-- Security Alert Consensus --
Number 049 (00.25)
Thursday, June 15, 2000
Created for you by
Network Computing and the SANS Institute
------------------------------------------------------------------------
Welcome to SANS' distribution of the Security Alert Consensus.
------------------------------------------------------------------------
This issue sponsored by Symantec Corp.
Join our key executives June 21 for a live Web cast detailing our new
Enterprise Security solution. Learn how Symantec can secure Enterprise
organizations from intrusion, viruses and other attacks. To register:
http://enterprisesecurity.symantec.com/symwebcast
------------------------------------------------------------------------
Many people wrote in last week indicating they did not receive items
{00.24.025} and {00.24.032}. As indicated in issue 00.24, only those
who subscribe to the "Cross Platform" category received those alerts.
In the future we will include reference URLs with all news items, even
if they are reprinted as an item in the same issue.
Meantime, you can view archived issues, which include all categories
and, therefore, all items, at:
http://archives.neohapsis.com/archives/securityexpress/current/
Items {00.24.025} and {00.24.032} are available in the archived issue
from last week at the above URL.
That said, Darren Reed posted instructions to Bugtraq on how to use
IPFilter to protect your Check Point FireWall-1 installation from the
DoS mentioned in {00.24.025}. This is available at:
http://archives.neohapsis.com/archives/bugtraq/2000-06/0097.html
Until next week,
Security Alert Consensus Team
------------------------------------------------------------------------
------------------------------------------------------------------------
TABLE OF CONTENTS:
--> {00.25.007} MS00-040: Remote registry authentication DoS
--> {00.25.008} DoS and full path disclosure in Ceilidh
--> {00.25.009} DoS and remote buffer overflow in CMail
--> {00.25.010} HP OpenView OmniBack DoS
--> {00.25.011} i-drive Filo proxy request buffer overflow
--> {00.25.012} Outlook behaves strangely to blank headers
--> {00.25.013} HP OpenView Network Node Manager buffer overflow
--> {00.25.020} SessionWall-3 vulnerabilities
--> {00.25.023} BEA WebLogic JSP source disclosure
--> {00.25.024} IBM WebSphere JSP source disclosure
--> {00.25.026} Outlook E-Mail Security Update
--> {00.25.028} McAfee VirusScan alert tampering
--> {00.25.031} IE IFrame/WebBrowser control cross-frame security breach
--> {00.25.032} ICQ creates files with plaintext passwords
--> {00.25.004} Linux kernel setuid/setcap vulnerability
--> {00.25.014} Update to {00.23.027}: cdrecord dev parameter buffer overflow
--> {00.25.015} Update to {00.24.006}: innd buffer overflow
--> {00.25.016} Update to {00.22.017}: gdm XDMCP buffer overflow
--> {00.25.018} Update to {00.21.003}: Netscape SSL reuse vulnerability
--> {00.25.030} Possible rpc.lockd malformed request DoS
--> {00.25.033} qpopper malformed mail header vulnerability
--> {00.25.005} FreeBSD ssh listens on Port 722 by default
--> {00.25.019} Apsfilter local command execution
--> {00.25.029} FreeBSD/Alpha lacks /dev/random and /dev/urandom
--> {00.25.001} Shiva Access Manager stores plaintext password
--> {00.25.017} Mac OS URLConnection/weak JVM security
--> {00.25.002} BRU allows appending to any file
--> {00.25.003} ASB00-14: ColdFusion Administrator DoS
--> {00.25.006} OpenSSH "Uselogin" allows commands to be run as root
--> {00.25.021} MIT Kerberos DoS
--> {00.25.022} xinetd allows connections when client reverse DNS lookup fails
--> {00.25.025} MailStudio2000 multiple vulnerabilities
--> {00.25.027} Unify eWave ServletExec JSP source disclosure
--- Windows News -------------------------------------------------------
--> {00.25.007} MS00-040: Remote registry authentication DoS
Microsoft has released MS00-040 ("Patch Available for Remote Registry
Access Authentication Vulnerability"). The patch corrects a denial of
service situation where a remote attacker could cause winlogon.exe (the
service responsible for remote registry access) to crash, requiring a
system reboot. All Windows NT 4.0 platforms are vulnerable; Windows
2000 is not.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/fq00-040.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2000-q2/0042.html
--> {00.25.008} DoS and full path disclosure in Ceilidh
Two vulnerabilities were found in the Ceilidh Web application, version
2.60a. First, ceilidh.exe embeds the full path of the application in a
hidden form field in the generated HTML. Also, many requests to
ceilidh.exe will result in a resource-starvation situation, creating a
denial of service.
No patches have been made available. Vendor home page:
http://www.lilikoi.com/
Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0246.html
--> {00.25.009} DoS and remote buffer overflow in CMail
Two vulnerabilities were found in Computalynx's Cmail package, version
2.4.7. A denial of service situation is possible by submitting large
(greater than 195 KB) user names to the create new user dialog, which
is provided by the included Web server running on Port 8002. The result
is a high CPU utilization for an undetermined amount of time. There is
also a remotely exploitable buffer overflow in the included Web service.
An attacker can submit a large GET request, resulting in the execution
of arbitrary code.
Upgrade to version 2.4.8, available at:
http://www.computalynx.net/
Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0248.html
--> {00.25.010} HP OpenView OmniBack DoS
A memory leak has been found in HP OpenView OmniBack version 3.00 and
3.10 for Windows NT. A remote attacker can make repeated connections
to the OmniBack service, eventually crashing the system.
HP has made patches available:
OMNIBACK_00011 - HP OpenView OmniBack version 3.00
OMNIBACK_00012 - HP OpenView OmniBack version 3.10
Both patches are available at:
http://ovweb.external.hp.com/cpe/patches
Source: HP (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-06/0051.html
--> {00.25.011} i-drive Filo proxy request buffer overflow
The Filo software provided by i-drive.com has been found to contain a
buffer overflow, allowing the remote execution of arbitrary code when
an attacker submits an overly long GET request to the included HTTP
proxy server. Version 1.0.0.1 is affected.
Update to version 1.5.3, available at:
http://www.idrive.com/site/download/WinFiloInstaller.exe
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0052.html
--> {00.25.012} Outlook behaves strangely to blank headers
Reports have surfaced indicating Microsoft Outlook and Outlook Express
behave oddly when they attempt to open POP e-mail that contains blank
From, BCC, Reply To or Return Path headers. This has not been confirmed
by Microsoft.
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0045.html
http://archives.neohapsis.com/archives/bugtraq/2000-06/0082.html
--> {00.25.013} HP OpenView Network Node Manager buffer overflow
HP's OpenView Network Node Manager version 6.1 contains a buffer
overflow in the included alarm service that listens on Port 2345. A
remote attacker can submit a large string to the service, allowing for
the execution of arbitrary code.
No patches have been made available.
Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0249.html
--> {00.25.020} SessionWall-3 vulnerabilities
A few vulnerabilities were recently published for SessionWall-3. First,
SessionWall-3 insecurely stores passwords in the registry, using XOR
encoding to obfuscate them. It is possible to remotely identify
SessionWall-3 systems by sending particular ICMP packets. Lastly, a
denial of service is possible by sending many ICMP locator packets.
Exploits and utilities to demonstrate all problems listed have been
published.
No patches have been made available.
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0021.html
--> {00.25.023} BEA WebLogic JSP source disclosure
A bug in BEA System's WebLogic application version 4.5.1 lets a remote
attacker view the source code of a JSP application by specifying the JSP
file extension in uppercase. This vulnerability is a result of the
extension handler being case-sensitive.
A solution matrix is available at:
http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0262.htm
Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0262.htm
--> {00.25.024} IBM WebSphere JSP source disclosure
A bug in IBM's WebSphere server version 3.0.2 lets a remote attacker
view the source code of a JSP application by specifying the JSP file
extension in uppercase. This vulnerability is a result of the extension
handler being case-sensitive.
A fix (APAR: PQ38936) will be available at:
http://www-4.ibm.com/software/webservers/appserv/efix.html
Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0263.html
--> {00.25.026} Outlook E-Mail Security Update
Microsoft has released a Security Update for Outlook 98 and 2000, which
disables unwanted features and gives added protection to combat
e-mail-based macro viruses.
Patch for Outlook 98:
http://www.officeupdate.com/downloadDetails/Out98sec.htm
Patch for Outlook 2000 SR1:
http://www.officeupdate.com/2000/downloaddetails/Out2ksec.htm
Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0256.html
--> {00.25.028} McAfee VirusScan alert tampering
The alert mechanism in McAfee VirusScan version 4.03 is insecure. A
local user can modify the alerts, which are stored in a text file,
before they are sent to the central alert server. This can result in
false reports and possibly a denial of service.
No patches have been made available.
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0038.html
--> {00.25.031} IE IFrame/WebBrowser control cross-frame security breach
A vulnerability has been found in Microsoft Internet Explorer 5.01. By
using a combination of the IFRAME tag and WebBrowser control, it is
possible to use the NavigateComplete2 event to gain access to the DOM
of the document in the IFRAME. This means a malicious Web site can
access arbitrary files on a user's system.
No patches have been made available.
Source: Win2KSecAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2000-q2/0154.html
--> {00.25.032} ICQ creates files with plaintext passwords
ICQ2000's ICQwebmail creates a temporary file when logging into the
service. This temporary Internet shortcut contains the password and user
name for the service. Unfortunately, ICQwebmail/ICQ2000 do not delete
these files, allowing a local user to retrieve the authentication
information.
No patches have been made available.
Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0237.html
--- Linux News ---------------------------------------------------------
--> {00.25.004} Linux kernel setuid/setcap vulnerability
A severe bug has been found in Linux kernels version 2.2.x. The
vulnerability has to do with a new feature called "capabilities." The
attacker can tell the kernel to not allow any programs to use setuid
calls, and then run a setuid program, such as sendmail. The result is
that sendmail is unable to drop root privileges and starts executing
"risky" code at the higher UID. Any setuid program can be abused in this
manner.
Exploits have been published and are being used in the wild.
Patches to the kernel (version 2.2.16) correct this problem. Version
2.2.16 is available at:
http://www.kernel.org/pub/linux/kernel/v2.2/linux-2.2.16.tar.gz
Sendmail has also patched version 8.10.2, available at:
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.10.2.tar.gz
Trustix Linux has made new kernel packages available for Trustix Secure
Linux:
ftp://ftp.trustix.com/pub/Trustix/updates/1.01/RPMS/kernel-2.2.16-1tr_1.01.i586.rpm
ftp://ftp.trustix.com/pub/Trustix/updates/1.01/RPMS/kernel-BOOT-2.2.16-1tr_1.01.i586.rpm
ftp://ftp.trustix.com/pub/Trustix/updates/1.01/RPMS/kernel-headers-2.2.16-1tr_1.01.i586.rpm
Conectiva Linux has made updated packages available:
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/alsasound-2.2.14-19cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/kernel-2.2.14-19cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/kernel-BOOT-2.2.14-19cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/kernel-headers-2.2.14-19cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/kernel-pcmcia-cs-2.2.14-19cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/sensors-2.2.14-19cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/kernel-install-2.2.14-19cl.i386.rpm
Caldera has also made updated packages available for OpenLinux Desktop,
eServer, eBuilder and eDesktop:
- OpenLinux Desktop 2.3
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/linux-kernel-binary-2.2.10-10.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/linux-kernel-include-2.2.10-10.i386.rpm
- OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/linux-kernel-binary-2.2.14-2S.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/linux-kernel-include-2.2.14-2S.i386.rpm
- OpenLinux eDesktop 2.4
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/linux-kernel-binary-2.2.14-5.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/linux-kernel-include-2.2.14-5.i386.rpm
A third-party utility to log abuse of this vulnerability is available
at:
http://archives.neohapsis.com/archives/bugtraq/2000-06/0090.html
Source: Sendmail, Bugtraq, Trustix, Conectiva, Caldera
http://archives.neohapsis.com/archives/sendmail/2000-q2/0002.html
http://archives.neohapsis.com/archives/bugtraq/2000-06/0033.html
http://archives.neohapsis.com/archives/bugtraq/2000-06/0053.html
http://archives.neohapsis.com/archives/bugtraq/2000-06/0062.html
http://archives.neohapsis.com/archives/bugtraq/2000-06/0063.html
http://archives.neohapsis.com/archives/bugtraq/2000-06/0066.html
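The lesson of {00.25.004} for anyone maintaining a setuid program is that setuid() can fail, and a program that ignores the failure keeps running as root. The following added example (written for this newsletter, not code from sendmail, the kernel or any vendor listed above) shows a privilege drop that checks every return value, verifies the resulting ids and aborts if root can still be regained. It assumes uid/gid 65534 is an unprivileged "nobody" account.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Drop root privileges to uid/gid and verify that the drop really
 * happened. Returns 0 on success, -1 on any failure. A caller that
 * receives -1 must abort rather than continue: on the 2.2.x kernels in
 * the advisory, a capability-stripped setuid() fails and the process
 * is left running with its original root privileges.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Dropping "to root" is not a drop at all. */
    if (uid == 0) {
        errno = EINVAL;
        return -1;
    }

    /* Clear supplementary groups first; only root may do this. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* Group before user: once the uid is non-zero, setgid() would fail. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Do not trust return values alone: confirm every id changed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }

    /* A real drop is irreversible: regaining root must now fail. */
    if (setuid(0) == 0 || seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Assumption: 65534 is "nobody". When not started as root, drop to
     * the caller's own ids so the demonstration still runs. */
    uid_t uid = geteuid() == 0 ? 65534 : getuid();
    gid_t gid = geteuid() == 0 ? 65534 : getgid();

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed (%s); refusing to continue\n",
                strerror(errno));
        return 1;   /* never run the "risky" code as root */
    }
    printf("now running as uid %u gid %u\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```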
--> {00.25.014} Update to {00.23.027}: cdrecord dev parameter buffer overflow
Conectiva Linux has released updated packages that correct the
vulnerability discussed in {00.23.027} (cdrecord dev parameter buffer
overflow).
Download the updated packages:
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/cdda2wav-1.8-2cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/cdrecord-1.8-2cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/cdrecord-devel-1.8-2cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/mkisofs-1.8-2cl.i386.rpm
Source: Conectiva (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-06/0019.html
--> {00.25.015} Update to {00.24.006}: innd buffer overflow
Conectiva has released updated packages that fix the vulnerability
described in {00.24.006} (innd control cancel request buffer overflow).
Caldera has released an official workaround.
Download Conectiva updated packages:
- Conectiva Linux 4.0
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/inews-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/inn-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/inn-devel-2.2.2-3cl.i386.rpm
- Conectiva Linux 4.1
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/inews-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/inn-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/inn-devel-2.2.2-3cl.i386.rpm
- Conectiva Linux 4.2
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/inews-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/inn-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/inn-devel-2.2.2-3cl.i386.rpm
- Conectiva Linux 5.0
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/inews-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/inn-2.2.2-3cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/inn-devel-2.2.2-3cl.i386.rpm
Caldera workaround
Replace 'verifycancels: true' with 'verifycancels: false' in
/etc/news/inn.conf, and then reload inn by running:
/usr/libexec/inn/bin/ctlinnd reload all 'security fix'
Source: Conectiva, Caldera (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-06/0023.html
http://archives.neohapsis.com/archives/bugtraq/2000-06/0027.html
--> {00.25.016} Update to {00.22.017}: gdm XDMCP buffer overflow
Conectiva Linux has released updated packages that correct the
vulnerability discussed in {00.22.017} (gdm XDMCP buffer overflow).
Download the following updates:
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/gdm-2.0beta4-2cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/gdm-2.0beta4-2cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/gdm-2.0beta4-2cl.i386.rpm
Source: Conectiva (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-06/0025.html
--> {00.25.018} Update to {00.21.003}: Netscape SSL reuse vulnerability
Caldera has released updated Netscape packages for Caldera eDesktop
version 2.4. The packages correct {00.21.003} (Netscape SSL reuse
vulnerability).
Download the updated packages:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/communicator-4.73-2.i386.rpm
Source: Caldera (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-06/0080.html
--> {00.25.030} Possible rpc.lockd malformed request DoS
A report has indicated that it may be possible to crash the lockd
service by issuing a malformed request to it. This was tested on Red
Hat Linux 6.1 and 6.2.
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0073.html
--> {00.25.033} qpopper malformed mail header vulnerability
SuSE has released an advisory stating a vulnerability in qpop version
2.53 that would allow an attacker to execute arbitrary code under UID
"mail" by sending a carefully crafted e-mail to a user, and that user
retrieving the e-mail via qpop.
SuSE has made updated packages available:
ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/pop-2000.6.7-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/pop-2000.6.7-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/pop-2000.6.8-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/pop-2000.6.7-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/pop-2000.6.7-0.i386.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.3/n1/pop-2000.6.7-0.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/pop-2000.6.7-0.ppc.rpm
Source: SuSE
http://archives.neohapsis.com/archives/vendor/2000-q2/0043.html
--- BSD News -----------------------------------------------------------
--> {00.25.005} FreeBSD ssh listens on Port 722 by default
FreeBSD has released an advisory indicating that a patch applied on
2000-01-14 enables, by default, ssh to listen on both Ports 22 and 722.
Having ssh listening on Port 722 may present problems to some
organizations (such as limiting access via firewall rule sets).
If you have obtained your ssh port between Jan. 14, 2000, and April
21, 2000, you will need to download the new ssh port skeleton.
Alternatively, you can comment out the 'Port 722' line in
/usr/local/etc/sshd_config.
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-06/0031.html
--> {00.25.019} Apsfilter local command execution
FreeBSD has released updated port packages for apsfilter. A
vulnerability in apsfilter let local users execute commands under the
UID of the lpd service.
Download updated packages:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/print/apsfilter-5.4.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/print/apsfilter-5.4.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/print/apsfilter-5.4.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/print/apsfilter-5.4.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/print/apsfilter-5.4.2.tgz
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-06/0030.html
--> {00.25.029} FreeBSD/Alpha lacks /dev/random and /dev/urandom
An oversight in the FreeBSD Alpha distribution leaves the system without
a /dev/random or /dev/urandom device, which are used to generate
randomness, particularly in cryptographic applications. This, coupled
with software that does not detect this oversight (OpenSSL and OpenSSH
are two examples), may lead to cryptographically compromised data.
An updated kernel is available at:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:25/kernel.gz
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-06/0083.html
--- Solaris News -------------------------------------------------------
--> {00.25.001} Shiva Access Manager stores plaintext password
Shiva Access Manager 5.0.0 has been found to store the LDAP server's
root DN name and password in cleartext in a file named radtac.ini. This
could let a local user compromise your LDAP server.
No patches have been made available.
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0008.html
--- Other News ---------------------------------------------------------
--> {00.25.017} Mac OS URLConnection/weak JVM security
A vulnerability in the various Mac OS Java Virtual Machines allows a
malicious Web site to violate the security features of the JVM and open
network connections to arbitrary sites. Apple's MRJ version 2.x is
vulnerable, as is Microsoft's JVM shipped with Internet Explorer 4.x.
A matrix of the exact product version combinations that are vulnerable
is available in the reference URL below.
No patches have been made available. It is suggested that you disable
Java support in your browser until a fix is supplied.
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0056.html
--- Cross-Platform News ------------------------------------------------
--> {00.25.002} BRU allows appending to any file
The BRU backup/restore utility lets users specify alternate log files
via the BRUEXECLOG environment variable. On systems where BRU is setuid
root, this lets local users append information to any file.
No patches have been made available. Setuid permission is only required
on BRU if you let normal users initiate backups/restores, a practice
with security implications itself. We suggest removing suid permissions.
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0013.html
--> {00.25.003} ASB00-14: ColdFusion Administrator DoS
Allaire has released ASB00-14, "Workaround available for Denial of
Service attack against ColdFusion Administrator." A remote attacker can
submit a large login password to the ColdFusion administrator; the
administrator then causes an abnormally high amount of CPU utilization
as it encodes the submitted password for matching with the stored
password.
Allaire suggests securing the administrator by removing it or requiring
other authentication mechanisms. More information can be found at:
http://www.allaire.com/Handlers/index.cfm?ID=10954&Method=Full
Source: Allaire
http://archives.neohapsis.com/archives/vendor/2000-q2/0041.html
--> {00.25.006} OpenSSH "Uselogin" allows commands to be run as root
A vulnerability in OpenSSH in all versions prior to 2.1.1 causes sshd
to not properly drop root privileges when a command is given and the
"Uselogin" option is enabled (it is disabled by default). This allows
anyone with a valid login to execute commands under the UID of sshd,
which is typically root.
Version 2.1.1 corrects the problem. A workaround would be to use the
"Uselogin no" configuration option in your /etc/sshd_config file.
Conectiva Linux has released updated packages:
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-askpass-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-askpass-gnome-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-clients-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssh-server-2.1.1p1-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssl-0.9.5a-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/openssl-devel-0.9.5a-1cl.i386.rpm
Red Hat has made updated Red Hat Linux packages available at:
ftp://ftp.redhat.de/pub/rh-addons/security/current
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0065.html
--> {00.25.021} MIT Kerberos DoS
A buffer overflow has been found in MIT-derived Kerberos
implementations. The buffer overflow allows a remote attacker to cause
a denial of service on the KDC software; it is not believed at this time
that the buffer overflow can be used to execute arbitrary code.
Patches and updated source trees are available at:
http://web.mit.edu/kerberos/www/advisories/index.html
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0064.html
--> {00.25.022} xinetd allows connections when client reverse DNS lookup fails
A bug in xinetd versions prior to 2.1.8.8p3 causes xinetd to allow
connections from any client when the configuration restricts access by
hostname and the connecting client has no valid reverse DNS entry.
Upgrade to version 2.1.8.8p3, available at:
www.synack.net/xinetd/
Source: xinetd maintainer
www.synack.net/xinetd/
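The xinetd bug in {00.25.022} is a fail-open access check: when the reverse lookup yields no name, there is nothing to compare and the connection is let through. The added example below (written for this newsletter, not xinetd's own code) models the pre-2.1.8.8p3 decision beside the fail-closed form and exercises both against a constructed PTR table; the resolver is passed in as a function pointer so it runs offline, where real code would call getnameinfo() with NI_NAMEREQD.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Resolver hook: fill `host` with the PTR name for `ip` and return 0,
 * or return -1 when the lookup fails (no PTR record, timeout, ...). */
typedef int (*reverse_lookup_fn)(const char *ip, char *host, size_t len);

/* Helper shared by both variants: does the resolved name appear in the
 * allow list? Hostname comparison is case-insensitive per DNS rules. */
static int name_in_list(const char *host, const char *const *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(host, allowed[i]) == 0)
            return 1;
    return 0;
}

/* The behaviour the advisory describes: a failed reverse lookup leaves
 * no name to match, and the code path falls through to "allow". */
int host_acl_fail_open(const char *ip, const char *const *allowed, size_t n,
                       reverse_lookup_fn lookup)
{
    char host[256];
    if (lookup(ip, host, sizeof host) != 0)
        return 1;                       /* BUG: unknown client is allowed */
    return name_in_list(host, allowed, n);
}

/* Hardened form (what 2.1.8.8p3 restores): no name, no match, no access. */
int host_acl_fail_closed(const char *ip, const char *const *allowed, size_t n,
                         reverse_lookup_fn lookup)
{
    char host[256];
    if (lookup(ip, host, sizeof host) != 0)
        return 0;                       /* cannot identify client: deny */
    return name_in_list(host, allowed, n);
}

/* Constructed reverse-DNS table for the demonstration (not real hosts). */
int fake_reverse_lookup(const char *ip, char *host, size_t len)
{
    static const struct { const char *ip, *name; } ptr[] = {
        { "192.0.2.10", "trusted.example.net" },
        { "192.0.2.11", "other.example.net" },
    };
    for (size_t i = 0; i < sizeof ptr / sizeof ptr[0]; i++) {
        if (strcmp(ip, ptr[i].ip) == 0) {
            strncpy(host, ptr[i].name, len - 1);
            host[len - 1] = '\0';
            return 0;
        }
    }
    return -1;  /* no PTR record for this address */
}
```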
--> {00.25.025} MailStudio2000 multiple vulnerabilities
3RSoft's MailStudio2000 version 2.0 is vulnerable to various remote CGI
attacks. Using mailview.cgi, it is possible to view arbitrary files on
the system. Using userreg.cgi, a remote attacker can execute commands.
Because MailStudio2000 runs with root privileges, all file viewing and
command execution happens under root context.
No patches have been made available. Vendor homepage:
http://www.3rsoft.com/
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0081.html
--> {00.25.027} Unify eWave ServletExec JSP source disclosure
A bug in Unify's eWave ServletExec application lets a remote attacker
view the source code of a JSP application by specifying the JSP file
extension in uppercase. This vulnerability is a result of the extension
handler being case-sensitive.
No patches have been made available.
Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0250.html
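Items {00.25.023}, {00.25.024} and {00.25.027} are the same bug class: the JSP engine matches the extension case-sensitively while the file system (and the static-file handler behind it) does not, so "login.JSP" names the same file as "login.jsp" but is served as plain text. The added example below (not code from WebLogic, WebSphere or ServletExec) shows the case-sensitive dispatch beside a form where both handlers decide from one case-folded extension and can never disagree.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Return the final extension of `path` including its dot, or NULL when
 * the basename has none (a leading dot, as in ".htaccess", is not one). */
const char *path_extension(const char *path)
{
    const char *slash = strrchr(path, '/');
    const char *base = slash ? slash + 1 : path;
    const char *dot = strrchr(base, '.');
    return (dot && dot != base) ? dot : NULL;
}

/* Dispatch as described in the advisories: only an exact ".jsp" reaches
 * the JSP engine; any other spelling falls through to the static handler,
 * which on a case-insensitive file system happily reads the same file. */
bool is_jsp_case_sensitive(const char *path)
{
    const char *ext = path_extension(path);
    return ext != NULL && strcmp(ext, ".jsp") == 0;
}

/* Hardened dispatch: compare the extension without regard to case, so
 * ".JSP" and ".Jsp" are compiled rather than disclosed. */
bool is_jsp_case_insensitive(const char *path)
{
    const char *ext = path_extension(path);
    return ext != NULL && strcasecmp(ext, ".jsp") == 0;
}

/* The static-file handler must use the same normalised decision; a
 * request that the JSP engine will not compile must not be served raw. */
bool static_handler_may_serve(const char *path)
{
    return !is_jsp_case_insensitive(path);
}
```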
-------------------------------------------------------------------
Please join us in Washington, D.C., July 5-10 to enhance your security
skills and PROVE you have mastered the material. SANS certifications
are the industry's most difficult to obtain, but the training is
extraordinary and those who make the grade are immediately recognized
as knowledgeable and skilled. The respect that comes along with that
recognition can help you get the support to improve security in your
organization.
Or if you cannot come to Washington, try the online version.
Complete program details: http://www.sans.org/dc2000.htm
Certification information: http://www.sans.org/giactc.htm