Date: 27 Jul 2004 22:34:12 -0000
From:"Peter Laborge" <plaborge@securityfocus.com>
To:linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #194
SecurityFocus Linux Newsletter #194
------------------------------------

This Issue is Sponsored By: SecurityFocus 

Want to keep up on the latest security vulnerabilities? Don't have time to
visit a myriad of mailing lists and websites to read the news? Just add the
new SecurityFocus RSS feeds to your freeware RSS reader, and see all the
latest posts for Bugtraq and the SF Vulnerability database in one
convenient place. Or, pull in the latest news, columnists and feature
articles in the SecurityFocus aggregated news feed, and stay on top of
what's happening in the community!

http://www.securityfocus.com/rss/index.shtml

------------------------------------------------------------------------
I. FRONT AND CENTER
     1. Wireless Attacks and Penetration Testing (part 3 of 3)
     2. A Promise Falls in the Forest
     3. Mac OS X - Unix? Secure?
II. LINUX VULNERABILITY SUMMARY
     1. Medal Of Honor Allied Assault Remote Buffer Overflow Vulnera...
     2. Extropia WebStore Remote Command Execution Vulnerability
     3. PHPNuke Multiple Input Validation Vulnerabilities
     4. CuteNews Comment HTML Injection Vulnerability
     5. PHPBB Multiple HTTP Response Splitting Vulnerabilities
     6. PHPBB Search.PHP "search_author" Cross-Site Scripting Vulner...
     7. PHP-Nuke Reviews Module "title" Parameter Cross-Site Scripti...
     8. APC PowerChute Business Edition Unspecified Denial Of Servic...
     9. Imatix Xitami Server Side Includes Cross-Site Scripting Vuln...
     10. Linux Kernel Multiple Unspecified Local Privilege Escalation...
     11. Samba Web Administration Tool Base64 Decoder Buffer Overflow...
     12. Samba Filename Mangling Method Buffer Overrun Vulnerability
     13. Linux Kernel Unspecified Local Denial of Service Vulnerabili...
     14. Nessus Insecure Temporary File Creation Vulnerability
     15. Imatix Xitami Malformed Header Remote Denial of Service Vuln...
III. LINUX FOCUS LIST SUMMARY
     1. Hack attempt (Thread)
     2. Access to nfs server, Part 2 (Thread)
     3. SSO on linux (Thread)
     4. Access control for a NFS server (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. Cyber-Ark  Inter-Business Vault
     2. EnCase Forensic Edition
     3. KeyGhost SX
     4. SafeKit
     5. Astaro Linux Firewall
     6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
     1. Lepton's Crack 20031130
     2. popa3d v0.6.4.1
     3. tinysofa enterprise server 2.0-rc1
     4. cenfw 0.2 beta
     5. TinyCA v0.6.4
     6. MIMEDefang v2.44
VII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Wireless Attacks and Penetration Testing (part 3 of 3)
By Jonathan Hassell

This third and final part of the wireless pen-test series looks at how to
mitigate the security risks outlined in the previous articles, and then
looks at some proposed solutions currently in front of the IETF.

http://www.securityfocus.com/infocus/1792


2. A Promise Falls in the Forest
By Mark Rasch

A federal court recently ruled that website privacy policies aren't
binding, because nobody reads them. The implications are far reaching for
contract law and the Internet.

http://www.securityfocus.com/columnists/257


3. Mac OS X - Unix? Secure?
By Daniel Hanson

Apple's OS X is not safer or less susceptible to vulnerabilities and
viruses than other OSes, and Apple's secretive culture is bad for the
security world.

http://www.securityfocus.com/columnists/256

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Medal Of Honor Allied Assault Remote Buffer Overflow Vulnera...
BugTraq ID: 10743
Remote: Yes
Date Published: Jul 17 2004
Relevant URL: http://www.securityfocus.com/bid/10743
Summary:
A remote buffer overflow vulnerability was reported in Medal of Honor 
Allied Assault.  

This issue may permit remote code execution in vulnerable game servers 
and clients.  However, it is reported that clients will only be 
affected in LAN games, as Internet games use the GameSpy protocol.  The issue 
also affects various expansion packs for the game.

2. Extropia WebStore Remote Command Execution Vulnerability
BugTraq ID: 10744
Remote: Yes
Date Published: Jul 17 2004
Relevant URL: http://www.securityfocus.com/bid/10744
Summary:
eXtropia WebStore is prone to a remote command execution vulnerability.  

This issue is due to insufficient input validation and may permit 
execution of commands in the context of the hosting Web server.

3. PHPNuke Multiple Input Validation Vulnerabilities
BugTraq ID: 10749
Remote: Yes
Date Published: Jul 19 2004
Relevant URL: http://www.securityfocus.com/bid/10749
Summary:
It is reported that PHPNuke is susceptible to multiple cross-site 
scripting and SQL injection vulnerabilities.

This can allow for theft of cookie-based authentication credentials and 
other attacks.  Attackers may supply malicious parameters to manipulate 
the structure and logic of SQL queries.

These vulnerabilities were reported in version 7.3 of PHPNuke. Other 
versions may also be affected.

4. CuteNews Comment HTML Injection Vulnerability
BugTraq ID: 10750
Remote: Yes
Date Published: Jul 19 2004
Relevant URL: http://www.securityfocus.com/bid/10750
Summary:
CuteNews is reported prone to an HTML injection vulnerability.

The vulnerability exists due to insufficient sanitization of 
user-supplied input. Specifically, the text of comment posts is not 
sufficiently sanitized of malicious HTML code.

An attacker can exploit this vulnerability by adding HTML code within 
URI arguments. The hostile code may be rendered in the user's browser 
when the user views the entry.

Exploitation could permit an attacker to steal cookie-based 
authentication credentials or launch other attacks.

5. PHPBB Multiple HTTP Response Splitting Vulnerabilities
BugTraq ID: 10753
Remote: Yes
Date Published: Jul 19 2004
Relevant URL: http://www.securityfocus.com/bid/10753
Summary:
phpBB is reported prone to multiple HTTP response splitting 
vulnerabilities. The issues exist in the "privmsg.php" script and the "login.php" 
script. The vulnerabilities present themselves due to a flaw in the 
affected scripts that will allow an attacker to manipulate how GET 
requests are handled.

A remote attacker may exploit these vulnerabilities to influence or 
misrepresent how web content is served, cached or interpreted.
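As an added illustration of the mechanism behind item 5 (this is not phpBB's code and is not drawn from the advisory), the Python below copies a GET parameter into a Location header; a CR/LF pair inside the parameter ends that header, and the bytes that follow are read by a proxy or browser as a second, attacker-authored response. The redirect builder, the parameter value and the minimal response parser are all constructed here for the example; the hardened builder refuses CR and LF before the value reaches a header.

```python
import re

# Attacker-supplied parameter value (constructed for this example). After the
# intended URL it carries CR/LF sequences that close the real response and
# start a second one whose body the attacker controls.
INJECTED_BODY = b"<script>alert(1)</script>"
ATTACK_PARAM = (
    "http://example.invalid/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    f"Content-Length: {len(INJECTED_BODY)}\r\n"
    "\r\n"
    + INJECTED_BODY.decode("ascii")
)


def build_redirect_vulnerable(location: str) -> bytes:
    """The bug pattern: the untrusted value goes straight into a header."""
    return (
        b"HTTP/1.1 302 Found\r\n"
        b"Location: " + location.encode("latin-1") + b"\r\n"
        b"Content-Length: 0\r\n"
        b"\r\n"
    )


def build_redirect_fixed(location: str) -> bytes:
    """Treats header values as their own output context: any CR or LF is
    refused rather than written."""
    if re.search(r"[\r\n]", location):
        raise ValueError("CR/LF in header value")
    return build_redirect_vulnerable(location)


def parse_responses(raw: bytes) -> list:
    """Minimal model of how a client reads a byte stream: headers up to the
    first blank line, then Content-Length bytes of body, then the next
    message. Returns (status_line, headers, body) tuples."""
    responses = []
    pos = 0
    while pos < len(raw):
        end = raw.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = raw[pos:end].decode("latin-1").split("\r\n")
        if not lines[0].startswith("HTTP/"):
            break  # trailing bytes that do not form a message
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        responses.append((lines[0], headers, raw[body_start:body_start + length]))
        pos = body_start + length
    return responses


def responses_seen_by_client(location: str) -> list:
    """What a client parses out of the vulnerable script's output."""
    return parse_responses(build_redirect_vulnerable(location))


def fixed_rejects(location: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        build_redirect_fixed(location)
    except ValueError:
        return True
    return False
```

For the attack string the parser returns two messages: the 302 the script meant to send, followed by a complete 200 response with an attacker-chosen HTML body, which is what a shared cache would store against the next URL fetched on that connection. PHP later added the same refusal of newlines to header() itself (4.4.2 and 5.1.2), but the phpBB versions in the report predate that and the application-level check is the portable fix.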

6. PHPBB Search.PHP "search_author" Cross-Site Scripting Vulner...
BugTraq ID: 10754
Remote: Yes
Date Published: Jul 19 2004
Relevant URL: http://www.securityfocus.com/bid/10754
Summary:
It is reported that one of the scripts included with phpBB is prone to 
a cross-site scripting vulnerability.  According to the author of the 
report, the script "search.php" returns the value of the "search_author" 
request parameter to the client as its output without encoding it or 
otherwise removing potentially hostile content. 

It is reported that magic_quotes_gpc must be turned off in php.ini for 
this vulnerability to exist.  Note that magic quotes only backslash-escapes 
quotes, backslashes and NUL bytes in request data; it is not an output 
encoding and should not be relied on as a cross-site scripting defence.

7. PHP-Nuke Reviews Module "title" Parameter Cross-Site Scripti...
BugTraq ID: 10755
Remote: Yes
Date Published: Jul 19 2004
Relevant URL: http://www.securityfocus.com/bid/10755
Summary:
PHP-Nuke 'reviews' module is prone to a cross-site scripting 
vulnerability.  This issue could allow an attacker to steal cookie-based 
authentication credentials.

An attacker can exploit this issue by creating a malicious link 
containing HTML and script code.  The attacker sends this link to a vulnerable 
user.  When the user follows the link, HTML and script renders in the 
user's browser.

8. APC PowerChute Business Edition Unspecified Denial Of Servic...
BugTraq ID: 10777
Remote: Unknown
Date Published: Jul 21 2004
Relevant URL: http://www.securityfocus.com/bid/10777
Summary:
It is reported that APC PowerChute Business Edition is susceptible to 
an unspecified denial of service vulnerability.

Reportedly, all versions of the software between 6.0 and 7.0.1 contain 
a denial of service vulnerability that affects servers and agents. It 
does not affect the ability of the software to shut down computers in the 
event of a power failure.

APC has released version 7.0.2 addressing this issue.

This BID will be updated as further information is disclosed.

9. Imatix Xitami Server Side Includes Cross-Site Scripting Vuln...
BugTraq ID: 10778
Remote: Yes
Date Published: Jul 22 2004
Relevant URL: http://www.securityfocus.com/bid/10778
Summary:
It is reported that Imatix Xitami is affected by a cross-site scripting 
vulnerability in the server side includes test script.  This issue is 
due to a failure of the application to properly sanitize user-supplied 
input.

Successful exploitation of this issue will allow an attacker to execute 
arbitrary script code in the browser of an unsuspecting user.  This may 
potentially be exploited to hijack web content or steal cookie-based 
authentication credentials from legitimate users.
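Items 3, 4, 6, 7 and 9 share one root cause: a request parameter is echoed into an HTML page without being encoded for that context. The Python below is an added example, not code from phpBB, PHP-Nuke, CuteNews or Xitami; the page template and the payload are constructed here. It emulates PHP's magic_quotes_gpc with an addslashes() equivalent to show why that setting is not an XSS defence (a payload containing no quotes, backslashes or NUL bytes passes through untouched), contrasts it with HTML-encoding the value at output time, and uses a real HTML parser to check whether an injected element actually lands in the page.

```python
import html
from html.parser import HTMLParser

# Hypothetical output template standing in for a script that echoes a
# parameter such as search_author or title back into the page.
TEMPLATE = "<p>Results for author: {}</p>"

# Constructed payload: it contains no quote characters, so addslashes()
# leaves every byte of it alone.
PAYLOAD = "<script>alert(document.cookie)</script>"


def magic_quotes_gpc(value: str) -> str:
    """Emulates what PHP's magic_quotes_gpc did to request data: a backslash
    before ' " \\ and NUL. It was aimed at SQL and does nothing for markup."""
    return "".join(("\\" + ch) if ch in "'\"\\\0" else ch for ch in value)


def render_vulnerable(author: str, magic_quotes: bool = False) -> str:
    """Echoes the parameter into the page with no output encoding."""
    if magic_quotes:
        author = magic_quotes_gpc(author)
    return TEMPLATE.format(author)


def render_fixed(author: str, magic_quotes: bool = False) -> str:
    """Encodes the value for an HTML text context at the point of output,
    the equivalent of wrapping the echo in htmlspecialchars()."""
    if magic_quotes:
        author = magic_quotes_gpc(author)
    return TEMPLATE.format(html.escape(author, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(fragment: str, expected=("p",)) -> list:
    """Parses the fragment the way a browser would and returns any element
    the template did not put there. A non-empty list means the injection
    landed regardless of what php.ini said about magic quotes."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return [t for t in parser.tags if t not in expected]
```

Whether magic quotes happens to break a particular payload depends on the output context and on the characters the payload needs, which is why the report for item 6 lists it as a precondition; the quote-free payload here survives it unchanged in both renderings, while the encoded rendering yields no element the template did not contain. Encoding at output for the actual context (HTML text, attribute, or JavaScript string) removes the bug class independently of php.ini.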

10. Linux Kernel Multiple Unspecified Local Privilege Escalation...
BugTraq ID: 10779
Remote: No
Date Published: Jul 22 2004
Relevant URL: http://www.securityfocus.com/bid/10779
Summary:
Linux Kernel is reported prone to multiple unspecified privilege 
escalation vulnerabilities.  These vulnerabilities may allow a local attacker 
to gain elevated privileges or disclose kernel memory.

These vulnerabilities were referenced in a SuSE advisory; however, 
further details are not currently available.  It is possible that these 
issues are related to BID 10566 (Linux Kernel Multiple Device Driver 
Vulnerabilities).  This BID will be updated or retired as more information 
becomes available.

It is reported that these issues present themselves in Linux kernel 
2.6.

11. Samba Web Administration Tool Base64 Decoder Buffer Overflow...
BugTraq ID: 10780
Remote: Yes
Date Published: Jul 22 2004
Relevant URL: http://www.securityfocus.com/bid/10780
Summary:
It has been reported that Samba Web Administration Tool (SWAT) is 
affected by a base64 decoder buffer overflow vulnerability. This issue is 
due to a failure of the application to properly validate buffer 
boundaries when copying user-supplied input into a finite buffer.

Successful exploitation of this issue will allow a remote, 
unauthenticated attacker to execute arbitrary code on the affected computer with 
the privileges of the affected process; Samba typically runs with 
superuser privileges.

12. Samba Filename Mangling Method Buffer Overrun Vulnerability
BugTraq ID: 10781
Remote: Yes
Date Published: Jul 22 2004
Relevant URL: http://www.securityfocus.com/bid/10781
Summary:
Samba is reported prone to an undisclosed buffer overrun vulnerability 
in its handling of file name mangling when the "hash" mangling method 
is in use.

It is conjectured that the overrun is triggered when the affected 
server mangles a specially crafted filename. To exploit this 
vulnerability, an attacker may require sufficient access to write a file 
with such a name to a published Samba share.

It is reported that the vulnerability does not exist in default Samba 
configurations; by default, Samba 3.0 employs the "hash2" name mangling 
method, which is not vulnerable. Only servers whose smb.conf explicitly 
sets "mangling method = hash" (the method Samba 2.2 used, sometimes kept 
for compatibility of mangled names) reach the affected code.

This vulnerability is reported to affect Samba version 3.0.0 and later.

13. Linux Kernel Unspecified Local Denial of Service Vulnerabili...
BugTraq ID: 10783
Remote: No
Date Published: Jul 22 2004
Relevant URL: http://www.securityfocus.com/bid/10783
Summary:
Linux kernel is reported prone to an unspecified local denial of 
service vulnerability.  The issue is reported to affect only ia64 systems.  
A local attacker can exploit this issue by causing the kernel to 
dereference a NULL pointer and panic.  Successful exploitation will lead to a 
denial of service condition on the vulnerable computer.

No further details are available at this time.  This issue will be 
updated as more information becomes available.

14. Nessus Insecure Temporary File Creation Vulnerability
BugTraq ID: 10784
Remote: No
Date Published: Jul 22 2004
Relevant URL: http://www.securityfocus.com/bid/10784
Summary:
Nessus is reported prone to an insecure temporary file creation 
vulnerability.

This vulnerability presents itself in the 'nessus-adduser' script. This 
script is used to add users to the Nessus application. These users are 
independent of the system user database, and are used to define access 
roles and limits in the application.

When creating new users, Nessus insecurely creates a temporary file.

A non-privileged user with interactive access could overwrite any file 
on the system with superuser privileges. The attacker does not control 
the data being written, just the location of the file.

An attacker could also exploit this issue to modify the rules assigned 
to the new nessus user, allowing or denying access to scan hosts within 
Nessus.

Versions of 2.0.x prior to 2.0.12 and the experimental version 2.1.0 
are reported to be vulnerable to this issue.
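The item above describes the classic insecure temporary file pattern: a privileged script writes to a predictable path, and a local user who plants a symbolic link at that path first redirects the write onto any file of their choosing, controlling the destination but not the data. The Python below is an added, self-contained demonstration that runs inside a throwaway directory; it is not the nessus-adduser script, and the file names and contents it uses are made up for the example. It replays the attack against the unsafe open, against the same fixed path opened with O_EXCL (which fails instead of following a pre-existing link), and against tempfile.mkstemp, which combines an unpredictable name with O_EXCL.

```python
import os
import tempfile

ORIGINAL = b"root:x:0:0:root:/root:/bin/sh\n"  # stands in for a root-owned file
WRITTEN = b"rules for the new nessus user\n"   # what the privileged script writes


def write_unsafely(path: str, data: bytes) -> None:
    """The vulnerable pattern: predictable name, O_CREAT without O_EXCL.
    If an attacker already created 'path' as a symlink, open() follows it
    and the data lands in the link's target with the writer's privileges."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def write_with_excl(path: str, data: bytes) -> bool:
    """Same fixed path, but O_CREAT|O_EXCL: POSIX requires open() to fail if
    the path already exists, a dangling or planted symlink included.
    Returns False when the open is refused."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True


def write_with_mkstemp(directory: str, data: bytes) -> str:
    """Unpredictable name plus O_EXCL, so there is nothing to pre-create.
    Returns the path actually used."""
    fd, path = tempfile.mkstemp(prefix="adduser.", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Replays the symlink attack against each variant in a private dir."""
    results = {}
    with tempfile.TemporaryDirectory() as sandbox:
        target = os.path.join(sandbox, "victim")
        predictable = os.path.join(sandbox, "adduser.tmp")  # hypothetical fixed name

        def reset():
            with open(target, "wb") as f:
                f.write(ORIGINAL)
            if os.path.lexists(predictable):
                os.unlink(predictable)
            os.symlink(target, predictable)  # attacker plants the link first

        def target_contents():
            with open(target, "rb") as f:
                return f.read()

        reset()
        write_unsafely(predictable, WRITTEN)
        results["unsafe_overwrote_target"] = target_contents() == WRITTEN

        reset()
        results["excl_refused"] = not write_with_excl(predictable, WRITTEN)
        results["excl_target_intact"] = target_contents() == ORIGINAL

        reset()
        used = write_with_mkstemp(sandbox, WRITTEN)
        results["mkstemp_used_new_file"] = used != predictable and not os.path.islink(used)
        results["mkstemp_target_intact"] = target_contents() == ORIGINAL
    return results
```

The unsafe variant reproduces exactly the symptom the item notes: the attacker never touches the data, only where it ends up. For a shell script the equivalent of the mkstemp variant is mktemp(1) rather than a name built from the program name or PID under /tmp.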

15. Imatix Xitami Malformed Header Remote Denial of Service Vuln...
BugTraq ID: 10785
Remote: Yes
Date Published: Jul 22 2004
Relevant URL: http://www.securityfocus.com/bid/10785
Summary:
A vulnerability is identified in the handling of certain types of 
requests by Xitami. Because of this, it is possible for a remote attacker to 
deny service to legitimate users of a vulnerable server. 

Xitami 2.5c1 is reported prone to this issue, however, other versions 
may be affected as well.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. Hack attempt (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/369855

2. Access to nfs server, Part 2 (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/369850

3. SSO on linux (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/369843

4. Access control for a NFS server (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/369508

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. Cyber-Ark  Inter-Business Vault
By: Cyber-Ark
Platforms: Linux, Windows 2000, Windows NT, Windows XP
Relevant URL: 
http://www.cyber-ark.com/datasecuritysoftware/inter-business_vault.htm
Summary: 

Based on Cyber-Ark Software's Vaulting Technology, the Inter-Business 
Vault is an information security solution that enables organizations to 
safely overcome traditional network boundaries in order to securely share 
business information among customers, business partners, and remote 
branches. It provides a seamless, LAN-like experience over the Internet 
that includes the security, performance, accessibility, and ease of 
administration required to allow organizations to share everyday 
information worldwide.

2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, 
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: 
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary: 

EnCase Forensic Edition Version 4 delivers the most advanced features 
for computer forensics and investigations. With an intuitive GUI and 
superior performance, EnCase Version 4 provides investigators with the 
tools to conduct large-scale and complex investigations with accuracy and 
efficiency. Guidance Software's award winning solution yields 
completely non-invasive computer forensic investigations while allowing 
examiners to easily manage large volumes of computer evidence and view all 
relevant files, including "deleted" files, file slack and unallocated 
space. 

The integrated functionality of EnCase allows the examiner to perform 
all functions of the computer forensic investigation process. EnCase's 
EnScript, a powerful macro-programming language and API included within 
EnCase, allows investigators to build customized and reusable forensic 
scripts.

3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, 
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary: 

KeyGhost SX discreetly captures and records all keystrokes typed, 
including chat conversations, email, word processor, or even activity within 
an accounting or specialist system. It is completely undetectable by 
software scanners and provides you with one of the most powerful stealth 
surveillance applications offered anywhere. 

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded 
data in its own internal memory (not on the hard drive), it is 
impossible for a network intruder to gain access to any sensitive data stored 
within the device.

4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary: 

Evidian's SafeKit technology makes it possible to render any 
application available 24 hours per day. With no extra hardware: just use your 
existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to 
do is add more standard servers into the cluster. With the load 
balancing features of SafeKit, you can distribute applications over multiple 
servers. If one system fails completely, the others will continue to 
serve your users.

5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary: 

Astaro Linux Firewall: All-in-one firewall, virus protection, content 
filtering and spam protection internet security software package for 
Linux. 
Free download for home users.

6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris, 
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary: 

A low-cost, easy to use two-factor authentication one-time-password 
token that runs on the user's cellular phone. It does not use SMS or any 
other communication channel, and manages multiple OTP accounts. Intended 
for any business that wants safer access to its Internet services. More 
information is available at our site.
 
We also provide an eAuthentication service for businesses that would 
rather pay a monthly charge for authentication services from our CAT 
Server than buy an authentication product.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. Lepton's Crack 20031130
By: Lepton and Nekromancer
Relevant URL: http://www.nestonline.com/lcrack/lcrack-20031130-beta.zip
Platforms: Linux, MacOS, Os Independent, UNIX, Windows 2000, Windows 
NT, Windows XP
Summary: 

Lepton's Crack is a generic password cracker. It is easily-customizable 
with a simple plugin system and allows system administrators to review 
the quality of the passwords being used on their systems. It can 
perform a dictionary-based (wordlist) attack as well as a brute force 
(incremental) password scan. It supports standard MD4 hash, standard MD5 hash, 
NT MD4/Unicode, Lotus Domino HTTP password (R4), and SHA-1 hash 
formats. LM (LAN Manager) plus appending and prepending

2. popa3d v0.6.4.1
By: Solar Designer, solar@openwall.com
Relevant URL: http://www.openwall.com/popa3d/
Platforms: Linux, Solaris
Summary: 

popa3d is a POP3 daemon which attempts to be extremely secure, 
reliable, RFC compliant, and fast (in that order).

3. tinysofa enterprise server 2.0-rc1
By: Omar Kilani
Relevant URL: http://www.tinysofa.org
Platforms: Linux, POSIX
Summary: 

tinysofa enterprise server is a secure, enterprise-grade server 
operating system. It is based on Trustix Secure Linux and includes a 
complete distribution port to Python 2.3 and RPM 4.2; an overhauled PAM 
authentication system providing system-wide authentication 
configuration; the latest upstream packages; the replacement of ncftp with 
lftp; the addition of gdb and screen; feature additions to the swup updater 
(multiple configuration file support, user login FTP support, 
enable/disable support, and variable expansion support, which allows multiple 
architectures); and many other enhancements.

4. cenfw 0.2 beta
By: Peter Robinson
Relevant URL: http://www.securegateway.org
Platforms: Linux, Windows 2000, Windows 95/98, Windows CE, Windows NT, 
Windows XP
Summary: 

The Centron IPTables Firewall GUI is an object-oriented, database-driven 
Windows interface to Linux iptables firewall rules.

5. TinyCA v0.6.4
By: Stephan Martin
Relevant URL: http://tinyca.sm-zone.net/
Platforms: Linux, OpenNMS, POSIX
Summary: 

TinyCA is a simple GUI written in Perl/Tk to manage a small 
certification authority. It is based on OpenSSL and Perl modules from the OpenCA 
project. TinyCA lets you manage X.509 certificates. It is possible to 
export data in PEM or DER format for use with servers, as PKCS#12 for use 
with clients, or as S/MIME certificates for use with email programs. It 
is also possible to import your own PKCS#10 requests and generate 
certificates from them.

6. MIMEDefang v2.44
By: David F. Skoll
Relevant URL: http://www.mimedefang.org/
Platforms: Linux, Perl (any system supporting perl), UNIX
Summary: 

MIMEDefang is a flexible MIME e-mail scanner designed to protect 
Windows clients from viruses. It can alter or delete various parts of a MIME 
message according to a very flexible configuration file. It can also 
bounce messages with unacceptable attachments. MIMEDefang works with 
Sendmail 8.11's new "Milter" API, which gives it much more flexibility than 
procmail-based approaches.

VII. SPONSOR INFORMATION
------------------------

This Issue is Sponsored By: SecurityFocus 

Want to keep up on the latest security vulnerabilities? Don't have time to
visit a myriad of mailing lists and websites to read the news? Just add the
new SecurityFocus RSS feeds to your freeware RSS reader, and see all the
latest posts for Bugtraq and the SF Vulnerability database in one
convenient place. Or, pull in the latest news, columnists and feature
articles in the SecurityFocus aggregated news feed, and stay on top of
what's happening in the community!

http://www.securityfocus.com/rss/index.shtml

------------------------------------------------------------------------