From xforce@iss.net Thu May 4 10:01:49 2000
From: X-Force
Resent-From: mea culpa
To: alert@iss.net
Resent-To: jericho@attrition.org
Date: Thu, 4 May 2000 00:05:44 -0400 (EDT)
Subject: ISSalert: ISS Security Alert Summary: v5 n4

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net. Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert Summary
May 1, 2000
Volume 5 Number 4

X-Force Vulnerability and Threat Database: http://xforce.iss.net/

To receive these Alert Summaries, subscribe to the ISS Alert mailing list. Send an email to majordomo@iss.net, and within the body of the message type: 'subscribe alert'.

_____

Contents

35 Reported Vulnerabilities

- eudora-warning-message
- icradius-username-bo
- postgresql-plaintext-passwords
- aix-frcactrl-file-modify
- cisco-ios-http-dos
- meetingmaker-weak-encryption
- pcanywhere-tcpsyn-dos
- piranha-passwd-execute
- piranha-default-password
- solaris-lp-bo
- solaris-xsun-bo
- solaris-lpset-bo
- zonealarm-portscan
- cvs-tempfile-dos
- imp-wordfile-dos
- imp-tmpfile-view
- suse-file-deletion
- qpopper-fgets-spoofing
- adtran-ping-dos
- emacs-local-eavesdrop
- emacs-tempfile-creation
- emacs-password-history
- irix-pmcd-mounts
- irix-pmcd-processes
- irix-pmcd-dos
- iis-myriad-escape-chars
- freebsd-healthd
- beos-syscall-dos
- linux-trustees-patch-dos
- pcanywhere-login-dos
- beos-networking-dos
- win2k-unattended-install
- mssql-agent-stored-pw
- webobjects-post-dos
- allaire-forums-allaccess

Risk Factor Key

_____

Date Reported: 4/28/2000
Vulnerability: eudora-warning-message
Platforms Affected: Eudora (2.4, 2.5)
Risk Factor: High
Attack Type: Network/Host Based

Eudora is a Windows based mail reader. Versions 2.4 and 2.5 contain a vulnerability that would allow a user to bypass the warning message displayed when the user attempts to open an exe, com, or bat file.
This could allow an unsuspecting user to execute a malicious program.

Reference:
"Stealth Attachment" demo page at:
http://www.peacefire.org/security/stealthattach/

_____

Date Reported: 4/24/2000
Vulnerability: icradius-username-bo
Platforms Affected: ICRadius
Risk Factor: High
Attack Type: Network Based

ICRADIUS is a program that integrates Remote Authentication Dial In User Service (RADIUS) with MySQL. The program is vulnerable to a buffer overflow attack in the sprintf function, which does not check for oversized buffers. A remote attacker can send a large amount of data to the buffer to crash the program, and possibly execute arbitrary code on the system.

Reference:
Bugtraq Mailing List: "Buffer Overflow in version .14" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSF.4.21.0004240023080.19563-100000@mammoth.psnw.com

_____

Date Reported: 4/23/2000
Vulnerability: postgresql-plaintext-passwords
Platforms Affected: PostgreSQL
Risk Factor: Medium
Attack Type: Host Based

PostgreSQL is an open-source relational database management system (DBMS) that supports SQL constructs. The program stores its usernames and passwords in plaintext format in a file called pg_shadow that is readable by the postgres user and root. A local attacker can run strings on the file to obtain database usernames and passwords.

Reference:
Bugtraq Mailing List: "Postgresql cleartext password storage" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000423220245.A24619@cistron.nl

_____

Date Reported: 4/26/2000
Vulnerability: aix-frcactrl-file-modify
Platforms Affected: AIX 4.3
Risk Factor: High
Attack Type: Host Based

The Fast Response Cache Accelerator (FRCA) is a kernel module that can be used with the IBM HTTP server to improve the performance of a web server. If the FRCA module is loaded, a local attacker could use frcactrl, a program used to manage FRCA configuration, to create, append to, or overwrite files as root.
This would easily allow the user to gain root level privileges. The vulnerability is present on systems with AIX fix IY02669 applied and with the FRCA kernel extension loaded (the kernel extension is not enabled by default).

Reference:
ISS Security Advisory: "Insecure file handling in IBM AIX frcactrl program" at:
http://xforce.iss.net/alerts/advise47.php3

_____

Date Reported: 4/26/2000
Vulnerability: cisco-ios-http-dos
Platforms Affected: Cisco IOS
Risk Factor: Medium
Attack Type: Network Based

The Cisco IOS operating system found on many Cisco routers is vulnerable to a denial of service attack if the HTTP server is enabled. A remote user can crash the router by sending a specially-crafted URL to the router (in the form of http:///%%). This attack will either cause the router to restart itself, or it will have to be manually powered down and restarted.

Reference:
Bugtraq Mailing List: "Cisco HTTP possible bug" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSI.3.95.1000426201632.27862C-100000@rosencrantz.citytel.net

_____

Date Reported: 4/25/2000
Vulnerability: meetingmaker-weak-encryption
Platforms Affected: Meeting Maker
Risk Factor: High
Attack Type: Network/Host Based

Meeting Maker is a client-server calendar and scheduling program for small workgroups to large enterprises. The software uses a weak encryption scheme to encrypt passwords sent between the client and the server. An attacker could use a sniffing program on network traffic to obtain the encrypted passwords.

Reference:
Bugtraq Mailing List: "finding Meeting Maker passwords using tcpdump" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200004250056.UAA18065@tiki-god.mit.edu

_____

Date Reported: 4/25/2000
Vulnerability: pcanywhere-tcpsyn-dos
Platforms Affected: PC Anywhere (8.0, 9.0, 9.2)
Risk Factor: Medium
Attack Type: Network/Host Based

Symantec pcAnywhere versions 8.0, 9.0, and 9.2 are vulnerable to a denial of service attack.
A local or remote attacker can perform a TCP SYN scan on the vulnerable host to crash the service and cause it to stop responding.

Reference:
Bugtraq Mailing List: "Denial of Service Against pcAnywhere" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000425150157.13567A-100000@sword.damocles.com

_____

Date Reported: 4/24/2000
Vulnerability: piranha-passwd-execute
Platforms Affected: RedHat 6.2
Risk Factor: High
Attack Type: Network Based

Piranha is a package distributed by Red Hat, Inc. that contains the Linux Virtual Server (LVS) software, a web-based GUI, and monitoring and fail-over components. The Piranha component passwd.php3 allows an administrator to change their password. This component fails to validate user input before passing it to the shell, which may allow attackers to execute commands on the server. In conjunction with the backdoor password in Piranha, this could allow an anonymous remote attacker to compromise the Piranha server.

References:
ISS Security Advisory #46: "Backdoor Password in Red Hat Linux Virtual Server Package" at:
http://xforce.iss.net/alerts/advise46.php3
Red Hat, Inc. Security Advisory RHSA-2000:014-10: "Piranha web GUI exposure" at:
http://www.redhat.com/support/errata/RHSA-2000014-16.html

_____

Date Reported: 4/24/2000
Vulnerability: piranha-default-password
Platforms Affected: RedHat 6.2
Risk Factor: High
Attack Type: Network Based

Piranha is a package distributed by Red Hat, Inc. that contains the Linux Virtual Server (LVS) software, a web-based GUI, and monitoring and fail-over components. A backdoor password exists in the GUI portion of Piranha that may allow remote attackers to execute commands on the server. If an affected version of Piranha is installed and the default backdoor password remains unchanged, any remote as well as local user may login to the LVS web interface.
From here LVS parameters can be changed and arbitrary commands can be executed with the same privilege as that of the web server.

References:
ISS Security Advisory #46: "Backdoor Password in Red Hat Linux Virtual Server Package" at:
http://xforce.iss.net/alerts/advise46.php3
Red Hat, Inc. Security Advisory RHSA-2000:014-10: "Piranha web GUI exposure" at:
http://www.redhat.com/support/errata/RHSA-2000014-16.html

_____

Date Reported: 4/24/2000
Vulnerability: solaris-lp-bo
Platforms Affected: Solaris 7.0
Risk Factor: High
Attack Type: Host Based

Solaris 7 is vulnerable to a buffer overflow in the lp program. The lp program is part of the lpr package that is used to submit print requests. A local attacker can pass a long argument to the -d flag to execute arbitrary code as root.

Reference:
Bugtraq Mailing List: "Solaris 7 x86 lp exploit" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000424151520.4813E-100000@carma.isirc.is

_____

Date Reported: 4/24/2000
Vulnerability: solaris-xsun-bo
Platforms Affected: Solaris 7.0
Risk Factor: High
Attack Type: Host Based

Solaris 7 is vulnerable to a buffer overflow in Xsun, the X11 server for Solaris. A local attacker can pass a long argument to the -dev flag and overflow the buffer. An attacker can exploit this to execute arbitrary code and gain root privileges.

Reference:
Bugtraq Mailing List: "Solaris x86 Xsun overflow" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000424145711.4813C-100000@carma.isirc.is

_____

Date Reported: 4/24/2000
Vulnerability: solaris-lpset-bo
Platforms Affected: Solaris 7.0
Risk Factor: High
Attack Type: Host Based

Solaris 7 is vulnerable to a buffer overflow in the lpset program. The lpset program is part of the lpr package that is used to set printer configurations in /etc/printer.conf. A local attacker can pass a long argument to the undocumented -r flag to execute arbitrary code and possibly gain root access.
Reference:
Bugtraq Mailing List: "Solaris 7 x86 lpset exploit" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000424152415.4813F-100000@carma.isirc.is

_____

Date Reported: 4/24/2000
Vulnerability: zonealarm-portscan
Platforms Affected: ZoneAlarm
Risk Factor: Medium
Attack Type: Network/Host Based

ZoneAlarm is a personal firewall by Zone Labs that provides firewall services for Windows based operating systems. ZoneAlarm does not block packets with a source port of 67 or generate an alert. A remote attacker can perform a port scan on the system by specifying a source port of 67.

Reference:
Bugtraq Mailing List: "ZoneAlarm" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000421044123.2353.qmail@securityfocus.com

_____

Date Reported: 4/23/2000
Vulnerability: cvs-tempfile-dos
Platforms Affected: CVS
Risk Factor: Medium
Attack Type: Host Based

Concurrent Versions Software (CVS) is a program that allows multiple programmers to work on the same project by checking in and out source code and recording changes. Due to the predictable nature of the CVS temporary file names, a local user can create file names that CVS needs for locking purposes, causing CVS sessions to crash.

Reference:
Bugtraq Mailing List: "CVS DoS" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000423174038.A520@clico.pl

_____

Date Reported: 4/22/2000
Vulnerability: imp-wordfile-dos
Platforms Affected: IMP2
Risk Factor: Medium
Attack Type: Host Based

IMP is a PHP-based program for accessing IMAP email through a web browser. The program uses a utility called wv (formerly MSWordView) for translating Microsoft Word documents to HTML for viewing with a web browser. If the wv process is cancelled before it completes the file conversion, IMP 2.0.11 does not properly clean up the temporary files. An attacker could cancel the conversion process repeatedly to fill up the file system and cause a denial of service against the IMP server.
Reference:
Bugtraq Mailing List: "Two Problems in IMP 2" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-22&msg=Pine.LNX.4.05.10004241852320.18437-100000@biocserver.BIOC.CWRU.Edu

_____

Date Reported: 4/22/2000
Vulnerability: imp-tmpfile-view
Platforms Affected: IMP2
Risk Factor: High
Attack Type: Host Based

IMP is a PHP-based program for accessing IMAP email through a web browser. The program uses a utility called wv (formerly MSWordView) for translating Microsoft Word documents to HTML for viewing with a web browser. When converting Word documents to HTML, IMP 2.0.11 creates world-readable temporary files. A user could read these files and obtain sensitive information.

Reference:
Bugtraq Mailing List: "Two Problems in IMP 2" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-22&msg=Pine.LNX.4.05.10004241852320.18437-100000@biocserver.BIOC.CWRU.Edu

_____

Date Reported: 4/21/2000
Vulnerability: suse-file-deletion
Platforms Affected: SuSE Linux
Risk Factor: Medium
Attack Type: Host Based

SuSE Linux (versions 6.3 and earlier) is vulnerable to arbitrary file deletion by a local attacker. An unauthorized user can delete arbitrary files if the variable MAX_DAYS_IN_TMP is set to anything greater than 0 in the /etc/rc.config file.

Reference:
BugTraq Mailing List: "Local user can delete arbitrary files on SuSE-Linux" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0004210843510.23186-100000@gmv.spm.univ-rennes1.fr

_____

Date Reported: 4/21/2000
Vulnerability: qpopper-fgets-spoofing
Platforms Affected: Qpopper 3.0
Risk Factor: Medium
Attack Type: Network/Host Based

Qpopper versions 2.53 and 3.0 are vulnerable to a buffer overflow that could allow attackers to create messages with spoofed headers. Qpopper is a POP3 mail server distributed by Qualcomm for Unix systems. The program uses the fgets() function to read message headers into a fixed input buffer.
An attacker can overflow this buffer to trick the program and create a message with spoofed or incorrect headers. This spoofed message is treated as an internal plain-text message, which is not scanned by virus checking software.

Reference:
BugTraq Mailing List: "unsafe fgets() in qpopper" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-22&msg=9763.000421@SECURITY.NNOV.RU

_____

Date Reported: 4/19/2000
Vulnerability: adtran-ping-dos
Platforms Affected: Adtran Multiplexor
Risk Factor: Medium
Attack Type: Network Based

The Adtran Multiplexor is vulnerable to a remote denial of service attack. By ping flooding the hardware for about 15 to 20 seconds, a remote attacker can cause the hardware to crash and automatically restart.

Reference:
Bugtraq Mailing List: "Adtran DoS" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10004190908140.32750-100000@localhost.localdomain

_____

Date Reported: 4/18/2000
Vulnerability: emacs-local-eavesdrop
Platforms Affected: GNU Emacs 20
Risk Factor: High
Attack Type: Host Based

GNU Emacs is a self-documenting, customizable, extensible real-time display editor. Versions 20.6 and earlier set PTY permissions improperly. A local attacker can eavesdrop on the Emacs user.

Reference:
Bugtraq Mailing List: "RUS-CERT Advisory 200004-01: GNU Emacs 20" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=tg4s8zioxq.fsf@mercury.rus.uni-stuttgart.de

_____

Date Reported: 4/18/2000
Vulnerability: emacs-tempfile-creation
Platforms Affected: GNU Emacs 20
Risk Factor: High
Attack Type: Host Based

GNU Emacs is a self-documenting, customizable, extensible real-time display editor. Versions 20.6 and earlier create predictable temporary files that follow existing symbolic links. A local attacker could use a symlink attack to gain access to the Emacs user ID.
Reference:
Bugtraq Mailing List: "RUS-CERT Advisory 200004-01: GNU Emacs 20" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=tg4s8zioxq.fsf@mercury.rus.uni-stuttgart.de

_____

Date Reported: 4/18/2000
Vulnerability: emacs-password-history
Platforms Affected: GNU Emacs 20
Risk Factor: High
Attack Type: Host Based

GNU Emacs is a self-documenting, customizable, extensible real-time display editor. Versions 20.6 and earlier do not clear user passwords from the key history. A local user with access to an Emacs session could potentially read the passwords in the Emacs history.

Reference:
Bugtraq Mailing List: "RUS-CERT Advisory 200004-01: GNU Emacs 20" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=tg4s8zioxq.fsf@mercury.rus.uni-stuttgart.de

_____

Date Reported: 4/12/2000
Vulnerability: irix-pmcd-mounts
Platforms Affected: IRIX (6.2, 6.3, 6.4, 6.5)
Risk Factor: Medium
Attack Type: Network Based

Performance Copilot (pmcd) is installed by default with IRIX 6.x and is used to gather performance statistics about the system. One vulnerability that it contains allows a remote user to list all the disks and their mount points. Information gathering techniques can lead to unauthorized access attempts.

Reference:
Bugtraq Mailing List: "Performance Copilot for IRIX 6.5" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=001f01bfa4d5$1f26f7a0$63295581@emmazunz.rockefeller.edu

_____

Date Reported: 4/12/2000
Vulnerability: irix-pmcd-processes
Platforms Affected: IRIX (6.2, 6.3, 6.4, 6.5)
Risk Factor: Medium
Attack Type: Network Based

Performance Copilot (pmcd) is installed by default with IRIX 6.x and is used to gather performance statistics about the system. One vulnerability that it contains allows a remote user to list all the processes and their owners. Information gathering techniques can lead to unauthorized access attempts.
Reference:
Bugtraq Mailing List: "Performance Copilot for IRIX 6.5" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=001f01bfa4d5$1f26f7a0$63295581@emmazunz.rockefeller.edu

_____

Date Reported: 4/12/2000
Vulnerability: irix-pmcd-dos
Platforms Affected: IRIX (6.2, 6.3, 6.4, 6.5)
Risk Factor: Medium
Attack Type: Network Based

Performance Co-Pilot, installed by default with IRIX 6.x, is used to gather system performance statistics across a network. The Performance Metrics Collector Daemon (PMCD) is a message routing server, controlling communications between the client monitoring tools and the domain agents. The default configuration of PMCD allows a remote attacker to pass a large quantity of garbage data to the service, causing the system to consume all available memory.

Reference:
Bugtraq Mailing List: "Performance Copilot for IRIX 6.5" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=001f01bfa4d5$1f26f7a0$63295581@emmazunz.rockefeller.edu

_____

Date Reported: 4/12/2000
Vulnerability: iis-myriad-escape-chars
Platforms Affected: IIS 4.0, 5.0
Risk Factor: Medium
Attack Type: Network/Host Based

Microsoft Internet Information Server (IIS) 4.0 and 5.0 are vulnerable to a potential denial of service attack. A remote attacker could request a specially-crafted URL containing a large amount of escaped characters to consume CPU time on the web server. This attack would slow down the web server and cause it to be unresponsive until it fully processed the URL.
Reference:
Microsoft Security Bulletin (MS00-023): "Patch Available for 'Myriad Escaped Characters' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-023.asp

_____

Date Reported: 4/10/2000
Vulnerability: freebsd-healthd
Platforms Affected: FreeBSD (3.0, 3.1, 3.2, 3.3, 3.4, 4.0)
Risk Factor: High
Attack Type: Host Based

The healthd package version 0.3, which ships with FreeBSD, is a utility for monitoring the motherboard temperature, CPU fan, and voltage levels in the computer. The program is vulnerable to a buffer overflow attack that would allow a local attacker to gain root level access.

Reference:
Bugtraq Mailing List: "FreeBSD Security Advisory: FreeBSD-SA-00:12.healthd" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-8&msg=200004102059.NAA07231@freefall.freebsd.org

_____

Date Reported: 4/10/2000
Vulnerability: beos-syscall-dos
Platforms Affected: BeOS (R5.0, R4.5.x)
Risk Factor: Medium
Attack Type: Host Based

The BeOS operating system versions R5.0 and R4.5.x are vulnerable to denial of service caused by a malformed system call. If a user sends a direct kernel call with invalid parameters, the system will crash, and it will have to be restarted.

Reference:
Bugtraq Mailing List: "BeOS syscall bug" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000410131628.659.qmail@securityfocus.com

_____

Date Reported: 4/10/2000
Vulnerability: linux-trustees-patch-dos
Platforms Affected: Linux
Risk Factor: Medium
Attack Type: Network/Host Based

Bray Systems Linux Trustees kernel patch version 1.5 is vulnerable to a buffer overflow that will hang processes. Linux Trustees is used to manage advanced permission settings in Linux, similar to the permission model in Novell NetWare. By attempting to access an unusually long file or path name, an attacker can hang the program, and possibly cause other system utilities to hang as a result. This attack will require the system to be restarted.
Reference:
Bugtraq Mailing List: "linux trustees 1.5 long path name vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000410142058.W19474@univ.uniyar.ac.ru

_____

Date Reported: 4/9/2000
Vulnerability: pcanywhere-login-dos
Platforms Affected: PC Anywhere (8.0, 9.0)
Risk Factor: Medium
Attack Type: Network Based

Symantec pcAnywhere 8.0 and 9.0 remote control software is vulnerable to a denial of service attack against the service on the host computer. When connecting a pcAnywhere client to the host, a remote attacker can crash the host service by selecting cancel during the initial connection sequence, before the login screen appears.

Reference:
Bugtraq Mailing List: "A funny way to DOS pcANYWHERE8.0 and 9.0" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-8&msg=20000409093526.22418.qmail@securityfocus.com

_____

Date Reported: 4/7/2000
Vulnerability: beos-networking-dos
Platforms Affected: BeOS (R5.0, R4.5, R4.0)
Risk Factor: Medium
Attack Type: Network Based

The BeOS operating system is vulnerable to a denial of service attack against the networking process. A local or remote attacker can crash the networking service by sending a malformed packet to it. If an IP packet is sent with the IP length field set to a number below the minimum header length, the networking service will crash, and it will have to be restarted.

Reference:
Bugtraq Mailing List: "BeOS Networking DOS" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=m12dhV0-000W5EC@malasada.lava.net

_____

Date Reported: 4/7/2000
Vulnerability: win2k-unattended-install
Platforms Affected: Windows 2000
Risk Factor: Medium
Attack Type: Host Based

In Windows 2000, only members of the Administrator or SYSTEM groups are given write access to the All Users profile. However, when Windows 2000 is installed with the unattended install file and the OEMPreinstall option is selected, the All Users profile directory is not secured.
Any local user could install a trojan horse program to be executed when the next user logs in.

Reference:
NTBugtraq Mailing List: "All Users startup folder left open if unattended install and OEMP reinstall" at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0004&L=ntbugtraq&F=&S=&P=1606

_____

Date Reported: 4/5/2000
Vulnerability: mssql-agent-stored-pw
Platforms Affected: Microsoft SQL
Risk Factor: High
Attack Type: Host Based

The SQL Server Agent can be configured to connect to SQL Server using Windows NT authentication or SQL Server authentication. If standard security is used, the password is stored in the registry using a proprietary two-way encryption algorithm. Most password hash algorithms are one-way functions. Since the password must be read from the registry and decrypted to connect to SQL Server, it is stored using a two-way encryption algorithm. This allows anyone with knowledge of the algorithm and access to the encrypted password to easily find the clear text password. This password is stored in the registry on the server under the key 'HKEY_LOCAL_MACHINE\Software\Microsoft\MSSQLServer\SQLServerAgent\HostPassword'.

_____

Date Reported: 4/3/2000
Vulnerability: webobjects-post-dos
Platforms Affected: WebObjects 4.5
Risk Factor: Medium
Attack Type: Network/Host Based

WebObjects 4.5 Developer, when used in conjunction with CGI-adapter and IIS 4.0, is vulnerable to a buffer overflow that will crash the service. An attacker can send a POST message with a large header variable to crash the service and generate a Dr. Watson error.
Reference:
Bugtraq Mailing List: "WebObjects DoS" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-01&msg=OCELLGABDLDELPDEFKNACELGCBAA.gdead@fortnocs.com

_____

Date Reported: 4/3/2000
Vulnerability: allaire-forums-allaccess
Platforms Affected: Allaire Forums 2.0.5
Risk Factor: Medium
Attack Type: Network/Host Based

Allaire Forums 2.0.5 could allow a remote user to view and post to secure discussion threads in an insecure manner. Due to improper handling of the variable "rightAccessAllForums", an attacker could access conferences that they did not belong to, by using unsecured conferences or email.

Reference:
Allaire Security Bulletin (ASB00-06): "Patch Available for Allaire Forums 2.0.5 security issue" at:
http://www.allaire.com/handlers/index.cfm?ID=15099&Method=Full

_____

Risk Factor Key:

High
Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall. Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on the mail server.

Medium
Any vulnerability that provides information that has a high potential of giving system access to an intruder. Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that could contain an account with a guessable password.

Low
Any vulnerability that provides information that potentially could lead to a compromise. Example: A finger service that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via brute force methods.

_____

Permission is hereby granted for the redistribution of this Alert Summary electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.

About Internet Security Systems

Internet Security Systems (ISS) is the leading global provider of security management solutions for the Internet. By providing industry-leading SAFEsuite* security software, ePatrol* remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to its customers and partners, protecting digital assets and ensuring safe and uninterrupted e-business. ISS' security management solutions protect more than 5,500 customers worldwide including 21 of the 25 largest U.S. commercial banks, 10 of the largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBORD2djRfJiV99eG9AQGugwQArxXxQJyV3JA2ruP+JCHP7gY4hspP2oNQ
ujF9xKHPonX941smN2ij60dRbeqDIzRlAFjraM0bhqA9P705CL93Z3opC2vOXD9a
oVHPraUuWrItV8sSftJj1eTerewcvjqde9qe2IhAH7ef7UUYIEWvcnOZtvb0os4q
9nEGigRLw9g=
=83kT
-----END PGP SIGNATURE-----