
iss.summary.5.6

Posted Jul 8, 2000
Site xforce.iss.net

ISS Security Alert Summary July 1, 2000 - 77 new vulnerabilities were reported last month. This document has links to more information and full advisories on each. Includes: win2k-telnetserver-dos, win2k-cpu-overload-dos, fw1-resource-overload-dos, sybergen-routing-table-modify, ircd-dalnet-summon-bo, win-arp-spoofing, imesh-tcp-port-overflow, ie-active-setup-download, ftgate-invalid-user-requests, winproxy-get-dos, firstclass-large-bcc-dos, winproxy-command-bo, boa-webserver-file-access, ie-access-vba-code-execute, ie-powerpoint-activex-object-execute, fortech-proxy-telnet-gateway, xwin-clients-default-export, sawmill-file-access, sawmill-weak-encryption, netscape-virtual-directory-bo, netscape-enterprise-netware-bo, proxyplus-telnet-gateway, glftpd-privpath-directive, irc-leafchat-dos, openbsd-isc-dhcp-bo, debian-cups-malformed-ipp, jetadmin-network-dos, wuftp-format-string-stack-overwrite, jrun-read-sample-files, redhat-secure-locate-path, redhat-gkermit, weblogic-file-source-read, netscape-ftpserver-chroot, linux-kon-bo, dmailweb-long-username-dos, dmailweb-long-pophost-dos, aix-cdmount-insecure-call, irix-workshop-cvconnect-overwrite, blackice-security-level-nervous, linux-libice-dos, xdm-xdmcp-remote-bo, webbbs-get-request-overflow, nettools-pki-http-bo, nettools-pki-unauthenticated-access, panda-antivirus-remote-admin, dragon-telnet-dos, dragon-ftp-dos, small-http-get-overflow-dos, mdaemon-pass-dos, simpleserver-long-url-dos, win2k-desktop-separation, zope-dtml-remote-modify, pgp-cert-server-dos, antivirus-nav-fail-open, antivirus-nav-zip-bo, kerberos-gssftpd-dos, sol-ufsrestore-bo, tigris-radius-login-failure, webbanner-input-validation-exe, smartftp-directory-traversal, antisniff-arptest, weblogic-jsp-source-read, websphere-jsp-source-read, freebsd-alpha-weak-encryption, mailstudio-set-passwords, http-cgi-mailstudio-bo, mailstudio-view-files, kerberos-lastrealm-bo, kerberos-localrealm-bo, kerberos-emsg-bo, kerberos-authmsgkdcrequests, kerberos-free-memory, 
openssh-uselogin-remote-exec, mailstudio-cgi-input-vaildation, ceilidh-path-disclosure, ceilidh-post-dos, and nt-admin-lockout.

tags | remote, web, overflow, cgi, spoof, tcp, vulnerability, activex
systems | linux, redhat, windows, freebsd, irix, openbsd, debian, aix
SHA-256 | 56bdbd85738f9ce23d025f2bb8e258e5ea88fba4f6c6be7083dc0867aabe88e2

-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert Summary
July 1, 2000
Volume 5 Number 6

X-Force Vulnerability and Threat Database: http://xforce.iss.net/ To
receive these Alert Summaries as well as other Alerts and Advisories,
subscribe to the Internet Security Systems Alert mailing list at:
http://xforce.iss.net/maillists/index.php

_____

Contents

77 Reported Vulnerabilities:

- win2k-telnetserver-dos
- win2k-cpu-overload-dos
- fw1-resource-overload-dos
- sybergen-routing-table-modify
- ircd-dalnet-summon-bo
- win-arp-spoofing
- imesh-tcp-port-overflow
- ie-active-setup-download
- ftgate-invalid-user-requests
- winproxy-get-dos
- firstclass-large-bcc-dos
- winproxy-command-bo
- boa-webserver-file-access
- ie-access-vba-code-execute
- ie-powerpoint-activex-object-execute
- fortech-proxy-telnet-gateway
- xwin-clients-default-export
- sawmill-file-access
- sawmill-weak-encryption
- netscape-virtual-directory-bo
- netscape-enterprise-netware-bo
- proxyplus-telnet-gateway
- glftpd-privpath-directive
- irc-leafchat-dos
- openbsd-isc-dhcp-bo
- debian-cups-malformed-ipp
- jetadmin-network-dos
- wuftp-format-string-stack-overwrite
- jrun-read-sample-files
- redhat-secure-locate-path
- redhat-gkermit
- weblogic-file-source-read
- netscape-ftpserver-chroot
- linux-kon-bo
- dmailweb-long-username-dos
- dmailweb-long-pophost-dos
- aix-cdmount-insecure-call
- irix-workshop-cvconnect-overwrite
- blackice-security-level-nervous
- linux-libice-dos
- xdm-xdmcp-remote-bo
- webbbs-get-request-overflow
- nettools-pki-http-bo
- nettools-pki-unauthenticated-access
- panda-antivirus-remote-admin
- dragon-telnet-dos
- dragon-ftp-dos
- small-http-get-overflow-dos
- mdaemon-pass-dos
- simpleserver-long-url-dos
- win2k-desktop-separation
- zope-dtml-remote-modify
- pgp-cert-server-dos
- antivirus-nav-fail-open
- antivirus-nav-zip-bo
- kerberos-gssftpd-dos
- sol-ufsrestore-bo
- tigris-radius-login-failure
- webbanner-input-validation-exe
- smartftp-directory-traversal
- antisniff-arptest
- weblogic-jsp-source-read
- websphere-jsp-source-read
- freebsd-alpha-weak-encryption
- mailstudio-set-passwords
- http-cgi-mailstudio-bo
- mailstudio-view-files
- kerberos-lastrealm-bo
- kerberos-localrealm-bo
- kerberos-emsg-bo
- kerberos-authmsgkdcrequests
- kerberos-free-memory
- openssh-uselogin-remote-exec
- mailstudio-cgi-input-vaildation
- ceilidh-path-disclosure
- ceilidh-post-dos
- nt-admin-lockout

_____

Date Reported: 6/30/00
Vulnerability: win2k-telnetserver-dos
Platforms Affected: Windows 2000
Risk Factor: Medium
Attack Type: Network/Host Based

Microsoft Windows 2000 contains a telnet server for users to access the console
remotely. If a user sends a stream of binary zeros to the server, the server
crashes and restarts. If this happens numerous times, the service stops
restarting because its maximum failure count has been reached.

Reference:
Bugtraq Mailing List: "SecureXpert Advisory [SX-20000620-1]" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000630161841.4619A-100000@fjord.fscinternet.com

_____

Date Reported: 6/30/00
Vulnerability: win2k-cpu-overload-dos
Platforms Affected: Windows 2000
Risk Factor: Medium
Attack Type: Network/Host Based

Microsoft Windows 2000 is vulnerable to a binary zero denial of service attack.
If a user sends a stream of binary zeros to any of Windows 2000's ports, CPU
usage rises to 100% and the system slows to a halt.

Reference:
Bugtraq Mailing List: "SecureXpert Advisory [SX-20000620-2]" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000630161935.4619B-100000@fjord.fscinternet.com

_____

Date Reported: 6/30/00
Vulnerability: fw1-resource-overload-dos
Platforms Affected: Firewall 1
Risk Factor: Medium
Attack Type: Network/Host Based

Checkpoint Software's Firewall-1 versions 1.4.0 and 1.4.1 contain a resource
overload denial of service. If a user sends a stream of binary zeros to the
SMTP port (25) on the firewall, the load increases to 100% and the system
slows to a halt.

Reference:
Bugtraq Mailing List: "SecureXpert Advisory [SX-20000620-3]" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000630162106.4619C-100000@fjord.fscinternet.com

_____

Date Reported: 6/30/00
Vulnerability: sybergen-routing-table-modify
Platforms Affected: Sybergen Secure Desktop 2.1
Risk Factor: High
Attack Type: Network Based

Sybergen Secure Desktop 2.1 is a personal firewall that protects a single
computer from malicious attackers. A vulnerability exists in the program in
that it does not properly protect the system from spoofed ICMP router
advertisements. This would allow a remote attacker to modify the routing table,
which would open up such vulnerabilities as disabling the firewall, TCP
redirection, and man-in-the-middle attacks.

Reference:
Bugtraq Mailing List: "Multiple vulnerabilities in Sybergen Secure Desktop" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=4125690E.00524395.00@guardianit.se

_____

Date Reported: 6/29/00
Vulnerability: ircd-dalnet-summon-bo
Platforms Affected: Dalnet ircd 4.6.5
Risk Factor: Medium
Attack Type: Network Based

Internet Relay Chat (IRC) is a popular program used for chatting with other
users across ircd servers. The Dalnet ircd server is vulnerable to a buffer
overflow in the SUMMON command. If a remote user overflows this command and
supplies shellcode, it will be executed as the user running ircd. This is very
difficult to exploit, and default versions of ircd do not have the SUMMON
command enabled.

Reference:
Bugtraq Mailing List: "dalnet 4.6.5 remote vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-06-22&msg=Pine.LNX.3.95.1000628153342.12798A-100000@cannabis.dataforce.net

_____

Date Reported: 6/29/00
Vulnerability: win-arp-spoofing
Platforms Affected: Windows 95
Windows 98
Risk Factor: High
Attack Type: Network Based

Windows 95 and 98 are vulnerable to an ARP spoofing attack. If a user spoofs ARP
packets to the system, it would allow them to overwrite the ARP table with
static IPs that would reroute traffic for specific hosts to other machines on
the same subnet.

Reference:
Bugtraq Mailing List: "Buggy ARP handling in Windoze" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=395B7E64.9FB3D4DB@starzetz.de

_____

Date Reported: 6/29/00
Vulnerability: imesh-tcp-port-overflow
Platforms Affected: iMesh 1.02
Risk Factor: High
Attack Type: Network/Host Based

iMesh is a program that allows users to access and share information from one
desktop to another, rather than over servers. If a user connects to the TCP
port that iMesh is listening to, and creates an overflow that overwrites the
EIP, it would allow them to execute arbitrary code on the vulnerable system.

Reference:
BluePanda Vulnerability Announcement: "iMesh 1.02 vulnerability" at:
http://bluepanda.box.sk/files/imbof102.txt

_____

Date Reported: 6/29/00
Vulnerability: ie-active-setup-download
Platforms Affected: Microsoft Internet Explorer (4.0, 4.01, 5.0, 5.01)
Risk Factor: High
Attack Type: Network Based

Microsoft Internet Explorer uses Active Setup Control which allows Microsoft
signed .cab files to be installed without asking for the user's approval. A
malicious web site operator could embed tags into the web site that would
install .cab files onto a visitor's machine, overwriting existing files,
possibly making the machine unusable.

Reference:
Microsoft Security Bulletin (MS00-042): "Patch Available for 'Active Setup
Download' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-042.asp

_____

Date Reported: 6/28/00
Vulnerability: ftgate-invalid-user-requests
Platforms Affected: FTGate
Risk Factor: Low
Attack Type: Network Based

FTGate is a feature-packed mail server that runs on Windows 95/98 or Windows
NT/2000. FTGate's POP3 server responds to invalid USER requests with a -ERR
code without disconnecting, making it possible for an attacker to brute-force
usernames and passwords.

Reference:
BugTraq Mailing List, Mon Jun 26 2000 14:23:08: "Problems with FTGate" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSF.4.10.10006262019340.87758-100000@unix.za.net

_____

Date Reported: 6/27/00
Vulnerability: winproxy-get-dos
Platforms Affected: WinProxy
Risk Factor: Medium
Attack Type: Network/Host Based

WinProxy is a Windows-based proxy program by Sapporo Works in Japan. If a user
connects to the POP3 or HTTP port and issues a GET command followed by a
forward slash, it causes the proxy to stop responding.

Reference:
Bugtraq Mailing List: "[SPSadvisory #37]WinProxy 2.0.0/2.0.1 DoS and
Exploitable Buffer Overflow" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200006271417.GFE84146.-BJXON@lac.co.jp

_____

Date Reported: 6/27/00
Vulnerability: firstclass-large-bcc-dos
Platforms Affected: FirstClass Internet Services 5.770
Risk Factor: Medium
Attack Type: Network/Host Based

FirstClass Internet Services 5.770 is vulnerable to a denial of service attack.
If a message is received that has an unusually large BCC header (such as many
spam messages do), it causes the FCIS server processes to hang and have to be
restarted.

Reference:
Bugtraq Mailing List: "DoS in FirstClass Internet Services 5.770" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-22&msg=4.3.2.7.2.20000627222545.00b06c80@mailbox80.utcc.utoronto.ca

_____

Date Reported: 6/27/00
Vulnerability: winproxy-command-bo
Platforms Affected: WinProxy
Risk Factor: High
Attack Type: Network/Host Based

WinProxy is a Windows-based proxy program by Sapporo Works in Japan. If a user
connects to the POP3 or HTTP port and issues any of the standard commands such
as USER, PASS, LIST, RETR, or DELE followed by a string of 312 characters or
more, the buffer overflows and the user can execute arbitrary code.

Reference:
Bugtraq Mailing List: "[SPSadvisory #37]WinProxy 2.0.0/2.0.1 DoS and
Exploitable Buffer Overflow" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200006271417.GFE84146.-BJXON@lac.co.jp

_____

Date Reported: 6/27/00
Vulnerability: boa-webserver-file-access
Platforms Affected: BOA Webserver
Risk Factor: High
Attack Type: Network Based

BOA Webserver is a simple, basic command web server for Unix based machines.
Because of the lack of URL parsing, a remote user can access any file on the
machine by specifically formatting a URL such as '/../../../../etc/passwd'.
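The missing step in the BOA case is resolving the request path against the
document root before opening anything. The function below is an added
example, not BOA's code, showing the check a web server needs: it walks the
request lexically, lets ".." pop a component only while there is something
to pop, and rejects any request that would climb above the root. The
docroot and request strings are constructed sample input; the input is
assumed to be already URL-decoded, and a production server would still need
to handle symlinks inside the root.

```c
#include <stdio.h>
#include <string.h>

/* Resolve req against docroot, refusing any path that escapes the root.
 * Returns 1 and writes the resolved path into out on success, 0 if the
 * request is malformed, too long, or climbs above docroot (hypothetical
 * helper; not part of any web server's code). */
int resolve_under_docroot(const char *docroot, const char *req,
                          char *out, size_t outlen)
{
    char work[1024];
    const char *segs[64];      /* accepted path components, in order */
    int nseg = 0;
    char *tok;
    size_t used;
    int n, i;

    if (req == NULL || req[0] != '/' || strlen(req) >= sizeof work)
        return 0;
    strcpy(work, req);

    for (tok = strtok(work, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;                      /* "." is a no-op */
        if (strcmp(tok, "..") == 0) {
            if (nseg == 0)
                return 0;                  /* would leave docroot: reject */
            nseg--;                        /* otherwise drop one component */
            continue;
        }
        if (nseg == 64)
            return 0;                      /* too deep for this buffer */
        segs[nseg++] = tok;
    }

    /* Rebuild as docroot + "/" + each accepted component. */
    n = snprintf(out, outlen, "%s", docroot);
    if (n < 0 || (size_t)n >= outlen)
        return 0;
    used = (size_t)n;
    for (i = 0; i < nseg; i++) {
        n = snprintf(out + used, outlen - used, "/%s", segs[i]);
        if (n < 0 || (size_t)n >= outlen - used)
            return 0;
        used += (size_t)n;
    }
    return 1;
}

int main(void)
{
    /* constructed sample requests, including the traversal from the advisory */
    const char *reqs[] = { "/index.html", "/docs/../index.html",
                           "/../../../../etc/passwd", "/a/../../etc/passwd" };
    char resolved[256];
    size_t i;
    for (i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        if (resolve_under_docroot("/var/www", reqs[i], resolved, sizeof resolved))
            printf("%-28s -> %s\n", reqs[i], resolved);
        else
            printf("%-28s -> rejected\n", reqs[i]);
    }
    return 0;
}
```

Rejecting rather than silently clamping is deliberate: a request that tries
to climb out of the root is worth logging as a probe, and clamping would hide
it.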

Reference:
Bugtraq Mailing List: "BOA Webserver local path problem" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-22&msg=Pine.LNX.4.21.0006271632590.30256-100000@binxdsign.com

_____

Date Reported: 6/27/00
Vulnerability: ie-access-vba-code-execute
Platforms Affected: Microsoft Internet Explorer 5.01
Microsoft Access 2000
Risk Factor: High
Attack Type: Network Based

Microsoft Internet Explorer and Microsoft Access 2000 contain a vulnerability
that would allow a malicious web page to execute Visual Basic for Applications
(VBA) code. If a web page or email message uses IFRAME without prompting the
user, .mdb files with VBA code embedded in them can be executed.

Reference:
Bugtraq Mailing List: "IE 5 and Access 2000 vulnerability - executing programs"
at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=39589359.762392DB@nat.bg

_____

Date Reported: 6/27/00
Vulnerability: ie-powerpoint-activex-object-execute
Platforms Affected: Microsoft Internet Explorer 5.01
Microsoft Powerpoint 2000
Risk Factor: High
Attack Type: Network Based

Microsoft Internet Explorer and Microsoft Powerpoint 2000 contain a
vulnerability that would allow a malicious web page to execute applications on
the affected system. Using IFRAME, ActiveX object tags can be executed which
could save a file anywhere on the system without the user knowing. If the file
is saved in the startup folder, it would be executed the next time a user
restarts Windows.

Reference:
Bugtraq Mailing List: "IE 5 and Excel 2000, PowerPoint 2000 vulnerability -
executing programs" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=39589349.ED9DBCAB@nat.bg

_____

Date Reported: 6/26/00
Vulnerability: fortech-proxy-telnet-gateway
Platforms Affected: Fortech
Risk Factor: Low
Attack Type: Network Based

Proxy+ is an integrated firewall proxy server and mail server. A vulnerability
in the Proxy+ telnet proxy can allow an attacker to connect remotely to the
system resources.

Reference:
BugTraq Mailing List, Mon Jun 26 2000 13:58:20: "Proxy+ Telnet Gateway
Problems" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSF.4.10.10006261954210.87590-100000@unix.za.net

_____

Date Reported: 6/26/00
Vulnerability: xwin-clients-default-export
Platforms Affected: Exceed (6.0.1.0, 6.0.2, 6.1)
Risk Factor: Low
Attack Type: Network Based

Many X Window clients for Windows-based operating systems export sessions to
the world by default. If a remote user can access the session, it is possible
for them to capture keystrokes, usernames, passwords, and other sensitive
information.

Reference:
ducktank.net: "X Window Vulnerabilities making a strong comeback" at:
http://www.ducktank.net/tips/X.html

_____

Date Reported: 6/26/00
Vulnerability: sawmill-file-access
Platforms Affected: Sawmill 5.0.21
Risk Factor: Medium
Attack Type: Network/Host Based

Flowerfire's Sawmill is a program for Unix, Windows-based, or Macintosh
operating systems that logs site statistics. A user can send a malformed URL
to the program over the HTTP server and read the first line of any file on the
system.

Reference:
Bugtraq Mailing List: "sawmill5.0.21 old path bug & weak hash algorithm" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006261615350.606-200000@localhost.localdomain

_____

Date Reported: 6/26/00
Vulnerability: sawmill-weak-encryption
Platforms Affected: Sawmill 5.0.21
Risk Factor: Medium
Attack Type: Network/Host Based

Flowerfire's Sawmill is a program for Unix, Windows-based, or Macintosh
operating systems that logs site statistics. The password file
'SawmillPassword' uses a weak encryption algorithm and a program exists to
decrypt this password, which would give the attacker access to Sawmill for
viewing statistics or reconfiguring it.

Reference:
Bugtraq Mailing List: "sawmill5.0.21 old path bug & weak hash algorithm" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006261615350.606-200000@localhost.localdomain

_____

Date Reported: 6/26/00
Vulnerability: netscape-virtual-directory-bo
Platforms Affected: Netscape Enterprise Server for NetWare (4.1.1, 5.0)
Risk Factor: High
Attack Type: Network Based

Netscape Enterprise Server for NetWare is vulnerable to a buffer overflow. By
issuing a malformed URL, a remote attacker can overflow the buffer and execute
arbitrary code on the system with the privileges of the web server.

Reference:
BugTraq Mailing List, Mon Jun 26 2000 06:02:15: "Netscape Enterprise Server for
NetWare Virtual Directory Vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-01-8&msg=199801122320.PAA09984@passer.osg.gov.bc.ca

_____

Date Reported: 6/26/00
Vulnerability: netscape-enterprise-netware-bo
Platforms Affected: Netscape Enterprise Server
NetWare (5.0, 5.1)
Risk Factor: High
Attack Type: Network/Host Based

Netscape Enterprise Server for Netware 5.0 and 5.1 contains a buffer overflow.
If a user requests a specifically malformed URL to the server, the services
stop responding and the user can execute arbitrary code.

Reference:
Bugtraq Mailing List: "Netscape Enterprise Server for NetWare Virtual Directory
Vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=A5F256C2C72FD411BCD600508B65FE6A02B783@nm-exch-cph.internal.n-m.com

_____

Date Reported: 6/26/00
Vulnerability: proxyplus-telnet-gateway
Platforms Affected: Proxy+ 2.40
Risk Factor: High
Attack Type: Network Based

Fortech's Proxy+ is a service that provides solutions for accessing the
internet from a local area network. Proxy+ restricts remote access via the http
proxy, however it is possible to access the services over the telnet proxy.

Reference:
Bugtraq Mailing List: "Proxy+ Telnet Gateway Problems" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSF.4.10.10006261954210.87590-100000@unix.za.net

_____

Date Reported: 6/26/00
Vulnerability: glftpd-privpath-directive
Platforms Affected: GlFtpd
Risk Factor: High
Attack Type: Network/Host Based

glftpd contains a vulnerability in its checking of access of the privpath
directive. If the attacker knows the name of a directory, they can access the
directory using the chdir command combined with the name completion function
(such as only entering the first letter of the directory).

Reference:
Bugtraq Mailing List: "Glftpd privpath bugs... +fix" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10006261041360.31907-200000@twix.thrijswijk.nl

_____

Date Reported: 6/25/00
Vulnerability: irc-leafchat-dos
Platforms Affected: LeafChat 1.7
Risk Factor: Low
Attack Type: Network Based

The LeafChat IRC client is vulnerable to a denial of service attack by a remote
user. When a LeafChat client receives invalid data from the server, a dialog
box appears with an error message. A remote attacker can send invalid messages
rapidly from the server to consume resources on the client's system and crash
the LeafChat program.

Reference:
BugTraq Mailing List, Sun Jun 25 2000 15:00:06: "LeafChat Denial of Service"
at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSF.4.10.10006252056110.74551-100000@unix.za.net

_____

Date Reported: 6/24/00
Vulnerability: openbsd-isc-dhcp-bo
Platforms Affected: ISC DHCP Client (2.0, 3.0)
Risk Factor: High
Attack Type: Network Based

The ISC Dynamic Host Configuration Protocol Distribution provides a free,
redistributable reference implementation of the DHCP protocol. An input
validation flaw exists in the DHCP client which could allow a remote attacker
to execute commands and obtain root access.

Reference:
BugTraq Mailing List, Wed Jun 21 2000 06:54:08: "Possible root exploit in ISC
DHCP client." at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006211209500.22969-100000@nimue.tpi.pl

_____

Date Reported: 6/22/00
Vulnerability: debian-cups-malformed-ipp
Platforms Affected: Linux Debian (2.2, 2.3)
Risk Factor: Low
Attack Type: Network/Host Based

A denial of service vulnerability exists in certain versions of CUPS (Common
Unix Printing System) which could result in the disruption of printing services.

Reference:
BugTraq Mailing List, Tue Jun 20 2000 00:20:02: "CUPS DoS Bugs" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000620132002.B16494@server1

_____

Date Reported: 6/22/00
Vulnerability: jetadmin-network-dos
Platforms Affected: JetAdmin 6.0
Risk Factor: Medium
Attack Type: Network/Host Based

Hewlett-Packard Web JetAdmin provides a management solution for TCP/IP and IPX
connected peripheral devices. Web JetAdmin is vulnerable to a denial of service
attack. An attacker could send a malformed URL to crash the service and cause
the networked devices to work improperly.

Reference:
Hewlett-Packard Security Bulletin HPSBUX0006-116: "Sec. Vulnerability in Web
JetAdmin 6.0" at:
http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000050014347

_____

Date Reported: 6/22/00
Vulnerability: wuftp-format-string-stack-overwrite
Platforms Affected: wu-ftpd 2.5
Risk Factor: High
Attack Type: Network Based

Washington University's ftp daemon for Unix based operating systems is a
widely used ftp service. It contains a vulnerability that would allow a remote
user to execute arbitrary commands over an anonymous ftp session. If the user
uses the SITE EXEC command, it is possible to overwrite data such as the return
address on the stack. A user can then execute code, as root, that they have
inserted into the string. This is not a standard buffer overflow but an "input
validation" (format string) vulnerability.

Reference:
BugTraq Mailing List, Fri Jun 23 2000 01:18:22: "ftpd: the advisory version"
at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000623091822.3321.qmail@fiver.freemessage.com

_____

Date Reported: 6/22/00
Vulnerability: jrun-read-sample-files
Platforms Affected: Jrun Server
Risk Factor: High
Attack Type: Network Based

Allaire Jrun is a Java application server that supports Java Servlet APIs and
Java Server Pages (JSP). Jrun 2.3.x includes sample files that could allow a
remote user to view files on the web server. By requesting specially crafted
URLs, a remote attacker could view online documentation or sample files, as
well as view files on the web server and retrieve sensitive information.

Reference:
Allaire Security Bulletin ASB00-15: "Workaround available for vulnerabilities
exposed by JRun 2.3.x code sample" at:
http://www.allaire.com/handlers/index.cfm?ID=16290&Method=Full

_____

Date Reported: 6/21/00
Vulnerability: redhat-secure-locate-path
Platforms Affected: Linux RedHat 6.2
Risk Factor: Medium
Attack Type: Host Based

The slocate (Secure Locate) package in Red Hat Linux is used to maintain an
index of the entire filesystem. The program performs insufficient input
validation on the LOCATE_PATH environment variable. An unauthorized user could
construct an invalid LOCATE_PATH variable and cause a possibly exploitable SEGV
(segmentation fault) in Secure Locate.

Reference:
BugTraq Mailing List, Wed Jun 21 2000 06:54:08: "rh 6.2 - gid compromises, etc"
at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006211209500.22969-100000@nimue.tpi.pl

_____

Date Reported: 6/21/00
Vulnerability: redhat-gkermit
Platforms Affected: Linux RedHat 6.2
Risk Factor: Medium
Attack Type: Host Based

The gkermit binary in Red Hat Linux could allow a local attacker to access
sensitive files. The gkermit binary is a Unix utility for transferring files
using the Kermit protocol. A local attacker could use gkermit to gain read and
write access to critical system files, including uucp password files, because
the program is setgid uucp.

Reference:
BugTraq Mailing List, Wed Jun 21 2000 06:54:08: "rh 6.2 - gid compromises, etc"
at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006211209500.22969-100000@nimue.tpi.pl

_____

Date Reported: 6/21/00
Vulnerability: weblogic-file-source-read
Platforms Affected: WebLogic Express
Risk Factor: Medium
Attack Type: Network/Host Based

BEA System's Weblogic web server is vulnerable to a source disclosure
vulnerability. If a user makes an HTTP request and uses the "/file/" at the
end of the URL, this causes the server to display the source of the requested
java applet instead of running it.

Reference:
Foundstone, Inc.: "BEA's WebLogic" at:
http://www.foundstone.com/FS-062100-4-BEA.txt

_____

Date Reported: 6/21/00
Vulnerability: netscape-ftpserver-chroot
Platforms Affected: Netscape Professional Services FTPServer 1.3.6
Risk Factor: High
Attack Type: Network Based

Netscape Professional Services FTP Server version 1.3.6 could allow a remote
attacker to gain root privileges. The FTP server fails to enforce a restricted
user environment (chroot) allowing an FTP user to download any file on the
system. An attacker could download any file on the system (such as /etc/passwd)
and gain root access. An attacker could also upload files with the privileges
of the FTP daemon. Additionally, this FTP server supports LDAP users, and
multiple LDAP accounts use the same physical UID. An attacker could access and
overwrite files on other accounts, or retrieve LDAP user passwords.

Reference:
BugTraq Mailing List, Wed Jun 21 2000 08:13:33: "Netscape FTP Server -
"Professional" as hell :>" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006211351280.23780-100000@nimue.tpi.pl

_____

Date Reported: 6/21/00
Vulnerability: linux-kon-bo
Platforms Affected: Linux RedHat (5.0, 5.1, 5.2, 6.1, 6.2)
Linux Debian (2.1, 2.2, 2.3)
Risk Factor: High
Attack Type: Host Based

The KON (Kanji on Console) package in Linux is used to display Kanji text. KON
binaries "kon" and "fld" are vulnerable to buffer overflows in the stack
that may allow an attacker to gain root access.

Reference:
BugTraq Mailing List, Mon Jun 19 2000 16:51:53: "Problems with "kon2"
package" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006192340340.19998-100000@ferret.lmh.ox.ac.uk

_____

Date Reported: 6/20/00
Vulnerability: dmailweb-long-username-dos
Platforms Affected: NetWin DMailWeb 2.6
NetWin CWMail 2.6
Risk Factor: Low
Attack Type: Network Based

NetWin DMailWeb 2.6 is vulnerable to a denial of service if a remote user sends
a long username with 240 characters or more.

Reference:
BugTraq Mailing List, Tue Jun 20 2000 23:52:22: "NetWin dMailWeb Denial of
Service" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=4.1.20000621113334.00996820@qlink.queensu.ca

_____

Date Reported: 6/20/00
Vulnerability: dmailweb-long-pophost-dos
Platforms Affected: NetWin DMailWeb 2.6
NetWin CWMail 2.6
Risk Factor: Low
Attack Type: Network Based

NetWin DMailWeb 2.6 is vulnerable to a denial of service if a remote user sends
a long pophost with 512 characters or more.

Reference:
BugTraq Mailing List, Tue Jun 20 2000 23:52:22: "NetWin dMailWeb Denial of
Service" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=4.1.20000621113334.00996820@qlink.queensu.ca

_____

Date Reported: 6/20/00
Vulnerability: aix-cdmount-insecure-call
Platforms Affected: AIX
Risk Factor: High
Attack Type: Network Based

The AIX cdmount program is part of the AIX UltiMedia Services (UMS) package,
designed to allow regular users to mount CD-ROM filesystems. Insecure handling
of the arguments to cdmount may allow a local regular user to execute commands
as root. The system()library subroutine is used to spawn a shell to execute the
mount command with arguments provided by the user. By calling cdmount with
arguments containing shell metacharacters, an attacker could execute arbitrary
commands as root. AIX systems with the LPP UMS.objects 2.3.0.0 and below
installed are affected.
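The cdmount entry describes the classic shape of a shell-injection bug: a
privileged program builds a command line from a user argument and hands it to
system(). The block below is an added example, not the AIX cdmount code. It
places the unsafe pattern next to a hardened one that validates the argument
against a strict allow-list and then passes it as a discrete argv element, so
no shell ever parses it. The mount path, mount point and device names are
constructed sample values; the unsafe function only returns the string that
system() would have received and executes nothing.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Characters the shell interprets. Any of these in a user-supplied argument
 * turns a system() call into arbitrary command execution as the caller's
 * effective uid. Returns 1 if s contains one, 0 otherwise. */
int contains_shell_meta(const char *s)
{
    static const char meta[] = ";|&$`<>(){}[]*?~\"'\\\n ";
    return strpbrk(s, meta) != NULL;
}

/* Unsafe pattern (what the advisory describes): the device name is spliced
 * into a command line for system(). Returns 1 if the command line fit; the
 * string is returned for inspection only and is never executed here. */
int build_shell_command_unsafe(const char *device, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/usr/sbin/mount -r %s /cdrom", device);
    return n > 0 && (size_t)n < outlen;
}

/* Hardened pattern: allow-list the argument (here, hypothetically,
 * "/dev/" followed by alphanumerics only), then fill an argv vector for
 * execv()-style functions. Because no shell is involved, metacharacters
 * cannot inject commands; the allow-list additionally stops a name such
 * as "-o" from being read by mount as an option. Returns 1 if argv was
 * filled, 0 if the device name was rejected. */
int build_mount_argv_safe(const char *device, const char *argv[5])
{
    const char *p;
    if (strncmp(device, "/dev/", 5) != 0 || device[5] == '\0')
        return 0;
    for (p = device + 5; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p))
            return 0;
    argv[0] = "/usr/sbin/mount";
    argv[1] = "-r";
    argv[2] = device;
    argv[3] = "/cdrom";
    argv[4] = NULL;
    return 1;
}

int main(void)
{
    /* constructed inputs: a benign device name and one carrying a metacharacter */
    const char *inputs[] = { "/dev/cd0", "/dev/cd0;id", "-o" };
    char cmd[256];
    const char *argv[5];
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("input %-14s shell-meta=%d", inputs[i], contains_shell_meta(inputs[i]));
        if (build_shell_command_unsafe(inputs[i], cmd, sizeof cmd))
            printf("  system() would see: \"%s\"", cmd);
        if (build_mount_argv_safe(inputs[i], argv))
            printf("  execv argv[2]=\"%s\"\n", argv[2]);
        else
            printf("  rejected by allow-list\n");
    }
    return 0;
}
```

The allow-list is the part that carries the weight: switching from system()
to execv() removes the shell, but the program still has to decide which
values the privileged operation may receive, and rejecting anything outside
a narrow pattern is easier to reason about than enumerating bad characters.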

Reference:
Internet Security Systems Security Advisory #55: "Insecure call of external
program in AIX cdmount" at: http://xforce.iss.net/alerts/advise55.php

_____

Date Reported: 6/20/00
Vulnerability: irix-workshop-cvconnect-overwrite
Platforms Affected: IRIX
Risk Factor: High
Attack Type: Network/Host Based

WorkShop is a set of software tools used to debug programs. WorkShop could
allow a remote attacker to overwrite any file on the system, due to a flaw in
the included cvconnect(1M) binary. The cvconnect(1M) binary, which is setuid
root, is invoked by WorkShop and is not intended to be run by users. An
attacker with a local account on the system could use cvconnect(1M) to
overwrite any file, and then gain root access on the system.

Reference:
Silicon Graphics Inc. Security Advisory: "IRIX WorkShop cvconnect(1M)
Vulnerability" at: http://www.securityfocus.com/templates/advisory.html?id=2341

_____

Date Reported: 6/20/00
Vulnerability: blackice-security-level-nervous
Platforms Affected: BlackICE
Risk Factor: High
Attack Type: Network Based

BlackICE is an Intrusion Detection System (IDS) for personal or corporate
use. The BlackICE application fails to block high UDP ports at the "NERVOUS"
configuration level. A remote attacker could use various exploits (such as Back
Orifice) that use high UDP ports to bypass BlackICE and compromise the system.

Reference:
BugTraq Mailing List, Tue Jun 20 2000 00:30:22: "BlackICE by Network ICE Corp
vulnerability against Back Orifice 1.2" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=KIEPJBAEMHMFLDLNKBOBKEOKCAAA.juancho@networkice.com

_____

Date Reported: 6/19/00
Vulnerability: linux-libice-dos
Platforms Affected: Gnome 1.1
Risk Factor: Low
Attack Type: Network Based

The libICE package in many versions of Linux is vulnerable to a denial of
service attack. libICE is an X11 windowing system component. Due to improper
handling of the SKIP_STRING macro, a remote attacker can cause a segfault by
supplying a large skip value. In GNOME, a remote attacker can use the libICE
vulnerability to crash another user's X session.

Reference:
BugTraq Mailing List, Mon Jun 19 2000 16:51:18: "XFree86: libICE DoS" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=Pine.LNX.4.21.0006192220220.9945-100000@ferret.lmh.ox.ac.uk

_____

Date Reported: 6/19/00
Vulnerability: xdm-xdmcp-remote-bo
Platforms Affected: XFree86
Risk Factor: Medium
Attack Type: Network Based

XDM and derivative packages (KDM and WDM) shipped with X Windows are vulnerable
to a buffer overflow in the xdmcp.c error handling code. XDM is an X Window
display manager for Linux. The send_failed() method copies a host name into a
buffer without verifying sufficient memory space. By sending over 256
characters, a remote attacker can overflow the buffer and gain access to the
system. If XDM is run as root, the attacker could gain root privileges. It may
be possible to cause a denial of service by crashing XDM.

Reference:
BugTraq Mailing List, Mon Jun 19 2000 16:51:43: "XFree86: xdm flaw; present in
kdm" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006192325410.19998-100000@ferret.lmh.ox.ac.uk

_____

Date Reported: 6/19/00
Vulnerability: webbbs-get-request-overflow
Platforms Affected: WebBBS 1.1.5
Risk Factor: High
Attack Type: Network/Host Based

WebBBS is a multi-function web server and web-based bulletin board developed by
International TeleCommunications. WebBBS version 1.1.5 is vulnerable to a
buffer overflow in the GET command. By sending a large GET request to the
server on port 80, a remote attacker can overflow a buffer and execute
arbitrary code on the system.

Reference:
Security Team Advisories DST2K0018: "Multiple BufferOverruns in WebBBS HTTP
Server v1.15" at:
http://www.delphisplc.com/thinking/whitepapers/security/DST2K0018.txt

_____

Date Reported: 6/18/00
Vulnerability: nettools-pki-http-bo
Platforms Affected: Net Tools PKI Server
Risk Factor: Medium
Attack Type: Network/Host Based

Network Associates' Net Tools PKI Server contains a vulnerability when a user
sends an unusually long URL to the HTTP server. This will cause the service to
crash and have to be restarted.

Reference:
BugTraq Mailing List, Sun Jun 18 2000 17:19:59: "Net Tools PKI server exploits"
at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=B1F2937B437BD3119603000094A18677169B58@mailer.0.20.172.in-addr.arpa

_____

Date Reported: 6/18/00
Vulnerability: nettools-pki-unauthenticated-access
Platforms Affected: Net Tools PKI Server
Risk Factor: High
Attack Type: Network/Host Based

Network Associates' Net Tools PKI Server uses Xcert Universal Database API
(XUDA) templates. XUDA does not use absolute pathnames so a user can create a
file and gain access to the system.

Reference:
BugTraq Mailing List, Sun Jun 18 2000 17:19:59: "Net Tools PKI server exploits"
at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=B1F2937B437BD3119603000094A18677169B58@mailer.0.20.172.in-addr.arpa

_____

Date Reported: 6/17/00
Vulnerability: panda-antivirus-remote-admin
Platforms Affected: Panda Antivirus 2.0 for NetWare
Risk Factor: High
Attack Type: Network Based

Panda Antivirus is a multi-platform virus protection program. Panda Antivirus
2.0 for NetWare could allow an attacker to execute arbitrary NetWare commands
on the administration server. An unauthenticated remote attacker can telnet to
port 2001 and execute any NetWare command using the CMD command.

Reference:
BugTraq Mailing List, Sat Jun 17 2000 05:10:17: "Infosec.20000617.panda.a" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=41256901.003D5E29.00@mailgw.backupcentralen.se

_____

Date Reported: 6/16/00
Vulnerability: dragon-telnet-dos
Platforms Affected: Dragon Server (1.0, 2.0)
Risk Factor: Medium
Attack Type: Network/Host Based

Dragon Server is vulnerable to a denial of service caused by a buffer overflow
in the Telnet login function. Dragon Server is an FTP and Telnet server for
Windows that is designed to look and function like a Unix program. By sending a
string of 16,500 characters at the Telnet username login prompt, a remote
attacker can cause the Telnet service (port 23) to crash and have to be
restarted.

Reference:
Underground Security System Research Advisory USSR-2000046: "Multiples Remotes
DoS Attacks in Dragon Server v1.00 and v2.00 Vulnerability" at:
http://www.ussrback.com/labs46.html

_____

Date Reported: 6/16/00
Vulnerability: dragon-ftp-dos
Platforms Affected: Dragon Server (1.0, 2.0)
Risk Factor: Medium
Attack Type: Network/Host Based

Dragon Server is vulnerable to a denial of service caused by a buffer overflow
in the FTP login function. Dragon Server is an FTP and Telnet server for
Windows that is designed to look and function like a Unix program. By sending a
string of 16,500 characters at the FTP username prompt (port 21), a remote
attacker can cause the FTP service to crash and have to be restarted.

Reference:
Underground Security System Research Advisory USSR-2000046: "Multiples Remotes
DoS Attacks in Dragon Server v1.00 and v2.00 Vulnerability" at:
http://www.ussrback.com/labs46.html

_____

Date Reported: 6/16/00
Vulnerability: small-http-get-overflow-dos
Platforms Affected: Small HTTP Server
Risk Factor: Medium
Attack Type: Network/Host Based

Small HTTP Server is a web server for Windows. The program is vulnerable to a
denial of service attack caused by a buffer overflow in the GET command. By
sending a GET request of 65,000 characters to the HTTP server service (port
80), an attacker can cause the server to crash and have to be restarted.

Reference:
Underground Security System Research USSR-2000047: "Remote DoS Attack in Small
HTTP Server ver. 1.212 Vulnerability" at: http://www.ussrback.com/labs47.html

_____

Date Reported: 6/16/00
Vulnerability: mdaemon-pass-dos
Platforms Affected: MDaemon
Risk Factor: Medium
Attack Type: Network/Host Based

Deerfield.com's Mdaemon is an email server which supports SMTP, POP3, IMAP4,
and many other applications. If a local or remote user uses the pass command,
then issues the UIDL command and quits immediately before receiving a UIDL
response, then the server crashes and has to be restarted.

Reference:
NTBugtraq Mailing List, Fri, 16 Jun 2000 22:08:44 +0200: "mdaemon 2.8.5.0
WinNT and Win9x remote DoSContent" at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0006&L=ntbugtraq&F=&S=&P=7545

_____

Date Reported: 6/15/00
Vulnerability: simpleserver-long-url-dos
Platforms Affected: AnalogX SimpleServer WWW Version 1.05
Risk Factor: Medium
Attack Type: Network/Host Based

AnalogX SimpleServer:WWW is a standard web server for Windows. Version 1.05 is
vulnerable to a denial of service attack caused by a buffer overflow in the GET
command. By requesting a URL with a long string following the /cgi-bin/
directory, an attacker can crash the server, requiring it to be rebooted.

Reference:
Underground Security System Research USSR-2000045: "Remote DoS attack in
AnalogX SimpleServer WWW Version 1.05 Vulnerability" at:
http://www.ussrback.com/labs45.html

_____

Date Reported: 6/15/00
Vulnerability: win2k-desktop-separation
Platforms Affected: Windows 2000
Risk Factor: Medium
Attack Type: Host Based

Microsoft Windows 2000 could allow an attacker to gain increased privileges on
the local system. The Windows 2000 security architecture restricts processes
through a system of sessions, "window stations", and "desktops". A local
attacker could create a process that runs in a higher-privilege context
("desktop") than the local user. This would give the attacker access to
certain input devices available to the higher-privilege desktop, for instance
allowing the user to monitor local logins to record usernames and passwords.

Reference:
Microsoft Security Bulletin MS00-020: "Patch Available for 'Desktop Separation'
Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-020.asp

_____

Date Reported: 6/15/00
Vulnerability: zope-dtml-remote-modify
Platforms Affected: Zope (2.1.7 and earlier)
Risk Factor: Medium
Attack Type: Network Based

The Z Object Publishing Environment (Zope) could allow a remote attacker to
modify DTML documents. Zope versions 2.1.7 and earlier contain an
insufficiently protected method in one of the base classes in the
DocumentTemplate package. An attacker could change the contents of
DTMLDocuments or DTMLMethods remotely or through DTML code, without being
properly authorized to make such changes.

References:
Zope web site: "News Item: Zope security alert and hotfix product" at:
http://www.zope.org/Products/Zope/Hotfix_06_16_2000/security_alert

BugTraq Mailing List, Thu Jun 15 2000 13:44:52: "[Brian@digicool.com: [Zope]
Zope security alert and 2.1.7 update [*important*]]" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000615214452.C11871@schvin.net

BugTraq Mailing List, Thu Jun 15 2000 23:38:07: "Conectiva Linux Security
Announcement - ZOPE" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000616103807.A3768@conectiva.com.br

Zope.org Home Page: "News Item: Zope security alert and hotfix product" at:
http://www.zope.org/Products/Zope/Hotfix_06_16_2000/security_alert

_____

Date Reported: 6/14/00
Vulnerability: pgp-cert-server-dos
Platforms Affected: Network Associates PGP Certificate Server
Risk Factor: Medium
Attack Type: Network/Host Based

Network Associates PGP Certificate Server is vulnerable to a denial of service
attack. If a local or remote user attempts to access remote server management,
and has an IP address that does not resolve to a hostname, the service crashes
and has to be restarted.

Reference:
Underground Security System Research Advisory USSR-2000044: "Remote DoS attack
in Networks Associates PGP Certificate Server Version 2.5 Vulnerability" at:
http://www.ussrback.com/labs44.html

_____

Date Reported: 6/14/00
Vulnerability: antivirus-nav-fail-open
Platforms Affected: Norton AntiVirus for Microsoft Exchange (2.0 and earlier)
Risk Factor: Medium
Attack Type: Network Based

Norton AntiVirus for Microsoft Exchange is an anti-virus program for detecting
and removing viruses sent in email messages. Under certain circumstances,
versions 2.0 and earlier may enter a "fail-open" state that leaves users
completely unprotected from email viruses. When this failure occurs, the
program logs (in Event Viewer) e-mail messages that contain viruses, but it
fails to clean them from the recipients' mailboxes. The service must be
restarted to restore proper functionality.

References:
BugTraq Mailing List, Wed Jun 14 2000 08:02:16: "Vulnerabilities in Norton
Antivirus for Exchange" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=3947F2D8.18900.89F003@localhost

BugTraq Mailing List, Tue Jun 20 2000 17:38:47: "FW: Vulnerabilities in Norton
Antivirus for Exchange" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=OF16AB62DA.D26E5050-ON88256905.005570DD@symantec.com

_____

Date Reported: 6/14/00
Vulnerability: antivirus-nav-zip-bo
Platforms Affected: Norton AntiVirus for Microsoft Exchange (2.0 and earlier)
Risk Factor: Medium
Attack Type: Network Based

Norton AntiVirus for Microsoft Exchange is an anti-virus program for detecting
and removing viruses sent in email messages. The component for unzipping files
in versions 2.0 and earlier is vulnerable to a buffer overflow. By sending an
email message containing a .ZIP file with a long file name, an attacker can
overflow a buffer and disrupt service on the Norton AntiVirus server. The
attacker may be able to use this vulnerability to embed viruses in .ZIP files
with long names, cause the server to enter an unrecoverable "fail-open"
state, or possibly execute arbitrary code on the mail server.

References:
BugTraq Mailing List, Wed Jun 14 2000 08:02:16: "Vulnerabilities in Norton
Antivirus for Exchange" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=3947F2D8.18900.89F003@localhost

BugTraq Mailing List, Tue Jun 20 2000 17:38:47: "FW: Vulnerabilities in Norton
Antivirus for Exchange" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=OF16AB62DA.D26E5050-ON88256905.005570DD@symantec.com

_____

Date Reported: 6/14/00
Vulnerability: kerberos-gssftpd-dos
Platforms Affected: MIT Kerberos 5-1.1.x
Risk Factor: Medium
Attack Type: Network/Host Based

MIT Kerberos 5-1.1.x is vulnerable to a denial of service attack. The gssftp
daemon could allow a remote user to execute certain FTP commands without
authorization and crash the system. An attacker with a local account may be
able to use this vulnerability to gain root access.

Reference:
Kerberos Security Advisories: "Remote root vulnerability in GSSFTPD" at:
http://web.mit.edu/kerberos/www/advisories/ftp.txt

_____

Date Reported: 6/14/00
Vulnerability: sol-ufsrestore-bo
Platforms Affected: Solaris 8
Risk Factor: High
Attack Type: Host Based

The ufsrestore utility in Sun Solaris is used to restore files from backups
created with the ufsdump command. The ufsrestore utility in Sun Solaris
versions 8 and earlier is vulnerable to a buffer overflow. An attacker can
overflow the buffer that holds the pathname/command for an interactive session
to gain local root access on the system.

Reference:
BugTraq Mailing List, Wed Jun 14 2000 07:59:05: "Vulnerability in Solaris
ufsrestore" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=20000614135905.A8522@itsx2.itsx.com

_____

Date Reported: 6/13/00
Vulnerability: tigris-radius-login-failure
Platforms Affected: Ericsson AXC Tigris MultiService Access Platform
Risk Factor: Medium
Attack Type: Network Based

Ericsson AXC Tigris MultiService Access Platform is a high-density router for
voice and data networks. The Tigris operating system may fail to pass RADIUS
accounting data under certain login conditions. When a remote user attempts to
log in with invalid login credentials, the user's PPP software may prompt them
to retry the login without re-establishing a new connection. A remote attacker
can bypass RADIUS accounting by failing the initial login, and then
successfully logging in when prompted to retry the login.

Reference:
BugTraq Mailing List, Tue Jun 13 2000 12:32:47: "ACC/Ericsson Tigris Accounting
Failure" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=39458F3F.905001A3@pinnacle.net.au

_____

Date Reported: 6/13/00
Vulnerability: webbanner-input-validation-exe
Platforms Affected: WebBanner 4.0
Risk Factor: High
Attack Type: Network/Host Based

Extropia WebBanner version 4.0 is a Perl-based CGI program that randomly
displays banner ads on web pages. The index.cgi script performs insufficient
input validation on data passed to it. By sending a malformed request
containing metacharacters to the script, an attacker can execute arbitrary
commands on the server and gain access as the user running the service,
typically webmaster.

Reference:
BugTraq Mailing List, Tue Jun 13 2000 02:55:53: "CGI: Selena Sol's WebBanner (
Random Banner Generator ) Vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=ILENKALMCAFBLHBGEOFKGEJCCAAA.jwesterink@jwesterink.daxis.nl

_____

Date Reported: 6/13/00
Vulnerability: smartftp-directory-traversal
Platforms Affected: Mindstorm Networks SmartFTP Daemon
Risk Factor: High
Attack Type: Network Based

Mindstorm Networks SmartFTP Daemon could allow a user to create and specify a
modified configuration file to gain privileges on the server. For each FTP
account on the system, the account's user rights and password are stored in a
configuration file (username.FTP_user). A remote attacker with write access
could gain full access to the server by creating a modified configuration file
with a new username. By using "dot dot" sequences in the username field at
login, the attacker can traverse directories on the server to use the new
configuration file.

Reference:
BugTraq Mailing List, Tue Jun 13 2000 12:01:38: "SmartFTP Daemon v0.2 Beta
Build 9 - Remote Exploit" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=15307.960912098@www16.gmx.net

_____

Date Reported: 6/12/00
Vulnerability: antisniff-arptest
Platforms Affected: L0pht's AntiSniff
Risk Factor: Medium
Attack Type: Network Based

L0pht Heavy Industries' AntiSniff program performs an ARP test to scan a
network for systems in promiscuous (sniffing) mode, determining whether a
device is listening to traffic on the local network. An attacker could use
AntiSniff to gain information about a network that could be useful in an
attack. AntiSniff can detect whether an IDS (Intrusion Detection System) is
being used on the network, prompting an attacker to use IDS evasion
techniques. An attacker could also use AntiSniff to locate compromised
machines that have already been placed in promiscuous (sniffing) mode.

Reference:
L0pht Heavy Industries, Inc.: "AntiSniff" at: http://www.l0pht.com/antisniff/

_____

Date Reported: 6/12/00
Vulnerability: weblogic-jsp-source-read
Platforms Affected: BEA WebLogic Server
Risk Factor: Medium
Attack Type: Network/Host Based

BEA WebLogic Server is vulnerable to source code disclosure of Java Server
Pages (JSP files). By requesting a JSP file from the server with the file
extension changed from lowercase .jsp to uppercase .JSP, an attacker can cause
the web server to reveal the source code for the requested JSP file.
Potentially proprietary web server files (such as Java Server Pages) may
contain sensitive information (such as user IDs and passwords) embedded in the
source code that should not be available to remote users.

Reference:
BugTraq Mailing List, Sun Jun 11 2000 13:22:38: "IBM WebSphere JSP showcode
vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-8&msg=2153DBA073F0D311911100B0D01A826F05B770@mail.foundstone.com

_____

Date Reported: 6/12/00
Vulnerability: websphere-jsp-source-read
Platforms Affected: IBM Websphere
Risk Factor: Medium
Attack Type: Network/Host Based

The IBM Websphere web server is vulnerable to source code disclosure of Java
Server Pages (JSP files). By requesting a JSP file from the server with the
file extension changed from lowercase .jsp to uppercase .JSP, an attacker can
cause the web server to reveal the source code for the requested JSP file.
Potentially proprietary web server files (such as Java Server Pages) may
contain sensitive information (such as user IDs and passwords) embedded in the
source code that should not be available to remote users.

Reference:
BugTraq Mailing List, Sun Jun 11 2000 13:19:45: "BEA WebLogic JSP showcode
vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-8&msg=2153DBA073F0D311911100B0D01A826F05B76E@mail.foundstone.com

_____

Date Reported: 6/12/00
Vulnerability: freebsd-alpha-weak-encryption
Platforms Affected: FreeBSD Alpha
Risk Factor: Medium
Attack Type: Host Based

The FreeBSD/Alpha port does not include the /dev/random or /dev/urandom
pseudo-random number generators that are present in other versions of the
FreeBSD kernel. Some applications, such as OpenSSL 0.9.4, do not properly
check for a working /dev/random and fall back to weak seeding, resulting in
weaker encryption.
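The failure mode in this entry is an application that assumes the kernel random device exists and silently proceeds when it does not. The following added example (not FreeBSD or OpenSSL code) shows the check a key-generating program should make before trusting a device path for seed material: the path must exist, be a character device rather than a regular file left in its place, and deliver the full number of bytes requested. The temporary-file fixture is constructed for the demonstration.

```c
/* Added example (not FreeBSD or OpenSSL code): verify that a kernel
 * random device is actually present and usable before using it to seed
 * a key generator. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SEED_BYTES 32

/* Returns 1 if path is a character device from which SEED_BYTES bytes
 * can be read, 0 otherwise. A missing node, a regular file standing in
 * its place, or a short read all count as "no usable PRNG"; the caller
 * must then refuse to generate keys rather than fall back silently. */
int kernel_prng_usable(const char *path)
{
    struct stat st;
    unsigned char seed[SEED_BYTES];
    ssize_t got, total = 0;
    int fd;

    if (stat(path, &st) != 0 || !S_ISCHR(st.st_mode))
        return 0;               /* absent, or not a device node */
    fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    while (total < SEED_BYTES) {
        got = read(fd, seed + total, (size_t)(SEED_BYTES - total));
        if (got <= 0)
            break;              /* EOF or error: treat as unusable */
        total += got;
    }
    close(fd);
    return total == SEED_BYTES;
}

/* Constructed failure case: a regular file full of zero bytes standing in
 * for the device, which a naive "can I open and read it?" check would
 * accept. Returns kernel_prng_usable()'s verdict (0), or -1 on setup error. */
int demo_regular_file_rejected(void)
{
    char name[] = "/tmp/fake-random-XXXXXX";
    unsigned char junk[64];
    int fd, usable;

    memset(junk, 0, sizeof junk);
    fd = mkstemp(name);
    if (fd < 0)
        return -1;
    if (write(fd, junk, sizeof junk) != (ssize_t)sizeof junk) {
        close(fd);
        unlink(name);
        return -1;
    }
    close(fd);
    usable = kernel_prng_usable(name);
    unlink(name);
    return usable;
}

int main(void)
{
    printf("/dev/urandom usable: %d\n", kernel_prng_usable("/dev/urandom"));
    printf("regular file rejected: %d\n", demo_regular_file_rejected() == 0);
    return 0;
}
```

A program that calls this before key generation and aborts on a 0 result turns the silent weak-key condition described in the advisory into a loud, diagnosable failure at install or first-run time.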

References:
FreeBSD Security Advisory FreeBSD-SA-00:25: "FreeBSD/Alpha platform lacks
kernel pseudo-random number generator, some applications fail to detect this"
at: http://www.securityfocus.com/templates/advisory.html?id=2323

NetBSD Security Advisory 2000-007: "bad key generation in libdes if no
/dev/urandom" at:
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-007.txt.asc

_____

Date Reported: 6/10/00
Vulnerability: mailstudio-set-passwords
Platforms Affected: MailStudio 2000
Risk Factor: Medium
Attack Type: Network Based

MailStudio 2000 is a web-based email server for remote users to view mail from
any computer. MailStudio 2000 could allow a remote user to set the password for
a system user if a password is not already set.

Reference:
BugTraq Mailing List, Sat Jun 10 2000 17:17:12: "Re: Mailstudio2000 CGI
Vulnerabilities [S0ftPj.4]" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=394223B8.A61C0517@relaygroup.com

_____

Date Reported: 6/9/00
Vulnerability: mailstudio-view-files
Platforms Affected: MailStudio 2000
Risk Factor: Low
Attack Type: Network Based

MailStudio 2000 is a web-based email server for remote users to view mail from
any computer. MailStudio 2000 could allow a remote user to view files on the
mail server. A remote attacker with a local account can use "dot dot" (/../)
sequences when calling a CGI application to traverse directories and view any
file on the mail server, such as other users' email, password files, log files,
or configuration files.

Reference:
BugTraq Mailing List, Fri Jun 09 2000 14:00:16: "Mailstudio2000 CGI
Vulnerabilities [S0ftPj.4]" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200006091800.UAA02755@MaNTRa.FuZZy.net

_____

Date Reported: 6/9/00
Vulnerability: kerberos-lastrealm-bo
Platforms Affected: MIT Kerberos
Risk Factor: Medium
Attack Type: Network Based

MIT Kerberos is vulnerable to a buffer overflow in the lastrealm variable in
the set_tgtkey() function that could lead to a denial of service. A remote
attacker could overflow this buffer to cause the KDC to issue invalid tickets
for all principals, generate a "principal unknown" error, or crash the KDC
process. Both Kerberos 4 and Kerberos 5 KDC servers that can service version 4
ticket requests are vulnerable.

References:
Kerberos Security Advisory: "MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4
KDC" at: http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt

CERT Advisory CA-2000-11: "MIT Kerberos Vulnerable to Denial-of-Service
Attacks" at: http://www.cert.org/advisories/CA-2000-11.html

_____

Date Reported: 6/9/00
Vulnerability: kerberos-emsg-bo
Platforms Affected: MIT Kerberos
Risk Factor: Medium
Attack Type: Network Based

MIT Kerberos is vulnerable to a buffer overflow in the e_msg variable in the
kerb_err_reply() function that could lead to a denial of service. A remote
attacker could overflow this buffer to cause the KDC to issue invalid tickets
for all principals, generate a "principal unknown" error, or crash the KDC
process. Both Kerberos 4 and Kerberos 5 KDC servers that can service version 4
ticket requests are vulnerable.

References:
Kerberos Security Advisory: "MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4
KDC" at: http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt

CERT Advisory CA-2000-11: "MIT Kerberos Vulnerable to Denial-of-Service
Attacks" at: http://www.cert.org/advisories/CA-2000-11.html

_____

Date Reported: 6/9/00
Vulnerability: kerberos-authmsgkdcrequests
Platforms Affected: MIT Kerberos
Risk Factor: Medium
Attack Type: Network Based

MIT Kerberos 5-1.1.x is vulnerable to a denial of service attack, when
configured to service version 4 ticket requests. The code specific to
AUTH_MSG_KDC_REQUESTs improperly checks for null-termination, which could lead
to a double-free of memory and corruption of the malloc pool. This may result
in the KDC process crashing.

References:
Kerberos Security Advisory: "MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4
KDC" at: http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt

CERT Advisory CA-2000-11: "MIT Kerberos Vulnerable to Denial-of-Service
Attacks" at: http://www.cert.org/advisories/CA-2000-11.html

_____

Date Reported: 6/9/00
Vulnerability: kerberos-free-memory
Platforms Affected: MIT Kerberos
Risk Factor: Medium
Attack Type: Network Based

MIT Kerberos 5-1.1.x is vulnerable to a denial of service attack, when
configured to service version 4 ticket requests. A portion of the Kerberos 4
compatibility code could allow free memory to be improperly freed again. This
causes a double-free of memory, which could corrupt the malloc pool and crash
the KDC process.

References:
Kerberos Security Advisory: "MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4
KDC" at: http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt

CERT Advisory CA-2000-11: "MIT Kerberos Vulnerable to Denial-of-Service
Attacks" at: http://www.cert.org/advisories/CA-2000-11.html

_____

Date Reported: 6/9/00
Vulnerability: openssh-uselogin-remote-exec
Platforms Affected: OpenSSH
Risk Factor: High
Attack Type: Network Based

OpenSSH could allow authenticated users to execute commands with elevated
privileges, if the UseLogin option is enabled. When UseLogin is enabled, the
OpenSSH server uses the login(1) program to switch the uid to that of the user.
However, when a remote user executes a command through ssh, the uid does not
change to the user, and the code executes with the uid of sshd (usually root).
Default installations of OpenSSH are not vulnerable, because UseLogin is
disabled by default.

References:
BugTraq Mailing List, Fri Jun 09 2000 11:06:30: "OpenSSH's UseLogin option
allows remote access with root privilege." at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-8&msg=20000609170629.A4933@folly.informatik.uni-erlangen.de

BugTraq Mailing List, Sat Jun 10 2000 03:11:56: "CONECTIVA LINUX SECURITY
ANNOUNCEMENT - OPENSSH" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-08&msg=20000610141156.F3275@conectiva.com.br

_____

Date Reported: 6/9/00
Vulnerability: mailstudio-cgi-input-vaildation
Platforms Affected: MailStudio 2000
Risk Factor: High
Attack Type: Network Based

MailStudio 2000 is a web-based email server for remote users to view mail from
any computer. MailStudio 2000 could allow a remote user to execute arbitrary
commands on the mail server. Due to insufficient input validation in the
userreg.cgi script, an unauthenticated remote attacker can execute arbitrary
commands on the server by inserting "%0a" into the URL.

Reference:
BugTraq Mailing List, Fri Jun 09 2000 14:00:16: "Mailstudio2000 CGI
Vulnerabilities [S0ftPj.4]" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200006091800.UAA02755@MaNTRa.FuZZy.net

_____

Date Reported: 6/8/00
Vulnerability: ceilidh-path-disclosure
Platforms Affected: Ceilidh v2.60a
Risk Factor: Low
Attack Type: Network Based

Ceilidh v2.60a web bulletin board software could reveal the physical path of
the Ceilidh files. The HTML code generated by ceilidh.exe contains a hidden
form field named "translated_path" that provides the physical location of the
program's files on the web server.

Reference:
Security Team Advisory DST2K0010: "DoS, Path Revealing & BufferOverrun
Vulnerability in Ceilidh v2.60a" at:
http://www.delphisplc.com/thinking/whitepapers/security/DST2K0010.txt

_____

Date Reported: 6/8/00
Vulnerability: ceilidh-post-dos
Platforms Affected: Ceilidh v2.60a
Risk Factor: Low
Attack Type: Network Based

Ceilidh v2.60a web bulletin board software is vulnerable to a denial of service
attack. A remote attacker can consume available resources on the web server
using the POST statement. By repeatedly sending a specially-crafted POST
statement, an attacker can spawn multiple copies of ceilidh.exe, with each copy
consuming 1% of the CPU and 700 KB of memory.

Reference:
Security Team Advisory DST2K0010: "DoS, Path Revealing & BufferOverrun
Vulnerability in Ceilidh v2.60a" at:
http://www.delphisplc.com/thinking/whitepapers/security/DST2K0010.txt

_____

Date Reported: 6/8/00
Vulnerability: nt-admin-lockout
Platforms Affected: Windows NT
Risk Factor: Low
Attack Type: Host Based

Normally, the Administrator account cannot be locked out if an attacker
attempts to guess the password. However, a utility in the Windows NT Resource
Kit called PASSPROP supports this option. If the PASSPROP utility is installed,
the Administrator account will be locked out if an attacker attempts a brute
force or dictionary attack from another computer on the network. This utility
does not block the administrator from logging on locally, even if the account
has been locked out.

Reference:
Microsoft TechNet: "Securing Your Network" at:
http://www.microsoft.com/TechNet/winnt/Winntas/Tips/techrep/secnet.asp

_____

Risk Factor Key:

High: Any vulnerability that provides an attacker with immediate access into a
machine, gains superuser access, or bypasses a firewall. Example: A vulnerable
Sendmail 8.6.5 version that allows an intruder to execute commands on the mail
server.

Medium: Any vulnerability that provides information that has a high potential
of giving system access to an intruder. Example: A misconfigured TFTP or
vulnerable NIS server that allows an intruder to get the password file that
could contain an account with a guessable password.

Low: Any vulnerability that provides information that potentially could lead
to a compromise. Example: A finger that allows an intruder to find out who is
online and potential accounts to attempt to crack passwords via brute force
methods.

_____

Permission is hereby granted for the redistribution of this Alert Summary
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert Summary in any other medium excluding electronic medium,
please e-mail xforce@iss.net for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.

About Internet Security Systems

Internet Security Systems (ISS) is the leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite* security software, ePatrol* remote managed security services,
and strategic consulting and education offerings, ISS is a trusted
security provider to its customers and partners, protecting digital assets
and ensuring safe and uninterrupted e-business. ISS' security management
solutions protect more than 5,500 customers worldwide including 21 of the
25 largest U.S. commercial banks, 10 of the largest telecommunications
companies and over 35 government agencies. Founded in 1994, ISS is
headquartered in Atlanta, GA, with additional offices throughout North
America and international operations in Asia, Australia, Europe, Latin
America and the Middle East. For more information, visit the Internet
Security Systems web site at www.iss.net <http://www.iss.net> or call
888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOWUkuDRfJiV99eG9AQFmcAP+O8+a2+sWgzUKOsPC2m3O0vr0SBiCOCx3
xBQn2tu2TN7/JtNHbXdIA/PySKTpyEpnL4RNbr93P+Br+NfDuT4+5tJg1pQF6d6j
TgpZb/oOgDl0TCx9khBdAXBJOxRakAoAthAsDNeI956N9YcBkNgbaTMxKXairVv1
LOjUVxE9UK4=
=vNze
-----END PGP SIGNATURE-----


