SecurityFocus Linux Newsletter #164
------------------------------------

SecurityFocus.com Introduces a new search engine for 2004.

In our continued quest to better serve our audience, we here at
SecurityFocus.com look forward to introducing to you our new search engine
for 2004. This new and improved search engine will feature the advantage
of a complete text search of the entire site, as well as full text
searches of the mailing list archives and vulnerabilities. Also included
will be an advanced search interface.
------------------------------------------------------------------------

I. FRONT AND CENTER
1. Checklist for Deploying an IDS
2. A Very Small Step for Music-Kind
II. LINUX VULNERABILITY SUMMARY
1. Xoops MyLinks Myheader.php Cross-Site Scripting Vulnerabilit...
2. PServ Web Server Directory Traversal Vulnerability
3. Red Hat Linux 2.4 Kernel Multiple Potential Vulnerabilities
4. Webfroot Shoutbox Viewshoutbox.PHP Cross-Site Scripting Vuln...
5. phpBB Privmsg.PHP Cross-Site Scripting Vulnerability
6. Squirrelmail G/PGP Encryption Plugin Remote Command Executio...
7. Surfboard httpd Remote Buffer Overflow Vulnerability
8. OpenBB Index.PHP Remote SQL Injection Vulnerability
III. LINUX FOCUS LIST SUMMARY
NO NEW POSTS FOR THE WEEK 2003-12-23 to 2003-12-30.
IV. NEW PRODUCTS FOR LINUX PLATFORMS
1. Immunity CANVAS
2. SecretAgent
3. Cyber-Ark Inter-Business Vault
4. EnCase Forensic Edition
5. KeyGhost SX
6. SafeKit
V. NEW TOOLS FOR LINUX PLATFORMS
1. ClairVoyanT SysAdmin (CVTSA) v0.2
2. OpenProtect v5.0.1.2
3. Fingerprint Verification System v0.1.0
4. Socks Server 5 v2.4mr2
5. smtp-vilter v1.1.4
6. Port Scan Attack Detector (psad) v1.3.1
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION


I. FRONT AND CENTER
-------------------
1. Checklist for Deploying an IDS
By Andy Cuff

The scope of this article considers the worst case scenario, that of
deploying a Network IDS on a remote network (target). The introduction of
an IDS into an organization's network can be sensitive and often has
political implications with the network staff, and thus a checklist
written from the perspective of an outside consultant (even if the IDS is
deployed internally) that appeases all parties can be useful to ensure a
successful implementation.

http://www.securityfocus.com/infocus/1754

2. A Very Small Step for Music-Kind
By Mark Rasch

The District of Columbia Court of Appeals' decision in the Verizon v. RIAA
case will likely be a small and pyrrhic victory for downloaders.

http://www.securityfocus.com/columnists/205


II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Xoops MyLinks Myheader.php Cross-Site Scripting Vulnerabilit...
BugTraq ID: 9269
Remote: Yes
Date Published: Dec 21 2003
Relevant URL: http://www.securityfocus.com/bid/9269
Summary:
Xoops is open-source, freely available web portal software written in
object-oriented PHP. It is back-ended by a MySQL database and will run on
most Unix and Linux distributions.

Xoops is prone to a cross-site scripting vulnerability in the
'myheader.php' script included in the mylinks module. The source of the
problem is that HTML and script code are not adequately sanitized from
input supplied via URI parameters, which will then be included in
dynamically generated web pages. In particular, the 'url' parameter is
affected by this issue. A remote attacker could exploit this issue by
embedding hostile HTML and script code in a malicious link to the
vulnerable script. The attacker-supplied code will be interpreted in the
context of the site hosting the vulnerable software.

Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible since an attacker can
influence how the site will be rendered to a victim user.

This issue was reported in Xoops 2.0.5.1. It is likely that other
versions are also affected.

2. PServ Web Server Directory Traversal Vulnerability
BugTraq ID: 9276
Remote: Yes
Date Published: Dec 22 2003
Relevant URL: http://www.securityfocus.com/bid/9276
Summary:
pServ is a freely available, open source web server package. It is
available for the Unix and Linux platforms.

A vulnerability has been identified in the handling of certain types of
requests by pServ. Because of this, it is possible for an attacker to
gain access to potentially sensitive system files.

The problem is in the handling of directory traversal strings. When a
request containing double-slash (//) sequences is placed to a pServ web
server, the program allows a remote user to escape the web root directory.
This issue could be exploited to gain read access to files on a host using
the vulnerable software. Read privileges granted to these files would be
restricted by the permissions of the web server process.
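
The following is an added example, not pServ source code: one way a C web server can map a request path onto its web root so that double-slash and dot-dot sequences cannot escape it. The function names and the "/var/www" root are assumptions, and the path is assumed to be percent-decoded already.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not pServ source. Lexically normalises a request
 * path: collapses runs of '/', drops "." segments, resolves ".." and
 * rejects any path that would climb above the web root. Returns 0 or -1. */
int normalize_request_path(const char *req, char *out, size_t outsz)
{
    size_t len = 0;                      /* bytes currently stored in out */
    const char *p = req;

    if (req == NULL || out == NULL || outsz < 2 || req[0] != '/')
        return -1;
    while (*p != '\0') {
        const char *seg;
        size_t seglen;
        while (*p == '/')                /* "//" counts as one separator */
            p++;
        seg = p;
        while (*p != '\0' && *p != '/')
            p++;
        seglen = (size_t)(p - seg);
        if (seglen == 0 || (seglen == 1 && seg[0] == '.'))
            continue;                    /* nothing to add */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == 0)
                return -1;               /* ".." at the root: refuse */
            while (out[len - 1] != '/')
                len--;                   /* drop the last segment ... */
            len--;                       /* ... and its leading '/' */
            continue;
        }
        if (len + 1 + seglen + 1 > outsz)
            return -1;                   /* result would not fit */
        out[len++] = '/';
        memcpy(out + len, seg, seglen);
        len += seglen;
    }
    if (len == 0)
        out[len++] = '/';
    out[len] = '\0';
    return 0;
}

/* Joins the normalised path onto docroot (hypothetical helper name). */
int resolve_under_root(const char *docroot, const char *req,
                       char *out, size_t outsz)
{
    char norm[1024];
    int n;
    if (normalize_request_path(req, norm, sizeof norm) != 0)
        return -1;
    n = snprintf(out, outsz, "%s%s", docroot, norm);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample requests; "/var/www" is an assumed web root. */
    const char *reqs[] = { "/index.html", "//etc/passwd", "/a//b/../c",
                           "/../etc/passwd", "/a/..//../etc/passwd" };
    char fs[2048];
    size_t i;
    for (i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int ok = resolve_under_root("/var/www", reqs[i], fs, sizeof fs) == 0;
        printf("%-24s -> %s\n", reqs[i], ok ? fs : "(rejected)");
    }
    return 0;
}
```

The check is purely lexical; a server that follows symbolic links should also compare the realpath() of the result against the realpath() of the web root.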

3. Red Hat Linux 2.4 Kernel Multiple Potential Vulnerabilities
BugTraq ID: 9284
Remote: No
Date Published: Dec 23 2003
Relevant URL: http://www.securityfocus.com/bid/9284
Summary:
Red Hat Linux has released a 2.4 Kernel update to fix multiple potential
security issues.

The issues are as follows:

Red Hat has reported that ioctls of several RTC drivers have been fixed to
prevent potential data leaks. A privileged attacker may potentially
exploit this condition to gain access to sensitive data. This may be
related to BID 9154.

A previous kernel upgrade may have caused certain --reject-with
tcp-reset IPTABLES rules to malfunction. This may lead an administrator
into a false sense of security or introduce security exposures since
existing or newly created rules may not function properly.

It has been reported that if a bonding interface that does not have an IP
address is initiated, the bonding process and kernel may panic due to a
reference to a null pointer. This may require superuser privileges but
could be exposed via third-party setuid applications that may perform this
operation, though this has not been confirmed.

Other non-security related issues were also addressed in this upgrade.

4. Webfroot Shoutbox Viewshoutbox.PHP Cross-Site Scripting Vuln...
BugTraq ID: 9289
Remote: Yes
Date Published: Dec 23 2003
Relevant URL: http://www.securityfocus.com/bid/9289
Summary:
Webfroot Shoutbox is a web application designed to allow web site visitors
a chance to leave messages. It is implemented in PHP and is available for
the Unix, Linux, and Microsoft Windows platforms.

Webfroot Shoutbox is prone to a cross-site scripting vulnerability in the
'viewshoutbox.php' script. The source of the problem is that HTML and
script code are not adequately sanitized from input supplied via the
'error' URI parameter. This input will be included in dynamically
generated web pages. A remote attacker could exploit this issue by
embedding hostile HTML and script code in a malicious link to the
vulnerable script. The attacker-supplied code will be interpreted in the
context of the site hosting the vulnerable software.

Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.

It should be noted that although this issue has been reported to affect
Webfroot Shoutbox version 2.32, other versions might also be affected.

5. phpBB Privmsg.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 9290
Remote: Yes
Date Published: Dec 23 2003
Relevant URL: http://www.securityfocus.com/bid/9290
Summary:
phpBB is an open-source web forum application that is written in PHP and
supported by a number of database products. It will run on most Unix and
Linux variants, as well as Microsoft Windows operating systems.

phpBB is prone to a cross-site scripting vulnerability in the
'privmsg.php' script. The source of the problem is that HTML and script
code are not adequately sanitized from input supplied via the 'mode' URI
parameter. This input will be included in dynamically generated web pages.
A remote attacker could exploit this issue by embedding hostile HTML and
script code in a malicious link to the vulnerable script. The
attacker-supplied code will be interpreted in the context of the site
hosting the vulnerable software.

Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.

It should be noted that although this issue has been reported to affect
phpBB version 2.0.6, other versions might also be affected.

6. Squirrelmail G/PGP Encryption Plugin Remote Command Executio...
BugTraq ID: 9296
Remote: Yes
Date Published: Dec 25 2003
Relevant URL: http://www.securityfocus.com/bid/9296
Summary:
Squirrelmail is a freely available, open source webmail package. It is
available for the Unix and Linux platforms.

A problem in the handling of some types of input passed to the
Squirrelmail G/PGP Plugin has been discovered. This issue may make it
possible for a remote user to gain unauthorized access to a system hosting
the vulnerable application.

The problem is in the checking of input. When an e-mail is sent to a user
through a Squirrelmail implementation which uses the G/PGP plugin, the
program does not sufficiently sanitize user input. Because of this, an
attacker can place shell commands in the To: line of an e-mail sent
through Squirrelmail which, when encrypted with the G/PGP plugin, forces
the execution of the commands supplied by the attacker.

It should be noted that this issue is limited by the permissions of the
web server process.

**December 26, 2003 - The vendor has reported that Squirrelmail version
1.4.2 is not vulnerable to this issue, however, Squirrelmail version 1.4.0
with GPG version 1.2 is reportedly vulnerable. This information cannot be
completely verified at the moment; therefore this BID will be updated as
more information becomes available.

7. Surfboard httpd Remote Buffer Overflow Vulnerability
BugTraq ID: 9299
Remote: Yes
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9299
Summary:
Surfboard is a freely available web server implementation for Unix/Linux
variants.

A vulnerability has been identified in Surfboard web server when handling
certain URL requests. Because of this, it may be possible for a remote
attacker to gain unauthorized access to a system running the vulnerable
software. The condition is present due to insufficient boundary checking.

The issue presents itself when an attacker sends a specially crafted URL
request with more than 1024 characters to the server daemon. Immediate
consequences of an attack may result in a denial of service condition.

An attacker may leverage the issue by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing an
affected procedure to return to an address of their choice. Successful
exploitation of this issue may allow an attacker to execute arbitrary code
in the context of the vulnerable software in order to gain unauthorized
access, however, this has not been confirmed at the moment.

Surfboard version 1.1.9 has been reported to be prone to this issue,
however, other versions may be affected as well.
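
The following is an added example, not Surfboard source code: the unbounded-copy pattern described above beside a bounds-checked form that rejects an over-long URL instead of copying it. The function names, the status codes returned and the request lines are assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define URL_MAX 1024  /* mirrors the 1024-character limit in the advisory */

/* Unsafe pattern, shown for contrast only: the destination size is never
 * consulted, so a long request overruns the caller's buffer. */
void extract_url_unsafe(const char *request_line, char *url)
{
    const char *start = strchr(request_line, ' ');

    if (start == NULL) {
        url[0] = '\0';
        return;
    }
    strcpy(url, start + 1);              /* unbounded copy */
}

/* Hardened form: measure first, copy second. Returns 200 on success,
 * 400 for a malformed request line, 414 when the URL does not fit. */
int extract_url_checked(const char *request_line, char *url, size_t urlsz)
{
    const char *start, *end;
    size_t n;

    if (request_line == NULL || url == NULL || urlsz == 0)
        return 400;
    start = strchr(request_line, ' ');
    if (start == NULL)
        return 400;
    start++;
    end = strchr(start, ' ');            /* URL ends at the next space ... */
    if (end == NULL)
        end = start + strcspn(start, "\r\n");   /* ... or at end of line */
    n = (size_t)(end - start);
    if (n == 0)
        return 400;
    if (n >= urlsz)
        return 414;                      /* keep room for the terminator */
    memcpy(url, start, n);
    url[n] = '\0';
    return 200;
}

/* Builds a constructed request whose URL is n characters long and runs it
 * through the checked parser (test helper for this example). */
int check_url_of_length(size_t n)
{
    static char req[4096];
    char url[URL_MAX];

    if (n + 16 > sizeof req)
        return -1;
    memcpy(req, "GET ", 4);
    memset(req + 4, 'a', n);
    if (n > 0)
        req[4] = '/';
    memcpy(req + 4 + n, " HTTP/1.0", 10);   /* copies the NUL as well */
    return extract_url_checked(req, url, sizeof url);
}

int main(void)
{
    printf("1023-char URL -> %d\n", check_url_of_length(1023));
    printf("1024-char URL -> %d\n", check_url_of_length(1024));
    printf("2000-char URL -> %d\n", check_url_of_length(2000));
    return 0;
}
```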

8. OpenBB Index.PHP Remote SQL Injection Vulnerability
BugTraq ID: 9300
Remote: Yes
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9300
Summary:
OpenBB is a freely available, open source bulletin board software package.
It is available for Unix, Linux, and Microsoft Windows operating systems.

A problem with the software may make it possible for remote users to
modify database query logic.

It has been reported that OpenBB does not properly check input passed via
the 'CID' parameter of 'index.php' script. Because of this, it may be
possible for a remote user to inject malicious arbitrary SQL queries in
the context of the database user for the bulletin board software. The
consequences of successful exploitation will vary depending on the
underlying database implementation, but may allow for disclosure of
sensitive information such as administrator passwords or remote compromise
of the bulletin board or database itself.

OpenBB 1.06 has been reported to be prone to this issue, however, other
versions could be affected as well.

This issue may be related to BID 7401.


III. LINUX FOCUS LIST SUMMARY
-----------------------------
NO NEW POSTS FOR THE WEEK 2003-12-23 to 2003-12-30.


IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:

Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so choose.

Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system administrators, and an advanced
development platform for exploit developers, or people learning to become
exploit developers.

2. SecretAgent
By: Information Security Corporation (ISC)
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT,
Windows XP
Relevant URL: http://www.infoseccorp.com/products/secretagent/contents.htm
Summary:

SecretAgent is a file encryption and digital signature utility, supporting
cross-platform interoperability over a wide range of platforms: Windows,
Linux, Mac OS X, and UNIX systems.

It's the perfect solution for your data security requirements, regardless
of the size of your organization.

Using the latest recognized standards in encryption and digital signature
technology, SecretAgent ensures the confidentiality, integrity, and
authenticity of your data.

3. Cyber-Ark Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:

Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely share
business information among customers, business partners, and remote
branches. It provides a seamless, LAN-like experience over the Internet
that includes all the security, performance, accessibility, and ease of
administration required to allow organizations to share everyday
information worldwide.

4. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, Solaris,
UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:

EnCase Forensic Edition Version 4 delivers the most advanced features for
computer forensics and investigations. With an intuitive GUI and superior
performance, EnCase Version 4 provides investigators with the tools to
conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award winning solution yields completely
non-invasive computer forensic investigations while allowing examiners to
easily manage large volumes of computer evidence and view all relevant
files, including deleted files, file slack and unallocated space.

The integrated functionality of EnCase allows the examiner to perform all
functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.

5. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, Windows
95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:

KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity
within an accounting or specialist system. It is completely undetectable
by software scanners and provides you with one of the most powerful
stealth surveillance applications offered anywhere.

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded data
in its own internal memory (not on the hard drive), it is impossible for
a network intruder to gain access to any sensitive data stored within the
device.

6. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:

Evidian's SafeKit technology makes it possible to render any application
available 24 hours per day. With no extra hardware: just use your existing
servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to do
is add more standard servers into the cluster. With the load balancing
features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to serve
your users.


V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. ClairVoyanT SysAdmin (CVTSA) v0.2
By: Ardoino Paolo
Relevant URL: http://cvtsa.sourceforge.net/
Platforms: Linux
Summary:

CVTSA is a tool for GNU/Linux written in C that allows a user to run any
command he wants on his Linux box even if he is far from his computer.
CVTSA works as a shell but receives commands via email (email can be
sent from a standard mailbox, from WAP, or from some companies' services
that allow emails to be sent as SMS). There are some security features
that make CVTSA quite safe. First of all, the user has to choose a password
(which he has to write in all emails, before the commands, and when he
starts CVTSA) so that ClairVoyanT SysAdmin can recognize his emails and no
one else can run commands. Then there is a command wrapper file where the
user can set denied commands and running policies. A mail wrapper allows
the user to choose which email addresses to accept commands from.

2. OpenProtect v5.0.1.2
By: OpenProtect is a server-side email protector which guards against spam
and viruses in addition to pr
Relevant URL: http://opencomputing.sf.net
Platforms: Linux
Summary:

OpenProtect is a server-side email protector which guards against spam and
viruses in addition to providing content filtering, using a variety of
open-source packages. It supports Sendmail, Postfix, Exim and qmail, and
is easy to install and maintain.

3. Fingerprint Verification System v0.1.0
By: Shivang Patel
Relevant URL: http://fvs.sourceforge.net/
Platforms: FreeBSD, Linux, UNIX, Windows 2000, Windows 95/98, Windows NT
Summary:

Fingerprint Verification System is an easy-to-use library that allows
programmers to integrate fingerprint technology into their software
without specific know-how. It is fast and small, and is great for embedded
systems.

4. Socks Server 5 v2.4mr2
By: Matteo Ricchetti
Relevant URL: http://digilander.iol.it/matteo.ricchetti/
Platforms: Linux
Summary:

Socks Server 5 is a socks server for the Linux platform which supports the
Socks protocol versions 4 and 5.

5. smtp-vilter v1.1.4
By: Micro Systems
Relevant URL: http://www.etc.msys.ch/software/smtp-vilter/
Platforms: FreeBSD, Linux, OpenBSD, POSIX, UNIX
Summary:

smtp-vilter is a high-performance content filter for sendmail-based email
servers. It is mainly meant for detecting viruses. It uses the milter API
to connect to sendmail, and it can scan email messages using various
backends.

6. Port Scan Attack Detector (psad) v1.3.1
By: Michael Rash
Relevant URL: http://www.cipherdyne.org/
Platforms: Linux
Summary:

Port Scan Attack Detector (psad) is a collection of three lightweight
system daemons written in Perl and C that are designed to work with Linux
iptables firewalling code to detect port scans and other suspect traffic.
It features a set of highly configurable danger thresholds (with sensible
defaults provided), verbose alert messages that include the source,
destination, scanned port range, begin and end times, TCP flags and
corresponding nmap options, email alerting, DShield reporting, and
automatic blocking of offending IP addresses via dynamic configuration of
iptables firewall rulesets. In addition, psad incorporates many of the
TCP, UDP, and ICMP signatures included in Snort to detect highly suspect
scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven),
DDoS tools (mstream, shaft), and advanced port scans (syn, fin, Xmas)
which are easily leveraged against a machine via nmap. Psad also uses
packet TTL, IP id, TOS, and TCP window sizes to passively fingerprint the
remote operating system from which scans originate.


Posted on Thursday, 01 January 2004 @ 04:10:00 EST by phoenix22