VARIoT IoT vulnerabilities database


VAR-200403-0129 CVE-2004-1840 PHP-Nuke MS-Analysis Module Multiple Cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in MS Analysis module 2.0 for PHP-Nuke allow remote attackers to inject arbitrary web script or HTML via the (1) screen parameter to modules.php, (2) module_name parameter to title.php, (3) sortby parameter to modules.php, or (4) overview parameter to modules.php. MS-Analysis has been reported to be prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure of the application to properly sanitize user-supplied URI parameters. A remote attacker could craft a link to the vulnerable application that includes hostile HTML and script code; if a victim follows that link, the code is rendered in the victim's browser in the security context of the affected web site, which may allow theft of cookie-based authentication credentials or other attacks
VAR-200412-1177 CVE-2004-1832 Apple Mac OS X Server Management Service Unknown Remote Buffer Overflow Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Buffer overflow in the GUI admin service in Mac OS X Server 10.3 allows remote attackers to cause a denial of service (crash and restart) via a large amount of data to TCP port 660. The service has been reported to be exclusively associated with port 660. Reports indicate that when the service handles a request of roughly 2056 bytes it crashes and restarts; one report cites 2057 characters as the trigger and suggests that the overflow might allow execution of arbitrary instructions with the privileges of the process, but this has not been confirmed. This BID will be updated as further details regarding this issue are disclosed. Mac OS X is an operating system used on Mac machines, based on BSD. No detailed vulnerability information is currently available
VAR-200412-1211 CVE-2004-1762 F-Secure Anti-Virus for Linux fails to properly detect Sober.D virus CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Unknown vulnerability in F-Secure Anti-Virus (FSAV) 4.52 for Linux before Hotfix 3 allows the Sober.D worm to bypass FSAV. A hotfix for this vulnerability has been released. F-Secure Anti-Virus is prone to a remote security vulnerability
VAR-200408-0170 CVE-2004-0375 Vulnerabilities in multiple Symantec products CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
SYMNDIS.SYS in Symantec Norton Internet Security 2003 and 2004, Norton Personal Firewall 2003 and 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 and 1.1 allows remote attackers to cause a denial of service (infinite loop) via a TCP packet with (1) a SACK option or (2) an Alternate Checksum Data option followed by a length of zero. The issue is reported to lie in the TCP packet processing routines of the affected software. It has a system-wide impact: the Windows GUI and the peripherals attached to the host become unresponsive, and a hard reset is required to restore normal operation. The information in this BID was consolidated from BID 10204, as both BIDs represented the same issue; BID 10204 is being retired. According to the report, this vulnerability cannot be exploited to execute arbitrary commands, and no further technical details are currently available beyond the advisory below.

The vulnerability allows a remote attacker to reliably render a system inoperative with one single packet. Physical access is required in order to bring an affected system out of this "frozen" state. The flaw exists within the component that performs low-level processing of TCP packets.

Technical Description: The vulnerability exists in SYMNDIS.SYS when parsing the TCP options of a TCP packet. The only way to bring the system back online is to hard-boot it, which requires physical access to the system. The attacker only needs to send a single packet to any port on the system, regardless of whether or not the port is open, and the flaw is reachable whether the firewall or IDS features are enabled or disabled. Below is the tail of a TCP SYN packet (total length 44 bytes) carrying a bad SACK option; the last ten bytes of the TCP header are shown with their field boundaries:

  40 00         Window Size
  57 4B         Checksum
  00 00         Urgent Pointer
  01 01 05 00   TCP Options: NOP (01), NOP (01), SACK (kind 05) with length 00

The vulnerable code maintains an offset into the TCP option bytes and attempts to advance past a variable-length option by adding the option's length field to the offset. If the length field is zero, the offset never advances, the loop never terminates, and the machine halts completely.

Protection: Retina Network Security Scanner has been updated to identify this vulnerability.

Vendor Status: Symantec has released a patch for this vulnerability. The patch is available via the Symantec LiveUpdate service. This vulnerability has been assigned the CVE identifier CAN-2004-0375.

Credit: Discovery: Karl Lynn

Related Links: Retina Network Security Scanner - Free 15 Day Trial http://www.eeye.com/html/Products/Retina/download.html

Copyright (c) 1998-2004 eEye Digital Security. Feedback: eEye Digital Security http://www.eEye.com info@eEye.com
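The option-walking bug described above, reproduced as an added example (this is not eEye's or Symantec's code). The option bytes are the four shown in the sample packet; the naive walker advances by the option's own length field and is capped at a fixed iteration count so the spin can be observed rather than hanging, while the hardened walker rejects any variable-length option whose length is below 2 or which overruns the option area:

```python
"""TCP option walker: a zero-length option spins the naive loop forever.

Added example illustrating CAN-2004-0375; not the driver's own code. The
sample option bytes are the ones printed in the advisory's packet dump.
"""

# Constructed from the advisory's dump: NOP, NOP, SACK (kind 5) with length 0.
SAMPLE_OPTIONS = bytes.fromhex("01010500")

EOL, NOP = 0, 1


def walk_options_naive(opts, max_iterations=1000):
    """Advance by the option's own length field, as the vulnerable driver did.

    A length of zero never moves the offset. The iteration cap exists only so
    the caller can observe the spin; the driver had no such cap and halted the
    machine. Returns (kinds_seen, looped).
    """
    seen = []
    off = 0
    iterations = 0
    while off < len(opts):
        iterations += 1
        if iterations > max_iterations:
            return seen, True  # would be an infinite loop in the driver
        kind = opts[off]
        if kind == EOL:
            break
        if kind == NOP:
            off += 1
            continue
        length = opts[off + 1] if off + 1 < len(opts) else 0
        seen.append(kind)
        off += length  # bug: length 0 leaves off unchanged
    return seen, False


def walk_options_safe(opts):
    """Hardened walker.

    Every variable-length option must carry a length byte, the length must be
    at least 2 (kind + length), and the option must fit in the remaining bytes.
    Returns a list of (kind, data) tuples or raises ValueError.
    """
    parsed = []
    off = 0
    while off < len(opts):
        kind = opts[off]
        if kind == EOL:
            break
        if kind == NOP:
            off += 1
            continue
        if off + 1 >= len(opts):
            raise ValueError("option kind %d truncated before length byte" % kind)
        length = opts[off + 1]
        if length < 2:
            raise ValueError("option kind %d has invalid length %d" % (kind, length))
        if off + length > len(opts):
            raise ValueError("option kind %d overruns option area" % kind)
        parsed.append((kind, bytes(opts[off + 2:off + length])))
        off += length
    return parsed


def is_malformed(opts):
    """True when the hardened walker rejects the option bytes."""
    try:
        walk_options_safe(opts)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive walker looped:", walk_options_naive(SAMPLE_OPTIONS)[1])
    print("hardened walker rejects:", is_malformed(SAMPLE_OPTIONS))
```

The same minimum-length check applies to any kind-length-value option format (IP options, DHCP options); the invariant is that each iteration must consume at least one byte.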
VAR-200404-0032 CVE-2004-0362 Internet Security Systems Protocol Analysis Module (PAM) does not properly handle ICQ server response messages CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Multiple stack-based buffer overflows in the ICQ parsing routines of the ISS Protocol Analysis Module (PAM) component, as used in various RealSecure, Proventia, and BlackICE products, allow remote attackers to execute arbitrary code via a SRV_MULTI response containing a SRV_USER_ONLINE response packet and a SRV_META_USER response packet with long (1) nickname, (2) firstname, (3) lastname, or (4) email address fields, as exploited by the Witty worm. The Protocol Analysis Module (PAM) used by Internet Security Systems (ISS) intrusion detection and prevention products does not properly handle ICQ server response messages. An unauthenticated, remote attacker could execute arbitrary code by sending a specially crafted UDP packet. This issue exists due to insufficient bounds checking performed on certain unspecified ICQ protocol fields supplied in ICQ response data. This attack would occur in the context of the vulnerable process. This module is used to parse network protocols and is included in a number of products provided by ISS, including various RealSecure and BlackICE releases. To call these affected functions, an attacker simply needs to construct an SRV_USER_ONLINE reply containing two nested reply packets. Attackers can forge data frames and send them to networks, devices, and hosts protected by ISS products
VAR-200403-0109 CVE-2004-1830 PHP-Nuke Error Manager Multiple security holes in the module CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
error.php in Error Manager 2.1 for PHP-Nuke 6.0 allows remote attackers to obtain sensitive information via an invalid (1) language, (2) newlang, or (3) lang parameter, which leaks the pathname in a PHP error message. Error Manager has been reported to be prone to multiple vulnerabilities, due to failure to validate user input, failure to handle exceptional conditions, and simple design errors. These issues may be leveraged to carry out cross-site scripting attacks, reveal information about the application configuration, and inject HTML into the affected system. PHP-Nuke is a popular website creation and management tool that can use many database systems as its backend, such as MySQL, PostgreSQL, mSQL, Interbase, and Sybase. 1) Path disclosure in error.php: submitting an invalid value for 'newlang' returns an error message containing sensitive information, including the application's installation path. 2) Cross-site scripting in error.php: the 'pagetitle' and 'error' parameters are not sufficiently filtered, so a link carrying malicious script code in these parameters will, when followed by a target user, execute the script in that user's browser and can disclose sensitive information. 3) Script injection into the error log: Error Manager records the referrer, request URI and other request data when logging an error, but performs no filtering of HTML tags, so an attacker can inject script code into the error log. When an administrator views the log, the script runs in the administrator's browser, allowing cookie theft or the creation of an administrator account
VAR-200403-0166 CAN-2004-0079 OpenSSL Denial of Service Vulnerabilities CVSS V2: -
CVSS V3: -
Severity: -
Three security vulnerabilities have been reported to affect OpenSSL. Each of these remotely exploitable issues may result in a denial of service in applications which use OpenSSL. For the first issue, a NULL-pointer assignment can be triggered by attackers during SSL/TLS handshake exchanges. The CVE candidate name for this vulnerability is CAN-2004-0079. Versions 0.9.6c to 0.9.6k (inclusive) and 0.9.7a to 0.9.7c (inclusive) are vulnerable. The second issue is also exploited during the SSL/TLS handshake, but only when Kerberos ciphersuites are in use. The vendor has reported that this vulnerability may not be a threat to many, because it occurs only when Kerberos ciphersuites are in use, an uncommon configuration. The CVE candidate name for this vulnerability is CAN-2004-0112. Versions 0.9.7a, 0.9.7b, and 0.9.7c are affected. This entry will be retired when individual BID records are created for each issue. *Note: A third denial-of-service vulnerability included in the announcement was discovered affecting 0.9.6 and fixed in 0.9.6d. The CVE candidate name for this vulnerability is CAN-2004-0081.

1. Null-pointer assignment during SSL handshake
===============================================
Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application this could lead to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0079 to this issue. Any application that makes use of OpenSSL's SSL/TLS library may be affected. Please contact your application vendor for details.

2. Crash during SSL/TLS handshake with Kerberos ciphersuites
============================================================
A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0112 to this issue. Any application that makes use of OpenSSL's SSL/TLS library may be affected. Please contact your application vendor for details.

Recommendations
---------------
Upgrade to OpenSSL 0.9.7d or 0.9.6m. Recompile any OpenSSL applications statically linked to OpenSSL libraries. OpenSSL 0.9.7d and OpenSSL 0.9.6m are available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): ftp://ftp.openssl.org/source/

The distribution file names are:
 o openssl-0.9.7d.tar.gz                 MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5
 o openssl-0.9.6m.tar.gz [normal]        MD5 checksum: 1b63bfdca1c37837dddde9f1623498f9
 o openssl-engine-0.9.6m.tar.gz [engine] MD5 checksum: 4c39d2524bd466180f9077f8efddac8c

The checksums were calculated using the following command: openssl md5 openssl-0.9*.tar.gz

Credits
-------
Patches for these issues were created by Dr Stephen Henson (steve@openssl.org) of the OpenSSL core team. The OpenSSL team would like to thank Codenomicon for supplying the TLS Test Tool which was used to discover these vulnerabilities, and Joe Orton of Red Hat for performing the majority of the testing.

References
----------
http://www.codenomicon.com/testtools/tls/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
URL for this Security Advisory: http://www.openssl.org/news/secadv_20040317.txt
VAR-200412-1226 CVE-2004-1842 PHP-Nuke Image Tag management command execution vulnerability CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
Cross-site request forgery (CSRF) vulnerability in Php-Nuke 6.x through 7.1.0 allows remote attackers to gain administrative privileges via an img tag with a URL to admin.php. It has been reported that PHP-Nuke is prone to a vulnerability that allows remote execution of administrative commands. This issue is due to a design error that allows an attacker to specify arbitrary URI values in bbCode tags contained within posts. It may be leveraged to force an administrator viewing a malicious post to perform some request against the affected application, such as adding a user or removing arbitrary data from the database. PHP-Nuke is a popular website creation and management tool that can use many database systems as its backend, such as MySQL, PostgreSQL, mSQL, Interbase, and Sybase. PHP-Nuke uses bbCode tags to support images, HTML and similar markup in posts, but does not restrict the URL supplied in a user-specified Image tag. An attacker can therefore embed an admin.php URL in an image tag; when an administrator views the post, the administrator's browser requests that URL with the administrator's credentials, carrying out administrative actions such as adding or deleting users in the database
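The mechanism above, as an added example that is not PHP-Nuke's code: a bbCode renderer that copies any [img] URL into an <img> tag, a helper that lists which of the resulting image fetches point back at the site (those are the forged admin requests), and a hypothetical admin handler that refuses requests lacking a session-bound token. The admin.php parameter names (op, name, token) and the HMAC token scheme are assumptions for illustration only:

```python
"""bbCode [img] tag as a CSRF vector, and a per-session token check.

Added example for CVE-2004-1842; not PHP-Nuke's code. The admin.php
parameters and the token scheme below are assumptions, not the real ones.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

IMG_TAG = re.compile(r"\[img\](.+?)\[/img\]", re.IGNORECASE | re.DOTALL)


def render_bbcode_vulnerable(text):
    """Copies whatever URL the poster supplied into an <img> tag.

    Any browser that renders the post will GET that URL, attaching the cookies
    it holds for the URL's host; for an administrator that is the admin session.
    """
    return IMG_TAG.sub(lambda m: '<img src="%s">' % m.group(1), text)


def requests_triggered(html, site_host):
    """Image URLs in the rendered post that point back at the site itself."""
    urls = re.findall(r'<img src="([^"]+)"', html)
    return [u for u in urls if urlparse(u).hostname == site_host]


def csrf_token(session_id, key):
    """Token bound to the session; the attacker cannot compute it from a post."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def admin_action(url, session_id, key):
    """Hypothetical admin.php handler.

    The session is present because the admin's browser sends the cookie, so
    the cookie alone must not authorise a state change; the token must match.
    """
    params = parse_qs(urlparse(url).query)
    op = params.get("op", [None])[0]
    token = params.get("token", [None])[0]
    if token is None or not hmac.compare_digest(token, csrf_token(session_id, key)):
        return "rejected: missing or bad token"
    return "performed: " + str(op)


def demo(key=b"constructed-server-key", session_id="admin-session"):
    """Constructed post with an admin.php URL inside an [img] tag."""
    post = "[img]http://nuke.example/admin.php?op=AddUser&name=attacker[/img]"
    html = render_bbcode_vulnerable(post)
    forged = requests_triggered(html, "nuke.example")[0]
    legit = forged + "&token=" + csrf_token(session_id, key)
    return admin_action(forged, session_id, key), admin_action(legit, session_id, key)


if __name__ == "__main__":
    print(demo())
```

Restricting [img] URLs to image file extensions is not sufficient on its own, since admin.php can be reached through a redirect or a query string; the token check is the control that actually breaks the attack.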
VAR-200412-1171 CVE-2004-1813 VocalTec VGW4/8 Telephony Gateway Remote Authentication Bypass Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
VocalTec VGW4/8 Gateway 8.0 allows remote attackers to bypass authentication via an HTTP request to home.asp with a trailing slash (/). The problem is due to a design error in the application that allows a user to access configuration pages without prior authentication. Successful exploitation of this issue may allow a remote attacker to gain control of the affected appliance via its web configuration tool. There is a vulnerability in VocalTec VGW4/8 Gateway version 8.0
VAR-200412-0455 CVE-2004-2348 Lotus Domino of Sybari AntiGen Service denial vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Sybari AntiGen for Domino 7.0 Build 722 SR2 allows remote attackers to cause a denial of service (hang) via an encrypted ZIP file with the "include full path info" option set, as used by certain variants of the Beagle/Bagle worm. Sybari AntiGen for Lotus Domino has been reported prone to a remote denial of service vulnerability. The issue presents itself when a malicious encrypted ZIP archive is encountered and results in a denial of service against the AntiGen virus detection software. Although unconfirmed, it is conjectured that while the service is hung, malicious programs may pass undetected. Sybari AntiGen for Domino 7.0 Build 722 SR2 is affected
VAR-200403-0099 CVE-2004-1817 PHP-Nuke Modules.php Multiple Cross-Site Scripting Vulnerabilities CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in modules.php in Php-Nuke 7.1.0 allows remote attackers to inject arbitrary web script or HTML via the (1) Your Name field, (2) e-mail field, (3) nicname field, (4) fname parameter, (5) ratenum parameter, or (6) search field. It has been reported that PHP-Nuke may be prone to multiple cross-site scripting vulnerabilities. These vulnerabilities occur due to insufficient sanitization of user-supplied data via the 'Your Name', 'nicname', 'fname', 'ratenum', and 'search' fields of 'modules.php' script. Exploitation could allow for theft of cookie-based authentication credentials. Other attacks are also possible. PHP-Nuke 7.1.0 has been reported to be prone to these issues, however, it is possible that other versions are affected as well. These issues are undergoing further analysis. These issues will be separated into individual BIDs once analysis is complete
VAR-200412-1172 CVE-2004-1814 VocalTec VGW4/8 Telephony Gateway Remote Authentication Bypass Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in VocalTec VGW4/8 Gateway 8.0 allows remote attackers to read protected files via .. (dot dot) sequences in an HTTP request, as demonstrated using home.asp. It has been reported that the VGW4/8 Telephony Gateway is prone to a remote authentication bypass vulnerability via its web configuration tool. The problem is due to a design error in the application that allows a user to access configuration pages without prior authentication. Successful exploitation of this issue may allow a remote attacker to gain control of the affected appliance via its web configuration tool
VAR-200412-0547 CVE-2004-2326 IP3 Networks IP3 NetAccess Appliance SQL Inject the vulnerability. CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
SQL injection vulnerability in IP3 Networks NetAccess Appliance before firmware 3.1.18b13 allows remote attackers to bypass authentication via the (1) login or (2) password. NOTE: this issue was later reported to also affect firmware 4.0.34. The IP3 NetAccess Appliance is reported prone to a remote SQL-injection vulnerability. This issue is due to the application's failure to properly sanitize user input. It may allow an attacker to gain full control of the appliance through the network-administration interface. The attacker may also be able to influence database queries to view or modify sensitive information, potentially compromising the system or the database.

KPMG recommends that owners of a NetAccess NA75 take steps to ensure the security of the device, and that IP3 Networks is contacted to acquire the new firmware that includes the patches for the issues described. IP3 Networks has requested that customers contact IP3 through http://www.ip3.com/supportoverview.htm.

Product: NA75 and possibly others
Revision: na-img-4.0.34.bin
Vendor Status: notified, verified and patch available from 1 April 2006
Risk: High
Remote: Yes
Local: Yes

ISSUE 1: Various SQL injection vulnerabilities in the HTTP user interface. Due to the absence of user input validation, attackers can embed SQL commands and queries into various HTTP forms. The impact is that attackers can log in to the unit by specifying the username 'admin' and the password ' OR "1=1';--. As can be seen from the product information above, we have found the vulnerability to be present in firmware 4.0.34.

ISSUE 2: Unix command injection vulnerability in the command line interface. Due to the absence of user input filtering in the command line interface, attackers can embed Unix commands in certain parameters by passing the commands between the shell command-substitution characters '`'.

ISSUE 3: No mandatory default password change on first login. The default username and password 'admin'/'admin' do not have to be changed at first login, which greatly increases the chance of the password remaining 'admin' after installation.

ISSUE 4: World-readable shadow password file. The shadow password file contains the encrypted (hashed) passwords for all users on the system; password crackers can be run against this file to obtain the plaintext passwords.

ISSUE 5: NetAccess database file world-readable and writable. The permission settings on the NetAccess database file give all Unix users read and write access to the file, thereby allowing potentially sensitive customer information to be disclosed.

Ralph Moonen, CISSP, Manager, KPMG Information Risk Management, Amstelveen, The Netherlands
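ISSUE 1 above, shown as an added example against an in-memory SQLite table built here (this is not the appliance's code, and the table, credentials and query shape are constructed for the demonstration). The advisory's exact payload is rendered at the string level so its effect on the query text can be seen; the executable bypass uses the equivalent classic form, since the double-quoted variant depends on the target database's quoting rules:

```python
"""Authentication bypass by SQL injection, vulnerable and parameterized.

Added example for CVE-2004-2326; not IP3's code. The schema, the default
'admin'/'admin' row and the query shape are constructed for the demo.
"""
import sqlite3

QUERY_TEMPLATE = "SELECT username FROM users WHERE username = '%s' AND password = '%s'"

# Classic form of the advisory's payload (' OR "1=1';--): closes the password
# literal, adds an always-true disjunct, and comments out the trailing quote.
PAYLOAD = "' OR '1'='1' --"


def make_db():
    """Constructed user table with the default credentials ISSUE 3 criticises.
    Passwords are stored in clear here only to keep the demonstration short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'admin')")
    conn.commit()
    return conn


def rendered_query(username, password):
    """The SQL text the vulnerable path would execute for the given input."""
    return QUERY_TEMPLATE % (username, password)


def login_vulnerable(conn, username, password):
    """String concatenation: the input is parsed as SQL. AND binds tighter than
    OR, so (username='admin' AND password='') OR '1'='1' is true for any row."""
    try:
        row = conn.execute(rendered_query(username, password)).fetchone()
    except sqlite3.OperationalError:
        return None
    return row[0] if row else None


def login_safe(conn, username, password):
    """Bound parameters: the driver never lets the input reach the SQL parser."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """(vulnerable login with payload, safe login with payload, safe login with
    the real password)."""
    conn = make_db()
    return (
        login_vulnerable(conn, "admin", PAYLOAD),
        login_safe(conn, "admin", PAYLOAD),
        login_safe(conn, "admin", "admin"),
    )


if __name__ == "__main__":
    print(rendered_query("admin", "' OR \"1=1';--"))
    print(demo())
```

Note that the parameterized version still returns 'admin' for the real password, so the fix does not change legitimate behaviour; combined with ISSUE 3 (an unchanged default password) the injection is not even needed, which is why both findings are listed.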
VAR-200404-0002 CVE-2003-0514 cookie Path parameter limit bypass vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Apple Safari allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Safari to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. Multiple vendor Internet browsers have been reported to be prone to a cookie path-argument restriction bypass vulnerability. The issue is due to a failure to properly sanitize encoded URI content: an attacker can craft a URI containing encoded directory-traversal sequences that causes the browser to send a cookie, supposedly restricted to one path, to a resource under an alternate path
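The path-matching mistake above, and the dot-dot traversal in the VocalTec VGW4/8 entry (CVE-2004-1814), share one root cause: a decision made on the raw, still-encoded request path instead of the decoded and normalised one. As an added example (not Safari's or VocalTec's code), a cookie path matcher is shown in both forms; the cookie path and request URL are constructed for the demonstration:

```python
"""Cookie path matching on the raw path versus the normalised path.

Added example for CVE-2003-0514 (and the same normalisation step applies to
CVE-2004-1814). Not browser or appliance code; inputs are constructed.
"""
import posixpath
from urllib.parse import unquote


def normalize_path(raw_path):
    """Percent-decode once, then collapse '.' and '..' segments.

    posixpath.normpath keeps the leading '/', resolves '..' and '.', removes
    duplicate slashes, and never climbs above '/'. Double-encoded input
    (%252e) would need the decode step repeated until stable.
    """
    decoded = unquote(raw_path)
    return posixpath.normpath("/" + decoded.lstrip("/"))


def path_matches(cookie_path, request_path):
    """RFC 6265 path-match: identical, or the cookie path is a prefix that
    ends in '/', or the request path continues with '/' right after it."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def cookie_sent_naive(cookie_path, raw_request_path):
    """Vulnerable behaviour: matches against the raw request string, so
    '/secure/%2e%2e/other' still looks like it lives under '/secure'."""
    return path_matches(cookie_path, raw_request_path)


def cookie_sent_safe(cookie_path, raw_request_path):
    """Fixed behaviour: decode and normalise before matching."""
    return path_matches(cookie_path, normalize_path(raw_request_path))


# Constructed case: the cookie is scoped to /secure, the link points at a
# different application on the same host through an encoded dot-dot.
COOKIE_PATH = "/secure"
CRAFTED = "/secure/%2e%2e/other/index.php"

if __name__ == "__main__":
    print("resolves to:", normalize_path(CRAFTED))
    print("naive sends cookie:", cookie_sent_naive(COOKIE_PATH, CRAFTED))
    print("safe sends cookie:", cookie_sent_safe(COOKIE_PATH, CRAFTED))
```

The same normalize_path step, applied before an authorisation or file-system check on the server, is what stops a "../" request from reading files outside the intended directory.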
VAR-200503-0071 CVE-2004-1029 Sun Java Plug-in fails to restrict access to private Java packages CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
The Sun Java Plugin capability in Java 2 Runtime Environment (JRE) 1.4.2_01, 1.4.2_04, and possibly earlier versions, does not properly restrict access between Javascript and Java applets during data transfer, which allows remote attackers to load unsafe classes and execute arbitrary code by using the reflection API to access private Java packages. There is a vulnerability in the Sun Java Plug-in that could allow a malicious Java applet to bypass restrictions for untrusted applets. Multiple vulnerabilities also exist in numerous Oracle products; their impacts are varied and may include remote execution of arbitrary code, disclosure of sensitive information, and denial-of-service conditions. Depending on the target product, a third party could remotely execute arbitrary commands or code, leak information from the database, or disrupt service operation (denial of service, DoS).

Reports indicate that a malicious website containing JavaScript code can exploit this vulnerability to load a dangerous Java class and pass it to an invoked applet. If a vulnerable version is still installed on the computer, it may be possible for a malicious page to specify that this version runs the applet instead of an updated version that is not prone to the vulnerability. Users affected by this vulnerability should remove earlier versions of the plug-in. This functionality could also be abused to prompt users to install vulnerable versions of the plug-in, so users should be wary of doing so. This general security weakness has been assigned an individual BID (11757).

Various Oracle Database Server, Oracle Enterprise Manager, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite and Applications, Oracle Workflow, Oracle Forms and Reports, Oracle JInitiator, Oracle Developer Suite, and Oracle Express Server are affected by multiple vulnerabilities. The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. Oracle has released a Critical Patch Update advisory for July 2005 to address these vulnerabilities for supported releases; earlier, unsupported releases are likely to be affected by the issues as well. One issue is that documents may be served with weaker SSL encryption than configured in Oracle HTTP Server, which could result in a false sense of security; Oracle has not released any further information about this weakness.

Two further Java issues are described. The first can allow an untrusted applet to escalate its privileges to access resources with the privilege level of the user running the applet; it occurs only in Internet Explorer running on Windows. The second allows an untrusted applet to interfere with another applet embedded in the same web page; it occurs in Java running on Windows, Solaris, and Linux. A remote attacker can use the plug-in vulnerability to bypass the Java 'sandbox' and all of its restrictions to access restricted resources and systems.

I. BACKGROUND
Java Plug-in technology, included as part of the Java 2 Runtime Environment, Standard Edition (JRE), establishes a connection between popular browsers and the Java platform. This connection enables applets on Web sites to be run within a browser on the desktop.

II. DESCRIPTION
A number of private Java packages exist within the Java Virtual Machine (VM) and are used internally by the VM. Security restrictions prevent Applets from accessing these packages. Any attempt to access these packages results in a thrown 'AccessControlException', unless the Applet is signed and the user has chosen to trust the issuer.

III. ANALYSIS
Successful exploitation allows remote attackers to execute hostile Applets that can access, download, upload or execute arbitrary files as well as access the network. A target user must be running a browser on top of a vulnerable Java Virtual Machine to be affected. It is possible for an attacker to create a cross-platform, cross-browser exploit for this vulnerability. Once compromised, an attacker can execute arbitrary code under the privileges of the user who instantiated the vulnerable browser.

IV. DETECTION
iDEFENSE has confirmed the existence of this vulnerability in Java 2 Platform, Standard Edition (J2SE) 1.4.2_01 and 1.4.2_04 from Sun Microsystems. Various browsers such as Internet Explorer, Mozilla and Firefox on both Windows and Unix platforms can be exploited if they are running a vulnerable Java Virtual Machine.

V. WORKAROUND
Other Java Virtual Machines, such as the Microsoft VM, are available and can be used as an alternative.

VI. VENDOR RESPONSE
This issue has been fixed in J2SE v 1.4.2_06 available at: http://java.sun.com/j2se/1.4.2/download.html

VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-1029 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE
06/29/2004 Initial vendor notification
06/30/2004 Initial vendor response
08/16/2004 iDEFENSE clients notified
11/22/2004 Public disclosure

IX. CREDIT
Jouko Pynnonen (jouko[at]iki.fi) is credited with this discovery.

X. LEGAL NOTICES
Copyright © 2004 iDEFENSE, Inc.
VAR-200411-0158 CVE-2004-0361 apple's  Safari  Vulnerability in CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Javascript engine in Safari 1.2 and earlier allows remote attackers to cause a denial of service (segmentation fault) by creating a new Array object with a large size value, then writing into that array. Apple Safari is reported to be prone to a security vulnerability related to the handling of large JavaScript arrays (with 99999999999999999999999 or 0x23000000 elements). By declaring such an array and then attempting to access it, it may be possible to cause a browser crash. This issue is likely due to memory corruption, but it is not known whether it could be exploited further to execute arbitrary code. The Javascript engine of Safari 1.2 and earlier is vulnerable
VAR-200411-0149 CVE-2004-0352 Cisco Content Service Switch Management Port UDP Denial Of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco 11000 Series Content Services Switches (CSS) running WebNS 5.0(x) before 05.0(04.07)S, and 6.10(x) before 06.10(02.05)S allow remote attackers to cause a denial of service (device reset) via a malformed packet to UDP port 5002
VAR-200502-0104 CVE-2005-0175 Multiple devices process HTTP requests inconsistently CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache via an HTTP response splitting attack. Multiple interconnected devices process valid HTTP request headers inconsistently and in this may manner may allow a remote attacker to poison a cache, conduct cross-site scripting attacks, and hijack user sessions. Some HTTP handling devices are vulnerable to a flaw which may allow a specially crafted request to elicit multiple responses, some of which may be controlled by the attacker. These attacks may result in cache poisoning, information leakage, cross-site scripting, and other outcomes. plural HTTP The server (1) HTTP Line feed code in request (CR/LF) Vulnerability that headers can be divided in server responses due to improper handling of (2) There is a vulnerability that recognizes the second half of the divided header included in the first request as a response to the second request under certain conditions.An arbitrary script may be executed on the user's browser. This issue results from insufficient sanitization of user-supplied data. Squid versions 2.5 and earlier are reported prone to this issue. A paper (Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics) was released to describe various attacks that target web users through web application, browser, web/application server and proxy implementations. Exploitation would occur by injecting variations of CR/LF sequences into parts of HTTP response headers that the attacker may control or influence. The general consequences of exploitation are that an attacker may misrepresent web content to the client, potentially enticing the user to trust the content and take actions based on this false trust. 
While the various implementations listed in the paper contribute to these attacks, this issue will most likely be exposed through web applications that do not properly account for CR/LF sequences when accepting user-supplied input that may be returned in server responses. This vulnerability could also aid in exploitation of cross-site scripting vulnerabilities. This issue is due to a failure of the affected proxy to handle CR/LF characters in HTTP requests. This may facilitate man-in-the-middle attacks as well as others.

Debian Security Advisory DSA 667-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 4th, 2005 http://www.debian.org/security/faq

Package : squid
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE IDs : CAN-2005-0173 CAN-2005-0175 CAN-2005-0194 CAN-2005-0211

Several vulnerabilities have been discovered in Squid, the internet object cache, the popular WWW proxy cache. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CAN-2005-0173 LDAP is very forgiving about spaces in search filters and this could be abused to log in using several variants of the login name, possibly bypassing explicit access controls or confusing accounting.

CAN-2005-0211 The length argument of the WCCP recvfrom() call is larger than it should be. An attacker may send a larger than normal WCCP packet that could overflow a buffer.

For the stable distribution (woody) these problems have been fixed in version 2.4.6-2woody6. For the unstable distribution (sid) these problems have been fixed in version 2.5.7-7. We recommend that you upgrade your squid package.

Upgrade Instructions

wget url will fetch the file for you
dpkg -i file.deb will install the referenced file.
Debian GNU/Linux 3.0 alias woody: source archives and binary packages (squid, squid-cgi and squidclient 2.4.6-2woody6) for the alpha, arm, i386, ia64, hppa, m68k, mips, mipsel, powerpc, s390 and sparc architectures are available from http://security.debian.org/pool/updates/main/s/squid/. These files will probably be moved into the stable distribution on its next update.
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Fedora Legacy Update Advisory

Synopsis: Updated squid package fixes security issues
Advisory ID: FLSA:152809
Issue date: 2006-02-18
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2004-0541 CVE-2004-0832 CVE-2004-0918 CVE-2005-0094 CVE-2005-0095 CVE-2005-0096 CVE-2005-0097 CVE-2005-0173 CVE-2005-0174 CVE-2005-0175 CVE-2005-0194 CVE-2005-0211 CVE-2005-0241 CVE-2005-0446 CVE-2005-0626 CVE-2005-0718 CVE-2005-1345 CVE-1999-0710 CVE-2005-1519 CVE-2004-2479 CVE-2005-2794 CVE-2005-2796 CVE-2005-2917

1. Topic:

An updated Squid package that fixes several security issues is now available.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A buffer overflow was found within the NTLM authentication helper routine. If Squid is configured to use the NTLM authentication helper, a remote attacker could potentially execute arbitrary code by sending a lengthy password. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0541 to this issue. An out of bounds memory read bug was found within the NTLM authentication helper routine.
If Squid is configured to use the NTLM authentication helper, a remote attacker could send a carefully crafted NTLM authentication packet and cause Squid to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0832 to this issue. iDEFENSE reported a flaw in the squid SNMP module. This flaw could allow an attacker who has the ability to send arbitrary packets to the SNMP port to restart the server, causing it to drop all open connections. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0918 to this issue. A buffer overflow flaw was found in the Gopher relay parser. Although Gopher servers are now quite rare, a malicious web page (for example) could redirect or contain a frame pointing to an attacker's malicious gopher server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0094 to this issue. An integer overflow flaw was found in the WCCP message parser. It is possible to crash the Squid server if an attacker is able to send a malformed WCCP message with a spoofed source address matching Squid's "home router". The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0095 to this issue. A memory leak was found in the NTLM fakeauth_auth helper. It is possible that an attacker could place the Squid server under high load, causing the NTLM fakeauth_auth helper to consume a large amount of memory, resulting in a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0096 to this issue. A NULL pointer dereference bug was found in the NTLM fakeauth_auth helper. It is possible for an attacker to send a malformed NTLM type 3 message, causing the Squid server to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0097 to this issue.
A username validation bug was found in squid_ldap_auth. It is possible for a username to be padded with spaces, which could allow a user to bypass explicit access control rules or confuse accounting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0173 to this issue. The way Squid handles HTTP responses was found to need strengthening. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0174 and CVE-2005-0175 to these issues. When processing the configuration file, Squid parses empty Access Control Lists (ACLs) and proxy_auth ACLs without defined auth schemes in a way that effectively removes arguments, which could allow remote attackers to bypass intended ACLs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0194 to this issue. A buffer overflow bug was found in the WCCP message parser. It is possible that an attacker could send a malformed WCCP message which could crash the Squid server or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0211 to this issue. A bug was found in the way Squid handled oversized HTTP response headers. It is possible that a malicious web server could send a specially crafted HTTP header which could cause the Squid cache to be poisoned, presenting users with incorrect webpages. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0241 to this issue. A bug was found in the way Squid handles FQDN lookups. It was possible to crash the Squid server by sending a carefully crafted DNS response to an FQDN lookup. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0446 to this issue. A race condition bug was found in the way Squid handles the now obsolete Set-Cookie header. 
It is possible that Squid can leak Set-Cookie header information to other clients connecting to Squid. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0626 to this issue. A bug was found in the way Squid handles PUT and POST requests. It is possible for an authorised remote user to cause a failed PUT or POST request which can cause Squid to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0718 to this issue. A bug was found in the way Squid processes errors in the access control list. It is possible that an error in the access control list could give users more access than intended. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1345 to this issue. A bug was found in the way Squid handles access to the cachemgr.cgi script. It is possible for an authorised remote user to bypass access control lists with this flaw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-1999-0710 to this issue. A bug was found in the way Squid handles DNS replies. If the port Squid uses for DNS requests is not protected by a firewall it is possible for a remote attacker to spoof DNS replies, possibly redirecting a user to spoofed or malicious content. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1519 to this issue. A bug was found in the way Squid displays error messages. A remote attacker could submit a request containing an invalid hostname which would result in Squid displaying a previously used error message. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-2479 to this issue. Two denial of service bugs were found in the way Squid handles malformed requests. A remote attacker could submit a specially crafted request to Squid that would cause the server to crash. 
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-2794 and CVE-2005-2796 to these issues. A bug was found in the way Squid handles certain request sequences while performing NTLM authentication. It is possible for an attacker to cause Squid to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2917 to this issue. Users of Squid should upgrade to this updated package, which contains backported patches, and is not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152809

6.
RPMs required:

Red Hat Linux 7.3:
SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/squid-2.4.STABLE7-0.73.3.legacy.src.rpm
i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/squid-2.4.STABLE7-0.73.3.legacy.i386.rpm

Red Hat Linux 9:
SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/squid-2.5.STABLE1-9.10.legacy.src.rpm
i386: http://download.fedoralegacy.org/redhat/9/updates/i386/squid-2.5.STABLE1-9.10.legacy.i386.rpm

Fedora Core 1:
SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/squid-2.5.STABLE3-2.fc1.6.legacy.src.rpm
i386: http://download.fedoralegacy.org/fedora/1/updates/i386/squid-2.5.STABLE3-2.fc1.6.legacy.i386.rpm

Fedora Core 2:
SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/squid-2.5.STABLE9-1.FC2.4.legacy.src.rpm
i386: http://download.fedoralegacy.org/fedora/2/updates/i386/squid-2.5.STABLE9-1.FC2.4.legacy.i386.rpm

7. Verification:

These packages are GPG signed by Fedora Legacy for security.
Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0832
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0918
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0173
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0211
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2917

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org
VAR-200403-0072 CVE-2004-0171 FreeBSD fails to limit number of TCP segments held in reassembly queue

Related entries in the VARIoT exploits database: VAR-E-200403-0269
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
FreeBSD 5.1 and earlier, and Mac OS X before 10.3.4, allows remote attackers to cause a denial of service (resource exhaustion of memory buffers and system crash) via a large number of out-of-sequence TCP packets, which prevents the operating system from creating new connections. FreeBSD fails to limit the number of TCP segments held in a reassembly queue which could allow an attacker to exhaust all available memory buffers (mbufs) on the destination system resulting in a denial-of-service condition. Unspecified vulnerabilities exist in FreeBSD and in products from multiple vendors. A problem in the handling of out-of-sequence packets has been identified in BSD variants such as FreeBSD and OpenBSD. Because of this, it may be possible for remote attackers to deny service to legitimate users of vulnerable systems
VAR-200403-0061 CVE-2004-0190 Vulnerabilities in multiple Symantec products CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Symantec FireWall/VPN Appliance model 200 records a cleartext password for the password administration page, which may be cached on the administrator's local system or in a proxy, which allows attackers to steal the password and gain privileges. Symantec's Firewall/VPN Appliance 100, Firewall/VPN Appliance 200 and Firewall/VPN Appliance 200R contain unspecified vulnerabilities. It has been reported that Symantec Firewall/VPN Appliance is prone to an issue where, depending on browser settings, administration password credentials may be stored in the browser/proxy cache in plaintext format. Symantec Firewall/VPN Appliance Models 100, 200, 200R are reported to be prone to this vulnerability