iss.summary.5.4

Posted May 4, 2000

ISS Security Alert Summary for May 1, 2000, covering 35 newly reported vulnerabilities: eudora-warning-message, icradius-username-bo, postgresql-plaintext-passwords, aix-frcactrl-file-modify, cisco-ios-http-dos, meetingmaker-weak-encryption, pcanywhere-tcpsyn-dos, piranha-passwd-execute, piranha-default-password, solaris-lp-bo, solaris-xsun-bo, solaris-lpset-bo, zonealarm-portscan, cvs-tempfile-dos, imp-wordfile-dos, imp-tmpfile-view, suse-file-deletion, qpopper-fgets-spoofing, adtran-ping-dos, emacs-local-eavesdrop, emacs-tempfile-creation, emacs-password-history, irix-pmcd-mounts, irix-pmcd-processes, irix-pmcd-dos, iis-myriad-escape-chars, freebsd-healthd, beos-syscall-dos, linux-trustees-patch-dos, pcanywhere-login-dos, beos-networking-dos, win2k-unattended-install, mssql-agent-stored-pw, webobjects-post-dos, and allaire-forums-allaccess.

tags | web, local, spoof, vulnerability
systems | cisco, linux, windows, solaris, freebsd, irix, suse, aix, beos
SHA-256 | 6d59eba0abd44501049acfa5e821123af34e918e7a66fc7f61eef2851fad52c7

ISS Security Alert Summary
May 1, 2000
Volume 5 Number 4

X-Force Vulnerability and Threat Database: http://xforce.iss.net/

To receive these Alert Summaries, subscribe to the ISS Alert mailing list:
send an email to majordomo@iss.net with 'subscribe alert' in the body of
the message.

_____

Contents

35 Reported Vulnerabilities
- eudora-warning-message
- icradius-username-bo
- postgresql-plaintext-passwords
- aix-frcactrl-file-modify
- cisco-ios-http-dos
- meetingmaker-weak-encryption
- pcanywhere-tcpsyn-dos
- piranha-passwd-execute
- piranha-default-password
- solaris-lp-bo
- solaris-xsun-bo
- solaris-lpset-bo
- zonealarm-portscan
- cvs-tempfile-dos
- imp-wordfile-dos
- imp-tmpfile-view
- suse-file-deletion
- qpopper-fgets-spoofing
- adtran-ping-dos
- emacs-local-eavesdrop
- emacs-tempfile-creation
- emacs-password-history
- irix-pmcd-mounts
- irix-pmcd-processes
- irix-pmcd-dos
- iis-myriad-escape-chars
- freebsd-healthd
- beos-syscall-dos
- linux-trustees-patch-dos
- pcanywhere-login-dos
- beos-networking-dos
- win2k-unattended-install
- mssql-agent-stored-pw
- webobjects-post-dos
- allaire-forums-allaccess

Risk Factor Key

_____

Date Reported: 4/28/2000
Vulnerability: eudora-warning-message
Platforms Affected: Eudora (2.4, 2.5)
Risk Factor: High
Attack Type: Network/Host Based

Eudora is a Windows-based mail reader. Versions 2.4 and 2.5 contain a
vulnerability that allows the warning message displayed when a user
attempts to open an .exe, .com, or .bat attachment to be bypassed. This
could allow an unsuspecting user to execute a malicious program.

Reference:
"Stealth Attachment" demo page at:
http://www.peacefire.org/security/stealthattach/

_____

Date Reported: 4/24/2000
Vulnerability: icradius-username-bo
Platforms Affected: ICRadius
Risk Factor: High
Attack Type: Network Based

ICRADIUS integrates Remote Authentication Dial In User Service (RADIUS)
with MySQL. The program formats the username supplied in a request with
sprintf() into a fixed-size buffer, with no check on the length of the
input. A remote attacker can send an oversized value to crash the program,
and possibly execute arbitrary code on the system.

Reference:
Bugtraq Mailing List: "Buffer Overflow in version .14" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSF.4.21.0004240023080.19563-100000@mammoth.psnw.com
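
The unbounded sprintf() pattern described above, beside its bounded
replacement, as an added example for this page: it is not ICRADIUS code
and does not come from the ISS summary. The attribute format string, the
64-byte buffer size and the function names are assumptions chosen for the
illustration.

```c
#include <stdio.h>
#include <string.h>

#define ATTR_MAX 64   /* assumed size of the fixed attribute buffer */

/* Pattern the summary describes: sprintf() into a fixed buffer with no
 * length check. A username longer than about ATTR_MAX - 14 bytes writes
 * past the end of 'attr' and onto the stack. Kept only for contrast;
 * never call it with untrusted input. */
void format_user_unsafe(const char *user)
{
    char attr[ATTR_MAX];
    sprintf(attr, "User-Name = \"%s\"", user);   /* unbounded write */
    puts(attr);
}

/* Hardened form. snprintf() never writes more than outlen bytes and
 * returns the length the full string would have had, so an oversized
 * username is detected and rejected instead of silently truncated or
 * allowed to overflow. Returns the formatted length, or -1 if the
 * attribute does not fit (the buffer is then left empty). */
int format_user_safe(char *out, size_t outlen, const char *user)
{
    int n = snprintf(out, outlen, "User-Name = \"%s\"", user);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return n;
}

/* What a server should do with a value taken off the wire: format it
 * into its own bounded buffer and treat "does not fit" as a protocol
 * error for that request rather than a crash. */
int check_username_fits(const char *user)
{
    char attr[ATTR_MAX];
    return format_user_safe(attr, sizeof attr, user);
}

/* Helper: a username of 'len' bytes of 'A', so the boundary can be
 * probed without a caller-side buffer. Caps at 1023 bytes. */
int check_username_of_length(size_t len)
{
    char user[1024];
    if (len >= sizeof user)
        return -2;
    memset(user, 'A', len);
    user[len] = '\0';
    return check_username_fits(user);
}

int main(void)
{
    printf("alice  -> %d\n", check_username_fits("alice"));       /* 19 */
    printf("49 x A -> %d\n", check_username_of_length(49));      /* 63, last that fits */
    printf("50 x A -> %d\n", check_username_of_length(50));      /* -1, rejected */
    return 0;
}
```

The attribute wrapper adds 14 bytes around the name, so with a 64-byte
buffer a 49-byte name is the longest that fits; the hardened function
reports the 50-byte name as an error instead of writing one byte past the
end.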

_____

Date Reported: 4/23/2000
Vulnerability: postgresql-plaintext-passwords
Platforms Affected: PostgreSQL
Risk Factor: Medium
Attack Type: Host Based

PostgreSQL is an open-source relational database management system (DBMS)
that supports SQL constructs. The program stores its usernames and
passwords in plaintext format in a file called pg_shadow that is readable
by the postgres user and root. A local attacker can run strings on the
file to obtain database usernames and passwords.

Reference:
Bugtraq Mailing List: "Postgresql cleartext password storage" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000423220245.A24619@cistron.nl

_____

Date Reported: 4/26/2000
Vulnerability: aix-frcactrl-file-modify
Platforms Affected: AIX 4.3
Risk Factor: High
Attack Type: Host Based

The Fast Response Cache Accelerator (FRCA) is a kernel extension that can
be used with the IBM HTTP Server to improve web server performance. If the
FRCA extension is loaded, a local attacker can use frcactrl, the program
used to manage the FRCA configuration, to create, append to, or overwrite
files as root, which readily leads to root privileges. The vulnerability is
present on systems with AIX fix IY02669 applied and with the FRCA kernel
extension loaded (the extension is not loaded by default).

Reference:
ISS Security Advisory: "Insecure file handling in IBM AIX frcactrl
program" at: http://xforce.iss.net/alerts/advise47.php3

_____

Date Reported: 4/26/2000
Vulnerability: cisco-ios-http-dos
Platforms Affected: Cisco IOS
Risk Factor: Medium
Attack Type: Network Based

The Cisco IOS operating system found on many Cisco routers is vulnerable
to a denial of service attack if its HTTP server is enabled. A remote user
can crash the router by requesting a specially crafted URL (of the form
http://<router_ip>/%%). The router either restarts itself or must be
manually power-cycled.

Reference:
Bugtraq Mailing List: "Cisco HTTP possible bug" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSI.3.95.1000426201632.27862C-100000@rosencrantz.citytel.net

_____

Date Reported: 4/25/2000
Vulnerability: meetingmaker-weak-encryption
Platforms Affected: Meeting Maker
Risk Factor: High
Attack Type: Network/Host Based

Meeting Maker is a client-server calendar and scheduling program for small
workgroups to large enterprises. The software uses a weak encryption
scheme to protect passwords sent between the client and the server. An
attacker who sniffs the network traffic can capture the encrypted
passwords and recover them.

Reference:
Bugtraq Mailing List: "finding Meeting Maker passwords using tcpdump" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200004250056.UAA18065@tiki-god.mit.edu

_____

Date Reported: 4/25/2000
Vulnerability: pcanywhere-tcpsyn-dos
Platforms Affected: pcAnywhere (8.0, 9.0, 9.2)
Risk Factor: Medium
Attack Type: Network/Host Based

Symantec pcAnywhere versions 8.0, 9.0, and 9.2 are vulnerable to a denial
of service attack. A local or remote attacker can perform a TCP SYN scan
on the vulnerable host to crash the service and cause it to stop
responding.

Reference:
Bugtraq Mailing List: "Denial of Service Against pcAnywhere" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000425150157.13567A-100000@sword.damocles.com

_____

Date Reported: 4/24/2000
Vulnerability: piranha-passwd-execute
Platforms Affected: RedHat 6.2
Risk Factor: High
Attack Type: Network Based

Piranha is a package distributed by Red Hat, Inc. that contains the Linux
Virtual Server (LVS) software, a web-based GUI, and monitoring and
fail-over components. The Piranha component passwd.php3 allows an
administrator to change their password. This component fails to validate
user input before passing it to the shell, which may allow attackers to
execute commands on the server. In conjunction with the backdoor password
in Piranha, this could allow an anonymous remote attacker to compromise
the Piranha server.

References:
ISS Security Advisory #46: "Backdoor Password in Red Hat Linux Virtual
Server Package" at: http://xforce.iss.net/alerts/advise46.php3

Red Hat, Inc. Security Advisory RHSA-2000:014-10: "Piranha web GUI
exposure" at: http://www.redhat.com/support/errata/RHSA-2000014-16.html
_____

Date Reported: 4/24/2000
Vulnerability: piranha-default-password
Platforms Affected: RedHat 6.2
Risk Factor: High
Attack Type: Network Based

Piranha is a package distributed by Red Hat, Inc. that contains the Linux
Virtual Server (LVS) software, a web-based GUI, and monitoring and
fail-over components. A backdoor password exists in the GUI portion of
Piranha that may allow remote attackers to execute commands on the server.
If an affected version of Piranha is installed and the default backdoor
password remains unchanged, any remote as well as local user may login to
the LVS web interface. From here LVS parameters can be changed and
arbitrary commands can be executed with the same privilege as that of the
web server.

References:
ISS Security Advisory #46: "Backdoor Password in Red Hat Linux Virtual
Server Package" at: http://xforce.iss.net/alerts/advise46.php3

Red Hat, Inc. Security Advisory RHSA-2000:014-10: "Piranha web GUI
exposure" at: http://www.redhat.com/support/errata/RHSA-2000014-16.html

_____

Date Reported: 4/24/2000
Vulnerability: solaris-lp-bo
Platforms Affected: Solaris 7.0
Risk Factor: High
Attack Type: Host Based

Solaris 7 is vulnerable to a buffer overflow in the lp program, the LP
print service command used to submit print requests. A local attacker can
pass a long argument to the -d flag to execute arbitrary code as root.

Reference:
Bugtraq Mailing List: "Solaris 7 x86 lp exploit" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000424151520.4813E-100000@carma.isirc.is

_____

Date Reported: 4/24/2000
Vulnerability: solaris-xsun-bo
Platforms Affected: Solaris 7.0
Risk Factor: High
Attack Type: Host Based

Solaris 7 is vulnerable to a buffer overflow in Xsun, the X11 server for
Solaris. A local attacker can pass a long argument to the -dev flag and
overflow the buffer. An attacker can exploit this to execute arbitrary
code and gain root privileges.

Reference:
Bugtraq Mailing List: "Solaris x86 Xsun overflow" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000424145711.4813C-100000@carma.isirc.is

_____

Date Reported: 4/24/2000
Vulnerability: solaris-lpset-bo
Platforms Affected: Solaris 7.0
Risk Factor: High
Attack Type: Host Based

Solaris 7 is vulnerable to a buffer overflow in the lpset program, the LP
print service command used to set printer configurations in
/etc/printers.conf. A local attacker can pass a long argument to the
undocumented -r flag to execute arbitrary code and possibly gain root
access.

Reference:
Bugtraq Mailing List: "Solaris 7 x86 lpset exploit" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000424152415.4813F-100000@carma.isirc.is

_____

Date Reported: 4/24/2000
Vulnerability: zonealarm-portscan
Platforms Affected: ZoneAlarm
Risk Factor: Medium
Attack Type: Network/Host Based

ZoneAlarm is a personal firewall by Zone Labs for Windows-based operating
systems. ZoneAlarm neither blocks nor alerts on packets with a source port
of 67 (the BOOTP/DHCP server port). A remote attacker can therefore port
scan the system undetected by setting the source port of the probes to 67.

Reference:
Bugtraq Mailing List: "ZoneAlarm" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000421044123.2353.qmail@securityfocus.com

_____

Date Reported: 4/23/2000
Vulnerability: cvs-tempfile-dos
Platforms Affected: CVS
Risk Factor: Medium
Attack Type: Host Based

Concurrent Versions System (CVS) is a program that allows multiple
programmers to work on the same project by checking source code in and
out and recording changes. Because CVS temporary file names are
predictable, a local user can create in advance the file names CVS needs
for locking, causing CVS sessions to crash.

Reference:
Bugtraq Mailing List: "CVS DoS" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000423174038.A520@clico.pl

_____

Date Reported: 4/22/2000
Vulnerability: imp-wordfile-dos
Platforms Affected: IMP2
Risk Factor: Medium
Attack Type: Host Based

IMP is a PHP-based program for accessing IMAP email through a web browser.
The program uses a utility called wv (formerly MSWordView) for translating
Microsoft Word documents to HTML for viewing with a web browser. If the wv
process is cancelled before it completes the file conversion, IMP 2.0.11
does not properly clean up the temporary files. An attacker could cancel
the conversion process repeatedly to fill up the file system and cause a
denial of service against the IMP server.

Reference:
Bugtraq Mailing List: "Two Problems in IMP 2" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-22&msg=Pine.LNX.4.05.10004241852320.18437-100000@biocserver.BIOC.CWRU.Edu

_____

Date Reported: 4/22/2000
Vulnerability: imp-tmpfile-view
Platforms Affected: IMP2
Risk Factor: High
Attack Type: Host Based

IMP is a PHP-based program for accessing IMAP email through a web browser.
The program uses a utility called wv (formerly MSWordView) for translating
Microsoft Word documents to HTML for viewing with a web browser. When
converting Word documents to HTML, IMP 2.0.11 creates world-readable
temporary files. A user could read these files and obtain sensitive
information.

Reference:
Bugtraq Mailing List: "Two Problems in IMP 2" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-22&msg=Pine.LNX.4.05.10004241852320.18437-100000@biocserver.BIOC.CWRU.Edu

_____

Date Reported: 4/21/2000
Vulnerability: suse-file-deletion
Platforms Affected: SuSE Linux
Risk Factor: Medium
Attack Type: Host Based

SuSE Linux (versions 6.3 and earlier) is vulnerable to arbitrary file
deletion by a local attacker. An unprivileged local user can delete
arbitrary files if the variable MAX_DAYS_IN_TMP in /etc/rc.config (which
enables the periodic cleanup of temporary directories) is set to a value
greater than 0.

Reference:
BugTraq Mailing List: "Local user can delete arbitrary files on
SuSE-Linux" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0004210843510.23186-100000@gmv.spm.univ-rennes1.fr

_____

Date Reported: 4/21/2000
Vulnerability: qpopper-fgets-spoofing
Platforms Affected: Qpopper 3.0
Risk Factor: Medium
Attack Type: Network/Host Based

Qpopper is a POP3 mail server distributed by Qualcomm for Unix systems.
Versions 2.53 and 3.0 read message headers with the fgets() function into
a fixed-size input buffer. An attacker can send a header line longer than
that buffer to trick the program into creating a message with spoofed or
incorrect headers. The spoofed message is treated as an internal
plain-text message, which is not scanned by virus-checking software.

Reference:
BugTraq Mailing List: "unsafe fgets() in qpopper" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-22&msg=9763.000421@SECURITY.NNOV.RU

_____

Date Reported: 4/19/2000
Vulnerability: adtran-ping-dos
Platforms Affected: Adtran Multiplexor
Risk Factor: Medium
Attack Type: Network Based

The Adtran Multiplexor is vulnerable to a remote denial of service attack.
By ping flooding the hardware for about 15 to 20 seconds, a remote
attacker can cause the hardware to crash and automatically restart.

Reference:
Bugtraq Mailing List: "Adtran DoS" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10004190908140.32750-100000@localhost.localdomain

_____

Date Reported: 4/18/2000
Vulnerability: emacs-local-eavesdrop
Platforms Affected: GNU Emacs 20
Risk Factor: High
Attack Type: Host Based

GNU Emacs is a self-documenting, customizable, extensible real-time
display editor. Versions 20.6 and earlier set PTY permissions improperly.
A local attacker can eavesdrop on the Emacs user.

Reference:
Bugtraq Mailing List: "RUS-CERT Advisory 200004-01: GNU Emacs 20" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=tg4s8zioxq.fsf@mercury.rus.uni-stuttgart.de

_____

Date Reported: 4/18/2000
Vulnerability: emacs-tempfile-creation
Platforms Affected: GNU Emacs 20
Risk Factor: High
Attack Type: Host Based

GNU Emacs is a self-documenting, customizable, extensible real-time
display editor. Versions 20.6 and earlier create predictable temporary
files and follow existing symbolic links when doing so. A local attacker
could use a symlink attack to gain access to the Emacs user ID.

Reference:
Bugtraq Mailing List: "RUS-CERT Advisory 200004-01: GNU Emacs 20" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=tg4s8zioxq.fsf@mercury.rus.uni-stuttgart.de
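
The temporary-file problems in this summary (cvs-tempfile-dos,
imp-wordfile-dos and imp-tmpfile-view, and the Emacs entry above) share
one fix: an unpredictable name created with O_EXCL, owner-only
permissions, and cleanup on every exit path. The following is an added
example written for this page, not code from CVS, IMP, or Emacs; the /tmp
location, the conv-XXXXXX template and the probe function are assumptions
made for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the entries describe: a name anyone can predict, created
 * without O_EXCL and with a world-readable mode. An attacker who guesses
 * the name can pre-create it or plant a symlink so the program writes
 * through it, and other users can read the contents. Contrast only. */
int open_temp_predictable(char *path, size_t pathlen)
{
    snprintf(path, pathlen, "/tmp/app.%ld", (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened form. mkstemp() replaces the XXXXXX suffix with an
 * unpredictable string and opens with O_CREAT|O_EXCL, so a pre-existing
 * file or symlink at that name fails the call instead of being followed.
 * fchmod() pins the mode to owner-only regardless of umask. The final
 * path is left in 'tmpl' so the caller can unlink it. Returns fd or -1. */
int open_temp_safe(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return fd;
}

/* Check through the descriptor, not the path, that we hold a regular
 * file owned by us, with one link and no group/other permissions.
 * fstat() on the fd cannot be raced the way stat() on a path can. */
int temp_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1)
        return 0;
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        return 0;
    return st.st_uid == geteuid();
}

/* Run 'work' on a private temp file and unlink it on every exit path,
 * including failure of 'work'. Leaving the file behind when the
 * conversion is interrupted is the disk-filling defect in imp-wordfile-dos.
 * Returns work's result, or -1 if the file could not be set up. */
int with_private_temp(int (*work)(int fd, void *arg), void *arg)
{
    char tmpl[] = "/tmp/conv-XXXXXX";    /* assumes /tmp is writable */
    int fd = open_temp_safe(tmpl);
    if (fd < 0)
        return -1;
    if (!temp_is_private(fd)) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    int rc = work(fd, arg);
    close(fd);
    unlink(tmpl);
    return rc;
}

/* Sample work step: write a string, fail if the write is short. */
int write_probe(int fd, void *arg)
{
    const char *s = arg;
    size_t len = strlen(s);
    return write(fd, s, len) == (ssize_t)len ? 0 : -1;
}

/* Creates a temp file, verifies it is private, removes it. Returns 1 if
 * every step succeeded, so the whole path can be checked in one call. */
int demo_temp_roundtrip(void)
{
    char tmpl[] = "/tmp/conv-XXXXXX";
    int fd = open_temp_safe(tmpl);
    if (fd < 0)
        return 0;
    int ok = temp_is_private(fd) && access(tmpl, F_OK) == 0;
    close(fd);
    ok = ok && unlink(tmpl) == 0 && access(tmpl, F_OK) != 0;
    return ok;
}

int main(void)
{
    printf("roundtrip: %d\n", demo_temp_roundtrip());                /* 1 */
    printf("work ok:   %d\n", with_private_temp(write_probe, "x"));  /* 0 */
    return 0;
}
```

The world-readable output file in imp-tmpfile-view is the 0644 mode in the
contrast function; the symlink-following in the Emacs entry is the missing
O_EXCL. Verifying through the descriptor after the open, rather than
stat()ing the path first, closes the window an attacker would otherwise
race.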

_____

Date Reported: 4/18/2000
Vulnerability: emacs-password-history
Platforms Affected: GNU Emacs 20
Risk Factor: High
Attack Type: Host Based

GNU Emacs is a self-documenting, customizable, extensible real-time
display editor. Versions 20.6 and earlier do not clear user passwords from
the key history. A local user with access to an Emacs session could
potentially read the passwords in the Emacs history.

Reference:
Bugtraq Mailing List: "RUS-CERT Advisory 200004-01: GNU Emacs 20" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=tg4s8zioxq.fsf@mercury.rus.uni-stuttgart.de

_____

Date Reported: 4/12/2000
Vulnerability: irix-pmcd-mounts
Platforms Affected: IRIX (6.2, 6.3, 6.4, 6.5)
Risk Factor: Medium
Attack Type: Network Based

Performance Copilot (pmcd) is installed by default with IRIX 6.x and is
used to gather performance statistics about the system. One vulnerability
that it contains allows a remote user to list all the disks and their
mount points. Information gathering techniques can lead to unauthorized
access attempts.

Reference:
Bugtraq Mailing List: "Performance Copilot for IRIX 6.5" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=001f01bfa4d5$1f26f7a0$63295581@emmazunz.rockefeller.edu

_____

Date Reported: 4/12/2000
Vulnerability: irix-pmcd-processes
Platforms Affected: IRIX (6.2, 6.3, 6.4, 6.5)
Risk Factor: Medium
Attack Type: Network Based

Performance Copilot (pmcd) is installed by default with IRIX 6.x and is
used to gather performance statistics about the system. One vulnerability
that it contains allows a remote user to list all the processes and their
owners. Information gathering techniques can lead to unauthorized access
attempts.

Reference:
Bugtraq Mailing List: "Performance Copilot for IRIX 6.5" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=001f01bfa4d5$1f26f7a0$63295581@emmazunz.rockefeller.edu

_____

Date Reported: 4/12/2000
Vulnerability: irix-pmcd-dos
Platforms Affected: IRIX (6.2, 6.3, 6.4, 6.5)
Risk Factor: Medium
Attack Type: Network Based

Performance Co-Pilot, installed by default with IRIX 6.x, is used to
gather system performance statistics across a network. The Performance
Metrics Collector Daemon (PMCD) is a message routing server, controlling
communications between the client monitoring tools and the domain agents.
The default configuration of PMCD allows a remote attacker to pass a large
quantity of garbage data to the service, causing the system to consume all
available memory.

Reference:
Bugtraq Mailing List: "Performance Copilot for IRIX 6.5" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=001f01bfa4d5$1f26f7a0$63295581@emmazunz.rockefeller.edu

_____

Date Reported: 4/12/2000
Vulnerability: iis-myriad-escape-chars
Platforms Affected: IIS 4.0, 5.0
Risk Factor: Medium
Attack Type: Network/Host Based

Microsoft Internet Information Server (IIS) 4.0 and 5.0 are vulnerable to
a potential denial of service attack. A remote attacker can request a
specially crafted URL containing a large number of escaped characters,
consuming CPU time on the web server. The server slows down and is
unresponsive until it has fully processed the URL.
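
Neither this entry nor cisco-ios-http-dos documents the exact parsing
defect, so what follows is not a reconstruction of either. It is an added
example, not Microsoft or Cisco code, of the strict percent-decoder a
practitioner would want in front of any HTTP handler: a '%' not followed by
two hex digits (so a request for "/%%") is refused before any further work,
the number of escapes processed is capped, and the input is decoded exactly
once. The MAX_ESCAPES limit of 64 and the function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define MAX_ESCAPES 64   /* assumed policy limit on %XX sequences per URL */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Strict single-pass percent-decoder. Returns the decoded length, or
 * -1 for a malformed escape ('%' not followed by two hex digits, so
 * "/%%" is rejected at the first '%'), -2 when the escape count exceeds
 * MAX_ESCAPES (the "myriad escapes" case), -3 when 'out' is too small.
 * A decoded '\0' is kept as a byte, so callers use the returned length
 * rather than strlen(). The result is never re-decoded, which is why
 * "%2541" comes out as the literal "%41" and not as "A". */
int url_decode_strict(const char *in, char *out, size_t outlen)
{
    size_t n = 0, escapes = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = (hi < 0) ? -1 : hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0)
                return -1;              /* malformed: stop immediately */
            if (++escapes > MAX_ESCAPES)
                return -2;              /* refuse to burn more CPU */
            c = (hi << 4) | lo;
            i += 2;
        }
        if (n >= outlen)
            return -3;
        out[n++] = (char)c;
    }
    return (int)n;
}

/* Decode into a scratch buffer and compare with the expected bytes.
 * Returns 1 on an exact match, 0 otherwise (including any decode error). */
int decode_matches(const char *in, const char *expect)
{
    char out[256];
    int n = url_decode_strict(in, out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expect)
        && memcmp(out, expect, (size_t)n) == 0;
}

/* Decode and return only the status/length, for inputs expected to fail. */
int decode_status(const char *in)
{
    char out[256];
    return url_decode_strict(in, out, sizeof out);
}

/* Constructed input of 'count' copies of "%41", to exercise the cap. */
int decode_repeated_escape(size_t count)
{
    char in[3 * 1024 + 1], out[1024];
    if (count > 1024)
        return -4;
    for (size_t i = 0; i < count; i++)
        memcpy(in + 3 * i, "%41", 3);
    in[3 * count] = '\0';
    return url_decode_strict(in, out, sizeof out);
}
```

Rejecting on the first malformed escape keeps the cost of a bad request
proportional to how far the parser got, and the escape cap bounds the cost
of a well-formed but hostile one; both are cheap to apply before the
request reaches the rest of the server.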

Reference:
Microsoft Security Bulletin (MS00-023): "Patch Available for 'Myriad
Escaped Characters' Vulnerability at:
http://www.microsoft.com/technet/security/bulletin/ms00-023.asp

_____

Date Reported: 4/10/2000
Vulnerability: freebsd-healthd
Platforms Affected: FreeBSD (3.0, 3.1, 3.2, 3.3, 3.4, 4.0)
Risk Factor: High
Attack Type: Host Based

The healthd package version 0.3, which ships with FreeBSD, is a utility
for monitoring the motherboard temperature, CPU fan, and voltage levels in
the computer. The program is vulnerable to a buffer overflow attack that
would allow a local attacker to gain root level access.

Reference:
Bugtraq Mailing List: "FreeBSD Security Advisory:
FreeBSD-SA-00:12.healthd" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-8&msg=200004102059.NAA07231@freefall.freebsd.org

_____

Date Reported: 4/10/2000
Vulnerability: beos-syscall-dos
Platforms Affected: BeOS (R5.0, R4.5.x)
Risk Factor: Medium
Attack Type: Host Based

The BeOS operating system versions R5.0 and R4.5.x are vulnerable to
denial of service caused by a malformed system call. If a user sends a
direct kernel call with invalid parameters, the system will crash, and it
will have to be restarted.

Reference:
Bugtraq Mailing List: "BeOS syscall bug" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000410131628.659.qmail@securityfocus.com

_____

Date Reported: 4/10/2000
Vulnerability: linux-trustees-patch-dos
Platforms Affected: Linux
Risk Factor: Medium
Attack Type: Network/Host Based

Bray Systems Linux Trustees kernel patch version 1.5 is vulnerable to a
buffer overflow that will hang processes. Linux Trustees is used to manage
advanced permission settings in Linux, similar to the permission model in
Novell NetWare. By attempting to access an unusually long file or path
name, an attacker can hang the program, and possibly cause other system
utilities to hang as a result. This attack will require the system to be
restarted.

Reference:
Bugtraq Mailing List: "linux trustees 1.5 long path name vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000410142058.W19474@univ.uniyar.ac.ru

_____

Date Reported: 4/9/2000
Vulnerability: pcanywhere-login-dos
Platforms Affected: PC Anywhere (8.0, 9.0)
Risk Factor: Medium
Attack Type: Network Based

Symantec pcAnywhere 8.0 and 9.0 remote control software is vulnerable to a
denial of service attack against the service on the host computer. When
connecting a pcAnywhere client to the host, a remote attacker can crash
the host service by selecting cancel during the initial connection
sequence, before the login screen appears.

Reference:
Bugtraq Mailing List: "A funny way to DOS pcANYWHERE8.0 and 9.0" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-8&msg=20000409093526.22418.qmail@securityfocus.com

_____

Date Reported: 4/7/2000
Vulnerability: beos-networking-dos
Platforms Affected: BeOS (R5.0, R4.5, R4.0)
Risk Factor: Medium
Attack Type: Network Based

The BeOS operating system is vulnerable to a denial of service attack
against the networking process. A local or remote attacker can crash the
networking service by sending a malformed packet to it. If an IP packet is
sent with the IP length field set to a number below the minimum header
length, the networking service will crash, and it will have to be
restarted.

Reference:
Bugtraq Mailing List: "BeOS Networking DOS" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=m12dhV0-000W5EC@malasada.lava.net
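
An added example, not BeOS code and not from the ISS summary, of the
length validation a receiver needs so that a total-length field smaller
than the IP header can never reach later arithmetic. The sample packets
are constructed inline and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_MIN_HDR 20

enum ip_verdict {
    IP_OK = 0,
    IP_TOO_SHORT,     /* fewer bytes received than a minimal header */
    IP_BAD_VERSION,
    IP_BAD_IHL,       /* header-length field below 5 words */
    IP_BAD_TOTLEN,    /* total length below the header length */
    IP_TRUNCATED      /* total length larger than what was received */
};

/* Validate the IPv4 length fields before any code trusts them. 'caplen'
 * is the number of bytes actually in the buffer. A stack that takes the
 * total-length field at face value and computes payload = total - header
 * underflows as soon as total is smaller than the header, which is the
 * malformed packet the summary describes. On IP_OK the header and payload
 * sizes are returned through the out-pointers. */
enum ip_verdict ip_check_lengths(const uint8_t *pkt, size_t caplen,
                                 size_t *hdr_len, size_t *payload_len)
{
    if (caplen < IP_MIN_HDR)
        return IP_TOO_SHORT;
    if ((pkt[0] >> 4) != 4)
        return IP_BAD_VERSION;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;      /* header bytes */
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];   /* total length */
    if (ihl < IP_MIN_HDR)
        return IP_BAD_IHL;
    if (tot < ihl)
        return IP_BAD_TOTLEN;                      /* the crash condition */
    if (tot > caplen)
        return IP_TRUNCATED;
    if (hdr_len)
        *hdr_len = ihl;
    if (payload_len)
        *payload_len = tot - ihl;
    return IP_OK;
}

/* Constructed sample packet: version 4, the given IHL and total-length
 * fields, TTL 64, protocol UDP, everything else zero. 'caplen' bytes of
 * it are handed to the checker, as if that many had arrived. */
enum ip_verdict classify_sample(uint8_t ihl_words, uint16_t tot_len,
                                size_t caplen, size_t *payload_len)
{
    uint8_t pkt[128];
    if (caplen > sizeof pkt)
        caplen = sizeof pkt;
    memset(pkt, 0, sizeof pkt);
    pkt[0] = (uint8_t)(0x40 | (ihl_words & 0x0f));
    pkt[2] = (uint8_t)(tot_len >> 8);
    pkt[3] = (uint8_t)(tot_len & 0xff);
    pkt[8] = 64;
    pkt[9] = 17;
    return ip_check_lengths(pkt, caplen, NULL, payload_len);
}

/* Payload length of a valid sample, or (size_t)-1 if it is rejected. */
size_t sample_payload_len(uint8_t ihl_words, uint16_t tot_len, size_t caplen)
{
    size_t pl = 0;
    if (classify_sample(ihl_words, tot_len, caplen, &pl) != IP_OK)
        return (size_t)-1;
    return pl;
}

/* Unchecked arithmetic, for contrast: with a total length of 10 and a
 * 20-byte header this wraps to an enormous size_t, the kind of value
 * that then drives a copy or an allocation. */
size_t naive_payload_len(uint8_t ihl_words, uint16_t tot_len)
{
    return (size_t)tot_len - (size_t)ihl_words * 4;
}
```

The order of the checks matters: the received byte count is verified
before any header field is read, the header-length field before the
total-length field is compared against it, and the total length against
what was actually received before anything is sized from it.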

_____

Date Reported: 4/7/2000
Vulnerability: win2k-unattended-install
Platforms Affected: Windows 2000
Risk Factor: Medium
Attack Type: Host Based

In Windows 2000, only members of the Administrators group and the SYSTEM
account are given write access to the All Users profile. However, when
Windows 2000 is installed from an unattended-install answer file with the
OEMPreinstall option selected, the All Users profile directory is not
secured. Any local user could place a trojan horse program in the All
Users Startup folder to be executed when the next user logs in.

Reference:
NTBugtraq Mailing List: "All Users startup folder left open if unattended
install and OEMPreinstall" at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0004&L=ntbugtraq&F=&S=&P=1606

_____

Date Reported: 4/5/2000
Vulnerability: mssql-agent-stored-pw
Platforms Affected: Microsoft SQL
Risk Factor: High
Attack Type: Host Based

The SQL Server Agent can be configured to connect to SQL Server using
Windows NT authentication or SQL Server authentication (standard
security). If standard security is used, the password is stored in the
registry using a proprietary two-way encryption algorithm. Most password
storage schemes use one-way hash functions, but because the Agent must
read the password from the registry and decrypt it to connect to SQL
Server, it is stored with a reversible algorithm. Anyone with knowledge of
the algorithm and access to the encrypted value can easily recover the
clear-text password. It is stored on the server under the registry key
'HKEY_LOCAL_MACHINE\Software\Microsoft\MSSQLServer\SQLServerAgent\HostPassword'.

_____

Date Reported: 4/3/2000
Vulnerability: webobjects-post-dos
Platforms Affected: WebObjects 4.5
Risk Factor: Medium
Attack Type: Network/Host Based

WebObjects 4.5 Developer, when used in conjunction with CGI-adapter and
IIS 4.0, is vulnerable to a buffer overflow that will crash the service.
An attacker can send a POST message with a large header variable to crash
the service and generate a Dr. Watson error.

Reference:
Bugtraq Mailing List: "WebObjects DoS" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-01&msg=OCELLGABDLDELPDEFKNACELGCBAA.gdead@fortnocs.com

_____

Date Reported: 4/3/2000
Vulnerability: allaire-forums-allaccess
Platforms Affected: Allaire Forums 2.0.5
Risk Factor: Medium
Attack Type: Network/Host Based

Allaire Forums 2.0.5 could allow a remote user to view and post to secured
discussion threads. Because of improper handling of the variable
"rightAccessAllForums", an attacker could gain access to conferences they
do not belong to by way of unsecured conferences or email.

Reference:
Allaire Security Bulletin (ASB00-06): "Patch Available for Allaire Forums
2.0.5 security issue" at:
http://www.allaire.com/handlers/index.cfm?ID=15099&Method=Full

_____

Risk Factor Key:

High: Any vulnerability that provides an attacker with immediate access
into a machine, gains superuser access, or bypasses a firewall. Example: a
vulnerable Sendmail 8.6.5 version that allows an intruder to execute
commands on the mail server.

Medium: Any vulnerability that provides information that has a high
potential of giving system access to an intruder. Example: a misconfigured
TFTP or vulnerable NIS server that allows an intruder to get the password
file, which could contain an account with a guessable password.

Low: Any vulnerability that provides information that potentially could
lead to a compromise. Example: a finger service that allows an intruder to
find out who is online and which accounts to attack by brute-force
password guessing.

_____

Permission is hereby granted for the redistribution of this Alert Summary
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert Summary in any other medium excluding electronic medium,
please e-mail xforce@iss.net for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.

About Internet Security Systems

Internet Security Systems (ISS) is the leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite* security software, ePatrol* remote managed security services,
and strategic consulting and education offerings, ISS is a trusted
security provider to its customers and partners, protecting digital assets
and ensuring safe and uninterrupted e-business. ISS' security management
solutions protect more than 5,500 customers worldwide including 21 of the
25 largest U.S. commercial banks, 10 of the largest telecommunications
companies and over 35 government agencies. Founded in 1994, ISS is
headquartered in Atlanta, GA, with additional offices throughout North
America and international operations in Asia, Australia, Europe, Latin
America and the Middle East. For more information, visit the Internet
Security Systems web site at www.iss.net <http://www.iss.net> or call
888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBORD2djRfJiV99eG9AQGugwQArxXxQJyV3JA2ruP+JCHP7gY4hspP2oNQ
ujF9xKHPonX941smN2ij60dRbeqDIzRlAFjraM0bhqA9P705CL93Z3opC2vOXD9a
oVHPraUuWrItV8sSftJj1eTerewcvjqde9qe2IhAH7ef7UUYIEWvcnOZtvb0os4q
9nEGigRLw9g=
=83kT
-----END PGP SIGNATURE-----



Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    8 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    11 Files
  • 23
    Apr 23rd
    68 Files
  • 24
    Apr 24th
    23 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close