker to conduct SQL injection attacks. The script "problist.asp" fails to properly verify input passed to the "where" parameter before it is used in a SQL query.
Patches - Workarounds: No solution is available at this time.
Attacks Scripts: A working exploit has been published.
Common Name: DNA HelpDesk SQL Injection Vulnerability
Risk: High
Source: Secunia, SA12119, July 22, 2004

Vendor & Software Name: OllyDbg version 1.10
Vulnerability - Impact: A Denial of Service vulnerability exists that could allow an attacker to crash OllyDbg and execute machine code. This vulnerability is due to a format string bug in the code that handles Debugger Messages.
Patches - Workarounds: No solution is available at this time.
Attacks Scripts: A working exploit has been published.
Common Name: OllyDbg Format String Bug
Risk: High
Source: SecuriTeam, July 20, 2004

Vendor & Software Name: SapporoWorks BlackJumboDog FTP Server 3.6.1
Vulnerability - Impact: A buffer overflow vulnerability exists in which a remote user can execute arbitrary code on the target system. A remote user can send a specially crafted FTP command with a long parameter string to trigger the flaw. The USER, PASS, RETR, CWD, XMKD, XRMD, and other commands are affected. The software reportedly copies the user-supplied parameter string to a 256 byte buffer.
Patches - Workarounds: Update to version 3.6.2, available at: http://homepage2.nifty.com/spw/software/bjd/
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: BlackJumboDog Has Buffer Overflow in the FTP Service
Risk: High
Source: US-CERT VU#714584, August 3, 2004

Vendor & Software Name: Webcam Corp. Webcam Watchdog 4.0.1a
Vulnerability - Impact: An input validation vulnerability exists that could allow an attacker to conduct cross-site scripting attacks. 'sresult.exe' does not properly filter HTML code from user-supplied input in the 'cam' variable before displaying the input. A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Watchdog software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Patches - Workarounds: No solution is available at this time.
Attacks Scripts: A Proof of Concept exploit has been published.
Common Name: Webcam Watchdog Input Validation Hole in 'sresult.exe' Permits Cross-Site Scripting Attacks
Risk: High
Source: SecurityTracker Alert ID: 1010824, July 30, 2004

Vendor & Software Name: Whisper Technology Limited FTP Surfer 1.0.7
Vulnerability - Impact: A buffer overflow vulnerability exists due to a boundary error when handling filenames that could allow an attacker to execute arbitrary code. This can be exploited to cause a buffer overflow, which is triggered when the application is closed, by tricking a user into opening a file with an overly long filename from a malicious FTP server.
Patches - Workarounds: No solution is available at this time.
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: FTP Surfer File Handling Buffer Overflow Vulnerability
Risk: High
Source: Secunia, SA12107, July 27, 2004

Vendor & Software Name: XLineSoft ASPRunner 2.4 and prior
Vulnerability - Impact: Multiple vulnerabilities exist in ASPRunner due to improper input validation. A remote user can inject SQL commands, conduct cross-site scripting attacks, and download the underlying database. Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted HTTP POST request that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ASPRunner scripts and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Patches - Workarounds: No solution is available at this time.
Attacks Scripts: A Proof of Concept exploit has been published.
Common Name: ASPRunner Input Validation Holes Permit SQL Injection and Cross-Site Scripting Attacks
Risk: High
Source: SecurityTracker Alert ID: 1010777, July 26, 2004; SecuriTeam, July 27, 2004

Vendor & Software Name: Innovative Technology Consulting FTP GLIDE 2.43
Vulnerability - Impact: A vulnerability exists in the FTP GLIDE client software in which a local user can view passwords. The FTP GLIDE client stores usernames and passwords in clear text.
Patches - Workarounds: No solution is available at this time.
Attacks Scripts: No exploit code required.
Common Name: FTP GLIDE Discloses Passwords to Local Users
Risk: Medium
Source: SecurityTracker Alert ID: 1010776, July 26, 2004

Vendor & Software Name: Leigh Business Enterprises Ltd. LBE Web HelpDesk 4.0.80
Vulnerability - Impact: An input verification vulnerability exists in the "jobedit.asp" script that an attacker could use to manipulate SQL queries.
Patches - Workarounds: Update to version 4.0.0.81 available at: http://www.lbehelpdesk.com/helpdesk-latest.htm
Attacks Scripts: A working exploit has been published.
Common Name: LBE Web HelpDesk SQL Injection
Risk: Medium
Source: Secunia, SA12123, July 22, 2004; SecuriTeam, July 21, 2004

Vendor & Software Name: Microsoft Systems Management Server (SMS) 2.50.2726.0
Vulnerability - Impact: A Denial of Service vulnerability exists due to an error within the client SMS Remote Control service when processing specially crafted packets containing the string "RCH0####RCHE" followed by about 130 characters. Successful exploitation crashes the service.
Patches - Workarounds: Restrict access to ports 2701/TCP and 2702/TCP.
Attacks Scripts: A working exploit has been published.
Common Name: Microsoft Systems Management Server Remote Control Service Vulnerability
Risk: Medium
Source: Secunia, SA11814, July 27, 2004

Vendor & Software Name: NET2SOFT Inc. Flash FTP Server 1.0 (banner version 2.1)
Vulnerability - Impact: A vulnerability exists in the Flash FTP Server which could allow a remote user to view files on the target system that are located outside of the FTP root directory. A remote authenticated user, including an anonymous user, can send a 'CWD ...' command followed by a 'CWD /' command to gain access to the root directory on the target system.
Patches - Workarounds: No solution is available at this time.
Attacks Scripts: A working exploit has been published.
Common Name: Flash FTP Server Lets Remote Users Traverse the Directory With CWD Command
Risk: Medium
Source: SecurityTracker Alert, 1010750, July 21, 2004

Vendor & Software Name: Opera Software Opera 7.53
Vulnerability - Impact: A spoofing vulnerability exists that could be exploited by an attacker to conduct phishing attacks against a user. Opera fails to update the address bar if a web page is opened using the "window.open" function and then "replaced" using the "location.replace" function. This causes Opera to display the URL of the first website while loading the content of the second website.
Patches - Workarounds: Workaround: Do not follow links from untrusted websites.
Attacks Scripts: A Proof of Concept exploit has been published.
Common Name: Opera Browser Spoofing Vulnerability
Risk: Medium
Source: Secunia, SA12162, July 27, 2004

Vendor & Software Name: Polar Polar HelpDesk 3.0
Vulnerability - Impact: An authentication vulnerability exists because the system does not verify if a user is logged on. It only checks if a cookie with the appropriate "UserId" and "UserType" is set. An attacker could log on as any user with arbitrary privileges.
Patches - Workarounds: Restrict access using a different authentication mechanism or upgrade to the latest version.
Attacks Scripts: A working exploit has been published.
Common Name: Polar HelpDesk Authentication Bypass and Inadequate Security Checks
Risk: Medium
Source: Secunia, SA12120, July 22, 2004; SecuriTeam, July 21, 2004

UNIX Operating Systems Only

Vendor & Software Name: Citadel/UX Citadel/UX 6.23 and prior
Vulnerability - Impact: Citadel/UX "USER" Command Buffer Overflow Vulnerability. A buffer overflow vulnerability exists in Citadel/UX, which could allow a Denial of Service attack or remote code execution. The vulnerability is caused by a boundary error within the citadel service when processing "USER" commands. This can be exploited to cause a stack-based buffer overflow by passing an overly long argument (about 94 bytes) to the "USER" command.
Patches - Workarounds: A patch is available in the CVS repository at: http://www.citadel.org/cvs.php
Attacks Scripts: A Proof of Concept exploit has been published.
Common Name: Citadel/UX Remote Buffer Overflow Vulnerability
Risk: High
Source: No System Group - Advisory #04 - July 28, 2004

Vendor & Software Name: Debian libapache-mod-ssl, courier (sqwebmail), mailreader
Vulnerability - Impact: Multiple vulnerabilities including cross-site scripting exist in Linux modules. Debian has issued updates for libapache-mod-ssl, courier, and mailreader. This fixes Denial of Service and other vulnerabilities.
Patches - Workarounds: Update to Debian GNU/Linux 3.0 alias woody. Details available at:
  http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00134.html
  http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00136.html
  http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00135.html
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: Debian updates for libapache-mod-ssl, courier, and mailreader
Risk: High
Source: Debian Security Advisories: DSA 532-1, DSA 533-1, DSA 534-1, July 22, 2004

Vendor & Software Name: GNU / GPL; Conectiva; Gentoo; Mandrake; RedHat; SuSE; Trustix. Samba 3.0.0 - 3.0.4 and 2.2.9 and prior
Vulnerability - Impact: Multiple buffer overflow vulnerabilities exist in Samba that could allow a remote user to execute arbitrary code on the target system. These are caused by boundary errors when decoding base64 data and when handling "mangling method = hash".
Patches - Workarounds: Upgrade to version 3.0.5 or 2.2.10 available at: http://us2.samba.org/samba/ftp/
  Conectiva: ftp://atualizacoes.conectiva.com.br
  RedHat: RedHat Enterprise Linux AS 3, ES 3, WS 3: http://rhn.redhat.com/
  Gentoo: http://security.gentoo.org/glsa/glsa-200407-21.xml
  Mandrakesoft: Mandrake Multi Network Firewall 8.x, 9.x; Mandrake Corporate Server 2.x: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:071
  SuSE: SuSE Linux, Email, Database, and Enterprise Servers: http://www.suse.de/de/security/2004_22_samba.html
  Trustix: http://http.trustix.org/pub/trustix/updates/
Attacks Scripts: A working exploit has been published.
Common Name: Samba Buffer Overflow Vulnerabilities; CVE Names: CAN-2004-0600, CAN-2004-0686
Risk: High
Source: Samba Release Notes 3.0.5, July 20, 2004; Gentoo, RedHat, Mandrakesoft, SuSE, Trustix, Conectiva Advisories

Vendor & Software Name: Internet Software Sciences Web+Center 4.0.1
Vulnerability - Impact: An input verification vulnerability exists that could allow an attacker to conduct SQL injection attacks. Various scripts fail to properly verify input passed to certain parameters through cookies before it is used in a SQL query.
Patches - Workarounds: No solution is available at this time.
Attacks Scripts: A working exploit has been published.
Common Name: Web+Center SQL Injection Vulnerability
Risk: High
Source: Secunia, SA12121, July 22, 2004; SecuriTeam, July 21, 2004

Vendor & Software Name: Oracle Oracle 8i, 9i Multiple Implementations
Vulnerability - Impact: A privilege escalation vulnerability exists in the default library directory. This is due to a default configuration error that could allow an attacker to replace libraries required by setuid root applications with arbitrary code. This issue would allow an Oracle software owner to execute code as the superuser, taking control of the entire system.
Patches - Workarounds: No solution is available at this time. An untested workaround is available at: http://www.securityfocus.com/bid/10829/solution/
Attacks Scripts: A Proof of Concept exploit has been published.
Common Name: Oracle Database Default Library Directory Privilege Escalation Vulnerability
Risk: High
Source: Security Focus ID 10829, July 30, 2004

Vendor & Software Name: PHP Group; Debian; Slackware; Fedora. php 4.3.7 and prior
Vulnerability - Impact: Updates to fix multiple vulnerabilities with php4 which could allow remote code execution.
Patches - Workarounds:
  Debian: Update to Debian GNU/Linux 3.0 alias woody at http://www.debian.org/releases/stable/
  Slackware: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.406480
  Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/ and http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
Common Name: PHP 'memory_limit' and strip_tags() Remote Vulnerabilities; CVE Name: CAN-2004-0594, CAN-2004-0595
Risk: High
Source: Secunia, SA12113 and SA12116, July 21, 2004; Debian, Slackware, and Fedora Security Advisories

Vendor & Software Name: phpBB Group phpBB 2.0.9 and prior
Vulnerability - Impact: Multiple vulnerabilities including cross-site scripting and full path disclosure exist due to improper input sanitization in the search.php, privmsg.php, and login.php scripts and uninitialized arrays.
Patches - Workarounds: Upgrade to version 2.0.10 available at: http://www.phpbb.com/downloads.php
Attacks Scripts: A Proof of Concept exploit has been published.
Common Name: phpBB Cross Site Scripting, Full Path, and XSS Vulnerabilities
Risk: High
Source: Secunia, SA12114, July 22, 2004; SecuriTeam, July 22, 2004

Vendor & Software Name: SCO UnixWare 7.1.3 / Open UNIX 8.0.0
Vulnerability - Impact: A buffer overflow exists in ReadFontAlias from dirfile.c of Xsco that may allow local users and remote attackers to execute arbitrary code via a font alias file with a long token. There are also multiple vulnerabilities reading font files.
Patches - Workarounds: Apply updated packages available at: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.2/erg712546.pkg.Z
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: UnixWare / Open UNIX Xsco Buffer Overflow Vulnerabilities; CVE Name: CAN-2004-0083, CAN-2004-0106
Risk: High
Source: SCO Security Advisory, SCOSA-2004.2, July 29, 2004

Vendor & Software Name: SCO SCO OpenServer 5.0.6 and 5.0.7
Vulnerability - Impact: A buffer overflow exists in ReadFontAlias from dirfile.c of Xsco that may allow local users and remote attackers to execute arbitrary code via a font alias file with a long token. There are also multiple vulnerabilities reading font files.
Patches - Workarounds: Apply updated packages available at:
  ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.3/VOL.000.000
  ftp://ftp.sco.com/pub/openserver5/507/mp/mp3/507mp3_vol.tar
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: OpenServer Xsco Buffer Overflow Vulnerabilities; CVE Name: CAN-2004-0083, CAN-2004-0106
Risk: High
Source: SCO Security Advisory, SCOSA-2004.3, July 29, 2004

Vendor & Software Name: Sourceforge.net; Gentoo Linux. Pavuk 0.x
Vulnerability - Impact: Multiple vulnerabilities exist which could allow an attacker to run arbitrary code. The vulnerabilities are caused by boundary errors within the handling of digest authentication.
Patches - Workarounds: Gentoo: http://www.gentoo.org/security/en/glsa/glsa-200407-19.xml
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: Pavuk Digest Authentication Buffer Overflow Vulnerabilities
Risk: High
Source: Gentoo Security Advisory, GLSA 200407-19 / Pavuk, Release Date July 26, 2004

Vendor & Software Name: sox.sourceforge.net; Fedora; Mandrakesoft; Gentoo; Conectiva; RedHat. SoX 12.17.4, 12.17.3, and 12.17.2
Vulnerability - Impact: Multiple vulnerabilities exist that could allow a remote attacker to execute arbitrary code. This is due to boundary errors within the "st_wavstartread()" function when processing ".WAV" file headers and can be exploited to cause stack-based buffer overflows. Successful exploitation requires that a user is tricked into playing a malicious ".WAV" file with a large value in a length field.
Patches - Workarounds:
  Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/ and http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
  Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:076
  Gentoo: http://security.gentoo.org/glsa/glsa-200407-23.xml
  Conectiva: ftp://atualizacoes.conectiva.com.br
  RedHat: http://rhn.redhat.com/errata/RHSA-2004-409.html
Attacks Scripts: A working exploit has been published.
Common Name: SoX ".WAV" File Processing Buffer Overflow Vulnerabilities; CVE Name: CAN-2004-0557
Risk: High
Source: Secunia, SA12175, 12176, 12180, July 29, 2004; SecurityTracker Alerts 1010800 and 1010801, July 28/29, 2004; Mandrakesoft Security Advisory MDKSA-2004:076, July 28, 2004

Vendor & Software Name: SquirrelMail Project Team SquirrelMail 1.4.2
Vulnerability - Impact: An input validation vulnerability was reported in SquirrelMail. A remote user may be able to execute SQL statements on the target system. The flaw resides in 'abook_database.php' where the $alias variable is not properly filtered.
Patches - Workarounds: Update to version 1.4.3 RC1 and later versions, available at: http://www.squirrelmail.org/download.php
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: SquirrelMail Input Validation Flaw in 'abook_database.php'; CVE Name: CAN-2004-0521
Risk: High
Source: SecurityTracker Alert ID: 1010842, August 3, 2004

Vendor & Software Name: Team OpenFTPD OpenFTPD 0.30.2 prior to July 16, 2004, and prior versions
Vulnerability - Impact: A vulnerability exists that could allow a remote attacker to execute arbitrary code on the target system. A remote authenticated user can send a specially crafted message to another FTP user to trigger a format string flaw and execute arbitrary code on the FTP server due to a flaw in 'misc/msg.c'.
Patches - Workarounds: Update available at: http://www.openftpd.org:9673/openftpd/download_page.html
Attacks Scripts: A Proof of Concept exploit has been published.
Common Name: OpenFTPD Format String Flaw Lets Remote Authenticated Users Execute Arbitrary Code
Risk: High
Source: VSA0402 - openftpd - void.at security notice, July 31, 2004

Vendor & Software Name: Apple Computer Panther 10.3.4 - Internet Connect 1.3
Vulnerability - Impact: Privilege escalation and Denial of Service vulnerabilities exist which could allow a local user to gain root privileges. An attacker could also render the machine unusable by corrupting important system files. The application creates a log file in an unsafe manner and a local user can create a symbolic link (symlink) from a critical file on the system to the temporary file. When Internet Connect is run the symlinked file will be written to with 'root' user privileges.
Patches - Workarounds: Workaround: Ensure that the temporary file already exists (preventing the creation of a symlink) with the following commands:
  /usr/bin/touch /tmp/ppp.log
  echo '/usr/bin/touch /tmp/ppp.log' >> /etc/daily
  echo '/usr/bin/touch /tmp/ppp.log' >> /etc/rc.common
Attacks Scripts: Proofs of Concept have been published.
Common Name: Apple 'Internet Connect.app' Uses an Unsafe Temporary File That Lets Local Users Gain Root Privileges
Risk: Medium
Source: SecurityTracker Alert ID: 1010771, July 25, 2004; SecuriTeam, July 27, 2004

Vendor & Software Name: eSeSIX Computer GmbH Thintune OS 2.4.38
Vulnerability - Impact: Multiple vulnerabilities exist that could allow a remote attacker to gain system access and local users to escalate their privileges. A process is listening on port 25702/TCP allowing an attacker to connect using a certain password. The process provides access to certain administrative functionality including a root shell. Certain usernames and passwords used for connecting to remote servers are stored incorrectly. It is possible to open a local root shell "lshell" on the client by pressing a certain keystroke combination and password. The Phoenix browser is executed as "root".
Patches - Workarounds: Update to Thintune OS version 2.4.39.
Attacks Scripts: No exploit code required.
Common Name: Thintune Client Multiple Vulnerabilities
Risk: Medium
Source: Secunia, SA12154, July 26, 2004; SecuriTeam, July 25, 2004

Vendor & Software Name: Hewlett-Packard HP-UX B.11.23, B.11.22, B.11.11, B.11.00
Vulnerability - Impact: A vulnerability exists in HP-UX when running xfs and stmkfont. A remote user can gain 'bin' group privileges.
Patches - Workarounds: Updates to the following patches available at: http://itrc.hp.com
  PHSS_31181 - B.11.23
  PHSS_31180 - B.11.22
  PHSS_31179 - B.11.11
  PHSS_31178 - B.11.00
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: HP-UX Unspecified Flaw in Xfs and stmkfont May Grant Access to Remote Users
Risk: Medium
Source: HP Security Bulletin, HPSBUX01061, July 21, 2004

Vendor & Software Name: Jamie Cameron; Mandrakesoft. Webmin 1.140, Usermin
Vulnerability - Impact: A vulnerability exists in the account lockout mechanism due to insufficient validation of user supplied input and improper parsing of certain characters, which could let a remote attacker attempt to guess IDs and passwords continuously and prevent legitimate users from logging on.
Patches - Workarounds:
  Usermin: http://www.webmin.com/udownload.html
  Webmin: http://prdownloads.sourceforge.net/webadmin/webmin-1.150.tar.gz
  Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:074
Attacks Scripts: There is no exploit code required.
Common Name: Webmin & Usermin Account Lockout Bypass; CVE Name: CAN-2004-0582, CAN-2004-0583
Risk: Medium
Source: US-CERT Cyber Security Bulletin SB04-173, July 23, 2004; Mandrakesoft Security Advisory, MDKSA-2004:074, July 27, 2004

Vendor & Software Name: Nessus prior to version 2.0.12
Vulnerability - Impact: A vulnerability exists in the 'nessus-adduser' function which may allow a local user to gain elevated privileges. There is a race condition that can be exploited when the TMPDIR variable has not been specified.
Patches - Workarounds: Update to version 2.0.12, available at: http://nessus.org/download.html
Attacks Scripts: We are not aware of any exploit for this vulnerability.
Common Name: Nessus Race Condition in 'nessus-adduser' May Let Local Users Gain Elevated Privileges
Risk: Medium
Source: SecurityTracker Alert ID: 1010758, July 22, 2004

Vendor & Software Name: Polar HelpDesk 3.0
Vulnerability - Impact: An authentication vulnerability exists because the system does not verify if a user is logged on. It merely checks if a cookie with the appropriate "UserId" and "UserType" is set. This could allow an attacker to log on as any user with arbitrary privileges.
Patches - Workarounds: No solution is available at this time.
Attacks Scripts: A working exploit has been published.
Common Name: Polar HelpDesk Authentication Bypass
Risk: Medium
Source: Secunia, SA12120, July 22, 2004

Vendor & Software Name: SERENA Software, Inc. Serena TeamTrack 6.1.1 and prior
Vulnerability - Impact: Cross Site Scripting vulnerabilities exist due to improper input validation that an attacker could use to view sensitive information without authentication.
Patches - Workarounds: Workaround: Restrict access using a different authentication mechanism such as ".htaccess" or similar.
Attacks Scripts: A working exploit has been published.
Common Name: Serena TeamTrack Multiple Vulnerabilities
Risk: Medium
Source: Secunia, SA12122, July 22, 2004

Vendor & Software Name: Opera; Gentoo. Opera 5.x, 6.x, 7.x
Vulnerability - Impact: Due to a race condition in Opera it is possible to spoof the contents of the address bar using a specially crafted HTML page.
Patches - Workarounds: Disable support for Javascript or update as follows: Gentoo: http://www.gentoo.org/security/en/glsa/glsa-200407-15.xml
Attacks Scripts: A Proof of Concept exploit has been published.
Common Name: Opera Address Bar Spoofing Condition
Risk: High
Source: SecuriTeam, July 11, 2004; Gentoo Linux Security Advisory, GLSA 200407-15 / opera, July 20, 2004

Vendor & Software Name: PostgreSQL Global Development Group; Mandrakesoft. PostgreSQL
Vulnerability - Impact: A buffer overflow vulnerability exists in the ODBC driver of PostgreSQL. It is possible to exploit this problem and crash the surrounding application.
Patches - Workarounds: Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:072
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: Updated postgresql Packages Fix Buffer Overflow
Risk: Low
Source: Mandrakesoft Security Advisory, MDKSA-2004:072, July 27, 2004

Vendor & Software Name: Tigris.org; Fedora; Gentoo. Subversion 1.0.5 and prior
Vulnerability - Impact: A vulnerability exists in Subversion that could allow an attacker to read protected files. This is because the Apache module "mod_authz_svn" allows users to copy files from a read-protected part of the repository into a part which the user can read.
Patches - Workarounds: Update to version 1.0.6 available at: http://subversion.tigris.org/servlets/ProjectDocumentList?folderID=260
  Fedora Core 2: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
  Gentoo: http://www.gentoo.org/security/en/glsa/glsa-200407-20.xml
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: Subversion File Restriction Bypass
Risk: Low
Source: Tigris.org Advisory: mod_authz_svn-copy-advisory.txt; Gentoo and Fedora Security Advisories

Multiple Operating Systems - Windows / UNIX / Other

Vendor & Software Name: Check Point Software Technologies. Check Point VPN-1/FireWall-1 VSX NG; Check Point VPN-1/FireWall-1 NG with Application Intelligence (AI); Check Point VPN-1/Firewall-1 NG; Check Point VPN-1 SecuRemote; Check Point VPN-1 SecureClient; Check Point SSL Network Extender; Check Point Provider-1; Check Point FireWall-1 GX 2.x
Vulnerability - Impact: A vulnerability exists in various Check Point VPN-1 products, which an attacker can exploit to execute arbitrary code. The vulnerability is caused by a boundary error in the ASN.1 decoding library during setup of the initial encrypted connection. This can be exploited to cause a heap overflow by establishing a VPN connection and sending a malicious packet containing specially crafted fields.
Patches - Workarounds: Updates available at: http://www.checkpoint.com/techsupport/alerts/asn1.html
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: Check Point VPN-1 ASN.1 Decoding Heap Overflow Vulnerability
Risk: High
Source: Check Point ASN.1 Alert, July 28, 2004; US-CERT VU#435358

Vendor & Software Name: Cisco ONS 15327, 15454, and 15454 SDH prior to 4.6(2); Cisco ONS 15600
Vulnerability - Impact: Multiple vulnerabilities exist on Cisco control cards that could allow a remote user to gain access to an account on the system or cause the cards to reset. Cisco reported that if an account on the system has a blank password, then a remote user can login to the device with an arbitrary password that is longer than 10 characters. This authentication vulnerability only affects the TL1 login interface. A Denial of Service vulnerability also exists. A remote user can send malformed SNMP, UDP, TCP, ICMP, or IP packets to potentially cause the XTC, TCC/TCC+/TCC2 and TCCi/TCC2 control cards to reset.
Patches - Workarounds: A detailed patch matrix is available at: www.cisco.com/warp/public/707/cisco-sa-20040721-ons.shtml
Attacks Scripts: No exploit script required.
Common Name: Cisco ONS Control Cards Malformed Packet Vulnerabilities
Risk: High
Source: SecurityTracker, 1010748 and 1010749, July 21, 2004; Cisco Security Advisory: Document ID: 60322, Revision 1.0, July 21, 2004

Vendor & Software Name: Cisco ServletExec 3.x, 2.x; Cisco Collaboration Server (CSS) 3.x, 4.x
Vulnerability - Impact: A vulnerability exists in the ServletExec subcomponent that could allow an attacker to upload and execute arbitrary files. The vulnerability affects CCS (prior to 5.0) using a ServletExec version prior to 3.0E.
Patches - Workarounds: Update instructions available at: http://www.cisco.com/warp/public/707/cisco-sa-20040630-CCS.shtml
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: Cisco Collaboration Server ServletExec Arbitrary File Upload Vulnerability
Risk: High
Source: US-CERT VU#718896

Vendor & Software Name: Comersus Open Technologies Comersus Shopping Cart 5.098
Vulnerability - Impact: Input validation vulnerabilities exist in Comersus that could allow an attacker to conduct SQL injection and cross-site scripting attacks. Comersus fails to properly verify input passed to the "email" parameter before it is used in a SQL query. Also, input passed to the "message" parameter in "comersus_message.asp" and "comersus_backoffice_message.asp" is not properly sanitized before being returned to the user.
Patches - Workarounds: Workaround: Edit the source code to ensure that input is properly sanitized.
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: Comersus SQL Injection and Cross-Site Scripting Vulnerabilities
Risk: High
Source: Secunia, SA12183, August 3, 2004

Vendor & Software Name: GNU PostNuke 0.75-RC3 and 0.726-3 with Xanthia module
Vulnerability - Impact: Full path disclosure and cross site scripting vulnerabilities exist in PostNuke's Xanthia module due to an unvalidated input error and an error in the showcontent() function.
Patches - Workarounds: No solution is available at this time.
Attacks Scripts: A Proof of Concept exploit is available.
Common Name: PostNuke Multiple Vulnerabilities In Xanthia Module
Risk: High
Source: Securiteam, July 27, 2004

Vendor & Software Name: GNU / GPL Nucleus prior to 3.0.1
Vulnerability - Impact: An input validation vulnerability exists because the input used to include files isn't properly validated. This may allow an attacker to include arbitrary files from local and external resources if "register_globals" is set to "On" and gain system access.
Patches - Workarounds: Upgrade to Nucleus 3.0.1 available at: http://nucleuscms.org/
Attacks Scripts: A Proof of Concept exploit has been published.
Common Name: Nucleus Inclusion of Arbitrary Files
Risk: High
Source: SecurityTracker Alert, 1010746, July 21, 2004; Secunia, SA12097, July 20, 2004

Vendor & Software Name: GNU / GPL AntiBoard 0.7.2 and prior
Vulnerability - Impact: Multiple vulnerabilities exist that could allow an attacker to conduct cross-site scripting and SQL injection attacks. The vulnerabilities are caused by missing validation of various parameters in the "antiboard.php" script.
Patches - Workarounds: No updates available. Edit the source code to ensure that user input is properly sanitized.
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: AntiBoard Cross-Site Scripting and SQL Injection Vulnerabilities
Risk: High
Source: Secunia, SA12137, July 29, 2004; SecurityTracker Alert ID: 1010803, July 29, 2004

Vendor & Software Name: GNU / GPL BLOG:CMS prior to 3.1.4
Vulnerability - Impact: An input validation vulnerability in BLOG:CMS exists because the input used to include files isn't properly validated. This may allow an attacker to include arbitrary files from local and external resources if "register_globals" is set to "On" and gain system access.
Patches - Workarounds: Upgrade to BLOG:CMS 3.1.4 available at: http://forum.blogcms.com/viewtopic.php?id=324
Attacks Scripts: A Proof of Concept exploit has been published.
Common Name: BLOG:CMS Inclusion of Arbitrary Files
Risk: High
Source: SecurityTracker Alert, 1010746, July 21, 2004; Secunia, SA12097, July 20, 2004

Vendor & Software Name: GNU / GPL PunBB prior to 1.1.5
Vulnerability - Impact: An input validation vulnerability exists because the input used to include files isn't properly validated. This may allow an attacker to include arbitrary files from local and external resources if "register_globals" is set to "On" and gain system access.
Patches - Workarounds: Upgrade to PunBB 1.1.5 available at: http://www.punbb.org/
Attacks Scripts: A Proof of Concept exploit has been published.
Common Name: PunBB Inclusion of Arbitrary Files
Risk: High
Source: Secunia, SA12097, July 20, 2004

Vendor & Software Name: GNU / GPL Nucleus 3.01
Vulnerability - Impact: An input verification vulnerability exists that could allow an attacker to conduct SQL injection attacks. Nucleus fails to properly verify input passed to the "itemid" parameter before it is used in SQL queries.
Patches - Workarounds: No updates available. Edit the source code to ensure that input is properly sanitized.
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: Nucleus "itemid" SQL Injection Vulnerability
Risk: High
Source: Secunia, SA12166, July 28, 2004

Vendor & Software Name: Hewlett-Packard dced
Vulnerability - Impact: A buffer overflow vulnerability exists in HP's DCED implementation that listens by default on TCP port 135. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary commands on the targeted system with the privileges of the DCED process, which is typically run as the root user.
Patches - Workarounds: Disable dced or update as follows:
  OS: HP HP-UX 11, update available at: http://itrc.hp.com
  OS: HP Tru64, update available at: http://support.entegrity.com/private/patches/dce/ssrt4741.asp
  OS: HP OpenVMS, update available at: http://www2.itrc.hp.com/service/patch/mainPage.do
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: HP dced Remote Command Execution; CVE Name: CAN-2004-0716
Risk: High
Source: atstake.com, July 22, 2004; SecuriTeam, July 25, 2004; HP Bulletins: HPSBUX0311-299, HPSBUX0311-299: SSRT3660 DCE (Rev.01), SSRT4741 rev.0 DCE

Vendor & Software Name: Hitachi Web Page Generator 1.x, 2.x, 3.x, 4.x
Vulnerability - Impact: Multiple vulnerabilities exist in Web Page Generator, which could allow an attacker to cause a Denial of Service, disclose content of directories, or conduct cross-site scripting attacks. These are due to an unspecified error which can stop the website service by accessing the website "improperly" multiple times (Windows platforms only) and errors in the error transactions of the Web Page Generator templates.
Patches - Workarounds: Update to Web Page Generator Enterprise version 03-03-/D or 04-02-/L, and set the "DEBUG_MODE" property to "off".
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: Hitachi Web Page Generator Multiple Vulnerabilities
Risk: High
Source: Hitachi Vulnerability Notice HS04-002 and HS04-003, July 28, 2004

Vendor & Software Name: Invision Power Services Invision Power Board 2.0
Vulnerability - Impact: Cross site scripting and input validation vulnerabilities exist because the URL (QUERY_STRING) is used in "index.php" and isn't properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site.
Patches - Workarounds: No updates available. Edit the source code to ensure that input is properly sanitized.
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: Invision Power Board "index.php" Cross Site Scripting Vulnerability
Risk: High
Source: Secunia, SA12105, July 20, 2004

Vendor & Software Name: l2tpd.org; Debian; Gentoo. l2tpd 0.62, 0.69
Vulnerability - Impact: A buffer overflow vulnerability exists in the 'write_packet()' function due to a failure of the application to properly validate user supplied string lengths, which could let a remote malicious user cause a Denial of Service and potentially execute arbitrary code.
Patches - Workarounds:
  Debian: http://www.debian.org/security/2004/dsa-530
  Gentoo: http://www.gentoo.org/security/en/glsa/glsa-200407-17.xml
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: L2TPD Buffer Overflow
Risk: High
Source: Gentoo Linux Security Advisory, GLSA 200407-17 / net-dialup/l2tpd, July 22, 2004

Vendor & Software Name: Mateo & Mewis AG EasyIns Stadtportal 4 and prior
Vulnerability - Impact: A vulnerability was reported in EasyIns Stadtportal. A remote user can supply a URL with a specially crafted 'site' parameter to cause the target system to include and execute PHP code from a remote site.
Patches - Workarounds: No solution is available at this time.
Attacks Scripts: A working exploit has been published.
Common Name: EasyIns Stadtportal Include File Bug Lets Remote Users Execute Arbitrary Code
Risk: High
Source: SecurityTracker Alert ID: 1010769, July 24, 2004

Vendor & Software Name: Matt Johnston Dropbear SSH Server 0.42
Vulnerability - Impact: A vulnerability exists that could allow a remote attacker to execute arbitrary code. This vulnerability is caused by the freeing of uninitialized variables in the DSS verification code.
Patches - Workarounds: Update to version 0.43 available at: http://matt.ucc.asn.au/dropbear/
Attacks Scripts: We are not aware of any exploits for this vulnerability.
Common Name: Dropbear SSH Server DSS Verification Vulnerability
Risk: High
Source: Secunia, SA12153, July 26, 2004; Dropbear Security Update

Vendor & Software Name: mod SSL Project; Gentoo; Slackware; Mandrake. mod_ssl 2.x
Vulnerability - Impact: A vulnerability exists in mod_ssl, which may allow an attacker to compromise a vulnerable system. The vulnerability is reportedly due to a "ssl_log()" related format string error within the "mod_proxy" hook functions.
Update to version 2.8.19-1.3.31 available at: http://www.modssl.org/source/mod_ssl-2.8.19-1.3.31.tar.gz OpenPKG: ftp://ftp.openpkg.org/release/1.3/UPD/apache-1.3.28-1.3.6.src.rpm Gentoo: http://www.gentoo.org/security/en/glsa/glsa-200407-18.xml Slackware: http://www.slackware.com/security/viewer.php?l=slackware- security&y=2004&m=slackware-security.419544 Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:075 We are not aware of any exploits for this vulnerability. mod_proxy" Hook Functions Format String Vulnerability in mod_ssl High modSSL Notice, July 16, 2004 Secunia, SA12077, July 19, 2004 Gentoo, Mandrakesoft and Slackware Security Advisories Mozilla Organization Mozilla 1.6 and prior Netscape 7.0, 7.1, and prior A input validation vulnerability exists in the SOAPParameter object constructor in Netscape and Mozilla which allows execution of arbitrary code. The SOAPParameter object's constructor contains an integer overflow which allows controllable heap corruption. A web page can be constructed to leverage this into remote execution of arbitrary code. Upgrade to Mozilla 1.7.1 available at: http://www.mozilla.org/products/mozilla1.x/ We are not aware of any exploits for this vulnerability. Netscape/Mozilla SOAPParameter Constructor Integer Overflow Vulnerability CVE Name: CAN-2004-0722 High iDEFENSE Security Advisory, August 2, 2004 Bugzilla Bug 236618 MyServer.org MyServer 0.6.2 Multiple vulnerabilities exist in the math_sum.mscgi sample script. A remote user may be able to execute arbitrary code or conduct cross-site scripting attacks. This is because the 'a' and 'b' parameters are not filtered to remove HTML code from user-supplied input before the input is displayed. 
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the MyServer software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. Workaround: Remove the math_sum.mscgi sample script. A working exploit is available. MyServer Bugs in math_sum.mscgi May Let Remote Users Execute Arbitrary Code and Conduct Cross-Site Scripting Attacks High SecurityTracker Alert ID: 1010808, July 29, 2004 powerportal.sourceforge.net PowerPortal 1.3 A cross-site scripting vulnerability exists in the private_messages module that could allow a remote user to execute arbitrary code. T the private_messages module does not properly filter HTML code from user-supplied input in the message title field. Cookies and passwords are also vulnerable as they are stored in clear text. No solution is available at this time. A Proof of Concept exploit has been published. PowerPortal Input Validation Hole in Private Message Title Permits Cross-Site Scripting Attacks High SecurityTracker Alert ID: 1010802, July 29, 2004 Sourceforge.net Jaws 0.4 An input validation vulnerability exists which could allow an attacker to can gain administrative access to the application. This is because 'config.php' disables magic quotes and 'controlpanel.php' contains an input validation error, allowing a remote user to inject SQL commands via the "crypted_password" variable. Replace the 'gadgets/controlpanel.php' file with this file: http://jaws.com.mx/files/controlpanel.php.txt A working exploit has been published. Jaws 'controlpanel.php' Input Validation Error High SecurityTracker Alert ID: 1010815, July 30, 2004 U.S. Robotics Wireless Router Model 8054 A Denial of Service vulnerability exists in U.S. Robotics wireless router (model 8054). 
A remote user can cause the router to crash and may be able to execute arbitrary code on the router by connecting to the router's web administration port and issuing a specially crafted HTTP GET request to trigger an overflow and cause the device to crash. No solution is available at this time. A Proof of Concept exploit has been published. U.S. Robotics Wireless Router Can Be Crashed By Remote Users High SecurityTracker Alert ID: 1010839, August 2, 2004 4D Portal 1.5 A configuration vulnerability exists that could allow a remote attacker to gain access to the system if the default password has not been changed. Solution: Change the "super-user" default username and password. No exploit script required. 4D Portal Default Password May Let Remote Users Access the System Medium SecurityTracker Alert, 1010747, July 21, 2004 artmedic webdesign artmedic kleinanzeigen An input verification vulnerability exists in artmedic kleinanzeigen because the "id" parameter isn't properly verified in "index.php" before it is used to include a file. This could allow an attacker to supply arbitrary paths to local and external resources. Upgrade to the latest release available at: http://www.artmedic.de/index.php A working exploit has been published. artmedic kleinanzeigen Inclusion of Arbitrary Files Medium Secunia, SA12099, July 21, 2004 Dom Lachowicz Fedora AbiWord 2.0.7 and prior A vulnerability exists in the "wv" library of AbiWord, which could be exploited by an attacker to compromise a user's system. Update to version 2.0.8 or later available at: http://www.abisource.com/download/ Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/ http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ We are not aware of any exploits for this vulnerability. 
AbiWord "wv" Library Buffer Overflow Vulnerability Medium AbiWord 2.0.7-2.0.9 Changes Secunia, SA12136 and SA12146, July 26, 2004 EasyWeb FileManager 1.0 RC-1 for PostNuke An input validation vulnerability exists that could allow an attacker to retrieve arbitrary files. An input validation error in the "ew_filemanager" module can be exploited to access directories outside the web root via the "../" directory traversal character sequence using the "pathext" parameter. No solution is available at this time. A Proof of Concept exploit has been published. EasyWeb FileManager "pathext" Directory Traversal Medium cirt.net, CIRT-200404: EasyWeb (EW) FileManager Directory Traversal, July 23, 2004 Fusion News 3.6.1 and prior A vulnerability exists that could allow a remote attacker to create a specially crafted URL that, when loaded by a target administrator, will cause a user account to be added to Fusion News. The malicious URL can be placed in a BBCode image tag within a comment and then executed when the target administrator views the comment, for example. No solution is available at this time. A Proof of Concept exploit has been published. Fusion News Lets Remote Users Add User Accounts on the Application Medium SecurityTracker Alert ID: 1010829, July 31, 2004 GNU PostNuke 0.73x - 0.75 GOLD An installation vulnerability exists that could allow a remote user to determine the administrator's username and password on affected sites. PostNuke does not remove the 'install.php' file after installation. A remote user can request the file and accept the terms to view the password information. Workaround: Rename or delete the 'install.php' file. A Proof of Concept exploit has been published. 
PostNuke 'install.php' Discloses Administrator Password to Remote Users Medium SecurityTracker Alert ID: 1010755, July 22, 2004 Hewlett-Packard HP-UX B.11.00, B.11.11, B.11.22, and B.11.23 with CIFS Server A.01.11.01 installed A buffer overflow vulnerability exists which could be exploited by an attacker to gain root access. Set "mangling method = hash2" or "mangled names = no" in the "smb.conf" configuration file. We are not aware of any exploits for this vulnerability. HP-UX CIFS Server Buffer Overflow Vulnerability CVE Name: CAN-2004-0686 Medium Secunia, SA12168, July 28, 2004 HP SECURITY BULLETIN, HPSBUX01062, July 26, 2004 IBM IBM Directory Server 4.1 and prior An input verification vulnerability exists in the IBM Directory Server in 'ldacgi.exe'. A remote user can view files on the target system with the privileges of the web service. The script does not properly validate user-supplied input in the 'Template' parameter. A remote user can supply a path containing directory traversal characters ('../') to view arbitrary files on the target system. Update to 3.2.2 Fix Pack 4 available at: http://www-1.ibm.com/support/docview.wss?rs=0&uid=swg24006917 or 4.1 Fix Pack 3 available at: http://www-1.ibm.com/support/docview.wss?rs=0&q1=directory+server&uid= swg24006667&loc=en_US&cs=utf-8&cc=us</=en A Proof of Concept exploit has been published. IBM Directory Server 'ldacgi' Discloses Files to Remote Users Medium SecurityTracker Alert ID: 1010834, August 2, 2004 IBM APAR IR52692 and IR 53631 Mozilla Organization Mozilla Firefox 0.9.2 and Mozilla 1.7.1 on Windows Mozilla Firefox 0.9.2 on Linux A spoofing vulnerability exists that could allow malicious sites to abuse SSL certificates of other sites. An attacker could make the browser load a valid certificate from a trusted website by using a specially crafted "onunload" event. 
The problem is that Mozilla loads the certificate from a trusted website and shows the "secure padlock" while actually displaying the content of the malicious website. The URL shown in the address bar correctly reads that of the malicious website. An additional cause has been noted due to Mozilla not restricting websites from including arbitrary, remote XUL (XML User Interface Language) files. Workaround: Do not follow links from untrusted websites and verify the correct URL in the address bar with the one in the SSL certificate. A Proof of Concept exploit has been published. Mozilla / Mozilla Firefox "onunload" SSL Certificate Spoofing Medium Cipher.org, July 25, 2004 Secunia, SA12160, July 26, 2004; SA12180, July 30, 2004 Open Source Development Network OpenDocMan 1.x An authentication vulnerability exists which can be exploited by an attacker to bypass certain security restrictions and make unauthorized changes. The vulnerability is caused due to a missing authentication check in "commitchange.php" when committing changes. Update to version 1.2-Final available at: http://prdownloads.sourceforge.net/opendocman/opendocman-1.2.tar.gz?do wnload No exploit code required. OpenDocMan "commitchange.php" Unauthorized Commitment of Changes Medium Secunia, SA12159, July 26, 2004 OpenDocMan 1.2 Final Release Notes QualiTeam Litecommerce 2.0.0 A configuration vulnerability exists in Litecommerce. A remote user can invoke the installation script to gain administrative access on some sites. By default, the software leaves the 'install.php' installation file on the server after installation. A remote user can load the file to change the administrative password. On some systems, this requires authentication but on other systems, authentication is not required. Workaround: Remove the 'install.php' script manually after installation. A working exploit is available. 
Litecommerce Installation Script May Let Remote Users Gain Administrative Access Medium SecurityTracker Alert ID: 1010778, July 26, 2004 Sun Microsystems Sun Java System Portal Server 6.2 An authentication vulnerability exists which may allow an attacker to gain administrative credentials. The problem arises if the user changes the display options to a non-default view. This only affects the Calendar server. As a workaround, Sun indicates that you can prohibit end users from editing the calendar channels "calendar" or "view" display profile properties when Admin Proxy Authentication is enabled. SPARC updates: http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=116856&rev=10 X86 Platform updates: http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=117757&rev=09 We are not aware of any exploits for this vulnerability. Sun Java System Portal Server Proxy Authentication Failure Medium Sun Alert ID: 57586, July 21, 2004 US-CERT Vulnerability Note VU#881254 , July 23, 2004 Sun Microsystems SDK and JRE 1.4.2_04 or earlier; 1.4.1_07 or earlier; 1.4.0_04 or earlier A vulnerability exists in Sun Java JRE/SDK that could allow an attacker to gain escalated privileges on a vulnerable system. The vulnerability is caused due to an error within the XSLT processor. This allows applets to read data from other applets being processed or gain escalated privileges. Update to version 1.4.2_05 or later available at: http://java.sun.com/j2se/ We are not aware of any exploits for this vulnerability. Sun Java JRE/SDK XSLT Processor Vulnerability Medium Sun Alert ID: 57613, August 2, 2004 Conceptronic CADSLR1 Router with firmware version 3.04n A Denial of Service vulnerability exists in the router because the device fails to handle HTTP requests with a long username (65535 characters). This causes the device to reboot. Solution: Filter access to the device or disable the HTTP service. We are not aware of any exploits for this vulnerability. 
Conceptronic CADSLR1 Router Denial of Service Vulnerability Low Secunia, SA12110, July 21, 2004 phpMyFAQ Team phpMyFAQ 1.4.0 A user validation vulnerability exists in phpMyFaq, which could allow an attacker to upload or delete arbitrary images. The security issue is caused due to a missing user authentication check in the ImageManager plugin, which allows anyone to access the plugin's functionality. Update to version 1.4.0a available at: http://www.phpmyfaq.de/download.php We are not aware of any exploits for this vulnerability. phpMyFaq ImageManager Plugin Missing User Authentication Low phpMyFAQ Security Advisory, July 27, 2004 Sun Microsystems Solaris 9 A Denial of Service vulnerability exists in the Sun Solaris Volume Manager (SVM) that could allow a local user to cause a denial-of-service condition. There is a vulnerability in the way the Sun Volume Manager handles certain types of probe requests. By supplying an incorrectly formed probe request, a local user could cause a denial-of-service condition on a Solaris 9 system with this service configured. Update available at: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57598 We are not aware of any exploits for this vulnerability. Sun Solaris Volume Manager (SVM) fails to properly handle malformed probe requests Low US-CERT Vulnerability Note VU#390742 Sun Alert ID: 57598, July 16, 2004 Sun Sun Java System Web Server (Sun ONE/iPlanet) 6.x A Cross-Site Scripting vulnerability exists in the the sample application "webapps-simple". Sample scripts should not be installed on production systems. Update to Sun Java System Web Server 6.1 Service Pack 2 and later. We are not aware of any exploits for this vulnerability. Sun Java System Web Server Cross Site Scripting Vulnerability Low Sun Alert ID: 57605, July 21, 2004 WWW File Share Pro 2.60 A Denial of Service vulnerability exists due to an unspecified error during the handling of HTTP GET requests. 
This can be exploited to crash the process by sending an overly long request. Solution: Filter requests using a firewall or proxy server. A working exploit has been published. WWW File Share Pro HTTP Request Denial of Service Vulnerability Low Secunia, SA12111, July 21, 2004 [back to top] Recent Exploit Scripts/Techniques The table below contains a sample of exploit scripts and "how to" guides identified during this period. Note: At times, scripts/techniques may contain names or content that may be considered offensive. Date of Script (Reverse Chronological Order) Script name Script Description July 31, 2004 fusionphp.net A specially crafted URL that, when loaded by a target administrator, will cause a user account to be added. The malicious URL can be placed in a BBCode image tag within a comment and then executed when the target administrator views the comment. July 30, 2004 controlpanel.php An SQL injection vulnerability allowing a remote user administrative access. July 29, 2004 antiboard072txt SQL Injection and cross site scripting vulnerabilities exist in AntiBoard versions 0.7.2 and below due to a lack of input validation of various variables. July 29, 2004 citadel-advisory-04.txt Citadel/UX versions 6.23 and below are vulnerable to a buffer overflow that occurs when more than 97 bytes are sent with the USER directive to port 504. July 29, 2004 IRM-009.txt IRM Security Advisory 009 - RiSearch version 1.0.01 and RiSearch Pro 3.2.06 are susceptible to open FTP/HTTP proxying, directory listings, and file disclosure vulnerabilities. July 28,2004 bitlanceOpera.txt A vulnerability in the Opera 7.x series allows phishing attacks due to not updating the address bar if a web page is opened using the window.open function and then replaced using the location.replace function. July 27, 2004 taskShed.C Microsoft Windows 2K/XP Task Scheduler local exploit that will spawn notepad.exe. 
July 27, 2004 nucleusCMSSQL.txt Nucleus CMS version 3.01 addcoment/itemid SQL Injection Proof of Concept PHP exploit that dumps the username and md5 hash of the password for the administrator user. July 26, 2004 eSeSix.txt eSeSIX Thintune with a firmware equal to or below 2.4.38 is susceptible to multiple vulnerabilities. These include having a backdoored service on a high port with an embedded password giving a remote root shell, various other passwords being stored locally in clear text, and a local root shell vulnerability. July 26, 2004 ew_file_manager.txt The EasyWeb FileManager Module for PostNuke is vulnerable to a directory traversal problem which allows retrieval of arbitrary files from the remote system. Versions affected: EasyWeb FileManager 1.0 RC-1. July 26, 2004 Mozilla_Firefox_25-07-2004.txt Mozilla FireFox versions 0.9.1 and 0.9.2 has a flaw where it is possible to make a browser load a valid certificate from a trusted website by using a specially crafted onunload event July 25, 2004 applePanther.txt Apple OSX Panther 10.3.4 with Internet Connect version 1.3 by default appends to ppp.log in /tmp if the file already exists. If a symbolic link is made to any file on the system, it automatically writes to it as root allowing for an easy local compromise. Detailed exploitation given. July 24, 2004 wgetusr.c Exploit that makes use of the mod_userdir vulnerability in various Apache 1.3 and 2.x servers. July 24, 2004 sambaPoC.txt Proof of concept exploit code for the Samba 3.x swat preauthentication buffer overflow vulnerability. July 24, 2004 httpdDoS.pl Denial of service test exploit for the flaw in Apache httpd 2.0.49. July 23, 2004 OpteronMicrocode.txt This document details the procedure for performing microcode updates on the AMD K8 processors. It also gives background information on the K8 microcode design and provides information on altering the microcode and loading the altered update for those who are interested in microcode hacking. 
Source code is included for a simple Linux microcode update driver for those who want to update their K8's microcode without waiting for the motherboard vendor to add it to the BIOS. The latest microcode update blocks are included in the driver. July 23, 2004 FlashFTPtraverse.txt Flash FTP Server version 1.0 (and possibly 2.1) for Windows is susceptible to a directory traversal attack. July 20, 2004 unrealdecloak.tar.gz Unreal Decloak Toolkit version 0.1 illustrates the weak hashing system vulnerability in Unreal ircd 3.2 and previous versions. [back to top] Trends Six months since the W32/MyDoom mass-mailing virus first appeared on the Internet, US-CERT continues to see new variants appearing and many variants (new and old) continuing to spread. Many variants of W32/MyDoom are known to open a backdoor and use its own SMTP engine to spread through email. US-CERT strongly encourages users to install and maintain anti-virus software and exercise caution when handling attachments. Anti-virus software may not be able to scan password protected archive files so users must use discretion when opening archive files and should scan files once extracted from an archive. See US-CERT Cyber Security Alert SA04-208A. Microsoft has reported two vulnerabilities in the way Internet Explorer processes certain types of images. Attackers may be able to gain control of your machine if you view a malicious image, visit a web page, or open an email message that contains these images. Microsoft has also published an update to address the cross-domain vulnerability discussed in SA04-163A. This vulnerability may allow an attacker to alter a web site to point to a different location. If the attacker can convince you to visit the site, they may be able to gain control of your machine. See US-CERT Cyber Security Alert SA04-212A. 
_________________________________________________________________

Viruses/Trojans

New Viruses / Trojans

Viruses or Trojans Considered to be a High Level of Threat

* MyDoom.M / MyDoom.N: New variants of the MyDoom worm surfaced and produced a tremendous amount of e-mail traffic as well as drastically slowing access to major search engines. After a PC is infected, the virus searches for e-mail addresses on the hard drive, and then it looks for more by running queries on search engines.

The following list provides, in alphabetical order, new viruses, variations of previously encountered viruses, and Trojans that have been discovered during the period covered by this bulletin. This information has been compiled from the following anti-virus vendors and security-related web sites: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central Command, F-Secure, Kaspersky Labs, MessageLabs, and The WildList Organization International. Users should keep anti-virus software up to date and should contact their anti-virus vendors to obtain specific information on the Trojans and Trojan variants that anti-virus software detects. NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.
Each entry gives the name, the type in parentheses, and any aliases reported by the vendors listed above.

* Backdoor.Agent.B (Trojan: Backdoor). Aliases: BackDoor-CFB, TROJ_AGENT.AC, Troj/Agent-AC, Agent.E, Backdoor.Agent.ac
* Backdoor.Berbew.I (Trojan: Backdoor). Aliases: Berbew.I, TrojanSpy.Win32.Qukart.gen, W32/Berbew.G
* Backdoor.Moonlit (Trojan: Backdoor)
* Backdoor.Xordoor (Trojan: Backdoor)
* Backdoor.Zincite.A (Trojan: Backdoor)
* BackDoor-CHI (Trojan: Backdoor)
* Downloader-MY (Trojan: Downloader)
* Downloader-NE.dr (Trojan: Downloader)
* Downloader-NK (Trojan: Downloader)
* HTML.Phishbank.AI (E-mail Scam). Aliases: HTML/Phishbank.AI.Worm
* Kol.D (Trojan: Keylogging). Aliases: BackDoor-CGP, Backdoor.Delf.nm, Keylogger.Trojan, Win32.Kol.D, Win32/Kol.D.1.Trojan
* Lovgate.AT (Win32 Worm). Aliases: W32/Lovgate.AT.worm
* Mabutu.B (Win32 Worm). Aliases: W32/Mabutu.B.worm, W32/Mabutu.b@MM
* MultiDropper-LA (Trojan: Dropper). Aliases: Neblso, Neblso.A, W32/MultiDropper-LA
* Mydoom.M (Win32 Worm). Aliases: I-Worm.Mydoom.M, I-Worm.Mydoom.R, MyDoom.M, Mydoom.M@MM, Mydoom.O, W32.Mydoom.M@mm, W32/Mydoom-O, W32/Mydoom.L, W32/Mydoom.M.worm, W32/Mydoom.N.worm, W32/Mydoom.o@MM, Win32.Mydoom.O, Win32/MyDoom.O.Worm, WORM_MYDOOM.M, ZIP.Mydoom.O
* Mydoom.N (Win32 Worm). Aliases: I-Worm.Mydoom.n, W32.Mydoom.N@mm, W32/Mydoom.p@MM, WORM_MYDOOM.N
* Mydoom.P (Win32 Worm). Aliases: Win32.Mydoom.P, Win32/Mydoom.P.Worm
* OF97/Toraja-I (MS Word Virus). Aliases: O97M.Toraja.Gen, X97M/Toraja, O97M_TORAJA.I
* Protoride.I (Win32 Worm). Aliases: W32.Protoride.Worm, W32/Protoride.J, Win32.Protoride.I, Win32/Protoride.G, Win32/Protoride.I.Worm, Worm.Win32.Protoride.j
* PWSteal.Ldpinch.B (Trojan). Aliases: Backdoor-CEX, Ldpinch.W, Multidropper-KN
* Rbot.H (Win32 Worm). Aliases: Backdoor.SdBot.jg, Backdoor/SDBot, W32.Randex.gen, W32/Sdbot.worm.gen.i, Win32.Rbot.H
* Secdrop.A (Trojan). Aliases: Trojan.Win32.Small.q, Win32.Secdrop.A, Win32/LowSec.Trojan
* Troj/CmjSpy-Z (Trojan: Keylogging)
* Troj/Delf-DU (Trojan). Aliases: New Malware.b
* Troj/Dluca-CQ (Trojan: Adware). Aliases: TrojanDownloader.Win32.Dyfuca.cq
* Troj/PatchLs-A (Trojan). Aliases: Trojan.Win32.PatchLs.a, Win32/PatchLs.A
* Troj/Psyme-AI (Trojan). Aliases: TrojanDownloader.VBS.Iwill.v, JS/Exploit-InjScript, JS/SillyDownloader.C, Exploit.HTML.InjScript
* Troj/Small-AO (Trojan: Backdoor)
* Trojan.Download.Inor.C (Trojan: Downloader)
* Trojan.Exruntel (Trojan)
* W32.Beagle.AH@mm (Win32 Worm)
* W32.Bugbros.C@mm (Win32 Worm). Aliases: Bloodhound.W32.VBWORM, I-Worm.generic, W32/Generic.a@MM
* W32.Gaobot.BAJ (Win32 Worm)
* W32.Korgo.AD (Win32 Worm). Aliases: W32/Korgo.worm.gen
* W32.Mits.A@mm (Trojan). Aliases: Mits.A, Trojan.Win32.Smith
* W32.Rotor (Win32 Worm)
* W32/Agobot-LL (Win32 Worm). Aliases: Gaobot, Nortonbot, Phatbot, Polybot, Backdoor.Agobot.gen
* W32/Agobot-LM (Win32 Worm)
* W32/Atak-C (Win32 Worm). Aliases: Atak-C, I-Worm.Agist.a
* W32/Bagle.aj!proxy (Win32 Proxy Virus). Aliases: Trojan.Mitglieder.M
* W32/Bagle.ak!proxy (Win32 Proxy Virus)
* W32/Mydoom.o@MM!zip (Win32 Worm)
* W32/Rbot-EK (Win32 Worm). Aliases: Backdoor.Rbot.gen, W32/Sdbot.worm.gen.h
* W32/Rbot-EP (Win32 Worm). Aliases: Backdoor.Rbot.gen, W32/Sdbot.worm.gen
* W32/Rbot-EQ (Win32 Worm)
* W32/Rbot-ET (Win32 Worm). Aliases: Backdoor.Rbot.gen
* W32/Rbot-EW (Win32 Worm). Aliases: Backdoor.Rbot.gen
* W32/Rbot-FC (Win32 Worm). Aliases: Backdoor.Rbot.gen
* W32/Scaner-A (Win32 Worm). Aliases: Exploit-DcomRpc.gen, Win32.Agent.Z, Win32.Dcom.db
* W32/Sdbot-KM (Trojan: Backdoor)
* W32/Sdbot-KU (Win32 Worm). Aliases: W32/Sdbot.worm.gen, Backdoor.SdBot.np, BKDR_SDBOT.GEN
* W32/Spybot-CZ (Win32 Worm). Aliases: W32.Spybot.worm.gen.a, Backdoor.Spyboter.gen
* W32/Stewon-A (Win32 Worm). Aliases: Worm.P2P.Stewon
* W32/Tompai-A (Win32 Worm)
* W97M.Diperis.A (MS Word Virus). Aliases: W97M/Diperis.A, Word97Macro/Diperis.A
* W97M.Kuna (MS Word Virus)
* W97M.Seliuq.D (MS Word Virus). Aliases: Macro.Word97.Seliuq.c, W97M/Assilem.g.gen, W97M_SELIUQ.C, WM97/Seliuq-A
* Win32.Dluca.H (Win32 Worm). Aliases: Downloader-DC, TrojanDownloader.Win32.Dluca.y, Win32/Dluca.H.Trojan
* Win32.Glieder. Aliases: Troj/Dload-AO, Trojan.Mitglieder.M, TrojanClicker.Win32.Small.ak, TrojanClicker.Win32.Small.al, W32/Bagle.am!proxy, W32/Bagle.dll.gen, Win32.Glieder, Win32.Glieder.C, Win32/Glieder.DLL.Trojan
* Win32.Rbot.H (Win32 Worm). Aliases: Backdoor.SdBot.jg, Backdoor/SDBot, W32.Randex.gen, W32/Sdbot.worm.gen.i
* WinCE/Duts.1520.dr (WinCE Virus). Aliases: WinCE/Duts.1536.dr
* WORM_KORGO.AC (Win32 Worm). Aliases: Korgo.AC
* Zindos.A (Win32 Worm). Aliases: W32.Zindos.A, W32/Zindos-A, W32/Zindos.A, W32/Zindos.A.worm, W32/Zindos.worm, Win32.Zindos.A, Win32/Zindos.A.Trojan, Win32/Zindos.A.worm, Worm.Win32.Zindos.A, WORM_ZINDOS.A, Zindos