AERAsec
Network Security
Current Security Messages


Most of the links point to the original advisories at CERT, the vendor or other organisations, so changes there (in particular which patches to install or which configuration changes avoid a vulnerability) are reflected immediately. Some of the linked files are served via FTP.

Note: if a well-known risk in a widely used platform or program is not listed here, that does not mean this particular platform or program is safe to use.

Chosen month 01 / 2001

System: TurboLinux
Topic: Vulnerability in LPRng
Links: TLSA2001001
ID: ae-200101-056

The LPRng port (versions prior to 3.6.26) contains a vulnerability which may allow root compromise from both local and remote systems. It is due to incorrect use of the syslog function (user-controlled data is passed as the format string). A patch is available now.

System: Red Hat Linux
Topic: Vulnerabilities in inetd and bind
Links: RHSA-2001-006, RHSA-2001-007, ERS-2001:41, ERS-2001:42
ID: ae-200101-055

The inetd server as shipped with Red Hat Linux 6.2 fails to close sockets for its internal services properly. Once enough resources have leaked, services stop working. These internal services are normally not enabled.
Several vulnerabilities have been found in BIND, the name server. Some of them may lead to a root compromise.
Patches are available now.

System: Microsoft Windows 2000
Topic: Vulnerability in Hotfix packaging
Links: MS01-005, L-041, WinITSec, ERS-2001:033
ID: ae-200101-054

No further comment, as Microsoft insists on its copyright on advisories; see the linked bulletin for details.

System: SuSE Linux
Topic: Vulnerabilities in glibc, kdesu, and BIND
Links: SuSE-SA:2001:01, SuSE-SA:2001:02, SuSE-SA:2001:03
ID: ae-200101-053

In glibc a vulnerability has been found which may allow user-defined libraries to be loaded by the dynamic linker ld-linux.so.2 into SUID programs. kdesu may be tricked into handing the root password to an attacker. Several holes in BIND may also compromise the root account. Patches for all of these problems are available now.

System: OpenBSD
Topic: Vulnerabilities in BIND
Links: OpenBSD
ID: ae-200101-052

Multiple vulnerabilities have been found in BIND, the Berkeley Internet Name Daemon, in versions prior to 4.9.8 and prior to 8.2.3. Version 9.x is not affected. Some of the holes may lead to a root compromise of a system running a vulnerable BIND. New packages with a corrected BIND are available now and should be installed as soon as possible, because tools exploiting these holes are already in circulation.

System: Debian Linux
Topic: Vulnerabilities in exmh, inn2, cron, openssh, and bind
Links: DSA-022, DSA-023, DSA-024, DSA-025, DSA-026
ID: ae-200101-051

Some versions of exmh use /tmp for temporary files without checking whether somebody has placed a symlink of the same name there. exmh is therefore vulnerable to a symlink attack, which may allow an attacker to overwrite any file writable by the user running exmh. In inn2, insecure handling of temporary files has likewise been found; additionally, a buffer overflow and a Denial-of-Service may be possible. A bug in the way new crontabs are handled may allow an attacker to display arbitrary crontab files on the local system; this only affects valid crontab files, so it cannot be used to read /etc/shadow or similar. On SPARC servers, openssh has a bug that may prevent users from connecting at all. Several critical vulnerabilities have been found in BIND, some of which may lead to a root compromise. Patches fixing the mentioned problems are available.

System: Linux Mandrake
Topic: Vulnerabilities in BIND
Links: MDKSA-2001:017
ID: ae-200101-050

Multiple vulnerabilities have been found in BIND, the Berkeley Internet Name Daemon, in versions prior to 4.9.8 and prior to 8.2.3. Version 9.x is not affected. Some of the holes may lead to a root compromise of a system running a vulnerable BIND. New packages with a corrected BIND are available now and should be installed as soon as possible, because tools exploiting these holes are already in circulation.

System: OpenLinux
Topic: Vulnerabilities in BIND
Links: CSSA-2001-008 (008-1)
ID: ae-200101-049

As Caldera also reports, several security problems have been discovered in the most recent versions of BIND 8 (8.2.2p7). One of them is a buffer overflow that can potentially be exploited to execute arbitrary code with the privileges of the user BIND runs as. A workaround and updated packages are available.

System: Unix
Topic: Multiple Vulnerabilities in BIND
Links: CA-2001-02, ISC, ISS-072, L-030, ERS-2001:031, WinITSec, PGP-047, AA-2001.01, S-01-08
ID: ae-200101-048

Four critical vulnerabilities have been found in recent versions of the well-known name server BIND, affecting many systems:
- ISC BIND 8 contains a buffer overflow in the transaction signature (TSIG) handling code.
  This vulnerability may allow an attacker to execute code with the privileges of the BIND server. Because BIND is typically run as root, the code would execute with root privileges.
- ISC BIND 4 contains a buffer overflow in nslookupComplain().
  This vulnerability can disrupt the operation of the BIND server and may allow an attacker to execute code with the privileges of the BIND server; here too, the root account may be compromised.
- ISC BIND 4 contains an input validation error in nslookupComplain().
  This vulnerability may allow an attacker to execute code with the privileges of the BIND server; again, the root account may be compromised.
- Queries to ISC BIND servers may disclose environment variables.
  This vulnerability may allow attackers to read information from the program stack, possibly exposing environment variables, which can assist further attacks.
Please refer to the advisory for information about your system and install the patched version!

System: Microsoft IIS 4.0, 5.0
Topic: Vulnerability caused by File Fragment Reading via .HTR
Links: MS01-004, WinITSec, CSB01-02
ID: ae-200101-047

No further comment, as Microsoft insists on its copyright on advisories; see the linked bulletin for details.

System: HP-UX
Topic: Vulnerability in man found
Links: HP Security Bulletin #00138, ERS-2001:030, L-034
ID: ae-200101-046

On HP9000 Series 700 and 800 a vulnerability in man has been found. By exploiting it, local users can cause a Denial-of-Service (DoS). Patches are available and should be installed:

System        Patch-ID
HP-UX 10.01   PHCO_23091
HP-UX 10.10   PHCO_23090
HP-UX 10.20   PHCO_23089
HP-UX 10.24   PHCO_23178
HP-UX 11.00   PHCO_23088
HP-UX 11.04   PHCO_23178

System: Red Hat Linux
Topic: Vulnerabilities in php and icecast
Links: RHSA-2000-136, RHSA-2001-004, ERS-2001:027, ERS-2001:028
ID: ae-200101-045

Under some conditions PHP 3.0.17 crashes; updated packages are available now. A format string vulnerability has been found in icecast, which allows execution of arbitrary code. Patches are available here as well and should be installed soon.

System: Linux Mandrake
Topic: Vulnerabilities in exmh and webmin
Links: MDKSA-2001:015, MDKSA-2001:016
ID: ae-200101-044

The way exmh stores files in /tmp is insecure, so symlink attacks are possible. webmin also handles temporary files insecurely, which may lead to a root compromise of the system. Patches are available now and should be installed as soon as possible.

System: Debian Linux
Topic: Vulnerabilities in squid, php4, and apache
Links: DSA-019, DSA-020, DSA-021
ID: ae-200101-043

When squid sends e-mails to the administrator, a race condition may occur, so arbitrary files could be overwritten. php4 is vulnerable to a Denial-of-Service attack and may leak the "engine on"/"engine off" state between hosts; with specially crafted HTTP requests it is also possible to make php4 serve the next page with wrong directive values. In apache, htdigest and htpasswd open temporary files insecurely; the patched package also contains a fix in mod_rewrite. Patches for all of these problems are available.

System: OpenBSD
Topic: Problems with rnd
Links: OpenBSD-017
ID: ae-200101-042

The rnd(4) device does not use all of the data written to it as entropy input. A patch is available now.

System: FreeBSD
Topic: Vulnerabilities found in XFree86, ipfw/ip6fw, crontab, and bind
Links: FreeBSD-SA-01:07, FreeBSD-SA-01:08, FreeBSD-SA-01:09, FreeBSD-SA-01:10, L-029, ERS-2001:021, ERS-2001:022, ERS-2001:023, ERS-2001:024, S-01-05, S-01-06, S-01-07
ID: ae-200101-041

XFree86 is a popular X server. It has multiple vulnerabilities that may allow a Denial-of-Service attack; additionally, local users may gain elevated privileges. ipfw is a system facility for IP packet filtering, redirection and traffic accounting. It can be tricked by packets with the (experimental) ECE flag set: rules for established connections accept such packets even if they do not belong to an established connection. crontab contains a vulnerability that may allow local users to read any file on the system. bind has a vulnerability concerning compressed zone transfers (ZXFR); under certain circumstances bind will crash. This problem is solved in bind 8.2.3. Patches fixing these problems are available now.

System: Microsoft Windows NT 4.0
Topic: Problems with Winsock Mutex
Links: MS01-003, ERS-2001:029
ID: ae-200101-040

No further comment due to Microsoft insisting on their Copyright on advisories.

System: ATT Labs
Topic: Vulnerability in VNC
Links: WinITSec
ID: ae-200101-039

AT&T VNC is a freeware remote control package that authenticates with a challenge-and-response mechanism. An attacker can use a design flaw in this mechanism to mount a simple man-in-the-middle attack and gain unauthorized access to hosts running VNC. It is recommended to use VNC over encrypted connections only (note that the tunnel endpoint must itself be authenticated, otherwise the man-in-the-middle simply moves to the tunnel).
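
The flaw behind this entry is generic: a challenge-response proof that depends only on the password and the challenge can be relayed by anyone sitting between client and server. The following is an added example (not code from the original page, and not VNC's own implementation) modelling that relay. VNC actually DES-encrypts the server's 16-byte challenge under the password; HMAC-SHA256 is used here as a stand-in, an assumption that does not change the result because the relay never needs to compute the proof itself. The `channel_id` binding in the hardened variant is likewise an assumed illustration of what an authenticated encrypted channel buys you.

```python
import hashlib
import hmac
import os

PASSWORD = b"s3cret-vnc-pw"   # constructed sample credential, not a real one


def prove(password: bytes, challenge: bytes, channel_id: bytes = b"") -> bytes:
    """Client's proof of password knowledge. Stand-in for VNC's DES(challenge, key=password):
    HMAC-SHA256 is assumed here; the relay below works for any keyed function.
    channel_id is empty in the classic scheme and identifies the transport in the
    hardened one (e.g. the fingerprint of the peer's key on an encrypted channel)."""
    return hmac.new(password, challenge + channel_id, hashlib.sha256).digest()


class VncLikeServer:
    def __init__(self, password: bytes) -> None:
        self.password = password
        self.channel_id = os.urandom(16)   # identity of *this* server's channel, assumed
        self.pending = b""

    def send_challenge(self) -> bytes:
        self.pending = os.urandom(16)      # fresh random 16-byte challenge, as in VNC
        return self.pending

    def check(self, resp: bytes, bind_channel: bool) -> bool:
        expected = prove(self.password, self.pending,
                         self.channel_id if bind_channel else b"")
        return hmac.compare_digest(expected, resp)


class VncLikeClient:
    def __init__(self, password: bytes) -> None:
        self.password = password

    def respond(self, challenge: bytes, peer_channel_id: bytes, bind_channel: bool) -> bytes:
        # The client binds to the channel it actually talks on, whoever is at the other end.
        return prove(self.password, challenge, peer_channel_id if bind_channel else b"")


def legitimate_login(bind_channel: bool) -> bool:
    """Sanity check: a direct client<->server exchange succeeds in both modes."""
    server, client = VncLikeServer(PASSWORD), VncLikeClient(PASSWORD)
    chal = server.send_challenge()
    return server.check(client.respond(chal, server.channel_id, bind_channel), bind_channel)


def relay_attack(bind_channel: bool) -> bool:
    """The man-in-the-middle: the attacker opens its own session to the real server,
    poses as the server towards the real client, and relays the two messages.
    Returns True if the attacker ends up authenticated to the real server."""
    server, client = VncLikeServer(PASSWORD), VncLikeClient(PASSWORD)
    attacker_channel_id = os.urandom(16)   # the attacker's endpoint as the client sees it

    chal = server.send_challenge()                                     # 1. server -> attacker
    resp = client.respond(chal, attacker_channel_id, bind_channel)     # 2. attacker -> client (forwarded challenge)
    return server.check(resp, bind_channel)                            # 3. attacker -> server (replayed response)


if __name__ == "__main__":
    print("classic scheme, relay succeeds:", relay_attack(bind_channel=False))
    print("channel-bound scheme, relay fails:", relay_attack(bind_channel=True))
```

In the classic scheme the attacker never learns the password and never computes anything, yet is logged in; with the response bound to the channel, the client's proof is only valid on the attacker's connection, where it is worthless. Tunnelling VNC through an encrypted, authenticated channel achieves the same effect by preventing the attacker from being in the middle at all.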

System: Lotus Domino Notes Server 5.x
Topic: Vulnerability caused by buffer overflow
Links: WinITSec
ID: ae-200101-038

The Lotus Domino SMTP server contains a policy feature used to prevent relaying of e-mail. An attacker can trigger a buffer overflow through a hole in this feature and execute arbitrary commands. This vulnerability is fixed in version 5.0.6.

System: Open Linux
Topic: Vulnerabilities in kdesu and glibc
Links: CSSA-2001-005, CSSA-2001-007
ID: ae-200101-037

KDE2 ships the program kdesu to run certain administrative commands under the superuser account. A bug in kdesu allows any user on the system to steal the passwords entered at the kdesu prompt. A serious security problem in the ELF shared library loader of glibc can be exploited to overwrite arbitrary files on the system. Patches are available now.

System: Debian Linux
Topic: Vulnerabilities in micq, MySQL, splitvt, sash, wu-ftpd, jazip, and tinyproxy
Links: DSA-012, DSA-013, DSA-014, DSA-015, DSA-016, DSA-017, DSA-018
ID: ae-200101-036

A buffer overflow in a sprintf() call in micq versions 0.4.6 and earlier has been found; remote attackers able to sniff packets to the ICQ server can use it to execute arbitrary code on the victim system. A buffer overflow in the mysql server is likewise remotely exploitable. splitvt is vulnerable to numerous buffer overflows and a format string attack, allowing an attacker to gain root access. Versions of the sash package prior to 3.4-4 do not clone /etc/shadow properly, leaving it world-readable. A temp-file creation bug and a possible format string bug were found in wu-ftpd. Older versions of jazip let members of the floppy group gain root access on the local machine. A heap overflow in tinyproxy is remotely exploitable; an attacker can obtain a shell as user nobody. Patches are available now.

System: Red Hat Linux 7.0
Topic: Vulnerability in mysql
Links: RHSA-2001-003, ERS-2001:026
ID: ae-200101-035

Several security problems concerning buffer overflows and information protection were reported in MySQL as shipped with Red Hat Linux 7.0. They are fixed in version 3.23.32, which is available now; download links for the packages are given in the advisory.

System: Microsoft PowerPoint 2000
Topic: Security risk by opening files
Links: MS01-002, WinITSec, ERS-2001:020, S-01-04
ID: ae-200101-034

No further comment, as Microsoft insists on its copyright on advisories; see the linked bulletin for details.

System: Oracle 8.1.7 & Windows 2000
Topic: Oracle JSP/SQLJS handlers allow viewing files and executing JSP outside the web root
Links: GG-036
ID: ae-200101-033

It is possible to view files outside the web root, and also to execute .jsp files outside the web root that reside on the same partition as the web server's root.
Other versions may be affected as well, but this has not been tested.
See the linked advisory for details, including demonstration URLs.

System: Linux Mandrake 7.2
Topic: Some versions of MySQL may allow to get encrypted password of mysql.user table
Links: MDKSA-2001-014
ID: ae-200101-032

A security problem exists in all versions of MySQL after 3.23.2 and prior to 3.23.31: the SHOW GRANTS command can be executed by any user, making it possible for anyone with a MySQL account to obtain the encrypted passwords from the mysql.user table. Version 3.23.31 fixes this.
Solution: upgrade to the newest version; because of library changes the PHP package must be updated as well (see the linked advisory for details).

System: Caldera OpenLinux eDesktop 2.4, eServer 2.3.1, eBuilder
Topic: Insecure temp file handling of webmin can cause local root exploit
Links: CSSA-2001-004.0
ID: ae-200101-031

On several occasions webmin creates temporary files insecurely. A local attacker can exploit this to overwrite or create arbitrary files and possibly gain root privileges.
Currently there is no known exploit for this problem, but there is no workaround either.
Solution: upgrade to fixed packages (see given URL for details)

System: FastStream FTP++
Topic: Several vulnerabilities found
Links: WinITSec
ID: ae-200101-030

Multiple vulnerabilities have been discovered in FastStream FTP++ Beta 10 Build 2. The first is a DoS: an attacker can flood the FTP server by sending requests of 2048 bytes or more. The second allows an attacker to browse and obtain directory listings outside the FTP root; a simple "ls C:\" returns a listing of the C drive. The third concerns how usernames and passwords are stored: FastStream keeps them in an unencrypted file. FastStream has published a new beta version that eliminates only the second vulnerability.

System: LocalWeb 2000
Topic: Security risk by leaving Web directory
Links: WinITSec
ID: ae-200101-029

A vulnerability has been identified in LocalWeb 2000 1.1.0. By inserting "../" sequences into a URL an attacker can read files outside the web root directory. A patch is expected soon.
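
The LocalWeb "../" bug, the FastStream "ls C:\" listing and the Oracle JSP entry above (and the Lotus Domino web server entry further down) are all the same mistake: the request path is glued onto the document root without checking where the result actually ends up. The following is an added example, not code from the original page or from any of those products, showing the vulnerable resolver next to a hardened one and replaying a few traversal requests against a constructed document root. It assumes a POSIX host; the web root, file names and request strings are all made up for the demonstration.

```python
import os
import tempfile
from typing import Dict, Optional, Tuple
from urllib.parse import unquote


def vulnerable_resolve(web_root: str, url_path: str) -> str:
    """The bug pattern: decode and append. Nothing stops '../' from walking out of web_root."""
    return os.path.join(web_root, unquote(url_path).lstrip("/"))


def safe_resolve(web_root: str, url_path: str) -> Optional[str]:
    """Decode exactly once, canonicalise, then check the *canonical* result is still under
    the canonical root. realpath() also resolves symlinks, so a link inside the root that
    points outside is rejected too. Returns None when the request escapes the root."""
    root = os.path.realpath(web_root)
    relative = unquote(url_path).lstrip("/")
    candidate = os.path.realpath(os.path.join(root, relative))
    # commonpath compares whole components, unlike startswith (which would accept /htdocs2 for /htdocs)
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def _read(path: Optional[str]) -> Optional[str]:
    """What the server would send back for that path, or None if refused/missing."""
    if path is None:
        return None
    try:
        with open(path, "r") as f:
            return f.read()
    except OSError:
        return None


def demo_traversal() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Builds a scratch document root with one legitimate page, a secret file outside it and a
    symlink inside it pointing outside, then maps each request to
    (what the vulnerable resolver serves, what the hardened resolver serves)."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "htdocs")
        os.makedirs(root)
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>hi</h1>")
        with open(os.path.join(base, "secret.txt"), "w") as f:     # outside the web root
            f.write("s3cret")
        os.symlink(os.path.join(base, "secret.txt"), os.path.join(root, "link"))

        requests = [
            "/index.html",           # legitimate
            "/../secret.txt",        # plain traversal (the LocalWeb case)
            "/%2e%2e/secret.txt",    # URL-encoded traversal
            "/link",                 # symlink inside the root escaping it
        ]
        return {
            r: (_read(vulnerable_resolve(root, r)), _read(safe_resolve(root, r)))
            for r in requests
        }


if __name__ == "__main__":
    for request, (vulnerable, hardened) in demo_traversal().items():
        print(f"{request:22} vulnerable -> {vulnerable!r:14} hardened -> {hardened!r}")
```

Two caveats a practitioner should keep in mind: decode once and check after the final decode (a server that decodes twice turns "%252e%252e" into "../" after the check has passed), and on Windows the check must additionally reject backslashes and drive letters, which is exactly how the FastStream listing of C:\ escaped the FTP root. Whether symlinks inside the root should be followed at all is a policy decision; the hardened resolver above refuses them.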

System: IBM AIX
Topic: Vulnerability in locale subsystem
Links: ERSi-2001:001
ID: ae-200101-028

In IBM AIX 3.2.x, 4.1.x, 4.2.x and 4.3.x a format string vulnerability in the locale subsystem has been found: a user-specified locale file may be used for displaying messages, and because of this hole local users may gain root access to the system. A patch is available.

System: Microsoft IE 4.x, 5.x, Microsoft Outlook & Outlook Express
Topic: Denial-of-Service by Stack Overflow
Links: WinITSec
ID: ae-200101-027

A stack overflow has been discovered in mshtml.dll, the library responsible for parsing HTML. Any program that uses this DLL, such as Internet Explorer (IE) 4.0 and later, Outlook and Outlook Express, is affected. The risk is considered low because the application "only" crashes and no further actions are known to be possible. Microsoft will address this bug in the next service pack for IE.

System: HP-UX
Topic: Vulnerability in Support Tools Manager
Links: HP Security Bulletin #00137, ERS-2001:018, L-035
ID: ae-200101-026

A defect in the Support Tool Manager application, typically used for hardware diagnostics, enables local users to cause a Denial-of-Service (DoS). Patches are available and should be installed:

System                    Patch-ID
HP-UX 10.20, Series 700   PHSS_23064
HP-UX 10.20, Series 800   PHSS_23065
HP-UX 11.00               PHSS_23066
HP-UX 11.11               PHSS_23067

System: Unix, Sun Solaris
Topic: Vulnerability in SSH with secure-RPC
Links: ERS-2001:016
ID: ae-200101-025

A bug in SSH 1.2.30 involving secure RPC has been found. (The SSH1 protocol is not formally supported by SSH Communications Security.) When secure RPC is used to encrypt a secret key file with the SUN-DES-1 magic phrase, SSH generates a "magic phrase" which is easily discoverable by other users on the same host or in the same NIS+ domain. A patch is available now.

System: Oracle Application Server & Oracle Internet Application Server
Topic: Vulnerability in mod_plsql
Links: ERS-2001:005
ID: ae-200101-024

Several vulnerabilities in mod_plsql were reported. A new configuration parameter of mod_plsql, exclusion_list, can now be used to prevent URLs of specific formats from being passed to mod_plsql. A patch introducing this parameter is available now.

System: Linux Mandrake 7.2
Topic: Security hole PHP4
Links: MDKSA-2001:013
ID: ae-200101-023

There are two security problems with php4 as shipped in Linux-Mandrake 7.2. First, PHP directives can be specified per directory under Apache, and a remote attacker can carefully craft an HTTP request that causes the next page to be served with the wrong values for these directives. Second, PHP can be activated and deactivated per directory or per virtual host with the "engine=on"/"engine=off" directive, and PHP can "leak" the "engine=off" setting to other virtual hosts on the same machine, effectively disabling PHP for those hosts and causing PHP source code to be sent to the client instead of being executed on the server. These vulnerabilities are corrected in PHP 4.0.4pl1.

System: Linux Mandrake 6.0, 6.1, 7.0, 7.1, 7.2, Corporate Server 1.0.1
Topic: Lokal root exploit of glibc possible
Links: MDKSA-2001:012
ID: ae-200101-022

The GNU C Library honours the LD_PRELOAD variable even for SUID/SGID applications (removing it from the environment afterwards) as long as it contains no '/' characters. A special check is meant to preload such libraries only if they have the SUID bit set; however, if a library was found via /etc/ld.so.cache, this check was not performed. As a result, a malicious user could preload a library located in /lib or /usr/lib into SUID/SGID applications and create or overwrite files he would not normally have permission to. In addition, LD_PROFILE output from SUID programs went to /var/tmp, making it vulnerable to various link attacks.
Solution: update package (see links for details)

System: UnixWare 7 Release 7.0.0, 7.0.1, 7.1.0, 7.1.1
Topic: Security exploits in the Verity Search Engine
Links: SB-01.01
ID: ae-200101-021

The Verity search engine used by scohelp(X1) is vulnerable to buffer overflows, allowing remote users to view world-readable system files and to gain privileged access on a UnixWare 7 server running scohelp.
A workaround is to disable scohelphttp(X1M) with the command "scohelphttp disable"; the disadvantage is that access to man pages and online documentation is disabled as well.
Customers running UnixWare 7 Release 7.0.0 or 7.0.1 should upgrade to Release 7.1.1, as 7.0.0 and 7.0.1 are no longer supported.
Customers running UnixWare 7 Release 7.1.0 or 7.1.1 should apply PTF7684a. See the advisory for details.

System: Linux Mandrake 6.0, 6.1, 7.0, 7.1, 7.2, Corporate Server 1.0.1
Topic: Temp-File creation bug in wu-ftpd 2.6.1
Links: MDKSA-2001-001-1, MDKSA-2001-001-2
ID: ae-200101-020

WireX discovered a temporary file creation bug in the 2.6.1 release of wu-ftpd; the problem is in the privatepw helper program. Linux-Mandrake 7.2 users must update to this package in any case, as it also fixes the security problems discussed in the prior advisory MDKSA-2000:014, which had not previously been addressed for 7.2.

System: Caldera Openlinux 2.3, 2.3.1, 2.4
Topic: Possible buffer overflow in dhcp client and server, TMP-File access problems in mgetty and inn
Links: CSSA-2001-001.0 (inn), CSSA-2001-002.0 (mgetty), CSSA-2001-003.0 (dhcp), ERS-2001:013, ERS-2001:014, ERS-2001:015
ID: ae-200101-019

The DHCP server and client have problems in their error logging code: an attacker can potentially overflow a static buffer and supply a string containing format directives. The solution is to upgrade to the fixed packages.
mgetty has a /tmp file problem in the fax reception code which could allow a determined attacker to overwrite system files. The solution is to upgrade to the fixed packages.
INN uses a temporary directory for several operations in an insecure manner, which could allow an attacker to gain access as the news user. Since INN is not supposed to work in a public temporary directory, apply the described workaround and point it at a temporary directory private to the news user.

System: Red Hat Linux 6.2 + 7.0
Topic: A Linux worm named Ramen attacks servers with default installion and outdated updates
Links: Symantec, Heise News, ISS-071, IN-2001-01, ERS-2001:019, ERS-2001:046, S-01-12
ID: ae-200101-018

Linux.Ramen is a collection of Linux scripts and utilities that arrives on the infected system as ramen.tgz. It tries to locate web servers running Red Hat Linux 6.2 or 7.0. Default installations of these two versions contain applications with known security flaws, namely rpc.statd and wu-ftpd. The worm exploits these flaws to gain access to the server and replaces its home page with the message:
RameN Crew--Hackers looooooooooooove noodles.
The worm then scans the Internet for further servers with these holes. The scanning consumes large amounts of bandwidth, which may flood servers on low-bandwidth links. The worm has no other malicious capabilities.
To prevent infection, update all packages to the latest version (see Red Hat Download) and disable daemons that are not used.
More information about the exploited daemons can be found in CA-2000-17 (rpc.statd) and CA-2000-13 (wu-ftpd).

System: FreeBSD ports collection & 4.1.1-STABLE
Topic: Several security holes found
Links: FreeBSD-SA-01:01 (OpenSSH), FreeBSD-SA-01:02 (syslog-ng), FreeBSD-SA-01:03 (bash1), FreeBSD-SA-01:04 (joe), FreeBSD-SA-01:05 (stunnel), FreeBSD-SA-01:06 (zope), ERS-2001:007, ERS-2001:008, ERS-2001:009, ERS-2001:010, ERS-2001:011, ERS-2001:012
ID: ae-200101-017

Several security holes were found in the FreeBSD ports collection:

Package     Problem                                              Affected Versions
OpenSSH     hostile server can abuse OpenSSH agent/X11 forwarding  FreeBSD < 4.2
syslog-ng   remote denial-of-service                             FreeBSD 3.5.1 & 4.2
bash1       creates insecure temporary files                     FreeBSD 3.5.1 & 4.2
joe         creates insecure recovery files                      FreeBSD 3.5.1 & 4.2
stunnel     potential remote compromise                          FreeBSD 3.5.1 & 4.2
zope        vulnerability allows escalation of privileges        FreeBSD 3.5.1 & 4.2

System: Microsoft Windows Media Player 7 & IE & Java enabled
Topic: Windows Media Player 7 and IE Java vulnerability - executing arbitrary programs
Links: GG-035, WinITSec
ID: ae-200101-016

Georgi Guninski reports a security vulnerability in Windows Media Player 7 in conjunction with IE with Java enabled, which allows reading local files and browsing directories and in turn executing arbitrary programs. This may lead to full control over the user's computer. A demonstration is available; a patch is not available yet. Workaround: disable Java.

System: Red Hat Linux 7.0, 6.x
Topic: Vulnerability in glibc
Links: RHSA-2001:001, ERS-2001:006, ERS-2001:017
ID: ae-200101-015

A couple of bugs in GNU C library 2.2 allow an unprivileged user to read restricted files and to preload libraries from /lib and /usr/lib into SUID programs even if those libraries have not been marked as such by root. Patches are available now.

System: Sun Solaris
Topic: Security risk in arp
Links: Sun Security Bulletin #00200, L-028, S-01-03
ID: ae-200101-014

The arp program displays and modifies the Internet-to-Ethernet address translation tables used by the Address Resolution Protocol (ARP). Prior to Solaris 8, arp was setgid, making it susceptible to certain setgid attacks. Patches are available now; they are listed in the advisory.

System: Linux Mandrake
Topic: Vulnerability in linuxconf
Links: MDKSA-2001:011
ID: ae-200101-013

A potential temporary file race in the vpop3d program of the linuxconf package has been found and is corrected by an available patch.

System: Debian Linux
Topic: Vulnerability in mgetty
Links: DSA-011
ID: ae-200101-012

In Debian Linux 2.2, mgetty does not create temporary files securely, which may allow a symlink attack. Patches are available now and should be installed as soon as possible.

System: Microsoft Office 2000, Windows 2000, Windows Me
Topic: Vulnerability in Web Client NTLM Authentication
Links: MS01-001, WinITSec, ERS-2001:003, WinITSec
ID: ae-200101-011

No further comment, as Microsoft insists on its copyright on advisories; see the linked bulletin for details.

System: Interbase
Topic: Vulnerability by compiled-in Back Door Account
Links: CA-2001-01, WinITSec, S-01-02
ID: ae-200101-010

Interbase is an open source database package. A compiled-in back door account with a known password has been found in it. This back door allows any local user, or any remote user able to reach port 3050/tcp, to manipulate any database object on the system, including installing trapdoors or other trojan horse software in the form of stored procedures. In addition, if the database software runs with root privileges, any file on the server's file system can be overwritten, possibly leading to execution of arbitrary commands as root. Affected are Borland/Inprise Interbase 4.x and 5.x, open source Interbase 6.0 and 6.01, and open source Firebird 0.9-3 and earlier. Patches are available from Borland and from the Firebird project.

System: Linux Mandrake 6.0, 6.1, 7.0, 7.1, 7.2, Corporate Server 1.0.1
Topic: Fix of potential temp file races in diffutils, inn, mgetty, shadow-utils, gpm, rdist, getty_ps, squid, arpwatch and wu_ftpd
Links: MDKSA-2001:008-1 (diffutils), MDKSA-2001:010 (inn), MDKSA-2001:009 (mgetty), MDKSA-2001:007 (shadow-utils), MDKSA-2001:006 (gpm), MDKSA-2001:005 (rdist), MDKSA-2001:004 (getty_ps), MDKSA-2001:003 (squid), MDKSA-2001:002 (arpwatch), MDKSA-2001:001 (wu_ftpd)
ID: ae-200101-009

WireX discovered potential temporary file race conditions in several programs. The links above lead to the updates.
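
The temporary file problems listed on this page (exmh, inn2, webmin, mgetty, wu-ftpd's privatepw, the ten Mandrake packages above, and the others marked "symlink attack" or "temp file race") all come down to one pattern: a predictable file name in a world-writable directory, created without O_EXCL. The following is an added example, not code from the original page or any of these packages, that replays the attack in a private scratch directory (a stand-in for /tmp, so nothing touches the real one) and shows the two standard fixes next to the bug. The file names and contents are constructed for the demonstration; a POSIX system is assumed.

```python
import errno
import os
import tempfile
from typing import Dict


def insecure_tmp_write(path: str, data: bytes) -> None:
    """The bug pattern: a predictable name opened with O_CREAT but without O_EXCL.
    If another local user has already planted a symlink at that name, the kernel
    follows it and the data lands in whatever the link points to."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def hardened_tmp_write(path: str, data: bytes) -> None:
    """Same fixed name, but O_EXCL makes creation fail atomically if anything already
    exists there (a symlink included) and O_NOFOLLOW refuses a symlink in the last
    component. A planted link therefore raises OSError (EEXIST or ELOOP) instead of
    being followed; treat that error as an attack, not as a retry condition."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def mkstemp_tmp_write(directory: str, data: bytes) -> str:
    """Preferred fix: let the OS pick an unpredictable name. mkstemp() creates the file
    with O_CREAT|O_EXCL and mode 0600, so there is no name for an attacker to plant."""
    fd, path = tempfile.mkstemp(prefix="app.", dir=directory)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def replay_symlink_attack() -> Dict[str, bool]:
    """Plays attacker and victim in a scratch directory standing in for /tmp and reports
    which writer was defeated and which held up."""
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim")     # stands in for e.g. ~/.rhosts of the victim user
        planted = os.path.join(scratch, "app.tmp")   # the predictable name the program will use
        with open(victim, "wb") as f:
            f.write(b"original")

        # Attacker's only step: plant a symlink at the predictable name before the program runs.
        os.symlink(victim, planted)

        insecure_tmp_write(planted, b"pwned")
        with open(victim, "rb") as f:
            insecure_followed = f.read() == b"pwned"

        try:
            hardened_tmp_write(planted, b"safe")
            hardened_refused = False
        except OSError as e:
            hardened_refused = e.errno in (errno.EEXIST, errno.ELOOP)

        mkstemp_path = mkstemp_tmp_write(scratch, b"safe")
        with open(victim, "rb") as f:
            mkstemp_left_victim_alone = f.read() == b"pwned" and mkstemp_path != planted

        return {
            "insecure_followed_symlink": insecure_followed,
            "hardened_refused_symlink": hardened_refused,
            "mkstemp_left_victim_alone": mkstemp_left_victim_alone,
        }


if __name__ == "__main__":
    for name, outcome in replay_symlink_attack().items():
        print(f"{name:28} {outcome}")
```

The consequence scales with the privilege of the program: when the writer is exmh it clobbers files of the user running it, when it is webmin or a setuid helper it clobbers files of root, which is why several of the entries above end in "root compromise". The fix is never a check-then-open sequence (that just narrows the race); it is an atomic exclusive create, ideally on an unguessable name.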

System: Oracle
Topic: Vulnerability caused by XSQL servlet
Links: GG-034, ERS-2001:025
ID: ae-200101-008

Georgi Guninski has found a new hole in Oracle in combination with Java. The Oracle XSQL servlet is installed by default with Oracle 8.1.7 under Windows 2000; as it is Java code, the problem is not restricted to Windows. The XSQL servlet allows external XSLT stylesheets, which may reside anywhere, to be specified, and Java code can be executed on the web server from within such a stylesheet. This may lead to a compromise of the web server. Further information can be found in the advisory. A patch is available now.

System: HP-UX
Topic: Vulnerability in inetd
Links: HP Security Bulletin #00136, ERS-2001:001, S-01-01
ID: ae-200101-007

A server that uses the 'swait' state in /etc/inetd.conf can be made to interfere with one or more other services started by inetd, so attackers may cause inetd to hang. Patches are available and should be installed:

System        Patch-ID
HP-UX 10.20   PHNE_20747
VVOS 10.24    PHNE_21699
HP-UX 11.00   PHNE_21835
VVOS 11.24    PHNE_23068

System: Microsoft IIS 5.0
Topic: Vulnerability caused by .HTR-Requests
Links: GG-033, WinITSec
ID: ae-200101-006

Georgi Guninski reports that it is possible to read the contents of most types of CGI files on Microsoft Internet Information Server 5.0, even when it is patched against the file fragment reading vulnerability, by sending a special request with a suffix of the form %3F+.htr. A patch is not available yet.

System: Tiny Software
Topic: Vulnerabilities in WinRoute Pro
Links: WinITSec
ID: ae-200101-005

Two vulnerabilities have been discovered in WinRoute Pro 4.1. First, the software does not function if memory write protection is enabled under Windows 2000; during installation WinRoute Pro disables memory write protection, which leaves the system less stable and more exposed to various security threats. Second, WinRoute Pro's POP3 service lets anyone use Windows NT domain credentials to access mailboxes, and these credentials are transmitted in clear text when mail is fetched via POP3. This could lead to the compromise of the whole domain. Patches will be published soon.

System: Lotus Domino 5.0.5
Topic: Vulnerability in Web Server found
Links: GG-032, Lotus, WinITSec, ERS-2001:002
ID: ae-200101-004

Georgi Guninski reports a problem in the web server of Lotus Domino under Microsoft Windows 2000. Using "special" URLs with Netscape Navigator, attackers may read files outside the web server's document area. A demonstration is available. A fix is included in the latest version, 5.0.6a.

System: SuSE Linux
Topic: Vulnerabilities in openssh/ssh and netscape
Links: SA:2000:47, SA:2000:48
ID: ae-200101-003

Many serious vulnerabilities have been found in the openssh package, along with a compilation problem in the openssh and ssh packages of the SuSE 7.0 distribution. A buffer overflow has been found in the HTML parser code of Netscape Navigator in all versions up to and including 4.75. Patches are available now.

System: Linux Mandrake
Topic: Problems with MandrakeUpdate and cvs
Links: MDKA-2001:001, MDKA-2001:002
ID: ae-200101-002

In previous versions of MandrakeUpdate a problem has been found: the severity reported for problems fixed by updated packages was incorrect. This problem affects Linux Mandrake 7.2 only. A patch is available.

System: Microsoft Windows Media Player 7 & IE
Topic: Vulnerability caused by WMP ActiveX Control
Links: GG-031, WinITSec
ID: ae-200101-001

Georgi Guninski reports a security vulnerability in Windows Media Player 7 which is exploitable through Internet Explorer. It allows reading local files, which in turn allows executing arbitrary programs and may lead to full control over the user's computer. A demonstration is available; a patch is not available yet.



(c) 2000-2014 AERAsec Network Services and Security GmbH