-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert Summary
August 1, 2000
Volume 5 Number 7

X-Force Vulnerability and Threat Database: http://xforce.iss.net/ To
receive these Alert Summaries as well as other Alerts and Advisories,
subscribe to the Internet Security Systems Alert mailing list at:
http://xforce.iss.net/maillists/index.php

_____

Contents

37 Reported Vulnerabilities

 - analogx-proxy-ftp-crash
 - analogx-proxy-pop3-crash
 - analogx-proxy-socks4-crash
 - roxen-null-char-url
 - wftpd-stat-info
 - bair-security-removal
 - roxen-admin-pw-readable
 - wftpd-stat-dos
 - wftpd-rest-dos
 - wftpd-mlst-dos
 - outlook-express-mail-browser-link
 - winamp-playlist-parser-bo
 - outlook-date-overflow
 - tomcat-error-path-reveal
 - tomcat-snoop-info
 - website-webfind-bo
 - alibaba-cgi-script-directory-listing
 - alibaba-get-dos
 - website-httpd32-bo
 - alibaba-script-file-overwrite
 - zeroport-weak-encryption
 - linux-usermode-dos
 - blackboard-courseinfo-dbase-modification
 - lsoft-listserv-querystring-bo
 - linux-nfsutils-remote-root
 - iis-absent-directory-dos
 - blackboard-courseinfo-plaintext
 - cvsweb-shell-access
 - webactive-long-get-dos
 - worldclient-dir-traverse
 - http-cgi-bigbrother-bbhostsvc
 - apache-source-asp-file-write
 - netware-port40193-dos
 - netscape-admin-server-password-disclosure
 - cisco-pix-firewall-tcp
 - mssql-manager-password
 - minivend-viewpage-sample

Risk Factor Key

_____

Date Reported:    7/25/00
Vulnerability:    analogx-proxy-ftp-crash
Platforms Affected:  AnalogX Proxy
Risk Factor:    Low
Attack Type:    Network Based

AnalogX Proxy is a proxy server that has the ability to proxy requests for many 
different services. AnalogX Proxy is vulnerable to a denial of service attack 
caused by a buffer overflow in the USER command. By sending an FTP USER command 
containing 370 characters or more to TCP port 21, a remote attacker can 
overflow the buffer and crash the service.

Reference:
Foundstone, Inc. Security Advisory: "AnalogX Proxy DoS" at: 
http://www.foundstone.com/FS-072500-7-ANA.txt

_____

Date Reported:    7/25/00
Vulnerability:    analogx-proxy-pop3-crash
Platforms Affected:  AnalogX Proxy
Risk Factor:    Low
Attack Type:    Network Based

AnalogX Proxy is a proxy server that has the ability to proxy requests for many 
different services. AnalogX Proxy is vulnerable to a denial of service attack 
caused by a buffer overflow in the USER command. By sending a POP3 USER command 
containing 370 characters or more to TCP port 110, a remote attacker can 
overflow the buffer and crash the service.

Reference:
Foundstone, Inc. Security Advisory: "AnalogX Proxy DoS" at: 
http://www.foundstone.com/FS-072500-7-ANA.txt

_____

Date Reported:    7/25/00
Vulnerability:    analogx-proxy-socks4-crash
Platforms Affected:  AnalogX Proxy
Risk Factor:    Low
Attack Type:    Network Based

AnalogX Proxy is a proxy server that has the ability to proxy requests for many 
different services. AnalogX Proxy is vulnerable to a denial of service attack 
caused by a buffer overflow in the CONNECT request. By sending a SOCKS4 CONNECT 
request with a user ID field of 1800 characters or more to TCP port 1080, a 
remote attacker can overflow the buffer and crash the service.

Reference:
Foundstone, Inc. Security Advisory: "AnalogX Proxy DoS" at: 
http://www.foundstone.com/FS-072500-7-ANA.txt

_____

Date Reported:    7/22/00
Vulnerability:    roxen-null-char-url
Platforms Affected:  Roxen 2.0
Risk Factor:    Medium
Attack Type:    Network Based

Roxen is a platform that is used to develop and manage dynamic web sites. Roxen 
2.0 could allow an attacker to view directory listings. By submitting a 
specially-crafted URL containing null characters, a remote attacker can obtain 
a directory listing the directories having index files. It may also be possible 
for a remote attacker to read the source code of CGI files or obtain other 
sensitive data.

Reference:
BugTraq Mailing List, Fri Jul 21 2000 21:53:34: "Roxen security alert: Problems 
with URLs containing null characters." at: 
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3D76r98nc4m9.fsf@rimmer.idonex.se

_____

Date Reported:    7/21/00
Vulnerability:    wftpd-stat-info
Platforms Affected:  WFTPD 2.4.1
Risk Factor:    Low
Attack Type:    Network Based

WFTPD FTP server is vulnerable to a denial of service attack. A remote attacker 
can issue a STAT request while a file transfer is in progress to display the 
path and file name on the server. The server must be restarted to regain 
functionality before it can respond to any additional FTP requests.

Reference:
BugTraq Mailing List, Fri Jul 21 2000 20:46:14: "WFTPD/WFTPD Pro 2.41 RC11 
vulnerabilities" at: 
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D200007210829.SAA01763@mailman.zeta.org.au

_____


Date Reported:    7/21/00
Vulnerability:    bair-security-removal
Platforms Affected:  BAIR 
Risk Factor:    Medium
Attack Type:    Host Based

BAIR web filtering software includes a setting to block access to the Internet 
Explorer options menu. However, a local attacker can modify the system registry 
to access this options menu. An attacker can delete the 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BAIR Secure to gain full 
access to the Internet Explorer options menu. An attacker could use this to 
bypass security and reconfigure Internet Explorer.

Reference:
BugTraq Mailing List, Fri Jul 21 2000 07:26:40: "More bad censorware" at: 
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3D4.3.2.7.2.20000721222424.00b5b330@gatekeeper.cloudview.com

_____

Date Reported:    7/21/00
Vulnerability:    roxen-admin-pw-readable
Platforms Affected:  Roxen 2.0
Risk Factor:    Medium
Attack Type:    Network Based

Roxen 2.0 is a platform that is used to develop and manage dynamic web sites. 
Roxen 2.0 stores the encrypted administrator password in a file that is 
readable by any user. A remote attacker can access the 
/usr/local/roxen/configurations/_configinterface/settings/administrator_uid 
file to obtain the encrypted web admin password. A remote attacker can retrieve 
the encrypted password, and then decrypt it, to gain full access to the web 
server.

Reference:
BugTraq Mailing List, Thu Jul 20 2000 23:48:18: "Roxen Web Server 
Vulnerability" at: 
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3D20000721074818.A10870@sdf.freeshell.org

_____

Date Reported:    7/21/00
Vulnerability:    wftpd-stat-dos
Platforms Affected:  WFTPD 2.4.1
Risk Factor:    Medium
Attack Type:    Network Based

WFTPD FTP server is vulnerable to a denial of service attack. A remote attacker 
can issue a STAT command at the same time that a LIST is in progress to crash 
the FTP server. The server must be restarted to regain funtionality before it 
can respond to any additional FTP requests.

Reference:
BugTraq Mailing List, Fri Jul 21 2000 20:46:14: "WFTPD/WFTPD Pro 2.41 RC11 
vulnerabilities" at: 
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D200007210829.SAA01763@mailman.zeta.org.au

_____

Date Reported:    7/21/00
Vulnerability:    wftpd-rest-dos
Platforms Affected:  WFTPD 2.4.1
Risk Factor:    Medium
Attack Type:    Network Based

WFTPD FTP server is vulnerable to a denial of service attack. A remote attacker 
can issue a REST command to write past a file that does not exist, or past the 
end of an existing file, to crash the FTP server. The server must be restarted 
to regain functionality before it can respond to any additional FTP requests.

Reference:
BugTraq Mailing List, Fri Jul 21 2000 20:46:14: "WFTPD/WFTPD Pro 2.41 RC11 
vulnerabilities" at: 
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D200007210829.SAA01763@mailman.zeta.org.au

_____

Date Reported:    7/21/00
Vulnerability:    wftpd-mlst-dos
Platforms Affected:  WFTPD 2.4.1
Risk Factor:    Medium
Attack Type:    Network Based

WFTPD FTP server is vulnerable to a denial of service attack. A remote attacker 
can issue a MLST command before logging in and issuing a password (with the 
USER and PASS commands) to crash the server. The server must be restarted to 
regain functionality before it can respond to any additional FTP requests.

Reference:
BugTraq Mailing List, Fri Jul 21 2000 20:46:14: "WFTPD/WFTPD Pro 2.41 RC11 
vulnerabilities" at: 
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D200007210829.SAA01763@mailman.zeta.org.au

_____

Date Reported:    7/20/00
Vulnerability:    outlook-express-mail-browser-link
Platforms Affected:  Microsoft Outlook Express (4.0 - 5.1)
Risk Factor:    Low
Attack Type:    Network Based

Microsoft Outlook Express versions 4.0 through 5.1 could allow a remote 
attacker to view a user's email messages. In Outlook Express, an email message 
can contain a link to open a separate browser window that refers back to (or 
"reads") the open email message. A vulnerability in Outlook Express could 
allow an attacker to make this browser window permanently refer back to the 
open email message, until the user closes the browser window or exits Outlook 
Express. Attackers could use this to send a message that would allow them to 
view the recipient's subsequent email messages displayed in the preview pane."

Reference:
Microsoft Security Bulletin MS00-045: "Patch Available for 'Persistent 
Mail-Browser Link' Vulnerability" at: 
http://www.microsoft.com/technet/security/bulletin/MS00-045.asp

_____

Date Reported:    7/20/00
Vulnerability:    winamp-playlist-parser-bo
Platforms Affected:  Winamp 2.10
Risk Factor:    Medium
Attack Type:    Network Based

Winamp is a high-fidelity music player for Windows 95/98/NT. By loading a 
specially crafted M3U file with a #EXTINF: variable of 280 characters or more 
on a user's computer, a remote attacker can overflow the buffer and execute 
arbitrary code on the system.

References:
BugTraq Mailing List, Fri Jul 21 2000 02:23:53: "Re: Winamp M3U playlist parser 
buffer overflow security vulnerability" at: 
http://securityfocus.com/templates/archive.pike?list=1&msg=OFC40D0B40.4D3E7C9E-ONC1256923.0022766E@mn.man.de

BugTraq Mailing List, Thu Jul 20 2000 11:52:56: "Winamp M3U playlist parser 
buffer overflow security vulnerability" at: 
http://securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3DLAW-F83FV4TJvGa1hXE000013d0@hotmail.com

_____

Date Reported:    7/19/00
Vulnerability:    outlook-date-overflow
Platforms Affected:  Outlook Express (4.0, 5.0)
      Microsoft Outlook (97, 98, 2000)
Risk Factor:    High
Attack Type:    Network Based

Microsoft Outlook and Outlook Express are vulnerable to a buffer overflow in 
the the inetcomm.dll component shared by the programs, which could allow a 
remote attacker to execute arbitrary code on your system. By sending an email 
message using either the POP3 or IMAP4 protocols with a date header value of 
excessive length, a remote attacker can overflow a buffer and execute arbitrary 
code on your system. The malicious email can begin executing code when it is 
retrieved by the server, before the user previews or opens the message. Users 
that only retrieve mail using MAPI (Microsoft Messaging API), including 
Microsoft Exchange users, are not affected by this vulnerability.

References:
Microsoft Security Bulletin MS00-043: "Patch Available for 'Malformed E-mail 
Header' Vulnerability" at: 
http://www.microsoft.com/technet/security/bulletin/MS00-043.asp

Internet Security Systems Security Alert #57: "Buffer Overflow in Microsoft 
Outlook and Outlook Express Mail Clients" at: 
http://xforce.iss.net/alerts/advise57.php

_____

Date Reported:    7/19/00
Vulnerability:    tomcat-error-path-reveal
Platforms Affected:  Jakarta Tomcat
Risk Factor:    Low
Attack Type:    Network/Host Based

Jakarta Tomcat reveals sensitive path information. Jakarta Tomcat is a Java 
application server used with Apache web servers to support Java Servlet Pages 
(JSP) and Java servlets. When a user requests the URL of a filename that is not 
found, the program returns an error message that provides the physical path to 
the web directory that was contained in the request. An attacker could use this 
to gain information about the file structure of the web server that would be 
helpful in an attack.

Reference:
BugTraq Mailing List, Wed, 19 Jul 2000 06:45:13: "[LoWNOISE] Tomcat 3.1 Path 
Revealing Problem." at: 
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3DPine.SUN.3.96.1000719184401.17782A-100000@grex.cyberspace.org

_____

Date Reported:    7/19/00
Vulnerability:    tomcat-snoop-info
Platforms Affected:  Jakarta Tomcat
Risk Factor:    Low
Attack Type:    Netowrk/Host Based

Jakarta Tomcat snoop servlet reveals sensitive information about the web 
server. Jakarta Tomcat is a Java application server used with Apache web 
servers to support Java Servlet Pages (JSP) and Java servlets. When a user 
requests the snoop servlet, the program returns detailed information about the 
web server, including the physical path to the web directory and the web server 
operating system and software version. An attacker could use this to gain 
information about the web server that would be helpful in an attack.

Reference:
BugTraq Mailing List, Wed Jul 19 2000 11:56:21: "[LoWNOISE] Snoop Servlet 
(Tomcat 3.1 and 3.0)" at: 
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3DPine.SUN.3.96.1000719235404.24004A-100000@grex.cyberspace.org

_____

Date Reported:    7/19/00
Vulnerability:    website-webfind-bo
Platforms Affected:  WebSite Professional (2.3.18, 2.4, 2.4.9)
Risk Factor:    High
Attack Type:    Network Based

O'Reilly  WebSite Professional 2.3.18, 2.4, and 2.4.9 is vulnerable to a buffer 
overflow in the webfind.exe search utility. By entering a long request to the 
keywords string, a remote attacker can overflow the buffer and execute 
arbitrary code on the system.

Reference:
O'Reilly Software: "WebSite Professional 2.x Updates" at: 
http://website.oreilly.com/support/software/wsp2x_updates.cfm

_____

Date Reported:    7/18/00
Vulnerability:    alibaba-cgi-script-directory-listing
Platforms Affected:  Alibaba 2.0
Risk Factor:    Low
Attack Type:    Network Based

The Alibaba web server could allow a remote attacker to view directory 
listings. Many of the .exe scripts in the cgi-bin directory allow a user to 
send a specially-crafted URL to the server and obtain a directory listing of 
any directory on the server.

Reference:
BugTraq Mailing List, Mon Jul 17 2000 16:33:16: "Multiple bugs in Alibaba 2.0" 
at: 
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200007181533.IAA21707@Rage.Resentment.org

_____

Date Reported:    7/18/00
Vulnerability:    alibaba-get-dos
Platforms Affected:  Alibaba 2.0
Risk Factor:    Medium
Attack Type:    Network Based

The Alibaba web server is vulnerable to a denial of service, caused by a buffer 
overflow. A remote attacker can send an abnormally long GET request to the 
server to overflow a buffer and shut down the server. The web server must be 
restarted to regain functionality.

Reference:
BugTraq Mailing List, Mon Jul 17 2000 16:33:16: "Multiple bugs in Alibaba 2.0" 
at: 
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200007181533.IAA21707@Rage.Resentment.org

_____

Date Reported:    7/18/00
Vulnerability:    website-httpd32-bo
Platforms Affected:  WebSite Professional 2.4
Risk Factor:    Medium
Attack Type:    Network Based

O’Reilly WebSite Professional 2.4 is vulnerable to a buffer overflow in the 
httpd32.exe program. By submitting a long GET request or long “Referer” client 
header, a remote attacker can overflow a buffer and execute arbitrary code on 
the system.

References:
Cerberus Information Security Advisory CISADV000717: "Website Pro GET buffer 
overflow" at: http://www.cerberus-infosec.co.uk/advisories.html

O'Reilly Software: "WebSite Professional 2.x Updates" at: 
http://website.oreilly.com/support/software/wsp2x_updates.cfm

_____

Date Reported:    7/18/00
Vulnerability:    alibaba-script-file-overwrite
Platforms Affected:  Alibaba 2.0
Risk Factor:    High
Attack Type:    Network Based

The Alibaba web server could allow a remote attacker to overwrite files. Many 
of the .exe scripts in the cgi-bin directory allow a user to send a 
specially-crafted URL to the server and overwrite any file on the system.

Reference:
BugTraq Mailing List, Mon Jul 17 2000 16:33:16: "Multiple bugs in Alibaba 2.0" 
at: 
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200007181533.IAA21707@Rage.Resentment.org

_____

Date Reported:    7/18/00
Vulnerability:    zeroport-weak-encryption
Platforms Affected:  NetZero ZeroPort 3.0
Risk Factor:    High
Attack Type:    Host Based

NetZero, a free Internet service provider, uses a program called ZeroPort to 
establish a connection and authenticate the user. NetZero ZeroPort 3.0 and 
earlier uses weak encryption to store the user's password in the id.dat text 
file. An attacker with access to this file can decrypt the username and 
password using a substitution cipher.  L0pht released the encryption algorithm 
used by ZeroPort, making it available to the public.

Reference:
L0pht Research Labs Security Advisory 07.18.2000: "NetZero Password Encryption 
Algorithm" at: http://www.l0pht.com/advisories/netzero.txt

_____

Date Reported:    7/17/00
Vulnerability:    linux-usermode-dos
Platforms Affected:  Linux-Mandrake 7.1
Risk Factor:    Low
Attack Type:    Host Based

The usermode package in Linux-Mandrake 7.1 could allow a local user without 
root access to reboot the machine or crash the server. The files that give 
users access to reboot, shutdown, halt, and poweroff the system all are 
affected.

Reference:
BugTraq Mailing List, Mon Jul 17 2000 23:09:37: "MDKSA-2000:020 usermode 
update" at: 
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3D20000718130936.S29595@mandrakesoft.com

_____

Date Reported:    7/17/00
Vulnerability:    blackboard-courseinfo-dbase-modification
Platforms Affected:  Blackboard CourseInfo 4.0
Risk Factor:    Medium
Attack Type:    Network/Host Based

Blackboard CourseInfo 4.0 course management software could allow any user who 
has a valid account to make modifications to the database. An attacker can 
enter custom form values through any perl script located in /bin and its 
subdirectories to change other user's passwords or assign elevated security 
privileges.

Reference:
BugTraq Mailing List, Tue Jul 18 2000 06:59:57: "Blackboard Courseinfo v4.0 
User Authentication" at: 
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3DNDBBJCMNOLEKOCMECKFHCEPMCGAA.amini@eecs.tulane.edu

BugTraq Mailing List, Wed Jul 19 2000 00:19:04: "Security Fix for Blackboard 
CourseInfo 4.0" at: 
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D20000719151904.I17986@securityfocus.com

_____

Date Reported:    7/17/00
Vulnerability:    lsoft-listserv-querystring-bo
Platforms Affected:  Listserv
Risk Factor:    High
Attack Type:    Network Based

L-Soft LISTSERV is a system that creates, manages, and controls electronic 
mailing lists’on a corporate network. L-Soft LISTSERV is vulnerable to a 
buffer overflow in the web archive component. By sending a long query string to 
wa or wa.exe, a remote attacker can overflow the buffer and execute arbitrary 
code on the system with privileges of the LISTSERV daemon.

References:
Network Associates, Inc. Security Advisory #43: "LISTSERV Web Archive Remote 
Overflow" at: http://www.nai.com/nai_labs/asp_set/advisory/43_Advisory.asp

L-Soft Security Advisory #1 17 July 2000: "THE 2000b LEVEL SET" at: 
http://www.lsoft.com/news/default.asp?item=Advisory1

_____

Date Reported:    7/15/00
Vulnerability:    linux-nfsutils-remote-root
Platforms Affected:  Red Hat Linux (6.0, 6.1, 6.2)
      Debian Linux (2.2, 2.3)
      Mandrake Linux (7.0, 7.1)
Risk Factor:    High
Attack Type:    Network Based

The nfs-utils package in many Linux distributions could allow a remote attacker 
to gain root acess. The rpc.statd program included with nfs-utils is vulnerable 
to root compromise.

References:
Red Hat, Inc. Security Advisory RHSA-2000:043-03: "Updated package for 
nfs-utils available" at: 
http://www.redhat.com/support/errata/RHSA-2000-043-03.html

Caldera Systems, Inc.  Security Advisory CSSA-2000-025.0: "rpc.statd is not a 
problem on OpenLinux" at: 
http://www.calderasystems.com/support/security/advisories/CSSA-2000-025.0.txt

Debian Security Advisory: "nfs-common (from nfs-utils)" at: 
http://www.debian.org/security/2000/20000719a

_____

Date Reported:    7/14/00
Vulnerability:    iis-absent-directory-dos
Platforms Affected:  IIS 3.0
Risk Factor:    Low
Attack Type:    Network/Host Based

Microsoft Internet Information Server (IIS) is vulnerable to a denial of 
service attack. An administrative script installed with IIS 3.0 enters an 
infinite loop if an expected argument is missing. An attacker can use this to 
consume all CPU resources on the server. IIS 4.0 and 5.0 are only vulnerable if 
version 3.0 was previously installed on the system.

Reference:
Microsoft Security Bulletin MS00-044: ""Patch Available for ""Absent Directory 
Browser Argument"" Vulnerability"" at: 
http://www.microsoft.com/TechNet/security/bulletin/MS00-044.asp

ISBASE Security Advisory (SA2000-02): "IIS ISM.DLL truncation exposes file 
content" at: 
http://securityfocus.com/frames/?content=/templates/advisory.html%3Fid%3D2412

_____

Date Reported:    7/14/00
Vulnerability:    blackboard-courseinfo-plaintext
Platforms Affected:  Blackboard CourseInfo 4.0
Risk Factor:    High
Attack Type:    Network/Host Based

Blackboard CourseInfo 4.0 course management software stores the local 
administrator username and password in plaintext in the registry. An attacker 
can use this username and password to connect to the server and access critical 
system information.

Reference:
NTBugtraq Mailing List, Mon, 10 Jul 2000 08:43:21 -0500: "Blackboard CourseInfo 
4.0 stores admin password in clear text" at: 
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0007&L=NTBUGTRAQ&P=R1647

_____

Date Reported:    7/14/00
Vulnerability:    cvsweb-shell-access
Platforms Affected:  CVSWeb 1.85
Risk Factor:    High
Attack Type:    Network/Host Based

The CVSWeb package version 1.85 and earlier could allow a remote user with 
commit access to a CVS repository to cause the CGI program to execute arbitrary 
commands. The Perl code in the cvsweb.cgi program invokes an open() call 
insecurely. An attacker can create a file name containing shell metacharacters 
to execute the shell code on the system. A user with commit access, but who 
does not have shell access to the CVS repository, can use this vulnerability to 
gain shell access.

References:
Linux-Mandrake Security Update Advisory MDKSA-2000:019: "SECURITY UPDATE: 
cvsweb" at: http://www.linux-mandrake.com/en/fupdates.php3#7.1

Debian Security Advisory 20000719b: "cvsweb: unauthorized remote code 
execution" at: http://www.debian.org/security/2000/20000719b

BugTraq Mailing List, Tue Jul 11 2000 23:34:27: "cvsweb: remote shell for cvs 
committers" at: 
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000712143427.H15253@kitenet.net

_____

Date Reported:    7/13/00
Vulnerability:    gatekeeper-long-string-bo
Platforms Affected:  Proxy-Pro GateKeeper 3.6
Risk Factor:    Medium
Attack Type:    Network Based

Proxy-Pro GateKeeper proxy server 3.6 and earlier is vulnerable to a buffer 
overflow. By sending a long string containing over 4096 characters to port 2000 
on the server, a remote attacker can overflow a buffer and execute arbitrary 
code or crash the server. The server must be restarted to regain functionality.

Reference:
BugTraq Mailing List, Thu Jul 13 2000 11:48:01: "The MDMA Crew's GateKeeper 
Exploit" at: 
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D00af01bfece2%24a52cbd80%24367e1ec4@kungphusion

_____

Date Reported:    7/12/00
Vulnerability:    webactive-long-get-dos
Platforms Affected:  ITAfrica WEBactive 1.0
Risk Factor:    Low
Attack Type:    Network Based

ITAfrica WEBactive 1.0 HTTP Server is vulnerable to a denial of service, caused 
by a buffer overflow. By requesting a URL containing more than 280 characters, 
a remote attacker can overflow a buffer and crash the server.

Reference:
BugTraq Mailing List, Wed Jul 12 2000 09:27:38: "Lame DoS in WEBactive win65/NT 
server" at: 
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26thread%3D200007130827.BAA32671@Rage.Resentment.org

_____

Date Reported:    7/12/00
Vulnerability:    worldclient-dir-traverse
Platforms Affected:  Deerfield WorldClient 2.1
Risk Factor:    High
Attack Type:    Network Based

Deerfield WorldClient 2.1 could allow a remote user to traverse directories on 
the server. WorldClient a server for providing web-based access to email 
accounts. A remote attacker can traverse directories on the server by 
requesting a specially-crated URL containing "dot dot" (/../) sequences. An 
attacker can use this to download any file on the system if the attacker knows 
or could guess the name of the file.

Reference:
BugTraq Mailing List, Wed Jul 12 2000 04:16:57: 
"Infosec.20000712.worldclient.2.1" at: 
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D4125691A.00387C3A.00@guardianit.se

_____

Date Reported:    7/11/00
Vulnerability:    http-cgi-bigbrother-bbhostsvc
Platforms Affected:  Big Brother
Risk Factor:    Medium
Attack Type:    Network Based

Big Brother is a Unix-based distributed network monitoring package that allows 
network administrators to view the status of networks and machines from a web 
browser. Due to a vulnerability in the host services ("bb-hostsvc.sh") CGI 
program, a remote attacker could view directory and file contents on a Big 
Brother server.

Reference:
BugTraq Mailing List, Mon Jul 10 2000 19:10:28: "REMOTE EXPLOIT IN ALL CURRENT
VERSIONS OF BIG BROTHER" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=00071110152805.00679@sj-soc-wks1.priv.nuasis.com
_____

Date Reported:    7/11/00
Vulnerability:    apache-source-asp-file-write
Platforms Affected:  Apache
Risk Factor:    Medium
Attack Type:    Network/Host Based

Apache web server could allow remote attackers to write to files on the web 
server. Due to a vulnerability in the source.asp file, an attacker can write to 
files that are in the same directory as the source.asp sample file.

Reference:
BugTraq Mailing List, Mon Jul 10 2000 19:38:56: "ANNOUNCE Apache::ASP v1.95 - 
Security Hole Fixed" at: 
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D20000711033856.17708.qmail@securityfocus.com

_____

Date Reported:    7/11/00
Vulnerability:    netware-port40193-dos
Platforms Affected:  Novell NetWare 5.0
Risk Factor:    Medium
Attack Type:    Network Based

Novell NetWare 5.0 is vulnerable to a denial of service attack. A remote 
attacker can send packets of random data to port 40193 of the NetWare server to 
crash the server. The server must be restarted to resume normal operation.

Reference:
BugTraq Mailing List, Tue Jul 11 2000 09:26:56: "Remote Denial Of Service -- 
NetWare 5.0 with SP 5" at: 
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D000501bfeab5%249330c3d0%24d801a8c0@dimuthu.baysidegrp.com.au

_____

Date Reported:    7/11/00
Vulnerability:    netscape-admin-server-password-disclosure
Platforms Affected:  Netscape SuiteSpot
Risk Factor:    Medium
Attack Type:    Network/Host Based

Netscape SuiteSpot web server suite default installation includes the Netscape 
Administration Server, which contains the Java and JavaScript forms used to 
configure the SuiteSpot servers. The encrypted administrative password is 
stored in the admpw file, in a readable local directory on the the SuiteSpot 
server. An attacker could retrieve this file, and then decrypt the password to 
gain full access to the administration server console.

Reference:
BugTraq Mailing List, Tue Jul 11 2000 10:46:22: "Security Advisory ( 
netscape.ad.00-07 ) : Netscape Administration Server Password Disclosure" at: 
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-8%26msg%3D00071122473300.00796@ninja

_____

Date Reported:    7/11/00
Vulnerability:    cisco-pix-firewall-tcp
Platforms Affected:  Cisco Secure PIX Firewall 5.1(1)
Risk Factor:    High
Attack Type:    Network Based

Cisco Secure PIX Firewall version 5.1(1) and earlier could allow a remote 
attacker to terminate an established TCP/IP connection. The Secure PIX Firewall 
cannot distinguish between a forged TCP Reset packet and a genuine TCP Reset 
packet, if the source IP address, source port, destination IP address, and 
destination port are correct.

Reference:
Cisco Systems Field Notice, July 11, 2000: "Cisco Secure PIX Firewall TCP Reset 
Vulnerability" at: http://www.cisco.com/warp/public/707/pixtcpreset-pub.shtml

_____

Date Reported:    7/11/00
Vulnerability:    mssql-manager-password
Platforms Affected:  Microsoft SQL Server 7.0
Risk Factor:    High
Attack Type:    Host Based

Microsoft SQL Server 7.0 Enterprise Manager could allow a local user to a 
username and password for the server. If a SQL Server is registered under 
Enterprise Manager with a username and password instead of with Windows 
Authentication, the password is stored in the Registered Server Properties 
dialog box, hidden with asterisks. However, an attacker could use an available 
utility to reveal the actual password.

Reference:
Microsoft Security Bulletin MS00-041: ""Patch Available for ""DTS Password"" 
Vulnerability"" at: 
http://www.microsoft.com/technet/security/bulletin/ms00-041.asp

_____

Date Reported:    7/10/00
Vulnerability:    minivend-viewpage-sample
Platforms Affected:  MiniVend
Risk Factor:    High
Attack Type:    Network Based

MiniVend is a free, Perl-based web shopping cart system for Unix systems. An 
insecure open() call in the MiniVend UTIL.PM module could allow remote 
attackers to execute arbitrary commands, if they have access to the 
VIEW_PAGE.HTML sample file. This vulnerability affects users who have installed 
the "simple" catalog that ships with MiniVend as a sample.

Reference:
ZDNet News: "How a cracker defeated 'Hackopen'" at: 
http://www.zdnet.com/zdnn/stories/news/0,4586,2600258,00.html

_____

Risk Factor Key:

        High    Any vulnerability that provides an attacker with immediate
                access into a machine, gains superuser access, or bypasses
                a firewall.  Example:  A vulnerable Sendmail 8.6.5 version
                that allows an intruder to execute commands on mail
                server.
        Medium  Any vulnerability that provides information that has a
                high potential of giving system access to an intruder.
                Example: A misconfigured TFTP or vulnerable NIS server
                that allows an intruder to get the password file that
                could contain an account with a guessable password.
        Low     Any vulnerability that provides information that
                potentially could lead to a compromise.  Example:  A
                finger that allows an intruder to find out who is online
                and potential accounts to attempt to crack passwords
                via brute force methods.

_____

Permission is hereby granted for the redistribution of this Alert Summary
electronically.  It is  not to be edited in any way without express
consent of the X-Force.  If you wish to reprint the whole or any part of
this Alert Summary in any other medium excluding electronic medium,   
please e-mail xforce@iss.net for permission.

Disclaimer
The information within this paper may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at:   http://xforce.iss.net/sensitive.php3 as 
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.

About Internet Security Systems

Internet Security Systems (ISS) is the leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite* security software, ePatrol* remote managed security services,
and strategic consulting and education offerings, ISS is a trusted
security provider to its customers and partners, protecting digital assets
and ensuring safe and uninterrupted e-business. ISS' security management
solutions protect more than 5,500 customers worldwide including 21 of the
25 largest U.S. commercial banks, 10 of the largest telecommunications
companies and over 35 government agencies. Founded in 1994, ISS is
headquartered in Atlanta, GA, with additional offices throughout North
America and international operations in Asia, Australia, Europe, Latin
America and the Middle East. For more information, visit the Internet
Security Systems web site at www.iss.net <http://www.iss.net>  or call 
888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOYizcDRfJiV99eG9AQFAowP9ENtJEYB5dLHco2/Yq6Z9NNDnbSJLjGbh
cDRpnzZZGq451wYxXXYcldVptJ0SSJp5rkT1+VOHT4gHasHfIDtEC9Y6ROcyjltg
TA67ej/KCXaVfqsptyg9JMl1DPMalP9qZbSaLn+YsWPXYjDbKfZvDV/1eJ80i3ou
EesO57LGbuk=
=tGKp
-----END PGP SIGNATURE-----