SecurityFocus Newsletter #229
------------------------------
SecurityFocus.com Introduces a new search engine for 2004.
In our continued quest to better serve our audience, we at
SecurityFocus.com look forward to introducing our new search engine
for 2004. This new and improved search engine will offer a full-text
search of the entire site, as well as full-text searches of the mailing
list archives and vulnerabilities. An advanced search interface will also
be included.
------------------------------------------------------------------------
I. FRONT AND CENTER
1. Checklist for Deploying an IDS
2. A Very Small Step for Music-Kind
II. BUGTRAQ SUMMARY
1. OpenBSD Tcpdump Remote Denial of Service Vulnerability
2. Apple MacOS X AppleFileServer Unspecified Vulnerability
3. Apple MacOS X fs_usage Unspecified Local Privilege Escalatio...
4. Apple MacOS X ASN.1 Decoding Unspecified Remote Denial Of S...
5. BES-CMS Multiple Module File Include Vulnerability
6. Xoops MyLinks Myheader.php Cross-Site Scripting Vulnerabilit...
7. BN Soft BoastMachine Comment Form HTML Injection Vulnerabili...
8. ProjectForum find Request Denial of Service Vulnerability
9. ProjectForum HTML Injection Vulnerability
10. DCAM WebCam Server Personal Web Server Directory Traversal V...
11. RhinoSoft Serv-U FTP Server Insecure INI File Permissions Vu...
12. osCommerce products_id URI Parameter SQL Injection Vulnerabi...
13. PServ Web Server Directory Traversal Vulnerability
14. osCommerce manufacturers_id Parameter Cross-Site Scripting V...
15. Microsoft Internet Explorer File Download Warning Bypass Vul...
16. Opera Relative Path Directory Traversal File Corruption Vuln...
17. Sun Solaris tcsh ls-F Builtin Unspecified Privilege Escalati...
18. Opera Browser URI Display Obfuscation Weakness
19. iSoft-Solutions QuikStore Shopping Cart store Parameter Path...
20. iSoft-Solutions QuikStore Shopping Cart template Parameter D...
21. Red Hat Linux 2.4 Kernel Multiple Potential Vulnerabilities
22. Xlight FTP Server PASS Command Remote Buffer Overflow Vulner...
23. My Little Forum Email.PHP Cross-Site Scripting Vulnerability
24. Webfroot Shoutbox Viewshoutbox.PHP Cross-Site Scripting Vuln...
25. phpBB Privmsg.PHP Cross-Site Scripting Vulnerability
26. ViewCVS Viewcvs.py Cross-Site Scripting Vulnerability
27. KnowledgeBuilder Remote File Include Vulnerability
28. Psychoblogger Multiple Cross-Site Scripting Vulnerabilities
29. Psychoblogger Multiple SQL Injection Vulnerabilities
30. Microsoft Internet Explorer For Mac HTTP Referer Information...
31. Squirrelmail G/PGP Encryption Plugin Remote Command Executio...
32. GNU Indent Local Heap Overflow Vulnerability
33. Surfboard httpd Remote Buffer Overflow Vulnerability
34. OpenBB Index.PHP Remote SQL Injection Vulnerability
35. Web Merchant Services Storefront Shopping Cart login.asp SQL...
36. Apache mod_php Module File Descriptor Leakage Vulnerability
III. SECURITYFOCUS NEWS ARTICLES
1. Online crime up in 2003
2. Chats led to Acxiom hacker bust
3. Secret Service airbrushes aerial photos
4. Electronic voting firm acknowledges hacker break-in
5. CIA gadget-museum: robot fish, pigeon camera, jungle microph...
6. Victory for CPRM: SD cards overtake Compact Flash
IV. SECURITYFOCUS TOP 6 TOOLS
1. Fwall 0.1.4-2
2. ClairVoyanT SysAdmin (CVTSA) v0.2
3. OpenProtect v5.0.1.2
4. Fingerprint Verification System v0.1.0
5. Socks Server 5 v2.4mr2
6. GNU Transport Layer Security Library v1.0.3
V. SECURITYJOBS LIST SUMMARY
NO NEW POSTS FOR THE WEEK 2003-12-23 to 2003-12-30.
VI. INCIDENTS LIST SUMMARY
1. Large increase in port 32772 activity (Thread)
2. Unusual port scan? (Thread)
3. flood of SYN packets to port 110 (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
1. Bugtraq Security Systems (ADV 0001) (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
1. Hardening the Scheduler Service (Thread)
2. Article Announcement: Low-Level Enumeration With TCP... (Thread)
3. SecurityFocus Microsoft Newsletter #168 (Thread)
4. TCP/IP Stack Hardening (Thread)
IX. SUN FOCUS LIST SUMMARY
NO NEW POSTS FOR THE WEEK 2003-12-23 to 2003-12-30.
X. LINUX FOCUS LIST SUMMARY
NO NEW POSTS FOR THE WEEK 2003-12-23 to 2003-12-30.
XI. UNSUBSCRIBE INSTRUCTIONS
XII. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Checklist for Deploying an IDS
By Andy Cuff
The scope of this article considers the worst case scenario, that of
deploying a Network IDS on a remote network (target). The introduction of
an IDS into an organization's network can be sensitive and often has
political implications for the network staff, and thus a checklist
written from the perspective of an outside consultant (even if the IDS is
deployed internally) that appeases all parties can be useful to ensure a
successful implementation.
http://www.securityfocus.com/infocus/1754
2. A Very Small Step for Music-Kind
By Mark Rasch
The District of Columbia Court of Appeals' decision in the Verizon v. RIAA
case will likely be a small and pyrrhic victory for downloaders.
http://www.securityfocus.com/columnists/205
II. BUGTRAQ SUMMARY
-------------------
1. OpenBSD Tcpdump Remote Denial of Service Vulnerability
BugTraq ID: 9263
Remote: Yes
Date Published: Dec 20 2003
Relevant URL: http://www.securityfocus.com/bid/9263
Summary:
tcpdump is a freely available, open source network monitoring tool.
It has been reported that tcpdump is vulnerable to a denial of service
when some packet types are received. By sending a maliciously formatted
packet containing 0xff,0x02 bytes to UDP port 1701 of a system running a
vulnerable version of tcpdump, an attacker can cause the L2TP protocol
parser in tcpdump to enter an infinite loop consuming all memory
resources.
Further reports indicate that when a malicious L2TP control packet with
optional bits set, and invalid payload data is handled by tcpdump the
l2tp_avp_print() function is called. It has been reported that this
function falls into a tight infinite recursive loop, where the
l2tp_avp_print() call passes bad data to itself.
Although unconfirmed, this issue may allow an attacker to cause a buffer
overflow in the application leading to arbitrary code execution.
This issue is reported to affect tcpdump 3.7 and prior running on OpenBSD
3.3 and -current, however other versions on different platforms could be
affected as well.
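The failure described above is a parser that never advances: an AVP whose length field is too small to cover its own header leaves the decoder at the same offset, and a recursive implementation calls itself with the same bad data forever. The following is an added example, not tcpdump's code, of a bounded L2TP AVP walker written from the RFC 2661 AVP header layout (2 bytes flags and 10-bit length, 2 bytes vendor ID, 2 bytes attribute type). The cap on the number of AVPs and the sample messages are constructed for illustration.

```python
import struct

# Added example (not tcpdump's code): a bounded walker over the AVPs carried in
# an L2TP control message. Each AVP starts with a 6-byte header (RFC 2661, 4.1):
# 2 bytes of flags plus a 10-bit length (the length counts the header itself),
# 2 bytes vendor ID, 2 bytes attribute type, followed by the value bytes.

AVP_HEADER_LEN = 6
MAX_AVPS = 64          # assumed cap on AVPs per message; tune for your decoder


class MalformedAVP(ValueError):
    """Raised instead of looping or recursing when an AVP cannot advance the parse."""


def build_avp(mandatory: bool, hidden: bool, vendor: int, attr: int, value: bytes) -> bytes:
    """Encode one AVP; used here only to construct sample input."""
    length = AVP_HEADER_LEN + len(value)
    if length > 0x3FF:
        raise ValueError("AVP too long for the 10-bit length field")
    flags_len = (0x8000 if mandatory else 0) | (0x4000 if hidden else 0) | length
    return struct.pack("!HHH", flags_len, vendor, attr) + value


def parse_avps(payload: bytes):
    """Return a list of (mandatory, hidden, vendor, attr, value) tuples.

    Every iteration either consumes at least AVP_HEADER_LEN bytes or raises,
    so the loop terminates on any input, including a zero-length AVP.
    """
    avps = []
    offset = 0
    while offset < len(payload):
        if len(avps) >= MAX_AVPS:
            raise MalformedAVP("more than %d AVPs in one message" % MAX_AVPS)
        if len(payload) - offset < AVP_HEADER_LEN:
            raise MalformedAVP("truncated AVP header at offset %d" % offset)
        flags_len, vendor, attr = struct.unpack_from("!HHH", payload, offset)
        length = flags_len & 0x03FF
        # The check a looping parser lacks: a length below the header size
        # would never move 'offset' forward.
        if length < AVP_HEADER_LEN:
            raise MalformedAVP("AVP length %d shorter than header at offset %d" % (length, offset))
        if offset + length > len(payload):
            raise MalformedAVP("AVP length %d overruns payload at offset %d" % (length, offset))
        value = payload[offset + AVP_HEADER_LEN:offset + length]
        avps.append((bool(flags_len & 0x8000), bool(flags_len & 0x4000), vendor, attr, value))
        offset += length
    return avps


# Constructed samples: a well-formed pair of AVPs (Message Type = 1,
# Protocol Version = 1.0) and a message whose first AVP claims length 0.
SAMPLE_GOOD = build_avp(True, False, 0, 0, b"\x00\x01") + build_avp(True, False, 0, 2, b"\x01\x00")
SAMPLE_ZERO_LENGTH = b"\x80\x00\x00\x00\x00\x00" + b"\x00\x01"


def is_well_formed(payload: bytes) -> bool:
    """True when every AVP in the payload parses within bounds."""
    try:
        parse_avps(payload)
        return True
    except MalformedAVP:
        return False


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("zero-length", SAMPLE_ZERO_LENGTH)):
        print(name, "well-formed" if is_well_formed(sample) else "rejected")
```

The walker is iterative rather than recursive, so a hostile packet cannot drive stack depth, and the two length checks guarantee forward progress on every loop iteration, which is the property the affected parser lacked.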
2. Apple MacOS X AppleFileServer Unspecified Vulnerability
BugTraq ID: 9264
Remote: Unknown
Date Published: Dec 20 2003
Relevant URL: http://www.securityfocus.com/bid/9264
Summary:
AppleFileServer is the Apple File Protocol server.
An unspecified security vulnerability has been reported to be present in
Apple File Protocol server by the vendor. It has been reported that the
software fails to properly handle malformed requests. Due to the fact
that no details were supplied by the vendor, the implications of
exploitation are not currently known. Although unconfirmed it may be
assumed that this issue could lead to a denial of service condition or
exposure of sensitive information.
The impact of this alert has been set to reflect the possible
implications of this issue. As further information is made available, the
impact levels as well as the details of the BID will be changed if
necessary.
Apple Jaguar for Mac OS X 10.2.8 and Mac OS X Server 10.2.8 and Panther
for Mac OS X 10.3.2 and Mac OS X Server 10.3.2 are reported to be prone to
this issue.
3. Apple MacOS X fs_usage Unspecified Local Privilege Escalatio...
BugTraq ID: 9265
Remote: No
Date Published: Dec 20 2003
Relevant URL: http://www.securityfocus.com/bid/9265
Summary:
fs_usage is a Unix utility that displays system call usage information for
file system activity.
An unspecified local privilege escalation vulnerability has been reported
to exist in Apple MacOS X implementation of fs_usage. This issue may
allow for a local user to gain elevated privileges. Exploitation of this
vulnerability may result in a compromise of root access to local attackers
since fs_usage requires admin privileges to run.
Due to a lack of details further information cannot be provided at the
moment. This BID will be updated as more information becomes available.
Apple Jaguar for Mac OS X 10.2.8 and Mac OS X Server 10.2.8 and Panther
for Mac OS X 10.3.2 and Mac OS X Server 10.3.2 have been reported to be
prone to this issue.
4. Apple MacOS X ASN.1 Decoding Unspecified Remote Denial Of S...
BugTraq ID: 9266
Remote: Yes
Date Published: Dec 20 2003
Relevant URL: http://www.securityfocus.com/bid/9266
Summary:
A vulnerability has been reported to exist in Apple MacOS X. This issue
presents itself due to improper handling of ASN.1 sequences for the Public
Key Infrastructure (PKI), which may result in remote attackers creating a
denial of service condition. This could potentially lead to an attacker
crashing a service that uses an implementation of the vulnerable software.
This issue is reported to be similar to OpenSSL ASN.1 Large Recursion
Remote Denial Of Service Vulnerability described in BID 8970.
This issue has been reported by Apple and it is reported to affect Apple
Jaguar for Mac OS X 10.2.8 and Mac OS X Server 10.2.8 and Panther for Mac
OS X 10.3.2 and Mac OS X Server 10.3.2. It is possible that this problem
may also affect other vendors, however this has not been confirmed at the
moment.
Due to a lack of details further information concerning this issue cannot
be provided at the moment. This BID will be updated as more information
becomes available.
5. BES-CMS Multiple Module File Include Vulnerability
BugTraq ID: 9268
Remote: Yes
Date Published: Dec 20 2003
Relevant URL: http://www.securityfocus.com/bid/9268
Summary:
BES-CMS is a content management system. It is written in PHP.
A vulnerability has been reported to exist in the software that may allow
an attacker to include malicious files containing arbitrary code to be
executed on a vulnerable system. The issue exists due to improper
validation of user-supplied data. The problem exists in the
'index.inc.php', 'Members/index.inc.php', 'Members/root/index.inc.php',
'Include/functions_folder.php', 'Include/functions_message.php',
'Include/Start.php' scripts of the software.
Remote attackers could potentially exploit this issue via a vulnerable
variable to include a remote malicious script, which will be executed in
the context of the web server hosting the vulnerable software.
BES-CMS versions 0.4 rc3 and 0.5 rc3 are reported to be vulnerable to this
issue, however other versions may be affected as well.
6. Xoops MyLinks Myheader.php Cross-Site Scripting Vulnerabilit...
BugTraq ID: 9269
Remote: Yes
Date Published: Dec 21 2003
Relevant URL: http://www.securityfocus.com/bid/9269
Summary:
Xoops is open-source, freely available web portal software written in
object-oriented PHP. It is back-ended by a MySQL database and will run on
most Unix and Linux distributions.
Xoops is prone to a cross-site scripting vulnerability in the
'myheader.php' script included in the mylinks module. The source of the
problem is that HTML and script code are not adequately sanitized from
input supplied via URI parameters, which will then be included in
dynamically generated web pages. In particular, the 'url' parameter is
affected by this issue. A remote attacker could exploit this issue by
embedding hostile HTML and script code in a malicious link to the
vulnerable script. The attacker-supplied code will be interpreted in the
context of the site hosting the vulnerable software.
Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible since an attacker can
influence how the site will be rendered to a victim user.
This issue was reported in Xoops 2.0.5.1. It is likely that other
versions are also affected.
7. BN Soft BoastMachine Comment Form HTML Injection Vulnerabili...
BugTraq ID: 9270
Remote: Yes
Date Published: Dec 22 2003
Relevant URL: http://www.securityfocus.com/bid/9270
Summary:
BoastMachine is a web-based application used for publishing blogs,
articles etc. It is written in PHP.
A vulnerability has been reported in the software that may allow a remote
attacker to execute HTML and script code in a user's browser. The problem
is reported to exist due to improper sanitizing of user-supplied data in
the 'Comment' form. It may be possible for an attacker to include
malicious HTML code in one of the vulnerable fields. The injected code
could then be interpreted by the browser of a user visiting the vulnerable
site. This attack would occur in the security context of the affected
site.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials. Other attacks are also possible.
This vulnerability has been reported to exist in BoastMachine version 2.6,
however it is possible that other versions are affected as well.
8. ProjectForum find Request Denial of Service Vulnerability
BugTraq ID: 9271
Remote: Yes
Date Published: Dec 22 2003
Relevant URL: http://www.securityfocus.com/bid/9271
Summary:
ProjectForum is a web-based forum application.
A vulnerability has been identified in ProjectForum that may allow a
remote attacker to cause a denial of service condition in the software.
The problem is reported to exist in 'projectforum.exe'. It has been
reported that an attacker may be able to cause the server to crash by
sending an excessively long string via the 'find' request to the server.
Successful exploitation of this issue may allow a remote attacker to crash
an affected ProjectForum server, effectively denying service to other
legitimate users. Although unconfirmed, due to the nature of this issue,
it may allow an attacker to cause a buffer overflow in the application
leading to arbitrary code execution.
ProjectForum versions 8.4.2.1 and prior have been reported to be prone to
this issue.
9. ProjectForum HTML Injection Vulnerability
BugTraq ID: 9272
Remote: Yes
Date Published: Dec 22 2003
Relevant URL: http://www.securityfocus.com/bid/9272
Summary:
ProjectForum is a web-based forum application.
A vulnerability has been reported in the software that may allow a remote
attacker to execute HTML and script code in a user's browser. The problem
is reported to exist due to improper sanitizing of user-supplied data in
the administrator login page, the find function, and the error page. It
may be possible for an attacker to include malicious HTML code in one of
the vulnerable fields. The injected code could then be interpreted by the
browser of a user visiting the vulnerable site. This attack would occur in
the security context of the affected site.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials. Other attacks are also possible.
ProjectForum versions 8.4.2.1 and prior have been reported to be prone to
this issue.
It has also been reported that CourseForum, a similar application which
uses the same engine as ProjectForum, is also vulnerable to these attacks.
Specific versions of the software have not been identified therefore this
BID will be updated as more information becomes available.
10. DCAM WebCam Server Personal Web Server Directory Traversal V...
BugTraq ID: 9273
Remote: Yes
Date Published: Dec 22 2003
Relevant URL: http://www.securityfocus.com/bid/9273
Summary:
DCAM WebCam server is a webcam server written in Visual Basic. It also
has a built in HTTP web server called Personal Web Server (PWS).
A vulnerability has been reported to exist in the Personal Web Server of
DCAM WebCam Server that may allow a remote attacker to access information
outside the server root directory. The problem exists due to insufficient
sanitization of user-supplied data. The issue may allow a remote attacker
to traverse outside the server root directory by using '.' character
sequences.
Successful exploitation of this vulnerability may allow a remote attacker
to gain access to sensitive information that may be used to launch further
attacks against a vulnerable system.
DCAM WebCam server versions 8.2.5 and prior are reported to be prone to
this issue.
11. RhinoSoft Serv-U FTP Server Insecure INI File Permissions Vu...
BugTraq ID: 9274
Remote: No
Date Published: Dec 22 2003
Relevant URL: http://www.securityfocus.com/bid/9274
Summary:
RhinoSoft Serv-U FTP Server is designed for use with Microsoft Windows
operating systems.
RhinoSoft Serv-U FTP Server has been reported prone to an insecure file
permission vulnerability. Specifically, a configuration file
ServUDaemon.ini is created with insecure permissions by default. Because
of this any local user may make modifications to the ServUDaemon.ini
file. It has been reported that by adding the line Maintenance=System
the attacker may login to the affected FTP service and use quote site
exec FTP commands to execute files with SYSTEM privileges.
A local attacker may exploit this condition to gain elevated privileges.
It should be noted that although this vulnerability has been reported to
affect RhinoSoft Serv-U FTP Server version 4.1.0.0, other versions might
also be affected.
12. osCommerce products_id URI Parameter SQL Injection Vulnerabi...
BugTraq ID: 9275
Remote: Yes
Date Published: Dec 22 2003
Relevant URL: http://www.securityfocus.com/bid/9275
Summary:
osCommerce is an open-source PHP e-commerce suite.
It has been reported that one of the scripts included with osCommerce
fails to validate user-supplied input, rendering it vulnerable to a SQL
injection attack. The script in question is the default script of
osCommerce, default.php.
It has been reported that an attacker may supply malicious SQL queries as
the products_id URI parameter to the affected script. The attacker may
leverage this condition to manipulate the logic and structure of database
queries, possibly resulting in osCommerce compromise, information
disclosure or other consequences.
It has been reported that an attacker may exploit this issue to deny
service to legitimate users of osCommerce.
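To make the mechanism concrete, here is an added example (not osCommerce's code) showing a lookup that splices the products_id parameter into the query text beside one that binds it as a parameter. The SQLite table and rows are constructed for the demonstration; the flawed and the corrected function differ only in how the value reaches the database.

```python
import sqlite3

# Constructed catalogue standing in for a products table; not osCommerce's schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (products_id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 9.99), (2, "gadget", 19.99), (3, "gizmo", 29.99)])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, products_id: str):
    """Builds the statement from the raw URI parameter: the flaw."""
    sql = "SELECT products_id, name FROM products WHERE products_id = %s" % products_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, products_id: str):
    """Binds the parameter; the driver never lets it change the query's structure.

    A real handler would additionally reject anything that is not an integer.
    """
    return conn.execute("SELECT products_id, name FROM products WHERE products_id = ?",
                        (products_id,)).fetchall()


def error_message(conn: sqlite3.Connection, products_id: str):
    """The database error the vulnerable path surfaces on a malformed value
    such as a lone quote; error text like this is what leaks to a client
    when the application echoes it."""
    try:
        vulnerable_lookup(conn, products_id)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_lookup(db, "1 OR 1=1"))
    print("safe:      ", safe_lookup(db, "1 OR 1=1"))
    print("error:     ", error_message(db, "'"))
```

With a bound parameter the string "1 OR 1=1" is compared as a value against the integer column and matches nothing, whereas the string-built query returns every row.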
13. PServ Web Server Directory Traversal Vulnerability
BugTraq ID: 9276
Remote: Yes
Date Published: Dec 22 2003
Relevant URL: http://www.securityfocus.com/bid/9276
Summary:
pServ is a freely available, open source web server package. It is
available for the Unix and Linux platforms.
A vulnerability has been identified in the handling of certain types of
requests by pServ. Because of this, it is possible for an attacker to
gain access to potentially sensitive system files.
The problem is in the handling of directory traversal strings. When a
request containing double-slash (//) sequences is placed to a pServ web
server, the program allows a remote user to escape the web root directory.
This issue could be exploited to gain read access to files on a host using
the vulnerable software. Read privileges granted to these files would be
restricted by the permissions of the web server process.
14. osCommerce manufacturers_id Parameter Cross-Site Scripting V...
BugTraq ID: 9277
Remote: Yes
Date Published: Dec 22 2003
Relevant URL: http://www.securityfocus.com/bid/9277
Summary:
osCommerce is an open-source PHP e-commerce suite.
A vulnerability has been reported to exist in the software that may allow
a remote user to launch cross-site scripting attacks. The problem is
reported to exist due to improper sanitizing of user-supplied data in the
'manufacturers_id' parameter passed to the default.php script. This
vulnerability makes it possible for an attacker to construct a malicious
link containing HTML or script code that may be rendered in a user's
browser upon visiting that link. This attack would occur in the security
context of the site.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication credentials. Other attacks are also possible.
15. Microsoft Internet Explorer File Download Warning Bypass Vul...
BugTraq ID: 9278
Remote: Yes
Date Published: Dec 22 2003
Relevant URL: http://www.securityfocus.com/bid/9278
Summary:
A vulnerability has been discovered in Microsoft Internet Explorer when
handling file URIs. This issue may be exploited to download a malicious
file to the client system.
Internet Explorer warns a user when an attempt is made to download a file.
The warning notifies the user of the dangers of downloading certain types
of files such as '.exe', '.bat' etc.
It has been reported that by renaming a file, an attacker may be able to
trick the browser and bypass the security warning. An attacker may name a
file in the following format to conceal the extension type from the
browser:
http://www.example.com/file.exe?.html
It has been reported that the browser will recognize this file as an HTML
file instead of an executable. Successful exploitation of this issue may
allow an attacker to plant malicious files on vulnerable systems in order
to execute malicious code. This issue may be combined with the Multiple
Browser URI Display Obfuscation Weakness (BID 9182) to carry out further
attacks.
This issue has reportedly been tested with Microsoft Internet Explorer
running on a Windows 2003 Web Server edition platform, however, other
versions are likely to be affected as well.
MyIE2 Web Browser that uses Microsoft Internet Explorer codebase is also
reported to be vulnerable to this issue. It has been reported that MyIE2
versions 0.9.10 and prior are affected by this vulnerability.
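The bypass works because the file type is judged from the end of the whole URL string, where '?.html' sits, rather than from the path component. As an added example that is not Microsoft's or MyIE2's code, the following contrasts that naive rule with one that takes the extension from the last path segment after discarding the query and fragment and decoding percent-encoding. The extension list is an assumption beyond the '.exe' and '.bat' the advisory names.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Added example: deciding whether a URL points at an executable download by
# looking only at its path component. The extension set is an assumption;
# '.exe' and '.bat' are the types the advisory mentions.
DANGEROUS_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs"}


def naive_extension(url: str) -> str:
    """The flawed rule: the extension of the whole URL string.

    A trailing '?.html' wins over the real '.exe' in the path.
    """
    return posixpath.splitext(url)[1].lower()


def path_extension(url: str) -> str:
    """Extension of the last path segment only, with query and fragment
    discarded and percent-encoding decoded first (so '%2Eexe' is still '.exe')."""
    path = unquote(urlsplit(url).path)
    return posixpath.splitext(posixpath.basename(path))[1].lower()


def is_dangerous_download(url: str) -> bool:
    """True when the path component names a file type that should trigger a warning."""
    return path_extension(url) in DANGEROUS_EXTENSIONS


if __name__ == "__main__":
    url = "http://www.example.com/file.exe?.html"
    print("naive:", naive_extension(url), "| path:", path_extension(url),
          "| warn:", is_dangerous_download(url))
```

A download gateway or proxy that applies the path-based rule (and, for real deployments, also honours the server's Content-Type and Content-Disposition headers) does not lose the warning to a crafted query string.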
16. Opera Relative Path Directory Traversal File Corruption Vuln...
BugTraq ID: 9279
Remote: Yes
Date Published: Dec 23 2003
Relevant URL: http://www.securityfocus.com/bid/9279
Summary:
Opera is prone to a file corruption vulnerability. This issue is exposed
when a user is presented with a file dialog, which will cause the creation
of a temporary file. For example, if the user was prompted to download
FILENAME.ext, then the following temporary file would be created:
c:\windows\temp\FILXXX.tmp.FILENAME.ext
(where XXX is a random value)
However, it is possible to specify a relative path to another file on the
system using directory traversal sequences when the download dialog is
displayed. For example, if the user was prompted to download a filename
that contained '%5C..' sequences that form a relative path to another
system file, then that file would be corrupted. This would only be
possible if the user had write permissions to the attacker-specified file.
This could be exploited to delete sensitive files on the systems. It has
been reported that an attacker may harness Opera auto-install
functionality (Certain MIME-types are opened with Opera) for Skin Files
and Configuration Files to further exploit this vulnerability. This method
may enable an attacker to write an arbitrary file to, for example, the
Windows startup folder without requiring user intervention. The malicious
file would be executed when the system is restarted.
This issue was reported in Opera for Windows platforms. It is not known
whether other platforms are also affected.
17. Sun Solaris tcsh ls-F Builtin Unspecified Privilege Escalati...
BugTraq ID: 9280
Remote: No
Date Published: Dec 22 2003
Relevant URL: http://www.securityfocus.com/bid/9280
Summary:
Sun has reported an unspecified vulnerability in tcsh. This issue is
related to the 'ls-F' builtin. This builtin command provides
functionality to list files as though 'ls -F' were executed, only much
more efficiently.
This vulnerability may reportedly be exploited to create/remove arbitrary
files or gain the privileges of another user (possibly even root). The
vendor has stated that the consequences of exploitation will be dependent
on the privilege level of the process using the builtin command.
This BID will be updated with further technical details if more
information is made available.
18. Opera Browser URI Display Obfuscation Weakness
BugTraq ID: 9281
Remote: Yes
Date Published: Dec 23 2003
Relevant URL: http://www.securityfocus.com/bid/9281
Summary:
A weakness has been reported in Opera that may allow attackers to
obfuscate the URI for a visited page. The problem is said to occur when a
URI that is designed to access a specific location with a supplied
username, contains a specially crafted sequence of characters such as
\xC0\x80, \xC0\xBF, \xC1\x80, and \xC1\xBF etc. These characters
will be interpreted as a NULL due to UTF-8 encoding. This sequence may be
placed as part of the username value prior to the @ symbol in the
malicious URI to aid in obfuscating the URI for a visited page.
Specifically, the malicious URI must be formatted as follows, where %C0
may be any non-displayable hexadecimal value:
http://www.malicious.com%C0%80@www.trusted.com/
Upon clicking the link, the URI field would contain www.trusted.com
despite the access site actually being www.malicious.com. It should be
noted that manually placing such a URI into the location may not work, as
the hexadecimal value must not be escaped.
An attacker could exploit this issue by supplying a malicious URI pointing
to a page designed to mimic that of a trusted site. If an unsuspecting
victim were to follow the link and attempt to verify the authenticity of
the current location by checking the current URI, they may be deceived
into believing they are at the actual trusted site. This could potentially
cause a false sense of security for the victim. It has been reported that
the browser will display a warning before a page is displayed in HTTP and
HTTPS, however no warning dialog is displayed for FTP.
This issue is reported to affect Opera 6.06 with Encoding all addresses
with UTF-8 enabled, however other versions could be affected as well.
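The lead bytes C0 and C1 never occur in valid UTF-8 (any sequence starting with them is an overlong encoding, of which C0 80 is the overlong NUL), so a strict decoder rejects them outright. The following added example, not Opera's code, inspects the authority part of a URL the way a proxy or link checker might: it reports whether userinfo precedes an '@', whether that userinfo decodes to bytes that are invalid UTF-8 or control characters, and which host a standard URL parser extracts. The "looks like a hostname" heuristic is an assumption of this example.

```python
from urllib.parse import urlsplit, unquote_to_bytes


def inspect_authority(url: str) -> dict:
    """Describe the authority part of a URL for a warn-or-block decision."""
    parts = urlsplit(url)
    result = {
        "host": parts.hostname,             # host per RFC parsing (after the last '@')
        "has_userinfo": "@" in parts.netloc,
        "userinfo": None,
        "control_bytes": False,
        "invalid_utf8": False,
    }
    if not result["has_userinfo"]:
        return result
    userinfo = parts.netloc.rsplit("@", 1)[0]
    raw = unquote_to_bytes(userinfo)        # percent-decode to raw bytes
    result["userinfo"] = raw
    result["control_bytes"] = any(b < 0x20 or b == 0x7F for b in raw)
    try:
        raw.decode("utf-8")                 # strict: rejects overlong forms such as C0 80
    except UnicodeDecodeError:
        result["invalid_utf8"] = True
    return result


def is_suspicious(url: str) -> bool:
    """Flag userinfo that carries control or invalid UTF-8 bytes, or that
    contains a dot and so reads like a hostname (heuristic assumed here)."""
    info = inspect_authority(url)
    if not info["has_userinfo"]:
        return False
    return info["control_bytes"] or info["invalid_utf8"] or b"." in info["userinfo"]


if __name__ == "__main__":
    for u in ("http://www.malicious.com%C0%80@www.trusted.com/",
              "http://user:pw@www.example.com/",
              "http://www.trusted.com/"):
        print(u, "->", inspect_authority(u)["host"], "suspicious" if is_suspicious(u) else "ok")
```

The check runs before any browser-specific rendering is involved, so it catches the pattern regardless of how a particular client chooses to display the address.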
19. iSoft-Solutions QuikStore Shopping Cart store Parameter Path...
BugTraq ID: 9282
Remote: Yes
Date Published: Dec 23 2003
Relevant URL: http://www.securityfocus.com/bid/9282
Summary:
QuikStore Shopping Cart is web-based shopping cart software.
A vulnerability has been reported to exist in the software that may allow
an attacker to disclose the installation path. The issue presents itself
due to insufficient sanitization of user-supplied data through the 'store'
parameter of the 'quikstore.cgi' script. An attacker may disclose the
installation path of directories by passing a single quote ' character
through the 'store' parameter. As a result of the malformed request, the
software generates an error disclosing the installation path. Although
unconfirmed, due to the nature of this issue, it may be possible to carry
out SQL injection attacks against a vulnerable system as well.
Successful exploitation of this vulnerability may allow an attacker to
gain sensitive information about the file system that may aid in launching
more direct attacks against the system.
Specific vulnerable versions of the software were not identified in the
report; therefore it is assumed that the current version QuikStore
Shopping Cart v2.12 is vulnerable to this issue.
20. iSoft-Solutions QuikStore Shopping Cart template Parameter D...
BugTraq ID: 9283
Remote: Yes
Date Published: Dec 23 2003
Relevant URL: http://www.securityfocus.com/bid/9283
Summary:
QuikStore Shopping Cart is web-based shopping cart software.
A vulnerability has been reported to exist in QuikStore Shopping Cart that
may allow a remote attacker to access information outside the server root
directory. The problem exists due to insufficient sanitization of
user-supplied data through the 'template' parameter of the 'quikstore.cgi'
script. The issue may allow a remote attacker to traverse outside the
server root directory by using '../' character sequences.
Successful exploitation of this vulnerability may allow a remote attacker
to gain access to sensitive information that may be used to launch further
attacks against a vulnerable system.
Specific vulnerable versions of the software were not identified in the
report; therefore it is being assumed that the current version QuikStore
Shopping Cart v2.12 is vulnerable to this issue.
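Items 10, 13 and 20 above (DCAM WebCam Server, pServ and QuikStore) are the same defect in three servers: a request path is mapped onto the filesystem without first being normalised, so '../' or '//' sequences escape the document root; item 16 (Opera) is the same defect applied to a server-suggested download name containing '%5C..' sequences. The following is an added example, not any of those products' code, of a resolver that decodes once, treats backslashes as separators, collapses '//', '.' and '..', and only then checks that the result still lies under the root, plus a companion that keeps only the final component of a suggested file name. The root path and request strings are constructed samples.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote


def resolve_under_root(web_root: str, requested: str) -> Optional[str]:
    """Map a request path onto web_root, or return None when it would escape.

    Percent-encoding is decoded exactly once; backslashes are treated as
    separators (so '%5C..' is seen as '/..'); posixpath.normpath collapses
    '//', '.' and '..'; the prefix test is made only on the normalised result.
    """
    root = posixpath.normpath(web_root)
    decoded = unquote(requested).replace("\\", "/")
    if "\x00" in decoded:               # embedded NUL would truncate the path downstream
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    prefix = root.rstrip("/") + "/"
    if candidate != root and not candidate.startswith(prefix):
        return None
    return candidate


def safe_download_name(suggested: str) -> Optional[str]:
    """Keep only the final path component of a server-suggested file name,
    so relative-path sequences can never select another file."""
    name = posixpath.basename(unquote(suggested).replace("\\", "/"))
    if name in ("", ".", ".."):
        return None
    return name


if __name__ == "__main__":
    root = "/var/www"                    # constructed sample root
    for req in ("/images//cam.jpg", "//../etc/passwd", "/docs/../index.html",
                "%5C..%5C..%5Cboot.ini"):
        print(repr(req), "->", resolve_under_root(root, req))
    print(safe_download_name("%5C..%5C..%5Cwindows%5Csystem.ini"))
```

On a real filesystem the final check should be made on os.path.realpath of the candidate so that symbolic links under the root cannot point outside it, and the server must not percent-decode the path a second time after this function has run.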
21. Red Hat Linux 2.4 Kernel Multiple Potential Vulnerabilities
BugTraq ID: 9284
Remote: No
Date Published: Dec 23 2003
Relevant URL: http://www.securityfocus.com/bid/9284
Summary:
Red Hat Linux has released a 2.4 Kernel update to fix multiple potential
security issues.
The issues are as follows:
Red Hat has reported that ioctls of several RTC drivers have been fixed to
prevent potential data leaks. A privileged attacker may potentially
exploit this condition to gain access to sensitive data. This may be
related to BID 9154.
A previous kernel upgrade may have caused certain --reject-with
tcp-reset IPTABLES rules to malfunction. This may lead an administrator
into a false sense of security or introduce security exposures since
existing or newly created rules may not function properly.
It has been reported that if a bonding interface that does not have an IP
address is initiated, the bonding process and kernel may panic due to a
reference to a null pointer. This may require superuser privileges but
could be exposed via third-party setuid applications that may perform this
operation, though this has not been confirmed.
Other non-security related issues were also addressed in this upgrade.
22. Xlight FTP Server PASS Command Remote Buffer Overflow Vulner...
BugTraq ID: 9285
Remote: Yes
Date Published: Dec 23 2003
Relevant URL: http://www.securityfocus.com/bid/9285
Summary:
XLight FTP Server is a commercially available FTP server. It is available
for the Microsoft Windows platform.
A vulnerability has been identified in XLight FTP Server when handling
certain types of requests. Because of this, it may be possible for a
remote attacker to gain unauthorized access to a system running the
vulnerable software. The condition is present due to insufficient
boundary checking.
The issue presents itself when an attacker sends a specially crafted PASS
command request containing an excessively long string value to the
vulnerable server. Immediate consequences of an attack may result in a
denial of service condition.
An attacker may leverage the issue by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing an
affected procedure to return to an address of their choice. Successful
exploitation of this issue may allow an attacker to execute arbitrary code
in the context of the vulnerable software in order to gain unauthorized
access, however, this has not been confirmed at the moment.
Xlight FTP Server versions 1.41 and prior have been reported to be prone
to this issue.
23. My Little Forum Email.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 9286
Remote: Yes
Date Published: Dec 23 2003
Relevant URL: http://www.securityfocus.com/bid/9286
Summary:
my little forum is a simple web forum implemented in PHP.
my little forum is prone to a cross-site scripting vulnerability in the
'email.php' script. The source of the problem is that HTML and script code
are not adequately sanitized from input supplied via the 'forum_contact'
URI parameter. This input will be included in dynamically generated web
pages. A remote attacker could exploit this issue by embedding hostile
HTML and script code in a malicious link to the vulnerable script. The
attacker-supplied code will be interpreted in the context of the site
hosting the vulnerable software.
Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.
It should be noted that although this issue has been reported to affect my
little forum version 1.3, other versions might also be affected.
24. Webfroot Shoutbox Viewshoutbox.PHP Cross-Site Scripting Vuln...
BugTraq ID: 9289
Remote: Yes
Date Published: Dec 23 2003
Relevant URL: http://www.securityfocus.com/bid/9289
Summary:
Webfroot Shoutbox is a web application designed to allow web site visitors
a chance to leave messages. It is implemented in PHP and is available for
the Unix, Linux, and Microsoft Windows platforms.
Webfroot Shoutbox is prone to a cross-site scripting vulnerability in the
'viewshoutbox.php' script. The source of the problem is that HTML and
script code are not adequately sanitized from input supplied via the
'error' URI parameter. This input will be included in dynamically
generated web pages. A remote attacker could exploit this issue by
embedding hostile HTML and script code in a malicious link to the
vulnerable script. The attacker-supplied code will be interpreted in the
context of the site hosting the vulnerable software.
Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.
It should be noted that although this issue has been reported to affect
Webfroot Shoutbox version 2.32, other versions might also be affected.
25. phpBB Privmsg.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 9290
Remote: Yes
Date Published: Dec 23 2003
Relevant URL: http://www.securityfocus.com/bid/9290
Summary:
phpBB is an open-source web forum application that is written in PHP and
supported by a number of database products. It will run on most Unix and
Linux variants, as well as Microsoft Windows operating systems.
phpBB is prone to a cross-site scripting vulnerability in the
'privmsg.php' script. The source of the problem is that HTML and script
code are not adequately sanitized from input supplied via the 'mode' URI
parameter. This input will be included in dynamically generated web pages.
A remote attacker could exploit this issue by embedding hostile HTML and
script code in a malicious link to the vulnerable script. The
attacker-supplied code will be interpreted in the context of the site
hosting the vulnerable software.
Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.
It should be noted that although this issue has been reported to affect
phpBB version 2.0.6, other versions might also be affected.
26. ViewCVS Viewcvs.py Cross-Site Scripting Vulnerability
BugTraq ID: 9291
Remote: Yes
Date Published: Dec 24 2003
Relevant URL: http://www.securityfocus.com/bid/9291
Summary:
ViewCVS is an application that allows users to browse CVS repositories via
the web.
ViewCVS is prone to a cross-site scripting vulnerability. This issue
exists in the 'viewcvs.py' script and is due to insufficient sanitization
of user-supplied input that will be included in error pages. A remote
attacker could take advantage of this issue by constructing a malicious
link to a site running the vulnerable software that includes embedded
hostile HTML and script code. If this link is visited by a victim user,
the attacker-supplied code may be rendered in their browser in the context
of the site.
This could permit theft of cookie-based authentication credentials since
the attacker's script code may access properties of the vulnerable site as
the user visiting the malicious link. This vulnerability will also permit
other types of attacks because the attacker may influence how the site is
rendered to the victim of the attack.
27. KnowledgeBuilder Remote File Include Vulnerability
BugTraq ID: 9292
Remote: Yes
Date Published: Dec 24 2003
Relevant URL: http://www.securityfocus.com/bid/9292
Summary:
KnowledgeBuilder is a web-based application for managing articles and
FAQs.
KnowledgeBuilder is prone to a remote file include vulnerability. The
source of this vulnerability is that a remote attacker may influence the
include path of an external script. By causing a script to be included
from a remote attacker-controlled server, it is possible to leverage this
vulnerability to execute arbitrary PHP code. This would occur in the
security context of the web server hosting the software.
28. Psychoblogger Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 9293
Remote: Yes
Date Published: Dec 24 2003
Relevant URL: http://www.securityfocus.com/bid/9293
Summary:
Psychoblogger is a web-based software application that is used to create
web logs. It is written in PHP and employs a MySQL database.
Multiple cross-site scripting vulnerabilities have been identified in the
software that may allow a remote attacker to launch cross-site scripting
attacks against a vulnerable system.
The following specific issues have been reported:
The software is reported to be prone to a cross-site scripting
vulnerability due to insufficient sanitization of user-supplied data via
the 'desc' parameter of 'imageview.php'.
Another cross-site scripting issue has been identified in the
'entryadmin.php', 'authoredit.php', 'blockedit.php', 'configadmin.php' and
'quoteedit.php' scripts. This issue results from improper sanitization of
user-supplied data via the 'errormessage' parameter.
These vulnerabilities make it possible for an attacker to construct a
malicious link containing HTML or script code that may be rendered in a
user's browser upon visiting that link. An attack of this type would occur
in the security context of the site.
Successful exploitation of this type of attack may allow an attacker to
steal cookie-based authentication credentials. Other attacks are also
possible.
Psychoblogger version PB-beta1 has been reported to be prone to these
issues, however, other versions could be affected as well.
29. Psychoblogger Multiple SQL Injection Vulnerabilities
BugTraq ID: 9294
Remote: Yes
Date Published: Dec 24 2003
Relevant URL: http://www.securityfocus.com/bid/9294
Summary:
Psychoblogger is a web-based software application that is used to create
web logs. It is written in PHP and employs a MySQL database.
Multiple SQL injection vulnerabilities have been identified in the
software that may allow an attacker to influence SQL query logic to
disclose sensitive information that could be used to gain unauthorized
access.
The following specific issues have been reported:
An SQL injection vulnerability has been reported in 'shouts.php'. This
issue presents itself due to insufficient sanitization of user-supplied
data via the 'shoutlimit' parameter. Although unconfirmed, this issue
could be used to harvest usernames and passwords of legitimate users of a
vulnerable site.
An SQL injection vulnerability is reported to exist in the 'comments.php'
script. This issue presents itself due to insufficient sanitization of
user-supplied data via the 'blogid' parameter. It has been reported that
this issue may be exploited via an HTTP POST request to harvest encrypted
passwords from the database, which could then be exposed by brute-forcing.
Another SQL injection vulnerability may exist in the 'category.php'
script. This issue could allow an attacker to gain access to author
passwords, which could be used to launch further attacks against the
vulnerable system.
The cause of these issues is insufficient sanitization of user-supplied
data. A malicious user may influence database queries in order to view or
modify sensitive information potentially compromising the software or the
database.
Psychoblogger version PB-beta1 has been reported to be prone to these
issues, however, other versions could be affected as well.
30. Microsoft Internet Explorer For Mac HTTP Referer Information...
BugTraq ID: 9295
Remote: Yes
Date Published: Dec 24 2003
Relevant URL: http://www.securityfocus.com/bid/9295
Summary:
Microsoft Internet Explorer for the Apple Mac platform has been reported
prone to an information disclosure vulnerability.
The browser reportedly includes HTTP Referer data in plaintext HTTP
requests that originate from pages served over HTTPS. This behavior does
not comply with the HTTP 1.1 RFC and so may present a security risk in
certain circumstances. One of the reported circumstances is when a link to
a remote HTTP site is followed from Outlook Web Access (HTTPS); data
contained in the Referer may include the Outlook Inbox username and domain
name. The most common risk associated with this issue arises in situations
where session IDs or other credentials are included in URIs. If a user
were to follow a link from within such an HTTPS page, the Referer could be
leaked to an external site.
Information gathered by an attacker by exploiting this vulnerability may
be used to aid in further attacks launched against the target server.
31. Squirrelmail G/PGP Encryption Plugin Remote Command Executio...
BugTraq ID: 9296
Remote: Yes
Date Published: Dec 25 2003
Relevant URL: http://www.securityfocus.com/bid/9296
Summary:
Squirrelmail is a freely available, open source webmail package. It is
available for the Unix and Linux platforms.
A problem in the handling of some types of input passed to the
Squirrelmail G/PGP Plugin has been discovered. This issue may make it
possible for a remote user to gain unauthorized access to a system hosting
the vulnerable application.
The problem is in the checking of input. When an e-mail is sent to a user
through a Squirrelmail implementation which uses the G/PGP plugin, the
program does not sufficiently sanitize user input. Because of this, an
attacker can place shell commands in the To: line of an e-mail sent
through Squirrelmail which, when encrypted with the G/PGP plugin, forces
the execution of the commands supplied by the attacker.
It should be noted that this issue is limited by the permissions of the
web server process.
**December 26, 2003 - The vendor has reported that Squirrelmail version
1.4.2 is not vulnerable to this issue, however, Squirrelmail version 1.4.0
with GPG version 1.2 is reportedly vulnerable. This information cannot be
completely verified at the moment; therefore this BID will be updated as
more information becomes available.
32. GNU Indent Local Heap Overflow Vulnerability
BugTraq ID: 9297
Remote: No
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9297
Summary:
GNU Indent is an application used to improve the syntax of C, making it
easier to read source code.
An overflow condition has been identified in the software that may allow
an attacker to execute arbitrary code on a vulnerable system.
The issue has been reported to exist in the handle_token_colon() function
of the software. The problem is reported to present itself when the
application attempts to parse a C source file (*.c). It has been
reported that indent copies data from the file to a 1000 byte long buffer
without sufficient boundary checking. A heap overflow condition may be
triggered, potentially causing heap memory management structures to be
corrupted. This can result in critical memory being overwritten and,
ultimately, code execution with the privileges of the user running indent.
GNU Indent version 2.2.9 has been reported to be prone to this issue;
however, other versions may be affected as well.
33. Surfboard httpd Remote Buffer Overflow Vulnerability
BugTraq ID: 9299
Remote: Yes
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9299
Summary:
Surfboard is a freely available web server implementation for Unix/Linux
variants.
A vulnerability has been identified in the Surfboard web server when
handling certain URL requests. Because of this, it may be possible for a
remote attacker to gain unauthorized access to a system running the
vulnerable software. The condition is present due to insufficient boundary
checking.
The issue presents itself when an attacker sends a specially crafted URL
request with more than 1024 characters to the server daemon. The immediate
consequence of an attack may be a denial of service condition.
An attacker may leverage the issue by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing an
affected procedure to return to an address of their choice. Successful
exploitation of this issue may allow an attacker to execute arbitrary code
in the context of the vulnerable software in order to gain unauthorized
access; however, this has not been confirmed at the moment.
Surfboard version 1.1.9 has been reported to be prone to this issue;
however, other versions may be affected as well.
34. OpenBB Index.PHP Remote SQL Injection Vulnerability
BugTraq ID: 9300
Remote: Yes
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9300
Summary:
OpenBB is a freely available, open source bulletin board software package.
It is available for Unix, Linux, and Microsoft Windows operating systems.
A problem with the software may make it possible for remote users to
modify database query logic.
It has been reported that OpenBB does not properly check input passed via
the 'CID' parameter of the 'index.php' script. Because of this, it may be
possible for a remote user to inject arbitrary malicious SQL queries in
the context of the database user for the bulletin board software. The
consequences of successful exploitation will vary depending on the
underlying database implementation, but may allow for disclosure of
sensitive information such as administrator passwords or remote compromise
of the bulletin board or database itself.
OpenBB 1.06 has been reported to be prone to this issue; however, other
versions could be affected as well.
This issue may be related to BID 7401.
35. Web Merchant Services Storefront Shopping Cart login.asp SQL...
BugTraq ID: 9301
Remote: Yes
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9301
Summary:
Storefront shopping cart is web-based shopping cart software. It is
written in ASP.
A vulnerability has been reported to exist in the software that may allow
a remote user to inject malicious SQL syntax into database queries. The
problem is reported to exist due to insufficient sanitization of
user-supplied data in the 'login.asp' script. A remote attacker may
exploit this issue to influence SQL query logic to disclose sensitive
information that could be used to gain unauthorized access. It has been
reported that an attacker may be able to log in with '=' as a username and
password.
A malicious user may influence database queries in order to view or modify
sensitive information potentially compromising the software or the
database.
Specific vulnerable versions were not identified in the report, therefore
it is being assumed that the current version Storefront shopping cart 5.0
is vulnerable to this issue.
36. Apache mod_php Module File Descriptor Leakage Vulnerability
BugTraq ID: 9302
Remote: No
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9302
Summary:
Apache is a freely available, open source web server software package. It
is distributed and maintained by the Apache Group. mod_php is an Apache
module that adds PHP support to web sites.
A vulnerability has been reported to exist in the Apache mod_php module
that may allow local attackers to gain access to privileged file
descriptors. This issue could be exploited by an attacker to hijack a
vulnerable server daemon.
It has been reported that the file descriptor associated with the socket
listening on port 443, normally used for Secure Sockets Layer (SSL), is
leaked to the mod_php module and any processes it creates. This allows
for scripts and any processes they spawn to access the privileged port.
This issue may allow an attacker to pose as a legitimate server to
clients. An attacker may also steal sensitive information such as user
credentials and other authentication information.
III. SECURITYFOCUS NEWS ARTICLES
--------------------------------
1. Online crime up in 2003
By: Kevin Poulsen
Complaints logged by a federal clearinghouse rose sixty percent over last
year.
http://www.securityfocus.com/news/7714
2. Chats led to Acxiom hacker bust
By: Kevin Poulsen
An IRC log on another hacker's computer led police to Epitaph, a
Cincinnati man who downloaded records on millions of consumers.
http://www.securityfocus.com/news/7697
3. Secret Service airbrushes aerial photos
By: Kevin Poulsen
The White House and other government buildings get the Photoshop treatment
when the agency tinkers with publicly-funded overhead images of Washington
D.C.
http://www.securityfocus.com/news/7671
4. Electronic voting firm acknowledges hacker break-in
By: Ted Bridis, The Associated Press
http://www.securityfocus.com/news/7728
5. CIA gadget-museum: robot fish, pigeon camera, jungle microph...
By: Ted Bridis, The Associated Press
http://www.securityfocus.com/news/7721
6. Victory for CPRM: SD cards overtake Compact Flash
By: Andrew Orlowski, The Register
http://www.securityfocus.com/news/7712
IV. SECURITYFOCUS TOP 6 TOOLS
-----------------------------
1. Fwall 0.1.4-2
By: Aras
Relevant URL: http://linux.fan.lt/fwall/
Platforms: N/A
Summary:
fwall is a simple user-friendly firewall script for iptables. It is based
on bash. It includes a configuration for 1-2 interfaces, port forwarding,
DoS protection, and so on.
2. ClairVoyanT SysAdmin (CVTSA) v0.2
By: Ardoino Paolo
Relevant URL: http://cvtsa.sourceforge.net/
Platforms: Linux
Summary:
CVTSA is a tool for GNU/Linux written in C that allows a user to run any
command he wants on his Linux box even when he is away from his computer.
CVTSA works as a shell but receives commands via email (email can be sent
from a standard mailbox, from WAP, or from the services of some companies
that allow emails to be sent as SMS). There are some security features
that make CVTSA quite safe. First of all, the user has to choose a
password (which he has to write in all emails, before the commands, and
when he starts CVTSA) so that the ClairVoyanT SysAdmin can recognize his
emails and nobody else can run commands. Then there is a command wrapper
file where the user can set denied commands and running policies. A mail
wrapper allows the user to choose from which email addresses to accept
commands.
3. OpenProtect v5.0.1.2
Relevant URL: http://opencomputing.sf.net
Platforms: Linux
Summary:
OpenProtect is a server-side email protector which guards against spam and
viruses in addition to providing content filtering, using a variety of
open-source packages. It supports Sendmail, Postfix, Exim and qmail, and
is easy to install and maintain.
4. Fingerprint Verification System v0.1.0
By: Shivang Patel
Relevant URL: http://fvs.sourceforge.net/
Platforms: FreeBSD, Linux, UNIX, Windows 2000, Windows 95/98, Windows NT
Summary:
Fingerprint Verification System is an easy-to-use library that allows
programmers to integrate fingerprint technology into their software
without specific know-how. It is fast and small, and is great for embedded
systems.
5. Socks Server 5 v2.4mr2
By: Matteo Ricchetti
Relevant URL: http://digilander.iol.it/matteo.ricchetti/
Platforms: Linux
Summary:
Socks Server 5 is a socks server for the Linux platform which supports the
Socks protocol versions 4 and 5.
6. GNU Transport Layer Security Library v1.0.3
By: Nikos Mavroyanopoulos
Relevant URL: http://www.gnutls.org
Platforms: FreeBSD, NetBSD, OpenBSD, Solaris, UNIX
Summary:
GNU Transport Layer Security Library is a library which implements a
secure layer over a reliable transport layer such as TCP/IP. It implements
the TLS 1.0 and SSL 3.0 protocols. GnuTLS is available for beta testing.
V. SECURITYJOBS LIST SUMMARY
----------------------------
NO NEW POSTS FOR THE WEEK 2003-12-23 to 2003-12-30.
VI. INCIDENTS LIST SUMMARY
--------------------------
1. Large increase in port 32772 activity (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/348473
2. Unusual port scan? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/348446
3. flood of SYN packets to port 110 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/348344
VII. VULN-DEV RESEARCH LIST SUMMARY
-----------------------------------
1. Bugtraq Security Systems (ADV 0001) (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/348353
VIII. MICROSOFT FOCUS LIST SUMMARY
----------------------------------
1. Hardening the Scheduler Service (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/348399
2. Article Announcement: Low-Level Enumeration With TCP... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/348265
3. SecurityFocus Microsoft Newsletter #168 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/348259
4. TCP/IP Stack Hardening (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/348258
IX. SUN FOCUS LIST SUMMARY
--------------------------
NO NEW POSTS FOR THE WEEK 2003-12-23 to 2003-12-30.
X. LINUX FOCUS LIST SUMMARY
---------------------------
NO NEW POSTS FOR THE WEEK 2003-12-23 to 2003-12-30.
Posted on Thursday, 01 January 2004 @ 04:00:00 EST by phoenix22